
[GCU] [MA] ACL_RULE modifications are not applied #20378

Open
okaravasi opened this issue Sep 30, 2024 · 4 comments
Labels: MSFT, Multi-ASIC, Triaged

Comments

@okaravasi
Description

GCU modification to ACL_RULE path fail to be applied for multi-asic platform.
More specifically, ACL_RULE is added per namespace but not applied to iptables and thus, the test case verification fails.

Failed tests:

  • tests/generic_config_updater/test_cacl.py/test_cacl_tc2_acl_rule_test
  • tests/generic_config_updater/test_monitor_config.py/test_monitor_config_tc1_suite

(Automated test cases support for running in t2 topology is added via PR sonic-net/sonic-mgmt#14070 )

Steps to reproduce the issue

  1. Apply the steps below on a multi-asic duthost.
  2. Create a file "add_acl_rule.json" to add a new rule in one asic namespace.
     An example below:

     [
       {
         "op": "add",
         "path": "/asic1/ACL_RULE",
         "value": {
           "NTP_ACL|TEST_DROP": {
             "IP_PROTOCOL": "17",
             "L4_DST_PORT": "123",
             "IP_TYPE": "IP",
             "PACKET_ACTION": "DROP",
             "PRIORITY": "9998",
             "SRC_IP": "9.9.9.9/32"
           }
         }
       }
     ]

  3. Apply the configuration change.

     sudo config apply-patch add_acl_rule.json

  4. Verify the ACL_RULE was created:

     sudo ip netns exec asic1 show acl rule

  5. Verify the ACL_RULE was added to iptables:

     sudo ip netns exec asic1 iptables -S

Describe the results you received

The rule was not seen in iptables cmd and functionality not applied.

Describe the results you expected

The rule should be visible in the running configuration as well as in iptables.

Additional information you deem important (e.g. issue happens only occasionally)

Issue happened only on multi-asic platform.

Output of show version

admin@ixre-egl-board9:~$ show version

SONiC Software Version: SONiC.HEAD.832829-nokia-master-bf8e2c9a7
SONiC OS Version: 12
Distribution: Debian 12.7
Kernel: 6.1.0-22-2-amd64
Build commit: bf8e2c9a7
Build date: Wed Sep 25 15:57:47 UTC 2024
Built by: gitlab-runner@wfrv-sonicbld06

Platform: x86_64-nokia_ixr7250e_36x400g-r0
HwSKU: Nokia-IXR7250E-36x400G
ASIC: broadcom
ASIC Count: 2
Serial Number: EAG2-02-045
Model Number: N/A
Hardware Revision: 56
Uptime: 13:50:23 up  5:23,  1 user,  load average: 1.65, 1.89, 1.89
Date: Fri 27 Sep 2024 13:50:23

Docker images:
REPOSITORY                    TAG                                  IMAGE ID       SIZE
docker-macsec                 latest                               f178be710750   406MB
docker-dhcp-relay             latest                               e5960cfc6019   384MB
docker-snmp                   HEAD.832829-nokia-master-bf8e2c9a7   f1902b7928cb   418MB
docker-snmp                   latest                               f1902b7928cb   418MB
docker-platform-monitor       HEAD.832829-nokia-master-bf8e2c9a7   6a906f0e6739   459MB
docker-platform-monitor       latest                               6a906f0e6739   459MB
docker-orchagent              HEAD.832829-nokia-master-bf8e2c9a7   76bc76f58932   416MB
docker-orchagent              latest                               76bc76f58932   416MB
docker-nat                    HEAD.832829-nokia-master-bf8e2c9a7   0bf0a967a985   406MB
docker-nat                    latest                               0bf0a967a985   406MB
docker-fpm-frr                HEAD.832829-nokia-master-bf8e2c9a7   624306e87567   435MB
docker-fpm-frr                latest                               624306e87567   435MB
docker-eventd                 HEAD.832829-nokia-master-bf8e2c9a7   d147b480e6e5   374MB
docker-eventd                 latest                               d147b480e6e5   374MB
docker-database               HEAD.832829-nokia-master-bf8e2c9a7   091078e9aebd   383MB
docker-database               latest                               091078e9aebd   383MB
docker-sonic-mgmt-framework   HEAD.832829-nokia-master-bf8e2c9a7   3d2388474edc   424MB
docker-sonic-mgmt-framework   latest                               3d2388474edc   424MB
docker-teamd                  HEAD.832829-nokia-master-bf8e2c9a7   42c01511be73   403MB
docker-teamd                  latest                               42c01511be73   403MB
docker-sflow                  HEAD.832829-nokia-master-bf8e2c9a7   7fa8d1cd42d2   404MB
docker-sflow                  latest                               7fa8d1cd42d2   404MB
docker-router-advertiser      HEAD.832829-nokia-master-bf8e2c9a7   c2b35825bf43   374MB
docker-router-advertiser      latest                               c2b35825bf43   374MB
docker-mux                    HEAD.832829-nokia-master-bf8e2c9a7   d8bfad4511df   386MB
docker-mux                    latest                               d8bfad4511df   386MB
docker-lldp                   HEAD.832829-nokia-master-bf8e2c9a7   51d3f507b05a   383MB
docker-lldp                   latest                               51d3f507b05a   383MB
docker-sonic-gnmi             HEAD.832829-nokia-master-bf8e2c9a7   a46ced6f5be5   459MB
docker-sonic-gnmi             latest                               a46ced6f5be5   459MB
docker-syncd-brcm-dnx         HEAD.832829-nokia-master-bf8e2c9a7   6ed78c7518fb   759MB
docker-syncd-brcm-dnx         latest                               6ed78c7518fb   759MB
docker-gbsyncd-broncos        HEAD.832829-nokia-master-bf8e2c9a7   7d357e969457   410MB
docker-gbsyncd-broncos        latest                               7d357e969457   410MB
docker-gbsyncd-credo          HEAD.832829-nokia-master-bf8e2c9a7   4a412757e74c   383MB
docker-gbsyncd-credo          latest                               4a412757e74c   383MB


@okaravasi (Author)

Moving issue from sonic-utilities repo, here. Closing the original ticket (sonic-net/sonic-utilities#3558) as duplicate.

@xincunli-sonic (Contributor)

Cannot repro in MSFT lab

admin@str2-7250-lc1-2:~$ show ver

SONiC Software Version: SONiC.20220532.72
SONiC OS Version: 11
Distribution: Debian 11.9
Kernel: 5.10.0-23-2-amd64
Build commit: 7766169087
Build date: Fri Oct 4 00:15:40 UTC 2024
Built by: azureuser@98b2318ac000000

Platform: x86_64-nokia_ixr7250e_36x400g-r0
HwSKU: Nokia-IXR7250E-36x100G
ASIC: broadcom
ASIC Count: 2
Serial Number: NS220304200
Model Number: 3HE12578AARA01
Hardware Revision: 56
Uptime: 15:54:33 up 4 days, 19:56, 1 user, load average: 1.52, 1.65, 1.73
Date: Wed 09 Oct 2024 15:54:33

admin@str2-7250-lc1-2:~$ cat acl.json
[
  {
    "op": "add",
    "path": "/asic1/ACL_RULE",
    "value": {
      "NTP_ACL|TEST_DROP": {
        "IP_PROTOCOL": "17",
        "L4_DST_PORT": "123",
        "IP_TYPE": "IP",
        "PACKET_ACTION": "DROP",
        "PRIORITY": "9998",
        "SRC_IP": "9.9.9.9/32"
      }
    }
  }
]

admin@str2-7250-lc1-2:~$ sudo config apply-patch acl.json
sonic_yang(6):Note: Below table(s) have no YANG models: DHCP_SERVER
sonic_yang(6):Note: Below table(s) have no YANG models: LOGGER
sonic_yang(6):Note: Below table(s) have no YANG models: LOGGER
Patch Applier: asic1: Patch application starting.
Patch Applier: asic1: Patch: [{"op": "add", "path": "/ACL_RULE", "value": {"NTP_ACL|TEST_DROP": {"IP_PROTOCOL": "17", "L4_DST_PORT": "123", "IP_TYPE": "IP", "PACKET_ACTION": "DROP", "PRIORITY": "9998", "SRC_IP": "9.9.9.9/32"}}}]
Patch Applier: asic1 getting current config db.
Patch Applier: asic1: simulating the target full config after applying the patch.
Patch Applier: asic1: validating all JsonPatch operations are permitted on the specified fields
Patch Applier: asic1: validating target config does not have empty tables,
since they do not show up in ConfigDb.
Patch Applier: asic1: sorting patch updates.
Patch Applier: The asic1 patch was converted into 1 change:
Patch Applier: asic1: applying 1 change in order:
Patch Applier: * [{"op": "add", "path": "/ACL_RULE", "value": {"NTP_ACL|TEST_DROP": {"IP_PROTOCOL": "17", "L4_DST_PORT": "123", "IP_TYPE": "IP", "PACKET_ACTION": "DROP", "PRIORITY": "9998", "SRC_IP": "9.9.9.9/32"}}}]
Patch Applier: asic1: verifying patch updates are reflected on ConfigDB.
Patch Applier: asic1 patch application completed.
Patch applied successfully.

config db looks like:

  "asic1": {
    "ACL_RULE": {
      "NTP_ACL|TEST_DROP": {
        "IP_PROTOCOL": "17",
        "IP_TYPE": "IP",
        "L4_DST_PORT": "123",
        "PACKET_ACTION": "DROP",
        "PRIORITY": "9998",
        "SRC_IP": "9.9.9.9/32"
      }
    },

admin@str2-7250-lc1-2:~$ sudo ip netns exec asic1 show acl rule
Table    Rule       Priority    Action    Match                 Status
-------  ---------  ----------  --------  --------------------  --------
NTP_ACL  TEST_DROP  9998        DROP      IP_PROTOCOL: 17       N/A
                                          IP_TYPE: IP
                                          L4_DST_PORT: 123
                                          SRC_IP: 9.9.9.9/32

admin@str2-7250-lc1-2:~$ sudo ip netns exec asic1 iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -s 240.127.1.3/32 -d 240.127.1.3/32 -j ACCEPT
-A INPUT -s 240.127.1.1/32 -d 240.127.1.3/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -p udp -m udp --dport 546:547 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT
-A INPUT -s 20.44.16.64/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 13.66.141.96/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 13.69.229.128/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 52.162.110.128/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 52.231.147.224/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 40.74.146.224/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 40.78.203.96/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 20.150.171.224/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 52.162.110.128/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 20.44.16.64/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 13.66.141.96/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 13.69.229.128/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 52.162.110.128/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 52.231.147.224/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 40.74.146.224/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 40.78.203.96/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 20.150.171.224/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 52.162.110.128/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 9.9.9.9/32 -p udp -m udp --dport 123 -j DROP
-A INPUT -d 10.1.0.1/32 -j DROP
-A INPUT -d 192.0.0.2/32 -j DROP
-A INPUT -d 10.3.146.0/32 -j DROP
-A INPUT -d 10.0.0.6/32 -j DROP
-A INPUT -d 10.0.0.10/32 -j DROP
-A INPUT -m ttl --ttl-lt 2 -j ACCEPT
-A INPUT -j DROP

@okaravasi (Author)

@xincunli-sonic

After further debugging, the issue is happening only when trying to modify an existing ACL_RULE via apply-patch replace, and it is not seen when creating a new ACL_RULE.
In that case, apply-patch recognizes 0 changes and, as a result, iptables shows out-of-date information.

So, after creating an ACL_RULE with the steps from description, as a next step please try to modify the newly created rule.

For example sending this patch:

[
  {
    "op": "replace",
    "path": "/asic1/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP",
    "value": "8.8.8.8/32"
  }
]

Output from the console shows the change was not recognized (the patch was converted into 0 changes).

Patch Applier: asic1: Patch application starting.
Patch Applier: asic1: Patch: [{"op": "replace", "path": "/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP", "value": "8.8.8.8/32"}]
Patch Applier: asic1 getting current config db.
Patch Applier: asic1: simulating the target full config after applying the patch.
Patch Applier: asic1: validating all JsonPatch operations are permitted on the specified fields
Patch Applier: asic1: validating target config does not have empty tables,
since they do not show up in ConfigDb.
Patch Applier: asic1: sorting patch updates.
Patch Applier: The asic1 patch was converted into 0 changes.
Patch Applier: asic1: applying 0 changes in order.
Patch Applier: asic1: verifying patch updates are reflected on ConfigDB.
Patch Applier: asic1 patch application completed.
Patch applied successfully.

I also tried with the operation "add", and the results were the same.

admin@ixre-egl-board41:~$ sudo config apply-patch acl_rule_replace
Patch Applier: asic1: Patch application starting.
Patch Applier: asic1: Patch: [{"op": "add", "path": "/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP", "value": "8.8.8.8/32"}]
Patch Applier: asic1 getting current config db.
Patch Applier: asic1: simulating the target full config after applying the patch.
Patch Applier: asic1: validating all JsonPatch operations are permitted on the specified fields
Patch Applier: asic1: validating target config does not have empty tables,
since they do not show up in ConfigDb.
Patch Applier: asic1: sorting patch updates.
Patch Applier: The asic1 patch was converted into 0 changes.
Patch Applier: asic1: applying 0 changes in order.
Patch Applier: asic1: verifying patch updates are reflected on ConfigDB.
Patch Applier: asic1 patch application completed.
Patch applied successfully.

Entries in iptables -S displayed the initial rule information; they were not updated.
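The two symptoms in this thread (a field-level replace on an existing ACL_RULE being counted as 0 changes, and iptables then holding the stale rule) can be checked offline. The script below is an added example, not SONiC's generic_config_updater code: it applies the multi-asic patch with a minimal RFC 6901 pointer applier, counts which ACL_RULE entries actually differ between the old and new config, and then compares the rules a namespace should have against a captured `iptables -S` listing to flag drift. The translation from an ACL_RULE entry to an iptables line, the sample running config and the iptables snippet are constructed assumptions based on the output quoted in the issue.

```python
"""Simulate apply-patch on a multi-asic ACL_RULE and detect iptables drift.

Added example, not the SONiC patch applier. The JSON-pointer applier and
the ACL_RULE -> iptables mapping are simplified assumptions.
"""
import copy
import json


def _unescape(token):
    # RFC 6901 unescaping: "~1" -> "/", "~0" -> "~" (order matters)
    return token.replace("~1", "/").replace("~0", "~")


def _split_pointer(path):
    if not path.startswith("/"):
        raise ValueError("JSON pointer must start with '/'")
    return [_unescape(t) for t in path.split("/")[1:]]


def apply_patch(config, patch):
    """Apply add/replace/remove ops to a deep copy of config and return it."""
    new = copy.deepcopy(config)
    for op in patch:
        tokens = _split_pointer(op["path"])
        parent = new
        for t in tokens[:-1]:
            parent = parent[t]          # strict: missing parents raise KeyError
        leaf = tokens[-1]
        if op["op"] in ("add", "replace"):
            if op["op"] == "replace" and leaf not in parent:
                raise KeyError("replace target missing: " + op["path"])
            parent[leaf] = copy.deepcopy(op["value"])
        elif op["op"] == "remove":
            del parent[leaf]
        else:
            raise ValueError("unsupported op: " + op["op"])
    return new


def changed_acl_rules(old, new, ns):
    """ACL_RULE keys in namespace ns whose content differs between old and new.

    A field-level replace on an existing rule must show up here as one change;
    the issue reports the applier counting it as zero."""
    old_rules = old.get(ns, {}).get("ACL_RULE", {})
    new_rules = new.get(ns, {}).get("ACL_RULE", {})
    keys = set(old_rules) | set(new_rules)
    return sorted(k for k in keys if old_rules.get(k) != new_rules.get(k))


def expected_iptables_rule(rule):
    """Assumed mapping of a control-plane ACL rule to its 'iptables -S' line.

    Only the fields used in this issue are handled (UDP/TCP, SRC_IP, L4_DST_PORT)."""
    proto = {"17": "udp", "6": "tcp"}[rule["IP_PROTOCOL"]]
    return ("-A INPUT -s %s -p %s -m %s --dport %s -j %s"
            % (rule["SRC_IP"], proto, proto, rule["L4_DST_PORT"],
               rule["PACKET_ACTION"]))


def iptables_drift(config, ns, iptables_s_output):
    """Return ACL_RULE keys whose expected iptables line is absent from the listing."""
    present = {line.strip() for line in iptables_s_output.splitlines()}
    return [key for key, rule in config[ns]["ACL_RULE"].items()
            if expected_iptables_rule(rule) not in present]


# Constructed sample data modelled on the issue.
RUNNING_CONFIG = {"asic1": {"ACL_RULE": {"NTP_ACL|TEST_DROP": {
    "IP_PROTOCOL": "17", "L4_DST_PORT": "123", "IP_TYPE": "IP",
    "PACKET_ACTION": "DROP", "PRIORITY": "9998", "SRC_IP": "9.9.9.9/32"}}}}

REPLACE_PATCH = [{"op": "replace",
                  "path": "/asic1/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP",
                  "value": "8.8.8.8/32"}]
ADD_PATCH = [{"op": "add",
              "path": "/asic1/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP",
              "value": "8.8.8.8/32"}]

# Constructed excerpt of 'iptables -S' still carrying the original rule.
STALE_IPTABLES = """\
-P INPUT ACCEPT
-A INPUT -s 9.9.9.9/32 -p udp -m udp --dport 123 -j DROP
-A INPUT -j DROP
"""

if __name__ == "__main__":
    new = apply_patch(RUNNING_CONFIG, REPLACE_PATCH)
    print("changed ACL_RULE keys:", changed_acl_rules(RUNNING_CONFIG, new, "asic1"))
    print("stale in iptables:", iptables_drift(new, "asic1", STALE_IPTABLES))
    print(json.dumps(new["asic1"]["ACL_RULE"], indent=2))
```

Run against the sample data, the replace (and the equivalent add) yields exactly one changed rule, and the drift check names NTP_ACL|TEST_DROP because the listing still carries the 9.9.9.9/32 line. On a device, the same check can be fed the output of `sudo ip netns exec asic1 iptables -S` and the namespace's ACL_RULE table to confirm whether the config DB and iptables agree after a patch.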

@arlakshm (Contributor)

@xincunli-sonic, can you please help triage this issue?
