matthew/sonic-buildimage
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[caclmgrd] Add support to allow/deny any IP/IPv6 protocol packets coming to CPU based on source IP (#4591)

Browse Source 
Add support to allow/deny packets coming to CPU based on source IP, regardless of destination port
This commit is contained in:
Venkatesan Mahalingam 2020-09-23 09:55:09 -07:00 committed by GitHub
parent 04c709d27f
commit 418e437d79
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
files/image_config/caclmgrd/caclmgrd
View File

@ -68,6 +68,10 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
"SSH": { "SSH": {
"ip_protocols": ["tcp"], "ip_protocols": ["tcp"],
"dst_ports": ["22"] "dst_ports": ["22"]
},
"ANY": {
"ip_protocols": ["any"],
"dst_ports": ["0"]
} }
} }
@ -375,14 +379,19 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
for ip_protocol in ip_protocols: for ip_protocol in ip_protocols:
for dst_port in dst_ports: for dst_port in dst_ports:
rule_cmd = "ip6tables" if table_ip_version == 6 else "iptables" rule_cmd = "ip6tables" if table_ip_version == 6 else "iptables"
rule_cmd += " -A INPUT -p {}".format(ip_protocol)
rule_cmd += " -A INPUT"
if ip_protocol != "any":
rule_cmd += " -p {}".format(ip_protocol)
if "SRC_IPV6" in rule_props and rule_props["SRC_IPV6"]: if "SRC_IPV6" in rule_props and rule_props["SRC_IPV6"]:
rule_cmd += " -s {}".format(rule_props["SRC_IPV6"]) rule_cmd += " -s {}".format(rule_props["SRC_IPV6"])
elif "SRC_IP" in rule_props and rule_props["SRC_IP"]: elif "SRC_IP" in rule_props and rule_props["SRC_IP"]:
rule_cmd += " -s {}".format(rule_props["SRC_IP"]) rule_cmd += " -s {}".format(rule_props["SRC_IP"])
rule_cmd += " --dport {}".format(dst_port) # Destination port 0 is reserved/unused port, so, using it to apply the rule to all ports.
if dst_port != "0":
rule_cmd += " --dport {}".format(dst_port)
# If there are TCP flags present and ip protocol is TCP, append them # If there are TCP flags present and ip protocol is TCP, append them
if ip_protocol == "tcp" and "TCP_FLAGS" in rule_props and rule_props["TCP_FLAGS"]: if ip_protocol == "tcp" and "TCP_FLAGS" in rule_props and rule_props["TCP_FLAGS"]: