kamel: [caclmgrd] Use interface IP for IP2ME

Currently the first IP on the VLAN subnet is used, regardless of whatever IP is actually assigned to the control plane. This fix uses the correct IP. See earlier work: - sonic-net/sonic-buildimage#9826 - sonic-net/sonic-buildimage#7178 - sonic-net/sonic-buildimage#7008 Signed-off-by: Christian Svensson <[email protected]>
kamelnetworks · Jan 31, 2023 · 0e211c9 · 0e211c9
1 parent 2115e50
commit 0e211c9
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 12 deletions.
diff --git a/scripts/caclmgrd b/scripts/caclmgrd
@@ -237,20 +237,16 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
                 for key, _ in iface_table.items():
                     if not _ip_prefix_in_key(key):
                         continue
-
                     iface_name, iface_cidr = key
-                    ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
+                    ip_iface = ipaddress.ip_interface(iface_cidr)
+                    if isinstance(ip_iface, ipaddress.IPv4Interface):
+                        block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -d {} -j DROP".format(ip_iface.ip, iface_name))
+                    elif isinstance(ip_iface, ipaddress.IPv6Interface):
+                        block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -d {} -j DROP".format(ip_iface.ip, iface_name))
+                    else:
+                        self.log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_iface))
 
-                    # For VLAN interfaces, the IP address we want to block is the default gateway (i.e.,
-                    # the first available host IP address of the VLAN subnet)
-                    ip_addr = next(ip_ntwrk.hosts()) if iface_table_name == "VLAN_INTERFACE" else ip_ntwrk.network_address
 
-                    if isinstance(ip_ntwrk, ipaddress.IPv4Network):
-                        block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -d {}/{} -j DROP".format(ip_addr, ip_ntwrk.max_prefixlen))
-                    elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
-                        block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -d {}/{} -j DROP".format(ip_addr, ip_ntwrk.max_prefixlen))
-                    else:
-                        self.log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
 
         return block_ip2me_cmds
 

diff --git a/tests/caclmgrd/test_ip2me_vectors.py b/tests/caclmgrd/test_ip2me_vectors.py
@@ -85,6 +85,32 @@
             ],
         },
     ],
+    [
+        "One VLAN interface, /24, we are .2",
+        {
+            "config_db": {
+                "MGMT_INTERFACE": {
+                    "eth0|172.18.0.100/24": {
+                        "gwaddr": "172.18.0.1"
+                    }
+                },
+                "LOOPBACK_INTERFACE": {},
+                "VLAN_INTERFACE": {
+                    "Vlan110|10.10.11.2/24": {},
+                },
+                "PORTCHANNEL_INTERFACE": {},
+                "INTERFACE": {},
+                "DEVICE_METADATA": {
+                    "localhost": {
+                    }
+                },
+                "FEATURE": {},
+            },
+            "return": [
+                "iptables -A INPUT -d 10.10.11.2/32 -j DROP",
+            ],
+        },
+    ],
     [
         "One interface of each type, IPv6, /64 - block all interfaces but MGMT",
         {
@@ -114,7 +140,7 @@
             },
             "return": [
                 "ip6tables -A INPUT -d 2001:db8:10::/128 -j DROP",
-                "ip6tables -A INPUT -d 2001:db8:11::1/128 -j DROP",
+                "ip6tables -A INPUT -d 2001:db8:11::/128 -j DROP",
                 "ip6tables -A INPUT -d 2001:db8:12::/128 -j DROP",
                 "ip6tables -A INPUT -d 2001:db8:13::/128 -j DROP"
             ],