2 from __future__ import print_function
3 """ACL plugin - MACIP tests
10 from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
12 from scapy.packet import Raw
13 from scapy.layers.l2 import Ether
14 from scapy.layers.inet import IP, UDP
15 from scapy.layers.inet6 import IPv6
17 from framework import VppTestCase, VppTestRunner, running_extended_tests
18 from vpp_lo_interface import VppLoInterface
19 from vpp_papi_provider import L2_VTR_OP
20 from vpp_sub_interface import VppSubInterface, VppDot1QSubint, VppDot1ADSubint
21 from vpp_papi_provider import L2_PORT_TYPE
24 class MethodHolder(VppTestCase):
56 Perform standard class setup (defined by class method setUpClass in
57 class VppTestCase) before running the test case, set test case related
58 variables and configure VPP.
60 super(MethodHolder, cls).setUpClass()
62 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
64 cls.remote_hosts_count = 200
67 # create 4 pg interfaces, 1 loopback interface
68 cls.create_pg_interfaces(range(4))
69 cls.create_loopback_interfaces(1)
71 # create 2 subinterfaces
73 VppDot1QSubint(cls, cls.pg1, 10),
74 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
75 VppDot1QSubint(cls, cls.pg3, 30),
76 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
78 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
80 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
81 outer=300, inner=400, push1q=1)
82 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
84 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
85 outer=600, inner=700, push1q=1)
87 cls.interfaces = list(cls.pg_interfaces)
88 cls.interfaces.extend(cls.lo_interfaces)
89 cls.interfaces.extend(cls.subifs)
91 for i in cls.interfaces:
94 # Create BD with MAC learning enabled and put interfaces to this BD
95 cls.vapi.sw_interface_set_l2_bridge(
96 cls.loop0.sw_if_index, bd_id=cls.bd_id,
97 port_type=L2_PORT_TYPE.BVI)
98 cls.vapi.sw_interface_set_l2_bridge(
99 cls.pg0.sw_if_index, bd_id=cls.bd_id)
100 cls.vapi.sw_interface_set_l2_bridge(
101 cls.pg1.sw_if_index, bd_id=cls.bd_id)
102 cls.vapi.sw_interface_set_l2_bridge(
103 cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
104 cls.vapi.sw_interface_set_l2_bridge(
105 cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
107 # Configure IPv4/6 addresses on loop interface and routed interface
108 cls.loop0.config_ip4()
109 cls.loop0.config_ip6()
115 # Configure MAC address binding to IPv4 neighbors on loop0
116 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
117 # Modify host mac addresses to have different OUI parts
118 for i in range(2, cls.remote_hosts_count + 2):
119 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
120 mac[2] = format(int(mac[2], 16) + i, "02x")
121 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
123 cls.loop0.configure_ipv4_neighbors()
124 cls.loop0.configure_ipv6_neighbors()
126 # configure MAC address on pg3
127 cls.pg3.resolve_arp()
128 cls.pg3.resolve_ndp()
130 # configure MAC address on subifs
136 # configure MAC address on pg2
137 cls.pg2.resolve_arp()
138 cls.pg2.resolve_ndp()
140 # Loopback BVI interface has remote hosts
141 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
142 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
143 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
144 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
145 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
146 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
149 super(MethodHolder, cls).tearDownClass()
153 super(MethodHolder, self).setUp()
154 self.reset_packet_infos()
159 Show various debug prints after each test.
161 super(MethodHolder, self).tearDown()
162 if not self.vpp_dead:
163 self.logger.info(self.vapi.ppcli("show interface address"))
164 self.logger.info(self.vapi.ppcli("show hardware"))
165 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
166 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
167 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
168 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
169 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
170 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
171 # print(self.vapi.ppcli("show interface address"))
172 # print(self.vapi.ppcli("show hardware"))
173 # print(self.vapi.ppcli("sh acl-plugin macip interface"))
174 # print(self.vapi.ppcli("sh acl-plugin macip acl"))
177 def macip_acl_dump_debug(self):
178 acls = self.vapi.macip_acl_dump()
181 print("ACL #"+str(acl.acl_index))
186 elif r.is_permit == 0:
188 print(" IP6" if r.is_ipv6 else " IP4",
190 binascii.hexlify(r.src_mac),
191 binascii.hexlify(r.src_mac_mask),
192 unpack('<16B', r.src_ip_addr),
196 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
197 acl_count=1, rules_count=[1]):
199 src_mac = int("220000dead00", 16)
200 for acl in range(2, (acl_count+1) * 2):
202 host = random.choice(self.loop0.remote_hosts)
204 ip4 = host.ip4.split('.')
205 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
207 if ip_type == self.EXACT_IP:
210 elif ip_type == self.WILD_IP:
212 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
215 rules_count[(acl / 2) - 1] = 1
220 if mac_type == self.EXACT_MAC:
221 mask = "ff:ff:ff:ff:ff:ff"
222 elif mac_type == self.WILD_MAC:
223 mask = "00:00:00:00:00:00"
224 elif mac_type == self.OUI_MAC:
225 mask = "ff:ff:ff:00:00:00"
227 mask = "ff:ff:ff:ff:ff:00"
229 ip = ip6 if is_ip6 else ip4
230 ip_len = prefix_len6 if is_ip6 else prefix_len4
232 for i in range(0, rules_count[(acl / 2) - 1]):
234 if mac_type == self.WILD_MAC:
235 mac = "00:00:00:00:00:00"
236 elif mac_type == self.OUI_MAC:
237 mac = ':'.join(re.findall('..', '{:02x}'.format(
238 src_mac))[:3])+":00:00:00"
240 mac = ':'.join(re.findall('..', '{:02x}'.format(src_mac)))
242 if ip_type == self.EXACT_IP:
243 ip4[3] = random.randint(100, 200)
244 ip6[15] = random.randint(100, 200)
245 elif ip_type == self.SUBNET_IP:
246 ip4[2] = random.randint(100, 200)
248 ip6[8] = random.randint(100, 200)
251 for j in range(0, len(ip)):
252 ip_pack += pack('<B', int(ip[j]))
254 rule = ({'is_permit': self.PERMIT,
256 'src_ip_addr': ip_pack,
257 'src_ip_prefix_len': ip_len,
258 'src_mac': mac.replace(':', '').decode('hex'),
259 'src_mac_mask': mask.replace(':', '').decode('hex')})
261 if ip_type == self.WILD_IP:
265 src_mac += 1099511627776
268 def apply_macip_rules(self, acls):
270 reply = self.vapi.macip_acl_add(acl)
271 self.assertEqual(reply.retval, 0)
272 self.ACLS.append(reply.acl_index)
274 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
275 reply = self.macip_acl_dump_debug()
276 for acl in range(2, (acl_count+1) * 2):
277 self.assertEqual(reply[acl - 2].count, rules_count[acl/2-1])
279 self.vapi.macip_acl_interface_get()
281 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
282 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
284 reply = self.vapi.macip_acl_interface_get()
285 self.assertEqual(reply.count, expected_count)
287 def delete_acls(self):
288 for acl in range(len(self.ACLS)-1, -1, -1):
289 self.vapi.macip_acl_del(self.ACLS[acl])
291 reply = self.vapi.macip_acl_dump()
292 self.assertEqual(len(reply), 0)
294 intf_acls = self.vapi.acl_interface_list_dump()
295 for i_a in intf_acls:
296 sw_if_index = i_a.sw_if_index
297 for acl_index in i_a.acls:
298 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
299 self.vapi.acl_del(acl_index)
301 def create_stream(self, mac_type, ip_type, packet_count,
302 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
303 # exact MAC and exact IP
304 # exact MAC and subnet of IPs
305 # exact MAC and wildcard IP
306 # wildcard MAC and exact IP
307 # wildcard MAC and subnet of IPs
308 # wildcard MAC and wildcard IP
309 # OUI restricted MAC and exact IP
310 # OUI restricted MAC and subnet of IPs
311 # OUI restricted MAC and wildcard IP
319 mac_rule = "00:00:00:00:00:00"
320 mac_mask = "00:00:00:00:00:00"
321 for p in range(0, packet_count):
322 remote_dst_index = p % len(dst_if.remote_hosts)
323 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
327 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
328 denyMAC = True if not is_permit and p % 3 == 1 else False
329 denyIP = True if not is_permit and p % 3 == 2 else False
330 if not is_permit and ip_type == self.WILD_IP:
332 if not is_permit and mac_type == self.WILD_MAC:
335 if traffic == self.BRIDGED:
337 src_mac = remote_dst_host._mac
338 dst_mac = 'de:ad:00:00:00:00'
339 src_ip4 = remote_dst_host.ip4
340 dst_ip4 = src_if.remote_ip4
341 src_ip6 = remote_dst_host.ip6
342 dst_ip6 = src_if.remote_ip6
343 ip_permit = src_ip6 if is_ip6 else src_ip4
346 mac = src_mac.split(':')
347 mac[0] = format(int(mac[0], 16)+1, "02x")
348 src_mac = ":".join(mac)
354 if ip_type != self.WILD_IP:
356 src_ip4 = remote_dst_host.ip4
357 dst_ip4 = src_if.remote_ip4
358 src_ip6 = remote_dst_host.ip6
359 dst_ip6 = src_if.remote_ip6
362 src_mac = remote_dst_host._mac
363 dst_mac = src_if.local_mac
364 src_ip4 = src_if.remote_ip4
365 dst_ip4 = remote_dst_host.ip4
366 src_ip6 = src_if.remote_ip6
367 dst_ip6 = remote_dst_host.ip6
368 ip_permit = src_ip6 if is_ip6 else src_ip4
371 mac = src_mac.split(':')
372 mac[0] = format(int(mac[0], 16) + 1, "02x")
373 src_mac = ":".join(mac)
379 src_mac = remote_dst_host._mac
380 if ip_type != self.WILD_IP:
382 src_ip4 = remote_dst_host.ip4
383 dst_ip4 = src_if.remote_ip4
384 src_ip6 = remote_dst_host.ip6
385 dst_ip6 = src_if.remote_ip6
388 info = self.create_packet_info(src_if, dst_if)
389 payload = self.info_to_payload(info)
391 payload = "to be blocked"
393 if mac_type == self.WILD_MAC:
394 mac = src_mac.split(':')
395 for i in range(1, 5):
396 mac[i] = format(random.randint(0, 255), "02x")
397 src_mac = ":".join(mac)
400 packet = Ether(src=src_mac, dst=dst_mac)
401 ip_rule = src_ip6 if is_ip6 else src_ip4
403 if ip_type != self.EXACT_IP:
404 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
405 if ip_type == self.WILD_IP:
406 sub_ip[0] = random.randint(240, 254)
407 sub_ip[1] = random.randint(230, 239)
408 sub_ip[14] = random.randint(100, 199)
409 sub_ip[15] = random.randint(200, 255)
410 elif ip_type == self.SUBNET_IP:
412 sub_ip[2] = str(int(sub_ip[2]) + 1)
413 sub_ip[14] = random.randint(100, 199)
414 sub_ip[15] = random.randint(200, 255)
415 src_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
416 packet /= IPv6(src=src_ip6, dst=dst_ip6)
418 if ip_type != self.EXACT_IP:
419 sub_ip = ip_rule.split('.')
420 if ip_type == self.WILD_IP:
421 sub_ip[0] = str(random.randint(1, 49))
422 sub_ip[1] = str(random.randint(50, 99))
423 sub_ip[2] = str(random.randint(100, 199))
424 sub_ip[3] = str(random.randint(200, 255))
425 elif ip_type == self.SUBNET_IP:
427 sub_ip[1] = str(int(sub_ip[1])+1)
428 sub_ip[2] = str(random.randint(100, 199))
429 sub_ip[3] = str(random.randint(200, 255))
430 src_ip4 = ".".join(sub_ip)
431 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
433 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
435 packet[Raw].load += " mac:"+src_mac
437 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
438 if isinstance(src_if, VppSubInterface):
440 if isinstance(src_if, VppDot1QSubint):
441 if src_if is self.subifs[0]:
442 if tags == self.PERMIT_TAGS:
443 packet = src_if.add_dot1q_layer(packet, 10)
445 packet = src_if.add_dot1q_layer(packet, 11)
447 if tags == self.PERMIT_TAGS:
448 packet = src_if.add_dot1q_layer(packet, 30)
450 packet = src_if.add_dot1q_layer(packet, 33)
451 elif isinstance(src_if, VppDot1ADSubint):
452 if src_if is self.subifs[1]:
453 if tags == self.PERMIT_TAGS:
454 packet = src_if.add_dot1ad_layer(packet, 300, 400)
456 packet = src_if.add_dot1ad_layer(packet, 333, 444)
458 if tags == self.PERMIT_TAGS:
459 packet = src_if.add_dot1ad_layer(packet, 600, 700)
461 packet = src_if.add_dot1ad_layer(packet, 666, 777)
462 self.extend_packet(packet, size)
463 packets.append(packet)
465 # create suitable MACIP rule
466 if mac_type == self.EXACT_MAC:
468 mac_mask = "ff:ff:ff:ff:ff:ff"
469 elif mac_type == self.WILD_MAC:
470 mac_rule = "00:00:00:00:00:00"
471 mac_mask = "00:00:00:00:00:00"
472 elif mac_type == self.OUI_MAC:
473 mac = src_mac.split(':')
474 mac[3] = mac[4] = mac[5] = '00'
475 mac_rule = ":".join(mac)
476 mac_mask = "ff:ff:ff:00:00:00"
479 if ip_type == self.WILD_IP:
483 if ip_type == self.SUBNET_IP:
484 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
485 for i in range(8, 16):
487 ip = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
489 if ip_type == self.WILD_IP:
493 if ip_type == self.SUBNET_IP:
494 sub_ip = ip.split('.')
495 sub_ip[2] = sub_ip[3] = '0'
496 ip = ".".join(sub_ip)
498 prefix_len = 128 if is_ip6 else 32
499 if ip_type == self.WILD_IP:
501 elif ip_type == self.SUBNET_IP:
502 prefix_len = 64 if is_ip6 else 16
503 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
505 # create suitable ACL rule
507 rule_l4_sport = packet[UDP].sport
508 rule_l4_dport = packet[UDP].dport
509 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
510 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
511 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
512 if packet.haslayer(IPv6):
513 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
515 rule_l4_proto = packet[IP].proto
518 'is_permit': is_permit,
520 'src_ip_addr': inet_pton(rule_family,
521 packet[rule_l3_layer].src),
522 'src_ip_prefix_len': rule_prefix_len,
523 'dst_ip_addr': inet_pton(rule_family,
524 packet[rule_l3_layer].dst),
525 'dst_ip_prefix_len': rule_prefix_len,
526 'srcport_or_icmptype_first': rule_l4_sport,
527 'srcport_or_icmptype_last': rule_l4_sport,
528 'dstport_or_icmpcode_first': rule_l4_dport,
529 'dstport_or_icmpcode_last': rule_l4_dport,
530 'proto': rule_l4_proto}
531 acl_rules.append(acl_rule)
533 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
538 'is_permit': is_permit,
540 'src_ip_addr': ip_rule,
541 'src_ip_prefix_len': prefix_len,
542 'src_mac': mac_rule.replace(':', '').decode('hex'),
543 'src_mac_mask': mac_mask.replace(':', '').decode('hex')})
544 macip_rules.append(macip_rule)
546 # deny all other packets
547 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
548 macip_rule = ({'is_permit': 0,
551 'src_ip_prefix_len': 0,
554 macip_rules.append(macip_rule)
556 acl_rule = {'is_permit': 0,
558 acl_rules.append(acl_rule)
559 return {'stream': packets,
560 'macip_rules': macip_rules,
561 'acl_rules': acl_rules}
563 def verify_capture(self, stream, capture, is_ip6):
570 # p_l3 = IPv6 if is_ip6 else IP
573 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst)
575 # acls = self.macip_acl_dump_debug()
580 # print(binascii.hexlify(r.src_mac), \
581 # binascii.hexlify(r.src_mac_mask),\
582 # unpack('<16B', r.src_ip_addr), \
583 # r.src_ip_prefix_len)
586 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
587 # data = p[Raw].load.split(':',1)[1])
588 # print(p[p_l3].src, data)
590 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
591 do_not_expected_capture=False, tags=None,
592 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
594 self.reset_packet_infos()
597 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
598 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
602 if tags == self.DOT1Q:
603 if traffic == self.BRIDGED:
604 tx_if = self.subifs[0]
606 src_if = self.subifs[0]
609 tx_if = self.subifs[2]
611 src_if = self.subifs[2]
613 elif tags == self.DOT1AD:
614 if traffic == self.BRIDGED:
615 tx_if = self.subifs[1]
617 src_if = self.subifs[1]
620 tx_if = self.subifs[3]
622 src_if = self.subifs[3]
627 test_dict = self.create_stream(mac_type, ip_type, packets,
634 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
636 reply = self.vapi.acl_add_replace(acl_index=4294967295,
637 r=test_dict['acl_rules'])
638 self.assertEqual(reply.retval, 0)
639 acl_index = reply.acl_index
642 self.vapi.macip_acl_interface_add_del(
643 sw_if_index=tx_if.sw_if_index,
645 reply = self.vapi.macip_acl_interface_get()
646 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
647 self.ACLS.append(reply.acls[tx_if.sw_if_index])
649 self.vapi.acl_interface_add_del(
650 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
652 self.vapi.macip_acl_interface_add_del(
653 sw_if_index=tx_if.sw_if_index,
657 reply = self.vapi.macip_acl_add_replace(
658 test_dict['macip_rules'],
661 reply = self.vapi.acl_add_replace(acl_index=acl_index,
662 r=test_dict['acl_rules'])
663 self.assertEqual(reply.retval, 0)
665 if not isinstance(src_if, VppSubInterface):
666 tx_if.add_stream(test_dict['stream'])
668 tx_if.parent.add_stream(test_dict['stream'])
669 self.pg_enable_capture(self.pg_interfaces)
672 if do_not_expected_capture:
675 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
676 ip_type == self.WILD_IP:
677 capture = rx_if.get_capture(packets)
679 capture = rx_if.get_capture(
680 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
681 self.verify_capture(test_dict['stream'], capture, is_ip6)
683 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
684 acl_index=acl_index, is_add=0)
685 self.vapi.acl_del(acl_index)
687 def run_test_acls(self, mac_type, ip_type, acl_count,
688 rules_count, traffic=None, ip=None):
689 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
691 self.verify_macip_acls(acl_count, rules_count)
693 if traffic is not None:
694 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
697 class TestMACIP_IP4(MethodHolder):
698 """MACIP with IP4 traffic"""
700 def test_acl_bridged_ip4_exactMAC_exactIP(self):
701 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
703 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
704 self.BRIDGED, self.IS_IP4, 9)
706 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
707 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
710 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
711 self.BRIDGED, self.IS_IP4, 9)
713 def test_acl_bridged_ip4_exactMAC_wildIP(self):
714 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
717 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
718 self.BRIDGED, self.IS_IP4, 9)
720 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
721 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
724 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
725 self.BRIDGED, self.IS_IP4, 3)
727 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
728 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
731 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
732 self.BRIDGED, self.IS_IP4, 9)
734 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
735 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
738 self.run_traffic(self.OUI_MAC, self.WILD_IP,
739 self.BRIDGED, self.IS_IP4, 9)
741 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
742 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
745 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
746 self.BRIDGED, self.IS_IP4, 9)
748 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
749 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
752 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
753 self.BRIDGED, self.IS_IP4, 9)
755 def test_acl_bridged_ip4_wildMAC_wildIP(self):
756 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
759 self.run_traffic(self.WILD_MAC, self.WILD_IP,
760 self.BRIDGED, self.IS_IP4, 9)
762 def test_acl_routed_ip4_exactMAC_exactIP(self):
763 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
765 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
766 self.ROUTED, self.IS_IP4, 9)
768 def test_acl_routed_ip4_exactMAC_subnetIP(self):
769 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
771 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
772 self.ROUTED, self.IS_IP4, 9)
774 def test_acl_routed_ip4_exactMAC_wildIP(self):
775 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
777 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
778 self.ROUTED, self.IS_IP4, 9)
780 def test_acl_routed_ip4_ouiMAC_exactIP(self):
781 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
784 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
785 self.ROUTED, self.IS_IP4, 9)
787 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
788 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
791 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
792 self.ROUTED, self.IS_IP4, 9)
794 def test_acl_routed_ip4_ouiMAC_wildIP(self):
795 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
798 self.run_traffic(self.OUI_MAC, self.WILD_IP,
799 self.ROUTED, self.IS_IP4, 9)
801 def test_acl_routed_ip4_wildMAC_exactIP(self):
802 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
805 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
806 self.ROUTED, self.IS_IP4, 9)
808 def test_acl_routed_ip4_wildMAC_subnetIP(self):
809 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
812 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
813 self.ROUTED, self.IS_IP4, 9)
815 def test_acl_routed_ip4_wildMAC_wildIP(self):
816 """ IP4 MACIP wildcardMAC|wildIP ACL
819 self.run_traffic(self.WILD_MAC, self.WILD_IP,
820 self.ROUTED, self.IS_IP4, 9)
822 def test_acl_replace_traffic_ip4(self):
823 """ MACIP replace ACL with IP4 traffic
825 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
826 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
827 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
828 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
831 class TestMACIP_IP6(MethodHolder):
832 """MACIP with IP6 traffic"""
834 def test_acl_bridged_ip6_exactMAC_exactIP(self):
835 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
838 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
839 self.BRIDGED, self.IS_IP6, 9)
841 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
842 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
845 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
846 self.BRIDGED, self.IS_IP6, 9)
848 def test_acl_bridged_ip6_exactMAC_wildIP(self):
849 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
852 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
853 self.BRIDGED, self.IS_IP6, 9)
855 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
856 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
859 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
860 self.BRIDGED, self.IS_IP6, 9)
862 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
863 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
866 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
867 self.BRIDGED, self.IS_IP6, 9)
869 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
870 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
873 self.run_traffic(self.OUI_MAC, self.WILD_IP,
874 self.BRIDGED, self.IS_IP6, 9)
876 def test_acl_bridged_ip6_wildMAC_exactIP(self):
877 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
880 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
881 self.BRIDGED, self.IS_IP6, 9)
883 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
884 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
887 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
888 self.BRIDGED, self.IS_IP6, 9)
890 def test_acl_bridged_ip6_wildMAC_wildIP(self):
891 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
894 self.run_traffic(self.WILD_MAC, self.WILD_IP,
895 self.BRIDGED, self.IS_IP6, 9)
897 def test_acl_routed_ip6_exactMAC_exactIP(self):
898 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
901 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
902 self.ROUTED, self.IS_IP6, 9)
904 def test_acl_routed_ip6_exactMAC_subnetIP(self):
905 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
908 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
909 self.ROUTED, self.IS_IP6, 9)
911 def test_acl_routed_ip6_exactMAC_wildIP(self):
912 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
915 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
916 self.ROUTED, self.IS_IP6, 9)
918 def test_acl_routed_ip6_ouiMAC_exactIP(self):
919 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
922 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
923 self.ROUTED, self.IS_IP6, 9)
925 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
926 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
929 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
930 self.ROUTED, self.IS_IP6, 9)
932 def test_acl_routed_ip6_ouiMAC_wildIP(self):
933 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
936 self.run_traffic(self.OUI_MAC, self.WILD_IP,
937 self.ROUTED, self.IS_IP6, 9)
939 def test_acl_routed_ip6_wildMAC_exactIP(self):
940 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
943 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
944 self.ROUTED, self.IS_IP6, 9)
946 def test_acl_routed_ip6_wildMAC_subnetIP(self):
947 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
950 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
951 self.ROUTED, self.IS_IP6, 9)
953 def test_acl_routed_ip6_wildMAC_wildIP(self):
954 """ IP6 MACIP wildcardMAC|wildIP ACL
957 self.run_traffic(self.WILD_MAC, self.WILD_IP,
958 self.ROUTED, self.IS_IP6, 9)
960 def test_acl_replace_traffic_ip6(self):
961 """ MACIP replace ACL with IP6 traffic
963 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
964 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
965 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
966 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
969 class TestMACIP(MethodHolder):
972 def test_acl_1_2(self):
973 """ MACIP ACL with 2 entries
976 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
978 def test_acl_1_5(self):
979 """ MACIP ACL with 5 entries
982 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
984 def test_acl_1_10(self):
985 """ MACIP ACL with 10 entries
988 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
990 def test_acl_1_20(self):
991 """ MACIP ACL with 20 entries
994 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
996 def test_acl_1_50(self):
997 """ MACIP ACL with 50 entries
1000 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1002 def test_acl_1_100(self):
1003 """ MACIP ACL with 100 entries
1006 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1008 def test_acl_2_X(self):
1009 """ MACIP 2 ACLs each with 100+ entries
1012 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1014 def test_acl_10_X(self):
1015 """ MACIP 10 ACLs each with 100+ entries
1018 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1019 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1021 def test_acl_10_X_traffic_ip4(self):
1022 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1025 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1026 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1027 self.BRIDGED, self.IS_IP4)
1029 def test_acl_10_X_traffic_ip6(self):
1030 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1033 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1034 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1035 self.BRIDGED, self.IS_IP6)
1037 def test_acl_replace(self):
1038 """ MACIP replace ACL
1041 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1042 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
1043 self.apply_macip_rules(r1)
1045 acls_before = self.macip_acl_dump_debug()
1047 # replace acls #2, #3 with new
1048 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1049 self.assertEqual(reply.retval, 0)
1050 self.assertEqual(reply.acl_index, 2)
1051 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1052 self.assertEqual(reply.retval, 0)
1053 self.assertEqual(reply.acl_index, 3)
1055 acls_after = self.macip_acl_dump_debug()
1058 self.assertEqual(len(acls_before), len(acls_after))
1059 for acl1, acl2 in zip(
1060 acls_before[:2]+acls_before[4:],
1061 acls_after[:2]+acls_after[4:]):
1062 self.assertEqual(len(acl1), len(acl2))
1064 self.assertEqual(len(acl1.r), len(acl2.r))
1065 for r1, r2 in zip(acl1.r, acl2.r):
1066 self.assertEqual(len(acl1.r), len(acl2.r))
1067 self.assertEqual(acl1.r, acl2.r)
1068 for acl1, acl2 in zip(
1071 self.assertEqual(len(acl1), len(acl2))
1073 self.assertNotEqual(len(acl1.r), len(acl2.r))
1074 for r1, r2 in zip(acl1.r, acl2.r):
1075 self.assertNotEqual(len(acl1.r), len(acl2.r))
1076 self.assertNotEqual(acl1.r, acl2.r)
1078 def test_delete_intf(self):
1079 """ MACIP ACL delete intf with acl
1082 intf_count = len(self.interfaces)+1
1084 self.apply_macip_rules(self.create_rules(acl_count=3,
1085 rules_count=[3, 5, 4]))
1087 intf.append(VppLoInterface(self))
1088 intf.append(VppLoInterface(self))
1090 sw_if_index0 = intf[0].sw_if_index
1091 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1093 reply = self.vapi.macip_acl_interface_get()
1094 self.assertEqual(reply.count, intf_count+1)
1095 self.assertEqual(reply.acls[sw_if_index0], 1)
1097 sw_if_index1 = intf[1].sw_if_index
1098 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1100 reply = self.vapi.macip_acl_interface_get()
1101 self.assertEqual(reply.count, intf_count+2)
1102 self.assertEqual(reply.acls[sw_if_index1], 0)
1104 intf[0].remove_vpp_config()
1105 reply = self.vapi.macip_acl_interface_get()
1106 self.assertEqual(reply.count, intf_count+2)
1107 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1108 self.assertEqual(reply.acls[sw_if_index1], 0)
1110 intf.append(VppLoInterface(self))
1111 intf.append(VppLoInterface(self))
1112 sw_if_index2 = intf[2].sw_if_index
1113 sw_if_index3 = intf[3].sw_if_index
1114 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1115 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1117 reply = self.vapi.macip_acl_interface_get()
1118 self.assertEqual(reply.count, intf_count+3)
1119 self.assertEqual(reply.acls[sw_if_index1], 0)
1120 self.assertEqual(reply.acls[sw_if_index2], 1)
1121 self.assertEqual(reply.acls[sw_if_index3], 1)
1122 self.logger.info("MACIP ACL on multiple interfaces:")
1123 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1124 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1125 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1126 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1127 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
1129 intf[2].remove_vpp_config()
1130 intf[1].remove_vpp_config()
1132 reply = self.vapi.macip_acl_interface_get()
1133 self.assertEqual(reply.count, intf_count+3)
1134 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1135 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1136 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1137 self.assertEqual(reply.acls[sw_if_index3], 1)
1139 intf[3].remove_vpp_config()
1140 reply = self.vapi.macip_acl_interface_get()
1142 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1145 class TestACL_dot1q_bridged(MethodHolder):
1146 """ACL on dot1q bridged subinterfaces Tests"""
1148 def test_acl_bridged_ip4_subif_dot1q(self):
1149 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1150 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1151 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1153 def test_acl_bridged_ip6_subif_dot1q(self):
1154 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1155 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1156 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1159 class TestACL_dot1ad_bridged(MethodHolder):
1160 """ACL on dot1ad bridged subinterfaces Tests"""
1162 def test_acl_bridged_ip4_subif_dot1ad(self):
1163 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1164 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1165 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1167 def test_acl_bridged_ip6_subif_dot1ad(self):
1168 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1169 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1170 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1173 class TestACL_dot1q_routed(MethodHolder):
1174 """ACL on dot1q routed subinterfaces Tests"""
1176 def test_acl_routed_ip4_subif_dot1q(self):
1177 """ IP4 ACL SubIf Dot1Q routed traffic"""
1178 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1179 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1181 def test_acl_routed_ip6_subif_dot1q(self):
1182 """ IP6 ACL SubIf Dot1Q routed traffic"""
1183 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1184 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1186 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1187 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1188 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1189 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1190 permit_tags=self.DENY_TAGS)
1192 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1193 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1194 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1195 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1196 permit_tags=self.DENY_TAGS)
1199 class TestACL_dot1ad_routed(MethodHolder):
1200 """ACL on dot1ad routed subinterfaces Tests"""
1202 def test_acl_routed_ip6_subif_dot1ad(self):
1203 """ IP6 ACL SubIf Dot1AD routed traffic"""
1204 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1205 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1207 def test_acl_routed_ip4_subif_dot1ad(self):
1208 """ IP4 ACL SubIf Dot1AD routed traffic"""
1209 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1210 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1212 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1213 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1214 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1215 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1216 permit_tags=self.DENY_TAGS)
1218 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1219 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1220 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1221 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1222 permit_tags=self.DENY_TAGS)
1225 if __name__ == '__main__':
1226 unittest.main(testRunner=VppTestRunner)