[P4Orch] Add new ACL match qualifiers vrf_id and ipmc_table_hit. (#3892)

What I did
Added new ACL qualifiers (vrf_id, ipmc_table_hit) to enable more precise packet filtering based on VRF and multicast lookup status.
Why I did it

How I verified it
Verified this by creating and testing rules that used these new match criteria.

Author: divyagayathri-hcl

orchagent/p4orch/acl_rule_manager.cpp

@@ -764,6 +764,7 @@ ReturnCode AclRuleManager::setMatchValue(const acl_entry_attr_union_t attr_name,
                                          sai_attribute_value_t *value, P4AclRule *acl_rule,
                                          const std::string &ip_type_bit_type)
 {
+    SWSS_LOG_ENTER();
     try
     {
         switch (attr_name)
@@ -859,6 +860,7 @@ ReturnCode AclRuleManager::setMatchValue(const acl_entry_attr_union_t attr_name,
         case SAI_ACL_ENTRY_ATTR_FIELD_IP_IDENTIFICATION:
         case SAI_ACL_ENTRY_ATTR_FIELD_OUTER_VLAN_ID:
         case SAI_ACL_ENTRY_ATTR_FIELD_INNER_VLAN_ID:
+        case SAI_ACL_ENTRY_ATTR_FIELD_VRF_ID:
         case SAI_ACL_ENTRY_ATTR_FIELD_INNER_ETHER_TYPE:
         case SAI_ACL_ENTRY_ATTR_FIELD_INNER_L4_SRC_PORT:
         case SAI_ACL_ENTRY_ATTR_FIELD_INNER_L4_DST_PORT: {
@@ -1028,6 +1030,18 @@ ReturnCode AclRuleManager::setMatchValue(const acl_entry_attr_union_t attr_name,
             value->aclfield.mask.u32 = 0xFFFFFFFF;
             break;
         }
+        case SAI_ACL_ENTRY_ATTR_FIELD_IPMC_NPU_META_DST_HIT:
+        {
+            const std::vector<std::string>& value_and_mask =
+                tokenize(attr_value, kDataMaskDelimiter);
+            uint8_t hit_value = to_uint<uint8_t>(trim(value_and_mask[0]));
+            if (value_and_mask.size() > 1)
+            {
+                SWSS_LOG_INFO("Mask ignored for IPMC table hit field.");
+            }
+            value->aclfield.data.booldata = hit_value != 0;
+            break;
+        }
         default: {
             return ReturnCode(StatusCode::SWSS_RC_INVALID_PARAM)
                    << "ACL match field " << attr_name << " is not supported.";

orchagent/p4orch/acl_util.cpp

@@ -929,6 +929,7 @@ bool isDiffMatchFieldValue(const acl_entry_attr_union_t attr_name, const sai_att
     case SAI_ACL_ENTRY_ATTR_FIELD_IP_IDENTIFICATION:
     case SAI_ACL_ENTRY_ATTR_FIELD_OUTER_VLAN_ID:
     case SAI_ACL_ENTRY_ATTR_FIELD_INNER_VLAN_ID:
+    case SAI_ACL_ENTRY_ATTR_FIELD_VRF_ID:
     case SAI_ACL_ENTRY_ATTR_FIELD_INNER_ETHER_TYPE:
     case SAI_ACL_ENTRY_ATTR_FIELD_INNER_L4_SRC_PORT:
     case SAI_ACL_ENTRY_ATTR_FIELD_INNER_L4_DST_PORT: {
@@ -954,6 +955,10 @@ bool isDiffMatchFieldValue(const acl_entry_attr_union_t attr_name, const sai_att
         return memcmp(value.aclfield.data.mac, old_value.aclfield.data.mac, sizeof(sai_mac_t)) ||
                memcmp(value.aclfield.mask.mac, old_value.aclfield.mask.mac, sizeof(sai_mac_t));
     }
+    case SAI_ACL_ENTRY_ATTR_FIELD_IPMC_NPU_META_DST_HIT:
+    {
+        return value.aclfield.data.booldata != old_value.aclfield.data.booldata;
+    }
     default: {
         return false;
     }

orchagent/p4orch/acl_util.h

@@ -325,6 +325,8 @@ using P4AclRuleTables = std::map<std::string, std::map<std::string, P4AclRule>>;
 #define P4_MATCH_SRC_IPV6_WORD2 "SAI_ACL_TABLE_ATTR_FIELD_SRC_IPV6_WORD2"
 #define P4_MATCH_ROUTE_DST_USER_META "SAI_ACL_TABLE_ATTR_FIELD_ROUTE_DST_USER_META"
 #define P4_MATCH_ACL_USER_META "SAI_ACL_TABLE_ATTR_FIELD_ACL_USER_META"
+#define P4_MATCH_VRF_ID "SAI_ACL_TABLE_ATTR_FIELD_VRF_ID"
+#define P4_MATCH_IPMC_TABLE_HIT "SAI_ACL_TABLE_ATTR_FIELD_IPMC_NPU_META_DST_HIT"
 
 #define P4_ACTION_PACKET_ACTION "SAI_ACL_ENTRY_ATTR_ACTION_PACKET_ACTION"
 #define P4_ACTION_REDIRECT "SAI_ACL_ENTRY_ATTR_ACTION_REDIRECT"
@@ -486,6 +488,8 @@ static const acl_table_attr_lookup_t aclMatchTableAttrLookup = {
     {P4_MATCH_IPV6_NEXT_HEADER, SAI_ACL_TABLE_ATTR_FIELD_IPV6_NEXT_HEADER},
     {P4_MATCH_ROUTE_DST_USER_META, SAI_ACL_TABLE_ATTR_FIELD_ROUTE_DST_USER_META},
     {P4_MATCH_ACL_USER_META, SAI_ACL_TABLE_ATTR_FIELD_ACL_USER_META},
+    {P4_MATCH_VRF_ID, SAI_ACL_TABLE_ATTR_FIELD_VRF_ID},
+    {P4_MATCH_IPMC_TABLE_HIT, SAI_ACL_TABLE_ATTR_FIELD_IPMC_NPU_META_DST_HIT},
 };
 
 static const acl_table_attr_format_lookup_t aclMatchTableAttrFormatLookup = {
@@ -536,6 +540,8 @@ static const acl_table_attr_format_lookup_t aclMatchTableAttrFormatLookup = {
     {SAI_ACL_TABLE_ATTR_FIELD_IPV6_NEXT_HEADER, Format::HEX_STRING},
     {SAI_ACL_TABLE_ATTR_FIELD_ROUTE_DST_USER_META, Format::HEX_STRING},
     {SAI_ACL_TABLE_ATTR_FIELD_ACL_USER_META, Format::HEX_STRING},
+    {SAI_ACL_TABLE_ATTR_FIELD_VRF_ID, Format::HEX_STRING},
+    {SAI_ACL_TABLE_ATTR_FIELD_IPMC_NPU_META_DST_HIT, Format::HEX_STRING},
 };
 
 static const acl_table_attr_lookup_t aclCompositeMatchTableAttrLookup = {
@@ -593,6 +599,8 @@ static const acl_rule_attr_lookup_t aclMatchEntryAttrLookup = {
     {P4_MATCH_IPV6_NEXT_HEADER, SAI_ACL_ENTRY_ATTR_FIELD_IPV6_NEXT_HEADER},
     {P4_MATCH_ROUTE_DST_USER_META, SAI_ACL_ENTRY_ATTR_FIELD_ROUTE_DST_USER_META},
     {P4_MATCH_ACL_USER_META, SAI_ACL_ENTRY_ATTR_FIELD_ACL_USER_META},
+    {P4_MATCH_VRF_ID, SAI_ACL_ENTRY_ATTR_FIELD_VRF_ID},
+    {P4_MATCH_IPMC_TABLE_HIT, SAI_ACL_ENTRY_ATTR_FIELD_IPMC_NPU_META_DST_HIT},
 };
 
 static const acl_rule_attr_lookup_t aclCompositeMatchEntryAttrLookup = {

orchagent/p4orch/tests/acl_manager_test.cpp

@@ -636,10 +636,16 @@ P4AclTableDefinitionAppDbEntry getDefaultAclTableDefAppDbEntry()
     app_db_entry.match_field_lookup["inner_vlan_pri"] = BuildMatchFieldJsonStrKindSaiField(P4_MATCH_INNER_VLAN_PRI);
     app_db_entry.match_field_lookup["inner_vlan_id"] = BuildMatchFieldJsonStrKindSaiField(P4_MATCH_INNER_VLAN_ID);
     app_db_entry.match_field_lookup["inner_vlan_cfi"] = BuildMatchFieldJsonStrKindSaiField(P4_MATCH_INNER_VLAN_CFI);
-    app_db_entry.match_field_lookup["l3_class_id"] =
+    app_db_entry.match_field_lookup["vrf_id"] =
+        BuildMatchFieldJsonStrKindSaiField(P4_MATCH_VRF_ID, P4_FORMAT_HEX_STRING,
+                                           /*bitwidth=*/16);
+    app_db_entry.match_field_lookup["ipmc_table_hit"] =
+        BuildMatchFieldJsonStrKindSaiField(P4_MATCH_IPMC_TABLE_HIT,
+                                           P4_FORMAT_HEX_STRING, /*bitwidth=*/1);
+    app_db_entry.match_field_lookup["l3_clasvs_id"] =
         BuildMatchFieldJsonStrKindSaiField(P4_MATCH_ROUTE_DST_USER_META, P4_FORMAT_HEX_STRING, /*bitwidth=*/32);
     app_db_entry.match_field_lookup["acl_user_meta"] = 
-	BuildMatchFieldJsonStrKindSaiField(P4_MATCH_ACL_USER_META, P4_FORMAT_HEX_STRING, /*bitwidth=*/8);
+        BuildMatchFieldJsonStrKindSaiField(P4_MATCH_ACL_USER_META, P4_FORMAT_HEX_STRING, /*bitwidth=*/8);
     app_db_entry.match_field_lookup["src_ipv6_64bit"] = BuildMatchFieldJsonStrKindComposite(
         {nlohmann::json::parse(BuildMatchFieldJsonStrKindSaiField(P4_MATCH_SRC_IPV6_WORD3, P4_FORMAT_IPV6, 32)),
          nlohmann::json::parse(BuildMatchFieldJsonStrKindSaiField(P4_MATCH_SRC_IPV6_WORD2, P4_FORMAT_IPV6, 32))},
@@ -2794,6 +2800,8 @@ TEST_F(AclManagerTest, AclRuleWithValidMatchFields)
     app_db_entry.match_fvs["inner_vlan_pri"] = "200";
     app_db_entry.match_fvs["inner_vlan_id"] = "200";
     app_db_entry.match_fvs["inner_vlan_cfi"] = "200";
+    app_db_entry.match_fvs["vrf_id"] = "0x777";
+    app_db_entry.match_fvs["ipmc_table_hit"] = "0x1";
 
     const auto &acl_rule_key = KeyGenerator::generateAclRuleKey(app_db_entry.match_fvs, "100");
 
@@ -2890,6 +2898,11 @@ TEST_F(AclManagerTest, AclRuleWithValidMatchFields)
     EXPECT_EQ(SAI_ACL_IP_FRAG_HEAD, acl_rule->match_fvs[SAI_ACL_ENTRY_ATTR_FIELD_ACL_IP_FRAG].aclfield.data.u32);
     EXPECT_EQ(SAI_PACKET_VLAN_SINGLE_OUTER_TAG,
               acl_rule->match_fvs[SAI_ACL_ENTRY_ATTR_FIELD_PACKET_VLAN].aclfield.data.u32);
+    EXPECT_EQ(0x777, acl_rule->match_fvs[SAI_ACL_ENTRY_ATTR_FIELD_VRF_ID].aclfield.data.u16);
+    EXPECT_EQ(0xFFFF, acl_rule->match_fvs[SAI_ACL_ENTRY_ATTR_FIELD_VRF_ID].aclfield.mask.u16);
+    EXPECT_EQ(true,
+              acl_rule->match_fvs[SAI_ACL_ENTRY_ATTR_FIELD_IPMC_NPU_META_DST_HIT]
+                  .aclfield.data.booldata);
 
     // Check action field value
     EXPECT_EQ(SAI_PACKET_ACTION_TRAP,
@@ -5146,7 +5159,8 @@ TEST_F(AclManagerTest, AclRuleVerifyStateTest)
                                     "ipv6_dst\":\"fdf8:f53b:82e4::53 & "
                                     "fdf8:f53b:82e4::53\",\"match/arp_tpa\": \"0xff112231\", "
                                     "\"match/in_ports\": \"Ethernet1,Ethernet2\", \"match/out_ports\": "
-                                    "\"Ethernet4,Ethernet5\", \"priority\":15}";
+                                    "\"Ethernet4,Ethernet5\", \"priority\":15,\"match/ipmc_table_hit\":"
+                                    "\"0x1\"}";
     const auto &rule_tuple_key = std::string(kAclIngressTableName) + kTableKeyDelimiter + acl_rule_json_key;
     EnqueueRuleTuple(std::string(kAclIngressTableName),
                      swss::KeyOpFieldsValuesTuple({rule_tuple_key, SET_COMMAND, attributes}));
@@ -5176,6 +5190,7 @@ TEST_F(AclManagerTest, AclRuleVerifyStateTest)
             swss::FieldValueTuple{"SAI_ACL_ENTRY_ATTR_FIELD_ACL_IP_TYPE",
                                   "SAI_ACL_IP_TYPE_ANY&mask:0xffffffffffffffff"},
             swss::FieldValueTuple{"SAI_ACL_ENTRY_ATTR_USER_DEFINED_FIELD_GROUP_MIN", "2:255,17&mask:2:0xff,0xff"},
+            swss::FieldValueTuple{"SAI_ACL_ENTRY_ATTR_FIELD_IPMC_NPU_META_DST_HIT", "true"},
             swss::FieldValueTuple{"SAI_ACL_ENTRY_ATTR_USER_DEFINED_FIELD_GROUP_1", "2:34,49&mask:2:0xff,0xff"},
             swss::FieldValueTuple{"SAI_ACL_ENTRY_ATTR_FIELD_IN_PORTS", "2:oid:0x112233,oid:0x1fed3"},
             swss::FieldValueTuple{"SAI_ACL_ENTRY_ATTR_FIELD_OUT_PORTS", "2:oid:0x9988,oid:0x56789abcdef"},
@@ -5209,20 +5224,23 @@ TEST_F(AclManagerTest, AclRuleVerifyStateTest)
     EXPECT_FALSE(VerifyRuleState(std::string(APP_P4RT_TABLE_NAME) +
                                      ":ACL_PUNT_TABLE:{\"match/ether_type\":\"0x0800\",\"match/"
                                      "ipv6_dst\":\"fdf8:f53b:82e4::53 & "
-                                     "fdf8:f53b:82e4::53\",\"priority\":0}",
+                                     "fdf8:f53b:82e4::53\",\"priority\":0,\"match/ipmc_table_hit\":"
+                                     "\"0x1\"}",
                                  attributes)
                      .empty());
     EXPECT_FALSE(VerifyRuleState(std::string(APP_P4RT_TABLE_NAME) +
                                      ":ACL_PUNT_TABLE:{\"match/ether_type\":\"0x0800\",\"match/"
-                                     "ipv6_dst\":\"127.0.0.1/24\",\"priority\":15}",
+                                     "ipv6_dst\":\"127.0.0.1/24\",\"priority\":15,"
+                                     "\"match/ipmc_table_hit\":\"0x1\"}",
                                  attributes)
                      .empty());
 
     // Verification should fail if entry does not exist.
     EXPECT_FALSE(VerifyRuleState(std::string(APP_P4RT_TABLE_NAME) +
                                      ":ACL_PUNT_TABLE:{\"match/ether_type\":\"0x0800\",\"match/"
                                      "ipv6_dst\":\"fdf8:f53b:82e4::54 & "
-                                     "fdf8:f53b:82e4::54\",\"priority\":15}",
+                                     "fdf8:f53b:82e4::54\",\"priority\":15,\"match/ipmc_table_hit\":"
+                                     "\"0x1\"}",
                                  attributes)
                      .empty());
 
@@ -5232,7 +5250,8 @@ TEST_F(AclManagerTest, AclRuleVerifyStateTest)
     auto *acl_table = GetAclTable(kAclIngressTableName);
     EXPECT_NE(acl_table, nullptr);
     const auto &acl_rule_key = "match/arp_tpa=0xff112231:match/ether_type=0x0800:match/"
-                               "in_ports=Ethernet1,Ethernet2:match/ipv6_dst=fdf8:f53b:82e4::53 & "
+                               "in_ports=Ethernet1,Ethernet2:match/ipmc_table_hit=0x1:"
+                               "match/ipv6_dst=fdf8:f53b:82e4::53 & "
                                "fdf8:f53b:82e4::53:match/out_ports=Ethernet4,Ethernet5:priority=15";
     auto *acl_rule = GetAclRule(kAclIngressTableName, acl_rule_key);
     ASSERT_NE(acl_rule, nullptr);