Check all rules in table until we find one with a SRC_IP

sonic-net · Jun 5, 2018 · 250155c · 250155c
1 parent f20bff2
commit 250155c
Showing 1 changed file with 17 additions and 11 deletions.
diff --git a/files/image_config/caclmgrd/caclmgrd b/files/image_config/caclmgrd/caclmgrd
@@ -155,6 +155,23 @@ class ControlPlaneAclManager(object):
                     if rule_table_name == table_name:
                         acl_rules[rule_props["PRIORITY"]] = rule_props
 
+                        # If we haven't determined the IP version for this ACL table yet,
+                        # try to do it now. We determine heuristically based on whether the
+                        # src IP is an IPv4 or IPv6 address.
+                        if not table_ip_version and "SRC_IP" in rule_props and rule_props["SRC_IP"]:
+                            ip_addr = ipaddress.IPAddress(rule_props["SRC_IP"].split("/")[0])
+                            if isinstance(ip_addr, ipaddress.IPv6Address):
+                                table_ip_version = 6
+                            elif isinstance(ip_addr, ipaddress.IPv4Address):
+                                table_ip_version = 4
+
+                # If we were unable to determine whether this ACL table contains
+                # IPv4 or IPv6 rules, log a message and skip processing this table.
+                if not table_ip_version:
+                    log_warning("Unable to determine if ACL table '{}' contains IPv4 or IPv6 rules. Skipping table..."
+                            .format(table_name))
+                    continue
+
                 # For each ACL rule in this table (in descending order of priority)
                 for priority in sorted(acl_rules.iterkeys(), reverse=True):
                     rule_props = acl_rules[priority]
@@ -163,17 +180,6 @@ class ControlPlaneAclManager(object):
                         log_error("ACL rule does not contain PACKET_ACTION property")
                         continue
 
-                    # If we haven't determined the IP version for this ACL table yet,
-                    # do it now. We determine heuristically based on whether the
-                    # src IP is a v4 or v6 address.
-                    if not table_ip_version:
-                        if "SRC_IP" in rule_props and rule_props["SRC_IP"]:
-                            ip_addr = ipaddress.IPAddress(rule_props["SRC_IP"].split("/")[0])
-                            if isinstance(ip_addr, ipaddress.IPv6Address):
-                                table_ip_version = 6
-                            else:
-                                table_ip_version = 4
-
                     # Apply the rule to the default protocol(s) for this ACL service
                     for ip_protocol in ip_protocols:
                         for dst_port in dst_ports: