-
Notifications
You must be signed in to change notification settings - Fork 547
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[aclorch]: add support for acl rule to match out port #810
Conversation
pull from origin
orchagent/aclorch.cpp
Outdated
} | ||
else if (port.m_type == Port::LAG) | ||
{ | ||
m_outPorts.push_back(port.m_lag_id); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does not match SAI spec.
https://github.com/opencomputeproject/SAI/blob/master/inc/saiacl.h#L1260
same as above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thinks, we will delete LAG port.
* Aclorch can be the consumer of the APP_ACL_TABLE_NAME and APP_ACL_RULE_TABLE_NAME tables in APP_DB * ACL rule can match out port Signed-off-by: shine.chen <shine.chen@nephosinc.com>
Signed-off-by: leo.li <leo.li@nephosinc.com>
The corresponding VS test case has been added, please review. |
Signed-off-by: shine.chen <shine.chen@nephosinc.com>
could you resolve the conflicts? |
Signed-off-by: shine.chen <shine.chen@nephosinc.com>
@stcheng we have fixed the conflicts. |
where is the mclag design spec? since out_ports match are not supported in various asic vendor. we need a more generic approach to address this need. |
@lguohan we have discuss it with BRCM folks in sonic-mclag-subgroup. There is a workaround in SAI layer by combination of ingress acl and egress acl. With this workaround most vendors can support out-ports. The following is the isolation logic description copied from MCLAG-HLD
|
unless Broadcom SAI as well as other vendor SAI has implemented outPorts, merging this PR will immediately break the image. |
isolation group is much more generic and different ASIC can choose different way to implement. Not all ASIC verdors have the same workaround as broadcom. I do not see a reason why we cannot add LAG into isolation group, it is a simple metadata change. |
@lguohan Thanks for the feedback. The following is my answer for your concern.
|
BRCM will implement an isolation group solution for ingress filtering instead of outPorts, pkts will be dropped at the ingress instead of queueing for egress drop. Design proposal along with other MCLAG improvements will be shared in the upcoming BRCM enhancement HLD. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BRCM team has completed the review, we have no further request or comment to add, please proceed to the next steps.
retest this please |
1 similar comment
retest this please |
merge azure/sonic-swss to aclorch branch
Signed-off-by: shine.chen <shine.chen@mediatek.com>
retest this please |
3 similar comments
retest this please |
retest this please |
retest this please |
ACL rule can match out port. Out port could be port intf , lag or vlan. Signed-off-by: shine.chen <shine.chen@nephosinc.com>
…b-cli/sonic-db-dump (sonic-net#810) * [MultiDB] sonic-utilities - replace redis-cli/redis-dump with sonic-db-cli/sonic-db-dump * only accept upper and underscore to prevent injection * quotation on db_name
What I did
ACL rule can match out port. Out port could be port intf , lag or vlan.
Why I did it
mclag need acl rule can bind to LAG and acl rule can match out port.
How I verified it
test it on nephos lab
Details if related