[orchagent]: Add MACsec Orchagent #1474
Signed-off-by: Ze Gan <ganze718@gmail.com>
orchagent/port.h
Outdated
@@ -114,6 +114,8 @@ class Port | |||
|
|||
std::unordered_set<sai_object_id_t> m_ingress_acl_tables_uset; | |||
std::unordered_set<sai_object_id_t> m_egress_acl_tables_uset; | |||
|
|||
sai_object_id_t m_line_port_id = 0; |
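Review bot: the added member `sai_object_id_t m_line_port_id = 0;` initialises an object id with a bare `0`. Other hunks in this PR use `SAI_NULL_OBJECT_ID` for an unset id (`macsec_port.m_ingress_port_id = SAI_NULL_OBJECT_ID;`), so use the same constant here to keep "unset" checks consistent, and add a one-line comment stating what the line port id refers to, since nothing else in this hunk uses it.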
remove this one since this pr does not support gearbox
orchagent/macsecorch.h
Outdated
void uninstallCounter(const std::string &obj_name, sai_object_id_t obj_id); | ||
|
||
/* ACL */ | ||
bool initACLTable( |
-> initMacsecAclTable
Add test
retest vs please
orchagent/macsecorch.cpp
Outdated
"SAI_MACSEC_SA_ATTR_MINIMUM_XPN", | ||
}; | ||
|
||
/* Helpers */ |
can helper functions be in swss-common?
Is this going to be committed before latest saimacsec.h changes are integrated?
orchagent/macsecorch.cpp
Outdated
auto sc = scs.find(*m_sci); | ||
if (sc == scs.end()) | ||
{ | ||
SWSS_LOG_INFO("Cannot find the MACsec SC %lu at the port %s.", *m_sci, m_port_name->c_str()); |
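Review bot: in the `SWSS_LOG_INFO` call, `%lu` is paired with `*m_sci`. If the SCI is held in a 64-bit integer, `%lu` is only correct on targets where `unsigned long` is 64 bits wide; use the `<cinttypes>` macros instead, for example `"... SC 0x%" PRIx64 " at the port %s."`. Hex also matches how an SCI is normally read (MAC address followed by port identifier), which makes the log line directly comparable with what the key-agreement side reports.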
Use PRIx64 instead of lu for SCI for easier debugging.
orchagent/macsecorch.cpp
Outdated
auto macsec_obj = m_macsec_objs.emplace(switch_id, MACsecObject()); | ||
if (!macsec_obj.second) | ||
{ | ||
SWSS_LOG_INFO("The MACsec has been initialized at the switch %lu", switch_id); |
Use PRIx64 instead of lu for consistent OID display in syslog.
orchagent/saihelper.cpp
Outdated
@@ -197,6 +199,7 @@ void initSaiApi() | |||
sai_log_set(SAI_API_SAMPLEPACKET, SAI_LOG_LEVEL_NOTICE); | |||
sai_log_set(SAI_API_DEBUG_COUNTER, SAI_LOG_LEVEL_NOTICE); | |||
sai_log_set((sai_api_t)SAI_API_NAT, SAI_LOG_LEVEL_NOTICE); | |||
sai_log_set(SAI_API_NAT, SAI_LOG_LEVEL_NOTICE); |
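Review bot: the added line `sai_log_set(SAI_API_NAT, SAI_LOG_LEVEL_NOTICE);` sets the NAT API log level a second time, directly below the existing `sai_log_set((sai_api_t)SAI_API_NAT, ...)` line, and nothing in this hunk sets a level for the MACsec API that the PR introduces. The intended argument is presumably `SAI_API_MACSEC`; as written, MACsec SAI calls keep whatever default log level the SAI implementation uses.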
Copy-n-paste error.
orchagent/macsecorch.cpp
Outdated
extern sai_port_api_t *sai_port_api; | ||
extern sai_switch_api_t *sai_switch_api; | ||
|
||
static const std::vector<std::string> macsec_egress_sa_stats = |
When you add support for MACSEC_SA_STATS, this will need to be renamed since it is not a vector of stats but attrs.
orchagent/macsecorch.cpp
Outdated
SWSS_LOG_WARN("Cannot initialize MACsec egress object at the switch %lu", switch_id); | ||
return false; | ||
} | ||
recover.add_action([&]() { sai_macsec_api->remove_macsec_port(macsec_obj.first->second.m_egress_id); }); |
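Review bot: the rollback registered in `recover.add_action` calls `remove_macsec_port` on `m_egress_id`, but the warning just above says the object being created is the switch-level "MACsec egress object", not a MACsec port. The undo action should use the remove call that pairs with the create call for that object type (`remove_macsec`); otherwise a failure later in the function leaves the egress MACsec object allocated in the SAI. The `%lu` in the `SWSS_LOG_WARN` line should also become `PRIx64` so the switch OID is printed portably.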
Is this correct?
*ctx.get_port_id()); | ||
}); | ||
} | ||
if (!updateMACsecPort(*ctx.get_macsec_port(), port_attr)) |
what's this doing?
orchagent/macsecorch.cpp
Outdated
macsec_port.m_ingress_port_id = SAI_NULL_OBJECT_ID; | ||
}); | ||
|
||
macsec_port.m_enable_encrypt = true; |
are these always fixed? There might be integrity only mode?
orchagent/macsecorch.cpp
Outdated
}); | ||
|
||
macsec_port.m_enable_encrypt = true; | ||
macsec_port.m_sci_in_sectag = true; |
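Review bot: `macsec_port.m_enable_encrypt` and `macsec_port.m_sci_in_sectag` are assigned the literal `true` with no input from the port attributes visible in this hunk. If these are defaults, say so in a comment and confirm that values from the APP DB entry override them afterwards; otherwise a port configured for integrity-only protection would still be programmed as encrypting, and the SecTAG would always carry the SCI regardless of configuration.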
SAI it's false by default.
orchagent/macsecorch.cpp
Outdated
SWSS_LOG_WARN("Cannot initialize MACsec ingress object at the switch 0x%" PRIx64, switch_id); | ||
return false; | ||
} | ||
recover.add_action([&]() { sai_macsec_api->remove_macsec_port(macsec_obj.first->second.m_ingress_id); }); |
remove macsec()
const std::string &, | ||
const TaskArgs &); | ||
const static std::map<TaskType, TaskFunc> TaskMap = { | ||
{{APP_MACSEC_PORT_TABLE_NAME, SET_COMMAND}, |
Rename these functions' names
retest vs please
Add MACsec orchagent for MACsec feature.

The MACsecOrch is introduced in the Orchagent to handle configuration requests. It monitors MACsec related tables in APP DB and converts those messages to SAI commands to manage the MACsec object.

The main functions are defined in class MACsecOrch as follows:

```
task_process_status taskUpdateMACsecPort(const std::string & port_name, const TaskArgs & port_attr);
task_process_status taskDisableMACsecPort(const std::string & port_name, const TaskArgs & port_attr);
task_process_status taskUpdateEgressSC(const std::string & port_sci, const TaskArgs & sc_attr);
task_process_status taskDeleteEgressSC(const std::string & port_sci, const TaskArgs & sc_attr);
task_process_status taskUpdateIngressSC(const std::string & port_sci, const TaskArgs & sc_attr);
task_process_status taskDeleteIngressSC(const std::string & port_sci, const TaskArgs & sc_attr);
task_process_status taskUpdateEgressSA(const std::string & port_sci_an, const TaskArgs & sa_attr);
task_process_status taskDeleteEgressSA(const std::string & port_sci_an, const TaskArgs & sa_attr);
task_process_status taskUpdateIngressSA(const std::string & port_sci_an, const TaskArgs & sa_attr);
task_process_status taskDeleteIngressSA(const std::string & port_sci_an, const TaskArgs & sa_attr);
```

The HLD of MACsec orchagent is at [MACsec HLD](https://github.com/Azure/SONiC/blob/master/doc/macsec/MACsec_hld.md#344-macsec-orch)

Signed-off-by: Ze Gan <ganze718@gmail.com>
What I did
Add MACsec orchagent for MACsec feature.
The MACsecOrch is introduced in the Orchagent to handle configuration requests. It monitors MACsec related tables in APP DB and converts those messages to SAI commands to manage the MACsec object.
The main functions are defined in class MACsecOrch as follows
The HLD of MACsec orchagent is at MACsec HLD
Why I did it
MACsec orchagent is needed to transfer MACsec management messages from wpa_supplicant to SAI.
How I verified it
Following the verification at #1475. The macsec device should be created and you can observe whether the MACsec configuration is correct by command
ip macsec show
Details if related
This PR depends on:
sonic-net/sonic-wpa-supplicant#16
sonic-net/sonic-buildimage#5700
#1475
sonic-net/sonic-sairedis#691
sonic-net/sonic-swss-common#434
sonic-net/sonic-sairedis#770