2 """ACL IRB Test Case HLD:
5 - L2 MAC learning enabled in l2bd
6 - 2 routed interfaces untagged, bvi (Bridge Virtual Interface)
7 - 2 bridged interfaces in l2bd with bvi
10 - sending ip4 eth pkts between routed interfaces
12 - 2 bridged interfaces
14 - 64B, 512B, 1518B, 9200B (ether_size)
16 - burst of pkts per interface
18 - routed pkts hitting different FIB entries
19 - bridged pkts hitting different MAC entries
22 - all packets received correctly
28 from socket import inet_pton, AF_INET, AF_INET6
29 from random import choice, shuffle
30 from pprint import pprint
31 from ipaddress import ip_network
32 from config import config
35 from scapy.packet import Raw
36 from scapy.layers.l2 import Ether
37 from scapy.layers.inet import IP, UDP, ICMP, TCP
38 from scapy.layers.inet6 import IPv6, ICMPv6Unknown, ICMPv6EchoRequest
39 from scapy.layers.inet6 import ICMPv6EchoReply, IPv6ExtHdrRouting
40 from scapy.layers.inet6 import IPv6ExtHdrFragment
42 from framework import VppTestCase, VppTestRunner
43 from vpp_l2 import L2_PORT_TYPE
46 from vpp_acl import AclRule, VppAcl, VppAclInterface
49 @unittest.skipIf("acl" in config.excluded_plugins, "Exclude ACL plugin tests")
50 class TestACLpluginL2L3(VppTestCase):
51 """TestACLpluginL2L3 Test Case"""
56 #. Create BD with MAC learning enabled and put interfaces to this BD.
57 #. Configure IPv4 addresses on loopback interface and routed interface.
58 #. Configure MAC address binding to IPv4 neighbors on loop0.
59 #. Configure MAC address on pg2.
60 #. Loopback BVI interface has remote hosts, one half of hosts are
61 behind pg0 second behind pg1.
63 super(TestACLpluginL2L3, cls).setUpClass()
65 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
67 cls.remote_hosts_count = 250
69 # create 3 pg interfaces, 1 loopback interface
70 cls.create_pg_interfaces(range(3))
71 cls.create_loopback_interfaces(1)
73 cls.interfaces = list(cls.pg_interfaces)
74 cls.interfaces.extend(cls.lo_interfaces)
76 for i in cls.interfaces:
79 # Create BD with MAC learning enabled and put interfaces to this BD
80 cls.vapi.sw_interface_set_l2_bridge(
81 rx_sw_if_index=cls.loop0.sw_if_index,
83 port_type=L2_PORT_TYPE.BVI,
85 cls.vapi.sw_interface_set_l2_bridge(
86 rx_sw_if_index=cls.pg0.sw_if_index, bd_id=cls.bd_id
88 cls.vapi.sw_interface_set_l2_bridge(
89 rx_sw_if_index=cls.pg1.sw_if_index, bd_id=cls.bd_id
92 # Configure IPv4 addresses on loopback interface and routed interface
93 cls.loop0.config_ip4()
94 cls.loop0.config_ip6()
98 # Configure MAC address binding to IPv4 neighbors on loop0
99 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
100 cls.loop0.configure_ipv4_neighbors()
101 cls.loop0.configure_ipv6_neighbors()
102 # configure MAC address on pg2
103 cls.pg2.resolve_arp()
104 cls.pg2.resolve_ndp()
106 cls.WITHOUT_EH = False
108 cls.STATELESS_ICMP = False
109 cls.STATEFUL_ICMP = True
111 # Loopback BVI interface has remote hosts, one half of hosts are behind
112 # pg0 second behind pg1
113 half = cls.remote_hosts_count // 2
114 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:half]
115 cls.pg1.remote_hosts = cls.loop0.remote_hosts[half:]
116 reply = cls.vapi.papi.acl_stats_intf_counters_enable(enable=1)
119 def tearDownClass(cls):
120 reply = cls.vapi.papi.acl_stats_intf_counters_enable(enable=0)
121 super(TestACLpluginL2L3, cls).tearDownClass()
124 """Run standard test teardown and log ``show l2patch``,
125 ``show l2fib verbose``,``show bridge-domain <bd_id> detail``,
126 ``show ip neighbors``.
128 super(TestACLpluginL2L3, self).tearDown()
130 def show_commands_at_teardown(self):
131 self.logger.info(self.vapi.cli("show l2patch"))
132 self.logger.info(self.vapi.cli("show classify tables"))
133 self.logger.info(self.vapi.cli("show l2fib verbose"))
134 self.logger.info(self.vapi.cli("show bridge-domain %s detail" % self.bd_id))
135 self.logger.info(self.vapi.cli("show ip neighbors"))
136 cmd = "show acl-plugin sessions verbose 1"
137 self.logger.info(self.vapi.cli(cmd))
138 self.logger.info(self.vapi.cli("show acl-plugin acl"))
139 self.logger.info(self.vapi.cli("show acl-plugin interface"))
140 self.logger.info(self.vapi.cli("show acl-plugin tables"))
151 add_extension_header,
157 permit_and_reflect_rules = []
158 total_packet_count = 8
159 for i in range(0, total_packet_count):
160 modulo = (i // 2) % 2
161 icmp_type_delta = i % 2
163 is_udp_packet = modulo == 0
164 if is_udp_packet and icmp_stateful:
166 is_reflectable_icmp = (
167 icmp_stateful and icmp_type_delta == 0 and not is_udp_packet
169 is_reflected_icmp = is_reflectable_icmp and expect_established
170 can_reflect_this_packet = is_udp_packet or is_reflectable_icmp
172 remote_dst_index = i % len(dst_ip_if.remote_hosts)
173 remote_dst_host = dst_ip_if.remote_hosts[remote_dst_index]
175 info = self.create_packet_info(src_ip_if, dst_ip_if)
176 payload = self.info_to_payload(info)
178 to_be_blocked = False
179 if expect_blocked and not expect_established:
181 if not can_reflect_this_packet:
184 payload = "to be blocked"
186 info = self.create_packet_info(src_ip_if, dst_ip_if)
187 payload = self.info_to_payload(info)
189 dst_mac = "de:ad:00:00:00:00"
190 src_mac = remote_dst_host._mac
191 dst_ip6 = src_ip_if.remote_ip6
192 src_ip6 = remote_dst_host.ip6
193 dst_ip4 = src_ip_if.remote_ip4
194 src_ip4 = remote_dst_host.ip4
198 dst_mac = src_ip_if.local_mac
199 src_mac = src_ip_if.remote_mac
200 src_ip6 = src_ip_if.remote_ip6
201 dst_ip6 = remote_dst_host.ip6
202 src_ip4 = src_ip_if.remote_ip4
203 dst_ip4 = remote_dst_host.ip4
206 if is_reflected_icmp:
209 # default ULP should be something we do not use in tests
210 ulp_l4 = TCP(sport=src_l4, dport=dst_l4)
211 # potentially a chain of protocols leading to ULP
216 ulp_l4 = UDP(sport=src_l4, dport=dst_l4)
217 if add_extension_header:
218 # prepend some extension headers
221 / IPv6ExtHdrRouting()
222 / IPv6ExtHdrFragment(offset=0, m=1)
225 # uncomment below to test invalid ones
226 # ulp = IPv6ExtHdrRouting(len = 200) / ulp_l4
230 Ether(dst=dst_mac, src=src_mac)
231 / IPv6(src=src_ip6, dst=dst_ip6)
236 ulp_l4 = UDP(sport=src_l4, dport=dst_l4)
237 # IPv4 does not allow extension headers,
238 # but we rather make it a first fragment
239 flags = 1 if add_extension_header else 0
242 Ether(dst=dst_mac, src=src_mac)
243 / IP(src=src_ip4, dst=dst_ip4, frag=0, flags=flags)
249 ulp_l4 = ICMPv6Unknown(type=128 + icmp_type_delta, code=icmp_code)
252 Ether(dst=dst_mac, src=src_mac)
253 / IPv6(src=src_ip6, dst=dst_ip6)
258 ulp_l4 = ICMP(type=8 - 8 * icmp_type_delta, code=icmp_code)
261 Ether(dst=dst_mac, src=src_mac)
262 / IP(src=src_ip4, dst=dst_ip4)
269 size = packet_sizes[(i // 2) % len(packet_sizes)]
270 self.extend_packet(p, size)
273 rule_family = AF_INET6 if p.haslayer(IPv6) else AF_INET
274 rule_prefix_len = 128 if p.haslayer(IPv6) else 32
275 rule_l3_layer = IPv6 if p.haslayer(IPv6) else IP
278 rule_l4_sport = p[UDP].sport
279 rule_l4_dport = p[UDP].dport
282 rule_l4_sport = p[ICMP].type
283 rule_l4_dport = p[ICMP].code
285 rule_l4_sport = p[ICMPv6Unknown].type
286 rule_l4_dport = p[ICMPv6Unknown].code
288 rule_l4_proto = ulp_l4.overload_fields[IPv6]["nh"]
290 rule_l4_proto = p[IP].proto
295 src_prefix=ip_network((p[rule_l3_layer].src, rule_prefix_len)),
296 dst_prefix=ip_network((p[rule_l3_layer].dst, rule_prefix_len)),
297 sport_from=rule_l4_sport,
298 sport_to=rule_l4_sport,
299 dport_from=rule_l4_dport,
300 dport_to=rule_l4_dport,
303 rules.append(new_rule)
304 new_rule_permit = copy.copy(new_rule)
305 new_rule_permit.is_permit = 1
306 permit_rules.append(new_rule_permit)
308 new_rule_permit_and_reflect = copy.copy(new_rule)
309 if can_reflect_this_packet:
310 new_rule_permit_and_reflect.is_permit = 2
312 new_rule_permit_and_reflect.is_permit = is_permit
314 permit_and_reflect_rules.append(new_rule_permit_and_reflect)
315 self.logger.info("create_stream pkt#%d: %s" % (i, payload))
320 "permit_rules": permit_rules,
321 "permit_and_reflect_rules": permit_and_reflect_rules,
324 def verify_capture(self, dst_ip_if, src_ip_if, capture, reverse):
326 for i in self.interfaces:
327 last_info[i.sw_if_index] = None
329 dst_ip_sw_if_index = dst_ip_if.sw_if_index
331 for packet in capture:
332 l3 = IP if packet.haslayer(IP) else IPv6
334 if packet.haslayer(UDP):
337 if packet.haslayer(ICMP):
342 # Scapy IPv6 stuff is too smart for its own good.
343 # So we do this and coerce the ICMP into unknown type
344 if packet.haslayer(UDP):
345 data = scapy.compat.raw(packet[UDP][Raw])
348 data = scapy.compat.raw(
349 ICMP(scapy.compat.raw(packet[l3].payload))[Raw]
352 data = scapy.compat.raw(
353 ICMPv6Unknown(scapy.compat.raw(packet[l3].payload)).msgbody
355 udp_or_icmp = packet[l3].payload
357 # FIXME: make framework believe we are on object
358 payload_info = self.payload_to_info(data_obj)
359 packet_index = payload_info.index
361 self.assertEqual(payload_info.dst, dst_ip_sw_if_index)
363 next_info = self.get_next_packet_info_for_interface2(
364 payload_info.src, dst_ip_sw_if_index, last_info[payload_info.src]
366 last_info[payload_info.src] = next_info
367 self.assertTrue(next_info is not None)
368 self.assertEqual(packet_index, next_info.index)
369 saved_packet = next_info.data
370 self.assertTrue(next_info is not None)
374 self.assertEqual(packet.src, dst_ip_if.local_mac)
375 host = dst_ip_if.host_by_mac(packet.dst)
378 # self.assertEqual(ip.src, src_ip_if.remote_ip4)
379 if saved_packet is not None:
380 self.assertEqual(ip.src, saved_packet[l3].src)
381 self.assertEqual(ip.dst, saved_packet[l3].dst)
383 self.assertEqual(udp_or_icmp.sport, saved_packet[l4].sport)
384 self.assertEqual(udp_or_icmp.dport, saved_packet[l4].dport)
385 # self.assertEqual(ip.dst, host.ip4)
389 def applied_acl_shuffle(self, acl_if):
390 saved_n_input = acl_if.n_input
391 # TOTO: maybe copy each one??
392 saved_acls = acl_if.acls
394 # now create a list of all the rules in all ACLs
396 for old_acl in saved_acls:
397 for rule in old_acl.rules:
398 all_rules.append(rule)
400 # Add a few ACLs made from shuffled rules
402 acl1 = VppAcl(self, rules=all_rules[::2], tag="shuffle 1. acl")
403 acl1.add_vpp_config()
406 acl2 = VppAcl(self, rules=all_rules[::3], tag="shuffle 2. acl")
407 acl2.add_vpp_config()
410 acl3 = VppAcl(self, rules=all_rules[::2], tag="shuffle 3. acl")
411 acl3.add_vpp_config()
413 # apply the shuffle ACLs in front
414 input_acls = [acl1, acl2]
415 output_acls = [acl1, acl2]
417 # add the currently applied ACLs
418 n_input = acl_if.n_input
419 input_acls.extend(saved_acls[:n_input])
420 output_acls.extend(saved_acls[n_input:])
422 # and the trailing shuffle ACL(s)
423 input_acls.extend([acl3])
424 output_acls.extend([acl3])
426 # set the interface ACL list to the result
427 acl_if.n_input = len(input_acls)
428 acl_if.acls = input_acls + output_acls
429 acl_if.add_vpp_config()
431 # change the ACLs a few times
432 for i in range(1, 10):
434 acl1.modify_vpp_config(all_rules[:: 1 + (i % 2)])
437 acl2.modify_vpp_config(all_rules[:: 1 + (i % 3)])
440 acl3.modify_vpp_config(all_rules[:: 1 + (i % 5)])
442 # restore to how it was before and clean up
443 acl_if.n_input = saved_n_input
444 acl_if.acls = saved_acls
445 acl_if.add_vpp_config()
447 acl1.remove_vpp_config()
448 acl2.remove_vpp_config()
449 acl3.remove_vpp_config()
451 def create_acls_for_a_stream(self, stream_dict, test_l2_action, is_reflect):
452 r = stream_dict["rules"]
453 r_permit = stream_dict["permit_rules"]
454 r_permit_reflect = stream_dict["permit_and_reflect_rules"]
455 r_action = r_permit_reflect if is_reflect else r
456 action_acl = VppAcl(self, rules=r_action, tag="act. acl")
457 action_acl.add_vpp_config()
458 permit_acl = VppAcl(self, rules=r_permit, tag="perm. acl")
459 permit_acl.add_vpp_config()
462 "L2": action_acl if test_l2_action else permit_acl,
463 "L3": permit_acl if test_l2_action else action_acl,
464 "permit": permit_acl,
465 "action": action_acl,
468 def apply_acl_ip46_x_to_y(
469 self, bridged_to_routed, test_l2_deny, is_ip6, is_reflect, add_eh
472 self.reset_packet_infos()
473 stream_dict = self.create_stream(
477 self.pg_if_packet_sizes,
483 stream = stream_dict["stream"]
484 acl_idx = self.create_acls_for_a_stream(stream_dict, test_l2_deny, is_reflect)
485 n_input_l3 = 0 if bridged_to_routed else 1
486 n_input_l2 = 1 if bridged_to_routed else 0
488 acl_if_pg2 = VppAclInterface(
490 sw_if_index=self.pg2.sw_if_index,
492 acls=[acl_idx["L3"]],
494 acl_if_pg2.add_vpp_config()
496 acl_if_pg0 = VppAclInterface(
498 sw_if_index=self.pg0.sw_if_index,
500 acls=[acl_idx["L2"]],
502 acl_if_pg0.add_vpp_config()
504 acl_if_pg1 = VppAclInterface(
506 sw_if_index=self.pg1.sw_if_index,
508 acls=[acl_idx["L2"]],
510 acl_if_pg1.add_vpp_config()
512 self.applied_acl_shuffle(acl_if_pg0)
513 self.applied_acl_shuffle(acl_if_pg1)
514 return {"L2": acl_idx["L2"], "L3": acl_idx["L3"]}
516 def apply_acl_ip46_both_directions_reflect(
517 self, primary_is_bridged_to_routed, reflect_on_l2, is_ip6, add_eh, stateful_icmp
519 primary_is_routed_to_bridged = not primary_is_bridged_to_routed
520 self.reset_packet_infos()
521 stream_dict_fwd = self.create_stream(
524 primary_is_bridged_to_routed,
525 self.pg_if_packet_sizes,
532 acl_idx_fwd = self.create_acls_for_a_stream(
533 stream_dict_fwd, reflect_on_l2, True
536 stream_dict_rev = self.create_stream(
539 not primary_is_bridged_to_routed,
540 self.pg_if_packet_sizes,
547 # We want the primary action to be "deny" rather than reflect
548 acl_idx_rev = self.create_acls_for_a_stream(
549 stream_dict_rev, reflect_on_l2, False
552 if primary_is_bridged_to_routed:
553 inbound_l2_acl = acl_idx_fwd["L2"]
555 inbound_l2_acl = acl_idx_rev["L2"]
557 if primary_is_routed_to_bridged:
558 outbound_l2_acl = acl_idx_fwd["L2"]
560 outbound_l2_acl = acl_idx_rev["L2"]
562 if primary_is_routed_to_bridged:
563 inbound_l3_acl = acl_idx_fwd["L3"]
565 inbound_l3_acl = acl_idx_rev["L3"]
567 if primary_is_bridged_to_routed:
568 outbound_l3_acl = acl_idx_fwd["L3"]
570 outbound_l3_acl = acl_idx_rev["L3"]
572 acl_if_pg2 = VppAclInterface(
574 sw_if_index=self.pg2.sw_if_index,
576 acls=[inbound_l3_acl, outbound_l3_acl],
578 acl_if_pg2.add_vpp_config()
580 acl_if_pg0 = VppAclInterface(
582 sw_if_index=self.pg0.sw_if_index,
584 acls=[inbound_l2_acl, outbound_l2_acl],
586 acl_if_pg0.add_vpp_config()
588 acl_if_pg1 = VppAclInterface(
590 sw_if_index=self.pg1.sw_if_index,
592 acls=[inbound_l2_acl, outbound_l2_acl],
594 acl_if_pg1.add_vpp_config()
596 self.applied_acl_shuffle(acl_if_pg0)
597 self.applied_acl_shuffle(acl_if_pg2)
599 def apply_acl_ip46_routed_to_bridged(
600 self, test_l2_deny, is_ip6, is_reflect, add_eh
602 return self.apply_acl_ip46_x_to_y(
603 False, test_l2_deny, is_ip6, is_reflect, add_eh
606 def apply_acl_ip46_bridged_to_routed(
607 self, test_l2_deny, is_ip6, is_reflect, add_eh
609 return self.apply_acl_ip46_x_to_y(
610 True, test_l2_deny, is_ip6, is_reflect, add_eh
613 def verify_acl_packet_count(self, acl_idx, packet_count):
614 matches = self.statistics.get_counter("/acl/%d/matches" % acl_idx)
615 self.logger.info("stat seg for ACL %d: %s" % (acl_idx, repr(matches)))
619 total_count = total_count + p["packets"]
620 self.assertEqual(total_count, packet_count)
622 def run_traffic_ip46_x_to_y(
632 self.reset_packet_infos()
633 stream_dict = self.create_stream(
637 self.pg_if_packet_sizes,
644 stream = stream_dict["stream"]
646 tx_if = self.pg0 if bridged_to_routed else self.pg2
647 rx_if = self.pg2 if bridged_to_routed else self.pg0
649 tx_if.add_stream(stream)
650 self.pg_enable_capture(self.pg_interfaces)
652 packet_count = self.get_packet_count_for_if_idx(self.loop0.sw_if_index)
653 rcvd1 = rx_if.get_capture(packet_count)
654 self.verify_capture(self.loop0, self.pg2, rcvd1, bridged_to_routed)
657 def run_traffic_ip46_routed_to_bridged(
666 return self.run_traffic_ip46_x_to_y(
676 def run_traffic_ip46_bridged_to_routed(
685 return self.run_traffic_ip46_x_to_y(
695 def run_test_ip46_routed_to_bridged(self, test_l2_deny, is_ip6, is_reflect, add_eh):
696 acls = self.apply_acl_ip46_routed_to_bridged(
697 test_l2_deny, is_ip6, is_reflect, add_eh
699 pkts = self.run_traffic_ip46_routed_to_bridged(
700 test_l2_deny, is_ip6, is_reflect, False, add_eh
702 self.verify_acl_packet_count(acls["L3"].acl_index, pkts)
704 def run_test_ip46_bridged_to_routed(self, test_l2_deny, is_ip6, is_reflect, add_eh):
705 acls = self.apply_acl_ip46_bridged_to_routed(
706 test_l2_deny, is_ip6, is_reflect, add_eh
708 pkts = self.run_traffic_ip46_bridged_to_routed(
709 test_l2_deny, is_ip6, is_reflect, False, add_eh
711 self.verify_acl_packet_count(acls["L2"].acl_index, pkts)
713 def run_test_ip46_routed_to_bridged_and_back(
714 self, test_l2_action, is_ip6, add_eh, stateful_icmp=False
716 self.apply_acl_ip46_both_directions_reflect(
717 False, test_l2_action, is_ip6, add_eh, stateful_icmp
719 self.run_traffic_ip46_routed_to_bridged(
720 test_l2_action, is_ip6, True, False, add_eh, stateful_icmp
722 self.run_traffic_ip46_bridged_to_routed(
723 test_l2_action, is_ip6, False, True, add_eh, stateful_icmp
726 def run_test_ip46_bridged_to_routed_and_back(
727 self, test_l2_action, is_ip6, add_eh, stateful_icmp=False
729 self.apply_acl_ip46_both_directions_reflect(
730 True, test_l2_action, is_ip6, add_eh, stateful_icmp
732 self.run_traffic_ip46_bridged_to_routed(
733 test_l2_action, is_ip6, True, False, add_eh, stateful_icmp
735 self.run_traffic_ip46_routed_to_bridged(
736 test_l2_action, is_ip6, False, True, add_eh, stateful_icmp
739 def test_0000_ip6_irb_1(self):
740 """ACL plugin prepare"""
741 if not self.vpp_dead:
742 cmd = "set acl-plugin session timeout udp idle 2000"
743 self.logger.info(self.vapi.ppcli(cmd))
744 # uncomment to not skip past the routing header
745 # and watch the EH tests fail
746 # self.logger.info(self.vapi.ppcli(
747 # "set acl-plugin skip-ipv6-extension-header 43 0"))
748 # uncomment to test the session limit (stateful tests will fail)
749 # self.logger.info(self.vapi.ppcli(
750 # "set acl-plugin session table max-entries 1"))
751 # new datapath is the default, but just in case
752 # self.logger.info(self.vapi.ppcli(
753 # "set acl-plugin l2-datapath new"))
754 # If you want to see some tests fail, uncomment the next line
755 # self.logger.info(self.vapi.ppcli(
756 # "set acl-plugin l2-datapath old"))
758 def test_0001_ip6_irb_1(self):
759 """ACL IPv6 routed -> bridged, L2 ACL deny"""
760 self.run_test_ip46_routed_to_bridged(True, True, False, self.WITHOUT_EH)
762 def test_0002_ip6_irb_1(self):
763 """ACL IPv6 routed -> bridged, L3 ACL deny"""
764 self.run_test_ip46_routed_to_bridged(False, True, False, self.WITHOUT_EH)
766 def test_0003_ip4_irb_1(self):
767 """ACL IPv4 routed -> bridged, L2 ACL deny"""
768 self.run_test_ip46_routed_to_bridged(True, False, False, self.WITHOUT_EH)
770 def test_0004_ip4_irb_1(self):
771 """ACL IPv4 routed -> bridged, L3 ACL deny"""
772 self.run_test_ip46_routed_to_bridged(False, False, False, self.WITHOUT_EH)
774 def test_0005_ip6_irb_1(self):
775 """ACL IPv6 bridged -> routed, L2 ACL deny"""
776 self.run_test_ip46_bridged_to_routed(True, True, False, self.WITHOUT_EH)
778 def test_0006_ip6_irb_1(self):
779 """ACL IPv6 bridged -> routed, L3 ACL deny"""
780 self.run_test_ip46_bridged_to_routed(False, True, False, self.WITHOUT_EH)
782 def test_0007_ip6_irb_1(self):
783 """ACL IPv4 bridged -> routed, L2 ACL deny"""
784 self.run_test_ip46_bridged_to_routed(True, False, False, self.WITHOUT_EH)
786 def test_0008_ip6_irb_1(self):
787 """ACL IPv4 bridged -> routed, L3 ACL deny"""
788 self.run_test_ip46_bridged_to_routed(False, False, False, self.WITHOUT_EH)
791 def test_0101_ip6_irb_1(self):
792 """ACL IPv6 routed -> bridged, L2 ACL permit+reflect"""
793 self.run_test_ip46_routed_to_bridged_and_back(True, True, self.WITHOUT_EH)
795 def test_0102_ip6_irb_1(self):
796 """ACL IPv6 bridged -> routed, L2 ACL permit+reflect"""
797 self.run_test_ip46_bridged_to_routed_and_back(True, True, self.WITHOUT_EH)
799 def test_0103_ip6_irb_1(self):
800 """ACL IPv4 routed -> bridged, L2 ACL permit+reflect"""
801 self.run_test_ip46_routed_to_bridged_and_back(True, False, self.WITHOUT_EH)
803 def test_0104_ip6_irb_1(self):
804 """ACL IPv4 bridged -> routed, L2 ACL permit+reflect"""
805 self.run_test_ip46_bridged_to_routed_and_back(True, False, self.WITHOUT_EH)
807 def test_0111_ip6_irb_1(self):
808 """ACL IPv6 routed -> bridged, L3 ACL permit+reflect"""
809 self.run_test_ip46_routed_to_bridged_and_back(False, True, self.WITHOUT_EH)
811 def test_0112_ip6_irb_1(self):
812 """ACL IPv6 bridged -> routed, L3 ACL permit+reflect"""
813 self.run_test_ip46_bridged_to_routed_and_back(False, True, self.WITHOUT_EH)
815 def test_0113_ip6_irb_1(self):
816 """ACL IPv4 routed -> bridged, L3 ACL permit+reflect"""
817 self.run_test_ip46_routed_to_bridged_and_back(False, False, self.WITHOUT_EH)
819 def test_0114_ip6_irb_1(self):
820 """ACL IPv4 bridged -> routed, L3 ACL permit+reflect"""
821 self.run_test_ip46_bridged_to_routed_and_back(False, False, self.WITHOUT_EH)
823 # A block of tests with extension headers
825 def test_1001_ip6_irb_1(self):
826 """ACL IPv6+EH routed -> bridged, L2 ACL deny"""
827 self.run_test_ip46_routed_to_bridged(True, True, False, self.WITH_EH)
829 def test_1002_ip6_irb_1(self):
830 """ACL IPv6+EH routed -> bridged, L3 ACL deny"""
831 self.run_test_ip46_routed_to_bridged(False, True, False, self.WITH_EH)
833 def test_1005_ip6_irb_1(self):
834 """ACL IPv6+EH bridged -> routed, L2 ACL deny"""
835 self.run_test_ip46_bridged_to_routed(True, True, False, self.WITH_EH)
837 def test_1006_ip6_irb_1(self):
838 """ACL IPv6+EH bridged -> routed, L3 ACL deny"""
839 self.run_test_ip46_bridged_to_routed(False, True, False, self.WITH_EH)
841 def test_1101_ip6_irb_1(self):
842 """ACL IPv6+EH routed -> bridged, L2 ACL permit+reflect"""
843 self.run_test_ip46_routed_to_bridged_and_back(True, True, self.WITH_EH)
845 def test_1102_ip6_irb_1(self):
846 """ACL IPv6+EH bridged -> routed, L2 ACL permit+reflect"""
847 self.run_test_ip46_bridged_to_routed_and_back(True, True, self.WITH_EH)
849 def test_1111_ip6_irb_1(self):
850 """ACL IPv6+EH routed -> bridged, L3 ACL permit+reflect"""
851 self.run_test_ip46_routed_to_bridged_and_back(False, True, self.WITH_EH)
853 def test_1112_ip6_irb_1(self):
854 """ACL IPv6+EH bridged -> routed, L3 ACL permit+reflect"""
855 self.run_test_ip46_bridged_to_routed_and_back(False, True, self.WITH_EH)
857 # IPv4 with "MF" bit set
859 def test_1201_ip6_irb_1(self):
860 """ACL IPv4+MF routed -> bridged, L2 ACL deny"""
861 self.run_test_ip46_routed_to_bridged(True, False, False, self.WITH_EH)
863 def test_1202_ip6_irb_1(self):
864 """ACL IPv4+MF routed -> bridged, L3 ACL deny"""
865 self.run_test_ip46_routed_to_bridged(False, False, False, self.WITH_EH)
867 def test_1205_ip6_irb_1(self):
868 """ACL IPv4+MF bridged -> routed, L2 ACL deny"""
869 self.run_test_ip46_bridged_to_routed(True, False, False, self.WITH_EH)
871 def test_1206_ip6_irb_1(self):
872 """ACL IPv4+MF bridged -> routed, L3 ACL deny"""
873 self.run_test_ip46_bridged_to_routed(False, False, False, self.WITH_EH)
875 def test_1301_ip6_irb_1(self):
876 """ACL IPv4+MF routed -> bridged, L2 ACL permit+reflect"""
877 self.run_test_ip46_routed_to_bridged_and_back(True, False, self.WITH_EH)
879 def test_1302_ip6_irb_1(self):
880 """ACL IPv4+MF bridged -> routed, L2 ACL permit+reflect"""
881 self.run_test_ip46_bridged_to_routed_and_back(True, False, self.WITH_EH)
883 def test_1311_ip6_irb_1(self):
884 """ACL IPv4+MF routed -> bridged, L3 ACL permit+reflect"""
885 self.run_test_ip46_routed_to_bridged_and_back(False, False, self.WITH_EH)
887 def test_1312_ip6_irb_1(self):
888 """ACL IPv4+MF bridged -> routed, L3 ACL permit+reflect"""
889 self.run_test_ip46_bridged_to_routed_and_back(False, False, self.WITH_EH)
891 # Stateful ACL tests with stateful ICMP
893 def test_1401_ip6_irb_1(self):
894 """IPv6 routed -> bridged, L2 ACL permit+reflect, ICMP reflect"""
895 self.run_test_ip46_routed_to_bridged_and_back(
896 True, True, self.WITHOUT_EH, self.STATEFUL_ICMP
899 def test_1402_ip6_irb_1(self):
900 """IPv6 bridged -> routed, L2 ACL permit+reflect, ICMP reflect"""
901 self.run_test_ip46_bridged_to_routed_and_back(
902 True, True, self.WITHOUT_EH, self.STATEFUL_ICMP
905 def test_1403_ip4_irb_1(self):
906 """IPv4 routed -> bridged, L2 ACL permit+reflect, ICMP reflect"""
907 self.run_test_ip46_routed_to_bridged_and_back(
908 True, False, self.WITHOUT_EH, self.STATEFUL_ICMP
911 def test_1404_ip4_irb_1(self):
912 """IPv4 bridged -> routed, L2 ACL permit+reflect, ICMP reflect"""
913 self.run_test_ip46_bridged_to_routed_and_back(
914 True, False, self.WITHOUT_EH, self.STATEFUL_ICMP
917 def test_1411_ip6_irb_1(self):
918 """IPv6 routed -> bridged, L3 ACL permit+reflect, ICMP reflect"""
919 self.run_test_ip46_routed_to_bridged_and_back(
920 False, True, self.WITHOUT_EH, self.STATEFUL_ICMP
923 def test_1412_ip6_irb_1(self):
924 """IPv6 bridged -> routed, L3 ACL permit+reflect, ICMP reflect"""
925 self.run_test_ip46_bridged_to_routed_and_back(
926 False, True, self.WITHOUT_EH, self.STATEFUL_ICMP
929 def test_1413_ip4_irb_1(self):
930 """IPv4 routed -> bridged, L3 ACL permit+reflect, ICMP reflect"""
931 self.run_test_ip46_routed_to_bridged_and_back(
932 False, False, self.WITHOUT_EH, self.STATEFUL_ICMP
935 def test_1414_ip4_irb_1(self):
936 """IPv4 bridged -> routed, L3 ACL permit+reflect, ICMP reflect"""
937 self.run_test_ip46_bridged_to_routed_and_back(
938 False, False, self.WITHOUT_EH, self.STATEFUL_ICMP
942 if __name__ == "__main__":
943 unittest.main(testRunner=VppTestRunner)