Skip to content

[ssw][ha] add tunnel term ACL for transient state during DPU switchover #3772

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

[ssw][ha] add tunnel term ACL for transient state during DPU switchover #3772

wants to merge 5 commits into from

Conversation

zjswhhh
Copy link
Contributor

@zjswhhh zjswhhh commented Jul 18, 2025

What I did
HLD: https://github.com/sonic-net/SONiC/blob/master/doc/smart-switch/high-availability/vnet_local_endpoint_forwarding.md#vnetorch-programs-the-acl-rule

sign-off: Jing Zhang [email protected]

Why I did it
To avoid packet drop during DPU switchover

How I verified it
Verified with Vs testbed.

root@6a795383f34c:/# redis-cli -n 0
127.0.0.1:6379> keys *ACL*
1) "ACL_RULE_TABLE:VNET_LOCAL_ENDPOINT:Vnet28_100.100.1.1/32_IN_TUNN_TERM"
2) "ACL_TABLE_TYPE_TABLE:VNET_LOCAL_ENDPOINT_REDIRECT"
3) "ACL_TABLE_TABLE:VNET_LOCAL_ENDPOINT"

127.0.0.1:6379> hgetall "ACL_TABLE_TABLE:VNET_LOCAL_ENDPOINT"
1) "TYPE"
2) "VNET_LOCAL_ENDPOINT_REDIRECT"
3) "PORTS"
4) "Ethernet0,Ethernet100,Ethernet104,Ethernet108,Ethernet112,Ethernet116,Ethernet12,Ethernet120,Ethernet124,Ethernet16,Ethernet20,Ethernet24,Ethernet28,Ethernet32,Ethernet36,Ethernet4,Ethernet40,Ethernet44,Ethernet48,Ethernet52,Ethernet56,Ethernet60,Ethernet64,Ethernet68,Ethernet72,Ethernet76,Ethernet8,Ethernet80,Ethernet84,Ethernet88,Ethernet92,Ethernet96"
5) "POLICY_DESC"
6) "Vnet Tunnel Termination ACL"
7) "STAGE"
8) "INGRESS"

127.0.0.1:6379> hgetall "ACL_TABLE_TYPE_TABLE:VNET_LOCAL_ENDPOINT_REDIRECT"
1) "MATCHES"
2) "DST_IP,DST_IPV6,TUNNEL_TERM"
3) "ACTIONS"
4) "REDIRECT_ACTION"
5) "BIND_POINTS"
6) "PORT,PORTCHANNEL"

127.0.0.1:6379> hgetall "ACL_RULE_TABLE:VNET_LOCAL_ENDPOINT:Vnet28_100.100.1.1/32_IN_TUNN_TERM"
1) "PRIORITY"
2) "9998"
3) "DST_IP"
4) "100.100.1.1/32"
5) "REDIRECT_ACTION"
6) "Ethernet8"
127.0.0.1:6379>

Details if related

@zjswhhh zjswhhh requested a review from prsunny as a code owner July 18, 2025 00:07
@mssonicbld
Copy link
Collaborator

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@zjswhhh zjswhhh requested a review from vivekrnv July 18, 2025 00:08
@zjswhhh
Copy link
Contributor Author

zjswhhh commented Jul 21, 2025

Hi @prsunny @vivekrnv - this PR was separated from #3651, can you help review again?

vivekrnv
vivekrnv suggested changes Jul 24, 2025
View reviewed changes
orchagent/vnetorch.cpp Outdated
@@ -3157,3 +3167,240 @@ bool MonitorOrch::delOperation(const Request& request)

return true;
}

TunnelTermHelper::TunnelTermHelper(DBConnector *cfgDb)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should have a separate PR in the future to re-use these functions in DashEniFwdOrch. Can the class TunnelTermHelper be moved into a different .cpp/.h file. It would be clear that way

orchagent/vnetorch.cpp
@@ -2913,6 +2918,11 @@ bool VNetRouteOrch::handleTunnel(const Request& request)
mac = MacAddress(mac_list[idx_ip]);
}

if (is_local)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to clarify, this rule will only be added only if "check_directly_connected" is set in the VNET_RT_TUNNEL table correct?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes.

orchagent/vnetorch.h Outdated
#define VNET_TUNNEL_TERM_ACL_TABLE_TYPE "VNET_LOCAL_ENDPOINT_REDIRECT"
#define VNET_TUNNEL_TERM_ACL_TABLE "VNET_LOCAL_ENDPOINT"
#define VNET_TUNNEL_TERM_ACL_BASE_PRIORITY 9998
#define VNET_TUNNEL_TERM_ACL_RULE_NAME_SUFFIX "IN_TUNN_TERM"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since you are matching on DST_IP and it is direction agnostic. I think it is clear to name this "_TUNN_TERM"

@mssonicbld
Copy link
Collaborator

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 1 pipeline(s).

@vivekrnv
Copy link
Contributor

LGTM

@zjswhhh
Copy link
Contributor Author

zjswhhh commented Jul 29, 2025

Hi @prsunny - please help review too.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vivekrnv vivekrnv vivekrnv approved these changes

@prsunny prsunny Awaiting requested review from prsunny prsunny is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
Request for msft-202506 Branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@zjswhhh @mssonicbld @vivekrnv