From 023a5b9714c8d2c41ab4469beae3569c0e43933a Mon Sep 17 00:00:00 2001 From: Shuotian Cheng Date: Mon, 12 Jun 2017 21:22:46 -0700 Subject: [PATCH] [sonic-cfggen]: translate_acl tool adds TCP mask (#697) In orchagent, the TCP_FLAGS expects both value and mask as the input. Right now, translate_acl tool only support one TCP flag and generate the ACL with both value and mask equal to the flag. This rule will match packets that have this specific flag set regardless of the other flags. --- .../sample_output/rules_for_dataacl.json | 9 +++ .../tests/t0-sample-acl.json | 62 +++++++++++++------ src/sonic-config-engine/translate_acl | 2 +- 3 files changed, 52 insertions(+), 21 deletions(-) diff --git a/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json b/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json index 9fd0199c4cf2..48fa240c9dc6 100644 --- a/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json +++ b/src/sonic-config-engine/tests/sample_output/rules_for_dataacl.json @@ -25,5 +25,14 @@ "priority":9998 }, "OP":"SET" + }, + { + "ACL_RULE_TABLE:dataacl:Rule_4":{ + "IP_PROTOCOL":6, + "PACKET_ACTION":"FORWARD", + "TCP_FLAGS":"0x10/0x10", + "priority":9996 + }, + "OP":"SET" } ] \ No newline at end of file diff --git a/src/sonic-config-engine/tests/t0-sample-acl.json b/src/sonic-config-engine/tests/t0-sample-acl.json index e04971e5f2ec..4157a1701b60 100644 --- a/src/sonic-config-engine/tests/t0-sample-acl.json +++ b/src/sonic-config-engine/tests/t0-sample-acl.json @@ -10,55 +10,77 @@ "config": { "forwarding-action": "ACCEPT" } - }, + }, "config": { "sequence-id": 1 - }, + }, "ip": { "config": { - "protocol": "IP_UDP", + "protocol": "IP_UDP", "source-ip-address": "10.0.0.0/8" } } - }, + }, "2": { "actions": { "config": { "forwarding-action": "ACCEPT" } - }, + }, "config": { "sequence-id": 2 - }, + }, "ip": { "config": { - "protocol": "IP_UDP", + "protocol": "IP_UDP", "source-ip-address": "100.64.0.0/10" } } - }, + }, "3": { "actions": { "config": { "forwarding-action": "ACCEPT" } - }, + }, "config": { "sequence-id": 3 - }, + }, "ip": { "config": { - "protocol": "IP_UDP", + "protocol": "IP_UDP", "source-ip-address": "25.0.0.0/8" } } + }, + "4": { + "actions": { + "config": { + "forwarding-action": "ACCEPT" + } + }, + "config": { + "sequence-id": 4 + }, + "ip": { + "config": { + "protocol": "IP_TCP" + } + }, + "transport": { + "config": { + "tcp-flags": [ + "TCP_ACK" + ] + } + } } } - }, + }, "config": { "name": "dataacl" } - }, + }, "everflow": { "acl-entries": { "acl-entry": { @@ -67,26 +89,26 @@ "config": { "forwarding-action": "ACCEPT" } - }, + }, "config": { "sequence-id": 1 - }, + }, "ip": { "config": { - "destination-ip-address": "127.0.0.1/32", - "protocol": "IP_TCP", + "destination-ip-address": "127.0.0.1/32", + "protocol": "IP_TCP", "source-ip-address": "127.0.0.1/32" } - }, + }, "transport": { "config": { - "destination-port": "0", + "destination-port": "0", "source-port": "0" } } } } - }, + }, "config": { "name": "everflow" } diff --git a/src/sonic-config-engine/translate_acl b/src/sonic-config-engine/translate_acl index 6ee89cfd4612..584db7b64488 100755 --- a/src/sonic-config-engine/translate_acl +++ b/src/sonic-config-engine/translate_acl @@ -97,7 +97,7 @@ def generate_rule_json(table_name, rule, max_priority, mirror): if flag == "TCP_CWR": tcp_flags = tcp_flags | 0x80 if tcp_flags != 0x00: - rule_props["TCP_FLAGS"] = '0x{:02x}'.format(tcp_flags) + rule_props["TCP_FLAGS"] = '0x{:02x}/0x{:02x}'.format(tcp_flags, tcp_flags) return rule_data def generate_table_json(aclset, aclname, ports, mirror, max_priority, output_path='.'):