
[acl] Add default deny rule for l3 table #734

Merged (2 commits), Jun 23, 2017

Conversation

taoyl-ms (Contributor)

No description provided.

stcheng (Contributor) left a comment

thanks.

},
{
"ACL_RULE_TABLE:dataacl:default_rule":{
"PACKET_ACTION":"DROP",
Contributor:

Add one more attribute: "ETHER_TYPE":"0x0800",

Contributor Author:

Shouldn't non-IP packets be dropped as well?

Collaborator:

"All packets" includes LLDP, ARP and LACP; they should not be dropped. It is better to limit it to only IP.

Contributor Author:

Didn't quite get it. Shouldn't we have an explicit ACL rule to allow LLDP/ARP packets?

Contributor:

The implicit rule is to drop all IP and IPv6 packets.

Contributor Author:

Modified so that it drops IP packets only.

{
"ACL_RULE_TABLE:dataacl:default_rule":{
"PACKET_ACTION":"DROP",
"priority":1
Contributor:

All capitalized to make it look unified.

Contributor Author:

Resolved.

stcheng (Contributor) left a comment

thanks.

@stcheng stcheng merged commit 00c494f into sonic-net:master Jun 23, 2017
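The review thread above settles on a lowest-priority DROP rule qualified with ETHER_TYPE 0x0800, so that unmatched IPv4 traffic is denied while ARP, LLDP and LACP frames still reach the device. The following is an added example, not code from this PR or from the SONiC project: it loads a constructed ACL_RULE_TABLE in the key layout shown in the review snippet, evaluates sample frames against it in highest-PRIORITY-first order, and audits the default rule for the properties the reviewers asked for. The RULE_1 entry and its SRC_IP qualifier, the sample packets, and the assumption that a table with no matching rule forwards the packet are all constructed for the demonstration.

```python
import ipaddress
import json

# Constructed rule table (example input, not the PR's diff). Keys follow the
# "ACL_RULE_TABLE:<table>:<rule>" layout seen in the review snippet; RULE_1 and
# its SRC_IP qualifier are assumptions added for the demonstration.
RULE_TABLE_JSON = """{
  "ACL_RULE_TABLE:dataacl:RULE_1": {
    "PRIORITY": "9999",
    "PACKET_ACTION": "FORWARD",
    "SRC_IP": "10.0.0.0/8"
  },
  "ACL_RULE_TABLE:dataacl:default_rule": {
    "PRIORITY": "1",
    "PACKET_ACTION": "DROP",
    "ETHER_TYPE": "0x0800"
  }
}"""

# EtherTypes of the control-plane protocols named in the review thread.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_LACP = 0x8809   # IEEE 802.3 slow protocols, carries LACP
ETHERTYPE_LLDP = 0x88CC


def load_rules(text, table="dataacl"):
    """Return (name, fields) pairs sorted highest PRIORITY first (larger wins)."""
    rules = []
    for key, fields in json.loads(text).items():
        prefix, tbl, name = key.split(":")
        if prefix == "ACL_RULE_TABLE" and tbl == table:
            rules.append((name, fields))
    return sorted(rules, key=lambda r: int(r[1]["PRIORITY"]), reverse=True)


def rule_matches(fields, pkt):
    """A rule matches when every qualifier it carries matches the packet."""
    if "ETHER_TYPE" in fields and int(fields["ETHER_TYPE"], 16) != pkt["ether_type"]:
        return False
    if "SRC_IP" in fields:
        if pkt["ether_type"] != ETHERTYPE_IPV4 or "src_ip" not in pkt:
            return False
        if ipaddress.ip_address(pkt["src_ip"]) not in ipaddress.ip_network(fields["SRC_IP"]):
            return False
    return True


def decide(rules, pkt):
    """Action of the first matching rule. Assumed data-plane model: a table with
    no matching rule forwards, which is why an explicit low-priority deny exists."""
    for _name, fields in rules:
        if rule_matches(fields, pkt):
            return fields["PACKET_ACTION"]
    return "FORWARD"


def audit_default_rule(rules, name="default_rule"):
    """Check the default rule exists, has the lowest priority, drops, and is
    limited to IPv4 so ARP/LLDP/LACP are not swallowed. Returns findings."""
    findings = []
    by_name = dict(rules)
    if name not in by_name:
        return [f"{name} missing"]
    fields = by_name[name]
    lowest = min(int(f["PRIORITY"]) for _n, f in rules)
    if int(fields["PRIORITY"]) != lowest:
        findings.append(f"{name} is not the lowest-priority rule")
    if fields.get("PACKET_ACTION") != "DROP":
        findings.append(f"{name} does not DROP")
    if fields.get("ETHER_TYPE", "").lower() != "0x0800":
        findings.append(f"{name} is not limited to IPv4 (ETHER_TYPE 0x0800)")
    return findings


# Constructed sample frames: control-plane protocols plus matched/unmatched IPv4.
PACKETS = {
    "arp": {"ether_type": ETHERTYPE_ARP},
    "lldp": {"ether_type": ETHERTYPE_LLDP},
    "lacp": {"ether_type": ETHERTYPE_LACP},
    "ipv4_allowed": {"ether_type": ETHERTYPE_IPV4, "src_ip": "10.1.2.3"},
    "ipv4_unmatched": {"ether_type": ETHERTYPE_IPV4, "src_ip": "192.0.2.5"},
}


def evaluate(text):
    """Map each sample frame to the table's decision."""
    rules = load_rules(text)
    return {name: decide(rules, pkt) for name, pkt in PACKETS.items()}


# The unqualified variant first proposed in the PR: same table without ETHER_TYPE.
UNQUALIFIED_JSON = json.dumps({
    k: {f: v for f, v in fields.items() if f != "ETHER_TYPE"}
    for k, fields in json.loads(RULE_TABLE_JSON).items()
})

if __name__ == "__main__":
    print("qualified:  ", evaluate(RULE_TABLE_JSON), audit_default_rule(load_rules(RULE_TABLE_JSON)))
    print("unqualified:", evaluate(UNQUALIFIED_JSON), audit_default_rule(load_rules(UNQUALIFIED_JSON)))
```

With the ETHER_TYPE qualifier, ARP, LLDP and LACP frames are forwarded and only unmatched IPv4 is dropped; without it the same rule also drops the control-plane protocols, which is the objection raised in the thread, and the audit reports it.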
qiluo-msft added a commit that referenced this pull request Jun 30, 2017
* [build_debian]: Add dbus package to update timezone (#702)

Signed-off-by: Hiayang Zheng haiyang.z@alibaba.inc

* [Accton]: Add a new supported device and platform, AS7712-32X (#662)

* platform/broadcom: Add a new supported device and platform, AS7712-32X

* Switch Vendor: Edge-core
* Switch SKU:  AS7712-32X
* ASIC Vendor: Broadcom
* Switch ASIC: Tomahawk
* Port Configuration: 32x100G
* SONiC Image: SONiC-ONIE-Broadcom

  Signed-off-by: polly_hsu@accton.com

* [image]: load platform specific settings in sonic-to-sonic upgrade (#710)

* [submodule]: Update sairedis submodule (#712)

Include fix for saithrift port split parsing

* [docker-ptf]: Install exabgp in docker ptf (#709)

* [platform]: fix file mode for accton platform to create clean build (#714)

* [image]: expand dockerfs.tar.gz directly on to disk without intermediate file (#715)

* [submodule]: update swss/sairedis/swss-common submodule (#716)

fix bug for logrotate sairedis log

* [submodule]: update sonic-swss (#719)

* [image]: add debian security update in the apt source list (#724)

* [submodule]: update sonic-platform-daemons (#722)

* [platform]: turn on/off four leds for breakout-able front panel ports (#723)

turn on/off four leds for breakout-able front panel ports on arista 7050 qx32 platform

* [sonic-quagga]: update submodule (#718)

Signed-off-by: Sihui Han <sihan@microsoft.com>

* Add Broadcom LED microprocessor initialization for Dell S6000 (#726)

* Add Broadcom LED microprocessor initialization for Dell S6000

* Increase bcmcmd timeout to 60 seconds

* [platform]: Update sonic-platform-modules-arista (#727)

* [Broadcom]: Update SAI package to support Accton-AS7712-C32 (#720)

* Remove existing sonic-platform-modules-accton and apply submodule add… (#717)

* Remove existing sonic-platform-modules-accton and apply submodule adding on this folder.

* Remove redundant comment

* Remove folder platform/broadcom/sonic-platform-modules-accton.

* Add this dir for submodule.

* [submodule]: update sonic-platform-daemons submodule (#731)

* [installer] Copy old config files rather than only minigraph (#730)

* [BGPD]: add bgp dynamic neighbor configuration (#708)

* add bgp dynamic neighbor configuration

* [bgpd]: update as comments

* update as comment

* update to deployment_id_asn_map

* minor change

* [docker-syncd-brcm]: Sleep to allow syncd to create socket before calling bcmcmd (#733)

* [docker-syncd-brcm]: Sleep to allow syncd to create socket before calling bcmcmd

* Instead of fixed sleep interval, continually check for presence of socket

* [sonic-cfggen]: Support multiple input yaml files with -y option (#729)

* [sonic-cfggen]: Fix minigraph.py when port_alias_map absent (#738)

* [bgp]: move allowas-in into ipv6 section to enable allowas-in for ipv6 (#741)

* [swss]: Sleep 5 min regardless of arp_update return code (#743)

- arp_update return code is not guaranteed to be true/false.
  When there is no VLAN, arp_update will return true.
  When there are VLANs, arp_update will return false because the
  command arping returns 1 due to the option '-w 0'.
- This script should be run every 5 minutes regardless of the return
  code.

* [Mellanox]: Update SAI version (#740)

- Initialize ECMP default hashing with IPv6 packets

* [sonic-cfggen]: Add default IP deny rule in translate_acl (#734)

- Add IPv4 implicit rule: deny ip any any
  This implicit rule has lowest priority and ensures that
  the device denies all unmatched IP traffic.

* [docker-platform-monitor]: Add fancontrol (#735)

* Fix typo in README (#750)

* Fix typo in README

* Fix comment

* Fix README

* [DHCP Relay]: Add support for custom Option 82 circuit_id of the form '<hostname>:<portname>' (#747)

* Add docker-dhcp-relay/Dockerfile to .gitignore

* Add isc-dhcp-relay .deb package to image build process, along with my Option 82 patch

* Install custom isc-dhcp-relay in dhcp_relay docker

* Install isc-dhcp-relay build dependencies in sonic-slave Docker container

* Copy the built .deb package to the destination directory

* Add dependencies for isc-dhcp-relay

* Change Option 82 string to '<hostname>:<portname>'

* Install dependencies of .deb files implicitly in Dockerfile

* Remove unused line

* Remove unnecessary space

* [Accton]: Add a new supported device and platform AS7716-32X (#732)

Switch Vendor: Edge-core
Switch SKU: AS7716-32X
ASIC Vendor: Broadcom
Switch ASIC: Tomahawk
Port Configuration: 32x100G
SONiC Image: SONiC-ONIE-Broadcom

Signed-off-by: polly_hsu@accton.com

* [.gitignore]: Update src, config engine (#754)

Signed-off-by: marian-pritsak <marianp@mellanox.com>

* [submodule]: update sonic-swss (#755)

* [sonic-swss-common]: Submodule update (#759)

* [mgmt slave] Install correct version of python-cffi (#760)

* [DHCP Relay]: Fix Option 82 string - Remove quotes; add MAC address of receiving port as remote_id (#763)

* [platform]: add front panel index in port_config.ini for s6100 (#752)

* add front panel index in port_config.ini

* [igb]: change download url to azure storage url (#770)

* [baseimage]: Increase net.core.rmem_max to 2097152 (#767)

* Increase net.core.rmem_max to 2097152

* Update Ingrasys platform submodule (#764)

* Remove specific fancontrol service.

Signed-off-by: Wade He <chihen.he@gmail.com>

* [Broadcom]: Update SAI package to support Celestica Seastone DX010 and Accton AS7716 (#768)

* [LLDP]: Port description (TLV 4) now contains '<neighbor_host_name>:<port_name>' (#772)

* [sonic-slave]: install docker-ce 17.03.02 stable version (#774)

* [device]: add minigraph and LED support for Arista 7050 QX32S (#773)

* Update submodules: sairedis, swss
lguohan pushed a commit to Sabareesh-Kumar-Anandan/sonic-buildimage that referenced this pull request Dec 19, 2020
[syncd] Translate removed RIDs in fdb notification (sonic-net#734)
[syncd] Move syncd classes to syncd namespace (sonic-net#742)
[vs] Use /sbin/ip absolute path for ip command in MACsecManager (sonic-net#744)
[saidiscovery] Update saidiscovery to use VendorSai object and metadata (sonic-net#736)
Remove Winline warning since it depends on external headers (sonic-net#741)

Signed-off-by: Sabareesh Kumar Anandan <sanandan@marvell.com>
lguohan pushed a commit that referenced this pull request Dec 19, 2020
[vs] Add workaround for clean up macsec ports (#752)
[logfile]: Add handling of Sairedis rec filename (#747)
Update README.md
[meta] Fix stat_mode enums to sai_bulk_op_error_mode_t (#753)
[syncd][tests] Add syncd deprecated attribute value test (#751)
[vs] Skip MACsec clean up if /sbin/ip is not accessible (#750)
Configure enable -Wcast-align=strict when supported by compiler (#749)
[syncd] Translate deprecated attr enum values to new ones (#746)
[sairedis]vs SAI support for voq neighbor (#725)
[syncd] Translate removed RIDs in fdb notification (#734)
[syncd] Move syncd classes to syncd namespace (#742)
[vs] Use /sbin/ip absolute path for ip command in MACsecManager (#744)
[saidiscovery] Update saidiscovery to use VendorSai object and metadata (#736)
Remove Winline warning since it depends on external headers (#741)
[meta] Enable strict cast-align warning (#738)
[vs] Use meta class instead info when using unittests (#740)
[vs] Support flush entry type all on virtual switch (#735)
[vslib]: Add MACsec state to state base (#722)
[README.md] Update installation steps (#730)
Switch Capability support (#728)
[vs] Fail switch create when warm boot requested and no warm boot state (#739)
Dynamic Port breakout fix the crash, port down event processing after… (#727)
Code clean (#721)

Signed-off-by: Sabareesh Kumar Anandan <sanandan@marvell.com>
stepanblyschak pushed a commit to stepanblyschak/sonic-buildimage that referenced this pull request May 10, 2021
AidanCopeland pushed a commit to Metaswitch/sonic-buildimage that referenced this pull request Apr 14, 2022
StormLiangMS added a commit that referenced this pull request Feb 17, 2023
Why I did it
Submodule advances:
sonic-utilities

8e8e6088 - [202211][dhcp_relay] Remove add field of vlanid to DHCP_RELAY table while adding vlan ([201811 sub-module] advance sub-modules: utilities, swss, swss-common #2679) (16 hours ago) [Yaqiang Zhu]
1400fb94 - [GCU] Ignore bgpraw in GCU applier (Fix sfputil indexing for 7170-Q59S20 #2623) (15 hours ago) [jingwenxie]
f76a6364 - [vlan] Refresh dhcpv6_relay config while adding/deleting a vlan ([sonic-py-swsssdk] Update submodule #2660) (15 hours ago) [Yaqiang Zhu]
7849e18d - [db_migrator] make LOG_LEVEL_DB migration more robust (Mellanox platform: attach queues 2 and 6 to lossy profile using generic buffer template #2651) (16 hours ago) [Stepan Blyshchak]
c7df6dfa - Fixed a bug in "show vnet routes all" causing screen overrun. (Add hook to allow customizing link cable lengths #2644) (16 hours ago) [siqbal1986]
a5505f02 - show logging CLI support for logs stored in tmpfs (Traceback error seen while issuing show interface commands with if_names #2641) (16 hours ago) [mihirpat1]
bbacb91a - [system-health] Fix issue: show system-health CLI crashes (Updating deb package for platform and sai #2635) (16 hours ago) [Junchao-Mellanox]
8d724024 - [sai_failure_dump]Invoking dump during SAI failure ([dockers]: Upgrade LLDP docker to stretch build #2633) (16 hours ago) [Sudharsan Dhamal Gopalarathnam]
3c3be526 - Add transceiver info CLI support to show output from TRANSCEIVER_INFO for ZR ([submodule]: Update sonic-sairedis pointer #2630) (16 hours ago) [mihirpat1]
37f41666 - [show] add support for gRPC show commands for active-active ([bitmap-vnet]: Bitmap vnet test image [DO NOT MERGE] #2629) (16 hours ago) [vdahiya12]
b06d7fe4 - [show_bfd] add local discriminator in show bfd command ([Pmon] Selectively load pmon container daemons #2625) (16 hours ago) [Baorong Liu]
6adcd3e8 - [GCU] Ignore bgpraw table in GCU operation ([Mellanox] Fix SAI version #2628) (16 hours ago) [jingwenxie]
c65bdc35 - [muxcable][config] Add support to enable/disable ceasing to be an advertisement interface when radv service is stopped (Add knob in ConfigDB to enable/disable telemetry container #2622) (16 hours ago) [Jing Zhang]
91e9457f - Add Transceiver PM basic CLI support to show output from TRANSCEIVER_PM table for ZR ([201803] Restart SwSS, syncd and dependent services if a critical process in syncd container exits #2615) (16 hours ago) [longhuan-cisco]
54cc8c5a - Remove TODO comment which is no longer relevant (Warm-reboot: teamd warm restart caused neighbor deleted and learned again.  #2600) (16 hours ago) [Lior Avramov]
6891b4fb - Making 'show feature autorestart' more resilient to missing auto_restart config in CONFIG_DB ([submodule] update mellanox hw-mgmgt pointer (V.2.0.0061) #2592) (16 hours ago) [kartik-arista]
1e8bea37 - [storyteller] add link prober state change to story teller ([sonic-buildimage] New feature managementVRF(L3mdev) #2585) (16 hours ago) [Jing Zhang]
7481a20f - Extend fast-reboot STATE_DB entry timer ([submodule]: update sonic-swss-common, sonic-py-swsssdk, sonic-snmpagent #2577) (16 hours ago) [Aryeh Feigin]
0e08701c - [sonic_installer] use /etc/resolv.conf from the host when migrating packages (Set a rate limit on syslog messages from all Docker containers #2573) (16 hours ago) [Stepan Blyshchak]
06096780 - Fixed admin state config CLI for Backport interfaces (Prior to install a new ONIE SONiC image, delete all partitions except EFI/ONIE #2557) (16 hours ago) [anamehra]
9f1f13e4 - [show] Add bgpraw to show run all (Fixed typo on paragraph #40 #2537) (16 hours ago) [jingwenxie]
98bc8bd2 - [chassis][voq] Add "show fabric reachability" command. ([ntp]: Build 4.2.6 locally. #2528) (16 hours ago) [jfeng-arista]
3a50b63f - Preserve copp tables through DB migration ([docker-radvd]: upgrade docker radvd to stretch based #2524) (16 hours ago) [Aryeh Feigin]
28f6b127 - [masic] 'show interfaces counters' reminds to use '-d all' option to check for internal links (solve dependency issue #2466) (16 hours ago) [wenyiz2021]
15026e14 - support multi asic for show queue counter ([dockers] Prevent old supervisord messages from getting re-logged to syslog #2439) (16 hours ago) [zhixzhu]
2d773e17 - [masic support] 'show run bgp' support for multi-asic (lo address not synced to the asic #2427) (16 hours ago) [wenyiz2021]
sonic-swss

4f304bc - [EVPN]Handling race condition when remote VNI arrives before tunnel map entry ([sonic-quagga] Function defect, do NOT cancel route while connect IP down #2642) (15 hours ago) [Sudharsan Dhamal Gopalarathnam]
34fc615 - [sai_failure_dump]Invoking dump during SAI failure (Add hook to allow customizing link cable lengths #2644) (15 hours ago) [Sudharsan Dhamal Gopalarathnam]
b817695 - [autoneg]Fixing adv interface types to be set when AN is disabled (Fix issue with platform file path name #2638) (15 hours ago) [Sudharsan Dhamal Gopalarathnam]
ab36bd4 - [bfdorch] add local discriminator to state DB ([bitmap-vnet]: Bitmap vnet test image [DO NOT MERGE] #2629) (15 hours ago) [Baorong Liu]
6343471 - Remove TODO comments that are no longer relevant (Add knob in ConfigDB to enable/disable telemetry container #2622) (15 hours ago) [Lior Avramov]
2b1869c - [refactor]Refactoring sai handle status (Rollback kernel submodule update. #2621) (15 hours ago) [Sudharsan Dhamal Gopalarathnam]
c41a1b7 - Fix issue ARP entry is out of sync between kernel and APPL_DB after warm reboot if the ARP entry is updated more than once during warm reboot in PFC watchdog warm reboot test #13341 ARP entry can be out of sync between kernel and APPL_DB if multiple updates are received from RTNL ([sub module] advance sonic-utilities sub module for 201811 branch #2619) (15 hours ago) [Stephen Sun]
da0cf7a - Changed the BFD default detect multiplier to 10x ("failed to load plugin io.containerd.snapshotter..." seen during linux boot up #2614) (15 hours ago) [siqbal1986]
13b5adf - [vstest] Only collect stdout of orchagent_restart_check in vstest ([submodules] update swss and utilities pointers #2597) (15 hours ago) [bingwang-ms]
2b9d94d - Avoid aborting orchagent when setting TUNNEL attributes (build failing for PLATFORM=p4 #2591) (15 hours ago) [Stephen Sun]
99b7d3b - Only collect stdout of orchagent_restart_check in vstest ( [saibcm-modules]: import new bcm modules #2578) (15 hours ago) [bingwang-ms]
5209c42 - dereg acl-rule counters during acl-table del ([201803] Set a rate limit on syslog messages from all Docker containers #2574) (15 hours ago) [Vivek]
ae68054 - Fixed set mtu for deleted subintf due to late notification ([vs]: Add option to specify platform name for DVS orchagent #2571) (15 hours ago) [EdenGri]
ab13dfa - Remove TODO comments which are no longer needed (support set timezone in ConfigDB #2568) (15 hours ago) [Junchao-Mellanox]
a3545cf - Modify coppmgr mergeConfig to support preserving copp tables through reboot. (Added new SN3700/SN3700C Mellanox platforms #2548) (15 hours ago) [Aryeh Feigin]
be16e79 - Use github code scanning instead of LGTM ([201803] [services] Restart SwSS service upon unexpected critical process exit #2546) (15 hours ago) [Liu Shilong]
63c0234 - Updated handling of VRF_VNI mapping and VLAN_VNI mapping for same VNI ID (Move warm_restart enable/disable config to stateDB WARM_RESTART_ENABL… #2538) (15 hours ago) [Tapash Das]
4844111 - Fix potential risks ([mlnx] Fix sai xml path for boxer platform #2516) (15 hours ago) [Liran-Ar]
6420808 - [p4orch]: PINS Extension tables support ([build] When generating image version, handle case where current commit has no reachable tags #2506) (15 hours ago) [svshah-intel]
sonic-swss-common

1badd46 - Increase the netlink buffer size from 3MB to 16MB. (arp_update doesn't sleep 300 between each execution #739) (14 hours ago) [KISHORE KUNAL]
6555057 - Refactor eventpublisher deinit ([acl] Add default deny rule for l3 table #734) (14 hours ago) [Zain Budhwani]
f4d6de7 - Use github code scanning instead of LGTM ([sonic-quagga]:update submodule #718) (14 hours ago) [Liu Shilong]
sonic-linux-kernel

74f9a8f - Update linux kernel for hw-mgmt V.7.0020.4104 (Move template files to /usr/share/sonic/templates #305) (14 hours ago) [Stephen Sun]
6365701 - Fixes for emmc unreliability ([build_debian.sh]: Integrate system dump script #270) (14 hours ago) [Samuel Angebault]
How I did it
How to verify it