ACL do not create 1001 rule for allow all ips from inbound or outbound and merged 1001 to last allow rule.

dpugen/dashgen/acl_rule.py

@@ -27,6 +27,20 @@ def items(self):
  for ip_index in range(0, p.ACL_RULES_NSG, 2): # Per even ACL rule
  remote_ip_a = cp.IP_R_START + (eni_index * cp.IP_STEP_ENI) + (stage_in_index * cp.IP_STEP_NSG) + ((ip_index // 2) * cp.IP_STEP_ACL)
  ip_list_a = [str(remote_ip_a + expanded_index * cp.IP_STEPE) + '/32' for expanded_index in range(0, p.IP_PER_ACL_RULE)]
+ ip_list_all = []
+ if ((stage_in_index % p.ACL_NSG_COUNT) == (p.ACL_NSG_COUNT - 1)) and (ip_index == (p.ACL_RULES_NSG - 2)):
+ all_ips_stage1 = cp.IP_R_START + eni_index * cp.IP_STEP_ENI + (stage_in_index + 1) * cp.IP_STEP_NSG
+ all_ips_stage2 = all_ips_stage1 + 1 * cp.IP_STEP_NSG
+ all_ips_stage3 = all_ips_stage1 + 2 * cp.IP_STEP_NSG
+ all_ips_stage4 = all_ips_stage1 + 3 * cp.IP_STEP_NSG
+ all_ips_stage5 = all_ips_stage1 + 4 * cp.IP_STEP_NSG
+ ip_list_all = [
+ str(all_ips_stage1) + '/15',
+ str(all_ips_stage2) + '/15',
+ str(all_ips_stage3) + '/15',
+ str(all_ips_stage4) + '/15',
+ str(all_ips_stage5) + '/15',
+ ]
 
  # Allow
  self.num_yields += 1
@@ -35,7 +49,7 @@ def items(self):
  'priority': ip_index,
  'action': 'allow',
  'terminating': 'true',
- 'src_addr': ','.join(ip_list_a[:]),
+ 'src_addr': ','.join(ip_list_a[:] + ip_list_all[:]),
  'dst_addr': l_ip_ac
  },
  'OP': 'SET'
@@ -44,9 +58,6 @@ def items(self):
  remote_ip_d = remote_ip_a - cp.IP_STEP1
  ip_list_d = [str(remote_ip_d + expanded_index * cp.IP_STEPE) + '/32' for expanded_index in range(0, p.IP_PER_ACL_RULE)]
 
- if ip_index == (p.ACL_RULES_NSG - 2) and (stage_in_index % p.ACL_NSG_COUNT) == 4:
- break # Skip the very last rule on the last stage to have exactly 1000 rules
-
  # Deny
  self.num_yields += 1
  yield {
@@ -60,59 +71,42 @@ def items(self):
  'OP': 'SET'
  }
 
- # add as last rule in last table from ingress and egress an allow rule for all the IPs from egress and ingress
- if (stage_in_index % p.ACL_NSG_COUNT) == 4:
- all_ips_stage1 = cp.IP_L_START + eni_index * cp.IP_STEP_ENI + stage_in_index * 4 * cp.IP_STEP_NSG
- all_ips_stage2 = all_ips_stage1 + 1 * 4 * cp.IP_STEP_NSG
- all_ips_stage3 = all_ips_stage1 + 2 * 4 * cp.IP_STEP_NSG
- all_ips_stage4 = all_ips_stage1 + 3 * 4 * cp.IP_STEP_NSG
- all_ips_stage5 = all_ips_stage1 + 4 * 4 * cp.IP_STEP_NSG
- ip_list_all = [
- str(all_ips_stage1) + '/14',
- str(all_ips_stage2) + '/14',
- str(all_ips_stage3) + '/14',
- str(all_ips_stage4) + '/14',
- str(all_ips_stage5) + '/14',
- ]
-
- # Allow
- self.num_yields += 1
- yield {
- 'DASH_ACL_RULE_TABLE:%d:rule%d' % (table_id, ip_index + 1): {
- 'priority': ip_index + 1,
- 'action': 'allow',
- 'terminating': 'true',
- 'src_addr': ','.join(ip_list_all[:]),
- 'dst_addr': l_ip_ac
- },
- 'OP': 'SET'
- }
-
  for stage_out_index in range(p.ACL_NSG_COUNT):
  table_id = eni * 1000 + 500 + stage_out_index
  for ip_index in range(0, p.ACL_RULES_NSG, 2):
- remote_ip_a = cp.IP_R_START + (eni_index * cp.IP_STEP_ENI) + (stage_out_index * cp.IP_STEP_NSG) + ((ip_index // 2) * cp.IP_STEP_ACL)
+ remote_ip_a = cp.IP_R_START + (eni_index * cp.IP_STEP_ENI) + (p.ACL_NSG_COUNT + stage_out_index) * cp.IP_STEP_NSG + (ip_index // 2) * cp.IP_STEP_ACL
  ip_list_a = [str(remote_ip_a + expanded_index * cp.IP_STEPE) + '/32' for expanded_index in range(0, p.IP_PER_ACL_RULE)]
 
- # Allow
+ ip_list_all = []
+ if ((stage_out_index % p.ACL_NSG_COUNT)) == (p.ACL_NSG_COUNT - 1) and (ip_index == (p.ACL_RULES_NSG - 2)):
+ all_ips_stage1 = cp.IP_R_START + eni_index * cp.IP_STEP_ENI
+ all_ips_stage2 = all_ips_stage1 + 1 * cp.IP_STEP_NSG
+ all_ips_stage3 = all_ips_stage1 + 2 * cp.IP_STEP_NSG
+ all_ips_stage4 = all_ips_stage1 + 3 * cp.IP_STEP_NSG
+ all_ips_stage5 = all_ips_stage1 + 4 * cp.IP_STEP_NSG
+ ip_list_all = [
+ str(all_ips_stage1) + '/15',
+ str(all_ips_stage2) + '/15',
+ str(all_ips_stage3) + '/15',
+ str(all_ips_stage4) + '/15',
+ str(all_ips_stage5) + '/15',
+ ]
+ # allow
  self.num_yields += 1
  yield {
  'DASH_ACL_RULE_TABLE:%d:rule%d' % (table_id, ip_index): {
  'priority': ip_index,
  'action': 'allow',
  'terminating': 'true',
  'src_addr': l_ip_ac,
- 'dst_addr': ','.join(ip_list_a[:])
+ 'dst_addr': ','.join(ip_list_a[:] + ip_list_all[:])
  },
  'OP': 'SET'
  }
 
  remote_ip_d = remote_ip_a - cp.IP_STEP1
  ip_list_d = [str(remote_ip_d + expanded_index * cp.IP_STEPE) + '/32' for expanded_index in range(0, p.IP_PER_ACL_RULE)]
 
- if ip_index == (p.ACL_RULES_NSG - 2) and (stage_out_index % p.ACL_NSG_COUNT) == 4:
- break # Skip the very last rule on the last stage to have exactly 1000 rules
-
  # Deny
  self.num_yields += 1
  yield {
@@ -126,34 +120,6 @@ def items(self):
  'OP': 'SET'
  }
 
- # add as last rule in last table from ingress and egress an allow rule for all the IPs from egress and ingress
- if (stage_out_index % p.ACL_NSG_COUNT) == 4:
- all_ips_stage1 = cp.IP_R_START + eni_index * cp.IP_STEP_ENI
- all_ips_stage2 = all_ips_stage1 + 1 * 4 * cp.IP_STEP_NSG
- all_ips_stage3 = all_ips_stage1 + 2 * 4 * cp.IP_STEP_NSG
- all_ips_stage4 = all_ips_stage1 + 3 * 4 * cp.IP_STEP_NSG
- all_ips_stage5 = all_ips_stage1 + 4 * 4 * cp.IP_STEP_NSG
- ip_list_all = [
- str(all_ips_stage1) + '/14',
- str(all_ips_stage2) + '/14',
- str(all_ips_stage3) + '/14',
- str(all_ips_stage4) + '/14',
- str(all_ips_stage5) + '/14',
- ]
-
- # Allow
- self.num_yields += 1
- yield {
- 'DASH_ACL_RULE_TABLE:%d:rule%d' % (table_id, ip_index + 1): {
- 'priority': ip_index + 1,
- 'action': 'allow',
- 'terminating': 'true',
- 'src_addr': l_ip_ac,
- 'dst_addr': ','.join(ip_list_all[:])
- },
- 'OP': 'SET'
- }
-
 
 if __name__ == '__main__':
  conf = AclRules()

dpugen/dashgen/dash_vnet_mapping_table.py

@@ -38,10 +38,10 @@ def items(self):
  (acl_index * int(ipa(p.IP_STEP_ACL)))
  remote_mac_a = str(
  maca(
- int(maca(p.MAC_R_START)) +
- eni_index * int(maca(p.ENI_MAC_STEP)) +
- nsg_index * int(maca(p.ACL_NSG_MAC_STEP)) +
- acl_index * int(maca(p.ACL_POLICY_MAC_STEP))
+ int(maca(p.MAC_R_START))
+ + eni_index * int(maca(p.ENI_MAC_STEP))
+ + nsg_index * int(maca(p.ACL_NSG_MAC_STEP))
+ + acl_index * int(maca(p.ACL_POLICY_MAC_STEP))
  )
  ).replace('-', ':')
 

dpugen/dashgen/vpc.py

@@ -23,7 +23,7 @@ def items(self):
  ENI_L2R_STEP = p.ENI_L2R_STEP
  ENI_COUNT = p.ENI_COUNT
 
- for eni_index in range(1, ENI_COUNT+1):
+ for eni_index in range(1, ENI_COUNT + 1):
  IP_L = IP_L_START + (eni_index - 1) * IP_STEP_ENI
  r_vpc = eni_index + ENI_L2R_STEP
  IP_R = IP_R_START + (eni_index - 1) * IP_STEP_ENI

dpugen/dflt_params.py

@@ -9,7 +9,7 @@
  'PAR': '221.2.0.1', # '221.2.0.1'
 
  'ENI_START': 1, # 1
- 'ENI_COUNT': 64, # 64
+ 'ENI_COUNT': 32, # 32
  'ENI_MAC_STEP': '00:00:00:18:00:00', # '00:00:00:18:00:00'
  'ENI_STEP': 1, # 1
  'ENI_L2R_STEP': 1000, # 1000

dpugen/saigen/acl_rule.py

@@ -31,8 +31,8 @@ def items(self):
  # print(" %d" % ip_index)
  remote_ip_a = cp.IP_R_START + eni_index * cp.IP_STEP_ENI + stage_in_index * cp.IP_STEP_NSG + ip_index * cp.IP_STEP_ACL
 
- ip_list_a = [str(remote_ip_a + expanded_index * cp.IP_STEPE) +
- '/32' for expanded_index in range(0, p.IP_PER_ACL_RULE)]
+ ip_list_a = [str(remote_ip_a + expanded_index * cp.IP_STEPE)
+ + '/32' for expanded_index in range(0, p.IP_PER_ACL_RULE)]
 
  # allow
  self.num_yields += 1
@@ -42,13 +42,13 @@ def items(self):
  'type': 'SAI_OBJECT_TYPE_DASH_ACL_RULE',
  'attributes': [
  'SAI_DASH_ACL_RULE_ATTR_DASH_ACL_GROUP_ID', f'$in_acl_group_#eni{eni}nsg{nsg_index}',
- 'SAI_DASH_ACL_RULE_ATTR_PRIORITY', '%d' % ip_index,
- 'SAI_DASH_ACL_RULE_ATTR_ACTION', 'SAI_DASH_ACL_RULE_ACTION_PERMIT',
- 'SAI_DASH_ACL_RULE_ATTR_SIP', ','.join(ip_list_a[:]),
- 'SAI_DASH_ACL_RULE_ATTR_DIP', l_ip_ac,
- # 'SAI_DASH_ACL_RULE_ATTR_PROTOCOL', 'sai_u8_list_t',
- # 'SAI_DASH_ACL_RULE_ATTR_SRC_PORT', 'sai_u16_range_list_t',
- # 'SAI_DASH_ACL_RULE_ATTR_DST_PORT', 'sai_u16_range_list_t',
+ 'SAI_DASH_ACL_RULE_ATTR_PRIORITY','%d' % ip_index,
+ 'SAI_DASH_ACL_RULE_ATTR_ACTION','SAI_DASH_ACL_RULE_ACTION_PERMIT',
+ 'SAI_DASH_ACL_RULE_ATTR_SIP',','.join(ip_list_a[:]),
+ 'SAI_DASH_ACL_RULE_ATTR_DIP',l_ip_ac,
+ # 'SAI_DASH_ACL_RULE_ATTR_PROTOCOL','sai_u8_list_t',
+ # 'SAI_DASH_ACL_RULE_ATTR_SRC_PORT','sai_u16_range_list_t',
+ # 'SAI_DASH_ACL_RULE_ATTR_DST_PORT','sai_u16_range_list_t',
  ]
  }
 
@@ -64,13 +64,13 @@ def items(self):
  'type': 'SAI_OBJECT_TYPE_DASH_ACL_RULE',
  'attributes': [
  'SAI_DASH_ACL_RULE_ATTR_DASH_ACL_GROUP_ID', f'$in_acl_group_#eni{eni}nsg{nsg_index}',
- 'SAI_DASH_ACL_RULE_ATTR_PRIORITY',  f'{ip_index+1}',
- 'SAI_DASH_ACL_RULE_ATTR_ACTION',  'SAI_DASH_ACL_RULE_ACTION_DENY',
- 'SAI_DASH_ACL_RULE_ATTR_SIP',  ','.join(ip_list_d[:]),
- 'SAI_DASH_ACL_RULE_ATTR_DIP',  l_ip_ac,
- # 'SAI_DASH_ACL_RULE_ATTR_PROTOCOL',  'sai_u8_list_t',
- # 'SAI_DASH_ACL_RULE_ATTR_SRC_PORT',  'sai_u16_range_list_t',
- # 'SAI_DASH_ACL_RULE_ATTR_DST_PORT',  'sai_u16_range_list_t',
+ 'SAI_DASH_ACL_RULE_ATTR_PRIORITY', f'{ip_index+1}',
+ 'SAI_DASH_ACL_RULE_ATTR_ACTION', 'SAI_DASH_ACL_RULE_ACTION_DENY',
+ 'SAI_DASH_ACL_RULE_ATTR_SIP', ','.join(ip_list_d[:]),
+ 'SAI_DASH_ACL_RULE_ATTR_DIP', l_ip_ac,
+ # 'SAI_DASH_ACL_RULE_ATTR_PROTOCOL', 'sai_u8_list_t',
+ # 'SAI_DASH_ACL_RULE_ATTR_SRC_PORT', 'sai_u16_range_list_t',
+ # 'SAI_DASH_ACL_RULE_ATTR_DST_PORT', 'sai_u16_range_list_t',
  ]
  }
 
@@ -97,13 +97,13 @@ def items(self):
  'type': 'SAI_OBJECT_TYPE_DASH_ACL_RULE',
  'attributes': [
  'SAI_DASH_ACL_RULE_ATTR_DASH_ACL_GROUP_ID', f'$in_acl_group_#eni{eni}nsg{nsg_index}',
- 'SAI_DASH_ACL_RULE_ATTR_PRIORITY',  f'{ip_index + 2}',
- 'SAI_DASH_ACL_RULE_ATTR_ACTION',  'SAI_DASH_ACL_RULE_ACTION_PERMIT',
- 'SAI_DASH_ACL_RULE_ATTR_SIP',  ','.join(ip_list_all[:]),
- 'SAI_DASH_ACL_RULE_ATTR_DIP',  l_ip_ac,
- # 'SAI_DASH_ACL_RULE_ATTR_PROTOCOL',  'sai_u8_list_t',
- # 'SAI_DASH_ACL_RULE_ATTR_SRC_PORT',  'sai_u16_range_list_t',
- # 'SAI_DASH_ACL_RULE_ATTR_DST_PORT',  'sai_u16_range_list_t',
+ 'SAI_DASH_ACL_RULE_ATTR_PRIORITY', f'{ip_index + 2}',
+ 'SAI_DASH_ACL_RULE_ATTR_ACTION', 'SAI_DASH_ACL_RULE_ACTION_PERMIT',
+ 'SAI_DASH_ACL_RULE_ATTR_SIP', ','.join(ip_list_all[:]),
+ 'SAI_DASH_ACL_RULE_ATTR_DIP', l_ip_ac,
+ # 'SAI_DASH_ACL_RULE_ATTR_PROTOCOL', 'sai_u8_list_t',
+ # 'SAI_DASH_ACL_RULE_ATTR_SRC_PORT', 'sai_u16_range_list_t',
+ # 'SAI_DASH_ACL_RULE_ATTR_DST_PORT', 'sai_u16_range_list_t',
  ]
  }
 
@@ -115,8 +115,8 @@ def items(self):
  remote_ip_a = cp.IP_R_START + eni_index * cp.IP_STEP_ENI + \
  (p.ACL_NSG_COUNT + stage_in_index) * cp.IP_STEP_NSG + ip_index * cp.IP_STEP_ACL
 
- ip_list_a = [str(remote_ip_a + expanded_index * cp.IP_STEPE) +
- '/32' for expanded_index in range(0, p.IP_PER_ACL_RULE)]
+ ip_list_a = [str(remote_ip_a + expanded_index * cp.IP_STEPE)
+ + '/32' for expanded_index in range(0, p.IP_PER_ACL_RULE)]
 
  # allow
  self.num_yields += 1