
stateful FW

Open roirad2500 opened this issue 2 months ago • 2 comments

I’m working on implementing a stateful firewall on my VPP device and would appreciate some guidance.

vpp version: vpp v25.06-release built by root on 394e49c7a7d1 at 2025-06-25T13:23:50

Network setup:

- Device A (WAN): 20.20.20.1/24 connected to VPP via port_index 3 (WAN) – VPP IP: 20.20.20.2/24
- Device B (LAN): 40.40.40.2/16 connected to VPP via port_index 5 (LAN) – VPP IP: 40.40.40.1/24

Goal:

- Deny all traffic from WAN → LAN
- Allow all traffic from LAN → WAN, including return (reply) traffic

I’ve experimented with the permit+reflect option in the ACL plugin, but it doesn’t seem to work as expected. Additionally, I’d like to know if there’s any way to apply firewall or ACL rules on specific interfaces using iifname and oifname (similar to nftables).

Any assistance, configuration examples, or best practices for achieving this setup would be greatly appreciated.

Best regards, Roi

roirad2500 · Oct 29 '25 13:10
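The policy stated in the post above (deny WAN → LAN, allow LAN → WAN plus replies), modelled as a reflexive filter so the expected verdicts can be compared with what a device under test does. This is an added example, not part of the issue thread and not VPP or ACL plugin code; the interface labels, the idle timeout and the packets are constructed assumptions.

```python
from ipaddress import ip_address

LAN, WAN = "lan", "wan"   # hypothetical labels for port_index 5 and port_index 3
IDLE_TIMEOUT = 60.0       # assumed idle timeout in seconds, chosen for this model


class ReflexiveFirewall:
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.sessions = {}   # 5-tuple as sent from the LAN side -> last-seen time

    @staticmethod
    def _key(proto, src, sport, dst, dport):
        return (proto, ip_address(src), sport, ip_address(dst), dport)

    def check(self, now, in_if, proto, src, sport, dst, dport):
        """Return 'permit' or 'deny' for one packet arriving on in_if at time now."""
        if in_if == LAN:
            # Outbound: permit and record the flow (the "reflect" part).
            self.sessions[self._key(proto, src, sport, dst, dport)] = now
            return "permit"
        # Inbound from WAN: a reply is a packet whose reversed 5-tuple is a live session.
        key = self._key(proto, dst, dport, src, sport)
        last_seen = self.sessions.get(key)
        if last_seen is not None and now - last_seen <= self.idle_timeout:
            self.sessions[key] = now   # reply traffic keeps the session alive
            return "permit"
        self.sessions.pop(key, None)   # drop an expired entry, if any
        return "deny"


# Constructed packets: (time, in_if, proto, src, sport, dst, dport)
PACKETS = [
    (0.0, WAN, "tcp", "20.20.20.1", 40000, "40.40.40.2", 22),    # unsolicited WAN->LAN
    (1.0, LAN, "tcp", "40.40.40.2", 51000, "20.20.20.1", 443),   # LAN opens a flow
    (1.1, WAN, "tcp", "20.20.20.1", 443, "40.40.40.2", 51000),   # reply to that flow
    (1.2, WAN, "tcp", "20.20.20.1", 443, "40.40.40.2", 51001),   # wrong port, no session
    (90.0, WAN, "tcp", "20.20.20.1", 443, "40.40.40.2", 51000),  # reply after idle timeout
]


def verdicts(packets=PACKETS):
    """Run the constructed packets through a fresh firewall, in order."""
    fw = ReflexiveFirewall()
    return [fw.check(*p) for p in packets]


if __name__ == "__main__":
    print(verdicts())
```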