Skip to content

Commit

Permalink
[NAT] ACL Rule with DO_NOT_NAT action is getting failed. (sonic-net#1502
Browse files Browse the repository at this point in the history
)

Issue:
The ACL rule addition with  PACKET_ACTION= "DO_NOT_NAT" failed as the SAI acl "no-nat" action not supported for INGRESS stage.

Fix:
Made changes to add "SAI_ACL_ACTION_TYPE_NO_NAT" action as supported for INGRESS stage.
After the fix, verified that ACL Table and rule is created.

Signed-off-by: Akhilesh Samineni <akhilesh.samineni@broadcom.com>
  • Loading branch information
AkhileshSamineni authored Dec 24, 2020
1 parent c39a4b1 commit 9ed3026
Show file tree
Hide file tree
Showing 3 changed files with 58 additions and 1 deletion.
3 changes: 2 additions & 1 deletion orchagent/aclorch.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -124,7 +124,8 @@ static const acl_capabilities_t defaultAclActionsSupported =
ACL_STAGE_INGRESS,
{
SAI_ACL_ACTION_TYPE_PACKET_ACTION,
SAI_ACL_ACTION_TYPE_MIRROR_INGRESS
SAI_ACL_ACTION_TYPE_MIRROR_INGRESS,
SAI_ACL_ACTION_TYPE_NO_NAT
}
},
{
Expand Down
23 changes: 23 additions & 0 deletions tests/dvslib/dvs_acl.py
Original file line number Diff line number Diff line change
Expand Up @@ -389,6 +389,26 @@ def verify_redirect_acl_rule(
self._check_acl_entry_base(fvs, sai_qualifiers, "REDIRECT", priority)
self._check_acl_entry_redirect_action(fvs, expected_destination)

def verify_nat_acl_rule(
self,
sai_qualifiers: Dict[str, str],
priority: str = "2020",
acl_rule_id=None
) -> None:
"""Verify that an ACL nat rule has the correct ASIC DB representation.
Args:
sai_qualifiers: The expected set of SAI qualifiers to be found in ASIC DB.
priority: The priority of the rule.
acl_rule_id: A specific OID to check in ASIC DB. If left empty, this method
assumes that only one rule exists in ASIC DB.
"""
if not acl_rule_id:
acl_rule_id = self._get_acl_rule_id()

fvs = self.asic_db.wait_for_entry("ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY", acl_rule_id)
self._check_acl_entry_base(fvs, sai_qualifiers, "DO_NOT_NAT", priority)

def verify_mirror_acl_rule(
self,
sai_qualifiers: Dict[str, str],
Expand Down Expand Up @@ -527,6 +547,9 @@ def _check_acl_entry_base(
assert action == "REDIRECT"
elif "SAI_ACL_ENTRY_ATTR_ACTION_MIRROR" in k:
assert action == "MIRROR"
elif "SAI_ACL_ENTRY_ATTR_ACTION_NO_NAT" in k:
assert action == "DO_NOT_NAT"
assert v == "true"
elif k in qualifiers:
assert qualifiers[k](v)
else:
Expand Down
33 changes: 33 additions & 0 deletions tests/test_nat.py
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,10 @@

from dvslib.dvs_common import wait_for_result

L3_TABLE_TYPE = "L3"
L3_TABLE_NAME = "L3_TEST"
L3_BIND_PORTS = ["Ethernet0"]
L3_RULE_NAME = "L3_TEST_RULE"

class TestNat(object):
def setup_db(self, dvs):
Expand Down Expand Up @@ -320,6 +324,35 @@ def _check_conntrack_for_static_entry():
# delete a static nat entry
dvs.runcmd("config nat remove static basic 67.66.65.1 18.18.18.2")

def test_DoNotNatAclAction(self, dvs_acl, testlog):

# Creating the ACL Table
dvs_acl.create_acl_table(L3_TABLE_NAME, L3_TABLE_TYPE, L3_BIND_PORTS, stage="ingress")

acl_table_id = dvs_acl.get_acl_table_ids(1)[0]
acl_table_group_ids = dvs_acl.get_acl_table_group_ids(len(L3_BIND_PORTS))

dvs_acl.verify_acl_table_group_members(acl_table_id, acl_table_group_ids, 1)
dvs_acl.verify_acl_table_port_binding(acl_table_id, L3_BIND_PORTS, 1)

# Create a ACL Rule with "do_not_nat" packet action
config_qualifiers = {"SRC_IP": "14.1.0.1/32"}
dvs_acl.create_acl_rule(L3_TABLE_NAME, L3_RULE_NAME, config_qualifiers, action="DO_NOT_NAT", priority="97")

expected_sai_qualifiers = {
"SAI_ACL_ENTRY_ATTR_FIELD_SRC_IP": dvs_acl.get_simple_qualifier_comparator("14.1.0.1&mask:255.255.255.255")
}

dvs_acl.verify_nat_acl_rule(expected_sai_qualifiers, priority="97")

# Deleting the ACL Rule
dvs_acl.remove_acl_rule(L3_TABLE_NAME, L3_RULE_NAME)
dvs_acl.verify_no_acl_rules()

# Deleting the ACL Table
dvs_acl.remove_acl_table(L3_TABLE_NAME)
dvs_acl.verify_acl_table_count(0)


# Add Dummy always-pass test at end as workaroud
# for issue when Flaky fail on final test it invokes module tear-down before retrying
Expand Down

0 comments on commit 9ed3026

Please sign in to comment.