20.11.rc3 rebase version 20.11

adc_deploy.yml

@@ -1,21 +1,9 @@
-- hosts:
-    - adc_mcn0
-    - adc_mcn1
-    - adc_mcn2
-    - adc_mcn3
-    - packet_dump_server
+- hosts: adc_mxn
   remote_user: root
-  vars_files:
-    - install_config/group_vars/adc_global.yml
   roles:
-    - framework
-
-- hosts: packet_dump_server
-  remote_user: root
-  vars_files:
-    - install_config/group_vars/adc_global.yml
-  roles:
-    - packet_dump
+    - {role: adc_exporter, tags: adc_exporter}
+    - {role: adc_exporter_proxy, tags: adc_exporter_proxy}
+#    - {role: switch_rule, tags: switch_rule}
 
 - hosts: adc_mcn0
   remote_user: root
@@ -23,21 +11,24 @@
     - install_config/group_vars/adc_global.yml
     - install_config/group_vars/adc_mcn0.yml
   roles:
-    - telegraf_collect
-    - kernel-ml
-    - mrzcpd
-    - sapp
-    - tsg_master
-    - kni
-    - firewall
+    - {role: framework, tags: framework}
+    - {role: kernel-ml, tags: kernel-ml}
+    - {role: mrzcpd, tags: mrzcpd}
+    - {role: sapp, tags: sapp}
+    - {role: tsg_master, tags: tsg_master}
+    - {role: kni, tags: kni}
+    - {role: firewall, tags: firewall}
 #    - tsg_app
-    - http_healthcheck
-    - redis
-    - cert-redis
-    - maat-redis
-    - certstore
-    - telegraf_statistic
-#    - tsg_device_tag
+    - {role: http_healthcheck,tags: http_healthcheck}
+    - {role: redis, tags: redis}
+    - {role: cert-redis, tags: cert-redis}
+    - {role: maat-redis, tags: maat-redis, when: deploy_mode == "cluster"}
+    - {role: certstore, tags: certstore}
+    - {role: telegraf_statistic, tags: telegraf_statistic}
+    - {role: app_proto_identify, tags: app_proto_identify}
+    - {role: adc_exporter, tags: adc_exporter}
+#    - {role: switch_control, tags: switch_control}
+    - {role: tsg-env-patch, tags: tsg-env-patch}
 
 - hosts: adc_mcn1
   remote_user: root
@@ -45,10 +36,14 @@
     - install_config/group_vars/adc_global.yml
     - install_config/group_vars/adc_mcn1.yml
   roles:
-    - telegraf_collect
-    - kernel-ml
-    - mrzcpd
-    - tfe
+#    - tsg-env-mcn1
+    - {role: framework, tags: framework}
+    - {role: kernel-ml, tags: kernel-ml}
+    - {role: mrzcpd, tags: mrzcpd}
+    - {role: tfe, tags: tfe}
+    - {role: adc_exporter, tags: adc_exporter}
+#    - {role: switch_control, tags: switch_control}
+    - {role: tsg-env-patch, tags: tsg-env-patch}
 
 - hosts: adc_mcn2
   remote_user: root
@@ -56,10 +51,14 @@
     - install_config/group_vars/adc_global.yml
     - install_config/group_vars/adc_mcn2.yml
   roles:
-    - telegraf_collect
-    - kernel-ml
-    - mrzcpd
-    - tfe
+#    - tsg-env-mcn2
+    - {role: framework, tags: framework}
+    - {role: kernel-ml, tags: kernel-ml}
+    - {role: mrzcpd, tags: mrzcpd}
+    - {role: tfe, tags: tfe}
+    - {role: adc_exporter, tags: adc_exporter}
+#    - {role: switch_control, tags: switch_control}
+    - {role: tsg-env-patch, tags: tsg-env-path}
 
 - hosts: adc_mcn3
   remote_user: root
@@ -67,44 +66,25 @@
     - install_config/group_vars/adc_global.yml
     - install_config/group_vars/adc_mcn3.yml
   roles:
-    - telegraf_collect
-    - kernel-ml
-    - mrzcpd
-    - tfe
-
-- hosts: adc_mcn0
-  remote_user: root
-  roles:
-    - tsg-diagnose
-
-- hosts: 
-    - adc_mcn1
-    - adc_mcn2
-    - adc_mcn3
-  remote_user: root
-  roles:
-    - tsg-diagnose_sync_ca
+    - {role: framework, tags: framework}
+    - {role: kernel-ml, tags: kernel-ml}
+    - {role: mrzcpd, tags: mrzcpd}
+    - {role: tfe, tags: tfe}
+#    - {role: adc_exporter, tags: adc_exporter}
+    - {role: switch_control, tags: switch_control}
+    - {role: tsg-env-patch, tags: tsg-env-patch}
     
-- hosts: adc_mcn0
-  remote_user: root
-  roles:
-    - tsg-diagnose_stop_sync
-
-
-- hosts:
-    - adc_mcn0
-    - adc_mcn1
-    - adc_mcn2
-    - adc_mcn3
+- hosts: packet_dump_server
   remote_user: root
   vars_files:
     - install_config/group_vars/adc_global.yml
   roles:
-    #- reboot
+    - {role: framework, tags: framework}
+    - {role: packet_dump, tags: packet_dump}
 
 - hosts: app_global
   remote_user: root
   vars_files:
     - install_config/group_vars/app_global.yml
   roles:
-    - app_global
+    - {role: app_global, tags: app_global}

install_config/group_vars/adc_global.yml

@@ -3,19 +3,16 @@
 tsg_access_type: 2
 #####2: ADC;
 tsg_running_type: 2
-
+#####deploy mode: cluster, single
+deploy_mode: "cluster"
 ########################################
 #Deploy_finished_reboot
 Deploy_finished_reboot: 0
 
-########################################
-#TSG Cluster Mode
-tsg_cluster_mode: 0
-
 ########################################
 #IP Config
 maat_redis_city_server:
-  address: "10.9.62.253"
+  address: "10.4.62.253"
   port: 7002
 
 maat_redis_server:
@@ -35,16 +32,10 @@ cert_store_server:
   port: 9991
 
 log_kafkabrokers:
-  address: "10.9.61.4:9092,10.9.61.5:9092,10.9.61.6:9092"
-
-telegraf_kafkabrokers:
-  address: "\"10.9.61.4:9092\",\"10.9.61.5:9092\",\"10.9.61.6:9092\""
-
-monitor_outputs_influxdb:
-  url: "http://127.0.0.1:58086"
+  address: ['1.1.1.1:9092','2.2.2.2:9092']
 
 log_minio:
-  address: "10.9.62.253"
+  address: "10.4.62.253"
   port: 9090
 
 #########################################
@@ -55,6 +46,7 @@ fw_mail_log_level: 10
 fw_http_log_level: 10
 fw_dns_log_level: 10
 fw_quic_log_level: 10
+app_control_log_level: 10
 capture_packet_log_level: 10
 tsg_log_level: 10
 tsg_master_log_level: 10
@@ -66,7 +58,7 @@ tfe_http_log_level: FATAL
 pangu_log_level: FATAL
 doh_log_level: FATAL
 
-certstore_log_level: 30
+certstore_log_level: FATAL
 packet_dump_log_level: 10
 
 #######################################
@@ -103,9 +95,12 @@ tfe:
 ########################################
 #Marsio Config
 #marsio工作在ADC计算板时，建议使用如下配置，以保证更高的处理性能
-mrzcpd:
+mcn0_mrzcpd:
   iocore: 52,53,54,55
 
+mcn123_mrzcpd:
+  iocore: 54,55
+
 mrtunnat:
   lcore_id: 48,49,50,51 
 
@@ -118,10 +113,12 @@ app_master_log_level: 10
 app_sketch_local_log_level: 10
 app_control_plug_log_level: 10
 
-
-breakpad_upload_url: http://10.4.63.4:9000/api/2/minidump/?sentry_key=3556bac347c74585a994eb6823faf5c6
-
+breakpad_upload_url: http://10.4.63.4:9000/api/2/minidump/?sentry_key=3203b43fd5384a7dbe6a48ecb1f3c595
 data_center: Kyzylorda
 tsg_master_entrance_id: 9
 nic_mgr: 
    name: em1
+   
+sapp_prometheus_enable: 1
+sapp_prometheus_port: 9273
+sapp_prometheus_url_path: "/metrics"

install_config/group_vars/adc_mcn0.yml

@@ -37,5 +37,5 @@ AllotAccess:
   virturlID_4: 1302
   #vvipv4_mask: 24
   #vvipv6_mask: 64
- 
+
 bladename: mcn0

install_config/group_vars/adc_mcn2.yml

@@ -15,5 +15,5 @@ nic_inner_ctrl:
 nic_traffic_mirror:
   name: ens8f2
   use_mrzcpd: 1
-
+  
 bladename: mcn2

install_config/group_vars/adc_mcn3.yml

@@ -15,5 +15,5 @@ nic_inner_ctrl:
 nic_traffic_mirror:
   name: ens8f2
   use_mrzcpd: 1
-
+  
 bladename: mcn3

install_config/group_vars/server_as_tun_mode.yml

@@ -1,17 +1,16 @@
 #########################################
-#####0: Pcap;  1: Inline_device;  4: ATCA_Vlan_Flipping;  5:ATCA_VXLAN;
+#####0: Pcap;  1: Inline_device;   5:ATCA_VXLAN;
 tsg_access_type: 0
 #####0: Tun_mode;  1: normal;
 tsg_running_type: 0
 
+#####deploy mode: cluster, single
+deploy_mode: "single"
+
 ########################################
 #Deploy_finished_reboot
 Deploy_finished_reboot: 0
 
-########################################
-#TSG Cluster Mode
-tsg_cluster_mode: 0
-
 ########################################
 #Server Basic Config
 nic_mgr:
@@ -44,17 +43,12 @@ cert_store_server:
   port: 9991
 
 log_kafkabrokers:
-  address: "10.9.61.4:9092,10.9.61.5:9092,10.9.61.6:9092"
-
-telegraf_kafkabrokers:
-  address: "\"10.9.61.4:9092\",\"10.9.61.5:9092\",\"10.9.61.6:9092\""
-
-monitor_outputs_influxdb:
-  url: "http://127.0.0.1:58086"
+  address: ['1.1.1.1:9092','2.2.2.2:9092']
 
 log_minio:
   address: "10.9.62.253"
   port: 9090
+
 #########################################
 #Log Level Config
 #日志等级 10:DEBUG 20:INFO 30:FATAL
@@ -63,6 +57,7 @@ fw_mail_log_level: 10
 fw_http_log_level: 10
 fw_dns_log_level: 10
 fw_quic_log_level: 10
+app_control_log_level: 10
 capture_packet_log_level: 10
 tsg_log_level: 10
 tsg_master_log_level: 10
@@ -165,3 +160,7 @@ breakpad_upload_url: http://127.0.0.1:9000/api/2/minidump/?sentry_key=3556bac347
 
 data_center: Beijing
 tsg_master_entrance_id: 0
+
+sapp_prometheus_enable: 1
+sapp_prometheus_port: 9273
+sapp_prometheus_url_path: "/metrics"

install_config/hosts

@@ -7,7 +7,8 @@
 #20.09版本新增APP部署
 #[app_global]
 #0.0.0.0
-#[server-as-tun-mode]
+
+#[server_as_tun_mode]
 #1.1.1.1 device_id=device_1
 #
 #[adc_mxn]
@@ -29,19 +30,16 @@
 #[adc_mcn3]
 #10.3.76.1 device_id=device_1
 #10.3.76.2 device_id=device_2
+
 #[app_global]
-
-#[server-as-tun-mode]
-#p
-#[adc_mxn]
+#[server_as_tun_mode]
+#broken warning:
+#10.4.52.71
 [adc_mcn0]
-10.9.51.[1:15]
 [adc_mcn1]
-10.9.52.[1:15]
 [adc_mcn2]
-10.9.53.[1:15]
 [adc_mcn3]
-10.9.54.[1:14]
-[packet_dump_server]
-10.9.61.3
+[app_global]
+[server_as_tun_mode]
+
 

roles/adc_exporter/tasks/main.yml

@@ -0,0 +1,72 @@
+- name: "copy freeipmi tools"
+  copy:
+    src: '{{ role_path }}/files/freeipmi-1.5.7-3.el7.x86_64.rpm'
+    dest: /tmp/ansible_deploy/
+
+- name: "Install freeipmi rpm package"
+  yum:
+    name:
+      - "/tmp/ansible_deploy/freeipmi-1.5.7-3.el7.x86_64.rpm"
+    state: present
+
+- name: "mkdir /opt/adc-exporter/"
+  file:
+    path: /opt/adc-exporter/
+    state: directory
+
+- name: "copy node_exporter"
+  copy:
+    src: '{{ role_path }}/files/node_exporter'
+    dest: /opt/adc-exporter/node_exporter
+    mode: 0755
+
+- name: "copy systemd_exporter"
+  copy:
+    src: '{{ role_path }}/files/systemd_exporter'
+    dest: /opt/adc-exporter/systemd_exporter
+    mode: 0755
+
+- name: "copy ipmi_exporter"
+  copy:
+    src: '{{ role_path }}/files/ipmi_exporter'
+    dest: /opt/adc-exporter/ipmi_exporter
+    mode: 0755
+
+- name: "templates adc-exporter-node.service"
+  template:
+    src: "{{role_path}}/templates/adc-exporter-node.service.j2"
+    dest: /usr/lib/systemd/system/adc-exporter-node.service
+  tags: template
+
+- name: "templates adc-exporter-systemd.service"
+  template:
+    src: "{{role_path}}/templates/adc-exporter-systemd.service.j2"
+    dest: /usr/lib/systemd/system/adc-exporter-systemd.service
+  tags: template
+
+- name: "templates adc-exporter-ipmi.service"
+  template:
+    src: "{{role_path}}/templates/adc-exporter-ipmi.service.j2"
+    dest: /usr/lib/systemd/system/adc-exporter-ipmi.service
+  tags: template
+
+- name: 'adc-exporter-node service start'
+  systemd:
+    name: adc-exporter-node
+    enabled: yes
+    daemon_reload: yes
+    state: started
+
+- name: 'adc-exporter-systemd service start'
+  systemd:
+    name: adc-exporter-systemd
+    enabled: yes
+    daemon_reload: yes
+    state: restarted
+
+- name: 'adc-exporter-ipmi service start'
+  systemd:
+    name: adc-exporter-ipmi
+    enabled: yes
+    daemon_reload: yes
+    state: restarted

roles/adc_exporter/templates/adc-exporter-ipmi.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=IPMI Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/adc-exporter/ipmi_exporter
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/adc_exporter/templates/adc-exporter-node.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=Node Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/adc-exporter/node_exporter
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/adc_exporter/templates/adc-exporter-systemd.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=Systemd Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/adc-exporter/systemd_exporter --web.disable-exporter-metrics
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/adc_exporter_ping/tasks/main.yml

@@ -0,0 +1,23 @@
+- name: "mkdir /opt/adc-exporter/"
+  file:
+    path: /opt/adc-exporter/
+    state: directory
+
+- name: "copy ping_exporter"
+  copy:
+    src: '{{ role_path }}/files/ping_exporter'
+    dest: /opt/adc-exporter/ping_exporter
+    mode: 0755
+
+- name: "templates ping_exporter.service"
+  template:
+    src: "{{role_path}}/templates/adc-exporter-ping.service.j2"
+    dest: /usr/lib/systemd/system/adc-exporter-ping.service
+  tags: template
+
+- name: 'adc-exporter-ping service start'
+  systemd:
+    name: adc-exporter-ping
+    enabled: yes
+    daemon_reload: yes
+    state: restarted

roles/adc_exporter_ping/templates/adc-exporter-ping.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=Ping Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/adc-exporter/ping_exporter {{ ping_test.target|join(" ")}} --ping.size=512 --ping.interval=0.5s
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

roles/adc_exporter_proxy/tasks/main.yml

@@ -0,0 +1,34 @@
+- name: "mkdir /opt/adc-exporter-proxy/"
+  file:
+    path: /opt/adc-exporter-proxy/
+    state: directory
+
+- name: "copy file to device"
+  copy:
+    src: '{{ role_path }}/files/'
+    dest: /tmp/ansible_deploy/
+    
+- name: "unarchive adc-exporter-proxy(NGINX)"
+  unarchive:
+    src: /tmp/ansible_deploy/adc_exporter_proxy.tar.gz
+    dest: /opt/adc-exporter-proxy
+    remote_src: yes
+
+- name: "templates adc-exporter-proxy.service"
+  template:
+    src: "{{role_path}}/templates/adc-exporter-proxy.service.j2"
+    dest: /usr/lib/systemd/system/adc-exporter-proxy.service
+  tags: template
+
+- name: "template nginx.conf"
+  template:
+    src: "{{role_path}}/templates/nginx.conf.j2"
+    dest: /opt/adc-exporter-proxy/adc-exporter-proxy/conf/nginx.conf
+  tags: template
+
+- name: 'adc-exporter-proxy service start'
+  systemd:
+    name: adc-exporter-proxy
+    enabled: yes
+    daemon_reload: yes
+    state: restarted

roles/adc_exporter_proxy/templates/adc-exporter-proxy.service.j2

@@ -0,0 +1,12 @@
+[Unit]
+Description=ADC Exporter Proxy (NGINX) for NEZHA
+After=network.target remote-fs.target nss-lookup.target
+
+[Service]
+Type=simple
+ExecStart=/opt/adc-exporter-proxy/adc-exporter-proxy/sbin/nginx -p /opt/adc-exporter-proxy/adc-exporter-proxy
+ExecReload=/opt/adc-exporter-proxy/adc-exporter-proxy/sbin/nginx -p /opt/adc-exporter-proxy/adc-exporter-proxy -s reload
+ExecStop=/opt/adc-exporter-proxy/adc-exporter-proxy/sbin/nginx -p /opt/adc-exporter-proxy/adc-exporter-proxy -s stop
+
+[Install]
+WantedBy=multi-user.target

roles/adc_exporter_proxy/templates/nginx.conf.j2

@@ -0,0 +1,152 @@
+
+user  nobody;
+worker_processes  1;
+daemon off;
+
+error_log  logs/error.log;
+error_log  logs/error.log  notice;
+error_log  logs/error.log  info;
+pid        logs/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    #access_log  logs/access.log  main;
+
+    sendfile        on;
+    tcp_nopush     on;
+
+    keepalive_timeout  65;
+    gzip  on;
+
+    server {
+	    listen       9000;
+	    server_name  localhost;
+
+	    location /metrics/blade/mcn0/node_exporter {
+		    proxy_pass   http://192.168.100.1:9100/metrics;
+	    }
+
+	    location /metrics/blade/mcn1/node_exporter {
+		    proxy_pass   http://192.168.100.2:9100/metrics;
+	    }
+
+	    location /metrics/blade/mcn2/node_exporter {
+		    proxy_pass   http://192.168.100.3:9100/metrics;
+	    }
+
+	    location /metrics/blade/mcn3/node_exporter {
+		    proxy_pass   http://192.168.100.4:9100/metrics;
+	    }
+
+	    location /metrics/blade/mxn/node_exporter {
+		    proxy_pass   http://192.168.100.5:9100/metrics;
+	    }
+
+            location /metrics/blade/mcn0/systemd_exporter {
+                    proxy_pass   http://192.168.100.1:9558/metrics;
+            }
+
+            location /metrics/blade/mcn1/systemd_exporter {
+                    proxy_pass   http://192.168.100.2:9558/metrics;
+            }
+
+            location /metrics/blade/mcn2/systemd_exporter {
+                    proxy_pass   http://192.168.100.3:9558/metrics;
+            }
+
+            location /metrics/blade/mcn3/systemd_exporter {
+                    proxy_pass   http://192.168.100.4:9558/metrics;
+            }
+
+	    location /metrics/blade/mcn0/ipmi_exporter {
+		    proxy_pass   http://192.168.100.1:9290/metrics;
+	    }
+
+	    location /metrics/blade/mcn1/ipmi_exporter {
+		    proxy_pass   http://192.168.100.2:9290/metrics;
+	    }
+
+	    location /metrics/blade/mcn2/ipmi_exporter {
+		    proxy_pass   http://192.168.100.3:9290/metrics;
+	    }
+
+	    location /metrics/blade/mcn3/ipmi_exporter {
+		    proxy_pass   http://192.168.100.4:9290/metrics;
+	    }
+
+	    location /metrics/blade/mxn/ipmi_exporter {
+		    proxy_pass   http://192.168.100.5:9290/metrics;
+	    }
+
+            location /metrics/blade/mcn0/certstore {
+                    proxy_pass   http://192.168.100.1:9002/metrics;
+            }
+
+            location /metrics/blade/mcn1/tfe {
+                    proxy_pass   http://192.168.100.2:9001/metrics;
+            }
+
+            location /metrics/blade/mcn2/tfe {
+                    proxy_pass   http://192.168.100.3:9001/metrics;
+            }
+
+            location /metrics/blade/mcn3/tfe {
+                    proxy_pass   http://192.168.100.4:9001/metrics;
+            }
+
+            location /metrics/blade/mcn0/sapp {
+                    proxy_pass   http://192.168.100.1:9273/metrics;
+            }
+
+            location /metrics/blade/mcn0/mrapm_device {
+                    proxy_pass   http://192.168.100.1:8901/metrics;
+            }
+
+	    location /metrics/blade/mcn0/mrapm_stream {
+                    proxy_pass   http://192.168.100.1:8902/metrics;
+            }
+
+	    location /metrics/blade/mcn1/mrapm_device {
+                    proxy_pass   http://192.168.100.2:8901/metrics;
+            }
+
+	    location /metrics/blade/mcn1/mrapm_stream {
+                    proxy_pass   http://192.168.100.2:8902/metrics;
+            }
+
+            location /metrics/blade/mcn2/mrapm_device {
+                    proxy_pass   http://192.168.100.3:8901/metrics;
+            }
+
+	    location /metrics/blade/mcn2/mrapm_stream {
+                    proxy_pass   http://192.168.100.3:8902/metrics;
+            }
+
+            location /metrics/blade/mcn3/mrapm_device {
+                    proxy_pass   http://192.168.100.4:8901/metrics;
+            }
+
+	    location /metrics/blade/mcn3/mrapm_stream {
+                    proxy_pass   http://192.168.100.4:8902/metrics;
+            }
+
+            location /metrics/blade/mcn0/maat_redis {
+                    proxy_pass   http://192.168.100.1:9121/metrics;
+            }
+
+            location /metrics/blade/mcn0/ping_exporter {
+                    proxy_pass   http://192.168.100.1:9427/metrics;
+            }
+    }
+}

roles/app_proto_identify/tasks/main.yml

@@ -0,0 +1,14 @@
+---
+- name: "copy app_proto_identify rpm package destination server"
+  copy:
+    src: "{{ role_path }}/files/"
+    dest: /tmp/ansible_deploy/
+
+- name: "install app_proto_identify"
+  yum:
+    name: "{{ app_packages }}"
+    state: present
+    skip_broken: yes
+  vars:
+    app_packages:
+      - /tmp/ansible_deploy/app_proto_identify-1.0.7.a5113ba-2.el7.x86_64.rpm

roles/certstore/files/memory.conf

@@ -1,2 +1,3 @@
 [Service]
-MemoryMax=10G
+MemoryLimit=16G
+ExecStartPost=/bin/bash -c "echo 16G > /sys/fs/cgroup/memory/system.slice/certstore.service/memory.memsw.limit_in_bytes"

roles/certstore/tasks/main.yml

@@ -3,22 +3,22 @@
     src: "{{ role_path }}/files/"
     dest: "/tmp/ansible_deploy/"
 
-- name: "Ensures /opt/tsg exists"
+- name: Ensures /opt/tsg exists
   file: path=/opt/tsg state=directory
   tags: mkdir
 
-- name: "install certstore"
+- name: install certstore
   yum:
     name:
-      - /tmp/ansible_deploy/certstore-2.1.3.202010.81eef83-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/certstore-2.1.6.20201215.f2e9ba7-1.el7.x86_64.rpm
     state: present
 
-- name: "template certstore configure file"
+- name: template certstore configure file
   template:
     src: "{{ role_path }}/templates/cert_store.ini.j2"
     dest: /opt/tsg/certstore/conf/cert_store.ini
 
-- name: "template certstore zlog file"
+- name: template certstore zlog file
   template:
     src: "{{ role_path }}/templates/zlog.conf.j2"
     dest: /opt/tsg/certstore/conf/zlog.conf

roles/certstore/templates/cert_store.ini.j2

@@ -55,4 +55,6 @@ port = {{ maat_redis_server.port }}
 dbindex =  {{ maat_redis_server.db }}
 [stat]
 statsd_server=127.0.0.1
-statsd_port=58100
+statsd_port=8100
+statsd_set_prometheus_port=9002
+statsd_set_prometheus_url_path=/metrics

roles/firewall/tasks/main.yml

@@ -11,21 +11,22 @@
     skip_broken: yes
   vars:
     fw_packages:
-      - /tmp/ansible_deploy/capture_packet_plug-3.0.4.42574b7-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/capture_packet_plug-3.0.6.a2db4a4-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/conn_telemetry-1.0.2.8d6da43-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/dns-2.0.9.b639626-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/ftp-1.0.8.13d5fda-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/fw_dns_plug-3.0.2.dab58fa-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/fw_ftp_plug-3.0.1.0a78573-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_http_plug-3.0.1.0c7e082-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_mail_plug-3.0.1.02465eb-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_quic_plug-3.0.1.b790ee1-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_ssl_plug-3.0.4.a0b19ee-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_http_plug-3.0.4.484b54d-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_mail_plug-3.0.2.7401550-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_quic_plug-3.0.4.947ef77-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_ssl_plug-3.0.6.a121701-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/http-2.0.5.c61ad9a-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/mail-1.0.9.c1d3bde-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/quic-1.1.10.c2b90a0-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/ssl-1.0.9.69f3742-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/tsg_conn_sketch-2.0.6.abb4f4d-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/quic-1.1.17.8c22b4d-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/ssl-1.0.12.16b8fb5-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tsg_conn_sketch-2.0.12.0ad5a3b-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/app_control_plug-1.0.9.97846eb-2.el7.x86_64.rpm
 
 - name: "Template the tsgconf/main.conf"
   template:
@@ -40,14 +41,20 @@
     dest: /home/mesasoft/sapp_run/tsgconf/maat.conf
   tags: template
 
-- name: "Template the tsgconf/tsg_log_field.conf"
-  template:
-    src: "{{ role_path }}/templates/tsg_log_field.conf.j2"
-    dest: /home/mesasoft/sapp_run/tsgconf/tsg_log_field.conf
-  tags: template
-
 - name: "Template the conf/capture_packet_plug.conf.j2"
   template:
     src: "{{ role_path }}/templates/capture_packet_plug.conf.j2"
     dest: /home/mesasoft/sapp_run/conf/capture_packet_plug.conf
   tags: template
+
+- name: "Template the tsgconf/app_l7_proto_id.conf"
+  template:
+    src: "{{ role_path }}/templates/app_l7_proto_id.conf.j2"
+    dest: /home/mesasoft/sapp_run/tsgconf/app_l7_proto_id.conf
+ 
+- name: "Template the /home/mesasoft/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf"
+  template:
+    src: "{{ role_path }}/templates/tsg_conn_sketch.inf.j2"
+    dest: /home/mesasoft/sapp_run/plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
+  tags: template
+

roles/firewall/templates/app_l7_proto_id.conf.j2

@@ -0,0 +1,51 @@
+#TYPE：1:UCHAR,2:USHORT,3:USTRING,4:ULOG,5:USTRING,6:FILE,7:UBASE64,8:PACKET
+#TYPE	FIELD		VALUE
+STRING	UNCATEGORIZED	100
+STRING	UNCATEGORIZED	101
+STRING	UNKNOWN_OTHER	102
+STRING	DNS		103
+STRING	FTP		104
+STRING	FTPS		105
+STRING	HTTP		106
+STRING	HTTPS		107
+STRING	ICMP		108
+STRING	IKE		109
+STRING	MAIL		110
+STRING	IMAPS		111
+STRING	IPSEC		112
+STRING	XMPP		113
+STRING	L2TP		114
+STRING	NTP		115
+STRING	POP3S		117
+STRING	PPTP		118
+STRING	QUIC		119
+STRING	SIP		120
+STRING	SMB		121
+STRING	SMTPS		123
+STRING	SPDY		124
+STRING	SSH		125
+STRING	SSL		126
+STRING	SOCKS		127
+STRING	TELNET		128
+STRING	DHCP		129
+STRING	RADIUS		130
+STRING	OPENVPN		131
+STRING	STUN		132
+STRING	TEREDO		133
+STRING	DTLS		134
+STRING	DoH		135
+STRING	ISAKMP		136
+STRING	MDNS		137
+STRING	NETBIOS		138
+STRING	NETFLOW		139
+STRING	RDP		140
+STRING	RTCP		141
+STRING	RTP		142
+STRING	SLP		143
+STRING	SNMP		144
+STRING	SSDP		145
+STRING	TFTP		146
+STRING	BJNP		147
+STRING	LDAP		148
+STRING	RTMP		149
+STRING	RTSP		150

roles/firewall/templates/capture_packet_plug.conf.j2

@@ -19,7 +19,7 @@ ACCEPT_TAGS={"tags":[{"tag":"data_center","value":"{{ data_center }}"}]}
 
 [LOG]
 NIC_NAME={{ nic_mgr.name }}
-BROKER_LIST={{ log_kafkabrokers.address }}
+BROKER_LIST={{ log_kafkabrokers.address | join(",") }}
 FIELD_FILE=conf/capture_packet_log_field.conf
 
 [SYSTEM]

roles/firewall/templates/main.conf.j2

@@ -20,6 +20,10 @@ LOG_LEVEL={{ fw_dns_log_level }}
 LOG_PATH="./tsglog/fw_quic_plug/fw_quic_plug"
 LOG_LEVEL={{ fw_quic_log_level }}
 
+[CONTROL_PLUG]
+LOG_PATH="./tsglog/app_control_plug/app_control_plug"
+LOG_LEVEL={{ app_control_log_level }}
+
 [MAAT]
 PROFILE="./tsgconf/maat.conf"
 SUBSCRIBER_ID_TABLE="TSG_OBJ_SUBSCRIBER_ID"
@@ -32,7 +36,7 @@ NIC_NAME="{{ nic_mgr.name }}"
 MAX_SERVICE=1
 LOG_LEVEL={{ tsg_log_level }}
 LOG_PATH="./tsglog/tsglog"
-BROKER_LIST="{{ log_kafkabrokers.address }}"
+BROKER_LIST="{{ log_kafkabrokers.address | join(",") }}"
 COMMON_FIELD_FILE="tsgconf/tsg_log_field.conf"
 
 [STATISTIC]
@@ -55,3 +59,6 @@ LOG_LEVEL={{ tsg_master_log_level }}
 LOG_PATH="./tsglog/tsg_master"
 POLICY_PRIORITY_LABEL="POLICY_PRIORITY"
 DEVICE_ID_COMMAND="hostname | awk -F'-' '{print $3}'| awk -F'adc' '{print $2}'"
+
+[TSG_CONN_SKETCH]
+log_service=2

roles/firewall/templates/tsg_conn_sketch.inf.j2

@@ -0,0 +1,35 @@
+[PLUGINFO]
+PLUGNAME=TSG_CONN_SKETCH
+SO_PATH=./plug/business/tsg_conn_sketch/tsg_conn_sketch.so
+INIT_FUNC=tsg_conn_record_init
+DESTROY_FUNC=tsg_conn_record_destroy
+
+
+[TCP]
+FUNC_FLAG=ALL
+FUNC_NAME=tsg_record_tcp_entry
+
+[TCP_ALL]
+FUNC_FLAG=ALL
+FUNC_NAME=tsg_record_tcpall_entry
+
+[UDP]
+FUNC_FLAG=ALL
+FUNC_NAME=tsg_record_udp_entry
+
+[HTTP]
+FUNC_FLAG=ALL
+FUNC_NAME=tsg_record_http_entry
+
+[SSL]
+FUNC_FLAG=SSL_CLIENT_HELLO,SSL_SERVER_HELLO,SSL_APPLICATION_DATA,SSL_CERTIFICATE_DETAIL
+FUNC_NAME=tsg_record_ssl_entry
+
+#[DNS]
+#FUNC_FLAG=ALL
+#FUNC_NAME=tsg_record_dns_entry
+
+[MAIL]
+FUNC_FLAG=ALL
+FUNC_NAME=tsg_record_mail_entry
+

roles/firewall/templates/tsg_log_field.conf.j2

@@ -1,52 +0,0 @@
-#TYPE：1:UCHAR,2:USHORT,3:ULONG,4:ULOG,5:USTRING,6:FILE,7:UBASE64,8:PACKET
-#TYPE	TOPIC	SERVICE
-TOPIC	SECURITY-EVENT-LOG	0
-TOPIC	CONNECTION-RECORD-LOG	1
-TOPIC	CONNECTION-SKETCH	2
-
-#TYPE		FIELD		VALUE
-LONG   		common_policy_id	1
-LONG   		common_service		2
-LONG   		common_action		3
-LONG   		common_start_time	4
-LONG   		common_end_time		5
-STRING		common_l4_protocol	6
-LONG   		common_address_type	7
-STRING		common_server_ip	8
-STRING		common_client_ip	9
-LONG   		common_server_port	10
-LONG   		common_client_port	11
-LONG   		common_stream_dir	12
-STRING		common_address_list	13
-LONG   		common_entrance_id	14	
-LONG   		common_device_id	15	
-LONG   		common_link_id		16	
-STRING		common_isp		17	
-LONG   		common_encapsulation	18	
-LONG   		common_direction	19	
-STRING		common_sled_ip		20	
-STRING		common_user_tags	21
-STRING		common_user_region	22
-STRING		common_app_label	23
-LONG		common_app_id		24
-LONG		common_protocol_id	25
-LONG		common_c2s_pkt_num	26
-LONG		common_s2c_pkt_num	27
-LONG		common_c2s_byte_num	28
-LONG		common_s2c_byte_num	29	
-LONG		common_con_duration_ms	30
-LONG		common_has_dup_traffic	31
-STRING		common_stream_error	32
-STRING		common_stream_trace_id	33
-STRING		common_schema_type	34
-STRING		http_host		35
-STRING		ssl_sni			36
-LONG		common_establish_latency_ms	37
-STRING		common_sub_action		38
-STRING		common_client_asn	39
-STRING		common_server_asn	40
-STRING		common_client_location	41
-STRING		common_server_location	42
-STRING		quic_sni			43
-STRING		ssl_ja3_fingerprint		44
-STRING		common_data_center	45

roles/framework/tasks/main.yml

@@ -12,14 +12,14 @@
     packages:
       - /tmp/ansible_deploy/libcjson-1.7.10.ab2896f-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libdocumentanalyze-2.0.6.2d1abe0-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/libmaatframe-3.1.3.4fbcf21-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libmaatframe-3.1.10.653727e-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libMESA_field_stat-1.0.2.6d45eed-2.el7.x86_64.rpm
-      - /tmp/ansible_deploy/libMESA_field_stat2-2.9.4.4e2dd78-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_field_stat2-2.9.10.72ac4f1-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libMESA_handle_logger-2.0.7.cb4ad71-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libMESA_htable-3.10.12.cf4ccfc-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libMESA_prof_load-1.0.6.c6da36a-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/librdkafka-0.11.4-1.el7.x86_64.rpm
-      - /tmp/ansible_deploy/librulescan-2.2.1.1716a7b-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/librulescan-2.2.2.e5a4457-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libtsglua-1.0.8.0dbf2e6-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libwiredcfg-2.0.6.67ae0ab-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/libWiredLB-2.0.5.4629165-2.el7.x86_64.rpm

roles/kernel-ml/tasks/main.yml

@@ -40,6 +40,6 @@
     - tsg_access_type == 4
     - t_kernel_ml.changed
 
-#- name: "reboot"
-#  reboot:
-#  when: t_kernel_ml.changed
+- name: "reboot"
+  reboot:
+  when: t_kernel_ml.changed

roles/kni/tasks/main.yml

@@ -7,7 +7,7 @@
 - name: "install kni rpms from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/kni-20.10.20201024.a43de2a-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/kni-20.12.01.13e663f-2.el7.x86_64.rpm
     state: present
 #    skip_broken: yes
 

roles/kni/templates/kni.conf.j2

@@ -92,7 +92,7 @@ security_policy_id = 3,10
 
 
 [ssl_dynamic_bypass]
-enabled = 1
+enabled = 0
 
 #kni dynamic bypass
 [traceid2sslinfo_htable]

roles/maat-redis/files/maat-redis-exporter.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=Redis Exporter for MAAT-REDIS
+After=network.target
+
+[Service]
+ExecStart=/usr/bin/redis_exporter -redis.addr=redis://localhost:7002 -redis-only-metrics
+Type=simple
+
+[Install]
+WantedBy=multi-user.target
+

roles/maat-redis/tasks/main.yml

@@ -3,14 +3,18 @@
     src: "{{ role_path }}/files/maat-redis.service"
     dest: "/usr/lib/systemd/system"
     mode: 0644
-  when: tsg_cluster_mode == 1
+
+- name: "copy maat-redis exporter file to dest"
+  copy:
+    src: "{{ role_path }}/files/maat-redis-exporter.service"
+    dest: "/usr/lib/systemd/system"
+    mode: 0644
 
 - name: "Template the maat-redis.conf"
   template:
     src: "{{ role_path }}/templates/maat-redis.conf.j2"
     dest: /etc/maat-redis.conf
   tags: template
-  when: tsg_cluster_mode == 1
 
 - name: "start maat-redis"
   systemd:
@@ -18,4 +22,10 @@
     state: started
     daemon_reload: yes
     enabled: yes
-  when: tsg_cluster_mode == 1
+
+- name: "start maat-redis exporter"
+  systemd:
+    name: maat-redis-exporter.service
+    state: started
+    daemon_reload: yes
+    enabled: yes

roles/mrzcpd/files/memory.conf

@@ -1,2 +0,0 @@
-[Service]
-MemoryMax=100G

roles/mrzcpd/tasks/main.yml

@@ -6,7 +6,7 @@
 
 - name: "install mrzcpd"
   yum:
-    name: /tmp/ansible_deploy/mrzcpd-4.3.28.2d13de4-1.el7.x86_64.rpm
+    name: /tmp/ansible_deploy/mrzcpd-4.3.30.4627eb7-1.el7.x86_64.rpm
     state: present
 
 - name: "update sysconfig/mrzcpd"
@@ -145,10 +145,22 @@
   when: 
     - tsg_access_type != 0
 
+- name: "enable prometheus output - monit_device"
+  systemd:
+    name: mrapm_device
+    enabled: yes
+    daemon_reload: yes
+
+- name: "enable prometheus output - monit_stream"
+  systemd:
+    name: mrapm_stream
+    enabled: yes
+    daemon_reload: yes
+
 - name: "enable mrtunnat on master"
   systemd:
     name: mrtunnat
-    enabled: yes
+    enabled: no
     daemon_reload: yes
   when: 
     - nic_traffic_mirror is not defined
@@ -161,12 +173,6 @@
     daemon_reload: yes
   when: nic_traffic_mirror is defined
 
-- name: "copy memory limit file to tfe.service.d"
-  copy:
-    src: "{{ role_path }}/files/memory.conf"
-    dest: /etc/systemd/system/mrzcpd.service.d/
-    mode: 0644
-
 - name: "mask mrzcpd on server_tun_mode"
   systemd:
     name: mrzcpd

roles/mrzcpd/templates/adc_inline/mrglobal.conf.adc_inline.j2

@@ -32,7 +32,7 @@ promisc=1
 
 [service]
 # lcore id for i/o service, use comma to split
-iocore={{ mrzcpd.iocore }}
+iocore={{ mcn0_mrzcpd.iocore }}
 distmode=2
 hashmode=0
 

roles/mrzcpd/templates/allot_access/mrglobal.conf.allot_access.j2

@@ -33,7 +33,7 @@ promisc=1
 
 [service]
 # lcore id for i/o service, use comma to split
-iocore={{ mrzcpd.iocore }}
+iocore={{ mcn0_mrzcpd.iocore }}
 distmode=2
 hashmode=0
 

roles/mrzcpd/templates/traffic_mirror/mrglobal.conf.traffic_mirror.j2

@@ -10,7 +10,7 @@ clear_tx_flags=1
 promisc=1
 
 [service]
-iocore={{ mrzcpd.iocore }}
+iocore={{ mcn123_mrzcpd.iocore }}
 
 [eal]
 virtaddr=0x7d0000000000

roles/packet_dump/tasks/main.yml

@@ -1,6 +1,6 @@
 - name: "copy packet_dump rpm to destination server"
   copy:
-    src: "{{ role_path }}/files/packet_dump-1.0.7.0c9be9e-2.el7.x86_64.rpm"
+    src: "{{ role_path }}/files/packet_dump-1.0.8.2e723ab-2.el7.x86_64.rpm"
     dest: /tmp/ansible_deploy/
 
 - name: "copy  packet_dump.service to destination server"
@@ -12,7 +12,7 @@
 - name: "install packet_dump rpm from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/packet_dump-1.0.7.0c9be9e-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/packet_dump-1.0.8.2e723ab-2.el7.x86_64.rpm
     state: present
 
 - name: "Template the packet_dump.conf"

roles/packet_dump/templates/packet_dump.conf.j2

@@ -1,5 +1,5 @@
 [KAFKA]
-BROKER_LIST={{ log_kafkabrokers.address }}
+BROKER_LIST={{ log_kafkabrokers.address | join(",")}}
 KAFKA_OFFSET=largest
 
 [SYSTEM]

roles/radius/templates/radius.conf

@@ -1,6 +1,6 @@
 [RADIUS_PLUG]
 DEVICE_ID=0
-BROKERLIST={{ log_kafkabrokers.address }}
+BROKERLIST={{ log_kafkabrokers.address | join(",") }}
 COLLECT_TOPIC=RADIUS-RECORD-LOG
 SERVICE_ID=162
 NIC_NAME={{ nic_mgr.name }}

roles/reboot/tasks/main.yml

@@ -1,3 +1,3 @@
 - name: "reboot"
   reboot:
-  when: Deploy_finished_reboot == 1
+#  when: Deploy_finished_reboot == 1

roles/redis/tasks/main.yml

@@ -10,3 +10,9 @@
       - "/tmp/ansible_deploy/jemalloc-3.6.0-1.el7.x86_64.rpm"
       - "/tmp/ansible_deploy/redis40u-4.0.14-1.ius.centos7.x86_64.rpm"
     state: present
+
+- name: "redis exporter"
+  copy:
+    src: '{{ role_path }}/files/'
+    dest: /usr/bin/
+    mode: 0755

roles/sapp/files/memory.conf

@@ -1,2 +1,3 @@
 [Service]
-MemoryMax=100G
+MemoryLimit=80G
+ExecStartPost=/bin/bash -c "echo 80G > /sys/fs/cgroup/memory/system.slice/sapp.service/memory.memsw.limit_in_bytes"

roles/sapp/files/tera_fake_promisc_setup.conf

@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=/bin/bash tera_fake_promisc_setup.sh

roles/sapp/files/tera_fake_promisc_setup.sh

@@ -0,0 +1,4 @@
+set -ex
+dp_adapter_ether_addr=$(ifconfig ens1f2 | grep ether | awk '{print $2}')
+bpf_rule="ether dst $dp_adapter_ether_addr or ether dst 02:42:c0:a8:fd:03 or ether dst 02:42:c0:a8:fd:83 or ether dst 02:42:c0:a8:fd:82"
+sed -i "/BSD_packet_filter=/s/=.*/=\"$bpf_rule\"/" etc/sapp.toml

roles/sapp/tasks/main.yml

@@ -13,7 +13,13 @@
 - name: "install sapp rpms from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/sapp-4.1.13.ed89137-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/sapp-4.2.25.893d15d-2.el7.x86_64.rpm
+    state: present
+ 
+- name: "install tcpdump_mesa rpms from localhost"
+  yum:
+    name:
+      - /tmp/ansible_deploy/tcpdump_mesa-1.0.2.0c5a950-2.el7.x86_64.rpm
     state: present
     skip_broken: yes
 
@@ -46,12 +52,24 @@
     dest: /home/mesasoft/sapp_run/etc/sapp_log.conf
   tags: template
 
+- name: Template the sapp_tmpfile.conf
+  template:
+    src: "{{ role_path }}/templates/sapp_tmpfile.conf.j2"
+    dest: /etc/tmpfiles.d/sapp_tmpfile.conf
+  tags: template
+
 - name: Template the gdev.conf
   template:
     src: "{{ role_path }}/templates/gdev.conf.j2"
     dest: /home/mesasoft/sapp_run/etc/gdev.conf
   when: tsg_access_type == 1
-  
+
+- name: Template the vlan_flipping_map.conf
+  template:
+    src: "{{ role_path }}/templates/vlan_flipping_map.conf.j2"
+    dest: /home/mesasoft/sapp_run/etc/vlan_flipping_map.conf
+  when: tsg_access_type == 2
+
 
 - name: "Template sapp.service destination server"
   template:
@@ -59,6 +77,26 @@
     dest: /usr/lib/systemd/system/sapp.service
     mode: 0755
 
+- name: "copy memory limit file to sapp.service.d"
+  copy:
+    src: "{{ role_path }}/files/memory.conf"
+    dest: /etc/systemd/system/sapp.service.d/
+    mode: 0644
+
+- name: "copy fake promisc tools for tera mode - service file"
+  copy:
+    src: "{{ role_path }}/files/tera_fake_promisc_setup.conf"
+    dest: /etc/systemd/system/sapp.service.d/
+    mode: 0644
+  when: tsg_access_type == 2
+
+- name: "copy fake promisc tools for tera mode - scripts"
+  copy:
+    src: "{{ role_path }}/files/tera_fake_promisc_setup.sh"
+    dest: /home/mesasoft/sapp_run/tera_fake_promisc_setup.sh
+    mode: 0755
+  when: tsg_access_type == 2
+ 
 - name: "enable sapp"
   systemd:
     name: sapp

roles/sapp/templates/conflist.inf.j2

@@ -2,16 +2,13 @@
 {% if tsg_access_type == 1 %}
 ./plug/platform/g_device_plug/g_device_plug.inf
 #./plug/platform/http_healthcheck/http_healthcheck.inf
-{% elif tsg_access_type == 2 %}
-#./plug/platform/g_device_plug/g_device_plug.inf
-./plug/platform/http_healthcheck/http_healthcheck.inf
 {% else %}
 #./plug/platform/g_device_plug/g_device_plug.inf
 #./plug/platform/http_healthcheck/http_healthcheck.inf
 {% endif %}
+./plug/platform/app_proto_identify/app_proto_identify.inf
 ./plug/platform/tsg_master/tsg_master.inf
 {% if tsg_app_enable == 1 %}
-./plug/platform/app_proto_identify/app_proto_identify.inf
 ./plug/platform/app_master/app_master.inf
 {% endif %}
 
@@ -22,6 +19,7 @@
 ./plug/protocol/mail/mail.inf
 ./plug/protocol/ftp/ftp.inf
 ./plug/protocol/quic/quic.inf
+./plug/protocol/l2tp_protocol_plug/l2tp_protocol_plug.inf
 
 [business]
 ./plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
@@ -34,7 +32,11 @@
 ./plug/business/fw_ftp_plug/fw_ftp_plug.inf
 ./plug/business/fw_quic_plug/fw_quic_plug.inf
 ./plug/business/conn_telemetry/conn_telemetry.inf
+./plug/business/app_control_plug/app_control_plug.inf
 {% if tsg_app_enable == 1 %}
 ./plug/business/app_sketch_local/app_sketch_local.inf
 ./plug/business/app_control_plug/app_control_plug.inf
 {% endif %}
+{% if tsg_access_type == 2 %}
+./plug/platform/http_healthcheck/http_healthcheck.inf
+{% endif %}

roles/sapp/templates/sapp.service.j2

@@ -5,9 +5,18 @@ Requires=mrzcpd.service
 After=mrzcpd.service
 {% endif %}
 [Service]
+Type=notify
 WorkingDirectory=/home/mesasoft/sapp_run
 ExecStart=/home/mesasoft/sapp_run/sapp
+TimeoutSec=900s
+RestartSec=10s
 Restart=always
-RestartSec=5s
+LimitNOFILE=524288
+LimitNPROC=infinity
+LimitCORE=0
+TasksMax=infinity
+Delegate=yes
+KillMode=process
+
 [Install]
 WantedBy=multi-user.target

roles/sapp/templates/sapp.toml.j2

@@ -22,16 +22,57 @@ bind_mask=[]
 bind_mask=[{{ sapp.bind_mask }}]
 {% endif %}
 
+[MEM]
+dictator_enable=0
+
 [PACKET_IO]
-{% if tsg_access_type == 4 %}
-### note, used to represent inbound or outbound direction value,
-##### because it comes from other device, so it needs to be specified manually,
-##### if inbound_route_dir=1, then outbound_route_dir=0, vice versa,
-##### in other words, outbound_route_dir = 1 ^ inbound_route_dir;
-inbound_route_dir={{ sapp.inbound_route_dir }}
-{% endif %}
+
+    [overlay_tunnel_definition]
+### note, since 2020-10-01, L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) is process and offload by mrtunnat, 	
+### after 2020-10-01, sapp support L2-L3 tunnel(VLAN,MPLS,PPPOE,etc.) without mrtunnat.
+    l2_l3_tunnel_support=1
+
+### note, optional value is [none, vxlan]
+    overlay_mode=none
+    stream_compare_layer_cfg_file="etc/stream_compare_layer.conf"
+    vlan_flipping_cfg_file="etc/vlan_flipping_map.conf"
+    asymmetric_presence_layer_cfg_file="etc/asymmetric_presence_layer.conf"
+    asymmetric_addr_layer_cfg_file="etc/asymmetric_addr_layer.conf"
+    prune_inject_layer_cfg_file="etc/prune_inject_layer.conf"
+
+    [packet_io.feature]
+	
+	{% if tsg_access_type == 4 %}
+	### note, used to represent inbound or outbound direction value,
+	### because it comes from Third party device, so it needs to be specified manually,
+	### if inbound_route_dir=1, then outbound_route_dir=0, vice versa,
+	### in other words, outbound_route_dir = 1 ^ inbound_route_dir;
+	inbound_route_dir={{ sapp.inbound_route_dir }}
+	{% endif %}
+	
 ### note, BSD_packet_filter, if you do not want to set any filter rule, keep it empty as ""
-BSD_packet_filter=""
+    BSD_packet_filter=""
+
+### note, same as tcpdump -Q/-P arg, possible values are `in', `out' and `inout', default is "in"
+    pcap_capture_direction="in"
+
+
+### note, depolyment.mode options: [sys_route, vxlan_by_inline_device, raw_ethernet_single_gateway, raw_ethernet_multi_gateway]
+### sys_route: send ip(ipv6) packet by system route table, this is default mode in mirror mode;
+### vxlan_by_inline_device: encapsulation inject packet with vxlan, and then send to inline device by udp socket.
+### raw_ethernet_single_gateway: send layer2 ethernet packet to specific gateway in same broadcast domain. 
+### raw_ethernet_multi_gateway: send layer2 ethernet packet to multiple gateway in same broadcast domain. 
+    inject_pkt_mode=sys_route
+
+### note, this config is valid if inject_pkt_mode==vxlan_by_inline_device, means udp socket src port.
+    inject_mode_inline_device_sport=54789
+
+### note, this config is valid if inject_pkt_mode==raw_ethernet_single_gateway.
+    inject_mode_single_gateway_device="eth1"
+### inject_mode_single_gateway_src_mac has lower priority than get smac from inject_mode_single_gateway_device
+    inject_mode_single_gateway_src_mac="00:11:22:77:88:99"
+    inject_mode_single_gateway_dst_mac="00:11:22:33:44:55"
+    dumpfile_sleep_time_before_exit=3
    
 ### note, depolyment.mode options: [mirror, inline, transparent]
     [packet_io.depolyment]
@@ -48,7 +89,7 @@ BSD_packet_filter=""
     name={{packet_io.internal_interface}}
     {% else %}
     type=marsio
-    name=vxlan_user
+    name={{nic_data_incoming.name}}
     {% endif %}
 
     [packet_io.external.interface]
@@ -64,25 +105,47 @@ BSD_packet_filter=""
 ### note, polling_priority = call sapp_recv_pkt every call polling_entry times,     
     polling_priority=1
 
+[PROTOCOL_FEATURE]
+    ipv6_decapsulation_enabled=1
+    ipv6_send_packet_enabled=1
+    tcp_drop_pure_ack_pkt=0
+    tcp_syn_option_parse_enabled=1 
+    skip_not_ip_layer_over_eth=0
+    treat_vlan_as_mac_in_mac=0
+    reverse_ethernet_addr=1
+
+	
 [STREAM]
+### note, stream_id_base_time format is "%Y-%m-%d %H:%M:%S" 
+    stream_id_base_time="2018-08-08 08:00:00"
     [stream.tcp]
     max=100000
     timeout=30
-    syn_mandatory=0
-    reorder_pkt_max=5
+    syn_mandatory=1
+    reorder_pkt_max=128
     analyse_option_enabled=1
+    tuple4_reuse_time_interval=30
+
+    meaningful_statistics_minimum_pkt=3
+    meaningful_statistics_minimum_byte=5
+    
         [stream.tcp.inject]
         link_mss=1460
 	  
         [stream.tcp.inject.rst]
+        auto_remedy=0
         number=3
         signature_enabled=1
         signature_seed1=65535
         signature_seed2=13
+        remedy_kill_tcp_by_inline_device=0
 	
     [stream.udp]
     max=100000
     timeout=60
+    meaningful_statistics_minimum_pkt=3
+    meaningful_statistics_minimum_byte=5
+    
 
 [PROFILING]
     [profiling.pkt_latency]
@@ -95,7 +158,7 @@ BSD_packet_filter=""
     symbol_conflict_enabled=0
   
     [profiling.log]
-    level=20
+    level=10
     interval=5
     
         [profiling.log.local]
@@ -115,9 +178,14 @@ BSD_packet_filter=""
         metric_type = default
         app_name=sapp
      
+        [profiling.log.prometheus]
+        prometheus_enabled={{ sapp_prometheus_enable }}
+        prometheus_port={{ sapp_prometheus_port }}
+        prometheus_url_path="{{ sapp_prometheus_url_path }}"
+
 [TOOLS]
     [tools.pkt_dump]
-    enabled=0
+    enabled=1
 ### note, mode options value:[storage, udp_socket]
     mode=udp_socket
     BSD_packet_filter=""
@@ -131,7 +199,7 @@ BSD_packet_filter=""
         dump_thread_id=[0,1,2,3,4]
    
         [tools.pkt_dump.udp]
-        command_port=12345
+        command_port=9345
 
         [tools.pkt_dump.storage]
 ### note, file path must be double quotation mark extension, for example,  path="/dev/shm/pkt_dump"
@@ -148,3 +216,10 @@ BSD_packet_filter=""
     entrylist_path="./etc/entrylist.conf"
     send_raw_pkt_path="./etc/send_raw_pkt.conf"
     vxlan_sport_service_map_path="./etc/vxlan_sport_service_map.conf"
+
+[breakpad]
+    disable_coredump=1
+    enable_breakpad=1
+    breakpad_minidump_dir="/tmp/crashreport"
+    enable_breakpad_upload=1
+    breakpad_upload_url="{{ breakpad_upload_url }}"

roles/sapp/templates/sapp_tmpfile.conf.j2

@@ -0,0 +1 @@
+d /home/mesasoft/sapp_run/log          	    0755 - -   2d -

roles/sapp/templates/vlan_flipping_map.conf.j2

@@ -0,0 +1,11 @@
+#for inline a device vlan flipping 
+#数据包来自C路由器端, 即C2I(I2E)方向, 
+#数据包来自I路由器端, 即I2C(E2I)方向, 
+#平台会根据vlan_id,设置当前包route_dir的值, 以便上层业务插件做两个方向的流量统计,
+#如果一对vlan_id写反了, 网络是通的, 但是I2E,E2I的流量统计就颠倒了.
+#配置文件格式, pattern:
+#来自C路由器vlan_id	  	来自I路由器vlan_id   	是否开启mac地址翻转
+#C_router_vlan_id  I_router_vlan_id mac_flipping_enable
+1301	1302	1
+1201	1202	1
+4000	4001	0

roles/switch_control/tasks/main.yml

@@ -0,0 +1,5 @@
+- name: "copy switch_control_client_non_block"
+  copy:
+    src: '{{ role_path }}/files/switch_control_client_non_block'
+    dest: /opt/tsg/env/switch_control_client_non_block
+    mode: 0755

roles/switch_rule/files/saved_startup

@@ -0,0 +1,347 @@
+# TestPoint History
+load ./Config/libertyTrail/testpoint_startup
+
+add vlan port 1 0
+
+create vlan 100
+add vlan port 100 0,11,37,39,41,43
+set port config 11 pvid 100
+set port config 11 mask 0,37,39,41,43
+set port config 0,11,39,37,41,43 learning on
+
+create vlan 200
+add vlan port 200 0,37,39,9,10,41,43
+set port config 0 mask 9..44
+set port config 37 mask 0..36,38..44
+set port config 39 mask 0..38,40..44
+set port config 41 mask 0..40,42..44
+set port config 43 mask 0..44
+set port config 0,39,37,41,43 learning on
+
+create vlan 4000
+add vlan port 4000 43
+create vlan 4001
+add vlan port 4001 43
+
+create lag
+add lag 9261 9,10
+add vlan port 200 9261
+set port config 9261 pvid 200
+set port config 9261 parser_cfg L4
+set port config 9261 learning on
+set port config 9261 mask 0,11..44
+
+create vlan all
+create lag
+add vlan port all 43
+add lag 9293 1,2,3,4
+add vlan port all 9293
+set port config 9293 parser_cfg L4
+set port config 9293 learning on
+set port config 9293 mask 0,11..44
+set vlan tagging all 1,2,3,4 tag
+set vlan tagging 1 1,2,3,4 untag
+
+create lag
+add lag 9325 5,6,7,8
+add vlan port all 9325
+set port config 9325 parser_cfg L4
+set port config 9325 learning on
+set port config 9325 mask 0,11..44
+set vlan tagging all 5,6,7,8 tag
+set vlan tagging 1 5,6,7,8 untag
+
+set port 37,39,41,43 powerdown
+set port 37,39,41,43 up
+set port 1..36 up
+
+set port config 11 parser_cfg L4
+set port config 37..44 parser_cfg L4
+
+set port config 11..36 max_frame_size 15360
+set switch reserved_mac all switch
+
+set switch config hashing l234 use_smac on
+set switch config hashing l234 use_dmac on
+set switch config hashing l234 use_l34 on 
+set switch config hashing l34 use_dip on
+set switch config hashing l34 use_sip on
+set switch config hashing l234 symmetric on 
+set switch config hashing l34 symmetric on
+
+
+set port config 9261,9293,9325 max_frame_size 15360
+create acl 1
+
+# Redirect all ARP request to ens1f2
+create acl-rule 1 40
+add acl-rule condition 1 40 src-port 1
+add acl-rule condition 1 40 ethtype 0x0806
+add acl-rule action 1 40 redirect 7214
+ 
+create acl-rule 1 41
+add acl-rule condition 1 41 src-port 2
+add acl-rule condition 1 41 ethtype 0x0806
+add acl-rule action 1 41 redirect 7214
+ 
+create acl-rule 1 42
+add acl-rule condition 1 42 src-port 3
+add acl-rule condition 1 42 ethtype 0x0806
+add acl-rule action 1 42 redirect 7214
+ 
+create acl-rule 1 43
+add acl-rule condition 1 43 src-port 4
+add acl-rule condition 1 43 ethtype 0x0806
+add acl-rule action 1 43 redirect 7214
+
+# Redirect all ICMPv4 to ens1f2 -- 10.0.0.0/8
+create acl-rule 1 44
+add acl-rule condition 1 44 src-port 1
+add acl-rule condition 1 44 protocol 0x1/0xff
+add acl-rule condition 1 44 sip 10.0.0.0/8
+add acl-rule condition 1 44 dip 10.0.0.0/8
+add acl-rule action 1 44 redirect 7214
+ 
+create acl-rule 1 45
+add acl-rule condition 1 45 src-port 2
+add acl-rule condition 1 45 protocol 0x1/0xff3
+add acl-rule condition 1 45 sip 10.0.0.0/8
+add acl-rule condition 1 45 dip 10.0.0.0/8
+add acl-rule action 1 45 redirect 7214
+ 
+create acl-rule 1 46
+add acl-rule condition 1 46 src-port 3
+add acl-rule condition 1 46 protocol 0x1/0xff
+add acl-rule condition 1 46 sip 10.0.0.0/8
+add acl-rule condition 1 46 dip 10.0.0.0/8
+add acl-rule action 1 46 redirect 7214
+ 
+create acl-rule 1 47
+add acl-rule condition 1 47 src-port 4
+add acl-rule condition 1 47 protocol 0x1/0xff
+add acl-rule condition 1 47 sip 10.0.0.0/8
+add acl-rule condition 1 47 dip 10.0.0.0/8
+add acl-rule action 1 47 redirect 7214
+
+# Redirect all ICMPv4 to ens1f2 -- 192.168.0.0/16
+create acl-rule 1 48
+add acl-rule condition 1 48 src-port 1
+add acl-rule condition 1 48 protocol 0x1/0xff
+add acl-rule condition 1 48 sip 192.168.0.0/16
+add acl-rule condition 1 48 dip 192.168.0.0/16
+add acl-rule action 1 48 redirect 7214
+ 
+create acl-rule 1 49
+add acl-rule condition 1 49 src-port 2
+add acl-rule condition 1 49 protocol 0x1/0xff3
+add acl-rule condition 1 49 sip 192.168.0.0/16
+add acl-rule condition 1 49 dip 192.168.0.0/16
+add acl-rule action 1 49 redirect 7214
+ 
+create acl-rule 1 50
+add acl-rule condition 1 50 src-port 3
+add acl-rule condition 1 50 protocol 0x1/0xff
+add acl-rule condition 1 50 sip 192.168.0.0/16
+add acl-rule condition 1 50 dip 192.168.0.0/16
+add acl-rule action 1 50 redirect 7214
+ 
+create acl-rule 1 51
+add acl-rule condition 1 51 src-port 4
+add acl-rule condition 1 51 protocol 0x1/0xff
+add acl-rule condition 1 51 sip 192.168.0.0/16
+add acl-rule condition 1 51 dip 192.168.0.0/16
+add acl-rule action 1 51 redirect 7214
+
+# Redirect all TCP with port 51218, for health check - 192.168.0.0/24
+create acl-rule 1 60
+add acl-rule condition 1 60 src-port 1
+add acl-rule condition 1 60 protocol 0x6/0xff
+add acl-rule condition 1 60 sip 192.168.0.0/16
+add acl-rule condition 1 60 dip 192.168.0.0/16
+add acl-rule condition 1 60 l4-dst-port 51218/0xffff
+add acl-rule action 1 60 redirect 7214
+ 
+create acl-rule 1 61
+add acl-rule condition 1 61 src-port 2
+add acl-rule condition 1 61 protocol 0x6/0xff
+add acl-rule condition 1 61 sip 192.168.0.0/16
+add acl-rule condition 1 61 dip 192.168.0.0/16
+add acl-rule condition 1 61 l4-dst-port 51218/0xffff
+add acl-rule action 1 61 redirect 7214
+
+create acl-rule 1 62
+add acl-rule condition 1 62 src-port 3
+add acl-rule condition 1 62 protocol 0x6/0xff
+add acl-rule condition 1 62 sip 192.168.0.0/16
+add acl-rule condition 1 62 dip 192.168.0.0/16
+add acl-rule condition 1 62 l4-dst-port 51218/0xffff
+add acl-rule action 1 62 redirect 7214
+ 
+create acl-rule 1 63
+add acl-rule condition 1 63 src-port 4
+add acl-rule condition 1 63 protocol 0x6/0xff
+add acl-rule condition 1 63 sip 192.168.0.0/16
+add acl-rule condition 1 63 dip 192.168.0.0/16
+add acl-rule condition 1 63 l4-dst-port 51218/0xffff
+add acl-rule action 1 63 redirect 7214
+
+# Redirect all TCP with port 51218, for health check - 10.0.0.0/8
+create acl-rule 1 64
+add acl-rule condition 1 64 src-port 1
+add acl-rule condition 1 64 protocol 0x6/0xff
+add acl-rule condition 1 64 sip 10.0.0.0/8
+add acl-rule condition 1 64 dip 10.0.0.0/8
+add acl-rule condition 1 64 l4-dst-port 51218/0xffff
+add acl-rule action 1 64 redirect 7214
+ 
+create acl-rule 1 65
+add acl-rule condition 1 65 src-port 2
+add acl-rule condition 1 65 protocol 0x6/0xff
+add acl-rule condition 1 65 sip 10.0.0.0/8
+add acl-rule condition 1 65 dip 10.0.0.0/8
+add acl-rule condition 1 65 l4-dst-port 51218/0xffff
+add acl-rule action 1 65 redirect 7214
+ 
+create acl-rule 1 66
+add acl-rule condition 1 66 src-port 3
+add acl-rule condition 1 66 protocol 0x6/0xff
+add acl-rule condition 1 66 sip 10.0.0.0/8
+add acl-rule condition 1 66 dip 10.0.0.0/8
+add acl-rule condition 1 66 l4-dst-port 51218/0xffff
+add acl-rule action 1 66 redirect 7214
+ 
+create acl-rule 1 67
+add acl-rule condition 1 67 src-port 4
+add acl-rule condition 1 67 protocol 0x6/0xff
+add acl-rule condition 1 67 sip 10.0.0.0/8
+add acl-rule condition 1 67 dip 10.0.0.0/8
+add acl-rule condition 1 67 l4-dst-port 51218/0xffff
+add acl-rule action 1 67 redirect 7214
+
+# Redirect all ICMPv6 link-scope packets
+create acl-rule 1 70
+add acl-rule condition 1 70 src-port 1
+add acl-rule condition 1 70 frame-type ipv6
+add acl-rule condition 1 70 ttl 255
+add acl-rule action 1 70 redirect 7214
+ 
+create acl-rule 1 71
+add acl-rule condition 1 71 src-port 2
+add acl-rule condition 1 71 frame-type ipv6
+add acl-rule condition 1 71 ttl 255
+add acl-rule action 1 71 redirect 7214
+ 
+create acl-rule 1 72
+add acl-rule condition 1 72 src-port 3
+add acl-rule condition 1 72 frame-type ipv6
+add acl-rule condition 1 72 ttl 255
+add acl-rule action 1 72 redirect 7214
+ 
+create acl-rule 1 73
+add acl-rule condition 1 73 src-port 4
+add acl-rule condition 1 73 frame-type ipv6
+add acl-rule condition 1 73 ttl 255
+add acl-rule action 1 73 redirect 7214
+
+create acl-rule 1 74
+add acl-rule condition 1 74 src-port 1
+add acl-rule condition 1 74 frame-type ipv6
+add acl-rule condition 1 74 sip fc00::/7
+add acl-rule condition 1 74 dip fc00::/7
+add acl-rule action 1 74 redirect 7214
+ 
+create acl-rule 1 75
+add acl-rule condition 1 75 src-port 2
+add acl-rule condition 1 75 frame-type ipv6
+add acl-rule condition 1 75 sip fc00::/7
+add acl-rule condition 1 75 dip fc00::/7
+add acl-rule action 1 75 redirect 7214
+ 
+create acl-rule 1 76
+add acl-rule condition 1 76 src-port 3
+add acl-rule condition 1 76 frame-type ipv6
+add acl-rule condition 1 76 sip fc00::/7
+add acl-rule condition 1 76 dip fc00::/7
+add acl-rule action 1 76 redirect 7214
+ 
+create acl-rule 1 77
+add acl-rule condition 1 77 src-port 4
+add acl-rule condition 1 77 frame-type ipv6
+add acl-rule condition 1 77 sip fc00::/7
+add acl-rule condition 1 77 dip fc00::/7
+add acl-rule action 1 77 redirect 7214
+
+create acl-rule 1 80
+add acl-rule condition 1 80 src-glort 0x5801
+add acl-rule action 1 80 redirect 9293
+
+create acl-rule 1 90
+add acl-rule condition 1 90 src-glort 0x5803
+add acl-rule condition 1 90 vlan 4000
+add acl-rule action 1 90 redirect 7220
+add acl-rule action 1 90 vlan 1
+
+create acl-rule 1 91
+add acl-rule condition 1 91 src-glort 0x5803
+add acl-rule condition 1 91 vlan 4001
+add acl-rule action 1 91 redirect 7213
+add acl-rule action 1 91 vlan 1
+
+create acl-rule 1 100
+add acl-rule condition 1 100 src-glort 0x5803
+add acl-rule action 1 100 redirect 9293
+
+create acl-rule 1 101
+add acl-rule condition 1 101 src-port 1
+add acl-rule action 1 101 redirect 7216
+create acl-rule 1 102
+add acl-rule condition 1 102 src-port 2
+add acl-rule action 1 102 redirect 7216
+create acl-rule 1 103
+add acl-rule condition 1 103 src-port 3
+add acl-rule action 1 103 redirect 7216
+create acl-rule 1 104
+add acl-rule condition 1 104 src-port 4
+add acl-rule action 1 104 redirect 7216
+
+create acl-rule 1 200
+add acl-rule condition 1 200 src-glort 0x5804
+add acl-rule action 1 200 redirect 6189
+create acl-rule 1 201
+add acl-rule condition 1 201 src-glort 0x5805
+add acl-rule action 1 201 redirect 5165
+create acl-rule 1 202
+add acl-rule condition 1 202 src-glort 0x5806
+add acl-rule action 1 202 redirect 4141
+create acl-rule 1 203
+add acl-rule condition 1 203 src-glort 0x5000
+add acl-rule action 1 203 redirect 7217
+create acl-rule 1 204
+add acl-rule condition 1 204 src-glort 0x4800
+add acl-rule action 1 204 redirect 7218
+create acl-rule 1 205
+add acl-rule condition 1 205 src-glort 0x4000
+add acl-rule action 1 205 redirect 7219
+
+create acl-rule 1 301
+add acl-rule condition 1 301 src-glort 0x5807
+add acl-rule action 1 301 redirect 7216
+add acl-rule action 1 301 vlan 4000
+
+create acl-rule 1 302
+add acl-rule condition 1 302 src-glort 0x5800
+add acl-rule action 1 302 redirect 7216
+add acl-rule action 1 302 vlan 4001
+
+create acl-rule 1 401
+add acl-rule condition 1 401 src-glort 0x5001
+add acl-rule action 1 401 redirect 9325
+create acl-rule 1 402
+add acl-rule condition 1 402 src-glort 0x4801
+add acl-rule action 1 402 redirect 9325
+create acl-rule 1 403
+add acl-rule condition 1 403 src-glort 0x4001
+add acl-rule action 1 403  redirect 9325
+
+apply acl
+remote listen

roles/switch_rule/tasks/main.yml

@@ -0,0 +1,5 @@
+- name: "copy switch_rule"
+  copy:
+    src: '{{ role_path }}/files/saved_startup'
+    dest: /usr/local/testpoint/perl/Config/libertyTrail/saved_startup
+    mode: 0755