From f889f801dfa050b125cbb730a2e19d523034e5c3 Mon Sep 17 00:00:00 2001 From: Shuotian Cheng Date: Wed, 8 May 2019 09:14:15 -0700 Subject: [PATCH] [aclorch]: Add ICMP type/code match for v4/v6 (#868) Support the following matches: SAI_ACL_TABLE_ATTR_FIELD_ICMP_TYPE SAI_ACL_TABLE_ATTR_FIELD_ICMP_CODE SAI_ACL_TABLE_ATTR_FIELD_ICMPV6_TYPE SAI_ACL_TABLE_ATTR_FIELD_ICMPV6_CODE Signed-off-by: Shu0T1an ChenG --- orchagent/aclorch.cpp | 133 ++++++++++++++++++++++++++--------- orchagent/aclorch.h | 4 ++ tests/test_acl.py | 158 +++++++++++++++++++++++++++++++++++++----- 3 files changed, 246 insertions(+), 49 deletions(-) diff --git a/orchagent/aclorch.cpp b/orchagent/aclorch.cpp index 675897592c6e..44f827854bcf 100644 --- a/orchagent/aclorch.cpp +++ b/orchagent/aclorch.cpp @@ -46,6 +46,10 @@ acl_rule_attr_lookup_t aclMatchLookup = { MATCH_IP_TYPE, SAI_ACL_ENTRY_ATTR_FIELD_ACL_IP_TYPE }, { MATCH_DSCP, SAI_ACL_ENTRY_ATTR_FIELD_DSCP }, { MATCH_TC, SAI_ACL_ENTRY_ATTR_FIELD_TC }, + { MATCH_ICMP_TYPE, SAI_ACL_ENTRY_ATTR_FIELD_ICMP_TYPE }, + { MATCH_ICMP_CODE, SAI_ACL_ENTRY_ATTR_FIELD_ICMP_CODE }, + { MATCH_ICMPV6_TYPE, SAI_ACL_ENTRY_ATTR_FIELD_ICMPV6_TYPE }, + { MATCH_ICMPV6_CODE, SAI_ACL_ENTRY_ATTR_FIELD_ICMPV6_CODE }, { MATCH_L4_SRC_PORT_RANGE, (sai_acl_entry_attr_t)SAI_ACL_RANGE_TYPE_L4_SRC_PORT_RANGE }, { MATCH_L4_DST_PORT_RANGE, (sai_acl_entry_attr_t)SAI_ACL_RANGE_TYPE_L4_DST_PORT_RANGE }, { MATCH_TUNNEL_VNI, SAI_ACL_ENTRY_ATTR_FIELD_TUNNEL_VNI }, @@ -334,6 +338,12 @@ bool AclRule::validateAddMatch(string attr_name, string attr_value) value.aclfield.data.u8 = to_uint(attr_value); value.aclfield.mask.u8 = 0xFF; } + else if (attr_name == MATCH_ICMP_TYPE || attr_name == MATCH_ICMP_CODE || + attr_name == MATCH_ICMPV6_TYPE || attr_name == MATCH_ICMPV6_CODE) + { + value.aclfield.data.u8 = to_uint(attr_value); + value.aclfield.mask.u8 = 0xFF; + } else if (attr_name == MATCH_TUNNEL_VNI) { value.aclfield.data.u32 = to_uint(attr_value); 
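Review bot: In the new ICMP branch of AclRule::validateAddMatch, `value.aclfield.data.u8 = to_uint(attr_value);` stores the parsed number into an 8-bit field with no visible range check. to_uint is defined outside this patch; if it returns a wider unsigned type, a configured value above 255 is truncated and the rule silently matches a different ICMP type or code than the operator wrote (constructed example: 264 would become 8). Parsing into a local first and rejecting with `if (v > 0xFF) { SWSS_LOG_ERROR("ICMP type/code %s is out of range", attr_value.c_str()); return false; }` before the assignment closes that gap. The branch is also an exact copy of the one just above it, so the four keys could be added to that condition instead. The function body starts and ends outside the hunk.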
@@ -850,12 +860,19 @@ bool AclRuleL3::validateAddMatch(string attr_name, string attr_value) { if (attr_name == MATCH_DSCP) { - SWSS_LOG_ERROR("DSCP match is not supported for the tables of type L3"); + SWSS_LOG_ERROR("DSCP match is not supported for table type L3"); return false; } + if (attr_name == MATCH_SRC_IPV6 || attr_name == MATCH_DST_IPV6) { - SWSS_LOG_ERROR("IPv6 address match is not supported for the tables of type L3"); + SWSS_LOG_ERROR("IPv6 address match is not supported for table type L3"); + return false; + } + + if (attr_name == MATCH_ICMPV6_TYPE || attr_name == MATCH_ICMPV6_CODE) + { + SWSS_LOG_ERROR("ICMPv6 match is not supported for table type L3"); return false; } @@ -906,12 +923,19 @@ bool AclRuleL3V6::validateAddMatch(string attr_name, string attr_value) { if (attr_name == MATCH_DSCP) { - SWSS_LOG_ERROR("DSCP match is not supported for the tables of type L3V6"); + SWSS_LOG_ERROR("DSCP match is not supported for table type L3V6"); return false; } + if (attr_name == MATCH_SRC_IP || attr_name == MATCH_DST_IP) { - SWSS_LOG_ERROR("IPv4 address match is not supported for the tables of type L3V6"); + SWSS_LOG_ERROR("IPv4 address match is not supported for table type L3V6"); + return false; + } + + if (attr_name == MATCH_ICMP_TYPE || attr_name == MATCH_ICMP_CODE) + { + SWSS_LOG_ERROR("ICMPv4 match is not supported for table type L3V6"); return false; } 
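Review bot: AclRuleL3::validateAddMatch and AclRuleL3V6::validateAddMatch each gain one more hand-written rejection, which keeps the per-table filtering a deny-list: a match key added later and forgotten here would be accepted for the wrong address family by default. An allow-list of keys per table type would fail closed instead. Short of that, a comment above the checks such as `// Every new MATCH_* key must be classified here as v4-only, v6-only or common` makes the obligation explicit. The same pattern is extended in the two AclRuleMirror::validateAddMatch hunks that follow. The rest of both functions, including whatever they delegate to after these checks, is outside the hunks.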
@@ -956,21 +980,28 @@ bool AclRuleMirror::validateAddMatch(string attr_name, string attr_value) /* * Type of Tables and Supported Match Types (Configuration) - * |--------------------------------------------------| - * | Match Type | TABLE_MIRROR | TABLE_MIRRORV6 | - * |--------------------------------------------------| - * | MATCH_SRC_IP | √ | | - * | MATCH_DST_IP | √ | | - * |--------------------------------------------------| - * | MATCH_SRC_IPV6 | | √ | - * | MATCH_DST_IPV6 | | √ | - * |--------------------------------------------------| - * | MARTCH_ETHERTYPE | √ | | - * |--------------------------------------------------| + * |---------------------------------------------------| + * | Match Type | TABLE_MIRROR | TABLE_MIRRORV6 | + * |---------------------------------------------------| + * | MATCH_SRC_IP | √ | | + * | MATCH_DST_IP | √ | | + * |---------------------------------------------------| + * | MATCH_ICMP_TYPE | √ | | + * | MATCH_ICMP_CODE | √ | | + * |---------------------------------------------------| + * | MATCH_ICMPV6_TYPE | | √ | + * | MATCH_ICMPV6_CODE | | √ | + * |---------------------------------------------------| + * | MATCH_SRC_IPV6 | | √ | + * | MATCH_DST_IPV6 | | √ | + * |---------------------------------------------------| + * | MARTCH_ETHERTYPE | √ | | + * |---------------------------------------------------| */ if (m_tableType == ACL_TABLE_MIRROR && - (attr_name == MATCH_SRC_IPV6 || attr_name == MATCH_DST_IPV6)) + (attr_name == MATCH_SRC_IPV6 || attr_name == MATCH_DST_IPV6 || + attr_name == MATCH_ICMPV6_TYPE || attr_name == MATCH_ICMPV6_CODE)) { SWSS_LOG_ERROR("%s match is not supported for the table of type MIRROR", attr_name.c_str()); 
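Review bot: The rewritten comment table still labels its last row `MARTCH_ETHERTYPE`, while the key the MIRRORV6 check in the next hunk tests is `MATCH_ETHER_TYPE`, so the row should read `| MATCH_ETHER_TYPE | √ | |`. The same misspelling is carried into the rewritten table in AclTable::create later in this patch. Since every row is re-emitted here to widen the first column, both tables can be corrected in the same change.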
@@ -978,9 +1009,11 @@ bool AclRuleMirror::validateAddMatch(string attr_name, string attr_value) } if (m_tableType == ACL_TABLE_MIRRORV6 && - (attr_name == MATCH_SRC_IP || attr_name == MATCH_DST_IP || attr_name == MATCH_ETHER_TYPE)) + (attr_name == MATCH_SRC_IP || attr_name == MATCH_DST_IP || + attr_name == MATCH_ICMP_TYPE || attr_name == MATCH_ICMP_CODE || + attr_name == MATCH_ETHER_TYPE)) { - SWSS_LOG_ERROR("%s match is not supported for the table of type MIRRORV6", + SWSS_LOG_ERROR("%s match is not supported for the table of type MIRRORv6", attr_name.c_str()); return false; } 
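Review bot: The error string now spells the table type `MIRRORv6`, while the constant is `ACL_TABLE_MIRRORV6` and the sibling messages in this patch say `L3V6`; anyone grepping or alerting on these log lines gets one more spelling to cover. Keeping `"%s match is not supported for the table of type MIRRORV6"`, or moving both mirror messages to the `table type X` wording adopted in the L3 and L3V6 hunks, would keep the messages uniform.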
@@ -1172,19 +1205,25 @@ bool AclTable::create() /* * Type of Tables and Supported Match Types (ASIC database) - * |-----------------------------------------------------------------| - * | | TABLE_MIRROR | TABLE_MIRROR | TABLE_MIRRORV6 | - * | Match Type |----------------------------------------------| - * | | combined | separated | - * |-----------------------------------------------------------------| - * | MATCH_SRC_IP | √ | √ | | - * | MATCH_DST_IP | √ | √ | | - * |-----------------------------------------------------------------| - * | MATCH_SRC_IPV6 | √ | | √ | - * | MATCH_DST_IPV6 | √ | | √ | - * |-----------------------------------------------------------------| - * | MARTCH_ETHERTYPE | √ | √ | | - * |-----------------------------------------------------------------| + * |------------------------------------------------------------------| + * | | TABLE_MIRROR | TABLE_MIRROR | TABLE_MIRRORV6 | + * | Match Type |----------------------------------------------| + * | | combined | separated | + * |------------------------------------------------------------------| + * | MATCH_SRC_IP | √ | √ | | + * | MATCH_DST_IP | √ | √ | | + * |------------------------------------------------------------------| + * | MATCH_ICMP_TYPE | √ | √ | | + * | MATCH_ICMP_CODE | √ | √ | | + * |------------------------------------------------------------------| + * | MATCH_SRC_IPV6 | √ | | √ | + * | MATCH_DST_IPV6 | √ | | √ | + * |------------------------------------------------------------------| + * | MATCH_ICMPV6_TYPE | √ | | √ | + * | MATCH_ICMPV6_CODE | √ | | √ | + * |------------------------------------------------------------------| + * | MARTCH_ETHERTYPE | √ | √ | | + * |------------------------------------------------------------------| */ if (type == ACL_TABLE_MIRROR) 
@@ -1197,6 +1236,14 @@ bool AclTable::create() attr.value.booldata = true; table_attrs.push_back(attr); + attr.id = SAI_ACL_TABLE_ATTR_FIELD_ICMP_TYPE; + attr.value.booldata = true; + table_attrs.push_back(attr); + + attr.id = SAI_ACL_TABLE_ATTR_FIELD_ICMP_CODE; + attr.value.booldata = true; + table_attrs.push_back(attr); + // If the switch supports v6 and requires one single table if (m_pAclOrch->m_mirrorTableCapabilities[ACL_TABLE_MIRRORV6] && m_pAclOrch->m_isCombinedMirrorV6Table) @@ -1208,6 +1255,14 @@ bool AclTable::create() attr.id = SAI_ACL_TABLE_ATTR_FIELD_DST_IPV6; attr.value.booldata = true; table_attrs.push_back(attr); + + attr.id = SAI_ACL_TABLE_ATTR_FIELD_ICMPV6_TYPE; + attr.value.booldata = true; + table_attrs.push_back(attr); + + attr.id = SAI_ACL_TABLE_ATTR_FIELD_ICMPV6_CODE; + attr.value.booldata = true; + table_attrs.push_back(attr); } } else if (type == ACL_TABLE_L3V6 || type == ACL_TABLE_MIRRORV6) // v6 only @@ -1219,6 +1274,14 @@ bool AclTable::create() attr.id = SAI_ACL_TABLE_ATTR_FIELD_DST_IPV6; attr.value.booldata = true; table_attrs.push_back(attr); + + attr.id = SAI_ACL_TABLE_ATTR_FIELD_ICMPV6_TYPE; + attr.value.booldata = true; + table_attrs.push_back(attr); + + attr.id = SAI_ACL_TABLE_ATTR_FIELD_ICMPV6_CODE; + attr.value.booldata = true; + table_attrs.push_back(attr); } else // v4 only { @@ -1229,6 +1292,14 @@ bool AclTable::create() attr.id = SAI_ACL_TABLE_ATTR_FIELD_DST_IP; attr.value.booldata = true; table_attrs.push_back(attr); + + attr.id = SAI_ACL_TABLE_ATTR_FIELD_ICMP_TYPE; + attr.value.booldata = true; + table_attrs.push_back(attr); + + attr.id = SAI_ACL_TABLE_ATTR_FIELD_ICMP_CODE; + attr.value.booldata = true; + table_attrs.push_back(attr); } attr.id = SAI_ACL_TABLE_ATTR_FIELD_L4_SRC_PORT; diff --git a/orchagent/aclorch.h b/orchagent/aclorch.h index 4e18924f7c0f..46151476e495 100644 --- a/orchagent/aclorch.h +++ b/orchagent/aclorch.h 
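Review bot: All four hunks in AclTable::create push the ICMP/ICMPv6 field attributes unconditionally, including in the `else // v4 only` branch that covers every table type that is neither mirror nor v6, whereas the neighbouring v6 mirror fields are gated on `m_mirrorTableCapabilities`. Whether every supported SAI accepts these attributes is not visible here; where one does not, table creation would presumably fail and the rules of that table would never be programmed, which turns a missing feature into a missing ACL. If no capability query is available, at least record the requirement with a comment such as `// Requires SAI support for ICMP/ICMPv6 type/code table fields; table creation fails without it`. AclTable::create starts and ends outside these hunks.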
@@ -50,6 +50,10 @@ #define MATCH_L4_SRC_PORT_RANGE "L4_SRC_PORT_RANGE" #define MATCH_L4_DST_PORT_RANGE "L4_DST_PORT_RANGE" #define MATCH_TC "TC" +#define MATCH_ICMP_TYPE "ICMP_TYPE" +#define MATCH_ICMP_CODE "ICMP_CODE" +#define MATCH_ICMPV6_TYPE "ICMPV6_TYPE" +#define MATCH_ICMPV6_CODE "ICMPV6_CODE" #define MATCH_TUNNEL_VNI "TUNNEL_VNI" #define MATCH_INNER_ETHER_TYPE "INNER_ETHER_TYPE" #define MATCH_INNER_IP_PROTOCOL "INNER_IP_PROTOCOL" diff --git a/tests/test_acl.py b/tests/test_acl.py index 7d57645bd87a..197026d548fd 100644 --- a/tests/test_acl.py +++ b/tests/test_acl.py @@ -4,13 +4,33 @@ import json class TestAcl(object): - def get_acl_table_id(self, dvs, adb): - atbl = swsscommon.Table(adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_TABLE") - keys = atbl.getKeys() + def setup_db(self, dvs): + self.pdb = swsscommon.DBConnector(0, dvs.redis_sock, 0) + self.adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) + self.cdb = swsscommon.DBConnector(4, dvs.redis_sock, 0) + self.sdb = swsscommon.DBConnector(6, dvs.redis_sock, 0) + + def create_acl_table(self, table, type, ports): + tbl = swsscommon.Table(self.cdb, "ACL_TABLE") + fvs = swsscommon.FieldValuePairs([("policy_desc", "test"), + ("type", type), + ("ports", ",".join(ports))]) + tbl.set(table, fvs) + time.sleep(1) + + def remove_acl_table(self, table): + tbl = swsscommon.Table(self.cdb, "ACL_TABLE") + tbl._del(table) + time.sleep(1) + + def get_acl_table_id(self, dvs): + tbl = swsscommon.Table(self.adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_TABLE") + keys = tbl.getKeys() + for k in dvs.asicdb.default_acl_tables: assert k in keys - acl_tables = [k for k in keys if k not in dvs.asicdb.default_acl_tables] + acl_tables = [k for k in keys if k not in dvs.asicdb.default_acl_tables] assert len(acl_tables) == 1 return acl_tables[0] 
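Review bot: The new helpers `create_acl_table` and `remove_acl_table` wait for orchagent with a fixed `time.sleep(1)`, so a slow container can make `get_acl_table_id` assert before the table reaches ASIC_DB, while a fast one simply waits. Polling the ASIC_DB key set until the expected count appears, with a timeout, would make the ICMP tests deterministic. Separately, the parameter name in `def create_acl_table(self, table, type, ports):` shadows the builtin; `table_type` reads better. `setup_db` also opens `pdb` and `sdb`, which nothing in this patch reads, and the existing tests in the following hunks keep their own `db`/`adb` connectors after calling it.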
@@ -105,6 +125,7 @@ def verify_acl_port_binding(self, dvs, adb, bind_ports): assert set(port_groups) == set(acl_table_groups) def test_AclTableCreation(self, dvs, testlog): + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) @@ -116,7 +137,7 @@ def test_AclTableCreation(self, dvs, testlog): time.sleep(1) # check acl table in asic db - test_acl_table_id = self.get_acl_table_id(dvs, adb) + test_acl_table_id = self.get_acl_table_id(dvs) assert test_acl_table_id # check acl table group in asic db @@ -138,6 +159,7 @@ def test_AclRuleL4SrcPort(self, dvs, testlog): hmset ACL_RULE|test|acl_test_rule priority 55 PACKET_ACTION FORWARD L4_SRC_PORT 65000 """ + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) @@ -148,7 +170,7 @@ def test_AclRuleL4SrcPort(self, dvs, testlog): time.sleep(1) - test_acl_table_id = self.get_acl_table_id(dvs, adb) + test_acl_table_id = self.get_acl_table_id(dvs) # check acl table in asic db atbl = swsscommon.Table(adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY") @@ -189,6 +211,7 @@ def test_AclRuleInOutPorts(self, dvs, testlog): hmset ACL_RULE|test|acl_test_rule priority 55 PACKET_ACTION FORWARD IN_PORTS Ethernet0,Ethernet4 OUT_PORTS Ethernet8,Ethernet12 """ + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) @@ -202,7 +225,7 @@ def test_AclRuleInOutPorts(self, dvs, testlog): time.sleep(1) - test_acl_table_id = self.get_acl_table_id(dvs, adb) + test_acl_table_id = self.get_acl_table_id(dvs) # check acl table in asic db atbl = swsscommon.Table(adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY") @@ -246,6 +269,7 @@ def test_AclRuleInOutPorts(self, dvs, testlog): def test_AclTableDeletion(self, dvs, testlog): + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) 
@@ -262,6 +286,7 @@ def test_AclTableDeletion(self, dvs, testlog): def test_V6AclTableCreation(self, dvs, testlog): + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) @@ -274,7 +299,7 @@ def test_V6AclTableCreation(self, dvs, testlog): time.sleep(1) # check acl table in asic db - test_acl_table_id = self.get_acl_table_id(dvs, adb) + test_acl_table_id = self.get_acl_table_id(dvs) # check acl table group in asic db atbl = swsscommon.Table(adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_TABLE_GROUP") @@ -338,6 +363,7 @@ def test_V6AclRuleIPv6Any(self, dvs, testlog): hmset ACL_RULE|test-aclv6|test_rule1 priority 1000 PACKET_ACTION FORWARD IPv6Any """ + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) @@ -348,7 +374,7 @@ def test_V6AclRuleIPv6Any(self, dvs, testlog): time.sleep(1) - test_acl_table_id = self.get_acl_table_id(dvs, adb) + test_acl_table_id = self.get_acl_table_id(dvs) # check acl table in asic db atbl = swsscommon.Table(adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY") @@ -389,6 +415,7 @@ def test_V6AclRuleIPv6AnyDrop(self, dvs, testlog): hmset ACL_RULE|test-aclv6|test_rule2 priority 1002 PACKET_ACTION DROP IPv6Any """ + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) @@ -399,7 +426,7 @@ def test_V6AclRuleIPv6AnyDrop(self, dvs, testlog): time.sleep(1) - test_acl_table_id = self.get_acl_table_id(dvs, adb) + test_acl_table_id = self.get_acl_table_id(dvs) # check acl table in asic db atbl = swsscommon.Table(adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY") @@ -440,6 +467,7 @@ def test_V6AclRuleIpProtocol(self, dvs, testlog): hmset ACL_RULE|test-aclv6|test_rule3 priority 1003 PACKET_ACTION DROP IP_PROTOCOL 6 """ + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) 
@@ -450,7 +478,7 @@ def test_V6AclRuleIpProtocol(self, dvs, testlog): time.sleep(1) - test_acl_table_id = self.get_acl_table_id(dvs, adb) + test_acl_table_id = self.get_acl_table_id(dvs) # check acl table in asic db atbl = swsscommon.Table(adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY") @@ -491,6 +519,7 @@ def test_V6AclRuleSrcIPv6(self, dvs, testlog): hmset ACL_RULE|test-aclv6|test_rule4 priority 1004 PACKET_ACTION DROP SRC_IPV6 2777::0/64 """ + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) @@ -501,7 +530,7 @@ def test_V6AclRuleSrcIPv6(self, dvs, testlog): time.sleep(1) - test_acl_table_id = self.get_acl_table_id(dvs, adb) + test_acl_table_id = self.get_acl_table_id(dvs) # check acl table in asic db atbl = swsscommon.Table(adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY") @@ -542,6 +571,7 @@ def test_V6AclRuleDstIPv6(self, dvs, testlog): hmset ACL_RULE|test-aclv6|test_rule5 priority 1005 PACKET_ACTION DROP DST_IPV6 2002::2/128 """ + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) @@ -552,7 +582,7 @@ def test_V6AclRuleDstIPv6(self, dvs, testlog): time.sleep(1) - test_acl_table_id = self.get_acl_table_id(dvs, adb) + test_acl_table_id = self.get_acl_table_id(dvs) # check acl table in asic db atbl = swsscommon.Table(adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY") @@ -593,6 +623,7 @@ def test_V6AclRuleL4SrcPort(self, dvs, testlog): hmset ACL_RULE|test-aclv6|test_rule6 priority 1006 PACKET_ACTION DROP L4_SRC_PORT 65000 """ + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) @@ -603,7 +634,7 @@ def test_V6AclRuleL4SrcPort(self, dvs, testlog): time.sleep(1) - test_acl_table_id = self.get_acl_table_id(dvs, adb) + test_acl_table_id = self.get_acl_table_id(dvs) # check acl table in asic db atbl = swsscommon.Table(adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY") 
@@ -644,6 +675,7 @@ def test_V6AclRuleL4DstPort(self, dvs, testlog): hmset ACL_RULE|test-aclv6|test_rule7 priority 1007 PACKET_ACTION DROP L4_DST_PORT 65001 """ + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) @@ -654,7 +686,7 @@ def test_V6AclRuleL4DstPort(self, dvs, testlog): time.sleep(1) - test_acl_table_id = self.get_acl_table_id(dvs, adb) + test_acl_table_id = self.get_acl_table_id(dvs) # check acl table in asic db atbl = swsscommon.Table(adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY") @@ -695,6 +727,7 @@ def test_V6AclRuleTCPFlags(self, dvs, testlog): hmset ACL_RULE|test-aclv6|test_rule8 priority 1008 PACKET_ACTION DROP TCP_FLAGS 0x7/0x3f """ + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) @@ -705,7 +738,7 @@ def test_V6AclRuleTCPFlags(self, dvs, testlog): time.sleep(1) - test_acl_table_id = self.get_acl_table_id(dvs, adb) + test_acl_table_id = self.get_acl_table_id(dvs) # check acl table in asic db atbl = swsscommon.Table(adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY") @@ -746,6 +779,7 @@ def test_V6AclRuleL4SrcPortRange(self, dvs, testlog): hmset ACL_RULE|test-aclv6|test_rule9 priority 1009 PACKET_ACTION DROP L4_SRC_PORT_RANGE 1-100 """ + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) @@ -756,7 +790,7 @@ def test_V6AclRuleL4SrcPortRange(self, dvs, testlog): time.sleep(1) - test_acl_table_id = self.get_acl_table_id(dvs, adb) + test_acl_table_id = self.get_acl_table_id(dvs) # check acl table in asic db atbl = swsscommon.Table(adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY") 
@@ -811,6 +845,7 @@ def test_V6AclRuleL4DstPortRange(self, dvs, testlog): hmset ACL_RULE|test-aclv6|test_rule10 priority 1010 PACKET_ACTION DROP L4_DST_PORT_RANGE 101-200 """ + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) @@ -821,7 +856,7 @@ def test_V6AclRuleL4DstPortRange(self, dvs, testlog): time.sleep(1) - test_acl_table_id = self.get_acl_table_id(dvs, adb) + test_acl_table_id = self.get_acl_table_id(dvs) # check acl table in asic db atbl = swsscommon.Table(adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY") @@ -873,6 +908,7 @@ def test_V6AclRuleL4DstPortRange(self, dvs, testlog): def test_V6AclTableDeletion(self, dvs, testlog): + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) @@ -903,6 +939,7 @@ def check_rule_existence(self, entry, rules, verifs): return False def test_InsertAclRuleBetweenPriorities(self, dvs, testlog): + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) @@ -1001,6 +1038,7 @@ def test_InsertAclRuleBetweenPriorities(self, dvs, testlog): assert len(keys) >= 1 def test_RulesWithDiffMaskLengths(self, dvs, testlog): + self.setup_db(dvs) db = swsscommon.DBConnector(4, dvs.redis_sock, 0) adb = swsscommon.DBConnector(1, dvs.redis_sock, 0) 
@@ -1084,3 +1122,87 @@ def test_RulesWithDiffMaskLengths(self, dvs, testlog): atbl = swsscommon.Table(adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_TABLE") keys = atbl.getKeys() assert len(keys) >= 1 + + def create_acl_rule(self, table, rule, field, value): + tbl = swsscommon.Table(self.cdb, "ACL_RULE") + fvs = swsscommon.FieldValuePairs([("priority", "666"), + ("PACKET_ACTION", "FORWARD"), + (field, value)]) + tbl.set(table + "|" + rule, fvs) + time.sleep(1) + + def remove_acl_rule(self, table, rule): + tbl = swsscommon.Table(self.cdb, "ACL_RULE") + tbl._del(table + "|" + rule) + time.sleep(1) + + def verify_acl_rule(self, dvs, field, value): + acl_table_id = self.get_acl_table_id(dvs) + + tbl = swsscommon.Table(self.adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY") + acl_entries = [k for k in tbl.getKeys() if k not in dvs.asicdb.default_acl_entries] + assert len(acl_entries) == 1 + + (status, fvs) = tbl.get(acl_entries[0]) + assert status == True + assert len(fvs) == 6 + for fv in fvs: + if fv[0] == "SAI_ACL_ENTRY_ATTR_TABLE_ID": + assert fv[1] == acl_table_id + elif fv[0] == "SAI_ACL_ENTRY_ATTR_ADMIN_STATE": + assert fv[1] == "true" + elif fv[0] == "SAI_ACL_ENTRY_ATTR_PRIORITY": + assert fv[1] == "666" + elif fv[0] == "SAI_ACL_ENTRY_ATTR_ACTION_COUNTER": + assert True + elif fv[0] == "SAI_ACL_ENTRY_ATTR_ACTION_PACKET_ACTION": + assert fv[1] == "SAI_PACKET_ACTION_FORWARD" + elif fv[0] == field: + assert fv[1] == value + else: + assert False + + + def test_AclRuleIcmp(self, dvs, testlog): + self.setup_db(dvs) + + acl_table = "TEST_TABLE" + acl_rule = "TEST_RULE" + + self.create_acl_table(acl_table, "L3", ["Ethernet0", "Ethernet4"]) + + self.create_acl_rule(acl_table, acl_rule, "ICMP_TYPE", "8") + + self.verify_acl_rule(dvs, "SAI_ACL_ENTRY_ATTR_FIELD_ICMP_TYPE", "8&mask:0xff") + + self.remove_acl_rule(acl_table, acl_rule) + + self.create_acl_rule(acl_table, acl_rule, "ICMP_CODE", "9") + + self.verify_acl_rule(dvs, "SAI_ACL_ENTRY_ATTR_FIELD_ICMP_CODE", "9&mask:0xff") + + 
self.remove_acl_rule(acl_table, acl_rule) + + self.remove_acl_table(acl_table) + + def test_AclRuleIcmpV6(self, dvs, testlog): + self.setup_db(dvs) + + acl_table = "TEST_TABLE" + acl_rule = "TEST_RULE" + + self.create_acl_table(acl_table, "L3V6", ["Ethernet0", "Ethernet4"]) + + self.create_acl_rule(acl_table, acl_rule, "ICMPV6_TYPE", "8") + + self.verify_acl_rule(dvs, "SAI_ACL_ENTRY_ATTR_FIELD_ICMPV6_TYPE", "8&mask:0xff") + + self.remove_acl_rule(acl_table, acl_rule) + + self.create_acl_rule(acl_table, acl_rule, "ICMPV6_CODE", "9") + + self.verify_acl_rule(dvs, "SAI_ACL_ENTRY_ATTR_FIELD_ICMPV6_CODE", "9&mask:0xff") + + self.remove_acl_rule(acl_table, acl_rule) + + self.remove_acl_table(acl_table)
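Review bot: `test_AclRuleIcmp` and `test_AclRuleIcmpV6` exercise only the accepted path, so the rejections this patch adds (ICMPv6 keys on an L3 table, ICMPv4 keys on L3V6, and the mirror equivalents) are never run. A regression that lets a wrong-family key through would go unnoticed. A negative case per table type, as sketched below for L3, would pin the behaviour, assuming a rejected rule is never written to ASIC_DB. An out-of-range value (for example "256", a constructed sample) is worth a similar case once the parser's behaviour for it is decided. `verify_acl_rule`'s `assert True` branch for the counter attribute checks nothing and could be a plain `pass`.

```python
    def test_AclRuleIcmpRejectedOnWrongTable(self, dvs, testlog):
        self.setup_db(dvs)

        acl_table = "TEST_TABLE"
        acl_rule = "TEST_RULE"

        self.create_acl_table(acl_table, "L3", ["Ethernet0", "Ethernet4"])

        # An ICMPv6 key on a v4 table must be refused: no entry may reach ASIC_DB.
        self.create_acl_rule(acl_table, acl_rule, "ICMPV6_TYPE", "8")

        tbl = swsscommon.Table(self.adb, "ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY")
        acl_entries = [k for k in tbl.getKeys() if k not in dvs.asicdb.default_acl_entries]
        assert len(acl_entries) == 0

        self.remove_acl_rule(acl_table, acl_rule)
        self.remove_acl_table(acl_table)
```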