Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 5ee51f8ed616f14f3b32ae8857d383fefa02d861 / . / test / test_acl_plugin_l2l3.py
blob: 346825fceec4c5047772175b8263e8a505ccf2fd [file] [log] [blame]
Andrew Yourtchenkod2a59be2017-03-21 10:31:55 +0100[diff] [blame]1#!/usr/bin/env python
2"""ACL IRB Test Case HLD:
3
4**config**
5 - L2 MAC learning enabled in l2bd
6 - 2 routed interfaces untagged, bvi (Bridge Virtual Interface)
7 - 2 bridged interfaces in l2bd with bvi
8
9**test**
10 - sending ip4 eth pkts between routed interfaces
11 - 2 routed interfaces
12 - 2 bridged interfaces
13
14 - 64B, 512B, 1518B, 9200B (ether_size)
15
16 - burst of pkts per interface
17 - 257pkts per burst
18 - routed pkts hitting different FIB entries
19 - bridged pkts hitting different MAC entries
20
21**verify**
22 - all packets received correctly
23
24"""
25
26import unittest
27from socket import inet_pton, AF_INET, AF_INET6
28from random import choice
29from pprint import pprint
30
31from scapy.packet import Raw
32from scapy.layers.l2 import Ether
33from scapy.layers.inet import IP, UDP, ICMP, TCP
34from scapy.layers.inet6 import IPv6, ICMPv6Unknown, ICMPv6EchoRequest
35from scapy.layers.inet6 import ICMPv6EchoReply, IPv6ExtHdrRouting
36
37from framework import VppTestCase, VppTestRunner
38import time
39
40
41class TestIpIrb(VppTestCase):
42 """IRB Test Case"""
43
44 @classmethod
45 def setUpClass(cls):
46 """
47 #. Create BD with MAC learning enabled and put interfaces to this BD.
48 #. Configure IPv4 addresses on loopback interface and routed interface.
49 #. Configure MAC address binding to IPv4 neighbors on loop0.
50 #. Configure MAC address on pg2.
51 #. Loopback BVI interface has remote hosts, one half of hosts are
52 behind pg0 second behind pg1.
53 """
54 super(TestIpIrb, cls).setUpClass()
55
56 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
57 cls.bd_id = 10
58 cls.remote_hosts_count = 250
59
60 # create 3 pg interfaces, 1 loopback interface
61 cls.create_pg_interfaces(range(3))
62 cls.create_loopback_interfaces(range(1))
63
64 cls.interfaces = list(cls.pg_interfaces)
65 cls.interfaces.extend(cls.lo_interfaces)
66
67 for i in cls.interfaces:
68 i.admin_up()
69
70 # Create BD with MAC learning enabled and put interfaces to this BD
71 cls.vapi.sw_interface_set_l2_bridge(
72 cls.loop0.sw_if_index, bd_id=cls.bd_id, bvi=1)
73 cls.vapi.sw_interface_set_l2_bridge(
74 cls.pg0.sw_if_index, bd_id=cls.bd_id)
75 cls.vapi.sw_interface_set_l2_bridge(
76 cls.pg1.sw_if_index, bd_id=cls.bd_id)
77
78 # Configure IPv4 addresses on loopback interface and routed interface
79 cls.loop0.config_ip4()
80 cls.loop0.config_ip6()
81 cls.pg2.config_ip4()
82 cls.pg2.config_ip6()
83
84 # Configure MAC address binding to IPv4 neighbors on loop0
85 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
86 cls.loop0.configure_ipv4_neighbors()
87 cls.loop0.configure_ipv6_neighbors()
88 # configure MAC address on pg2
89 cls.pg2.resolve_arp()
90 cls.pg2.resolve_ndp()
91
92 cls.WITHOUT_EH = False
93 cls.WITH_EH = True
94
95 # Loopback BVI interface has remote hosts, one half of hosts are behind
96 # pg0 second behind pg1
97 half = cls.remote_hosts_count // 2
98 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:half]
99 cls.pg1.remote_hosts = cls.loop0.remote_hosts[half:]
100
101 def tearDown(self):
102 """Run standard test teardown and log ``show l2patch``,
103 ``show l2fib verbose``,``show bridge-domain <bd_id> detail``,
104 ``show ip arp``.
105 """
106 super(TestIpIrb, self).tearDown()
107 if not self.vpp_dead:
108 self.logger.info(self.vapi.cli("show l2patch"))
109 self.logger.info(self.vapi.cli("show classify tables"))
110 self.logger.info(self.vapi.cli("show vlib graph"))
111 self.logger.info(self.vapi.cli("show l2fib verbose"))
112 self.logger.info(self.vapi.cli("show bridge-domain %s detail" %
113 self.bd_id))
114 self.logger.info(self.vapi.cli("show ip arp"))
115 self.logger.info(self.vapi.cli("show ip6 neighbors"))
116 self.logger.info(self.vapi.cli("show acl-plugin sessions"))
117
118 def api_acl_add_replace(self, acl_index, r, count, tag="",
119 expected_retval=0):
120 """Add/replace an ACL
121
122 :param int acl_index: ACL index to replace, 4294967295 to create new.
123 :param acl_rule r: ACL rules array.
124 :param str tag: symbolic tag (description) for this ACL.
125 :param int count: number of rules.
126 """
127 return self.vapi.api(self.vapi.papi.acl_add_replace,
128 {'acl_index': acl_index,
129 'r': r,
130 'count': count,
131 'tag': tag
132 }, expected_retval=expected_retval)
133
134 def api_acl_interface_set_acl_list(self, sw_if_index, count, n_input, acls,
135 expected_retval=0):
136 return self.vapi.api(self.vapi.papi.acl_interface_set_acl_list,
137 {'sw_if_index': sw_if_index,
138 'count': count,
139 'n_input': n_input,
140 'acls': acls
141 }, expected_retval=expected_retval)
142
143 def api_acl_dump(self, acl_index, expected_retval=0):
144 return self.vapi.api(self.vapi.papi.acl_dump,
145 {'acl_index': acl_index},
146 expected_retval=expected_retval)
147
148 def create_stream(self, src_ip_if, dst_ip_if, reverse, packet_sizes,
149 is_ip6, expect_blocked, expect_established,
150 add_extension_header):
151 pkts = []
152 rules = []
153 permit_rules = []
154 permit_and_reflect_rules = []
155 total_packet_count = 8
156 for i in range(0, total_packet_count):
157 modulo = (i//2) % 2
158 can_reflect_this_packet = (modulo == 0)
159 is_permit = i % 2
160 remote_dst_index = i % len(dst_ip_if.remote_hosts)
161 remote_dst_host = dst_ip_if.remote_hosts[remote_dst_index]
162 if is_permit == 1:
163 info = self.create_packet_info(src_ip_if, dst_ip_if)
164 payload = self.info_to_payload(info)
165 else:
166 to_be_blocked = False
167 if (expect_blocked and not expect_established):
168 to_be_blocked = True
169 if (not can_reflect_this_packet):
170 to_be_blocked = True
171 if to_be_blocked:
172 payload = "to be blocked"
173 else:
174 info = self.create_packet_info(src_ip_if, dst_ip_if)
175 payload = self.info_to_payload(info)
176 if reverse:
177 dst_mac = 'de:ad:00:00:00:00'
178 src_mac = remote_dst_host._mac
179 dst_ip6 = src_ip_if.remote_ip6
180 src_ip6 = remote_dst_host.ip6
181 dst_ip4 = src_ip_if.remote_ip4
182 src_ip4 = remote_dst_host.ip4
183 dst_l4 = 1234 + i
184 src_l4 = 4321 + i
185 else:
186 dst_mac = src_ip_if.local_mac
187 src_mac = src_ip_if.remote_mac
188 src_ip6 = src_ip_if.remote_ip6
189 dst_ip6 = remote_dst_host.ip6
190 src_ip4 = src_ip_if.remote_ip4
191 dst_ip4 = remote_dst_host.ip4
192 src_l4 = 1234 + i
193 dst_l4 = 4321 + i
194
195 # default ULP should be something we do not use in tests
196 ulp_l4 = TCP(sport=src_l4, dport=dst_l4)
197 # potentially a chain of protocols leading to ULP
198 ulp = ulp_l4
199
200 if can_reflect_this_packet:
201 if is_ip6:
202 ulp_l4 = UDP(sport=src_l4, dport=dst_l4)
203 if add_extension_header:
204 # prepend some extension headers
205 ulp = (IPv6ExtHdrRouting() / IPv6ExtHdrRouting() /
206 IPv6ExtHdrRouting() / ulp_l4)
207 # uncomment below to test invalid ones
208 # ulp = IPv6ExtHdrRouting(len = 200) / ulp_l4
209 else:
210 ulp = ulp_l4
211 p = (Ether(dst=dst_mac, src=src_mac) /
212 IPv6(src=src_ip6, dst=dst_ip6) /
213 ulp /
214 Raw(payload))
215 else:
216 ulp_l4 = UDP(sport=src_l4, dport=dst_l4)
217 # IPv4 does not allow extension headers
218 ulp = ulp_l4
219 p = (Ether(dst=dst_mac, src=src_mac) /
220 IP(src=src_ip4, dst=dst_ip4) /
221 ulp /
222 Raw(payload))
223 elif modulo == 1:
224 if is_ip6:
225 ulp_l4 = ICMPv6Unknown(type=128 + (i % 2), code=i % 2)
226 ulp = ulp_l4
227 p = (Ether(dst=dst_mac, src=src_mac) /
228 IPv6(src=src_ip6, dst=dst_ip6) /
229 ulp /
230 Raw(payload))
231 else:
232 ulp_l4 = ICMP(type=8 + (i % 2), code=i % 2)
233 ulp = ulp_l4
234 p = (Ether(dst=dst_mac, src=src_mac) /
235 IP(src=src_ip4, dst=dst_ip4) /
236 ulp /
237 Raw(payload))
238
239 if i % 2 == 1:
240 info.data = p.copy()
241 size = packet_sizes[(i // 2) % len(packet_sizes)]
242 self.extend_packet(p, size)
243 pkts.append(p)
244
245 rule_family = AF_INET6 if p.haslayer(IPv6) else AF_INET
246 rule_prefix_len = 128 if p.haslayer(IPv6) else 32
247 rule_l3_layer = IPv6 if p.haslayer(IPv6) else IP
248
249 if p.haslayer(UDP):
250 rule_l4_sport = p[UDP].sport
251 rule_l4_dport = p[UDP].dport
252 else:
253 if p.haslayer(ICMP):
254 rule_l4_sport = p[ICMP].type
255 rule_l4_dport = p[ICMP].code
256 else:
257 rule_l4_sport = p[ICMPv6Unknown].type
258 rule_l4_dport = p[ICMPv6Unknown].code
259 if p.haslayer(IPv6):
260 rule_l4_proto = ulp_l4.overload_fields[IPv6]['nh']
261 else:
262 rule_l4_proto = p[IP].proto
263
264 new_rule = {
265 'is_permit': is_permit,
266 'is_ipv6': p.haslayer(IPv6),
267 'src_ip_addr': inet_pton(rule_family,
268 p[rule_l3_layer].src),
269 'src_ip_prefix_len': rule_prefix_len,
270 'dst_ip_addr': inet_pton(rule_family,
271 p[rule_l3_layer].dst),
272 'dst_ip_prefix_len': rule_prefix_len,
273 'srcport_or_icmptype_first': rule_l4_sport,
274 'srcport_or_icmptype_last': rule_l4_sport,
275 'dstport_or_icmpcode_first': rule_l4_dport,
276 'dstport_or_icmpcode_last': rule_l4_dport,
277 'proto': rule_l4_proto,
278 }
279 rules.append(new_rule)
280 new_rule_permit = new_rule.copy()
281 new_rule_permit['is_permit'] = 1
282 permit_rules.append(new_rule_permit)
283
284 new_rule_permit_and_reflect = new_rule.copy()
285 if can_reflect_this_packet:
286 new_rule_permit_and_reflect['is_permit'] = 2
287 else:
288 new_rule_permit_and_reflect['is_permit'] = is_permit
289 permit_and_reflect_rules.append(new_rule_permit_and_reflect)
290
291 return {'stream': pkts,
292 'rules': rules,
293 'permit_rules': permit_rules,
294 'permit_and_reflect_rules': permit_and_reflect_rules}
295
296 def verify_capture(self, dst_ip_if, src_ip_if, capture, reverse):
297 last_info = dict()
298 for i in self.interfaces:
299 last_info[i.sw_if_index] = None
300
301 dst_ip_sw_if_index = dst_ip_if.sw_if_index
302 return
303
304 for packet in capture:
305 l3 = IP if packet.haslayer(IP) else IPv6
306 ip = packet[l3]
307 if packet.haslayer(UDP):
308 l4 = UDP
309 else:
310 if packet.haslayer(ICMP):
311 l4 = ICMP
312 else:
313 l4 = ICMPv6Unknown
314
315 # Scapy IPv6 stuff is too smart for its own good.
316 # So we do this and coerce the ICMP into unknown type
317 if packet.haslayer(UDP):
318 data = str(packet[UDP][Raw])
319 else:
320 if l3 == IP:
321 data = str(ICMP(str(packet[l3].payload))[Raw])
322 else:
323 data = str(ICMPv6Unknown(str(packet[l3].payload)).msgbody)
324 udp_or_icmp = packet[l3].payload
325 payload_info = self.payload_to_info(data)
326 packet_index = payload_info.index
327
328 self.assertEqual(payload_info.dst, dst_ip_sw_if_index)
329
330 next_info = self.get_next_packet_info_for_interface2(
331 payload_info.src, dst_ip_sw_if_index,
332 last_info[payload_info.src])
333 last_info[payload_info.src] = next_info
334 self.assertTrue(next_info is not None)
335 self.assertEqual(packet_index, next_info.index)
336 saved_packet = next_info.data
337 self.assertTrue(next_info is not None)
338
339 # MAC: src, dst
340 if not reverse:
341 self.assertEqual(packet.src, dst_ip_if.local_mac)
342 host = dst_ip_if.host_by_mac(packet.dst)
343
344 # IP: src, dst
345 # self.assertEqual(ip.src, src_ip_if.remote_ip4)
346 if saved_packet is not None:
347 self.assertEqual(ip.src, saved_packet[l3].src)
348 self.assertEqual(ip.dst, saved_packet[l3].dst)
349 if l4 == UDP:
350 self.assertEqual(udp_or_icmp.sport, saved_packet[l4].sport)
351 self.assertEqual(udp_or_icmp.dport, saved_packet[l4].dport)
352 else:
353 print("Saved packet is none")
354 # self.assertEqual(ip.dst, host.ip4)
355
356 # UDP:
357
358 def create_acls_for_a_stream(self, stream_dict,
359 test_l2_action, is_reflect):
360 r = stream_dict['rules']
361 r_permit = stream_dict['permit_rules']
362 r_permit_reflect = stream_dict['permit_and_reflect_rules']
363 r_action = r_permit_reflect if is_reflect else r
364 reply = self.api_acl_add_replace(acl_index=4294967295, r=r_action,
365 count=len(r_action), tag="action acl")
366 action_acl_index = reply.acl_index
367 reply = self.api_acl_add_replace(acl_index=4294967295, r=r_permit,
368 count=len(r_permit), tag="permit acl")
369 permit_acl_index = reply.acl_index
370 return {'L2': action_acl_index if test_l2_action else permit_acl_index,
371 'L3': permit_acl_index if test_l2_action else action_acl_index,
372 'permit': permit_acl_index, 'action': action_acl_index}
373
374 def apply_acl_ip46_x_to_y(self, bridged_to_routed, test_l2_deny,
375 is_ip6, is_reflect, add_eh):
376 """ Apply the ACLs
377 """
378 self.reset_packet_infos()
379 stream_dict = self.create_stream(
380 self.pg2, self.loop0,
381 bridged_to_routed,
382 self.pg_if_packet_sizes, is_ip6,
383 not is_reflect, False, add_eh)
384 stream = stream_dict['stream']
385 acl_idx = self.create_acls_for_a_stream(stream_dict, test_l2_deny,
386 is_reflect)
387 n_input_l3 = 0 if bridged_to_routed else 1
388 n_input_l2 = 1 if bridged_to_routed else 0
389 self.api_acl_interface_set_acl_list(sw_if_index=self.pg2.sw_if_index,
390 count=1,
391 n_input=n_input_l3,
392 acls=[acl_idx['L3']])
393 self.api_acl_interface_set_acl_list(sw_if_index=self.pg0.sw_if_index,
394 count=1,
395 n_input=n_input_l2,
396 acls=[acl_idx['L2']])
397 self.api_acl_interface_set_acl_list(sw_if_index=self.pg1.sw_if_index,
398 count=1,
399 n_input=n_input_l2,
400 acls=[acl_idx['L2']])
401
402 def apply_acl_ip46_both_directions_reflect(self,
403 primary_is_bridged_to_routed,
404 reflect_on_l2, is_ip6, add_eh):
405 primary_is_routed_to_bridged = not primary_is_bridged_to_routed
406 self.reset_packet_infos()
407 stream_dict_fwd = self.create_stream(self.pg2, self.loop0,
408 primary_is_bridged_to_routed,
409 self.pg_if_packet_sizes, is_ip6,
410 False, False, add_eh)
411 acl_idx_fwd = self.create_acls_for_a_stream(stream_dict_fwd,
412 reflect_on_l2, True)
413
414 stream_dict_rev = self.create_stream(self.pg2, self.loop0,
415 not primary_is_bridged_to_routed,
416 self.pg_if_packet_sizes, is_ip6,
417 True, True, add_eh)
418 # We want the primary action to be "deny" rather than reflect
419 acl_idx_rev = self.create_acls_for_a_stream(stream_dict_rev,
420 reflect_on_l2, False)
421
422 if primary_is_bridged_to_routed:
423 inbound_l2_acl = acl_idx_fwd['L2']
424 else:
425 inbound_l2_acl = acl_idx_rev['L2']
426
427 if primary_is_routed_to_bridged:
428 outbound_l2_acl = acl_idx_fwd['L2']
429 else:
430 outbound_l2_acl = acl_idx_rev['L2']
431
432 if primary_is_routed_to_bridged:
433 inbound_l3_acl = acl_idx_fwd['L3']
434 else:
435 inbound_l3_acl = acl_idx_rev['L3']
436
437 if primary_is_bridged_to_routed:
438 outbound_l3_acl = acl_idx_fwd['L3']
439 else:
440 outbound_l3_acl = acl_idx_rev['L3']
441
442 self.api_acl_interface_set_acl_list(sw_if_index=self.pg2.sw_if_index,
443 count=2,
444 n_input=1,
445 acls=[inbound_l3_acl,
446 outbound_l3_acl])
447 self.api_acl_interface_set_acl_list(sw_if_index=self.pg0.sw_if_index,
448 count=2,
449 n_input=1,
450 acls=[inbound_l2_acl,
451 outbound_l2_acl])
452 self.api_acl_interface_set_acl_list(sw_if_index=self.pg1.sw_if_index,
453 count=2,
454 n_input=1,
455 acls=[inbound_l2_acl,
456 outbound_l2_acl])
457
458 def apply_acl_ip46_routed_to_bridged(self, test_l2_deny, is_ip6,
459 is_reflect, add_eh):
460 self.apply_acl_ip46_x_to_y(False, test_l2_deny, is_ip6,
461 is_reflect, add_eh)
462
463 def apply_acl_ip46_bridged_to_routed(self, test_l2_deny, is_ip6,
464 is_reflect, add_eh):
465 self.apply_acl_ip46_x_to_y(True, test_l2_deny, is_ip6,
466 is_reflect, add_eh)
467
468 def run_traffic_ip46_x_to_y(self, bridged_to_routed,
469 test_l2_deny, is_ip6,
470 is_reflect, is_established, add_eh):
471 self.reset_packet_infos()
472 stream_dict = self.create_stream(self.pg2, self.loop0,
473 bridged_to_routed,
474 self.pg_if_packet_sizes, is_ip6,
475 not is_reflect, is_established,
476 add_eh)
477 stream = stream_dict['stream']
478
479 tx_if = self.pg0 if bridged_to_routed else self.pg2
480 rx_if = self.pg2 if bridged_to_routed else self.pg0
481
482 tx_if.add_stream(stream)
483 self.pg_enable_capture(self.pg_interfaces)
484 self.pg_start()
485 packet_count = self.get_packet_count_for_if_idx(self.loop0.sw_if_index)
486 rcvd1 = rx_if.get_capture(packet_count)
487 self.verify_capture(self.loop0, self.pg2, rcvd1, bridged_to_routed)
488
489 def run_traffic_ip46_routed_to_bridged(self, test_l2_deny, is_ip6,
490 is_reflect, is_established, add_eh):
491 self.run_traffic_ip46_x_to_y(False, test_l2_deny, is_ip6,
492 is_reflect, is_established, add_eh)
493
494 def run_traffic_ip46_bridged_to_routed(self, test_l2_deny, is_ip6,
495 is_reflect, is_established, add_eh):
496 self.run_traffic_ip46_x_to_y(True, test_l2_deny, is_ip6,
497 is_reflect, is_established, add_eh)
498
499 def run_test_ip46_routed_to_bridged(self, test_l2_deny,
500 is_ip6, is_reflect, add_eh):
501 self.apply_acl_ip46_routed_to_bridged(test_l2_deny,
502 is_ip6, is_reflect, add_eh)
503 self.run_traffic_ip46_routed_to_bridged(test_l2_deny, is_ip6,
504 is_reflect, False, add_eh)
505
506 def run_test_ip46_bridged_to_routed(self, test_l2_deny,
507 is_ip6, is_reflect, add_eh):
508 self.apply_acl_ip46_bridged_to_routed(test_l2_deny,
509 is_ip6, is_reflect, add_eh)
510 self.run_traffic_ip46_bridged_to_routed(test_l2_deny, is_ip6,
511 is_reflect, False, add_eh)
512
513 def run_test_ip46_routed_to_bridged_and_back(self, test_l2_action,
514 is_ip6, add_eh):
515 self.apply_acl_ip46_both_directions_reflect(False, test_l2_action,
516 is_ip6, add_eh)
517 self.run_traffic_ip46_routed_to_bridged(test_l2_action, is_ip6,
518 True, False, add_eh)
519 self.run_traffic_ip46_bridged_to_routed(test_l2_action, is_ip6,
520 False, True, add_eh)
521
522 def run_test_ip46_bridged_to_routed_and_back(self, test_l2_action,
523 is_ip6, add_eh):
524 self.apply_acl_ip46_both_directions_reflect(True, test_l2_action,
525 is_ip6, add_eh)
526 self.run_traffic_ip46_bridged_to_routed(test_l2_action, is_ip6,
527 True, False, add_eh)
528 self.run_traffic_ip46_routed_to_bridged(test_l2_action, is_ip6,
529 False, True, add_eh)
530
531 def test_0000_ip6_irb_1(self):
532 """ ACL plugin prepare"""
533 if not self.vpp_dead:
534 cmd = "set acl-plugin session timeout udp idle 2000"
535 self.logger.info(self.vapi.ppcli(cmd))
536 # uncomment to not skip past the routing header
537 # and watch the EH tests fail
538 # self.logger.info(self.vapi.ppcli(
539 # "set acl-plugin skip-ipv6-extension-header 43 0"))
540 # uncomment to test the session limit (stateful tests will fail)
541 # self.logger.info(self.vapi.ppcli(
542 # "set acl-plugin session table max-entries 1"))
543 # new datapath is the default, but just in case
544 # self.logger.info(self.vapi.ppcli(
545 # "set acl-plugin l2-datapath new"))
546 # If you want to see some tests fail, uncomment the next line
547 # self.logger.info(self.vapi.ppcli(
548 # "set acl-plugin l2-datapath old"))
549
550 def test_0001_ip6_irb_1(self):
551 """ ACL IPv6 routed -> bridged, L2 ACL deny"""
552 self.run_test_ip46_routed_to_bridged(True, True, False,
553 self.WITHOUT_EH)
554
555 def test_0002_ip6_irb_1(self):
556 """ ACL IPv6 routed -> bridged, L3 ACL deny"""
557 self.run_test_ip46_routed_to_bridged(False, True, False,
558 self.WITHOUT_EH)
559
560 def test_0003_ip4_irb_1(self):
561 """ ACL IPv4 routed -> bridged, L2 ACL deny"""
562 self.run_test_ip46_routed_to_bridged(True, False, False,
563 self.WITHOUT_EH)
564
565 def test_0004_ip4_irb_1(self):
566 """ ACL IPv4 routed -> bridged, L3 ACL deny"""
567 self.run_test_ip46_routed_to_bridged(False, False, False,
568 self.WITHOUT_EH)
569
570 def test_0005_ip6_irb_1(self):
571 """ ACL IPv6 bridged -> routed, L2 ACL deny """
572 self.run_test_ip46_bridged_to_routed(True, True, False,
573 self.WITHOUT_EH)
574
575 def test_0006_ip6_irb_1(self):
576 """ ACL IPv6 bridged -> routed, L3 ACL deny """
577 self.run_test_ip46_bridged_to_routed(False, True, False,
578 self.WITHOUT_EH)
579
580 def test_0007_ip6_irb_1(self):
581 """ ACL IPv4 bridged -> routed, L2 ACL deny """
582 self.run_test_ip46_bridged_to_routed(True, False, False,
583 self.WITHOUT_EH)
584
585 def test_0008_ip6_irb_1(self):
586 """ ACL IPv4 bridged -> routed, L3 ACL deny """
587 self.run_test_ip46_bridged_to_routed(False, False, False,
588 self.WITHOUT_EH)
589
590 # Stateful ACL tests
591 def test_0101_ip6_irb_1(self):
592 """ ACL IPv6 routed -> bridged, L2 ACL permit+reflect"""
593 self.run_test_ip46_routed_to_bridged_and_back(True, True,
594 self.WITHOUT_EH)
595
596 def test_0102_ip6_irb_1(self):
597 """ ACL IPv6 bridged -> routed, L2 ACL permit+reflect"""
598 self.run_test_ip46_bridged_to_routed_and_back(True, True,
599 self.WITHOUT_EH)
600
601 def test_0103_ip6_irb_1(self):
602 """ ACL IPv4 routed -> bridged, L2 ACL permit+reflect"""
603 self.run_test_ip46_routed_to_bridged_and_back(True, False,
604 self.WITHOUT_EH)
605
606 def test_0104_ip6_irb_1(self):
607 """ ACL IPv4 bridged -> routed, L2 ACL permit+reflect"""
608 self.run_test_ip46_bridged_to_routed_and_back(True, False,
609 self.WITHOUT_EH)
610
611 def test_0111_ip6_irb_1(self):
612 """ ACL IPv6 routed -> bridged, L3 ACL permit+reflect"""
613 self.run_test_ip46_routed_to_bridged_and_back(False, True,
614 self.WITHOUT_EH)
615
616 def test_0112_ip6_irb_1(self):
617 """ ACL IPv6 bridged -> routed, L3 ACL permit+reflect"""
618 self.run_test_ip46_bridged_to_routed_and_back(False, True,
619 self.WITHOUT_EH)
620
621 def test_0113_ip6_irb_1(self):
622 """ ACL IPv4 routed -> bridged, L3 ACL permit+reflect"""
623 self.run_test_ip46_routed_to_bridged_and_back(False, False,
624 self.WITHOUT_EH)
625
626 def test_0114_ip6_irb_1(self):
627 """ ACL IPv4 bridged -> routed, L3 ACL permit+reflect"""
628 self.run_test_ip46_bridged_to_routed_and_back(False, False,
629 self.WITHOUT_EH)
630
631 # A block of tests with extension headers
632
633 def test_1001_ip6_irb_1(self):
634 """ ACL IPv6+EH routed -> bridged, L2 ACL deny"""
635 self.run_test_ip46_routed_to_bridged(True, True, False,
636 self.WITH_EH)
637
638 def test_1002_ip6_irb_1(self):
639 """ ACL IPv6+EH routed -> bridged, L3 ACL deny"""
640 self.run_test_ip46_routed_to_bridged(False, True, False,
641 self.WITH_EH)
642
643 def test_1005_ip6_irb_1(self):
644 """ ACL IPv6+EH bridged -> routed, L2 ACL deny """
645 self.run_test_ip46_bridged_to_routed(True, True, False,
646 self.WITH_EH)
647
648 def test_1006_ip6_irb_1(self):
649 """ ACL IPv6+EH bridged -> routed, L3 ACL deny """
650 self.run_test_ip46_bridged_to_routed(False, True, False,
651 self.WITH_EH)
652
653 def test_1101_ip6_irb_1(self):
654 """ ACL IPv6+EH routed -> bridged, L2 ACL permit+reflect"""
655 self.run_test_ip46_routed_to_bridged_and_back(True, True,
656 self.WITH_EH)
657
658 def test_1102_ip6_irb_1(self):
659 """ ACL IPv6+EH bridged -> routed, L2 ACL permit+reflect"""
660 self.run_test_ip46_bridged_to_routed_and_back(True, True,
661 self.WITH_EH)
662
663 def test_1111_ip6_irb_1(self):
664 """ ACL IPv6+EH routed -> bridged, L3 ACL permit+reflect"""
665 self.run_test_ip46_routed_to_bridged_and_back(False, True,
666 self.WITH_EH)
667
668 def test_1112_ip6_irb_1(self):
669 """ ACL IPv6+EH bridged -> routed, L3 ACL permit+reflect"""
670 self.run_test_ip46_bridged_to_routed_and_back(False, True,
671 self.WITH_EH)
672
673 # Old datapath group
674 def test_8900_ip6_irb_1(self):
675 """ ACL plugin set old L2 datapath"""
676 if not self.vpp_dead:
677 cmd = "set acl-plugin l2-datapath old"
678 self.logger.info(self.vapi.ppcli(cmd))
679
680 def test_8901_ip6_irb_1(self):
681 """ ACL IPv6 routed -> bridged, L2 ACL deny"""
682 self.run_test_ip46_routed_to_bridged(True, True, False,
683 self.WITHOUT_EH)
684
685 def test_8902_ip6_irb_1(self):
686 """ ACL IPv6 routed -> bridged, L3 ACL deny"""
687 self.run_test_ip46_routed_to_bridged(False, True, False,
688 self.WITHOUT_EH)
689
690 def test_8903_ip4_irb_1(self):
691 """ ACL IPv4 routed -> bridged, L2 ACL deny"""
692 self.run_test_ip46_routed_to_bridged(True, False, False,
693 self.WITHOUT_EH)
694
695 def test_8904_ip4_irb_1(self):
696 """ ACL IPv4 routed -> bridged, L3 ACL deny"""
697 self.run_test_ip46_routed_to_bridged(False, False, False,
698 self.WITHOUT_EH)
699
700 def test_8905_ip6_irb_1(self):
701 """ ACL IPv6 bridged -> routed, L2 ACL deny """
702 self.run_test_ip46_bridged_to_routed(True, True, False,
703 self.WITHOUT_EH)
704
705 def test_8906_ip6_irb_1(self):
706 """ ACL IPv6 bridged -> routed, L3 ACL deny """
707 self.run_test_ip46_bridged_to_routed(False, True, False,
708 self.WITHOUT_EH)
709
710 def test_8907_ip6_irb_1(self):
711 """ ACL IPv4 bridged -> routed, L2 ACL deny """
712 self.run_test_ip46_bridged_to_routed(True, False, False,
713 self.WITHOUT_EH)
714
715 def test_8908_ip6_irb_1(self):
716 """ ACL IPv4 bridged -> routed, L3 ACL deny """
717 self.run_test_ip46_bridged_to_routed(False, False, False,
718 self.WITHOUT_EH)
719
720
721if __name__ == '__main__':
722 unittest.main(testRunner=VppTestRunner)