[aclorch] Add ACL_TABLE_TYPE configuration (sonic-net#1982)
* [aclorch] Add ACL_TABLE_TYPE configuration

Added an API to create a table with configurable ACL table type
(matches, bpoints, actions). Implemented a handler for new
ACL_TABLE_TYPE CONFIG DB table.

Implemented UT for the above.

HLD: sonic-net/SONiC#867

DEPENDS ON: sonic-net/sonic-swss-common#546 sonic-net/sonic-sairedis#957

I implemented the ACL table type concept. Until this change, there are predefined ACL table types orchagent knows about (L3, L3V6, etc.), and if another orch requires a custom table, a new table type needs to be defined in aclorch.
This PR addresses this limitation by introducing AclTableType, which can be constructed from the set of matches, actions and bpoint types the user needs. There is also a new handler for the ACL_TABLE_TYPE table, which is used for the user to define table types.
Currently, some of the built-in ACL table types that require special handling are distinguished from others by their names (TABLE_TYPE_MIRROR, TABLE_TYPE_MIRRORV6), and the special handling is performed by AclOrch.

Signed-off-by: Stepan Blyshchak <stepanb@nvidia.com>
stepanblyschak authored Nov 23, 2021
1 parent 59cab5d commit bb0733a
Showing 18 changed files with 1,673 additions and 1,214 deletions.
40 changes: 40 additions & 0 deletions doc/Configuration.md
Expand Up @@ -286,6 +286,46 @@ and migration plan
```

***ACL table type configuration example***
```
{
"ACL_TABLE_TYPE": {
"CUSTOM_L3": {
"MATCHES": [
"IN_PORTS",
"OUT_PORTS",
"SRC_IP"
],
"ACTIONS": [
"PACKET_ACTION",
"MIRROR_INGRESS_ACTION"
],
"BIND_POINTS": [
"PORT",
"LAG"
]
}
},
"ACL_TABLE": {
"DATAACL": {
"STAGE": "INGRESS",
"TYPE": "CUSTOM_L3",
"PORTS": [
"Ethernet0",
"PortChannel1"
]
}
},
"ACL_RULE": {
"DATAACL|RULE0": {
"PRIORITY": "999",
"PACKET_ACTION": "DROP",
"SRC_IP": "1.1.1.1/32",
}
}
}
```

### BGP Sessions

BGP session configuration is defined in **BGP_NEIGHBOR** table. BGP
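Review bot: the ACL_RULE entry in the new example carries a trailing comma after `"SRC_IP": "1.1.1.1/32",`, which makes the snippet invalid JSON and will be rejected if a reader pastes it into config_db.json; drop the comma. It would also help to add one sentence saying that `TYPE` in ACL_TABLE must name either a built-in type or a key of ACL_TABLE_TYPE (here `CUSTOM_L3`), so the link between the two tables is explicit rather than inferred from the example.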
24 changes: 23 additions & 1 deletion doc/swss-schema.md
Expand Up @@ -569,15 +569,37 @@ It's possible to create separate configuration files for different ASIC platform

----------------------------------------------

### ACL\_TABLE\_TYPE
Stores a definition of table - set of matches, actions and bind point types. ACL_TABLE references a key inside this table in "type" field.

```
key: ACL_TABLE_TYPE:name ; key of the ACL table type entry. The name is arbitary name user chooses.
; field = value
matches = match-list ; list of matches for this table, matches are same as in ACL_RULE table.
actions = action-list ; list of actions for this table, actions are same as in ACL_RULE table.
bind_points = bind-points-list ; list of bind point types for this table.
; values annotation
match = 1*64VCHAR
match-list = [1-max-matches]*match
action = 1*64VCHAR
action-list = [1-max-actions]*action
bind-point = port/lag
bind-points-list = [1-max-bind-points]*bind-point
```

### ACL\_TABLE
Stores information about ACL tables on the switch. Port names are defined in [port_config.ini](../portsyncd/port_config.ini).

key = ACL_TABLE:name ; acl_table_name must be unique
;field = value
policy_desc = 1*255VCHAR ; name of the ACL policy table description
type = "mirror"/"l3"/"l3v6" ; type of acl table, every type of
type = 1*255VCHAR ; type of acl table, every type of
; table defines the match/action a
; specific set of match and actions.
; There are pre-defined table types like
; "MIRROR", "MIRRORV6", "MIRROR_DSCP",
; "L3", "L3V6", "MCLAG", "PFCWD", "DROP".
ports = [0-max_ports]*port_name ; the ports to which this ACL
; table is applied, can be emtry
; value annotations
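Review bot: the new ACL_TABLE_TYPE block writes its key as `key: ACL_TABLE_TYPE:name` while the ACL_TABLE block right below uses `key = ACL_TABLE:name`; match that form so the schema reads consistently. In the same block, "arbitary" should be "arbitrary", and the bind-point values are listed as `port/lag` while the Configuration.md example in this commit uses `PORT` and `LAG`; state the case that is actually accepted. Finally, the schema says matches and actions are "same as in ACL_RULE table" but does not say how a name outside that set is treated (entry rejected vs. silently ignored); a short sentence on that would tell users whether a typo in a table type shows up as an error or as a table that quietly matches less than intended.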
