Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[caclmgrd] Translation of ACL Control Plane rules into iptables commands fixed #1798

Merged
merged 1 commit into from
Jun 20, 2018

Conversation

denis-maslov
Copy link

Signed-off-by: Denis Maslov Denis.Maslov@cavium.com

- What I did
The problem
ACL control plane rules were not being translated into iptables rules
The config_db.json fragment with ACL configuration:

    "ACL_TABLE": {
        "TEST_ACL_TABLE": {
            "policy_desc": "Forward/Drop/Redirect Traffic",
            "type": "CTRLPLANE",
            "services": [
                "SNMP"
            ],
            "ports": [
                "Ethernet101",
                "Ethernet102",
                "Ethernet103",
                "Ethernet104"
            ]
        }
    }, 
    "ACL_RULE": {
        "TEST_ACL_TABLE|DROP_ON_ETH101": {
            "PRIORITY": "1011",
            "SRC_IP": "10.1.1.2/32",
            "DST_IP": "10.2.2.2/32",
            "ETHER_TYPE": "0x0800",
            "TCP_FLAGS": "0x30/0xFF",
            "IP_TYPE": "IP",
            "PACKET_ACTION": "DROP"
        }
    }, 

- How I did it
The causes

  1. There were no check if the ip protocol is "tcp" before adding --tcp-flags argument into iptables command
  2. It is necessary to set both mask and flags fields with --tcp-flags argument. But there were no parsing of the mask field from configuration db.

- How to verify it

  1. Add the fragment above into config_db.json and apply new configuration
  2. Check if ACL rules are created:
    admin@sonic:~$ acl-loader show rule
    Rule ID         Rule Name       Priority    Action    Match
    --------------  --------------  ----------  --------  --------------------
    TEST_ACL_TABLE  DROP_ON_ETH101  1011        DROP      DST_IP: 10.2.2.2/32
                                                          ETHER_TYPE: 0x0800
                                                          IP_TYPE: IP
                                                          SRC_IP: 10.1.1.2/32
                                                          TCP_FLAGS: 0x30/0xFF
    admin@sonic:~$ acl-loader show table
    Name            Type       Binding    Description
    --------------  ---------  ---------  -----------------------------
    TEST_ACL_TABLE  CTRLPLANE  SNMP       Forward/Drop/Redirect Traffic
    
  3. Check if ACL rules are translated into iptables
    admin@sonic:~$ sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    DROP       tcp  --  10.1.1.2             anywhere             tcp dpt:snmp flags:FIN,SYN,RST,PSH,ACK,URG/ACK,URG
    DROP       udp  --  10.1.1.2             anywhere             udp dpt:snmp
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination    
    

- Description for the changelog

Translation of ACL Control Plane rules into iptables commands fixed

- A picture of a cute animal (not mandatory but encouraged)

  __________
 / ___  ___ \
/ / @ \/ @ \ \
\ \___/\___/ /\
 \____\/____/||
 /     /\\\\\//
|     |\\\\\\
 \      \\\\\\
   \______/\\\\
    _||_||_

…nds fixed

Signed-off-by: Denis Maslov <Denis.Maslov@cavium.com>
@lguohan lguohan merged commit d82db79 into sonic-net:master Jun 20, 2018
wen587 added a commit that referenced this pull request Oct 26, 2021
8ea834b [sonic_installer] Change sonic_installer check ASIC mismatch by platforms list (#1836)
9017d99 Fix the option missing in kernel config issue (#1888)
6595ad4 [mlag] fix log print sequence (#1730)
e600e1c CLI command to load config in Yang format (#1781)
00948d0 Fix the target db version of portchannel-key test (#1842)
6412fea [sonic-package-manager] remove make_python_identifier (#1801)
f738818 [sonic-package-manager] stop service explicitelly before uninstalling package (#1805)
d8ee5e9 Remove exec from platform_reboot_plugin call to handle any hang issue. (#1879)
827fcee [chassis][routecheck]filter out the chassis internal interfaces (#1798)
4d732c6 [generic_config_updater] Logging (#1864)
25bb184 [config]: Add loopback interfaces to interface name checker (#1869)
c950a55 Validate input of config mirror_session add (#1825)
9ab20fd [show][config] fix the muxcable commands for interface naming mode (#1862)
476b3a4 [multi-asic][cli][chassis-db] Avoid connecting to chassis db for cli commands executed from linecard (#1707)
theasianpianist pushed a commit to theasianpianist/sonic-buildimage that referenced this pull request Feb 5, 2022
…-net#1752)" (sonic-net#1798)

This reverts commit a44e651.

Proper weight initialization is needed when weights are not provided:
https://github.com/Azure/sonic-swss/blob/a44e6513556cfed7de1b70690db90cc09fcef666/orchagent/routeorch.cpp#L638

Warmboot is failing on various platforms: sonic-net#7919

The original PR needs some negative unit testcases when the weight is not present for the nexthop group.
taras-keryk pushed a commit to taras-keryk/sonic-buildimage that referenced this pull request Apr 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants