ST: Assign SC RI in reverse path when directional policy is configured

When a network policy is configured with birectional flow, ACLs should have assign rule with SC RI in both of the directions. For example: if policy P1 is configured with src: vn1, dst: vn2, direction <> and applied to vn1 then ACL are generated as follows: vn1->vn2, action: assign-vrf=>vn1-sc-ri and vn2->vn1, action: assign-vrf=>vn1-sc-ri Also fixed a case of peering MX with BgpAsAService BGP Server/Client Change-Id: Iab988483416b1c13fab489472f4db9e29861a64f Closes-Bug: #1543038 Closes-Bug: #1538318
Juniper · Feb 24, 2016 · 78745ca · 78745ca
1 parent 9c4c00e
commit 78745ca
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 12 deletions.
diff --git a/src/config/schema-transformer/config_db.py b/src/config/schema-transformer/config_db.py
@@ -1112,19 +1112,23 @@ def policy_to_acl_rule(self, prule, dynamic):
 
                 for sp, dp, sa, da in itertools.product(sp_list, dp_list,
                                                         sa_list, da_list):
+                    service_ri = None
+                    if self.me(sa.virtual_network):
+                        service_ri = service_ris.get(da.virtual_network, [None])[0]
+                    elif self.me(da.virtual_network):
+                        service_ri = service_ris.get(sa.virtual_network, [None, None])[1]
                     acl = self.add_acl_rule(
-                        sa, sp, da, dp, arule_proto, rule_uuid,
-                        prule.action_list, prule.direction,
-                        service_ris.get(da.virtual_network, [None])[0])
+                            sa, sp, da, dp, arule_proto, rule_uuid,
+                            prule.action_list, prule.direction,
+                            service_ri)
                     result_acl_rule_list.append(acl)
-                    if ((prule.direction == "<>") and
-                        (sa != da or sp != dp)):
+                    if ((prule.direction == "<>") and (sa != da or sp != dp)):
                         acl = self.add_acl_rule(
-                            da, dp, sa, sp, arule_proto, rule_uuid,
-                            prule.action_list, prule.direction,
-                            service_ris.get(sa.virtual_network, [None, None])[1])
-
+                                da, dp, sa, sp, arule_proto, rule_uuid,
+                                prule.action_list, prule.direction,
+                                service_ri)
                         result_acl_rule_list.append(acl)
+
                 # end for sp, dp
             # end for daddr
         # end for saddr
@@ -2949,9 +2953,8 @@ def update_peering(self):
         for router in self._dict.values():
             if router.name == self.name:
                 continue
-            if not self.router_type:
-                if router.router_type in ('bgpaas-server', 'bgpaas-client'):
-                    continue
+            if router.router_type in ('bgpaas-server', 'bgpaas-client'):
+                continue
             if router.asn != global_asn:
                 continue
             router_fq_name = router.name.split(':')

diff --git a/src/config/schema-transformer/test/test_service.py b/src/config/schema-transformer/test/test_service.py
@@ -357,6 +357,17 @@ def check_acl_match_nets(self, fq_name, vn1_fq_name, vn2_fq_name):
         raise Exception('nets %s/%s not found in ACL rules for %s' %
                         (vn1_fq_name, vn2_fq_name, fq_name))
 
+    @retries(5)
+    def check_acl_action_assign_rules(self, fq_name, vn1_fq_name, vn2_fq_name, sc_ri_fq_name):
+        acl = self._vnc_lib.access_control_list_read(fq_name)
+        for rule in acl.access_control_list_entries.acl_rule:
+            if (rule.match_condition.src_address.virtual_network == vn1_fq_name and
+                rule.match_condition.dst_address.virtual_network == vn2_fq_name):
+                    if rule.action_list.assign_routing_instance == sc_ri_fq_name:
+                        return
+        raise Exception('vrf assign for  nets %s/%s not matched in ACL rules for %s; sc: %s' %
+                        (vn1_fq_name, vn2_fq_name, fq_name, sc_ri_fq_name))
+
     @retries(5)
     def check_acl_match_sg(self, fq_name, acl_name, sg_id, is_all_rules = False):
         sg_obj = self._vnc_lib.security_group_read(fq_name)
@@ -668,6 +679,15 @@ def service_policy_test_with_version(self, version=None):
         self.check_ri_ref_present(self.get_ri_name(vn2_obj, sc_ri_name),
                                   self.get_ri_name(vn2_obj))
 
+        self.check_acl_action_assign_rules(vn1_obj.get_fq_name(), vn1_obj.get_fq_name_str(),
+                                  vn2_obj.get_fq_name_str(), ':'.join(self.get_ri_name(vn1_obj, sc_ri_name)))
+        self.check_acl_action_assign_rules(vn1_obj.get_fq_name(), vn2_obj.get_fq_name_str(),
+                                  vn1_obj.get_fq_name_str(), ':'.join(self.get_ri_name(vn1_obj, sc_ri_name)))
+        self.check_acl_action_assign_rules(vn2_obj.get_fq_name(), vn2_obj.get_fq_name_str(),
+                                  vn1_obj.get_fq_name_str(), ':'.join(self.get_ri_name(vn2_obj, sc_ri_name)))
+        self.check_acl_action_assign_rules(vn2_obj.get_fq_name(), vn1_obj.get_fq_name_str(),
+                                  vn2_obj.get_fq_name_str(), ':'.join(self.get_ri_name(vn2_obj, sc_ri_name)))
+
         si_name = 'default-domain:default-project:' + service_name
         sci = ServiceChainInfo(prefix = ['10.0.0.0/24'],
                                routing_instance = ':'.join(self.get_ri_name(vn1_obj)),