From 382e997b065c53f802b43167623846b324b2f5ae Mon Sep 17 00:00:00 2001 From: Prince Date: Thu, 12 Sep 2019 01:02:30 +0000 Subject: [PATCH 1/6] Install Iptables rules to set TCPMSS for lo interface --- build_debian.sh | 3 ++ files/build_templates/docker_image_ctl.j2 | 5 +++ .../build_templates/sonic_debian_extension.j2 | 3 ++ files/image_config/iptables/iptables.j2 | 37 +++++++++++++++++++ files/image_config/iptables/iptables.sh | 7 ++++ files/image_config/updategraph/updategraph | 13 ++++++- 6 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 files/image_config/iptables/iptables.j2 create mode 100755 files/image_config/iptables/iptables.sh diff --git a/build_debian.sh b/build_debian.sh index 4a734aea0995..0fad71f4946e 100755 --- a/build_debian.sh +++ b/build_debian.sh @@ -487,6 +487,9 @@ fi sudo sed -i 's/EBTABLES_LOAD_ON_START="no"/EBTABLES_LOAD_ON_START="yes"/g' ${FILESYSTEM_ROOT}/etc/default/ebtables sudo cp files/image_config/ebtables/ebtables.filter ${FILESYSTEM_ROOT}/etc +## Setup iptables rules +sudo cp files/image_config/iptables/iptables.sh ${FILESYSTEM_ROOT}/usr/bin + ## Debug Image specific changes ## Update motd for debug image if [ "$DEBUG_IMG" == "y" ] diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2 index 756ce16a2bc0..99a37c3f302b 100644 --- a/files/build_templates/docker_image_ctl.j2 +++ b/files/build_templates/docker_image_ctl.j2 @@ -87,6 +87,11 @@ function postStartAction() # Migrate the DB to the latest schema version if needed /usr/bin/db_migrator.py -o migrate fi + + if [[ -x /usr/bin/iptables.sh ]]; then + # Install iptables rules + /usr/bin/iptables.sh + fi {%- elif docker_container_name == "swss" %} docker exec swss rm -f /ready # remove cruft if [[ "$BOOT_TYPE" == "fast" ]] && [[ -d /host/fast-reboot ]]; then diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2 index 0f27c15273c1..036b95140974 100644 
--- a/files/build_templates/sonic_debian_extension.j2 +++ b/files/build_templates/sonic_debian_extension.j2 @@ -197,6 +197,9 @@ echo "hostcfgd.service" | sudo tee -a $GENERATED_SERVICE_FILE sudo cp $IMAGE_CONFIGS/hostcfgd/hostcfgd $FILESYSTEM_ROOT/usr/bin/ sudo cp $IMAGE_CONFIGS/hostcfgd/*.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ +# Copy iptables files +sudo cp $IMAGE_CONFIGS/iptables/*.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ + # Copy the buffer configuration template sudo cp $BUILD_TEMPLATES/buffers_config.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ diff --git a/files/image_config/iptables/iptables.j2 b/files/image_config/iptables/iptables.j2 new file mode 100644 index 000000000000..986e31448152 --- /dev/null +++ b/files/image_config/iptables/iptables.j2 @@ -0,0 +1,37 @@ +#!/usr/bin/env bash + +function ip_tables_install +{ + echo "Installing Iptables mangle rules" + prefix=$1 + cmd=$2 + + # Set first with prerouting and direction = destination + chain="PREROUTING" + dir="d" + while true; do + exec="${cmd} -t mangle -C ${chain} -p tcp --tcp-flags SYN SYN -${dir} ${prefix} -j TCPMSS --set-mss 1460" + $exec 2> /dev/null + if [ $? -eq 0 ]; then + echo "${prefix} rule exists in ${chain}" + else + exec="${cmd} -t mangle -A ${chain} -p tcp --tcp-flags SYN SYN -${dir} ${prefix} -j TCPMSS --set-mss 1460" + echo $exec + $exec + fi + + if [ $chain = "PREROUTING" ]; then + chain="POSTROUTING" + dir="s" + else + break + fi + done +} + +{% block loopback %} +# Iptables rules for the loopback network interface +{% for (name, prefix) in LOOPBACK_INTERFACE|pfx_filter %} +ip_tables_install {{ prefix | ip }} {{ 'iptables' if prefix | ipv4 else 'ip6tables' }} +{% endfor %} +{% endblock loopback %} diff --git a/files/image_config/iptables/iptables.sh b/files/image_config/iptables/iptables.sh new file mode 100755 index 000000000000..a3919b21479e --- /dev/null +++ b/files/image_config/iptables/iptables.sh 
@@ -0,0 +1,7 @@ +#!/usr/bin/env bash + +sonic-cfggen -d -t /usr/share/sonic/templates/iptables.j2 > /usr/bin/iptables_install.sh + +chmod +x /usr/bin/iptables_install.sh + +/usr/bin/iptables_install.sh diff --git a/files/image_config/updategraph/updategraph b/files/image_config/updategraph/updategraph index b14f75f8582f..fc42b05a4864 100755 --- a/files/image_config/updategraph/updategraph +++ b/files/image_config/updategraph/updategraph @@ -2,6 +2,14 @@ CONFIG_DB_INDEX=4 +function install_iptables() +{ + if [[ -x /usr/bin/iptables.sh ]]; then + # Install iptables rules + /usr/bin/iptables.sh + fi +} + reload_minigraph() { echo "Reloading minigraph..." @@ -21,6 +29,7 @@ reload_minigraph() # Set latest version number /usr/bin/db_migrator.py -o set_version fi + install_iptables } function copy_config_files_and_directories() @@ -46,7 +55,6 @@ function check_system_warm_boot() fi } - if [ ! -f /etc/sonic/updategraph.conf ]; then echo "No updategraph.conf found, generating a default one." echo "enabled=false" >/etc/sonic/updategraph.conf @@ -67,6 +75,7 @@ if [ -f /tmp/pending_config_migration ]; then else echo "Use config_db.json from old system..." sonic-cfggen -j /etc/sonic/config_db.json --write-to-db + install_iptables fi rm -f /tmp/pending_config_migration sed -i "/enabled=/d" /etc/sonic/updategraph.conf @@ -82,6 +91,7 @@ if [ -f /tmp/pending_config_initialization ]; then sonic-cfggen -H -k ${PRESET[0]} --preset ${PRESET[1]} > /etc/sonic/config_db.json redis-cli -n $CONFIG_DB_INDEX FLUSHDB sonic-cfggen -j /etc/sonic/config_db.json --write-to-db + install_iptables redis-cli -n $CONFIG_DB_INDEX SET "CONFIG_DB_INITIALIZED" "1" exit 0 fi @@ -127,6 +137,7 @@ if [ "$src" = "dhcp" ]; then fi redis-cli -n $CONFIG_DB_INDEX FLUSHDB sonic-cfggen -j /etc/sonic/config_db.json --write-to-db + install_iptables redis-cli -n $CONFIG_DB_INDEX SET "CONFIG_DB_INITIALIZED" "1" if [ "$dhcp_as_static" = "true" ]; then sed -i "/enabled=/d" /etc/sonic/updategraph.conf 
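Review bot: `iptables.sh` renders a script straight into `/usr/bin/iptables_install.sh` and executes it without checking that the render succeeded: if `sonic-cfggen` fails, the redirect has already truncated the file, and `chmod +x` and the final run then proceed on an empty or partial script, with no `set -e` to stop them. Suggest `set -euo pipefail` as the first line and rendering into a `mktemp` file (or piping the rendered output to `bash`) so a generated executable is not left behind and rewritten under `/usr/bin` on every run. Patch 3 of this series deletes this file, so the point only matters if the intermediate commits are kept or bisected.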
From aad843ced16a7d43dc37c756e9fe3c387f63327f Mon Sep 17 00:00:00 2001 From: Prince Date: Fri, 13 Sep 2019 21:17:07 +0000 Subject: [PATCH 2/6] Move invocation to hostcfgd --- files/build_templates/docker_image_ctl.j2 | 5 ----- files/image_config/hostcfgd/hostcfgd | 15 +++++++++++++++ files/image_config/updategraph/updategraph | 13 +------------ 3 files changed, 16 insertions(+), 17 deletions(-) diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2 index 99a37c3f302b..756ce16a2bc0 100644 --- a/files/build_templates/docker_image_ctl.j2 +++ b/files/build_templates/docker_image_ctl.j2 @@ -87,11 +87,6 @@ function postStartAction() # Migrate the DB to the latest schema version if needed /usr/bin/db_migrator.py -o migrate fi - - if [[ -x /usr/bin/iptables.sh ]]; then - # Install iptables rules - /usr/bin/iptables.sh - fi {%- elif docker_container_name == "swss" %} docker exec swss rm -f /ready # remove cruft if [[ "$BOOT_TYPE" == "fast" ]] && [[ -d /host/fast-reboot ]]; then diff --git a/files/image_config/hostcfgd/hostcfgd b/files/image_config/hostcfgd/hostcfgd index b1ec2644e122..373cba56e44b 100755 --- a/files/image_config/hostcfgd/hostcfgd +++ b/files/image_config/hostcfgd/hostcfgd @@ -159,6 +159,7 @@ class HostConfigDaemon: self.aaacfg = AaaCfg() self.aaacfg.load(aaa, tacacs_global, tacacs_server) self.hostname_cache="" + self.lpbk_handler() def aaa_handler(self, key, data): self.aaacfg.aaa_update(key, data) 
@@ -215,11 +216,25 @@ class HostConfigDaemon: self.hostname_cache = hostname + def lpbk_handler(self, key=None, data=None): + script = '/usr/bin/iptables.sh' + exists = os.path.isfile(script) + if not exists: + syslog.syslog(syslog.LOG_ERR, "Can't find iptables script ") + return + + try: + subprocess.check_call(script, shell=True) + except subprocess.CalledProcessError as err: + syslog.syslog(syslog.LOG_ERR, "{} - failed: return code - {}, output:\n{}" + .format(err.cmd, err.returncode, err.output)) + def start(self): self.config_db.subscribe('AAA', lambda table, key, data: self.aaa_handler(key, data)) self.config_db.subscribe('TACPLUS_SERVER', lambda table, key, data: self.tacacs_server_handler(key, data)) self.config_db.subscribe('TACPLUS', lambda table, key, data: self.tacacs_global_handler(key, data)) self.config_db.subscribe('DEVICE_METADATA', lambda table, key, data: self.hostname_handler(key, data)) + self.config_db.subscribe('LOOPBACK_INTERFACE', lambda table, key, data: self.lpbk_handler(key, data)) self.config_db.listen() diff --git a/files/image_config/updategraph/updategraph b/files/image_config/updategraph/updategraph index fc42b05a4864..b14f75f8582f 100755 --- a/files/image_config/updategraph/updategraph +++ b/files/image_config/updategraph/updategraph @@ -2,14 +2,6 @@ CONFIG_DB_INDEX=4 -function install_iptables() -{ - if [[ -x /usr/bin/iptables.sh ]]; then - # Install iptables rules - /usr/bin/iptables.sh - fi -} - reload_minigraph() { echo "Reloading minigraph..." @@ -29,7 +21,6 @@ reload_minigraph() # Set latest version number /usr/bin/db_migrator.py -o set_version fi - install_iptables } function copy_config_files_and_directories() @@ -55,6 +46,7 @@ function check_system_warm_boot() fi } + if [ ! -f /etc/sonic/updategraph.conf ]; then echo "No updategraph.conf found, generating a default one." echo "enabled=false" >/etc/sonic/updategraph.conf 
@@ -75,7 +67,6 @@ if [ -f /tmp/pending_config_migration ]; then else echo "Use config_db.json from old system..." sonic-cfggen -j /etc/sonic/config_db.json --write-to-db - install_iptables fi rm -f /tmp/pending_config_migration sed -i "/enabled=/d" /etc/sonic/updategraph.conf @@ -91,7 +82,6 @@ if [ -f /tmp/pending_config_initialization ]; then sonic-cfggen -H -k ${PRESET[0]} --preset ${PRESET[1]} > /etc/sonic/config_db.json redis-cli -n $CONFIG_DB_INDEX FLUSHDB sonic-cfggen -j /etc/sonic/config_db.json --write-to-db - install_iptables redis-cli -n $CONFIG_DB_INDEX SET "CONFIG_DB_INITIALIZED" "1" exit 0 fi @@ -137,7 +127,6 @@ if [ "$src" = "dhcp" ]; then fi redis-cli -n $CONFIG_DB_INDEX FLUSHDB sonic-cfggen -j /etc/sonic/config_db.json --write-to-db - install_iptables redis-cli -n $CONFIG_DB_INDEX SET "CONFIG_DB_INITIALIZED" "1" if [ "$dhcp_as_static" = "true" ]; then sed -i "/enabled=/d" /etc/sonic/updategraph.conf From a910b1b80df82387ce05dcaf6b7bae025c5aa94b Mon Sep 17 00:00:00 2001 From: Prince Date: Tue, 17 Sep 2019 02:26:54 +0000 Subject: [PATCH 3/6] Moved implementation to hostcfgd to maintain at one place --- build_debian.sh | 3 - .../build_templates/sonic_debian_extension.j2 | 3 - files/image_config/hostcfgd/hostcfgd | 87 ++++++++++++++++--- files/image_config/iptables/iptables.j2 | 37 -------- files/image_config/iptables/iptables.sh | 7 -- 5 files changed, 75 insertions(+), 62 deletions(-) delete mode 100644 files/image_config/iptables/iptables.j2 delete mode 100755 files/image_config/iptables/iptables.sh diff --git a/build_debian.sh b/build_debian.sh index 0fad71f4946e..4a734aea0995 100755 --- a/build_debian.sh +++ b/build_debian.sh 
@@ -487,9 +487,6 @@ fi sudo sed -i 's/EBTABLES_LOAD_ON_START="no"/EBTABLES_LOAD_ON_START="yes"/g' ${FILESYSTEM_ROOT}/etc/default/ebtables sudo cp files/image_config/ebtables/ebtables.filter ${FILESYSTEM_ROOT}/etc -## Setup iptables rules -sudo cp files/image_config/iptables/iptables.sh ${FILESYSTEM_ROOT}/usr/bin - ## Debug Image specific changes ## Update motd for debug image if [ "$DEBUG_IMG" == "y" ] diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2 index 036b95140974..0f27c15273c1 100644 --- a/files/build_templates/sonic_debian_extension.j2 +++ b/files/build_templates/sonic_debian_extension.j2 @@ -197,9 +197,6 @@ echo "hostcfgd.service" | sudo tee -a $GENERATED_SERVICE_FILE sudo cp $IMAGE_CONFIGS/hostcfgd/hostcfgd $FILESYSTEM_ROOT/usr/bin/ sudo cp $IMAGE_CONFIGS/hostcfgd/*.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ -# Copy iptables files -sudo cp $IMAGE_CONFIGS/iptables/*.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ - # Copy the buffer configuration template sudo cp $BUILD_TEMPLATES/buffers_config.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ diff --git a/files/image_config/hostcfgd/hostcfgd b/files/image_config/hostcfgd/hostcfgd index 373cba56e44b..fa2f653f6350 100755 --- a/files/image_config/hostcfgd/hostcfgd +++ b/files/image_config/hostcfgd/hostcfgd @@ -8,6 +8,7 @@ import subprocess import syslog import copy import jinja2 +import ipaddr as ipaddress from swsssdk import ConfigDBConnector # FILE 
@@ -49,6 +50,68 @@ def obfuscate(data): else: return data +class Iptables(object): + def is_ip_prefix_in_key(self, key): + ''' + Function to check if IP address is present in the key. If it + is present, then the key would be a tuple or else, it shall be + be string + ''' + return (isinstance(key, tuple)) + + def load(self, lpbk_table): + for row in lpbk_table: + self.iptables_handler(row, lpbk_table[row]) + + def command(self, chain, ip, ver, op): + cmd = 'iptables' if ver == '4' else 'ip6tables' + cmd += ' -t mangle --{} {} -p tcp --tcp-flags SYN SYN'.format(op, chain) + cmd += ' -d' if chain == 'PREROUTING' else ' -s' + cmd += ' {} -j TCPMSS --set-mss 1460'.format(ip) + + return cmd + + def iptables_handler(self, key, data, add=True): + if not self.is_ip_prefix_in_key(key): + return + + iface, ip = key + ip_str = ip.split("/")[0] + ip_addr = ipaddress.IPAddress(ip_str) + if isinstance(ip_addr, ipaddress.IPv6Address): + ver = '6' + else: + ver = '4' + + self.mangle_handler(ip_str, ver, add) + + def mangle_handler(self, ip, ver, add): + if not add: + op = 'delete' + else: + op = 'check' + + iptables_cmds = [] + chains = ['PREROUTING', 'POSTROUTING'] + for chain in chains: + cmd = self.command(chain, ip, ver, op) + if not add: + iptables_cmds.append(cmd) + else: + ret = subprocess.call(cmd, shell=True) + if ret == 0: + syslog.syslog(syslog.LOG_INFO, "{} rule exists in {}".format(ip, chain)) + else: + # Modify command from Check to Append + iptables_cmds.append(cmd.replace("check","append")) + + for cmd in iptables_cmds: + syslog.syslog(syslog.LOG_INFO, "Running cmd - {}".format(cmd)) + try: + subprocess.check_call(cmd, shell=True) + except subprocess.CalledProcessError as err: + syslog.syslog(syslog.LOG_ERR, "{} - failed: return code - {}, output:\n{}" + .format(err.cmd, err.returncode, err.output)) class AaaCfg(object): def __init__(self): 
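Review bot: `iptables_handler` lets one malformed LOOPBACK_INTERFACE row stop hostcfgd: `iface, ip = key` and `ipaddress.IPAddress(ip_str)` both raise ValueError, nothing catches it, and the handler also runs from the CONFIG_DB subscription, so AAA/TACACS handling dies with it. That parse is also the only thing keeping DB content out of the `shell=True` command strings built in `command()`, so it should fail closed — catch ValueError, log and return — and hand `str(ip_addr)` (canonical form) rather than the raw substring to `mangle_handler`; building the commands as argument lists without a shell would remove that dependency altogether. Separately, `err.output` in the LOG_ERR message is always None with `check_call`; use `check_output(cmd, stderr=subprocess.STDOUT)` or drop it. Minor: the `is_ip_prefix_in_key` docstring reads "it shall be be string".
```python
    def iptables_handler(self, key, data, add=True):
        if not self.is_ip_prefix_in_key(key):
            return

        # Parse defensively: a bad DB row is logged and skipped, never allowed to crash hostcfgd
        try:
            iface, ip = key
            ip_addr = ipaddress.IPAddress(ip.split("/")[0])
        except ValueError as err:
            syslog.syslog(syslog.LOG_ERR, "Ignoring bad LOOPBACK_INTERFACE key {}: {}".format(key, err))
            return

        ver = '6' if isinstance(ip_addr, ipaddress.IPv6Address) else '4'
        # Canonical text of the parsed address, never the raw DB substring
        self.mangle_handler(str(ip_addr), ver, add)
```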
@@ -159,7 +222,9 @@ class HostConfigDaemon: self.aaacfg = AaaCfg() self.aaacfg.load(aaa, tacacs_global, tacacs_server) self.hostname_cache="" - self.lpbk_handler() + lpbk_table = self.config_db.get_table('LOOPBACK_INTERFACE') + self.iptables = Iptables() + self.iptables.load(lpbk_table) def aaa_handler(self, key, data): self.aaacfg.aaa_update(key, data) @@ -216,18 +281,16 @@ class HostConfigDaemon: self.hostname_cache = hostname - def lpbk_handler(self, key=None, data=None): - script = '/usr/bin/iptables.sh' - exists = os.path.isfile(script) - if not exists: - syslog.syslog(syslog.LOG_ERR, "Can't find iptables script ") - return + def lpbk_handler(self, key, data): + key = ConfigDBConnector.deserialize_key(key) + #Check if delete operation by fetch existing keys + keys = self.config_db.get_keys('LOOPBACK_INTERFACE') + if key in keys: + add = True + else: + add = False - try: - subprocess.check_call(script, shell=True) - except subprocess.CalledProcessError as err: - syslog.syslog(syslog.LOG_ERR, "{} - failed: return code - {}, output:\n{}" - .format(err.cmd, err.returncode, err.output)) + self.iptables.iptables_handler(key, data, add) def start(self): self.config_db.subscribe('AAA', lambda table, key, data: self.aaa_handler(key, data)) diff --git a/files/image_config/iptables/iptables.j2 b/files/image_config/iptables/iptables.j2 deleted file mode 100644 index 986e31448152..000000000000 --- a/files/image_config/iptables/iptables.j2 +++ /dev/null 
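Review bot: `lpbk_handler` infers add-vs-delete by re-reading `get_keys('LOOPBACK_INTERFACE')` after the event, which reflects table state at processing time rather than at the change; it still converges because both paths are idempotent per address (a re-added key is just re-checked, a quickly removed one is deleted twice, the second attempt only costing a logged error), but nothing says so, and `data` is accepted and never used. Add a comment such as `# Classify by current table state: key absent now means the event was a delete. Safe because add/delete are idempotent per address.` If the swsssdk subscriber passes empty data on a delete, as it appears to, `add = bool(data)` would be the direct signal — confirm against the subscriber before switching. `start()` begins in the hunk and continues past its end.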
@@ -1,37 +0,0 @@ -#!/usr/bin/env bash - -function ip_tables_install -{ - echo "Installing Iptables mangle rules" - prefix=$1 - cmd=$2 - - # Set first with prerouting and direction = destination - chain="PREROUTING" - dir="d" - while true; do - exec="${cmd} -t mangle -C ${chain} -p tcp --tcp-flags SYN SYN -${dir} ${prefix} -j TCPMSS --set-mss 1460" - $exec 2> /dev/null - if [ $? -eq 0 ]; then - echo "${prefix} rule exists in ${chain}" - else - exec="${cmd} -t mangle -A ${chain} -p tcp --tcp-flags SYN SYN -${dir} ${prefix} -j TCPMSS --set-mss 1460" - echo $exec - $exec - fi - - if [ $chain = "PREROUTING" ]; then - chain="POSTROUTING" - dir="s" - else - break - fi - done -} - -{% block loopback %} -# Iptables rules for the loopback network interface -{% for (name, prefix) in LOOPBACK_INTERFACE|pfx_filter %} -ip_tables_install {{ prefix | ip }} {{ 'iptables' if prefix | ipv4 else 'ip6tables' }} -{% endfor %} -{% endblock loopback %} diff --git a/files/image_config/iptables/iptables.sh b/files/image_config/iptables/iptables.sh deleted file mode 100755 index a3919b21479e..000000000000 --- a/files/image_config/iptables/iptables.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/usr/bin/env bash - -sonic-cfggen -d -t /usr/share/sonic/templates/iptables.j2 > /usr/bin/iptables_install.sh - -chmod +x /usr/bin/iptables_install.sh - -/usr/bin/iptables_install.sh From a4035b871f8d22c77ac2241e2c33d871a394a3fa Mon Sep 17 00:00:00 2001 From: Prince Date: Tue, 17 Sep 2019 17:43:03 +0000 Subject: [PATCH 4/6] Use variable for TCP MSS --- files/image_config/hostcfgd/hostcfgd | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/files/image_config/hostcfgd/hostcfgd b/files/image_config/hostcfgd/hostcfgd index fa2f653f6350..bf8e17fb5804 100755 --- a/files/image_config/hostcfgd/hostcfgd +++ b/files/image_config/hostcfgd/hostcfgd 
@@ -51,6 +51,12 @@ def obfuscate(data): return data class Iptables(object): + def __init__(self): + ''' + Default MSS to 1460 - (MTU 1500 - 40 (TCP/IP Overhead)) + ''' + self.tcpmss = 1460 + def is_ip_prefix_in_key(self, key): ''' Function to check if IP address is present in the key. If it @@ -67,7 +73,7 @@ class Iptables(object): cmd = 'iptables' if ver == '4' else 'ip6tables' cmd += ' -t mangle --{} {} -p tcp --tcp-flags SYN SYN'.format(op, chain) cmd += ' -d' if chain == 'PREROUTING' else ' -s' - cmd += ' {} -j TCPMSS --set-mss 1460'.format(ip) + cmd += ' {} -j TCPMSS --set-mss {}'.format(ip, self.tcpmss) return cmd @@ -103,7 +109,7 @@ class Iptables(object): syslog.syslog(syslog.LOG_INFO, "{} rule exists in {}".format(ip, chain)) else: # Modify command from Check to Append - iptables_cmds.append(cmd.replace("check","append")) + iptables_cmds.append(cmd.replace("check", "append")) for cmd in iptables_cmds: syslog.syslog(syslog.LOG_INFO, "Running cmd - {}".format(cmd)) From 289e24125c5b167770ac65e4f8700d564a4ee4a0 Mon Sep 17 00:00:00 2001 From: Prince Date: Tue, 17 Sep 2019 19:44:21 +0000 Subject: [PATCH 5/6] Update MSS value for IPv6 --- files/image_config/hostcfgd/hostcfgd | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/files/image_config/hostcfgd/hostcfgd b/files/image_config/hostcfgd/hostcfgd index bf8e17fb5804..b7f37c82e990 100755 --- a/files/image_config/hostcfgd/hostcfgd +++ b/files/image_config/hostcfgd/hostcfgd @@ -54,8 +54,10 @@ class Iptables(object): def __init__(self): ''' Default MSS to 1460 - (MTU 1500 - 40 (TCP/IP Overhead)) + For IPv6, it would be 1440 - (MTU 1500 - 60 octects) ''' self.tcpmss = 1460 + self.tcp6mss = 1440 def is_ip_prefix_in_key(self, key): ''' 
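Review bot: The new docstring line misspells "octets" and reads backwards for a maintainer — 1440 is the result of 1500 − 60, not "1440 − (MTU 1500 − 60)", and the IPv4 line has the same shape. Suggest `Default MSS: 1460 for IPv4 (MTU 1500 - 20 IP - 20 TCP), 1440 for IPv6 (MTU 1500 - 40 IPv6 - 20 TCP).` Both values assume a 1500-byte MTU; a sentence on why a fixed value is used rather than one derived from the configured port MTU would help, since I cannot tell the reason from this hunk. Style: the values never vary per instance, so class-level constants `TCP_MSS = 1460` / `TCP6_MSS = 1440` would read better than attributes set in `__init__`.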
@@ -73,7 +75,8 @@ class Iptables(object): cmd = 'iptables' if ver == '4' else 'ip6tables' cmd += ' -t mangle --{} {} -p tcp --tcp-flags SYN SYN'.format(op, chain) cmd += ' -d' if chain == 'PREROUTING' else ' -s' - cmd += ' {} -j TCPMSS --set-mss {}'.format(ip, self.tcpmss) + mss = self.tcpmss if ver == '4' else self.tcp6mss + cmd += ' {} -j TCPMSS --set-mss {}'.format(ip, mss) return cmd From 45118f844f35996b148073d6599eb86e37c0aa6c Mon Sep 17 00:00:00 2001 From: Prince Date: Tue, 17 Sep 2019 21:25:50 +0000 Subject: [PATCH 6/6] Added a comment for clarity in the add case --- files/image_config/hostcfgd/hostcfgd | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/files/image_config/hostcfgd/hostcfgd b/files/image_config/hostcfgd/hostcfgd index b7f37c82e990..4b37c64b9a68 100755 --- a/files/image_config/hostcfgd/hostcfgd +++ b/files/image_config/hostcfgd/hostcfgd @@ -107,6 +107,11 @@ class Iptables(object): if not add: iptables_cmds.append(cmd) else: + ''' + For add case, first check if rule exists. Iptables just appends to the chain + as a new rule even if it is the same as an existing one. Check this and + do nothing if rule exists + ''' ret = subprocess.call(cmd, shell=True) if ret == 0: syslog.syslog(syslog.LOG_INFO, "{} rule exists in {}".format(ip, chain))
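Review bot: The added explanation is a bare triple-quoted string inside the `else:` block — an executable expression statement rather than a comment; Python discards it, but readers and linters expect `#` comments there, so convert it. More importantly, the logic it documents treats every non-zero exit of the `--check` command as "rule absent": iptables returns 1 for a missing rule but a different non-zero code for real errors (bad rule, or the xtables lock being held by another process), in which case the append runs and can duplicate the rule or fail the same way. Suggest `elif ret == 1: iptables_cmds.append(cmd.replace("check", "append"))` with an `else:` that logs the unexpected code, and, if the image's iptables supports it, adding `-w` to the commands so the check waits for the lock instead of failing. `mangle_handler` starts before and ends after this hunk.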