Skip to content

Commit

Permalink
[portsorch]: Prevent LAG member configuration when port has active AC…
Browse files Browse the repository at this point in the history
…L binding (sonic-net#2165)

* [portsorch]: Prevent LAG member configuration when port has active ACL binding.
Signed-off-by: Nazarii Hnydyn <nazariig@nvidia.com>
  • Loading branch information
nazariig authored Mar 30, 2022
1 parent c1d47e6 commit 390cae1
Show file tree
Hide file tree
Showing 2 changed files with 89 additions and 0 deletions.
11 changes: 11 additions & 0 deletions orchagent/portsorch.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -3851,6 +3851,17 @@ void PortsOrch::doLagMemberTask(Consumer &consumer)
continue;
}

if (!port.m_ingress_acl_tables_uset.empty() || !port.m_egress_acl_tables_uset.empty())
{
SWSS_LOG_ERROR(
"Failed to add member %s to LAG %s: ingress/egress ACL configuration is present",
port.m_alias.c_str(),
lag.m_alias.c_str()
);
it = consumer.m_toSync.erase(it);
continue;
}

if (!addLagMember(lag, port, (status == "enabled")))
{
it++;
Expand Down
78 changes: 78 additions & 0 deletions tests/test_acl_portchannel.py
Original file line number Diff line number Diff line change
@@ -1,9 +1,87 @@
import time
import pytest
import logging

from swsscommon import swsscommon


logging.basicConfig(level=logging.INFO)
acllogger = logging.getLogger(__name__)


@pytest.fixture(autouse=True, scope="class")
def dvs_api(request, dvs_acl):
# Fixtures are created when first requested by a test, and are destroyed based on their scope
if request.cls is None:
yield
return
acllogger.info("Initialize DVS API: ACL")
request.cls.dvs_acl = dvs_acl
yield
acllogger.info("Deinitialize DVS API: ACL")
del request.cls.dvs_acl


@pytest.mark.usefixtures("dvs_lag_manager")
class TestAclInterfaceBinding:
@pytest.mark.parametrize("stage", ["ingress", "egress"])
def test_AclTablePortChannelMemberBinding(self, testlog, stage):
"""Verify that LAG member creation is prohibited when ACL binding is configured
The test flow:
1. Create ACL table and bind Ethernet124
2. Verify ACL table has been successfully added
3. Create LAG
4. Verify LAG has been successfully added
5. Create LAG member Ethernet120
6. Verify LAG member has been successfully added
7. Create LAG member Ethernet124
8. Verify LAG member hasn't been added because of active ACL binding
Args:
testlog: test start/end log record injector
stage: ACL table stage (e.g., ingress/egress)
"""
try:
acllogger.info("Create ACL table: acl_table")
self.dvs_acl.create_acl_table(
table_name="acl_table",
table_type="L3",
ports=["Ethernet124"],
stage=stage
)
self.dvs_acl.verify_acl_table_count(1)

acllogger.info("Create LAG: PortChannel0001")
self.dvs_lag.create_port_channel("0001")
self.dvs_lag.get_and_verify_port_channel(1)

acllogger.info("Create LAG member: Ethernet120")
self.dvs_lag.create_port_channel_member("0001", "Ethernet120")
self.dvs_lag.get_and_verify_port_channel_members(1)

acllogger.info("Create LAG member: Ethernet124")
self.dvs_lag.create_port_channel_member("0001", "Ethernet124")
acllogger.info("Verify LAG member hasn't been created: Ethernet124")
self.dvs_lag.get_and_verify_port_channel_members(1)
finally:
acllogger.info("Remove LAG member: Ethernet124")
self.dvs_lag.remove_port_channel_member("0001", "Ethernet124")
self.dvs_lag.get_and_verify_port_channel_members(1)

acllogger.info("Remove LAG member: Ethernet120")
self.dvs_lag.remove_port_channel_member("0001", "Ethernet120")
self.dvs_lag.get_and_verify_port_channel_members(0)

acllogger.info("Remove LAG: PortChannel0001")
self.dvs_lag.remove_port_channel("0001")
self.dvs_lag.get_and_verify_port_channel(0)

acllogger.info("Remove ACL table: acl_table")
self.dvs_acl.remove_acl_table("acl_table")
self.dvs_acl.verify_acl_table_count(0)


class TestPortChannelAcl(object):
def setup_db(self, dvs):
self.pdb = swsscommon.DBConnector(0, dvs.redis_sock, 0)
Expand Down

0 comments on commit 390cae1

Please sign in to comment.