Issue
After running the cl-acltool -i command, my access-list rule is not installed and no error is generated. Running iptables --list, ip6tables --list, ebtables --list or cl-acltool -L all shows that the rule was never installed.
Note: The preferred way to see which access control lists are installed is to use the cl-acltool command.
Environment
- Cumulus Linux 1.5.x
- Cumulus Linux 2.0.x
Root Cause
ACL policies must have each rule assigned to a particular rule category. The categories are iptables, ip6tables and ebtables rules, placed under the tags [iptables], [ip6tables] and [ebtables] respectively. A rule that appears in a .rules file before any category tag does not belong to a category and is not installed.
Diagnostic Steps
- Check the policy.d folder:
cumulus@switch:~$ cd /etc/cumulus/acl/policy.d
cumulus@switch:/etc/cumulus/acl/policy.d$ ls
00control_plane.rules 99control_plane_catch_all.rules test.rules
cumulus@switch:/etc/cumulus/acl/policy.d$
- Check each .rules file and look for the particular rule that is not being installed:
$ cat test.rules
-A FORWARD -o swp1 -s 30.30.30.0/24 -j POLICE --set-mode KB --set-rate 1280
$
Resolution
Add the correct rule category to your rule and then run the Cumulus Linux cl-acltool -i command as described in the 2.0.x or 1.5.x documentation. In the particular case above there is no rule category in test.rules; since an IPv4 rule is desired, add [iptables] on its own line above the one rule in test.rules.
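As an added example (not from this article or from Cumulus), the following Python checker parses the contents of a policy.d .rules file the way the root cause describes and flags any rule that sits above the first [iptables], [ip6tables] or [ebtables] tag, so a rule that cl-acltool -i would silently skip is caught before the policy is installed. The sample file contents are constructed to mirror the test.rules shown above; treating an unrecognised tag as no tag is this checker's own assumption.

```python
import re
from typing import Dict, List, Tuple

# Rule categories cl-acltool recognises; a rule outside one of these tagged
# sections is silently skipped, which is the failure this article describes.
CATEGORIES = ("iptables", "ip6tables", "ebtables")
TAG_RE = re.compile(r"^\[(\w+)\]$")

def check_rules(text: str) -> Tuple[Dict[str, List[str]], List[Tuple[int, str]]]:
    """Parse the body of one policy.d/*.rules file.

    Returns (installed, orphans): rules grouped by category, plus the
    (line number, rule) pairs that appear before any category tag and so
    would never be installed. An unrecognised tag is treated as no tag
    (an assumption of this checker, not documented cl-acltool behaviour)."""
    installed: Dict[str, List[str]] = {c: [] for c in CATEGORIES}
    orphans: List[Tuple[int, str]] = []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blank lines and comments
        tag = TAG_RE.match(line)
        if tag:
            current = tag.group(1) if tag.group(1) in CATEGORIES else None
            continue
        if current is None:
            orphans.append((lineno, line))
        else:
            installed[current].append(line)
    return installed, orphans

def report(name: str, text: str) -> bool:
    """Print a short verdict for one file; True if every rule is categorised."""
    installed, orphans = check_rules(text)
    for cat, rules in installed.items():
        print(f"{name}: {len(rules)} rule(s) under [{cat}]")
    for lineno, rule in orphans:
        print(f"{name}:{lineno}: no category tag, rule will NOT be installed: {rule}")
    return not orphans

# Constructed sample reproducing the test.rules from this article (no tag).
BROKEN_RULES = "-A FORWARD -o swp1 -s 30.30.30.0/24 -j POLICE --set-mode KB --set-rate 1280\n"
# The same rule with [iptables] added above it, as the resolution describes.
FIXED_RULES = "[iptables]\n" + BROKEN_RULES

if __name__ == "__main__":
    report("test.rules (before)", BROKEN_RULES)
    report("test.rules (after)", FIXED_RULES)
```

To check a real switch, read each file under /etc/cumulus/acl/policy.d and pass its contents to report() before running cl-acltool -i.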