[config/acl] Get ACL config from DHCP and load it in swss container (#432)
Get ACL config from DHCP and load it in swss container
This commit is contained in:
parent
4359f137f4
commit
4546372f48
@ -12,6 +12,18 @@ function start_app {
|
|||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function config_acl {
|
||||||
|
if [ -f "/etc/sonic/acl.json" ]; then
|
||||||
|
mkdir -p /etc/swss/config.d/acl
|
||||||
|
rm -rf /etc/swss/config.d/acl/*
|
||||||
|
translate_acl -m /etc/sonic/minigraph.xml -o /etc/swss/config.d/acl /etc/sonic/acl.json
|
||||||
|
for filename in /etc/swss/config.d/acl/*.json; do
|
||||||
|
[ -e "$filename" ] || break
|
||||||
|
swssconfig $filename
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
function clean_up {
|
function clean_up {
|
||||||
pkill -9 orchagent
|
pkill -9 orchagent
|
||||||
pkill -9 portsyncd
|
pkill -9 portsyncd
|
||||||
@ -60,6 +72,7 @@ while true; do
|
|||||||
result=`echo -en "SELECT 1\nHLEN HIDDEN" | redis-cli | sed -n 2p`
|
result=`echo -en "SELECT 1\nHLEN HIDDEN" | redis-cli | sed -n 2p`
|
||||||
if [ "$result" != "0" ]; then
|
if [ "$result" != "0" ]; then
|
||||||
start_app
|
start_app
|
||||||
|
config_acl
|
||||||
read
|
read
|
||||||
fi
|
fi
|
||||||
sleep 1
|
sleep 1
|
||||||
|
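Review bot: In config_acl, `swssconfig $filename` passes the path unquoted and the exit status of `translate_acl` is never checked, so a failed translation still falls through to the load loop; use `swssconfig "$filename"` and `translate_acl -m /etc/sonic/minigraph.xml -o /etc/swss/config.d/acl /etc/sonic/acl.json || return 1`. Because the directory is emptied with `rm -rf /etc/swss/config.d/acl/*` just before, a failed run leaves the switch with no ACL tables rather than the previous ones, which deserves at least a log line. The second hunk calls config_acl once after start_app inside the `while true` loop and then blocks on `read`, so a later change to /etc/sonic/acl.json appears not to be picked up without a restart; if that is intended, a one-line comment above the call would save the next reader the question. start_app itself begins outside the hunk.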
@ -14,11 +14,12 @@
|
|||||||
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
|
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
|
||||||
option snmp-community code 224 = text;
|
option snmp-community code 224 = text;
|
||||||
option minigraph-url code 225 = text;
|
option minigraph-url code 225 = text;
|
||||||
|
option acl-url code 226 = text;
|
||||||
|
|
||||||
send host-name = gethostname();
|
send host-name = gethostname();
|
||||||
request subnet-mask, broadcast-address, time-offset, routers,
|
request subnet-mask, broadcast-address, time-offset, routers,
|
||||||
domain-name, domain-name-servers, domain-search, host-name,
|
domain-name, domain-name-servers, domain-search, host-name,
|
||||||
dhcp6.name-servers, dhcp6.domain-search,
|
dhcp6.name-servers, dhcp6.domain-search,
|
||||||
netbios-name-servers, netbios-scope, interface-mtu,
|
netbios-name-servers, netbios-scope, interface-mtu,
|
||||||
rfc3442-classless-static-routes, ntp-servers, snmp-community, minigraph-url;
|
rfc3442-classless-static-routes, ntp-servers, snmp-community, minigraph-url, acl-url;
|
||||||
|
|
||||||
|
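Review bot: The new `option acl-url code 226 = text;` line carries no comment, while its value is written to disk and used as a fetch URL by the exit hook and updategraph script elsewhere in this commit, so a reader of this file cannot tell what the option is for or that the code must agree with the server side. A comment such as `# site-specific option (codes 224-254); the DHCP server must define acl-url with the same code and type` next to it would document that contract. Codes 224 and 225 just above it carry the same assumption and could share the comment.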
@ -5,5 +5,8 @@ case $reason in
|
|||||||
else
|
else
|
||||||
echo "N/A" > /tmp/dhcp_graph_url
|
echo "N/A" > /tmp/dhcp_graph_url
|
||||||
fi
|
fi
|
||||||
|
if [ -n "$new_acl_url" ]; then
|
||||||
|
echo $new_acl_url > /tmp/dhcp_acl_url
|
||||||
|
fi
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
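Review bot: `echo $new_acl_url > /tmp/dhcp_acl_url` writes a DHCP-supplied string unquoted, so the shell applies word splitting and glob expansion to it before it reaches the file; use `echo "$new_acl_url" > /tmp/dhcp_acl_url`. Unlike the graph-URL branch just above, which writes `N/A` when its option is absent, there is no else branch here, so a /tmp/dhcp_acl_url left by an earlier lease would still satisfy the `-f /tmp/dhcp_acl_url` test in updategraph; adding `else rm -f /tmp/dhcp_acl_url` keeps the file in step with the current lease. The enclosing `case $reason in` statement starts and ends outside the hunk.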
@ -12,6 +12,8 @@ if [ "$enabled" != "true" ]; then
|
|||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
ACL_URL=$acl_src
|
||||||
|
|
||||||
if [ "$src" = "dhcp" ]; then
|
if [ "$src" = "dhcp" ]; then
|
||||||
while [ ! -f /tmp/dhcp_graph_url ]; do
|
while [ ! -f /tmp/dhcp_graph_url ]; do
|
||||||
echo "Waiting for DHCP response..."
|
echo "Waiting for DHCP response..."
|
||||||
@ -38,6 +40,18 @@ if [ "$src" = "dhcp" ]; then
|
|||||||
sed -i "/src=/d" /etc/sonic/updategraph.conf
|
sed -i "/src=/d" /etc/sonic/updategraph.conf
|
||||||
echo "src=\"$GRAPH_URL\"" >> /etc/sonic/updategraph.conf
|
echo "src=\"$GRAPH_URL\"" >> /etc/sonic/updategraph.conf
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [ -f /tmp/dhcp_acl_url ]; then
|
||||||
|
ACL_URL=`sonic-cfggen -t /tmp/dhcp_acl_url -a "{\"hostname\": \"$HOSTNAME\"}"`
|
||||||
|
if [[ ! $ACL_URL =~ $URL_REGEX ]]; then
|
||||||
|
echo "\"$ACL_URL\" is not a valid url. Skipping acl update."
|
||||||
|
ACL_URL=""
|
||||||
|
fi
|
||||||
|
if [ "$dhcp_as_static" = "true" ]; then
|
||||||
|
sed -i "/acl_src=/d" /etc/sonic/updategraph.conf
|
||||||
|
echo "acl_src=\"$ACL_URL\"" >> /etc/sonic/updategraph.conf
|
||||||
|
fi
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
GRAPH_URL=$src
|
GRAPH_URL=$src
|
||||||
fi
|
fi
|
||||||
@ -53,3 +67,19 @@ while true; do
|
|||||||
curl -f $GRAPH_URL -o /etc/sonic/minigraph.xml --connect-timeout 15 && break
|
curl -f $GRAPH_URL -o /etc/sonic/minigraph.xml --connect-timeout 15 && break
|
||||||
sleep 5
|
sleep 5
|
||||||
done
|
done
|
||||||
|
|
||||||
|
if [ -n "$ACL_URL" ]; then
|
||||||
|
if [ -f /etc/sonic/acl.json ]; then
|
||||||
|
echo "Renaming acl.json to acl.json.old"
|
||||||
|
mv /etc/sonic/acl.json /etc/sonic/acl.json.old
|
||||||
|
fi
|
||||||
|
echo "Getting ACL config from $ACL_URL"
|
||||||
|
|
||||||
|
while true; do
|
||||||
|
curl -f $ACL_URL -o /etc/sonic/acl.json --connect-timeout 15 && break
|
||||||
|
sleep 5
|
||||||
|
done
|
||||||
|
else
|
||||||
|
echo "Skip ACL config download."
|
||||||
|
fi
|
||||||
|
|
||||||
|
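Review bot: The `if [[ ! $ACL_URL =~ $URL_REGEX ]]` check only guards the DHCP-derived value; `ACL_URL=$acl_src` at the top of the first hunk, taken from the sourced updategraph.conf, reaches `curl -f $ACL_URL` without it, so the check should move after the `if/else` that chooses the source so both paths are validated (URL_REGEX is presumably defined earlier in the script, outside the hunk). `$ACL_URL` is also unquoted in the curl call; `curl -f "$ACL_URL" -o /etc/sonic/acl.json --connect-timeout 15 && break` avoids word splitting should the regex ever admit whitespace. The download loop retries forever and acl.json has already been renamed to acl.json.old before the first attempt, so an unreachable ACL URL leaves the script blocked with no ACL file in place; a bounded retry count that restores the old file and logs a skip would be safer. `sonic-cfggen -t /tmp/dhcp_acl_url` renders the DHCP-supplied file as a template rather than reading it literally, which is worth a comment since the value originates from the network.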
@ -129,7 +129,6 @@ def translate_acl_fixed_port(filename, output_path, port, max_priority):
|
|||||||
|
|
||||||
def translate_acl(filename, output_path, attach_to, max_priority):
|
def translate_acl(filename, output_path, attach_to, max_priority):
|
||||||
yang_acl = pybindJSON.load(filename, openconfig_acl, "openconfig_acl")
|
yang_acl = pybindJSON.load(filename, openconfig_acl, "openconfig_acl")
|
||||||
print attach_to.keys()
|
|
||||||
for aclsetname in yang_acl.acl.acl_sets.acl_set:
|
for aclsetname in yang_acl.acl.acl_sets.acl_set:
|
||||||
tablename = aclsetname.replace(" ", "_").replace("-", "_")
|
tablename = aclsetname.replace(" ", "_").replace("-", "_")
|
||||||
if attach_to.has_key(tablename):
|
if attach_to.has_key(tablename):
|
||||||
@ -151,7 +150,8 @@ def main():
|
|||||||
translate_acl_fixed_port(args.input, args.output_path, args.port, args.max_priority)
|
translate_acl_fixed_port(args.input, args.output_path, args.port, args.max_priority)
|
||||||
elif args.minigraph:
|
elif args.minigraph:
|
||||||
mini_data = parse_xml(args.minigraph)
|
mini_data = parse_xml(args.minigraph)
|
||||||
translate_acl(args.input, args.output_path, mini_data['minigraph_acls'], args.max_priority)
|
if mini_data['minigraph_acls']:
|
||||||
|
translate_acl(args.input, args.output_path, mini_data['minigraph_acls'], args.max_priority)
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
main()
|
main()
|
||||||
|
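Review bot: `if mini_data['minigraph_acls']:` in main silently does nothing when the minigraph has no ACL attach points, so the caller (the swss config_acl step in this commit) gets a zero exit and an empty output directory with no indication why; add an else branch that writes a message to stderr and, if the caller should treat it as a failure, exits non-zero. The subscript also raises KeyError if parse_xml omits the key; `if mini_data.get('minigraph_acls'):` tolerates that, assuming parse_xml can return a dict without it. Dropping `print attach_to.keys()` from translate_acl is fine; the rest of that function and the whole of translate_acl_fixed_port lie outside the hunks.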