kamel: [caclmgrd] Use interface IP for IP2ME

Currently the first IP on the VLAN subnet is used, regardless of whatever IP is actually assigned to the control plane. This fix uses the correct IP. See earlier work: - sonic-net/sonic-buildimage#9826 - sonic-net/sonic-buildimage#7178 - sonic-net/sonic-buildimage#7008 Signed-off-by: Christian Svensson <[email protected]>
kamelnetworks · Apr 16, 2023 · a4ad63f · a4ad63f
1 parent 9c66190
commit a4ad63f
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 20 deletions.
diff --git a/scripts/caclmgrd b/scripts/caclmgrd
@@ -282,20 +282,16 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
                 for key, _ in iface_table.items():
                     if not _ip_prefix_in_key(key):
                         continue
-
                     iface_name, iface_cidr = key
-                    ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
+                    ip_iface = ipaddress.ip_interface(iface_cidr)
+                    if isinstance(ip_iface, ipaddress.IPv4Interface):
+                        block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['iptables', '-A', 'INPUT', '-d', format(ip_iface.ip), '-j', 'DROP'])
+                    elif isinstance(ip_iface, ipaddress.IPv6Interface):
+                        block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['ip6tables', '-A', 'INPUT', '-d', format(ip_iface.ip), '-j', 'DROP'])
+                    else:
+                        self.log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_iface))
 
-                    # For VLAN interfaces, the IP address we want to block is the default gateway (i.e.,
-                    # the first available host IP address of the VLAN subnet)
-                    ip_addr = next(ip_ntwrk.hosts()) if iface_table_name == "VLAN_INTERFACE" else ip_ntwrk.network_address
 
-                    if isinstance(ip_ntwrk, ipaddress.IPv4Network):
-                        block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['iptables', '-A', 'INPUT', '-d', '{}/{}'.format(ip_addr, ip_ntwrk.max_prefixlen), '-j', 'DROP'])
-                    elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
-                        block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['ip6tables', '-A', 'INPUT', '-d', '{}/{}'.format(ip_addr, ip_ntwrk.max_prefixlen), '-j', 'DROP'])
-                    else:
-                        self.log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
 
         return block_ip2me_cmds
 

diff --git a/tests/caclmgrd/test_ip2me_vectors.py b/tests/caclmgrd/test_ip2me_vectors.py
@@ -53,9 +53,9 @@
                 "FEATURE": {},
             },
             "return": [
-                ['iptables', '-A', 'INPUT', '-d', '10.10.10.10/32', '-j', 'DROP'],
-                ['iptables', '-A', 'INPUT', '-d', '10.10.11.10/32', '-j', 'DROP'],
-                ['iptables', '-A', 'INPUT', '-d', '10.10.12.10/32', '-j', 'DROP'],
+                ['iptables', '-A', 'INPUT', '-d', '10.10.10.10', '-j', 'DROP'],
+                ['iptables', '-A', 'INPUT', '-d', '10.10.11.10', '-j', 'DROP'],
+                ['iptables', '-A', 'INPUT', '-d', '10.10.12.10', '-j', 'DROP'],
             ],
         },
     ],
@@ -81,7 +81,33 @@
                 "FEATURE": {},
             },
             "return": [
-                ['iptables', '-A', 'INPUT', '-d', '10.10.11.1/32', '-j', 'DROP'],
+                ['iptables', '-A', 'INPUT', '-d', '10.10.11.1', '-j', 'DROP'],
+            ],
+        },
+    ],
+    [
+        "One VLAN interface, /24, we are .2",
+        {
+            "config_db": {
+                "MGMT_INTERFACE": {
+                    "eth0|172.18.0.100/24": {
+                        "gwaddr": "172.18.0.1"
+                    }
+                },
+                "LOOPBACK_INTERFACE": {},
+                "VLAN_INTERFACE": {
+                    "Vlan110|10.10.11.2/24": {},
+                },
+                "PORTCHANNEL_INTERFACE": {},
+                "INTERFACE": {},
+                "DEVICE_METADATA": {
+                    "localhost": {
+                    }
+                },
+                "FEATURE": {},
+            },
+            "return": [
+                "iptables -A INPUT -d 10.10.11.2 -j DROP",
             ],
         },
     ],
@@ -113,11 +139,11 @@
                 "FEATURE": {},
             },
             "return": [
-                ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:10::/128', '-j', 'DROP'],
-                ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:11::1/128', '-j', 'DROP'],
-                ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:12::/128', '-j', 'DROP'],
-                ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:13::/128', '-j', 'DROP']
-            ],  
+                ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:10::', '-j', 'DROP'],
+                ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:11::', '-j', 'DROP'],
+                ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:12::', '-j', 'DROP'],
+                ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:13::', '-j', 'DROP']
+            ],
         },
     ]
 ]