From 79afcb30b73617396e16ce3cb1a06b45a4f4e44c Mon Sep 17 00:00:00 2001
From: Andriy Yurkiv <70649192+ayurkiv-nvda@users.noreply.github.com>
Date: Wed, 1 Mar 2023 11:27:58 +0200
Subject: [PATCH] [Dual-ToR] handle 'mux_tunnel_egress_acl' attrib in order to change ACL configuration (drop on ingress/egress) on standby ToR (#2646)

- What I did
Use "mux_tunnel_ingress_acl" to set ACL rules on ingress/egress side depending on attribute value ("disabled/enabled").
- Why I did it
We need to drop data-plane traffic and handle Control-plane traffic in the Dual-ToR scenario. But we can't do it on Mellanox platform and process traffic on ingress. To workaround it we can set ACL rules on egress ports, so will process control plane on ingress and drop Data-plane traffic that came from standby port on egress
- How I verified it
check "show mux status" on standby ToR - Mux status should be healthy. check "show what-just-happened" on standby ToR - no ICMP drop expected on standby ports.

Signed-off-by: Andriy Yurkiv
---
 orchagent/aclorch.cpp | 1 +
 orchagent/aclorch.h | 1 +
 orchagent/muxorch.cpp | 12 +++++++++---
 orchagent/muxorch.h | 1 +
 4 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/orchagent/aclorch.cpp b/orchagent/aclorch.cpp
index 472ff70def5d..89f77ab9dccd 100644
--- a/orchagent/aclorch.cpp
+++ b/orchagent/aclorch.cpp
@@ -3188,6 +3188,7 @@ void AclOrch::initDefaultTableTypes()
 builder.withName(TABLE_TYPE_DROP)
 .withBindPointType(SAI_ACL_BIND_POINT_TYPE_PORT)
 .withMatch(make_shared(SAI_ACL_TABLE_ATTR_FIELD_TC))
+ .withMatch(make_shared(SAI_ACL_TABLE_ATTR_FIELD_IN_PORTS))
 .build()
 );
diff --git a/orchagent/aclorch.h b/orchagent/aclorch.h
index c62a68991ac0..d9dd292785cc 100644
--- a/orchagent/aclorch.h
+++ b/orchagent/aclorch.h
@@ -95,6 +95,7 @@
 #define MLNX_MAX_RANGES_COUNT 16
 #define INGRESS_TABLE_DROP "IngressTableDrop"
+#define EGRESS_TABLE_DROP "EgressTableDrop"
 #define RULE_OPER_ADD 0
 #define RULE_OPER_DELETE 1
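Review bot: The added IN_PORTS qualifier changes the shared TABLE_TYPE_DROP definition, so every table built from that type — the existing ingress MUX drop table as well as the new egress one — now requests SAI_ACL_TABLE_ATTR_FIELD_IN_PORTS, and nothing in the hunk records why the egress variant needs it. A short comment on the new line would keep the next reader from removing it as unused, e.g. `// IN_PORTS: an egress-stage drop table (EGRESS_TABLE_DROP) is bound on the egress side, so it must identify the standby port the packet came in on`. Whether every ASIC that instantiates this type accepts IN_PORTS together with TC at both stages is not visible here and is worth confirming on platforms that keep using the ingress table. initDefaultTableTypes continues outside the hunk.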
diff --git a/orchagent/muxorch.cpp b/orchagent/muxorch.cpp
index 8c807341c545..79641374b4c2 100644
--- a/orchagent/muxorch.cpp
+++ b/orchagent/muxorch.cpp
@@ -791,8 +791,14 @@ MuxAclHandler::MuxAclHandler(sai_object_id_t port, string alias)
 {
 SWSS_LOG_ENTER();
+ string value;
+ shared_ptr m_config_db = shared_ptr(new DBConnector("CONFIG_DB", 0));
+ unique_ptr m_systemDefaultsTable = unique_ptr(new Table(m_config_db.get(), "SYSTEM_DEFAULTS"));
+ m_systemDefaultsTable->hget("mux_tunnel_egress_acl", "status", value);
+ is_ingress_acl_ = value != "enabled";
+
 // There is one handler instance per MUX port
- string table_name = MUX_ACL_TABLE_NAME;
+ string table_name = is_ingress_acl_ ? MUX_ACL_TABLE_NAME : EGRESS_TABLE_DROP;
 string rule_name = MUX_ACL_RULE_NAME;
 port_ = port;
@@ -830,7 +836,7 @@ MuxAclHandler::MuxAclHandler(sai_object_id_t port, string alias)
 MuxAclHandler::~MuxAclHandler(void)
 {
 SWSS_LOG_ENTER();
- string table_name = MUX_ACL_TABLE_NAME;
+ string table_name = is_ingress_acl_ ? MUX_ACL_TABLE_NAME : EGRESS_TABLE_DROP;
 string rule_name = MUX_ACL_RULE_NAME;
 SWSS_LOG_NOTICE("Un-Binding port %" PRIx64 "", port_);
@@ -876,7 +882,7 @@ void MuxAclHandler::createMuxAclTable(sai_object_id_t port, string strTable)
 auto dropType = gAclOrch->getAclTableType(TABLE_TYPE_DROP);
 assert(dropType);
 acl_table.validateAddType(*dropType);
- acl_table.stage = ACL_STAGE_INGRESS;
+ acl_table.stage = is_ingress_acl_ ? ACL_STAGE_INGRESS : ACL_STAGE_EGRESS;
 gAclOrch->addAclTable(acl_table);
 bindAllPorts(acl_table);
 }
diff --git a/orchagent/muxorch.h b/orchagent/muxorch.h
index d2590168cc12..8b7e3c95691d 100644
--- a/orchagent/muxorch.h
+++ b/orchagent/muxorch.h
@@ -55,6 +55,7 @@ class MuxAclHandler
 // class shared dict: ACL table name -> ACL table
 static std::map acl_table_;
 sai_object_id_t port_ = SAI_NULL_OBJECT_ID;
+ bool is_ingress_acl_ = true;
 string alias_;
 };
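Review bot: The result of `hget` on the new line is discarded, so a missing SYSTEM_DEFAULTS entry, a misspelled field or a failed CONFIG_DB read all silently select the ingress table, and the log gives no way to tell at which stage a port's drop ACL was built; record the decision, e.g. `bool found = m_systemDefaultsTable->hget("mux_tunnel_egress_acl", "status", value);` / `is_ingress_acl_ = !found || value != "enabled";` / `SWSS_LOG_NOTICE("MUX ACL for %s uses %s stage", alias.c_str(), is_ingress_acl_ ? "ingress" : "egress");`. The value is read per handler instance at construction and kept in is_ingress_acl_, so if the setting changed while some handlers already exist, later ports would land in a different entry of the shared acl_table_ map than earlier ones — presumably the field is fixed per deployment, but nothing here enforces that. The two locals carry an `m_` member prefix and open a fresh DBConnector for every MUX port; plain local names and `make_shared`/`make_unique` (if the build standard allows) would be cleaner, and the connector could be shared with the rest of the orch. The commit description names the field "mux_tunnel_ingress_acl" while the code reads "mux_tunnel_egress_acl"; the description should match the code. The constructor body continues outside the hunk.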
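Review bot: The ternary choosing MUX_ACL_TABLE_NAME or EGRESS_TABLE_DROP on the new line duplicates the one in the constructor, and the stage selection in createMuxAclTable (third hunk) is the same decision expressed a third time; a single private accessor on MuxAclHandler, e.g. `string aclTableName() const { return is_ingress_acl_ ? MUX_ACL_TABLE_NAME : EGRESS_TABLE_DROP; }`, would keep the constructor, destructor and table creation from drifting apart when either name changes. The destructor body continues outside the hunk.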
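Review bot: With the stage now possibly ACL_STAGE_EGRESS, the unchecked `gAclOrch->addAclTable(acl_table);` on the next context line becomes riskier: on an ASIC that rejects an egress-stage table with TC and IN_PORTS qualifiers, `bindAllPorts(acl_table);` would still run against a table that was never created, leaving the standby port without its drop ACL and with no clear signal in the orchagent log. Checking the result before binding, e.g. `if (!gAclOrch->addAclTable(acl_table)) { SWSS_LOG_ERROR("Failed to create MUX ACL table %s", strTable.c_str()); return; }`, would make that failure visible. Whether addAclTable reports a status is not visible in this hunk; if it does not, the check belongs wherever the SAI create status is known. createMuxAclTable starts outside the hunk.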
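Review bot: The new member `bool is_ingress_acl_ = true;` has no comment, so neither its meaning nor who sets it is stated, and the constructor overwrites it unconditionally. Suggested comment above it: `// Stage of this port's MUX drop ACL: true binds MUX_ACL_TABLE_NAME at ingress, false binds EGRESS_TABLE_DROP at egress; set once in the constructor from SYSTEM_DEFAULTS|mux_tunnel_egress_acl (status "enabled" selects egress)`. Since the neighbouring acl_table_ is shared across handlers while this flag is per instance, the comment should also note that the value is expected to be the same for every port. The class definition starts outside the hunk.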