diff --git a/orchagent/aclorch.cpp b/orchagent/aclorch.cpp index 114dc99ee6da..798a39fc9953 100644 --- a/orchagent/aclorch.cpp +++ b/orchagent/aclorch.cpp @@ -124,7 +124,8 @@ static const acl_capabilities_t defaultAclActionsSupported = ACL_STAGE_INGRESS, { SAI_ACL_ACTION_TYPE_PACKET_ACTION, - SAI_ACL_ACTION_TYPE_MIRROR_INGRESS + SAI_ACL_ACTION_TYPE_MIRROR_INGRESS, + SAI_ACL_ACTION_TYPE_NO_NAT } }, { diff --git a/tests/dvslib/dvs_acl.py b/tests/dvslib/dvs_acl.py index 41c588e738ab..2b48c3b76c61 100644 --- a/tests/dvslib/dvs_acl.py +++ b/tests/dvslib/dvs_acl.py @@ -389,6 +389,26 @@ def verify_redirect_acl_rule( self._check_acl_entry_base(fvs, sai_qualifiers, "REDIRECT", priority) self._check_acl_entry_redirect_action(fvs, expected_destination) + def verify_nat_acl_rule( + self, + sai_qualifiers: Dict[str, str], + priority: str = "2020", + acl_rule_id=None + ) -> None: + """Verify that an ACL nat rule has the correct ASIC DB representation. + + Args: + sai_qualifiers: The expected set of SAI qualifiers to be found in ASIC DB. + priority: The priority of the rule. + acl_rule_id: A specific OID to check in ASIC DB. If left empty, this method + assumes that only one rule exists in ASIC DB. + """ + if not acl_rule_id: + acl_rule_id = self._get_acl_rule_id() + + fvs = self.asic_db.wait_for_entry("ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY", acl_rule_id) + self._check_acl_entry_base(fvs, sai_qualifiers, "DO_NOT_NAT", priority) + def verify_mirror_acl_rule( self, sai_qualifiers: Dict[str, str], @@ -527,6 +547,9 @@ def _check_acl_entry_base( assert action == "REDIRECT" elif "SAI_ACL_ENTRY_ATTR_ACTION_MIRROR" in k: assert action == "MIRROR" + elif "SAI_ACL_ENTRY_ATTR_ACTION_NO_NAT" in k: + assert action == "DO_NOT_NAT" + assert v == "true" elif k in qualifiers: assert qualifiers[k](v) else: diff --git a/tests/test_nat.py b/tests/test_nat.py index 6f8606d67bd8..2c76e153c5dc 100644 --- a/tests/test_nat.py +++ b/tests/test_nat.py @@ -2,6 +2,10 @@ from dvslib.dvs_common import wait_for_result +L3_TABLE_TYPE = "L3" +L3_TABLE_NAME = "L3_TEST" +L3_BIND_PORTS = ["Ethernet0"] +L3_RULE_NAME = "L3_TEST_RULE" class TestNat(object): def setup_db(self, dvs): @@ -320,6 +324,35 @@ def _check_conntrack_for_static_entry(): # delete a static nat entry dvs.runcmd("config nat remove static basic 67.66.65.1 18.18.18.2") + def test_DoNotNatAclAction(self, dvs_acl, testlog): + + # Creating the ACL Table + dvs_acl.create_acl_table(L3_TABLE_NAME, L3_TABLE_TYPE, L3_BIND_PORTS, stage="ingress") + + acl_table_id = dvs_acl.get_acl_table_ids(1)[0] + acl_table_group_ids = dvs_acl.get_acl_table_group_ids(len(L3_BIND_PORTS)) + + dvs_acl.verify_acl_table_group_members(acl_table_id, acl_table_group_ids, 1) + dvs_acl.verify_acl_table_port_binding(acl_table_id, L3_BIND_PORTS, 1) + + # Create a ACL Rule with "do_not_nat" packet action + config_qualifiers = {"SRC_IP": "14.1.0.1/32"} + dvs_acl.create_acl_rule(L3_TABLE_NAME, L3_RULE_NAME, config_qualifiers, action="DO_NOT_NAT", priority="97") + + expected_sai_qualifiers = { + "SAI_ACL_ENTRY_ATTR_FIELD_SRC_IP": dvs_acl.get_simple_qualifier_comparator("14.1.0.1&mask:255.255.255.255") + } + + dvs_acl.verify_nat_acl_rule(expected_sai_qualifiers, priority="97") + + # Deleting the ACL Rule + dvs_acl.remove_acl_rule(L3_TABLE_NAME, L3_RULE_NAME) + dvs_acl.verify_no_acl_rules() + + # Deleting the ACL Table + dvs_acl.remove_acl_table(L3_TABLE_NAME) + dvs_acl.verify_acl_table_count(0) + # Add Dummy always-pass test at end as workaroud # for issue when Flaky fail on final test it invokes module tear-down before retrying