[caclmgrd]: New traceroute iptables rules #5

Open
Zmegolaz wants to merge 1 commit into sonic-net:master from Zmegolaz:traceroute-acl

Conversation

@Zmegolaz

The current ip(6)tables rules allow all packets which have a TTL of 2 or below, which means anyone can access any port as long as they set their initial TTL to a suitable value.

In practice this means:

  1. TCP traceroute is no longer allowed here. IMO this should be handled by the service ACLs, so that you can only do a TCP traceroute to port 22 if you're allowed to SSH to the device.
  2. Instead of ACCEPTing traceroute packets, reply with ICMP port unreachable. Traceroute clients are fine with that as a reply.
  3. ICMP traceroute (from Windows mainly) is not allowed here, but it is in the general ping ACLs.
  4. The port range is 33434-33523, which is enough for 30 hops.
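A small model of the rule change described in this post, added here as an illustration and not code from the PR or the caclmgrd project. The chain layout, the `Packet` fields and the two iptables command lines are constructed to match the description above; a "SERVICE_ACL" target stands for falling through to the per-service rules.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    dport: int   # destination port
    ttl: int     # IPv4 TTL / IPv6 hop limit on arrival


# UDP traceroute probe ports named in the PR: 33434-33523, i.e. 90 ports,
# which covers 30 hops at the default three probes per hop.
TRACEROUTE_PORTS = range(33434, 33524)


def evaluate(chain, pkt):
    """First-match evaluation, as in an iptables chain (constructed model)."""
    for match, target in chain:
        if match(pkt):
            return target
    return "SERVICE_ACL"   # no control-plane rule hit: service ACLs decide


# Old behaviour described in the PR: anything with TTL <= 2 is ACCEPTed before
# the service ACLs see it (roughly "-m ttl --ttl-lt 3 -j ACCEPT").
OLD_CHAIN = [
    (lambda p: p.ttl <= 2, "ACCEPT"),
]

# New behaviour: only UDP probes in the traceroute range get a reply, and that
# reply is ICMP port unreachable; TCP traceroute is left to the service ACLs.
NEW_CHAIN = [
    (lambda p: p.proto == "udp" and p.dport in TRACEROUTE_PORTS,
     "REJECT icmp-port-unreachable"),
]


def bypasses_service_acl(chain, pkt):
    """True when a packet is accepted without ever reaching the service ACLs."""
    return evaluate(chain, pkt) == "ACCEPT"


def iptables_rules():
    """Constructed command lines equivalent to NEW_CHAIN, for v4 and v6."""
    return [
        "iptables -A INPUT -p udp --dport 33434:33523 "
        "-j REJECT --reject-with icmp-port-unreachable",
        "ip6tables -A INPUT -p udp --dport 33434:33523 "
        "-j REJECT --reject-with icmp6-port-unreachable",
    ]
```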

isabelmsft pushed a commit to isabelmsft/sonic-host-services that referenced this pull request Dec 31, 2022
Update gnmi_cli
When configured via args:
    1) Write responses only to a o/p file instead of stdout.
    2) For on change events, filter for a specific event.
    3) Exit upon receiving N responses.
    4) Exit upon timeout.

The above would help use gnmi_cli as a tool in a scripting environment that does testing.
gpunathilell pushed a commit to gpunathilell/sonic-host-services that referenced this pull request Sep 24, 2025
```
* 5f79c8f - (HEAD -> 202506, origin/202505) Improve LC reboot cause for supervisor heartbeat loss (sonic-net#291) (2025-07-16) [mssonicbld]
* d86b612 - Fix ProcessStatsST column name issue and add test case to cover check (sonic-net#286) (2025-07-10) [mssonicbld]
```