sonic-net · prsunny · Sep 18, 2019 · Sep 12, 2019 · Sep 13, 2019 · Sep 17, 2019
diff --git a/build_debian.sh b/build_debian.sh
@@ -487,6 +487,9 @@ fi
 sudo sed -i 's/EBTABLES_LOAD_ON_START="no"/EBTABLES_LOAD_ON_START="yes"/g' ${FILESYSTEM_ROOT}/etc/default/ebtables
 sudo cp files/image_config/ebtables/ebtables.filter ${FILESYSTEM_ROOT}/etc
 
+## Setup iptables rules
+sudo cp files/image_config/iptables/iptables.sh ${FILESYSTEM_ROOT}/usr/bin
+
 ## Debug Image specific changes
 ## Update motd for debug image
 if [ "$DEBUG_IMG" == "y" ]

diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2
@@ -87,6 +87,11 @@ function postStartAction()
         # Migrate the DB to the latest schema version if needed
         /usr/bin/db_migrator.py -o migrate
     fi
+
+    if [[ -x /usr/bin/iptables.sh ]]; then
+        # Install iptables rules
+        /usr/bin/iptables.sh
+    fi
 {%- elif docker_container_name == "swss" %}
     docker exec swss rm -f /ready   # remove cruft
     if [[ "$BOOT_TYPE" == "fast" ]] && [[ -d /host/fast-reboot ]]; then

diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2
@@ -197,6 +197,9 @@ echo "hostcfgd.service" | sudo tee -a $GENERATED_SERVICE_FILE
 sudo cp $IMAGE_CONFIGS/hostcfgd/hostcfgd $FILESYSTEM_ROOT/usr/bin/
 sudo cp $IMAGE_CONFIGS/hostcfgd/*.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
 
+# Copy iptables files
+sudo cp $IMAGE_CONFIGS/iptables/*.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
+
 # Copy the buffer configuration template
 sudo cp $BUILD_TEMPLATES/buffers_config.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
 

diff --git a/files/image_config/iptables/iptables.j2 b/files/image_config/iptables/iptables.j2
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+function ip_tables_install
+{
+    echo "Installing Iptables mangle rules"
+    prefix=$1
+    cmd=$2
+
+    # Set first with prerouting and direction = destination
+    chain="PREROUTING"
+    dir="d"
+    while true; do
+        exec="${cmd} -t mangle -C ${chain} -p tcp --tcp-flags SYN SYN -${dir} ${prefix} -j TCPMSS --set-mss 1460"
+        $exec 2> /dev/null
+        if [ $? -eq 0 ]; then
+            echo "${prefix} rule exists in ${chain}"
+        else
+            exec="${cmd} -t mangle -A ${chain} -p tcp --tcp-flags SYN SYN -${dir} ${prefix} -j TCPMSS --set-mss 1460"
+            echo $exec
+            $exec
+        fi
+
+        if [ $chain = "PREROUTING" ]; then
+            chain="POSTROUTING"
+            dir="s"
+        else
+            break
+        fi
+    done
+}
+
+{% block loopback %}
+# Iptables rules for the loopback network interface
+{% for (name, prefix) in LOOPBACK_INTERFACE|pfx_filter %}
+ip_tables_install {{ prefix | ip }} {{ 'iptables' if prefix | ipv4 else 'ip6tables' }}
+{% endfor %}
+{% endblock loopback %}
diff --git a/files/image_config/iptables/iptables.sh b/files/image_config/iptables/iptables.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+sonic-cfggen -d -t /usr/share/sonic/templates/iptables.j2 > /usr/bin/iptables_install.sh
+
+chmod +x /usr/bin/iptables_install.sh
+
+/usr/bin/iptables_install.sh
diff --git a/files/image_config/updategraph/updategraph b/files/image_config/updategraph/updategraph
@@ -2,6 +2,14 @@
 
 CONFIG_DB_INDEX=4
 
+function install_iptables()
+{
+    if [[ -x /usr/bin/iptables.sh ]]; then
+        # Install iptables rules
+        /usr/bin/iptables.sh
+    fi
+}
+
 reload_minigraph()
 {
     echo "Reloading minigraph..."
@@ -21,6 +29,7 @@ reload_minigraph()
         # Set latest version number
         /usr/bin/db_migrator.py -o set_version
     fi
+    install_iptables
 }
 
 function copy_config_files_and_directories()
@@ -46,7 +55,6 @@ function check_system_warm_boot()
     fi
 }
 
-
 if [ ! -f /etc/sonic/updategraph.conf ]; then
     echo "No updategraph.conf found, generating a default one."
     echo "enabled=false" >/etc/sonic/updategraph.conf
@@ -67,6 +75,7 @@ if [ -f /tmp/pending_config_migration ]; then
     else
         echo "Use config_db.json from old system..."
         sonic-cfggen -j /etc/sonic/config_db.json --write-to-db
+        install_iptables
     fi
     rm -f /tmp/pending_config_migration
     sed -i "/enabled=/d" /etc/sonic/updategraph.conf
@@ -82,6 +91,7 @@ if [ -f /tmp/pending_config_initialization ]; then
         sonic-cfggen -H -k ${PRESET[0]} --preset ${PRESET[1]} > /etc/sonic/config_db.json
         redis-cli -n $CONFIG_DB_INDEX FLUSHDB
         sonic-cfggen -j /etc/sonic/config_db.json --write-to-db
+        install_iptables
         redis-cli -n $CONFIG_DB_INDEX SET "CONFIG_DB_INITIALIZED" "1"
         exit 0
     fi
@@ -127,6 +137,7 @@ if [ "$src" = "dhcp" ]; then
         fi
         redis-cli -n $CONFIG_DB_INDEX FLUSHDB
         sonic-cfggen -j /etc/sonic/config_db.json --write-to-db
+        install_iptables
         redis-cli -n $CONFIG_DB_INDEX SET "CONFIG_DB_INITIALIZED" "1"
         if [ "$dhcp_as_static" = "true" ]; then
             sed -i "/enabled=/d" /etc/sonic/updategraph.conf