[caclmgrd] Add a rule to allow all connections from localhost #1858
files/image_config/caclmgrd/caclmgrd
@@ -147,6 +147,9 @@ class ControlPlaneAclManager(object): | |||
iptables_cmds.append("ip6tables -F") | |||
iptables_cmds.append("ip6tables -X") | |||
|
|||
# Add iptables command to allow all traffic from localhost | |||
iptables_cmds.append("iptables -A INPUT -s 127.0.0.1 -j ACCEPT") |
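Review bot: the new ACCEPT rule keys only on the source address (`-s 127.0.0.1`), so it does not bind "localhost traffic" to the loopback device; a packet carrying a 127.0.0.1 source that reaches the INPUT chain from any other interface would match as well. Matching on the interface too (`-i lo`) makes the intent explicit and independent of kernel martian handling. The hunk also flushes `ip6tables` a few lines above but adds only an IPv4 rule, so the IPv6 loopback (`::1`) gets no equivalent allow rule.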
What if someone sends you a packet with 127.0.0.1 dst address?
I'd better use something like this:

```
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
```
Done. Agree that an interface-based approach is more secure than an IP-based approach here.
We have assigned 2 IPv4 addresses to lo:
- 127.0.0.1
- loopback address
I thought this method would allow more than we expected.
Good point. Changed: Now accepting all incoming traffic on lo iff it has the localhost source IP.
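The thread walks through three versions of the allow rule: source-address only (the first commit), interface only (the first review suggestion), and interface plus source address (the final form). The following is an added example, not code from caclmgrd or this PR: it models each variant as a tiny match function, runs a few constructed packets through them, and renders the final variant back into the `iptables`/`ip6tables` command strings the daemon would append. The `Rule` class, the packet set and the `::1` IPv6 counterpart are assumptions made for the illustration.

```python
"""Added example: compare the three localhost allow-rule variants from the review.

Not the caclmgrd code. The Rule model, the sample packets and the IPv6
counterpart (::1) are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One INPUT ACCEPT rule. A field set to None is not matched on (simplified model)."""
    in_iface: Optional[str]
    src: Optional[str]

    def matches(self, iface: str, src: str) -> bool:
        """True if a packet arriving on `iface` with source `src` hits this rule."""
        iface_ok = self.in_iface is None or self.in_iface == iface
        src_ok = self.src is None or self.src == src
        return iface_ok and src_ok

    def to_cmd(self, tool: str = "iptables") -> str:
        """Render the rule as the command line the daemon would run."""
        parts = [tool, "-A", "INPUT"]
        if self.in_iface:
            parts += ["-i", self.in_iface]
        if self.src:
            parts += ["-s", self.src]
        parts += ["-j", "ACCEPT"]
        return " ".join(parts)


# The three variants in the order they appeared in the review.
SRC_ONLY = Rule(in_iface=None, src="127.0.0.1")    # original commit: -s 127.0.0.1
IFACE_ONLY = Rule(in_iface="lo", src=None)         # first suggestion: -i lo
COMBINED = Rule(in_iface="lo", src="127.0.0.1")    # final form: -i lo -s 127.0.0.1

# Constructed sample packets: name -> (ingress interface, source address).
# "other address bound to lo" stands in for the second reviewer's point that
# lo carries more than 127.0.0.1 (e.g. a loopback address); 10.1.0.1 is made up.
PACKETS = {
    "genuine loopback": ("lo", "127.0.0.1"),
    "spoofed 127.0.0.1 on front panel": ("Ethernet0", "127.0.0.1"),
    "other address bound to lo": ("lo", "10.1.0.1"),
    "ordinary external": ("Ethernet0", "192.0.2.10"),
}


def accepted_by(rule: Rule) -> List[str]:
    """Names of the sample packets the given rule would ACCEPT, sorted."""
    return sorted(name for name, (iface, src) in PACKETS.items()
                  if rule.matches(iface, src))


def localhost_accept_cmds() -> List[str]:
    """Commands for the final variant, plus an assumed IPv6 twin for ::1."""
    return [
        COMBINED.to_cmd("iptables"),
        Rule(in_iface="lo", src="::1").to_cmd("ip6tables"),
    ]


if __name__ == "__main__":
    for label, rule in (("source only", SRC_ONLY),
                        ("interface only", IFACE_ONLY),
                        ("interface + source", COMBINED)):
        print(f"{label:20s} {rule.to_cmd():45s} accepts {accepted_by(rule)}")
    print(localhost_accept_cmds())
```

The source-only rule accepts the spoofed packet from the front-panel port; the interface-only rule accepts every address bound to lo, which is the second reviewer's objection; only the combined rule accepts just the genuine loopback packet. In practice the Linux kernel also drops 127.0.0.0/8 sources arriving on non-loopback devices as martians by default, but matching on `-i lo` keeps the rule's meaning independent of that setting.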