Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 43b1f44571fd6989d6442723433cad28a5ab244f / . / test / test_acl_plugin_macip.py
blob: bf87e02ecd9dba53f006c338e4663853a67f83a3 [file] [log] [blame]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1#!/usr/bin/env python
2"""ACL plugin - MACIP tests
3"""
4import random
5import re
6import unittest
7
8from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
9from struct import *
10from scapy.packet import Raw
11from scapy.layers.l2 import Ether
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]12from scapy.layers.inet import IP, UDP
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]13from scapy.layers.inet6 import IPv6
14
15from framework import VppTestCase, VppTestRunner, running_extended_tests
16from vpp_lo_interface import VppLoInterface
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]17from vpp_papi_provider import L2_VTR_OP
18from vpp_sub_interface import VppSubInterface, VppDot1QSubint, VppDot1ADSubint
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]19
20
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]21class MethodHolder(VppTestCase):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]22 DEBUG = False
23
24 BRIDGED = True
25 ROUTED = False
26
27 IS_IP4 = False
28 IS_IP6 = True
29
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]30 DOT1AD = "dot1ad"
31 DOT1Q = "dot1q"
32 PERMIT_TAGS = True
33 DENY_TAGS = False
34
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]35 # rule types
36 DENY = 0
37 PERMIT = 1
38
39 # ACL types
40 EXACT_IP = 1
41 SUBNET_IP = 2
42 WILD_IP = 3
43
44 EXACT_MAC = 1
45 WILD_MAC = 2
46 OUI_MAC = 3
47
48 ACLS = []
49
50 @classmethod
51 def setUpClass(cls):
52 """
53 Perform standard class setup (defined by class method setUpClass in
54 class VppTestCase) before running the test case, set test case related
55 variables and configure VPP.
56 """
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]57 super(MethodHolder, cls).setUpClass()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]58
59 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]60 cls.bd_id = 111
61 cls.remote_hosts_count = 200
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]62
63 try:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]64 # create 4 pg interfaces, 1 loopback interface
65 cls.create_pg_interfaces(range(4))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]66 cls.create_loopback_interfaces(range(1))
67
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]68 # create 2 subinterfaces
69 cls.subifs = [
70 VppDot1QSubint(cls, cls.pg1, 10),
71 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
72 VppDot1QSubint(cls, cls.pg3, 30),
73 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
74
75 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
76 inner=10, push1q=1)
77 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
78 outer=300, inner=400, push1q=1)
79 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
80 inner=30, push1q=1)
81 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
82 outer=600, inner=700, push1q=1)
83
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]84 cls.interfaces = list(cls.pg_interfaces)
85 cls.interfaces.extend(cls.lo_interfaces)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]86 cls.interfaces.extend(cls.subifs)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]87
88 for i in cls.interfaces:
89 i.admin_up()
90
91 # Create BD with MAC learning enabled and put interfaces to this BD
92 cls.vapi.sw_interface_set_l2_bridge(
93 cls.loop0.sw_if_index, bd_id=cls.bd_id, bvi=1)
94 cls.vapi.sw_interface_set_l2_bridge(
95 cls.pg0.sw_if_index, bd_id=cls.bd_id)
96 cls.vapi.sw_interface_set_l2_bridge(
97 cls.pg1.sw_if_index, bd_id=cls.bd_id)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]98 cls.vapi.sw_interface_set_l2_bridge(
99 cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
100 cls.vapi.sw_interface_set_l2_bridge(
101 cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]102
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]103 # Configure IPv4/6 addresses on loop interface and routed interface
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]104 cls.loop0.config_ip4()
105 cls.loop0.config_ip6()
106 cls.pg2.config_ip4()
107 cls.pg2.config_ip6()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]108 cls.pg3.config_ip4()
109 cls.pg3.config_ip6()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]110
111 # Configure MAC address binding to IPv4 neighbors on loop0
112 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
113 # Modify host mac addresses to have different OUI parts
114 for i in range(2, cls.remote_hosts_count + 2):
115 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
116 mac[2] = format(int(mac[2], 16) + i, "02x")
117 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
118
119 cls.loop0.configure_ipv4_neighbors()
120 cls.loop0.configure_ipv6_neighbors()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]121
122 # configure MAC address on pg3
123 cls.pg3.resolve_arp()
124 cls.pg3.resolve_ndp()
125
126 # configure MAC address on subifs
127 for i in cls.subifs:
128 i.config_ip4()
129 i.resolve_arp()
130 i.config_ip6()
131
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]132 # configure MAC address on pg2
133 cls.pg2.resolve_arp()
134 cls.pg2.resolve_ndp()
135
136 # Loopback BVI interface has remote hosts
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]137 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
138 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
139 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
140 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
141 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
142 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]143
144 except Exception:
145 super(TestMACIP, cls).tearDownClass()
146 raise
147
148 def setUp(self):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]149 super(MethodHolder, self).setUp()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]150 self.reset_packet_infos()
151 del self.ACLS[:]
152
153 def tearDown(self):
154 """
155 Show various debug prints after each test.
156 """
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]157 super(MethodHolder, self).tearDown()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]158 if not self.vpp_dead:
159 self.logger.info(self.vapi.ppcli("show interface address"))
160 self.logger.info(self.vapi.ppcli("show hardware"))
161 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
162 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
163 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]164 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
165 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
166 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]167 # print self.vapi.ppcli("show interface address")
168 # print self.vapi.ppcli("show hardware")
169 # print self.vapi.ppcli("sh acl-plugin macip interface")
170 # print self.vapi.ppcli("sh acl-plugin macip acl")
171 self.delete_acls()
172
173 def macip_acl_dump_debug(self):
174 acls = self.vapi.macip_acl_dump()
175 if self.DEBUG:
176 for acl in acls:
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]177 print "ACL #"+str(acl.acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]178 for r in acl.r:
179 rule = "ACTION"
180 if r.is_permit == 1:
181 rule = "PERMIT"
182 elif r.is_permit == 0:
183 rule = "DENY "
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]184 print " IP6" if r.is_ipv6 else " IP4", \
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]185 rule, \
186 r.src_mac.encode('hex'), \
187 r.src_mac_mask.encode('hex'),\
188 unpack('<16B', r.src_ip_addr), \
189 r.src_ip_prefix_len
190 return acls
191
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]192 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
193 acl_count=1, rules_count=[1]):
194 acls = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]195 src_mac = int("220000dead00", 16)
196 for acl in range(2, (acl_count+1) * 2):
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]197 rules = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]198 host = random.choice(self.loop0.remote_hosts)
199 is_ip6 = acl % 2
200 ip4 = host.ip4.split('.')
201 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
202
203 if ip_type == self.EXACT_IP:
204 prefix_len4 = 32
205 prefix_len6 = 128
206 elif ip_type == self.WILD_IP:
207 ip4 = [0, 0, 0, 0]
208 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
209 prefix_len4 = 0
210 prefix_len6 = 0
211 rules_count[(acl / 2) - 1] = 1
212 else:
213 prefix_len4 = 24
214 prefix_len6 = 64
215
216 if mac_type == self.EXACT_MAC:
217 mask = "ff:ff:ff:ff:ff:ff"
218 elif mac_type == self.WILD_MAC:
219 mask = "00:00:00:00:00:00"
220 elif mac_type == self.OUI_MAC:
221 mask = "ff:ff:ff:00:00:00"
222 else:
223 mask = "ff:ff:ff:ff:ff:00"
224
225 ip = ip6 if is_ip6 else ip4
226 ip_len = prefix_len6 if is_ip6 else prefix_len4
227
228 for i in range(0, rules_count[(acl / 2) - 1]):
229 src_mac += 16777217
230 if mac_type == self.WILD_MAC:
231 mac = "00:00:00:00:00:00"
232 elif mac_type == self.OUI_MAC:
233 mac = ':'.join(re.findall('..', '{:02x}'.format(
234 src_mac))[:3])+":00:00:00"
235 else:
236 mac = ':'.join(re.findall('..', '{:02x}'.format(src_mac)))
237
238 if ip_type == self.EXACT_IP:
239 ip4[3] = random.randint(100, 200)
240 ip6[15] = random.randint(100, 200)
241 elif ip_type == self.SUBNET_IP:
242 ip4[2] = random.randint(100, 200)
243 ip4[3] = 0
244 ip6[8] = random.randint(100, 200)
245 ip6[15] = 0
246 ip_pack = ''
247 for j in range(0, len(ip)):
248 ip_pack += pack('<B', int(ip[j]))
249
250 rule = ({'is_permit': self.PERMIT,
251 'is_ipv6': is_ip6,
252 'src_ip_addr': ip_pack,
253 'src_ip_prefix_len': ip_len,
254 'src_mac': mac.replace(':', '').decode('hex'),
255 'src_mac_mask': mask.replace(':', '').decode('hex')})
256 rules.append(rule)
257 if ip_type == self.WILD_IP:
258 break
259
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]260 acls.append(rules)
261 src_mac += 1099511627776
262 return acls
263
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]264 def apply_macip_rules(self, acls):
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]265 for acl in acls:
266 reply = self.vapi.macip_acl_add(acl)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]267 self.assertEqual(reply.retval, 0)
268 self.ACLS.append(reply.acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]269
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]270 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]271 reply = self.macip_acl_dump_debug()
272 for acl in range(2, (acl_count+1) * 2):
273 self.assertEqual(reply[acl - 2].count, rules_count[acl/2-1])
274
275 self.vapi.macip_acl_interface_get()
276
277 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
278 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
279
280 reply = self.vapi.macip_acl_interface_get()
281 self.assertEqual(reply.count, expected_count)
282
283 def delete_acls(self):
284 for acl in range(len(self.ACLS)-1, -1, -1):
285 self.vapi.macip_acl_del(self.ACLS[acl])
286
287 reply = self.vapi.macip_acl_dump()
288 self.assertEqual(len(reply), 0)
289
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]290 intf_acls = self.vapi.ppcli("sh acl-plugin interface").split(
291 "\nsw_if_index")
292 for i_a in intf_acls:
293 ia = i_a.split(":")
294 if len(ia) == 3:
295 sw_if_index = int(ia[0])
296 acl_index = int(ia[2])
297 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
298 self.vapi.acl_del(acl_index)
299
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]300 def create_stream(self, mac_type, ip_type, packet_count,
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]301 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]302 # exact MAC and exact IP
303 # exact MAC and subnet of IPs
304 # exact MAC and wildcard IP
305 # wildcard MAC and exact IP
306 # wildcard MAC and subnet of IPs
307 # wildcard MAC and wildcard IP
308 # OUI restricted MAC and exact IP
309 # OUI restricted MAC and subnet of IPs
310 # OUI restricted MAC and wildcard IP
311
312 packets = []
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]313 macip_rules = []
314 acl_rules = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]315 ip_permit = ""
316 mac_permit = ""
317 dst_mac = ""
318 mac_rule = "00:00:00:00:00:00"
319 mac_mask = "00:00:00:00:00:00"
320 for p in range(0, packet_count):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]321 remote_dst_index = p % len(dst_if.remote_hosts)
322 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]323
324 dst_port = 1234 + p
325 src_port = 4321 + p
326 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
327 denyMAC = True if not is_permit and p % 3 == 1 else False
328 denyIP = True if not is_permit and p % 3 == 2 else False
329 if not is_permit and ip_type == self.WILD_IP:
330 denyMAC = True
331 if not is_permit and mac_type == self.WILD_MAC:
332 denyIP = True
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]333
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]334 if traffic == self.BRIDGED:
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]335 if is_permit:
336 src_mac = remote_dst_host._mac
337 dst_mac = 'de:ad:00:00:00:00'
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]338 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]339 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]340 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]341 dst_ip6 = src_if.remote_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]342 ip_permit = src_ip6 if is_ip6 else src_ip4
343 mac_permit = src_mac
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]344 if denyMAC:
345 mac = src_mac.split(':')
346 mac[0] = format(int(mac[0], 16)+1, "02x")
347 src_mac = ":".join(mac)
348 if is_ip6:
349 src_ip6 = ip_permit
350 else:
351 src_ip4 = ip_permit
352 if denyIP:
353 if ip_type != self.WILD_IP:
354 src_mac = mac_permit
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]355 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]356 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]357 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]358 dst_ip6 = src_if.remote_ip6
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]359 else:
360 if is_permit:
361 src_mac = remote_dst_host._mac
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]362 dst_mac = src_if.local_mac
363 src_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]364 dst_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]365 src_ip6 = src_if.remote_ip6
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]366 dst_ip6 = remote_dst_host.ip6
367 ip_permit = src_ip6 if is_ip6 else src_ip4
368 mac_permit = src_mac
369 if denyMAC:
370 mac = src_mac.split(':')
371 mac[0] = format(int(mac[0], 16) + 1, "02x")
372 src_mac = ":".join(mac)
373 if is_ip6:
374 src_ip6 = ip_permit
375 else:
376 src_ip4 = ip_permit
377 if denyIP:
378 src_mac = remote_dst_host._mac
379 if ip_type != self.WILD_IP:
380 src_mac = mac_permit
381 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]382 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]383 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]384 dst_ip6 = src_if.remote_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]385
386 if is_permit:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]387 info = self.create_packet_info(src_if, dst_if)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]388 payload = self.info_to_payload(info)
389 else:
390 payload = "to be blocked"
391
392 if mac_type == self.WILD_MAC:
393 mac = src_mac.split(':')
394 for i in range(1, 5):
395 mac[i] = format(random.randint(0, 255), "02x")
396 src_mac = ":".join(mac)
397
398 # create packet
399 packet = Ether(src=src_mac, dst=dst_mac)
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]400 ip_rule = src_ip6 if is_ip6 else src_ip4
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]401 if is_ip6:
402 if ip_type != self.EXACT_IP:
403 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
404 if ip_type == self.WILD_IP:
405 sub_ip[0] = random.randint(240, 254)
406 sub_ip[1] = random.randint(230, 239)
407 sub_ip[14] = random.randint(100, 199)
408 sub_ip[15] = random.randint(200, 255)
409 elif ip_type == self.SUBNET_IP:
410 if denyIP:
411 sub_ip[2] = str(int(sub_ip[2]) + 1)
412 sub_ip[14] = random.randint(100, 199)
413 sub_ip[15] = random.randint(200, 255)
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]414 src_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]415 packet /= IPv6(src=src_ip6, dst=dst_ip6)
416 else:
417 if ip_type != self.EXACT_IP:
418 sub_ip = ip_rule.split('.')
419 if ip_type == self.WILD_IP:
420 sub_ip[0] = str(random.randint(1, 49))
421 sub_ip[1] = str(random.randint(50, 99))
422 sub_ip[2] = str(random.randint(100, 199))
423 sub_ip[3] = str(random.randint(200, 255))
424 elif ip_type == self.SUBNET_IP:
425 if denyIP:
426 sub_ip[1] = str(int(sub_ip[1])+1)
427 sub_ip[2] = str(random.randint(100, 199))
428 sub_ip[3] = str(random.randint(200, 255))
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]429 src_ip4 = ".".join(sub_ip)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]430 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
431
432 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
433
434 packet[Raw].load += " mac:"+src_mac
435
436 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]437 if isinstance(src_if, VppSubInterface):
438 size = size + 4
439 if isinstance(src_if, VppDot1QSubint):
440 if src_if is self.subifs[0]:
441 if tags == self.PERMIT_TAGS:
442 packet = src_if.add_dot1q_layer(packet, 10)
443 else:
444 packet = src_if.add_dot1q_layer(packet, 11)
445 else:
446 if tags == self.PERMIT_TAGS:
447 packet = src_if.add_dot1q_layer(packet, 30)
448 else:
449 packet = src_if.add_dot1q_layer(packet, 33)
450 elif isinstance(src_if, VppDot1ADSubint):
451 if src_if is self.subifs[1]:
452 if tags == self.PERMIT_TAGS:
453 packet = src_if.add_dot1ad_layer(packet, 300, 400)
454 else:
455 packet = src_if.add_dot1ad_layer(packet, 333, 444)
456 else:
457 if tags == self.PERMIT_TAGS:
458 packet = src_if.add_dot1ad_layer(packet, 600, 700)
459 else:
460 packet = src_if.add_dot1ad_layer(packet, 666, 777)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]461 self.extend_packet(packet, size)
462 packets.append(packet)
463
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]464 # create suitable MACIP rule
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]465 if mac_type == self.EXACT_MAC:
466 mac_rule = src_mac
467 mac_mask = "ff:ff:ff:ff:ff:ff"
468 elif mac_type == self.WILD_MAC:
469 mac_rule = "00:00:00:00:00:00"
470 mac_mask = "00:00:00:00:00:00"
471 elif mac_type == self.OUI_MAC:
472 mac = src_mac.split(':')
473 mac[3] = mac[4] = mac[5] = '00'
474 mac_rule = ":".join(mac)
475 mac_mask = "ff:ff:ff:00:00:00"
476
477 if is_ip6:
478 if ip_type == self.WILD_IP:
479 ip = "0::0"
480 else:
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]481 ip = src_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]482 if ip_type == self.SUBNET_IP:
483 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
484 for i in range(8, 16):
485 sub_ip[i] = 0
486 ip = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
487 else:
488 if ip_type == self.WILD_IP:
489 ip = "0.0.0.0"
490 else:
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]491 ip = src_ip4
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]492 if ip_type == self.SUBNET_IP:
493 sub_ip = ip.split('.')
494 sub_ip[2] = sub_ip[3] = '0'
495 ip = ".".join(sub_ip)
496
497 prefix_len = 128 if is_ip6 else 32
498 if ip_type == self.WILD_IP:
499 prefix_len = 0
500 elif ip_type == self.SUBNET_IP:
501 prefix_len = 64 if is_ip6 else 16
502 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
503
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]504 # create suitable ACL rule
505 if is_permit:
506 rule_l4_sport = packet[UDP].sport
507 rule_l4_dport = packet[UDP].dport
508 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
509 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
510 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
511 if packet.haslayer(IPv6):
512 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
513 else:
514 rule_l4_proto = packet[IP].proto
515
516 acl_rule = {
517 'is_permit': is_permit,
518 'is_ipv6': is_ip6,
519 'src_ip_addr': inet_pton(rule_family,
520 packet[rule_l3_layer].src),
521 'src_ip_prefix_len': rule_prefix_len,
522 'dst_ip_addr': inet_pton(rule_family,
523 packet[rule_l3_layer].dst),
524 'dst_ip_prefix_len': rule_prefix_len,
525 'srcport_or_icmptype_first': rule_l4_sport,
526 'srcport_or_icmptype_last': rule_l4_sport,
527 'dstport_or_icmpcode_first': rule_l4_dport,
528 'dstport_or_icmpcode_last': rule_l4_dport,
529 'proto': rule_l4_proto}
530 acl_rules.append(acl_rule)
531
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]532 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
533 continue
534
535 if is_permit:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]536 macip_rule = ({
537 'is_permit': is_permit,
538 'is_ipv6': is_ip6,
539 'src_ip_addr': ip_rule,
540 'src_ip_prefix_len': prefix_len,
541 'src_mac': mac_rule.replace(':', '').decode('hex'),
542 'src_mac_mask': mac_mask.replace(':', '').decode('hex')})
543 macip_rules.append(macip_rule)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]544
545 # deny all other packets
546 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]547 macip_rule = ({'is_permit': 0,
548 'is_ipv6': is_ip6,
549 'src_ip_addr': "",
550 'src_ip_prefix_len': 0,
551 'src_mac': "",
552 'src_mac_mask': ""})
553 macip_rules.append(macip_rule)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]554
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]555 acl_rule = {'is_permit': 0,
556 'is_ipv6': is_ip6}
557 acl_rules.append(acl_rule)
558 return {'stream': packets,
559 'macip_rules': macip_rules,
560 'acl_rules': acl_rules}
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]561
562 def verify_capture(self, stream, capture, is_ip6):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]563 """
564 :param stream:
565 :param capture:
566 :param is_ip6:
567 :return:
568 """
569 # p_l3 = IPv6 if is_ip6 else IP
570 # if self.DEBUG:
571 # for p in stream:
572 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
573 #
574 # acls = self.macip_acl_dump_debug()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]575
576 # TODO : verify
577 # for acl in acls:
578 # for r in acl.r:
579 # print r.src_mac.encode('hex'), \
580 # r.src_mac_mask.encode('hex'),\
581 # unpack('<16B', r.src_ip_addr), \
582 # r.src_ip_prefix_len
583 #
584 # for p in capture:
585 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
586 # data = p[Raw].load.split(':',1)[1]
587 # print p[p_l3].src, data
588
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]589 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
590 do_not_expected_capture=False, tags=None,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]591 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
592 try_replace=False):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]593 self.reset_packet_infos()
594
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]595 if tags is None:
596 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
597 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
598 src_if = self.pg3
599 dst_if = self.loop0
600 else:
601 if tags == self.DOT1Q:
602 if traffic == self.BRIDGED:
603 tx_if = self.subifs[0]
604 rx_if = self.pg0
605 src_if = self.subifs[0]
606 dst_if = self.loop0
607 else:
608 tx_if = self.subifs[2]
609 rx_if = self.pg0
610 src_if = self.subifs[2]
611 dst_if = self.loop0
612 elif tags == self.DOT1AD:
613 if traffic == self.BRIDGED:
614 tx_if = self.subifs[1]
615 rx_if = self.pg0
616 src_if = self.subifs[1]
617 dst_if = self.loop0
618 else:
619 tx_if = self.subifs[3]
620 rx_if = self.pg0
621 src_if = self.subifs[3]
622 dst_if = self.loop0
623 else:
624 return
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]625
626 test_dict = self.create_stream(mac_type, ip_type, packets,
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]627 src_if, dst_if,
628 traffic, is_ip6,
629 tags=permit_tags)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]630
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]631 if apply_rules:
632 if isMACIP:
633 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
634 else:
635 reply = self.vapi.acl_add_replace(acl_index=4294967295,
636 r=test_dict['acl_rules'])
637 self.assertEqual(reply.retval, 0)
638 acl_index = reply.acl_index
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]639
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]640 if isMACIP:
641 self.vapi.macip_acl_interface_add_del(
642 sw_if_index=tx_if.sw_if_index,
643 acl_index=acl_index)
644 reply = self.vapi.macip_acl_interface_get()
645 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
646 self.ACLS.append(reply.acls[tx_if.sw_if_index])
647 else:
648 self.vapi.acl_interface_add_del(
649 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
650 else:
651 self.vapi.macip_acl_interface_add_del(
652 sw_if_index=tx_if.sw_if_index,
653 acl_index=0)
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]654 if try_replace:
655 if isMACIP:
656 reply = self.vapi.macip_acl_add_replace(
657 test_dict['macip_rules'],
658 acl_index)
659 else:
660 reply = self.vapi.acl_add_replace(acl_index=acl_index,
661 r=test_dict['acl_rules'])
662 self.assertEqual(reply.retval, 0)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]663
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]664 if not isinstance(src_if, VppSubInterface):
665 tx_if.add_stream(test_dict['stream'])
666 else:
667 tx_if.parent.add_stream(test_dict['stream'])
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]668 self.pg_enable_capture(self.pg_interfaces)
669 self.pg_start()
670
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]671 if do_not_expected_capture:
672 rx_if.get_capture(0)
673 else:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]674 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
675 ip_type == self.WILD_IP:
676 capture = rx_if.get_capture(packets)
677 else:
678 capture = rx_if.get_capture(
679 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]680 self.verify_capture(test_dict['stream'], capture, is_ip6)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]681 if not isMACIP:
682 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
683 acl_index=acl_index, is_add=0)
684 self.vapi.acl_del(acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]685
686 def run_test_acls(self, mac_type, ip_type, acl_count,
687 rules_count, traffic=None, ip=None):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]688 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
689 rules_count))
690 self.verify_macip_acls(acl_count, rules_count)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]691
692 if traffic is not None:
693 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
694
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]695
696class TestMACIP_IP4(MethodHolder):
697 """MACIP with IP4 traffic"""
698
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]699 def test_acl_bridged_ip4_exactMAC_exactIP(self):
700 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]701 """
702 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
703 self.BRIDGED, self.IS_IP4, 9)
704
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]705 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
706 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]707 """
708
709 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
710 self.BRIDGED, self.IS_IP4, 9)
711
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]712 def test_acl_bridged_ip4_exactMAC_wildIP(self):
713 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]714 """
715
716 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
717 self.BRIDGED, self.IS_IP4, 9)
718
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]719 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
720 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]721 """
722
723 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
724 self.BRIDGED, self.IS_IP4, 3)
725
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]726 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
727 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]728 """
729
730 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
731 self.BRIDGED, self.IS_IP4, 9)
732
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]733 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
734 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]735 """
736
737 self.run_traffic(self.OUI_MAC, self.WILD_IP,
738 self.BRIDGED, self.IS_IP4, 9)
739
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]740 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
741 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]742 """
743
744 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
745 self.BRIDGED, self.IS_IP4, 9)
746
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]747 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
748 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]749 """
750
751 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
752 self.BRIDGED, self.IS_IP4, 9)
753
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]754 def test_acl_bridged_ip4_wildMAC_wildIP(self):
755 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]756 """
757
758 self.run_traffic(self.WILD_MAC, self.WILD_IP,
759 self.BRIDGED, self.IS_IP4, 9)
760
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]761 def test_acl_routed_ip4_exactMAC_exactIP(self):
762 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
763 """
764 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
765 self.ROUTED, self.IS_IP4, 9)
766
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]767 def test_acl_routed_ip4_exactMAC_subnetIP(self):
768 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
769 """
770 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
771 self.ROUTED, self.IS_IP4, 9)
772
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]773 def test_acl_routed_ip4_exactMAC_wildIP(self):
774 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
775 """
776 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
777 self.ROUTED, self.IS_IP4, 9)
778
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]779 def test_acl_routed_ip4_ouiMAC_exactIP(self):
780 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
781 """
782
783 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
784 self.ROUTED, self.IS_IP4, 9)
785
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]786 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
787 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
788 """
789
790 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
791 self.ROUTED, self.IS_IP4, 9)
792
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]793 def test_acl_routed_ip4_ouiMAC_wildIP(self):
794 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
795 """
796
797 self.run_traffic(self.OUI_MAC, self.WILD_IP,
798 self.ROUTED, self.IS_IP4, 9)
799
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]800 def test_acl_routed_ip4_wildMAC_exactIP(self):
801 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
802 """
803
804 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
805 self.ROUTED, self.IS_IP4, 9)
806
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]807 def test_acl_routed_ip4_wildMAC_subnetIP(self):
808 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
809 """
810
811 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
812 self.ROUTED, self.IS_IP4, 9)
813
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]814 def test_acl_routed_ip4_wildMAC_wildIP(self):
815 """ IP4 MACIP wildcardMAC|wildIP ACL
816 """
817
818 self.run_traffic(self.WILD_MAC, self.WILD_IP,
819 self.ROUTED, self.IS_IP4, 9)
820
821 def test_acl_replace_traffic_ip4(self):
822 """ MACIP replace ACL with IP4 traffic
823 """
824 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]825 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]826 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]827 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]828
829
830class TestMACIP_IP6(MethodHolder):
831 """MACIP with IP6 traffic"""
832
833 def test_acl_bridged_ip6_exactMAC_exactIP(self):
834 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
835 """
836
837 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
838 self.BRIDGED, self.IS_IP6, 9)
839
840 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
841 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
842 """
843
844 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
845 self.BRIDGED, self.IS_IP6, 9)
846
847 def test_acl_bridged_ip6_exactMAC_wildIP(self):
848 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
849 """
850
851 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
852 self.BRIDGED, self.IS_IP6, 9)
853
854 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
855 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
856 """
857
858 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
859 self.BRIDGED, self.IS_IP6, 9)
860
861 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
862 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
863 """
864
865 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
866 self.BRIDGED, self.IS_IP6, 9)
867
868 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
869 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
870 """
871
872 self.run_traffic(self.OUI_MAC, self.WILD_IP,
873 self.BRIDGED, self.IS_IP6, 9)
874
875 def test_acl_bridged_ip6_wildMAC_exactIP(self):
876 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
877 """
878
879 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
880 self.BRIDGED, self.IS_IP6, 9)
881
882 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
883 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
884 """
885
886 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
887 self.BRIDGED, self.IS_IP6, 9)
888
889 def test_acl_bridged_ip6_wildMAC_wildIP(self):
890 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
891 """
892
893 self.run_traffic(self.WILD_MAC, self.WILD_IP,
894 self.BRIDGED, self.IS_IP6, 9)
895
896 def test_acl_routed_ip6_exactMAC_exactIP(self):
897 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
898 """
899
900 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
901 self.ROUTED, self.IS_IP6, 9)
902
903 def test_acl_routed_ip6_exactMAC_subnetIP(self):
904 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
905 """
906
907 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
908 self.ROUTED, self.IS_IP6, 9)
909
910 def test_acl_routed_ip6_exactMAC_wildIP(self):
911 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
912 """
913
914 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
915 self.ROUTED, self.IS_IP6, 9)
916
917 def test_acl_routed_ip6_ouiMAC_exactIP(self):
918 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
919 """
920
921 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
922 self.ROUTED, self.IS_IP6, 9)
923
924 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
925 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
926 """
927
928 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
929 self.ROUTED, self.IS_IP6, 9)
930
931 def test_acl_routed_ip6_ouiMAC_wildIP(self):
932 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
933 """
934
935 self.run_traffic(self.OUI_MAC, self.WILD_IP,
936 self.ROUTED, self.IS_IP6, 9)
937
938 def test_acl_routed_ip6_wildMAC_exactIP(self):
939 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
940 """
941
942 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
943 self.ROUTED, self.IS_IP6, 9)
944
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]945 def test_acl_routed_ip6_wildMAC_subnetIP(self):
946 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
947 """
948
949 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
950 self.ROUTED, self.IS_IP6, 9)
951
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]952 def test_acl_routed_ip6_wildMAC_wildIP(self):
953 """ IP6 MACIP wildcardMAC|wildIP ACL
954 """
955
956 self.run_traffic(self.WILD_MAC, self.WILD_IP,
957 self.ROUTED, self.IS_IP6, 9)
958
959 def test_acl_replace_traffic_ip6(self):
960 """ MACIP replace ACL with IP6 traffic
961 """
962 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]963 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]964 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]965 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]966
967
968class TestMACIP(MethodHolder):
969 """MACIP Tests"""
970
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]971 def test_acl_1_2(self):
972 """ MACIP ACL with 2 entries
973 """
974
975 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
976
977 def test_acl_1_5(self):
978 """ MACIP ACL with 5 entries
979 """
980
981 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
982
983 def test_acl_1_10(self):
984 """ MACIP ACL with 10 entries
985 """
986
987 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
988
989 def test_acl_1_20(self):
990 """ MACIP ACL with 20 entries
991 """
992
993 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
994
995 def test_acl_1_50(self):
996 """ MACIP ACL with 50 entries
997 """
998
999 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1000
1001 def test_acl_1_100(self):
1002 """ MACIP ACL with 100 entries
1003 """
1004
1005 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1006
1007 def test_acl_2_X(self):
1008 """ MACIP 2 ACLs each with 100+ entries
1009 """
1010
1011 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1012
1013 def test_acl_10_X(self):
1014 """ MACIP 10 ACLs each with 100+ entries
1015 """
1016
1017 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1018 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1019
1020 def test_acl_10_X_traffic_ip4(self):
1021 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1022 """
1023
1024 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1025 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1026 self.BRIDGED, self.IS_IP4)
1027
1028 def test_acl_10_X_traffic_ip6(self):
1029 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1030 """
1031
1032 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1033 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1034 self.BRIDGED, self.IS_IP6)
1035
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]1036 def test_acl_replace(self):
1037 """ MACIP replace ACL
1038 """
1039
1040 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1041 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1042 self.apply_macip_rules(r1)
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]1043
1044 acls_before = self.macip_acl_dump_debug()
1045
1046 # replace acls #2, #3 with new
1047 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1048 self.assertEqual(reply.retval, 0)
1049 self.assertEqual(reply.acl_index, 2)
1050 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1051 self.assertEqual(reply.retval, 0)
1052 self.assertEqual(reply.acl_index, 3)
1053
1054 acls_after = self.macip_acl_dump_debug()
1055
1056 # verify changes
1057 self.assertEqual(len(acls_before), len(acls_after))
1058 for acl1, acl2 in zip(
1059 acls_before[:2]+acls_before[4:],
1060 acls_after[:2]+acls_after[4:]):
1061 self.assertEqual(len(acl1), len(acl2))
1062
1063 self.assertEqual(len(acl1.r), len(acl2.r))
1064 for r1, r2 in zip(acl1.r, acl2.r):
1065 self.assertEqual(len(acl1.r), len(acl2.r))
1066 self.assertEqual(acl1.r, acl2.r)
1067 for acl1, acl2 in zip(
1068 acls_before[2:4],
1069 acls_after[2:4]):
1070 self.assertEqual(len(acl1), len(acl2))
1071
1072 self.assertNotEqual(len(acl1.r), len(acl2.r))
1073 for r1, r2 in zip(acl1.r, acl2.r):
1074 self.assertNotEqual(len(acl1.r), len(acl2.r))
1075 self.assertNotEqual(acl1.r, acl2.r)
1076
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1077 def test_delete_intf(self):
1078 """ MACIP ACL delete intf with acl
1079 """
1080
1081 intf_count = len(self.interfaces)+1
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1082 intf = []
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1083 self.apply_macip_rules(self.create_rules(acl_count=3,
1084 rules_count=[3, 5, 4]))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1085
1086 intf.append(VppLoInterface(self, 0))
1087 intf.append(VppLoInterface(self, 1))
1088
1089 sw_if_index0 = intf[0].sw_if_index
1090 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1091
1092 reply = self.vapi.macip_acl_interface_get()
1093 self.assertEqual(reply.count, intf_count+1)
1094 self.assertEqual(reply.acls[sw_if_index0], 1)
1095
1096 sw_if_index1 = intf[1].sw_if_index
1097 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1098
1099 reply = self.vapi.macip_acl_interface_get()
1100 self.assertEqual(reply.count, intf_count+2)
1101 self.assertEqual(reply.acls[sw_if_index1], 0)
1102
1103 intf[0].remove_vpp_config()
1104 reply = self.vapi.macip_acl_interface_get()
1105 self.assertEqual(reply.count, intf_count+2)
1106 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1107 self.assertEqual(reply.acls[sw_if_index1], 0)
1108
1109 intf.append(VppLoInterface(self, 2))
1110 intf.append(VppLoInterface(self, 3))
1111 sw_if_index2 = intf[2].sw_if_index
1112 sw_if_index3 = intf[3].sw_if_index
1113 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1114 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1115
1116 reply = self.vapi.macip_acl_interface_get()
1117 self.assertEqual(reply.count, intf_count+3)
1118 self.assertEqual(reply.acls[sw_if_index1], 0)
1119 self.assertEqual(reply.acls[sw_if_index2], 1)
1120 self.assertEqual(reply.acls[sw_if_index3], 1)
1121
1122 intf[2].remove_vpp_config()
1123 intf[1].remove_vpp_config()
1124
1125 reply = self.vapi.macip_acl_interface_get()
1126 self.assertEqual(reply.count, intf_count+3)
1127 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1128 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1129 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1130 self.assertEqual(reply.acls[sw_if_index3], 1)
1131
1132 intf[3].remove_vpp_config()
1133 reply = self.vapi.macip_acl_interface_get()
1134
1135 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1136
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]1137
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1138class TestACL_dot1q_bridged(MethodHolder):
1139 """ACL on dot1q bridged subinterfaces Tests"""
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]1140
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1141 def test_acl_bridged_ip4_subif_dot1q(self):
1142 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1143 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1144 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]1145
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1146 def test_acl_bridged_ip6_subif_dot1q(self):
1147 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1148 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1149 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1150
1151
1152class TestACL_dot1ad_bridged(MethodHolder):
1153 """ACL on dot1ad bridged subinterfaces Tests"""
1154
1155 def test_acl_bridged_ip4_subif_dot1ad(self):
1156 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1157 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1158 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1159
1160 def test_acl_bridged_ip6_subif_dot1ad(self):
1161 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1162 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1163 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1164
1165
1166class TestACL_dot1q_routed(MethodHolder):
1167 """ACL on dot1q routed subinterfaces Tests"""
1168
1169 def test_acl_routed_ip4_subif_dot1q(self):
1170 """ IP4 ACL SubIf Dot1Q routed traffic"""
1171 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1172 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1173
1174 def test_acl_routed_ip6_subif_dot1q(self):
1175 """ IP6 ACL SubIf Dot1Q routed traffic"""
1176 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1177 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1178
1179 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1180 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1181 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1182 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1183 permit_tags=self.DENY_TAGS)
1184
1185 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1186 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1187 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1188 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1189 permit_tags=self.DENY_TAGS)
1190
1191
1192class TestACL_dot1ad_routed(MethodHolder):
1193 """ACL on dot1ad routed subinterfaces Tests"""
1194
1195 def test_acl_routed_ip6_subif_dot1ad(self):
1196 """ IP6 ACL SubIf Dot1AD routed traffic"""
1197 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1198 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1199
1200 def test_acl_routed_ip4_subif_dot1ad(self):
1201 """ IP4 ACL SubIf Dot1AD routed traffic"""
1202 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1203 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1204
1205 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1206 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1207 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1208 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1209 permit_tags=self.DENY_TAGS)
1210
1211 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1212 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1213 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1214 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1215 permit_tags=self.DENY_TAGS)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1216
1217
1218if __name__ == '__main__':
1219 unittest.main(testRunner=VppTestRunner)