[caclmgrd] Add a rule to allow all connections from localhost #1858

Merged (3 commits), Jul 13, 2018
Changes from 1 commit
3 changes: 3 additions & 0 deletions files/image_config/caclmgrd/caclmgrd
@@ -147,6 +147,9 @@ class ControlPlaneAclManager(object):
iptables_cmds.append("ip6tables -F")
iptables_cmds.append("ip6tables -X")

# Add iptables command to allow all traffic from localhost
iptables_cmds.append("iptables -A INPUT -s 127.0.0.1 -j ACCEPT")
Contributor

What if someone sends you a packet with 127.0.0.1 dst address?
I'd better use something like this:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

Contributor Author

@jleveque jleveque Jul 12, 2018

Done. Agree that an interface-based approach is more secure than an IP-based approach here.

Collaborator

@qiluo-msft qiluo-msft Jul 12, 2018

We have assigned 2 IPv4 addresses to lo:

  1. 127.0.0.1
  2. loopback address

I thought this method would allow more than we expected.

Contributor Author

Good point. Changed: Now accepting all incoming traffic on lo iff it has the localhost source IP.
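The three rule shapes the thread compares, as an added example that is not part of this PR or of caclmgrd: a small Python parser for the `iptables -A INPUT` command strings the daemon builds, evaluated against constructed packets (the second lo address `10.1.0.32` is an assumption standing in for the thread's "loopback address"). It models only the `-i` and `-s` matches, not the kernel's own handling of loopback-sourced packets on other interfaces.

```python
import ipaddress
import shlex
from collections import namedtuple

Packet = namedtuple("Packet", "iface src")  # arrival interface (-i), source (-s)


def parse_rule(cmd):
    """Parse 'iptables -A INPUT ... -j <target>' into match criteria (-i, -s only)."""
    tokens = shlex.split(cmd)
    if tokens[:3] != ["iptables", "-A", "INPUT"]:
        raise ValueError("only INPUT-chain append rules are modelled")
    crit, it = {}, iter(tokens[3:])
    for tok in it:
        if tok == "-i":
            crit["iface"] = next(it)
        elif tok == "-s":
            # iptables treats a bare address as /32; strict=False keeps host bits
            crit["src"] = ipaddress.ip_network(next(it), strict=False)
        elif tok == "-j":
            crit["target"] = next(it)
        else:
            raise ValueError(f"unsupported option {tok}")
    return crit


def accepted_by(cmd, pkt):
    """True if every match in the rule applies to pkt and the target is ACCEPT."""
    crit = parse_rule(cmd)
    if crit.get("target") != "ACCEPT":
        return False
    if "iface" in crit and crit["iface"] != pkt.iface:
        return False
    if "src" in crit and ipaddress.ip_address(pkt.src) not in crit["src"]:
        return False
    return True


# Constructed packets: genuine local traffic, a packet on eth0 claiming 127.0.0.1,
# and traffic from a second address assigned to lo (address is an assumption).
PACKETS = {
    "local": Packet("lo", "127.0.0.1"),
    "spoofed": Packet("eth0", "127.0.0.1"),
    "loopback_addr": Packet("lo", "10.1.0.32"),
}
RULE_SRC_ONLY = "iptables -A INPUT -s 127.0.0.1 -j ACCEPT"  # first commit
RULE_IFACE_ONLY = "iptables -A INPUT -i lo -j ACCEPT"  # reviewer's suggestion
RULE_BOTH = "iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT"  # final form


def evaluate(cmd):
    """Map each constructed packet name to whether the rule accepts it."""
    return {name: accepted_by(cmd, pkt) for name, pkt in PACKETS.items()}
```

Only `RULE_BOTH` accepts the genuine local packet while rejecting both the spoofed one and the second-address one.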


# Get current ACL tables and rules from Config DB
self._tables_db_info = self.config_db.get_table(self.ACL_TABLE)
self._rules_db_info = self.config_db.get_table(self.ACL_RULE)
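Review bot: the added rule `iptables -A INPUT -s 127.0.0.1 -j ACCEPT` matches on source address alone, so a packet that arrives on any interface carrying a 127.0.0.1 source would be accepted, while the suggested `-i lo` on its own would accept traffic from every address assigned to lo, including the second loopback address raised in the thread; constrain both, e.g. `iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT`, which is where the discussion lands. Separately, this block flushes `ip6tables` (`ip6tables -F`, `ip6tables -X`) but adds only an IPv4 accept rule, so either state in the commit message that IPv6 loopback traffic is intentionally left to the later ACL rules or add the matching `ip6tables` rule here.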