
Commit 26ee4ae

neethajohnqiluo-msft
authored andcommitted
Add backend acl template (#11220)
Why I did it: Storage backend has all vlan members tagged. If untagged packets are received on those links, they are accounted as RX_DROPS, which can lead to false alarms in monitoring tools. This acl is used to hide these drops. How I did it: Created an acl template which will be loaded during minigraph load for backend. This template will allow tagged vlan packets and drop untagged ones. How to verify it: Unit tests. Signed-off-by: Neetha John <nejo@microsoft.com>
1 parent 2c3dc47 commit 26ee4ae


7 files changed

+314
-0
lines changed

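--- /dev/null
+++ b/files/build_templates/backend_acl.j2
@@ -0,0 +1,51 @@
+{%- set vlan2ports = {} %}
+{%- for vlan in VLAN %}
+{% set portlist = [] %}
+{%- for vlan_name, port in VLAN_MEMBER %}
+{%- if vlan_name == vlan %}
+{%- if portlist.append(port) %}{%- endif %}
+{%- endif %}
+{%- endfor %}
+{%- set _ = vlan2ports.update({vlan: portlist| sort | join(',')}) %}
+{%- endfor %}
+
+
+{
+"acl": {
+"acl-sets": {
+"acl-set": {
+"DATAACL": {
+"acl-entries": {
+"acl-entry": {
+{% for vlan, vlan_entries in VLAN.items() %}
+"{{ loop.index }}": {
+"config": {
+"sequence-id": {{ loop.index }}
+},
+"actions": {
+"config": {
+"forwarding-action": "ACCEPT"
+}
+},
+"l2": {
+"config": {
+"vlan_id": "{{ vlan_entries['vlanid'] }}"
+}
+},
+"input_interface": {
+"interface_ref": {
+"config": {
+"interface": "{{ vlan2ports[vlan] }}"
+}
+}
+}
+
+}{% if not loop.last %},{% endif %}
+{% endfor -%}
+}
+}
+}
+}
+}
+}
+}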
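Review bot: A VLAN that has no VLAN_MEMBER entries still yields an ACCEPT entry with `"interface": ""` at template line 38, because `vlan2ports[vlan]` is then the join of an empty list; how the ACL loader treats an empty interface match is not visible here, but a VLAN with no member ports looks like a case the rule should skip rather than emit. Jinja's loop filter keeps `loop.last` correct for the trailing-comma logic on line 43, so a one-line change to line 20 suffices: `{% for vlan, vlan_entries in VLAN.items() if vlan2ports[vlan] %}`. The template carries only ACCEPT actions, so the dropping of untagged frames described in the commit message depends on the DATAACL table's default action rather than on anything in this file; a header comment such as `{# Accept tagged traffic on each VLAN's member ports; anything else falls through to the table's default action #}` would make that dependence explicit. Member `tagging_mode` is not consulted, so the template assumes every member is tagged, as the commit message states.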

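--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@@ -497,6 +497,9 @@ then
 fi
 {% endif %}
 
+# Copy backend acl template
+sudo cp $BUILD_TEMPLATES/backend_acl.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/
+
 # Copy hostname configuration scripts
 sudo cp $IMAGE_CONFIGS/hostname/hostname-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM
 echo "hostname-config.service" | sudo tee -a $GENERATED_SERVICE_FILE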
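--- /dev/null
+++ b/src/sonic-config-engine/tests/data/backend_acl/acl_multi_vlan.json
@@ -0,0 +1,59 @@
+
+{
+"acl": {
+"acl-sets": {
+"acl-set": {
+"DATAACL": {
+"acl-entries": {
+"acl-entry": {
+"1": {
+"config": {
+"sequence-id": 1
+},
+"actions": {
+"config": {
+"forwarding-action": "ACCEPT"
+}
+},
+"l2": {
+"config": {
+"vlan_id": "1000"
+}
+},
+"input_interface": {
+"interface_ref": {
+"config": {
+"interface": "Ethernet12,Ethernet16,Ethernet20,Ethernet24,Ethernet28,Ethernet32,Ethernet36,Ethernet40,Ethernet44,Ethernet48,Ethernet52,Ethernet56,Ethernet60,Ethernet64,Ethernet68,Ethernet72,Ethernet76"
+}
+}
+}
+
+}, "2": {
+"config": {
+"sequence-id": 2
+},
+"actions": {
+"config": {
+"forwarding-action": "ACCEPT"
+}
+},
+"l2": {
+"config": {
+"vlan_id": "2000"
+}
+},
+"input_interface": {
+"interface_ref": {
+"config": {
+"interface": "Ethernet4,Ethernet8"
+}
+}
+}
+
+} }
+}
+}
+}
+}
+}
+}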
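--- /dev/null
+++ b/src/sonic-config-engine/tests/data/backend_acl/acl_single_vlan.json
@@ -0,0 +1,38 @@
+
+{
+"acl": {
+"acl-sets": {
+"acl-set": {
+"DATAACL": {
+"acl-entries": {
+"acl-entry": {
+"1": {
+"config": {
+"sequence-id": 1
+},
+"actions": {
+"config": {
+"forwarding-action": "ACCEPT"
+}
+},
+"l2": {
+"config": {
+"vlan_id": "1000"
+}
+},
+"input_interface": {
+"interface_ref": {
+"config": {
+"interface": "Ethernet12,Ethernet16,Ethernet20,Ethernet24,Ethernet28,Ethernet32,Ethernet36,Ethernet4,Ethernet40,Ethernet44,Ethernet48,Ethernet52,Ethernet56,Ethernet60,Ethernet64,Ethernet68,Ethernet72,Ethernet76,Ethernet8"
+}
+}
+}
+
+}
+}
+}
+}
+}
+}
+}
+}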
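--- /dev/null
+++ b/src/sonic-config-engine/tests/data/backend_acl/multi_vlan.json
@@ -0,0 +1,69 @@
+{
+"VLAN": {
+"Vlan1000": {
+"vlanid": "1000"
+},
+"Vlan2000": {
+"vlanid": "2000"
+}
+},
+"VLAN_MEMBER": {
+"Vlan1000|Ethernet12": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet16": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet20": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet24": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet28": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet32": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet36": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet40": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet44": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet48": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet52": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet56": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet60": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet64": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet68": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet72": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet76": {
+"tagging_mode": "tagged"
+},
+"Vlan2000|Ethernet4": {
+"tagging_mode": "tagged"
+},
+"Vlan2000|Ethernet8": {
+"tagging_mode": "tagged"
+}
+}
+}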
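--- /dev/null
+++ b/src/sonic-config-engine/tests/data/backend_acl/single_vlan.json
@@ -0,0 +1,66 @@
+{
+"VLAN": {
+"Vlan1000": {
+"vlanid": "1000"
+}
+},
+"VLAN_MEMBER": {
+"Vlan1000|Ethernet4": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet8": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet12": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet16": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet20": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet24": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet28": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet32": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet36": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet40": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet44": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet48": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet52": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet56": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet60": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet64": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet68": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet72": {
+"tagging_mode": "tagged"
+},
+"Vlan1000|Ethernet76": {
+"tagging_mode": "tagged"
+}
+}
+}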

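--- a/src/sonic-config-engine/tests/test_j2files.py
+++ b/src/sonic-config-engine/tests/test_j2files.py
@@ -590,6 +590,34 @@ def test_ntp_conf(self):
 self.run_script(argument)
 assert utils.cmp(expected, self.output_file), self.run_diff(expected, self.output_file)
 
+def test_backend_acl_template_render(self):
+acl_template = os.path.join(
+self.test_dir, '..', '..', '..', 'files', 'build_templates',
+'backend_acl.j2'
+)
+test_list = {
+'single_vlan': {
+'input': 'single_vlan.json',
+'output': 'acl_single_vlan.json'
+},
+'multi_vlan': {
+'input': 'multi_vlan.json',
+'output': 'acl_multi_vlan.json'
+},
+}
+for _, v in test_list.items():
+input_file = os.path.join(
+self.test_dir, 'data', 'backend_acl', v['input']
+)
+argument = " -j {} -t {} > {}".format(
+input_file, acl_template, self.output_file
+)
+sample_output_file = os.path.join(
+self.test_dir, 'data', 'backend_acl', v['output']
+)
+self.run_script(argument)
+assert utils.cmp(sample_output_file, self.output_file), self.run_diff(sample_output_file, self.output_file)
+
 def tearDown(self):
 os.environ["CFGGEN_UNIT_TESTING"] = ""
 try: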
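Review bot: `for _, v in test_list.items():` in test_backend_acl_template_render discards the key on every iteration; `for v in test_list.values():` says the same thing without the throwaway name, and since the `'single_vlan'`/`'multi_vlan'` keys are never read, `test_list` could equally be a list of the two case dicts. Both fixtures cover only VLANs that have members, so the case of a VLAN with no VLAN_MEMBER entries — where the template renders an empty interface string — has no expected-output file; a third input/output pair in `test_list` would pin whatever behaviour is intended there. The enclosing test class starts outside the hunk.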
