[acl-loader] Improve input validation for acl_loader #1479
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Danny Allen [email protected]
What I did
I fixed two issues:
The IPv6 block rule was only looking at the table name, not the table type, when determining what type of default deny rule to add. This isn't very robust.
Individual fields are validated, but there are some invalid combinations like mixing certain protocol numbers like TCP (6) with fields that don't make sense for TCP (like ICMP type/code fields).
How I did it
is_table_ipv6
method to verify that the table is a V6 dataacl table.How to verify it
Added new test cases, verified that the existing ACL and CACL tests have no regression.
Previous command output (if the output of a command-line utility has changed)
New command output (if the output of a command-line utility has changed)