Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

caclmgrd interface rules patch 1 #197

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

caclmgrd interface rules patch 1 #197

wants to merge 2 commits into from

Conversation

gupurush
Copy link

@gupurush gupurush commented Dec 27, 2024
edited
Loading

Added management port exclusion (!, -i, eth0) for data plane protocols in iptable rules. Data plane protocols like BGP, BFD, and VXLAN are restricted to data interfaces only, while management protocols (NTP, SNMP, SSH) retain management port access. This enforces proper traffic segregation between management and data plane.

What is the motivation for this PR?
To enhance security by properly segregating management and data plane traffic through iptable rules in caclmgrd.

How did you do it?
Added exclude_mgmt_port rule (!, -i, eth0)
Applied exclusion to data plane protocols (BGP, BFD, VXLAN)
Preserved management port access for management services (NTP, SNMP, SSH)
Implemented conditional exclusion for other ACL rules based on service type

@mssonicbld
Copy link

/azp run

@linux-foundation-easycla Linux Foundation: EasyCLA
Copy link

linux-foundation-easycla bot commented Dec 27, 2024
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@gupurush gupurush force-pushed the caclmgrd-interface-rules-patch-1 branch from 91e84f7 to 38f32c7 Compare December 27, 2024 03:32
@mssonicbld
Copy link

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@gupurush gupurush force-pushed the caclmgrd-interface-rules-patch-1 branch from 38f32c7 to d131a47 Compare January 2, 2025 20:49
@mssonicbld
Copy link

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@gupurush gupurush marked this pull request as ready for review January 7, 2025 20:08
@bingwang-ms
Copy link

@ZhaohuiS Could you help review?

ZhaohuiS
ZhaohuiS reviewed Feb 5, 2025
View reviewed changes
scripts/caclmgrd
if (dst_port not in self.ACL_SERVICES["NTP"]["dst_ports"] and
dst_port not in self.ACL_SERVICES["SNMP"]["dst_ports"] and
dst_port not in self.ACL_SERVICES["SSH"]["dst_ports"]):
rule_cmd = self.exclude_mgmt_port(rule_cmd)
Copy link
Contributor

@ZhaohuiS ZhaohuiS Feb 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For EXTERNAL_CLIENT, there is no DST_PORT setting for it, with your change, does it mean it will block restapi or gnmi traffic from eth0?

@qiluo-msft @prsunny could you please review this change? It will prohibit traffic from eth0 except NTP,SNMP and SSH.

        "EXTERNAL_CLIENT": {
            "ip_protocols": ["tcp"],
            "multi_asic_ns_to_host_fwd":True
        },

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ZhaohuiS ZhaohuiS ZhaohuiS left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@ZhaohuiS ZhaohuiS

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@gupurush @mssonicbld @bingwang-ms @ZhaohuiS