Bug
Resolution: Done
Medium
17.04
VPP:
"version": "17.04-rc0~192-gc5fccc0~b1818",
"build_date": "Tue Jan 31 21:16:51 UTC 2017",
"build_directory": "/w/workspace/vpp-merge-master-ubuntu1404"
Given the following configuration:
1. set two interfaces up
vat# sw_interface_set_flags sw_if_index 1 admin_up link_up
vat# sw_interface_set_flags sw_if_index 2 admin_up link_up
2. create bridge domain, assign interfaces
vat# bridge_domain_add_del bd_id 1 flood 1 uu-flood 1 forward 1 learn 1 arp-term 0
vat# sw_interface_set_l2_bridge sw_if_index 1 bd_id 1
vat# sw_interface_set_l2_bridge sw_if_index 2 bd_id 1
3. add ICMP ACL with action "permit" for icmp type 1 to 5, code 1 to 5
vat# acl_add_replace ipv4 permit sport 1-5 dport 1-5 proto 1
4. assign ACL to interface
vat# acl_interface_add_del sw_if_index 1 add input acl 0
5. verify configuration
vat# acl_dump
vl_api_acl_details_t_handler:193: acl_index: 0, count: 1
tag {}
ipv4 action 1 src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 sport 1-5 dport 1-5 tcpflags 0 0
vat# acl_interface_list_dump
vl_api_acl_interface_list_details_t_handler:152: sw_if_index: 1, count: 1, n_input: 1
input 0
When I sent an ICMP packet to interface 1 with code 3, type 3, it hit the acl-plugin node but did not match against the rule and was dropped. Attached packet trace.
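As a regression check for the reproduction above, the following added example (not part of the original report and not VPP code) parses the rule line from the acl_dump output and computes the action expected for a given ICMP type and code. It assumes, as step 3 states, that for proto 1 the sport range holds the ICMP type and the dport range holds the ICMP code; the function names and the 192.0.2.x packet addresses are constructed for illustration.

```python
import ipaddress
import re

# Rule line copied from the acl_dump output in the report above.
DUMP_LINE = ("ipv4 action 1 src 0.0.0.0/0 dst 0.0.0.0/0 proto 1 "
             "sport 1-5 dport 1-5 tcpflags 0 0")

RULE_RE = re.compile(
    r"ipv[46] action (?P<action>\d+) src (?P<src>\S+) dst (?P<dst>\S+) "
    r"proto (?P<proto>\d+) sport (?P<s_lo>\d+)-(?P<s_hi>\d+) "
    r"dport (?P<d_lo>\d+)-(?P<d_hi>\d+)")

ICMP_PROTO = 1


def parse_rule(line):
    """Turn one acl_dump rule line into a dict of comparable fields."""
    m = RULE_RE.search(line)
    if m is None:
        raise ValueError("not an acl_dump rule line: %r" % line)
    return {
        "action": int(m["action"]),
        "src": ipaddress.ip_network(m["src"]),
        "dst": ipaddress.ip_network(m["dst"]),
        "proto": int(m["proto"]),
        "type_range": (int(m["s_lo"]), int(m["s_hi"])),  # assumption: sport = ICMP type
        "code_range": (int(m["d_lo"]), int(m["d_hi"])),  # assumption: dport = ICMP code
    }


def expected_icmp_action(rules, src, dst, icmp_type, icmp_code):
    """Action of the first rule an ICMP packet should match, else None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["proto"] == ICMP_PROTO and src in r["src"] and dst in r["dst"]
                and r["type_range"][0] <= icmp_type <= r["type_range"][1]
                and r["code_range"][0] <= icmp_code <= r["code_range"][1]):
            return r["action"]
    return None


if __name__ == "__main__":
    rules = [parse_rule(DUMP_LINE)]
    # 192.0.2.x addresses are constructed sample values, not from the report.
    print(expected_icmp_action(rules, "192.0.2.1", "192.0.2.2", 3, 3))
```

Action 1 is the value the dump shows for the rule added with "permit", so a result of 1 for type 3, code 3 is the outcome the report expected instead of the drop.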