[syncd] Add pre match logic for acl entry#1240
Merged
kcudnik merged 2 commits intosonic-net:masterfrom Jun 8, 2023
Merged
Conversation
vaibhavhd
reviewed
May 22, 2023
|
|
||
| if (obj.second->getObjectType() == SAI_OBJECT_TYPE_ACL_TABLE_GROUP) | ||
| if (obj.second->getObjectType() == SAI_OBJECT_TYPE_ACL_TABLE_GROUP || | ||
| obj.second->getObjectType() == SAI_OBJECT_TYPE_ACL_ENTRY) |
Contributor
There was a problem hiding this comment.
Why is this change needed? Wouldn't cretePreMatchForAclEntries be sufficient to match right ACLs?
Collaborator
Author
There was a problem hiding this comment.
no, since ACL_ENTRY is leaf object
vaibhavhd
reviewed
May 22, 2023
| auto cPrio = cAclEntry->getSaiAttr(SAI_ACL_ENTRY_ATTR_PRIORITY); | ||
| auto tPrio = tAclEntry->getSaiAttr(SAI_ACL_ENTRY_ATTR_PRIORITY); | ||
|
|
||
| if (cPrio->getStrAttrValue() != tPrio->getStrAttrValue()) |
Contributor
There was a problem hiding this comment.
Rookie question: are ACL priorities guaranteed to be always unique? If not, then we will likely run into same issue again.
Collaborator
Author
There was a problem hiding this comment.
no they are not guaranteed in general, but sonic make sure that they are, since we want to control the right order of the acl, so having 2 acls with the same priority not guarantee the order of them
vaibhavhd
previously approved these changes
May 22, 2023
Contributor
vaibhavhd
left a comment
vaibhavhd
left a comment
There was a problem hiding this comment.
Please wait for Ying or Sai's review before merge.
saiarcot895
reviewed
May 23, 2023
saiarcot895
approved these changes
May 23, 2023
Collaborator
Author
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
yxieca
pushed a commit
that referenced
this pull request
Jun 15, 2023
this will test scenario where we have 1 acl entry with counter and after warm boot 2 acl entries and 2 counters the same which could end up matching wrong acl counter and causing fail "object exist" on broadcom acl entry set, which will require improve pre match logic for acl entry
Contributor
|
This commit could not be cleanly cherry-picked to 202012. Please submit another PR. |
Contributor
|
@kcudnik please raise a separate PR for 202012 branch |
kcudnik
added a commit
to kcudnik/sonic-sairedis
that referenced
this pull request
Jun 28, 2023
this will test scenario where we have 1 acl entry with counter and after warm boot 2 acl entries and 2 counters the same which could end up matching wrong acl counter and causing fail "object exist" on broadcom acl entry set, which will require improve pre match logic for acl entry
Contributor
|
Manually cherry-pick PR created: #1257 |
kcudnik
added a commit
that referenced
this pull request
Jul 10, 2023
this will test scenario where we have 1 acl entry with counter and after warm boot 2 acl entries and 2 counters the same which could end up matching wrong acl counter and causing fail "object exist" on broadcom acl entry set, which will require improve pre match logic for acl entry
kcudnik
added a commit
to kcudnik/sonic-sairedis
that referenced
this pull request
Aug 2, 2023
this will test scenario where we have 1 acl entry with counter and after warm boot 2 acl entries and 2 counters the same which could end up matching wrong acl counter and causing fail "object exist" on broadcom acl entry set, which will require improve pre match logic for acl entry
yxieca
pushed a commit
that referenced
this pull request
Aug 29, 2023
this will test scenario where we have 1 acl entry with counter and after warm boot 2 acl entries and 2 counters the same which could end up matching wrong acl counter and causing fail "object exist" on broadcom acl entry set, which will require improve pre match logic for acl entry
vaibhavhd
pushed a commit
to sonic-net/sonic-utilities
that referenced
this pull request
Jun 3, 2024
…3333) Description Add a check for ensuring mirror session ACLs are programmed to ASIC What is the issue? This fix is to address an issue where an ACL is added to CONFIG_DB, but before it could be programmed to ASIC, Orchagent is paused. This leads to APPLY_VIEW failure when base image OA could not process this ACL entry and target image's OA still creates it. The issue has an image fix available at sonic-net/sonic-sairedis#1240 This issue is very rare, and has been caught by upgrade path tests only once in thousands of iterations. What is this fix? A new logic is added to check if mirror session ACLs for arp and nd are added to ASIC.. ACLs are looked into ASIC_DB and matched using SAI_ACL_ENTRY_ATTR_PRIORITY attribute. SAI_ACL_ENTRY_ATTR_PRIORITY for arp ACL is 8888 and for nd is 8887 If one of the ACLs is found missing then warmboot is aborted. Tested on physical testbed running 202311 and master
arfeigin
pushed a commit
to arfeigin/sonic-utilities
that referenced
this pull request
Jun 16, 2024
…onic-net#3333) Description Add a check for ensuring mirror session ACLs are programmed to ASIC What is the issue? This fix is to address an issue where an ACL is added to CONFIG_DB, but before it could be programmed to ASIC, Orchagent is paused. This leads to APPLY_VIEW failure when base image OA could not process this ACL entry and target image's OA still creates it. The issue has an image fix available at sonic-net/sonic-sairedis#1240 This issue is very rare, and has been caught by upgrade path tests only once in thousands of iterations. What is this fix? A new logic is added to check if mirror session ACLs for arp and nd are added to ASIC.. ACLs are looked into ASIC_DB and matched using SAI_ACL_ENTRY_ATTR_PRIORITY attribute. SAI_ACL_ENTRY_ATTR_PRIORITY for arp ACL is 8888 and for nd is 8887 If one of the ACLs is found missing then warmboot is aborted. Tested on physical testbed running 202311 and master
nmoray
pushed a commit
to nmoray/sonic-utilities
that referenced
this pull request
Jun 25, 2025
…onic-net#3333) Description Add a check for ensuring mirror session ACLs are programmed to ASIC What is the issue? This fix is to address an issue where an ACL is added to CONFIG_DB, but before it could be programmed to ASIC, Orchagent is paused. This leads to APPLY_VIEW failure when base image OA could not process this ACL entry and target image's OA still creates it. The issue has an image fix available at sonic-net/sonic-sairedis#1240 This issue is very rare, and has been caught by upgrade path tests only once in thousands of iterations. What is this fix? A new logic is added to check if mirror session ACLs for arp and nd are added to ASIC.. ACLs are looked into ASIC_DB and matched using SAI_ACL_ENTRY_ATTR_PRIORITY attribute. SAI_ACL_ENTRY_ATTR_PRIORITY for arp ACL is 8888 and for nd is 8887 If one of the ACLs is found missing then warmboot is aborted. Tested on physical testbed running 202311 and master
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
this will test scenario where we have 1 acl entry with counter and after
warm boot 2 acl entries and 2 counters the same which could end up
matching wrong acl counter and causing fail "object exist" on broadcom
acl entry set, which will require improve pre match logic for acl entry
ADO: 17914573