Add iptables rules to drop all bgp packets destined for loopback1 IP addresses in dual ToR#262
Merged
StormLiangMS merged 5 commits intosonic-net:masterfrom Jun 11, 2025
Merged
Conversation
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Contributor
|
@yyynini can you please add the description for this PR? |
lolyu
reviewed
May 28, 2025
Contributor
|
@yyynini Please check if it needs to update the test case in test_cacl_application for dualtor |
…v4 and ipv6 addresses
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
yyynini
changed the title
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
11 tasks
lolyu
reviewed
Jun 3, 2025
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
hi @yyynini could you help to update the description part as we do in sonic-buildimage repo? |
StormLiangMS
reviewed
Jun 4, 2025
scripts/caclmgrd
Outdated
| if iface_name.startswith(loopback1_name): | ||
| loopback1_intf = ipaddress.ip_interface(iface_cidr) | ||
| loopback1_addr = loopback1_intf.ip | ||
| # Add iptables rules to drop all packets destined for loopback1 IP addresses |
There was a problem hiding this comment.
minor one, in the comment part, not all packets, but the BGP packets.
lolyu
reviewed
Jun 4, 2025
prsunny
approved these changes
Jun 4, 2025
Contributor
prsunny
left a comment
prsunny
left a comment
There was a problem hiding this comment.
lgtm, few clarification questions.
|
|
||
| return allow_internal_docker_ip_cmds | ||
|
|
||
| def generate_block_bgp_loopback1(self, namespace, config_db_connector): |
Contributor
There was a problem hiding this comment.
Can you confirm it covers both active-standy and active-active dualtor scenarios?
Contributor
Author
There was a problem hiding this comment.
Yes, the BGP block rule is applied for both DualToR scenarios.
| loopback1_addr = loopback1_intf.ip | ||
| # Add iptables rules to drop all packets destined for loopback1 IP addresses | ||
| if isinstance(loopback1_addr, ipaddress.IPv4Address): | ||
| drop_dulator_bgp_loopback1_cmds.append(self.iptables_cmd_ns_prefix[namespace] + |
Contributor
There was a problem hiding this comment.
-I is good. Lets ensure that there are no other ACCEPT rules above this.
Contributor
Author
There was a problem hiding this comment.
Yes, the DROP rule is at the top (rule 1).
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Contributor
|
@yejianquan , please take to 202505 |
Hi @prsunny , feature-labels work is after PR got merged |
|
hi @yejianquan merged. |
StormLiangMS
pushed a commit
to sonic-net/sonic-mgmt
that referenced
this pull request
Jun 11, 2025
… dualtor (#18766) What is the motivation for this PR? This PR updates the DualToR config to enforce the same loopback1 IP address for both ToRs. Based on a recent Incident 628608070 : [SONiC RCA][SLB_DNC] Gemini Tors dropping vip traffic, we need to block BGP from being established on loopback1. How did you do it? Assign the same loopback1 IP to both ToRs. Added an iptables rules to drop the packets sonic-net/sonic-host-services#262 How did you verify/test it? Confirmed both ToRs used the same loopback1 IP, and verify the drop rule.
mssonicbld
pushed a commit
to mssonicbld/sonic-mgmt
that referenced
this pull request
Jun 11, 2025
… dualtor (sonic-net#18766) What is the motivation for this PR? This PR updates the DualToR config to enforce the same loopback1 IP address for both ToRs. Based on a recent Incident 628608070 : [SONiC RCA][SLB_DNC] Gemini Tors dropping vip traffic, we need to block BGP from being established on loopback1. How did you do it? Assign the same loopback1 IP to both ToRs. Added an iptables rules to drop the packets sonic-net/sonic-host-services#262 How did you verify/test it? Confirmed both ToRs used the same loopback1 IP, and verify the drop rule.
11 tasks
mssonicbld
pushed a commit
to mssonicbld/sonic-mgmt
that referenced
this pull request
Jun 11, 2025
… dualtor (sonic-net#18766) What is the motivation for this PR? This PR updates the DualToR config to enforce the same loopback1 IP address for both ToRs. Based on a recent Incident 628608070 : [SONiC RCA][SLB_DNC] Gemini Tors dropping vip traffic, we need to block BGP from being established on loopback1. How did you do it? Assign the same loopback1 IP to both ToRs. Added an iptables rules to drop the packets sonic-net/sonic-host-services#262 How did you verify/test it? Confirmed both ToRs used the same loopback1 IP, and verify the drop rule.
11 tasks
|
Cherry-pick PR to 202505: #269 |
mssonicbld
added
Included in 202505 Branch
and removed
Created PR to 202505 Branch
labels
mssonicbld
pushed a commit
to mssonicbld/sonic-mgmt
that referenced
this pull request
Jun 12, 2025
… dualtor (sonic-net#18766) What is the motivation for this PR? This PR updates the DualToR config to enforce the same loopback1 IP address for both ToRs. Based on a recent Incident 628608070 : [SONiC RCA][SLB_DNC] Gemini Tors dropping vip traffic, we need to block BGP from being established on loopback1. How did you do it? Assign the same loopback1 IP to both ToRs. Added an iptables rules to drop the packets sonic-net/sonic-host-services#262 How did you verify/test it? Confirmed both ToRs used the same loopback1 IP, and verify the drop rule.
mssonicbld
pushed a commit
to sonic-net/sonic-mgmt
that referenced
this pull request
Jun 13, 2025
… dualtor (#18766) What is the motivation for this PR? This PR updates the DualToR config to enforce the same loopback1 IP address for both ToRs. Based on a recent Incident 628608070 : [SONiC RCA][SLB_DNC] Gemini Tors dropping vip traffic, we need to block BGP from being established on loopback1. How did you do it? Assign the same loopback1 IP to both ToRs. Added an iptables rules to drop the packets sonic-net/sonic-host-services#262 How did you verify/test it? Confirmed both ToRs used the same loopback1 IP, and verify the drop rule.
nissampa
pushed a commit
to nissampa/sonic-mgmt_dpu_test
that referenced
this pull request
Aug 7, 2025
… dualtor (sonic-net#18766) What is the motivation for this PR? This PR updates the DualToR config to enforce the same loopback1 IP address for both ToRs. Based on a recent Incident 628608070 : [SONiC RCA][SLB_DNC] Gemini Tors dropping vip traffic, we need to block BGP from being established on loopback1. How did you do it? Assign the same loopback1 IP to both ToRs. Added an iptables rules to drop the packets sonic-net/sonic-host-services#262 How did you verify/test it? Confirmed both ToRs used the same loopback1 IP, and verify the drop rule.
opcoder0
pushed a commit
to opcoder0/sonic-mgmt
that referenced
this pull request
Dec 8, 2025
… dualtor (sonic-net#18766) What is the motivation for this PR? This PR updates the DualToR config to enforce the same loopback1 IP address for both ToRs. Based on a recent Incident 628608070 : [SONiC RCA][SLB_DNC] Gemini Tors dropping vip traffic, we need to block BGP from being established on loopback1. How did you do it? Assign the same loopback1 IP to both ToRs. Added an iptables rules to drop the packets sonic-net/sonic-host-services#262 How did you verify/test it? Confirmed both ToRs used the same loopback1 IP, and verify the drop rule. Signed-off-by: opcoder0 <[email protected]>
AharonMalkin
pushed a commit
to AharonMalkin/sonic-mgmt
that referenced
this pull request
Dec 16, 2025
… dualtor (sonic-net#18766) What is the motivation for this PR? This PR updates the DualToR config to enforce the same loopback1 IP address for both ToRs. Based on a recent Incident 628608070 : [SONiC RCA][SLB_DNC] Gemini Tors dropping vip traffic, we need to block BGP from being established on loopback1. How did you do it? Assign the same loopback1 IP to both ToRs. Added an iptables rules to drop the packets sonic-net/sonic-host-services#262 How did you verify/test it? Confirmed both ToRs used the same loopback1 IP, and verify the drop rule. Signed-off-by: Aharon Malkin <[email protected]>
gshemesh2
pushed a commit
to gshemesh2/sonic-mgmt
that referenced
this pull request
Dec 21, 2025
… dualtor (sonic-net#18766) What is the motivation for this PR? This PR updates the DualToR config to enforce the same loopback1 IP address for both ToRs. Based on a recent Incident 628608070 : [SONiC RCA][SLB_DNC] Gemini Tors dropping vip traffic, we need to block BGP from being established on loopback1. How did you do it? Assign the same loopback1 IP to both ToRs. Added an iptables rules to drop the packets sonic-net/sonic-host-services#262 How did you verify/test it? Confirmed both ToRs used the same loopback1 IP, and verify the drop rule. Signed-off-by: Guy Shemesh <[email protected]>
venu-nexthop
pushed a commit
to venu-nexthop/sonic-mgmt
that referenced
this pull request
Jan 13, 2026
… dualtor (sonic-net#18766) What is the motivation for this PR? This PR updates the DualToR config to enforce the same loopback1 IP address for both ToRs. Based on a recent Incident 628608070 : [SONiC RCA][SLB_DNC] Gemini Tors dropping vip traffic, we need to block BGP from being established on loopback1. How did you do it? Assign the same loopback1 IP to both ToRs. Added an iptables rules to drop the packets sonic-net/sonic-host-services#262 How did you verify/test it? Confirmed both ToRs used the same loopback1 IP, and verify the drop rule.
gshemesh2
pushed a commit
to gshemesh2/sonic-mgmt
that referenced
this pull request
Jan 26, 2026
… dualtor (sonic-net#18766) What is the motivation for this PR? This PR updates the DualToR config to enforce the same loopback1 IP address for both ToRs. Based on a recent Incident 628608070 : [SONiC RCA][SLB_DNC] Gemini Tors dropping vip traffic, we need to block BGP from being established on loopback1. How did you do it? Assign the same loopback1 IP to both ToRs. Added an iptables rules to drop the packets sonic-net/sonic-host-services#262 How did you verify/test it? Confirmed both ToRs used the same loopback1 IP, and verify the drop rule. Signed-off-by: Guy Shemesh <[email protected]>
ytzur1
pushed a commit
to ytzur1/sonic-mgmt
that referenced
this pull request
Feb 2, 2026
… dualtor (sonic-net#18766) What is the motivation for this PR? This PR updates the DualToR config to enforce the same loopback1 IP address for both ToRs. Based on a recent Incident 628608070 : [SONiC RCA][SLB_DNC] Gemini Tors dropping vip traffic, we need to block BGP from being established on loopback1. How did you do it? Assign the same loopback1 IP to both ToRs. Added an iptables rules to drop the packets sonic-net/sonic-host-services#262 How did you verify/test it? Confirmed both ToRs used the same loopback1 IP, and verify the drop rule. Signed-off-by: Yael Tzur <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why I did it
issue: https://msazure.visualstudio.com/One/_workitems/edit/32910131/
Based on a recent Incident 628608070 : [SONiC RCA][SLB_DNC] Gemini Tors dropping vip traffic, we need to block BGP from being established on loopback1.
This PR addresses the requirement to block BGP packets on lookback1 for both active-active and active-standby dual tor scenarios.
How I did it
-Ito ensure its priority over all the other ACCEPT rules.How to verify it