Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

caclmgrd: Don't block traffic to mgmt by default #6

Merged
merged 2 commits into from
Aug 12, 2022
Merged

caclmgrd: Don't block traffic to mgmt by default #6

merged 2 commits into from
Aug 12, 2022

Conversation

bluecmd
Copy link
Contributor

@bluecmd bluecmd commented Aug 9, 2022
edited
Loading

Currently the IP2ME rules block the management interface's identity address instead of the actual host address. This logic results in a DROP rule that hits the management interface address only in the case of /32 netmask - all other netmasks will result in traffic being accepted by default. Thus, it is exceedingly likely that the current DROP rule has never worked for management interfaces given that /32 are mainly loopback addresses, not for network links.

Claim: Management addresses should not be dropped by default. This matches the current SONiC behavior in all current releases. Dropping by default would result in that the device can only be managed by serial console (physical or possibly BMC SoL).

Dropping management traffic is still possible by adding any explicit ACL rule which will install a default DROP that hits management as well, so this change is a no-op for every case except if anybody is using /32 on management interface as well as expects that traffic to be dropped (extremely unlikely, and still achievable by adding explicit ACLs).

Also see older discussion summary in sonic-net/sonic-buildimage#9826 (comment)

@bluecmd bluecmd changed the title WIP: caclmgrd: Don't block traffic to mgmt by default caclmgrd: Don't block traffic to mgmt by default Aug 9, 2022
@bluecmd bluecmd marked this pull request as ready for review August 9, 2022 07:36
bluecmd added 2 commits August 11, 2022 06:59
@bluecmd
caclmgrd: Don't block traffic to mgmt by default
adc058b 
Signed-off-by: Christian Svensson <blue@cmd.nu>
@bluecmd
Update test cases
a712fc4 
Signed-off-by: Christian Svensson <blue@cmd.nu>
@bluecmd
Copy link
Contributor Author

bluecmd commented Aug 11, 2022

Ping @prsunny @bingwang-ms

@prsunny
Copy link
Contributor

prsunny commented Aug 11, 2022

The expectation is that, this /32 DROP rule shall be installed at the end. If any control or other protocol (ssh/snmp etc) is required to be allowed, the user must explicitly add allow rules above the DROP rule

@bluecmd
Copy link
Contributor Author

bluecmd commented Aug 12, 2022
edited
Loading

The expectation is that, this /32 DROP rule shall be installed at the end. If any control or other protocol (ssh/snmp etc) is required to be allowed, the user must explicitly add allow rules above the DROP rule

@prsunny On the meeting in February we agreed that this DROP should be removed (see sonic-net/sonic-buildimage#9826 (comment)) , has new information come forth or has anything else changed?

@prsunny
Copy link
Contributor

prsunny commented Aug 12, 2022

The expectation is that, this /32 DROP rule shall be installed at the end. If any control or other protocol (ssh/snmp etc) is required to be allowed, the user must explicitly add allow rules above the DROP rule

@prsunny On the meeting in February we agreed that this DROP should be removed (see sonic-net/sonic-buildimage#9826 (comment)) , has new information come forth or has anything else changed?

I see, thanks for pointing out. For default ssh via mgmt, this change is required. lgtm, @yxieca to review as well.

@prsunny prsunny requested a review from yxieca August 12, 2022 16:41
@prsunny prsunny merged commit f6ea036 into sonic-net:master Aug 12, 2022
@bluecmd bluecmd deleted the ip2me-mgmt branch August 12, 2022 19:56
@SuvarnaMeenakshi
Copy link
Contributor

@bluecmd , @prsunny - this PR change is causing a sonic-mgmt test to fail and is blocking merge of sonic-host-services sub module update. https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fsonic-net%2Fsonic-buildimage%2Fpull%2F12195&data=05%7C01%7CSuvarna.Meenakshi%40microsoft.com%7Cb238b7ef21c0406f056108dab0a19f03%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638016505489756783%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=gyDxl3OWFzfmMMWaIkdX8XteVTSnpXpL3E5O58TIQuw%3D&reserved=0

Is there a plan to merge this change to other branches, based on that fix should go in sonic-mgmt repo as well.

https://github.com/sonic-net/sonic-mgmt/blob/master/tests/cacl/test_cacl_application.py#L300 - this is causing test case to fail.

@bluecmd
Copy link
Contributor Author

bluecmd commented Oct 19, 2022

@SuvarnaMeenakshi Thanks for flagging that. After taking a quick look at the tests and verify_cacl it seems to me that those tests are redundant to the unit tests introduced with this PR.

As long as we have tests that depend on the exact iptables rule output, which those tests you linked do, any changes to the rule logic in this repo will be really hard to do, as is evident with the current case @SuvarnaMeenakshi is bringing up.

My take: I recommend that the linked unit tests are deleted (or significantly reduced), as we are now testing that behavior in this repo's own tests. That way we test the specifics in this repo, and we test the manifested outcome (e.g try to run SSH or just open a port) instead of exactly how is implemented.

Thoughts?

SuvarnaMeenakshi added a commit to SuvarnaMeenakshi/sonic-mgmt that referenced this pull request Oct 20, 2022
@SuvarnaMeenakshi
Temporary removal of test_cacl_appplication test case.
7ca2ca5 
There is a caclmgrd change done to remove acl to block
mgmt traffic by default.
sonic-net/sonic-host-services#6
With this change, test case also should be modified.
Remove this test case until the test case is modified
to match change done in caclmgrd.

Signed-off-by: Suvarna Meenakshi <sumeenak@microsoft.com>
@SuvarnaMeenakshi SuvarnaMeenakshi mentioned this pull request Oct 20, 2022
Closed
@SuvarnaMeenakshi
Copy link
Contributor

@SuvarnaMeenakshi Thanks for flagging that. After taking a quick look at the tests and verify_cacl it seems to me that those tests are redundant to the unit tests introduced with this PR.

As long as we have tests that depend on the exact iptables rule output, which those tests you linked do, any changes to the rule logic in this repo will be really hard to do, as is evident with the current case @SuvarnaMeenakshi is bringing up.

My take: I recommend that the linked unit tests are deleted (or significantly reduced), as we are now testing that behavior in this repo's own tests. That way we test the specifics in this repo, and we test the manifested outcome (e.g try to run SSH or just open a port) instead of exactly how is implemented.

Thoughts?

We should keep the unit-tests and sonic-mgmt tests as sonic-mgmt tests.
You suggestion to test the outcome does seem right, but my understanding is that we compare the rules as it easier when compared to testing possible outcome for all the cacls.
In the interest of time to make sure that we are able to update sonic-host-services submodule, I have created an issue to track this: sonic-net/sonic-buildimage#12464. Will try to have a easy fix in sonic-mgmt repo to unblock and can be fine tuned later.

@SuvarnaMeenakshi SuvarnaMeenakshi mentioned this pull request Dec 21, 2022
Merged
6 tasks
SuvarnaMeenakshi added a commit to sonic-net/sonic-mgmt that referenced this pull request Dec 28, 2022
@SuvarnaMeenakshi
Remove MGMT_INTERFACE from ip2me block rule list (#7092)
14768ea 
What is the motivation for this PR?
Provides fix for sonic-net/sonic-buildimage#12464
MGMT_INTERFACE was removed from default ip2me block rules in PR sonic-net/sonic-host-services#6
This PR is to modify the test case according to the change in caclmgrd

How did you do it?
Remove MGMT_INTERFACE when generating ip2me block rule list.

How did you verify/test it?
Ran test on multi-asic vs DUT, without skipping this test:
..
cacl/test_cacl_application.py::test_cacl_application_nondualtor[vlab-08-1]
PASSED [ 70%]
cacl/test_cacl_application.py::test_cacl_application_dualtor[active_tor-vlab-08-1] SKIPPED [ 80%]
cacl/test_cacl_application.py::test_cacl_application_dualtor[standby_tor-vlab-08-1] SKIPPED [ 90%]
cacl/test_cacl_application.py::test_multiasic_cacl_application[vlab-08-1]
PASSED
SKIPPED [4] cacl/test_cacl_application.py: test_cacl_application_dualtor is only supported on dualtor topology
SKIPPED [1] cacl/test_cacl_application.py: caclmgrd may crash after loading scale ipv4 cacl rules.
SKIPPED [1] cacl/test_cacl_application.py: caclmgrd may crash after loading scale ipv6 cacl rules.
============================================================================================================ 4 passed, 6 skipped in 769.78 seconds =============================================================================================================
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yxieca yxieca yxieca approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@bluecmd @prsunny @SuvarnaMeenakshi @yxieca