matthew/sonic-buildimage
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Allow one Service ACL to bind to multiple services (#1576)

Browse Source 
* [caclmgrd] Also ignore IP protocol if found in rule; we will only use our predefined protocols
This commit is contained in:
Joe LeVeque 2018-04-10 18:14:12 -07:00 committed by GitHub
parent 83f81c9676
commit c626dc921f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 97 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
dockers/docker-snmp-sv2/snmpd-config-updater
View File

@ -48,8 +48,8 @@ class ConfigUpdater(object):
if table_data["type"] != self.ACL_TABLE_TYPE_CTRLPLANE:
continue
# Ignore non-SSH service ACLs
if table_data["service"] != self.ACL_SERVICE_SNMP:
# Ignore non-SNMP service ACLs
if self.ACL_SERVICE_SNMP not in table_data["services"]:
continue
acl_rules = {}

10
files/image_config/caclmgrd/caclmgrd
View File

@ -123,8 +123,9 @@ class ControlPlaneAclManager(object):
if table_data["type"] != self.ACL_TABLE_TYPE_CTRLPLANE:
continue
acl_service = table_data["service"]
acl_services = table_data["services"]
for acl_service in acl_services:
if acl_service not in self.ACL_SERVICES:
log_warning("Ignoring control plane ACL '{}' with unrecognized service '{}'"
.format(table_name, acl_service))
@ -151,12 +152,7 @@ class ControlPlaneAclManager(object):
log_error("ACL rule does not contain PACKET_ACTION property")
continue
# If the rule contains an IP protocol, we will use it.
# Otherwise, we will apply the rule to the default
# protocol(s) for this ACL service
if "IP_PROTOCOL" in rule_props:
ip_protocols = [rule_props["IP_PROTOCOL"]]
# Apply the rule to the default protocol(s) for this ACL service
for ip_protocol in ip_protocols:
for dst_port in dst_ports:
rule_cmd = "iptables -A INPUT -p {}".format(ip_protocol)

2
files/image_config/ssh/sshd-config-updater
View File

@ -49,7 +49,7 @@ class ConfigUpdater(object):
continue
# Ignore non-SSH service ACLs
if table_data["service"] != self.ACL_SERVICE_SSH:
if self.ACL_SERVICE_SSH not in table_data["services"]:
continue
acl_rules = {}

20
src/sonic-config-engine/minigraph.py
View File

@ -188,6 +188,10 @@ def parse_dpg(dpg, hname):
aclattach = aclintf.find(str(QName(ns, "AttachTo"))).text.split(';')
acl_intfs = []
is_mirror = False
# TODO: Ensure that acl_intfs will only ever contain front-panel interfaces (e.g.,
# maybe we should explicity ignore management and loopback interfaces?) because we
# decide an ACL is a Control Plane ACL if acl_intfs is empty below.
for member in aclattach:
member = member.strip()
if pcs.has_key(member):
@ -209,12 +213,22 @@ def parse_dpg(dpg, hname):
# This ACL has no interfaces to attach to -- consider this a control plane ACL
try:
aclservice = aclintf.find(str(QName(ns, "Type"))).text
# If we already have an ACL with this name and this ACL is bound to a different service,
# append the service to our list of services
if aclname in acls:
if acls[aclname]['type'] != 'CTRLPLANE':
print >> sys.stderr, "Warning: ACL '%s' type mismatch. Not updating ACL." % aclname
elif acls[aclname]['services'] == aclservice:
print >> sys.stderr, "Warning: ACL '%s' already contains service '%s'. Not updating ACL." % (aclname, aclservice)
else:
acls[aclname]['services'].append(aclservice)
else:
acls[aclname] = {'policy_desc': aclname,
'ports': acl_intfs,
'type': 'CTRLPLANE',
'service': aclservice if aclservice is not None else 'UNKNOWN'}
'services': [aclservice]}
except:
print >> sys.stderr, "Warning: Ingore Control Plane ACL %s without type" % aclname
print >> sys.stderr, "Warning: Ignoring Control Plane ACL %s without type" % aclname
return intfs, lo_intfs, mgmt_intf, vlans, vlan_members, pcs, acls
return None, None, None, None, None, None, None

10
src/sonic-config-engine/tests/t0-sample-graph.xml
View File

@ -281,6 +281,16 @@
<InAcl>SSH_ACL</InAcl>
<Type>SSH</Type>
</AclInterface>
<AclInterface>
<AttachTo>SSH</AttachTo>
<InAcl>ROUTER-PROTECT</InAcl>
<Type>SSH</Type>
</AclInterface>
<AclInterface>
<AttachTo>SNMP</AttachTo>
<InAcl>ROUTER-PROTECT</InAcl>
<Type>SNMP</Type>
</AclInterface>
<AclInterface>
<AttachTo>NTP</AttachTo>
<InAcl>NTP_ACL</InAcl>

10
src/sonic-config-engine/tests/test_cfggen.py
View File

@ -78,11 +78,13 @@ class TestCfgGen(TestCase):
def test_minigraph_acl(self):
argument = '-m "' + self.sample_graph_t0 + '" -p "' + self.port_config + '" -v ACL_TABLE'
output = self.run_script(argument, True)
self.assertEqual(output.strip(), "Warning: Ingore Control Plane ACL NTP_ACL without type\n"
"{'SSH_ACL': {'type': 'CTRLPLANE', 'policy_desc': 'SSH_ACL', 'service': 'SSH', 'ports': []},"
" 'SNMP_ACL': {'type': 'CTRLPLANE', 'policy_desc': 'SNMP_ACL', 'service': 'SNMP', 'ports': []},"
self.assertEqual(output.strip(), "Warning: Ignoring Control Plane ACL NTP_ACL without type\n"
"{'SSH_ACL': {'services': ['SSH'], 'type': 'CTRLPLANE', 'policy_desc': 'SSH_ACL'},"
" 'SNMP_ACL': {'services': ['SNMP'], 'type': 'CTRLPLANE', 'policy_desc': 'SNMP_ACL'},"
" 'DATAACL': {'type': 'L3', 'policy_desc': 'DATAACL', 'ports': ['Ethernet112', 'Ethernet116', 'Ethernet120', 'Ethernet124']},"
" 'NTP_ACL': {'type': 'CTRLPLANE', 'policy_desc': 'NTP_ACL', 'service': 'NTP', 'ports': []}}")
" 'NTP_ACL': {'services': ['NTP'], 'type': 'CTRLPLANE', 'policy_desc': 'NTP_ACL'},"
" 'ROUTER_PROTECT': {'services': ['SSH', 'SNMP'], 'type': 'CTRLPLANE', 'policy_desc': 'ROUTER_PROTECT'}}")
def test_minigraph_everflow(self):
argument = '-m "' + self.sample_graph_t0 + '" -p "' + self.port_config + '" -v MIRROR_SESSION'
output = self.run_script(argument)

2
src/sonic-utilities

@ -1 +1 @@
Subproject commit 3f2d7bb4beaf3987db0c3e6fb57ae7ba51390a16
Subproject commit 5e476d6d549cf40b68e86ae01dcb703b567b85e3