blob: 951e86af474d3e71fc43a202e9bfbe2387168579 [file] [log] [blame]
Pavel Kotucek932f7412017-09-07 14:44:52 +02001#!/usr/bin/env python
2"""ACL plugin - MACIP tests
3"""
Paul Vinciguerra6e4c6ad2018-11-25 10:35:29 -08004import binascii
Pavel Kotucek932f7412017-09-07 14:44:52 +02005import random
6import re
7import unittest
8
9from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
10from struct import *
11from scapy.packet import Raw
12from scapy.layers.l2 import Ether
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020013from scapy.layers.inet import IP, UDP
Pavel Kotucek932f7412017-09-07 14:44:52 +020014from scapy.layers.inet6 import IPv6
15
16from framework import VppTestCase, VppTestRunner, running_extended_tests
17from vpp_lo_interface import VppLoInterface
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020018from vpp_papi_provider import L2_VTR_OP
19from vpp_sub_interface import VppSubInterface, VppDot1QSubint, VppDot1ADSubint
Neale Rannsb4743802018-09-05 09:13:57 -070020from vpp_papi_provider import L2_PORT_TYPE
Pavel Kotucek932f7412017-09-07 14:44:52 +020021
22
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020023class MethodHolder(VppTestCase):
Pavel Kotucek932f7412017-09-07 14:44:52 +020024 DEBUG = False
25
26 BRIDGED = True
27 ROUTED = False
28
29 IS_IP4 = False
30 IS_IP6 = True
31
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020032 DOT1AD = "dot1ad"
33 DOT1Q = "dot1q"
34 PERMIT_TAGS = True
35 DENY_TAGS = False
36
Pavel Kotucek932f7412017-09-07 14:44:52 +020037 # rule types
38 DENY = 0
39 PERMIT = 1
40
41 # ACL types
42 EXACT_IP = 1
43 SUBNET_IP = 2
44 WILD_IP = 3
45
46 EXACT_MAC = 1
47 WILD_MAC = 2
48 OUI_MAC = 3
49
50 ACLS = []
51
52 @classmethod
53 def setUpClass(cls):
54 """
55 Perform standard class setup (defined by class method setUpClass in
56 class VppTestCase) before running the test case, set test case related
57 variables and configure VPP.
58 """
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020059 super(MethodHolder, cls).setUpClass()
Pavel Kotucek932f7412017-09-07 14:44:52 +020060
61 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020062 cls.bd_id = 111
63 cls.remote_hosts_count = 200
Pavel Kotucek932f7412017-09-07 14:44:52 +020064
65 try:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020066 # create 4 pg interfaces, 1 loopback interface
67 cls.create_pg_interfaces(range(4))
Klement Sekerab9ef2732018-06-24 22:49:33 +020068 cls.create_loopback_interfaces(1)
Pavel Kotucek932f7412017-09-07 14:44:52 +020069
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020070 # create 2 subinterfaces
71 cls.subifs = [
72 VppDot1QSubint(cls, cls.pg1, 10),
73 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
74 VppDot1QSubint(cls, cls.pg3, 30),
75 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
76
77 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
78 inner=10, push1q=1)
79 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
80 outer=300, inner=400, push1q=1)
81 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
82 inner=30, push1q=1)
83 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
84 outer=600, inner=700, push1q=1)
85
Pavel Kotucek932f7412017-09-07 14:44:52 +020086 cls.interfaces = list(cls.pg_interfaces)
87 cls.interfaces.extend(cls.lo_interfaces)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +020088 cls.interfaces.extend(cls.subifs)
Pavel Kotucek932f7412017-09-07 14:44:52 +020089
90 for i in cls.interfaces:
91 i.admin_up()
92
93 # Create BD with MAC learning enabled and put interfaces to this BD
94 cls.vapi.sw_interface_set_l2_bridge(
Neale Rannsb4743802018-09-05 09:13:57 -070095 cls.loop0.sw_if_index, bd_id=cls.bd_id,
96 port_type=L2_PORT_TYPE.BVI)
Pavel Kotucek932f7412017-09-07 14:44:52 +020097 cls.vapi.sw_interface_set_l2_bridge(
98 cls.pg0.sw_if_index, bd_id=cls.bd_id)
99 cls.vapi.sw_interface_set_l2_bridge(
100 cls.pg1.sw_if_index, bd_id=cls.bd_id)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200101 cls.vapi.sw_interface_set_l2_bridge(
102 cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
103 cls.vapi.sw_interface_set_l2_bridge(
104 cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200105
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200106 # Configure IPv4/6 addresses on loop interface and routed interface
Pavel Kotucek932f7412017-09-07 14:44:52 +0200107 cls.loop0.config_ip4()
108 cls.loop0.config_ip6()
109 cls.pg2.config_ip4()
110 cls.pg2.config_ip6()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200111 cls.pg3.config_ip4()
112 cls.pg3.config_ip6()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200113
114 # Configure MAC address binding to IPv4 neighbors on loop0
115 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
116 # Modify host mac addresses to have different OUI parts
117 for i in range(2, cls.remote_hosts_count + 2):
118 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
119 mac[2] = format(int(mac[2], 16) + i, "02x")
120 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
121
122 cls.loop0.configure_ipv4_neighbors()
123 cls.loop0.configure_ipv6_neighbors()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200124
125 # configure MAC address on pg3
126 cls.pg3.resolve_arp()
127 cls.pg3.resolve_ndp()
128
129 # configure MAC address on subifs
130 for i in cls.subifs:
131 i.config_ip4()
132 i.resolve_arp()
133 i.config_ip6()
134
Pavel Kotucek932f7412017-09-07 14:44:52 +0200135 # configure MAC address on pg2
136 cls.pg2.resolve_arp()
137 cls.pg2.resolve_ndp()
138
139 # Loopback BVI interface has remote hosts
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200140 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
141 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
142 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
143 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
144 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
145 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200146
147 except Exception:
juraj.linkes8e26f6d2018-09-19 14:59:43 +0200148 super(MethodHolder, cls).tearDownClass()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200149 raise
150
151 def setUp(self):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200152 super(MethodHolder, self).setUp()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200153 self.reset_packet_infos()
154 del self.ACLS[:]
155
156 def tearDown(self):
157 """
158 Show various debug prints after each test.
159 """
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200160 super(MethodHolder, self).tearDown()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200161 if not self.vpp_dead:
162 self.logger.info(self.vapi.ppcli("show interface address"))
163 self.logger.info(self.vapi.ppcli("show hardware"))
164 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
165 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
166 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200167 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
168 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
169 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200170 # print self.vapi.ppcli("show interface address")
171 # print self.vapi.ppcli("show hardware")
172 # print self.vapi.ppcli("sh acl-plugin macip interface")
173 # print self.vapi.ppcli("sh acl-plugin macip acl")
174 self.delete_acls()
175
176 def macip_acl_dump_debug(self):
177 acls = self.vapi.macip_acl_dump()
178 if self.DEBUG:
179 for acl in acls:
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200180 print "ACL #"+str(acl.acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200181 for r in acl.r:
182 rule = "ACTION"
183 if r.is_permit == 1:
184 rule = "PERMIT"
185 elif r.is_permit == 0:
186 rule = "DENY "
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200187 print " IP6" if r.is_ipv6 else " IP4", \
Pavel Kotucek932f7412017-09-07 14:44:52 +0200188 rule, \
Paul Vinciguerra6e4c6ad2018-11-25 10:35:29 -0800189 binascii.hexlify(r.src_mac), \
190 binascii.hexlify(r.src_mac_mask),\
Pavel Kotucek932f7412017-09-07 14:44:52 +0200191 unpack('<16B', r.src_ip_addr), \
192 r.src_ip_prefix_len
193 return acls
194
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200195 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
196 acl_count=1, rules_count=[1]):
197 acls = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200198 src_mac = int("220000dead00", 16)
199 for acl in range(2, (acl_count+1) * 2):
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200200 rules = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200201 host = random.choice(self.loop0.remote_hosts)
202 is_ip6 = acl % 2
203 ip4 = host.ip4.split('.')
204 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
205
206 if ip_type == self.EXACT_IP:
207 prefix_len4 = 32
208 prefix_len6 = 128
209 elif ip_type == self.WILD_IP:
210 ip4 = [0, 0, 0, 0]
211 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
212 prefix_len4 = 0
213 prefix_len6 = 0
214 rules_count[(acl / 2) - 1] = 1
215 else:
216 prefix_len4 = 24
217 prefix_len6 = 64
218
219 if mac_type == self.EXACT_MAC:
220 mask = "ff:ff:ff:ff:ff:ff"
221 elif mac_type == self.WILD_MAC:
222 mask = "00:00:00:00:00:00"
223 elif mac_type == self.OUI_MAC:
224 mask = "ff:ff:ff:00:00:00"
225 else:
226 mask = "ff:ff:ff:ff:ff:00"
227
228 ip = ip6 if is_ip6 else ip4
229 ip_len = prefix_len6 if is_ip6 else prefix_len4
230
231 for i in range(0, rules_count[(acl / 2) - 1]):
232 src_mac += 16777217
233 if mac_type == self.WILD_MAC:
234 mac = "00:00:00:00:00:00"
235 elif mac_type == self.OUI_MAC:
236 mac = ':'.join(re.findall('..', '{:02x}'.format(
237 src_mac))[:3])+":00:00:00"
238 else:
239 mac = ':'.join(re.findall('..', '{:02x}'.format(src_mac)))
240
241 if ip_type == self.EXACT_IP:
242 ip4[3] = random.randint(100, 200)
243 ip6[15] = random.randint(100, 200)
244 elif ip_type == self.SUBNET_IP:
245 ip4[2] = random.randint(100, 200)
246 ip4[3] = 0
247 ip6[8] = random.randint(100, 200)
248 ip6[15] = 0
249 ip_pack = ''
250 for j in range(0, len(ip)):
251 ip_pack += pack('<B', int(ip[j]))
252
253 rule = ({'is_permit': self.PERMIT,
254 'is_ipv6': is_ip6,
255 'src_ip_addr': ip_pack,
256 'src_ip_prefix_len': ip_len,
257 'src_mac': mac.replace(':', '').decode('hex'),
258 'src_mac_mask': mask.replace(':', '').decode('hex')})
259 rules.append(rule)
260 if ip_type == self.WILD_IP:
261 break
262
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200263 acls.append(rules)
264 src_mac += 1099511627776
265 return acls
266
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200267 def apply_macip_rules(self, acls):
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200268 for acl in acls:
269 reply = self.vapi.macip_acl_add(acl)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200270 self.assertEqual(reply.retval, 0)
271 self.ACLS.append(reply.acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200272
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200273 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200274 reply = self.macip_acl_dump_debug()
275 for acl in range(2, (acl_count+1) * 2):
276 self.assertEqual(reply[acl - 2].count, rules_count[acl/2-1])
277
278 self.vapi.macip_acl_interface_get()
279
280 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
281 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
282
283 reply = self.vapi.macip_acl_interface_get()
284 self.assertEqual(reply.count, expected_count)
285
286 def delete_acls(self):
287 for acl in range(len(self.ACLS)-1, -1, -1):
288 self.vapi.macip_acl_del(self.ACLS[acl])
289
290 reply = self.vapi.macip_acl_dump()
291 self.assertEqual(len(reply), 0)
292
Andrew Yourtchenkobeca2662018-03-23 12:20:56 +0100293 intf_acls = self.vapi.acl_interface_list_dump()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200294 for i_a in intf_acls:
Andrew Yourtchenkobeca2662018-03-23 12:20:56 +0100295 sw_if_index = i_a.sw_if_index
296 for acl_index in i_a.acls:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200297 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
298 self.vapi.acl_del(acl_index)
299
Pavel Kotucek932f7412017-09-07 14:44:52 +0200300 def create_stream(self, mac_type, ip_type, packet_count,
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200301 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200302 # exact MAC and exact IP
303 # exact MAC and subnet of IPs
304 # exact MAC and wildcard IP
305 # wildcard MAC and exact IP
306 # wildcard MAC and subnet of IPs
307 # wildcard MAC and wildcard IP
308 # OUI restricted MAC and exact IP
309 # OUI restricted MAC and subnet of IPs
310 # OUI restricted MAC and wildcard IP
311
312 packets = []
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200313 macip_rules = []
314 acl_rules = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200315 ip_permit = ""
316 mac_permit = ""
317 dst_mac = ""
318 mac_rule = "00:00:00:00:00:00"
319 mac_mask = "00:00:00:00:00:00"
320 for p in range(0, packet_count):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200321 remote_dst_index = p % len(dst_if.remote_hosts)
322 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200323
324 dst_port = 1234 + p
325 src_port = 4321 + p
326 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
327 denyMAC = True if not is_permit and p % 3 == 1 else False
328 denyIP = True if not is_permit and p % 3 == 2 else False
329 if not is_permit and ip_type == self.WILD_IP:
330 denyMAC = True
331 if not is_permit and mac_type == self.WILD_MAC:
332 denyIP = True
Pavel Kotucek057704e2017-09-14 09:50:52 +0200333
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200334 if traffic == self.BRIDGED:
Pavel Kotucek932f7412017-09-07 14:44:52 +0200335 if is_permit:
336 src_mac = remote_dst_host._mac
337 dst_mac = 'de:ad:00:00:00:00'
Pavel Kotucek932f7412017-09-07 14:44:52 +0200338 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200339 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200340 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200341 dst_ip6 = src_if.remote_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200342 ip_permit = src_ip6 if is_ip6 else src_ip4
343 mac_permit = src_mac
Pavel Kotucek932f7412017-09-07 14:44:52 +0200344 if denyMAC:
345 mac = src_mac.split(':')
346 mac[0] = format(int(mac[0], 16)+1, "02x")
347 src_mac = ":".join(mac)
348 if is_ip6:
349 src_ip6 = ip_permit
350 else:
351 src_ip4 = ip_permit
352 if denyIP:
353 if ip_type != self.WILD_IP:
354 src_mac = mac_permit
Pavel Kotucek932f7412017-09-07 14:44:52 +0200355 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200356 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200357 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200358 dst_ip6 = src_if.remote_ip6
Pavel Kotucek057704e2017-09-14 09:50:52 +0200359 else:
360 if is_permit:
361 src_mac = remote_dst_host._mac
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200362 dst_mac = src_if.local_mac
363 src_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200364 dst_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200365 src_ip6 = src_if.remote_ip6
Pavel Kotucek057704e2017-09-14 09:50:52 +0200366 dst_ip6 = remote_dst_host.ip6
367 ip_permit = src_ip6 if is_ip6 else src_ip4
368 mac_permit = src_mac
369 if denyMAC:
370 mac = src_mac.split(':')
371 mac[0] = format(int(mac[0], 16) + 1, "02x")
372 src_mac = ":".join(mac)
373 if is_ip6:
374 src_ip6 = ip_permit
375 else:
376 src_ip4 = ip_permit
377 if denyIP:
378 src_mac = remote_dst_host._mac
379 if ip_type != self.WILD_IP:
380 src_mac = mac_permit
381 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200382 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200383 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200384 dst_ip6 = src_if.remote_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200385
386 if is_permit:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200387 info = self.create_packet_info(src_if, dst_if)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200388 payload = self.info_to_payload(info)
389 else:
390 payload = "to be blocked"
391
392 if mac_type == self.WILD_MAC:
393 mac = src_mac.split(':')
394 for i in range(1, 5):
395 mac[i] = format(random.randint(0, 255), "02x")
396 src_mac = ":".join(mac)
397
398 # create packet
399 packet = Ether(src=src_mac, dst=dst_mac)
Pavel Kotucek057704e2017-09-14 09:50:52 +0200400 ip_rule = src_ip6 if is_ip6 else src_ip4
Pavel Kotucek932f7412017-09-07 14:44:52 +0200401 if is_ip6:
402 if ip_type != self.EXACT_IP:
403 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
404 if ip_type == self.WILD_IP:
405 sub_ip[0] = random.randint(240, 254)
406 sub_ip[1] = random.randint(230, 239)
407 sub_ip[14] = random.randint(100, 199)
408 sub_ip[15] = random.randint(200, 255)
409 elif ip_type == self.SUBNET_IP:
410 if denyIP:
411 sub_ip[2] = str(int(sub_ip[2]) + 1)
412 sub_ip[14] = random.randint(100, 199)
413 sub_ip[15] = random.randint(200, 255)
Pavel Kotucek057704e2017-09-14 09:50:52 +0200414 src_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200415 packet /= IPv6(src=src_ip6, dst=dst_ip6)
416 else:
417 if ip_type != self.EXACT_IP:
418 sub_ip = ip_rule.split('.')
419 if ip_type == self.WILD_IP:
420 sub_ip[0] = str(random.randint(1, 49))
421 sub_ip[1] = str(random.randint(50, 99))
422 sub_ip[2] = str(random.randint(100, 199))
423 sub_ip[3] = str(random.randint(200, 255))
424 elif ip_type == self.SUBNET_IP:
425 if denyIP:
426 sub_ip[1] = str(int(sub_ip[1])+1)
427 sub_ip[2] = str(random.randint(100, 199))
428 sub_ip[3] = str(random.randint(200, 255))
Pavel Kotucek057704e2017-09-14 09:50:52 +0200429 src_ip4 = ".".join(sub_ip)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200430 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
431
432 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
433
434 packet[Raw].load += " mac:"+src_mac
435
436 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200437 if isinstance(src_if, VppSubInterface):
438 size = size + 4
439 if isinstance(src_if, VppDot1QSubint):
440 if src_if is self.subifs[0]:
441 if tags == self.PERMIT_TAGS:
442 packet = src_if.add_dot1q_layer(packet, 10)
443 else:
444 packet = src_if.add_dot1q_layer(packet, 11)
445 else:
446 if tags == self.PERMIT_TAGS:
447 packet = src_if.add_dot1q_layer(packet, 30)
448 else:
449 packet = src_if.add_dot1q_layer(packet, 33)
450 elif isinstance(src_if, VppDot1ADSubint):
451 if src_if is self.subifs[1]:
452 if tags == self.PERMIT_TAGS:
453 packet = src_if.add_dot1ad_layer(packet, 300, 400)
454 else:
455 packet = src_if.add_dot1ad_layer(packet, 333, 444)
456 else:
457 if tags == self.PERMIT_TAGS:
458 packet = src_if.add_dot1ad_layer(packet, 600, 700)
459 else:
460 packet = src_if.add_dot1ad_layer(packet, 666, 777)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200461 self.extend_packet(packet, size)
462 packets.append(packet)
463
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200464 # create suitable MACIP rule
Pavel Kotucek932f7412017-09-07 14:44:52 +0200465 if mac_type == self.EXACT_MAC:
466 mac_rule = src_mac
467 mac_mask = "ff:ff:ff:ff:ff:ff"
468 elif mac_type == self.WILD_MAC:
469 mac_rule = "00:00:00:00:00:00"
470 mac_mask = "00:00:00:00:00:00"
471 elif mac_type == self.OUI_MAC:
472 mac = src_mac.split(':')
473 mac[3] = mac[4] = mac[5] = '00'
474 mac_rule = ":".join(mac)
475 mac_mask = "ff:ff:ff:00:00:00"
476
477 if is_ip6:
478 if ip_type == self.WILD_IP:
479 ip = "0::0"
480 else:
Pavel Kotucek057704e2017-09-14 09:50:52 +0200481 ip = src_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200482 if ip_type == self.SUBNET_IP:
483 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
484 for i in range(8, 16):
485 sub_ip[i] = 0
486 ip = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
487 else:
488 if ip_type == self.WILD_IP:
489 ip = "0.0.0.0"
490 else:
Pavel Kotucek057704e2017-09-14 09:50:52 +0200491 ip = src_ip4
Pavel Kotucek932f7412017-09-07 14:44:52 +0200492 if ip_type == self.SUBNET_IP:
493 sub_ip = ip.split('.')
494 sub_ip[2] = sub_ip[3] = '0'
495 ip = ".".join(sub_ip)
496
497 prefix_len = 128 if is_ip6 else 32
498 if ip_type == self.WILD_IP:
499 prefix_len = 0
500 elif ip_type == self.SUBNET_IP:
501 prefix_len = 64 if is_ip6 else 16
502 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
503
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200504 # create suitable ACL rule
505 if is_permit:
506 rule_l4_sport = packet[UDP].sport
507 rule_l4_dport = packet[UDP].dport
508 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
509 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
510 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
511 if packet.haslayer(IPv6):
512 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
513 else:
514 rule_l4_proto = packet[IP].proto
515
516 acl_rule = {
517 'is_permit': is_permit,
518 'is_ipv6': is_ip6,
519 'src_ip_addr': inet_pton(rule_family,
520 packet[rule_l3_layer].src),
521 'src_ip_prefix_len': rule_prefix_len,
522 'dst_ip_addr': inet_pton(rule_family,
523 packet[rule_l3_layer].dst),
524 'dst_ip_prefix_len': rule_prefix_len,
525 'srcport_or_icmptype_first': rule_l4_sport,
526 'srcport_or_icmptype_last': rule_l4_sport,
527 'dstport_or_icmpcode_first': rule_l4_dport,
528 'dstport_or_icmpcode_last': rule_l4_dport,
529 'proto': rule_l4_proto}
530 acl_rules.append(acl_rule)
531
Pavel Kotucek932f7412017-09-07 14:44:52 +0200532 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
533 continue
534
535 if is_permit:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200536 macip_rule = ({
537 'is_permit': is_permit,
538 'is_ipv6': is_ip6,
539 'src_ip_addr': ip_rule,
540 'src_ip_prefix_len': prefix_len,
541 'src_mac': mac_rule.replace(':', '').decode('hex'),
542 'src_mac_mask': mac_mask.replace(':', '').decode('hex')})
543 macip_rules.append(macip_rule)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200544
545 # deny all other packets
546 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200547 macip_rule = ({'is_permit': 0,
548 'is_ipv6': is_ip6,
549 'src_ip_addr': "",
550 'src_ip_prefix_len': 0,
551 'src_mac': "",
552 'src_mac_mask': ""})
553 macip_rules.append(macip_rule)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200554
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200555 acl_rule = {'is_permit': 0,
556 'is_ipv6': is_ip6}
557 acl_rules.append(acl_rule)
558 return {'stream': packets,
559 'macip_rules': macip_rules,
560 'acl_rules': acl_rules}
Pavel Kotucek932f7412017-09-07 14:44:52 +0200561
562 def verify_capture(self, stream, capture, is_ip6):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200563 """
564 :param stream:
565 :param capture:
566 :param is_ip6:
567 :return:
568 """
569 # p_l3 = IPv6 if is_ip6 else IP
570 # if self.DEBUG:
571 # for p in stream:
572 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
573 #
574 # acls = self.macip_acl_dump_debug()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200575
576 # TODO : verify
577 # for acl in acls:
578 # for r in acl.r:
Paul Vinciguerra6e4c6ad2018-11-25 10:35:29 -0800579 # print binascii.hexlify(r.src_mac), \
580 # binascii.hexlify(r.src_mac_mask),\
Pavel Kotucek932f7412017-09-07 14:44:52 +0200581 # unpack('<16B', r.src_ip_addr), \
582 # r.src_ip_prefix_len
583 #
584 # for p in capture:
585 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
586 # data = p[Raw].load.split(':',1)[1]
587 # print p[p_l3].src, data
588
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200589 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
590 do_not_expected_capture=False, tags=None,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100591 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
592 try_replace=False):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200593 self.reset_packet_infos()
594
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200595 if tags is None:
596 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
597 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
598 src_if = self.pg3
599 dst_if = self.loop0
600 else:
601 if tags == self.DOT1Q:
602 if traffic == self.BRIDGED:
603 tx_if = self.subifs[0]
604 rx_if = self.pg0
605 src_if = self.subifs[0]
606 dst_if = self.loop0
607 else:
608 tx_if = self.subifs[2]
609 rx_if = self.pg0
610 src_if = self.subifs[2]
611 dst_if = self.loop0
612 elif tags == self.DOT1AD:
613 if traffic == self.BRIDGED:
614 tx_if = self.subifs[1]
615 rx_if = self.pg0
616 src_if = self.subifs[1]
617 dst_if = self.loop0
618 else:
619 tx_if = self.subifs[3]
620 rx_if = self.pg0
621 src_if = self.subifs[3]
622 dst_if = self.loop0
623 else:
624 return
Pavel Kotucek932f7412017-09-07 14:44:52 +0200625
626 test_dict = self.create_stream(mac_type, ip_type, packets,
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200627 src_if, dst_if,
628 traffic, is_ip6,
629 tags=permit_tags)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200630
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200631 if apply_rules:
632 if isMACIP:
633 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
634 else:
635 reply = self.vapi.acl_add_replace(acl_index=4294967295,
636 r=test_dict['acl_rules'])
637 self.assertEqual(reply.retval, 0)
638 acl_index = reply.acl_index
Pavel Kotucek932f7412017-09-07 14:44:52 +0200639
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200640 if isMACIP:
641 self.vapi.macip_acl_interface_add_del(
642 sw_if_index=tx_if.sw_if_index,
643 acl_index=acl_index)
644 reply = self.vapi.macip_acl_interface_get()
645 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
646 self.ACLS.append(reply.acls[tx_if.sw_if_index])
647 else:
648 self.vapi.acl_interface_add_del(
649 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
650 else:
651 self.vapi.macip_acl_interface_add_del(
652 sw_if_index=tx_if.sw_if_index,
653 acl_index=0)
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100654 if try_replace:
655 if isMACIP:
656 reply = self.vapi.macip_acl_add_replace(
657 test_dict['macip_rules'],
658 acl_index)
659 else:
660 reply = self.vapi.acl_add_replace(acl_index=acl_index,
661 r=test_dict['acl_rules'])
662 self.assertEqual(reply.retval, 0)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200663
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200664 if not isinstance(src_if, VppSubInterface):
665 tx_if.add_stream(test_dict['stream'])
666 else:
667 tx_if.parent.add_stream(test_dict['stream'])
Pavel Kotucek932f7412017-09-07 14:44:52 +0200668 self.pg_enable_capture(self.pg_interfaces)
669 self.pg_start()
670
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200671 if do_not_expected_capture:
672 rx_if.get_capture(0)
673 else:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200674 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
675 ip_type == self.WILD_IP:
676 capture = rx_if.get_capture(packets)
677 else:
678 capture = rx_if.get_capture(
679 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200680 self.verify_capture(test_dict['stream'], capture, is_ip6)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200681 if not isMACIP:
682 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
683 acl_index=acl_index, is_add=0)
684 self.vapi.acl_del(acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200685
686 def run_test_acls(self, mac_type, ip_type, acl_count,
687 rules_count, traffic=None, ip=None):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200688 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
689 rules_count))
690 self.verify_macip_acls(acl_count, rules_count)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200691
692 if traffic is not None:
693 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
694
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200695
696class TestMACIP_IP4(MethodHolder):
697 """MACIP with IP4 traffic"""
698
Pavel Kotucek057704e2017-09-14 09:50:52 +0200699 def test_acl_bridged_ip4_exactMAC_exactIP(self):
700 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200701 """
702 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
703 self.BRIDGED, self.IS_IP4, 9)
704
Pavel Kotucek057704e2017-09-14 09:50:52 +0200705 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
706 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200707 """
708
709 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
710 self.BRIDGED, self.IS_IP4, 9)
711
Pavel Kotucek057704e2017-09-14 09:50:52 +0200712 def test_acl_bridged_ip4_exactMAC_wildIP(self):
713 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200714 """
715
716 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
717 self.BRIDGED, self.IS_IP4, 9)
718
Pavel Kotucek057704e2017-09-14 09:50:52 +0200719 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
720 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200721 """
722
723 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
724 self.BRIDGED, self.IS_IP4, 3)
725
Pavel Kotucek057704e2017-09-14 09:50:52 +0200726 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
727 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200728 """
729
730 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
731 self.BRIDGED, self.IS_IP4, 9)
732
Pavel Kotucek057704e2017-09-14 09:50:52 +0200733 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
734 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200735 """
736
737 self.run_traffic(self.OUI_MAC, self.WILD_IP,
738 self.BRIDGED, self.IS_IP4, 9)
739
Pavel Kotucek057704e2017-09-14 09:50:52 +0200740 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
741 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200742 """
743
744 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
745 self.BRIDGED, self.IS_IP4, 9)
746
Pavel Kotucek057704e2017-09-14 09:50:52 +0200747 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
748 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200749 """
750
751 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
752 self.BRIDGED, self.IS_IP4, 9)
753
Pavel Kotucek057704e2017-09-14 09:50:52 +0200754 def test_acl_bridged_ip4_wildMAC_wildIP(self):
755 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200756 """
757
758 self.run_traffic(self.WILD_MAC, self.WILD_IP,
759 self.BRIDGED, self.IS_IP4, 9)
760
Pavel Kotucek057704e2017-09-14 09:50:52 +0200761 def test_acl_routed_ip4_exactMAC_exactIP(self):
762 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
763 """
764 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
765 self.ROUTED, self.IS_IP4, 9)
766
Pavel Kotucek057704e2017-09-14 09:50:52 +0200767 def test_acl_routed_ip4_exactMAC_subnetIP(self):
768 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
769 """
770 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
771 self.ROUTED, self.IS_IP4, 9)
772
Pavel Kotucek057704e2017-09-14 09:50:52 +0200773 def test_acl_routed_ip4_exactMAC_wildIP(self):
774 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
775 """
776 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
777 self.ROUTED, self.IS_IP4, 9)
778
Pavel Kotucek057704e2017-09-14 09:50:52 +0200779 def test_acl_routed_ip4_ouiMAC_exactIP(self):
780 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
781 """
782
783 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
784 self.ROUTED, self.IS_IP4, 9)
785
Pavel Kotucek057704e2017-09-14 09:50:52 +0200786 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
787 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
788 """
789
790 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
791 self.ROUTED, self.IS_IP4, 9)
792
Pavel Kotucek057704e2017-09-14 09:50:52 +0200793 def test_acl_routed_ip4_ouiMAC_wildIP(self):
794 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
795 """
796
797 self.run_traffic(self.OUI_MAC, self.WILD_IP,
798 self.ROUTED, self.IS_IP4, 9)
799
Pavel Kotucek057704e2017-09-14 09:50:52 +0200800 def test_acl_routed_ip4_wildMAC_exactIP(self):
801 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
802 """
803
804 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
805 self.ROUTED, self.IS_IP4, 9)
806
Pavel Kotucek057704e2017-09-14 09:50:52 +0200807 def test_acl_routed_ip4_wildMAC_subnetIP(self):
808 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
809 """
810
811 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
812 self.ROUTED, self.IS_IP4, 9)
813
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200814 def test_acl_routed_ip4_wildMAC_wildIP(self):
815 """ IP4 MACIP wildcardMAC|wildIP ACL
816 """
817
818 self.run_traffic(self.WILD_MAC, self.WILD_IP,
819 self.ROUTED, self.IS_IP4, 9)
820
821 def test_acl_replace_traffic_ip4(self):
822 """ MACIP replace ACL with IP4 traffic
823 """
824 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100825 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200826 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100827 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200828
829
830class TestMACIP_IP6(MethodHolder):
831 """MACIP with IP6 traffic"""
832
833 def test_acl_bridged_ip6_exactMAC_exactIP(self):
834 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
835 """
836
837 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
838 self.BRIDGED, self.IS_IP6, 9)
839
840 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
841 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
842 """
843
844 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
845 self.BRIDGED, self.IS_IP6, 9)
846
847 def test_acl_bridged_ip6_exactMAC_wildIP(self):
848 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
849 """
850
851 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
852 self.BRIDGED, self.IS_IP6, 9)
853
854 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
855 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
856 """
857
858 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
859 self.BRIDGED, self.IS_IP6, 9)
860
861 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
862 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
863 """
864
865 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
866 self.BRIDGED, self.IS_IP6, 9)
867
868 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
869 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
870 """
871
872 self.run_traffic(self.OUI_MAC, self.WILD_IP,
873 self.BRIDGED, self.IS_IP6, 9)
874
875 def test_acl_bridged_ip6_wildMAC_exactIP(self):
876 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
877 """
878
879 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
880 self.BRIDGED, self.IS_IP6, 9)
881
882 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
883 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
884 """
885
886 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
887 self.BRIDGED, self.IS_IP6, 9)
888
889 def test_acl_bridged_ip6_wildMAC_wildIP(self):
890 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
891 """
892
893 self.run_traffic(self.WILD_MAC, self.WILD_IP,
894 self.BRIDGED, self.IS_IP6, 9)
895
896 def test_acl_routed_ip6_exactMAC_exactIP(self):
897 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
898 """
899
900 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
901 self.ROUTED, self.IS_IP6, 9)
902
903 def test_acl_routed_ip6_exactMAC_subnetIP(self):
904 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
905 """
906
907 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
908 self.ROUTED, self.IS_IP6, 9)
909
910 def test_acl_routed_ip6_exactMAC_wildIP(self):
911 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
912 """
913
914 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
915 self.ROUTED, self.IS_IP6, 9)
916
917 def test_acl_routed_ip6_ouiMAC_exactIP(self):
918 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
919 """
920
921 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
922 self.ROUTED, self.IS_IP6, 9)
923
924 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
925 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
926 """
927
928 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
929 self.ROUTED, self.IS_IP6, 9)
930
931 def test_acl_routed_ip6_ouiMAC_wildIP(self):
932 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
933 """
934
935 self.run_traffic(self.OUI_MAC, self.WILD_IP,
936 self.ROUTED, self.IS_IP6, 9)
937
938 def test_acl_routed_ip6_wildMAC_exactIP(self):
939 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
940 """
941
942 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
943 self.ROUTED, self.IS_IP6, 9)
944
Pavel Kotucek057704e2017-09-14 09:50:52 +0200945 def test_acl_routed_ip6_wildMAC_subnetIP(self):
946 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
947 """
948
949 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
950 self.ROUTED, self.IS_IP6, 9)
951
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200952 def test_acl_routed_ip6_wildMAC_wildIP(self):
953 """ IP6 MACIP wildcardMAC|wildIP ACL
954 """
955
956 self.run_traffic(self.WILD_MAC, self.WILD_IP,
957 self.ROUTED, self.IS_IP6, 9)
958
959 def test_acl_replace_traffic_ip6(self):
960 """ MACIP replace ACL with IP6 traffic
961 """
962 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100963 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200964 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100965 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200966
967
968class TestMACIP(MethodHolder):
969 """MACIP Tests"""
970
Pavel Kotucek932f7412017-09-07 14:44:52 +0200971 def test_acl_1_2(self):
972 """ MACIP ACL with 2 entries
973 """
974
975 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
976
977 def test_acl_1_5(self):
978 """ MACIP ACL with 5 entries
979 """
980
981 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
982
983 def test_acl_1_10(self):
984 """ MACIP ACL with 10 entries
985 """
986
987 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
988
989 def test_acl_1_20(self):
990 """ MACIP ACL with 20 entries
991 """
992
993 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
994
995 def test_acl_1_50(self):
996 """ MACIP ACL with 50 entries
997 """
998
999 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1000
1001 def test_acl_1_100(self):
1002 """ MACIP ACL with 100 entries
1003 """
1004
1005 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1006
1007 def test_acl_2_X(self):
1008 """ MACIP 2 ACLs each with 100+ entries
1009 """
1010
1011 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1012
1013 def test_acl_10_X(self):
1014 """ MACIP 10 ACLs each with 100+ entries
1015 """
1016
1017 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1018 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1019
1020 def test_acl_10_X_traffic_ip4(self):
1021 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1022 """
1023
1024 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1025 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1026 self.BRIDGED, self.IS_IP4)
1027
1028 def test_acl_10_X_traffic_ip6(self):
1029 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1030 """
1031
1032 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1033 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1034 self.BRIDGED, self.IS_IP6)
1035
Pavel Kotucekc29940c2017-09-07 08:17:31 +02001036 def test_acl_replace(self):
1037 """ MACIP replace ACL
1038 """
1039
1040 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1041 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +02001042 self.apply_macip_rules(r1)
Pavel Kotucekc29940c2017-09-07 08:17:31 +02001043
1044 acls_before = self.macip_acl_dump_debug()
1045
1046 # replace acls #2, #3 with new
1047 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1048 self.assertEqual(reply.retval, 0)
1049 self.assertEqual(reply.acl_index, 2)
1050 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1051 self.assertEqual(reply.retval, 0)
1052 self.assertEqual(reply.acl_index, 3)
1053
1054 acls_after = self.macip_acl_dump_debug()
1055
1056 # verify changes
1057 self.assertEqual(len(acls_before), len(acls_after))
1058 for acl1, acl2 in zip(
1059 acls_before[:2]+acls_before[4:],
1060 acls_after[:2]+acls_after[4:]):
1061 self.assertEqual(len(acl1), len(acl2))
1062
1063 self.assertEqual(len(acl1.r), len(acl2.r))
1064 for r1, r2 in zip(acl1.r, acl2.r):
1065 self.assertEqual(len(acl1.r), len(acl2.r))
1066 self.assertEqual(acl1.r, acl2.r)
1067 for acl1, acl2 in zip(
1068 acls_before[2:4],
1069 acls_after[2:4]):
1070 self.assertEqual(len(acl1), len(acl2))
1071
1072 self.assertNotEqual(len(acl1.r), len(acl2.r))
1073 for r1, r2 in zip(acl1.r, acl2.r):
1074 self.assertNotEqual(len(acl1.r), len(acl2.r))
1075 self.assertNotEqual(acl1.r, acl2.r)
1076
Pavel Kotucek932f7412017-09-07 14:44:52 +02001077 def test_delete_intf(self):
1078 """ MACIP ACL delete intf with acl
1079 """
1080
1081 intf_count = len(self.interfaces)+1
Pavel Kotucek932f7412017-09-07 14:44:52 +02001082 intf = []
Pavel Kotucek8daa80a2017-09-25 09:44:05 +02001083 self.apply_macip_rules(self.create_rules(acl_count=3,
1084 rules_count=[3, 5, 4]))
Pavel Kotucek932f7412017-09-07 14:44:52 +02001085
Klement Sekerabeaded52018-06-24 10:30:37 +02001086 intf.append(VppLoInterface(self))
1087 intf.append(VppLoInterface(self))
Pavel Kotucek932f7412017-09-07 14:44:52 +02001088
1089 sw_if_index0 = intf[0].sw_if_index
1090 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1091
1092 reply = self.vapi.macip_acl_interface_get()
1093 self.assertEqual(reply.count, intf_count+1)
1094 self.assertEqual(reply.acls[sw_if_index0], 1)
1095
1096 sw_if_index1 = intf[1].sw_if_index
1097 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1098
1099 reply = self.vapi.macip_acl_interface_get()
1100 self.assertEqual(reply.count, intf_count+2)
1101 self.assertEqual(reply.acls[sw_if_index1], 0)
1102
1103 intf[0].remove_vpp_config()
1104 reply = self.vapi.macip_acl_interface_get()
1105 self.assertEqual(reply.count, intf_count+2)
1106 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1107 self.assertEqual(reply.acls[sw_if_index1], 0)
1108
Klement Sekerabeaded52018-06-24 10:30:37 +02001109 intf.append(VppLoInterface(self))
1110 intf.append(VppLoInterface(self))
Pavel Kotucek932f7412017-09-07 14:44:52 +02001111 sw_if_index2 = intf[2].sw_if_index
1112 sw_if_index3 = intf[3].sw_if_index
1113 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1114 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1115
1116 reply = self.vapi.macip_acl_interface_get()
1117 self.assertEqual(reply.count, intf_count+3)
1118 self.assertEqual(reply.acls[sw_if_index1], 0)
1119 self.assertEqual(reply.acls[sw_if_index2], 1)
1120 self.assertEqual(reply.acls[sw_if_index3], 1)
Andrew Yourtchenko563a8532018-03-23 15:23:15 +01001121 self.logger.info("MACIP ACL on multiple interfaces:")
1122 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1123 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1124 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1125 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1126 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
Pavel Kotucek932f7412017-09-07 14:44:52 +02001127
1128 intf[2].remove_vpp_config()
1129 intf[1].remove_vpp_config()
1130
1131 reply = self.vapi.macip_acl_interface_get()
1132 self.assertEqual(reply.count, intf_count+3)
1133 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1134 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1135 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1136 self.assertEqual(reply.acls[sw_if_index3], 1)
1137
1138 intf[3].remove_vpp_config()
1139 reply = self.vapi.macip_acl_interface_get()
1140
1141 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1142
Pavel Kotucek057704e2017-09-14 09:50:52 +02001143
Pavel Kotucek8daa80a2017-09-25 09:44:05 +02001144class TestACL_dot1q_bridged(MethodHolder):
1145 """ACL on dot1q bridged subinterfaces Tests"""
Pavel Kotucek057704e2017-09-14 09:50:52 +02001146
Pavel Kotucek8daa80a2017-09-25 09:44:05 +02001147 def test_acl_bridged_ip4_subif_dot1q(self):
1148 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1149 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1150 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
Pavel Kotucek057704e2017-09-14 09:50:52 +02001151
Pavel Kotucek8daa80a2017-09-25 09:44:05 +02001152 def test_acl_bridged_ip6_subif_dot1q(self):
1153 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1154 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1155 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1156
1157
1158class TestACL_dot1ad_bridged(MethodHolder):
1159 """ACL on dot1ad bridged subinterfaces Tests"""
1160
1161 def test_acl_bridged_ip4_subif_dot1ad(self):
1162 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1163 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1164 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1165
1166 def test_acl_bridged_ip6_subif_dot1ad(self):
1167 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1168 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1169 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1170
1171
1172class TestACL_dot1q_routed(MethodHolder):
1173 """ACL on dot1q routed subinterfaces Tests"""
1174
1175 def test_acl_routed_ip4_subif_dot1q(self):
1176 """ IP4 ACL SubIf Dot1Q routed traffic"""
1177 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1178 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1179
1180 def test_acl_routed_ip6_subif_dot1q(self):
1181 """ IP6 ACL SubIf Dot1Q routed traffic"""
1182 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1183 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1184
1185 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1186 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1187 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1188 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1189 permit_tags=self.DENY_TAGS)
1190
1191 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1192 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1193 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1194 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1195 permit_tags=self.DENY_TAGS)
1196
1197
1198class TestACL_dot1ad_routed(MethodHolder):
1199 """ACL on dot1ad routed subinterfaces Tests"""
1200
1201 def test_acl_routed_ip6_subif_dot1ad(self):
1202 """ IP6 ACL SubIf Dot1AD routed traffic"""
1203 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1204 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1205
1206 def test_acl_routed_ip4_subif_dot1ad(self):
1207 """ IP4 ACL SubIf Dot1AD routed traffic"""
1208 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1209 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1210
1211 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1212 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1213 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1214 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1215 permit_tags=self.DENY_TAGS)
1216
1217 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1218 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1219 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1220 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1221 permit_tags=self.DENY_TAGS)
Pavel Kotucek932f7412017-09-07 14:44:52 +02001222
1223
1224if __name__ == '__main__':
1225 unittest.main(testRunner=VppTestRunner)