
[caclmgrd] Add a rule to allow all connections from localhost #1858

Merged
merged 3 commits into from
Jul 13, 2018

Conversation

jleveque
Contributor

No description provided.

@jleveque jleveque self-assigned this Jul 12, 2018
@jleveque jleveque requested review from lguohan and qiluo-msft July 12, 2018 22:07
@@ -147,6 +147,9 @@ class ControlPlaneAclManager(object):
iptables_cmds.append("ip6tables -F")
iptables_cmds.append("ip6tables -X")

# Add iptables command to allow all traffic from localhost
iptables_cmds.append("iptables -A INPUT -s 127.0.0.1 -j ACCEPT")
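Review bot: the new INPUT rule at the end of this hunk matches on source address only (`iptables -A INPUT -s 127.0.0.1 -j ACCEPT`), so any packet carrying a forged 127.0.0.1 source that reaches the INPUT chain from a front-panel port would be accepted as if it were local; restrict the match to the loopback interface as well, e.g. `iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT`, so the rule expresses "came from the local stack" rather than "claims a local address". Separately, the hunk flushes ip6tables (`ip6tables -F`, `ip6tables -X`) but adds the allow rule to iptables only; unless an equivalent `ip6tables -A INPUT -i lo -s ::1 -j ACCEPT` is added, control-plane traffic over the IPv6 loopback is not covered by this exemption.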
Contributor

What if someone sends you a packet with 127.0.0.1 dst address?
I'd better use something like this:

```
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
```

jleveque (Contributor, Author), Jul 12, 2018

Done. Agree that an interface-based approach is more secure than an IP-based approach here.

qiluo-msft (Collaborator), Jul 12, 2018

We have assigned 2 IPv4 addresses to lo:

  1. 127.0.0.1
  2. loopback address

I thought this method would allow more than we expected.

jleveque (Contributor, Author)

Good point. Changed: Now accepting all incoming traffic on lo iff it has the localhost source IP.

@jleveque jleveque merged commit 2ccfefc into sonic-net:master Jul 13, 2018
@jleveque jleveque deleted the caclmgrd_allow_localhost branch July 13, 2018 17:27
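The three rule variants discussed in the thread (source address only, loopback interface only, interface plus source address) differ in exactly which packets they admit. The model below is an added example, not code from this PR or from SONiC's caclmgrd: it reproduces the `-i` and `-s` matching of an iptables INPUT rule on a handful of constructed packets so the difference is visible. The interface name `Ethernet0`, the second loopback address `10.1.0.32` and the peer address `10.0.0.1` are made-up values, not taken from the PR.

```python
# Added example (not the PR's or caclmgrd's code): model the iptables matches
# discussed above and show which packets each rule variant would ACCEPT.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str  # interface the packet arrived on (what iptables -i tests)
    src: str       # source address (what iptables -s tests)
    dst: str       # destination address, kept for the reviewer's "127.0.0.1 dst" case


@dataclass(frozen=True)
class Rule:
    """An 'INPUT ... -j ACCEPT' rule; a None field means that match is omitted."""
    in_iface: Optional[str] = None
    src: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src, strict=False):
            return False
        return True


# The three variants from the discussion.
RULE_SRC_ONLY = Rule(src="127.0.0.1")                        # first version of the PR
RULE_IFACE_ONLY = Rule(in_iface="lo")                         # reviewer's suggestion
RULE_IFACE_AND_SRC = Rule(in_iface="lo", src="127.0.0.1")     # what was merged

# Constructed packets. "Ethernet0", "10.1.0.32" (a second address on lo) and
# "10.0.0.1" are assumptions for illustration only.
LOCALHOST = Packet("lo", "127.0.0.1", "127.0.0.1")            # genuine local traffic
SPOOFED_SRC = Packet("Ethernet0", "127.0.0.1", "10.0.0.1")    # forged 127.0.0.1 source on a front-panel port
LOOPBACK_IP = Packet("lo", "10.1.0.32", "10.1.0.32")          # host talking to its own Loopback address
LOCALHOST_DST = Packet("Ethernet0", "10.0.0.1", "127.0.0.1")  # the reviewer's "127.0.0.1 dst" question
PACKETS = [LOCALHOST, SPOOFED_SRC, LOOPBACK_IP, LOCALHOST_DST]


def accepted_by(rule: Rule, packets: List[Packet] = PACKETS) -> List[Packet]:
    """Return the packets the rule would ACCEPT, in input order."""
    return [p for p in packets if rule.matches(p)]


if __name__ == "__main__":
    for name, rule in (("src only", RULE_SRC_ONLY),
                       ("iface only", RULE_IFACE_ONLY),
                       ("iface+src", RULE_IFACE_AND_SRC)):
        hits = [f"{p.in_iface} {p.src}->{p.dst}" for p in accepted_by(rule)]
        print(f"{name:10}: {hits}")
```

Running it shows the source-only rule also admitting the forged-source packet from `Ethernet0`, the interface-only rule also admitting traffic to the second address on `lo` (the case qiluo-msft raised), and the merged rule admitting only the genuine 127.0.0.1 packet. A packet addressed to 127.0.0.1 but arriving on a front-panel port matches none of the three, since none of them test the destination. In practice the Linux kernel also drops packets with a 127.0.0.0/8 source arriving on a non-loopback interface as martians unless `route_localnet` is enabled, so the interface match is defence in depth rather than the only barrier.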