[caclmgrd] Add a rule to allow all connections from localhost #1858

Merged
merged 3 commits into from
Jul 13, 2018

Conversation

jleveque
Contributor

No description provided.

@jleveque jleveque self-assigned this Jul 12, 2018
@jleveque jleveque requested review from lguohan and qiluo-msft July 12, 2018 22:07
@@ -147,6 +147,9 @@ class ControlPlaneAclManager(object):
iptables_cmds.append("ip6tables -F")
iptables_cmds.append("ip6tables -X")

# Add iptables command to allow all traffic from localhost
iptables_cmds.append("iptables -A INPUT -s 127.0.0.1 -j ACCEPT")
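Review bot: the rule added at the end of the hunk matches on source address alone (`-s 127.0.0.1`), so a packet arriving on a front-panel interface with a forged 127.0.0.1 source is accepted as well; anchoring the match to the interface, `iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT`, limits it to traffic that actually originated on the host. Since the context lines flush ip6tables too, the IPv6 side is left without an equivalent localhost allowance; a matching `ip6tables -A INPUT -i lo -s ::1 -j ACCEPT` would keep the two families consistent.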
Contributor


What if someone sends you a packet with 127.0.0.1 dst address?
I'd better use something like this:

```shell
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
```

Contributor Author

@jleveque jleveque Jul 12, 2018


Done. Agree that an interface-based approach is more secure than an IP-based approach here.

Collaborator

@qiluo-msft qiluo-msft Jul 12, 2018


We have assigned 2 IPv4 addresses to lo:

  1. 127.0.0.1
  2. loopback address

I thought this method would allow more than we expected.

Contributor Author


Good point. Changed: Now accepting all incoming traffic on lo iff it has the localhost source IP.
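An added example, not code from the PR or from caclmgrd, that models netfilter's first-match semantics for the three rule variants debated above against a few constructed packets. It assumes a DROP policy behind the single rule and ignores the kernel's own martian-source filtering, so it shows only what the iptables rule itself decides; the interface names and the 10.0.0.5 / 192.0.2.9 addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """The subset of an iptables INPUT rule used on this page: -i, -s and -j."""
    in_iface: Optional[str]
    src: Optional[ipaddress.IPv4Network]
    target: str

def rule(spec: str) -> Rule:
    """Parse e.g. '-i lo -s 127.0.0.1 -j ACCEPT'; a bare -s host becomes a /32."""
    toks = spec.split()
    in_iface, src, target = None, None, "DROP"
    for flag, val in zip(toks, toks[1:]):
        if flag == "-i":
            in_iface = val
        elif flag == "-s":
            src = ipaddress.ip_network(val, strict=False)
        elif flag == "-j":
            target = val
    return Rule(in_iface, src, target)

def evaluate(chain: List[Rule], in_iface: str, src_ip: str, policy: str = "DROP") -> str:
    """First matching rule wins, as in netfilter; otherwise the chain policy applies."""
    src = ipaddress.ip_address(src_ip)
    for r in chain:
        if r.in_iface is not None and r.in_iface != in_iface:
            continue
        if r.src is not None and src not in r.src:
            continue
        return r.target
    return policy

# The three variants from the review thread, each as a one-rule chain in front of
# an assumed DROP policy (caclmgrd's real tail rules are not shown on the page).
VARIANTS: Dict[str, List[Rule]] = {
    "src-only":   [rule("-s 127.0.0.1 -j ACCEPT")],        # the hunk as first posted
    "iface-only": [rule("-i lo -j ACCEPT")],               # the first suggestion
    "iface+src":  [rule("-i lo -s 127.0.0.1 -j ACCEPT")],  # the merged form
}

# Constructed packets as (arriving interface, source IP); 10.0.0.5 stands in for the
# second address on lo that qiluo-msft mentions, 192.0.2.9 for an external peer.
PACKETS = [("lo", "127.0.0.1"), ("lo", "10.0.0.5"), ("eth0", "127.0.0.1"), ("eth0", "192.0.2.9")]

def matrix() -> Dict[str, Dict[Tuple[str, str], str]]:
    return {name: {pkt: evaluate(chain, *pkt) for pkt in PACKETS}
            for name, chain in VARIANTS.items()}
```

Only the merged form accepts the lo/127.0.0.1 packet and nothing else; the source-only rule also accepts 127.0.0.1 arriving on eth0, and the interface-only rule also accepts the second lo address.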

@jleveque jleveque merged commit 2ccfefc into sonic-net:master Jul 13, 2018
@jleveque jleveque deleted the caclmgrd_allow_localhost branch July 13, 2018 17:27
Pterosaur added a commit to Pterosaur/sonic-buildimage that referenced this pull request Oct 26, 2021
stepanblyschak added a commit to stepanblyschak/sonic-buildimage that referenced this pull request Nov 11, 2021
vivekrnv added a commit to vivekrnv/sonic-buildimage that referenced this pull request Nov 16, 2021
qiluo-msft pushed a commit that referenced this pull request Nov 22, 2021
theasianpianist pushed a commit to theasianpianist/sonic-buildimage that referenced this pull request Feb 5, 2022
taras-keryk pushed a commit to taras-keryk/sonic-buildimage that referenced this pull request Apr 28, 2022