[question] caclmgrd, how is the CP filtering done on Arista platform? #2165

Closed
maq123 opened this issue Oct 18, 2018 · 4 comments

maq123 commented Oct 18, 2018

In one of the pull requests: fcd1bb6 I see the information that Arista uses its own proprietary solution to implement CP ACLs.

Could anyone shed more light onto this mechanism? Is it completely independent from iptables?

lguohan (Collaborator) commented Oct 18, 2018

We will drop their CP implementation and unify to use iptables. It is no longer needed.

maq123 (Author) commented Oct 19, 2018

Thanks. But is this feature working currently with this Arista-specific thing? I wanted to be able to verify if the rules were applied but can't figure out where to look.

jleveque (Contributor) commented

@maq123: With the current Arista solution, for SSH, allowed IPs/ranges will be written to /etc/sshd.allow in the base image, and for SNMP, allowed IPs/ranges will be written to /etc/snmp/snmpd.conf inside the SNMP container. Please let me know if you have further questions.
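
One way to verify that the rules were applied in the two files named above, as an added example that is not part of the original thread or of the SONiC code base. The function names and the sample file contents are hypothetical and constructed; the line formats in the samples are assumptions, so the parser only looks for address tokens and does not depend on them.

```python
import ipaddress
import re

# An address-like token with an optional /prefix. Matches are validated
# with the ipaddress module, so keywords and port numbers are discarded.
_TOKEN = re.compile(r"[0-9A-Fa-f:.]+(?:/\d{1,3})?")


def extract_networks(text):
    """Return every IP network mentioned on the non-comment part of each line."""
    found = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # ignore comments
        for tok in _TOKEN.findall(line):
            if "." not in tok and ":" not in tok:
                continue  # bare hex letters or numbers, not an address
            try:
                # strict=False normalises host bits: 10.1.2.3/8 -> 10.0.0.0/8
                found.add(ipaddress.ip_network(tok, strict=False))
            except ValueError:
                continue
    return found


def audit(expected, text):
    """Compare the source ranges you configured with what the file contains.

    'missing'    = configured but not written (the ACL was not applied)
    'unexpected' = written but not configured (stale or overly broad allow)
    """
    want = {ipaddress.ip_network(e, strict=False) for e in expected}
    have = extract_networks(text)
    return {
        "missing": sorted(str(n) for n in want - have),
        "unexpected": sorted(str(n) for n in have - want),
    }


# Constructed sample contents; the real line format may differ.
SAMPLE_SSHD_ALLOW = """\
# constructed sample of /etc/sshd.allow
sshd: 192.0.2.0/24
sshd: 203.0.113.7
"""
SAMPLE_SNMPD_CONF = """\
# constructed sample of /etc/snmp/snmpd.conf
agentAddress udp:161
rocommunity public 198.51.100.0/24
rocommunity public 10.0.0.0/8
"""

if __name__ == "__main__":
    print("ssh :", audit(["192.0.2.0/24", "203.0.113.7"], SAMPLE_SSHD_ALLOW))
    print("snmp:", audit(["198.51.100.0/24"], SAMPLE_SNMPD_CONF))
```

On a device, pass `audit` the contents of `/etc/sshd.allow` read from the base image and of `/etc/snmp/snmpd.conf` read from inside the SNMP container; a non-empty `unexpected` list is the case to investigate first, since it means a source is allowed that the configuration does not ask for.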

maq123 (Author) commented Oct 26, 2018

Hi @jleveque, thank you for the clarifications!

maq123 closed this as completed Oct 26, 2018