Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 28ab9cc13bb0b6adf68277f12cfcd33b69f40b00 / . / test / test_acl_plugin_l2l3.py
blob: f383a4820198e6cff1cc768c949ba60baa13c83b [file] [log] [blame]
Andrew Yourtchenkod2a59be2017-03-21 10:31:55 +0100[diff] [blame]1#!/usr/bin/env python
2"""ACL IRB Test Case HLD:
3
4**config**
5 - L2 MAC learning enabled in l2bd
6 - 2 routed interfaces untagged, bvi (Bridge Virtual Interface)
7 - 2 bridged interfaces in l2bd with bvi
8
9**test**
10 - sending ip4 eth pkts between routed interfaces
11 - 2 routed interfaces
12 - 2 bridged interfaces
13
14 - 64B, 512B, 1518B, 9200B (ether_size)
15
16 - burst of pkts per interface
17 - 257pkts per burst
18 - routed pkts hitting different FIB entries
19 - bridged pkts hitting different MAC entries
20
21**verify**
22 - all packets received correctly
23
24"""
25
26import unittest
27from socket import inet_pton, AF_INET, AF_INET6
28from random import choice
29from pprint import pprint
30
31from scapy.packet import Raw
32from scapy.layers.l2 import Ether
33from scapy.layers.inet import IP, UDP, ICMP, TCP
34from scapy.layers.inet6 import IPv6, ICMPv6Unknown, ICMPv6EchoRequest
35from scapy.layers.inet6 import ICMPv6EchoReply, IPv6ExtHdrRouting
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]36from scapy.layers.inet6 import IPv6ExtHdrFragment
Andrew Yourtchenkod2a59be2017-03-21 10:31:55 +0100[diff] [blame]37
38from framework import VppTestCase, VppTestRunner
39import time
40
41
42class TestIpIrb(VppTestCase):
43 """IRB Test Case"""
44
45 @classmethod
46 def setUpClass(cls):
47 """
48 #. Create BD with MAC learning enabled and put interfaces to this BD.
49 #. Configure IPv4 addresses on loopback interface and routed interface.
50 #. Configure MAC address binding to IPv4 neighbors on loop0.
51 #. Configure MAC address on pg2.
52 #. Loopback BVI interface has remote hosts, one half of hosts are
53 behind pg0 second behind pg1.
54 """
55 super(TestIpIrb, cls).setUpClass()
56
57 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
58 cls.bd_id = 10
59 cls.remote_hosts_count = 250
60
61 # create 3 pg interfaces, 1 loopback interface
62 cls.create_pg_interfaces(range(3))
63 cls.create_loopback_interfaces(range(1))
64
65 cls.interfaces = list(cls.pg_interfaces)
66 cls.interfaces.extend(cls.lo_interfaces)
67
68 for i in cls.interfaces:
69 i.admin_up()
70
71 # Create BD with MAC learning enabled and put interfaces to this BD
72 cls.vapi.sw_interface_set_l2_bridge(
73 cls.loop0.sw_if_index, bd_id=cls.bd_id, bvi=1)
74 cls.vapi.sw_interface_set_l2_bridge(
75 cls.pg0.sw_if_index, bd_id=cls.bd_id)
76 cls.vapi.sw_interface_set_l2_bridge(
77 cls.pg1.sw_if_index, bd_id=cls.bd_id)
78
79 # Configure IPv4 addresses on loopback interface and routed interface
80 cls.loop0.config_ip4()
81 cls.loop0.config_ip6()
82 cls.pg2.config_ip4()
83 cls.pg2.config_ip6()
84
85 # Configure MAC address binding to IPv4 neighbors on loop0
86 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
87 cls.loop0.configure_ipv4_neighbors()
88 cls.loop0.configure_ipv6_neighbors()
89 # configure MAC address on pg2
90 cls.pg2.resolve_arp()
91 cls.pg2.resolve_ndp()
92
93 cls.WITHOUT_EH = False
94 cls.WITH_EH = True
95
96 # Loopback BVI interface has remote hosts, one half of hosts are behind
97 # pg0 second behind pg1
98 half = cls.remote_hosts_count // 2
99 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:half]
100 cls.pg1.remote_hosts = cls.loop0.remote_hosts[half:]
101
102 def tearDown(self):
103 """Run standard test teardown and log ``show l2patch``,
104 ``show l2fib verbose``,``show bridge-domain <bd_id> detail``,
105 ``show ip arp``.
106 """
107 super(TestIpIrb, self).tearDown()
108 if not self.vpp_dead:
109 self.logger.info(self.vapi.cli("show l2patch"))
110 self.logger.info(self.vapi.cli("show classify tables"))
111 self.logger.info(self.vapi.cli("show vlib graph"))
112 self.logger.info(self.vapi.cli("show l2fib verbose"))
113 self.logger.info(self.vapi.cli("show bridge-domain %s detail" %
114 self.bd_id))
115 self.logger.info(self.vapi.cli("show ip arp"))
116 self.logger.info(self.vapi.cli("show ip6 neighbors"))
117 self.logger.info(self.vapi.cli("show acl-plugin sessions"))
Andrew Yourtchenko7f4d5772017-05-24 13:20:47 +0200[diff] [blame]118 self.logger.info(self.vapi.cli("show acl-plugin acl"))
119 self.logger.info(self.vapi.cli("show acl-plugin interface"))
120 self.logger.info(self.vapi.cli("show acl-plugin tables"))
Andrew Yourtchenkod2a59be2017-03-21 10:31:55 +0100[diff] [blame]121
122 def api_acl_add_replace(self, acl_index, r, count, tag="",
123 expected_retval=0):
124 """Add/replace an ACL
125
126 :param int acl_index: ACL index to replace, 4294967295 to create new.
127 :param acl_rule r: ACL rules array.
128 :param str tag: symbolic tag (description) for this ACL.
129 :param int count: number of rules.
130 """
131 return self.vapi.api(self.vapi.papi.acl_add_replace,
132 {'acl_index': acl_index,
133 'r': r,
134 'count': count,
135 'tag': tag
136 }, expected_retval=expected_retval)
137
138 def api_acl_interface_set_acl_list(self, sw_if_index, count, n_input, acls,
139 expected_retval=0):
140 return self.vapi.api(self.vapi.papi.acl_interface_set_acl_list,
141 {'sw_if_index': sw_if_index,
142 'count': count,
143 'n_input': n_input,
144 'acls': acls
145 }, expected_retval=expected_retval)
146
147 def api_acl_dump(self, acl_index, expected_retval=0):
148 return self.vapi.api(self.vapi.papi.acl_dump,
149 {'acl_index': acl_index},
150 expected_retval=expected_retval)
151
152 def create_stream(self, src_ip_if, dst_ip_if, reverse, packet_sizes,
153 is_ip6, expect_blocked, expect_established,
154 add_extension_header):
155 pkts = []
156 rules = []
157 permit_rules = []
158 permit_and_reflect_rules = []
159 total_packet_count = 8
160 for i in range(0, total_packet_count):
161 modulo = (i//2) % 2
162 can_reflect_this_packet = (modulo == 0)
163 is_permit = i % 2
164 remote_dst_index = i % len(dst_ip_if.remote_hosts)
165 remote_dst_host = dst_ip_if.remote_hosts[remote_dst_index]
166 if is_permit == 1:
167 info = self.create_packet_info(src_ip_if, dst_ip_if)
168 payload = self.info_to_payload(info)
169 else:
170 to_be_blocked = False
171 if (expect_blocked and not expect_established):
172 to_be_blocked = True
173 if (not can_reflect_this_packet):
174 to_be_blocked = True
175 if to_be_blocked:
176 payload = "to be blocked"
177 else:
178 info = self.create_packet_info(src_ip_if, dst_ip_if)
179 payload = self.info_to_payload(info)
180 if reverse:
181 dst_mac = 'de:ad:00:00:00:00'
182 src_mac = remote_dst_host._mac
183 dst_ip6 = src_ip_if.remote_ip6
184 src_ip6 = remote_dst_host.ip6
185 dst_ip4 = src_ip_if.remote_ip4
186 src_ip4 = remote_dst_host.ip4
187 dst_l4 = 1234 + i
188 src_l4 = 4321 + i
189 else:
190 dst_mac = src_ip_if.local_mac
191 src_mac = src_ip_if.remote_mac
192 src_ip6 = src_ip_if.remote_ip6
193 dst_ip6 = remote_dst_host.ip6
194 src_ip4 = src_ip_if.remote_ip4
195 dst_ip4 = remote_dst_host.ip4
196 src_l4 = 1234 + i
197 dst_l4 = 4321 + i
198
199 # default ULP should be something we do not use in tests
200 ulp_l4 = TCP(sport=src_l4, dport=dst_l4)
201 # potentially a chain of protocols leading to ULP
202 ulp = ulp_l4
203
204 if can_reflect_this_packet:
205 if is_ip6:
206 ulp_l4 = UDP(sport=src_l4, dport=dst_l4)
207 if add_extension_header:
208 # prepend some extension headers
209 ulp = (IPv6ExtHdrRouting() / IPv6ExtHdrRouting() /
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]210 IPv6ExtHdrFragment(offset=0, m=1) / ulp_l4)
Andrew Yourtchenkod2a59be2017-03-21 10:31:55 +0100[diff] [blame]211 # uncomment below to test invalid ones
212 # ulp = IPv6ExtHdrRouting(len = 200) / ulp_l4
213 else:
214 ulp = ulp_l4
215 p = (Ether(dst=dst_mac, src=src_mac) /
216 IPv6(src=src_ip6, dst=dst_ip6) /
217 ulp /
218 Raw(payload))
219 else:
220 ulp_l4 = UDP(sport=src_l4, dport=dst_l4)
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]221 # IPv4 does not allow extension headers,
222 # but we rather make it a first fragment
223 flags = 1 if add_extension_header else 0
Andrew Yourtchenkod2a59be2017-03-21 10:31:55 +0100[diff] [blame]224 ulp = ulp_l4
225 p = (Ether(dst=dst_mac, src=src_mac) /
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]226 IP(src=src_ip4, dst=dst_ip4, frag=0, flags=flags) /
Andrew Yourtchenkod2a59be2017-03-21 10:31:55 +0100[diff] [blame]227 ulp /
228 Raw(payload))
229 elif modulo == 1:
230 if is_ip6:
231 ulp_l4 = ICMPv6Unknown(type=128 + (i % 2), code=i % 2)
232 ulp = ulp_l4
233 p = (Ether(dst=dst_mac, src=src_mac) /
234 IPv6(src=src_ip6, dst=dst_ip6) /
235 ulp /
236 Raw(payload))
237 else:
238 ulp_l4 = ICMP(type=8 + (i % 2), code=i % 2)
239 ulp = ulp_l4
240 p = (Ether(dst=dst_mac, src=src_mac) /
241 IP(src=src_ip4, dst=dst_ip4) /
242 ulp /
243 Raw(payload))
244
245 if i % 2 == 1:
246 info.data = p.copy()
247 size = packet_sizes[(i // 2) % len(packet_sizes)]
248 self.extend_packet(p, size)
249 pkts.append(p)
250
251 rule_family = AF_INET6 if p.haslayer(IPv6) else AF_INET
252 rule_prefix_len = 128 if p.haslayer(IPv6) else 32
253 rule_l3_layer = IPv6 if p.haslayer(IPv6) else IP
254
255 if p.haslayer(UDP):
256 rule_l4_sport = p[UDP].sport
257 rule_l4_dport = p[UDP].dport
258 else:
259 if p.haslayer(ICMP):
260 rule_l4_sport = p[ICMP].type
261 rule_l4_dport = p[ICMP].code
262 else:
263 rule_l4_sport = p[ICMPv6Unknown].type
264 rule_l4_dport = p[ICMPv6Unknown].code
265 if p.haslayer(IPv6):
266 rule_l4_proto = ulp_l4.overload_fields[IPv6]['nh']
267 else:
268 rule_l4_proto = p[IP].proto
269
270 new_rule = {
271 'is_permit': is_permit,
272 'is_ipv6': p.haslayer(IPv6),
273 'src_ip_addr': inet_pton(rule_family,
274 p[rule_l3_layer].src),
275 'src_ip_prefix_len': rule_prefix_len,
276 'dst_ip_addr': inet_pton(rule_family,
277 p[rule_l3_layer].dst),
278 'dst_ip_prefix_len': rule_prefix_len,
279 'srcport_or_icmptype_first': rule_l4_sport,
280 'srcport_or_icmptype_last': rule_l4_sport,
281 'dstport_or_icmpcode_first': rule_l4_dport,
282 'dstport_or_icmpcode_last': rule_l4_dport,
283 'proto': rule_l4_proto,
284 }
285 rules.append(new_rule)
286 new_rule_permit = new_rule.copy()
287 new_rule_permit['is_permit'] = 1
288 permit_rules.append(new_rule_permit)
289
290 new_rule_permit_and_reflect = new_rule.copy()
291 if can_reflect_this_packet:
292 new_rule_permit_and_reflect['is_permit'] = 2
293 else:
294 new_rule_permit_and_reflect['is_permit'] = is_permit
295 permit_and_reflect_rules.append(new_rule_permit_and_reflect)
296
297 return {'stream': pkts,
298 'rules': rules,
299 'permit_rules': permit_rules,
300 'permit_and_reflect_rules': permit_and_reflect_rules}
301
302 def verify_capture(self, dst_ip_if, src_ip_if, capture, reverse):
303 last_info = dict()
304 for i in self.interfaces:
305 last_info[i.sw_if_index] = None
306
307 dst_ip_sw_if_index = dst_ip_if.sw_if_index
308 return
309
310 for packet in capture:
311 l3 = IP if packet.haslayer(IP) else IPv6
312 ip = packet[l3]
313 if packet.haslayer(UDP):
314 l4 = UDP
315 else:
316 if packet.haslayer(ICMP):
317 l4 = ICMP
318 else:
319 l4 = ICMPv6Unknown
320
321 # Scapy IPv6 stuff is too smart for its own good.
322 # So we do this and coerce the ICMP into unknown type
323 if packet.haslayer(UDP):
324 data = str(packet[UDP][Raw])
325 else:
326 if l3 == IP:
327 data = str(ICMP(str(packet[l3].payload))[Raw])
328 else:
329 data = str(ICMPv6Unknown(str(packet[l3].payload)).msgbody)
330 udp_or_icmp = packet[l3].payload
331 payload_info = self.payload_to_info(data)
332 packet_index = payload_info.index
333
334 self.assertEqual(payload_info.dst, dst_ip_sw_if_index)
335
336 next_info = self.get_next_packet_info_for_interface2(
337 payload_info.src, dst_ip_sw_if_index,
338 last_info[payload_info.src])
339 last_info[payload_info.src] = next_info
340 self.assertTrue(next_info is not None)
341 self.assertEqual(packet_index, next_info.index)
342 saved_packet = next_info.data
343 self.assertTrue(next_info is not None)
344
345 # MAC: src, dst
346 if not reverse:
347 self.assertEqual(packet.src, dst_ip_if.local_mac)
348 host = dst_ip_if.host_by_mac(packet.dst)
349
350 # IP: src, dst
351 # self.assertEqual(ip.src, src_ip_if.remote_ip4)
352 if saved_packet is not None:
353 self.assertEqual(ip.src, saved_packet[l3].src)
354 self.assertEqual(ip.dst, saved_packet[l3].dst)
355 if l4 == UDP:
356 self.assertEqual(udp_or_icmp.sport, saved_packet[l4].sport)
357 self.assertEqual(udp_or_icmp.dport, saved_packet[l4].dport)
358 else:
359 print("Saved packet is none")
360 # self.assertEqual(ip.dst, host.ip4)
361
362 # UDP:
363
364 def create_acls_for_a_stream(self, stream_dict,
365 test_l2_action, is_reflect):
366 r = stream_dict['rules']
367 r_permit = stream_dict['permit_rules']
368 r_permit_reflect = stream_dict['permit_and_reflect_rules']
369 r_action = r_permit_reflect if is_reflect else r
370 reply = self.api_acl_add_replace(acl_index=4294967295, r=r_action,
371 count=len(r_action), tag="action acl")
372 action_acl_index = reply.acl_index
373 reply = self.api_acl_add_replace(acl_index=4294967295, r=r_permit,
374 count=len(r_permit), tag="permit acl")
375 permit_acl_index = reply.acl_index
376 return {'L2': action_acl_index if test_l2_action else permit_acl_index,
377 'L3': permit_acl_index if test_l2_action else action_acl_index,
378 'permit': permit_acl_index, 'action': action_acl_index}
379
380 def apply_acl_ip46_x_to_y(self, bridged_to_routed, test_l2_deny,
381 is_ip6, is_reflect, add_eh):
382 """ Apply the ACLs
383 """
384 self.reset_packet_infos()
385 stream_dict = self.create_stream(
386 self.pg2, self.loop0,
387 bridged_to_routed,
388 self.pg_if_packet_sizes, is_ip6,
389 not is_reflect, False, add_eh)
390 stream = stream_dict['stream']
391 acl_idx = self.create_acls_for_a_stream(stream_dict, test_l2_deny,
392 is_reflect)
393 n_input_l3 = 0 if bridged_to_routed else 1
394 n_input_l2 = 1 if bridged_to_routed else 0
395 self.api_acl_interface_set_acl_list(sw_if_index=self.pg2.sw_if_index,
396 count=1,
397 n_input=n_input_l3,
398 acls=[acl_idx['L3']])
399 self.api_acl_interface_set_acl_list(sw_if_index=self.pg0.sw_if_index,
400 count=1,
401 n_input=n_input_l2,
402 acls=[acl_idx['L2']])
403 self.api_acl_interface_set_acl_list(sw_if_index=self.pg1.sw_if_index,
404 count=1,
405 n_input=n_input_l2,
406 acls=[acl_idx['L2']])
407
408 def apply_acl_ip46_both_directions_reflect(self,
409 primary_is_bridged_to_routed,
410 reflect_on_l2, is_ip6, add_eh):
411 primary_is_routed_to_bridged = not primary_is_bridged_to_routed
412 self.reset_packet_infos()
413 stream_dict_fwd = self.create_stream(self.pg2, self.loop0,
414 primary_is_bridged_to_routed,
415 self.pg_if_packet_sizes, is_ip6,
416 False, False, add_eh)
417 acl_idx_fwd = self.create_acls_for_a_stream(stream_dict_fwd,
418 reflect_on_l2, True)
419
420 stream_dict_rev = self.create_stream(self.pg2, self.loop0,
421 not primary_is_bridged_to_routed,
422 self.pg_if_packet_sizes, is_ip6,
423 True, True, add_eh)
424 # We want the primary action to be "deny" rather than reflect
425 acl_idx_rev = self.create_acls_for_a_stream(stream_dict_rev,
426 reflect_on_l2, False)
427
428 if primary_is_bridged_to_routed:
429 inbound_l2_acl = acl_idx_fwd['L2']
430 else:
431 inbound_l2_acl = acl_idx_rev['L2']
432
433 if primary_is_routed_to_bridged:
434 outbound_l2_acl = acl_idx_fwd['L2']
435 else:
436 outbound_l2_acl = acl_idx_rev['L2']
437
438 if primary_is_routed_to_bridged:
439 inbound_l3_acl = acl_idx_fwd['L3']
440 else:
441 inbound_l3_acl = acl_idx_rev['L3']
442
443 if primary_is_bridged_to_routed:
444 outbound_l3_acl = acl_idx_fwd['L3']
445 else:
446 outbound_l3_acl = acl_idx_rev['L3']
447
448 self.api_acl_interface_set_acl_list(sw_if_index=self.pg2.sw_if_index,
449 count=2,
450 n_input=1,
451 acls=[inbound_l3_acl,
452 outbound_l3_acl])
453 self.api_acl_interface_set_acl_list(sw_if_index=self.pg0.sw_if_index,
454 count=2,
455 n_input=1,
456 acls=[inbound_l2_acl,
457 outbound_l2_acl])
458 self.api_acl_interface_set_acl_list(sw_if_index=self.pg1.sw_if_index,
459 count=2,
460 n_input=1,
461 acls=[inbound_l2_acl,
462 outbound_l2_acl])
463
464 def apply_acl_ip46_routed_to_bridged(self, test_l2_deny, is_ip6,
465 is_reflect, add_eh):
466 self.apply_acl_ip46_x_to_y(False, test_l2_deny, is_ip6,
467 is_reflect, add_eh)
468
469 def apply_acl_ip46_bridged_to_routed(self, test_l2_deny, is_ip6,
470 is_reflect, add_eh):
471 self.apply_acl_ip46_x_to_y(True, test_l2_deny, is_ip6,
472 is_reflect, add_eh)
473
474 def run_traffic_ip46_x_to_y(self, bridged_to_routed,
475 test_l2_deny, is_ip6,
476 is_reflect, is_established, add_eh):
477 self.reset_packet_infos()
478 stream_dict = self.create_stream(self.pg2, self.loop0,
479 bridged_to_routed,
480 self.pg_if_packet_sizes, is_ip6,
481 not is_reflect, is_established,
482 add_eh)
483 stream = stream_dict['stream']
484
485 tx_if = self.pg0 if bridged_to_routed else self.pg2
486 rx_if = self.pg2 if bridged_to_routed else self.pg0
487
488 tx_if.add_stream(stream)
489 self.pg_enable_capture(self.pg_interfaces)
490 self.pg_start()
491 packet_count = self.get_packet_count_for_if_idx(self.loop0.sw_if_index)
492 rcvd1 = rx_if.get_capture(packet_count)
493 self.verify_capture(self.loop0, self.pg2, rcvd1, bridged_to_routed)
494
495 def run_traffic_ip46_routed_to_bridged(self, test_l2_deny, is_ip6,
496 is_reflect, is_established, add_eh):
497 self.run_traffic_ip46_x_to_y(False, test_l2_deny, is_ip6,
498 is_reflect, is_established, add_eh)
499
500 def run_traffic_ip46_bridged_to_routed(self, test_l2_deny, is_ip6,
501 is_reflect, is_established, add_eh):
502 self.run_traffic_ip46_x_to_y(True, test_l2_deny, is_ip6,
503 is_reflect, is_established, add_eh)
504
505 def run_test_ip46_routed_to_bridged(self, test_l2_deny,
506 is_ip6, is_reflect, add_eh):
507 self.apply_acl_ip46_routed_to_bridged(test_l2_deny,
508 is_ip6, is_reflect, add_eh)
509 self.run_traffic_ip46_routed_to_bridged(test_l2_deny, is_ip6,
510 is_reflect, False, add_eh)
511
512 def run_test_ip46_bridged_to_routed(self, test_l2_deny,
513 is_ip6, is_reflect, add_eh):
514 self.apply_acl_ip46_bridged_to_routed(test_l2_deny,
515 is_ip6, is_reflect, add_eh)
516 self.run_traffic_ip46_bridged_to_routed(test_l2_deny, is_ip6,
517 is_reflect, False, add_eh)
518
519 def run_test_ip46_routed_to_bridged_and_back(self, test_l2_action,
520 is_ip6, add_eh):
521 self.apply_acl_ip46_both_directions_reflect(False, test_l2_action,
522 is_ip6, add_eh)
523 self.run_traffic_ip46_routed_to_bridged(test_l2_action, is_ip6,
524 True, False, add_eh)
525 self.run_traffic_ip46_bridged_to_routed(test_l2_action, is_ip6,
526 False, True, add_eh)
527
528 def run_test_ip46_bridged_to_routed_and_back(self, test_l2_action,
529 is_ip6, add_eh):
530 self.apply_acl_ip46_both_directions_reflect(True, test_l2_action,
531 is_ip6, add_eh)
532 self.run_traffic_ip46_bridged_to_routed(test_l2_action, is_ip6,
533 True, False, add_eh)
534 self.run_traffic_ip46_routed_to_bridged(test_l2_action, is_ip6,
535 False, True, add_eh)
536
537 def test_0000_ip6_irb_1(self):
538 """ ACL plugin prepare"""
539 if not self.vpp_dead:
540 cmd = "set acl-plugin session timeout udp idle 2000"
541 self.logger.info(self.vapi.ppcli(cmd))
542 # uncomment to not skip past the routing header
543 # and watch the EH tests fail
544 # self.logger.info(self.vapi.ppcli(
545 # "set acl-plugin skip-ipv6-extension-header 43 0"))
546 # uncomment to test the session limit (stateful tests will fail)
547 # self.logger.info(self.vapi.ppcli(
548 # "set acl-plugin session table max-entries 1"))
549 # new datapath is the default, but just in case
550 # self.logger.info(self.vapi.ppcli(
551 # "set acl-plugin l2-datapath new"))
552 # If you want to see some tests fail, uncomment the next line
553 # self.logger.info(self.vapi.ppcli(
554 # "set acl-plugin l2-datapath old"))
555
556 def test_0001_ip6_irb_1(self):
557 """ ACL IPv6 routed -> bridged, L2 ACL deny"""
558 self.run_test_ip46_routed_to_bridged(True, True, False,
559 self.WITHOUT_EH)
560
561 def test_0002_ip6_irb_1(self):
562 """ ACL IPv6 routed -> bridged, L3 ACL deny"""
563 self.run_test_ip46_routed_to_bridged(False, True, False,
564 self.WITHOUT_EH)
565
566 def test_0003_ip4_irb_1(self):
567 """ ACL IPv4 routed -> bridged, L2 ACL deny"""
568 self.run_test_ip46_routed_to_bridged(True, False, False,
569 self.WITHOUT_EH)
570
571 def test_0004_ip4_irb_1(self):
572 """ ACL IPv4 routed -> bridged, L3 ACL deny"""
573 self.run_test_ip46_routed_to_bridged(False, False, False,
574 self.WITHOUT_EH)
575
576 def test_0005_ip6_irb_1(self):
577 """ ACL IPv6 bridged -> routed, L2 ACL deny """
578 self.run_test_ip46_bridged_to_routed(True, True, False,
579 self.WITHOUT_EH)
580
581 def test_0006_ip6_irb_1(self):
582 """ ACL IPv6 bridged -> routed, L3 ACL deny """
583 self.run_test_ip46_bridged_to_routed(False, True, False,
584 self.WITHOUT_EH)
585
586 def test_0007_ip6_irb_1(self):
587 """ ACL IPv4 bridged -> routed, L2 ACL deny """
588 self.run_test_ip46_bridged_to_routed(True, False, False,
589 self.WITHOUT_EH)
590
591 def test_0008_ip6_irb_1(self):
592 """ ACL IPv4 bridged -> routed, L3 ACL deny """
593 self.run_test_ip46_bridged_to_routed(False, False, False,
594 self.WITHOUT_EH)
595
596 # Stateful ACL tests
597 def test_0101_ip6_irb_1(self):
598 """ ACL IPv6 routed -> bridged, L2 ACL permit+reflect"""
599 self.run_test_ip46_routed_to_bridged_and_back(True, True,
600 self.WITHOUT_EH)
601
602 def test_0102_ip6_irb_1(self):
603 """ ACL IPv6 bridged -> routed, L2 ACL permit+reflect"""
604 self.run_test_ip46_bridged_to_routed_and_back(True, True,
605 self.WITHOUT_EH)
606
607 def test_0103_ip6_irb_1(self):
608 """ ACL IPv4 routed -> bridged, L2 ACL permit+reflect"""
609 self.run_test_ip46_routed_to_bridged_and_back(True, False,
610 self.WITHOUT_EH)
611
612 def test_0104_ip6_irb_1(self):
613 """ ACL IPv4 bridged -> routed, L2 ACL permit+reflect"""
614 self.run_test_ip46_bridged_to_routed_and_back(True, False,
615 self.WITHOUT_EH)
616
617 def test_0111_ip6_irb_1(self):
618 """ ACL IPv6 routed -> bridged, L3 ACL permit+reflect"""
619 self.run_test_ip46_routed_to_bridged_and_back(False, True,
620 self.WITHOUT_EH)
621
622 def test_0112_ip6_irb_1(self):
623 """ ACL IPv6 bridged -> routed, L3 ACL permit+reflect"""
624 self.run_test_ip46_bridged_to_routed_and_back(False, True,
625 self.WITHOUT_EH)
626
627 def test_0113_ip6_irb_1(self):
628 """ ACL IPv4 routed -> bridged, L3 ACL permit+reflect"""
629 self.run_test_ip46_routed_to_bridged_and_back(False, False,
630 self.WITHOUT_EH)
631
632 def test_0114_ip6_irb_1(self):
633 """ ACL IPv4 bridged -> routed, L3 ACL permit+reflect"""
634 self.run_test_ip46_bridged_to_routed_and_back(False, False,
635 self.WITHOUT_EH)
636
637 # A block of tests with extension headers
638
639 def test_1001_ip6_irb_1(self):
640 """ ACL IPv6+EH routed -> bridged, L2 ACL deny"""
641 self.run_test_ip46_routed_to_bridged(True, True, False,
642 self.WITH_EH)
643
644 def test_1002_ip6_irb_1(self):
645 """ ACL IPv6+EH routed -> bridged, L3 ACL deny"""
646 self.run_test_ip46_routed_to_bridged(False, True, False,
647 self.WITH_EH)
648
649 def test_1005_ip6_irb_1(self):
650 """ ACL IPv6+EH bridged -> routed, L2 ACL deny """
651 self.run_test_ip46_bridged_to_routed(True, True, False,
652 self.WITH_EH)
653
654 def test_1006_ip6_irb_1(self):
655 """ ACL IPv6+EH bridged -> routed, L3 ACL deny """
656 self.run_test_ip46_bridged_to_routed(False, True, False,
657 self.WITH_EH)
658
659 def test_1101_ip6_irb_1(self):
660 """ ACL IPv6+EH routed -> bridged, L2 ACL permit+reflect"""
661 self.run_test_ip46_routed_to_bridged_and_back(True, True,
662 self.WITH_EH)
663
664 def test_1102_ip6_irb_1(self):
665 """ ACL IPv6+EH bridged -> routed, L2 ACL permit+reflect"""
666 self.run_test_ip46_bridged_to_routed_and_back(True, True,
667 self.WITH_EH)
668
669 def test_1111_ip6_irb_1(self):
670 """ ACL IPv6+EH routed -> bridged, L3 ACL permit+reflect"""
671 self.run_test_ip46_routed_to_bridged_and_back(False, True,
672 self.WITH_EH)
673
674 def test_1112_ip6_irb_1(self):
675 """ ACL IPv6+EH bridged -> routed, L3 ACL permit+reflect"""
676 self.run_test_ip46_bridged_to_routed_and_back(False, True,
677 self.WITH_EH)
678
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]679 # IPv4 with "MF" bit set
680
681 def test_1201_ip6_irb_1(self):
682 """ ACL IPv4+MF routed -> bridged, L2 ACL deny"""
683 self.run_test_ip46_routed_to_bridged(True, False, False,
684 self.WITH_EH)
685
686 def test_1202_ip6_irb_1(self):
687 """ ACL IPv4+MF routed -> bridged, L3 ACL deny"""
688 self.run_test_ip46_routed_to_bridged(False, False, False,
689 self.WITH_EH)
690
691 def test_1205_ip6_irb_1(self):
692 """ ACL IPv4+MF bridged -> routed, L2 ACL deny """
693 self.run_test_ip46_bridged_to_routed(True, False, False,
694 self.WITH_EH)
695
696 def test_1206_ip6_irb_1(self):
697 """ ACL IPv4+MF bridged -> routed, L3 ACL deny """
698 self.run_test_ip46_bridged_to_routed(False, False, False,
699 self.WITH_EH)
700
701 def test_1301_ip6_irb_1(self):
702 """ ACL IPv4+MF routed -> bridged, L2 ACL permit+reflect"""
703 self.run_test_ip46_routed_to_bridged_and_back(True, False,
704 self.WITH_EH)
705
706 def test_1302_ip6_irb_1(self):
707 """ ACL IPv4+MF bridged -> routed, L2 ACL permit+reflect"""
708 self.run_test_ip46_bridged_to_routed_and_back(True, False,
709 self.WITH_EH)
710
711 def test_1311_ip6_irb_1(self):
712 """ ACL IPv4+MF routed -> bridged, L3 ACL permit+reflect"""
713 self.run_test_ip46_routed_to_bridged_and_back(False, False,
714 self.WITH_EH)
715
716 def test_1312_ip6_irb_1(self):
717 """ ACL IPv4+MF bridged -> routed, L3 ACL permit+reflect"""
718 self.run_test_ip46_bridged_to_routed_and_back(False, False,
719 self.WITH_EH)
720
Andrew Yourtchenkod2a59be2017-03-21 10:31:55 +0100[diff] [blame]721if __name__ == '__main__':
722 unittest.main(testRunner=VppTestRunner)