patch add iptables rules for eth0 interface filtering

sonic-net · Jan 2, 2025 · d131a47 · d131a47
1 parent c0ca6d9
commit d131a47
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/scripts/caclmgrd b/scripts/caclmgrd
@@ -791,6 +791,11 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
                             # Append the packet action as the jump target
                             rule_cmd += ["-j", "{}".format(rule_props["PACKET_ACTION"])]
 
+                            if (dst_port not in self.ACL_SERVICES["NTP"]["dst_ports"] and
+                                dst_port not in self.ACL_SERVICES["SNMP"]["dst_ports"] and
+                                dst_port not in self.ACL_SERVICES["SSH"]["dst_ports"]):
+                                rule_cmd = self.exclude_mgmt_port(rule_cmd)
+
                             iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + rule_cmd)
                             num_ctrl_plane_acl_rules += 1