From 32d57bafe59f180ddafdfbd80c31bb1800cbf723 Mon Sep 17 00:00:00 2001
From: Mohammad Hanif
Date: Mon, 26 Sep 2022 10:11:21 -0700
Subject: [PATCH] IPv6 ACL support for DASH (#222)

* IPv6 ACL support for DASH
* Fix: No need to match against the ipv6 pkt type
* Fixed few typos
* Fixed IPv6 packet processing defects
---
 dash-pipeline/README-saithrift.md | 10 +++++-----
 dash-pipeline/bmv2/dash_acl.p4 | 6 +++---
 dash-pipeline/bmv2/dash_metadata.p4 | 4 +++-
 dash-pipeline/bmv2/dash_outbound.p4 | 4 ++--
 dash-pipeline/bmv2/dash_parser.p4 | 2 +-
 dash-pipeline/bmv2/dash_pipeline.p4 | 16 +++++++++++-----
 dash-pipeline/bmv2/dash_vxlan.p4 | 3 +++
 7 files changed, 28 insertions(+), 17 deletions(-)

diff --git a/dash-pipeline/README-saithrift.md b/dash-pipeline/README-saithrift.md
index 22fdd2cca..e5eb3db31 100644
--- a/dash-pipeline/README-saithrift.md
+++ b/dash-pipeline/README-saithrift.md
@@ -57,17 +57,17 @@ make run-saithrift-client-dev-tests # run both suites above
 **TODO:**
 - pass params to the container to select tests etc.
 # Developer: Run tests selectively from `bash` inside saithrift-client container
-Enter the container, this will place you in the `/test-dev/` directory of the container which corresponds to the contents of the `DASH/dash-pipline/tests` directory on the host. In this way you can interactively run test-cases while you're editing them. When doing so, the container's `/test` directory remains in-place with tests which were copied into the container at image build-time.
+Enter the container, this will place you in the `/tests-dev/` directory of the container which corresponds to the contents of the `DASH/dash-pipline/tests` directory on the host. In this way you can interactively run test-cases while you're editing them. When doing so, the container's `/tests` directory remains in-place with tests which were copied into the container at image build-time.
 ```
 make run-saithrift-client-bash
 root@chris-z4:/tests-dev#
 ```
-The running container is also mounted via `-v $(PWD)/test:/test-dev` which mounts the current developer workspace into the running container. You can thereby create and edit new tests "live" from a text editor and see the effect inside the container in real-time. Note, the container image also contains the `/tests` directory which was copied into the Docker image when `make docker-saithrift-client` was last run. This means you have a "production" copy of tests as well as live "development" host volume simultaneously in the container.
+The running container is also mounted via `-v $(PWD)/tests:/test-dev` which mounts the current developer workspace into the running container. You can thereby create and edit new tests "live" from a text editor and see the effect inside the container in real-time. Note, the container image also contains the `/tests` directory which was copied into the Docker image when `make docker-saithrift-client` was last run. This means you have a "production" copy of tests as well as live "development" host volume simultaneously in the container.
 ## Select Directory - Container prebuilt directory, or mounted from host
-* `cd /test/` - Enter directory which was prebuilt into container image; tests are not modifiable "live" from the host. This is good for canned tests.
-* `cd /test-dev/` - Enter directory which is mounted to `dash-pipeline/tests` from the host, allowing live editing in the host and running in the container. This is a convenient developer workflow.
+* `cd /tests/` - Enter directory which was prebuilt into container image; tests are not modifiable "live" from the host. This is good for canned tests.
+* `cd /tests-dev/` - Enter directory which is mounted to `dash-pipeline/tests` from the host, allowing live editing in the host and running in the container. This is a convenient developer workflow.
 To get the desired subdirectory for Pytests or PTF test, choose the appropriate path, e.g.:
 * `cd /tests/saithrift/pytest`
@@ -85,7 +85,7 @@ root@chris-z4:/tests-dev/saithrift/ptf# ./run-saithrift-ptftests.sh
 DASH/DASH/dash-pipeline$ make run-saithrift-client-bash
 ...
 root@chris-z4:/tests-dev/saithrift# cd pytest/
-root@chris-z4:/tests-dev/saithrift/pytest# ./run-saithrift-ptests.sh
+root@chris-z4:/tests-dev/saithrift/pytest# ./run-saithrift-pytests.sh
 ```
diff --git a/dash-pipeline/bmv2/dash_acl.p4 b/dash-pipeline/bmv2/dash_acl.p4
index 22fa683c7..25e284744 100644
--- a/dash-pipeline/bmv2/dash_acl.p4
+++ b/dash-pipeline/bmv2/dash_acl.p4
@@ -29,9 +29,9 @@ match_kind {
     table table_name { \
         key = { \
             meta. ## table_name ##_dash_acl_group_id : exact @name("meta.dash_acl_group_id:dash_acl_group_id"); \
-            hdr.ipv4.dst_addr : LIST_MATCH @name("hdr.ipv4.dst_addr:dip"); \
-            hdr.ipv4.src_addr : LIST_MATCH @name("hdr.ipv4.src_addr:sip"); \
-            hdr.ipv4.protocol : LIST_MATCH @name("hdr.ipv4.src_addr:protocol"); \
+            meta.dst_ip_addr : LIST_MATCH @name("meta.dst_ip_addr:dip"); \
+            meta.src_ip_addr : LIST_MATCH @name("meta.src_ip_addr:sip"); \
+            meta.ip_protocol : LIST_MATCH @name("meta.ip_protocol:protocol"); \
             hdr.tcp.src_port : RANGE_LIST_MATCH @name("hdr.tcp.src_port:src_port"); \
             hdr.tcp.dst_port : RANGE_LIST_MATCH @name("hdr.tcp.dst_port:dst_port"); \
         } \
diff --git a/dash-pipeline/bmv2/dash_metadata.p4 b/dash-pipeline/bmv2/dash_metadata.p4
index 463991ab2..c05c0973b 100644
--- a/dash-pipeline/bmv2/dash_metadata.p4
+++ b/dash-pipeline/bmv2/dash_metadata.p4
@@ -42,9 +42,11 @@ struct metadata_t {
     eni_data_t eni_data;
     bit<16> inbound_vm_id;
     bit<8> appliance_id;
-    bit<1> is_dst_ip_v6;
+    bit<1> is_overlay_ip_v6;
     bit<1> is_lkup_dst_ip_v6;
+    bit<8> ip_protocol;
     IPv4ORv6Address dst_ip_addr;
+    IPv4ORv6Address src_ip_addr;
     IPv4ORv6Address lkup_dst_ip_addr;
     conntrack_data_t conntrack_data;
     bit<16> stage1_dash_acl_group_id;
diff --git a/dash-pipeline/bmv2/dash_outbound.p4 b/dash-pipeline/bmv2/dash_outbound.p4
index 8bec5a5f0..0f57e673f 100644
--- a/dash-pipeline/bmv2/dash_outbound.p4
+++ b/dash-pipeline/bmv2/dash_outbound.p4
@@ -35,7 +35,7 @@ control outbound(inout headers_t hdr,
     table routing {
         key = {
             meta.eni_id : exact @name("meta.eni_id:eni_id");
-            meta.is_dst_ip_v6 : exact @name("meta.is_dst_ip_v6:is_destination_v4_or_v6");
+            meta.is_overlay_ip_v6 : exact @name("meta.is_overlay_ip_v6:is_destination_v4_or_v6");
             meta.dst_ip_addr : lpm @name("meta.dst_ip_addr:destination");
         }
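Review bot: The new `meta.ip_protocol` key makes this ACL table address-family agnostic, but the two port keys right below it are still `hdr.tcp.src_port` / `hdr.tcp.dst_port`, so a rule that pairs a protocol with a port range is evaluated against fields of a header that is not valid for UDP (or any non-TCP) overlay flow — reading an invalid header's fields is undefined in P4 — and such flows never have their real ports consulted. Since the commit already moves the L3 fields into metadata, the L4 ports belong there too: fill `meta.src_l4_port` / `meta.dst_l4_port` from whichever of `hdr.tcp` / `hdr.udp` is valid at the point in dash_pipeline.p4 where `meta.ip_protocol` is set (assuming the decap path restores the inner UDP header the way it restores IPv4/IPv6), and key on `meta.src_l4_port : RANGE_LIST_MATCH @name("meta.src_l4_port:src_port"); \` and `meta.dst_l4_port : RANGE_LIST_MATCH @name("meta.dst_l4_port:dst_port"); \`. The macro that defines this table begins before the hunk and continues past it.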
@@ -117,7 +117,7 @@ control outbound(inout headers_t hdr,
 #endif // PNA_CONNTRACK
         meta.lkup_dst_ip_addr = meta.dst_ip_addr;
-        meta.is_lkup_dst_ip_v6 = meta.is_dst_ip_v6;
+        meta.is_lkup_dst_ip_v6 = meta.is_overlay_ip_v6;
         switch (routing.apply().action_run) {
             route_vnet_direct:
diff --git a/dash-pipeline/bmv2/dash_parser.p4 b/dash-pipeline/bmv2/dash_parser.p4
index 68695fce4..69bca90aa 100644
--- a/dash-pipeline/bmv2/dash_parser.p4
+++ b/dash-pipeline/bmv2/dash_parser.p4
@@ -82,7 +82,7 @@ parser dash_parser(packet_in packet,
     state parse_inner_ethernet {
         packet.extract(hd.inner_ethernet);
-        transition select(hd.ethernet.ether_type) {
+        transition select(hd.inner_ethernet.ether_type) {
             IPV4_ETHTYPE: parse_inner_ipv4;
             IPV6_ETHTYPE: parse_inner_ipv6;
             default: accept;
diff --git a/dash-pipeline/bmv2/dash_pipeline.p4 b/dash-pipeline/bmv2/dash_pipeline.p4
index f138c6c8b..f127606ba 100644
--- a/dash-pipeline/bmv2/dash_pipeline.p4
+++ b/dash-pipeline/bmv2/dash_pipeline.p4
@@ -117,7 +117,7 @@ control dash_ingress(inout headers_t hdr,
         meta.encap_data.vni = vm_vni;
         meta.vnet_id = vnet_id;
-        if (meta.is_dst_ip_v6 == 1) {
+        if (meta.is_overlay_ip_v6 == 1) {
             if (meta.direction == direction_t.OUTBOUND) {
                 ACL_GROUPS_COPY_TO_META(outbound_v6);
             } else {
@@ -216,11 +216,11 @@ control dash_ingress(inout headers_t hdr,
     action set_acl_group_attrs(bit<32> ip_addr_family) {
         if (ip_addr_family == 0) /* SAI_IP_ADDR_FAMILY_IPV4 */ {
-            if (meta.is_dst_ip_v6 == 1) {
+            if (meta.is_overlay_ip_v6 == 1) {
                 meta.dropped = true;
             }
         } else {
-            if (meta.is_dst_ip_v6 == 0) {
+            if (meta.is_overlay_ip_v6 == 0) {
                 meta.dropped = true;
             }
         }
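Review bot: Selecting on `hd.inner_ethernet.ether_type` is the right fix, but it makes the `default: accept;` arm on the last line of the parser hunk reachable for every encapsulated frame whose inner ether_type is neither IPv4 nor IPv6 (the old code selected on the outer header, which is always IP here), and that path leaves both inner IP headers invalid. Downstream, the dash_pipeline.p4 hunk in this same commit then resets `meta.src_ip_addr`, `meta.dst_ip_addr` and `meta.ip_protocol` to 0 — presumably after decap, so `hdr.ipv4`/`hdr.ipv6` are the inner headers — and the ACL tables are applied to those all-zero keys, so a non-IP overlay frame is classified as 0.0.0.0 → 0.0.0.0/protocol 0 rather than being rejected; whether something later drops it is not visible in this diff. Unless non-IP inner frames are meant to be forwarded, make the decision explicit: after the family dispatch add `else { meta.dropped = true; }` (or a dedicated metadata flag set here in the parser) so ACL evaluation is never run on a packet that has no overlay IP header. The `parse_inner_ethernet` state's closing brace lies outside the hunk.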
@@ -266,12 +266,18 @@ control dash_ingress(inout headers_t hdr,
             }
         }
+        meta.is_overlay_ip_v6 = 0;
+        meta.ip_protocol = 0;
         meta.dst_ip_addr = 0;
-        meta.is_dst_ip_v6 = 0;
+        meta.src_ip_addr = 0;
         if (hdr.ipv6.isValid()) {
+            meta.ip_protocol = hdr.ipv6.next_header;
+            meta.src_ip_addr = hdr.ipv6.src_addr;
             meta.dst_ip_addr = hdr.ipv6.dst_addr;
-            meta.is_dst_ip_v6 = 1;
+            meta.is_overlay_ip_v6 = 1;
         } else if (hdr.ipv4.isValid()) {
+            meta.ip_protocol = hdr.ipv4.protocol;
+            meta.src_ip_addr = (bit<128>)hdr.ipv4.src_addr;
             meta.dst_ip_addr = (bit<128>)hdr.ipv4.dst_addr;
         }
diff --git a/dash-pipeline/bmv2/dash_vxlan.p4 b/dash-pipeline/bmv2/dash_vxlan.p4
index 8d2c7f967..6a9a52f50 100644
--- a/dash-pipeline/bmv2/dash_vxlan.p4
+++ b/dash-pipeline/bmv2/dash_vxlan.p4
@@ -74,6 +74,9 @@ action vxlan_decap(inout headers_t hdr) {
     hdr.ipv4 = hdr.inner_ipv4;
     hdr.inner_ipv4.setInvalid();
+    hdr.ipv6 = hdr.inner_ipv6;
+    hdr.inner_ipv6.setInvalid();
+
     hdr.vxlan.setInvalid();
     hdr.udp.setInvalid();
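Review bot: `meta.ip_protocol = hdr.ipv6.next_header;` treats the IPv6 Next Header field as the transport protocol, but when the packet carries an extension header (hop-by-hop 0, routing 43, fragment 44, destination options 60, …) that field names the extension, not TCP/UDP, so any protocol- or port-based ACL rule keyed on `meta.ip_protocol` can be sidestepped simply by prepending one — the classic IPv6 ACL-bypass. That holds unless dash_parser.p4 already walks the extension chain before reaching the TCP/UDP states, which this diff does not show; if it does not, either have the parser record the final next_header into metadata and use that here, or treat extension-header values conservatively in the ACL (deny by default) so they cannot be used to skip rules. A short comment at this line, e.g. `// NOTE: next_header is the first header after the IPv6 base header, not necessarily the L4 protocol`, would at least make the limitation visible to whoever writes rules against it. The enclosing control block begins before and continues past this hunk.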