diff --git a/.azure-pipelines/pr_test_scripts.yaml b/.azure-pipelines/pr_test_scripts.yaml
index d174d17f188..ab3bcba6804 100644
--- a/.azure-pipelines/pr_test_scripts.yaml
+++ b/.azure-pipelines/pr_test_scripts.yaml
@@ -19,7 +19,6 @@ t0:
 - bgp/test_bgp_speaker.py
 - bgp/test_bgp_update_timer.py
 - bgp/test_bgpmon.py
- - cacl/test_cacl_application.py
 - cacl/test_cacl_function.py
 - console/test_console_availability.py
 - console/test_console_driver.py
diff --git a/tests/cacl/test_cacl_application.py b/tests/cacl/test_cacl_application.py
index 78efab36960..05ace57f0b4 100644
--- a/tests/cacl/test_cacl_application.py
+++ b/tests/cacl/test_cacl_application.py
@@ -589,8 +589,13 @@ def generate_expected_rules(duthost, tbinfo, docker_network, asic_index, expecte
 generate_and_append_block_ip2me_traffic_rules(duthost, iptables_rules, ip6tables_rules, asic_index)
 # Allow all packets with a TTL/hop limit of 0 or 1
- iptables_rules.append("-A INPUT -m ttl --ttl-lt 2 -j ACCEPT")
- ip6tables_rules.append("-A INPUT -p tcp -m hl --hl-lt 2 -j ACCEPT")
+ iptables_rules.append("-A INPUT -p icmp -m ttl --ttl-lt 2 -j ACCEPT")
+ iptables_rules.append("-A INPUT -p udp -m ttl --ttl-lt 2 -m udp --dport 1025:65535 -j ACCEPT")
+ iptables_rules.append("-A INPUT -p tcp -m ttl --ttl-lt 2 -m tcp --dport 1025:65535 -j ACCEPT")
+
+ ip6tables_rules.append("-A INPUT -p ipv6-icmp -m hl --hl-lt 2 -j ACCEPT")
+ ip6tables_rules.append("-A INPUT -p udp -m hl --hl-lt 2 -m udp --dport 1025:65535 -j ACCEPT")
+ ip6tables_rules.append("-A INPUT -p tcp -m hl --hl-lt 2 -m tcp --dport 1025:65535 -j ACCEPT")
 # If we have added rules from the device config, we lastly add default drop rules
 if rules_applied_from_config > 0:
diff --git a/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml b/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml
index 05407667f87..ec5df146ea4 100644
--- a/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml
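Review bot: The comment kept above the new expectations in generate_expected_rules (tests/cacl/test_cacl_application.py), `# Allow all packets with a TTL/hop limit of 0 or 1`, no longer matches what the test asserts: the six added rules accept low TTL/hop-limit traffic only for ICMP/ICMPv6 and for TCP/UDP with destination port 1025:65535. That narrowing is the security-relevant part, since packets with TTL < 2 aimed at ports 1024 and below are now expected not to match an ACCEPT here and presumably reach the later rules, so the comment should say it, e.g. `# Allow ICMP and TCP/UDP to ports 1025-65535 with a TTL/hop limit of 0 or 1`. The range `1025:65535` is also repeated in four string literals; a local such as `high_ports = "1025:65535"` would keep the IPv4 and IPv6 expectations in step. The function body starts and ends outside the hunk.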
+++ b/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml
@@ -166,6 +166,12 @@ bgp/test_traffic_shift.py::test_load_minigraph_with_traffic_shift_away:
 #######################################
 ##### cacl #####
 #######################################
+cacl/test_cacl_application.py:
+ skip:
+ reason: "Skip test_cacl_application temporarily due to known issue"
+ conditions:
+ - https://github.com/sonic-net/sonic-mgmt/issues/13805
+
 cacl/test_cacl_application.py::test_cacl_application_dualtor:
 skip:
 reason: "test_cacl_application_dualtor is only supported on dualtor topology"
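Review bot: The new `cacl/test_cacl_application.py:` entry skips the whole file while its condition holds, so the expectations updated in generate_expected_rules by this same commit are not exercised, and the file is also dropped from the t0 list in pr_test_scripts.yaml. Control-plane ACL rule generation therefore has no regression coverage from this test while the skip stands. The reason text should name the blocker so the skip is traceable from test output, e.g. `reason: "Skip test_cacl_application until sonic-net/sonic-mgmt#13805 is resolved"`. If the issue-URL condition is meant to lift the skip once that issue is closed, the t0 entry still has to be restored by hand, which is worth recording in the issue.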