2 """ACL IRB Test Case HLD:
5 - L2 MAC learning enabled in l2bd
6 - 2 routed interfaces untagged, bvi (Bridge Virtual Interface)
7 - 2 bridged interfaces in l2bd with bvi
10 - sending ip4 eth pkts between routed interfaces
12 - 2 bridged interfaces
14 - 64B, 512B, 1518B, 9200B (ether_size)
16 - burst of pkts per interface
18 - routed pkts hitting different FIB entries
19 - bridged pkts hitting different MAC entries
22 - all packets received correctly
28 from socket import inet_pton, AF_INET, AF_INET6
29 from random import choice, shuffle
30 from pprint import pprint
31 from ipaddress import ip_network
34 from scapy.packet import Raw
35 from scapy.layers.l2 import Ether
36 from scapy.layers.inet import IP, UDP, ICMP, TCP
37 from scapy.layers.inet6 import IPv6, ICMPv6Unknown, ICMPv6EchoRequest
38 from scapy.layers.inet6 import ICMPv6EchoReply, IPv6ExtHdrRouting
39 from scapy.layers.inet6 import IPv6ExtHdrFragment
41 from framework import VppTestCase, VppTestRunner
42 from vpp_l2 import L2_PORT_TYPE
45 from vpp_acl import AclRule, VppAcl, VppAclInterface
48 class TestACLpluginL2L3(VppTestCase):
49 """TestACLpluginL2L3 Test Case"""
54 #. Create BD with MAC learning enabled and put interfaces to this BD.
55 #. Configure IPv4 addresses on loopback interface and routed interface.
56 #. Configure MAC address binding to IPv4 neighbors on loop0.
57 #. Configure MAC address on pg2.
58 #. Loopback BVI interface has remote hosts, one half of hosts are
59 behind pg0 second behind pg1.
61 super(TestACLpluginL2L3, cls).setUpClass()
63 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
65 cls.remote_hosts_count = 250
67 # create 3 pg interfaces, 1 loopback interface
68 cls.create_pg_interfaces(range(3))
69 cls.create_loopback_interfaces(1)
71 cls.interfaces = list(cls.pg_interfaces)
72 cls.interfaces.extend(cls.lo_interfaces)
74 for i in cls.interfaces:
77 # Create BD with MAC learning enabled and put interfaces to this BD
78 cls.vapi.sw_interface_set_l2_bridge(
79 rx_sw_if_index=cls.loop0.sw_if_index,
81 port_type=L2_PORT_TYPE.BVI,
83 cls.vapi.sw_interface_set_l2_bridge(
84 rx_sw_if_index=cls.pg0.sw_if_index, bd_id=cls.bd_id
86 cls.vapi.sw_interface_set_l2_bridge(
87 rx_sw_if_index=cls.pg1.sw_if_index, bd_id=cls.bd_id
90 # Configure IPv4 addresses on loopback interface and routed interface
91 cls.loop0.config_ip4()
92 cls.loop0.config_ip6()
96 # Configure MAC address binding to IPv4 neighbors on loop0
97 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
98 cls.loop0.configure_ipv4_neighbors()
99 cls.loop0.configure_ipv6_neighbors()
100 # configure MAC address on pg2
101 cls.pg2.resolve_arp()
102 cls.pg2.resolve_ndp()
104 cls.WITHOUT_EH = False
106 cls.STATELESS_ICMP = False
107 cls.STATEFUL_ICMP = True
109 # Loopback BVI interface has remote hosts, one half of hosts are behind
110 # pg0 second behind pg1
111 half = cls.remote_hosts_count // 2
112 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:half]
113 cls.pg1.remote_hosts = cls.loop0.remote_hosts[half:]
114 reply = cls.vapi.papi.acl_stats_intf_counters_enable(enable=1)
117 def tearDownClass(cls):
118 reply = cls.vapi.papi.acl_stats_intf_counters_enable(enable=0)
119 super(TestACLpluginL2L3, cls).tearDownClass()
122 """Run standard test teardown and log ``show l2patch``,
123 ``show l2fib verbose``,``show bridge-domain <bd_id> detail``,
124 ``show ip neighbors``.
126 super(TestACLpluginL2L3, self).tearDown()
128 def show_commands_at_teardown(self):
129 self.logger.info(self.vapi.cli("show l2patch"))
130 self.logger.info(self.vapi.cli("show classify tables"))
131 self.logger.info(self.vapi.cli("show l2fib verbose"))
132 self.logger.info(self.vapi.cli("show bridge-domain %s detail" % self.bd_id))
133 self.logger.info(self.vapi.cli("show ip neighbors"))
134 cmd = "show acl-plugin sessions verbose 1"
135 self.logger.info(self.vapi.cli(cmd))
136 self.logger.info(self.vapi.cli("show acl-plugin acl"))
137 self.logger.info(self.vapi.cli("show acl-plugin interface"))
138 self.logger.info(self.vapi.cli("show acl-plugin tables"))
149 add_extension_header,
155 permit_and_reflect_rules = []
156 total_packet_count = 8
157 for i in range(0, total_packet_count):
158 modulo = (i // 2) % 2
159 icmp_type_delta = i % 2
161 is_udp_packet = modulo == 0
162 if is_udp_packet and icmp_stateful:
164 is_reflectable_icmp = (
165 icmp_stateful and icmp_type_delta == 0 and not is_udp_packet
167 is_reflected_icmp = is_reflectable_icmp and expect_established
168 can_reflect_this_packet = is_udp_packet or is_reflectable_icmp
170 remote_dst_index = i % len(dst_ip_if.remote_hosts)
171 remote_dst_host = dst_ip_if.remote_hosts[remote_dst_index]
173 info = self.create_packet_info(src_ip_if, dst_ip_if)
174 payload = self.info_to_payload(info)
176 to_be_blocked = False
177 if expect_blocked and not expect_established:
179 if not can_reflect_this_packet:
182 payload = "to be blocked"
184 info = self.create_packet_info(src_ip_if, dst_ip_if)
185 payload = self.info_to_payload(info)
187 dst_mac = "de:ad:00:00:00:00"
188 src_mac = remote_dst_host._mac
189 dst_ip6 = src_ip_if.remote_ip6
190 src_ip6 = remote_dst_host.ip6
191 dst_ip4 = src_ip_if.remote_ip4
192 src_ip4 = remote_dst_host.ip4
196 dst_mac = src_ip_if.local_mac
197 src_mac = src_ip_if.remote_mac
198 src_ip6 = src_ip_if.remote_ip6
199 dst_ip6 = remote_dst_host.ip6
200 src_ip4 = src_ip_if.remote_ip4
201 dst_ip4 = remote_dst_host.ip4
204 if is_reflected_icmp:
207 # default ULP should be something we do not use in tests
208 ulp_l4 = TCP(sport=src_l4, dport=dst_l4)
209 # potentially a chain of protocols leading to ULP
214 ulp_l4 = UDP(sport=src_l4, dport=dst_l4)
215 if add_extension_header:
216 # prepend some extension headers
219 / IPv6ExtHdrRouting()
220 / IPv6ExtHdrFragment(offset=0, m=1)
223 # uncomment below to test invalid ones
224 # ulp = IPv6ExtHdrRouting(len = 200) / ulp_l4
228 Ether(dst=dst_mac, src=src_mac)
229 / IPv6(src=src_ip6, dst=dst_ip6)
234 ulp_l4 = UDP(sport=src_l4, dport=dst_l4)
235 # IPv4 does not allow extension headers,
236 # but we rather make it a first fragment
237 flags = 1 if add_extension_header else 0
240 Ether(dst=dst_mac, src=src_mac)
241 / IP(src=src_ip4, dst=dst_ip4, frag=0, flags=flags)
247 ulp_l4 = ICMPv6Unknown(type=128 + icmp_type_delta, code=icmp_code)
250 Ether(dst=dst_mac, src=src_mac)
251 / IPv6(src=src_ip6, dst=dst_ip6)
256 ulp_l4 = ICMP(type=8 - 8 * icmp_type_delta, code=icmp_code)
259 Ether(dst=dst_mac, src=src_mac)
260 / IP(src=src_ip4, dst=dst_ip4)
267 size = packet_sizes[(i // 2) % len(packet_sizes)]
268 self.extend_packet(p, size)
271 rule_family = AF_INET6 if p.haslayer(IPv6) else AF_INET
272 rule_prefix_len = 128 if p.haslayer(IPv6) else 32
273 rule_l3_layer = IPv6 if p.haslayer(IPv6) else IP
276 rule_l4_sport = p[UDP].sport
277 rule_l4_dport = p[UDP].dport
280 rule_l4_sport = p[ICMP].type
281 rule_l4_dport = p[ICMP].code
283 rule_l4_sport = p[ICMPv6Unknown].type
284 rule_l4_dport = p[ICMPv6Unknown].code
286 rule_l4_proto = ulp_l4.overload_fields[IPv6]["nh"]
288 rule_l4_proto = p[IP].proto
293 src_prefix=ip_network((p[rule_l3_layer].src, rule_prefix_len)),
294 dst_prefix=ip_network((p[rule_l3_layer].dst, rule_prefix_len)),
295 sport_from=rule_l4_sport,
296 sport_to=rule_l4_sport,
297 dport_from=rule_l4_dport,
298 dport_to=rule_l4_dport,
301 rules.append(new_rule)
302 new_rule_permit = copy.copy(new_rule)
303 new_rule_permit.is_permit = 1
304 permit_rules.append(new_rule_permit)
306 new_rule_permit_and_reflect = copy.copy(new_rule)
307 if can_reflect_this_packet:
308 new_rule_permit_and_reflect.is_permit = 2
310 new_rule_permit_and_reflect.is_permit = is_permit
312 permit_and_reflect_rules.append(new_rule_permit_and_reflect)
313 self.logger.info("create_stream pkt#%d: %s" % (i, payload))
318 "permit_rules": permit_rules,
319 "permit_and_reflect_rules": permit_and_reflect_rules,
322 def verify_capture(self, dst_ip_if, src_ip_if, capture, reverse):
324 for i in self.interfaces:
325 last_info[i.sw_if_index] = None
327 dst_ip_sw_if_index = dst_ip_if.sw_if_index
329 for packet in capture:
330 l3 = IP if packet.haslayer(IP) else IPv6
332 if packet.haslayer(UDP):
335 if packet.haslayer(ICMP):
340 # Scapy IPv6 stuff is too smart for its own good.
341 # So we do this and coerce the ICMP into unknown type
342 if packet.haslayer(UDP):
343 data = scapy.compat.raw(packet[UDP][Raw])
346 data = scapy.compat.raw(
347 ICMP(scapy.compat.raw(packet[l3].payload))[Raw]
350 data = scapy.compat.raw(
351 ICMPv6Unknown(scapy.compat.raw(packet[l3].payload)).msgbody
353 udp_or_icmp = packet[l3].payload
355 # FIXME: make framework believe we are on object
356 payload_info = self.payload_to_info(data_obj)
357 packet_index = payload_info.index
359 self.assertEqual(payload_info.dst, dst_ip_sw_if_index)
361 next_info = self.get_next_packet_info_for_interface2(
362 payload_info.src, dst_ip_sw_if_index, last_info[payload_info.src]
364 last_info[payload_info.src] = next_info
365 self.assertTrue(next_info is not None)
366 self.assertEqual(packet_index, next_info.index)
367 saved_packet = next_info.data
368 self.assertTrue(next_info is not None)
372 self.assertEqual(packet.src, dst_ip_if.local_mac)
373 host = dst_ip_if.host_by_mac(packet.dst)
376 # self.assertEqual(ip.src, src_ip_if.remote_ip4)
377 if saved_packet is not None:
378 self.assertEqual(ip.src, saved_packet[l3].src)
379 self.assertEqual(ip.dst, saved_packet[l3].dst)
381 self.assertEqual(udp_or_icmp.sport, saved_packet[l4].sport)
382 self.assertEqual(udp_or_icmp.dport, saved_packet[l4].dport)
383 # self.assertEqual(ip.dst, host.ip4)
387 def applied_acl_shuffle(self, acl_if):
388 saved_n_input = acl_if.n_input
389 # TOTO: maybe copy each one??
390 saved_acls = acl_if.acls
392 # now create a list of all the rules in all ACLs
394 for old_acl in saved_acls:
395 for rule in old_acl.rules:
396 all_rules.append(rule)
398 # Add a few ACLs made from shuffled rules
400 acl1 = VppAcl(self, rules=all_rules[::2], tag="shuffle 1. acl")
401 acl1.add_vpp_config()
404 acl2 = VppAcl(self, rules=all_rules[::3], tag="shuffle 2. acl")
405 acl2.add_vpp_config()
408 acl3 = VppAcl(self, rules=all_rules[::2], tag="shuffle 3. acl")
409 acl3.add_vpp_config()
411 # apply the shuffle ACLs in front
412 input_acls = [acl1, acl2]
413 output_acls = [acl1, acl2]
415 # add the currently applied ACLs
416 n_input = acl_if.n_input
417 input_acls.extend(saved_acls[:n_input])
418 output_acls.extend(saved_acls[n_input:])
420 # and the trailing shuffle ACL(s)
421 input_acls.extend([acl3])
422 output_acls.extend([acl3])
424 # set the interface ACL list to the result
425 acl_if.n_input = len(input_acls)
426 acl_if.acls = input_acls + output_acls
427 acl_if.add_vpp_config()
429 # change the ACLs a few times
430 for i in range(1, 10):
432 acl1.modify_vpp_config(all_rules[:: 1 + (i % 2)])
435 acl2.modify_vpp_config(all_rules[:: 1 + (i % 3)])
438 acl3.modify_vpp_config(all_rules[:: 1 + (i % 5)])
440 # restore to how it was before and clean up
441 acl_if.n_input = saved_n_input
442 acl_if.acls = saved_acls
443 acl_if.add_vpp_config()
445 acl1.remove_vpp_config()
446 acl2.remove_vpp_config()
447 acl3.remove_vpp_config()
449 def create_acls_for_a_stream(self, stream_dict, test_l2_action, is_reflect):
450 r = stream_dict["rules"]
451 r_permit = stream_dict["permit_rules"]
452 r_permit_reflect = stream_dict["permit_and_reflect_rules"]
453 r_action = r_permit_reflect if is_reflect else r
454 action_acl = VppAcl(self, rules=r_action, tag="act. acl")
455 action_acl.add_vpp_config()
456 permit_acl = VppAcl(self, rules=r_permit, tag="perm. acl")
457 permit_acl.add_vpp_config()
460 "L2": action_acl if test_l2_action else permit_acl,
461 "L3": permit_acl if test_l2_action else action_acl,
462 "permit": permit_acl,
463 "action": action_acl,
466 def apply_acl_ip46_x_to_y(
467 self, bridged_to_routed, test_l2_deny, is_ip6, is_reflect, add_eh
470 self.reset_packet_infos()
471 stream_dict = self.create_stream(
475 self.pg_if_packet_sizes,
481 stream = stream_dict["stream"]
482 acl_idx = self.create_acls_for_a_stream(stream_dict, test_l2_deny, is_reflect)
483 n_input_l3 = 0 if bridged_to_routed else 1
484 n_input_l2 = 1 if bridged_to_routed else 0
486 acl_if_pg2 = VppAclInterface(
488 sw_if_index=self.pg2.sw_if_index,
490 acls=[acl_idx["L3"]],
492 acl_if_pg2.add_vpp_config()
494 acl_if_pg0 = VppAclInterface(
496 sw_if_index=self.pg0.sw_if_index,
498 acls=[acl_idx["L2"]],
500 acl_if_pg0.add_vpp_config()
502 acl_if_pg1 = VppAclInterface(
504 sw_if_index=self.pg1.sw_if_index,
506 acls=[acl_idx["L2"]],
508 acl_if_pg1.add_vpp_config()
510 self.applied_acl_shuffle(acl_if_pg0)
511 self.applied_acl_shuffle(acl_if_pg1)
512 return {"L2": acl_idx["L2"], "L3": acl_idx["L3"]}
514 def apply_acl_ip46_both_directions_reflect(
515 self, primary_is_bridged_to_routed, reflect_on_l2, is_ip6, add_eh, stateful_icmp
517 primary_is_routed_to_bridged = not primary_is_bridged_to_routed
518 self.reset_packet_infos()
519 stream_dict_fwd = self.create_stream(
522 primary_is_bridged_to_routed,
523 self.pg_if_packet_sizes,
530 acl_idx_fwd = self.create_acls_for_a_stream(
531 stream_dict_fwd, reflect_on_l2, True
534 stream_dict_rev = self.create_stream(
537 not primary_is_bridged_to_routed,
538 self.pg_if_packet_sizes,
545 # We want the primary action to be "deny" rather than reflect
546 acl_idx_rev = self.create_acls_for_a_stream(
547 stream_dict_rev, reflect_on_l2, False
550 if primary_is_bridged_to_routed:
551 inbound_l2_acl = acl_idx_fwd["L2"]
553 inbound_l2_acl = acl_idx_rev["L2"]
555 if primary_is_routed_to_bridged:
556 outbound_l2_acl = acl_idx_fwd["L2"]
558 outbound_l2_acl = acl_idx_rev["L2"]
560 if primary_is_routed_to_bridged:
561 inbound_l3_acl = acl_idx_fwd["L3"]
563 inbound_l3_acl = acl_idx_rev["L3"]
565 if primary_is_bridged_to_routed:
566 outbound_l3_acl = acl_idx_fwd["L3"]
568 outbound_l3_acl = acl_idx_rev["L3"]
570 acl_if_pg2 = VppAclInterface(
572 sw_if_index=self.pg2.sw_if_index,
574 acls=[inbound_l3_acl, outbound_l3_acl],
576 acl_if_pg2.add_vpp_config()
578 acl_if_pg0 = VppAclInterface(
580 sw_if_index=self.pg0.sw_if_index,
582 acls=[inbound_l2_acl, outbound_l2_acl],
584 acl_if_pg0.add_vpp_config()
586 acl_if_pg1 = VppAclInterface(
588 sw_if_index=self.pg1.sw_if_index,
590 acls=[inbound_l2_acl, outbound_l2_acl],
592 acl_if_pg1.add_vpp_config()
594 self.applied_acl_shuffle(acl_if_pg0)
595 self.applied_acl_shuffle(acl_if_pg2)
597 def apply_acl_ip46_routed_to_bridged(
598 self, test_l2_deny, is_ip6, is_reflect, add_eh
600 return self.apply_acl_ip46_x_to_y(
601 False, test_l2_deny, is_ip6, is_reflect, add_eh
604 def apply_acl_ip46_bridged_to_routed(
605 self, test_l2_deny, is_ip6, is_reflect, add_eh
607 return self.apply_acl_ip46_x_to_y(
608 True, test_l2_deny, is_ip6, is_reflect, add_eh
611 def verify_acl_packet_count(self, acl_idx, packet_count):
612 matches = self.statistics.get_counter("/acl/%d/matches" % acl_idx)
613 self.logger.info("stat seg for ACL %d: %s" % (acl_idx, repr(matches)))
617 total_count = total_count + p["packets"]
618 self.assertEqual(total_count, packet_count)
620 def run_traffic_ip46_x_to_y(
630 self.reset_packet_infos()
631 stream_dict = self.create_stream(
635 self.pg_if_packet_sizes,
642 stream = stream_dict["stream"]
644 tx_if = self.pg0 if bridged_to_routed else self.pg2
645 rx_if = self.pg2 if bridged_to_routed else self.pg0
647 tx_if.add_stream(stream)
648 self.pg_enable_capture(self.pg_interfaces)
650 packet_count = self.get_packet_count_for_if_idx(self.loop0.sw_if_index)
651 rcvd1 = rx_if.get_capture(packet_count)
652 self.verify_capture(self.loop0, self.pg2, rcvd1, bridged_to_routed)
655 def run_traffic_ip46_routed_to_bridged(
664 return self.run_traffic_ip46_x_to_y(
674 def run_traffic_ip46_bridged_to_routed(
683 return self.run_traffic_ip46_x_to_y(
693 def run_test_ip46_routed_to_bridged(self, test_l2_deny, is_ip6, is_reflect, add_eh):
694 acls = self.apply_acl_ip46_routed_to_bridged(
695 test_l2_deny, is_ip6, is_reflect, add_eh
697 pkts = self.run_traffic_ip46_routed_to_bridged(
698 test_l2_deny, is_ip6, is_reflect, False, add_eh
700 self.verify_acl_packet_count(acls["L3"].acl_index, pkts)
702 def run_test_ip46_bridged_to_routed(self, test_l2_deny, is_ip6, is_reflect, add_eh):
703 acls = self.apply_acl_ip46_bridged_to_routed(
704 test_l2_deny, is_ip6, is_reflect, add_eh
706 pkts = self.run_traffic_ip46_bridged_to_routed(
707 test_l2_deny, is_ip6, is_reflect, False, add_eh
709 self.verify_acl_packet_count(acls["L2"].acl_index, pkts)
711 def run_test_ip46_routed_to_bridged_and_back(
712 self, test_l2_action, is_ip6, add_eh, stateful_icmp=False
714 self.apply_acl_ip46_both_directions_reflect(
715 False, test_l2_action, is_ip6, add_eh, stateful_icmp
717 self.run_traffic_ip46_routed_to_bridged(
718 test_l2_action, is_ip6, True, False, add_eh, stateful_icmp
720 self.run_traffic_ip46_bridged_to_routed(
721 test_l2_action, is_ip6, False, True, add_eh, stateful_icmp
724 def run_test_ip46_bridged_to_routed_and_back(
725 self, test_l2_action, is_ip6, add_eh, stateful_icmp=False
727 self.apply_acl_ip46_both_directions_reflect(
728 True, test_l2_action, is_ip6, add_eh, stateful_icmp
730 self.run_traffic_ip46_bridged_to_routed(
731 test_l2_action, is_ip6, True, False, add_eh, stateful_icmp
733 self.run_traffic_ip46_routed_to_bridged(
734 test_l2_action, is_ip6, False, True, add_eh, stateful_icmp
737 def test_0000_ip6_irb_1(self):
738 """ACL plugin prepare"""
739 if not self.vpp_dead:
740 cmd = "set acl-plugin session timeout udp idle 2000"
741 self.logger.info(self.vapi.ppcli(cmd))
742 # uncomment to not skip past the routing header
743 # and watch the EH tests fail
744 # self.logger.info(self.vapi.ppcli(
745 # "set acl-plugin skip-ipv6-extension-header 43 0"))
746 # uncomment to test the session limit (stateful tests will fail)
747 # self.logger.info(self.vapi.ppcli(
748 # "set acl-plugin session table max-entries 1"))
749 # new datapath is the default, but just in case
750 # self.logger.info(self.vapi.ppcli(
751 # "set acl-plugin l2-datapath new"))
752 # If you want to see some tests fail, uncomment the next line
753 # self.logger.info(self.vapi.ppcli(
754 # "set acl-plugin l2-datapath old"))
756 def test_0001_ip6_irb_1(self):
757 """ACL IPv6 routed -> bridged, L2 ACL deny"""
758 self.run_test_ip46_routed_to_bridged(True, True, False, self.WITHOUT_EH)
760 def test_0002_ip6_irb_1(self):
761 """ACL IPv6 routed -> bridged, L3 ACL deny"""
762 self.run_test_ip46_routed_to_bridged(False, True, False, self.WITHOUT_EH)
764 def test_0003_ip4_irb_1(self):
765 """ACL IPv4 routed -> bridged, L2 ACL deny"""
766 self.run_test_ip46_routed_to_bridged(True, False, False, self.WITHOUT_EH)
768 def test_0004_ip4_irb_1(self):
769 """ACL IPv4 routed -> bridged, L3 ACL deny"""
770 self.run_test_ip46_routed_to_bridged(False, False, False, self.WITHOUT_EH)
772 def test_0005_ip6_irb_1(self):
773 """ACL IPv6 bridged -> routed, L2 ACL deny"""
774 self.run_test_ip46_bridged_to_routed(True, True, False, self.WITHOUT_EH)
776 def test_0006_ip6_irb_1(self):
777 """ACL IPv6 bridged -> routed, L3 ACL deny"""
778 self.run_test_ip46_bridged_to_routed(False, True, False, self.WITHOUT_EH)
780 def test_0007_ip6_irb_1(self):
781 """ACL IPv4 bridged -> routed, L2 ACL deny"""
782 self.run_test_ip46_bridged_to_routed(True, False, False, self.WITHOUT_EH)
784 def test_0008_ip6_irb_1(self):
785 """ACL IPv4 bridged -> routed, L3 ACL deny"""
786 self.run_test_ip46_bridged_to_routed(False, False, False, self.WITHOUT_EH)
789 def test_0101_ip6_irb_1(self):
790 """ACL IPv6 routed -> bridged, L2 ACL permit+reflect"""
791 self.run_test_ip46_routed_to_bridged_and_back(True, True, self.WITHOUT_EH)
793 def test_0102_ip6_irb_1(self):
794 """ACL IPv6 bridged -> routed, L2 ACL permit+reflect"""
795 self.run_test_ip46_bridged_to_routed_and_back(True, True, self.WITHOUT_EH)
797 def test_0103_ip6_irb_1(self):
798 """ACL IPv4 routed -> bridged, L2 ACL permit+reflect"""
799 self.run_test_ip46_routed_to_bridged_and_back(True, False, self.WITHOUT_EH)
801 def test_0104_ip6_irb_1(self):
802 """ACL IPv4 bridged -> routed, L2 ACL permit+reflect"""
803 self.run_test_ip46_bridged_to_routed_and_back(True, False, self.WITHOUT_EH)
805 def test_0111_ip6_irb_1(self):
806 """ACL IPv6 routed -> bridged, L3 ACL permit+reflect"""
807 self.run_test_ip46_routed_to_bridged_and_back(False, True, self.WITHOUT_EH)
809 def test_0112_ip6_irb_1(self):
810 """ACL IPv6 bridged -> routed, L3 ACL permit+reflect"""
811 self.run_test_ip46_bridged_to_routed_and_back(False, True, self.WITHOUT_EH)
813 def test_0113_ip6_irb_1(self):
814 """ACL IPv4 routed -> bridged, L3 ACL permit+reflect"""
815 self.run_test_ip46_routed_to_bridged_and_back(False, False, self.WITHOUT_EH)
817 def test_0114_ip6_irb_1(self):
818 """ACL IPv4 bridged -> routed, L3 ACL permit+reflect"""
819 self.run_test_ip46_bridged_to_routed_and_back(False, False, self.WITHOUT_EH)
821 # A block of tests with extension headers
823 def test_1001_ip6_irb_1(self):
824 """ACL IPv6+EH routed -> bridged, L2 ACL deny"""
825 self.run_test_ip46_routed_to_bridged(True, True, False, self.WITH_EH)
827 def test_1002_ip6_irb_1(self):
828 """ACL IPv6+EH routed -> bridged, L3 ACL deny"""
829 self.run_test_ip46_routed_to_bridged(False, True, False, self.WITH_EH)
831 def test_1005_ip6_irb_1(self):
832 """ACL IPv6+EH bridged -> routed, L2 ACL deny"""
833 self.run_test_ip46_bridged_to_routed(True, True, False, self.WITH_EH)
835 def test_1006_ip6_irb_1(self):
836 """ACL IPv6+EH bridged -> routed, L3 ACL deny"""
837 self.run_test_ip46_bridged_to_routed(False, True, False, self.WITH_EH)
839 def test_1101_ip6_irb_1(self):
840 """ACL IPv6+EH routed -> bridged, L2 ACL permit+reflect"""
841 self.run_test_ip46_routed_to_bridged_and_back(True, True, self.WITH_EH)
843 def test_1102_ip6_irb_1(self):
844 """ACL IPv6+EH bridged -> routed, L2 ACL permit+reflect"""
845 self.run_test_ip46_bridged_to_routed_and_back(True, True, self.WITH_EH)
847 def test_1111_ip6_irb_1(self):
848 """ACL IPv6+EH routed -> bridged, L3 ACL permit+reflect"""
849 self.run_test_ip46_routed_to_bridged_and_back(False, True, self.WITH_EH)
851 def test_1112_ip6_irb_1(self):
852 """ACL IPv6+EH bridged -> routed, L3 ACL permit+reflect"""
853 self.run_test_ip46_bridged_to_routed_and_back(False, True, self.WITH_EH)
855 # IPv4 with "MF" bit set
857 def test_1201_ip6_irb_1(self):
858 """ACL IPv4+MF routed -> bridged, L2 ACL deny"""
859 self.run_test_ip46_routed_to_bridged(True, False, False, self.WITH_EH)
861 def test_1202_ip6_irb_1(self):
862 """ACL IPv4+MF routed -> bridged, L3 ACL deny"""
863 self.run_test_ip46_routed_to_bridged(False, False, False, self.WITH_EH)
865 def test_1205_ip6_irb_1(self):
866 """ACL IPv4+MF bridged -> routed, L2 ACL deny"""
867 self.run_test_ip46_bridged_to_routed(True, False, False, self.WITH_EH)
869 def test_1206_ip6_irb_1(self):
870 """ACL IPv4+MF bridged -> routed, L3 ACL deny"""
871 self.run_test_ip46_bridged_to_routed(False, False, False, self.WITH_EH)
873 def test_1301_ip6_irb_1(self):
874 """ACL IPv4+MF routed -> bridged, L2 ACL permit+reflect"""
875 self.run_test_ip46_routed_to_bridged_and_back(True, False, self.WITH_EH)
877 def test_1302_ip6_irb_1(self):
878 """ACL IPv4+MF bridged -> routed, L2 ACL permit+reflect"""
879 self.run_test_ip46_bridged_to_routed_and_back(True, False, self.WITH_EH)
881 def test_1311_ip6_irb_1(self):
882 """ACL IPv4+MF routed -> bridged, L3 ACL permit+reflect"""
883 self.run_test_ip46_routed_to_bridged_and_back(False, False, self.WITH_EH)
885 def test_1312_ip6_irb_1(self):
886 """ACL IPv4+MF bridged -> routed, L3 ACL permit+reflect"""
887 self.run_test_ip46_bridged_to_routed_and_back(False, False, self.WITH_EH)
889 # Stateful ACL tests with stateful ICMP
891 def test_1401_ip6_irb_1(self):
892 """IPv6 routed -> bridged, L2 ACL permit+reflect, ICMP reflect"""
893 self.run_test_ip46_routed_to_bridged_and_back(
894 True, True, self.WITHOUT_EH, self.STATEFUL_ICMP
897 def test_1402_ip6_irb_1(self):
898 """IPv6 bridged -> routed, L2 ACL permit+reflect, ICMP reflect"""
899 self.run_test_ip46_bridged_to_routed_and_back(
900 True, True, self.WITHOUT_EH, self.STATEFUL_ICMP
903 def test_1403_ip4_irb_1(self):
904 """IPv4 routed -> bridged, L2 ACL permit+reflect, ICMP reflect"""
905 self.run_test_ip46_routed_to_bridged_and_back(
906 True, False, self.WITHOUT_EH, self.STATEFUL_ICMP
909 def test_1404_ip4_irb_1(self):
910 """IPv4 bridged -> routed, L2 ACL permit+reflect, ICMP reflect"""
911 self.run_test_ip46_bridged_to_routed_and_back(
912 True, False, self.WITHOUT_EH, self.STATEFUL_ICMP
915 def test_1411_ip6_irb_1(self):
916 """IPv6 routed -> bridged, L3 ACL permit+reflect, ICMP reflect"""
917 self.run_test_ip46_routed_to_bridged_and_back(
918 False, True, self.WITHOUT_EH, self.STATEFUL_ICMP
921 def test_1412_ip6_irb_1(self):
922 """IPv6 bridged -> routed, L3 ACL permit+reflect, ICMP reflect"""
923 self.run_test_ip46_bridged_to_routed_and_back(
924 False, True, self.WITHOUT_EH, self.STATEFUL_ICMP
927 def test_1413_ip4_irb_1(self):
928 """IPv4 routed -> bridged, L3 ACL permit+reflect, ICMP reflect"""
929 self.run_test_ip46_routed_to_bridged_and_back(
930 False, False, self.WITHOUT_EH, self.STATEFUL_ICMP
933 def test_1414_ip4_irb_1(self):
934 """IPv4 bridged -> routed, L3 ACL permit+reflect, ICMP reflect"""
935 self.run_test_ip46_bridged_to_routed_and_back(
936 False, False, self.WITHOUT_EH, self.STATEFUL_ICMP
940 if __name__ == "__main__":
941 unittest.main(testRunner=VppTestRunner)