Custom ACL Based Metering

- New 'AclRule' subclass: 'AclRulePolicer'
- ACL rule table schema update
- Unit Tests

Author: shaygol

doc/swss-schema.md

@@ -651,6 +651,8 @@ Stores rules associated with a specific ACL table on the switch.
     mirror_ingress_action = 1*255VCHAR         ; refer to the mirror session
     mirror_egress_action = 1*255VCHAR          ; refer to the mirror session
 
+    policer_action = 1*255VCHAR                ; refer to the policer object name
+
     ether_type    = h16                        ; Ethernet type field
 
     ip_type       = ip_types                   ; options of the l2_protocol_type

orchagent/aclorch.cpp

@@ -125,6 +125,11 @@ static acl_rule_attr_lookup_t aclOtherActionLookup =
     { ACTION_COUNTER,                       SAI_ACL_ENTRY_ATTR_ACTION_COUNTER}
 };
 
+static acl_rule_attr_lookup_t aclPolicerActionLookup =
+{
+    { ACTION_POLICER_ACTION,                SAI_ACL_ENTRY_ATTR_ACTION_SET_POLICER }
+};
+
 static acl_packet_action_lookup_t aclPacketActionLookup =
 {
     { PACKET_ACTION_FORWARD, SAI_PACKET_ACTION_FORWARD },
@@ -771,6 +776,7 @@ bool AclTableTypeParser::parseAclTableTypeActions(const std::string& value, AclT
         auto dtelAction = aclDTelActionLookup.find(action);
         auto otherAction = aclOtherActionLookup.find(action);
         auto metadataAction = aclMetadataDscpActionLookup.find(action);
+        auto policerAction = aclPolicerActionLookup.find(action);
         if (l3Action != aclL3ActionLookup.end())
         {
             saiActionAttr = l3Action->second;
@@ -791,6 +797,10 @@ bool AclTableTypeParser::parseAclTableTypeActions(const std::string& value, AclT
         {
             saiActionAttr = metadataAction->second;
         }
+        if (policerAction != aclPolicerActionLookup.end())
+        {
+            saiActionAttr = policerAction->second;
+        }
         else
         {
             SWSS_LOG_ERROR("Unknown action %s", action.c_str());
@@ -831,6 +841,7 @@ AclRule::AclRule(AclOrch *pAclOrch, string rule, string table, bool createCounte
     m_priority(0),
     m_createCounter(createCounter)
 {
+
     auto tableOid = pAclOrch->getTableById(table);
     m_pTable = pAclOrch->getTableByOid(tableOid);
     if (!m_pTable)
@@ -1700,7 +1711,14 @@ bool AclRule::getCreateCounter() const
     return m_createCounter;
 }
 
-shared_ptr<AclRule> AclRule::makeShared(AclOrch *acl, MirrorOrch *mirror, DTelOrch *dtel, const string& rule, const string& table, const KeyOpFieldsValuesTuple& data, MetaDataMgr * m_metadataMgr)
+shared_ptr<AclRule> AclRule::makeShared(AclOrch *acl,
+                                        MirrorOrch *mirror,
+                                        DTelOrch *dtel,
+                                        PolicerOrch *policer,
+                                        const string& rule,
+                                        const string& table,
+                                        const KeyOpFieldsValuesTuple& data,
+                                        MetaDataMgr * m_metadataMgr)
 {
     shared_ptr<AclRule> aclRule;
 
@@ -1729,6 +1747,10 @@ shared_ptr<AclRule> AclRule::makeShared(AclOrch *acl, MirrorOrch *mirror, DTelOr
 
             return make_shared<AclRuleDTelWatchListEntry>(acl, dtel, rule, table);
         }
+        else if (aclPolicerActionLookup.find(action) != aclPolicerActionLookup.cend())
+        {
+            return make_shared<AclRulePolicer>(acl, policer, rule, table);
+        }
     }
 
     if (!aclRule)
@@ -2063,6 +2085,172 @@ void AclRulePacket::onUpdate(SubjectType, void *)
     // Do nothing
 }
 
+AclRulePolicer::AclRulePolicer(AclOrch *aclOrch, PolicerOrch *policer, string rule, string table) :
+        AclRule(aclOrch, rule, table),
+        m_state(false),
+        m_pMirrorOrch(policer)
+{
+}
+
+bool AclRulePolicer::validateAddAction(string attr_name, string attr_value)
+{
+    SWSS_LOG_ENTER();
+
+    sai_acl_entry_attr_t action;
+
+    const auto it = aclPolicerActionLookup.find(attr_name);
+    if (it != aclPolicerActionLookup.cend())
+    {
+        action = it->second;
+    }
+    else
+    {
+        return false;
+    }
+
+    m_policerName = attr_value;
+
+    return setAction(action, sai_acl_action_data_t{});
+}
+
+bool AclRulePolicer::validate()
+{
+    SWSS_LOG_ENTER();
+
+    if ((m_rangeConfig.empty() && m_matches.empty()) || m_policerName.empty())
+    {
+        return false;
+    }
+
+    return true;
+}
+
+bool AclRulePolicer::createCounter()
+{
+    SWSS_LOG_ENTER();
+
+    if (!AclRule::createCounter())
+    {
+        SWSS_LOG_ERROR("Failed to create counter for policer rule %s", m_id.c_str());
+        return false;
+    }
+
+    return true;
+}
+
+bool AclRulePolicer::createRule()
+{
+    SWSS_LOG_ENTER();
+
+    return activate();
+}
+
+bool AclRulePolicer::removeRule()
+{
+    return deactivate();
+}
+
+bool AclRulePolicer::activate()
+{
+    SWSS_LOG_ENTER();
+
+    sai_object_id_t oid = SAI_NULL_OBJECT_ID;
+
+    if (!m_pPolicerOrch->policerExists(m_policerName))
+    {
+        SWSS_LOG_ERROR("Policer rule references policer name \"%s\" that does not exist yet", m_policerName.c_str());
+        return false;
+    }
+
+    if (!m_pPolicerOrch->getPolicerOid(m_policerName, oid) || (oid == SAI_NULL_OBJECT_ID))
+    {
+        SWSS_LOG_ERROR("Failed to get policer OID for policer %s", m_policerName.c_str());
+        return false;
+    }
+
+    for (auto& it: m_actions)
+    {
+        auto attr = it.second.getSaiAttr();
+        attr.value.aclaction.enable = true;
+        attr.value.aclaction.parameter.objlist.list = &oid;
+        attr.value.aclaction.parameter.objlist.count = 1;
+        setAction(it.first, attr.value.aclaction);
+    }
+
+    if (!hasCounter())
+    {
+        if (getCreateCounter() && !createCounter())
+        {
+            SWSS_LOG_ERROR("createCounter failed for Rule %s policer %s", m_id.c_str(), m_policerName.c_str());
+            return false;
+        }
+    }
+
+    if (!AclRule::createRule())
+    {
+        return false;
+    }
+
+    if (!m_pPolicerOrch->increaseRefCount(m_policerName))
+    {
+        SWSS_LOG_ERROR("Failed to increase policer reference count for policer %s", m_policerName.c_str());
+        return false;
+    }
+
+    m_state = true;
+
+    return true;
+}
+
+bool AclRulePolicer::deactivate()
+{
+    SWSS_LOG_ENTER();
+
+    if (!m_state)
+    {
+        return true;
+    }
+
+    if (!AclRule::removeRule())
+    {
+        return false;
+    }
+
+    if (!m_pPolicerOrch->decreaseRefCount(m_policerName))
+    {
+        SWSS_LOG_ERROR("Failed to decrease policer reference count for policer %s", m_policerName.c_str());
+        return false;
+    }
+
+    m_state = false;
+
+    return true;
+}
+
+bool AclRulePolicer::update(const AclRule& rule)
+{
+    SWSS_LOG_ENTER();
+
+    auto policerRule = dynamic_cast<const AclRulePolicer*>(&rule);
+    if (!policerRule)
+    {
+        SWSS_LOG_ERROR("Cannot update policer rule with a rule of a different type");
+        return false;
+    }
+
+    SWSS_LOG_ERROR("Updating policer rule is currently not implemented");
+    return false;
+}
+
+void AclRulePolicer::onUpdate(SubjectType type, void *cntx)
+{
+    SWSS_LOG_ENTER();
+
+    // Do nothing, since:
+    // - PolicerOrch handles policer updates internally and transparently applies them to the policer SAI object.
+    // - The existing reference count mechanism in PolicerOrch prevents deletion of referenced policers, ensuring ACL rules remain valid.
+}
+
 AclRuleMirror::AclRuleMirror(AclOrch *aclOrch, MirrorOrch *mirror, string rule, string table) :
         AclRule(aclOrch, rule, table),
         m_state(false),
@@ -3533,6 +3721,7 @@ void AclOrch::init(vector<TableConnector>& connectors, PortsOrch *portOrch, Mirr
     // Attach observers
     m_mirrorOrch->attach(this);
     gPortsOrch->attach(this);
+    m_policerOrch->attach(this);
 }
 
 void AclOrch::initDefaultTableTypes(const string& platform, const string& sub_platform)
@@ -3884,7 +4073,7 @@ void AclOrch::putAclActionCapabilityInDB(acl_stage_type_t stage)
     {
         metadataActionLookup = aclMetadataDscpActionLookup;
     }
-    for (const auto& action_map: {aclL3ActionLookup, aclMirrorStageLookup, aclDTelActionLookup, metadataActionLookup})
+    for (const auto& action_map: {aclL3ActionLookup, aclMirrorStageLookup, aclDTelActionLookup, metadataActionLookup, aclPolicerActionLookup})
     {
         for (const auto& it: action_map)
         {
@@ -4008,13 +4197,21 @@ void AclOrch::queryAclActionAttrEnumValues(const string &action_name,
     m_switchOrch->set_switch_capability(fvVector);
 }
 
-AclOrch::AclOrch(vector<TableConnector>& connectors, DBConnector* stateDb, SwitchOrch *switchOrch,
-        PortsOrch *portOrch, MirrorOrch *mirrorOrch, NeighOrch *neighOrch, RouteOrch *routeOrch, DTelOrch *dtelOrch) :
+AclOrch::AclOrch(vector<TableConnector>& connectors,
+                 DBConnector* stateDb,
+                 SwitchOrch *switchOrch,
+                 PortsOrch *portOrch,
+                 PolicerOrch *PolicerOrch,
+                 MirrorOrch *mirrorOrch,
+                 NeighOrch *neighOrch,
+                 RouteOrch *routeOrch,
+                 DTelOrch *dtelOrch) :
         Orch(connectors),
         m_aclStageCapabilityTable(stateDb, STATE_ACL_STAGE_CAPABILITY_TABLE_NAME),
         m_aclTableStateTable(stateDb, STATE_ACL_TABLE_TABLE_NAME),
         m_aclRuleStateTable(stateDb, STATE_ACL_RULE_TABLE_NAME),
         m_switchOrch(switchOrch),
+        m_policerOrch(PolicerOrch),
         m_mirrorOrch(mirrorOrch),
         m_neighOrch(neighOrch),
         m_routeOrch(routeOrch),
@@ -4041,6 +4238,8 @@ AclOrch::~AclOrch()
 {
     m_mirrorOrch->detach(this);
 
+    m_policerOrch->detach(this);
+
     if (m_dTelOrch)
     {
         m_dTelOrch->detach(this);
@@ -4263,7 +4462,7 @@ EgressSetDscpTableStatus AclOrch::addEgrSetDscpTable(string table_id, AclTable &
         if (!isAclMetaDataSupported())
         {
             SWSS_LOG_ERROR("Platform does not support MARK_META/MARK_METAV6 tables.");
-            return EgressSetDscpTableStatus::EGRESS_SET_DSCP_TABLE_NOT_SUPPORTED; 
+            return EgressSetDscpTableStatus::EGRESS_SET_DSCP_TABLE_NOT_SUPPORTED;
         }
         AclTable egrSetDscpTable(this);
 
@@ -5384,7 +5583,7 @@ void AclOrch::doAclRuleTask(Consumer &consumer)
 
             try
             {
-                newRule = AclRule::makeShared(this, m_mirrorOrch, m_dTelOrch, rule_id, table_id, t, &m_metaDataMgr);
+                newRule = AclRule::makeShared(this, m_mirrorOrch, m_dTelOrch, m_policerOrch, rule_id, table_id, t, &m_metaDataMgr);
             }
             catch (exception &e)
             {

orchagent/aclorch.h

@@ -61,6 +61,7 @@
 #define ACTION_PACKET_ACTION                "PACKET_ACTION"
 #define ACTION_REDIRECT_ACTION              "REDIRECT_ACTION"
 #define ACTION_DO_NOT_NAT_ACTION            "DO_NOT_NAT_ACTION"
+#define ACTION_POLICER_ACTION               "POLICER_ACTION"
 #define ACTION_MIRROR_ACTION                "MIRROR_ACTION"
 #define ACTION_MIRROR_INGRESS_ACTION        "MIRROR_INGRESS_ACTION"
 #define ACTION_MIRROR_EGRESS_ACTION         "MIRROR_EGRESS_ACTION"
@@ -317,12 +318,13 @@ class AclRule
 
     const vector<AclRangeConfig>& getRangeConfig() const;
     static shared_ptr<AclRule> makeShared(AclOrch *acl,
-                                        MirrorOrch *mirror,
-                                        DTelOrch *dtel,
-                                        const string& rule,
-                                        const string& table,
-                                        const KeyOpFieldsValuesTuple&,
-                                        MetaDataMgr * m_metadataMgr);
+                                          MirrorOrch *mirror,
+                                          DTelOrch *dtel,
+                                          PolicerOrch *policer,
+                                          const string& rule,
+                                          const string& table,
+                                          const KeyOpFieldsValuesTuple&,
+                                          MetaDataMgr * m_metadataMgr);
     virtual ~AclRule() {}
 
 protected:
@@ -380,6 +382,30 @@ class AclRulePacket: public AclRule
     sai_object_id_t getRedirectObjectId(const string& redirect_param);
 };
 
+class AclRulePolicer: public AclRule
+{
+public:
+    AclRulePolicer (AclOrch *m_pAclOrch, PolicerOrch *policer, string rule, string table);
+
+    bool validateAddAction(string attr_name, string attr_value);
+    bool validate();
+    bool createCounter();
+    bool createRule();
+    bool removeRule();
+    void onUpdate(SubjectType, void *) override;
+
+    bool activate();
+    bool deactivate();
+
+    bool update(const AclRule& updatedRule) override;
+
+protected:
+    protected:
+    bool m_state {false};
+    string m_policerName;
+    PolicerOrch *m_pPolicerOrch {nullptr};
+};
+
 class AclRuleMirror: public AclRule
 {
 public:
@@ -528,6 +554,7 @@ class AclOrch : public Orch, public Observer
             DBConnector             *m_stateDb,
             SwitchOrch              *m_switchOrch,
             PortsOrch               *portOrch,
+            PolicerOrch             *policerOrch,
             MirrorOrch              *mirrorOrch,
             NeighOrch               *neighOrch,
             RouteOrch               *routeOrch,
@@ -546,6 +573,7 @@ class AclOrch : public Orch, public Observer
 
     // FIXME: Add getters for them? I'd better to add a common directory of orch objects and use it everywhere
     MirrorOrch *m_mirrorOrch;
+    PolicerOrch *m_policerOrch;
     NeighOrch *m_neighOrch;
     RouteOrch *m_routeOrch;
     DTelOrch *m_dTelOrch;

orchagent/orchdaemon.cpp

@@ -464,7 +464,7 @@ bool OrchDaemon::init()
     }
 
     gAclOrch = new AclOrch(acl_table_connectors, m_stateDb,
-        gSwitchOrch, gPortsOrch, gMirrorOrch, gNeighOrch, gRouteOrch, dtel_orch);
+        gSwitchOrch, gPortsOrch, gPolicerOrch, gMirrorOrch, gNeighOrch, gRouteOrch, dtel_orch);
 
     vector<string> mlag_tables = {
         { CFG_MCLAG_TABLE_NAME },