Update check of IP_TYPE from ACL Yang model (#13810)
Why I did it
This PR is to update the check of IP_TYPE from sonic-acl.yang.
The reason is that an ACL rule added by loading a JSON file with acl-loader has no IP_TYPE. If such a rule exists in the ACL_RULE table, the GCU (generic config updater) refuses to update any ACL rules because the existing one is invalid.
This PR updates the yang model for ACL. If the IP_TYPE leaf doesn't exist, then we don't check the field.

How I did it
Accept the rule if IP_TYPE is absent.

How to verify it
The change is verified by UT.
bingwang-ms authored Mar 30, 2023
1 parent a8f8ea3 commit 760c06e
Showing 3 changed files with 60 additions and 4 deletions.
3 changes: 3 additions & 0 deletions src/sonic-yang-models/tests/yang_model_tests/tests/acl.json
Expand Up @@ -31,6 +31,9 @@
"eStrKey" : "When",
"eStr": ["IP_TYPE"]
},
"ACL_RULE_WITHOUT_IP_TYPE": {
"desc": "Configure ACL_RULE without IP_TYPE."
},
"ACL_RULE_ARP_TYPE_DST_IPV6_MISMATCH": {
"desc": "Configure IP_TYPE as ARP and DST_IPV6 in ACL_RULE.",
"eStrKey" : "When",
53 changes: 53 additions & 0 deletions src/sonic-yang-models/tests/yang_model_tests/tests_config/acl.json
Expand Up @@ -158,6 +158,59 @@
}
}
},
"ACL_RULE_WITHOUT_IP_TYPE": {
"sonic-acl:sonic-acl": {
"sonic-acl:ACL_RULE": {
"ACL_RULE_LIST": [
{
"ACL_TABLE_NAME": "NO-NSW-PACL-V4",
"PACKET_ACTION": "FORWARD",
"PRIORITY": 999980,
"RULE_NAME": "Rule_20",
"SRC_IPV6": "2001::1/64"
}
]
},
"sonic-acl:ACL_TABLE": {
"ACL_TABLE_LIST": [
{
"ACL_TABLE_NAME": "NO-NSW-PACL-V4",
"policy_desc": "Filter IPv4",
"ports": [
"Ethernet0",
"Ethernet1"
],
"stage": "EGRESS",
"type": "L3"
}
]
}
},
"sonic-port:sonic-port": {
"sonic-port:PORT": {
"PORT_LIST": [
{
"admin_status": "up",
"alias": "eth0",
"description": "Ethernet0",
"lanes": "0,1,2,3",
"mtu": 9000,
"name": "Ethernet0",
"speed": 25000
},
{
"admin_status": "up",
"alias": "eth1",
"description": "Ethernet1",
"lanes": "4,5,6,7",
"mtu": 9000,
"name": "Ethernet1",
"speed": 25000
}
]
}
}
},
"ACL_RULE_UNDEFINED_PACKET_ACTION": {
"sonic-acl:sonic-acl": {
"sonic-acl:ACL_RULE": {
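Review bot: The new positive case `ACL_RULE_WITHOUT_IP_TYPE` only exercises `SRC_IPV6` without IP_TYPE, and it does so in a table named `NO-NSW-PACL-V4` with `policy_desc` "Filter IPv4" and `type` `L3`, so the fixture also pins that an IPv6 match is accepted in what reads as an IPv4 table. If that acceptance is not meant to be part of the validated contract, use a table whose name and type agree with the rule, or give the rule a `SRC_IP` value instead. The relaxed guards on `ip4_prefix`, `icmp4` and `icmp6` have no matching fixture here; rules without IP_TYPE that carry `SRC_IP`, `ICMP_TYPE` and `ICMPV6_TYPE` would cover them.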
8 changes: 4 additions & 4 deletions src/sonic-yang-models/yang-templates/sonic-acl.yang.j2
Expand Up @@ -106,7 +106,7 @@ module sonic-acl {
}
}
case ip4_prefix {
when "boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV4' or .='IPv4ANY' or .='ARP'])";
when "not(IP_TYPE) or boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV4' or .='IPv4ANY' or .='ARP'])";
leaf SRC_IP {
type inet:ipv4-prefix;
}
Expand All @@ -117,7 +117,7 @@ module sonic-acl {
}

case ip6_prefix {
when "boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV6' or .='IPv6ANY'])";
when "not(IP_TYPE) or boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV6' or .='IPv6ANY'])";
leaf SRC_IPV6 {
type inet:ipv6-prefix;
}
Expand Down Expand Up @@ -199,7 +199,7 @@ module sonic-acl {
choice icmp {

case icmp4 {
when "boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV4' or .='IPv4ANY' or .='ARP'])";
when "not(IP_TYPE) or boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV4' or .='IPv4ANY' or .='ARP'])";
leaf ICMP_TYPE {
type uint8 {
range 1..44;
Expand All @@ -214,7 +214,7 @@ module sonic-acl {
}

case icmp6 {
when "boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV6' or .='IPv6ANY'])";
when "not(IP_TYPE) or boolean(IP_TYPE[.='ANY' or .='IP' or .='IPV6' or .='IPv6ANY'])";
leaf ICMPV6_TYPE {
type uint8 {
range 1..44;
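Review bot: With `not(IP_TYPE) or ...` on both `case ip4_prefix` and `case ip6_prefix`, a rule that omits IP_TYPE satisfies either guard, so the model no longer constrains the address family of such a rule at all; the same holds for `case icmp4` and `case icmp6` in the later hunk. Since GCU relies on this model to refuse invalid ACL rules, the relaxation should be stated as intended next to each guard, for example `// IP_TYPE is optional (acl-loader omits it); when absent the address family is not checked here`. If the rule's table type is reachable from this context, falling back to it when IP_TYPE is missing would be a stricter alternative, but that depends on parts of the model outside these hunks. The case bodies continue beyond the visible lines.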
