[sonic-cfggen]: Add default IP deny rule in translate_acl (#734)

- Add IPv4 implicit rule: deny ip any any This implicit rule has lowest priority and ensures that the device denies all unmatched IP traffic.
2017-06-23 01:08:25 -07:00 · 2017-06-23 01:08:25 -07:00 · 00c494f023
commit 00c494f023
parent 350718ee77
3 changed files with 26 additions and 7 deletions
--- a/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json
+++ b/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json
@ -1,6 +1,6 @@
 [
    {
-        "ACL_RULE_TABLE:dataacl:Rule_1":{
+        "ACL_RULE_TABLE:DATAACL:RULE_1":{
            "IP_PROTOCOL":17,
            "PACKET_ACTION":"FORWARD",
            "SRC_IP":"10.0.0.0/8",
@ -9,7 +9,7 @@
        "OP":"SET"
    },
    {
-        "ACL_RULE_TABLE:dataacl:Rule_3":{
+        "ACL_RULE_TABLE:DATAACL:RULE_3":{
            "IP_PROTOCOL":17,
            "PACKET_ACTION":"FORWARD",
            "SRC_IP":"25.0.0.0/8",
@ -18,7 +18,7 @@
        "OP":"SET"
    },
    {
-        "ACL_RULE_TABLE:dataacl:Rule_2":{
+        "ACL_RULE_TABLE:DATAACL:RULE_2":{
            "IP_PROTOCOL":17,
            "PACKET_ACTION":"FORWARD",
            "SRC_IP":"100.64.0.0/10",
@ -27,12 +27,20 @@
        "OP":"SET"
    },
    {
-        "ACL_RULE_TABLE:dataacl:Rule_4":{
+        "ACL_RULE_TABLE:DATAACL:RULE_4":{
            "IP_PROTOCOL":6,
            "PACKET_ACTION":"FORWARD",
            "TCP_FLAGS":"0x10/0x10",
            "priority":9996
        },
        "OP":"SET"
+    },
+    {
+        "ACL_RULE_TABLE:DATAACL:DEFAULT_RULE":{
+            "ETHER_TYPE":"0x0800",
+            "PACKET_ACTION":"DROP",
+            "priority":1
+        },
+        "OP":"SET"
    }
 ]
--- a/src/sonic-config-engine/tests/sample_output/rules_for_everflow.json
+++ b/src/sonic-config-engine/tests/sample_output/rules_for_everflow.json
@ -1,6 +1,6 @@
 [
    {
-        "ACL_RULE_TABLE:everflow:Rule_1":{
+        "ACL_RULE_TABLE:EVERFLOW:RULE_1":{
            "DST_IP":"127.0.0.1/32",
            "IP_PROTOCOL":6,
            "L4_DST_PORT":0,
--- a/src/sonic-config-engine/translate_acl
+++ b/src/sonic-config-engine/translate_acl
@ -13,11 +13,21 @@ def dump_json(filename, data):
    with open(filename, 'w') as outfile:
        json.dump(data, outfile, indent=4, sort_keys=True, separators=(',', ':'))

+def default_deny_rule(table_name):
+    rule_props = {}
+    rule_data = {}
+    rule_data["ACL_RULE_TABLE:"+table_name.upper()+":DEFAULT_RULE"] = rule_props
+    rule_data["OP"] = "SET"
+    rule_props["priority"] = 1
+    rule_props["ETHER_TYPE"] = "0x0800"
+    rule_props["PACKET_ACTION"] = "DROP"
+    return rule_data
+
 def generate_rule_json(table_name, rule, max_priority, mirror):
    rule_idx = rule.config.sequence_id
    rule_props = {}
    rule_data = {}
-    rule_data["ACL_RULE_TABLE:"+table_name+":Rule_"+str(rule_idx)] = rule_props
+    rule_data["ACL_RULE_TABLE:"+table_name.upper()+":RULE_"+str(rule_idx)] = rule_props
    rule_data["OP"] = "SET"
    
    rule_props["priority"] = max_priority - rule_idx
@ -120,7 +130,8 @@ def generate_table_json(aclset, aclname, ports, mirror, max_priority, output_pat
        rule_props = generate_rule_json(table_name, aclentry, max_priority, mirror)
        if rule_props:
            rule_data.append(rule_props)
-
+    if not mirror:
+        rule_data.append(default_deny_rule(table_name))
    dump_json(os.path.join(output_path, "rules_for_"+table_name+".json"), rule_data)

 def translate_acl_fixed_port(filename, output_path, port, max_priority):