2 """ACL plugin - MACIP tests
8 from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
10 from scapy.packet import Raw
11 from scapy.layers.l2 import Ether
12 from scapy.layers.inet import IP, UDP
13 from scapy.layers.inet6 import IPv6
15 from framework import VppTestCase, VppTestRunner, running_extended_tests
16 from vpp_lo_interface import VppLoInterface
17 from vpp_papi_provider import L2_VTR_OP
18 from vpp_sub_interface import VppSubInterface, VppDot1QSubint, VppDot1ADSubint
19 from vpp_papi_provider import L2_PORT_TYPE
22 class MethodHolder(VppTestCase):
54 Perform standard class setup (defined by class method setUpClass in
55 class VppTestCase) before running the test case, set test case related
56 variables and configure VPP.
58 super(MethodHolder, cls).setUpClass()
60 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
62 cls.remote_hosts_count = 200
65 # create 4 pg interfaces, 1 loopback interface
66 cls.create_pg_interfaces(range(4))
67 cls.create_loopback_interfaces(1)
69 # create 2 subinterfaces
71 VppDot1QSubint(cls, cls.pg1, 10),
72 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
73 VppDot1QSubint(cls, cls.pg3, 30),
74 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
76 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
78 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
79 outer=300, inner=400, push1q=1)
80 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
82 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
83 outer=600, inner=700, push1q=1)
85 cls.interfaces = list(cls.pg_interfaces)
86 cls.interfaces.extend(cls.lo_interfaces)
87 cls.interfaces.extend(cls.subifs)
89 for i in cls.interfaces:
92 # Create BD with MAC learning enabled and put interfaces to this BD
93 cls.vapi.sw_interface_set_l2_bridge(
94 cls.loop0.sw_if_index, bd_id=cls.bd_id,
95 port_type=L2_PORT_TYPE.BVI)
96 cls.vapi.sw_interface_set_l2_bridge(
97 cls.pg0.sw_if_index, bd_id=cls.bd_id)
98 cls.vapi.sw_interface_set_l2_bridge(
99 cls.pg1.sw_if_index, bd_id=cls.bd_id)
100 cls.vapi.sw_interface_set_l2_bridge(
101 cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
102 cls.vapi.sw_interface_set_l2_bridge(
103 cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
105 # Configure IPv4/6 addresses on loop interface and routed interface
106 cls.loop0.config_ip4()
107 cls.loop0.config_ip6()
113 # Configure MAC address binding to IPv4 neighbors on loop0
114 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
115 # Modify host mac addresses to have different OUI parts
116 for i in range(2, cls.remote_hosts_count + 2):
117 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
118 mac[2] = format(int(mac[2], 16) + i, "02x")
119 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
121 cls.loop0.configure_ipv4_neighbors()
122 cls.loop0.configure_ipv6_neighbors()
124 # configure MAC address on pg3
125 cls.pg3.resolve_arp()
126 cls.pg3.resolve_ndp()
128 # configure MAC address on subifs
134 # configure MAC address on pg2
135 cls.pg2.resolve_arp()
136 cls.pg2.resolve_ndp()
138 # Loopback BVI interface has remote hosts
139 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
140 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
141 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
142 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
143 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
144 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
147 super(MethodHolder, cls).tearDownClass()
151 super(MethodHolder, self).setUp()
152 self.reset_packet_infos()
157 Show various debug prints after each test.
159 super(MethodHolder, self).tearDown()
160 if not self.vpp_dead:
161 self.logger.info(self.vapi.ppcli("show interface address"))
162 self.logger.info(self.vapi.ppcli("show hardware"))
163 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
164 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
165 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
166 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
167 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
168 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
169 # print self.vapi.ppcli("show interface address")
170 # print self.vapi.ppcli("show hardware")
171 # print self.vapi.ppcli("sh acl-plugin macip interface")
172 # print self.vapi.ppcli("sh acl-plugin macip acl")
175 def macip_acl_dump_debug(self):
176 acls = self.vapi.macip_acl_dump()
179 print "ACL #"+str(acl.acl_index)
184 elif r.is_permit == 0:
186 print " IP6" if r.is_ipv6 else " IP4", \
188 r.src_mac.encode('hex'), \
189 r.src_mac_mask.encode('hex'),\
190 unpack('<16B', r.src_ip_addr), \
194 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
195 acl_count=1, rules_count=[1]):
197 src_mac = int("220000dead00", 16)
198 for acl in range(2, (acl_count+1) * 2):
200 host = random.choice(self.loop0.remote_hosts)
202 ip4 = host.ip4.split('.')
203 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
205 if ip_type == self.EXACT_IP:
208 elif ip_type == self.WILD_IP:
210 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
213 rules_count[(acl / 2) - 1] = 1
218 if mac_type == self.EXACT_MAC:
219 mask = "ff:ff:ff:ff:ff:ff"
220 elif mac_type == self.WILD_MAC:
221 mask = "00:00:00:00:00:00"
222 elif mac_type == self.OUI_MAC:
223 mask = "ff:ff:ff:00:00:00"
225 mask = "ff:ff:ff:ff:ff:00"
227 ip = ip6 if is_ip6 else ip4
228 ip_len = prefix_len6 if is_ip6 else prefix_len4
230 for i in range(0, rules_count[(acl / 2) - 1]):
232 if mac_type == self.WILD_MAC:
233 mac = "00:00:00:00:00:00"
234 elif mac_type == self.OUI_MAC:
235 mac = ':'.join(re.findall('..', '{:02x}'.format(
236 src_mac))[:3])+":00:00:00"
238 mac = ':'.join(re.findall('..', '{:02x}'.format(src_mac)))
240 if ip_type == self.EXACT_IP:
241 ip4[3] = random.randint(100, 200)
242 ip6[15] = random.randint(100, 200)
243 elif ip_type == self.SUBNET_IP:
244 ip4[2] = random.randint(100, 200)
246 ip6[8] = random.randint(100, 200)
249 for j in range(0, len(ip)):
250 ip_pack += pack('<B', int(ip[j]))
252 rule = ({'is_permit': self.PERMIT,
254 'src_ip_addr': ip_pack,
255 'src_ip_prefix_len': ip_len,
256 'src_mac': mac.replace(':', '').decode('hex'),
257 'src_mac_mask': mask.replace(':', '').decode('hex')})
259 if ip_type == self.WILD_IP:
263 src_mac += 1099511627776
266 def apply_macip_rules(self, acls):
268 reply = self.vapi.macip_acl_add(acl)
269 self.assertEqual(reply.retval, 0)
270 self.ACLS.append(reply.acl_index)
272 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
273 reply = self.macip_acl_dump_debug()
274 for acl in range(2, (acl_count+1) * 2):
275 self.assertEqual(reply[acl - 2].count, rules_count[acl/2-1])
277 self.vapi.macip_acl_interface_get()
279 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
280 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
282 reply = self.vapi.macip_acl_interface_get()
283 self.assertEqual(reply.count, expected_count)
285 def delete_acls(self):
286 for acl in range(len(self.ACLS)-1, -1, -1):
287 self.vapi.macip_acl_del(self.ACLS[acl])
289 reply = self.vapi.macip_acl_dump()
290 self.assertEqual(len(reply), 0)
292 intf_acls = self.vapi.acl_interface_list_dump()
293 for i_a in intf_acls:
294 sw_if_index = i_a.sw_if_index
295 for acl_index in i_a.acls:
296 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
297 self.vapi.acl_del(acl_index)
299 def create_stream(self, mac_type, ip_type, packet_count,
300 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
301 # exact MAC and exact IP
302 # exact MAC and subnet of IPs
303 # exact MAC and wildcard IP
304 # wildcard MAC and exact IP
305 # wildcard MAC and subnet of IPs
306 # wildcard MAC and wildcard IP
307 # OUI restricted MAC and exact IP
308 # OUI restricted MAC and subnet of IPs
309 # OUI restricted MAC and wildcard IP
317 mac_rule = "00:00:00:00:00:00"
318 mac_mask = "00:00:00:00:00:00"
319 for p in range(0, packet_count):
320 remote_dst_index = p % len(dst_if.remote_hosts)
321 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
325 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
326 denyMAC = True if not is_permit and p % 3 == 1 else False
327 denyIP = True if not is_permit and p % 3 == 2 else False
328 if not is_permit and ip_type == self.WILD_IP:
330 if not is_permit and mac_type == self.WILD_MAC:
333 if traffic == self.BRIDGED:
335 src_mac = remote_dst_host._mac
336 dst_mac = 'de:ad:00:00:00:00'
337 src_ip4 = remote_dst_host.ip4
338 dst_ip4 = src_if.remote_ip4
339 src_ip6 = remote_dst_host.ip6
340 dst_ip6 = src_if.remote_ip6
341 ip_permit = src_ip6 if is_ip6 else src_ip4
344 mac = src_mac.split(':')
345 mac[0] = format(int(mac[0], 16)+1, "02x")
346 src_mac = ":".join(mac)
352 if ip_type != self.WILD_IP:
354 src_ip4 = remote_dst_host.ip4
355 dst_ip4 = src_if.remote_ip4
356 src_ip6 = remote_dst_host.ip6
357 dst_ip6 = src_if.remote_ip6
360 src_mac = remote_dst_host._mac
361 dst_mac = src_if.local_mac
362 src_ip4 = src_if.remote_ip4
363 dst_ip4 = remote_dst_host.ip4
364 src_ip6 = src_if.remote_ip6
365 dst_ip6 = remote_dst_host.ip6
366 ip_permit = src_ip6 if is_ip6 else src_ip4
369 mac = src_mac.split(':')
370 mac[0] = format(int(mac[0], 16) + 1, "02x")
371 src_mac = ":".join(mac)
377 src_mac = remote_dst_host._mac
378 if ip_type != self.WILD_IP:
380 src_ip4 = remote_dst_host.ip4
381 dst_ip4 = src_if.remote_ip4
382 src_ip6 = remote_dst_host.ip6
383 dst_ip6 = src_if.remote_ip6
386 info = self.create_packet_info(src_if, dst_if)
387 payload = self.info_to_payload(info)
389 payload = "to be blocked"
391 if mac_type == self.WILD_MAC:
392 mac = src_mac.split(':')
393 for i in range(1, 5):
394 mac[i] = format(random.randint(0, 255), "02x")
395 src_mac = ":".join(mac)
398 packet = Ether(src=src_mac, dst=dst_mac)
399 ip_rule = src_ip6 if is_ip6 else src_ip4
401 if ip_type != self.EXACT_IP:
402 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
403 if ip_type == self.WILD_IP:
404 sub_ip[0] = random.randint(240, 254)
405 sub_ip[1] = random.randint(230, 239)
406 sub_ip[14] = random.randint(100, 199)
407 sub_ip[15] = random.randint(200, 255)
408 elif ip_type == self.SUBNET_IP:
410 sub_ip[2] = str(int(sub_ip[2]) + 1)
411 sub_ip[14] = random.randint(100, 199)
412 sub_ip[15] = random.randint(200, 255)
413 src_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
414 packet /= IPv6(src=src_ip6, dst=dst_ip6)
416 if ip_type != self.EXACT_IP:
417 sub_ip = ip_rule.split('.')
418 if ip_type == self.WILD_IP:
419 sub_ip[0] = str(random.randint(1, 49))
420 sub_ip[1] = str(random.randint(50, 99))
421 sub_ip[2] = str(random.randint(100, 199))
422 sub_ip[3] = str(random.randint(200, 255))
423 elif ip_type == self.SUBNET_IP:
425 sub_ip[1] = str(int(sub_ip[1])+1)
426 sub_ip[2] = str(random.randint(100, 199))
427 sub_ip[3] = str(random.randint(200, 255))
428 src_ip4 = ".".join(sub_ip)
429 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
431 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
433 packet[Raw].load += " mac:"+src_mac
435 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
436 if isinstance(src_if, VppSubInterface):
438 if isinstance(src_if, VppDot1QSubint):
439 if src_if is self.subifs[0]:
440 if tags == self.PERMIT_TAGS:
441 packet = src_if.add_dot1q_layer(packet, 10)
443 packet = src_if.add_dot1q_layer(packet, 11)
445 if tags == self.PERMIT_TAGS:
446 packet = src_if.add_dot1q_layer(packet, 30)
448 packet = src_if.add_dot1q_layer(packet, 33)
449 elif isinstance(src_if, VppDot1ADSubint):
450 if src_if is self.subifs[1]:
451 if tags == self.PERMIT_TAGS:
452 packet = src_if.add_dot1ad_layer(packet, 300, 400)
454 packet = src_if.add_dot1ad_layer(packet, 333, 444)
456 if tags == self.PERMIT_TAGS:
457 packet = src_if.add_dot1ad_layer(packet, 600, 700)
459 packet = src_if.add_dot1ad_layer(packet, 666, 777)
460 self.extend_packet(packet, size)
461 packets.append(packet)
463 # create suitable MACIP rule
464 if mac_type == self.EXACT_MAC:
466 mac_mask = "ff:ff:ff:ff:ff:ff"
467 elif mac_type == self.WILD_MAC:
468 mac_rule = "00:00:00:00:00:00"
469 mac_mask = "00:00:00:00:00:00"
470 elif mac_type == self.OUI_MAC:
471 mac = src_mac.split(':')
472 mac[3] = mac[4] = mac[5] = '00'
473 mac_rule = ":".join(mac)
474 mac_mask = "ff:ff:ff:00:00:00"
477 if ip_type == self.WILD_IP:
481 if ip_type == self.SUBNET_IP:
482 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
483 for i in range(8, 16):
485 ip = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
487 if ip_type == self.WILD_IP:
491 if ip_type == self.SUBNET_IP:
492 sub_ip = ip.split('.')
493 sub_ip[2] = sub_ip[3] = '0'
494 ip = ".".join(sub_ip)
496 prefix_len = 128 if is_ip6 else 32
497 if ip_type == self.WILD_IP:
499 elif ip_type == self.SUBNET_IP:
500 prefix_len = 64 if is_ip6 else 16
501 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
503 # create suitable ACL rule
505 rule_l4_sport = packet[UDP].sport
506 rule_l4_dport = packet[UDP].dport
507 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
508 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
509 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
510 if packet.haslayer(IPv6):
511 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
513 rule_l4_proto = packet[IP].proto
516 'is_permit': is_permit,
518 'src_ip_addr': inet_pton(rule_family,
519 packet[rule_l3_layer].src),
520 'src_ip_prefix_len': rule_prefix_len,
521 'dst_ip_addr': inet_pton(rule_family,
522 packet[rule_l3_layer].dst),
523 'dst_ip_prefix_len': rule_prefix_len,
524 'srcport_or_icmptype_first': rule_l4_sport,
525 'srcport_or_icmptype_last': rule_l4_sport,
526 'dstport_or_icmpcode_first': rule_l4_dport,
527 'dstport_or_icmpcode_last': rule_l4_dport,
528 'proto': rule_l4_proto}
529 acl_rules.append(acl_rule)
531 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
536 'is_permit': is_permit,
538 'src_ip_addr': ip_rule,
539 'src_ip_prefix_len': prefix_len,
540 'src_mac': mac_rule.replace(':', '').decode('hex'),
541 'src_mac_mask': mac_mask.replace(':', '').decode('hex')})
542 macip_rules.append(macip_rule)
544 # deny all other packets
545 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
546 macip_rule = ({'is_permit': 0,
549 'src_ip_prefix_len': 0,
552 macip_rules.append(macip_rule)
554 acl_rule = {'is_permit': 0,
556 acl_rules.append(acl_rule)
557 return {'stream': packets,
558 'macip_rules': macip_rules,
559 'acl_rules': acl_rules}
561 def verify_capture(self, stream, capture, is_ip6):
568 # p_l3 = IPv6 if is_ip6 else IP
571 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
573 # acls = self.macip_acl_dump_debug()
578 # print r.src_mac.encode('hex'), \
579 # r.src_mac_mask.encode('hex'),\
580 # unpack('<16B', r.src_ip_addr), \
581 # r.src_ip_prefix_len
584 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
585 # data = p[Raw].load.split(':',1)[1]
586 # print p[p_l3].src, data
588 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
589 do_not_expected_capture=False, tags=None,
590 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
592 self.reset_packet_infos()
595 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
596 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
600 if tags == self.DOT1Q:
601 if traffic == self.BRIDGED:
602 tx_if = self.subifs[0]
604 src_if = self.subifs[0]
607 tx_if = self.subifs[2]
609 src_if = self.subifs[2]
611 elif tags == self.DOT1AD:
612 if traffic == self.BRIDGED:
613 tx_if = self.subifs[1]
615 src_if = self.subifs[1]
618 tx_if = self.subifs[3]
620 src_if = self.subifs[3]
625 test_dict = self.create_stream(mac_type, ip_type, packets,
632 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
634 reply = self.vapi.acl_add_replace(acl_index=4294967295,
635 r=test_dict['acl_rules'])
636 self.assertEqual(reply.retval, 0)
637 acl_index = reply.acl_index
640 self.vapi.macip_acl_interface_add_del(
641 sw_if_index=tx_if.sw_if_index,
643 reply = self.vapi.macip_acl_interface_get()
644 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
645 self.ACLS.append(reply.acls[tx_if.sw_if_index])
647 self.vapi.acl_interface_add_del(
648 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
650 self.vapi.macip_acl_interface_add_del(
651 sw_if_index=tx_if.sw_if_index,
655 reply = self.vapi.macip_acl_add_replace(
656 test_dict['macip_rules'],
659 reply = self.vapi.acl_add_replace(acl_index=acl_index,
660 r=test_dict['acl_rules'])
661 self.assertEqual(reply.retval, 0)
663 if not isinstance(src_if, VppSubInterface):
664 tx_if.add_stream(test_dict['stream'])
666 tx_if.parent.add_stream(test_dict['stream'])
667 self.pg_enable_capture(self.pg_interfaces)
670 if do_not_expected_capture:
673 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
674 ip_type == self.WILD_IP:
675 capture = rx_if.get_capture(packets)
677 capture = rx_if.get_capture(
678 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
679 self.verify_capture(test_dict['stream'], capture, is_ip6)
681 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
682 acl_index=acl_index, is_add=0)
683 self.vapi.acl_del(acl_index)
685 def run_test_acls(self, mac_type, ip_type, acl_count,
686 rules_count, traffic=None, ip=None):
687 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
689 self.verify_macip_acls(acl_count, rules_count)
691 if traffic is not None:
692 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
695 class TestMACIP_IP4(MethodHolder):
696 """MACIP with IP4 traffic"""
698 def test_acl_bridged_ip4_exactMAC_exactIP(self):
699 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
701 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
702 self.BRIDGED, self.IS_IP4, 9)
704 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
705 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
708 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
709 self.BRIDGED, self.IS_IP4, 9)
711 def test_acl_bridged_ip4_exactMAC_wildIP(self):
712 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
715 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
716 self.BRIDGED, self.IS_IP4, 9)
718 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
719 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
722 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
723 self.BRIDGED, self.IS_IP4, 3)
725 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
726 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
729 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
730 self.BRIDGED, self.IS_IP4, 9)
732 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
733 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
736 self.run_traffic(self.OUI_MAC, self.WILD_IP,
737 self.BRIDGED, self.IS_IP4, 9)
739 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
740 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
743 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
744 self.BRIDGED, self.IS_IP4, 9)
746 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
747 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
750 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
751 self.BRIDGED, self.IS_IP4, 9)
753 def test_acl_bridged_ip4_wildMAC_wildIP(self):
754 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
757 self.run_traffic(self.WILD_MAC, self.WILD_IP,
758 self.BRIDGED, self.IS_IP4, 9)
760 def test_acl_routed_ip4_exactMAC_exactIP(self):
761 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
763 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
764 self.ROUTED, self.IS_IP4, 9)
766 def test_acl_routed_ip4_exactMAC_subnetIP(self):
767 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
769 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
770 self.ROUTED, self.IS_IP4, 9)
772 def test_acl_routed_ip4_exactMAC_wildIP(self):
773 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
775 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
776 self.ROUTED, self.IS_IP4, 9)
778 def test_acl_routed_ip4_ouiMAC_exactIP(self):
779 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
782 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
783 self.ROUTED, self.IS_IP4, 9)
785 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
786 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
789 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
790 self.ROUTED, self.IS_IP4, 9)
792 def test_acl_routed_ip4_ouiMAC_wildIP(self):
793 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
796 self.run_traffic(self.OUI_MAC, self.WILD_IP,
797 self.ROUTED, self.IS_IP4, 9)
799 def test_acl_routed_ip4_wildMAC_exactIP(self):
800 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
803 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
804 self.ROUTED, self.IS_IP4, 9)
806 def test_acl_routed_ip4_wildMAC_subnetIP(self):
807 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
810 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
811 self.ROUTED, self.IS_IP4, 9)
813 def test_acl_routed_ip4_wildMAC_wildIP(self):
814 """ IP4 MACIP wildcardMAC|wildIP ACL
817 self.run_traffic(self.WILD_MAC, self.WILD_IP,
818 self.ROUTED, self.IS_IP4, 9)
820 def test_acl_replace_traffic_ip4(self):
821 """ MACIP replace ACL with IP4 traffic
823 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
824 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
825 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
826 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
829 class TestMACIP_IP6(MethodHolder):
830 """MACIP with IP6 traffic"""
832 def test_acl_bridged_ip6_exactMAC_exactIP(self):
833 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
836 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
837 self.BRIDGED, self.IS_IP6, 9)
839 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
840 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
843 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
844 self.BRIDGED, self.IS_IP6, 9)
846 def test_acl_bridged_ip6_exactMAC_wildIP(self):
847 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
850 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
851 self.BRIDGED, self.IS_IP6, 9)
853 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
854 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
857 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
858 self.BRIDGED, self.IS_IP6, 9)
860 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
861 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
864 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
865 self.BRIDGED, self.IS_IP6, 9)
867 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
868 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
871 self.run_traffic(self.OUI_MAC, self.WILD_IP,
872 self.BRIDGED, self.IS_IP6, 9)
874 def test_acl_bridged_ip6_wildMAC_exactIP(self):
875 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
878 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
879 self.BRIDGED, self.IS_IP6, 9)
881 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
882 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
885 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
886 self.BRIDGED, self.IS_IP6, 9)
888 def test_acl_bridged_ip6_wildMAC_wildIP(self):
889 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
892 self.run_traffic(self.WILD_MAC, self.WILD_IP,
893 self.BRIDGED, self.IS_IP6, 9)
895 def test_acl_routed_ip6_exactMAC_exactIP(self):
896 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
899 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
900 self.ROUTED, self.IS_IP6, 9)
902 def test_acl_routed_ip6_exactMAC_subnetIP(self):
903 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
906 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
907 self.ROUTED, self.IS_IP6, 9)
909 def test_acl_routed_ip6_exactMAC_wildIP(self):
910 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
913 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
914 self.ROUTED, self.IS_IP6, 9)
916 def test_acl_routed_ip6_ouiMAC_exactIP(self):
917 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
920 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
921 self.ROUTED, self.IS_IP6, 9)
923 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
924 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
927 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
928 self.ROUTED, self.IS_IP6, 9)
930 def test_acl_routed_ip6_ouiMAC_wildIP(self):
931 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
934 self.run_traffic(self.OUI_MAC, self.WILD_IP,
935 self.ROUTED, self.IS_IP6, 9)
937 def test_acl_routed_ip6_wildMAC_exactIP(self):
938 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
941 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
942 self.ROUTED, self.IS_IP6, 9)
944 def test_acl_routed_ip6_wildMAC_subnetIP(self):
945 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
948 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
949 self.ROUTED, self.IS_IP6, 9)
951 def test_acl_routed_ip6_wildMAC_wildIP(self):
952 """ IP6 MACIP wildcardMAC|wildIP ACL
955 self.run_traffic(self.WILD_MAC, self.WILD_IP,
956 self.ROUTED, self.IS_IP6, 9)
958 def test_acl_replace_traffic_ip6(self):
959 """ MACIP replace ACL with IP6 traffic
961 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
962 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
963 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
964 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
967 class TestMACIP(MethodHolder):
970 def test_acl_1_2(self):
971 """ MACIP ACL with 2 entries
974 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
976 def test_acl_1_5(self):
977 """ MACIP ACL with 5 entries
980 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
982 def test_acl_1_10(self):
983 """ MACIP ACL with 10 entries
986 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
988 def test_acl_1_20(self):
989 """ MACIP ACL with 20 entries
992 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
994 def test_acl_1_50(self):
995 """ MACIP ACL with 50 entries
998 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1000 def test_acl_1_100(self):
1001 """ MACIP ACL with 100 entries
1004 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1006 def test_acl_2_X(self):
1007 """ MACIP 2 ACLs each with 100+ entries
1010 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1012 def test_acl_10_X(self):
1013 """ MACIP 10 ACLs each with 100+ entries
1016 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1017 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1019 def test_acl_10_X_traffic_ip4(self):
1020 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1023 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1024 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1025 self.BRIDGED, self.IS_IP4)
1027 def test_acl_10_X_traffic_ip6(self):
1028 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1031 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1032 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1033 self.BRIDGED, self.IS_IP6)
1035 def test_acl_replace(self):
1036 """ MACIP replace ACL
1039 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1040 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
1041 self.apply_macip_rules(r1)
1043 acls_before = self.macip_acl_dump_debug()
1045 # replace acls #2, #3 with new
1046 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1047 self.assertEqual(reply.retval, 0)
1048 self.assertEqual(reply.acl_index, 2)
1049 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1050 self.assertEqual(reply.retval, 0)
1051 self.assertEqual(reply.acl_index, 3)
1053 acls_after = self.macip_acl_dump_debug()
1056 self.assertEqual(len(acls_before), len(acls_after))
1057 for acl1, acl2 in zip(
1058 acls_before[:2]+acls_before[4:],
1059 acls_after[:2]+acls_after[4:]):
1060 self.assertEqual(len(acl1), len(acl2))
1062 self.assertEqual(len(acl1.r), len(acl2.r))
1063 for r1, r2 in zip(acl1.r, acl2.r):
1064 self.assertEqual(len(acl1.r), len(acl2.r))
1065 self.assertEqual(acl1.r, acl2.r)
1066 for acl1, acl2 in zip(
1069 self.assertEqual(len(acl1), len(acl2))
1071 self.assertNotEqual(len(acl1.r), len(acl2.r))
1072 for r1, r2 in zip(acl1.r, acl2.r):
1073 self.assertNotEqual(len(acl1.r), len(acl2.r))
1074 self.assertNotEqual(acl1.r, acl2.r)
1076 def test_delete_intf(self):
1077 """ MACIP ACL delete intf with acl
1080 intf_count = len(self.interfaces)+1
1082 self.apply_macip_rules(self.create_rules(acl_count=3,
1083 rules_count=[3, 5, 4]))
1085 intf.append(VppLoInterface(self))
1086 intf.append(VppLoInterface(self))
1088 sw_if_index0 = intf[0].sw_if_index
1089 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1091 reply = self.vapi.macip_acl_interface_get()
1092 self.assertEqual(reply.count, intf_count+1)
1093 self.assertEqual(reply.acls[sw_if_index0], 1)
1095 sw_if_index1 = intf[1].sw_if_index
1096 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1098 reply = self.vapi.macip_acl_interface_get()
1099 self.assertEqual(reply.count, intf_count+2)
1100 self.assertEqual(reply.acls[sw_if_index1], 0)
1102 intf[0].remove_vpp_config()
1103 reply = self.vapi.macip_acl_interface_get()
1104 self.assertEqual(reply.count, intf_count+2)
1105 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1106 self.assertEqual(reply.acls[sw_if_index1], 0)
1108 intf.append(VppLoInterface(self))
1109 intf.append(VppLoInterface(self))
1110 sw_if_index2 = intf[2].sw_if_index
1111 sw_if_index3 = intf[3].sw_if_index
1112 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1113 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1115 reply = self.vapi.macip_acl_interface_get()
1116 self.assertEqual(reply.count, intf_count+3)
1117 self.assertEqual(reply.acls[sw_if_index1], 0)
1118 self.assertEqual(reply.acls[sw_if_index2], 1)
1119 self.assertEqual(reply.acls[sw_if_index3], 1)
1120 self.logger.info("MACIP ACL on multiple interfaces:")
1121 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1122 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1123 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1124 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1125 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
1127 intf[2].remove_vpp_config()
1128 intf[1].remove_vpp_config()
1130 reply = self.vapi.macip_acl_interface_get()
1131 self.assertEqual(reply.count, intf_count+3)
1132 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1133 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1134 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1135 self.assertEqual(reply.acls[sw_if_index3], 1)
1137 intf[3].remove_vpp_config()
1138 reply = self.vapi.macip_acl_interface_get()
1140 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1143 class TestACL_dot1q_bridged(MethodHolder):
1144 """ACL on dot1q bridged subinterfaces Tests"""
1146 def test_acl_bridged_ip4_subif_dot1q(self):
1147 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1148 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1149 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1151 def test_acl_bridged_ip6_subif_dot1q(self):
1152 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1153 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1154 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1157 class TestACL_dot1ad_bridged(MethodHolder):
1158 """ACL on dot1ad bridged subinterfaces Tests"""
1160 def test_acl_bridged_ip4_subif_dot1ad(self):
1161 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1162 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1163 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1165 def test_acl_bridged_ip6_subif_dot1ad(self):
1166 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1167 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1168 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1171 class TestACL_dot1q_routed(MethodHolder):
1172 """ACL on dot1q routed subinterfaces Tests"""
1174 def test_acl_routed_ip4_subif_dot1q(self):
1175 """ IP4 ACL SubIf Dot1Q routed traffic"""
1176 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1177 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1179 def test_acl_routed_ip6_subif_dot1q(self):
1180 """ IP6 ACL SubIf Dot1Q routed traffic"""
1181 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1182 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1184 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1185 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1186 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1187 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1188 permit_tags=self.DENY_TAGS)
1190 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1191 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1192 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1193 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1194 permit_tags=self.DENY_TAGS)
1197 class TestACL_dot1ad_routed(MethodHolder):
1198 """ACL on dot1ad routed subinterfaces Tests"""
1200 def test_acl_routed_ip6_subif_dot1ad(self):
1201 """ IP6 ACL SubIf Dot1AD routed traffic"""
1202 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1203 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1205 def test_acl_routed_ip4_subif_dot1ad(self):
1206 """ IP4 ACL SubIf Dot1AD routed traffic"""
1207 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1208 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1210 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1211 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1212 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1213 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1214 permit_tags=self.DENY_TAGS)
1216 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1217 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1218 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1219 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1220 permit_tags=self.DENY_TAGS)
1223 if __name__ == '__main__':
1224 unittest.main(testRunner=VppTestRunner)