Skip to content

sonic: Restrict SSH to the OOB management network#2337

Open
berendt wants to merge 1 commit into
mainfrom
implement/issue-2329-ssh-mgmt-acl
Open

sonic: Restrict SSH to the OOB management network#2337
berendt wants to merge 1 commit into
mainfrom
implement/issue-2329-ssh-mgmt-acl

Conversation

@berendt

@berendt berendt commented Jun 10, 2026

Copy link
Copy Markdown
Member

Closes #2329

What this does

Generates, per switch, a SONiC control-plane ACL (handled by caclmgrd) that permits SSH only from the device's OOB management subnet. Once a CTRLPLANE table binds the SSH service, caclmgrd installs an implicit default-drop for it, so front-panel / in-band interfaces with IPs in the default VRF can no longer reach TCP/22.

Walkthrough (commit order)

  1. sonic: Take ownership of ACL_TABLE and ACL_RULE on regen — registers both tables in ON_DEMAND_OWNED_TABLE_KEYS (feeding OWNED_TABLE_KEYS), so base-config content is dropped up front and the tables are rebuilt from scratch on every regen. The on-demand registry was chosen over TOP_LEVEL_SCAFFOLD_KEYS so the tables are entirely absent when nothing emits them (no empty {} scaffold entries). Includes an orchestrator test pinning that stale ACL entries carried over from config_db.json do not survive a regen without an OOB IP. The existing exhaustive ownership test (test_generate_sonic_config_every_owned_table_drops_stale_entries) picks the new keys up automatically.

  2. sonic: Restrict SSH to the OOB management network — adds _add_ssh_acl_configuration(config, device, oob_ip_result), called from generate_sonic_config in the management-interface block, only when an OOB IP exists. The permitted subnet is derived from the same get_device_oob_ip result used for MGMT_INTERFACE, normalised to the network address via IPv4Network(..., strict=False). Emits exactly the shape from the issue:

    • ACL_TABLE["SSH_ONLY"]type: CTRLPLANE, services: ["SSH"]
    • ACL_RULE["SSH_ONLY|RULE_1"]PRIORITY 9999, PACKET_ACTION ACCEPT, SRC_IP <oob_network>/<prefix>, IP_TYPE IP

    Tests: helper-level (table/rule shape, network normalisation incl. non-octet boundary, wholesale replacement of pre-existing entries) plus orchestrator glue (called with the full OOB result when present, not called and tables absent when not).

Notes for the reviewer

  • Only the device's own OOB subnet is permitted — no metalbox/gateway or central admin networks (per the issue, this iteration).
  • When no OOB IP is present, no ACL is emitted and SSH is not locked down (per the issue, to be revisited if needed).
  • ACL_TABLE/ACL_RULE are not in the generated pydantic schema set (_generated/_schemas.py only models DASH_ACL_*), so the validator reports them as warnings, not errors. Adding the sonic-acl YANG model is deferred (relates to Cover Enterprise SONiC tables in the YANG model set #2258).
  • SNMP/GNMI control-plane ACLs are Ensure that the SONiC SNMP/GNMI services are accessible only on the management network #2330; the helper and owned-table wiring added here are the shared mechanism it can build on.
  • No CHANGELOG edit — this repo batches changelog entries in release PRs.

AI-assisted: Claude Code

@berendt berendt force-pushed the implement/issue-2329-ssh-mgmt-acl branch from e0ff1f4 to 7b01e69 Compare June 10, 2026 06:56
@berendt

berendt commented Jun 10, 2026

Copy link
Copy Markdown
Member Author

Has to be revisited after merge of #2338.

@berendt berendt moved this from New to In progress in Human Board Jul 1, 2026
@berendt berendt requested review from ideaship and osfrickler July 16, 2026 12:53
@berendt berendt moved this from In progress to Ready for review in Human Board Jul 16, 2026
@berendt berendt marked this pull request as ready for review July 16, 2026 12:53

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • In _add_ssh_acl_configuration you overwrite config["ACL_TABLE"] and config["ACL_RULE"] wholesale; consider using setdefault/update so additional ACL emitters (e.g. future SNMP/GNMI CTRLPLANE ACLs) can coexist without being clobbered.
  • The orchestrator test test_generate_sonic_config_no_oob_ip_drops_stale_acl_tables asserts that ACL_TABLE/ACL_RULE are absent entirely; this may become too strict once other features legitimately emit ACLs without an OOB IP, so you might narrow the assertion to the SSH-only entries instead.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- In `_add_ssh_acl_configuration` you overwrite `config["ACL_TABLE"]` and `config["ACL_RULE"]` wholesale; consider using `setdefault`/`update` so additional ACL emitters (e.g. future SNMP/GNMI CTRLPLANE ACLs) can coexist without being clobbered.
- The orchestrator test `test_generate_sonic_config_no_oob_ip_drops_stale_acl_tables` asserts that `ACL_TABLE`/`ACL_RULE` are absent entirely; this may become too strict once other features legitimately emit ACLs without an OOB IP, so you might narrow the assertion to the SSH-only entries instead.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

The generated ConfigDB did not restrict which networks can reach the
switch's SSH service: front-panel / in-band interfaces with IPs in the
default VRF could still reach TCP/22.

Emit a per-device SONiC control-plane ACL handled by caclmgrd: an
ACL_TABLE of type CTRLPLANE bound to the SSH service plus an ACL_RULE
that ACCEPTs the device's OOB management subnet. Once a CTRLPLANE table
binds a service, caclmgrd installs an implicit default-drop for it, so
SSH is reachable only from the management network.

The permitted subnet is derived from the same OOB data already used for
MGMT_INTERFACE (get_device_oob_ip), normalised to the network address.
Only the device's own OOB subnet is permitted in this iteration. When
no OOB IP is present, no ACL is emitted and SSH is not locked down.

ACL_TABLE / ACL_RULE are not yet covered by the generated pydantic
schema set, so the validator reports them as warnings, not errors.

Closes #2329

AI-assisted: Claude Code
Signed-off-by: Christian Berendt <berendt@osism.tech>
@berendt berendt force-pushed the implement/issue-2329-ssh-mgmt-acl branch from 7b01e69 to 5239e98 Compare July 16, 2026 13:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Ready for review

Development

Successfully merging this pull request may close these issues.

Ensure that the SONiC SSH service is accessible only on the management network

2 participants