301 lines
12 KiB
Python
Executable File
301 lines
12 KiB
Python
Executable File
#!/usr/bin/env python
|
|
#
|
|
# caclmgrd
|
|
#
|
|
# Control plane ACL manager daemon for SONiC
|
|
#
|
|
# Upon starting, this daemon reads control plane ACL tables and rules from
|
|
# Config DB, converts the rules into iptables rules and installs the iptables
|
|
# rules. The daemon then indefintely listens for notifications from Config DB
|
|
# and updates iptables rules if control plane ACL configuration has changed.
|
|
#
|
|
|
|
try:
|
|
import ipaddr as ipaddress
|
|
import os
|
|
import subprocess
|
|
import sys
|
|
import syslog
|
|
from swsssdk import ConfigDBConnector
|
|
except ImportError as err:
|
|
raise ImportError("%s - required module not found" % str(err))
|
|
|
|
VERSION = "1.0"
|
|
|
|
SYSLOG_IDENTIFIER = "caclmgrd"
|
|
|
|
|
|
# ========================== Syslog wrappers ==========================
|
|
|
|
def log_info(msg):
|
|
syslog.openlog(SYSLOG_IDENTIFIER)
|
|
syslog.syslog(syslog.LOG_INFO, msg)
|
|
syslog.closelog()
|
|
|
|
|
|
def log_warning(msg):
|
|
syslog.openlog(SYSLOG_IDENTIFIER)
|
|
syslog.syslog(syslog.LOG_WARNING, msg)
|
|
syslog.closelog()
|
|
|
|
|
|
def log_error(msg):
|
|
syslog.openlog(SYSLOG_IDENTIFIER)
|
|
syslog.syslog(syslog.LOG_ERR, msg)
|
|
syslog.closelog()
|
|
|
|
|
|
# ============================== Classes ==============================
|
|
|
|
class ControlPlaneAclManager(object):
|
|
"""
|
|
Class which reads control plane ACL tables and rules from Config DB,
|
|
translates them into equivalent iptables commands and runs those
|
|
commands in order to apply the control plane ACLs.
|
|
|
|
Attributes:
|
|
config_db: Handle to Config Redis database via SwSS SDK
|
|
"""
|
|
ACL_TABLE = "ACL_TABLE"
|
|
ACL_RULE = "ACL_RULE"
|
|
|
|
ACL_TABLE_TYPE_CTRLPLANE = "CTRLPLANE"
|
|
|
|
# To specify a port range, use iptables format: separate start and end
|
|
# ports with a colon, e.g., "1000:2000"
|
|
ACL_SERVICES = {
|
|
"NTP": {"ip_protocols": ["udp"], "dst_ports": ["123"]},
|
|
"SNMP": {"ip_protocols": ["tcp", "udp"], "dst_ports": ["161"]},
|
|
"SSH": {"ip_protocols": ["tcp"], "dst_ports": ["22"]}
|
|
}
|
|
|
|
def __init__(self):
|
|
# Open a handle to the Config database
|
|
self.config_db = ConfigDBConnector()
|
|
self.config_db.connect()
|
|
|
|
def run_commands(self, commands):
|
|
"""
|
|
Given a list of shell commands, run them in order
|
|
|
|
Args:
|
|
commands: List of strings, each string is a shell command
|
|
"""
|
|
for cmd in commands:
|
|
proc = subprocess.Popen(cmd, shell=True)
|
|
|
|
(stdout, stderr) = proc.communicate()
|
|
|
|
if proc.returncode != 0:
|
|
log_error("Error running command '{}'".format(cmd))
|
|
|
|
def parse_int_to_tcp_flags(self, hex_value):
|
|
tcp_flags_str = ""
|
|
if hex_value & 0x01:
|
|
tcp_flags_str += "FIN,"
|
|
if hex_value & 0x02:
|
|
tcp_flags_str += "SYN,"
|
|
if hex_value & 0x04:
|
|
tcp_flags_str += "RST,"
|
|
if hex_value & 0x08:
|
|
tcp_flags_str += "PSH,"
|
|
if hex_value & 0x10:
|
|
tcp_flags_str += "ACK,"
|
|
if hex_value & 0x20:
|
|
tcp_flags_str += "URG,"
|
|
# iptables doesn't handle the flags below now. It has some special keys for it:
|
|
# --ecn-tcp-cwr This matches if the TCP ECN CWR (Congestion Window Received) bit is set.
|
|
# --ecn-tcp-ece This matches if the TCP ECN ECE (ECN Echo) bit is set.
|
|
# if hex_value & 0x40:
|
|
# tcp_flags_str += "ECE,"
|
|
# if hex_value & 0x80:
|
|
# tcp_flags_str += "CWR,"
|
|
|
|
# Delete the trailing comma
|
|
tcp_flags_str = tcp_flags_str[:-1]
|
|
return tcp_flags_str
|
|
|
|
def get_acl_rules_and_translate_to_iptables_commands(self):
|
|
"""
|
|
Retrieves current ACL tables and rules from Config DB, translates
|
|
control plane ACLs into a list of iptables commands that can be run
|
|
in order to install ACL rules.
|
|
|
|
Returns:
|
|
A list of strings, each string is an iptables shell command
|
|
|
|
"""
|
|
iptables_cmds = []
|
|
|
|
# First, add iptables commands to set default policies to accept all
|
|
# traffic. In case we are connected remotely, the connection will not
|
|
# drop when we flush the current rules
|
|
iptables_cmds.append("iptables -P INPUT ACCEPT")
|
|
iptables_cmds.append("iptables -P FORWARD ACCEPT")
|
|
iptables_cmds.append("iptables -P OUTPUT ACCEPT")
|
|
|
|
# Add iptables command to flush the current rules
|
|
iptables_cmds.append("iptables -F")
|
|
|
|
# Add iptables command to delete all non-default chains
|
|
iptables_cmds.append("iptables -X")
|
|
|
|
# Add same set of commands for ip6tables
|
|
iptables_cmds.append("ip6tables -P INPUT ACCEPT")
|
|
iptables_cmds.append("ip6tables -P FORWARD ACCEPT")
|
|
iptables_cmds.append("ip6tables -P OUTPUT ACCEPT")
|
|
iptables_cmds.append("ip6tables -F")
|
|
iptables_cmds.append("ip6tables -X")
|
|
|
|
# Add iptables commands to allow all IPv4 and IPv6 traffic from localhost
|
|
iptables_cmds.append("iptables -A INPUT -s 127.0.0.1 -i lo -j ACCEPT")
|
|
iptables_cmds.append("ip6tables -A INPUT -s ::1 -i lo -j ACCEPT")
|
|
|
|
# Get current ACL tables and rules from Config DB
|
|
self._tables_db_info = self.config_db.get_table(self.ACL_TABLE)
|
|
self._rules_db_info = self.config_db.get_table(self.ACL_RULE)
|
|
|
|
# Walk the ACL tables
|
|
for (table_name, table_data) in self._tables_db_info.iteritems():
|
|
|
|
table_ip_version = None
|
|
|
|
# Ignore non-control-plane ACL tables
|
|
if table_data["type"] != self.ACL_TABLE_TYPE_CTRLPLANE:
|
|
continue
|
|
|
|
acl_services = table_data["services"]
|
|
|
|
for acl_service in acl_services:
|
|
if acl_service not in self.ACL_SERVICES:
|
|
log_warning("Ignoring control plane ACL '{}' with unrecognized service '{}'"
|
|
.format(table_name, acl_service))
|
|
continue
|
|
|
|
log_info("Translating ACL rules for control plane ACL '{}' (service: '{}')"
|
|
.format(table_name, acl_service))
|
|
|
|
# Obtain default IP protocol(s) and destination port(s) for this service
|
|
ip_protocols = self.ACL_SERVICES[acl_service]["ip_protocols"]
|
|
dst_ports = self.ACL_SERVICES[acl_service]["dst_ports"]
|
|
|
|
acl_rules = {}
|
|
|
|
for ((rule_table_name, rule_id), rule_props) in self._rules_db_info.iteritems():
|
|
if rule_table_name == table_name:
|
|
if not rule_props:
|
|
log_warning("rule_props for rule_id {} empty or null!".format(rule_id))
|
|
continue
|
|
|
|
try:
|
|
acl_rules[rule_props["PRIORITY"]] = rule_props
|
|
except KeyError:
|
|
log_error("rule_props for rule_id {} does not have key 'PRIORITY'!".format(rule_id))
|
|
continue
|
|
|
|
# If we haven't determined the IP version for this ACL table yet,
|
|
# try to do it now. We attempt to determine heuristically based on
|
|
# whether the src or dst IP of this rule is an IPv4 or IPv6 address.
|
|
if not table_ip_version:
|
|
if (("SRC_IPV6" in rule_props and rule_props["SRC_IPV6"]) or
|
|
("DST_IPV6" in rule_props and rule_props["DST_IPV6"])):
|
|
table_ip_version = 6
|
|
elif (("SRC_IP" in rule_props and rule_props["SRC_IP"]) or
|
|
("DST_IP" in rule_props and rule_props["DST_IP"])):
|
|
table_ip_version = 4
|
|
|
|
# If we were unable to determine whether this ACL table contains
|
|
# IPv4 or IPv6 rules, log a message and skip processing this table.
|
|
if not table_ip_version:
|
|
log_warning("Unable to determine if ACL table '{}' contains IPv4 or IPv6 rules. Skipping table..."
|
|
.format(table_name))
|
|
continue
|
|
|
|
# For each ACL rule in this table (in descending order of priority)
|
|
for priority in sorted(acl_rules.iterkeys(), reverse=True):
|
|
rule_props = acl_rules[priority]
|
|
|
|
if "PACKET_ACTION" not in rule_props:
|
|
log_error("ACL rule does not contain PACKET_ACTION property")
|
|
continue
|
|
|
|
# Apply the rule to the default protocol(s) for this ACL service
|
|
for ip_protocol in ip_protocols:
|
|
for dst_port in dst_ports:
|
|
rule_cmd = "ip6tables" if table_ip_version == 6 else "iptables"
|
|
rule_cmd += " -A INPUT -p {}".format(ip_protocol)
|
|
|
|
if "SRC_IPV6" in rule_props and rule_props["SRC_IPV6"]:
|
|
rule_cmd += " -s {}".format(rule_props["SRC_IPV6"])
|
|
elif "SRC_IP" in rule_props and rule_props["SRC_IP"]:
|
|
rule_cmd += " -s {}".format(rule_props["SRC_IP"])
|
|
|
|
rule_cmd += " --dport {}".format(dst_port)
|
|
|
|
# If there are TCP flags present and ip protocol is TCP, append them
|
|
if ip_protocol == "tcp" and "TCP_FLAGS" in rule_props and rule_props["TCP_FLAGS"]:
|
|
tcp_flags, tcp_flags_mask = rule_props["TCP_FLAGS"].split("/")
|
|
|
|
tcp_flags = int(tcp_flags, 16)
|
|
tcp_flags_mask = int(tcp_flags_mask, 16)
|
|
|
|
if tcp_flags_mask > 0:
|
|
rule_cmd += " --tcp-flags {mask} {flags}".format(mask = self.parse_int_to_tcp_flags(tcp_flags_mask), flags = self.parse_int_to_tcp_flags(tcp_flags))
|
|
|
|
# Append the packet action as the jump target
|
|
rule_cmd += " -j {}".format(rule_props["PACKET_ACTION"])
|
|
|
|
iptables_cmds.append(rule_cmd)
|
|
|
|
return iptables_cmds
|
|
|
|
def update_control_plane_acls(self):
|
|
"""
|
|
Convenience wrapper which retrieves current ACL tables and rules from
|
|
Config DB, translates control plane ACLs into a list of iptables
|
|
commands and runs them.
|
|
"""
|
|
iptables_cmds = self.get_acl_rules_and_translate_to_iptables_commands()
|
|
|
|
log_info("Issuing the following iptables commands:")
|
|
for cmd in iptables_cmds:
|
|
log_info(" " + cmd)
|
|
|
|
self.run_commands(iptables_cmds)
|
|
|
|
def notification_handler(self, key, data):
|
|
log_info("ACL configuration changed. Updating iptables rules for control plane ACLs...")
|
|
self.update_control_plane_acls()
|
|
|
|
def run(self):
|
|
# Unconditionally update control plane ACLs once at start
|
|
self.update_control_plane_acls()
|
|
|
|
# Subscribe to notifications when ACL tables or rules change
|
|
self.config_db.subscribe(self.ACL_TABLE,
|
|
lambda table, key, data: self.notification_handler(key, data))
|
|
self.config_db.subscribe(self.ACL_RULE,
|
|
lambda table, key, data: self.notification_handler(key, data))
|
|
|
|
# Indefinitely listen for Config DB notifications
|
|
self.config_db.listen()
|
|
|
|
|
|
# ============================= Functions =============================
|
|
|
|
def main():
|
|
log_info("Starting up...")
|
|
|
|
if not os.geteuid() == 0:
|
|
log_error("Must be root to run this daemon")
|
|
print "Error: Must be root to run this daemon"
|
|
sys.exit(1)
|
|
|
|
# Instantiate a ControlPlaneAclManager object
|
|
caclmgr = ControlPlaneAclManager()
|
|
caclmgr.run()
|
|
|
|
|
|
if __name__ == "__main__":
|
|
main()
|