[code sync] Merge code from sonic-net/sonic-buildimage:202305 to 202305

dockers/docker-fpm-frr/frr/zebra/zebra.interfaces.conf.j2

@@ -24,5 +24,13 @@ interface {{ pc }}
 link-detect
 !
 {% endfor %}
+{% if (DEVICE_METADATA is defined) and ('localhost' in DEVICE_METADATA) and ('subtype' in DEVICE_METADATA['localhost']) and (DEVICE_METADATA['localhost']['subtype'].lower() == 'dualtor') %}
+! Disable link-detect on VLAN interfaces for dualtor
+{% for (name, prefix) in VLAN_INTERFACE|pfx_filter|unique(attribute=0) %}
+interface {{ name }}
+no link-detect
+!
+{% endfor %}
+{% endif %}
 {% endblock interfaces %}
 !

platform/broadcom/sai.mk

@@ -1,4 +1,4 @@
-LIBSAIBCM_XGS_VERSION = 8.4.39.2
+LIBSAIBCM_XGS_VERSION = 8.4.41.0
 LIBSAIBCM_DNX_VERSION = 9.2.12.1
 LIBSAIBCM_XGS_BRANCH_NAME = SAI_8.4.0_GA
 LIBSAIBCM_DNX_BRANCH_NAME = SAI_9.2.0.3

src/sonic-config-engine/tests/sample_output/py2/zebra_frr_dualtor.conf

@@ -0,0 +1,49 @@
+!
+! =========== Managed by sonic-cfggen DO NOT edit manually! ====================
+! generated by templates/zebra/zebra.conf.j2 using config DB data
+! file: zebra.conf
+!
+!
+! Force disable next hop group support
+no zebra nexthop kernel enable
+! Uses the old known FPM behavior of including next hop information in the route (e.g. RTM_NEWROUTE) messages
+no fpm use-next-hop-groups
+!
+fpm address 127.0.0.1
+!
+! template: common/daemons.common.conf.j2
+!
+hostname switch-t0
+password zebra
+enable password zebra
+!
+log syslog informational
+log facility local4
+!
+! end of template: common/daemons.common.conf.j2!
+!
+!
+! Enable nht through default route
+ip nht resolve-via-default
+ipv6 nht resolve-via-default
+! Enable link-detect (default disabled)
+interface PortChannel03
+link-detect
+!
+interface PortChannel02
+link-detect
+!
+interface PortChannel01
+link-detect
+!
+interface PortChannel04
+link-detect
+!
+! Disable link-detect on VLAN interfaces for dualtor
+interface Vlan2000
+no link-detect
+!
+interface Vlan1000
+no link-detect
+!
+!!

src/sonic-config-engine/tests/sample_output/py3/zebra_frr_dualtor.conf

@@ -0,0 +1,49 @@
+!
+! =========== Managed by sonic-cfggen DO NOT edit manually! ====================
+! generated by templates/zebra/zebra.conf.j2 using config DB data
+! file: zebra.conf
+!
+!
+! Force disable next hop group support
+no zebra nexthop kernel enable
+! Uses the old known FPM behavior of including next hop information in the route (e.g. RTM_NEWROUTE) messages
+no fpm use-next-hop-groups
+!
+fpm address 127.0.0.1
+!
+! template: common/daemons.common.conf.j2
+!
+hostname switch-t0
+password zebra
+enable password zebra
+!
+log syslog informational
+log facility local4
+!
+! end of template: common/daemons.common.conf.j2!
+!
+!
+! Enable nht through default route
+ip nht resolve-via-default
+ipv6 nht resolve-via-default
+! Enable link-detect (default disabled)
+interface PortChannel01
+link-detect
+!
+interface PortChannel02
+link-detect
+!
+interface PortChannel03
+link-detect
+!
+interface PortChannel04
+link-detect
+!
+! Disable link-detect on VLAN interfaces for dualtor
+interface Vlan1000
+no link-detect
+!
+interface Vlan2000
+no link-detect
+!
+!!

src/sonic-config-engine/tests/test_frr.py

@@ -74,3 +74,7 @@ def test_zebra_frr(self):
     def test_bgpd_frr_dualtor(self):
         extra_data = {"DEVICE_METADATA": {"localhost": {"subtype": "DualToR"}}}
         self.assertTrue(*self.run_case('bgpd/bgpd.conf.j2', 'bgpd_frr_dualtor.conf', extra_data=extra_data))
+
+    def test_zebra_frr_dualtor(self):
+        extra_data = {"DEVICE_METADATA": {"localhost": {"subtype": "DualToR"}}}
+        self.assertTrue(*self.run_case('zebra/zebra.conf.j2', 'zebra_frr_dualtor.conf', extra_data=extra_data))

src/tacacs/bash_tacplus/bash_tacplus.c

@@ -471,8 +471,9 @@ int on_shell_execve (char *user, int shell_level, char *cmd, char **argv)
                 fprintf(stdout, "%s not authorized by TACACS+ with given arguments, not executing\n", cmd);
             break;
             default:
+                // when command reject by server, authorization will failed immediately
                 fprintf(stdout, "%s authorize failed by TACACS+ with given arguments, not executing\n", cmd);
-            break;
+                return ret;
         }
 
         if ((tacacs_ctrl & AUTHORIZATION_FLAG_LOCAL) == 0) {