ACL plugin support tagged subinterfaces
Change-Id: I92b351895c7efb26533c05512b91ead8ddbfb9c8
Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
diff --git a/test/test_acl_plugin_macip.py b/test/test_acl_plugin_macip.py
index f10d6cc..d27458d 100644
--- a/test/test_acl_plugin_macip.py
+++ b/test/test_acl_plugin_macip.py
@@ -9,16 +9,16 @@
from struct import *
from scapy.packet import Raw
from scapy.layers.l2 import Ether
-from scapy.layers.inet import IP, UDP, TCP
+from scapy.layers.inet import IP, UDP
from scapy.layers.inet6 import IPv6
from framework import VppTestCase, VppTestRunner, running_extended_tests
from vpp_lo_interface import VppLoInterface
+from vpp_papi_provider import L2_VTR_OP
+from vpp_sub_interface import VppSubInterface, VppDot1QSubint, VppDot1ADSubint
-class TestMACIP(VppTestCase):
- """MACIP Test Case"""
-
+class MethodHolder(VppTestCase):
DEBUG = False
BRIDGED = True
@@ -27,6 +27,11 @@
IS_IP4 = False
IS_IP6 = True
+ DOT1AD = "dot1ad"
+ DOT1Q = "dot1q"
+ PERMIT_TAGS = True
+ DENY_TAGS = False
+
# rule types
DENY = 0
PERMIT = 1
@@ -49,19 +54,36 @@
class VppTestCase) before running the test case, set test case related
variables and configure VPP.
"""
- super(TestMACIP, cls).setUpClass()
+ super(MethodHolder, cls).setUpClass()
cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
- cls.bd_id = 10
- cls.remote_hosts_count = 250
+ cls.bd_id = 111
+ cls.remote_hosts_count = 200
try:
- # create 3 pg interfaces, 1 loopback interface
- cls.create_pg_interfaces(range(3))
+ # create 4 pg interfaces, 1 loopback interface
+ cls.create_pg_interfaces(range(4))
cls.create_loopback_interfaces(range(1))
+ # create 2 subinterfaces
+ cls.subifs = [
+ VppDot1QSubint(cls, cls.pg1, 10),
+ VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
+ VppDot1QSubint(cls, cls.pg3, 30),
+ VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
+
+ cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
+ inner=10, push1q=1)
+ cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
+ outer=300, inner=400, push1q=1)
+ cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
+ inner=30, push1q=1)
+ cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
+ outer=600, inner=700, push1q=1)
+
cls.interfaces = list(cls.pg_interfaces)
cls.interfaces.extend(cls.lo_interfaces)
+ cls.interfaces.extend(cls.subifs)
for i in cls.interfaces:
i.admin_up()
@@ -73,12 +95,18 @@
cls.pg0.sw_if_index, bd_id=cls.bd_id)
cls.vapi.sw_interface_set_l2_bridge(
cls.pg1.sw_if_index, bd_id=cls.bd_id)
+ cls.vapi.sw_interface_set_l2_bridge(
+ cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
+ cls.vapi.sw_interface_set_l2_bridge(
+ cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
- # Configure IPv4 addresses on loop interface and routed interface
+ # Configure IPv4/6 addresses on loop interface and routed interface
cls.loop0.config_ip4()
cls.loop0.config_ip6()
cls.pg2.config_ip4()
cls.pg2.config_ip6()
+ cls.pg3.config_ip4()
+ cls.pg3.config_ip6()
# Configure MAC address binding to IPv4 neighbors on loop0
cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
@@ -90,22 +118,35 @@
cls.loop0.configure_ipv4_neighbors()
cls.loop0.configure_ipv6_neighbors()
+
+ # configure MAC address on pg3
+ cls.pg3.resolve_arp()
+ cls.pg3.resolve_ndp()
+
+ # configure MAC address on subifs
+ for i in cls.subifs:
+ i.config_ip4()
+ i.resolve_arp()
+ i.config_ip6()
+
# configure MAC address on pg2
cls.pg2.resolve_arp()
cls.pg2.resolve_ndp()
# Loopback BVI interface has remote hosts
- # one half of hosts are behind pg0 second behind pg1
- half = cls.remote_hosts_count // 2
- cls.pg0.remote_hosts = cls.loop0.remote_hosts[:half]
- cls.pg1.remote_hosts = cls.loop0.remote_hosts[half:]
+ # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
+ cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
+ cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
+ cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
+ cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
+ cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
except Exception:
super(TestMACIP, cls).tearDownClass()
raise
def setUp(self):
- super(TestMACIP, self).setUp()
+ super(MethodHolder, self).setUp()
self.reset_packet_infos()
del self.ACLS[:]
@@ -113,13 +154,16 @@
"""
Show various debug prints after each test.
"""
- super(TestMACIP, self).tearDown()
+ super(MethodHolder, self).tearDown()
if not self.vpp_dead:
self.logger.info(self.vapi.ppcli("show interface address"))
self.logger.info(self.vapi.ppcli("show hardware"))
self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
+ self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
+ self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
+ self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
# print self.vapi.ppcli("show interface address")
# print self.vapi.ppcli("show hardware")
# print self.vapi.ppcli("sh acl-plugin macip interface")
@@ -217,13 +261,13 @@
src_mac += 1099511627776
return acls
- def apply_rules(self, acls):
+ def apply_macip_rules(self, acls):
for acl in acls:
reply = self.vapi.macip_acl_add(acl)
self.assertEqual(reply.retval, 0)
self.ACLS.append(reply.acl_index)
- def verify_acls(self, acl_count, rules_count, expected_count=2):
+ def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
reply = self.macip_acl_dump_debug()
for acl in range(2, (acl_count+1) * 2):
self.assertEqual(reply[acl - 2].count, rules_count[acl/2-1])
@@ -243,8 +287,18 @@
reply = self.vapi.macip_acl_dump()
self.assertEqual(len(reply), 0)
+ intf_acls = self.vapi.ppcli("sh acl-plugin interface").split(
+ "\nsw_if_index")
+ for i_a in intf_acls:
+ ia = i_a.split(":")
+ if len(ia) == 3:
+ sw_if_index = int(ia[0])
+ acl_index = int(ia[2])
+ self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
+ self.vapi.acl_del(acl_index)
+
def create_stream(self, mac_type, ip_type, packet_count,
- src_ip_if, dst_ip_if, bridged_routed, is_ip6):
+ src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
# exact MAC and exact IP
# exact MAC and subnet of IPs
# exact MAC and wildcard IP
@@ -256,15 +310,16 @@
# OUI restricted MAC and wildcard IP
packets = []
- rules = []
+ macip_rules = []
+ acl_rules = []
ip_permit = ""
mac_permit = ""
dst_mac = ""
mac_rule = "00:00:00:00:00:00"
mac_mask = "00:00:00:00:00:00"
for p in range(0, packet_count):
- remote_dst_index = p % len(dst_ip_if.remote_hosts)
- remote_dst_host = dst_ip_if.remote_hosts[remote_dst_index]
+ remote_dst_index = p % len(dst_if.remote_hosts)
+ remote_dst_host = dst_if.remote_hosts[remote_dst_index]
dst_port = 1234 + p
src_port = 4321 + p
@@ -276,14 +331,14 @@
if not is_permit and mac_type == self.WILD_MAC:
denyIP = True
- if bridged_routed == self.BRIDGED:
+ if traffic == self.BRIDGED:
if is_permit:
src_mac = remote_dst_host._mac
dst_mac = 'de:ad:00:00:00:00'
src_ip4 = remote_dst_host.ip4
- dst_ip4 = src_ip_if.remote_ip4
+ dst_ip4 = src_if.remote_ip4
src_ip6 = remote_dst_host.ip6
- dst_ip6 = src_ip_if.remote_ip6
+ dst_ip6 = src_if.remote_ip6
ip_permit = src_ip6 if is_ip6 else src_ip4
mac_permit = src_mac
if denyMAC:
@@ -298,16 +353,16 @@
if ip_type != self.WILD_IP:
src_mac = mac_permit
src_ip4 = remote_dst_host.ip4
- dst_ip4 = src_ip_if.remote_ip4
+ dst_ip4 = src_if.remote_ip4
src_ip6 = remote_dst_host.ip6
- dst_ip6 = src_ip_if.remote_ip6
+ dst_ip6 = src_if.remote_ip6
else:
if is_permit:
src_mac = remote_dst_host._mac
- dst_mac = src_ip_if.local_mac
- src_ip4 = src_ip_if.remote_ip4
+ dst_mac = src_if.local_mac
+ src_ip4 = src_if.remote_ip4
dst_ip4 = remote_dst_host.ip4
- src_ip6 = src_ip_if.remote_ip6
+ src_ip6 = src_if.remote_ip6
dst_ip6 = remote_dst_host.ip6
ip_permit = src_ip6 if is_ip6 else src_ip4
mac_permit = src_mac
@@ -324,12 +379,12 @@
if ip_type != self.WILD_IP:
src_mac = mac_permit
src_ip4 = remote_dst_host.ip4
- dst_ip4 = src_ip_if.remote_ip4
+ dst_ip4 = src_if.remote_ip4
src_ip6 = remote_dst_host.ip6
- dst_ip6 = src_ip_if.remote_ip6
+ dst_ip6 = src_if.remote_ip6
if is_permit:
- info = self.create_packet_info(src_ip_if, dst_ip_if)
+ info = self.create_packet_info(src_if, dst_if)
payload = self.info_to_payload(info)
else:
payload = "to be blocked"
@@ -379,10 +434,34 @@
packet[Raw].load += " mac:"+src_mac
size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
+ if isinstance(src_if, VppSubInterface):
+ size = size + 4
+ if isinstance(src_if, VppDot1QSubint):
+ if src_if is self.subifs[0]:
+ if tags == self.PERMIT_TAGS:
+ packet = src_if.add_dot1q_layer(packet, 10)
+ else:
+ packet = src_if.add_dot1q_layer(packet, 11)
+ else:
+ if tags == self.PERMIT_TAGS:
+ packet = src_if.add_dot1q_layer(packet, 30)
+ else:
+ packet = src_if.add_dot1q_layer(packet, 33)
+ elif isinstance(src_if, VppDot1ADSubint):
+ if src_if is self.subifs[1]:
+ if tags == self.PERMIT_TAGS:
+ packet = src_if.add_dot1ad_layer(packet, 300, 400)
+ else:
+ packet = src_if.add_dot1ad_layer(packet, 333, 444)
+ else:
+ if tags == self.PERMIT_TAGS:
+ packet = src_if.add_dot1ad_layer(packet, 600, 700)
+ else:
+ packet = src_if.add_dot1ad_layer(packet, 666, 777)
self.extend_packet(packet, size)
packets.append(packet)
- # create suitable rule
+ # create suitable MACIP rule
if mac_type == self.EXACT_MAC:
mac_rule = src_mac
mac_mask = "ff:ff:ff:ff:ff:ff"
@@ -422,38 +501,77 @@
prefix_len = 64 if is_ip6 else 16
ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
+ # create suitable ACL rule
+ if is_permit:
+ rule_l4_sport = packet[UDP].sport
+ rule_l4_dport = packet[UDP].dport
+ rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
+ rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
+ rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
+ if packet.haslayer(IPv6):
+ rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
+ else:
+ rule_l4_proto = packet[IP].proto
+
+ acl_rule = {
+ 'is_permit': is_permit,
+ 'is_ipv6': is_ip6,
+ 'src_ip_addr': inet_pton(rule_family,
+ packet[rule_l3_layer].src),
+ 'src_ip_prefix_len': rule_prefix_len,
+ 'dst_ip_addr': inet_pton(rule_family,
+ packet[rule_l3_layer].dst),
+ 'dst_ip_prefix_len': rule_prefix_len,
+ 'srcport_or_icmptype_first': rule_l4_sport,
+ 'srcport_or_icmptype_last': rule_l4_sport,
+ 'dstport_or_icmpcode_first': rule_l4_dport,
+ 'dstport_or_icmpcode_last': rule_l4_dport,
+ 'proto': rule_l4_proto}
+ acl_rules.append(acl_rule)
+
if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
continue
if is_permit:
- rule = ({'is_permit': is_permit,
- 'is_ipv6': is_ip6,
- 'src_ip_addr': ip_rule,
- 'src_ip_prefix_len': prefix_len,
- 'src_mac': mac_rule.replace(':', '').decode('hex'),
- 'src_mac_mask': mac_mask.replace(':', '').decode(
- 'hex')})
- rules.append(rule)
+ macip_rule = ({
+ 'is_permit': is_permit,
+ 'is_ipv6': is_ip6,
+ 'src_ip_addr': ip_rule,
+ 'src_ip_prefix_len': prefix_len,
+ 'src_mac': mac_rule.replace(':', '').decode('hex'),
+ 'src_mac_mask': mac_mask.replace(':', '').decode('hex')})
+ macip_rules.append(macip_rule)
# deny all other packets
if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
- rule = ({'is_permit': 0,
- 'is_ipv6': is_ip6,
- 'src_ip_addr': "",
- 'src_ip_prefix_len': 0,
- 'src_mac': "",
- 'src_mac_mask': ""})
- rules.append(rule)
+ macip_rule = ({'is_permit': 0,
+ 'is_ipv6': is_ip6,
+ 'src_ip_addr': "",
+ 'src_ip_prefix_len': 0,
+ 'src_mac': "",
+ 'src_mac_mask': ""})
+ macip_rules.append(macip_rule)
- return {'stream': packets, 'rules': rules}
+ acl_rule = {'is_permit': 0,
+ 'is_ipv6': is_ip6}
+ acl_rules.append(acl_rule)
+ return {'stream': packets,
+ 'macip_rules': macip_rules,
+ 'acl_rules': acl_rules}
def verify_capture(self, stream, capture, is_ip6):
- p_l3 = IPv6 if is_ip6 else IP
- if self.DEBUG:
- for p in stream:
- print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
-
- acls = self.macip_acl_dump_debug()
+ """
+ :param stream:
+ :param capture:
+ :param is_ip6:
+ :return:
+ """
+ # p_l3 = IPv6 if is_ip6 else IP
+ # if self.DEBUG:
+ # for p in stream:
+ # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
+ #
+ # acls = self.macip_acl_dump_debug()
# TODO : verify
# for acl in acls:
@@ -468,64 +586,112 @@
# data = p[Raw].load.split(':',1)[1]
# print p[p_l3].src, data
- def run_traffic(self, mac_type, ip_type, bridged_routed, is_ip6, packets,
- do_not_expected_capture=False):
+ def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
+ do_not_expected_capture=False, tags=None,
+ apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS):
self.reset_packet_infos()
- tx_if = self.pg0 if bridged_routed == self.BRIDGED else self.pg2
- rx_if = self.pg2 if bridged_routed == self.BRIDGED else self.pg0
+ if tags is None:
+ tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
+ rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
+ src_if = self.pg3
+ dst_if = self.loop0
+ else:
+ if tags == self.DOT1Q:
+ if traffic == self.BRIDGED:
+ tx_if = self.subifs[0]
+ rx_if = self.pg0
+ src_if = self.subifs[0]
+ dst_if = self.loop0
+ else:
+ tx_if = self.subifs[2]
+ rx_if = self.pg0
+ src_if = self.subifs[2]
+ dst_if = self.loop0
+ elif tags == self.DOT1AD:
+ if traffic == self.BRIDGED:
+ tx_if = self.subifs[1]
+ rx_if = self.pg0
+ src_if = self.subifs[1]
+ dst_if = self.loop0
+ else:
+ tx_if = self.subifs[3]
+ rx_if = self.pg0
+ src_if = self.subifs[3]
+ dst_if = self.loop0
+ else:
+ return
test_dict = self.create_stream(mac_type, ip_type, packets,
- self.pg2, self.loop0,
- bridged_routed,
- is_ip6)
+ src_if, dst_if,
+ traffic, is_ip6,
+ tags=permit_tags)
- reply = self.vapi.macip_acl_add(test_dict['rules'])
- self.assertEqual(reply.retval, 0)
- acl_index = reply.acl_index
+ if apply_rules:
+ if isMACIP:
+ reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
+ else:
+ reply = self.vapi.acl_add_replace(acl_index=4294967295,
+ r=test_dict['acl_rules'])
+ self.assertEqual(reply.retval, 0)
+ acl_index = reply.acl_index
- self.vapi.macip_acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
- acl_index=acl_index)
- reply = self.vapi.macip_acl_interface_get()
- self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
- self.ACLS.append(reply.acls[tx_if.sw_if_index])
+ if isMACIP:
+ self.vapi.macip_acl_interface_add_del(
+ sw_if_index=tx_if.sw_if_index,
+ acl_index=acl_index)
+ reply = self.vapi.macip_acl_interface_get()
+ self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
+ self.ACLS.append(reply.acls[tx_if.sw_if_index])
+ else:
+ self.vapi.acl_interface_add_del(
+ sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
+ else:
+ self.vapi.macip_acl_interface_add_del(
+ sw_if_index=tx_if.sw_if_index,
+ acl_index=0)
- tx_if.add_stream(test_dict['stream'])
+ if not isinstance(src_if, VppSubInterface):
+ tx_if.add_stream(test_dict['stream'])
+ else:
+ tx_if.parent.add_stream(test_dict['stream'])
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
if do_not_expected_capture:
rx_if.get_capture(0)
else:
- packet_count = self.get_packet_count_for_if_idx(
- self.loop0.sw_if_index)
- if mac_type == self.WILD_MAC and ip_type == self.WILD_IP:
- packet_count = packets if bridged_routed else packet_count
- capture = rx_if.get_capture(packet_count)
+ if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
+ ip_type == self.WILD_IP:
+ capture = rx_if.get_capture(packets)
+ else:
+ capture = rx_if.get_capture(
+ self.get_packet_count_for_if_idx(dst_if.sw_if_index))
self.verify_capture(test_dict['stream'], capture, is_ip6)
+ if not isMACIP:
+ self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
+ acl_index=acl_index, is_add=0)
+ self.vapi.acl_del(acl_index)
def run_test_acls(self, mac_type, ip_type, acl_count,
rules_count, traffic=None, ip=None):
- self.apply_rules(self.create_rules(mac_type, ip_type, acl_count,
- rules_count))
- self.verify_acls(acl_count, rules_count)
+ self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
+ rules_count))
+ self.verify_macip_acls(acl_count, rules_count)
if traffic is not None:
self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
+
+class TestMACIP_IP4(MethodHolder):
+ """MACIP with IP4 traffic"""
+
def test_acl_bridged_ip4_exactMAC_exactIP(self):
""" IP4 MACIP exactMAC|exactIP ACL bridged traffic
"""
self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
self.BRIDGED, self.IS_IP4, 9)
- def test_acl_bridged_ip6_exactMAC_exactIP(self):
- """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
- """
-
- self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
- self.BRIDGED, self.IS_IP6, 9)
-
def test_acl_bridged_ip4_exactMAC_subnetIP(self):
""" IP4 MACIP exactMAC|subnetIP ACL bridged traffic
"""
@@ -533,13 +699,6 @@
self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
self.BRIDGED, self.IS_IP4, 9)
- def test_acl_bridged_ip6_exactMAC_subnetIP(self):
- """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
- """
-
- self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
- self.BRIDGED, self.IS_IP6, 9)
-
def test_acl_bridged_ip4_exactMAC_wildIP(self):
""" IP4 MACIP exactMAC|wildIP ACL bridged traffic
"""
@@ -547,13 +706,6 @@
self.run_traffic(self.EXACT_MAC, self.WILD_IP,
self.BRIDGED, self.IS_IP4, 9)
- def test_acl_bridged_ip6_exactMAC_wildIP(self):
- """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
- """
-
- self.run_traffic(self.EXACT_MAC, self.WILD_IP,
- self.BRIDGED, self.IS_IP6, 9)
-
def test_acl_bridged_ip4_ouiMAC_exactIP(self):
""" IP4 MACIP ouiMAC|exactIP ACL bridged traffic
"""
@@ -561,13 +713,6 @@
self.run_traffic(self.OUI_MAC, self.EXACT_IP,
self.BRIDGED, self.IS_IP4, 3)
- def test_acl_bridged_ip6_ouiMAC_exactIP(self):
- """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
- """
-
- self.run_traffic(self.OUI_MAC, self.EXACT_IP,
- self.BRIDGED, self.IS_IP6, 9)
-
def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
""" IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
"""
@@ -575,13 +720,6 @@
self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
self.BRIDGED, self.IS_IP4, 9)
- def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
- """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
- """
-
- self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
- self.BRIDGED, self.IS_IP6, 9)
-
def test_acl_bridged_ip4_ouiMAC_wildIP(self):
""" IP4 MACIP ouiMAC|wildIP ACL bridged traffic
"""
@@ -589,13 +727,6 @@
self.run_traffic(self.OUI_MAC, self.WILD_IP,
self.BRIDGED, self.IS_IP4, 9)
- def test_acl_bridged_ip6_ouiMAC_wildIP(self):
- """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
- """
-
- self.run_traffic(self.OUI_MAC, self.WILD_IP,
- self.BRIDGED, self.IS_IP6, 9)
-
def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
""" IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
"""
@@ -603,13 +734,6 @@
self.run_traffic(self.WILD_MAC, self.EXACT_IP,
self.BRIDGED, self.IS_IP4, 9)
- def test_acl_bridged_ip6_wildMAC_exactIP(self):
- """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
- """
-
- self.run_traffic(self.WILD_MAC, self.EXACT_IP,
- self.BRIDGED, self.IS_IP6, 9)
-
def test_acl_bridged_ip4_wildMAC_subnetIP(self):
""" IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
"""
@@ -617,13 +741,6 @@
self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
self.BRIDGED, self.IS_IP4, 9)
- def test_acl_bridged_ip6_wildMAC_subnetIP(self):
- """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
- """
-
- self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
- self.BRIDGED, self.IS_IP6, 9)
-
def test_acl_bridged_ip4_wildMAC_wildIP(self):
""" IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
"""
@@ -631,52 +748,24 @@
self.run_traffic(self.WILD_MAC, self.WILD_IP,
self.BRIDGED, self.IS_IP4, 9)
- def test_acl_bridged_ip6_wildMAC_wildIP(self):
- """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
- """
-
- self.run_traffic(self.WILD_MAC, self.WILD_IP,
- self.BRIDGED, self.IS_IP6, 9)
-
def test_acl_routed_ip4_exactMAC_exactIP(self):
""" IP4 MACIP exactMAC|exactIP ACL routed traffic
"""
self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
self.ROUTED, self.IS_IP4, 9)
- def test_acl_routed_ip6_exactMAC_exactIP(self):
- """ IP6 MACIP exactMAC|exactIP ACL routed traffic
- """
-
- self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
- self.ROUTED, self.IS_IP6, 9)
-
def test_acl_routed_ip4_exactMAC_subnetIP(self):
""" IP4 MACIP exactMAC|subnetIP ACL routed traffic
"""
self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
self.ROUTED, self.IS_IP4, 9)
- def test_acl_routed_ip6_exactMAC_subnetIP(self):
- """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
- """
-
- self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
- self.ROUTED, self.IS_IP6, 9)
-
def test_acl_routed_ip4_exactMAC_wildIP(self):
""" IP4 MACIP exactMAC|wildIP ACL routed traffic
"""
self.run_traffic(self.EXACT_MAC, self.WILD_IP,
self.ROUTED, self.IS_IP4, 9)
- def test_acl_routed_ip6_exactMAC_wildIP(self):
- """ IP6 MACIP exactMAC|wildIP ACL routed traffic
- """
-
- self.run_traffic(self.EXACT_MAC, self.WILD_IP,
- self.ROUTED, self.IS_IP6, 9)
-
def test_acl_routed_ip4_ouiMAC_exactIP(self):
""" IP4 MACIP ouiMAC|exactIP ACL routed traffic
"""
@@ -684,13 +773,6 @@
self.run_traffic(self.OUI_MAC, self.EXACT_IP,
self.ROUTED, self.IS_IP4, 9)
- def test_acl_routed_ip6_ouiMAC_exactIP(self):
- """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
- """
-
- self.run_traffic(self.OUI_MAC, self.EXACT_IP,
- self.ROUTED, self.IS_IP6, 9)
-
def test_acl_routed_ip4_ouiMAC_subnetIP(self):
""" IP4 MACIP ouiMAC|subnetIP ACL routed traffic
"""
@@ -698,13 +780,6 @@
self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
self.ROUTED, self.IS_IP4, 9)
- def test_acl_routed_ip6_ouiMAC_subnetIP(self):
- """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
- """
-
- self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
- self.ROUTED, self.IS_IP6, 9)
-
def test_acl_routed_ip4_ouiMAC_wildIP(self):
""" IP4 MACIP ouiMAC|wildIP ACL routed traffic
"""
@@ -712,13 +787,6 @@
self.run_traffic(self.OUI_MAC, self.WILD_IP,
self.ROUTED, self.IS_IP4, 9)
- def test_acl_routed_ip6_ouiMAC_wildIP(self):
- """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
- """
-
- self.run_traffic(self.OUI_MAC, self.WILD_IP,
- self.ROUTED, self.IS_IP6, 9)
-
def test_acl_routed_ip4_wildMAC_exactIP(self):
""" IP4 MACIP wildcardMAC|exactIP ACL routed traffic
"""
@@ -726,13 +794,6 @@
self.run_traffic(self.WILD_MAC, self.EXACT_IP,
self.ROUTED, self.IS_IP4, 9)
- def test_acl_routed_ip6_wildMAC_exactIP(self):
- """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
- """
-
- self.run_traffic(self.WILD_MAC, self.EXACT_IP,
- self.ROUTED, self.IS_IP6, 9)
-
def test_acl_routed_ip4_wildMAC_subnetIP(self):
""" IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
"""
@@ -740,6 +801,144 @@
self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
self.ROUTED, self.IS_IP4, 9)
+ def test_acl_routed_ip4_wildMAC_wildIP(self):
+ """ IP4 MACIP wildcardMAC|wildIP ACL
+ """
+
+ self.run_traffic(self.WILD_MAC, self.WILD_IP,
+ self.ROUTED, self.IS_IP4, 9)
+
+ def test_acl_replace_traffic_ip4(self):
+ """ MACIP replace ACL with IP4 traffic
+ """
+ self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
+ self.BRIDGED, self.IS_IP4, 9)
+
+ r = self.create_rules()
+ # replace acls #2, #3 with new
+ reply = self.vapi.macip_acl_add_replace(r[0], 0)
+ self.assertEqual(reply.retval, 0)
+ self.assertEqual(reply.acl_index, 0)
+
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
+ self.BRIDGED, self.IS_IP4, 9, True)
+
+
+class TestMACIP_IP6(MethodHolder):
+ """MACIP with IP6 traffic"""
+
+ def test_acl_bridged_ip6_exactMAC_exactIP(self):
+ """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
+ """
+
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
+ self.BRIDGED, self.IS_IP6, 9)
+
+ def test_acl_bridged_ip6_exactMAC_subnetIP(self):
+ """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
+ """
+
+ self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
+ self.BRIDGED, self.IS_IP6, 9)
+
+ def test_acl_bridged_ip6_exactMAC_wildIP(self):
+ """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
+ """
+
+ self.run_traffic(self.EXACT_MAC, self.WILD_IP,
+ self.BRIDGED, self.IS_IP6, 9)
+
+ def test_acl_bridged_ip6_ouiMAC_exactIP(self):
+ """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
+ """
+
+ self.run_traffic(self.OUI_MAC, self.EXACT_IP,
+ self.BRIDGED, self.IS_IP6, 9)
+
+ def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
+ """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
+ """
+
+ self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
+ self.BRIDGED, self.IS_IP6, 9)
+
+ def test_acl_bridged_ip6_ouiMAC_wildIP(self):
+ """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
+ """
+
+ self.run_traffic(self.OUI_MAC, self.WILD_IP,
+ self.BRIDGED, self.IS_IP6, 9)
+
+ def test_acl_bridged_ip6_wildMAC_exactIP(self):
+ """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
+ """
+
+ self.run_traffic(self.WILD_MAC, self.EXACT_IP,
+ self.BRIDGED, self.IS_IP6, 9)
+
+ def test_acl_bridged_ip6_wildMAC_subnetIP(self):
+ """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
+ """
+
+ self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
+ self.BRIDGED, self.IS_IP6, 9)
+
+ def test_acl_bridged_ip6_wildMAC_wildIP(self):
+ """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
+ """
+
+ self.run_traffic(self.WILD_MAC, self.WILD_IP,
+ self.BRIDGED, self.IS_IP6, 9)
+
+ def test_acl_routed_ip6_exactMAC_exactIP(self):
+ """ IP6 MACIP exactMAC|exactIP ACL routed traffic
+ """
+
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
+ self.ROUTED, self.IS_IP6, 9)
+
+ def test_acl_routed_ip6_exactMAC_subnetIP(self):
+ """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
+ """
+
+ self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
+ self.ROUTED, self.IS_IP6, 9)
+
+ def test_acl_routed_ip6_exactMAC_wildIP(self):
+ """ IP6 MACIP exactMAC|wildIP ACL routed traffic
+ """
+
+ self.run_traffic(self.EXACT_MAC, self.WILD_IP,
+ self.ROUTED, self.IS_IP6, 9)
+
+ def test_acl_routed_ip6_ouiMAC_exactIP(self):
+ """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
+ """
+
+ self.run_traffic(self.OUI_MAC, self.EXACT_IP,
+ self.ROUTED, self.IS_IP6, 9)
+
+ def test_acl_routed_ip6_ouiMAC_subnetIP(self):
+ """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
+ """
+
+ self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
+ self.ROUTED, self.IS_IP6, 9)
+
+ def test_acl_routed_ip6_ouiMAC_wildIP(self):
+ """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
+ """
+
+ self.run_traffic(self.OUI_MAC, self.WILD_IP,
+ self.ROUTED, self.IS_IP6, 9)
+
+ def test_acl_routed_ip6_wildMAC_exactIP(self):
+ """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
+ """
+
+ self.run_traffic(self.WILD_MAC, self.EXACT_IP,
+ self.ROUTED, self.IS_IP6, 9)
+
def test_acl_routed_ip6_wildMAC_subnetIP(self):
""" IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
"""
@@ -747,6 +946,32 @@
self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
self.ROUTED, self.IS_IP6, 9)
+ def test_acl_routed_ip6_wildMAC_wildIP(self):
+ """ IP6 MACIP wildcardMAC|wildIP ACL
+ """
+
+ self.run_traffic(self.WILD_MAC, self.WILD_IP,
+ self.ROUTED, self.IS_IP6, 9)
+
+ def test_acl_replace_traffic_ip6(self):
+ """ MACIP replace ACL with IP6 traffic
+ """
+ self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
+ self.BRIDGED, self.IS_IP6, 9)
+
+ r = self.create_rules()
+ # replace acls #2, #3 with new
+ reply = self.vapi.macip_acl_add_replace(r[0], 0)
+ self.assertEqual(reply.retval, 0)
+ self.assertEqual(reply.acl_index, 0)
+
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
+ self.BRIDGED, self.IS_IP6, 9, True)
+
+
+class TestMACIP(MethodHolder):
+ """MACIP Tests"""
+
def test_acl_1_2(self):
""" MACIP ACL with 2 entries
"""
@@ -818,7 +1043,7 @@
r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
- self.apply_rules(r1)
+ self.apply_macip_rules(r1)
acls_before = self.macip_acl_dump_debug()
@@ -853,43 +1078,14 @@
self.assertNotEqual(len(acl1.r), len(acl2.r))
self.assertNotEqual(acl1.r, acl2.r)
- def test_acl_replace_traffic_ip4(self):
- """ MACIP replace ACL with IP4 traffic
- """
- self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
- self.BRIDGED, self.IS_IP4, 9)
-
- r = self.create_rules()
- # replace acls #2, #3 with new
- reply = self.vapi.macip_acl_add_replace(r[0], 0)
- self.assertEqual(reply.retval, 0)
- self.assertEqual(reply.acl_index, 0)
-
- self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
- self.BRIDGED, self.IS_IP4, 9, True)
-
- def test_acl_replace_traffic_ip6(self):
- """ MACIP replace ACL with IP6 traffic
- """
- self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
- self.BRIDGED, self.IS_IP6, 9)
-
- r = self.create_rules()
- # replace acls #2, #3 with new
- reply = self.vapi.macip_acl_add_replace(r[0], 0)
- self.assertEqual(reply.retval, 0)
- self.assertEqual(reply.acl_index, 0)
-
- self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
- self.BRIDGED, self.IS_IP6, 9, True)
-
def test_delete_intf(self):
""" MACIP ACL delete intf with acl
"""
intf_count = len(self.interfaces)+1
intf = []
- self.apply_rules(self.create_rules(acl_count=3, rules_count=[3, 5, 4]))
+ self.apply_macip_rules(self.create_rules(acl_count=3,
+ rules_count=[3, 5, 4]))
intf.append(VppLoInterface(self, 0))
intf.append(VppLoInterface(self, 1))
@@ -942,19 +1138,85 @@
self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
- def test_acl_routed_ip4_wildMAC_wildIP(self):
- """ IP4 MACIP wildcardMAC|wildIP ACL
- """
- self.run_traffic(self.WILD_MAC, self.WILD_IP,
- self.ROUTED, self.IS_IP4, 9)
+class TestACL_dot1q_bridged(MethodHolder):
+ """ACL on dot1q bridged subinterfaces Tests"""
- def test_acl_routed_ip6_wildMAC_wildIP(self):
- """ IP6 MACIP wildcardMAC|wildIP ACL
- """
+ def test_acl_bridged_ip4_subif_dot1q(self):
+ """ IP4 ACL SubIf Dot1Q bridged traffic"""
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
+ self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
- self.run_traffic(self.WILD_MAC, self.WILD_IP,
- self.ROUTED, self.IS_IP6, 9)
+ def test_acl_bridged_ip6_subif_dot1q(self):
+ """ IP6 ACL SubIf Dot1Q bridged traffic"""
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
+ self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
+
+
+class TestACL_dot1ad_bridged(MethodHolder):
+ """ACL on dot1ad bridged subinterfaces Tests"""
+
+ def test_acl_bridged_ip4_subif_dot1ad(self):
+ """ IP4 ACL SubIf Dot1AD bridged traffic"""
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
+ self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
+
+ def test_acl_bridged_ip6_subif_dot1ad(self):
+ """ IP6 ACL SubIf Dot1AD bridged traffic"""
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
+ self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
+
+
+class TestACL_dot1q_routed(MethodHolder):
+ """ACL on dot1q routed subinterfaces Tests"""
+
+ def test_acl_routed_ip4_subif_dot1q(self):
+ """ IP4 ACL SubIf Dot1Q routed traffic"""
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
+ self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
+
+ def test_acl_routed_ip6_subif_dot1q(self):
+ """ IP6 ACL SubIf Dot1Q routed traffic"""
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
+ self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
+
+ def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
+ """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
+ self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
+ permit_tags=self.DENY_TAGS)
+
+ def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
+ """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
+ self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
+ permit_tags=self.DENY_TAGS)
+
+
+class TestACL_dot1ad_routed(MethodHolder):
+ """ACL on dot1ad routed subinterfaces Tests"""
+
+ def test_acl_routed_ip6_subif_dot1ad(self):
+ """ IP6 ACL SubIf Dot1AD routed traffic"""
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
+ self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
+
+ def test_acl_routed_ip4_subif_dot1ad(self):
+ """ IP4 ACL SubIf Dot1AD routed traffic"""
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
+ self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
+
+ def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
+ """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
+ self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
+ permit_tags=self.DENY_TAGS)
+
+ def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
+ """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
+ self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
+ self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
+ permit_tags=self.DENY_TAGS)
if __name__ == '__main__':
diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py
index 495db95..5085ff2 100644
--- a/test/vpp_papi_provider.py
+++ b/test/vpp_papi_provider.py
@@ -2493,6 +2493,23 @@
'acls': acls},
expected_retval=expected_retval)
+ def acl_interface_add_del(self,
+ sw_if_index,
+ acl_index,
+ is_add=1):
+ """ Add/Delete ACL to/from interface
+
+ :param sw_if_index:
+ :param acl_index:
+ :param is_add: (Default value = 1)
+ """
+
+ return self.api(self.papi.acl_interface_add_del,
+ {'is_add': is_add,
+ 'is_input': 1,
+ 'sw_if_index': sw_if_index,
+ 'acl_index': acl_index})
+
def acl_dump(self, acl_index, expected_retval=0):
return self.api(self.papi.acl_dump,
{'acl_index': acl_index},