一、目前ACL配置需要用到openconfig.json格式去操作;
ACL full update: an ACL rule definition file will be provided in openconfig json format;
All existing ACLs will be removed, and new ACLs will be configured according to the file.
二、之前关于ACL-TABLE,ACL-RULE-TABLE和port-mirror-table都从app_db放到了config_db
<从源码也可以看出来>
Move ACL_TABLE, ACL_RULE_TABLE, and PORT_MIRROR_TABLE to config DB, rename to ACL_TABLE, ACL_RULE and MIRROR_SESSION correspondingly.
三、具体步骤:
1、minigraph.xml中绑定到应用和端口
Minigraph文件绑定ACL规则到具体端口或者应用:
Vim /etc/sonic/minigraph
…….
<AclInterfaces>
<AclInterface>
<AttachTo>Ethernet16</AttachTo>
<InAcl>everflow</InAcl>
</AclInterface>
</AclInterfaces>
……
这里我将定义的everflow table绑定到了端口Ethernet16,当然,这里也可以是ERSPAN,portchanel之类的应用。
其流程如下:
2.
通过acl-load update full ../../acl.json加载acl规则到configdb中。
参考目录:这里定义的参考文件
https://github.com/Azure/sonic-buildimage/blob/023a5b9714c8d2c41ab4469beae3569c0e43933a/src/sonic-config-engine/tests/t0-sample-acl.json
Acl.json文件定义如下:
| { |
|
| "acl": { |
|
| "acl-sets": { |
|
| "acl-set": { |
|
| "dataacl": { |
|
| "acl-entries": { |
|
| "acl-entry": { |
|
| "1": { |
|
| "actions": { |
|
| "config": { |
|
| "forwarding-action": "ACCEPT" |
|
| } |
|
| }, |
|
| "config": { |
|
| "sequence-id": 1 |
|
| }, |
|
| "ip": { |
|
| "config": { |
|
| "protocol": "IP_UDP", |
|
| "source-ip-address": "10.0.0.0/8" |
|
| } |
|
| } |
|
| }, |
|
| "2": { |
|
| "actions": { |
|
| "config": { |
|
| "forwarding-action": "ACCEPT" |
|
| } |
|
| }, |
|
| "config": { |
|
| "sequence-id": 2 |
|
| }, |
|
| "ip": { |
|
| "config": { |
|
| "protocol": "IP_UDP", |
|
| "source-ip-address": "100.64.0.0/10" |
|
| } |
|
| } |
|
| }, |
|
| "3": { |
|
| "actions": { |
|
| "config": { |
|
| "forwarding-action": "ACCEPT" |
|
| } |
|
| }, |
|
| "config": { |
|
| "sequence-id": 3 |
|
| }, |
|
| "ip": { |
|
| "config": { |
|
| "protocol": "IP_UDP", |
|
| "source-ip-address": "25.0.0.0/8" |
|
| } |
|
| } |
|
| }, |
|
| "4": { |
|
| "actions": { |
|
| "config": { |
|
| "forwarding-action": "ACCEPT" |
|
| } |
|
| }, |
|
| "config": { |
|
| "sequence-id": 4 |
|
| }, |
|
| "ip": { |
|
| "config": { |
|
| "protocol": "IP_TCP" |
|
| } |
|
| }, |
|
| "transport": { |
|
| "config": { |
|
| "tcp-flags": [ |
|
| "TCP_ACK" |
|
| ] |
|
| } |
|
| } |
|
| } |
|
| } |
|
| }, |
|
| "config": { |
|
| "name": "dataacl" |
|
| } |
|
| }, |
|
| "everflow": { |
|
| "acl-entries": { |
|
| "acl-entry": { |
|
| "1": { |
|
| "actions": { |
|
| "config": { |
|
| "forwarding-action": "ACCEPT" |
|
| } |
|
| }, |
|
| "config": { |
|
| "sequence-id": 1 |
|
| }, |
|
| "ip": { |
|
| "config": { |
|
| "destination-ip-address": "127.0.0.1/32", |
|
| "protocol": "IP_TCP", |
|
| "source-ip-address": "127.0.0.1/32" |
|
| } |
|
| }, |
|
| "transport": { |
|
| "config": { |
|
| "destination-port": "0", |
|
| "source-port": "0" |
|
| } |
|
| } |
|
| } |
|
| } |
|
| }, |
|
| "config": { |
|
| "name": "everflow" |
|
| } |
|
| } |
|
| } |
|
| } |
|
| } |
|
| } |
