[question] caclmgrd, how is the CP filtering done on Arista platform? #2165
Comments
We will drop their CP implementation and unify on iptables. It is no longer needed.
Thanks. But is this feature currently working with this Arista-specific thing? I wanted to be able to verify whether the rules were applied, but I can't figure out where to look.
@maq123: With the current Arista solution, for SSH, allowed IPs/ranges will be written to
Hi @jleveque, thank you for the clarifications!
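On the iptables path the thread converges on, the place to look is the INPUT chain itself (`iptables -S INPUT` and `ip6tables -S INPUT`), and two things can go wrong there: a rule from CONFIG_DB never gets programmed, or an ACCEPT lands below the service's catch-all DROP and silently never matches. The script below is an added example, not code from caclmgrd or any SONiC repository: it renders CTRLPLANE ACL rules from a constructed CONFIG_DB-shaped sample into iptables/ip6tables commands and checks them against constructed `iptables -S INPUT` output. The service-to-port table, the CONFIG_DB key shapes and the exact rule layout are assumptions made for the example; only the `iptables -S` output format is the real one.

```python
"""Render control-plane ACL rules as iptables/ip6tables commands and check them
against live `iptables -S INPUT` output.  Added example, not caclmgrd's code:
the CONFIG_DB key shapes, the service table and the rule layout are assumed."""
import ipaddress
import shlex

# Assumed service -> (protocol, port) table; caclmgrd keeps its own mapping.
SERVICE_PORTS = {"SSH": ("tcp", 22), "SNMP": ("udp", 161), "NTP": ("udp", 123)}

# Constructed sample config, shaped like ACL_TABLE / ACL_RULE entries.
ACL_TABLES = {"SSH_ONLY": {"type": "CTRLPLANE", "services": ["SSH"]}}
ACL_RULES = {
    ("SSH_ONLY", "RULE_1"): {"PRIORITY": "9999", "SRC_IP": "10.0.0.0/8", "PACKET_ACTION": "ACCEPT"},
    ("SSH_ONLY", "RULE_2"): {"PRIORITY": "9998", "SRC_IP": "192.168.1.5", "PACKET_ACTION": "ACCEPT"},
}

# Constructed `iptables -S INPUT` output in which RULE_2 was never programmed.
LIVE_IPTABLES = """\
-P INPUT ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
"""


def render_rules(acl_tables, acl_rules):
    """Return argv lists in the order they must be appended to INPUT: per
    service, ACCEPT/DROP rules by descending PRIORITY, then a catch-all DROP
    in both address families so unlisted sources cannot reach the service."""
    out = []
    for name, table in acl_tables.items():
        if table.get("type") != "CTRLPLANE":
            continue  # data-plane ACLs go to the ASIC via orchagent, not iptables
        rules = [v for (t, _), v in acl_rules.items() if t == name]
        rules.sort(key=lambda r: int(r.get("PRIORITY", 0)), reverse=True)
        for service in table["services"]:
            proto, port = SERVICE_PORTS[service]
            match = ["-A", "INPUT", "-p", proto, "--dport", str(port)]
            for rule in rules:
                net = ipaddress.ip_network(rule["SRC_IP"], strict=False)
                binary = "ip6tables" if net.version == 6 else "iptables"
                action = "ACCEPT" if rule["PACKET_ACTION"] == "ACCEPT" else "DROP"
                out.append([binary] + match + ["-s", str(net), "-j", action])
            for binary in ("iptables", "ip6tables"):
                out.append([binary] + match + ["-j", "DROP"])
    return out


def _key(argv):
    """Canonical (proto, dport, source, target) for one rule, ignoring option
    order and the `-m tcp`/`-m udp` that `iptables -S` inserts."""
    opts = {"-p": "all", "--dport": "", "-s": "any", "-j": ""}
    it = iter(argv)
    for tok in it:
        if tok in opts:
            opts[tok] = next(it)
        elif tok == "-m":
            next(it)  # match-extension name; carries no information here
    return tuple(opts[k] for k in ("-p", "--dport", "-s", "-j"))


def parse_live(text):
    """Parse `iptables -S INPUT` output into canonical rule keys, in chain
    order (policy lines such as `-P INPUT ACCEPT` are skipped)."""
    return [_key(shlex.split(l)) for l in text.splitlines() if l.startswith("-A INPUT")]


def missing_rules(expected, live_text, binary="iptables"):
    """Expected rules for `binary` that are absent from the live chain, as
    command strings; an empty list means every rule is programmed."""
    live = set(parse_live(live_text))
    return [" ".join(a) for a in expected if a[0] == binary and _key(a) not in live]


def shadowed_accepts(live_text):
    """ACCEPT rules that sit below the catch-all DROP for the same proto/port;
    INPUT is evaluated top-down, so those sources are actually locked out."""
    dropped, shadowed = set(), []
    for proto, port, src, target in parse_live(live_text):
        if target == "DROP" and src == "any":
            dropped.add((proto, port))
        elif target == "ACCEPT" and (proto, port) in dropped:
            shadowed.append((proto, port, src))
    return shadowed


if __name__ == "__main__":
    rules = render_rules(ACL_TABLES, ACL_RULES)
    for r in rules:
        print(" ".join(r))
    print("missing:", missing_rules(rules, LIVE_IPTABLES))
    print("shadowed:", shadowed_accepts(LIVE_IPTABLES))
```

On a device you would replace `LIVE_IPTABLES` with the output of `iptables -S INPUT` (and run the same check against `ip6tables -S INPUT` with `binary="ip6tables"`); a missing rule or a shadowed ACCEPT is what "the rule is in CONFIG_DB but SSH is still blocked" usually looks like.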
In one of the pull requests (fcd1bb6) I see the information that Arista uses its own proprietary solution to implement CP ACLs.
Could anyone shed more light on this mechanism? Is it completely independent from iptables?