SwSS Changes for DHCP DoS Mitigation Feature

cfgmgr/portmgr.cpp

@@ -7,6 +7,7 @@
 #include "exec.h"
 #include "shellcmd.h"
 #include <swss/redisutility.h>
+#include <iostream>
 
 using namespace std;
 using namespace swss;
@@ -76,6 +77,51 @@ bool PortMgr::setPortAdminStatus(const string &alias, const bool up)
     return true;
 }
 
+bool PortMgr::setPortDHCPMitigationRate(const string &alias, const string &dhcp_rate_limit)
+{
+    stringstream cmd;
+    string res, cmd_str;
+    int ret;
+    int byte_rate = stoi(dhcp_rate_limit) * DHCP_PACKET_SIZE;
+
+    if (dhcp_rate_limit != "0")
+    {
+        /* tc qdisc add dev <port_name> handle ffff: ingress
+        &&
+        tc filter add dev <port_name> protocol ip parent ffff: prio 1 u32 match ip protocol 17 0xff match ip dport 67 0xffff police rate <byte_rate>bps burst <byte_rate>b conform-exceed drop*/
+        cmd << TC_CMD << " qdisc add dev " << shellquote(alias) << " handle ffff: ingress" << " && " \
+            << TC_CMD << " filter add dev " << shellquote(alias) << " protocol ip parent ffff: prio 1 u32 match ip protocol 17 0xff match ip dport 67 0xffff police rate " << to_string(byte_rate) << "bps burst " << to_string(byte_rate) << "b conform-exceed drop";
+        cmd_str = cmd.str();
+        ret = swss::exec(cmd_str, res);
+        if (!ret)
+        {
+            SWSS_LOG_INFO("writing dhcp_rate_limit to appl_db");
+            return writeConfigToAppDb(alias, "dhcp_rate_limit", dhcp_rate_limit);
+        }
+        else if (!isPortStateOk(alias))
+        {
+            // Can happen when a DEL notification is sent by portmgrd immediately followed by a new SET notif
+            SWSS_LOG_WARN("Setting dhcp_rate_limit to alias:%s netdev failed with cmd:%s, rc:%d, error:%s", alias.c_str(), cmd_str.c_str(), ret, res.c_str());
+            return false;
+        }
+    }
+    else
+    {
+        // tc qdisc del dev <port_name> handle ffff: ingress
+        cmd << TC_CMD << " qdisc del dev " << shellquote(alias) << " handle ffff: ingress";
+        cmd_str = cmd.str();
+        ret = swss::exec(cmd_str, res);
+        if (ret)
+        {
+            // Log the failure and return false to indicate an issue
+            SWSS_LOG_WARN("Failed to delete ingress qdisc ");
+            return false;
+        }
+    }
+
+    return true;
+}
+
 bool PortMgr::isPortStateOk(const string &alias)
 {
     vector<FieldValueTuple> temp;
@@ -155,19 +201,19 @@ void PortMgr::doTask(Consumer &consumer)
              */
             bool portOk = isPortStateOk(alias);
 
-            string admin_status, mtu;
+            string admin_status, mtu, dhcp_rate_limit;
             std::vector<FieldValueTuple> field_values;
 
             bool configured = (m_portList.find(alias) != m_portList.end());
 
             /* If this is the first time we set port settings
-             * assign default admin status and mtu
+             * assign default admin status and mtu and dhcp_rate_limit
              */
             if (!configured)
             {
                 admin_status = DEFAULT_ADMIN_STATUS_STR;
                 mtu = DEFAULT_MTU_STR;
-
+                dhcp_rate_limit = DEFAULT_DHCP_RATE_LIMIT_STR;
                 m_portList.insert(alias);
             }
             else if (!portOk)
@@ -182,6 +228,11 @@ void PortMgr::doTask(Consumer &consumer)
                 {
                     mtu = fvValue(i);
                 }
+                else if (fvField(i) == "dhcp_rate_limit")
+                {
+                    dhcp_rate_limit = fvValue(i);
+
+                }
                 else if (fvField(i) == "admin_status")
                 {
                     admin_status = fvValue(i);
@@ -205,30 +256,37 @@ void PortMgr::doTask(Consumer &consumer)
             {
                 writeConfigToAppDb(alias, field_values);
             }
-
             if (!portOk)
             {
                 SWSS_LOG_INFO("Port %s is not ready, pending...", alias.c_str());
+                writeConfigToAppDb(alias, "mtu", mtu);
+                writeConfigToAppDb(alias, "admin_status", admin_status);
+                writeConfigToAppDb(alias, "dhcp_rate_limit", dhcp_rate_limit);
 
                 /* Retry setting these params after the netdev is created */
                 field_values.clear();
                 field_values.emplace_back("mtu", mtu);
                 field_values.emplace_back("admin_status", admin_status);
+                field_values.emplace_back("dhcp_rate_limit", dhcp_rate_limit);
+
                 it->second = KeyOpFieldsValuesTuple{alias, SET_COMMAND, field_values};
                 it++;
                 continue;
             }
-
             if (!mtu.empty())
             {
                 setPortMtu(alias, mtu);
                 SWSS_LOG_NOTICE("Configure %s MTU to %s", alias.c_str(), mtu.c_str());
             }
-
             if (!admin_status.empty())
             {
                 setPortAdminStatus(alias, admin_status == "up");
                 SWSS_LOG_NOTICE("Configure %s admin status to %s", alias.c_str(), admin_status.c_str());
+            }            
+            if (!dhcp_rate_limit.empty())
+            {
+                setPortDHCPMitigationRate(alias, dhcp_rate_limit);
+                SWSS_LOG_NOTICE("Configure %s DHCP rate limit to %s", alias.c_str(), dhcp_rate_limit.c_str());
             }
         }
         else if (op == DEL_COMMAND)
@@ -256,4 +314,4 @@ bool PortMgr::writeConfigToAppDb(const std::string &alias, std::vector<FieldValu
 {
     m_appPortTable.set(alias, field_values);
     return true;
-}
+}

cfgmgr/portmgr.h

@@ -13,6 +13,8 @@ namespace swss {
 /* Port default admin status is down */
 #define DEFAULT_ADMIN_STATUS_STR    "down"
 #define DEFAULT_MTU_STR             "9100"
+#define DEFAULT_DHCP_RATE_LIMIT_STR "300"
+#define DHCP_PACKET_SIZE 406
 
 class PortMgr : public Orch
 {
@@ -36,7 +38,7 @@ class PortMgr : public Orch
     bool writeConfigToAppDb(const std::string &alias, std::vector<FieldValueTuple> &field_values);
     bool setPortMtu(const std::string &alias, const std::string &mtu);
     bool setPortAdminStatus(const std::string &alias, const bool up);
+    bool setPortDHCPMitigationRate(const std::string &alias, const std::string &dhcp_rate_limit);
     bool isPortStateOk(const std::string &alias);
 };
-
-}
+}

cfgmgr/portmgrd.cpp

@@ -35,18 +35,15 @@ int main(int argc, char **argv)
 
         PortMgr portmgr(&cfgDb, &appDb, &stateDb, cfg_port_tables);
         vector<Orch *> cfgOrchList = {&portmgr};
-
         swss::Select s;
         for (Orch *o : cfgOrchList)
         {
             s.addSelectables(o->getSelectables());
         }
-
         while (true)
         {
             Selectable *sel;
             int ret;
-
             ret = s.select(&sel, SELECT_TIMEOUT);
             if (ret == Select::ERROR)
             {
@@ -68,4 +65,4 @@ int main(int argc, char **argv)
         SWSS_LOG_ERROR("Runtime error: %s", e.what());
     }
     return -1;
-}
+}

cfgmgr/shellcmd.h

@@ -14,6 +14,7 @@
 #define TEAMDCTL_CMD         "/usr/bin/teamdctl"
 #define IPTABLES_CMD         "/sbin/iptables"
 #define CONNTRACK_CMD        "/usr/sbin/conntrack"
+#define TC_CMD               "/sbin/tc"
 
 #define EXEC_WITH_ERROR_THROW(cmd, res)   ({    \
     int ret = swss::exec(cmd, res);             \
@@ -29,4 +30,4 @@ static inline std::string shellquote(const std::string& str)
     return "\"" + std::regex_replace(str, re, "\\$1") + "\"";
 }
 
-#endif /* __SHELLCMD__ */
+#endif /* __SHELLCMD__ */

orchagent/port.h

@@ -24,6 +24,7 @@ extern "C" {
  * hence setting to 1492 (1514 - 22)
  */
 #define DEFAULT_MTU             1492
+#define DEFAULT_DHCP_RATE_LIMIT 300
 
 /*
  * Default TPID is 8100
@@ -169,6 +170,7 @@ class Port
     Type                m_type = UNKNOWN;
     uint16_t            m_index = 0;    // PHY_PORT: index
     uint32_t            m_mtu = DEFAULT_MTU;
+    uint32_t            m_dhcp_rate_limit = DEFAULT_DHCP_RATE_LIMIT;
     uint32_t            m_speed = 0;    // Mbps
     port_learn_mode_t   m_learn_mode = SAI_BRIDGE_PORT_FDB_LEARNING_MODE_HW;
     bool                m_autoneg = false;
@@ -272,4 +274,4 @@ class Port
 
 }
 
-#endif /* SWSS_PORT_H */
+#endif /* SWSS_PORT_H */

orchagent/port/portcnt.h

@@ -78,6 +78,11 @@ class PortConfig final
         bool is_set = false;
     } mtu; // Port MTU
 
+    struct {
+        std::uint32_t value;
+        bool is_set = false;
+    } dhcp_rate_limit; // Port dhcp_rate_limit
+
     struct {
         std::uint16_t value;
         bool is_set = false;

orchagent/port/porthlpr.cpp

@@ -1270,9 +1270,7 @@ bool PortHelper::validatePortConfig(PortConfig &port) const
 
         port.admin_status.value = false;
         port.admin_status.is_set = true;
-
         port.fieldValueMap[PORT_ADMIN_STATUS] = PORT_STATUS_DOWN;
     }
-
     return true;
-}
+}

orchagent/port/portschema.h

@@ -101,4 +101,5 @@
 #define PORT_SUPPRESS_THRESHOLD    "suppress_threshold"
 #define PORT_REUSE_THRESHOLD       "reuse_threshold"
 #define PORT_FLAP_PENALTY          "flap_penalty"
-#define PORT_MODE                  "mode"
+#define PORT_DHCP_RATE_LIMIT       "dhcp_rate_limit"
+#define PORT_MODE                  "mode"

orchagent/portsorch.cpp

@@ -18,7 +18,6 @@
 #include <tuple>
 #include <sstream>
 #include <unordered_set>
-
 #include <netinet/if_ether.h>
 #include "net/if.h"
 

tests/conftest.py

@@ -138,7 +138,7 @@ def _verify_db_contents():
             return (True, None)
 
         # Verify that ASIC DB has been fully initialized
-        init_polling_config = PollingConfig(2, 30, strict=True)
+        init_polling_config = PollingConfig(2, 40, strict=True)
         wait_for_result(_verify_db_contents, init_polling_config)
 
     def _generate_oid_to_interface_mapping(self) -> None:
@@ -1152,6 +1152,13 @@ def set_mtu(self, interface, mtu):
         tbl.set(interface, fvs)
         time.sleep(1)
 
+    def set_dhcp_rate_limit(self, interface, dhcp_rate_limit):
+        tbl_name = "PORT"
+        tbl = swsscommon.Table(self.cdb, tbl_name)
+        fvs = swsscommon.FieldValuePairs([("dhcp_rate_limit", dhcp_rate_limit)])
+        tbl.set(interface, fvs)
+        time.sleep(20)
+
     # deps: acl, mirror_port_erspan
     def add_neighbor(self, interface, ip, mac):
         tbl = swsscommon.ProducerStateTable(self.pdb, "NEIGH_TABLE")
@@ -1701,12 +1708,10 @@ def get_topo_neigh(self):
     def handle_neighconn(self):
         if self.oper != "create":
             return
-
         instance_to_neighbor_map = self.get_topo_neigh()
         for ctnname, nbraddrs in instance_to_neighbor_map.items():
             if ctnname not in self.dvss:
                 continue
-
             for server, neighbor_address in nbraddrs:
                 self.dvss[ctnname].servers[server].runcmd("ifconfig eth0 down")
                 self.dvss[ctnname].servers[server].runcmd("ifconfig eth0 up")
@@ -1863,6 +1868,7 @@ def update_dvs(log_path, new_dvs_env=[]):
             dvs.destroy_servers()
             dvs.create_servers()
             dvs.restart()
+            time.sleep(60)
 
         return dvs
 
@@ -1878,6 +1884,7 @@ def update_dvs(log_path, new_dvs_env=[]):
     if dvs.persistent:
         dvs.runcmd("mv /etc/sonic/config_db.json.orig /etc/sonic/config_db.json")
         dvs.ctn_restart()
+        time.sleep(60)
 
 @pytest.fixture(scope="module")
 def dvs(request, manage_dvs) -> DockerVirtualSwitch:
@@ -2038,4 +2045,4 @@ def dpb_setup_fixture(dvs):
     else:
         dvs.vct.restart()
     yield
-    remove_dpb_config_file(dvs)
+    remove_dpb_config_file(dvs)

tests/dvslib/dvs_common.py

@@ -52,11 +52,9 @@ def wait_for_result(
 
         if status:
             return (True, result)
-
         time.sleep(polling_config.polling_interval)
 
     if polling_config.strict:
         message = failure_message or f"Operation timed out after {polling_config.timeout} seconds with result {result}"
         assert False, message
-
-    return (False, result)
+    return (False, result)

tests/dvslib/dvs_database.py

@@ -155,14 +155,11 @@ def wait_for_entry(
         Returns:
             The entry stored at `key`. If no entry is found, then an empty Dict is returned.
         """
-
         def access_function():
             fv_pairs = self.get_entry(table_name, key)
             return (bool(fv_pairs), fv_pairs)
-
         message = failure_message or f'Entry not found: key="{key}", table="{table_name}"'
-        _, result = wait_for_result(access_function, polling_config, message)
-
+        _, result = wait_for_result(access_function, polling_config, message)        
         return result
 
     def wait_for_fields(
@@ -242,7 +239,6 @@ def access_function():
         status, result = wait_for_result(
             access_function, self._disable_strict_polling(polling_config)
         )
-
         if not status:
             message = failure_message or (
                 f"Expected field/value pairs not found: expected={expected_fields}, "