[Nexthop][fboss2-dev] CLI for config and delete ACL rule and action subcommands#1183
[Nexthop][fboss2-dev] CLI for config and delete ACL rule and action subcommands#1183hillol-nexthop wants to merge 1 commit into
Conversation
2af37c5 to
b159c3f
Compare
6fe84d8 to
df8560c
Compare
Generalize the comment to describe environments without sudo rather than calling out the fboss-sim runtime image specifically. Matches the sanitized text in upstream PR facebook#1183.
df8560c to
7ac5519
Compare
Generalize the comment to describe environments without sudo rather than calling out the fboss-sim runtime image specifically. Matches the sanitized text in upstream PR facebook#1183.
7ac5519 to
0e39794
Compare
Generalize the comment to describe environments without sudo rather than calling out the fboss-sim runtime image specifically. Matches the sanitized text in upstream PR facebook#1183.
0e39794 to
db96f2e
Compare
| } | ||
| } // namespace | ||
|
|
||
| class ConfigAclRuleTest : public Fboss2IntegrationTest { |
There was a problem hiding this comment.
Recently I introduced this per-test agent cold boot to Fboss2IntegrationTestRunner
b108a87
to make sure each single fboss2_integration_test run will alwasy start with a clean state.
And in our FBOSS internal test tool(Netcastle), I also implemented something similar
The goal is to keep our gtest here only focus on testing the functionality of our services/fboss2,
while our test infrastructure/orchestrator(like Netcastle or run_test.py) can deal with the setup/cleanup test suite logic. Please consider to simplify the test to use what we provide in run_test.py
There was a problem hiding this comment.
I have removed the snapshotting part but I need to keep the residue for injecting ACL qualifiers. I know run_test.py accepts custom config for a test but when I want to run all the integration tests, I can't specify custom config for a particular suite. The current method takes whatever base config you provide and adds the qualifiers to facilitate ACL tests to run which I find much more convenient.
It deviates a bit from the convention but makes the test self-sustainable. Let me know if you are okay with the tradeoff.
Generalize the comment to describe environments without sudo rather than calling out the fboss-sim runtime image specifically. Matches the sanitized text in upstream PR facebook#1183.
db96f2e to
ce68f78
Compare
d367bed to
14ab1c9
Compare
14ab1c9 to
2c25d8e
Compare
d5e6fc0 to
d0feb81
Compare
d0feb81 to
df1bc95
Compare
…ubcommands Full ACL rule CLI surface in fboss2-dev — match fields, actions, and whole-rule delete: fboss2-dev config acl rule <table> <rule> <attr> <value> [<ttl-mask>] fboss2-dev config acl rule <table> <rule> action <subattr> [<value>] fboss2-dev delete acl rule <table> <rule> config acl rule upserts: if the named rule does not exist in the table it is created with the supplied attribute, otherwise the attribute is applied to the existing entry. delete acl rule removes the entire AclEntry (and its MatchAction) from the table. Match-field attributes (16 setters on AclEntry): source-ip, destination-ip, protocol, source-port, destination-port, dscp, tcp-flags, icmp-type, icmp-code, ip-fragment, ttl, destination-mac, ethertype, vlan, ip-type, packet-lookup-result. The ttl <value> <mask> form is unique to the setter; without <mask> it defaults to 0xFF. Action subcommands: permit, deny, send-to-queue, set-dscp, set-tc, mirror-ingress, mirror-egress, counter, trap-to-cpu, copy-to-cpu, and redirect nexthop <ip>. permit/deny mutate AclEntry.actionType in place; the rest land on a MatchAction attached via dataPlaneTrafficPolicy.matchToAction keyed by rule name. All operations target sw.aclTableGroups (field 56); the deprecated aclTableGroup (field 45) is not supported. All mutations are HITLESS. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
df1bc95 to
1f89161
Compare
joseph5wu
left a comment
There was a problem hiding this comment.
Please address the magic number and acl unrelated test services orchestration logic comments.
| AclRuleArity aclRuleAttrArity(std::string_view attr) { | ||
| if (attr == kAclRuleAttrTtl) { | ||
| return {4, 5}; // optional <mask> | ||
| } | ||
| if (attr == kAclRuleAttrAction) { | ||
| return {4, 6}; // refined by aclRuleActionArity() | ||
| } | ||
| return {4, 4}; | ||
| } | ||
|
|
||
| AclRuleArity aclRuleActionArity(std::string_view sub) { | ||
| if (sub == kAclRuleActionPermit || sub == kAclRuleActionDeny || | ||
| sub == kAclRuleActionTrapToCpu || sub == kAclRuleActionCopyToCpu) { | ||
| return {4, 4}; // no value | ||
| } | ||
| if (sub == kAclRuleActionRedirect) { | ||
| return {6, 6}; // redirect nexthop <ip> | ||
| } | ||
| return {5, 5}; // single value | ||
| } | ||
|
|
There was a problem hiding this comment.
Let's define all these magic number as constants in the header.
I noticed you also directly use these numbers in the CmdConfigAclRule.cpp which makes me concern if we need to change the syntax of one of the attributes, it might not be as easy to locate the places we need to adjust
| // Everything else is exactly one value; a 5th token is only meaningful for | ||
| // `ttl`, so call that out specifically. | ||
| if (v.size() == 5) { |
There was a problem hiding this comment.
This is why we need to define these magic numbers.
| // value-token count is v.size() - 4 ('action' itself is v[3]). | ||
| const bool tooFew = v.size() < arity.min; | ||
| // Re-derive the action category from its arity to phrase the error. | ||
| if (arity.max == 4) { |
| << " seconds"; | ||
| } | ||
|
|
||
| void Fboss2IntegrationTest::dumpAgentDiagnostics() const { |
There was a problem hiding this comment.
I highly recommend not to include this logic in the integration tests.
Instead we should consider to use the test orchestrator like run_test.py or our internal Netcastle
to handle the agent services or collecting logs since these should be the test orchestrator's responsibility.
Let's remove this logic out from this PR and have this PR only focus on ACL related implementation
Summary
Full ACL rule CLI surface in
fboss2-dev— match fields, actions, and whole-rule delete:config acl ruleupserts — if the named rule does not exist in the table it is created with the supplied attribute, otherwise the attribute is applied to the existing entry.delete acl ruleremoves the entireAclEntry(and itsMatchAction) from the table.Match-field attributes
16 setters on
AclEntry:source-ip,destination-ip,protocol,source-port,destination-port,dscp,tcp-flags,icmp-type,icmp-code,ip-fragment,ttl,destination-mac,ethertype,vlan,ip-type,packet-lookup-result. The 5-tokenttl <value> <mask>form is unique to the setter; without<mask>it defaults to0xFF.Action subcommands
permit/denymutateAclEntry.actionTypein place. The rest land on aMatchActionattached viadataPlaneTrafficPolicy.matchToActionkeyed by rule name; the CLI finds or creates theMatchToActionentry on demand.Common
All operations target
sw.aclTableGroups(field 56) — the deprecatedaclTableGroup(field 45) is not supported. All are HITLESS: AclEntry + MatchAction mutations apply at runtime viaprocessAclTableGroupDeltainSaiAclTableManager; no warmboot-prohibited guard inSaiSwitch.How to use the CLIs
Test plan
Unit tests
fboss2_cmd_config_test --gtest_filter='*AclRule*'→ 49/49 PASSCmdConfigAclRuleTestFixture(44):argValidation_badArity,argValidation_unknownAttr,argValidation_extraTokenOnlyForTtl,argValidation_outOfRange,argValidation_badIp,argValidation_badMac,argValidation_protocolKeyword,argValidation_ipFragmentEnum,argValidation_etherTypeNumericOrNameargValidation_unknownActionSubattr,argValidation_actionPermitNoExtra,argValidation_actionRequiresValue,argValidation_actionRangeChecks,argValidation_actionRedirectShaperuleAutoCreated,tableNotFound,setSourceIp,setDestinationIp,setProtocol,setSourcePort,setDestinationPort,setDscp,setTcpFlags,setIcmpType,setIcmpCode,setIpFragment,setTtlDefaultMask,setTtlExplicitMask,setDestinationMac,setEtherType,setVlan,setIpType,setPacketLookupResultsetActionPermit,setActionDeny,setActionSendToQueue,setActionSetDscp,setActionSetTc,setActionMirrorIngress,setActionMirrorEgress,setActionCounter,setActionTrapToCpu,setActionCopyToCpu,setActionRedirectNexthopCmdDeleteAclRuleTestFixture(5):argValidation_badArity,argValidation_validArity,tableNotFound,ruleNotFound,deleteRuleIntegration tests
fboss2_integration_test --gtest_filter='*AclRule*'on a real DUT → 25/25 PASSSetUpTestSuitesnapshots/etc/coop/agent.confand unions the first AclTable'squalifierslist with every match-field qualifier exercised by the suite, then restartsfboss_sw_agent.TearDownTestSuiterestores the snapshot and restarts. Each test creates the rule on demand viaconfig acl rule; per-testTearDowndeletes it viadelete acl rule.Match-field (17):
SetSourceIp,SetDestinationIp,SetProtocol,SetSourcePort,SetDestinationPort,SetDscp,SetTcpFlags,SetIcmpType,SetIcmpCode,SetIpFragment,SetTtlDefaultMask,SetTtlExplicitMask,SetDestinationMac,SetEtherType,SetVlan,SetIpType,SetPacketLookupResultAction (7):
SetActionPermit,SetActionDeny,SetActionSendToQueue,SetActionSetDscp,SetActionSetTc,SetActionTrapToCpu,SetActionCopyToCpuDelete (1):
DeleteRule— creates the entry viaconfig acl rule, commits, asserts present, thendelete acl rule, commits, asserts gone.action mirror-ingress,action mirror-egress,action counter, andaction redirect nexthopare intentionally unit-test-only — SAI rejects entries that reference an undefined mirror session, unprovisioned counter, or unresolvable nexthop, and provisioning that supporting state on the DUT is out of scope for this PR. The CLI is verified to construct the right config delta in unit tests.