title: "Access Control Lists"

VPP is tested in a number of data plane feature configurations across
different forwarding modes. The following sections list the features tested.

## ACL Security-Groups

Both stateless and stateful access control lists (ACL), also known as
security-groups, are supported by VPP.

The following ACL configurations are tested for MAC switching with L2

- *l2bdbasemaclrn-iacl{E}sl-{F}flows*: Input stateless ACL, with {E}
  entries and {F} flows.
- *l2bdbasemaclrn-oacl{E}sl-{F}flows*: Output stateless ACL, with {E}
  entries and {F} flows.
- *l2bdbasemaclrn-iacl{E}sf-{F}flows*: Input stateful ACL, with {E}
  entries and {F} flows.
- *l2bdbasemaclrn-oacl{E}sf-{F}flows*: Output stateful ACL, with {E}
  entries and {F} flows.

The following ACL configurations are tested with IPv4 routing:

- *ip4base-iacl{E}sl-{F}flows*: Input stateless ACL, with {E} entries
- *ip4base-oacl{E}sl-{F}flows*: Output stateless ACL, with {E} entries
- *ip4base-iacl{E}sf-{F}flows*: Input stateful ACL, with {E} entries and
- *ip4base-oacl{E}sf-{F}flows*: Output stateful ACL, with {E} entries

ACL tests are executed with the following combinations of ACL entries

- ACL entry definitions

  - flow non-matching deny entry: (src-ip4, dst-ip4, src-port, dst-port).
  - flow matching permit ACL entry: (src-ip4, dst-ip4).

- {E} - number of non-matching deny ACL entries, {E} = [1, 10, 50].
- {F} - number of UDP flows with different tuple (src-ip4, dst-ip4,
  src-port, dst-port), {F} = [100, 10k, 100k].
- All {E}x{F} combinations are tested per ACL type, total of 9.
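
The test matrix described above, modelled as an added example (not CSIT or VPP code): it expands the {E}x{F} test names for one ACL type and shows that every generated flow is checked against all {E} deny entries before the permit entry matches. The addresses, the first-match evaluation, the implicit deny and the placement of the permit entry last are assumptions of this sketch.

```python
from ipaddress import ip_address, ip_network
from itertools import product

ENTRY_COUNTS = (1, 10, 50)                                  # {E} values from the page
FLOW_LABELS = {100: "100", 10_000: "10k", 100_000: "100k"}  # {F} values from the page

def test_names(base="ip4base", direction="i", state="sl"):
    """Expand the {E}x{F} matrix of one ACL type into its 9 test names."""
    return [f"{base}-{direction}acl{e}{state}-{label}flows"
            for e, label in product(ENTRY_COUNTS, FLOW_LABELS.values())]

def make_flows(f):
    """f distinct UDP tuples (src-ip4, dst-ip4, src-port, dst-port); constructed addresses."""
    src0, dst0 = int(ip_address("10.0.0.1")), int(ip_address("20.0.0.1"))
    return [(ip_address(src0 + i // 1000), ip_address(dst0 + i // 1000),
             1024 + i % 1000, 2048 + i % 1000) for i in range(f)]

def make_acl(e):
    """e deny entries that match no generated flow, then one permit on (src-ip4, dst-ip4).
    Placing the permit last is an assumption of this sketch, not stated on the page."""
    denies = [("deny", ip_network(f"192.0.2.{n}/32"), ip_network(f"198.51.100.{n}/32"),
               1000 + n, 2000 + n) for n in range(1, e + 1)]
    permit = ("permit", ip_network("10.0.0.0/24"), ip_network("20.0.0.0/24"), None, None)
    return denies + [permit]

def evaluate(acl, flow):
    """First-match walk (assumed semantics). Returns (action, entries_checked)."""
    src, dst, sport, dport = flow
    for checked, (action, snet, dnet, sp, dp) in enumerate(acl, 1):
        if src in snet and dst in dnet and sp in (None, sport) and dp in (None, dport):
            return action, checked
    return "deny", len(acl)  # nothing matched: modelled as an implicit deny

def profile(e, f):
    """Set of distinct (action, entries_checked) outcomes over all f flows."""
    acl = make_acl(e)
    return {evaluate(acl, flow) for flow in make_flows(f)}

if __name__ == "__main__":
    print(test_names())
    for e in ENTRY_COUNTS:
        print(e, profile(e, 100))
```

A single outcome per {E} means the per-packet lookup work in this model is fixed by {E}, while {F} only changes how many distinct tuples are offered.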

MAC-IP binding ACLs are tested for MAC switching with L2 bridge-domains:

- *l2bdbasemaclrn-macip-iacl{E}sl-{F}flows*: Input stateless ACL, with
  {E} entries and {F} flows.

MAC-IP ACL tests are executed with the following combinations of ACL
entries and number of flows:

- ACL entry definitions

  - flow non-matching deny entry: (dst-ip4, dst-mac, bit-mask)
  - flow matching permit ACL entry: (dst-ip4, dst-mac, bit-mask)

- {E} - number of non-matching deny ACL entries, {E} = [1, 10, 50]
- {F} - number of UDP flows with different tuple (dst-ip4, dst-mac),
  {F} = [100, 10k, 100k]
- All {E}x{F} combinations are tested per ACL type, total of 9.