Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / 74447d4fc5f5ff1bbde8c0cab26b3aade0548da4 / . / test / test_acl_plugin_macip.py
blob: 611bc73e312e5506024e58db6193c329f0a1d75b [file] [log] [blame]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1#!/usr/bin/env python
2"""ACL plugin - MACIP tests
3"""
4import random
5import re
6import unittest
7
8from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
9from struct import *
10from scapy.packet import Raw
11from scapy.layers.l2 import Ether
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]12from scapy.layers.inet import IP, UDP
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]13from scapy.layers.inet6 import IPv6
14
15from framework import VppTestCase, VppTestRunner, running_extended_tests
16from vpp_lo_interface import VppLoInterface
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]17from vpp_papi_provider import L2_VTR_OP
18from vpp_sub_interface import VppSubInterface, VppDot1QSubint, VppDot1ADSubint
Neale Rannsb4743802018-09-05 09:13:57 -0700[diff] [blame]19from vpp_papi_provider import L2_PORT_TYPE
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]20
21
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]22class MethodHolder(VppTestCase):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]23 DEBUG = False
24
25 BRIDGED = True
26 ROUTED = False
27
28 IS_IP4 = False
29 IS_IP6 = True
30
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]31 DOT1AD = "dot1ad"
32 DOT1Q = "dot1q"
33 PERMIT_TAGS = True
34 DENY_TAGS = False
35
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]36 # rule types
37 DENY = 0
38 PERMIT = 1
39
40 # ACL types
41 EXACT_IP = 1
42 SUBNET_IP = 2
43 WILD_IP = 3
44
45 EXACT_MAC = 1
46 WILD_MAC = 2
47 OUI_MAC = 3
48
49 ACLS = []
50
51 @classmethod
52 def setUpClass(cls):
53 """
54 Perform standard class setup (defined by class method setUpClass in
55 class VppTestCase) before running the test case, set test case related
56 variables and configure VPP.
57 """
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]58 super(MethodHolder, cls).setUpClass()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]59
60 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]61 cls.bd_id = 111
62 cls.remote_hosts_count = 200
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]63
64 try:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]65 # create 4 pg interfaces, 1 loopback interface
66 cls.create_pg_interfaces(range(4))
Klement Sekerab9ef2732018-06-24 22:49:33 +0200[diff] [blame]67 cls.create_loopback_interfaces(1)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]68
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]69 # create 2 subinterfaces
70 cls.subifs = [
71 VppDot1QSubint(cls, cls.pg1, 10),
72 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
73 VppDot1QSubint(cls, cls.pg3, 30),
74 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
75
76 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
77 inner=10, push1q=1)
78 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
79 outer=300, inner=400, push1q=1)
80 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
81 inner=30, push1q=1)
82 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
83 outer=600, inner=700, push1q=1)
84
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]85 cls.interfaces = list(cls.pg_interfaces)
86 cls.interfaces.extend(cls.lo_interfaces)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]87 cls.interfaces.extend(cls.subifs)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]88
89 for i in cls.interfaces:
90 i.admin_up()
91
92 # Create BD with MAC learning enabled and put interfaces to this BD
93 cls.vapi.sw_interface_set_l2_bridge(
Neale Rannsb4743802018-09-05 09:13:57 -0700[diff] [blame]94 cls.loop0.sw_if_index, bd_id=cls.bd_id,
95 port_type=L2_PORT_TYPE.BVI)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]96 cls.vapi.sw_interface_set_l2_bridge(
97 cls.pg0.sw_if_index, bd_id=cls.bd_id)
98 cls.vapi.sw_interface_set_l2_bridge(
99 cls.pg1.sw_if_index, bd_id=cls.bd_id)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]100 cls.vapi.sw_interface_set_l2_bridge(
101 cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
102 cls.vapi.sw_interface_set_l2_bridge(
103 cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]104
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]105 # Configure IPv4/6 addresses on loop interface and routed interface
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]106 cls.loop0.config_ip4()
107 cls.loop0.config_ip6()
108 cls.pg2.config_ip4()
109 cls.pg2.config_ip6()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]110 cls.pg3.config_ip4()
111 cls.pg3.config_ip6()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]112
113 # Configure MAC address binding to IPv4 neighbors on loop0
114 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
115 # Modify host mac addresses to have different OUI parts
116 for i in range(2, cls.remote_hosts_count + 2):
117 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
118 mac[2] = format(int(mac[2], 16) + i, "02x")
119 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
120
121 cls.loop0.configure_ipv4_neighbors()
122 cls.loop0.configure_ipv6_neighbors()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]123
124 # configure MAC address on pg3
125 cls.pg3.resolve_arp()
126 cls.pg3.resolve_ndp()
127
128 # configure MAC address on subifs
129 for i in cls.subifs:
130 i.config_ip4()
131 i.resolve_arp()
132 i.config_ip6()
133
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]134 # configure MAC address on pg2
135 cls.pg2.resolve_arp()
136 cls.pg2.resolve_ndp()
137
138 # Loopback BVI interface has remote hosts
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]139 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
140 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
141 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
142 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
143 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
144 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]145
146 except Exception:
147 super(TestMACIP, cls).tearDownClass()
148 raise
149
150 def setUp(self):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]151 super(MethodHolder, self).setUp()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]152 self.reset_packet_infos()
153 del self.ACLS[:]
154
155 def tearDown(self):
156 """
157 Show various debug prints after each test.
158 """
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]159 super(MethodHolder, self).tearDown()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]160 if not self.vpp_dead:
161 self.logger.info(self.vapi.ppcli("show interface address"))
162 self.logger.info(self.vapi.ppcli("show hardware"))
163 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
164 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
165 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]166 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
167 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
168 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]169 # print self.vapi.ppcli("show interface address")
170 # print self.vapi.ppcli("show hardware")
171 # print self.vapi.ppcli("sh acl-plugin macip interface")
172 # print self.vapi.ppcli("sh acl-plugin macip acl")
173 self.delete_acls()
174
175 def macip_acl_dump_debug(self):
176 acls = self.vapi.macip_acl_dump()
177 if self.DEBUG:
178 for acl in acls:
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]179 print "ACL #"+str(acl.acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]180 for r in acl.r:
181 rule = "ACTION"
182 if r.is_permit == 1:
183 rule = "PERMIT"
184 elif r.is_permit == 0:
185 rule = "DENY "
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]186 print " IP6" if r.is_ipv6 else " IP4", \
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]187 rule, \
188 r.src_mac.encode('hex'), \
189 r.src_mac_mask.encode('hex'),\
190 unpack('<16B', r.src_ip_addr), \
191 r.src_ip_prefix_len
192 return acls
193
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]194 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
195 acl_count=1, rules_count=[1]):
196 acls = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]197 src_mac = int("220000dead00", 16)
198 for acl in range(2, (acl_count+1) * 2):
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]199 rules = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]200 host = random.choice(self.loop0.remote_hosts)
201 is_ip6 = acl % 2
202 ip4 = host.ip4.split('.')
203 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
204
205 if ip_type == self.EXACT_IP:
206 prefix_len4 = 32
207 prefix_len6 = 128
208 elif ip_type == self.WILD_IP:
209 ip4 = [0, 0, 0, 0]
210 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
211 prefix_len4 = 0
212 prefix_len6 = 0
213 rules_count[(acl / 2) - 1] = 1
214 else:
215 prefix_len4 = 24
216 prefix_len6 = 64
217
218 if mac_type == self.EXACT_MAC:
219 mask = "ff:ff:ff:ff:ff:ff"
220 elif mac_type == self.WILD_MAC:
221 mask = "00:00:00:00:00:00"
222 elif mac_type == self.OUI_MAC:
223 mask = "ff:ff:ff:00:00:00"
224 else:
225 mask = "ff:ff:ff:ff:ff:00"
226
227 ip = ip6 if is_ip6 else ip4
228 ip_len = prefix_len6 if is_ip6 else prefix_len4
229
230 for i in range(0, rules_count[(acl / 2) - 1]):
231 src_mac += 16777217
232 if mac_type == self.WILD_MAC:
233 mac = "00:00:00:00:00:00"
234 elif mac_type == self.OUI_MAC:
235 mac = ':'.join(re.findall('..', '{:02x}'.format(
236 src_mac))[:3])+":00:00:00"
237 else:
238 mac = ':'.join(re.findall('..', '{:02x}'.format(src_mac)))
239
240 if ip_type == self.EXACT_IP:
241 ip4[3] = random.randint(100, 200)
242 ip6[15] = random.randint(100, 200)
243 elif ip_type == self.SUBNET_IP:
244 ip4[2] = random.randint(100, 200)
245 ip4[3] = 0
246 ip6[8] = random.randint(100, 200)
247 ip6[15] = 0
248 ip_pack = ''
249 for j in range(0, len(ip)):
250 ip_pack += pack('<B', int(ip[j]))
251
252 rule = ({'is_permit': self.PERMIT,
253 'is_ipv6': is_ip6,
254 'src_ip_addr': ip_pack,
255 'src_ip_prefix_len': ip_len,
256 'src_mac': mac.replace(':', '').decode('hex'),
257 'src_mac_mask': mask.replace(':', '').decode('hex')})
258 rules.append(rule)
259 if ip_type == self.WILD_IP:
260 break
261
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]262 acls.append(rules)
263 src_mac += 1099511627776
264 return acls
265
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]266 def apply_macip_rules(self, acls):
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]267 for acl in acls:
268 reply = self.vapi.macip_acl_add(acl)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]269 self.assertEqual(reply.retval, 0)
270 self.ACLS.append(reply.acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]271
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]272 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]273 reply = self.macip_acl_dump_debug()
274 for acl in range(2, (acl_count+1) * 2):
275 self.assertEqual(reply[acl - 2].count, rules_count[acl/2-1])
276
277 self.vapi.macip_acl_interface_get()
278
279 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
280 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
281
282 reply = self.vapi.macip_acl_interface_get()
283 self.assertEqual(reply.count, expected_count)
284
285 def delete_acls(self):
286 for acl in range(len(self.ACLS)-1, -1, -1):
287 self.vapi.macip_acl_del(self.ACLS[acl])
288
289 reply = self.vapi.macip_acl_dump()
290 self.assertEqual(len(reply), 0)
291
Andrew Yourtchenkobeca2662018-03-23 12:20:56 +0100[diff] [blame]292 intf_acls = self.vapi.acl_interface_list_dump()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]293 for i_a in intf_acls:
Andrew Yourtchenkobeca2662018-03-23 12:20:56 +0100[diff] [blame]294 sw_if_index = i_a.sw_if_index
295 for acl_index in i_a.acls:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]296 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
297 self.vapi.acl_del(acl_index)
298
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]299 def create_stream(self, mac_type, ip_type, packet_count,
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]300 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]301 # exact MAC and exact IP
302 # exact MAC and subnet of IPs
303 # exact MAC and wildcard IP
304 # wildcard MAC and exact IP
305 # wildcard MAC and subnet of IPs
306 # wildcard MAC and wildcard IP
307 # OUI restricted MAC and exact IP
308 # OUI restricted MAC and subnet of IPs
309 # OUI restricted MAC and wildcard IP
310
311 packets = []
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]312 macip_rules = []
313 acl_rules = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]314 ip_permit = ""
315 mac_permit = ""
316 dst_mac = ""
317 mac_rule = "00:00:00:00:00:00"
318 mac_mask = "00:00:00:00:00:00"
319 for p in range(0, packet_count):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]320 remote_dst_index = p % len(dst_if.remote_hosts)
321 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]322
323 dst_port = 1234 + p
324 src_port = 4321 + p
325 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
326 denyMAC = True if not is_permit and p % 3 == 1 else False
327 denyIP = True if not is_permit and p % 3 == 2 else False
328 if not is_permit and ip_type == self.WILD_IP:
329 denyMAC = True
330 if not is_permit and mac_type == self.WILD_MAC:
331 denyIP = True
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]332
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]333 if traffic == self.BRIDGED:
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]334 if is_permit:
335 src_mac = remote_dst_host._mac
336 dst_mac = 'de:ad:00:00:00:00'
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]337 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]338 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]339 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]340 dst_ip6 = src_if.remote_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]341 ip_permit = src_ip6 if is_ip6 else src_ip4
342 mac_permit = src_mac
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]343 if denyMAC:
344 mac = src_mac.split(':')
345 mac[0] = format(int(mac[0], 16)+1, "02x")
346 src_mac = ":".join(mac)
347 if is_ip6:
348 src_ip6 = ip_permit
349 else:
350 src_ip4 = ip_permit
351 if denyIP:
352 if ip_type != self.WILD_IP:
353 src_mac = mac_permit
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]354 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]355 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]356 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]357 dst_ip6 = src_if.remote_ip6
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]358 else:
359 if is_permit:
360 src_mac = remote_dst_host._mac
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]361 dst_mac = src_if.local_mac
362 src_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]363 dst_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]364 src_ip6 = src_if.remote_ip6
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]365 dst_ip6 = remote_dst_host.ip6
366 ip_permit = src_ip6 if is_ip6 else src_ip4
367 mac_permit = src_mac
368 if denyMAC:
369 mac = src_mac.split(':')
370 mac[0] = format(int(mac[0], 16) + 1, "02x")
371 src_mac = ":".join(mac)
372 if is_ip6:
373 src_ip6 = ip_permit
374 else:
375 src_ip4 = ip_permit
376 if denyIP:
377 src_mac = remote_dst_host._mac
378 if ip_type != self.WILD_IP:
379 src_mac = mac_permit
380 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]381 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]382 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]383 dst_ip6 = src_if.remote_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]384
385 if is_permit:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]386 info = self.create_packet_info(src_if, dst_if)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]387 payload = self.info_to_payload(info)
388 else:
389 payload = "to be blocked"
390
391 if mac_type == self.WILD_MAC:
392 mac = src_mac.split(':')
393 for i in range(1, 5):
394 mac[i] = format(random.randint(0, 255), "02x")
395 src_mac = ":".join(mac)
396
397 # create packet
398 packet = Ether(src=src_mac, dst=dst_mac)
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]399 ip_rule = src_ip6 if is_ip6 else src_ip4
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]400 if is_ip6:
401 if ip_type != self.EXACT_IP:
402 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
403 if ip_type == self.WILD_IP:
404 sub_ip[0] = random.randint(240, 254)
405 sub_ip[1] = random.randint(230, 239)
406 sub_ip[14] = random.randint(100, 199)
407 sub_ip[15] = random.randint(200, 255)
408 elif ip_type == self.SUBNET_IP:
409 if denyIP:
410 sub_ip[2] = str(int(sub_ip[2]) + 1)
411 sub_ip[14] = random.randint(100, 199)
412 sub_ip[15] = random.randint(200, 255)
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]413 src_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]414 packet /= IPv6(src=src_ip6, dst=dst_ip6)
415 else:
416 if ip_type != self.EXACT_IP:
417 sub_ip = ip_rule.split('.')
418 if ip_type == self.WILD_IP:
419 sub_ip[0] = str(random.randint(1, 49))
420 sub_ip[1] = str(random.randint(50, 99))
421 sub_ip[2] = str(random.randint(100, 199))
422 sub_ip[3] = str(random.randint(200, 255))
423 elif ip_type == self.SUBNET_IP:
424 if denyIP:
425 sub_ip[1] = str(int(sub_ip[1])+1)
426 sub_ip[2] = str(random.randint(100, 199))
427 sub_ip[3] = str(random.randint(200, 255))
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]428 src_ip4 = ".".join(sub_ip)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]429 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
430
431 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
432
433 packet[Raw].load += " mac:"+src_mac
434
435 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]436 if isinstance(src_if, VppSubInterface):
437 size = size + 4
438 if isinstance(src_if, VppDot1QSubint):
439 if src_if is self.subifs[0]:
440 if tags == self.PERMIT_TAGS:
441 packet = src_if.add_dot1q_layer(packet, 10)
442 else:
443 packet = src_if.add_dot1q_layer(packet, 11)
444 else:
445 if tags == self.PERMIT_TAGS:
446 packet = src_if.add_dot1q_layer(packet, 30)
447 else:
448 packet = src_if.add_dot1q_layer(packet, 33)
449 elif isinstance(src_if, VppDot1ADSubint):
450 if src_if is self.subifs[1]:
451 if tags == self.PERMIT_TAGS:
452 packet = src_if.add_dot1ad_layer(packet, 300, 400)
453 else:
454 packet = src_if.add_dot1ad_layer(packet, 333, 444)
455 else:
456 if tags == self.PERMIT_TAGS:
457 packet = src_if.add_dot1ad_layer(packet, 600, 700)
458 else:
459 packet = src_if.add_dot1ad_layer(packet, 666, 777)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]460 self.extend_packet(packet, size)
461 packets.append(packet)
462
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]463 # create suitable MACIP rule
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]464 if mac_type == self.EXACT_MAC:
465 mac_rule = src_mac
466 mac_mask = "ff:ff:ff:ff:ff:ff"
467 elif mac_type == self.WILD_MAC:
468 mac_rule = "00:00:00:00:00:00"
469 mac_mask = "00:00:00:00:00:00"
470 elif mac_type == self.OUI_MAC:
471 mac = src_mac.split(':')
472 mac[3] = mac[4] = mac[5] = '00'
473 mac_rule = ":".join(mac)
474 mac_mask = "ff:ff:ff:00:00:00"
475
476 if is_ip6:
477 if ip_type == self.WILD_IP:
478 ip = "0::0"
479 else:
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]480 ip = src_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]481 if ip_type == self.SUBNET_IP:
482 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
483 for i in range(8, 16):
484 sub_ip[i] = 0
485 ip = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
486 else:
487 if ip_type == self.WILD_IP:
488 ip = "0.0.0.0"
489 else:
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]490 ip = src_ip4
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]491 if ip_type == self.SUBNET_IP:
492 sub_ip = ip.split('.')
493 sub_ip[2] = sub_ip[3] = '0'
494 ip = ".".join(sub_ip)
495
496 prefix_len = 128 if is_ip6 else 32
497 if ip_type == self.WILD_IP:
498 prefix_len = 0
499 elif ip_type == self.SUBNET_IP:
500 prefix_len = 64 if is_ip6 else 16
501 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
502
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]503 # create suitable ACL rule
504 if is_permit:
505 rule_l4_sport = packet[UDP].sport
506 rule_l4_dport = packet[UDP].dport
507 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
508 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
509 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
510 if packet.haslayer(IPv6):
511 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
512 else:
513 rule_l4_proto = packet[IP].proto
514
515 acl_rule = {
516 'is_permit': is_permit,
517 'is_ipv6': is_ip6,
518 'src_ip_addr': inet_pton(rule_family,
519 packet[rule_l3_layer].src),
520 'src_ip_prefix_len': rule_prefix_len,
521 'dst_ip_addr': inet_pton(rule_family,
522 packet[rule_l3_layer].dst),
523 'dst_ip_prefix_len': rule_prefix_len,
524 'srcport_or_icmptype_first': rule_l4_sport,
525 'srcport_or_icmptype_last': rule_l4_sport,
526 'dstport_or_icmpcode_first': rule_l4_dport,
527 'dstport_or_icmpcode_last': rule_l4_dport,
528 'proto': rule_l4_proto}
529 acl_rules.append(acl_rule)
530
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]531 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
532 continue
533
534 if is_permit:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]535 macip_rule = ({
536 'is_permit': is_permit,
537 'is_ipv6': is_ip6,
538 'src_ip_addr': ip_rule,
539 'src_ip_prefix_len': prefix_len,
540 'src_mac': mac_rule.replace(':', '').decode('hex'),
541 'src_mac_mask': mac_mask.replace(':', '').decode('hex')})
542 macip_rules.append(macip_rule)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]543
544 # deny all other packets
545 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]546 macip_rule = ({'is_permit': 0,
547 'is_ipv6': is_ip6,
548 'src_ip_addr': "",
549 'src_ip_prefix_len': 0,
550 'src_mac': "",
551 'src_mac_mask': ""})
552 macip_rules.append(macip_rule)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]553
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]554 acl_rule = {'is_permit': 0,
555 'is_ipv6': is_ip6}
556 acl_rules.append(acl_rule)
557 return {'stream': packets,
558 'macip_rules': macip_rules,
559 'acl_rules': acl_rules}
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]560
561 def verify_capture(self, stream, capture, is_ip6):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]562 """
563 :param stream:
564 :param capture:
565 :param is_ip6:
566 :return:
567 """
568 # p_l3 = IPv6 if is_ip6 else IP
569 # if self.DEBUG:
570 # for p in stream:
571 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
572 #
573 # acls = self.macip_acl_dump_debug()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]574
575 # TODO : verify
576 # for acl in acls:
577 # for r in acl.r:
578 # print r.src_mac.encode('hex'), \
579 # r.src_mac_mask.encode('hex'),\
580 # unpack('<16B', r.src_ip_addr), \
581 # r.src_ip_prefix_len
582 #
583 # for p in capture:
584 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
585 # data = p[Raw].load.split(':',1)[1]
586 # print p[p_l3].src, data
587
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]588 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
589 do_not_expected_capture=False, tags=None,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]590 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
591 try_replace=False):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]592 self.reset_packet_infos()
593
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]594 if tags is None:
595 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
596 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
597 src_if = self.pg3
598 dst_if = self.loop0
599 else:
600 if tags == self.DOT1Q:
601 if traffic == self.BRIDGED:
602 tx_if = self.subifs[0]
603 rx_if = self.pg0
604 src_if = self.subifs[0]
605 dst_if = self.loop0
606 else:
607 tx_if = self.subifs[2]
608 rx_if = self.pg0
609 src_if = self.subifs[2]
610 dst_if = self.loop0
611 elif tags == self.DOT1AD:
612 if traffic == self.BRIDGED:
613 tx_if = self.subifs[1]
614 rx_if = self.pg0
615 src_if = self.subifs[1]
616 dst_if = self.loop0
617 else:
618 tx_if = self.subifs[3]
619 rx_if = self.pg0
620 src_if = self.subifs[3]
621 dst_if = self.loop0
622 else:
623 return
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]624
625 test_dict = self.create_stream(mac_type, ip_type, packets,
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]626 src_if, dst_if,
627 traffic, is_ip6,
628 tags=permit_tags)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]629
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]630 if apply_rules:
631 if isMACIP:
632 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
633 else:
634 reply = self.vapi.acl_add_replace(acl_index=4294967295,
635 r=test_dict['acl_rules'])
636 self.assertEqual(reply.retval, 0)
637 acl_index = reply.acl_index
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]638
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]639 if isMACIP:
640 self.vapi.macip_acl_interface_add_del(
641 sw_if_index=tx_if.sw_if_index,
642 acl_index=acl_index)
643 reply = self.vapi.macip_acl_interface_get()
644 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
645 self.ACLS.append(reply.acls[tx_if.sw_if_index])
646 else:
647 self.vapi.acl_interface_add_del(
648 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
649 else:
650 self.vapi.macip_acl_interface_add_del(
651 sw_if_index=tx_if.sw_if_index,
652 acl_index=0)
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]653 if try_replace:
654 if isMACIP:
655 reply = self.vapi.macip_acl_add_replace(
656 test_dict['macip_rules'],
657 acl_index)
658 else:
659 reply = self.vapi.acl_add_replace(acl_index=acl_index,
660 r=test_dict['acl_rules'])
661 self.assertEqual(reply.retval, 0)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]662
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]663 if not isinstance(src_if, VppSubInterface):
664 tx_if.add_stream(test_dict['stream'])
665 else:
666 tx_if.parent.add_stream(test_dict['stream'])
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]667 self.pg_enable_capture(self.pg_interfaces)
668 self.pg_start()
669
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]670 if do_not_expected_capture:
671 rx_if.get_capture(0)
672 else:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]673 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
674 ip_type == self.WILD_IP:
675 capture = rx_if.get_capture(packets)
676 else:
677 capture = rx_if.get_capture(
678 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]679 self.verify_capture(test_dict['stream'], capture, is_ip6)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]680 if not isMACIP:
681 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
682 acl_index=acl_index, is_add=0)
683 self.vapi.acl_del(acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]684
685 def run_test_acls(self, mac_type, ip_type, acl_count,
686 rules_count, traffic=None, ip=None):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]687 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
688 rules_count))
689 self.verify_macip_acls(acl_count, rules_count)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]690
691 if traffic is not None:
692 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
693
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]694
695class TestMACIP_IP4(MethodHolder):
696 """MACIP with IP4 traffic"""
697
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]698 def test_acl_bridged_ip4_exactMAC_exactIP(self):
699 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]700 """
701 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
702 self.BRIDGED, self.IS_IP4, 9)
703
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]704 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
705 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]706 """
707
708 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
709 self.BRIDGED, self.IS_IP4, 9)
710
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]711 def test_acl_bridged_ip4_exactMAC_wildIP(self):
712 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]713 """
714
715 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
716 self.BRIDGED, self.IS_IP4, 9)
717
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]718 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
719 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]720 """
721
722 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
723 self.BRIDGED, self.IS_IP4, 3)
724
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]725 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
726 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]727 """
728
729 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
730 self.BRIDGED, self.IS_IP4, 9)
731
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]732 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
733 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]734 """
735
736 self.run_traffic(self.OUI_MAC, self.WILD_IP,
737 self.BRIDGED, self.IS_IP4, 9)
738
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]739 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
740 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]741 """
742
743 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
744 self.BRIDGED, self.IS_IP4, 9)
745
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]746 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
747 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]748 """
749
750 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
751 self.BRIDGED, self.IS_IP4, 9)
752
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]753 def test_acl_bridged_ip4_wildMAC_wildIP(self):
754 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]755 """
756
757 self.run_traffic(self.WILD_MAC, self.WILD_IP,
758 self.BRIDGED, self.IS_IP4, 9)
759
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]760 def test_acl_routed_ip4_exactMAC_exactIP(self):
761 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
762 """
763 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
764 self.ROUTED, self.IS_IP4, 9)
765
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]766 def test_acl_routed_ip4_exactMAC_subnetIP(self):
767 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
768 """
769 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
770 self.ROUTED, self.IS_IP4, 9)
771
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]772 def test_acl_routed_ip4_exactMAC_wildIP(self):
773 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
774 """
775 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
776 self.ROUTED, self.IS_IP4, 9)
777
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]778 def test_acl_routed_ip4_ouiMAC_exactIP(self):
779 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
780 """
781
782 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
783 self.ROUTED, self.IS_IP4, 9)
784
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]785 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
786 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
787 """
788
789 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
790 self.ROUTED, self.IS_IP4, 9)
791
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]792 def test_acl_routed_ip4_ouiMAC_wildIP(self):
793 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
794 """
795
796 self.run_traffic(self.OUI_MAC, self.WILD_IP,
797 self.ROUTED, self.IS_IP4, 9)
798
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]799 def test_acl_routed_ip4_wildMAC_exactIP(self):
800 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
801 """
802
803 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
804 self.ROUTED, self.IS_IP4, 9)
805
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]806 def test_acl_routed_ip4_wildMAC_subnetIP(self):
807 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
808 """
809
810 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
811 self.ROUTED, self.IS_IP4, 9)
812
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]813 def test_acl_routed_ip4_wildMAC_wildIP(self):
814 """ IP4 MACIP wildcardMAC|wildIP ACL
815 """
816
817 self.run_traffic(self.WILD_MAC, self.WILD_IP,
818 self.ROUTED, self.IS_IP4, 9)
819
820 def test_acl_replace_traffic_ip4(self):
821 """ MACIP replace ACL with IP4 traffic
822 """
823 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]824 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]825 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]826 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]827
828
829class TestMACIP_IP6(MethodHolder):
830 """MACIP with IP6 traffic"""
831
832 def test_acl_bridged_ip6_exactMAC_exactIP(self):
833 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
834 """
835
836 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
837 self.BRIDGED, self.IS_IP6, 9)
838
839 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
840 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
841 """
842
843 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
844 self.BRIDGED, self.IS_IP6, 9)
845
846 def test_acl_bridged_ip6_exactMAC_wildIP(self):
847 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
848 """
849
850 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
851 self.BRIDGED, self.IS_IP6, 9)
852
853 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
854 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
855 """
856
857 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
858 self.BRIDGED, self.IS_IP6, 9)
859
860 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
861 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
862 """
863
864 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
865 self.BRIDGED, self.IS_IP6, 9)
866
867 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
868 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
869 """
870
871 self.run_traffic(self.OUI_MAC, self.WILD_IP,
872 self.BRIDGED, self.IS_IP6, 9)
873
874 def test_acl_bridged_ip6_wildMAC_exactIP(self):
875 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
876 """
877
878 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
879 self.BRIDGED, self.IS_IP6, 9)
880
881 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
882 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
883 """
884
885 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
886 self.BRIDGED, self.IS_IP6, 9)
887
888 def test_acl_bridged_ip6_wildMAC_wildIP(self):
889 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
890 """
891
892 self.run_traffic(self.WILD_MAC, self.WILD_IP,
893 self.BRIDGED, self.IS_IP6, 9)
894
895 def test_acl_routed_ip6_exactMAC_exactIP(self):
896 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
897 """
898
899 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
900 self.ROUTED, self.IS_IP6, 9)
901
902 def test_acl_routed_ip6_exactMAC_subnetIP(self):
903 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
904 """
905
906 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
907 self.ROUTED, self.IS_IP6, 9)
908
909 def test_acl_routed_ip6_exactMAC_wildIP(self):
910 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
911 """
912
913 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
914 self.ROUTED, self.IS_IP6, 9)
915
916 def test_acl_routed_ip6_ouiMAC_exactIP(self):
917 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
918 """
919
920 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
921 self.ROUTED, self.IS_IP6, 9)
922
923 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
924 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
925 """
926
927 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
928 self.ROUTED, self.IS_IP6, 9)
929
930 def test_acl_routed_ip6_ouiMAC_wildIP(self):
931 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
932 """
933
934 self.run_traffic(self.OUI_MAC, self.WILD_IP,
935 self.ROUTED, self.IS_IP6, 9)
936
937 def test_acl_routed_ip6_wildMAC_exactIP(self):
938 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
939 """
940
941 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
942 self.ROUTED, self.IS_IP6, 9)
943
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]944 def test_acl_routed_ip6_wildMAC_subnetIP(self):
945 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
946 """
947
948 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
949 self.ROUTED, self.IS_IP6, 9)
950
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]951 def test_acl_routed_ip6_wildMAC_wildIP(self):
952 """ IP6 MACIP wildcardMAC|wildIP ACL
953 """
954
955 self.run_traffic(self.WILD_MAC, self.WILD_IP,
956 self.ROUTED, self.IS_IP6, 9)
957
958 def test_acl_replace_traffic_ip6(self):
959 """ MACIP replace ACL with IP6 traffic
960 """
961 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]962 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]963 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]964 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]965
966
967class TestMACIP(MethodHolder):
968 """MACIP Tests"""
969
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]970 def test_acl_1_2(self):
971 """ MACIP ACL with 2 entries
972 """
973
974 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
975
976 def test_acl_1_5(self):
977 """ MACIP ACL with 5 entries
978 """
979
980 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
981
982 def test_acl_1_10(self):
983 """ MACIP ACL with 10 entries
984 """
985
986 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
987
988 def test_acl_1_20(self):
989 """ MACIP ACL with 20 entries
990 """
991
992 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
993
994 def test_acl_1_50(self):
995 """ MACIP ACL with 50 entries
996 """
997
998 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
999
1000 def test_acl_1_100(self):
1001 """ MACIP ACL with 100 entries
1002 """
1003
1004 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1005
1006 def test_acl_2_X(self):
1007 """ MACIP 2 ACLs each with 100+ entries
1008 """
1009
1010 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1011
1012 def test_acl_10_X(self):
1013 """ MACIP 10 ACLs each with 100+ entries
1014 """
1015
1016 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1017 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1018
1019 def test_acl_10_X_traffic_ip4(self):
1020 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1021 """
1022
1023 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1024 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1025 self.BRIDGED, self.IS_IP4)
1026
1027 def test_acl_10_X_traffic_ip6(self):
1028 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1029 """
1030
1031 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1032 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1033 self.BRIDGED, self.IS_IP6)
1034
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]1035 def test_acl_replace(self):
1036 """ MACIP replace ACL
1037 """
1038
1039 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1040 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1041 self.apply_macip_rules(r1)
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]1042
1043 acls_before = self.macip_acl_dump_debug()
1044
1045 # replace acls #2, #3 with new
1046 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1047 self.assertEqual(reply.retval, 0)
1048 self.assertEqual(reply.acl_index, 2)
1049 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1050 self.assertEqual(reply.retval, 0)
1051 self.assertEqual(reply.acl_index, 3)
1052
1053 acls_after = self.macip_acl_dump_debug()
1054
1055 # verify changes
1056 self.assertEqual(len(acls_before), len(acls_after))
1057 for acl1, acl2 in zip(
1058 acls_before[:2]+acls_before[4:],
1059 acls_after[:2]+acls_after[4:]):
1060 self.assertEqual(len(acl1), len(acl2))
1061
1062 self.assertEqual(len(acl1.r), len(acl2.r))
1063 for r1, r2 in zip(acl1.r, acl2.r):
1064 self.assertEqual(len(acl1.r), len(acl2.r))
1065 self.assertEqual(acl1.r, acl2.r)
1066 for acl1, acl2 in zip(
1067 acls_before[2:4],
1068 acls_after[2:4]):
1069 self.assertEqual(len(acl1), len(acl2))
1070
1071 self.assertNotEqual(len(acl1.r), len(acl2.r))
1072 for r1, r2 in zip(acl1.r, acl2.r):
1073 self.assertNotEqual(len(acl1.r), len(acl2.r))
1074 self.assertNotEqual(acl1.r, acl2.r)
1075
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1076 def test_delete_intf(self):
1077 """ MACIP ACL delete intf with acl
1078 """
1079
1080 intf_count = len(self.interfaces)+1
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1081 intf = []
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1082 self.apply_macip_rules(self.create_rules(acl_count=3,
1083 rules_count=[3, 5, 4]))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1084
Klement Sekerabeaded52018-06-24 10:30:37 +0200[diff] [blame]1085 intf.append(VppLoInterface(self))
1086 intf.append(VppLoInterface(self))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1087
1088 sw_if_index0 = intf[0].sw_if_index
1089 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1090
1091 reply = self.vapi.macip_acl_interface_get()
1092 self.assertEqual(reply.count, intf_count+1)
1093 self.assertEqual(reply.acls[sw_if_index0], 1)
1094
1095 sw_if_index1 = intf[1].sw_if_index
1096 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1097
1098 reply = self.vapi.macip_acl_interface_get()
1099 self.assertEqual(reply.count, intf_count+2)
1100 self.assertEqual(reply.acls[sw_if_index1], 0)
1101
1102 intf[0].remove_vpp_config()
1103 reply = self.vapi.macip_acl_interface_get()
1104 self.assertEqual(reply.count, intf_count+2)
1105 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1106 self.assertEqual(reply.acls[sw_if_index1], 0)
1107
Klement Sekerabeaded52018-06-24 10:30:37 +0200[diff] [blame]1108 intf.append(VppLoInterface(self))
1109 intf.append(VppLoInterface(self))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1110 sw_if_index2 = intf[2].sw_if_index
1111 sw_if_index3 = intf[3].sw_if_index
1112 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1113 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1114
1115 reply = self.vapi.macip_acl_interface_get()
1116 self.assertEqual(reply.count, intf_count+3)
1117 self.assertEqual(reply.acls[sw_if_index1], 0)
1118 self.assertEqual(reply.acls[sw_if_index2], 1)
1119 self.assertEqual(reply.acls[sw_if_index3], 1)
Andrew Yourtchenko563a8532018-03-23 15:23:15 +0100[diff] [blame]1120 self.logger.info("MACIP ACL on multiple interfaces:")
1121 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1122 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1123 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1124 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1125 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1126
1127 intf[2].remove_vpp_config()
1128 intf[1].remove_vpp_config()
1129
1130 reply = self.vapi.macip_acl_interface_get()
1131 self.assertEqual(reply.count, intf_count+3)
1132 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1133 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1134 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1135 self.assertEqual(reply.acls[sw_if_index3], 1)
1136
1137 intf[3].remove_vpp_config()
1138 reply = self.vapi.macip_acl_interface_get()
1139
1140 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1141
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]1142
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1143class TestACL_dot1q_bridged(MethodHolder):
1144 """ACL on dot1q bridged subinterfaces Tests"""
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]1145
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1146 def test_acl_bridged_ip4_subif_dot1q(self):
1147 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1148 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1149 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]1150
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1151 def test_acl_bridged_ip6_subif_dot1q(self):
1152 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1153 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1154 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1155
1156
1157class TestACL_dot1ad_bridged(MethodHolder):
1158 """ACL on dot1ad bridged subinterfaces Tests"""
1159
1160 def test_acl_bridged_ip4_subif_dot1ad(self):
1161 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1162 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1163 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1164
1165 def test_acl_bridged_ip6_subif_dot1ad(self):
1166 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1167 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1168 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1169
1170
1171class TestACL_dot1q_routed(MethodHolder):
1172 """ACL on dot1q routed subinterfaces Tests"""
1173
1174 def test_acl_routed_ip4_subif_dot1q(self):
1175 """ IP4 ACL SubIf Dot1Q routed traffic"""
1176 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1177 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1178
1179 def test_acl_routed_ip6_subif_dot1q(self):
1180 """ IP6 ACL SubIf Dot1Q routed traffic"""
1181 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1182 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1183
1184 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1185 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1186 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1187 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1188 permit_tags=self.DENY_TAGS)
1189
1190 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1191 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1192 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1193 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1194 permit_tags=self.DENY_TAGS)
1195
1196
1197class TestACL_dot1ad_routed(MethodHolder):
1198 """ACL on dot1ad routed subinterfaces Tests"""
1199
1200 def test_acl_routed_ip6_subif_dot1ad(self):
1201 """ IP6 ACL SubIf Dot1AD routed traffic"""
1202 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1203 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1204
1205 def test_acl_routed_ip4_subif_dot1ad(self):
1206 """ IP4 ACL SubIf Dot1AD routed traffic"""
1207 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1208 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1209
1210 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1211 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1212 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1213 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1214 permit_tags=self.DENY_TAGS)
1215
1216 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1217 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1218 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1219 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1220 permit_tags=self.DENY_TAGS)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1221
1222
1223if __name__ == '__main__':
1224 unittest.main(testRunner=VppTestRunner)