
Commit 0987e1f

authored
Added IP Table rule to allow eth1-midplane traffic for chassis (#42)
Added IP Table rule to make sure we do not drop chassis-internal traffic on eth1-midplane when Control Plane ACLs are installed.
1 parent eefbd43 commit 0987e1f


4 files changed

+80
-0
lines changed


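--- a/scripts/caclmgrd
+++ b/scripts/caclmgrd
@@ -299,6 +299,24 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
 
 return block_ip2me_cmds
 
+def get_chassis_midplane_interface_ip(self):
+ip_address_cmd0 = ['ip', '-4', '-o', 'addr', 'show', "eth1-midplane"]
+ip_address_cmd1 = ['awk', '{print $4}']
+ip_address_cmd2 = ['cut', '-d', '/', '-f1']
+ip_address_cmd3 = ['head', '-1']
+return self.run_commands_pipe(ip_address_cmd0, ip_address_cmd1, ip_address_cmd2, ip_address_cmd3)
+
+def generate_allow_internal_chasis_midplane_traffic(self, namespace):
+allow_internal_chassis_midplane_traffic = []
+if not namespace:
+chassis_midplane_ip = self.get_chassis_midplane_interface_ip()
+if not chassis_midplane_ip:
+return allow_internal_chassis_midplane_traffic
+allow_internal_chassis_midplane_traffic.append(['iptables', '-A', 'INPUT', '-s', chassis_midplane_ip, '-d', chassis_midplane_ip, '-j', 'ACCEPT'])
+allow_internal_chassis_midplane_traffic.append(['iptables', '-A', 'INPUT', '-i', 'eth1-midplane', '-j', 'ACCEPT'])
+
+return allow_internal_chassis_midplane_traffic
+
 def generate_allow_internal_docker_ip_traffic_commands(self, namespace):
 allow_internal_docker_ip_cmds = []
 
@@ -539,6 +557,9 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
 # Add iptables commands to allow internal docker traffic
 iptables_cmds += self.generate_allow_internal_docker_ip_traffic_commands(namespace)
 
+# Add iptables commands to allow internal chasiss midplane traffic
+iptables_cmds += self.generate_allow_internal_chasis_midplane_traffic(namespace)
+
 # Add iptables/ip6tables commands to allow all incoming packets from established
 # connections or new connections which are related to established connections
 iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['iptables', '-A', 'INPUT', '-m', 'conntrack', '--ctstate', 'ESTABLISHED,RELATED', '-j', 'ACCEPT'])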
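Review bot: In generate_allow_internal_chasis_midplane_traffic the string returned by get_chassis_midplane_interface_ip is placed straight into the iptables `-s`/`-d` arguments after only a truthiness check, so whatever the ip/awk/cut/head pipeline happens to emit becomes the rule's address — an unexpected token if the `ip -o addr` output layout differs, or a trailing newline if run_commands_pipe returns raw stdout (the unit test mocks it as the bare string '1.0.0.33', so I cannot tell from here). Parse the value with ipaddress.IPv4Address and return the empty list when it does not parse; that needs `import ipaddress` at the module top, outside this hunk. The second rule, `iptables -A INPUT -i eth1-midplane -j ACCEPT`, admits every packet arriving on that interface regardless of source, ahead of the control-plane ACL rules, so it should carry a comment recording the assumption it rests on, e.g. `# eth1-midplane is the chassis-internal link; everything on it is trusted and bypasses the CP ACL`. The new method name and the comment in the second hunk misspell "chassis" (`chasis`, `chasiss`); since the method is new, renaming it now costs nothing, before callers depend on it.
```python
        chassis_midplane_ip = self.get_chassis_midplane_interface_ip()
        if not chassis_midplane_ip:
            return allow_internal_chassis_midplane_traffic
        # Only a well-formed IPv4 address may become an iptables -s/-d argument;
        # a trailing newline or an unexpected pipeline token yields no rules.
        try:
            chassis_midplane_ip = str(ipaddress.IPv4Address(chassis_midplane_ip.strip()))
        except ValueError:
            return allow_internal_chassis_midplane_traffic
        # … unchanged: append the two ACCEPT rules …
```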
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,42 @@
1+
import os
2+
import sys
3+
4+
from swsscommon import swsscommon
5+
from parameterized import parameterized
6+
from sonic_py_common.general import load_module_from_source
7+
from unittest import TestCase, mock
8+
from pyfakefs.fake_filesystem_unittest import patchfs
9+
10+
from .test_chassis_midplane_vectors import CACLMGRD_CHASSIS_MIDPLANE_TEST_VECTOR
11+
from tests.common.mock_configdb import MockConfigDb
12+
13+
14+
DBCONFIG_PATH = '/var/run/redis/sonic-db/database_config.json'
15+
16+
17+
class TestCaclmgrdChassisMidplane(TestCase):
18+
"""
19+
Test caclmgrd Chassis Midplane
20+
"""
21+
def setUp(self):
22+
swsscommon.ConfigDBConnector = MockConfigDb
23+
test_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
24+
modules_path = os.path.dirname(test_path)
25+
scripts_path = os.path.join(modules_path, "scripts")
26+
sys.path.insert(0, modules_path)
27+
caclmgrd_path = os.path.join(scripts_path, 'caclmgrd')
28+
self.caclmgrd = load_module_from_source('caclmgrd', caclmgrd_path)
29+
self.maxDiff = None
30+
31+
@parameterized.expand(CACLMGRD_CHASSIS_MIDPLANE_TEST_VECTOR)
32+
@patchfs
33+
def test_caclmgrd_chassis_midplane(self, test_name, test_data, fs):
34+
if not os.path.exists(DBCONFIG_PATH):
35+
fs.create_file(DBCONFIG_PATH) # fake database_config.json
36+
37+
with mock.patch("caclmgrd.ControlPlaneAclManager.run_commands_pipe", return_value='1.0.0.33'):
38+
caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")
39+
ret = caclmgrd_daemon.generate_allow_internal_chasis_midplane_traffic('')
40+
self.assertListEqual(test_data["return"], ret)
41+
ret = caclmgrd_daemon.generate_allow_internal_chasis_midplane_traffic('asic0')
42+
self.assertListEqual([], ret)
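Review bot: test_caclmgrd_chassis_midplane never exercises the branch where the host namespace has no midplane address: run_commands_pipe is only mocked to return '1.0.0.33', and the empty-list assertion is made for 'asic0', where the namespace check short-circuits before the address is read. Add a second patch with `return_value=''` and assert `self.assertListEqual([], caclmgrd_daemon.generate_allow_internal_chasis_midplane_traffic(''))` so the empty-address guard is covered. setUp also replaces swsscommon.ConfigDBConnector and inserts into sys.path without a matching tearDown, so the substitutions leak into other test modules run in the same process; the existing caclmgrd tests may do the same, which I cannot see from here.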

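--- a/tests/caclmgrd/caclmgrd_external_client_acl_test.py
+++ b/tests/caclmgrd/caclmgrd_external_client_acl_test.py
@@ -38,6 +38,7 @@ def test_caclmgrd_external_client_acl(self, test_name, test_data, fs):
 self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock()
 self.caclmgrd.ControlPlaneAclManager.generate_block_ip2me_traffic_iptables_commands = mock.MagicMock(return_value=[])
 self.caclmgrd.ControlPlaneAclManager.get_chain_list = mock.MagicMock(return_value=["INPUT", "FORWARD", "OUTPUT"])
+self.caclmgrd.ControlPlaneAclManager.get_chassis_midplane_interface_ip = mock.MagicMock(return_value='')
 caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")
 
 iptables_rules_ret, _ = caclmgrd_daemon.get_acl_rules_and_translate_to_iptables_commands('')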
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
from unittest.mock import call
2+
3+
"""
4+
caclmgrd chassis midplane test vector
5+
"""
6+
CACLMGRD_CHASSIS_MIDPLANE_TEST_VECTOR = [
7+
[
8+
"Allow chassis midlane traffic",
9+
{
10+
"return": [
11+
['iptables', '-A', 'INPUT', '-s', '1.0.0.33', '-d', '1.0.0.33', '-j', 'ACCEPT'],
12+
['iptables', '-A', 'INPUT', '-i', 'eth1-midplane', '-j', 'ACCEPT']
13+
]
14+
}
15+
]
16+
]
