Submit python model #426

Open
wants to merge 22 commits into
base: main
saad-mzhr
Collaborator

This is an attempt to translate the P4 model to Python so that Stateful Features (firewall, metering, ST) and Complex Match Types (ternary/range list) can be implemented.

Current State:
This model incorporates all the features in the existing P4 model and adds on top of it:

  • ACL Table including Ternary and Range List types
  • ACL Pipeline logic as required in the spec
  • Flow Table for holding the active connections
  • Flow Timer for evicting the active connection

Note that the P4 model is not rewritten from scratch. Instead, it is translated word for word so as to preserve all the effort that has been put into the P4 model.

Directory/File Structure:
There is only a single folder (python_model) that directly holds all the files needed at runtime. There is a sub-directory called "python_model/tests" that stores regression tests used during development. This sub-directory is not used at runtime.
Main directory (python_model) has 2 types of files:

  1. Names starting with "dash_": They are almost an identical copy of their P4 counterparts (e.g. dash_vxlan.p4, dash_pipeline.p4).
  2. Names starting with "__" (double underscore): They include framework logic that was originally implemented in BMv2. For example, the implementation of Match-Action tables, Counters, etc.

Testing:

Right now, mostly white box testing is being done over debugger for better visibility.

Steps to run:

  1. Make sure you have:
    Python 3.10.12
    VSCODE 1.81.1
    Python dev extensions in VSCODE
  2. Open VSCODE in the "python_model" directory
  3. Open file named unit_test.py
  4. Hit debug button and follow the packet flow through the pipeline

This program tests basic Stateful Firewall functionality. It configures inbound/outbound tables with appropriate values.
It also creates 2 ACL groups for inbound and outbound. Outbound ACLs have "Allow All" policy. Inbound ACLs have "Deny All" policy. The program first sends an outbound UDP packet. It is allowed by the firewall. Pipeline returns a transformed version of the packet (Use debugger to follow the packet flow).
Next, the program sends a corresponding inbound packet (UDP response). Even though the Inbound ACL has a "Deny All" policy, this response packet will still be allowed in because of the flow table.
Also, if you send the response packet after a long enough interval (>5 seconds), the response packet will be dropped because the connection has timed out.

Some points about the code:

  • Most of the P4 constructs (tables, counters) are emulated perfectly. I did not make an abstraction for P4 "control blocks" as it seemed unnecessary. Instead, everything (functions, tables, counters) is out in the open.
  • Simplicity and functional correctness were the main objectives rather than performance and memory efficiency.
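
The stateful-firewall behaviour described in the comment above (outbound "Allow All", inbound "Deny All", flow-table bypass, eviction after 5 seconds), as a minimal sketch added here for illustration; it is not code from the PR's python_model directory. The class and field names, the 5-tuple flow key, the caller-supplied clock and the timer refresh on each flow hit are assumptions.

```python
# Added illustration; all names are hypothetical, not taken from python_model.
from dataclasses import dataclass

FLOW_TIMEOUT = 5.0  # seconds; the description drops responses after ">5 seconds"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

    def key(self):
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)

    def reverse_key(self):
        return (self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


class StatefulFirewall:
    def __init__(self, outbound_default="allow", inbound_default="deny"):
        self.acl_default = {"outbound": outbound_default, "inbound": inbound_default}
        self.flows = {}  # flow key -> time the flow was last seen

    def _evict_expired(self, now):
        # Flow timer: remove connections idle for longer than FLOW_TIMEOUT.
        self.flows = {k: t for k, t in self.flows.items() if now - t <= FLOW_TIMEOUT}

    def process(self, pkt, direction, now):
        self._evict_expired(now)
        if pkt.key() in self.flows:
            # Known connection: the flow table wins over the ACL verdict.
            self.flows[pkt.key()] = self.flows[pkt.reverse_key()] = now
            return "allow"
        if self.acl_default[direction] == "allow":
            # New connection permitted by ACL: install both directions.
            self.flows[pkt.key()] = self.flows[pkt.reverse_key()] = now
            return "allow"
        return "deny"


def demo(response_delay):
    """Constructed traffic: one outbound UDP query, its response, one stray packet."""
    fw = StatefulFirewall()
    query = Packet("10.0.0.1", "10.0.0.2", "udp", 40000, 53)
    reply = Packet("10.0.0.2", "10.0.0.1", "udp", 53, 40000)
    stray = Packet("10.0.0.9", "10.0.0.1", "udp", 53, 40000)  # unsolicited source
    return [fw.process(query, "outbound", 0.0),
            fw.process(stray, "inbound", 0.5),
            fw.process(reply, "inbound", response_delay)]
```

Only the exact reverse 5-tuple of an allowed outbound packet bypasses the inbound "Deny All" policy; a packet to the same destination port from a different source is still denied.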

@linux-foundation-easycla

linux-foundation-easycla bot commented Aug 25, 2023

CLA Not Signed

@KrisNey-MSFT
Collaborator

hi @saad-mzhr - did you want me to keep this Open in the DASH Community?
Thank you, Kristina
