[acl]: Allow ACL table bind to LAGs and VLANs.

sonic-net · Oct 13, 2017 · 2ffa068 · 2ffa068
1 parent 3f8cfe5
commit 2ffa068
Show file tree

Hide file tree

Showing 3 changed files with 115 additions and 18 deletions.
diff --git a/orchagent/aclorch.cpp b/orchagent/aclorch.cpp
@@ -1229,13 +1229,15 @@ void AclOrch::doAclTableTask(Consumer &consumer)
                     if (!processAclTableType(attr_value, newTable.type))
                     {
                         SWSS_LOG_ERROR("Failed to process table type for table %s", table_id.c_str());
+                        bAllAttributesOk = false;
                     }
                 }
                 else if (attr_name == TABLE_PORTS)
                 {
                     if (!processPorts(attr_value, newTable.ports))
                     {
                         SWSS_LOG_ERROR("Failed to process table ports for table %s", table_id.c_str());
+                        bAllAttributesOk = false;
                     }
                 }
                 else
@@ -1399,13 +1401,27 @@ bool AclOrch::processPorts(string portsList, ports_list_t& out)
             return false;
         }
 
-        if (port.m_type != Port::PHY)
+        switch (port.m_type)
         {
+        case Port::PHY:
+            if (port.m_lag_member_id != SAI_NULL_OBJECT_ID)
+            {
+                SWSS_LOG_ERROR("Failed to process port. Bind table to LAG member %s is not allowed", alias.c_str());
+                return false;
+            }
+            out.push_back(port.m_port_id);
+            break;
+        case Port::LAG:
+            out.push_back(port.m_lag_id);
+            break;
+        case Port::VLAN:
+            out.push_back(port.m_vlan_id);
+            break;
+        default:
             SWSS_LOG_ERROR("Failed to process port. Incorrect port %s type %d", alias.c_str(), port.m_type);
             return false;
         }
 
-        out.push_back(port.m_port_id);
     }
 
     return true;
@@ -1466,10 +1482,39 @@ sai_status_t AclOrch::createBindAclTable(AclTable &aclTable, sai_object_id_t &ta
           SAI_ACL_RANGE_TYPE_L4_SRC_PORT_RANGE
         };
 
+    set<sai_acl_bind_point_type_t> binds;
+    for (auto portid : aclTable.ports)
+    {
+        Port port;
+        if (!m_portOrch->getPort(portid, port))
+        {
+            continue;
+        }
+
+        switch (port.m_type)
+        {
+        case Port::PHY:
+            binds.insert(SAI_ACL_BIND_POINT_TYPE_PORT);
+            break;
+        case Port::VLAN:
+            binds.insert(SAI_ACL_BIND_POINT_TYPE_VLAN);
+            break;
+        case Port::LAG:
+            binds.insert(SAI_ACL_BIND_POINT_TYPE_LAG);
+            break;
+        default:
+            return SAI_STATUS_FAILURE;
+        }
+    }
     attr.id = SAI_ACL_TABLE_ATTR_ACL_BIND_POINT_TYPE_LIST;
     vector<int32_t> bpoint_list;
-    bpoint_list.push_back(SAI_ACL_BIND_POINT_TYPE_PORT);
-    attr.value.s32list.count = 1;
+
+    for (auto bind : binds)
+    {
+        bpoint_list.push_back(bind);
+    }
+
+    attr.value.s32list.count = static_cast<uint32_t>(bpoint_list.size());
     attr.value.s32list.list = bpoint_list.data();
     table_attrs.push_back(attr);
 
@@ -1622,7 +1667,6 @@ sai_status_t AclOrch::bindAclTable(sai_object_id_t table_oid, AclTable &aclTable
         {
             Port port;
             gPortsOrch->getPort(portOid, port);
-            assert(port.m_type == Port::PHY);
 
             sai_object_id_t group_member_oid;
             status = port.bindAclTable(group_member_oid, table_oid);

diff --git a/orchagent/port.cpp b/orchagent/port.cpp
@@ -10,6 +10,8 @@ extern "C" {
 using namespace std;
 
 extern sai_port_api_t *sai_port_api;
+extern sai_lag_api_t *sai_lag_api;
+extern sai_vlan_api_t *sai_vlan_api;
 extern sai_acl_api_t* sai_acl_api;
 extern sai_object_id_t gSwitchId;
 
@@ -18,12 +20,15 @@ namespace swss {
 sai_status_t Port::bindAclTable(sai_object_id_t& group_member_oid, sai_object_id_t table_oid)
 {
     sai_status_t status;
+
     sai_object_id_t groupOid;
 
     // If port ACL table group does not exist, create one
     if (m_acl_table_group_id == 0)
     {
-        sai_object_id_t bp_list[] = { SAI_ACL_BIND_POINT_TYPE_PORT };
+        int32_t bp_list[] = {SAI_ACL_BIND_POINT_TYPE_PORT,
+                SAI_ACL_BIND_POINT_TYPE_LAG,
+                SAI_ACL_BIND_POINT_TYPE_VLAN};
 
         vector<sai_attribute_t> group_attrs;
         sai_attribute_t group_attr;
@@ -33,8 +38,8 @@ sai_status_t Port::bindAclTable(sai_object_id_t& group_member_oid, sai_object_id
         group_attrs.push_back(group_attr);
 
         group_attr.id = SAI_ACL_TABLE_GROUP_ATTR_ACL_BIND_POINT_TYPE_LIST;
-        group_attr.value.objlist.count = 1;
-        group_attr.value.objlist.list = bp_list;
+        group_attr.value.s32list.count = sizeof(bp_list)/sizeof(*bp_list);
+        group_attr.value.s32list.list = bp_list;
         group_attrs.push_back(group_attr);
 
         group_attr.id = SAI_ACL_TABLE_GROUP_ATTR_TYPE;
@@ -50,18 +55,60 @@ sai_status_t Port::bindAclTable(sai_object_id_t& group_member_oid, sai_object_id
 
         m_acl_table_group_id = groupOid;
 
-        // Bind this ACL group to port OID
-        sai_attribute_t port_attr;
-        port_attr.id = SAI_PORT_ATTR_INGRESS_ACL;
-        port_attr.value.oid = groupOid;
-
-        status = sai_port_api->set_port_attribute(m_port_id, &port_attr);
-        if (status != SAI_STATUS_SUCCESS)
+        switch (m_type)
         {
-            SWSS_LOG_ERROR("Failed to bind port %s to ACL table group %lx, rv:%d",
-                    m_alias.c_str(), groupOid, status);
-            return status;
+        case PHY:
+        {
+            // Bind this ACL group to physical port
+            sai_attribute_t port_attr;
+            port_attr.id = SAI_PORT_ATTR_INGRESS_ACL;
+            port_attr.value.oid = groupOid;
+
+            status = sai_port_api->set_port_attribute(m_port_id, &port_attr);
+            if (status != SAI_STATUS_SUCCESS)
+            {
+                SWSS_LOG_ERROR("Failed to bind port %s to ACL table group %lx, rv:%d",
+                        m_alias.c_str(), groupOid, status);
+                return status;
+            }
+            break;
         }
+        case LAG:
+        {
+            // Bind this ACL group to LAG
+            sai_attribute_t lag_attr;
+            lag_attr.id = SAI_LAG_ATTR_INGRESS_ACL;
+            lag_attr.value.oid = groupOid;
+
+            status = sai_lag_api->set_lag_attribute(m_lag_id, &lag_attr);
+            if (status != SAI_STATUS_SUCCESS)
+            {
+                SWSS_LOG_ERROR("Failed to bind LAG %s to ACL table group %lx, rv:%d",
+                        m_alias.c_str(), groupOid, status);
+                return status;
+            }
+            break;
+        }
+        case VLAN:
+            // Bind this ACL group to VLAN
+            sai_attribute_t vlan_attr;
+            vlan_attr.id = SAI_VLAN_ATTR_INGRESS_ACL;
+            vlan_attr.value.oid = groupOid;
+
+            status = sai_vlan_api->set_vlan_attribute(m_vlan_oid, &vlan_attr);
+            if (status != SAI_STATUS_SUCCESS)
+            {
+                SWSS_LOG_ERROR("Failed to bind VLAN %s to ACL table group %lx, rv:%d",
+                        m_alias.c_str(), groupOid, status);
+                return status;
+            }
+
+            break;
+        default:
+            SWSS_LOG_ERROR("Failed to bind %s port with type %d", m_alias.c_str(), m_type);
+            return SAI_STATUS_FAILURE;
+        }
+
 
         SWSS_LOG_NOTICE("Create ACL table group and bind port %s to it", m_alias.c_str());
     }

diff --git a/orchagent/portsorch.cpp b/orchagent/portsorch.cpp
@@ -283,6 +283,12 @@ bool PortsOrch::getPort(sai_object_id_t id, Port &port)
                 return true;
             }
             break;
+        case Port::VLAN:
+            if (portIter.second.m_vlan_id == id)
+            {
+                port = portIter.second;
+                return true;
+            }
         default:
             continue;
         }