T7419: VPP ACL implementation #31
The ACL works fine for my internal tests
Tested configurations:
- Simple IP ACL

```
set vpp acl ip interface eth1 input acl-tag 10 tag-name 'INPUT'
set vpp acl ip tag-name INPUT rule 10 action 'permit'
set vpp acl ip tag-name INPUT rule 10 destination port '22'
set vpp acl ip tag-name INPUT rule 10 protocol 'tcp'
set vpp acl ip tag-name INPUT rule 20 action 'permit'
set vpp acl ip tag-name INPUT rule 20 protocol 'tcp'
set vpp acl ip tag-name INPUT rule 20 source port '1024-65535'
set vpp acl ip tag-name INPUT rule 30 action 'permit'
set vpp acl ip tag-name INPUT rule 30 protocol 'gre'
set vpp settings interface eth1 driver 'dpdk'
set vpp settings unix poll-sleep-usec '223'
```

Generated VPP configuration:

```
vyos@r14:~$ sudo vppctl show acl-plugin acl
acl-index 0 count 3 tag {INPUT}
          0: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 22
          1: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 1024-65535 dport 0-65535
          2: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 47 sport 0-65535 dport 0-65535
  applied inbound on sw_if_index: 1
  used in lookup context index: 0
vyos@r14:~$
```
- Complex ACL

```
set vpp settings interface eth1 driver 'dpdk'
set vpp settings unix poll-sleep-usec '223'
set vpp interfaces gre gre10 remote '192.0.2.5'
set vpp interfaces gre gre10 source-address '192.0.2.1'
set vpp acl ip tag-name DNS_INPUT description 'Accept DNS'
set vpp acl ip tag-name DNS_INPUT rule 10 action 'permit'
set vpp acl ip tag-name DNS_INPUT rule 10 destination port '53'
set vpp acl ip tag-name DNS_INPUT rule 10 protocol 'tcp'
set vpp acl ip tag-name DNS_INPUT rule 10 source prefix '0.0.0.0/0'
set vpp acl ip tag-name DNS_INPUT rule 20 action 'permit'
set vpp acl ip tag-name DNS_INPUT rule 20 destination port '53'
set vpp acl ip tag-name DNS_INPUT rule 20 protocol 'udp'
set vpp acl ip tag-name DROP_ALL description 'Drop all'
set vpp acl ip tag-name DROP_ALL rule 10 action 'deny'
set vpp acl ip tag-name REFLECT_OUT rule 10 action 'permit-reflect'
set vpp acl ip tag-name REFLECT_OUT rule 10 destination port '22'
set vpp acl ip tag-name REFLECT_OUT rule 10 protocol 'tcp'
set vpp acl ip tag-name REFLECT_OUT rule 20 action 'permit-reflect'
set vpp acl ip tag-name REFLECT_OUT rule 20 destination port '22'
set vpp acl ip tag-name REFLECT_OUT rule 20 destination prefix '::/0'
set vpp acl ip tag-name REFLECT_OUT rule 20 protocol 'tcp'
set vpp acl ip tag-name REFLECT_OUT rule 20 source prefix '::/0'
set vpp acl ip tag-name SSH_INPUT description 'Accept SSH'
set vpp acl ip tag-name SSH_INPUT rule 10 action 'permit'
set vpp acl ip tag-name SSH_INPUT rule 10 destination port '22'
set vpp acl ip tag-name SSH_INPUT rule 10 protocol 'tcp'
set vpp acl ip tag-name SSH_INPUT rule 10 source prefix '0.0.0.0/0'
set vpp acl ip tag-name SSH_v6_INPUT description 'Accept SSH for IPv6'
set vpp acl ip tag-name SSH_v6_INPUT rule 10 action 'permit'
set vpp acl ip tag-name SSH_v6_INPUT rule 10 destination port '22'
set vpp acl ip tag-name SSH_v6_INPUT rule 10 destination prefix '::/0'
set vpp acl ip tag-name SSH_v6_INPUT rule 10 protocol 'tcp'
set vpp acl ip tag-name SSH_v6_INPUT rule 10 source port '1024-65535'
set vpp acl ip tag-name SSH_v6_INPUT rule 10 source prefix '::/0'
set vpp acl ip interface eth1 input acl-tag 10 tag-name 'DNS_INPUT'
set vpp acl ip interface eth1 input acl-tag 20 tag-name 'SSH_INPUT'
set vpp acl ip interface eth1 input acl-tag 30 tag-name 'SSH_v6_INPUT'
set vpp acl ip interface eth1 input acl-tag 9999 tag-name 'DROP_ALL'
set vpp acl ip interface eth1 output acl-tag 10 tag-name 'REFLECT_OUT'
set vpp acl ip interface gre10 input acl-tag 10 tag-name 'DROP_ALL'
```

Generated VPP configuration:

```
vyos@r14:~$ sudo vppctl show acl-plugin acl
acl-index 0 count 2 tag {DNS_INPUT}
          0: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 53
          1: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 17 sport 0-65535 dport 53
  applied inbound on sw_if_index: 1
  applied outbound on sw_if_index:
  used in lookup context index: 1
acl-index 1 count 1 tag {DROP_ALL}
          0: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535
  applied inbound on sw_if_index: 1, 3
  applied outbound on sw_if_index:
  used in lookup context index: 1, 2
acl-index 2 count 2 tag {REFLECT_OUT}
          0: ipv4 permit+reflect src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 22
          1: ipv6 permit+reflect src ::/0 dst ::/0 proto 6 sport 0-65535 dport 22
  applied inbound on sw_if_index:
  applied outbound on sw_if_index: 1
  used in lookup context index: 0
acl-index 3 count 1 tag {SSH_INPUT}
          0: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 22
  applied inbound on sw_if_index: 1
  used in lookup context index: 1
acl-index 4 count 1 tag {SSH_v6_INPUT}
          0: ipv6 permit src ::/0 dst ::/0 proto 6 sport 1024-65535 dport 22
  applied inbound on sw_if_index: 1
  used in lookup context index: 1
vyos@r14:~$
```
- MAC ACL

```
set vpp acl macip interface eth1 tag-name 'INPUT-MAC'
set vpp acl macip tag-name INPUT-MAC rule 10 action 'deny'
set vpp acl macip tag-name INPUT-MAC rule 10 mac-address '52:54:00:09:0b:01'
set vpp acl macip tag-name INPUT-MAC rule 10 mac-mask 'ff:ff:ff:ff:ff:ff'
set vpp acl macip tag-name INPUT-MAC rule 10 prefix '192.0.2.0/24'
set vpp acl macip tag-name INPUT-MAC rule 1000 action 'permit'
```

Generated VPP configuration:

```
vyos@r14:~$ sudo vppctl show acl-plugin macip acl
MACIP acl_index: 0, count: 2 (true len 2) tag {INPUT-MAC} is free pool slot: 0
  ip4_table_index 11, ip6_table_index 11, l2_table_index 11
  out_ip4_table_index -1, out_ip6_table_index -1, out_l2_table_index -1
    rule 0: ipv4 action 0 ip 192.0.2.0/24 mac 52:54:00:09:0b:01 mask ff:ff:ff:ff:ff:ff
    rule 1: ipv4 action 1 ip 0.0.0.0/0 mac 00:00:00:00:00:00 mask 00:00:00:00:00:00
  applied on sw_if_index(s): 1
vyos@r14:~$
```
It needs to be understood that once you allow something, the default action for everything else will be to drop it. For example, if you allow IPv4 and do not have IPv6 rules, all IPv6 traffic will be dropped. It's one of the subtler nuances of ACL logic.
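The default-drop behaviour described in the test report above (first matching rule wins across the ACLs attached to an interface, and a packet that matches nothing is dropped even when no deny rule covers its address family) can be checked offline against the rule lines that `vppctl show acl-plugin acl` prints. The following is an added example written for this page, not VyOS or VPP code: it parses constructed copies of the rule lines from the output above into a small matcher and evaluates sample packets against the eth1 inbound ACL order (DNS_INPUT, SSH_INPUT, SSH_v6_INPUT, DROP_ALL). The `Packet`, `Rule`, `parse_acl` and `lookup` names are this example's own; the only VPP behaviour it assumes is that `proto 0` in a rule means any protocol and that port ranges are only consulted for TCP and UDP.

```python
"""Model of the VPP acl-plugin first-match lookup, fed with rule lines in the
format `vppctl show acl-plugin acl` prints.  Added example, not VyOS/VPP code."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# One "N: ipv4 permit src ... dst ... proto N sport A-B dport C-D" line.
RULE_RE = re.compile(
    r"^\d+:\s+(?P<af>ipv4|ipv6)\s+(?P<action>permit\+reflect|permit|deny)\s+"
    r"src\s+(?P<src>\S+)\s+dst\s+(?P<dst>\S+)\s+proto\s+(?P<proto>\d+)\s+"
    r"sport\s+(?P<sport>\S+)\s+dport\s+(?P<dport>\S+)$"
)


@dataclass(frozen=True)
class Rule:
    af: int                      # 4 or 6; a rule never matches the other family
    action: str                  # permit, deny or permit+reflect
    src: ipaddress.IPv4Network | ipaddress.IPv6Network
    dst: ipaddress.IPv4Network | ipaddress.IPv6Network
    proto: int                   # assumption: 0 means "any protocol"
    sport: tuple[int, int]
    dport: tuple[int, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0               # 0 for protocols without ports (e.g. GRE)
    dport: int = 0


def _port_range(text: str) -> tuple[int, int]:
    """'22' -> (22, 22); '1024-65535' -> (1024, 65535)."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not an acl-plugin rule line: {line!r}")
    return Rule(
        af=4 if m["af"] == "ipv4" else 6,
        action=m["action"],
        src=ipaddress.ip_network(m["src"]),
        dst=ipaddress.ip_network(m["dst"]),
        proto=int(m["proto"]),
        sport=_port_range(m["sport"]),
        dport=_port_range(m["dport"]),
    )


def parse_acl(text: str) -> list[Rule]:
    """Rule lines of one ACL, kept in the order VPP evaluates them."""
    return [parse_rule(line) for line in text.strip().splitlines()]


def matches(rule: Rule, pkt: Packet) -> bool:
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src.version != rule.af or dst.version != rule.af:
        return False
    if src not in rule.src or dst not in rule.dst:
        return False
    if rule.proto not in (0, pkt.proto):
        return False
    if pkt.proto in (6, 17):     # assumption: ports only checked for TCP/UDP
        if not rule.sport[0] <= pkt.sport <= rule.sport[1]:
            return False
        if not rule.dport[0] <= pkt.dport <= rule.dport[1]:
            return False
    return True


def lookup(acls: list[tuple[str, list[Rule]]], pkt: Packet):
    """acls: [(tag, rules)] in acl-tag order on the interface.
    Returns (action, tag, rule_index); a packet matching no rule anywhere
    gets the implicit deny, reported with tag None."""
    for tag, rules in acls:
        for i, rule in enumerate(rules):
            if matches(rule, pkt):
                return rule.action, tag, i
    return "deny", None, None


# Constructed copies of the eth1 inbound rule lines from the test output.
ETH1_INPUT = [
    ("DNS_INPUT", parse_acl("""
0: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 53
1: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 17 sport 0-65535 dport 53""")),
    ("SSH_INPUT", parse_acl(
        "0: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 22")),
    ("SSH_v6_INPUT", parse_acl(
        "0: ipv6 permit src ::/0 dst ::/0 proto 6 sport 1024-65535 dport 22")),
    ("DROP_ALL", parse_acl(
        "0: ipv4 deny src 0.0.0.0/0 dst 0.0.0.0/0 proto 0 sport 0-65535 dport 0-65535")),
]

# Constructed copy of the "Simple IP ACL" rule lines: permits only, no deny.
SIMPLE_INPUT = [("INPUT", parse_acl("""
0: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 0-65535 dport 22
1: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 6 sport 1024-65535 dport 0-65535
2: ipv4 permit src 0.0.0.0/0 dst 0.0.0.0/0 proto 47 sport 0-65535 dport 0-65535"""))]

if __name__ == "__main__":
    # ICMPv6 on eth1: DROP_ALL is ipv4-only, yet the packet is still dropped.
    print(lookup(ETH1_INPUT, Packet("2001:db8::7", "2001:db8::1", 58)))
```

The last case is the one the report warns about: `DROP_ALL` only ever matches IPv4, so the ICMPv6 packet matches nothing and is dropped by the implicit deny rather than by any rule you can see in the output. The same applies to the simple ACL, which has no deny rule at all and still drops every non-matching packet.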
Pull Request Overview
This pull request introduces a new VPP ACL feature and integrates its support into both operational and configuration modes.
- New ACL op mode and config mode functionality in Python is added via src/op_mode/vpp_acl.py and src/conf_mode/vpp_acl.py.
- ACL dependencies have been added to several VPP interface configuration files and the related interface definitions and dependency JSON have been updated.
Reviewed Changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/op_mode/vpp_acl.py | Implements new ACL operations for op mode |
| src/conf_mode/vpp_acl.py | Adds ACL configuration processing and verification logic |
| src/conf_mode/vpp_interfaces_*.py | Updates dependencies to include ACL support |
| interface-definitions/*.xml.in | Adds ACL definitions to the interface specification |
| data/config-mode-dependencies/vyos-vpp.json | Adds vpp_acl dependency |
| python/vyos/vpp/acl/acl.py | Implements ACL APIs for interacting with VPP |
Can you add the timeout settings (or maybe in a later commit... I do not want to block a merge) for the ACLs: `set acl-plugin session timeout {{udp idle}|tcp {idle|transient}}`
CLI:

```
set vpp acl ip tag-name <tag-name> rule <nn> action <permit|deny|permit-reflect>
set vpp acl ip tag-name <tag-name> rule <nn> source prefix <prefix>
set vpp acl ip tag-name <tag-name> rule <nn> source port <port|range>
set vpp acl ip tag-name <tag-name> rule <nn> destination prefix <prefix>
set vpp acl ip tag-name <tag-name> rule <nn> destination port <port>
set vpp acl ip tag-name <tag-name> rule <nn> protocol <protocol>
set vpp acl ip tag-name <tag-name> rule <nn> tcp-flags <fin|syn|rst|psh|ack|urg|ecn|cwr>
set vpp acl ip tag-name <tag-name> rule <nn> tcp-flags not <fin|syn|rst|psh|ack|urg|ecn|cwr>
set vpp acl ip interface <interface_name> input acl-tag <n> tag-name <tag-name>
set vpp acl ip interface <interface_name> output acl-tag <n> tag-name <tag-name>
set vpp acl macip tag-name <tag-name> rule <nn> prefix <prefix>
set vpp acl macip tag-name <tag-name> rule <nn> mac-address <mac>
set vpp acl macip tag-name <tag-name> rule <nn> mac-mask <mac-mask>
set vpp acl macip tag-name <tag-name> rule <nn> action <permit|deny>
set vpp acl macip interface <interface_name> tag-name <tag-name>
```

OP mode

```
show vpp acl ip tag-name <tag_name>
show vpp acl ip interface
show vpp acl macip tag-name <tag_name>
show vpp acl macip interface
```