[ssw][ha] use endpoint IP to for tunnel term acl (#3897)

zjswhhh · web-flow · commit 0c60bdb4b684 · 2025-10-28T11:05:08.000-07:00
* This PR updates the VNET orchestration code to use the endpoint IP address instead of the endpoint monitor IP when configuring tunnel termination ACL rules for local endpoints. This ensures that redirect ACL rules properly direct traffic using the actual endpoint IP rather than the monitoring IP.

Key changes:

Modified tunnel term ACL creation to use endpoint IP (ip) instead of monitor IP (nh_ip)
Updated ACL rule to include tunnel termination matching and redirect to next-hop IP instead of interface alias
Updated test cases to use separate monitor IPs (9.1.0.3, 9.1.0.4) distinct from endpoint IPs (9.1.0.1, 9.1.0.2)
diff --git a/orchagent/aclorch.cpp b/orchagent/aclorch.cpp
@@ -112,7 +112,7 @@ static acl_rule_attr_lookup_t aclL3ActionLookup =
     { ACTION_DISABLE_TRIM,                     SAI_ACL_ENTRY_ATTR_ACTION_PACKET_TRIM_DISABLE }
 };
 
-static acl_rule_attr_lookup_t aclInnerActionLookup = 
+static acl_rule_attr_lookup_t aclInnerActionLookup =
 {
     { ACTION_INNER_SRC_MAC_REWRITE_ACTION,  SAI_ACL_ENTRY_ATTR_ACTION_SET_INNER_SRC_MAC},
 };
@@ -2186,8 +2186,8 @@ AclRuleInnerSrcMacRewrite::AclRuleInnerSrcMacRewrite(AclOrch *aclOrch, string ru
             memcpy(actionData.parameter.mac, inner_src_mac_addr.getMac(), sizeof(sai_mac_t));
             action_str = ACTION_INNER_SRC_MAC_REWRITE_ACTION;
             SWSS_LOG_INFO("Converting the Mac address %s to SAI acl action parameter", _attr_value.c_str());
-        }   
-         
+        }
+
         else
         {
             return false;
@@ -2216,7 +2216,7 @@ AclRuleInnerSrcMacRewrite::AclRuleInnerSrcMacRewrite(AclOrch *aclOrch, string ru
 
  void AclRuleInnerSrcMacRewrite::onUpdate(SubjectType type, void *cntx)
  {
-    //do nothing  
+    //do nothing
  }
 
 AclRuleMirror::AclRuleMirror(AclOrch *aclOrch, MirrorOrch *mirror, string rule, string table) :
@@ -2522,7 +2522,7 @@ void AclRuleUnderlaySetDscp::onUpdate(SubjectType, void *)
 {
     // Do nothing
 }
-        
+
 AclTable::AclTable(AclOrch *pAclOrch, string id) noexcept : m_pAclOrch(pAclOrch), id(id)
 {
 
@@ -4419,7 +4419,7 @@ EgressSetDscpTableStatus AclOrch::addEgrSetDscpTable(string table_id, AclTable &
         if (!isAclMetaDataSupported())
         {
             SWSS_LOG_ERROR("Platform does not support MARK_META/MARK_METAV6 tables.");
-            return EgressSetDscpTableStatus::EGRESS_SET_DSCP_TABLE_NOT_SUPPORTED; 
+            return EgressSetDscpTableStatus::EGRESS_SET_DSCP_TABLE_NOT_SUPPORTED;
         }
         AclTable egrSetDscpTable(this);
 
diff --git a/orchagent/vnetorch.cpp b/orchagent/vnetorch.cpp
@@ -1189,7 +1189,7 @@ bool VNetRouteOrch::doRouteTask<VNetVrfObject>(const string& vnet, IpPrefix& ipP
                 auto prefixToRemove = ipPrefix;
                 if (adv_prefix.to_string() != ipPrefix.to_string())
                 {
-                    prefixToRemove = adv_prefix;                        
+                    prefixToRemove = adv_prefix;
                 }
                 auto prefixSubnet = prefixToRemove.getSubnet();
                 if(gRouteOrch && gRouteOrch->isRouteExists(prefixSubnet))
@@ -2433,7 +2433,7 @@ void VNetRouteOrch::updateVnetTunnel(const BfdUpdate& update)
             continue;
         }
         // when we add the first nexthop to the route, we dont create a nexthop group, we call the updateTunnelRoute with NHG with one member.
-        // when adding the 2nd, 3rd ... members we create each NH using this create_next_hop_group_member call but give it the reference of next_hop_group_id. 
+        // when adding the 2nd, 3rd ... members we create each NH using this create_next_hop_group_member call but give it the reference of next_hop_group_id.
         // this way we dont have to update the route, the syncd does it by itself. we only call the updateTunnelRoute to add/remove when adding or removing the
         // route fully.
 
@@ -2511,7 +2511,7 @@ void VNetRouteOrch::updateVnetTunnel(const BfdUpdate& update)
                             SWSS_LOG_INFO("Successfully removed existing bgp route for prefix: %s\n", prefixStr.c_str());
                         }
                         string op = SET_COMMAND;
-                        SWSS_LOG_INFO("Adding Vnet route for prefix:%s with nexthop group: %s\n", prefixStr.c_str(), nhStr.c_str());  
+                        SWSS_LOG_INFO("Adding Vnet route for prefix:%s with nexthop group: %s\n", prefixStr.c_str(), nhStr.c_str());
 
                         if (!updateTunnelRoute(vnet, ip_pfx, nexthops, op))
                         {
@@ -2520,7 +2520,7 @@ void VNetRouteOrch::updateVnetTunnel(const BfdUpdate& update)
                         }
                         else
                         {
-                            SWSS_LOG_INFO("Successfully created tunnel route in hardware for prefix: %s\n", prefixStr.c_str()); 
+                            SWSS_LOG_INFO("Successfully created tunnel route in hardware for prefix: %s\n", prefixStr.c_str());
                         }
                     }
                 }
@@ -2574,7 +2574,7 @@ void VNetRouteOrch::updateVnetTunnel(const BfdUpdate& update)
                     {
                         for (auto ip_pfx : syncd_nexthop_groups_[vnet][nexthops].tunnel_routes)
                         {
-                            SWSS_LOG_NOTICE("Removing Vnet route for prefix : %s due to no active nexthops.\n",ip_pfx.to_string().c_str());  
+                            SWSS_LOG_NOTICE("Removing Vnet route for prefix : %s due to no active nexthops.\n",ip_pfx.to_string().c_str());
                             string op = DEL_COMMAND;
                             updateTunnelRoute(vnet, ip_pfx, nexthops, op);
                         }
@@ -2651,7 +2651,7 @@ void VNetRouteOrch::updateVnetTunnelCustomMonitor(const MonitorUpdate& update)
     NextHopGroupKey nhg_custom_primary = getActiveNHSet( vnet, primary, prefix);
     NextHopGroupKey nhg_custom_secondary = getActiveNHSet( vnet, secondary, prefix);
     SWSS_LOG_INFO("Primary active(%s), Secondary active (%s), Current active(%s)\n", nhg_custom_primary.to_string().c_str(),
-                  nhg_custom_secondary.to_string().c_str(), active_nhg.to_string().c_str()); 
+                  nhg_custom_secondary.to_string().c_str(), active_nhg.to_string().c_str());
     if (nhg_custom_primary.getSize() > 0)
     {
         if (nhg_custom_primary != active_nhg )
@@ -2731,14 +2731,14 @@ void VNetRouteOrch::updateVnetTunnelCustomMonitor(const MonitorUpdate& update)
                 {
                     // we need to replace the nhg in the route
                     SWSS_LOG_INFO("Replacing nexthop group for prefix: %s, nexthop group: %s\n",
-                                    prefix.to_string().c_str(), nhg_custom.to_string().c_str()); 
+                                    prefix.to_string().c_str(), nhg_custom.to_string().c_str());
                     route_status = update_route(vr_id, pfx, nh_id);
                 }
                 else
                 {
                     // we need to readd the route.
                     SWSS_LOG_NOTICE("Adding Custom monitored Route with prefix: %s and nexthop group: %s\n",
-                                    prefix.to_string().c_str(), nhg_custom.to_string().c_str()); 
+                                    prefix.to_string().c_str(), nhg_custom.to_string().c_str());
                     auto prefixToUse = prefix;
                     if (prefix_to_adv_prefix_.find(prefix) != prefix_to_adv_prefix_.end())
                     {
@@ -2817,7 +2817,7 @@ void VNetRouteOrch::updateVnetTunnelCustomMonitor(const MonitorUpdate& update)
         if (nhg_custom.getSize() == 0 && active_nhg_size > 0)
         {
             vrf_obj->removeRoute(prefix);
-            SWSS_LOG_NOTICE("Route prefix is no longer active: %s\n", prefix.to_string().c_str()); 
+            SWSS_LOG_NOTICE("Route prefix is no longer active: %s\n", prefix.to_string().c_str());
             removeRouteState(vnet, prefix);
             if (prefix_to_adv_prefix_.find(prefix) != prefix_to_adv_prefix_.end())
             {
@@ -2995,7 +2995,6 @@ bool VNetRouteOrch::handleTunnel(const Request& request)
         IpAddress ip = ip_list[idx_ip];
         bool is_local = isLocalEndpoint(vnet_name, ip);
         bool is_overlay = !is_local;
-        IpAddress nh_ip = is_local ? monitor_list[idx_ip] : ip;
         string alias = is_local ? gIntfsOrch->getRouterIntfsAlias(ip) : "";
         MacAddress mac;
         uint32_t vni = 0;
@@ -3015,7 +3014,8 @@ bool VNetRouteOrch::handleTunnel(const Request& request)
 
         if (is_local)
         {
-            vnet_tunnel_term_acl_->createAclRule(vnet_name, ip_pfx, nh_ip);
+            SWSS_LOG_INFO("Attempting to add TUNNEL TERM ACL for local endpoint %s", ip.to_string().c_str());
+            vnet_tunnel_term_acl_->createAclRule(vnet_name, ip_pfx, ip);
         }
 
         NextHopKey nh(ip, alias, mac, vni, is_overlay);
@@ -3337,6 +3337,7 @@ bool VNetTunnelTermAcl::createAclRule(const string vnet_name, swss::IpPrefix& vi
     if (getAclRule(vnet_name, vip, rule))
     {
         /* If there are more than one local points for the same VIP, we will not create a new rule. */
+        SWSS_LOG_NOTICE("ACL rule already exists for VNet %s with VIP %s", vnet_name.c_str(), vip.to_string().c_str());
         return true;
     }
 
@@ -3352,10 +3353,14 @@ bool VNetTunnelTermAcl::createAclRule(const string vnet_name, swss::IpPrefix& vi
     vector<FieldValueTuple> fvs = {
         {RULE_PRIORITY, to_string(VNET_TUNNEL_TERM_ACL_BASE_PRIORITY)},
         {MATCH_DST_IP, vip.to_string()},
+        {MATCH_TUNNEL_TERM, "true"},
         /* This tunnel term acl is to handle a transient state in DPU failover, so the redirect can't point to a VIP.*/
-        {ACTION_REDIRECT_ACTION, alias}
+        {ACTION_REDIRECT_ACTION, nh_ip.to_string()}
     };
 
+    SWSS_LOG_NOTICE("Creating ACL rule %s for VNet %s with VIP %s to redirect to %s",
+                   rule_name.c_str(), vnet_name.c_str(), vip.to_string().c_str(), nh_ip.to_string().c_str());
+
     acl_rule_table_->set(rule_name, fvs);
 
     rule.rule_name = rule_name;
diff --git a/tests/dvslib/dvs_acl.py b/tests/dvslib/dvs_acl.py
@@ -754,6 +754,8 @@ def _check_acl_entry_base(
             elif "SAI_ACL_ENTRY_ATTR_ACTION_NO_NAT" in k:
                 assert action == "DO_NOT_NAT"
                 assert v == "true"
+            elif "SAI_ACL_ENTRY_ATTR_FIELD_TUNNEL_TERMINATED" in k:
+                assert v == "true"
             elif k in qualifiers:
                 assert qualifiers[k](v)
             else:
diff --git a/tests/test_vnet.py b/tests/test_vnet.py
@@ -2685,23 +2685,23 @@ def test_vnet_orch_28(self, dvs, dvs_acl, testlog):
         self.add_neighbor("Ethernet8", "9.1.0.1", "00:01:02:03:04:05")
 
         vnet_obj.fetch_exist_entries(dvs)
-        create_vnet_routes(dvs, "100.100.1.1/32", vnet_name, '9.1.0.1,9.1.0.2', ep_monitor='9.1.0.1,9.1.0.2', primary ='9.1.0.1', profile="Test_profile", monitoring='custom', adv_prefix='100.100.1.0/24', check_directly_connected=True)
+        create_vnet_routes(dvs, "100.100.1.1/32", vnet_name, '9.1.0.1,9.1.0.2', ep_monitor='9.1.0.3,9.1.0.4', primary ='9.1.0.1', profile="Test_profile", monitoring='custom', adv_prefix='100.100.1.0/24', check_directly_connected=True)
 
         # verify tunnel term acl 
         expected_sai_qualifiers = {
             "SAI_ACL_ENTRY_ATTR_FIELD_DST_IP": dvs_acl.get_simple_qualifier_comparator("100.100.1.1&mask:255.255.255.255")
         }
-        intf_id = dvs.asic_db.port_name_map["Ethernet8"]
-        dvs_acl.verify_redirect_acl_rule(expected_sai_qualifiers, intf_id, priority="9998")
+        nh_id = dvs.get_asic_db().wait_for_n_keys("ASIC_STATE:SAI_OBJECT_TYPE_NEXT_HOP", 1)[0]
+        dvs_acl.verify_redirect_acl_rule(expected_sai_qualifiers, nh_id, priority="9998")
 
         # default monitor session status is down, route should not be programmed in this status
         vnet_obj.check_del_vnet_routes(dvs, vnet_name, ["100.100.1.1/32"])
         check_state_db_routes(dvs, vnet_name, "100.100.1.1/32", [])
         check_remove_routes_advertisement(dvs, "100.100.1.0/24")
 
         # Route should be properly configured when all monitor session states go up. Only primary Endpoints should be in use.
-        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.1', 'up')
-        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.2', 'up')
+        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.3', 'up')
+        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.4', 'up')
         time.sleep(2)
         nhids = get_all_created_entries(asic_db, vnet_obj.ASIC_NEXT_HOP,set())
         tbl_nh =  swsscommon.Table(asic_db, vnet_obj.ASIC_NEXT_HOP)
@@ -2723,7 +2723,7 @@ def test_vnet_orch_28(self, dvs, dvs_acl, testlog):
         check_state_db_routes(dvs, vnet_name, "100.100.1.1/32", ['9.1.0.1'])
         check_routes_advertisement(dvs, "100.100.1.0/24", "Test_profile")
 
-        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.2', 'down')
+        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.4', 'down')
         time.sleep(2)
 
         route = get_created_entries(asic_db, vnet_obj.ASIC_ROUTE_ENTRY, vnet_obj.routes, 1)
@@ -2735,8 +2735,8 @@ def test_vnet_orch_28(self, dvs, dvs_acl, testlog):
         check_state_db_routes(dvs, vnet_name, "100.100.1.1/32", ['9.1.0.1'])
         check_routes_advertisement(dvs, "100.100.1.0/24", "Test_profile")
 
-        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.1', 'down')
-        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.2', 'up')
+        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.3', 'down')
+        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.4', 'up')
 
         time.sleep(2)
 
@@ -2761,7 +2761,7 @@ def test_vnet_orch_28(self, dvs, dvs_acl, testlog):
         check_state_db_routes(dvs, vnet_name, "100.100.1.1/32", ['9.1.0.2'])
         check_routes_advertisement(dvs, "100.100.1.0/24", "Test_profile")
 
-        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.1', 'up')
+        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.3', 'up')
         time.sleep(2)
 
         nhids = get_all_created_entries(asic_db, vnet_obj.ASIC_NEXT_HOP,set())
@@ -2784,8 +2784,8 @@ def test_vnet_orch_28(self, dvs, dvs_acl, testlog):
         check_state_db_routes(dvs, vnet_name, "100.100.1.1/32", ['9.1.0.1'])
         check_routes_advertisement(dvs, "100.100.1.0/24", "Test_profile")
 
-        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.1', 'down')
-        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.2', 'down')
+        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.3', 'down')
+        update_monitor_session_state(dvs, '100.100.1.1/32', '9.1.0.4', 'down')
 
         time.sleep(2)
 
@@ -2800,8 +2800,8 @@ def test_vnet_orch_28(self, dvs, dvs_acl, testlog):
         check_remove_state_db_routes(dvs, vnet_name, "100.100.1.1/32")
         check_remove_routes_advertisement(dvs, "100.100.1.0/24")
 
-        vnet_obj.check_custom_monitor_deleted(dvs, "100.100.1.1/32", "9.1.0.1")
-        vnet_obj.check_custom_monitor_deleted(dvs, "100.100.1.1/32", "9.1.0.2")
+        vnet_obj.check_custom_monitor_deleted(dvs, "100.100.1.1/32", "9.1.0.3")
+        vnet_obj.check_custom_monitor_deleted(dvs, "100.100.1.1/32", "9.1.0.4")
 
         delete_vnet_entry(dvs, vnet_name)
         vnet_obj.check_del_vnet_entry(dvs, vnet_name)

Original file line number	Diff line number	Diff line change
`@@ -112,7 +112,7 @@ static acl_rule_attr_lookup_t aclL3ActionLookup =`
`112`	`112`	`{ ACTION_DISABLE_TRIM, SAI_ACL_ENTRY_ATTR_ACTION_PACKET_TRIM_DISABLE }`
`113`	`113`	`};`
`114`	`114`
`115`		`-static acl_rule_attr_lookup_t aclInnerActionLookup =`
	`115`	`+static acl_rule_attr_lookup_t aclInnerActionLookup =`
`116`	`116`	`{`
`117`	`117`	`{ ACTION_INNER_SRC_MAC_REWRITE_ACTION, SAI_ACL_ENTRY_ATTR_ACTION_SET_INNER_SRC_MAC},`
`118`	`118`	`};`
`@@ -2186,8 +2186,8 @@ AclRuleInnerSrcMacRewrite::AclRuleInnerSrcMacRewrite(AclOrch *aclOrch, string ru`
`2186`	`2186`	`memcpy(actionData.parameter.mac, inner_src_mac_addr.getMac(), sizeof(sai_mac_t));`
`2187`	`2187`	`action_str = ACTION_INNER_SRC_MAC_REWRITE_ACTION;`
`2188`	`2188`	`SWSS_LOG_INFO("Converting the Mac address %s to SAI acl action parameter", _attr_value.c_str());`
`2189`		`- }`
`2190`		`-`
	`2189`	`+ }`
	`2190`	`+`
`2191`	`2191`	`else`
`2192`	`2192`	`{`
`2193`	`2193`	`return false;`
`@@ -2216,7 +2216,7 @@ AclRuleInnerSrcMacRewrite::AclRuleInnerSrcMacRewrite(AclOrch *aclOrch, string ru`
`2216`	`2216`
`2217`	`2217`	`void AclRuleInnerSrcMacRewrite::onUpdate(SubjectType type, void *cntx)`
`2218`	`2218`	`{`
`2219`		`- //do nothing`
	`2219`	`+ //do nothing`
`2220`	`2220`	`}`
`2221`	`2221`
`2222`	`2222`	`AclRuleMirror::AclRuleMirror(AclOrch aclOrch, MirrorOrch mirror, string rule, string table) :`
`@@ -2522,7 +2522,7 @@ void AclRuleUnderlaySetDscp::onUpdate(SubjectType, void *)`
`2522`	`2522`	`{`
`2523`	`2523`	`// Do nothing`
`2524`	`2524`	`}`
`2525`		`-`
	`2525`	`+`
`2526`	`2526`	`AclTable::AclTable(AclOrch *pAclOrch, string id) noexcept : m_pAclOrch(pAclOrch), id(id)`
`2527`	`2527`	`{`
`2528`	`2528`
`@@ -4419,7 +4419,7 @@ EgressSetDscpTableStatus AclOrch::addEgrSetDscpTable(string table_id, AclTable &`
`4419`	`4419`	`if (!isAclMetaDataSupported())`
`4420`	`4420`	`{`
`4421`	`4421`	`SWSS_LOG_ERROR("Platform does not support MARK_META/MARK_METAV6 tables.");`
`4422`		`- return EgressSetDscpTableStatus::EGRESS_SET_DSCP_TABLE_NOT_SUPPORTED;`
	`4422`	`+ return EgressSetDscpTableStatus::EGRESS_SET_DSCP_TABLE_NOT_SUPPORTED;`
`4423`	`4423`	`}`
`4424`	`4424`	`AclTable egrSetDscpTable(this);`
`4425`	`4425`
Original file line number	Diff line number	Diff line change
`@@ -1189,7 +1189,7 @@ bool VNetRouteOrch::doRouteTask<VNetVrfObject>(const string& vnet, IpPrefix& ipP`
`1189`	`1189`	`auto prefixToRemove = ipPrefix;`
`1190`	`1190`	`if (adv_prefix.to_string() != ipPrefix.to_string())`
`1191`	`1191`	`{`
`1192`		`- prefixToRemove = adv_prefix;`
	`1192`	`+ prefixToRemove = adv_prefix;`
`1193`	`1193`	`}`
`1194`	`1194`	`auto prefixSubnet = prefixToRemove.getSubnet();`
`1195`	`1195`	`if(gRouteOrch && gRouteOrch->isRouteExists(prefixSubnet))`
`@@ -2433,7 +2433,7 @@ void VNetRouteOrch::updateVnetTunnel(const BfdUpdate& update)`
`2433`	`2433`	`continue;`
`2434`	`2434`	`}`
`2435`	`2435`	`// when we add the first nexthop to the route, we dont create a nexthop group, we call the updateTunnelRoute with NHG with one member.`
`2436`		`- // when adding the 2nd, 3rd ... members we create each NH using this create_next_hop_group_member call but give it the reference of next_hop_group_id.`
	`2436`	`+ // when adding the 2nd, 3rd ... members we create each NH using this create_next_hop_group_member call but give it the reference of next_hop_group_id.`
`2437`	`2437`	`// this way we dont have to update the route, the syncd does it by itself. we only call the updateTunnelRoute to add/remove when adding or removing the`
`2438`	`2438`	`// route fully.`
`2439`	`2439`
`@@ -2511,7 +2511,7 @@ void VNetRouteOrch::updateVnetTunnel(const BfdUpdate& update)`
`2511`	`2511`	`SWSS_LOG_INFO("Successfully removed existing bgp route for prefix: %s\n", prefixStr.c_str());`
`2512`	`2512`	`}`
`2513`	`2513`	`string op = SET_COMMAND;`
`2514`		`- SWSS_LOG_INFO("Adding Vnet route for prefix:%s with nexthop group: %s\n", prefixStr.c_str(), nhStr.c_str());`
	`2514`	`+ SWSS_LOG_INFO("Adding Vnet route for prefix:%s with nexthop group: %s\n", prefixStr.c_str(), nhStr.c_str());`
`2515`	`2515`
`2516`	`2516`	`if (!updateTunnelRoute(vnet, ip_pfx, nexthops, op))`
`2517`	`2517`	`{`
`@@ -2520,7 +2520,7 @@ void VNetRouteOrch::updateVnetTunnel(const BfdUpdate& update)`
`2520`	`2520`	`}`
`2521`	`2521`	`else`
`2522`	`2522`	`{`
`2523`		`- SWSS_LOG_INFO("Successfully created tunnel route in hardware for prefix: %s\n", prefixStr.c_str());`
	`2523`	`+ SWSS_LOG_INFO("Successfully created tunnel route in hardware for prefix: %s\n", prefixStr.c_str());`
`2524`	`2524`	`}`
`2525`	`2525`	`}`
`2526`	`2526`	`}`
`@@ -2574,7 +2574,7 @@ void VNetRouteOrch::updateVnetTunnel(const BfdUpdate& update)`
`2574`	`2574`	`{`
`2575`	`2575`	`for (auto ip_pfx : syncd_nexthop_groups_[vnet][nexthops].tunnel_routes)`
`2576`	`2576`	`{`
`2577`		`- SWSS_LOG_NOTICE("Removing Vnet route for prefix : %s due to no active nexthops.\n",ip_pfx.to_string().c_str());`
	`2577`	`+ SWSS_LOG_NOTICE("Removing Vnet route for prefix : %s due to no active nexthops.\n",ip_pfx.to_string().c_str());`
`2578`	`2578`	`string op = DEL_COMMAND;`
`2579`	`2579`	`updateTunnelRoute(vnet, ip_pfx, nexthops, op);`
`2580`	`2580`	`}`
`@@ -2651,7 +2651,7 @@ void VNetRouteOrch::updateVnetTunnelCustomMonitor(const MonitorUpdate& update)`
`2651`	`2651`	`NextHopGroupKey nhg_custom_primary = getActiveNHSet( vnet, primary, prefix);`
`2652`	`2652`	`NextHopGroupKey nhg_custom_secondary = getActiveNHSet( vnet, secondary, prefix);`
`2653`	`2653`	`SWSS_LOG_INFO("Primary active(%s), Secondary active (%s), Current active(%s)\n", nhg_custom_primary.to_string().c_str(),`
`2654`		`- nhg_custom_secondary.to_string().c_str(), active_nhg.to_string().c_str());`
	`2654`	`+ nhg_custom_secondary.to_string().c_str(), active_nhg.to_string().c_str());`
`2655`	`2655`	`if (nhg_custom_primary.getSize() > 0)`
`2656`	`2656`	`{`
`2657`	`2657`	`if (nhg_custom_primary != active_nhg )`
`@@ -2731,14 +2731,14 @@ void VNetRouteOrch::updateVnetTunnelCustomMonitor(const MonitorUpdate& update)`
`2731`	`2731`	`{`
`2732`	`2732`	`// we need to replace the nhg in the route`
`2733`	`2733`	`SWSS_LOG_INFO("Replacing nexthop group for prefix: %s, nexthop group: %s\n",`
`2734`		`- prefix.to_string().c_str(), nhg_custom.to_string().c_str());`
	`2734`	`+ prefix.to_string().c_str(), nhg_custom.to_string().c_str());`
`2735`	`2735`	`route_status = update_route(vr_id, pfx, nh_id);`
`2736`	`2736`	`}`
`2737`	`2737`	`else`
`2738`	`2738`	`{`
`2739`	`2739`	`// we need to readd the route.`
`2740`	`2740`	`SWSS_LOG_NOTICE("Adding Custom monitored Route with prefix: %s and nexthop group: %s\n",`
`2741`		`- prefix.to_string().c_str(), nhg_custom.to_string().c_str());`
	`2741`	`+ prefix.to_string().c_str(), nhg_custom.to_string().c_str());`
`2742`	`2742`	`auto prefixToUse = prefix;`
`2743`	`2743`	`if (prefix_to_adv_prefix_.find(prefix) != prefix_to_adv_prefix_.end())`
`2744`	`2744`	`{`
`@@ -2817,7 +2817,7 @@ void VNetRouteOrch::updateVnetTunnelCustomMonitor(const MonitorUpdate& update)`
`2817`	`2817`	`if (nhg_custom.getSize() == 0 && active_nhg_size > 0)`
`2818`	`2818`	`{`
`2819`	`2819`	`vrf_obj->removeRoute(prefix);`
`2820`		`- SWSS_LOG_NOTICE("Route prefix is no longer active: %s\n", prefix.to_string().c_str());`
	`2820`	`+ SWSS_LOG_NOTICE("Route prefix is no longer active: %s\n", prefix.to_string().c_str());`
`2821`	`2821`	`removeRouteState(vnet, prefix);`
`2822`	`2822`	`if (prefix_to_adv_prefix_.find(prefix) != prefix_to_adv_prefix_.end())`
`2823`	`2823`	`{`
`@@ -2995,7 +2995,6 @@ bool VNetRouteOrch::handleTunnel(const Request& request)`
`2995`	`2995`	`IpAddress ip = ip_list[idx_ip];`
`2996`	`2996`	`bool is_local = isLocalEndpoint(vnet_name, ip);`
`2997`	`2997`	`bool is_overlay = !is_local;`
`2998`		`- IpAddress nh_ip = is_local ? monitor_list[idx_ip] : ip;`
`2999`	`2998`	`string alias = is_local ? gIntfsOrch->getRouterIntfsAlias(ip) : "";`
`3000`	`2999`	`MacAddress mac;`
`3001`	`3000`	`uint32_t vni = 0;`
`@@ -3015,7 +3014,8 @@ bool VNetRouteOrch::handleTunnel(const Request& request)`
`3015`	`3014`
`3016`	`3015`	`if (is_local)`
`3017`	`3016`	`{`
`3018`		`- vnet_tunnel_term_acl_->createAclRule(vnet_name, ip_pfx, nh_ip);`
	`3017`	`+ SWSS_LOG_INFO("Attempting to add TUNNEL TERM ACL for local endpoint %s", ip.to_string().c_str());`
	`3018`	`+ vnet_tunnel_term_acl_->createAclRule(vnet_name, ip_pfx, ip);`
`3019`	`3019`	`}`
`3020`	`3020`
`3021`	`3021`	`NextHopKey nh(ip, alias, mac, vni, is_overlay);`
`@@ -3337,6 +3337,7 @@ bool VNetTunnelTermAcl::createAclRule(const string vnet_name, swss::IpPrefix& vi`
`3337`	`3337`	`if (getAclRule(vnet_name, vip, rule))`
`3338`	`3338`	`{`
`3339`	`3339`	`/* If there are more than one local points for the same VIP, we will not create a new rule. */`
	`3340`	`+ SWSS_LOG_NOTICE("ACL rule already exists for VNet %s with VIP %s", vnet_name.c_str(), vip.to_string().c_str());`
`3340`	`3341`	`return true;`
`3341`	`3342`	`}`
`3342`	`3343`
`@@ -3352,10 +3353,14 @@ bool VNetTunnelTermAcl::createAclRule(const string vnet_name, swss::IpPrefix& vi`
`3352`	`3353`	`vector<FieldValueTuple> fvs = {`
`3353`	`3354`	`{RULE_PRIORITY, to_string(VNET_TUNNEL_TERM_ACL_BASE_PRIORITY)},`
`3354`	`3355`	`{MATCH_DST_IP, vip.to_string()},`
	`3356`	`+ {MATCH_TUNNEL_TERM, "true"},`
`3355`	`3357`	`/* This tunnel term acl is to handle a transient state in DPU failover, so the redirect can't point to a VIP.*/`
`3356`		`- {ACTION_REDIRECT_ACTION, alias}`
	`3358`	`+ {ACTION_REDIRECT_ACTION, nh_ip.to_string()}`
`3357`	`3359`	`};`
`3358`	`3360`
	`3361`	`+ SWSS_LOG_NOTICE("Creating ACL rule %s for VNet %s with VIP %s to redirect to %s",`
	`3362`	`+ rule_name.c_str(), vnet_name.c_str(), vip.to_string().c_str(), nh_ip.to_string().c_str());`
	`3363`	`+`
`3359`	`3364`	`acl_rule_table_->set(rule_name, fvs);`
`3360`	`3365`
`3361`	`3366`	`rule.rule_name = rule_name;`