[202205] Assign altname for bridge interface on chassis and iptables rules update to allow traffic on it. (#16504)

What I did: Fixes: #16468 Why I did: On Some chassis there is no dedicated eth1-midplane interface on supervisor for supervisor and LC communication but instead Linux bridge br1 is used for that. Because of this changes that were done to white-list traffic over eth1-midplane would not work. How I did: To fix this we are using altname property of ip link command to set eth1-midplane as altname of br interface. This is done to keep design generic across chassis and between supervisor and LC also. IP-table rules are updated to get parent/base interface name of eth1-midplane. Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
2023-09-22 10:53:23 -07:00 · 2023-09-22 10:53:23 -07:00 · 7558d03611
commit 7558d03611
parent 6ebfa3b34b
4 changed files with 14 additions and 6 deletions
--- a/files/build_templates/docker_image_ctl.j2
+++ b/files/build_templates/docker_image_ctl.j2
@ -180,6 +180,9 @@ function postStartAction()
                   ip link add name ns-eth1"$NET_NS" type veth peer name eth1@"$NET_NS"
                   ip link set dev eth1@"$NET_NS" master br1
                   ip link set dev eth1@"$NET_NS" up
+                   # For chassis system where Linux bridge is used on supervisor for midplane communication
+                   # assign alternate name as eth1-midplane for generic design
+                   ip link property add dev br1 altname eth1-midplane
           else
                   ip link add name ns-eth1"$NET_NS" link eth1-midplane type macvlan mode bridge
           fi
--- a/src/sonic-host-services/scripts/caclmgrd
+++ b/src/sonic-host-services/scripts/caclmgrd
@ -277,19 +277,24 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):

    def get_chassis_midplane_interface_ip(self):

+        chassis_midplane_dev_name_command = "ip -4 -o addr show " + "eth1-midplane" +\
+                                             " | awk '{print $0}' | cut -d' ' -f2"
+
+        midplane_dev_name = self.run_commands([chassis_midplane_dev_name_command])
+
        chassis_midplane_ip_command = "ip -4 -o addr show " + "eth1-midplane" +\
                                 " | awk '{print $4}' | cut -d'/' -f1 | head -1"
-        return self.run_commands([chassis_midplane_ip_command])
-
+        midplane_ip = self.run_commands([chassis_midplane_ip_command])
+        return midplane_dev_name, midplane_ip

    def generate_allow_internal_chasis_midplane_traffic(self, namespace):
        allow_internal_chassis_midplane_traffic = []
        if not namespace:
-            chassis_midplane_ip = self.get_chassis_midplane_interface_ip()
+            midplane_dev_name, chassis_midplane_ip = self.get_chassis_midplane_interface_ip()
            if not chassis_midplane_ip:
                return allow_internal_chassis_midplane_traffic
            allow_internal_chassis_midplane_traffic.append("iptables -A INPUT -s {} -d {} -j ACCEPT".format(chassis_midplane_ip, chassis_midplane_ip))
-            allow_internal_chassis_midplane_traffic.append("iptables -A INPUT -i eth1-midplane -j ACCEPT")
+            allow_internal_chassis_midplane_traffic.append("iptables -A INPUT -i {} -j ACCEPT".format(midplane_dev_name))

        return allow_internal_chassis_midplane_traffic

--- a/src/sonic-host-services/tests/caclmgrd/cacl_external_client_acl_test.py
+++ b/src/sonic-host-services/tests/caclmgrd/cacl_external_client_acl_test.py
@ -38,7 +38,7 @@ class TestCaclmgrdExternalClientAcl(TestCase):
        self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock()
        self.caclmgrd.ControlPlaneAclManager.generate_block_ip2me_traffic_iptables_commands = mock.MagicMock(return_value=[])
        self.caclmgrd.ControlPlaneAclManager.get_chain_list = mock.MagicMock(return_value=["INPUT", "FORWARD", "OUTPUT"])
-        self.caclmgrd.ControlPlaneAclManager.get_chassis_midplane_interface_ip = mock.MagicMock(return_value='')
+        self.caclmgrd.ControlPlaneAclManager.get_chassis_midplane_interface_ip = mock.MagicMock(return_value=('',''))
        caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")

        iptables_rules_ret, _ = caclmgrd_daemon.get_acl_rules_and_translate_to_iptables_commands('', MockConfigDb())
--- a/src/sonic-host-services/tests/caclmgrd/caclmgrd_chassis_midplane_test.py
+++ b/src/sonic-host-services/tests/caclmgrd/caclmgrd_chassis_midplane_test.py
@ -36,7 +36,7 @@ class TestCaclmgrdChassisMidplane(TestCase):

        self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ip = mock.MagicMock()
        self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock()
-        self.caclmgrd.ControlPlaneAclManager.get_chassis_midplane_interface_ip = mock.MagicMock(return_value="1.0.0.33")
+        self.caclmgrd.ControlPlaneAclManager.get_chassis_midplane_interface_ip = mock.MagicMock(return_value=("eth1-midplane","1.0.0.33"))
        caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")
        ret = caclmgrd_daemon.generate_allow_internal_chasis_midplane_traffic('')
        self.assertListEqual(test_data["return"], ret)