Combine v4 and v6 L3 ACL rules on optimized platforms

[rck-innovium]

This document describes the SONiC ACL optimization for using IPv4 ACL rules in L3V6 ACL tables on platforms optimized for this.

Repo	PR title	State
sonic-swss	Combine v4 and v6 L3 ACL rules on optimized platforms	Merged
sonic-utilities	[acl-loader] Support for ACL table type L3V4V6	Merged
sonic-buildimage	Support a new ACL table type called L3V4V6	Merged
sonic-mgmt	Test plan for L3V4V6 type ACL table	Merged
sonic-mgmt	PTF Test for L3V4V6 type ACL table	Open

[zhangyanzhao]

reviewed in community meeting.

[bingwang-ms]

The proposal looks god to me. Actually, I was doing similar investigation as well. I tried to implement same feature with the custom ACL type introduced by this PR sonic-net/sonic-swss#1982. We may define the new ACL table type by configuration without code change,
I also added a test case to verify that sonic-net/sonic-mgmt#6905 .

[venkatmahalingam]

@zhangyanzhao Please add me as the reviewer.

[ghost]

Hi, There might be a mistake, I’m not involved at all in this. Please stop sending me notification emails about that. Thank you Best regards / Cordialement, Antonino NAPOLI Manager Advanced Services O: +33 972 601 900 | M: +33 766 036 737 A: 19 rue des châteaux, 59290 Wasquehal, FRANCE [A close up of a logo Description automatically generated]<https://www.expereo.com/> From: svshah-intel ***@***.***> Sent: Tuesday, February 21, 2023 8:55 PM To: sonic-net/SONiC ***@***.***> Cc: Subscribed ***@***.***> Subject: Re: [sonic-net/SONiC] Support v4 ACL rules in V6 ACL tables on optimized platforms (PR #1267) You don't often get email from ***@***.******@***.***>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> @svshah-intel commented on this pull request.

________________________________ In doc/acl/Extend-L3V6ACLs.md<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fsonic-net%2FSONiC%2Fpull%2F1267%23discussion_r1113508338&data=05%7C01%7C%7C70f5ac7b7ac04859c83508db14458b93%7Cd8b0675bbea4400292891da6ecc1ab6c%7C1%7C0%7C638126061161778453%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=HzlxhLcdfoVzrROY5Dqr4tziJgf0cxxk8YsXazBzwVw%3D&reserved=0>:

+ * | MATCH_L4_SRC_PORT | √ |

+ * | MATCH_L4_DST_PORT | √ | + * | MATCH_TCP_FLAGS | √ | + * |-------------------------------------| + */ + + +##### Pros and Cons +All the pros and cons of option-B (extending L3V6 ACL table) applies here as well. +Additionally, option-C has the below cons: +- Need platform checks to determine which platforms can support combined v4 and v6 ACL table. +- Even on platforms that support combined v4 and v6 ACL tables, we need additional checks to identify which platforms are optimized to have v4 and v6 in the same ACL table. + +#### Implementation + +Based on the above design considerations, option-B is implemented. @rck-innovium<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Frck-innovium&data=05%7C01%7C%7C70f5ac7b7ac04859c83508db14458b93%7Cd8b0675bbea4400292891da6ecc1ab6c%7C1%7C0%7C638126061161778453%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=oazoD%2BMKCSVQhEyEGmXTGyKYAzvpfcUmjPnjdVmd3oo%3D&reserved=0> as discussed in the meeting today, it is worth to take a look at how openconfig ACL yang model supports mixed mode, and if we can follow similar option. — Reply to this email directly, view it on GitHub<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fsonic-net%2FSONiC%2Fpull%2F1267%23pullrequestreview-1308078057&data=05%7C01%7C%7C70f5ac7b7ac04859c83508db14458b93%7Cd8b0675bbea4400292891da6ecc1ab6c%7C1%7C0%7C638126061161778453%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=fZ02l3RQZDrrui%2BcpFOl8VRTFZbO3Q%2FyMZbKYUhrzlk%3D&reserved=0>, or unsubscribe<https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fnotifications%2Funsubscribe-auth%2FACZOGFYK2QEUQNIZ63UFNOLWYUMRZANCNFSM6AAAAAAVAISUMM&data=05%7C01%7C%7C70f5ac7b7ac04859c83508db14458b93%7Cd8b0675bbea4400292891da6ecc1ab6c%7C1%7C0%7C638126061161778453%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=YV1XUCR1rxGloH13bIFNm%2FDmfPBOVaUXdi%2Ft8AHgv9M%3D&reserved=0>. You are receiving this because you are subscribed to this thread.Message ID: ***@***.******@***.***>>

[zhangyanzhao]

community review recording https://zoom.us/rec/share/4-yYo-RXcFAKMxptEFExMMFYYGJnHfizv9G9I3ySVzdAfg-JN21vJdg5MOTR4HKz.OqXPjTeeWNi64ocW

[rck-innovium]

The proposal looks god to me. Actually, I was doing similar investigation as well. I tried to implement same feature with the custom ACL type introduced by this PR sonic-net/sonic-swss#1982. We may define the new ACL table type by configuration without code change, I also added a test case to verify that sonic-net/sonic-mgmt#6905 .

Please look at the updated proposal.
On platforms NOT supporting v4 and v6 in a single SAI ACL table, this new L3V4V6 ACL table will be supported by orchagent's special handling. Orchagent would internally create and manage two SAI ACL tables as shown in the right picture below. The operator is agnostic about the underlying ASIC behavior and only sees a consolidated SONiC ACL table.

This needs ACL orchagent changes.