stateful FW

[roirad2500]

I’m working on implementing a stateful firewall on my VPP device and would appreciate some guidance.
vpp version:
vpp v25.06-release built by root on 394e49c7a7d1 at 2025-06-25T13:23:50

Network setup:
Device A (WAN): 20.20.20.1/24 connected to VPP via port_index 3 (WAN) – VPP IP: 20.20.20.2/24
Device B (LAN): 40.40.40.2/16 connected to VPP via port_index 5 (LAN) – VPP IP: 40.40.40.1/24

Goal:
Deny all traffic from WAN → LAN
Allow all traffic from LAN → WAN, including return (reply) traffic

I’ve experimented with the permit+reflect option in the ACL plugin, but it doesn’t seem to work as expected.
Additionally, I’d like to know if there’s any way to apply firewall or ACL rules on specific interfaces using iifname and oifname (similar to nftables).

Any assistance, configuration examples, or best practices for achieving this setup would be greatly appreciated.

Best regards,
Roi

[ayourtch]

The session state in stateful ACLs in VPP is per-interface and is not shared between different interfaces. So, if you apply deny-all inbound on wan, and permit+reflect outbound on wan, it should achieve what you describe.

[roirad2500]

Hi
Thank you first for you quick response.
i have another issue:

In the same setup, my ACL rule is:

In this case, I can’t reach the VPP device (20.20.20.2) or Device B (40.40.40.2) from Device A — meaning that when Device A initiates the session, the traffic is blocked.
However, my ACL rule already includes specific source and destination addresses but its still blocked.

My expectation is to be able to start a session from Device A to the VPP device, but not to Device B.

Thanks