2 """ACL plugin Test Case HLD:
8 from scapy.packet import Raw
9 from scapy.layers.l2 import Ether
10 from scapy.layers.inet import IP, TCP, UDP, ICMP
11 from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
12 from scapy.layers.inet6 import IPv6ExtHdrFragment
13 from framework import VppTestCase, VppTestRunner
14 from util import Host, ppp
15 from ipaddress import IPv4Network, IPv6Network
17 from vpp_lo_interface import VppLoInterface
18 from vpp_acl import AclRule, VppAcl, VppAclInterface, VppEtypeWhitelist
19 from vpp_ip import INVALID_INDEX
22 class TestACLplugin(VppTestCase):
23 """ ACL plugin Test Case """
39 proto = [[6, 17], [1, 58]]
40 proto_map = {1: 'ICMP', 58: 'ICMPv6EchoRequest', 6: 'TCP', 17: 'UDP'}
52 udp_sport_to = udp_sport_from + 5
53 udp_dport_from = 20000
54 udp_dport_to = udp_dport_from + 5000
56 tcp_sport_to = tcp_sport_from + 5
57 tcp_dport_from = 40000
58 tcp_dport_to = tcp_dport_from + 5000
61 udp_sport_to_2 = udp_sport_from_2 + 5
62 udp_dport_from_2 = 30000
63 udp_dport_to_2 = udp_dport_from_2 + 5000
64 tcp_sport_from_2 = 130
65 tcp_sport_to_2 = tcp_sport_from_2 + 5
66 tcp_dport_from_2 = 20000
67 tcp_dport_to_2 = tcp_dport_from_2 + 5000
69 icmp4_type = 8 # echo request
71 icmp6_type = 128 # echo request
87 Perform standard class setup (defined by class method setUpClass in
88 class VppTestCase) before running the test case, set test case related
89 variables and configure VPP.
91 super(TestACLplugin, cls).setUpClass()
94 # Create 2 pg interfaces
95 cls.create_pg_interfaces(range(2))
97 # Packet flows mapping pg0 -> pg1, pg2 etc.
99 cls.flows[cls.pg0] = [cls.pg1]
102 cls.pg_if_packet_sizes = [64, 512, 1518, 9018]
104 # Create BD with MAC learning and unknown unicast flooding disabled
105 # and put interfaces to this BD
106 cls.vapi.bridge_domain_add_del(bd_id=cls.bd_id, uu_flood=1,
108 for pg_if in cls.pg_interfaces:
109 cls.vapi.sw_interface_set_l2_bridge(
110 rx_sw_if_index=pg_if.sw_if_index, bd_id=cls.bd_id)
112 # Set up all interfaces
113 for i in cls.pg_interfaces:
116 # Mapping between packet-generator index and lists of test hosts
117 cls.hosts_by_pg_idx = dict()
118 for pg_if in cls.pg_interfaces:
119 cls.hosts_by_pg_idx[pg_if.sw_if_index] = []
121 # Create list of deleted hosts
122 cls.deleted_hosts_by_pg_idx = dict()
123 for pg_if in cls.pg_interfaces:
124 cls.deleted_hosts_by_pg_idx[pg_if.sw_if_index] = []
126 # warm-up the mac address tables
130 n_int = len(cls.pg_interfaces)
131 macs_per_if = count // n_int
133 for pg_if in cls.pg_interfaces:
135 start_nr = macs_per_if * i + start
136 end_nr = count + start if i == (n_int - 1) \
137 else macs_per_if * (i + 1) + start
138 hosts = cls.hosts_by_pg_idx[pg_if.sw_if_index]
139 for j in range(int(start_nr), int(end_nr)):
141 "00:00:00:ff:%02x:%02x" % (pg_if.sw_if_index, j),
142 "172.17.1%02x.%u" % (pg_if.sw_if_index, j),
143 "2017:dead:%02x::%u" % (pg_if.sw_if_index, j))
147 super(TestACLplugin, cls).tearDownClass()
151 def tearDownClass(cls):
152 super(TestACLplugin, cls).tearDownClass()
155 super(TestACLplugin, self).setUp()
156 self.reset_packet_infos()
160 Show various debug prints after each test.
162 super(TestACLplugin, self).tearDown()
164 def show_commands_at_teardown(self):
165 cli = "show vlib graph l2-input-feat-arc"
166 self.logger.info(self.vapi.ppcli(cli))
167 cli = "show vlib graph l2-input-feat-arc-end"
168 self.logger.info(self.vapi.ppcli(cli))
169 cli = "show vlib graph l2-output-feat-arc"
170 self.logger.info(self.vapi.ppcli(cli))
171 cli = "show vlib graph l2-output-feat-arc-end"
172 self.logger.info(self.vapi.ppcli(cli))
173 self.logger.info(self.vapi.ppcli("show l2fib verbose"))
174 self.logger.info(self.vapi.ppcli("show acl-plugin acl"))
175 self.logger.info(self.vapi.ppcli("show acl-plugin interface"))
176 self.logger.info(self.vapi.ppcli("show acl-plugin tables"))
177 self.logger.info(self.vapi.ppcli("show bridge-domain %s detail"
180 def create_rule(self, ip=0, permit_deny=0, ports=PORTS_ALL, proto=-1,
184 src_prefix = IPv6Network((s_ip, s_prefix))
185 dst_prefix = IPv6Network((d_ip, d_prefix))
187 src_prefix = IPv4Network((s_ip, s_prefix))
188 dst_prefix = IPv4Network((d_ip, d_prefix))
189 return AclRule(is_permit=permit_deny, ports=ports, proto=proto,
190 src_prefix=src_prefix, dst_prefix=dst_prefix)
192 def apply_rules(self, rules, tag=None):
193 acl = VppAcl(self, rules, tag=tag)
195 self.logger.info("Dumped ACL: " + str(acl.dump()))
196 # Apply a ACL on the interface as inbound
197 for i in self.pg_interfaces:
198 acl_if = VppAclInterface(
199 self, sw_if_index=i.sw_if_index, n_input=1, acls=[acl])
200 acl_if.add_vpp_config()
203 def apply_rules_to(self, rules, tag=None, sw_if_index=INVALID_INDEX):
204 acl = VppAcl(self, rules, tag=tag)
206 self.logger.info("Dumped ACL: " + str(acl.dump()))
207 # Apply a ACL on the interface as inbound
208 acl_if = VppAclInterface(self, sw_if_index=sw_if_index, n_input=1,
212 def etype_whitelist(self, whitelist, n_input, add=True):
213 # Apply whitelists on all the interfaces
216 for i in self.pg_interfaces:
217 self._wl.append(VppEtypeWhitelist(
218 self, sw_if_index=i.sw_if_index, whitelist=whitelist,
219 n_input=n_input).add_vpp_config())
221 if hasattr(self, "_wl"):
223 wl.remove_vpp_config()
225 def create_upper_layer(self, packet_index, proto, ports=0):
226 p = self.proto_map[proto]
229 return UDP(sport=random.randint(self.udp_sport_from,
231 dport=random.randint(self.udp_dport_from,
234 return UDP(sport=ports, dport=ports)
237 return TCP(sport=random.randint(self.tcp_sport_from,
239 dport=random.randint(self.tcp_dport_from,
242 return TCP(sport=ports, dport=ports)
245 def create_stream(self, src_if, packet_sizes, traffic_type=0, ipv6=0,
246 proto=-1, ports=0, fragments=False,
247 pkt_raw=True, etype=-1):
249 Create input packet stream for defined interface using hosts or
252 :param object src_if: Interface to create packet stream for.
253 :param list packet_sizes: List of required packet sizes.
254 :param traffic_type: 1: ICMP packet, 2: IPv6 with EH, 0: otherwise.
255 :return: Stream of packets.
258 if self.flows.__contains__(src_if):
259 src_hosts = self.hosts_by_pg_idx[src_if.sw_if_index]
260 for dst_if in self.flows[src_if]:
261 dst_hosts = self.hosts_by_pg_idx[dst_if.sw_if_index]
262 n_int = len(dst_hosts) * len(src_hosts)
263 for i in range(0, n_int):
264 dst_host = dst_hosts[int(i / len(src_hosts))]
265 src_host = src_hosts[i % len(src_hosts)]
266 pkt_info = self.create_packet_info(src_if, dst_if)
272 pkt_info.ip = random.choice([0, 1])
274 pkt_info.proto = random.choice(self.proto[self.IP])
276 pkt_info.proto = proto
277 payload = self.info_to_payload(pkt_info)
278 p = Ether(dst=dst_host.mac, src=src_host.mac)
280 p = Ether(dst=dst_host.mac,
284 p /= IPv6(dst=dst_host.ip6, src=src_host.ip6)
286 p /= IPv6ExtHdrFragment(offset=64, m=1)
289 p /= IP(src=src_host.ip4, dst=dst_host.ip4,
292 p /= IP(src=src_host.ip4, dst=dst_host.ip4)
293 if traffic_type == self.ICMP:
295 p /= ICMPv6EchoRequest(type=self.icmp6_type,
296 code=self.icmp6_code)
298 p /= ICMP(type=self.icmp4_type,
299 code=self.icmp4_code)
301 p /= self.create_upper_layer(i, pkt_info.proto, ports)
304 pkt_info.data = p.copy()
306 size = random.choice(packet_sizes)
307 self.extend_packet(p, size)
311 def verify_capture(self, pg_if, capture,
312 traffic_type=0, ip_type=0, etype=-1):
314 Verify captured input packet stream for defined interface.
316 :param object pg_if: Interface to verify captured packet stream for.
317 :param list capture: Captured packet stream.
318 :param traffic_type: 1: ICMP packet, 2: IPv6 with EH, 0: otherwise.
321 for i in self.pg_interfaces:
322 last_info[i.sw_if_index] = None
323 dst_sw_if_index = pg_if.sw_if_index
324 for packet in capture:
326 if packet[Ether].type != etype:
327 self.logger.error(ppp("Unexpected ethertype in packet:",
332 # Raw data for ICMPv6 are stored in ICMPv6EchoRequest.data
333 if traffic_type == self.ICMP and ip_type == self.IPV6:
334 payload_info = self.payload_to_info(
335 packet[ICMPv6EchoRequest], 'data')
336 payload = packet[ICMPv6EchoRequest]
338 payload_info = self.payload_to_info(packet[Raw])
339 payload = packet[self.proto_map[payload_info.proto]]
341 self.logger.error(ppp("Unexpected or invalid packet "
342 "(outside network):", packet))
346 self.assertEqual(payload_info.ip, ip_type)
347 if traffic_type == self.ICMP:
349 if payload_info.ip == 0:
350 self.assertEqual(payload.type, self.icmp4_type)
351 self.assertEqual(payload.code, self.icmp4_code)
353 self.assertEqual(payload.type, self.icmp6_type)
354 self.assertEqual(payload.code, self.icmp6_code)
356 self.logger.error(ppp("Unexpected or invalid packet "
357 "(outside network):", packet))
361 ip_version = IPv6 if payload_info.ip == 1 else IP
363 ip = packet[ip_version]
364 packet_index = payload_info.index
366 self.assertEqual(payload_info.dst, dst_sw_if_index)
367 self.logger.debug("Got packet on port %s: src=%u (id=%u)" %
368 (pg_if.name, payload_info.src,
370 next_info = self.get_next_packet_info_for_interface2(
371 payload_info.src, dst_sw_if_index,
372 last_info[payload_info.src])
373 last_info[payload_info.src] = next_info
374 self.assertTrue(next_info is not None)
375 self.assertEqual(packet_index, next_info.index)
376 saved_packet = next_info.data
377 # Check standard fields
378 self.assertEqual(ip.src, saved_packet[ip_version].src)
379 self.assertEqual(ip.dst, saved_packet[ip_version].dst)
380 p = self.proto_map[payload_info.proto]
383 self.assertEqual(tcp.sport, saved_packet[
385 self.assertEqual(tcp.dport, saved_packet[
389 self.assertEqual(udp.sport, saved_packet[
391 self.assertEqual(udp.dport, saved_packet[
394 self.logger.error(ppp("Unexpected or invalid packet:",
397 for i in self.pg_interfaces:
398 remaining_packet = self.get_next_packet_info_for_interface2(
399 i, dst_sw_if_index, last_info[i.sw_if_index])
401 remaining_packet is None,
402 "Port %u: Packet expected from source %u didn't arrive" %
403 (dst_sw_if_index, i.sw_if_index))
405 def run_traffic_no_check(self):
407 # Create incoming packet streams for packet-generator interfaces
408 for i in self.pg_interfaces:
409 if self.flows.__contains__(i):
410 pkts = self.create_stream(i, self.pg_if_packet_sizes)
414 # Enable packet capture and start packet sending
415 self.pg_enable_capture(self.pg_interfaces)
418 def run_verify_test(self, traffic_type=0, ip_type=0, proto=-1, ports=0,
419 frags=False, pkt_raw=True, etype=-1):
421 # Create incoming packet streams for packet-generator interfaces
423 for i in self.pg_interfaces:
424 if self.flows.__contains__(i):
425 pkts = self.create_stream(i, self.pg_if_packet_sizes,
426 traffic_type, ip_type, proto, ports,
427 frags, pkt_raw, etype)
430 pkts_cnt += len(pkts)
432 # Enable packet capture and start packet sendingself.IPV
433 self.pg_enable_capture(self.pg_interfaces)
435 self.logger.info("sent packets count: %d" % pkts_cnt)
438 # Verify outgoing packet streams per packet-generator interface
439 for src_if in self.pg_interfaces:
440 if self.flows.__contains__(src_if):
441 for dst_if in self.flows[src_if]:
442 capture = dst_if.get_capture(pkts_cnt)
443 self.logger.info("Verifying capture on interface %s" %
445 self.verify_capture(dst_if, capture,
446 traffic_type, ip_type, etype)
448 def run_verify_negat_test(self, traffic_type=0, ip_type=0, proto=-1,
449 ports=0, frags=False, etype=-1):
452 self.reset_packet_infos()
453 for i in self.pg_interfaces:
454 if self.flows.__contains__(i):
455 pkts = self.create_stream(i, self.pg_if_packet_sizes,
456 traffic_type, ip_type, proto, ports,
460 pkts_cnt += len(pkts)
462 # Enable packet capture and start packet sending
463 self.pg_enable_capture(self.pg_interfaces)
465 self.logger.info("sent packets count: %d" % pkts_cnt)
468 # Verify outgoing packet streams per packet-generator interface
469 for src_if in self.pg_interfaces:
470 if self.flows.__contains__(src_if):
471 for dst_if in self.flows[src_if]:
472 self.logger.info("Verifying capture on interface %s" %
474 capture = dst_if.get_capture(0)
475 self.assertEqual(len(capture), 0)
477 def test_0000_warmup_test(self):
478 """ ACL plugin version check; learn MACs
480 reply = self.vapi.papi.acl_plugin_get_version()
481 self.assertEqual(reply.major, 1)
482 self.logger.info("Working with ACL plugin version: %d.%d" % (
483 reply.major, reply.minor))
484 # minor version changes are non breaking
485 # self.assertEqual(reply.minor, 0)
487 def test_0001_acl_create(self):
488 """ ACL create/delete test
491 self.logger.info("ACLP_TEST_START_0001")
492 # Create a permit-1234 ACL
493 r = [AclRule(is_permit=1, proto=17, ports=1234)]
495 # Test 1: add a new ACL
496 first_acl = VppAcl(self, rules=r, tag="permit 1234")
497 first_acl.add_vpp_config()
498 self.assertTrue(first_acl.query_vpp_config())
499 # The very first ACL gets #0
500 self.assertEqual(first_acl.acl_index, 0)
501 rr = first_acl.dump()
502 self.logger.info("Dumped ACL: " + str(rr))
503 self.assertEqual(len(rr), 1)
504 # We should have the same number of ACL entries as we had asked
505 self.assertEqual(len(rr[0].r), len(r))
506 # The rules should be the same. But because the submitted and returned
507 # are different types, we need to iterate over rules and keys to get
509 for i_rule in range(0, len(r) - 1):
510 encoded_rule = r[i_rule].encode()
511 for rule_key in encoded_rule:
512 self.assertEqual(rr[0].r[i_rule][rule_key],
513 encoded_rule[rule_key])
515 # Create a deny-1234 ACL
516 r_deny = [AclRule(is_permit=0, proto=17, ports=1234),
517 AclRule(is_permit=1, proto=17, ports=0)]
518 r_deny[0].sport_to = 1235
519 second_acl = VppAcl(self, rules=r_deny, tag="deny 1234;permit all")
520 second_acl.add_vpp_config()
521 self.assertTrue(second_acl.query_vpp_config())
522 # The second ACL gets #1
523 self.assertEqual(second_acl.acl_index, 1)
525 # Test 2: try to modify a nonexistent ACL
526 invalid_acl = VppAcl(self, acl_index=432, rules=r, tag="FFFF:FFFF")
527 reply = invalid_acl.add_vpp_config(expect_error=True)
529 # apply an ACL on an interface inbound, try to delete ACL, must fail
530 acl_if_list = VppAclInterface(
531 self, sw_if_index=self.pg0.sw_if_index, n_input=1,
533 acl_if_list.add_vpp_config()
534 first_acl.remove_vpp_config(expect_error=True)
535 # Unapply an ACL and then try to delete it - must be ok
536 acl_if_list.remove_vpp_config()
537 first_acl.remove_vpp_config()
539 # apply an ACL on an interface inbound, try to delete ACL, must fail
540 acl_if_list = VppAclInterface(
541 self, sw_if_index=self.pg0.sw_if_index, n_input=0,
543 acl_if_list.add_vpp_config()
544 second_acl.remove_vpp_config(expect_error=True)
545 # Unapply an ACL and then try to delete it - must be ok
546 acl_if_list.remove_vpp_config()
547 second_acl.remove_vpp_config()
549 # try to apply a nonexistent ACL - must fail
550 acl_if_list = VppAclInterface(
551 self, sw_if_index=self.pg0.sw_if_index, n_input=0,
553 acl_if_list.add_vpp_config(expect_error=True)
555 self.logger.info("ACLP_TEST_FINISH_0001")
557 def test_0002_acl_permit_apply(self):
558 """ permit ACL apply test
560 self.logger.info("ACLP_TEST_START_0002")
563 rules.append(self.create_rule(self.IPV4, self.PERMIT,
564 0, self.proto[self.IP][self.UDP]))
565 rules.append(self.create_rule(self.IPV4, self.PERMIT,
566 0, self.proto[self.IP][self.TCP]))
569 acl_idx = self.apply_rules(rules, "permit per-flow")
572 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
574 # Traffic should still pass
575 self.run_verify_test(self.IP, self.IPV4, -1)
577 matches = self.statistics.get_counter('/acl/%d/matches' % acl_idx)
578 self.logger.info("stat segment counters: %s" % repr(matches))
579 cli = "show acl-plugin acl"
580 self.logger.info(self.vapi.ppcli(cli))
581 cli = "show acl-plugin tables"
582 self.logger.info(self.vapi.ppcli(cli))
584 total_hits = matches[0][0]['packets'] + matches[0][1]['packets']
585 self.assertEqual(total_hits, 64)
588 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=0)
590 self.logger.info("ACLP_TEST_FINISH_0002")
592 def test_0003_acl_deny_apply(self):
593 """ deny ACL apply test
595 self.logger.info("ACLP_TEST_START_0003")
596 # Add a deny-flows ACL
598 rules.append(self.create_rule(
599 self.IPV4, self.DENY, self.PORTS_ALL,
600 self.proto[self.IP][self.UDP]))
601 # Permit ip any any in the end
602 rules.append(self.create_rule(self.IPV4, self.PERMIT,
606 acl_idx = self.apply_rules(rules, "deny per-flow;permit all")
609 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
611 # Traffic should not pass
612 self.run_verify_negat_test(self.IP, self.IPV4,
613 self.proto[self.IP][self.UDP])
615 matches = self.statistics.get_counter('/acl/%d/matches' % acl_idx)
616 self.logger.info("stat segment counters: %s" % repr(matches))
617 cli = "show acl-plugin acl"
618 self.logger.info(self.vapi.ppcli(cli))
619 cli = "show acl-plugin tables"
620 self.logger.info(self.vapi.ppcli(cli))
621 self.assertEqual(matches[0][0]['packets'], 64)
623 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=0)
624 self.logger.info("ACLP_TEST_FINISH_0003")
625 # self.assertEqual(, 0)
627 def test_0004_vpp624_permit_icmpv4(self):
628 """ VPP_624 permit ICMPv4
630 self.logger.info("ACLP_TEST_START_0004")
634 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
635 self.proto[self.ICMP][self.ICMPv4]))
636 # deny ip any any in the end
637 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
640 self.apply_rules(rules, "permit icmpv4")
642 # Traffic should still pass
643 self.run_verify_test(self.ICMP, self.IPV4,
644 self.proto[self.ICMP][self.ICMPv4])
646 self.logger.info("ACLP_TEST_FINISH_0004")
648 def test_0005_vpp624_permit_icmpv6(self):
649 """ VPP_624 permit ICMPv6
651 self.logger.info("ACLP_TEST_START_0005")
655 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_RANGE,
656 self.proto[self.ICMP][self.ICMPv6]))
657 # deny ip any any in the end
658 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
661 self.apply_rules(rules, "permit icmpv6")
663 # Traffic should still pass
664 self.run_verify_test(self.ICMP, self.IPV6,
665 self.proto[self.ICMP][self.ICMPv6])
667 self.logger.info("ACLP_TEST_FINISH_0005")
669 def test_0006_vpp624_deny_icmpv4(self):
670 """ VPP_624 deny ICMPv4
672 self.logger.info("ACLP_TEST_START_0006")
675 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE,
676 self.proto[self.ICMP][self.ICMPv4]))
677 # permit ip any any in the end
678 rules.append(self.create_rule(self.IPV4, self.PERMIT,
682 self.apply_rules(rules, "deny icmpv4")
684 # Traffic should not pass
685 self.run_verify_negat_test(self.ICMP, self.IPV4, 0)
687 self.logger.info("ACLP_TEST_FINISH_0006")
689 def test_0007_vpp624_deny_icmpv6(self):
690 """ VPP_624 deny ICMPv6
692 self.logger.info("ACLP_TEST_START_0007")
695 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE,
696 self.proto[self.ICMP][self.ICMPv6]))
697 # deny ip any any in the end
698 rules.append(self.create_rule(self.IPV6, self.PERMIT,
702 self.apply_rules(rules, "deny icmpv6")
704 # Traffic should not pass
705 self.run_verify_negat_test(self.ICMP, self.IPV6, 0)
707 self.logger.info("ACLP_TEST_FINISH_0007")
709 def test_0008_tcp_permit_v4(self):
712 self.logger.info("ACLP_TEST_START_0008")
716 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
717 self.proto[self.IP][self.TCP]))
718 # deny ip any any in the end
719 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
722 self.apply_rules(rules, "permit ipv4 tcp")
724 # Traffic should still pass
725 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
727 self.logger.info("ACLP_TEST_FINISH_0008")
729 def test_0009_tcp_permit_v6(self):
732 self.logger.info("ACLP_TEST_START_0009")
736 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_RANGE,
737 self.proto[self.IP][self.TCP]))
738 # deny ip any any in the end
739 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
742 self.apply_rules(rules, "permit ip6 tcp")
744 # Traffic should still pass
745 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
747 self.logger.info("ACLP_TEST_FINISH_0008")
749 def test_0010_udp_permit_v4(self):
752 self.logger.info("ACLP_TEST_START_0010")
756 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
757 self.proto[self.IP][self.UDP]))
758 # deny ip any any in the end
759 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
762 self.apply_rules(rules, "permit ipv udp")
764 # Traffic should still pass
765 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
767 self.logger.info("ACLP_TEST_FINISH_0010")
769 def test_0011_udp_permit_v6(self):
772 self.logger.info("ACLP_TEST_START_0011")
776 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_RANGE,
777 self.proto[self.IP][self.UDP]))
778 # deny ip any any in the end
779 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
782 self.apply_rules(rules, "permit ip6 udp")
784 # Traffic should still pass
785 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
787 self.logger.info("ACLP_TEST_FINISH_0011")
789 def test_0012_tcp_deny(self):
792 self.logger.info("ACLP_TEST_START_0012")
796 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE,
797 self.proto[self.IP][self.TCP]))
798 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE,
799 self.proto[self.IP][self.TCP]))
800 # permit ip any any in the end
801 rules.append(self.create_rule(self.IPV4, self.PERMIT,
803 rules.append(self.create_rule(self.IPV6, self.PERMIT,
807 self.apply_rules(rules, "deny ip4/ip6 tcp")
809 # Traffic should not pass
810 self.run_verify_negat_test(self.IP, self.IPRANDOM,
811 self.proto[self.IP][self.TCP])
813 self.logger.info("ACLP_TEST_FINISH_0012")
815 def test_0013_udp_deny(self):
818 self.logger.info("ACLP_TEST_START_0013")
822 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE,
823 self.proto[self.IP][self.UDP]))
824 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE,
825 self.proto[self.IP][self.UDP]))
826 # permit ip any any in the end
827 rules.append(self.create_rule(self.IPV4, self.PERMIT,
829 rules.append(self.create_rule(self.IPV6, self.PERMIT,
833 self.apply_rules(rules, "deny ip4/ip6 udp")
835 # Traffic should not pass
836 self.run_verify_negat_test(self.IP, self.IPRANDOM,
837 self.proto[self.IP][self.UDP])
839 self.logger.info("ACLP_TEST_FINISH_0013")
841 def test_0014_acl_dump(self):
842 """ verify add/dump acls
844 self.logger.info("ACLP_TEST_START_0014")
846 r = [[self.IPV4, self.PERMIT, 1234, self.proto[self.IP][self.TCP]],
847 [self.IPV4, self.PERMIT, 2345, self.proto[self.IP][self.UDP]],
848 [self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.TCP]],
849 [self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.UDP]],
850 [self.IPV4, self.PERMIT, 5, self.proto[self.ICMP][self.ICMPv4]],
851 [self.IPV6, self.PERMIT, 4321, self.proto[self.IP][self.TCP]],
852 [self.IPV6, self.PERMIT, 5432, self.proto[self.IP][self.UDP]],
853 [self.IPV6, self.PERMIT, 0, self.proto[self.IP][self.TCP]],
854 [self.IPV6, self.PERMIT, 0, self.proto[self.IP][self.UDP]],
855 [self.IPV6, self.PERMIT, 6, self.proto[self.ICMP][self.ICMPv6]],
856 [self.IPV4, self.DENY, self.PORTS_ALL, 0],
857 [self.IPV4, self.DENY, 1234, self.proto[self.IP][self.TCP]],
858 [self.IPV4, self.DENY, 2345, self.proto[self.IP][self.UDP]],
859 [self.IPV4, self.DENY, 5, self.proto[self.ICMP][self.ICMPv4]],
860 [self.IPV6, self.DENY, 4321, self.proto[self.IP][self.TCP]],
861 [self.IPV6, self.DENY, 5432, self.proto[self.IP][self.UDP]],
862 [self.IPV6, self.DENY, 6, self.proto[self.ICMP][self.ICMPv6]],
863 [self.IPV6, self.DENY, self.PORTS_ALL, 0]
866 # Add and verify new ACLs
868 for i in range(len(r)):
869 rules.append(self.create_rule(r[i][0], r[i][1], r[i][2], r[i][3]))
871 acl = VppAcl(self, rules=rules)
876 for drules in result:
878 self.assertEqual(dr.is_permit, r[i][1])
879 self.assertEqual(dr.proto, r[i][3])
882 self.assertEqual(dr.srcport_or_icmptype_first, r[i][2])
885 self.assertEqual(dr.srcport_or_icmptype_first, 0)
886 self.assertEqual(dr.srcport_or_icmptype_last, 65535)
888 if dr.proto == self.proto[self.IP][self.TCP]:
889 self.assertGreater(dr.srcport_or_icmptype_first,
890 self.tcp_sport_from-1)
891 self.assertLess(dr.srcport_or_icmptype_first,
893 self.assertGreater(dr.dstport_or_icmpcode_last,
894 self.tcp_dport_from-1)
895 self.assertLess(dr.dstport_or_icmpcode_last,
897 elif dr.proto == self.proto[self.IP][self.UDP]:
898 self.assertGreater(dr.srcport_or_icmptype_first,
899 self.udp_sport_from-1)
900 self.assertLess(dr.srcport_or_icmptype_first,
902 self.assertGreater(dr.dstport_or_icmpcode_last,
903 self.udp_dport_from-1)
904 self.assertLess(dr.dstport_or_icmpcode_last,
908 self.logger.info("ACLP_TEST_FINISH_0014")
910 def test_0015_tcp_permit_port_v4(self):
911 """ permit single TCPv4
913 self.logger.info("ACLP_TEST_START_0015")
915 port = random.randint(16384, 65535)
918 rules.append(self.create_rule(self.IPV4, self.PERMIT, port,
919 self.proto[self.IP][self.TCP]))
920 # deny ip any any in the end
921 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
924 self.apply_rules(rules, "permit ip4 tcp %d" % port)
926 # Traffic should still pass
927 self.run_verify_test(self.IP, self.IPV4,
928 self.proto[self.IP][self.TCP], port)
930 self.logger.info("ACLP_TEST_FINISH_0015")
932 def test_0016_udp_permit_port_v4(self):
933 """ permit single UDPv4
935 self.logger.info("ACLP_TEST_START_0016")
937 port = random.randint(16384, 65535)
940 rules.append(self.create_rule(self.IPV4, self.PERMIT, port,
941 self.proto[self.IP][self.UDP]))
942 # deny ip any any in the end
943 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
946 self.apply_rules(rules, "permit ip4 tcp %d" % port)
948 # Traffic should still pass
949 self.run_verify_test(self.IP, self.IPV4,
950 self.proto[self.IP][self.UDP], port)
952 self.logger.info("ACLP_TEST_FINISH_0016")
954 def test_0017_tcp_permit_port_v6(self):
955 """ permit single TCPv6
957 self.logger.info("ACLP_TEST_START_0017")
959 port = random.randint(16384, 65535)
962 rules.append(self.create_rule(self.IPV6, self.PERMIT, port,
963 self.proto[self.IP][self.TCP]))
964 # deny ip any any in the end
965 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
968 self.apply_rules(rules, "permit ip4 tcp %d" % port)
970 # Traffic should still pass
971 self.run_verify_test(self.IP, self.IPV6,
972 self.proto[self.IP][self.TCP], port)
974 self.logger.info("ACLP_TEST_FINISH_0017")
976 def test_0018_udp_permit_port_v6(self):
977 """ permit single UDPv6
979 self.logger.info("ACLP_TEST_START_0018")
981 port = random.randint(16384, 65535)
984 rules.append(self.create_rule(self.IPV6, self.PERMIT, port,
985 self.proto[self.IP][self.UDP]))
986 # deny ip any any in the end
987 rules.append(self.create_rule(self.IPV6, self.DENY,
991 self.apply_rules(rules, "permit ip4 tcp %d" % port)
993 # Traffic should still pass
994 self.run_verify_test(self.IP, self.IPV6,
995 self.proto[self.IP][self.UDP], port)
997 self.logger.info("ACLP_TEST_FINISH_0018")
999 def test_0019_udp_deny_port(self):
1000 """ deny single TCPv4/v6
1002 self.logger.info("ACLP_TEST_START_0019")
1004 port = random.randint(16384, 65535)
1007 rules.append(self.create_rule(self.IPV4, self.DENY, port,
1008 self.proto[self.IP][self.TCP]))
1009 rules.append(self.create_rule(self.IPV6, self.DENY, port,
1010 self.proto[self.IP][self.TCP]))
1011 # Permit ip any any in the end
1012 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1014 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1018 self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
1020 # Traffic should not pass
1021 self.run_verify_negat_test(self.IP, self.IPRANDOM,
1022 self.proto[self.IP][self.TCP], port)
1024 self.logger.info("ACLP_TEST_FINISH_0019")
1026 def test_0020_udp_deny_port(self):
1027 """ deny single UDPv4/v6
1029 self.logger.info("ACLP_TEST_START_0020")
1031 port = random.randint(16384, 65535)
1034 rules.append(self.create_rule(self.IPV4, self.DENY, port,
1035 self.proto[self.IP][self.UDP]))
1036 rules.append(self.create_rule(self.IPV6, self.DENY, port,
1037 self.proto[self.IP][self.UDP]))
1038 # Permit ip any any in the end
1039 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1041 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1045 self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
1047 # Traffic should not pass
1048 self.run_verify_negat_test(self.IP, self.IPRANDOM,
1049 self.proto[self.IP][self.UDP], port)
1051 self.logger.info("ACLP_TEST_FINISH_0020")
1053 def test_0021_udp_deny_port_verify_fragment_deny(self):
1054 """ deny single UDPv4/v6, permit ip any, verify non-initial fragment
1057 self.logger.info("ACLP_TEST_START_0021")
1059 port = random.randint(16384, 65535)
1062 rules.append(self.create_rule(self.IPV4, self.DENY, port,
1063 self.proto[self.IP][self.UDP]))
1064 rules.append(self.create_rule(self.IPV6, self.DENY, port,
1065 self.proto[self.IP][self.UDP]))
1066 # deny ip any any in the end
1067 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1069 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1073 self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
1075 # Traffic should not pass
1076 self.run_verify_negat_test(self.IP, self.IPRANDOM,
1077 self.proto[self.IP][self.UDP], port, True)
1079 self.logger.info("ACLP_TEST_FINISH_0021")
1081 def test_0022_zero_length_udp_ipv4(self):
1082 """ VPP-687 zero length udp ipv4 packet"""
1083 self.logger.info("ACLP_TEST_START_0022")
1085 port = random.randint(16384, 65535)
1088 rules.append(self.create_rule(self.IPV4, self.PERMIT, port,
1089 self.proto[self.IP][self.UDP]))
1090 # deny ip any any in the end
1092 self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1095 self.apply_rules(rules, "permit empty udp ip4 %d" % port)
1097 # Traffic should still pass
1098 # Create incoming packet streams for packet-generator interfaces
1100 pkts = self.create_stream(self.pg0, self.pg_if_packet_sizes,
1102 self.proto[self.IP][self.UDP], port,
1105 self.pg0.add_stream(pkts)
1106 pkts_cnt += len(pkts)
1108 # Enable packet capture and start packet sendingself.IPV
1109 self.pg_enable_capture(self.pg_interfaces)
1112 self.pg1.get_capture(pkts_cnt)
1114 self.logger.info("ACLP_TEST_FINISH_0022")
1116 def test_0023_zero_length_udp_ipv6(self):
1117 """ VPP-687 zero length udp ipv6 packet"""
1118 self.logger.info("ACLP_TEST_START_0023")
1120 port = random.randint(16384, 65535)
1123 rules.append(self.create_rule(self.IPV6, self.PERMIT, port,
1124 self.proto[self.IP][self.UDP]))
1125 # deny ip any any in the end
1126 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1129 self.apply_rules(rules, "permit empty udp ip6 %d" % port)
1131 # Traffic should still pass
1132 # Create incoming packet streams for packet-generator interfaces
1134 pkts = self.create_stream(self.pg0, self.pg_if_packet_sizes,
1136 self.proto[self.IP][self.UDP], port,
1139 self.pg0.add_stream(pkts)
1140 pkts_cnt += len(pkts)
1142 # Enable packet capture and start packet sendingself.IPV
1143 self.pg_enable_capture(self.pg_interfaces)
1146 # Verify outgoing packet streams per packet-generator interface
1147 self.pg1.get_capture(pkts_cnt)
1149 self.logger.info("ACLP_TEST_FINISH_0023")
1151 def test_0108_tcp_permit_v4(self):
1152 """ permit TCPv4 + non-match range
1154 self.logger.info("ACLP_TEST_START_0108")
1158 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1159 self.proto[self.IP][self.TCP]))
1160 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1161 self.proto[self.IP][self.TCP]))
1162 # deny ip any any in the end
1163 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1166 self.apply_rules(rules, "permit ipv4 tcp")
1168 # Traffic should still pass
1169 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
1171 self.logger.info("ACLP_TEST_FINISH_0108")
1173 def test_0109_tcp_permit_v6(self):
1174 """ permit TCPv6 + non-match range
1176 self.logger.info("ACLP_TEST_START_0109")
1180 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE_2,
1181 self.proto[self.IP][self.TCP]))
1182 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_RANGE,
1183 self.proto[self.IP][self.TCP]))
1184 # deny ip any any in the end
1185 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1188 self.apply_rules(rules, "permit ip6 tcp")
1190 # Traffic should still pass
1191 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
1193 self.logger.info("ACLP_TEST_FINISH_0109")
1195 def test_0110_udp_permit_v4(self):
1196 """ permit UDPv4 + non-match range
1198 self.logger.info("ACLP_TEST_START_0110")
1202 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1203 self.proto[self.IP][self.UDP]))
1204 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1205 self.proto[self.IP][self.UDP]))
1206 # deny ip any any in the end
1207 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1210 self.apply_rules(rules, "permit ipv4 udp")
1212 # Traffic should still pass
1213 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
1215 self.logger.info("ACLP_TEST_FINISH_0110")
1217 def test_0111_udp_permit_v6(self):
1218 """ permit UDPv6 + non-match range
1220 self.logger.info("ACLP_TEST_START_0111")
1224 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE_2,
1225 self.proto[self.IP][self.UDP]))
1226 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_RANGE,
1227 self.proto[self.IP][self.UDP]))
1228 # deny ip any any in the end
1229 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1232 self.apply_rules(rules, "permit ip6 udp")
1234 # Traffic should still pass
1235 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
1237 self.logger.info("ACLP_TEST_FINISH_0111")
1239 def test_0112_tcp_deny(self):
1240 """ deny TCPv4/v6 + non-match range
1242 self.logger.info("ACLP_TEST_START_0112")
1246 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1248 self.proto[self.IP][self.TCP]))
1249 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1251 self.proto[self.IP][self.TCP]))
1252 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE,
1253 self.proto[self.IP][self.TCP]))
1254 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE,
1255 self.proto[self.IP][self.TCP]))
1256 # permit ip any any in the end
1257 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1259 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1263 self.apply_rules(rules, "deny ip4/ip6 tcp")
1265 # Traffic should not pass
1266 self.run_verify_negat_test(self.IP, self.IPRANDOM,
1267 self.proto[self.IP][self.TCP])
1269 self.logger.info("ACLP_TEST_FINISH_0112")
1271 def test_0113_udp_deny(self):
1272 """ deny UDPv4/v6 + non-match range
1274 self.logger.info("ACLP_TEST_START_0113")
1278 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1280 self.proto[self.IP][self.UDP]))
1281 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1283 self.proto[self.IP][self.UDP]))
1284 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE,
1285 self.proto[self.IP][self.UDP]))
1286 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE,
1287 self.proto[self.IP][self.UDP]))
1288 # permit ip any any in the end
1289 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1291 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1295 self.apply_rules(rules, "deny ip4/ip6 udp")
1297 # Traffic should not pass
1298 self.run_verify_negat_test(self.IP, self.IPRANDOM,
1299 self.proto[self.IP][self.UDP])
1301 self.logger.info("ACLP_TEST_FINISH_0113")
1303 def test_0300_tcp_permit_v4_etype_aaaa(self):
1304 """ permit TCPv4, send 0xAAAA etype
1306 self.logger.info("ACLP_TEST_START_0300")
1310 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1311 self.proto[self.IP][self.TCP]))
1312 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1313 self.proto[self.IP][self.TCP]))
1314 # deny ip any any in the end
1315 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1318 self.apply_rules(rules, "permit ipv4 tcp")
1320 # Traffic should still pass also for an odd ethertype
1321 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
1322 0, False, True, 0xaaaa)
1323 self.logger.info("ACLP_TEST_FINISH_0300")
1325 def test_0305_tcp_permit_v4_etype_blacklist_aaaa(self):
1326 """ permit TCPv4, whitelist 0x0BBB ethertype, send 0xAAAA-blocked
1328 self.logger.info("ACLP_TEST_START_0305")
1332 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1333 self.proto[self.IP][self.TCP]))
1334 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1335 self.proto[self.IP][self.TCP]))
1336 # deny ip any any in the end
1337 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1340 self.apply_rules(rules, "permit ipv4 tcp")
1341 # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
1342 self.etype_whitelist([0xbbb], 1)
1344 # The oddball ethertype should be blocked
1345 self.run_verify_negat_test(self.IP, self.IPV4,
1346 self.proto[self.IP][self.TCP],
1349 # remove the whitelist
1350 self.etype_whitelist([], 0, add=False)
1352 self.logger.info("ACLP_TEST_FINISH_0305")
1354 def test_0306_tcp_permit_v4_etype_blacklist_aaaa(self):
1355 """ permit TCPv4, whitelist 0x0BBB ethertype, send 0x0BBB - pass
1357 self.logger.info("ACLP_TEST_START_0306")
1361 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1362 self.proto[self.IP][self.TCP]))
1363 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1364 self.proto[self.IP][self.TCP]))
1365 # deny ip any any in the end
1366 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1369 self.apply_rules(rules, "permit ipv4 tcp")
1370 # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
1371 self.etype_whitelist([0xbbb], 1)
1373 # The whitelisted traffic, should pass
1374 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
1375 0, False, True, 0x0bbb)
1377 # remove the whitelist, the previously blocked 0xAAAA should pass now
1378 self.etype_whitelist([], 0, add=False)
1380 self.logger.info("ACLP_TEST_FINISH_0306")
1382 def test_0307_tcp_permit_v4_etype_blacklist_aaaa(self):
1383 """ permit TCPv4, whitelist 0x0BBB, remove, send 0xAAAA - pass
1385 self.logger.info("ACLP_TEST_START_0307")
1389 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1390 self.proto[self.IP][self.TCP]))
1391 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1392 self.proto[self.IP][self.TCP]))
1393 # deny ip any any in the end
1394 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1397 self.apply_rules(rules, "permit ipv4 tcp")
1399 # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
1400 self.etype_whitelist([0xbbb], 1)
1401 # remove the whitelist, the previously blocked 0xAAAA should pass now
1402 self.etype_whitelist([], 0, add=False)
1404 # The whitelisted traffic, should pass
1405 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
1406 0, False, True, 0xaaaa)
1408 self.logger.info("ACLP_TEST_FINISH_0306")
1410 def test_0315_del_intf(self):
1411 """ apply an acl and delete the interface
1413 self.logger.info("ACLP_TEST_START_0315")
1417 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1418 self.proto[self.IP][self.TCP]))
1419 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1420 self.proto[self.IP][self.TCP]))
1421 # deny ip any any in the end
1422 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1424 # create an interface
1426 intf.append(VppLoInterface(self))
1429 self.apply_rules_to(rules, "permit ipv4 tcp", intf[0].sw_if_index)
1431 # Remove the interface
1432 intf[0].remove_vpp_config()
1434 self.logger.info("ACLP_TEST_FINISH_0315")
1437 if __name__ == '__main__':
1438 unittest.main(testRunner=VppTestRunner)