
[caclmgrd] Translation of ACL Control Plane rules into iptables comman… #1737

Closed


denis-maslov

@denis-maslov denis-maslov commented May 23, 2018

- What I did
The problem
ACL control plane rules were not being translated into iptables rules.
The config_db.json fragment with ACL configuration:

    "ACL_TABLE": {
        "TEST_ACL_TABLE": {
            "policy_desc": "Forward/Drop/Redirect Traffic",
            "type": "CTRLPLANE",
            "services": [
                "SNMP"
            ],
            "ports": [
                "Ethernet101",
                "Ethernet102",
                "Ethernet103",
                "Ethernet104"
            ]
        }
    },
    "ACL_RULE": {
        "TEST_ACL_TABLE|DROP_ON_ETH101": {
            "PRIORITY": "1011",
            "SRC_IP": "10.1.1.2/32",
            "DST_IP": "10.2.2.2/32",
            "ETHER_TYPE": "0x0800",
            "TCP_FLAGS": "0x30/0xFF",
            "IP_TYPE": "IP",
            "PACKET_ACTION": "DROP"
        }
    },

- How I did it
The causes

  1. There was no check that the IP protocol is "tcp" before adding the --tcp-flags argument to the iptables command.
  2. It is necessary to set both the mask and flags fields with the --tcp-flags argument, but there was no parsing of the mask field from the configuration DB.

- How to verify it

  1. Add the fragment above to config_db.json and apply the new configuration.
  2. Check that the ACL rules are created:
    admin@sonic:~$ acl-loader show rule
    Rule ID         Rule Name       Priority    Action    Match
    --------------  --------------  ----------  --------  --------------------
    TEST_ACL_TABLE  DROP_ON_ETH101  1011        DROP      DST_IP: 10.2.2.2/32
                                                          ETHER_TYPE: 0x0800
                                                          IP_TYPE: IP
                                                          SRC_IP: 10.1.1.2/32
                                                          TCP_FLAGS: 0x30/0xFF
    admin@sonic:~$ acl-loader show table
    Name            Type       Binding    Description
    --------------  ---------  ---------  -----------------------------
    TEST_ACL_TABLE  CTRLPLANE  SNMP       Forward/Drop/Redirect Traffic
    
  3. Check that the ACL rules are translated into iptables:
    admin@sonic:~$ sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    DROP       tcp  --  10.1.1.2             anywhere             tcp dpt:snmp flags:FIN,SYN,RST,PSH,ACK,URG/ACK,URG
    DROP       udp  --  10.1.1.2             anywhere             udp dpt:snmp
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination    
    

- Description for the changelog

Translation of ACL Control Plane rules into iptables commands fixed

- A picture of a cute animal (not mandatory but encouraged)

  __________
 / ___  ___ \
/ / @ \/ @ \ \
\ \___/\___/ /\
 \____\/____/||
 /     /\\\\\//
|     |\\\\\\
 \      \\\\\\
   \______/\\\\
    _||_||_
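The two causes listed above (no protocol check before `--tcp-flags`, and no parsing of the mask half of `TCP_FLAGS`) can be shown in a small translator. The following is an added example written for this page, not caclmgrd's own code: it turns the `ACL_TABLE`/`ACL_RULE` fragment from the description into iptables argument vectors, emits `--tcp-flags` only for the tcp variant of a service, and splits `"0x30/0xFF"` into the `<mask> <comp>` pair iptables expects. The `SERVICE_PORTS` map, the `IP_PROTO_NAMES` map and the descending-priority ordering are assumptions of this example; `DST_IP` is left untranslated because the PR's `iptables -L` output lists the destination as `anywhere`.

```python
"""Translate SONiC control-plane ACL rules into iptables argument vectors.

Added example, not caclmgrd's own code. It applies the two fixes the PR
describes: --tcp-flags is only emitted for tcp, and TCP_FLAGS is parsed as
"flags/mask" instead of flags alone.
"""
import ipaddress
import shlex

# TCP flag bits by their iptables names. ECE (0x40) and CWR (0x80) have no
# name in --tcp-flags, so a 0xFF mask renders as the six names below, which
# is exactly what the PR's `iptables -L` output shows.
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

# Assumed service -> (destination port, transport protocols) table.
SERVICE_PORTS = {"SNMP": ("161", ["tcp", "udp"]), "SSH": ("22", ["tcp"])}
# Assumed mapping for an optional IP_PROTOCOL field in a rule.
IP_PROTO_NAMES = {"6": "tcp", "17": "udp"}

# Constructed sample input, taken from the config_db.json fragment in the PR.
ACL_TABLE = {"type": "CTRLPLANE", "services": ["SNMP"]}
ACL_RULES = {"TEST_ACL_TABLE|DROP_ON_ETH101": {
    "PRIORITY": "1011", "SRC_IP": "10.1.1.2/32", "DST_IP": "10.2.2.2/32",
    "ETHER_TYPE": "0x0800", "TCP_FLAGS": "0x30/0xFF", "IP_TYPE": "IP",
    "PACKET_ACTION": "DROP"}}


def _flag_names(bits):
    return ",".join(name for bit, name in TCP_FLAG_NAMES if bits & bit)


def parse_tcp_flags(value):
    """Parse "flags/mask" (mask optional) into (mask_names, flag_names).

    iptables takes `--tcp-flags <mask> <comp>`: it inspects the bits in
    <mask> and matches when exactly the bits in <comp> are set among them.
    """
    flags_text, _, mask_text = value.partition("/")
    flags = int(flags_text, 0)
    mask = int(mask_text, 0) if mask_text else flags  # no mask: match the flags themselves
    if flags & ~mask:
        raise ValueError(f"TCP_FLAGS {value!r}: flag bits outside the mask can never match")
    if not mask & 0x3F:
        raise ValueError(f"TCP_FLAGS {value!r}: mask selects no flag iptables can name")
    return _flag_names(mask), _flag_names(flags)


def rule_to_iptables(table, rule):
    """Return one iptables argv per (service, protocol) pair of an ACL_RULE."""
    commands = []
    wanted_proto = IP_PROTO_NAMES.get(rule.get("IP_PROTOCOL"))
    for service in table["services"]:
        port, protos = SERVICE_PORTS[service]
        for proto in protos:
            if wanted_proto and proto != wanted_proto:
                continue
            argv = ["iptables", "-A", "INPUT", "-p", proto]
            if "SRC_IP" in rule:
                # ip_network() rejects malformed prefixes before they reach iptables.
                argv += ["-s", str(ipaddress.ip_network(rule["SRC_IP"]))]
            argv += ["--dport", port]
            # Fix 1: --tcp-flags is a tcp-only match; iptables rejects it for udp.
            if proto == "tcp" and "TCP_FLAGS" in rule:
                mask_names, flag_names = parse_tcp_flags(rule["TCP_FLAGS"])  # Fix 2
                argv += ["--tcp-flags", mask_names, flag_names]
            argv += ["-j", rule["PACKET_ACTION"]]
            commands.append(argv)
    return commands


def build_iptables_commands(table_name, acl_table, acl_rules):
    """Translate every rule of one CTRLPLANE table, highest PRIORITY first,
    so that iptables (first match wins) evaluates them in SONiC's order."""
    if acl_table.get("type") != "CTRLPLANE":
        return []
    rules = [r for key, r in acl_rules.items() if key.split("|", 1)[0] == table_name]
    rules.sort(key=lambda r: int(r.get("PRIORITY", "0")), reverse=True)
    commands = []
    for rule in rules:
        commands.extend(rule_to_iptables(acl_table, rule))
    return commands


if __name__ == "__main__":
    for argv in build_iptables_commands("TEST_ACL_TABLE", ACL_TABLE, ACL_RULES):
        print(shlex.join(argv))
```

Run stand-alone it prints the tcp rule with `--tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK,URG` and the udp rule without any flag match, mirroring the two `DROP` lines in the verification output above. A `TCP_FLAGS` value whose flag bits fall outside its mask is rejected up front, since such a rule would be accepted by iptables but never match anything.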

@msftclas

msftclas commented May 23, 2018

CLA assistant check
All CLA requirements met.

@denis-maslov denis-maslov changed the title [caclmgrd] Translation of ACL Control Plane rules into tcpdump comman… [caclmgrd] Translation of ACL Control Plane rules into iptables comman… May 23, 2018
BasimShalata added a commit to BasimShalata/sonic-buildimage that referenced this pull request Aug 4, 2021
This PR contains the following commits:
54b74a2 2021-08-04 [LLDP] Fix lldpshow script to enable display multiple MAC addresses on the same remote physical interface (sonic-net#1657)
0d53b7a 2021-08-03 [sonic_installer] don't print errors when installing an image not supporting app ext (sonic-net#1719)
394e2fb 2021-08-03 Implement script null_route_helper (sonic-net#1737)
dd01b56 2021-08-02 disk_check updates: (sonic-net#1736)
8a74d03 2021-07-30 [CLI][show][bgp] Fix the show ip bgp network command (sonic-net#1733)
679a4ba 2021-07-30 [MACsec]: Allow upgrade-docker for macsec container (sonic-net#1716)
e9c73e8 2021-07-28 [CLI][MPLS][Show] Added multi ASIC support for 'show mpls command'.


Signed-off-by: Basim Shalata <[email protected]>
lguohan pushed a commit that referenced this pull request Aug 6, 2021
This PR is to update sonic-utilities for master branch
Changes including
```
54b74a2 [LLDP] Fix lldpshow script to enable display multiple MAC addresses on the same remote physical interface (#1657)
0d53b7a [sonic_installer] don't print errors when installing an image not supporting app ext (#1719)
394e2fb Implement script null_route_helper (#1737)
```

Signed-off-by: bingwang <[email protected]>
lguohan pushed a commit that referenced this pull request Aug 6, 2021
This PR contains the following commits:
54b74a2 2021-08-04 [LLDP] Fix lldpshow script to enable display multiple MAC addresses on the same remote physical interface (#1657)
0d53b7a 2021-08-03 [sonic_installer] don't print errors when installing an image not supporting app ext (#1719)
394e2fb 2021-08-03 Implement script null_route_helper (#1737)
dd01b56 2021-08-02 disk_check updates: (#1736)
8a74d03 2021-07-30 [CLI][show][bgp] Fix the show ip bgp network command (#1733)
679a4ba 2021-07-30 [MACsec]: Allow upgrade-docker for macsec container (#1716)
e9c73e8 2021-07-28 [CLI][MPLS][Show] Added multi ASIC support for 'show mpls command'.


Signed-off-by: Basim Shalata <[email protected]>
carl-nokia pushed a commit to carl-nokia/sonic-buildimage that referenced this pull request Aug 7, 2021
This PR is to update sonic-utilities for master branch
Changes including
```
54b74a2 [LLDP] Fix lldpshow script to enable display multiple MAC addresses on the same remote physical interface (sonic-net#1657)
0d53b7a [sonic_installer] don't print errors when installing an image not supporting app ext (sonic-net#1719)
394e2fb Implement script null_route_helper (sonic-net#1737)
```

Signed-off-by: bingwang <[email protected]>
judyjoseph added a commit that referenced this pull request Sep 19, 2021
a631f04 Add check_db_integrity script to setup.py (#1828)
ddf6793 Implement script null_route_helper (#1737)
stepanblyschak added a commit to stepanblyschak/sonic-buildimage that referenced this pull request Nov 11, 2021
```
5f8ebfa (HEAD, origin/master, origin/HEAD, master) [AclOrch] move ACL counters to flex counter infrastructure (sonic-net#1943)
8119ec0 [bfdorch] Orchagent support hardware BFD (sonic-net#1883)
15074ac [sonic-swss]:enable unconfiguring PFC on last TC on a port (sonic-net#1962)
05c7c05 [Mux orch] set default as standby, change mux orch priority (sonic-net#2010)
fe5b2a9 [pytest]: Ignore errors deleting host ifs (sonic-net#2005)
70da9af [ci]: use native arm64 and armhf pool (sonic-net#2013)
e14a071 [qos] Add EXP to TC map support (sonic-net#1954)
c91a7f2 [switchorch] Implement VXLAN src port range feature  (sonic-net#1959)
b20f0f4 Gcov for swss daemon (sonic-net#1737)
01c243a [CRM][MPLS] Fix the mpls nexthop CRM attribute (sonic-net#2008)
8448a60 [vs tests]Migrating sonic-swss tests to use hwsku instead of fakeplatform (sonic-net#1978)
faa26db Fix random failure in PR/CI build. (sonic-net#2006)
e03edb6 Allow interface type value none (sonic-net#1991)
71b9650 [orchagent] Fix group name of port-buffer-drop in flexcounterorch.cpp (sonic-net#1967)
facdef5 [VS test] Skip flaky virtual chassis test (sonic-net#2004)
8261c1f [pytest]: Increase timeout when checking services (sonic-net#2000)
67278be [teammgrd]: Handle LAGs cleanup gracefully on Warm/Fast reboot. (sonic-net#1934)
e92c1df Enable FEC statistics collection for Ethernet ports (sonic-net#1994)
9f30ca1 VxLAN Tunnel Counters and Rates implementation (sonic-net#1859)
ac3103a Add missing neighbor resolution for MPLS route programming (sonic-net#1968)
bfba0ad [vlanmgr]Fix for STATE_DB port check logic (sonic-net#1980)
9ef2ba4 [vlanmgr]: Update VLAN removal code to work with 5.10 kernel and newer iproute2 versions (sonic-net#1970)
41fb26c [Mux orch] Handle setting unknown mux state (sonic-net#1984)
ac09bde [azp]: Increase timeout for VS tests (sonic-net#1988)
da8a43e [pytest]: Check if appl DB exists before deleting (sonic-net#1983)
553d75a [tunnel decap] Change tunnel orch order (sonic-net#1977)
7444e96 [macsecmgr]: Add rekey period in macsec mgr (sonic-net#1958)
d95823d [Buffermgr]Graceful handling of buffer model change (sonic-net#1956)
b0aa6a0 EVPN VxLAN enhancement to support P2MP tunnel based programming for Layer2 extension (sonic-net#1858)
85bdf54 Fix the option missing in kernel config issue (sonic-net#1973)
6b15584 Orchagent validates mirror session queue parameter against maximum value from SAI (sonic-net#1957)
fc9ffb9 [copp] Add ISIS, LDP and micro-BFD trap types to CoPP manager (sonic-net#1890)
452cbc1 [macsecorch]: Add IPG adjusting for MACsec gearbox model (sonic-net#1925)
```

Signed-off-by: Stepan Blyschak <[email protected]>
stepanblyschak added a commit to stepanblyschak/sonic-buildimage that referenced this pull request Nov 11, 2021
```
5f8ebfa (HEAD, origin/master, origin/HEAD, master) [AclOrch] move ACL counters to flex counter infrastructure (sonic-net#1943)
8119ec0 [bfdorch] Orchagent support hardware BFD (sonic-net#1883)
15074ac [sonic-swss]:enable unconfiguring PFC on last TC on a port (sonic-net#1962)
05c7c05 [Mux orch] set default as standby, change mux orch priority (sonic-net#2010)
fe5b2a9 [pytest]: Ignore errors deleting host ifs (sonic-net#2005)
70da9af [ci]: use native arm64 and armhf pool (sonic-net#2013)
e14a071 [qos] Add EXP to TC map support (sonic-net#1954)
c91a7f2 [switchorch] Implement VXLAN src port range feature  (sonic-net#1959)
b20f0f4 Gcov for swss daemon (sonic-net#1737)
01c243a [CRM][MPLS] Fix the mpls nexthop CRM attribute (sonic-net#2008)
```

Signed-off-by: Stepan Blyschak <[email protected]>
lguohan pushed a commit that referenced this pull request Nov 15, 2021
```
5f8ebfa (HEAD, origin/master, origin/HEAD, master) [AclOrch] move ACL counters to flex counter infrastructure (#1943)
8119ec0 [bfdorch] Orchagent support hardware BFD (#1883)
15074ac [sonic-swss]:enable unconfiguring PFC on last TC on a port (#1962)
05c7c05 [Mux orch] set default as standby, change mux orch priority (#2010)
fe5b2a9 [pytest]: Ignore errors deleting host ifs (#2005)
70da9af [ci]: use native arm64 and armhf pool (#2013)
e14a071 [qos] Add EXP to TC map support (#1954)
c91a7f2 [switchorch] Implement VXLAN src port range feature  (#1959)
b20f0f4 Gcov for swss daemon (#1737)
01c243a [CRM][MPLS] Fix the mpls nexthop CRM attribute (#2008)
```

Signed-off-by: Stepan Blyschak <[email protected]>
theasianpianist pushed a commit to theasianpianist/sonic-buildimage that referenced this pull request Feb 5, 2022
* [gcov] swss support gcov
* Introduce gcov-related automation script to test coverage rate for swss module
Signed-off-by: pettershao-ragilenetworks <[email protected]>
taras-keryk pushed a commit to taras-keryk/sonic-buildimage that referenced this pull request Apr 28, 2022
richardyu-ms added a commit to richardyu-ms/sonic-buildimage that referenced this pull request Feb 8, 2023
Include commit
- 939c14b | [Submodule][upgrade]Upgrade SAI submodule (sonic-net#1203)

updates from SAI repo
- 0031470 | improve enum values integration check (sonic-net#1727) (sonic-net#1737)
- 4f11c7e | Enable github code scanning to replace LGTM. (sonic-net#1709)

Signed-off-by: richardyu-ms <[email protected]>
richardyu-ms added a commit to richardyu-ms/sonic-buildimage that referenced this pull request Feb 8, 2023
include changes from sairedis submodule
04d3c41 | [Submodule][upgrade]Upgrade SAI submodule (sonic-net#1204)

updates from SAI
0031470 | improve enum values integration check (sonic-net#1727) (sonic-net#1737)
4f11c7e | Enable github code scanning to replace LGTM. (sonic-net#1709)

Signed-off-by: richardyu-ms <[email protected]>
richardyu-ms added a commit to richardyu-ms/sonic-buildimage that referenced this pull request Feb 9, 2023
include sairedis changes
3a960be | [submodule][SAI]ADvance SAI Header (sonic-net#1206)
7026441 | [Mellanox] Enable DSCP remapping by using SAI attribute (sonic-net#1188)
a2c37b8 | [syncd]: Enable port bulk API (sonic-net#1197)

include SAI changes
7710e24 | [cherry-pick][202211]Enhance the check enum lock script (sonic-net#1741) (sonic-net#1742)
0031470 | improve enum values integration check (sonic-net#1727) (sonic-net#1737)
4f11c7e | Enable github code scanning to replace LGTM. (sonic-net#1709)
0fd23d2 | [SAI-PTF] Skip test when hit expected error from sai api (sonic-net#1699)
aba7612 | [SAI-PTF] API Logger - reformat arg values (sonic-net#1696)
1390cee | [SAI-PTF] API Logger - reformat dict in return value (sonic-net#1690)
3d96a1d | [SAI-PTF]Add return value in the SAI-PTF log (sonic-net#1685)

Signed-off-by: richardyu-ms <[email protected]>
xumia pushed a commit that referenced this pull request Feb 11, 2023
include sairedis changes
3a960be | [submodule][SAI]ADvance SAI Header (#1206)
7026441 | [Mellanox] Enable DSCP remapping by using SAI attribute (#1188)
a2c37b8 | [syncd]: Enable port bulk API (#1197)

include SAI changes
7710e24 | [cherry-pick][202211]Enhance the check enum lock script (#1741) (#1742)
0031470 | improve enum values integration check (#1727) (#1737)
4f11c7e | Enable github code scanning to replace LGTM. (#1709)
0fd23d2 | [SAI-PTF] Skip test when hit expected error from sai api (#1699)
aba7612 | [SAI-PTF] API Logger - reformat arg values (#1696)
1390cee | [SAI-PTF] API Logger - reformat dict in return value (#1690)
3d96a1d | [SAI-PTF]Add return value in the SAI-PTF log (#1685)

Signed-off-by: richardyu-ms <[email protected]>
xumia pushed a commit that referenced this pull request Feb 12, 2023
Why I did it
include changes from sairedis submodule
102d20b | [202211][submodule][SAI]Advance header include 0031470 | improve enum values integration check (#1727) (#1737)
04d3c41 | [Submodule][upgrade]Upgrade SAI submodule (#1204)

updates from SAI
7710e24 | [cherry-pick][202211]Enhance the check enum lock script (#1741) (#1742)
0031470 | improve enum values integration check (#1727) (#1737)
4f11c7e | Enable github code scanning to replace LGTM. (#1709)

How I did it
How to verify it
StormLiangMS pushed a commit to StormLiangMS/sonic-buildimage that referenced this pull request Mar 28, 2023
Related work items: sonic-net#276, sonic-net#305, sonic-net#332, sonic-net#338, sonic-net#339, sonic-net#1188, sonic-net#1192, sonic-net#1197, sonic-net#1206, sonic-net#1685, sonic-net#1690, sonic-net#1696, sonic-net#1699, sonic-net#1709, sonic-net#1727, sonic-net#1737, sonic-net#1741, sonic-net#1742, sonic-net#2511, sonic-net#2512, sonic-net#2532, sonic-net#2559, sonic-net#2626, sonic-net#2638, sonic-net#2645, sonic-net#2649, sonic-net#2660, sonic-net#2669, sonic-net#2670, sonic-net#2678, sonic-net#10084, sonic-net#11442, sonic-net#11873, sonic-net#12047, sonic-net#12110, sonic-net#12207, sonic-net#12529, sonic-net#12678, sonic-net#13235, sonic-net#13287, sonic-net#13372, sonic-net#13395, sonic-net#13456, sonic-net#13497, sonic-net#13522, sonic-net#13545, sonic-net#13547, sonic-net#13552, sonic-net#13569, sonic-net#13572, sonic-net#13578, sonic-net#13591, sonic-net#13611, sonic-net#13647, sonic-net#13649, sonic-net#13660, sonic-net#13710, sonic-net#13716, sonic-net#13724, sonic-net#13726, sonic-net#13732, sonic-net#13735, sonic-net#13739, sonic-net#13757, sonic-net#13786, sonic-net#13792, sonic-net#13800, sonic-net#13801, sonic-net#13802, sonic-net#13805, sonic-net#13806, sonic-net#13812, sonic-net#13814, sonic-net#13822, sonic-net#13831, sonic-net#13834, sonic-net#13847, sonic-net#13870, sonic-net#13882, sonic-net#13884, sonic-net#13885, sonic-net#13894, sonic-net#13895, sonic-net#13926, sonic-net#13932, sonic-net#13935, sonic-net#13942, sonic-net#13951, sonic-net#13953, sonic-net#13964