2018-01-09 19:55:10 -06:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
#
|
|
|
|
|
# caclmgrd
|
|
|
|
|
#
|
|
|
|
|
# Control plane ACL manager daemon for SONiC
|
|
|
|
|
#
|
|
|
|
|
# Upon starting, this daemon reads control plane ACL tables and rules from
|
|
|
|
|
# Config DB, converts the rules into iptables rules and installs the iptables
|
|
|
|
|
# rules. The daemon then indefintely listens for notifications from Config DB
|
|
|
|
|
# and updates iptables rules if control plane ACL configuration has changed.
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
try:
|
2020-05-11 14:36:47 -05:00
|
|
|
import ipaddress
|
2018-01-09 19:55:10 -06:00
|
|
|
import os
|
|
|
|
|
import subprocess
|
|
|
|
|
import sys
|
2020-10-19 13:11:30 -05:00
|
|
|
import threading
|
|
|
|
|
import time
|
2020-08-20 17:11:42 -05:00
|
|
|
|
2020-09-15 15:34:41 -05:00
|
|
|
from sonic_py_common import daemon_base, device_info
|
2020-08-20 17:11:42 -05:00
|
|
|
from swsscommon import swsscommon
|
|
|
|
|
from swsssdk import SonicDBConfig, ConfigDBConnector
|
2018-01-09 19:55:10 -06:00
|
|
|
except ImportError as err:
|
|
|
|
|
raise ImportError("%s - required module not found" % str(err))
|
|
|
|
|
|
|
|
|
|
VERSION = "1.0"
|
|
|
|
|
|
|
|
|
|
SYSLOG_IDENTIFIER = "caclmgrd"
|
|
|
|
|
|
2020-10-19 13:11:30 -05:00
|
|
|
DEFAULT_NAMESPACE = ''
|
|
|
|
|
|
2018-01-09 19:55:10 -06:00
|
|
|
|
2020-05-12 20:16:55 -05:00
|
|
|
# ========================== Helper Functions =========================
|
|
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
|
2020-05-12 20:16:55 -05:00
|
|
|
def _ip_prefix_in_key(key):
|
|
|
|
|
"""
|
|
|
|
|
Function to check if IP prefix is present in a Redis database key.
|
|
|
|
|
If it is present, then the key will be a tuple. Otherwise, the
|
|
|
|
|
key will be a string.
|
|
|
|
|
"""
|
|
|
|
|
return (isinstance(key, tuple))
|
2018-01-09 19:55:10 -06:00
|
|
|
|
|
|
|
|
# ============================== Classes ==============================
|
|
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
|
2020-09-15 15:34:41 -05:00
|
|
|
class ControlPlaneAclManager(daemon_base.DaemonBase):
|
2018-01-09 19:55:10 -06:00
|
|
|
"""
|
|
|
|
|
Class which reads control plane ACL tables and rules from Config DB,
|
|
|
|
|
translates them into equivalent iptables commands and runs those
|
|
|
|
|
commands in order to apply the control plane ACLs.
|
|
|
|
|
Attributes:
|
|
|
|
|
config_db: Handle to Config Redis database via SwSS SDK
|
|
|
|
|
"""
|
|
|
|
|
ACL_TABLE = "ACL_TABLE"
|
|
|
|
|
ACL_RULE = "ACL_RULE"
|
|
|
|
|
|
|
|
|
|
ACL_TABLE_TYPE_CTRLPLANE = "CTRLPLANE"
|
|
|
|
|
|
2020-05-11 14:36:47 -05:00
|
|
|
# To specify a port range instead of a single port, use iptables format:
|
|
|
|
|
# separate start and end ports with a colon, e.g., "1000:2000"
|
2018-01-09 19:55:10 -06:00
|
|
|
ACL_SERVICES = {
|
2020-05-11 14:36:47 -05:00
|
|
|
"NTP": {
|
|
|
|
|
"ip_protocols": ["udp"],
|
2021-02-25 11:39:36 -06:00
|
|
|
"dst_ports": ["123"],
|
|
|
|
|
"multi_asic_ns_to_host_fwd":False
|
2020-05-11 14:36:47 -05:00
|
|
|
},
|
|
|
|
|
"SNMP": {
|
|
|
|
|
"ip_protocols": ["tcp", "udp"],
|
2021-02-25 11:39:36 -06:00
|
|
|
"dst_ports": ["161"],
|
|
|
|
|
"multi_asic_ns_to_host_fwd":True
|
2020-05-11 14:36:47 -05:00
|
|
|
},
|
|
|
|
|
"SSH": {
|
|
|
|
|
"ip_protocols": ["tcp"],
|
2021-02-25 11:39:36 -06:00
|
|
|
"dst_ports": ["22"],
|
|
|
|
|
"multi_asic_ns_to_host_fwd":True
|
2020-05-11 14:36:47 -05:00
|
|
|
}
|
2018-01-09 19:55:10 -06:00
|
|
|
}
|
|
|
|
|
|
2020-10-19 13:11:30 -05:00
|
|
|
UPDATE_DELAY_SECS = 0.5
|
|
|
|
|
|
2020-09-15 15:34:41 -05:00
|
|
|
def __init__(self, log_identifier):
|
|
|
|
|
super(ControlPlaneAclManager, self).__init__(log_identifier)
|
|
|
|
|
|
2020-10-19 13:11:30 -05:00
|
|
|
# Update-thread-specific data per namespace
|
|
|
|
|
self.update_thread = {}
|
|
|
|
|
self.lock = {}
|
|
|
|
|
self.num_changes = {}
|
|
|
|
|
|
|
|
|
|
# Initialize update-thread-specific data for default namespace
|
|
|
|
|
self.update_thread[DEFAULT_NAMESPACE] = None
|
|
|
|
|
self.lock[DEFAULT_NAMESPACE] = threading.Lock()
|
|
|
|
|
self.num_changes[DEFAULT_NAMESPACE] = 0
|
|
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
SonicDBConfig.load_sonic_global_db_config()
|
|
|
|
|
self.config_db_map = {}
|
|
|
|
|
self.iptables_cmd_ns_prefix = {}
|
2020-10-19 13:11:30 -05:00
|
|
|
self.config_db_map[DEFAULT_NAMESPACE] = ConfigDBConnector(use_unix_socket_path=True, namespace=DEFAULT_NAMESPACE)
|
|
|
|
|
self.config_db_map[DEFAULT_NAMESPACE].connect()
|
|
|
|
|
self.iptables_cmd_ns_prefix[DEFAULT_NAMESPACE] = ""
|
|
|
|
|
self.namespace_mgmt_ip = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[DEFAULT_NAMESPACE], DEFAULT_NAMESPACE)
|
|
|
|
|
self.namespace_mgmt_ipv6 = self.get_namespace_mgmt_ipv6(self.iptables_cmd_ns_prefix[DEFAULT_NAMESPACE], DEFAULT_NAMESPACE)
|
2020-08-20 17:11:42 -05:00
|
|
|
self.namespace_docker_mgmt_ip = {}
|
2020-09-26 14:14:30 -05:00
|
|
|
self.namespace_docker_mgmt_ipv6 = {}
|
2020-10-19 13:11:30 -05:00
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
namespaces = device_info.get_all_namespaces()
|
|
|
|
|
for front_asic_namespace in namespaces['front_ns']:
|
2020-10-19 13:11:30 -05:00
|
|
|
self.update_thread[front_asic_namespace] = None
|
|
|
|
|
self.lock[front_asic_namespace] = threading.Lock()
|
|
|
|
|
self.num_changes[front_asic_namespace] = 0
|
|
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
self.config_db_map[front_asic_namespace] = ConfigDBConnector(use_unix_socket_path=True, namespace=front_asic_namespace)
|
|
|
|
|
self.config_db_map[front_asic_namespace].connect()
|
|
|
|
|
self.iptables_cmd_ns_prefix[front_asic_namespace] = "ip netns exec " + front_asic_namespace + " "
|
|
|
|
|
self.namespace_docker_mgmt_ip[front_asic_namespace] = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[front_asic_namespace],
|
|
|
|
|
front_asic_namespace)
|
2020-09-26 14:14:30 -05:00
|
|
|
self.namespace_docker_mgmt_ipv6[front_asic_namespace] = self.get_namespace_mgmt_ipv6(self.iptables_cmd_ns_prefix[front_asic_namespace],
|
|
|
|
|
front_asic_namespace)
|
2020-08-20 17:11:42 -05:00
|
|
|
|
|
|
|
|
for back_asic_namespace in namespaces['back_ns']:
|
2020-10-19 13:11:30 -05:00
|
|
|
self.update_thread[back_asic_namespace] = None
|
|
|
|
|
self.lock[back_asic_namespace] = threading.Lock()
|
|
|
|
|
self.num_changes[back_asic_namespace] = 0
|
|
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
self.iptables_cmd_ns_prefix[back_asic_namespace] = "ip netns exec " + back_asic_namespace + " "
|
|
|
|
|
self.namespace_docker_mgmt_ip[back_asic_namespace] = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[back_asic_namespace],
|
|
|
|
|
back_asic_namespace)
|
2020-09-26 14:14:30 -05:00
|
|
|
self.namespace_docker_mgmt_ipv6[back_asic_namespace] = self.get_namespace_mgmt_ipv6(self.iptables_cmd_ns_prefix[back_asic_namespace],
|
|
|
|
|
back_asic_namespace)
|
2020-08-20 17:11:42 -05:00
|
|
|
|
|
|
|
|
def get_namespace_mgmt_ip(self, iptable_ns_cmd_prefix, namespace):
|
|
|
|
|
ip_address_get_command = iptable_ns_cmd_prefix + "ip -4 -o addr show " + ("eth0" if namespace else "docker0") +\
|
|
|
|
|
" | awk '{print $4}' | cut -d'/' -f1 | head -1"
|
|
|
|
|
|
|
|
|
|
return self.run_commands([ip_address_get_command])
|
2018-01-09 19:55:10 -06:00
|
|
|
|
2020-09-26 14:14:30 -05:00
|
|
|
def get_namespace_mgmt_ipv6(self, iptable_ns_cmd_prefix, namespace):
|
|
|
|
|
ipv6_address_get_command = iptable_ns_cmd_prefix + "ip -6 -o addr show scope global " + ("eth0" if namespace else "docker0") +\
|
|
|
|
|
" | awk '{print $4}' | cut -d'/' -f1 | head -1"
|
|
|
|
|
return self.run_commands([ipv6_address_get_command])
|
|
|
|
|
|
2018-01-09 19:55:10 -06:00
|
|
|
def run_commands(self, commands):
|
|
|
|
|
"""
|
|
|
|
|
Given a list of shell commands, run them in order
|
|
|
|
|
Args:
|
|
|
|
|
commands: List of strings, each string is a shell command
|
|
|
|
|
"""
|
|
|
|
|
for cmd in commands:
|
2020-08-20 17:11:42 -05:00
|
|
|
proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
|
2018-01-09 19:55:10 -06:00
|
|
|
|
|
|
|
|
(stdout, stderr) = proc.communicate()
|
|
|
|
|
|
|
|
|
|
if proc.returncode != 0:
|
2020-09-15 15:34:41 -05:00
|
|
|
self.log_error("Error running command '{}'".format(cmd))
|
2020-08-20 17:11:42 -05:00
|
|
|
elif stdout:
|
|
|
|
|
return stdout.rstrip('\n')
|
2018-01-09 19:55:10 -06:00
|
|
|
|
2018-06-19 23:14:49 -05:00
|
|
|
def parse_int_to_tcp_flags(self, hex_value):
|
|
|
|
|
tcp_flags_str = ""
|
|
|
|
|
if hex_value & 0x01:
|
|
|
|
|
tcp_flags_str += "FIN,"
|
|
|
|
|
if hex_value & 0x02:
|
|
|
|
|
tcp_flags_str += "SYN,"
|
|
|
|
|
if hex_value & 0x04:
|
|
|
|
|
tcp_flags_str += "RST,"
|
|
|
|
|
if hex_value & 0x08:
|
|
|
|
|
tcp_flags_str += "PSH,"
|
|
|
|
|
if hex_value & 0x10:
|
|
|
|
|
tcp_flags_str += "ACK,"
|
|
|
|
|
if hex_value & 0x20:
|
|
|
|
|
tcp_flags_str += "URG,"
|
|
|
|
|
# iptables doesn't handle the flags below now. It has some special keys for it:
|
|
|
|
|
# --ecn-tcp-cwr This matches if the TCP ECN CWR (Congestion Window Received) bit is set.
|
|
|
|
|
# --ecn-tcp-ece This matches if the TCP ECN ECE (ECN Echo) bit is set.
|
|
|
|
|
# if hex_value & 0x40:
|
|
|
|
|
# tcp_flags_str += "ECE,"
|
|
|
|
|
# if hex_value & 0x80:
|
|
|
|
|
# tcp_flags_str += "CWR,"
|
|
|
|
|
|
|
|
|
|
# Delete the trailing comma
|
|
|
|
|
tcp_flags_str = tcp_flags_str[:-1]
|
|
|
|
|
return tcp_flags_str
|
|
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
def generate_block_ip2me_traffic_iptables_commands(self, namespace):
|
2020-07-09 13:44:13 -05:00
|
|
|
INTERFACE_TABLE_NAME_LIST = [
|
|
|
|
|
"LOOPBACK_INTERFACE",
|
|
|
|
|
"MGMT_INTERFACE",
|
|
|
|
|
"VLAN_INTERFACE",
|
|
|
|
|
"PORTCHANNEL_INTERFACE",
|
|
|
|
|
"INTERFACE"
|
|
|
|
|
]
|
2020-05-11 14:36:47 -05:00
|
|
|
|
|
|
|
|
block_ip2me_cmds = []
|
|
|
|
|
|
2020-07-09 13:44:13 -05:00
|
|
|
# Add iptables rules to drop all packets destined for peer-to-peer interface IP addresses
|
|
|
|
|
for iface_table_name in INTERFACE_TABLE_NAME_LIST:
|
2020-08-20 17:11:42 -05:00
|
|
|
iface_table = self.config_db_map[namespace].get_table(iface_table_name)
|
2020-07-09 13:44:13 -05:00
|
|
|
if iface_table:
|
|
|
|
|
for key, _ in iface_table.iteritems():
|
|
|
|
|
if not _ip_prefix_in_key(key):
|
|
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
iface_name, iface_cidr = key
|
|
|
|
|
ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
|
|
|
|
|
|
|
|
|
|
# For VLAN interfaces, the IP address we want to block is the default gateway (i.e.,
|
|
|
|
|
# the first available host IP address of the VLAN subnet)
|
|
|
|
|
ip_addr = next(ip_ntwrk.hosts()) if iface_table_name == "VLAN_INTERFACE" else ip_ntwrk.network_address
|
|
|
|
|
|
|
|
|
|
if isinstance(ip_ntwrk, ipaddress.IPv4Network):
|
2020-08-20 17:11:42 -05:00
|
|
|
block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -d {}/{} -j DROP".format(ip_addr, ip_ntwrk.max_prefixlen))
|
2020-07-09 13:44:13 -05:00
|
|
|
elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
|
2020-08-20 17:11:42 -05:00
|
|
|
block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -d {}/{} -j DROP".format(ip_addr, ip_ntwrk.max_prefixlen))
|
2020-07-09 13:44:13 -05:00
|
|
|
else:
|
2020-09-15 15:34:41 -05:00
|
|
|
self.log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
|
2020-05-11 14:36:47 -05:00
|
|
|
|
|
|
|
|
return block_ip2me_cmds
|
|
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
def generate_allow_internal_docker_ip_traffic_commands(self, namespace):
|
|
|
|
|
allow_internal_docker_ip_cmds = []
|
|
|
|
|
|
|
|
|
|
if namespace:
|
2020-09-16 13:32:35 -05:00
|
|
|
# For namespace docker allow local communication on docker management ip for all proto
|
|
|
|
|
allow_internal_docker_ip_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -s {} -d {} -j ACCEPT".format
|
|
|
|
|
(self.namespace_docker_mgmt_ip[namespace], self.namespace_docker_mgmt_ip[namespace]))
|
|
|
|
|
|
2021-02-25 11:39:36 -06:00
|
|
|
allow_internal_docker_ip_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -s {} -d {} -j ACCEPT".format
|
|
|
|
|
(self.namespace_docker_mgmt_ipv6[namespace], self.namespace_docker_mgmt_ipv6[namespace]))
|
|
|
|
|
allow_internal_docker_ip_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -s {} -d {} -j ACCEPT".format
|
2020-08-20 17:11:42 -05:00
|
|
|
(self.namespace_mgmt_ip, self.namespace_docker_mgmt_ip[namespace]))
|
|
|
|
|
|
2021-02-25 11:39:36 -06:00
|
|
|
allow_internal_docker_ip_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -s {} -d {} -j ACCEPT".format
|
|
|
|
|
(self.namespace_mgmt_ipv6, self.namespace_docker_mgmt_ipv6[namespace]))
|
|
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
else:
|
2021-02-25 11:39:36 -06:00
|
|
|
|
|
|
|
|
# Also host namespace communication on docker bridge on multi-asic.
|
|
|
|
|
if self.namespace_docker_mgmt_ip:
|
|
|
|
|
allow_internal_docker_ip_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -s {} -d {} -j ACCEPT".format
|
|
|
|
|
(self.namespace_mgmt_ip, self.namespace_mgmt_ip))
|
|
|
|
|
|
|
|
|
|
if self.namespace_docker_mgmt_ipv6:
|
|
|
|
|
allow_internal_docker_ip_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -s {} -d {} -j ACCEPT".format
|
|
|
|
|
(self.namespace_mgmt_ipv6, self.namespace_mgmt_ipv6))
|
2020-08-20 17:11:42 -05:00
|
|
|
# In host allow all tcp/udp traffic from namespace docker eth0 management ip to host docker bridge
|
|
|
|
|
for docker_mgmt_ip in self.namespace_docker_mgmt_ip.values():
|
2021-02-25 11:39:36 -06:00
|
|
|
allow_internal_docker_ip_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -s {} -d {} -j ACCEPT".format
|
2020-08-20 17:11:42 -05:00
|
|
|
(docker_mgmt_ip, self.namespace_mgmt_ip))
|
|
|
|
|
|
2021-02-25 11:39:36 -06:00
|
|
|
for docker_mgmt_ipv6 in list(self.namespace_docker_mgmt_ipv6.values()):
|
|
|
|
|
allow_internal_docker_ip_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -s {} -d {} -j ACCEPT".format
|
|
|
|
|
(docker_mgmt_ipv6, self.namespace_mgmt_ipv6))
|
|
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
return allow_internal_docker_ip_cmds
|
|
|
|
|
|
2021-02-25 11:39:36 -06:00
|
|
|
def generate_fwd_traffic_from_namespace_to_host_commands(self, namespace, acl_source_ip_map):
|
2020-09-26 14:14:30 -05:00
|
|
|
"""
|
2021-02-25 11:39:36 -06:00
|
|
|
The below SNAT and DNAT rules are added in asic namespace in multi-ASIC platforms. It helps to forward request coming
|
|
|
|
|
in through the front panel interfaces created/present in the asic namespace for the servie running in linux host network namespace.
|
|
|
|
|
The external IP addresses are NATed to the internal docker IP addresses for the Host service to respond.
|
2020-09-26 14:14:30 -05:00
|
|
|
"""
|
|
|
|
|
|
2021-02-25 11:39:36 -06:00
|
|
|
if not namespace:
|
|
|
|
|
return []
|
|
|
|
|
|
|
|
|
|
fwd_traffic_from_namespace_to_host_cmds = []
|
|
|
|
|
fwd_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -t nat -X")
|
|
|
|
|
fwd_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -t nat -F")
|
|
|
|
|
fwd_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -X")
|
|
|
|
|
fwd_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -F")
|
|
|
|
|
|
|
|
|
|
for acl_service in self.ACL_SERVICES:
|
|
|
|
|
if self.ACL_SERVICES[acl_service]["multi_asic_ns_to_host_fwd"]:
|
|
|
|
|
# Get the Source IP Set if exists else use default source ip prefix
|
|
|
|
|
nat_source_ipv4_set = acl_source_ip_map[acl_service]["ipv4"] if acl_source_ip_map and acl_source_ip_map[acl_service]["ipv4"] else { "0.0.0.0/0" }
|
|
|
|
|
nat_source_ipv6_set = acl_source_ip_map[acl_service]["ipv6"] if acl_source_ip_map and acl_source_ip_map[acl_service]["ipv6"] else { "::/0" }
|
|
|
|
|
|
|
|
|
|
for ip_protocol in self.ACL_SERVICES[acl_service]["ip_protocols"]:
|
|
|
|
|
for dst_port in self.ACL_SERVICES[acl_service]["dst_ports"]:
|
|
|
|
|
for ipv4_src_ip in nat_source_ipv4_set:
|
|
|
|
|
# IPv4 rules
|
|
|
|
|
fwd_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] +
|
|
|
|
|
"iptables -t nat -A PREROUTING -p {} -s {} --dport {} -j DNAT --to-destination {}".format
|
|
|
|
|
(ip_protocol, ipv4_src_ip, dst_port,
|
|
|
|
|
self.namespace_mgmt_ip))
|
|
|
|
|
fwd_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] +
|
|
|
|
|
"iptables -t nat -A POSTROUTING -p {} -s {} --dport {} -j SNAT --to-source {}".format
|
|
|
|
|
(ip_protocol, ipv4_src_ip, dst_port,
|
|
|
|
|
self.namespace_docker_mgmt_ip[namespace]))
|
|
|
|
|
for ipv6_src_ip in nat_source_ipv6_set:
|
|
|
|
|
# IPv6 rules
|
|
|
|
|
fwd_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] +
|
|
|
|
|
"ip6tables -t nat -A PREROUTING -p {} -s {} --dport {} -j DNAT --to-destination {}".format
|
|
|
|
|
(ip_protocol, ipv6_src_ip, dst_port,
|
|
|
|
|
self.namespace_mgmt_ipv6))
|
|
|
|
|
fwd_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] +
|
|
|
|
|
"ip6tables -t nat -A POSTROUTING -p {} -s {} --dport {} -j SNAT --to-source {}".format
|
|
|
|
|
(ip_protocol,ipv6_src_ip, dst_port,
|
|
|
|
|
self.namespace_docker_mgmt_ipv6[namespace]))
|
|
|
|
|
|
|
|
|
|
return fwd_traffic_from_namespace_to_host_cmds
|
2020-09-26 14:14:30 -05:00
|
|
|
|
2020-07-15 12:24:44 -05:00
|
|
|
def is_rule_ipv4(self, rule_props):
|
|
|
|
|
if (("SRC_IP" in rule_props and rule_props["SRC_IP"]) or
|
2020-08-20 17:11:42 -05:00
|
|
|
("DST_IP" in rule_props and rule_props["DST_IP"])):
|
2020-07-15 12:24:44 -05:00
|
|
|
return True
|
|
|
|
|
else:
|
|
|
|
|
return False
|
|
|
|
|
|
|
|
|
|
def is_rule_ipv6(self, rule_props):
|
|
|
|
|
if (("SRC_IPV6" in rule_props and rule_props["SRC_IPV6"]) or
|
2020-08-20 17:11:42 -05:00
|
|
|
("DST_IPV6" in rule_props and rule_props["DST_IPV6"])):
|
2020-07-15 12:24:44 -05:00
|
|
|
return True
|
|
|
|
|
else:
|
|
|
|
|
return False
|
2020-05-11 14:36:47 -05:00
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
def get_acl_rules_and_translate_to_iptables_commands(self, namespace):
|
2018-01-09 19:55:10 -06:00
|
|
|
"""
|
|
|
|
|
Retrieves current ACL tables and rules from Config DB, translates
|
|
|
|
|
control plane ACLs into a list of iptables commands that can be run
|
|
|
|
|
in order to install ACL rules.
|
|
|
|
|
Returns:
|
|
|
|
|
A list of strings, each string is an iptables shell command
|
|
|
|
|
"""
|
|
|
|
|
iptables_cmds = []
|
2021-02-25 11:39:36 -06:00
|
|
|
service_to_source_ip_map = {}
|
2018-01-09 19:55:10 -06:00
|
|
|
|
|
|
|
|
# First, add iptables commands to set default policies to accept all
|
|
|
|
|
# traffic. In case we are connected remotely, the connection will not
|
|
|
|
|
# drop when we flush the current rules
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -P INPUT ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -P FORWARD ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -P OUTPUT ACCEPT")
|
2018-01-09 19:55:10 -06:00
|
|
|
|
|
|
|
|
# Add iptables command to flush the current rules
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -F")
|
2018-01-09 19:55:10 -06:00
|
|
|
|
|
|
|
|
# Add iptables command to delete all non-default chains
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -X")
|
2018-01-09 19:55:10 -06:00
|
|
|
|
2018-06-05 05:24:30 -05:00
|
|
|
# Add same set of commands for ip6tables
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -P INPUT ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -P FORWARD ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -P OUTPUT ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -F")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -X")
|
2018-06-05 05:24:30 -05:00
|
|
|
|
2020-05-11 14:36:47 -05:00
|
|
|
# Add iptables/ip6tables commands to allow all traffic from localhost
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -s 127.0.0.1 -i lo -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -s ::1 -i lo -j ACCEPT")
|
|
|
|
|
|
|
|
|
|
# Add iptables commands to allow internal docker traffic
|
|
|
|
|
iptables_cmds += self.generate_allow_internal_docker_ip_traffic_commands(namespace)
|
2018-07-13 12:27:47 -05:00
|
|
|
|
2020-05-11 14:36:47 -05:00
|
|
|
# Add iptables/ip6tables commands to allow all incoming packets from established
|
2020-06-18 02:18:20 -05:00
|
|
|
# connections or new connections which are related to established connections
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
|
2020-05-11 14:36:47 -05:00
|
|
|
|
|
|
|
|
# Add iptables/ip6tables commands to allow bidirectional ICMPv4 ping and traceroute
|
|
|
|
|
# TODO: Support processing ICMPv4 service ACL rules, and remove this blanket acceptance
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT")
|
2020-05-11 14:36:47 -05:00
|
|
|
|
|
|
|
|
# Add iptables/ip6tables commands to allow bidirectional ICMPv6 ping and traceroute
|
|
|
|
|
# TODO: Support processing ICMPv6 service ACL rules, and remove this blanket acceptance
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT")
|
2020-05-11 14:36:47 -05:00
|
|
|
|
|
|
|
|
# Add iptables/ip6tables commands to allow all incoming Neighbor Discovery Protocol (NDP) NS/NA/RS/RA messages
|
|
|
|
|
# TODO: Support processing NDP service ACL rules, and remove this blanket acceptance
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT")
|
2020-05-11 14:36:47 -05:00
|
|
|
|
|
|
|
|
# Add iptables/ip6tables commands to allow all incoming IPv4 DHCP packets
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -p udp --dport 67:68 -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p udp --dport 67:68 -j ACCEPT")
|
2020-05-11 14:36:47 -05:00
|
|
|
|
|
|
|
|
# Add iptables/ip6tables commands to allow all incoming IPv6 DHCP packets
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -p udp --dport 546:547 -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p udp --dport 546:547 -j ACCEPT")
|
2020-05-11 14:36:47 -05:00
|
|
|
|
|
|
|
|
# Add iptables/ip6tables commands to allow all incoming BGP traffic
|
|
|
|
|
# TODO: Determine BGP ACLs based on configured device sessions, and remove this blanket acceptance
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -p tcp --dport 179 -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -p tcp --sport 179 -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p tcp --dport 179 -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p tcp --sport 179 -j ACCEPT")
|
2020-05-11 14:36:47 -05:00
|
|
|
|
2018-01-09 19:55:10 -06:00
|
|
|
# Get current ACL tables and rules from Config DB
|
2020-08-20 17:11:42 -05:00
|
|
|
self._tables_db_info = self.config_db_map[namespace].get_table(self.ACL_TABLE)
|
|
|
|
|
self._rules_db_info = self.config_db_map[namespace].get_table(self.ACL_RULE)
|
2018-01-09 19:55:10 -06:00
|
|
|
|
2020-05-11 14:36:47 -05:00
|
|
|
num_ctrl_plane_acl_rules = 0
|
|
|
|
|
|
2018-01-09 19:55:10 -06:00
|
|
|
# Walk the ACL tables
|
|
|
|
|
for (table_name, table_data) in self._tables_db_info.iteritems():
|
2018-06-05 05:24:30 -05:00
|
|
|
|
|
|
|
|
table_ip_version = None
|
|
|
|
|
|
2018-01-09 19:55:10 -06:00
|
|
|
# Ignore non-control-plane ACL tables
|
|
|
|
|
if table_data["type"] != self.ACL_TABLE_TYPE_CTRLPLANE:
|
|
|
|
|
continue
|
|
|
|
|
|
2018-04-10 20:14:12 -05:00
|
|
|
acl_services = table_data["services"]
|
2018-01-09 19:55:10 -06:00
|
|
|
|
2018-04-10 20:14:12 -05:00
|
|
|
for acl_service in acl_services:
|
|
|
|
|
if acl_service not in self.ACL_SERVICES:
|
2020-09-15 15:34:41 -05:00
|
|
|
self.log_warning("Ignoring control plane ACL '{}' with unrecognized service '{}'"
|
|
|
|
|
.format(table_name, acl_service))
|
2018-01-09 19:55:10 -06:00
|
|
|
continue
|
|
|
|
|
|
2020-09-15 15:34:41 -05:00
|
|
|
self.log_info("Translating ACL rules for control plane ACL '{}' (service: '{}')"
|
|
|
|
|
.format(table_name, acl_service))
|
2018-04-10 20:14:12 -05:00
|
|
|
|
|
|
|
|
# Obtain default IP protocol(s) and destination port(s) for this service
|
|
|
|
|
ip_protocols = self.ACL_SERVICES[acl_service]["ip_protocols"]
|
|
|
|
|
dst_ports = self.ACL_SERVICES[acl_service]["dst_ports"]
|
|
|
|
|
|
|
|
|
|
acl_rules = {}
|
|
|
|
|
|
|
|
|
|
for ((rule_table_name, rule_id), rule_props) in self._rules_db_info.iteritems():
|
2020-11-13 13:41:05 -06:00
|
|
|
rule_props = {k.upper(): v for k,v in rule_props.iteritems()}
|
2018-04-10 20:14:12 -05:00
|
|
|
if rule_table_name == table_name:
|
2019-01-23 20:47:05 -06:00
|
|
|
if not rule_props:
|
2020-09-15 15:34:41 -05:00
|
|
|
self.log_warning("rule_props for rule_id {} empty or null!".format(rule_id))
|
2019-01-23 20:47:05 -06:00
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
acl_rules[rule_props["PRIORITY"]] = rule_props
|
|
|
|
|
except KeyError:
|
2020-09-15 15:34:41 -05:00
|
|
|
self.log_error("rule_props for rule_id {} does not have key 'PRIORITY'!".format(rule_id))
|
2019-01-23 20:47:05 -06:00
|
|
|
continue
|
2018-04-10 20:14:12 -05:00
|
|
|
|
2018-06-05 05:24:30 -05:00
|
|
|
# If we haven't determined the IP version for this ACL table yet,
|
2019-12-19 09:15:27 -06:00
|
|
|
# try to do it now. We attempt to determine heuristically based on
|
|
|
|
|
# whether the src or dst IP of this rule is an IPv4 or IPv6 address.
|
|
|
|
|
if not table_ip_version:
|
2020-07-15 12:24:44 -05:00
|
|
|
if self.is_rule_ipv6(rule_props):
|
2018-06-05 05:24:30 -05:00
|
|
|
table_ip_version = 6
|
2020-07-15 12:24:44 -05:00
|
|
|
elif self.is_rule_ipv4(rule_props):
|
2018-06-05 05:24:30 -05:00
|
|
|
table_ip_version = 4
|
|
|
|
|
|
2020-07-15 12:24:44 -05:00
|
|
|
if (self.is_rule_ipv6(rule_props) and (table_ip_version == 4)):
|
2020-09-15 15:34:41 -05:00
|
|
|
self.log_error("CtrlPlane ACL table {} is a IPv4 based table and rule {} is a IPV6 rule! Ignoring rule."
|
|
|
|
|
.format(table_name, rule_id))
|
2020-07-15 12:24:44 -05:00
|
|
|
acl_rules.pop(rule_props["PRIORITY"])
|
|
|
|
|
elif (self.is_rule_ipv4(rule_props) and (table_ip_version == 6)):
|
2020-09-15 15:34:41 -05:00
|
|
|
self.log_error("CtrlPlane ACL table {} is a IPv6 based table and rule {} is a IPV4 rule! Ignroing rule."
|
|
|
|
|
.format(table_name, rule_id))
|
2020-07-15 12:24:44 -05:00
|
|
|
acl_rules.pop(rule_props["PRIORITY"])
|
|
|
|
|
|
2018-06-05 05:24:30 -05:00
|
|
|
# If we were unable to determine whether this ACL table contains
|
|
|
|
|
# IPv4 or IPv6 rules, log a message and skip processing this table.
|
|
|
|
|
if not table_ip_version:
|
2020-09-15 15:34:41 -05:00
|
|
|
self.log_warning("Unable to determine if ACL table '{}' contains IPv4 or IPv6 rules. Skipping table..."
|
|
|
|
|
.format(table_name))
|
2018-06-05 05:24:30 -05:00
|
|
|
continue
|
2021-02-25 11:39:36 -06:00
|
|
|
ipv4_src_ip_set = set()
|
|
|
|
|
ipv6_src_ip_set = set()
|
2018-04-10 20:14:12 -05:00
|
|
|
# For each ACL rule in this table (in descending order of priority)
|
|
|
|
|
for priority in sorted(acl_rules.iterkeys(), reverse=True):
|
|
|
|
|
rule_props = acl_rules[priority]
|
|
|
|
|
|
|
|
|
|
if "PACKET_ACTION" not in rule_props:
|
2020-09-15 15:34:41 -05:00
|
|
|
self.log_error("ACL rule does not contain PACKET_ACTION property")
|
2018-04-10 20:14:12 -05:00
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
# Apply the rule to the default protocol(s) for this ACL service
|
|
|
|
|
for ip_protocol in ip_protocols:
|
|
|
|
|
for dst_port in dst_ports:
|
2018-06-05 05:24:30 -05:00
|
|
|
rule_cmd = "ip6tables" if table_ip_version == 6 else "iptables"
|
|
|
|
|
rule_cmd += " -A INPUT -p {}".format(ip_protocol)
|
2018-04-10 20:14:12 -05:00
|
|
|
|
2020-01-17 19:33:31 -06:00
|
|
|
if "SRC_IPV6" in rule_props and rule_props["SRC_IPV6"]:
|
|
|
|
|
rule_cmd += " -s {}".format(rule_props["SRC_IPV6"])
|
2021-02-25 11:39:36 -06:00
|
|
|
if rule_props["PACKET_ACTION"] == "ACCEPT":
|
|
|
|
|
ipv6_src_ip_set.add(rule_props["SRC_IPV6"])
|
2020-01-17 19:33:31 -06:00
|
|
|
elif "SRC_IP" in rule_props and rule_props["SRC_IP"]:
|
2018-04-10 20:14:12 -05:00
|
|
|
rule_cmd += " -s {}".format(rule_props["SRC_IP"])
|
2021-02-25 11:39:36 -06:00
|
|
|
if rule_props["PACKET_ACTION"] == "ACCEPT":
|
|
|
|
|
ipv4_src_ip_set.add(rule_props["SRC_IP"])
|
2018-04-10 20:14:12 -05:00
|
|
|
|
|
|
|
|
rule_cmd += " --dport {}".format(dst_port)
|
|
|
|
|
|
2018-06-19 23:14:49 -05:00
|
|
|
# If there are TCP flags present and ip protocol is TCP, append them
|
|
|
|
|
if ip_protocol == "tcp" and "TCP_FLAGS" in rule_props and rule_props["TCP_FLAGS"]:
|
|
|
|
|
tcp_flags, tcp_flags_mask = rule_props["TCP_FLAGS"].split("/")
|
|
|
|
|
|
|
|
|
|
tcp_flags = int(tcp_flags, 16)
|
|
|
|
|
tcp_flags_mask = int(tcp_flags_mask, 16)
|
|
|
|
|
|
|
|
|
|
if tcp_flags_mask > 0:
|
2020-08-20 17:11:42 -05:00
|
|
|
rule_cmd += " --tcp-flags {mask} {flags}".format(mask=self.parse_int_to_tcp_flags(tcp_flags_mask), flags=self.parse_int_to_tcp_flags(tcp_flags))
|
2018-04-10 20:14:12 -05:00
|
|
|
|
|
|
|
|
# Append the packet action as the jump target
|
|
|
|
|
rule_cmd += " -j {}".format(rule_props["PACKET_ACTION"])
|
|
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + rule_cmd)
|
2020-05-11 14:36:47 -05:00
|
|
|
num_ctrl_plane_acl_rules += 1
|
|
|
|
|
|
2021-02-25 11:39:36 -06:00
|
|
|
|
|
|
|
|
service_to_source_ip_map.update({ acl_service:{ "ipv4":ipv4_src_ip_set, "ipv6":ipv6_src_ip_set } })
|
|
|
|
|
|
2020-05-11 14:36:47 -05:00
|
|
|
# Add iptables commands to block ip2me traffic
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds += self.generate_block_ip2me_traffic_iptables_commands(namespace)
|
2020-05-11 14:36:47 -05:00
|
|
|
|
|
|
|
|
# Add iptables/ip6tables commands to allow all incoming packets with TTL of 0 or 1
|
|
|
|
|
# This allows the device to respond to tools like tcptraceroute
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -m ttl --ttl-lt 2 -j ACCEPT")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p tcp -m hl --hl-lt 2 -j ACCEPT")
|
2020-05-11 14:36:47 -05:00
|
|
|
|
|
|
|
|
# Finally, if the device has control plane ACLs configured,
|
|
|
|
|
# add iptables/ip6tables commands to drop all other incoming packets
|
|
|
|
|
if num_ctrl_plane_acl_rules > 0:
|
2020-08-20 17:11:42 -05:00
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -j DROP")
|
|
|
|
|
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -j DROP")
|
2018-01-09 19:55:10 -06:00
|
|
|
|
2021-02-25 11:39:36 -06:00
|
|
|
return iptables_cmds, service_to_source_ip_map
|
2018-01-09 19:55:10 -06:00
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
def update_control_plane_acls(self, namespace):
|
2018-01-09 19:55:10 -06:00
|
|
|
"""
|
|
|
|
|
Convenience wrapper which retrieves current ACL tables and rules from
|
|
|
|
|
Config DB, translates control plane ACLs into a list of iptables
|
|
|
|
|
commands and runs them.
|
|
|
|
|
"""
|
2021-02-25 11:39:36 -06:00
|
|
|
iptables_cmds, service_to_source_ip_map = self.get_acl_rules_and_translate_to_iptables_commands(namespace)
|
2020-09-15 15:34:41 -05:00
|
|
|
self.log_info("Issuing the following iptables commands:")
|
2018-01-09 19:55:10 -06:00
|
|
|
for cmd in iptables_cmds:
|
2020-09-15 15:34:41 -05:00
|
|
|
self.log_info(" " + cmd)
|
2018-01-09 19:55:10 -06:00
|
|
|
|
|
|
|
|
self.run_commands(iptables_cmds)
|
|
|
|
|
|
2021-02-25 11:39:36 -06:00
|
|
|
self.update_control_plane_nat_acls(namespace, service_to_source_ip_map)
|
|
|
|
|
|
|
|
|
|
def update_control_plane_nat_acls(self, namespace, service_to_source_ip_map):
|
2020-09-26 14:14:30 -05:00
|
|
|
"""
|
2021-02-25 11:39:36 -06:00
|
|
|
Convenience wrapper for multi-asic platforms
|
|
|
|
|
which programs the NAT rules for redirecting the
|
|
|
|
|
traffic coming on the front panel interface map to namespace
|
|
|
|
|
to the host.
|
2020-09-26 14:14:30 -05:00
|
|
|
"""
|
2021-02-25 11:39:36 -06:00
|
|
|
# Add iptables commands to allow front panel traffic
|
|
|
|
|
iptables_cmds = self.generate_fwd_traffic_from_namespace_to_host_commands(namespace, service_to_source_ip_map)
|
|
|
|
|
|
2020-09-26 14:14:30 -05:00
|
|
|
self.log_info("Issuing the following iptables commands:")
|
|
|
|
|
for cmd in iptables_cmds:
|
|
|
|
|
self.log_info(" " + cmd)
|
|
|
|
|
|
|
|
|
|
self.run_commands(iptables_cmds)
|
|
|
|
|
|
2020-10-19 13:11:30 -05:00
|
|
|
def check_and_update_control_plane_acls(self, namespace, num_changes):
|
|
|
|
|
"""
|
|
|
|
|
This function is intended to be spawned in a separate thread.
|
|
|
|
|
Its purpose is to prevent unnecessary iptables updates if we receive
|
|
|
|
|
multiple rapid ACL table update notifications. It sleeps for UPDATE_DELAY_SECS
|
|
|
|
|
then checks if any more ACL table updates were received in that window. If new
|
|
|
|
|
updates were received, it will sleep again and repeat the process until no
|
|
|
|
|
updates were received during the delay window, at which point it will update
|
|
|
|
|
iptables using the current ACL rules.
|
|
|
|
|
"""
|
|
|
|
|
while True:
|
|
|
|
|
# Sleep for our delay interval
|
|
|
|
|
time.sleep(self.UPDATE_DELAY_SECS)
|
|
|
|
|
|
|
|
|
|
with self.lock[namespace]:
|
|
|
|
|
if self.num_changes[namespace] > num_changes:
|
|
|
|
|
# More ACL table changes occurred since this thread was spawned
|
|
|
|
|
# spawn a new thread with the current number of changes
|
|
|
|
|
new_changes = self.num_changes[namespace] - num_changes
|
|
|
|
|
self.log_info("ACL config not stable for namespace '{}': {} changes detected in the past {} seconds. Skipping update ..."
|
|
|
|
|
.format(namespace, new_changes, self.UPDATE_DELAY_SECS))
|
|
|
|
|
num_changes = self.num_changes[namespace]
|
|
|
|
|
else:
|
|
|
|
|
if num_changes == self.num_changes[namespace] and num_changes > 0:
|
|
|
|
|
self.log_info("ACL config for namespace '{}' has not changed for {} seconds. Applying updates ..."
|
|
|
|
|
.format(namespace, self.UPDATE_DELAY_SECS))
|
|
|
|
|
self.update_control_plane_acls(namespace)
|
|
|
|
|
else:
|
|
|
|
|
self.log_error("Error updating ACLs for namespace '{}'".format(namespace))
|
|
|
|
|
|
|
|
|
|
# Re-initialize
|
|
|
|
|
self.num_changes[namespace] = 0
|
|
|
|
|
self.update_thread[namespace] = None
|
|
|
|
|
return
|
|
|
|
|
|
2018-01-09 19:55:10 -06:00
|
|
|
def run(self):
|
2020-10-19 13:11:30 -05:00
|
|
|
# Set select timeout to 1 second
|
|
|
|
|
SELECT_TIMEOUT_MS = 1000
|
2020-08-20 17:11:42 -05:00
|
|
|
|
2020-09-15 15:34:41 -05:00
|
|
|
self.log_info("Starting up ...")
|
|
|
|
|
|
|
|
|
|
if not os.geteuid() == 0:
|
|
|
|
|
self.log_error("Must be root to run this daemon")
|
|
|
|
|
print("Error: Must be root to run this daemon")
|
|
|
|
|
sys.exit(1)
|
|
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
# Initlaize Global config that loads all database*.json
|
|
|
|
|
if device_info.is_multi_npu():
|
|
|
|
|
swsscommon.SonicDBConfig.initializeGlobalConfig()
|
|
|
|
|
|
|
|
|
|
# Create the Select object
|
|
|
|
|
sel = swsscommon.Select()
|
|
|
|
|
# Map of Namespace <--> susbcriber table's object
|
|
|
|
|
config_db_subscriber_table_map = {}
|
|
|
|
|
|
2020-10-19 13:11:30 -05:00
|
|
|
# Loop through all asic namespaces (if present) and host namespace (DEFAULT_NAMESPACE)
|
2020-08-20 17:11:42 -05:00
|
|
|
for namespace in self.config_db_map.keys():
|
|
|
|
|
# Unconditionally update control plane ACLs once at start on given namespace
|
|
|
|
|
self.update_control_plane_acls(namespace)
|
|
|
|
|
# Connect to Config DB of given namespace
|
|
|
|
|
acl_db_connector = swsscommon.DBConnector("CONFIG_DB", 0, False, namespace)
|
|
|
|
|
# Subscribe to notifications when ACL tables changes
|
|
|
|
|
subscribe_acl_table = swsscommon.SubscriberStateTable(acl_db_connector, swsscommon.CFG_ACL_TABLE_TABLE_NAME)
|
|
|
|
|
# Subscribe to notifications when ACL rule tables changes
|
|
|
|
|
subscribe_acl_rule_table = swsscommon.SubscriberStateTable(acl_db_connector, swsscommon.CFG_ACL_RULE_TABLE_NAME)
|
|
|
|
|
# Add both tables to the selectable object
|
|
|
|
|
sel.addSelectable(subscribe_acl_table)
|
|
|
|
|
sel.addSelectable(subscribe_acl_rule_table)
|
|
|
|
|
# Update the map
|
|
|
|
|
config_db_subscriber_table_map[namespace] = []
|
|
|
|
|
config_db_subscriber_table_map[namespace].append(subscribe_acl_table)
|
|
|
|
|
config_db_subscriber_table_map[namespace].append(subscribe_acl_rule_table)
|
2020-10-08 13:31:09 -05:00
|
|
|
|
|
|
|
|
# Get the ACL rule table seprator
|
|
|
|
|
acl_rule_table_seprator = subscribe_acl_rule_table.getTableNameSeparator()
|
|
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
# Loop on select to see if any event happen on config db of any namespace
|
|
|
|
|
while True:
|
2020-10-14 10:05:33 -05:00
|
|
|
ctrl_plane_acl_notification = set()
|
2020-10-19 13:11:30 -05:00
|
|
|
|
|
|
|
|
# A brief sleep appears necessary in this loop or any spawned
|
|
|
|
|
# update threads will get stuck. Appears to be due to the sel.select() call.
|
|
|
|
|
# TODO: Eliminate the need for this sleep.
|
|
|
|
|
time.sleep(0.1)
|
|
|
|
|
|
2020-09-03 18:45:33 -05:00
|
|
|
(state, selectableObj) = sel.select(SELECT_TIMEOUT_MS)
|
2020-08-20 17:11:42 -05:00
|
|
|
# Continue if select is timeout or selectable object is not return
|
|
|
|
|
if state != swsscommon.Select.OBJECT:
|
|
|
|
|
continue
|
2020-10-19 13:11:30 -05:00
|
|
|
|
|
|
|
|
# Get the redisselect object from selectable object
|
2020-09-03 18:45:33 -05:00
|
|
|
redisSelectObj = swsscommon.CastSelectableToRedisSelectObj(selectableObj)
|
2020-10-19 13:11:30 -05:00
|
|
|
|
2020-09-03 18:45:33 -05:00
|
|
|
# Get the corresponding namespace from redisselect db connector object
|
|
|
|
|
namespace = redisSelectObj.getDbConnector().getNamespace()
|
2020-10-19 13:11:30 -05:00
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
# Pop data of both Subscriber Table object of namespace that got config db acl table event
|
|
|
|
|
for table in config_db_subscriber_table_map[namespace]:
|
2020-10-14 10:05:33 -05:00
|
|
|
while True:
|
|
|
|
|
(key, op, fvp) = table.pop()
|
|
|
|
|
# Pop of table that does not have data so break
|
|
|
|
|
if key == '':
|
|
|
|
|
break
|
|
|
|
|
# ACL Table notification. We will take Control Plane ACTION for any ACL Table Event
|
|
|
|
|
# This can be optimize further but we should not have many acl table set/del events in normal
|
|
|
|
|
# scenario
|
|
|
|
|
if acl_rule_table_seprator not in key:
|
|
|
|
|
ctrl_plane_acl_notification.add(namespace)
|
|
|
|
|
# Check ACL Rule notification and make sure Rule point to ACL Table which is Controlplane
|
|
|
|
|
else:
|
|
|
|
|
acl_table = key.split(acl_rule_table_seprator)[0]
|
|
|
|
|
if self.config_db_map[namespace].get_table(self.ACL_TABLE)[acl_table]["type"] == self.ACL_TABLE_TYPE_CTRLPLANE:
|
|
|
|
|
ctrl_plane_acl_notification.add(namespace)
|
|
|
|
|
|
|
|
|
|
# Update the Control Plane ACL of the namespace that got config db acl table event
|
|
|
|
|
for namespace in ctrl_plane_acl_notification:
|
2020-10-19 13:11:30 -05:00
|
|
|
with self.lock[namespace]:
|
|
|
|
|
if self.num_changes[namespace] == 0:
|
|
|
|
|
self.log_info("ACL change detected for namespace '{}'".format(namespace))
|
|
|
|
|
|
|
|
|
|
# Increment the number of change events we've received for this namespace
|
|
|
|
|
self.num_changes[namespace] += 1
|
|
|
|
|
|
|
|
|
|
# If an update thread is not already spawned for the namespace which we received
|
|
|
|
|
# the ACL table update event, spawn one now
|
|
|
|
|
if not self.update_thread[namespace]:
|
|
|
|
|
self.log_info("Spawning ACL update thread for namepsace '{}' ...".format(namespace))
|
|
|
|
|
self.update_thread[namespace] = threading.Thread(target=self.check_and_update_control_plane_acls,
|
|
|
|
|
args=(namespace, self.num_changes[namespace]))
|
|
|
|
|
self.update_thread[namespace].start()
|
2018-01-09 19:55:10 -06:00
|
|
|
|
|
|
|
|
# ============================= Functions =============================
|
|
|
|
|
|
2020-08-20 17:11:42 -05:00
|
|
|
|
2018-01-09 19:55:10 -06:00
|
|
|
def main():
|
2020-09-15 15:34:41 -05:00
|
|
|
# Instantiate a ControlPlaneAclManager object
|
|
|
|
|
caclmgr = ControlPlaneAclManager(SYSLOG_IDENTIFIER)
|
2018-01-09 19:55:10 -06:00
|
|
|
|
2020-09-15 15:34:41 -05:00
|
|
|
# Log all messages from INFO level and higher
|
|
|
|
|
caclmgr.set_min_log_priority_info()
|
2018-01-09 19:55:10 -06:00
|
|
|
|
|
|
|
|
caclmgr.run()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
|
main()
|
