Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[acl-loader] Add support for matching on ICMP and VLAN info #1469

Merged
merged 7 commits into from
Mar 3, 2021
Merged

[acl-loader] Add support for matching on ICMP and VLAN info #1469

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
fbbfa11
[acl-loader] Add support for matching on ICMP and VLAN info
daall Feb 26, 2021
b87bbba
Enhance input validation and add more test cases
daall Mar 1, 2021
38da2ce
Explicitly check for 0
daall Mar 2, 2021
f7948d4
Make test checks more explicit
daall Mar 2, 2021
aa2ff41
Fix protocol number for ICMPv6 when table type is IPv6
daall Mar 3, 2021
3869af8
Fix aclshow test
daall Mar 3, 2021
bb79143
Clean up ICMP input checks and make comments more clear
daall Mar 3, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 39 additions & 2 deletions acl_loader/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -290,6 +290,14 @@ def is_table_mirror(self, tname):
"""
return self.tables_db_info[tname]['type'].upper().startswith(self.ACL_TABLE_TYPE_MIRROR)

def is_table_ipv6(self, tname):
"""
Check if ACL table type is IPv6 (L3V6 or MIRRORV6)
:param tname: ACL table name
:return: True if table type is IPv6 else False
"""
return "V6" in self.tables_db_info[tname]["type"].upper()
daall marked this conversation as resolved.
Show resolved Hide resolved

def is_table_control_plane(self, tname):
"""
Check if ACL table type is ACL_TABLE_TYPE_CTRLPLANE
Expand Down Expand Up @@ -409,10 +417,17 @@ def convert_l2(self, table_name, rule_idx, rule):
else:
try:
rule_props["ETHER_TYPE"] = int(rule.l2.config.ethertype)
except:
raise AclLoaderException("Failed to convert ethertype %s table %s rule %s" % (
except Exception:
daall marked this conversation as resolved.
Show resolved Hide resolved
raise AclLoaderException("Failed to convert ethertype %s; table %s rule %s" % (
rule.l2.config.ethertype, table_name, rule_idx))

if rule.l2.config.vlan_id:
daall marked this conversation as resolved.
Show resolved Hide resolved
try:
rule_props["VLAN_ID"] = int(rule.l2.config.vlan_id)
except Exception:
daall marked this conversation as resolved.
Show resolved Hide resolved
raise AclLoaderException("Failed to convert VLAN ID %s; table %s rule %s" % (
rule.l2.config.vlan_id, table_name, rule_idx))

return rule_props

def convert_ip(self, table_name, rule_idx, rule):
Expand Down Expand Up @@ -453,6 +468,27 @@ def convert_ip(self, table_name, rule_idx, rule):

return rule_props

def convert_icmp(self, table_name, rule_idx, rule):
rule_props = {}

is_table_v6 = self.is_table_ipv6(table_name)
type_key = "ICMPV6_TYPE" if is_table_v6 else "ICMP_TYPE"
code_key = "ICMPV6_CODE" if is_table_v6 else "ICMP_CODE"

if rule.icmp.config.type:
daall marked this conversation as resolved.
Show resolved Hide resolved
try:
rule_props[type_key] = int(rule.icmp.config.type)
except Exception:
raise AclLoaderException("Failed to convert %s; table %s, rule %s" % (type_key, table_name, rule_idx))

if rule.icmp.config.code:
try:
rule_props[code_key] = int(rule.icmp.config.code)
except Exception:
raise AclLoaderException("Failed to convert %s; table %s, rule %s" % (code_key, table_name, rule_idx))

return rule_props

def convert_port(self, port):
"""
Convert port field format from openconfig ACL to Config DB schema
Expand Down Expand Up @@ -527,6 +563,7 @@ def convert_rule_to_db_schema(self, table_name, rule):
deep_update(rule_props, self.convert_action(table_name, rule_idx, rule))
deep_update(rule_props, self.convert_l2(table_name, rule_idx, rule))
deep_update(rule_props, self.convert_ip(table_name, rule_idx, rule))
deep_update(rule_props, self.convert_icmp(table_name, rule_idx, rule))
deep_update(rule_props, self.convert_transport(table_name, rule_idx, rule))
deep_update(rule_props, self.convert_input_interface(table_name, rule_idx, rule))

Expand Down
51 changes: 51 additions & 0 deletions tests/acl_input/acl1.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -141,6 +141,57 @@
"config": {
"name": "everflowV6"
}
},
"DATAACL": {
"acl-entries": {
"acl-entry": {
"1": {
"config": {
"sequence-id": 1
},
"actions": {
"config": {
"forwarding-action": "DROP"
}
},
"ip": {
"config": {
"protocol": "IP_ICMP",
"source-ip-address": "::1/128",
"destination-ip-address": "::1/128"
}
},
"icmp": {
"config": {
"type": "4",
daall marked this conversation as resolved.
Show resolved Hide resolved
"code": "1"
}
}
},
"2": {
"config": {
"sequence-id": 2
},
"actions": {
"config": {
"forwarding-action": "DROP"
}
},
"l2": {
"config": {
"vlan-id": "369"
}
},
"ip": {
"config": {
"protocol": "IP_TCP",
"source-ip-address": "::1/128",
"destination-ip-address": "::1/128"
}
}
}
}
}
}
}
}
Expand Down
2 changes: 1 addition & 1 deletion tests/acl_loader_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ def test_acl_empty(self):

def test_valid(self):
yang_acl = AclLoader.parse_acl_json(os.path.join(test_path, 'acl_input/acl1.json'))
assert len(yang_acl.acl.acl_sets.acl_set) == 4
assert len(yang_acl.acl.acl_sets.acl_set) == 6

def test_invalid(self):
with pytest.raises(AclLoaderException):
Expand Down