vpp: support binding multiple ACL tables by priority #1732
lguohan merged 6 commits into sonic-net:master from
Conversation
- Added catch-all acl group
- Add a dummy rule because vpp doesn't allow empty table

Signed-off-by: Yue Gao <[email protected]>
/azp run
Azure Pipelines successfully started running 1 pipeline(s).
Signed-off-by: Yue Gao <[email protected]>
Signed-off-by: Yue Gao <[email protected]>
- This could happen in a race condition when the interface is removed during shutdown

Signed-off-by: Yue Gao <[email protected]>

This reverts commit 633c0d7.

Signed-off-by: Yue Gao <[email protected]>
AkeelAli left a comment:
I would just add a comment in the PR description about the changes in SaiVppStats.c.
Pull request overview
This PR updates the VPP-backed VS ACL implementation to support binding multiple ACL tables to a port by ordering them via table-group-member priority, while preserving SONiC’s default “permit if no match” behavior. It also hardens VPP stats dumping to avoid crashes/leaks when queried stats paths disappear.
Changes:
- Remove per-table default permit-all rules and introduce an “empty table” placeholder ACL rule to satisfy VPP’s non-empty requirement.
- Bind multiple ACL tables for a table group by sorting members by priority and appending a shared catch-all default permit ACL at the end.
- Fix stats dump error handling/cleanup to avoid races and leaks when VPP stat directory listing returns null/empty.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| vslib/vpp/vppxlate/SaiVppStats.c | Frees VPP vectors and disconnects cleanly on null/empty stat listings to avoid crash/leaks. |
| vslib/vpp/SwitchVppAcl.cpp | Reworks ACL table defaults, introduces empty-table placeholder ACL, sorts/binds group members by priority, adds shared default permit ACL binding. |
| vslib/vpp/SwitchVpp.h | Adds state for the shared default permit ACL (swindex + created flag) and new helper declarations. |
| if (get(SAI_OBJECT_TYPE_ACL_TABLE_GROUP, tbl_grp_oid, 1, &attr) != SAI_STATUS_SUCCESS) { | ||
| SWSS_LOG_INFO("ACL table group %s direction not found", | ||
| sai_serialize_object_id(tbl_grp_oid).c_str()); | ||
| return SAI_STATUS_FAILURE; |
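Review bot: the failure path here logs at SWSS_LOG_INFO but returns SAI_STATUS_FAILURE, so a group member add/remove that fails leaves only an info-level trace. Either raise it to SWSS_LOG_ERROR if the failure stays, or, if a missing stage is expected, return success as aclBindUnbindPorts does, so the log level and the return code agree.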
addRemoveAclGrpMbr fails the whole operation if SAI_ACL_TABLE_GROUP_ATTR_ACL_STAGE is missing. Elsewhere (aclBindUnbindPorts) the code treats a missing stage as a no-op and returns success; consider keeping the behavior consistent to avoid group member add/remove failing due to missing/unset stage metadata.
| return SAI_STATUS_FAILURE; | |
| // Missing stage metadata: behave as no-op and return success, consistent with aclBindUnbindPorts | |
| return SAI_STATUS_SUCCESS; |
| sai_status_t status = aclBindUnbindPort(port_oid, tbl_grp_oid, is_input, false); | ||
| if (status != SAI_STATUS_SUCCESS) { | ||
| SWSS_LOG_ERROR("Failed to unbind ACL group %s from port %s", | ||
| sai_serialize_object_id(tbl_grp_oid).c_str(), | ||
| sai_serialize_object_id(port_oid).c_str()); |
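Review bot: the SWSS_LOG_ERROR on the unbind path records both oids but not the failing `status`; include the status value in the message so an operator can distinguish a VPP rejection from a bookkeeping miss when reading the log.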
During step 1 unbind, aclBindUnbindPort mutates m_acl_tbl_grp_ports_map (removes ports) as a side effect. If an unbind fails and this function returns early, the ports map can be left partially modified, desynchronizing internal bookkeeping from VPP state. Consider unbinding without updating the ports map (or rolling back map updates on failure).
| attr.id = SAI_ACL_TABLE_GROUP_MEMBER_ATTR_ACL_TABLE_ID; | ||
| if (get(SAI_OBJECT_TYPE_ACL_TABLE_GROUP_MEMBER, member_oid, 1, &attr) != SAI_STATUS_SUCCESS) { | ||
| auto sid = sai_serialize_object_id(member_oid); | ||
| SWSS_LOG_INFO("ACL table oid for acl grp member id %s not found", sid.c_str()); | ||
| continue; | ||
| SWSS_LOG_INFO("ACL table oid for acl grp member id %s not found", | ||
| sai_serialize_object_id(member_oid).c_str()); | ||
| return SAI_STATUS_FAILURE; |
If fetching SAI_ACL_TABLE_GROUP_MEMBER_ATTR_ACL_TABLE_ID fails, this now returns SAI_STATUS_FAILURE immediately. Since aclBindUnbindPort already updated the port↔group bookkeeping at the top of the function, this can leave internal state indicating the port is bound/unbound even though no VPP bind/unbind was performed. Consider treating this as a skip (or rolling back the bookkeeping) to avoid desynchronizing state on transient/stale members.
| SWSS_LOG_INFO("VS swindex for ACL table oid %s not found", | ||
| sai_serialize_object_id(tbl_oid).c_str()); | ||
| return SAI_STATUS_FAILURE; |
Similarly, returning failure when the ACL table swindex isn’t found (m_acl_swindex_map.end()) can desynchronize bookkeeping (port already recorded as bound/unbound) and may block binding other valid tables. Consider handling this more gracefully (skip the stale member and/or roll back the port-map change) so a single missing table doesn’t break the entire group bind/unbind.
| SWSS_LOG_INFO("VS swindex for ACL table oid %s not found", | |
| sai_serialize_object_id(tbl_oid).c_str()); | |
| return SAI_STATUS_FAILURE; | |
| SWSS_LOG_INFO("VS swindex for ACL table oid %s not found, skipping member %s", | |
| sai_serialize_object_id(tbl_oid).c_str(), | |
| sai_serialize_object_id(member_oid).c_str()); | |
| continue; |
| // Create an ACL with 1 rule matching dest IP 0.0.0.0/32 (will never match real traffic) but vpp doesn't allow 0 rule table | ||
| acl = (vpp_acl_t *) calloc(1, sizeof(vpp_acl_t) + sizeof(vpp_acl_rule_t)); |
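Review bot: the calloc return value in emptyAclCreate is not checked in the visible lines before the rule is written into the buffer; add a NULL check that returns failure. The size sizeof(vpp_acl_t) + sizeof(vpp_acl_rule_t) is only correct when vpp_acl_t ends in a flexible array of vpp_acl_rule_t, which is worth stating in the comment.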
The comment in emptyAclCreate says the dummy rule “will never match real traffic”, but matching dst IP 0.0.0.0/32 can still match packets destined to 0.0.0.0 (e.g., malformed or unexpected traffic). Either adjust the wording (e.g., “unlikely”) or pick a match condition that is guaranteed not to occur in your environment.
why

currently vpp doesn't support binding multiple ACL tables. Each table is appended with default permit-all rules. With multiple tables, this may cause an ACL to be matched by such rules and skip the actual rules in the tables after this one.

what this PR does

- remove the default permit-all rules for each table
- If a table is empty, create a dummy rule that won't match any traffic because vpp doesn't allow an empty table. The dummy rule matches dest-ip to 0.0.0.0/32
- sort all the tables by priority in the table group. vpp doesn't support parallel matching
- added catch-all acl group to the end. vpp default behavior of no match is drop but sonic is accept.
- Fix sonic-vpp crashing due to race condition during stats pull. If the interface to get stats has been removed, stat_segment_ls_r returns null.

Signed-off-by: Yue Gao <[email protected]>
Signed-off-by: Vivek Reddy <[email protected]>
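The first-match ordering that the PR description above (and the Copilot overview) describes, as an added C++ model that is not code from this PR or from sonic-sairedis; the table names, priorities, the placeholder rule's action and the sort direction (higher priority value evaluated first) are assumptions:

```cpp
// Added example, not code from the PR: a model of VPP's first-match evaluation
// over the ACLs bound to an interface, showing why per-table permit-all rules
// broke multi-table binding and how the PR's ordering fixes it.
#include <algorithm>
#include <string>
#include <vector>

enum class Action { Permit, Deny };
struct Rule { std::string dstIp; Action action; };   // "*" matches any dst
struct AclTable { std::string name; int priority; std::vector<Rule> rules; };

// Old behaviour: a permit-all rule was appended to every table, so the rules
// of any table bound after the first one could never be reached.
static std::vector<Rule> bindLegacy(const std::vector<AclTable>& tables) {
    std::vector<Rule> chain;
    for (const auto& t : tables) {
        chain.insert(chain.end(), t.rules.begin(), t.rules.end());
        chain.push_back({"*", Action::Permit});
    }
    return chain;
}
// PR behaviour: no per-table permit-all; an empty table gets the 0.0.0.0/32
// placeholder (action assumed) since VPP rejects a zero-rule ACL; members sorted
// by group-member priority (assumed higher value first); one shared catch-all permit.
static std::vector<Rule> bindByPriority(std::vector<AclTable> tables) {
    std::stable_sort(tables.begin(), tables.end(),
        [](const AclTable& a, const AclTable& b) { return a.priority > b.priority; });
    std::vector<Rule> chain;
    for (const auto& t : tables) {
        if (t.rules.empty()) chain.push_back({"0.0.0.0", Action::Deny});
        chain.insert(chain.end(), t.rules.begin(), t.rules.end());
    }
    chain.push_back({"*", Action::Permit});   // keeps SONiC's accept-on-no-match
    return chain;
}
// VPP walks the bound ACLs in order: first matching rule wins, no match drops.
static Action lookup(const std::vector<Rule>& chain, const std::string& dstIp) {
    for (const auto& r : chain)
        if (r.dstIp == "*" || r.dstIp == dstIp) return r.action;
    return Action::Deny;
}
// Constructed scenario: A (priority 10) denies 10.0.0.1, B (priority 5)
// denies 10.0.0.2, C (priority 1) is empty.
static Action verdict(bool usePriorityBinding, const std::string& dstIp) {
    std::vector<AclTable> tables = {{"A", 10, {{"10.0.0.1", Action::Deny}}},
                                    {"B", 5, {{"10.0.0.2", Action::Deny}}},
                                    {"C", 1, {}}};
    return lookup(usePriorityBinding ? bindByPriority(tables) : bindLegacy(tables), dstIp);
}
```

With the legacy chain the deny in table B is shadowed by table A's permit-all; with priority binding it fires, and traffic matching no table is still permitted.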