From 7558d03611a35ee3700cf884d06f88dca827df44 Mon Sep 17 00:00:00 2001
From: abdosi <58047199+abdosi@users.noreply.github.com>
Date: Fri, 22 Sep 2023 10:53:23 -0700
Subject: [PATCH] [202205] Assign altname for bridge interface on chassis and iptables rules update to allow traffic on it. (#16504)

What I did: Fixes: #16468 Why I did: On Some chassis there is no dedicated eth1-midplane interface on supervisor for supervisor and LC communication but instead Linux bridge br1 is used for that. Because of this changes that were done to white-list traffic over eth1-midplane would not work. How I did: To fix this we are using altname property of ip link command to set eth1-midplane as altname of br interface. This is done to keep design generic across chassis and between supervisor and LC also. IP-table rules are updated to get parent/base interface name of eth1-midplane. Signed-off-by: Abhishek Dosi
---
 files/build_templates/docker_image_ctl.j2 | 3 +++
 src/sonic-host-services/scripts/caclmgrd | 13 +++++++++----
 .../tests/caclmgrd/cacl_external_client_acl_test.py | 2 +-
 .../caclmgrd/caclmgrd_chassis_midplane_test.py | 2 +-
 4 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2
index 6f00b0a567..4bd2620b13 100644
--- a/files/build_templates/docker_image_ctl.j2
+++ b/files/build_templates/docker_image_ctl.j2
@@ -180,6 +180,9 @@ function postStartAction()
 ip link add name ns-eth1"$NET_NS" type veth peer name eth1@"$NET_NS"
 ip link set dev eth1@"$NET_NS" master br1
 ip link set dev eth1@"$NET_NS" up
+ # For chassis system where Linux bridge is used on supervisor for midplane communication
+ # assign alternate name as eth1-midplane for generic design
+ ip link property add dev br1 altname eth1-midplane
 else
 ip link add name ns-eth1"$NET_NS" link eth1-midplane type macvlan mode bridge
 fi
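Review bot: `ip link property add dev br1 altname eth1-midplane` is not idempotent — once the altname exists the kernel refuses a second add with EEXIST — and unlike the preceding `ip link add name ns-eth1"$NET_NS"` lines it is not keyed by `$NET_NS`, so if postStartAction runs once per namespace every run after the first fails on this line. Whether that failure aborts the script depends on shell options set outside the hunk (no `set -e` is visible here). Guarding it keeps reruns clean, and relies on the same altname resolution in `ip link show` that the caclmgrd change already depends on: `ip link show dev eth1-midplane >/dev/null 2>&1 || ip link property add dev br1 altname eth1-midplane`. The enclosing if/else and postStartAction both start outside the hunk.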
diff --git a/src/sonic-host-services/scripts/caclmgrd b/src/sonic-host-services/scripts/caclmgrd
index 7dd64dff61..10ab742548 100755
--- a/src/sonic-host-services/scripts/caclmgrd
+++ b/src/sonic-host-services/scripts/caclmgrd
@@ -277,19 +277,24 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
 def get_chassis_midplane_interface_ip(self):
+ chassis_midplane_dev_name_command = "ip -4 -o addr show " + "eth1-midplane" +\
+ " | awk '{print $0}' | cut -d' ' -f2"
+
+ midplane_dev_name = self.run_commands([chassis_midplane_dev_name_command])
+
 chassis_midplane_ip_command = "ip -4 -o addr show " + "eth1-midplane" +\
 " | awk '{print $4}' | cut -d'/' -f1 | head -1"
- return self.run_commands([chassis_midplane_ip_command])
-
+ midplane_ip = self.run_commands([chassis_midplane_ip_command])
+ return midplane_dev_name, midplane_ip
 def generate_allow_internal_chasis_midplane_traffic(self, namespace):
 allow_internal_chassis_midplane_traffic = []
 if not namespace:
- chassis_midplane_ip = self.get_chassis_midplane_interface_ip()
+ midplane_dev_name, chassis_midplane_ip = self.get_chassis_midplane_interface_ip()
 if not chassis_midplane_ip:
 return allow_internal_chassis_midplane_traffic
 allow_internal_chassis_midplane_traffic.append("iptables -A INPUT -s {} -d {} -j ACCEPT".format(chassis_midplane_ip, chassis_midplane_ip))
- allow_internal_chassis_midplane_traffic.append("iptables -A INPUT -i eth1-midplane -j ACCEPT")
+ allow_internal_chassis_midplane_traffic.append("iptables -A INPUT -i {} -j ACCEPT".format(midplane_dev_name))
 return allow_internal_chassis_midplane_traffic
diff --git a/src/sonic-host-services/tests/caclmgrd/cacl_external_client_acl_test.py b/src/sonic-host-services/tests/caclmgrd/cacl_external_client_acl_test.py
index 65255b0581..4d26e5511d 100644
--- a/src/sonic-host-services/tests/caclmgrd/cacl_external_client_acl_test.py
+++ b/src/sonic-host-services/tests/caclmgrd/cacl_external_client_acl_test.py
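Review bot: The new `chassis_midplane_dev_name_command` lacks the `| head -1` that the IP pipeline right below it has, so on an interface carrying more than one IPv4 address `ip -4 -o addr show` prints one line per address and `midplane_dev_name` becomes a multi-line string, which is then formatted straight into `iptables -A INPUT -i {} -j ACCEPT` (assuming `run_commands` hands back the raw stdout, which is not visible in this hunk). The `awk '{print $0}'` stage is also a no-op. `" | awk '{print $2}' | head -1"` yields the base device name as a single line. In `generate_allow_internal_chasis_midplane_traffic` it would also be safer to treat an empty `midplane_dev_name` the same way as an empty IP and return before emitting a rule with a blank `-i` argument, e.g. `if not chassis_midplane_ip or not midplane_dev_name:`.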
@@ -38,7 +38,7 @@ class TestCaclmgrdExternalClientAcl(TestCase):
 self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock()
 self.caclmgrd.ControlPlaneAclManager.generate_block_ip2me_traffic_iptables_commands = mock.MagicMock(return_value=[])
 self.caclmgrd.ControlPlaneAclManager.get_chain_list = mock.MagicMock(return_value=["INPUT", "FORWARD", "OUTPUT"])
- self.caclmgrd.ControlPlaneAclManager.get_chassis_midplane_interface_ip = mock.MagicMock(return_value='')
+ self.caclmgrd.ControlPlaneAclManager.get_chassis_midplane_interface_ip = mock.MagicMock(return_value=('',''))
 caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")
 iptables_rules_ret, _ = caclmgrd_daemon.get_acl_rules_and_translate_to_iptables_commands('', MockConfigDb())
diff --git a/src/sonic-host-services/tests/caclmgrd/caclmgrd_chassis_midplane_test.py b/src/sonic-host-services/tests/caclmgrd/caclmgrd_chassis_midplane_test.py
index 6eb903e794..0f6bcb671f 100644
--- a/src/sonic-host-services/tests/caclmgrd/caclmgrd_chassis_midplane_test.py
+++ b/src/sonic-host-services/tests/caclmgrd/caclmgrd_chassis_midplane_test.py
@@ -36,7 +36,7 @@ class TestCaclmgrdChassisMidplane(TestCase):
 self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ip = mock.MagicMock()
 self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock()
- self.caclmgrd.ControlPlaneAclManager.get_chassis_midplane_interface_ip = mock.MagicMock(return_value="1.0.0.33")
+ self.caclmgrd.ControlPlaneAclManager.get_chassis_midplane_interface_ip = mock.MagicMock(return_value=("eth1-midplane","1.0.0.33"))
 caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")
 ret = caclmgrd_daemon.generate_allow_internal_chasis_midplane_traffic('')
 self.assertListEqual(test_data["return"], ret)
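Review bot: The updated mock in the caclmgrd_chassis_midplane_test.py hunk still returns `"eth1-midplane"` as the device name, so the test only shows the name passing through unchanged and never exercises the case this change exists for, the altname resolving to a different base interface. A second case returning `("br1", "1.0.0.33")` and expecting `iptables -A INPUT -i br1 -j ACCEPT` in `test_data["return"]` would pin that behaviour, and a case with a non-empty IP but empty device name would document what the daemon is meant to do when the altname lookup yields nothing. The enclosing test method starts outside the hunk.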