diff --git a/tests/cacl/test_cacl_application.py b/tests/cacl/test_cacl_application.py
index 04bf19f08f7..2cc13da532d 100644
--- a/tests/cacl/test_cacl_application.py
+++ b/tests/cacl/test_cacl_application.py
@@ -592,8 +592,13 @@ def generate_expected_rules(duthost, tbinfo, docker_network, asic_index, expecte
 generate_and_append_block_ip2me_traffic_rules(duthost, iptables_rules, ip6tables_rules, asic_index)
 
 # Allow all packets with a TTL/hop limit of 0 or 1
- iptables_rules.append("-A INPUT -m ttl --ttl-lt 2 -j ACCEPT")
- ip6tables_rules.append("-A INPUT -p tcp -m hl --hl-lt 2 -j ACCEPT")
+ iptables_rules.append("-A INPUT -p icmp -m ttl --ttl-lt 2 -j ACCEPT")
+ iptables_rules.append("-A INPUT -p udp -m ttl --ttl-lt 2 -m udp --dport 1025:65535 -j ACCEPT")
+ iptables_rules.append("-A INPUT -p tcp -m ttl --ttl-lt 2 -m tcp --dport 1025:65535 -j ACCEPT")
+
+ ip6tables_rules.append("-A INPUT -p ipv6-icmp -m hl --hl-lt 2 -j ACCEPT")
+ ip6tables_rules.append("-A INPUT -p udp -m hl --hl-lt 2 -m udp --dport 1025:65535 -j ACCEPT")
+ ip6tables_rules.append("-A INPUT -p tcp -m hl --hl-lt 2 -m tcp --dport 1025:65535 -j ACCEPT")
 
 # If we have added rules from the device config, we lastly add default drop rules
 if rules_applied_from_config > 0:
diff --git a/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml b/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml
index e245ea32ef8..c7af928836a 100644
--- a/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml
+++ b/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml
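Review bot: The context comment above the new appends still reads "Allow all packets with a TTL/hop limit of 0 or 1", but the expected rules now accept only ICMP/ICMPv6 and TCP/UDP with destination ports 1025:65535, so the comment no longer describes what the test asserts. I would reword it to `# Allow ICMP, and TCP/UDP to ports 1025-65535, when the TTL/hop limit is 0 or 1`. These accepts are appended ahead of the default drop rules added just below, so any control-plane service listening on a port at or above 1025 presumably stays reachable by low-TTL packets regardless of the configured ACL; a short comment stating that this is intended and where the 1025 boundary comes from would help the next reader. On the IPv6 side the old expectation was TCP only and the new one also covers ipv6-icmp and UDP, which is worth calling out in the commit message if it is deliberate. The range literal is repeated four times; a local such as `low_ttl_ports = "1025:65535"` would keep the v4 and v6 expectations in step. generate_expected_rules starts and ends outside the hunk.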
@@ -167,6 +167,12 @@ bgp/test_traffic_shift.py::test_load_minigraph_with_traffic_shift_away:
 #######################################
 ##### cacl #####
 #######################################
+cacl/test_cacl_application.py:
+ skip:
+ reason: "Skip test_cacl_application temporarily due to known issue"
+ conditions:
+ - https://github.com/sonic-net/sonic-mgmt/issues/13805
+
 cacl/test_cacl_application.py::test_cacl_application_dualtor:
 skip:
 reason: "test_cacl_application_dualtor is only supported on dualtor topology"
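Review bot: The new `cacl/test_cacl_application.py:` entry has no `::test_name` suffix and its only condition is the issue URL, so it appears to skip every test in the module on all platforms, topologies and releases for as long as that issue is open. That also means the expected-rule changes made to tests/cacl/test_cacl_application.py in this same commit are not exercised by any run, and control-plane ACL coverage is lost in the meantime. If the issue affects only some images or ASIC types, narrowing `conditions:` to them would keep the test running elsewhere. The reason text should name what is being waited on, for example `reason: "Skip test_cacl_application until sonic-mgmt issue 13805 is resolved"`, so the skip is easy to find and remove.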