2 from __future__ import print_function
4 """ACL plugin - MACIP tests
7 from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
8 from struct import pack, unpack
11 from ipaddress import ip_network, IPv4Network, IPv6Network
12 from config import config
15 from scapy.packet import Raw
16 from scapy.layers.l2 import Ether
17 from scapy.layers.inet import IP, UDP
18 from scapy.layers.inet6 import IPv6
20 from framework import VppTestCase
21 from asfframework import VppTestRunner
22 from vpp_lo_interface import VppLoInterface
23 from vpp_l2 import L2_PORT_TYPE
24 from vpp_sub_interface import (
38 from vpp_papi import MACAddress
41 @unittest.skipIf("acl" in config.excluded_plugins, "Exclude ACL plugin tests")
42 class MethodHolder(VppTestCase):
74 Perform standard class setup (defined by class method setUpClass in
75 class VppTestCase) before running the test case, set test case related
76 variables and configure VPP.
78 super(MethodHolder, cls).setUpClass()
80 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
82 cls.remote_hosts_count = 200
85 # create 4 pg interfaces, 1 loopback interface
86 cls.create_pg_interfaces(range(4))
87 cls.create_loopback_interfaces(1)
89 # create 2 subinterfaces
91 VppDot1QSubint(cls, cls.pg1, 10),
92 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
93 VppDot1QSubint(cls, cls.pg3, 30),
94 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700),
97 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1, inner=10, push1q=1)
98 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2, outer=300, inner=400, push1q=1)
99 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1, inner=30, push1q=1)
100 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2, outer=600, inner=700, push1q=1)
102 cls.interfaces = list(cls.pg_interfaces)
103 cls.interfaces.extend(cls.lo_interfaces)
104 cls.interfaces.extend(cls.subifs)
106 for i in cls.interfaces:
109 # Create BD with MAC learning enabled and put interfaces to this BD
110 cls.vapi.sw_interface_set_l2_bridge(
111 rx_sw_if_index=cls.loop0.sw_if_index,
113 port_type=L2_PORT_TYPE.BVI,
115 cls.vapi.sw_interface_set_l2_bridge(
116 rx_sw_if_index=cls.pg0.sw_if_index, bd_id=cls.bd_id
118 cls.vapi.sw_interface_set_l2_bridge(
119 rx_sw_if_index=cls.pg1.sw_if_index, bd_id=cls.bd_id
121 cls.vapi.sw_interface_set_l2_bridge(
122 rx_sw_if_index=cls.subifs[0].sw_if_index, bd_id=cls.bd_id
124 cls.vapi.sw_interface_set_l2_bridge(
125 rx_sw_if_index=cls.subifs[1].sw_if_index, bd_id=cls.bd_id
128 # Configure IPv4/6 addresses on loop interface and routed interface
129 cls.loop0.config_ip4()
130 cls.loop0.config_ip6()
136 # Configure MAC address binding to IPv4 neighbors on loop0
137 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
138 # Modify host mac addresses to have different OUI parts
139 for i in range(2, cls.remote_hosts_count + 2):
140 mac = cls.loop0.remote_hosts[i - 2]._mac.split(":")
141 mac[2] = format(int(mac[2], 16) + i, "02x")
142 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
144 cls.loop0.configure_ipv4_neighbors()
145 cls.loop0.configure_ipv6_neighbors()
147 # configure MAC address on pg3
148 cls.pg3.resolve_arp()
149 cls.pg3.resolve_ndp()
151 # configure MAC address on subifs
157 # configure MAC address on pg2
158 cls.pg2.resolve_arp()
159 cls.pg2.resolve_ndp()
161 # Loopback BVI interface has remote hosts
162 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
163 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
164 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
165 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
166 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
167 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
170 super(MethodHolder, cls).tearDownClass()
174 def tearDownClass(cls):
175 super(MethodHolder, cls).tearDownClass()
178 super(MethodHolder, self).setUp()
179 self.reset_packet_infos()
181 def show_commands_at_teardown(self):
182 self.logger.info(self.vapi.ppcli("show interface address"))
183 self.logger.info(self.vapi.ppcli("show hardware"))
184 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
185 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
186 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
187 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
188 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
189 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
190 # print(self.vapi.ppcli("show interface address"))
191 # print(self.vapi.ppcli("show hardware"))
192 # print(self.vapi.ppcli("sh acl-plugin macip interface"))
193 # print(self.vapi.ppcli("sh acl-plugin macip acl"))
195 def macip_acl_dump_debug(self):
196 acls = self.vapi.macip_acl_dump()
199 # print("ACL #"+str(acl.acl_index))
204 elif r.is_permit == 0:
207 print(" IP6" if r.is_ipv6 else " IP4",
209 binascii.hexlify(r.src_mac),
210 binascii.hexlify(r.src_mac_mask),
211 unpack('<16B', r.src_ip_addr),
217 self, mac_type=EXACT_MAC, ip_type=EXACT_IP, acl_count=1, rules_count=None
220 if rules_count is None:
222 src_mac = int("220000dead00", 16)
223 for acl in range(2, (acl_count + 1) * 2):
225 host = random.choice(self.loop0.remote_hosts)
227 ip4 = host.ip4.split(".")
228 ip6 = list(unpack("<16B", inet_pton(AF_INET6, host.ip6)))
230 if ip_type == self.EXACT_IP:
233 elif ip_type == self.WILD_IP:
235 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
238 rules_count[int((acl / 2) - 1)] = 1
243 if mac_type == self.EXACT_MAC:
244 mask = "ff:ff:ff:ff:ff:ff"
245 elif mac_type == self.WILD_MAC:
246 mask = "00:00:00:00:00:00"
247 elif mac_type == self.OUI_MAC:
248 mask = "ff:ff:ff:00:00:00"
250 mask = "ff:ff:ff:ff:ff:00"
252 ip = ip6 if is_ip6 else ip4
253 ip_len = prefix_len6 if is_ip6 else prefix_len4
255 for i in range(0, (rules_count[int((acl / 2) - 1)])):
257 if mac_type == self.WILD_MAC:
258 mac = "00:00:00:00:00:00"
259 elif mac_type == self.OUI_MAC:
261 ":".join(re.findall("..", "{:02x}".format(src_mac))[:3])
265 mac = ":".join(re.findall("..", "{:02x}".format(src_mac)))
267 if ip_type == self.EXACT_IP:
268 ip4[3] = random.randint(100, 200)
269 ip6[15] = random.randint(100, 200)
270 elif ip_type == self.SUBNET_IP:
271 ip4[2] = random.randint(100, 200)
273 ip6[7] = random.randint(100, 200)
276 for j in range(0, len(ip)):
277 ip_pack += pack("<B", int(ip[j]))
280 is_permit=self.PERMIT,
281 src_prefix=ip_network((ip_pack, ip_len)),
282 src_mac=MACAddress(mac).packed,
283 src_mac_mask=MACAddress(mask).packed,
286 if ip_type == self.WILD_IP:
290 src_mac += 1099511627776
293 def apply_macip_rules(self, acls):
296 macip_acl = VppMacipAcl(self, rules=acl)
297 macip_acl.add_vpp_config()
298 macip_acls.append(macip_acl)
301 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
302 reply = self.macip_acl_dump_debug()
303 for acl in range(2, (acl_count + 1) * 2):
304 self.assertEqual(reply[acl - 2].count, rules_count[acl // 2 - 1])
306 self.vapi.macip_acl_interface_get()
308 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
309 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
311 reply = self.vapi.macip_acl_interface_get()
312 self.assertEqual(reply.count, expected_count)
325 # exact MAC and exact IP
326 # exact MAC and subnet of IPs
327 # exact MAC and wildcard IP
328 # wildcard MAC and exact IP
329 # wildcard MAC and subnet of IPs
330 # wildcard MAC and wildcard IP
331 # OUI restricted MAC and exact IP
332 # OUI restricted MAC and subnet of IPs
333 # OUI restricted MAC and wildcard IP
341 mac_rule = "00:00:00:00:00:00"
342 mac_mask = "00:00:00:00:00:00"
343 for p in range(0, packet_count):
344 remote_dst_index = p % len(dst_if.remote_hosts)
345 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
349 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
350 denyMAC = True if not is_permit and p % 3 == 1 else False
351 denyIP = True if not is_permit and p % 3 == 2 else False
352 if not is_permit and ip_type == self.WILD_IP:
354 if not is_permit and mac_type == self.WILD_MAC:
357 if traffic == self.BRIDGED:
359 src_mac = remote_dst_host._mac
360 dst_mac = "de:ad:00:00:00:00"
361 src_ip4 = remote_dst_host.ip4
362 dst_ip4 = src_if.remote_ip4
363 src_ip6 = remote_dst_host.ip6
364 dst_ip6 = src_if.remote_ip6
365 ip_permit = src_ip6 if is_ip6 else src_ip4
368 mac = src_mac.split(":")
369 mac[0] = format(int(mac[0], 16) + 1, "02x")
370 src_mac = ":".join(mac)
376 if ip_type != self.WILD_IP:
378 src_ip4 = remote_dst_host.ip4
379 dst_ip4 = src_if.remote_ip4
380 src_ip6 = remote_dst_host.ip6
381 dst_ip6 = src_if.remote_ip6
384 src_mac = remote_dst_host._mac
385 dst_mac = src_if.local_mac
386 src_ip4 = src_if.remote_ip4
387 dst_ip4 = remote_dst_host.ip4
388 src_ip6 = src_if.remote_ip6
389 dst_ip6 = remote_dst_host.ip6
390 ip_permit = src_ip6 if is_ip6 else src_ip4
393 mac = src_mac.split(":")
394 mac[0] = format(int(mac[0], 16) + 1, "02x")
395 src_mac = ":".join(mac)
401 src_mac = remote_dst_host._mac
402 if ip_type != self.WILD_IP:
404 src_ip4 = remote_dst_host.ip4
405 dst_ip4 = src_if.remote_ip4
406 src_ip6 = remote_dst_host.ip6
407 dst_ip6 = src_if.remote_ip6
410 info = self.create_packet_info(src_if, dst_if)
411 payload = self.info_to_payload(info)
413 payload = "to be blocked"
415 if mac_type == self.WILD_MAC:
416 mac = src_mac.split(":")
417 for i in range(1, 5):
418 mac[i] = format(random.randint(0, 255), "02x")
419 src_mac = ":".join(mac)
422 packet = Ether(src=src_mac, dst=dst_mac)
423 ip_rule = src_ip6 if is_ip6 else src_ip4
425 if ip_type != self.EXACT_IP:
426 sub_ip = list(unpack("<16B", inet_pton(AF_INET6, ip_rule)))
427 if ip_type == self.WILD_IP:
428 sub_ip[0] = random.randint(240, 254)
429 sub_ip[1] = random.randint(230, 239)
430 sub_ip[14] = random.randint(100, 199)
431 sub_ip[15] = random.randint(200, 255)
432 elif ip_type == self.SUBNET_IP:
434 sub_ip[2] = int(sub_ip[2]) + 1
435 sub_ip[14] = random.randint(100, 199)
436 sub_ip[15] = random.randint(200, 255)
437 packed_src_ip6 = b"".join([scapy.compat.chb(x) for x in sub_ip])
438 src_ip6 = inet_ntop(AF_INET6, packed_src_ip6)
439 packet /= IPv6(src=src_ip6, dst=dst_ip6)
441 if ip_type != self.EXACT_IP:
442 sub_ip = ip_rule.split(".")
443 if ip_type == self.WILD_IP:
444 sub_ip[0] = random.randint(1, 49)
445 sub_ip[1] = random.randint(50, 99)
446 sub_ip[2] = random.randint(100, 199)
447 sub_ip[3] = random.randint(200, 255)
448 elif ip_type == self.SUBNET_IP:
450 sub_ip[1] = int(sub_ip[1]) + 1
451 sub_ip[2] = random.randint(100, 199)
452 sub_ip[3] = random.randint(200, 255)
453 src_ip4 = ".".join(["{!s}".format(x) for x in sub_ip])
454 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
456 packet /= UDP(sport=src_port, dport=dst_port) / Raw(payload)
458 packet[Raw].load += b" mac:%s" % src_mac.encode("utf-8")
460 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
461 if isinstance(src_if, VppSubInterface):
463 if isinstance(src_if, VppDot1QSubint):
464 if src_if is self.subifs[0]:
465 if tags == self.PERMIT_TAGS:
466 packet = src_if.add_dot1q_layer(packet, 10)
468 packet = src_if.add_dot1q_layer(packet, 11)
470 if tags == self.PERMIT_TAGS:
471 packet = src_if.add_dot1q_layer(packet, 30)
473 packet = src_if.add_dot1q_layer(packet, 33)
474 elif isinstance(src_if, VppDot1ADSubint):
475 if src_if is self.subifs[1]:
476 if tags == self.PERMIT_TAGS:
477 packet = src_if.add_dot1ad_layer(packet, 300, 400)
479 packet = src_if.add_dot1ad_layer(packet, 333, 444)
481 if tags == self.PERMIT_TAGS:
482 packet = src_if.add_dot1ad_layer(packet, 600, 700)
484 packet = src_if.add_dot1ad_layer(packet, 666, 777)
485 self.extend_packet(packet, size)
486 packets.append(packet)
488 # create suitable MACIP rule
489 if mac_type == self.EXACT_MAC:
491 mac_mask = "ff:ff:ff:ff:ff:ff"
492 elif mac_type == self.WILD_MAC:
493 mac_rule = "00:00:00:00:00:00"
494 mac_mask = "00:00:00:00:00:00"
495 elif mac_type == self.OUI_MAC:
496 mac = src_mac.split(":")
497 mac[3] = mac[4] = mac[5] = "00"
498 mac_rule = ":".join(mac)
499 mac_mask = "ff:ff:ff:00:00:00"
502 if ip_type == self.WILD_IP:
506 if ip_type == self.SUBNET_IP:
507 sub_ip = list(unpack("<16B", inet_pton(AF_INET6, ip)))
508 for i in range(8, 16):
510 packed_ip = b"".join([scapy.compat.chb(x) for x in sub_ip])
511 ip = inet_ntop(AF_INET6, packed_ip)
513 if ip_type == self.WILD_IP:
517 if ip_type == self.SUBNET_IP:
518 sub_ip = ip.split(".")
519 sub_ip[2] = sub_ip[3] = "0"
520 ip = ".".join(sub_ip)
522 prefix_len = 128 if is_ip6 else 32
523 if ip_type == self.WILD_IP:
525 elif ip_type == self.SUBNET_IP:
526 prefix_len = 64 if is_ip6 else 16
527 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
529 # create suitable ACL rule
531 rule_l4_sport = packet[UDP].sport
532 rule_l4_dport = packet[UDP].dport
533 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
534 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
535 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
536 if packet.haslayer(IPv6):
537 rule_l4_proto = packet[UDP].overload_fields[IPv6]["nh"]
539 rule_l4_proto = packet[IP].proto
541 src_network = ip_network((packet[rule_l3_layer].src, rule_prefix_len))
542 dst_network = ip_network((packet[rule_l3_layer].dst, rule_prefix_len))
546 src_prefix=src_network,
547 dst_prefix=dst_network,
548 sport_from=rule_l4_sport,
549 sport_to=rule_l4_sport,
550 dport_from=rule_l4_dport,
551 dport_to=rule_l4_dport,
553 acl_rules.append(acl_rule)
555 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
559 macip_rule = MacipRule(
561 src_prefix=ip_network((ip_rule, prefix_len)),
562 src_mac=MACAddress(mac_rule).packed,
563 src_mac_mask=MACAddress(mac_mask).packed,
565 macip_rules.append(macip_rule)
567 # deny all other packets
568 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
569 network = IPv6Network((0, 0)) if is_ip6 else IPv4Network((0, 0))
570 macip_rule = MacipRule(
573 src_mac=MACAddress("00:00:00:00:00:00").packed,
574 src_mac_mask=MACAddress("00:00:00:00:00:00").packed,
576 macip_rules.append(macip_rule)
578 network = IPv6Network((0, 0)) if is_ip6 else IPv4Network((0, 0))
588 acl_rules.append(acl_rule)
589 return {"stream": packets, "macip_rules": macip_rules, "acl_rules": acl_rules}
591 def verify_capture(self, stream, capture, is_ip6):
598 # p_l3 = IPv6 if is_ip6 else IP
601 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst)
603 # acls = self.macip_acl_dump_debug()
608 # print(binascii.hexlify(r.src_mac), \
609 # binascii.hexlify(r.src_mac_mask),\
610 # unpack('<16B', r.src_ip_addr), \
611 # r.src_ip_prefix_len)
614 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
615 # data = p[Raw].load.split(':',1)[1])
616 # print(p[p_l3].src, data)
625 do_not_expected_capture=False,
629 permit_tags=PERMIT_TAGS,
632 self.reset_packet_infos()
635 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
636 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
640 if tags == self.DOT1Q:
641 if traffic == self.BRIDGED:
642 tx_if = self.subifs[0]
644 src_if = self.subifs[0]
647 tx_if = self.subifs[2]
649 src_if = self.subifs[2]
651 elif tags == self.DOT1AD:
652 if traffic == self.BRIDGED:
653 tx_if = self.subifs[1]
655 src_if = self.subifs[1]
658 tx_if = self.subifs[3]
660 src_if = self.subifs[3]
665 test_dict = self.create_stream(
678 self.acl = VppMacipAcl(self, rules=test_dict["macip_rules"])
680 self.acl = VppAcl(self, rules=test_dict["acl_rules"])
681 self.acl.add_vpp_config()
684 self.acl_if = VppMacipAclInterface(
685 self, sw_if_index=tx_if.sw_if_index, acls=[self.acl]
687 self.acl_if.add_vpp_config()
689 dump = self.acl_if.dump()
690 self.assertTrue(dump)
691 self.assertEqual(dump[0].acls[0], self.acl.acl_index)
693 self.acl_if = VppAclInterface(
694 self, sw_if_index=tx_if.sw_if_index, n_input=1, acls=[self.acl]
696 self.acl_if.add_vpp_config()
698 if hasattr(self, "acl_if"):
699 self.acl_if.remove_vpp_config()
700 if try_replace and hasattr(self, "acl"):
702 self.acl.modify_vpp_config(test_dict["macip_rules"])
704 self.acl.modify_vpp_config(test_dict["acl_rules"])
706 if not isinstance(src_if, VppSubInterface):
707 tx_if.add_stream(test_dict["stream"])
709 tx_if.parent.add_stream(test_dict["stream"])
710 self.pg_enable_capture(self.pg_interfaces)
713 if do_not_expected_capture:
717 traffic == self.BRIDGED
718 and mac_type == self.WILD_MAC
719 and ip_type == self.WILD_IP
721 capture = rx_if.get_capture(packets)
723 capture = rx_if.get_capture(
724 self.get_packet_count_for_if_idx(dst_if.sw_if_index)
726 self.verify_capture(test_dict["stream"], capture, is_ip6)
728 if hasattr(self, "acl_if"):
729 self.acl_if.remove_vpp_config()
730 if hasattr(self, "acl"):
731 self.acl.remove_vpp_config()
734 self, mac_type, ip_type, acl_count, rules_count, traffic=None, ip=None
736 self.apply_macip_rules(
737 self.create_rules(mac_type, ip_type, acl_count, rules_count)
739 self.verify_macip_acls(acl_count, rules_count)
741 if traffic is not None:
742 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
745 class TestMACIP_IP4(MethodHolder):
746 """MACIP with IP4 traffic"""
750 super(TestMACIP_IP4, cls).setUpClass()
753 def tearDownClass(cls):
754 super(TestMACIP_IP4, cls).tearDownClass()
756 def test_acl_bridged_ip4_exactMAC_exactIP(self):
757 """IP4 MACIP exactMAC|exactIP ACL bridged traffic"""
758 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP4, 9)
760 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
761 """IP4 MACIP exactMAC|subnetIP ACL bridged traffic"""
763 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP4, 9)
765 def test_acl_bridged_ip4_exactMAC_wildIP(self):
766 """IP4 MACIP exactMAC|wildIP ACL bridged traffic"""
768 self.run_traffic(self.EXACT_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP4, 9)
770 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
771 """IP4 MACIP ouiMAC|exactIP ACL bridged traffic"""
773 self.run_traffic(self.OUI_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP4, 3)
775 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
776 """IP4 MACIP ouiMAC|subnetIP ACL bridged traffic"""
778 self.run_traffic(self.OUI_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP4, 9)
780 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
781 """IP4 MACIP ouiMAC|wildIP ACL bridged traffic"""
783 self.run_traffic(self.OUI_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP4, 9)
785 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
786 """IP4 MACIP wildcardMAC|exactIP ACL bridged traffic"""
788 self.run_traffic(self.WILD_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP4, 9)
790 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
791 """IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic"""
793 self.run_traffic(self.WILD_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP4, 9)
795 def test_acl_bridged_ip4_wildMAC_wildIP(self):
796 """IP4 MACIP wildcardMAC|wildIP ACL bridged traffic"""
798 self.run_traffic(self.WILD_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP4, 9)
800 def test_acl_routed_ip4_exactMAC_exactIP(self):
801 """IP4 MACIP exactMAC|exactIP ACL routed traffic"""
802 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED, self.IS_IP4, 9)
804 def test_acl_routed_ip4_exactMAC_subnetIP(self):
805 """IP4 MACIP exactMAC|subnetIP ACL routed traffic"""
806 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP, self.ROUTED, self.IS_IP4, 9)
808 def test_acl_routed_ip4_exactMAC_wildIP(self):
809 """IP4 MACIP exactMAC|wildIP ACL routed traffic"""
810 self.run_traffic(self.EXACT_MAC, self.WILD_IP, self.ROUTED, self.IS_IP4, 9)
812 def test_acl_routed_ip4_ouiMAC_exactIP(self):
813 """IP4 MACIP ouiMAC|exactIP ACL routed traffic"""
815 self.run_traffic(self.OUI_MAC, self.EXACT_IP, self.ROUTED, self.IS_IP4, 9)
817 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
818 """IP4 MACIP ouiMAC|subnetIP ACL routed traffic"""
820 self.run_traffic(self.OUI_MAC, self.SUBNET_IP, self.ROUTED, self.IS_IP4, 9)
822 def test_acl_routed_ip4_ouiMAC_wildIP(self):
823 """IP4 MACIP ouiMAC|wildIP ACL routed traffic"""
825 self.run_traffic(self.OUI_MAC, self.WILD_IP, self.ROUTED, self.IS_IP4, 9)
827 def test_acl_routed_ip4_wildMAC_exactIP(self):
828 """IP4 MACIP wildcardMAC|exactIP ACL routed traffic"""
830 self.run_traffic(self.WILD_MAC, self.EXACT_IP, self.ROUTED, self.IS_IP4, 9)
832 def test_acl_routed_ip4_wildMAC_subnetIP(self):
833 """IP4 MACIP wildcardMAC|subnetIP ACL routed traffic"""
835 self.run_traffic(self.WILD_MAC, self.SUBNET_IP, self.ROUTED, self.IS_IP4, 9)
837 def test_acl_routed_ip4_wildMAC_wildIP(self):
838 """IP4 MACIP wildcardMAC|wildIP ACL"""
840 self.run_traffic(self.WILD_MAC, self.WILD_IP, self.ROUTED, self.IS_IP4, 9)
842 def test_acl_replace_traffic_ip4(self):
843 """MACIP replace ACL with IP4 traffic"""
845 self.OUI_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP4, 9, try_replace=True
857 class TestMACIP_IP6(MethodHolder):
858 """MACIP with IP6 traffic"""
862 super(TestMACIP_IP6, cls).setUpClass()
865 def tearDownClass(cls):
866 super(TestMACIP_IP6, cls).tearDownClass()
868 def test_acl_bridged_ip6_exactMAC_exactIP(self):
869 """IP6 MACIP exactMAC|exactIP ACL bridged traffic"""
871 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP6, 9)
873 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
874 """IP6 MACIP exactMAC|subnetIP ACL bridged traffic"""
876 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP6, 9)
878 def test_acl_bridged_ip6_exactMAC_wildIP(self):
879 """IP6 MACIP exactMAC|wildIP ACL bridged traffic"""
881 self.run_traffic(self.EXACT_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP6, 9)
883 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
884 """IP6 MACIP oui_MAC|exactIP ACL bridged traffic"""
886 self.run_traffic(self.OUI_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP6, 9)
888 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
889 """IP6 MACIP ouiMAC|subnetIP ACL bridged traffic"""
891 self.run_traffic(self.OUI_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP6, 9)
893 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
894 """IP6 MACIP ouiMAC|wildIP ACL bridged traffic"""
896 self.run_traffic(self.OUI_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP6, 9)
898 def test_acl_bridged_ip6_wildMAC_exactIP(self):
899 """IP6 MACIP wildcardMAC|exactIP ACL bridged traffic"""
901 self.run_traffic(self.WILD_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP6, 9)
903 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
904 """IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic"""
906 self.run_traffic(self.WILD_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP6, 9)
908 def test_acl_bridged_ip6_wildMAC_wildIP(self):
909 """IP6 MACIP wildcardMAC|wildIP ACL bridged traffic"""
911 self.run_traffic(self.WILD_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP6, 9)
913 def test_acl_routed_ip6_exactMAC_exactIP(self):
914 """IP6 MACIP exactMAC|exactIP ACL routed traffic"""
916 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED, self.IS_IP6, 9)
918 def test_acl_routed_ip6_exactMAC_subnetIP(self):
919 """IP6 MACIP exactMAC|subnetIP ACL routed traffic"""
921 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP, self.ROUTED, self.IS_IP6, 9)
923 def test_acl_routed_ip6_exactMAC_wildIP(self):
924 """IP6 MACIP exactMAC|wildIP ACL routed traffic"""
926 self.run_traffic(self.EXACT_MAC, self.WILD_IP, self.ROUTED, self.IS_IP6, 9)
928 def test_acl_routed_ip6_ouiMAC_exactIP(self):
929 """IP6 MACIP ouiMAC|exactIP ACL routed traffic"""
931 self.run_traffic(self.OUI_MAC, self.EXACT_IP, self.ROUTED, self.IS_IP6, 9)
933 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
934 """IP6 MACIP ouiMAC|subnetIP ACL routed traffic"""
936 self.run_traffic(self.OUI_MAC, self.SUBNET_IP, self.ROUTED, self.IS_IP6, 9)
938 def test_acl_routed_ip6_ouiMAC_wildIP(self):
939 """IP6 MACIP ouiMAC|wildIP ACL routed traffic"""
941 self.run_traffic(self.OUI_MAC, self.WILD_IP, self.ROUTED, self.IS_IP6, 9)
943 def test_acl_routed_ip6_wildMAC_exactIP(self):
944 """IP6 MACIP wildcardMAC|exactIP ACL routed traffic"""
946 self.run_traffic(self.WILD_MAC, self.EXACT_IP, self.ROUTED, self.IS_IP6, 9)
948 def test_acl_routed_ip6_wildMAC_subnetIP(self):
949 """IP6 MACIP wildcardMAC|subnetIP ACL routed traffic"""
951 self.run_traffic(self.WILD_MAC, self.SUBNET_IP, self.ROUTED, self.IS_IP6, 9)
953 def test_acl_routed_ip6_wildMAC_wildIP(self):
954 """IP6 MACIP wildcardMAC|wildIP ACL"""
956 self.run_traffic(self.WILD_MAC, self.WILD_IP, self.ROUTED, self.IS_IP6, 9)
958 def test_acl_replace_traffic_ip6(self):
959 """MACIP replace ACL with IP6 traffic"""
961 self.OUI_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP6, 9, try_replace=True
973 class TestMACIP(MethodHolder):
978 super(TestMACIP, cls).setUpClass()
981 def tearDownClass(cls):
982 super(TestMACIP, cls).tearDownClass()
984 def test_acl_1_2(self):
985 """MACIP ACL with 2 entries"""
987 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
989 def test_acl_1_5(self):
990 """MACIP ACL with 5 entries"""
992 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
994 def test_acl_1_10(self):
995 """MACIP ACL with 10 entries"""
997 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
999 def test_acl_1_20(self):
1000 """MACIP ACL with 20 entries"""
1002 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
1004 def test_acl_1_50(self):
1005 """MACIP ACL with 50 entries"""
1007 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1009 def test_acl_1_100(self):
1010 """MACIP ACL with 100 entries"""
1012 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1014 def test_acl_2_X(self):
1015 """MACIP 2 ACLs each with 100+ entries"""
1017 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1019 def test_acl_10_X(self):
1020 """MACIP 10 ACLs each with 100+ entries"""
1026 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1029 def test_acl_10_X_traffic_ip4(self):
1030 """MACIP 10 ACLs each with 100+ entries with IP4 traffic"""
1036 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1041 def test_acl_10_X_traffic_ip6(self):
1042 """MACIP 10 ACLs each with 100+ entries with IP6 traffic"""
1048 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1053 def test_acl_replace(self):
1054 """MACIP replace ACL"""
1056 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1057 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
1058 macip_acls = self.apply_macip_rules(r1)
1060 acls_before = self.macip_acl_dump_debug()
1062 # replace acls #2, #3 with new
1063 macip_acls[2].modify_vpp_config(r2[0])
1064 macip_acls[3].modify_vpp_config(r2[1])
1066 acls_after = self.macip_acl_dump_debug()
1069 self.assertEqual(len(acls_before), len(acls_after))
1070 for acl1, acl2 in zip(
1071 acls_before[:2] + acls_before[4:], acls_after[:2] + acls_after[4:]
1073 self.assertEqual(len(acl1), len(acl2))
1075 self.assertEqual(len(acl1.r), len(acl2.r))
1076 for r1, r2 in zip(acl1.r, acl2.r):
1077 self.assertEqual(len(acl1.r), len(acl2.r))
1078 self.assertEqual(acl1.r, acl2.r)
1079 for acl1, acl2 in zip(acls_before[2:4], acls_after[2:4]):
1080 self.assertEqual(len(acl1), len(acl2))
1082 self.assertNotEqual(len(acl1.r), len(acl2.r))
1083 for r1, r2 in zip(acl1.r, acl2.r):
1084 self.assertNotEqual(len(acl1.r), len(acl2.r))
1085 self.assertNotEqual(acl1.r, acl2.r)
1087 def test_delete_intf(self):
1088 """MACIP ACL delete intf with acl"""
1090 intf_count = len(self.interfaces) + 1
1092 macip_alcs = self.apply_macip_rules(
1093 self.create_rules(acl_count=3, rules_count=[3, 5, 4])
1096 intf.append(VppLoInterface(self))
1097 intf.append(VppLoInterface(self))
1099 sw_if_index0 = intf[0].sw_if_index
1100 macip_acl_if0 = VppMacipAclInterface(
1101 self, sw_if_index=sw_if_index0, acls=[macip_alcs[1]]
1103 macip_acl_if0.add_vpp_config()
1105 reply = self.vapi.macip_acl_interface_get()
1106 self.assertEqual(reply.count, intf_count + 1)
1107 self.assertEqual(reply.acls[sw_if_index0], 1)
1109 sw_if_index1 = intf[1].sw_if_index
1110 macip_acl_if1 = VppMacipAclInterface(
1111 self, sw_if_index=sw_if_index1, acls=[macip_alcs[0]]
1113 macip_acl_if1.add_vpp_config()
1115 reply = self.vapi.macip_acl_interface_get()
1116 self.assertEqual(reply.count, intf_count + 2)
1117 self.assertEqual(reply.acls[sw_if_index1], 0)
1119 intf[0].remove_vpp_config()
1120 reply = self.vapi.macip_acl_interface_get()
1121 self.assertEqual(reply.count, intf_count + 2)
1122 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1123 self.assertEqual(reply.acls[sw_if_index1], 0)
1125 intf.append(VppLoInterface(self))
1126 intf.append(VppLoInterface(self))
1127 sw_if_index2 = intf[2].sw_if_index
1128 sw_if_index3 = intf[3].sw_if_index
1129 macip_acl_if2 = VppMacipAclInterface(
1130 self, sw_if_index=sw_if_index2, acls=[macip_alcs[1]]
1132 macip_acl_if2.add_vpp_config()
1133 macip_acl_if3 = VppMacipAclInterface(
1134 self, sw_if_index=sw_if_index3, acls=[macip_alcs[1]]
1136 macip_acl_if3.add_vpp_config()
1138 reply = self.vapi.macip_acl_interface_get()
1139 self.assertEqual(reply.count, intf_count + 3)
1140 self.assertEqual(reply.acls[sw_if_index1], 0)
1141 self.assertEqual(reply.acls[sw_if_index2], 1)
1142 self.assertEqual(reply.acls[sw_if_index3], 1)
1143 self.logger.info("MACIP ACL on multiple interfaces:")
1144 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1145 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1146 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1147 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1148 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
1150 intf[2].remove_vpp_config()
1151 intf[1].remove_vpp_config()
1153 reply = self.vapi.macip_acl_interface_get()
1154 self.assertEqual(reply.count, intf_count + 3)
1155 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1156 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1157 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1158 self.assertEqual(reply.acls[sw_if_index3], 1)
1160 intf[3].remove_vpp_config()
1161 reply = self.vapi.macip_acl_interface_get()
1163 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1166 class TestACL_dot1q_bridged(MethodHolder):
1167 """ACL on dot1q bridged subinterfaces Tests"""
1170 def setUpClass(cls):
1171 super(TestACL_dot1q_bridged, cls).setUpClass()
1174 def tearDownClass(cls):
1175 super(TestACL_dot1q_bridged, cls).tearDownClass()
1177 def test_acl_bridged_ip4_subif_dot1q(self):
1178 """IP4 ACL SubIf Dot1Q bridged traffic"""
1189 def test_acl_bridged_ip6_subif_dot1q(self):
1190 """IP6 ACL SubIf Dot1Q bridged traffic"""
1202 class TestACL_dot1ad_bridged(MethodHolder):
1203 """ACL on dot1ad bridged subinterfaces Tests"""
1206 def setUpClass(cls):
1207 super(TestACL_dot1ad_bridged, cls).setUpClass()
1210 def tearDownClass(cls):
1211 super(TestACL_dot1ad_bridged, cls).tearDownClass()
1213 def test_acl_bridged_ip4_subif_dot1ad(self):
1214 """IP4 ACL SubIf Dot1AD bridged traffic"""
1225 def test_acl_bridged_ip6_subif_dot1ad(self):
1226 """IP6 ACL SubIf Dot1AD bridged traffic"""
1238 class TestACL_dot1q_routed(MethodHolder):
1239 """ACL on dot1q routed subinterfaces Tests"""
1242 def setUpClass(cls):
1243 super(TestACL_dot1q_routed, cls).setUpClass()
1246 def tearDownClass(cls):
1247 super(TestACL_dot1q_routed, cls).tearDownClass()
1249 def test_acl_routed_ip4_subif_dot1q(self):
1250 """IP4 ACL SubIf Dot1Q routed traffic"""
1261 def test_acl_routed_ip6_subif_dot1q(self):
1262 """IP6 ACL SubIf Dot1Q routed traffic"""
1273 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1274 """IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1284 permit_tags=self.DENY_TAGS,
1287 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1288 """IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1298 permit_tags=self.DENY_TAGS,
1302 class TestACL_dot1ad_routed(MethodHolder):
1303 """ACL on dot1ad routed subinterfaces Tests"""
1306 def setUpClass(cls):
1307 super(TestACL_dot1ad_routed, cls).setUpClass()
1310 def tearDownClass(cls):
1311 super(TestACL_dot1ad_routed, cls).tearDownClass()
1313 def test_acl_routed_ip6_subif_dot1ad(self):
1314 """IP6 ACL SubIf Dot1AD routed traffic"""
1325 def test_acl_routed_ip4_subif_dot1ad(self):
1326 """IP4 ACL SubIf Dot1AD routed traffic"""
1337 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1338 """IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1348 permit_tags=self.DENY_TAGS,
1351 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1352 """IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1362 permit_tags=self.DENY_TAGS,
1366 if __name__ == "__main__":
1367 unittest.main(testRunner=VppTestRunner)