ACL Configuration High Level Design
Rev | Date | Author | Change Description |
---|---|---|---|
0.1 | | Oleksandr Ivantsiv | Initial version |
This document provides general information about the ACL configuration implementation in SONiC.
This document describes the high-level design of the ACL configuration.
The following diagram describes a top-level overview of the SONiC ACL configuration components:
https://github.com/Azure/SONiC/wiki/ACL-Configuration-Requirement-Description
Requirement | Implementation Phase | Release date | Comment |
---|---|---|---|
ACL full update | Phase 0 | 09.2017 | |
ACL incremental update | Phase 1 | 09.2017 | |
LAG/VLAN interface binds | Phase 2 | 10.2017 | Requirements should be clarified. Additional design session required. |
ACL rule and binding dynamic configuration through CLI | Phase 3 | | |
ACL and session configuration should be moved into Config DB. Orchagent should additionally subscribe to Config DB. All ACL and session configuration will be removed from APP DB. Mirror session state will remain in APP DB. Flows related to changing mirror session state will remain the same.
The schema is the same as it was in APP DB. The schema can be found here:
https://github.com/Azure/SONiC/wiki/ACL-High-Level-Design#31211-acl-tables-table
The schema is the same as it was in APP DB. The table name changed from PORT_MIRROR_TABLE to MIRROR_SESSION. The “src_ip”, “gre_type”, “dscp”, and “queue” fields in MIRROR_SESSION_TABLE will become optional. If an optional value is not specified, orchagent will fill it with a platform-dependent default. The schema can be found here:
https://github.com/Azure/SONiC/wiki/Everflow-High-Level-Design#3121-app-db-schema-reference
The schema is the same as it was in APP DB. The table name changed from ACL_RULE_TABLE to ACL_RULE. The schema can be found here:
https://github.com/Azure/SONiC/wiki/ACL-High-Level-Design#31212-acl-rules-table
Orchagent should subscribe to Config DB instead of APP DB. Since the DB schema remains the same, only the following changes are required:
- Add Config DB connector to OrchDaemon.
- Pass Config DB connector to AclOrch and EverflowOrch classes.
- Rename ACL_RULE_TABLE to ACL_RULE.
- Rename PORT_MIRROR_TABLE to MIRROR_SESSION.
- The “gre_type”, “dscp”, “ttl”, and “queue” fields in the MIRROR_SESSION table will become optional. If these fields are not specified in Config DB, orchagent will fill them with platform-dependent default values.
The minigraph parser should be extended to convert the ACL and mirroring configuration from the minigraph into the Config DB schema. The resulting Config DB content will be written to the /etc/sonic/config_db.json file together with the rest of the SONiC configuration.
ACL Loader is a tool that loads ACL rules from an ACL Definition File and translates them into the ConfigDB schema. It then either clears the corresponding ACL rule tables and writes the new rules into Config DB (full update), or compares them with the current values in Config DB and performs the corresponding additions, deletions and modifications (incremental update). In either scenario, it can be assumed that the ACL tables and mirror sessions have already been set up in Config DB, and rules that do not match any existing table can be ignored.
The ACL loader utility will be implemented based on translate_acl. The translate_acl utility will be removed.
acl-loader
```
Usage: acl-loader [OPTIONS] COMMAND [ARGS]...

  Utility to operate with ACL rule

Options:
  --help  Show this message and exit.

Commands:
  show table [<id>]           Print existing ACL tables.
  show session [<id>]         Print existing everflow sessions.
  show rule [<id>]            Print existing ACL rules.
  update full <file>          Install new ACL rules from file. This command will remove all existing ACL rules.
  update incremental <file>   Update ACL rules. This command will compare ACL rules from given file with existing and do
                              corresponding addition, deletion or modification.
```
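The full versus incremental planning logic described above, as an added example rather than code from the SONiC acl-loader itself. It runs against an in-memory stand-in for Config DB, assumes the "TABLE|key1|key2" key layout with a "|" separator, and uses constructed sample rules; the plan it returns makes visible that a full update deletes every existing rule before the new set is installed, which is the main operational difference between the two modes.

```python
# Added example, not SONiC's own acl-loader code. The Config DB key format
# "ACL_TABLE|<table>" / "ACL_RULE|<table>|<rule>" is assumed.

def acl_rule_key(table, rule):
    return f"ACL_RULE|{table}|{rule}"

def plan_update(current_db, new_rules, mode):
    """Return (to_add, to_delete, to_modify) as {config_db_key: fields}.

    current_db: {config_db_key: field dict} snapshot of Config DB
    new_rules:  {(table, rule): field dict} parsed from the ACL definition file
    mode:       "full" removes every existing rule first, "incremental" diffs
    Rules whose ACL table is not present in Config DB are ignored.
    """
    tables = {k.split("|", 1)[1] for k in current_db if k.startswith("ACL_TABLE|")}
    current = {k: v for k, v in current_db.items() if k.startswith("ACL_RULE|")}
    wanted = {acl_rule_key(t, r): f for (t, r), f in new_rules.items() if t in tables}
    if mode == "full":
        return dict(wanted), dict(current), {}
    if mode != "incremental":
        raise ValueError(f"unknown mode: {mode}")
    to_add = {k: f for k, f in wanted.items() if k not in current}
    to_delete = {k: f for k, f in current.items() if k not in wanted}
    to_modify = {k: f for k, f in wanted.items() if k in current and current[k] != f}
    return to_add, to_delete, to_modify

def apply_plan(current_db, plan):
    """Apply a plan to a copy of the DB snapshot; deletions run before adds."""
    to_add, to_delete, to_modify = plan
    db = {k: dict(v) for k, v in current_db.items()}
    for key in to_delete:
        db.pop(key, None)
    db.update(to_add)
    db.update(to_modify)
    return db

# Constructed sample Config DB content and definition-file rules (not real data).
SAMPLE_DB = {
    "ACL_TABLE|DATAACL": {"type": "L3", "ports": "Ethernet0"},
    "ACL_RULE|DATAACL|RULE_1": {"PRIORITY": "9999", "SRC_IP": "10.0.0.0/8", "PACKET_ACTION": "FORWARD"},
    "ACL_RULE|DATAACL|RULE_2": {"PRIORITY": "9998", "DST_IP": "192.168.1.0/24", "PACKET_ACTION": "DROP"},
}
NEW_RULES = {
    ("DATAACL", "RULE_1"): {"PRIORITY": "9999", "SRC_IP": "10.0.0.0/8", "PACKET_ACTION": "FORWARD"},
    ("DATAACL", "RULE_2"): {"PRIORITY": "9998", "DST_IP": "192.168.1.0/24", "PACKET_ACTION": "FORWARD"},
    ("DATAACL", "RULE_3"): {"PRIORITY": "9997", "L4_DST_PORT": "22", "PACKET_ACTION": "DROP"},
    ("NOSUCHTABLE", "RULE_1"): {"PRIORITY": "1", "PACKET_ACTION": "DROP"},  # table absent: ignored
}
```

Calling `plan_update(SAMPLE_DB, NEW_RULES, "incremental")` yields one addition (RULE_3), no deletions and one modification (RULE_2), whereas the "full" plan deletes both existing rules and re-adds three.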
The show command will be extended. The following commands will be added:
```
Usage: show [OPTIONS] COMMAND [ARGS]...

  SONiC command line - 'show' command

Options:
  -h, ?, --help  Show this message and exit.

Commands:
  ...
  acl table [<id>]     Print existing ACL tables.
  session [<id>]       Print existing everflow
  acl rule [<id>]      Print existing ACL rules.
```
The config command will be extended. The following commands will be added:
config
```
Usage: config [OPTIONS] COMMAND [ARGS]...

  SONiC command line - 'config' command

Options:
  --help  Show this message and exit.

Commands:
  ...
  acl update full <file>          Install new ACL rules from file. This command will remove all existing ACL rules.
  acl update incremental <file>   Update ACL rules. This command will compare ACL rules from given file with existing and
                                  do corresponding addition, deletion or modification.
```