[caclmgrd] Log error message if IPv4 ACL table contains IPv6 rule and vice-versa (#4498)

* Defect 2082949: Handling Control Plane ACLs so that IPv4 rules and IPv6 rules are not added to the same ACL table

* Previous code review comments of coming up with functions for is_ipv4_rule and is_ipv6_rule is addressed and also raising Exceptions instead of simply aborting when the conflict occurs is handled

* Addressed code review comment to replace duplicate code with already existing functions

* removed raising Exception when rule conflict in Control plane ACLs are found

* added code to remove the rule_props if it is conflicting ACL table versioning rule

* addressed review comment to add ignoring rule in the error statement

Co-authored-by: Madhan Babu <madhan@arc-build-server.mtr.labs.mlnx>
This commit is contained in:
madhanmellanox 2020-07-15 10:24:44 -07:00 committed by GitHub
parent 6ebcfb226b
commit ade634090d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -168,6 +168,19 @@ class ControlPlaneAclManager(object):
return block_ip2me_cmds
def is_rule_ipv4(self, rule_props):
if (("SRC_IP" in rule_props and rule_props["SRC_IP"]) or
("DST_IP" in rule_props and rule_props["DST_IP"])):
return True
else:
return False
def is_rule_ipv6(self, rule_props):
if (("SRC_IPV6" in rule_props and rule_props["SRC_IPV6"]) or
("DST_IPV6" in rule_props and rule_props["DST_IPV6"])):
return True
else:
return False
def get_acl_rules_and_translate_to_iptables_commands(self):
"""
@ -295,13 +308,20 @@ class ControlPlaneAclManager(object):
# try to do it now. We attempt to determine heuristically based on
# whether the src or dst IP of this rule is an IPv4 or IPv6 address.
if not table_ip_version:
if (("SRC_IPV6" in rule_props and rule_props["SRC_IPV6"]) or
("DST_IPV6" in rule_props and rule_props["DST_IPV6"])):
if self.is_rule_ipv6(rule_props):
table_ip_version = 6
elif (("SRC_IP" in rule_props and rule_props["SRC_IP"]) or
("DST_IP" in rule_props and rule_props["DST_IP"])):
elif self.is_rule_ipv4(rule_props):
table_ip_version = 4
if (self.is_rule_ipv6(rule_props) and (table_ip_version == 4)):
log_error("CtrlPlane ACL table {} is a IPv4 based table and rule {} is a IPV6 rule! Ignoring rule."
.format(table_name, rule_id))
acl_rules.pop(rule_props["PRIORITY"])
elif (self.is_rule_ipv4(rule_props) and (table_ip_version == 6)):
log_error("CtrlPlane ACL table {} is a IPv6 based table and rule {} is a IPV4 rule! Ignroing rule."
.format(table_name, rule_id))
acl_rules.pop(rule_props["PRIORITY"])
# If we were unable to determine whether this ACL table contains
# IPv4 or IPv6 rules, log a message and skip processing this table.
if not table_ip_version: