Skip to content

Commit

Permalink
Add backend acl template (sonic-net#11220)
Browse files Browse the repository at this point in the history
Why I did it
Storage backend has all vlan members tagged. If untagged packets are received on those links, they are accounted as RX_DROPS which can lead to false alarms in monitoring tools. Using this acl to hide these drops.

How I did it
Created a acl template which will be loaded during minigraph load for backend. This template will allow tagged vlan packets and dropped untagged

How to verify it
Unit tests

Signed-off-by: Neetha John <[email protected]>
  • Loading branch information
neethajohn authored and skbarista committed Aug 17, 2022
1 parent be532c0 commit 5a54853
Show file tree
Hide file tree
Showing 7 changed files with 314 additions and 0 deletions.
51 changes: 51 additions & 0 deletions files/build_templates/backend_acl.j2
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
{%- set vlan2ports = {} %}
{%- for vlan in VLAN %}
{% set portlist = [] %}
{%- for vlan_name, port in VLAN_MEMBER %}
{%- if vlan_name == vlan %}
{%- if portlist.append(port) %}{%- endif %}
{%- endif %}
{%- endfor %}
{%- set _ = vlan2ports.update({vlan: portlist| sort | join(',')}) %}
{%- endfor %}


{
"acl": {
"acl-sets": {
"acl-set": {
"DATAACL": {
"acl-entries": {
"acl-entry": {
{% for vlan, vlan_entries in VLAN.items() %}
"{{ loop.index }}": {
"config": {
"sequence-id": {{ loop.index }}
},
"actions": {
"config": {
"forwarding-action": "ACCEPT"
}
},
"l2": {
"config": {
"vlan_id": "{{ vlan_entries['vlanid'] }}"
}
},
"input_interface": {
"interface_ref": {
"config": {
"interface": "{{ vlan2ports[vlan] }}"
}
}
}

}{% if not loop.last %},{% endif %}
{% endfor -%}
}
}
}
}
}
}
}
3 changes: 3 additions & 0 deletions files/build_templates/sonic_debian_extension.j2
Original file line number Diff line number Diff line change
Expand Up @@ -520,6 +520,9 @@ then
fi
{% endif %}

# Copy backend acl template
sudo cp $BUILD_TEMPLATES/backend_acl.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/

# Copy hostname configuration scripts
sudo cp $IMAGE_CONFIGS/hostname/hostname-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM
echo "hostname-config.service" | sudo tee -a $GENERATED_SERVICE_FILE
Expand Down
59 changes: 59 additions & 0 deletions src/sonic-config-engine/tests/data/backend_acl/acl_multi_vlan.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@

{
"acl": {
"acl-sets": {
"acl-set": {
"DATAACL": {
"acl-entries": {
"acl-entry": {
"1": {
"config": {
"sequence-id": 1
},
"actions": {
"config": {
"forwarding-action": "ACCEPT"
}
},
"l2": {
"config": {
"vlan_id": "1000"
}
},
"input_interface": {
"interface_ref": {
"config": {
"interface": "Ethernet12,Ethernet16,Ethernet20,Ethernet24,Ethernet28,Ethernet32,Ethernet36,Ethernet40,Ethernet44,Ethernet48,Ethernet52,Ethernet56,Ethernet60,Ethernet64,Ethernet68,Ethernet72,Ethernet76"
}
}
}

}, "2": {
"config": {
"sequence-id": 2
},
"actions": {
"config": {
"forwarding-action": "ACCEPT"
}
},
"l2": {
"config": {
"vlan_id": "2000"
}
},
"input_interface": {
"interface_ref": {
"config": {
"interface": "Ethernet4,Ethernet8"
}
}
}

} }
}
}
}
}
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@

{
"acl": {
"acl-sets": {
"acl-set": {
"DATAACL": {
"acl-entries": {
"acl-entry": {
"1": {
"config": {
"sequence-id": 1
},
"actions": {
"config": {
"forwarding-action": "ACCEPT"
}
},
"l2": {
"config": {
"vlan_id": "1000"
}
},
"input_interface": {
"interface_ref": {
"config": {
"interface": "Ethernet12,Ethernet16,Ethernet20,Ethernet24,Ethernet28,Ethernet32,Ethernet36,Ethernet4,Ethernet40,Ethernet44,Ethernet48,Ethernet52,Ethernet56,Ethernet60,Ethernet64,Ethernet68,Ethernet72,Ethernet76,Ethernet8"
}
}
}

}
}
}
}
}
}
}
}
69 changes: 69 additions & 0 deletions src/sonic-config-engine/tests/data/backend_acl/multi_vlan.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
{
"VLAN": {
"Vlan1000": {
"vlanid": "1000"
},
"Vlan2000": {
"vlanid": "2000"
}
},
"VLAN_MEMBER": {
"Vlan1000|Ethernet12": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet16": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet20": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet24": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet28": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet32": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet36": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet40": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet44": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet48": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet52": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet56": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet60": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet64": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet68": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet72": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet76": {
"tagging_mode": "tagged"
},
"Vlan2000|Ethernet4": {
"tagging_mode": "tagged"
},
"Vlan2000|Ethernet8": {
"tagging_mode": "tagged"
}
}
}
66 changes: 66 additions & 0 deletions src/sonic-config-engine/tests/data/backend_acl/single_vlan.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
{
"VLAN": {
"Vlan1000": {
"vlanid": "1000"
}
},
"VLAN_MEMBER": {
"Vlan1000|Ethernet4": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet8": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet12": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet16": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet20": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet24": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet28": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet32": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet36": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet40": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet44": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet48": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet52": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet56": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet60": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet64": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet68": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet72": {
"tagging_mode": "tagged"
},
"Vlan1000|Ethernet76": {
"tagging_mode": "tagged"
}
}
}
28 changes: 28 additions & 0 deletions src/sonic-config-engine/tests/test_j2files.py
Original file line number Diff line number Diff line change
Expand Up @@ -562,6 +562,34 @@ def test_ntp_conf(self):
self.run_script(argument)
assert utils.cmp(expected, self.output_file), self.run_diff(expected, self.output_file)

def test_backend_acl_template_render(self):
acl_template = os.path.join(
self.test_dir, '..', '..', '..', 'files', 'build_templates',
'backend_acl.j2'
)
test_list = {
'single_vlan': {
'input': 'single_vlan.json',
'output': 'acl_single_vlan.json'
},
'multi_vlan': {
'input': 'multi_vlan.json',
'output': 'acl_multi_vlan.json'
},
}
for _, v in test_list.items():
input_file = os.path.join(
self.test_dir, 'data', 'backend_acl', v['input']
)
argument = " -j {} -t {} > {}".format(
input_file, acl_template, self.output_file
)
sample_output_file = os.path.join(
self.test_dir, 'data', 'backend_acl', v['output']
)
self.run_script(argument)
assert utils.cmp(sample_output_file, self.output_file), self.run_diff(sample_output_file, self.output_file)

def tearDown(self):
os.environ["CFGGEN_UNIT_TESTING"] = ""
try:
Expand Down

0 comments on commit 5a54853

Please sign in to comment.