Unbinding ingress ACL from interface fails #43
Comments
@Tejaswi-Goel, same here. Can we verify it on Ethernet (multiples of 4)?
@justinejose91 Tried on Ethernet4:
ACL Orch doesn't support an ACL without port binding. When the last port is removed, it receives a notification that the ACL has changed and sees 0 ports, which is considered invalid, and no action (HW cleanup) is taken.
@abhishekd0 Is it like, we can't handle the ACL table cleanup from hardware after unbinding? Please correct me if I am wrong.
The way the ABNF schema is defined for ACLs, ports are present inside the ACL config; when we remove the last binding port, the ports@ field becomes a 0-size list, which is considered invalid, so it doesn't do cleanup. A lot of the issues we are seeing in ACLs originate from the fact that the ACL binding and the ACL details are present inside the ACL_TABLE itself. Things would be much simpler and easier to handle (for all cases) if we had another table to define the ACL bindings rather than using ACL_TABLE itself.
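The following is an added illustration, not code from this project or from SONiC: a small model of how an orchestrator consumes `ACL_TABLE|<name>` updates from CONFIG_DB, with the `ports@` list field encoded the way CONFIG_DB stores lists. It reproduces the behaviour described in the comments above (an empty `ports@` list after the last unbind is rejected as invalid, so the hardware entry is never removed, while `show ip access-group`, which reads CONFIG_DB, reports no binding), and contrasts it with a hypothetical handler that treats an empty list as "unbound everywhere" and tears down the hardware state. `FakeAsic`, `handle_acl_table_update`, `simulate` and the `cleanup_on_empty` switch are assumptions made for this example; the rule text is taken from the CLI output in the report.

```python
# Added example (not SONiC's own code). Hypothetical names: FakeAsic,
# handle_acl_table_update, simulate, cleanup_on_empty.


def parse_list_field(raw: str) -> list:
    """CONFIG_DB encodes list fields (e.g. 'ports@') as comma-separated strings.
    A table with no bindings carries an empty string, which parses to []."""
    return [item for item in raw.split(",") if item]


class FakeAsic:
    """Stand-in for the ASIC's ACL groups/entries (constructed for this example)."""

    def __init__(self):
        self.groups = {}   # table name -> set of bound ports
        self.entries = {}  # table name -> list of installed rules

    def install(self, table, ports, rules):
        self.groups[table] = set(ports)
        self.entries[table] = list(rules)

    def remove(self, table):
        self.groups.pop(table, None)
        self.entries.pop(table, None)

    def installed(self, table) -> bool:
        return table in self.entries


def handle_acl_table_update(asic, table, attrs, rules, cleanup_on_empty):
    """Handle one CONFIG_DB SET notification for ACL_TABLE|<table>.

    cleanup_on_empty=False models the behaviour described in the thread: an empty
    'ports@' list is rejected as invalid and nothing is touched, so whatever is
    already programmed in hardware stays there.
    cleanup_on_empty=True is a hypothetical fix: an empty list means the table is
    no longer bound anywhere, so its hardware state is torn down.
    """
    ports = parse_list_field(attrs.get("ports@", ""))
    if not ports:
        if cleanup_on_empty and asic.installed(table):
            asic.remove(table)
            return "removed"
        return "ignored"  # the 'no action (HW cleanup)' path from the comments
    asic.install(table, ports, rules)
    return "installed"


def simulate(cleanup_on_empty):
    """Bind test1 to Ethernet1, then unbind it (the last port).

    Returns (handler results, bindings as 'show ip access-group' would list them
    from CONFIG_DB, whether the entry is still installed in hardware).
    """
    asic = FakeAsic()
    table = "test1_ACL_IPV4"
    key = "ACL_TABLE|" + table
    rules = ["1 permit tcp 4.4.4.4/24 5.5.5.5/24"]  # rule from the issue's CLI output
    config_db = {key: {"type": "L3", "stage": "ingress", "ports@": "Ethernet1"}}
    results = [handle_acl_table_update(asic, table, config_db[key], rules, cleanup_on_empty)]

    # 'no ip access-group test1 in' drops the last port: ports@ becomes ''.
    config_db[key]["ports@"] = ""
    results.append(handle_acl_table_update(asic, table, config_db[key], rules, cleanup_on_empty))

    shown_bindings = parse_list_field(config_db[key]["ports@"])
    return results, shown_bindings, asic.installed(table)


if __name__ == "__main__":
    print("as described in the thread:", simulate(cleanup_on_empty=False))
    print("with empty-list cleanup:   ", simulate(cleanup_on_empty=True))
```

The first call reproduces the divergence in the report: CONFIG_DB shows no binding, yet the ASIC still holds the entry, which is exactly what the hardware dump below documents. The second call shows the minimal behavioural change that would keep CONFIG_DB and hardware consistent; the comment above argues for a separate binding table instead, which would avoid overloading the `ports@` field as both binding and validity signal.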
Remove ingress ACL from interface (Fails)
a. CLI COMMANDS:
sonic(conf-if-Ethernet1)# do show ip access-lists
ip access-list test1
1 permit tcp 4.4.4.4/24 5.5.5.5/24
sonic(conf-if-Ethernet1)# do show ip access-group
Ingress IP access-list test1 on Ethernet1
sonic(conf-if-Ethernet1)# no ip access-group test1 in
Failed
sonic(conf-if-Ethernet1)# do show ip access-group // show command working fine
sonic(conf-if-Ethernet1)#
b. Config db
127.0.0.1:6379[4]> hgetall "ACL_TABLE|test1_ACL_IPV4"
c. HARDWARE CONFIG CHECK:
Ingress ACL entry not removed from hardware:
GID 6: gid=0x6, instance=0 mode=Single, stage=Ingress lookup=Enabled, ActionResId={-1}, pbmp={0x0000000000000000000000000000000000000000000000 0000000001ffffffff}
qset={SrcIp, DstIp, InPorts, RangeCheck, L4SrcPort, L4DstPort, EtherType, IpProtocol, TcpControl, IpType, Stage, StageIngress, IcmpTypeCode, _RangeCheckBits24_31},
selcodes[0]=
{
FPF1=4
FPF2=0
FPF3=7
InterfaceClassSelect=3
TcpClassSelect=0
Intraslice=Primary slice.
{_RangeCheckBits24_31->IpType->InPorts->RangeCheck->Stage->StageIngress->DstIp->SrcIp->L4SrcPort->IcmpTypeCode->L4DstPort->TcpControl->EtherType->IpProtocol},

group_priority= -2147483647
slice_primary = {slice_number=3, Entry count=512(0x200), Entry free=511(0x1ff)},
group_status={prio_min=65534, prio_max=2147483647, entries_total=2560, entries_free=2559,
counters_total=2560, counters_free=2559, meters_total=4096, meters_free=3584}
EID 0x00000096: gid=0x6,
slice=3, slice_idx=0, part =0 prio=0xfffe, flags=0x210602, Installed, Enabled
tcam: color_indep=1,
Stage
StageIngress
DstIp
Offset0: 72 Width0: 32
DATA=0x05050500
MASK=0xffffff00
SrcIp
Offset0: 104 Width0: 32
DATA=0x04040400
MASK=0xffffff00
IpProtocol
Offset0: 64 Width0: 8
DATA=0x00000006
MASK=0x000000ff
action={act=DropCancel, param0=0(0), param1=0(0), param2=0(0), param3=0(0)}
policer=
statistics={stat id 129 slice = 3 idx=0 entries=1}{Bytes}{Packets}