Skip to content

Commit

Permalink
Fixed ip6table internal_docker_ip_traffic rule command for multi-asic (
Browse files Browse the repository at this point in the history
…sonic-net#94)

* Fixed ip6table internal_docker_ip_traffic rule command for multi-asic

* Added test coverage

Signed-off-by: anamehra <[email protected]>
  • Loading branch information
anamehra authored Dec 13, 2023
1 parent b9600f1 commit 722b796
Show file tree
Hide file tree
Showing 3 changed files with 57 additions and 1 deletion.
2 changes: 1 addition & 1 deletion scripts/caclmgrd
Original file line number Diff line number Diff line change
Expand Up @@ -336,7 +336,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
allow_internal_docker_ip_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['ip6tables', '-A', 'INPUT', '-s', self.namespace_docker_mgmt_ipv6[namespace], '-d', self.namespace_docker_mgmt_ipv6[namespace], '-j', 'ACCEPT'])
allow_internal_docker_ip_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['iptables', '-A', 'INPUT', '-s', self.namespace_mgmt_ip, '-d', self.namespace_docker_mgmt_ip[namespace], '-j', 'ACCEPT'])

allow_internal_docker_ip_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['ip6tables', '-A', 'INPUT', '-s', self.namespace_mgmt_ipv6, '-d', 'self.namespace_docker_mgmt_ipv6[namespace]', '-j', 'ACCEPT'])
allow_internal_docker_ip_cmds.append(self.iptables_cmd_ns_prefix[namespace] + ['ip6tables', '-A', 'INPUT', '-s', self.namespace_mgmt_ipv6, '-d', self.namespace_docker_mgmt_ipv6[namespace], '-j', 'ACCEPT'])

else:

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
import os
import sys

from parameterized import parameterized
from sonic_py_common.general import load_module_from_source
from unittest import TestCase, mock
from pyfakefs.fake_filesystem_unittest import patchfs

from .test_internal_docker_ip_traffic_vectors import CACLMGRD_INTERNAL_DOCKER_IP_TEST_VECTOR


class TestCaclmgrdGenerateInternalDockerIp(TestCase):
"""
Test caclmgrd multi-asic generate internal docker ip allow rule
"""
def setUp(self):
test_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
modules_path = os.path.dirname(test_path)
scripts_path = os.path.join(modules_path, "scripts")
sys.path.insert(0, modules_path)
caclmgrd_path = os.path.join(scripts_path, 'caclmgrd')
self.caclmgrd = load_module_from_source('caclmgrd', caclmgrd_path)
self.maxDiff = None

@parameterized.expand(CACLMGRD_INTERNAL_DOCKER_IP_TEST_VECTOR)
@patchfs
def test_caclmgrd_internal_docker_ip_traffic(self, test_name, test_data, fs):
self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ip = mock.MagicMock()
self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock()
caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")
caclmgrd_daemon.iptables_cmd_ns_prefix['asic0'] = ['ip', 'netns', 'exec', 'asic0']
caclmgrd_daemon.namespace_docker_mgmt_ip['asic0'] = '1.1.1.1/32'
caclmgrd_daemon.namespace_mgmt_ip = '2.2.2.2/32'
caclmgrd_daemon.namespace_docker_mgmt_ipv6['asic0'] = 'fd::01/128'
caclmgrd_daemon.namespace_mgmt_ipv6 = 'fd::02/128'

ret = caclmgrd_daemon.generate_allow_internal_docker_ip_traffic_commands('asic0')
self.assertListEqual(test_data["return"], ret)
18 changes: 18 additions & 0 deletions tests/caclmgrd/test_internal_docker_ip_traffic_vectors.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
from unittest.mock import call

"""
caclmgrd internal docker ip traffic test vector
"""
CACLMGRD_INTERNAL_DOCKER_IP_TEST_VECTOR = [
[
"Allow internal docker traffic",
{
"return": [
['ip', 'netns', 'exec', 'asic0', 'iptables', '-A', 'INPUT', '-s', '1.1.1.1/32', '-d', '1.1.1.1/32', '-j', 'ACCEPT'],
['ip', 'netns', 'exec', 'asic0', 'ip6tables', '-A', 'INPUT', '-s', 'fd::01/128', '-d', 'fd::01/128', '-j', 'ACCEPT'],
['ip', 'netns', 'exec', 'asic0', 'iptables', '-A', 'INPUT', '-s', '2.2.2.2/32', '-d', '1.1.1.1/32', '-j', 'ACCEPT'],
['ip', 'netns', 'exec', 'asic0', 'ip6tables', '-A', 'INPUT', '-s', 'fd::02/128', '-d', 'fd::01/128', '-j', 'ACCEPT']
]
}
]
]

0 comments on commit 722b796

Please sign in to comment.