Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[caclmgrd] Add some default ACCEPT rules and lastly drop all incoming packets #4412

Merged
merged 6 commits into from
May 11, 2020
Merged

[caclmgrd] Add some default ACCEPT rules and lastly drop all incoming packets #4412

merged 6 commits into from
May 11, 2020

Conversation

jleveque
Copy link
Contributor

@jleveque jleveque commented Apr 11, 2020
edited
Loading

- What I did

Modified behavior to enhance device security as follows:

  • Upon starting or receiving notification of ACL table/rule changes in Config DB:
    1. Add iptables/ip6tables commands to allow all incoming packets from established TCP sessions or new TCP sessions which are related to established TCP sessions
    2. Add iptables/ip6tables commands to allow bidirectional ICMPv4 ping and traceroute
    3. Add iptables/ip6tables commands to allow bidirectional ICMPv6 ping and traceroute
    4. Add iptables/ip6tables commands to allow all incoming Neighbor Discovery Protocol (NDP) NS/NA/RS/RA messages
    5. Add iptables/ip6tables commands to allow all incoming IPv4 DHCP packets
    6. Add iptables/ip6tables commands to allow all incoming IPv6 DHCP packets
    7. Add iptables/ip6tables commands to allow all incoming BGP traffic
    8. Add iptables/ip6tables commands for all ACL rules for recognized services (currently SSH, SNMP, NTP)
    9. For all services which we did not find configured ACL rules, add iptables/ip6tables commands to allow all incoming packets for those services (allows the device to accept SSH connections before the device is configured)
    10. Add iptables rules to drop all packets destined for loopback interface IP addresses
    11. Add iptables rules to drop all packets destined for management interface IP addresses
    12. Add iptables rules to drop all packets destined for point-to-point interface IP addresses
    13. Add iptables rules to drop all packets destined for our VLAN interface gateway IP addresses
    14. Add iptables/ip6tables commands to allow all incoming packets with TTL of 0 or 1 (This allows the device to respond to tools like tcptraceroute)
    15. If we found control plane ACLs in the configuration and applied them, we lastly add iptables/ip6tables commands to drop all other incoming packets

@jleveque jleveque requested a review from lguohan April 11, 2020 03:08
@jleveque jleveque self-assigned this Apr 11, 2020
@jleveque jleveque marked this pull request as ready for review May 5, 2020 00:03
lguohan
lguohan previously approved these changes May 6, 2020
View reviewed changes
@jleveque
Copy link
Contributor Author

jleveque commented May 6, 2020

@lguohan: Can you please review/approve again? I made a few minor changes to check for valid tables and make constant names more accurate. Thanks!

@jleveque jleveque merged commit 5e8e0d7 into sonic-net:master May 11, 2020
@jleveque jleveque deleted the cacl_enhance branch May 11, 2020 19:36
@jleveque
Copy link
Contributor Author

Removed labels requesting cherry-picks into release branches until tested and verified.

@jleveque
Copy link
Contributor Author

This PR introduces a bug which is fixed in #4581

@jleveque jleveque mentioned this pull request May 12, 2020
Merged
abdosi pushed a commit that referenced this pull request Jun 3, 2020
@jleveque @abdosi
[caclmgrd] Add some default ACCEPT rules and lastly drop all incoming…
ac957a0 
… packets (#4412)

Modified caclmgrd behavior to enhance control plane security as follows:

Upon starting or receiving notification of ACL table/rule changes in Config DB:
1. Add iptables/ip6tables commands to allow all incoming packets from established TCP sessions or new TCP sessions which are related to established TCP sessions
2. Add iptables/ip6tables commands to allow bidirectional ICMPv4 ping and traceroute
3. Add iptables/ip6tables commands to allow bidirectional ICMPv6 ping and traceroute
4. Add iptables/ip6tables commands to allow all incoming Neighbor Discovery Protocol (NDP) NS/NA/RS/RA messages
5. Add iptables/ip6tables commands to allow all incoming IPv4 DHCP packets
6. Add iptables/ip6tables commands to allow all incoming IPv6 DHCP packets
7. Add iptables/ip6tables commands to allow all incoming BGP traffic
8. Add iptables/ip6tables commands for all ACL rules for recognized services (currently SSH, SNMP, NTP)
9. For all services which we did not find configured ACL rules, add iptables/ip6tables commands to allow all incoming packets for those services (allows the device to accept SSH connections before the device is configured)
10. Add iptables rules to drop all packets destined for loopback interface IP addresses
11. Add iptables rules to drop all packets destined for management interface IP addresses
12. Add iptables rules to drop all packets destined for point-to-point interface IP addresses
13. Add iptables rules to drop all packets destined for our VLAN interface gateway IP addresses
14. Add iptables/ip6tables commands to allow all incoming packets with TTL of 0 or 1 (This allows the device to respond to tools like tcptraceroute)
15. If we found control plane ACLs in the configuration and applied them, we lastly add iptables/ip6tables commands to drop all other incoming packets
yxieca pushed a commit that referenced this pull request Jun 9, 2020
@jleveque @yxieca
[caclmgrd] Add some default ACCEPT rules and lastly drop all incoming…
3ee9c5d 
… packets (#4412)

Modified caclmgrd behavior to enhance control plane security as follows:

Upon starting or receiving notification of ACL table/rule changes in Config DB:
1. Add iptables/ip6tables commands to allow all incoming packets from established TCP sessions or new TCP sessions which are related to established TCP sessions
2. Add iptables/ip6tables commands to allow bidirectional ICMPv4 ping and traceroute
3. Add iptables/ip6tables commands to allow bidirectional ICMPv6 ping and traceroute
4. Add iptables/ip6tables commands to allow all incoming Neighbor Discovery Protocol (NDP) NS/NA/RS/RA messages
5. Add iptables/ip6tables commands to allow all incoming IPv4 DHCP packets
6. Add iptables/ip6tables commands to allow all incoming IPv6 DHCP packets
7. Add iptables/ip6tables commands to allow all incoming BGP traffic
8. Add iptables/ip6tables commands for all ACL rules for recognized services (currently SSH, SNMP, NTP)
9. For all services which we did not find configured ACL rules, add iptables/ip6tables commands to allow all incoming packets for those services (allows the device to accept SSH connections before the device is configured)
10. Add iptables rules to drop all packets destined for loopback interface IP addresses
11. Add iptables rules to drop all packets destined for management interface IP addresses
12. Add iptables rules to drop all packets destined for point-to-point interface IP addresses
13. Add iptables rules to drop all packets destined for our VLAN interface gateway IP addresses
14. Add iptables/ip6tables commands to allow all incoming packets with TTL of 0 or 1 (This allows the device to respond to tools like tcptraceroute)
15. If we found control plane ACLs in the configuration and applied them, we lastly add iptables/ip6tables commands to drop all other incoming packets
@abdosi abdosi mentioned this pull request Jun 24, 2020
Merged
abdosi added a commit to abdosi/sonic-mgmt that referenced this pull request Jun 24, 2020
@abdosi
As part of this PR#sonic-net/sonic-buildimage#4412
7c04d74 
we have added ACCEPT rules for BGP packets as default. Because of this
iptable rule added by qos_sai.yml get ignored because of lower priority
and make test case fails since BGP packets impacts Buffer calcualtion
assumption of testcase.

Fix is to add iptable rule to Drop BGP Packet from test case as highest
priority.

Fix in py script also
abdosi added a commit to sonic-net/sonic-mgmt that referenced this pull request Jun 25, 2020
@abdosi
As part of this PR#sonic-net/sonic-buildimage#4412 (#1810)
a25951a 
we have added ACCEPT rules for BGP packets as default. Because of this
iptable rule added by qos_sai.yml get ignored because of lower priority
and make test case fails since BGP packets impacts Buffer calcualtion
assumption of testcase.

Fix is to add iptable rule to Drop BGP Packet from test case as highest
priority.

Fix in py script also
@bluecmd bluecmd mentioned this pull request Jan 27, 2022
Closed
6 tasks
@Sunxiaoluo
Copy link

May I ask why the change in step xiii was made? Is it for a specific network environment?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lguohan lguohan lguohan approved these changes

Assignees

@jleveque jleveque

Labels
Control Plane ACL Enhancement ➕ Included in 201811 Branch Included in 201911 Branch Request for 201811 Branch :shipit: Request for 201911 Branch :shipit: Security 🛡️
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@jleveque @Sunxiaoluo @lguohan @yxieca @abdosi