Add script null_route_helper

[bingwang-ms]

This is a backport of #1737

Signed-off-by: bingwang bingwang@microsoft.com

What I did

This PR introduced a new helper script null_route_helper.

null_route_helper is a utility for blocking and unblocking traffic from given source ip_prefix on ACL tables.
The block operation will insert a DENY rule at the top of the table. The unblock operation will remove an existing DENY rule that has been created by the block operation (i.e. it does NOT insert an ALLOW rule, only removes DENY rules).
Since SONiC supports multi ACL rules share the same priority, all ACL rules created by null_route_helper will use the highest priority(9999).

Example:

Block traffic from 10.2.3.4/32:
./null_route_helper acl_table_name block 10.2.3.4/32

Unblock all traffic from 10.2.3.4/32:
./null_route_helper acl_table_name unblock 10.2.3.4/32

How I did it

The feature is implemented with applying ACL rules.

How to verify it

Verified with both unit test and traffic test

tests/null_route_helper_test.py::test_ip_validation PASSED                                                                                                                                      [ 11%]
tests/null_route_helper_test.py::test_ip_ver PASSED                                                                                                                                             [ 22%]
tests/null_route_helper_test.py::test_check_table_existence PASSED                                                                                                                              [ 33%]
tests/null_route_helper_test.py::test_build_rule PASSED                                                                                                                                         [ 44%]
tests/null_route_helper_test.py::test_get_rule PASSED                                                                                                                                           [ 55%]
tests/null_route_helper_test.py::test_run_when_table_absent PASSED                                                                                                                              [ 66%]
tests/null_route_helper_test.py::test_run_with_invalid_ip PASSED                                                                                                                                [ 77%]
tests/null_route_helper_test.py::test_block PASSED                                                                                                                                              [ 88%]
tests/null_route_helper_test.py::test_unblock PASSED                                                                                                                                            [100%]

Name                                          Stmts   Miss Branch BrPart  Cover
-------------------------------------------------------------------------------
scripts/null_route_helper                        96      4     24      1    96%

The coverage is not 100 since below line can't be covered

if __name__ == "__main__":
    cli()

Previous command output (if the output of a command-line utility has changed)

New command output (if the output of a command-line utility has changed)

[bingwang-ms]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[prsunny]

Please update command reference guide.

[prsunny]

Can you reuse anything from utils?

[bingwang-ms]

The validate_input in this PR will add prefix len for IP addresses that don't explicitly set prefix. For example, 1.2.3.4 is changed to 1.2.3.4/32. The common utils may not do this.

[prsunny]

I think here we should be adding a rule even if it doesn't exist, may be for managing priorities. Why is it skipped here?

[qiluo-msft]

Because it will be allowed anyway?

[prsunny]

yes

[qiluo-msft]

So no need to add a rule.

[bingwang-ms]

I think here we should be adding a rule even if it doesn't exist, may be for managing priorities. Why is it skipped here?

I skip here since there will be a default ALLOW rule in the pre-created ACL table. Is it necessary to add an ALLOW rule for a certain prefix?

[prsunny]

my concern is, lets say user specifies "unblock 1.2.3.4/32" and if there is some rule in between that says 1.2.3.0/24 drop. In this case if we don't explicitly add the "allow" rule, it will get dropped.

[bingwang-ms]

That's a good catch. We discuss about it offline, and confirm that all prefix len are 32 (For IPv4) or 128 (IPv6). Based on this acknowledge, it shouldn't be a issue. I will update the validate_input interface to ensure that. Thanks

[qiluo-msft]

python3

We need this feature on 201911 branch, so please make sure it could run on python2. Seems we could not cherry-pick directly. #WontFix

[qiluo-msft]

If you tested the same script with both python2/3, you can change it to

#!/usr/bin/env python

[bingwang-ms]

#!/usr/bin/env python doesn't work on 202012 image since it will point to python2, and several packages are missing. I think the only way to solve the issue is to create another PR for 201911 or earlier image. It's not a clean cherry-pick.

[prsunny]

sonic-utilities can no longer be cherry-picked to 201911. We faced it few times and suggest to create a new PR to 201911

[qiluo-msft]

unblock

./null_route_helper acl_table_name unblock 10.2.3.4/32

---

There is no action to list all the exising rules. So if a user want to unblock all, it's inconvenient #Closed

[bingwang-ms]

It's a good suggestion. Thanks.
I was thinking which one is better, a list command or a unblock all command? Any suggestions?

[qiluo-msft]

list command will be useful in many cases, including

1. unblock all
2. verify existing rules

[bingwang-ms]

I added a new interface list. Thanks

[qiluo-msft]

Add the list command in the usage comment?

[qiluo-msft]

swsssdk

from swsssdk import ConfigDBConnector

---

Please use swsscommon on master branch. #Closed

[bingwang-ms]

Updated. Thanks

[qiluo-msft]

table_name

target_table = configdb.get_entry(CONFIG_DB_ACL_TABLE_TABLE, table_name)

---

Both arguments are table names, confusing. #Closed

[bingwang-ms]

Updated. Thanks

[qiluo-msft]

check_table_existence

def check_table_existence(configdb, table_name):

---

-> get_config_db_acl_table_subtable or something similiar? #Closed

[bingwang-ms]

Updated. Thanks

[qiluo-msft]

ip_network

If you keep this variable, you can reuse it in future, such as check prefix length. #Closed

[bingwang-ms]

I don't like to add a global variable to save the ip version. Any better ideas?

[bingwang-ms]

I don't like to add a global variable to save the return value. Any better ideas?

[qiluo-msft]

I don't like global var either. To clarify, I mean the object of ip_network is very useful, and you could deduce many attributes from it such as prefix length, not only the version.

[qiluo-msft]

0x0800

rule['ETHER_TYPE'] = str(0x0800)

---

Explain magic number? #Closed

[bingwang-ms]

Updated. Thanks

[qiluo-msft]

check_table_existence

check_table_existence(configdb, acl_table_name)

---

If you store the return value, will you optimize below code? #WontFix

[qiluo-msft]

mod_entry

Do you actually delete the rule? add some comment to help reading. #Closed

[bingwang-ms]

Yes. I checked the code and confirm the entry will be deleted. Also verified in test.
https://github.com/Azure/sonic-swss-common/blob/bf8c832cf1c7a6e72d7b1c843888ffb4a27088c8/common/configdb.cpp#L96

[qiluo-msft]

helper

def helper(table_name, ip_prefix, action):

---

Use a better name? #Closed

[bingwang-ms]

Updated. Thanks

[bingwang-ms]

Hi @qiluo-msft @prsunny . All comments were addressed. And the unit test code was also checked in. Please help to review. Thanks

[qiluo-msft]

/32

we can remove the prefix completely from CLI

[bingwang-ms]

Thanks, I will update.

[qiluo-msft]

Block. This PR should go master first, and then 201911 and later branches.

[bingwang-ms]

Block. This PR should go master first, and then 201911 and later branches.

OK. I will hold on merging this PR and create a same PR to master branch.

[bingwang-ms]

Same PR created for master branch #1737