Network Policy (npol) Plugin
Overview
The Network Policy (npol) plugin provides a programmable policy engine for applying packet filtering and forwarding rules in VPP. It allows you to:
Create and manage IP sets (collections of IPs, subnets, or IP:port entries).
Define rules to allow, deny, or log traffic based on IPs, prefixes, sets, ports, and direction.
Build policies from rules and apply them on interfaces in RX (inbound) and TX (outbound) directions.
Quick Start
This example shows how to configure and apply a network policy on a loopback interface.
Create a loopback interface and configure an IP address
DBGvpp# create loopback interface
loop0
DBGvpp# set interface state loop0 up
DBGvpp# set interface ip address loop0 10.0.0.1/32
DBGvpp# sh int addr
local0 (dn):
loop0 (up):
L3 10.0.0.1/32
Explore npol commands
DBGvpp# npol ?
npol interface clear npol interface clear [interface | sw_if_index N]
npol interface configure npol interface configure [interface | sw_if_index N] rx <num_rx> tx <num_tx> <policy_id> ...
npol ipset add member npol ipset add member [id] [prefix]
npol ipset add npol ipset add [prefix|proto ip port|ip]
npol ipset del member npol ipset del member [id] [prefix]
npol ipset del npol ipset del [id]
npol policy add npol policy add [rx rule_id rule_id ...] [tx rule_id rule_id ...] [update [id]]
npol policy del npol policy del [id]
npol rule add npol rule add [ip4|ip6] [allow|deny|log|pass][filter[==|!=]value][[src|dst][==|!=][prefix|set ID|[port-port]]]
npol rule del npol rule del [id]
Create an IP set
DBGvpp# npol ipset add 20.0.0.0/24
npol ipset 0 added
DBGvpp# sh npol ipsets
[ipset#0;prefix;20.0.0.0/24,]
Add rules
Rule 0: Deny packets with a source IP in the created set.
Rule 1: Allow all other packets.
DBGvpp# npol rule add ip4 deny src==set0
npol rule 0 added
DBGvpp# npol rule add ip4 allow
npol rule 1 added
DBGvpp# sh npol rules
[rule#0;deny][src==[ipset#0;prefix;20.0.0.0/24,],]
[rule#1;allow][]
Create a policy
This policy applies Rule 0 and Rule 1 on RX, and Rule 1 on TX.
DBGvpp# npol policy add rx 0 1 tx 1
npol policy 0 added
DBGvpp# sh npol policies verbose
[policy#0]
tx:[rule#1;allow][]
rx:[rule#0;deny][src==[ipset#0;prefix;20.0.0.0/24,],]
rx:[rule#1;allow][]
Apply the policy to an interface
DBGvpp# npol interface configure loop0 0
npol interface 1 configured
DBGvpp# sh npol interfaces
Interfaces with policies configured:
[loop0 sw_if_index=1 addr=10.0.0.1]
rx-policy-default:1 rx-profile-default:1
tx-policy-default:1 tx-profile-default:1
profiles:
[policy#0]
tx:[rule#1;allow][]
rx:[rule#0;deny][src==[ipset#0;prefix;20.0.0.0/24,],]
rx:[rule#1;allow][]
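The Quick Start objects above (ipset 0, rules 0 and 1, policy 0 on loop0), rebuilt as an added Python model so the matching semantics can be exercised offline. This is example code written for this page, not the npol plugin's own implementation. Its assumptions, which the page does not state, are labelled in the comments: rules are evaluated in order and the first allow or deny wins; "log" records the packet and continues; a packet matching no rule is denied (which is why rule 1, allow-all, is needed); "pass" is not modelled; and "npol interface configure loop0 0" installs policy 0 for both RX and TX, as the "sh npol interfaces" output suggests. The matcher goes beyond the Quick Start by also covering the prefix, port-range and "!=" forms listed in the "npol rule add" help.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Constructed model of npol objects (not the plugin's code): ipsets, rules,
# policies, and per-interface RX/TX policy lists with first-match evaluation.


@dataclass
class IPSet:
    set_id: int
    prefixes: list = field(default_factory=list)

    def add_member(self, prefix: str) -> None:
        # mirrors "npol ipset add member <id> <prefix>"
        self.prefixes.append(ipaddress.ip_network(prefix, strict=False))

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in p for p in self.prefixes)


@dataclass
class Match:
    """One 'src==...' / 'dst!=...' clause of a rule."""
    side: str            # 'src' or 'dst'
    kind: str            # 'prefix', 'set' or 'port'
    value: object        # CIDR string, IPSet, or (lo, hi) port tuple
    negate: bool = False  # True for the '!=' operator

    def hit(self, pkt: dict) -> bool:
        if self.kind == 'prefix':
            net = ipaddress.ip_network(self.value, strict=False)
            ok = ipaddress.ip_address(pkt[self.side]) in net
        elif self.kind == 'set':
            ok = self.value.contains(pkt[self.side])
        elif self.kind == 'port':
            lo, hi = self.value
            ok = lo <= pkt[self.side + '_port'] <= hi
        else:
            raise ValueError('unknown match kind %r' % self.kind)
        return ok != self.negate


@dataclass
class Rule:
    rule_id: int
    action: str                     # allow | deny | log  ('pass' not modelled)
    af: int = 4                     # 4 for ip4 rules, 6 for ip6 rules
    matches: List[Match] = field(default_factory=list)

    def applies(self, pkt: dict) -> bool:
        # a rule with no match clauses (like rule 1) matches every packet of its AF
        return pkt['af'] == self.af and all(m.hit(pkt) for m in self.matches)


@dataclass
class Policy:
    policy_id: int
    rx: List[Rule] = field(default_factory=list)
    tx: List[Rule] = field(default_factory=list)


@dataclass
class Interface:
    name: str
    rx_policies: list = field(default_factory=list)
    tx_policies: list = field(default_factory=list)


def evaluate(iface: Interface, pkt: dict, direction: str, log=None) -> str:
    """Walk the policies for one direction. Assumptions: first allow/deny wins,
    'log' appends to `log` and keeps going, no match at all means 'deny'."""
    policies = iface.rx_policies if direction == 'rx' else iface.tx_policies
    for pol in policies:
        for rule in (pol.rx if direction == 'rx' else pol.tx):
            if not rule.applies(pkt):
                continue
            if rule.action == 'log':
                if log is not None:
                    log.append((direction, rule.rule_id, pkt['src'], pkt['dst']))
                continue
            if rule.action in ('allow', 'deny'):
                return rule.action
            raise ValueError('unsupported action %r' % rule.action)
    return 'deny'  # assumed implicit default when nothing matched


def packet(src, dst, src_port=0, dst_port=0, af=4) -> dict:
    return {'src': src, 'dst': dst, 'src_port': src_port,
            'dst_port': dst_port, 'af': af}


def quick_start_interface() -> Interface:
    """Rebuild the Quick Start: ipset 0, rule 0 (deny src in set 0),
    rule 1 (allow), policy 0 = rx [0, 1] / tx [1], applied to loop0."""
    s0 = IPSet(0)
    s0.add_member('20.0.0.0/24')
    r0 = Rule(0, 'deny', 4, [Match('src', 'set', s0)])
    r1 = Rule(1, 'allow', 4)
    p0 = Policy(0, rx=[r0, r1], tx=[r1])
    # assumption: "npol interface configure loop0 0" installs policy 0 on both sides
    return Interface('loop0', rx_policies=[p0], tx_policies=[p0])


if __name__ == '__main__':
    loop0 = quick_start_interface()
    for src in ('20.0.0.7', '30.0.0.7'):
        for direction in ('rx', 'tx'):
            verdict = evaluate(loop0, packet(src, '10.0.0.1'), direction)
            print(direction, src, '->', '10.0.0.1', verdict)
```

Running the block prints the four verdicts for the Quick Start: a packet from 20.0.0.7 is denied on RX but allowed on TX (policy 0 only carries rule 1 on TX), and a packet from 30.0.0.7 is allowed in both directions. Swapping the order of rules 0 and 1 in the RX list would allow everything, which is the usual ordering mistake to check for when a deny rule appears not to fire.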
Summary
IP sets define groups of IPs, prefixes, or IP:port pairs.
Rules define match conditions and actions (allow, deny, log, pass).
Policies group rules per direction (RX/TX).
Interfaces are configured with policies, enforcing filtering in the datapath.
This modular design allows fine-grained policy enforcement directly in VPP with efficient data structures.