caclmgrd: monitor state_db to update dhcp acl #8222
Conversation
ghost
requested a review
from 
|
missing unit test. |
|
|
||
| # Add iptables command to delete all non-default chains | ||
| iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -X") | ||
| # Add iptables command to flush the current rules and delete all non-default chains |
There was a problem hiding this comment.
what is this change for?, if caclmgrd restarts, can we flush as before?
There was a problem hiding this comment.
This is to shield DHCP related rule in separate chain list. When flushing, exclude DHCP chain and flush/delete all other chains other than built-in chains.
There was a problem hiding this comment.
yes, if caclmgrd restarts, we flush all.
| @@ -383,6 +463,10 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): | |||
| iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type router-solicitation -j ACCEPT") | |||
| iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT") | |||
|
|
|||
| # Add iptables commands to link the DCHP chain to block dhcp packets based on ingress interfaces | |||
| if self.DualToR: | |||
| iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -A INPUT -p udp --dport 67 -j DHCP") | |||
There was a problem hiding this comment.
Are the below rules required for dualtor? Also why not port 68?
There was a problem hiding this comment.
this is to direct matching into DHCP chain, dhcp discovers/requests use dport 67
|
|
||
| # Add iptables command to delete all non-default chains | ||
| iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -X") | ||
| # Add iptables command to flush the current rules and delete all non-default chains |
There was a problem hiding this comment.
This is to shield DHCP related rule in separate chain list. When flushing, exclude DHCP chain and flush/delete all other chains other than built-in chains.
| @@ -319,6 +327,77 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): | |||
| else: | |||
| return False | |||
|
|
|||
| def setup_dhcp_chain(self, namespace): | |||
| all_chains = self.get_chain_list(self.iptables_cmd_ns_prefix[namespace], [""]) | |||
| dhcp_chain_exist = 1 if "DHCP" in all_chains else 0 | |||
There was a problem hiding this comment.
what about using boolean?
dhcp_chain_exist = "DHCP" in all_chains
| @@ -84,6 +86,8 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): | |||
|
|
|||
| UPDATE_DELAY_SECS = 0.5 | |||
|
|
|||
| DualToR = 0 | |||
|
retest this please |
|
/Azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/Azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
| break | ||
| self.log_info("mux cable update : '%s'" % str((key, op, fvs))) | ||
| self.update_dhcp_acl(key, op, dict(fvs)) | ||
| continue |
There was a problem hiding this comment.
Can you confirm this flow is tested on a non-dualtor testbed?
There was a problem hiding this comment.
yes, i tested it with both subtype=dualtor and none on a vs testbed
|
Is unit test separate PR? or are you planning to add to this? |
Ok, I see this PR - #8359. You could have it in same PR, FYI |
|
/Azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
ghost
mentioned this pull request
caclmgrd: monitor mux_cable_table in state_db to update dhcp acl - if the state changes to 'standby', add acl to block dhcp packets based on ingress interfaces - if the state changes to 'active', delete acl - if the state changes to 'unknown', also delete acl to avoid potential disconnect - both addition and deletion follow checking the existence of the rules The change has been verified on a virtual switch based testbed. Port to 202012 branch from #8222
ghost
mentioned this pull request
caclmgrd: monitor mux_cable_table in state_db to update dhcp acl
The change has been verified on a virtual switch based testbed.