[202205][multi-asic] Fix the issue where if dest port is not specified in ACL rule than caclmgrd gets exception (#12577)

Why I did it Creating this PR to take changes from sonic-net/sonic-host-services#21
2022-11-03 11:38:31 -07:00 · 2022-11-03 11:38:31 -07:00 · 2abb9e1c46
commit 2abb9e1c46
parent 8f80dc3a1b
3 changed files with 64 additions and 21 deletions
--- a/src/sonic-host-services/scripts/caclmgrd
+++ b/src/sonic-host-services/scripts/caclmgrd
@ -300,6 +300,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
                nat_source_ipv6_set = acl_source_ip_map[acl_service]["ipv6"] if acl_source_ip_map and acl_source_ip_map[acl_service]["ipv6"] else { "::/0" }
                for ip_protocol in self.ACL_SERVICES[acl_service]["ip_protocols"]:
                    if "dst_ports" in self.ACL_SERVICES[acl_service]:
                        for dst_port in  self.ACL_SERVICES[acl_service]["dst_ports"]: 
                            for ipv4_src_ip in nat_source_ipv4_set:
                                # IPv4 rules
--- a/src/sonic-host-services/tests/caclmgrd/cacl_external_client_acl_test.py
+++ b/src/sonic-host-services/tests/caclmgrd/cacl_external_client_acl_test.py
@ -42,3 +42,10 @@ class TestCaclmgrdExternalClientAcl(TestCase):
        iptables_rules_ret, _ = caclmgrd_daemon.get_acl_rules_and_translate_to_iptables_commands('')
        self.assertEqual(set(test_data["return"]).issubset(set(iptables_rules_ret)), True)
        caclmgrd_daemon.iptables_cmd_ns_prefix['asic0'] = 'ip netns exec asic0'
        caclmgrd_daemon.namespace_docker_mgmt_ip['asic0'] = '1.1.1.1'
        caclmgrd_daemon.namespace_mgmt_ip = '2.2.2.2'
        caclmgrd_daemon.namespace_docker_mgmt_ipv6['asic0'] = 'fd::01'
        caclmgrd_daemon.namespace_mgmt_ipv6 = 'fd::02'
        _ = caclmgrd_daemon.generate_fwd_traffic_from_namespace_to_host_commands('asic0', None)
--- a/src/sonic-host-services/tests/caclmgrd/test_external_client_acl_vectors.py
+++ b/src/sonic-host-services/tests/caclmgrd/test_external_client_acl_vectors.py
@ -4,6 +4,41 @@ from unittest.mock import call
    caclmgrd test external_client_acl vector
 """
 EXTERNAL_CLIENT_ACL_TEST_VECTOR = [
    [
        "Test for EXTERNAL_CLIENT_ACL with no dest port configured.",
        {
            "config_db": {
                "ACL_TABLE": {
                    "EXTERNAL_CLIENT_ACL": {
                        "stage": "INGRESS",
                        "type": "CTRLPLANE",
                        "services": [
                            "EXTERNAL_CLIENT"
                        ]
                    }
                },
                "ACL_RULE": {
                    "EXTERNAL_CLIENT_ACL|DEFAULT_RULE": {
                        "ETHER_TYPE": "2048",
                        "PACKET_ACTION": "DROP",
                        "PRIORITY": "1"
                    },
                    "EXTERNAL_CLIENT_ACL|RULE_1": {
                        "PACKET_ACTION": "ACCEPT",
                        "PRIORITY": "9998",
                        "SRC_IP": "20.0.0.55/32"
                    },
                },
                "DEVICE_METADATA": {
                    "localhost": {
                    }
                },
                "FEATURE": {},
            },
            "return": [
            ],
        }
    ],
    [
        "Test single IPv4 dst port + src ip for EXTERNAL_CLIENT_ACL",
        {