
Disabling automatic creation of IP-in-IP tunnels by SWSS #2019

Merged
Pterosaur merged 3 commits into Azure:202412 from mramezani95:mramezani/remove_ipinip_tunnels
Feb 28, 2026

@mramezani95

Why I did it

Due to some issues observed in production, we have decided to disable automatic creation of IP-in-IP decap rules during SWSS startup for loopback, interface, and VLAN IPs.

Work item tracking
  • Microsoft ADO (number only): 36937332

How I did it

Modified ipinip.json.j2 so that no IP-in-IP decap rules are created for loopback, interface, and VLAN IPs.

How to verify it

  1. Replace /usr/share/sonic/templates/ipinip.json.j2 inside the SWSS container with the file modified in this PR.
  2. Run sudo config reload -y.
  3. Confirm that there are no IP-in-IP decap rules in /etc/swss/config.d/ipinip.json inside the SWSS container:
     $ docker exec swss cat /etc/swss/config.d/ipinip.json
     [

     ]
  4. Confirm that there are no IP-in-IP tunnels created in APPL DB:
     $ sonic-db-cli APPL_DB KEYS '*TUNNEL*'

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012
  • 202106
  • 202111
  • 202205
  • 202211

Tested branch (Please provide the tested image version)

  • [202412]

Description for the changelog

Disabling automatic creation of IP-in-IP tunnels by SWSS.

Link to config_db schema for YANG module changes

N/A
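
The two checks from "How to verify it", scripted so that a failed command or an empty read is not mistaken for "no rules". This is an added example, not part of the PR or the SONiC code base; the entry shape in SAMPLE_WITH_RULE is a constructed assumption and the function names are hypothetical.

```python
import json
import subprocess

# Commands from the PR's verification steps. Run without a shell, so the
# *TUNNEL* pattern reaches sonic-db-cli literally.
RENDERED_CMD = ["docker", "exec", "swss", "cat", "/etc/swss/config.d/ipinip.json"]
APPL_DB_CMD = ["sonic-db-cli", "APPL_DB", "KEYS", "*TUNNEL*"]

# Constructed sample of a rendering that still holds a rule (entry shape assumed).
SAMPLE_WITH_RULE = '[{"TUNNEL_DECAP_TABLE:IPINIP_TUNNEL": {"tunnel_type": "IPINIP"}, "OP": "SET"}]'


def rendered_entries(text):
    """Return the table keys set by rendered ipinip.json text."""
    doc = json.loads(text)
    if not isinstance(doc, list) or not all(isinstance(e, dict) for e in doc):
        raise ValueError("expected a JSON list of objects")
    return [key for entry in doc for key in entry if key != "OP"]


def tunnel_keys(output):
    """Return the key names printed by the APPL_DB KEYS query, one per line."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def verify(rendered_text, keys_output):
    """Return findings for both checks; an empty list means both pass."""
    findings = []
    try:
        findings += [f"rendered entry: {k}" for k in rendered_entries(rendered_text)]
    except ValueError as exc:  # includes json.JSONDecodeError
        # Empty or truncated output must not pass as "no rules".
        findings.append(f"unparseable ipinip.json: {exc}")
    findings += [f"APPL_DB key: {k}" for k in tunnel_keys(keys_output)]
    return findings


def run(cmd):
    # check=True: a failed command raises instead of yielding empty output.
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    problems = verify(run(RENDERED_CMD), run(APPL_DB_CMD))
    print("\n".join(problems) or "OK: no IP-in-IP decap rules or tunnel keys")
    raise SystemExit(1 if problems else 0)
```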

…lly generated.

Signed-off-by: Mahdi Ramezani <mramezani@microsoft.com>

Copilot AI left a comment

Pull request overview

Disables automatic generation of IP-in-IP decap/tunnel configuration by SWSS by changing the orchagent ipinip.json Jinja2 template to render no tunnel/term entries.

Changes:

  • Clears all collected interface/VLAN/loopback address lists in ipinip.json.j2, preventing any IP-in-IP decap rules from being emitted.
  • As a result, /etc/swss/config.d/ipinip.json will render as an empty JSON list for non-DPU devices.

Comment on lines +55 to +60
{% set ipv4_addresses = [] %}
{% set ipv6_addresses = [] %}
{% set ipv4_vlan_addresses = [] %}
{% set ipv6_vlan_addresses = [] %}
{% set ipv4_loopback_addresses = [] %}
{% set ipv6_loopback_addresses = [] %}
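
Review bot: Nothing at lines +55 to +60 says the six resets are deliberate, so a later cleanup could drop them as stray re-initialisation and silently bring the decap rules back. Put a Jinja comment ({# ... #}) directly above {% set ipv4_addresses = [] %} stating that the lists are cleared on purpose so that no IP-in-IP decap rules are rendered for loopback, interface and VLAN IPs.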

Copilot AI Feb 27, 2026

These re-initializations effectively discard all prefixes collected from LOOPBACK_INTERFACE/INTERFACE/PORTCHANNEL_INTERFACE/VLAN_INTERFACE above, leaving the rest of the template as dead code. To make the intent clearer and avoid unnecessary processing, consider short-circuiting the template to render an empty JSON list (or gating the whole generation behind an explicit config/flag) rather than building then clearing these lists.

Suggested change
{% set ipv4_addresses = [] %}
{% set ipv6_addresses = [] %}
{% set ipv4_vlan_addresses = [] %}
{% set ipv6_vlan_addresses = [] %}
{% set ipv4_loopback_addresses = [] %}
{% set ipv6_loopback_addresses = [] %}

Comment on lines +55 to +60
{% set ipv4_addresses = [] %}
{% set ipv6_addresses = [] %}
{% set ipv4_vlan_addresses = [] %}
{% set ipv6_vlan_addresses = [] %}
{% set ipv4_loopback_addresses = [] %}
{% set ipv6_loopback_addresses = [] %}

Copilot AI Feb 27, 2026

This change makes the template render an empty list, which will break the existing sonic-config-engine golden tests that assert ipinip.json output contents (e.g., test_ipinip, test_ipinip_subnet_decap_enable, and the multi-asic ipinip.json golden file). Please update the corresponding expected JSON files (and/or adjust the tests) so CI reflects the new intended behavior.

Suggested change
{% set ipv4_addresses = [] %}
{% set ipv6_addresses = [] %}
{% set ipv4_vlan_addresses = [] %}
{% set ipv6_vlan_addresses = [] %}
{% set ipv4_loopback_addresses = [] %}
{% set ipv6_loopback_addresses = [] %}

Comment on lines +55 to +60
{% set ipv4_addresses = [] %}
{% set ipv6_addresses = [] %}
{% set ipv4_vlan_addresses = [] %}
{% set ipv6_vlan_addresses = [] %}
{% set ipv4_loopback_addresses = [] %}
{% set ipv6_loopback_addresses = [] %}

Copilot AI Feb 27, 2026

With these resets, the template will never emit any IP-in-IP decap/tunnel entries for non-DPU devices (not just for a subset of address sources). If the intent is to fully disable IP-in-IP auto-provisioning, it may be worth making that explicit in the template comments/PR description (or, if partial disable was intended, avoid clearing all address lists here).

Signed-off-by: Mahdi Ramezani <mramezani@microsoft.com>
@kperumalbfn kperumalbfn requested a review from r12f February 27, 2026 21:40
@kperumalbfn

@r12f could we merge this?

@Pterosaur Pterosaur merged commit 3f416d5 into Azure:202412 Feb 28, 2026
4 checks passed