Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 5b4b4c05ff06b866b90b0df9b2be2ed28e606f16 / . / test / test_acl_plugin.py
blob: 32ecedba2a69bd0589e8d09161eee992cbd875c8 [file] [log] [blame]
Renato Botelho do Coutoead1e532019-10-31 13:31:07 -0500[diff] [blame]1#!/usr/bin/env python3
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]2"""ACL plugin Test Case HLD:
3"""
4
5import unittest
6import random
7
8from scapy.packet import Raw
9from scapy.layers.l2 import Ether
10from scapy.layers.inet import IP, TCP, UDP, ICMP
11from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]12from scapy.layers.inet6 import IPv6ExtHdrFragment
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]13from framework import VppTestCase, VppTestRunner
Andrew Yourtchenkoc8eae8d2021-01-20 20:30:36 +0000[diff] [blame]14from framework import tag_fixme_vpp_workers
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]15from util import Host, ppp
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]16from ipaddress import IPv4Network, IPv6Network
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]17
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]18from vpp_lo_interface import VppLoInterface
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]19from vpp_acl import AclRule, VppAcl, VppAclInterface, VppEtypeWhitelist
20from vpp_ip import INVALID_INDEX
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]21
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]22
Andrew Yourtchenkoc8eae8d2021-01-20 20:30:36 +0000[diff] [blame]23@tag_fixme_vpp_workers
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]24class TestACLplugin(VppTestCase):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]25 """ACL plugin Test Case"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]26
27 # traffic types
28 IP = 0
29 ICMP = 1
30
31 # IP version
32 IPRANDOM = -1
33 IPV4 = 0
34 IPV6 = 1
35
36 # rule types
37 DENY = 0
38 PERMIT = 1
39
40 # supported protocols
41 proto = [[6, 17], [1, 58]]
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]42 proto_map = {1: "ICMP", 58: "ICMPv6EchoRequest", 6: "TCP", 17: "UDP"}
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]43 ICMPv4 = 0
44 ICMPv6 = 1
45 TCP = 0
46 UDP = 1
47 PROTO_ALL = 0
48
49 # port ranges
50 PORTS_ALL = -1
51 PORTS_RANGE = 0
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]52 PORTS_RANGE_2 = 1
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]53 udp_sport_from = 10
54 udp_sport_to = udp_sport_from + 5
55 udp_dport_from = 20000
56 udp_dport_to = udp_dport_from + 5000
57 tcp_sport_from = 30
58 tcp_sport_to = tcp_sport_from + 5
59 tcp_dport_from = 40000
60 tcp_dport_to = tcp_dport_from + 5000
61
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]62 udp_sport_from_2 = 90
63 udp_sport_to_2 = udp_sport_from_2 + 5
64 udp_dport_from_2 = 30000
65 udp_dport_to_2 = udp_dport_from_2 + 5000
66 tcp_sport_from_2 = 130
67 tcp_sport_to_2 = tcp_sport_from_2 + 5
68 tcp_dport_from_2 = 20000
69 tcp_dport_to_2 = tcp_dport_from_2 + 5000
70
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]71 icmp4_type = 8 # echo request
72 icmp4_code = 3
73 icmp6_type = 128 # echo request
74 icmp6_code = 3
75
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]76 icmp4_type_2 = 8
77 icmp4_code_from_2 = 5
78 icmp4_code_to_2 = 20
79 icmp6_type_2 = 128
80 icmp6_code_from_2 = 8
81 icmp6_code_to_2 = 42
82
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]83 # Test variables
84 bd_id = 1
85
86 @classmethod
87 def setUpClass(cls):
88 """
89 Perform standard class setup (defined by class method setUpClass in
90 class VppTestCase) before running the test case, set test case related
91 variables and configure VPP.
92 """
93 super(TestACLplugin, cls).setUpClass()
94
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]95 try:
96 # Create 2 pg interfaces
97 cls.create_pg_interfaces(range(2))
98
99 # Packet flows mapping pg0 -> pg1, pg2 etc.
100 cls.flows = dict()
101 cls.flows[cls.pg0] = [cls.pg1]
102
103 # Packet sizes
104 cls.pg_if_packet_sizes = [64, 512, 1518, 9018]
105
106 # Create BD with MAC learning and unknown unicast flooding disabled
107 # and put interfaces to this BD
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]108 cls.vapi.bridge_domain_add_del(bd_id=cls.bd_id, uu_flood=1, learn=1)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]109 for pg_if in cls.pg_interfaces:
Ole Troana5b2eec2019-03-11 19:23:25 +0100[diff] [blame]110 cls.vapi.sw_interface_set_l2_bridge(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]111 rx_sw_if_index=pg_if.sw_if_index, bd_id=cls.bd_id
112 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]113
114 # Set up all interfaces
115 for i in cls.pg_interfaces:
116 i.admin_up()
117
118 # Mapping between packet-generator index and lists of test hosts
119 cls.hosts_by_pg_idx = dict()
120 for pg_if in cls.pg_interfaces:
121 cls.hosts_by_pg_idx[pg_if.sw_if_index] = []
122
123 # Create list of deleted hosts
124 cls.deleted_hosts_by_pg_idx = dict()
125 for pg_if in cls.pg_interfaces:
126 cls.deleted_hosts_by_pg_idx[pg_if.sw_if_index] = []
127
128 # warm-up the mac address tables
129 # self.warmup_test()
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]130 count = 16
131 start = 0
132 n_int = len(cls.pg_interfaces)
snaramre2bb71512019-10-16 22:15:43 +0000[diff] [blame]133 macs_per_if = count // n_int
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]134 i = -1
135 for pg_if in cls.pg_interfaces:
136 i += 1
137 start_nr = macs_per_if * i + start
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]138 end_nr = (
139 count + start if i == (n_int - 1) else macs_per_if * (i + 1) + start
140 )
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]141 hosts = cls.hosts_by_pg_idx[pg_if.sw_if_index]
snaramre2bb71512019-10-16 22:15:43 +0000[diff] [blame]142 for j in range(int(start_nr), int(end_nr)):
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]143 host = Host(
144 "00:00:00:ff:%02x:%02x" % (pg_if.sw_if_index, j),
145 "172.17.1%02x.%u" % (pg_if.sw_if_index, j),
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]146 "2017:dead:%02x::%u" % (pg_if.sw_if_index, j),
147 )
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]148 hosts.append(host)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]149
150 except Exception:
151 super(TestACLplugin, cls).tearDownClass()
152 raise
153
Paul Vinciguerra7f9b7f92019-03-12 19:23:27 -0700[diff] [blame]154 @classmethod
155 def tearDownClass(cls):
156 super(TestACLplugin, cls).tearDownClass()
157
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]158 def setUp(self):
159 super(TestACLplugin, self).setUp()
160 self.reset_packet_infos()
161
162 def tearDown(self):
163 """
164 Show various debug prints after each test.
165 """
166 super(TestACLplugin, self).tearDown()
Paul Vinciguerra90cf21b2019-03-13 09:23:05 -0700[diff] [blame]167
168 def show_commands_at_teardown(self):
169 cli = "show vlib graph l2-input-feat-arc"
170 self.logger.info(self.vapi.ppcli(cli))
171 cli = "show vlib graph l2-input-feat-arc-end"
172 self.logger.info(self.vapi.ppcli(cli))
173 cli = "show vlib graph l2-output-feat-arc"
174 self.logger.info(self.vapi.ppcli(cli))
175 cli = "show vlib graph l2-output-feat-arc-end"
176 self.logger.info(self.vapi.ppcli(cli))
177 self.logger.info(self.vapi.ppcli("show l2fib verbose"))
178 self.logger.info(self.vapi.ppcli("show acl-plugin acl"))
179 self.logger.info(self.vapi.ppcli("show acl-plugin interface"))
180 self.logger.info(self.vapi.ppcli("show acl-plugin tables"))
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]181 self.logger.info(self.vapi.ppcli("show bridge-domain %s detail" % self.bd_id))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]182
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]183 def create_rule(
184 self,
185 ip=0,
186 permit_deny=0,
187 ports=PORTS_ALL,
188 proto=-1,
189 s_prefix=0,
190 s_ip=0,
191 d_prefix=0,
192 d_ip=0,
193 ):
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]194 if ip:
195 src_prefix = IPv6Network((s_ip, s_prefix))
196 dst_prefix = IPv6Network((d_ip, d_prefix))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]197 else:
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]198 src_prefix = IPv4Network((s_ip, s_prefix))
199 dst_prefix = IPv4Network((d_ip, d_prefix))
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]200 return AclRule(
201 is_permit=permit_deny,
202 ports=ports,
203 proto=proto,
204 src_prefix=src_prefix,
205 dst_prefix=dst_prefix,
206 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]207
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]208 def apply_rules(self, rules, tag=None):
209 acl = VppAcl(self, rules, tag=tag)
210 acl.add_vpp_config()
211 self.logger.info("Dumped ACL: " + str(acl.dump()))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]212 # Apply a ACL on the interface as inbound
213 for i in self.pg_interfaces:
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]214 acl_if = VppAclInterface(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]215 self, sw_if_index=i.sw_if_index, n_input=1, acls=[acl]
216 )
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]217 acl_if.add_vpp_config()
218 return acl.acl_index
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]219
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]220 def apply_rules_to(self, rules, tag=None, sw_if_index=INVALID_INDEX):
221 acl = VppAcl(self, rules, tag=tag)
222 acl.add_vpp_config()
223 self.logger.info("Dumped ACL: " + str(acl.dump()))
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]224 # Apply a ACL on the interface as inbound
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]225 acl_if = VppAclInterface(self, sw_if_index=sw_if_index, n_input=1, acls=[acl])
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]226 return acl.acl_index
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]227
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]228 def etype_whitelist(self, whitelist, n_input, add=True):
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]229 # Apply whitelists on all the interfaces
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]230 if add:
231 self._wl = []
232 for i in self.pg_interfaces:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]233 self._wl.append(
234 VppEtypeWhitelist(
235 self,
236 sw_if_index=i.sw_if_index,
237 whitelist=whitelist,
238 n_input=n_input,
239 ).add_vpp_config()
240 )
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]241 else:
242 if hasattr(self, "_wl"):
243 for wl in self._wl:
244 wl.remove_vpp_config()
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]245
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]246 def create_upper_layer(self, packet_index, proto, ports=0):
247 p = self.proto_map[proto]
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]248 if p == "UDP":
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]249 if ports == 0:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]250 return UDP(
251 sport=random.randint(self.udp_sport_from, self.udp_sport_to),
252 dport=random.randint(self.udp_dport_from, self.udp_dport_to),
253 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]254 else:
255 return UDP(sport=ports, dport=ports)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]256 elif p == "TCP":
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]257 if ports == 0:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]258 return TCP(
259 sport=random.randint(self.tcp_sport_from, self.tcp_sport_to),
260 dport=random.randint(self.tcp_dport_from, self.tcp_dport_to),
261 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]262 else:
263 return TCP(sport=ports, dport=ports)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]264 return ""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]265
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]266 def create_stream(
267 self,
268 src_if,
269 packet_sizes,
270 traffic_type=0,
271 ipv6=0,
272 proto=-1,
273 ports=0,
274 fragments=False,
275 pkt_raw=True,
276 etype=-1,
277 ):
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]278 """
279 Create input packet stream for defined interface using hosts or
280 deleted_hosts list.
281
282 :param object src_if: Interface to create packet stream for.
283 :param list packet_sizes: List of required packet sizes.
284 :param traffic_type: 1: ICMP packet, 2: IPv6 with EH, 0: otherwise.
285 :return: Stream of packets.
286 """
287 pkts = []
288 if self.flows.__contains__(src_if):
289 src_hosts = self.hosts_by_pg_idx[src_if.sw_if_index]
290 for dst_if in self.flows[src_if]:
291 dst_hosts = self.hosts_by_pg_idx[dst_if.sw_if_index]
292 n_int = len(dst_hosts) * len(src_hosts)
293 for i in range(0, n_int):
snaramre2bb71512019-10-16 22:15:43 +0000[diff] [blame]294 dst_host = dst_hosts[int(i / len(src_hosts))]
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]295 src_host = src_hosts[i % len(src_hosts)]
296 pkt_info = self.create_packet_info(src_if, dst_if)
297 if ipv6 == 1:
298 pkt_info.ip = 1
299 elif ipv6 == 0:
300 pkt_info.ip = 0
301 else:
302 pkt_info.ip = random.choice([0, 1])
303 if proto == -1:
304 pkt_info.proto = random.choice(self.proto[self.IP])
305 else:
306 pkt_info.proto = proto
307 payload = self.info_to_payload(pkt_info)
308 p = Ether(dst=dst_host.mac, src=src_host.mac)
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]309 if etype > 0:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]310 p = Ether(dst=dst_host.mac, src=src_host.mac, type=etype)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]311 if pkt_info.ip:
312 p /= IPv6(dst=dst_host.ip6, src=src_host.ip6)
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]313 if fragments:
314 p /= IPv6ExtHdrFragment(offset=64, m=1)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]315 else:
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]316 if fragments:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]317 p /= IP(
318 src=src_host.ip4, dst=dst_host.ip4, flags=1, frag=64
319 )
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]320 else:
321 p /= IP(src=src_host.ip4, dst=dst_host.ip4)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]322 if traffic_type == self.ICMP:
323 if pkt_info.ip:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]324 p /= ICMPv6EchoRequest(
325 type=self.icmp6_type, code=self.icmp6_code
326 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]327 else:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]328 p /= ICMP(type=self.icmp4_type, code=self.icmp4_code)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]329 else:
330 p /= self.create_upper_layer(i, pkt_info.proto, ports)
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]331 if pkt_raw:
332 p /= Raw(payload)
333 pkt_info.data = p.copy()
334 if pkt_raw:
335 size = random.choice(packet_sizes)
336 self.extend_packet(p, size)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]337 pkts.append(p)
338 return pkts
339
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]340 def verify_capture(self, pg_if, capture, traffic_type=0, ip_type=0, etype=-1):
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]341 """
342 Verify captured input packet stream for defined interface.
343
344 :param object pg_if: Interface to verify captured packet stream for.
345 :param list capture: Captured packet stream.
346 :param traffic_type: 1: ICMP packet, 2: IPv6 with EH, 0: otherwise.
347 """
348 last_info = dict()
349 for i in self.pg_interfaces:
350 last_info[i.sw_if_index] = None
351 dst_sw_if_index = pg_if.sw_if_index
352 for packet in capture:
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]353 if etype > 0:
354 if packet[Ether].type != etype:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]355 self.logger.error(ppp("Unexpected ethertype in packet:", packet))
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]356 else:
357 continue
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]358 try:
359 # Raw data for ICMPv6 are stored in ICMPv6EchoRequest.data
360 if traffic_type == self.ICMP and ip_type == self.IPV6:
361 payload_info = self.payload_to_info(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]362 packet[ICMPv6EchoRequest], "data"
363 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]364 payload = packet[ICMPv6EchoRequest]
365 else:
Paul Vinciguerraeaea4212019-03-06 11:58:06 -0800[diff] [blame]366 payload_info = self.payload_to_info(packet[Raw])
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]367 payload = packet[self.proto_map[payload_info.proto]]
368 except:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]369 self.logger.error(
370 ppp("Unexpected or invalid packet (outside network):", packet)
371 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]372 raise
373
374 if ip_type != 0:
375 self.assertEqual(payload_info.ip, ip_type)
376 if traffic_type == self.ICMP:
377 try:
378 if payload_info.ip == 0:
379 self.assertEqual(payload.type, self.icmp4_type)
380 self.assertEqual(payload.code, self.icmp4_code)
381 else:
382 self.assertEqual(payload.type, self.icmp6_type)
383 self.assertEqual(payload.code, self.icmp6_code)
384 except:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]385 self.logger.error(
386 ppp("Unexpected or invalid packet (outside network):", packet)
387 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]388 raise
389 else:
390 try:
391 ip_version = IPv6 if payload_info.ip == 1 else IP
392
393 ip = packet[ip_version]
394 packet_index = payload_info.index
395
396 self.assertEqual(payload_info.dst, dst_sw_if_index)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]397 self.logger.debug(
398 "Got packet on port %s: src=%u (id=%u)"
399 % (pg_if.name, payload_info.src, packet_index)
400 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]401 next_info = self.get_next_packet_info_for_interface2(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]402 payload_info.src, dst_sw_if_index, last_info[payload_info.src]
403 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]404 last_info[payload_info.src] = next_info
405 self.assertTrue(next_info is not None)
406 self.assertEqual(packet_index, next_info.index)
407 saved_packet = next_info.data
408 # Check standard fields
409 self.assertEqual(ip.src, saved_packet[ip_version].src)
410 self.assertEqual(ip.dst, saved_packet[ip_version].dst)
411 p = self.proto_map[payload_info.proto]
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]412 if p == "TCP":
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]413 tcp = packet[TCP]
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]414 self.assertEqual(tcp.sport, saved_packet[TCP].sport)
415 self.assertEqual(tcp.dport, saved_packet[TCP].dport)
416 elif p == "UDP":
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]417 udp = packet[UDP]
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]418 self.assertEqual(udp.sport, saved_packet[UDP].sport)
419 self.assertEqual(udp.dport, saved_packet[UDP].dport)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]420 except:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]421 self.logger.error(ppp("Unexpected or invalid packet:", packet))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]422 raise
423 for i in self.pg_interfaces:
424 remaining_packet = self.get_next_packet_info_for_interface2(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]425 i, dst_sw_if_index, last_info[i.sw_if_index]
426 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]427 self.assertTrue(
428 remaining_packet is None,
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]429 "Port %u: Packet expected from source %u didn't arrive"
430 % (dst_sw_if_index, i.sw_if_index),
431 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]432
433 def run_traffic_no_check(self):
434 # Test
435 # Create incoming packet streams for packet-generator interfaces
436 for i in self.pg_interfaces:
437 if self.flows.__contains__(i):
438 pkts = self.create_stream(i, self.pg_if_packet_sizes)
439 if len(pkts) > 0:
440 i.add_stream(pkts)
441
442 # Enable packet capture and start packet sending
443 self.pg_enable_capture(self.pg_interfaces)
444 self.pg_start()
445
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]446 def run_verify_test(
447 self,
448 traffic_type=0,
449 ip_type=0,
450 proto=-1,
451 ports=0,
452 frags=False,
453 pkt_raw=True,
454 etype=-1,
455 ):
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]456 # Test
457 # Create incoming packet streams for packet-generator interfaces
458 pkts_cnt = 0
459 for i in self.pg_interfaces:
460 if self.flows.__contains__(i):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]461 pkts = self.create_stream(
462 i,
463 self.pg_if_packet_sizes,
464 traffic_type,
465 ip_type,
466 proto,
467 ports,
468 frags,
469 pkt_raw,
470 etype,
471 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]472 if len(pkts) > 0:
473 i.add_stream(pkts)
474 pkts_cnt += len(pkts)
475
476 # Enable packet capture and start packet sendingself.IPV
477 self.pg_enable_capture(self.pg_interfaces)
478 self.pg_start()
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]479 self.logger.info("sent packets count: %d" % pkts_cnt)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]480
481 # Verify
482 # Verify outgoing packet streams per packet-generator interface
483 for src_if in self.pg_interfaces:
484 if self.flows.__contains__(src_if):
485 for dst_if in self.flows[src_if]:
486 capture = dst_if.get_capture(pkts_cnt)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]487 self.logger.info("Verifying capture on interface %s" % dst_if.name)
488 self.verify_capture(dst_if, capture, traffic_type, ip_type, etype)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]489
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]490 def run_verify_negat_test(
491 self, traffic_type=0, ip_type=0, proto=-1, ports=0, frags=False, etype=-1
492 ):
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]493 # Test
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]494 pkts_cnt = 0
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]495 self.reset_packet_infos()
496 for i in self.pg_interfaces:
497 if self.flows.__contains__(i):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]498 pkts = self.create_stream(
499 i,
500 self.pg_if_packet_sizes,
501 traffic_type,
502 ip_type,
503 proto,
504 ports,
505 frags,
506 True,
507 etype,
508 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]509 if len(pkts) > 0:
510 i.add_stream(pkts)
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]511 pkts_cnt += len(pkts)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]512
513 # Enable packet capture and start packet sending
514 self.pg_enable_capture(self.pg_interfaces)
515 self.pg_start()
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]516 self.logger.info("sent packets count: %d" % pkts_cnt)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]517
518 # Verify
519 # Verify outgoing packet streams per packet-generator interface
520 for src_if in self.pg_interfaces:
521 if self.flows.__contains__(src_if):
522 for dst_if in self.flows[src_if]:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]523 self.logger.info("Verifying capture on interface %s" % dst_if.name)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]524 capture = dst_if.get_capture(0)
525 self.assertEqual(len(capture), 0)
526
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]527 def test_0000_warmup_test(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]528 """ACL plugin version check; learn MACs"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]529 reply = self.vapi.papi.acl_plugin_get_version()
530 self.assertEqual(reply.major, 1)
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]531 self.logger.info(
532 "Working with ACL plugin version: %d.%d" % (reply.major, reply.minor)
533 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]534 # minor version changes are non breaking
535 # self.assertEqual(reply.minor, 0)
536
537 def test_0001_acl_create(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]538 """ACL create/delete test"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]539
540 self.logger.info("ACLP_TEST_START_0001")
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]541 # Create a permit-1234 ACL
542 r = [AclRule(is_permit=1, proto=17, ports=1234, sport_to=1235)]
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]543 # Test 1: add a new ACL
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]544 first_acl = VppAcl(self, rules=r, tag="permit 1234")
545 first_acl.add_vpp_config()
546 self.assertTrue(first_acl.query_vpp_config())
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]547 # The very first ACL gets #0
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]548 self.assertEqual(first_acl.acl_index, 0)
549 rr = first_acl.dump()
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]550 self.logger.info("Dumped ACL: " + str(rr))
551 self.assertEqual(len(rr), 1)
552 # We should have the same number of ACL entries as we had asked
553 self.assertEqual(len(rr[0].r), len(r))
554 # The rules should be the same. But because the submitted and returned
555 # are different types, we need to iterate over rules and keys to get
556 # to basic values.
557 for i_rule in range(0, len(r) - 1):
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]558 encoded_rule = r[i_rule].encode()
559 for rule_key in encoded_rule:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]560 self.assertEqual(rr[0].r[i_rule][rule_key], encoded_rule[rule_key])
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]561
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]562 # Create a deny-1234 ACL
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]563 r_deny = [
564 AclRule(is_permit=0, proto=17, ports=1234, sport_to=1235),
565 AclRule(is_permit=1, proto=17, ports=0),
566 ]
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]567 second_acl = VppAcl(self, rules=r_deny, tag="deny 1234;permit all")
568 second_acl.add_vpp_config()
569 self.assertTrue(second_acl.query_vpp_config())
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]570 # The second ACL gets #1
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]571 self.assertEqual(second_acl.acl_index, 1)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]572
573 # Test 2: try to modify a nonexistent ACL
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]574 invalid_acl = VppAcl(self, acl_index=432, rules=r, tag="FFFF:FFFF")
575 reply = invalid_acl.add_vpp_config(expect_error=True)
Jakub Grajciaraad1ee12020-03-11 12:47:32 +0100[diff] [blame]576
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]577 # apply an ACL on an interface inbound, try to delete ACL, must fail
578 acl_if_list = VppAclInterface(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]579 self, sw_if_index=self.pg0.sw_if_index, n_input=1, acls=[first_acl]
580 )
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]581 acl_if_list.add_vpp_config()
582 first_acl.remove_vpp_config(expect_error=True)
583 # Unapply an ACL and then try to delete it - must be ok
584 acl_if_list.remove_vpp_config()
585 first_acl.remove_vpp_config()
586
587 # apply an ACL on an interface inbound, try to delete ACL, must fail
588 acl_if_list = VppAclInterface(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]589 self, sw_if_index=self.pg0.sw_if_index, n_input=0, acls=[second_acl]
590 )
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]591 acl_if_list.add_vpp_config()
592 second_acl.remove_vpp_config(expect_error=True)
593 # Unapply an ACL and then try to delete it - must be ok
594 acl_if_list.remove_vpp_config()
595 second_acl.remove_vpp_config()
Andrew Yourtchenko987abe92017-09-27 13:50:31 +0200[diff] [blame]596
597 # try to apply a nonexistent ACL - must fail
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]598 acl_if_list = VppAclInterface(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]599 self, sw_if_index=self.pg0.sw_if_index, n_input=0, acls=[invalid_acl]
600 )
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]601 acl_if_list.add_vpp_config(expect_error=True)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]602
603 self.logger.info("ACLP_TEST_FINISH_0001")
604
605 def test_0002_acl_permit_apply(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]606 """permit ACL apply test"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]607 self.logger.info("ACLP_TEST_START_0002")
608
609 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]610 rules.append(
611 self.create_rule(self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.UDP])
612 )
613 rules.append(
614 self.create_rule(self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.TCP])
615 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]616
617 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]618 acl_idx = self.apply_rules(rules, "permit per-flow")
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]619
620 # enable counters
621 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]622
623 # Traffic should still pass
624 self.run_verify_test(self.IP, self.IPV4, -1)
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]625
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]626 matches = self.statistics.get_counter("/acl/%d/matches" % acl_idx)
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]627 self.logger.info("stat segment counters: %s" % repr(matches))
628 cli = "show acl-plugin acl"
629 self.logger.info(self.vapi.ppcli(cli))
630 cli = "show acl-plugin tables"
631 self.logger.info(self.vapi.ppcli(cli))
632
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]633 total_hits = matches[0][0]["packets"] + matches[0][1]["packets"]
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]634 self.assertEqual(total_hits, 64)
635
636 # disable counters
637 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=0)
638
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]639 self.logger.info("ACLP_TEST_FINISH_0002")
640
641 def test_0003_acl_deny_apply(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]642 """deny ACL apply test"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]643 self.logger.info("ACLP_TEST_START_0003")
644 # Add a deny-flows ACL
645 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]646 rules.append(
647 self.create_rule(
648 self.IPV4, self.DENY, self.PORTS_ALL, self.proto[self.IP][self.UDP]
649 )
650 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]651 # Permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]652 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]653
654 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]655 acl_idx = self.apply_rules(rules, "deny per-flow;permit all")
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]656
657 # enable counters
658 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]659
660 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]661 self.run_verify_negat_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]662
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]663 matches = self.statistics.get_counter("/acl/%d/matches" % acl_idx)
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]664 self.logger.info("stat segment counters: %s" % repr(matches))
665 cli = "show acl-plugin acl"
666 self.logger.info(self.vapi.ppcli(cli))
667 cli = "show acl-plugin tables"
668 self.logger.info(self.vapi.ppcli(cli))
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]669 self.assertEqual(matches[0][0]["packets"], 64)
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]670 # disable counters
671 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=0)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]672 self.logger.info("ACLP_TEST_FINISH_0003")
Andrew Yourtchenkof995c712019-06-13 15:23:21 +0000[diff] [blame]673 # self.assertEqual(, 0)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]674
675 def test_0004_vpp624_permit_icmpv4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]676 """VPP_624 permit ICMPv4"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]677 self.logger.info("ACLP_TEST_START_0004")
678
679 # Add an ACL
680 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]681 rules.append(
682 self.create_rule(
683 self.IPV4,
684 self.PERMIT,
685 self.PORTS_RANGE,
686 self.proto[self.ICMP][self.ICMPv4],
687 )
688 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]689 # deny ip any any in the end
690 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
691
692 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]693 self.apply_rules(rules, "permit icmpv4")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]694
695 # Traffic should still pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]696 self.run_verify_test(self.ICMP, self.IPV4, self.proto[self.ICMP][self.ICMPv4])
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]697
698 self.logger.info("ACLP_TEST_FINISH_0004")
699
700 def test_0005_vpp624_permit_icmpv6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]701 """VPP_624 permit ICMPv6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]702 self.logger.info("ACLP_TEST_START_0005")
703
704 # Add an ACL
705 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]706 rules.append(
707 self.create_rule(
708 self.IPV6,
709 self.PERMIT,
710 self.PORTS_RANGE,
711 self.proto[self.ICMP][self.ICMPv6],
712 )
713 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]714 # deny ip any any in the end
715 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
716
717 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]718 self.apply_rules(rules, "permit icmpv6")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]719
720 # Traffic should still pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]721 self.run_verify_test(self.ICMP, self.IPV6, self.proto[self.ICMP][self.ICMPv6])
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]722
723 self.logger.info("ACLP_TEST_FINISH_0005")
724
725 def test_0006_vpp624_deny_icmpv4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]726 """VPP_624 deny ICMPv4"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]727 self.logger.info("ACLP_TEST_START_0006")
728 # Add an ACL
729 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]730 rules.append(
731 self.create_rule(
732 self.IPV4,
733 self.DENY,
734 self.PORTS_RANGE,
735 self.proto[self.ICMP][self.ICMPv4],
736 )
737 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]738 # permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]739 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]740
741 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]742 self.apply_rules(rules, "deny icmpv4")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]743
744 # Traffic should not pass
745 self.run_verify_negat_test(self.ICMP, self.IPV4, 0)
746
747 self.logger.info("ACLP_TEST_FINISH_0006")
748
749 def test_0007_vpp624_deny_icmpv6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]750 """VPP_624 deny ICMPv6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]751 self.logger.info("ACLP_TEST_START_0007")
752 # Add an ACL
753 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]754 rules.append(
755 self.create_rule(
756 self.IPV6,
757 self.DENY,
758 self.PORTS_RANGE,
759 self.proto[self.ICMP][self.ICMPv6],
760 )
761 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]762 # deny ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]763 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]764
765 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]766 self.apply_rules(rules, "deny icmpv6")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]767
768 # Traffic should not pass
769 self.run_verify_negat_test(self.ICMP, self.IPV6, 0)
770
771 self.logger.info("ACLP_TEST_FINISH_0007")
772
773 def test_0008_tcp_permit_v4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]774 """permit TCPv4"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]775 self.logger.info("ACLP_TEST_START_0008")
776
777 # Add an ACL
778 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]779 rules.append(
780 self.create_rule(
781 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
782 )
783 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]784 # deny ip any any in the end
785 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
786
787 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]788 self.apply_rules(rules, "permit ipv4 tcp")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]789
790 # Traffic should still pass
791 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
792
793 self.logger.info("ACLP_TEST_FINISH_0008")
794
795 def test_0009_tcp_permit_v6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]796 """permit TCPv6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]797 self.logger.info("ACLP_TEST_START_0009")
798
799 # Add an ACL
800 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]801 rules.append(
802 self.create_rule(
803 self.IPV6, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
804 )
805 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]806 # deny ip any any in the end
807 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
808
809 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]810 self.apply_rules(rules, "permit ip6 tcp")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]811
812 # Traffic should still pass
813 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
814
815 self.logger.info("ACLP_TEST_FINISH_0008")
816
817 def test_0010_udp_permit_v4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]818 """permit UDPv4"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]819 self.logger.info("ACLP_TEST_START_0010")
820
821 # Add an ACL
822 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]823 rules.append(
824 self.create_rule(
825 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
826 )
827 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]828 # deny ip any any in the end
829 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
830
831 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]832 self.apply_rules(rules, "permit ipv udp")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]833
834 # Traffic should still pass
835 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
836
837 self.logger.info("ACLP_TEST_FINISH_0010")
838
839 def test_0011_udp_permit_v6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]840 """permit UDPv6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]841 self.logger.info("ACLP_TEST_START_0011")
842
843 # Add an ACL
844 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]845 rules.append(
846 self.create_rule(
847 self.IPV6, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
848 )
849 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]850 # deny ip any any in the end
851 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
852
853 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]854 self.apply_rules(rules, "permit ip6 udp")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]855
856 # Traffic should still pass
857 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
858
859 self.logger.info("ACLP_TEST_FINISH_0011")
860
861 def test_0012_tcp_deny(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]862 """deny TCPv4/v6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]863 self.logger.info("ACLP_TEST_START_0012")
864
865 # Add an ACL
866 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]867 rules.append(
868 self.create_rule(
869 self.IPV4, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
870 )
871 )
872 rules.append(
873 self.create_rule(
874 self.IPV6, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
875 )
876 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]877 # permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]878 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
879 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]880
881 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]882 self.apply_rules(rules, "deny ip4/ip6 tcp")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]883
884 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]885 self.run_verify_negat_test(
886 self.IP, self.IPRANDOM, self.proto[self.IP][self.TCP]
887 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]888
889 self.logger.info("ACLP_TEST_FINISH_0012")
890
891 def test_0013_udp_deny(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]892 """deny UDPv4/v6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]893 self.logger.info("ACLP_TEST_START_0013")
894
895 # Add an ACL
896 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]897 rules.append(
898 self.create_rule(
899 self.IPV4, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
900 )
901 )
902 rules.append(
903 self.create_rule(
904 self.IPV6, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
905 )
906 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]907 # permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]908 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
909 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]910
911 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]912 self.apply_rules(rules, "deny ip4/ip6 udp")
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]913
914 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]915 self.run_verify_negat_test(
916 self.IP, self.IPRANDOM, self.proto[self.IP][self.UDP]
917 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]918
919 self.logger.info("ACLP_TEST_FINISH_0013")
920
921 def test_0014_acl_dump(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]922 """verify add/dump acls"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]923 self.logger.info("ACLP_TEST_START_0014")
924
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]925 r = [
926 [self.IPV4, self.PERMIT, 1234, self.proto[self.IP][self.TCP]],
927 [self.IPV4, self.PERMIT, 2345, self.proto[self.IP][self.UDP]],
928 [self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.TCP]],
929 [self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.UDP]],
930 [self.IPV4, self.PERMIT, 5, self.proto[self.ICMP][self.ICMPv4]],
931 [self.IPV6, self.PERMIT, 4321, self.proto[self.IP][self.TCP]],
932 [self.IPV6, self.PERMIT, 5432, self.proto[self.IP][self.UDP]],
933 [self.IPV6, self.PERMIT, 0, self.proto[self.IP][self.TCP]],
934 [self.IPV6, self.PERMIT, 0, self.proto[self.IP][self.UDP]],
935 [self.IPV6, self.PERMIT, 6, self.proto[self.ICMP][self.ICMPv6]],
936 [self.IPV4, self.DENY, self.PORTS_ALL, 0],
937 [self.IPV4, self.DENY, 1234, self.proto[self.IP][self.TCP]],
938 [self.IPV4, self.DENY, 2345, self.proto[self.IP][self.UDP]],
939 [self.IPV4, self.DENY, 5, self.proto[self.ICMP][self.ICMPv4]],
940 [self.IPV6, self.DENY, 4321, self.proto[self.IP][self.TCP]],
941 [self.IPV6, self.DENY, 5432, self.proto[self.IP][self.UDP]],
942 [self.IPV6, self.DENY, 6, self.proto[self.ICMP][self.ICMPv6]],
943 [self.IPV6, self.DENY, self.PORTS_ALL, 0],
944 ]
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]945
946 # Add and verify new ACLs
947 rules = []
948 for i in range(len(r)):
949 rules.append(self.create_rule(r[i][0], r[i][1], r[i][2], r[i][3]))
950
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]951 acl = VppAcl(self, rules=rules)
952 acl.add_vpp_config()
953 result = acl.dump()
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]954
955 i = 0
956 for drules in result:
957 for dr in drules.r:
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]958 self.assertEqual(dr.is_permit, r[i][1])
959 self.assertEqual(dr.proto, r[i][3])
960
961 if r[i][2] > 0:
962 self.assertEqual(dr.srcport_or_icmptype_first, r[i][2])
963 else:
964 if r[i][2] < 0:
965 self.assertEqual(dr.srcport_or_icmptype_first, 0)
966 self.assertEqual(dr.srcport_or_icmptype_last, 65535)
967 else:
968 if dr.proto == self.proto[self.IP][self.TCP]:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]969 self.assertGreater(
970 dr.srcport_or_icmptype_first, self.tcp_sport_from - 1
971 )
972 self.assertLess(
973 dr.srcport_or_icmptype_first, self.tcp_sport_to + 1
974 )
975 self.assertGreater(
976 dr.dstport_or_icmpcode_last, self.tcp_dport_from - 1
977 )
978 self.assertLess(
979 dr.dstport_or_icmpcode_last, self.tcp_dport_to + 1
980 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]981 elif dr.proto == self.proto[self.IP][self.UDP]:
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]982 self.assertGreater(
983 dr.srcport_or_icmptype_first, self.udp_sport_from - 1
984 )
985 self.assertLess(
986 dr.srcport_or_icmptype_first, self.udp_sport_to + 1
987 )
988 self.assertGreater(
989 dr.dstport_or_icmpcode_last, self.udp_dport_from - 1
990 )
991 self.assertLess(
992 dr.dstport_or_icmpcode_last, self.udp_dport_to + 1
993 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]994 i += 1
995
996 self.logger.info("ACLP_TEST_FINISH_0014")
997
998 def test_0015_tcp_permit_port_v4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]999 """permit single TCPv4"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1000 self.logger.info("ACLP_TEST_START_0015")
1001
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1002 port = random.randint(16384, 65535)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1003 # Add an ACL
1004 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1005 rules.append(
1006 self.create_rule(
1007 self.IPV4, self.PERMIT, port, self.proto[self.IP][self.TCP]
1008 )
1009 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1010 # deny ip any any in the end
1011 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1012
1013 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1014 self.apply_rules(rules, "permit ip4 tcp %d" % port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1015
1016 # Traffic should still pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1017 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP], port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1018
1019 self.logger.info("ACLP_TEST_FINISH_0015")
1020
1021 def test_0016_udp_permit_port_v4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1022 """permit single UDPv4"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1023 self.logger.info("ACLP_TEST_START_0016")
1024
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1025 port = random.randint(16384, 65535)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1026 # Add an ACL
1027 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1028 rules.append(
1029 self.create_rule(
1030 self.IPV4, self.PERMIT, port, self.proto[self.IP][self.UDP]
1031 )
1032 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1033 # deny ip any any in the end
1034 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1035
1036 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1037 self.apply_rules(rules, "permit ip4 tcp %d" % port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1038
1039 # Traffic should still pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1040 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP], port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1041
1042 self.logger.info("ACLP_TEST_FINISH_0016")
1043
1044 def test_0017_tcp_permit_port_v6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1045 """permit single TCPv6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1046 self.logger.info("ACLP_TEST_START_0017")
1047
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1048 port = random.randint(16384, 65535)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1049 # Add an ACL
1050 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1051 rules.append(
1052 self.create_rule(
1053 self.IPV6, self.PERMIT, port, self.proto[self.IP][self.TCP]
1054 )
1055 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1056 # deny ip any any in the end
1057 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1058
1059 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1060 self.apply_rules(rules, "permit ip4 tcp %d" % port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1061
1062 # Traffic should still pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1063 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP], port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1064
1065 self.logger.info("ACLP_TEST_FINISH_0017")
1066
1067 def test_0018_udp_permit_port_v6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1068 """permit single UDPv6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1069 self.logger.info("ACLP_TEST_START_0018")
1070
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1071 port = random.randint(16384, 65535)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1072 # Add an ACL
1073 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1074 rules.append(
1075 self.create_rule(
1076 self.IPV6, self.PERMIT, port, self.proto[self.IP][self.UDP]
1077 )
1078 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1079 # deny ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1080 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1081
1082 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1083 self.apply_rules(rules, "permit ip4 tcp %d" % port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1084
1085 # Traffic should still pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1086 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP], port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1087
1088 self.logger.info("ACLP_TEST_FINISH_0018")
1089
1090 def test_0019_udp_deny_port(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1091 """deny single TCPv4/v6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1092 self.logger.info("ACLP_TEST_START_0019")
1093
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1094 port = random.randint(16384, 65535)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1095 # Add an ACL
1096 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1097 rules.append(
1098 self.create_rule(self.IPV4, self.DENY, port, self.proto[self.IP][self.TCP])
1099 )
1100 rules.append(
1101 self.create_rule(self.IPV6, self.DENY, port, self.proto[self.IP][self.TCP])
1102 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1103 # Permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1104 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
1105 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1106
1107 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1108 self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1109
1110 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1111 self.run_verify_negat_test(
1112 self.IP, self.IPRANDOM, self.proto[self.IP][self.TCP], port
1113 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1114
1115 self.logger.info("ACLP_TEST_FINISH_0019")
1116
1117 def test_0020_udp_deny_port(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1118 """deny single UDPv4/v6"""
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1119 self.logger.info("ACLP_TEST_START_0020")
1120
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1121 port = random.randint(16384, 65535)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1122 # Add an ACL
1123 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1124 rules.append(
1125 self.create_rule(self.IPV4, self.DENY, port, self.proto[self.IP][self.UDP])
1126 )
1127 rules.append(
1128 self.create_rule(self.IPV6, self.DENY, port, self.proto[self.IP][self.UDP])
1129 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1130 # Permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1131 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
1132 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1133
1134 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1135 self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1136
1137 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1138 self.run_verify_negat_test(
1139 self.IP, self.IPRANDOM, self.proto[self.IP][self.UDP], port
1140 )
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1141
1142 self.logger.info("ACLP_TEST_FINISH_0020")
1143
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]1144 def test_0021_udp_deny_port_verify_fragment_deny(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1145 """deny single UDPv4/v6, permit ip any, verify non-initial fragment
Chris Luked0421942018-04-10 15:19:54 -0400[diff] [blame]1146 blocked
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]1147 """
1148 self.logger.info("ACLP_TEST_START_0021")
1149
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1150 port = random.randint(16384, 65535)
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]1151 # Add an ACL
1152 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1153 rules.append(
1154 self.create_rule(self.IPV4, self.DENY, port, self.proto[self.IP][self.UDP])
1155 )
1156 rules.append(
1157 self.create_rule(self.IPV6, self.DENY, port, self.proto[self.IP][self.UDP])
1158 )
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]1159 # deny ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1160 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
1161 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]1162
1163 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1164 self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]1165
1166 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1167 self.run_verify_negat_test(
1168 self.IP, self.IPRANDOM, self.proto[self.IP][self.UDP], port, True
1169 )
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame]1170
1171 self.logger.info("ACLP_TEST_FINISH_0021")
1172
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1173 def test_0022_zero_length_udp_ipv4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1174 """VPP-687 zero length udp ipv4 packet"""
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1175 self.logger.info("ACLP_TEST_START_0022")
1176
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1177 port = random.randint(16384, 65535)
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1178 # Add an ACL
1179 rules = []
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1180 rules.append(
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1181 self.create_rule(
1182 self.IPV4, self.PERMIT, port, self.proto[self.IP][self.UDP]
1183 )
1184 )
1185 # deny ip any any in the end
1186 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1187
1188 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1189 self.apply_rules(rules, "permit empty udp ip4 %d" % port)
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1190
1191 # Traffic should still pass
1192 # Create incoming packet streams for packet-generator interfaces
1193 pkts_cnt = 0
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1194 pkts = self.create_stream(
1195 self.pg0,
1196 self.pg_if_packet_sizes,
1197 self.IP,
1198 self.IPV4,
1199 self.proto[self.IP][self.UDP],
1200 port,
1201 False,
1202 False,
1203 )
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1204 if len(pkts) > 0:
1205 self.pg0.add_stream(pkts)
1206 pkts_cnt += len(pkts)
1207
1208 # Enable packet capture and start packet sendingself.IPV
1209 self.pg_enable_capture(self.pg_interfaces)
1210 self.pg_start()
1211
1212 self.pg1.get_capture(pkts_cnt)
1213
1214 self.logger.info("ACLP_TEST_FINISH_0022")
1215
1216 def test_0023_zero_length_udp_ipv6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1217 """VPP-687 zero length udp ipv6 packet"""
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1218 self.logger.info("ACLP_TEST_START_0023")
1219
Andrew Yourtchenkoec574ff2019-10-03 07:55:52 +0000[diff] [blame]1220 port = random.randint(16384, 65535)
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1221 # Add an ACL
1222 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1223 rules.append(
1224 self.create_rule(
1225 self.IPV6, self.PERMIT, port, self.proto[self.IP][self.UDP]
1226 )
1227 )
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1228 # deny ip any any in the end
1229 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1230
1231 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1232 self.apply_rules(rules, "permit empty udp ip6 %d" % port)
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1233
1234 # Traffic should still pass
1235 # Create incoming packet streams for packet-generator interfaces
1236 pkts_cnt = 0
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1237 pkts = self.create_stream(
1238 self.pg0,
1239 self.pg_if_packet_sizes,
1240 self.IP,
1241 self.IPV6,
1242 self.proto[self.IP][self.UDP],
1243 port,
1244 False,
1245 False,
1246 )
Pavel Kotuceke7b67342017-04-18 13:12:20 +0200[diff] [blame]1247 if len(pkts) > 0:
1248 self.pg0.add_stream(pkts)
1249 pkts_cnt += len(pkts)
1250
1251 # Enable packet capture and start packet sendingself.IPV
1252 self.pg_enable_capture(self.pg_interfaces)
1253 self.pg_start()
1254
1255 # Verify outgoing packet streams per packet-generator interface
1256 self.pg1.get_capture(pkts_cnt)
1257
1258 self.logger.info("ACLP_TEST_FINISH_0023")
1259
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1260 def test_0108_tcp_permit_v4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1261 """permit TCPv4 + non-match range"""
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1262 self.logger.info("ACLP_TEST_START_0108")
1263
1264 # Add an ACL
1265 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1266 rules.append(
1267 self.create_rule(
1268 self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
1269 )
1270 )
1271 rules.append(
1272 self.create_rule(
1273 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1274 )
1275 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1276 # deny ip any any in the end
1277 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1278
1279 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1280 self.apply_rules(rules, "permit ipv4 tcp")
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1281
1282 # Traffic should still pass
1283 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
1284
1285 self.logger.info("ACLP_TEST_FINISH_0108")
1286
1287 def test_0109_tcp_permit_v6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1288 """permit TCPv6 + non-match range"""
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1289 self.logger.info("ACLP_TEST_START_0109")
1290
1291 # Add an ACL
1292 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1293 rules.append(
1294 self.create_rule(
1295 self.IPV6, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
1296 )
1297 )
1298 rules.append(
1299 self.create_rule(
1300 self.IPV6, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1301 )
1302 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1303 # deny ip any any in the end
1304 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1305
1306 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1307 self.apply_rules(rules, "permit ip6 tcp")
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1308
1309 # Traffic should still pass
1310 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
1311
1312 self.logger.info("ACLP_TEST_FINISH_0109")
1313
1314 def test_0110_udp_permit_v4(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1315 """permit UDPv4 + non-match range"""
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1316 self.logger.info("ACLP_TEST_START_0110")
1317
1318 # Add an ACL
1319 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1320 rules.append(
1321 self.create_rule(
1322 self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.UDP]
1323 )
1324 )
1325 rules.append(
1326 self.create_rule(
1327 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
1328 )
1329 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1330 # deny ip any any in the end
1331 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1332
1333 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1334 self.apply_rules(rules, "permit ipv4 udp")
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1335
1336 # Traffic should still pass
1337 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
1338
1339 self.logger.info("ACLP_TEST_FINISH_0110")
1340
1341 def test_0111_udp_permit_v6(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1342 """permit UDPv6 + non-match range"""
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1343 self.logger.info("ACLP_TEST_START_0111")
1344
1345 # Add an ACL
1346 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1347 rules.append(
1348 self.create_rule(
1349 self.IPV6, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.UDP]
1350 )
1351 )
1352 rules.append(
1353 self.create_rule(
1354 self.IPV6, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
1355 )
1356 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1357 # deny ip any any in the end
1358 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1359
1360 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1361 self.apply_rules(rules, "permit ip6 udp")
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1362
1363 # Traffic should still pass
1364 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
1365
1366 self.logger.info("ACLP_TEST_FINISH_0111")
1367
1368 def test_0112_tcp_deny(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1369 """deny TCPv4/v6 + non-match range"""
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1370 self.logger.info("ACLP_TEST_START_0112")
1371
1372 # Add an ACL
1373 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1374 rules.append(
1375 self.create_rule(
1376 self.IPV4,
1377 self.PERMIT,
1378 self.PORTS_RANGE_2,
1379 self.proto[self.IP][self.TCP],
1380 )
1381 )
1382 rules.append(
1383 self.create_rule(
1384 self.IPV6,
1385 self.PERMIT,
1386 self.PORTS_RANGE_2,
1387 self.proto[self.IP][self.TCP],
1388 )
1389 )
1390 rules.append(
1391 self.create_rule(
1392 self.IPV4, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1393 )
1394 )
1395 rules.append(
1396 self.create_rule(
1397 self.IPV6, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1398 )
1399 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1400 # permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1401 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
1402 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1403
1404 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1405 self.apply_rules(rules, "deny ip4/ip6 tcp")
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1406
1407 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1408 self.run_verify_negat_test(
1409 self.IP, self.IPRANDOM, self.proto[self.IP][self.TCP]
1410 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1411
1412 self.logger.info("ACLP_TEST_FINISH_0112")
1413
1414 def test_0113_udp_deny(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1415 """deny UDPv4/v6 + non-match range"""
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1416 self.logger.info("ACLP_TEST_START_0113")
1417
1418 # Add an ACL
1419 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1420 rules.append(
1421 self.create_rule(
1422 self.IPV4,
1423 self.PERMIT,
1424 self.PORTS_RANGE_2,
1425 self.proto[self.IP][self.UDP],
1426 )
1427 )
1428 rules.append(
1429 self.create_rule(
1430 self.IPV6,
1431 self.PERMIT,
1432 self.PORTS_RANGE_2,
1433 self.proto[self.IP][self.UDP],
1434 )
1435 )
1436 rules.append(
1437 self.create_rule(
1438 self.IPV4, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
1439 )
1440 )
1441 rules.append(
1442 self.create_rule(
1443 self.IPV6, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
1444 )
1445 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1446 # permit ip any any in the end
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1447 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
1448 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1449
1450 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1451 self.apply_rules(rules, "deny ip4/ip6 udp")
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1452
1453 # Traffic should not pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1454 self.run_verify_negat_test(
1455 self.IP, self.IPRANDOM, self.proto[self.IP][self.UDP]
1456 )
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1457
1458 self.logger.info("ACLP_TEST_FINISH_0113")
1459
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1460 def test_0300_tcp_permit_v4_etype_aaaa(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1461 """permit TCPv4, send 0xAAAA etype"""
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1462 self.logger.info("ACLP_TEST_START_0300")
1463
1464 # Add an ACL
1465 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1466 rules.append(
1467 self.create_rule(
1468 self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
1469 )
1470 )
1471 rules.append(
1472 self.create_rule(
1473 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1474 )
1475 )
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1476 # deny ip any any in the end
1477 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1478
1479 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1480 self.apply_rules(rules, "permit ipv4 tcp")
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1481
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1482 # Traffic should still pass also for an odd ethertype
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1483 self.run_verify_test(
1484 self.IP, self.IPV4, self.proto[self.IP][self.TCP], 0, False, True, 0xAAAA
1485 )
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1486 self.logger.info("ACLP_TEST_FINISH_0300")
1487
1488 def test_0305_tcp_permit_v4_etype_blacklist_aaaa(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1489 """permit TCPv4, whitelist 0x0BBB ethertype, send 0xAAAA-blocked"""
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1490 self.logger.info("ACLP_TEST_START_0305")
1491
1492 # Add an ACL
1493 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1494 rules.append(
1495 self.create_rule(
1496 self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
1497 )
1498 )
1499 rules.append(
1500 self.create_rule(
1501 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1502 )
1503 )
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1504 # deny ip any any in the end
1505 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1506
1507 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1508 self.apply_rules(rules, "permit ipv4 tcp")
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1509 # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1510 self.etype_whitelist([0xBBB], 1)
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1511
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1512 # The oddball ethertype should be blocked
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1513 self.run_verify_negat_test(
1514 self.IP, self.IPV4, self.proto[self.IP][self.TCP], 0, False, 0xAAAA
1515 )
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1516
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1517 # remove the whitelist
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1518 self.etype_whitelist([], 0, add=False)
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1519
1520 self.logger.info("ACLP_TEST_FINISH_0305")
1521
1522 def test_0306_tcp_permit_v4_etype_blacklist_aaaa(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1523 """permit TCPv4, whitelist 0x0BBB ethertype, send 0x0BBB - pass"""
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1524 self.logger.info("ACLP_TEST_START_0306")
1525
1526 # Add an ACL
1527 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1528 rules.append(
1529 self.create_rule(
1530 self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
1531 )
1532 )
1533 rules.append(
1534 self.create_rule(
1535 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1536 )
1537 )
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1538 # deny ip any any in the end
1539 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1540
1541 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1542 self.apply_rules(rules, "permit ipv4 tcp")
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1543 # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1544 self.etype_whitelist([0xBBB], 1)
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1545
1546 # The whitelisted traffic, should pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1547 self.run_verify_test(
1548 self.IP, self.IPV4, self.proto[self.IP][self.TCP], 0, False, True, 0x0BBB
1549 )
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1550
1551 # remove the whitelist, the previously blocked 0xAAAA should pass now
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1552 self.etype_whitelist([], 0, add=False)
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1553
1554 self.logger.info("ACLP_TEST_FINISH_0306")
1555
1556 def test_0307_tcp_permit_v4_etype_blacklist_aaaa(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1557 """permit TCPv4, whitelist 0x0BBB, remove, send 0xAAAA - pass"""
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1558 self.logger.info("ACLP_TEST_START_0307")
1559
1560 # Add an ACL
1561 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1562 rules.append(
1563 self.create_rule(
1564 self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
1565 )
1566 )
1567 rules.append(
1568 self.create_rule(
1569 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1570 )
1571 )
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1572 # deny ip any any in the end
1573 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1574
1575 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1576 self.apply_rules(rules, "permit ipv4 tcp")
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1577
1578 # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1579 self.etype_whitelist([0xBBB], 1)
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1580 # remove the whitelist, the previously blocked 0xAAAA should pass now
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1581 self.etype_whitelist([], 0, add=False)
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1582
1583 # The whitelisted traffic, should pass
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1584 self.run_verify_test(
1585 self.IP, self.IPV4, self.proto[self.IP][self.TCP], 0, False, True, 0xAAAA
1586 )
Andrew Yourtchenkoc43b3f92018-02-06 17:42:32 +0100[diff] [blame]1587
Andrew Yourtchenko7ff74532018-10-06 09:24:28 +0200[diff] [blame]1588 self.logger.info("ACLP_TEST_FINISH_0306")
Andrew Yourtchenko6be72cd2017-08-10 17:02:58 +0200[diff] [blame]1589
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]1590 def test_0315_del_intf(self):
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1591 """apply an acl and delete the interface"""
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]1592 self.logger.info("ACLP_TEST_START_0315")
1593
1594 # Add an ACL
1595 rules = []
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1596 rules.append(
1597 self.create_rule(
1598 self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
1599 )
1600 )
1601 rules.append(
1602 self.create_rule(
1603 self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
1604 )
1605 )
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]1606 # deny ip any any in the end
1607 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1608
1609 # create an interface
1610 intf = []
Klement Sekerabeaded52018-06-24 10:30:37 +0200[diff] [blame]1611 intf.append(VppLoInterface(self))
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]1612
1613 # Apply rules
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1614 self.apply_rules_to(rules, "permit ipv4 tcp", intf[0].sw_if_index)
Andrew Yourtchenkode3682f2018-03-23 10:38:46 +0100[diff] [blame]1615
1616 # Remove the interface
1617 intf[0].remove_vpp_config()
1618
1619 self.logger.info("ACLP_TEST_FINISH_0315")
1620
Jakub Grajciar2f8cd912020-03-27 06:55:06 +0100[diff] [blame]1621
Klement Sekerad9b0c6f2022-04-26 19:02:15 +0200[diff] [blame]1622if __name__ == "__main__":
Pavel Kotucek59dda062017-03-02 15:22:47 +0100[diff] [blame]1623 unittest.main(testRunner=VppTestRunner)