
Sys-2.1 configured acl and create deviation for /description leaf #5226

Open
fmolinar wants to merge 1 commit into openconfig:main from b4firex:sys-2.1

Conversation

@fmolinar
Contributor

Major test updates:

New imports: bytes, fmt, net, gopacket, gopacket/layers, gopacket/pcapgo, and deviations.

configureDUTLoopback: Now checks if loopback 0 already has the expected IPs (both v4 and v6) before deciding to configure an alternate loopback index. Previously it always used loopback 0 unconditionally.

configureDUT: Adds static routes for mgmtSrcIPv4/32 and mgmtSrcIPv6/128 pointing to atePort1 IPs, ensuring the DUT can send responses back to the ATE.

configureACLs: All Description fields on ACL sets and terms are now guarded by !deviations.ACLDescriptionUnsupported(dut).

createFlow: Sets TCP SYN flag on TCP flows; uses the actual port ID (not atePort1.Name) for Tx/Rx.

New verifyDUTResponsesInCapture: Parses a PCAP capture from the ATE and asserts that ICMP echo replies and TCP SYN-ACK responses are received from the DUT's loopback address — confirming permitted traffic is actually processed.

TestControlPlaneACL / SYS-2.1.1: Adds OTG port/device config and packet capture (start/stop) within the test run; calls verifyDUTResponsesInCapture instead of the former TODO comment. SSH flow source port changed from 12345 → 12346.

SYS-2.1.2: Adds otgConfig.Ports().Add() that was previously missing.
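The capture check the description above introduces (verifyDUTResponsesInCapture) is the part of this change worth getting exactly right: a SYN that the ATE itself transmitted, or a RST the DUT sends for a closed port, must not be counted as proof that the permit term worked. The block below is an added example, not code from this pull request or from the featureprofiles repository. It reads a classic libpcap byte stream with only the Go standard library (the PR uses gopacket and pcapgo), counts only frames sourced from the DUT loopback towards the management source, and requires SYN+ACK with RST clear. The address constants reuse the names and values that appear later in this thread (dutLoopbackIPv4, mgmtSrcIPv4, dutLoopbackIPv6, mgmtSrcIPv6) and are assumed to match the test's own; ScanPCAP, classify, BuildPCAP, SampleCapture and the frame builders belong to this example, and the capture they produce is constructed, not recorded from a device.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
)

// Addresses as named in the test under review (assumed to match its constants).
const dutLoopbackIPv4, mgmtSrcIPv4, dutLoopbackIPv6, mgmtSrcIPv6 = "198.51.100.1", "192.0.2.100", "2001:db8::1", "2001:db8::100"

// Responses records which DUT replies were seen in a capture.
type Responses struct{ ICMPv4Reply, TCPSynAckV4, ICMPv6Reply, TCPSynAckV6 bool }

// ScanPCAP walks a classic libpcap stream (24-byte global header, 16-byte header per record) and classifies each frame.
func ScanPCAP(pcap []byte) (Responses, error) {
	r, le := Responses{}, binary.LittleEndian // byte order pcapgo writes; other orders are rejected
	if len(pcap) < 24 || le.Uint32(pcap) != 0xa1b2c3d4 || le.Uint32(pcap[20:]) != 1 {
		return r, fmt.Errorf("want a little-endian pcap with Ethernet link type")
	}
	for off := 24; off+16 <= len(pcap); {
		n := int(le.Uint32(pcap[off+8:])) + 16 // incl_len (bytes stored) plus the record header
		if off+n > len(pcap) {
			return r, fmt.Errorf("truncated record at offset %d", off)
		}
		classify(pcap[off+16:off+n], &r)
		off += n
	}
	return r, nil
}

// classify counts only traffic from the DUT loopback to the management source; the ATE's own probes are ignored.
func classify(f []byte, r *Responses) {
	if len(f) < 34 { // shorter than Ethernet plus a minimal IPv4 header
		return
	}
	p := f[14:]
	switch binary.BigEndian.Uint16(f[12:]) {
	case 0x0800: // IPv4: protocol at byte 9, L4 after IHL*4 bytes (options included)
		ihl := int(p[0]&0x0f) * 4
		if ihl >= 20 && len(p) > ihl && is(p[12:16], dutLoopbackIPv4) && is(p[16:20], mgmtSrcIPv4) {
			r.ICMPv4Reply = r.ICMPv4Reply || (p[9] == 1 && p[ihl] == 0) // ICMP type 0 = echo reply
			r.TCPSynAckV4 = r.TCPSynAckV4 || (p[9] == 6 && isSynAck(p[ihl:]))
		}
	case 0x86dd: // IPv6: next header at byte 6; extension headers are not walked
		if len(p) > 40 && is(p[8:24], dutLoopbackIPv6) && is(p[24:40], mgmtSrcIPv6) {
			r.ICMPv6Reply = r.ICMPv6Reply || (p[6] == 58 && p[40] == 129) // ICMPv6 type 129 = echo reply
			r.TCPSynAckV6 = r.TCPSynAckV6 || (p[6] == 6 && isSynAck(p[40:]))
		}
	}
}

func is(ip []byte, want string) bool { return net.IP(ip).Equal(net.ParseIP(want)) }

// isSynAck needs SYN and ACK set with RST clear, so a reflected SYN or a RST from a closed port does not count.
func isSynAck(seg []byte) bool { return len(seg) >= 14 && seg[13]&0x16 == 0x12 }

// ipFrame builds a constructed Ethernet+IP frame (zero MACs and checksums) for either address family.
func ipFrame(proto byte, src, dst string, l4 []byte) []byte {
	s, d, f := net.ParseIP(src), net.ParseIP(dst), make([]byte, 14)
	if s4 := s.To4(); s4 != nil {
		h := append([]byte{0x45, 0, 0, byte(20 + len(l4)), 0, 0, 0, 0, 64, proto, 0, 0}, s4...)
		binary.BigEndian.PutUint16(f[12:], 0x0800)
		return append(append(append(f, h...), d.To4()...), l4...)
	}
	h := append([]byte{0x60, 0, 0, 0, 0, byte(len(l4)), proto, 64}, s.To16()...)
	binary.BigEndian.PutUint16(f[12:], 0x86dd)
	return append(append(append(f, h...), d.To16()...), l4...)
}

// tcp returns a minimal 20-byte TCP header carrying only the given flags.
func tcp(flags byte) []byte { s := make([]byte, 20); s[12], s[13] = 0x50, flags; return s }

// BuildPCAP wraps frames in a little-endian libpcap file with Ethernet link type.
func BuildPCAP(frames ...[]byte) []byte {
	out := make([]byte, 24)
	binary.LittleEndian.PutUint32(out, 0xa1b2c3d4)
	out[4], out[6], out[16], out[17], out[20] = 2, 4, 0xff, 0xff, 1 // v2.4, snaplen 65535, LINKTYPE_ETHERNET
	for _, f := range frames {
		rec := make([]byte, 16) // ts_sec, ts_usec (left zero), incl_len, orig_len
		binary.LittleEndian.PutUint32(rec[8:], uint32(len(f)))
		binary.LittleEndian.PutUint32(rec[12:], uint32(len(f)))
		out = append(append(out, rec...), f...)
	}
	return out
}

// SampleCapture is constructed, not recorded: the ATE's own SYN (must not count), real IPv4 replies, an IPv6 echo reply, and an IPv6 RST where a SYN-ACK was expected.
func SampleCapture() []byte {
	return BuildPCAP(
		ipFrame(6, mgmtSrcIPv4, dutLoopbackIPv4, tcp(0x02)),
		ipFrame(1, dutLoopbackIPv4, mgmtSrcIPv4, make([]byte, 8)), // echo reply, type 0
		ipFrame(6, dutLoopbackIPv4, mgmtSrcIPv4, tcp(0x12)),
		ipFrame(58, dutLoopbackIPv6, mgmtSrcIPv6, append([]byte{129}, make([]byte, 7)...)),
		ipFrame(6, dutLoopbackIPv6, mgmtSrcIPv6, tcp(0x14)), // RST-ACK: reached the stack, no listener
	)
}

func main() {
	r, err := ScanPCAP(SampleCapture())
	fmt.Printf("%+v err=%v\n", r, err)
}
```

On a real run the bytes would come from the OTG capture API rather than SampleCapture. Two caveats carried over from the design: IPv6 extension headers are not walked, so a DUT that inserts one before TCP or ICMPv6 would be reported as missing, and checksums are never validated, which is why the constructed frames leave them zero. The IPv6 RST in the sample is deliberate: it shows the packet reached the host stack, but it is not the SYN-ACK the test demands, so TCPSynAckV6 stays false.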

fmolinar requested review from a team as code owners, March 13, 2026 06:38
@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly upgrades the control plane ACL testing framework by integrating robust packet capture verification, enhancing DUT configuration logic for loopback interfaces and static routes, and introducing a deviation mechanism for ACL description support. These changes aim to improve the accuracy and reliability of control plane ACL tests across various network device platforms.

Highlights

  • Enhanced Packet Capture Verification: Introduced a new verifyDUTResponsesInCapture function that parses PCAP captures from the ATE to assert the reception of ICMP echo replies and TCP SYN-ACK responses from the DUT's loopback address, confirming permitted traffic processing.
  • ACL Description Deviation Handling: Implemented conditional configuration for ACL set and term descriptions, guarding them with !deviations.ACLDescriptionUnsupported(dut) to accommodate platforms that do not support ACL descriptions.
  • Improved DUT Loopback Configuration: Modified configureDUTLoopback to first check if loopback 0 already has the expected IPv4 and IPv6 addresses. If so, it configures loopback 1 instead, making the loopback assignment more robust.
  • Static Route Configuration for Return Path: Added static routes in configureDUT for mgmtSrcIPv4 and mgmtSrcIPv6 pointing to atePort1 IPs, ensuring the DUT has a proper return path for test traffic.
  • Refined Traffic Flow Creation: Updated createFlow to explicitly set the TCP SYN flag on TCP flows and to use the actual port ID (p0.ID()) for Tx/Rx configuration instead of a generic port name.
Changelog
  • feature/system/control_plane_traffic/otg_tests/ingress_acl/control_plane_traffic_ingress_acl_test.go
    • Added new imports for network operations and packet analysis libraries.
    • Removed the ipProtoAny constant.
    • Updated configureDUTLoopback to dynamically select a loopback interface if loopback 0 is already in use with expected IPs.
    • Introduced static route configuration in configureDUT for management source IPs.
    • Modified configureACLs to conditionally apply ACL descriptions based on platform deviation.
    • Updated createFlow to set the TCP SYN flag and use dynamic port IDs for traffic generation.
    • Added the verifyDUTResponsesInCapture function to analyze ATE packet captures for DUT responses.
    • Refactored TestControlPlaneACL (SYS-2.1.1) to include OTG port/device configuration, start/stop packet capture, and utilize the new response verification.
    • Adjusted the SSH flow source port in TestControlPlaneACL (SYS-2.1.1) from 12345 to 12346.
    • Added missing otgConfig.Ports().Add() call in TestControlPlaneACL (SYS-2.1.2).
  • feature/system/control_plane_traffic/otg_tests/ingress_acl/metadata.textproto
    • Added a platform exception for Cisco devices indicating acl_description_unsupported.
  • internal/deviations/deviations.go
    • Introduced the ACLDescriptionUnsupported function to check for platform deviation regarding ACL descriptions.
  • proto/metadata.proto
    • Added a new boolean field acl_description_unsupported to the Metadata.Deviations message.
  • proto/metadata_go_proto/metadata.pb.go
    • Updated the protoc version.
    • Generated new Go code to include the AclDescriptionUnsupported field and its getter in the Metadata_Deviations struct.
Activity
  • No specific activity (comments, reviews, progress) has been recorded for this pull request yet.

@OpenConfigBot

Pull Request Functional Test Report for #5226 / 30be7e1

Virtual Devices

Device | Test | Test Documentation
Arista cEOS | status | SYS-2.1: Ingress control-plane ACL.
Cisco 8000E | status | SYS-2.1: Ingress control-plane ACL.
Cisco XRd | status | SYS-2.1: Ingress control-plane ACL.
Juniper ncPTX | status | SYS-2.1: Ingress control-plane ACL.
Nokia SR Linux | status | SYS-2.1: Ingress control-plane ACL.
Openconfig Lemming | status | SYS-2.1: Ingress control-plane ACL.

Hardware Devices

Device | Test | Test Documentation
Arista 7808 | status | SYS-2.1: Ingress control-plane ACL.
Cisco 8808 | status | SYS-2.1: Ingress control-plane ACL.
Juniper PTX10008 | status | SYS-2.1: Ingress control-plane ACL.
Nokia 7250 IXR-10e | status | SYS-2.1: Ingress control-plane ACL.



@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a deviation for ACL descriptions, adds static routes for return traffic, and significantly improves test verification by capturing and analyzing DUT responses. The changes are generally good, but there are several opportunities for improvement regarding test structure, code duplication, and adherence to contribution guidelines. I've identified some areas in the test logic and code style that could be refactored for better correctness, maintainability, and robustness.

Comment on lines +507 to +519
// set ports and device configuration
atePorts := sortPorts(ate.Ports())
p0 := atePorts[0]
otgConfig.Ports().Add().SetName(p0.ID())
srcDev := otgConfig.Devices().Add().SetName(atePort1.Name)
t.Logf("The name of the source device is %s", srcDev.Name())
srcEth := srcDev.Ethernets().Add().SetName(atePort1.Name + ".Eth").SetMac(atePort1.MAC)
srcEth.Connection().SetPortName(p0.ID())
srcEth.Ipv4Addresses().Add().SetName(atePort1.Name + ".IPv4").SetAddress(atePort1.IPv4).SetGateway(dutPort1.IPv4).SetPrefix(uint32(atePort1.IPv4Len))
srcEth.Ipv6Addresses().Add().SetName(atePort1.Name + ".IPv6").SetAddress(atePort1.IPv6).SetGateway(dutPort1.IPv6).SetPrefix(uint32(atePort1.IPv6Len))
otgConfig.Captures().Add().SetName("permitResponseCapture").SetPortNames([]string{p0.ID()}).SetFormat(gosnappi.CaptureFormat.PCAP)

ate.OTG().PushConfig(t, otgConfig)
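Review bot: the capture named permitResponseCapture is attached to p0 with no filter, and p0 is also the port the flows are transmitted from, so the PCAP can carry the ATE's own echo requests and SYNs alongside whatever the DUT sends back; the verifier therefore has to key on the DUT loopback as source address and on reply types (ICMP echo reply, TCP with SYN and ACK set), not on protocol alone, or a reflected probe satisfies the check. Separately, the t.Logf of srcDev.Name() only repeats atePort1.Name, which the preceding line just assigned; drop it or log something the reader cannot read off the code.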

high

The ATE configuration logic is confusing. configureATE is called at the start of TestControlPlaneACL (line 480), which pushes an initial configuration to the ATE. However, this subtest then creates a new, empty otgConfig, re-builds the entire ATE topology (duplicating code from configureATE), and pushes it again, completely overwriting the previous configuration. This makes the initial configureATE call redundant and the test structure hard to follow. Consider refactoring the ATE configuration to be done once, or in a more modular way within each subtest, to avoid this overwrite and code duplication.

Comment on lines 578 to +579
otgConfig := gosnappi.NewConfig()
otgConfig.Ports().Add().SetName(p0.ID())

high

The OTG configuration in the SYS-2.1.2 subtest is incomplete. It only adds a port but does not configure the OTG device, ethernet interface, or IP addresses. This makes the test fragile as it implicitly depends on the configuration from the preceding SYS-2.1.1 subtest. Each subtest should be self-contained and set up its required ATE configuration explicitly to ensure it can run independently and reliably. The ATE setup logic from the SYS-2.1.1 subtest should be replicated here.

Comment on lines +122 to +127
lb0 := netutil.LoopbackInterface(t, dut, 0)
_, lb0Present := gnmi.Lookup(t, dut, gnmi.OC().Interface(lb0).Name().State()).Val()
lb := lb0
if lb0Present {
lb = netutil.LoopbackInterface(t, dut, 1)
}
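Review bot: this selection checks only that an interface named lb0 exists in state (Name().State()), not that it already carries dutLoopbackIPv4 and dutLoopbackIPv6 as the PR description says ("checks if loopback 0 already has the expected IPs"). A pre-existing Loopback0 with unrelated addresses sends the test to Loopback1, and an existing Loopback1 is then reconfigured without the equivalent check. Either look up the configured addresses on lb0 and reuse it when they match, or reword the description to say the test avoids any pre-existing Loopback0.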

medium

The logic to select a loopback interface is inefficient. It checks for the presence of Loopback0 and, if present, unconditionally switches to using Loopback1. If Loopback0 is already present and correctly configured with the required IP addresses, the test will unnecessarily proceed to check and configure Loopback1. The logic should first verify if Loopback0 is correctly configured and only use an alternative interface if it is not.

Comment on lines +457 to +468
if !foundICMPv4Reply {
t.Errorf("Did not find IPv4 ICMP echo reply from DUT in ATE capture")
}
if !foundTCPSynAckV4 {
t.Errorf("Did not find IPv4 TCP SYN-ACK from 198.51.100.1 to 192.0.2.100 in ATE capture")
}
if !foundICMPv6Reply {
t.Errorf("Did not find IPv6 ICMP echo reply from DUT in ATE capture")
}
if !foundTCPSynAckV6 {
t.Errorf("Did not find IPv6 TCP SYN-ACK from 2001:db8::1 to 2001:db8::100 in ATE capture")
}
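Review bot: keeping the four t.Errorf calls independent is right for reporting, but a capture that contains no frames at all (capture not started, wrong port name, format the parser does not understand) produces exactly the same four messages as an ACL that genuinely dropped the traffic. Count the frames the parser saw and t.Fatalf when that count is zero, so an instrumentation fault is not read as a DUT failure.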

medium

The error messages in verifyDUTResponsesInCapture contain hardcoded IP addresses. For better maintainability and readability, these should be replaced with the constants defined for these addresses (e.g., dutLoopbackIPv4, mgmtSrcIPv4).

Suggested change
if !foundICMPv4Reply {
t.Errorf("Did not find IPv4 ICMP echo reply from DUT in ATE capture")
}
if !foundTCPSynAckV4 {
t.Errorf("Did not find IPv4 TCP SYN-ACK from 198.51.100.1 to 192.0.2.100 in ATE capture")
}
if !foundICMPv6Reply {
t.Errorf("Did not find IPv6 ICMP echo reply from DUT in ATE capture")
}
if !foundTCPSynAckV6 {
t.Errorf("Did not find IPv6 TCP SYN-ACK from 2001:db8::1 to 2001:db8::100 in ATE capture")
}
if !foundICMPv4Reply {
t.Errorf("Did not find IPv4 ICMP echo reply from DUT in ATE capture")
}
if !foundTCPSynAckV4 {
t.Errorf("Did not find IPv4 TCP SYN-ACK from %s to %s in ATE capture", dutLoopbackIPv4, mgmtSrcIPv4)
}
if !foundICMPv6Reply {
t.Errorf("Did not find IPv6 ICMP echo reply from DUT in ATE capture")
}
if !foundTCPSynAckV6 {
t.Errorf("Did not find IPv6 TCP SYN-ACK from %s to %s in ATE capture", dutLoopbackIPv6, mgmtSrcIPv6)
}

Comment on lines +1998 to +2000
// ACLDescriptionUnsupported returns true if ACL description is unsupported
//
// /acl/acl-sets/acl-set/state/descriptionmake proto/metadata_go_proto/metadata.pb.go
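Review bot: the trailing "make proto/metadata_go_proto/metadata.pb.go" on the path line reads like a shell command pasted into the comment rather than a typo for "description make"; the line should be just the OpenConfig path. The path listed is also the state leaf /acl/acl-sets/acl-set/state/description, while the PR description says the deviation guards the configured description on both ACL sets and terms, so list the config paths the deviation actually skips, and add the issue-tracker URL the deviation guidelines require.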

medium

The comment for the ACLDescriptionUnsupported deviation function has a typo and is missing required information.

  1. There is a typo: descriptionmake should be description make.
  2. According to the repository's deviation guidelines (rule 3.5), the comment must include a URL to an issue tracker. The URL https://partnerissuetracker.corp.google.com/issues/492342925 from proto/metadata.proto should be added here.
// ACLDescriptionUnsupported returns true if ACL description is unsupported.
//
// See: https://partnerissuetracker.corp.google.com/issues/492342925
//
//	/acl/acl-sets/acl-set/state/description
References
  1. A comment should be added to accessor functions for deviations, containing a URL link to an issue tracker which tracks removal of the deviation. (link)
