matthew/sonic-buildimage
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

[caclmgrd] Don't limit connection tracking to TCP (#4796)

Browse Source 
Don't limit iptables connection tracking to TCP protocol; allow connection tracking for all protocols. This allows services like NTP, which is UDP-based, to receive replies from an NTP server even if the port is blocked, as long as it is in reply to a request sent from the device itself.
This commit is contained in:
Joe LeVeque 2020-06-18 00:18:20 -07:00 committed by Ying Xie
parent e02de1dc89
commit d9b8bed916
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
files/image_config/caclmgrd/caclmgrd
View File

@ -258,9 +258,9 @@ class ControlPlaneAclManager(object):
iptables_cmds.append("ip6tables -A INPUT -s ::1 -i lo -j ACCEPT")
# Add iptables/ip6tables commands to allow all incoming packets from established
# TCP sessions or new TCP sessions which are related to established TCP sessions
iptables_cmds.append("iptables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
iptables_cmds.append("ip6tables -A INPUT -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
# connections or new connections which are related to established connections
iptables_cmds.append("iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
iptables_cmds.append("ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
# Add iptables/ip6tables commands to allow bidirectional ICMPv4 ping and traceroute
# TODO: Support processing ICMPv4 service ACL rules, and remove this blanket acceptance