[caclmgrd] Fix subnet mask recognizing for drop ip2me rules#7178
Open
ghost wants to merge 3 commits into sonic-net:master from
Conversation
Author: retest this please
d50484d to 8ac07ed
8ac07ed to 3c8d17d
* Implementing recognition of subnet masks for interfaces found inside the generate_block_ip2me_traffic_iptables_commands function. Using them for generating iptables rules instead of using ip_ntwrk.max_prefixlen. Signed-off-by: d-dashkov <Dmytro_Dashkov@Jabil.com> Signed-off-by: Maksym Belei <Maksym_Belei@jabil.com>
* Adding acceptance rules for known ACL services on the MGMT interface. This is required, for example, for remote connection to the device through the MGMT interface. Dropping all the rest of the incoming traffic on the MGMT interface in the new function, instead of dropping it inside the function generate_block_ip2me_traffic_iptables_commands. Signed-off-by: Maksym Belei <Maksym_Belei@jabil.com>
* Renaming ACL_SERVICES to KNOWN_SYSTEM_SERVICES to stay consistent, because the service list is used for setting rules for the MGMT interface, which is not related to ACL functionality. Signed-off-by: Maksym Belei <Maksym_Belei@jabil.com>
3c8d17d to 5bda63c
@lguohan, could you please review the changes?
Contributor: I just found out about this PR. I created a related/alternative fix: #9826. Hopefully either PR can be merged so this issue can be fixed.
bluecmd added a commit to kamelnetworks/sonic-host-services that referenced this pull request (Feb 19, 2024):
Currently the first IP on the VLAN subnet is used, regardless of whatever IP is actually assigned to the control plane. This fix uses the correct IP. See earlier work:
- sonic-net/sonic-buildimage#9826
- sonic-net/sonic-buildimage#7178
- sonic-net/sonic-buildimage#7008
Signed-off-by: Christian Svensson <blue@cmd.nu>

bluecmd added a commit to kamelnetworks/sonic-host-services that referenced this pull request (Apr 29, 2025), with the same commit message.

dal00 pushed a commit to kamelnetworks/sonic-linux-kernel that referenced this pull request (Jul 20, 2025), with the same commit message.
Why I did it
Resolves #7008
As described in #7008, caclmgrd currently applies drop rules for network interfaces with ip_ntwrk.max_prefixlen instead of the real subnet mask prefix, which makes the rules invalid. The changes make it possible to apply iptables rules with the real subnet mask prefix.
As the changes make the device inaccessible via SSH and SNMP and make it impossible to use NTP on the MGMT interface, due to the result of executing the function generate_block_ip2me_traffic_iptables_commands, a new function generate_commands_for_mgmt_intf has been implemented to add the missing iptables rules for SSH, SNMP and NTP to the system. As ACL_SERVICES is currently used for generating rules for the MGMT interface, it has been renamed to make its purpose clear.
How I did it
By recognizing and setting the real prefix of the subnet mask, instead of ip_ntwrk.max_prefixlen.
To keep SNMP, SSH and NTP usable on the MGMT interface, a new function generate_commands_for_mgmt_intf has been added to caclmgrd. It adds the required rules and drops all traffic that has no related rules.
How to verify it
Boot the switch and try to connect to it via SSH. SSH should work normally, as should SNMP and NTP, if configured.
See the logs with show logging | grep caclmgrd. All the applied rules will be listed after "Issuing the following iptables commands:". All the rules should have their own subnet mask prefixes, not ip_ntwrk.max_prefixlen. Example:
Which release branch to backport (provide reason below if selected)
The fix is desirable because it frees incoming traffic from useless data.
Description for the changelog
Fixed subnet mask prefixes for drop rules in caclmgrd. Added missing rules for the MGMT interface.
A picture of a cute animal (not mandatory but encouraged)
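As an added illustration (not code from this PR or from caclmgrd itself), the following Python uses the ipaddress module to build the ip2me DROP rule both ways discussed in the description, with ip_ntwrk.max_prefixlen and with the interface's real prefix, plus the SSH/SNMP/NTP accept rules followed by a final drop on the MGMT interface, and includes a check that a generated rule really covers the interface's own address. The iptables command templates, the sample interface addresses and the assumption that the original code combined network_address with max_prefixlen are mine, not taken from the project.

```python
import ipaddress

# Constructed sample of interface addresses (name, "ip/prefix"); not from the PR.
SAMPLE_INTERFACES = [
    ("Vlan100", "192.168.1.1/24"),
    ("eth0", "10.0.0.5/16"),
    ("Loopback0", "10.1.0.1/32"),
]

# Standard ports for the services the PR description allows on the MGMT interface.
MGMT_SERVICES = [("tcp", 22), ("udp", 161), ("udp", 123)]  # SSH, SNMP, NTP


def drop_rule(ip_with_prefix, use_max_prefixlen=False):
    """Build one ip2me DROP rule (assumed template, not caclmgrd's exact string).

    With use_max_prefixlen=True the destination becomes <network>/32, which never
    matches the interface's own host address; with the real prefix it matches the
    whole subnet, and on the INPUT chain that only means locally destined packets.
    """
    ip_ntwrk = ipaddress.ip_network(ip_with_prefix, strict=False)
    prefix = ip_ntwrk.max_prefixlen if use_max_prefixlen else ip_ntwrk.prefixlen
    return "iptables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, prefix)


def generate_block_ip2me_rules(interfaces, use_max_prefixlen=False):
    """DROP rules for every interface address, buggy or fixed form."""
    return [drop_rule(addr, use_max_prefixlen) for _, addr in interfaces]


def generate_mgmt_rules(mgmt_intf="eth0"):
    """Accept the known services on the MGMT interface, then drop the rest."""
    cmds = ["iptables -A INPUT -i {} -p {} --dport {} -j ACCEPT".format(mgmt_intf, proto, port)
            for proto, port in MGMT_SERVICES]
    cmds.append("iptables -A INPUT -i {} -j DROP".format(mgmt_intf))
    return cmds


def rule_covers(rule, host_ip):
    """Check a reviewer would want: does the rule's -d destination match host_ip?"""
    dst = rule.split("-d ")[1].split()[0]
    return ipaddress.ip_address(host_ip) in ipaddress.ip_network(dst)


if __name__ == "__main__":
    for name, addr in SAMPLE_INTERFACES:
        host = addr.split("/")[0]
        for buggy in (True, False):
            rule = drop_rule(addr, buggy)
            print(name, "max_prefixlen" if buggy else "real prefix", rule, rule_covers(rule, host))
    print("\n".join(generate_mgmt_rules()))
```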