[sonic-swss] Support IPv6 ACL (sonic-net#414)

* Support IPv6 ACL * Add vs test cases for ipv6 ACL
madhanmellanox · Mar 14, 2018 · 2ae1714 · 2ae1714
1 parent 05fb586
commit 2ae1714
Show file tree

Hide file tree

Showing 3 changed files with 754 additions and 41 deletions.
diff --git a/orchagent/aclorch.cpp b/orchagent/aclorch.cpp
@@ -33,6 +33,8 @@ acl_rule_attr_lookup_t aclMatchLookup =
 {
     { MATCH_SRC_IP,            SAI_ACL_ENTRY_ATTR_FIELD_SRC_IP },
     { MATCH_DST_IP,            SAI_ACL_ENTRY_ATTR_FIELD_DST_IP },
+    { MATCH_SRC_IPV6,          SAI_ACL_ENTRY_ATTR_FIELD_SRC_IPV6 },
+    { MATCH_DST_IPV6,          SAI_ACL_ENTRY_ATTR_FIELD_DST_IPV6 },
     { MATCH_L4_SRC_PORT,       SAI_ACL_ENTRY_ATTR_FIELD_L4_SRC_PORT },
     { MATCH_L4_DST_PORT,       SAI_ACL_ENTRY_ATTR_FIELD_L4_DST_PORT },
     { MATCH_ETHER_TYPE,        SAI_ACL_ENTRY_ATTR_FIELD_ETHER_TYPE },
@@ -55,6 +57,7 @@ acl_rule_attr_lookup_t aclL3ActionLookup =
 static acl_table_type_lookup_t aclTableTypeLookUp =
 {
     { TABLE_TYPE_L3,        ACL_TABLE_L3 },
+    { TABLE_TYPE_L3V6,      ACL_TABLE_L3V6 },
     { TABLE_TYPE_MIRROR,    ACL_TABLE_MIRROR },
     { TABLE_TYPE_CTRLPLANE, ACL_TABLE_CTRLPLANE }
 };
@@ -210,16 +213,24 @@ bool AclRule::validateAddMatch(string attr_name, string attr_value)
         {
             IpPrefix ip(attr_value);
 
-            if (ip.isV4())
+            if (!ip.isV4())
             {
-                value.aclfield.data.ip4 = ip.getIp().getV4Addr();
-                value.aclfield.mask.ip4 = ip.getMask().getV4Addr();
+                SWSS_LOG_ERROR("IP type is not v4 type");
+                return false;
             }
-            else
+            value.aclfield.data.ip4 = ip.getIp().getV4Addr();
+            value.aclfield.mask.ip4 = ip.getMask().getV4Addr();
+        }
+        else if (attr_name == MATCH_SRC_IPV6 || attr_name == MATCH_DST_IPV6)
+        {
+            IpPrefix ip(attr_value);
+            if (ip.isV4())
             {
-                memcpy(value.aclfield.data.ip6, ip.getIp().getV6Addr(), 16);
-                memcpy(value.aclfield.mask.ip6, ip.getMask().getV6Addr(), 16);
+                SWSS_LOG_ERROR("IP type is not v6 type");
+                return false;
             }
+            memcpy(value.aclfield.data.ip6, ip.getIp().getV6Addr(), 16);
+            memcpy(value.aclfield.mask.ip6, ip.getMask().getV6Addr(), 16);
         }
         else if ((attr_name == MATCH_L4_SRC_PORT_RANGE) || (attr_name == MATCH_L4_DST_PORT_RANGE))
         {
@@ -467,7 +478,7 @@ shared_ptr<AclRule> AclRule::makeShared(acl_table_type_t type, AclOrch *acl, Mir
         throw runtime_error("ACL rule action is not found in rule " + rule);
     }
 
-    if (type != ACL_TABLE_L3 && type != ACL_TABLE_MIRROR)
+    if (type != ACL_TABLE_L3 && type != ACL_TABLE_L3V6 && type != ACL_TABLE_MIRROR)
     {
         throw runtime_error("Unknown table type.");
     }
@@ -482,6 +493,11 @@ shared_ptr<AclRule> AclRule::makeShared(acl_table_type_t type, AclOrch *acl, Mir
     {
         return make_shared<AclRuleL3>(acl, rule, table, type);
     }
+    /* L3V6 rules can exist only in L3V6 table */
+    else if (type == ACL_TABLE_L3V6)
+    {
+        return make_shared<AclRuleL3V6>(acl, rule, table, type);
+    }
 
     throw runtime_error("Wrong combination of table type and action in rule " + rule);
 }
@@ -697,6 +713,11 @@ bool AclRuleL3::validateAddMatch(string attr_name, string attr_value)
         SWSS_LOG_ERROR("DSCP match is not supported for the tables of type L3");
         return false;
     }
+    if (attr_name == MATCH_SRC_IPV6 || attr_name == MATCH_DST_IPV6)
+    {
+        SWSS_LOG_ERROR("IPv6 address match is not supported for the tables of type L3");
+        return false;
+    }
 
     return AclRule::validateAddMatch(attr_name, attr_value);
 }
@@ -718,6 +739,28 @@ void AclRuleL3::update(SubjectType, void *)
     // Do nothing
 }
 
+AclRuleL3V6::AclRuleL3V6(AclOrch *aclOrch, string rule, string table, acl_table_type_t type) :
+        AclRuleL3(aclOrch, rule, table, type)
+{
+}
+
+
+bool AclRuleL3V6::validateAddMatch(string attr_name, string attr_value)
+{
+    if (attr_name == MATCH_DSCP)
+    {
+        SWSS_LOG_ERROR("DSCP match is not supported for the tables of type L3V6");
+        return false;
+    }
+    if (attr_name == MATCH_SRC_IP || attr_name == MATCH_DST_IP)
+    {
+        SWSS_LOG_ERROR("IPv4 address match is not supported for the tables of type L3V6");
+        return false;
+    }
+
+    return AclRule::validateAddMatch(attr_name, attr_value);
+}
+
 AclRuleMirror::AclRuleMirror(AclOrch *aclOrch, MirrorOrch *mirror, string rule, string table, acl_table_type_t type) :
         AclRule(aclOrch, rule, table, type),
         m_state(false),
@@ -746,7 +789,8 @@ bool AclRuleMirror::validateAddAction(string attr_name, string attr_value)
 
 bool AclRuleMirror::validateAddMatch(string attr_name, string attr_value)
 {
-    if (m_tableType == ACL_TABLE_L3 && attr_name == MATCH_DSCP)
+    if ((m_tableType == ACL_TABLE_L3 || m_tableType == ACL_TABLE_L3V6)
+	&& attr_name == MATCH_DSCP)
     {
         SWSS_LOG_ERROR("DSCP match is not supported for the tables of type L3");
         return false;
@@ -939,14 +983,26 @@ bool AclTable::create()
     attr.value.booldata = true;
     table_attrs.push_back(attr);
 
-    attr.id = SAI_ACL_TABLE_ATTR_FIELD_SRC_IP;
-    attr.value.booldata = true;
-    table_attrs.push_back(attr);
+    if (type == ACL_TABLE_L3V6)
+    {
+        attr.id = SAI_ACL_TABLE_ATTR_FIELD_SRC_IPV6;
+        attr.value.booldata = true;
+        table_attrs.push_back(attr);
 
-    attr.id = SAI_ACL_TABLE_ATTR_FIELD_DST_IP;
-    attr.value.booldata = true;
-    table_attrs.push_back(attr);
+        attr.id = SAI_ACL_TABLE_ATTR_FIELD_DST_IPV6;
+        attr.value.booldata = true;
+        table_attrs.push_back(attr);
+    }
+    else
+    {
+        attr.id = SAI_ACL_TABLE_ATTR_FIELD_SRC_IP;
+        attr.value.booldata = true;
+        table_attrs.push_back(attr);
 
+        attr.id = SAI_ACL_TABLE_ATTR_FIELD_DST_IP;
+        attr.value.booldata = true;
+        table_attrs.push_back(attr);
+    }
     attr.id = SAI_ACL_TABLE_ATTR_FIELD_L4_SRC_PORT;
     attr.value.booldata = true;
     table_attrs.push_back(attr);
@@ -1479,6 +1535,8 @@ void AclOrch::doAclTableTask(Consumer &consumer)
                     if (!processAclTableType(attr_value, newTable.type))
                     {
                         SWSS_LOG_ERROR("Failed to process table type for table %s", table_id.c_str());
+                        bAllAttributesOk = false;
+                        break;
                     }
                 }
                 else if (attr_name == TABLE_PORTS)
@@ -1490,13 +1548,17 @@ void AclOrch::doAclTableTask(Consumer &consumer)
                     if (!suc)
                     {
                         SWSS_LOG_ERROR("Failed to process table ports for table %s", table_id.c_str());
+                        bAllAttributesOk = false;
+                        break;
                     }
                 }
                 else if (attr_name == TABLE_STAGE)
                 {
                    if (!processAclTableStage(attr_value, newTable.stage))
                    {
                        SWSS_LOG_ERROR("Failed to process table stage for table %s", table_id.c_str());
+                       bAllAttributesOk = false;
+                       break;
                    }
                 }
                 else
@@ -1566,35 +1628,32 @@ void AclOrch::doAclRuleTask(Consumer &consumer)
                 continue;
             }
 
-            if (bAllAttributesOk)
-            {
-                newRule = AclRule::makeShared(m_AclTables[table_oid].type, this, m_mirrorOrch, rule_id, table_id, t);
+            newRule = AclRule::makeShared(m_AclTables[table_oid].type, this, m_mirrorOrch, rule_id, table_id, t);
 
-                for (const auto& itr : kfvFieldsValues(t))
-                {
-                    string attr_name = toUpper(fvField(itr));
-                    string attr_value = fvValue(itr);
+            for (const auto& itr : kfvFieldsValues(t))
+            {
+                string attr_name = toUpper(fvField(itr));
+                string attr_value = fvValue(itr);
 
-                    SWSS_LOG_INFO("ATTRIBUTE: %s %s", attr_name.c_str(), attr_value.c_str());
+                SWSS_LOG_INFO("ATTRIBUTE: %s %s", attr_name.c_str(), attr_value.c_str());
 
-                    if (newRule->validateAddPriority(attr_name, attr_value))
-                    {
-                        SWSS_LOG_INFO("Added priority attribute");
-                    }
-                    else if (newRule->validateAddMatch(attr_name, attr_value))
-                    {
-                        SWSS_LOG_INFO("Added match attribute '%s'", attr_name.c_str());
-                    }
-                    else if (newRule->validateAddAction(attr_name, attr_value))
-                    {
-                        SWSS_LOG_INFO("Added action attribute '%s'", attr_name.c_str());
-                    }
-                    else
-                    {
-                        SWSS_LOG_ERROR("Unknown or invalid rule attribute '%s : %s'", attr_name.c_str(), attr_value.c_str());
-                        bAllAttributesOk = false;
-                        break;
-                    }
+                if (newRule->validateAddPriority(attr_name, attr_value))
+                {
+                    SWSS_LOG_INFO("Added priority attribute");
+                }
+                else if (newRule->validateAddMatch(attr_name, attr_value))
+                {
+                    SWSS_LOG_INFO("Added match attribute '%s'", attr_name.c_str());
+                }
+                else if (newRule->validateAddAction(attr_name, attr_value))
+                {
+                    SWSS_LOG_INFO("Added action attribute '%s'", attr_name.c_str());
+                }
+                else
+                {
+                    SWSS_LOG_ERROR("Unknown or invalid rule attribute '%s : %s'", attr_name.c_str(), attr_value.c_str());
+                    bAllAttributesOk = false;
+                    break;
                 }
             }
 

diff --git a/orchagent/aclorch.h b/orchagent/aclorch.h
@@ -23,12 +23,15 @@
 #define TABLE_PORTS       "PORTS"
 
 #define TABLE_TYPE_L3        "L3"
+#define TABLE_TYPE_L3V6      "L3V6"
 #define TABLE_TYPE_MIRROR    "MIRROR"
 #define TABLE_TYPE_CTRLPLANE "CTRLPLANE"
 
 #define RULE_PRIORITY           "PRIORITY"
 #define MATCH_SRC_IP            "SRC_IP"
 #define MATCH_DST_IP            "DST_IP"
+#define MATCH_SRC_IPV6          "SRC_IPV6"
+#define MATCH_DST_IPV6          "DST_IPV6"
 #define MATCH_L4_SRC_PORT       "L4_SRC_PORT"
 #define MATCH_L4_DST_PORT       "L4_DST_PORT"
 #define MATCH_ETHER_TYPE        "ETHER_TYPE"
@@ -64,6 +67,7 @@ typedef enum
 {
     ACL_TABLE_UNKNOWN,
     ACL_TABLE_L3,
+    ACL_TABLE_L3V6,
     ACL_TABLE_MIRROR,
     ACL_TABLE_CTRLPLANE
 } acl_table_type_t;
@@ -192,10 +196,17 @@ class AclRuleL3: public AclRule
     bool validateAddMatch(string attr_name, string attr_value);
     bool validate();
     void update(SubjectType, void *);
-private:
+protected:
     sai_object_id_t getRedirectObjectId(const string& redirect_param);
 };
 
+class AclRuleL3V6: public AclRuleL3
+{
+public:
+    AclRuleL3V6(AclOrch *m_pAclOrch, string rule, string table, acl_table_type_t type);
+    bool validateAddMatch(string attr_name, string attr_value);
+};
+
 class AclRuleMirror: public AclRule
 {
 public: