Add multi binding acl test into everflow test scope (sonic-net#21022)

Add multi binding acl test into everflow test scope
1. Toggle dualtor setup to AS mode
2. Only send packet from upstream to standby downstream side
3. Match the bounce back ipinip tunnel packet my multi binding acl at
   active downstream side
4. Mirror the match result
5. Validate the inner packet

Change-Id: I0cdafc78f407d0fc4150e03f20a8d6e3d8cb5c97

Author: echuawu

tests/conftest.py

@@ -58,6 +58,7 @@
 from tests.common.utilities import InterruptableThread
 from tests.common.plugins.ptfadapter.dummy_testutils import DummyTestUtils
 from tests.common.helpers.multi_thread_utils import SafeThreadPoolExecutor
+from tests.common.mellanox_data import is_mellanox_device
 
 try:
     from tests.common.macsec import MacsecPluginT2, MacsecPluginT0
@@ -2890,3 +2891,42 @@ def setup_pfc_test(
 
     logger.info("setup_info : {}".format(setup_info))
     yield setup_info
+
+
+def is_sai_profile_multi_binding_enabled(duthost):
+    """
+    Check if SAI_ACL_MULTI_BINDING_ENABLED is enabled in syncd docker's sai.profile
+
+    Args:
+        duthost: DUT host object
+
+    Returns:
+        bool: True if SAI_ACL_MULTI_BINDING_ENABLED=1 exists in sai.profile, False otherwise
+    """
+    try:
+        # Check if sai.profile exists in syncd docker
+        result = duthost.shell(
+            "docker exec syncd ls /tmp/sai.profile", module_ignore_errors=True)
+        if result['rc'] != 0:
+            return False
+
+        # Check if SAI_ACL_MULTI_BINDING_ENABLED=1 exists in the file
+        result = duthost.shell(
+            "docker exec syncd grep 'SAI_ACL_MULTI_BINDING_ENABLED=1' /tmp/sai.profile", module_ignore_errors=True)
+        return result['rc'] == 0
+    except Exception as e:
+        logger.error("Failed to check sai.profile: %s", str(e))
+        return False
+
+
+@pytest.fixture(scope="module")
+def is_multi_binding_acl_enabled(duthosts, tbinfo):
+    """
+    Check if multi-binding ACL is enabled on the DUT
+    """
+    for duthost in duthosts:
+        if not is_sai_profile_multi_binding_enabled(duthost):
+            if is_mellanox_device(duthost) and 'dualtor' in tbinfo['topo']['name']:
+                pytest.fail(
+                    "No multi-binding ACL supported on this platform, please check the sai.profile")
+            pytest.skip("No multi-binding ACL supported on this platform")

tests/everflow/everflow_test_utilities.py

@@ -18,6 +18,7 @@
 from tests.common.helpers.assertions import pytest_assert
 from tests.common.utilities import find_duthost_on_role
 from tests.common.helpers.constants import UPSTREAM_NEIGHBOR_MAP, DOWNSTREAM_NEIGHBOR_MAP
+from tests.common.helpers.sonic_db import AsicDbCli
 import json
 
 # TODO: Add suport for CONFIGLET mode
@@ -378,6 +379,28 @@ def setup_info(duthosts, rand_one_dut_hostname, tbinfo, request, topo_scenario):
     time.sleep(60)
 
 
+def validate_asic_route(duthost, prefix):
+    """
+    Check if a route exists in the routing table of the asic.
+    """
+    asicdb = AsicDbCli(duthost)
+    route_table = asicdb.dump("ASIC_STATE:SAI_OBJECT_TYPE_ROUTE_ENTRY")
+    if prefix in str(route_table):
+        return True
+    return False
+
+
+def validate_mirror_session_up(duthost, session_name):
+    """
+    Check if a mirror session is up.
+    """
+    cmd = f'sonic-db-cli STATE_DB HGET \"MIRROR_SESSION_TABLE|{session_name}\" status'
+    mirror_status = duthost.command(cmd)['stdout']
+    if 'active' in mirror_status:
+        return True
+    return False
+
+
 # TODO: This should be refactored to some common area of sonic-mgmt.
 def add_route(duthost, prefix, nexthop, namespace):
     """
@@ -452,7 +475,7 @@ def setup_arp_responder(duthost, ptfhost, setup_info):
 
 
 # TODO: This should be refactored to some common area of sonic-mgmt.
-def get_neighbor_info(duthost, dest_port, tbinfo, resolved=True):
+def get_neighbor_info(duthost, dest_port, tbinfo, resolved=True, ip_version=4):
     """
     Get the IP and MAC of the neighbor on the specified destination port.
 
@@ -462,13 +485,13 @@ def get_neighbor_info(duthost, dest_port, tbinfo, resolved=True):
         resolved: Whether to return a resolved route or not
     """
     if not resolved:
-        return "20.20.20.100"
+        return "20.20.20.100" if ip_version == 4 else "2020::20:20:20:100"
 
     mg_facts = duthost.get_extended_minigraph_facts(tbinfo)
 
     for bgp_peer in mg_facts["minigraph_bgp"]:
         if bgp_peer["name"] == mg_facts["minigraph_neighbors"][dest_port]["name"] \
-                and ipaddr.IPAddress(bgp_peer["addr"]).version == 4:
+                and ipaddr.IPAddress(bgp_peer["addr"]).version == ip_version:
             peer_ip = bgp_peer["addr"]
             break
 
@@ -745,6 +768,47 @@ def acl_stage(self):
         """
         pass
 
+    def remove_outer_ip(self, packet_data):
+        """
+        The mirror packet from IP in IP tunnel would take an external IP header.
+        Remove the outer IP header from the IPinIP packet and keeps the original Ethernet header.
+
+        Args:
+            packet_data: Original IPinIP packet
+
+        Returns:
+            scapy.Ether: Original Ethernet header + Inner IP header + payload
+        """
+        if isinstance(packet_data, bytes):
+            outer_pkt = Ether(packet_data)  # noqa: F821
+        else:
+            outer_pkt = packet_data
+
+        if not outer_pkt.haslayer(IP):      # noqa: F821
+            return None
+
+        outer_ip = outer_pkt[IP]            # noqa: F821
+
+        if outer_ip.proto != 4:
+            return None
+
+        # Extract the original Ethernet header
+        original_eth = outer_pkt[Ether]     # noqa: F821
+        eth_dst = original_eth.dst
+        eth_src = original_eth.src
+        eth_type = 0x0800
+
+        inner_payload = outer_ip.payload
+
+        # If the payload is Raw type, we need to re-parse it as IP
+        if isinstance(inner_payload, Raw):  # noqa: F821
+            inner_ip_packet = IP(bytes(inner_payload))   # noqa: F821
+        else:
+            inner_ip_packet = inner_payload
+        new_packet = Ether(dst=eth_dst, src=eth_src, type=eth_type) / inner_ip_packet  # noqa: F821
+
+        return new_packet
+
     def send_and_check_mirror_packets(self,
                                       setup,
                                       mirror_session,
@@ -755,8 +819,8 @@ def send_and_check_mirror_packets(self,
                                       src_port=None,
                                       dest_ports=None,
                                       expect_recv=True,
-                                      valid_across_namespace=True):
-
+                                      valid_across_namespace=True,
+                                      multi_binding_acl=False):
         # In Below logic idea is to send traffic in such a way so that mirror traffic
         # will need to go across namespaces and within namespace. If source and mirror destination
         # namespace are different then traffic mirror will go across namespace via (backend asic)
@@ -797,7 +861,8 @@ def send_and_check_mirror_packets(self,
                                                                                  duthost,
                                                                                  direction,
                                                                                  mirror_packet,
-                                                                                 src_port_metadata_map[src_port][1])
+                                                                                 src_port_metadata_map[src_port][1],
+                                                                                 multi_binding_acl=multi_binding_acl)
             # Avoid changing the original packet
             mirror_packet_sent = mirror_packet.copy()
             if src_port_metadata_map[src_port][0]:
@@ -819,7 +884,9 @@ def send_and_check_mirror_packets(self,
                 _, received_packet = result
                 logging.info("Received packet: %s", packet.Ether(received_packet).summary())
 
-                inner_packet = self._extract_mirror_payload(received_packet, len(mirror_packet_sent))
+                inner_packet = self._extract_mirror_payload(received_packet, len(mirror_packet_sent),
+                                                            multi_binding_acl=multi_binding_acl)
+
                 logging.info("Received inner packet: %s", inner_packet.summary())
 
                 inner_packet = Mask(inner_packet)
@@ -847,22 +914,37 @@ def send_and_check_mirror_packets(self,
                     inner_packet.set_do_not_care_scapy(packet.Ether, "dst")
                     inner_packet.set_do_not_care_scapy(packet.IP, "chksum")
 
+                if multi_binding_acl:
+                    inner_packet.set_do_not_care_scapy(packet.Ether, "dst")
+                    inner_packet.set_do_not_care_scapy(packet.Ether, "src")
+                    inner_packet.set_do_not_care_scapy(packet.IP, "chksum")
+                    inner_packet.set_do_not_care_scapy(packet.IP, "ttl")
+
                 logging.info("Expected inner packet: %s", mirror_packet_sent.summary())
                 pytest_assert(inner_packet.pkt_match(mirror_packet_sent),
                               "Mirror payload does not match received packet")
             else:
                 testutils.verify_no_packet_any(ptfadapter, expected_mirror_packet, dest_ports)
 
     @staticmethod
-    def get_expected_mirror_packet(mirror_session, setup, duthost, direction, mirror_packet, ttl_dec):
+    def get_expected_mirror_packet(mirror_session, setup, duthost, direction, mirror_packet, ttl_dec,
+                                   multi_binding_acl=False):
         payload = mirror_packet.copy()
 
         # Add vendor specific padding to the packet
         if duthost.facts["asic_type"] in ["mellanox"]:
             if six.PY2:
-                payload = binascii.unhexlify("0" * 44) + str(payload)
+                if multi_binding_acl:
+                    payload = binascii.unhexlify("0" * 44) + str(payload)[:24] + binascii.unhexlify("0" * 40) + \
+                        str(payload)[24:]
+                else:
+                    payload = binascii.unhexlify("0" * 44) + str(payload)
             else:
-                payload = binascii.unhexlify("0" * 44) + bytes(payload)
+                if multi_binding_acl:
+                    payload = binascii.unhexlify("0" * 44) + bytes(payload)[:24] + binascii.unhexlify("0" * 40) + \
+                        bytes(payload)[24:]
+                else:
+                    payload = binascii.unhexlify("0" * 44) + bytes(payload)
         if (
             duthost.facts["asic_type"] in ["barefoot", "cisco-8000", "marvell-teralynx"]
             or duthost.facts.get("platform_asic") in ["broadcom-dnx"]
@@ -908,11 +990,18 @@ def get_expected_mirror_packet(mirror_session, setup, duthost, direction, mirror
 
         return expected_packet
 
-    def _extract_mirror_payload(self, encapsulated_packet, payload_size):
-        pytest_assert(len(encapsulated_packet) >= OUTER_HEADER_SIZE,
-                      "Incomplete packet, expected at least {} header bytes".format(OUTER_HEADER_SIZE))
+    def _extract_mirror_payload(self, encapsulated_packet, payload_size, multi_binding_acl=False):
+        outer_header_size = OUTER_HEADER_SIZE
+        if multi_binding_acl:
+            outer_header_size += 20
+        pytest_assert(len(encapsulated_packet) >= outer_header_size,
+                      "Incomplete packet, expected at least {} header bytes".format(outer_header_size))
 
         inner_frame = encapsulated_packet[-payload_size:]
+        if multi_binding_acl:
+            inner_frame = encapsulated_packet[-(payload_size + 20):]
+            inner_frame = self.remove_outer_ip(inner_frame)
+            return inner_frame
         return packet.Ether(inner_frame)
 
     @staticmethod