
Support Restapi/gnmi control plane acls in 202012 branch #11903

Merged

Conversation

ZhaohuiS
@ZhaohuiS ZhaohuiS commented Aug 31, 2022

Signed-off-by: Zhaohui Sun [email protected]

Why I did it

Currently Sonic supports the following ACL tables.

IPV6_SNMP_ACL
EVERFLOW
SSH_ONLY
..

For the Restapi/gnmi use-cases, Sonic has to support a new table: EXTERNAL_CLIENT of type CTRLPLANE, stage ingress.

This shall match on 'src ip prefix' and dst port '8080'. Caclmgrd must parse this from acl.json and install it as in the example below:

iptables -A INPUT -s 20.20.20.20/27 -p tcp --dport 8080 -j ACCEPT

or ip6tables if the 'src ip prefix' is IPv6.

This change for master branch is in PR sonic-net/sonic-host-services#9

How I did it

Steps:

1. Add EXTERNAL_CLIENT_ACL in config_db.json:

    "ACL_TABLE": {
        "NTP_ACL": {
            "policy_desc": "NTP_ACL",
            "services": [
                "NTP"
            ],
            "stage": "ingress",
            "type": "CTRLPLANE"
        },
        ...
        "EXTERNAL_CLIENT_ACL": {
            "policy_desc": "EXTERNAL_CLIENT_ACL",
            "services": [
                "EXTERNAL_CLIENT"
            ],
            "stage": "ingress",
            "type": "CTRLPLANE"
        }
    }

2. config reload, then check show acl tables:

    EXTERNAL_CLIENT_ACL  CTRLPLANE  EXTERNAL_CLIENT  EXTERNAL_CLIENT_ACL  ingress
    NTP_ACL              CTRLPLANE  NTP              NTP_ACL              ingress
    SNMP_ACL             CTRLPLANE  SNMP             SNMP_ACL             ingress
    SSH_ONLY             CTRLPLANE  SSH              SSH_ONLY             ingress

3. Load acl rules:

    acl-loader update full external_acl.json

    external_acl.json looks like this:

    {
        "acl": {
            "acl-sets": {
                "acl-set": {
                    "EXTERNAL_CLIENT-ACL": {
                        "acl-entries": {
                            "acl-entry": {
                                "1": {
                                    "ip": {
                                        "config": {
                                            "source-ip-address": "20.0.0.3/32"
                                        }
                                    },
                                    "transport": {
                                        "config": {
                                            "destination-port": "8081"
                                        }
                                    },
                                    "config": {
                                        "sequence-id": 1
                                    },
                                    "actions": {
                                        "config": {
                                            "forwarding-action": "ACCEPT"
                                        }
                                    }
                                }
                            }
                        },
                        "config": {
                            "name": "EXTERNAL_CLIENT-ACL"
                        }
                    }
                }
            }
        }
    }

4. Check acl rules:

    IPv4:

    admin@vlab-03:~$ show acl rule
    Table                Rule          Priority    Action    Match
    -------------------  ------------  ----------  --------  -------------------
    EXTERNAL_CLIENT_ACL  RULE_0        10000       ACCEPT    L4_DST_PORT: 8081
                                                             SRC_IP: 20.0.0.3/32
    EXTERNAL_CLIENT_ACL  DEFAULT_RULE  1           DROP      ETHER_TYPE: 2048

    IPv6:

    admin@vlab-03:~$ show acl rule
    Table                Rule          Priority    Action    Match
    -------------------  ------------  ----------  --------  --------------------
    EXTERNAL_CLIENT_ACL  RULE_0        10000       ACCEPT    L4_DST_PORT: 8081
                                                             SRC_IPV6: 2001::3/128
    EXTERNAL_CLIENT_ACL  DEFAULT_RULE  1           DROP      ETHER_TYPE: 2048

5. Check iptables:

    IPv4:

    -A INPUT -s 20.0.0.3/32 -p tcp -m tcp --dport 8081 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8080 -j DROP

    IPv6:

    -A INPUT -s 2001::3/128 -p tcp -m tcp --dport 8081 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8081 -j DROP

6. Also support dst port range:

    "transport": {
        "config": {
            "destination-port": "8081..8083"
        }
    }

    admin@vlab-03:~$ show acl rule
    Table                Rule          Priority    Action    Match
    -------------------  ------------  ----------  --------  ----------------------------
    EXTERNAL_CLIENT_ACL  RULE_0        10000       ACCEPT    L4_DST_PORT_RANGE: 8081-8083
                                                             SRC_IP: 20.0.0.3/32
    EXTERNAL_CLIENT_ACL  DEFAULT_RULE  1           DROP      ETHER_TYPE: 2048

    -A INPUT -s 20.0.0.3/32 -p tcp -m tcp --dport 8081 -j ACCEPT
    -A INPUT -s 20.0.0.3/32 -p tcp -m tcp --dport 8082 -j ACCEPT
    -A INPUT -s 20.0.0.3/32 -p tcp -m tcp --dport 8083 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8081 -j DROP
    -A INPUT -p tcp -m tcp --dport 8082 -j DROP
    -A INPUT -p tcp -m tcp --dport 8083 -j DROP

7. If "destination-port" is not defined in acl.json, a warning log is printed, such as:

    Sep 2 02:56:42.117150 vlab-03 WARNING caclmgrd[3841175]: Required destination port not found for ACL table 'EXTERNAL_CLIENT'. Skipping table...
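The translation the steps above describe, as an added example that is not caclmgrd's or the PR's own code: it reads the acl.json shape shown above, expands a "8081..8083" range into per-port rules, picks iptables or ip6tables from the source prefix, appends a DROP for every port a table covers, and skips a table whose entry has no destination-port with the warning from step 7. The function names, the constructed sample ACL, using the acl-set name as the table name in the warning, and deciding the address family from the prefix itself are all assumptions.

```python
import ipaddress
import logging
log = logging.getLogger("caclmgrd-example")

def expand_ports(spec):
    """Expand the acl.json port form: "8081" -> [8081], "8081..8083" -> [8081, 8082, 8083]."""
    lo, _, hi = spec.partition("..")
    lo, hi = int(lo), int(hi or lo)
    if not (1 <= lo <= hi <= 65535):
        raise ValueError("bad destination-port %r" % spec)
    return list(range(lo, hi + 1))

def external_client_rules(acl_json):
    """Turn every acl-set in an acl.json dict into iptables/ip6tables INPUT rules: one rule per
    (source prefix, port) in sequence-id order, then a DROP for each (family, port) the table
    covers. A table with an entry lacking destination-port is skipped with a warning."""
    rules = []
    for table, acl_set in acl_json["acl"]["acl-sets"]["acl-set"].items():
        entries = acl_set.get("acl-entries", {}).get("acl-entry", {})
        matches, drops = [], []
        for _, entry in sorted(entries.items(), key=lambda kv: int(kv[0])):
            port_spec = entry.get("transport", {}).get("config", {}).get("destination-port")
            if port_spec is None:
                log.warning("Required destination port not found for ACL table '%s'. Skipping table...", table)
                matches, drops = [], []  # discard what was built for this table and move on
                break
            # Assumption: the address family comes from the prefix itself (SRC_IP vs SRC_IPV6 above)
            src = ipaddress.ip_network(entry["ip"]["config"]["source-ip-address"], strict=False)
            tool = "ip6tables" if src.version == 6 else "iptables"
            fwd = entry.get("actions", {}).get("config", {}).get("forwarding-action")
            target = "ACCEPT" if fwd == "ACCEPT" else "DROP"
            for port in expand_ports(port_spec):
                matches.append(f"{tool} -A INPUT -s {src} -p tcp -m tcp --dport {port} -j {target}")
                if (tool, port) not in drops:
                    drops.append((tool, port))
        rules.extend(matches)
        rules.extend(f"{t} -A INPUT -p tcp -m tcp --dport {p} -j DROP" for t, p in drops)
    return rules

def _entry(src, port=None):
    # One acl-entry in the shape used above; port=None models the missing destination-port case
    e = {"ip": {"config": {"source-ip-address": src}}, "actions": {"config": {"forwarding-action": "ACCEPT"}}}
    if port is not None:
        e["transport"] = {"config": {"destination-port": port}}
    return e

# Constructed sample: a well-formed table with a port range plus an IPv6 source, and a table missing the port
SAMPLE_ACL = {"acl": {"acl-sets": {"acl-set": {
    "EXTERNAL_CLIENT-ACL": {"acl-entries": {"acl-entry": {"1": _entry("20.0.0.3/32", "8081..8083"),
                                                          "2": _entry("2001::3/128", "8081")}}},
    "NO_PORT-ACL": {"acl-entries": {"acl-entry": {"1": _entry("10.0.0.0/8")}}}}}}}
```

Running `external_client_rules(SAMPLE_ACL)` yields the three per-port ACCEPT rules, the ip6tables ACCEPT, then one DROP per (tool, port), while NO_PORT-ACL produces only the warning.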


How to verify it

Boot up testbed, caclmgrd will run automatically.
Add EXTERNAL_CLIENT_ACL table in config_db.json
Load acl.json which contains external_client acl rules.
Verify if the specific traffic is blocked or forwarded.

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205


Signed-off-by: Zhaohui Sun <[email protected]>
prsunny commented Sep 1, 2022

/azp run Azure.sonic-buildimage

@sonic-net sonic-net deleted a comment from azure-pipelines bot Sep 1, 2022
@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@yejianquan

/AzurePipelines run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@sonic-net sonic-net deleted a comment from azure-pipelines bot Sep 2, 2022
prsunny commented Sep 2, 2022

/AzurePipelines run Azure.sonic-buildimage

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@ZhaohuiS ZhaohuiS changed the title Support Restapi/gnmi control plane acls Support Restapi/gnmi control plane acls in 202012 branch Sep 4, 2022
@ZhaohuiS ZhaohuiS merged commit 5357bdb into sonic-net:202012 Sep 5, 2022