
Commit 2851212

jlevequeyxieca
authored andcommitted
[minigraph.py] Add support for 'OutAcl' keyword and attaching ACLs to VLAN interfaces (#4229)
- Support parsing egress ACLs from minigraph file specified by the "OutAcl" element - Support attaching ACLs to VLAN interfaces
1 parent 4bb2190 commit 2851212


3 files changed

+26
-11
lines changed


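--- a/src/sonic-config-engine/minigraph.py
+++ b/src/sonic-config-engine/minigraph.py
@@ -230,7 +230,14 @@ def parse_dpg(dpg, hname):
 aclintfs = child.find(str(QName(ns, "AclInterfaces")))
 acls = {}
 for aclintf in aclintfs.findall(str(QName(ns, "AclInterface"))):
-aclname = aclintf.find(str(QName(ns, "InAcl"))).text.upper().replace(" ", "_").replace("-", "_")
+if aclintf.find(str(QName(ns, "InAcl"))) is not None:
+aclname = aclintf.find(str(QName(ns, "InAcl"))).text.upper().replace(" ", "_").replace("-", "_")
+stage = "ingress"
+elif aclintf.find(str(QName(ns, "OutAcl"))) is not None:
+aclname = aclintf.find(str(QName(ns, "OutAcl"))).text.upper().replace(" ", "_").replace("-", "_")
+stage = "egress"
+else:
+system.exit("Error: 'AclInterface' must contain either an 'InAcl' or 'OutAcl' subelement.")
 aclattach = aclintf.find(str(QName(ns, "AttachTo"))).text.split(';')
 acl_intfs = []
 is_mirror = False
@@ -247,7 +254,7 @@ def parse_dpg(dpg, hname):
 # to LAG will be applied to all the LAG members internally by SAI/SDK
 acl_intfs.append(member)
 elif vlans.has_key(member):
-print >> sys.stderr, "Warning: ACL " + aclname + " is attached to a Vlan interface, which is currently not supported"
+acl_intfs.append(member)
 elif port_alias_map.has_key(member):
 acl_intfs.append(port_alias_map[member])
 # Give a warning if trying to attach ACL to a LAG member interface, correct way is to attach ACL to the LAG interface
@@ -270,13 +277,14 @@ def parse_dpg(dpg, hname):
 break
 if acl_intfs:
 acls[aclname] = {'policy_desc': aclname,
+'stage': stage,
 'ports': acl_intfs}
 if is_mirror:
 acls[aclname]['type'] = 'MIRROR'
 elif is_mirror_v6:
 acls[aclname]['type'] = 'MIRRORV6'
 else:
-acls[aclname]['type'] = 'L3'
+acls[aclname]['type'] = 'L3V6' if 'v6' in aclname.lower() else 'L3'
 else:
 # This ACL has no interfaces to attach to -- consider this a control plane ACL
 try:
@@ -294,6 +302,7 @@ def parse_dpg(dpg, hname):
 else:
 acls[aclname] = {'policy_desc': aclname,
 'type': 'CTRLPLANE',
+'stage': stage,
 'services': [aclservice]}
 except:
 print >> sys.stderr, "Warning: Ignoring Control Plane ACL %s without type" % aclname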
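Review bot: The new `else:` branch in the first hunk calls `system.exit(...)`, but no visible line defines `system`; the rest of the function uses `sys` (`print >> sys.stderr`). An `AclInterface` with neither `InAcl` nor `OutAcl` would therefore most likely raise NameError instead of printing the intended message, so the line should read `sys.exit("Error: 'AclInterface' must contain either an 'InAcl' or 'OutAcl' subelement.")`. Separately, in the third hunk `'L3V6' if 'v6' in aclname.lower() else 'L3'` picks the table type from a substring of the ACL name, so a constructed name such as `DEV6_ACL` would be typed L3V6 and an IPv6 ACL without "v6" in its name would be typed L3. If downstream consumers trust `type`, the intended filter may not be applied, so the naming convention deserves at least a comment or a stricter match. parse_dpg begins and ends outside these hunks.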

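--- a/src/sonic-config-engine/tests/t0-sample-graph.xml
+++ b/src/sonic-config-engine/tests/t0-sample-graph.xml
@@ -305,7 +305,12 @@
 </AclInterface>
 <AclInterface>
 <AttachTo>PortChannel01;PortChannel02;PortChannel03;PortChannel04</AttachTo>
-<InAcl>DataAcl</InAcl>
+<InAcl>DataAclIngress</InAcl>
+<Type>DataPlane</Type>
+</AclInterface>
+<AclInterface>
+<AttachTo>PortChannel01;PortChannel02</AttachTo>
+<OutAcl>DataAclEgress</OutAcl>
 <Type>DataPlane</Type>
 </AclInterface>
 <AclInterface>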

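--- a/src/sonic-config-engine/tests/test_cfggen.py
+++ b/src/sonic-config-engine/tests/test_cfggen.py
@@ -84,13 +84,14 @@ def test_minigraph_acl(self):
 self.assertEqual(output.strip(), "Warning: Ignoring Control Plane ACL NTP_ACL without type\n"
 "Warning: ignore interface 'fortyGigE0/2' as it is not in the port_config.ini\n"
 "Warning: ignore interface 'fortyGigE0/2' in DEVICE_NEIGHBOR as it is not in the port_config.ini\n"
-"{'DATAACL': {'type': 'L3', 'policy_desc': 'DATAACL', 'ports': ['PortChannel01', 'PortChannel02', 'PortChannel03', 'PortChannel04']}, "
-"'NTP_ACL': {'services': ['NTP'], 'type': 'CTRLPLANE', 'policy_desc': 'NTP_ACL'}, "
-"'EVERFLOW': {'type': 'MIRROR', 'policy_desc': 'EVERFLOW', 'ports': ['PortChannel01', 'PortChannel02', 'PortChannel03', 'PortChannel04', 'Ethernet4']}, "
-"'ROUTER_PROTECT': {'services': ['SSH', 'SNMP'], 'type': 'CTRLPLANE', 'policy_desc': 'ROUTER_PROTECT'}, "
-"'SNMP_ACL': {'services': ['SNMP'], 'type': 'CTRLPLANE', 'policy_desc': 'SNMP_ACL'}, "
-"'SSH_ACL': {'services': ['SSH'], 'type': 'CTRLPLANE', 'policy_desc': 'SSH_ACL'}, "
-"'EVERFLOWV6': {'type': 'MIRRORV6', 'policy_desc': 'EVERFLOWV6', 'ports': ['PortChannel01', 'PortChannel02', 'PortChannel03', 'PortChannel04', 'Ethernet4']}}")
+"{'NTP_ACL': {'services': ['NTP'], 'type': 'CTRLPLANE', 'policy_desc': 'NTP_ACL', 'stage': 'ingress'}, "
+"'EVERFLOW': {'stage': 'ingress', 'type': 'MIRROR', 'ports': ['PortChannel01', 'PortChannel02', 'PortChannel03', 'PortChannel04', 'Ethernet4'], 'policy_desc': 'EVERFLOW'}, "
+"'ROUTER_PROTECT': {'services': ['SSH', 'SNMP'], 'type': 'CTRLPLANE', 'policy_desc': 'ROUTER_PROTECT', 'stage': 'ingress'}, "
+"'DATAACLINGRESS': {'stage': 'ingress', 'type': 'L3', 'ports': ['PortChannel01', 'PortChannel02', 'PortChannel03', 'PortChannel04'], 'policy_desc': 'DATAACLINGRESS'}, "
+"'SNMP_ACL': {'services': ['SNMP'], 'type': 'CTRLPLANE', 'policy_desc': 'SNMP_ACL', 'stage': 'ingress'}, "
+"'SSH_ACL': {'services': ['SSH'], 'type': 'CTRLPLANE', 'policy_desc': 'SSH_ACL', 'stage': 'ingress'}, "
+"'DATAACLEGRESS': {'stage': 'egress', 'type': 'L3', 'ports': ['PortChannel01', 'PortChannel02'], 'policy_desc': 'DATAACLEGRESS'}, "
+"'EVERFLOWV6': {'stage': 'ingress', 'type': 'MIRRORV6', 'ports': ['PortChannel01', 'PortChannel02', 'PortChannel03', 'PortChannel04', 'Ethernet4'], 'policy_desc': 'EVERFLOWV6'}}")
 
 # everflow portion is not used
 # def test_minigraph_everflow(self):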
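Review bot: The updated expectation in test_minigraph_acl lists only PortChannel and Ethernet ports with types L3, MIRROR, MIRRORV6 and CTRLPLANE, so three behaviours this commit adds to minigraph.py are not exercised: an ACL attached to a VLAN interface, the `L3V6` type, and an `AclInterface` with neither `InAcl` nor `OutAcl`. Fixture entries and assertions for those cases would pin the new ACL-binding logic, and the last one would exercise the new error branch. The assertion also compares against the printed dict text, so a change in key order forces the whole literal to be rewritten, as this hunk shows; comparing parsed values would be less brittle. test_minigraph_acl begins outside the hunk.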
