caclmgrd: remove permit source port 179 (#9827)

[Caclmgrd] Remove insecure opening of source port 179
Signed-off-by: Christian Svensson <blue@cmd.nu>
Christian Svensson 2022-02-18 00:04:59 +01:00 committed by GitHub
parent 5ce75acfa5
commit d540492834


@ -501,9 +501,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
# Add iptables/ip6tables commands to allow all incoming BGP traffic
# TODO: Determine BGP ACLs based on configured device sessions, and remove this blanket acceptance
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -p tcp --dport 179 -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -p tcp --sport 179 -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p tcp --dport 179 -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p tcp --sport 179 -j ACCEPT")
# Get current ACL tables and rules from Config DB
self._tables_db_info = self.config_db_map[namespace].get_table(self.ACL_TABLE)