
[DualToR][caclmgrd] Fix IPtables rules for multiple vlan interfaces for DualToR config#82

Merged
yxieca merged 4 commits into sonic-net:master from vdahiya12:dev/vdahiya/fix-ip
Nov 3, 2023

Conversation

@vdahiya12
Contributor

@vdahiya12 vdahiya12 commented Oct 31, 2023

This PR is required for changing the L3 IP forwarding behavior to SoC in active-active topology.
Basically a src IP is added to the SNAT rule so that only packets originating from the ToR with src IP as the vlan IP get NATed by the rule and have their src IP changed to the Loopback IP.
However, if there are multiple vlan IPs, we only add the source IP as the vlan IP which the SoC IP belongs to; this PR adds that change.

How I did it

Check the config DB to see if the ToR is a DualToR and has an SoC IP assigned.
Put an iptables rule:
iptables -t nat -A POSTROUTING --destination -j SNAT --to-source "
Signed-off-by: vaibhav-dahiya vdahiya@microsoft.com

how to verify

Rules are only added once for the source IP the SoC IP belongs to

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.0.1          192.168.0.7          to:10.1.0.38
SNAT       all  --  192.168.1.1          192.168.1.9          to:10.1.0.38



DualToR config
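The selection logic the description talks about, as an added illustration that is not caclmgrd's own code: for each SoC IP, the SNAT source is the one VLAN interface address whose subnet contains that SoC IP, so with several VLANs no rule is emitted for the wrong VLAN. The CONFIG_DB table shapes (VLAN_INTERFACE keyed as "VlanX|prefix", MUX_CABLE with a soc_ipv4 field), the sample addresses and the `--source` flag are assumptions made for this example.

```python
"""Pick the SNAT source per SoC IP: the VLAN interface address whose subnet
contains the SoC address (added illustration, not the project's code)."""
import ipaddress
from typing import Dict, List

# Constructed sample of the two CONFIG_DB tables the PR description refers to.
# Assumed layout: VLAN_INTERFACE keys "Vlan1000|192.168.0.1/24", MUX_CABLE
# entries with a soc_ipv4 field for active-active ports.
VLAN_INTERFACE = {
    "Vlan1000": {}, "Vlan1000|192.168.0.1/24": {},
    "Vlan2000": {}, "Vlan2000|192.168.1.1/24": {},
}
MUX_CABLE = {
    "Ethernet4": {"cable_type": "active-active", "soc_ipv4": "192.168.0.7/32"},
    "Ethernet8": {"cable_type": "active-active", "soc_ipv4": "192.168.1.9/32"},
    "Ethernet12": {"cable_type": "active-standby"},  # no SoC IP, so no rule
}
LOOPBACK_IP = "10.1.0.38"  # constructed Loopback0 address


def vlan_addresses(vlan_interface: Dict) -> List[ipaddress.IPv4Interface]:
    """Collect the IPv4 address/prefix pairs configured on VLAN interfaces."""
    out = []
    for key in vlan_interface:
        if "|" not in key:
            continue  # bare "VlanX" entry carries no address
        _, prefix = key.split("|", 1)
        try:
            iface = ipaddress.ip_interface(prefix)
        except ValueError:
            continue
        if iface.version == 4:
            out.append(iface)
    return out


def snat_rules(vlan_interface: Dict, mux_cable: Dict, loopback_ip: str) -> List[str]:
    """One SNAT rule per SoC IP, sourced only from the VLAN that contains it."""
    ifaces = vlan_addresses(vlan_interface)
    rules = []
    for _port, entry in sorted(mux_cable.items()):
        soc = entry.get("soc_ipv4")
        if not soc:
            continue
        soc_addr = ipaddress.ip_interface(soc).ip
        match = [i for i in ifaces if soc_addr in i.network]
        if len(match) != 1:
            continue  # unknown or ambiguous subnet: install nothing for this port
        rules.append(
            "iptables -t nat -A POSTROUTING --source {} --destination {} "
            "-j SNAT --to-source {}".format(match[0].ip, soc_addr, loopback_ip))
    return rules
```

Running it on the sample yields exactly two rules, one per VLAN, matching the POSTROUTING chain shown above.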

Signed-off-by: vaibhav-dahiya <vdahiya@microsoft.com>
@vdahiya12 vdahiya12 requested review from lolyu and zjswhhh October 31, 2023 22:38

@lolyu lolyu left a comment


Code LGTM, please add UT.


@zjswhhh zjswhhh left a comment


lgtm

@yxieca yxieca merged commit beb8bbe into sonic-net:master Nov 3, 2023
yxieca pushed a commit that referenced this pull request Nov 6, 2023
…or DualToR config (#82)

@StormLiangMS

@vdahiya12 could you update ADO and test result for 202305?

@vdahiya12
Contributor Author


@StormLiangMS changes are tested on the 202305 cherry-pick, looks to be good

admin@sonic:~$ sudo iptables -n -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  192.168.0.0          192.168.0.7          to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.9          to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.11         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.13         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.15         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.17         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.19         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.3          to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.21         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.23         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.25         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.27         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.29         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.31         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.33         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.35         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.37         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.39         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.5          to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.41         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.43         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.45         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.47         to:10.1.0.38
SNAT       all  --  192.168.0.0          192.168.0.49         to:10.1.0.38

@StormLiangMS

@vdahiya12 cherry-pick done, please update ADO in the PR.

StormLiangMS pushed a commit that referenced this pull request Nov 19, 2023
…or DualToR config (#82)

5 participants