diff --git a/scripts/caclmgrd b/scripts/caclmgrd
index 2237010b..2e4420c1 100755
--- a/scripts/caclmgrd
+++ b/scripts/caclmgrd
@@ -282,20 +282,16 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
 for key, _ in iface_table.items():
 if not _ip_prefix_in_key(key):
 continue
- iface_name, iface_cidr = key
- ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
+ ip_iface = ipaddress.ip_interface(iface_cidr)
+ if isinstance(ip_iface, ipaddress.IPv4Interface):
+ block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['iptables', '-A', 'INPUT', '-d', format(ip_iface.ip), '-j', 'DROP'])
+ elif isinstance(ip_iface, ipaddress.IPv6Interface):
+ block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['ip6tables', '-A', 'INPUT', '-d', format(ip_iface.ip), '-j', 'DROP'])
+ else:
+ self.log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_iface))
- # For VLAN interfaces, the IP address we want to block is the default gateway (i.e.,
- # the first available host IP address of the VLAN subnet)
- ip_addr = next(ip_ntwrk.hosts()) if iface_table_name == "VLAN_INTERFACE" else ip_ntwrk.network_address
- if isinstance(ip_ntwrk, ipaddress.IPv4Network):
- block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['iptables', '-A', 'INPUT', '-d', '{}/{}'.format(ip_addr, ip_ntwrk.max_prefixlen), '-j', 'DROP'])
- elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
- block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['ip6tables', '-A', 'INPUT', '-d', '{}/{}'.format(ip_addr, ip_ntwrk.max_prefixlen), '-j', 'DROP'])
- else:
- self.log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
 return block_ip2me_cmds
diff --git a/tests/caclmgrd/test_ip2me_vectors.py b/tests/caclmgrd/test_ip2me_vectors.py
index 4cb75a32..cf4c46a9 100644
--- a/tests/caclmgrd/test_ip2me_vectors.py
+++ b/tests/caclmgrd/test_ip2me_vectors.py
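Review bot: In the scripts/caclmgrd hunk the new code still reads `iface_cidr` in `ipaddress.ip_interface(iface_cidr)` and `iface_name` in the log_warning call, yet the only line that binds them, `iface_name, iface_cidr = key`, is shown with a removal marker and nothing re-binds them, so as rendered the first prefix-bearing key raises NameError; if that marker is a rendering artefact and the unpacking is still present, disregard this point. Otherwise keep `iface_name, iface_cidr = key` as the first statement after the continue. The old comment explaining which address gets dropped was removed together with the gateway logic and nothing replaces it; a one-liner above the ip_interface call such as `# ip2me: drop traffic addressed to this interface's own configured address (no longer the subnet or first-host/gateway address)` would record the new intent for the next maintainer. The enclosing loop and its caller start before the hunk.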
@@ -53,9 +53,9 @@
 "FEATURE": {},
 },
 "return": [
- ['iptables', '-A', 'INPUT', '-d', '10.10.10.10/32', '-j', 'DROP'],
- ['iptables', '-A', 'INPUT', '-d', '10.10.11.10/32', '-j', 'DROP'],
- ['iptables', '-A', 'INPUT', '-d', '10.10.12.10/32', '-j', 'DROP'],
+ ['iptables', '-A', 'INPUT', '-d', '10.10.10.10', '-j', 'DROP'],
+ ['iptables', '-A', 'INPUT', '-d', '10.10.11.10', '-j', 'DROP'],
+ ['iptables', '-A', 'INPUT', '-d', '10.10.12.10', '-j', 'DROP'],
 ],
 },
 ],
@@ -81,7 +81,33 @@
 "FEATURE": {},
 },
 "return": [
- ['iptables', '-A', 'INPUT', '-d', '10.10.11.1/32', '-j', 'DROP'],
+ ['iptables', '-A', 'INPUT', '-d', '10.10.11.1', '-j', 'DROP'],
+ ],
+ },
+ ],
+ [
+ "One VLAN interface, /24, we are .2",
+ {
+ "config_db": {
+ "MGMT_INTERFACE": {
+ "eth0|172.18.0.100/24": {
+ "gwaddr": "172.18.0.1"
+ }
+ },
+ "LOOPBACK_INTERFACE": {},
+ "VLAN_INTERFACE": {
+ "Vlan110|10.10.11.2/24": {},
+ },
+ "PORTCHANNEL_INTERFACE": {},
+ "INTERFACE": {},
+ "DEVICE_METADATA": {
+ "localhost": {
+ }
+ },
+ "FEATURE": {},
+ },
+ "return": [
+ "iptables -A INPUT -d 10.10.11.2 -j DROP",
 ],
 },
 ],
@@ -113,11 +139,11 @@
 "FEATURE": {},
 },
 "return": [
- ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:10::/128', '-j', 'DROP'],
- ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:11::1/128', '-j', 'DROP'],
- ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:12::/128', '-j', 'DROP'],
- ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:13::/128', '-j', 'DROP']
- ],
+ ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:10::', '-j', 'DROP'],
+ ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:11::', '-j', 'DROP'],
+ ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:12::', '-j', 'DROP'],
+ ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:13::', '-j', 'DROP']
+ ],
 },
 ]
 ]
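Review bot: The new "One VLAN interface, /24, we are .2" vector in the second hunk expects `"iptables -A INPUT -d 10.10.11.2 -j DROP"` as a single string, while every other vector in this file, including the line changed just above it, expects the command as a list, and the caclmgrd change appears to build lists (`... + ['iptables', '-A', 'INPUT', '-d', format(ip_iface.ip), '-j', 'DROP']`). Unless the harness joins the command before comparing, this case cannot match the generated output and the VLAN behaviour the commit is meant to pin down goes untested. It should read `['iptables', '-A', 'INPUT', '-d', '10.10.11.2', '-j', 'DROP'],`. The surrounding vector list starts and ends outside the hunk.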