From 950508b51aa66438f6b95b77920528e0f7491248 Mon Sep 17 00:00:00 2001
From: Nathan Wolfe <nwolfe@arista.com>
Date: Thu, 14 Apr 2022 19:35:23 -0700
Subject: [PATCH] [macsecorch]: Support for non-default sa per sc

Querying max_sa_per_sc from SAI and storing in STATE_DB. If the
SAI_MACSEC_ATTR_MAX_SECURE_ASSOCIATION_PER_SC is not supported
we will use the default of 4.

Signed-off-by: Nathan Wolfe <nwolfe@arista.com>
---
 orchagent/macsecorch.cpp | 27 +++++++++++++++++++++++++++
 orchagent/macsecorch.h   |  1 +
 2 files changed, 28 insertions(+)

diff --git a/orchagent/macsecorch.cpp b/orchagent/macsecorch.cpp
index 5b65dbdd3c..20b6057733 100644
--- a/orchagent/macsecorch.cpp
+++ b/orchagent/macsecorch.cpp
@@ -1082,6 +1082,32 @@ bool MACsecOrch::initMACsecObject(sai_object_id_t switch_id)
     }
     macsec_obj.first->second.m_sci_in_ingress_macsec_acl = attrs.front().value.booldata;
 
+    attrs.clear();
+    attr.id = SAI_MACSEC_ATTR_MAX_SECURE_ASSOCIATIONS_PER_SC;
+    attrs.push_back(attr);
+    status = sai_macsec_api->get_macsec_attribute(
+                    macsec_obj.first->second.m_ingress_id,
+                    static_cast<uint32_t>(attrs.size()),
+                    attrs.data());
+    if (status != SAI_STATUS_SUCCESS)
+    {
+        // Default to 4 if SAI_MACSEC_ATTR_MAX_SECURE_ASSOCIATION_PER_SC isn't supported
+        macsec_obj.first->second.m_max_sa_per_sc = 4;
+    } else {
+        switch (attrs.front().value.s32)
+        {
+            case SAI_MACSEC_MAX_SECURE_ASSOCIATIONS_PER_SC_TWO:
+                macsec_obj.first->second.m_max_sa_per_sc = 2;
+                break;
+            case SAI_MACSEC_MAX_SECURE_ASSOCIATIONS_PER_SC_FOUR:
+                macsec_obj.first->second.m_max_sa_per_sc = 4;
+                break;
+            default:
+                SWSS_LOG_WARN( "Unsupported value returned from SAI_MACSEC_ATTR_MAX_SECURE_ASSOCIATION_PER_SC" );
+                return false;
+        }
+    }
+
     recover.clear();
     return true;
 }
@@ -1266,6 +1292,7 @@ bool MACsecOrch::createMACsecPort(
     SWSS_LOG_NOTICE("MACsec port %s is created.", port_name.c_str());
 
     std::vector<FieldValueTuple> fvVector;
+    fvVector.emplace_back("max_sa_per_sc", std::to_string(macsec_obj.m_max_sa_per_sc));
     fvVector.emplace_back("state", "ok");
     m_state_macsec_port.set(port_name, fvVector);
 
diff --git a/orchagent/macsecorch.h b/orchagent/macsecorch.h
index 33f7b7082e..b59984a3a6 100644
--- a/orchagent/macsecorch.h
+++ b/orchagent/macsecorch.h
@@ -110,6 +110,7 @@ class MACsecOrch : public Orch
         sai_object_id_t                                 m_ingress_id;
         map<std::string, std::shared_ptr<MACsecPort> >  m_macsec_ports;
         bool                                            m_sci_in_ingress_macsec_acl;
+        sai_uint8_t                                     m_max_sa_per_sc;
     };
     map<sai_object_id_t, MACsecObject>              m_macsec_objs;
     map<std::string, std::shared_ptr<MACsecPort> >  m_macsec_ports;