[acl-loader]: acl-loader integration. (#1000)
* [acl-loader]: acl-loader integration. acl-loader was implemented based on the translate_acl source code. acl-loader can't be tested with unittest. The same test cases will be covered by testbed tests. - Remove translate_acl utility and tests. - Remove mirror template. - Do not run ACL rules and mirror configuration generators. - Adapt minigraph parser to work with acl-loader. * Update sonic-swss-common and sonic-swss submodules. Enable ACL dynamic config feature. * Update sonic-utilities submodule. Include fix for acl-loader incremental update command. * [sonic-cfggen]: Add test for everflow cfggen configuration.
parent
967030f24d
commit
29f67ebe58
@ -1,24 +0,0 @@
|
|||||||
[
|
|
||||||
{% if MIRROR_SESSION %}
|
|
||||||
{% for session in MIRROR_SESSION %}
|
|
||||||
{
|
|
||||||
"MIRROR_SESSION_TABLE:{{session}}": {
|
|
||||||
"src_ip": "{{ MIRROR_SESSION[session]['src_ip'] }}",
|
|
||||||
"dst_ip": "{{ MIRROR_SESSION[session]['dst_ip'] }}",
|
|
||||||
{% if onie_switch_asic == "mlnx" %}
|
|
||||||
"gre_type": "0x6558",
|
|
||||||
"queue": "1",
|
|
||||||
{% else %}
|
|
||||||
"gre_type": "0x88be",
|
|
||||||
"queue": "0",
|
|
||||||
{% endif %}
|
|
||||||
"dscp": "8",
|
|
||||||
"ttl": "255"
|
|
||||||
},
|
|
||||||
"OP": "SET"
|
|
||||||
}{% if not loop.last %},{% endif %}
|
|
||||||
|
|
||||||
{% endfor %}
|
|
||||||
{% endif %}
|
|
||||||
]
|
|
||||||
|
|
@ -4,7 +4,6 @@ mkdir -p /etc/swss/config.d/
|
|||||||
|
|
||||||
sonic-cfggen -m /etc/sonic/minigraph.xml -d -t /usr/share/sonic/templates/switch.json.j2 > /etc/swss/config.d/switch.json
|
sonic-cfggen -m /etc/sonic/minigraph.xml -d -t /usr/share/sonic/templates/switch.json.j2 > /etc/swss/config.d/switch.json
|
||||||
sonic-cfggen -m /etc/sonic/minigraph.xml -d -t /usr/share/sonic/templates/ipinip.json.j2 > /etc/swss/config.d/ipinip.json
|
sonic-cfggen -m /etc/sonic/minigraph.xml -d -t /usr/share/sonic/templates/ipinip.json.j2 > /etc/swss/config.d/ipinip.json
|
||||||
sonic-cfggen -m /etc/sonic/minigraph.xml -d -t /usr/share/sonic/templates/mirror.json.j2 > /etc/swss/config.d/mirror.json
|
|
||||||
sonic-cfggen -m /etc/sonic/minigraph.xml -d -t /usr/share/sonic/templates/ports.json.j2 > /etc/swss/config.d/ports.json
|
sonic-cfggen -m /etc/sonic/minigraph.xml -d -t /usr/share/sonic/templates/ports.json.j2 > /etc/swss/config.d/ports.json
|
||||||
|
|
||||||
export platform=`sonic-cfggen -v platform`
|
export platform=`sonic-cfggen -v platform`
|
||||||
|
@ -2,18 +2,6 @@
|
|||||||
|
|
||||||
set -e
|
set -e
|
||||||
|
|
||||||
function config_acl {
|
|
||||||
if [ -f "/etc/sonic/acl.json" ]; then
|
|
||||||
mkdir -p /etc/swss/config.d/acl
|
|
||||||
rm -rf /etc/swss/config.d/acl/*
|
|
||||||
translate_acl -m /etc/sonic/minigraph.xml -o /etc/swss/config.d/acl /etc/sonic/acl.json
|
|
||||||
for filename in /etc/swss/config.d/acl/*.json; do
|
|
||||||
[ -e "$filename" ] || break
|
|
||||||
swssconfig $filename
|
|
||||||
done
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
function fast_reboot {
|
function fast_reboot {
|
||||||
case "$(cat /proc/cmdline)" in
|
case "$(cat /proc/cmdline)" in
|
||||||
*fast-reboot*)
|
*fast-reboot*)
|
||||||
@ -39,7 +27,7 @@ fast_reboot
|
|||||||
|
|
||||||
HWSKU=`sonic-cfggen -m /etc/sonic/minigraph.xml -d -v "DEVICE_METADATA['localhost']['hwsku']"`
|
HWSKU=`sonic-cfggen -m /etc/sonic/minigraph.xml -d -v "DEVICE_METADATA['localhost']['hwsku']"`
|
||||||
|
|
||||||
SWSSCONFIG_ARGS="00-copp.config.json ipinip.json mirror.json ports.json switch.json "
|
SWSSCONFIG_ARGS="00-copp.config.json ipinip.json ports.json switch.json "
|
||||||
|
|
||||||
if [ "$HWSKU" == "Force10-S6000" ]; then
|
if [ "$HWSKU" == "Force10-S6000" ]; then
|
||||||
SWSSCONFIG_ARGS+="td2.32ports.buffers.json td2.32ports.qos.json "
|
SWSSCONFIG_ARGS+="td2.32ports.buffers.json td2.32ports.qos.json "
|
||||||
@ -56,5 +44,3 @@ for file in $SWSSCONFIG_ARGS; do
|
|||||||
swssconfig /etc/swss/config.d/$file
|
swssconfig /etc/swss/config.d/$file
|
||||||
sleep 1
|
sleep 1
|
||||||
done
|
done
|
||||||
|
|
||||||
config_acl
|
|
||||||
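Review bot: With `config_acl` and its call removed, nothing left in the visible part of this script applies `/etc/sonic/acl.json` at start-up, and no comment says where ACLs are loaded now. The removed path went through translate_acl, which (per its deleted source in this commit) appended a priority-1 `DROP` rule to every non-mirror table, so it is worth confirming that the replacement loader gives the same default-deny behaviour and is actually run after boot. A comment next to the `SWSSCONFIG_ARGS=` line, such as `# ACL and mirror-session config is no longer applied here; it is loaded separately by acl-loader`, would record that. The script body continues outside these hunks.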
|
@ -175,7 +175,7 @@ def parse_dpg(dpg, hname):
|
|||||||
aclintfs = child.find(str(QName(ns, "AclInterfaces")))
|
aclintfs = child.find(str(QName(ns, "AclInterfaces")))
|
||||||
acls = {}
|
acls = {}
|
||||||
for aclintf in aclintfs.findall(str(QName(ns, "AclInterface"))):
|
for aclintf in aclintfs.findall(str(QName(ns, "AclInterface"))):
|
||||||
aclname = aclintf.find(str(QName(ns, "InAcl"))).text.lower().replace(" ", "_").replace("-", "_")
|
aclname = aclintf.find(str(QName(ns, "InAcl"))).text.upper().replace(" ", "_").replace("-", "_")
|
||||||
aclattach = aclintf.find(str(QName(ns, "AttachTo"))).text.split(';')
|
aclattach = aclintf.find(str(QName(ns, "AttachTo"))).text.split(';')
|
||||||
acl_intfs = []
|
acl_intfs = []
|
||||||
is_mirror = False
|
is_mirror = False
|
||||||
@ -193,7 +193,7 @@ def parse_dpg(dpg, hname):
|
|||||||
acl_intfs = port_alias_map.values()
|
acl_intfs = port_alias_map.values()
|
||||||
break;
|
break;
|
||||||
if acl_intfs:
|
if acl_intfs:
|
||||||
acls[aclname] = { 'policy_desc': aclname, 'ports': acl_intfs, 'type': 'mirror' if is_mirror else 'L3'}
|
acls[aclname] = { 'policy_desc': aclname, 'ports': acl_intfs, 'type': 'MIRROR' if is_mirror else 'L3'}
|
||||||
return intfs, lo_intfs, mgmt_intf, vlans, pcs, acls
|
return intfs, lo_intfs, mgmt_intf, vlans, pcs, acls
|
||||||
return None, None, None, None, None, None
|
return None, None, None, None, None, None
|
||||||
|
|
||||||
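Review bot: In the first hunk the new `aclname = ...text.upper()...` line still dereferences `find(...)` and `.text` unchecked, so an `AclInterface` with a missing or empty `InAcl` raises AttributeError and aborts minigraph parsing; the `AttachTo` lookup on the following line has the same shape. A guard such as `inacl = aclintf.find(str(QName(ns, "InAcl")))` followed by `if inacl is None or not inacl.text: continue` (ideally reporting the skipped entry) would keep one malformed element from discarding every ACL table. Separately, names are folded to upper case with spaces and dashes mapped to `_`, so two minigraph ACLs that differ only in case or separator land on the same `acls` key and the later one silently replaces the earlier; a short comment on that, and on the `'MIRROR'` spelling in the second hunk that consumers must now match, would help. parse_dpg starts and ends outside both hunks.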
|
@ -16,7 +16,7 @@ setup(name='sonic-config-engine',
|
|||||||
author_email='taoyl@microsoft.com',
|
author_email='taoyl@microsoft.com',
|
||||||
url='https://github.com/Azure/sonic-buildimage',
|
url='https://github.com/Azure/sonic-buildimage',
|
||||||
py_modules=['portconfig', 'minigraph', 'openconfig_acl', 'sonic_platform'],
|
py_modules=['portconfig', 'minigraph', 'openconfig_acl', 'sonic_platform'],
|
||||||
scripts=['sonic-cfggen', 'translate_acl'],
|
scripts=['sonic-cfggen'],
|
||||||
install_requires=['lxml', 'jinja2', 'netaddr', 'ipaddr', 'pyyaml', 'pyangbind'],
|
install_requires=['lxml', 'jinja2', 'netaddr', 'ipaddr', 'pyyaml', 'pyangbind'],
|
||||||
test_suite='setup.get_test_suite',
|
test_suite='setup.get_test_suite',
|
||||||
)
|
)
|
||||||
|
@ -1,14 +0,0 @@
|
|||||||
[
|
|
||||||
{
|
|
||||||
"MIRROR_SESSION_TABLE:everflow0": {
|
|
||||||
"src_ip": "10.1.0.32",
|
|
||||||
"dst_ip": "2.2.2.2",
|
|
||||||
"gre_type": "0x88be",
|
|
||||||
"queue": "0",
|
|
||||||
"dscp": "8",
|
|
||||||
"ttl": "255"
|
|
||||||
},
|
|
||||||
"OP": "SET"
|
|
||||||
}
|
|
||||||
]
|
|
||||||
|
|
@ -1,46 +0,0 @@
|
|||||||
[
|
|
||||||
{
|
|
||||||
"ACL_RULE_TABLE:DATAACL:RULE_1":{
|
|
||||||
"IP_PROTOCOL":17,
|
|
||||||
"PACKET_ACTION":"FORWARD",
|
|
||||||
"SRC_IP":"10.0.0.0/8",
|
|
||||||
"priority":9999
|
|
||||||
},
|
|
||||||
"OP":"SET"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"ACL_RULE_TABLE:DATAACL:RULE_3":{
|
|
||||||
"IP_PROTOCOL":17,
|
|
||||||
"PACKET_ACTION":"FORWARD",
|
|
||||||
"SRC_IP":"25.0.0.0/8",
|
|
||||||
"priority":9997
|
|
||||||
},
|
|
||||||
"OP":"SET"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"ACL_RULE_TABLE:DATAACL:RULE_2":{
|
|
||||||
"IP_PROTOCOL":17,
|
|
||||||
"PACKET_ACTION":"FORWARD",
|
|
||||||
"SRC_IP":"100.64.0.0/10",
|
|
||||||
"priority":9998
|
|
||||||
},
|
|
||||||
"OP":"SET"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"ACL_RULE_TABLE:DATAACL:RULE_4":{
|
|
||||||
"IP_PROTOCOL":6,
|
|
||||||
"PACKET_ACTION":"FORWARD",
|
|
||||||
"TCP_FLAGS":"0x10/0x10",
|
|
||||||
"priority":9996
|
|
||||||
},
|
|
||||||
"OP":"SET"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"ACL_RULE_TABLE:DATAACL:DEFAULT_RULE":{
|
|
||||||
"ETHER_TYPE":"0x0800",
|
|
||||||
"PACKET_ACTION":"DROP",
|
|
||||||
"priority":1
|
|
||||||
},
|
|
||||||
"OP":"SET"
|
|
||||||
}
|
|
||||||
]
|
|
@ -1,14 +0,0 @@
|
|||||||
[
|
|
||||||
{
|
|
||||||
"ACL_RULE_TABLE:EVERFLOW:RULE_1":{
|
|
||||||
"DST_IP":"127.0.0.1/32",
|
|
||||||
"IP_PROTOCOL":6,
|
|
||||||
"L4_DST_PORT":0,
|
|
||||||
"L4_SRC_PORT":0,
|
|
||||||
"MIRROR_ACTION":"everflow",
|
|
||||||
"SRC_IP":"127.0.0.1/32",
|
|
||||||
"priority":9999
|
|
||||||
},
|
|
||||||
"OP":"SET"
|
|
||||||
}
|
|
||||||
]
|
|
@ -1,10 +0,0 @@
|
|||||||
[
|
|
||||||
{
|
|
||||||
"ACL_TABLE:DATAACL":{
|
|
||||||
"policy_desc":"dataacl",
|
|
||||||
"ports":"Ethernet112,Ethernet116,Ethernet120,Ethernet124",
|
|
||||||
"type":"L3"
|
|
||||||
},
|
|
||||||
"OP":"SET"
|
|
||||||
}
|
|
||||||
]
|
|
@ -1,10 +0,0 @@
|
|||||||
[
|
|
||||||
{
|
|
||||||
"ACL_TABLE:EVERFLOW":{
|
|
||||||
"policy_desc":"everflow",
|
|
||||||
"ports":"Ethernet24,Ethernet40,Ethernet20,Ethernet44,Ethernet48,Ethernet28,Ethernet96,Ethernet92,Ethernet76,Ethernet116,Ethernet72,Ethernet112,Ethernet52,Ethernet80,Ethernet56,Ethernet32,Ethernet16,Ethernet36,Ethernet12,Ethernet60,Ethernet8,Ethernet4,Ethernet0,Ethernet64,Ethernet68,Ethernet84,Ethernet88,Ethernet108,Ethernet120,Ethernet104,Ethernet124,Ethernet100",
|
|
||||||
"type":"mirror"
|
|
||||||
},
|
|
||||||
"OP":"SET"
|
|
||||||
}
|
|
||||||
]
|
|
@ -1,58 +0,0 @@
|
|||||||
import filecmp
|
|
||||||
import os
|
|
||||||
import subprocess
|
|
||||||
|
|
||||||
from unittest import TestCase
|
|
||||||
|
|
||||||
class TestAcl(TestCase):
|
|
||||||
def setUp(self):
|
|
||||||
self.test_dir = os.path.dirname(os.path.realpath(__file__))
|
|
||||||
self.script_file = os.path.join(self.test_dir, '..', 'sonic-cfggen')
|
|
||||||
self.acl_script_file = os.path.join(self.test_dir, '..', 'translate_acl')
|
|
||||||
self.t0_minigraph = os.path.join(self.test_dir, 't0-sample-graph.xml')
|
|
||||||
self.t0_minigraph_everflow = os.path.join(self.test_dir, 't0-sample-graph-everflow.xml')
|
|
||||||
self.t0_acl = os.path.join(self.test_dir, 't0-sample-acl.json')
|
|
||||||
self.t0_port_config = os.path.join(self.test_dir, 't0-sample-port-config.ini')
|
|
||||||
|
|
||||||
def run_script(self, argument):
|
|
||||||
print 'CMD: sonic-cfggen ' + argument
|
|
||||||
output = ''
|
|
||||||
try:
|
|
||||||
output = subprocess.check_output(self.script_file + ' ' + argument, shell=True, stderr=subprocess.STDOUT)
|
|
||||||
except subprocess.CalledProcessError, (p):
|
|
||||||
print 'CalledProcessError: CMD:%s returncode:%s' % (p.cmd, p.returncode)
|
|
||||||
print p.output
|
|
||||||
return output
|
|
||||||
|
|
||||||
def run_acl_script(self, argument):
|
|
||||||
print 'CMD: translate_acl ' + argument
|
|
||||||
output = ''
|
|
||||||
try:
|
|
||||||
output = subprocess.check_output(self.acl_script_file + ' ' + argument, shell=True, stderr=subprocess.STDOUT)
|
|
||||||
except subprocess.CalledProcessError, (p):
|
|
||||||
print 'CalledProcessError: CMD:%s returncode:%s' % (p.cmd, p.returncode)
|
|
||||||
print p.output
|
|
||||||
return output
|
|
||||||
|
|
||||||
def test_translate_acl(self):
|
|
||||||
argument = '-m ' + self.t0_minigraph + ' -p ' + self.t0_port_config + ' -o ' + self.test_dir + ' ' + self.t0_acl
|
|
||||||
self.run_acl_script(argument)
|
|
||||||
for filename in ['rules_for_dataacl.json','table_dataacl.json']:
|
|
||||||
sample_output_file = os.path.join(self.test_dir, 'sample_output', filename)
|
|
||||||
output_file = os.path.join(self.test_dir, filename)
|
|
||||||
assert filecmp.cmp(sample_output_file, output_file)
|
|
||||||
|
|
||||||
def test_translate_everflow(self):
|
|
||||||
argument = '-m ' + self.t0_minigraph_everflow + ' -p ' + self.t0_port_config + ' -o ' + self.test_dir + ' ' + self.t0_acl
|
|
||||||
self.run_acl_script(argument)
|
|
||||||
for filename in ['rules_for_everflow.json','table_everflow.json']:
|
|
||||||
sample_output_file = os.path.join(self.test_dir, 'sample_output', filename)
|
|
||||||
output_file = os.path.join(self.test_dir, filename)
|
|
||||||
assert filecmp.cmp(sample_output_file, output_file)
|
|
||||||
|
|
||||||
def tearDown(self):
|
|
||||||
for filename in ['rules_for_dataacl.json','table_dataacl.json','rules_for_everflow.json','table_everflow.json']:
|
|
||||||
try:
|
|
||||||
os.remove(os.path.join(self.test_dir, filename))
|
|
||||||
except OSError:
|
|
||||||
pass
|
|
@ -73,7 +73,12 @@ class TestCfgGen(TestCase):
|
|||||||
def test_minigraph_acl(self):
|
def test_minigraph_acl(self):
|
||||||
argument = '-m "' + self.sample_graph_t0 + '" -p "' + self.port_config + '" -v ACL_TABLE'
|
argument = '-m "' + self.sample_graph_t0 + '" -p "' + self.port_config + '" -v ACL_TABLE'
|
||||||
output = self.run_script(argument)
|
output = self.run_script(argument)
|
||||||
self.assertEqual(output.strip(), "{'dataacl': {'type': 'L3', 'policy_desc': 'dataacl', 'ports': ['Ethernet112', 'Ethernet116', 'Ethernet120', 'Ethernet124']}}")
|
self.assertEqual(output.strip(), "{'DATAACL': {'type': 'L3', 'policy_desc': 'DATAACL', 'ports': ['Ethernet112', 'Ethernet116', 'Ethernet120', 'Ethernet124']}}")
|
||||||
|
|
||||||
|
def test_minigraph_everflow(self):
|
||||||
|
argument = '-m "' + self.sample_graph_t0 + '" -p "' + self.port_config + '" -v MIRROR_SESSION'
|
||||||
|
output = self.run_script(argument)
|
||||||
|
self.assertEqual(output.strip(), "{'everflow0': {'src_ip': '10.1.0.32', 'dst_ip': '2.2.2.2'}}")
|
||||||
|
|
||||||
def test_minigraph_interfaces(self):
|
def test_minigraph_interfaces(self):
|
||||||
argument = '-m "' + self.sample_graph_simple + '" -p "' + self.port_config + '" -v \'INTERFACE.keys()\''
|
argument = '-m "' + self.sample_graph_simple + '" -p "' + self.port_config + '" -v \'INTERFACE.keys()\''
|
||||||
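Review bot: The added `test_minigraph_everflow` compares `output.strip()` with the literal repr of a dict, so it passes only while the interpreter happens to print `src_ip` before `dst_ip`; the updated assertion in `test_minigraph_acl` above it has the same fragility. Parsing the output and comparing dicts is order-independent: `self.assertEqual(ast.literal_eval(output.strip()), {'everflow0': {'src_ip': '10.1.0.32', 'dst_ip': '2.2.2.2'}})`, which needs `import ast` at the top of the file, outside this hunk. The class and `test_minigraph_interfaces` continue outside the hunk.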
|
@ -77,15 +77,6 @@ class TestJ2Files(TestCase):
|
|||||||
|
|
||||||
assert filecmp.cmp(sample_output_file, self.output_file)
|
assert filecmp.cmp(sample_output_file, self.output_file)
|
||||||
|
|
||||||
def test_everflow(self):
|
|
||||||
everflow_file = os.path.join(self.test_dir, '..', '..', '..', 'dockers', 'docker-orchagent', 'mirror.json.j2')
|
|
||||||
argument = '-m ' + self.t0_minigraph + ' -p ' + self.t0_port_config + ' -t ' + everflow_file + ' > ' + self.output_file
|
|
||||||
self.run_script(argument)
|
|
||||||
|
|
||||||
sample_output_file = os.path.join(self.test_dir, 'sample_output', 'mirror.json')
|
|
||||||
|
|
||||||
assert filecmp.cmp(sample_output_file, self.output_file)
|
|
||||||
|
|
||||||
def test_msn27xx_32ports_buffers(self):
|
def test_msn27xx_32ports_buffers(self):
|
||||||
buffer_file = os.path.join(self.test_dir, '..', '..', '..', 'dockers', 'docker-orchagent', 'msn27xx.32ports.buffers.json.j2')
|
buffer_file = os.path.join(self.test_dir, '..', '..', '..', 'dockers', 'docker-orchagent', 'msn27xx.32ports.buffers.json.j2')
|
||||||
argument = '-m ' + self.t1_mlnx_minigraph + ' -p ' + self.mlnx_port_config + ' -t ' + buffer_file + ' > ' + self.output_file
|
argument = '-m ' + self.t1_mlnx_minigraph + ' -p ' + self.mlnx_port_config + ' -t ' + buffer_file + ' > ' + self.output_file
|
||||||
|
@ -1,174 +0,0 @@
|
|||||||
#!/usr/bin/env python
|
|
||||||
|
|
||||||
import sys
|
|
||||||
import os.path
|
|
||||||
import json
|
|
||||||
import argparse
|
|
||||||
|
|
||||||
import openconfig_acl
|
|
||||||
import pyangbind.lib.pybindJSON as pybindJSON
|
|
||||||
from minigraph import parse_xml
|
|
||||||
|
|
||||||
def dump_json(filename, data):
|
|
||||||
with open(filename, 'w') as outfile:
|
|
||||||
json.dump(data, outfile, indent=4, sort_keys=True, separators=(',', ':'))
|
|
||||||
|
|
||||||
def default_deny_rule(table_name):
|
|
||||||
rule_props = {}
|
|
||||||
rule_data = {}
|
|
||||||
rule_data["ACL_RULE_TABLE:"+table_name.upper()+":DEFAULT_RULE"] = rule_props
|
|
||||||
rule_data["OP"] = "SET"
|
|
||||||
rule_props["priority"] = 1
|
|
||||||
rule_props["ETHER_TYPE"] = "0x0800"
|
|
||||||
rule_props["PACKET_ACTION"] = "DROP"
|
|
||||||
return rule_data
|
|
||||||
|
|
||||||
def generate_rule_json(table_name, rule, max_priority, mirror):
|
|
||||||
rule_idx = rule.config.sequence_id
|
|
||||||
rule_props = {}
|
|
||||||
rule_data = {}
|
|
||||||
rule_data["ACL_RULE_TABLE:"+table_name.upper()+":RULE_"+str(rule_idx)] = rule_props
|
|
||||||
rule_data["OP"] = "SET"
|
|
||||||
|
|
||||||
rule_props["priority"] = max_priority - rule_idx
|
|
||||||
if rule.actions.config.forwarding_action == "ACCEPT":
|
|
||||||
if mirror:
|
|
||||||
rule_props["MIRROR_ACTION"] = "everflow"
|
|
||||||
else:
|
|
||||||
rule_props["PACKET_ACTION"] = "FORWARD"
|
|
||||||
elif rule.actions.config.forwarding_action == "DROP":
|
|
||||||
rule_props["PACKET_ACTION"] = "DROP"
|
|
||||||
elif rule.actions.config.forwarding_action == "REJECT":
|
|
||||||
rule_props["PACKET_ACTION"] = "DROP"
|
|
||||||
else:
|
|
||||||
print "Unknown rule action %s in table %s, rule %d!" % (rule.actions.config.forwarding_action, table_name, rule_idx)
|
|
||||||
return {}
|
|
||||||
|
|
||||||
ip_protocol_map = {
|
|
||||||
"IP_TCP" : 6,
|
|
||||||
"IP_ICMP" : 1,
|
|
||||||
"IP_UDP" : 17,
|
|
||||||
"IP_IGMP" : 2,
|
|
||||||
"IP_PIM" : 103,
|
|
||||||
"IP_RSVP" : 46,
|
|
||||||
"IP_GRE" : 47,
|
|
||||||
"IP_AUTH" : 51,
|
|
||||||
"IP_L2TP" : 115
|
|
||||||
}
|
|
||||||
|
|
||||||
if not rule.ip.config.protocol:
|
|
||||||
pass
|
|
||||||
elif ip_protocol_map.has_key(rule.ip.config.protocol):
|
|
||||||
rule_props["IP_PROTOCOL"] = ip_protocol_map[rule.ip.config.protocol]
|
|
||||||
else:
|
|
||||||
try:
|
|
||||||
int(rule.ip.config.protocol)
|
|
||||||
except:
|
|
||||||
print "Unknown rule protocol %s in table %s, rule %d!" % (rule.ip.config.protocol, table_name, rule_idx)
|
|
||||||
return {}
|
|
||||||
else:
|
|
||||||
rule_props["IP_PROTOCOL"] = rule.ip.config.protocol
|
|
||||||
|
|
||||||
if rule.ip.config.source_ip_address != "":
|
|
||||||
rule_props["SRC_IP"] = rule.ip.config.source_ip_address
|
|
||||||
if rule.ip.config.destination_ip_address != "":
|
|
||||||
rule_props["DST_IP"] = rule.ip.config.destination_ip_address
|
|
||||||
|
|
||||||
if rule.transport.config.source_port == "":
|
|
||||||
pass
|
|
||||||
elif str(rule.transport.config.source_port).find("..") < 0:
|
|
||||||
rule_props["L4_SRC_PORT"] = rule.transport.config.source_port
|
|
||||||
else:
|
|
||||||
rule_props["L4_SRC_PORT_RANGE"] = str(rule.transport.config.source_port).replace("..", "-")
|
|
||||||
|
|
||||||
if rule.transport.config.destination_port == "":
|
|
||||||
pass
|
|
||||||
elif str(rule.transport.config.destination_port).find("..") < 0:
|
|
||||||
rule_props["L4_DST_PORT"] = rule.transport.config.destination_port
|
|
||||||
else:
|
|
||||||
rule_props["L4_DST_PORT_RANGE"] = str(rule.transport.config.destination_port).replace("..", "-")
|
|
||||||
|
|
||||||
tcp_flags = 0x00;
|
|
||||||
for flag in rule.transport.config.tcp_flags:
|
|
||||||
if flag == "TCP_FIN":
|
|
||||||
tcp_flags = tcp_flags | 0x01
|
|
||||||
if flag == "TCP_SYN":
|
|
||||||
tcp_flags = tcp_flags | 0x02
|
|
||||||
if flag == "TCP_RST":
|
|
||||||
tcp_flags = tcp_flags | 0x04
|
|
||||||
if flag == "TCP_PSH":
|
|
||||||
tcp_flags = tcp_flags | 0x08
|
|
||||||
if flag == "TCP_ACK":
|
|
||||||
tcp_flags = tcp_flags | 0x10
|
|
||||||
if flag == "TCP_URG":
|
|
||||||
tcp_flags = tcp_flags | 0x20
|
|
||||||
if flag == "TCP_ECE":
|
|
||||||
tcp_flags = tcp_flags | 0x40
|
|
||||||
if flag == "TCP_CWR":
|
|
||||||
tcp_flags = tcp_flags | 0x80
|
|
||||||
if tcp_flags != 0x00:
|
|
||||||
rule_props["TCP_FLAGS"] = '0x{:02x}/0x{:02x}'.format(tcp_flags, tcp_flags)
|
|
||||||
return rule_data
|
|
||||||
|
|
||||||
def generate_table_json(aclset, aclname, ports, t_type, max_priority, output_path='.'):
|
|
||||||
table_name = aclname.replace(" ", "_").replace("-", "_")
|
|
||||||
#table_name = generate_random_table_name()
|
|
||||||
mirror = (t_type == 'mirror')
|
|
||||||
|
|
||||||
table_props = {}
|
|
||||||
table_props["policy_desc"] = table_name
|
|
||||||
table_props["type"] = t_type
|
|
||||||
table_props["ports"] = ports
|
|
||||||
|
|
||||||
table_data = [{}]
|
|
||||||
table_data[0]["ACL_TABLE:"+table_name.upper()] = table_props
|
|
||||||
table_data[0]["OP"] = "SET"
|
|
||||||
dump_json(os.path.join(output_path, "table_"+table_name+".json"), table_data)
|
|
||||||
|
|
||||||
rule_data = []
|
|
||||||
for aclentryname in aclset.acl_entries.acl_entry:
|
|
||||||
aclentry = aclset.acl_entries.acl_entry[aclentryname]
|
|
||||||
rule_props = generate_rule_json(table_name, aclentry, max_priority, mirror)
|
|
||||||
if rule_props:
|
|
||||||
rule_data.append(rule_props)
|
|
||||||
if not mirror:
|
|
||||||
rule_data.append(default_deny_rule(table_name))
|
|
||||||
dump_json(os.path.join(output_path, "rules_for_"+table_name+".json"), rule_data)
|
|
||||||
|
|
||||||
def translate_acl_fixed_port(filename, output_path, port, max_priority):
|
|
||||||
yang_acl = pybindJSON.load(filename, openconfig_acl, "openconfig_acl")
|
|
||||||
for aclsetname in yang_acl.acl.acl_sets.acl_set:
|
|
||||||
aclset = yang_acl.acl.acl_sets.acl_set[aclsetname]
|
|
||||||
generate_table_json(aclset, aclsetname, port, 'l3', max_priority, output_path)
|
|
||||||
return
|
|
||||||
|
|
||||||
def translate_acl(filename, output_path, mini_acl, max_priority):
|
|
||||||
yang_acl = pybindJSON.load(filename, openconfig_acl, "openconfig_acl")
|
|
||||||
for aclsetname in yang_acl.acl.acl_sets.acl_set:
|
|
||||||
tablename = aclsetname.replace(" ", "_").replace("-", "_")
|
|
||||||
if mini_acl.has_key(tablename):
|
|
||||||
t_type = mini_acl[tablename]['type']
|
|
||||||
ports = ','.join(mini_acl[tablename]['ports'])
|
|
||||||
aclset = yang_acl.acl.acl_sets.acl_set[aclsetname]
|
|
||||||
generate_table_json(aclset, aclsetname, ports, t_type, max_priority, output_path)
|
|
||||||
return
|
|
||||||
|
|
||||||
def main():
|
|
||||||
parser = argparse.ArgumentParser(description="Translate openconfig ACL json into SONiC ACL jsons")
|
|
||||||
parser.add_argument('input', metavar='INPUT', help='input json file in openconfig format')
|
|
||||||
group = parser.add_mutually_exclusive_group(required=True)
|
|
||||||
group.add_argument('-a', '--attach-to', help='the port(s) that this ACL is attached to')
|
|
||||||
group.add_argument('-m', '--minigraph', help='read ACL attaching information from minigraph')
|
|
||||||
parser.add_argument("-p", "--port-config", help="port config file, used with -m")
|
|
||||||
parser.add_argument('-n', '--max-priority', type=int, default=10000, help='the priority number of the first rule in ACL entries')
|
|
||||||
parser.add_argument('-o', '--output-path', default='.', help='output directory where SONiC ACL jsons will be generated')
|
|
||||||
args = parser.parse_args()
|
|
||||||
if args.attach_to:
|
|
||||||
translate_acl_fixed_port(args.input, args.output_path, args.port, args.max_priority)
|
|
||||||
elif args.minigraph:
|
|
||||||
mini_data = parse_xml(args.minigraph, port_config_file=args.port_config)
|
|
||||||
if mini_data['ACL_TABLE']:
|
|
||||||
translate_acl(args.input, args.output_path, mini_data['ACL_TABLE'], args.max_priority)
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
|
||||||
main()
|
|
@ -1 +1 @@
|
|||||||
Subproject commit 3b7c3e3348779e1fc7b147a299d22942a34f5cb9
|
Subproject commit f90a4e1ef369491b84a048cbf234f4cd3442d552
|
@ -1 +1 @@
|
|||||||
Subproject commit 31142b8fac1796b7d665ed06609c9fec09c9707f
|
Subproject commit 2e94b54e3626a4acd73bb3edb2f94d61793ee0e4
|
@ -1 +1 @@
|
|||||||
Subproject commit 67f8806ce42f2511f170117d70ecfd0e8d205eb5
|
Subproject commit 1d37c9c199b7934653f907095bf11e685889df23
|