From 7c04d7414d036da2a47b55e0b4d6787e31b67ca5 Mon Sep 17 00:00:00 2001
From: Abhishek Dosi
Date: Tue, 23 Jun 2020 18:01:59 -0700
Subject: [PATCH] As part of this PR#https://github.com/Azure/sonic-buildimage/pull/4412 we have added ACCEPT rules for BGP packets as default. Because of this iptable rule added by qos_sai.yml get ignored because of lower priority and make test case fails since BGP packets impacts Buffer calcualtion assumption of testcase. Fix is to add iptable rule to Drop BGP Packet from test case as highest priority. Fix in py script also
---
 ansible/roles/test/tasks/qos_sai.yml | 8 ++++----
 tests/qos/qos_sai_base.py | 4 +++-
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/ansible/roles/test/tasks/qos_sai.yml b/ansible/roles/test/tasks/qos_sai.yml
index 3c417891d5..eaa10743c2 100644
--- a/ansible/roles/test/tasks/qos_sai.yml
+++ b/ansible/roles/test/tasks/qos_sai.yml
@@ -66,12 +66,12 @@
 supervisorctl: state=stopped name=bgpd
 delegate_to: "{{ ansible_host }}_bgp"
- - name: Add iptables rule to drop BGP SYN Packet from peer so that we do not ACK back
- shell: "iptables -A INPUT -j DROP -p tcp --destination-port bgp"
+ - name: Add iptables rule to drop BGP SYN Packet from peer so that we do not ACK back. Add at top so existing rules don't have precedence over it.
+ shell: "iptables -I INPUT 1 -j DROP -p tcp --destination-port bgp"
 become: true
- - name: Add ip6tables rule to drop BGP SYN Packet from peer so that we do not ACK back
- shell: "ip6tables -A INPUT -j DROP -p tcp --destination-port bgp"
+ - name: Add ip6tables rule to drop BGP SYN Packet from peer so that we do not ACK back. Add at top so existing rules don't have precedence over it.
+ shell: "ip6tables -I INPUT 1 -j DROP -p tcp --destination-port bgp"
 become: true
 - meta: flush_handlers
diff --git a/tests/qos/qos_sai_base.py b/tests/qos/qos_sai_base.py
index a895c6cf4c..f4ec93006d 100644
--- a/tests/qos/qos_sai_base.py
+++ b/tests/qos/qos_sai_base.py
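Review bot: Both `shell:` tasks in the `qos_sai.yml` hunk insert unconditionally, so every re-run stacks another copy of the DROP rule at position 1, and a run that aborts before the matching delete leaves BGP blocked ahead of the default ACCEPT rules the commit message describes. I would guard the insert with an existence check, e.g. `shell: "iptables -C INPUT -j DROP -p tcp --destination-port bgp || iptables -I INPUT 1 -j DROP -p tcp --destination-port bgp"`, and the same for `ip6tables`. The teardown is not visible in this hunk; it should delete the rule by specification rather than by position, and should run even when the test fails.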
@@ -377,7 +377,8 @@ def updateIptables(self, duthost, swapSyncd):
 def updateIptablesDropRule(duthost, ipVersion, state='present'):
 duthost.iptables(
 ip_version=ipVersion,
- action="Append",
+ action="insert",
+ rule_num="1",
 chain="INPUT",
 jump="DROP",
 protocol="tcp",
@@ -385,6 +386,7 @@ def updateIptablesDropRule(duthost, ipVersion, state='present'): state=state ) + ipVersions = [{"ipVersion": "ipv4"}, {"ipVersion": "ipv6"}] logger.info("Add ip[6]tables rule to drop BGP SYN Packet from peer so that we do not ACK back")
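Review bot: The new `action="insert"` / `rule_num="1"` arguments in `updateIptablesDropRule` carry no comment saying why rule position matters, although the task names in `qos_sai.yml` were extended to explain it. I would add above the `duthost.iptables(` call `# Insert at the top of INPUT so the default BGP ACCEPT rules cannot match before this DROP.` Separately, if the module behind `duthost.iptables` treats `state='present'` as "the rule exists somewhere in the chain" (I believe Ansible's `iptables` module does; please confirm), a DROP rule left at the bottom by an earlier appended run would make this call a no-op and the rule would stay behind the ACCEPT rules. Calling the helper with `state='absent'` before the insert would cover that case. The helper is nested in `updateIptables`, which starts outside the hunk, and one argument line between the two hunks is not shown.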