[SmartSwitch] Added inbound traffic capability for DPU management traffic script #20635

Open. Wants to merge 5 commits into master.

Conversation

@gpunathilell (Contributor) commented Oct 28, 2024

Why I did it

To add the capability to control the inbound traffic for DPUs. Using the script we can now enable:

  • Outbound: allow traffic from the DPU to reach the internet
  • Inbound: allow an SSH connection to reach the DPU via a specific port on the switch

Command examples:

sonic-dpu-mgmt-traffic.sh outbound -e
This enables traffic to reach the internet from the DPU.

sonic-dpu-mgmt-traffic.sh outbound -d
This disables traffic to reach the internet from the DPU.

sonic-dpu-mgmt-traffic.sh inbound -e --dpus dpu1 --ports 9090
This enables SSH traffic to dpu1 from the internet. We can connect to the DPU using ssh admin@<switch name/ip> -p 9090.

sonic-dpu-mgmt-traffic.sh inbound -e --dpus dpu1,dpu2 --ports 9090,5005
This enables SSH traffic to dpu1 and dpu2 from the internet. We can connect to dpu2 using ssh admin@<switch name/ip> -p 5005.

sonic-dpu-mgmt-traffic.sh inbound -e --dpus all --ports 9090,8090,8091,5032
This enables SSH traffic to all the DPUs from the internet using the ports specified (the DPUs, in sorted order, use the ports in the order the user specifies). We can connect to the 4th DPU (in sorted order) using ssh admin@<switch name/ip> -p 5032.

sonic-dpu-mgmt-traffic.sh inbound -d --dpus dpu1 --ports 9090
This disables SSH traffic to dpu1 from the internet. The same rule which was used for enable has to be used (replacing -e with -d).

--nofwctrl option: if both inbound and outbound rules are enabled and we try to disable only one of them, IPv4 forwarding for the eth0 interface would be disabled. This option can be used in that specific case, where we only need to disable either outbound or inbound traffic without affecting the other.

This feature is implemented using iptables rules, so if the rules are flushed the connection will be terminated.

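The description above outlines how the script maps switch ports to DPUs and why disabling one direction can take IPv4 forwarding down with it. The following is an added dry-run example written for this page; it is not the PR's sonic-dpu-mgmt-traffic.sh and is not taken from sonic-buildimage. It prints the iptables and sysctl commands the description implies instead of executing them, so it runs unprivileged and offline. Everything not stated in the PR is an assumption: the DPU management addresses returned by the hypothetical dpu_addr() are placeholders, the switch uplink is taken to be eth0 (the PR names eth0 only for IPv4 forwarding), the DPU sshd is assumed to listen on 22, and the function names (expand_dpus, inbound_rules, outbound_rules, mgmt_traffic) are this example's own.

```shell
#!/bin/sh
# Added dry-run example, not the PR's sonic-dpu-mgmt-traffic.sh: prints the
# iptables/sysctl commands implied by the PR description instead of running
# them, so it needs neither root nor a SmartSwitch.
#
# Assumptions NOT taken from the PR: dpu_addr() addresses are placeholders,
# the switch uplink is eth0, and DPU sshd listens on port 22.
set -u

ALL_DPUS="dpu0 dpu1 dpu2 dpu3"

# Hypothetical DPU -> management IP lookup; a real switch would read this
# from its platform configuration.
dpu_addr() {
  case "$1" in
    dpu0) echo 169.254.200.1 ;;
    dpu1) echo 169.254.200.2 ;;
    dpu2) echo 169.254.200.3 ;;
    dpu3) echo 169.254.200.4 ;;
    *) return 1 ;;
  esac
}

# "all" expands to every DPU; otherwise the comma-separated list is sorted,
# so the i-th port in --ports is assigned to the i-th DPU in sorted order.
expand_dpus() {
  if [ "$1" = all ]; then
    echo "$ALL_DPUS"
  else
    printf '%s\n' "$1" | tr ',' '\n' | sort | tr '\n' ' '
  fi
}

# Outbound: masquerade DPU traffic leaving eth0 and allow it to be forwarded.
# $1 is -A (enable) or -D (disable).
outbound_rules() {
  echo "iptables -t nat $1 POSTROUTING -o eth0 -j MASQUERADE"
  echo "iptables $1 FORWARD -o eth0 -j ACCEPT"
}

# Inbound: one DNAT rule per DPU mapping switch port N to <dpu>:22, plus a
# FORWARD accept for the rewritten flow. iptables -D only removes a rule whose
# specification matches exactly, which is why disable needs the same inputs.
inbound_rules() {
  action=$1
  dpus=$(expand_dpus "$2")
  ports=$(printf '%s' "$3" | tr ',' ' ')
  nports=$(set -- $ports; echo $#)
  set -- $dpus
  [ $# -gt 0 ] || { echo "error: --dpus and --ports are required" >&2; return 1; }
  if [ $# -ne "$nports" ]; then
    echo "error: $# DPUs but $nports ports" >&2
    return 1
  fi
  for port in $ports; do
    dpu=$1; shift
    addr=$(dpu_addr "$dpu") || { echo "error: unknown DPU $dpu" >&2; return 1; }
    echo "iptables -t nat $action PREROUTING -i eth0 -p tcp --dport $port -j DNAT --to-destination $addr:22"
    echo "iptables $action FORWARD -i eth0 -p tcp -d $addr --dport 22 -j ACCEPT"
  done
}

# mgmt_traffic inbound|outbound -e|-d [--nofwctrl] [--dpus LIST --ports LIST]
# Mirrors the PR's CLI shape. Forwarding on eth0 is switched on with -e and
# off with -d, so disabling one direction while the other is still enabled
# would cut the other one too; --nofwctrl leaves the sysctl untouched.
mgmt_traffic() {
  direction=$1; mode=$2; shift 2
  fwctrl=1; dpu_list=; port_list=
  while [ $# -gt 0 ]; do
    case "$1" in
      --nofwctrl) fwctrl=0; shift ;;
      --dpus)  [ $# -ge 2 ] || return 2; dpu_list=$2; shift 2 ;;
      --ports) [ $# -ge 2 ] || return 2; port_list=$2; shift 2 ;;
      *) echo "error: unknown argument $1" >&2; return 2 ;;
    esac
  done
  case "$mode" in -e) action=-A ;; -d) action=-D ;; *) return 2 ;; esac
  case "$direction" in
    outbound) outbound_rules "$action" ;;
    inbound)  inbound_rules "$action" "$dpu_list" "$port_list" || return 1 ;;
    *) return 2 ;;
  esac
  if [ "$fwctrl" -eq 1 ]; then
    [ "$mode" = -e ] && fw=1 || fw=0
    echo "sysctl -w net.ipv4.conf.eth0.forwarding=$fw"
  fi
}

# Ports are assigned to DPUs in sorted order, so 9090 -> dpu1 and
# 5005 -> dpu2 even though dpu2 is listed first.
mgmt_traffic inbound -e --dpus dpu2,dpu1 --ports 9090,5005
```

Two practitioner notes on this shape of rule set. The PREROUTING DNAT accepts connections from any source that can reach the switch's management interface; if only a bastion or jump host should reach DPU SSH, add a `-s <source>` match to both the nat and FORWARD rules. And because these are ordinary iptables rules with no persistence, `iptables -F` or a restart of whatever manages the switch firewall removes them, which is the "if the rules are flushed the connection will be terminated" caveat in the description.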

@gpunathilell gpunathilell marked this pull request as ready for review October 28, 2024 13:58
@gpunathilell (Contributor, Author):

/azpw run Azure.sonic-buildimage

@mssonicbld (Collaborator):

/AzurePipelines run Azure.sonic-buildimage

@kperumalbfn (Contributor):

LGTM

@kperumalbfn (Contributor):

/azpw ms_conflict -f

4 participants