matthew/sonic-buildimage
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Update check of IP_TYPE from ACL Yang model (#13810)

Browse Source 
Why I did it
This PR is to update the check of IP_TYPE from sonic-acl.yang.
It's because if the ACL rule is added by loading a json file with acl-loader, there is no IP_TYPE for ACL rule. If such rule exists in ACL_RULE table, the GCU (generic config updater) refuses to update any ACL rules because the existing one is invalid.
This PR updates the yang model for ACL. If the IP_TYPE leaf doesn't exist, then we don't check the field.

How I did it
Accept the rule if IP_TYPE is absent.

How to verify it
The change is verified by UT.
This commit is contained in:
bingwang-ms 2023-03-29 18:24:31 -07:00 committed by GitHub
parent a8f8ea3b50
commit 760c06ecba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 60 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/sonic-yang-models/tests/yang_model_tests/tests/acl.json
View File

@ -31,6 +31,9 @@
"eStrKey" : "When", "eStrKey" : "When",
"eStr": ["IP_TYPE"] "eStr": ["IP_TYPE"]
}, },
"ACL_RULE_WITHOUT_IP_TYPE": {
"desc": "Configure ACL_RULE without IP_TYPE."
},
"ACL_RULE_ARP_TYPE_DST_IPV6_MISMATCH": { "ACL_RULE_ARP_TYPE_DST_IPV6_MISMATCH": {
"desc": "Configure IP_TYPE as ARP and DST_IPV6 in ACL_RULE.", "desc": "Configure IP_TYPE as ARP and DST_IPV6 in ACL_RULE.",
"eStrKey" : "When", "eStrKey" : "When",

53
src/sonic-yang-models/tests/yang_model_tests/tests_config/acl.json
View File

@ -158,6 +158,59 @@
} }
} }
}, },
"ACL_RULE_WITHOUT_IP_TYPE": {
"sonic-acl:sonic-acl": {
"sonic-acl:ACL_RULE": {
"ACL_RULE_LIST": [
{
"ACL_TABLE_NAME": "NO-NSW-PACL-V4",
"PACKET_ACTION": "FORWARD",
"PRIORITY": 999980,
"RULE_NAME": "Rule_20",
"SRC_IPV6": "2001::1/64"
}
]
},
"sonic-acl:ACL_TABLE": {
"ACL_TABLE_LIST": [
{
"ACL_TABLE_NAME": "NO-NSW-PACL-V4",
"policy_desc": "Filter IPv4",
"ports": [
"Ethernet0",
"Ethernet1"
],
"stage": "EGRESS",
"type": "L3"
}
]
}
},
"sonic-port:sonic-port": {
"sonic-port:PORT": {
"PORT_LIST": [
{
"admin_status": "up",
"alias": "eth0",
"description": "Ethernet0",
"lanes": "0,1,2,3",
"mtu": 9000,
"name": "Ethernet0",
"speed": 25000
},
{
"admin_status": "up",
"alias": "eth1",
"description": "Ethernet1",
"lanes": "4,5,6,7",
"mtu": 9000,
"name": "Ethernet1",
"speed": 25000
}
]
}
}
},
"ACL_RULE_UNDEFINED_PACKET_ACTION": { "ACL_RULE_UNDEFINED_PACKET_ACTION": {
"sonic-acl:sonic-acl": { "sonic-acl:sonic-acl": {
"sonic-acl:ACL_RULE": { "sonic-acl:ACL_RULE": {

8
src/sonic-yang-models/yang-templates/sonic-acl.yang.j2
View File

@ -106,7 +106,7 @@ module sonic-acl {
} }
} }
case ip4_prefix { case ip4_prefix {
when "boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV4' or .='IPv4ANY' or .='ARP'])"; when "not(IP_TYPE) or boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV4' or .='IPv4ANY' or .='ARP'])";
leaf SRC_IP { leaf SRC_IP {
type inet:ipv4-prefix; type inet:ipv4-prefix;
} }
@ -117,7 +117,7 @@ module sonic-acl {
} }
case ip6_prefix { case ip6_prefix {
when "boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV6' or .='IPv6ANY'])"; when "not(IP_TYPE) or boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV6' or .='IPv6ANY'])";
leaf SRC_IPV6 { leaf SRC_IPV6 {
type inet:ipv6-prefix; type inet:ipv6-prefix;
} }
@ -199,7 +199,7 @@ module sonic-acl {
choice icmp { choice icmp {
case icmp4 { case icmp4 {
when "boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV4' or .='IPv4ANY' or .='ARP'])"; when "not(IP_TYPE) or boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV4' or .='IPv4ANY' or .='ARP'])";
leaf ICMP_TYPE { leaf ICMP_TYPE {
type uint8 { type uint8 {
range 1..44; range 1..44;
@ -214,7 +214,7 @@ module sonic-acl {
} }
case icmp6 { case icmp6 {
when "boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV6' or .='IPv6ANY'])"; when "not(IP_TYPE) or boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV6' or .='IPv6ANY'])";
leaf ICMPV6_TYPE { leaf ICMPV6_TYPE {
type uint8 { type uint8 {
range 1..44; range 1..44;