
[ACL] config acl update incremental deletes all the existing rules and then adds new rules. Need provision to add/delete single rule. #2550

Open
ArthiGovindaraj opened this issue Dec 13, 2022 · 1 comment

Comments

@ArthiGovindaraj

Description

After creating an ACL table, we are loading the rules using "config acl update full/incremental". But there is no provision to add or delete a single rule using CLICK commands.

It would be helpful to support commands like:
config acl add rule <filename.json>
config acl delete rule

Also, "config acl delete table" does not clear the config_db rules. "show acl rules" will still continue displaying the rules.

Steps to reproduce the issue

  1. Create L3 ACL table => config acl add table -s ingress -p Ethernet0 L3_TABLE L3
  2. Update rule RULE_5 from acl_1.json => config acl update full acl_1.json
root@sonic:~# show acl rule
Table     Rule          Priority    Action    Match
--------  ------------  ----------  --------  -------------------
L3_TABLE  RULE_5        9995        FORWARD   DST_IP: 30.0.0.2/32
                                              ETHER_TYPE: 2048
                                              L4_DST_PORT: 4657
                                              L4_SRC_PORT: 4656
                                              SRC_IP: 20.0.0.2/32
L3_TABLE  DEFAULT_RULE  1           DROP      ETHER_TYPE: 2048
  2. Update rule RULE_6 from acl_2.json => RULE_5 is deleted and only RULE_6 exists. =========> ISSUE
root@sonic:~# show acl rule
Table     Rule          Priority    Action    Match
--------  ------------  ----------  --------  -------------------
L3_TABLE  RULE_6        9994        FORWARD   DST_IP: 30.0.0.3/32
                                              ETHER_TYPE: 2048
                                              L4_DST_PORT: 4659
                                              L4_SRC_PORT: 4658
                                              SRC_IP: 20.0.0.3/32
L3_TABLE  DEFAULT_RULE  1           DROP      ETHER_TYPE: 2048
  3. Delete the table using "config acl remove table L3_TABLE"; "show acl rule" is still not cleared =====> ISSUE
root@sonic:~# config acl remove table L3_TABLE
root@sonic:~# show acl table
Name    Type    Binding    Description    Stage
------  ------  ---------  -------------  -------
root@sonic:~# show acl rule
Table     Rule          Priority    Action    Match
--------  ------------  ----------  --------  -------------------
L3_TABLE  RULE_6        9994        FORWARD   DST_IP: 30.0.0.3/32
                                              ETHER_TYPE: 2048
                                              L4_DST_PORT: 4659
                                              L4_SRC_PORT: 4658
                                              SRC_IP: 20.0.0.3/32
L3_TABLE  DEFAULT_RULE  1           DROP      ETHER_TYPE: 2048

Describe the results you received

  • Using the "config acl update" command, all the existing rules in the table are getting deleted, and there is no provision to add or delete a single rule.
  • When doing "config acl remove table", the rules should also be deleted.

Describe the results you expected

Need a provision to add or delete a single rule.

  1. Create L3 table
root@sonic:~# config acl add table -s ingress -p Ethernet0 L3_TABLE L3
root@sonic:~# show acl table
Name      Type    Binding    Description    Stage
--------  ------  ---------  -------------  -------
L3_TABLE  L3      Ethernet0  L3_TABLE       ingress
  2. Update RULE_5 using acl_1.json
root@sonic:~# config acl update full acl_1.json
root@sonic:~# show acl rule
Table     Rule          Priority    Action    Match
--------  ------------  ----------  --------  -------------------
L3_TABLE  RULE_5        9995        FORWARD   DST_IP: 30.0.0.2/32
                                              ETHER_TYPE: 2048
                                              L4_DST_PORT: 4657
                                              L4_SRC_PORT: 4656
                                              SRC_IP: 20.0.0.2/32
L3_TABLE  DEFAULT_RULE  1           DROP      ETHER_TYPE: 2048
  3. Update RULE_6 using acl_2.json
root@sonic:~# config acl add rule acl_2.json
root@sonic:~# show acl rule
Table     Rule          Priority    Action    Match
--------  ------------  ----------  --------  -------------------
L3_TABLE  RULE_5        9995        FORWARD   DST_IP: 30.0.0.2/32
                                              ETHER_TYPE: 2048
                                              L4_DST_PORT: 4657
                                              L4_SRC_PORT: 4656
                                              SRC_IP: 20.0.0.2/32
L3_TABLE  RULE_6        9994        FORWARD   DST_IP: 30.0.0.3/32
                                              ETHER_TYPE: 2048
                                              L4_DST_PORT: 4659
                                              L4_SRC_PORT: 4658
                                              SRC_IP: 20.0.0.3/32
L3_TABLE  DEFAULT_RULE  1           DROP      ETHER_TYPE: 2048
  4. Delete the entire table and rules using "config acl remove table L3_TABLE"
root@sonic:~# config acl remove table L3_TABLE
root@sonic:~# show acl table
Name    Type    Binding    Description    Stage
------  ------  ---------  -------------  -------
root@sonic:~# show acl rule
Table    Rule    Priority    Action    Match
-------  ------  ----------  --------  -------

Additional information you deem important (e.g. issue happens only occasionally)

Suggested fix is provided in #2523

Output of show version

Same behavior in branch: 202205/master
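The two behaviours the report contrasts (replace-all on update versus single-rule merge, and table removal that leaves rules behind) modelled on an in-memory CONFIG_DB snapshot, as an added example that is not code from sonic-utilities. It assumes the SONiC CONFIG_DB key layout "ACL_TABLE|<table>" and "ACL_RULE|<table>|<rule>"; the entries and field values are constructed from the rule output shown above, and orphaned_rules() is the audit check an operator can run to spot rules whose table is already gone.

```python
# Constructed CONFIG_DB-style snapshot, keyed like SONiC's "TABLE|key" entries.
SAMPLE_DB = {
    "ACL_TABLE|L3_TABLE": {"type": "L3", "stage": "ingress", "ports": "Ethernet0"},
    "ACL_RULE|L3_TABLE|RULE_5": {"PRIORITY": "9995", "PACKET_ACTION": "FORWARD",
                                 "SRC_IP": "20.0.0.2/32", "DST_IP": "30.0.0.2/32"},
    "ACL_RULE|L3_TABLE|DEFAULT_RULE": {"PRIORITY": "1", "PACKET_ACTION": "DROP",
                                       "ETHER_TYPE": "2048"},
}


def rule_keys(db, table):
    """All ACL_RULE keys belonging to one table, in insertion order."""
    prefix = f"ACL_RULE|{table}|"
    return [k for k in db if k.startswith(prefix)]


def update_full(db, table, rules):
    """Replace semantics, as the report observes for 'config acl update':
    every existing rule of the table is dropped before the new set is written."""
    for k in rule_keys(db, table):
        del db[k]
    for name, fields in rules.items():
        db[f"ACL_RULE|{table}|{name}"] = dict(fields)


def add_rule(db, table, name, fields):
    """Merge semantics the report asks for: add or overwrite one rule, keep the rest.
    Refuses to create a rule for a table that does not exist (would be an orphan)."""
    if f"ACL_TABLE|{table}" not in db:
        raise KeyError(f"ACL table {table} does not exist")
    db[f"ACL_RULE|{table}|{name}"] = dict(fields)


def delete_rule(db, table, name):
    """Remove exactly one rule; a no-op if it is not present."""
    return db.pop(f"ACL_RULE|{table}|{name}", None)


def remove_table(db, table):
    """Table removal that cascades to its rules, so 'show acl rule' ends up empty."""
    del db[f"ACL_TABLE|{table}"]
    for k in rule_keys(db, table):
        del db[k]


def orphaned_rules(db):
    """Audit check: ACL_RULE entries whose parent ACL_TABLE is gone, i.e. the stale
    state the report shows after 'config acl remove table' without cleanup."""
    tables = {k.split("|", 1)[1] for k in db if k.startswith("ACL_TABLE|")}
    return sorted(k for k in db
                  if k.startswith("ACL_RULE|") and k.split("|")[1] not in tables)
```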
@ArthiGovindaraj (Author)

Suggested fix provided in pull request #2523
