[GCU] Add data acl table and rule check (sonic-net#3668)

wen587 · web-flow · commit d5cbe4641d1c · 2024-12-11T11:03:45.000+08:00
ADO: 30051071

What I did
Add a json patch check to avoid race condition issue when sonic consume ACL_TABLE and ACL_RULE together

How I did it
Add a special dataacl check for specific change where ACL_TABLE type change with ACL_RULE update

How to verify it
unit test
diff --git a/generic_config_updater/gu_common.py b/generic_config_updater/gu_common.py
@@ -181,6 +181,8 @@ def validate_field_operation(self, old_config, target_config):
                 if any(op['op'] == operation and field == op['path'] for op in patch):
                     raise IllegalPatchOperationError("Given patch operation is invalid. Operation: {} is illegal on field: {}".format(operation, field))
 
+        self.illegal_dataacl_check(old_config, target_config)
+
         def _invoke_validating_function(cmd, jsonpatch_element):
             # cmd is in the format as <package/module name>.<method name>
             method_name = cmd.split(".")[-1]
@@ -212,6 +214,48 @@ def _invoke_validating_function(cmd, jsonpatch_element):
                 if not _invoke_validating_function(function, element):
                     raise IllegalPatchOperationError("Modification of {} table is illegal- validating function {} returned False".format(table, function))
 
+    def illegal_dataacl_check(self, old_config, upd_config):
+        '''
+        Block data ACL changes when patch includes:
+        1. table "type" being replaced
+        2. rule update on tables with table "type" replaced
+        This will cause race condition when swss consume the change of
+        acl table and acl rule and make the changed acl rule inactive
+        '''
+        old_acl_table = old_config.get("ACL_TABLE", {})
+        upd_acl_table = upd_config.get("ACL_TABLE", {})
+
+        # Pick data acl table with "type" field
+        old_dacl_table = [table for table, fields in old_acl_table.items()
+                          if fields.get("type") and fields["type"] != "CTRLPLANE"]
+        upd_dacl_table = [table for table, fields in upd_acl_table.items()
+                          if fields.get("type") and fields["type"] != "CTRLPLANE"]
+
+        # Pick intersect common tables that "type" being replaced
+        common_dacl_table = set(old_dacl_table).intersection(set(upd_dacl_table))
+        # Identify tables from the intersection where the "type" field differs
+        modified_common_dacl_table = [
+            table for table in common_dacl_table
+            if old_acl_table[table]["type"] != upd_acl_table[table]["type"]
+        ]
+
+        old_acl_rule = old_config.get("ACL_RULE", {})
+        upd_acl_rule = upd_config.get("ACL_RULE", {})
+
+        # Pick rules with its dependent table which has "type" replaced
+        old_dacl_rule = [rule for rule in old_acl_rule
+                         if rule.split("|")[0] in modified_common_dacl_table]
+        upd_dacl_rule = [rule for rule in upd_acl_rule
+                         if rule.split("|")[0] in modified_common_dacl_table]
+
+        # Block changes if acl rule change on tables with "type" replaced
+        for key in set(old_dacl_rule).union(set(upd_dacl_rule)):
+            if (old_acl_rule.get(key, {}) != upd_acl_rule.get(key, {})):
+                raise IllegalPatchOperationError(
+                    "Modification of dataacl rule {} is illegal: \
+                        acl table type changed in {}".format(
+                            key, modified_common_dacl_table
+                    ))
 
     def validate_lanes(self, config_db):
         if "PORT" not in config_db:
diff --git a/tests/generic_config_updater/field_operation_validator_test.py b/tests/generic_config_updater/field_operation_validator_test.py
@@ -188,6 +188,92 @@ def test_validate_field_operation_illegal__rm_loopback0(self):
         config_wrapper = gu_common.ConfigWrapper()
         self.assertRaises(gu_common.IllegalPatchOperationError, config_wrapper.validate_field_operation, old_config, target_config)
 
+    def test_validate_field_operation_illegal__dataacl_table_type_update_and_rule_change(self):
+        old_config = {
+            "ACL_TABLE": {
+                "TEST_INGRESS": {
+                    "type": "L2"
+                }
+            },
+            "ACL_RULE": {
+                "TEST_INGRESS|RULE_1": {
+                    "ETHER_TYPE": "2048"
+                }
+            }
+        }
+        target_config = {
+            "ACL_TABLE": {
+                "TEST_INGRESS": {
+                    "type": "L3V6"
+                }
+            },
+            "ACL_RULE": {
+                "TEST_INGRESS|RULE_1": {
+                    "IP_TYPE": "IPV6ANY"
+                }
+            }
+        }
+        config_wrapper = gu_common.ConfigWrapper()
+        self.assertRaises(gu_common.IllegalPatchOperationError,
+                          config_wrapper.validate_field_operation, old_config, target_config)
+
+    def test_validate_field_operation_legal__only_dataacl_table_type_update(self):
+        old_config = {
+            "ACL_TABLE": {
+                "TEST_INGRESS": {
+                    "type": "L3"
+                }
+            },
+            "ACL_RULE": {
+                "TEST_INGRESS|RULE_1": {
+                    "IP_TYPE": "IPV6ANY"
+                }
+            }
+        }
+        target_config = {
+            "ACL_TABLE": {
+                "TEST_INGRESS": {
+                    "type": "L3V6"
+                }
+            },
+            "ACL_RULE": {
+                "TEST_INGRESS|RULE_1": {
+                    "IP_TYPE": "IPV6ANY"
+                }
+            }
+        }
+        config_wrapper = gu_common.ConfigWrapper()
+        config_wrapper.validate_field_operation(old_config, target_config)
+
+    def test_validate_field_operation_legal__only_dataacl_rule_update(self):
+        old_config = {
+            "ACL_TABLE": {
+                "TEST_INGRESS": {
+                    "type": "L3"
+                }
+            },
+            "ACL_RULE": {
+                "TEST_INGRESS|RULE_1": {
+                    "IP_TYPE": "IPV6ANY"
+                }
+            }
+        }
+        target_config = {
+            "ACL_TABLE": {
+                "TEST_INGRESS": {
+                    "type": "L3"
+                }
+            },
+            "ACL_RULE": {
+                "TEST_INGRESS|RULE_1": {
+                    "IP_TYPE": "IPV4ANY"
+                }
+            }
+        }
+        config_wrapper = gu_common.ConfigWrapper()
+        config_wrapper.validate_field_operation(old_config, target_config)
+
+
 class TestGetAsicName(unittest.TestCase):
 
     @patch('sonic_py_common.device_info.get_sonic_version_info')
