Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 4c9f2a805038a2d4f663b05a3d08ac4ee1eec3da / . / test / test_acl_plugin_macip.py
blob: d27458d7df07fdf0c75d8b56b4db7f74cef820a2 [file] [log] [blame]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1#!/usr/bin/env python
2"""ACL plugin - MACIP tests
3"""
4import random
5import re
6import unittest
7
8from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
9from struct import *
10from scapy.packet import Raw
11from scapy.layers.l2 import Ether
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]12from scapy.layers.inet import IP, UDP
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]13from scapy.layers.inet6 import IPv6
14
15from framework import VppTestCase, VppTestRunner, running_extended_tests
16from vpp_lo_interface import VppLoInterface
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]17from vpp_papi_provider import L2_VTR_OP
18from vpp_sub_interface import VppSubInterface, VppDot1QSubint, VppDot1ADSubint
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]19
20
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]21class MethodHolder(VppTestCase):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]22 DEBUG = False
23
24 BRIDGED = True
25 ROUTED = False
26
27 IS_IP4 = False
28 IS_IP6 = True
29
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]30 DOT1AD = "dot1ad"
31 DOT1Q = "dot1q"
32 PERMIT_TAGS = True
33 DENY_TAGS = False
34
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]35 # rule types
36 DENY = 0
37 PERMIT = 1
38
39 # ACL types
40 EXACT_IP = 1
41 SUBNET_IP = 2
42 WILD_IP = 3
43
44 EXACT_MAC = 1
45 WILD_MAC = 2
46 OUI_MAC = 3
47
48 ACLS = []
49
50 @classmethod
51 def setUpClass(cls):
52 """
53 Perform standard class setup (defined by class method setUpClass in
54 class VppTestCase) before running the test case, set test case related
55 variables and configure VPP.
56 """
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]57 super(MethodHolder, cls).setUpClass()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]58
59 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]60 cls.bd_id = 111
61 cls.remote_hosts_count = 200
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]62
63 try:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]64 # create 4 pg interfaces, 1 loopback interface
65 cls.create_pg_interfaces(range(4))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]66 cls.create_loopback_interfaces(range(1))
67
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]68 # create 2 subinterfaces
69 cls.subifs = [
70 VppDot1QSubint(cls, cls.pg1, 10),
71 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
72 VppDot1QSubint(cls, cls.pg3, 30),
73 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
74
75 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
76 inner=10, push1q=1)
77 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
78 outer=300, inner=400, push1q=1)
79 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
80 inner=30, push1q=1)
81 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
82 outer=600, inner=700, push1q=1)
83
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]84 cls.interfaces = list(cls.pg_interfaces)
85 cls.interfaces.extend(cls.lo_interfaces)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]86 cls.interfaces.extend(cls.subifs)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]87
88 for i in cls.interfaces:
89 i.admin_up()
90
91 # Create BD with MAC learning enabled and put interfaces to this BD
92 cls.vapi.sw_interface_set_l2_bridge(
93 cls.loop0.sw_if_index, bd_id=cls.bd_id, bvi=1)
94 cls.vapi.sw_interface_set_l2_bridge(
95 cls.pg0.sw_if_index, bd_id=cls.bd_id)
96 cls.vapi.sw_interface_set_l2_bridge(
97 cls.pg1.sw_if_index, bd_id=cls.bd_id)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]98 cls.vapi.sw_interface_set_l2_bridge(
99 cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
100 cls.vapi.sw_interface_set_l2_bridge(
101 cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]102
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]103 # Configure IPv4/6 addresses on loop interface and routed interface
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]104 cls.loop0.config_ip4()
105 cls.loop0.config_ip6()
106 cls.pg2.config_ip4()
107 cls.pg2.config_ip6()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]108 cls.pg3.config_ip4()
109 cls.pg3.config_ip6()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]110
111 # Configure MAC address binding to IPv4 neighbors on loop0
112 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
113 # Modify host mac addresses to have different OUI parts
114 for i in range(2, cls.remote_hosts_count + 2):
115 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
116 mac[2] = format(int(mac[2], 16) + i, "02x")
117 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
118
119 cls.loop0.configure_ipv4_neighbors()
120 cls.loop0.configure_ipv6_neighbors()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]121
122 # configure MAC address on pg3
123 cls.pg3.resolve_arp()
124 cls.pg3.resolve_ndp()
125
126 # configure MAC address on subifs
127 for i in cls.subifs:
128 i.config_ip4()
129 i.resolve_arp()
130 i.config_ip6()
131
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]132 # configure MAC address on pg2
133 cls.pg2.resolve_arp()
134 cls.pg2.resolve_ndp()
135
136 # Loopback BVI interface has remote hosts
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]137 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
138 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
139 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
140 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
141 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
142 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]143
144 except Exception:
145 super(TestMACIP, cls).tearDownClass()
146 raise
147
148 def setUp(self):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]149 super(MethodHolder, self).setUp()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]150 self.reset_packet_infos()
151 del self.ACLS[:]
152
153 def tearDown(self):
154 """
155 Show various debug prints after each test.
156 """
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]157 super(MethodHolder, self).tearDown()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]158 if not self.vpp_dead:
159 self.logger.info(self.vapi.ppcli("show interface address"))
160 self.logger.info(self.vapi.ppcli("show hardware"))
161 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
162 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
163 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]164 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
165 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
166 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]167 # print self.vapi.ppcli("show interface address")
168 # print self.vapi.ppcli("show hardware")
169 # print self.vapi.ppcli("sh acl-plugin macip interface")
170 # print self.vapi.ppcli("sh acl-plugin macip acl")
171 self.delete_acls()
172
173 def macip_acl_dump_debug(self):
174 acls = self.vapi.macip_acl_dump()
175 if self.DEBUG:
176 for acl in acls:
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]177 print "ACL #"+str(acl.acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]178 for r in acl.r:
179 rule = "ACTION"
180 if r.is_permit == 1:
181 rule = "PERMIT"
182 elif r.is_permit == 0:
183 rule = "DENY "
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]184 print " IP6" if r.is_ipv6 else " IP4", \
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]185 rule, \
186 r.src_mac.encode('hex'), \
187 r.src_mac_mask.encode('hex'),\
188 unpack('<16B', r.src_ip_addr), \
189 r.src_ip_prefix_len
190 return acls
191
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]192 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
193 acl_count=1, rules_count=[1]):
194 acls = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]195 src_mac = int("220000dead00", 16)
196 for acl in range(2, (acl_count+1) * 2):
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]197 rules = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]198 host = random.choice(self.loop0.remote_hosts)
199 is_ip6 = acl % 2
200 ip4 = host.ip4.split('.')
201 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
202
203 if ip_type == self.EXACT_IP:
204 prefix_len4 = 32
205 prefix_len6 = 128
206 elif ip_type == self.WILD_IP:
207 ip4 = [0, 0, 0, 0]
208 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
209 prefix_len4 = 0
210 prefix_len6 = 0
211 rules_count[(acl / 2) - 1] = 1
212 else:
213 prefix_len4 = 24
214 prefix_len6 = 64
215
216 if mac_type == self.EXACT_MAC:
217 mask = "ff:ff:ff:ff:ff:ff"
218 elif mac_type == self.WILD_MAC:
219 mask = "00:00:00:00:00:00"
220 elif mac_type == self.OUI_MAC:
221 mask = "ff:ff:ff:00:00:00"
222 else:
223 mask = "ff:ff:ff:ff:ff:00"
224
225 ip = ip6 if is_ip6 else ip4
226 ip_len = prefix_len6 if is_ip6 else prefix_len4
227
228 for i in range(0, rules_count[(acl / 2) - 1]):
229 src_mac += 16777217
230 if mac_type == self.WILD_MAC:
231 mac = "00:00:00:00:00:00"
232 elif mac_type == self.OUI_MAC:
233 mac = ':'.join(re.findall('..', '{:02x}'.format(
234 src_mac))[:3])+":00:00:00"
235 else:
236 mac = ':'.join(re.findall('..', '{:02x}'.format(src_mac)))
237
238 if ip_type == self.EXACT_IP:
239 ip4[3] = random.randint(100, 200)
240 ip6[15] = random.randint(100, 200)
241 elif ip_type == self.SUBNET_IP:
242 ip4[2] = random.randint(100, 200)
243 ip4[3] = 0
244 ip6[8] = random.randint(100, 200)
245 ip6[15] = 0
246 ip_pack = ''
247 for j in range(0, len(ip)):
248 ip_pack += pack('<B', int(ip[j]))
249
250 rule = ({'is_permit': self.PERMIT,
251 'is_ipv6': is_ip6,
252 'src_ip_addr': ip_pack,
253 'src_ip_prefix_len': ip_len,
254 'src_mac': mac.replace(':', '').decode('hex'),
255 'src_mac_mask': mask.replace(':', '').decode('hex')})
256 rules.append(rule)
257 if ip_type == self.WILD_IP:
258 break
259
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]260 acls.append(rules)
261 src_mac += 1099511627776
262 return acls
263
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]264 def apply_macip_rules(self, acls):
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]265 for acl in acls:
266 reply = self.vapi.macip_acl_add(acl)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]267 self.assertEqual(reply.retval, 0)
268 self.ACLS.append(reply.acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]269
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]270 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]271 reply = self.macip_acl_dump_debug()
272 for acl in range(2, (acl_count+1) * 2):
273 self.assertEqual(reply[acl - 2].count, rules_count[acl/2-1])
274
275 self.vapi.macip_acl_interface_get()
276
277 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
278 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
279
280 reply = self.vapi.macip_acl_interface_get()
281 self.assertEqual(reply.count, expected_count)
282
283 def delete_acls(self):
284 for acl in range(len(self.ACLS)-1, -1, -1):
285 self.vapi.macip_acl_del(self.ACLS[acl])
286
287 reply = self.vapi.macip_acl_dump()
288 self.assertEqual(len(reply), 0)
289
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]290 intf_acls = self.vapi.ppcli("sh acl-plugin interface").split(
291 "\nsw_if_index")
292 for i_a in intf_acls:
293 ia = i_a.split(":")
294 if len(ia) == 3:
295 sw_if_index = int(ia[0])
296 acl_index = int(ia[2])
297 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
298 self.vapi.acl_del(acl_index)
299
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]300 def create_stream(self, mac_type, ip_type, packet_count,
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]301 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]302 # exact MAC and exact IP
303 # exact MAC and subnet of IPs
304 # exact MAC and wildcard IP
305 # wildcard MAC and exact IP
306 # wildcard MAC and subnet of IPs
307 # wildcard MAC and wildcard IP
308 # OUI restricted MAC and exact IP
309 # OUI restricted MAC and subnet of IPs
310 # OUI restricted MAC and wildcard IP
311
312 packets = []
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]313 macip_rules = []
314 acl_rules = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]315 ip_permit = ""
316 mac_permit = ""
317 dst_mac = ""
318 mac_rule = "00:00:00:00:00:00"
319 mac_mask = "00:00:00:00:00:00"
320 for p in range(0, packet_count):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]321 remote_dst_index = p % len(dst_if.remote_hosts)
322 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]323
324 dst_port = 1234 + p
325 src_port = 4321 + p
326 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
327 denyMAC = True if not is_permit and p % 3 == 1 else False
328 denyIP = True if not is_permit and p % 3 == 2 else False
329 if not is_permit and ip_type == self.WILD_IP:
330 denyMAC = True
331 if not is_permit and mac_type == self.WILD_MAC:
332 denyIP = True
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]333
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]334 if traffic == self.BRIDGED:
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]335 if is_permit:
336 src_mac = remote_dst_host._mac
337 dst_mac = 'de:ad:00:00:00:00'
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]338 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]339 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]340 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]341 dst_ip6 = src_if.remote_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]342 ip_permit = src_ip6 if is_ip6 else src_ip4
343 mac_permit = src_mac
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]344 if denyMAC:
345 mac = src_mac.split(':')
346 mac[0] = format(int(mac[0], 16)+1, "02x")
347 src_mac = ":".join(mac)
348 if is_ip6:
349 src_ip6 = ip_permit
350 else:
351 src_ip4 = ip_permit
352 if denyIP:
353 if ip_type != self.WILD_IP:
354 src_mac = mac_permit
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]355 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]356 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]357 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]358 dst_ip6 = src_if.remote_ip6
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]359 else:
360 if is_permit:
361 src_mac = remote_dst_host._mac
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]362 dst_mac = src_if.local_mac
363 src_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]364 dst_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]365 src_ip6 = src_if.remote_ip6
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]366 dst_ip6 = remote_dst_host.ip6
367 ip_permit = src_ip6 if is_ip6 else src_ip4
368 mac_permit = src_mac
369 if denyMAC:
370 mac = src_mac.split(':')
371 mac[0] = format(int(mac[0], 16) + 1, "02x")
372 src_mac = ":".join(mac)
373 if is_ip6:
374 src_ip6 = ip_permit
375 else:
376 src_ip4 = ip_permit
377 if denyIP:
378 src_mac = remote_dst_host._mac
379 if ip_type != self.WILD_IP:
380 src_mac = mac_permit
381 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]382 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]383 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]384 dst_ip6 = src_if.remote_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]385
386 if is_permit:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]387 info = self.create_packet_info(src_if, dst_if)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]388 payload = self.info_to_payload(info)
389 else:
390 payload = "to be blocked"
391
392 if mac_type == self.WILD_MAC:
393 mac = src_mac.split(':')
394 for i in range(1, 5):
395 mac[i] = format(random.randint(0, 255), "02x")
396 src_mac = ":".join(mac)
397
398 # create packet
399 packet = Ether(src=src_mac, dst=dst_mac)
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]400 ip_rule = src_ip6 if is_ip6 else src_ip4
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]401 if is_ip6:
402 if ip_type != self.EXACT_IP:
403 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
404 if ip_type == self.WILD_IP:
405 sub_ip[0] = random.randint(240, 254)
406 sub_ip[1] = random.randint(230, 239)
407 sub_ip[14] = random.randint(100, 199)
408 sub_ip[15] = random.randint(200, 255)
409 elif ip_type == self.SUBNET_IP:
410 if denyIP:
411 sub_ip[2] = str(int(sub_ip[2]) + 1)
412 sub_ip[14] = random.randint(100, 199)
413 sub_ip[15] = random.randint(200, 255)
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]414 src_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]415 packet /= IPv6(src=src_ip6, dst=dst_ip6)
416 else:
417 if ip_type != self.EXACT_IP:
418 sub_ip = ip_rule.split('.')
419 if ip_type == self.WILD_IP:
420 sub_ip[0] = str(random.randint(1, 49))
421 sub_ip[1] = str(random.randint(50, 99))
422 sub_ip[2] = str(random.randint(100, 199))
423 sub_ip[3] = str(random.randint(200, 255))
424 elif ip_type == self.SUBNET_IP:
425 if denyIP:
426 sub_ip[1] = str(int(sub_ip[1])+1)
427 sub_ip[2] = str(random.randint(100, 199))
428 sub_ip[3] = str(random.randint(200, 255))
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]429 src_ip4 = ".".join(sub_ip)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]430 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
431
432 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
433
434 packet[Raw].load += " mac:"+src_mac
435
436 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]437 if isinstance(src_if, VppSubInterface):
438 size = size + 4
439 if isinstance(src_if, VppDot1QSubint):
440 if src_if is self.subifs[0]:
441 if tags == self.PERMIT_TAGS:
442 packet = src_if.add_dot1q_layer(packet, 10)
443 else:
444 packet = src_if.add_dot1q_layer(packet, 11)
445 else:
446 if tags == self.PERMIT_TAGS:
447 packet = src_if.add_dot1q_layer(packet, 30)
448 else:
449 packet = src_if.add_dot1q_layer(packet, 33)
450 elif isinstance(src_if, VppDot1ADSubint):
451 if src_if is self.subifs[1]:
452 if tags == self.PERMIT_TAGS:
453 packet = src_if.add_dot1ad_layer(packet, 300, 400)
454 else:
455 packet = src_if.add_dot1ad_layer(packet, 333, 444)
456 else:
457 if tags == self.PERMIT_TAGS:
458 packet = src_if.add_dot1ad_layer(packet, 600, 700)
459 else:
460 packet = src_if.add_dot1ad_layer(packet, 666, 777)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]461 self.extend_packet(packet, size)
462 packets.append(packet)
463
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]464 # create suitable MACIP rule
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]465 if mac_type == self.EXACT_MAC:
466 mac_rule = src_mac
467 mac_mask = "ff:ff:ff:ff:ff:ff"
468 elif mac_type == self.WILD_MAC:
469 mac_rule = "00:00:00:00:00:00"
470 mac_mask = "00:00:00:00:00:00"
471 elif mac_type == self.OUI_MAC:
472 mac = src_mac.split(':')
473 mac[3] = mac[4] = mac[5] = '00'
474 mac_rule = ":".join(mac)
475 mac_mask = "ff:ff:ff:00:00:00"
476
477 if is_ip6:
478 if ip_type == self.WILD_IP:
479 ip = "0::0"
480 else:
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]481 ip = src_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]482 if ip_type == self.SUBNET_IP:
483 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
484 for i in range(8, 16):
485 sub_ip[i] = 0
486 ip = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
487 else:
488 if ip_type == self.WILD_IP:
489 ip = "0.0.0.0"
490 else:
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]491 ip = src_ip4
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]492 if ip_type == self.SUBNET_IP:
493 sub_ip = ip.split('.')
494 sub_ip[2] = sub_ip[3] = '0'
495 ip = ".".join(sub_ip)
496
497 prefix_len = 128 if is_ip6 else 32
498 if ip_type == self.WILD_IP:
499 prefix_len = 0
500 elif ip_type == self.SUBNET_IP:
501 prefix_len = 64 if is_ip6 else 16
502 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
503
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]504 # create suitable ACL rule
505 if is_permit:
506 rule_l4_sport = packet[UDP].sport
507 rule_l4_dport = packet[UDP].dport
508 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
509 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
510 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
511 if packet.haslayer(IPv6):
512 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
513 else:
514 rule_l4_proto = packet[IP].proto
515
516 acl_rule = {
517 'is_permit': is_permit,
518 'is_ipv6': is_ip6,
519 'src_ip_addr': inet_pton(rule_family,
520 packet[rule_l3_layer].src),
521 'src_ip_prefix_len': rule_prefix_len,
522 'dst_ip_addr': inet_pton(rule_family,
523 packet[rule_l3_layer].dst),
524 'dst_ip_prefix_len': rule_prefix_len,
525 'srcport_or_icmptype_first': rule_l4_sport,
526 'srcport_or_icmptype_last': rule_l4_sport,
527 'dstport_or_icmpcode_first': rule_l4_dport,
528 'dstport_or_icmpcode_last': rule_l4_dport,
529 'proto': rule_l4_proto}
530 acl_rules.append(acl_rule)
531
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]532 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
533 continue
534
535 if is_permit:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]536 macip_rule = ({
537 'is_permit': is_permit,
538 'is_ipv6': is_ip6,
539 'src_ip_addr': ip_rule,
540 'src_ip_prefix_len': prefix_len,
541 'src_mac': mac_rule.replace(':', '').decode('hex'),
542 'src_mac_mask': mac_mask.replace(':', '').decode('hex')})
543 macip_rules.append(macip_rule)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]544
545 # deny all other packets
546 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]547 macip_rule = ({'is_permit': 0,
548 'is_ipv6': is_ip6,
549 'src_ip_addr': "",
550 'src_ip_prefix_len': 0,
551 'src_mac': "",
552 'src_mac_mask': ""})
553 macip_rules.append(macip_rule)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]554
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]555 acl_rule = {'is_permit': 0,
556 'is_ipv6': is_ip6}
557 acl_rules.append(acl_rule)
558 return {'stream': packets,
559 'macip_rules': macip_rules,
560 'acl_rules': acl_rules}
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]561
562 def verify_capture(self, stream, capture, is_ip6):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]563 """
564 :param stream:
565 :param capture:
566 :param is_ip6:
567 :return:
568 """
569 # p_l3 = IPv6 if is_ip6 else IP
570 # if self.DEBUG:
571 # for p in stream:
572 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
573 #
574 # acls = self.macip_acl_dump_debug()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]575
576 # TODO : verify
577 # for acl in acls:
578 # for r in acl.r:
579 # print r.src_mac.encode('hex'), \
580 # r.src_mac_mask.encode('hex'),\
581 # unpack('<16B', r.src_ip_addr), \
582 # r.src_ip_prefix_len
583 #
584 # for p in capture:
585 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
586 # data = p[Raw].load.split(':',1)[1]
587 # print p[p_l3].src, data
588
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]589 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
590 do_not_expected_capture=False, tags=None,
591 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]592 self.reset_packet_infos()
593
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]594 if tags is None:
595 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
596 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
597 src_if = self.pg3
598 dst_if = self.loop0
599 else:
600 if tags == self.DOT1Q:
601 if traffic == self.BRIDGED:
602 tx_if = self.subifs[0]
603 rx_if = self.pg0
604 src_if = self.subifs[0]
605 dst_if = self.loop0
606 else:
607 tx_if = self.subifs[2]
608 rx_if = self.pg0
609 src_if = self.subifs[2]
610 dst_if = self.loop0
611 elif tags == self.DOT1AD:
612 if traffic == self.BRIDGED:
613 tx_if = self.subifs[1]
614 rx_if = self.pg0
615 src_if = self.subifs[1]
616 dst_if = self.loop0
617 else:
618 tx_if = self.subifs[3]
619 rx_if = self.pg0
620 src_if = self.subifs[3]
621 dst_if = self.loop0
622 else:
623 return
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]624
625 test_dict = self.create_stream(mac_type, ip_type, packets,
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]626 src_if, dst_if,
627 traffic, is_ip6,
628 tags=permit_tags)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]629
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]630 if apply_rules:
631 if isMACIP:
632 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
633 else:
634 reply = self.vapi.acl_add_replace(acl_index=4294967295,
635 r=test_dict['acl_rules'])
636 self.assertEqual(reply.retval, 0)
637 acl_index = reply.acl_index
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]638
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]639 if isMACIP:
640 self.vapi.macip_acl_interface_add_del(
641 sw_if_index=tx_if.sw_if_index,
642 acl_index=acl_index)
643 reply = self.vapi.macip_acl_interface_get()
644 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
645 self.ACLS.append(reply.acls[tx_if.sw_if_index])
646 else:
647 self.vapi.acl_interface_add_del(
648 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
649 else:
650 self.vapi.macip_acl_interface_add_del(
651 sw_if_index=tx_if.sw_if_index,
652 acl_index=0)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]653
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]654 if not isinstance(src_if, VppSubInterface):
655 tx_if.add_stream(test_dict['stream'])
656 else:
657 tx_if.parent.add_stream(test_dict['stream'])
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]658 self.pg_enable_capture(self.pg_interfaces)
659 self.pg_start()
660
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]661 if do_not_expected_capture:
662 rx_if.get_capture(0)
663 else:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]664 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
665 ip_type == self.WILD_IP:
666 capture = rx_if.get_capture(packets)
667 else:
668 capture = rx_if.get_capture(
669 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]670 self.verify_capture(test_dict['stream'], capture, is_ip6)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]671 if not isMACIP:
672 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
673 acl_index=acl_index, is_add=0)
674 self.vapi.acl_del(acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]675
676 def run_test_acls(self, mac_type, ip_type, acl_count,
677 rules_count, traffic=None, ip=None):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]678 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
679 rules_count))
680 self.verify_macip_acls(acl_count, rules_count)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]681
682 if traffic is not None:
683 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
684
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]685
686class TestMACIP_IP4(MethodHolder):
687 """MACIP with IP4 traffic"""
688
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]689 def test_acl_bridged_ip4_exactMAC_exactIP(self):
690 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]691 """
692 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
693 self.BRIDGED, self.IS_IP4, 9)
694
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]695 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
696 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]697 """
698
699 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
700 self.BRIDGED, self.IS_IP4, 9)
701
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]702 def test_acl_bridged_ip4_exactMAC_wildIP(self):
703 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]704 """
705
706 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
707 self.BRIDGED, self.IS_IP4, 9)
708
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]709 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
710 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]711 """
712
713 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
714 self.BRIDGED, self.IS_IP4, 3)
715
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]716 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
717 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]718 """
719
720 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
721 self.BRIDGED, self.IS_IP4, 9)
722
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]723 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
724 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]725 """
726
727 self.run_traffic(self.OUI_MAC, self.WILD_IP,
728 self.BRIDGED, self.IS_IP4, 9)
729
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]730 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
731 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]732 """
733
734 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
735 self.BRIDGED, self.IS_IP4, 9)
736
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]737 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
738 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]739 """
740
741 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
742 self.BRIDGED, self.IS_IP4, 9)
743
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]744 def test_acl_bridged_ip4_wildMAC_wildIP(self):
745 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]746 """
747
748 self.run_traffic(self.WILD_MAC, self.WILD_IP,
749 self.BRIDGED, self.IS_IP4, 9)
750
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]751 def test_acl_routed_ip4_exactMAC_exactIP(self):
752 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
753 """
754 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
755 self.ROUTED, self.IS_IP4, 9)
756
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]757 def test_acl_routed_ip4_exactMAC_subnetIP(self):
758 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
759 """
760 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
761 self.ROUTED, self.IS_IP4, 9)
762
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]763 def test_acl_routed_ip4_exactMAC_wildIP(self):
764 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
765 """
766 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
767 self.ROUTED, self.IS_IP4, 9)
768
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]769 def test_acl_routed_ip4_ouiMAC_exactIP(self):
770 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
771 """
772
773 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
774 self.ROUTED, self.IS_IP4, 9)
775
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]776 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
777 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
778 """
779
780 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
781 self.ROUTED, self.IS_IP4, 9)
782
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]783 def test_acl_routed_ip4_ouiMAC_wildIP(self):
784 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
785 """
786
787 self.run_traffic(self.OUI_MAC, self.WILD_IP,
788 self.ROUTED, self.IS_IP4, 9)
789
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]790 def test_acl_routed_ip4_wildMAC_exactIP(self):
791 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
792 """
793
794 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
795 self.ROUTED, self.IS_IP4, 9)
796
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]797 def test_acl_routed_ip4_wildMAC_subnetIP(self):
798 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
799 """
800
801 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
802 self.ROUTED, self.IS_IP4, 9)
803
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]804 def test_acl_routed_ip4_wildMAC_wildIP(self):
805 """ IP4 MACIP wildcardMAC|wildIP ACL
806 """
807
808 self.run_traffic(self.WILD_MAC, self.WILD_IP,
809 self.ROUTED, self.IS_IP4, 9)
810
811 def test_acl_replace_traffic_ip4(self):
812 """ MACIP replace ACL with IP4 traffic
813 """
814 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
815 self.BRIDGED, self.IS_IP4, 9)
816
817 r = self.create_rules()
818 # replace acls #2, #3 with new
819 reply = self.vapi.macip_acl_add_replace(r[0], 0)
820 self.assertEqual(reply.retval, 0)
821 self.assertEqual(reply.acl_index, 0)
822
823 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
824 self.BRIDGED, self.IS_IP4, 9, True)
825
826
827class TestMACIP_IP6(MethodHolder):
828 """MACIP with IP6 traffic"""
829
830 def test_acl_bridged_ip6_exactMAC_exactIP(self):
831 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
832 """
833
834 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
835 self.BRIDGED, self.IS_IP6, 9)
836
837 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
838 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
839 """
840
841 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
842 self.BRIDGED, self.IS_IP6, 9)
843
844 def test_acl_bridged_ip6_exactMAC_wildIP(self):
845 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
846 """
847
848 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
849 self.BRIDGED, self.IS_IP6, 9)
850
851 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
852 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
853 """
854
855 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
856 self.BRIDGED, self.IS_IP6, 9)
857
858 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
859 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
860 """
861
862 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
863 self.BRIDGED, self.IS_IP6, 9)
864
865 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
866 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
867 """
868
869 self.run_traffic(self.OUI_MAC, self.WILD_IP,
870 self.BRIDGED, self.IS_IP6, 9)
871
872 def test_acl_bridged_ip6_wildMAC_exactIP(self):
873 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
874 """
875
876 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
877 self.BRIDGED, self.IS_IP6, 9)
878
879 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
880 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
881 """
882
883 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
884 self.BRIDGED, self.IS_IP6, 9)
885
886 def test_acl_bridged_ip6_wildMAC_wildIP(self):
887 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
888 """
889
890 self.run_traffic(self.WILD_MAC, self.WILD_IP,
891 self.BRIDGED, self.IS_IP6, 9)
892
893 def test_acl_routed_ip6_exactMAC_exactIP(self):
894 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
895 """
896
897 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
898 self.ROUTED, self.IS_IP6, 9)
899
900 def test_acl_routed_ip6_exactMAC_subnetIP(self):
901 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
902 """
903
904 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
905 self.ROUTED, self.IS_IP6, 9)
906
907 def test_acl_routed_ip6_exactMAC_wildIP(self):
908 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
909 """
910
911 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
912 self.ROUTED, self.IS_IP6, 9)
913
914 def test_acl_routed_ip6_ouiMAC_exactIP(self):
915 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
916 """
917
918 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
919 self.ROUTED, self.IS_IP6, 9)
920
921 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
922 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
923 """
924
925 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
926 self.ROUTED, self.IS_IP6, 9)
927
928 def test_acl_routed_ip6_ouiMAC_wildIP(self):
929 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
930 """
931
932 self.run_traffic(self.OUI_MAC, self.WILD_IP,
933 self.ROUTED, self.IS_IP6, 9)
934
935 def test_acl_routed_ip6_wildMAC_exactIP(self):
936 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
937 """
938
939 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
940 self.ROUTED, self.IS_IP6, 9)
941
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]942 def test_acl_routed_ip6_wildMAC_subnetIP(self):
943 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
944 """
945
946 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
947 self.ROUTED, self.IS_IP6, 9)
948
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]949 def test_acl_routed_ip6_wildMAC_wildIP(self):
950 """ IP6 MACIP wildcardMAC|wildIP ACL
951 """
952
953 self.run_traffic(self.WILD_MAC, self.WILD_IP,
954 self.ROUTED, self.IS_IP6, 9)
955
956 def test_acl_replace_traffic_ip6(self):
957 """ MACIP replace ACL with IP6 traffic
958 """
959 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
960 self.BRIDGED, self.IS_IP6, 9)
961
962 r = self.create_rules()
963 # replace acls #2, #3 with new
964 reply = self.vapi.macip_acl_add_replace(r[0], 0)
965 self.assertEqual(reply.retval, 0)
966 self.assertEqual(reply.acl_index, 0)
967
968 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
969 self.BRIDGED, self.IS_IP6, 9, True)
970
971
972class TestMACIP(MethodHolder):
973 """MACIP Tests"""
974
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]975 def test_acl_1_2(self):
976 """ MACIP ACL with 2 entries
977 """
978
979 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
980
981 def test_acl_1_5(self):
982 """ MACIP ACL with 5 entries
983 """
984
985 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
986
987 def test_acl_1_10(self):
988 """ MACIP ACL with 10 entries
989 """
990
991 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
992
993 def test_acl_1_20(self):
994 """ MACIP ACL with 20 entries
995 """
996
997 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
998
999 def test_acl_1_50(self):
1000 """ MACIP ACL with 50 entries
1001 """
1002
1003 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1004
1005 def test_acl_1_100(self):
1006 """ MACIP ACL with 100 entries
1007 """
1008
1009 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1010
1011 def test_acl_2_X(self):
1012 """ MACIP 2 ACLs each with 100+ entries
1013 """
1014
1015 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1016
1017 def test_acl_10_X(self):
1018 """ MACIP 10 ACLs each with 100+ entries
1019 """
1020
1021 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1022 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1023
1024 def test_acl_10_X_traffic_ip4(self):
1025 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1026 """
1027
1028 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1029 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1030 self.BRIDGED, self.IS_IP4)
1031
1032 def test_acl_10_X_traffic_ip6(self):
1033 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1034 """
1035
1036 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1037 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1038 self.BRIDGED, self.IS_IP6)
1039
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]1040 def test_acl_replace(self):
1041 """ MACIP replace ACL
1042 """
1043
1044 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1045 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1046 self.apply_macip_rules(r1)
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]1047
1048 acls_before = self.macip_acl_dump_debug()
1049
1050 # replace acls #2, #3 with new
1051 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1052 self.assertEqual(reply.retval, 0)
1053 self.assertEqual(reply.acl_index, 2)
1054 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1055 self.assertEqual(reply.retval, 0)
1056 self.assertEqual(reply.acl_index, 3)
1057
1058 acls_after = self.macip_acl_dump_debug()
1059
1060 # verify changes
1061 self.assertEqual(len(acls_before), len(acls_after))
1062 for acl1, acl2 in zip(
1063 acls_before[:2]+acls_before[4:],
1064 acls_after[:2]+acls_after[4:]):
1065 self.assertEqual(len(acl1), len(acl2))
1066
1067 self.assertEqual(len(acl1.r), len(acl2.r))
1068 for r1, r2 in zip(acl1.r, acl2.r):
1069 self.assertEqual(len(acl1.r), len(acl2.r))
1070 self.assertEqual(acl1.r, acl2.r)
1071 for acl1, acl2 in zip(
1072 acls_before[2:4],
1073 acls_after[2:4]):
1074 self.assertEqual(len(acl1), len(acl2))
1075
1076 self.assertNotEqual(len(acl1.r), len(acl2.r))
1077 for r1, r2 in zip(acl1.r, acl2.r):
1078 self.assertNotEqual(len(acl1.r), len(acl2.r))
1079 self.assertNotEqual(acl1.r, acl2.r)
1080
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1081 def test_delete_intf(self):
1082 """ MACIP ACL delete intf with acl
1083 """
1084
1085 intf_count = len(self.interfaces)+1
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1086 intf = []
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1087 self.apply_macip_rules(self.create_rules(acl_count=3,
1088 rules_count=[3, 5, 4]))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1089
1090 intf.append(VppLoInterface(self, 0))
1091 intf.append(VppLoInterface(self, 1))
1092
1093 sw_if_index0 = intf[0].sw_if_index
1094 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1095
1096 reply = self.vapi.macip_acl_interface_get()
1097 self.assertEqual(reply.count, intf_count+1)
1098 self.assertEqual(reply.acls[sw_if_index0], 1)
1099
1100 sw_if_index1 = intf[1].sw_if_index
1101 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1102
1103 reply = self.vapi.macip_acl_interface_get()
1104 self.assertEqual(reply.count, intf_count+2)
1105 self.assertEqual(reply.acls[sw_if_index1], 0)
1106
1107 intf[0].remove_vpp_config()
1108 reply = self.vapi.macip_acl_interface_get()
1109 self.assertEqual(reply.count, intf_count+2)
1110 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1111 self.assertEqual(reply.acls[sw_if_index1], 0)
1112
1113 intf.append(VppLoInterface(self, 2))
1114 intf.append(VppLoInterface(self, 3))
1115 sw_if_index2 = intf[2].sw_if_index
1116 sw_if_index3 = intf[3].sw_if_index
1117 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1118 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1119
1120 reply = self.vapi.macip_acl_interface_get()
1121 self.assertEqual(reply.count, intf_count+3)
1122 self.assertEqual(reply.acls[sw_if_index1], 0)
1123 self.assertEqual(reply.acls[sw_if_index2], 1)
1124 self.assertEqual(reply.acls[sw_if_index3], 1)
1125
1126 intf[2].remove_vpp_config()
1127 intf[1].remove_vpp_config()
1128
1129 reply = self.vapi.macip_acl_interface_get()
1130 self.assertEqual(reply.count, intf_count+3)
1131 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1132 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1133 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1134 self.assertEqual(reply.acls[sw_if_index3], 1)
1135
1136 intf[3].remove_vpp_config()
1137 reply = self.vapi.macip_acl_interface_get()
1138
1139 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1140
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]1141
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1142class TestACL_dot1q_bridged(MethodHolder):
1143 """ACL on dot1q bridged subinterfaces Tests"""
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]1144
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1145 def test_acl_bridged_ip4_subif_dot1q(self):
1146 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1147 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1148 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]1149
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1150 def test_acl_bridged_ip6_subif_dot1q(self):
1151 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1152 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1153 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1154
1155
1156class TestACL_dot1ad_bridged(MethodHolder):
1157 """ACL on dot1ad bridged subinterfaces Tests"""
1158
1159 def test_acl_bridged_ip4_subif_dot1ad(self):
1160 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1161 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1162 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1163
1164 def test_acl_bridged_ip6_subif_dot1ad(self):
1165 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1166 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1167 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1168
1169
1170class TestACL_dot1q_routed(MethodHolder):
1171 """ACL on dot1q routed subinterfaces Tests"""
1172
1173 def test_acl_routed_ip4_subif_dot1q(self):
1174 """ IP4 ACL SubIf Dot1Q routed traffic"""
1175 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1176 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1177
1178 def test_acl_routed_ip6_subif_dot1q(self):
1179 """ IP6 ACL SubIf Dot1Q routed traffic"""
1180 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1181 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1182
1183 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1184 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1185 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1186 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1187 permit_tags=self.DENY_TAGS)
1188
1189 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1190 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1191 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1192 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1193 permit_tags=self.DENY_TAGS)
1194
1195
1196class TestACL_dot1ad_routed(MethodHolder):
1197 """ACL on dot1ad routed subinterfaces Tests"""
1198
1199 def test_acl_routed_ip6_subif_dot1ad(self):
1200 """ IP6 ACL SubIf Dot1AD routed traffic"""
1201 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1202 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1203
1204 def test_acl_routed_ip4_subif_dot1ad(self):
1205 """ IP4 ACL SubIf Dot1AD routed traffic"""
1206 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1207 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1208
1209 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1210 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1211 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1212 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1213 permit_tags=self.DENY_TAGS)
1214
1215 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1216 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1217 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1218 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1219 permit_tags=self.DENY_TAGS)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1220
1221
1222if __name__ == '__main__':
1223 unittest.main(testRunner=VppTestRunner)