Fix to not miss the entire set of counters to be added in addObject for CounterContext::updateSupportedCount by judyjoseph · Pull Request #1493 · sonic-net/sonic-sairedis

judyjoseph · 2025-01-07T01:00:10Z

Fixes issue: sonic-net/sonic-buildimage#21232

In MACSEC there are two set of counters one for INGRESS another for EGRESS which gets mapped to the same COUNTER type - CounterType::MACSEC_SA ( https://github.com/sonic-net/sonic-swss/blob/c20902f3195b5bf8a941045e131aa1b863b69fd0/orchagent/macsecorch.cpp#L2145 )

In the releases after 202205 we started seeing this behavior where the MACSEC RX counters were missing as mentioned in the issue 21232. Further debugging pointed to issue seen after this PR : #1073 was merged.

In this case when macsec orch tries to addCounter for INGRESS SA after the EGRESS SA, and it don't go through as the m_supportedCounters is not empty.

For a fix I am removing the check in CounterContext::updateSupportedCount, which I think is ok as we anyways do a check later on in getSupportedCounters() API using isCounterSupported() before calling collectData()

sonic-sairedis/syncd/FlexCounter.cpp

Line 939 in 1684aec

if (isCounterSupported(counter))

After the fix the macsec SA ingress counters are seen

                ---------------------------------------  ----------------------------------------------------------------
MACsec port(Ethernet216)
---------------------  ---------------
cipher_suite           GCM-AES-XPN-256
enable                 true
enable_encrypt         true
enable_protect         true
enable_replay_protect  false
profile                MACSEC_PROFILE
replay_window          0
send_sci               true
---------------------  ---------------
        MACsec Egress SC (xxx)
        -----------  -
        encoding_an  0
        -----------  -
                MACsec Egress SA (0)
                -------------------------------------  ----------------------------------------------------------------
                auth_key                               xxx
                next_pn                                1
                sak                                    xxx
                salt                                   xxx
                ssci                                   1
                SAI_MACSEC_SA_ATTR_CURRENT_XPN         99
                SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED    17947
                SAI_MACSEC_SA_STAT_OCTETS_PROTECTED    0
                SAI_MACSEC_SA_STAT_OUT_PKTS_ENCRYPTED  98
                SAI_MACSEC_SA_STAT_OUT_PKTS_PROTECTED  0
                -------------------------------------  ----------------------------------------------------------------
        MACsec Ingress SC (xxx)
                MACsec Ingress SA (0)
                ---------------------------------------  ----------------------------------------------------------------
                active                                   true
                auth_key                                 xxx
                lowest_acceptable_pn                     1
                sak                                      xxx
                salt                                     xxx
                ssci                                     2
                SAI_MACSEC_SA_ATTR_CURRENT_XPN           203
                SAI_MACSEC_SA_STAT_IN_PKTS_DELAYED       0                              <<<<<<<<<<<<<<<<<<<<
                SAI_MACSEC_SA_STAT_IN_PKTS_INVALID       0
                SAI_MACSEC_SA_STAT_IN_PKTS_LATE          0
                SAI_MACSEC_SA_STAT_IN_PKTS_NOT_USING_SA  0
                SAI_MACSEC_SA_STAT_IN_PKTS_NOT_VALID     0
                SAI_MACSEC_SA_STAT_IN_PKTS_OK            5
                SAI_MACSEC_SA_STAT_IN_PKTS_UNCHECKED     0
                SAI_MACSEC_SA_STAT_IN_PKTS_UNUSED_SA     0
                SAI_MACSEC_SA_STAT_OCTETS_ENCRYPTED      512
                SAI_MACSEC_SA_STAT_OCTETS_PROTECTED      0                          <<<<<<<<<<<<<<<<<<<<<
                ---------------------------------------  ----------------------------------------------------------------

…::updateSupportedCounters

mssonicbld · 2025-01-07T01:00:12Z

/azp run

azure-pipelines · 2025-01-07T01:00:53Z

Azure Pipelines successfully started running 1 pipeline(s).

Junchao-Mellanox · 2025-01-07T01:54:47Z

Maybe we can set always_check_supported_counters to true for macsec counters?

judyjoseph · 2025-01-07T02:08:44Z

Maybe we can set always_check_supported_counters to true for macsec counters?

I thought of this approach, but from code I see it resets the current m_supportedCounters counter list -- which will not help, as it clears the existing list ?

    if (always_check_supported_counters)
    {
        m_supportedCounters.clear();
    }

Junchao-Mellanox · 2025-01-07T04:15:45Z

Removing the check will cause it check supported counter each time adding an object. I am afraid it will cause performance degradation. Could you please add one more attribute like dont_clear_support_counter and set it to true for macsec counter?

…ng the existing m_supportedCounters

mssonicbld · 2025-01-07T21:10:21Z

/azp run

azure-pipelines · 2025-01-07T21:10:32Z

Azure Pipelines successfully started running 1 pipeline(s).

judyjoseph · 2025-01-07T21:10:57Z

Removing the check will cause it check supported counter each time adding an object. I am afraid it will cause performance degradation. Could you please add one more attribute like dont_clear_support_counter and set it to true for macsec counter?

Added a new flag 'dont_clear_support_counter', do review

syncd/FlexCounter.cpp

…r MACSEC_SA

mssonicbld · 2025-01-08T23:37:19Z

/azp run

azure-pipelines · 2025-01-08T23:37:29Z

Azure Pipelines successfully started running 1 pipeline(s).

liamkearney-msft · 2025-01-09T00:15:45Z

can you add a snippit of the macsec counters tests run on this change? thanks

judyjoseph · 2025-01-09T18:16:25Z

can you add a snippit of the macsec counters tests run on this change? thanks

I have updated the PR description with the show macsec o/p. Will add the test result also soon.

mssonicbld · 2025-01-17T16:44:29Z

Cherry-pick PR to 202405: #1503

mssonicbld · 2025-01-20T23:01:45Z