sonic-utilities
[ACL] config acl update incremental deletes all the existing rules and then adds new rules. Need provision to add/delete single rule.
Description
After creating an ACL table, we are loading the rules using "config acl update full/incremental".
It would be helpful to support commands like
config acl add rule <filename.json>
config acl delete rule
Also, config acl delete table
Steps to reproduce the issue
- Create L3 ACL table => config acl add table -s ingress -p Ethernet0 L3_TABLE L3
- Update rule RULE_5 from acl_1.json => config acl update full acl_1.json
root@sonic:~# show acl rule
Table Rule Priority Action Match
-------- ------------ ---------- -------- -------------------
L3_TABLE RULE_5 9995 FORWARD DST_IP: 30.0.0.2/32
ETHER_TYPE: 2048
L4_DST_PORT: 4657
L4_SRC_PORT: 4656
SRC_IP: 20.0.0.2/32
L3_TABLE DEFAULT_RULE 1 DROP ETHER_TYPE: 2048
- Update rule RULE_6 from acl_2.json => RULE_5 is deleted and only RULE_6 exists. =========> ISSUE
root@sonic:~# show acl rule
Table Rule Priority Action Match
-------- ------------ ---------- -------- -------------------
L3_TABLE RULE_6 9994 FORWARD DST_IP: 30.0.0.3/32
ETHER_TYPE: 2048
L4_DST_PORT: 4659
L4_SRC_PORT: 4658
SRC_IP: 20.0.0.3/32
L3_TABLE DEFAULT_RULE 1 DROP ETHER_TYPE: 2048
- Delete the table using "config acl remove table L3_TABLE"; "show acl rule" still lists the rules =====> ISSUE
root@sonic:~# config acl remove table L3_TABLE
root@sonic:~# show acl table
Name Type Binding Description Stage
------ ------ --------- ------------- -------
root@sonic:~# show acl rule
Table Rule Priority Action Match
-------- ------------ ---------- -------- -------------------
L3_TABLE RULE_6 9994 FORWARD DST_IP: 30.0.0.3/32
ETHER_TYPE: 2048
L4_DST_PORT: 4659
L4_SRC_PORT: 4658
SRC_IP: 20.0.0.3/32
L3_TABLE DEFAULT_RULE 1 DROP ETHER_TYPE: 2048
Describe the results you received
- Using the "config acl update" command, all the existing rules in the table are deleted, and there is no provision to add or delete a single rule.
- When doing "config acl remove table", the table's rules should also be deleted.
Describe the results you expected
Need provision to add or delete a single rule.
- Create L3 table
root@sonic:~# config acl add table -s ingress -p Ethernet0 L3_TABLE L3
root@sonic:~# show acl table
Name Type Binding Description Stage
-------- ------ --------- ------------- -------
L3_TABLE L3 Ethernet0 L3_TABLE ingress
- Update RULE_5 using acl_1.json
root@sonic:~# config acl update full acl_1.json
root@sonic:~# show acl rule
Table Rule Priority Action Match
-------- ------------ ---------- -------- -------------------
L3_TABLE RULE_5 9995 FORWARD DST_IP: 30.0.0.2/32
ETHER_TYPE: 2048
L4_DST_PORT: 4657
L4_SRC_PORT: 4656
SRC_IP: 20.0.0.2/32
L3_TABLE DEFAULT_RULE 1 DROP ETHER_TYPE: 2048
- Update RULE_6 using acl_2.json
root@sonic:~# config acl add rule acl_2.json
root@sonic:~# show acl rule
Table Rule Priority Action Match
-------- ------------ ---------- -------- -------------------
L3_TABLE RULE_5 9995 FORWARD DST_IP: 30.0.0.2/32
ETHER_TYPE: 2048
L4_DST_PORT: 4657
L4_SRC_PORT: 4656
SRC_IP: 20.0.0.2/32
L3_TABLE RULE_6 9994 FORWARD DST_IP: 30.0.0.3/32
ETHER_TYPE: 2048
L4_DST_PORT: 4659
L4_SRC_PORT: 4658
SRC_IP: 20.0.0.3/32
L3_TABLE DEFAULT_RULE 1 DROP ETHER_TYPE: 2048
- Delete the entire table and rules using "config acl remove table L3_TABLE"
root@sonic:~# config acl remove table L3_TABLE
root@sonic:~# show acl table
Name Type Binding Description Stage
------ ------ --------- ------------- -------
root@sonic:~# show acl rule
Table Rule Priority Action Match
------- ------ ---------- -------- -------
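As an added illustration (not code from sonic-utilities or from the reporter), the following Python models the CONFIG_DB ACL_TABLE and ACL_RULE entries in memory and contrasts the reported "update full" replace-all behaviour with the requested add/delete-single-rule commands and a cascading "remove table". It also includes an orphaned-rule audit, which is exactly the state the "show acl rule" output above shows after the table was removed. The function names, the in-memory dict and the rule field values are constructed for this example (the values mirror the issue's output); nothing here talks to Redis.

```python
"""Constructed in-memory model of CONFIG_DB ACL_TABLE / ACL_RULE entries.
Not sonic-utilities code; illustrates the semantics discussed in this issue."""
from copy import deepcopy

# Constructed rule bodies, mirroring the values in the issue's show acl rule output.
RULE_5 = {"PRIORITY": "9995", "PACKET_ACTION": "FORWARD", "ETHER_TYPE": "2048",
          "SRC_IP": "20.0.0.2/32", "DST_IP": "30.0.0.2/32",
          "L4_SRC_PORT": "4656", "L4_DST_PORT": "4657"}
RULE_6 = {"PRIORITY": "9994", "PACKET_ACTION": "FORWARD", "ETHER_TYPE": "2048",
          "SRC_IP": "20.0.0.3/32", "DST_IP": "30.0.0.3/32",
          "L4_SRC_PORT": "4658", "L4_DST_PORT": "4659"}
DEFAULT_RULE = {"PRIORITY": "1", "PACKET_ACTION": "DROP", "ETHER_TYPE": "2048"}


def rule_key(table, rule):
    # CONFIG_DB keys rules as ACL_RULE|<table>|<rule>
    return f"ACL_RULE|{table}|{rule}"


def table_of(key):
    return key.split("|")[1]


def new_db():
    return {"ACL_TABLE": {}, "ACL_RULE": {}}


def add_table(db, name, stage, ports, acl_type="L3"):
    db["ACL_TABLE"][name] = {"type": acl_type, "stage": stage,
                             "ports": list(ports), "policy_desc": name}


def rules_of(db, table):
    """Rule names attached to a table (what show acl rule would list for it)."""
    return sorted(k.split("|")[2] for k in db["ACL_RULE"] if table_of(k) == table)


def update_full(db, rules):
    """Behaviour reported in the issue: every existing rule is dropped and the
    rule set from the file replaces it. `rules` maps (table, rule) -> fields."""
    db["ACL_RULE"].clear()
    for (table, name), fields in rules.items():
        db["ACL_RULE"][rule_key(table, name)] = deepcopy(fields)


def add_rule(db, table, name, fields):
    """Requested 'config acl add rule' semantics: add one rule, leave the rest alone."""
    if table not in db["ACL_TABLE"]:
        raise KeyError(f"ACL table {table} does not exist")
    key = rule_key(table, name)
    if key in db["ACL_RULE"]:
        raise ValueError(f"{name} already exists in {table}; delete it first")
    db["ACL_RULE"][key] = deepcopy(fields)


def delete_rule(db, table, name):
    """Requested 'config acl delete rule' semantics: remove exactly one rule."""
    db["ACL_RULE"].pop(rule_key(table, name))


def remove_table(db, table):
    """Expected 'config acl remove table' semantics: removing the table also
    removes every rule that references it, so show acl rule has nothing left."""
    del db["ACL_TABLE"][table]
    for key in [k for k in db["ACL_RULE"] if table_of(k) == table]:
        del db["ACL_RULE"][key]


def orphaned_rules(db):
    """Audit check: rule entries whose table no longer exists. This is the state the
    issue shows after remove table; such rules are invisible in show acl table,
    so a config audit should flag them."""
    return sorted(k for k in db["ACL_RULE"] if table_of(k) not in db["ACL_TABLE"])


def demo():
    db = new_db()
    add_table(db, "L3_TABLE", "ingress", ["Ethernet0"])
    update_full(db, {("L3_TABLE", "RULE_5"): RULE_5,
                     ("L3_TABLE", "DEFAULT_RULE"): DEFAULT_RULE})
    after_first_full = rules_of(db, "L3_TABLE")
    # Second full update with a file carrying only RULE_6: RULE_5 disappears.
    update_full(db, {("L3_TABLE", "RULE_6"): RULE_6,
                     ("L3_TABLE", "DEFAULT_RULE"): DEFAULT_RULE})
    after_second_full = rules_of(db, "L3_TABLE")
    # Per-rule add keeps RULE_6 and brings RULE_5 back alongside it.
    add_rule(db, "L3_TABLE", "RULE_5", RULE_5)
    after_add = rules_of(db, "L3_TABLE")
    # Model the reported bug: table entry gone, rule entries left behind.
    leaky = deepcopy(db)
    del leaky["ACL_TABLE"]["L3_TABLE"]
    leaked = orphaned_rules(leaky)
    # Cascading removal leaves no rules and no orphans.
    remove_table(db, "L3_TABLE")
    return {"after_first_full": after_first_full, "after_second_full": after_second_full,
            "after_add": after_add, "leaked": leaked,
            "after_remove": rules_of(db, "L3_TABLE"), "clean": orphaned_rules(db)}


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:18s} {result}")
```

Running the module prints each step's rule list; the "leaked" step reproduces the issue's orphaned RULE_6 and DEFAULT_RULE entries, while "after_remove" and "clean" show the expected empty result.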
Additional information you deem important (e.g. issue happens only occasionally)
Suggested fix is provided in https://github.com/sonic-net/sonic-utilities/pull/2523
Output of show version
Same behavior in branch: 202205/master