Open louishot opened 1 year ago
This looks like a new feature request to further protect BGP from remote connections. Currently SONiC does not support this feature.
We, Kamel Networks, have implemented this in our patch set. Happy to upstream if the maintainers want it.
https://github.com/sonic-net/sonic-host-services/commit/3c5a1e9f977be7220c6b8a79f9c568b4f868338c
@bluecmd Is the iptables-based firewall processing packets in the Linux kernel or in the Hardware Packet Forwarding Engine (PFE)? If in the Linux kernel, performance is terrible; it can only process up to 1M pps,
so it won't help if the packet can't be dropped by the PFE.
This particular commit is iptables, as is all other fine-grained blocking that I'm aware of in SONiC. Happy to switch to a hardware-based one if that's doable. Right now I'm just piggybacking on what SONiC already has.
@bluecmd I see https://github.com/sonic-net/SONiC/blob/master/doc/acl/ACL-High-Level-Design.md. In Phase 1, basic ACL functionality will be implemented: complete data flow (from input JSON file to ASIC), creating/removing ACL Tables and ACL Rules; rules will support simple matching (all except ranges) and permit/deny actions.
When configuring the control plane ACL, it just generates some iptables rules at the OS level; not sure if it was written to the Packet Forwarding Engine (called 'ASIC' in SONiC).
Hello,
I'm looking for a whitelist for BGP to allow specified IPs to establish BGP sessions and reject the others. This helps with security and avoids DDoS traffic hitting the control plane.
I see SONiC creates these rules by default. I also checked this: https://github.com/Azure/sonic-buildimage-msft/blob/792a1255886df5ba8e402c9f22dfff517c555304/src/sonic-host-services/scripts/caclmgrd#L62. No BGP service inside.
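As an added example (not code from the issue, the linked commit, or the SONiC project), the allowlist the issue asks for expressed as host iptables rules: accept TCP/179 only from the listed peers and drop everything else to that port. As the thread notes, these rules run in the Linux kernel, not in the ASIC, so they limit exposure of the BGP daemon but do not protect the CPU path from a volumetric flood; the peer addresses are constructed placeholders.

```bash
#!/bin/sh
# Generate (not apply) iptables/ip6tables rules that allow BGP (TCP/179)
# only from an explicit peer list and drop all other inbound BGP attempts.
# Constructed sample peers; replace with the real neighbor addresses/prefixes.
BGP_PEERS="192.0.2.1 198.51.100.0/24 2001:db8::1"

# Print the rule commands for a space-separated peer list ($1).
# Peers containing ':' are treated as IPv6 and go to ip6tables.
# Sessions this router initiates use a local ephemeral port, so they are not
# matched by --dport 179 and are governed by the chain's existing ESTABLISHED rule.
bgp_allowlist_rules() {
    for p in $1; do
        case "$p" in
            *:*) echo "ip6tables -A INPUT -p tcp --dport 179 -s $p -j ACCEPT" ;;
            *)   echo "iptables -A INPUT -p tcp --dport 179 -s $p -j ACCEPT" ;;
        esac
    done
    # Final DROP for both families; its counters (iptables -nvL INPUT) show
    # how many unexpected BGP connection attempts reached the host.
    echo "iptables -A INPUT -p tcp --dport 179 -j DROP"
    echo "ip6tables -A INPUT -p tcp --dport 179 -j DROP"
}

# Count the ACCEPT rules a peer list produces (one per peer), for a sanity check.
bgp_allowlist_accept_count() {
    bgp_allowlist_rules "$1" | grep -c ' -j ACCEPT$'
}

# Review the generated rules before applying them with: sh -c "$(...)" or by
# piping the output to a shell on the switch.
bgp_allowlist_rules "$BGP_PEERS"
```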