[caclmgrd] Refactor ACL_SERVICES

* Renaming ACL_SERVICES to KNOWN_SYSTEM_SERVICES
  to stay consistant, because the service list
  is used for setting rules for MGMT interface,
  which is not related to ACL functionality.

Signed-off-by: Maksym Belei <[email protected]>

Author: Maksym Belei

src/sonic-host-services/scripts/caclmgrd

@@ -61,7 +61,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
 
     # To specify a port range instead of a single port, use iptables format:
     # separate start and end ports with a colon, e.g., "1000:2000"
-    ACL_SERVICES = {
+    KNOWN_SYSTEM_SERVICES = {
         "NTP": {
             "ip_protocols": ["udp"],
             "dst_ports": ["123"],
@@ -263,12 +263,12 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
                     continue
 
                 # Add iptables rules to allow input packets of all the known services
-                for acl_service in self.ACL_SERVICES:
+                for acl_service in self.KNOWN_SYSTEM_SERVICES:
                     # Skip "ANY" record
                     if acl_service == "ANY":
                         continue
-                    for ip_protocol in self.ACL_SERVICES[acl_service]["ip_protocols"]:
-                        for dst_port in  self.ACL_SERVICES[acl_service]["dst_ports"]:
+                    for ip_protocol in self.KNOWN_SYSTEM_SERVICES[acl_service]["ip_protocols"]:
+                        for dst_port in  self.KNOWN_SYSTEM_SERVICES[acl_service]["dst_ports"]:
                             mgmt_intf_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "{} -A INPUT -p {} -d {}/{} --dport {} -j ACCEPT".format(table, ip_protocol, ip_addr, mask, dst_port))
                 # Drop the rest of traffic
                 mgmt_intf_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "{} -A INPUT -d {}/{} -j DROP".format(table, ip_addr, mask))
@@ -328,14 +328,14 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
         fwd_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -X")
         fwd_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -F")
 
-        for acl_service in self.ACL_SERVICES:
-            if self.ACL_SERVICES[acl_service]["multi_asic_ns_to_host_fwd"]:
+        for acl_service in self.KNOWN_SYSTEM_SERVICES:
+            if self.KNOWN_SYSTEM_SERVICES[acl_service]["multi_asic_ns_to_host_fwd"]:
                 # Get the Source IP Set if exists else use default source ip prefix
                 nat_source_ipv4_set = acl_source_ip_map[acl_service]["ipv4"] if acl_source_ip_map and acl_source_ip_map[acl_service]["ipv4"] else { "0.0.0.0/0" }
                 nat_source_ipv6_set = acl_source_ip_map[acl_service]["ipv6"] if acl_source_ip_map and acl_source_ip_map[acl_service]["ipv6"] else { "::/0" }
 
-                for ip_protocol in self.ACL_SERVICES[acl_service]["ip_protocols"]:
-                    for dst_port in  self.ACL_SERVICES[acl_service]["dst_ports"]: 
+                for ip_protocol in self.KNOWN_SYSTEM_SERVICES[acl_service]["ip_protocols"]:
+                    for dst_port in  self.KNOWN_SYSTEM_SERVICES[acl_service]["dst_ports"]: 
                         for ipv4_src_ip in nat_source_ipv4_set:
                             # IPv4 rules
                             fwd_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] +
@@ -546,7 +546,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
             acl_services = table_data["services"]
 
             for acl_service in acl_services:
-                if acl_service not in self.ACL_SERVICES:
+                if acl_service not in self.KNOWN_SYSTEM_SERVICES:
                     self.log_warning("Ignoring control plane ACL '{}' with unrecognized service '{}'"
                                      .format(table_name, acl_service))
                     continue
@@ -555,8 +555,8 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
                               .format(table_name, acl_service))
 
                 # Obtain default IP protocol(s) and destination port(s) for this service
-                ip_protocols = self.ACL_SERVICES[acl_service]["ip_protocols"]
-                dst_ports = self.ACL_SERVICES[acl_service]["dst_ports"]
+                ip_protocols = self.KNOWN_SYSTEM_SERVICES[acl_service]["ip_protocols"]
+                dst_ports = self.KNOWN_SYSTEM_SERVICES[acl_service]["dst_ports"]
 
                 acl_rules = {}