Guest Blog: REST API for Cumulus Linux ACLs
The article "RESTful control of Cumulus Linux ACLs" included a proof-of-concept script that demonstrated how to remotely control iptables entries in Cumulus Linux. Cumulus Linux in turn converts the standard Linux iptables rules into the hardware ACLs implemented by merchant silicon switch ASICs to deliver line-rate filtering.
Previous blog posts demonstrated how remote control of Cumulus Linux ACLs can be used for DDoS mitigation and Large "Elephant" flow marking.
A more advanced version of the script is now available on GitHub.
The new script adds the following features:
- It now runs as a daemon.
- Exceptions generated by cl-acltool are caught and handled.
- Rules are compiled asynchronously, reducing response time of REST calls.
- Updates are batched, supporting hundreds of operations per second.
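The asynchronous, batched design in the list above can be sketched as follows. This is an added example, not the script published on GitHub: the `AclBatcher` class and its `compile_fn` callback are hypothetical, with `compile_fn` standing in for writing the rules file and invoking cl-acltool.

```python
import queue
import threading

class AclBatcher:
    """Queue ACL updates from REST handlers; compile them in batches."""

    def __init__(self, compile_fn):
        # compile_fn (hypothetical) installs a full {name: [rules]} set,
        # e.g. by writing a rules file and running cl-acltool; raises on error.
        self.compile_fn = compile_fn
        self.rules = {}        # last rule set that compiled successfully
        self.errors = []       # messages from failed compiles
        self.compiles = 0      # number of compile attempts
        self.pending = queue.Queue()
        self.worker = threading.Thread(target=self._run, daemon=True)

    def start(self):
        self.worker.start()

    def submit(self, op, name, lines=None):
        """Called by the REST handler: enqueue and return immediately."""
        self.pending.put((op, name, lines))

    def _run(self):
        while True:
            batch = [self.pending.get()]       # block until one update arrives
            try:
                while True:                    # then take everything else queued
                    batch.append(self.pending.get_nowait())
            except queue.Empty:
                pass
            self._apply(batch)
            for _ in batch:
                self.pending.task_done()

    def _apply(self, batch):
        staged = dict(self.rules)
        for op, name, lines in batch:
            if op == "PUT":
                staged[name] = lines
            else:                              # "DELETE"
                staged.pop(name, None)
        self.compiles += 1
        try:
            self.compile_fn(staged)            # one compile for the whole batch
            self.rules = staged                # commit only on success
        except Exception as exc:
            self.errors.append(str(exc))       # keep serving with the old rules
```

In this sketch a single invalid rule rejects the whole batch it arrived in, so the REST layer would need to report compile errors back to callers separately from the immediate response.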
The script doesn’t provide any security, which may be acceptable if access to the REST API is limited to the management port, but is generally unacceptable for production deployments.
Fortunately, Cumulus Linux is an open Linux distribution that allows additional software components to be installed. Rather than being forced to add authentication and encryption to the script, it is possible to install additional software and leverage the capabilities of a mature web server such as Apache. The