Address Review Comments
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
abdosi committed Jul 23, 2020
1 parent 1094086 commit a1ac653
Showing 2 changed files with 48 additions and 48 deletions.
2 changes: 1 addition & 1 deletion files/build_templates/sonic_debian_extension.j2
Expand Up @@ -214,7 +214,7 @@ if [[ $CONFIGURED_ARCH == amd64 ]]; then
sudo DEBIAN_FRONTEND=noninteractive dpkg --root=$FILESYSTEM_ROOT -i $debs_path/kdump-tools_*.deb || \
sudo LANG=C DEBIAN_FRONTEND=noninteractive DEBCONF_NONINTERACTIVE_SEEN=true chroot $FILESYSTEM_ROOT apt-get -q --no-install-suggests --no-install-recommends --force-no install
fi
#Install python-swss-common package and all it's dependent package
# Install python-swss-common package and all its dependent packages
{% if python_swss_debs.strip() -%}
{% for deb in python_swss_debs.strip().split(' ') -%}
sudo dpkg --root=$FILESYSTEM_ROOT -i {{deb}} || sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y install -f
94 changes: 47 additions & 47 deletions files/image_config/caclmgrd/caclmgrd
Expand Up @@ -92,15 +92,15 @@ class ControlPlaneAclManager(object):
def __init__(self):
SonicDBConfig.load_sonic_global_db_config()
self.config_db_map = {}
self.iptable_cmd_prefix = {}
self.iptables_cmd_prefix = {}
self.config_db_map[''] = ConfigDBConnector(use_unix_socket_path=True, namespace='')
self.config_db_map[''].connect()
self.iptable_cmd_prefix[''] = ""
self.iptables_cmd_prefix[''] = ""
namespaces = sonic_device_util.get_all_namespaces()
for front_asic_namespaces in namespaces['front_ns']:
self.config_db_map[front_asic_namespaces] = ConfigDBConnector(use_unix_socket_path=True, namespace=front_asic_namespaces)
self.config_db_map[front_asic_namespaces].connect()
self.iptable_cmd_prefix[front_asic_namespaces] = "ip netns exec " + front_asic_namespaces + " "
self.iptables_cmd_prefix[front_asic_namespaces] = "ip netns exec " + front_asic_namespaces + " "

def run_commands(self, commands):
"""
Expand Down Expand Up @@ -170,9 +170,9 @@ class ControlPlaneAclManager(object):
ip_addr = next(ip_ntwrk.hosts()) if iface_table_name == "VLAN_INTERFACE" else ip_ntwrk.network_address

if isinstance(ip_ntwrk, ipaddress.IPv4Network):
block_ip2me_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -A INPUT -d {}/{} -j DROP".format(ip_addr, ip_ntwrk.max_prefixlen)))
block_ip2me_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -A INPUT -d {}/{} -j DROP".format(ip_addr, ip_ntwrk.max_prefixlen)))
elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
block_ip2me_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -d {}/{} -j DROP".format(ip_addr, ip_ntwrk.max_prefixlen)))
block_ip2me_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -d {}/{} -j DROP".format(ip_addr, ip_ntwrk.max_prefixlen)))
else:
log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))

# First, add iptables commands to set default policies to accept all
# traffic. In case we are connected remotely, the connection will not
# drop when we flush the current rules
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -P INPUT ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -P FORWARD ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -P OUTPUT ACCEPT"))
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -P INPUT ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -P FORWARD ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -P OUTPUT ACCEPT")

# Add iptables command to flush the current rules
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -F"))
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -F")

# Add iptables command to delete all non-default chains
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -X"))
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -X")

# Add same set of commands for ip6tables
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -P INPUT ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -P FORWARD ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -P OUTPUT ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -F"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -X"))
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -P INPUT ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -P FORWARD ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -P OUTPUT ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -F")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -X")

# Add iptables/ip6tables commands to allow all traffic from localhost
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -A INPUT -s 127.0.0.1 -i lo -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -s ::1 -i lo -j ACCEPT"))
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -A INPUT -s 127.0.0.1 -i lo -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -s ::1 -i lo -j ACCEPT")

# Add iptables/ip6tables commands to allow all incoming packets from established
# connections or new connections which are related to established connections
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"))
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")

# Add iptables/ip6tables commands to allow bidirectional ICMPv4 ping and traceroute
# TODO: Support processing ICMPv4 service ACL rules, and remove this blanket acceptance
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT"))
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT")

# Add iptables/ip6tables commands to allow bidirectional ICMPv6 ping and traceroute
# TODO: Support processing ICMPv6 service ACL rules, and remove this blanket acceptance
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT"))
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT")

# Add iptables/ip6tables commands to allow all incoming Neighbor Discovery Protocol (NDP) NS/NA/RS/RA messages
# TODO: Support processing NDP service ACL rules, and remove this blanket acceptance
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT"))
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT")

# Add iptables/ip6tables commands to allow all incoming IPv4 DHCP packets
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT"))
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT")

# Add iptables/ip6tables commands to allow all incoming IPv6 DHCP packets
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -A INPUT -p udp --dport 546:547 --sport 546:547 -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -p udp --dport 546:547 --sport 546:547 -j ACCEPT"))
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -A INPUT -p udp --dport 546:547 --sport 546:547 -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -p udp --dport 546:547 --sport 546:547 -j ACCEPT")

# Add iptables/ip6tables commands to allow all incoming BGP traffic
# TODO: Determine BGP ACLs based on configured device sessions, and remove this blanket acceptance
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -A INPUT -p tcp --dport 179 -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -A INPUT -p tcp --sport 179 -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -p tcp --dport 179 -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -p tcp --sport 179 -j ACCEPT"))
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -A INPUT -p tcp --dport 179 -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -A INPUT -p tcp --sport 179 -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -p tcp --dport 179 -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -p tcp --sport 179 -j ACCEPT")


# Get current ACL tables and rules from Config DB
Expand Down Expand Up @@ -373,24 +373,24 @@ class ControlPlaneAclManager(object):
# Append the packet action as the jump target
rule_cmd += " -j {}".format(rule_props["PACKET_ACTION"])

iptables_cmds.append(self.iptable_cmd_prefix[namespace] + rule_cmd)
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + rule_cmd)
num_ctrl_plane_acl_rules += 1

# Add iptables commands to block ip2me traffic
iptables_cmds += self.generate_block_ip2me_traffic_iptables_commands(namespace)

# Add iptables/ip6tables commands to allow all incoming packets with TTL of 0 or 1
# This allows the device to respond to tools like tcptraceroute
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -A INPUT -m ttl --ttl-lt 2 -j ACCEPT"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -p tcp -m hl --hl-lt 2 -j ACCEPT"))
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -A INPUT -m ttl --ttl-lt 2 -j ACCEPT")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -p tcp -m hl --hl-lt 2 -j ACCEPT")

# Finally, if the device has control plane ACLs configured,
# add iptables/ip6tables commands to drop all other incoming packets
if num_ctrl_plane_acl_rules > 0:
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -A INPUT -j DROP"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("iptables -A FORWARD -j DROP"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A INPUT -j DROP"))
iptables_cmds.append(self.iptable_cmd_prefix[namespace] + ("ip6tables -A FORWARD -j DROP"))
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -A INPUT -j DROP")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -A FORWARD -j DROP")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A INPUT -j DROP")
iptables_cmds.append(self.iptables_cmd_prefix[namespace] + "ip6tables -A FORWARD -j DROP")

return iptables_cmds

Expand All @@ -414,7 +414,7 @@ class ControlPlaneAclManager(object):
sel = swsscommon.Select()
config_db_subscriber_table_map = {}
for namespace in self.config_db_map.keys():
# Program first time to setup default ip table rules
# Unconditionally update control plane ACLs once at start
self.update_control_plane_acls(namespace)
acl_db_connector = swsscommon.DBConnector("CONFIG_DB", 0, False, namespace)
subscribe_acl_table = swsscommon.SubscriberStateTable(acl_db_connector, swsscommon.CFG_ACL_TABLE_TABLE_NAME)
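Review bot: The two rewritten lines in generate_block_ip2me_traffic_iptables_commands drop the grouping parentheses around the format call but keep three closing parens, so as rendered here `block_ip2me_cmds.append(self.iptables_cmd_prefix[namespace] + "iptables -A INPUT -d {}/{} -j DROP".format(ip_addr, ip_ntwrk.max_prefixlen)))` and its ip6tables twin open two parens and close three, which would make caclmgrd fail to parse at startup and leave the control-plane ACLs unprogrammed. Both lines should end with `.format(ip_addr, ip_ntwrk.max_prefixlen))`, matching the `))` balance of every other rewritten append in this hunk. generate_block_ip2me_traffic_iptables_commands starts and ends outside the hunk, so the surrounding loop is not visible here. Separately, the `iptables -A INPUT -m ttl --ttl-lt 2 -j ACCEPT` rule is appended ahead of the final `iptables -A INPUT -j DROP` with no protocol match, whereas the ip6tables line beside it is limited to `-p tcp`; if that asymmetry is intentional (UDP traceroute also relies on it), a short comment saying so would help, because it means any directly attached neighbour can reach every IPv4 control-plane service by sending with TTL 1 regardless of the configured ACL rules.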