From d5404928345ba2690d8f6cce0095f57d0a89c671 Mon Sep 17 00:00:00 2001 From: Christian Svensson Date: Fri, 18 Feb 2022 00:04:59 +0100 Subject: [PATCH] caclmgrd: remove permit source port 179 (#9827) [Caclmgrd] Remove insecure opening of source port 179 Signed-off-by: Christian Svensson --- src/sonic-host-services/scripts/caclmgrd | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/sonic-host-services/scripts/caclmgrd b/src/sonic-host-services/scripts/caclmgrd index 77bcd2e4ee..a65f05a345 100755 --- a/src/sonic-host-services/scripts/caclmgrd +++ b/src/sonic-host-services/scripts/caclmgrd @@ -501,9 +501,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): # Add iptables/ip6tables commands to allow all incoming BGP traffic # TODO: Determine BGP ACLs based on configured device sessions, and remove this blanket acceptance iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -p tcp --dport 179 -j ACCEPT") - iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -p tcp --sport 179 -j ACCEPT") iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p tcp --dport 179 -j ACCEPT") - iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p tcp --sport 179 -j ACCEPT") # Get current ACL tables and rules from Config DB self._tables_db_info = self.config_db_map[namespace].get_table(self.ACL_TABLE)