Add time-based ACL support for acl-loader #2354
Conversation
Signed-off-by: bingwang <bingwang@microsoft.com>
|
This pull request introduces 2 alerts when merging 0006a60 into 3be2ad7 - view on LGTM.com new alerts:
|
|
This pull request introduces 1 alert when merging 2371472 into 3be2ad7 - view on LGTM.com new alerts:
|
|
Let's mark this as draft here since the HLD is still under reviewing |
Sure. |
|
This pull request introduces 1 alert when merging 9ab1f48 into 1ac584b - view on LGTM.com new alerts:
|
acl_loader/main.py
Outdated
| """ | ||
| Load file with ACL rules configuration in openconfig ACL format. Convert rules | ||
| to Config DB schema. | ||
| :param filename: File in openconfig ACL format | ||
| :param is_time_based: A bool, indicates whether the rule is dynamic or not |
acl_loader/main.py
Outdated
| @@ -583,6 +586,41 @@ def convert_input_interface(self, table_name, rule_idx, rule): | |||
|
|
|||
| return rule_props | |||
|
|
|||
| def is_db_rule_dynamic(self, key): | |||
acl_loader/main.py
Outdated
| def is_time_based_rule(self, rule): | ||
| return rule.time_range.config.start_time | ||
|
|
||
| def convert_dynamic_acl_config(self, key, rule): |
There was a problem hiding this comment.
convert_time_based_acl_config
acl_loader/main.py
Outdated
|
|
||
| return rule_props | ||
|
|
||
| def add_config_db_dynamic_acl_rule_entry(self, table, rule, entry): |
There was a problem hiding this comment.
add_config_db_time_based_acl_rule_entry
acl_loader/main.py
Outdated
|
|
||
| def add_config_db_dynamic_acl_rule_entry(self, table, rule, entry): | ||
| """ | ||
| Insert entry to CONFIG_DB for dynamic ACL |
| """ | ||
| key = table + '|' + rule | ||
| try: | ||
| entry.pop('is_time_based', None) |
There was a problem hiding this comment.
Why we have this entry? It is not exist in HLD
There was a problem hiding this comment.
"is_time_based" is an internal field to mark if the ACL is time-based not or during acl-loader parsing the json file.
| @@ -596,16 +634,27 @@ def validate_rule_fields(self, rule_props): | |||
| if ("ICMPV6_TYPE" in rule_props or "ICMPV6_CODE" in rule_props) and protocol != 58: | |||
| raise AclLoaderException("IP_PROTOCOL={} is not ICMPV6, but ICMPV6 fields were provided".format(protocol)) | |||
|
|
|||
| def convert_rule_to_db_schema(self, table_name, rule): | |||
| def convert_rule_to_db_schema(self, table_name, rule, rule_name, is_time_based): | |||
There was a problem hiding this comment.
Better use an enum type instead. In future, we might introduce more ACL types, use enum can avoiding change the API:
- Standard
- TimeBased
- ...
There was a problem hiding this comment.
This is an optional comments. We can do the refactor after this PR for sure.
acl_loader/main.py
Outdated
| rule_props = {} | ||
| rule_data = {(table_name, "RULE_" + str(rule_idx)): rule_props} | ||
| if is_time_based and not self.is_time_based_rule(rule): | ||
| warning("Attempting to insert time-based ACL rule without TTL, refused") |
There was a problem hiding this comment.
Without start_time and end_time
acl_loader/main.py
Outdated
| return False | ||
|
|
||
| def is_time_based_rule(self, rule): | ||
| return rule.time_range.config.start_time |
There was a problem hiding this comment.
We'd better check if end_time provided here
| @@ -642,9 +692,10 @@ def deny_rule(self, table_name): | |||
| rule_props["ETHER_TYPE"] = str(self.ethertype_map["ETHERTYPE_IPV4"]) | |||
| return rule_data | |||
|
|
|||
| def convert_rules(self): | |||
| def convert_rules(self, is_time_based): | |||
There was a problem hiding this comment.
Same previous comment, we'd better use enum type here.
We can do refactor in future. Add this comment here as a reminder
acl_loader/main.py
Outdated
| """ | ||
| Convert rules in openconfig ACL format to Config DB schema | ||
| :param is_time_based: A bool, indicates whether the rule is dynamic or not |
There was a problem hiding this comment.
the rule is time_based or not
acl_loader/main.py
Outdated
| @@ -765,6 +822,33 @@ def incremental_update(self): | |||
| for namespace_configdb in self.per_npu_configdb.values(): | |||
| namespace_configdb.set_entry(self.ACL_RULE, key, self.rules_info[key]) | |||
|
|
|||
| def update_time_based_acl_rules(self): | |||
| """ | |||
| Perform update of dynamic ACL rule. | |||
There was a problem hiding this comment.
Perform update of time-based ACL rule.
acl_loader/main.py
Outdated
| def update_time_based_acl_rules(self): | ||
| """ | ||
| Perform update of dynamic ACL rule. | ||
| Renew the TTL of ACL rule if existing, or insert new dynamic ACL rule |
There was a problem hiding this comment.
Update the start_time and end_time if existing, or insert new time-based ACL rule
What I did
Add time-based ACL support for acl-loader
How I did it
Modify code according to HLD: Dynamic-ACL-Design.md (Currently is under PR review)
New acl-loader CLIs are introduced:
acl-loader update time-based-acl <filename.json>
acl-loader delete-time-based-acl
How to verify it
See HLD unit test and system test.
sonic-net/SONiC#1078
Previous command output (if the output of a command-line utility has changed)
N/A
New command output (if the output of a command-line utility has changed)
admin@hostname: acl-loader update time-based-acl dacl.json
Info: Added CONFIG_DB entry for rule DYNAMIC_RULE_1
Info: {'PRIORITY': '9999', 'ETHER_TYPE': '2048', 'PACKET_ACTION': 'DROP', 'DST_IP': '10.0.0.57/32', 'is_dynamic': 'True', 'ttl': '3600', 'creation_time': '1662515645', 'expiration_time': '1662519245'}
Info: Added CONFIG_DB entry for rule DYNAMIC_RULE_2
Info: {'PRIORITY': '9998', 'ETHER_TYPE': '2048', 'PACKET_ACTION': 'DROP', 'DST_IP': '192.168.0.101/32', 'is_dynamic': 'True', 'ttl': '10', 'creation_time': '1662515645', 'expiration_time': '1662515655'}
admin@hostname: acl-loader delete-time-based-acl BMC_ACL_SOUTHBOUND 1
Info: Removed a dynamic ACL rule BMC_ACL_SOUTHBOUND|DYNAMIC_RULE_1