Support Restapi/gnmi control plane acls#9

Merged
ZhaohuiS merged 4 commits into sonic-net:master from ZhaohuiS:feature/caclmgrd_external_client on Aug 30, 2022

Conversation


@ZhaohuiS ZhaohuiS commented Aug 15, 2022

Currently Sonic supports the following ACL tables.

IPV6_SNMP_ACL
EVERFLOW
SSH_ONLY
..

For the Restapi/gnmi use-cases, Sonic has to support a new Table: EXTERNAL_CLIENT of type CTRLPLANE, stage ingress

This shall match on 'src ip prefix' and dst port '8080'. Caclmgrd must parse this from acl.json and install as in the below example:

iptables -A INPUT -s 20.20.20.20/27 -p tcp --dport 8080 -j ACCEPT

or ip6tables if the 'src ip prefix' is IPv6.
Steps:

  1. Add EXTERNAL_CLIENT_ACL in config_db.json:
"ACL_TABLE": {
        "NTP_ACL": {
            "policy_desc": "NTP_ACL",
            "services": [
                "NTP"
            ],
            "stage": "ingress",
            "type": "CTRLPLANE"
        },
        ...
       "EXTERNAL_CLIENT_ACL": {
            "policy_desc": "EXTERNAL_CLIENT_ACL",
            "services": [
                "EXTERNAL_CLIENT"
            ],
            "stage": "ingress",
            "type": "CTRLPLANE"
        }
}
  2. config reload, then check show acl tables:
EXTERNAL_CLIENT_ACL  CTRLPLANE  EXTERNAL_CLIENT  EXTERNAL_CLIENT_ACL  ingress
NTP_ACL              CTRLPLANE  NTP              NTP_ACL              ingress
SNMP_ACL             CTRLPLANE  SNMP             SNMP_ACL             ingress
SSH_ONLY             CTRLPLANE  SSH              SSH_ONLY             ingress
  3. Load acl rules:
    acl-loader update full external_acl.json
    external_acl.json looks like this:
{
    "acl": {
        "acl-sets": {
            "acl-set": {
                "EXTERNAL_CLIENT-ACL": {
                    "acl-entries": {
                        "acl-entry": {
                            "1": {
                                "ip": {
                                    "config": {
                                        "source-ip-address": "20.0.0.3/32"
                                    }
                                },
                                "transport": {
                                    "config": {
                                        "destination-port": "8081"
                                    }
                                },
                                "config": {
                                    "sequence-id": 1
                                }, 
                                "actions": {
                                    "config": {
                                        "forwarding-action": "ACCEPT"
                                    }
                                }
                            }
                        }
                    }, 
                    "config": {
                        "name": "EXTERNAL_CLIENT-ACL"
                    }
                }
            }
        }
    }
}
  4. Check acl rules
    IPv4:
admin@vlab-03:~$ show acl rule
Table                Rule          Priority    Action    Match
-------------------  ------------  ----------  --------  -------------------
EXTERNAL_CLIENT_ACL  RULE_0        10000       ACCEPT    L4_DST_PORT: 8081
                                                         SRC_IP: 20.0.0.3/32
EXTERNAL_CLIENT_ACL  DEFAULT_RULE  1           DROP      ETHER_TYPE: 2048

IPv6:

admin@vlab-03:~$ show acl rule
Table                Rule          Priority    Action    Match
-------------------  ------------  ----------  --------  --------------------
EXTERNAL_CLIENT_ACL  RULE_0        10000       ACCEPT    L4_DST_PORT: 8081
                                                         SRC_IPV6: 2001::3/128
EXTERNAL_CLIENT_ACL  DEFAULT_RULE  1           DROP      ETHER_TYPE: 2048
  5. Check iptables
    IPv4:
-A INPUT -s 20.0.0.3/32 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j DROP

IPv6:

-A INPUT -s 2001::3/128 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j DROP
  6. Also support dst port range:
                                "transport": {
                                    "config": {
                                        "destination-port": "8081..8083"
                                    }
                                }
admin@vlab-03:~$ show acl rule
Table                Rule          Priority    Action    Match
-------------------  ------------  ----------  --------  ----------------------------
EXTERNAL_CLIENT_ACL  RULE_0        10000       ACCEPT    L4_DST_PORT_RANGE: 8081-8083
                                                         SRC_IP: 20.0.0.3/32
EXTERNAL_CLIENT_ACL  DEFAULT_RULE  1           DROP      ETHER_TYPE: 2048
-A INPUT -s 20.0.0.3/32 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 20.0.0.3/32 -p tcp -m tcp --dport 8082 -j ACCEPT
-A INPUT -s 20.0.0.3/32 -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8081 -j DROP
-A INPUT -p tcp -m tcp --dport 8082 -j DROP
-A INPUT -p tcp -m tcp --dport 8083 -j DROP

Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com>
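To make the translation concrete, here is an added example (my own Python, not caclmgrd's code) that turns ACL_RULE entries like the ones shown above into the iptables/ip6tables lines the description lists, including the port-range expansion. The function names and the ACCEPT-then-DROP-per-port layout are assumptions modelled on the output above.

```python
import ipaddress

# Added example, not caclmgrd's own code. It reproduces the rule layout the PR
# shows for the EXTERNAL_CLIENT table: one ACCEPT per (source prefix, dst port),
# then a DROP per dst port, so only the listed sources reach the Restapi/gnmi ports.


def expand_ports(spec):
    """Expand an acl-loader port spec: "8081" -> [8081], "8081..8083" -> [8081, 8082, 8083]."""
    lo, _, hi = str(spec).partition("..")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 < lo <= hi <= 65535:
        raise ValueError("invalid destination-port %r" % (spec,))
    return list(range(lo, hi + 1))


def external_client_rules(acl_entries):
    """Return {"iptables": [...], "ip6tables": [...]} for the given ACL entries.

    acl_entries: (source_prefix, destination_port_spec) pairs as they appear in
    the ACL_RULE table (SRC_IP / SRC_IPV6 and L4_DST_PORT / L4_DST_PORT_RANGE).
    IPv6 prefixes go to ip6tables, IPv4 prefixes to iptables. An empty list
    (no dst port configured) yields no rules, which is the case the follow-up
    fix on this page turns into a warning instead of a traceback.
    """
    out = {"iptables": [], "ip6tables": []}
    drop_ports = {"iptables": set(), "ip6tables": set()}
    for src, port_spec in acl_entries:
        iface = ipaddress.ip_interface(src)  # validates and keeps the prefix as written
        tool = "ip6tables" if iface.version == 6 else "iptables"
        for port in expand_ports(port_spec):
            out[tool].append(
                "-A INPUT -s %s -p tcp -m tcp --dport %d -j ACCEPT" % (iface, port))
            drop_ports[tool].add(port)
    # Default-deny every port that has an allow rule; appended after the ACCEPTs
    # because iptables uses first match, so the allow list stays effective.
    for tool in out:
        for port in sorted(drop_ports[tool]):
            out[tool].append("-A INPUT -p tcp -m tcp --dport %d -j DROP" % port)
    return out


if __name__ == "__main__":
    # Constructed input mirroring the PR's examples: an IPv4 port range, an IPv6 host.
    sample = [("20.0.0.3/32", "8081..8083"), ("2001::3/128", "8081")]
    for tool, rules in external_client_rules(sample).items():
        print(tool)
        for rule in rules:
            print("  " + rule)
```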

Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com>
scripts/caclmgrd
},
"EXTERNAL_CLIENT": {
"ip_protocols": ["tcp"],
"dst_ports": ["8081"],

Let this be triggered via config

Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com>

@prsunny prsunny left a comment


lgtm, lets add some unit tests

@ZhaohuiS

lgtm, lets add some unit tests

@prsunny Sure, will do.


prsunny commented Aug 26, 2022

lgtm, lets add some unit tests

@prsunny Sure, will do.

Thanks @ZhaohuiS , please add test for IPv6 as well

…ort range for ipv4 and ipv6

Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com>
@ZhaohuiS

lgtm, lets add some unit tests

@prsunny Sure, will do.

Thanks @ZhaohuiS , please add test for IPv6 as well

@prsunny Hi Prince, I added 4 unit test cases which cover single port and port range for both ipv4 and ipv6 in my last commit.
Please help to review it again. Thanks!

@prsunny

prsunny commented Sep 1, 2022

@ZhaohuiS , we need to get this for 202205. Can you please have the submodule update for 202205?

@ZhaohuiS

ZhaohuiS commented Sep 2, 2022

@ZhaohuiS , we need to get this for 202205. Can you please have the submodule update for 202205?

@prsunny Sure, will also add print warning log if dst_port is not defined.

@ZhaohuiS

ZhaohuiS commented Sep 4, 2022

@ZhaohuiS , we need to get this for 202205. Can you please have the submodule update for 202205?

@prsunny I submitted in sonic-net/sonic-buildimage#11962 for 202205 branch. Please review, thanks.

ZhaohuiS added a commit to sonic-net/sonic-buildimage that referenced this pull request Sep 5, 2022
For the Restapi/gnmi use-cases, Sonic has to support a new Table: EXTERNAL_CLIENT of type CTRLPLANE, stage ingress

This shall match on 'src ip prefix' and dst port '8080'. Caclmgrd must parse this from acl.json and install as in the below example:

iptables -A INPUT -s 20.20.20.20/27 -p tcp --dport 8080 -j ACCEPT

or ip6tables if the 'src ip prefix' is IPv6.

This change for master branch is in PR sonic-net/sonic-host-services#9

Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com>
ZhaohuiS added a commit that referenced this pull request Sep 8, 2022
…_warning_log

In #9 , I added a new EXTERNAL_CLIENT table for supporting Restapi/gnmi control plane acls.
But if dest port is not defined, it will print traceback in syslog.
To avoid this scenario, we add a default empty list for dst_ports, print a warning log and skip processing the EXTERNAL_CLIENT table.

Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com>
ZhaohuiS added a commit to sonic-net/sonic-buildimage that referenced this pull request Sep 8, 2022
ganglyu pushed a commit that referenced this pull request Feb 13, 2023
wangxin pushed a commit to sonic-net/sonic-mgmt that referenced this pull request Jul 11, 2024
What is the motivation for this PR?
Original test_cacl only covers parts of the SNMP or SSH protocol test; sonic-net/sonic-host-services#9 introduced EXTERNAL_CLIENT, so we have to cover it in GCU test_cacl.

How did you do it?
Enhance many functions to support different protocols and add a fixture cacl_protocol to test SSH, SNMP,NTP, EXTERNAL_CLIENT one by one.
Also add T1 topology in mark topology list.

Test steps:
TC1 cacl table:
1. Test to add a new cacl table, which should expect success
2. test add duplicated cacl table, which should expect success
3. Test replace some variable in existing cacl table, which should expect success
4. Test add invalid cacl table, which should expect failure
5. Test remove non-existed cacl table, which should expect failure
6. Test remove cacl table, which should expect success
7. Test previous steps for SSH, SNMP,NTP, EXTERNAL_CLIENT one by one

TC2 cacl rule:
1. Test to add a new cacl rule, which should expect success and iptables rules are expected
2. test add duplicated cacl rule, which should expect success and iptables rules are expected
3. Test replace some variable in existing cacl rule, which should expect success and iptables rules are expected
4. Test add cacl rule into non-existed cacl table, which should expect failure
5. Test remove cacl table which has cacl rules, which should expect failure
6. Test remove non-existed cacl rule, which should expect success
7. Test remove ACL_RULE path, which should expect success and none of unexpected iptables rules exists
8. Test previous steps for SSH, SNMP,NTP, EXTERNAL_CLIENT one by one

How did you verify/test it?
collected 8 items

generic_config_updater/test_cacl.py::test_cacl_tc1_acl_table_suite[SSH] PASSED              [ 12%]
generic_config_updater/test_cacl.py::test_cacl_tc2_acl_rule_test[SSH] PASSED                [ 25%]
generic_config_updater/test_cacl.py::test_cacl_tc1_acl_table_suite[NTP] PASSED              [ 37%]
generic_config_updater/test_cacl.py::test_cacl_tc2_acl_rule_test[NTP] PASSED                [ 50%]
generic_config_updater/test_cacl.py::test_cacl_tc1_acl_table_suite[SNMP] PASSED             [ 62%]
generic_config_updater/test_cacl.py::test_cacl_tc2_acl_rule_test[SNMP] PASSED               [ 75%]
generic_config_updater/test_cacl.py::test_cacl_tc1_acl_table_suite[EXTERNAL_CLIENT] PASSED  [ 87%]
generic_config_updater/test_cacl.py::test_cacl_tc2_acl_rule_test[EXTERNAL_CLIENT] PASSED    [100%]

======================== warnings summary ========================
Any platform specific information?
Run tests/generic_config_updater/test_cacl.py

Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com>
arista-hpandya pushed a commit to arista-hpandya/sonic-mgmt that referenced this pull request Oct 2, 2024