Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[multi-asic] Enhanced iptable default rules #6765

Merged
merged 7 commits into from
Feb 25, 2021
Merged

[multi-asic] Enhanced iptable default rules #6765

merged 7 commits into from
Feb 25, 2021

Conversation

abdosi
Copy link
Contributor

@abdosi abdosi commented Feb 11, 2021
edited
Loading

What I did:-

  • For multi-asic platforms added iptable v4 rule to communicate on docker bridge ip
  • For multi-asic platforms extend iptable v4 rule for iptable v6 also
  • For multi-asic program made all internal rules applicable for all protocols (not filter based on tcp/udp). This is done to be consistent same as local host rule
  • For multi-asic platforms made nat rule (to forward traffic from namespace to host) generic for all protocols and also use Source IP if present for matching

Why I did:

  • We need iptable v4 rule to communicate on docker bridge ip since syslog on multi-asic platforms uses docker bridge ip and for
    host docker syslog is sent with both source and destination ip as docker bridge ip
  • iptable v6 rules are added as enhancement and to be symmetric as iptable v4 rules.
  • Nat rule changes were triggered because even SSH has same use case as SNMP ([Multi-Asic] Forward SNMP requests received on front panel interface to SNMP agent in host. #5420)
  • Need to qualify Source IP with NAT rules is needed since if we load explicit filter rule since we are doing NAT INPUT table will not be used and to make sure we only NAT the valid traffic.

How I verify:
Verified on single and multi-asic platforms

Default table  INPUT Rules on host for multi-asic platforms

sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  240.127.1.1          240.127.1.1
ACCEPT     all  --  240.127.1.6          240.127.1.1
ACCEPT     all  --  240.127.1.7          240.127.1.1
ACCEPT     all  --  240.127.1.4          240.127.1.1
ACCEPT     all  --  240.127.1.2          240.127.1.1
ACCEPT     all  --  240.127.1.3          240.127.1.1
ACCEPT     all  --  240.127.1.5          240.127.1.1

Default table  INPUT Rules  In Namespace

sudo ip netns exec asic3 iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  240.127.1.3          240.127.1.3
ACCEPT     all  --  240.127.1.1          240.127.1.3

Default NAT Table Rules  In Namespace

sudo ip netns exec asic0 iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0              0.0.0.0/0            tcp dpt:161 to:240.127.1.1
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:240.127.1.1

NAT  Rule after loading below acl.json

sudo ip netns exec asic0 iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  1.1.1.1              0.0.0.0/0            tcp dpt:161 to:240.127.1.1
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:240.127.1.1

{
    "acl": {
        "acl-sets": {
            "acl-set": {
                "SNMP-ACL": {
                    "acl-entries": {
                        "acl-entry": {
                            "1": {
                                "actions": {
                                    "config": {
                                        "forwarding-action": "ACCEPT"
                                    }
                                },
                                "config": {
                                    "sequence-id": 1
                                },
                                "ip": {
                                    "config": {
                                        "protocol": "IP_UDP",
                                        "source-ip-address": "1.1.1.1/32"
                                    }
                                }
                            }
                        }
                    },
                    "config": {
                        "name": "SNMP-ACL"
                    }
                }
            }
        }
    }

@abdosi
Added iptable rule for comminicating on docker bridge ip
5141b2e 
and also added ip6table rules.

Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
@abdosi abdosi requested a review from lguohan as a code owner February 11, 2021 01:41
@lguohan
Copy link
Collaborator

lguohan commented Feb 11, 2021

is the test expect to fail?

@abdosi
More enhancements
e593e50 
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
@abdosi
Copy link
Contributor Author

abdosi commented Feb 17, 2021
edited by judyjoseph
Loading

@judyjoseph please review again. This has changes to NAT rules also as we discussed offline.

Thanks @abdosi

@abdosi
Fix the KVM test failure.
ce2dfc3 
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
@abdosi
Copy link
Contributor Author

abdosi commented Feb 17, 2021

is the test expect to fail?

@lguohan yes it should not fail. Fixed it.

@abdosi
Updated for review comments
0900c82 
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
@abdosi
Address Review Comments
fef8420 
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
@abdosi
Fix
c4baa1d 
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
@abdosi
Copy link
Contributor Author

abdosi commented Feb 23, 2021

will move below change to separate PR. this change has dependency with sonic-mgmt test case failure. would need to disable the test case/make the change/enable test case again.

@abdosi
Fix test failure.
90c4178 
Signed-off-by: Abhishek Dosi <abdosi@microsoft.com>
@abdosi
Copy link
Contributor Author

abdosi commented Feb 24, 2021

@judyjoseph can you please review again.

@abdosi abdosi merged commit c66cbc1 into sonic-net:master Feb 25, 2021
@abdosi abdosi deleted the iptable branch February 25, 2021 17:39
abdosi added a commit that referenced this pull request Feb 26, 2021
@abdosi
[multi-asic] Enhanced iptable default rules (#6765)
1064cd5 
What I did:-

For multi-asic platforms added iptable v4 rule to communicate on docker bridge ip
For multi-asic platforms extend iptable v4 rule for iptable v6 also
For multi-asic program made all internal rules applicable for all protocols (not filter based on tcp/udp). This is done to be consistent same as local host rule
For multi-asic platforms made nat rule (to forward traffic from namespace to host) generic for all protocols and also use Source IP if present for matching
@abdosi abdosi mentioned this pull request Mar 2, 2021
Merged
abdosi added a commit to sonic-net/sonic-mgmt that referenced this pull request Mar 2, 2021
@abdosi
multi-asic support for test_cacl_application.py (#3070)
b38562a 
Enhanced test_cacl_application.py for multi-asic platforms. Also it adds new test case to cover all multi-asic specific changes
as done in PR's:-
sonic-net/sonic-buildimage#5022
sonic-net/sonic-buildimage#5420
sonic-net/sonic-buildimage#5364
sonic-net/sonic-buildimage#6765

Also fix some of API in common/devices.py and bug in config_facts
qiluo-msft pushed a commit that referenced this pull request May 24, 2021
@abdosi @qiluo-msft
[multi-asic] Enhanced iptable default rules (#6765)
82093fd 
What I did:-

For multi-asic platforms added iptable v4 rule to communicate on docker bridge ip
For multi-asic platforms extend iptable v4 rule for iptable v6 also
For multi-asic program made all internal rules applicable for all protocols (not filter based on tcp/udp). This is done to be consistent same as local host rule
For multi-asic platforms made nat rule (to forward traffic from namespace to host) generic for all protocols and also use Source IP if present for matching
carl-nokia pushed a commit to carl-nokia/sonic-buildimage that referenced this pull request Aug 7, 2021
@abdosi
[multi-asic] Enhanced iptable default rules (sonic-net#6765)
418ee32 
What I did:-

For multi-asic platforms added iptable v4 rule to communicate on docker bridge ip
For multi-asic platforms extend iptable v4 rule for iptable v6 also
For multi-asic program made all internal rules applicable for all protocols (not filter based on tcp/udp). This is done to be consistent same as local host rule
For multi-asic platforms made nat rule (to forward traffic from namespace to host) generic for all protocols and also use Source IP if present for matching
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@judyjoseph judyjoseph judyjoseph approved these changes

@lguohan lguohan Awaiting requested review from lguohan lguohan is a code owner

@SuvarnaMeenakshi SuvarnaMeenakshi Awaiting requested review from SuvarnaMeenakshi

@arlakshm arlakshm Awaiting requested review from arlakshm

Assignees
No one assigned
Labels
Included in 201911 Branch Included in 202012 Branch Multi-ASIC Request for 201911 Branch :shipit: Request for 202012 Branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@abdosi @lguohan @judyjoseph @qiluo-msft