Added acl rules for srl 24.3+ (#1968)
* added acl rules for srl 24.3+

* remove unused receiver

* added a json-rpc test over http
hellt committed Apr 4, 2024
1 parent 9b47e3a commit 85bda39
Showing 5 changed files with 60 additions and 1 deletion.
9 changes: 9 additions & 0 deletions docs/manual/kinds/srl.md
@@ -425,6 +425,15 @@ A:srl# info system dns

If you wish to turn off the automatic DNS provisioning, set the `servers` list to an empty value in the [node configuration](../nodes.md#dns).

### ACL configuration

Starting with SR Linux 24.3.1 release, containerlab adds CPM filter rules to the default factory configuration to allow the following traffic:

* HTTP access over port 80 for v4 and v6
* Telnet access over port 23 for v4 and v6

These protocols were removed from the default factory configuration in SR Linux 24.3.1 as a security hardening measure, but they are valuable for lab environments, hence containerlab adds them back.

## Host Requirements

SR Linux is a containerized NOS, therefore it depends on the host's kernel and CPU. It is recommended to run a kernel v4 and newer, though it might also run on the older kernels.
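Review bot: the new ACL section does not say when the rules are actually applied or how a user opts out. The code gates them on the running image version, so the text should state that the entries appear only on 24.3+ images, that both HTTP and Telnet are cleartext management protocols meant for lab use only, and where a user who wants the hardened factory default back can remove the entries.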
2 changes: 2 additions & 0 deletions nodes/srl/srl.go
@@ -528,6 +528,8 @@ type srlTemplateData struct {
SNMPConfig string
// GRPCConfig is a string containing GRPC configuration
GRPCConfig string
// ACLConfig is a string containing ACL configuration
ACLConfig string
}

// tplIFace template interface struct.
2 changes: 2 additions & 0 deletions nodes/srl/srl_default_config.go.tpl
@@ -1,3 +1,5 @@
{{ .ACLConfig }}

set / system tls server-profile clab-profile
set / system tls server-profile clab-profile key "{{ .TLSKey }}"
set / system tls server-profile clab-profile certificate "{{ .TLSCert }}"
41 changes: 40 additions & 1 deletion nodes/srl/version.go
@@ -30,6 +30,39 @@ set / system grpc-server clab network-instance mgmt
set / system grpc-server clab trace-options [ request response common ]
set / system grpc-server clab unix-socket admin-state enable
set / system grpc-server clab admin-state enable`

// aclConfig contains the ACL configuration for srlinux versions >= 24.3 to enable
// non secure telnet and http access to the router which are useful for labs.
aclConfig = `set / acl acl-filter cpm type ipv4 entry 88 description "Containerlab-added rule: Accept incoming Telnet when the other host initiates the TCP connection"
set / acl acl-filter cpm type ipv4 entry 88 match ipv4 protocol tcp
set / acl acl-filter cpm type ipv4 entry 88 match transport source-port operator eq
set / acl acl-filter cpm type ipv4 entry 88 match transport source-port value 23
set / acl acl-filter cpm type ipv4 entry 88 action accept
set / acl acl-filter cpm type ipv4 entry 98 description "Containerlab-added rule: Accept incoming Telnet when this router initiates the TCP connection"
set / acl acl-filter cpm type ipv4 entry 98 match ipv4 protocol tcp
set / acl acl-filter cpm type ipv4 entry 98 match transport destination-port operator eq
set / acl acl-filter cpm type ipv4 entry 98 match transport destination-port value 23
set / acl acl-filter cpm type ipv4 entry 98 action accept
set / acl acl-filter cpm type ipv4 entry 158 description "Containerlab-added rule: Accept incoming HTTP(JSON-RPC) when the other host initiates the TCP connection"
set / acl acl-filter cpm type ipv4 entry 158 match ipv4 protocol tcp
set / acl acl-filter cpm type ipv4 entry 158 match transport destination-port operator eq
set / acl acl-filter cpm type ipv4 entry 158 match transport destination-port value 80
set / acl acl-filter cpm type ipv4 entry 158 action accept
set / acl acl-filter cpm type ipv6 entry 128 description "Containerlab-added rule: Accept incoming Telnet when the other host initiates the TCP connection"
set / acl acl-filter cpm type ipv6 entry 128 match ipv6 next-header tcp
set / acl acl-filter cpm type ipv6 entry 128 match transport source-port operator eq
set / acl acl-filter cpm type ipv6 entry 128 match transport source-port value 23
set / acl acl-filter cpm type ipv6 entry 128 action accept
set / acl acl-filter cpm type ipv6 entry 138 description "Containerlab-added rule: Accept incoming Telnet when this router initiates the TCP connection"
set / acl acl-filter cpm type ipv6 entry 138 match ipv6 next-header tcp
set / acl acl-filter cpm type ipv6 entry 138 match transport destination-port operator eq
set / acl acl-filter cpm type ipv6 entry 138 match transport destination-port value 23
set / acl acl-filter cpm type ipv6 entry 138 action accept
set / acl acl-filter cpm type ipv6 entry 188 description "Containerlab-added rule: Accept incoming HTTP(JSON-RPC) when the other host initiates the TCP connection"
set / acl acl-filter cpm type ipv6 entry 188 match ipv6 next-header tcp
set / acl acl-filter cpm type ipv6 entry 188 match transport destination-port operator eq
set / acl acl-filter cpm type ipv6 entry 188 match transport destination-port value 80
set / acl acl-filter cpm type ipv6 entry 188 action accept`
)

// SrlVersion represents an sr linux version as a set of fields.
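Review bot: the Telnet entry descriptions are swapped relative to their match criteria. Entry 88 (and ipv6 entry 128) is described as "Accept incoming Telnet when the other host initiates the TCP connection" but matches `transport source-port value 23`, which is the return direction of a session this router opened; entry 98 (and 138) is described as "when this router initiates" but matches `transport destination-port value 23`, which is exactly what an inbound connection to the router's Telnet server carries. Only the HTTP entries (158/188) pair description and destination-port consistently. Either swap the two descriptions or drop the source-port entries altogether: a source-port-only accept admits any TCP segment with source port 23 regardless of its destination port, so it is wider than a lab Telnet server needs, and the rule that does the useful work is the destination-port one.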
@@ -57,7 +90,7 @@ func (n *srl) RunningVersion(ctx context.Context) (*SrlVersion, error) {
return n.parseVersionString(execResult.GetStdOutString()), nil
}

func (n *srl) parseVersionString(s string) *SrlVersion {
func (*srl) parseVersionString(s string) *SrlVersion {
re, _ := regexp.Compile(`v(\d{1,3})\.(\d{1,2})\.(\d{1,3})\-(\d{1,4})\-(\S+)`)

v := re.FindStringSubmatch(s)
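Review bot: `regexp.Compile` in `parseVersionString` discards its error with `_`, so an invalid pattern would leave `re` nil and `re.FindStringSubmatch` would panic at the call site. The pattern is a constant; hoist it to a package-level `var versionRe = regexp.MustCompile(...)` so it is compiled once and any mistake fails at init rather than at runtime.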
@@ -93,6 +126,12 @@ func (n *srl) setVersionSpecificParams(tplData *srlTemplateData) {
tplData.SSHPubKeys = catenateKeys(n.sshPubKeys)
}

// in srlinux >= v24.3+ we add ACL rules to enable http and telnet access
// that are useful for labs and were removed as a security hardening measure.
if len(n.sshPubKeys) > 0 && (semver.Compare(v, "v24.3") >= 0 || n.swVersion.major == "0") {
tplData.ACLConfig = aclConfig
}

// in srlinux v23.10.x we need to enable GNMI unix socket services to enable
// communications over unix socket (e.g. NDK agents)
if semver.Compare(v, "v23.10") == 0 {
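Review bot: the condition `len(n.sshPubKeys) > 0 && (...)` ties the ACL rules to the presence of SSH public keys, which is unrelated to HTTP or Telnet access and looks copied from the `SSHPubKeys` block just above it. A node deployed on a 24.3+ image without any SSH keys gets no rules, which contradicts the documentation added in this commit. Drop the `len(n.sshPubKeys) > 0 &&` part so the version check alone decides. The comment also reads "v24.3+" next to a `>=` comparison; "v24.3 and later" says it once.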
7 changes: 7 additions & 0 deletions tests/02-basic-srl/01-two-srls.robot
@@ -117,6 +117,13 @@ Ensure srl1 can ping srl2 over ethernet-1/1 interface
Should Be Equal As Integers ${rc} 0
Should Contain ${output} 0% packet loss

Verify JSON-RPC works over HTTP
${rc} ${output} = Run And Return Rc And Output
... curl 'http://admin:NokiaSrl1!@clab-${lab-name}-srl1/jsonrpc' -d '{"jsonrpc":"2.0","id":0,"method":"get","params":{"commands":[{"path":"/system/information/version","datastore":"state"}]}}'
Log ${output}
Should Be Equal As Integers ${rc} 0
Should Not Contain ${output} error

Verify TLS works with JSON-RPC with skipping certificate check
${rc} ${output} = Run And Return Rc And Output
... curl -k 'https://admin:NokiaSrl1!@clab-${lab-name}-srl1/jsonrpc' -d '{"jsonrpc":"2.0","id":0,"method":"get","params":{"commands":[{"path":"/system/information/version","datastore":"state"}]}}'
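Review bot: `Should Not Contain ${output} error` together with an exit-code check is a weak assertion for the new HTTP case: `curl` exits 0 on an HTTP 401, 403 or 500 unless `-f`/`--fail` is given, and an empty body passes the "not contain error" check. Use `curl -sf` and assert that the output contains a `result` key or the requested version path, so the test actually proves the port-80 CPM rule admits the request rather than merely that the host answered.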