ACL (Access Control List) Does Not Get Installed

Follow

Issue

After running the cl-acltool -i command, my access-list rule is not installed and no error is generated. Running iptables --list, ip6tables --list, ebtables --list or cl-acltool -L all shows that the rule was never installed.

Note: The preferred way to see which access control lists are installed is to use the cl-acltool command.

Environment

  • Cumulus Linux 1.5.x
  • Cumulus Linux 2.0.x

Root Cause

ACL policies must have each rule assigned to a particular rule category. The categories are iptables, ip6tables and ebtables rules under tags [iptables], [ip6tables], [ebtables] respectively.

Diagnostic Steps

  1. Check the policy.d folder:
    cumulus@switch:~$ cd /etc/cumulus/acl/policy.d
    cumulus@switch:/etc/cumulus/acl/policy.d$ ls
    00control_plane.rules 99control_plane_catch_all.rules test.rules cumulus@switch:/etc/cumulus/acl/policy.d$
  2. Check each .rules file and look for the particular rule that is not being installed:
    $ cat test.rules
    -A FORWARD -o swp1 -s 30.30.30.0/24 -j POLICE --set-mode KB --set-rate 1280 $

Resolution

Add the correct rule category to your rule and then run the Cumulus Linux cl-acltool -i command as described in the 2.0.x or 1.5.x documentation. In the particular case above there is no rule category in test.rules; since an IPv4 rule is desired, you can add [iptables] above the one rule in the test.rules.

Have more questions? Submit a request

Comments

Powered by Zendesk