Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Custom ACL Based Metering #1889

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

shaygol
Copy link

@shaygol shaygol commented Jan 8, 2025

Describes the Custom ACL Based Metering (CABM) feature design in SONiC.

Describes the Custom ACL Based Metering (CABM) feature design in SONiC.
@mssonicbld
Copy link
Collaborator

/azp run

Copy link

linux-foundation-easycla bot commented Jan 8, 2025

CLA Missing ID

  • ✅login: shaygol / (0f08d82)
  • ❌ The commit (1a0f703, 767a9a0). This user is authorized, but they must confirm their affiliation with their company. Start the authorization process by clicking here, click "Corporate", select the appropriate company from the list, then confirm your affiliation on the page that appears. For further assistance with EasyCLA, please submit a support request ticket.

Copy link

No pipelines are associated with this pull request.

@mssonicbld
Copy link
Collaborator

/azp run

Copy link

No pipelines are associated with this pull request.

priority = 1*3DIGIT ; rule priority. Valid values range
; could be platform dependent

packet_action = "FORWARD"/"DROP"/"DO_NOT_NAT" ; action when the fields are matched
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The packet_action and policer_action fields are a little bit confusing. For example, if the packet_action is DROP and policer is present, does that mean you only drop the traffic under a certain rate control?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Each ACL rule can only specify a single action due to the ACL-Orch design and implementation.
For example, a rule specifying 'packet_action = DROP' cannot also include 'policer_action = M_POLICER_7'.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see. Can you clarify that in the db schema?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure

; matches are same as in ACL_RULE table.
actions = action-list ; list of actions for this table.
; ["REDIRECT_ACTION", ... , "POLICER_ACTION"]
```
Copy link
Contributor

@bingwang-ms bingwang-ms Jan 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may introduce some new dependency between ACL_TABLE , ACL_RULE and POLICER table. You may need to update code to handle the dependency.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The design indeed introduces a dependency between ACL_RULE and POLICER tables, as ACL_RULE references POLICER_TABLE objects.

5. Create ACL Table: Add an ACL table in ACL_TABLE, referencing the custom table type and validates the configuration.
6. Create ACL Rule: Add an ACL rule in ACL_RULE, referencing actions, including policer_action.
7. Verify Rule Compatibility: ACL-Orch validates that the rule action compatibility with the associated ACL table type.
8. Verify and Map Policer to SAI Object: Policer-Orch maps the policer_action name if it exists from CONFIG_DB to SAI object IDs.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this design, can a policer be shared by multiple ACL rules? If it can be shared, how is the rate calculated?
For example, the policer limits the rate to 100pps, and the policer is shared by RULE_1 and RULE_2. Does that mean RULE_1 and RULE_2 share the 100pps?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, in this design, a single policer can be shared across multiple ACL rules. The rate specified in the policer will be applied cumulatively to all traffic matching any rule that references the shared policer.

@zhangyanzhao
Copy link
Collaborator

![alt text](Config_Flow.jpg)


1. Query Capabilities on Initialization: ACL-Orch queries SAI to retrieve supported ACL actions, including SAI_ACL_ACTION_TYPE_SET_POLICER.
Copy link
Contributor

@bingwang-ms bingwang-ms Jan 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For now, the policer is only bound to mirror session. So if the capability query of SAI_ACL_ACTION_TYPE_SET_POLICER return true, does that mean policer can be applied to ACL rules? And is this only for Ingress only?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed in the meeting, if the capability can be determined by checking the ACL stage capabilities by reading SAI_SWITCH_ATTR_ACL_STAGE_INGRESS and SAI_SWITCH_ATTR_ACL_STAGE_EGRESS which are published in STATE DB at orchagent initialization, do we still need to add this new capability check?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The capability query I mentioned here is the same as the one you referred to. The new additional step (4.) involves checking in the DB if the policer for ACL capability is true.


#### **Configuration Flow**

![alt text](Config_Flow.jpg)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we are validating the ACL action policer capability based on information from STATE_DB, please use it in the diagram.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The ACL-Orch saves the information in both STATE_DB and local DB. So in my case, I can just check the local DB.

##### ACL Table Type Table
When a new ACL table is created, SAI needs to receive a list of supported actions which the rules belonging to this table are allowed to use.
To support the new policer action, the custom table types table schema will be extended with a policer action attribute - **"POLICER_ACTION"** for the actions attribute field.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please highlight the changes done on top of the existing tables for this feature.

...
+ /* prevent deletion of policer that referenced by ACL rule.
+ Note that new policer won't be referenced by any ACL rules initially */
+ must "not(../acl:sonic-acl/acl:ACL_RULE/acl:ACL_RULE_LIST[acl:policer_action=current()/name])" {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may not be required, please double check.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, thanks. I'll update the HLD accordingly.

@mssonicbld
Copy link
Collaborator

/azp run

Copy link

No pipelines are associated with this pull request.

@shaygol
Copy link
Author

shaygol commented Jan 26, 2025

Repository PR Title State Context
sonic-swss [AclOrch] Custom ACL Based Metering PR Status PR Checks
sonic-buildimage [sonic-buildimage] Custom ACL Based Metering PR Status PR Checks
sonic-utilities [sonic-utilities] Custom ACL Based Metering PR Status PR Checks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
Status: 🏗 In Progress
Development

Successfully merging this pull request may close these issues.

5 participants