As part of this PR#sonic-net/sonic-buildimage#4412
we have added ACCEPT rules for BGP packets as default. Because of this
the iptables rule added by qos_sai.yml gets ignored because of lower priority
and makes the test case fail, since BGP packets impact the Buffer calculation
assumption of the testcase.

The fix is to add an iptables rule to drop BGP packets from the test case as highest
priority.

Fix in py script also
abdosi committed Jun 24, 2020
1 parent beaf073 commit 7c04d74
Showing 2 changed files with 7 additions and 5 deletions.
8 changes: 4 additions & 4 deletions ansible/roles/test/tasks/qos_sai.yml
Expand Up @@ -66,12 +66,12 @@
supervisorctl: state=stopped name=bgpd
delegate_to: "{{ ansible_host }}_bgp"

- name: Add iptables rule to drop BGP SYN Packet from peer so that we do not ACK back
shell: "iptables -A INPUT -j DROP -p tcp --destination-port bgp"
- name: Add iptables rule to drop BGP SYN Packet from peer so that we do not ACK back. Add at top so existing rules don't have precedence over it.
shell: "iptables -I INPUT 1 -j DROP -p tcp --destination-port bgp"
become: true

- name: Add ip6tables rule to drop BGP SYN Packet from peer so that we do not ACK back
shell: "ip6tables -A INPUT -j DROP -p tcp --destination-port bgp"
- name: Add ip6tables rule to drop BGP SYN Packet from peer so that we do not ACK back. Add at top so existing rules don't have precedence over it.
shell: "ip6tables -I INPUT 1 -j DROP -p tcp --destination-port bgp"
become: true

- meta: flush_handlers
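Review bot: the two `shell:` tasks that run `iptables -I INPUT 1 ...` and `ip6tables -I INPUT 1 ...` are not idempotent, so every run of this task file pushes another copy of the DROP rule onto the top of INPUT, and nothing in the visible lines removes it afterwards. Guard each insert with a check, for example `iptables -C INPUT -j DROP -p tcp --destination-port bgp || iptables -I INPUT 1 -j DROP -p tcp --destination-port bgp`, or switch to the Ansible iptables module with `action=insert` and `rule_num=1` as the Python change in this commit does, so the same rule spec can later be removed with `state=absent`. Separately, the task names say "BGP SYN Packet" while the rule matches every TCP packet to the bgp port; either reword the name or state that dropping all of it is intended.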
4 changes: 3 additions & 1 deletion tests/qos/qos_sai_base.py
Expand Up @@ -377,14 +377,16 @@ def updateIptables(self, duthost, swapSyncd):
def updateIptablesDropRule(duthost, ipVersion, state='present'):
duthost.iptables(
ip_version=ipVersion,
action="Append",
action="insert",
rule_num="1",
chain="INPUT",
jump="DROP",
protocol="tcp",
destination_port="bgp",
state=state
)


ipVersions = [{"ipVersion": "ipv4"}, {"ipVersion": "ipv6"}]

logger.info("Add ip[6]tables rule to drop BGP SYN Packet from peer so that we do not ACK back")
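Review bot: `updateIptablesDropRule` now passes `action="insert"` with `rule_num="1"` but carries no comment saying why position 1 matters, and the `logger.info` text below it is unchanged, so a later reader can revert to append without noticing the dependency on rule order. Add a short comment above the `duthost.iptables(` call noting that the default ACCEPT rules for BGP would otherwise match first, and extend the log message to say the rule is inserted at the top of INPUT, mirroring the wording added to the task names in qos_sai.yml. The second blank line added after the closing parenthesis looks unintentional and can be dropped.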