From acb30c041c4b6c971129b7ea207ac8dd78a57daa Mon Sep 17 00:00:00 2001 From: Judy Joseph Date: Mon, 21 Sep 2020 11:46:16 -0700 Subject: [PATCH 1/9] [Multi-Asic] Forward SNMP requests destined to loopback IP, and coming in through the front panel interface present in the network namespace, to SNMP agent running in the linux host. --- files/build_templates/docker_image_ctl.j2 | 2 + files/image_config/caclmgrd/caclmgrd | 55 +++++++++++++++++++++++ 2 files changed, 57 insertions(+) diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2 index 182f7008cc87..0eba4e83ecd0 100644 --- a/files/build_templates/docker_image_ctl.j2 +++ b/files/build_templates/docker_image_ctl.j2 @@ -92,6 +92,8 @@ function postStartAction() {%- if docker_container_name == "database" %} if [ "$DEV" ]; then docker exec -i database$DEV sysctl --system -e + # Enable the forwarding on eth0 interface in namespace. + docker exec -i database$DEV sysctl net.ipv4.conf.eth0.forwarding=1 net.ipv6.conf.eth0.forwarding=1 link_namespace $DEV fi diff --git a/files/image_config/caclmgrd/caclmgrd b/files/image_config/caclmgrd/caclmgrd index ed6064b9696f..1622cb2d4cbb 100755 --- a/files/image_config/caclmgrd/caclmgrd +++ b/files/image_config/caclmgrd/caclmgrd @@ -81,7 +81,9 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): self.config_db_map[''].connect() self.iptables_cmd_ns_prefix[''] = "" self.namespace_mgmt_ip = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[''], '') + self.namespace_mgmt_ipv6 = self.get_namespace_mgmt_ipv6(self.iptables_cmd_ns_prefix[''], '') self.namespace_docker_mgmt_ip = {} + self.namespace_docker_mgmt_ipv6 = {} namespaces = device_info.get_all_namespaces() for front_asic_namespace in namespaces['front_ns']: self.config_db_map[front_asic_namespace] = ConfigDBConnector(use_unix_socket_path=True, namespace=front_asic_namespace) 
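Review bot: Enabling `net.ipv4.conf.eth0.forwarding` and `net.ipv6.conf.eth0.forwarding` inside the namespace turns it into a router between eth0 (the host docker bridge side) and the front-panel ports for every packet the kernel accepts, yet nothing in this series installs a FORWARD-chain policy to confine that to the SNMP flow the NAT rules translate. Whether the namespace already carries FORWARD rules is not visible here, but as written any packet that reaches the namespace kernel with a forwardable destination on either side can be relayed. Assuming nothing else relies on kernel forwarding through this namespace, I would pair the sysctl with explicit rules in the same postStartAction (or in caclmgrd): `iptables -A FORWARD -p udp --dport 161 -j ACCEPT`, `iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, `iptables -P FORWARD DROP`, plus the ip6tables twins. At minimum the comment should say which FORWARD policy the namespace is expected to run with, so the next maintainer knows forwarding is meant to carry only the DNATed SNMP flow.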
@@ -89,11 +91,15 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): self.iptables_cmd_ns_prefix[front_asic_namespace] = "ip netns exec " + front_asic_namespace + " " self.namespace_docker_mgmt_ip[front_asic_namespace] = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[front_asic_namespace], front_asic_namespace) + self.namespace_docker_mgmt_ipv6[front_asic_namespace] = self.get_namespace_mgmt_ipv6(self.iptables_cmd_ns_prefix[front_asic_namespace], + front_asic_namespace) for back_asic_namespace in namespaces['back_ns']: self.iptables_cmd_ns_prefix[back_asic_namespace] = "ip netns exec " + back_asic_namespace + " " self.namespace_docker_mgmt_ip[back_asic_namespace] = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[back_asic_namespace], back_asic_namespace) + self.namespace_docker_mgmt_ipv6[back_asic_namespace] = self.get_namespace_mgmt_ipv6(self.iptables_cmd_ns_prefix[back_asic_namespace], + back_asic_namespace) def get_namespace_mgmt_ip(self, iptable_ns_cmd_prefix, namespace): ip_address_get_command = iptable_ns_cmd_prefix + "ip -4 -o addr show " + ("eth0" if namespace else "docker0") +\ @@ -101,6 +107,11 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): return self.run_commands([ip_address_get_command]) + def get_namespace_mgmt_ipv6(self, iptable_ns_cmd_prefix, namespace): + ipv6_address_get_command = iptable_ns_cmd_prefix + "ip -6 -o addr show " + ("eth0" if namespace else "docker0") +\ + " | awk '{print $4}' | cut -d'/' -f1 | head -1" + return self.run_commands([ipv6_address_get_command]) + def run_commands(self, commands): """ Given a list of shell commands, run them in order 
@@ -202,6 +213,36 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): (docker_mgmt_ip, self.namespace_mgmt_ip)) return allow_internal_docker_ip_cmds + def generate_translate_front_panel_snmp_traffic_commands(self, namespace): + """ + The below SNAT and DNAT rules are added in asic namespace in multi-ASIC platforms. It helps to forward the SNMP request coming + in through the front panel interfaces present in namespace to the SNMP Agent running in the linux host. The external IP address are + NATed to the internal docker IP address for the SNMP agent running in linux host to respond. + """ + translate_front_panel_snmp_cmds = [] + + if namespace: + # IPv4 rules + translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -t nat -X") + translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -t nat -F") + + # For namespace docker allow all tcp/udp traffic from host docker bridge to its eth0 management ip + translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + "iptables -t nat -A PREROUTING -p udp --dport 161 -j DNAT --to-destination {}".format(self.namespace_mgmt_ip)) + translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + "iptables -t nat -A POSTROUTING -p udp --dport 161 -j SNAT --to-source {}".format(self.namespace_docker_mgmt_ip[namespace])) + + # IPv6 rules + translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -X") + translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -F") + + translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + "ip6tables -t nat -A PREROUTING -p udp --dport 161 -j DNAT --to-destination {}".format(self.namespace_mgmt_ipv6)) + translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + "ip6tables -t nat -A POSTROUTING -p udp --dport 161 -j SNAT --to-source 
{}".format(self.namespace_docker_mgmt_ipv6[namespace])) + + return translate_front_panel_snmp_cmds + def is_rule_ipv4(self, rule_props): if (("SRC_IP" in rule_props and rule_props["SRC_IP"]) or ("DST_IP" in rule_props and rule_props["DST_IP"])): @@ -429,6 +470,19 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): self.run_commands(iptables_cmds) + def update_control_plane_nat_acls(self, namespace): + """ + Convenience wrapper which programs the NAT rules for allowing the + snmp traffic coming on the front panel interface + """ + # Add iptables commands to allow front panel snmp traffic + iptables_cmds = self.generate_translate_front_panel_snmp_traffic_commands(namespace) + log_info("Issuing the following iptables commands:") + for cmd in iptables_cmds: + log_info(" " + cmd) + + self.run_commands(iptables_cmds) + def run(self): # Select Time-out for 10 Seconds SELECT_TIMEOUT_MS = 1000 * 10 @@ -453,6 +507,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): for namespace in self.config_db_map.keys(): # Unconditionally update control plane ACLs once at start on given namespace self.update_control_plane_acls(namespace) + self.update_control_plane_nat_acls(namespace) # Connect to Config DB of given namespace acl_db_connector = swsscommon.DBConnector("CONFIG_DB", 0, False, namespace) # Subscribe to notifications when ACL tables changes From 1cea713f23cf238827ddfac11a2cd17b0d23944f Mon Sep 17 00:00:00 2001 From: Judy Joseph Date: Mon, 21 Sep 2020 15:47:34 -0700 Subject: [PATCH 2/9] Updates based on comments --- files/image_config/caclmgrd/caclmgrd | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/files/image_config/caclmgrd/caclmgrd b/files/image_config/caclmgrd/caclmgrd index 1622cb2d4cbb..e3f3de110063 100755 --- a/files/image_config/caclmgrd/caclmgrd +++ b/files/image_config/caclmgrd/caclmgrd 
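Review bot: The `POSTROUTING ... -j SNAT --to-source` rule rewrites every forwarded SNMP request so the host sees it coming from the namespace's eth0 address, and because the DNAT happens in PREROUTING the packet then takes the namespace's FORWARD path rather than INPUT. If the per-namespace control-plane ACLs that `update_control_plane_acls(namespace)` installs sit in the INPUT chain (not visible here), a front-panel SNMP client is never matched against them, and on the host any SRC_IP-based SNMP ACL sees only the docker management IP, which the `allow_internal_docker_ip` rules in this file admit — so source-address restrictions on SNMP are effectively bypassed for front-panel traffic on multi-ASIC systems. Unless the SNAT is needed because the host has no route back to the front-panel prefixes, I would drop it and route replies back through the namespace instead; if it must stay, the SNMP SRC_IP ACLs need to be enforced in the namespace before the DNAT takes effect, and the docstring should state that the host-side ACL only ever sees the docker IP for these requests. Separately, the IPv6 commands are emitted unconditionally, so an empty `self.namespace_mgmt_ipv6` or `self.namespace_docker_mgmt_ipv6[namespace]` yields a malformed `ip6tables` invocation; guard the IPv6 block with `if self.namespace_mgmt_ipv6 and self.namespace_docker_mgmt_ipv6[namespace]:`.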
@@ -108,7 +108,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): return self.run_commands([ip_address_get_command]) def get_namespace_mgmt_ipv6(self, iptable_ns_cmd_prefix, namespace): - ipv6_address_get_command = iptable_ns_cmd_prefix + "ip -6 -o addr show " + ("eth0" if namespace else "docker0") +\ + ipv6_address_get_command = iptable_ns_cmd_prefix + "ip -6 -o addr show scope global " + ("eth0" if namespace else "docker0") +\ " | awk '{print $4}' | cut -d'/' -f1 | head -1" return self.run_commands([ipv6_address_get_command]) 
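Review bot: With `scope global` the pipeline prints nothing when `docker0` or the namespace `eth0` carries no global-scope IPv6 address, so the method returns whatever `run_commands` yields for empty output (presumably an empty string), and the callers elsewhere in this file interpolate that straight into `ip6tables ... --to-destination {}` / `--to-source {}`, which cannot parse. `head -1` on an interface with several global addresses also picks whichever the kernel lists first, which is not necessarily the one the host SNMP agent listens on. I would document both in a docstring — `"""Return the first global-scope IPv6 address on eth0 (namespace) or docker0 (host); empty when none is configured, so callers must skip the IPv6 NAT rules in that case."""` — and have the NAT generator (outside this hunk) test the value before emitting the `ip6tables` commands.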
@@ -213,35 +213,35 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): (docker_mgmt_ip, self.namespace_mgmt_ip)) return allow_internal_docker_ip_cmds - def generate_translate_front_panel_snmp_traffic_commands(self, namespace): + def generate_fwd_snmp_traffic_from_namespace_to_host_commands(self, namespace): """ The below SNAT and DNAT rules are added in asic namespace in multi-ASIC platforms. It helps to forward the SNMP request coming in through the front panel interfaces present in namespace to the SNMP Agent running in the linux host. The external IP address are NATed to the internal docker IP address for the SNMP agent running in linux host to respond. """ - translate_front_panel_snmp_cmds = [] + fwd_snmp_traffic_from_namespace_to_host_cmds = [] if namespace: # IPv4 rules - translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -t nat -X") - translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -t nat -F") + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -t nat -X") + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -t nat -F") # For namespace docker allow all tcp/udp traffic from host docker bridge to its eth0 management ip - translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -t nat -A PREROUTING -p udp --dport 161 -j DNAT --to-destination {}".format(self.namespace_mgmt_ip)) - translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -t nat -A POSTROUTING -p udp --dport 161 -j SNAT --to-source {}".format(self.namespace_docker_mgmt_ip[namespace])) # IPv6 rules - 
translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -X") - translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -F") + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -X") + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -F") - translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -A PREROUTING -p udp --dport 161 -j DNAT --to-destination {}".format(self.namespace_mgmt_ipv6)) - translate_front_panel_snmp_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -A POSTROUTING -p udp --dport 161 -j SNAT --to-source {}".format(self.namespace_docker_mgmt_ipv6[namespace])) - return translate_front_panel_snmp_cmds + return fwd_snmp_traffic_from_namespace_to_host_cmds def is_rule_ipv4(self, rule_props): if (("SRC_IP" in rule_props and rule_props["SRC_IP"]) or @@ -476,7 +476,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): snmp traffic coming on the front panel interface """ # Add iptables commands to allow front panel snmp traffic - iptables_cmds = self.generate_translate_front_panel_snmp_traffic_commands(namespace) + iptables_cmds = self.generate_fwd_snmp_traffic_from_namespace_to_host_commands(namespace) log_info("Issuing the following iptables commands:") for cmd in iptables_cmds: log_info(" " + cmd) From 1ee5a2c58b9dfcbcc8db2b6ace485e097f68b627 Mon Sep 17 00:00:00 2001 
From: Judy Joseph Date: Tue, 22 Sep 2020 20:16:17 -0700 Subject: [PATCH 3/9] Further updates in docker_image_ctl.j2 and caclmgrd --- files/build_templates/docker_image_ctl.j2 | 6 ++++-- files/image_config/caclmgrd/caclmgrd | 12 ++++++++---- 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2 index 0eba4e83ecd0..be6b1bbf67b5 100644 --- a/files/build_templates/docker_image_ctl.j2 +++ b/files/build_templates/docker_image_ctl.j2 @@ -91,9 +91,11 @@ function postStartAction() { {%- if docker_container_name == "database" %} if [ "$DEV" ]; then - docker exec -i database$DEV sysctl --system -e # Enable the forwarding on eth0 interface in namespace. - docker exec -i database$DEV sysctl net.ipv4.conf.eth0.forwarding=1 net.ipv6.conf.eth0.forwarding=1 + SYSCTL_CONF="/etc/sysctl.d/sysctl-net.conf" + docker exec -i database$DEV sed -i -e "s/^net.ipv4.conf.eth0.forwarding=0/net.ipv4.conf.eth0.forwarding=1/; + s/^net.ipv6.conf.eth0.forwarding=0/net.ipv6.conf.eth0.forwarding=1/" $SYSCTL_CONF + docker exec -i database$DEV sysctl --system -e link_namespace $DEV fi diff --git a/files/image_config/caclmgrd/caclmgrd b/files/image_config/caclmgrd/caclmgrd index e3f3de110063..f2c9f36aa77a 100755 --- a/files/image_config/caclmgrd/caclmgrd +++ b/files/image_config/caclmgrd/caclmgrd 
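Review bot: The `sed` substitution only fires when `sysctl-net.conf` already holds the exact line `net.ipv4.conf.eth0.forwarding=0` (and its IPv6 twin); if a key is absent, commented out, or written as `key = value`, nothing is rewritten and `sysctl --system -e` leaves forwarding off without any error, so the SNMP NAT path silently stops working. Since both settings are required for the feature, I would verify them after `sysctl --system`, e.g. `docker exec -i database$DEV sysctl -n net.ipv4.conf.eth0.forwarding net.ipv6.conf.eth0.forwarding | grep -qv '^1$' && echo "database$DEV: eth0 forwarding not enabled" >&2`, or append the two lines instead of relying on an in-place rewrite. A short comment stating that the shipped `sysctl-net.conf` is expected to contain these keys set to 0 would also explain why a plain `sysctl -w` was not used.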
@@ -228,18 +228,22 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): # For namespace docker allow all tcp/udp traffic from host docker bridge to its eth0 management ip fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + - "iptables -t nat -A PREROUTING -p udp --dport 161 -j DNAT --to-destination {}".format(self.namespace_mgmt_ip)) + "iptables -t nat -A PREROUTING -p udp --dport {} -j DNAT --to-destination {}".format + (self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_mgmt_ip)) fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + - "iptables -t nat -A POSTROUTING -p udp --dport 161 -j SNAT --to-source {}".format(self.namespace_docker_mgmt_ip[namespace])) + "iptables -t nat -A POSTROUTING -p udp --dport {} -j SNAT --to-source {}".format + (self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_docker_mgmt_ip[namespace])) # IPv6 rules fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -X") fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -F") fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + - "ip6tables -t nat -A PREROUTING -p udp --dport 161 -j DNAT --to-destination {}".format(self.namespace_mgmt_ipv6)) + "ip6tables -t nat -A PREROUTING -p udp --dport {} -j DNAT --to-destination {}".format + (self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_mgmt_ipv6)) fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + - "ip6tables -t nat -A POSTROUTING -p udp --dport 161 -j SNAT --to-source {}".format(self.namespace_docker_mgmt_ipv6[namespace])) + "ip6tables -t nat -A POSTROUTING -p udp --dport {} -j SNAT --to-source {}".format + (self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_docker_mgmt_ipv6[namespace])) return fwd_snmp_traffic_from_namespace_to_host_cmds 
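Review bot: Only `self.ACL_SERVICES['SNMP']['dst_ports'][0]` is forwarded, so if that table ever lists more than one SNMP port (the list shape suggests it can; the table itself is outside this hunk), requests to the other ports arriving on a front-panel interface are still dropped in the namespace while the host-side ACL for the same service admits them. The protocol is likewise hard-coded to `-p udp` regardless of what the table says. If the intent is UDP/161 only, a comment such as `# Only the first SNMP port is forwarded; NAT is UDP-only by design` would stop someone extending `dst_ports` from expecting the NAT to follow; otherwise iterate with `for port in self.ACL_SERVICES['SNMP']['dst_ports']:` around the four rule appends.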
From b3759fdbd04886d63d0f6c03f4200da8a0a77562 Mon Sep 17 00:00:00 2001 From: Judy Joseph Date: Tue, 22 Sep 2020 20:22:31 -0700 Subject: [PATCH 4/9] Change the variable for net config file. --- files/build_templates/docker_image_ctl.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2 index be6b1bbf67b5..71decb3fa906 100644 --- a/files/build_templates/docker_image_ctl.j2 +++ b/files/build_templates/docker_image_ctl.j2 @@ -92,9 +92,9 @@ function postStartAction() {%- if docker_container_name == "database" %} if [ "$DEV" ]; then # Enable the forwarding on eth0 interface in namespace. - SYSCTL_CONF="/etc/sysctl.d/sysctl-net.conf" + SYSCTL_NET_CONFIG="/etc/sysctl.d/sysctl-net.conf" docker exec -i database$DEV sed -i -e "s/^net.ipv4.conf.eth0.forwarding=0/net.ipv4.conf.eth0.forwarding=1/; - s/^net.ipv6.conf.eth0.forwarding=0/net.ipv6.conf.eth0.forwarding=1/" $SYSCTL_CONF + s/^net.ipv6.conf.eth0.forwarding=0/net.ipv6.conf.eth0.forwarding=1/" $SYSCTL_NET_CONFIG docker exec -i database$DEV sysctl --system -e link_namespace $DEV fi From 847127d9ee33b26d6f6178ef0f530b1add2ad236 Mon Sep 17 00:00:00 2001 From: Judy Joseph Date: Wed, 23 Sep 2020 12:44:01 -0700 Subject: [PATCH 5/9] Updated the comments in the code. --- files/image_config/caclmgrd/caclmgrd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/files/image_config/caclmgrd/caclmgrd b/files/image_config/caclmgrd/caclmgrd index f2c9f36aa77a..c1c0932661ea 100755 --- a/files/image_config/caclmgrd/caclmgrd +++ b/files/image_config/caclmgrd/caclmgrd 
@@ -216,8 +216,8 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): def generate_fwd_snmp_traffic_from_namespace_to_host_commands(self, namespace): """ The below SNAT and DNAT rules are added in asic namespace in multi-ASIC platforms. It helps to forward the SNMP request coming - in through the front panel interfaces present in namespace to the SNMP Agent running in the linux host. The external IP address are - NATed to the internal docker IP address for the SNMP agent running in linux host to respond. + in through the front panel interfaces created/present in the asic namespace to the SNMP Agent running in SNMP container in + linux host network namespace. The external IP addresses are NATed to the internal docker IP addresses for the SNMP Agent to respond. """ fwd_snmp_traffic_from_namespace_to_host_cmds = [] From 02c493add16096ba10d33e59c94bad8cfa9dc017 Mon Sep 17 00:00:00 2001 From: Judy Joseph Date: Wed, 23 Sep 2020 16:12:20 -0700 Subject: [PATCH 6/9] No need to clean up the exising NAT rules if present, which could be created by some other process. --- files/image_config/caclmgrd/caclmgrd | 7 ------- 1 file changed, 7 deletions(-) diff --git a/files/image_config/caclmgrd/caclmgrd b/files/image_config/caclmgrd/caclmgrd index c1c0932661ea..0c648e9f2073 100755 --- a/files/image_config/caclmgrd/caclmgrd +++ b/files/image_config/caclmgrd/caclmgrd 
@@ -223,10 +223,6 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): if namespace: # IPv4 rules - fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -t nat -X") - fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -t nat -F") - - # For namespace docker allow all tcp/udp traffic from host docker bridge to its eth0 management ip fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -t nat -A PREROUTING -p udp --dport {} -j DNAT --to-destination {}".format (self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_mgmt_ip)) @@ -235,9 +231,6 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): (self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_docker_mgmt_ip[namespace])) # IPv6 rules - fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -X") - fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -F") - fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -A PREROUTING -p udp --dport {} -j DNAT --to-destination {}".format (self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_mgmt_ipv6)) From db5b1027c07ea36da3b26ea91f114bebcdd092d8 Mon Sep 17 00:00:00 2001 From: Judy Joseph Date: Wed, 23 Sep 2020 20:01:32 -0700 Subject: [PATCH 7/9] Delete our rule first and add it back, to take care of caclmgrd restart. Another benefit is that we delete only our rules, rather than earlier approach of "iptables -F" which cleans up all rules. --- files/image_config/caclmgrd/caclmgrd | 35 ++++++++++++++++------------ 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/files/image_config/caclmgrd/caclmgrd b/files/image_config/caclmgrd/caclmgrd index 0c648e9f2073..769d411f3470 100755 --- a/files/image_config/caclmgrd/caclmgrd 
+++ b/files/image_config/caclmgrd/caclmgrd 
@@ -221,22 +221,27 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): """ fwd_snmp_traffic_from_namespace_to_host_cmds = [] + # The action set for iptables where D is DELETE, A is APPEND + rule_action_list = ['D', 'A'] + if namespace: - # IPv4 rules - fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + - "iptables -t nat -A PREROUTING -p udp --dport {} -j DNAT --to-destination {}".format - (self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_mgmt_ip)) - fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + - "iptables -t nat -A POSTROUTING -p udp --dport {} -j SNAT --to-source {}".format - (self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_docker_mgmt_ip[namespace])) - - # IPv6 rules - fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + - "ip6tables -t nat -A PREROUTING -p udp --dport {} -j DNAT --to-destination {}".format - (self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_mgmt_ipv6)) - fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + - "ip6tables -t nat -A POSTROUTING -p udp --dport {} -j SNAT --to-source {}".format - (self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_docker_mgmt_ipv6[namespace])) + # Delete only the rules we created earlier before addiing them again, useful in case of caclmgrd restart. 
+ for action in rule_action_list: + # IPv4 rules + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + "iptables -t nat -{} PREROUTING -p udp --dport {} -j DNAT --to-destination {}".format + (action, self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_mgmt_ip)) + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + "iptables -t nat -{} POSTROUTING -p udp --dport {} -j SNAT --to-source {}".format + (action, self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_docker_mgmt_ip[namespace])) + + # IPv6 rules + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + "ip6tables -t nat -{} PREROUTING -p udp --dport {} -j DNAT --to-destination {}".format + (action, self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_mgmt_ipv6)) + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + "ip6tables -t nat -{} POSTROUTING -p udp --dport {} -j SNAT --to-source {}".format + (action, self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_docker_mgmt_ipv6[namespace])) return fwd_snmp_traffic_from_namespace_to_host_cmds From 1139058d8929fb7ca0e4455197f6396128d600c2 Mon Sep 17 00:00:00 2001 From: Judy Joseph Date: Wed, 23 Sep 2020 23:30:30 -0700 Subject: [PATCH 8/9] Keeping the original logic to clean the NAT entries, to revist when NAT feature added in namespace. --- files/image_config/caclmgrd/caclmgrd | 41 ++++++++++++++-------------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/files/image_config/caclmgrd/caclmgrd b/files/image_config/caclmgrd/caclmgrd index 769d411f3470..e0565c655ad4 100755 --- a/files/image_config/caclmgrd/caclmgrd +++ b/files/image_config/caclmgrd/caclmgrd 
@@ -221,27 +221,28 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): """ fwd_snmp_traffic_from_namespace_to_host_cmds = [] - # The action set for iptables where D is DELETE, A is APPEND - rule_action_list = ['D', 'A'] - if namespace: - # Delete only the rules we created earlier before addiing them again, useful in case of caclmgrd restart. - for action in rule_action_list: - # IPv4 rules - fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + - "iptables -t nat -{} PREROUTING -p udp --dport {} -j DNAT --to-destination {}".format - (action, self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_mgmt_ip)) - fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + - "iptables -t nat -{} POSTROUTING -p udp --dport {} -j SNAT --to-source {}".format - (action, self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_docker_mgmt_ip[namespace])) - - # IPv6 rules - fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + - "ip6tables -t nat -{} PREROUTING -p udp --dport {} -j DNAT --to-destination {}".format - (action, self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_mgmt_ipv6)) - fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + - "ip6tables -t nat -{} POSTROUTING -p udp --dport {} -j SNAT --to-source {}".format - (action, self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_docker_mgmt_ipv6[namespace])) + # IPv4 rules + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -t nat -X") + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "iptables -t nat -F") + + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + "iptables -t nat -A PREROUTING -p udp --dport {} -j DNAT --to-destination {}".format + (self.ACL_SERVICES['SNMP']['dst_ports'][0], 
self.namespace_mgmt_ip)) + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + "iptables -t nat -A POSTROUTING -p udp --dport {} -j SNAT --to-source {}".format + (self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_docker_mgmt_ip[namespace])) + + # IPv6 rules + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -X") + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -t nat -F") + + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + "ip6tables -t nat -A PREROUTING -p udp --dport {} -j DNAT --to-destination {}".format + (self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_mgmt_ipv6)) + fwd_snmp_traffic_from_namespace_to_host_cmds.append(self.iptables_cmd_ns_prefix[namespace] + + "ip6tables -t nat -A POSTROUTING -p udp --dport {} -j SNAT --to-source {}".format + (self.ACL_SERVICES['SNMP']['dst_ports'][0], self.namespace_docker_mgmt_ipv6[namespace])) return fwd_snmp_traffic_from_namespace_to_host_cmds From 1d84c7d93893257947da2c39eeb3156cdda7d1a2 Mon Sep 17 00:00:00 2001 From: Judy Joseph Date: Fri, 25 Sep 2020 12:55:32 -0700 Subject: [PATCH 9/9] Missing updates to log_info call. --- files/image_config/caclmgrd/caclmgrd | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/files/image_config/caclmgrd/caclmgrd b/files/image_config/caclmgrd/caclmgrd index e0565c655ad4..911158971589 100755 --- a/files/image_config/caclmgrd/caclmgrd +++ b/files/image_config/caclmgrd/caclmgrd 
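Review bot: The DNAT/SNAT rules match every UDP packet to the SNMP port that enters the namespace, with no `-d` or `-i` qualifier, whereas the series title limits the feature to requests destined to the loopback IP and arriving on front-panel interfaces; as written, any UDP/161 packet that reaches the namespace kernel — including one addressed to another host, or one arriving on eth0 itself — is redirected to the host agent. I would scope both the PREROUTING and POSTROUTING commands to the address the agent is meant to answer on, e.g. `-d {loopback_ip}` placed before `-p udp --dport {}`, with the loopback address fetched from the namespace's configuration (not read anywhere in this file today), or restrict by ingress interface with `-i`. The restored `iptables -t nat -X` / `-F` also wipes every NAT rule in the namespace on each caclmgrd start, not only the ones this daemon owns, which the earlier commit in this series explicitly called out; a dedicated chain (`-N CACL_SNMP_NAT`, `-F CACL_SNMP_NAT`, `-A PREROUTING -j CACL_SNMP_NAT`) keeps restarts idempotent without touching other processes' rules, and the "revisit when NAT feature added" intent belongs in a `# TODO` next to the flush so it is not lost.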
@@ -480,9 +480,9 @@ class ControlPlaneAclManager(daemon_base.DaemonBase): """ # Add iptables commands to allow front panel snmp traffic iptables_cmds = self.generate_fwd_snmp_traffic_from_namespace_to_host_commands(namespace) - log_info("Issuing the following iptables commands:") + self.log_info("Issuing the following iptables commands:") for cmd in iptables_cmds: - log_info(" " + cmd) + self.log_info(" " + cmd) self.run_commands(iptables_cmds)