Update iptables to block BGP (TCP 179) traffic on eth0

[gupurush]

Description of PR

Summary: This PR updates the iptables and ip6tables rules to block incoming BGP (TCP port 179) traffic on the eth0 interface. This change ensures that BGP sessions are only allowed on non-management interfaces.
Fixes: N/A

Type of change

• Bug fix
• Testbed and Framework(new/improvement)
• New Test case
  • Skipped for non-supported platforms
• Test case improvement

Back port request

• 202205
• 202305
• 202311
• 202405
• 202411
• 202505

Approach

What is the motivation for this PR?

To support test updates in this PR: sonic-host-services#197.
Additionally, it ensures BGP port 179 is not exposed on the management interface (eth0).

How did you do it?

How did you verify/test it?

On t0-64 testbed

Any platform specific information?

None

Supported testbed topology if it's a new test case?

N/A

Documentation

No new documentation required.

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[gupurush]

@ZhaohuiS please help review

[ZhaohuiS]

@gupurush did you verify it on latest master image? could you provide the test evidence on master image?
But make sure your change is built in master image.
And if your case can pass on master image, please also enable test_cacl_application in PR test, I disabled it yeslerday. #18785

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: gupurush / name: Nanma Purushotam (c5ed350, 49e3682, e8e5314, c897f59)

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[gupurush]

Hi @ZhaohuiS,
I have verified this on the latest master image — test_cacl_application passes successfully.

Full test log: test_cacl_application.log
Summarized test log: test_cacl_application_logs_summarized.log

I have also updated the PR to re-enable test_cacl_application.

Thanks!

[gupurush]

Hi @ZhaohuiS
The tests were executed on an image that does not include the latest update to the sonic-host-services submodule. Once #22160 is merged, these tests will pass as expected—this is also reflected in the test logs.

Kindly requesting your review when you get a chance.
Thanks!

[ZhaohuiS]

Looks good to me.

[ZhaohuiS]

@gupurush could you please use "/azpw run" to trigger another run?

[ZhaohuiS]

It is also included in 202505, need to cherry pick this change into 202505 branch as well.
https://github.com/sonic-net/sonic-host-services/blame/202505/scripts/caclmgrd

[ZhaohuiS]

will close it to retrigger the PR test.

[ZhaohuiS]

open it to trigger PR test

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[mssonicbld]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[gupurush]

It is also included in 202505, need to cherry pick this change into 202505 branch as well. https://github.com/sonic-net/sonic-host-services/blame/202505/scripts/caclmgrd

PR for 202505 - #19351

[mssonicbld]

@gupurush PR conflicts with 202505 branch

[yejianquan]

included in 202505