
Support output ACLs

Open anarkiwi opened this issue 7 years ago • 1 comment

Input ACLs are supported; also support ACLs on output.

anarkiwi avatar Mar 14 '17 03:03 anarkiwi

OK, I have built this for port ACLs and I really, really don't like it.

The problem we have is that with metadata we can only practically apply ACLs to unicast traffic on a port-by-port basis. So at the moment you can have an ACL on a port, but any flooded packet will bypass that, including unknown unicast.

And my concern is that we are creating a trap for people where they will believe they have secured a port from specific traffic, but that traffic will just sneak through anyway. Having built this, it's pretty clear this is a trap for operators that I don't really want to inflict on them.

The alternative is to only allow output ACLs to be applied at the VLAN level. That way the same ACL will be applied to all flooded packets regardless of port, so we won't miss anything.

It's gonna take a bit of extra work to get this going, however. So I think it's unlikely to be ready for 1.9.

KitL avatar Mar 15 '19 02:03 KitL
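The trap KitL describes, as a constructed Python model added here (not Faucet's code): a per-port egress ACL only sees frames forwarded to that port as known unicast, while flooded copies (broadcast, multicast, unknown unicast) carry no per-port metadata and bypass it, whereas the same ACL bound at the VLAN level covers every copy. The MAC table, ports, `deny_ipv6` rule and frames are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass(frozen=True)
class Frame:
    dst: str
    eth_type: int   # 0x0800 IPv4, 0x86dd IPv6, ...

def is_flooded(frame: Frame, mac_table: Dict[str, int]) -> bool:
    """Broadcast, multicast (I/G bit set) and unknown unicast are all flooded."""
    group_bit = int(frame.dst.split(":")[0], 16) & 1
    return frame.dst == BROADCAST or bool(group_bit) or frame.dst not in mac_table

def deny_ipv6(frame: Frame) -> bool:
    """Constructed ACL rule: drop anything with the IPv6 ethertype."""
    return frame.eth_type == 0x86DD

@dataclass
class Switch:
    mac_table: Dict[str, int]                          # learned dst MAC -> port
    ports: List[int]
    port_acl_out: Dict[int, Callable] = field(default_factory=dict)
    vlan_acl_out: Optional[Callable] = None

    def egress(self, frame: Frame, in_port: int) -> List[int]:
        """Ports the frame is actually delivered to after output ACLs are applied."""
        if is_flooded(frame, self.mac_table):
            targets = [p for p in self.ports if p != in_port]
            port_acls = {p: None for p in targets}     # flooded copies: no per-port metadata
        else:
            targets = [self.mac_table[frame.dst]]
            port_acls = {p: self.port_acl_out.get(p) for p in targets}
        out = []
        for p in targets:
            if self.vlan_acl_out and self.vlan_acl_out(frame):
                continue                               # VLAN ACL sees every egress copy
            if port_acls[p] and port_acls[p](frame):
                continue                               # port ACL only sees known unicast
            out.append(p)
        return out

def ipv6_leak_ports(switch: Switch) -> Dict[str, List[int]]:
    """Where does IPv6 still get delivered under each placement? Constructed frames."""
    known = Frame(dst="00:00:00:00:00:02", eth_type=0x86DD)     # learned on port 2
    unknown = Frame(dst="00:00:00:00:00:99", eth_type=0x86DD)   # never learned
    bcast = Frame(dst=BROADCAST, eth_type=0x86DD)
    return {name: switch.egress(f, in_port=1) for name, f in
            [("known_unicast", known), ("unknown_unicast", unknown), ("broadcast", bcast)]}

MAC_TABLE = {"00:00:00:00:00:01": 1, "00:00:00:00:00:02": 2}
PORT_ACL_SWITCH = Switch(MAC_TABLE, [1, 2, 3], port_acl_out={2: deny_ipv6})
VLAN_ACL_SWITCH = Switch(MAC_TABLE, [1, 2, 3], vlan_acl_out=deny_ipv6)
```

With the port-level placement, `ipv6_leak_ports(PORT_ACL_SWITCH)` shows port 2 still receiving the unknown-unicast and broadcast copies; the VLAN-level placement delivers none of them.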