

[caclmgrd] Add support to allow/deny any IP/IPv6 protocol packets com…
…ing to CPU based on source IP (sonic-net#4591)

Add support to allow/deny packets coming to CPU based on source IP, regardless of destination port
venkatmahalingam authored Sep 23, 2020
1 parent 04c709d commit 418e437
Showing 1 changed file with 11 additions and 2 deletions.
13 changes: 11 additions & 2 deletions files/image_config/caclmgrd/caclmgrd
Expand Up @@ -68,6 +68,10 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
"SSH": {
"ip_protocols": ["tcp"],
"dst_ports": ["22"]
},
"ANY": {
"ip_protocols": ["any"],
"dst_ports": ["0"]
}
}

Expand Down Expand Up @@ -375,14 +379,19 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
for ip_protocol in ip_protocols:
for dst_port in dst_ports:
rule_cmd = "ip6tables" if table_ip_version == 6 else "iptables"
rule_cmd += " -A INPUT -p {}".format(ip_protocol)

rule_cmd += " -A INPUT"
if ip_protocol != "any":
rule_cmd += " -p {}".format(ip_protocol)

if "SRC_IPV6" in rule_props and rule_props["SRC_IPV6"]:
rule_cmd += " -s {}".format(rule_props["SRC_IPV6"])
elif "SRC_IP" in rule_props and rule_props["SRC_IP"]:
rule_cmd += " -s {}".format(rule_props["SRC_IP"])

rule_cmd += " --dport {}".format(dst_port)
# Destination port 0 is reserved/unused port, so, using it to apply the rule to all ports.
if dst_port != "0":
rule_cmd += " --dport {}".format(dst_port)

# If there are TCP flags present and ip protocol is TCP, append them
if ip_protocol == "tcp" and "TCP_FLAGS" in rule_props and rule_props["TCP_FLAGS"]:
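Review bot: The new "any"/port-0 sentinels are skipped independently, so an "any" rule whose rule_props carries neither SRC_IPV6 nor SRC_IP emits a bare `-A INPUT` with no `-p`, no `-s` and no `--dport`, i.e. a match-everything rule; with a DROP action (the action is appended outside this hunk, so this is inferred) that would silently cut all CPU-bound traffic, including management, rather than the per-source filtering the commit describes. I would reject such a rule before building it: `if ip_protocol == "any" and not (rule_props.get("SRC_IPV6") or rule_props.get("SRC_IP")):` followed by a warning through the daemon's logger and `continue`. The two guards also allow "any" to be combined with a real dst_port from config, which yields `--dport` without a `-p tcp/udp` and makes iptables reject the rule; treating that combination as a config error in the same check would be safer than letting it fail at apply time. The enclosing method starts and ends outside this hunk, so the SRC_IP normalization and the final `-j` append could not be checked here.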
