Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / d1b05647427c79cfd5322991bbe663fae65f37b5 / . / test / test_acl_plugin_l2l3.py
blob: 32abf184bb9dd1256f1423edad54e5de64fe11e0 [file] [log] [blame]
Andrew Yourtchenkod2a59be2017-03-21 10:31:55 +0100[diff] [blame]1#!/usr/bin/env python
2"""ACL IRB Test Case HLD:
3
4**config**
5 - L2 MAC learning enabled in l2bd
6 - 2 routed interfaces untagged, bvi (Bridge Virtual Interface)
7 - 2 bridged interfaces in l2bd with bvi
8
9**test**
10 - sending ip4 eth pkts between routed interfaces
11 - 2 routed interfaces
12 - 2 bridged interfaces
13
14 - 64B, 512B, 1518B, 9200B (ether_size)
15
16 - burst of pkts per interface
17 - 257pkts per burst
18 - routed pkts hitting different FIB entries
19 - bridged pkts hitting different MAC entries
20
21**verify**
22 - all packets received correctly
23
24"""
25
26import unittest
27from socket import inet_pton, AF_INET, AF_INET6
28from random import choice
29from pprint import pprint
30
31from scapy.packet import Raw
32from scapy.layers.l2 import Ether
33from scapy.layers.inet import IP, UDP, ICMP, TCP
34from scapy.layers.inet6 import IPv6, ICMPv6Unknown, ICMPv6EchoRequest
35from scapy.layers.inet6 import ICMPv6EchoReply, IPv6ExtHdrRouting
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame^]36from scapy.layers.inet6 import IPv6ExtHdrFragment
Andrew Yourtchenkod2a59be2017-03-21 10:31:55 +0100[diff] [blame]37
38from framework import VppTestCase, VppTestRunner
39import time
40
41
42class TestIpIrb(VppTestCase):
43 """IRB Test Case"""
44
45 @classmethod
46 def setUpClass(cls):
47 """
48 #. Create BD with MAC learning enabled and put interfaces to this BD.
49 #. Configure IPv4 addresses on loopback interface and routed interface.
50 #. Configure MAC address binding to IPv4 neighbors on loop0.
51 #. Configure MAC address on pg2.
52 #. Loopback BVI interface has remote hosts, one half of hosts are
53 behind pg0 second behind pg1.
54 """
55 super(TestIpIrb, cls).setUpClass()
56
57 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
58 cls.bd_id = 10
59 cls.remote_hosts_count = 250
60
61 # create 3 pg interfaces, 1 loopback interface
62 cls.create_pg_interfaces(range(3))
63 cls.create_loopback_interfaces(range(1))
64
65 cls.interfaces = list(cls.pg_interfaces)
66 cls.interfaces.extend(cls.lo_interfaces)
67
68 for i in cls.interfaces:
69 i.admin_up()
70
71 # Create BD with MAC learning enabled and put interfaces to this BD
72 cls.vapi.sw_interface_set_l2_bridge(
73 cls.loop0.sw_if_index, bd_id=cls.bd_id, bvi=1)
74 cls.vapi.sw_interface_set_l2_bridge(
75 cls.pg0.sw_if_index, bd_id=cls.bd_id)
76 cls.vapi.sw_interface_set_l2_bridge(
77 cls.pg1.sw_if_index, bd_id=cls.bd_id)
78
79 # Configure IPv4 addresses on loopback interface and routed interface
80 cls.loop0.config_ip4()
81 cls.loop0.config_ip6()
82 cls.pg2.config_ip4()
83 cls.pg2.config_ip6()
84
85 # Configure MAC address binding to IPv4 neighbors on loop0
86 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
87 cls.loop0.configure_ipv4_neighbors()
88 cls.loop0.configure_ipv6_neighbors()
89 # configure MAC address on pg2
90 cls.pg2.resolve_arp()
91 cls.pg2.resolve_ndp()
92
93 cls.WITHOUT_EH = False
94 cls.WITH_EH = True
95
96 # Loopback BVI interface has remote hosts, one half of hosts are behind
97 # pg0 second behind pg1
98 half = cls.remote_hosts_count // 2
99 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:half]
100 cls.pg1.remote_hosts = cls.loop0.remote_hosts[half:]
101
102 def tearDown(self):
103 """Run standard test teardown and log ``show l2patch``,
104 ``show l2fib verbose``,``show bridge-domain <bd_id> detail``,
105 ``show ip arp``.
106 """
107 super(TestIpIrb, self).tearDown()
108 if not self.vpp_dead:
109 self.logger.info(self.vapi.cli("show l2patch"))
110 self.logger.info(self.vapi.cli("show classify tables"))
111 self.logger.info(self.vapi.cli("show vlib graph"))
112 self.logger.info(self.vapi.cli("show l2fib verbose"))
113 self.logger.info(self.vapi.cli("show bridge-domain %s detail" %
114 self.bd_id))
115 self.logger.info(self.vapi.cli("show ip arp"))
116 self.logger.info(self.vapi.cli("show ip6 neighbors"))
117 self.logger.info(self.vapi.cli("show acl-plugin sessions"))
118
119 def api_acl_add_replace(self, acl_index, r, count, tag="",
120 expected_retval=0):
121 """Add/replace an ACL
122
123 :param int acl_index: ACL index to replace, 4294967295 to create new.
124 :param acl_rule r: ACL rules array.
125 :param str tag: symbolic tag (description) for this ACL.
126 :param int count: number of rules.
127 """
128 return self.vapi.api(self.vapi.papi.acl_add_replace,
129 {'acl_index': acl_index,
130 'r': r,
131 'count': count,
132 'tag': tag
133 }, expected_retval=expected_retval)
134
135 def api_acl_interface_set_acl_list(self, sw_if_index, count, n_input, acls,
136 expected_retval=0):
137 return self.vapi.api(self.vapi.papi.acl_interface_set_acl_list,
138 {'sw_if_index': sw_if_index,
139 'count': count,
140 'n_input': n_input,
141 'acls': acls
142 }, expected_retval=expected_retval)
143
144 def api_acl_dump(self, acl_index, expected_retval=0):
145 return self.vapi.api(self.vapi.papi.acl_dump,
146 {'acl_index': acl_index},
147 expected_retval=expected_retval)
148
149 def create_stream(self, src_ip_if, dst_ip_if, reverse, packet_sizes,
150 is_ip6, expect_blocked, expect_established,
151 add_extension_header):
152 pkts = []
153 rules = []
154 permit_rules = []
155 permit_and_reflect_rules = []
156 total_packet_count = 8
157 for i in range(0, total_packet_count):
158 modulo = (i//2) % 2
159 can_reflect_this_packet = (modulo == 0)
160 is_permit = i % 2
161 remote_dst_index = i % len(dst_ip_if.remote_hosts)
162 remote_dst_host = dst_ip_if.remote_hosts[remote_dst_index]
163 if is_permit == 1:
164 info = self.create_packet_info(src_ip_if, dst_ip_if)
165 payload = self.info_to_payload(info)
166 else:
167 to_be_blocked = False
168 if (expect_blocked and not expect_established):
169 to_be_blocked = True
170 if (not can_reflect_this_packet):
171 to_be_blocked = True
172 if to_be_blocked:
173 payload = "to be blocked"
174 else:
175 info = self.create_packet_info(src_ip_if, dst_ip_if)
176 payload = self.info_to_payload(info)
177 if reverse:
178 dst_mac = 'de:ad:00:00:00:00'
179 src_mac = remote_dst_host._mac
180 dst_ip6 = src_ip_if.remote_ip6
181 src_ip6 = remote_dst_host.ip6
182 dst_ip4 = src_ip_if.remote_ip4
183 src_ip4 = remote_dst_host.ip4
184 dst_l4 = 1234 + i
185 src_l4 = 4321 + i
186 else:
187 dst_mac = src_ip_if.local_mac
188 src_mac = src_ip_if.remote_mac
189 src_ip6 = src_ip_if.remote_ip6
190 dst_ip6 = remote_dst_host.ip6
191 src_ip4 = src_ip_if.remote_ip4
192 dst_ip4 = remote_dst_host.ip4
193 src_l4 = 1234 + i
194 dst_l4 = 4321 + i
195
196 # default ULP should be something we do not use in tests
197 ulp_l4 = TCP(sport=src_l4, dport=dst_l4)
198 # potentially a chain of protocols leading to ULP
199 ulp = ulp_l4
200
201 if can_reflect_this_packet:
202 if is_ip6:
203 ulp_l4 = UDP(sport=src_l4, dport=dst_l4)
204 if add_extension_header:
205 # prepend some extension headers
206 ulp = (IPv6ExtHdrRouting() / IPv6ExtHdrRouting() /
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame^]207 IPv6ExtHdrFragment(offset=0, m=1) / ulp_l4)
Andrew Yourtchenkod2a59be2017-03-21 10:31:55 +0100[diff] [blame]208 # uncomment below to test invalid ones
209 # ulp = IPv6ExtHdrRouting(len = 200) / ulp_l4
210 else:
211 ulp = ulp_l4
212 p = (Ether(dst=dst_mac, src=src_mac) /
213 IPv6(src=src_ip6, dst=dst_ip6) /
214 ulp /
215 Raw(payload))
216 else:
217 ulp_l4 = UDP(sport=src_l4, dport=dst_l4)
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame^]218 # IPv4 does not allow extension headers,
219 # but we rather make it a first fragment
220 flags = 1 if add_extension_header else 0
Andrew Yourtchenkod2a59be2017-03-21 10:31:55 +0100[diff] [blame]221 ulp = ulp_l4
222 p = (Ether(dst=dst_mac, src=src_mac) /
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame^]223 IP(src=src_ip4, dst=dst_ip4, frag=0, flags=flags) /
Andrew Yourtchenkod2a59be2017-03-21 10:31:55 +0100[diff] [blame]224 ulp /
225 Raw(payload))
226 elif modulo == 1:
227 if is_ip6:
228 ulp_l4 = ICMPv6Unknown(type=128 + (i % 2), code=i % 2)
229 ulp = ulp_l4
230 p = (Ether(dst=dst_mac, src=src_mac) /
231 IPv6(src=src_ip6, dst=dst_ip6) /
232 ulp /
233 Raw(payload))
234 else:
235 ulp_l4 = ICMP(type=8 + (i % 2), code=i % 2)
236 ulp = ulp_l4
237 p = (Ether(dst=dst_mac, src=src_mac) /
238 IP(src=src_ip4, dst=dst_ip4) /
239 ulp /
240 Raw(payload))
241
242 if i % 2 == 1:
243 info.data = p.copy()
244 size = packet_sizes[(i // 2) % len(packet_sizes)]
245 self.extend_packet(p, size)
246 pkts.append(p)
247
248 rule_family = AF_INET6 if p.haslayer(IPv6) else AF_INET
249 rule_prefix_len = 128 if p.haslayer(IPv6) else 32
250 rule_l3_layer = IPv6 if p.haslayer(IPv6) else IP
251
252 if p.haslayer(UDP):
253 rule_l4_sport = p[UDP].sport
254 rule_l4_dport = p[UDP].dport
255 else:
256 if p.haslayer(ICMP):
257 rule_l4_sport = p[ICMP].type
258 rule_l4_dport = p[ICMP].code
259 else:
260 rule_l4_sport = p[ICMPv6Unknown].type
261 rule_l4_dport = p[ICMPv6Unknown].code
262 if p.haslayer(IPv6):
263 rule_l4_proto = ulp_l4.overload_fields[IPv6]['nh']
264 else:
265 rule_l4_proto = p[IP].proto
266
267 new_rule = {
268 'is_permit': is_permit,
269 'is_ipv6': p.haslayer(IPv6),
270 'src_ip_addr': inet_pton(rule_family,
271 p[rule_l3_layer].src),
272 'src_ip_prefix_len': rule_prefix_len,
273 'dst_ip_addr': inet_pton(rule_family,
274 p[rule_l3_layer].dst),
275 'dst_ip_prefix_len': rule_prefix_len,
276 'srcport_or_icmptype_first': rule_l4_sport,
277 'srcport_or_icmptype_last': rule_l4_sport,
278 'dstport_or_icmpcode_first': rule_l4_dport,
279 'dstport_or_icmpcode_last': rule_l4_dport,
280 'proto': rule_l4_proto,
281 }
282 rules.append(new_rule)
283 new_rule_permit = new_rule.copy()
284 new_rule_permit['is_permit'] = 1
285 permit_rules.append(new_rule_permit)
286
287 new_rule_permit_and_reflect = new_rule.copy()
288 if can_reflect_this_packet:
289 new_rule_permit_and_reflect['is_permit'] = 2
290 else:
291 new_rule_permit_and_reflect['is_permit'] = is_permit
292 permit_and_reflect_rules.append(new_rule_permit_and_reflect)
293
294 return {'stream': pkts,
295 'rules': rules,
296 'permit_rules': permit_rules,
297 'permit_and_reflect_rules': permit_and_reflect_rules}
298
299 def verify_capture(self, dst_ip_if, src_ip_if, capture, reverse):
300 last_info = dict()
301 for i in self.interfaces:
302 last_info[i.sw_if_index] = None
303
304 dst_ip_sw_if_index = dst_ip_if.sw_if_index
305 return
306
307 for packet in capture:
308 l3 = IP if packet.haslayer(IP) else IPv6
309 ip = packet[l3]
310 if packet.haslayer(UDP):
311 l4 = UDP
312 else:
313 if packet.haslayer(ICMP):
314 l4 = ICMP
315 else:
316 l4 = ICMPv6Unknown
317
318 # Scapy IPv6 stuff is too smart for its own good.
319 # So we do this and coerce the ICMP into unknown type
320 if packet.haslayer(UDP):
321 data = str(packet[UDP][Raw])
322 else:
323 if l3 == IP:
324 data = str(ICMP(str(packet[l3].payload))[Raw])
325 else:
326 data = str(ICMPv6Unknown(str(packet[l3].payload)).msgbody)
327 udp_or_icmp = packet[l3].payload
328 payload_info = self.payload_to_info(data)
329 packet_index = payload_info.index
330
331 self.assertEqual(payload_info.dst, dst_ip_sw_if_index)
332
333 next_info = self.get_next_packet_info_for_interface2(
334 payload_info.src, dst_ip_sw_if_index,
335 last_info[payload_info.src])
336 last_info[payload_info.src] = next_info
337 self.assertTrue(next_info is not None)
338 self.assertEqual(packet_index, next_info.index)
339 saved_packet = next_info.data
340 self.assertTrue(next_info is not None)
341
342 # MAC: src, dst
343 if not reverse:
344 self.assertEqual(packet.src, dst_ip_if.local_mac)
345 host = dst_ip_if.host_by_mac(packet.dst)
346
347 # IP: src, dst
348 # self.assertEqual(ip.src, src_ip_if.remote_ip4)
349 if saved_packet is not None:
350 self.assertEqual(ip.src, saved_packet[l3].src)
351 self.assertEqual(ip.dst, saved_packet[l3].dst)
352 if l4 == UDP:
353 self.assertEqual(udp_or_icmp.sport, saved_packet[l4].sport)
354 self.assertEqual(udp_or_icmp.dport, saved_packet[l4].dport)
355 else:
356 print("Saved packet is none")
357 # self.assertEqual(ip.dst, host.ip4)
358
359 # UDP:
360
361 def create_acls_for_a_stream(self, stream_dict,
362 test_l2_action, is_reflect):
363 r = stream_dict['rules']
364 r_permit = stream_dict['permit_rules']
365 r_permit_reflect = stream_dict['permit_and_reflect_rules']
366 r_action = r_permit_reflect if is_reflect else r
367 reply = self.api_acl_add_replace(acl_index=4294967295, r=r_action,
368 count=len(r_action), tag="action acl")
369 action_acl_index = reply.acl_index
370 reply = self.api_acl_add_replace(acl_index=4294967295, r=r_permit,
371 count=len(r_permit), tag="permit acl")
372 permit_acl_index = reply.acl_index
373 return {'L2': action_acl_index if test_l2_action else permit_acl_index,
374 'L3': permit_acl_index if test_l2_action else action_acl_index,
375 'permit': permit_acl_index, 'action': action_acl_index}
376
377 def apply_acl_ip46_x_to_y(self, bridged_to_routed, test_l2_deny,
378 is_ip6, is_reflect, add_eh):
379 """ Apply the ACLs
380 """
381 self.reset_packet_infos()
382 stream_dict = self.create_stream(
383 self.pg2, self.loop0,
384 bridged_to_routed,
385 self.pg_if_packet_sizes, is_ip6,
386 not is_reflect, False, add_eh)
387 stream = stream_dict['stream']
388 acl_idx = self.create_acls_for_a_stream(stream_dict, test_l2_deny,
389 is_reflect)
390 n_input_l3 = 0 if bridged_to_routed else 1
391 n_input_l2 = 1 if bridged_to_routed else 0
392 self.api_acl_interface_set_acl_list(sw_if_index=self.pg2.sw_if_index,
393 count=1,
394 n_input=n_input_l3,
395 acls=[acl_idx['L3']])
396 self.api_acl_interface_set_acl_list(sw_if_index=self.pg0.sw_if_index,
397 count=1,
398 n_input=n_input_l2,
399 acls=[acl_idx['L2']])
400 self.api_acl_interface_set_acl_list(sw_if_index=self.pg1.sw_if_index,
401 count=1,
402 n_input=n_input_l2,
403 acls=[acl_idx['L2']])
404
405 def apply_acl_ip46_both_directions_reflect(self,
406 primary_is_bridged_to_routed,
407 reflect_on_l2, is_ip6, add_eh):
408 primary_is_routed_to_bridged = not primary_is_bridged_to_routed
409 self.reset_packet_infos()
410 stream_dict_fwd = self.create_stream(self.pg2, self.loop0,
411 primary_is_bridged_to_routed,
412 self.pg_if_packet_sizes, is_ip6,
413 False, False, add_eh)
414 acl_idx_fwd = self.create_acls_for_a_stream(stream_dict_fwd,
415 reflect_on_l2, True)
416
417 stream_dict_rev = self.create_stream(self.pg2, self.loop0,
418 not primary_is_bridged_to_routed,
419 self.pg_if_packet_sizes, is_ip6,
420 True, True, add_eh)
421 # We want the primary action to be "deny" rather than reflect
422 acl_idx_rev = self.create_acls_for_a_stream(stream_dict_rev,
423 reflect_on_l2, False)
424
425 if primary_is_bridged_to_routed:
426 inbound_l2_acl = acl_idx_fwd['L2']
427 else:
428 inbound_l2_acl = acl_idx_rev['L2']
429
430 if primary_is_routed_to_bridged:
431 outbound_l2_acl = acl_idx_fwd['L2']
432 else:
433 outbound_l2_acl = acl_idx_rev['L2']
434
435 if primary_is_routed_to_bridged:
436 inbound_l3_acl = acl_idx_fwd['L3']
437 else:
438 inbound_l3_acl = acl_idx_rev['L3']
439
440 if primary_is_bridged_to_routed:
441 outbound_l3_acl = acl_idx_fwd['L3']
442 else:
443 outbound_l3_acl = acl_idx_rev['L3']
444
445 self.api_acl_interface_set_acl_list(sw_if_index=self.pg2.sw_if_index,
446 count=2,
447 n_input=1,
448 acls=[inbound_l3_acl,
449 outbound_l3_acl])
450 self.api_acl_interface_set_acl_list(sw_if_index=self.pg0.sw_if_index,
451 count=2,
452 n_input=1,
453 acls=[inbound_l2_acl,
454 outbound_l2_acl])
455 self.api_acl_interface_set_acl_list(sw_if_index=self.pg1.sw_if_index,
456 count=2,
457 n_input=1,
458 acls=[inbound_l2_acl,
459 outbound_l2_acl])
460
461 def apply_acl_ip46_routed_to_bridged(self, test_l2_deny, is_ip6,
462 is_reflect, add_eh):
463 self.apply_acl_ip46_x_to_y(False, test_l2_deny, is_ip6,
464 is_reflect, add_eh)
465
466 def apply_acl_ip46_bridged_to_routed(self, test_l2_deny, is_ip6,
467 is_reflect, add_eh):
468 self.apply_acl_ip46_x_to_y(True, test_l2_deny, is_ip6,
469 is_reflect, add_eh)
470
471 def run_traffic_ip46_x_to_y(self, bridged_to_routed,
472 test_l2_deny, is_ip6,
473 is_reflect, is_established, add_eh):
474 self.reset_packet_infos()
475 stream_dict = self.create_stream(self.pg2, self.loop0,
476 bridged_to_routed,
477 self.pg_if_packet_sizes, is_ip6,
478 not is_reflect, is_established,
479 add_eh)
480 stream = stream_dict['stream']
481
482 tx_if = self.pg0 if bridged_to_routed else self.pg2
483 rx_if = self.pg2 if bridged_to_routed else self.pg0
484
485 tx_if.add_stream(stream)
486 self.pg_enable_capture(self.pg_interfaces)
487 self.pg_start()
488 packet_count = self.get_packet_count_for_if_idx(self.loop0.sw_if_index)
489 rcvd1 = rx_if.get_capture(packet_count)
490 self.verify_capture(self.loop0, self.pg2, rcvd1, bridged_to_routed)
491
492 def run_traffic_ip46_routed_to_bridged(self, test_l2_deny, is_ip6,
493 is_reflect, is_established, add_eh):
494 self.run_traffic_ip46_x_to_y(False, test_l2_deny, is_ip6,
495 is_reflect, is_established, add_eh)
496
497 def run_traffic_ip46_bridged_to_routed(self, test_l2_deny, is_ip6,
498 is_reflect, is_established, add_eh):
499 self.run_traffic_ip46_x_to_y(True, test_l2_deny, is_ip6,
500 is_reflect, is_established, add_eh)
501
502 def run_test_ip46_routed_to_bridged(self, test_l2_deny,
503 is_ip6, is_reflect, add_eh):
504 self.apply_acl_ip46_routed_to_bridged(test_l2_deny,
505 is_ip6, is_reflect, add_eh)
506 self.run_traffic_ip46_routed_to_bridged(test_l2_deny, is_ip6,
507 is_reflect, False, add_eh)
508
509 def run_test_ip46_bridged_to_routed(self, test_l2_deny,
510 is_ip6, is_reflect, add_eh):
511 self.apply_acl_ip46_bridged_to_routed(test_l2_deny,
512 is_ip6, is_reflect, add_eh)
513 self.run_traffic_ip46_bridged_to_routed(test_l2_deny, is_ip6,
514 is_reflect, False, add_eh)
515
516 def run_test_ip46_routed_to_bridged_and_back(self, test_l2_action,
517 is_ip6, add_eh):
518 self.apply_acl_ip46_both_directions_reflect(False, test_l2_action,
519 is_ip6, add_eh)
520 self.run_traffic_ip46_routed_to_bridged(test_l2_action, is_ip6,
521 True, False, add_eh)
522 self.run_traffic_ip46_bridged_to_routed(test_l2_action, is_ip6,
523 False, True, add_eh)
524
525 def run_test_ip46_bridged_to_routed_and_back(self, test_l2_action,
526 is_ip6, add_eh):
527 self.apply_acl_ip46_both_directions_reflect(True, test_l2_action,
528 is_ip6, add_eh)
529 self.run_traffic_ip46_bridged_to_routed(test_l2_action, is_ip6,
530 True, False, add_eh)
531 self.run_traffic_ip46_routed_to_bridged(test_l2_action, is_ip6,
532 False, True, add_eh)
533
534 def test_0000_ip6_irb_1(self):
535 """ ACL plugin prepare"""
536 if not self.vpp_dead:
537 cmd = "set acl-plugin session timeout udp idle 2000"
538 self.logger.info(self.vapi.ppcli(cmd))
539 # uncomment to not skip past the routing header
540 # and watch the EH tests fail
541 # self.logger.info(self.vapi.ppcli(
542 # "set acl-plugin skip-ipv6-extension-header 43 0"))
543 # uncomment to test the session limit (stateful tests will fail)
544 # self.logger.info(self.vapi.ppcli(
545 # "set acl-plugin session table max-entries 1"))
546 # new datapath is the default, but just in case
547 # self.logger.info(self.vapi.ppcli(
548 # "set acl-plugin l2-datapath new"))
549 # If you want to see some tests fail, uncomment the next line
550 # self.logger.info(self.vapi.ppcli(
551 # "set acl-plugin l2-datapath old"))
552
553 def test_0001_ip6_irb_1(self):
554 """ ACL IPv6 routed -> bridged, L2 ACL deny"""
555 self.run_test_ip46_routed_to_bridged(True, True, False,
556 self.WITHOUT_EH)
557
558 def test_0002_ip6_irb_1(self):
559 """ ACL IPv6 routed -> bridged, L3 ACL deny"""
560 self.run_test_ip46_routed_to_bridged(False, True, False,
561 self.WITHOUT_EH)
562
563 def test_0003_ip4_irb_1(self):
564 """ ACL IPv4 routed -> bridged, L2 ACL deny"""
565 self.run_test_ip46_routed_to_bridged(True, False, False,
566 self.WITHOUT_EH)
567
568 def test_0004_ip4_irb_1(self):
569 """ ACL IPv4 routed -> bridged, L3 ACL deny"""
570 self.run_test_ip46_routed_to_bridged(False, False, False,
571 self.WITHOUT_EH)
572
573 def test_0005_ip6_irb_1(self):
574 """ ACL IPv6 bridged -> routed, L2 ACL deny """
575 self.run_test_ip46_bridged_to_routed(True, True, False,
576 self.WITHOUT_EH)
577
578 def test_0006_ip6_irb_1(self):
579 """ ACL IPv6 bridged -> routed, L3 ACL deny """
580 self.run_test_ip46_bridged_to_routed(False, True, False,
581 self.WITHOUT_EH)
582
583 def test_0007_ip6_irb_1(self):
584 """ ACL IPv4 bridged -> routed, L2 ACL deny """
585 self.run_test_ip46_bridged_to_routed(True, False, False,
586 self.WITHOUT_EH)
587
588 def test_0008_ip6_irb_1(self):
589 """ ACL IPv4 bridged -> routed, L3 ACL deny """
590 self.run_test_ip46_bridged_to_routed(False, False, False,
591 self.WITHOUT_EH)
592
593 # Stateful ACL tests
594 def test_0101_ip6_irb_1(self):
595 """ ACL IPv6 routed -> bridged, L2 ACL permit+reflect"""
596 self.run_test_ip46_routed_to_bridged_and_back(True, True,
597 self.WITHOUT_EH)
598
599 def test_0102_ip6_irb_1(self):
600 """ ACL IPv6 bridged -> routed, L2 ACL permit+reflect"""
601 self.run_test_ip46_bridged_to_routed_and_back(True, True,
602 self.WITHOUT_EH)
603
604 def test_0103_ip6_irb_1(self):
605 """ ACL IPv4 routed -> bridged, L2 ACL permit+reflect"""
606 self.run_test_ip46_routed_to_bridged_and_back(True, False,
607 self.WITHOUT_EH)
608
609 def test_0104_ip6_irb_1(self):
610 """ ACL IPv4 bridged -> routed, L2 ACL permit+reflect"""
611 self.run_test_ip46_bridged_to_routed_and_back(True, False,
612 self.WITHOUT_EH)
613
614 def test_0111_ip6_irb_1(self):
615 """ ACL IPv6 routed -> bridged, L3 ACL permit+reflect"""
616 self.run_test_ip46_routed_to_bridged_and_back(False, True,
617 self.WITHOUT_EH)
618
619 def test_0112_ip6_irb_1(self):
620 """ ACL IPv6 bridged -> routed, L3 ACL permit+reflect"""
621 self.run_test_ip46_bridged_to_routed_and_back(False, True,
622 self.WITHOUT_EH)
623
624 def test_0113_ip6_irb_1(self):
625 """ ACL IPv4 routed -> bridged, L3 ACL permit+reflect"""
626 self.run_test_ip46_routed_to_bridged_and_back(False, False,
627 self.WITHOUT_EH)
628
629 def test_0114_ip6_irb_1(self):
630 """ ACL IPv4 bridged -> routed, L3 ACL permit+reflect"""
631 self.run_test_ip46_bridged_to_routed_and_back(False, False,
632 self.WITHOUT_EH)
633
634 # A block of tests with extension headers
635
636 def test_1001_ip6_irb_1(self):
637 """ ACL IPv6+EH routed -> bridged, L2 ACL deny"""
638 self.run_test_ip46_routed_to_bridged(True, True, False,
639 self.WITH_EH)
640
641 def test_1002_ip6_irb_1(self):
642 """ ACL IPv6+EH routed -> bridged, L3 ACL deny"""
643 self.run_test_ip46_routed_to_bridged(False, True, False,
644 self.WITH_EH)
645
646 def test_1005_ip6_irb_1(self):
647 """ ACL IPv6+EH bridged -> routed, L2 ACL deny """
648 self.run_test_ip46_bridged_to_routed(True, True, False,
649 self.WITH_EH)
650
651 def test_1006_ip6_irb_1(self):
652 """ ACL IPv6+EH bridged -> routed, L3 ACL deny """
653 self.run_test_ip46_bridged_to_routed(False, True, False,
654 self.WITH_EH)
655
656 def test_1101_ip6_irb_1(self):
657 """ ACL IPv6+EH routed -> bridged, L2 ACL permit+reflect"""
658 self.run_test_ip46_routed_to_bridged_and_back(True, True,
659 self.WITH_EH)
660
661 def test_1102_ip6_irb_1(self):
662 """ ACL IPv6+EH bridged -> routed, L2 ACL permit+reflect"""
663 self.run_test_ip46_bridged_to_routed_and_back(True, True,
664 self.WITH_EH)
665
666 def test_1111_ip6_irb_1(self):
667 """ ACL IPv6+EH routed -> bridged, L3 ACL permit+reflect"""
668 self.run_test_ip46_routed_to_bridged_and_back(False, True,
669 self.WITH_EH)
670
671 def test_1112_ip6_irb_1(self):
672 """ ACL IPv6+EH bridged -> routed, L3 ACL permit+reflect"""
673 self.run_test_ip46_bridged_to_routed_and_back(False, True,
674 self.WITH_EH)
675
Andrew Yourtchenkod1b05642017-04-04 14:10:40 +0000[diff] [blame^]676 # IPv4 with "MF" bit set
677
678 def test_1201_ip6_irb_1(self):
679 """ ACL IPv4+MF routed -> bridged, L2 ACL deny"""
680 self.run_test_ip46_routed_to_bridged(True, False, False,
681 self.WITH_EH)
682
683 def test_1202_ip6_irb_1(self):
684 """ ACL IPv4+MF routed -> bridged, L3 ACL deny"""
685 self.run_test_ip46_routed_to_bridged(False, False, False,
686 self.WITH_EH)
687
688 def test_1205_ip6_irb_1(self):
689 """ ACL IPv4+MF bridged -> routed, L2 ACL deny """
690 self.run_test_ip46_bridged_to_routed(True, False, False,
691 self.WITH_EH)
692
693 def test_1206_ip6_irb_1(self):
694 """ ACL IPv4+MF bridged -> routed, L3 ACL deny """
695 self.run_test_ip46_bridged_to_routed(False, False, False,
696 self.WITH_EH)
697
698 def test_1301_ip6_irb_1(self):
699 """ ACL IPv4+MF routed -> bridged, L2 ACL permit+reflect"""
700 self.run_test_ip46_routed_to_bridged_and_back(True, False,
701 self.WITH_EH)
702
703 def test_1302_ip6_irb_1(self):
704 """ ACL IPv4+MF bridged -> routed, L2 ACL permit+reflect"""
705 self.run_test_ip46_bridged_to_routed_and_back(True, False,
706 self.WITH_EH)
707
708 def test_1311_ip6_irb_1(self):
709 """ ACL IPv4+MF routed -> bridged, L3 ACL permit+reflect"""
710 self.run_test_ip46_routed_to_bridged_and_back(False, False,
711 self.WITH_EH)
712
713 def test_1312_ip6_irb_1(self):
714 """ ACL IPv4+MF bridged -> routed, L3 ACL permit+reflect"""
715 self.run_test_ip46_bridged_to_routed_and_back(False, False,
716 self.WITH_EH)
717
Andrew Yourtchenkod2a59be2017-03-21 10:31:55 +0100[diff] [blame]718 # Old datapath group
719 def test_8900_ip6_irb_1(self):
720 """ ACL plugin set old L2 datapath"""
721 if not self.vpp_dead:
722 cmd = "set acl-plugin l2-datapath old"
723 self.logger.info(self.vapi.ppcli(cmd))
724
725 def test_8901_ip6_irb_1(self):
726 """ ACL IPv6 routed -> bridged, L2 ACL deny"""
727 self.run_test_ip46_routed_to_bridged(True, True, False,
728 self.WITHOUT_EH)
729
730 def test_8902_ip6_irb_1(self):
731 """ ACL IPv6 routed -> bridged, L3 ACL deny"""
732 self.run_test_ip46_routed_to_bridged(False, True, False,
733 self.WITHOUT_EH)
734
735 def test_8903_ip4_irb_1(self):
736 """ ACL IPv4 routed -> bridged, L2 ACL deny"""
737 self.run_test_ip46_routed_to_bridged(True, False, False,
738 self.WITHOUT_EH)
739
740 def test_8904_ip4_irb_1(self):
741 """ ACL IPv4 routed -> bridged, L3 ACL deny"""
742 self.run_test_ip46_routed_to_bridged(False, False, False,
743 self.WITHOUT_EH)
744
745 def test_8905_ip6_irb_1(self):
746 """ ACL IPv6 bridged -> routed, L2 ACL deny """
747 self.run_test_ip46_bridged_to_routed(True, True, False,
748 self.WITHOUT_EH)
749
750 def test_8906_ip6_irb_1(self):
751 """ ACL IPv6 bridged -> routed, L3 ACL deny """
752 self.run_test_ip46_bridged_to_routed(False, True, False,
753 self.WITHOUT_EH)
754
755 def test_8907_ip6_irb_1(self):
756 """ ACL IPv4 bridged -> routed, L2 ACL deny """
757 self.run_test_ip46_bridged_to_routed(True, False, False,
758 self.WITHOUT_EH)
759
760 def test_8908_ip6_irb_1(self):
761 """ ACL IPv4 bridged -> routed, L3 ACL deny """
762 self.run_test_ip46_bridged_to_routed(False, False, False,
763 self.WITHOUT_EH)
764
765
766if __name__ == '__main__':
767 unittest.main(testRunner=VppTestRunner)