caclmgrd interface rules patch 1#197
Merged
qiluo-msft merged 3 commits intosonic-net:masterfrom Mar 26, 2025
Merged
Conversation
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
91e84f7 to
38f32c7
Compare
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
38f32c7 to
d131a47
Compare
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
@ZhaohuiS Could you help review? |
ZhaohuiS
reviewed
Feb 5, 2025
scripts/caclmgrd
Outdated
| if (dst_port not in self.ACL_SERVICES["NTP"]["dst_ports"] and | ||
| dst_port not in self.ACL_SERVICES["SNMP"]["dst_ports"] and | ||
| dst_port not in self.ACL_SERVICES["SSH"]["dst_ports"]): | ||
| rule_cmd = self.exclude_mgmt_port(rule_cmd) |
Contributor
There was a problem hiding this comment.
For EXTERNAL_CLIENT, there is no DST_PORT setting for it, with your change, does it mean it will block restapi or gnmi traffic from eth0?
@qiluo-msft @prsunny could you please review this change? It will prohibit traffic from eth0 except NTP,SNMP and SSH.
"EXTERNAL_CLIENT": {
"ip_protocols": ["tcp"],
"multi_asic_ns_to_host_fwd":True
},
Contributor
Author
There was a problem hiding this comment.
@ZhaohuiS We can add the protocols in ACL_SERVICES that has to go through eth0, could we have the defined list of protocols?
Contributor
There was a problem hiding this comment.
As I know, EXTERNAL_CLIENT is designed to be used for restapi and gnmi, and the port is not defined in ACL_SERVICES , we can define flexible ports for them in acl.json.
Contributor
There was a problem hiding this comment.
agree with @ZhaohuiS , this can break existing scenarios.
Contributor
Author
There was a problem hiding this comment.
Removed check so EXTERNAL_CLIENT is not affected; Updated tests. Please help review
Contributor
There was a problem hiding this comment.
@gupurush could you please also update test case, otherwise submodule advance PR test will fail,
https://github.com/sonic-net/sonic-mgmt/blob/master/tests/cacl/test_cacl_application.py
The best solution should be:
- skip test_cacl_application from PR test
- imagebuild PR get merged
- update test case
- add test_cacl_application back for PR test
Contributor
There was a problem hiding this comment.
@gupurush could you please update test_cacl_application.py to support your change in this PR? And provide the test evidence here, just want to make sure the image code change could be verified and no regression will be introduced. Thanks.
Contributor
There was a problem hiding this comment.
@gupurush please update the test_cacl_application and enable it for PR test.
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
ZhaohuiS
approved these changes
Feb 26, 2025
yejianquan
pushed a commit
to sonic-net/sonic-mgmt
that referenced
this pull request
Jun 4, 2025
Description of PR Summary: Fixes # (issue) sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. Disable test_cacl_application in PR test temporarily for merging submodule PR. > pytest_assert(len(missing_iptables_rules) == 0, "Missing expected iptables rules: {}" .format(repr(missing_iptables_rules))) E Failed: Missing expected iptables rules: {'-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT'} For any changes in caclmgrd, if it will fail test_cacl_application case, need to follow the steps: skip test_cacl_application from PR test imagebuild PR get merged update test case add test_cacl_application back for PR test Type of change Bug fix Testbed and Framework(new/improvement) New Test case Skipped for non-supported platforms Test case improvement Back port request 202205 202305 202311 202405 202411 202505 Approach What is the motivation for this PR? sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. How did you do it? Disable test_cacl_application in PR test temporarily for merging submodule PR. How did you verify/test it? Retrigger PR test for sonic-host-services submodule advance PR. Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com>
mssonicbld
pushed a commit
to mssonicbld/sonic-mgmt
that referenced
this pull request
Jun 4, 2025
Description of PR Summary: Fixes # (issue) sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. Disable test_cacl_application in PR test temporarily for merging submodule PR. > pytest_assert(len(missing_iptables_rules) == 0, "Missing expected iptables rules: {}" .format(repr(missing_iptables_rules))) E Failed: Missing expected iptables rules: {'-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT'} For any changes in caclmgrd, if it will fail test_cacl_application case, need to follow the steps: skip test_cacl_application from PR test imagebuild PR get merged update test case add test_cacl_application back for PR test Type of change Bug fix Testbed and Framework(new/improvement) New Test case Skipped for non-supported platforms Test case improvement Back port request 202205 202305 202311 202405 202411 202505 Approach What is the motivation for this PR? sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. How did you do it? Disable test_cacl_application in PR test temporarily for merging submodule PR. How did you verify/test it? Retrigger PR test for sonic-host-services submodule advance PR. Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com>
Merged
11 tasks
mssonicbld
pushed a commit
to sonic-net/sonic-mgmt
that referenced
this pull request
Jun 4, 2025
Description of PR Summary: Fixes # (issue) sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. Disable test_cacl_application in PR test temporarily for merging submodule PR. > pytest_assert(len(missing_iptables_rules) == 0, "Missing expected iptables rules: {}" .format(repr(missing_iptables_rules))) E Failed: Missing expected iptables rules: {'-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT'} For any changes in caclmgrd, if it will fail test_cacl_application case, need to follow the steps: skip test_cacl_application from PR test imagebuild PR get merged update test case add test_cacl_application back for PR test Type of change Bug fix Testbed and Framework(new/improvement) New Test case Skipped for non-supported platforms Test case improvement Back port request 202205 202305 202311 202405 202411 202505 Approach What is the motivation for this PR? sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. How did you do it? Disable test_cacl_application in PR test temporarily for merging submodule PR. How did you verify/test it? Retrigger PR test for sonic-host-services submodule advance PR. Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com>
11 tasks
11 tasks
opcoder0
pushed a commit
to opcoder0/sonic-mgmt
that referenced
this pull request
Dec 8, 2025
Description of PR Summary: Fixes # (issue) sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. Disable test_cacl_application in PR test temporarily for merging submodule PR. > pytest_assert(len(missing_iptables_rules) == 0, "Missing expected iptables rules: {}" .format(repr(missing_iptables_rules))) E Failed: Missing expected iptables rules: {'-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT'} For any changes in caclmgrd, if it will fail test_cacl_application case, need to follow the steps: skip test_cacl_application from PR test imagebuild PR get merged update test case add test_cacl_application back for PR test Type of change Bug fix Testbed and Framework(new/improvement) New Test case Skipped for non-supported platforms Test case improvement Back port request 202205 202305 202311 202405 202411 202505 Approach What is the motivation for this PR? sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. How did you do it? Disable test_cacl_application in PR test temporarily for merging submodule PR. How did you verify/test it? Retrigger PR test for sonic-host-services submodule advance PR. Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com>
AharonMalkin
pushed a commit
to AharonMalkin/sonic-mgmt
that referenced
this pull request
Dec 16, 2025
Description of PR Summary: Fixes # (issue) sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. Disable test_cacl_application in PR test temporarily for merging submodule PR. > pytest_assert(len(missing_iptables_rules) == 0, "Missing expected iptables rules: {}" .format(repr(missing_iptables_rules))) E Failed: Missing expected iptables rules: {'-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT'} For any changes in caclmgrd, if it will fail test_cacl_application case, need to follow the steps: skip test_cacl_application from PR test imagebuild PR get merged update test case add test_cacl_application back for PR test Type of change Bug fix Testbed and Framework(new/improvement) New Test case Skipped for non-supported platforms Test case improvement Back port request 202205 202305 202311 202405 202411 202505 Approach What is the motivation for this PR? sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. How did you do it? Disable test_cacl_application in PR test temporarily for merging submodule PR. How did you verify/test it? Retrigger PR test for sonic-host-services submodule advance PR. Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com> Signed-off-by: Aharon Malkin <amalkin@nvidia.com>
gshemesh2
pushed a commit
to gshemesh2/sonic-mgmt
that referenced
this pull request
Dec 21, 2025
Description of PR Summary: Fixes # (issue) sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. Disable test_cacl_application in PR test temporarily for merging submodule PR. > pytest_assert(len(missing_iptables_rules) == 0, "Missing expected iptables rules: {}" .format(repr(missing_iptables_rules))) E Failed: Missing expected iptables rules: {'-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT'} For any changes in caclmgrd, if it will fail test_cacl_application case, need to follow the steps: skip test_cacl_application from PR test imagebuild PR get merged update test case add test_cacl_application back for PR test Type of change Bug fix Testbed and Framework(new/improvement) New Test case Skipped for non-supported platforms Test case improvement Back port request 202205 202305 202311 202405 202411 202505 Approach What is the motivation for this PR? sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. How did you do it? Disable test_cacl_application in PR test temporarily for merging submodule PR. How did you verify/test it? Retrigger PR test for sonic-host-services submodule advance PR. Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com> Signed-off-by: Guy Shemesh <gshemesh@nvidia.com>
venu-nexthop
pushed a commit
to venu-nexthop/sonic-mgmt
that referenced
this pull request
Jan 13, 2026
Description of PR Summary: Fixes # (issue) sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. Disable test_cacl_application in PR test temporarily for merging submodule PR. > pytest_assert(len(missing_iptables_rules) == 0, "Missing expected iptables rules: {}" .format(repr(missing_iptables_rules))) E Failed: Missing expected iptables rules: {'-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT'} For any changes in caclmgrd, if it will fail test_cacl_application case, need to follow the steps: skip test_cacl_application from PR test imagebuild PR get merged update test case add test_cacl_application back for PR test Type of change Bug fix Testbed and Framework(new/improvement) New Test case Skipped for non-supported platforms Test case improvement Back port request 202205 202305 202311 202405 202411 202505 Approach What is the motivation for this PR? sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. How did you do it? Disable test_cacl_application in PR test temporarily for merging submodule PR. How did you verify/test it? Retrigger PR test for sonic-host-services submodule advance PR. Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com>
gshemesh2
pushed a commit
to gshemesh2/sonic-mgmt
that referenced
this pull request
Jan 26, 2026
Description of PR Summary: Fixes # (issue) sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. Disable test_cacl_application in PR test temporarily for merging submodule PR. > pytest_assert(len(missing_iptables_rules) == 0, "Missing expected iptables rules: {}" .format(repr(missing_iptables_rules))) E Failed: Missing expected iptables rules: {'-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT'} For any changes in caclmgrd, if it will fail test_cacl_application case, need to follow the steps: skip test_cacl_application from PR test imagebuild PR get merged update test case add test_cacl_application back for PR test Type of change Bug fix Testbed and Framework(new/improvement) New Test case Skipped for non-supported platforms Test case improvement Back port request 202205 202305 202311 202405 202411 202505 Approach What is the motivation for this PR? sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. How did you do it? Disable test_cacl_application in PR test temporarily for merging submodule PR. How did you verify/test it? Retrigger PR test for sonic-host-services submodule advance PR. Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com> Signed-off-by: Guy Shemesh <gshemesh@nvidia.com>
ytzur1
pushed a commit
to ytzur1/sonic-mgmt
that referenced
this pull request
Feb 2, 2026
Description of PR Summary: Fixes # (issue) sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. Disable test_cacl_application in PR test temporarily for merging submodule PR. > pytest_assert(len(missing_iptables_rules) == 0, "Missing expected iptables rules: {}" .format(repr(missing_iptables_rules))) E Failed: Missing expected iptables rules: {'-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT'} For any changes in caclmgrd, if it will fail test_cacl_application case, need to follow the steps: skip test_cacl_application from PR test imagebuild PR get merged update test case add test_cacl_application back for PR test Type of change Bug fix Testbed and Framework(new/improvement) New Test case Skipped for non-supported platforms Test case improvement Back port request 202205 202305 202311 202405 202411 202505 Approach What is the motivation for this PR? sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. How did you do it? Disable test_cacl_application in PR test temporarily for merging submodule PR. How did you verify/test it? Retrigger PR test for sonic-host-services submodule advance PR. Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com> Signed-off-by: Yael Tzur <ytzur@nvidia.com>
venu-nexthop
pushed a commit
to venu-nexthop/sonic-mgmt
that referenced
this pull request
Mar 27, 2026
Description of PR Summary: Fixes # (issue) sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. Disable test_cacl_application in PR test temporarily for merging submodule PR. > pytest_assert(len(missing_iptables_rules) == 0, "Missing expected iptables rules: {}" .format(repr(missing_iptables_rules))) E Failed: Missing expected iptables rules: {'-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT'} For any changes in caclmgrd, if it will fail test_cacl_application case, need to follow the steps: skip test_cacl_application from PR test imagebuild PR get merged update test case add test_cacl_application back for PR test Type of change Bug fix Testbed and Framework(new/improvement) New Test case Skipped for non-supported platforms Test case improvement Back port request 202205 202305 202311 202405 202411 202505 Approach What is the motivation for this PR? sonic-net/sonic-host-services#197 added a new change for caclmgrd, PR test for submodule advanced PR of sonic-host-services failed. How did you do it? Disable test_cacl_application in PR test temporarily for merging submodule PR. How did you verify/test it? Retrigger PR test for sonic-host-services submodule advance PR. Signed-off-by: Zhaohui Sun <zhaohuisun@microsoft.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Added management port exclusion (!, -i, eth0) for data plane protocols in iptable rules. Data plane protocols like BGP, BFD, and VXLAN are restricted to data interfaces only, while management protocols (NTP, SNMP, SSH) retain management port access. This enforces proper traffic segregation between management and data plane.
What is the motivation for this PR?
To enhance security by properly segregating management and data plane traffic through iptable rules in caclmgrd.
How did you do it?
Added exclude_mgmt_port rule (!, -i, eth0)
Applied exclusion to data plane protocols (BGP, BFD, VXLAN)
Preserved management port access for management services (NTP, SNMP, SSH)
Implemented conditional exclusion for other ACL rules based on service type