kamel: [caclmgrd] Use interface IP for IP2ME

Currently the first IP on the VLAN subnet is used, regardless of
whatever IP is actually assigned to the control plane. This fix uses the
correct IP.

See earlier work:
 - sonic-net/sonic-buildimage#9826
 - sonic-net/sonic-buildimage#7178
 - sonic-net/sonic-buildimage#7008

Signed-off-by: Christian Svensson <[email protected]>

Author: bluecmd

scripts/caclmgrd

@@ -285,20 +285,16 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
                 for key, _ in iface_table.items():
                     if not _ip_prefix_in_key(key):
                         continue
-
                     iface_name, iface_cidr = key
-                    ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
+                    ip_iface = ipaddress.ip_interface(iface_cidr)
+                    if isinstance(ip_iface, ipaddress.IPv4Interface):
+                        block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['iptables', '-A', 'INPUT', '-d', format(ip_iface.ip) + '/32', '-j', 'DROP'])
+                    elif isinstance(ip_iface, ipaddress.IPv6Interface):
+                        block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['ip6tables', '-A', 'INPUT', '-d', format(ip_iface.ip) + '/128', '-j', 'DROP'])
+                    else:
+                        self.log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_iface))
 
-                    # For VLAN interfaces, the IP address we want to block is the default gateway (i.e.,
-                    # the first available host IP address of the VLAN subnet)
-                    ip_addr = next(ip_ntwrk.hosts()) if iface_table_name == "VLAN_INTERFACE" else ip_ntwrk.network_address
 
-                    if isinstance(ip_ntwrk, ipaddress.IPv4Network):
-                        block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['iptables', '-A', 'INPUT', '-d', '{}/{}'.format(ip_addr, ip_ntwrk.max_prefixlen), '-j', 'DROP'])
-                    elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
-                        block_ip2me_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['ip6tables', '-A', 'INPUT', '-d', '{}/{}'.format(ip_addr, ip_ntwrk.max_prefixlen), '-j', 'DROP'])
-                    else:
-                        self.log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
 
         return block_ip2me_cmds
 

tests/caclmgrd/test_ip2me_vectors.py

@@ -85,6 +85,32 @@
             ],
         },
     ],
+    [
+        "One VLAN interface, /24, we are .2",
+        {
+            "config_db": {
+                "MGMT_INTERFACE": {
+                    "eth0|172.18.0.100/24": {
+                        "gwaddr": "172.18.0.1"
+                    }
+                },
+                "LOOPBACK_INTERFACE": {},
+                "VLAN_INTERFACE": {
+                    "Vlan110|10.10.11.2/24": {},
+                },
+                "PORTCHANNEL_INTERFACE": {},
+                "INTERFACE": {},
+                "DEVICE_METADATA": {
+                    "localhost": {
+                    }
+                },
+                "FEATURE": {},
+            },
+            "return": [
+                ["iptables", "-A", "INPUT", "-d", "10.10.11.2/32", "-j", "DROP"],
+            ],
+        },
+    ],
     [
         "One interface of each type, IPv6, /64 - block all interfaces but MGMT",
         {
@@ -114,10 +140,10 @@
             },
             "return": [
                 ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:10::/128', '-j', 'DROP'],
-                ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:11::1/128', '-j', 'DROP'],
+                ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:11::/128', '-j', 'DROP'],
                 ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:12::/128', '-j', 'DROP'],
                 ['ip6tables', '-A', 'INPUT', '-d', '2001:db8:13::/128', '-j', 'DROP']
-            ],  
+            ],
         },
     ]
 ]