Updates caclmgrd to add MATCH service #131


Open

wants to merge 1 commit into base: master

Conversation

ashish12pant

@ashish12pant ashish12pant commented Jun 14, 2024

A new service type "MATCH" in the caclmgrd daemon, which can be used to apply a user-given combination of IP_PROTOCOL, SRC_IP and DST_PORT.

  • Add support for multiple ACL RULE entries with different DST port numbers within a single ACL TABLE for
  • Add support for setting any IP protocol in an ACL RULE, like udp, ospf, vrrp, igmp.
  • Add the unit tests required for this change

Sample JSON input:

{
    "ACL_TABLE": {
        "control-plane-match": {
            "policy_desc": "control plane acl match",
            "services": [
                "MATCH"
            ],
            "stage": "ingress",
            "type": "CTRLPLANE"
        }
    },
    "ACL_RULE": {
        "control-plane-match|10": {
            "IP_PROTOCOL": "112",
            "SRC_IP": "0.0.0.0/0",
            "PACKET_ACTION": "ACCEPT",
            "PRIORITY": "9999"
        },
        "control-plane-match|20": {
            "SRC_IP": "0.0.0.0/0",
            "IP_PROTOCOL": "89",
            "PACKET_ACTION": "ACCEPT",
            "PRIORITY": "9998"
        },
        "control-plane-match|30": {
            "IP_PROTOCOL": "17",
            "SRC_IP": "0.0.0.0/0",
            "L4_DST_PORT": "4784",
            "PACKET_ACTION": "ACCEPT",
            "PRIORITY": "9997"
        },
        "control-plane-match|40": {
            "IP_PROTOCOL": "6",
            "SRC_IP": "0.0.0.0/0",
            "L4_DST_PORT": "179",
            "PACKET_ACTION": "ACCEPT",
            "PRIORITY": "9996"
        }
    }
}

Translated iptables rules from caclmgrd:

iptables -A INPUT -p 112 -s 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -p 89 -s 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -p udp -s 0.0.0.0/0 --dport 4784 -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 --dport 179 -j ACCEPT


linux-foundation-easycla bot commented Jun 14, 2024

CLA Signed

The committers listed above are authorized under a signed CLA.

@ashutosh-agrawal

@qiluo-msft Appreciate if you can review this PR.

@qiluo-msft qiluo-msft requested a review from ZhaohuiS April 30, 2025 19:06
@ZhaohuiS
Contributor

ZhaohuiS commented May 6, 2025

@ashish12pant what's the difference between EXTERNAL_CLIENT and MATCH? Any particular reason to add a new service?

    "EXTERNAL_CLIENT": {
        "ip_protocols": ["tcp"],
        "multi_asic_ns_to_host_fwd": True
    },
    "MATCH": {
        "ip_protocols": ["tcp"],
        "dst_ports": ["0"],
        "multi_asic_ns_to_host_fwd": True
    },

@ashish12pant
Author

@ashish12pant what's the difference between EXTERNAL_CLIENT and MATCH? Any particular reason to add a new service?

    "EXTERNAL_CLIENT": {
        "ip_protocols": ["tcp"],
        "multi_asic_ns_to_host_fwd": True
    },
    "MATCH": {
        "ip_protocols": ["tcp"],
        "dst_ports": ["0"],
        "multi_asic_ns_to_host_fwd": True
    },

Limitations with EXTERNAL_CLIENT:

  1. Works only for TCP and does not accept any other protocol.
  2. Suppose we have more than one rule in the table and each one has a different DST_PORT value. All rules are translated to iptables with the DST_PORT of the first rule.

Suppose we have the following rules using EXTERNAL_CLIENT:

        "control-plane-v4|60-Routing-protocols-multi-bfd": {
            "IP_PROTOCOL": "17",
            "SRC_IP": "10.1.1.1/24",
            "L4_DST_PORT": "4784",
            "PACKET_ACTION": "ACCEPT",
            "PRIORITY": "9994"
        },
        "control-plane-v4|70-Routing-protocols-BGP": {
            "IP_PROTOCOL": "6",
            "SRC_IP": "20.1.1.1/24",
            "L4_DST_PORT": "179",
            "PACKET_ACTION": "ACCEPT",
            "PRIORITY": "9993"
        },

These will translate to:

iptables -A INPUT -p tcp -s 10.1.1.1/24 --dport 4784 -j ACCEPT
iptables -A INPUT -p tcp -s 20.1.1.1/24 --dport 4784 -j ACCEPT

The correct translation will be:

iptables -A INPUT -p udp -s 10.1.1.1/24 --dport 4784 -j ACCEPT
iptables -A INPUT -p tcp -s 20.1.1.1/24 --dport 179 -j ACCEPT

The new service MATCH overcomes these limitations. It can accept any protocol and will work for multiple rules with different dst ports.
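To make the two translations concrete, here is a standalone Python model, added for this page and not caclmgrd's own code nor part of the PR, that turns ACL_TABLE/ACL_RULE entries shaped like the PR description's sample input and like the rules quoted in the reply above into iptables commands. `translate_match` applies each rule's own IP_PROTOCOL and L4_DST_PORT, which is what the PR description says the MATCH service does; `translate_external_client` reproduces the EXTERNAL_CLIENT behaviour exactly as the reply describes it (always tcp, the first rule's port on every rule) so the two outputs can be compared on the same input. The protocol-number map, the accepted PACKET_ACTION values, the validation checks and both sample configs are assumptions made for this example.

```python
"""Standalone model of turning SONiC CTRLPLANE ACL_RULE entries into iptables
commands, written for this page to contrast the PR's MATCH service with the
EXTERNAL_CLIENT behaviour described in the reply. Example code, not caclmgrd's
implementation; both configs below are constructed for the example."""
import ipaddress

# Assumption: only these protocols may carry --dport in iptables. Any other
# protocol number is passed to -p numerically, which iptables accepts.
PORT_PROTOCOLS = {"6": "tcp", "17": "udp", "132": "sctp"}

# Constructed: the PR description's sample input, in the same shape.
SAMPLE_CONFIG = {
    "ACL_TABLE": {
        "control-plane-match": {"services": ["MATCH"], "type": "CTRLPLANE"},
    },
    "ACL_RULE": {
        "control-plane-match|10": {"IP_PROTOCOL": "112", "SRC_IP": "0.0.0.0/0",
                                   "PACKET_ACTION": "ACCEPT", "PRIORITY": "9999"},
        "control-plane-match|20": {"IP_PROTOCOL": "89", "SRC_IP": "0.0.0.0/0",
                                   "PACKET_ACTION": "ACCEPT", "PRIORITY": "9998"},
        "control-plane-match|30": {"IP_PROTOCOL": "17", "SRC_IP": "0.0.0.0/0",
                                   "L4_DST_PORT": "4784", "PACKET_ACTION": "ACCEPT",
                                   "PRIORITY": "9997"},
        "control-plane-match|40": {"IP_PROTOCOL": "6", "SRC_IP": "0.0.0.0/0",
                                   "L4_DST_PORT": "179", "PACKET_ACTION": "ACCEPT",
                                   "PRIORITY": "9996"},
    },
}

# Constructed: the two EXTERNAL_CLIENT rules quoted in the reply above.
REPLY_CONFIG = {
    "ACL_TABLE": {
        "control-plane-v4": {"services": ["EXTERNAL_CLIENT"], "type": "CTRLPLANE"},
    },
    "ACL_RULE": {
        "control-plane-v4|60-Routing-protocols-multi-bfd": {
            "IP_PROTOCOL": "17", "SRC_IP": "10.1.1.1/24", "L4_DST_PORT": "4784",
            "PACKET_ACTION": "ACCEPT", "PRIORITY": "9994"},
        "control-plane-v4|70-Routing-protocols-BGP": {
            "IP_PROTOCOL": "6", "SRC_IP": "20.1.1.1/24", "L4_DST_PORT": "179",
            "PACKET_ACTION": "ACCEPT", "PRIORITY": "9993"},
    },
}


def validate_rule(rule):
    """Refuse values iptables would reject, or that would not mean what the
    operator intended (a port on a protocol that has no ports). Assumed checks."""
    proto = rule["IP_PROTOCOL"]
    if not 0 <= int(proto) <= 255:
        raise ValueError(f"bad IP_PROTOCOL {proto}")
    ipaddress.ip_network(rule["SRC_IP"], strict=False)  # raises on garbage
    port = rule.get("L4_DST_PORT")
    if port is not None:
        if proto not in PORT_PROTOCOLS:
            raise ValueError(f"L4_DST_PORT given for port-less protocol {proto}")
        if not 0 < int(port) <= 65535:
            raise ValueError(f"bad L4_DST_PORT {port}")
    if rule["PACKET_ACTION"] not in ("ACCEPT", "DROP"):  # assumed action set
        raise ValueError(f"unsupported PACKET_ACTION {rule['PACKET_ACTION']}")


def rule_is_valid(rule):
    """Boolean wrapper around validate_rule for callers that do not want exceptions."""
    try:
        validate_rule(rule)
        return True
    except ValueError:
        return False


def rules_for_table(config, table):
    """Rules of one table, highest PRIORITY first: iptables is first-match."""
    rules = [r for key, r in config["ACL_RULE"].items()
             if key.split("|", 1)[0] == table]
    return sorted(rules, key=lambda r: int(r["PRIORITY"]), reverse=True)


def translate_match(config, table):
    """MATCH semantics: every rule keeps its own protocol and destination port."""
    cmds = []
    for rule in rules_for_table(config, table):
        validate_rule(rule)
        proto = PORT_PROTOCOLS.get(rule["IP_PROTOCOL"], rule["IP_PROTOCOL"])
        cmd = f"iptables -A INPUT -p {proto} -s {rule['SRC_IP']}"
        if "L4_DST_PORT" in rule:
            cmd += f" --dport {rule['L4_DST_PORT']}"
        cmds.append(f"{cmd} -j {rule['PACKET_ACTION']}")
    return cmds


def translate_external_client(config, table):
    """EXTERNAL_CLIENT as the reply describes it (modelled here, not copied from
    caclmgrd): protocol is always tcp and every rule takes the first rule's port."""
    rules = rules_for_table(config, table)
    first_port = next((r["L4_DST_PORT"] for r in rules if "L4_DST_PORT" in r), None)
    cmds = []
    for rule in rules:
        cmd = f"iptables -A INPUT -p tcp -s {rule['SRC_IP']}"
        if first_port is not None:
            cmd += f" --dport {first_port}"
        cmds.append(f"{cmd} -j {rule['PACKET_ACTION']}")
    return cmds
```

Running `translate_external_client(REPLY_CONFIG, "control-plane-v4")` gives the two `-p tcp --dport 4784` lines the reply shows, while `translate_match` on the same input gives the udp/4784 and tcp/179 lines it calls the correct translation. The validation step is the check a practitioner would add on top: a rule that carries an L4_DST_PORT on OSPF (89) or VRRP (112) is rejected up front rather than being handed to iptables, which has no `--dport` for those protocols.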
