ACL YANG: Enforce TCP_FLAGS must constraint in ACL YANG model by xincunli-sonic · Pull Request #25357 · sonic-net/sonic-buildimage

xincunli-sonic · 2026-02-04T21:00:47Z

Why I did it

To improve the ACL YANG model by enforcing that TCP_FLAGS can only be used in ACL table types that explicitly support this match field, ensuring correct model behavior and configuration validation.

Work item tracking

Microsoft ADO (number only): 36310699

How I did it

Updated the ACL YANG model to add a must constraint for TCP_FLAGS.
Added/updated test cases and configuration to verify the new constraint.

How to verify it

Validate the ACL YANG model with various configs. Incorrect usage of TCP_FLAGS should now trigger a must constraint error, confirming the model improvement.
Running Config

{               
    "ACL_RULE": {
        "FROM_HOST_DACL|RULE_2001": {
            "IP_PROTOCOL": "6",
            "L4_SRC_PORT": "16500",
            "PACKET_ACTION": "FORWARD",
            "PRIORITY": "10",
            "TCP_FLAGS": "0x12/0x12"
        }
    },      
    "ACL_TABLE": {
...
        "FROM_HOST_DACL": {
            "policy_desc": "Test ACL Table for TCP_FLAGS validation",
            "stage": "INGRESS",
            "type": "L3_L4"
        },
...
    "ACL_TABLE_TYPE": {
        "L3_L4": {
            "ACTIONS": [
                "PACKET_ACTION",
                "COUNTER"
            ],
            "BIND_POINTS": [
                "PORT"
            ],
            "MATCHES": [
                "DST_IP",
                "DST_IPV6",
                "ETHER_TYPE",
                "IN_PORTS",
                "L4_DST_PORT",
                "L4_DST_PORT_RANGE",
                "IP_PROTOCOL",
                "IP_TYPE",
                "SRC_IP",
                "TCP_FLAGS"
            ]
        }
    },

GCU Patch

admin@str2-8101c1-09:~$ cat aclstep2.json 
[
    {
        "op": "add",
        "path": "/ACL_RULE",
        "value": {}
    },
    {
        "op": "add",
        "path": "/ACL_RULE/FROM_HOST_DACL|RULE_2001",
        "value": {
            "PRIORITY": "10",
            "PACKET_ACTION": "FORWARD",
            "IP_PROTOCOL": 6,
            "L4_SRC_PORT": 16500,
            "TCP_FLAGS": "0x12/0x12"
        }
    }
]

admin@str2-8101c1-09:~$ sudo config apply-patch aclstep2.json 
Patch Applier: localhost: Patch application starting.
Patch Applier: localhost: Patch: [{"op": "add", "path": "/ACL_RULE", "value": {"FROM_HOST_DACL|RULE_2001": {"PRIORITY": "10", "PACKET_ACTION": "FORWARD", "IP_PROTOCOL": 6, "L4_SRC_PORT": 16500, "TCP_FLAGS": "0x12/0x12"}}}, {"op": "add", "path": "/ACL_RULE/FROM_HOST_DACL|RULE_2001", "value": {"PRIORITY": "10", "PACKET_ACTION": "FORWARD", "IP_PROTOCOL": 6, "L4_SRC_PORT": 16500, "TCP_FLAGS": "0x12/0x12"}}]
Patch Applier: localhost getting current config db.
Patch Applier: localhost: simulating the target full config after applying the patch.
Patch Applier: localhost: validating all JsonPatch operations are permitted on the specified fields
Patch Applier: localhost: validating target config does not have empty tables,
                            since they do not show up in ConfigDb.
Patch Applier: localhost: sorting patch updates.
Patch Applier: The localhost patch was converted into 1 change:
Patch Applier: localhost: applying 1 change in order:
Patch Applier:   * [{"op": "add", "path": "/ACL_RULE", "value": {"FROM_HOST_DACL|RULE_2001": {"PRIORITY": "10", "PACKET_ACTION": "FORWARD", "IP_PROTOCOL": 6, "L4_SRC_PORT": 16500, "TCP_FLAGS": "0x12/0x12"}}}]
Patch Applier: localhost: verifying patch updates are reflected on ConfigDB.
...

admin@str2-8101c1-09:~$ cat aclremovetcp.json 
[
    {
        "op": "replace",
        "path": "/ACL_TABLE_TYPE/L3_l4/MATCHES",
        "value": [
            "DST_IP",
            "DST_IPV6",
            "ETHER_TYPE",
            "IN_PORTS",
            "L4_DST_PORT",
            "L4_DST_PORT_RANGE",
            "IP_PROTOCOL",
            "IP_TYPE",
            "SRC_IP"
        ]
    }
]

admin@str2-8101c1-09:~$ sudo config apply-patch aclstep2.json 
libyang[0]: Must condition "not(TCP_FLAGS) or count(/sonic-acl:sonic-acl/sonic-acl:ACL_TABLE_TYPE/sonic-acl:ACL_TABLE_TYPE_LIST[sonic-acl:ACL_TABLE_TYPE_NAME = /sonic-acl:sonic-acl/sonic-acl:ACL_TABLE/sonic-acl:ACL_TABLE_LIST[sonic-acl:ACL_TABLE_NAME = current()/ACL_TABLE_NAME]/sonic-acl:type]/sonic-acl:MATCHES[. = 'TCP_FLAGS']) > 0" not satisfied. (path: /sonic-acl:sonic-acl/ACL_RULE/ACL_RULE_LIST[ACL_TABLE_NAME='FROM_HOST_DACL'][RULE_NAME='RULE_2001'])
libyang[0]: TCP_FLAGS match field is not supported by the ACL table type (path: /sonic-acl:sonic-acl/ACL_RULE/ACL_RULE_LIST[ACL_TABLE_NAME='FROM_HOST_DACL'][RULE_NAME='RULE_2001'])
sonic_yang(3):Data Loading Failed:TCP_FLAGS match field is not supported by the ACL table type
Failed to apply patch due to: Validate json patch: [{"op": "add", "path": "/ACL_RULE", "value": {"FE_FROM_HOST_DACL|RULE_2001": {"PRIORITY": "10", "PACKET_ACTION": "FORWARD", "IP_PROTOCOL": 6, "L4_SRC_PORT": 16500, "TCP_FLAGS": "0x12/0x12"}}}, {"op": "add", "path": "/ACL_RULE/FROM_HOST_DACL|RULE_2001", "value": {"PRIORITY": "10", "PACKET_ACTION": "FORWARD", "IP_PROTOCOL": 6, "L4_SRC_PORT": 16500, "TCP_FLAGS": "0x12/0x12"}}] failed due to:Data Loading Failed
TCP_FLAGS match field is not supported by the ACL table type
Usage: config apply-patch [OPTIONS] PATCH_FILE_PATH
Try "config apply-patch -h" for help.

Error: Validate json patch: [{"op": "add", "path": "/ACL_RULE", "value": {"FROM_HOST_DACL|RULE_2001": {"PRIORITY": "10", "PACKET_ACTION": "FORWARD", "IP_PROTOCOL": 6, "L4_SRC_PORT": 16500, "TCP_FLAGS": "0x12/0x12"}}}, {"op": "add", "path": "/ACL_RULE/FROM_HOST_DACL|RULE_2001", "value": {"PRIORITY": "10", "PACKET_ACTION": "FORWARD", "IP_PROTOCOL": 6, "L4_SRC_PORT": 16500, "TCP_FLAGS": "0x12/0x12"}}] failed due to:Data Loading Failed
TCP_FLAGS match field is not supported by the ACL table type

Which release branch to backport (provide reason below if selected)

Tested branch (Please provide the tested image version)

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

mssonicbld · 2026-02-04T21:00:55Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-02-04T21:01:10Z

Azure Pipelines successfully started running 1 pipeline(s).

mssonicbld · 2026-02-04T21:02:50Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-02-04T21:03:06Z

Azure Pipelines successfully started running 1 pipeline(s).

mssonicbld · 2026-02-04T23:11:55Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-02-04T23:12:06Z

Azure Pipelines successfully started running 1 pipeline(s).

mssonicbld · 2026-02-04T23:12:50Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-02-04T23:13:02Z

Azure Pipelines successfully started running 1 pipeline(s).

mssonicbld · 2026-02-05T22:51:16Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-02-05T22:51:29Z

Azure Pipelines successfully started running 1 pipeline(s).

mssonicbld · 2026-02-05T22:52:18Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-02-05T22:52:29Z

Azure Pipelines successfully started running 1 pipeline(s).

mssonicbld · 2026-02-06T18:02:37Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-02-06T18:02:52Z

Azure Pipelines successfully started running 1 pipeline(s).

mssonicbld · 2026-02-06T18:03:32Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-02-06T18:03:44Z

Azure Pipelines successfully started running 1 pipeline(s).

mssonicbld · 2026-02-06T20:56:31Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-02-06T20:56:43Z

Azure Pipelines successfully started running 1 pipeline(s).

mssonicbld · 2026-02-06T21:58:53Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-02-06T21:58:59Z

Azure Pipelines will not run the associated pipelines, because the pull request was updated after the run command was issued. Review the pull request again and issue a new run command.

mssonicbld · 2026-02-06T21:59:49Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-02-06T22:00:02Z

Azure Pipelines successfully started running 1 pipeline(s).

xincunli-sonic · 2026-03-11T19:18:29Z

/azpw run

mssonicbld · 2026-03-11T19:18:33Z

/AzurePipelines run

azure-pipelines · 2026-03-11T19:18:50Z

Azure Pipelines successfully started running 1 pipeline(s).

xincunli-sonic · 2026-03-12T00:34:19Z

/azpw run

mssonicbld · 2026-03-12T00:34:23Z

/AzurePipelines run

azure-pipelines · 2026-03-12T00:34:37Z

Azure Pipelines successfully started running 1 pipeline(s).

xincunli-sonic · 2026-03-13T21:36:03Z

/azpw run

mssonicbld · 2026-03-13T21:36:05Z

/AzurePipelines run

azure-pipelines · 2026-03-13T21:36:21Z

Azure Pipelines successfully started running 1 pipeline(s).

xincunli-sonic · 2026-03-15T23:57:43Z

/azpw run

mssonicbld · 2026-03-15T23:57:47Z

/AzurePipelines run

azure-pipelines · 2026-03-15T23:58:01Z

Azure Pipelines successfully started running 1 pipeline(s).

Signed-off-by: Xincun Li <stli@microsoft.com>

mssonicbld · 2026-03-16T16:01:19Z

/azp run Azure.sonic-buildimage

azure-pipelines · 2026-03-16T16:01:39Z

Azure Pipelines successfully started running 1 pipeline(s).

…net#25357) Why I did it: Improve ACL YANG model by enforcing that TCP_FLAGS can only be used in ACL table types that explicitly support this match field, ensuring correct model behavior and configuration validation. How I did it: Updated the ACL YANG model to add a must constraint for TCP_FLAGS. Added/updated test cases and configuration to verify the new constraint. How to verify it: Validate the ACL YANG model with various configs. Incorrect usage of TCP_FLAGS now triggers a must constraint error. Signed-off-by: Xincun Li <stli@microsoft.com> Signed-off-by: arlakshm <arlakshm@microsoft.com>

xincunli-sonic requested a review from qiluo-msft as a code owner February 4, 2026 21:00

xincunli-sonic force-pushed the xincun/add-tcp_flags-check branch from ef47832 to 3e0bb98 Compare February 4, 2026 21:01

xincunli-sonic changed the title ~~ACL YANG: add TCP_GFLAGS check with MATCHES~~ ACL YANG: Enforce TCP_FLAGS must constraint in ACL YANG model Feb 4, 2026

xincunli-sonic force-pushed the xincun/add-tcp_flags-check branch from cfac15d to 2245d06 Compare February 4, 2026 23:12

xincunli-sonic force-pushed the xincun/add-tcp_flags-check branch from cddcd98 to d4f5fdd Compare February 5, 2026 22:51

xincunli-sonic force-pushed the xincun/add-tcp_flags-check branch from b442c17 to 97d57c7 Compare February 6, 2026 18:02

xincunli-sonic force-pushed the xincun/add-tcp_flags-check branch from 1504af2 to 0269234 Compare February 6, 2026 20:56

xincunli-sonic force-pushed the xincun/add-tcp_flags-check branch from e2a27d5 to 3adade9 Compare February 6, 2026 21:58

xincunli-sonic changed the title ~~[Improve to generic]ACL YANG: Enforce TCP_FLAGS must constraint in ACL YANG model~~ ACL YANG: Enforce TCP_FLAGS must constraint in ACL YANG model Mar 11, 2026

r12f approved these changes Mar 14, 2026

View reviewed changes

xincunli-sonic added 10 commits March 16, 2026 09:00

ACL YANG: add TCP_GFLAGS check with MATCHES

748b587

Signed-off-by: Xincun Li <stli@microsoft.com>

add supported and unsupported.

dd46241

Signed-off-by: Xincun Li <stli@microsoft.com>

Add lanes

aca9759

Signed-off-by: Xincun Li <stli@microsoft.com>

fix eStr

2d96ba1

Signed-off-by: Xincun Li <stli@microsoft.com>

fix test

a566cf9

Signed-off-by: Xincun Li <stli@microsoft.com>

remove custom error message.

8328a55

Signed-off-by: Xincun Li <stli@microsoft.com>

Add semi colon

7562704

Signed-off-by: Xincun Li <stli@microsoft.com>

Fix valid case.

2af51a3

Signed-off-by: Xincun Li <stli@microsoft.com>

Fix sample config db

b08c57f

Signed-off-by: Xincun Li <stli@microsoft.com>

Rename sample acl table type

5113fa2

Signed-off-by: Xincun Li <stli@microsoft.com>

xincunli-sonic force-pushed the xincun/add-tcp_flags-check branch from 3592070 to 5113fa2 Compare March 16, 2026 16:01

vaibhavhd approved these changes Mar 17, 2026

View reviewed changes

yxieca merged commit 081c473 into sonic-net:master Mar 17, 2026
20 checks passed

Conversation

xincunli-sonic commented Feb 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Why I did it

Work item tracking

How I did it

How to verify it

Which release branch to backport (provide reason below if selected)

Tested branch (Please provide the tested image version)

Description for the changelog

Link to config_db schema for YANG module changes

A picture of a cute animal (not mandatory but encouraged)

Uh oh!

mssonicbld commented Feb 4, 2026

Uh oh!

azure-pipelines bot commented Feb 4, 2026

Uh oh!

mssonicbld commented Feb 4, 2026

Uh oh!

azure-pipelines bot commented Feb 4, 2026

Uh oh!

mssonicbld commented Feb 4, 2026

Uh oh!

azure-pipelines bot commented Feb 4, 2026

Uh oh!

mssonicbld commented Feb 4, 2026

Uh oh!

azure-pipelines bot commented Feb 4, 2026

Uh oh!

mssonicbld commented Feb 5, 2026

Uh oh!

azure-pipelines bot commented Feb 5, 2026

Uh oh!

mssonicbld commented Feb 5, 2026

Uh oh!

azure-pipelines bot commented Feb 5, 2026

Uh oh!

mssonicbld commented Feb 6, 2026

Uh oh!

azure-pipelines bot commented Feb 6, 2026

Uh oh!

mssonicbld commented Feb 6, 2026

Uh oh!

azure-pipelines bot commented Feb 6, 2026

Uh oh!

mssonicbld commented Feb 6, 2026

Uh oh!

azure-pipelines bot commented Feb 6, 2026

Uh oh!

mssonicbld commented Feb 6, 2026

Uh oh!

azure-pipelines bot commented Feb 6, 2026

Uh oh!

mssonicbld commented Feb 6, 2026

Uh oh!

azure-pipelines bot commented Feb 6, 2026

Uh oh!

xincunli-sonic commented Mar 11, 2026

Uh oh!

mssonicbld commented Mar 11, 2026

Uh oh!

azure-pipelines bot commented Mar 11, 2026

Uh oh!

xincunli-sonic commented Mar 12, 2026

Uh oh!

mssonicbld commented Mar 12, 2026

Uh oh!

azure-pipelines bot commented Mar 12, 2026

Uh oh!

xincunli-sonic commented Mar 13, 2026

Uh oh!

mssonicbld commented Mar 13, 2026

Uh oh!

azure-pipelines bot commented Mar 13, 2026

Uh oh!

xincunli-sonic commented Mar 15, 2026

Uh oh!

mssonicbld commented Mar 15, 2026

Uh oh!

azure-pipelines bot commented Mar 15, 2026

xincunli-sonic commented Feb 4, 2026 •

edited

Loading