2 """ACL plugin Test Case HLD:
8 from scapy.packet import Raw
9 from scapy.layers.l2 import Ether
10 from scapy.layers.inet import IP, TCP, UDP, ICMP
11 from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
12 from scapy.layers.inet6 import IPv6ExtHdrFragment
13 from framework import VppTestCase, VppTestRunner
14 from framework import tag_fixme_vpp_workers
15 from util import Host, ppp
16 from ipaddress import IPv4Network, IPv6Network
18 from vpp_lo_interface import VppLoInterface
19 from vpp_acl import AclRule, VppAcl, VppAclInterface, VppEtypeWhitelist
20 from vpp_ip import INVALID_INDEX
23 @tag_fixme_vpp_workers
24 class TestACLplugin(VppTestCase):
25 """ ACL plugin Test Case """
41 proto = [[6, 17], [1, 58]]
42 proto_map = {1: 'ICMP', 58: 'ICMPv6EchoRequest', 6: 'TCP', 17: 'UDP'}
54 udp_sport_to = udp_sport_from + 5
55 udp_dport_from = 20000
56 udp_dport_to = udp_dport_from + 5000
58 tcp_sport_to = tcp_sport_from + 5
59 tcp_dport_from = 40000
60 tcp_dport_to = tcp_dport_from + 5000
63 udp_sport_to_2 = udp_sport_from_2 + 5
64 udp_dport_from_2 = 30000
65 udp_dport_to_2 = udp_dport_from_2 + 5000
66 tcp_sport_from_2 = 130
67 tcp_sport_to_2 = tcp_sport_from_2 + 5
68 tcp_dport_from_2 = 20000
69 tcp_dport_to_2 = tcp_dport_from_2 + 5000
71 icmp4_type = 8 # echo request
73 icmp6_type = 128 # echo request
89 Perform standard class setup (defined by class method setUpClass in
90 class VppTestCase) before running the test case, set test case related
91 variables and configure VPP.
93 super(TestACLplugin, cls).setUpClass()
96 # Create 2 pg interfaces
97 cls.create_pg_interfaces(range(2))
99 # Packet flows mapping pg0 -> pg1, pg2 etc.
101 cls.flows[cls.pg0] = [cls.pg1]
104 cls.pg_if_packet_sizes = [64, 512, 1518, 9018]
106 # Create BD with MAC learning and unknown unicast flooding disabled
107 # and put interfaces to this BD
108 cls.vapi.bridge_domain_add_del(bd_id=cls.bd_id, uu_flood=1,
110 for pg_if in cls.pg_interfaces:
111 cls.vapi.sw_interface_set_l2_bridge(
112 rx_sw_if_index=pg_if.sw_if_index, bd_id=cls.bd_id)
114 # Set up all interfaces
115 for i in cls.pg_interfaces:
118 # Mapping between packet-generator index and lists of test hosts
119 cls.hosts_by_pg_idx = dict()
120 for pg_if in cls.pg_interfaces:
121 cls.hosts_by_pg_idx[pg_if.sw_if_index] = []
123 # Create list of deleted hosts
124 cls.deleted_hosts_by_pg_idx = dict()
125 for pg_if in cls.pg_interfaces:
126 cls.deleted_hosts_by_pg_idx[pg_if.sw_if_index] = []
128 # warm-up the mac address tables
132 n_int = len(cls.pg_interfaces)
133 macs_per_if = count // n_int
135 for pg_if in cls.pg_interfaces:
137 start_nr = macs_per_if * i + start
138 end_nr = count + start if i == (n_int - 1) \
139 else macs_per_if * (i + 1) + start
140 hosts = cls.hosts_by_pg_idx[pg_if.sw_if_index]
141 for j in range(int(start_nr), int(end_nr)):
143 "00:00:00:ff:%02x:%02x" % (pg_if.sw_if_index, j),
144 "172.17.1%02x.%u" % (pg_if.sw_if_index, j),
145 "2017:dead:%02x::%u" % (pg_if.sw_if_index, j))
149 super(TestACLplugin, cls).tearDownClass()
153 def tearDownClass(cls):
154 super(TestACLplugin, cls).tearDownClass()
157 super(TestACLplugin, self).setUp()
158 self.reset_packet_infos()
162 Show various debug prints after each test.
164 super(TestACLplugin, self).tearDown()
166 def show_commands_at_teardown(self):
167 cli = "show vlib graph l2-input-feat-arc"
168 self.logger.info(self.vapi.ppcli(cli))
169 cli = "show vlib graph l2-input-feat-arc-end"
170 self.logger.info(self.vapi.ppcli(cli))
171 cli = "show vlib graph l2-output-feat-arc"
172 self.logger.info(self.vapi.ppcli(cli))
173 cli = "show vlib graph l2-output-feat-arc-end"
174 self.logger.info(self.vapi.ppcli(cli))
175 self.logger.info(self.vapi.ppcli("show l2fib verbose"))
176 self.logger.info(self.vapi.ppcli("show acl-plugin acl"))
177 self.logger.info(self.vapi.ppcli("show acl-plugin interface"))
178 self.logger.info(self.vapi.ppcli("show acl-plugin tables"))
179 self.logger.info(self.vapi.ppcli("show bridge-domain %s detail"
182 def create_rule(self, ip=0, permit_deny=0, ports=PORTS_ALL, proto=-1,
186 src_prefix = IPv6Network((s_ip, s_prefix))
187 dst_prefix = IPv6Network((d_ip, d_prefix))
189 src_prefix = IPv4Network((s_ip, s_prefix))
190 dst_prefix = IPv4Network((d_ip, d_prefix))
191 return AclRule(is_permit=permit_deny, ports=ports, proto=proto,
192 src_prefix=src_prefix, dst_prefix=dst_prefix)
194 def apply_rules(self, rules, tag=None):
195 acl = VppAcl(self, rules, tag=tag)
197 self.logger.info("Dumped ACL: " + str(acl.dump()))
198 # Apply a ACL on the interface as inbound
199 for i in self.pg_interfaces:
200 acl_if = VppAclInterface(
201 self, sw_if_index=i.sw_if_index, n_input=1, acls=[acl])
202 acl_if.add_vpp_config()
205 def apply_rules_to(self, rules, tag=None, sw_if_index=INVALID_INDEX):
206 acl = VppAcl(self, rules, tag=tag)
208 self.logger.info("Dumped ACL: " + str(acl.dump()))
209 # Apply a ACL on the interface as inbound
210 acl_if = VppAclInterface(self, sw_if_index=sw_if_index, n_input=1,
214 def etype_whitelist(self, whitelist, n_input, add=True):
215 # Apply whitelists on all the interfaces
218 for i in self.pg_interfaces:
219 self._wl.append(VppEtypeWhitelist(
220 self, sw_if_index=i.sw_if_index, whitelist=whitelist,
221 n_input=n_input).add_vpp_config())
223 if hasattr(self, "_wl"):
225 wl.remove_vpp_config()
227 def create_upper_layer(self, packet_index, proto, ports=0):
228 p = self.proto_map[proto]
231 return UDP(sport=random.randint(self.udp_sport_from,
233 dport=random.randint(self.udp_dport_from,
236 return UDP(sport=ports, dport=ports)
239 return TCP(sport=random.randint(self.tcp_sport_from,
241 dport=random.randint(self.tcp_dport_from,
244 return TCP(sport=ports, dport=ports)
247 def create_stream(self, src_if, packet_sizes, traffic_type=0, ipv6=0,
248 proto=-1, ports=0, fragments=False,
249 pkt_raw=True, etype=-1):
251 Create input packet stream for defined interface using hosts or
254 :param object src_if: Interface to create packet stream for.
255 :param list packet_sizes: List of required packet sizes.
256 :param traffic_type: 1: ICMP packet, 2: IPv6 with EH, 0: otherwise.
257 :return: Stream of packets.
260 if self.flows.__contains__(src_if):
261 src_hosts = self.hosts_by_pg_idx[src_if.sw_if_index]
262 for dst_if in self.flows[src_if]:
263 dst_hosts = self.hosts_by_pg_idx[dst_if.sw_if_index]
264 n_int = len(dst_hosts) * len(src_hosts)
265 for i in range(0, n_int):
266 dst_host = dst_hosts[int(i / len(src_hosts))]
267 src_host = src_hosts[i % len(src_hosts)]
268 pkt_info = self.create_packet_info(src_if, dst_if)
274 pkt_info.ip = random.choice([0, 1])
276 pkt_info.proto = random.choice(self.proto[self.IP])
278 pkt_info.proto = proto
279 payload = self.info_to_payload(pkt_info)
280 p = Ether(dst=dst_host.mac, src=src_host.mac)
282 p = Ether(dst=dst_host.mac,
286 p /= IPv6(dst=dst_host.ip6, src=src_host.ip6)
288 p /= IPv6ExtHdrFragment(offset=64, m=1)
291 p /= IP(src=src_host.ip4, dst=dst_host.ip4,
294 p /= IP(src=src_host.ip4, dst=dst_host.ip4)
295 if traffic_type == self.ICMP:
297 p /= ICMPv6EchoRequest(type=self.icmp6_type,
298 code=self.icmp6_code)
300 p /= ICMP(type=self.icmp4_type,
301 code=self.icmp4_code)
303 p /= self.create_upper_layer(i, pkt_info.proto, ports)
306 pkt_info.data = p.copy()
308 size = random.choice(packet_sizes)
309 self.extend_packet(p, size)
313 def verify_capture(self, pg_if, capture,
314 traffic_type=0, ip_type=0, etype=-1):
316 Verify captured input packet stream for defined interface.
318 :param object pg_if: Interface to verify captured packet stream for.
319 :param list capture: Captured packet stream.
320 :param traffic_type: 1: ICMP packet, 2: IPv6 with EH, 0: otherwise.
323 for i in self.pg_interfaces:
324 last_info[i.sw_if_index] = None
325 dst_sw_if_index = pg_if.sw_if_index
326 for packet in capture:
328 if packet[Ether].type != etype:
329 self.logger.error(ppp("Unexpected ethertype in packet:",
334 # Raw data for ICMPv6 are stored in ICMPv6EchoRequest.data
335 if traffic_type == self.ICMP and ip_type == self.IPV6:
336 payload_info = self.payload_to_info(
337 packet[ICMPv6EchoRequest], 'data')
338 payload = packet[ICMPv6EchoRequest]
340 payload_info = self.payload_to_info(packet[Raw])
341 payload = packet[self.proto_map[payload_info.proto]]
343 self.logger.error(ppp("Unexpected or invalid packet "
344 "(outside network):", packet))
348 self.assertEqual(payload_info.ip, ip_type)
349 if traffic_type == self.ICMP:
351 if payload_info.ip == 0:
352 self.assertEqual(payload.type, self.icmp4_type)
353 self.assertEqual(payload.code, self.icmp4_code)
355 self.assertEqual(payload.type, self.icmp6_type)
356 self.assertEqual(payload.code, self.icmp6_code)
358 self.logger.error(ppp("Unexpected or invalid packet "
359 "(outside network):", packet))
363 ip_version = IPv6 if payload_info.ip == 1 else IP
365 ip = packet[ip_version]
366 packet_index = payload_info.index
368 self.assertEqual(payload_info.dst, dst_sw_if_index)
369 self.logger.debug("Got packet on port %s: src=%u (id=%u)" %
370 (pg_if.name, payload_info.src,
372 next_info = self.get_next_packet_info_for_interface2(
373 payload_info.src, dst_sw_if_index,
374 last_info[payload_info.src])
375 last_info[payload_info.src] = next_info
376 self.assertTrue(next_info is not None)
377 self.assertEqual(packet_index, next_info.index)
378 saved_packet = next_info.data
379 # Check standard fields
380 self.assertEqual(ip.src, saved_packet[ip_version].src)
381 self.assertEqual(ip.dst, saved_packet[ip_version].dst)
382 p = self.proto_map[payload_info.proto]
385 self.assertEqual(tcp.sport, saved_packet[
387 self.assertEqual(tcp.dport, saved_packet[
391 self.assertEqual(udp.sport, saved_packet[
393 self.assertEqual(udp.dport, saved_packet[
396 self.logger.error(ppp("Unexpected or invalid packet:",
399 for i in self.pg_interfaces:
400 remaining_packet = self.get_next_packet_info_for_interface2(
401 i, dst_sw_if_index, last_info[i.sw_if_index])
403 remaining_packet is None,
404 "Port %u: Packet expected from source %u didn't arrive" %
405 (dst_sw_if_index, i.sw_if_index))
407 def run_traffic_no_check(self):
409 # Create incoming packet streams for packet-generator interfaces
410 for i in self.pg_interfaces:
411 if self.flows.__contains__(i):
412 pkts = self.create_stream(i, self.pg_if_packet_sizes)
416 # Enable packet capture and start packet sending
417 self.pg_enable_capture(self.pg_interfaces)
420 def run_verify_test(self, traffic_type=0, ip_type=0, proto=-1, ports=0,
421 frags=False, pkt_raw=True, etype=-1):
423 # Create incoming packet streams for packet-generator interfaces
425 for i in self.pg_interfaces:
426 if self.flows.__contains__(i):
427 pkts = self.create_stream(i, self.pg_if_packet_sizes,
428 traffic_type, ip_type, proto, ports,
429 frags, pkt_raw, etype)
432 pkts_cnt += len(pkts)
434 # Enable packet capture and start packet sendingself.IPV
435 self.pg_enable_capture(self.pg_interfaces)
437 self.logger.info("sent packets count: %d" % pkts_cnt)
440 # Verify outgoing packet streams per packet-generator interface
441 for src_if in self.pg_interfaces:
442 if self.flows.__contains__(src_if):
443 for dst_if in self.flows[src_if]:
444 capture = dst_if.get_capture(pkts_cnt)
445 self.logger.info("Verifying capture on interface %s" %
447 self.verify_capture(dst_if, capture,
448 traffic_type, ip_type, etype)
450 def run_verify_negat_test(self, traffic_type=0, ip_type=0, proto=-1,
451 ports=0, frags=False, etype=-1):
454 self.reset_packet_infos()
455 for i in self.pg_interfaces:
456 if self.flows.__contains__(i):
457 pkts = self.create_stream(i, self.pg_if_packet_sizes,
458 traffic_type, ip_type, proto, ports,
462 pkts_cnt += len(pkts)
464 # Enable packet capture and start packet sending
465 self.pg_enable_capture(self.pg_interfaces)
467 self.logger.info("sent packets count: %d" % pkts_cnt)
470 # Verify outgoing packet streams per packet-generator interface
471 for src_if in self.pg_interfaces:
472 if self.flows.__contains__(src_if):
473 for dst_if in self.flows[src_if]:
474 self.logger.info("Verifying capture on interface %s" %
476 capture = dst_if.get_capture(0)
477 self.assertEqual(len(capture), 0)
479 def test_0000_warmup_test(self):
480 """ ACL plugin version check; learn MACs
482 reply = self.vapi.papi.acl_plugin_get_version()
483 self.assertEqual(reply.major, 1)
484 self.logger.info("Working with ACL plugin version: %d.%d" % (
485 reply.major, reply.minor))
486 # minor version changes are non breaking
487 # self.assertEqual(reply.minor, 0)
489 def test_0001_acl_create(self):
490 """ ACL create/delete test
493 self.logger.info("ACLP_TEST_START_0001")
494 # Create a permit-1234 ACL
495 r = [AclRule(is_permit=1, proto=17, ports=1234, sport_to=1235)]
496 # Test 1: add a new ACL
497 first_acl = VppAcl(self, rules=r, tag="permit 1234")
498 first_acl.add_vpp_config()
499 self.assertTrue(first_acl.query_vpp_config())
500 # The very first ACL gets #0
501 self.assertEqual(first_acl.acl_index, 0)
502 rr = first_acl.dump()
503 self.logger.info("Dumped ACL: " + str(rr))
504 self.assertEqual(len(rr), 1)
505 # We should have the same number of ACL entries as we had asked
506 self.assertEqual(len(rr[0].r), len(r))
507 # The rules should be the same. But because the submitted and returned
508 # are different types, we need to iterate over rules and keys to get
510 for i_rule in range(0, len(r) - 1):
511 encoded_rule = r[i_rule].encode()
512 for rule_key in encoded_rule:
513 self.assertEqual(rr[0].r[i_rule][rule_key],
514 encoded_rule[rule_key])
516 # Create a deny-1234 ACL
517 r_deny = [AclRule(is_permit=0, proto=17, ports=1234, sport_to=1235),
518 AclRule(is_permit=1, proto=17, ports=0)]
519 second_acl = VppAcl(self, rules=r_deny, tag="deny 1234;permit all")
520 second_acl.add_vpp_config()
521 self.assertTrue(second_acl.query_vpp_config())
522 # The second ACL gets #1
523 self.assertEqual(second_acl.acl_index, 1)
525 # Test 2: try to modify a nonexistent ACL
526 invalid_acl = VppAcl(self, acl_index=432, rules=r, tag="FFFF:FFFF")
527 reply = invalid_acl.add_vpp_config(expect_error=True)
529 # apply an ACL on an interface inbound, try to delete ACL, must fail
530 acl_if_list = VppAclInterface(
531 self, sw_if_index=self.pg0.sw_if_index, n_input=1,
533 acl_if_list.add_vpp_config()
534 first_acl.remove_vpp_config(expect_error=True)
535 # Unapply an ACL and then try to delete it - must be ok
536 acl_if_list.remove_vpp_config()
537 first_acl.remove_vpp_config()
539 # apply an ACL on an interface inbound, try to delete ACL, must fail
540 acl_if_list = VppAclInterface(
541 self, sw_if_index=self.pg0.sw_if_index, n_input=0,
543 acl_if_list.add_vpp_config()
544 second_acl.remove_vpp_config(expect_error=True)
545 # Unapply an ACL and then try to delete it - must be ok
546 acl_if_list.remove_vpp_config()
547 second_acl.remove_vpp_config()
549 # try to apply a nonexistent ACL - must fail
550 acl_if_list = VppAclInterface(
551 self, sw_if_index=self.pg0.sw_if_index, n_input=0,
553 acl_if_list.add_vpp_config(expect_error=True)
555 self.logger.info("ACLP_TEST_FINISH_0001")
557 def test_0002_acl_permit_apply(self):
558 """ permit ACL apply test
560 self.logger.info("ACLP_TEST_START_0002")
563 rules.append(self.create_rule(self.IPV4, self.PERMIT,
564 0, self.proto[self.IP][self.UDP]))
565 rules.append(self.create_rule(self.IPV4, self.PERMIT,
566 0, self.proto[self.IP][self.TCP]))
569 acl_idx = self.apply_rules(rules, "permit per-flow")
572 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
574 # Traffic should still pass
575 self.run_verify_test(self.IP, self.IPV4, -1)
577 matches = self.statistics.get_counter('/acl/%d/matches' % acl_idx)
578 self.logger.info("stat segment counters: %s" % repr(matches))
579 cli = "show acl-plugin acl"
580 self.logger.info(self.vapi.ppcli(cli))
581 cli = "show acl-plugin tables"
582 self.logger.info(self.vapi.ppcli(cli))
584 total_hits = matches[0][0]['packets'] + matches[0][1]['packets']
585 self.assertEqual(total_hits, 64)
588 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=0)
590 self.logger.info("ACLP_TEST_FINISH_0002")
592 def test_0003_acl_deny_apply(self):
593 """ deny ACL apply test
595 self.logger.info("ACLP_TEST_START_0003")
596 # Add a deny-flows ACL
598 rules.append(self.create_rule(
599 self.IPV4, self.DENY, self.PORTS_ALL,
600 self.proto[self.IP][self.UDP]))
601 # Permit ip any any in the end
602 rules.append(self.create_rule(self.IPV4, self.PERMIT,
606 acl_idx = self.apply_rules(rules, "deny per-flow;permit all")
609 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
611 # Traffic should not pass
612 self.run_verify_negat_test(self.IP, self.IPV4,
613 self.proto[self.IP][self.UDP])
615 matches = self.statistics.get_counter('/acl/%d/matches' % acl_idx)
616 self.logger.info("stat segment counters: %s" % repr(matches))
617 cli = "show acl-plugin acl"
618 self.logger.info(self.vapi.ppcli(cli))
619 cli = "show acl-plugin tables"
620 self.logger.info(self.vapi.ppcli(cli))
621 self.assertEqual(matches[0][0]['packets'], 64)
623 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=0)
624 self.logger.info("ACLP_TEST_FINISH_0003")
625 # self.assertEqual(, 0)
627 def test_0004_vpp624_permit_icmpv4(self):
628 """ VPP_624 permit ICMPv4
630 self.logger.info("ACLP_TEST_START_0004")
634 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
635 self.proto[self.ICMP][self.ICMPv4]))
636 # deny ip any any in the end
637 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
640 self.apply_rules(rules, "permit icmpv4")
642 # Traffic should still pass
643 self.run_verify_test(self.ICMP, self.IPV4,
644 self.proto[self.ICMP][self.ICMPv4])
646 self.logger.info("ACLP_TEST_FINISH_0004")
648 def test_0005_vpp624_permit_icmpv6(self):
649 """ VPP_624 permit ICMPv6
651 self.logger.info("ACLP_TEST_START_0005")
655 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_RANGE,
656 self.proto[self.ICMP][self.ICMPv6]))
657 # deny ip any any in the end
658 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
661 self.apply_rules(rules, "permit icmpv6")
663 # Traffic should still pass
664 self.run_verify_test(self.ICMP, self.IPV6,
665 self.proto[self.ICMP][self.ICMPv6])
667 self.logger.info("ACLP_TEST_FINISH_0005")
669 def test_0006_vpp624_deny_icmpv4(self):
670 """ VPP_624 deny ICMPv4
672 self.logger.info("ACLP_TEST_START_0006")
675 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE,
676 self.proto[self.ICMP][self.ICMPv4]))
677 # permit ip any any in the end
678 rules.append(self.create_rule(self.IPV4, self.PERMIT,
682 self.apply_rules(rules, "deny icmpv4")
684 # Traffic should not pass
685 self.run_verify_negat_test(self.ICMP, self.IPV4, 0)
687 self.logger.info("ACLP_TEST_FINISH_0006")
689 def test_0007_vpp624_deny_icmpv6(self):
690 """ VPP_624 deny ICMPv6
692 self.logger.info("ACLP_TEST_START_0007")
695 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE,
696 self.proto[self.ICMP][self.ICMPv6]))
697 # deny ip any any in the end
698 rules.append(self.create_rule(self.IPV6, self.PERMIT,
702 self.apply_rules(rules, "deny icmpv6")
704 # Traffic should not pass
705 self.run_verify_negat_test(self.ICMP, self.IPV6, 0)
707 self.logger.info("ACLP_TEST_FINISH_0007")
709 def test_0008_tcp_permit_v4(self):
712 self.logger.info("ACLP_TEST_START_0008")
716 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
717 self.proto[self.IP][self.TCP]))
718 # deny ip any any in the end
719 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
722 self.apply_rules(rules, "permit ipv4 tcp")
724 # Traffic should still pass
725 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
727 self.logger.info("ACLP_TEST_FINISH_0008")
729 def test_0009_tcp_permit_v6(self):
732 self.logger.info("ACLP_TEST_START_0009")
736 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_RANGE,
737 self.proto[self.IP][self.TCP]))
738 # deny ip any any in the end
739 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
742 self.apply_rules(rules, "permit ip6 tcp")
744 # Traffic should still pass
745 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
747 self.logger.info("ACLP_TEST_FINISH_0008")
749 def test_0010_udp_permit_v4(self):
752 self.logger.info("ACLP_TEST_START_0010")
756 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
757 self.proto[self.IP][self.UDP]))
758 # deny ip any any in the end
759 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
762 self.apply_rules(rules, "permit ipv udp")
764 # Traffic should still pass
765 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
767 self.logger.info("ACLP_TEST_FINISH_0010")
769 def test_0011_udp_permit_v6(self):
772 self.logger.info("ACLP_TEST_START_0011")
776 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_RANGE,
777 self.proto[self.IP][self.UDP]))
778 # deny ip any any in the end
779 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
782 self.apply_rules(rules, "permit ip6 udp")
784 # Traffic should still pass
785 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
787 self.logger.info("ACLP_TEST_FINISH_0011")
789 def test_0012_tcp_deny(self):
792 self.logger.info("ACLP_TEST_START_0012")
796 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE,
797 self.proto[self.IP][self.TCP]))
798 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE,
799 self.proto[self.IP][self.TCP]))
800 # permit ip any any in the end
801 rules.append(self.create_rule(self.IPV4, self.PERMIT,
803 rules.append(self.create_rule(self.IPV6, self.PERMIT,
807 self.apply_rules(rules, "deny ip4/ip6 tcp")
809 # Traffic should not pass
810 self.run_verify_negat_test(self.IP, self.IPRANDOM,
811 self.proto[self.IP][self.TCP])
813 self.logger.info("ACLP_TEST_FINISH_0012")
815 def test_0013_udp_deny(self):
818 self.logger.info("ACLP_TEST_START_0013")
822 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE,
823 self.proto[self.IP][self.UDP]))
824 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE,
825 self.proto[self.IP][self.UDP]))
826 # permit ip any any in the end
827 rules.append(self.create_rule(self.IPV4, self.PERMIT,
829 rules.append(self.create_rule(self.IPV6, self.PERMIT,
833 self.apply_rules(rules, "deny ip4/ip6 udp")
835 # Traffic should not pass
836 self.run_verify_negat_test(self.IP, self.IPRANDOM,
837 self.proto[self.IP][self.UDP])
839 self.logger.info("ACLP_TEST_FINISH_0013")
841 def test_0014_acl_dump(self):
842 """ verify add/dump acls
844 self.logger.info("ACLP_TEST_START_0014")
846 r = [[self.IPV4, self.PERMIT, 1234, self.proto[self.IP][self.TCP]],
847 [self.IPV4, self.PERMIT, 2345, self.proto[self.IP][self.UDP]],
848 [self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.TCP]],
849 [self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.UDP]],
850 [self.IPV4, self.PERMIT, 5, self.proto[self.ICMP][self.ICMPv4]],
851 [self.IPV6, self.PERMIT, 4321, self.proto[self.IP][self.TCP]],
852 [self.IPV6, self.PERMIT, 5432, self.proto[self.IP][self.UDP]],
853 [self.IPV6, self.PERMIT, 0, self.proto[self.IP][self.TCP]],
854 [self.IPV6, self.PERMIT, 0, self.proto[self.IP][self.UDP]],
855 [self.IPV6, self.PERMIT, 6, self.proto[self.ICMP][self.ICMPv6]],
856 [self.IPV4, self.DENY, self.PORTS_ALL, 0],
857 [self.IPV4, self.DENY, 1234, self.proto[self.IP][self.TCP]],
858 [self.IPV4, self.DENY, 2345, self.proto[self.IP][self.UDP]],
859 [self.IPV4, self.DENY, 5, self.proto[self.ICMP][self.ICMPv4]],
860 [self.IPV6, self.DENY, 4321, self.proto[self.IP][self.TCP]],
861 [self.IPV6, self.DENY, 5432, self.proto[self.IP][self.UDP]],
862 [self.IPV6, self.DENY, 6, self.proto[self.ICMP][self.ICMPv6]],
863 [self.IPV6, self.DENY, self.PORTS_ALL, 0]
866 # Add and verify new ACLs
868 for i in range(len(r)):
869 rules.append(self.create_rule(r[i][0], r[i][1], r[i][2], r[i][3]))
871 acl = VppAcl(self, rules=rules)
876 for drules in result:
878 self.assertEqual(dr.is_permit, r[i][1])
879 self.assertEqual(dr.proto, r[i][3])
882 self.assertEqual(dr.srcport_or_icmptype_first, r[i][2])
885 self.assertEqual(dr.srcport_or_icmptype_first, 0)
886 self.assertEqual(dr.srcport_or_icmptype_last, 65535)
888 if dr.proto == self.proto[self.IP][self.TCP]:
889 self.assertGreater(dr.srcport_or_icmptype_first,
890 self.tcp_sport_from-1)
891 self.assertLess(dr.srcport_or_icmptype_first,
893 self.assertGreater(dr.dstport_or_icmpcode_last,
894 self.tcp_dport_from-1)
895 self.assertLess(dr.dstport_or_icmpcode_last,
897 elif dr.proto == self.proto[self.IP][self.UDP]:
898 self.assertGreater(dr.srcport_or_icmptype_first,
899 self.udp_sport_from-1)
900 self.assertLess(dr.srcport_or_icmptype_first,
902 self.assertGreater(dr.dstport_or_icmpcode_last,
903 self.udp_dport_from-1)
904 self.assertLess(dr.dstport_or_icmpcode_last,
908 self.logger.info("ACLP_TEST_FINISH_0014")
910 def test_0015_tcp_permit_port_v4(self):
911 """ permit single TCPv4
913 self.logger.info("ACLP_TEST_START_0015")
915 port = random.randint(16384, 65535)
918 rules.append(self.create_rule(self.IPV4, self.PERMIT, port,
919 self.proto[self.IP][self.TCP]))
920 # deny ip any any in the end
921 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
924 self.apply_rules(rules, "permit ip4 tcp %d" % port)
926 # Traffic should still pass
927 self.run_verify_test(self.IP, self.IPV4,
928 self.proto[self.IP][self.TCP], port)
930 self.logger.info("ACLP_TEST_FINISH_0015")
932 def test_0016_udp_permit_port_v4(self):
933 """ permit single UDPv4
935 self.logger.info("ACLP_TEST_START_0016")
937 port = random.randint(16384, 65535)
940 rules.append(self.create_rule(self.IPV4, self.PERMIT, port,
941 self.proto[self.IP][self.UDP]))
942 # deny ip any any in the end
943 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
946 self.apply_rules(rules, "permit ip4 tcp %d" % port)
948 # Traffic should still pass
949 self.run_verify_test(self.IP, self.IPV4,
950 self.proto[self.IP][self.UDP], port)
952 self.logger.info("ACLP_TEST_FINISH_0016")
954 def test_0017_tcp_permit_port_v6(self):
955 """ permit single TCPv6
957 self.logger.info("ACLP_TEST_START_0017")
959 port = random.randint(16384, 65535)
962 rules.append(self.create_rule(self.IPV6, self.PERMIT, port,
963 self.proto[self.IP][self.TCP]))
964 # deny ip any any in the end
965 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
968 self.apply_rules(rules, "permit ip4 tcp %d" % port)
970 # Traffic should still pass
971 self.run_verify_test(self.IP, self.IPV6,
972 self.proto[self.IP][self.TCP], port)
974 self.logger.info("ACLP_TEST_FINISH_0017")
976 def test_0018_udp_permit_port_v6(self):
977 """ permit single UDPv6
979 self.logger.info("ACLP_TEST_START_0018")
981 port = random.randint(16384, 65535)
984 rules.append(self.create_rule(self.IPV6, self.PERMIT, port,
985 self.proto[self.IP][self.UDP]))
986 # deny ip any any in the end
987 rules.append(self.create_rule(self.IPV6, self.DENY,
991 self.apply_rules(rules, "permit ip4 tcp %d" % port)
993 # Traffic should still pass
994 self.run_verify_test(self.IP, self.IPV6,
995 self.proto[self.IP][self.UDP], port)
997 self.logger.info("ACLP_TEST_FINISH_0018")
999 def test_0019_udp_deny_port(self):
1000 """ deny single TCPv4/v6
1002 self.logger.info("ACLP_TEST_START_0019")
1004 port = random.randint(16384, 65535)
1007 rules.append(self.create_rule(self.IPV4, self.DENY, port,
1008 self.proto[self.IP][self.TCP]))
1009 rules.append(self.create_rule(self.IPV6, self.DENY, port,
1010 self.proto[self.IP][self.TCP]))
1011 # Permit ip any any in the end
1012 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1014 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1018 self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
1020 # Traffic should not pass
1021 self.run_verify_negat_test(self.IP, self.IPRANDOM,
1022 self.proto[self.IP][self.TCP], port)
1024 self.logger.info("ACLP_TEST_FINISH_0019")
1026 def test_0020_udp_deny_port(self):
1027 """ deny single UDPv4/v6
1029 self.logger.info("ACLP_TEST_START_0020")
1031 port = random.randint(16384, 65535)
1034 rules.append(self.create_rule(self.IPV4, self.DENY, port,
1035 self.proto[self.IP][self.UDP]))
1036 rules.append(self.create_rule(self.IPV6, self.DENY, port,
1037 self.proto[self.IP][self.UDP]))
1038 # Permit ip any any in the end
1039 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1041 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1045 self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
1047 # Traffic should not pass
1048 self.run_verify_negat_test(self.IP, self.IPRANDOM,
1049 self.proto[self.IP][self.UDP], port)
1051 self.logger.info("ACLP_TEST_FINISH_0020")
1053 def test_0021_udp_deny_port_verify_fragment_deny(self):
1054 """ deny single UDPv4/v6, permit ip any, verify non-initial fragment
1057 self.logger.info("ACLP_TEST_START_0021")
1059 port = random.randint(16384, 65535)
1062 rules.append(self.create_rule(self.IPV4, self.DENY, port,
1063 self.proto[self.IP][self.UDP]))
1064 rules.append(self.create_rule(self.IPV6, self.DENY, port,
1065 self.proto[self.IP][self.UDP]))
1066 # deny ip any any in the end
1067 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1069 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1073 self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
1075 # Traffic should not pass
1076 self.run_verify_negat_test(self.IP, self.IPRANDOM,
1077 self.proto[self.IP][self.UDP], port, True)
1079 self.logger.info("ACLP_TEST_FINISH_0021")
1081 def test_0022_zero_length_udp_ipv4(self):
1082 """ VPP-687 zero length udp ipv4 packet"""
1083 self.logger.info("ACLP_TEST_START_0022")
1085 port = random.randint(16384, 65535)
1088 rules.append(self.create_rule(self.IPV4, self.PERMIT, port,
1089 self.proto[self.IP][self.UDP]))
1090 # deny ip any any in the end
1092 self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1095 self.apply_rules(rules, "permit empty udp ip4 %d" % port)
1097 # Traffic should still pass
1098 # Create incoming packet streams for packet-generator interfaces
1100 pkts = self.create_stream(self.pg0, self.pg_if_packet_sizes,
1102 self.proto[self.IP][self.UDP], port,
1105 self.pg0.add_stream(pkts)
1106 pkts_cnt += len(pkts)
1108 # Enable packet capture and start packet sendingself.IPV
1109 self.pg_enable_capture(self.pg_interfaces)
1112 self.pg1.get_capture(pkts_cnt)
1114 self.logger.info("ACLP_TEST_FINISH_0022")
1116 def test_0023_zero_length_udp_ipv6(self):
1117 """ VPP-687 zero length udp ipv6 packet"""
1118 self.logger.info("ACLP_TEST_START_0023")
1120 port = random.randint(16384, 65535)
1123 rules.append(self.create_rule(self.IPV6, self.PERMIT, port,
1124 self.proto[self.IP][self.UDP]))
1125 # deny ip any any in the end
1126 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1129 self.apply_rules(rules, "permit empty udp ip6 %d" % port)
1131 # Traffic should still pass
1132 # Create incoming packet streams for packet-generator interfaces
1134 pkts = self.create_stream(self.pg0, self.pg_if_packet_sizes,
1136 self.proto[self.IP][self.UDP], port,
1139 self.pg0.add_stream(pkts)
1140 pkts_cnt += len(pkts)
1142 # Enable packet capture and start packet sendingself.IPV
1143 self.pg_enable_capture(self.pg_interfaces)
1146 # Verify outgoing packet streams per packet-generator interface
1147 self.pg1.get_capture(pkts_cnt)
1149 self.logger.info("ACLP_TEST_FINISH_0023")
1151 def test_0108_tcp_permit_v4(self):
1152 """ permit TCPv4 + non-match range
1154 self.logger.info("ACLP_TEST_START_0108")
1158 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1159 self.proto[self.IP][self.TCP]))
1160 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1161 self.proto[self.IP][self.TCP]))
1162 # deny ip any any in the end
1163 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1166 self.apply_rules(rules, "permit ipv4 tcp")
1168 # Traffic should still pass
1169 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
1171 self.logger.info("ACLP_TEST_FINISH_0108")
1173 def test_0109_tcp_permit_v6(self):
1174 """ permit TCPv6 + non-match range
1176 self.logger.info("ACLP_TEST_START_0109")
1180 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE_2,
1181 self.proto[self.IP][self.TCP]))
1182 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_RANGE,
1183 self.proto[self.IP][self.TCP]))
1184 # deny ip any any in the end
1185 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1188 self.apply_rules(rules, "permit ip6 tcp")
1190 # Traffic should still pass
1191 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
1193 self.logger.info("ACLP_TEST_FINISH_0109")
1195 def test_0110_udp_permit_v4(self):
1196 """ permit UDPv4 + non-match range
1198 self.logger.info("ACLP_TEST_START_0110")
1202 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1203 self.proto[self.IP][self.UDP]))
1204 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1205 self.proto[self.IP][self.UDP]))
1206 # deny ip any any in the end
1207 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1210 self.apply_rules(rules, "permit ipv4 udp")
1212 # Traffic should still pass
1213 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
1215 self.logger.info("ACLP_TEST_FINISH_0110")
1217 def test_0111_udp_permit_v6(self):
1218 """ permit UDPv6 + non-match range
1220 self.logger.info("ACLP_TEST_START_0111")
1224 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE_2,
1225 self.proto[self.IP][self.UDP]))
1226 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_RANGE,
1227 self.proto[self.IP][self.UDP]))
1228 # deny ip any any in the end
1229 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1232 self.apply_rules(rules, "permit ip6 udp")
1234 # Traffic should still pass
1235 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
1237 self.logger.info("ACLP_TEST_FINISH_0111")
1239 def test_0112_tcp_deny(self):
1240 """ deny TCPv4/v6 + non-match range
1242 self.logger.info("ACLP_TEST_START_0112")
1246 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1248 self.proto[self.IP][self.TCP]))
1249 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1251 self.proto[self.IP][self.TCP]))
1252 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE,
1253 self.proto[self.IP][self.TCP]))
1254 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE,
1255 self.proto[self.IP][self.TCP]))
1256 # permit ip any any in the end
1257 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1259 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1263 self.apply_rules(rules, "deny ip4/ip6 tcp")
1265 # Traffic should not pass
1266 self.run_verify_negat_test(self.IP, self.IPRANDOM,
1267 self.proto[self.IP][self.TCP])
1269 self.logger.info("ACLP_TEST_FINISH_0112")
1271 def test_0113_udp_deny(self):
1272 """ deny UDPv4/v6 + non-match range
1274 self.logger.info("ACLP_TEST_START_0113")
1278 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1280 self.proto[self.IP][self.UDP]))
1281 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1283 self.proto[self.IP][self.UDP]))
1284 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE,
1285 self.proto[self.IP][self.UDP]))
1286 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE,
1287 self.proto[self.IP][self.UDP]))
1288 # permit ip any any in the end
1289 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1291 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1295 self.apply_rules(rules, "deny ip4/ip6 udp")
1297 # Traffic should not pass
1298 self.run_verify_negat_test(self.IP, self.IPRANDOM,
1299 self.proto[self.IP][self.UDP])
1301 self.logger.info("ACLP_TEST_FINISH_0113")
1303 def test_0300_tcp_permit_v4_etype_aaaa(self):
1304 """ permit TCPv4, send 0xAAAA etype
1306 self.logger.info("ACLP_TEST_START_0300")
1310 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1311 self.proto[self.IP][self.TCP]))
1312 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1313 self.proto[self.IP][self.TCP]))
1314 # deny ip any any in the end
1315 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1318 self.apply_rules(rules, "permit ipv4 tcp")
1320 # Traffic should still pass also for an odd ethertype
1321 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
1322 0, False, True, 0xaaaa)
1323 self.logger.info("ACLP_TEST_FINISH_0300")
1325 def test_0305_tcp_permit_v4_etype_blacklist_aaaa(self):
1326 """ permit TCPv4, whitelist 0x0BBB ethertype, send 0xAAAA-blocked
1328 self.logger.info("ACLP_TEST_START_0305")
1332 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1333 self.proto[self.IP][self.TCP]))
1334 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1335 self.proto[self.IP][self.TCP]))
1336 # deny ip any any in the end
1337 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1340 self.apply_rules(rules, "permit ipv4 tcp")
1341 # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
1342 self.etype_whitelist([0xbbb], 1)
1344 # The oddball ethertype should be blocked
1345 self.run_verify_negat_test(self.IP, self.IPV4,
1346 self.proto[self.IP][self.TCP],
1349 # remove the whitelist
1350 self.etype_whitelist([], 0, add=False)
1352 self.logger.info("ACLP_TEST_FINISH_0305")
1354 def test_0306_tcp_permit_v4_etype_blacklist_aaaa(self):
1355 """ permit TCPv4, whitelist 0x0BBB ethertype, send 0x0BBB - pass
1357 self.logger.info("ACLP_TEST_START_0306")
1361 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1362 self.proto[self.IP][self.TCP]))
1363 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1364 self.proto[self.IP][self.TCP]))
1365 # deny ip any any in the end
1366 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1369 self.apply_rules(rules, "permit ipv4 tcp")
1370 # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
1371 self.etype_whitelist([0xbbb], 1)
1373 # The whitelisted traffic, should pass
1374 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
1375 0, False, True, 0x0bbb)
1377 # remove the whitelist, the previously blocked 0xAAAA should pass now
1378 self.etype_whitelist([], 0, add=False)
1380 self.logger.info("ACLP_TEST_FINISH_0306")
1382 def test_0307_tcp_permit_v4_etype_blacklist_aaaa(self):
1383 """ permit TCPv4, whitelist 0x0BBB, remove, send 0xAAAA - pass
1385 self.logger.info("ACLP_TEST_START_0307")
1389 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1390 self.proto[self.IP][self.TCP]))
1391 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1392 self.proto[self.IP][self.TCP]))
1393 # deny ip any any in the end
1394 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1397 self.apply_rules(rules, "permit ipv4 tcp")
1399 # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
1400 self.etype_whitelist([0xbbb], 1)
1401 # remove the whitelist, the previously blocked 0xAAAA should pass now
1402 self.etype_whitelist([], 0, add=False)
1404 # The whitelisted traffic, should pass
1405 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
1406 0, False, True, 0xaaaa)
1408 self.logger.info("ACLP_TEST_FINISH_0306")
1410 def test_0315_del_intf(self):
1411 """ apply an acl and delete the interface
1413 self.logger.info("ACLP_TEST_START_0315")
1417 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1418 self.proto[self.IP][self.TCP]))
1419 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1420 self.proto[self.IP][self.TCP]))
1421 # deny ip any any in the end
1422 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1424 # create an interface
1426 intf.append(VppLoInterface(self))
1429 self.apply_rules_to(rules, "permit ipv4 tcp", intf[0].sw_if_index)
1431 # Remove the interface
1432 intf[0].remove_vpp_config()
1434 self.logger.info("ACLP_TEST_FINISH_0315")
1437 if __name__ == '__main__':
1438 unittest.main(testRunner=VppTestRunner)