[ACL] Add support to match on Tunnel Termination (sonic-net#3320)
* [ACL] Add support to match on Tunnel Termination
Add support to match an ACL rule on Tunnel Termination Flag.
Added UT and verified create_acl_entry with this attribute is working properly
vivekrnv authored and divyachandralekha committed Dec 12, 2024
1 parent c9e7650 commit 473a25a
Showing 3 changed files with 63 additions and 4 deletions.
7 changes: 6 additions & 1 deletion orchagent/aclorch.cpp
Expand Up @@ -75,7 +75,8 @@ acl_rule_attr_lookup_t aclMatchLookup =
{ MATCH_INNER_L4_SRC_PORT, SAI_ACL_ENTRY_ATTR_FIELD_INNER_L4_SRC_PORT },
{ MATCH_INNER_L4_DST_PORT, SAI_ACL_ENTRY_ATTR_FIELD_INNER_L4_DST_PORT },
{ MATCH_BTH_OPCODE, SAI_ACL_ENTRY_ATTR_FIELD_BTH_OPCODE},
{ MATCH_AETH_SYNDROME, SAI_ACL_ENTRY_ATTR_FIELD_AETH_SYNDROME}
{ MATCH_AETH_SYNDROME, SAI_ACL_ENTRY_ATTR_FIELD_AETH_SYNDROME},
{ MATCH_TUNNEL_TERM, SAI_ACL_ENTRY_ATTR_FIELD_TUNNEL_TERMINATED}
};

static acl_range_type_lookup_t aclRangeTypeLookup =
Expand Down Expand Up @@ -808,6 +809,10 @@ bool AclRule::validateAddMatch(string attr_name, string attr_value)
{
return false;
}
else if (attr_name == MATCH_TUNNEL_TERM)
{
matchData.data.booldata = (attr_name == "true");
}
else if (attr_name == MATCH_IN_PORTS)
{
auto ports = tokenize(attr_value, ',');
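Review bot: In the new `MATCH_TUNNEL_TERM` branch of `AclRule::validateAddMatch`, `matchData.data.booldata = (attr_name == "true");` compares the attribute name instead of its value, and since this branch is only reached when `attr_name == MATCH_TUNNEL_TERM` the result is always false. A rule configured with `TUNNEL_TERM` set to `"true"` would therefore be programmed to match non-terminated traffic, so a drop rule intended for decapsulated packets would not apply to them and would hit other traffic instead. The line should read `matchData.data.booldata = (attr_value == "true");`. It would also be safer to return false when `attr_value` is neither `"true"` nor `"false"`, so a typo in the configuration is rejected rather than silently treated as false. The body of `validateAddMatch` starts and ends outside this hunk.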
1 change: 1 addition & 0 deletions orchagent/aclorch.h
Expand Up @@ -52,6 +52,7 @@
#define MATCH_INNER_L4_DST_PORT "INNER_L4_DST_PORT"
#define MATCH_BTH_OPCODE "BTH_OPCODE"
#define MATCH_AETH_SYNDROME "AETH_SYNDROME"
#define MATCH_TUNNEL_TERM "TUNNEL_TERM"

#define BIND_POINT_TYPE_PORT "PORT"
#define BIND_POINT_TYPE_PORTCHANNEL "PORTCHANNEL"
59 changes: 56 additions & 3 deletions tests/mock_tests/aclorch_ut.cpp
Expand Up @@ -1414,6 +1414,7 @@ namespace aclorch_test
// Table not created without table type
ASSERT_FALSE(orch->getAclTable(aclTableName));

auto matches = string(MATCH_SRC_IP) + comma + MATCH_ETHER_TYPE + comma + MATCH_L4_SRC_PORT_RANGE + comma + MATCH_BTH_OPCODE + comma + MATCH_AETH_SYNDROME + comma + MATCH_TUNNEL_TERM;
orch->doAclTableTypeTask(
deque<KeyOpFieldsValuesTuple>(
{
Expand All @@ -1423,7 +1424,7 @@ namespace aclorch_test
{
{
ACL_TABLE_TYPE_MATCHES,
string(MATCH_SRC_IP) + comma + MATCH_ETHER_TYPE + comma + MATCH_L4_SRC_PORT_RANGE + comma + MATCH_BTH_OPCODE + comma + MATCH_AETH_SYNDROME
matches
},
{
ACL_TABLE_TYPE_BPOINT_TYPES,
Expand All @@ -1447,6 +1448,7 @@ namespace aclorch_test
{ "SAI_ACL_TABLE_ATTR_FIELD_ACL_RANGE_TYPE", "1:SAI_ACL_RANGE_TYPE_L4_SRC_PORT_RANGE" },
{ "SAI_ACL_TABLE_ATTR_FIELD_BTH_OPCODE", "true" },
{ "SAI_ACL_TABLE_ATTR_FIELD_AETH_SYNDROME", "true" },
{ "SAI_ACL_TABLE_ATTR_FIELD_TUNNEL_TERMINATED", "true" },
};

ASSERT_TRUE(validateAclTable(
Expand Down Expand Up @@ -1563,18 +1565,69 @@ namespace aclorch_test

ASSERT_FALSE(orch->getAclRule(aclTableName, aclRuleName));

orch->doAclTableTypeTask(
// Verify ACL_RULE with TUNN_TERM attribute
orch->doAclRuleTask(
deque<KeyOpFieldsValuesTuple>(
{
{
aclTableTypeName,
aclTableName + "|" + "TUNN_TERM_RULE0",
SET_COMMAND,
{
{ MATCH_SRC_IP, "1.1.1.1/32" },
{ ACTION_PACKET_ACTION, PACKET_ACTION_DROP },
{ MATCH_TUNNEL_TERM, "true" }
}
},
{
aclTableName + "|" + "TUNN_TERM_RULE1",
SET_COMMAND,
{
{ MATCH_SRC_IP, "2.1.1.1/32" },
{ ACTION_PACKET_ACTION, PACKET_ACTION_DROP },
{ MATCH_TUNNEL_TERM, "false" }
}
}
}
)
);

// Verify if the rules are created
ASSERT_TRUE(orch->getAclRule(aclTableName, "TUNN_TERM_RULE0"));
ASSERT_TRUE(orch->getAclRule(aclTableName, "TUNN_TERM_RULE1"));

orch->doAclRuleTask(
deque<KeyOpFieldsValuesTuple>(
{
{
aclTableName + "|" + "TUNN_TERM_RULE0",
DEL_COMMAND,
{}
},
{
aclTableName + "|" + "TUNN_TERM_RULE1",
DEL_COMMAND,
{}
}
}
)
);

// Make sure the rules are deleted
ASSERT_FALSE(orch->getAclRule(aclTableName, "TUNN_TERM_RULE0"));
ASSERT_FALSE(orch->getAclRule(aclTableName, "TUNN_TERM_RULE1"));

orch->doAclTableTypeTask(
deque<KeyOpFieldsValuesTuple>(
{
{
aclTableTypeName,
DEL_COMMAND,
{}
}
}
)
);

// Table still exists
ASSERT_TRUE(orch->getAclTable(aclTableName));
ASSERT_FALSE(orch->getAclTableType(aclTableTypeName));
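Review bot: The new `TUNN_TERM_RULE0` and `TUNN_TERM_RULE1` cases only assert that `getAclRule` finds the rules, so they pass whatever boolean ends up in the ACL entry, and the `"true"` and `"false"` rules are indistinguishable to this test. Add an assertion on the value programmed for `SAI_ACL_ENTRY_ATTR_FIELD_TUNNEL_TERMINATED` for each rule, in the same spirit as the table attributes checked through `validateAclTable` earlier in this file. That check would have caught the `attr_name == "true"` comparison in `validateAddMatch`. A negative case with a value that is neither `"true"` nor `"false"` would also pin down how malformed input is handled. The enclosing test body starts and ends outside these hunks.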
