Added IP Table rule to allow eth1-midplane traffic for chassis (#13946)

What I did:
Added IP Table rule to make sure we do not drop chassis internal traffic on eth1-midpplane when Control Plane ACL's are installed.

Why I did:
When Control Plane ACL's are installed there is default Catch All rule is added to drop all traffic that is not white-listed explicitly https://github.com/sonic-net/sonic-host-services/blob/master/scripts/caclmgrd#L735. In this case Internal Traffic between Supervisor and LC will get drop. To fix this added explicit rule to allow all traffic coming from eth1-midplane.

src/sonic-host-services/scripts/caclmgrd

@@ -191,7 +191,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
                                  " | awk '{print $4}' | cut -d'/' -f1 | head -1"
         return self.run_commands([ipv6_address_get_command])
 
-    def run_commands(self, commands):
+    def run_commands(self, commands, ignore_error=False):
         """
         Given a list of shell commands, run them in order
         Args:
@@ -202,7 +202,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
 
             (stdout, stderr) = proc.communicate()
 
-            if proc.returncode != 0:
+            if proc.returncode != 0 and not ignore_error:
                 self.log_error("Error running command '{}'".format(cmd))
             elif stdout:
                 return stdout.rstrip('\n')
@@ -275,6 +275,15 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
 
         return block_ip2me_cmds
 
+    def check_chassis_midplane_interface_exist(self):
+        return self.run_commands(["ip link show" + " | grep -w 'eth1-midplane'" ], ignore_error=True)
+
+    def generate_allow_internal_chasis_midplane_traffic(self, namespace):
+        if not namespace and self.check_chassis_midplane_interface_exist():
+            return ["iptables -A INPUT -i eth1-midplane -j ACCEPT"]
+        else:
+            return []
+
     def generate_allow_internal_docker_ip_traffic_commands(self, namespace):
         allow_internal_docker_ip_cmds = []
 
@@ -529,6 +538,9 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
         # Add iptables commands to allow internal docker traffic
         iptables_cmds += self.generate_allow_internal_docker_ip_traffic_commands(namespace)
 
+        # Add iptables commands to allow internal chasiss midplane traffic
+        iptables_cmds += self.generate_allow_internal_chasis_midplane_traffic(namespace)
+
         # Add iptables/ip6tables commands to allow all incoming packets from established
         # connections or new connections which are related to established connections
         iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")

src/sonic-host-services/tests/caclmgrd/cacl_external_client_acl_test.py

@@ -38,6 +38,7 @@ class TestCaclmgrdExternalClientAcl(TestCase):
         self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock()
         self.caclmgrd.ControlPlaneAclManager.generate_block_ip2me_traffic_iptables_commands = mock.MagicMock(return_value=[])
         self.caclmgrd.ControlPlaneAclManager.get_chain_list = mock.MagicMock(return_value=["INPUT", "FORWARD", "OUTPUT"])
+        self.caclmgrd.ControlPlaneAclManager.check_chassis_midplane_interface_exist = mock.MagicMock(return_value=False)
         caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")
 
         iptables_rules_ret, _ = caclmgrd_daemon.get_acl_rules_and_translate_to_iptables_commands('')

src/sonic-host-services/tests/caclmgrd/caclmgrd_chassis_midplane_test.py

@@ -0,0 +1,42 @@
+import os
+import sys
+
+from swsscommon import swsscommon
+from parameterized import parameterized
+from sonic_py_common.general import load_module_from_source
+from unittest import TestCase, mock
+from pyfakefs.fake_filesystem_unittest import patchfs
+
+from .test_chassis_midplane_vectors import CACLMGRD_CHASSIS_MIDPLANE_TEST_VECTOR
+from tests.common.mock_configdb import MockConfigDb
+
+
+DBCONFIG_PATH = '/var/run/redis/sonic-db/database_config.json'
+
+
+class TestCaclmgrdChassisMidplane(TestCase):
+    """
+        Test caclmgrd Chassis Midplane
+    """
+    def setUp(self):
+        swsscommon.ConfigDBConnector = MockConfigDb
+        test_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+        modules_path = os.path.dirname(test_path)
+        scripts_path = os.path.join(modules_path, "scripts")
+        sys.path.insert(0, modules_path)
+        caclmgrd_path = os.path.join(scripts_path, 'caclmgrd')
+        self.caclmgrd = load_module_from_source('caclmgrd', caclmgrd_path)
+        self.maxDiff = None
+
+    @parameterized.expand(CACLMGRD_CHASSIS_MIDPLANE_TEST_VECTOR)
+    @patchfs
+    def test_caclmgrd_chassis_midplane(self, test_name, test_data, fs):
+        if not os.path.exists(DBCONFIG_PATH):
+            fs.create_file(DBCONFIG_PATH) # fake database_config.json
+
+        self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ip = mock.MagicMock()
+        self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock()
+        self.caclmgrd.ControlPlaneAclManager.check_chassis_midplane_interface_exist = mock.MagicMock(return_value=True)
+        caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")
+        ret = caclmgrd_daemon.generate_allow_internal_chasis_midplane_traffic('')
+        self.assertListEqual(test_data["return"], ret)

src/sonic-host-services/tests/caclmgrd/test_chassis_midplane_vectors.py

@@ -0,0 +1,15 @@
+from unittest.mock import call
+
+"""
+    caclmgrd chassis midplane test vector
+"""
+CACLMGRD_CHASSIS_MIDPLANE_TEST_VECTOR = [
+    [
+        "Allow chassis midlane traffic",
+        {
+            "return": [
+                "iptables -A INPUT -i eth1-midplane -j ACCEPT"
+            ]
+        }
+    ]
+]