
Commit 010fe3b

andriymoroz-mlnx authored and lguohan committed
Add ACL tables schema (sonic-net#204) (sonic-net#211)
1 parent eed4a2d commit 010fe3b

1 file changed

+139
-0
lines changed


doc/swss-schema.md

+139
@@ -409,6 +409,145 @@ It's possible to create separate configuration files for different ASIC platform
409409

410410
----------------------------------------------
411411

412+
###ACL\_TABLE
413+
Stores information about ACL tables on the switch. Port names are defined in [port_config.ini](../portsyncd/port_config.ini).
414+
415+
key = ACL_TABLE:name ; acl_table_name must be unique
416+
;field = value
417+
policy_desc = 1*255VCHAR ; name of the ACL policy table description
418+
type = "mirror"/"l3" ; type of acl table, every type of
419+
; table defines the match/action a
420+
; specific set of match and actions.
421+
ports = [0-max_ports]*port_name ; the ports to which this ACL
422+
; table is applied, can be emtry
423+
; value annotations
424+
port_name = 1*64VCHAR ; name of the port, must be unique
425+
max_ports = 1*5DIGIT ; number of ports supported on the chip
426+
427+
428+
429+
###ACL\_RULE\_TABLE
430+
Stores rules associated with a specific ACL table on the switch.
431+
432+
key: ACL_RULE_TABLE:table_name:rule_name ; key of the rule entry in the table,
433+
; seq is the order of the rules
434+
; when the packet is filtered by the
435+
; ACL "policy_name".
436+
; A rule is always assocaited with a
437+
; policy.
438+
439+
;field = value
440+
priority = 1*3DIGIT ; rule priority. Valid values range
441+
; could be platform dependent
442+
443+
packet_action = "forward"/"drop"/"mirror" ; action when the fields are
444+
; matched (mirror action only
445+
; available to mirror acl table
446+
; type)
447+
448+
mirror_action = 1*255VCHAR ; refer to the mirror session
449+
; (only available to mirror acl
450+
; table type)
451+
452+
ether_type = h16 ; Ethernet type field
453+
454+
ip_type = ip_types ; options of the l2_protocol_type
455+
; field. Only v4 is support for
456+
; this stage.
457+
458+
ip_protocol = h8 ; options of the l3_protocol_type field
459+
460+
src_ip = ipv4_prefix ; options of the source ipv4
461+
; address (and mask) field
462+
463+
dst_ip = ipv4_prefix ; options of the destination ipv4
464+
; address (and mask) field
465+
466+
l4_src_port = port_num ; source L4 port or the
467+
l4_dst_port = port_num ; destination L4 port
468+
469+
l4_src_port_range = port_num_L-port_num_H ; source ports range of L4 ports field
470+
l4_dst_port_range = port_num_L-port_num_H ; destination ports range of L4 ports field
471+
472+
tcp_flags = h8/h8 ; TCP flags field and mask
473+
dscp = h8 ; DSCP field (only available for mirror
474+
; table type)
475+
476+
;value annotations
477+
ip_types = any | ip | ipv4 | ipv4any | non_ipv4 | ipv6any | non_ipv6
478+
port_num = 1*5DIGIT ; a number between 0 and 65535
479+
port_num_L = 1*5DIGIT ; a number between 0 and 65535,
480+
; port_num_L < port_num_H
481+
port_num_H = 1*5DIGIT ; a number between 0 and 65535,
482+
; port_num_L < port_num_H
483+
ipv6_prefix = 6( h16 ":" ) ls32
484+
/ "::" 5( h16 ":" ) ls32
485+
/ [ h16 ] "::" 4( h16 ":" ) ls32
486+
/ [ *1( h16 ":" ) h16 ] "::" 3( h16 ":" ) ls32
487+
/ [ *2( h16 ":" ) h16 ] "::" 2( h16 ":" ) ls32
488+
/ [ *3( h16 ":" ) h16 ] "::" h16 ":" ls32
489+
/ [ *4( h16 ":" ) h16 ] "::" ls32
490+
/ [ *5( h16 ":" ) h16 ] "::" h16
491+
/ [ *6( h16 ":" ) h16 ] "::"
492+
h8 = 1*2HEXDIG
493+
h16 = 1*4HEXDIG
494+
ls32 = ( h16 ":" h16 ) / IPv4address
495+
ipv4_prefix = dec-octet "." dec-octet "." dec-octet "." dec-octet “/” %d1-32
496+
dec-octet = DIGIT ; 0-9
497+
/ %x31-39 DIGIT ; 10-99
498+
/ "1" 2DIGIT ; 100-199
499+
/ "2" %x30-34 DIGIT ; 200-249
500+
501+
Example:
502+
503+
[
504+
{
505+
"ACL_TABLE:Drop_IP": {
506+
"policy_desc" : "Drop_Traffic",
507+
"type" : "L3",
508+
"ports" : "Ethernet0,Ethernet4"
509+
},
510+
"OP": "SET"
511+
},
512+
{
513+
"ACL_RULE_TABLE:Drop_IP:TheDrop": {
514+
"priority" : "55",
515+
"SRC_IP" : "20.0.0.0/25",
516+
"DST_IP" : "20.0.0.0/23",
517+
"L4_SRC_PORT" : "80",
518+
"PACKET_ACTION" : "DROP"
519+
},
520+
"OP": "SET"
521+
}
522+
]
523+
524+
Equivalent RedisDB entry:
525+
526+
127.0.0.1:6379> KEYS *ACL*
527+
1) "ACL_TABLE:Drop_IP"
528+
2) "ACL_RULE_TABLE:Drop_IP:TheDrop"
529+
127.0.0.1:6379> HGETALL ACL_TABLE:Drop_IP
530+
1) "policy_desc"
531+
2) "Drop_Traffic"
532+
3) "ports"
533+
4) "Ethernet0,Ethernet4"
534+
5) "type"
535+
6) "L3"
536+
127.0.0.1:6379> HGETALL ACL_RULE_TABLE:Drop_IP:TheDrop
537+
1) "DST_IP"
538+
2) "20.0.0.0/23"
539+
3) "L4_SRC_PORT"
540+
4) "80"
541+
5) "PACKET_ACTION"
542+
6) "DROP"
543+
7) "SRC_IP"
544+
8) "20.0.0.0/25"
545+
9) "priority"
546+
10) "55"
547+
127.0.0.1:6379>
548+
549+
----------------------------------------------
550+
412551
###Configuration files
413552
What configuration files should we have? Do apps, orch agent each need separate files?
414553

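Review bot: the JSON example and the Redis dump in this hunk disagree with the schema on case, so a consumer that matches field names and values exactly would silently fail to install the rule: the schema lists `src_ip`, `dst_ip`, `l4_src_port`, `packet_action` and the values `"drop"` / `"l3"`, while the example writes `SRC_IP`, `DST_IP`, `L4_SRC_PORT`, `PACKET_ACTION`, `"DROP"` and `"L3"`. State which spelling is canonical (or that matching is case-insensitive) and make the example follow it. The ABNF also has defects worth fixing before it is relied on as a reference: `dec-octet` stops at `"2" %x30-34 DIGIT` (200-249) and is missing the `"25" %x30-35` alternative, so 250-255 cannot be expressed; `ipv4_prefix` uses curly quotes around the slash (`“/”`) instead of `"/"`; in `tcp_flags = h8/h8` and `l4_src_port_range = port_num_L-port_num_H` the unquoted `/` and `-` read as ABNF alternation and as part of a rule name rather than as literal separators (`h8 "/" h8`, `port_num_L "-" port_num_H`); and `ip_types` uses `|` rather than `/`. The key comment for `ACL_RULE_TABLE` refers to `seq` and `policy_name`, neither of which exists in the schema (the fields are `priority` and `policy_desc`), and the `priority` line should say whether a larger number means higher precedence since that decides which rule wins when two overlap. Since `ports` "can be empty", document what an ACL table with no ports applies to. Minor typos: "emtry", "assocaited", "Only v4 is support".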