[acl-loader]: do not add default deny rule for egress acl #1531
Conversation
Signed-off-by: Guohan Lu <[email protected]>
This pull request introduces 1 alert when merging 1b952e7 into 4d89510 - view on LGTM.com new alerts:
@lguohan, @qiluo-msft can you please provide info on why these changes happened (HLD, some other doc)? After this, test_unmatched_blocked (which expects that all unmatched egress traffic will be automatically blocked) started failing.
@SavchukRomanLv Sorry for the inconvenience. We have a use case where one physical port belongs to 2 VLANs and there are multiple egress ACL tables bound to the same port; actually, each ACL table only has ACL rules matching one VLAN ID. If all unmatched egress traffic is automatically dropped, the first table will drop the remaining traffic on one VLAN and all traffic on the other VLAN. To quickly fix this issue, we expect the user to provide explicit drop rules at the end of each ACL table, and we removed the default drop rule. Please be aware that in the current implementation we translate an egress ACL table bound to a VLAN into egress ACL tables bound to each port in that VLAN.
@qiluo-msft @lguohan is there a plan to change the sonic-mgmt test expectations?
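The interaction described in the comment above, as an added worked model (not sonic-utilities or acl-loader code): two egress ACL tables bound to the same port, each carrying rules for one VLAN. It assumes, as a simplification, that tables bound to a port are consulted in binding order and the first table that reaches a verdict wins, that a table with no matching rule and no implicit deny reaches no verdict, and that the port forwards traffic no table decided on. Table names, rule fields and packets are all constructed for the example. It shows the three states the thread discusses: the implicit per-table deny dropping the second VLAN's traffic, the default-permit behaviour once that deny is removed (what test_unmatched_blocked catches), and the fix of an explicit VLAN-scoped DROP at the end of each table, plus a check that flags tables missing that terminal rule.

```python
"""Model of several egress ACL tables bound to one port (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FORWARD, DROP = "FORWARD", "DROP"


@dataclass(frozen=True)
class Packet:
    vlan: int
    dst_ip: str


@dataclass(frozen=True)
class Rule:
    action: str
    vlan: Optional[int] = None    # None matches any VLAN
    dst_ip: Optional[str] = None  # None matches any destination

    def matches(self, pkt: Packet) -> bool:
        return (self.vlan is None or self.vlan == pkt.vlan) and (
            self.dst_ip is None or self.dst_ip == pkt.dst_ip)


@dataclass
class AclTable:
    name: str
    rules: List[Rule]
    default_deny: bool  # loader appends an implicit catch-all DROP (pre-PR behaviour)

    def lookup(self, pkt: Packet) -> Optional[str]:
        """First matching rule wins; None means this table reached no verdict."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return DROP if self.default_deny else None


def egress_verdict(tables: List[AclTable], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Assumption: tables are consulted in binding order, first verdict wins,
    and traffic no table decided on is forwarded by the port."""
    for table in tables:
        verdict = table.lookup(pkt)
        if verdict is not None:
            return verdict, table.name
    return FORWARD, None


def build_tables(explicit_deny: bool, default_deny: bool) -> List[AclTable]:
    """One egress table per VLAN, both bound to the same port (constructed)."""
    def per_vlan(vlan: int, allowed_dst: str) -> List[Rule]:
        rules = [Rule(FORWARD, vlan=vlan, dst_ip=allowed_dst)]
        if explicit_deny:
            rules.append(Rule(DROP, vlan=vlan))  # terminal drop scoped to this VLAN only
        return rules
    return [
        AclTable("EGRESS_VLAN10", per_vlan(10, "10.0.0.1"), default_deny),
        AclTable("EGRESS_VLAN20", per_vlan(20, "10.0.0.2"), default_deny),
    ]


# Constructed traffic: one permitted and one unmatched flow per VLAN.
PACKETS = {
    "vlan10_allowed": Packet(10, "10.0.0.1"),
    "vlan10_other": Packet(10, "10.0.0.9"),
    "vlan20_allowed": Packet(20, "10.0.0.2"),
    "vlan20_other": Packet(20, "10.0.0.9"),
}


def verdicts(explicit_deny: bool, default_deny: bool) -> dict:
    tables = build_tables(explicit_deny, default_deny)
    return {name: egress_verdict(tables, pkt)[0] for name, pkt in PACKETS.items()}


def missing_explicit_deny(tables: List[AclTable]) -> List[str]:
    """Operator check: with the implicit deny gone, every egress table must end in
    a DROP rule that matches anything else in its VLAN (dst_ip wildcard)."""
    bad = []
    for table in tables:
        last = table.rules[-1] if table.rules else None
        if table.default_deny:
            continue
        if last is None or last.action != DROP or last.dst_ip is not None:
            bad.append(table.name)
    return bad


if __name__ == "__main__":
    for label, args in [("implicit deny (old loader)", (False, True)),
                        ("no deny at all", (False, False)),
                        ("explicit per-VLAN deny", (True, False))]:
        print(label, verdicts(*args))
    print("tables lacking a terminal DROP:", missing_explicit_deny(build_tables(False, False)))
```

Running it shows the symptom from the thread under the old behaviour: vlan20_allowed is dropped by EGRESS_VLAN10 before its own table is ever consulted. With the implicit deny removed and no explicit rule, every unmatched flow is forwarded, which is exactly the condition test_unmatched_blocked asserts against; the VLAN-scoped terminal DROP in each table restores per-VLAN default deny without one table shadowing the other.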
* fc80eeb 2021-03-28 | [acl-loader]: do not add default deny rule for egress acl (sonic-net#1531) (HEAD, origin/201911) [lguohan] Signed-off-by: Guohan Lu <[email protected]>
What I did
do not add default deny rule for egress acl
How I did it
How to verify it
tbd
Previous command output (if the output of a command-line utility has changed)
New command output (if the output of a command-line utility has changed)