2 from __future__ import print_function
3 """ACL plugin - MACIP tests
8 from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
9 from struct import pack, unpack
14 from scapy.packet import Raw
15 from scapy.layers.l2 import Ether
16 from scapy.layers.inet import IP, UDP
17 from scapy.layers.inet6 import IPv6
19 from framework import VppTestCase, VppTestRunner, running_extended_tests
20 from vpp_lo_interface import VppLoInterface
21 from vpp_l2 import L2_PORT_TYPE
22 from vpp_sub_interface import L2_VTR_OP, VppSubInterface, VppDot1QSubint, \
26 class MethodHolder(VppTestCase):
58 Perform standard class setup (defined by class method setUpClass in
59 class VppTestCase) before running the test case, set test case related
60 variables and configure VPP.
62 super(MethodHolder, cls).setUpClass()
64 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
66 cls.remote_hosts_count = 200
69 # create 4 pg interfaces, 1 loopback interface
70 cls.create_pg_interfaces(range(4))
71 cls.create_loopback_interfaces(1)
73 # create 2 subinterfaces
75 VppDot1QSubint(cls, cls.pg1, 10),
76 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
77 VppDot1QSubint(cls, cls.pg3, 30),
78 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
80 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
82 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
83 outer=300, inner=400, push1q=1)
84 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
86 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
87 outer=600, inner=700, push1q=1)
89 cls.interfaces = list(cls.pg_interfaces)
90 cls.interfaces.extend(cls.lo_interfaces)
91 cls.interfaces.extend(cls.subifs)
93 for i in cls.interfaces:
96 # Create BD with MAC learning enabled and put interfaces to this BD
97 cls.vapi.sw_interface_set_l2_bridge(
98 rx_sw_if_index=cls.loop0.sw_if_index, bd_id=cls.bd_id,
99 port_type=L2_PORT_TYPE.BVI)
100 cls.vapi.sw_interface_set_l2_bridge(
101 rx_sw_if_index=cls.pg0.sw_if_index, bd_id=cls.bd_id)
102 cls.vapi.sw_interface_set_l2_bridge(
103 rx_sw_if_index=cls.pg1.sw_if_index, bd_id=cls.bd_id)
104 cls.vapi.sw_interface_set_l2_bridge(
105 rx_sw_if_index=cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
106 cls.vapi.sw_interface_set_l2_bridge(
107 rx_sw_if_index=cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
109 # Configure IPv4/6 addresses on loop interface and routed interface
110 cls.loop0.config_ip4()
111 cls.loop0.config_ip6()
117 # Configure MAC address binding to IPv4 neighbors on loop0
118 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
119 # Modify host mac addresses to have different OUI parts
120 for i in range(2, cls.remote_hosts_count + 2):
121 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
122 mac[2] = format(int(mac[2], 16) + i, "02x")
123 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
125 cls.loop0.configure_ipv4_neighbors()
126 cls.loop0.configure_ipv6_neighbors()
128 # configure MAC address on pg3
129 cls.pg3.resolve_arp()
130 cls.pg3.resolve_ndp()
132 # configure MAC address on subifs
138 # configure MAC address on pg2
139 cls.pg2.resolve_arp()
140 cls.pg2.resolve_ndp()
142 # Loopback BVI interface has remote hosts
143 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
144 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
145 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
146 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
147 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
148 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
151 super(MethodHolder, cls).tearDownClass()
155 super(MethodHolder, self).setUp()
156 self.reset_packet_infos()
161 Show various debug prints after each test.
163 super(MethodHolder, self).tearDown()
164 if not self.vpp_dead:
165 self.logger.info(self.vapi.ppcli("show interface address"))
166 self.logger.info(self.vapi.ppcli("show hardware"))
167 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
168 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
169 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
170 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
171 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
172 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
173 # print(self.vapi.ppcli("show interface address"))
174 # print(self.vapi.ppcli("show hardware"))
175 # print(self.vapi.ppcli("sh acl-plugin macip interface"))
176 # print(self.vapi.ppcli("sh acl-plugin macip acl"))
179 def macip_acl_dump_debug(self):
180 acls = self.vapi.macip_acl_dump()
183 print("ACL #"+str(acl.acl_index))
188 elif r.is_permit == 0:
190 print(" IP6" if r.is_ipv6 else " IP4",
192 binascii.hexlify(r.src_mac),
193 binascii.hexlify(r.src_mac_mask),
194 unpack('<16B', r.src_ip_addr),
198 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
199 acl_count=1, rules_count=None):
201 if rules_count is None:
203 src_mac = int("220000dead00", 16)
204 for acl in range(2, (acl_count+1) * 2):
206 host = random.choice(self.loop0.remote_hosts)
208 ip4 = host.ip4.split('.')
209 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
211 if ip_type == self.EXACT_IP:
214 elif ip_type == self.WILD_IP:
216 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
219 rules_count[(acl / 2) - 1] = 1
224 if mac_type == self.EXACT_MAC:
225 mask = "ff:ff:ff:ff:ff:ff"
226 elif mac_type == self.WILD_MAC:
227 mask = "00:00:00:00:00:00"
228 elif mac_type == self.OUI_MAC:
229 mask = "ff:ff:ff:00:00:00"
231 mask = "ff:ff:ff:ff:ff:00"
233 ip = ip6 if is_ip6 else ip4
234 ip_len = prefix_len6 if is_ip6 else prefix_len4
236 for i in range(0, rules_count[(acl / 2) - 1]):
238 if mac_type == self.WILD_MAC:
239 mac = "00:00:00:00:00:00"
240 elif mac_type == self.OUI_MAC:
241 mac = ':'.join(re.findall('..', '{:02x}'.format(
242 src_mac))[:3])+":00:00:00"
244 mac = ':'.join(re.findall(
245 '..', '{:02x}'.format(src_mac)))
247 if ip_type == self.EXACT_IP:
248 ip4[3] = random.randint(100, 200)
249 ip6[15] = random.randint(100, 200)
250 elif ip_type == self.SUBNET_IP:
251 ip4[2] = random.randint(100, 200)
253 ip6[8] = random.randint(100, 200)
256 for j in range(0, len(ip)):
257 ip_pack += pack('<B', int(ip[j]))
259 rule = ({'is_permit': self.PERMIT,
261 'src_ip_addr': ip_pack,
262 'src_ip_prefix_len': ip_len,
263 'src_mac': binascii.unhexlify(mac.replace(':', '')),
264 'src_mac_mask': binascii.unhexlify(
265 mask.replace(':', ''))})
267 if ip_type == self.WILD_IP:
271 src_mac += 1099511627776
274 def apply_macip_rules(self, acls):
276 reply = self.vapi.macip_acl_add(acl)
277 self.assertEqual(reply.retval, 0)
278 self.ACLS.append(reply.acl_index)
280 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
281 reply = self.macip_acl_dump_debug()
282 for acl in range(2, (acl_count+1) * 2):
283 self.assertEqual(reply[acl - 2].count, rules_count[acl//2-1])
285 self.vapi.macip_acl_interface_get()
287 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
288 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
290 reply = self.vapi.macip_acl_interface_get()
291 self.assertEqual(reply.count, expected_count)
293 def delete_acls(self):
294 for acl in range(len(self.ACLS)-1, -1, -1):
295 self.vapi.macip_acl_del(self.ACLS[acl])
297 reply = self.vapi.macip_acl_dump()
298 self.assertEqual(len(reply), 0)
300 intf_acls = self.vapi.acl_interface_list_dump()
301 for i_a in intf_acls:
302 sw_if_index = i_a.sw_if_index
303 for acl_index in i_a.acls:
304 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
305 self.vapi.acl_del(acl_index)
307 def create_stream(self, mac_type, ip_type, packet_count,
308 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
309 # exact MAC and exact IP
310 # exact MAC and subnet of IPs
311 # exact MAC and wildcard IP
312 # wildcard MAC and exact IP
313 # wildcard MAC and subnet of IPs
314 # wildcard MAC and wildcard IP
315 # OUI restricted MAC and exact IP
316 # OUI restricted MAC and subnet of IPs
317 # OUI restricted MAC and wildcard IP
325 mac_rule = "00:00:00:00:00:00"
326 mac_mask = "00:00:00:00:00:00"
327 for p in range(0, packet_count):
328 remote_dst_index = p % len(dst_if.remote_hosts)
329 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
333 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
334 denyMAC = True if not is_permit and p % 3 == 1 else False
335 denyIP = True if not is_permit and p % 3 == 2 else False
336 if not is_permit and ip_type == self.WILD_IP:
338 if not is_permit and mac_type == self.WILD_MAC:
341 if traffic == self.BRIDGED:
343 src_mac = remote_dst_host._mac
344 dst_mac = 'de:ad:00:00:00:00'
345 src_ip4 = remote_dst_host.ip4
346 dst_ip4 = src_if.remote_ip4
347 src_ip6 = remote_dst_host.ip6
348 dst_ip6 = src_if.remote_ip6
349 ip_permit = src_ip6 if is_ip6 else src_ip4
352 mac = src_mac.split(':')
353 mac[0] = format(int(mac[0], 16)+1, "02x")
354 src_mac = ":".join(mac)
360 if ip_type != self.WILD_IP:
362 src_ip4 = remote_dst_host.ip4
363 dst_ip4 = src_if.remote_ip4
364 src_ip6 = remote_dst_host.ip6
365 dst_ip6 = src_if.remote_ip6
368 src_mac = remote_dst_host._mac
369 dst_mac = src_if.local_mac
370 src_ip4 = src_if.remote_ip4
371 dst_ip4 = remote_dst_host.ip4
372 src_ip6 = src_if.remote_ip6
373 dst_ip6 = remote_dst_host.ip6
374 ip_permit = src_ip6 if is_ip6 else src_ip4
377 mac = src_mac.split(':')
378 mac[0] = format(int(mac[0], 16) + 1, "02x")
379 src_mac = ":".join(mac)
385 src_mac = remote_dst_host._mac
386 if ip_type != self.WILD_IP:
388 src_ip4 = remote_dst_host.ip4
389 dst_ip4 = src_if.remote_ip4
390 src_ip6 = remote_dst_host.ip6
391 dst_ip6 = src_if.remote_ip6
394 info = self.create_packet_info(src_if, dst_if)
395 payload = self.info_to_payload(info)
397 payload = "to be blocked"
399 if mac_type == self.WILD_MAC:
400 mac = src_mac.split(':')
401 for i in range(1, 5):
402 mac[i] = format(random.randint(0, 255), "02x")
403 src_mac = ":".join(mac)
406 packet = Ether(src=src_mac, dst=dst_mac)
407 ip_rule = src_ip6 if is_ip6 else src_ip4
409 if ip_type != self.EXACT_IP:
410 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
411 if ip_type == self.WILD_IP:
412 sub_ip[0] = random.randint(240, 254)
413 sub_ip[1] = random.randint(230, 239)
414 sub_ip[14] = random.randint(100, 199)
415 sub_ip[15] = random.randint(200, 255)
416 elif ip_type == self.SUBNET_IP:
418 sub_ip[2] = int(sub_ip[2]) + 1
419 sub_ip[14] = random.randint(100, 199)
420 sub_ip[15] = random.randint(200, 255)
421 packed_src_ip6 = b''.join(
422 [scapy.compat.chb(x) for x in sub_ip])
423 src_ip6 = inet_ntop(AF_INET6, packed_src_ip6)
424 packet /= IPv6(src=src_ip6, dst=dst_ip6)
426 if ip_type != self.EXACT_IP:
427 sub_ip = ip_rule.split('.')
428 if ip_type == self.WILD_IP:
429 sub_ip[0] = random.randint(1, 49)
430 sub_ip[1] = random.randint(50, 99)
431 sub_ip[2] = random.randint(100, 199)
432 sub_ip[3] = random.randint(200, 255)
433 elif ip_type == self.SUBNET_IP:
435 sub_ip[1] = int(sub_ip[1])+1
436 sub_ip[2] = random.randint(100, 199)
437 sub_ip[3] = random.randint(200, 255)
438 src_ip4 = '.'.join(['{!s}'.format(x) for x in sub_ip])
439 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
441 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
443 packet[Raw].load += b" mac:%s" % scapy.compat.raw(src_mac)
445 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
446 if isinstance(src_if, VppSubInterface):
448 if isinstance(src_if, VppDot1QSubint):
449 if src_if is self.subifs[0]:
450 if tags == self.PERMIT_TAGS:
451 packet = src_if.add_dot1q_layer(packet, 10)
453 packet = src_if.add_dot1q_layer(packet, 11)
455 if tags == self.PERMIT_TAGS:
456 packet = src_if.add_dot1q_layer(packet, 30)
458 packet = src_if.add_dot1q_layer(packet, 33)
459 elif isinstance(src_if, VppDot1ADSubint):
460 if src_if is self.subifs[1]:
461 if tags == self.PERMIT_TAGS:
462 packet = src_if.add_dot1ad_layer(packet, 300, 400)
464 packet = src_if.add_dot1ad_layer(packet, 333, 444)
466 if tags == self.PERMIT_TAGS:
467 packet = src_if.add_dot1ad_layer(packet, 600, 700)
469 packet = src_if.add_dot1ad_layer(packet, 666, 777)
470 self.extend_packet(packet, size)
471 packets.append(packet)
473 # create suitable MACIP rule
474 if mac_type == self.EXACT_MAC:
476 mac_mask = "ff:ff:ff:ff:ff:ff"
477 elif mac_type == self.WILD_MAC:
478 mac_rule = "00:00:00:00:00:00"
479 mac_mask = "00:00:00:00:00:00"
480 elif mac_type == self.OUI_MAC:
481 mac = src_mac.split(':')
482 mac[3] = mac[4] = mac[5] = '00'
483 mac_rule = ":".join(mac)
484 mac_mask = "ff:ff:ff:00:00:00"
487 if ip_type == self.WILD_IP:
491 if ip_type == self.SUBNET_IP:
492 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
493 for i in range(8, 16):
495 packed_ip = b''.join(
496 [scapy.compat.chb(x) for x in sub_ip])
497 ip = inet_ntop(AF_INET6, packed_ip)
499 if ip_type == self.WILD_IP:
503 if ip_type == self.SUBNET_IP:
504 sub_ip = ip.split('.')
505 sub_ip[2] = sub_ip[3] = '0'
506 ip = ".".join(sub_ip)
508 prefix_len = 128 if is_ip6 else 32
509 if ip_type == self.WILD_IP:
511 elif ip_type == self.SUBNET_IP:
512 prefix_len = 64 if is_ip6 else 16
513 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
515 # create suitable ACL rule
517 rule_l4_sport = packet[UDP].sport
518 rule_l4_dport = packet[UDP].dport
519 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
520 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
521 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
522 if packet.haslayer(IPv6):
523 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
525 rule_l4_proto = packet[IP].proto
528 'is_permit': is_permit,
530 'src_ip_addr': inet_pton(rule_family,
531 packet[rule_l3_layer].src),
532 'src_ip_prefix_len': rule_prefix_len,
533 'dst_ip_addr': inet_pton(rule_family,
534 packet[rule_l3_layer].dst),
535 'dst_ip_prefix_len': rule_prefix_len,
536 'srcport_or_icmptype_first': rule_l4_sport,
537 'srcport_or_icmptype_last': rule_l4_sport,
538 'dstport_or_icmpcode_first': rule_l4_dport,
539 'dstport_or_icmpcode_last': rule_l4_dport,
540 'proto': rule_l4_proto}
541 acl_rules.append(acl_rule)
543 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
548 'is_permit': is_permit,
550 'src_ip_addr': ip_rule,
551 'src_ip_prefix_len': prefix_len,
552 'src_mac': binascii.unhexlify(mac_rule.replace(':', '')),
553 'src_mac_mask': binascii.unhexlify(
554 mac_mask.replace(':', ''))})
555 macip_rules.append(macip_rule)
557 # deny all other packets
558 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
559 macip_rule = ({'is_permit': 0,
562 'src_ip_prefix_len': 0,
565 macip_rules.append(macip_rule)
567 acl_rule = {'is_permit': 0,
569 acl_rules.append(acl_rule)
570 return {'stream': packets,
571 'macip_rules': macip_rules,
572 'acl_rules': acl_rules}
574 def verify_capture(self, stream, capture, is_ip6):
581 # p_l3 = IPv6 if is_ip6 else IP
584 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst)
586 # acls = self.macip_acl_dump_debug()
591 # print(binascii.hexlify(r.src_mac), \
592 # binascii.hexlify(r.src_mac_mask),\
593 # unpack('<16B', r.src_ip_addr), \
594 # r.src_ip_prefix_len)
597 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
598 # data = p[Raw].load.split(':',1)[1])
599 # print(p[p_l3].src, data)
601 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
602 do_not_expected_capture=False, tags=None,
603 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
605 self.reset_packet_infos()
608 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
609 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
613 if tags == self.DOT1Q:
614 if traffic == self.BRIDGED:
615 tx_if = self.subifs[0]
617 src_if = self.subifs[0]
620 tx_if = self.subifs[2]
622 src_if = self.subifs[2]
624 elif tags == self.DOT1AD:
625 if traffic == self.BRIDGED:
626 tx_if = self.subifs[1]
628 src_if = self.subifs[1]
631 tx_if = self.subifs[3]
633 src_if = self.subifs[3]
638 test_dict = self.create_stream(mac_type, ip_type, packets,
645 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
647 reply = self.vapi.acl_add_replace(acl_index=4294967295,
648 r=test_dict['acl_rules'])
649 self.assertEqual(reply.retval, 0)
650 acl_index = reply.acl_index
653 self.vapi.macip_acl_interface_add_del(
654 sw_if_index=tx_if.sw_if_index,
656 reply = self.vapi.macip_acl_interface_get()
657 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
658 self.ACLS.append(reply.acls[tx_if.sw_if_index])
660 self.vapi.acl_interface_add_del(
661 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
663 self.vapi.macip_acl_interface_add_del(
664 sw_if_index=tx_if.sw_if_index,
668 reply = self.vapi.macip_acl_add_replace(
669 test_dict['macip_rules'],
672 reply = self.vapi.acl_add_replace(acl_index=acl_index,
673 r=test_dict['acl_rules'])
674 self.assertEqual(reply.retval, 0)
676 if not isinstance(src_if, VppSubInterface):
677 tx_if.add_stream(test_dict['stream'])
679 tx_if.parent.add_stream(test_dict['stream'])
680 self.pg_enable_capture(self.pg_interfaces)
683 if do_not_expected_capture:
686 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
687 ip_type == self.WILD_IP:
688 capture = rx_if.get_capture(packets)
690 capture = rx_if.get_capture(
691 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
692 self.verify_capture(test_dict['stream'], capture, is_ip6)
694 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
695 acl_index=acl_index, is_add=0)
696 self.vapi.acl_del(acl_index)
698 def run_test_acls(self, mac_type, ip_type, acl_count,
699 rules_count, traffic=None, ip=None):
700 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
702 self.verify_macip_acls(acl_count, rules_count)
704 if traffic is not None:
705 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
708 class TestMACIP_IP4(MethodHolder):
709 """MACIP with IP4 traffic"""
711 def test_acl_bridged_ip4_exactMAC_exactIP(self):
712 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
714 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
715 self.BRIDGED, self.IS_IP4, 9)
717 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
718 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
721 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
722 self.BRIDGED, self.IS_IP4, 9)
724 def test_acl_bridged_ip4_exactMAC_wildIP(self):
725 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
728 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
729 self.BRIDGED, self.IS_IP4, 9)
731 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
732 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
735 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
736 self.BRIDGED, self.IS_IP4, 3)
738 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
739 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
742 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
743 self.BRIDGED, self.IS_IP4, 9)
745 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
746 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
749 self.run_traffic(self.OUI_MAC, self.WILD_IP,
750 self.BRIDGED, self.IS_IP4, 9)
752 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
753 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
756 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
757 self.BRIDGED, self.IS_IP4, 9)
759 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
760 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
763 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
764 self.BRIDGED, self.IS_IP4, 9)
766 def test_acl_bridged_ip4_wildMAC_wildIP(self):
767 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
770 self.run_traffic(self.WILD_MAC, self.WILD_IP,
771 self.BRIDGED, self.IS_IP4, 9)
773 def test_acl_routed_ip4_exactMAC_exactIP(self):
774 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
776 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
777 self.ROUTED, self.IS_IP4, 9)
779 def test_acl_routed_ip4_exactMAC_subnetIP(self):
780 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
782 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
783 self.ROUTED, self.IS_IP4, 9)
785 def test_acl_routed_ip4_exactMAC_wildIP(self):
786 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
788 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
789 self.ROUTED, self.IS_IP4, 9)
791 def test_acl_routed_ip4_ouiMAC_exactIP(self):
792 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
795 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
796 self.ROUTED, self.IS_IP4, 9)
798 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
799 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
802 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
803 self.ROUTED, self.IS_IP4, 9)
805 def test_acl_routed_ip4_ouiMAC_wildIP(self):
806 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
809 self.run_traffic(self.OUI_MAC, self.WILD_IP,
810 self.ROUTED, self.IS_IP4, 9)
812 def test_acl_routed_ip4_wildMAC_exactIP(self):
813 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
816 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
817 self.ROUTED, self.IS_IP4, 9)
819 def test_acl_routed_ip4_wildMAC_subnetIP(self):
820 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
823 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
824 self.ROUTED, self.IS_IP4, 9)
826 def test_acl_routed_ip4_wildMAC_wildIP(self):
827 """ IP4 MACIP wildcardMAC|wildIP ACL
830 self.run_traffic(self.WILD_MAC, self.WILD_IP,
831 self.ROUTED, self.IS_IP4, 9)
833 def test_acl_replace_traffic_ip4(self):
834 """ MACIP replace ACL with IP4 traffic
836 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
837 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
838 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
839 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
842 class TestMACIP_IP6(MethodHolder):
843 """MACIP with IP6 traffic"""
845 def test_acl_bridged_ip6_exactMAC_exactIP(self):
846 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
849 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
850 self.BRIDGED, self.IS_IP6, 9)
852 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
853 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
856 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
857 self.BRIDGED, self.IS_IP6, 9)
859 def test_acl_bridged_ip6_exactMAC_wildIP(self):
860 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
863 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
864 self.BRIDGED, self.IS_IP6, 9)
866 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
867 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
870 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
871 self.BRIDGED, self.IS_IP6, 9)
873 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
874 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
877 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
878 self.BRIDGED, self.IS_IP6, 9)
880 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
881 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
884 self.run_traffic(self.OUI_MAC, self.WILD_IP,
885 self.BRIDGED, self.IS_IP6, 9)
887 def test_acl_bridged_ip6_wildMAC_exactIP(self):
888 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
891 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
892 self.BRIDGED, self.IS_IP6, 9)
894 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
895 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
898 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
899 self.BRIDGED, self.IS_IP6, 9)
901 def test_acl_bridged_ip6_wildMAC_wildIP(self):
902 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
905 self.run_traffic(self.WILD_MAC, self.WILD_IP,
906 self.BRIDGED, self.IS_IP6, 9)
908 def test_acl_routed_ip6_exactMAC_exactIP(self):
909 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
912 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
913 self.ROUTED, self.IS_IP6, 9)
915 def test_acl_routed_ip6_exactMAC_subnetIP(self):
916 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
919 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
920 self.ROUTED, self.IS_IP6, 9)
922 def test_acl_routed_ip6_exactMAC_wildIP(self):
923 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
926 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
927 self.ROUTED, self.IS_IP6, 9)
929 def test_acl_routed_ip6_ouiMAC_exactIP(self):
930 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
933 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
934 self.ROUTED, self.IS_IP6, 9)
936 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
937 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
940 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
941 self.ROUTED, self.IS_IP6, 9)
943 def test_acl_routed_ip6_ouiMAC_wildIP(self):
944 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
947 self.run_traffic(self.OUI_MAC, self.WILD_IP,
948 self.ROUTED, self.IS_IP6, 9)
950 def test_acl_routed_ip6_wildMAC_exactIP(self):
951 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
954 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
955 self.ROUTED, self.IS_IP6, 9)
957 def test_acl_routed_ip6_wildMAC_subnetIP(self):
958 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
961 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
962 self.ROUTED, self.IS_IP6, 9)
964 def test_acl_routed_ip6_wildMAC_wildIP(self):
965 """ IP6 MACIP wildcardMAC|wildIP ACL
968 self.run_traffic(self.WILD_MAC, self.WILD_IP,
969 self.ROUTED, self.IS_IP6, 9)
971 def test_acl_replace_traffic_ip6(self):
972 """ MACIP replace ACL with IP6 traffic
974 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
975 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
976 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
977 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
980 class TestMACIP(MethodHolder):
983 def test_acl_1_2(self):
984 """ MACIP ACL with 2 entries
987 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
989 def test_acl_1_5(self):
990 """ MACIP ACL with 5 entries
993 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
995 def test_acl_1_10(self):
996 """ MACIP ACL with 10 entries
999 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
1001 def test_acl_1_20(self):
1002 """ MACIP ACL with 20 entries
1005 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
1007 def test_acl_1_50(self):
1008 """ MACIP ACL with 50 entries
1011 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1013 def test_acl_1_100(self):
1014 """ MACIP ACL with 100 entries
1017 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1019 def test_acl_2_X(self):
1020 """ MACIP 2 ACLs each with 100+ entries
1023 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1025 def test_acl_10_X(self):
1026 """ MACIP 10 ACLs each with 100+ entries
1029 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1030 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1032 def test_acl_10_X_traffic_ip4(self):
1033 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1036 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1037 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1038 self.BRIDGED, self.IS_IP4)
1040 def test_acl_10_X_traffic_ip6(self):
1041 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1044 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1045 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1046 self.BRIDGED, self.IS_IP6)
1048 def test_acl_replace(self):
1049 """ MACIP replace ACL
1052 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1053 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
1054 self.apply_macip_rules(r1)
1056 acls_before = self.macip_acl_dump_debug()
1058 # replace acls #2, #3 with new
1059 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1060 self.assertEqual(reply.retval, 0)
1061 self.assertEqual(reply.acl_index, 2)
1062 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1063 self.assertEqual(reply.retval, 0)
1064 self.assertEqual(reply.acl_index, 3)
1066 acls_after = self.macip_acl_dump_debug()
1069 self.assertEqual(len(acls_before), len(acls_after))
1070 for acl1, acl2 in zip(
1071 acls_before[:2]+acls_before[4:],
1072 acls_after[:2]+acls_after[4:]):
1073 self.assertEqual(len(acl1), len(acl2))
1075 self.assertEqual(len(acl1.r), len(acl2.r))
1076 for r1, r2 in zip(acl1.r, acl2.r):
1077 self.assertEqual(len(acl1.r), len(acl2.r))
1078 self.assertEqual(acl1.r, acl2.r)
1079 for acl1, acl2 in zip(
1082 self.assertEqual(len(acl1), len(acl2))
1084 self.assertNotEqual(len(acl1.r), len(acl2.r))
1085 for r1, r2 in zip(acl1.r, acl2.r):
1086 self.assertNotEqual(len(acl1.r), len(acl2.r))
1087 self.assertNotEqual(acl1.r, acl2.r)
1089 def test_delete_intf(self):
1090 """ MACIP ACL delete intf with acl
1093 intf_count = len(self.interfaces)+1
1095 self.apply_macip_rules(self.create_rules(acl_count=3,
1096 rules_count=[3, 5, 4]))
1098 intf.append(VppLoInterface(self))
1099 intf.append(VppLoInterface(self))
1101 sw_if_index0 = intf[0].sw_if_index
1102 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1104 reply = self.vapi.macip_acl_interface_get()
1105 self.assertEqual(reply.count, intf_count+1)
1106 self.assertEqual(reply.acls[sw_if_index0], 1)
1108 sw_if_index1 = intf[1].sw_if_index
1109 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1111 reply = self.vapi.macip_acl_interface_get()
1112 self.assertEqual(reply.count, intf_count+2)
1113 self.assertEqual(reply.acls[sw_if_index1], 0)
1115 intf[0].remove_vpp_config()
1116 reply = self.vapi.macip_acl_interface_get()
1117 self.assertEqual(reply.count, intf_count+2)
1118 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1119 self.assertEqual(reply.acls[sw_if_index1], 0)
1121 intf.append(VppLoInterface(self))
1122 intf.append(VppLoInterface(self))
1123 sw_if_index2 = intf[2].sw_if_index
1124 sw_if_index3 = intf[3].sw_if_index
1125 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1126 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1128 reply = self.vapi.macip_acl_interface_get()
1129 self.assertEqual(reply.count, intf_count+3)
1130 self.assertEqual(reply.acls[sw_if_index1], 0)
1131 self.assertEqual(reply.acls[sw_if_index2], 1)
1132 self.assertEqual(reply.acls[sw_if_index3], 1)
1133 self.logger.info("MACIP ACL on multiple interfaces:")
1134 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1135 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1136 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1137 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1138 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
1140 intf[2].remove_vpp_config()
1141 intf[1].remove_vpp_config()
1143 reply = self.vapi.macip_acl_interface_get()
1144 self.assertEqual(reply.count, intf_count+3)
1145 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1146 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1147 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1148 self.assertEqual(reply.acls[sw_if_index3], 1)
1150 intf[3].remove_vpp_config()
1151 reply = self.vapi.macip_acl_interface_get()
1153 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1156 class TestACL_dot1q_bridged(MethodHolder):
1157 """ACL on dot1q bridged subinterfaces Tests"""
1159 def test_acl_bridged_ip4_subif_dot1q(self):
1160 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1161 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1162 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1164 def test_acl_bridged_ip6_subif_dot1q(self):
1165 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1166 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1167 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1170 class TestACL_dot1ad_bridged(MethodHolder):
1171 """ACL on dot1ad bridged subinterfaces Tests"""
1173 def test_acl_bridged_ip4_subif_dot1ad(self):
1174 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1175 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1176 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1178 def test_acl_bridged_ip6_subif_dot1ad(self):
1179 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1180 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1181 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1184 class TestACL_dot1q_routed(MethodHolder):
1185 """ACL on dot1q routed subinterfaces Tests"""
1187 def test_acl_routed_ip4_subif_dot1q(self):
1188 """ IP4 ACL SubIf Dot1Q routed traffic"""
1189 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1190 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1192 def test_acl_routed_ip6_subif_dot1q(self):
1193 """ IP6 ACL SubIf Dot1Q routed traffic"""
1194 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1195 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1197 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1198 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1199 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1200 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1201 permit_tags=self.DENY_TAGS)
1203 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1204 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1205 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1206 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1207 permit_tags=self.DENY_TAGS)
1210 class TestACL_dot1ad_routed(MethodHolder):
1211 """ACL on dot1ad routed subinterfaces Tests"""
1213 def test_acl_routed_ip6_subif_dot1ad(self):
1214 """ IP6 ACL SubIf Dot1AD routed traffic"""
1215 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1216 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1218 def test_acl_routed_ip4_subif_dot1ad(self):
1219 """ IP4 ACL SubIf Dot1AD routed traffic"""
1220 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1221 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1223 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1224 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1225 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1226 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1227 permit_tags=self.DENY_TAGS)
1229 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1230 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1231 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1232 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1233 permit_tags=self.DENY_TAGS)
1236 if __name__ == '__main__':
1237 unittest.main(testRunner=VppTestRunner)