[NAT] ACL Rule with DO_NOT_NAT action is getting failed. (#1502)

Issue:
The ACL rule addition with  PACKET_ACTION= "DO_NOT_NAT" failed as the SAI acl "no-nat" action not supported for INGRESS stage.

Fix:
Made changes to add "SAI_ACL_ACTION_TYPE_NO_NAT" action as supported for INGRESS stage.
After the fix, verified that ACL Table and rule is created.

Signed-off-by: Akhilesh Samineni <[email protected]>

Author: AkhileshSamineni

orchagent/aclorch.cpp

@@ -124,7 +124,8 @@ static const acl_capabilities_t defaultAclActionsSupported =
         ACL_STAGE_INGRESS,
         {
             SAI_ACL_ACTION_TYPE_PACKET_ACTION,
-            SAI_ACL_ACTION_TYPE_MIRROR_INGRESS
+            SAI_ACL_ACTION_TYPE_MIRROR_INGRESS,
+            SAI_ACL_ACTION_TYPE_NO_NAT
         }
     },
     {

tests/dvslib/dvs_acl.py

@@ -389,6 +389,26 @@ def verify_redirect_acl_rule(
         self._check_acl_entry_base(fvs, sai_qualifiers, "REDIRECT", priority)
         self._check_acl_entry_redirect_action(fvs, expected_destination)
 
+    def verify_nat_acl_rule(
+            self,
+            sai_qualifiers: Dict[str, str],
+            priority: str = "2020",
+            acl_rule_id=None
+    ) -> None:
+        """Verify that an ACL nat rule has the correct ASIC DB representation.
+
+        Args:
+            sai_qualifiers: The expected set of SAI qualifiers to be found in ASIC DB.
+            priority: The priority of the rule.
+            acl_rule_id: A specific OID to check in ASIC DB. If left empty, this method
+                         assumes that only one rule exists in ASIC DB.
+        """
+        if not acl_rule_id:
+            acl_rule_id = self._get_acl_rule_id()
+
+        fvs = self.asic_db.wait_for_entry("ASIC_STATE:SAI_OBJECT_TYPE_ACL_ENTRY", acl_rule_id)
+        self._check_acl_entry_base(fvs, sai_qualifiers, "DO_NOT_NAT", priority)
+
     def verify_mirror_acl_rule(
             self,
             sai_qualifiers: Dict[str, str],
@@ -527,6 +547,9 @@ def _check_acl_entry_base(
                 assert action == "REDIRECT"
             elif "SAI_ACL_ENTRY_ATTR_ACTION_MIRROR" in k:
                 assert action == "MIRROR"
+            elif "SAI_ACL_ENTRY_ATTR_ACTION_NO_NAT" in k:
+                assert action == "DO_NOT_NAT"
+                assert v == "true"
             elif k in qualifiers:
                 assert qualifiers[k](v)
             else:

tests/test_nat.py

@@ -2,6 +2,10 @@
 
 from dvslib.dvs_common import wait_for_result
 
+L3_TABLE_TYPE = "L3"
+L3_TABLE_NAME = "L3_TEST"
+L3_BIND_PORTS = ["Ethernet0"]
+L3_RULE_NAME = "L3_TEST_RULE"
 
 class TestNat(object):
     def setup_db(self, dvs):
@@ -320,6 +324,35 @@ def _check_conntrack_for_static_entry():
         # delete a static nat entry
         dvs.runcmd("config nat remove static basic 67.66.65.1 18.18.18.2")
 
+    def test_DoNotNatAclAction(self, dvs_acl, testlog):
+
+        # Creating the ACL Table
+        dvs_acl.create_acl_table(L3_TABLE_NAME, L3_TABLE_TYPE, L3_BIND_PORTS, stage="ingress")
+
+        acl_table_id = dvs_acl.get_acl_table_ids(1)[0]
+        acl_table_group_ids = dvs_acl.get_acl_table_group_ids(len(L3_BIND_PORTS))
+
+        dvs_acl.verify_acl_table_group_members(acl_table_id, acl_table_group_ids, 1)
+        dvs_acl.verify_acl_table_port_binding(acl_table_id, L3_BIND_PORTS, 1)
+
+        # Create a ACL Rule with "do_not_nat" packet action
+        config_qualifiers = {"SRC_IP": "14.1.0.1/32"}
+        dvs_acl.create_acl_rule(L3_TABLE_NAME, L3_RULE_NAME, config_qualifiers, action="DO_NOT_NAT", priority="97")
+
+        expected_sai_qualifiers = {
+            "SAI_ACL_ENTRY_ATTR_FIELD_SRC_IP": dvs_acl.get_simple_qualifier_comparator("14.1.0.1&mask:255.255.255.255")
+        }
+
+        dvs_acl.verify_nat_acl_rule(expected_sai_qualifiers, priority="97")
+
+        # Deleting the ACL Rule
+        dvs_acl.remove_acl_rule(L3_TABLE_NAME, L3_RULE_NAME)
+        dvs_acl.verify_no_acl_rules()
+
+        # Deleting the ACL Table
+        dvs_acl.remove_acl_table(L3_TABLE_NAME)
+        dvs_acl.verify_acl_table_count(0)
+
 
 # Add Dummy always-pass test at end as workaroud
 # for issue when Flaky fail on final test it invokes module tear-down before retrying