[caclmgrd] Add check for valid ethertype in IPv4/v6 rules #6193

Open
wants to merge 7 commits into
base: master
33 changes: 25 additions & 8 deletions src/sonic-host-services/scripts/caclmgrd
Expand Up @@ -275,16 +275,20 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):

return fwd_snmp_traffic_from_namespace_to_host_cmds

def is_rule_ipv4(self, rule_props):
def is_rule_ipv4(self, rule_props, ethertype):
if (("SRC_IP" in rule_props and rule_props["SRC_IP"]) or
("DST_IP" in rule_props and rule_props["DST_IP"])):
("DST_IP" in rule_props and rule_props["DST_IP"]) or
(rule_props.get("IP_TYPE", None) == "IPV4ANY") or
(ethertype == 0x800)):
return True
else:
return False

def is_rule_ipv6(self, rule_props):
def is_rule_ipv6(self, rule_props, ethertype):
if (("SRC_IPV6" in rule_props and rule_props["SRC_IPV6"]) or
("DST_IPV6" in rule_props and rule_props["DST_IPV6"])):
("DST_IPV6" in rule_props and rule_props["DST_IPV6"]) or
(rule_props.get("IP_TYPE", None) == "IPV6ANY") or
(ethertype == 0x86dd)):
return True
else:
return False
Expand Down Expand Up @@ -375,6 +379,9 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):

# Walk the ACL tables
for (table_name, table_data) in self._tables_db_info.items():
if not table_data:
self.log_warning("table_data for table {} is empty or null!".format(table_name))
continue

table_ip_version = None

Expand Down Expand Up @@ -406,6 +413,15 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
self.log_warning("rule_props for rule_id {} empty or null!".format(rule_id))
continue

rule_props = {k.upper(): v for k,v in rule_props.items()}

ethertype = 0
if "ETHER_TYPE" in rule_props:
ethertype = int(rule_props['ETHER_TYPE'], 0)
if ethertype != 0x800 and ethertype != 0x86dd:
log_error("rule_props for rule_id {} does not have valid/supported ethertype.".format(rule_id))
continue

try:
acl_rules[rule_props["PRIORITY"]] = rule_props
except KeyError:
Expand All @@ -416,16 +432,16 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
# try to do it now. We attempt to determine heuristically based on
# whether the src or dst IP of this rule is an IPv4 or IPv6 address.
if not table_ip_version:
if self.is_rule_ipv6(rule_props):
if self.is_rule_ipv6(rule_props, ethertype):
table_ip_version = 6
elif self.is_rule_ipv4(rule_props):
elif self.is_rule_ipv4(rule_props, ethertype):
table_ip_version = 4

if (self.is_rule_ipv6(rule_props) and (table_ip_version == 4)):
if (self.is_rule_ipv6(rule_props, ethertype) and (table_ip_version == 4)):
self.log_error("CtrlPlane ACL table {} is a IPv4 based table and rule {} is a IPV6 rule! Ignoring rule."
.format(table_name, rule_id))
acl_rules.pop(rule_props["PRIORITY"])
elif (self.is_rule_ipv4(rule_props) and (table_ip_version == 6)):
elif (self.is_rule_ipv4(rule_props, ethertype) and (table_ip_version == 6)):
self.log_error("CtrlPlane ACL table {} is a IPv6 based table and rule {} is a IPV4 rule! Ignroing rule."
.format(table_name, rule_id))
acl_rules.pop(rule_props["PRIORITY"])
Expand All @@ -440,6 +456,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
# For each ACL rule in this table (in descending order of priority)
for priority in sorted(iter(acl_rules.keys()), reverse=True):
rule_props = acl_rules[priority]
rule_props = {k.upper(): v for k,v in rule_props.items()}

if "PACKET_ACTION" not in rule_props:
self.log_error("ACL rule does not contain PACKET_ACTION property")
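Review bot: The unsupported-ethertype branch in the third hunk calls a bare `log_error(...)` while every other message in this file section goes through `self.log_error`/`self.log_warning`; unless a module-level `log_error` exists outside this view, that line raises NameError the first time a rule carries an ethertype other than 0x800/0x86dd, aborting the whole table walk instead of skipping one rule. It should read `self.log_error("rule_props for rule_id {} does not have valid/supported ethertype.".format(rule_id))`. In the same hunk `int(rule_props['ETHER_TYPE'], 0)` raises ValueError on a malformed value and nothing catches it, so a single bad rule in CONFIG_DB can likewise stop the remaining rules from being programmed; since a skipped rule means an operator-intended filter (possibly a DROP) is silently absent, the skip path should be reached reliably and logged. The re-uppercasing added in the last hunk looks redundant, because rule_props is already normalized before it is stored in acl_rules — worth confirming there is no other producer of acl_rules. The enclosing method starts and ends outside this section.
```python
# … unchanged: rule_props upper-casing …
ethertype = 0
if "ETHER_TYPE" in rule_props:
    try:
        ethertype = int(rule_props['ETHER_TYPE'], 0)
    except ValueError:
        self.log_error("rule_props for rule_id {} has a malformed ETHER_TYPE value.".format(rule_id))
        continue
    if ethertype != 0x800 and ethertype != 0x86dd:
        self.log_error("rule_props for rule_id {} does not have valid/supported ethertype.".format(rule_id))
        continue
# … unchanged: acl_rules[rule_props["PRIORITY"]] assignment …
```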