blob: 6f99646e6e2887fa893087ccac42168c0d39eaec [file] [log] [blame]
Pavel Kotucek932f7412017-09-07 14:44:52 +02001#!/usr/bin/env python
Paul Vinciguerra661f91f2018-11-28 19:06:41 -08002from __future__ import print_function
Pavel Kotucek932f7412017-09-07 14:44:52 +02003"""ACL plugin - MACIP tests
4"""
Paul Vinciguerra6e4c6ad2018-11-25 10:35:29 -08005import binascii
Paul Vinciguerraa7427ec2019-03-10 10:04:23 -07006import ipaddress
Pavel Kotucek932f7412017-09-07 14:44:52 +02007import random
Paul Vinciguerraa279d9c2019-02-28 09:00:09 -08008from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
9from struct import pack, unpack
Pavel Kotucek932f7412017-09-07 14:44:52 +020010import re
11import unittest
12
Paul Vinciguerraa7427ec2019-03-10 10:04:23 -070013import scapy.compat
Pavel Kotucek932f7412017-09-07 14:44:52 +020014from scapy.packet import Raw
15from scapy.layers.l2 import Ether
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020016from scapy.layers.inet import IP, UDP
Pavel Kotucek932f7412017-09-07 14:44:52 +020017from scapy.layers.inet6 import IPv6
18
19from framework import VppTestCase, VppTestRunner, running_extended_tests
20from vpp_lo_interface import VppLoInterface
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020021from vpp_papi_provider import L2_VTR_OP
22from vpp_sub_interface import VppSubInterface, VppDot1QSubint, VppDot1ADSubint
Neale Rannsb4743802018-09-05 09:13:57 -070023from vpp_papi_provider import L2_PORT_TYPE
Pavel Kotucek932f7412017-09-07 14:44:52 +020024
25
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020026class MethodHolder(VppTestCase):
Pavel Kotucek932f7412017-09-07 14:44:52 +020027 DEBUG = False
28
29 BRIDGED = True
30 ROUTED = False
31
32 IS_IP4 = False
33 IS_IP6 = True
34
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020035 DOT1AD = "dot1ad"
36 DOT1Q = "dot1q"
37 PERMIT_TAGS = True
38 DENY_TAGS = False
39
Pavel Kotucek932f7412017-09-07 14:44:52 +020040 # rule types
41 DENY = 0
42 PERMIT = 1
43
44 # ACL types
45 EXACT_IP = 1
46 SUBNET_IP = 2
47 WILD_IP = 3
48
49 EXACT_MAC = 1
50 WILD_MAC = 2
51 OUI_MAC = 3
52
53 ACLS = []
54
55 @classmethod
56 def setUpClass(cls):
57 """
58 Perform standard class setup (defined by class method setUpClass in
59 class VppTestCase) before running the test case, set test case related
60 variables and configure VPP.
61 """
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020062 super(MethodHolder, cls).setUpClass()
Pavel Kotucek932f7412017-09-07 14:44:52 +020063
64 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020065 cls.bd_id = 111
66 cls.remote_hosts_count = 200
Pavel Kotucek932f7412017-09-07 14:44:52 +020067
68 try:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020069 # create 4 pg interfaces, 1 loopback interface
70 cls.create_pg_interfaces(range(4))
Klement Sekerab9ef2732018-06-24 22:49:33 +020071 cls.create_loopback_interfaces(1)
Pavel Kotucek932f7412017-09-07 14:44:52 +020072
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020073 # create 2 subinterfaces
74 cls.subifs = [
75 VppDot1QSubint(cls, cls.pg1, 10),
76 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
77 VppDot1QSubint(cls, cls.pg3, 30),
78 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
79
80 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
81 inner=10, push1q=1)
82 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
83 outer=300, inner=400, push1q=1)
84 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
85 inner=30, push1q=1)
86 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
87 outer=600, inner=700, push1q=1)
88
Pavel Kotucek932f7412017-09-07 14:44:52 +020089 cls.interfaces = list(cls.pg_interfaces)
90 cls.interfaces.extend(cls.lo_interfaces)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020091 cls.interfaces.extend(cls.subifs)
Pavel Kotucek932f7412017-09-07 14:44:52 +020092
93 for i in cls.interfaces:
94 i.admin_up()
95
96 # Create BD with MAC learning enabled and put interfaces to this BD
97 cls.vapi.sw_interface_set_l2_bridge(
Neale Rannsb4743802018-09-05 09:13:57 -070098 cls.loop0.sw_if_index, bd_id=cls.bd_id,
99 port_type=L2_PORT_TYPE.BVI)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200100 cls.vapi.sw_interface_set_l2_bridge(
101 cls.pg0.sw_if_index, bd_id=cls.bd_id)
102 cls.vapi.sw_interface_set_l2_bridge(
103 cls.pg1.sw_if_index, bd_id=cls.bd_id)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200104 cls.vapi.sw_interface_set_l2_bridge(
105 cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
106 cls.vapi.sw_interface_set_l2_bridge(
107 cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200108
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200109 # Configure IPv4/6 addresses on loop interface and routed interface
Pavel Kotucek932f7412017-09-07 14:44:52 +0200110 cls.loop0.config_ip4()
111 cls.loop0.config_ip6()
112 cls.pg2.config_ip4()
113 cls.pg2.config_ip6()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200114 cls.pg3.config_ip4()
115 cls.pg3.config_ip6()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200116
117 # Configure MAC address binding to IPv4 neighbors on loop0
118 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
119 # Modify host mac addresses to have different OUI parts
120 for i in range(2, cls.remote_hosts_count + 2):
121 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
122 mac[2] = format(int(mac[2], 16) + i, "02x")
123 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
124
125 cls.loop0.configure_ipv4_neighbors()
126 cls.loop0.configure_ipv6_neighbors()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200127
128 # configure MAC address on pg3
129 cls.pg3.resolve_arp()
130 cls.pg3.resolve_ndp()
131
132 # configure MAC address on subifs
133 for i in cls.subifs:
134 i.config_ip4()
135 i.resolve_arp()
136 i.config_ip6()
137
Pavel Kotucek932f7412017-09-07 14:44:52 +0200138 # configure MAC address on pg2
139 cls.pg2.resolve_arp()
140 cls.pg2.resolve_ndp()
141
142 # Loopback BVI interface has remote hosts
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200143 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
144 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
145 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
146 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
147 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
148 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200149
150 except Exception:
juraj.linkes8e26f6d2018-09-19 14:59:43 +0200151 super(MethodHolder, cls).tearDownClass()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200152 raise
153
154 def setUp(self):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200155 super(MethodHolder, self).setUp()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200156 self.reset_packet_infos()
157 del self.ACLS[:]
158
159 def tearDown(self):
160 """
161 Show various debug prints after each test.
162 """
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200163 super(MethodHolder, self).tearDown()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200164 if not self.vpp_dead:
165 self.logger.info(self.vapi.ppcli("show interface address"))
166 self.logger.info(self.vapi.ppcli("show hardware"))
167 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
168 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
169 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200170 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
171 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
172 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
Paul Vinciguerra661f91f2018-11-28 19:06:41 -0800173 # print(self.vapi.ppcli("show interface address"))
174 # print(self.vapi.ppcli("show hardware"))
175 # print(self.vapi.ppcli("sh acl-plugin macip interface"))
176 # print(self.vapi.ppcli("sh acl-plugin macip acl"))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200177 self.delete_acls()
178
179 def macip_acl_dump_debug(self):
180 acls = self.vapi.macip_acl_dump()
181 if self.DEBUG:
182 for acl in acls:
Paul Vinciguerra661f91f2018-11-28 19:06:41 -0800183 print("ACL #"+str(acl.acl_index))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200184 for r in acl.r:
185 rule = "ACTION"
186 if r.is_permit == 1:
187 rule = "PERMIT"
188 elif r.is_permit == 0:
189 rule = "DENY "
Paul Vinciguerra661f91f2018-11-28 19:06:41 -0800190 print(" IP6" if r.is_ipv6 else " IP4",
191 rule,
192 binascii.hexlify(r.src_mac),
193 binascii.hexlify(r.src_mac_mask),
194 unpack('<16B', r.src_ip_addr),
195 r.src_ip_prefix_len)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200196 return acls
197
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200198 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
Paul Vinciguerraa7427ec2019-03-10 10:04:23 -0700199 acl_count=1, rules_count=None):
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200200 acls = []
Paul Vinciguerraa7427ec2019-03-10 10:04:23 -0700201 if rules_count is None:
202 rules_count = [1]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200203 src_mac = int("220000dead00", 16)
204 for acl in range(2, (acl_count+1) * 2):
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200205 rules = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200206 host = random.choice(self.loop0.remote_hosts)
207 is_ip6 = acl % 2
208 ip4 = host.ip4.split('.')
209 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
210
211 if ip_type == self.EXACT_IP:
212 prefix_len4 = 32
213 prefix_len6 = 128
214 elif ip_type == self.WILD_IP:
215 ip4 = [0, 0, 0, 0]
216 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
217 prefix_len4 = 0
218 prefix_len6 = 0
219 rules_count[(acl / 2) - 1] = 1
220 else:
221 prefix_len4 = 24
222 prefix_len6 = 64
223
224 if mac_type == self.EXACT_MAC:
225 mask = "ff:ff:ff:ff:ff:ff"
226 elif mac_type == self.WILD_MAC:
227 mask = "00:00:00:00:00:00"
228 elif mac_type == self.OUI_MAC:
229 mask = "ff:ff:ff:00:00:00"
230 else:
231 mask = "ff:ff:ff:ff:ff:00"
232
233 ip = ip6 if is_ip6 else ip4
234 ip_len = prefix_len6 if is_ip6 else prefix_len4
235
236 for i in range(0, rules_count[(acl / 2) - 1]):
237 src_mac += 16777217
238 if mac_type == self.WILD_MAC:
239 mac = "00:00:00:00:00:00"
240 elif mac_type == self.OUI_MAC:
241 mac = ':'.join(re.findall('..', '{:02x}'.format(
242 src_mac))[:3])+":00:00:00"
243 else:
Paul Vinciguerraea2450f2019-03-06 08:23:58 -0800244 mac = ':'.join(re.findall(
245 '..', '{:02x}'.format(src_mac)))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200246
247 if ip_type == self.EXACT_IP:
248 ip4[3] = random.randint(100, 200)
249 ip6[15] = random.randint(100, 200)
250 elif ip_type == self.SUBNET_IP:
251 ip4[2] = random.randint(100, 200)
252 ip4[3] = 0
253 ip6[8] = random.randint(100, 200)
254 ip6[15] = 0
Paul Vinciguerraa7427ec2019-03-10 10:04:23 -0700255 ip_pack = b''
Pavel Kotucek932f7412017-09-07 14:44:52 +0200256 for j in range(0, len(ip)):
257 ip_pack += pack('<B', int(ip[j]))
258
259 rule = ({'is_permit': self.PERMIT,
260 'is_ipv6': is_ip6,
261 'src_ip_addr': ip_pack,
262 'src_ip_prefix_len': ip_len,
Paul Vinciguerraa7427ec2019-03-10 10:04:23 -0700263 'src_mac': binascii.unhexlify(mac.replace(':', '')),
264 'src_mac_mask': binascii.unhexlify(
265 mask.replace(':', ''))})
Pavel Kotucek932f7412017-09-07 14:44:52 +0200266 rules.append(rule)
267 if ip_type == self.WILD_IP:
268 break
269
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200270 acls.append(rules)
271 src_mac += 1099511627776
272 return acls
273
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200274 def apply_macip_rules(self, acls):
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200275 for acl in acls:
276 reply = self.vapi.macip_acl_add(acl)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200277 self.assertEqual(reply.retval, 0)
278 self.ACLS.append(reply.acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200279
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200280 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200281 reply = self.macip_acl_dump_debug()
282 for acl in range(2, (acl_count+1) * 2):
Paul Vinciguerraa7427ec2019-03-10 10:04:23 -0700283 self.assertEqual(reply[acl - 2].count, rules_count[acl//2-1])
Pavel Kotucek932f7412017-09-07 14:44:52 +0200284
285 self.vapi.macip_acl_interface_get()
286
287 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
288 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
289
290 reply = self.vapi.macip_acl_interface_get()
291 self.assertEqual(reply.count, expected_count)
292
293 def delete_acls(self):
294 for acl in range(len(self.ACLS)-1, -1, -1):
295 self.vapi.macip_acl_del(self.ACLS[acl])
296
297 reply = self.vapi.macip_acl_dump()
298 self.assertEqual(len(reply), 0)
299
Andrew Yourtchenkobeca2662018-03-23 12:20:56 +0100300 intf_acls = self.vapi.acl_interface_list_dump()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200301 for i_a in intf_acls:
Andrew Yourtchenkobeca2662018-03-23 12:20:56 +0100302 sw_if_index = i_a.sw_if_index
303 for acl_index in i_a.acls:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200304 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
305 self.vapi.acl_del(acl_index)
306
Pavel Kotucek932f7412017-09-07 14:44:52 +0200307 def create_stream(self, mac_type, ip_type, packet_count,
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200308 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200309 # exact MAC and exact IP
310 # exact MAC and subnet of IPs
311 # exact MAC and wildcard IP
312 # wildcard MAC and exact IP
313 # wildcard MAC and subnet of IPs
314 # wildcard MAC and wildcard IP
315 # OUI restricted MAC and exact IP
316 # OUI restricted MAC and subnet of IPs
317 # OUI restricted MAC and wildcard IP
318
319 packets = []
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200320 macip_rules = []
321 acl_rules = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200322 ip_permit = ""
323 mac_permit = ""
324 dst_mac = ""
325 mac_rule = "00:00:00:00:00:00"
326 mac_mask = "00:00:00:00:00:00"
327 for p in range(0, packet_count):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200328 remote_dst_index = p % len(dst_if.remote_hosts)
329 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200330
331 dst_port = 1234 + p
332 src_port = 4321 + p
333 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
334 denyMAC = True if not is_permit and p % 3 == 1 else False
335 denyIP = True if not is_permit and p % 3 == 2 else False
336 if not is_permit and ip_type == self.WILD_IP:
337 denyMAC = True
338 if not is_permit and mac_type == self.WILD_MAC:
339 denyIP = True
Pavel Kotucek057704e2017-09-14 09:50:52 +0200340
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200341 if traffic == self.BRIDGED:
Pavel Kotucek932f7412017-09-07 14:44:52 +0200342 if is_permit:
343 src_mac = remote_dst_host._mac
344 dst_mac = 'de:ad:00:00:00:00'
Pavel Kotucek932f7412017-09-07 14:44:52 +0200345 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200346 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200347 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200348 dst_ip6 = src_if.remote_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200349 ip_permit = src_ip6 if is_ip6 else src_ip4
350 mac_permit = src_mac
Pavel Kotucek932f7412017-09-07 14:44:52 +0200351 if denyMAC:
352 mac = src_mac.split(':')
353 mac[0] = format(int(mac[0], 16)+1, "02x")
354 src_mac = ":".join(mac)
355 if is_ip6:
356 src_ip6 = ip_permit
357 else:
358 src_ip4 = ip_permit
359 if denyIP:
360 if ip_type != self.WILD_IP:
361 src_mac = mac_permit
Pavel Kotucek932f7412017-09-07 14:44:52 +0200362 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200363 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200364 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200365 dst_ip6 = src_if.remote_ip6
Pavel Kotucek057704e2017-09-14 09:50:52 +0200366 else:
367 if is_permit:
368 src_mac = remote_dst_host._mac
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200369 dst_mac = src_if.local_mac
370 src_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200371 dst_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200372 src_ip6 = src_if.remote_ip6
Pavel Kotucek057704e2017-09-14 09:50:52 +0200373 dst_ip6 = remote_dst_host.ip6
374 ip_permit = src_ip6 if is_ip6 else src_ip4
375 mac_permit = src_mac
376 if denyMAC:
377 mac = src_mac.split(':')
378 mac[0] = format(int(mac[0], 16) + 1, "02x")
379 src_mac = ":".join(mac)
380 if is_ip6:
381 src_ip6 = ip_permit
382 else:
383 src_ip4 = ip_permit
384 if denyIP:
385 src_mac = remote_dst_host._mac
386 if ip_type != self.WILD_IP:
387 src_mac = mac_permit
388 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200389 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200390 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200391 dst_ip6 = src_if.remote_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200392
393 if is_permit:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200394 info = self.create_packet_info(src_if, dst_if)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200395 payload = self.info_to_payload(info)
396 else:
397 payload = "to be blocked"
398
399 if mac_type == self.WILD_MAC:
400 mac = src_mac.split(':')
401 for i in range(1, 5):
402 mac[i] = format(random.randint(0, 255), "02x")
403 src_mac = ":".join(mac)
404
405 # create packet
406 packet = Ether(src=src_mac, dst=dst_mac)
Pavel Kotucek057704e2017-09-14 09:50:52 +0200407 ip_rule = src_ip6 if is_ip6 else src_ip4
Pavel Kotucek932f7412017-09-07 14:44:52 +0200408 if is_ip6:
409 if ip_type != self.EXACT_IP:
410 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
411 if ip_type == self.WILD_IP:
412 sub_ip[0] = random.randint(240, 254)
413 sub_ip[1] = random.randint(230, 239)
414 sub_ip[14] = random.randint(100, 199)
415 sub_ip[15] = random.randint(200, 255)
416 elif ip_type == self.SUBNET_IP:
417 if denyIP:
Paul Vinciguerraa7427ec2019-03-10 10:04:23 -0700418 sub_ip[2] = int(sub_ip[2]) + 1
Pavel Kotucek932f7412017-09-07 14:44:52 +0200419 sub_ip[14] = random.randint(100, 199)
420 sub_ip[15] = random.randint(200, 255)
Paul Vinciguerraa7427ec2019-03-10 10:04:23 -0700421 packed_src_ip6 = b''.join(
422 [scapy.compat.chb(x) for x in sub_ip])
423 src_ip6 = inet_ntop(AF_INET6, packed_src_ip6)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200424 packet /= IPv6(src=src_ip6, dst=dst_ip6)
425 else:
426 if ip_type != self.EXACT_IP:
427 sub_ip = ip_rule.split('.')
428 if ip_type == self.WILD_IP:
Paul Vinciguerraa7427ec2019-03-10 10:04:23 -0700429 sub_ip[0] = random.randint(1, 49)
430 sub_ip[1] = random.randint(50, 99)
431 sub_ip[2] = random.randint(100, 199)
432 sub_ip[3] = random.randint(200, 255)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200433 elif ip_type == self.SUBNET_IP:
434 if denyIP:
Paul Vinciguerraa7427ec2019-03-10 10:04:23 -0700435 sub_ip[1] = int(sub_ip[1])+1
436 sub_ip[2] = random.randint(100, 199)
437 sub_ip[3] = random.randint(200, 255)
438 src_ip4 = '.'.join(['{!s}'.format(x) for x in sub_ip])
Pavel Kotucek932f7412017-09-07 14:44:52 +0200439 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
440
441 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
442
Paul Vinciguerraa7427ec2019-03-10 10:04:23 -0700443 packet[Raw].load += b" mac:%s" % scapy.compat.raw(src_mac)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200444
445 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200446 if isinstance(src_if, VppSubInterface):
447 size = size + 4
448 if isinstance(src_if, VppDot1QSubint):
449 if src_if is self.subifs[0]:
450 if tags == self.PERMIT_TAGS:
451 packet = src_if.add_dot1q_layer(packet, 10)
452 else:
453 packet = src_if.add_dot1q_layer(packet, 11)
454 else:
455 if tags == self.PERMIT_TAGS:
456 packet = src_if.add_dot1q_layer(packet, 30)
457 else:
458 packet = src_if.add_dot1q_layer(packet, 33)
459 elif isinstance(src_if, VppDot1ADSubint):
460 if src_if is self.subifs[1]:
461 if tags == self.PERMIT_TAGS:
462 packet = src_if.add_dot1ad_layer(packet, 300, 400)
463 else:
464 packet = src_if.add_dot1ad_layer(packet, 333, 444)
465 else:
466 if tags == self.PERMIT_TAGS:
467 packet = src_if.add_dot1ad_layer(packet, 600, 700)
468 else:
469 packet = src_if.add_dot1ad_layer(packet, 666, 777)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200470 self.extend_packet(packet, size)
471 packets.append(packet)
472
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200473 # create suitable MACIP rule
Pavel Kotucek932f7412017-09-07 14:44:52 +0200474 if mac_type == self.EXACT_MAC:
475 mac_rule = src_mac
476 mac_mask = "ff:ff:ff:ff:ff:ff"
477 elif mac_type == self.WILD_MAC:
478 mac_rule = "00:00:00:00:00:00"
479 mac_mask = "00:00:00:00:00:00"
480 elif mac_type == self.OUI_MAC:
481 mac = src_mac.split(':')
482 mac[3] = mac[4] = mac[5] = '00'
483 mac_rule = ":".join(mac)
484 mac_mask = "ff:ff:ff:00:00:00"
485
486 if is_ip6:
487 if ip_type == self.WILD_IP:
488 ip = "0::0"
489 else:
Pavel Kotucek057704e2017-09-14 09:50:52 +0200490 ip = src_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200491 if ip_type == self.SUBNET_IP:
492 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
493 for i in range(8, 16):
494 sub_ip[i] = 0
Paul Vinciguerraa7427ec2019-03-10 10:04:23 -0700495 packed_ip = b''.join(
496 [scapy.compat.chb(x) for x in sub_ip])
497 ip = inet_ntop(AF_INET6, packed_ip)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200498 else:
499 if ip_type == self.WILD_IP:
500 ip = "0.0.0.0"
501 else:
Pavel Kotucek057704e2017-09-14 09:50:52 +0200502 ip = src_ip4
Pavel Kotucek932f7412017-09-07 14:44:52 +0200503 if ip_type == self.SUBNET_IP:
504 sub_ip = ip.split('.')
505 sub_ip[2] = sub_ip[3] = '0'
506 ip = ".".join(sub_ip)
507
508 prefix_len = 128 if is_ip6 else 32
509 if ip_type == self.WILD_IP:
510 prefix_len = 0
511 elif ip_type == self.SUBNET_IP:
512 prefix_len = 64 if is_ip6 else 16
513 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
514
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200515 # create suitable ACL rule
516 if is_permit:
517 rule_l4_sport = packet[UDP].sport
518 rule_l4_dport = packet[UDP].dport
519 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
520 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
521 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
522 if packet.haslayer(IPv6):
523 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
524 else:
525 rule_l4_proto = packet[IP].proto
526
527 acl_rule = {
528 'is_permit': is_permit,
529 'is_ipv6': is_ip6,
530 'src_ip_addr': inet_pton(rule_family,
531 packet[rule_l3_layer].src),
532 'src_ip_prefix_len': rule_prefix_len,
533 'dst_ip_addr': inet_pton(rule_family,
534 packet[rule_l3_layer].dst),
535 'dst_ip_prefix_len': rule_prefix_len,
536 'srcport_or_icmptype_first': rule_l4_sport,
537 'srcport_or_icmptype_last': rule_l4_sport,
538 'dstport_or_icmpcode_first': rule_l4_dport,
539 'dstport_or_icmpcode_last': rule_l4_dport,
540 'proto': rule_l4_proto}
541 acl_rules.append(acl_rule)
542
Pavel Kotucek932f7412017-09-07 14:44:52 +0200543 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
544 continue
545
546 if is_permit:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200547 macip_rule = ({
548 'is_permit': is_permit,
549 'is_ipv6': is_ip6,
550 'src_ip_addr': ip_rule,
551 'src_ip_prefix_len': prefix_len,
Paul Vinciguerraa7427ec2019-03-10 10:04:23 -0700552 'src_mac': binascii.unhexlify(mac_rule.replace(':', '')),
553 'src_mac_mask': binascii.unhexlify(
554 mac_mask.replace(':', ''))})
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200555 macip_rules.append(macip_rule)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200556
557 # deny all other packets
558 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200559 macip_rule = ({'is_permit': 0,
560 'is_ipv6': is_ip6,
561 'src_ip_addr': "",
562 'src_ip_prefix_len': 0,
563 'src_mac': "",
564 'src_mac_mask': ""})
565 macip_rules.append(macip_rule)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200566
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200567 acl_rule = {'is_permit': 0,
568 'is_ipv6': is_ip6}
569 acl_rules.append(acl_rule)
570 return {'stream': packets,
571 'macip_rules': macip_rules,
572 'acl_rules': acl_rules}
Pavel Kotucek932f7412017-09-07 14:44:52 +0200573
574 def verify_capture(self, stream, capture, is_ip6):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200575 """
576 :param stream:
577 :param capture:
578 :param is_ip6:
579 :return:
580 """
581 # p_l3 = IPv6 if is_ip6 else IP
582 # if self.DEBUG:
583 # for p in stream:
Paul Vinciguerra661f91f2018-11-28 19:06:41 -0800584 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200585 #
586 # acls = self.macip_acl_dump_debug()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200587
588 # TODO : verify
589 # for acl in acls:
590 # for r in acl.r:
Paul Vinciguerra661f91f2018-11-28 19:06:41 -0800591 # print(binascii.hexlify(r.src_mac), \
Paul Vinciguerra6e4c6ad2018-11-25 10:35:29 -0800592 # binascii.hexlify(r.src_mac_mask),\
Pavel Kotucek932f7412017-09-07 14:44:52 +0200593 # unpack('<16B', r.src_ip_addr), \
Paul Vinciguerra661f91f2018-11-28 19:06:41 -0800594 # r.src_ip_prefix_len)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200595 #
596 # for p in capture:
Paul Vinciguerra661f91f2018-11-28 19:06:41 -0800597 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
598 # data = p[Raw].load.split(':',1)[1])
599 # print(p[p_l3].src, data)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200600
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200601 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
602 do_not_expected_capture=False, tags=None,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100603 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
604 try_replace=False):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200605 self.reset_packet_infos()
606
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200607 if tags is None:
608 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
609 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
610 src_if = self.pg3
611 dst_if = self.loop0
612 else:
613 if tags == self.DOT1Q:
614 if traffic == self.BRIDGED:
615 tx_if = self.subifs[0]
616 rx_if = self.pg0
617 src_if = self.subifs[0]
618 dst_if = self.loop0
619 else:
620 tx_if = self.subifs[2]
621 rx_if = self.pg0
622 src_if = self.subifs[2]
623 dst_if = self.loop0
624 elif tags == self.DOT1AD:
625 if traffic == self.BRIDGED:
626 tx_if = self.subifs[1]
627 rx_if = self.pg0
628 src_if = self.subifs[1]
629 dst_if = self.loop0
630 else:
631 tx_if = self.subifs[3]
632 rx_if = self.pg0
633 src_if = self.subifs[3]
634 dst_if = self.loop0
635 else:
636 return
Pavel Kotucek932f7412017-09-07 14:44:52 +0200637
638 test_dict = self.create_stream(mac_type, ip_type, packets,
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200639 src_if, dst_if,
640 traffic, is_ip6,
641 tags=permit_tags)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200642
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200643 if apply_rules:
644 if isMACIP:
645 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
646 else:
647 reply = self.vapi.acl_add_replace(acl_index=4294967295,
648 r=test_dict['acl_rules'])
649 self.assertEqual(reply.retval, 0)
650 acl_index = reply.acl_index
Pavel Kotucek932f7412017-09-07 14:44:52 +0200651
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200652 if isMACIP:
653 self.vapi.macip_acl_interface_add_del(
654 sw_if_index=tx_if.sw_if_index,
655 acl_index=acl_index)
656 reply = self.vapi.macip_acl_interface_get()
657 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
658 self.ACLS.append(reply.acls[tx_if.sw_if_index])
659 else:
660 self.vapi.acl_interface_add_del(
661 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
662 else:
663 self.vapi.macip_acl_interface_add_del(
664 sw_if_index=tx_if.sw_if_index,
665 acl_index=0)
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100666 if try_replace:
667 if isMACIP:
668 reply = self.vapi.macip_acl_add_replace(
669 test_dict['macip_rules'],
670 acl_index)
671 else:
672 reply = self.vapi.acl_add_replace(acl_index=acl_index,
673 r=test_dict['acl_rules'])
674 self.assertEqual(reply.retval, 0)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200675
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200676 if not isinstance(src_if, VppSubInterface):
677 tx_if.add_stream(test_dict['stream'])
678 else:
679 tx_if.parent.add_stream(test_dict['stream'])
Pavel Kotucek932f7412017-09-07 14:44:52 +0200680 self.pg_enable_capture(self.pg_interfaces)
681 self.pg_start()
682
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200683 if do_not_expected_capture:
684 rx_if.get_capture(0)
685 else:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200686 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
687 ip_type == self.WILD_IP:
688 capture = rx_if.get_capture(packets)
689 else:
690 capture = rx_if.get_capture(
691 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200692 self.verify_capture(test_dict['stream'], capture, is_ip6)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200693 if not isMACIP:
694 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
695 acl_index=acl_index, is_add=0)
696 self.vapi.acl_del(acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200697
698 def run_test_acls(self, mac_type, ip_type, acl_count,
699 rules_count, traffic=None, ip=None):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200700 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
701 rules_count))
702 self.verify_macip_acls(acl_count, rules_count)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200703
704 if traffic is not None:
705 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
706
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200707
708class TestMACIP_IP4(MethodHolder):
709 """MACIP with IP4 traffic"""
710
Pavel Kotucek057704e2017-09-14 09:50:52 +0200711 def test_acl_bridged_ip4_exactMAC_exactIP(self):
712 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200713 """
714 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
715 self.BRIDGED, self.IS_IP4, 9)
716
Pavel Kotucek057704e2017-09-14 09:50:52 +0200717 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
718 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200719 """
720
721 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
722 self.BRIDGED, self.IS_IP4, 9)
723
Pavel Kotucek057704e2017-09-14 09:50:52 +0200724 def test_acl_bridged_ip4_exactMAC_wildIP(self):
725 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200726 """
727
728 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
729 self.BRIDGED, self.IS_IP4, 9)
730
Pavel Kotucek057704e2017-09-14 09:50:52 +0200731 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
732 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200733 """
734
735 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
736 self.BRIDGED, self.IS_IP4, 3)
737
Pavel Kotucek057704e2017-09-14 09:50:52 +0200738 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
739 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200740 """
741
742 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
743 self.BRIDGED, self.IS_IP4, 9)
744
Pavel Kotucek057704e2017-09-14 09:50:52 +0200745 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
746 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200747 """
748
749 self.run_traffic(self.OUI_MAC, self.WILD_IP,
750 self.BRIDGED, self.IS_IP4, 9)
751
Pavel Kotucek057704e2017-09-14 09:50:52 +0200752 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
753 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200754 """
755
756 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
757 self.BRIDGED, self.IS_IP4, 9)
758
Pavel Kotucek057704e2017-09-14 09:50:52 +0200759 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
760 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200761 """
762
763 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
764 self.BRIDGED, self.IS_IP4, 9)
765
Pavel Kotucek057704e2017-09-14 09:50:52 +0200766 def test_acl_bridged_ip4_wildMAC_wildIP(self):
767 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200768 """
769
770 self.run_traffic(self.WILD_MAC, self.WILD_IP,
771 self.BRIDGED, self.IS_IP4, 9)
772
Pavel Kotucek057704e2017-09-14 09:50:52 +0200773 def test_acl_routed_ip4_exactMAC_exactIP(self):
774 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
775 """
776 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
777 self.ROUTED, self.IS_IP4, 9)
778
Pavel Kotucek057704e2017-09-14 09:50:52 +0200779 def test_acl_routed_ip4_exactMAC_subnetIP(self):
780 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
781 """
782 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
783 self.ROUTED, self.IS_IP4, 9)
784
Pavel Kotucek057704e2017-09-14 09:50:52 +0200785 def test_acl_routed_ip4_exactMAC_wildIP(self):
786 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
787 """
788 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
789 self.ROUTED, self.IS_IP4, 9)
790
Pavel Kotucek057704e2017-09-14 09:50:52 +0200791 def test_acl_routed_ip4_ouiMAC_exactIP(self):
792 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
793 """
794
795 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
796 self.ROUTED, self.IS_IP4, 9)
797
Pavel Kotucek057704e2017-09-14 09:50:52 +0200798 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
799 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
800 """
801
802 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
803 self.ROUTED, self.IS_IP4, 9)
804
Pavel Kotucek057704e2017-09-14 09:50:52 +0200805 def test_acl_routed_ip4_ouiMAC_wildIP(self):
806 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
807 """
808
809 self.run_traffic(self.OUI_MAC, self.WILD_IP,
810 self.ROUTED, self.IS_IP4, 9)
811
Pavel Kotucek057704e2017-09-14 09:50:52 +0200812 def test_acl_routed_ip4_wildMAC_exactIP(self):
813 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
814 """
815
816 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
817 self.ROUTED, self.IS_IP4, 9)
818
Pavel Kotucek057704e2017-09-14 09:50:52 +0200819 def test_acl_routed_ip4_wildMAC_subnetIP(self):
820 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
821 """
822
823 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
824 self.ROUTED, self.IS_IP4, 9)
825
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200826 def test_acl_routed_ip4_wildMAC_wildIP(self):
827 """ IP4 MACIP wildcardMAC|wildIP ACL
828 """
829
830 self.run_traffic(self.WILD_MAC, self.WILD_IP,
831 self.ROUTED, self.IS_IP4, 9)
832
833 def test_acl_replace_traffic_ip4(self):
834 """ MACIP replace ACL with IP4 traffic
835 """
836 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100837 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200838 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100839 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200840
841
842class TestMACIP_IP6(MethodHolder):
843 """MACIP with IP6 traffic"""
844
845 def test_acl_bridged_ip6_exactMAC_exactIP(self):
846 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
847 """
848
849 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
850 self.BRIDGED, self.IS_IP6, 9)
851
852 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
853 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
854 """
855
856 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
857 self.BRIDGED, self.IS_IP6, 9)
858
859 def test_acl_bridged_ip6_exactMAC_wildIP(self):
860 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
861 """
862
863 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
864 self.BRIDGED, self.IS_IP6, 9)
865
866 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
867 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
868 """
869
870 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
871 self.BRIDGED, self.IS_IP6, 9)
872
873 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
874 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
875 """
876
877 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
878 self.BRIDGED, self.IS_IP6, 9)
879
880 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
881 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
882 """
883
884 self.run_traffic(self.OUI_MAC, self.WILD_IP,
885 self.BRIDGED, self.IS_IP6, 9)
886
887 def test_acl_bridged_ip6_wildMAC_exactIP(self):
888 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
889 """
890
891 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
892 self.BRIDGED, self.IS_IP6, 9)
893
894 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
895 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
896 """
897
898 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
899 self.BRIDGED, self.IS_IP6, 9)
900
901 def test_acl_bridged_ip6_wildMAC_wildIP(self):
902 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
903 """
904
905 self.run_traffic(self.WILD_MAC, self.WILD_IP,
906 self.BRIDGED, self.IS_IP6, 9)
907
908 def test_acl_routed_ip6_exactMAC_exactIP(self):
909 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
910 """
911
912 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
913 self.ROUTED, self.IS_IP6, 9)
914
915 def test_acl_routed_ip6_exactMAC_subnetIP(self):
916 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
917 """
918
919 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
920 self.ROUTED, self.IS_IP6, 9)
921
922 def test_acl_routed_ip6_exactMAC_wildIP(self):
923 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
924 """
925
926 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
927 self.ROUTED, self.IS_IP6, 9)
928
929 def test_acl_routed_ip6_ouiMAC_exactIP(self):
930 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
931 """
932
933 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
934 self.ROUTED, self.IS_IP6, 9)
935
936 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
937 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
938 """
939
940 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
941 self.ROUTED, self.IS_IP6, 9)
942
943 def test_acl_routed_ip6_ouiMAC_wildIP(self):
944 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
945 """
946
947 self.run_traffic(self.OUI_MAC, self.WILD_IP,
948 self.ROUTED, self.IS_IP6, 9)
949
950 def test_acl_routed_ip6_wildMAC_exactIP(self):
951 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
952 """
953
954 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
955 self.ROUTED, self.IS_IP6, 9)
956
Pavel Kotucek057704e2017-09-14 09:50:52 +0200957 def test_acl_routed_ip6_wildMAC_subnetIP(self):
958 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
959 """
960
961 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
962 self.ROUTED, self.IS_IP6, 9)
963
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200964 def test_acl_routed_ip6_wildMAC_wildIP(self):
965 """ IP6 MACIP wildcardMAC|wildIP ACL
966 """
967
968 self.run_traffic(self.WILD_MAC, self.WILD_IP,
969 self.ROUTED, self.IS_IP6, 9)
970
971 def test_acl_replace_traffic_ip6(self):
972 """ MACIP replace ACL with IP6 traffic
973 """
974 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100975 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200976 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100977 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200978
979
980class TestMACIP(MethodHolder):
981 """MACIP Tests"""
982
Pavel Kotucek932f7412017-09-07 14:44:52 +0200983 def test_acl_1_2(self):
984 """ MACIP ACL with 2 entries
985 """
986
987 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
988
989 def test_acl_1_5(self):
990 """ MACIP ACL with 5 entries
991 """
992
993 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
994
995 def test_acl_1_10(self):
996 """ MACIP ACL with 10 entries
997 """
998
999 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
1000
1001 def test_acl_1_20(self):
1002 """ MACIP ACL with 20 entries
1003 """
1004
1005 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
1006
1007 def test_acl_1_50(self):
1008 """ MACIP ACL with 50 entries
1009 """
1010
1011 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1012
1013 def test_acl_1_100(self):
1014 """ MACIP ACL with 100 entries
1015 """
1016
1017 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1018
1019 def test_acl_2_X(self):
1020 """ MACIP 2 ACLs each with 100+ entries
1021 """
1022
1023 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1024
1025 def test_acl_10_X(self):
1026 """ MACIP 10 ACLs each with 100+ entries
1027 """
1028
1029 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1030 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1031
1032 def test_acl_10_X_traffic_ip4(self):
1033 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1034 """
1035
1036 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1037 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1038 self.BRIDGED, self.IS_IP4)
1039
1040 def test_acl_10_X_traffic_ip6(self):
1041 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1042 """
1043
1044 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1045 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1046 self.BRIDGED, self.IS_IP6)
1047
Pavel Kotucekc29940c2017-09-07 08:17:31 +02001048 def test_acl_replace(self):
1049 """ MACIP replace ACL
1050 """
1051
1052 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1053 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +02001054 self.apply_macip_rules(r1)
Pavel Kotucekc29940c2017-09-07 08:17:31 +02001055
1056 acls_before = self.macip_acl_dump_debug()
1057
1058 # replace acls #2, #3 with new
1059 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1060 self.assertEqual(reply.retval, 0)
1061 self.assertEqual(reply.acl_index, 2)
1062 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1063 self.assertEqual(reply.retval, 0)
1064 self.assertEqual(reply.acl_index, 3)
1065
1066 acls_after = self.macip_acl_dump_debug()
1067
1068 # verify changes
1069 self.assertEqual(len(acls_before), len(acls_after))
1070 for acl1, acl2 in zip(
1071 acls_before[:2]+acls_before[4:],
1072 acls_after[:2]+acls_after[4:]):
1073 self.assertEqual(len(acl1), len(acl2))
1074
1075 self.assertEqual(len(acl1.r), len(acl2.r))
1076 for r1, r2 in zip(acl1.r, acl2.r):
1077 self.assertEqual(len(acl1.r), len(acl2.r))
1078 self.assertEqual(acl1.r, acl2.r)
1079 for acl1, acl2 in zip(
1080 acls_before[2:4],
1081 acls_after[2:4]):
1082 self.assertEqual(len(acl1), len(acl2))
1083
1084 self.assertNotEqual(len(acl1.r), len(acl2.r))
1085 for r1, r2 in zip(acl1.r, acl2.r):
1086 self.assertNotEqual(len(acl1.r), len(acl2.r))
1087 self.assertNotEqual(acl1.r, acl2.r)
1088
Pavel Kotucek932f7412017-09-07 14:44:52 +02001089 def test_delete_intf(self):
1090 """ MACIP ACL delete intf with acl
1091 """
1092
1093 intf_count = len(self.interfaces)+1
Pavel Kotucek932f7412017-09-07 14:44:52 +02001094 intf = []
Pavel Kotucek8daa80a2017-09-25 09:44:05 +02001095 self.apply_macip_rules(self.create_rules(acl_count=3,
1096 rules_count=[3, 5, 4]))
Pavel Kotucek932f7412017-09-07 14:44:52 +02001097
Klement Sekerabeaded52018-06-24 10:30:37 +02001098 intf.append(VppLoInterface(self))
1099 intf.append(VppLoInterface(self))
Pavel Kotucek932f7412017-09-07 14:44:52 +02001100
1101 sw_if_index0 = intf[0].sw_if_index
1102 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1103
1104 reply = self.vapi.macip_acl_interface_get()
1105 self.assertEqual(reply.count, intf_count+1)
1106 self.assertEqual(reply.acls[sw_if_index0], 1)
1107
1108 sw_if_index1 = intf[1].sw_if_index
1109 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1110
1111 reply = self.vapi.macip_acl_interface_get()
1112 self.assertEqual(reply.count, intf_count+2)
1113 self.assertEqual(reply.acls[sw_if_index1], 0)
1114
1115 intf[0].remove_vpp_config()
1116 reply = self.vapi.macip_acl_interface_get()
1117 self.assertEqual(reply.count, intf_count+2)
1118 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1119 self.assertEqual(reply.acls[sw_if_index1], 0)
1120
Klement Sekerabeaded52018-06-24 10:30:37 +02001121 intf.append(VppLoInterface(self))
1122 intf.append(VppLoInterface(self))
Pavel Kotucek932f7412017-09-07 14:44:52 +02001123 sw_if_index2 = intf[2].sw_if_index
1124 sw_if_index3 = intf[3].sw_if_index
1125 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1126 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1127
1128 reply = self.vapi.macip_acl_interface_get()
1129 self.assertEqual(reply.count, intf_count+3)
1130 self.assertEqual(reply.acls[sw_if_index1], 0)
1131 self.assertEqual(reply.acls[sw_if_index2], 1)
1132 self.assertEqual(reply.acls[sw_if_index3], 1)
Andrew Yourtchenko563a8532018-03-23 15:23:15 +01001133 self.logger.info("MACIP ACL on multiple interfaces:")
1134 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1135 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1136 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1137 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1138 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
Pavel Kotucek932f7412017-09-07 14:44:52 +02001139
1140 intf[2].remove_vpp_config()
1141 intf[1].remove_vpp_config()
1142
1143 reply = self.vapi.macip_acl_interface_get()
1144 self.assertEqual(reply.count, intf_count+3)
1145 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1146 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1147 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1148 self.assertEqual(reply.acls[sw_if_index3], 1)
1149
1150 intf[3].remove_vpp_config()
1151 reply = self.vapi.macip_acl_interface_get()
1152
1153 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1154
Pavel Kotucek057704e2017-09-14 09:50:52 +02001155
Pavel Kotucek8daa80a2017-09-25 09:44:05 +02001156class TestACL_dot1q_bridged(MethodHolder):
1157 """ACL on dot1q bridged subinterfaces Tests"""
Pavel Kotucek057704e2017-09-14 09:50:52 +02001158
Pavel Kotucek8daa80a2017-09-25 09:44:05 +02001159 def test_acl_bridged_ip4_subif_dot1q(self):
1160 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1161 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1162 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
Pavel Kotucek057704e2017-09-14 09:50:52 +02001163
Pavel Kotucek8daa80a2017-09-25 09:44:05 +02001164 def test_acl_bridged_ip6_subif_dot1q(self):
1165 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1166 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1167 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1168
1169
1170class TestACL_dot1ad_bridged(MethodHolder):
1171 """ACL on dot1ad bridged subinterfaces Tests"""
1172
1173 def test_acl_bridged_ip4_subif_dot1ad(self):
1174 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1175 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1176 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1177
1178 def test_acl_bridged_ip6_subif_dot1ad(self):
1179 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1180 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1181 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1182
1183
1184class TestACL_dot1q_routed(MethodHolder):
1185 """ACL on dot1q routed subinterfaces Tests"""
1186
1187 def test_acl_routed_ip4_subif_dot1q(self):
1188 """ IP4 ACL SubIf Dot1Q routed traffic"""
1189 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1190 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1191
1192 def test_acl_routed_ip6_subif_dot1q(self):
1193 """ IP6 ACL SubIf Dot1Q routed traffic"""
1194 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1195 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1196
1197 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1198 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1199 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1200 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1201 permit_tags=self.DENY_TAGS)
1202
1203 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1204 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1205 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1206 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1207 permit_tags=self.DENY_TAGS)
1208
1209
1210class TestACL_dot1ad_routed(MethodHolder):
1211 """ACL on dot1ad routed subinterfaces Tests"""
1212
1213 def test_acl_routed_ip6_subif_dot1ad(self):
1214 """ IP6 ACL SubIf Dot1AD routed traffic"""
1215 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1216 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1217
1218 def test_acl_routed_ip4_subif_dot1ad(self):
1219 """ IP4 ACL SubIf Dot1AD routed traffic"""
1220 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1221 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1222
1223 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1224 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1225 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1226 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1227 permit_tags=self.DENY_TAGS)
1228
1229 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1230 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1231 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1232 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1233 permit_tags=self.DENY_TAGS)
Pavel Kotucek932f7412017-09-07 14:44:52 +02001234
1235
1236if __name__ == '__main__':
1237 unittest.main(testRunner=VppTestRunner)