Solved

Cumulus VX ACL - iptables only catches packets in the output chain

  • 27 June 2018
  • 3 replies
  • 412 views

Modified output of 'sudo cl-acltool -L ip':

TABLE filter :
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 368 packets, 38814 bytes)

TABLE mangle :
Chain PREROUTING (policy ACCEPT 1082 packets, 80928 bytes)
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 370 packets, 39014 bytes)
Chain POSTROUTING (policy ACCEPT 370 packets, 39014 bytes)

TABLE raw :
Chain PREROUTING (policy ACCEPT 1082 packets, 80928 bytes)
Chain OUTPUT (policy ACCEPT 372 packets, 39230 bytes)

When I make rules using the NCLU, they get put in the FORWARD chain of the filter table, but packets aren't being matched against rules in that chain. Where should I put rules to block traffic coming in and out of the management interface, eth0?

Best answer by Eric Pulvino 27 June 2018, 22:27

mv /etc/cumulus/acl/policy.d/00control_plane.rules /etc/cumulus/acl/policy.d/01control_plane.rules

cat <<EOT > /etc/cumulus/acl/policy.d/00block_ping.rules
[iptables]
-A INPUT --in-interface eth0 -p icmp -j DROP
EOT

cl-acltool -i


This works for me. Essentially it boils down to being an order of operations item.
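Why the rename matters, as an added simulation written for this page (not Cumulus code): cl-acltool stacks the policy.d files in lexical file-name order into one first-match ruleset, so the file that sorts first gets the first chance to decide the packet. The control-plane file body below is a constructed stand-in that assumes it carries an ACCEPT for ICMP on INPUT; only the options used in the thread (-A, --in-interface/-i, -p, -j) are parsed.

```python
"""First-match simulation of how cl-acltool stacks policy.d rule files.

Added example, not Cumulus code. Assumptions (constructed for the demo):
  - rule files are read in lexical order and each file's rules are appended,
    in order, to the named iptables chain;
  - the stock 00control_plane.rules contains a rule that ACCEPTs ICMP on INPUT
    (a one-line stand-in; the real file is much longer).
"""
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed policy.d contents: file name -> file body.
POLICY_D_BEFORE = {
    "00control_plane.rules": "[iptables]\n-A INPUT -p icmp -j ACCEPT\n",
    "10_block_ping.rules": "[iptables]\n-A INPUT --in-interface eth0 -p icmp -j DROP\n",
}
# Same rules after the rename from the accepted answer: the ping block now sorts first.
POLICY_D_AFTER = {
    "01control_plane.rules": POLICY_D_BEFORE["00control_plane.rules"],
    "00block_ping.rules": POLICY_D_BEFORE["10_block_ping.rules"],
}

Rule = Tuple[str, Dict[str, str], str, str]  # chain, match options, target, source file


def parse_policy(files: Dict[str, str]) -> List[Rule]:
    """Flatten the rule files into one ordered list, as a first-match ruleset sees it."""
    rules: List[Rule] = []
    for name in sorted(files):               # lexical order == install order
        section = None
        for line in files[name].splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
                continue
            if section != "iptables":
                continue                     # [ip6tables]/[ebtables] sections are ignored here
            toks = shlex.split(line)
            chain, match, target = None, {}, None
            i = 0
            while i < len(toks):
                if toks[i] == "-A":
                    chain = toks[i + 1]; i += 2
                elif toks[i] in ("--in-interface", "-i"):
                    match["in"] = toks[i + 1]; i += 2
                elif toks[i] == "-p":
                    match["proto"] = toks[i + 1]; i += 2
                elif toks[i] == "-j":
                    target = toks[i + 1]; i += 2
                else:
                    raise ValueError(f"{name}: unsupported option {toks[i]!r} in {line!r}")
            if chain is None or target is None:
                raise ValueError(f"{name}: rule needs both -A and -j: {line!r}")
            rules.append((chain, match, target, name))
    return rules


def evaluate(rules: List[Rule], chain: str, pkt: Dict[str, str],
             policy: str = "ACCEPT") -> Tuple[str, Optional[str]]:
    """Return (verdict, file that decided it); file is None when the chain policy applied."""
    for rchain, match, target, src in rules:
        if rchain != chain:
            continue
        if all(pkt.get(k) == v for k, v in match.items()):
            return target, src
    return policy, None


if __name__ == "__main__":
    ping = {"in": "eth0", "proto": "icmp"}
    for label, files in (("before rename", POLICY_D_BEFORE), ("after rename", POLICY_D_AFTER)):
        verdict, src = evaluate(parse_policy(files), "INPUT", ping)
        print(f"{label}: ICMP in on eth0 -> {verdict} (decided by {src})")
```

Before the rename the control-plane ACCEPT sits ahead of the DROP and wins; after it the DROP is evaluated first. Pings arriving on any other interface still fall through to the control-plane rule, which is the behaviour you want to confirm before rolling the change out to a real box.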

3 replies

You may want to check that rules in the forward chain are getting installed in the kernel.

sudo iptables-save is how you would do this on a traditional non-HW-accelerated Linux system (which is what VX is).

I'm pretty sure VX does not install rules in the forward chain because those would usually be programmed into HW instead; since the HW/ASIC is not there, they're not installed.

TL;DR: Forward rules may not be supported in VX. You could probably take them and install them with iptables rules directly, however. Note that when you do this some of the complex features like SPAN and Policing will not work, as there are no primitives in the kernel to support these operations.
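As an added check for the point above (example code written for this page, not Cumulus tooling): a small Python parser for `iptables -vL` output that separates "no rules installed" from "rules installed but the chain never sees packets". The first sample is a constructed copy of the output shown later in this thread; the second is a constructed layout with one rule per chain to exercise the other branches. On a real box you would feed it the output of `sudo iptables -vL` (or `sudo iptables-save -c`, which carries the same counters in a different layout).

```python
"""Classify iptables chains from `iptables -vL` output.

Added example, not Cumulus or the poster's code. Both samples below are constructed.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed copy of the `sudo iptables -vL` output in this thread: no rules, only OUTPUT counting.
SAMPLE_VX = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 138 packets, 10792 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed output for a box where an INPUT drop was installed but never hit,
# while an OUTPUT drop is matching (the situation the poster describes).
SAMPLE_RULES = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  eth0   any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 138 packets, 10792 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1008 DROP       icmp --  any    eth0    anywhere             anywhere
"""

BUILTIN_RE = re.compile(r"^Chain (\S+) \(policy (\w+) (\d+) packets, (\d+) bytes\)")
USER_RE = re.compile(r"^Chain (\S+) \(\d+ references\)")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


class Chain(NamedTuple):
    name: str
    policy: str            # "-" for user-defined chains, which have no policy
    policy_pkts: int       # packets that fell through to the chain policy
    rule_pkts: List[int]   # per-rule hit counters, in rule order


def _count(tok: str) -> int:
    """`iptables -vL` abbreviates large counters as 12K / 3M; expand them."""
    if tok[-1] in SUFFIX:
        return int(tok[:-1]) * SUFFIX[tok[-1]]
    return int(tok)


def parse_vl(text: str) -> Dict[str, Chain]:
    """Parse `iptables -vL` output into one Chain record per chain."""
    chains: Dict[str, Chain] = {}
    cur = None
    for line in text.splitlines():
        m = BUILTIN_RE.match(line)
        u = USER_RE.match(line)
        if m:
            cur = Chain(m.group(1), m.group(2), int(m.group(3)), [])
            chains[cur.name] = cur
        elif u:
            cur = Chain(u.group(1), "-", 0, [])
            chains[cur.name] = cur
        elif line.strip() and not line.lstrip().startswith("pkts") and cur is not None:
            cur.rule_pkts.append(_count(line.split()[0]))   # first column is the hit count
    return chains


def diagnose(chains: Dict[str, Chain]) -> Dict[str, str]:
    """One finding per chain, distinguishing the two failure modes discussed in the thread."""
    findings = {}
    for name, ch in chains.items():
        if not ch.rule_pkts:
            findings[name] = "no rules installed"
        elif ch.policy_pkts == 0 and sum(ch.rule_pkts) == 0:
            findings[name] = "rules installed, no packets traverse chain"
        else:
            findings[name] = "chain passing traffic"
    return findings


if __name__ == "__main__":
    for label, sample in (("VX output from the thread", SAMPLE_VX), ("constructed sample", SAMPLE_RULES)):
        print(label)
        for name, finding in diagnose(parse_vl(sample)).items():
            print(f"  {name}: {finding}")
```

If a chain reports "no rules installed" after `cl-acltool -i`, the rules never reached the kernel and the policy file or install order is the place to look; "rules installed, no packets traverse chain" means the rules are there but the traffic is taking a different path, which is a separate question from rule syntax.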

Thanks for your response Eric.

I'm pretty sure VX does not install rules in the forward chain because those would usually be programmed into HW instead; since the HW/ASIC is not there, they're not installed.

When I use NCLU to install the rules, they get installed in the forward chain. I installed a couple of rules to block pings in the output chain using cl-acltool. When I watch the stats, I can see the pings being blocked:



I'm guessing the pings to the VM are being processed, a response is generated, and then blocked by the output chain rules.

When I try to install a rule blocking incoming packets, it errors out (understandably):
cumulus@Leaf01:mgmt-vrf:~/acl_test$ sudo cl-acltool -i -P ./block_ping2/
warning: Detected platform is Cumulus VX
warning: Running in no-hw-sync mode. No rules will be programmed in hw
Reading rule file ./block_ping2//00control_plane.rules ...
Processing rules in file ./block_ping2//00control_plane.rules ...
Reading rule file ./block_ping2//10_block_ping.rules ...
Processing rules in file ./block_ping2//10_block_ping.rules ...
error: line 2 : input interface specified with OUTPUT chain
error processing rule '-A OUTPUT --in-interface eth0 -p icmp -j DROP'
No acl policies to install, ... aborting

So how do I block ingressing packets, when the input chain doesn't catch any packets?
cumulus@Leaf01:mgmt-vrf:~/acl_test$ sudo iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 138 packets, 10792 bytes)
pkts bytes target prot opt in out source destination