
[caclmgrd] Translation of ACL Control Plane rules into iptables comman… #1737

Closed

Conversation

@denis-maslov commented May 23, 2018

- What I did

The problem: ACL control plane rules were not being translated into iptables rules.
The config_db.json fragment with the ACL configuration:

```json
"ACL_TABLE": {
    "TEST_ACL_TABLE": {
        "policy_desc": "Forward/Drop/Redirect Traffic",
        "type": "CTRLPLANE",
        "services": [
            "SNMP"
        ],
        "ports": [
            "Ethernet101",
            "Ethernet102",
            "Ethernet103",
            "Ethernet104"
        ]
    }
},
"ACL_RULE": {
    "TEST_ACL_TABLE|DROP_ON_ETH101": {
        "PRIORITY": "1011",
        "SRC_IP": "10.1.1.2/32",
        "DST_IP": "10.2.2.2/32",
        "ETHER_TYPE": "0x0800",
        "TCP_FLAGS": "0x30/0xFF",
        "IP_TYPE": "IP",
        "PACKET_ACTION": "DROP"
    }
},
```

- How I did it

The causes:

  1. There was no check that the IP protocol is "tcp" before adding the --tcp-flags argument to the iptables command.
  2. Both the mask and the flags fields have to be set with the --tcp-flags argument, but the mask field was not being parsed from the configuration DB.

- How to verify it

  1. Add the fragment above to config_db.json and apply the new configuration.
  2. Check that the ACL rules are created:

```
admin@sonic:~$ acl-loader show rule
Rule ID         Rule Name       Priority    Action    Match
--------------  --------------  ----------  --------  --------------------
TEST_ACL_TABLE  DROP_ON_ETH101  1011        DROP      DST_IP: 10.2.2.2/32
                                                      ETHER_TYPE: 0x0800
                                                      IP_TYPE: IP
                                                      SRC_IP: 10.1.1.2/32
                                                      TCP_FLAGS: 0x30/0xFF
admin@sonic:~$ acl-loader show table
Name            Type       Binding    Description
--------------  ---------  ---------  -----------------------------
TEST_ACL_TABLE  CTRLPLANE  SNMP       Forward/Drop/Redirect Traffic
```

  3. Check that the ACL rules are translated into iptables:

```
admin@sonic:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  10.1.1.2             anywhere             tcp dpt:snmp flags:FIN,SYN,RST,PSH,ACK,URG/ACK,URG
DROP       udp  --  10.1.1.2             anywhere             udp dpt:snmp

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

- Description for the changelog

Translation of ACL Control Plane rules into iptables commands fixed

- A picture of a cute animal (not mandatory but encouraged)

  __________
 / ___  ___ \
/ / @ \/ @ \ \
\ \___/\___/ /\
 \____\/____/||
 /     /\\\\\//
|     |\\\\\\
 \      \\\\\\
   \______/\\\\
    _||_||_

Commit message: [caclmgrd] Translation of ACL Control Plane rules into iptables commands fixed

Signed-off-by: Denis Maslov <Denis.Maslov@cavium.com>
@msftclas commented May 23, 2018

CLA assistant check: All CLA requirements met.
@denis-maslov denis-maslov changed the title [caclmgrd] Translation of ACL Control Plane rules into tcpdump comman… [caclmgrd] Translation of ACL Control Plane rules into iptables comman… May 23, 2018
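The two causes listed in the PR (no TCP check before `--tcp-flags`, and the mask half of `TCP_FLAGS` never parsed) are easiest to see in a small translator. The block below is an added example written for this page; it is not caclmgrd's code. It takes the config_db.json fragment above and produces iptables argv lists the way the PR's `iptables -L` output implies: one rule per protocol/port of each service, `--tcp-flags` only on the TCP rule, and the `0x30/0xFF` spec split into `--tcp-flags <mask> <comp>` (iptables prints that as `flags:<mask>/<comp>`). The `SERVICES` map, the function names, the decision to emit argv lists rather than a shell string, and the `translate()` ordering by PRIORITY are assumptions for the example. DST_IP is deliberately not translated, matching the `destination anywhere` in the page's output.

```python
"""Added example (not SONiC's caclmgrd): CTRLPLANE ACL_TABLE/ACL_RULE -> iptables argv.

Demonstrates the two checks from the PR:
  1. emit --tcp-flags only when the protocol is tcp;
  2. parse TCP_FLAGS "flags/mask" into both halves, because iptables wants
     `--tcp-flags <mask> <comp>`.
"""
import ipaddress

# Assumed mapping of ACL_TABLE "services" to (proto, port); SNMP is the one the page uses.
SERVICES = {
    "SNMP": [("tcp", 161), ("udp", 161)],
    "SSH": [("tcp", 22)],
}

# The only TCP flag bits iptables can name (SYN ACK FIN RST URG PSH). ECE/CWR are not
# expressible, so a mask of 0xFF collapses to these six, which is exactly what the
# page's `iptables -L` output shows: flags:FIN,SYN,RST,PSH,ACK,URG/ACK,URG.
TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))
NAMEABLE = 0x3F


def flag_names(bits):
    """Render a flag bitmask as the comma list iptables accepts ('NONE' for zero)."""
    names = [name for bit, name in TCP_FLAG_BITS if bits & bit]
    return ",".join(names) if names else "NONE"


def parse_tcp_flags(spec):
    """'0x30/0xFF' -> (comp, mask). A bare value (no '/') means mask == flags."""
    if "/" in spec:
        comp_s, mask_s = spec.split("/", 1)
        comp, mask = int(comp_s, 0), int(mask_s, 0)
    else:
        comp = mask = int(spec, 0)
    mask &= NAMEABLE
    comp &= mask          # comp bits outside the mask can never match; drop them
    return comp, mask


def rule_to_argv(table, rule):
    """One ACL_RULE -> list of argv lists (one per proto/port of each bound service)."""
    if table.get("type") != "CTRLPLANE":
        raise ValueError("only CTRLPLANE tables map to iptables")
    action = rule["PACKET_ACTION"].upper()
    if action not in ("ACCEPT", "DROP"):
        raise ValueError("unsupported PACKET_ACTION %r" % action)
    # config_db is untrusted input to a privileged command: parse the address rather
    # than pasting the string, and hand iptables an argv list, never a shell string.
    src = ipaddress.ip_network(rule["SRC_IP"], strict=False) if "SRC_IP" in rule else None
    tool = "ip6tables" if (src is not None and src.version == 6) else "iptables"
    # DST_IP is not translated: the page's iptables -L output shows destination
    # "anywhere" for this rule (control-plane traffic already targets the switch).
    cmds = []
    for svc in table.get("services", []):
        for proto, port in SERVICES[svc]:
            argv = [tool, "-A", "INPUT", "-p", proto]
            if src is not None:
                argv += ["-s", str(src)]
            argv += ["--dport", str(port)]
            if proto == "tcp" and rule.get("TCP_FLAGS"):        # cause 1: TCP only
                comp, mask = parse_tcp_flags(rule["TCP_FLAGS"])  # cause 2: both halves
                if mask:
                    argv += ["--tcp-flags", flag_names(mask), flag_names(comp)]
            argv += ["-j", action]
            cmds.append(argv)
    return cmds


def translate(config_db):
    """Walk ACL_RULE keys 'TABLE|RULE', highest PRIORITY first (iptables is first-match)."""
    tables = config_db.get("ACL_TABLE", {})
    rules = config_db.get("ACL_RULE", {})
    ordered = sorted(rules.items(),
                     key=lambda kv: int(kv[1].get("PRIORITY", 0)), reverse=True)
    out = []
    for key, rule in ordered:
        tname, _, _rname = key.partition("|")
        table = tables.get(tname)
        if table and table.get("type") == "CTRLPLANE":
            out.extend(rule_to_argv(table, rule))
    return out


# Constructed input: the config_db.json fragment from the PR description.
SAMPLE = {
    "ACL_TABLE": {"TEST_ACL_TABLE": {"type": "CTRLPLANE", "services": ["SNMP"],
                                     "ports": ["Ethernet101"]}},
    "ACL_RULE": {"TEST_ACL_TABLE|DROP_ON_ETH101": {
        "PRIORITY": "1011", "SRC_IP": "10.1.1.2/32", "DST_IP": "10.2.2.2/32",
        "ETHER_TYPE": "0x0800", "TCP_FLAGS": "0x30/0xFF", "IP_TYPE": "IP",
        "PACKET_ACTION": "DROP"}},
}

if __name__ == "__main__":
    for argv in translate(SAMPLE):
        print(" ".join(argv))
```

Running it prints `iptables -A INPUT -p tcp -s 10.1.1.2/32 --dport 161 --tcp-flags FIN,SYN,RST,PSH,ACK,URG ACK,URG -j DROP` followed by the UDP rule without any `--tcp-flags`, which is the pair of INPUT entries in the PR's verification output. When checking a box, `sudo iptables -S INPUT` shows the rules in this argument form, which is easier to compare against config_db than the `-L` listing.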