From 18362c996cc906342aa6c8092e7bd03062e2be1d Mon Sep 17 00:00:00 2001
From: Taoyu Li
Date: Wed, 21 Jun 2017 18:26:57 +0000
Subject: [PATCH 1/2] [acl] Add default deny rule for l3 table
---
 .../tests/sample_output/rules_for_dataacl.json | 7 +++++++
 src/sonic-config-engine/translate_acl | 12 +++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json b/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json
index 48fa240c9dc6..2f304f988f7e 100644
--- a/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json
+++ b/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json
@@ -34,5 +34,12 @@
 "priority":9996
 },
 "OP":"SET"
+ },
+ {
+ "ACL_RULE_TABLE:dataacl:default_rule":{
+ "PACKET_ACTION":"DROP",
+ "priority":1
+ },
+ "OP":"SET"
 }
 ]
\ No newline at end of file
diff --git a/src/sonic-config-engine/translate_acl b/src/sonic-config-engine/translate_acl
index 584db7b64488..237e2bdadfa2 100755
--- a/src/sonic-config-engine/translate_acl
+++ b/src/sonic-config-engine/translate_acl
@@ -13,6 +13,15 @@ def dump_json(filename, data):
 with open(filename, 'w') as outfile:
 json.dump(data, outfile, indent=4, sort_keys=True, separators=(',', ':'))

+def default_deny_rule(table_name):
+ rule_props = {}
+ rule_data = {}
+ rule_data["ACL_RULE_TABLE:"+table_name+":default_rule"] = rule_props
+ rule_data["OP"] = "SET"
+ rule_props["priority"] = 1
+ rule_props["PACKET_ACTION"] = "DROP"
+ return rule_data
+
 def generate_rule_json(table_name, rule, max_priority, mirror):
 rule_idx = rule.config.sequence_id
 rule_props = {}
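Review bot: `default_deny_rule` pins the catch-all at `priority` 1, which only works if every generated rule sorts above it, yet `generate_rule_json` sets `priority = max_priority - rule_idx` with no lower bound (visible in the last hunk of the second patch), so a `sequence_id` of `max_priority - 1` or more yields a rule that collides with or sorts below the deny rule, and which one wins then depends on the switch rather than on the author's intent. A guard in `generate_rule_json` such as `if max_priority - rule_idx <= 1: raise ValueError("sequence_id %d leaves no priority above the default deny rule" % rule_idx)` would make that misconfiguration fail loudly instead. The new function also has no docstring; a one-liner such as `"""Return a lowest-priority DROP entry so traffic matched by no rule in *table_name* is denied rather than forwarded."""` would record why the entry exists.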
@@ -120,7 +129,8 @@ def generate_table_json(aclset, aclname, ports, mirror, max_priority, output_pat
 rule_props = generate_rule_json(table_name, aclentry, max_priority, mirror)
 if rule_props:
 rule_data.append(rule_props)
-
+ if not mirror:
+ rule_data.append(default_deny_rule(table_name))
 dump_json(os.path.join(output_path, "rules_for_"+table_name+".json"), rule_data)

 def translate_acl_fixed_port(filename, output_path, port, max_priority):
From d872ae8f637e6cda573010e21deebdc38e62a031 Mon Sep 17 00:00:00 2001
From: Taoyu Li
Date: Thu, 22 Jun 2017 21:10:03 +0000
Subject: [PATCH 2/2] Address CR comments
---
 .../tests/sample_output/rules_for_dataacl.json | 11 ++++++-----
 .../tests/sample_output/rules_for_everflow.json | 2 +-
 src/sonic-config-engine/translate_acl | 5 +++--
 3 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json b/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json
index 2f304f988f7e..709468f9d945 100644
--- a/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json
+++ b/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json
@@ -1,6 +1,6 @@
 [
 {
- "ACL_RULE_TABLE:dataacl:Rule_1":{
+ "ACL_RULE_TABLE:DATAACL:RULE_1":{
 "IP_PROTOCOL":17,
 "PACKET_ACTION":"FORWARD",
 "SRC_IP":"10.0.0.0/8",
@@ -9,7 +9,7 @@
 "OP":"SET"
 },
 {
- "ACL_RULE_TABLE:dataacl:Rule_3":{
+ "ACL_RULE_TABLE:DATAACL:RULE_3":{
 "IP_PROTOCOL":17,
 "PACKET_ACTION":"FORWARD",
 "SRC_IP":"25.0.0.0/8",
@@ -18,7 +18,7 @@
 "OP":"SET"
 },
 {
- "ACL_RULE_TABLE:dataacl:Rule_2":{
+ "ACL_RULE_TABLE:DATAACL:RULE_2":{
 "IP_PROTOCOL":17,
 "PACKET_ACTION":"FORWARD",
 "SRC_IP":"100.64.0.0/10",
@@ -27,7 +27,7 @@
 "OP":"SET"
 },
 {
- "ACL_RULE_TABLE:dataacl:Rule_4":{
+ "ACL_RULE_TABLE:DATAACL:RULE_4":{
 "IP_PROTOCOL":6,
 "PACKET_ACTION":"FORWARD",
 "TCP_FLAGS":"0x10/0x10",
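Review bot: The new `if not mirror:` branch appends the deny rule even when the loop above produced no rules at all, so a table whose every entry was skipped by the `if rule_props:` guard now emits a file containing only the DROP entry, i.e. the table fails closed; that looks intended but nothing in the code says so. A comment above the branch such as `# Non-mirror tables end with an explicit lowest-priority DROP so traffic no rule matches is denied rather than forwarded; mirror tables are deliberately left without one.` would stop the next editor from treating the lone DROP as a bug. The enclosing `generate_table_json` starts outside the hunk.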
@@ -36,7 +36,8 @@
 "OP":"SET"
 },
 {
- "ACL_RULE_TABLE:dataacl:default_rule":{
+ "ACL_RULE_TABLE:DATAACL:DEFAULT_RULE":{
+ "ETHER_TYPE":"0x0800",
 "PACKET_ACTION":"DROP",
 "priority":1
 },
diff --git a/src/sonic-config-engine/tests/sample_output/rules_for_everflow.json b/src/sonic-config-engine/tests/sample_output/rules_for_everflow.json
index c31965e31e27..2f39a0dcc4a3 100644
--- a/src/sonic-config-engine/tests/sample_output/rules_for_everflow.json
+++ b/src/sonic-config-engine/tests/sample_output/rules_for_everflow.json
@@ -1,6 +1,6 @@
 [
 {
- "ACL_RULE_TABLE:everflow:Rule_1":{
+ "ACL_RULE_TABLE:EVERFLOW:RULE_1":{
 "DST_IP":"127.0.0.1/32",
 "IP_PROTOCOL":6,
 "L4_DST_PORT":0,
diff --git a/src/sonic-config-engine/translate_acl b/src/sonic-config-engine/translate_acl
index 237e2bdadfa2..696a433730a9 100755
--- a/src/sonic-config-engine/translate_acl
+++ b/src/sonic-config-engine/translate_acl
@@ -16,9 +16,10 @@ def dump_json(filename, data):
 def default_deny_rule(table_name):
 rule_props = {}
 rule_data = {}
- rule_data["ACL_RULE_TABLE:"+table_name+":default_rule"] = rule_props
+ rule_data["ACL_RULE_TABLE:"+table_name.upper()+":DEFAULT_RULE"] = rule_props
 rule_data["OP"] = "SET"
 rule_props["priority"] = 1
+ rule_props["ETHER_TYPE"] = "0x0800"
 rule_props["PACKET_ACTION"] = "DROP"
 return rule_data

@@ -26,7 +27,7 @@ def generate_rule_json(table_name, rule, max_priority, mirror):
 rule_idx = rule.config.sequence_id
 rule_props = {}
 rule_data = {}
- rule_data["ACL_RULE_TABLE:"+table_name+":Rule_"+str(rule_idx)] = rule_props
+ rule_data["ACL_RULE_TABLE:"+table_name.upper()+":RULE_"+str(rule_idx)] = rule_props
 rule_data["OP"] = "SET"
 rule_props["priority"] = max_priority - rule_idx
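Review bot: Adding `ETHER_TYPE` `0x0800` narrows the default deny to IPv4, so any IPv6 traffic that reaches the same table is no longer covered by it and falls through to whatever the platform does for unmatched packets; if these tables are IPv4-only that is fine, but the restriction deserves a comment next to the new line, e.g. `# IPv4 only, presumably so non-IP frames are not swallowed by the catch-all; IPv6 (0x86DD) needs its own deny if this table ever carries it.` The key string `"ACL_RULE_TABLE:"+table_name.upper()+":..."` is now built the same way here and in `generate_rule_json` (the next hunk), so a shared helper such as `def acl_rule_key(table_name, rule_name): return "ACL_RULE_TABLE:%s:%s" % (table_name.upper(), rule_name)` would keep the two from drifting apart again. The output filename `"rules_for_"+table_name+".json"` in `generate_table_json` still uses the un-uppercased name, which may be intended but is now the only place the original case survives.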