Merge pull request #3311 from anarkiwi/multitunnelacl
Allow same tunnel ACL to be multiply applied
anarkiwi authored Oct 29, 2019
2 parents 1df1362 + 54107c3 commit 64ebec1
Showing 4 changed files with 54 additions and 10 deletions.
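--- a/faucet/acl.py
+++ b/faucet/acl.py
@@ -111,6 +111,7 @@ def __init__(self, _id, dp_id, conf):
 self.meter = False
 self.matches = {}
 self.set_fields = set()
+self._ports_resolved = False
 
 #TODO: Would be possible to save the names instead of the DP and port objects
 # TUNNEL:
@@ -151,6 +152,10 @@ def __init__(self, _id, dp_id, conf):
 conf['rules'].append(normalized_rule)
 super(ACL, self).__init__(_id, dp_id, conf)
 
+def finalize(self):
+self._ports_resolved = True
+super(ACL, self).finalize()
+
 def check_config(self):
 test_config_condition(
 not self.rules, 'no rules found for ACL %s' % self._id)
@@ -407,6 +412,8 @@ def _resolve_output_ports(self, action_conf, resolve_port_cb, resolve_tunnel_obj
 return result
 
 def resolve_ports(self, resolve_port_cb, resolve_tunnel_objects):
+if self._ports_resolved:
+return
 for rule_conf in self.rules:
 if 'actions' in rule_conf:
 actions_conf = rule_conf['actions']
@@ -429,6 +436,7 @@ def resolve_ports(self, resolve_port_cb, resolve_tunnel_objects):
 else:
 resolved_actions[action_name] = action_conf
 rule_conf['actions'] = resolved_actions
+self._ports_resolved = True
 
 
 # NOTE: 802.1x steals the port ACL table.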
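Review bot: `finalize()` sets `self._ports_resolved = True` unconditionally, so once an ACL has been finalized `resolve_ports()` returns at the new guard even if its rule actions were never resolved and still hold configured names instead of port or tunnel objects. Whether an ACL can reach `finalize()` unresolved is not visible in these hunks, but for a filtering control a silent no-op deserves a comment in `finalize`, e.g. `# A finalized ACL is treated as resolved; resolve_ports() is a no-op from here on.` The guard also means the `resolve_port_cb` and `resolve_tunnel_objects` of the first call decide the result everywhere the ACL is applied, and later callbacks are ignored; a docstring on `resolve_ports` should say that resolution happens once per ACL object. `__init__` and `resolve_ports` both extend beyond the lines shown.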
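--- a/faucet/conf.py
+++ b/faucet/conf.py
@@ -87,7 +87,8 @@ def _check_unknown_conf(self, conf):
 def _check_conf_types(self, conf, conf_types):
 """Check that conf value is of the correct type."""
 test_config_condition(not isinstance(conf, dict), (
-'Conf object must be type %s not %s' % (dict, type(conf))))
+'Conf object %s contents %s must be type %s not %s' % (
+self._id, conf, dict, type(conf))))
 for conf_key, conf_value in conf.items():
 test_config_condition(
 conf_key not in conf_types, '%s field unknown in %s (known types %s)' % (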
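Review bot: The new message interpolates the raw `conf` value with `%s`, and on this branch `conf` is by definition not a dict, so whatever the parser produced (a long string, a large list) lands in full in the exception text and in any log that records it. If configuration files can carry credentials or keys, that is also a path for them into logs. Bounding the value keeps the diagnostic benefit: `'Conf object %s contents %.100r must be type %s not %s' % (` with the argument line unchanged. `_check_conf_types` continues past the end of the hunk.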
10 changes: 1 addition & 9 deletions faucet/dp.py
Expand Up @@ -1156,22 +1156,19 @@ def verify_acl_exact_match(acls):
def resolve_acls():
"""Resolve config references in ACLs."""
# TODO: move this config validation to ACL object.
resolved = []
for vlan in self.vlans.values():
if vlan.acls_in:
acls = []
for acl in vlan.acls_in:
resolve_acl(acl, vid=vlan.vid)
acls.append(self.acls[acl])
resolved.append(acl)
vlan.acls_in = acls
verify_acl_exact_match(acls)
if vlan.acls_out:
acls = []
for acl in vlan.acls_out:
resolve_acl(acl, vid=vlan.vid)
acls.append(self.acls[acl])
resolved.append(acl)
vlan.acls_out = acls
verify_acl_exact_match(acls)
for port in self.ports.values():
Expand All @@ -1182,7 +1179,6 @@ def resolve_acls():
for acl in port.acls_in:
resolve_acl(acl, port_num=port.number)
acls.append(self.acls[acl])
resolved.append(acl)
port.acls_in = acls
verify_acl_exact_match(acls)

Expand All @@ -1192,7 +1188,6 @@ def resolve_acls():

for acl_name in acl_names:
resolve_acl(acl_name, port_num=port.number)
resolved.append(acl_name)

if port.dot1x_acl:
acl_names = [self.dot1x.get('auth_acl'),
Expand All @@ -1201,19 +1196,16 @@ def resolve_acls():
for acl_name in acl_names:
if self.acls.get(acl_name, None):
resolve_acl(acl_name, port_num=port.number)
resolved.append(acl_name)

if self.dp_acls:
acls = []
for acl in self.acls:
resolve_acl(acl, dp=self)
acls.append(self.acls[acl])
resolved.append(acl)
self.dp_acls = acls
for acl in self.acls:
if acl not in resolved and self.acls[acl].get_tunnel_rule_indices():
if self.acls[acl].get_tunnel_rule_indices():
resolve_acl(acl, None)
resolved.append(acl)
if self.tunnel_acls:
for tunnel_acl in self.tunnel_acls.values():
tunnel_acl.verify_tunnel_rules(self)
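Review bot: With the `resolved` list gone, `resolve_acl` runs once per application of an ACL, and again as `resolve_acl(acl, None)` in the final loop for every ACL that has tunnel rules, including ones already resolved against a port or VLAN. The only de-duplication visible in this commit is the `_ports_resolved` guard in `ACL.resolve_ports`; `resolve_acl` itself is defined outside these hunks, so anything else it does per call is presumably repeated and should be confirmed idempotent. A comment above the final loop would record that dependency, e.g. `# resolve_acl() may run several times per ACL; ACL.resolve_ports() returns early once resolved.` The positional `None` there also differs from the keyword form (`vid=`, `port_num=`, `dp=`) used at the other call sites.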
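--- a/tests/unit/faucet/test_config.py
+++ b/tests/unit/faucet/test_config.py
@@ -1189,6 +1189,49 @@ def test_tunnel_config_valid_accepted(self):
 """
 self.check_config_success(config, cp.dp_parser)
 
+def test_multiple_tunnel_acls(self):
+"""Test config success with same tunnel ACL multiply applied."""
+config = """
+acls:
+tunnel-acl:
+- rule:
+actions:
+output:
+tunnel: {type: 'vlan', tunnel_id: tunnelvlan, dp: sw2, port: 2}
+vlans:
+vlan100:
+vid: 100
+tunnelvlan:
+vid: 200
+reserved_internal_vlan: True
+dps:
+sw1:
+dp_id: 0x1
+stack:
+priority: 1
+interfaces:
+1:
+native_vlan: vlan100
+acls_in: [tunnel-acl]
+2:
+native_vlan: vlan100
+acls_in: [tunnel-acl]
+3:
+stack:
+dp: sw2
+port: 1
+sw2:
+dp_id: 0x2
+interfaces:
+1:
+stack:
+dp: sw1
+port: 3
+2:
+native_vlan: vlan100
+"""
+self.check_config_success(config, cp.dp_parser)
+
 def test_tunnel_id_by_vlan_name(self):
 """Test config success by referencing tunnel id by a vlan name"""
 config = """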
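Review bot: `test_multiple_tunnel_acls` asserts only that parsing succeeds via `check_config_success`, so it would still pass if the second application of `tunnel-acl` (port 2) ended up with an unresolved or different output action than the first. Since this commit makes `resolve_ports` return early on repeat calls, an assertion on the parsed result would pin the intended behaviour: the ACL attached to ports 1 and 2 of `sw1` carries the same resolved tunnel action. The config also covers only two port `acls_in` entries on one DP; a case mixing a VLAN ACL with a port ACL would exercise the other call sites changed in `faucet/dp.py`.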
