Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[caclmgrd] Translation of ACL Control Plane rules into iptables comman… #1737

Closed
wants to merge 1 commit into from
Closed

[caclmgrd] Translation of ACL Control Plane rules into iptables comman… #1737

wants to merge 1 commit into from

Conversation

denis-maslov
Copy link

@denis-maslov denis-maslov commented May 23, 2018
edited
Loading

- What I did
The problem
ACL control plane rules were not being translated into iptables rules
The config_db.json fragment with ACL configuration:

    "ACL_TABLE": {
        "TEST_ACL_TABLE": {
            "policy_desc": "Forward/Drop/Redirect Traffic",
            "type": "CTRLPLANE",
            "services": [
                "SNMP"
            ],
            "ports": [
                "Ethernet101",
                "Ethernet102",
                "Ethernet103",
                "Ethernet104"
            ]
        }
    }, 
    "ACL_RULE": {
        "TEST_ACL_TABLE|DROP_ON_ETH101": {
            "PRIORITY": "1011",
            "SRC_IP": "10.1.1.2/32",
            "DST_IP": "10.2.2.2/32",
            "ETHER_TYPE": "0x0800",
            "TCP_FLAGS": "0x30/0xFF",
            "IP_TYPE": "IP",
            "PACKET_ACTION": "DROP"
        }
    },

- How I did it
The causes

  1. There were no check if the ip protocol is "tcp" before adding --tcp-flags argument into iptables command
  2. It is necessary to set both mask and flags fields with --tcp-flags argument. But there were no parsing of the mask field from configuration db.

- How to verify it

  1. Add the fragment above into config_db.json and apply new configuration
  2. Check if ACL rules are created: 
    admin@sonic:~$ acl-loader show rule
Rule ID         Rule Name       Priority    Action    Match
--------------  --------------  ----------  --------  --------------------
TEST_ACL_TABLE  DROP_ON_ETH101  1011        DROP      DST_IP: 10.2.2.2/32
                                                      ETHER_TYPE: 0x0800
                                                      IP_TYPE: IP
                                                      SRC_IP: 10.1.1.2/32
                                                      TCP_FLAGS: 0x30/0xFF
admin@sonic:~$ acl-loader show table
Name            Type       Binding    Description
--------------  ---------  ---------  -----------------------------
TEST_ACL_TABLE  CTRLPLANE  SNMP       Forward/Drop/Redirect Traffic
  3. Check if ACL rules are translated into iptables 
    admin@sonic:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  10.1.1.2             anywhere             tcp dpt:snmp flags:FIN,SYN,RST,PSH,ACK,URG/ACK,URG
DROP       udp  --  10.1.1.2             anywhere             udp dpt:snmp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

- Description for the changelog

Translation of ACL Control Plane rules into iptables commands fixed

- A picture of a cute animal (not mandatory but encouraged)

  __________
 / ___  ___ \
/ / @ \/ @ \ \
\ \___/\___/ /\
 \____\/____/||
 /     /\\\\\//
|     |\\\\\\
 \      \\\\\\
   \______/\\\\
    _||_||_

[caclmgrd] Translation of ACL Control Plane rules into tcpdump comman…
283fa5f 
…ds fixed

Signed-off-by: Denis Maslov <Denis.Maslov@cavium.com>
@msftclas
Copy link

msftclas commented May 23, 2018
edited
Loading

CLA assistant check
All CLA requirements met.

@denis-maslov denis-maslov changed the title [caclmgrd] Translation of ACL Control Plane rules into tcpdump comman… [caclmgrd] Translation of ACL Control Plane rules into iptables comman… May 23, 2018
BasimShalata added a commit to BasimShalata/sonic-buildimage that referenced this pull request Aug 4, 2021
@BasimShalata
[sonic-utilities] Submodule update
b5df4ff 
This PR contains the following commits:
54b74a2 2021-08-04 [LLDP] Fix lldpshow script to enable display multiple MAC addresses on the same remote physical interface (sonic-net#1657)
0d53b7a 2021-08-03 [sonic_installer] don't print errors when installing an image not supporting app ext (sonic-net#1719)
394e2fb 2021-08-03 Implement script null_route_helper (sonic-net#1737)
dd01b56 2021-08-02 disk_check updates: (sonic-net#1736)
8a74d03 2021-07-30 [CLI][show][bgp] Fix the show ip bgp network command (sonic-net#1733)
679a4ba 2021-07-30 [MACsec]: Allow upgrade-docker for macsec container (sonic-net#1716)
e9c73e8 2021-07-28 [CLI][MPLS][Show] Added multi ASIC support for 'show mpls command'.


Signed-off-by: Basim Shalata <basims@nvidia.com>
@BasimShalata BasimShalata mentioned this pull request Aug 4, 2021
Merged
5 tasks
@yxieca yxieca mentioned this pull request Aug 5, 2021
Merged
lguohan pushed a commit that referenced this pull request Aug 6, 2021
@bingwang-ms
[submodule]: update sonic-utilities (#8348)
948ba5b 
This PR is to update sonic-utilities for master branch
Changes including
```
54b74a2 [LLDP] Fix lldpshow script to enable display multiple MAC addresses on the same remote physical interface (#1657)
0d53b7a [sonic_installer] don't print errors when installing an image not supporting app ext (#1719)
394e2fb Implement script null_route_helper (#1737)
```

Signed-off-by: bingwang <bingwang@microsoft.com>
lguohan pushed a commit that referenced this pull request Aug 6, 2021
@BasimShalata
[sonic-utilities] Submodule update (#8338)
c4e795f 
This PR contains the following commits:
54b74a2 2021-08-04 [LLDP] Fix lldpshow script to enable display multiple MAC addresses on the same remote physical interface (#1657)
0d53b7a 2021-08-03 [sonic_installer] don't print errors when installing an image not supporting app ext (#1719)
394e2fb 2021-08-03 Implement script null_route_helper (#1737)
dd01b56 2021-08-02 disk_check updates: (#1736)
8a74d03 2021-07-30 [CLI][show][bgp] Fix the show ip bgp network command (#1733)
679a4ba 2021-07-30 [MACsec]: Allow upgrade-docker for macsec container (#1716)
e9c73e8 2021-07-28 [CLI][MPLS][Show] Added multi ASIC support for 'show mpls command'.


Signed-off-by: Basim Shalata <basims@nvidia.com>
carl-nokia pushed a commit to carl-nokia/sonic-buildimage that referenced this pull request Aug 7, 2021
@bingwang-ms
[submodule]: update sonic-utilities (sonic-net#8348)
06f756d 
This PR is to update sonic-utilities for master branch
Changes including
```
54b74a2 [LLDP] Fix lldpshow script to enable display multiple MAC addresses on the same remote physical interface (sonic-net#1657)
0d53b7a [sonic_installer] don't print errors when installing an image not supporting app ext (sonic-net#1719)
394e2fb Implement script null_route_helper (sonic-net#1737)
```

Signed-off-by: bingwang <bingwang@microsoft.com>
judyjoseph added a commit that referenced this pull request Sep 19, 2021
@judyjoseph
Update sonic-utilities submodule with commits,
5fe5793 
a631f04 Add check_db_integrity script to setup.py (#1828)
ddf6793 Implement script null_route_helper (#1737)
stepanblyschak added a commit to stepanblyschak/sonic-buildimage that referenced this pull request Nov 11, 2021
@stepanblyschak
[sonic-swss] update submodule
198d136 
```
5f8ebfa (HEAD, origin/master, origin/HEAD, master) [AclOrch] move ACL counters to flex counter infrastructure (sonic-net#1943)
8119ec0 [bfdorch] Orchagent support hardware BFD (sonic-net#1883)
15074ac [sonic-swss]:enable unconfiguring PFC on last TC on a port (sonic-net#1962)
05c7c05 [Mux orch] set default as standby, change mux orch priority (sonic-net#2010)
fe5b2a9 [pytest]: Ignore errors deleting host ifs (sonic-net#2005)
70da9af [ci]: use native arm64 and armhf pool (sonic-net#2013)
e14a071 [qos] Add EXP to TC map support (sonic-net#1954)
c91a7f2 [switchorch] Implement VXLAN src port range feature  (sonic-net#1959)
b20f0f4 Gcov for swss daemon (sonic-net#1737)
01c243a [CRM][MPLS] Fix the mpls nexthop CRM attribute (sonic-net#2008)
8448a60 [vs tests]Migrating sonic-swss tests to use hwsku instead of fakeplatform (sonic-net#1978)
faa26db Fix random failure in PR/CI build. (sonic-net#2006)
e03edb6 Allow interface type value none (sonic-net#1991)
71b9650 [orchagent] Fix group name of port-buffer-drop in flexcounterorch.cpp (sonic-net#1967)
facdef5 [VS test] Skip flaky virtual chassis test (sonic-net#2004)
8261c1f [pytest]: Increase timeout when checking services (sonic-net#2000)
67278be [teammgrd]: Handle LAGs cleanup gracefully on Warm/Fast reboot. (sonic-net#1934)
e92c1df Enable FEC statistics collection for Ethernet ports (sonic-net#1994)
9f30ca1 VxLAN Tunnel Counters and Rates implementation (sonic-net#1859)
ac3103a Add missing neighbor resolution for MPLS route programming (sonic-net#1968)
bfba0ad [vlanmgr]Fix for STATE_DB port check logic (sonic-net#1980)
9ef2ba4 [vlanmgr]: Update VLAN removal code to work with 5.10 kernel and newer iproute2 versions (sonic-net#1970)
41fb26c [Mux orch] Handle setting unknown mux state (sonic-net#1984)
ac09bde [azp]: Increase timeout for VS tests (sonic-net#1988)
da8a43e [pytest]: Check if appl DB exists before deleting (sonic-net#1983)
553d75a [tunnel decap] Change tunnel orch order (sonic-net#1977)
7444e96 [macsecmgr]: Add rekey period in macsec mgr (sonic-net#1958)
d95823d [Buffermgr]Graceful handling of buffer model change (sonic-net#1956)
b0aa6a0 EVPN VxLAN enhancement to support P2MP tunnel based programming for Layer2 extension (sonic-net#1858)
85bdf54 Fix the option missing in kernel config issue (sonic-net#1973)
6b15584 Orchagent validates mirror session queue parameter against maximum value from SAI (sonic-net#1957)
fc9ffb9 [copp] Add ISIS, LDP and micro-BFD trap types to CoPP manager (sonic-net#1890)
452cbc1 [macsecorch]: Add IPG adjusting for MACsec gearbox model (sonic-net#1925)
```

Signed-off-by: Stepan Blyschak <stepanb@nvidia.com>
stepanblyschak added a commit to stepanblyschak/sonic-buildimage that referenced this pull request Nov 11, 2021
@stepanblyschak
[sonic-swss] update submodule
aef49e3 
```
5f8ebfa (HEAD, origin/master, origin/HEAD, master) [AclOrch] move ACL counters to flex counter infrastructure (sonic-net#1943)
8119ec0 [bfdorch] Orchagent support hardware BFD (sonic-net#1883)
15074ac [sonic-swss]:enable unconfiguring PFC on last TC on a port (sonic-net#1962)
05c7c05 [Mux orch] set default as standby, change mux orch priority (sonic-net#2010)
fe5b2a9 [pytest]: Ignore errors deleting host ifs (sonic-net#2005)
70da9af [ci]: use native arm64 and armhf pool (sonic-net#2013)
e14a071 [qos] Add EXP to TC map support (sonic-net#1954)
c91a7f2 [switchorch] Implement VXLAN src port range feature  (sonic-net#1959)
b20f0f4 Gcov for swss daemon (sonic-net#1737)
01c243a [CRM][MPLS] Fix the mpls nexthop CRM attribute (sonic-net#2008)
```

Signed-off-by: Stepan Blyschak <stepanb@nvidia.com>
lguohan pushed a commit that referenced this pull request Nov 15, 2021
@stepanblyschak
[sonic-swss] update submodule (#9232)
0e057a4 
```
5f8ebfa (HEAD, origin/master, origin/HEAD, master) [AclOrch] move ACL counters to flex counter infrastructure (#1943)
8119ec0 [bfdorch] Orchagent support hardware BFD (#1883)
15074ac [sonic-swss]:enable unconfiguring PFC on last TC on a port (#1962)
05c7c05 [Mux orch] set default as standby, change mux orch priority (#2010)
fe5b2a9 [pytest]: Ignore errors deleting host ifs (#2005)
70da9af [ci]: use native arm64 and armhf pool (#2013)
e14a071 [qos] Add EXP to TC map support (#1954)
c91a7f2 [switchorch] Implement VXLAN src port range feature  (#1959)
b20f0f4 Gcov for swss daemon (#1737)
01c243a [CRM][MPLS] Fix the mpls nexthop CRM attribute (#2008)
```

Signed-off-by: Stepan Blyschak <stepanb@nvidia.com>
theasianpianist pushed a commit to theasianpianist/sonic-buildimage that referenced this pull request Feb 5, 2022
@pettershao-ragilenetworks
Gcov for swss daemon (sonic-net#1737)
b20f0f4 
* [gcov] swss support gcov
* Introduce gcov-related automation script to test coverage rate for swss module
Signed-off-by: pettershao-ragilenetworks <pettershao@ragilenetworks.com>
taras-keryk pushed a commit to taras-keryk/sonic-buildimage that referenced this pull request Apr 28, 2022
@bingwang-ms
Implement script null_route_helper (sonic-net#1737)
394e2fb 
Signed-off-by: bingwang <bingwang@microsoft.com>
richardyu-ms added a commit to richardyu-ms/sonic-buildimage that referenced this pull request Feb 8, 2023
@richardyu-ms
[202205][sairedis]advance sairedis head
1a33ccd 
Include commit
- 939c14b | [Submodule][upgrade]Upgrade SAI submodule (sonic-net#1203)

updates from SAI repo
- 0031470 | improve enum values integration check (sonic-net#1727) (sonic-net#1737)
- 4f11c7e | Enable github code scanning to replace LGTM. (sonic-net#1709)

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>
@richardyu-ms richardyu-ms mentioned this pull request Feb 8, 2023
Closed
8 tasks
richardyu-ms added a commit to richardyu-ms/sonic-buildimage that referenced this pull request Feb 8, 2023
@richardyu-ms
[202211][submodule]Advance sairedis head
5e9696f 
include changes from sairedis submodule
04d3c41 | [Submodule][upgrade]Upgrade SAI submodule (sonic-net#1204)

updates from SAI
0031470 | improve enum values integration check (sonic-net#1727) (sonic-net#1737)
4f11c7e | Enable github code scanning to replace LGTM. (sonic-net#1709)

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>
@richardyu-ms richardyu-ms mentioned this pull request Feb 8, 2023
Merged
8 tasks
richardyu-ms added a commit to richardyu-ms/sonic-buildimage that referenced this pull request Feb 9, 2023
@richardyu-ms
[submodule][sairedis]Advance submodule head
00ef009 
include sairedis changes
3a960be | [submodule][SAI]ADvance SAI Header (sonic-net#1206)
7026441 | [Mellanox] Enable DSCP remapping by using SAI attribute (sonic-net#1188)
a2c37b8 | [syncd]: Enable port bulk API (sonic-net#1197)

include SAI changes
7710e24 | [cherry-pick][202211]Enhance the check enum lock script (sonic-net#1741) (sonic-net#1742)
0031470 | improve enum values integration check (sonic-net#1727) (sonic-net#1737)
4f11c7e | Enable github code scanning to replace LGTM. (sonic-net#1709)
0fd23d2 | [SAI-PTF] Skip test when hit expected error from sai api (sonic-net#1699)
aba7612 | [SAI-PTF] API Logger - reformat arg values (sonic-net#1696)
1390cee | [SAI-PTF] API Logger - reformat dict in return value (sonic-net#1690)
3d96a1d | [SAI-PTF]Add return value in the SAI-PTF log (sonic-net#1685)

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>
@richardyu-ms richardyu-ms mentioned this pull request Feb 9, 2023
Merged
xumia pushed a commit that referenced this pull request Feb 11, 2023
@richardyu-ms
[submodule][sairedis]Advance submodule head (#13724)
43683d8 
include sairedis changes
3a960be | [submodule][SAI]ADvance SAI Header (#1206)
7026441 | [Mellanox] Enable DSCP remapping by using SAI attribute (#1188)
a2c37b8 | [syncd]: Enable port bulk API (#1197)

include SAI changes
7710e24 | [cherry-pick][202211]Enhance the check enum lock script (#1741) (#1742)
0031470 | improve enum values integration check (#1727) (#1737)
4f11c7e | Enable github code scanning to replace LGTM. (#1709)
0fd23d2 | [SAI-PTF] Skip test when hit expected error from sai api (#1699)
aba7612 | [SAI-PTF] API Logger - reformat arg values (#1696)
1390cee | [SAI-PTF] API Logger - reformat dict in return value (#1690)
3d96a1d | [SAI-PTF]Add return value in the SAI-PTF log (#1685)

Signed-off-by: richardyu-ms <richard.yu@microsoft.com>
xumia pushed a commit that referenced this pull request Feb 12, 2023
@richardyu-ms
[202211][submodule]Advance sairedis head (#13712)
422978c 
Why I did it
include changes from sairedis submodule
102d20b | [202211][submodule][SAI]Advance header include 0031470 | improve enum values integration check (#1727) (#1737)
04d3c41 | [Submodule][upgrade]Upgrade SAI submodule (#1204)

updates from SAI
7710e24 | [cherry-pick][202211]Enhance the check enum lock script (#1741) (#1742)
0031470 | improve enum values integration check (#1727) (#1737)
4f11c7e | Enable github code scanning to replace LGTM. (#1709)

How I did it
How to verify it
StormLiangMS pushed a commit to StormLiangMS/sonic-buildimage that referenced this pull request Mar 28, 2023
@xumia @StormLiangMS
Merged PR 7734653: Merge code from public to internal
2a50b2d 
Related work items: sonic-net#276, sonic-net#305, sonic-net#332, sonic-net#338, sonic-net#339, sonic-net#1188, sonic-net#1192, sonic-net#1197, sonic-net#1206, sonic-net#1685, sonic-net#1690, sonic-net#1696, sonic-net#1699, sonic-net#1709, sonic-net#1727, sonic-net#1737, sonic-net#1741, sonic-net#1742, sonic-net#2511, sonic-net#2512, sonic-net#2532, sonic-net#2559, sonic-net#2626, sonic-net#2638, sonic-net#2645, sonic-net#2649, sonic-net#2660, sonic-net#2669, sonic-net#2670, sonic-net#2678, sonic-net#10084, sonic-net#11442, sonic-net#11873, sonic-net#12047, sonic-net#12110, sonic-net#12207, sonic-net#12529, sonic-net#12678, sonic-net#13235, sonic-net#13287, sonic-net#13372, sonic-net#13395, sonic-net#13456, sonic-net#13497, sonic-net#13522, sonic-net#13545, sonic-net#13547, sonic-net#13552, sonic-net#13569, sonic-net#13572, sonic-net#13578, sonic-net#13591, sonic-net#13611, sonic-net#13647, sonic-net#13649, sonic-net#13660, sonic-net#13710, sonic-net#13716, sonic-net#13724, sonic-net#13726, sonic-net#13732, sonic-net#13735, sonic-net#13739, sonic-net#13757, sonic-net#13786, sonic-net#13792, sonic-net#13800, sonic-net#13801, sonic-net#13802, sonic-net#13805, sonic-net#13806, sonic-net#13812, sonic-net#13814, sonic-net#13822, sonic-net#13831, sonic-net#13834, sonic-net#13847, sonic-net#13870, sonic-net#13882, sonic-net#13884, sonic-net#13885, sonic-net#13894, sonic-net#13895, sonic-net#13926, sonic-net#13932, sonic-net#13935, sonic-net#13942, sonic-net#13951, sonic-net#13953, sonic-net#13964
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@denis-maslov @msftclas