
ACL fragment match rule

Open dplore opened this issue 1 year ago • 1 comments

Issue reported by @rszarecki https://github.com/openconfig/public/pull/796#discussion_r1134390561

dplore avatar Mar 14 '23 16:03 dplore

It is illogical to define IP FRAGMENTATION match as /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/state/builtin-detail

  • "FRAGMENT" - "Matches non-zero values of the fragment-offset field" of IPv4 HEADER. Not L4/TCP/UDP/ICMP/....
  • "FRAGMENT" is not applicable for IPv6 (in contrast to any other transport leaf)

It shall be under /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/ perhaps "FRAGMENTATION" list of booleans with 2 Leafs:

  • "FIRST_FRAGMENT" (more fragments bit set && offset == 0),
  • "FOLLOWING_FRAGMENT" (offset > 0).
  • logic among these 2 should be OR.

rszarecki avatar Aug 31 '23 15:08 rszarecki
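
The distinction discussed in this issue, shown as an added example that is not part of the thread or of the OpenConfig model: it reads the IPv4 flags/fragment-offset word and compares the existing "non-zero fragment-offset" match with the two proposed conditions. The function names and sample headers are constructed for illustration; only `FIRST_FRAGMENT` and `FOLLOWING_FRAGMENT` come from the comment above.

```python
import struct

MF = 0x2000           # "more fragments" bit in the 16-bit flags/offset word
OFFSET_MASK = 0x1FFF  # 13-bit fragment-offset field (units of 8 bytes)

def ipv4_header(flags_frag, proto=17):
    """Constructed 20-byte IPv4 header; addresses are documentation ranges."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 7]))

def frag_word(header):
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return struct.unpack_from("!H", header, 6)[0]

def classify(header):
    """Return the proposed leaf name the packet falls under, or None."""
    word = frag_word(header)
    if word & OFFSET_MASK:
        return "FOLLOWING_FRAGMENT"   # offset > 0
    if word & MF:
        return "FIRST_FRAGMENT"       # more-fragments set && offset == 0
    return None                       # not fragmented (DF alone is not a fragment)

def matches_builtin_fragment(header):
    """Current builtin-detail FRAGMENT: non-zero fragment-offset only."""
    return (frag_word(header) & OFFSET_MASK) != 0

def matches_proposed(header, first_fragment=False, following_fragment=False):
    """Two booleans as proposed in the comment, combined with OR."""
    kind = classify(header)
    return ((first_fragment and kind == "FIRST_FRAGMENT") or
            (following_fragment and kind == "FOLLOWING_FRAGMENT"))

SAMPLES = {  # constructed flags/offset words
    "unfragmented": 0x0000, "df_only": 0x4000, "first": 0x2000,
    "middle": 0x2000 | 185, "last": 370,
}

if __name__ == "__main__":
    for name, word in SAMPLES.items():
        h = ipv4_header(word)
        print(f"{name:13} builtin={matches_builtin_fragment(h)!s:5} "
              f"proposed={classify(h)}")
```

The first fragment is the case where the two definitions differ: its offset is zero, so a match on non-zero fragment-offset alone does not select it.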