From 85bda393158b46e5ed4f6d92f2ec96a825a9062e Mon Sep 17 00:00:00 2001 From: Roman Dodin Date: Thu, 4 Apr 2024 09:49:14 +0200 Subject: [PATCH] Added acl rules for srl 24.3+ (#1968) * added acl rules for srl 24.3+ * remove unused receiver * added a json-rpc test over http --- docs/manual/kinds/srl.md | 9 ++++++ nodes/srl/srl.go | 2 ++ nodes/srl/srl_default_config.go.tpl | 2 ++ nodes/srl/version.go | 41 +++++++++++++++++++++++++++- tests/02-basic-srl/01-two-srls.robot | 7 +++++ 5 files changed, 60 insertions(+), 1 deletion(-) diff --git a/docs/manual/kinds/srl.md b/docs/manual/kinds/srl.md index cfb63e069..4f078f304 100644 --- a/docs/manual/kinds/srl.md +++ b/docs/manual/kinds/srl.md @@ -425,6 +425,15 @@ A:srl# info system dns If you wish to turn off the automatic DNS provisioning, set the `servers` list to an empty value in the [node configuration](../nodes.md#dns). +### ACL configuration + +Starting with SR Linux 24.3.1 release, containerlab adds CPM filter rules to the default factory configuration to allow the following traffic: + +* HTTP access over port 80 for v4 and v6 +* Telnet access over port 23 for v4 and v6 + +These protocols were removed from the default factory configuration in SR Linux 24.3.1 as a security hardening measure, but they are valuable for lab environments, hence containerlab adds them back. + ## Host Requirements SR Linux is a containerized NOS, therefore it depends on the host's kernel and CPU. It is recommended to run a kernel v4 and newer, though it might also run on the older kernels. diff --git a/nodes/srl/srl.go b/nodes/srl/srl.go index bcc408d84..b44c5ae21 100644 --- a/nodes/srl/srl.go +++ b/nodes/srl/srl.go @@ -528,6 +528,8 @@ type srlTemplateData struct { SNMPConfig string // GRPCConfig is a string containing GRPC configuration GRPCConfig string + // ACLConfig is a string containing ACL configuration + ACLConfig string } // tplIFace template interface struct. 
diff --git a/nodes/srl/srl_default_config.go.tpl b/nodes/srl/srl_default_config.go.tpl
index 6f2b16741..deca9f8ab 100644
--- a/nodes/srl/srl_default_config.go.tpl
+++ b/nodes/srl/srl_default_config.go.tpl
@@ -1,3 +1,5 @@
+{{ .ACLConfig }}
+
 set / system tls server-profile clab-profile
 set / system tls server-profile clab-profile key "{{ .TLSKey }}"
 set / system tls server-profile clab-profile certificate "{{ .TLSCert }}"
diff --git a/nodes/srl/version.go b/nodes/srl/version.go
index 703f7c178..fffb31ee9 100644
--- a/nodes/srl/version.go
+++ b/nodes/srl/version.go
@@ -30,6 +30,39 @@ set / system grpc-server clab network-instance mgmt set / system grpc-server clab trace-options [ request response common ] set / system grpc-server clab unix-socket admin-state enable set / system grpc-server clab admin-state enable` + + // aclConfig contains the ACL configuration for srlinux versions >= 24.3 to enable + // non secure telnet and http access to the router which are useful for labs. + aclConfig = `set / acl acl-filter cpm type ipv4 entry 88 description "Containerlab-added rule: Accept incoming Telnet when the other host initiates the TCP connection" +set / acl acl-filter cpm type ipv4 entry 88 match ipv4 protocol tcp +set / acl acl-filter cpm type ipv4 entry 88 match transport source-port operator eq +set / acl acl-filter cpm type ipv4 entry 88 match transport source-port value 23 +set / acl acl-filter cpm type ipv4 entry 88 action accept +set / acl acl-filter cpm type ipv4 entry 98 description "Containerlab-added rule: Accept incoming Telnet when this router initiates the TCP connection" +set / acl acl-filter cpm type ipv4 entry 98 match ipv4 protocol tcp +set / acl acl-filter cpm type ipv4 entry 98 match transport destination-port operator eq +set / acl acl-filter cpm type ipv4 entry 98 match transport destination-port value 23 +set / acl acl-filter cpm type ipv4 entry 98 action accept +set / acl acl-filter cpm type ipv4 entry 158 description "Containerlab-added rule: Accept incoming HTTP(JSON-RPC) when the other host initiates the TCP connection" +set / acl acl-filter cpm type ipv4 entry 158 match ipv4 protocol tcp +set / acl acl-filter cpm type ipv4 entry 158 match transport destination-port operator eq +set / acl acl-filter cpm type ipv4 entry 158 match transport destination-port value 80 +set / acl acl-filter cpm type ipv4 entry 158 action accept +set / acl acl-filter cpm type ipv6 entry 128 description "Containerlab-added rule: Accept incoming Telnet when the other host initiates the TCP connection" +set / acl acl-filter 
cpm type ipv6 entry 128 match ipv6 next-header tcp +set / acl acl-filter cpm type ipv6 entry 128 match transport source-port operator eq +set / acl acl-filter cpm type ipv6 entry 128 match transport source-port value 23 +set / acl acl-filter cpm type ipv6 entry 128 action accept +set / acl acl-filter cpm type ipv6 entry 138 description "Containerlab-added rule: Accept incoming Telnet when this router initiates the TCP connection" +set / acl acl-filter cpm type ipv6 entry 138 match ipv6 next-header tcp +set / acl acl-filter cpm type ipv6 entry 138 match transport destination-port operator eq +set / acl acl-filter cpm type ipv6 entry 138 match transport destination-port value 23 +set / acl acl-filter cpm type ipv6 entry 138 action accept +set / acl acl-filter cpm type ipv6 entry 188 description "Containerlab-added rule: Accept incoming HTTP(JSON-RPC) when the other host initiates the TCP connection" +set / acl acl-filter cpm type ipv6 entry 188 match ipv6 next-header tcp +set / acl acl-filter cpm type ipv6 entry 188 match transport destination-port operator eq +set / acl acl-filter cpm type ipv6 entry 188 match transport destination-port value 80 +set / acl acl-filter cpm type ipv6 entry 188 action accept` ) // SrlVersion represents an sr linux version as a set of fields. @@ -57,7 +90,7 @@ func (n *srl) RunningVersion(ctx context.Context) (*SrlVersion, error) { return n.parseVersionString(execResult.GetStdOutString()), nil } -func (n *srl) parseVersionString(s string) *SrlVersion { +func (*srl) parseVersionString(s string) *SrlVersion { re, _ := regexp.Compile(`v(\d{1,3})\.(\d{1,2})\.(\d{1,3})\-(\d{1,4})\-(\S+)`) v := re.FindStringSubmatch(s) 
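Review bot: The description strings on ipv4 entry 88 and ipv6 entry 128 appear swapped with those on entries 98 and 138 in the new aclConfig constant: entry 88 matches `transport source-port value 23`, which is the return leg of a Telnet session this router opened, yet it is described as "when the other host initiates the TCP connection", while entry 98 matches `destination-port value 23` (a peer connecting to this router) and is labelled as router-initiated. The HTTP entries 158 and 188 pair destination-port 80 with the "other host initiates" wording, which supports the destination-port reading. Exchanging the two description strings within each address family would make the filter self-explanatory to anyone inspecting it on the node, since these entries accept from any source address and a misleading description makes later auditing harder. The constant sits inside a `const (` block whose opening lies outside the hunk.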
@@ -93,6 +126,12 @@ func (n *srl) setVersionSpecificParams(tplData *srlTemplateData) { tplData.SSHPubKeys = catenateKeys(n.sshPubKeys) } + // in srlinux >= v24.3+ we add ACL rules to enable http and telnet access + // that are useful for labs and were removed as a security hardening measure. + if len(n.sshPubKeys) > 0 && (semver.Compare(v, "v24.3") >= 0 || n.swVersion.major == "0") { + tplData.ACLConfig = aclConfig + } + // in srlinux v23.10.x we need to enable GNMI unix socket services to enable // communications over unix socket (e.g. NDK agents) if semver.Compare(v, "v23.10") == 0 { diff --git a/tests/02-basic-srl/01-two-srls.robot b/tests/02-basic-srl/01-two-srls.robot index f5572e670..0bb04308c 100644 --- a/tests/02-basic-srl/01-two-srls.robot +++ b/tests/02-basic-srl/01-two-srls.robot @@ -117,6 +117,13 @@ Ensure srl1 can ping srl2 over ethernet-1/1 interface Should Be Equal As Integers ${rc} 0 Should Contain ${output} 0% packet loss +Verify JSON-RPC works over HTTP + ${rc} ${output} = Run And Return Rc And Output + ... curl 'http://admin:NokiaSrl1!@clab-${lab-name}-srl1/jsonrpc' -d '{"jsonrpc":"2.0","id":0,"method":"get","params":{"commands":[{"path":"/system/information/version","datastore":"state"}]}}' + Log ${output} + Should Be Equal As Integers ${rc} 0 + Should Not Contain ${output} error + Verify TLS works with JSON-RPC with skipping certificate check ${rc} ${output} = Run And Return Rc And Output ... curl -k 'https://admin:NokiaSrl1!@clab-${lab-name}-srl1/jsonrpc' -d '{"jsonrpc":"2.0","id":0,"method":"get","params":{"commands":[{"path":"/system/information/version","datastore":"state"}]}}'
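Review bot: The new ACL block is gated on `len(n.sshPubKeys) > 0`, which has nothing to do with the release check and looks carried over from the SSH-key condition just above it; on a node with no SSH public keys the 24.3+ filter entries are never rendered, so the HTTP and Telnet access the documentation promises will be missing without any indication why. The condition should be `if semver.Compare(v, "v24.3") >= 0 || n.swVersion.major == "0" {`. If tying it to the key presence is intentional, the comment above it should state the reason. setVersionSpecificParams starts and ends outside the hunk.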
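Review bot: In the new "Verify JSON-RPC works over HTTP" case, `curl` without `--fail` exits 0 on an HTTP 401, 403 or 404, so `Should Be Equal As Integers ${rc} 0` only proves the TCP connection on port 80 was accepted by the CPM filter, and `Should Not Contain ${output} error` is the sole guard that the request actually succeeded. Adding `-f` to the curl invocation and asserting on something only a successful get returns, e.g. `Should Contain ${output} version`, would make the case fail loudly if the new filter entries are absent or the service rejects the request. The existing HTTPS case below has the same shape; its body continues outside the hunk.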