sonic-net / sonic-buildimage

Scripts which perform an installable binary image build for SONiC

[GCU] [MA] ACL_RULE modifications are not applied #20378

Open okaravasi opened 1 month ago

okaravasi commented 1 month ago

Description

GCU modifications to the ACL_RULE path fail to be applied on multi-asic platforms. More specifically, the ACL_RULE is added per namespace but not applied to iptables, and thus the test case verification fails.

Failed tests:

(Automated test cases support for running in t2 topology is added via PR https://github.com/sonic-net/sonic-mgmt/pull/14070 )

Steps to reproduce the issue

  1. Apply the steps below on a multi-asic duthost.
  2. Create a file "add_acl_rule.json" to add a new rule in one asic namespace. An example below:

     [
       {
         "op": "add",
         "path": "/asic1/ACL_RULE",
         "value": {
           "NTP_ACL|TEST_DROP": {
             "IP_PROTOCOL": "17",
             "L4_DST_PORT": "123",
             "IP_TYPE": "IP",
             "PACKET_ACTION": "DROP",
             "PRIORITY": "9998",
             "SRC_IP": "9.9.9.9/32"
           }
         }
       }
     ]

  3. Apply the configuration change:

     sudo config apply-patch add_acl_rule.json

  4. Verify the ACL_RULE was created: sudo ip netns exec asic1 show acl rule
  5. Verify the ACL_RULE was added to iptables: sudo ip netns exec asic1 iptables -S

Describe the results you received

The rule was not seen in iptables cmd and functionality not applied.

Describe the results you expected

The rule should be visible in the running configuration as well as in iptables.

Additional information you deem important (e.g. issue happens only occasionally)

Issue happened only on multi-asic platform.

Output of show version

admin@ixre-egl-board9:~$ show version

SONiC Software Version: SONiC.HEAD.832829-nokia-master-bf8e2c9a7
SONiC OS Version: 12
Distribution: Debian 12.7
Kernel: 6.1.0-22-2-amd64
Build commit: bf8e2c9a7
Build date: Wed Sep 25 15:57:47 UTC 2024
Built by: gitlab-runner@wfrv-sonicbld06

Platform: x86_64-nokia_ixr7250e_36x400g-r0
HwSKU: Nokia-IXR7250E-36x400G
ASIC: broadcom
ASIC Count: 2
Serial Number: EAG2-02-045
Model Number: N/A
Hardware Revision: 56
Uptime: 13:50:23 up  5:23,  1 user,  load average: 1.65, 1.89, 1.89
Date: Fri 27 Sep 2024 13:50:23

okaravasi commented 1 month ago

Moving issue from sonic-utilities repo, here. Closing the original ticket (https://github.com/sonic-net/sonic-utilities/issues/3558) as duplicate.

xincunli-sonic commented 1 month ago

Cannot repro in MSFT lab

admin@str2-7250-lc1-2:~$ show ver

SONiC Software Version: SONiC.20220532.72
SONiC OS Version: 11
Distribution: Debian 11.9
Kernel: 5.10.0-23-2-amd64
Build commit: 7766169087
Build date: Fri Oct 4 00:15:40 UTC 2024
Built by: azureuser@98b2318ac000000

Platform: x86_64-nokia_ixr7250e_36x400g-r0
HwSKU: Nokia-IXR7250E-36x100G
ASIC: broadcom
ASIC Count: 2
Serial Number: NS220304200
Model Number: 3HE12578AARA01
Hardware Revision: 56
Uptime: 15:54:33 up 4 days, 19:56, 1 user, load average: 1.52, 1.65, 1.73
Date: Wed 09 Oct 2024 15:54:33

admin@str2-7250-lc1-2:~$ cat acl.json
[
    {
        "op": "add",
        "path": "/asic1/ACL_RULE",
        "value": {
            "NTP_ACL|TEST_DROP": {
                "IP_PROTOCOL": "17",
                "L4_DST_PORT": "123",
                "IP_TYPE": "IP",
                "PACKET_ACTION": "DROP",
                "PRIORITY": "9998",
                "SRC_IP": "9.9.9.9/32"
            }
        }
    }
]

admin@str2-7250-lc1-2:~$ sudo config apply-patch acl.json
sonic_yang(6):Note: Below table(s) have no YANG models: DHCP_SERVER
sonic_yang(6):Note: Below table(s) have no YANG models: LOGGER
sonic_yang(6):Note: Below table(s) have no YANG models: LOGGER
Patch Applier: asic1: Patch application starting.
Patch Applier: asic1: Patch: [{"op": "add", "path": "/ACL_RULE", "value": {"NTP_ACL|TEST_DROP": {"IP_PROTOCOL": "17", "L4_DST_PORT": "123", "IP_TYPE": "IP", "PACKET_ACTION": "DROP", "PRIORITY": "9998", "SRC_IP": "9.9.9.9/32"}}}]
Patch Applier: asic1 getting current config db.
Patch Applier: asic1: simulating the target full config after applying the patch.
Patch Applier: asic1: validating all JsonPatch operations are permitted on the specified fields
Patch Applier: asic1: validating target config does not have empty tables, since they do not show up in ConfigDb.
Patch Applier: asic1: sorting patch updates.
Patch Applier: The asic1 patch was converted into 1 change:
Patch Applier: asic1: applying 1 change in order:
Patch Applier:   * [{"op": "add", "path": "/ACL_RULE", "value": {"NTP_ACL|TEST_DROP": {"IP_PROTOCOL": "17", "L4_DST_PORT": "123", "IP_TYPE": "IP", "PACKET_ACTION": "DROP", "PRIORITY": "9998", "SRC_IP": "9.9.9.9/32"}}}]
Patch Applier: asic1: verifying patch updates are reflected on ConfigDB.
Patch Applier: asic1 patch application completed.
Patch applied successfully.

config db looks like:

    "asic1": {
        "ACL_RULE": {
            "NTP_ACL|TEST_DROP": {
                "IP_PROTOCOL": "17",
                "IP_TYPE": "IP",
                "L4_DST_PORT": "123",
                "PACKET_ACTION": "DROP",
                "PRIORITY": "9998",
                "SRC_IP": "9.9.9.9/32"
            }
        },

admin@str2-7250-lc1-2:~$ sudo ip netns exec asic1 show acl rule
Table    Rule       Priority    Action    Match               Status
-------  ---------  ----------  --------  ------------------  --------
NTP_ACL  TEST_DROP  9998        DROP      IP_PROTOCOL: 17     N/A
                                          IP_TYPE: IP
                                          L4_DST_PORT: 123
                                          SRC_IP: 9.9.9.9/32

admin@str2-7250-lc1-2:~$ sudo ip netns exec asic1 iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -s 240.127.1.3/32 -d 240.127.1.3/32 -j ACCEPT
-A INPUT -s 240.127.1.1/32 -d 240.127.1.3/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -p udp -m udp --dport 546:547 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT
-A INPUT -s 20.44.16.64/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 13.66.141.96/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 13.69.229.128/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 52.162.110.128/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 52.231.147.224/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 40.74.146.224/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 40.78.203.96/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 20.150.171.224/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 52.162.110.128/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 20.44.16.64/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 13.66.141.96/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 13.69.229.128/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 52.162.110.128/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 52.231.147.224/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 40.74.146.224/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 40.78.203.96/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 20.150.171.224/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 52.162.110.128/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 9.9.9.9/32 -p udp -m udp --dport 123 -j DROP
-A INPUT -d 10.1.0.1/32 -j DROP
-A INPUT -d 192.0.0.2/32 -j DROP
-A INPUT -d 10.3.146.0/32 -j DROP
-A INPUT -d 10.0.0.6/32 -j DROP
-A INPUT -d 10.0.0.10/32 -j DROP
-A INPUT -m ttl --ttl-lt 2 -j ACCEPT
-A INPUT -j DROP

okaravasi commented 1 month ago

@xincunli-sonic

After further debugging, the issue is happening only when trying to modify an existing ACL_RULE via apply-patch replace, and it is not seen when creating a new ACL_RULE. In that case, apply-patch recognizes 0 changes and, as a result, iptables shows out-of-date information.

So, after creating an ACL_RULE with the steps from description, as a next step please try to modify the newly created rule.

For example sending this patch:

[
    {
        "op": "replace",
        "path": "/asic1/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP",
        "value": "8.8.8.8/32"
    }
]

Output from the console shows the change was not recognized (the patch was converted into 0 changes):

Patch Applier: asic1: Patch application starting.
Patch Applier: asic1: Patch: [{"op": "replace", "path": "/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP", "value": "8.8.8.8/32"}]
Patch Applier: asic1 getting current config db.
Patch Applier: asic1: simulating the target full config after applying the patch.
Patch Applier: asic1: validating all JsonPatch operations are permitted on the specified fields
Patch Applier: asic1: validating target config does not have empty tables, since they do not show up in ConfigDb.
Patch Applier: asic1: sorting patch updates.
Patch Applier: The asic1 patch was converted into 0 changes.
Patch Applier: asic1: applying 0 changes in order.
Patch Applier: asic1: verifying patch updates are reflected on ConfigDB.
Patch Applier: asic1 patch application completed.
Patch applied successfully.

Also tried with operation "add", and the results were the same:

admin@ixre-egl-board41:~$ sudo config apply-patch acl_rule_replace
Patch Applier: asic1: Patch application starting.
Patch Applier: asic1: Patch: [{"op": "add", "path": "/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP", "value": "8.8.8.8/32"}]
Patch Applier: asic1 getting current config db.
Patch Applier: asic1: simulating the target full config after applying the patch.
Patch Applier: asic1: validating all JsonPatch operations are permitted on the specified fields
Patch Applier: asic1: validating target config does not have empty tables, since they do not show up in ConfigDb.
Patch Applier: asic1: sorting patch updates.
Patch Applier: The asic1 patch was converted into 0 changes.
Patch Applier: asic1: applying 0 changes in order.
Patch Applier: asic1: verifying patch updates are reflected on ConfigDB.
Patch Applier: asic1 patch application completed.
Patch applied successfully.

Entries in iptables -S still displayed the initial rule information; they were not updated.

arlakshm commented 6 days ago

@xincunli-sonic, can you please help triage this issue?

xincunli-sonic commented 1 day ago

Repro steps:

Create Acl rule

acla.json

[
    {
        "op": "add",
        "path": "/asic1/ACL_RULE",
        "value": {
            "NTP_ACL|TEST_DROP": {
                "IP_PROTOCOL": "17",
                "L4_DST_PORT": "123",
                "IP_TYPE": "IP",
                "PACKET_ACTION": "DROP",
                "PRIORITY": "9998",
                "SRC_IP": "9.9.9.9/32"
            }
        }
    }
]

aclp.json

[
    {
        "op": "replace",
        "path": "/asic1/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP",
        "value": "8.8.8.8/32"
    }
]

admin@str2-7250-lc1-2:~$ sudo config apply-patch acla.json 
Patch Applier: asic1: Patch application starting.
Patch Applier: asic1: Patch: [{"op": "add", "path": "/ACL_RULE", "value": {"NTP_ACL|TEST_DROP": {"IP_PROTOCOL": "17", "L4_DST_PORT": "123", "IP_TYPE": "IP", "PACKET_ACTION": "DROP", "PRIORITY": "9998", "SRC_IP": "9.9.9.9/32"}}}]
Patch Applier: asic1 getting current config db.
Patch Applier: asic1: simulating the target full config after applying the patch.
Patch Applier: asic1: validating all JsonPatch operations are permitted on the specified fields
Patch Applier: asic1: validating target config does not have empty tables,
                            since they do not show up in ConfigDb.
Patch Applier: asic1: sorting patch updates.
Patch Applier: The asic1 patch was converted into 1 change:
Patch Applier: asic1: applying 1 change in order:
Patch Applier:   * [{"op": "add", "path": "/ACL_RULE", "value": {"NTP_ACL|TEST_DROP": {"IP_PROTOCOL": "17", "L4_DST_PORT": "123", "IP_TYPE": "IP", "PACKET_ACTION": "DROP", "PRIORITY": "9998", "SRC_IP": "9.9.9.9/32"}}}]
Patch Applier: asic1: verifying patch updates are reflected on ConfigDB.
Patch Applier: asic1 patch application completed.
Patch applied successfully.
admin@str2-7250-lc1-2:~$ sudo config apply-patch aclp.json 
Patch Applier: asic1: Patch application starting.
Patch Applier: asic1: Patch: [{"op": "replace", "path": "/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP", "value": "8.8.8.8/32"}]
Patch Applier: asic1 getting current config db.
Patch Applier: asic1: simulating the target full config after applying the patch.
Patch Applier: asic1: validating all JsonPatch operations are permitted on the specified fields
Patch Applier: asic1: validating target config does not have empty tables,
                            since they do not show up in ConfigDb.
Patch Applier: asic1: sorting patch updates.
Patch Applier: The asic1 patch was converted into 1 change:
Patch Applier: asic1: applying 1 change in order:
Patch Applier:   * [{"op": "replace", "path": "/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP", "value": "8.8.8.8/32"}]
Patch Applier: asic1: verifying patch updates are reflected on ConfigDB.
Patch Applier: asic1 patch application completed.
Patch applied successfully.
admin@str2-7250-lc1-2:~$  sudo ip netns exec asic1 show acl rule
Table    Rule       Priority    Action    Match               Status
-------  ---------  ----------  --------  ------------------  --------
NTP_ACL  TEST_DROP  9998        DROP      IP_PROTOCOL: 17     N/A
                                          IP_TYPE: IP
                                          L4_DST_PORT: 123
                                          SRC_IP: 8.8.8.8/32
admin@str2-7250-lc1-2:~$  sudo ip netns exec asic1 iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -s 240.127.1.2/32 -d 240.127.1.2/32 -j ACCEPT
-A INPUT -s 240.127.1.1/32 -d 240.127.1.2/32 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -p udp -m udp --dport 546:547 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT
-A INPUT -s 20.44.16.64/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 13.66.141.96/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 13.69.229.128/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 52.162.110.128/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 52.231.147.224/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 40.74.146.224/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 40.78.203.96/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 20.150.171.224/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 52.162.110.128/27 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -d 10.20.8.199/32 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -d 10.212.64.1/32 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -d 10.212.64.2/32 -p tcp -m tcp --dport 8081 -j ACCEPT
-A INPUT -s 20.44.16.64/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 13.66.141.96/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 13.69.229.128/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 52.162.110.128/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 52.231.147.224/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 40.74.146.224/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 40.78.203.96/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 20.150.171.224/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 52.162.110.128/27 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -d 10.20.8.199/32 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -d 10.212.64.1/32 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -d 10.212.64.2/32 -p tcp -m tcp --dport 8090 -j ACCEPT
-A INPUT -s 9.9.9.9/32 -p udp -m udp --dport 123 -j DROP
-A INPUT -d 10.1.0.1/32 -j DROP
-A INPUT -d 192.0.0.2/32 -j DROP
-A INPUT -d 10.0.0.6/32 -j DROP
-A INPUT -d 10.0.0.10/32 -j DROP
-A INPUT -p icmp -m ttl --ttl-lt 2 -j ACCEPT
-A INPUT -p udp -m ttl --ttl-lt 2 -m udp --dport 1025:65535 -j ACCEPT
-A INPUT -p tcp -m ttl --ttl-lt 2 -m tcp --dport 1025:65535 -j ACCEPT
-A INPUT -j DROP

Check config db:

    "asic1": {
        "ACL_RULE": {
            "NTP_ACL|TEST_DROP": {
                "IP_PROTOCOL": "17",
                "IP_TYPE": "IP",
                "L4_DST_PORT": "123",
                "PACKET_ACTION": "DROP",
                "PRIORITY": "9998",
                "SRC_IP": "8.8.8.8/32"
            }
        },

Check syslog

admin@str2-7250-lc1-2:~$ sudo grep -F 8.8.8.8 /var/log/syslog
2024 Nov 19 00:29:26.189474 str2-7250-lc1-2 NOTICE GenericConfigUpdater: Patch Applier: asic1: Patch: [{"op": "replace", "path": "/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP", "value": "8.8.8.8/32"}]
2024 Nov 19 00:29:28.192324 str2-7250-lc1-2 NOTICE config: Patch Applier:   * [{"op": "replace", "path": "/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP", "value": "8.8.8.8/32"}]
2024 Nov 19 00:29:30.648647 str2-7250-lc1-2 NOTICE config: 'apply-patch' executed successfully for asic1 by [{'op': 'replace', 'path': '/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP', 'value': '8.8.8.8/32'}]
2024 Nov 19 00:29:30.648779 str2-7250-lc1-2 NOTICE config: Patch applied successfully for [{"op": "replace", "path": "/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP", "value": "8.8.8.8/32"}].
2024 Nov 19 00:30:30.984409 str2-7250-lc1-2 NOTICE GenericConfigUpdater: Patch Applier: asic1: Patch: [{"op": "replace", "path": "/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP", "value": "8.8.8.8/32"}]
2024 Nov 19 00:30:38.490914 str2-7250-lc1-2 NOTICE GenericConfigUpdater: Patch Applier: asic1: Patch: [{"op": "replace", "path": "/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP", "value": "8.8.8.8/32"}]
2024 Nov 19 00:30:40.848050 str2-7250-lc1-2 NOTICE config: 'apply-patch' executed successfully for asic1 by [{'op': 'replace', 'path': '/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP', 'value': '8.8.8.8/32'}]
2024 Nov 19 00:30:40.848161 str2-7250-lc1-2 NOTICE config: Patch applied successfully for [{"op": "replace", "path": "/ACL_RULE/NTP_ACL|TEST_DROP/SRC_IP", "value": "8.8.8.8/32"}].

Check sairedis

admin@str2-7250-lc1-2:/var/log/swss$ grep -F 8.8.8.8 swss.asic1.rec
2024-11-19.00:29:28.675297|ACL_RULE|NTP_ACL|TEST_DROP|SET|IP_PROTOCOL:17|IP_TYPE:IP|L4_DST_PORT:123|PACKET_ACTION:DROP|PRIORITY:9998|SRC_IP:8.8.8.8/32

So, the config db has been changed, and the acl rule changed too, but iptables did not change. @arlakshm, would you mind helping to take a look further? Thanks!
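The last reproduction leaves CONFIG_DB and the ACL at 8.8.8.8/32 while iptables still carries 9.9.9.9/32. The check below, an added illustration and not SONiC or caclmgrd code, reduces a namespace's `iptables -S` output and its CONFIG_DB ACL_RULE table to comparable tuples and reports exactly that kind of stale rule; it assumes the field-to-iptables mapping seen in this thread (SRC_IP, IP_PROTOCOL, L4_DST_PORT, PACKET_ACTION onto `-A INPUT ... -j`), and both sample inputs are constructed from the thread's values.

```python
"""Drift check between CONFIG_DB ACL_RULE entries and the iptables rules in
one ASIC namespace. Added illustration, not SONiC/caclmgrd code: it maps only
the fields the thread's rule uses to the `-A INPUT ... -j` form seen above."""
import json

# Constructed sample: asic1 CONFIG_DB fragment after the replace patch moved
# SRC_IP from 9.9.9.9/32 to 8.8.8.8/32.
CONFIG_DB_ASIC1 = json.loads("""{
  "ACL_RULE": {
    "NTP_ACL|TEST_DROP": {
      "IP_PROTOCOL": "17", "IP_TYPE": "IP", "L4_DST_PORT": "123",
      "PACKET_ACTION": "DROP", "PRIORITY": "9998", "SRC_IP": "8.8.8.8/32"
    }
  }
}""")

# Constructed sample: excerpt of `ip netns exec asic1 iptables -S` that still
# carries the pre-patch 9.9.9.9/32 rule, i.e. the symptom reported above.
IPTABLES_S_ASIC1 = """\
-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 179 -j ACCEPT
-A INPUT -s 9.9.9.9/32 -p udp -m udp --dport 123 -j DROP
-A INPUT -j DROP
"""

PROTO_NAMES = {"6": "tcp", "17": "udp"}  # IP_PROTOCOL number -> iptables -p name

def parse_iptables_s(text):
    """Reduce each `-A INPUT` line to a (src, proto, dport, target) tuple."""
    rules = set()
    for line in text.splitlines():
        toks = line.split()
        if toks[:2] != ["-A", "INPUT"]:
            continue
        # value following a flag, or None when the flag is absent
        def opt(flag):
            return toks[toks.index(flag) + 1] if flag in toks else None
        rules.add((opt("-s"), opt("-p"), opt("--dport"), opt("-j")))
    return rules

def expected_tuple(rule):
    """(src, proto, dport, target) an ACL_RULE entry should produce (IPv4 only)."""
    return (rule.get("SRC_IP"), PROTO_NAMES.get(rule.get("IP_PROTOCOL")),
            rule.get("L4_DST_PORT"), rule.get("PACKET_ACTION"))

def find_drift(config_db, iptables_text):
    """Map each ACL_RULE key whose exact rule is missing from iptables to
    (expected tuple, stale sources): installed rules equal on protocol,
    port and action but carrying a different SRC_IP, i.e. the old value."""
    installed = parse_iptables_s(iptables_text)
    drift = {}
    for key, rule in config_db.get("ACL_RULE", {}).items():
        exp = expected_tuple(rule)
        if exp in installed:
            continue
        stale = sorted(r[0] for r in installed
                       if r[0] and r[1:] == exp[1:] and r[0] != exp[0])
        drift[key] = (exp, stale)
    return drift

if __name__ == "__main__":
    for key, (exp, stale) in find_drift(CONFIG_DB_ASIC1, IPTABLES_S_ASIC1).items():
        print(f"{key}: expected {exp} not installed; stale SRC_IP(s): {stale}")
```

On a device, feed `find_drift` the namespace's ACL_RULE table and the text of `sudo ip netns exec asic1 iptables -S` after each apply-patch; an empty result means iptables caught up with CONFIG_DB.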