From f650a3bdbf308c0718b9fa6714a9d7058e590584 Mon Sep 17 00:00:00 2001
From: Vivek
Date: Tue, 12 Nov 2024 10:32:57 -0800
Subject: [PATCH] [ACL] Add support to match on Tunnel Termination (#3320)
* [ACL] Add support to match on Tunnel Termination
Add support to match an ACL rule on Tunnel Termination Flag. Added UT and verified create_acl_entry with this attribute is working properly
---
 orchagent/aclorch.cpp | 7 +++-
 orchagent/aclorch.h | 1 +
 tests/mock_tests/aclorch_ut.cpp | 59 +++++++++++++++++++++++++++++++--
 3 files changed, 63 insertions(+), 4 deletions(-)
diff --git a/orchagent/aclorch.cpp b/orchagent/aclorch.cpp
index 8e43a66db3..d3536719fb 100644
--- a/orchagent/aclorch.cpp
+++ b/orchagent/aclorch.cpp
@@ -75,7 +75,8 @@ acl_rule_attr_lookup_t aclMatchLookup =
 { MATCH_INNER_L4_SRC_PORT, SAI_ACL_ENTRY_ATTR_FIELD_INNER_L4_SRC_PORT },
 { MATCH_INNER_L4_DST_PORT, SAI_ACL_ENTRY_ATTR_FIELD_INNER_L4_DST_PORT },
 { MATCH_BTH_OPCODE, SAI_ACL_ENTRY_ATTR_FIELD_BTH_OPCODE},
- { MATCH_AETH_SYNDROME, SAI_ACL_ENTRY_ATTR_FIELD_AETH_SYNDROME}
+ { MATCH_AETH_SYNDROME, SAI_ACL_ENTRY_ATTR_FIELD_AETH_SYNDROME},
+ { MATCH_TUNNEL_TERM, SAI_ACL_ENTRY_ATTR_FIELD_TUNNEL_TERMINATED}
 };
 static acl_range_type_lookup_t aclRangeTypeLookup =
@@ -808,6 +809,10 @@ bool AclRule::validateAddMatch(string attr_name, string attr_value)
 {
 return false;
 }
+ else if (attr_name == MATCH_TUNNEL_TERM)
+ {
+ matchData.data.booldata = (attr_name == "true");
+ }
 else if (attr_name == MATCH_IN_PORTS)
 {
 auto ports = tokenize(attr_value, ',');
diff --git a/orchagent/aclorch.h b/orchagent/aclorch.h
index 6c0246ce4a..4dcc450173 100644
--- a/orchagent/aclorch.h
+++ b/orchagent/aclorch.h
@@ -52,6 +52,7 @@
 #define MATCH_INNER_L4_DST_PORT "INNER_L4_DST_PORT"
 #define MATCH_BTH_OPCODE "BTH_OPCODE"
 #define MATCH_AETH_SYNDROME "AETH_SYNDROME"
+#define MATCH_TUNNEL_TERM "TUNNEL_TERM"
 #define BIND_POINT_TYPE_PORT "PORT"
 #define BIND_POINT_TYPE_PORTCHANNEL "PORTCHANNEL"
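Review bot: In the new `MATCH_TUNNEL_TERM` branch of `AclRule::validateAddMatch`, `matchData.data.booldata = (attr_name == "true");` compares the attribute name, which in this branch equals `MATCH_TUNNEL_TERM`, so the flag is always stored as false whatever value the rule was configured with. A rule written with `TUNNEL_TERM` set to "true" would therefore be programmed with the opposite value, and its drop or forward action would presumably apply to a different class of packets than the operator intended. The assignment should read `matchData.data.booldata = (attr_value == "true");`. Any value other than "true" is also silently taken as false; a guard such as `if (attr_value != "true" && attr_value != "false") return false;` ahead of the assignment would reject malformed configuration instead. The body of `validateAddMatch` starts and ends outside this hunk.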
diff --git a/tests/mock_tests/aclorch_ut.cpp b/tests/mock_tests/aclorch_ut.cpp
index 351d523219..da4f7bffab 100644
--- a/tests/mock_tests/aclorch_ut.cpp
+++ b/tests/mock_tests/aclorch_ut.cpp
@@ -1414,6 +1414,7 @@ namespace aclorch_test
 // Table not created without table type
 ASSERT_FALSE(orch->getAclTable(aclTableName));
+ auto matches = string(MATCH_SRC_IP) + comma + MATCH_ETHER_TYPE + comma + MATCH_L4_SRC_PORT_RANGE + comma + MATCH_BTH_OPCODE + comma + MATCH_AETH_SYNDROME + comma + MATCH_TUNNEL_TERM;
 orch->doAclTableTypeTask(
 deque(
 {
@@ -1423,7 +1424,7 @@ namespace aclorch_test
 {
 {
 ACL_TABLE_TYPE_MATCHES,
- string(MATCH_SRC_IP) + comma + MATCH_ETHER_TYPE + comma + MATCH_L4_SRC_PORT_RANGE + comma + MATCH_BTH_OPCODE + comma + MATCH_AETH_SYNDROME
+ matches
 },
 {
 ACL_TABLE_TYPE_BPOINT_TYPES,
@@ -1447,6 +1448,7 @@ namespace aclorch_test
 { "SAI_ACL_TABLE_ATTR_FIELD_ACL_RANGE_TYPE", "1:SAI_ACL_RANGE_TYPE_L4_SRC_PORT_RANGE" },
 { "SAI_ACL_TABLE_ATTR_FIELD_BTH_OPCODE", "true" },
 { "SAI_ACL_TABLE_ATTR_FIELD_AETH_SYNDROME", "true" },
+ { "SAI_ACL_TABLE_ATTR_FIELD_TUNNEL_TERMINATED", "true" },
 };
 ASSERT_TRUE(validateAclTable(
@@ -1563,11 +1565,46 @@ namespace aclorch_test ASSERT_FALSE(orch->getAclRule(aclTableName, aclRuleName)); - orch->doAclTableTypeTask( + // Verify ACL_RULE with TUNN_TERM attribute + orch->doAclRuleTask( deque( { { - aclTableTypeName, + aclTableName + "|" + "TUNN_TERM_RULE0", + SET_COMMAND, + { + { MATCH_SRC_IP, "1.1.1.1/32" }, + { ACTION_PACKET_ACTION, PACKET_ACTION_DROP }, + { MATCH_TUNNEL_TERM, "true" } + } + }, + { + aclTableName + "|" + "TUNN_TERM_RULE1", + SET_COMMAND, + { + { MATCH_SRC_IP, "2.1.1.1/32" }, + { ACTION_PACKET_ACTION, PACKET_ACTION_DROP }, + { MATCH_TUNNEL_TERM, "false" } + } + } + } + ) + ); + + // Verify if the rules are created + ASSERT_TRUE(orch->getAclRule(aclTableName, "TUNN_TERM_RULE0")); + ASSERT_TRUE(orch->getAclRule(aclTableName, "TUNN_TERM_RULE1")); + + orch->doAclRuleTask( + deque( + { + { + aclTableName + "|" + "TUNN_TERM_RULE0", + DEL_COMMAND, + {} + }, + { + aclTableName + "|" + "TUNN_TERM_RULE1", DEL_COMMAND, {} } @@ -1575,6 +1612,22 @@ namespace aclorch_test ) ); + // Make sure the rules are deleted + ASSERT_FALSE(orch->getAclRule(aclTableName, "TUNN_TERM_RULE0")); + ASSERT_FALSE(orch->getAclRule(aclTableName, "TUNN_TERM_RULE1")); + + orch->doAclTableTypeTask( + deque( + { + { + aclTableTypeName, + DEL_COMMAND, + {} + } + } + ) + ); + // Table still exists ASSERT_TRUE(orch->getAclTable(aclTableName)); ASSERT_FALSE(orch->getAclTableType(aclTableTypeName));
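Review bot: The new `TUNN_TERM_RULE0` / `TUNN_TERM_RULE1` checks only assert that `getAclRule` returns each rule, so they pass whatever boolean ends up stored for `MATCH_TUNNEL_TERM`. Because `validateAddMatch` in this same patch compares `attr_name` with "true", both rules would carry false and the test would still succeed. Each rule should also be checked for the value programmed for `SAI_ACL_ENTRY_ATTR_FIELD_TUNNEL_TERMINATED` (true for RULE0, false for RULE1). If the validator is tightened to reject other strings, a negative case with a constructed invalid value such as `{ MATCH_TUNNEL_TERM, "maybe" }` would cover that path. The enclosing test function starts before this hunk and continues past it.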