[Smartswitch] Update control plane ACL for smartswitch #301
Conversation
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
scripts/caclmgrd
Outdated
|
|
||
| if device_info.is_smartswitch(): | ||
| # Allow traffic to the chassis midplane IP | ||
| allow_internal_chassis_midplane_traffic.append(['iptables', '-A', 'INPUT', '-d', '169.254.200.254','-j', 'ACCEPT']) |
There was a problem hiding this comment.
This is a hard-coded IP Address which will never change (since it should belong in the same network as the DPU midplane ip, these are hardcoded as well)
There was a problem hiding this comment.
@qiluo-msft please confirm, if this is okay as the IP is hard-coded, otherwise I can parse from CONFIG_DB
There was a problem hiding this comment.
If it is already in CONFIG_DB, then get from there.
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
scripts/caclmgrd
Outdated
| if "ip_prefix" in global_config: | ||
| self.log_info("Retrieved midplane bridge IP prefix from ConfigDB: {}".format(global_config["ip_prefix"])) | ||
| return global_config["ip_prefix"].split("/")[0] | ||
| except Exception as e: |
There was a problem hiding this comment.
specified exception as runtimeerror, if there are any connectivity issues and raised exception
| return global_config["ip_prefix"].split("/")[0] | ||
| except Exception as e: | ||
| self.log_error("Failed to get midplane bridge IP from ConfigDB: {}".format(str(e))) | ||
| return "169.254.200.254" |
There was a problem hiding this comment.
raised the exception, the return cannot be empty string since in 202505 (where this PR is required) the MID_PLANE_BRIDGE table is not configured by default, but the interface has this IP address:
https://github.com/sonic-net/sonic-buildimage/blob/414e4740a6ef3dcbc2b2b5ae72d00ef91c941d5a/files/image_config/midplane-network/bridge-midplane.network#L7
The ip address is where the CHASSIS DBs are hosted which are accessible from the DPU
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
The smartswitch CHASSIS_STATE_DB is hosted on the redis-chassis IP address, which needs to still accept traffic on addition of control plane ACLs (DBs should be accessible at any point of time) this ip is also needed for DPU access as well. So we have a check for smartswitch to allow traffic to the bridge-midplane IP address
##Tests
Manual tests to confirm that addition of control plane ACLs does not render the CHASSIS_STATE_DB inaccesible