[acl] Add IN_PORTS qualifier for L3 table #3078

Merged
merged 8 commits into from
Mar 18, 2024

@neethajohn neethajohn commented Mar 14, 2024

What I did
Added IN_PORTS for L3 v4 and v6 tables

Why I did it
IN_PORTS qualifier was allowed for L3 table in 202012 release and below. Changes in #1982 removed that support leading to regression in some of our testcases. The following error was observed
ERR swss#orchagent: :- validateAclRuleMatch: Match SAI_ACL_ENTRY_ATTR_FIELD_IN_PORTS in rule RULE_1 is not supported by table DATAACL

How I verified it
Build swss deb with the changes and rule creation is successful. Rules are installed in the asic as well
/var/log/syslog.3.gz:Mar 13 23:01:55.331230 str2-7050qx-32s-acs-02 INFO swss#orchagent: :- doAclRuleTask: OP: SET, TABLE_ID: DATAACL, RULE_ID: RULE_1
/var/log/syslog.3.gz:Mar 13 23:01:55.355294 str2-7050qx-32s-acs-02 INFO swss#orchagent: :- createCounter: Created counter for the rule RULE_1 in table DATAACL
/var/log/syslog.3.gz:Mar 13 23:01:55.380069 str2-7050qx-32s-acs-02 NOTICE swss#orchagent: :- add: Successfully created ACL rule RULE_1 in table DATAACL

admin@str2-7050qx-32s-acs-02:~$ show acl rule
Table    Rule          Priority    Action   Match                                                                                                                                                                                                                    Status
-------  ------------ ----------  -------- ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------  --------
DATAACL  RULE_1       9999        FORWARD   ETHER_TYPE: 2048                                                                                                                                                                                                         Active
                                           IN_PORTS: Ethernet12,Ethernet16,Ethernet20,Ethernet24,Ethernet28,Ethernet32,Ethernet36,Ethernet4,Ethernet40,Ethernet44,Ethernet48,Ethernet52,Ethernet56,Ethernet60,Ethernet64,Ethernet68,Ethernet72,Ethernet76,Ethernet8
                                           VLAN_ID: 1000
DATAACL  DEFAULT_RULE 1           DROP      ETHER_TYPE: 2048                                                                                                                                                                                                         Active

Signed-off-by: Neetha John <nejo@microsoft.com>
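
For triaging this regression from logs, the following added example (not part of the PR or of sonic-swss) scans orchagent syslog lines for the two messages quoted in the description above and reports rules whose latest outcome is a validateAclRuleMatch rejection, meaning rules that are configured but not enforced. The sample lines, the host name `switch-a` and `RULE_2` are constructed; only the message formats come from the page.

```python
import re

# Message formats taken from the orchagent log lines quoted in the PR description.
REJECTED = re.compile(
    r"validateAclRuleMatch: Match (?P<match>\S+) in rule (?P<rule>\S+) "
    r"is not supported by table (?P<table>\S+)"
)
CREATED = re.compile(
    r"add: Successfully created ACL rule (?P<rule>\S+) in table (?P<table>\S+)"
)

# Constructed sample input: timestamps, host name and RULE_2 are illustrative.
SAMPLE_SYSLOG = """\
Mar 13 22:40:10.101010 switch-a ERR swss#orchagent: :- validateAclRuleMatch: Match SAI_ACL_ENTRY_ATTR_FIELD_IN_PORTS in rule RULE_1 is not supported by table DATAACL
Mar 13 22:40:10.202020 switch-a NOTICE swss#orchagent: :- add: Successfully created ACL rule DEFAULT_RULE in table DATAACL
Mar 13 22:41:00.303030 switch-a ERR swss#orchagent: :- validateAclRuleMatch: Match SAI_ACL_ENTRY_ATTR_FIELD_IN_PORTS in rule RULE_2 is not supported by table DATAACL
Mar 13 23:01:55.380069 switch-a NOTICE swss#orchagent: :- add: Successfully created ACL rule RULE_1 in table DATAACL
"""


def acl_rule_states(lines):
    """Return {(table, rule): state} with the most recent outcome per rule.

    Later log lines override earlier ones, so a rule that was rejected and
    then created after a fix ends up in the "created" state.
    """
    states = {}
    for line in lines:
        m = REJECTED.search(line)
        if m:
            states[(m["table"], m["rule"])] = {
                "status": "rejected",
                "match": m["match"],
            }
            continue
        m = CREATED.search(line)
        if m:
            states[(m["table"], m["rule"])] = {"status": "created", "match": None}
    return states


def unenforced_rules(lines):
    """List (table, rule, unsupported_match) for rules still rejected."""
    return [
        (table, rule, state["match"])
        for (table, rule), state in acl_rule_states(lines).items()
        if state["status"] == "rejected"
    ]


if __name__ == "__main__":
    for table, rule, match in unenforced_rules(SAMPLE_SYSLOG.splitlines()):
        print(f"{table}/{rule}: not installed, unsupported qualifier {match}")
```

In the sample, `DEFAULT_RULE` (DROP in the description's `show acl rule` output) is installed while `RULE_2` is not, which is the state worth alerting on: the table's effective policy differs from the configured one.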
@bingwang-ms
The only concern for this change is we may have a limitation on the number of qualifiers we can program in a single ACL table on some platforms. But given the L3 table definition used to work in the 202012 branch, it should be fine.

@neethajohn neethajohn marked this pull request as ready for review March 18, 2024 15:27
@neethajohn neethajohn requested a review from prsunny as a code owner March 18, 2024 15:27
@prsunny prsunny merged commit 9d4a3ad into sonic-net:master Mar 18, 2024
14 checks passed
StormLiangMS commented Mar 20, 2024

Hi @neethajohn, could you run the test with the 202305 image? We also need to test with the Mellanox platform in case this change breaks theirs.

@StormLiangMS
ADO: 27172619

mssonicbld pushed a commit to mssonicbld/sonic-swss that referenced this pull request Mar 21, 2024
* Apply IN_PORTS qualifier for L3 table

Why I did it
IN_PORTS qualifier was allowed for L3 table in 202012 release and below. Changes in sonic-net#1982 removed that support leading to regression in some of our testcases. The following error was observed
ERR swss#orchagent: :- validateAclRuleMatch: Match SAI_ACL_ENTRY_ATTR_FIELD_IN_PORTS in rule RULE_1 is not supported by table DATAACL
@mssonicbld
Cherry-pick PR to 202311: #3083

mssonicbld pushed a commit to mssonicbld/sonic-swss that referenced this pull request Mar 22, 2024
* Apply IN_PORTS qualifier for L3 table

Why I did it
IN_PORTS qualifier was allowed for L3 table in 202012 release and below. Changes in sonic-net#1982 removed that support leading to regression in some of our testcases. The following error was observed
ERR swss#orchagent: :- validateAclRuleMatch: Match SAI_ACL_ENTRY_ATTR_FIELD_IN_PORTS in rule RULE_1 is not supported by table DATAACL
@mssonicbld
Cherry-pick PR to 202305: #3086

mssonicbld pushed a commit that referenced this pull request Mar 22, 2024
* Apply IN_PORTS qualifier for L3 table

Why I did it
IN_PORTS qualifier was allowed for L3 table in 202012 release and below. Changes in #1982 removed that support leading to regression in some of our testcases. The following error was observed
ERR swss#orchagent: :- validateAclRuleMatch: Match SAI_ACL_ENTRY_ATTR_FIELD_IN_PORTS in rule RULE_1 is not supported by table DATAACL
mssonicbld pushed a commit that referenced this pull request Mar 22, 2024
* Apply IN_PORTS qualifier for L3 table

Why I did it
IN_PORTS qualifier was allowed for L3 table in 202012 release and below. Changes in #1982 removed that support leading to regression in some of our testcases. The following error was observed
ERR swss#orchagent: :- validateAclRuleMatch: Match SAI_ACL_ENTRY_ATTR_FIELD_IN_PORTS in rule RULE_1 is not supported by table DATAACL
neethajohn added a commit to neethajohn/sonic-swss that referenced this pull request Mar 26, 2024
prsunny pushed a commit that referenced this pull request Mar 29, 2024
This reverts commit 9d4a3ad.
*Revert "[acl] Add IN_PORTS qualifier for L3 table"
mssonicbld pushed a commit to mssonicbld/sonic-swss that referenced this pull request Apr 3, 2024
…onic-net#3092)

This reverts commit 9d4a3ad.
*Revert "[acl] Add IN_PORTS qualifier for L3 table"
kevinskwang added a commit to kevinskwang/sonic-buildimage that referenced this pull request Apr 3, 2024
Why I did it
Release notes for Cisco 8102-64H-O, 8101-32FH-O, and 8111-32EH-O
• Fix for tx_drop counter increasing while the port is oper down (SR 696930881)
• Fix for [8111] MAC learning issue
• Addressed the following test case failures:
1 qos/test_tunnel_qos_remap
2 dualtor.test_tor_ecn.py:test_dscp_to_queue_during_decap_on_active
3 platform_tests.api.test_fan_drawer_fans.TestFanDrawerFans
4 platform_tests.api.test_chassis_fans.TestChassisFans
5 platform_tests.api.test_chassis.TestChassisApi failure
6 platform_tests.api.test_thermal.TestThermalApi failure

Caveats:
• There is a recent change in sonic_buildimage which is causing the test_acl failures:
• The PR link is sonic-net/sonic-swss#3078
• This PR 3078 has since been reverted in sonic-net:master via PR sonic-net#3092 and should be merged to 202305 for addressing the test_acl failures:
• The revert PR link is sonic-net/sonic-swss#3092
• Proceeding with this code drop with this known upstream issue impacting quality. Image can be built for validation once the upstream issue is addressed in 202305.

How I did it
Update platform version to 202305.1.0.11

Signed-off-by: Kevin(Shengkai) Wang <shengkaiwang@microsoft.com>
StormLiangMS pushed a commit that referenced this pull request Apr 3, 2024
…3098)

This reverts commit 9d4a3ad.
*Revert "[acl] Add IN_PORTS qualifier for L3 table"

Co-authored-by: Neetha John <nejo@microsoft.com>
noaOrMlnx pushed a commit to noaOrMlnx/sonic-swss that referenced this pull request Apr 3, 2024
StormLiangMS pushed a commit to sonic-net/sonic-buildimage that referenced this pull request Apr 3, 2024
Why I did it
Release notes for Cisco 8102-64H-O, 8101-32FH-O, and 8111-32EH-O
• Fix for tx_drop counter increasing while the port is oper down (SR 696930881)
• Fix for [8111] MAC learning issue
• Addressed the following test case failures:
1 qos/test_tunnel_qos_remap
2 dualtor.test_tor_ecn.py:test_dscp_to_queue_during_decap_on_active
3 platform_tests.api.test_fan_drawer_fans.TestFanDrawerFans
4 platform_tests.api.test_chassis_fans.TestChassisFans
5 platform_tests.api.test_chassis.TestChassisApi failure
6 platform_tests.api.test_thermal.TestThermalApi failure

Caveats:
• There is a recent change in sonic_buildimage which is causing the test_acl failures:
• The PR link is sonic-net/sonic-swss#3078
• This PR 3078 has since been reverted in sonic-net:master via PR #3092 and should be merged to 202305 for addressing the test_acl failures:
• The revert PR link is sonic-net/sonic-swss#3092
• Proceeding with this code drop with this known upstream issue impacting quality. Image can be built for validation once the upstream issue is addressed in 202305.

How I did it
Update platform version to 202305.1.0.11

Signed-off-by: Kevin(Shengkai) Wang <shengkaiwang@microsoft.com>
cscarpitta pushed a commit to cscarpitta/sonic-swss that referenced this pull request Apr 5, 2024
* Apply IN_PORTS qualifier for L3 table

Why I did it
IN_PORTS qualifier was allowed for L3 table in 202012 release and below. Changes in sonic-net#1982 removed that support leading to regression in some of our testcases. The following error was observed
ERR swss#orchagent: :- validateAclRuleMatch: Match SAI_ACL_ENTRY_ATTR_FIELD_IN_PORTS in rule RULE_1 is not supported by table DATAACL
cscarpitta pushed a commit to cscarpitta/sonic-swss that referenced this pull request Apr 5, 2024
…onic-net#3092)

This reverts commit 9d4a3ad.
*Revert "[acl] Add IN_PORTS qualifier for L3 table"
mssonicbld pushed a commit to mssonicbld/sonic-swss that referenced this pull request Apr 5, 2024
…onic-net#3092)

This reverts commit 9d4a3ad.
*Revert "[acl] Add IN_PORTS qualifier for L3 table"
mssonicbld pushed a commit that referenced this pull request Apr 8, 2024
This reverts commit 9d4a3ad.
*Revert "[acl] Add IN_PORTS qualifier for L3 table"
superchild pushed a commit to superchild/sonic-swss that referenced this pull request Apr 24, 2024
* Fixes mock test failure

* Fixes mock test run failure

fixes pipeline run failure

FAIL: p4orch_tests_usan
=======================

../../../orchagent/vrforch.cpp:113:41: runtime error: member call on
null pointer of type 'struct RouteOrch'
../../../orchagent/vrforch.cpp:113:41: runtime error: member access
within null pointer of type 'struct RouteOrch'
FAIL p4orch_tests_usan (exit status: 139)

* Fixed orchagent crash in VM with the Qos BUFFER_QUEUE|system-port|Queue-id-range config (sonic-net#3050)

* Fixed orchagent crash in VM with the Qos BUFFER_QUEUE|system-port|Queue-id-range config

* [intfsorch] Enable ipv6 proxy ndp along with proxy arp (sonic-net#3045)

* [intfsorch] Enable ipv6 proxy ndp along with proxy arp

setting SAI_VLAN_ATTR_UNKNOWN_MULTICAST_FLOOD_CONTROL_TYPE to
SAI_VLAN_FLOOD_CONTROL_TYPE_NONE when proxy arp is enabled. This fixes a
bug where ipv6 NS packets were flooding ports with duplicate packets. We
now set multicast flood type to none.

* Fix multi VLAN neighbor learning (sonic-net#3049)

What I did

When adding a new neighbor, check if the neighbor IP has already been learned on a different VLAN. If it has, remove the old neighbor entry before adding the new one.

Why I did it
On Gemini devices, if a neighbor IP moves from an active port in one VLAN to a second VLAN, then back to the first VLAN (with 3 different MAC addresses), orchagent will crash. Even though the MAC address of the last move is different from the first MAC address, orchagent believes the last MAC address to already be programmed in the hardware and tries to set an attribute of the entry which doesn't exist.

* [asan] Disable the "maybe-uninitialized" warning when compiled with ASAN enabled.

* Set HOST_TX_READY_NOTIFY attribute only after query capabilities(sonic-net#3070)

*Set HOST_TX_READY_NOTIFY attribute only after query capabilities

* [EVPN] Skip EVPN routes with invalid VNI or router mac field (sonic-net#3073)

* Skip EVPN routes with invalid VNI or router mac field

* Add port flap count and last flap timestamp to APPL_DB (sonic-net#3052)

* Add port flap count and last flap timestamp

* Add basic fabric link monitoring counters and states handling. (sonic-net#2988)

* Add basic fabric link monitoring counters and states handling.

* [Mellanox] Fix inconsistence in the shared headroom pool initialization (sonic-net#3057)

* Fix inconsistence in the shared headroom pool initialization

* Why I did it

During initialization, if SHP is enabled

the buffer pool sizes, xoff have initialized to 0, which means SHP is disabled
but the buffer profiles already indicate SHP
later on the buffer pool sizes are updated with off being non-zero
In case the orchagent starts handling buffer configuration between 2 and 3, it is inconsistent between buffer pools and profiles, which fails Mellanox SAI sanity check.
To avoid it, it indicates SHP enabled by setting a very small buffer pool and SHP sizes

* [acl] Add IN_PORTS qualifier for L3 table (sonic-net#3078)

* Apply IN_PORTS qualifier for L3 table

Why I did it
IN_PORTS qualifier was allowed for L3 table in 202012 release and below. Changes in sonic-net#1982 removed that support leading to regression in some of our testcases. The following error was observed
ERR swss#orchagent: :- validateAclRuleMatch: Match SAI_ACL_ENTRY_ATTR_FIELD_IN_PORTS in rule RULE_1 is not supported by table DATAACL

* [bulker] add support for neighbor bulking (sonic-net#2768)

Adding support for sai_neighbor_api_t bulking in bulker.h

* [buffermgrd] Move switch-statement outside of if-statement in BufferMgr::doTask (sonic-net#3055)

* [buffermgr] Moved switch statement outside of if-statement in Buffermgr::doTask

The switch statement which would normally erase buffer events was moved
to be inside the if-statement which would only enter if the event is a
SET event. This was introduced in commit e5329c39.

This would cause an infinite loop, since non-set events would never be
erased.

The switch statement has now been moved to occur outside the if,
allowing for non-set commands to be processed.

* [portsorch] process only updated APP_DB fields when port is already   created (sonic-net#3025)

* [portsorch] process only updated APP_DB fields when port is already created

What I did

Fixing an issue when setting some port attribute in APPL_DB triggers serdes parameters to be re-programmed with port toggling. Made portsorch to handle only those attributes that were pushed to APPL_DB, so that serdes programming happens only by xcvrd's request to do so.

* [Copp]Refactor coppmgr tests (sonic-net#3093)

What I did
Refactoring coppmgr mock tests

Why I did it
After migration to bookworm, coppmgr tests started failing due to the use of sudo commands.

* Revert "[acl] Add IN_PORTS qualifier for L3 table (sonic-net#3078)" (sonic-net#3092)

This reverts commit 9d4a3ad.
*Revert "[acl] Add IN_PORTS qualifier for L3 table"

* [orchagent] TWAMP Light orchagent implementation (sonic-net#2927)

* [orchagent] TWAMP Light orchagent implementation. (sonic-net#2927)
* What I did
Implemented the TWAMP Light feature according to the SONiC TWAMP Light HLD(sonic-net/SONiC#1320).

* Clang format change. (sonic-net#3080)

What I did
This PR has no real code change. It is purely clang formatting. It only applies to the P4Orch codes.
Commands that I run:
find orchagent/p4orch -name *.h -o -name .cpp | xargs clang-format -i -style="{BasedOnStyle: Microsoft, DerivePointerAlignment: false}"

find orchagent -name response_publisher -o -name return_code.h | xargs clang-format -i -style="{BasedOnStyle: Microsoft, DerivePointerAlignment: false}"

* T2-VOQ-VS: Fix iBGP bringup issue  (sonic-net#3053)

* Fix iBGP bringup issue T2-vswitch
* On T2-VOQ chassis Emulation with multi-asic linecards, iBGP sessions don't come up. Related Issue: sonic-net/sonic-buildimage#18129

* [Fdbsyncd] Adding extern_learn flag with fdb entry so Kernel doesn't age out (sonic-net#2985)

* Adding extern_learn flag with fdb entry so that Kernel doesn't age out the MAC

* [Fdbsyncd] Adding extern_learn flag with fdb entry so Kernel doesn't age out

What I did
extern_learn flag is added while programming the fdb entry into the Kernel. This will make sure that kernel doesn't age out the fdb entry. (#15004)

How I did it
A flag extern_learn will be passed while programming the fdb entry. (#15004)

How to verify it
Tested MAC add/del to the Kernel from the local FDB entry. (#15004)

Signed-off-by: kishore.kunal@broadcom.com

---------

Signed-off-by: kishore.kunal@broadcom.com
Co-authored-by: Sudharsan Dhamal Gopalarathnam <sudharsand@nvidia.com>

* Fix oper FEC retrieval after warmboot (sonic-net#3100)

Updating oper FEC status in state_db after warm-reboot as part of refresh port status call

* [EVPN]Fix fpmsyncd crash when EVPN type5 is received with bgp fib suppression enabled (sonic-net#3101)

* [EVPN]Fix fpmsyncd crash when EVPN type5 is received with bgp fib suppression enabled

* [portsorch] Handle TRANSCEIVER_INFO table on warm boot (sonic-net#3087)

* Add existing data from TRANSCEIVER_INFO table

* Introduce a new role for DPU-NPU Interconnect

Signed-off-by: Vivek Reddy Karri <vkarri@nvidia.com>
Co-authored-by: Sudharsan Dhamal Gopalarathnam <sudharsand@nvidia.com>

* [p4orch] Clang format change. (sonic-net#3096)

What I did
[p4orch]  This PR has no real code change. It is purely clang formatting. 
It does the same as sonic-net#3080.

* [dash] fix ENI admin state update (sonic-net#3081)

* [dash] fix ENI admin state update

* Add force option for fabric port unisolate command (sonic-net#3089)

What I did
Add force option to the unisolate link command, so users can make the links not isolate if they want.
depends on sonic-net/sonic-buildimage#18447

* [twamporch] Explicitly initialize local variable (sonic-net#3115)

What I did
Explicitly initialized local variable.

Why I did it
We met below error message in sonic-buildimage armhf build (sonic-net/sonic-buildimage#18334)

* Add bookworm build to the PR checkers (sonic-net#3114)

What I did
Add a Bookworm build to the PR checkers. Also fix some Bookworm build errors that crept in.

Why I did it
Buildimage now builds swss for Bookworm, so the build needs to succeed.

* [ACL] Remove flex counter when updating ACL rule (sonic-net#3118)

What I did
This PR is to fix sonic-net/sonic-buildimage#18719

When ACL rule is created for the first time, a flex counter is created and registered. When the same ACL rule is being updated, the FlexCounter created before is not removed, and another FlexCounter is created and registered.

Why I did it
Fix the issue that FlexCounter is duplicated when updating existing ACL rule.

---------

Signed-off-by: kishore.kunal@broadcom.com
Signed-off-by: Vivek Reddy Karri <vkarri@nvidia.com>
Co-authored-by: saksarav-nokia <sakthivadivu.saravanaraj@nokia.com>
Co-authored-by: Nikola Dancejic <26731235+Ndancejic@users.noreply.github.com>
Co-authored-by: Lawrence Lee <lawlee@microsoft.com>
Co-authored-by: Oleksandr Ivantsiv <oivantsiv@nvidia.com>
Co-authored-by: noaOrMlnx <58519608+noaOrMlnx@users.noreply.github.com>
Co-authored-by: Lior Avramov <73036155+liorghub@users.noreply.github.com>
Co-authored-by: Prince George <45705344+prgeor@users.noreply.github.com>
Co-authored-by: jfeng-arista <98421150+jfeng-arista@users.noreply.github.com>
Co-authored-by: Stephen Sun <5379172+stephenxs@users.noreply.github.com>
Co-authored-by: Neetha John <nejo@microsoft.com>
Co-authored-by: Amir <mazora@marvell.com>
Co-authored-by: Stepan Blyshchak <38952541+stepanblyschak@users.noreply.github.com>
Co-authored-by: Sudharsan Dhamal Gopalarathnam <sudharsand@nvidia.com>
Co-authored-by: xiaodong hu <32903206+huseratgithub@users.noreply.github.com>
Co-authored-by: mint570 <70396898+mint570@users.noreply.github.com>
Co-authored-by: Deepak Singhal <115033986+deepak-singhal0408@users.noreply.github.com>
Co-authored-by: KISHORE KUNAL <64033340+kishorekunal01@users.noreply.github.com>
Co-authored-by: Vivek <vivekreddykarri98@gmail.com>
Co-authored-by: Yakiv Huryk <62013282+Yakiv-Huryk@users.noreply.github.com>
Co-authored-by: Saikrishna Arcot <sarcot@microsoft.com>
Co-authored-by: bingwang-ms <66248323+bingwang-ms@users.noreply.github.com>