diff --git a/src/config/schema-transformer/config_db.py b/src/config/schema-transformer/config_db.py
index 011bb8de197..86c9a7052d9 100644
--- a/src/config/schema-transformer/config_db.py
+++ b/src/config/schema-transformer/config_db.py
@@ -1114,19 +1114,23 @@ def policy_to_acl_rule(self, prule, dynamic):
 for sp, dp, sa, da in itertools.product(sp_list, dp_list, sa_list, da_list):
+ service_ri = None
+ if self.me(sa.virtual_network):
+ service_ri = service_ris.get(da.virtual_network, [None])[0]
+ elif self.me(da.virtual_network):
+ service_ri = service_ris.get(sa.virtual_network, [None, None])[1]
 acl = self.add_acl_rule(
- sa, sp, da, dp, arule_proto, rule_uuid,
- prule.action_list, prule.direction,
- service_ris.get(da.virtual_network, [None])[0])
+ sa, sp, da, dp, arule_proto, rule_uuid,
+ prule.action_list, prule.direction,
+ service_ri)
 result_acl_rule_list.append(acl)
- if ((prule.direction == "<>") and
- (sa != da or sp != dp)):
+ if ((prule.direction == "<>") and (sa != da or sp != dp)):
 acl = self.add_acl_rule(
- da, dp, sa, sp, arule_proto, rule_uuid,
- prule.action_list, prule.direction,
- service_ris.get(sa.virtual_network, [None, None])[1])
-
+ da, dp, sa, sp, arule_proto, rule_uuid,
+ prule.action_list, prule.direction,
+ service_ri)
 result_acl_rule_list.append(acl)
+ # end for sp, dp
 # end for daddr
 # end for saddr
@@ -2951,9 +2955,8 @@ def update_peering(self):
 for router in self._dict.values():
 if router.name == self.name:
 continue
- if not self.router_type:
- if router.router_type in ('bgpaas-server', 'bgpaas-client'):
- continue
+ if router.router_type in ('bgpaas-server', 'bgpaas-client'):
+ continue
 if router.asn != global_asn:
 continue
 router_fq_name = router.name.split(':')
diff --git a/src/config/schema-transformer/test/test_service.py b/src/config/schema-transformer/test/test_service.py
index fe12914802b..01f81d774a5 100644
--- a/src/config/schema-transformer/test/test_service.py
+++ b/src/config/schema-transformer/test/test_service.py
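Review bot: When `sa.virtual_network` and `da.virtual_network` are both this VN (an intra-VN policy, `sa == da`), the new `if`/`elif` always takes the first branch, so the reverse rule emitted under `prule.direction == "<>"` now gets the left-side entry `[0]` where the removed code passed the right-side entry `[1]`; since `assign_routing_instance` decides which routing instance matching traffic is steered into, a wrong side means return traffic is steered into the wrong VRF, so if this is intended it deserves a comment, e.g. `# both sides are this VN: steer both directions into the left RI`. The two `service_ris.get` calls also use different defaults, `[None]` and `[None, None]`, and both raise IndexError if an empty list is ever stored; a single `[None, None]` default would make the lookup uniform. The tests added in test_service.py only cover vn1/vn2 pairs, so the intra-VN case stays unverified. policy_to_acl_rule starts before this hunk.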
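Review bot: Removing the `if not self.router_type:` guard means a router that is itself a bgpaas-server or bgpaas-client now also skips every other bgpaas router in this loop, where before only routers with no router_type did; that changes which BGP peerings get created, and nothing in the hunk says why. If the new behaviour is intended, the bare `continue` should carry a comment, e.g. `# bgpaas-server/bgpaas-client routers are never peered from this loop`. The commit description is not visible here and update_peering starts and ends outside the hunk, so the intent is inferred.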
@@ -357,6 +357,17 @@ def check_acl_match_nets(self, fq_name, vn1_fq_name, vn2_fq_name):
 raise Exception('nets %s/%s not found in ACL rules for %s' %
 (vn1_fq_name, vn2_fq_name, fq_name))
+ @retries(5)
+ def check_acl_action_assign_rules(self, fq_name, vn1_fq_name, vn2_fq_name, sc_ri_fq_name):
+ acl = self._vnc_lib.access_control_list_read(fq_name)
+ for rule in acl.access_control_list_entries.acl_rule:
+ if (rule.match_condition.src_address.virtual_network == vn1_fq_name and
+ rule.match_condition.dst_address.virtual_network == vn2_fq_name):
+ if rule.action_list.assign_routing_instance == sc_ri_fq_name:
+ return
+ raise Exception('vrf assign for nets %s/%s not matched in ACL rules for %s; sc: %s' %
+ (vn1_fq_name, vn2_fq_name, fq_name, sc_ri_fq_name))
+
 @retries(5)
 def check_acl_match_sg(self, fq_name, acl_name, sg_id, is_all_rules = False):
 sg_obj = self._vnc_lib.security_group_read(fq_name)
@@ -668,6 +679,15 @@ def service_policy_test_with_version(self, version=None):
 self.check_ri_ref_present(self.get_ri_name(vn2_obj, sc_ri_name),
 self.get_ri_name(vn2_obj))
+ self.check_acl_action_assign_rules(vn1_obj.get_fq_name(), vn1_obj.get_fq_name_str(),
+ vn2_obj.get_fq_name_str(), ':'.join(self.get_ri_name(vn1_obj, sc_ri_name)))
+ self.check_acl_action_assign_rules(vn1_obj.get_fq_name(), vn2_obj.get_fq_name_str(),
+ vn1_obj.get_fq_name_str(), ':'.join(self.get_ri_name(vn1_obj, sc_ri_name)))
+ self.check_acl_action_assign_rules(vn2_obj.get_fq_name(), vn2_obj.get_fq_name_str(),
+ vn1_obj.get_fq_name_str(), ':'.join(self.get_ri_name(vn2_obj, sc_ri_name)))
+ self.check_acl_action_assign_rules(vn2_obj.get_fq_name(), vn1_obj.get_fq_name_str(),
+ vn2_obj.get_fq_name_str(), ':'.join(self.get_ri_name(vn2_obj, sc_ri_name)))
+
 si_name = 'default-domain:default-project:' + service_name
 sci = ServiceChainInfo(prefix = ['10.0.0.0/24'],
 routing_instance = ':'.join(self.get_ri_name(vn1_obj)),
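Review bot: The new helper `check_acl_action_assign_rules` has no docstring and its nested `if`s can be a single condition; a one-line docstring such as `"""Raise unless the ACL at fq_name steers vn1->vn2 traffic into routing instance sc_ri_fq_name (retried)."""` and `if (rule.match_condition.src_address.virtual_network == vn1_fq_name and rule.match_condition.dst_address.virtual_network == vn2_fq_name and rule.action_list.assign_routing_instance == sc_ri_fq_name): return` would say what it asserts. The failure message also hides what was actually assigned: collecting `rule.action_list.assign_routing_instance` for every rule whose nets matched and appending that list to the Exception text would make a failed run diagnosable without re-reading the ACL by hand. Whether `src_address`/`dst_address` can be None for some rules is not visible here; if they can, the attribute access would raise AttributeError rather than a clear mismatch.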
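Review bot: The four `check_acl_action_assign_rules` calls are the same statement with the VN objects permuted, and the expected routing instance is always derived from the VN that owns the ACL, so a loop over (acl_vn, src_vn, dst_vn) would make that invariant visible and harder to get wrong when a fifth case is added. The cases cover only vn1/vn2 pairs; none exercises the same VN on both sides, which is the branch policy_to_acl_rule's new `if`/`elif` treats differently from before. service_policy_test_with_version starts and ends outside the hunk.
```python
        # … unchanged: check_ri_ref_present calls …
        for acl_vn, src_vn, dst_vn in ((vn1_obj, vn1_obj, vn2_obj),
                                       (vn1_obj, vn2_obj, vn1_obj),
                                       (vn2_obj, vn2_obj, vn1_obj),
                                       (vn2_obj, vn1_obj, vn2_obj)):
            self.check_acl_action_assign_rules(
                acl_vn.get_fq_name(), src_vn.get_fq_name_str(),
                dst_vn.get_fq_name_str(),
                ':'.join(self.get_ri_name(acl_vn, sc_ri_name)))
        # … unchanged: si_name / ServiceChainInfo setup …
```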