[iccpd] Add nft-based ebtables utilities.

[puffc]

Why I did it

Fix a problem (fixes #19323) where ebtables command cannot be executed by iccpd. This cause the trapped BUM packets (ipv6 neighbor discovery) looping back to the MCLAG port channel.

Work item tracking

• Microsoft ADO (number only):

How I did it

Replacing the legacy ebtables with the nft-based ebtables command suite by adding iptables package into the iccpd docker container.

How to verify it

Verified the ebtables command can be executed from the iccpd docker. When the MCLAG reaches operational state the isolation rules can be added.

Which release branch to backport (provide reason below if selected)

• 201811
• 201911
• 202006
• 202012
• 202106
• 202111
• 202205
• 202211
• 202305

Tested branch (Please provide the tested image version)

master
202305
202211

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

[puffc]

@yxieca @Praveen-Brcm Please help to review this PR. Thanks.

[TafkaMax]

I added the iptables to the Dockerfile.j2 to test the changes.

I seem to get these syslog messages:

 iccpd#supervisord: iccpd ebtables v1.8.9 (nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)

Inside the container.

# enter container
docker exec -it iccpd sh
# iptables -L
iptables v1.8.9 (nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)

[puffc]

I added the iptables to the Dockerfile.j2 to test the changes.

I seem to get these syslog messages:

 iccpd#supervisord: iccpd ebtables v1.8.9 (nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)

Inside the container.

# enter container

docker exec -it iccpd sh

# iptables -L

iptables v1.8.9 (nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)

Thanks for your valuable feedback. I'll look into it and it may relate to PR #17835.

[kperumalbfn]

Thanks @puffc Could you update the diff with the fix for permission denied error. We could merge the change after that.

[puffc]

Thanks @puffc Could you update the diff with the fix for permission denied error. We could merge the change after that.

Thanks @kperumalbfn. The permission problem had been fixed.

[puffc]

/azpw ms_conflict

[TafkaMax]

Are people on vacation?

[saiarcot895]

Since the ebtables package just has the legacy version now, can that be removed, and only the iptables package be installed?

[TafkaMax]

Since the ebtables package just has the legacy version now, can that be removed, and only the iptables package be installed?

ebtables CLI utility does come with the iptables package, but I am not 100% sure if it can be removed without testing it first

[puffc]

Remvoed legacy ebtables packages. Now ebtables only points to ebtables-nft.

root@sonic:/# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-d BGA -j DROP
-p ARP -j DROP
-p 802_1Q --vlan-encap 0806 -j DROP
-d Multicast -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
root@sonic:/# update-alternatives --list ebtables
/usr/sbin/ebtables-nft
root@sonic:/# ebtables -V
ebtables 1.8.7 (nf_tables)
root@sonic:/#

[puffc]

@lguohan Please review and merge. Thanks.

[puffc]

@xumia @prsunny Please review this PR. Thanks.

[puffc]

@lguohan Please review, Thanks.

[puffc]

@prsunny Would you please merge this PR? Many thanks!

[radha-danda]

@lguohan, kindly cherry-pick the patch to 202405 branch