[caclmgrd] Heuristically determine whether ACL is IPv4 or IPv6, use iptables/ip6tables accordingly #1767

Merged
merged 2 commits into from
Jun 5, 2018

@jleveque jleveque commented Jun 5, 2018

No description provided.

@jleveque jleveque self-assigned this Jun 5, 2018
@jleveque jleveque requested a review from lguohan June 5, 2018 01:58
# do it now. We determine heuristically based on whether the
# src IP is a v4 or v6 address.
if not table_ip_version:
if "SRC_IP" in rule_props and rule_props["SRC_IP"]:
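Review bot: the `if "SRC_IP" in rule_props and rule_props["SRC_IP"]:` check has no visible fallback for a rule that carries no SRC_IP, so in the lines shown `table_ip_version` stays unset for that rule. State in the comment above (or in an explicit else branch) which of iptables/ip6tables is used when no rule in the table has a SRC_IP, and log that case so a table applied under the wrong tool is noticed. The condition itself can be shortened to `if rule_props.get("SRC_IP"):`.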

if SRC_IP is not specified, does the ACL need to be applied to both iptables AND ip6tables?

@jleveque jleveque Jun 5, 2018

No. We assume that with regard to service ACLs, IPv4 and IPv6 ACLs will be stored in separate tables. If a rule needs to be applied to both IPv4 and IPv6, it needs to be specified twice, once in a v4 table and once in a v6 table.

However, I realize that this implementation also assumes that the first rule in the table will always have a SRC_IP defined. If not, then the table will be assumed to be v4, whether or not subsequent rules have v6 SRC_IPs. This may not always be true. #Fixed in commit 250155c
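The heuristic discussed in this thread, as an added example that is not the PR's own code: it contrasts deciding from the first rule only with scanning for the first rule that has a SRC_IP. The function names, the sample table, the default of 4 when no rule has a SRC_IP, and the report of rules from the other address family are assumptions of this example and go beyond what the thread describes.

```python
import ipaddress

def rule_ip_version(rule_props):
    """Return 4 or 6 for a rule's SRC_IP, or None if it is missing or unparseable."""
    src_ip = rule_props.get("SRC_IP")
    if not src_ip:
        return None
    try:
        # strict=False accepts prefixes with host bits set, e.g. "10.0.0.1/24"
        return ipaddress.ip_network(src_ip, strict=False).version
    except ValueError:
        return None

def version_from_first_rule(rules):
    """Behaviour described before the fix: only the first rule is consulted."""
    first = next(iter(rules.values()), {})
    return rule_ip_version(first) or 4

def version_from_scan(rules, default=4):
    """Take the version from the first rule that has a SRC_IP.

    Keeps scanning afterwards to list rules whose SRC_IP belongs to the
    other family (assumption of this example: such a table is misconfigured).
    """
    version = None
    mismatched = []
    for name, props in rules.items():
        rule_version = rule_ip_version(props)
        if rule_version is None:
            continue
        if version is None:
            version = rule_version
        elif rule_version != version:
            mismatched.append(name)
    return (version or default), mismatched

def tool_for(version):
    """Map the detected version to the command used to install the rules."""
    return "ip6tables" if version == 6 else "iptables"

# Constructed sample table: the first rule has no SRC_IP, the last is v4.
SSH_V6_RULES = {
    "RULE_1": {"PRIORITY": "9999", "PACKET_ACTION": "ACCEPT", "L4_DST_PORT": "22"},
    "RULE_2": {"PRIORITY": "9998", "PACKET_ACTION": "ACCEPT", "SRC_IP": "2001:db8::/32"},
    "RULE_3": {"PRIORITY": "9997", "PACKET_ACTION": "DROP", "SRC_IP": "192.0.2.0/24"},
}

if __name__ == "__main__":
    print("first rule only:", tool_for(version_from_first_rule(SSH_V6_RULES)))
    print("scan:", version_from_scan(SSH_V6_RULES))
```

On the sample table the first-rule heuristic picks iptables for a table whose first SRC_IP is IPv6, so the v6 allow rule would not take effect as intended; the scan picks ip6tables and reports the stray v4 rule.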

@lguohan lguohan merged commit 711be8f into sonic-net:master Jun 5, 2018
lguohan pushed a commit that referenced this pull request Jun 5, 2018
…ptables/ip6tables accordingly (#1767)

* [caclmgrd] Heuristically determine whether ACL is IPv4 or IPv6, use iptables/ip6tables accordingly

* Check all rules in table until we find one with a SRC_IP
@jleveque jleveque deleted the cacl_v6 branch June 5, 2018 16:33
theasianpianist pushed a commit to theasianpianist/sonic-buildimage that referenced this pull request Feb 5, 2022
…t cleanup fix (sonic-net#1767)

* Clean up: Remove rif in test_portchannel.py

Signed-off-by: Wenda Ni <wonda.ni@gmail.com>