sonic-net
diff --git a/‎.azure-pipelines/build-template.yml
+20-21 b/‎.azure-pipelines/build-template.yml
+20-21
diff --git a/‎cfgmgr/Makefile.am
+1-1 b/‎cfgmgr/Makefile.am
+1-1
diff --git a/‎cfgmgr/macsecmgr.cpp
+40 b/‎cfgmgr/macsecmgr.cpp
+40
diff --git a/‎cfgmgr/macsecmgr.h
+7-1 b/‎cfgmgr/macsecmgr.h
+7-1
diff --git a/‎orchagent/aclorch.cpp
+47-13 b/‎orchagent/aclorch.cpp
+47-13
diff --git a/‎orchagent/fdborch.cpp
+2-2 b/‎orchagent/fdborch.cpp
+2-2
diff --git a/‎orchagent/macsecorch.cpp
+4-2 b/‎orchagent/macsecorch.cpp
+4-2
diff --git a/‎orchagent/port_rates.lua
+12-11 b/‎orchagent/port_rates.lua
+12-11
@@ -72,7 +72,7 @@ jobs:
       source: specific
       project: build
       pipeline: 9
-      artifacts: ${{ parameters.swss_common_artifact_name }}
+      artifact: ${{ parameters.swss_common_artifact_name }}
       runVersion: 'latestFromBranch'
       runBranch: 'refs/heads/master'
     displayName: "Download sonic swss common deb packages"
@@ -81,7 +81,7 @@ jobs:
       source: specific
       project: build
       pipeline: 12
-      artifacts: ${{ parameters.sairedis_artifact_name }}
+      artifact: ${{ parameters.sairedis_artifact_name }}
       runVersion: 'latestFromBranch'
       runBranch: 'refs/heads/master'
     displayName: "Download sonic sairedis deb packages"
@@ -90,29 +90,28 @@ jobs:
       source: specific
       project: build
       pipeline: ${{ parameters.buildimage_pipeline }}
-      artifacts: ${{ parameters.buildimage_artifact_name }}
+      artifact: ${{ parameters.buildimage_artifact_name }}
       runVersion: 'latestFromBranch'
       runBranch: 'refs/heads/master'
     displayName: "Download sonic buildimage deb packages"
   - script: |
-      ls -l
-      sudo dpkg -i ${{ parameters.buildimage_artifact_name }}/target/debs/buster/libnl-3-200_*.deb
-      sudo dpkg -i ${{ parameters.buildimage_artifact_name }}/target/debs/buster/libnl-3-dev_*.deb
-      sudo dpkg -i ${{ parameters.buildimage_artifact_name }}/target/debs/buster/libnl-genl-3-200_*.deb
-      sudo dpkg -i ${{ parameters.buildimage_artifact_name }}/target/debs/buster/libnl-genl-3-dev_*.deb
-      sudo dpkg -i ${{ parameters.buildimage_artifact_name }}/target/debs/buster/libnl-route-3-200_*.deb
-      sudo dpkg -i ${{ parameters.buildimage_artifact_name }}/target/debs/buster/libnl-route-3-dev_*.deb
-      sudo dpkg -i ${{ parameters.buildimage_artifact_name }}/target/debs/buster/libnl-nf-3-200_*.deb
-      sudo dpkg -i ${{ parameters.buildimage_artifact_name }}/target/debs/buster/libnl-nf-3-dev_*.deb
-      sudo dpkg -i ${{ parameters.swss_common_artifact_name }}/libswsscommon_1.0.0_${{ parameters.arch }}.deb
-      sudo dpkg -i ${{ parameters.swss_common_artifact_name }}/libswsscommon-dev_1.0.0_${{ parameters.arch }}.deb
-      sudo dpkg -i ${{ parameters.sairedis_artifact_name }}/libsaivs_*.deb
-      sudo dpkg -i ${{ parameters.sairedis_artifact_name }}/libsaivs-dev_*.deb
-      sudo dpkg -i ${{ parameters.sairedis_artifact_name }}/libsairedis_*.deb
-      sudo dpkg -i ${{ parameters.sairedis_artifact_name }}/libsairedis-dev_*.deb
-      sudo dpkg -i ${{ parameters.sairedis_artifact_name }}/libsaimetadata_*.deb
-      sudo dpkg -i ${{ parameters.sairedis_artifact_name }}/libsaimetadata-dev_*.deb
-      sudo dpkg -i ${{ parameters.sairedis_artifact_name }}/syncd-vs_*.deb
+      sudo dpkg -i target/debs/buster/libnl-3-200_*.deb
+      sudo dpkg -i target/debs/buster/libnl-3-dev_*.deb
+      sudo dpkg -i target/debs/buster/libnl-genl-3-200_*.deb
+      sudo dpkg -i target/debs/buster/libnl-genl-3-dev_*.deb
+      sudo dpkg -i target/debs/buster/libnl-route-3-200_*.deb
+      sudo dpkg -i target/debs/buster/libnl-route-3-dev_*.deb
+      sudo dpkg -i target/debs/buster/libnl-nf-3-200_*.deb
+      sudo dpkg -i target/debs/buster/libnl-nf-3-dev_*.deb
+      sudo dpkg -i libswsscommon_1.0.0_${{ parameters.arch }}.deb
+      sudo dpkg -i libswsscommon-dev_1.0.0_${{ parameters.arch }}.deb
+      sudo dpkg -i libsaivs_*.deb
+      sudo dpkg -i libsaivs-dev_*.deb
+      sudo dpkg -i libsairedis_*.deb
+      sudo dpkg -i libsairedis-dev_*.deb
+      sudo dpkg -i libsaimetadata_*.deb
+      sudo dpkg -i libsaimetadata-dev_*.deb
+      sudo dpkg -i syncd-vs_*.deb
     workingDirectory: $(Pipeline.Workspace)
     displayName: "Install libnl3, sonic swss common and sairedis"
   - checkout: self
 
@@ -2,7 +2,7 @@ INCLUDES = -I$(top_srcdir)/lib -I $(top_srcdir) -I $(top_srcdir)/orchagent -I $(
 CFLAGS_SAI = -I /usr/include/sai
 LIBNL_CFLAGS = -I/usr/include/libnl3
 LIBNL_LIBS = -lnl-genl-3 -lnl-route-3 -lnl-3
-SAIMETA_LIBS = -lsaimeta -lsaimetadata
+SAIMETA_LIBS = -lsaimeta -lsaimetadata -lzmq
 COMMON_LIBS = -lswsscommon
 
 bin_PROGRAMS = vlanmgrd teammgrd portmgrd intfmgrd buffermgrd vrfmgrd nbrmgrd vxlanmgrd sflowmgrd natmgrd coppmgrd tunnelmgrd macsecmgrd
 
@@ -52,6 +52,32 @@ static void lexical_convert(const std::string &policy_str, MACsecMgr::MACsecProf
     }
 }
 
+static void lexical_convert(const std::string &cipher_str, MACsecMgr::MACsecProfile::CipherSuite & cipher_suite)
+{
+    SWSS_LOG_ENTER();
+
+    if (boost::iequals(cipher_str, "GCM-AES-128"))
+    {
+        cipher_suite = MACsecMgr::MACsecProfile::CipherSuite::GCM_AES_128;
+    }
+    else if (boost::iequals(cipher_str, "GCM-AES-256"))
+    {
+        cipher_suite = MACsecMgr::MACsecProfile::CipherSuite::GCM_AES_256;
+    }
+    else if (boost::iequals(cipher_str, "GCM-AES-XPN-128"))
+    {
+        cipher_suite = MACsecMgr::MACsecProfile::CipherSuite::GCM_AES_XPN_128;
+    }
+    else if (boost::iequals(cipher_str, "GCM-AES-XPN-256"))
+    {
+        cipher_suite = MACsecMgr::MACsecProfile::CipherSuite::GCM_AES_XPN_256;
+    }
+    else
+    {
+        throw std::invalid_argument("Invalid cipher_suite : " + cipher_str);
+    }
+}
+
 template<class T>
 static bool get_value(
     const MACsecMgr::TaskArgs & ta,
@@ -686,6 +712,20 @@ bool MACsecMgr::configureMACsec(
             "mka_priority",
             profile.priority);
 
+        wpa_cli_exec_and_check(
+            session.sock,
+            port_name,
+            network_id,
+            "macsec_ciphersuite",
+            profile.cipher_suite);
+
+        wpa_cli_exec_and_check(
+            session.sock,
+            port_name,
+            network_id,
+            "macsec_include_sci",
+            (profile.send_sci ? 1 : 0));
+
         wpa_cli_exec_and_check(
             session.sock,
             port_name,
 
@@ -28,7 +28,13 @@ class MACsecMgr : public Orch
     struct MACsecProfile
     {
         std::uint32_t       priority;
-        std::string         cipher_suite;
+        enum CipherSuite
+        {
+            GCM_AES_128,
+            GCM_AES_256,
+            GCM_AES_XPN_128,
+            GCM_AES_XPN_256,
+        }                   cipher_suite;
         std::string         primary_cak;
         std::string         primary_ckn;
         std::string         fallback_cak;
 
@@ -35,6 +35,8 @@ extern CrmOrch *gCrmOrch;
 #define MIN_VLAN_ID 1    // 0 is a reserved VLAN ID
 #define MAX_VLAN_ID 4095 // 4096 is a reserved VLAN ID
 
+const int TCP_PROTOCOL_NUM = 6; // TCP protocol number
+
 acl_rule_attr_lookup_t aclMatchLookup =
 {
     { MATCH_IN_PORTS,          SAI_ACL_ENTRY_ATTR_FIELD_IN_PORTS },
@@ -645,7 +647,7 @@ void AclRule::updateInPorts()
     attr.id = SAI_ACL_ENTRY_ATTR_FIELD_IN_PORTS;
     attr.value = m_matches[SAI_ACL_ENTRY_ATTR_FIELD_IN_PORTS];
     attr.value.aclfield.enable = true;
-    
+
     status = sai_acl_api->set_acl_entry_attribute(m_ruleOid, &attr);
     if (status != SAI_STATUS_SUCCESS)
     {
@@ -1378,14 +1380,14 @@ bool AclTable::create()
         attr.id = SAI_ACL_TABLE_ATTR_ACL_STAGE;
         attr.value.s32 = (stage == ACL_STAGE_INGRESS) ? SAI_ACL_STAGE_INGRESS : SAI_ACL_STAGE_EGRESS;
         table_attrs.push_back(attr);
-        
+
         if (stage == ACL_STAGE_INGRESS)
         {
             attr.id = SAI_ACL_TABLE_ATTR_FIELD_IN_PORTS;
             attr.value.booldata = true;
             table_attrs.push_back(attr);
         }
-        
+
         sai_status_t status = sai_acl_api->create_acl_table(&m_oid, gSwitchId, (uint32_t)table_attrs.size(), table_attrs.data());
 
         if (status == SAI_STATUS_SUCCESS)
@@ -2985,11 +2987,11 @@ AclRule* AclOrch::getAclRule(string table_id, string rule_id)
 bool AclOrch::updateAclRule(string table_id, string rule_id, string attr_name, void *data, bool oper)
 {
     SWSS_LOG_ENTER();
-    
+
     sai_object_id_t table_oid = getTableById(table_id);
     string attr_value;
 
-    if (table_oid == SAI_NULL_OBJECT_ID) 
+    if (table_oid == SAI_NULL_OBJECT_ID)
     {
         SWSS_LOG_ERROR("Failed to update ACL rule in ACL table %s. Table doesn't exist", table_id.c_str());
         return false;
@@ -3002,29 +3004,29 @@ bool AclOrch::updateAclRule(string table_id, string rule_id, string attr_name, v
         return false;
     }
 
-    switch (aclMatchLookup[attr_name]) 
+    switch (aclMatchLookup[attr_name])
     {
         case SAI_ACL_ENTRY_ATTR_FIELD_IN_PORTS:
         {
             sai_object_id_t port_oid = *(sai_object_id_t *)data;
             vector<sai_object_id_t> in_ports = rule_it->second->getInPorts();
 
-            if (oper == RULE_OPER_ADD) 
+            if (oper == RULE_OPER_ADD)
             {
                 in_ports.push_back(port_oid);
-            } 
-            else 
+            }
+            else
             {
                 for (auto port_iter = in_ports.begin(); port_iter != in_ports.end(); port_iter++)
                 {
-                    if (*port_iter == port_oid) 
+                    if (*port_iter == port_oid)
                     {
                         in_ports.erase(port_iter);
                         break;
                     }
                 }
             }
-            
+
             for (const auto& port_iter: in_ports)
             {
                 Port p;
@@ -3277,14 +3279,22 @@ void AclOrch::doAclRuleTask(Consumer &consumer)
                 it = consumer.m_toSync.erase(it);
                 return;
             }
-
+            bool bHasTCPFlag = false;
+            bool bHasIPProtocol = false;
             for (const auto& itr : kfvFieldsValues(t))
             {
                 string attr_name = to_upper(fvField(itr));
                 string attr_value = fvValue(itr);
 
                 SWSS_LOG_INFO("ATTRIBUTE: %s %s", attr_name.c_str(), attr_value.c_str());
-
+                if (attr_name == MATCH_TCP_FLAGS)
+                {
+                    bHasTCPFlag = true;
+                }
+                if (attr_name == MATCH_IP_PROTOCOL || attr_name == MATCH_NEXT_HEADER)
+                {
+                    bHasIPProtocol = true;
+                }
                 if (newRule->validateAddPriority(attr_name, attr_value))
                 {
                     SWSS_LOG_INFO("Added priority attribute");
@@ -3304,6 +3314,30 @@ void AclOrch::doAclRuleTask(Consumer &consumer)
                     break;
                 }
             }
+            // If acl rule is to match TCP_FLAGS, and IP_PROTOCOL(NEXT_HEADER) is not set
+            // we set IP_PROTOCOL(NEXT_HEADER) to 6 to match TCP explicitly
+            if (bHasTCPFlag && !bHasIPProtocol)
+            {
+                string attr_name;
+                if (type == ACL_TABLE_MIRRORV6 || type == ACL_TABLE_L3V6)
+                {
+                    attr_name = MATCH_NEXT_HEADER;
+                }
+                else
+                {
+                    attr_name = MATCH_IP_PROTOCOL;
+
+                }
+                string attr_value = std::to_string(TCP_PROTOCOL_NUM);
+                if (newRule->validateAddMatch(attr_name, attr_value))
+                {
+                    SWSS_LOG_INFO("Automatically added match attribute '%s : %s'", attr_name.c_str(), attr_value.c_str());
+                }
+                else
+                {
+                    SWSS_LOG_ERROR("Failed to add attribute '%s : %s'", attr_name.c_str(), attr_value.c_str());
+                }
+            }
 
             // validate and create ACL rule
             if (bAllAttributesOk && newRule->validate())
 
@@ -1271,8 +1271,8 @@ bool FdbOrch::addFdbEntry(const FdbEntry& entry, const string& port_name,
 
     attrs.push_back(attr);
 
-    if ((fdbData.origin == FDB_ORIGIN_VXLAN_ADVERTIZED) || (fdbData.origin == FDB_ORIGIN_MCLAG_ADVERTIZED)
-            || (fdbData.type == "dynamic"))
+    if (((fdbData.origin == FDB_ORIGIN_VXLAN_ADVERTIZED) || (fdbData.origin == FDB_ORIGIN_MCLAG_ADVERTIZED))
+            && (fdbData.type == "dynamic"))
     {
         attr.id = SAI_FDB_ENTRY_ATTR_ALLOW_MAC_MOVE;
         attr.value.booldata = true;
 
@@ -219,7 +219,7 @@ class MACsecOrchContext
 
     sai_object_id_t *get_port_id()
     {
-        if(m_port_id == nullptr)
+        if (m_port_id == nullptr)
         {
             auto port = get_port();
             if (port == nullptr)
@@ -2231,7 +2231,9 @@ bool MACsecOrch::createMACsecACLDataEntry(
     if (sci_in_sectag)
     {
         attr.id = SAI_ACL_ENTRY_ATTR_FIELD_MACSEC_SCI;
-        attr.value.u64 = sci;
+        attr.value.aclfield.enable = true;
+        attr.value.aclfield.mask.u64 = 0xFFFFFFFFFFFFFFFF;
+        attr.value.aclfield.data.u64 = sci;
         attrs.push_back(attr);
     }
 
 
@@ -11,7 +11,7 @@ local function logit(msg)
 end
 
 local counters_db = ARGV[1]
-local counters_table_name = ARGV[2] 
+local counters_table_name = ARGV[2]
 local rates_table_name = "RATES"
 
 -- Get configuration
@@ -51,7 +51,7 @@ for i = 1, n do
         local out_non_ucast_pkts_last = redis.call('HGET', rates_table_name .. ':' .. KEYS[i], 'SAI_PORT_STAT_IF_OUT_NON_UCAST_PKTS_last')
         local in_octets_last = redis.call('HGET', rates_table_name .. ':' .. KEYS[i], 'SAI_PORT_STAT_IF_IN_OCTETS_last')
         local out_octets_last = redis.call('HGET', rates_table_name .. ':' .. KEYS[i], 'SAI_PORT_STAT_IF_OUT_OCTETS_last')
-        
+
         -- Calculate new rates values
         local rx_bps_new = (in_octets - in_octets_last)/delta
         local tx_bps_new = (out_octets - out_octets_last)/delta
@@ -69,25 +69,26 @@ for i = 1, n do
             redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'RX_BPS', alpha*rx_bps_new + one_minus_alpha*rx_bps_old)
             redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'RX_PPS', alpha*rx_pps_new + one_minus_alpha*rx_pps_old)
             redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'TX_BPS', alpha*tx_bps_new + one_minus_alpha*tx_bps_old)
-            redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'TX_PPS', alpha*tx_pps_new + one_minus_alpha*tx_pps_old)  
+            redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'TX_PPS', alpha*tx_pps_new + one_minus_alpha*tx_pps_old)
         else
             -- Store unsmoothed initial rates values in DB
             redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'RX_BPS', rx_bps_new)
             redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'RX_PPS', rx_pps_new)
             redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'TX_BPS', tx_bps_new)
             redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'TX_PPS', tx_pps_new)
             redis.call('HSET', state_table, 'INIT_DONE', 'DONE')
-        end        
+        end
     else
-        -- Set old COUNTERS values
-        redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'SAI_PORT_STAT_IF_IN_UCAST_PKTS_last', in_ucast_pkts)
-        redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'SAI_PORT_STAT_IF_IN_NON_UCAST_PKTS_last', in_non_ucast_pkts)
-        redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'SAI_PORT_STAT_IF_OUT_UCAST_PKTS_last', out_ucast_pkts)
-        redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'SAI_PORT_STAT_IF_OUT_NON_UCAST_PKTS_last', out_non_ucast_pkts)
-        redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'SAI_PORT_STAT_IF_IN_OCTETS_last', in_octets)
-        redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'SAI_PORT_STAT_IF_OUT_OCTETS_last', out_octets)        
         redis.call('HSET', state_table, 'INIT_DONE', 'COUNTERS_LAST')
     end
+
+    -- Set old COUNTERS values
+    redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'SAI_PORT_STAT_IF_IN_UCAST_PKTS_last', in_ucast_pkts)
+    redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'SAI_PORT_STAT_IF_IN_NON_UCAST_PKTS_last', in_non_ucast_pkts)
+    redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'SAI_PORT_STAT_IF_OUT_UCAST_PKTS_last', out_ucast_pkts)
+    redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'SAI_PORT_STAT_IF_OUT_NON_UCAST_PKTS_last', out_non_ucast_pkts)
+    redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'SAI_PORT_STAT_IF_IN_OCTETS_last', in_octets)
+    redis.call('HSET', rates_table_name .. ':' .. KEYS[i], 'SAI_PORT_STAT_IF_OUT_OCTETS_last', out_octets)
 end
 
 return logtable
Original file line number	Diff line number	Diff line change
`@@ -1271,8 +1271,8 @@ bool FdbOrch::addFdbEntry(const FdbEntry& entry, const string& port_name,`
`1271`	`1271`
`1272`	`1272`	`attrs.push_back(attr);`
`1273`	`1273`
`1274`		`- if ((fdbData.origin == FDB_ORIGIN_VXLAN_ADVERTIZED) \|\| (fdbData.origin == FDB_ORIGIN_MCLAG_ADVERTIZED)`
`1275`		`- \|\| (fdbData.type == "dynamic"))`
	`1274`	`+ if (((fdbData.origin == FDB_ORIGIN_VXLAN_ADVERTIZED) \|\| (fdbData.origin == FDB_ORIGIN_MCLAG_ADVERTIZED))`
	`1275`	`+ && (fdbData.type == "dynamic"))`
`1276`	`1276`	`{`
`1277`	`1277`	`attr.id = SAI_FDB_ENTRY_ATTR_ALLOW_MAC_MOVE;`
`1278`	`1278`	`attr.value.booldata = true;`
Original file line number	Diff line number	Diff line change
`@@ -219,7 +219,7 @@ class MACsecOrchContext`
`219`	`219`
`220`	`220`	`sai_object_id_t *get_port_id()`
`221`	`221`	`{`
`222`		`- if(m_port_id == nullptr)`
	`222`	`+ if (m_port_id == nullptr)`
`223`	`223`	`{`
`224`	`224`	`auto port = get_port();`
`225`	`225`	`if (port == nullptr)`
`@@ -2231,7 +2231,9 @@ bool MACsecOrch::createMACsecACLDataEntry(`
`2231`	`2231`	`if (sci_in_sectag)`
`2232`	`2232`	`{`
`2233`	`2233`	`attr.id = SAI_ACL_ENTRY_ATTR_FIELD_MACSEC_SCI;`
`2234`		`- attr.value.u64 = sci;`
	`2234`	`+ attr.value.aclfield.enable = true;`
	`2235`	`+ attr.value.aclfield.mask.u64 = 0xFFFFFFFFFFFFFFFF;`
	`2236`	`+ attr.value.aclfield.data.u64 = sci;`
`2235`	`2237`	`attrs.push_back(attr);`
`2236`	`2238`	`}`
`2237`	`2239`