Issue sonic-net#22759: Prevent CLI from adding invalid routed interfaces (sonic-net#3901)

anders-nexthop · web-flow · commit c1843fa1575a · 2025-09-25T18:28:44.000-07:00
What I did Currently, config interface ip add will accept EthernetX interfaces which do not have an underlying port or portchannel associated with them. This violates the yang model, so if these entries are added to ConfigDB, 'config replace' and 'config reload' don't work properly. To make matters worse, the implementation of config interface ip remove does not detect these invalid entries, so once they are added they cannot be removed through the CLI. I modified the command to reject invalid cases. Fixes: sonic-net#22759 How I did it Add a check for this case into the config interface ip add CLI command to avoid invalid cases of this form by checking to ensure that the interface which is passed is associated with a valid port or port channel if it is an Ethernet or PortChannel interface. There is already an existing check for vlan interfaces. How to verify it Modify existing test cases to handle expected behavior, verify that they all pass. Previous command output (if the output of a command-line utility has changed) admin@gold113-dut:~$ sudo config interface ip add EthernetNR 1.2.3.4 admin@gold113-dut:~$ sudo config interface ip add EthernetJustMadeUp 1.2.3.4 admin@gold113-dut:~$ sudo config interface ip add Ethernet99999999 1.2.3.4 admin@gold113-dut:~$ sudo config interface ip add Ethernet-totally-not-real 1.2.3.4 admin@gold113-dut:~$ sudo config interface ip remove EthernetNR 1.2.3.4 Cannot find device "EthernetNR" admin@gold113-dut:~$ sudo config replace -d /etc/sonic/config_db.json ** DRY RUN EXECUTION ** Config Replacer: Config replacement starting. Config Replacer: Target config length: 50412. Config Replacer: Getting current config db. Config Replacer: Generating patch between target config and current config db. Config Replacer: Applying patch using 'Patch Applier'. Patch Applier: localhost: Patch application starting. Patch Applier: localhost: Patch: [{"op": "remove", "path": "/INTERFACE/EthernetJustMadeUp"}, {"op": "remove", "path": "/INTERFACE/Ethernet-totally-not-real"}, {"op": "remove", "path": "/INTERFACE/EthernetNR"}, {"op": "remove", "path": "/INTERFACE/Ethernet99999999"}, {"op": "remove", "path": "/INTERFACE/EthernetJustMadeUp|1.2.3.4~132"}, {"op": "remove", "path": "/INTERFACE/Ethernet99999999|1.2.3.4~132"}, {"op": "remove", "path": "/INTERFACE/Ethernet-totally-not-real|1.2.3.4~132"}, {"op": "remove", "path": "/INTERFACE/EthernetNR|1.2.3.4~132"}] Patch Applier: localhost getting current config db. Patch Applier: localhost: simulating the target full config after applying the patch. Patch Applier: localhost: validating all JsonPatch operations are permitted on the specified fields Patch Applier: localhost: validating target config does not have empty tables, since they do not show up in ConfigDb. Patch Applier: localhost: sorting patch updates. Failed to replace config Usage: config replace [OPTIONS] TARGET_FILE_PATH Try "config replace -h" for help. Error: Data Loading Failed Leafref "/sonic-port:sonic-port/sonic-port:PORT/sonic-port:PORT_LIST/sonic-port:name" of value "EthernetNR" points to a non-existing leaf. New command output (if the output of a command-line utility has changed) admin@gold113-dut:~$ sudo config interface ip add EthernetNR.10 1.2.3.4 Usage: config interface ip add [OPTIONS] <interface_name> <ip_addr> <default gateway IP address> Try "config interface ip add -h" for help. Error: Interface EthernetNR.10 does not exist
diff --git a/config/main.py b/config/main.py
@@ -5222,47 +5222,7 @@ def add_interface_ip(ctx, interface_name, ip_addr, gw, secondary):
         interface_name = interface_alias_to_name(config_db, interface_name)
         if interface_name is None:
             ctx.fail("'interface_name' is None!")
-        # Add a validation to check this interface is not a member in vlan before
-        # changing it to a router port mode
-    vlan_member_table = config_db.get_table('VLAN_MEMBER')
-
-    if (interface_is_in_vlan(vlan_member_table, interface_name)):
-        click.echo("Interface {} is a member of vlan\nAborting!".format(interface_name))
-        return
-
 
-    portchannel_member_table = config_db.get_table('PORTCHANNEL_MEMBER')
-
-    if interface_is_in_portchannel(portchannel_member_table, interface_name):
-        ctx.fail("{} is configured as a member of portchannel."
-                .format(interface_name))
-
-    # Add a validation to check this interface is in routed mode before
-    # assigning an IP address to it
-
-    sub_intf = False
-
-    if clicommon.is_valid_port(config_db, interface_name):
-        is_port = True
-    elif clicommon.is_valid_portchannel(config_db, interface_name):
-        is_port = False
-    else:
-        sub_intf = True
-
-    if not sub_intf:
-        interface_mode = None
-        if is_port:
-            interface_data = config_db.get_entry('PORT', interface_name)
-        else:
-            interface_data = config_db.get_entry('PORTCHANNEL', interface_name)
-
-        if "mode" in interface_data:
-            interface_mode = interface_data["mode"]
-
-        if interface_mode == "trunk" or interface_mode == "access":
-            click.echo("Interface {} is in {} mode and needs to be in routed mode!".format(
-                interface_name, interface_mode))
-            return
     try:
         ip_address = ipaddress.ip_interface(ip_addr)
     except ValueError as err:
@@ -5293,7 +5253,65 @@ def add_interface_ip(ctx, interface_name, ip_addr, gw, secondary):
 
     table_name = get_interface_table_name(interface_name)
     if table_name == "":
-        ctx.fail("'interface_name' is not valid. Valid names [Ethernet/PortChannel/Vlan/Loopback]")
+        ctx.fail(f"{interface_name} is not valid. Valid names [Ethernet/PortChannel/Vlan/Loopback]")
+
+    # Add a validation to check this interface is in routed mode before
+    # assigning an IP address to it. For sub-interfaces, check that the base
+    # interface is in the right mode
+
+    base_interface_name = interface_name
+
+    # Handle short name
+    match = re.search(r'\d', interface_name)
+    if match:
+        index = match.start()
+        intf_type = interface_name[:index]
+        intf_val = interface_name[index:]
+        if intf_type == "Eth":
+            intf_type = "Ethernet"
+        elif intf_type == "Po":
+            intf_type = "PortChannel"
+        base_interface_name = intf_type + intf_val
+
+    base_table_name = table_name
+    if table_name == "VLAN_SUB_INTERFACE":
+        interface_name_parts = base_interface_name.split(".")
+        base_interface_name = interface_name_parts[0] if len(interface_name_parts) >= 2 else interface_name
+        base_table_name = get_interface_table_name(base_interface_name)
+        if base_table_name == "":
+            ctx.fail(f"{interface_name} is not valid. Valid names [Ethernet/PortChannel/Vlan/Loopback]")
+
+    portchannel_member_table = config_db.get_table('PORTCHANNEL_MEMBER')
+    if interface_is_in_portchannel(portchannel_member_table, base_interface_name):
+        ctx.fail(f"{base_interface_name} is configured as a member of portchannel.")
+
+    # Add a validation to check this interface is not a member in vlan before
+    vlan_member_table = config_db.get_table('VLAN_MEMBER')
+    if (interface_is_in_vlan(vlan_member_table, base_interface_name)):
+        ctx.fail("Interface {} is a member of vlan\nAborting!".format(base_interface_name))
+        return
+
+    if base_table_name == "INTERFACE" or base_table_name == "PORTCHANNEL_INTERFACE":
+        if clicommon.is_valid_port(config_db, base_interface_name):
+            is_port = True
+        elif clicommon.is_valid_portchannel(config_db, base_interface_name):
+            is_port = False
+        else:
+            ctx.fail("Interface {} does not exist".format(interface_name))
+
+        interface_mode = None
+        if is_port:
+            interface_data = config_db.get_entry('PORT', base_interface_name)
+        else:
+            interface_data = config_db.get_entry('PORTCHANNEL', base_interface_name)
+
+        if "mode" in interface_data:
+            interface_mode = interface_data["mode"]
+
+        if interface_mode == "trunk" or interface_mode == "access":
+            click.echo("Interface {} is in {} mode and needs to be in routed mode!".format(
+                interface_name, interface_mode))
+            return
 
     if table_name == "VLAN_INTERFACE":
         if not validate_vlan_exists(config_db, interface_name):
diff --git a/tests/ip_config_test.py b/tests/ip_config_test.py
@@ -81,6 +81,38 @@ def test_add_vlan_interface_ipv4(self):
         assert result.exit_code != 0
         assert NOT_EXIST_VLAN_ERROR_MSG in result.output
 
+        # config int ip add Ethernet12 1.1.1.1/24
+        result = runner.invoke(
+                config.config.commands["interface"].commands["ip"].commands["add"],
+                ["Ethernet12", "1.1.1.1/24"],
+                obj=obj)
+        print(result.exit_code, result.output)
+        assert "Interface Ethernet12 is a member of vlan" in result.output
+
+        # config int ip add Ethernet12.10 1.1.1.1/24
+        result = runner.invoke(
+                config.config.commands["interface"].commands["ip"].commands["add"],
+                ["Ethernet12.10", "1.1.1.1/24"],
+                obj=obj)
+        print(result.exit_code, result.output)
+        assert "Interface Ethernet12 is a member of vlan" in result.output
+
+        # config int ip add PortChannel1001 1.1.1.1/24
+        result = runner.invoke(
+                config.config.commands["interface"].commands["ip"].commands["add"],
+                ["PortChannel1001", "1.1.1.1/24"],
+                obj=obj)
+        print(result.exit_code, result.output)
+        assert "Interface PortChannel1001 is a member of vlan" in result.output
+
+        # config int ip add PortChannel1001.10 1.1.1.1/24
+        result = runner.invoke(
+                config.config.commands["interface"].commands["ip"].commands["add"],
+                ["PortChannel1001.10", "1.1.1.1/24"],
+                obj=obj)
+        print(result.exit_code, result.output)
+        assert "Interface PortChannel1001 is a member of vlan" in result.output
+
 
     def test_add_del_interface_valid_ipv4(self):
         db = Db()
@@ -105,6 +137,24 @@ def test_add_del_interface_valid_ipv4(self):
         assert result.exit_code == 0
         assert ('Eth36.10', '32.11.10.1/24') in db.cfgdb.get_table('VLAN_SUB_INTERFACE')
 
+        # config int ip add PortChannel0001.10 32.11.10.1/24
+        result = runner.invoke(
+                config.config.commands["interface"].commands["ip"].commands["add"],
+                ["PortChannel0001.10", "32.11.10.1/24"],
+                obj=obj)
+        print(result.exit_code, result.output)
+        assert result.exit_code == 0
+        assert ('PortChannel0001.10', '32.11.10.1/24') in db.cfgdb.get_table('VLAN_SUB_INTERFACE')
+
+        # config int ip add Po0001.11 32.11.10.1/24
+        result = runner.invoke(
+                config.config.commands["interface"].commands["ip"].commands["add"],
+                ["Po0001.11", "32.11.10.1/24"],
+                obj=obj)
+        print(result.exit_code, result.output)
+        assert result.exit_code == 0
+        assert ('Po0001.11', '32.11.10.1/24') in db.cfgdb.get_table('VLAN_SUB_INTERFACE')
+
         # config int ip remove Ethernet64 10.10.10.1/24
         with mock.patch('utilities_common.cli.run_command') as mock_run_command:
             result = runner.invoke(config.config.commands["interface"].commands["ip"].commands["remove"], ["Ethernet64", "10.10.10.1/24"], obj=obj)
@@ -137,6 +187,26 @@ def test_add_del_interface_valid_ipv4(self):
             assert mock_run_command.call_count == 1
             assert ('Eth36.10', '32.11.10.1/24') not in db.cfgdb.get_table('VLAN_SUB_INTERFACE')
 
+        # config int ip remove PortChannel0001.10 10.11.10.1/24
+        with mock.patch('utilities_common.cli.run_command') as mock_run_command:
+            result = runner.invoke(
+                    config.config.commands["interface"].commands["ip"].commands["remove"],
+                    ["PortChannel0001.10", "10.11.10.1/24"],
+                    obj=obj)
+            print(result.exit_code, result.output)
+            assert result.exit_code == 0
+            assert mock_run_command.call_count == 1
+            assert ('PortChannel0001.10', '10.11.10.1/24') not in db.cfgdb.get_table('VLAN_SUB_INTERFACE')
+
+        # config int ip remove Po0001.11 32.11.10.1/24
+        with mock.patch('utilities_common.cli.run_command') as mock_run_command:
+            result = runner.invoke(config.config.commands["interface"].commands["ip"].commands["remove"],
+                                   ["Po0001.11", "32.11.10.1/24"], obj=obj)
+            print(result.exit_code, result.output)
+            assert result.exit_code == 0
+            assert mock_run_command.call_count == 1
+            assert ('Po0001.11', '32.11.10.1/24') not in db.cfgdb.get_table('VLAN_SUB_INTERFACE')
+
         # config int ip add vlan1000 10.21.20.1/24 as secondary
         result = runner.invoke(config.config.commands["interface"].commands["ip"].commands["add"],
                                ["Vlan1000", "10.11.20.1/24", "--secondary"], obj=obj)
@@ -212,6 +282,80 @@ def test_ip_add_on_interface_which_is_member_of_portchannel(self):
         print(result.exit_code)
         assert 'Error: Ethernet32 is configured as a member of portchannel.' in result.output
 
+        result = runner.invoke(
+                config.config.commands["interface"].commands["ip"].commands["add"],
+                ["Ethernet32.10", "100.10.10.1/24"],
+                obj=obj)
+        assert result.exit_code != 0
+        print(result.output)
+        print(result.exit_code)
+        assert 'Error: Ethernet32 is configured as a member of portchannel.' in result.output
+
+        result = runner.invoke(
+                config.config.commands["interface"].commands["ip"].commands["add"],
+                ["Eth32.10", "100.10.10.1/24"],
+                obj=obj)
+        assert result.exit_code != 0
+        print(result.output)
+        print(result.exit_code)
+        assert 'Error: Ethernet32 is configured as a member of portchannel.' in result.output
+
+    def test_ip_add_on_interface_with_no_port(self):
+        runner = CliRunner()
+        db = Db()
+        obj = {'config_db': db.cfgdb}
+
+        # config int ip add Ethernet51 100.10.10.1/24
+        result = runner.invoke(
+                config.config.commands["interface"].commands["ip"].commands["add"],
+                ["Ethernet51", "100.10.10.1/24"],
+                obj=obj)
+        assert result.exit_code != 0
+        print(result.output)
+        print(result.exit_code)
+        assert 'Error: Interface Ethernet51 does not exist' in result.output
+
+        # config int ip add Ethernet51.10 100.10.10.1/24
+        result = runner.invoke(
+                config.config.commands["interface"].commands["ip"].commands["add"],
+                ["Ethernet51.10", "100.10.10.1/24"],
+                obj=obj)
+        assert result.exit_code != 0
+        print(result.output)
+        print(result.exit_code)
+        assert 'Error: Interface Ethernet51.10 does not exist' in result.output
+
+        # config int ip add Eth51.10 32.11.10.1/24
+        result = runner.invoke(
+                config.config.commands["interface"].commands["ip"].commands["add"],
+                ["Eth51.10", "32.11.10.1/24"],
+                obj=obj)
+        assert result.exit_code != 0
+        print(result.output)
+        print(result.exit_code)
+        assert 'Error: Interface Eth51.10 does not exist' in result.output
+
+        # config int ip add PortChanne51.10 32.11.10.1/24
+        result = runner.invoke(
+                config.config.commands["interface"].commands["ip"].commands["add"],
+                ["PortChannel51.10", "32.11.10.1/24"],
+                obj=obj)
+        assert result.exit_code != 0
+        print(result.output)
+        print(result.exit_code)
+        assert 'Error: Interface PortChannel51.10 does not exist' in result.output
+
+        # config int ip add Po51.10 32.11.10.1/24
+        result = runner.invoke(
+                config.config.commands["interface"].commands["ip"].commands["add"],
+                ["Po51.10", "32.11.10.1/24"],
+                obj=obj)
+        assert result.exit_code != 0
+        print(result.output)
+        print(result.exit_code)
+        assert 'Error: Interface Po51.10 does not exist' in result.output
+
+
     '''  Tests for IPv6 '''
 
     def test_add_del_interface_valid_ipv6(self):
diff --git a/tests/vlan_test.py b/tests/vlan_test.py
@@ -1490,7 +1490,6 @@ def test_config_set_router_port_on_member_interface(self):
         result = runner.invoke(config.config.commands["interface"].commands["ip"].commands["add"],
                                ["Ethernet4", "10.10.10.1/24"], obj=obj)
         print(result.exit_code, result.output)
-        assert result.exit_code == 0
         assert 'Interface Ethernet4 is a member of vlan\nAborting!\n' in result.output
 
     def test_config_vlan_add_member_of_portchannel(self):
diff --git a/tests/vrrp_test.py b/tests/vrrp_test.py
