From 50e3f9b08769e41dbb5d026422f2236a3162ca3b Mon Sep 17 00:00:00 2001
From: gpunathilell
Date: Tue, 11 Jun 2024 21:20:28 +0000
Subject: [PATCH 1/6] DPU Management Traffic Forwarding script addition
---
 .../build_templates/sonic_debian_extension.j2 | 1 +
 files/scripts/sonic-dpu-mgmt-traffic.sh | 73 +++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100644 files/scripts/sonic-dpu-mgmt-traffic.sh
diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2
index ece833119be6..b9806a1c0033 100644
--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@@ -1005,6 +1005,7 @@ sudo LANG=C cp $SCRIPTS_DIR/mgmt-framework.sh $FILESYSTEM_ROOT/usr/local/bin/mgm
 sudo LANG=C cp $SCRIPTS_DIR/asic_status.sh $FILESYSTEM_ROOT/usr/local/bin/asic_status.sh
 sudo LANG=C cp $SCRIPTS_DIR/asic_status.py $FILESYSTEM_ROOT/usr/local/bin/asic_status.py
 sudo LANG=C cp $SCRIPTS_DIR/startup_tsa_tsb.py $FILESYSTEM_ROOT/usr/local/bin/startup_tsa_tsb.py
+sudo LANG=C cp $SCRIPTS_DIR/sonic-dpu-mgmt-traffic.sh $FILESYSTEM_ROOT/usr/local/bin/sonic-dpu-mgmt-traffic.sh
 
 # Copy sonic-netns-exec script
 sudo LANG=C cp $SCRIPTS_DIR/sonic-netns-exec $FILESYSTEM_ROOT/usr/bin/sonic-netns-exec
diff --git a/files/scripts/sonic-dpu-mgmt-traffic.sh b/files/scripts/sonic-dpu-mgmt-traffic.sh
new file mode 100644
index 000000000000..5fc1b4907cc0
--- /dev/null
+++ b/files/scripts/sonic-dpu-mgmt-traffic.sh
@@ -0,0 +1,73 @@
+#!/bin/bash
+#Script to control the DPU management traffic forwarding through the SmartSwitch
+
+command_name=$0
+
+usage(){
+ echo "Syntax: $command_name -e|--enable -d|--disable"
+ echo "Arguments:"
+ echo "-e Enable dpu management traffic forwarding"
+ echo "-d Disable dpu management traffic forwarding"
+}
+
+add_rem_valid_iptable(){
+ local op=$1
+ local table=$2
+ local chain=$3
+ shift 3
+ local rule="$@"
+ iptables -t $table -C $chain $rule &>/dev/null
+ local exit_status=$?
+ local exec_cond=0
+ if [ "$op" = "enable" ]; then
+ exec_command="iptables -t $table -A $chain $rule"
+ [ "$exit_status" -eq 0 ] || exec_cond=1 # Execute if rule is currently not present
+ else
+ exec_command="iptables -t $table -D $chain $rule"
+ [ "$exit_status" -ne 0 ] || exec_cond=1 # Execute if rule is currently present
+ fi
+ if [ "$exec_cond" -eq 1 ]; then
+ eval "$exec_command"
+ else
+ echo "$exec_command not requried, will not be executed"
+ fi
+}
+
+control_forwarding(){
+ local op=$1
+ local value=0
+ if [ "$op" = "enable" ]; then
+ value=1
+ fi
+ echo $value > /proc/sys/net/ipv4/ip_forward
+ echo $value > /proc/sys/net/ipv4/conf/eth0/forwarding
+}
+
+ctrl_dpu_forwarding(){
+ local op=$1
+ add_rem_valid_iptable $op nat POSTROUTING -o ${mgmt_iface} -j MASQUERADE
+ add_rem_valid_iptable $op filter FORWARD -i ${mgmt_iface} -o ${midplane_iface} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+ add_rem_valid_iptable $op filter FORWARD -i ${midplane_iface} -o ${mgmt_iface} -j ACCEPT
+ if [ "$op" = "enable" ]; then
+ echo "Enabled DPU management traffic Forwarding"
+ else
+ echo "Disabled DPU management traffic Forwarding"
+ fi
+}
+
+mgmt_iface=eth0
+midplane_iface=bridge-midplane
+
+case $1 in
+ -e|--enable)
+ ctrl_dpu_forwarding enable
+ ;;
+ -d|--disable)
+ ctrl_dpu_forwarding disable
+ ;;
+ *)
+ echo "Incorrect Usage!"
+ usage
+ exit 1
+ ;;
+esac
From 145c4c8fe3ff1f87ce7a02e69610455744767a17 Mon Sep 17 00:00:00 2001
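Review bot: In the new-file hunk of PATCH 1/6, add_rem_valid_iptable collapses its rule arguments into one string with `local rule="$@"` and then runs the assembled command through `eval "$exec_command"`, so in a script that has to run with root privileges (iptables, /proc/sys writes) any shell metacharacter reaching those arguments would be re-parsed as shell. The callers visible in this hunk pass only fixed literals and the two interface variables, so nothing looks exploitable as written, but the `-C` check and the `-A`/`-D` call also expand `$table`, `$chain` and `$rule` unquoted and can stop matching each other once a value contains whitespace or a glob character. Keeping the rule as an array and calling iptables directly removes the eval and the non-local `exec_command` variable. The sketch below also corrects the "requried" typo in the message.

```shell
add_rem_valid_iptable(){
    # … unchanged: op/table/chain assignment and shift 3 …
    local -a rule=("$@")    # keep every rule argument as its own word
    iptables -t "$table" -C "$chain" "${rule[@]}" &>/dev/null
    local exit_status=$?
    local exec_cond=0
    local action=-D
    if [ "$op" = "enable" ]; then
        action=-A
        [ "$exit_status" -eq 0 ] || exec_cond=1 # Execute if rule is currently not present
    else
        [ "$exit_status" -ne 0 ] || exec_cond=1 # Execute if rule is currently present
    fi
    if [ "$exec_cond" -eq 1 ]; then
        iptables -t "$table" "$action" "$chain" "${rule[@]}"
    else
        echo "iptables -t $table $action $chain ${rule[*]} not required, will not be executed"
    fi
}
```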
From: gpunathilell
Date: Wed, 12 Jun 2024 12:40:34 +0000
Subject: [PATCH 2/6] Preliminary check to run only on smart-switch systems
---
 files/scripts/sonic-dpu-mgmt-traffic.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/files/scripts/sonic-dpu-mgmt-traffic.sh b/files/scripts/sonic-dpu-mgmt-traffic.sh
index 5fc1b4907cc0..0193b169b368 100644
--- a/files/scripts/sonic-dpu-mgmt-traffic.sh
+++ b/files/scripts/sonic-dpu-mgmt-traffic.sh
@@ -58,6 +58,10 @@ ctrl_dpu_forwarding(){
 mgmt_iface=eth0
 midplane_iface=bridge-midplane
 
+if ! ifconfig "$midplane_iface" > /dev/null 2>&1; then
+ echo "$midplane_iface doesn't exist! Please run on smart switch system"
+fi
+
 case $1 in
 -e|--enable)
 ctrl_dpu_forwarding enable
From 27d5349ff15e63f3645c86005bd8621fbe958a94 Mon Sep 17 00:00:00 2001
From: gpunathilell
Date: Wed, 12 Jun 2024 12:43:19 +0000
Subject: [PATCH 3/6] Add exit condition
---
 files/scripts/sonic-dpu-mgmt-traffic.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/files/scripts/sonic-dpu-mgmt-traffic.sh b/files/scripts/sonic-dpu-mgmt-traffic.sh
index 0193b169b368..d26c92c1ab8c 100644
--- a/files/scripts/sonic-dpu-mgmt-traffic.sh
+++ b/files/scripts/sonic-dpu-mgmt-traffic.sh
@@ -60,6 +60,7 @@ midplane_iface=bridge-midplane
 
 if ! ifconfig "$midplane_iface" > /dev/null 2>&1; then
 echo "$midplane_iface doesn't exist! Please run on smart switch system"
+ exit 1
 fi
 
 case $1 in
From 7054d3f8575266e86c952c59df22291449b5e665 Mon Sep 17 00:00:00 2001
From: gpunathilell
Date: Mon, 17 Jun 2024 17:42:42 +0000
Subject: [PATCH 4/6] Add function call
---
 files/scripts/sonic-dpu-mgmt-traffic.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/files/scripts/sonic-dpu-mgmt-traffic.sh b/files/scripts/sonic-dpu-mgmt-traffic.sh
index d26c92c1ab8c..a5ef57c4ad91 100644
--- a/files/scripts/sonic-dpu-mgmt-traffic.sh
+++ b/files/scripts/sonic-dpu-mgmt-traffic.sh
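Review bot: In the PATCH 2/6 hunk the platform check `if ! ifconfig "$midplane_iface" > /dev/null 2>&1; then` treats every ifconfig failure as a missing interface, so a system where ifconfig is not installed or not on root's PATH would be reported as not being a smart switch, with the real error discarded by the redirect. Asking the kernel directly, `if [ ! -d "/sys/class/net/$midplane_iface" ]; then`, removes the dependency on an external tool. The message is also written to stdout; adding `>&2` to the echo keeps diagnostics apart from normal output.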
@@ -45,6 +45,7 @@ control_forwarding(){
 
 ctrl_dpu_forwarding(){
 local op=$1
+ control_forwarding $op
 add_rem_valid_iptable $op nat POSTROUTING -o ${mgmt_iface} -j MASQUERADE
 add_rem_valid_iptable $op filter FORWARD -i ${mgmt_iface} -o ${midplane_iface} -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 add_rem_valid_iptable $op filter FORWARD -i ${midplane_iface} -o ${mgmt_iface} -j ACCEPT
From 2bdd3324a19f709bc39261b541a057e19622844c Mon Sep 17 00:00:00 2001
From: gpunathilell
Date: Mon, 15 Jul 2024 21:40:34 +0000
Subject: [PATCH 5/6] Added permission check
---
 files/scripts/sonic-dpu-mgmt-traffic.sh | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/files/scripts/sonic-dpu-mgmt-traffic.sh b/files/scripts/sonic-dpu-mgmt-traffic.sh
index a5ef57c4ad91..71e6ed29b32b 100644
--- a/files/scripts/sonic-dpu-mgmt-traffic.sh
+++ b/files/scripts/sonic-dpu-mgmt-traffic.sh
@@ -59,6 +59,12 @@ ctrl_dpu_forwarding(){
 mgmt_iface=eth0
 midplane_iface=bridge-midplane
 
+if [ "$EUID" -ne 0 ]
+ then
+ echo "Permission denied: Please run the script with elevated privileges using sudo"
+ exit 1
+fi
+
 if ! ifconfig "$midplane_iface" > /dev/null 2>&1; then
 echo "$midplane_iface doesn't exist! Please run on smart switch system"
 exit 1
From e27420e273d72240973a1a6ffb5dfb8fed95761b Mon Sep 17 00:00:00 2001
From: gpunathilell
Date: Mon, 22 Jul 2024 00:47:50 +0000
Subject: [PATCH 6/6] Add execution permission
---
 files/scripts/sonic-dpu-mgmt-traffic.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 files/scripts/sonic-dpu-mgmt-traffic.sh
diff --git a/files/scripts/sonic-dpu-mgmt-traffic.sh b/files/scripts/sonic-dpu-mgmt-traffic.sh
old mode 100644
new mode 100755
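Review bot: The added `control_forwarding $op` call in PATCH 4/6 makes enable/disable flip the host-wide `/proc/sys/net/ipv4/ip_forward` switch rather than only the mgmt-to-midplane path. control_forwarding, defined outside this hunk in PATCH 1/6, writes 0 on disable without recording the earlier value, so `-d` switches IPv4 forwarding off for the whole host even if it was already on before `-e` ran, and after `-e` the only thing limiting forwarding between other interfaces is the FORWARD chain policy, which the script does not check. It also hard-codes `conf/eth0/forwarding` although `mgmt_iface` is available. Consider writing only the per-interface settings, e.g. `echo "$value" > "/proc/sys/net/ipv4/conf/${mgmt_iface}/forwarding"` and the same for `${midplane_iface}`, or saving the previous `ip_forward` value on enable and restoring it on disable; either way the behaviour should be confirmed on a smart-switch image.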