Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[multi-asic] Enhanced iptable default rules #6765

Merged
merged 7 commits into from
Feb 25, 2021
Merged

Conversation

abdosi
Copy link
Contributor

@abdosi abdosi commented Feb 11, 2021

What I did:-

  • For multi-asic platforms added iptable v4 rule to communicate on docker bridge ip
  • For multi-asic platforms extend iptable v4 rule for iptable v6 also
  • For multi-asic program made all internal rules applicable for all protocols (not filter based on tcp/udp). This is done to be consistent same as local host rule
  • For multi-asic platforms made nat rule (to forward traffic from namespace to host) generic for all protocols and also use Source IP if present for matching

Why I did:

  • We need iptable v4 rule to communicate on docker bridge ip since syslog on multi-asic platforms uses docker bridge ip and for
    host docker syslog is sent with both source and destination ip as docker bridge ip
  • iptable v6 rules are added as enhancement and to be symmetric as iptable v4 rules.
  • Nat rule changes were triggered because even SSH has same use case as SNMP ([Multi-Asic] Forward SNMP requests received on front panel interface to SNMP agent in host. #5420)
  • Need to qualify Source IP with NAT rules is needed since if we load explicit filter rule since we are doing NAT INPUT table will not be used and to make sure we only NAT the valid traffic.

How I verify:
Verified on single and multi-asic platforms

Default table  INPUT Rules on host for multi-asic platforms

sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  240.127.1.1          240.127.1.1
ACCEPT     all  --  240.127.1.6          240.127.1.1
ACCEPT     all  --  240.127.1.7          240.127.1.1
ACCEPT     all  --  240.127.1.4          240.127.1.1
ACCEPT     all  --  240.127.1.2          240.127.1.1
ACCEPT     all  --  240.127.1.3          240.127.1.1
ACCEPT     all  --  240.127.1.5          240.127.1.1

Default table  INPUT Rules  In Namespace

sudo ip netns exec asic3 iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  240.127.1.3          240.127.1.3
ACCEPT     all  --  240.127.1.1          240.127.1.3

Default NAT Table Rules  In Namespace

sudo ip netns exec asic0 iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0              0.0.0.0/0            tcp dpt:161 to:240.127.1.1
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:240.127.1.1

NAT  Rule after loading below acl.json

sudo ip netns exec asic0 iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  1.1.1.1              0.0.0.0/0            tcp dpt:161 to:240.127.1.1
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 to:240.127.1.1

{
    "acl": {
        "acl-sets": {
            "acl-set": {
                "SNMP-ACL": {
                    "acl-entries": {
                        "acl-entry": {
                            "1": {
                                "actions": {
                                    "config": {
                                        "forwarding-action": "ACCEPT"
                                    }
                                },
                                "config": {
                                    "sequence-id": 1
                                },
                                "ip": {
                                    "config": {
                                        "protocol": "IP_UDP",
                                        "source-ip-address": "1.1.1.1/32"
                                    }
                                }
                            }
                        }
                    },
                    "config": {
                        "name": "SNMP-ACL"
                    }
                }
            }
        }
    }

and also added ip6table rules.

Signed-off-by: Abhishek Dosi <[email protected]>
@lguohan
Copy link
Collaborator

lguohan commented Feb 11, 2021

is the test expect to fail?

Signed-off-by: Abhishek Dosi <[email protected]>
@abdosi
Copy link
Contributor Author

abdosi commented Feb 17, 2021

@judyjoseph please review again. This has changes to NAT rules also as we discussed offline.

Thanks @abdosi

Signed-off-by: Abhishek Dosi <[email protected]>
@abdosi
Copy link
Contributor Author

abdosi commented Feb 17, 2021

is the test expect to fail?

@lguohan yes it should not fail. Fixed it.

Signed-off-by: Abhishek Dosi <[email protected]>
Signed-off-by: Abhishek Dosi <[email protected]>
Signed-off-by: Abhishek Dosi <[email protected]>
@abdosi
Copy link
Contributor Author

abdosi commented Feb 23, 2021

will move below change to separate PR. this change has dependency with sonic-mgmt test case failure. would need to disable the test case/make the change/enable test case again.

Signed-off-by: Abhishek Dosi <[email protected]>
@abdosi
Copy link
Contributor Author

abdosi commented Feb 24, 2021

@judyjoseph can you please review again.

@abdosi abdosi merged commit c66cbc1 into sonic-net:master Feb 25, 2021
@abdosi abdosi deleted the iptable branch February 25, 2021 17:39
abdosi added a commit that referenced this pull request Feb 26, 2021
What I did:-

For multi-asic platforms added iptable v4 rule to communicate on docker bridge ip
For multi-asic platforms extend iptable v4 rule for iptable v6 also
For multi-asic program made all internal rules applicable for all protocols (not filter based on tcp/udp). This is done to be consistent same as local host rule
For multi-asic platforms made nat rule (to forward traffic from namespace to host) generic for all protocols and also use Source IP if present for matching
abdosi added a commit to sonic-net/sonic-mgmt that referenced this pull request Mar 2, 2021
Enhanced test_cacl_application.py for multi-asic platforms. Also it adds new test case to cover all multi-asic specific changes
as done in PR's:-
sonic-net/sonic-buildimage#5022
sonic-net/sonic-buildimage#5420
sonic-net/sonic-buildimage#5364
sonic-net/sonic-buildimage#6765

Also fix some of API in common/devices.py and bug in config_facts
qiluo-msft pushed a commit that referenced this pull request May 24, 2021
What I did:-

For multi-asic platforms added iptable v4 rule to communicate on docker bridge ip
For multi-asic platforms extend iptable v4 rule for iptable v6 also
For multi-asic program made all internal rules applicable for all protocols (not filter based on tcp/udp). This is done to be consistent same as local host rule
For multi-asic platforms made nat rule (to forward traffic from namespace to host) generic for all protocols and also use Source IP if present for matching
carl-nokia pushed a commit to carl-nokia/sonic-buildimage that referenced this pull request Aug 7, 2021
What I did:-

For multi-asic platforms added iptable v4 rule to communicate on docker bridge ip
For multi-asic platforms extend iptable v4 rule for iptable v6 also
For multi-asic program made all internal rules applicable for all protocols (not filter based on tcp/udp). This is done to be consistent same as local host rule
For multi-asic platforms made nat rule (to forward traffic from namespace to host) generic for all protocols and also use Source IP if present for matching
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants