Skip to content

Commit

Permalink
[ACL] Remove flex counter when updating ACL rule (sonic-net#3118)
Browse files Browse the repository at this point in the history
What I did
This PR is to fix sonic-net/sonic-buildimage#18719

When ACL rule is created for the first time, a flex counter is created and registered. When the same ACL rule is being updated, the FlexCounter created before is not removed, and another FlexCounter is created and registered.

Why I did it
Fix the issue that FlexCounter is duplicated when updating existing ACL rule.
  • Loading branch information
bingwang-ms authored and mssonicbld committed Apr 22, 2024
1 parent 5eadb79 commit 3ca3f11
Show file tree
Hide file tree
Showing 3 changed files with 56 additions and 1 deletion.
6 changes: 6 additions & 0 deletions orchagent/aclorch.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -2585,6 +2585,12 @@ bool AclTable::add(shared_ptr<AclRule> newRule)
if (ruleIter != rules.end())
{
// If ACL rule already exists, delete it first
if (ruleIter->second->hasCounter())
{
// Deregister the flex counter before deleting the rule
// A new flex counter will be created when the new rule is added
m_pAclOrch->deregisterFlexCounter(*(ruleIter->second));
}
if (ruleIter->second->remove())
{
rules.erase(ruleIter);
Expand Down
18 changes: 17 additions & 1 deletion tests/dvslib/dvs_acl.py
Original file line number Diff line number Diff line change
Expand Up @@ -685,6 +685,17 @@ def _match_acl_range(sai_acl_range):
return True

return _match_acl_range

def get_acl_counter_oid(self, acl_rule_id=None) -> str:
if not acl_rule_id:
acl_rule_id = self._get_acl_rule_id()

entry = self.asic_db.wait_for_entry("ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY", acl_rule_id)
counter_oid = entry.get("SAI_ACL_ENTRY_ATTR_ACTION_COUNTER")
return counter_oid

def get_acl_rule_id(self) -> str:
return self._get_acl_rule_id()

def _get_acl_rule_id(self) -> str:
num_keys = len(self.asic_db.default_acl_entries) + 1
Expand Down Expand Up @@ -742,7 +753,12 @@ def _check_acl_entry_counters_map(self, acl_entry_oid: str):
return
rule_to_counter_map = self.counters_db.get_entry("ACL_COUNTER_RULE_MAP", "")
counter_to_rule_map = {v: k for k, v in rule_to_counter_map.items()}
assert counter_oid in counter_to_rule_map
assert counter_oid in counter_to_rule_map

def check_acl_counter_not_in_counters_map(self, acl_counter_oid: str):
rule_to_counter_map = self.counters_db.get_entry("ACL_COUNTER_RULE_MAP", "")
counter_to_rule_map = {v: k for k, v in rule_to_counter_map.items()}
assert acl_counter_oid not in counter_to_rule_map

def verify_acl_table_status(
self,
Expand Down
33 changes: 33 additions & 0 deletions tests/test_acl.py
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
import pytest
from requests import request
import time

L3_TABLE_TYPE = "L3"
L3_TABLE_NAME = "L3_TEST"
Expand Down Expand Up @@ -131,6 +132,38 @@ def test_InvalidAclRuleCreation(self, dvs_acl, l3_acl_table):
dvs_acl.verify_acl_rule_status(L3_TABLE_NAME, "INVALID_RULE", None)
dvs_acl.verify_no_acl_rules()

def test_AclRuleUpdate(self, dvs_acl, l3_acl_table):
"""The test is to verify there is no duplicated flex counter when updating an ACL rule
"""
config_qualifiers = {"SRC_IP": "10.10.10.10/32"}
expected_sai_qualifiers = {
"SAI_ACL_ENTRY_ATTR_FIELD_SRC_IP": dvs_acl.get_simple_qualifier_comparator("10.10.10.10&mask:255.255.255.255")
}

dvs_acl.create_acl_rule(L3_TABLE_NAME, L3_RULE_NAME, config_qualifiers)
dvs_acl.verify_acl_rule(expected_sai_qualifiers)

acl_rule_id = dvs_acl.get_acl_rule_id()
counter_id = dvs_acl.get_acl_counter_oid()

new_config_qualifiers = {"SRC_IP": "10.10.10.11/32"}
new_expected_sai_qualifiers = {
"SAI_ACL_ENTRY_ATTR_FIELD_SRC_IP": dvs_acl.get_simple_qualifier_comparator("10.10.10.11&mask:255.255.255.255")
}
dvs_acl.update_acl_rule(L3_TABLE_NAME, L3_RULE_NAME, new_config_qualifiers)
# Verify the rule has been updated
retry = 5
while dvs_acl.get_acl_rule_id() == acl_rule_id and retry >= 0:
retry -= 1
time.sleep(1)
assert retry > 0
dvs_acl.verify_acl_rule(new_expected_sai_qualifiers)
# Verify the previous counter is removed
if counter_id:
dvs_acl.check_acl_counter_not_in_counters_map(counter_id)
dvs_acl.remove_acl_rule(L3_TABLE_NAME, L3_RULE_NAME)
dvs_acl.verify_no_acl_rules()

def test_AclRuleL4SrcPort(self, dvs_acl, l3_acl_table):
config_qualifiers = {"L4_SRC_PORT": "65000"}
expected_sai_qualifiers = {
Expand Down

0 comments on commit 3ca3f11

Please sign in to comment.