From 3437e35f7e0cc258b39ba5cef1e659b66c85b9f5 Mon Sep 17 00:00:00 2001
From: Suvarna Meenakshi <sumeenak@microsoft.com>
Date: Fri, 19 Aug 2022 18:46:47 +0000
Subject: [PATCH] [caclmgrd][chassis]: Add ip tables rules to accept internal docker traffic from fabric asic namespaces.
Signed-off-by: Suvarna Meenakshi <sumeenak@microsoft.com>
---
 scripts/caclmgrd | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/scripts/caclmgrd b/scripts/caclmgrd
index 19e42a8b48a8..9974a16cd109 100755
--- a/scripts/caclmgrd
+++ b/scripts/caclmgrd
@@ -135,22 +135,26 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
 self.config_db_map[front_asic_namespace] = swsscommon.ConfigDBConnector(use_unix_socket_path=True, namespace=front_asic_namespace)
 self.config_db_map[front_asic_namespace].connect()
- self.iptables_cmd_ns_prefix[front_asic_namespace] = "ip netns exec " + front_asic_namespace + " "
- self.namespace_docker_mgmt_ip[front_asic_namespace] = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[front_asic_namespace],
- front_asic_namespace)
- self.namespace_docker_mgmt_ipv6[front_asic_namespace] = self.get_namespace_mgmt_ipv6(self.iptables_cmd_ns_prefix[front_asic_namespace],
- front_asic_namespace)
+ self.update_docker_mgmt_ip_acl(front_asic_namespace)
 for back_asic_namespace in namespaces['back_ns']:
 self.update_thread[back_asic_namespace] = None
 self.lock[back_asic_namespace] = threading.Lock()
 self.num_changes[back_asic_namespace] = 0
-
- self.iptables_cmd_ns_prefix[back_asic_namespace] = "ip netns exec " + back_asic_namespace + " "
- self.namespace_docker_mgmt_ip[back_asic_namespace] = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[back_asic_namespace],
- back_asic_namespace)
- self.namespace_docker_mgmt_ipv6[back_asic_namespace] = self.get_namespace_mgmt_ipv6(self.iptables_cmd_ns_prefix[back_asic_namespace],
- back_asic_namespace)
+ self.update_docket_mgmt_ip_acl(back_asic_namespace)
+
+ for fabric_asic_namespace in namespaces['fabric_ns']:
+ self.update_thread[fabric_asic_namespace] = None
+ self.lock[fabric_asic_namespace] = threading.Lock()
+ self.num_changes[fabric_asic_namespace] = 0
+ self.update_docket_mgmt_ip_acl(fabric_asic_namespace)
+
+ def update_docket_mgmt_ip_acl(self, namespace):
+ self.iptables_cmd_ns_prefix[namespace] = "ip netns exec " + namespace + " "
+ self.namespace_docker_mgmt_ip[namespace] = self.get_namespace_mgmt_ip(self.iptables_cmd_ns_prefix[namespace],
+ namespace)
+ self.namespace_docker_mgmt_ipv6[namespace] = self.get_namespace_mgmt_ipv6(self.iptables_cmd_ns_prefix[namespace],
+ namespace)
 def get_namespace_mgmt_ip(self, iptable_ns_cmd_prefix, namespace):
 ip_address_get_command = iptable_ns_cmd_prefix + "ip -4 -o addr show " + ("eth0" if namespace else "docker0") +\
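Review bot: The front-ASIC loop calls `self.update_docker_mgmt_ip_acl(front_asic_namespace)`, but the method this hunk defines, and the back/fabric loops call, is spelled `update_docket_mgmt_ip_acl`, so on any chassis with a front namespace the constructor raises AttributeError before any namespace prefix or management address is recorded, and the control-plane ACL daemon never reaches the point of programming rules. Use one spelling everywhere, e.g. `def update_docker_mgmt_ip_acl(self, namespace):` and change the two `update_docket_` call sites to match. The name is also misleading: the method only stores the `ip netns exec <ns> ` prefix and the namespace's IPv4/IPv6 management addresses and does not touch iptables itself (presumably the rule generation elsewhere consumes these dicts), so a docstring such as `"""Record the netns command prefix and docker management IPv4/IPv6 for namespace; read later when ACL rules are built."""` would make that clear. The enclosing initialiser starts before this hunk and `get_namespace_mgmt_ip` continues after it.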