Fix traceback issue when running caclmgrd

[ZhaohuiS]

#9824 was reported because some iptables rules are not cleaned during scale cacl rules test.
The change is to fix this issue.

Signed-off-by: Zhaohui Sun [email protected]

Why I did it

To fix the traceback reported in #9824

traceback found in /var/log/syslog

WARNING swss2#orchagent: :- removeAclRule: Skip removing rule RULE_11 from ACL table NTP_ACL. Table does not exist

INFO caclmgrd[22796]: Exception in thread Thread-9:
INFO caclmgrd[22796]: Traceback (most recent call last):
INFO caclmgrd[22796]:   File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
INFO caclmgrd[22796]:     self.run()
INFO caclmgrd[22796]:   File "/usr/lib/python2.7/threading.py", line 754, in run
INFO caclmgrd[22796]:     self.__target(*self.__args, **self.__kwargs)
INFO caclmgrd[22796]:   File "/usr/bin/caclmgrd", line 618, in check_and_update_control_plane_acls
INFO caclmgrd[22796]:     self.update_control_plane_acls(namespace)
INFO caclmgrd[22796]:   File "/usr/bin/caclmgrd", line 574, in update_control_plane_acls
INFO caclmgrd[22796]:     self.update_control_plane_nat_acls(namespace, service_to_source_ip_map)
INFO caclmgrd[22796]:   File "/usr/bin/caclmgrd", line 584, in update_control_plane_nat_acls
INFO caclmgrd[22796]:     iptables_cmds = self.generate_fwd_traffic_from_namespace_to_host_commands(namespace, 
INFO caclmgrd[22796]:   File "/usr/bin/caclmgrd", line 305, in generate_fwd_traffic_from_namespace_to_host_commands
INFO caclmgrd[22796]:     nat_source_ipv4_set = acl_source_ip_map[acl_service]["ipv4"] if acl_source_ip_map and lse { "0.0.0.0/0" }
INFO caclmgrd[22796]: KeyError: 'SSH'
INFO caclmgrd[22796]: Exception in thread Thread-8:
INFO caclmgrd[22796]: Traceback (most recent call last):

How I did it

• Add checks before reading acl_source_ip_map

How to verify it

Load multiple rules(50 rules for each cacl table) with json file on asic0:

sudo ip netns exec asic0 acl-loader update full /tmp/scale_cacl.json

check iptables rules are created on asci0

sudo ip netns exec asic0 iptables -S

Copy, past and run the following commands on DUTs:

sudo ip netns exec asic0 acl-loader delete SSH_ONLY
sudo ip netns exec asic0 acl-loader delete SNMP_ACL
sudo ip netns exec asic0 acl-loader delete NTP_ACL

check some iptables rules on asci0 if all cacl rules are deleted.

Which release branch to backport (provide reason below if selected)

• 201811
• 201911
• 202006
• 202012
• 202106

Description for the changelog

A picture of a cute animal (not mandatory but encouraged)

[bingwang-ms]

@trzhang-msft Could you help to review this change?
I don't think increasing the DELAY will fully address the issue. Do we need some improvement in design?

[prsunny]

@trzhang-msft Could you help to review this change? I don't think increasing the DELAY will fully address the issue. Do we need some improvement in design?

@bingwang-ms , this change was introduced long back - #5312. May be we should have this WA to unblock the issue and later plan for a design improvement.

[ZhaohuiS]

@bingwang-ms Leave interval as it is. Just fix the traceback issue in this PR. Could you please review it please?