Merge branch 'master' into master

acl_loader/main.py

@@ -94,7 +94,7 @@ class AclLoader(object):
         "ETHERTYPE_LLDP": 0x88CC,
         "ETHERTYPE_VLAN": 0x8100,
         "ETHERTYPE_ROCE": 0x8915,
-        "ETHERTYPE_ARP": 0x0806,
+        "ETHERTYPE_ARP":  0x0806,
         "ETHERTYPE_IPV4": 0x0800,
         "ETHERTYPE_IPV6": 0x86DD,
         "ETHERTYPE_MPLS": 0x8847
@@ -261,7 +261,7 @@ def read_acl_object_status_info(self, cfg_db_table_name, state_db_table_name):
             else:
                 state_db_info = self.statedb.get_all(self.statedb.STATE_DB, "{}|{}".format(state_db_table_name, state_db_key))
                 status[key]['status'] = state_db_info.get("status", "N/A") if state_db_info else "N/A"
-        
+
         return status
 
     def get_sessions_db_info(self):
@@ -346,6 +346,14 @@ def is_table_l3v6(self, tname):
         """
         return self.tables_db_info[tname]["type"].upper() == "L3V6"
 
+    def is_table_l3v4v6(self, tname):
+        """
+        Check if ACL table type is L3V4V6
+        :param tname: ACL table name
+        :return: True if table type is L3V4V6 else False
+        """
+        return self.tables_db_info[tname]["type"].upper() == "L3V4V6"
+
     def is_table_l3(self, tname):
         """
         Check if ACL table type is L3
@@ -509,6 +517,17 @@ def convert_ip(self, table_name, rule_idx, rule):
                 # "IP_ICMP" we need to pick the correct protocol number for the IP version
                 if rule.ip.config.protocol == "IP_ICMP" and self.is_table_ipv6(table_name):
                     rule_props["IP_PROTOCOL"] = self.ip_protocol_map["IP_ICMPV6"]
+                elif rule.ip.config.protocol == "IP_ICMP" and  self.is_table_l3v4v6(table_name):
+                    # For L3V4V6 tables, both ICMP and ICMPv6 are supported,
+                    # so find the IP_PROTOCOL using the ether_type.
+                    try:
+                        ether_type = rule.l2.config.ethertype
+                    except Exception as e:
+                        ether_type = None
+                    if rule.l2.config.ethertype == "ETHERTYPE_IPV6":
+                        rule_props["IP_PROTOCOL"] = self.ip_protocol_map["IP_ICMPV6"]
+                    else:
+                        rule_props["IP_PROTOCOL"] = self.ip_protocol_map[rule.ip.config.protocol]
                 else:
                     rule_props["IP_PROTOCOL"] = self.ip_protocol_map[rule.ip.config.protocol]
             else:
@@ -544,9 +563,20 @@ def convert_ip(self, table_name, rule_idx, rule):
     def convert_icmp(self, table_name, rule_idx, rule):
         rule_props = {}
 
-        is_table_v6 = self.is_table_ipv6(table_name)
-        type_key = "ICMPV6_TYPE" if is_table_v6 else "ICMP_TYPE"
-        code_key = "ICMPV6_CODE" if is_table_v6 else "ICMP_CODE"
+        is_rule_v6 = False
+        if self.is_table_ipv6(table_name):
+            is_rule_v6 = True
+        elif self.is_table_l3v4v6(table_name):
+            # get the IP version type using Ether-Type.
+            try:
+                ether_type = rule.l2.config.ethertype
+                if ether_type == "ETHERTYPE_IPV6":
+                    is_rule_v6 = True
+            except Exception as e:
+                pass
+
+        type_key = "ICMPV6_TYPE" if is_rule_v6 else "ICMP_TYPE"
+        code_key = "ICMPV6_CODE" if is_rule_v6 else "ICMP_CODE"
 
         if rule.icmp.config.type != "" and rule.icmp.config.type != "null":
             icmp_type = rule.icmp.config.type
@@ -651,7 +681,18 @@ def convert_rule_to_db_schema(self, table_name, rule):
         rule_props["PRIORITY"] = str(self.max_priority - rule_idx)
 
         # setup default ip type match to dataplane acl (could be overriden by rule later)
-        if self.is_table_l3v6(table_name):
+        if self.is_table_l3v4v6(table_name):
+            # ETHERTYPE must be passed and it should be one of IPv4 or IPv6
+            try:
+                ether_type =  rule.l2.config.ethertype
+            except Exception as e:
+                raise AclLoaderException("l2:ethertype must be provided for rule #{} in table:{} of type L3V4V6".format(rule_idx, table_name))
+            if ether_type not in ["ETHERTYPE_IPV4", "ETHERTYPE_IPV6"]:
+                # Ether type must be v4 or v6 to match IP fields, L4 (TCP/UDP) fields or ICMP fields
+                if rule.ip or rule.transport:
+                    raise AclLoaderException("ethertype={} is neither ETHERTYPE_IPV4 nor ETHERTYPE_IPV6 for IP rule #{} in table:{} type L3V4V6".format(rule.l2.config.ethertype, rule_idx, table_name))
+            rule_props["ETHER_TYPE"] = str(self.ethertype_map[ether_type])
+        elif self.is_table_l3v6(table_name):
             rule_props["IP_TYPE"] = "IPV6ANY"  # ETHERTYPE is not supported for DATAACLV6
         elif self.is_table_l3(table_name):
             rule_props["ETHER_TYPE"] = str(self.ethertype_map["ETHERTYPE_IPV4"])
@@ -682,6 +723,8 @@ def deny_rule(self, table_name):
             rule_props["IP_TYPE"] = "IPV6ANY"  # ETHERTYPE is not supported for DATAACLV6
         elif self.is_table_l3(table_name):
             rule_props["ETHER_TYPE"] = str(self.ethertype_map["ETHERTYPE_IPV4"])
+        elif self.is_table_l3v4v6(table_name):
+            rule_props["IP_TYPE"] = "IP" # Drop both v4 and v6 packets
         else:
             return {}  # Don't add default deny rule if table is not [L3, L3V6]
         return rule_data
@@ -835,7 +878,7 @@ def show_table(self, table_name):
         for key, val in self.get_tables_db_info().items():
             if table_name and key != table_name:
                 continue
-            
+
             stage = val.get("stage", Stage.INGRESS).lower()
             # Get ACL table status from STATE_DB
             if key in self.acl_table_status:

clear/main.py

@@ -492,10 +492,10 @@ def flowcnt_route(ctx, namespace):
     """Clear all route flow counters"""
     exit_if_route_flow_counter_not_support()
     if ctx.invoked_subcommand is None:
-        command = "flow_counters_stat -c -t route"
+        command = ['flow_counters_stat', '-c', '-t', 'route']
         # None namespace means default namespace
         if namespace is not None:
-            command += " -n {}".format(namespace)
+            command += ['-n', str(namespace)]
         clicommon.run_command(command)
 
 
@@ -506,12 +506,12 @@ def flowcnt_route(ctx, namespace):
 @click.argument('prefix-pattern', required=True)
 def pattern(prefix_pattern, vrf, namespace):
     """Clear route flow counters by pattern"""
-    command = "flow_counters_stat -c -t route --prefix_pattern {}".format(prefix_pattern)
+    command = ['flow_counters_stat', '-c', '-t', 'route', '--prefix_pattern', str(prefix_pattern)]
     if vrf:
-        command += ' --vrf {}'.format(vrf)
+        command += ['--vrf', str(vrf)]
     # None namespace means default namespace
     if namespace is not None:
-        command += " -n {}".format(namespace)
+        command += ['-n', str(namespace)]
     clicommon.run_command(command)
 
 
@@ -522,12 +522,12 @@ def pattern(prefix_pattern, vrf, namespace):
 @click.argument('prefix', required=True)
 def route(prefix, vrf, namespace):
     """Clear route flow counters by prefix"""
-    command = "flow_counters_stat -c -t route --prefix {}".format(prefix)
+    command = ['flow_counters_stat', '-c', '-t', 'route', '--prefix', str(prefix)]
     if vrf:
-        command += ' --vrf {}'.format(vrf)
+        command += ['--vrf', str(vrf)]
     # None namespace means default namespace
     if namespace is not None:
-        command += " -n {}".format(namespace)
+        command += ['-n', str(namespace)]
     clicommon.run_command(command)
 
 

config/config_mgmt.py

@@ -35,7 +35,8 @@ class ConfigMgmt():
     to verify config for the commands which are capable of change in config DB.
     '''
 
-    def __init__(self, source="configDB", debug=False, allowTablesWithoutYang=True, sonicYangOptions=0):
+    def __init__(self, source="configDB", debug=False, allowTablesWithoutYang=True,
+                 sonicYangOptions=0, configdb=None):
         '''
         Initialise the class, --read the config, --load in data tree.
 
@@ -44,6 +45,7 @@ def __init__(self, source="configDB", debug=False, allowTablesWithoutYang=True,
             debug (bool): verbose mode.
             allowTablesWithoutYang (bool): allow tables without yang model in
                 config or not.
+            configdb: configdb to work on.
 
         Returns:
             void
@@ -54,6 +56,7 @@ def __init__(self, source="configDB", debug=False, allowTablesWithoutYang=True,
             self.source = source
             self.allowTablesWithoutYang = allowTablesWithoutYang
             self.sonicYangOptions = sonicYangOptions
+            self.configdb = configdb
 
             # logging vars
             self.SYSLOG_IDENTIFIER = "ConfigMgmt"
@@ -194,8 +197,11 @@ def readConfigDB(self):
         self.sysLog(doPrint=True, msg='Reading data from Redis configDb')
         # Read from config DB on sonic switch
         data = dict()
-        configdb = ConfigDBConnector()
-        configdb.connect()
+        if self.configdb is None:
+            configdb = ConfigDBConnector()
+            configdb.connect()
+        else:
+            configdb = self.configdb
         sonic_cfggen.deep_update(data, sonic_cfggen.FormatConverter.db_to_output(configdb.get_config()))
         self.configdbJsonIn = sonic_cfggen.FormatConverter.to_serialized(data)
         self.sysLog(syslog.LOG_DEBUG, 'Reading Input from ConfigDB {}'.\
@@ -215,8 +221,11 @@ def writeConfigDB(self, jDiff):
         '''
         self.sysLog(doPrint=True, msg='Writing in Config DB')
         data = dict()
-        configdb = ConfigDBConnector()
-        configdb.connect(False)
+        if self.configdb is None:
+            configdb = ConfigDBConnector()
+            configdb.connect(False)
+        else:
+            configdb = self.configdb
         sonic_cfggen.deep_update(data, sonic_cfggen.FormatConverter.to_deserialized(jDiff))
         self.sysLog(msg="Write in DB: {}".format(data))
         configdb.mod_config(sonic_cfggen.FormatConverter.output_to_db(data))