[minigraph.py] Add support for 'OutAcl' keyword and attaching ACLs to VLAN interfaces (#4229)
- Support parsing egress ACLs from minigraph file specified by the "OutAcl" element - Support attaching ACLs to VLAN interfaces
parent
4bb2190ba6
commit
28512122bc
@ -230,7 +230,14 @@ def parse_dpg(dpg, hname):
|
|||||||
aclintfs = child.find(str(QName(ns, "AclInterfaces")))
|
aclintfs = child.find(str(QName(ns, "AclInterfaces")))
|
||||||
acls = {}
|
acls = {}
|
||||||
for aclintf in aclintfs.findall(str(QName(ns, "AclInterface"))):
|
for aclintf in aclintfs.findall(str(QName(ns, "AclInterface"))):
|
||||||
|
if aclintf.find(str(QName(ns, "InAcl"))) is not None:
|
||||||
aclname = aclintf.find(str(QName(ns, "InAcl"))).text.upper().replace(" ", "_").replace("-", "_")
|
aclname = aclintf.find(str(QName(ns, "InAcl"))).text.upper().replace(" ", "_").replace("-", "_")
|
||||||
|
stage = "ingress"
|
||||||
|
elif aclintf.find(str(QName(ns, "OutAcl"))) is not None:
|
||||||
|
aclname = aclintf.find(str(QName(ns, "OutAcl"))).text.upper().replace(" ", "_").replace("-", "_")
|
||||||
|
stage = "egress"
|
||||||
|
else:
|
||||||
|
system.exit("Error: 'AclInterface' must contain either an 'InAcl' or 'OutAcl' subelement.")
|
||||||
aclattach = aclintf.find(str(QName(ns, "AttachTo"))).text.split(';')
|
aclattach = aclintf.find(str(QName(ns, "AttachTo"))).text.split(';')
|
||||||
acl_intfs = []
|
acl_intfs = []
|
||||||
is_mirror = False
|
is_mirror = False
|
||||||
@ -247,7 +254,7 @@ def parse_dpg(dpg, hname):
|
|||||||
# to LAG will be applied to all the LAG members internally by SAI/SDK
|
# to LAG will be applied to all the LAG members internally by SAI/SDK
|
||||||
acl_intfs.append(member)
|
acl_intfs.append(member)
|
||||||
elif vlans.has_key(member):
|
elif vlans.has_key(member):
|
||||||
print >> sys.stderr, "Warning: ACL " + aclname + " is attached to a Vlan interface, which is currently not supported"
|
acl_intfs.append(member)
|
||||||
elif port_alias_map.has_key(member):
|
elif port_alias_map.has_key(member):
|
||||||
acl_intfs.append(port_alias_map[member])
|
acl_intfs.append(port_alias_map[member])
|
||||||
# Give a warning if trying to attach ACL to a LAG member interface, correct way is to attach ACL to the LAG interface
|
# Give a warning if trying to attach ACL to a LAG member interface, correct way is to attach ACL to the LAG interface
|
||||||
@ -270,13 +277,14 @@ def parse_dpg(dpg, hname):
|
|||||||
break
|
break
|
||||||
if acl_intfs:
|
if acl_intfs:
|
||||||
acls[aclname] = {'policy_desc': aclname,
|
acls[aclname] = {'policy_desc': aclname,
|
||||||
|
'stage': stage,
|
||||||
'ports': acl_intfs}
|
'ports': acl_intfs}
|
||||||
if is_mirror:
|
if is_mirror:
|
||||||
acls[aclname]['type'] = 'MIRROR'
|
acls[aclname]['type'] = 'MIRROR'
|
||||||
elif is_mirror_v6:
|
elif is_mirror_v6:
|
||||||
acls[aclname]['type'] = 'MIRRORV6'
|
acls[aclname]['type'] = 'MIRRORV6'
|
||||||
else:
|
else:
|
||||||
acls[aclname]['type'] = 'L3'
|
acls[aclname]['type'] = 'L3V6' if 'v6' in aclname.lower() else 'L3'
|
||||||
else:
|
else:
|
||||||
# This ACL has no interfaces to attach to -- consider this a control plane ACL
|
# This ACL has no interfaces to attach to -- consider this a control plane ACL
|
||||||
try:
|
try:
|
||||||
@ -294,6 +302,7 @@ def parse_dpg(dpg, hname):
|
|||||||
else:
|
else:
|
||||||
acls[aclname] = {'policy_desc': aclname,
|
acls[aclname] = {'policy_desc': aclname,
|
||||||
'type': 'CTRLPLANE',
|
'type': 'CTRLPLANE',
|
||||||
|
'stage': stage,
|
||||||
'services': [aclservice]}
|
'services': [aclservice]}
|
||||||
except:
|
except:
|
||||||
print >> sys.stderr, "Warning: Ignoring Control Plane ACL %s without type" % aclname
|
print >> sys.stderr, "Warning: Ignoring Control Plane ACL %s without type" % aclname
|
||||||
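Review bot: The new `else:` branch calls `system.exit(...)`, but no `system` name appears in any visible line and the surrounding code uses `sys` (`print >> sys.stderr`), so a minigraph whose `AclInterface` has neither `InAcl` nor `OutAcl` would most likely fail with a NameError instead of exiting with the intended message; it should read `sys.exit("Error: 'AclInterface' must contain either an 'InAcl' or 'OutAcl' subelement.")`. The same `if`/`elif` chain takes `InAcl` first and silently ignores an `OutAcl` in the same element, so an egress policy written there would never be attached; rejecting that combination, or printing a warning to `sys.stderr`, would make the drop visible to the operator. `parse_dpg` starts and ends outside these hunks.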
|
@ -305,7 +305,12 @@
|
|||||||
</AclInterface>
|
</AclInterface>
|
||||||
<AclInterface>
|
<AclInterface>
|
||||||
<AttachTo>PortChannel01;PortChannel02;PortChannel03;PortChannel04</AttachTo>
|
<AttachTo>PortChannel01;PortChannel02;PortChannel03;PortChannel04</AttachTo>
|
||||||
<InAcl>DataAcl</InAcl>
|
<InAcl>DataAclIngress</InAcl>
|
||||||
|
<Type>DataPlane</Type>
|
||||||
|
</AclInterface>
|
||||||
|
<AclInterface>
|
||||||
|
<AttachTo>PortChannel01;PortChannel02</AttachTo>
|
||||||
|
<OutAcl>DataAclEgress</OutAcl>
|
||||||
<Type>DataPlane</Type>
|
<Type>DataPlane</Type>
|
||||||
</AclInterface>
|
</AclInterface>
|
||||||
<AclInterface>
|
<AclInterface>
|
||||||
|
@ -84,13 +84,14 @@ class TestCfgGen(TestCase):
|
|||||||
self.assertEqual(output.strip(), "Warning: Ignoring Control Plane ACL NTP_ACL without type\n"
|
self.assertEqual(output.strip(), "Warning: Ignoring Control Plane ACL NTP_ACL without type\n"
|
||||||
"Warning: ignore interface 'fortyGigE0/2' as it is not in the port_config.ini\n"
|
"Warning: ignore interface 'fortyGigE0/2' as it is not in the port_config.ini\n"
|
||||||
"Warning: ignore interface 'fortyGigE0/2' in DEVICE_NEIGHBOR as it is not in the port_config.ini\n"
|
"Warning: ignore interface 'fortyGigE0/2' in DEVICE_NEIGHBOR as it is not in the port_config.ini\n"
|
||||||
"{'DATAACL': {'type': 'L3', 'policy_desc': 'DATAACL', 'ports': ['PortChannel01', 'PortChannel02', 'PortChannel03', 'PortChannel04']}, "
|
"{'NTP_ACL': {'services': ['NTP'], 'type': 'CTRLPLANE', 'policy_desc': 'NTP_ACL', 'stage': 'ingress'}, "
|
||||||
"'NTP_ACL': {'services': ['NTP'], 'type': 'CTRLPLANE', 'policy_desc': 'NTP_ACL'}, "
|
"'EVERFLOW': {'stage': 'ingress', 'type': 'MIRROR', 'ports': ['PortChannel01', 'PortChannel02', 'PortChannel03', 'PortChannel04', 'Ethernet4'], 'policy_desc': 'EVERFLOW'}, "
|
||||||
"'EVERFLOW': {'type': 'MIRROR', 'policy_desc': 'EVERFLOW', 'ports': ['PortChannel01', 'PortChannel02', 'PortChannel03', 'PortChannel04', 'Ethernet4']}, "
|
"'ROUTER_PROTECT': {'services': ['SSH', 'SNMP'], 'type': 'CTRLPLANE', 'policy_desc': 'ROUTER_PROTECT', 'stage': 'ingress'}, "
|
||||||
"'ROUTER_PROTECT': {'services': ['SSH', 'SNMP'], 'type': 'CTRLPLANE', 'policy_desc': 'ROUTER_PROTECT'}, "
|
"'DATAACLINGRESS': {'stage': 'ingress', 'type': 'L3', 'ports': ['PortChannel01', 'PortChannel02', 'PortChannel03', 'PortChannel04'], 'policy_desc': 'DATAACLINGRESS'}, "
|
||||||
"'SNMP_ACL': {'services': ['SNMP'], 'type': 'CTRLPLANE', 'policy_desc': 'SNMP_ACL'}, "
|
"'SNMP_ACL': {'services': ['SNMP'], 'type': 'CTRLPLANE', 'policy_desc': 'SNMP_ACL', 'stage': 'ingress'}, "
|
||||||
"'SSH_ACL': {'services': ['SSH'], 'type': 'CTRLPLANE', 'policy_desc': 'SSH_ACL'}, "
|
"'SSH_ACL': {'services': ['SSH'], 'type': 'CTRLPLANE', 'policy_desc': 'SSH_ACL', 'stage': 'ingress'}, "
|
||||||
"'EVERFLOWV6': {'type': 'MIRRORV6', 'policy_desc': 'EVERFLOWV6', 'ports': ['PortChannel01', 'PortChannel02', 'PortChannel03', 'PortChannel04', 'Ethernet4']}}")
|
"'DATAACLEGRESS': {'stage': 'egress', 'type': 'L3', 'ports': ['PortChannel01', 'PortChannel02'], 'policy_desc': 'DATAACLEGRESS'}, "
|
||||||
|
"'EVERFLOWV6': {'stage': 'ingress', 'type': 'MIRRORV6', 'ports': ['PortChannel01', 'PortChannel02', 'PortChannel03', 'PortChannel04', 'Ethernet4'], 'policy_desc': 'EVERFLOWV6'}}")
|
||||||
|
|
||||||
# everflow portion is not used
|
# everflow portion is not used
|
||||||
# def test_minigraph_everflow(self):
|
# def test_minigraph_everflow(self):
|
||||||
|
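Review bot: The updated expected output covers ingress and egress ACLs on PortChannels only, so two behaviours this commit adds to `parse_dpg` have no assertion: attaching an ACL to a VLAN member, and choosing `L3V6` when the ACL name contains `v6`. The exit path for an `AclInterface` with neither `InAcl` nor `OutAcl` is untested as well. Adding a sample `AclInterface` whose `AttachTo` names a VLAN and one whose ACL name contains `v6`, with the matching entries in this expected string, would catch a regression in which ACL table type and stage get generated. The assertion compares against the printed dict, so it also depends on key order; comparing parsed dicts would be less brittle. The test method starts outside the hunk.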