Difference between revisions of "VPP/SecurityGroups"
Revision as of 11:54, 12 October 2016
VPP Security Groups
Introduction
Features are tracked as they are developed in the ticket VPP-427.
Requirements
- Support classifiers/filters on any interface type (bridged / routed)
- Filter on IP-addresses with address mask or prefix length (IPv4 and IPv6)
- Filter on source and destination TCP/UDP port ranges
- Filter on source and destination L2 MAC addresses
- Support IPv6 with extension headers present
- Support fragmented packets and unknown transport layer headers
- Combinations of the above filters (e.g. MAC + IP)
- Filters on ingress and egress interfaces
- Stateful firewall. No application layer filtering.
Work list
| Task | Owner | Priority | Status | Description |
|---|---|---|---|---|
| API definition | Ole | 0 | WIP | |
| Ingress/Egress support for classifier | | 0 | | |
| Support for L2/L3 interfaces | | 0 | | |
| "Established" behaviour | | 1 | | |
| Stateful firewall | | 1 | | |
| Port ip_tables_firewall.py from Neutron as unit test | | 1 | | |
API
Add or delete egress IP access policy rule:
```
define ip_apr_add_del_egress
{
    u32 sw_ifindex;
    u8 is_add;
    u8 allow;
    u8 is_ipv6;
    u8 src_ip_addr[16];
    u8 src_ip_prefix_len;
    u8 proto;
    u16 dst_min_port;
    u16 dst_max_port;
}
```
Add or delete ingress IP access policy rule:
```
define ip_apr_add_del_ingress
{
    u32 sw_ifindex;
    u8 is_add;
    u8 allow;
    u8 is_ipv6;
    u8 dst_ip_addr[16];
    u8 dst_ip_prefix_len;
    u8 proto;
    u16 dst_min_port;
    u16 dst_max_port;
}
```
Add or delete MAC / IP ingress filter:
```
define ip_apr_macip_add_del_ingress
{
    u32 sw_ifindex;
    u8 is_add;
    u8 is_ip6;
    u8 mac_address[6];
    u8 ip_address[16];
}
```
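As an added example (not VPP project code), the following Python models how a packet would be evaluated against stored ingress rules shaped like ip_apr_add_del_ingress above: the 16-byte address field qualified by a prefix length, the protocol number and the destination port range. First-match-wins ordering, default deny when nothing matches, proto 0 meaning "any protocol" and ignoring the port range for non-TCP/UDP traffic are assumptions of this example, not semantics the API definition on this page specifies.

```python
import ipaddress
from dataclasses import dataclass
TCP, UDP = 6, 17

@dataclass
class IngressRule:
    sw_ifindex: int
    allow: bool
    is_ipv6: bool
    dst_ip_addr: bytes       # 16-byte field; IPv4 occupies the first 4 bytes (assumed layout)
    dst_ip_prefix_len: int
    proto: int               # IP protocol number; 0 means "any" (assumption of this example)
    dst_min_port: int
    dst_max_port: int

def addr_to_field(addr: str) -> bytes:
    """Encode an address into the 16-byte field, IPv4 left-aligned and zero-padded."""
    return ipaddress.ip_address(addr).packed.ljust(16, b"\x00")

def prefix_match(field: bytes, candidate: bytes, prefix_len: int, is_ipv6: bool) -> bool:
    """True when the first prefix_len bits of both addresses agree; the rest is masked off."""
    width = 128 if is_ipv6 else 32
    if not 0 <= prefix_len <= width:
        raise ValueError("prefix length out of range for address family")
    mask = ((1 << prefix_len) - 1) << (width - prefix_len)
    a = int.from_bytes(field[:width // 8], "big")
    b = int.from_bytes(candidate[:width // 8], "big")
    return (a & mask) == (b & mask)

def rule_matches(rule: IngressRule, sw_ifindex: int, dst_ip: str, proto: int, dst_port: int) -> bool:
    is_ipv6 = ipaddress.ip_address(dst_ip).version == 6
    if rule.sw_ifindex != sw_ifindex or rule.is_ipv6 != is_ipv6:
        return False
    if not prefix_match(rule.dst_ip_addr, addr_to_field(dst_ip), rule.dst_ip_prefix_len, is_ipv6):
        return False
    if rule.proto and rule.proto != proto:
        return False
    # Port ranges only apply to TCP/UDP; other protocols match on address/proto alone (assumption).
    return proto not in (TCP, UDP) or rule.dst_min_port <= dst_port <= rule.dst_max_port

def evaluate_ingress(rules, sw_ifindex: int, dst_ip: str, proto: int, dst_port: int) -> bool:
    """First matching rule decides; with no match the packet is dropped (assumed default)."""
    for rule in rules:
        if rule_matches(rule, sw_ifindex, dst_ip, proto, dst_port):
            return rule.allow
    return False

# Constructed sample policy for interface 1: allow TCP 80-443 into 10.0.0.0/24, deny everything else.
SAMPLE_RULES = [
    IngressRule(1, True, False, addr_to_field("10.0.0.0"), 24, TCP, 80, 443),
    IngressRule(1, False, False, addr_to_field("0.0.0.0"), 0, 0, 0, 65535),
]
```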
CLI
```
set interface input acl intfc <int> [ip4-table <index>] [ip6-table <index>] [l2-table <index>] [del]
show inacl type [ip4|ip6|l2]
classify table [miss-next|l2-miss_next|acl-miss-next <next_index>] mask <mask-value> buckets <nn> [skip <n>] [match <n>] [del]
show classify tables [index <nn>]
classify session [hit-next|l2-hit-next|acl-hit-next <next_index>|policer-hit-next <policer_name>] table-index <nn> match [hex] [l2] [l3 ip4] [opaque-index <index>]
test classify [src <ip>] [sessions <nn>] [buckets <nn>] [table <nn>] [del]
set ip classify intfc <int> table-index <index>
set interface ip6 table <intfc> <table-id>
set interface l2 input classify intfc <interface-name> [ip4-table <n>] [ip6-table <n>] [other-table <n>]
set interface l2 output classify intfc <interface-name> [ip4-table <n>] [ip6-table <n>] [other-table <n>]
```
set ip source-and-port-range-check
show ip source-and-port-range-check vrf <nn> <ip-addr> <port>
Examples
YANG model
Open Issues
- Security Group use case specific API. Done in VPP or control plane plugin?