[meta]: Enable validation for SAI_ATTR_VALUE_TYPE_ACL_FIELD_DATA_UINT8_LIST#1856
Open
srodd-nexthop wants to merge 6 commits into
Open
[meta]: Enable validation for SAI_ATTR_VALUE_TYPE_ACL_FIELD_DATA_UINT8_LIST#1856srodd-nexthop wants to merge 6 commits into
srodd-nexthop wants to merge 6 commits into
Conversation
Collaborator
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
srodd-nexthop
force-pushed
the
srodd.nexthopai.udf
branch
from
ddf5e52 to
fa97379
Compare
Collaborator
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Author
|
/azp run |
|
Commenter does not have sufficient privileges for PR 1856 in repo sonic-net/sonic-sairedis |
6 tasks
srodd-nexthop
added a commit
to nexthop-ai/sonic-mgmt
that referenced
this pull request
May 11, 2026
Adds tests/udf/test_udf.py covering the UDF feature added in sonic-net/sonic-swss#4493 (UdfOrch), sonic-net/sonic-buildimage#26874 (YANG), and sonic-net/sonic-sairedis#1856 (meta validation). Registers the suite under t0 and t1-lag in .azure-pipelines/pr_test_scripts.yaml. Coverage (18 test classes, 30+ test methods): - Baseline ASIC_DB programming and CONFIG_DB schema - UDP traffic match through UDF-backed ACL fields - ACL rule create/delete with UDF dependencies - UDF/ACL teardown ordering (correct-order and wrong-order recovery) - ACL rule priority shadowing - Forward reference resolution (TABLE_TYPE configured before SELECTOR) - Multiple selectors per UDF group, distinct OIDs - Invalid CONFIG_DB rejection (negative tests) - SAI UDF_MATCH/UDF attribute round-trip from CONFIG_DB - L3-type auto-mask, L4-port-zero match presence detection - Match type filtering at packet level - Selector field validation (missing/unknown base, missing match) - Selector immutability and idempotent SET handling - UDF_MATCH refcount sharing across selectors (dedup) - UDF_GROUP refcount layering (TABLE_TYPE / TABLE / multi-table) - ACL rule blocking selector deletion - Edge cases (rule with UDF not in table, double-delete, type-vs-table deletion ordering) - End-to-end traffic with full UDF + ACL pipeline All config done directly via sonic-cfggen -j -w; SAI object lifecycle verified via ASIC_DB OID diffing. Module-scoped LogAnalyzer captures unexpected orchagent errors in non-failing mode (negative tests deliberately trigger SWSS_LOG_ERRORs that are ignored via regex). conftest.py overrides yang_validation_check with a UDF-scoped equivalent that validates only UDF/UDF_SELECTOR tables against sonic-udf.yang (avoids spurious failures from FLEX_COUNTER_TABLE entries not covered by installed YANG models on some platforms). Signed-off-by: satishkumar <srodd@nexthop.ai>
srodd-nexthop
added a commit
to nexthop-ai/sonic-mgmt
that referenced
this pull request
May 11, 2026
Adds tests/udf/test_udf.py covering the UDF feature added in sonic-net/sonic-swss#4493 (UdfOrch), sonic-net/sonic-buildimage#26874 (YANG), and sonic-net/sonic-sairedis#1856 (meta validation). Registers the suite under t0 and t1-lag in .azure-pipelines/pr_test_scripts.yaml. Coverage (18 test classes, 30+ test methods): - Baseline ASIC_DB programming and CONFIG_DB schema - UDP traffic match through UDF-backed ACL fields - ACL rule create/delete with UDF dependencies - UDF/ACL teardown ordering (correct-order and wrong-order recovery) - ACL rule priority shadowing - Forward reference resolution (TABLE_TYPE configured before SELECTOR) - Multiple selectors per UDF group, distinct OIDs - Invalid CONFIG_DB rejection (negative tests) - SAI UDF_MATCH/UDF attribute round-trip from CONFIG_DB - L3-type auto-mask, L4-port-zero match presence detection - Match type filtering at packet level - Selector field validation (missing/unknown base, missing match) - Selector immutability and idempotent SET handling - UDF_MATCH refcount sharing across selectors (dedup) - UDF_GROUP refcount layering (TABLE_TYPE / TABLE / multi-table) - ACL rule blocking selector deletion - Edge cases (rule with UDF not in table, double-delete, type-vs-table deletion ordering) - End-to-end traffic with full UDF + ACL pipeline All config done directly via sonic-cfggen -j -w; SAI object lifecycle verified via ASIC_DB OID diffing. Module-scoped LogAnalyzer captures unexpected orchagent errors in non-failing mode (negative tests deliberately trigger SWSS_LOG_ERRORs that are ignored via regex). Signed-off-by: satishkumar <srodd@nexthop.ai>
srodd-nexthop
added a commit
to nexthop-ai/sonic-mgmt
that referenced
this pull request
May 11, 2026
Adds tests/udf/test_udf.py covering the UDF feature added in sonic-net/sonic-swss#4493 (UdfOrch), sonic-net/sonic-buildimage#26874 (YANG), and sonic-net/sonic-sairedis#1856 (meta validation). Registers the suite under t0 and t1-lag in .azure-pipelines/pr_test_scripts.yaml. Coverage (18 test classes, 30+ test methods): - Baseline ASIC_DB programming and CONFIG_DB schema - UDP traffic match through UDF-backed ACL fields - ACL rule create/delete with UDF dependencies - UDF/ACL teardown ordering (correct-order and wrong-order recovery) - ACL rule priority shadowing - Forward reference resolution (TABLE_TYPE configured before SELECTOR) - Multiple selectors per UDF group, distinct OIDs - Invalid CONFIG_DB rejection (negative tests) - SAI UDF_MATCH/UDF attribute round-trip from CONFIG_DB - L3-type auto-mask, L4-port-zero match presence detection - Match type filtering at packet level - Selector field validation (missing/unknown base, missing match) - Selector immutability and idempotent SET handling - UDF_MATCH refcount sharing across selectors (dedup) - UDF_GROUP refcount layering (TABLE_TYPE / TABLE / multi-table) - ACL rule blocking selector deletion - Edge cases (rule with UDF not in table, double-delete, type-vs-table deletion ordering) - End-to-end traffic with full UDF + ACL pipeline All config done directly via sonic-cfggen -j -w; SAI object lifecycle verified via ASIC_DB OID diffing. Module-scoped LogAnalyzer captures unexpected orchagent errors in non-failing mode (negative tests deliberately trigger SWSS_LOG_ERRORs that are ignored via regex). Signed-off-by: satishkumar <srodd@nexthop.ai>
Signed-off-by: satishkumar rodd <srodd@nexthop.ai>
srodd-nexthop
force-pushed
the
srodd.nexthopai.udf
branch
from
fa97379 to
12393d8
Compare
srodd-nexthop
added a commit
to nexthop-ai/sonic-mgmt
that referenced
this pull request
May 12, 2026
Adds tests/udf/test_udf.py covering the UDF feature added in sonic-net/sonic-swss#4493 (UdfOrch), sonic-net/sonic-buildimage#26874 (YANG), and sonic-net/sonic-sairedis#1856 (meta validation). Registers the suite under t0 and t1-lag in .azure-pipelines/pr_test_scripts.yaml. Coverage (18 test classes, 30+ test methods): - Baseline ASIC_DB programming and CONFIG_DB schema - UDP traffic match through UDF-backed ACL fields - ACL rule create/delete with UDF dependencies - UDF/ACL teardown ordering (correct-order and wrong-order recovery) - ACL rule priority shadowing - Forward reference resolution (TABLE_TYPE configured before SELECTOR) - Multiple selectors per UDF group, distinct OIDs - Invalid CONFIG_DB rejection (negative tests) - SAI UDF_MATCH/UDF attribute round-trip from CONFIG_DB - L3-type auto-mask, L4-port-zero match presence detection - Match type filtering at packet level - Selector field validation (missing/unknown base, missing match) - Selector immutability and idempotent SET handling - UDF_MATCH refcount sharing across selectors (dedup) - UDF_GROUP refcount layering (TABLE_TYPE / TABLE / multi-table) - ACL rule blocking selector deletion - Edge cases (rule with UDF not in table, double-delete, type-vs-table deletion ordering) - End-to-end traffic with full UDF + ACL pipeline All config done directly via sonic-cfggen -j -w; SAI object lifecycle verified via ASIC_DB OID diffing. Module-scoped LogAnalyzer captures unexpected orchagent errors in non-failing mode (negative tests deliberately trigger SWSS_LOG_ERRORs that are ignored via regex). Signed-off-by: satishkumar <srodd@nexthop.ai>
Note that the UINT8_LIST ACL field value type is consumed by UDF-backed ACL match fields, where the byte pattern lives in aclfield.data.u8list. Signed-off-by: satishkumar rodd <srodd@nexthop.ai>
Collaborator
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Signed-off-by: satishkumar rodd <srodd@nexthop.ai>
Collaborator
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Fixes Build amd64 / BuildAsan amd64 failure: aspellcheck.pl: WARNING: Word 'UDF' is misspelled ../meta/Meta.cpp Signed-off-by: satishkumar rodd <srodd@nexthop.ai>
Collaborator
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Fixes SaiSerialize.sai_serialize_attr_value unit test failure: C++ exception with description ':- sai_deserialize_list: invalid list' thrown in the test body. The earlier guard (12393d8, a2bdcfa) skipped the '&mask:' portion when mask.u8list was empty. That broke round-trip: deserialize still expects the suffix and throws on an empty smask. Reverting to the unconditional form (matching master and all other ACL field types) restores symmetry. sai_serialize_number_list handles empty lists without crashing, as proven by master where this test passes. Signed-off-by: satishkumar rodd <srodd@nexthop.ai>
Collaborator
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Signed-off-by: satishkumar rodd <srodd@nexthop.ai>
Collaborator
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
HLD: sonic-net/SONiC#2299
Why I did it
SAI_ATTR_VALUE_TYPE_ACL_FIELD_DATA_UINT8_LISTis the value type used for ACL fields backed by UDF (user-defined field) groups — the byte pattern and mask live inaclfield.data.u8list. Inmeta/Meta.cppthe validation cases for this type were commented out in all five paths (create,set,get,post_get,post_remove), so UDF ACL matches were being silently skipped by the meta layer.This blocks the UDF feature being added to orchagent (companion PR: sonic-net/sonic-swss#<4493#>) — without metadata validation, UDF ACL rules don't round-trip correctly through sairedis.
Work item tracking
How I did it
meta/Meta.cpp— uncommented and enabled theSAI_ATTR_VALUE_TYPE_ACL_FIELD_DATA_UINT8_LISTcase in:meta_generic_validation_create—VALIDATION_LIST(md, value.aclfield.data.u8list)whenaclfield.enableis set.meta_generic_validation_set— same, forSEToperations.meta_generic_validation_get— unconditionalVALIDATION_LISTonget.meta_generic_validation_post_get—VALIDATION_LIST_GETwhen enabled.meta_generic_validation_post_remove— no-op (no object references to decrement foru8list), but the case is now present rather than falling through.meta/SaiSerialize.cpp— added serialization support for theu8listfield so it round-trips through the sairedis record/replay layer.How to verify it
Build:
make).metaunit tests pass (make checkinmeta/andunittest/).Runtime (with the companion orchagent PR):
config_db.json; verify sairedis accepts theCREATEfor anACL_ENTRYreferencing the UDF group as a match field (visible insairedis.rec).syncdreceives and applies theACL_ENTRYattributes including theu8listbyte pattern.u8listwould reach syncd unchecked.Which release branch to backport (provide reason below if selected)
Not a backport — enables a new feature (UDF ACL matching).
Tested branch (Please provide the tested image version)
masterDescription for the changelog
Enable meta validation for
SAI_ATTR_VALUE_TYPE_ACL_FIELD_DATA_UINT8_LIST(ACL fields with uint8 list values, used by UDF).