[caclmgrd] Restrict FRR daemon loopback TCP ports to FRR user#389
[caclmgrd] Restrict FRR daemon loopback TCP ports to FRR user#389nsoma-cisco wants to merge 1 commit into
Conversation
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
@ZhaohuiS @dgsudharsan Could you please take a look? |
|
@StormLiangMS Thank you for initiating the review. |
Lock down zebra (TCP/2601) and the fpmsyncd<->zebra socket (TCP/2620) on the loopback interface so only the FRR user (UID 300) can connect; every other local UID is dropped. Per port the ACCEPT (uid-owner 300) rule is appended before the DROP so iptables matches FRR-internal traffic first. Rules are emitted in every namespace caclmgrd manages (host on single-ASIC, per-ASIC bgp container namespaces on multi-ASIC) since FRR runs in each of them with the same UID and ports. The helper is invoked from get_acl_rules_and_translate_to_iptables_commands, so the rules are reinstalled on every full programming pass: at boot, on systemctl restart caclmgrd, and after any CONFIG_DB ACL_TABLE/ACL_RULE change. Adds caclmgrd_frr_loopback_acl_test.py covering rule presence, per-port ACCEPT-before-DROP ordering, helper rule count, and ASIC-namespace prefix, plus test_no_generic_output_drop_precedes_frr_accept which inspects the generated iptables command list and asserts that no IPv4 OUTPUT-chain DROP or REJECT rule appears before the FRR per-UID ACCEPT rules. This pins the current invariant so a future contributor can't silently shadow the FRR ACCEPT and break FRR daemon loopback communication. Signed-off-by: Nageswara Soma <nsoma@cisco.com>
e4b871a to
255fccc
Compare
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
Hi @sonic-net/sonic-host-services-maintainer, this approved PR has workflow run(s) waiting for approval. Please help review. Thanks! ---Powered by SONiC BuildBot
|
11 similar comments
|
Hi @sonic-net/sonic-host-services-maintainer, this approved PR has workflow run(s) waiting for approval. Please help review. Thanks! ---Powered by SONiC BuildBot
|
|
Hi @sonic-net/sonic-host-services-maintainer, this approved PR has workflow run(s) waiting for approval. Please help review. Thanks! ---Powered by SONiC BuildBot
|
|
Hi @sonic-net/sonic-host-services-maintainer, this approved PR has workflow run(s) waiting for approval. Please help review. Thanks! ---Powered by SONiC BuildBot
|
|
Hi @sonic-net/sonic-host-services-maintainer, this approved PR has workflow run(s) waiting for approval. Please help review. Thanks! ---Powered by SONiC BuildBot
|
|
Hi @sonic-net/sonic-host-services-maintainer, this approved PR has workflow run(s) waiting for approval. Please help review. Thanks! ---Powered by SONiC BuildBot
|
|
Hi @sonic-net/sonic-host-services-maintainer, this approved PR has workflow run(s) waiting for approval. Please help review. Thanks! ---Powered by SONiC BuildBot
|
|
Hi @sonic-net/sonic-host-services-maintainer, this approved PR has workflow run(s) waiting for approval. Please help review. Thanks! ---Powered by SONiC BuildBot
|
|
Hi @sonic-net/sonic-host-services-maintainer, this approved PR has workflow run(s) waiting for approval. Please help review. Thanks! ---Powered by SONiC BuildBot
|
|
Hi @sonic-net/sonic-host-services-maintainer, this approved PR has workflow run(s) waiting for approval. Please help review. Thanks! ---Powered by SONiC BuildBot
|
|
Hi @sonic-net/sonic-host-services-maintainer, this approved PR has workflow run(s) waiting for approval. Please help review. Thanks! ---Powered by SONiC BuildBot
|
|
Hi @sonic-net/sonic-host-services-maintainer, this approved PR has workflow run(s) waiting for approval. Please help review. Thanks! ---Powered by SONiC BuildBot
|
Summary
Lock down zebra (TCP/2601) and the fpmsyncd<->zebra socket (TCP/2620) on the loopback interface so only the FRR user (UID 300) can connect; every other local UID is dropped.
caclmgrdmanages (host on single-ASIC, per-ASIC bgp container namespaces on multi-ASIC) since FRR runs in each of them with the same UID and ports.get_acl_rules_and_translate_to_iptables_commands, so the rules are reinstalled on every full programming pass: at boot, onsystemctl restart caclmgrd, and after any CONFIG_DBACL_TABLE/ACL_RULEchange — no additional plumbing required for persistence.What changed
scripts/caclmgrd:FRR_USER_UID = 300andFRR_LOOPBACK_TCP_DROP_PORTS = [2601, 2620].generate_frr_daemon_loopback_acl_commands(namespace)that emits the ACCEPT-then-DROP pair per port, namespace-prefixed.tests/caclmgrd/:caclmgrd_frr_loopback_acl_test.py— 5 tests covering rule presence, ACCEPT-before-DROP ordering, helper rule count, ASIC-namespace prefix, and a regression guard (test_no_generic_output_drop_precedes_frr_accept) that asserts no IPv4 OUTPUT-chain DROP/REJECT precedes the FRR ACCEPT rules.test_frr_loopback_acl_vectors.py— minimal CONFIG_DB test vector.Test plan
python3 -m pytest tests/caclmgrd/—53 passed(5 new + 48 pre-existing) in a Debian-bookworm container withlibswsscommon+sonic-py-commoninstalled.test_no_generic_output_drop_precedes_frr_acceptregression guard verified in-tree.iptables -S OUTPUTshows the ACCEPT/DROP pairs for ports 2601 and 2620 in the host and in each per-ASIC bgp container namespace.vtysh -d zebrastill works as the FRR user and is rejected for other UIDs; confirm fpmsyncd<->zebra connection stays up.