Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 02063b985ac2fd3ce24a42fe9e27f434ea088053 / . / test / test_acl_plugin.py
blob: 036a5dbc0c20bb70d87f4d82a0ea890e0a06ea2d [file] [log] [blame]
Renato Botelho do Coutoead1e532019-10-31 13:31:07 -0500[diff] [blame]1#!/usr/bin/env python3
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]2"""ACL plugin Test Case HLD:
3"""
4
5import unittest
6import random
7
8from scapy.packet import Raw
9from scapy.layers.l2 import Ether
10from scapy.layers.inet import IP, TCP, UDP, ICMP
11from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]12from scapy.layers.inet6 import IPv6ExtHdrFragment
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]13from framework import VppTestCase, VppTestRunner
Andrew Yourtchenkoc8eae8d2021-01-20 20:30:36 +0000[diff] [blame]14from framework import tag_fixme_vpp_workers
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]15from util import Host, ppp
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]16from ipaddress import IPv4Network, IPv6Network
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]17
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]18from vpp_lo_interface import VppLoInterface
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]19from vpp_acl import AclRule, VppAcl, VppAclInterface, VppEtypeWhitelist
20from vpp_ip import INVALID_INDEX
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]21
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]22
Andrew Yourtchenkoc8eae8d2021-01-20 20:30:36 +0000[diff] [blame]23@tag_fixme_vpp_workers
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]24class TestACLplugin(VppTestCase):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]25 """ACL plugin Test Case"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]26
27 # traffic types
28 IP = 0
29 ICMP = 1
30
31 # IP version
32 IPRANDOM = -1
33 IPV4 = 0
34 IPV6 = 1
35
36 # rule types
37 DENY = 0
38 PERMIT = 1
39
40 # supported protocols
41 proto = [[6, 17], [1, 58]]
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]42 proto_map = {1: "ICMP", 58: "ICMPv6EchoRequest", 6: "TCP", 17: "UDP"}
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]43 ICMPv4 = 0
44 ICMPv6 = 1
45 TCP = 0
46 UDP = 1
47 PROTO_ALL = 0
48
49 # port ranges
50 PORTS_ALL = -1
51 PORTS_RANGE = 0
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]52 PORTS_RANGE_2 = 1
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]53 udp_sport_from = 10
54 udp_sport_to = udp_sport_from + 5
55 udp_dport_from = 20000
56 udp_dport_to = udp_dport_from + 5000
57 tcp_sport_from = 30
58 tcp_sport_to = tcp_sport_from + 5
59 tcp_dport_from = 40000
60 tcp_dport_to = tcp_dport_from + 5000
61
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]62 udp_sport_from_2 = 90
63 udp_sport_to_2 = udp_sport_from_2 + 5
64 udp_dport_from_2 = 30000
65 udp_dport_to_2 = udp_dport_from_2 + 5000
66 tcp_sport_from_2 = 130
67 tcp_sport_to_2 = tcp_sport_from_2 + 5
68 tcp_dport_from_2 = 20000
69 tcp_dport_to_2 = tcp_dport_from_2 + 5000
70
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]71 icmp4_type = 8 # echo request
72 icmp4_code = 3
73 icmp6_type = 128 # echo request
74 icmp6_code = 3
75
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]76 icmp4_type_2 = 8
77 icmp4_code_from_2 = 5
78 icmp4_code_to_2 = 20
79 icmp6_type_2 = 128
80 icmp6_code_from_2 = 8
81 icmp6_code_to_2 = 42
82
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]83 # Test variables
84 bd_id = 1
85
86 @classmethod
87 def setUpClass(cls):
88 """
89 Perform standard class setup (defined by class method setUpClass in
90 class VppTestCase) before running the test case, set test case related
91 variables and configure VPP.
92 """
93 super(TestACLplugin, cls).setUpClass()
94
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]95 try:
96 # Create 2 pg interfaces
97 cls.create_pg_interfaces(range(2))
98
99 # Packet flows mapping pg0 -> pg1, pg2 etc.
100 cls.flows = dict()
101 cls.flows[cls.pg0] = [cls.pg1]
102
103 # Packet sizes
104 cls.pg_if_packet_sizes = [64, 512, 1518, 9018]
105
106 # Create BD with MAC learning and unknown unicast flooding disabled
107 # and put interfaces to this BD
Laszlo Kiraly0f8f4352022-09-16 13:20:07 +0200[diff] [blame]108 cls.vapi.bridge_domain_add_del_v2(
109 bd_id=cls.bd_id, uu_flood=1, learn=1, flood=1, forward=1, is_add=1
110 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]111 for pg_if in cls.pg_interfaces:
Ole Troana5b2eec2019-03-11 19:23:25 +0100[diff] [blame]112 cls.vapi.sw_interface_set_l2_bridge(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]113 rx_sw_if_index=pg_if.sw_if_index, bd_id=cls.bd_id
114 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]115
116 # Set up all interfaces
117 for i in cls.pg_interfaces:
118 i.admin_up()
119
120 # Mapping between packet-generator index and lists of test hosts
121 cls.hosts_by_pg_idx = dict()
122 for pg_if in cls.pg_interfaces:
123 cls.hosts_by_pg_idx[pg_if.sw_if_index] = []
124
125 # Create list of deleted hosts
126 cls.deleted_hosts_by_pg_idx = dict()
127 for pg_if in cls.pg_interfaces:
128 cls.deleted_hosts_by_pg_idx[pg_if.sw_if_index] = []
129
130 # warm-up the mac address tables
131 # self.warmup_test()
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]132 count = 16
133 start = 0
134 n_int = len(cls.pg_interfaces)
snaramre2bb71512019-10-16 22:15:43 +0000[diff] [blame]135 macs_per_if = count // n_int
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]136 i = -1
137 for pg_if in cls.pg_interfaces:
138 i += 1
139 start_nr = macs_per_if * i + start
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]140 end_nr = (
141 count + start if i == (n_int - 1) else macs_per_if * (i + 1) + start
142 )
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]143 hosts = cls.hosts_by_pg_idx[pg_if.sw_if_index]
snaramre2bb71512019-10-16 22:15:43 +0000[diff] [blame]144 for j in range(int(start_nr), int(end_nr)):
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]145 host = Host(
146 "00:00:00:ff:%02x:%02x" % (pg_if.sw_if_index, j),
147 "172.17.1%02x.%u" % (pg_if.sw_if_index, j),
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]148 "2017:dead:%02x::%u" % (pg_if.sw_if_index, j),
149 )
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]150 hosts.append(host)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]151
152 except Exception:
153 super(TestACLplugin, cls).tearDownClass()
154 raise
155
Paul Vinciguerra7f9b7f92019-03-12 19:23:27 -0700[diff] [blame]156 @classmethod
157 def tearDownClass(cls):
158 super(TestACLplugin, cls).tearDownClass()
159
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]160 def setUp(self):
161 super(TestACLplugin, self).setUp()
162 self.reset_packet_infos()
163
164 def tearDown(self):
165 """
166 Show various debug prints after each test.
167 """
168 super(TestACLplugin, self).tearDown()
Paul Vinciguerra90cf21b2019-03-13 09:23:05 -0700[diff] [blame]169
170 def show_commands_at_teardown(self):
171 cli = "show vlib graph l2-input-feat-arc"
172 self.logger.info(self.vapi.ppcli(cli))
173 cli = "show vlib graph l2-input-feat-arc-end"
174 self.logger.info(self.vapi.ppcli(cli))
175 cli = "show vlib graph l2-output-feat-arc"
176 self.logger.info(self.vapi.ppcli(cli))
177 cli = "show vlib graph l2-output-feat-arc-end"
178 self.logger.info(self.vapi.ppcli(cli))
179 self.logger.info(self.vapi.ppcli("show l2fib verbose"))
180 self.logger.info(self.vapi.ppcli("show acl-plugin acl"))
181 self.logger.info(self.vapi.ppcli("show acl-plugin interface"))
182 self.logger.info(self.vapi.ppcli("show acl-plugin tables"))
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]183 self.logger.info(self.vapi.ppcli("show bridge-domain %s detail" % self.bd_id))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]184
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]185 def create_rule(
186 self,
187 ip=0,
188 permit_deny=0,
189 ports=PORTS_ALL,
190 proto=-1,
191 s_prefix=0,
192 s_ip=0,
193 d_prefix=0,
194 d_ip=0,
195 ):
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]196 if ip:
197 src_prefix = IPv6Network((s_ip, s_prefix))
198 dst_prefix = IPv6Network((d_ip, d_prefix))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]199 else:
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]200 src_prefix = IPv4Network((s_ip, s_prefix))
201 dst_prefix = IPv4Network((d_ip, d_prefix))
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]202 return AclRule(
203 is_permit=permit_deny,
204 ports=ports,
205 proto=proto,
206 src_prefix=src_prefix,
207 dst_prefix=dst_prefix,
208 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]209
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]210 def apply_rules(self, rules, tag=None):
211 acl = VppAcl(self, rules, tag=tag)
212 acl.add_vpp_config()
213 self.logger.info("Dumped ACL: " + str(acl.dump()))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]214 # Apply a ACL on the interface as inbound
215 for i in self.pg_interfaces:
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]216 acl_if = VppAclInterface(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]217 self, sw_if_index=i.sw_if_index, n_input=1, acls=[acl]
218 )
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]219 acl_if.add_vpp_config()
220 return acl.acl_index
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]221
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]222 def apply_rules_to(self, rules, tag=None, sw_if_index=INVALID_INDEX):
223 acl = VppAcl(self, rules, tag=tag)
224 acl.add_vpp_config()
225 self.logger.info("Dumped ACL: " + str(acl.dump()))
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]226 # Apply a ACL on the interface as inbound
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]227 acl_if = VppAclInterface(self, sw_if_index=sw_if_index, n_input=1, acls=[acl])
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]228 return acl.acl_index
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]229
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]230 def etype_whitelist(self, whitelist, n_input, add=True):
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]231 # Apply whitelists on all the interfaces
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]232 if add:
233 self._wl = []
234 for i in self.pg_interfaces:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]235 self._wl.append(
236 VppEtypeWhitelist(
237 self,
238 sw_if_index=i.sw_if_index,
239 whitelist=whitelist,
240 n_input=n_input,
241 ).add_vpp_config()
242 )
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]243 else:
244 if hasattr(self, "_wl"):
245 for wl in self._wl:
246 wl.remove_vpp_config()
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]247
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]248 def create_upper_layer(self, packet_index, proto, ports=0):
249 p = self.proto_map[proto]
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]250 if p == "UDP":
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]251 if ports == 0:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]252 return UDP(
253 sport=random.randint(self.udp_sport_from, self.udp_sport_to),
254 dport=random.randint(self.udp_dport_from, self.udp_dport_to),
255 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]256 else:
257 return UDP(sport=ports, dport=ports)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]258 elif p == "TCP":
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]259 if ports == 0:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]260 return TCP(
261 sport=random.randint(self.tcp_sport_from, self.tcp_sport_to),
262 dport=random.randint(self.tcp_dport_from, self.tcp_dport_to),
263 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]264 else:
265 return TCP(sport=ports, dport=ports)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]266 return ""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]267
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]268 def create_stream(
269 self,
270 src_if,
271 packet_sizes,
272 traffic_type=0,
273 ipv6=0,
274 proto=-1,
275 ports=0,
276 fragments=False,
277 pkt_raw=True,
278 etype=-1,
279 ):
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]280 """
281 Create input packet stream for defined interface using hosts or
282 deleted_hosts list.
283
284 :param object src_if: Interface to create packet stream for.
285 :param list packet_sizes: List of required packet sizes.
286 :param traffic_type: 1: ICMP packet, 2: IPv6 with EH, 0: otherwise.
287 :return: Stream of packets.
288 """
289 pkts = []
290 if self.flows.__contains__(src_if):
291 src_hosts = self.hosts_by_pg_idx[src_if.sw_if_index]
292 for dst_if in self.flows[src_if]:
293 dst_hosts = self.hosts_by_pg_idx[dst_if.sw_if_index]
294 n_int = len(dst_hosts) * len(src_hosts)
295 for i in range(0, n_int):
snaramre2bb71512019-10-16 22:15:43 +0000[diff] [blame]296 dst_host = dst_hosts[int(i / len(src_hosts))]
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]297 src_host = src_hosts[i % len(src_hosts)]
298 pkt_info = self.create_packet_info(src_if, dst_if)
299 if ipv6 == 1:
300 pkt_info.ip = 1
301 elif ipv6 == 0:
302 pkt_info.ip = 0
303 else:
304 pkt_info.ip = random.choice([0, 1])
305 if proto == -1:
306 pkt_info.proto = random.choice(self.proto[self.IP])
307 else:
308 pkt_info.proto = proto
309 payload = self.info_to_payload(pkt_info)
310 p = Ether(dst=dst_host.mac, src=src_host.mac)
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]311 if etype > 0:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]312 p = Ether(dst=dst_host.mac, src=src_host.mac, type=etype)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]313 if pkt_info.ip:
314 p /= IPv6(dst=dst_host.ip6, src=src_host.ip6)
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]315 if fragments:
316 p /= IPv6ExtHdrFragment(offset=64, m=1)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]317 else:
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]318 if fragments:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]319 p /= IP(
320 src=src_host.ip4, dst=dst_host.ip4, flags=1, frag=64
321 )
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]322 else:
323 p /= IP(src=src_host.ip4, dst=dst_host.ip4)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]324 if traffic_type == self.ICMP:
325 if pkt_info.ip:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]326 p /= ICMPv6EchoRequest(
327 type=self.icmp6_type, code=self.icmp6_code
328 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]329 else:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]330 p /= ICMP(type=self.icmp4_type, code=self.icmp4_code)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]331 else:
332 p /= self.create_upper_layer(i, pkt_info.proto, ports)
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]333 if pkt_raw:
334 p /= Raw(payload)
335 pkt_info.data = p.copy()
336 if pkt_raw:
337 size = random.choice(packet_sizes)
338 self.extend_packet(p, size)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]339 pkts.append(p)
340 return pkts
341
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]342 def verify_capture(self, pg_if, capture, traffic_type=0, ip_type=0, etype=-1):
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]343 """
344 Verify captured input packet stream for defined interface.
345
346 :param object pg_if: Interface to verify captured packet stream for.
347 :param list capture: Captured packet stream.
348 :param traffic_type: 1: ICMP packet, 2: IPv6 with EH, 0: otherwise.
349 """
350 last_info = dict()
351 for i in self.pg_interfaces:
352 last_info[i.sw_if_index] = None
353 dst_sw_if_index = pg_if.sw_if_index
354 for packet in capture:
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]355 if etype > 0:
356 if packet[Ether].type != etype:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]357 self.logger.error(ppp("Unexpected ethertype in packet:", packet))
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]358 else:
359 continue
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]360 try:
361 # Raw data for ICMPv6 are stored in ICMPv6EchoRequest.data
362 if traffic_type == self.ICMP and ip_type == self.IPV6:
363 payload_info = self.payload_to_info(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]364 packet[ICMPv6EchoRequest], "data"
365 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]366 payload = packet[ICMPv6EchoRequest]
367 else:
Paul Vinciguerraeaea4212019-03-06 11:58:06 -0800[diff] [blame]368 payload_info = self.payload_to_info(packet[Raw])
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]369 payload = packet[self.proto_map[payload_info.proto]]
370 except:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]371 self.logger.error(
372 ppp("Unexpected or invalid packet (outside network):", packet)
373 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]374 raise
375
376 if ip_type != 0:
377 self.assertEqual(payload_info.ip, ip_type)
378 if traffic_type == self.ICMP:
379 try:
380 if payload_info.ip == 0:
381 self.assertEqual(payload.type, self.icmp4_type)
382 self.assertEqual(payload.code, self.icmp4_code)
383 else:
384 self.assertEqual(payload.type, self.icmp6_type)
385 self.assertEqual(payload.code, self.icmp6_code)
386 except:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]387 self.logger.error(
388 ppp("Unexpected or invalid packet (outside network):", packet)
389 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]390 raise
391 else:
392 try:
393 ip_version = IPv6 if payload_info.ip == 1 else IP
394
395 ip = packet[ip_version]
396 packet_index = payload_info.index
397
398 self.assertEqual(payload_info.dst, dst_sw_if_index)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]399 self.logger.debug(
400 "Got packet on port %s: src=%u (id=%u)"
401 % (pg_if.name, payload_info.src, packet_index)
402 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]403 next_info = self.get_next_packet_info_for_interface2(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]404 payload_info.src, dst_sw_if_index, last_info[payload_info.src]
405 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]406 last_info[payload_info.src] = next_info
407 self.assertTrue(next_info is not None)
408 self.assertEqual(packet_index, next_info.index)
409 saved_packet = next_info.data
410 # Check standard fields
411 self.assertEqual(ip.src, saved_packet[ip_version].src)
412 self.assertEqual(ip.dst, saved_packet[ip_version].dst)
413 p = self.proto_map[payload_info.proto]
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]414 if p == "TCP":
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]415 tcp = packet[TCP]
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]416 self.assertEqual(tcp.sport, saved_packet[TCP].sport)
417 self.assertEqual(tcp.dport, saved_packet[TCP].dport)
418 elif p == "UDP":
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]419 udp = packet[UDP]
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]420 self.assertEqual(udp.sport, saved_packet[UDP].sport)
421 self.assertEqual(udp.dport, saved_packet[UDP].dport)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]422 except:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]423 self.logger.error(ppp("Unexpected or invalid packet:", packet))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]424 raise
425 for i in self.pg_interfaces:
426 remaining_packet = self.get_next_packet_info_for_interface2(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]427 i, dst_sw_if_index, last_info[i.sw_if_index]
428 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]429 self.assertTrue(
430 remaining_packet is None,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]431 "Port %u: Packet expected from source %u didn't arrive"
432 % (dst_sw_if_index, i.sw_if_index),
433 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]434
435 def run_traffic_no_check(self):
436 # Test
437 # Create incoming packet streams for packet-generator interfaces
438 for i in self.pg_interfaces:
439 if self.flows.__contains__(i):
440 pkts = self.create_stream(i, self.pg_if_packet_sizes)
441 if len(pkts) > 0:
442 i.add_stream(pkts)
443
444 # Enable packet capture and start packet sending
445 self.pg_enable_capture(self.pg_interfaces)
446 self.pg_start()
447
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]448 def run_verify_test(
449 self,
450 traffic_type=0,
451 ip_type=0,
452 proto=-1,
453 ports=0,
454 frags=False,
455 pkt_raw=True,
456 etype=-1,
457 ):
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]458 # Test
459 # Create incoming packet streams for packet-generator interfaces
460 pkts_cnt = 0
461 for i in self.pg_interfaces:
462 if self.flows.__contains__(i):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]463 pkts = self.create_stream(
464 i,
465 self.pg_if_packet_sizes,
466 traffic_type,
467 ip_type,
468 proto,
469 ports,
470 frags,
471 pkt_raw,
472 etype,
473 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]474 if len(pkts) > 0:
475 i.add_stream(pkts)
476 pkts_cnt += len(pkts)
477
478 # Enable packet capture and start packet sendingself.IPV
479 self.pg_enable_capture(self.pg_interfaces)
480 self.pg_start()
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]481 self.logger.info("sent packets count: %d" % pkts_cnt)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]482
483 # Verify
484 # Verify outgoing packet streams per packet-generator interface
485 for src_if in self.pg_interfaces:
486 if self.flows.__contains__(src_if):
487 for dst_if in self.flows[src_if]:
488 capture = dst_if.get_capture(pkts_cnt)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]489 self.logger.info("Verifying capture on interface %s" % dst_if.name)
490 self.verify_capture(dst_if, capture, traffic_type, ip_type, etype)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]491
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]492 def run_verify_negat_test(
493 self, traffic_type=0, ip_type=0, proto=-1, ports=0, frags=False, etype=-1
494 ):
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]495 # Test
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]496 pkts_cnt = 0
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]497 self.reset_packet_infos()
498 for i in self.pg_interfaces:
499 if self.flows.__contains__(i):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]500 pkts = self.create_stream(
501 i,
502 self.pg_if_packet_sizes,
503 traffic_type,
504 ip_type,
505 proto,
506 ports,
507 frags,
508 True,
509 etype,
510 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]511 if len(pkts) > 0:
512 i.add_stream(pkts)
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]513 pkts_cnt += len(pkts)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]514
515 # Enable packet capture and start packet sending
516 self.pg_enable_capture(self.pg_interfaces)
517 self.pg_start()
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]518 self.logger.info("sent packets count: %d" % pkts_cnt)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]519
520 # Verify
521 # Verify outgoing packet streams per packet-generator interface
522 for src_if in self.pg_interfaces:
523 if self.flows.__contains__(src_if):
524 for dst_if in self.flows[src_if]:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]525 self.logger.info("Verifying capture on interface %s" % dst_if.name)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]526 capture = dst_if.get_capture(0)
527 self.assertEqual(len(capture), 0)
528
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]529 def test_0000_warmup_test(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]530 """ACL plugin version check; learn MACs"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]531 reply = self.vapi.papi.acl_plugin_get_version()
532 self.assertEqual(reply.major, 1)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]533 self.logger.info(
534 "Working with ACL plugin version: %d.%d" % (reply.major, reply.minor)
535 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]536 # minor version changes are non breaking
537 # self.assertEqual(reply.minor, 0)
538
539 def test_0001_acl_create(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]540 """ACL create/delete test"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]541
542 self.logger.info("ACLP_TEST_START_0001")
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]543 # Create a permit-1234 ACL
544 r = [AclRule(is_permit=1, proto=17, ports=1234, sport_to=1235)]
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]545 # Test 1: add a new ACL
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]546 first_acl = VppAcl(self, rules=r, tag="permit 1234")
547 first_acl.add_vpp_config()
548 self.assertTrue(first_acl.query_vpp_config())
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]549 # The very first ACL gets #0
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]550 self.assertEqual(first_acl.acl_index, 0)
551 rr = first_acl.dump()
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]552 self.logger.info("Dumped ACL: " + str(rr))
553 self.assertEqual(len(rr), 1)
554 # We should have the same number of ACL entries as we had asked
555 self.assertEqual(len(rr[0].r), len(r))
556 # The rules should be the same. But because the submitted and returned
557 # are different types, we need to iterate over rules and keys to get
558 # to basic values.
559 for i_rule in range(0, len(r) - 1):
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]560 encoded_rule = r[i_rule].encode()
561 for rule_key in encoded_rule:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]562 self.assertEqual(rr[0].r[i_rule][rule_key], encoded_rule[rule_key])
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]563
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]564 # Create a deny-1234 ACL
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]565 r_deny = [
566 AclRule(is_permit=0, proto=17, ports=1234, sport_to=1235),
567 AclRule(is_permit=1, proto=17, ports=0),
568 ]
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]569 second_acl = VppAcl(self, rules=r_deny, tag="deny 1234;permit all")
570 second_acl.add_vpp_config()
571 self.assertTrue(second_acl.query_vpp_config())
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]572 # The second ACL gets #1
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]573 self.assertEqual(second_acl.acl_index, 1)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]574
575 # Test 2: try to modify a nonexistent ACL
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]576 invalid_acl = VppAcl(self, acl_index=432, rules=r, tag="FFFF:FFFF")
577 reply = invalid_acl.add_vpp_config(expect_error=True)
Jakub Grajciaraad1ee12020-03-11 12:47:32 +0100[diff] [blame]578
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]579 # apply an ACL on an interface inbound, try to delete ACL, must fail
580 acl_if_list = VppAclInterface(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]581 self, sw_if_index=self.pg0.sw_if_index, n_input=1, acls=[first_acl]
582 )
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]583 acl_if_list.add_vpp_config()
584 first_acl.remove_vpp_config(expect_error=True)
585 # Unapply an ACL and then try to delete it - must be ok
586 acl_if_list.remove_vpp_config()
587 first_acl.remove_vpp_config()
588
589 # apply an ACL on an interface inbound, try to delete ACL, must fail
590 acl_if_list = VppAclInterface(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]591 self, sw_if_index=self.pg0.sw_if_index, n_input=0, acls=[second_acl]
592 )
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]593 acl_if_list.add_vpp_config()
594 second_acl.remove_vpp_config(expect_error=True)
595 # Unapply an ACL and then try to delete it - must be ok
596 acl_if_list.remove_vpp_config()
597 second_acl.remove_vpp_config()
Andrew Yourtchenko987abe92017-09-27 13:50:31 +0200[diff] [blame]598
599 # try to apply a nonexistent ACL - must fail
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]600 acl_if_list = VppAclInterface(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]601 self, sw_if_index=self.pg0.sw_if_index, n_input=0, acls=[invalid_acl]
602 )
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]603 acl_if_list.add_vpp_config(expect_error=True)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]604
605 self.logger.info("ACLP_TEST_FINISH_0001")
606
607 def test_0002_acl_permit_apply(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]608 """permit ACL apply test"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]609 self.logger.info("ACLP_TEST_START_0002")
610
611 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]612 rules.append(
613 self.create_rule(self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.UDP])
614 )
615 rules.append(
616 self.create_rule(self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.TCP])
617 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]618
619 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]620 acl_idx = self.apply_rules(rules, "permit per-flow")
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]621
622 # enable counters
623 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]624
625 # Traffic should still pass
626 self.run_verify_test(self.IP, self.IPV4, -1)
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]627
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]628 matches = self.statistics.get_counter("/acl/%d/matches" % acl_idx)
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]629 self.logger.info("stat segment counters: %s" % repr(matches))
630 cli = "show acl-plugin acl"
631 self.logger.info(self.vapi.ppcli(cli))
632 cli = "show acl-plugin tables"
633 self.logger.info(self.vapi.ppcli(cli))
634
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]635 total_hits = matches[0][0]["packets"] + matches[0][1]["packets"]
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]636 self.assertEqual(total_hits, 64)
637
638 # disable counters
639 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=0)
640
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]641 self.logger.info("ACLP_TEST_FINISH_0002")
642
643 def test_0003_acl_deny_apply(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]644 """deny ACL apply test"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]645 self.logger.info("ACLP_TEST_START_0003")
646 # Add a deny-flows ACL
647 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]648 rules.append(
649 self.create_rule(
650 self.IPV4, self.DENY, self.PORTS_ALL, self.proto[self.IP][self.UDP]
651 )
652 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]653 # Permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]654 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]655
656 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]657 acl_idx = self.apply_rules(rules, "deny per-flow;permit all")
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]658
659 # enable counters
660 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]661
662 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]663 self.run_verify_negat_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]664
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]665 matches = self.statistics.get_counter("/acl/%d/matches" % acl_idx)
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]666 self.logger.info("stat segment counters: %s" % repr(matches))
667 cli = "show acl-plugin acl"
668 self.logger.info(self.vapi.ppcli(cli))
669 cli = "show acl-plugin tables"
670 self.logger.info(self.vapi.ppcli(cli))
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]671 self.assertEqual(matches[0][0]["packets"], 64)
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]672 # disable counters
673 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=0)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]674 self.logger.info("ACLP_TEST_FINISH_0003")
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]675 # self.assertEqual(, 0)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]676
677 def test_0004_vpp624_permit_icmpv4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]678 """VPP_624 permit ICMPv4"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]679 self.logger.info("ACLP_TEST_START_0004")
680
681 # Add an ACL
682 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]683 rules.append(
684 self.create_rule(
685 self.IPV4,
686 self.PERMIT,
687 self.PORTS_RANGE,
688 self.proto[self.ICMP][self.ICMPv4],
689 )
690 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]691 # deny ip any any in the end
692 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
693
694 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]695 self.apply_rules(rules, "permit icmpv4")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]696
697 # Traffic should still pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]698 self.run_verify_test(self.ICMP, self.IPV4, self.proto[self.ICMP][self.ICMPv4])
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]699
700 self.logger.info("ACLP_TEST_FINISH_0004")
701
702 def test_0005_vpp624_permit_icmpv6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]703 """VPP_624 permit ICMPv6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]704 self.logger.info("ACLP_TEST_START_0005")
705
706 # Add an ACL
707 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]708 rules.append(
709 self.create_rule(
710 self.IPV6,
711 self.PERMIT,
712 self.PORTS_RANGE,
713 self.proto[self.ICMP][self.ICMPv6],
714 )
715 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]716 # deny ip any any in the end
717 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
718
719 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]720 self.apply_rules(rules, "permit icmpv6")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]721
722 # Traffic should still pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]723 self.run_verify_test(self.ICMP, self.IPV6, self.proto[self.ICMP][self.ICMPv6])
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]724
725 self.logger.info("ACLP_TEST_FINISH_0005")
726
727 def test_0006_vpp624_deny_icmpv4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]728 """VPP_624 deny ICMPv4"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]729 self.logger.info("ACLP_TEST_START_0006")
730 # Add an ACL
731 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]732 rules.append(
733 self.create_rule(
734 self.IPV4,
735 self.DENY,
736 self.PORTS_RANGE,
737 self.proto[self.ICMP][self.ICMPv4],
738 )
739 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]740 # permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]741 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]742
743 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]744 self.apply_rules(rules, "deny icmpv4")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]745
746 # Traffic should not pass
747 self.run_verify_negat_test(self.ICMP, self.IPV4, 0)
748
749 self.logger.info("ACLP_TEST_FINISH_0006")
750
751 def test_0007_vpp624_deny_icmpv6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]752 """VPP_624 deny ICMPv6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]753 self.logger.info("ACLP_TEST_START_0007")
754 # Add an ACL
755 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]756 rules.append(
757 self.create_rule(
758 self.IPV6,
759 self.DENY,
760 self.PORTS_RANGE,
761 self.proto[self.ICMP][self.ICMPv6],
762 )
763 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]764 # deny ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]765 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]766
767 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]768 self.apply_rules(rules, "deny icmpv6")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]769
770 # Traffic should not pass
771 self.run_verify_negat_test(self.ICMP, self.IPV6, 0)
772
773 self.logger.info("ACLP_TEST_FINISH_0007")
774
775 def test_0008_tcp_permit_v4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]776 """permit TCPv4"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]777 self.logger.info("ACLP_TEST_START_0008")
778
779 # Add an ACL
780 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]781 rules.append(
782 self.create_rule(
783 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
784 )
785 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]786 # deny ip any any in the end
787 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
788
789 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]790 self.apply_rules(rules, "permit ipv4 tcp")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]791
792 # Traffic should still pass
793 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
794
795 self.logger.info("ACLP_TEST_FINISH_0008")
796
797 def test_0009_tcp_permit_v6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]798 """permit TCPv6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]799 self.logger.info("ACLP_TEST_START_0009")
800
801 # Add an ACL
802 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]803 rules.append(
804 self.create_rule(
805 self.IPV6, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
806 )
807 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]808 # deny ip any any in the end
809 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
810
811 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]812 self.apply_rules(rules, "permit ip6 tcp")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]813
814 # Traffic should still pass
815 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
816
817 self.logger.info("ACLP_TEST_FINISH_0008")
818
819 def test_0010_udp_permit_v4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]820 """permit UDPv4"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]821 self.logger.info("ACLP_TEST_START_0010")
822
823 # Add an ACL
824 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]825 rules.append(
826 self.create_rule(
827 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
828 )
829 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]830 # deny ip any any in the end
831 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
832
833 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]834 self.apply_rules(rules, "permit ipv udp")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]835
836 # Traffic should still pass
837 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
838
839 self.logger.info("ACLP_TEST_FINISH_0010")
840
841 def test_0011_udp_permit_v6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]842 """permit UDPv6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]843 self.logger.info("ACLP_TEST_START_0011")
844
845 # Add an ACL
846 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]847 rules.append(
848 self.create_rule(
849 self.IPV6, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
850 )
851 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]852 # deny ip any any in the end
853 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
854
855 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]856 self.apply_rules(rules, "permit ip6 udp")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]857
858 # Traffic should still pass
859 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
860
861 self.logger.info("ACLP_TEST_FINISH_0011")
862
863 def test_0012_tcp_deny(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]864 """deny TCPv4/v6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]865 self.logger.info("ACLP_TEST_START_0012")
866
867 # Add an ACL
868 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]869 rules.append(
870 self.create_rule(
871 self.IPV4, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
872 )
873 )
874 rules.append(
875 self.create_rule(
876 self.IPV6, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
877 )
878 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]879 # permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]880 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
881 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]882
883 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]884 self.apply_rules(rules, "deny ip4/ip6 tcp")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]885
886 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]887 self.run_verify_negat_test(
888 self.IP, self.IPRANDOM, self.proto[self.IP][self.TCP]
889 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]890
891 self.logger.info("ACLP_TEST_FINISH_0012")
892
893 def test_0013_udp_deny(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]894 """deny UDPv4/v6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]895 self.logger.info("ACLP_TEST_START_0013")
896
897 # Add an ACL
898 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]899 rules.append(
900 self.create_rule(
901 self.IPV4, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
902 )
903 )
904 rules.append(
905 self.create_rule(
906 self.IPV6, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
907 )
908 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]909 # permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]910 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
911 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]912
913 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]914 self.apply_rules(rules, "deny ip4/ip6 udp")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]915
916 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]917 self.run_verify_negat_test(
918 self.IP, self.IPRANDOM, self.proto[self.IP][self.UDP]
919 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]920
921 self.logger.info("ACLP_TEST_FINISH_0013")
922
923 def test_0014_acl_dump(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]924 """verify add/dump acls"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]925 self.logger.info("ACLP_TEST_START_0014")
926
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]927 r = [
928 [self.IPV4, self.PERMIT, 1234, self.proto[self.IP][self.TCP]],
929 [self.IPV4, self.PERMIT, 2345, self.proto[self.IP][self.UDP]],
930 [self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.TCP]],
931 [self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.UDP]],
932 [self.IPV4, self.PERMIT, 5, self.proto[self.ICMP][self.ICMPv4]],
933 [self.IPV6, self.PERMIT, 4321, self.proto[self.IP][self.TCP]],
934 [self.IPV6, self.PERMIT, 5432, self.proto[self.IP][self.UDP]],
935 [self.IPV6, self.PERMIT, 0, self.proto[self.IP][self.TCP]],
936 [self.IPV6, self.PERMIT, 0, self.proto[self.IP][self.UDP]],
937 [self.IPV6, self.PERMIT, 6, self.proto[self.ICMP][self.ICMPv6]],
938 [self.IPV4, self.DENY, self.PORTS_ALL, 0],
939 [self.IPV4, self.DENY, 1234, self.proto[self.IP][self.TCP]],
940 [self.IPV4, self.DENY, 2345, self.proto[self.IP][self.UDP]],
941 [self.IPV4, self.DENY, 5, self.proto[self.ICMP][self.ICMPv4]],
942 [self.IPV6, self.DENY, 4321, self.proto[self.IP][self.TCP]],
943 [self.IPV6, self.DENY, 5432, self.proto[self.IP][self.UDP]],
944 [self.IPV6, self.DENY, 6, self.proto[self.ICMP][self.ICMPv6]],
945 [self.IPV6, self.DENY, self.PORTS_ALL, 0],
946 ]
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]947
948 # Add and verify new ACLs
949 rules = []
950 for i in range(len(r)):
951 rules.append(self.create_rule(r[i][0], r[i][1], r[i][2], r[i][3]))
952
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]953 acl = VppAcl(self, rules=rules)
954 acl.add_vpp_config()
955 result = acl.dump()
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]956
957 i = 0
958 for drules in result:
959 for dr in drules.r:
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]960 self.assertEqual(dr.is_permit, r[i][1])
961 self.assertEqual(dr.proto, r[i][3])
962
963 if r[i][2] > 0:
964 self.assertEqual(dr.srcport_or_icmptype_first, r[i][2])
965 else:
966 if r[i][2] < 0:
967 self.assertEqual(dr.srcport_or_icmptype_first, 0)
968 self.assertEqual(dr.srcport_or_icmptype_last, 65535)
969 else:
970 if dr.proto == self.proto[self.IP][self.TCP]:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]971 self.assertGreater(
972 dr.srcport_or_icmptype_first, self.tcp_sport_from - 1
973 )
974 self.assertLess(
975 dr.srcport_or_icmptype_first, self.tcp_sport_to + 1
976 )
977 self.assertGreater(
978 dr.dstport_or_icmpcode_last, self.tcp_dport_from - 1
979 )
980 self.assertLess(
981 dr.dstport_or_icmpcode_last, self.tcp_dport_to + 1
982 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]983 elif dr.proto == self.proto[self.IP][self.UDP]:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]984 self.assertGreater(
985 dr.srcport_or_icmptype_first, self.udp_sport_from - 1
986 )
987 self.assertLess(
988 dr.srcport_or_icmptype_first, self.udp_sport_to + 1
989 )
990 self.assertGreater(
991 dr.dstport_or_icmpcode_last, self.udp_dport_from - 1
992 )
993 self.assertLess(
994 dr.dstport_or_icmpcode_last, self.udp_dport_to + 1
995 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]996 i += 1
997
998 self.logger.info("ACLP_TEST_FINISH_0014")
999
1000 def test_0015_tcp_permit_port_v4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1001 """permit single TCPv4"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1002 self.logger.info("ACLP_TEST_START_0015")
1003
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1004 port = random.randint(16384, 65535)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1005 # Add an ACL
1006 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1007 rules.append(
1008 self.create_rule(
1009 self.IPV4, self.PERMIT, port, self.proto[self.IP][self.TCP]
1010 )
1011 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1012 # deny ip any any in the end
1013 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1014
1015 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1016 self.apply_rules(rules, "permit ip4 tcp %d" % port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1017
1018 # Traffic should still pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1019 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP], port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1020
1021 self.logger.info("ACLP_TEST_FINISH_0015")
1022
1023 def test_0016_udp_permit_port_v4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1024 """permit single UDPv4"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1025 self.logger.info("ACLP_TEST_START_0016")
1026
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1027 port = random.randint(16384, 65535)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1028 # Add an ACL
1029 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1030 rules.append(
1031 self.create_rule(
1032 self.IPV4, self.PERMIT, port, self.proto[self.IP][self.UDP]
1033 )
1034 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1035 # deny ip any any in the end
1036 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1037
1038 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1039 self.apply_rules(rules, "permit ip4 tcp %d" % port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1040
1041 # Traffic should still pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1042 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP], port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1043
1044 self.logger.info("ACLP_TEST_FINISH_0016")
1045
1046 def test_0017_tcp_permit_port_v6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1047 """permit single TCPv6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1048 self.logger.info("ACLP_TEST_START_0017")
1049
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1050 port = random.randint(16384, 65535)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1051 # Add an ACL
1052 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1053 rules.append(
1054 self.create_rule(
1055 self.IPV6, self.PERMIT, port, self.proto[self.IP][self.TCP]
1056 )
1057 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1058 # deny ip any any in the end
1059 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1060
1061 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1062 self.apply_rules(rules, "permit ip4 tcp %d" % port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1063
1064 # Traffic should still pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1065 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP], port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1066
1067 self.logger.info("ACLP_TEST_FINISH_0017")
1068
1069 def test_0018_udp_permit_port_v6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1070 """permit single UDPv6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1071 self.logger.info("ACLP_TEST_START_0018")
1072
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1073 port = random.randint(16384, 65535)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1074 # Add an ACL
1075 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1076 rules.append(
1077 self.create_rule(
1078 self.IPV6, self.PERMIT, port, self.proto[self.IP][self.UDP]
1079 )
1080 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1081 # deny ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1082 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1083
1084 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1085 self.apply_rules(rules, "permit ip4 tcp %d" % port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1086
1087 # Traffic should still pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1088 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP], port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1089
1090 self.logger.info("ACLP_TEST_FINISH_0018")
1091
1092 def test_0019_udp_deny_port(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1093 """deny single TCPv4/v6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1094 self.logger.info("ACLP_TEST_START_0019")
1095
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1096 port = random.randint(16384, 65535)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1097 # Add an ACL
1098 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1099 rules.append(
1100 self.create_rule(self.IPV4, self.DENY, port, self.proto[self.IP][self.TCP])
1101 )
1102 rules.append(
1103 self.create_rule(self.IPV6, self.DENY, port, self.proto[self.IP][self.TCP])
1104 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1105 # Permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1106 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
1107 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1108
1109 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1110 self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1111
1112 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1113 self.run_verify_negat_test(
1114 self.IP, self.IPRANDOM, self.proto[self.IP][self.TCP], port
1115 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1116
1117 self.logger.info("ACLP_TEST_FINISH_0019")
1118
1119 def test_0020_udp_deny_port(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1120 """deny single UDPv4/v6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1121 self.logger.info("ACLP_TEST_START_0020")
1122
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1123 port = random.randint(16384, 65535)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1124 # Add an ACL
1125 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1126 rules.append(
1127 self.create_rule(self.IPV4, self.DENY, port, self.proto[self.IP][self.UDP])
1128 )
1129 rules.append(
1130 self.create_rule(self.IPV6, self.DENY, port, self.proto[self.IP][self.UDP])
1131 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1132 # Permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1133 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
1134 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1135
1136 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1137 self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1138
1139 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1140 self.run_verify_negat_test(
1141 self.IP, self.IPRANDOM, self.proto[self.IP][self.UDP], port
1142 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1143
1144 self.logger.info("ACLP_TEST_FINISH_0020")
1145
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]1146 def test_0021_udp_deny_port_verify_fragment_deny(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1147 """deny single UDPv4/v6, permit ip any, verify non-initial fragment
Chris Luked0421942018-04-10 15:19:54 -0400[diff] [blame]1148 blocked
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]1149 """
1150 self.logger.info("ACLP_TEST_START_0021")
1151
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1152 port = random.randint(16384, 65535)
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]1153 # Add an ACL
1154 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1155 rules.append(
1156 self.create_rule(self.IPV4, self.DENY, port, self.proto[self.IP][self.UDP])
1157 )
1158 rules.append(
1159 self.create_rule(self.IPV6, self.DENY, port, self.proto[self.IP][self.UDP])
1160 )
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]1161 # deny ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1162 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
1163 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]1164
1165 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1166 self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]1167
1168 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1169 self.run_verify_negat_test(
1170 self.IP, self.IPRANDOM, self.proto[self.IP][self.UDP], port, True
1171 )
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]1172
1173 self.logger.info("ACLP_TEST_FINISH_0021")
1174
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1175 def test_0022_zero_length_udp_ipv4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1176 """VPP-687 zero length udp ipv4 packet"""
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1177 self.logger.info("ACLP_TEST_START_0022")
1178
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1179 port = random.randint(16384, 65535)
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1180 # Add an ACL
1181 rules = []
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1182 rules.append(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1183 self.create_rule(
1184 self.IPV4, self.PERMIT, port, self.proto[self.IP][self.UDP]
1185 )
1186 )
1187 # deny ip any any in the end
1188 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1189
1190 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1191 self.apply_rules(rules, "permit empty udp ip4 %d" % port)
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1192
1193 # Traffic should still pass
1194 # Create incoming packet streams for packet-generator interfaces
1195 pkts_cnt = 0
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1196 pkts = self.create_stream(
1197 self.pg0,
1198 self.pg_if_packet_sizes,
1199 self.IP,
1200 self.IPV4,
1201 self.proto[self.IP][self.UDP],
1202 port,
1203 False,
1204 False,
1205 )
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1206 if len(pkts) > 0:
1207 self.pg0.add_stream(pkts)
1208 pkts_cnt += len(pkts)
1209
1210 # Enable packet capture and start packet sendingself.IPV
1211 self.pg_enable_capture(self.pg_interfaces)
1212 self.pg_start()
1213
1214 self.pg1.get_capture(pkts_cnt)
1215
1216 self.logger.info("ACLP_TEST_FINISH_0022")
1217
1218 def test_0023_zero_length_udp_ipv6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1219 """VPP-687 zero length udp ipv6 packet"""
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1220 self.logger.info("ACLP_TEST_START_0023")
1221
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1222 port = random.randint(16384, 65535)
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1223 # Add an ACL
1224 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1225 rules.append(
1226 self.create_rule(
1227 self.IPV6, self.PERMIT, port, self.proto[self.IP][self.UDP]
1228 )
1229 )
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1230 # deny ip any any in the end
1231 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1232
1233 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1234 self.apply_rules(rules, "permit empty udp ip6 %d" % port)
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1235
1236 # Traffic should still pass
1237 # Create incoming packet streams for packet-generator interfaces
1238 pkts_cnt = 0
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1239 pkts = self.create_stream(
1240 self.pg0,
1241 self.pg_if_packet_sizes,
1242 self.IP,
1243 self.IPV6,
1244 self.proto[self.IP][self.UDP],
1245 port,
1246 False,
1247 False,
1248 )
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1249 if len(pkts) > 0:
1250 self.pg0.add_stream(pkts)
1251 pkts_cnt += len(pkts)
1252
1253 # Enable packet capture and start packet sendingself.IPV
1254 self.pg_enable_capture(self.pg_interfaces)
1255 self.pg_start()
1256
1257 # Verify outgoing packet streams per packet-generator interface
1258 self.pg1.get_capture(pkts_cnt)
1259
1260 self.logger.info("ACLP_TEST_FINISH_0023")
1261
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1262 def test_0108_tcp_permit_v4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1263 """permit TCPv4 + non-match range"""
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1264 self.logger.info("ACLP_TEST_START_0108")
1265
1266 # Add an ACL
1267 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1268 rules.append(
1269 self.create_rule(
1270 self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
1271 )
1272 )
1273 rules.append(
1274 self.create_rule(
1275 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1276 )
1277 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1278 # deny ip any any in the end
1279 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1280
1281 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1282 self.apply_rules(rules, "permit ipv4 tcp")
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1283
1284 # Traffic should still pass
1285 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
1286
1287 self.logger.info("ACLP_TEST_FINISH_0108")
1288
1289 def test_0109_tcp_permit_v6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1290 """permit TCPv6 + non-match range"""
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1291 self.logger.info("ACLP_TEST_START_0109")
1292
1293 # Add an ACL
1294 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1295 rules.append(
1296 self.create_rule(
1297 self.IPV6, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
1298 )
1299 )
1300 rules.append(
1301 self.create_rule(
1302 self.IPV6, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1303 )
1304 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1305 # deny ip any any in the end
1306 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1307
1308 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1309 self.apply_rules(rules, "permit ip6 tcp")
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1310
1311 # Traffic should still pass
1312 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
1313
1314 self.logger.info("ACLP_TEST_FINISH_0109")
1315
1316 def test_0110_udp_permit_v4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1317 """permit UDPv4 + non-match range"""
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1318 self.logger.info("ACLP_TEST_START_0110")
1319
1320 # Add an ACL
1321 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1322 rules.append(
1323 self.create_rule(
1324 self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.UDP]
1325 )
1326 )
1327 rules.append(
1328 self.create_rule(
1329 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
1330 )
1331 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1332 # deny ip any any in the end
1333 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1334
1335 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1336 self.apply_rules(rules, "permit ipv4 udp")
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1337
1338 # Traffic should still pass
1339 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
1340
1341 self.logger.info("ACLP_TEST_FINISH_0110")
1342
1343 def test_0111_udp_permit_v6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1344 """permit UDPv6 + non-match range"""
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1345 self.logger.info("ACLP_TEST_START_0111")
1346
1347 # Add an ACL
1348 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1349 rules.append(
1350 self.create_rule(
1351 self.IPV6, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.UDP]
1352 )
1353 )
1354 rules.append(
1355 self.create_rule(
1356 self.IPV6, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
1357 )
1358 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1359 # deny ip any any in the end
1360 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1361
1362 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1363 self.apply_rules(rules, "permit ip6 udp")
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1364
1365 # Traffic should still pass
1366 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
1367
1368 self.logger.info("ACLP_TEST_FINISH_0111")
1369
1370 def test_0112_tcp_deny(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1371 """deny TCPv4/v6 + non-match range"""
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1372 self.logger.info("ACLP_TEST_START_0112")
1373
1374 # Add an ACL
1375 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1376 rules.append(
1377 self.create_rule(
1378 self.IPV4,
1379 self.PERMIT,
1380 self.PORTS_RANGE_2,
1381 self.proto[self.IP][self.TCP],
1382 )
1383 )
1384 rules.append(
1385 self.create_rule(
1386 self.IPV6,
1387 self.PERMIT,
1388 self.PORTS_RANGE_2,
1389 self.proto[self.IP][self.TCP],
1390 )
1391 )
1392 rules.append(
1393 self.create_rule(
1394 self.IPV4, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1395 )
1396 )
1397 rules.append(
1398 self.create_rule(
1399 self.IPV6, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1400 )
1401 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1402 # permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1403 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
1404 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1405
1406 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1407 self.apply_rules(rules, "deny ip4/ip6 tcp")
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1408
1409 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1410 self.run_verify_negat_test(
1411 self.IP, self.IPRANDOM, self.proto[self.IP][self.TCP]
1412 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1413
1414 self.logger.info("ACLP_TEST_FINISH_0112")
1415
1416 def test_0113_udp_deny(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1417 """deny UDPv4/v6 + non-match range"""
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1418 self.logger.info("ACLP_TEST_START_0113")
1419
1420 # Add an ACL
1421 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1422 rules.append(
1423 self.create_rule(
1424 self.IPV4,
1425 self.PERMIT,
1426 self.PORTS_RANGE_2,
1427 self.proto[self.IP][self.UDP],
1428 )
1429 )
1430 rules.append(
1431 self.create_rule(
1432 self.IPV6,
1433 self.PERMIT,
1434 self.PORTS_RANGE_2,
1435 self.proto[self.IP][self.UDP],
1436 )
1437 )
1438 rules.append(
1439 self.create_rule(
1440 self.IPV4, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
1441 )
1442 )
1443 rules.append(
1444 self.create_rule(
1445 self.IPV6, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
1446 )
1447 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1448 # permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1449 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
1450 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1451
1452 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1453 self.apply_rules(rules, "deny ip4/ip6 udp")
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1454
1455 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1456 self.run_verify_negat_test(
1457 self.IP, self.IPRANDOM, self.proto[self.IP][self.UDP]
1458 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1459
1460 self.logger.info("ACLP_TEST_FINISH_0113")
1461
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1462 def test_0300_tcp_permit_v4_etype_aaaa(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1463 """permit TCPv4, send 0xAAAA etype"""
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1464 self.logger.info("ACLP_TEST_START_0300")
1465
1466 # Add an ACL
1467 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1468 rules.append(
1469 self.create_rule(
1470 self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
1471 )
1472 )
1473 rules.append(
1474 self.create_rule(
1475 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1476 )
1477 )
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1478 # deny ip any any in the end
1479 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1480
1481 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1482 self.apply_rules(rules, "permit ipv4 tcp")
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1483
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1484 # Traffic should still pass also for an odd ethertype
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1485 self.run_verify_test(
1486 self.IP, self.IPV4, self.proto[self.IP][self.TCP], 0, False, True, 0xAAAA
1487 )
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1488 self.logger.info("ACLP_TEST_FINISH_0300")
1489
1490 def test_0305_tcp_permit_v4_etype_blacklist_aaaa(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1491 """permit TCPv4, whitelist 0x0BBB ethertype, send 0xAAAA-blocked"""
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1492 self.logger.info("ACLP_TEST_START_0305")
1493
1494 # Add an ACL
1495 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1496 rules.append(
1497 self.create_rule(
1498 self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
1499 )
1500 )
1501 rules.append(
1502 self.create_rule(
1503 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1504 )
1505 )
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1506 # deny ip any any in the end
1507 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1508
1509 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1510 self.apply_rules(rules, "permit ipv4 tcp")
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1511 # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1512 self.etype_whitelist([0xBBB], 1)
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1513
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1514 # The oddball ethertype should be blocked
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1515 self.run_verify_negat_test(
1516 self.IP, self.IPV4, self.proto[self.IP][self.TCP], 0, False, 0xAAAA
1517 )
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1518
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1519 # remove the whitelist
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1520 self.etype_whitelist([], 0, add=False)
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1521
1522 self.logger.info("ACLP_TEST_FINISH_0305")
1523
1524 def test_0306_tcp_permit_v4_etype_blacklist_aaaa(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1525 """permit TCPv4, whitelist 0x0BBB ethertype, send 0x0BBB - pass"""
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1526 self.logger.info("ACLP_TEST_START_0306")
1527
1528 # Add an ACL
1529 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1530 rules.append(
1531 self.create_rule(
1532 self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
1533 )
1534 )
1535 rules.append(
1536 self.create_rule(
1537 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1538 )
1539 )
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1540 # deny ip any any in the end
1541 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1542
1543 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1544 self.apply_rules(rules, "permit ipv4 tcp")
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1545 # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1546 self.etype_whitelist([0xBBB], 1)
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1547
1548 # The whitelisted traffic, should pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1549 self.run_verify_test(
1550 self.IP, self.IPV4, self.proto[self.IP][self.TCP], 0, False, True, 0x0BBB
1551 )
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1552
1553 # remove the whitelist, the previously blocked 0xAAAA should pass now
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1554 self.etype_whitelist([], 0, add=False)
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1555
1556 self.logger.info("ACLP_TEST_FINISH_0306")
1557
1558 def test_0307_tcp_permit_v4_etype_blacklist_aaaa(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1559 """permit TCPv4, whitelist 0x0BBB, remove, send 0xAAAA - pass"""
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1560 self.logger.info("ACLP_TEST_START_0307")
1561
1562 # Add an ACL
1563 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1564 rules.append(
1565 self.create_rule(
1566 self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
1567 )
1568 )
1569 rules.append(
1570 self.create_rule(
1571 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1572 )
1573 )
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1574 # deny ip any any in the end
1575 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1576
1577 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1578 self.apply_rules(rules, "permit ipv4 tcp")
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1579
1580 # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1581 self.etype_whitelist([0xBBB], 1)
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1582 # remove the whitelist, the previously blocked 0xAAAA should pass now
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1583 self.etype_whitelist([], 0, add=False)
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1584
1585 # The whitelisted traffic, should pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1586 self.run_verify_test(
1587 self.IP, self.IPV4, self.proto[self.IP][self.TCP], 0, False, True, 0xAAAA
1588 )
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1589
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1590 self.logger.info("ACLP_TEST_FINISH_0306")
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1591
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]1592 def test_0315_del_intf(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1593 """apply an acl and delete the interface"""
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]1594 self.logger.info("ACLP_TEST_START_0315")
1595
1596 # Add an ACL
1597 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1598 rules.append(
1599 self.create_rule(
1600 self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
1601 )
1602 )
1603 rules.append(
1604 self.create_rule(
1605 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1606 )
1607 )
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]1608 # deny ip any any in the end
1609 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1610
1611 # create an interface
1612 intf = []
Klement Sekerabeaded52018-06-24 10:30:37 +0200[diff] [blame]1613 intf.append(VppLoInterface(self))
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]1614
1615 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1616 self.apply_rules_to(rules, "permit ipv4 tcp", intf[0].sw_if_index)
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]1617
1618 # Remove the interface
1619 intf[0].remove_vpp_config()
1620
1621 self.logger.info("ACLP_TEST_FINISH_0315")
1622
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1623
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1624if __name__ == "__main__":
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1625 unittest.main(testRunner=VppTestRunner)