== VICCI Policy Configuration ==

The control framework of the [http://vicci.planet-lab.org VICCI testbed] is based on [http://svn.planet-lab.org/wiki/MyPLCUserGuide MyPLC] and supports the [http://groups.geni.net/geni/wiki/GeniApi GENI AM API]. Access to VICCI via the GENI AM API is limited to a set of approved PlanetLab slices (a “whitelist”). Only whitelisted slices are able to list and allocate VICCI resources. The whitelist is enforced by the [http://svn.planet-lab.org/raw-attachment/wiki/WikiStart/sfatables.pdf sfatables] policy engine that runs as part of the VICCI Aggregate Manager. Sfatables is inspired by the ''iptables'' firewall tool, so configuring sfatables should be fairly intuitive for those familiar with iptables. Following is a brief description of how the VICCI whitelist is configured using sfatables.

The first step is to configure sfatables to reject resource requests by default. To accomplish this, two commands are run on the machine that hosts the VICCI Aggregate Manager:

{{{
# sfatables -A INCOMING -- -m all -- -j REJECT
# sfatables -A OUTGOING -- -m all -- -j REJECT
}}}

All resource requests that match these default rules will receive a response like this:

{{{
Your resource-allocation request has been rejected.
}}}

In order to allow some slices to access VICCI resources, the PI at a VICCI site emails the name of the slice to PlanetLab support, and the support team adds the slice HRN to the sfatables whitelist. For example, suppose that the slice is ''plc.princeton.foo''. The support team would execute the following commands at the VICCI Aggregate Manager:

{{{
# sfatables -I INCOMING 1 -- -m slice --hrn=plc.princeton.foo -- -j ACCEPT
# sfatables -I OUTGOING 1 -- -m slice --hrn=plc.princeton.foo -- -j ACCEPT
}}}

These rules would be inserted at the front of the INCOMING and OUTGOING chains, ahead of the default REJECT rules. A resource request for the specified slice matches the ACCEPT rule and is allowed to proceed. Otherwise the default rule is matched, and the request is denied.
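The ordering point above (append the default REJECT with `-A`, then insert each ACCEPT at position 1 with `-I`) is what makes the whitelist work, because sfatables chains are evaluated first-match-wins. The following is an added model of that evaluation, not sfatables' own code: it assumes only the `-m all` and `-m slice --hrn=` matchers used on this page and assumes an empty chain permits a request.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    match: str                 # "all" (-m all) or "slice" (-m slice)
    target: str                # "ACCEPT" or "REJECT" (-j)
    hrn: Optional[str] = None  # --hrn=... for -m slice

    def matches(self, slice_hrn: str) -> bool:
        return self.match == "all" or (self.match == "slice" and self.hrn == slice_hrn)


@dataclass
class Chains:
    chains: Dict[str, List[Rule]] = field(
        default_factory=lambda: {"INCOMING": [], "OUTGOING": []})

    def append(self, chain: str, rule: Rule) -> None:
        """sfatables -A CHAIN ...: rule goes to the end of the chain."""
        self.chains[chain].append(rule)

    def insert(self, chain: str, pos: int, rule: Rule) -> None:
        """sfatables -I CHAIN POS ...: rule goes at 1-based position POS."""
        self.chains[chain].insert(pos - 1, rule)

    def evaluate(self, chain: str, slice_hrn: str) -> str:
        """First matching rule decides (assumption: an empty chain permits)."""
        for rule in self.chains[chain]:
            if rule.matches(slice_hrn):
                return rule.target
        return "ACCEPT"


def build_whitelist(slice_hrns: List[str]) -> Chains:
    """Default-deny both chains, then put each approved slice at the front."""
    c = Chains()
    for chain in ("INCOMING", "OUTGOING"):
        c.append(chain, Rule("all", "REJECT"))
    for hrn in slice_hrns:
        for chain in ("INCOMING", "OUTGOING"):
            c.insert(chain, 1, Rule("slice", "ACCEPT", hrn))
    return c


def build_misordered(slice_hrn: str) -> Chains:
    """Pitfall: ACCEPT appended after the default REJECT is never reached."""
    c = Chains()
    for chain in ("INCOMING", "OUTGOING"):
        c.append(chain, Rule("all", "REJECT"))
        c.append(chain, Rule("slice", "ACCEPT", slice_hrn))
    return c
```

Running `build_whitelist(["plc.princeton.foo"])` yields ACCEPT for that slice and REJECT for any other HRN, while `build_misordered` shows that the same ACCEPT rule added with `-A` instead of `-I CHAIN 1` is shadowed by the default rule.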