Installed nftables.

sonic-net · Jan 8, 2025 · 5b5ef28 · 5b5ef28
1 parent 9588a40
commit 5b5ef28
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 18 deletions.
diff --git a/build_debian.sh b/build_debian.sh
@@ -389,7 +389,8 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
     wireless-regdb          \
     ethtool                 \
     zstd                    \
-    nvme-cli
+    nvme-cli                \
+    nftables
 
 # Have systemd create the auditd log directory
 sudo mkdir -p ${FILESYSTEM_ROOT}/etc/systemd/system/auditd.service.d
@@ -650,8 +651,8 @@ if [ "${enable_organization_extensions}" = "y" ]; then
    fi
 fi
 
-## Setup ebtable rules (rule file in text format)
-sudo cp files/image_config/ebtables/ebtables.filter.cfg ${FILESYSTEM_ROOT}/etc
+## Setup nftables rules
+sudo cp files/image_config/nftables/nftables.conf ${FILESYSTEM_ROOT}/etc
 
 ## Debug Image specific changes
 ## Update motd for debug image

diff --git a/dockers/docker-orchagent/Dockerfile.j2 b/dockers/docker-orchagent/Dockerfile.j2
@@ -22,7 +22,9 @@ RUN apt-get update &&       \
         pciutils            \
         # Needed for installing netifaces Python package
         build-essential     \
-        python3-dev
+        python3-dev         \
+        libnftables1=0.9.8-3.1+deb11u2 \
+        nftables=0.9.8-3.1+deb11u2
 
 {% if ( CONFIGURED_ARCH == "armhf" or CONFIGURED_ARCH == "arm64" ) %}
 # Fix for gcc/python/iputils-ping not found in arm docker

diff --git a/files/build_templates/docker_image_ctl.j2 b/files/build_templates/docker_image_ctl.j2
@@ -45,18 +45,6 @@ function updateSyslogConf()
         rm -rf $TMP_FILE
     fi
 }
-function ebtables_config()
-{
-    if [[ "$DEV" && $DATABASE_TYPE != "dpudb" ]]; then
-        # Install ebtables filter in namespaces on multi-asic.
-        ip netns exec $NET_NS ebtables-restore < /etc/ebtables.filter.cfg
-    else
-        if [[ ! ($NUM_ASIC -gt 1) ]]; then
-            # Install ebtables filter in host for single asic.
-            ebtables-restore < /etc/ebtables.filter.cfg
-        fi
-    fi
-}
 
 function getMountPoint()
 {
@@ -214,9 +202,9 @@ function postStartAction()
            fi
        fi
     fi
-    # Setup ebtables configuration
+    # Setup nftables configuration
 {%- if sonic_asic_platform != "vs" %}
-    ebtables_config
+    nft -f /etc/nftables.conf
 {%- endif %}
     # chassisdb starts before database starts, bypass the PING check since other
     # databases are not availbale until database container is ready.

diff --git a/files/image_config/nftables/nftables.conf b/files/image_config/nftables/nftables.conf
@@ -0,0 +1,17 @@
+table bridge filter {
+        chain INPUT {
+                type filter hook input priority filter; policy accept;
+        }
+
+        chain FORWARD {
+                type filter hook forward priority filter; policy accept;
+                ether daddr 01:80:c2:00:00:00 counter packets 0 bytes 0 drop
+                ether type arp counter packets 0 bytes 0 drop
+                ether type vlan vlan type 0x0806  counter packets 0 bytes 0 drop
+                ether daddr & 01:00:00:00:00:00 == 01:00:00:00:00:00 counter packets 0 bytes 0 drop
+        }
+
+        chain OUTPUT {
+                type filter hook output priority filter; policy accept;
+        }
+}