matthew/sonic-buildimage
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added changes for chassis: (#14816)

Browse Source 
What/Why I did:

Allow traffic with source and destination as chassis eth1-midplane ip. Needed for Supervisor Redis-db connection (Redis packet has source and destination ip as eth1-midpane) after we load acl.json that has catch-all drop rule. Changes are generic and not specific to supervisor and applies on LC also.

Made multi_asic_ns_to_host_fwd as False for ACL service for External Client. This flag is needed for service SSH and SNMP where traffic can come in namespace over front-panel ports and we need to send the traffic in host where corresponding docker/service are running. There is no use-case of External client service for multi-asic as of now. Having flag as True creates failure when we try to load acl.json.
This commit is contained in:
abdosi 2023-05-02 10:55:17 -07:00 committed by GitHub
parent 0ed0df6ddb
commit 9ca6b9cb6c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 21 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/sonic-host-services/scripts/caclmgrd
View File

@ -102,7 +102,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
}, },
"EXTERNAL_CLIENT": { "EXTERNAL_CLIENT": {
"ip_protocols": ["tcp"], "ip_protocols": ["tcp"],
"multi_asic_ns_to_host_fwd":True "multi_asic_ns_to_host_fwd":False
}, },
"ANY": { "ANY": {
"ip_protocols": ["any"], "ip_protocols": ["any"],
@ -275,14 +275,23 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
return block_ip2me_cmds return block_ip2me_cmds
def check_chassis_midplane_interface_exist(self): def get_chassis_midplane_interface_ip(self):
return self.run_commands(["ip link show" + " | grep -w 'eth1-midplane'" ], ignore_error=True)
chassis_midplane_ip_command = "ip -4 -o addr show " + "eth1-midplane" +\
" | awk '{print $4}' | cut -d'/' -f1 | head -1"
return self.run_commands([chassis_midplane_ip_command])
def generate_allow_internal_chasis_midplane_traffic(self, namespace): def generate_allow_internal_chasis_midplane_traffic(self, namespace):
if not namespace and self.check_chassis_midplane_interface_exist(): allow_internal_chassis_midplane_traffic = []
return ["iptables -A INPUT -i eth1-midplane -j ACCEPT"] if not namespace:
else: chassis_midplane_ip = self.get_chassis_midplane_interface_ip()
return [] if not chassis_midplane_ip:
return allow_internal_chassis_midplane_traffic
allow_internal_chassis_midplane_traffic.append("iptables -A INPUT -s {} -d {} -j ACCEPT".format(chassis_midplane_ip, chassis_midplane_ip))
allow_internal_chassis_midplane_traffic.append("iptables -A INPUT -i eth1-midplane -j ACCEPT")
return allow_internal_chassis_midplane_traffic
def generate_allow_internal_docker_ip_traffic_commands(self, namespace): def generate_allow_internal_docker_ip_traffic_commands(self, namespace):
allow_internal_docker_ip_cmds = [] allow_internal_docker_ip_cmds = []

2
src/sonic-host-services/tests/caclmgrd/cacl_external_client_acl_test.py
View File

@ -38,7 +38,7 @@ class TestCaclmgrdExternalClientAcl(TestCase):
self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock() self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock()
self.caclmgrd.ControlPlaneAclManager.generate_block_ip2me_traffic_iptables_commands = mock.MagicMock(return_value=[]) self.caclmgrd.ControlPlaneAclManager.generate_block_ip2me_traffic_iptables_commands = mock.MagicMock(return_value=[])
self.caclmgrd.ControlPlaneAclManager.get_chain_list = mock.MagicMock(return_value=["INPUT", "FORWARD", "OUTPUT"]) self.caclmgrd.ControlPlaneAclManager.get_chain_list = mock.MagicMock(return_value=["INPUT", "FORWARD", "OUTPUT"])
self.caclmgrd.ControlPlaneAclManager.check_chassis_midplane_interface_exist = mock.MagicMock(return_value=False) self.caclmgrd.ControlPlaneAclManager.get_chassis_midplane_interface_ip = mock.MagicMock(return_value='')
caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd") caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")
iptables_rules_ret, _ = caclmgrd_daemon.get_acl_rules_and_translate_to_iptables_commands('') iptables_rules_ret, _ = caclmgrd_daemon.get_acl_rules_and_translate_to_iptables_commands('')

4
src/sonic-host-services/tests/caclmgrd/caclmgrd_chassis_midplane_test.py
View File

@ -36,7 +36,9 @@ class TestCaclmgrdChassisMidplane(TestCase):
self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ip = mock.MagicMock() self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ip = mock.MagicMock()
self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock() self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock()
self.caclmgrd.ControlPlaneAclManager.check_chassis_midplane_interface_exist = mock.MagicMock(return_value=True) self.caclmgrd.ControlPlaneAclManager.get_chassis_midplane_interface_ip = mock.MagicMock(return_value="1.0.0.33")
caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd") caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")
ret = caclmgrd_daemon.generate_allow_internal_chasis_midplane_traffic('') ret = caclmgrd_daemon.generate_allow_internal_chasis_midplane_traffic('')
self.assertListEqual(test_data["return"], ret) self.assertListEqual(test_data["return"], ret)
ret = caclmgrd_daemon.generate_allow_internal_chasis_midplane_traffic('asic0')
self.assertListEqual([], ret)

1
src/sonic-host-services/tests/caclmgrd/test_chassis_midplane_vectors.py
View File

@ -8,6 +8,7 @@ CACLMGRD_CHASSIS_MIDPLANE_TEST_VECTOR = [
"Allow chassis midlane traffic", "Allow chassis midlane traffic",
{ {
"return": [ "return": [
"iptables -A INPUT -s 1.0.0.33 -d 1.0.0.33 -j ACCEPT",
"iptables -A INPUT -i eth1-midplane -j ACCEPT" "iptables -A INPUT -i eth1-midplane -j ACCEPT"
] ]
} }