Issue
After running the cl-acltool -i command, my access-list rule is not installed and no error is generated. Running iptables --list, ip6tables --list, ebtables --list or cl-acltool -L all shows that the rule was never installed.
Note: The preferred way to see which access control lists are installed is to use the cl-acltool command.
Environment
- Cumulus Linux 1.5.x
- Cumulus Linux 2.0.x
Root Cause
ACL policies must have each rule assigned to a particular rule category. The categories are iptables, ip6tables and ebtables rules under tags [iptables], [ip6tables], [ebtables] respectively.
Diagnostic Steps
- Check the policy.d folder:
cumulus@switch:~$ cd /etc/cumulus/acl/policy.d
cumulus@switch:/etc/cumulus/acl/policy.d$ ls
00control_plane.rules 99control_plane_catch_all.rules test.rules cumulus@switch:/etc/cumulus/acl/policy.d$ - Check each
.rulesfile and look for the particular rule that is not being installed:
$ cat test.rules
-A FORWARD -o swp1 -s 30.30.30.0/24 -j POLICE --set-mode KB --set-rate 1280 $
Resolution
Add the correct rule category to your rule and then run the Cumulus Linux cl-acltool -i command as described in the 2.0.x or 1.5.x documentation. In the particular case above there is no rule category in test.rules; since an IPv4 rule is desired, you can add [iptables] above the one rule in the test.rules.
Comments