[acl-loader] egress mirror action support and action ASIC support check #575
Conversation
| for action_key in dict(action_props): | ||
| key = "{}|{}".format(self.ACL_ACTIONS_CAPABILITY_FIELD, stage.upper()) | ||
| if key not in capability: | ||
| del action_props[action_key] |
There was a problem hiding this comment.
this method validate_actions can validate several actions in one call. This is done to allow later check if some combination of actions in one rule is allowed
| if self.is_table_control_plane(table_name): | ||
| return True | ||
|
|
||
| action_count = len(action_props) |
There was a problem hiding this comment.
right now you're validating the actions based on the number of the actions before and after the check. however, it is based on the assumption that the input action_props only contains actions. but this assumption is based on the order of the conversion in the convert_rule_to_db_schema, which seems weak to me.
will it be better to raise the exceptions immediately when the rules violate the capabilities of the switch?
There was a problem hiding this comment.
convert_rule_to_db_schema performs deep_update of rule_props dict (action, l2, ip, etc. key/values). It does not depend on the order. Thus convert_action should return a dict with acl actions only, so safely to assume action_props has only actions
| if val["type"] == AclLoader.ACL_TABLE_TYPE_CTRLPLANE: | ||
| services = natsorted(val["services"]) | ||
| data.append([key, val["type"], services[0], val["policy_desc"]]) | ||
| data.append([key, val["type"], services[0], val["policy_desc"], stage]) |
There was a problem hiding this comment.
do we need to specify the ingress stage for control plane ACLs?
There was a problem hiding this comment.
control plane ACLs are in INPUT chain. Does it make sense to mark them as ingress in this case?
Signed-off-by: Stepan Blyschak <[email protected]>
…heck Signed-off-by: Stepan Blyschak <[email protected]>
Signed-off-by: Stepan Blyschak <[email protected]>
Signed-off-by: Stepan Blyschak <[email protected]>
Signed-off-by: Stepan Blyschak <[email protected]>
Signed-off-by: Stepan Blyschak <[email protected]>
Signed-off-by: Stepan Blyschak <[email protected]>
Signed-off-by: Stepan Blyschak <[email protected]>
Signed-off-by: Stepan Blyschak <[email protected]>
Signed-off-by: Stepan Blyschak <[email protected]>
Signed-off-by: Stepan Blyschak <[email protected]>
Signed-off-by: Stepan Blyschak <[email protected]>
Signed-off-by: Stepan Blyschak <[email protected]>
…ommand Signed-off-by: Stepan Blyschak <[email protected]>
- What I did
- How I did it
- How to verify it
- Previous command output (if the output of a command-line utility has changed)
- New command output (if the output of a command-line utility has changed)
-->
DEPENDS sonic-net/sonic-swss#963