2 from __future__ import print_function
3 """ACL plugin - MACIP tests
8 from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
9 from struct import pack, unpack
14 from scapy.packet import Raw
15 from scapy.layers.l2 import Ether
16 from scapy.layers.inet import IP, UDP
17 from scapy.layers.inet6 import IPv6
19 from framework import VppTestCase, VppTestRunner, running_extended_tests
20 from vpp_lo_interface import VppLoInterface
21 from vpp_l2 import L2_PORT_TYPE
22 from vpp_sub_interface import L2_VTR_OP, VppSubInterface, VppDot1QSubint, \
26 class MethodHolder(VppTestCase):
58 Perform standard class setup (defined by class method setUpClass in
59 class VppTestCase) before running the test case, set test case related
60 variables and configure VPP.
62 super(MethodHolder, cls).setUpClass()
64 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
66 cls.remote_hosts_count = 200
69 # create 4 pg interfaces, 1 loopback interface
70 cls.create_pg_interfaces(range(4))
71 cls.create_loopback_interfaces(1)
73 # create 2 subinterfaces
75 VppDot1QSubint(cls, cls.pg1, 10),
76 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
77 VppDot1QSubint(cls, cls.pg3, 30),
78 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
80 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
82 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
83 outer=300, inner=400, push1q=1)
84 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
86 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
87 outer=600, inner=700, push1q=1)
89 cls.interfaces = list(cls.pg_interfaces)
90 cls.interfaces.extend(cls.lo_interfaces)
91 cls.interfaces.extend(cls.subifs)
93 for i in cls.interfaces:
96 # Create BD with MAC learning enabled and put interfaces to this BD
97 cls.vapi.sw_interface_set_l2_bridge(
98 rx_sw_if_index=cls.loop0.sw_if_index, bd_id=cls.bd_id,
99 port_type=L2_PORT_TYPE.BVI)
100 cls.vapi.sw_interface_set_l2_bridge(
101 rx_sw_if_index=cls.pg0.sw_if_index, bd_id=cls.bd_id)
102 cls.vapi.sw_interface_set_l2_bridge(
103 rx_sw_if_index=cls.pg1.sw_if_index, bd_id=cls.bd_id)
104 cls.vapi.sw_interface_set_l2_bridge(
105 rx_sw_if_index=cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
106 cls.vapi.sw_interface_set_l2_bridge(
107 rx_sw_if_index=cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
109 # Configure IPv4/6 addresses on loop interface and routed interface
110 cls.loop0.config_ip4()
111 cls.loop0.config_ip6()
117 # Configure MAC address binding to IPv4 neighbors on loop0
118 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
119 # Modify host mac addresses to have different OUI parts
120 for i in range(2, cls.remote_hosts_count + 2):
121 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
122 mac[2] = format(int(mac[2], 16) + i, "02x")
123 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
125 cls.loop0.configure_ipv4_neighbors()
126 cls.loop0.configure_ipv6_neighbors()
128 # configure MAC address on pg3
129 cls.pg3.resolve_arp()
130 cls.pg3.resolve_ndp()
132 # configure MAC address on subifs
138 # configure MAC address on pg2
139 cls.pg2.resolve_arp()
140 cls.pg2.resolve_ndp()
142 # Loopback BVI interface has remote hosts
143 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
144 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
145 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
146 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
147 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
148 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
151 super(MethodHolder, cls).tearDownClass()
155 def tearDownClass(cls):
156 super(MethodHolder, cls).tearDownClass()
159 super(MethodHolder, self).setUp()
160 self.reset_packet_infos()
164 super(MethodHolder, self).tearDown()
167 def show_commands_at_teardown(self):
168 self.logger.info(self.vapi.ppcli("show interface address"))
169 self.logger.info(self.vapi.ppcli("show hardware"))
170 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
171 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
172 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
173 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
174 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
175 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
176 # print(self.vapi.ppcli("show interface address"))
177 # print(self.vapi.ppcli("show hardware"))
178 # print(self.vapi.ppcli("sh acl-plugin macip interface"))
179 # print(self.vapi.ppcli("sh acl-plugin macip acl"))
181 def macip_acl_dump_debug(self):
182 acls = self.vapi.macip_acl_dump()
185 print("ACL #"+str(acl.acl_index))
190 elif r.is_permit == 0:
192 print(" IP6" if r.is_ipv6 else " IP4",
194 binascii.hexlify(r.src_mac),
195 binascii.hexlify(r.src_mac_mask),
196 unpack('<16B', r.src_ip_addr),
200 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
201 acl_count=1, rules_count=None):
203 if rules_count is None:
205 src_mac = int("220000dead00", 16)
206 for acl in range(2, (acl_count+1) * 2):
208 host = random.choice(self.loop0.remote_hosts)
210 ip4 = host.ip4.split('.')
211 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
213 if ip_type == self.EXACT_IP:
216 elif ip_type == self.WILD_IP:
218 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
221 rules_count[(acl / 2) - 1] = 1
226 if mac_type == self.EXACT_MAC:
227 mask = "ff:ff:ff:ff:ff:ff"
228 elif mac_type == self.WILD_MAC:
229 mask = "00:00:00:00:00:00"
230 elif mac_type == self.OUI_MAC:
231 mask = "ff:ff:ff:00:00:00"
233 mask = "ff:ff:ff:ff:ff:00"
235 ip = ip6 if is_ip6 else ip4
236 ip_len = prefix_len6 if is_ip6 else prefix_len4
238 for i in range(0, rules_count[(acl / 2) - 1]):
240 if mac_type == self.WILD_MAC:
241 mac = "00:00:00:00:00:00"
242 elif mac_type == self.OUI_MAC:
243 mac = ':'.join(re.findall('..', '{:02x}'.format(
244 src_mac))[:3])+":00:00:00"
246 mac = ':'.join(re.findall(
247 '..', '{:02x}'.format(src_mac)))
249 if ip_type == self.EXACT_IP:
250 ip4[3] = random.randint(100, 200)
251 ip6[15] = random.randint(100, 200)
252 elif ip_type == self.SUBNET_IP:
253 ip4[2] = random.randint(100, 200)
255 ip6[8] = random.randint(100, 200)
258 for j in range(0, len(ip)):
259 ip_pack += pack('<B', int(ip[j]))
261 rule = ({'is_permit': self.PERMIT,
263 'src_ip_addr': ip_pack,
264 'src_ip_prefix_len': ip_len,
265 'src_mac': binascii.unhexlify(mac.replace(':', '')),
266 'src_mac_mask': binascii.unhexlify(
267 mask.replace(':', ''))})
269 if ip_type == self.WILD_IP:
273 src_mac += 1099511627776
276 def apply_macip_rules(self, acls):
278 reply = self.vapi.macip_acl_add(acl)
279 self.assertEqual(reply.retval, 0)
280 self.ACLS.append(reply.acl_index)
282 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
283 reply = self.macip_acl_dump_debug()
284 for acl in range(2, (acl_count+1) * 2):
285 self.assertEqual(reply[acl - 2].count, rules_count[acl//2-1])
287 self.vapi.macip_acl_interface_get()
289 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
290 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
292 reply = self.vapi.macip_acl_interface_get()
293 self.assertEqual(reply.count, expected_count)
295 def delete_acls(self):
296 for acl in range(len(self.ACLS)-1, -1, -1):
297 self.vapi.macip_acl_del(self.ACLS[acl])
299 reply = self.vapi.macip_acl_dump()
300 self.assertEqual(len(reply), 0)
302 intf_acls = self.vapi.acl_interface_list_dump()
303 for i_a in intf_acls:
304 sw_if_index = i_a.sw_if_index
305 for acl_index in i_a.acls:
306 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
307 self.vapi.acl_del(acl_index)
309 def create_stream(self, mac_type, ip_type, packet_count,
310 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
311 # exact MAC and exact IP
312 # exact MAC and subnet of IPs
313 # exact MAC and wildcard IP
314 # wildcard MAC and exact IP
315 # wildcard MAC and subnet of IPs
316 # wildcard MAC and wildcard IP
317 # OUI restricted MAC and exact IP
318 # OUI restricted MAC and subnet of IPs
319 # OUI restricted MAC and wildcard IP
327 mac_rule = "00:00:00:00:00:00"
328 mac_mask = "00:00:00:00:00:00"
329 for p in range(0, packet_count):
330 remote_dst_index = p % len(dst_if.remote_hosts)
331 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
335 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
336 denyMAC = True if not is_permit and p % 3 == 1 else False
337 denyIP = True if not is_permit and p % 3 == 2 else False
338 if not is_permit and ip_type == self.WILD_IP:
340 if not is_permit and mac_type == self.WILD_MAC:
343 if traffic == self.BRIDGED:
345 src_mac = remote_dst_host._mac
346 dst_mac = 'de:ad:00:00:00:00'
347 src_ip4 = remote_dst_host.ip4
348 dst_ip4 = src_if.remote_ip4
349 src_ip6 = remote_dst_host.ip6
350 dst_ip6 = src_if.remote_ip6
351 ip_permit = src_ip6 if is_ip6 else src_ip4
354 mac = src_mac.split(':')
355 mac[0] = format(int(mac[0], 16)+1, "02x")
356 src_mac = ":".join(mac)
362 if ip_type != self.WILD_IP:
364 src_ip4 = remote_dst_host.ip4
365 dst_ip4 = src_if.remote_ip4
366 src_ip6 = remote_dst_host.ip6
367 dst_ip6 = src_if.remote_ip6
370 src_mac = remote_dst_host._mac
371 dst_mac = src_if.local_mac
372 src_ip4 = src_if.remote_ip4
373 dst_ip4 = remote_dst_host.ip4
374 src_ip6 = src_if.remote_ip6
375 dst_ip6 = remote_dst_host.ip6
376 ip_permit = src_ip6 if is_ip6 else src_ip4
379 mac = src_mac.split(':')
380 mac[0] = format(int(mac[0], 16) + 1, "02x")
381 src_mac = ":".join(mac)
387 src_mac = remote_dst_host._mac
388 if ip_type != self.WILD_IP:
390 src_ip4 = remote_dst_host.ip4
391 dst_ip4 = src_if.remote_ip4
392 src_ip6 = remote_dst_host.ip6
393 dst_ip6 = src_if.remote_ip6
396 info = self.create_packet_info(src_if, dst_if)
397 payload = self.info_to_payload(info)
399 payload = "to be blocked"
401 if mac_type == self.WILD_MAC:
402 mac = src_mac.split(':')
403 for i in range(1, 5):
404 mac[i] = format(random.randint(0, 255), "02x")
405 src_mac = ":".join(mac)
408 packet = Ether(src=src_mac, dst=dst_mac)
409 ip_rule = src_ip6 if is_ip6 else src_ip4
411 if ip_type != self.EXACT_IP:
412 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
413 if ip_type == self.WILD_IP:
414 sub_ip[0] = random.randint(240, 254)
415 sub_ip[1] = random.randint(230, 239)
416 sub_ip[14] = random.randint(100, 199)
417 sub_ip[15] = random.randint(200, 255)
418 elif ip_type == self.SUBNET_IP:
420 sub_ip[2] = int(sub_ip[2]) + 1
421 sub_ip[14] = random.randint(100, 199)
422 sub_ip[15] = random.randint(200, 255)
423 packed_src_ip6 = b''.join(
424 [scapy.compat.chb(x) for x in sub_ip])
425 src_ip6 = inet_ntop(AF_INET6, packed_src_ip6)
426 packet /= IPv6(src=src_ip6, dst=dst_ip6)
428 if ip_type != self.EXACT_IP:
429 sub_ip = ip_rule.split('.')
430 if ip_type == self.WILD_IP:
431 sub_ip[0] = random.randint(1, 49)
432 sub_ip[1] = random.randint(50, 99)
433 sub_ip[2] = random.randint(100, 199)
434 sub_ip[3] = random.randint(200, 255)
435 elif ip_type == self.SUBNET_IP:
437 sub_ip[1] = int(sub_ip[1])+1
438 sub_ip[2] = random.randint(100, 199)
439 sub_ip[3] = random.randint(200, 255)
440 src_ip4 = '.'.join(['{!s}'.format(x) for x in sub_ip])
441 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
443 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
445 packet[Raw].load += b" mac:%s" % scapy.compat.raw(src_mac)
447 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
448 if isinstance(src_if, VppSubInterface):
450 if isinstance(src_if, VppDot1QSubint):
451 if src_if is self.subifs[0]:
452 if tags == self.PERMIT_TAGS:
453 packet = src_if.add_dot1q_layer(packet, 10)
455 packet = src_if.add_dot1q_layer(packet, 11)
457 if tags == self.PERMIT_TAGS:
458 packet = src_if.add_dot1q_layer(packet, 30)
460 packet = src_if.add_dot1q_layer(packet, 33)
461 elif isinstance(src_if, VppDot1ADSubint):
462 if src_if is self.subifs[1]:
463 if tags == self.PERMIT_TAGS:
464 packet = src_if.add_dot1ad_layer(packet, 300, 400)
466 packet = src_if.add_dot1ad_layer(packet, 333, 444)
468 if tags == self.PERMIT_TAGS:
469 packet = src_if.add_dot1ad_layer(packet, 600, 700)
471 packet = src_if.add_dot1ad_layer(packet, 666, 777)
472 self.extend_packet(packet, size)
473 packets.append(packet)
475 # create suitable MACIP rule
476 if mac_type == self.EXACT_MAC:
478 mac_mask = "ff:ff:ff:ff:ff:ff"
479 elif mac_type == self.WILD_MAC:
480 mac_rule = "00:00:00:00:00:00"
481 mac_mask = "00:00:00:00:00:00"
482 elif mac_type == self.OUI_MAC:
483 mac = src_mac.split(':')
484 mac[3] = mac[4] = mac[5] = '00'
485 mac_rule = ":".join(mac)
486 mac_mask = "ff:ff:ff:00:00:00"
489 if ip_type == self.WILD_IP:
493 if ip_type == self.SUBNET_IP:
494 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
495 for i in range(8, 16):
497 packed_ip = b''.join(
498 [scapy.compat.chb(x) for x in sub_ip])
499 ip = inet_ntop(AF_INET6, packed_ip)
501 if ip_type == self.WILD_IP:
505 if ip_type == self.SUBNET_IP:
506 sub_ip = ip.split('.')
507 sub_ip[2] = sub_ip[3] = '0'
508 ip = ".".join(sub_ip)
510 prefix_len = 128 if is_ip6 else 32
511 if ip_type == self.WILD_IP:
513 elif ip_type == self.SUBNET_IP:
514 prefix_len = 64 if is_ip6 else 16
515 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
517 # create suitable ACL rule
519 rule_l4_sport = packet[UDP].sport
520 rule_l4_dport = packet[UDP].dport
521 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
522 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
523 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
524 if packet.haslayer(IPv6):
525 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
527 rule_l4_proto = packet[IP].proto
530 'is_permit': is_permit,
532 'src_ip_addr': inet_pton(rule_family,
533 packet[rule_l3_layer].src),
534 'src_ip_prefix_len': rule_prefix_len,
535 'dst_ip_addr': inet_pton(rule_family,
536 packet[rule_l3_layer].dst),
537 'dst_ip_prefix_len': rule_prefix_len,
538 'srcport_or_icmptype_first': rule_l4_sport,
539 'srcport_or_icmptype_last': rule_l4_sport,
540 'dstport_or_icmpcode_first': rule_l4_dport,
541 'dstport_or_icmpcode_last': rule_l4_dport,
542 'proto': rule_l4_proto}
543 acl_rules.append(acl_rule)
545 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
550 'is_permit': is_permit,
552 'src_ip_addr': ip_rule,
553 'src_ip_prefix_len': prefix_len,
554 'src_mac': binascii.unhexlify(mac_rule.replace(':', '')),
555 'src_mac_mask': binascii.unhexlify(
556 mac_mask.replace(':', ''))})
557 macip_rules.append(macip_rule)
559 # deny all other packets
560 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
561 macip_rule = ({'is_permit': 0,
564 'src_ip_prefix_len': 0,
567 macip_rules.append(macip_rule)
569 acl_rule = {'is_permit': 0,
571 acl_rules.append(acl_rule)
572 return {'stream': packets,
573 'macip_rules': macip_rules,
574 'acl_rules': acl_rules}
576 def verify_capture(self, stream, capture, is_ip6):
583 # p_l3 = IPv6 if is_ip6 else IP
586 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst)
588 # acls = self.macip_acl_dump_debug()
593 # print(binascii.hexlify(r.src_mac), \
594 # binascii.hexlify(r.src_mac_mask),\
595 # unpack('<16B', r.src_ip_addr), \
596 # r.src_ip_prefix_len)
599 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
600 # data = p[Raw].load.split(':',1)[1])
601 # print(p[p_l3].src, data)
603 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
604 do_not_expected_capture=False, tags=None,
605 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
607 self.reset_packet_infos()
610 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
611 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
615 if tags == self.DOT1Q:
616 if traffic == self.BRIDGED:
617 tx_if = self.subifs[0]
619 src_if = self.subifs[0]
622 tx_if = self.subifs[2]
624 src_if = self.subifs[2]
626 elif tags == self.DOT1AD:
627 if traffic == self.BRIDGED:
628 tx_if = self.subifs[1]
630 src_if = self.subifs[1]
633 tx_if = self.subifs[3]
635 src_if = self.subifs[3]
640 test_dict = self.create_stream(mac_type, ip_type, packets,
647 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
649 reply = self.vapi.acl_add_replace(acl_index=4294967295,
650 r=test_dict['acl_rules'])
651 self.assertEqual(reply.retval, 0)
652 acl_index = reply.acl_index
655 self.vapi.macip_acl_interface_add_del(
656 sw_if_index=tx_if.sw_if_index,
658 reply = self.vapi.macip_acl_interface_get()
659 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
660 self.ACLS.append(reply.acls[tx_if.sw_if_index])
662 self.vapi.acl_interface_add_del(
663 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
665 self.vapi.macip_acl_interface_add_del(
666 sw_if_index=tx_if.sw_if_index,
670 reply = self.vapi.macip_acl_add_replace(
671 test_dict['macip_rules'],
674 reply = self.vapi.acl_add_replace(acl_index=acl_index,
675 r=test_dict['acl_rules'])
676 self.assertEqual(reply.retval, 0)
678 if not isinstance(src_if, VppSubInterface):
679 tx_if.add_stream(test_dict['stream'])
681 tx_if.parent.add_stream(test_dict['stream'])
682 self.pg_enable_capture(self.pg_interfaces)
685 if do_not_expected_capture:
688 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
689 ip_type == self.WILD_IP:
690 capture = rx_if.get_capture(packets)
692 capture = rx_if.get_capture(
693 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
694 self.verify_capture(test_dict['stream'], capture, is_ip6)
696 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
697 acl_index=acl_index, is_add=0)
698 self.vapi.acl_del(acl_index)
700 def run_test_acls(self, mac_type, ip_type, acl_count,
701 rules_count, traffic=None, ip=None):
702 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
704 self.verify_macip_acls(acl_count, rules_count)
706 if traffic is not None:
707 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
710 class TestMACIP_IP4(MethodHolder):
711 """MACIP with IP4 traffic"""
715 super(TestMACIP_IP4, cls).setUpClass()
718 def tearDownClass(cls):
719 super(TestMACIP_IP4, cls).tearDownClass()
721 def test_acl_bridged_ip4_exactMAC_exactIP(self):
722 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
724 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
725 self.BRIDGED, self.IS_IP4, 9)
727 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
728 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
731 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
732 self.BRIDGED, self.IS_IP4, 9)
734 def test_acl_bridged_ip4_exactMAC_wildIP(self):
735 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
738 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
739 self.BRIDGED, self.IS_IP4, 9)
741 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
742 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
745 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
746 self.BRIDGED, self.IS_IP4, 3)
748 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
749 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
752 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
753 self.BRIDGED, self.IS_IP4, 9)
755 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
756 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
759 self.run_traffic(self.OUI_MAC, self.WILD_IP,
760 self.BRIDGED, self.IS_IP4, 9)
762 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
763 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
766 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
767 self.BRIDGED, self.IS_IP4, 9)
769 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
770 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
773 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
774 self.BRIDGED, self.IS_IP4, 9)
776 def test_acl_bridged_ip4_wildMAC_wildIP(self):
777 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
780 self.run_traffic(self.WILD_MAC, self.WILD_IP,
781 self.BRIDGED, self.IS_IP4, 9)
783 def test_acl_routed_ip4_exactMAC_exactIP(self):
784 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
786 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
787 self.ROUTED, self.IS_IP4, 9)
789 def test_acl_routed_ip4_exactMAC_subnetIP(self):
790 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
792 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
793 self.ROUTED, self.IS_IP4, 9)
795 def test_acl_routed_ip4_exactMAC_wildIP(self):
796 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
798 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
799 self.ROUTED, self.IS_IP4, 9)
801 def test_acl_routed_ip4_ouiMAC_exactIP(self):
802 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
805 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
806 self.ROUTED, self.IS_IP4, 9)
808 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
809 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
812 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
813 self.ROUTED, self.IS_IP4, 9)
815 def test_acl_routed_ip4_ouiMAC_wildIP(self):
816 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
819 self.run_traffic(self.OUI_MAC, self.WILD_IP,
820 self.ROUTED, self.IS_IP4, 9)
822 def test_acl_routed_ip4_wildMAC_exactIP(self):
823 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
826 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
827 self.ROUTED, self.IS_IP4, 9)
829 def test_acl_routed_ip4_wildMAC_subnetIP(self):
830 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
833 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
834 self.ROUTED, self.IS_IP4, 9)
836 def test_acl_routed_ip4_wildMAC_wildIP(self):
837 """ IP4 MACIP wildcardMAC|wildIP ACL
840 self.run_traffic(self.WILD_MAC, self.WILD_IP,
841 self.ROUTED, self.IS_IP4, 9)
843 def test_acl_replace_traffic_ip4(self):
844 """ MACIP replace ACL with IP4 traffic
846 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
847 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
848 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
849 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
852 class TestMACIP_IP6(MethodHolder):
853 """MACIP with IP6 traffic"""
857 super(TestMACIP_IP6, cls).setUpClass()
860 def tearDownClass(cls):
861 super(TestMACIP_IP6, cls).tearDownClass()
863 def test_acl_bridged_ip6_exactMAC_exactIP(self):
864 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
867 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
868 self.BRIDGED, self.IS_IP6, 9)
870 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
871 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
874 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
875 self.BRIDGED, self.IS_IP6, 9)
877 def test_acl_bridged_ip6_exactMAC_wildIP(self):
878 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
881 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
882 self.BRIDGED, self.IS_IP6, 9)
884 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
885 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
888 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
889 self.BRIDGED, self.IS_IP6, 9)
891 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
892 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
895 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
896 self.BRIDGED, self.IS_IP6, 9)
898 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
899 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
902 self.run_traffic(self.OUI_MAC, self.WILD_IP,
903 self.BRIDGED, self.IS_IP6, 9)
905 def test_acl_bridged_ip6_wildMAC_exactIP(self):
906 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
909 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
910 self.BRIDGED, self.IS_IP6, 9)
912 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
913 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
916 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
917 self.BRIDGED, self.IS_IP6, 9)
919 def test_acl_bridged_ip6_wildMAC_wildIP(self):
920 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
923 self.run_traffic(self.WILD_MAC, self.WILD_IP,
924 self.BRIDGED, self.IS_IP6, 9)
926 def test_acl_routed_ip6_exactMAC_exactIP(self):
927 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
930 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
931 self.ROUTED, self.IS_IP6, 9)
933 def test_acl_routed_ip6_exactMAC_subnetIP(self):
934 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
937 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
938 self.ROUTED, self.IS_IP6, 9)
940 def test_acl_routed_ip6_exactMAC_wildIP(self):
941 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
944 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
945 self.ROUTED, self.IS_IP6, 9)
947 def test_acl_routed_ip6_ouiMAC_exactIP(self):
948 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
951 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
952 self.ROUTED, self.IS_IP6, 9)
954 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
955 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
958 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
959 self.ROUTED, self.IS_IP6, 9)
961 def test_acl_routed_ip6_ouiMAC_wildIP(self):
962 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
965 self.run_traffic(self.OUI_MAC, self.WILD_IP,
966 self.ROUTED, self.IS_IP6, 9)
968 def test_acl_routed_ip6_wildMAC_exactIP(self):
969 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
972 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
973 self.ROUTED, self.IS_IP6, 9)
975 def test_acl_routed_ip6_wildMAC_subnetIP(self):
976 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
979 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
980 self.ROUTED, self.IS_IP6, 9)
982 def test_acl_routed_ip6_wildMAC_wildIP(self):
983 """ IP6 MACIP wildcardMAC|wildIP ACL
986 self.run_traffic(self.WILD_MAC, self.WILD_IP,
987 self.ROUTED, self.IS_IP6, 9)
989 def test_acl_replace_traffic_ip6(self):
990 """ MACIP replace ACL with IP6 traffic
992 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
993 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
994 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
995 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
998 class TestMACIP(MethodHolder):
1002 def setUpClass(cls):
1003 super(TestMACIP, cls).setUpClass()
1006 def tearDownClass(cls):
1007 super(TestMACIP, cls).tearDownClass()
1009 def test_acl_1_2(self):
1010 """ MACIP ACL with 2 entries
1013 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
1015 def test_acl_1_5(self):
1016 """ MACIP ACL with 5 entries
1019 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
1021 def test_acl_1_10(self):
1022 """ MACIP ACL with 10 entries
1025 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
1027 def test_acl_1_20(self):
1028 """ MACIP ACL with 20 entries
1031 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
1033 def test_acl_1_50(self):
1034 """ MACIP ACL with 50 entries
1037 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1039 def test_acl_1_100(self):
1040 """ MACIP ACL with 100 entries
1043 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1045 def test_acl_2_X(self):
1046 """ MACIP 2 ACLs each with 100+ entries
1049 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1051 def test_acl_10_X(self):
1052 """ MACIP 10 ACLs each with 100+ entries
1055 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1056 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1058 def test_acl_10_X_traffic_ip4(self):
1059 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1062 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1063 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1064 self.BRIDGED, self.IS_IP4)
1066 def test_acl_10_X_traffic_ip6(self):
1067 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1070 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1071 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1072 self.BRIDGED, self.IS_IP6)
1074 def test_acl_replace(self):
1075 """ MACIP replace ACL
1078 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1079 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
1080 self.apply_macip_rules(r1)
1082 acls_before = self.macip_acl_dump_debug()
1084 # replace acls #2, #3 with new
1085 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1086 self.assertEqual(reply.retval, 0)
1087 self.assertEqual(reply.acl_index, 2)
1088 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1089 self.assertEqual(reply.retval, 0)
1090 self.assertEqual(reply.acl_index, 3)
1092 acls_after = self.macip_acl_dump_debug()
1095 self.assertEqual(len(acls_before), len(acls_after))
1096 for acl1, acl2 in zip(
1097 acls_before[:2]+acls_before[4:],
1098 acls_after[:2]+acls_after[4:]):
1099 self.assertEqual(len(acl1), len(acl2))
1101 self.assertEqual(len(acl1.r), len(acl2.r))
1102 for r1, r2 in zip(acl1.r, acl2.r):
1103 self.assertEqual(len(acl1.r), len(acl2.r))
1104 self.assertEqual(acl1.r, acl2.r)
1105 for acl1, acl2 in zip(
1108 self.assertEqual(len(acl1), len(acl2))
1110 self.assertNotEqual(len(acl1.r), len(acl2.r))
1111 for r1, r2 in zip(acl1.r, acl2.r):
1112 self.assertNotEqual(len(acl1.r), len(acl2.r))
1113 self.assertNotEqual(acl1.r, acl2.r)
1115 def test_delete_intf(self):
1116 """ MACIP ACL delete intf with acl
1119 intf_count = len(self.interfaces)+1
1121 self.apply_macip_rules(self.create_rules(acl_count=3,
1122 rules_count=[3, 5, 4]))
1124 intf.append(VppLoInterface(self))
1125 intf.append(VppLoInterface(self))
1127 sw_if_index0 = intf[0].sw_if_index
1128 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1130 reply = self.vapi.macip_acl_interface_get()
1131 self.assertEqual(reply.count, intf_count+1)
1132 self.assertEqual(reply.acls[sw_if_index0], 1)
1134 sw_if_index1 = intf[1].sw_if_index
1135 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1137 reply = self.vapi.macip_acl_interface_get()
1138 self.assertEqual(reply.count, intf_count+2)
1139 self.assertEqual(reply.acls[sw_if_index1], 0)
1141 intf[0].remove_vpp_config()
1142 reply = self.vapi.macip_acl_interface_get()
1143 self.assertEqual(reply.count, intf_count+2)
1144 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1145 self.assertEqual(reply.acls[sw_if_index1], 0)
1147 intf.append(VppLoInterface(self))
1148 intf.append(VppLoInterface(self))
1149 sw_if_index2 = intf[2].sw_if_index
1150 sw_if_index3 = intf[3].sw_if_index
1151 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1152 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1154 reply = self.vapi.macip_acl_interface_get()
1155 self.assertEqual(reply.count, intf_count+3)
1156 self.assertEqual(reply.acls[sw_if_index1], 0)
1157 self.assertEqual(reply.acls[sw_if_index2], 1)
1158 self.assertEqual(reply.acls[sw_if_index3], 1)
1159 self.logger.info("MACIP ACL on multiple interfaces:")
1160 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1161 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1162 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1163 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1164 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
1166 intf[2].remove_vpp_config()
1167 intf[1].remove_vpp_config()
1169 reply = self.vapi.macip_acl_interface_get()
1170 self.assertEqual(reply.count, intf_count+3)
1171 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1172 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1173 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1174 self.assertEqual(reply.acls[sw_if_index3], 1)
1176 intf[3].remove_vpp_config()
1177 reply = self.vapi.macip_acl_interface_get()
1179 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1182 class TestACL_dot1q_bridged(MethodHolder):
1183 """ACL on dot1q bridged subinterfaces Tests"""
1186 def setUpClass(cls):
1187 super(TestACL_dot1q_bridged, cls).setUpClass()
1190 def tearDownClass(cls):
1191 super(TestACL_dot1q_bridged, cls).tearDownClass()
1193 def test_acl_bridged_ip4_subif_dot1q(self):
1194 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1195 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1196 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1198 def test_acl_bridged_ip6_subif_dot1q(self):
1199 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1200 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1201 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1204 class TestACL_dot1ad_bridged(MethodHolder):
1205 """ACL on dot1ad bridged subinterfaces Tests"""
1208 def setUpClass(cls):
1209 super(TestACL_dot1ad_bridged, cls).setUpClass()
1212 def tearDownClass(cls):
1213 super(TestACL_dot1ad_bridged, cls).tearDownClass()
1215 def test_acl_bridged_ip4_subif_dot1ad(self):
1216 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1217 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1218 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1220 def test_acl_bridged_ip6_subif_dot1ad(self):
1221 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1222 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1223 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1226 class TestACL_dot1q_routed(MethodHolder):
1227 """ACL on dot1q routed subinterfaces Tests"""
1230 def setUpClass(cls):
1231 super(TestACL_dot1q_routed, cls).setUpClass()
1234 def tearDownClass(cls):
1235 super(TestACL_dot1q_routed, cls).tearDownClass()
1237 def test_acl_routed_ip4_subif_dot1q(self):
1238 """ IP4 ACL SubIf Dot1Q routed traffic"""
1239 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1240 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1242 def test_acl_routed_ip6_subif_dot1q(self):
1243 """ IP6 ACL SubIf Dot1Q routed traffic"""
1244 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1245 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1247 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1248 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1249 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1250 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1251 permit_tags=self.DENY_TAGS)
1253 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1254 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1255 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1256 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1257 permit_tags=self.DENY_TAGS)
1260 class TestACL_dot1ad_routed(MethodHolder):
1261 """ACL on dot1ad routed subinterfaces Tests"""
1264 def setUpClass(cls):
1265 super(TestACL_dot1ad_routed, cls).setUpClass()
1268 def tearDownClass(cls):
1269 super(TestACL_dot1ad_routed, cls).tearDownClass()
1271 def test_acl_routed_ip6_subif_dot1ad(self):
1272 """ IP6 ACL SubIf Dot1AD routed traffic"""
1273 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1274 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1276 def test_acl_routed_ip4_subif_dot1ad(self):
1277 """ IP4 ACL SubIf Dot1AD routed traffic"""
1278 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1279 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1281 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1282 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1283 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1284 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1285 permit_tags=self.DENY_TAGS)
1287 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1288 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1289 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1290 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1291 permit_tags=self.DENY_TAGS)
1294 if __name__ == '__main__':
1295 unittest.main(testRunner=VppTestRunner)