Gitiles
Code Review Sign In
gerrit.nordix.org / fdio / vpp / eb46754ef6b3efd958a11ea2f0b110eb99ce3b27 / . / test / test_acl_plugin_conns.py
blob: 1a9100cb0d713a09ec4778335959be6d28cbc22e [file] [log] [blame]
Andrew Yourtchenko57d7dbc2017-05-02 20:08:51 +0200[diff] [blame]1#!/usr/bin/env python
2""" ACL plugin extended stateful tests """
3
4import unittest
5from framework import VppTestCase, VppTestRunner, running_extended_tests
6from scapy.layers.l2 import Ether
7from scapy.packet import Raw
8from scapy.layers.inet import IP, UDP
9from scapy.packet import Packet
10from socket import inet_pton, AF_INET, AF_INET6
11from scapy.layers.inet6 import IPv6, ICMPv6Unknown, ICMPv6EchoRequest
12from scapy.layers.inet6 import ICMPv6EchoReply, IPv6ExtHdrRouting
13from scapy.layers.inet6 import IPv6ExtHdrFragment
14from pprint import pprint
15from random import randint
16
17
18def to_acl_rule(self, is_permit, wildcard_sport=False):
19 p = self
20 rule_family = AF_INET6 if p.haslayer(IPv6) else AF_INET
21 rule_prefix_len = 128 if p.haslayer(IPv6) else 32
22 rule_l3_layer = IPv6 if p.haslayer(IPv6) else IP
23 rule_l4_sport = p.sport
24 rule_l4_dport = p.dport
25 if p.haslayer(IPv6):
26 rule_l4_proto = p[IPv6].nh
27 else:
28 rule_l4_proto = p[IP].proto
29
30 if wildcard_sport:
31 rule_l4_sport_first = 0
32 rule_l4_sport_last = 65535
33 else:
34 rule_l4_sport_first = rule_l4_sport
35 rule_l4_sport_last = rule_l4_sport
36
37 new_rule = {
38 'is_permit': is_permit,
39 'is_ipv6': p.haslayer(IPv6),
40 'src_ip_addr': inet_pton(rule_family,
41 p[rule_l3_layer].src),
42 'src_ip_prefix_len': rule_prefix_len,
43 'dst_ip_addr': inet_pton(rule_family,
44 p[rule_l3_layer].dst),
45 'dst_ip_prefix_len': rule_prefix_len,
46 'srcport_or_icmptype_first': rule_l4_sport_first,
47 'srcport_or_icmptype_last': rule_l4_sport_last,
48 'dstport_or_icmpcode_first': rule_l4_dport,
49 'dstport_or_icmpcode_last': rule_l4_dport,
50 'proto': rule_l4_proto,
51 }
52 return new_rule
53
54Packet.to_acl_rule = to_acl_rule
55
56
57class IterateWithSleep():
58 def __init__(self, testcase, n_iters, description, sleep_sec):
59 self.curr = 0
60 self.testcase = testcase
61 self.n_iters = n_iters
62 self.sleep_sec = sleep_sec
63 self.description = description
64
65 def __iter__(self):
66 for x in range(0, self.n_iters):
67 yield x
68 self.testcase.sleep(self.sleep_sec)
69
70
71class Conn():
72 def __init__(self, testcase, if1, if2, af, l4proto, port1, port2):
73 self.testcase = testcase
74 self.ifs = [None, None]
75 self.ifs[0] = if1
76 self.ifs[1] = if2
77 self.address_family = af
78 self.l4proto = l4proto
79 self.ports = [None, None]
80 self.ports[0] = port1
81 self.ports[1] = port2
82 self
83
84 def pkt(self, side):
85 is_ip6 = 1 if self.address_family == AF_INET6 else 0
86 s0 = side
87 s1 = 1-side
88 src_if = self.ifs[s0]
89 dst_if = self.ifs[s1]
90 layer_3 = [IP(src=src_if.remote_ip4, dst=dst_if.remote_ip4),
91 IPv6(src=src_if.remote_ip6, dst=dst_if.remote_ip6)]
92 payload = "x"
93 p = (Ether(dst=src_if.local_mac, src=src_if.remote_mac) /
94 layer_3[is_ip6] /
95 self.l4proto(sport=self.ports[s0], dport=self.ports[s1]) /
96 Raw(payload))
97 return p
98
99 def apply_acls(self, reflect_side, acl_side):
100 pkts = []
101 pkts.append(self.pkt(0))
102 pkts.append(self.pkt(1))
103 pkt = pkts[reflect_side]
104
105 r = []
106 r.append(pkt.to_acl_rule(2, wildcard_sport=True))
107 r.append(self.wildcard_rule(0))
108 res = self.testcase.api_acl_add_replace(0xffffffff, r)
109 self.testcase.assert_equal(res.retval, 0, "error adding ACL")
110 reflect_acl_index = res.acl_index
111
112 r = []
113 r.append(self.wildcard_rule(0))
114 res = self.testcase.api_acl_add_replace(0xffffffff, r)
115 self.testcase.assert_equal(res.retval, 0, "error adding deny ACL")
116 deny_acl_index = res.acl_index
117
118 if reflect_side == acl_side:
119 self.testcase.api_acl_interface_set_acl_list(
120 self.ifs[acl_side].sw_if_index, 2, 1,
121 [reflect_acl_index,
122 deny_acl_index])
123 self.testcase.api_acl_interface_set_acl_list(
124 self.ifs[1-acl_side].sw_if_index, 0, 0, [])
125 else:
126 self.testcase.api_acl_interface_set_acl_list(
127 self.ifs[acl_side].sw_if_index, 2, 1,
128 [deny_acl_index,
129 reflect_acl_index])
130 self.testcase.api_acl_interface_set_acl_list(
131 self.ifs[1-acl_side].sw_if_index, 0, 0, [])
132
133 def wildcard_rule(self, is_permit):
134 any_addr = ["0.0.0.0", "::"]
135 rule_family = self.address_family
136 is_ip6 = 1 if rule_family == AF_INET6 else 0
137 new_rule = {
138 'is_permit': is_permit,
139 'is_ipv6': is_ip6,
140 'src_ip_addr': inet_pton(rule_family, any_addr[is_ip6]),
141 'src_ip_prefix_len': 0,
142 'dst_ip_addr': inet_pton(rule_family, any_addr[is_ip6]),
143 'dst_ip_prefix_len': 0,
144 'srcport_or_icmptype_first': 0,
145 'srcport_or_icmptype_last': 65535,
146 'dstport_or_icmpcode_first': 0,
147 'dstport_or_icmpcode_last': 65535,
148 'proto': 0,
149 }
150 return new_rule
151
152 def send(self, side):
153 self.ifs[side].add_stream(self.pkt(side))
154 self.ifs[1-side].enable_capture()
155 self.testcase.pg_start()
156
157 def recv(self, side):
158 p = self.ifs[side].wait_for_packet(1)
159 return p
160
161 def send_through(self, side):
162 self.send(side)
163 p = self.recv(1-side)
164 return p
165
166 def send_pingpong(self, side):
167 p1 = self.send_through(side)
168 p2 = self.send_through(1-side)
169 return [p1, p2]
170
171
172@unittest.skipUnless(running_extended_tests(), "part of extended tests")
173class ACLPluginConnTestCase(VppTestCase):
174 """ ACL plugin connection-oriented extended testcases """
175
176 @classmethod
177 def setUpClass(self):
178 super(ACLPluginConnTestCase, self).setUpClass()
179 # create pg0 and pg1
180 self.create_pg_interfaces(range(2))
181 for i in self.pg_interfaces:
182 i.admin_up()
183 i.config_ip4()
184 i.config_ip6()
185 i.resolve_arp()
186 i.resolve_ndp()
187
Andrew Yourtchenko7f4d5772017-05-24 13:20:47 +0200[diff] [blame]188 def tearDown(self):
189 """Run standard test teardown and log various show commands
190 """
191 super(ACLPluginConnTestCase, self).tearDown()
192 if not self.vpp_dead:
193 self.logger.info(self.vapi.cli("show ip arp"))
194 self.logger.info(self.vapi.cli("show ip6 neighbors"))
195 self.logger.info(self.vapi.cli("show acl-plugin sessions"))
196 self.logger.info(self.vapi.cli("show acl-plugin acl"))
197 self.logger.info(self.vapi.cli("show acl-plugin interface"))
198 self.logger.info(self.vapi.cli("show acl-plugin tables"))
199
Andrew Yourtchenko57d7dbc2017-05-02 20:08:51 +0200[diff] [blame]200 def api_acl_add_replace(self, acl_index, r, count=-1, tag="",
201 expected_retval=0):
202 """Add/replace an ACL
203
204 :param int acl_index: ACL index to replace, 4294967295 to create new.
205 :param acl_rule r: ACL rules array.
206 :param str tag: symbolic tag (description) for this ACL.
207 :param int count: number of rules.
208 """
209 if (count < 0):
210 count = len(r)
211 return self.vapi.api(self.vapi.papi.acl_add_replace,
212 {'acl_index': acl_index,
213 'r': r,
214 'count': count,
215 'tag': tag
216 }, expected_retval=expected_retval)
217
218 def api_acl_interface_set_acl_list(self, sw_if_index, count, n_input, acls,
219 expected_retval=0):
220 return self.vapi.api(self.vapi.papi.acl_interface_set_acl_list,
221 {'sw_if_index': sw_if_index,
222 'count': count,
223 'n_input': n_input,
224 'acls': acls
225 }, expected_retval=expected_retval)
226
227 def api_acl_dump(self, acl_index, expected_retval=0):
228 return self.vapi.api(self.vapi.papi.acl_dump,
229 {'acl_index': acl_index},
230 expected_retval=expected_retval)
231
232 def run_basic_conn_test(self, af, acl_side):
233 """ Basic conn timeout test """
234 conn1 = Conn(self, self.pg0, self.pg1, af, UDP, 42001, 4242)
235 conn1.apply_acls(0, acl_side)
236 conn1.send_through(0)
237 # the return packets should pass
238 conn1.send_through(1)
239 # send some packets on conn1, ensure it doesn't go away
240 for i in IterateWithSleep(self, 20, "Keep conn active", 0.3):
241 conn1.send_through(1)
242 # allow the conn to time out
243 for i in IterateWithSleep(self, 30, "Wait for timeout", 0.1):
244 pass
245 # now try to send a packet on the reflected side
246 try:
247 p2 = conn1.send_through(1).command()
248 except:
249 # If we asserted while waiting, it's good.
250 # the conn should have timed out.
251 p2 = None
252 self.assert_equal(p2, None, "packet on long-idle conn")
253
254 def run_active_conn_test(self, af, acl_side):
255 """ Idle connection behind active connection test """
256 base = 10000 + 1000*acl_side
257 conn1 = Conn(self, self.pg0, self.pg1, af, UDP, base + 1, 2323)
258 conn2 = Conn(self, self.pg0, self.pg1, af, UDP, base + 2, 2323)
259 conn3 = Conn(self, self.pg0, self.pg1, af, UDP, base + 3, 2323)
260 conn1.apply_acls(0, acl_side)
261 conn1.send(0)
262 conn1.recv(1)
263 # create and check that the conn2/3 work
264 self.sleep(0.1)
265 conn2.send_pingpong(0)
266 self.sleep(0.1)
267 conn3.send_pingpong(0)
268 # send some packets on conn1, keep conn2/3 idle
269 for i in IterateWithSleep(self, 20, "Keep conn active", 0.2):
270 conn1.send_through(1)
271 try:
272 p2 = conn2.send_through(1).command()
273 except:
274 # If we asserted while waiting, it's good.
275 # the conn should have timed out.
276 p2 = None
277 # We should have not received the packet on a long-idle
278 # connection, because it should have timed out
279 # If it didn't - it is a problem
280 self.assert_equal(p2, None, "packet on long-idle conn")
281
Andrew Yourtchenkoeb467542017-06-21 11:24:25 +0200[diff] [blame^]282 def run_clear_conn_test(self, af, acl_side):
283 """ Clear the connections via CLI """
284 conn1 = Conn(self, self.pg0, self.pg1, af, UDP, 42001, 4242)
285 conn1.apply_acls(0, acl_side)
286 conn1.send_through(0)
287 # the return packets should pass
288 conn1.send_through(1)
289 # send some packets on conn1, ensure it doesn't go away
290 for i in IterateWithSleep(self, 20, "Keep conn active", 0.3):
291 conn1.send_through(1)
292 # clear all connections
293 self.vapi.ppcli("clear acl-plugin sessions")
294 # now try to send a packet on the reflected side
295 try:
296 p2 = conn1.send_through(1).command()
297 except:
298 # If we asserted while waiting, it's good.
299 # the conn should have timed out.
300 p2 = None
301 self.assert_equal(p2, None, "packet on supposedly deleted conn")
302
Andrew Yourtchenko57d7dbc2017-05-02 20:08:51 +0200[diff] [blame]303 def test_0000_conn_prepare_test(self):
304 """ Prepare the settings """
305 self.vapi.ppcli("set acl-plugin session timeout udp idle 1")
306
307 def test_0001_basic_conn_test(self):
308 """ IPv4: Basic conn timeout test reflect on ingress """
309 self.run_basic_conn_test(AF_INET, 0)
310
311 def test_0002_basic_conn_test(self):
312 """ IPv4: Basic conn timeout test reflect on egress """
313 self.run_basic_conn_test(AF_INET, 1)
314
Andrew Yourtchenkoeb467542017-06-21 11:24:25 +0200[diff] [blame^]315 def test_0005_clear_conn_test(self):
316 """ IPv4: reflect egress, clear conn """
317 self.run_clear_conn_test(AF_INET, 1)
318
319 def test_0006_clear_conn_test(self):
320 """ IPv4: reflect ingress, clear conn """
321 self.run_clear_conn_test(AF_INET, 0)
322
Andrew Yourtchenko57d7dbc2017-05-02 20:08:51 +0200[diff] [blame]323 def test_0011_active_conn_test(self):
324 """ IPv4: Idle conn behind active conn, reflect on ingress """
325 self.run_active_conn_test(AF_INET, 0)
326
327 def test_0012_active_conn_test(self):
328 """ IPv4: Idle conn behind active conn, reflect on egress """
329 self.run_active_conn_test(AF_INET, 1)
330
331 def test_1001_basic_conn_test(self):
332 """ IPv6: Basic conn timeout test reflect on ingress """
333 self.run_basic_conn_test(AF_INET6, 0)
334
335 def test_1002_basic_conn_test(self):
336 """ IPv6: Basic conn timeout test reflect on egress """
337 self.run_basic_conn_test(AF_INET6, 1)
338
Andrew Yourtchenkoeb467542017-06-21 11:24:25 +0200[diff] [blame^]339 def test_1005_clear_conn_test(self):
340 """ IPv6: reflect egress, clear conn """
341 self.run_clear_conn_test(AF_INET6, 1)
342
343 def test_1006_clear_conn_test(self):
344 """ IPv6: reflect ingress, clear conn """
345 self.run_clear_conn_test(AF_INET6, 0)
346
Andrew Yourtchenko57d7dbc2017-05-02 20:08:51 +0200[diff] [blame]347 def test_1011_active_conn_test(self):
348 """ IPv6: Idle conn behind active conn, reflect on ingress """
349 self.run_active_conn_test(AF_INET6, 0)
350
351 def test_1012_active_conn_test(self):
352 """ IPv6: Idle conn behind active conn, reflect on egress """
353 self.run_active_conn_test(AF_INET6, 1)