[SAIP4] Update P4 PreIngress table to match on DST_MAC, Uncomment refers_to annotation for multicast group ID in redirect action, Assign priorities to ACL Ingress tables, Add tests for multicast programming, Add an ACL egress table with a src_mac match to middleblock & Add acl_forward to mirror_and_redirect.

sai_p4/fixed/packet_rewrites.p4

@@ -55,10 +55,6 @@ control multicast_rewrites(inout local_metadata_t local_metadata,
   // This will cause the source MAC of packets generated by the group member to
   // be rewritten to the `src_mac` of the `set_multicast_src_mac` action of the
   // entry.
-  //
-  // TODO: Remove `@unsupported` annotation once the switch stack
-  // supports this table.
-  @unsupported
   @p4runtime_role(P4RUNTIME_ROLE_ROUTING)
   @id(ROUTING_MULTICAST_ROUTER_INTERFACE_TABLE_ID)
   table multicast_router_interface_table {

sai_p4/fixed/routing.p4

@@ -165,9 +165,6 @@ control routing_lookup(in headers_t headers,
   // Calling this action will override unicast, and can itself be overriden by
   // `mark_to_drop`.
   //
-  // TODO: Remove `@unsupported` annotation once the switch stack
-  // supports multicast.
-  @unsupported
   @id(ROUTING_SET_MULTICAST_GROUP_ID_ACTION_ID)
   @action_restriction("
     // Disallow 0 since it encodes 'no multicast' in V1Model.
@@ -226,9 +223,6 @@ control routing_lookup(in headers_t headers,
   // Models SAI IPMC entries of type (*,G) whose destination is an IPv4 address.
   @p4runtime_role(P4RUNTIME_ROLE_ROUTING)
   @id(ROUTING_IPV4_MULTICAST_TABLE_ID)
-  // TODO: Remove `@unsupported` annotation once the switch stack
-  // supports multicast.
-  @unsupported
   table ipv4_multicast_table {
     key = {
       // Sets `vr_id` in `sai_ipmc_entry_t`.
@@ -247,9 +241,6 @@ control routing_lookup(in headers_t headers,
   // Models SAI IPMC entries of type (*,G) whose destination is an IPv6 address.
   @p4runtime_role(P4RUNTIME_ROLE_ROUTING)
   @id(ROUTING_IPV6_MULTICAST_TABLE_ID)
-  // TODO: Remove `@unsupported` annotation once the switch stack
-  // supports multicast.
-  @unsupported
   table ipv6_multicast_table {
     key = {
       // Sets `vr_id` in `sai_ipmc_entry_t`.

sai_p4/instantiations/google/BUILD.bazel

@@ -27,6 +27,7 @@ package(
 
 SHARED_DEPS = [
     "acl_common_actions.p4",
+    "acl_egress.p4",
     "acl_ingress.p4",
     "acl_pre_ingress.p4",
     "ids.h",
@@ -41,12 +42,10 @@ SHARED_DEPS = [
 MIDDLEBLOCK_DEPS = SHARED_DEPS + ["middleblock.p4"]
 
 FABRIC_BORDER_ROUTER_DEPS = SHARED_DEPS + [
-    "acl_egress.p4",
     "fabric_border_router.p4",
 ]
 
 TOR_DEPS = SHARED_DEPS + [
-    "acl_egress.p4",
     "tor.p4",
 ]
 

sai_p4/instantiations/google/acl_egress.p4

@@ -88,7 +88,7 @@ control acl_egress(in headers_t headers,
               @sai_field(SAI_ACL_TABLE_ATTR_FIELD_DST_IPV6_WORD2)
           ) @format(IPV6_ADDRESS);
 #endif
-#if defined(SAI_INSTANTIATION_TOR)
+#if defined(SAI_INSTANTIATION_TOR) || defined(SAI_INSTANTIATION_MIDDLEBLOCK)
       headers.ethernet.src_addr : ternary @name("src_mac") @id(10)
           @sai_field(SAI_ACL_TABLE_ATTR_FIELD_SRC_MAC) @format(MAC_ADDRESS);
 #endif

sai_p4/instantiations/google/acl_ingress.p4

@@ -263,7 +263,8 @@ control acl_ingress(in headers_t headers,
           @sai_field(SAI_ACL_TABLE_ATTR_FIELD_ECN);
 #endif
       // Field for v4 IP protocol and v6 next header.
-      ip_protocol : ternary @name("ip_protocol") @id(13)
+      ip_protocol : ternary
+          @id(13) @name("ip_protocol")
           @sai_field(SAI_ACL_TABLE_ATTR_FIELD_IP_PROTOCOL);
 #if defined(SAI_INSTANTIATION_FABRIC_BORDER_ROUTER) || defined(SAI_INSTANTIATION_TOR)
       headers.icmp.type : ternary @name("icmp_type") @id(19)
@@ -391,6 +392,7 @@ control acl_ingress(in headers_t headers,
 
   @p4runtime_role(P4RUNTIME_ROLE_SDN_CONTROLLER)
   @id(ACL_INGRESS_COUNTING_TABLE_ID)
+  @sai_acl_priority(7)
   @sai_acl(INGRESS)
   @entry_restriction("
     // Only allow IP field matches for IP packets.
@@ -405,9 +407,11 @@ control acl_ingress(in headers_t headers,
   ")
   table acl_ingress_counting_table {
     key = {
-      headers.ipv4.isValid() || headers.ipv6.isValid() : optional @name("is_ip")
-          @id(1) @sai_field(SAI_ACL_TABLE_ATTR_FIELD_ACL_IP_TYPE/IP);
-      headers.ipv4.isValid() : optional @name("is_ipv4") @id(2)
+      headers.ipv4.isValid() || headers.ipv6.isValid() : optional
+          @id(1) @name("is_ip")
+          @sai_field(SAI_ACL_TABLE_ATTR_FIELD_ACL_IP_TYPE/IP);
+      headers.ipv4.isValid() : optional
+          @id(2) @name("is_ipv4")
           @sai_field(SAI_ACL_TABLE_ATTR_FIELD_ACL_IP_TYPE/IPV4ANY);
       headers.ipv6.isValid() : optional @name("is_ipv6") @id(3)
           @sai_field(SAI_ACL_TABLE_ATTR_FIELD_ACL_IP_TYPE/IPV6ANY);
@@ -451,8 +455,7 @@ control acl_ingress(in headers_t headers,
   ")
   action redirect_to_ipmc_group(
     @sai_action_param(SAI_ACL_ENTRY_ATTR_ACTION_REDIRECT)
-    // TODO: Add this once supported by PDPI and its customers.
-    // @refers_to(multicast_group_table, multicast_group_id)
+    @refers_to(builtin::multicast_group_table, multicast_group_id)
     multicast_group_id_t multicast_group_id) {
     standard_metadata.mcast_grp = multicast_group_id;
 
@@ -465,6 +468,7 @@ control acl_ingress(in headers_t headers,
   // ACL table that mirrors and redirects packets.
   @id(ACL_INGRESS_MIRROR_AND_REDIRECT_TABLE_ID)
   @sai_acl(INGRESS)
+  @sai_acl_priority(15)
   @p4runtime_role(P4RUNTIME_ROLE_SDN_CONTROLLER)
   @entry_restriction("
     // Only allow IP field matches for IP packets.
@@ -541,6 +545,7 @@ control acl_ingress(in headers_t headers,
         @unsupported;
     }
     actions = {
+      @proto_id(4) acl_forward();
       @proto_id(1) acl_mirror();
       @proto_id(2) redirect_to_nexthop();
       @proto_id(3) redirect_to_ipmc_group();
@@ -553,6 +558,7 @@ control acl_ingress(in headers_t headers,
   // ACL table that only drops or denies packets, and is otherwise a no-op.
   @id(ACL_INGRESS_SECURITY_TABLE_ID)
   @sai_acl(INGRESS)
+  @sai_acl_priority(20)
   @p4runtime_role(P4RUNTIME_ROLE_SDN_CONTROLLER)
   @entry_restriction("
     // Forbid using ether_type for IP packets (by convention, use is_ip* instead).

sai_p4/instantiations/google/acl_pre_ingress.p4

@@ -95,8 +95,10 @@ control acl_pre_ingress(in headers_t headers,
           @sai_field(SAI_ACL_TABLE_ATTR_FIELD_ACL_IP_TYPE/IPV6ANY);
       headers.ethernet.src_addr : ternary @name("src_mac") @id(4)
           @sai_field(SAI_ACL_TABLE_ATTR_FIELD_SRC_MAC) @format(MAC_ADDRESS);
+#ifdef SAI_INSTANTIATION_FABRIC_BORDER_ROUTER
       headers.ethernet.dst_addr : ternary @name("dst_mac") @id(9)
           @sai_field(SAI_ACL_TABLE_ATTR_FIELD_DST_MAC) @format(MAC_ADDRESS);
+#endif
       headers.ipv4.dst_addr : ternary @name("dst_ip") @id(5)
           @sai_field(SAI_ACL_TABLE_ATTR_FIELD_DST_IP) @format(IPV4_ADDRESS);
       headers.ipv6.dst_addr[127:64] : ternary @name("dst_ipv6") @id(6)

sai_p4/instantiations/google/fabric_border_router.p4info.pb.txt

@@ -317,7 +317,6 @@ tables {
     name: "ingress.routing_lookup.ipv4_multicast_table"
     alias: "ipv4_multicast_table"
     annotations: "@p4runtime_role(\"sdn_controller\")"
-    annotations: "@unsupported"
   }
   match_fields {
     id: 1
@@ -352,7 +351,6 @@ tables {
     name: "ingress.routing_lookup.ipv6_multicast_table"
     alias: "ipv6_multicast_table"
     annotations: "@p4runtime_role(\"sdn_controller\")"
-    annotations: "@unsupported"
   }
   match_fields {
     id: 1
@@ -567,6 +565,7 @@ tables {
     name: "ingress.acl_ingress.acl_ingress_counting_table"
     alias: "acl_ingress_counting_table"
     annotations: "@p4runtime_role(\"sdn_controller\")"
+    annotations: "@sai_acl_priority(7)"
     annotations: "@sai_acl(INGRESS)"
     annotations: "@entry_restriction(\"\n    // Only allow IP field matches for IP packets.\n    dscp::mask != 0 -> (is_ip == 1 || is_ipv4 == 1 || is_ipv6 == 1);\n    // Forbid illegal combinations of IP_TYPE fields.\n    is_ip::mask != 0 -> (is_ipv4::mask == 0 && is_ipv6::mask == 0);\n    is_ipv4::mask != 0 -> (is_ip::mask == 0 && is_ipv6::mask == 0);\n    is_ipv6::mask != 0 -> (is_ip::mask == 0 && is_ipv4::mask == 0);\n    // Forbid unsupported combinations of IP_TYPE fields.\n    is_ipv4::mask != 0 -> (is_ipv4 == 1);\n    is_ipv6::mask != 0 -> (is_ipv6 == 1);\n  \")"
   }
@@ -851,7 +850,6 @@ tables {
     id: 33554508
     name: "egress.packet_rewrites.multicast_rewrites.multicast_router_interface_table"
     alias: "multicast_router_interface_table"
-    annotations: "@unsupported"
     annotations: "@p4runtime_role(\"sdn_controller\")"
   }
   match_fields {
@@ -1123,7 +1121,6 @@ actions {
     id: 16777240
     name: "ingress.routing_lookup.set_multicast_group_id"
     alias: "set_multicast_group_id"
-    annotations: "@unsupported"
     annotations: "@action_restriction(\"\n    // Disallow 0 since it encodes \'no multicast\' in V1Model.\n    multicast_group_id != 0;\n  \")"
   }
   params {

sai_p4/instantiations/google/middleblock.p4

@@ -20,6 +20,7 @@
 #include "../../fixed/drop_martians.p4"
 #include "../../fixed/packet_rewrites.p4"
 #include "../../fixed/tunnel_termination.p4"
+#include "acl_egress.p4"
 #include "acl_ingress.p4"
 #include "acl_pre_ingress.p4"
 #include "admit_google_system_mac.p4"
@@ -62,6 +63,7 @@ control egress(inout headers_t headers,
       mirroring_encap.apply(headers, local_metadata, standard_metadata);
       egress_vlan_checks.apply(headers, local_metadata, standard_metadata);
       vlan_tag.apply(headers, local_metadata, standard_metadata);
+      acl_egress.apply(headers, local_metadata, standard_metadata);
     }
   }
 }  // control egress

sai_p4/instantiations/google/middleblock.p4info.pb.txt

@@ -94,14 +94,6 @@ tables {
     bitwidth: 48
     match_type: TERNARY
   }
-  match_fields {
-    id: 9
-    name: "dst_mac"
-    annotations: "@sai_field(SAI_ACL_TABLE_ATTR_FIELD_DST_MAC)"
-    annotations: "@format(MAC_ADDRESS)"
-    bitwidth: 48
-    match_type: TERNARY
-  }
   match_fields {
     id: 5
     name: "dst_ip"
@@ -317,7 +309,6 @@ tables {
     name: "ingress.routing_lookup.ipv4_multicast_table"
     alias: "ipv4_multicast_table"
     annotations: "@p4runtime_role(\"sdn_controller\")"
-    annotations: "@unsupported"
   }
   match_fields {
     id: 1
@@ -352,7 +343,6 @@ tables {
     name: "ingress.routing_lookup.ipv6_multicast_table"
     alias: "ipv6_multicast_table"
     annotations: "@p4runtime_role(\"sdn_controller\")"
-    annotations: "@unsupported"
   }
   match_fields {
     id: 1
@@ -552,6 +542,7 @@ tables {
     name: "ingress.acl_ingress.acl_ingress_mirror_and_redirect_table"
     alias: "acl_ingress_mirror_and_redirect_table"
     annotations: "@sai_acl(INGRESS)"
+    annotations: "@sai_acl_priority(15)"
     annotations: "@p4runtime_role(\"sdn_controller\")"
     annotations: "@entry_restriction(\"\n    // Only allow IP field matches for IP packets.\n    dst_ip::mask != 0 -> is_ipv4 == 1;\n    dst_ipv6::mask != 0 -> is_ipv6 == 1;\n    // Forbid illegal combinations of IP_TYPE fields.\n    is_ip::mask != 0 -> (is_ipv4::mask == 0 && is_ipv6::mask == 0);\n    is_ipv4::mask != 0 -> (is_ip::mask == 0 && is_ipv6::mask == 0);\n    is_ipv6::mask != 0 -> (is_ip::mask == 0 && is_ipv4::mask == 0);\n    // Forbid unsupported combinations of IP_TYPE fields.\n    is_ipv4::mask != 0 -> (is_ipv4 == 1);\n    is_ipv6::mask != 0 -> (is_ipv6 == 1);\n  \")"
   }
@@ -610,6 +601,10 @@ tables {
     bitwidth: 1
     match_type: OPTIONAL
   }
+  action_refs {
+    id: 16777475
+    annotations: "@proto_id(4)"
+  }
   action_refs {
     id: 16777476
     annotations: "@proto_id(1)"
@@ -636,6 +631,7 @@ tables {
     name: "ingress.acl_ingress.acl_ingress_security_table"
     alias: "acl_ingress_security_table"
     annotations: "@sai_acl(INGRESS)"
+    annotations: "@sai_acl_priority(20)"
     annotations: "@p4runtime_role(\"sdn_controller\")"
     annotations: "@entry_restriction(\"\n    // Forbid using ether_type for IP packets (by convention, use is_ip* instead).\n    ether_type != 0x0800 && ether_type != 0x86dd;\n\n    // Only allow IP field matches for IP packets.\n    dst_ip::mask != 0 -> is_ipv4 == 1;\n    src_ip::mask != 0 -> is_ipv4 == 1;\n    src_ipv6::mask != 0 -> is_ipv6 == 1;\n\n  // TODO: This comment is required for the preprocessor to not\n  // spit out nonsense.\n\n\n\n\n\n\n\n    // Forbid illegal combinations of IP_TYPE fields.\n    is_ip::mask != 0 -> (is_ipv4::mask == 0 && is_ipv6::mask == 0);\n    is_ipv4::mask != 0 -> (is_ip::mask == 0 && is_ipv6::mask == 0);\n    is_ipv6::mask != 0 -> (is_ip::mask == 0 && is_ipv4::mask == 0);\n    // Forbid unsupported combinations of IP_TYPE fields.\n    is_ipv4::mask != 0 -> (is_ipv4 == 1);\n    is_ipv6::mask != 0 -> (is_ipv6 == 1);\n  \")"
   }
@@ -945,7 +941,6 @@ tables {
     id: 33554508
     name: "egress.packet_rewrites.multicast_rewrites.multicast_router_interface_table"
     alias: "multicast_router_interface_table"
-    annotations: "@unsupported"
     annotations: "@p4runtime_role(\"sdn_controller\")"
   }
   match_fields {
@@ -975,6 +970,73 @@ tables {
   }
   size: 128
 }
+tables {
+  preamble {
+    id: 33554692
+    name: "egress.acl_egress.acl_egress_table"
+    alias: "acl_egress_table"
+    annotations: "@p4runtime_role(\"sdn_controller\")"
+    annotations: "@sai_acl(EGRESS)"
+    annotations: "@entry_restriction(\"\n\n\n\n\n\n    // Only allow IP field matches for IP packets.\n    ip_protocol::mask != 0 -> (is_ip == 1 || is_ipv4 == 1 || is_ipv6 == 1);\n\n\n\n\n\n\n\n    // Forbid illegal combinations of IP_TYPE fields.\n    is_ip::mask != 0 -> (is_ipv4::mask == 0 && is_ipv6::mask == 0);\n    is_ipv4::mask != 0 -> (is_ip::mask == 0 && is_ipv6::mask == 0);\n    is_ipv6::mask != 0 -> (is_ip::mask == 0 && is_ipv4::mask == 0);\n    // Forbid unsupported combinations of IP_TYPE fields.\n    is_ipv4::mask != 0 -> (is_ipv4 == 1);\n    is_ipv6::mask != 0 -> (is_ipv6 == 1);\n  \")"
+  }
+  match_fields {
+    id: 2
+    name: "ip_protocol"
+    annotations: "@sai_field(SAI_ACL_TABLE_ATTR_FIELD_IP_PROTOCOL)"
+    bitwidth: 8
+    match_type: TERNARY
+  }
+  match_fields {
+    id: 4
+    name: "out_port"
+    annotations: "@sai_field(SAI_ACL_TABLE_ATTR_FIELD_OUT_PORT)"
+    match_type: OPTIONAL
+    type_name {
+      name: "port_id_t"
+    }
+  }
+  match_fields {
+    id: 5
+    name: "is_ip"
+    annotations: "@sai_field(SAI_ACL_TABLE_ATTR_FIELD_ACL_IP_TYPE / IP)"
+    bitwidth: 1
+    match_type: OPTIONAL
+  }
+  match_fields {
+    id: 6
+    name: "is_ipv4"
+    annotations: "@sai_field(SAI_ACL_TABLE_ATTR_FIELD_ACL_IP_TYPE / IPV4ANY)"
+    bitwidth: 1
+    match_type: OPTIONAL
+  }
+  match_fields {
+    id: 7
+    name: "is_ipv6"
+    annotations: "@sai_field(SAI_ACL_TABLE_ATTR_FIELD_ACL_IP_TYPE / IPV6ANY)"
+    bitwidth: 1
+    match_type: OPTIONAL
+  }
+  match_fields {
+    id: 10
+    name: "src_mac"
+    annotations: "@sai_field(SAI_ACL_TABLE_ATTR_FIELD_SRC_MAC)"
+    annotations: "@format(MAC_ADDRESS)"
+    bitwidth: 48
+    match_type: TERNARY
+  }
+  action_refs {
+    id: 16777481
+    annotations: "@proto_id(1)"
+  }
+  action_refs {
+    id: 21257015
+    annotations: "@defaultonly"
+    scope: DEFAULT_ONLY
+  }
+  const_default_action_id: 21257015
+  direct_resource_ids: 318767364
+  size: 127
+}
 actions {
   preamble {
     id: 21257015
@@ -1137,7 +1199,6 @@ actions {
     id: 16777240
     name: "ingress.routing_lookup.set_multicast_group_id"
     alias: "set_multicast_group_id"
-    annotations: "@unsupported"
     annotations: "@action_restriction(\"\n    // Disallow 0 since it encodes \'no multicast\' in V1Model.\n    multicast_group_id != 0;\n  \")"
   }
   params {
@@ -1243,6 +1304,7 @@ actions {
     id: 1
     name: "multicast_group_id"
     annotations: "@sai_action_param(SAI_ACL_ENTRY_ATTR_ACTION_REDIRECT)"
+    annotations: "@refers_to(builtin : : multicast_group_table , multicast_group_id)"
     bitwidth: 16
   }
 }
@@ -1594,6 +1656,17 @@ direct_counters {
   }
   direct_table_id: 33554698
 }
+direct_counters {
+  preamble {
+    id: 318767364
+    name: "egress.acl_egress.acl_egress_counter"
+    alias: "acl_egress_counter"
+  }
+  spec {
+    unit: BOTH
+  }
+  direct_table_id: 33554692
+}
 direct_meters {
   preamble {
     id: 352321792

sai_p4/instantiations/google/minimum_guaranteed_sizes.p4

@@ -54,7 +54,8 @@
 #define ROUTING_IPV4_MULTICAST_TABLE_MINIMUM_GUARANTEED_SIZE 1600
 #define ROUTING_IPV6_MULTICAST_TABLE_MINIMUM_GUARANTEED_SIZE 1600
 
-#define ROUTING_MULTICAST_ROUTER_INTERFACE_TABLE_MINIMUM_GUARANTEED_SIZE 128
+// TODO: multicast_router_interface_table runs out of space at 110 entries, expected 128 
+#define ROUTING_MULTICAST_ROUTER_INTERFACE_TABLE_MINIMUM_GUARANTEED_SIZE 110
 
 // The maximum number of wcmp groups.
 #define WCMP_GROUP_TABLE_MINIMUM_GUARANTEED_SIZE 3968