[caclmgrd] Improve code reuse (#4931)

jleveque · abdosi · commit 0559b7d3b600 · 2020-07-11T09:48:10.000-07:00
Improve code reuse in `generate_block_ip2me_traffic_iptables_commands()` function.
diff --git a/files/image_config/caclmgrd/caclmgrd b/files/image_config/caclmgrd/caclmgrd
@@ -134,89 +134,37 @@ class ControlPlaneAclManager(object):
         return tcp_flags_str
 
     def generate_block_ip2me_traffic_iptables_commands(self):
-        LOOPBACK_INTERFACE_TABLE_NAME = "LOOPBACK_INTERFACE"
-        MGMT_INTERFACE_TABLE_NAME = "MGMT_INTERFACE"
-        VLAN_INTERFACE_TABLE_NAME = "VLAN_INTERFACE"
-        PORTCHANNEL_INTERFACE_TABLE_NAME = "PORTCHANNEL_INTERFACE"
-        INTERFACE_TABLE_NAME = "INTERFACE"
+        INTERFACE_TABLE_NAME_LIST = [
+            "LOOPBACK_INTERFACE",
+            "MGMT_INTERFACE",
+            "VLAN_INTERFACE",
+            "PORTCHANNEL_INTERFACE",
+            "INTERFACE"
+        ]
 
         block_ip2me_cmds = []
 
-        # Add iptables rules to drop all packets destined for loopback interface IP addresses
-        loopback_iface_table = self.config_db.get_table(LOOPBACK_INTERFACE_TABLE_NAME)
-        if loopback_iface_table:
-            for key, _ in loopback_iface_table.iteritems():
-                if not _ip_prefix_in_key(key):
-                    continue
-                iface_name, iface_cidr = key
-                ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
-                if isinstance(ip_ntwrk, ipaddress.IPv4Network):
-                    block_ip2me_cmds.append("iptables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
-                    block_ip2me_cmds.append("ip6tables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                else:
-                    log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
-
-        # Add iptables rules to drop all packets destined for management interface IP addresses
-        mgmt_iface_table = self.config_db.get_table(MGMT_INTERFACE_TABLE_NAME)
-        if mgmt_iface_table:
-            for key, _ in mgmt_iface_table.iteritems():
-                if not _ip_prefix_in_key(key):
-                    continue
-                iface_name, iface_cidr = key
-                ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
-                if isinstance(ip_ntwrk, ipaddress.IPv4Network):
-                    block_ip2me_cmds.append("iptables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
-                    block_ip2me_cmds.append("ip6tables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                else:
-                    log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
-
-        # Add iptables rules to drop all packets destined for our VLAN interface gateway IP addresses
-        vlan_iface_table = self.config_db.get_table(VLAN_INTERFACE_TABLE_NAME)
-        if vlan_iface_table:
-            for key, _ in vlan_iface_table.iteritems():
-                if not _ip_prefix_in_key(key):
-                    continue
-                iface_name, iface_cidr = key
-                ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
-                first_host = next(ip_ntwrk.hosts())
-                if isinstance(ip_ntwrk, ipaddress.IPv4Network):
-                    block_ip2me_cmds.append("iptables -A INPUT -d {}/{} -j DROP".format(first_host, ip_ntwrk.max_prefixlen))
-                elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
-                    block_ip2me_cmds.append("ip6tables -A INPUT -d {}/{} -j DROP".format(first_host, ip_ntwrk.max_prefixlen))
-                else:
-                    log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
-
-        # Add iptables rules to drop all packets destined for point-to-point interface IP addresses
-        # (All portchannel interfaces and configured front-panel interfaces)
-        portchannel_iface_table = self.config_db.get_table(PORTCHANNEL_INTERFACE_TABLE_NAME)
-        if portchannel_iface_table:
-            for key, _ in portchannel_iface_table.iteritems():
-                if not _ip_prefix_in_key(key):
-                    continue
-                iface_name, iface_cidr = key
-                ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
-                if isinstance(ip_ntwrk, ipaddress.IPv4Network):
-                    block_ip2me_cmds.append("iptables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
-                    block_ip2me_cmds.append("ip6tables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                else:
-                    log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
-
-        iface_table = self.config_db.get_table(INTERFACE_TABLE_NAME)
-        if iface_table:
-            for key, _ in iface_table.iteritems():
-                if not _ip_prefix_in_key(key):
-                    continue
-                iface_name, iface_cidr = key
-                ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
-                if isinstance(ip_ntwrk, ipaddress.IPv4Network):
-                    block_ip2me_cmds.append("iptables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
-                    block_ip2me_cmds.append("ip6tables -A INPUT -d {}/{} -j DROP".format(ip_ntwrk.network_address, ip_ntwrk.max_prefixlen))
-                else:
-                    log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
+        # Add iptables rules to drop all packets destined for peer-to-peer interface IP addresses
+        for iface_table_name in INTERFACE_TABLE_NAME_LIST:
+            iface_table = self.config_db.get_table(iface_table_name)
+            if iface_table:
+                for key, _ in iface_table.iteritems():
+                    if not _ip_prefix_in_key(key):
+                        continue
+
+                    iface_name, iface_cidr = key
+                    ip_ntwrk = ipaddress.ip_network(iface_cidr, strict=False)
+
+                    # For VLAN interfaces, the IP address we want to block is the default gateway (i.e.,
+                    # the first available host IP address of the VLAN subnet)
+                    ip_addr = next(ip_ntwrk.hosts()) if iface_table_name == "VLAN_INTERFACE" else ip_ntwrk.network_address
+
+                    if isinstance(ip_ntwrk, ipaddress.IPv4Network):
+                        block_ip2me_cmds.append("iptables -A INPUT -d {}/{} -j DROP".format(ip_addr, ip_ntwrk.max_prefixlen))
+                    elif isinstance(ip_ntwrk, ipaddress.IPv6Network):
+                        block_ip2me_cmds.append("ip6tables -A INPUT -d {}/{} -j DROP".format(ip_addr, ip_ntwrk.max_prefixlen))
+                    else:
+                        log_warning("Unrecognized IP address type on interface '{}': {}".format(iface_name, ip_ntwrk))
 
         return block_ip2me_cmds
 
