Summary
AclOrch::initDefaultTableTypes() adds a fixed set of SAI_ACL_TABLE_ATTR_FIELD_* match fields to the built-in default table types (TABLE_TYPE_L3, TABLE_TYPE_L3V6, TABLE_TYPE_L3V4V6, TABLE_TYPE_MCLAG, TABLE_TYPE_MIRROR, TABLE_TYPE_MIRRORV6) without first checking whether the underlying ASIC/SAI supports those fields for an ACL table of that stage/family. On platforms that do not implement one of these match fields for L3 ACLs, create_acl_table fails and orchagent retries the create indefinitely, so ACL bring-up never completes.
Affected versions
master and 202xxx branches (logic is unchanged across them).
Background / Problem
In orchagent/aclorch.cpp, initDefaultTableTypes() builds default table types with hardcoded matches, e.g. for TABLE_TYPE_L3:
builder.withName(TABLE_TYPE_L3)
.withMatch(make_shared<AclTableMatch>(SAI_ACL_TABLE_ATTR_FIELD_ETHER_TYPE))
.withMatch(make_shared<AclTableMatch>(SAI_ACL_TABLE_ATTR_FIELD_OUTER_VLAN_ID))
.withMatch(make_shared<AclTableMatch>(SAI_ACL_TABLE_ATTR_FIELD_ACL_IP_TYPE))
...
These match fields are assumed supported. AclOrch already performs SAI capability queries for actions (queryAclActionCapability() via SAI_SWITCH_ATTR_MAX_ACL_ACTION_COUNT and SAI_SWITCH_ATTR_ACL_STAGE_INGRESS/SAI_SWITCH_ATTR_ACL_STAGE_EGRESS) and for a few attributes (SAI_SWITCH_ATTR_ACL_USER_META_DATA_RANGE, SAI_ACL_ENTRY_ATTR_FIELD_ACL_USER_META, SAI_ACL_ENTRY_ATTR_ACTION_SET_ACL_META_DATA), but it does not query match-field capability before composing the default table types.
Steps to reproduce
- Run on a platform whose SAI does not implement a given default L3 match field (e.g. SAI_ACL_TABLE_ATTR_FIELD_OUTER_VLAN_ID for inet/inet6 ACL tables).
- Configure any standard L3 ACL table (a CONFIG_DB ACL_TABLE of type L3 bound to a port).
- Observe repeated failures:
  - syncd: create_acl_table returns a SAI attribute-class error (SAI_STATUS_UNKNOWN_ATTRIBUTE_0 + <index> or SAI_STATUS_ATTR_NOT_IMPLEMENTED_0 + <index>, where <index> is the position of the offending attribute in the list passed to create_acl_table).
  - orchagent: addAclTable: Failed to create ACL table <name> and create: create status: -<code>, repeating every ~1s as the table is retried.
Example (observed):
syncd#syncd: :- processQuadEvent: attr: SAI_ACL_TABLE_ATTR_FIELD_OUTER_VLAN_ID: true
swss#orchagent: :- create: create status: -262141
swss#orchagent: :- addAclTable: Failed to create ACL table PORT_INGRESS_Ethernet0
(-262141 is SAI_STATUS_UNKNOWN_ATTRIBUTE_0 (-0x40000) + 3: the upper 16 bits select the attribute-error class, the lower 16 bits carry the index, so the unsupported match field sat at position 3 of the attribute list handed to create_acl_table. Writing it as -(0x3FFFD) is arithmetically the same but hides that split.)
Root cause
The default ACL table types include match fields that may not be implemented on every ASIC. Because table creation passes all match fields atomically, one unsupported field fails the entire table create, and there is no capability gate to drop unsupported fields.
Additional context
SAI does not annotate SAI_ACL_TABLE_ATTR_FIELD_OUTER_VLAN_ID (or other match fields) as L2-only; support is genuinely platform-dependent, which is why a runtime capability query is the right gate rather than static assumptions in orchagent. SAI exposes this per attribute through sai_query_attribute_capability() (object type SAI_OBJECT_TYPE_ACL_TABLE, create_implemented in the returned sai_attr_capability_t), so initDefaultTableTypes() can drop a match the platform reports as unimplemented and log it once at init instead of retrying create forever. Since not every vendor SAI implements the capability query, a query that itself fails should fall back to today's hardcoded list rather than drop every match.
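The gate and the status decoding described above, as an added example (not sonic-swss or SAI code). The SAI calls are modelled with std::function and attribute names are strings rather than sai_attr_id_t so the block runs stand-alone; the status constants mirror saistatus.h, the match list is a constructed, abbreviated version of TABLE_TYPE_L3, and the attribute ordering in tableAttrs() is illustrative, not the project's exact order. It shows the ungated create failing with UNKNOWN_ATTRIBUTE_0 + index on a platform without OUTER_VLAN_ID, the decoder recovering that index, and the gated create succeeding with the unsupported match logged once.

```cpp
// Added example: capability gate for default ACL table matches plus a decoder
// for SAI attribute-class status codes. Not sonic-swss or SAI code.
#include <cstdint>
#include <functional>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Status layout from saistatus.h: SAI_STATUS_CODE(x) = -(x); an attribute-class
// error is the class base plus the index of the offending attribute.
constexpr int32_t SAI_STATUS_SUCCESS                = 0;
constexpr int32_t SAI_STATUS_INVALID_ATTRIBUTE_0    = -0x00010000;
constexpr int32_t SAI_STATUS_INVALID_ATTR_VALUE_0   = -0x00020000;
constexpr int32_t SAI_STATUS_ATTR_NOT_IMPLEMENTED_0 = -0x00030000;
constexpr int32_t SAI_STATUS_UNKNOWN_ATTRIBUTE_0    = -0x00040000;
constexpr int32_t SAI_STATUS_ATTR_NOT_SUPPORTED_0   = -0x00050000;

struct AttrStatus {
    bool    isAttrClass;  // true when the code belongs to one of the *_0 classes
    int32_t base;         // class base, e.g. SAI_STATUS_UNKNOWN_ATTRIBUTE_0
    int     index;        // position in the attr list handed to create_acl_table
};

// Same arithmetic as the SAI_STATUS_IS_*() macros: upper 16 bits select the
// class, lower 16 bits carry the attribute index.
AttrStatus decodeAttrStatus(int32_t status)
{
    uint32_t u = static_cast<uint32_t>(status);
    int32_t base = static_cast<int32_t>(u & 0xFFFF0000u);
    int index = static_cast<int>(u & 0xFFFFu);
    bool cls = base == SAI_STATUS_INVALID_ATTRIBUTE_0 || base == SAI_STATUS_INVALID_ATTR_VALUE_0
            || base == SAI_STATUS_ATTR_NOT_IMPLEMENTED_0 || base == SAI_STATUS_UNKNOWN_ATTRIBUTE_0
            || base == SAI_STATUS_ATTR_NOT_SUPPORTED_0;
    return {cls, base, index};
}

// Stand-in for sai_query_attribute_capability(switch, SAI_OBJECT_TYPE_ACL_TABLE,
// attr, &cap) reduced to cap.create_implemented for one attribute name.
using CapabilityQuery = std::function<bool(const std::string&)>;

// Constructed, abbreviated TABLE_TYPE_L3 match list; the real one is longer.
const std::vector<std::string> kDefaultL3Matches = {
    "SAI_ACL_TABLE_ATTR_FIELD_ETHER_TYPE",
    "SAI_ACL_TABLE_ATTR_FIELD_OUTER_VLAN_ID",
    "SAI_ACL_TABLE_ATTR_FIELD_ACL_IP_TYPE",
    "SAI_ACL_TABLE_ATTR_FIELD_SRC_IP",
    "SAI_ACL_TABLE_ATTR_FIELD_DST_IP",
};

// Constructed platform: implements everything except OUTER_VLAN_ID, i.e. the
// situation in the observed logs.
bool platformWithoutOuterVlan(const std::string& attr)
{
    return attr != "SAI_ACL_TABLE_ATTR_FIELD_OUTER_VLAN_ID";
}

// The gate: keep only matches the platform implements and hand back the rest
// so the caller can log them once at init.
std::pair<std::vector<std::string>, std::vector<std::string>>
gateMatches(const std::vector<std::string>& wanted, const CapabilityQuery& query)
{
    std::vector<std::string> kept, dropped;
    for (const auto& m : wanted) {
        (query(m) ? kept : dropped).push_back(m);
    }
    return {kept, dropped};
}

// Attr list as handed to create_acl_table: non-match attrs first, then the
// matches. Ordering is illustrative only.
std::vector<std::string> tableAttrs(const std::vector<std::string>& matches)
{
    std::vector<std::string> attrs = {
        "SAI_ACL_TABLE_ATTR_ACL_STAGE",
        "SAI_ACL_TABLE_ATTR_ACL_BIND_POINT_TYPE_LIST",
    };
    attrs.insert(attrs.end(), matches.begin(), matches.end());
    return attrs;
}

// Model of create_acl_table: the list is validated atomically and the first
// unimplemented attribute fails the whole call with UNKNOWN_ATTRIBUTE_0 + index.
int32_t createAclTable(const std::vector<std::string>& attrs, const CapabilityQuery& query)
{
    for (size_t i = 0; i < attrs.size(); ++i) {
        if (!query(attrs[i])) {
            return SAI_STATUS_UNKNOWN_ATTRIBUTE_0 + static_cast<int32_t>(i);
        }
    }
    return SAI_STATUS_SUCCESS;
}

int main()
{
    // Before: hardcoded matches, create fails and orchagent would retry every ~1s.
    std::vector<std::string> attrs = tableAttrs(kDefaultL3Matches);
    int32_t st = createAclTable(attrs, platformWithoutOuterVlan);
    AttrStatus d = decodeAttrStatus(st);
    std::cout << "ungated create status: " << st << " -> attr index " << d.index
              << " (" << attrs[d.index] << ")\n";

    // After: gate the match list first; create succeeds and the drop is logged once.
    auto gated = gateMatches(kDefaultL3Matches, platformWithoutOuterVlan);
    for (const auto& m : gated.second) {
        std::cout << "dropping match not implemented by platform: " << m << "\n";
    }
    std::cout << "gated create status: "
              << createAclTable(tableAttrs(gated.first), platformWithoutOuterVlan) << "\n";
    return 0;
}
```

In orchagent the same shape fits naturally inside the AclTableType builder: query each match once at initDefaultTableTypes() time, skip the unimplemented ones with a warning, and treat a failed capability query as "unknown, keep the match" so that vendors without the query keep today's behaviour.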