From e9337479d6d54e9352ad5c5d59739db779aa5245 Mon Sep 17 00:00:00 2001
From: Joe LeVeque
Date: Thu, 12 Jul 2018 21:52:40 +0000
Subject: [PATCH 1/3] [caclmgrd] Add a rule to allow all connections from localhost
---
 files/image_config/caclmgrd/caclmgrd | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/files/image_config/caclmgrd/caclmgrd b/files/image_config/caclmgrd/caclmgrd
index ec26b6001f50..b2364baaf7a2 100755
--- a/files/image_config/caclmgrd/caclmgrd
+++ b/files/image_config/caclmgrd/caclmgrd
@@ -147,6 +147,9 @@ class ControlPlaneAclManager(object):
 iptables_cmds.append("ip6tables -F")
 iptables_cmds.append("ip6tables -X")
 
+ # Add iptables command to allow all traffic from localhost
+ iptables_cmds.append("iptables -A INPUT -s 127.0.0.1 -j ACCEPT")
+
 # Get current ACL tables and rules from Config DB
 self._tables_db_info = self.config_db.get_table(self.ACL_TABLE)
 self._rules_db_info = self.config_db.get_table(self.ACL_RULE)
From e07a8e282131c07b90dc6b42e27e0339e0e79b0c Mon Sep 17 00:00:00 2001
From: Joe LeVeque
Date: Thu, 12 Jul 2018 22:28:47 +0000
Subject: [PATCH 2/3] Make rule interface-based, not IP-based for security; Add IPv6 rule
---
 files/image_config/caclmgrd/caclmgrd | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/files/image_config/caclmgrd/caclmgrd b/files/image_config/caclmgrd/caclmgrd
index b2364baaf7a2..85898527c7aa 100755
--- a/files/image_config/caclmgrd/caclmgrd
+++ b/files/image_config/caclmgrd/caclmgrd
@@ -147,8 +147,9 @@ class ControlPlaneAclManager(object):
 iptables_cmds.append("ip6tables -F")
 iptables_cmds.append("ip6tables -X")
 
- # Add iptables command to allow all traffic from localhost
- iptables_cmds.append("iptables -A INPUT -s 127.0.0.1 -j ACCEPT")
+ # Add iptables commands to allow all IPv4 and IPv6 traffic from localhost
+ iptables_cmds.append("iptables -A INPUT -i lo -j ACCEPT")
+ iptables_cmds.append("ip6tables -A INPUT -i lo -j ACCEPT")
 
 # Get current ACL tables and rules from Config DB
 self._tables_db_info = self.config_db.get_table(self.ACL_TABLE)
From 3eb31eec1b2bf621d9dba8f0f54bee9c94e237d0 Mon Sep 17 00:00:00 2001
From: Joe LeVeque
Date: Thu, 12 Jul 2018 23:59:49 +0000
Subject: [PATCH 3/3] Allow incoming traffic on lo ONLY if from localhost IPs
---
 files/image_config/caclmgrd/caclmgrd | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/files/image_config/caclmgrd/caclmgrd b/files/image_config/caclmgrd/caclmgrd
index 85898527c7aa..a7ec952ca21f 100755
--- a/files/image_config/caclmgrd/caclmgrd
+++ b/files/image_config/caclmgrd/caclmgrd
@@ -148,8 +148,8 @@ class ControlPlaneAclManager(object):
 iptables_cmds.append("ip6tables -X")
 
 # Add iptables commands to allow all IPv4 and IPv6 traffic from localhost
- iptables_cmds.append("iptables -A INPUT -i lo -j ACCEPT")
- iptables_cmds.append("ip6tables -A INPUT -i lo -j ACCEPT")
+ iptables_cmds.append("iptables -A INPUT -s 127.0.0.1 -i lo -j ACCEPT")
+ iptables_cmds.append("ip6tables -A INPUT -s ::1 -i lo -j ACCEPT")
 
 # Get current ACL tables and rules from Config DB
 self._tables_db_info = self.config_db.get_table(self.ACL_TABLE)
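Review bot: `-s 127.0.0.1` on the new IPv4 line in the final patch matches a single address, but the whole 127.0.0.0/8 block is loopback-only, so a local service bound to another 127.x address would miss this ACCEPT and fall through to whatever the ACL rules appended later decide; `iptables_cmds.append("iptables -A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT")` keeps the source restriction the commit message asks for while covering the full range (for IPv6, `::1` is the only loopback address, so that line is fine as written). Locally-originated traffic addressed to one of the device's own non-loopback addresses is, I believe, also delivered on lo with that address as its source and would likewise not match either rule — worth confirming whether the later ACL rules are expected to cover that case or whether it should be allowed here. Since both rules use `-A`, they only take effect ahead of a DROP if nothing earlier in the chain rejects the packet first; the surrounding method starts and ends outside this hunk, so the ordering could not be verified from the patch alone.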