一、目前ACL配置需要用到openconfig.json格式去操作;
ACL full update: an ACL rule definition file will be provided in openconfig json format;
All existing ACLs will be removed, and new ACLs will be configured according to the file.
二、之前关于ACL-TABLE,ACL-RULE-TABLE和port-mirror-table都从app_db放到了config_db
<从源码也可以看出来>
Move ACL_TABLE, ACL_RULE_TABLE, and PORT_MIRROR_TABLE to config DB, rename to ACL_TABLE, ACL_RULE and MIRROR_SESSION correspondingly.
三、具体步骤:
1、minigraph.xml中绑定到应用和端口
Minigraph文件绑定ACL规则到具体端口或者应用:
Vim /etc/sonic/minigraph
…….
<AclInterfaces>
<AclInterface>
<AttachTo>Ethernet16</AttachTo>
<InAcl>everflow</InAcl>
</AclInterface>
</AclInterfaces>
……
这里我将定义的everflow table绑定到了端口Ethernet16,当然,这里也可以是ERSPAN,portchanel之类的应用。
其流程如下:
2.
通过acl-load update full ../../acl.json加载acl规则到configdb中。
参考目录:这里定义的参考文件
https://github.com/Azure/sonic-buildimage/blob/023a5b9714c8d2c41ab4469beae3569c0e43933a/src/sonic-config-engine/tests/t0-sample-acl.json
Acl.json文件定义如下:
| { | |
| "acl": { | |
| "acl-sets": { | |
| "acl-set": { | |
| "dataacl": { | |
| "acl-entries": { | |
| "acl-entry": { | |
| "1": { | |
| "actions": { | |
| "config": { | |
| "forwarding-action": "ACCEPT" | |
| } | |
| }, | |
| "config": { | |
| "sequence-id": 1 | |
| }, | |
| "ip": { | |
| "config": { | |
| "protocol": "IP_UDP", | |
| "source-ip-address": "10.0.0.0/8" | |
| } | |
| } | |
| }, | |
| "2": { | |
| "actions": { | |
| "config": { | |
| "forwarding-action": "ACCEPT" | |
| } | |
| }, | |
| "config": { | |
| "sequence-id": 2 | |
| }, | |
| "ip": { | |
| "config": { | |
| "protocol": "IP_UDP", | |
| "source-ip-address": "100.64.0.0/10" | |
| } | |
| } | |
| }, | |
| "3": { | |
| "actions": { | |
| "config": { | |
| "forwarding-action": "ACCEPT" | |
| } | |
| }, | |
| "config": { | |
| "sequence-id": 3 | |
| }, | |
| "ip": { | |
| "config": { | |
| "protocol": "IP_UDP", | |
| "source-ip-address": "25.0.0.0/8" | |
| } | |
| } | |
| }, | |
| "4": { | |
| "actions": { | |
| "config": { | |
| "forwarding-action": "ACCEPT" | |
| } | |
| }, | |
| "config": { | |
| "sequence-id": 4 | |
| }, | |
| "ip": { | |
| "config": { | |
| "protocol": "IP_TCP" | |
| } | |
| }, | |
| "transport": { | |
| "config": { | |
| "tcp-flags": [ | |
| "TCP_ACK" | |
| ] | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "config": { | |
| "name": "dataacl" | |
| } | |
| }, | |
| "everflow": { | |
| "acl-entries": { | |
| "acl-entry": { | |
| "1": { | |
| "actions": { | |
| "config": { | |
| "forwarding-action": "ACCEPT" | |
| } | |
| }, | |
| "config": { | |
| "sequence-id": 1 | |
| }, | |
| "ip": { | |
| "config": { | |
| "destination-ip-address": "127.0.0.1/32", | |
| "protocol": "IP_TCP", | |
| "source-ip-address": "127.0.0.1/32" | |
| } | |
| }, | |
| "transport": { | |
| "config": { | |
| "destination-port": "0", | |
| "source-port": "0" | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "config": { | |
| "name": "everflow" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } |
