diff --git a/ansible/roles/test/tasks/qos_sai.yml b/ansible/roles/test/tasks/qos_sai.yml
index 3c417891d5..eaa10743c2 100644
--- a/ansible/roles/test/tasks/qos_sai.yml
+++ b/ansible/roles/test/tasks/qos_sai.yml
@@ -66,12 +66,12 @@
       supervisorctl: state=stopped name=bgpd
       delegate_to: "{{ ansible_host }}_bgp"
 
-    - name: Add iptables rule to drop BGP SYN Packet from peer so that we do not ACK back
-      shell: "iptables -A INPUT -j DROP -p tcp --destination-port bgp"
+    - name: Add iptables rule to drop BGP SYN Packet from peer so that we do not ACK back. Add at top so existing rules don't have precedence over it.
+      shell: "iptables -I INPUT 1 -j DROP -p tcp --destination-port bgp"
       become: true
 
-    - name: Add ip6tables rule to drop BGP SYN Packet from peer so that we do not ACK back
-      shell: "ip6tables -A INPUT -j DROP -p tcp --destination-port bgp"
+    - name: Add ip6tables rule to drop BGP SYN Packet from peer so that we do not ACK back. Add at top so existing rules don't have precedence over it.
+      shell: "ip6tables -I INPUT 1 -j DROP -p tcp --destination-port bgp"
       become: true
 
     - meta: flush_handlers
diff --git a/tests/qos/qos_sai_base.py b/tests/qos/qos_sai_base.py
index a895c6cf4c..f4ec93006d 100644
--- a/tests/qos/qos_sai_base.py
+++ b/tests/qos/qos_sai_base.py
@@ -377,7 +377,8 @@ def updateIptables(self, duthost, swapSyncd):
         def updateIptablesDropRule(duthost, ipVersion, state='present'):
             duthost.iptables(
                 ip_version=ipVersion,
-                action="Append",
+                action="insert",
+                rule_num="1",
                 chain="INPUT",
                 jump="DROP",
                 protocol="tcp",
@@ -385,6 +386,7 @@ def updateIptablesDropRule(duthost, ipVersion, state='present'):
                 state=state
             )
+        ipVersions = [{"ipVersion": "ipv4"}, {"ipVersion": "ipv6"}]
         logger.info("Add ip[6]tables rule to drop BGP SYN Packet from peer so that we do not ACK back")
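Review bot: Both shell tasks are non-idempotent: `iptables -I INPUT 1 …` inserts a fresh copy of the DROP rule on every run of this play, so a re-run or retried play leaves duplicate rules that a single later delete will not clear; the removal step is outside this hunk, so I cannot confirm whether it accounts for that. The Python side of this same commit uses the ansible `iptables` module with `action="insert"` and `rule_num="1"`, which checks for an existing matching rule before inserting and is therefore safe to re-run, and the playbook should use the same module rather than `shell`. Nothing in the command needs a shell (no pipes or expansion), so at the very least `shell:` should become `command:`. The ip6tables task needs the same rewrite with `ip_version: ipv6`.
```yaml
    - name: Add iptables rule to drop BGP SYN Packet from peer so that we do not ACK back. Add at top so existing rules don't have precedence over it.
      iptables:
        ip_version: ipv4
        action: insert
        rule_num: "1"
        chain: INPUT
        protocol: tcp
        destination_port: bgp
        jump: DROP
      become: true
    # … unchanged: the ip6tables task is identical apart from ip_version: ipv6 …
```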
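Review bot: The reason for pinning the rule to position 1 is stated only in the playbook's task name; in this hunk `action="insert"` and `rule_num="1"` carry no explanation, so a later reader has no reason not to revert to append. Add a why-comment above `action="insert"`, e.g. `# insert at the head of INPUT so existing rules in the chain cannot match the BGP SYN first`. It is also worth recording in that comment that the position only affects insertion: if `duthost.iptables` is the stock ansible module, a call with `state='absent'` deletes by rule spec and the rule number is ignored, so the same helper stays correct for teardown (verify against the wrapper). The enclosing `updateIptables` method begins before this hunk and the helper's keyword list continues past it.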