Loading src/tests/tools/firewall_agent/docs/TODO.mddeleted 100644 → 0 +0 −10 Original line number Diff line number Diff line # TODO - To block traffic to a MicroK8s service, apply rule: `sudo nft add/insert rule ip filter FORWARD iifname "enp0s3" tcp dport 85 drop` - when applying to ingress, also apply to FORWARD - when applying to egress, also apply to FORWARD - rules (INPUT, FORWARD, OUTPUT) should be applied based on sequence_id - negative sequence_id => insert on top (first -1, then -2, then -3) so that order of rules is -3,-2,-1 at top of the chain - positive sequence_id => append on bottom (first 0, then 1, then 2) so that order of rules is 0, 1, 2 at bottom of the chain src/tests/tools/firewall_agent/scripts/data/allow_30435_from_10_0_2_10.json 0 → 100644 +27 −0 Original line number Diff line number Diff line {"openconfig-acl:acl": { "acl-sets": {"acl-set": [{ "name": "ip-filter-input", "type": "ACL_IPV4", "config": {"name": "ip-filter-input", "type": "ACL_IPV4"}, "acl-entries": {"acl-entry": [ { "sequence-id": 1, "config": {"sequence-id": 1, "description": "allow-30435-from-10-0-2-10"}, "ipv4": {"config": {"source-address": "10.0.2.10/32", "protocol": "IP_TCP"}}, "transport": {"config": {"destination-port": 30435}}, "actions": {"config": {"forwarding-action": "ALLOW"}} } ]} }]}, "interfaces": {"interface": [{ "id": "enp0s3", "config": {"id": "enp0s3"}, "interface-ref": {"config": {"interface": "enp0s3", "subinterface": 1}}, "ingress-acl-sets": {"ingress-acl-set": [ { "set-name": "ip-filter-input", "type": "ACL_IPV4", "config": {"set-name": "ip-filter-input", "type": "ACL_IPV4"}, "acl-entries": {"acl-entry": [{"sequence-id": 1}]} } ]} }]} }} src/tests/tools/firewall_agent/scripts/data/allow_30435_from_10_0_2_2.json 0 → 100644 +27 −0 Original line number Diff line number Diff line {"openconfig-acl:acl": { "acl-sets": {"acl-set": [{ "name": "ip-filter-input", "type": "ACL_IPV4", "config": {"name": "ip-filter-input", "type": "ACL_IPV4"}, "acl-entries": 
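Review bot: This new file and its sibling allow_30435_from_10_0_2_2.json both place their entry at `"sequence-id": 1` inside the same acl-set `"ip-filter-input"`, and in openconfig-acl sequence-id is the list key of acl-entry, so once both bodies are posted the set holds two entries with the same key. Whether the agent rejects the second POST or silently replaces the first is not visible here, but either way only one of the two allows can be expected to survive. Give them distinct ids, e.g. keep `"sequence-id": 1` here and use `"sequence-id": 2` in the 10.0.2.2 file, and mirror the value in each file's interface-level `"acl-entries": {"acl-entry": [{"sequence-id": N}]}` reference.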
{"acl-entry": [ { "sequence-id": 1, "config": {"sequence-id": 1, "description": "allow-30435-from-10-0-2-2"}, "ipv4": {"config": {"source-address": "10.0.2.2/32", "protocol": "IP_TCP"}}, "transport": {"config": {"destination-port": 30435}}, "actions": {"config": {"forwarding-action": "ALLOW"}} } ]} }]}, "interfaces": {"interface": [{ "id": "enp0s3", "config": {"id": "enp0s3"}, "interface-ref": {"config": {"interface": "enp0s3", "subinterface": 1}}, "ingress-acl-sets": {"ingress-acl-set": [ { "set-name": "ip-filter-input", "type": "ACL_IPV4", "config": {"set-name": "ip-filter-input", "type": "ACL_IPV4"}, "acl-entries": {"acl-entry": [{"sequence-id": 1}]} } ]} }]} }} src/tests/tools/firewall_agent/scripts/data/oc_acl_block_30435_all.json→src/tests/tools/firewall_agent/scripts/data/block_30435_from_all.json +3 −3 Original line number Diff line number Diff line Loading @@ -4,8 +4,8 @@ "config": {"name": "ip-filter-input", "type": "ACL_IPV4"}, "acl-entries": {"acl-entry": [ { "sequence-id": 1, "config": {"sequence-id": 1, "description": "drop-30435-all"}, "sequence-id": 10000, "config": {"sequence-id": 10000, "description": "drop-30435-from-all"}, "ipv4": {"config": {"protocol": "IP_TCP"}}, "transport": {"config": {"destination-port": 30435}}, "actions": {"config": {"forwarding-action": "DROP"}} Loading @@ -20,7 +20,7 @@ { "set-name": "ip-filter-input", "type": "ACL_IPV4", "config": {"set-name": "ip-filter-input", "type": "ACL_IPV4"}, "acl-entries": {"acl-entry": [{"sequence-id": 1}]} "acl-entries": {"acl-entry": [{"sequence-id": 10000}]} } ]} }]} Loading src/tests/tools/firewall_agent/scripts/test_commands.sh +8 −12 Original line number Diff line number Diff line Loading 
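Review bot: Moving the DROP entry to `"sequence-id": 10000` only places it below the two `"sequence-id": 1` ALLOW entries if the agent orders entries by sequence-id rather than by the order in which the bodies arrive; the deleted TODO.md described positive ids as "append on bottom" in application order, and test_commands.sh now POSTs this drop first, so under that reading the drop would sit above the allows and shadow them. If the agent does sort by id, a short note in the description or the test script saying so would make the intent checkable; if it does not, the POST order in the script should be reversed. Both hunks here cut through the JSON object, so the rest of the acl-set is outside the view.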
@@ -18,18 +18,14 @@ curl http://172.17.0.1:8888/restconf/data/openconfig-platform:components curl http://172.17.0.1:8888/restconf/data/openconfig-interfaces:interfaces curl http://172.17.0.1:8888/restconf/data/openconfig-acl:acl wget -q -O- http://localhost:8001 wget -q -O- http://localhost:8002 curl -X POST -d @scripts/data/block_30435_from_all.json http://127.0.0.1:8888/restconf/data/openconfig-acl:acl curl -X POST -d @scripts/data/allow_30435_from_10_0_2_2.json http://127.0.0.1:8888/restconf/data/openconfig-acl:acl curl -X POST -d @scripts/data/allow_30435_from_10_0_2_10.json http://127.0.0.1:8888/restconf/data/openconfig-acl:acl curl -X POST -d @scripts/data/oc_acl_block_8001.json http://127.0.0.1:8888/restconf/data/openconfig-acl:acl curl -X POST -d @scripts/data/oc_acl_block_8002.json http://127.0.0.1:8888/restconf/data/openconfig-acl:acl curl -X POST -d @scripts/data/oc_acl_multi_rule.json http://127.0.0.1:8888/restconf/data/openconfig-acl:acl wget -q -O- http://localhost:8001 wget -q -O- http://localhost:8002 curl http://172.17.0.1:8888/restconf/data/openconfig-acl:acl curl -X DELETE http://172.17.0.1:8888/restconf/data/openconfig-acl:acl/acl-sets/acl-set=drop-8001-host curl -X DELETE http://172.17.0.1:8888/restconf/data/openconfig-acl:acl/acl-sets/acl-set=drop-8002-ext curl -X DELETE http://172.17.0.1:8888/restconf/data/openconfig-acl:acl/acl-sets/acl-set=allow-30435-from-10-0-2-2 curl -X DELETE http://172.17.0.1:8888/restconf/data/openconfig-acl:acl/acl-sets/acl-set=allow-30435-from-10-0-2-10 curl -X DELETE http://172.17.0.1:8888/restconf/data/openconfig-acl:acl/acl-sets/acl-set=block-30435-from-all curl -X POST -d @scripts/data/oc_acl_block_30435_all.json http://127.0.0.1:8888/restconf/data/openconfig-acl:acl curl -X DELETE http://172.17.0.1:8888/restconf/data/openconfig-acl:acl/acl-sets/acl-set=drop-30435-all curl http://172.17.0.1:8888/restconf/data/openconfig-acl:acl Loading
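Review bot: The DELETE near the end of the hunk targets `acl-set=block-30435-from-all`, but the body posted from block_30435_from_all.json carries the description `drop-30435-from-all` (and acl-set name `ip-filter-input`); the other two DELETEs match their files' descriptions exactly, as the pre-change pair (`drop-30435-all`) did, so if the agent keys deletions on the description this one will not find the entry it is meant to remove. Either change the description to `block-30435-from-all` or change the command to `curl -X DELETE http://172.17.0.1:8888/restconf/data/openconfig-acl:acl/acl-sets/acl-set=drop-30435-from-all`. Separately, the three POSTs send JSON with no content type, so curl labels the body `application/x-www-form-urlencoded`; unless the agent is known to ignore the header, add `-H 'Content-Type: application/yang-data+json'` to each. The rest of the script, including any `set -e`, is outside the hunk.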
src/tests/tools/firewall_agent/docs/TODO.mddeleted 100644 → 0 +0 −10 Original line number Diff line number Diff line # TODO - To block traffic to a MicroK8s service, apply rule: `sudo nft add/insert rule ip filter FORWARD iifname "enp0s3" tcp dport 85 drop` - when applying to ingress, also apply to FORWARD - when applying to egress, also apply to FORWARD - rules (INPUT, FORWARD, OUTPUT) should be applied based on sequence_id - negative sequence_id => insert on top (first -1, then -2, then -3) so that order of rules is -3,-2,-1 at top of the chain - positive sequence_id => append on bottom (first 0, then 1, then 2) so that order of rules is 0, 1, 2 at bottom of the chain
src/tests/tools/firewall_agent/scripts/data/allow_30435_from_10_0_2_10.json 0 → 100644 +27 −0 Original line number Diff line number Diff line {"openconfig-acl:acl": { "acl-sets": {"acl-set": [{ "name": "ip-filter-input", "type": "ACL_IPV4", "config": {"name": "ip-filter-input", "type": "ACL_IPV4"}, "acl-entries": {"acl-entry": [ { "sequence-id": 1, "config": {"sequence-id": 1, "description": "allow-30435-from-10-0-2-10"}, "ipv4": {"config": {"source-address": "10.0.2.10/32", "protocol": "IP_TCP"}}, "transport": {"config": {"destination-port": 30435}}, "actions": {"config": {"forwarding-action": "ALLOW"}} } ]} }]}, "interfaces": {"interface": [{ "id": "enp0s3", "config": {"id": "enp0s3"}, "interface-ref": {"config": {"interface": "enp0s3", "subinterface": 1}}, "ingress-acl-sets": {"ingress-acl-set": [ { "set-name": "ip-filter-input", "type": "ACL_IPV4", "config": {"set-name": "ip-filter-input", "type": "ACL_IPV4"}, "acl-entries": {"acl-entry": [{"sequence-id": 1}]} } ]} }]} }}
src/tests/tools/firewall_agent/scripts/data/allow_30435_from_10_0_2_2.json 0 → 100644 +27 −0 Original line number Diff line number Diff line {"openconfig-acl:acl": { "acl-sets": {"acl-set": [{ "name": "ip-filter-input", "type": "ACL_IPV4", "config": {"name": "ip-filter-input", "type": "ACL_IPV4"}, "acl-entries": {"acl-entry": [ { "sequence-id": 1, "config": {"sequence-id": 1, "description": "allow-30435-from-10-0-2-2"}, "ipv4": {"config": {"source-address": "10.0.2.2/32", "protocol": "IP_TCP"}}, "transport": {"config": {"destination-port": 30435}}, "actions": {"config": {"forwarding-action": "ALLOW"}} } ]} }]}, "interfaces": {"interface": [{ "id": "enp0s3", "config": {"id": "enp0s3"}, "interface-ref": {"config": {"interface": "enp0s3", "subinterface": 1}}, "ingress-acl-sets": {"ingress-acl-set": [ { "set-name": "ip-filter-input", "type": "ACL_IPV4", "config": {"set-name": "ip-filter-input", "type": "ACL_IPV4"}, "acl-entries": {"acl-entry": [{"sequence-id": 1}]} } ]} }]} }}
src/tests/tools/firewall_agent/scripts/data/oc_acl_block_30435_all.json→src/tests/tools/firewall_agent/scripts/data/block_30435_from_all.json +3 −3 Original line number Diff line number Diff line Loading @@ -4,8 +4,8 @@ "config": {"name": "ip-filter-input", "type": "ACL_IPV4"}, "acl-entries": {"acl-entry": [ { "sequence-id": 1, "config": {"sequence-id": 1, "description": "drop-30435-all"}, "sequence-id": 10000, "config": {"sequence-id": 10000, "description": "drop-30435-from-all"}, "ipv4": {"config": {"protocol": "IP_TCP"}}, "transport": {"config": {"destination-port": 30435}}, "actions": {"config": {"forwarding-action": "DROP"}} Loading @@ -20,7 +20,7 @@ { "set-name": "ip-filter-input", "type": "ACL_IPV4", "config": {"set-name": "ip-filter-input", "type": "ACL_IPV4"}, "acl-entries": {"acl-entry": [{"sequence-id": 1}]} "acl-entries": {"acl-entry": [{"sequence-id": 10000}]} } ]} }]} Loading
src/tests/tools/firewall_agent/scripts/test_commands.sh +8 −12 Original line number Diff line number Diff line Loading 
@@ -18,18 +18,14 @@ curl http://172.17.0.1:8888/restconf/data/openconfig-platform:components curl http://172.17.0.1:8888/restconf/data/openconfig-interfaces:interfaces curl http://172.17.0.1:8888/restconf/data/openconfig-acl:acl wget -q -O- http://localhost:8001 wget -q -O- http://localhost:8002 curl -X POST -d @scripts/data/block_30435_from_all.json http://127.0.0.1:8888/restconf/data/openconfig-acl:acl curl -X POST -d @scripts/data/allow_30435_from_10_0_2_2.json http://127.0.0.1:8888/restconf/data/openconfig-acl:acl curl -X POST -d @scripts/data/allow_30435_from_10_0_2_10.json http://127.0.0.1:8888/restconf/data/openconfig-acl:acl curl -X POST -d @scripts/data/oc_acl_block_8001.json http://127.0.0.1:8888/restconf/data/openconfig-acl:acl curl -X POST -d @scripts/data/oc_acl_block_8002.json http://127.0.0.1:8888/restconf/data/openconfig-acl:acl curl -X POST -d @scripts/data/oc_acl_multi_rule.json http://127.0.0.1:8888/restconf/data/openconfig-acl:acl wget -q -O- http://localhost:8001 wget -q -O- http://localhost:8002 curl http://172.17.0.1:8888/restconf/data/openconfig-acl:acl curl -X DELETE http://172.17.0.1:8888/restconf/data/openconfig-acl:acl/acl-sets/acl-set=drop-8001-host curl -X DELETE http://172.17.0.1:8888/restconf/data/openconfig-acl:acl/acl-sets/acl-set=drop-8002-ext curl -X DELETE http://172.17.0.1:8888/restconf/data/openconfig-acl:acl/acl-sets/acl-set=allow-30435-from-10-0-2-2 curl -X DELETE http://172.17.0.1:8888/restconf/data/openconfig-acl:acl/acl-sets/acl-set=allow-30435-from-10-0-2-10 curl -X DELETE http://172.17.0.1:8888/restconf/data/openconfig-acl:acl/acl-sets/acl-set=block-30435-from-all curl -X POST -d @scripts/data/oc_acl_block_30435_all.json http://127.0.0.1:8888/restconf/data/openconfig-acl:acl curl -X DELETE http://172.17.0.1:8888/restconf/data/openconfig-acl:acl/acl-sets/acl-set=drop-30435-all curl http://172.17.0.1:8888/restconf/data/openconfig-acl:acl