From ed1e327e52bb9551179da9b3180388cbc7190b83 Mon Sep 17 00:00:00 2001 From: anilkpan <47642449+anilkpan@users.noreply.github.com> Date: Fri, 11 Dec 2020 13:47:24 -0800 Subject: [PATCH 1/7] Update caclmgrd Added check for valid ethertype in IPv4/v6 rule. --- src/sonic-host-services/scripts/caclmgrd | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/src/sonic-host-services/scripts/caclmgrd b/src/sonic-host-services/scripts/caclmgrd index e029066a6e47..3f3eabf9efab 100755 --- a/src/sonic-host-services/scripts/caclmgrd +++ b/src/sonic-host-services/scripts/caclmgrd @@ -277,14 +277,18 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): def is_rule_ipv4(self, rule_props): if (("SRC_IP" in rule_props and rule_props["SRC_IP"]) or - ("DST_IP" in rule_props and rule_props["DST_IP"])): + ("DST_IP" in rule_props and rule_props["DST_IP"]) or + (rule_props.get("IP_TYPE", None) == "IPV6ANY") or + (ethertype == 0x800)): return True else: return False def is_rule_ipv6(self, rule_props): if (("SRC_IPV6" in rule_props and rule_props["SRC_IPV6"]) or - ("DST_IPV6" in rule_props and rule_props["DST_IPV6"])): + ("DST_IPV6" in rule_props and rule_props["DST_IPV6"]) or + (rule_props.get("IP_TYPE", None) == "IPV6ANY") or + (ethertype == 0x86dd)): return True else: return False @@ -375,6 +379,8 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): # Walk the ACL tables for (table_name, table_data) in self._tables_db_info.items(): + if not table_data: + continue table_ip_version = None 
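Review bot: `ethertype` is an unbound name inside is_rule_ipv4 and is_rule_ipv6 in the -277 hunk — it is neither a parameter nor read from rule_props — so a rule with no SRC_IP/DST_IP and no matching IP_TYPE reaches `(ethertype == 0x800)` and raises NameError instead of returning False, and as far as the visible context shows nothing catches that, so one odd rule would stop the table walk rather than be skipped. The IPv4 predicate also tests `rule_props.get("IP_TYPE", None) == "IPV6ANY"`, so an IPV6ANY rule would be reported as IPv4 as well. Taking the value as a parameter, `def is_rule_ipv4(self, rule_props, ethertype=0):` (and the same for is_rule_ipv6), with 0 meaning no ETHER_TYPE was given, keeps the predicates self-contained; later patches in this series move in that direction. The literals `0x800`/`0x86dd` should be named constants shared with the validation in the -406 hunk so the two cannot drift apart.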
@@ -406,6 +412,15 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): self.log_warning("rule_props for rule_id {} empty or null!".format(rule_id)) continue + rule_props = {k.upper(): v for k,v in rule_props.items()} + + ethertype = 0 + if "ETHER_TYPE" in rule_props: + ethertype = int(rule_props['ETHER_TYPE'], 0) + if ethertype != 0x800 and ethertype != 0x86dd: + log_error("rule_props for rule_id {} does not have valid/supported ethertype.".format(rule_id)) + continue + try: acl_rules[rule_props["PRIORITY"]] = rule_props except KeyError: @@ -440,6 +455,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): # For each ACL rule in this table (in descending order of priority) for priority in sorted(iter(acl_rules.keys()), reverse=True): rule_props = acl_rules[priority] + rule_props = {k.upper(): v for k,v in rule_props.items()} if "PACKET_ACTION" not in rule_props: self.log_error("ACL rule does not contain PACKET_ACTION property") From 03fe225c1a7de3e3d3172d4233e130f1d2390a6c Mon Sep 17 00:00:00 2001 From: anilkpan <47642449+anilkpan@users.noreply.github.com> Date: Thu, 17 Dec 2020 14:41:39 -0800 Subject: [PATCH 2/7] Update caclmgrd --- src/sonic-host-services/scripts/caclmgrd | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/sonic-host-services/scripts/caclmgrd b/src/sonic-host-services/scripts/caclmgrd index 3f3eabf9efab..4fb9a61dc677 100755 --- a/src/sonic-host-services/scripts/caclmgrd +++ b/src/sonic-host-services/scripts/caclmgrd @@ -278,7 +278,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): def is_rule_ipv4(self, rule_props): if (("SRC_IP" in rule_props and rule_props["SRC_IP"]) or ("DST_IP" in rule_props and rule_props["DST_IP"]) or - (rule_props.get("IP_TYPE", None) == "IPV6ANY") or + (rule_props.get("IP_TYPE", None) == "IPV4ANY") or (ethertype == 0x800)): return True else: 
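Review bot: `log_error(...)` on the unsupported-ethertype path is a bare name, while the surrounding code logs through the instance (`self.log_warning(...)` two lines above), so the branch meant to log and skip a bad rule raises NameError instead; the same bare call survives in the -417 hunk of patch 5 and the -420 hunk of patch 7. `int(rule_props['ETHER_TYPE'], 0)` is also unguarded: a non-numeric value, or a decimal with a leading zero such as "0800" (base 0 follows Python literal rules), raises ValueError out of the rule-loading loop, and as far as the visible context shows nothing catches it. Both cases should be handled as "invalid rule, log and continue" so one malformed ACL entry cannot stop loading of the remaining rules; the fence shows the rewritten branch.
```python
if "ETHER_TYPE" in rule_props:
    try:
        ethertype = int(rule_props['ETHER_TYPE'], 0)
    except ValueError:
        self.log_error("rule_props for rule_id {} has an unparsable ETHER_TYPE value.".format(rule_id))
        continue
    if ethertype != 0x800 and ethertype != 0x86dd:
        self.log_error("rule_props for rule_id {} does not have valid/supported ethertype.".format(rule_id))
        continue
# … unchanged: PRIORITY bookkeeping …
```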
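Review bot: The added `rule_props = {k.upper(): v for k,v in rule_props.items()}` in the -440 hunk appears redundant, since acl_rules is populated in the -406 hunk from a dict whose keys were already upper-cased; if it is kept as defensive normalisation for rules that reach acl_rules by some other path, a one-line comment should say so, e.g. `# keys were normalised when acl_rules was built; repeated here defensively`. Otherwise drop the line to avoid suggesting the two loops can disagree.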
@@ -380,6 +380,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): # Walk the ACL tables for (table_name, table_data) in self._tables_db_info.items(): if not table_data: + self.log_warning("table_data is empty or null!") continue table_ip_version = None From 49aab6b215a05b7fdc21b5d285fb744561092366 Mon Sep 17 00:00:00 2001 From: anilkpan <47642449+anilkpan@users.noreply.github.com> Date: Thu, 17 Dec 2020 15:14:44 -0800 Subject: [PATCH 3/7] Update caclmgrd --- src/sonic-host-services/scripts/caclmgrd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sonic-host-services/scripts/caclmgrd b/src/sonic-host-services/scripts/caclmgrd index 4fb9a61dc677..dee84112bbf1 100755 --- a/src/sonic-host-services/scripts/caclmgrd +++ b/src/sonic-host-services/scripts/caclmgrd @@ -380,7 +380,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): # Walk the ACL tables for (table_name, table_data) in self._tables_db_info.items(): if not table_data: - self.log_warning("table_data is empty or null!") + self.log_warning("table_data for table {} is empty or null!".format(table_name)) continue table_ip_version = None From 35e11e074d405988ba7c8aa510ad2cc6d9671e8f Mon Sep 17 00:00:00 2001 From: anilkpan <47642449+anilkpan@users.noreply.github.com> Date: Mon, 21 Dec 2020 22:10:52 -0800 Subject: [PATCH 4/7] Update caclmgrd --- src/sonic-host-services/scripts/caclmgrd | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/sonic-host-services/scripts/caclmgrd b/src/sonic-host-services/scripts/caclmgrd index dee84112bbf1..12bbe4b7a9df 100755 --- a/src/sonic-host-services/scripts/caclmgrd +++ b/src/sonic-host-services/scripts/caclmgrd 
@@ -275,7 +275,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): return fwd_snmp_traffic_from_namespace_to_host_cmds - def is_rule_ipv4(self, rule_props): + def is_rule_ipv4(self, rule_props, ethertype): if (("SRC_IP" in rule_props and rule_props["SRC_IP"]) or ("DST_IP" in rule_props and rule_props["DST_IP"]) or (rule_props.get("IP_TYPE", None) == "IPV4ANY") or @@ -284,7 +284,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): else: return False - def is_rule_ipv6(self, rule_props): + def is_rule_ipv6(self, rule_props, ethertype): if (("SRC_IPV6" in rule_props and rule_props["SRC_IPV6"]) or ("DST_IPV6" in rule_props and rule_props["DST_IPV6"]) or (rule_props.get("IP_TYPE", None) == "IPV6ANY") or @@ -432,16 +432,16 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): # try to do it now. We attempt to determine heuristically based on # whether the src or dst IP of this rule is an IPv4 or IPv6 address. if not table_ip_version: - if self.is_rule_ipv6(rule_props): + if self.is_rule_ipv6(rule_props, ethertype): table_ip_version = 6 - elif self.is_rule_ipv4(rule_props): + elif self.is_rule_ipv4(rule_props, ethertype): table_ip_version = 4 - if (self.is_rule_ipv6(rule_props) and (table_ip_version == 4)): + if (self.is_rule_ipv6(rule_props, ethertype) and (table_ip_version == 4)): self.log_error("CtrlPlane ACL table {} is a IPv4 based table and rule {} is a IPV6 rule! Ignoring rule." .format(table_name, rule_id)) acl_rules.pop(rule_props["PRIORITY"]) - elif (self.is_rule_ipv4(rule_props) and (table_ip_version == 6)): + elif (self.is_rule_ipv4(rule_props, ethertype) and (table_ip_version == 6)): self.log_error("CtrlPlane ACL table {} is a IPv6 based table and rule {} is a IPV4 rule! Ignroing rule." .format(table_name, rule_id)) acl_rules.pop(rule_props["PRIORITY"]) From a5e107add180321800b85456f801b053f23658e0 Mon Sep 17 00:00:00 2001 
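Review bot: The new `ethertype` parameter of is_rule_ipv4 (and of is_rule_ipv6 in the -284 hunk) is undocumented, and its contract is only visible in the loading loop where it is set to 0 when the rule has no ETHER_TYPE field. A docstring such as `"""Return True if the rule is IPv4: it carries SRC_IP/DST_IP, IP_TYPE == IPV4ANY, or ethertype 0x800 (0 means no ETHER_TYPE was given)."""` would make that explicit for callers. The bodies of both predicates continue outside their hunks.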
From: anilkpan <47642449+anilkpan@users.noreply.github.com> Date: Tue, 22 Dec 2020 12:42:39 -0800 Subject: [PATCH 5/7] Update caclmgrd --- src/sonic-host-services/scripts/caclmgrd | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/src/sonic-host-services/scripts/caclmgrd b/src/sonic-host-services/scripts/caclmgrd index 12bbe4b7a9df..62b609446227 100755 --- a/src/sonic-host-services/scripts/caclmgrd +++ b/src/sonic-host-services/scripts/caclmgrd @@ -275,20 +275,24 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): return fwd_snmp_traffic_from_namespace_to_host_cmds - def is_rule_ipv4(self, rule_props, ethertype): + def get_ethertype_from_rule_props(rule_props): + ethertype = int(rule_props['ETHER_TYPE'], 0) + return ethertype + + def is_rule_ipv4(self, rule_props): if (("SRC_IP" in rule_props and rule_props["SRC_IP"]) or ("DST_IP" in rule_props and rule_props["DST_IP"]) or (rule_props.get("IP_TYPE", None) == "IPV4ANY") or - (ethertype == 0x800)): + (get_ethertype_from_rule_props(rule_props) == 0x800)): return True else: return False - def is_rule_ipv6(self, rule_props, ethertype): + def is_rule_ipv6(self, rule_props): if (("SRC_IPV6" in rule_props and rule_props["SRC_IPV6"]) or ("DST_IPV6" in rule_props and rule_props["DST_IPV6"]) or (rule_props.get("IP_TYPE", None) == "IPV6ANY") or - (ethertype == 0x86dd)): + (get_ethertype_from_rule_props(rule_props) == 0x86dd)): return True else: return False @@ -417,7 +421,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): ethertype = 0 if "ETHER_TYPE" in rule_props: - ethertype = int(rule_props['ETHER_TYPE'], 0) + ethertype = get_ethertype_from_rule_props(rule_props) if ethertype != 0x800 and ethertype != 0x86dd: log_error("rule_props for rule_id {} does not have valid/supported ethertype.".format(rule_id)) continue 
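Review bot: `get_ethertype_from_rule_props` is defined in the class body without `self` or `@staticmethod`, and is_rule_ipv4, is_rule_ipv6 and the -417 hunk call it by bare name; a name bound in a class body is not visible from inside its methods, so every one of those calls raises NameError. Either decorate it with `@staticmethod` and call `self.get_ethertype_from_rule_props(rule_props)` at the three call sites, or move the def to module level beside the other helper functions. Patches 6 and 7 keep the bare calls, so the same applies to their -276, -284 and -293 hunks. With `ethertype` dropped from the predicate signatures the field is now re-parsed on each predicate call after the load-time check; harmless, but worth a comment such as `# ETHER_TYPE is re-parsed per call; the value was validated once at load time`.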
@@ -432,16 +436,16 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): # try to do it now. We attempt to determine heuristically based on # whether the src or dst IP of this rule is an IPv4 or IPv6 address. if not table_ip_version: - if self.is_rule_ipv6(rule_props, ethertype): + if self.is_rule_ipv6(rule_props): table_ip_version = 6 - elif self.is_rule_ipv4(rule_props, ethertype): + elif self.is_rule_ipv4(rule_props): table_ip_version = 4 - if (self.is_rule_ipv6(rule_props, ethertype) and (table_ip_version == 4)): + if (self.is_rule_ipv6(rule_props) and (table_ip_version == 4)): self.log_error("CtrlPlane ACL table {} is a IPv4 based table and rule {} is a IPV6 rule! Ignoring rule." .format(table_name, rule_id)) acl_rules.pop(rule_props["PRIORITY"]) - elif (self.is_rule_ipv4(rule_props, ethertype) and (table_ip_version == 6)): + elif (self.is_rule_ipv4(rule_props) and (table_ip_version == 6)): self.log_error("CtrlPlane ACL table {} is a IPv6 based table and rule {} is a IPV4 rule! Ignroing rule." .format(table_name, rule_id)) acl_rules.pop(rule_props["PRIORITY"]) From c760be2c09704fc56492c48203f112c90e6aa52d Mon Sep 17 00:00:00 2001 From: anilkpan <47642449+anilkpan@users.noreply.github.com> Date: Tue, 22 Dec 2020 15:23:46 -0800 Subject: [PATCH 6/7] Update caclmgrd --- src/sonic-host-services/scripts/caclmgrd | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/sonic-host-services/scripts/caclmgrd b/src/sonic-host-services/scripts/caclmgrd index 62b609446227..6a3c5d3748e3 100755 --- a/src/sonic-host-services/scripts/caclmgrd +++ b/src/sonic-host-services/scripts/caclmgrd @@ -276,7 +276,8 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): return fwd_snmp_traffic_from_namespace_to_host_cmds def get_ethertype_from_rule_props(rule_props): - ethertype = int(rule_props['ETHER_TYPE'], 0) + ethertype_str = rule_props.get('ETHER_TYPE', '0') + ethertype = int(ethertype_str, 0) return ethertype def is_rule_ipv4(self, rule_props): 
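Review bot: The `.get('ETHER_TYPE', '0')` default removes the KeyError, but `int(ethertype_str, 0)` still raises ValueError for any non-numeric value and, because base 0 follows Python literal rules, for a decimal with a leading zero such as "0800"; the helper is called from is_rule_ipv4/is_rule_ipv6 during the table walk, and as far as the visible context shows nothing catches it, so one malformed field would abort rule processing rather than just that rule. Returning 0 for unparsable input keeps the contract "0 means no usable ETHER_TYPE", and the load-time check in the -417 hunk of patch 5 then rejects such a rule with a log line instead of a traceback. The helper also lacks a docstring; the fence adds one together with the guard. The remainder of is_rule_ipv4 lies outside this hunk.
```python
    def get_ethertype_from_rule_props(rule_props):
        """Return the rule's ETHER_TYPE as an int (base auto-detected); 0 if absent or unparsable."""
        ethertype_str = rule_props.get('ETHER_TYPE', '0')
        try:
            return int(ethertype_str, 0)
        except ValueError:
            return 0
```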
From 241d66b28836d8742690ee2c81da3d60c3882ba4 Mon Sep 17 00:00:00 2001 From: anilkpan <47642449+anilkpan@users.noreply.github.com> Date: Tue, 22 Dec 2020 16:46:55 -0800 Subject: [PATCH 7/7] Update caclmgrd --- src/sonic-host-services/scripts/caclmgrd | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/sonic-host-services/scripts/caclmgrd b/src/sonic-host-services/scripts/caclmgrd index 6a3c5d3748e3..4d461e903f7e 100755 --- a/src/sonic-host-services/scripts/caclmgrd +++ b/src/sonic-host-services/scripts/caclmgrd @@ -30,6 +30,8 @@ SYSLOG_IDENTIFIER = "caclmgrd" DEFAULT_NAMESPACE = '' +ETHERTYPE_IPV4 = 0x0800 +ETHERTYPE_IPV6 = 0x86dd # ========================== Helper Functions ========================= @@ -284,7 +286,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): if (("SRC_IP" in rule_props and rule_props["SRC_IP"]) or ("DST_IP" in rule_props and rule_props["DST_IP"]) or (rule_props.get("IP_TYPE", None) == "IPV4ANY") or - (get_ethertype_from_rule_props(rule_props) == 0x800)): + (get_ethertype_from_rule_props(rule_props) == ETHERTYPE_IPV4)): return True else: return False @@ -293,7 +295,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): if (("SRC_IPV6" in rule_props and rule_props["SRC_IPV6"]) or ("DST_IPV6" in rule_props and rule_props["DST_IPV6"]) or (rule_props.get("IP_TYPE", None) == "IPV6ANY") or - (get_ethertype_from_rule_props(rule_props) == 0x86dd)): + (get_ethertype_from_rule_props(rule_props) == ETHERTYPE_IPV6)): return True else: return False 
@@ -420,10 +422,8 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): rule_props = {k.upper(): v for k,v in rule_props.items()} - ethertype = 0 if "ETHER_TYPE" in rule_props: - ethertype = get_ethertype_from_rule_props(rule_props) - if ethertype != 0x800 and ethertype != 0x86dd: + if get_ethertype_from_rule_props(rule_props) not in [ETHERTYPE_IPV4, ETHERTYPE_IPV6]: log_error("rule_props for rule_id {} does not have valid/supported ethertype.".format(rule_id)) continue