COPP with ~350 rules take more than 10 min to install at iptables #5275
Comments
Issue in 2019 release, causing degradation in performance.
@abdosi: It appears this regression occurred with the introduction of multi-ASIC support in caclmgrd. Can you please investigate?
Thanks for the clarification, @abdosi. I believe I misinterpreted the issue description. I'll continue to investigate. I have been considering bringing back the update thread for a while to speed up updates by preventing unnecessary updates. I think it is time.
@Ezrickd: I see you provided the ACL tables and rules output from the CLI, but can you please also provide the ACL configuration being used (you can simply provide the entire config_db.json file if that is acceptable for you). This will help me reproduce the issue.
@Ezrickd Is this issue a regression or a history one?
@Ezrickd can you run your test again on latest 201911 and post the result?
Sonic switch running 201911 build commit f6a8678.
The switch has 4 tables, 2 for IPv4 and 2 for IPv6; for each there are two protocols, SSH & SNMP.
When doing a config reload and checking `iptables -L -v -n --line-number`, we see the list of rules go up and down, as if the table is flushed for every rule that is installed. I can see the same in the syslog file: rules are inserted into iptables again and again....
It takes the device more than 10 min to install all rules, and during this time you can access the device though the rule applied is Drop,
until the rule table is synced with iptables.
I have used an old caclmgrd config file and the issue is resolved, so ~350 rules are installed instantly.
The file was taken from an old post, which has been updated by now:
https://github.com/Azure/sonic-buildimage/blob/master/files/image_config/caclmgrd/caclmgrd
Attached is a show from the terminal displaying the iptables number going up and down, and also the syslog file that displays the insertion of the rules.
Attached are the rules & tables from config_db.json.
Attached is the old caclmgrd file that resolves the issue.
ACL_Rule & Table .txt
iptables_line number.txt
log_iptables .txt
old caclmgrd file taken from git .txt
caclmgrd_comes with onic hash f6a8678d.txt