Solved

Applying acl failed when LOG option configured


Hi,

I have a question about an acl rule in Cumulus Linux 3.6.1.
I want to deny all access from the host (10.30.220.213) and generate logs.
I'm trying to apply the acl with the following iptables rules:
root@Backpack-1_lc101:mgmt-vrf:~# cat /etc/cumulus/acl/policy.d/41eth0_login.rules
[iptables]
-A INPUT -s 10.30.220.213/32 -j LOG
-A INPUT -s 10.30.220.213/32 -j DROP
-A INPUT -j ACCEPT

However, it cannot apply the acl and fails with the following error:
root@Backpack-1_lc101:mgmt-vrf:~# cl-acltool -i
Reading rule file /etc/cumulus/acl/policy.d/00control_plane.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/00control_plane.rules ...
Reading rule file /etc/cumulus/acl/policy.d/41eth0_login.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/41eth0_login.rules ...
Reading rule file /etc/cumulus/acl/policy.d/99control_plane_catch_all.rules ...
Processing rules in file /etc/cumulus/acl/policy.d/99control_plane_catch_all.rules ...
Installing acl policy
error: hw sync failed (sync_acl hardware installation failed)
Rolling back ..
failed.
root@Backpack-1_lc101:mgmt-vrf:~#

It seems that the LOG option has something to do with the error, because the iptables rules applied correctly when I commented out the second line of the file:
# -A INPUT -s 10.30.220.213/32 -j LOG

I looked up the error message "hw sync failed (sync_acl hardware installation failed)" in the log message reference, and it says:
"Hardware offload of ACL rule set failed, typically due to TCAM resource exhaustion and/or unsupported rules."
There are only three entries, so there should be enough room in the TCAM; I wonder whether the way I wrote the acl rule may be unsupported.
Does anyone have any idea how to write iptables rules with the LOG option?

Regards,
icon

Best answer by Pete B 11 July 2018, 19:42

Hi @Yoatsmagoats LOG actions are supported only for ingress interfaces. Can you try adding a --in-interface match as well to the LOG/DROP rules and let us know whether that works? Thanks!


Hi @Pete B !
Thanks for the reply.
I tried as you said and it went pretty well.
root@Backpack-1_lc101:mgmt-vrf:~# cat /etc/cumulus/acl/policy.d/41eth0_login.rules
[iptables]
-A INPUT -i mgmt -s 10.30.220.213/32 -j LOG
-A INPUT -i mgmt -s 10.30.220.213/32 -j DROP
-A INPUT -j ACCEPT

Drop logs were generated in /var/log/syslog.

Thanks Pete!
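As an added example (not from this thread and not a Cumulus tool), a small POSIX shell lint that flags LOG rules in a policy.d rules file that lack the -i / --in-interface ingress match Pete's answer calls for, so the mistake is caught before cl-acltool -i fails and rolls back. It assumes the file layout shown above (a [iptables] section header followed by one rule per line); the function name lint_log_rules and the sample file it builds are mine.

```shell
#!/bin/sh
# lint_log_rules FILE
# Flags every rule in the [iptables] / [ip6tables] sections of a Cumulus
# policy.d file that jumps to LOG without an ingress-interface match
# (-i or --in-interface). Per the thread, LOG is only supported for ingress
# interfaces, and such a rule makes "cl-acltool -i" fail with "hw sync failed".
# Prints each offending rule; returns 0 when the file is clean, 1 otherwise.
lint_log_rules() {
    file="$1"
    bad=0
    section=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;                 # blank line or comment
            \[*\]) section="$line"; continue ;; # section header, e.g. [iptables]
        esac
        case "$section" in
            '[iptables]'|'[ip6tables]') ;;      # only these sections matter here
            *) continue ;;
        esac
        # Pad with spaces so " -j LOG " also matches at the end of the line.
        case " $line " in
            *' -j LOG '*) ;;                    # this is a LOG rule
            *) continue ;;
        esac
        case " $line " in
            *' -i '*|*' --in-interface '*|*' --in-interface='*) ;;  # has ingress match
            *) printf 'LOG rule without -i/--in-interface in %s: %s\n' \
                   "$section" "$line"
               bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Demo on a constructed copy of the failing rules file from the thread
# (a temp file, not the real /etc/cumulus/acl/policy.d file).
demo_file=$(mktemp)
printf '%s\n' '[iptables]' \
    '-A INPUT -s 10.30.220.213/32 -j LOG' \
    '-A INPUT -s 10.30.220.213/32 -j DROP' \
    '-A INPUT -j ACCEPT' > "$demo_file"
if lint_log_rules "$demo_file"; then
    echo "clean: safe to run cl-acltool -i"
else
    echo "fix the rules above before running cl-acltool -i"
fi
rm -f "$demo_file"
```

Run it as a pre-flight check (lint_log_rules /etc/cumulus/acl/policy.d/41eth0_login.rules) before cl-acltool -i; a non-zero exit means at least one LOG rule still needs the ingress match.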
Great, glad it worked out @Yoatsmagoats !
