Add script null_route_helper #1718
Conversation
Signed-off-by: bingwang <[email protected]>
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Please update command reference guide.
    return block_rules


def validate_input(ip_address):
Can you reuse anything from utils?
The validate_input in this PR will add a prefix length for IP addresses that don't explicitly set one. For example, 1.2.3.4 is changed to 1.2.3.4/32. The common utils may not do this.
    rule_value = list(rule.values())[0] if rule else None
    if action == ACTION_ALLOW:
        if not rule:
            return
I think here we should be adding a rule even if it doesn't exist, may be for managing priorities. Why is it skipped here?
Because it will be allowed anyway?
yes
So no need to add a rule.
I think here we should be adding a rule even if it doesn't exist, may be for managing priorities. Why is it skipped here?
I skip here since there will be a default ALLOW rule in the pre-created ACL table. Is it necessary to add an ALLOW rule for a certain prefix?
My concern is: let's say a user specifies "unblock 1.2.3.4/32" and there is some rule in between that says 1.2.3.0/24 drop. In this case, if we don't explicitly add the "allow" rule, it will get dropped.
That's a good catch. We discussed it offline and confirmed that all prefix lengths are 32 (for IPv4) or 128 (for IPv6). Based on this, it shouldn't be an issue. I will update the validate_input interface to ensure that. Thanks
@@ -0,0 +1,216 @@ | |||
#!/usr/bin/env python3 |
If you tested the same script with both python2/3, you can change it to #!/usr/bin/env python
#!/usr/bin/env python doesn't work on the 202012 image since it will point to python2, and several packages are missing. I think the only way to solve the issue is to create another PR for the 201911 or earlier image. It's not a clean cherry-pick.
sonic-utilities can no longer be cherry-picked to 201911. We faced it a few times and suggest creating a new PR for 201911.
scripts/null_route_helper
Outdated
./null_route_helper acl_table_name block 10.2.3.4/32

Unblock all traffic from 10.2.3.4/32:
./null_route_helper acl_table_name unblock 10.2.3.4/32
It's a good suggestion. Thanks. I was thinking which one is better, a list command or an unblock all command? Any suggestions?
A list command will be useful in many cases, including
- unblock all
- verify existing rules
I added a new interface list. Thanks
Add the list command in the usage comment?
scripts/null_route_helper
Outdated
import click
import ipaddress

from swsssdk import ConfigDBConnector
Updated. Thanks
scripts/null_route_helper
Outdated
""" | ||
Check the existence of pre-created ACL tables | ||
""" | ||
target_table = configdb.get_entry(CONFIG_DB_ACL_TABLE_TABLE, table_name) |
Updated. Thanks
scripts/null_route_helper
Outdated
    return ipaddress.ip_network(ip_prefix, False).version


def check_table_existence(configdb, table_name):
Updated. Thanks


def ip_ver(ip_prefix):
    return ipaddress.ip_network(ip_prefix, False).version
I don't like to add a global variable to save the ip version. Any better ideas?
I don't like to add a global variable to save the return value. Any better ideas?
I don't like global var either. To clarify, I mean the object of ip_network is very useful, and you could deduce many attributes from it such as prefix length, not only the version.
scripts/null_route_helper
Outdated
"PACKET_ACTION": "DROP" | ||
} | ||
if ip_ver(src_ip) == 4: | ||
rule['ETHER_TYPE'] = str(0x0800) |
Updated. Thanks
scripts/null_route_helper
Outdated
    For 'DENY', an 'DROP' rule for given ip_prefix will be added if not existed
    For 'ALLOW', we will try to remove the existing 'DENY' rule, and nothing is changed if not existed
    """
    check_table_existence(configdb, acl_table_name)
    if action == ACTION_ALLOW:
        if not rule:
            return
        configdb.mod_entry(CONFIG_DB_ACL_RULE_TABLE, rule_key, None)
Yes. I checked the code and confirm the entry will be deleted. Also verified in test.
https://github.com/Azure/sonic-swss-common/blob/bf8c832cf1c7a6e72d7b1c843888ffb4a27088c8/common/configdb.cpp#L96
Signed-off-by: bingwang <[email protected]>
scripts/null_route_helper
Outdated
    configdb.set_entry(CONFIG_DB_ACL_RULE_TABLE, new_rule_key, new_rule_value)


def helper(table_name, ip_prefix, action):
Updated. Thanks
7d82d49 to 45896c3
Signed-off-by: bingwang <[email protected]>
Hi @qiluo-msft @prsunny . All comments were addressed. And the unit test code was also checked in. Please help to review. Thanks
Signed-off-by: bingwang <[email protected]>
Signed-off-by: bingwang <[email protected]>
scripts/null_route_helper
Outdated
Example:

Block traffic from 10.2.3.4/32:
./null_route_helper block acl_table_name 10.2.3.4/32
Thanks, I will update.
Signed-off-by: bingwang <[email protected]>
Block. This PR should go master first, and then 201911 and later branches.
OK. I will hold on merging this PR and create a same PR to
Same PR created for master branch #1737
To include following changes:
* d84a8cc 2021-08-05 | [fast-reboot] revert the change of disabling counter polling before fast-reboot (sonic-net#1744) (HEAD -> 202012, github/202012) [Ying Xie]
* e900bc5 2021-08-04 | Add script null_route_helper (sonic-net#1718) [bingwang-ms]
* 85f14e1 2021-08-02 | disk_check updates: (sonic-net#1736) [Renuka Manavalan]
* d68ac1c 2021-05-27 | [console][show] Force refresh all lines status during show line (sonic-net#1641) [Blueve]
* a0e417f 2021-04-25 | [console] Display success message after line cleared (sonic-net#1579) [Blueve]
* 0c6bb27 2021-04-07 | [console] Include Flow Control status in show line result (sonic-net#1549) [Blueve]
This is a backport of #1737
Signed-off-by: bingwang [email protected]
What I did
This PR introduces a new helper script, null_route_helper. null_route_helper is a utility for blocking and unblocking traffic from a given source ip_prefix on ACL tables. The block operation will insert a DENY rule at the top of the table. The unblock operation will remove an existing DENY rule that has been created by the block operation (i.e. it does NOT insert an ALLOW rule, only removes DENY rules).
Since SONiC supports multiple ACL rules sharing the same priority, all ACL rules created by null_route_helper will use the highest priority (9999).
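The following is an added example, not code from this PR or from sonic-utilities, that models the behaviour described above and the validate_input discussion earlier in the thread: operands are normalised to host prefixes (/32 or /128) and anything wider is rejected, so a broader DROP rule can never shadow a later unblock; block adds a DROP rule at priority 9999 only if none exists, unblock deletes it and never inserts an ALLOW rule, and list reports what is currently blocked. Assumptions that the page does not state: FakeConfigDB is a dict-backed stand-in for swsssdk's ConfigDBConnector with (table, rule) tuple keys, the helper names its rules BLOCK_RULE_N, and the SRC_IP / SRC_IPV6 / PRIORITY / IP_TYPE field names follow the usual SONiC ACL_RULE schema.

```python
import ipaddress

CONFIG_DB_ACL_TABLE_TABLE = "ACL_TABLE"
CONFIG_DB_ACL_RULE_TABLE = "ACL_RULE"
ACTION_ALLOW = "ALLOW"
ACTION_DENY = "DENY"
NULL_ROUTE_PRIORITY = 9999      # highest priority, as stated in the PR description
RULE_PREFIX = "BLOCK_RULE_"     # assumed naming scheme for rules the helper owns


class FakeConfigDB:
    """Dict-backed stand-in for ConfigDBConnector (assumption for this example).
    ACL_RULE entries are keyed by (table_name, rule_name) tuples."""

    def __init__(self):
        self.tables = {}

    def get_entry(self, table, key):
        return dict(self.tables.get(table, {}).get(key, {}))

    def set_entry(self, table, key, data):
        self.tables.setdefault(table, {})[key] = dict(data)

    def mod_entry(self, table, key, data):
        # The thread confirms that mod_entry(table, key, None) deletes the entry.
        if data is None:
            self.tables.get(table, {}).pop(key, None)
        else:
            self.tables.setdefault(table, {}).setdefault(key, {}).update(data)

    def get_table(self, table):
        return {k: dict(v) for k, v in self.tables.get(table, {}).items()}


def validate_input(ip_address):
    """Return the operand as a host prefix ('1.2.3.4' -> '1.2.3.4/32');
    reject anything wider so that no helper rule can cover other hosts."""
    try:
        net = ipaddress.ip_network(ip_address, strict=False)
    except ValueError:
        raise ValueError("invalid IP address or prefix: %s" % ip_address)
    if net.num_addresses != 1:
        raise ValueError("only /32 or /128 host prefixes are accepted: %s" % ip_address)
    return str(net)


def check_table_existence(configdb, table_name):
    if not configdb.get_entry(CONFIG_DB_ACL_TABLE_TABLE, table_name):
        raise ValueError("ACL table %s does not exist" % table_name)


def get_block_rules(configdb, table_name):
    """All helper-owned rules in table_name, keyed by (table, rule_name)."""
    return {key: rule for key, rule in configdb.get_table(CONFIG_DB_ACL_RULE_TABLE).items()
            if key[0] == table_name and key[1].startswith(RULE_PREFIX)}


def find_rule(block_rules, prefix):
    for key, rule in block_rules.items():
        if prefix in (rule.get("SRC_IP"), rule.get("SRC_IPV6")):
            return key
    return None


def build_drop_rule(prefix):
    rule = {"PRIORITY": str(NULL_ROUTE_PRIORITY), "PACKET_ACTION": "DROP"}
    if ipaddress.ip_network(prefix).version == 4:
        rule["SRC_IP"] = prefix
        rule["ETHER_TYPE"] = str(0x0800)    # "2048", as in the PR snippet
    else:
        rule["SRC_IPV6"] = prefix
        rule["IP_TYPE"] = "IPV6ANY"         # assumed IPv6 match field
    return rule


def apply(configdb, table_name, ip_address, action):
    """DENY: add a DROP rule unless one exists. ALLOW: delete it if present;
    no ALLOW rule is inserted because the table's default ALLOW covers it."""
    if action not in (ACTION_ALLOW, ACTION_DENY):
        raise ValueError("unknown action: %s" % action)
    check_table_existence(configdb, table_name)
    prefix = validate_input(ip_address)
    block_rules = get_block_rules(configdb, table_name)
    key = find_rule(block_rules, prefix)
    if action == ACTION_ALLOW:
        if key is not None:
            configdb.mod_entry(CONFIG_DB_ACL_RULE_TABLE, key, None)
        return key
    if key is None:
        used = {int(name[len(RULE_PREFIX):]) for _, name in block_rules}
        idx = next(i for i in range(1, len(used) + 2) if i not in used)
        key = (table_name, RULE_PREFIX + str(idx))
        configdb.set_entry(CONFIG_DB_ACL_RULE_TABLE, key, build_drop_rule(prefix))
    return key


def list_blocked(configdb, table_name):
    check_table_existence(configdb, table_name)
    rules = get_block_rules(configdb, table_name).values()
    return sorted(r.get("SRC_IP") or r.get("SRC_IPV6") for r in rules)


def demo():
    # Constructed input: one pre-created table, then block / block again / unblock.
    db = FakeConfigDB()
    db.set_entry(CONFIG_DB_ACL_TABLE_TABLE, "NULL_ROUTE_V4", {"type": "L3", "stage": "ingress"})
    apply(db, "NULL_ROUTE_V4", "10.2.3.4", ACTION_DENY)       # stored as 10.2.3.4/32
    apply(db, "NULL_ROUTE_V4", "10.2.3.4/32", ACTION_DENY)    # idempotent
    before = list_blocked(db, "NULL_ROUTE_V4")
    apply(db, "NULL_ROUTE_V4", "10.2.3.4", ACTION_ALLOW)
    return before, list_blocked(db, "NULL_ROUTE_V4")


if __name__ == "__main__":
    print(demo())
```

Because validate_input only ever yields a single-host prefix, the only rule that can match a given source host with priority 9999 is the helper's own DROP rule, which is why deleting it is sufficient to unblock and no ALLOW rule is needed.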
Example:
How I did it
The feature is implemented by applying ACL rules.
How to verify it
Verified with both unit tests and traffic tests.
The coverage is not 100% since the line below can't be covered