From 89797255d3cd9e7257d659d9e9784e0a4c68243c Mon Sep 17 00:00:00 2001
From: Joe LeVeque
Date: Wed, 13 Dec 2017 23:41:05 +0000
Subject: [PATCH 1/4] Change 'Table name' to 'Rule name' in header of show_rule() output
---
acl_loader/main.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/acl_loader/main.py b/acl_loader/main.py
index e1b14f1bba..9d10c9761f 100644
--- a/acl_loader/main.py
+++ b/acl_loader/main.py
@@ -420,7 +420,7 @@ def show_rule(self, table_name, rule_id):
 :param rule_id: Optional. ACL rule name. Filter rule by specified rule name.
 :return:
 """
- header = ("Rule ID", "Table Name", "Priority", "Action", "Match")
+ header = ("Rule ID", "Rule Name", "Priority", "Action", "Match")
 ignore_list = ["PRIORITY", "PACKET_ACTION", "MIRROR_ACTION"]
From d8174a6359344b24681a129f9a4fdfe9d8048903 Mon Sep 17 00:00:00 2001
From: Joe LeVeque
Date: Thu, 14 Dec 2017 01:24:27 +0000
Subject: [PATCH 2/4] Remove unused imports
---
acl_loader/main.py | 4 ----
1 file changed, 4 deletions(-)
diff --git a/acl_loader/main.py b/acl_loader/main.py
index 9d10c9761f..de7b15c99b 100644
--- a/acl_loader/main.py
+++ b/acl_loader/main.py
@@ -1,11 +1,7 @@
-
 #!/usr/bin/env python
 import click
-import sys
-import os.path
 import json
-import argparse
 import tabulate
 from natsort import natsorted
From 5564e8534b066b83e2b216b1e372d0e6ca58c9ff Mon Sep 17 00:00:00 2001
From: Joe LeVeque
Date: Thu, 14 Dec 2017 01:30:19 +0000
Subject: [PATCH 3/4] Add ACL_TABLE_TYPE_MIRROR constant, other small tweaks, comments and docstrings
---
acl_loader/main.py | 34 ++++++++++++++++++++++------------
1 file changed, 22 insertions(+), 12 deletions(-)
diff --git a/acl_loader/main.py b/acl_loader/main.py
index de7b15c99b..1625bb15f0 100644
--- a/acl_loader/main.py
+++ b/acl_loader/main.py
@@ -40,6 +40,7 @@ class AclLoader(object):
 ACL_TABLE = "ACL_TABLE"
 ACL_RULE = "ACL_RULE"
+ ACL_TABLE_TYPE_MIRROR = "MIRROR"
 MIRROR_SESSION = "MIRROR_SESSION"
 SESSION_PREFIX = "everflow"
@@ -153,11 +154,11 @@ def is_table_valid(self, tname):
 def is_table_mirror(self, tname):
 """
- Check if ACL table type is MIRROR
+ Check if ACL table type is ACL_TABLE_TYPE_MIRROR
 :param tname: ACL table name
- :return: True if table type is MIRROR else False
+ :return: True if table type is ACL_TABLE_TYPE_MIRROR else False
 """
- return self.tables_db_info[tname]['type'].upper() == "MIRROR"
+ return self.tables_db_info[tname]['type'].upper() == self.ACL_TABLE_TYPE_MIRROR
 def load_rules_from_file(self, filename):
 """
@@ -235,6 +236,15 @@ def convert_ipv4(self, table_name, rule_idx, rule):
 return rule_props
 def convert_port(self, port):
+ """
+ Convert port field format from openconfig ACL to Config DB schema
+ :param port: String, ACL port number or range in openconfig format
+ :return: Tuple, first value is converted port string,
+ second value is boolean, True if value is a port range, False
+ if it is a single port value
+ """
+ # OpenConfig port range is of the format "####..####", whereas
+ # Config DB format is "####-####"
 if ".." in port:
 return port.replace("..", "-"), True
 else:
@@ -254,21 +264,21 @@ def convert_transport(self, table_name, rule_idx, rule):
 for flag in rule.transport.config.tcp_flags:
 if flag == "TCP_FIN":
- tcp_flags = tcp_flags | 0x01
+ tcp_flags |= 0x01
 if flag == "TCP_SYN":
- tcp_flags = tcp_flags | 0x02
+ tcp_flags |= 0x02
 if flag == "TCP_RST":
- tcp_flags = tcp_flags | 0x04
+ tcp_flags |= 0x04
 if flag == "TCP_PSH":
- tcp_flags = tcp_flags | 0x08
+ tcp_flags |= 0x08
 if flag == "TCP_ACK":
- tcp_flags = tcp_flags | 0x10
+ tcp_flags |= 0x10
 if flag == "TCP_URG":
- tcp_flags = tcp_flags | 0x20
+ tcp_flags |= 0x20
 if flag == "TCP_ECE":
- tcp_flags = tcp_flags | 0x40
+ tcp_flags |= 0x40
 if flag == "TCP_CWR":
- tcp_flags = tcp_flags | 0x80
+ tcp_flags |= 0x80
 if tcp_flags:
 rule_props["TCP_FLAGS"] = '0x{:02x}/0x{:02x}'.format(tcp_flags, tcp_flags)
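Review bot: The rewritten return line of is_table_mirror still indexes `self.tables_db_info[tname]['type']` directly, so a table name that is not in the DB (or an entry without a 'type' field) escapes as a KeyError instead of the loader's own AclLoaderException; the same applies to is_table_control_plane added in patch 4. If callers are expected to call is_table_valid first, the contract should say so: add `:raises KeyError: if *tname* is not a loaded ACL table` to both docstrings, or guard with `if not self.is_table_valid(tname): raise AclLoaderException("Unknown ACL table: {}".format(tname))`. is_table_valid's body is outside this hunk, so whether it also covers a missing 'type' key is an assumption on my part.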
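Review bot: The new convert_port docstring describes the range conversion, but the code beneath it still accepts any string containing "..", so a malformed value such as "80..abc" or "1..2..3" is written into Config DB unchanged and the problem only surfaces when the rule is applied. Since rule files are operator-supplied configuration, validate both endpoints before returning: `lo, hi = port.split("..", 1)`, `if not (lo.isdigit() and hi.isdigit()): raise AclLoaderException("Invalid port range: {}".format(port))`, then `return "{}-{}".format(lo, hi), True`. The else branch of convert_port continues outside the hunk, so the single-port case would need the matching `port.isdigit()` check there.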
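Review bot: The eight `if flag == ...` comparisons that were rewritten to `|=` still silently ignore any flag name they do not recognise, so a typo in a rule file (for example "TCP_SIN") produces a rule whose TCP_FLAGS match is looser than the operator intended, with no error at load time. A name-to-bit table with a lookup that raises AclLoaderException on unknown names removes the repetition and turns the silent mismatch into a load-time failure; the sketch below replaces the loop body. convert_transport starts before this hunk, so where tcp_flags is initialised is not visible here and the table could equally live as a class attribute next to the other constants.
```python
        # maps openconfig tcp_flags names to the bit used in the TCP_FLAGS mask
        TCP_FLAG_BITS = {
            "TCP_FIN": 0x01, "TCP_SYN": 0x02, "TCP_RST": 0x04, "TCP_PSH": 0x08,
            "TCP_ACK": 0x10, "TCP_URG": 0x20, "TCP_ECE": 0x40, "TCP_CWR": 0x80,
        }
        for flag in rule.transport.config.tcp_flags:
            if flag not in TCP_FLAG_BITS:
                raise AclLoaderException("Unknown TCP flag {} in rule {}".format(flag, rule_idx))
            tcp_flags |= TCP_FLAG_BITS[flag]
        # … unchanged: TCP_FLAGS assignment when tcp_flags is non-zero …
```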
@@ -304,7 +314,7 @@ def deny_rule(self, table_name):
 rule_props = {}
 rule_data = {(table_name, "DEFAULT_RULE"): rule_props}
 rule_props["PRIORITY"] = self.min_priority
- rule_props["ETHER_TYPE"] = "0x0800"
+ rule_props["ETHER_TYPE"] = self.ethertype_map["ETHERTYPE_IPV4"]
 rule_props["PACKET_ACTION"] = "DROP"
 return rule_data
From f196dcd38f930dd3348c5f271aa1a12a309f9ec0 Mon Sep 17 00:00:00 2001
From: Joe LeVeque
Date: Thu, 14 Dec 2017 01:31:22 +0000
Subject: [PATCH 4/4] Add support for handling control plane ACLs
---
acl_loader/main.py | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/acl_loader/main.py b/acl_loader/main.py
index 1625bb15f0..9ca8c8a067 100644
--- a/acl_loader/main.py
+++ b/acl_loader/main.py
@@ -41,6 +41,7 @@ class AclLoader(object):
 ACL_TABLE = "ACL_TABLE"
 ACL_RULE = "ACL_RULE"
 ACL_TABLE_TYPE_MIRROR = "MIRROR"
+ ACL_TABLE_TYPE_CTRLPLANE = "CTRLPLANE"
 MIRROR_SESSION = "MIRROR_SESSION"
 SESSION_PREFIX = "everflow"
@@ -160,6 +161,14 @@ def is_table_mirror(self, tname):
 """
 return self.tables_db_info[tname]['type'].upper() == self.ACL_TABLE_TYPE_MIRROR
+ def is_table_control_plane(self, tname):
+ """
+ Check if ACL table type is ACL_TABLE_TYPE_CTRLPLANE
+ :param tname: ACL table name
+ :return: True if table type is ACL_TABLE_TYPE_CTRLPLANE else False
+ """
+ return self.tables_db_info[tname]['type'].upper() == self.ACL_TABLE_TYPE_CTRLPLANE
+
 def load_rules_from_file(self, filename):
 """
 Load file with ACL rules configuration in openconfig ACL format. Convert rules
@@ -174,7 +183,9 @@ def convert_action(self, table_name, rule_idx, rule):
 rule_props = {}
 if rule.actions.config.forwarding_action == "ACCEPT":
- if self.is_table_mirror(table_name):
+ if self.is_table_control_plane(table_name):
+ rule_props["PACKET_ACTION"] = "ACCEPT"
+ elif self.is_table_mirror(table_name):
 session_name = self.get_session_name()
 if not session_name:
 raise AclLoaderException("Mirroring session does not exist")
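Review bot: The new control-plane branch in convert_action writes the bare literal `"ACCEPT"` into PACKET_ACTION, while this same series introduces ACL_TABLE_TYPE_MIRROR and ACL_TABLE_TYPE_CTRLPLANE precisely to stop comparing against bare strings; packet actions deserve the same treatment, since a typo in an action literal is a silently wrong ACL entry rather than a NameError. Define `PACKET_ACTION_ACCEPT = "ACCEPT"` (and `PACKET_ACTION_DROP = "DROP"` for the deny_rule hunk in patch 3) next to the table-type constants and use them in both places. convert_action's remaining branches lie outside the hunk, so any further action literals there would be candidates as well.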