
Commit 023a5b9

Shuotian Chenglguohan
Shuotian Cheng
authored andcommitted
[sonic-cfggen]: translate_acl tool adds TCP mask (#697)
In orchagent, TCP_FLAGS expects both a value and a mask as input. Right now, the translate_acl tool only supports one TCP flag and generates the ACL with both value and mask equal to the flag. This rule will match packets that have this specific flag set regardless of the other flags.
1 parent d9cf398 commit 023a5b9


3 files changed

+52
-21
lines changed


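--- a/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json
+++ b/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json
@@ -25,5 +25,14 @@
 "priority":9998
 },
 "OP":"SET"
+},
+{
+"ACL_RULE_TABLE:dataacl:Rule_4":{
+"IP_PROTOCOL":6,
+"PACKET_ACTION":"FORWARD",
+"TCP_FLAGS":"0x10/0x10",
+"priority":9996
+},
+"OP":"SET"
 }
 ]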

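--- a/src/sonic-config-engine/tests/t0-sample-acl.json
+++ b/src/sonic-config-engine/tests/t0-sample-acl.json
@@ -10,55 +10,77 @@
 "config": {
 "forwarding-action": "ACCEPT"
 }
-},
+},
 "config": {
 "sequence-id": 1
-},
+},
 "ip": {
 "config": {
-"protocol": "IP_UDP",
+"protocol": "IP_UDP",
 "source-ip-address": "10.0.0.0/8"
 }
 }
-},
+},
 "2": {
 "actions": {
 "config": {
 "forwarding-action": "ACCEPT"
 }
-},
+},
 "config": {
 "sequence-id": 2
-},
+},
 "ip": {
 "config": {
-"protocol": "IP_UDP",
+"protocol": "IP_UDP",
 "source-ip-address": "100.64.0.0/10"
 }
 }
-},
+},
 "3": {
 "actions": {
 "config": {
 "forwarding-action": "ACCEPT"
 }
-},
+},
 "config": {
 "sequence-id": 3
-},
+},
 "ip": {
 "config": {
-"protocol": "IP_UDP",
+"protocol": "IP_UDP",
 "source-ip-address": "25.0.0.0/8"
 }
 }
+},
+"4": {
+"actions": {
+"config": {
+"forwarding-action": "ACCEPT"
+}
+},
+"config": {
+"sequence-id": 4
+},
+"ip": {
+"config": {
+"protocol": "IP_TCP"
+}
+},
+"transport": {
+"config": {
+"tcp-flags": [
+"TCP_ACK"
+]
+}
+}
 }
 }
-},
+},
 "config": {
 "name": "dataacl"
 }
-},
+},
 "everflow": {
 "acl-entries": {
 "acl-entry": {
@@ -67,26 +89,26 @@
 "config": {
 "forwarding-action": "ACCEPT"
 }
-},
+},
 "config": {
 "sequence-id": 1
-},
+},
 "ip": {
 "config": {
-"destination-ip-address": "127.0.0.1/32",
-"protocol": "IP_TCP",
+"destination-ip-address": "127.0.0.1/32",
+"protocol": "IP_TCP",
 "source-ip-address": "127.0.0.1/32"
 }
-},
+},
 "transport": {
 "config": {
-"destination-port": "0",
+"destination-port": "0",
 "source-port": "0"
 }
 }
 }
 }
-},
+},
 "config": {
 "name": "everflow"
 }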
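Review bot: The new entry `"4"` lists a single flag (`"TCP_ACK"`), so the fixture and its expected `0x10/0x10` output never exercise how several flags are folded into one value/mask pair. A second entry with two flags, for example `"tcp-flags": ["TCP_SYN", "TCP_ACK"]` (presumably expected as `0x12/0x12`), would pin the OR-ing behaviour that ACL authors rely on. The other changed lines in this section read identically on both sides and look like whitespace-only edits; keeping them in a separate commit would make the functional addition easier to review.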

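--- a/src/sonic-config-engine/translate_acl
+++ b/src/sonic-config-engine/translate_acl
@@ -97,7 +97,7 @@ def generate_rule_json(table_name, rule, max_priority, mirror):
 if flag == "TCP_CWR":
 tcp_flags = tcp_flags | 0x80
 if tcp_flags != 0x00:
-rule_props["TCP_FLAGS"] = '0x{:02x}'.format(tcp_flags)
+rule_props["TCP_FLAGS"] = '0x{:02x}/0x{:02x}'.format(tcp_flags, tcp_flags)
 return rule_data
 
 def generate_table_json(aclset, aclname, ports, mirror, max_priority, output_path='.'):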
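Review bot: The new format string on the `rule_props["TCP_FLAGS"]` line always writes a mask equal to the value, so a rule can only say "these flags are set" and never "this flag must be clear". An ACCEPT entry for `TCP_ACK` therefore also matches packets that carry ACK together with SYN, FIN or RST. That is worth stating where the string is built, e.g. `# value == mask: match when every listed flag is set; all other flag bits are ignored`. Separately, the `if tcp_flags != 0x00:` guard appears to mean that a `tcp-flags` list with no recognised name produces a rule with no TCP_FLAGS qualifier at all, which would widen the match instead of failing. The flag-name chain begins outside this hunk, so that needs checking against the full `generate_rule_json`.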
