Skip to content

ACL Configuration High Level Design

Oleksandr Ivantsiv edited this page Oct 3, 2017 · 5 revisions

Draft. Under development

ACL Configuration in SONiC

High Level Design Document

Revision 0.1

List of Tables

Table 1: Revision
Rev Date Author Change Description
0.1 Oleksandr Ivantsiv Initial version

About this Manual

This document provides general information about the ACL configuration implementation in SONiC.

Scope

This document describes the high-level design of the ACL configuration.

1.1 System Chart

Following diagram describes a top level overview of the SONiC ACL configuration components:

2 Subsystem Requirements Overview

https://github.com/Azure/SONiC/wiki/ACL-Configuration-Requirement-Description

2.1 Requirements implementation schedule

Requirement Implementation Phase Release date Comment
ACL full update Phase 0 09.2017
ACL incremental update Phase 1 09.2017
LAG/VLAN interface binds Phase 2 10.2017 Requirements should be clarified. Additional design session required.
ACL rule and binding dynamic configuration through CLI Phase 3

3 Modules Design

3.1 Phase 0 and 1

3.1.1 Modules that need to be modified or added

3.1.1.1 Config DB

ACL and session configuration should be moved into Config DB. Orchagent should additionally subscribe to Config DB. All ACL and session configuration will be removed from APP DB. Mirror session state will remain in APP DB. Flows related to changing mirror session state will remain the same.

3.1.1.1.1 Config DB schema
3.1.1.1.1.1 ACL_TABLE

Schema is the same as it was in APP DB. Schema can found here:

https://github.com/Azure/SONiC/wiki/ACL-High-Level-Design#31211-acl-tables-table

3.1.1.1.1.2 MIRROR_SESSION

Schema is the same as it was in APP DB. Table name changed from PORT_MIRROR_TABLE to MIRROR_SESSION. “src_ip”, “gre_type”, “dscp”, and “queue” fields in MIRROR_SESSION_TABLE will become optional. If optional value is not specified it will be filled by orchagent with platform dependent default. Schema can found here:

https://github.com/Azure/SONiC/wiki/Everflow-High-Level-Design#3121-app-db-schema-reference

3.1.1.1.1.3 ACL_RULE

Schema is the same as it was in APP DB. Table name changed from ACL_RULE_TABLE to ACL_RULE.

https://github.com/Azure/SONiC/wiki/ACL-High-Level-Design#31212-acl-rules-table

3.1.1.3 SWSS

3.1.1.3.1 Orchagent

Orchagent should subscribe to Config DB instead of APP DB. As far as DB schema remains the same only the following changes should be performed:

  • Add Config DB connector to OrchDaemon.
  • Pass Config DB connector to AclOrch and EverflowOrch classes.
  • Rename ACL_RULE_TABLE to ACL_RULE.
  • Rename PORT_MIRROR_TABLE to MIRROR_SESSION.
  • “gre_type”, “dscp”, "ttl", and “queue” fields in MIRROR_SESSION table will become optional. If fields are not specified in Config DB orchagent will fill them with platform dependent default values.

3.1.1.4 Minigraph parser

Minigraph parser should be extended to convert ACL and mirroring configuration from the minigraph to Config DB schema. Config DB schema will be written to /etc/sonic/config_db.json file with other SONiC configuration.

3.1.1.5 ACL loader

ACL Loader is a tool that loads ACL rules from ACL Definition File, and translate them into ConfigDB schema. It will then write them into config DB after clear corresponding ACL tables, or compared them to the current value in config DB and do addition, deletion and modification correspondingly. In either scenario, it can be assumed that ACL table and mirror session have already been set up in config DB, and rules that don’t match any existing table could be ignored.

ACL loader utility will be implemented based on translate_acl. translate_acl utility will be removed.

3.1.1.5.1 ACL loader interface

acl-loader
Usage: acl-loader [OPTIONS] COMMAND [ARGS]...

  Utility to operate with ACL rule

Options:
  --help  Show this message and exit.

Commands:
  show table [<id>]           Print existing ACL tables.
  show session [<id>]         Print existing everflow sessions.
  show rule [<id>]            Print existing ACL rules.
  update full <file>          Install new ACL rules from file. This command will remove all existing ACL rules.
  update incremental <file>   Update ACL rules. This command will compare ACL rules from given file with existing and do 
                              corresponding addition, deletion or modification.

3.1.1.5 Show command

Show command will be extended. The following commands will be added:

Usage: show [OPTIONS] COMMAND [ARGS]...

  SONiC command line - 'show' command

Options:
  -h, ?, --help  Show this message and exit.

Commands:
...
acl table [<id>]           Print existing ACL tables.
session [<id>]             Print existing everflow 
acl rule [<id>]            Print existing ACL rules.

3.1.1.6 Config command

Config command will be extended. The following commands will be added:

config
Usage: config [OPTIONS] COMMAND [ARGS]...

  SONiC command line - 'config' command

Options:
  --help  Show this message and exit.

Commands:
...
  acl update full <file>          Install new ACL rules from file. This command will remove all existing ACL rules.
  acl update incremental <file>   Update ACL rules. This command will compare ACL rules from given file with existing and 
                                  do corresponding addition, deletion or modification.

4 Flows

4.1 Create ACL table/Mirror session from minigraph

4.2 Install ACL rules

4.3 Update ACL rules

Clone this wiki locally