forked from sonic-net/sonic-buildimage
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request sonic-net#9 from ZhaohuiS/feature/caclmgrd_externa…
…l_client Support Restapi/gnmi control plane acls For the Restapi/gnmi use-cases, Sonic has to support a new Table: EXTERNAL_CLIENT of type CTRLPLANE, stage ingress This shall match on 'src ip prefix' and dst port '8080'. Caclmgrd must parse this from acl.json and install as in the below example: iptables -A INPUT -s 20.20.20.20/27 -p tcp --dport 8080 -j ACCEPT or ip6tables if the 'src ip prefix' is IPv6. Signed-off-by: Zhaohui Sun zhaohuisun@microsoft.com
- Loading branch information
Showing
3 changed files
with
230 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
import os | ||
import sys | ||
|
||
from swsscommon import swsscommon | ||
from parameterized import parameterized | ||
from sonic_py_common.general import load_module_from_source | ||
from unittest import TestCase, mock | ||
from pyfakefs.fake_filesystem_unittest import patchfs | ||
|
||
from .test_external_client_acl_vectors import EXTERNAL_CLIENT_ACL_TEST_VECTOR | ||
from tests.common.mock_configdb import MockConfigDb | ||
|
||
|
||
DBCONFIG_PATH = '/var/run/redis/sonic-db/database_config.json' | ||
|
||
|
||
class TestCaclmgrdExternalClientAcl(TestCase): | ||
""" | ||
Test caclmgrd EXTERNAL_CLIENT_ACL | ||
""" | ||
def setUp(self): | ||
swsscommon.ConfigDBConnector = MockConfigDb | ||
test_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) | ||
modules_path = os.path.dirname(test_path) | ||
scripts_path = os.path.join(modules_path, "scripts") | ||
sys.path.insert(0, modules_path) | ||
caclmgrd_path = os.path.join(scripts_path, 'caclmgrd') | ||
self.caclmgrd = load_module_from_source('caclmgrd', caclmgrd_path) | ||
|
||
@parameterized.expand(EXTERNAL_CLIENT_ACL_TEST_VECTOR) | ||
@patchfs | ||
def test_caclmgrd_external_client_acl(self, test_name, test_data, fs): | ||
if not os.path.exists(DBCONFIG_PATH): | ||
fs.create_file(DBCONFIG_PATH) # fake database_config.json | ||
|
||
MockConfigDb.set_config_db(test_data["config_db"]) | ||
self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ip = mock.MagicMock() | ||
self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock() | ||
self.caclmgrd.ControlPlaneAclManager.generate_block_ip2me_traffic_iptables_commands = mock.MagicMock(return_value=[]) | ||
self.caclmgrd.ControlPlaneAclManager.get_chain_list = mock.MagicMock(return_value=["INPUT", "FORWARD", "OUTPUT"]) | ||
caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd") | ||
|
||
iptables_rules_ret, _ = caclmgrd_daemon.get_acl_rules_and_translate_to_iptables_commands('') | ||
self.assertEqual(set(test_data["return"]).issubset(set(iptables_rules_ret)), True) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,167 @@ | ||
from unittest.mock import call | ||
|
||
""" | ||
caclmgrd test external_client_acl vector | ||
""" | ||
EXTERNAL_CLIENT_ACL_TEST_VECTOR = [ | ||
[ | ||
"Test single IPv4 dst port + src ip for EXTERNAL_CLIENT_ACL", | ||
{ | ||
"config_db": { | ||
"ACL_TABLE": { | ||
"EXTERNAL_CLIENT_ACL": { | ||
"stage": "INGRESS", | ||
"type": "CTRLPLANE", | ||
"services": [ | ||
"EXTERNAL_CLIENT" | ||
] | ||
} | ||
}, | ||
"ACL_RULE": { | ||
"EXTERNAL_CLIENT_ACL|DEFAULT_RULE": { | ||
"ETHER_TYPE": "2048", | ||
"PACKET_ACTION": "DROP", | ||
"PRIORITY": "1" | ||
}, | ||
"EXTERNAL_CLIENT_ACL|RULE_1": { | ||
"L4_DST_PORT": "8081", | ||
"PACKET_ACTION": "ACCEPT", | ||
"PRIORITY": "9998", | ||
"SRC_IP": "20.0.0.55/32" | ||
}, | ||
}, | ||
"DEVICE_METADATA": { | ||
"localhost": { | ||
} | ||
}, | ||
"FEATURE": {}, | ||
}, | ||
"return": [ | ||
"iptables -A INPUT -p tcp -s 20.0.0.55/32 --dport 8081 -j ACCEPT", | ||
"iptables -A INPUT -p tcp --dport 8081 -j DROP" | ||
], | ||
} | ||
], | ||
[ | ||
"Test IPv4 dst port range + src ip forEXTERNAL_CLIENT_ACL", | ||
{ | ||
"config_db": { | ||
"ACL_TABLE": { | ||
"EXTERNAL_CLIENT_ACL": { | ||
"stage": "INGRESS", | ||
"type": "CTRLPLANE", | ||
"services": [ | ||
"EXTERNAL_CLIENT" | ||
] | ||
} | ||
}, | ||
"ACL_RULE": { | ||
"EXTERNAL_CLIENT_ACL|DEFAULT_RULE": { | ||
"ETHER_TYPE": "2048", | ||
"PACKET_ACTION": "DROP", | ||
"PRIORITY": "1" | ||
}, | ||
"EXTERNAL_CLIENT_ACL|RULE_1": { | ||
"L4_DST_PORT_RANGE": "8081-8083", | ||
"PACKET_ACTION": "ACCEPT", | ||
"PRIORITY": "9998", | ||
"SRC_IP": "20.0.0.55/32" | ||
}, | ||
}, | ||
"DEVICE_METADATA": { | ||
"localhost": { | ||
} | ||
}, | ||
"FEATURE": {}, | ||
}, | ||
"return": [ | ||
"iptables -A INPUT -p tcp -s 20.0.0.55/32 --dport 8081 -j ACCEPT", | ||
"iptables -A INPUT -p tcp -s 20.0.0.55/32 --dport 8082 -j ACCEPT", | ||
"iptables -A INPUT -p tcp -s 20.0.0.55/32 --dport 8083 -j ACCEPT", | ||
"iptables -A INPUT -p tcp --dport 8081 -j DROP", | ||
"iptables -A INPUT -p tcp --dport 8082 -j DROP", | ||
"iptables -A INPUT -p tcp --dport 8083 -j DROP", | ||
], | ||
} | ||
], | ||
[ | ||
"Test IPv6 single dst port range + src ip forEXTERNAL_CLIENT_ACL", | ||
{ | ||
"config_db": { | ||
"ACL_TABLE": { | ||
"EXTERNAL_CLIENT_ACL": { | ||
"stage": "INGRESS", | ||
"type": "CTRLPLANE", | ||
"services": [ | ||
"EXTERNAL_CLIENT" | ||
] | ||
} | ||
}, | ||
"ACL_RULE": { | ||
"EXTERNAL_CLIENT_ACL|DEFAULT_RULE": { | ||
"ETHER_TYPE": "2048", | ||
"PACKET_ACTION": "DROP", | ||
"PRIORITY": "1" | ||
}, | ||
"EXTERNAL_CLIENT_ACL|RULE_1": { | ||
"L4_DST_PORT": "8081", | ||
"PACKET_ACTION": "ACCEPT", | ||
"PRIORITY": "9998", | ||
"SRC_IP": "2001::2/128" | ||
}, | ||
}, | ||
"DEVICE_METADATA": { | ||
"localhost": { | ||
} | ||
}, | ||
"FEATURE": {}, | ||
}, | ||
"return": [ | ||
"iptables -A INPUT -p tcp -s 2001::2/128 --dport 8081 -j ACCEPT", | ||
"iptables -A INPUT -p tcp --dport 8081 -j DROP" | ||
], | ||
} | ||
], | ||
[ | ||
"Test IPv6 dst port range + src ip forEXTERNAL_CLIENT_ACL", | ||
{ | ||
"config_db": { | ||
"ACL_TABLE": { | ||
"EXTERNAL_CLIENT_ACL": { | ||
"stage": "INGRESS", | ||
"type": "CTRLPLANE", | ||
"services": [ | ||
"EXTERNAL_CLIENT" | ||
] | ||
} | ||
}, | ||
"ACL_RULE": { | ||
"EXTERNAL_CLIENT_ACL|DEFAULT_RULE": { | ||
"ETHER_TYPE": "2048", | ||
"PACKET_ACTION": "DROP", | ||
"PRIORITY": "1" | ||
}, | ||
"EXTERNAL_CLIENT_ACL|RULE_1": { | ||
"L4_DST_PORT_RANGE": "8081-8083", | ||
"PACKET_ACTION": "ACCEPT", | ||
"PRIORITY": "9998", | ||
"SRC_IP": "2001::2/128" | ||
}, | ||
}, | ||
"DEVICE_METADATA": { | ||
"localhost": { | ||
} | ||
}, | ||
"FEATURE": {}, | ||
}, | ||
"return": [ | ||
"iptables -A INPUT -p tcp -s 2001::2/128 --dport 8081 -j ACCEPT", | ||
"iptables -A INPUT -p tcp -s 2001::2/128 --dport 8082 -j ACCEPT", | ||
"iptables -A INPUT -p tcp -s 2001::2/128 --dport 8083 -j ACCEPT", | ||
"iptables -A INPUT -p tcp --dport 8081 -j DROP", | ||
"iptables -A INPUT -p tcp --dport 8082 -j DROP", | ||
"iptables -A INPUT -p tcp --dport 8083 -j DROP", | ||
], | ||
} | ||
] | ||
] |