Skip to content

Commit

Permalink
[caclmgrd] Filter DHCP packets based on dest port only (sonic-net#4995)
Browse files Browse the repository at this point in the history
  • Loading branch information
jleveque authored Jul 17, 2020
1 parent 458b4ae commit d692549
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions files/image_config/caclmgrd/caclmgrd
Original file line number Diff line number Diff line change
Expand Up @@ -245,12 +245,12 @@ class ControlPlaneAclManager(object):
iptables_cmds.append("ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT")

# Add iptables/ip6tables commands to allow all incoming IPv4 DHCP packets
iptables_cmds.append("iptables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT")
iptables_cmds.append("ip6tables -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT")
iptables_cmds.append("iptables -A INPUT -p udp --dport 67:68 -j ACCEPT")
iptables_cmds.append("ip6tables -A INPUT -p udp --dport 67:68 -j ACCEPT")

# Add iptables/ip6tables commands to allow all incoming IPv6 DHCP packets
iptables_cmds.append("iptables -A INPUT -p udp --dport 546:547 --sport 546:547 -j ACCEPT")
iptables_cmds.append("ip6tables -A INPUT -p udp --dport 546:547 --sport 546:547 -j ACCEPT")
iptables_cmds.append("iptables -A INPUT -p udp --dport 546:547 -j ACCEPT")
iptables_cmds.append("ip6tables -A INPUT -p udp --dport 546:547 -j ACCEPT")

# Add iptables/ip6tables commands to allow all incoming BGP traffic
# TODO: Determine BGP ACLs based on configured device sessions, and remove this blanket acceptance
Expand Down

0 comments on commit d692549

Please sign in to comment.