[aclorch] acl set policer action #4666
Open
AnantKishorSharma wants to merge 1 commit into
Collaborator
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
695d3ce to 518e853
518e853 to 4fcf225
Classic AclOrch (CONFIG_DB path) had no way to attach a policer to an ACL rule: no action map contained SAI_ACL_ENTRY_ATTR_ACTION_SET_POLICER and AclRulePacket::validateAddAction() rejected any unknown action. Only P4Orch (P4RT) could program SET_POLICER.

Add a POLICER_ACTION rule action backed by a new AclRulePolicer subclass that resolves the policer OID via gPolicerOrch->getPolicerOid() and holds a PolicerOrch reference for the lifetime of the rule (increase/decrease ref count on create/remove), analogous to AclRuleMirror's handling of mirror sessions. Register the action in the table-type action parser and the makeShared dispatch.

If the referenced POLICER is synced after the ACL_RULE, defer the rule and rely on the Consumer m_toSync retry (same pattern as 'Wait for ACL table').

Signed-off-by: AnantKishorSharma <AnantKishorSharma@users.noreply.github.com>
4fcf225 to 2dbf8f9
Collaborator
Hi, there are workflow run(s) waiting for approval, you may be a first-time contributor. I will notify maintainers to help approve once PR is approved. Thanks! ---Powered by SONiC BuildBot
What I did

Added a `POLICER_ACTION` ACL rule action so a `CONFIG_DB` `ACL_RULE` can attach a policer (`SAI_ACL_ENTRY_ATTR_ACTION_SET_POLICER`), e.g.:

```json
{
  "ACL_RULE": {
    "DATAACL|RULE_1": {
      "PRIORITY": "9999",
      "SRC_IP": "10.0.0.1/32",
      "POLICER_ACTION": "test_policer"
    }
  }
}
```

Why I did it

`AclOrch` (the `CONFIG_DB` path) had no way to attach a policer to an ACL rule: none of the action maps in `orchagent/aclorch.cpp` (`aclL3ActionLookup`, `aclMirrorStageLookup`, `aclDTelActionLookup`, `aclOtherActionLookup`, `aclInnerActionLookup`) contained `SAI_ACL_ENTRY_ATTR_ACTION_SET_POLICER`, and `AclRulePacket::validateAddAction()` rejects any unrecognized action. The only producer of `SAI_ACL_ACTION_TYPE_SET_POLICER` today is P4Orch (`orchagent/p4orch/acl_table_manager.cpp`, gated on a table-definition `meter_unit`), which is driven by P4RT — not `CONFIG_DB`. A `POLICER` table already exists in `CONFIG_DB` (managed by `PolicerOrch`) but only mirror sessions, port storm-control, and CoPP trap groups consume it; ACL rules can't.

How I verified it

- `POLICER`, an ACL table type whose `ACTIONS` include `POLICER_ACTION`, an `ACL_TABLE`, and an `ACL_RULE` with `"POLICER_ACTION": "<policer>"`; confirm `SAI_ACL_ENTRY_ATTR_ACTION_SET_POLICER` appears on the ASIC_DB ACL entry and the policer ref count increments (and decrements on rule remove).
- `config_db.json` path to pass validation.

Details if related

- `POLICER_ACTION` -> `SAI_ACL_ENTRY_ATTR_ACTION_SET_POLICER` lookup, registered in `parseAclTableTypeActions` (table-type capability) and the `AclRule::makeShared` dispatch.
- `AclRulePolicer` rule class: resolves the policer OID via `gPolicerOrch->getPolicerOid()` and holds a `PolicerOrch` reference for the lifetime of the rule (`increaseRefCount`/`decreaseRefCount` on create/remove), analogous to `AclRuleMirror`. `gPolicerOrch` is already a global created before `gAclOrch`, so no constructor plumbing is needed.
- `doAclRuleTask`: if a rule references a `POLICER` not yet created, defer it and rely on the Consumer `m_toSync` retry — same pattern as the existing "Wait for ACL table" handling — so POLICER-after-ACL_RULE sync ordering works.
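
A pre-deployment check for the configuration described above, as an added example that is not part of this PR or of SONiC: it flags `ACL_RULE` entries whose `POLICER_ACTION` names a `POLICER` that is not defined (such a rule would stay deferred rather than be programmed) or whose table type does not list `POLICER_ACTION`. The function name, the sample data beyond `DATAACL|RULE_1`, and the treatment of built-in table types are assumptions.

```python
import json

# Constructed sample CONFIG_DB fragment. DATAACL|RULE_1 is the PR's example;
# RULE_2, RULE_3, the table types and the policer fields are made up here.
SAMPLE_CONFIG = json.loads("""
{
  "POLICER": {"test_policer": {"meter_type": "bytes", "mode": "sr_tcm", "cir": "600", "cbs": "600"}},
  "ACL_TABLE_TYPE": {
    "POLICED_L3": {"ACTIONS": ["PACKET_ACTION", "POLICER_ACTION"]},
    "PLAIN_L3": {"ACTIONS": ["PACKET_ACTION"]}
  },
  "ACL_TABLE": {
    "DATAACL": {"type": "POLICED_L3", "stage": "ingress", "ports": ["Ethernet0"]},
    "PLAINACL": {"type": "PLAIN_L3", "stage": "ingress", "ports": ["Ethernet4"]}
  },
  "ACL_RULE": {
    "DATAACL|RULE_1": {"PRIORITY": "9999", "SRC_IP": "10.0.0.1/32", "POLICER_ACTION": "test_policer"},
    "DATAACL|RULE_2": {"PRIORITY": "9998", "SRC_IP": "10.0.0.2/32", "POLICER_ACTION": "missing_policer"},
    "PLAINACL|RULE_3": {"PRIORITY": "9997", "SRC_IP": "10.0.0.3/32", "POLICER_ACTION": "test_policer"}
  }
}
""")

def lint_policer_rules(cfg):
    """Return (rule_key, problem) pairs for ACL rules that use POLICER_ACTION."""
    findings = []
    policers = cfg.get("POLICER", {})
    tables = cfg.get("ACL_TABLE", {})
    table_types = cfg.get("ACL_TABLE_TYPE", {})
    for key, rule in sorted(cfg.get("ACL_RULE", {}).items()):
        policer = rule.get("POLICER_ACTION")
        if policer is None:
            continue  # rule does not attach a policer
        table_name = key.split("|", 1)[0]  # rule keys are "<table>|<rule>"
        table = tables.get(table_name)
        if table is None:
            findings.append((key, "unknown ACL_TABLE " + table_name))
            continue
        # Assumption: types absent from ACL_TABLE_TYPE (built-ins) lack the action.
        actions = table_types.get(table.get("type"), {}).get("ACTIONS", [])
        if "POLICER_ACTION" not in actions:
            findings.append((key, "table type does not list POLICER_ACTION"))
        if policer not in policers:
            findings.append((key, "POLICER %s not defined; rule would stay deferred" % policer))
    return findings

if __name__ == "__main__":
    for rule_key, problem in lint_policer_rules(SAMPLE_CONFIG):
        print(rule_key, "->", problem)
```
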