[aclorch]: add support for acl rule to match out port #810
Conversation
pull from origin
shine4chen
changed the title
orchagent/aclorch.cpp
Outdated
| } | ||
| else if (port.m_type == Port::LAG) | ||
| { | ||
| m_outPorts.push_back(port.m_lag_id); |
There was a problem hiding this comment.
does not match SAI spec.
https://github.com/opencomputeproject/SAI/blob/master/inc/saiacl.h#L1260
same as above.
* Aclorch can be the consumer of the APP_ACL_TABLE_NAME and APP_ACL_RULE_TABLE_NAME tables in APP_DB * ACL rule can match out port Signed-off-by: shine.chen <shine.chen@nephosinc.com>
Signed-off-by: leo.li <leo.li@nephosinc.com>
|
The corresponding VS test case has been added, please review. |
Signed-off-by: shine.chen <shine.chen@nephosinc.com>
|
could you resolve the conflicts? |
Signed-off-by: shine.chen <shine.chen@nephosinc.com>
|
@stcheng we have fixed the conflicts. |
|
where is the mclag design spec? since out_ports match are not supported in various asic vendor. we need a more generic approach to address this need. |
|
@lguohan we have discuss it with BRCM folks in sonic-mclag-subgroup. There is a workaround in SAI layer by combination of ingress acl and egress acl. With this workaround most vendors can support out-ports. The following is the isolation logic description copied from MCLAG-HLD
|
|
unless Broadcom SAI as well as other vendor SAI has implemented outPorts, merging this PR will immediately break the image. |
|
isolation group is much more generic and different ASIC can choose different way to implement. Not all ASIC verdors have the same workaround as broadcom. I do not see a reason why we cannot add LAG into isolation group, it is a simple metadata change. |
|
@lguohan Thanks for the feedback. The following is my answer for your concern.
|
|
BRCM will implement an isolation group solution for ingress filtering instead of outPorts, pkts will be dropped at the ingress instead of queueing for egress drop. Design proposal along with other MCLAG improvements will be shared in the upcoming BRCM enhancement HLD. |
|
retest this please |
1 similar comment
|
retest this please |
merge azure/sonic-swss to aclorch branch
Signed-off-by: shine.chen <shine.chen@mediatek.com>
|
retest this please |
3 similar comments
|
retest this please |
|
retest this please |
|
retest this please |
ACL rule can match out port. Out port could be port intf , lag or vlan. Signed-off-by: shine.chen <shine.chen@nephosinc.com>
…b-cli/sonic-db-dump (sonic-net#810) * [MultiDB] sonic-utilities - replace redis-cli/redis-dump with sonic-db-cli/sonic-db-dump * only accept upper and underscore to prevent injection * quotation on db_name
What I did
ACL rule can match out port. Out port could be port intf , lag or vlan.
Why I did it
mclag need acl rule can bind to LAG and acl rule can match out port.
How I verified it
test it on nephos lab
Details if related