From 5a5485339e084d5329ea29713cfbf2d3fc26e6b0 Mon Sep 17 00:00:00 2001 From: Neetha John Date: Wed, 6 Jul 2022 10:24:16 -0700 Subject: [PATCH] Add backend acl template (#11220) Why I did it Storage backend has all vlan members tagged. If untagged packets are received on those links, they are accounted as RX_DROPS which can lead to false alarms in monitoring tools. Using this acl to hide these drops. How I did it Created a acl template which will be loaded during minigraph load for backend. This template will allow tagged vlan packets and dropped untagged How to verify it Unit tests Signed-off-by: Neetha John --- files/build_templates/backend_acl.j2 | 51 ++++++++++++++ .../build_templates/sonic_debian_extension.j2 | 3 + .../data/backend_acl/acl_multi_vlan.json | 59 ++++++++++++++++ .../data/backend_acl/acl_single_vlan.json | 38 ++++++++++ .../tests/data/backend_acl/multi_vlan.json | 69 +++++++++++++++++++ .../tests/data/backend_acl/single_vlan.json | 66 ++++++++++++++++++ src/sonic-config-engine/tests/test_j2files.py | 28 ++++++++ 7 files changed, 314 insertions(+) create mode 100644 files/build_templates/backend_acl.j2 create mode 100644 src/sonic-config-engine/tests/data/backend_acl/acl_multi_vlan.json create mode 100644 src/sonic-config-engine/tests/data/backend_acl/acl_single_vlan.json create mode 100644 src/sonic-config-engine/tests/data/backend_acl/multi_vlan.json create mode 100644 src/sonic-config-engine/tests/data/backend_acl/single_vlan.json diff --git a/files/build_templates/backend_acl.j2 b/files/build_templates/backend_acl.j2 new file mode 100644 index 000000000000..f5468e6c12cb --- /dev/null +++ b/files/build_templates/backend_acl.j2 @@ -0,0 +1,51 @@ +{%- set vlan2ports = {} %} +{%- for vlan in VLAN %} + {% set portlist = [] %} + {%- for vlan_name, port in VLAN_MEMBER %} + {%- if vlan_name == vlan %} + {%- if portlist.append(port) %}{%- endif %} + {%- endif %} + {%- endfor %} + {%- set _ = vlan2ports.update({vlan: portlist| sort | join(',')}) %} +{%- endfor %} + + +{ + "acl": { + "acl-sets": { + "acl-set": { + "DATAACL": { + "acl-entries": { + "acl-entry": { + {% for vlan, vlan_entries in VLAN.items() %} + "{{ loop.index }}": { + "config": { + "sequence-id": {{ loop.index }} + }, + "actions": { + "config": { + "forwarding-action": "ACCEPT" + } + }, + "l2": { + "config": { + "vlan_id": "{{ vlan_entries['vlanid'] }}" + } + }, + "input_interface": { + "interface_ref": { + "config": { + "interface": "{{ vlan2ports[vlan] }}" + } + } + } + + }{% if not loop.last %},{% endif %} + {% endfor -%} + } + } + } + } + } + } +} diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2 index 357c0df6656c..223240c329f3 100644 --- a/files/build_templates/sonic_debian_extension.j2 +++ b/files/build_templates/sonic_debian_extension.j2 @@ -520,6 +520,9 @@ then fi {% endif %} +# Copy backend acl template +sudo cp $BUILD_TEMPLATES/backend_acl.j2 $FILESYSTEM_ROOT_USR_SHARE_SONIC_TEMPLATES/ + # Copy hostname configuration scripts sudo cp $IMAGE_CONFIGS/hostname/hostname-config.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM echo "hostname-config.service" | sudo tee -a $GENERATED_SERVICE_FILE diff --git a/src/sonic-config-engine/tests/data/backend_acl/acl_multi_vlan.json b/src/sonic-config-engine/tests/data/backend_acl/acl_multi_vlan.json new file mode 100644 index 000000000000..53cd50d0f2d1 --- /dev/null +++ b/src/sonic-config-engine/tests/data/backend_acl/acl_multi_vlan.json @@ -0,0 +1,59 @@ + +{ + "acl": { + "acl-sets": { + "acl-set": { + "DATAACL": { + "acl-entries": { + "acl-entry": { + "1": { + "config": { + "sequence-id": 1 + }, + "actions": { + "config": { + "forwarding-action": "ACCEPT" + } + }, + "l2": { + "config": { + "vlan_id": "1000" + } + }, + "input_interface": { + "interface_ref": { + "config": { + "interface": "Ethernet12,Ethernet16,Ethernet20,Ethernet24,Ethernet28,Ethernet32,Ethernet36,Ethernet40,Ethernet44,Ethernet48,Ethernet52,Ethernet56,Ethernet60,Ethernet64,Ethernet68,Ethernet72,Ethernet76" + } + } + } + + }, "2": { + "config": { + "sequence-id": 2 + }, + "actions": { + "config": { + "forwarding-action": "ACCEPT" + } + }, + "l2": { + "config": { + "vlan_id": "2000" + } + }, + "input_interface": { + "interface_ref": { + "config": { + "interface": "Ethernet4,Ethernet8" + } + } + } + + } } + } + } + } + } + } +} diff --git a/src/sonic-config-engine/tests/data/backend_acl/acl_single_vlan.json b/src/sonic-config-engine/tests/data/backend_acl/acl_single_vlan.json new file mode 100644 index 000000000000..86dcc80d08d1 --- /dev/null +++ b/src/sonic-config-engine/tests/data/backend_acl/acl_single_vlan.json @@ -0,0 +1,38 @@ + +{ + "acl": { + "acl-sets": { + "acl-set": { + "DATAACL": { + "acl-entries": { + "acl-entry": { + "1": { + "config": { + "sequence-id": 1 + }, + "actions": { + "config": { + "forwarding-action": "ACCEPT" + } + }, + "l2": { + "config": { + "vlan_id": "1000" + } + }, + "input_interface": { + "interface_ref": { + "config": { + "interface": "Ethernet12,Ethernet16,Ethernet20,Ethernet24,Ethernet28,Ethernet32,Ethernet36,Ethernet4,Ethernet40,Ethernet44,Ethernet48,Ethernet52,Ethernet56,Ethernet60,Ethernet64,Ethernet68,Ethernet72,Ethernet76,Ethernet8" + } + } + } + + } + } + } + } + } + } + } +} diff --git a/src/sonic-config-engine/tests/data/backend_acl/multi_vlan.json b/src/sonic-config-engine/tests/data/backend_acl/multi_vlan.json new file mode 100644 index 000000000000..13acff414a1f --- /dev/null +++ b/src/sonic-config-engine/tests/data/backend_acl/multi_vlan.json @@ -0,0 +1,69 @@ +{ + "VLAN": { + "Vlan1000": { + "vlanid": "1000" + }, + "Vlan2000": { + "vlanid": "2000" + } + }, + "VLAN_MEMBER": { + "Vlan1000|Ethernet12": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet16": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet20": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet24": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet28": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet32": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet36": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet40": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet44": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet48": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet52": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet56": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet60": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet64": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet68": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet72": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet76": { + "tagging_mode": "tagged" + }, + "Vlan2000|Ethernet4": { + "tagging_mode": "tagged" + }, + "Vlan2000|Ethernet8": { + "tagging_mode": "tagged" + } + } +} diff --git a/src/sonic-config-engine/tests/data/backend_acl/single_vlan.json b/src/sonic-config-engine/tests/data/backend_acl/single_vlan.json new file mode 100644 index 000000000000..1023e990a72f --- /dev/null +++ b/src/sonic-config-engine/tests/data/backend_acl/single_vlan.json @@ -0,0 +1,66 @@ +{ + "VLAN": { + "Vlan1000": { + "vlanid": "1000" + } + }, + "VLAN_MEMBER": { + "Vlan1000|Ethernet4": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet8": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet12": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet16": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet20": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet24": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet28": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet32": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet36": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet40": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet44": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet48": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet52": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet56": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet60": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet64": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet68": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet72": { + "tagging_mode": "tagged" + }, + "Vlan1000|Ethernet76": { + "tagging_mode": "tagged" + } + } +} diff --git a/src/sonic-config-engine/tests/test_j2files.py b/src/sonic-config-engine/tests/test_j2files.py index 5237ddd85067..14db19357954 100644 --- a/src/sonic-config-engine/tests/test_j2files.py +++ b/src/sonic-config-engine/tests/test_j2files.py @@ -562,6 +562,34 @@ def test_ntp_conf(self): self.run_script(argument) assert utils.cmp(expected, self.output_file), self.run_diff(expected, self.output_file) + def test_backend_acl_template_render(self): + acl_template = os.path.join( + self.test_dir, '..', '..', '..', 'files', 'build_templates', + 'backend_acl.j2' + ) + test_list = { + 'single_vlan': { + 'input': 'single_vlan.json', + 'output': 'acl_single_vlan.json' + }, + 'multi_vlan': { + 'input': 'multi_vlan.json', + 'output': 'acl_multi_vlan.json' + }, + } + for _, v in test_list.items(): + input_file = os.path.join( + self.test_dir, 'data', 'backend_acl', v['input'] + ) + argument = " -j {} -t {} > {}".format( + input_file, acl_template, self.output_file + ) + sample_output_file = os.path.join( + self.test_dir, 'data', 'backend_acl', v['output'] + ) + self.run_script(argument) + assert utils.cmp(sample_output_file, self.output_file), self.run_diff(sample_output_file, self.output_file) + def tearDown(self): os.environ["CFGGEN_UNIT_TESTING"] = "" try: