[sidecar] p4 PHV coherence + mocha container protection

This commit forces metadata fields out of mocha containers via @pa_container_type pragmas.
Mocha containers lack ALUs and only support whole-container set operations. When a field
is the only one written by an action in a mocha container, the whole-container write
clobbers other fields sharing that container. The ipv4_checksum_err field was packed into
mocha MH0 alongside pkt_type, which could cause issues.

This adds similar protections for NAT/encap fields, egress bridge header fields, and
egress action fields in both multicast and non-multicast builds.

Other includes:

- Zero-inits sidecar header pad and unused fields (sc_pad, sc_egress,
  sc_payload) across all sidecar header construction sites to prevent stale
  PHV data from leaking into the header.

- Removes unreachable ternary entry (0, 0, _, _, _) from the multicast
  port_bitmap_check const entries table. The two preceding wildcard entries
  already cover that case.

- Simplifies multicast egress counting to use the mcast_tag local captured
  before egress decap rather than re-checking header validity.

Author: zeeshanlakhani

dpd/p4/metadata.p4

@@ -16,6 +16,62 @@
 @pa_no_init("ingress", "meta.nat_ingress_port")
 @pa_no_init("ingress", "meta.encap_needed")
 @pa_no_init("ingress", "meta.icmp_recalc")
+@pa_no_init("ingress", "meta.allow_source_mcast")
+@pa_no_init("ingress", "meta.resolve_nexthop")
+@pa_no_init("ingress", "meta.nexthop_is_v6")
+@pa_no_init("ingress", "meta.route_ttl_is_1")
+
+// Force fields out of mocha containers into normal containers. Mocha containers
+// only support whole-container-set operations, so isolated fields can have
+// their other bits corrupted by stale data from previous packets.
+//
+// Without these pragmas the compiler may pack small metadata fields into mocha
+// containers alongside unrelated fields. A whole-container write to one field
+// then clobbers the others. The risk is highest for 1-bit booleans and fields
+// with long liverange gaps between set and use.
+//
+// Both builds share ipv4_checksum_err: confirmed allocated to mocha MH0 where
+// it shared a container with pkt_type, risking false checksum-error drops.
+@pa_container_type("ingress", "meta.ipv4_checksum_err", "normal")
+
+#ifdef MULTICAST
+// Ingress fields needed for NAT encapsulation and checksum computation.
+@pa_container_type("ingress", "meta.nat_ingress_tgt", "normal")
+@pa_container_type("ingress", "meta.nat_geneve_vni", "normal")
+@pa_container_type("ingress", "meta.icmp_csum", "normal")
+@pa_container_type("ingress", "meta.body_checksum", "normal")
+@pa_container_type("ingress", "meta.orig_src_mac", "normal")
+@pa_container_type("ingress", "meta.orig_src_ipv4", "normal")
+@pa_container_type("ingress", "meta.drop_reason", "normal")
+@pa_container_type("ingress", "meta.l4_dst_port", "normal")
+@pa_container_type("ingress", "meta.nat_inner_mac", "normal")
+// Carried over from non-MULTICAST build. Without explicit pragmas these
+// fields were only protected by incidental co-location with deparsed bridge
+// header fields in the same container, which is fragile across compiler
+// versions and PHV pressure changes.
+@pa_container_type("ingress", "meta.service_routed", "normal")
+@pa_container_type("ingress", "meta.l4_src_port", "normal")
+@pa_container_type("ingress", "meta.icmp_recalc", "normal")
+@pa_container_type("ingress", "meta.nat_ingress_csum", "normal")
+// Egress bridge header fields crossing the ingress/egress boundary.
+@pa_container_type("egress", "meta.bridge_hdr.ingress_port", "normal")
+@pa_container_type("egress", "meta.bridge_hdr.is_mcast_routed", "normal")
+// Egress fields set by multicast table actions and consumed later in the
+// pipeline. drop_reason was confirmed allocated to mocha MH9 where it
+// shared a container with drop_ctl. ipv4_checksum_recalc is a 1-bit field
+// at high risk of mocha packing.
+@pa_container_type("egress", "meta.vlan_id", "normal")
+@pa_container_type("egress", "meta.port_number", "normal")
+@pa_container_type("egress", "meta.ipv4_checksum_recalc", "normal")
+@pa_container_type("egress", "meta.drop_reason", "normal")
+#else
+@pa_container_type("ingress", "meta.service_routed", "normal")
+@pa_container_type("ingress", "meta.nexthop", "normal")
+@pa_container_type("ingress", "meta.l4_src_port", "normal")
+@pa_container_type("ingress", "meta.icmp_recalc", "normal")
+@pa_container_type("ingress", "meta.nat_ingress_csum", "normal")
+@pa_container_type("ingress", "meta.drop_reason", "normal")
+#endif
 
 /* Flexible bridge header for passing metadata between ingress and egress
  * pipelines.

dpd/p4/sidecar.p4

@@ -54,6 +54,7 @@ const bit<9> USER_SPACE_SERVICE_PORT = 192;
 // Callers should set meta.drop_reason and call counters as needed.
 #define ICMP_ERROR_SETUP(type, code)                                    \
     hdr.sidecar.sc_code = SC_ICMP_NEEDED;                               \
+    hdr.sidecar.sc_pad = 0;                                             \
     hdr.sidecar.sc_ingress = (bit<16>)ig_intr_md.ingress_port;          \
     hdr.sidecar.sc_egress = (bit<16>)ig_tm_md.ucast_egress_port;        \
     hdr.sidecar.sc_ether_type = hdr.ethernet.ether_type;                \
@@ -311,8 +312,11 @@ control Services(
 	// sidecar tag, which indicates which port the request arrived on.
 	action forward_to_userspace() {
 		hdr.sidecar.sc_code = SC_FWD_TO_USERSPACE;
+		hdr.sidecar.sc_pad = 0;
 		hdr.sidecar.sc_ingress = (bit<16>)ig_intr_md.ingress_port;
+		hdr.sidecar.sc_egress = 0;
 		hdr.sidecar.sc_ether_type = hdr.ethernet.ether_type;
+		hdr.sidecar.sc_payload = 0;
 		hdr.sidecar.setValid();
 		hdr.ethernet.ether_type = ETHERTYPE_SIDECAR;
 		meta.service_routed = true;
@@ -345,6 +349,7 @@ control Services(
 	// packets always go to the port indicated by the sidecar header.
 	action mcast_inbound_link_local() {
 		hdr.sidecar.sc_code = SC_FWD_TO_USERSPACE;
+		hdr.sidecar.sc_pad = 0;
 		hdr.sidecar.sc_ingress = (bit<16>)ig_intr_md.ingress_port;
 		hdr.sidecar.sc_egress = (bit<16>)ig_tm_md.ucast_egress_port;
 		hdr.sidecar.sc_ether_type = hdr.ethernet.ether_type;
@@ -1166,6 +1171,7 @@ control Arp (
 
 	action request() {
 		hdr.sidecar.sc_code = SC_ARP_NEEDED;
+		hdr.sidecar.sc_pad = 0;
 		hdr.sidecar.sc_ingress = (bit<16>)ig_intr_md.ingress_port;
 		hdr.sidecar.sc_egress = (bit<16>)ig_tm_md.ucast_egress_port;
 		hdr.sidecar.sc_ether_type = hdr.ethernet.ether_type;
@@ -1218,6 +1224,7 @@ control Ndp (
 
 	action request() {
 		hdr.sidecar.sc_code = SC_NEIGHBOR_NEEDED;
+		hdr.sidecar.sc_pad = 0;
 		hdr.sidecar.sc_ingress = (bit<16>)ig_intr_md.ingress_port;
 		hdr.sidecar.sc_egress = (bit<16>)ig_tm_md.ucast_egress_port;
 		hdr.sidecar.sc_ether_type = hdr.ethernet.ether_type;
@@ -1723,16 +1730,18 @@ control MulticastIngress (
 			NoAction;
 		}
 
+		// Priority order: first match wins. The geneve tag entries are
+		// most specific (both headers valid + exact tag), followed by
+		// group-ID fallbacks for non-geneve multicast.
 		const entries = {
 			(  _, _, true, true, MULTICAST_TAG_EXTERNAL ) : invalidate_underlay_grp_and_set_decap;
 			(  _, _, true, true, MULTICAST_TAG_UNDERLAY ) : invalidate_external_grp;
 			(  _, _, true, true, MULTICAST_TAG_UNDERLAY_EXTERNAL ) : NoAction;
 			( 0, _, _, _, _ ) : invalidate_external_grp;
 			( _, 0, _, _, _ ) : invalidate_underlay_grp;
-			( 0, 0, _, _, _ ) : invalidate_grps;
 		}
 
-		const size = 6;
+		const size = 5;
 	}
 
 	// Note: SSM tables currently take one extra stage in the pipeline (17->18).
@@ -2259,24 +2268,23 @@ control Egress(
 			forwarded_ctr.count(eg_intr_md.egress_port);
 
 #ifdef MULTICAST
-			// Multicast-specific counting
+			// Multicast-specific counting. Use the mcast_tag
+			// local (captured before egress decap may strip
+			// geneve headers) rather than re-checking header
+			// validity.
 			if (is_mcast_routed) {
 				mcast_ctr.count(eg_intr_md.egress_port);
-				if (hdr.geneve.isValid()) {
-					if (hdr.geneve_opts.oxg_mcast.isValid()) {
-						if (mcast_tag == MULTICAST_TAG_UNDERLAY) {
-							underlay_mcast_ctr.count(
-							    eg_intr_md.egress_port);
-						} else if (mcast_tag == MULTICAST_TAG_EXTERNAL) {
-							external_mcast_ctr.count(
-							    eg_intr_md.egress_port);
-						} else if (mcast_tag == MULTICAST_TAG_UNDERLAY_EXTERNAL) {
-							underlay_mcast_ctr.count(
-							    eg_intr_md.egress_port);
-							external_mcast_ctr.count(
-							    eg_intr_md.egress_port);
-						}
-					}
+				if (mcast_tag == MULTICAST_TAG_UNDERLAY) {
+					underlay_mcast_ctr.count(
+					    eg_intr_md.egress_port);
+				} else if (mcast_tag == MULTICAST_TAG_EXTERNAL) {
+					external_mcast_ctr.count(
+					    eg_intr_md.egress_port);
+				} else if (mcast_tag == MULTICAST_TAG_UNDERLAY_EXTERNAL) {
+					underlay_mcast_ctr.count(
+					    eg_intr_md.egress_port);
+					external_mcast_ctr.count(
+					    eg_intr_md.egress_port);
 				}
 			} else if (is_link_local_ipv6_mcast) {
 				mcast_ctr.count(eg_intr_md.egress_port);