I have a question about acl rule in Cumulus Linux 3.6.1.
I want to deny all access from the host(10.30.220.213) and generate logs.
I'm trying to apply acl with the following iptables:
root@Backpack-1_lc101:mgmt-vrf:~# cat /etc/cumulus/acl/policy.d/41eth0_login.rules
-A INPUT -s 10.30.220.213/32 -j LOG
-A INPUT -s 10.30.220.213/32 -j DROP
-A INPUT -j ACCEPT
However, it cannot apply the ACL and fails with the following error:
root@Backpack-1_lc101:mgmt-vrf:~# cl-acltool -i
Reading rule file /etc/cumulus/acl/policy.d/00control_plane.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/00control_plane.rules ...
Reading rule file /etc/cumulus/acl/policy.d/41eth0_login.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/41eth0_login.rules ...
Reading rule file /etc/cumulus/acl/policy.d/99control_plane_catch_all.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/99control_plane_catch_all.rules ...
Installing acl policy
error: hw sync failed (sync_acl hardware installation failed)
Rolling back ..
It seems that the LOG option has something to do with the error, because the iptables rules applied correctly when I commented out the second line of iptables.
# -A INPUT -s 10.30.220.213/32 -j LOG
I looked up the error message "hw sync failed (sync_acl hardware installation failed)" in the log message reference and it says:
"Hardware offload of ACL rule set failed, typically due to TCAM resource exhaustion and/or unsupported rules."
There are only three entries, so there should be enough room in the TCAM, so I wonder if the way I write the ACL rule may be unsupported.
Does anyone have any idea how to write iptables rules with the LOG option?
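The following is an added example, not part of the original question or of Cumulus Linux's tooling. It does not address the hardware-offload error itself; it only covers the plain iptables side of a "log then drop" policy file such as the one above. It parses policy.d-style `-A` lines and flags the three things a practitioner usually wants checked on a LOG rule: a `--log-prefix` so the syslog entries can be attributed, an `-m limit` rate limit so a flood from the denied host does not also flood the log, and a terminating rule (DROP/REJECT/ACCEPT) for the same match immediately after the non-terminating LOG. The rule file contents, the `log_drop_pair` helper and the prefix/rate values are constructed for the example; `--log-prefix`, `--log-level` and `-m limit --limit/--limit-burst` are standard iptables options.

```python
"""Lint iptables -A lines of the kind kept in a Cumulus policy.d rules file.

Added example (not project code). Checks LOG rules for a prefix, a rate limit
and a following terminating rule with the same match.
"""
import shlex
from dataclasses import dataclass
from typing import List, Tuple

# Targets that end rule evaluation for a packet in the chain.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

# Constructed input: the rules from the question, verbatim.
ORIGINAL_RULES = """\
-A INPUT -s 10.30.220.213/32 -j LOG
-A INPUT -s 10.30.220.213/32 -j DROP
-A INPUT -j ACCEPT
"""


@dataclass(frozen=True)
class Rule:
    lineno: int
    chain: str
    match: Tuple[str, ...]        # tokens between the chain name and -j
    target: str
    target_opts: Tuple[str, ...]  # tokens after the target, e.g. --log-prefix ...


def parse_rules(text: str) -> List[Rule]:
    """Parse '-A CHAIN <match> -j TARGET <opts>' lines; blank and '#' lines are skipped."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out rule is not installed, as in the question
        toks = shlex.split(line)  # honours quoting in --log-prefix "..."
        if len(toks) < 4 or toks[0] != "-A" or "-j" not in toks:
            raise ValueError(f"line {n}: expected '-A CHAIN ... -j TARGET': {line}")
        j = toks.index("-j")
        rules.append(Rule(n, toks[1], tuple(toks[2:j]), toks[j + 1], tuple(toks[j + 2:])))
    return rules


def has_module(match: Tuple[str, ...], name: str) -> bool:
    """True if the match part loads '-m <name>'."""
    return any(match[i] == "-m" and match[i + 1] == name for i in range(len(match) - 1))


def without_module(match: Tuple[str, ...], name: str) -> Tuple[str, ...]:
    """Drop '-m <name>' and its '--<name>*' option/value pairs so matches can be compared."""
    out, i = [], 0
    while i < len(match):
        if match[i] == "-m" and i + 1 < len(match) and match[i + 1] == name:
            i += 2
            while i < len(match) and match[i].startswith(f"--{name}"):
                i += 2  # assumption: every --<name>* option takes exactly one value
            continue
        out.append(match[i])
        i += 1
    return tuple(out)


def lint(text: str) -> List[str]:
    """Return human-readable findings for every LOG rule in the file."""
    rules = parse_rules(text)
    findings = []
    for i, r in enumerate(rules):
        if r.target != "LOG":
            continue
        if "--log-prefix" not in r.target_opts:
            findings.append(f"line {r.lineno}: LOG without --log-prefix; syslog entries cannot be attributed to this rule")
        if not has_module(r.match, "limit"):
            findings.append(f"line {r.lineno}: LOG without -m limit; a flood from the matched source floods the log")
        nxt = rules[i + 1] if i + 1 < len(rules) else None
        paired = (nxt is not None and nxt.chain == r.chain and nxt.target in TERMINATING
                  and without_module(nxt.match, "limit") == without_module(r.match, "limit"))
        if not paired:
            findings.append(f"line {r.lineno}: LOG is non-terminating and no DROP/REJECT/ACCEPT for the same match follows it")
    return findings


def log_drop_pair(chain: str, src: str, prefix: str, rate: str = "5/min", burst: int = 10) -> List[str]:
    """Constructed hardened form: rate-limited, prefixed LOG followed by DROP for the same source."""
    return [
        f'-A {chain} -s {src} -m limit --limit {rate} --limit-burst {burst} '
        f'-j LOG --log-prefix "{prefix}" --log-level 4',
        f"-A {chain} -s {src} -j DROP",
    ]


# Constructed hardened version of the question's file.
HARDENED_RULES = "\n".join(log_drop_pair("INPUT", "10.30.220.213/32", "ACL-DENY-HOST: ")
                           + ["-A INPUT -j ACCEPT"]) + "\n"

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_RULES), ("hardened", HARDENED_RULES)):
        print(f"== {name} ==")
        print(text, end="")
        for f in lint(text) or ["no findings"]:
            print("  ", f)
```

Run it as a script to see the question's file flagged twice (no prefix, no rate limit; the LOG/DROP pairing is already correct) and the hardened file pass clean. Keep `--log-prefix` under iptables' 29-character limit, and note that whether a LOG rule in a given chain can be offloaded to hardware is a Cumulus question this linter does not answer.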
Best answer by Pete B