Cisco Bug: CSCuq07716 - netio crashes when filtering ACL with object-groups
Sep 17, 2019
- Cisco Carrier Routing System
Known Affected Releases
Symptom: netio crashes when filtering a slow-path packet with an ACL.

Conditions: Conditions (1), (3), (4) and (5) must all be TRUE. Condition (2) is optional.

(1) An ACL (ipv4 or ipv6) is applied on an interface.
(2) The ACL optionally contains the "log" keyword. Note that the "log" keyword is NOT a required condition. It merely increases the chance that a packet filtered by hardware is sent to netio for slow-path ACL matching, because "log" triggers the ACL to generate a console log for the filtered packet, and the generation and delivery of such a console log involves ACL logic in netio. There are other conditions where a packet is sent to netio without any ACE with the "log" keyword.
(3) The ACL has been previously edited. Specifically, a non-remark ACE is changed to a remark ACE as a result of this edit. This is the single most important trigger of this bug.
(4) A packet that matches the previously non-remark ACE is filtered by the slow path, i.e. it is sent to netio for slow-path processing.
(5) The ACL must contain an object-group, and/or it is applied with compression (the compression level is 1 or 3, not 0).