Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 712dde9cec41beef3b4252a8cf14f98b674a8d79 / . / test / test_abf.py
blob: 1de36c922217ecc50d544ec25118b51f43923e16 [file] [log] [blame]
Andrew Yourtchenko669d07d2017-11-17 14:38:18 +0100[diff] [blame]1#!/usr/bin/env python
2
Paul Vinciguerraa279d9c2019-02-28 09:00:09 -0800[diff] [blame]3from socket import inet_pton, inet_ntop, AF_INET, AF_INET6
4import unittest
5
Andrew Yourtchenko669d07d2017-11-17 14:38:18 +0100[diff] [blame]6from framework import VppTestCase, VppTestRunner
Neale Rannsc0a93142018-09-05 15:42:26 -0700[diff] [blame]7from vpp_ip import DpoProto
Neale Rannsf726f532019-03-11 05:34:50 -0700[diff] [blame]8from vpp_ip_route import VppIpRoute, VppRoutePath, VppMplsLabel, VppIpTable
Andrew Yourtchenko669d07d2017-11-17 14:38:18 +0100[diff] [blame]9
10from scapy.packet import Raw
Paul Vinciguerraa279d9c2019-02-28 09:00:09 -0800[diff] [blame]11from scapy.layers.l2 import Ether
Andrew Yourtchenko669d07d2017-11-17 14:38:18 +0100[diff] [blame]12from scapy.layers.inet import IP, UDP
13from scapy.layers.inet6 import IPv6
Andrew Yourtchenko669d07d2017-11-17 14:38:18 +0100[diff] [blame]14
Paul Vinciguerraa279d9c2019-02-28 09:00:09 -0800[diff] [blame]15from vpp_object import VppObject
Andrew Yourtchenko669d07d2017-11-17 14:38:18 +0100[diff] [blame]16
17
18def find_abf_policy(test, id):
19 policies = test.vapi.abf_policy_dump()
20 for p in policies:
21 if id == p.policy.policy_id:
22 return True
23 return False
24
25
26def find_abf_itf_attach(test, id, sw_if_index):
27 attachs = test.vapi.abf_itf_attach_dump()
28 for a in attachs:
29 if id == a.attach.policy_id and \
30 sw_if_index == a.attach.sw_if_index:
31 return True
32 return False
33
34
35class VppAbfPolicy(VppObject):
36
37 def __init__(self,
38 test,
39 policy_id,
40 acl,
41 paths):
42 self._test = test
43 self.policy_id = policy_id
44 self.acl = acl
45 self.paths = paths
46
47 def encode_paths(self):
48 br_paths = []
49 for p in self.paths:
50 lstack = []
51 for l in p.nh_labels:
52 if type(l) == VppMplsLabel:
53 lstack.append(l.encode())
54 else:
55 lstack.append({'label': l, 'ttl': 255})
56 n_labels = len(lstack)
57 while (len(lstack) < 16):
58 lstack.append({})
59 br_paths.append({'next_hop': p.nh_addr,
60 'weight': 1,
61 'afi': p.proto,
62 'sw_if_index': 0xffffffff,
63 'preference': 0,
64 'table_id': p.nh_table_id,
65 'next_hop_id': p.next_hop_id,
66 'is_udp_encap': p.is_udp_encap,
67 'n_labels': n_labels,
68 'label_stack': lstack})
69 return br_paths
70
71 def add_vpp_config(self):
72 self._test.vapi.abf_policy_add_del(
73 1,
74 {'policy_id': self.policy_id,
75 'acl_index': self.acl.acl_index,
76 'n_paths': len(self.paths),
77 'paths': self.encode_paths()})
78 self._test.registry.register(self, self._test.logger)
79
80 def remove_vpp_config(self):
81 self._test.vapi.abf_policy_add_del(
82 0,
83 {'policy_id': self.policy_id,
84 'acl_index': self.acl.acl_index,
85 'n_paths': len(self.paths),
86 'paths': self.encode_paths()})
87
88 def query_vpp_config(self):
89 return find_abf_policy(self._test, self.policy_id)
90
Andrew Yourtchenko669d07d2017-11-17 14:38:18 +0100[diff] [blame]91 def object_id(self):
92 return ("abf-policy-%d" % self.policy_id)
93
94
95class VppAbfAttach(VppObject):
96
97 def __init__(self,
98 test,
99 policy_id,
100 sw_if_index,
101 priority,
102 is_ipv6=0):
103 self._test = test
104 self.policy_id = policy_id
105 self.sw_if_index = sw_if_index
106 self.priority = priority
107 self.is_ipv6 = is_ipv6
108
109 def add_vpp_config(self):
110 self._test.vapi.abf_itf_attach_add_del(
111 1,
112 {'policy_id': self.policy_id,
113 'sw_if_index': self.sw_if_index,
114 'priority': self.priority,
115 'is_ipv6': self.is_ipv6})
116 self._test.registry.register(self, self._test.logger)
117
118 def remove_vpp_config(self):
119 self._test.vapi.abf_itf_attach_add_del(
120 0,
121 {'policy_id': self.policy_id,
122 'sw_if_index': self.sw_if_index,
123 'priority': self.priority,
124 'is_ipv6': self.is_ipv6})
125
126 def query_vpp_config(self):
127 return find_abf_itf_attach(self._test,
128 self.policy_id,
129 self.sw_if_index)
130
Andrew Yourtchenko669d07d2017-11-17 14:38:18 +0100[diff] [blame]131 def object_id(self):
132 return ("abf-attach-%d-%d" % (self.policy_id, self.sw_if_index))
133
134
135class TestAbf(VppTestCase):
136 """ ABF Test Case """
137
Paul Vinciguerra7f9b7f92019-03-12 19:23:27 -0700[diff] [blame]138 @classmethod
139 def setUpClass(cls):
140 super(TestAbf, cls).setUpClass()
141
142 @classmethod
143 def tearDownClass(cls):
144 super(TestAbf, cls).tearDownClass()
145
Andrew Yourtchenko669d07d2017-11-17 14:38:18 +0100[diff] [blame]146 def setUp(self):
147 super(TestAbf, self).setUp()
148
Neale Rannsf726f532019-03-11 05:34:50 -0700[diff] [blame]149 self.create_pg_interfaces(range(5))
Andrew Yourtchenko669d07d2017-11-17 14:38:18 +0100[diff] [blame]150
Neale Rannsf726f532019-03-11 05:34:50 -0700[diff] [blame]151 for i in self.pg_interfaces[:4]:
Andrew Yourtchenko669d07d2017-11-17 14:38:18 +0100[diff] [blame]152 i.admin_up()
153 i.config_ip4()
154 i.resolve_arp()
155 i.config_ip6()
156 i.resolve_ndp()
157
158 def tearDown(self):
159 for i in self.pg_interfaces:
160 i.unconfig_ip4()
161 i.unconfig_ip6()
162 i.ip6_disable()
163 i.admin_down()
164 super(TestAbf, self).tearDown()
165
166 def test_abf4(self):
167 """ IPv4 ACL Based Forwarding
168 """
169
170 #
171 # We are not testing the various matching capabilities
172 # of ACLs, that's done elsewhere. Here ware are testing
173 # the application of ACLs to a forwarding path to achieve
174 # ABF
175 # So we construct just a few ACLs to ensure the ABF policies
Paul Vinciguerra8feeaff2019-03-27 11:25:48 -0700[diff] [blame]176 # are correctly constructed and used. And a few path types
Andrew Yourtchenko669d07d2017-11-17 14:38:18 +0100[diff] [blame]177 # to test the API path decoding.
178 #
179
180 #
181 # Rule 1
182 #
183 rule_1 = ({'is_permit': 1,
184 'is_ipv6': 0,
185 'proto': 17,
186 'srcport_or_icmptype_first': 1234,
187 'srcport_or_icmptype_last': 1234,
188 'src_ip_prefix_len': 32,
189 'src_ip_addr': inet_pton(AF_INET, "1.1.1.1"),
190 'dstport_or_icmpcode_first': 1234,
191 'dstport_or_icmpcode_last': 1234,
192 'dst_ip_prefix_len': 32,
193 'dst_ip_addr': inet_pton(AF_INET, "1.1.1.2")})
194 acl_1 = self.vapi.acl_add_replace(acl_index=4294967295, r=[rule_1])
195
196 #
197 # ABF policy for ACL 1 - path via interface 1
198 #
199 abf_1 = VppAbfPolicy(self, 10, acl_1,
200 [VppRoutePath(self.pg1.remote_ip4,
201 self.pg1.sw_if_index)])
202 abf_1.add_vpp_config()
203
204 #
205 # Attach the policy to input interface Pg0
206 #
207 attach_1 = VppAbfAttach(self, 10, self.pg0.sw_if_index, 50)
208 attach_1.add_vpp_config()
209
210 #
211 # fire in packet matching the ACL src,dst. If it's forwarded
212 # then the ABF was successful, since default routing will drop it
213 #
214 p_1 = (Ether(src=self.pg0.remote_mac,
215 dst=self.pg0.local_mac) /
216 IP(src="1.1.1.1", dst="1.1.1.2") /
217 UDP(sport=1234, dport=1234) /
218 Raw('\xa5' * 100))
219 self.send_and_expect(self.pg0, p_1*65, self.pg1)
220
221 #
222 # Attach a 'better' priority policy to the same interface
223 #
224 abf_2 = VppAbfPolicy(self, 11, acl_1,
225 [VppRoutePath(self.pg2.remote_ip4,
226 self.pg2.sw_if_index)])
227 abf_2.add_vpp_config()
228 attach_2 = VppAbfAttach(self, 11, self.pg0.sw_if_index, 40)
229 attach_2.add_vpp_config()
230
231 self.send_and_expect(self.pg0, p_1*65, self.pg2)
232
233 #
234 # Attach a policy with priority in the middle
235 #
236 abf_3 = VppAbfPolicy(self, 12, acl_1,
237 [VppRoutePath(self.pg3.remote_ip4,
238 self.pg3.sw_if_index)])
239 abf_3.add_vpp_config()
240 attach_3 = VppAbfAttach(self, 12, self.pg0.sw_if_index, 45)
241 attach_3.add_vpp_config()
242
243 self.send_and_expect(self.pg0, p_1*65, self.pg2)
244
245 #
246 # remove the best priority
247 #
248 attach_2.remove_vpp_config()
249 self.send_and_expect(self.pg0, p_1*65, self.pg3)
250
251 #
252 # Attach one of the same policies to Pg1
253 #
254 attach_4 = VppAbfAttach(self, 12, self.pg1.sw_if_index, 45)
255 attach_4.add_vpp_config()
256
257 p_2 = (Ether(src=self.pg1.remote_mac,
258 dst=self.pg1.local_mac) /
259 IP(src="1.1.1.1", dst="1.1.1.2") /
260 UDP(sport=1234, dport=1234) /
261 Raw('\xa5' * 100))
262 self.send_and_expect(self.pg1, p_2 * 65, self.pg3)
263
264 #
265 # detach the policy from PG1, now expect traffic to be dropped
266 #
267 attach_4.remove_vpp_config()
268
269 self.send_and_assert_no_replies(self.pg1, p_2 * 65, "Detached")
270
Neale Rannsf726f532019-03-11 05:34:50 -0700[diff] [blame]271 #
272 # Swap to route via a next-hop in the non-default table
273 #
274 table_20 = VppIpTable(self, 20)
275 table_20.add_vpp_config()
276
277 self.pg4.set_table_ip4(table_20.table_id)
278 self.pg4.admin_up()
279 self.pg4.config_ip4()
280 self.pg4.resolve_arp()
281
282 abf_13 = VppAbfPolicy(self, 13, acl_1,
283 [VppRoutePath(self.pg4.remote_ip4,
284 0xffffffff,
285 nh_table_id=table_20.table_id)])
286 abf_13.add_vpp_config()
287 attach_5 = VppAbfAttach(self, 13, self.pg0.sw_if_index, 30)
288 attach_5.add_vpp_config()
289
290 self.send_and_expect(self.pg0, p_1*65, self.pg4)
291
292 self.pg4.unconfig_ip4()
293 self.pg4.set_table_ip4(0)
294
Andrew Yourtchenko669d07d2017-11-17 14:38:18 +0100[diff] [blame]295 def test_abf6(self):
296 """ IPv6 ACL Based Forwarding
297 """
298
299 #
300 # Simple test for matching IPv6 packets
301 #
302
303 #
304 # Rule 1
305 #
306 rule_1 = ({'is_permit': 1,
307 'is_ipv6': 1,
308 'proto': 17,
309 'srcport_or_icmptype_first': 1234,
310 'srcport_or_icmptype_last': 1234,
311 'src_ip_prefix_len': 128,
312 'src_ip_addr': inet_pton(AF_INET6, "2001::2"),
313 'dstport_or_icmpcode_first': 1234,
314 'dstport_or_icmpcode_last': 1234,
315 'dst_ip_prefix_len': 128,
316 'dst_ip_addr': inet_pton(AF_INET6, "2001::1")})
317 acl_1 = self.vapi.acl_add_replace(acl_index=4294967295,
318 r=[rule_1])
319
320 #
321 # ABF policy for ACL 1 - path via interface 1
322 #
323 abf_1 = VppAbfPolicy(self, 10, acl_1,
324 [VppRoutePath("3001::1",
325 0xffffffff,
326 proto=DpoProto.DPO_PROTO_IP6)])
327 abf_1.add_vpp_config()
328
329 attach_1 = VppAbfAttach(self, 10, self.pg0.sw_if_index,
330 45, is_ipv6=True)
331 attach_1.add_vpp_config()
332
333 #
334 # a packet matching the rule
335 #
336 p = (Ether(src=self.pg0.remote_mac,
337 dst=self.pg0.local_mac) /
338 IPv6(src="2001::2", dst="2001::1") /
339 UDP(sport=1234, dport=1234) /
340 Raw('\xa5' * 100))
341
342 #
343 # packets are dropped because there is no route to the policy's
344 # next hop
345 #
346 self.send_and_assert_no_replies(self.pg1, p * 65, "no route")
347
348 #
349 # add a route resolving the next-hop
350 #
351 route = VppIpRoute(self, "3001::1", 32,
352 [VppRoutePath(self.pg1.remote_ip6,
353 self.pg1.sw_if_index,
354 proto=DpoProto.DPO_PROTO_IP6)],
355 is_ip6=1)
356 route.add_vpp_config()
357
358 #
359 # now expect packets forwarded.
360 #
361 self.send_and_expect(self.pg0, p * 65, self.pg1)
362
363
364if __name__ == '__main__':
365 unittest.main(testRunner=VppTestRunner)