From a2a483d3cb67a4093bf9550bca0904d96e3791d7 Mon Sep 17 00:00:00 2001 From: Junchao-Mellanox <57339448+Junchao-Mellanox@users.noreply.github.com> Date: Sun, 29 Jan 2023 19:49:45 +0800 Subject: [PATCH] [acl] Add new ACL key BTH_OPCODE and AETH_SYNDROME (#2617) - What I did Add new ACL key BTH_OPCODE and AETH_SYNDROME - Why I did it Add new ACL key BTH_OPCODE and AETH_SYNDROME - How I verified it Manual test
--- orchagent/aclorch.cpp | 36 ++++++++++++++++++++++++++-- orchagent/aclorch.h | 2 ++ tests/mock_tests/aclorch_ut.cpp | 42 ++++++++++++++++++++++++++++++++- 3 files changed, 77 insertions(+), 3 deletions(-)
diff --git a/orchagent/aclorch.cpp b/orchagent/aclorch.cpp
index 7efae768cddf..5be81efd799b 100644
--- a/orchagent/aclorch.cpp
+++ b/orchagent/aclorch.cpp
@@ -69,7 +69,9 @@ acl_rule_attr_lookup_t aclMatchLookup =
 { MATCH_INNER_ETHER_TYPE, SAI_ACL_ENTRY_ATTR_FIELD_INNER_ETHER_TYPE },
 { MATCH_INNER_IP_PROTOCOL, SAI_ACL_ENTRY_ATTR_FIELD_INNER_IP_PROTOCOL },
 { MATCH_INNER_L4_SRC_PORT, SAI_ACL_ENTRY_ATTR_FIELD_INNER_L4_SRC_PORT },
- { MATCH_INNER_L4_DST_PORT, SAI_ACL_ENTRY_ATTR_FIELD_INNER_L4_DST_PORT }
+ { MATCH_INNER_L4_DST_PORT, SAI_ACL_ENTRY_ATTR_FIELD_INNER_L4_DST_PORT },
+ { MATCH_BTH_OPCODE, SAI_ACL_ENTRY_ATTR_FIELD_BTH_OPCODE},
+ { MATCH_AETH_SYNDROME, SAI_ACL_ENTRY_ATTR_FIELD_AETH_SYNDROME}
 };
 static acl_range_type_lookup_t aclRangeTypeLookup =
@@ -970,6 +972,36 @@ bool AclRule::validateAddMatch(string attr_name, string attr_value)
 matchData.data.u8 = to_uint(attr_value);
 matchData.mask.u8 = 0xFF;
 }
+ else if (attr_name == MATCH_BTH_OPCODE)
+ {
+ auto opcode_data = tokenize(attr_value, '/');
+
+ if (opcode_data.size() == 2)
+ {
+ matchData.data.u8 = to_uint(opcode_data[0]);
+ matchData.mask.u8 = to_uint(opcode_data[1]);
+ }
+ else
+ {
+ SWSS_LOG_ERROR("Invalid BTH_OPCODE configuration: %s, expected format /", attr_value.c_str());
+ return false;
+ }
+ }
+ else if (attr_name == MATCH_AETH_SYNDROME)
+ {
+ auto syndrome_data = tokenize(attr_value, '/');
+
+ if (syndrome_data.size() == 2)
+ {
+ matchData.data.u8 = to_uint(syndrome_data[0]);
+ matchData.mask.u8 = to_uint(syndrome_data[1]);
+ }
+ else
+ {
+ SWSS_LOG_ERROR("Invalid AETH_SYNDROME configuration: %s, expected format /", attr_value.c_str());
+ return false;
+ }
+ }
 }
 catch (exception &e)
 {
@@ -3796,7 +3828,7 @@ bool AclOrch::addAclTable(AclTable &newTable)
 }
 // Update matching field according to ACL stage
 newTable.addStageMandatoryMatchFields();
-
+
 // Add mandatory ACL action if not present
 // We need to call addMandatoryActions here because addAclTable is directly called in other orchs.
 // The action_list is already added if the ACL table creation is triggered by CONFIGDD, but calling addMandatoryActions
diff --git a/orchagent/aclorch.h b/orchagent/aclorch.h
index 4972ec1ac2f7..c62a68991ac0 100644
--- a/orchagent/aclorch.h
+++ b/orchagent/aclorch.h
@@ -49,6 +49,8 @@
 #define MATCH_INNER_IP_PROTOCOL "INNER_IP_PROTOCOL"
 #define MATCH_INNER_L4_SRC_PORT "INNER_L4_SRC_PORT"
 #define MATCH_INNER_L4_DST_PORT "INNER_L4_DST_PORT"
+#define MATCH_BTH_OPCODE "BTH_OPCODE"
+#define MATCH_AETH_SYNDROME "AETH_SYNDROME"
 #define BIND_POINT_TYPE_PORT "PORT"
 #define BIND_POINT_TYPE_PORTCHANNEL "PORTCHANNEL"
diff --git a/tests/mock_tests/aclorch_ut.cpp b/tests/mock_tests/aclorch_ut.cpp
index d8fe2bbd2a5d..5c8866b240c5 100644
--- a/tests/mock_tests/aclorch_ut.cpp
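Review bot: In the `@@ -970` hunk of orchagent/aclorch.cpp (`AclRule::validateAddMatch`), both new branches accept any value that splits into exactly two parts on `/`, and nothing visible here bounds either part to 8 bits before it is stored in `matchData.data.u8` and `matchData.mask.u8`. Whether an oversized part (for example `0x160/0xff`) or an empty part (for example `0x60/`) is rejected or silently narrowed depends on how `to_uint` is instantiated, and the page appears to have lost angle-bracketed text (the template arguments, and the hint in `expected format /`), so please confirm the call range-checks to `uint8_t` and throws into the existing `catch`. A mask of `0x00` turns the key into a wildcard and widens the rule to everything the other keys match; if that is not intended, reject it with something like `if (matchData.mask.u8 == 0) { SWSS_LOG_ERROR(...); return false; }`, otherwise add a comment saying it is allowed. The BTH_OPCODE and AETH_SYNDROME branches differ only in the key name and could share one helper that takes the name for the log message. The function body starts and ends outside the hunk.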
+++ b/tests/mock_tests/aclorch_ut.cpp
@@ -1409,7 +1409,7 @@ namespace aclorch_test
 {
 {
 ACL_TABLE_TYPE_MATCHES,
- string(MATCH_SRC_IP) + comma + MATCH_ETHER_TYPE + comma + MATCH_L4_SRC_PORT_RANGE
+ string(MATCH_SRC_IP) + comma + MATCH_ETHER_TYPE + comma + MATCH_L4_SRC_PORT_RANGE + comma + MATCH_BTH_OPCODE + comma + MATCH_AETH_SYNDROME
 },
 {
 ACL_TABLE_TYPE_BPOINT_TYPES,
@@ -1431,6 +1431,8 @@ namespace aclorch_test
 { "SAI_ACL_TABLE_ATTR_FIELD_SRC_IP", "true" },
 { "SAI_ACL_TABLE_ATTR_FIELD_ETHER_TYPE", "true" },
 { "SAI_ACL_TABLE_ATTR_FIELD_ACL_RANGE_TYPE", "1:SAI_ACL_RANGE_TYPE_L4_SRC_PORT_RANGE" },
+ { "SAI_ACL_TABLE_ATTR_FIELD_BTH_OPCODE", "true" },
+ { "SAI_ACL_TABLE_ATTR_FIELD_AETH_SYNDROME", "true" },
 };
 ASSERT_TRUE(validateAclTable(
@@ -1477,6 +1479,42 @@ namespace aclorch_test
 // DST_IP is not in the table type
 ASSERT_FALSE(orch->getAclRule(aclTableName, aclRuleName));
+ orch->doAclRuleTask(
+ deque(
+ {
+ {
+ aclTableName + "|" + aclRuleName,
+ SET_COMMAND,
+ {
+ { ACTION_PACKET_ACTION, PACKET_ACTION_DROP },
+ { MATCH_BTH_OPCODE, "0x60" },
+ }
+ }
+ }
+ )
+ );
+
+ // MATCH_BTH_OPCODE invalid format
+ ASSERT_FALSE(orch->getAclRule(aclTableName, aclRuleName));
+
+ orch->doAclRuleTask(
+ deque(
+ {
+ {
+ aclTableName + "|" + aclRuleName,
+ SET_COMMAND,
+ {
+ { ACTION_PACKET_ACTION, PACKET_ACTION_DROP },
+ { MATCH_AETH_SYNDROME, "0x60" },
+ }
+ }
+ }
+ )
+ );
+
+ // MATCH_AETH_SYNDROME invalid format
+ ASSERT_FALSE(orch->getAclRule(aclTableName, aclRuleName));
+
 orch->doAclRuleTask(
 deque(
 {
@@ -1486,6 +1524,8 @@ namespace aclorch_test
 {
 { MATCH_SRC_IP, "1.1.1.1/32" },
 { ACTION_PACKET_ACTION, PACKET_ACTION_DROP },
+ { MATCH_BTH_OPCODE, "0x60/0xff" },
+ { MATCH_AETH_SYNDROME, "0x60/0x60" },
 }
 }
 }
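Review bot: The negative cases added in the `@@ -1477` hunk of tests/mock_tests/aclorch_ut.cpp cover only one malformed shape, a value with no `/` (`"0x60"`), so the inputs most likely to slip through the new parser are untested: a part that does not fit in 8 bits, a non-numeric part, an empty part such as `"0x60/"`, and a value with a second `/`. Each `ASSERT_FALSE(orch->getAclRule(aclTableName, aclRuleName))` also passes for any rejection reason, so it does not show that the format check is what refused the rule. In the `@@ -1486` hunk the valid rule gains `"0x60/0xff"` and `"0x60/0x60"`, but no assertion visible here checks that the created entry carries that data and mask. The test body continues outside these hunks, so that last point may already be covered there.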