[Sub-ports] ACL doesn't support sub-ports as port type

[OleksandrKozodoi]

Summary

Based on Sub-port HLD ACL could support sub-ports to be assigned as a port type in ACL table.

HLD:

SAI attributes	attribute value/type
SAI_ROUTER_INTERFACE_ATTR_INGRESS_ACL	ACL table or ACL table group oid
SAI_ROUTER_INTERFACE_ATTR_EGRESS_ACL	ACL table or ACL table group oid

But sub-ports port type is not implemented in SONiC realization of ACL.
portsorch.cpp:

switch (port.m_type)
    {
        case Port::PHY:
        {
            attr.id = ingress ?
                    SAI_PORT_ATTR_INGRESS_ACL : SAI_PORT_ATTR_EGRESS_ACL;
            status = sai_port_api->set_port_attribute(port.m_port_id, &attr);
            break;
        }
        case Port::LAG:
        {
            attr.id = ingress ?
                    SAI_LAG_ATTR_INGRESS_ACL : SAI_LAG_ATTR_EGRESS_ACL;
            status = sai_lag_api->set_lag_attribute(port.m_lag_id, &attr);
            break;
        }
        case Port::VLAN:
        {
            attr.id = ingress ?
                    SAI_VLAN_ATTR_INGRESS_ACL : SAI_VLAN_ATTR_EGRESS_ACL;
            status =
                sai_vlan_api->set_vlan_attribute(port.m_vlan_info.vlan_oid,
                                                 &attr);
            break;
        }
        default:
        {
            SWSS_LOG_ERROR("Failed to %s %s port with type %d",
                           bind_str.c_str(), port.m_alias.c_str(), port.m_type);
            return false;
        }
    }

Is this expected and ACL doesn't support sub-ports or needs to add realization of sub-ports to ACL?

Test scenario

I've tried to assign ACL to sub-port interface.
ACL config:

{
    "ACL_TABLE": {
        "test_acl_table": {
            "stage": "ingress",
            "type": "L3",
            "policy_desc": "test_policy",
            "ports": [
            "Ethernet4.10",
            "Ethernet4.20"
            ]
        }
    },
    "ACL_RULE": {
        "test_acl_table|1": {
            "PRIORITY": "10",
            "PACKET_ACTION": "DROP",
            "ICMP_TYPE": "8"
        }
    }
}

After this, I send traffic and expected that it will be dropped on sub-port interface. Actually, it was forwarded.

[wendani]

field ports is a placeholder only for physical port and LAG list. This said, swss only supports these two bind point types as of now. swss does not support acl binding to router interface (sub port being one type of router interfaces).

field ports does not include vlan. There was proposal to introduce schema field vlan to support vlan bind point type. https://github.com/Azure/SONiC/blob/master/doc/acl/ACL-enhancements-on-SONIC.docx but has not yet been materialized.

There is pending effort to support vlan router interface (being one type of router interfaces). #1218

If there is a use case for router interface bind point, a new field schema may be necessary to hold router interface list and to distinguish between physical port/lag/vlan bind point and router interface (type port, type vlan) bind point created on the corresponding objects.

[anshuv-mfst]

Enhancement request