Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / beaded5e0cbcd507fa4dca4f71712bd4e6911e69 / . / test / test_acl_plugin_macip.py
blob: f35db55fb7e263ee4961a94451c3369945641357 [file] [log] [blame]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1#!/usr/bin/env python
2"""ACL plugin - MACIP tests
3"""
4import random
5import re
6import unittest
7
8from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
9from struct import *
10from scapy.packet import Raw
11from scapy.layers.l2 import Ether
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]12from scapy.layers.inet import IP, UDP
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]13from scapy.layers.inet6 import IPv6
14
15from framework import VppTestCase, VppTestRunner, running_extended_tests
16from vpp_lo_interface import VppLoInterface
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]17from vpp_papi_provider import L2_VTR_OP
18from vpp_sub_interface import VppSubInterface, VppDot1QSubint, VppDot1ADSubint
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]19
20
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]21class MethodHolder(VppTestCase):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]22 DEBUG = False
23
24 BRIDGED = True
25 ROUTED = False
26
27 IS_IP4 = False
28 IS_IP6 = True
29
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]30 DOT1AD = "dot1ad"
31 DOT1Q = "dot1q"
32 PERMIT_TAGS = True
33 DENY_TAGS = False
34
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]35 # rule types
36 DENY = 0
37 PERMIT = 1
38
39 # ACL types
40 EXACT_IP = 1
41 SUBNET_IP = 2
42 WILD_IP = 3
43
44 EXACT_MAC = 1
45 WILD_MAC = 2
46 OUI_MAC = 3
47
48 ACLS = []
49
50 @classmethod
51 def setUpClass(cls):
52 """
53 Perform standard class setup (defined by class method setUpClass in
54 class VppTestCase) before running the test case, set test case related
55 variables and configure VPP.
56 """
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]57 super(MethodHolder, cls).setUpClass()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]58
59 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]60 cls.bd_id = 111
61 cls.remote_hosts_count = 200
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]62
63 try:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]64 # create 4 pg interfaces, 1 loopback interface
65 cls.create_pg_interfaces(range(4))
Klement Sekerab9ef2732018-06-24 22:49:33 +0200[diff] [blame]66 cls.create_loopback_interfaces(1)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]67
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]68 # create 2 subinterfaces
69 cls.subifs = [
70 VppDot1QSubint(cls, cls.pg1, 10),
71 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
72 VppDot1QSubint(cls, cls.pg3, 30),
73 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
74
75 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
76 inner=10, push1q=1)
77 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
78 outer=300, inner=400, push1q=1)
79 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
80 inner=30, push1q=1)
81 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
82 outer=600, inner=700, push1q=1)
83
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]84 cls.interfaces = list(cls.pg_interfaces)
85 cls.interfaces.extend(cls.lo_interfaces)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]86 cls.interfaces.extend(cls.subifs)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]87
88 for i in cls.interfaces:
89 i.admin_up()
90
91 # Create BD with MAC learning enabled and put interfaces to this BD
92 cls.vapi.sw_interface_set_l2_bridge(
93 cls.loop0.sw_if_index, bd_id=cls.bd_id, bvi=1)
94 cls.vapi.sw_interface_set_l2_bridge(
95 cls.pg0.sw_if_index, bd_id=cls.bd_id)
96 cls.vapi.sw_interface_set_l2_bridge(
97 cls.pg1.sw_if_index, bd_id=cls.bd_id)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]98 cls.vapi.sw_interface_set_l2_bridge(
99 cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
100 cls.vapi.sw_interface_set_l2_bridge(
101 cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]102
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]103 # Configure IPv4/6 addresses on loop interface and routed interface
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]104 cls.loop0.config_ip4()
105 cls.loop0.config_ip6()
106 cls.pg2.config_ip4()
107 cls.pg2.config_ip6()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]108 cls.pg3.config_ip4()
109 cls.pg3.config_ip6()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]110
111 # Configure MAC address binding to IPv4 neighbors on loop0
112 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
113 # Modify host mac addresses to have different OUI parts
114 for i in range(2, cls.remote_hosts_count + 2):
115 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
116 mac[2] = format(int(mac[2], 16) + i, "02x")
117 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
118
119 cls.loop0.configure_ipv4_neighbors()
120 cls.loop0.configure_ipv6_neighbors()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]121
122 # configure MAC address on pg3
123 cls.pg3.resolve_arp()
124 cls.pg3.resolve_ndp()
125
126 # configure MAC address on subifs
127 for i in cls.subifs:
128 i.config_ip4()
129 i.resolve_arp()
130 i.config_ip6()
131
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]132 # configure MAC address on pg2
133 cls.pg2.resolve_arp()
134 cls.pg2.resolve_ndp()
135
136 # Loopback BVI interface has remote hosts
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]137 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
138 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
139 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
140 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
141 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
142 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]143
144 except Exception:
145 super(TestMACIP, cls).tearDownClass()
146 raise
147
148 def setUp(self):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]149 super(MethodHolder, self).setUp()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]150 self.reset_packet_infos()
151 del self.ACLS[:]
152
153 def tearDown(self):
154 """
155 Show various debug prints after each test.
156 """
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]157 super(MethodHolder, self).tearDown()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]158 if not self.vpp_dead:
159 self.logger.info(self.vapi.ppcli("show interface address"))
160 self.logger.info(self.vapi.ppcli("show hardware"))
161 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
162 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
163 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]164 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
165 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
166 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]167 # print self.vapi.ppcli("show interface address")
168 # print self.vapi.ppcli("show hardware")
169 # print self.vapi.ppcli("sh acl-plugin macip interface")
170 # print self.vapi.ppcli("sh acl-plugin macip acl")
171 self.delete_acls()
172
173 def macip_acl_dump_debug(self):
174 acls = self.vapi.macip_acl_dump()
175 if self.DEBUG:
176 for acl in acls:
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]177 print "ACL #"+str(acl.acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]178 for r in acl.r:
179 rule = "ACTION"
180 if r.is_permit == 1:
181 rule = "PERMIT"
182 elif r.is_permit == 0:
183 rule = "DENY "
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]184 print " IP6" if r.is_ipv6 else " IP4", \
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]185 rule, \
186 r.src_mac.encode('hex'), \
187 r.src_mac_mask.encode('hex'),\
188 unpack('<16B', r.src_ip_addr), \
189 r.src_ip_prefix_len
190 return acls
191
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]192 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
193 acl_count=1, rules_count=[1]):
194 acls = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]195 src_mac = int("220000dead00", 16)
196 for acl in range(2, (acl_count+1) * 2):
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]197 rules = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]198 host = random.choice(self.loop0.remote_hosts)
199 is_ip6 = acl % 2
200 ip4 = host.ip4.split('.')
201 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
202
203 if ip_type == self.EXACT_IP:
204 prefix_len4 = 32
205 prefix_len6 = 128
206 elif ip_type == self.WILD_IP:
207 ip4 = [0, 0, 0, 0]
208 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
209 prefix_len4 = 0
210 prefix_len6 = 0
211 rules_count[(acl / 2) - 1] = 1
212 else:
213 prefix_len4 = 24
214 prefix_len6 = 64
215
216 if mac_type == self.EXACT_MAC:
217 mask = "ff:ff:ff:ff:ff:ff"
218 elif mac_type == self.WILD_MAC:
219 mask = "00:00:00:00:00:00"
220 elif mac_type == self.OUI_MAC:
221 mask = "ff:ff:ff:00:00:00"
222 else:
223 mask = "ff:ff:ff:ff:ff:00"
224
225 ip = ip6 if is_ip6 else ip4
226 ip_len = prefix_len6 if is_ip6 else prefix_len4
227
228 for i in range(0, rules_count[(acl / 2) - 1]):
229 src_mac += 16777217
230 if mac_type == self.WILD_MAC:
231 mac = "00:00:00:00:00:00"
232 elif mac_type == self.OUI_MAC:
233 mac = ':'.join(re.findall('..', '{:02x}'.format(
234 src_mac))[:3])+":00:00:00"
235 else:
236 mac = ':'.join(re.findall('..', '{:02x}'.format(src_mac)))
237
238 if ip_type == self.EXACT_IP:
239 ip4[3] = random.randint(100, 200)
240 ip6[15] = random.randint(100, 200)
241 elif ip_type == self.SUBNET_IP:
242 ip4[2] = random.randint(100, 200)
243 ip4[3] = 0
244 ip6[8] = random.randint(100, 200)
245 ip6[15] = 0
246 ip_pack = ''
247 for j in range(0, len(ip)):
248 ip_pack += pack('<B', int(ip[j]))
249
250 rule = ({'is_permit': self.PERMIT,
251 'is_ipv6': is_ip6,
252 'src_ip_addr': ip_pack,
253 'src_ip_prefix_len': ip_len,
254 'src_mac': mac.replace(':', '').decode('hex'),
255 'src_mac_mask': mask.replace(':', '').decode('hex')})
256 rules.append(rule)
257 if ip_type == self.WILD_IP:
258 break
259
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]260 acls.append(rules)
261 src_mac += 1099511627776
262 return acls
263
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]264 def apply_macip_rules(self, acls):
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]265 for acl in acls:
266 reply = self.vapi.macip_acl_add(acl)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]267 self.assertEqual(reply.retval, 0)
268 self.ACLS.append(reply.acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]269
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]270 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]271 reply = self.macip_acl_dump_debug()
272 for acl in range(2, (acl_count+1) * 2):
273 self.assertEqual(reply[acl - 2].count, rules_count[acl/2-1])
274
275 self.vapi.macip_acl_interface_get()
276
277 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
278 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
279
280 reply = self.vapi.macip_acl_interface_get()
281 self.assertEqual(reply.count, expected_count)
282
283 def delete_acls(self):
284 for acl in range(len(self.ACLS)-1, -1, -1):
285 self.vapi.macip_acl_del(self.ACLS[acl])
286
287 reply = self.vapi.macip_acl_dump()
288 self.assertEqual(len(reply), 0)
289
Andrew Yourtchenkobeca2662018-03-23 12:20:56 +0100[diff] [blame]290 intf_acls = self.vapi.acl_interface_list_dump()
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]291 for i_a in intf_acls:
Andrew Yourtchenkobeca2662018-03-23 12:20:56 +0100[diff] [blame]292 sw_if_index = i_a.sw_if_index
293 for acl_index in i_a.acls:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]294 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
295 self.vapi.acl_del(acl_index)
296
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]297 def create_stream(self, mac_type, ip_type, packet_count,
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]298 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]299 # exact MAC and exact IP
300 # exact MAC and subnet of IPs
301 # exact MAC and wildcard IP
302 # wildcard MAC and exact IP
303 # wildcard MAC and subnet of IPs
304 # wildcard MAC and wildcard IP
305 # OUI restricted MAC and exact IP
306 # OUI restricted MAC and subnet of IPs
307 # OUI restricted MAC and wildcard IP
308
309 packets = []
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]310 macip_rules = []
311 acl_rules = []
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]312 ip_permit = ""
313 mac_permit = ""
314 dst_mac = ""
315 mac_rule = "00:00:00:00:00:00"
316 mac_mask = "00:00:00:00:00:00"
317 for p in range(0, packet_count):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]318 remote_dst_index = p % len(dst_if.remote_hosts)
319 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]320
321 dst_port = 1234 + p
322 src_port = 4321 + p
323 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
324 denyMAC = True if not is_permit and p % 3 == 1 else False
325 denyIP = True if not is_permit and p % 3 == 2 else False
326 if not is_permit and ip_type == self.WILD_IP:
327 denyMAC = True
328 if not is_permit and mac_type == self.WILD_MAC:
329 denyIP = True
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]330
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]331 if traffic == self.BRIDGED:
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]332 if is_permit:
333 src_mac = remote_dst_host._mac
334 dst_mac = 'de:ad:00:00:00:00'
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]335 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]336 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]337 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]338 dst_ip6 = src_if.remote_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]339 ip_permit = src_ip6 if is_ip6 else src_ip4
340 mac_permit = src_mac
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]341 if denyMAC:
342 mac = src_mac.split(':')
343 mac[0] = format(int(mac[0], 16)+1, "02x")
344 src_mac = ":".join(mac)
345 if is_ip6:
346 src_ip6 = ip_permit
347 else:
348 src_ip4 = ip_permit
349 if denyIP:
350 if ip_type != self.WILD_IP:
351 src_mac = mac_permit
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]352 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]353 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]354 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]355 dst_ip6 = src_if.remote_ip6
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]356 else:
357 if is_permit:
358 src_mac = remote_dst_host._mac
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]359 dst_mac = src_if.local_mac
360 src_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]361 dst_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]362 src_ip6 = src_if.remote_ip6
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]363 dst_ip6 = remote_dst_host.ip6
364 ip_permit = src_ip6 if is_ip6 else src_ip4
365 mac_permit = src_mac
366 if denyMAC:
367 mac = src_mac.split(':')
368 mac[0] = format(int(mac[0], 16) + 1, "02x")
369 src_mac = ":".join(mac)
370 if is_ip6:
371 src_ip6 = ip_permit
372 else:
373 src_ip4 = ip_permit
374 if denyIP:
375 src_mac = remote_dst_host._mac
376 if ip_type != self.WILD_IP:
377 src_mac = mac_permit
378 src_ip4 = remote_dst_host.ip4
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]379 dst_ip4 = src_if.remote_ip4
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]380 src_ip6 = remote_dst_host.ip6
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]381 dst_ip6 = src_if.remote_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]382
383 if is_permit:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]384 info = self.create_packet_info(src_if, dst_if)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]385 payload = self.info_to_payload(info)
386 else:
387 payload = "to be blocked"
388
389 if mac_type == self.WILD_MAC:
390 mac = src_mac.split(':')
391 for i in range(1, 5):
392 mac[i] = format(random.randint(0, 255), "02x")
393 src_mac = ":".join(mac)
394
395 # create packet
396 packet = Ether(src=src_mac, dst=dst_mac)
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]397 ip_rule = src_ip6 if is_ip6 else src_ip4
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]398 if is_ip6:
399 if ip_type != self.EXACT_IP:
400 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
401 if ip_type == self.WILD_IP:
402 sub_ip[0] = random.randint(240, 254)
403 sub_ip[1] = random.randint(230, 239)
404 sub_ip[14] = random.randint(100, 199)
405 sub_ip[15] = random.randint(200, 255)
406 elif ip_type == self.SUBNET_IP:
407 if denyIP:
408 sub_ip[2] = str(int(sub_ip[2]) + 1)
409 sub_ip[14] = random.randint(100, 199)
410 sub_ip[15] = random.randint(200, 255)
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]411 src_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]412 packet /= IPv6(src=src_ip6, dst=dst_ip6)
413 else:
414 if ip_type != self.EXACT_IP:
415 sub_ip = ip_rule.split('.')
416 if ip_type == self.WILD_IP:
417 sub_ip[0] = str(random.randint(1, 49))
418 sub_ip[1] = str(random.randint(50, 99))
419 sub_ip[2] = str(random.randint(100, 199))
420 sub_ip[3] = str(random.randint(200, 255))
421 elif ip_type == self.SUBNET_IP:
422 if denyIP:
423 sub_ip[1] = str(int(sub_ip[1])+1)
424 sub_ip[2] = str(random.randint(100, 199))
425 sub_ip[3] = str(random.randint(200, 255))
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]426 src_ip4 = ".".join(sub_ip)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]427 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
428
429 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
430
431 packet[Raw].load += " mac:"+src_mac
432
433 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]434 if isinstance(src_if, VppSubInterface):
435 size = size + 4
436 if isinstance(src_if, VppDot1QSubint):
437 if src_if is self.subifs[0]:
438 if tags == self.PERMIT_TAGS:
439 packet = src_if.add_dot1q_layer(packet, 10)
440 else:
441 packet = src_if.add_dot1q_layer(packet, 11)
442 else:
443 if tags == self.PERMIT_TAGS:
444 packet = src_if.add_dot1q_layer(packet, 30)
445 else:
446 packet = src_if.add_dot1q_layer(packet, 33)
447 elif isinstance(src_if, VppDot1ADSubint):
448 if src_if is self.subifs[1]:
449 if tags == self.PERMIT_TAGS:
450 packet = src_if.add_dot1ad_layer(packet, 300, 400)
451 else:
452 packet = src_if.add_dot1ad_layer(packet, 333, 444)
453 else:
454 if tags == self.PERMIT_TAGS:
455 packet = src_if.add_dot1ad_layer(packet, 600, 700)
456 else:
457 packet = src_if.add_dot1ad_layer(packet, 666, 777)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]458 self.extend_packet(packet, size)
459 packets.append(packet)
460
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]461 # create suitable MACIP rule
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]462 if mac_type == self.EXACT_MAC:
463 mac_rule = src_mac
464 mac_mask = "ff:ff:ff:ff:ff:ff"
465 elif mac_type == self.WILD_MAC:
466 mac_rule = "00:00:00:00:00:00"
467 mac_mask = "00:00:00:00:00:00"
468 elif mac_type == self.OUI_MAC:
469 mac = src_mac.split(':')
470 mac[3] = mac[4] = mac[5] = '00'
471 mac_rule = ":".join(mac)
472 mac_mask = "ff:ff:ff:00:00:00"
473
474 if is_ip6:
475 if ip_type == self.WILD_IP:
476 ip = "0::0"
477 else:
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]478 ip = src_ip6
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]479 if ip_type == self.SUBNET_IP:
480 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
481 for i in range(8, 16):
482 sub_ip[i] = 0
483 ip = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
484 else:
485 if ip_type == self.WILD_IP:
486 ip = "0.0.0.0"
487 else:
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]488 ip = src_ip4
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]489 if ip_type == self.SUBNET_IP:
490 sub_ip = ip.split('.')
491 sub_ip[2] = sub_ip[3] = '0'
492 ip = ".".join(sub_ip)
493
494 prefix_len = 128 if is_ip6 else 32
495 if ip_type == self.WILD_IP:
496 prefix_len = 0
497 elif ip_type == self.SUBNET_IP:
498 prefix_len = 64 if is_ip6 else 16
499 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
500
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]501 # create suitable ACL rule
502 if is_permit:
503 rule_l4_sport = packet[UDP].sport
504 rule_l4_dport = packet[UDP].dport
505 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
506 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
507 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
508 if packet.haslayer(IPv6):
509 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
510 else:
511 rule_l4_proto = packet[IP].proto
512
513 acl_rule = {
514 'is_permit': is_permit,
515 'is_ipv6': is_ip6,
516 'src_ip_addr': inet_pton(rule_family,
517 packet[rule_l3_layer].src),
518 'src_ip_prefix_len': rule_prefix_len,
519 'dst_ip_addr': inet_pton(rule_family,
520 packet[rule_l3_layer].dst),
521 'dst_ip_prefix_len': rule_prefix_len,
522 'srcport_or_icmptype_first': rule_l4_sport,
523 'srcport_or_icmptype_last': rule_l4_sport,
524 'dstport_or_icmpcode_first': rule_l4_dport,
525 'dstport_or_icmpcode_last': rule_l4_dport,
526 'proto': rule_l4_proto}
527 acl_rules.append(acl_rule)
528
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]529 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
530 continue
531
532 if is_permit:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]533 macip_rule = ({
534 'is_permit': is_permit,
535 'is_ipv6': is_ip6,
536 'src_ip_addr': ip_rule,
537 'src_ip_prefix_len': prefix_len,
538 'src_mac': mac_rule.replace(':', '').decode('hex'),
539 'src_mac_mask': mac_mask.replace(':', '').decode('hex')})
540 macip_rules.append(macip_rule)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]541
542 # deny all other packets
543 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]544 macip_rule = ({'is_permit': 0,
545 'is_ipv6': is_ip6,
546 'src_ip_addr': "",
547 'src_ip_prefix_len': 0,
548 'src_mac': "",
549 'src_mac_mask': ""})
550 macip_rules.append(macip_rule)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]551
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]552 acl_rule = {'is_permit': 0,
553 'is_ipv6': is_ip6}
554 acl_rules.append(acl_rule)
555 return {'stream': packets,
556 'macip_rules': macip_rules,
557 'acl_rules': acl_rules}
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]558
559 def verify_capture(self, stream, capture, is_ip6):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]560 """
561 :param stream:
562 :param capture:
563 :param is_ip6:
564 :return:
565 """
566 # p_l3 = IPv6 if is_ip6 else IP
567 # if self.DEBUG:
568 # for p in stream:
569 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
570 #
571 # acls = self.macip_acl_dump_debug()
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]572
573 # TODO : verify
574 # for acl in acls:
575 # for r in acl.r:
576 # print r.src_mac.encode('hex'), \
577 # r.src_mac_mask.encode('hex'),\
578 # unpack('<16B', r.src_ip_addr), \
579 # r.src_ip_prefix_len
580 #
581 # for p in capture:
582 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
583 # data = p[Raw].load.split(':',1)[1]
584 # print p[p_l3].src, data
585
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]586 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
587 do_not_expected_capture=False, tags=None,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]588 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
589 try_replace=False):
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]590 self.reset_packet_infos()
591
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]592 if tags is None:
593 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
594 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
595 src_if = self.pg3
596 dst_if = self.loop0
597 else:
598 if tags == self.DOT1Q:
599 if traffic == self.BRIDGED:
600 tx_if = self.subifs[0]
601 rx_if = self.pg0
602 src_if = self.subifs[0]
603 dst_if = self.loop0
604 else:
605 tx_if = self.subifs[2]
606 rx_if = self.pg0
607 src_if = self.subifs[2]
608 dst_if = self.loop0
609 elif tags == self.DOT1AD:
610 if traffic == self.BRIDGED:
611 tx_if = self.subifs[1]
612 rx_if = self.pg0
613 src_if = self.subifs[1]
614 dst_if = self.loop0
615 else:
616 tx_if = self.subifs[3]
617 rx_if = self.pg0
618 src_if = self.subifs[3]
619 dst_if = self.loop0
620 else:
621 return
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]622
623 test_dict = self.create_stream(mac_type, ip_type, packets,
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]624 src_if, dst_if,
625 traffic, is_ip6,
626 tags=permit_tags)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]627
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]628 if apply_rules:
629 if isMACIP:
630 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
631 else:
632 reply = self.vapi.acl_add_replace(acl_index=4294967295,
633 r=test_dict['acl_rules'])
634 self.assertEqual(reply.retval, 0)
635 acl_index = reply.acl_index
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]636
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]637 if isMACIP:
638 self.vapi.macip_acl_interface_add_del(
639 sw_if_index=tx_if.sw_if_index,
640 acl_index=acl_index)
641 reply = self.vapi.macip_acl_interface_get()
642 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
643 self.ACLS.append(reply.acls[tx_if.sw_if_index])
644 else:
645 self.vapi.acl_interface_add_del(
646 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
647 else:
648 self.vapi.macip_acl_interface_add_del(
649 sw_if_index=tx_if.sw_if_index,
650 acl_index=0)
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]651 if try_replace:
652 if isMACIP:
653 reply = self.vapi.macip_acl_add_replace(
654 test_dict['macip_rules'],
655 acl_index)
656 else:
657 reply = self.vapi.acl_add_replace(acl_index=acl_index,
658 r=test_dict['acl_rules'])
659 self.assertEqual(reply.retval, 0)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]660
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]661 if not isinstance(src_if, VppSubInterface):
662 tx_if.add_stream(test_dict['stream'])
663 else:
664 tx_if.parent.add_stream(test_dict['stream'])
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]665 self.pg_enable_capture(self.pg_interfaces)
666 self.pg_start()
667
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]668 if do_not_expected_capture:
669 rx_if.get_capture(0)
670 else:
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]671 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
672 ip_type == self.WILD_IP:
673 capture = rx_if.get_capture(packets)
674 else:
675 capture = rx_if.get_capture(
676 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]677 self.verify_capture(test_dict['stream'], capture, is_ip6)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]678 if not isMACIP:
679 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
680 acl_index=acl_index, is_add=0)
681 self.vapi.acl_del(acl_index)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]682
683 def run_test_acls(self, mac_type, ip_type, acl_count,
684 rules_count, traffic=None, ip=None):
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]685 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
686 rules_count))
687 self.verify_macip_acls(acl_count, rules_count)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]688
689 if traffic is not None:
690 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
691
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]692
693class TestMACIP_IP4(MethodHolder):
694 """MACIP with IP4 traffic"""
695
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]696 def test_acl_bridged_ip4_exactMAC_exactIP(self):
697 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]698 """
699 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
700 self.BRIDGED, self.IS_IP4, 9)
701
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]702 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
703 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]704 """
705
706 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
707 self.BRIDGED, self.IS_IP4, 9)
708
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]709 def test_acl_bridged_ip4_exactMAC_wildIP(self):
710 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]711 """
712
713 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
714 self.BRIDGED, self.IS_IP4, 9)
715
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]716 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
717 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]718 """
719
720 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
721 self.BRIDGED, self.IS_IP4, 3)
722
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]723 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
724 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]725 """
726
727 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
728 self.BRIDGED, self.IS_IP4, 9)
729
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]730 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
731 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]732 """
733
734 self.run_traffic(self.OUI_MAC, self.WILD_IP,
735 self.BRIDGED, self.IS_IP4, 9)
736
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]737 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
738 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]739 """
740
741 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
742 self.BRIDGED, self.IS_IP4, 9)
743
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]744 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
745 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]746 """
747
748 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
749 self.BRIDGED, self.IS_IP4, 9)
750
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]751 def test_acl_bridged_ip4_wildMAC_wildIP(self):
752 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]753 """
754
755 self.run_traffic(self.WILD_MAC, self.WILD_IP,
756 self.BRIDGED, self.IS_IP4, 9)
757
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]758 def test_acl_routed_ip4_exactMAC_exactIP(self):
759 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
760 """
761 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
762 self.ROUTED, self.IS_IP4, 9)
763
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]764 def test_acl_routed_ip4_exactMAC_subnetIP(self):
765 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
766 """
767 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
768 self.ROUTED, self.IS_IP4, 9)
769
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]770 def test_acl_routed_ip4_exactMAC_wildIP(self):
771 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
772 """
773 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
774 self.ROUTED, self.IS_IP4, 9)
775
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]776 def test_acl_routed_ip4_ouiMAC_exactIP(self):
777 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
778 """
779
780 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
781 self.ROUTED, self.IS_IP4, 9)
782
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]783 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
784 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
785 """
786
787 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
788 self.ROUTED, self.IS_IP4, 9)
789
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]790 def test_acl_routed_ip4_ouiMAC_wildIP(self):
791 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
792 """
793
794 self.run_traffic(self.OUI_MAC, self.WILD_IP,
795 self.ROUTED, self.IS_IP4, 9)
796
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]797 def test_acl_routed_ip4_wildMAC_exactIP(self):
798 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
799 """
800
801 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
802 self.ROUTED, self.IS_IP4, 9)
803
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]804 def test_acl_routed_ip4_wildMAC_subnetIP(self):
805 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
806 """
807
808 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
809 self.ROUTED, self.IS_IP4, 9)
810
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]811 def test_acl_routed_ip4_wildMAC_wildIP(self):
812 """ IP4 MACIP wildcardMAC|wildIP ACL
813 """
814
815 self.run_traffic(self.WILD_MAC, self.WILD_IP,
816 self.ROUTED, self.IS_IP4, 9)
817
818 def test_acl_replace_traffic_ip4(self):
819 """ MACIP replace ACL with IP4 traffic
820 """
821 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]822 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]823 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]824 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]825
826
827class TestMACIP_IP6(MethodHolder):
828 """MACIP with IP6 traffic"""
829
830 def test_acl_bridged_ip6_exactMAC_exactIP(self):
831 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
832 """
833
834 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
835 self.BRIDGED, self.IS_IP6, 9)
836
837 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
838 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
839 """
840
841 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
842 self.BRIDGED, self.IS_IP6, 9)
843
844 def test_acl_bridged_ip6_exactMAC_wildIP(self):
845 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
846 """
847
848 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
849 self.BRIDGED, self.IS_IP6, 9)
850
851 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
852 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
853 """
854
855 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
856 self.BRIDGED, self.IS_IP6, 9)
857
858 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
859 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
860 """
861
862 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
863 self.BRIDGED, self.IS_IP6, 9)
864
865 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
866 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
867 """
868
869 self.run_traffic(self.OUI_MAC, self.WILD_IP,
870 self.BRIDGED, self.IS_IP6, 9)
871
872 def test_acl_bridged_ip6_wildMAC_exactIP(self):
873 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
874 """
875
876 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
877 self.BRIDGED, self.IS_IP6, 9)
878
879 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
880 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
881 """
882
883 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
884 self.BRIDGED, self.IS_IP6, 9)
885
886 def test_acl_bridged_ip6_wildMAC_wildIP(self):
887 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
888 """
889
890 self.run_traffic(self.WILD_MAC, self.WILD_IP,
891 self.BRIDGED, self.IS_IP6, 9)
892
893 def test_acl_routed_ip6_exactMAC_exactIP(self):
894 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
895 """
896
897 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
898 self.ROUTED, self.IS_IP6, 9)
899
900 def test_acl_routed_ip6_exactMAC_subnetIP(self):
901 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
902 """
903
904 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
905 self.ROUTED, self.IS_IP6, 9)
906
907 def test_acl_routed_ip6_exactMAC_wildIP(self):
908 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
909 """
910
911 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
912 self.ROUTED, self.IS_IP6, 9)
913
914 def test_acl_routed_ip6_ouiMAC_exactIP(self):
915 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
916 """
917
918 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
919 self.ROUTED, self.IS_IP6, 9)
920
921 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
922 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
923 """
924
925 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
926 self.ROUTED, self.IS_IP6, 9)
927
928 def test_acl_routed_ip6_ouiMAC_wildIP(self):
929 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
930 """
931
932 self.run_traffic(self.OUI_MAC, self.WILD_IP,
933 self.ROUTED, self.IS_IP6, 9)
934
935 def test_acl_routed_ip6_wildMAC_exactIP(self):
936 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
937 """
938
939 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
940 self.ROUTED, self.IS_IP6, 9)
941
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]942 def test_acl_routed_ip6_wildMAC_subnetIP(self):
943 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
944 """
945
946 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
947 self.ROUTED, self.IS_IP6, 9)
948
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]949 def test_acl_routed_ip6_wildMAC_wildIP(self):
950 """ IP6 MACIP wildcardMAC|wildIP ACL
951 """
952
953 self.run_traffic(self.WILD_MAC, self.WILD_IP,
954 self.ROUTED, self.IS_IP6, 9)
955
956 def test_acl_replace_traffic_ip6(self):
957 """ MACIP replace ACL with IP6 traffic
958 """
959 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]960 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]961 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
Andrew Yourtchenkod7834912017-12-09 14:55:52 +0100[diff] [blame]962 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]963
964
965class TestMACIP(MethodHolder):
966 """MACIP Tests"""
967
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]968 def test_acl_1_2(self):
969 """ MACIP ACL with 2 entries
970 """
971
972 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
973
974 def test_acl_1_5(self):
975 """ MACIP ACL with 5 entries
976 """
977
978 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
979
980 def test_acl_1_10(self):
981 """ MACIP ACL with 10 entries
982 """
983
984 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
985
986 def test_acl_1_20(self):
987 """ MACIP ACL with 20 entries
988 """
989
990 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
991
992 def test_acl_1_50(self):
993 """ MACIP ACL with 50 entries
994 """
995
996 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
997
998 def test_acl_1_100(self):
999 """ MACIP ACL with 100 entries
1000 """
1001
1002 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1003
1004 def test_acl_2_X(self):
1005 """ MACIP 2 ACLs each with 100+ entries
1006 """
1007
1008 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1009
1010 def test_acl_10_X(self):
1011 """ MACIP 10 ACLs each with 100+ entries
1012 """
1013
1014 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1015 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1016
1017 def test_acl_10_X_traffic_ip4(self):
1018 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1019 """
1020
1021 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1022 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1023 self.BRIDGED, self.IS_IP4)
1024
1025 def test_acl_10_X_traffic_ip6(self):
1026 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1027 """
1028
1029 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1030 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1031 self.BRIDGED, self.IS_IP6)
1032
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]1033 def test_acl_replace(self):
1034 """ MACIP replace ACL
1035 """
1036
1037 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1038 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1039 self.apply_macip_rules(r1)
Pavel Kotucekc29940c2017-09-07 08:17:31 +0200[diff] [blame]1040
1041 acls_before = self.macip_acl_dump_debug()
1042
1043 # replace acls #2, #3 with new
1044 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1045 self.assertEqual(reply.retval, 0)
1046 self.assertEqual(reply.acl_index, 2)
1047 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1048 self.assertEqual(reply.retval, 0)
1049 self.assertEqual(reply.acl_index, 3)
1050
1051 acls_after = self.macip_acl_dump_debug()
1052
1053 # verify changes
1054 self.assertEqual(len(acls_before), len(acls_after))
1055 for acl1, acl2 in zip(
1056 acls_before[:2]+acls_before[4:],
1057 acls_after[:2]+acls_after[4:]):
1058 self.assertEqual(len(acl1), len(acl2))
1059
1060 self.assertEqual(len(acl1.r), len(acl2.r))
1061 for r1, r2 in zip(acl1.r, acl2.r):
1062 self.assertEqual(len(acl1.r), len(acl2.r))
1063 self.assertEqual(acl1.r, acl2.r)
1064 for acl1, acl2 in zip(
1065 acls_before[2:4],
1066 acls_after[2:4]):
1067 self.assertEqual(len(acl1), len(acl2))
1068
1069 self.assertNotEqual(len(acl1.r), len(acl2.r))
1070 for r1, r2 in zip(acl1.r, acl2.r):
1071 self.assertNotEqual(len(acl1.r), len(acl2.r))
1072 self.assertNotEqual(acl1.r, acl2.r)
1073
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1074 def test_delete_intf(self):
1075 """ MACIP ACL delete intf with acl
1076 """
1077
1078 intf_count = len(self.interfaces)+1
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1079 intf = []
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1080 self.apply_macip_rules(self.create_rules(acl_count=3,
1081 rules_count=[3, 5, 4]))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1082
Klement Sekerabeaded52018-06-24 10:30:37 +0200[diff] [blame^]1083 intf.append(VppLoInterface(self))
1084 intf.append(VppLoInterface(self))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1085
1086 sw_if_index0 = intf[0].sw_if_index
1087 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1088
1089 reply = self.vapi.macip_acl_interface_get()
1090 self.assertEqual(reply.count, intf_count+1)
1091 self.assertEqual(reply.acls[sw_if_index0], 1)
1092
1093 sw_if_index1 = intf[1].sw_if_index
1094 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1095
1096 reply = self.vapi.macip_acl_interface_get()
1097 self.assertEqual(reply.count, intf_count+2)
1098 self.assertEqual(reply.acls[sw_if_index1], 0)
1099
1100 intf[0].remove_vpp_config()
1101 reply = self.vapi.macip_acl_interface_get()
1102 self.assertEqual(reply.count, intf_count+2)
1103 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1104 self.assertEqual(reply.acls[sw_if_index1], 0)
1105
Klement Sekerabeaded52018-06-24 10:30:37 +0200[diff] [blame^]1106 intf.append(VppLoInterface(self))
1107 intf.append(VppLoInterface(self))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1108 sw_if_index2 = intf[2].sw_if_index
1109 sw_if_index3 = intf[3].sw_if_index
1110 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1111 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1112
1113 reply = self.vapi.macip_acl_interface_get()
1114 self.assertEqual(reply.count, intf_count+3)
1115 self.assertEqual(reply.acls[sw_if_index1], 0)
1116 self.assertEqual(reply.acls[sw_if_index2], 1)
1117 self.assertEqual(reply.acls[sw_if_index3], 1)
Andrew Yourtchenko563a8532018-03-23 15:23:15 +0100[diff] [blame]1118 self.logger.info("MACIP ACL on multiple interfaces:")
1119 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1120 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1121 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1122 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1123 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1124
1125 intf[2].remove_vpp_config()
1126 intf[1].remove_vpp_config()
1127
1128 reply = self.vapi.macip_acl_interface_get()
1129 self.assertEqual(reply.count, intf_count+3)
1130 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1131 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1132 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1133 self.assertEqual(reply.acls[sw_if_index3], 1)
1134
1135 intf[3].remove_vpp_config()
1136 reply = self.vapi.macip_acl_interface_get()
1137
1138 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1139
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]1140
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1141class TestACL_dot1q_bridged(MethodHolder):
1142 """ACL on dot1q bridged subinterfaces Tests"""
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]1143
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1144 def test_acl_bridged_ip4_subif_dot1q(self):
1145 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1146 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1147 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
Pavel Kotucek057704e2017-09-14 09:50:52 +0200[diff] [blame]1148
Pavel Kotucek8daa80a2017-09-25 09:44:05 +0200[diff] [blame]1149 def test_acl_bridged_ip6_subif_dot1q(self):
1150 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1151 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1152 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1153
1154
1155class TestACL_dot1ad_bridged(MethodHolder):
1156 """ACL on dot1ad bridged subinterfaces Tests"""
1157
1158 def test_acl_bridged_ip4_subif_dot1ad(self):
1159 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1160 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1161 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1162
1163 def test_acl_bridged_ip6_subif_dot1ad(self):
1164 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1165 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1166 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1167
1168
1169class TestACL_dot1q_routed(MethodHolder):
1170 """ACL on dot1q routed subinterfaces Tests"""
1171
1172 def test_acl_routed_ip4_subif_dot1q(self):
1173 """ IP4 ACL SubIf Dot1Q routed traffic"""
1174 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1175 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1176
1177 def test_acl_routed_ip6_subif_dot1q(self):
1178 """ IP6 ACL SubIf Dot1Q routed traffic"""
1179 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1180 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1181
1182 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1183 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1184 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1185 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1186 permit_tags=self.DENY_TAGS)
1187
1188 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1189 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1190 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1191 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1192 permit_tags=self.DENY_TAGS)
1193
1194
1195class TestACL_dot1ad_routed(MethodHolder):
1196 """ACL on dot1ad routed subinterfaces Tests"""
1197
1198 def test_acl_routed_ip6_subif_dot1ad(self):
1199 """ IP6 ACL SubIf Dot1AD routed traffic"""
1200 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1201 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1202
1203 def test_acl_routed_ip4_subif_dot1ad(self):
1204 """ IP4 ACL SubIf Dot1AD routed traffic"""
1205 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1206 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1207
1208 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1209 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1210 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1211 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1212 permit_tags=self.DENY_TAGS)
1213
1214 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1215 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1216 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1217 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1218 permit_tags=self.DENY_TAGS)
Pavel Kotucek932f7412017-09-07 14:44:52 +0200[diff] [blame]1219
1220
1221if __name__ == '__main__':
1222 unittest.main(testRunner=VppTestRunner)