[caclmgrd] seperate CTRL_PLANE_ACL_TABLE

src/sonic-config-engine/minigraph.py

@@ -583,6 +583,7 @@ def parse_dpg(dpg, hname):
             vlans[sonic_vlan_name] = vlan_attributes
 
         acls = {}
+        ctrl_plane_acls = {}
         for aclintf in aclintfs.findall(str(QName(ns, "AclInterface"))):
             if aclintf.find(str(QName(ns, "InAcl"))) is not None:
                 aclname = aclintf.find(str(QName(ns, "InAcl"))).text.upper().replace(" ", "_").replace("-", "_")
@@ -662,18 +663,15 @@ def parse_dpg(dpg, hname):
 
                     # If we already have an ACL with this name and this ACL is bound to a different service,
                     # append the service to our list of services
-                    if aclname in acls:
-                        if acls[aclname]['type'] != 'CTRLPLANE':
-                            print("Warning: ACL '%s' type mismatch. Not updating ACL." % aclname, file=sys.stderr)
-                        elif acls[aclname]['services'] == aclservice:
+                    if aclname in ctrl_plane_acls:
+                        if ctrl_plane_acls[aclname]['services'] == aclservice:
                             print("Warning: ACL '%s' already contains service '%s'. Not updating ACL." % (aclname, aclservice), file=sys.stderr)
                         else:
-                            acls[aclname]['services'].append(aclservice)
+                            ctrl_plane_acls[aclname]['services'].append(aclservice)
                     else:
-                        acls[aclname] = {'policy_desc': aclname,
-                                         'type': 'CTRLPLANE',
-                                         'stage': stage,
-                                         'services': [aclservice]}
+                        ctrl_plane_acls[aclname] = {'policy_desc': aclname,
+                                                    'stage': stage,
+                                                    'services': [aclservice]}
                 except:
                     print("Warning: Ignoring Control Plane ACL %s without type" % aclname, file=sys.stderr)
 
@@ -696,7 +694,7 @@ def parse_dpg(dpg, hname):
                     if mg_key in mg_tunnel.attrib:
                         tunnelintfs[tunnel_type][tunnel_name][table_key] = mg_tunnel.attrib[mg_key]
 
-        return intfs, lo_intfs, mvrf, mgmt_intf, voq_inband_intfs, vlans, vlan_members, dhcp_relay_table, pcs, pc_members, acls, vni, tunnelintfs, dpg_ecmp_content
+        return intfs, lo_intfs, mvrf, mgmt_intf, voq_inband_intfs, vlans, vlan_members, dhcp_relay_table, pcs, pc_members, acls, ctrl_plane_acls, vni, tunnelintfs, dpg_ecmp_content
     return None, None, None, None, None, None, None, None, None, None, None, None, None
 
 def parse_host_loopback(dpg, hname):
@@ -1223,7 +1221,7 @@ def parse_xml(filename, platform=None, port_config_file=None, asic_name=None, hw
     for child in root:
         if asic_name is None:
             if child.tag == str(QName(ns, "DpgDec")):
-                (intfs, lo_intfs, mvrf, mgmt_intf, voq_inband_intfs, vlans, vlan_members, dhcp_relay_table, pcs, pc_members, acls, vni, tunnel_intfs, dpg_ecmp_content) = parse_dpg(child, hostname)
+                (intfs, lo_intfs, mvrf, mgmt_intf, voq_inband_intfs, vlans, vlan_members, dhcp_relay_table, pcs, pc_members, acls, ctrl_plane_acls, vni, tunnel_intfs, dpg_ecmp_content) = parse_dpg(child, hostname)
             elif child.tag == str(QName(ns, "CpgDec")):
                 (bgp_sessions, bgp_internal_sessions, bgp_voq_chassis_sessions, bgp_asn, bgp_peers_with_range, bgp_monitors) = parse_cpg(child, hostname)
             elif child.tag == str(QName(ns, "PngDec")):
@@ -1238,7 +1236,7 @@ def parse_xml(filename, platform=None, port_config_file=None, asic_name=None, hw
                 (port_speeds_default, port_descriptions, sys_ports) = parse_deviceinfo(child, hwsku)
         else:
             if child.tag == str(QName(ns, "DpgDec")):
-                (intfs, lo_intfs, mvrf, mgmt_intf, voq_inband_intfs, vlans, vlan_members, dhcp_relay_table, pcs, pc_members, acls, vni, tunnel_intfs, dpg_ecmp_content) = parse_dpg(child, asic_name)
+                (intfs, lo_intfs, mvrf, mgmt_intf, voq_inband_intfs, vlans, vlan_members, dhcp_relay_table, pcs, pc_members, acls, ctrl_plane_acls, vni, tunnel_intfs, dpg_ecmp_content) = parse_dpg(child, asic_name)
                 host_lo_intfs = parse_host_loopback(child, hostname)
             elif child.tag == str(QName(ns, "CpgDec")):
                 (bgp_sessions, bgp_internal_sessions, bgp_voq_chassis_sessions, bgp_asn, bgp_peers_with_range, bgp_monitors) = parse_cpg(child, asic_name, local_devices)
@@ -1590,6 +1588,7 @@ def parse_xml(filename, platform=None, port_config_file=None, asic_name=None, hw
     results['NTP_SERVER'] = dict((item, {}) for item in ntp_servers)
     results['TACPLUS_SERVER'] = dict((item, {'priority': '1', 'tcp_port': '49'}) for item in tacacs_servers)
     results['ACL_TABLE'] = filter_acl_table_bindings(acls, neighbors, pcs, sub_role)
+    results['CTRL_PLANE_ACL_TABLE'] = filter_acl_table_bindings(ctrl_plane_acls, neighbors, pcs, sub_role)
     results['FEATURE'] = {
         'telemetry': {
             'status': 'enabled'

src/sonic-config-engine/tests/test_yang_data.json

@@ -261,24 +261,6 @@
                     ],
                     "stage": "ingress",
                     "type": "MIRRORV6"
-                },
-                {
-                    "ACL_TABLE_NAME": "SNMP_ACL",
-                    "policy_desc": "SNMP_ACL",
-                    "services": [
-                        "SNMP"
-                    ],
-                    "stage": "ingress",
-                    "type": "CTRLPLANE"
-                },
-                {
-                    "ACL_TABLE_NAME": "SSH_ONLY",
-                    "policy_desc": "SSH_ONLY",
-                    "services": [
-                        "SSH"
-                    ],
-                    "stage": "ingress",
-                    "type": "CTRLPLANE"
                 }
             ]
         },
@@ -304,6 +286,30 @@
             ]
         }
     },
+    "sonic-ctrl-plane-acl:sonic-ctrl-plane-acl": {
+        "sonic-ctrl-plane:CTRL_PLANE_ACL_TABLE": {
+            "CTRL_PLANE_ACL_TABLE_LIST": [
+                {
+                    "ACL_TABLE_NAME": "SNMP_ACL",
+                    "policy_desc": "SNMP_ACL",
+                    "services": [
+                        "SNMP"
+                    ],
+                    "stage": "ingress",
+                    "type": "CTRLPLANE"
+                },
+                {
+                    "ACL_TABLE_NAME": "SSH_ONLY",
+                    "policy_desc": "SSH_ONLY",
+                    "services": [
+                        "SSH"
+                    ],
+                    "stage": "ingress",
+                    "type": "CTRLPLANE"
+                }
+            ]
+        }
+    },
     "sonic-vlan:sonic-vlan": {
         "sonic-vlan:VLAN": {
             "VLAN_LIST": [

src/sonic-host-services/scripts/caclmgrd

@@ -52,13 +52,11 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
     Attributes:
         config_db: Handle to Config Redis database via SwSS SDK
     """
-    ACL_TABLE = "ACL_TABLE"
-    ACL_RULE = "ACL_RULE"
+    CTRL_PLANE_ACL_TABLE = "CTRL_PLANE_ACL_TABLE"
+    CTRL_PLANE_ACL_RULE = "CTRL_PLANE_ACL_RULE"
     DEVICE_METADATA_TABLE = "DEVICE_METADATA"
     MUX_CABLE_TABLE = "MUX_CABLE_TABLE"
 
-    ACL_TABLE_TYPE_CTRLPLANE = "CTRLPLANE"
-
     # To specify a port range instead of a single port, use iptables format:
     # separate start and end ports with a colon, e.g., "1000:2000"
     ACL_SERVICES = {
@@ -484,8 +482,8 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
         iptables_cmds.append(self.iptables_cmd_ns_prefix[namespace] + "ip6tables -A INPUT -p tcp --sport 179 -j ACCEPT")
 
         # Get current ACL tables and rules from Config DB
-        self._tables_db_info = self.config_db_map[namespace].get_table(self.ACL_TABLE)
-        self._rules_db_info = self.config_db_map[namespace].get_table(self.ACL_RULE)
+        self._tables_db_info = self.config_db_map[namespace].get_table(self.CTRL_PLANE_ACL_TABLE)
+        self._rules_db_info = self.config_db_map[namespace].get_table(self.CTRL_PLANE_ACL_RULE)
 
         num_ctrl_plane_acl_rules = 0
 
@@ -494,10 +492,6 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
 
             table_ip_version = None
 
-            # Ignore non-control-plane ACL tables
-            if table_data["type"] != self.ACL_TABLE_TYPE_CTRLPLANE:
-                continue
-
             acl_services = table_data["services"]
 
             for acl_service in acl_services:
@@ -730,9 +724,9 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
             # Connect to Config DB of given namespace
             acl_db_connector = swsscommon.DBConnector("CONFIG_DB", 0, False, namespace)
             # Subscribe to notifications when ACL tables changes
-            subscribe_acl_table = swsscommon.SubscriberStateTable(acl_db_connector, swsscommon.CFG_ACL_TABLE_TABLE_NAME)
+            subscribe_acl_table = swsscommon.SubscriberStateTable(acl_db_connector, swsscommon.CFG_CTRL_PLANE_ACL_TABLE_TABLE_NAME)
             # Subscribe to notifications when ACL rule tables changes
-            subscribe_acl_rule_table = swsscommon.SubscriberStateTable(acl_db_connector, swsscommon.CFG_ACL_RULE_TABLE_NAME)
+            subscribe_acl_rule_table = swsscommon.SubscriberStateTable(acl_db_connector, swsscommon.CFG_CTRL_PLANE_ACL_RULE_TABLE_NAME)
             # Add both tables to the selectable object
             sel.addSelectable(subscribe_acl_table)
             sel.addSelectable(subscribe_acl_rule_table)
@@ -785,8 +779,7 @@ class ControlPlaneAclManager(daemon_base.DaemonBase):
                     # Check ACL Rule notification and make sure Rule point to ACL Table which is Controlplane
                     else:
                         acl_table = key.split(acl_rule_table_seprator)[0]
-                        if self.config_db_map[namespace].get_table(self.ACL_TABLE)[acl_table]["type"] == self.ACL_TABLE_TYPE_CTRLPLANE:
-                            ctrl_plane_acl_notification.add(namespace)
+                        ctrl_plane_acl_notification.add(namespace)
 
             # Update the Control Plane ACL of the namespace that got config db acl table event
             for namespace in ctrl_plane_acl_notification:

src/sonic-yang-models/setup.py

@@ -49,6 +49,7 @@
                          './yang-models/sonic-breakout_cfg.yang',
                          './yang-models/sonic-copp.yang',
                          './yang-models/sonic-crm.yang',
+                         './yang-models/sonic-ctrl-plane-acl.yang',
                          './yang-models/sonic-device_metadata.yang',
                          './yang-models/sonic-device_neighbor.yang',
                          './yang-models/sonic-extension.yang',

src/sonic-yang-models/tests/files/sample_config_db.json

@@ -630,6 +630,15 @@
                 ]
             }
         },
+        "CTRL_PLANE_ACL_TABLE": {
+            "SSH_ONLY": {
+                "policy_desc": "SSH only",
+                "services": [
+                    "SSH"
+                ],
+                "stage": "ingress"
+            }
+        },
         "PBH_HASH_FIELD": {
             "inner_ip_proto": {
                 "hash_field": "INNER_IP_PROTOCOL",

src/sonic-yang-models/tests/yang_model_tests/tests/acl.json

@@ -53,15 +53,6 @@
             "value": "INGRESS"
         }
     },
-    "ACL_TABLE_STAGE_SERVICES": {
-        "desc": "ACL_TABLE LOAD STAGE SERVICES SUCCESSFULLY.",
-        "eStrKey" : "Verify",
-        "verify": {
-            "xpath": "/sonic-acl:sonic-acl/ACL_TABLE/ACL_TABLE_LIST[ACL_TABLE_NAME='NO-NSW-PACL-V4']/ACL_TABLE_NAME",
-            "key": "sonic-acl:services",
-            "value": ["SNMP"]
-        }
-    },
     "ACL_TABLE_CUSTOM_TABLE_TYPE": {
         "desc": "ACL_TABLE LOAD TABLE TYPE SUCCESSFULLY."
     }

src/sonic-yang-models/tests/yang_model_tests/tests/ctrl_plane_acl.json

@@ -0,0 +1,11 @@
+{
+    "CTRL_PLANE_ACL_TABLE_STAGE_SERVICES": {
+        "desc": "CTRL_PLANE_ACL_TABLE LOAD STAGE SERVICES SUCCESSFULLY.",
+        "eStrKey" : "Verify",
+        "verify": {
+            "xpath": "/sonic-ctrl-plane-acl:sonic-ctrl-plane-acl/CTRL_PLANE_ACL_TABLE/CTRL_PLANE_ACL_TABLE_LIST[ACL_TABLE_NAME='NO-NSW-PACL-V4']/ACL_TABLE_NAME",
+            "key": "sonic-ctrl-plane-acl:services",
+            "value": ["SNMP"]
+        }
+    }
+}

src/sonic-yang-models/tests/yang_model_tests/tests_config/acl.json

@@ -415,23 +415,6 @@
             }
         }
     },
-    "ACL_TABLE_STAGE_SERVICES": {
-        "sonic-acl:sonic-acl": {
-            "sonic-acl:ACL_TABLE": {
-                "ACL_TABLE_LIST": [
-                    {
-                        "ACL_TABLE_NAME": "NO-NSW-PACL-V4",
-                        "policy_desc": "Filter IPv4",
-                        "services": [
-                            "SNMP"
-                        ],
-                        "stage": "ingress",
-                        "type": "L3"
-                    }
-                ]
-            }
-        }
-    },
     "ACL_TABLE_UNDEFINED_TABLE_TYPE": {
         "sonic-acl:sonic-acl": {
             "sonic-acl:ACL_TABLE": {

src/sonic-yang-models/tests/yang_model_tests/tests_config/ctrl_plane_acl.json

@@ -0,0 +1,18 @@
+{
+    "CTRL_PLANE_ACL_TABLE_STAGE_SERVICES": {
+        "sonic-ctrl-plane-acl:sonic-ctrl-plane-acl": {
+            "sonic-ctrl-plane-acl:CTRL_PLANE_ACL_TABLE": {
+                "CTRL_PLANE_ACL_TABLE_LIST": [
+                    {
+                        "ACL_TABLE_NAME": "NO-NSW-PACL-V4",
+                        "policy_desc": "Filter IPv4",
+                        "services": [
+                            "SNMP"
+                        ],
+                        "stage": "ingress"
+                    }
+                ]
+            }
+        }
+    }
+}