COPP with ~350 rules take more than 10 min to install at iptables #5275

Closed
Ezrickd opened this issue Aug 30, 2020 · 9 comments · Fixed by #5312 or #5621

Ezrickd commented Aug 30, 2020

Sonic switch running 201911 build, commit f6a8678.
The switch has 4 tables, 2 for IPv4 and 2 for IPv6; for each there are two protocols, SSH & SNMP.
When we do a config reload and check iptables -L -v -n --line-number, we see the list of rules go up and down, as if the table is flushed for every rule that is installed. I can see the same in the syslog file: rules are inserted into iptables again and again....

It takes the device more than 10 min to install all rules, and during this time you can access the device even though the applied rule is Drop,
until the rule table is synced with iptables.

I have used an old caclmgrd config file and the issue is resolved, so ~350 rules are installed instantly.
The file was taken from an old post, which has been updated by now.

https://github.com/Azure/sonic-buildimage/blob/master/files/image_config/caclmgrd/caclmgrd

Attached is the show output from the terminal displaying the iptables number going up and down, and also the syslog file that displays the insertion of the rules.

Attached are the rules & tables from config_db.json.
Attached is the old caclmgrd file that resolves the issue.

ACL_Rule & Table .txt
iptables_line number.txt
log_iptables .txt
old caclmgrd file taken from git .txt
caclmgrd_comes with onic hash f6a8678d.txt

@anshuv-mfst

Issue in 2019 release, causing degradation in performance.

Contributor

jleveque commented Sep 2, 2020

@abdosi: It appears this regression occurred with the introduction of multi-ASIC support in caclmgrd. Can you please investigate?

jleveque assigned abdosi and unassigned jleveque Sep 2, 2020
Contributor

abdosi commented Sep 2, 2020

@jleveque It is not with multi-asic changes. Issue is coming with "caclmgrd_comes with onic hash f6a8678.txt" which does not have multi-asic changes.

It is working with "old caclmgrd file taken from git .txt", which is pretty old code where we have a different thread to do processing.

Contributor

jleveque commented Sep 2, 2020

Thanks for the clarification, @abdosi. I believe I misinterpreted the issue description. I'll continue to investigate. I have been considering bringing back the update thread for a while to speed up updates by preventing unnecessary updates. I think it is time.

Contributor

jleveque commented Sep 10, 2020

@Ezrickd: I see you provided the ACL tables and rules output from the CLI, but can you please also provide the ACL configuration being used (you can simply provide the entire config_db.json file if that is acceptable for you). This will help me reproduce the issue.

Author

Ezrickd commented Sep 11, 2020 via email

@qiluo-msft
Collaborator

@Ezrickd Is this issue a regression or a history one?
If regression, do you have a good version under comparison?

Contributor

abdosi commented Oct 15, 2020

@Ezrickd can you run your test again on the latest 201911 and post the result?

cc @jleveque @liat-grozovik

Contributor

jleveque commented Oct 15, 2020

@Ezrickd: I will also be merging #5312 soon. I would also like you to take another measurement after those changes merge as well for comparison.
