caclmgrd: monitor state_db to update dhcp acl #8222
missing unit test.
prsunny left a comment
Please provide details of setting up the dhcp chain/acl rule in the description. Need more clarification on the approach taken.
| # Add iptables command to delete all non-default chains | ||
| iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -X") | ||
| # Add iptables command to flush the current rules and delete all non-default chains |
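Review bot: the two comment lines in this hunk describe the same step differently ("delete all non-default chains" vs "flush the current rules and delete all non-default chains"), and neither says that the DHCP chain is meant to survive; suggest a single comment stating the exclusion explicitly, since a bare `iptables -X` with no chain argument deletes every empty user chain, DHCP included.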
What is this change for? If caclmgrd restarts, can we flush as before?
This is to shield the DHCP related rules in a separate chain. When flushing, exclude the DHCP chain and flush/delete all other chains other than the built-in chains.
Yes, if caclmgrd restarts, we flush all.
| # Add iptables commands to link the DCHP chain to block dhcp packets based on ingress interfaces | ||
| if self.DualToR: | ||
| iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -p udp --dport 67 -j DHCP") |
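Review bot: `iptables -A INPUT -p udp --dport 67 -j DHCP` is appended unconditionally whenever `self.DualToR` is set, so if this setup path can run again without INPUT having been flushed first, the jump rule is duplicated; suggest guarding it with `iptables -C INPUT -p udp --dport 67 -j DHCP` before the `-A`, the same existence check the PR applies to the per-interface rules. Since `-A` appends, the jump also lands after any rule already in INPUT that accepts UDP/67, in which case the DHCP chain never sees those packets.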
Are the below rules required for dualtor? Also why not port 68?
This is to direct matching packets into the DHCP chain; DHCP discovers/requests use dport 67.
| def setup_dhcp_chain(self, namespace): | ||
| all_chains = self.get_chain_list(self.iptables_cmd_ns_prefix[namespace], [""]) | ||
| dhcp_chain_exist = 1 if "DHCP" in all_chains else 0 |
What about using a boolean?
dhcp_chain_exist = "DHCP" in all_chains
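An added illustration of the approach discussed in these threads (a separate DHCP chain preserved across flushes, the dport 67 jump, and boolean existence checks before add and delete). This is example code, not caclmgrd's own; it assumes `iptables -S` output as the chain/rule listing, that built-in chains are flushed but not deleted, and a per-interface `-i <intf> -j DROP` rule shape that the PR does not show.

```python
BUILTIN_CHAINS = ("INPUT", "FORWARD", "OUTPUT")
DHCP_CHAIN = "DHCP"
DHCP_JUMP = "-A INPUT -p udp --dport 67 -j DHCP"  # jump rule from the diff
def parse_iptables_s(output):
    """Split `iptables -S` text into (chain names, '-A ...' rule lines)."""
    chains, rules = [], []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("-P", "-N"):
            chains.append(parts[1])
        elif parts and parts[0] == "-A":
            rules.append(line.strip())
    return chains, rules
def flush_cmds(prefix, chains):
    """Flush every chain except DHCP; delete user chains except DHCP."""
    cmds = []
    for chain in chains:
        if chain == DHCP_CHAIN:
            continue
        cmds.append(prefix + "iptables -F " + chain)
        if chain not in BUILTIN_CHAINS:  # built-in chains cannot be deleted
            cmds.append(prefix + "iptables -X " + chain)
    return cmds
def dhcp_chain_cmds(prefix, chains, rules, dual_tor):
    """Create the DHCP chain and its INPUT jump only when missing (idempotent)."""
    if not dual_tor:
        return []
    cmds = []
    if DHCP_CHAIN not in chains:  # boolean test, as suggested in review
        cmds.append(prefix + "iptables -N " + DHCP_CHAIN)
    if DHCP_JUMP not in rules:  # INPUT was flushed, so the jump must come back
        cmds.append(prefix + "iptables " + DHCP_JUMP)
    return cmds
def dhcp_acl_cmds(prefix, rules, intf, mux_state):
    """standby: add a per-interface DROP in DHCP; active/unknown: delete it."""
    rule = "-A DHCP -i %s -j DROP" % intf  # rule shape is an assumption, not from the PR
    if mux_state == "standby" and rule not in rules:  # check existence before add
        return [prefix + "iptables " + rule]
    if mux_state in ("active", "unknown") and rule in rules:  # and before delete
        return [prefix + "iptables -D " + rule[3:]]
    return []

# Constructed `iptables -S` snapshot left behind by an earlier caclmgrd run.
SAMPLE = """-P INPUT ACCEPT
-N DHCP
-N OLD_ACL
-A INPUT -p udp --dport 67 -j DHCP
-A DHCP -i Ethernet4 -j DROP
"""
```

Run `flush_cmds` on the parsed chains first, then `dhcp_chain_cmds` with the rules that remain after the flush (only the DHCP chain's), and the jump is recreated exactly once.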
| UPDATE_DELAY_SECS = 0.5 | ||
| DualToR = 0 |
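Review bot: `DualToR = 0` gives an integer default to what is used as a boolean flag (`if self.DualToR:` above); suggest `DualToR = False`, consistent with the boolean `dhcp_chain_exist` suggested elsewhere in this review.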
retest this please
/Azp run
Azure Pipelines successfully started running 1 pipeline(s).
/Azp run
Azure Pipelines successfully started running 1 pipeline(s).
| break | ||
| self.log_info("mux cable update : '%s'" % str((key, op, fvs))) | ||
| self.update_dhcp_acl(key, op, dict(fvs)) | ||
| continue |
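Review bot: `self.update_dhcp_acl(key, op, dict(fvs))` is called for every mux_cable_table event with no `self.DualToR` check, while the DHCP chain is only created under `if self.DualToR:` above; please confirm the handler returns early (or the table is not subscribed) on non-dualtor devices, which is the case the question in this thread is about.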
Can you confirm this flow is tested on a non-dualtor testbed?
Yes, I tested it with both subtype=dualtor and none on a vs testbed.
Is the unit test a separate PR? Or are you planning to add it to this one?
Ok, I see this PR - #8359. You could have it in the same PR, FYI.
/Azp run
Azure Pipelines successfully started running 1 pipeline(s).
caclmgrd: monitor mux_cable_table in state_db to update dhcp acl
- if the state changes to 'standby', add acl to block dhcp packets based on ingress interfaces
- if the state changes to 'active', delete acl
- if the state changes to 'unknown', also delete acl to avoid potential disconnect
- both addition and deletion follow checking the existence of the rules
The change has been verified on a virtual switch based testbed.
Port to 202012 branch from #8222
caclmgrd: monitor mux_cable_table in state_db to update dhcp acl
The change has been verified on a virtual switch based testbed.