Open lizhijianrd opened 1 month ago
After analysis, I suggest using the qualifier NEXT_HEADER instead of IP_PROTOCOL for IPv6 rules, then doing config load to apply it. One example is at the bottom.
Analysis
A similar workaround in Marvell SAI is removed to avoid a redundant part (as the sonic-swss workaround) and to improve the ACL arrangement. The change passes community test cases, but this combination of the IP_PROTOCOL qualifier and a custom IPv6 table type is not expected. Thus it exposes this SONiC qualifier-setting difference between IPv4 and IPv6.
Using NEXT_HEADER for IPv6 is recommended. This follows the SAI and IPv6 definitions.
config load: ready for the NEXT_HEADER qualifier.
acl-loader: the community needs to improve acl-loader to accept NEXT_HEADER.
Using IP_PROTOCOL for IPv6 is not recommended and is going to be obsoleted:
// TODO: For backwards compatibility, users can substitute IP_PROTOCOL for NEXT_HEADER.
// This should be removed in a future release.
if ((m_pTable->type.getName() == TABLE_TYPE_MIRRORV6 || m_pTable->type.getName() == TABLE_TYPE_L3V6)
    && attr_name == MATCH_IP_PROTOCOL)
{
    SWSS_LOG_WARN("Support for IP protocol on IPv6 tables will be removed in a future release, please switch to using NEXT_HEADER instead!");
    attr_name = MATCH_NEXT_HEADER;
}
Working scenario
With the ACL configuration aligned to the config schema using NEXT_HEADER and config load:
root@str-marvell-acs-1:/home/admin# cat acl_table_types.json
{
  "ACL_TABLE_TYPE": {
    "BMCDATAV6": {
      "MATCHES": ["SRC_IPV6", "DST_IPV6", "ETHER_TYPE", "IP_TYPE", "IN_PORTS", "L4_SRC_PORT", "L4_DST_PORT", "L4_SRC_PORT_RANGE", "L4_DST_PORT_RANGE", "ICMPV6_TYPE", "ICMPV6_CODE", "TCP_FLAGS", "NEXT_HEADER"],
      "ACTIONS": ["PACKET_ACTION", "COUNTER"],
      "BIND_POINTS": ["PORT"]
    }
  }
}
root@str-marvell-acs-1:/home/admin#
root@str-marvell-acs-1:/home/admin# cat acl_test.json
{
  "ACL_RULE": {
    "NORTHBOUND_V6|4000_AD_HOC_TCP_SYN": {
      "NEXT_HEADER": "6",
      "ETHER_TYPE": "34525",
      "PRIORITY": "6000",
      "TCP_FLAGS": "0x02/0x02",
      "PACKET_ACTION": "DROP"
    },
    "NORTHBOUND_V6|4001_AD_HOC_ALLOW_ICMPV6_ECHO": {
      "PACKET_ACTION": "FORWARD",
      "PRIORITY": "5999",
      "DST_IPV6": "fc03::1/128",
      "NEXT_HEADER": "58",
      "ETHER_TYPE": "34525",
      "ICMPV6_CODE": "0",
      "ICMPV6_TYPE": "129"
    }
  }
}
root@str-marvell-acs-1:/home/admin# sonic-cfggen -j acl_table_types.json -w
root@str-marvell-acs-1:/home/admin# config acl add table NORTHBOUND_V6 BMCDATAV6 -p Ethernet0,Ethernet1,Ethernet2 -s ingress
root@str-marvell-acs-1:/home/admin# config load acl_test.json -y
Running command: /usr/local/bin/sonic-cfggen -j acl_test.json --write-to-db
Description
On latest 202311 marvell-armhf image, dataplane ACL rule cannot match packet correctly. Please check the details in repro steps.
Steps to reproduce the issue:
On a Nokia-7215 Mx DUT with the latest 202311 image installed:
acl_table_types.json with the below content:
acl.json with the below contents:
Describe the results you received:
[On DUT] Check the ACL counters before and after sending ICMPv6 packets with aclshow -a. We can see the counter of RULE_4000 increased by 100, but RULE_4001 doesn't increase. That's incorrect behavior.
Describe the results you expected:
ACL counter of RULE_4001 should increase by 100.
I can see the correct behavior on old 202311 image:
Output of show version:
Output of show techsupport:
Additional information you deem important (e.g. issue happens only occasionally):
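The working scenario above relies on the rule file using NEXT_HEADER on a custom IPv6 table type, while the aclorch snippet quoted in the analysis only rescues IP_PROTOCOL for the built-in L3V6 and MIRRORV6 types. The following Python pre-check is an added example, not part of this issue and not code from sonic-swss or sonic-utilities: it validates an ACL_RULE file against the ACL_TABLE_TYPE and ACL_TABLE it targets before `config load`, carrying IP_PROTOCOL over to NEXT_HEADER with a warning (the same rewrite the shim does) and rejecting qualifiers the table type does not declare. The function names, the sample dicts (constructed from the issue's JSON) and the heuristic that a custom type listing NEXT_HEADER in MATCHES is an IPv6 type are all assumptions of this example.

```python
"""Pre-check SONiC ACL_RULE entries against their table type before `config load`.

Added example (not sonic-swss / sonic-utilities code). It mirrors, on the
operator side, the IP_PROTOCOL -> NEXT_HEADER compatibility shim quoted from
aclorch in the issue, and also verifies that every qualifier a rule uses is
declared in the custom ACL_TABLE_TYPE's MATCHES list.
"""
import json
import sys

# Built-in IPv6 table types that the sonic-swss shim quoted in the issue covers.
BUILTIN_IPV6_TYPES = {"L3V6", "MIRRORV6"}


def is_ipv6_type(type_name, table_types):
    """True for a built-in v6 type, or a custom type whose MATCHES use NEXT_HEADER.

    Using "NEXT_HEADER in MATCHES" as the IPv6 signal is this example's own
    heuristic (assumption), not a rule from the SONiC schema.
    """
    if type_name in BUILTIN_IPV6_TYPES:
        return True
    return "NEXT_HEADER" in table_types.get(type_name, {}).get("MATCHES", [])


def check_acl_rules(table_types, tables, rules):
    """Validate ACL_RULE entries; return (fixed_rules, warnings, errors).

    table_types: ACL_TABLE_TYPE dict (custom types), e.g. from acl_table_types.json
    tables:      ACL_TABLE dict, table name -> {"type": <type name>, ...}
    rules:       ACL_RULE dict keyed "TABLE|RULE", as accepted by `config load`
    """
    fixed, warnings, errors = {}, [], []
    for key, fields in rules.items():
        table_name, _, _rule = key.partition("|")
        table = tables.get(table_name)
        if table is None:
            errors.append(f"{key}: table {table_name} does not exist")
            continue
        type_name = table["type"]
        new_fields = dict(fields)

        if "IP_PROTOCOL" in new_fields and is_ipv6_type(type_name, table_types):
            proto = new_fields["IP_PROTOCOL"]
            # Edge case: both qualifiers present with different values is a
            # real mistake, so report it instead of silently picking one.
            if new_fields.get("NEXT_HEADER", proto) != proto:
                errors.append(f"{key}: IP_PROTOCOL and NEXT_HEADER disagree")
                continue
            # Same behaviour as the aclorch shim: accept the legacy qualifier,
            # warn, and carry the value over to NEXT_HEADER.
            new_fields.pop("IP_PROTOCOL")
            new_fields["NEXT_HEADER"] = proto
            warnings.append(f"{key}: IP_PROTOCOL on IPv6 table type {type_name} "
                            "rewritten to NEXT_HEADER; update the rule file")

        # A custom table type declares its MATCHES and ACTIONS explicitly, so
        # every rule field must be one of them (PRIORITY is rule metadata).
        spec = table_types.get(type_name)
        if spec is not None:
            allowed = set(spec["MATCHES"]) | set(spec["ACTIONS"]) | {"PRIORITY"}
            for field in sorted(set(new_fields) - allowed):
                errors.append(f"{key}: {field} is not in MATCHES/ACTIONS of {type_name}")
        fixed[key] = new_fields
    return fixed, warnings, errors


# --- Constructed sample data, built from the issue's working scenario ----------
SAMPLE_TABLE_TYPES = {"BMCDATAV6": {
    "MATCHES": ["SRC_IPV6", "DST_IPV6", "ETHER_TYPE", "IP_TYPE", "IN_PORTS",
                "L4_SRC_PORT", "L4_DST_PORT", "L4_SRC_PORT_RANGE",
                "L4_DST_PORT_RANGE", "ICMPV6_TYPE", "ICMPV6_CODE",
                "TCP_FLAGS", "NEXT_HEADER"],
    "ACTIONS": ["PACKET_ACTION", "COUNTER"],
    "BIND_POINTS": ["PORT"]}}
# What `config acl add table NORTHBOUND_V6 BMCDATAV6 ... -s ingress` creates.
SAMPLE_TABLES = {"NORTHBOUND_V6": {"type": "BMCDATAV6", "stage": "ingress"}}
SAMPLE_RULES = {
    # Legacy form of the issue's RULE_4000: IP_PROTOCOL on an IPv6 table type.
    "NORTHBOUND_V6|4000_AD_HOC_TCP_SYN": {
        "IP_PROTOCOL": "6", "ETHER_TYPE": "34525", "PRIORITY": "6000",
        "TCP_FLAGS": "0x02/0x02", "PACKET_ACTION": "DROP"},
    # The issue's RULE_4001 as written, already using NEXT_HEADER.
    "NORTHBOUND_V6|4001_AD_HOC_ALLOW_ICMPV6_ECHO": {
        "PACKET_ACTION": "FORWARD", "PRIORITY": "5999", "DST_IPV6": "fc03::1/128",
        "NEXT_HEADER": "58", "ETHER_TYPE": "34525", "ICMPV6_CODE": "0",
        "ICMPV6_TYPE": "129"},
    # Constructed bad rule: an IPv4 qualifier the table type does not declare.
    "NORTHBOUND_V6|4002_BAD_QUALIFIER": {
        "SRC_IP": "10.0.0.0/8", "PRIORITY": "5998", "PACKET_ACTION": "DROP"},
    # Constructed bad rule: the table was never created.
    "NO_SUCH_TABLE|1": {"NEXT_HEADER": "6", "PRIORITY": "1", "PACKET_ACTION": "DROP"},
}


def main(argv):
    """Usage: check_acl.py acl_table_types.json acl_table.json acl_rules.json"""
    if len(argv) == 4:
        with open(argv[1]) as a, open(argv[2]) as b, open(argv[3]) as c:
            table_types = json.load(a)["ACL_TABLE_TYPE"]
            tables, rules = json.load(b)["ACL_TABLE"], json.load(c)["ACL_RULE"]
    else:
        table_types, tables, rules = SAMPLE_TABLE_TYPES, SAMPLE_TABLES, SAMPLE_RULES
    fixed, warnings, errors = check_acl_rules(table_types, tables, rules)
    for line in warnings:
        print("WARN ", line)
    for line in errors:
        print("ERROR", line)
    # Emit a file in the shape `config load` accepts, with NEXT_HEADER in place.
    print(json.dumps({"ACL_RULE": fixed}, indent=2))
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it checks the embedded sample: the legacy RULE_4000 is rewritten with a warning, RULE_4001 passes unchanged, and the two constructed bad rules are reported as errors so the file is not loaded. With three file arguments it does the same for real acl_table_types.json, an ACL_TABLE dump and the rule file, printing a corrected ACL_RULE document on stdout.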