Change API into internal/replication vs external

Inlcudes:

- API updates separating internal (underlay) vs external groups
  with validation and reliance set up accordingly.
- Replicate only on encapsulated packets, which simplifies a ton of
    dataplane work (note: we still decap or not after replication is
    configured)
- Comment cleanup
- Additional testing

Author: zeeshanlakhani

dpd-client/tests/integration_tests/mcast.rs

@@ -45,12 +45,9 @@ const IPV4_NAT_TABLE_SIZE: usize = 1024; // nat routing table
 const IPV6_NAT_TABLE_SIZE: usize = 1024; // nat routing table
 const IPV4_ARP_SIZE: usize = 512; // arp cache
 const IPV6_NEIGHBOR_SIZE: usize = 512; // ipv6 neighbor cache
-/// Multicast routing tables add two entries for each entry in the
-/// replication table, one for each direction (ingress and egress).
-///
-/// We alternate between IPv4 and IPv6 multicast addresses, so it's
-/// 512 entries for each type of address.
-const MULTICAST_TABLE_SIZE: usize = 2048;
+/// The size of the multicast table related to replication on
+/// admin-scoped (internal) multicast groups.
+const MULTICAST_TABLE_SIZE: usize = 1024;
 const MCAST_TAG: &str = "mcast_table_test"; // multicast group tag
 
 // The result of a table insert or delete API operation.
@@ -76,30 +73,16 @@ fn gen_ipv6_cidr(idx: usize) -> Ipv6Net {
     Ipv6Net::new(gen_ipv6_addr(idx), 128).unwrap()
 }
 
-/// Generates valid IPv4 multicast addresses that avoid special-purpose ranges
-fn gen_ipv4_multicast_addr(idx: usize) -> Ipv4Addr {
-    // Start with 224.1.0.0 to avoid the 224.0.0.0/24 range
-    // (which contains link-local multicast)
-    // 224.0.0.0/24 is reserved for local network control use
-    let base: u32 = 0xE0010000u32; // hex for 224.1.0.0
-
-    // Avoid special-purpose ranges:
-    // - 232.0.0.0/8 (Source-Specific Multicast)
-    // - 233.0.0.0/8 (GLOP addressing)
-    // - 239.0.0.0/8 (Administratively Scoped)
-    //
-    // Keep within 224.1.0.0 - 231.255.255.255
-    let addr: u32 = base + (idx as u32 % 0x00FFFFFF);
-
-    // Convert to Ipv4Addr
-    addr.into()
-}
-
-/// Generates valid IPv6 multicast addresses that avoid reserved ranges
+// Generates valid IPv6 multicast addresses that are admin-scoped.
 fn gen_ipv6_multicast_addr(idx: usize) -> Ipv6Addr {
-    // Use ff0e::/16 (global scope) to avoid link-local and other reserved scopes
-    // FF0E is global scope multicast (avoid ff00, ff01, ff02 which are reserved)
-    Ipv6Addr::new(0xFF0E, 0, 0, 0, 0, 0, 0, (1000 + idx) as u16)
+    // Use admin-scoped multicast addresses (ff04::/16, ff05::/16, ff08::/16)
+    // This ensures they will be created as internal groups
+    let scope = match idx % 3 {
+        0 => 0xFF04, // admin-scoped
+        1 => 0xFF05, // admin-scoped
+        _ => 0xFF08, // admin-scoped
+    };
+    Ipv6Addr::new(scope, 0, 0, 0, 0, 0, 0, (1000 + idx) as u16)
 }
 
 // For each table we want to test, we define functions to insert, delete, and
@@ -474,8 +457,10 @@ async fn test_routev6_full() -> TestResult {
     test_table_capacity::<RouteV6, (), ()>(IPV6_LPM_SIZE).await
 }
 
+struct MulticastReplicationTableTest {}
+
 impl TableTest<types::MulticastGroupResponse, ()>
-    for types::MulticastGroupCreateEntry
+    for MulticastReplicationTableTest
 {
     async fn insert_entry(
         switch: &Switch,
@@ -484,64 +469,36 @@ impl TableTest<types::MulticastGroupResponse, ()>
         let (port_id1, link_id1) = switch.link_id(PhysPort(11)).unwrap();
         let (port_id2, link_id2) = switch.link_id(PhysPort(12)).unwrap();
 
-        // Alternate between IPv4 and IPv6 based on whether idx is even or odd
-        let group_ip = if idx % 2 == 0 {
-            IpAddr::V4(gen_ipv4_multicast_addr(idx))
-        } else {
-            IpAddr::V6(gen_ipv6_multicast_addr(idx))
-        };
+        // Only IPv6 admin-scoped multicast addresses for replication table testing
+        let group_ip = IpAddr::V6(gen_ipv6_multicast_addr(idx));
 
-        // Create a NAT target
-        let nat_target = types::NatTarget {
-            internal_ip: Ipv6Addr::new(0xff05, 0, 0, 0, 0, 0, 0, 1),
-            inner_mac: MacAddr::new(0xe1, 0xd5, 0x5e, 0x67, 0x89, 0xab).into(),
-            vni: (100 + idx as u32).into(),
-        };
-
-        // Alternate having a vlan_id based on whether idx is even or odd
-        let vlan_id = if idx % 2 == 0 {
-            Some(10 + (idx % 4000) as u16)
-        } else {
-            None
-        };
-
-        // Create the multicast group
-        let group_entry = types::MulticastGroupCreateEntry {
+        // Admin-scoped IPv6 groups are internal with replication info and members
+        let internal_entry = types::MulticastGroupCreateEntry {
             group_ip,
             tag: Some(MCAST_TAG.to_string()),
-            nat_target: Some(nat_target),
-            vlan_id,
             sources: None,
             replication_info: types::MulticastReplicationEntry {
                 level1_excl_id: Some(10),
                 level2_excl_id: Some(20),
             },
             members: vec![
                 types::MulticastGroupMember {
-                    port_id: port_id1,
+                    port_id: port_id1.clone(),
                     link_id: link_id1,
                     direction: types::Direction::External,
                 },
                 types::MulticastGroupMember {
-                    port_id: port_id2,
+                    port_id: port_id2.clone(),
                     link_id: link_id2,
                     direction: types::Direction::External,
                 },
             ],
         };
-
-        switch.client.multicast_group_create(&group_entry).await
+        switch.client.multicast_group_create(&internal_entry).await
     }
 
     async fn delete_entry(switch: &Switch, idx: usize) -> OpResult<()> {
-        // Find the IP with the matching index
-        let ip = if idx % 2 == 0 {
-            IpAddr::V4(gen_ipv4_multicast_addr(idx))
-        } else {
-            IpAddr::V6(gen_ipv6_multicast_addr(idx))
-        };
-
-        // Delete the route entry
+        let ip = IpAddr::V6(gen_ipv6_multicast_addr(idx));
         switch.client.multicast_group_delete(&ip).await
     }
 
@@ -559,9 +516,9 @@ impl TableTest<types::MulticastGroupResponse, ()>
 
 #[tokio::test]
 #[ignore]
-async fn test_multicast_full() -> TestResult {
+async fn test_multicast_replication_table_full() -> TestResult {
     test_table_capacity::<
-        types::MulticastGroupCreateEntry,
+        MulticastReplicationTableTest,
         types::MulticastGroupResponse,
         (),
     >(MULTICAST_TABLE_SIZE)

dpd-client/tests/integration_tests/table_tests.rs

@@ -53,14 +53,14 @@ const bit<2> MULTICAST_TAG_UNDERLAY = 1;
 const bit<2> MULTICAST_TAG_UNDERLAY_EXTERNAL = 2;
 
 /* IPv6 Address Mask Constants */
-const bit<128> IPV6_SCOPE_MASK = 0xfff00000000000000000000000000000;  // Match ff0X::/16
-const bit<128> IPV6_ULA_MASK = 0xff00000000000000000000000000000;     // Match fd00::/8
+const bit<128> IPV6_SCOPE_MASK = 0xffff0000000000000000000000000000;  // Match ff00::/16
+const bit<128> IPV6_ULA_MASK = 0xff000000000000000000000000000000;     // Match fd00::/8
 
 /* IPv6 Address Pattern Constants */
-const bit<128> IPV6_ADMIN_LOCAL_PATTERN = 0xff040000000000000000000000000000 & IPV6_SCOPE_MASK;  // ff04::/16
-const bit<128> IPV6_SITE_LOCAL_PATTERN = 0xff050000000000000000000000000000 & IPV6_SCOPE_MASK;   // ff05::/16
-const bit<128> IPV6_ORG_SCOPE_PATTERN = 0xff080000000000000000000000000000 & IPV6_SCOPE_MASK;    // ff08::/16
-const bit<128> IPV6_ULA_PATTERN = 0xFfd00000000000000000000000000000 & IPV6_ULA_MASK;            // fd00::/8
+const bit<128> IPV6_ADMIN_LOCAL_PATTERN = 0xff040000000000000000000000000000;  // ff04::/16
+const bit<128> IPV6_SITE_LOCAL_PATTERN = 0xff050000000000000000000000000000;   // ff05::/16
+const bit<128> IPV6_ORG_SCOPE_PATTERN = 0xff080000000000000000000000000000;    // ff08::/16
+const bit<128> IPV6_ULA_PATTERN = 0xfd000000000000000000000000000000;          // fd00::/8
 
 /* Reasons a packet may be dropped by the p4 pipeline */
 const bit<8> DROP_IPV4_SWITCH_ADDR_MISS         = 0x01;

dpd/p4/constants.p4

@@ -232,7 +232,7 @@ control Filter(
 				// that follow the format 33:33:xxxx:xxxx where the last 32 bits
 				// are taken directly from the last 32 bits of the IPv6 address.
 				//
-				// Sadly, the first two conditions cannot e checked properly by
+				// Sadly, the first two conditions cannot be checked properly by
 				// the parser, as we reach the total available parser match
 				// registers on the device.
 				if (hdr.ethernet.dst_mac[47:40] != 8w0x33 ||
@@ -689,7 +689,7 @@ control NatIngress (
 		if (hdr.ipv4.isValid() && meta.is_valid) {
 			if (meta.is_mcast) {
 				ingress_ipv4_mcast.apply();
-			} else  {
+			} else {
 				ingress_ipv4.apply();
 			}
 		} else if (hdr.ipv6.isValid() && meta.is_valid) {
@@ -1468,27 +1468,36 @@ control MulticastIngress (
 	in ingress_intrinsic_metadata_t ig_intr_md,
 	inout ingress_intrinsic_metadata_for_tm_t ig_tm_md)
 {
-	DirectCounter<bit<32>>(CounterType_t.PACKETS_AND_BYTES) mcast_ipv4_ctr;
 	DirectCounter<bit<32>>(CounterType_t.PACKETS_AND_BYTES) mcast_ipv6_ctr;
 	DirectCounter<bit<32>>(CounterType_t.PACKETS_AND_BYTES) mcast_ipv4_ssm_ctr;
 	DirectCounter<bit<32>>(CounterType_t.PACKETS_AND_BYTES) mcast_ipv6_ssm_ctr;
 
-	Hash<bit<13>>(HashAlgorithm_t.CRC16) mcast_hashv4_level1;
-	Hash<bit<13>>(HashAlgorithm_t.CRC16) mcast_hashv4_level2;
 	Hash<bit<13>>(HashAlgorithm_t.CRC16) mcast_hashv6_level1;
 	Hash<bit<13>>(HashAlgorithm_t.CRC16) mcast_hashv6_level2;
 
 	// Drop action for IPv4 multicast packets with no group.
+	//
+	// At this point, We should only allow replication for IPv6 packets that
+	// are admin-scoped before possible decapping.
 	action drop_mcastv4_no_group() {
 		ig_dprsr_md.drop_ctl = 1;
 		meta.drop_reason = DROP_MULTICAST_NO_GROUP;
-		mcast_ipv4_ctr.count();
 	}
 
 	// Drop action for IPv6 multicast packets with no group.
+	//
+	// At this point, we should only allow replication for IPv6 packets that
+	// are admin-scoped before possible decapping.
 	action drop_mcastv6_no_group() {
 		ig_dprsr_md.drop_ctl = 1;
 		meta.drop_reason = DROP_MULTICAST_NO_GROUP;
+	}
+
+	// Drop action for IPv6 multicast packets with no group
+	// that is a valid admin-scoped multicast group.
+	action drop_mcastv6_admin_scoped_no_group() {
+		ig_dprsr_md.drop_ctl = 1;
+		meta.drop_reason = DROP_MULTICAST_NO_GROUP;
 		mcast_ipv6_ctr.count();
 	}
 
@@ -1520,35 +1529,9 @@ control MulticastIngress (
 		mcast_ipv6_ssm_ctr.count();
 	}
 
-	action configure_mcastv4(
-		MulticastGroupId_t mcast_grp_a,
-		bit<16> rid,
-		bit<16> level1_excl_id,
-		bit<9> level2_excl_id
-	) {
-		ig_tm_md.mcast_grp_a = mcast_grp_a;
-		ig_tm_md.rid = rid;
-		ig_tm_md.level1_exclusion_id = level1_excl_id;
-		ig_tm_md.level2_exclusion_id = level2_excl_id;
-
-		// Set multicast hash based on IPv4 packet fields
-		ig_tm_md.level1_mcast_hash = (bit<13>)mcast_hashv4_level1.get({
-			hdr.ipv4.src_addr,
-			hdr.ipv4.dst_addr,
-			hdr.ipv4.protocol,
-			meta.l4_src_port,
-			meta.l4_dst_port
-		});
-
-		// Set secondary multicast hash based on IPv4 packet fields
-		ig_tm_md.level2_mcast_hash = (bit<13>)mcast_hashv4_level2.get({
-			(bit<16>)hdr.ipv4.identification,
-			ig_intr_md.ingress_port
-		});
-
-		mcast_ipv4_ctr.count();
-	}
-
+	// Configure IPv6 multicast replication with bifurcated design:
+	// mcast_grp_a: external/customer replication group
+	// mcast_grp_b: underlay/infrastructure replication group
 	action configure_mcastv6(
 		MulticastGroupId_t mcast_grp_a,
 		MulticastGroupId_t mcast_grp_b,
@@ -1580,21 +1563,10 @@ control MulticastIngress (
 		mcast_ipv6_ctr.count();
 	}
 
-	table mcast_replication_ipv4 {
-		key = { hdr.ipv4.dst_addr: exact; }
-		actions = {
-			configure_mcastv4;
-			drop_mcastv4_no_group;
-		}
-		default_action = drop_mcastv4_no_group;
-		const size = IPV4_MULTICAST_TABLE_SIZE;
-		counters = mcast_ipv4_ctr;
-	}
-
 	table mcast_source_filter_ipv4 {
 		key = {
-			hdr.ipv4.src_addr: lpm;
-			hdr.ipv4.dst_addr: exact;
+			hdr.inner_ipv4.src_addr: lpm;
+			hdr.inner_ipv4.dst_addr: exact;
 		}
 		actions = {
 			allow_source_mcastv4;
@@ -1609,17 +1581,17 @@ control MulticastIngress (
 		key = { hdr.ipv6.dst_addr: exact; }
 		actions = {
 			configure_mcastv6;
-			drop_mcastv6_no_group;
+			drop_mcastv6_admin_scoped_no_group;
 		}
-		default_action = drop_mcastv6_no_group;
+		default_action = drop_mcastv6_admin_scoped_no_group;
 		const size = IPV6_MULTICAST_TABLE_SIZE;
 		counters = mcast_ipv6_ctr;
 	}
 
 	table mcast_source_filter_ipv6 {
 		key = {
-			hdr.ipv6.src_addr: exact;
-			hdr.ipv6.dst_addr: exact;
+			hdr.inner_ipv6.src_addr: exact;
+			hdr.inner_ipv6.dst_addr: exact;
 		}
 		actions = {
 			allow_source_mcastv6;
@@ -1650,7 +1622,6 @@ control MulticastIngress (
 
 	table mcast_tag_check {
 		key = {
-			hdr.ipv6.isValid() : ternary;
 			ig_tm_md.mcast_grp_a : ternary;
 			ig_tm_md.mcast_grp_b : ternary;
 			hdr.geneve.isValid() : ternary;
@@ -1666,50 +1637,46 @@ control MulticastIngress (
 		}
 
 		const entries = {
-			( true, _, _, true, true, MULTICAST_TAG_EXTERNAL ) : invalidate_underlay_grp_and_set_decap;
-			( true, _, _, true, true, MULTICAST_TAG_UNDERLAY ) : invalidate_external_grp;
-			( true, _, _, true, true, MULTICAST_TAG_UNDERLAY_EXTERNAL ) : NoAction;
-			( _, 0, _, _, _, _ ) : invalidate_external_grp;
-			( _, _, 0, _, _, _ ) : invalidate_underlay_grp;
-			( _, 0, 0, _, _, _ ) : invalidate_grps;
+			(  _, _, true, true, MULTICAST_TAG_EXTERNAL ) : invalidate_underlay_grp_and_set_decap;
+			(  _, _, true, true, MULTICAST_TAG_UNDERLAY ) : invalidate_external_grp;
+			(  _, _, true, true, MULTICAST_TAG_UNDERLAY_EXTERNAL ) : NoAction;
+			( 0, _, _, _, _ ) : invalidate_external_grp;
+			( _, 0, _, _, _ ) : invalidate_underlay_grp;
+			( 0, 0, _, _, _ ) : invalidate_grps;
 		}
 
 		const size = 6;
 	}
 
 	// Note: SSM tables currently take one extra stage in the pipeline (17->18).
 	apply {
-		if (hdr.ipv4.isValid()) {
-			// Check if the destination address is an IPv4 SSM multicast
+		if (hdr.geneve.isValid() && hdr.inner_ipv4.isValid()) {
+			// Check if the inner destination address is an IPv4 SSM multicast
 			// address.
-			if (hdr.ipv4.dst_addr[31:24] == 8w0xe8) {
+			if (hdr.inner_ipv4.dst_addr[31:24] == 8w0xe8) {
 				mcast_source_filter_ipv4.apply();
-				if (meta.allow_source_mcast) {
-					mcast_replication_ipv4.apply();
-				}
 			} else {
-				// Otherwise, apply the multicast replication table for
-				// non-SSM multicast addresses.
-				mcast_replication_ipv4.apply();
+				meta.allow_source_mcast = true;
 			}
-		} else if (hdr.ipv6.isValid()) {
-			// Check if the destination address is an IPv6 SSM multicast
+		} else if (hdr.geneve.isValid() && hdr.inner_ipv6.isValid()) {
+			// Check if the inner destination address is an IPv6 SSM multicast
 			// address.
-			if ((hdr.ipv6.dst_addr[127:120] == 8w0xff)
-				&& ((hdr.ipv6.dst_addr[119:116] == 4w0x3))) {
+			if ((hdr.inner_ipv6.dst_addr[127:120] == 8w0xff)
+				&& ((hdr.inner_ipv6.dst_addr[119:116] == 4w0x3))) {
 					mcast_source_filter_ipv6.apply();
-				if (meta.allow_source_mcast) {
-					// Then, apply the multicast replication table.
-					mcast_replication_ipv6.apply();
-				}
 			} else {
-				// Otherwise, apply the multicast replication table for
-				// non-SSM multicast addresses.
-				mcast_replication_ipv6.apply();
+				meta.allow_source_mcast = true;
 			}
+		} else if (hdr.ipv4.isValid()) {
+			drop_mcastv4_no_group();
+		} else if (hdr.ipv6.isValid()) {
+			drop_mcastv6_no_group();
 		}
 
-		mcast_tag_check.apply();
+		if (hdr.ipv6.isValid() && meta.allow_source_mcast) {
+			mcast_replication_ipv6.apply();
+			mcast_tag_check.apply();
+		}
 	}
 }