-
Notifications
You must be signed in to change notification settings - Fork 650
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add time-based ACL support for acl-loader #2354
base: master
Are you sure you want to change the base?
Conversation
Signed-off-by: bingwang <bingwang@microsoft.com>
This pull request introduces 2 alerts when merging 0006a60 into 3be2ad7 - view on LGTM.com new alerts:
|
This pull request introduces 1 alert when merging 2371472 into 3be2ad7 - view on LGTM.com new alerts:
|
Let's mark this as draft here since the HLD is still under reviewing |
Sure. |
This pull request introduces 1 alert when merging 9ab1f48 into 1ac584b - view on LGTM.com new alerts:
|
acl_loader/main.py
Outdated
""" | ||
Load file with ACL rules configuration in openconfig ACL format. Convert rules | ||
to Config DB schema. | ||
:param filename: File in openconfig ACL format | ||
:param is_time_based: A bool, indicates whether the rule is dynamic or not |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
time-based
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accept and thanks!
acl_loader/main.py
Outdated
@@ -583,6 +586,41 @@ def convert_input_interface(self, table_name, rule_idx, rule): | |||
|
|||
return rule_props | |||
|
|||
def is_db_rule_dynamic(self, key): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is_db_rule_time_based
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accept and thanks!
acl_loader/main.py
Outdated
def is_time_based_rule(self, rule): | ||
return rule.time_range.config.start_time | ||
|
||
def convert_dynamic_acl_config(self, key, rule): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
convert_time_based_acl_config
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accept and thanks!
acl_loader/main.py
Outdated
|
||
return rule_props | ||
|
||
def add_config_db_dynamic_acl_rule_entry(self, table, rule, entry): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add_config_db_time_based_acl_rule_entry
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accept and thanks!
acl_loader/main.py
Outdated
|
||
def add_config_db_dynamic_acl_rule_entry(self, table, rule, entry): | ||
""" | ||
Insert entry to CONFIG_DB for dynamic ACL |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
...for time-based ACL
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accept and thanks!
""" | ||
key = table + '|' + rule | ||
try: | ||
entry.pop('is_time_based', None) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why we have this entry? It is not exist in HLD
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"is_time_based" is an internal field to mark if the ACL is time-based not or during acl-loader parsing the json file.
@@ -596,16 +634,27 @@ def validate_rule_fields(self, rule_props): | |||
if ("ICMPV6_TYPE" in rule_props or "ICMPV6_CODE" in rule_props) and protocol != 58: | |||
raise AclLoaderException("IP_PROTOCOL={} is not ICMPV6, but ICMPV6 fields were provided".format(protocol)) | |||
|
|||
def convert_rule_to_db_schema(self, table_name, rule): | |||
def convert_rule_to_db_schema(self, table_name, rule, rule_name, is_time_based): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Better use an enum type instead. In future, we might introduce more ACL types, use enum can avoiding change the API:
- Standard
- TimeBased
- ...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is an optional comments. We can do the refactor after this PR for sure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Noted.
acl_loader/main.py
Outdated
rule_props = {} | ||
rule_data = {(table_name, "RULE_" + str(rule_idx)): rule_props} | ||
if is_time_based and not self.is_time_based_rule(rule): | ||
warning("Attempting to insert time-based ACL rule without TTL, refused") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Without start_time
and end_time
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accept and thanks!
acl_loader/main.py
Outdated
return False | ||
|
||
def is_time_based_rule(self, rule): | ||
return rule.time_range.config.start_time |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We'd better check if end_time
provided here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accept and thanks!
@@ -642,9 +692,10 @@ def deny_rule(self, table_name): | |||
rule_props["ETHER_TYPE"] = str(self.ethertype_map["ETHERTYPE_IPV4"]) | |||
return rule_data | |||
|
|||
def convert_rules(self): | |||
def convert_rules(self, is_time_based): |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same previous comment, we'd better use enum type here.
We can do refactor in future. Add this comment here as a reminder
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Noted.
acl_loader/main.py
Outdated
""" | ||
Convert rules in openconfig ACL format to Config DB schema | ||
:param is_time_based: A bool, indicates whether the rule is dynamic or not |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the rule is time_based
or not
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accept and thanks!
acl_loader/main.py
Outdated
@@ -765,6 +822,33 @@ def incremental_update(self): | |||
for namespace_configdb in self.per_npu_configdb.values(): | |||
namespace_configdb.set_entry(self.ACL_RULE, key, self.rules_info[key]) | |||
|
|||
def update_time_based_acl_rules(self): | |||
""" | |||
Perform update of dynamic ACL rule. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perform update of time-based ACL rule.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accept and thanks!
acl_loader/main.py
Outdated
def update_time_based_acl_rules(self): | ||
""" | ||
Perform update of dynamic ACL rule. | ||
Renew the TTL of ACL rule if existing, or insert new dynamic ACL rule |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Update the start_time
and end_time
if existing, or insert new time-based ACL rule
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Accept and thanks!
What I did
Add time-based ACL support for acl-loader
How I did it
Modify code according to HLD: Dynamic-ACL-Design.md (Currently is under PR review)
New acl-loader CLIs are introduced:
acl-loader update time-based-acl <filename.json>
acl-loader delete-time-based-acl
How to verify it
See HLD unit test and system test.
sonic-net/SONiC#1078
Previous command output (if the output of a command-line utility has changed)
N/A
New command output (if the output of a command-line utility has changed)
admin@hostname: acl-loader update time-based-acl dacl.json
Info: Added CONFIG_DB entry for rule DYNAMIC_RULE_1
Info: {'PRIORITY': '9999', 'ETHER_TYPE': '2048', 'PACKET_ACTION': 'DROP', 'DST_IP': '10.0.0.57/32', 'is_dynamic': 'True', 'ttl': '3600', 'creation_time': '1662515645', 'expiration_time': '1662519245'}
Info: Added CONFIG_DB entry for rule DYNAMIC_RULE_2
Info: {'PRIORITY': '9998', 'ETHER_TYPE': '2048', 'PACKET_ACTION': 'DROP', 'DST_IP': '192.168.0.101/32', 'is_dynamic': 'True', 'ttl': '10', 'creation_time': '1662515645', 'expiration_time': '1662515655'}
admin@hostname: acl-loader delete-time-based-acl BMC_ACL_SOUTHBOUND 1
Info: Removed a dynamic ACL rule BMC_ACL_SOUTHBOUND|DYNAMIC_RULE_1