Commit Graph

31 Commits

Author SHA1 Message Date
Joe LeVeque
edf4971b16
[caclmgrd] Prevent unnecessary iptables updates (#5312)
When a large number of changes occur to the ACL table of Config DB, caclmgrd will get flooded with notifications, and previously, it would regenerate and apply the iptables rules for each change, which is unnecessary, as the iptables rules should only get applied once after the last change notification is received. If the ACL table contains a large number of control plane ACL rules, this could cause a large delay in caclmgrd getting the rules applied.

This patch causes caclmgrd to delay updating the iptables rules until it has not received a change notification for at least 0.5 seconds.
2020-10-19 11:11:30 -07:00
abdosi
9094e2176f
Optimze ACL Table/Rule notification handling (#5621)
* Optimze ACL Table/Rule notifcation handling
to loop pop() until empty to consume all the data in a batch

This wau we prevent multiple call to iptable updates

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>

* Address review comments

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2020-10-14 08:05:33 -07:00
abdosi
01fceb6f79
Optimized caclmgrd Notification handling. Previously (#5560)
any event happening on ACL Rule Table (eg DATAACL rules
programmed) caused control plane default action to be triggered.

Now Control Plance ACTION will be trigger only

a) ACL Rule beloging to Control ACL Table

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2020-10-08 11:31:09 -07:00
judyjoseph
4006ce711f
[Multi-Asic] Forward SNMP requests received on front panel interface to SNMP agent in host. (#5420)
* [Multi-Asic] Forward SNMP requests destined to loopback IP, and coming in through the front panel interface
             present in the network namespace, to SNMP agent running in the linux host.

* Updates based on comments

* Further updates in docker_image_ctl.j2 and caclmgrd

* Change the variable for net config file.

* Updated the comments in the code.

* No need to clean up the exising NAT rules if present, which could be created by some other process.

* Delete our rule first and add it back, to take care of caclmgrd restart.
Another benefit is that we delete only our rules, rather than earlier approach of "iptables -F" which cleans up all rules.

* Keeping the original logic to clean the NAT entries, to revist when NAT feature added in namespace.

* Missing updates to log_info call.
2020-09-26 12:14:30 -07:00
Venkatesan Mahalingam
418e437d79
[caclmgrd] Add support to allow/deny any IP/IPv6 protocol packets coming to CPU based on source IP (#4591)
Add support to allow/deny packets coming to CPU based on source IP, regardless of destination port
2020-09-23 09:55:09 -07:00
abdosi
d12e9cbbc6
[Multi-Asic] Fix for multi-asic where we should allow docker local (#5364)
communication on docker eth0 ip . Without this TCP Connection to Redis
does not happen in namespace.

Signed-off-by: Abhishek Dosi <abdosi@abdosi-ubuntu-vm0.nwp1qucpfg5ejooejenqshkj3e.cx.internal.cloudapp.net>

Co-authored-by: Abhishek Dosi <abdosi@abdosi-ubuntu-vm0.nwp1qucpfg5ejooejenqshkj3e.cx.internal.cloudapp.net>
2020-09-16 11:32:35 -07:00
Joe LeVeque
1ac146dd97
[caclmgrd] Inherit DaemonBase class from sonic-py-common package (#5373)
Eliminate duplicate logging code by inheriting from DaemonBase class in sonic-py-common package.
2020-09-15 13:34:41 -07:00
abdosi
dd908c2ee2
[sonic-swsscommon] submodule update with commit's (#5300)
[schema] Make schema header support C project (#373)
Removed DB specific get api's from Selectable class (#378)

With the change as part of #378 caclmgrd need to be updated
to use new client side Get API to access namespace.

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2020-09-02 18:09:03 -07:00
abdosi
74d8b4a6be
[caclmgrd] Add support for multi-ASIC platforms (#5022)
* Support for Control Plane ACL's for Multi-asic Platforms.
Following changes were done:
 1) Moved from using blocking listen() on Config DB to the select() model
 via python-swsscommon since we have to wait on event from multiple
 config db's
 2) Since  python-swsscommon is not available on host added libswsscommon and python-swsscommon
    and dependent packages in the base image (host enviroment)
 3) Made iptables programmed in all namespace using ip netns exec

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>

* Address Review Comments

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>

* Fix Review Comments

* Fix Comments

* Added Change for Multi-asic to have iptables
rules to accept internal docker tcp/udp traffic
needed for syslog and redis-tcp connection.

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>

* Fix Review Comments

* Added more comments on logic.

* Fixed all warning/errors reported by http://pep8online.com/
other than line > 80 characters.

* Fix Comment
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>

* Verified with swsscommon package. Fix issue for single asic platforms.

* Moved to new python package

* Address Review Comments.

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>

* Address Review Comments.
2020-08-20 15:11:42 -07:00
Joe LeVeque
b2344f6f78
[caclmgrd] Always restart service upon process termination (#5065) 2020-07-29 10:12:38 -07:00
Joe LeVeque
1587889b7a
[caclmgrd] remove default DROP rule on FORWARD chain (#5034) 2020-07-24 11:59:46 -07:00
Joe LeVeque
d6925499f1
[caclmgrd] Filter DHCP packets based on dest port only (#4995) 2020-07-17 11:16:19 -07:00
madhanmellanox
ade634090d
[caclmgrd] Log error message if IPv4 ACL table contains IPv6 rule and vice-versa (#4498)
* Defect 2082949: Handling Control Plane ACLs so that IPv4 rules and IPv6 rules are not added to the same ACL table

* Previous code review comments of coming up with functions for is_ipv4_rule and is_ipv6_rule is addressed and also raising Exceptions instead of simply aborting when the conflict occurs is handled

* Addressed code review comment to replace duplicate code with already existing functions

* removed raising Exception when rule conflict in Control plane ACLs are found

* added code to remove the rule_props if it is conflicting ACL table versioning rule

* addressed review comment to add ignoring rule in the error statement

Co-authored-by: Madhan Babu <madhan@arc-build-server.mtr.labs.mlnx>
2020-07-15 20:24:44 +03:00
Joe LeVeque
2731571dc9 [caclmgrd] Improve code reuse (#4931)
Improve code reuse in `generate_block_ip2me_traffic_iptables_commands()` function.
2020-07-12 18:08:52 +00:00
Joe LeVeque
6960477cc2
[caclmgrd] Don't limit connection tracking to TCP (#4796)
Don't limit iptables connection tracking to TCP protocol; allow connection tracking for all protocols. This allows services like NTP, which is UDP-based, to receive replies from an NTP server even if the port is blocked, as long as it is in reply to a request sent from the device itself.
2020-06-18 00:18:20 -07:00
Joe LeVeque
7b8037770d
[caclmgrd] Get first VLAN host IP address via next() (#4685)
I found that with IPv4Network types, calling list(ip_ntwrk.hosts()) is reliable. However, when doing the same with an IPv6Network, I found that the conversion to a list can hang indefinitely. This appears to me to be a bug in the ipaddress.IPv6Network implementation. However, I could not find any other reports on the web.

This patch changes the behavior to call next() on the ip_ntwrk.hosts() generator instead, which returns the IP address of the first host.
2020-06-02 02:11:21 -07:00
Joe LeVeque
bce42a7595
[caclmgrd] Allow more ICMP types (#4625) 2020-05-20 17:45:07 -07:00
Joe LeVeque
5150e7b655
[caclmgrd] Ignore keys in interface-related tables if no IP prefix is present (#4581)
Since the introduction of VRF, interface-related tables in ConfigDB will have multiple entries, one of which only contains the interface name and no IP prefix. Thus, when iterating over the keys in the tables, we need to ignore the entries which do not contain IP prefixes.
2020-05-12 18:16:55 -07:00
Joe LeVeque
5e8e0d76fc
[caclmgrd] Add some default ACCEPT rules and lastly drop all incoming packets (#4412)
Modified caclmgrd behavior to enhance control plane security as follows:

Upon starting or receiving notification of ACL table/rule changes in Config DB:
1. Add iptables/ip6tables commands to allow all incoming packets from established TCP sessions or new TCP sessions which are related to established TCP sessions
2. Add iptables/ip6tables commands to allow bidirectional ICMPv4 ping and traceroute
3. Add iptables/ip6tables commands to allow bidirectional ICMPv6 ping and traceroute
4. Add iptables/ip6tables commands to allow all incoming Neighbor Discovery Protocol (NDP) NS/NA/RS/RA messages
5. Add iptables/ip6tables commands to allow all incoming IPv4 DHCP packets
6. Add iptables/ip6tables commands to allow all incoming IPv6 DHCP packets
7. Add iptables/ip6tables commands to allow all incoming BGP traffic
8. Add iptables/ip6tables commands for all ACL rules for recognized services (currently SSH, SNMP, NTP)
9. For all services which we did not find configured ACL rules, add iptables/ip6tables commands to allow all incoming packets for those services (allows the device to accept SSH connections before the device is configured)
10. Add iptables rules to drop all packets destined for loopback interface IP addresses
11. Add iptables rules to drop all packets destined for management interface IP addresses
12. Add iptables rules to drop all packets destined for point-to-point interface IP addresses
13. Add iptables rules to drop all packets destined for our VLAN interface gateway IP addresses
14. Add iptables/ip6tables commands to allow all incoming packets with TTL of 0 or 1 (This allows the device to respond to tools like tcptraceroute)
15. If we found control plane ACLs in the configuration and applied them, we lastly add iptables/ip6tables commands to drop all other incoming packets
2020-05-11 12:36:47 -07:00
Joe LeVeque
aca1a86856 [caclmgrd] Fix application of IPv6 service ACL rules (part 2) (#4036) 2020-01-17 17:33:31 -08:00
Joe LeVeque
77d636256b
[caclmgrd] Fix application of IPv6 service ACL rules (#3917) 2019-12-19 07:15:27 -08:00
Joe LeVeque
116ddb996a [caclmgrd] Don't crash if we find empty/null rule_props (#2475)
* [caclmgrd] Don't crash if we find empty/null rule_props
2019-01-23 18:47:05 -08:00
Joe LeVeque
1e1add90f9
Remove Arista-specific service ACL solution; All platforms now use caclmgrd (#2202) 2018-10-29 10:25:18 -07:00
Joe LeVeque
2ccfefc919
[caclmgrd] Add a rule to allow all connections from localhost (#1858) 2018-07-13 10:27:47 -07:00
Denis Maslov
d82db79051 [caclmgrd] Translation of ACL Control Plane rules into iptables commands fixed (#1798)
Signed-off-by: Denis Maslov <Denis.Maslov@cavium.com>
2018-06-19 21:14:49 -07:00
Joe LeVeque
711be8f7da [caclmgrd] Heuristically determine whether ACL is IPv4 or IPv6, use iptables/ip6tables accordingly (#1767)
* [caclmgrd] Heuristically determine whether ACL is IPv4 or IPv6, use iptables/ip6tables accordingly

* Check all rules in table until we find one with a SRC_IP
2018-06-05 03:24:30 -07:00
Joe LeVeque
c626dc921f
Allow one Service ACL to bind to multiple services (#1576)
* [caclmgrd] Also ignore IP protocol if found in rule; we will only use our predefined protocols
2018-04-10 18:14:12 -07:00
Taoyu Li
e84e093dea
Move all minigraph-related action from rc.local to updategraph (#1452)
- Move all minigraph-related action from rc.local to updategraph
- updategraph service is now after database. All feature services are now after and depending on updategraph
2018-03-09 17:17:08 -08:00
Taoyu Li
04b694454a
[sonic-cfggen] Remove machine.conf info and add get_system_mac support (#1397)
[sonic-cfggen] Remove machine.conf info and add get_system_mac support
2018-02-20 14:38:13 -08:00
Joe LeVeque
162089dd9e
[caclmgrd] Prevent service from blocking system boot indefinitely (#1362) 2018-02-01 15:15:39 -08:00
Joe LeVeque
0fffa6c63b
Add caclmgrd and related files to translate and install control plane ACL rules (#1240) 2018-01-09 17:55:10 -08:00