2 """ACL plugin - MACIP tests
9 from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
11 from scapy.packet import Raw
12 from scapy.layers.l2 import Ether
13 from scapy.layers.inet import IP, UDP
14 from scapy.layers.inet6 import IPv6
16 from framework import VppTestCase, VppTestRunner, running_extended_tests
17 from vpp_lo_interface import VppLoInterface
18 from vpp_papi_provider import L2_VTR_OP
19 from vpp_sub_interface import VppSubInterface, VppDot1QSubint, VppDot1ADSubint
20 from vpp_papi_provider import L2_PORT_TYPE
23 class MethodHolder(VppTestCase):
55 Perform standard class setup (defined by class method setUpClass in
56 class VppTestCase) before running the test case, set test case related
57 variables and configure VPP.
59 super(MethodHolder, cls).setUpClass()
61 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
63 cls.remote_hosts_count = 200
66 # create 4 pg interfaces, 1 loopback interface
67 cls.create_pg_interfaces(range(4))
68 cls.create_loopback_interfaces(1)
70 # create 2 subinterfaces
72 VppDot1QSubint(cls, cls.pg1, 10),
73 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
74 VppDot1QSubint(cls, cls.pg3, 30),
75 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
77 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
79 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
80 outer=300, inner=400, push1q=1)
81 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
83 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
84 outer=600, inner=700, push1q=1)
86 cls.interfaces = list(cls.pg_interfaces)
87 cls.interfaces.extend(cls.lo_interfaces)
88 cls.interfaces.extend(cls.subifs)
90 for i in cls.interfaces:
93 # Create BD with MAC learning enabled and put interfaces to this BD
94 cls.vapi.sw_interface_set_l2_bridge(
95 cls.loop0.sw_if_index, bd_id=cls.bd_id,
96 port_type=L2_PORT_TYPE.BVI)
97 cls.vapi.sw_interface_set_l2_bridge(
98 cls.pg0.sw_if_index, bd_id=cls.bd_id)
99 cls.vapi.sw_interface_set_l2_bridge(
100 cls.pg1.sw_if_index, bd_id=cls.bd_id)
101 cls.vapi.sw_interface_set_l2_bridge(
102 cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
103 cls.vapi.sw_interface_set_l2_bridge(
104 cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
106 # Configure IPv4/6 addresses on loop interface and routed interface
107 cls.loop0.config_ip4()
108 cls.loop0.config_ip6()
114 # Configure MAC address binding to IPv4 neighbors on loop0
115 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
116 # Modify host mac addresses to have different OUI parts
117 for i in range(2, cls.remote_hosts_count + 2):
118 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
119 mac[2] = format(int(mac[2], 16) + i, "02x")
120 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
122 cls.loop0.configure_ipv4_neighbors()
123 cls.loop0.configure_ipv6_neighbors()
125 # configure MAC address on pg3
126 cls.pg3.resolve_arp()
127 cls.pg3.resolve_ndp()
129 # configure MAC address on subifs
135 # configure MAC address on pg2
136 cls.pg2.resolve_arp()
137 cls.pg2.resolve_ndp()
139 # Loopback BVI interface has remote hosts
140 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
141 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
142 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
143 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
144 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
145 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
148 super(MethodHolder, cls).tearDownClass()
152 super(MethodHolder, self).setUp()
153 self.reset_packet_infos()
158 Show various debug prints after each test.
160 super(MethodHolder, self).tearDown()
161 if not self.vpp_dead:
162 self.logger.info(self.vapi.ppcli("show interface address"))
163 self.logger.info(self.vapi.ppcli("show hardware"))
164 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
165 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
166 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
167 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
168 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
169 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
170 # print self.vapi.ppcli("show interface address")
171 # print self.vapi.ppcli("show hardware")
172 # print self.vapi.ppcli("sh acl-plugin macip interface")
173 # print self.vapi.ppcli("sh acl-plugin macip acl")
176 def macip_acl_dump_debug(self):
177 acls = self.vapi.macip_acl_dump()
180 print "ACL #"+str(acl.acl_index)
185 elif r.is_permit == 0:
187 print " IP6" if r.is_ipv6 else " IP4", \
189 binascii.hexlify(r.src_mac), \
190 binascii.hexlify(r.src_mac_mask),\
191 unpack('<16B', r.src_ip_addr), \
195 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
196 acl_count=1, rules_count=[1]):
198 src_mac = int("220000dead00", 16)
199 for acl in range(2, (acl_count+1) * 2):
201 host = random.choice(self.loop0.remote_hosts)
203 ip4 = host.ip4.split('.')
204 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
206 if ip_type == self.EXACT_IP:
209 elif ip_type == self.WILD_IP:
211 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
214 rules_count[(acl / 2) - 1] = 1
219 if mac_type == self.EXACT_MAC:
220 mask = "ff:ff:ff:ff:ff:ff"
221 elif mac_type == self.WILD_MAC:
222 mask = "00:00:00:00:00:00"
223 elif mac_type == self.OUI_MAC:
224 mask = "ff:ff:ff:00:00:00"
226 mask = "ff:ff:ff:ff:ff:00"
228 ip = ip6 if is_ip6 else ip4
229 ip_len = prefix_len6 if is_ip6 else prefix_len4
231 for i in range(0, rules_count[(acl / 2) - 1]):
233 if mac_type == self.WILD_MAC:
234 mac = "00:00:00:00:00:00"
235 elif mac_type == self.OUI_MAC:
236 mac = ':'.join(re.findall('..', '{:02x}'.format(
237 src_mac))[:3])+":00:00:00"
239 mac = ':'.join(re.findall('..', '{:02x}'.format(src_mac)))
241 if ip_type == self.EXACT_IP:
242 ip4[3] = random.randint(100, 200)
243 ip6[15] = random.randint(100, 200)
244 elif ip_type == self.SUBNET_IP:
245 ip4[2] = random.randint(100, 200)
247 ip6[8] = random.randint(100, 200)
250 for j in range(0, len(ip)):
251 ip_pack += pack('<B', int(ip[j]))
253 rule = ({'is_permit': self.PERMIT,
255 'src_ip_addr': ip_pack,
256 'src_ip_prefix_len': ip_len,
257 'src_mac': mac.replace(':', '').decode('hex'),
258 'src_mac_mask': mask.replace(':', '').decode('hex')})
260 if ip_type == self.WILD_IP:
264 src_mac += 1099511627776
267 def apply_macip_rules(self, acls):
269 reply = self.vapi.macip_acl_add(acl)
270 self.assertEqual(reply.retval, 0)
271 self.ACLS.append(reply.acl_index)
273 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
274 reply = self.macip_acl_dump_debug()
275 for acl in range(2, (acl_count+1) * 2):
276 self.assertEqual(reply[acl - 2].count, rules_count[acl/2-1])
278 self.vapi.macip_acl_interface_get()
280 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
281 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
283 reply = self.vapi.macip_acl_interface_get()
284 self.assertEqual(reply.count, expected_count)
286 def delete_acls(self):
287 for acl in range(len(self.ACLS)-1, -1, -1):
288 self.vapi.macip_acl_del(self.ACLS[acl])
290 reply = self.vapi.macip_acl_dump()
291 self.assertEqual(len(reply), 0)
293 intf_acls = self.vapi.acl_interface_list_dump()
294 for i_a in intf_acls:
295 sw_if_index = i_a.sw_if_index
296 for acl_index in i_a.acls:
297 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
298 self.vapi.acl_del(acl_index)
300 def create_stream(self, mac_type, ip_type, packet_count,
301 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
302 # exact MAC and exact IP
303 # exact MAC and subnet of IPs
304 # exact MAC and wildcard IP
305 # wildcard MAC and exact IP
306 # wildcard MAC and subnet of IPs
307 # wildcard MAC and wildcard IP
308 # OUI restricted MAC and exact IP
309 # OUI restricted MAC and subnet of IPs
310 # OUI restricted MAC and wildcard IP
318 mac_rule = "00:00:00:00:00:00"
319 mac_mask = "00:00:00:00:00:00"
320 for p in range(0, packet_count):
321 remote_dst_index = p % len(dst_if.remote_hosts)
322 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
326 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
327 denyMAC = True if not is_permit and p % 3 == 1 else False
328 denyIP = True if not is_permit and p % 3 == 2 else False
329 if not is_permit and ip_type == self.WILD_IP:
331 if not is_permit and mac_type == self.WILD_MAC:
334 if traffic == self.BRIDGED:
336 src_mac = remote_dst_host._mac
337 dst_mac = 'de:ad:00:00:00:00'
338 src_ip4 = remote_dst_host.ip4
339 dst_ip4 = src_if.remote_ip4
340 src_ip6 = remote_dst_host.ip6
341 dst_ip6 = src_if.remote_ip6
342 ip_permit = src_ip6 if is_ip6 else src_ip4
345 mac = src_mac.split(':')
346 mac[0] = format(int(mac[0], 16)+1, "02x")
347 src_mac = ":".join(mac)
353 if ip_type != self.WILD_IP:
355 src_ip4 = remote_dst_host.ip4
356 dst_ip4 = src_if.remote_ip4
357 src_ip6 = remote_dst_host.ip6
358 dst_ip6 = src_if.remote_ip6
361 src_mac = remote_dst_host._mac
362 dst_mac = src_if.local_mac
363 src_ip4 = src_if.remote_ip4
364 dst_ip4 = remote_dst_host.ip4
365 src_ip6 = src_if.remote_ip6
366 dst_ip6 = remote_dst_host.ip6
367 ip_permit = src_ip6 if is_ip6 else src_ip4
370 mac = src_mac.split(':')
371 mac[0] = format(int(mac[0], 16) + 1, "02x")
372 src_mac = ":".join(mac)
378 src_mac = remote_dst_host._mac
379 if ip_type != self.WILD_IP:
381 src_ip4 = remote_dst_host.ip4
382 dst_ip4 = src_if.remote_ip4
383 src_ip6 = remote_dst_host.ip6
384 dst_ip6 = src_if.remote_ip6
387 info = self.create_packet_info(src_if, dst_if)
388 payload = self.info_to_payload(info)
390 payload = "to be blocked"
392 if mac_type == self.WILD_MAC:
393 mac = src_mac.split(':')
394 for i in range(1, 5):
395 mac[i] = format(random.randint(0, 255), "02x")
396 src_mac = ":".join(mac)
399 packet = Ether(src=src_mac, dst=dst_mac)
400 ip_rule = src_ip6 if is_ip6 else src_ip4
402 if ip_type != self.EXACT_IP:
403 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
404 if ip_type == self.WILD_IP:
405 sub_ip[0] = random.randint(240, 254)
406 sub_ip[1] = random.randint(230, 239)
407 sub_ip[14] = random.randint(100, 199)
408 sub_ip[15] = random.randint(200, 255)
409 elif ip_type == self.SUBNET_IP:
411 sub_ip[2] = str(int(sub_ip[2]) + 1)
412 sub_ip[14] = random.randint(100, 199)
413 sub_ip[15] = random.randint(200, 255)
414 src_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
415 packet /= IPv6(src=src_ip6, dst=dst_ip6)
417 if ip_type != self.EXACT_IP:
418 sub_ip = ip_rule.split('.')
419 if ip_type == self.WILD_IP:
420 sub_ip[0] = str(random.randint(1, 49))
421 sub_ip[1] = str(random.randint(50, 99))
422 sub_ip[2] = str(random.randint(100, 199))
423 sub_ip[3] = str(random.randint(200, 255))
424 elif ip_type == self.SUBNET_IP:
426 sub_ip[1] = str(int(sub_ip[1])+1)
427 sub_ip[2] = str(random.randint(100, 199))
428 sub_ip[3] = str(random.randint(200, 255))
429 src_ip4 = ".".join(sub_ip)
430 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
432 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
434 packet[Raw].load += " mac:"+src_mac
436 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
437 if isinstance(src_if, VppSubInterface):
439 if isinstance(src_if, VppDot1QSubint):
440 if src_if is self.subifs[0]:
441 if tags == self.PERMIT_TAGS:
442 packet = src_if.add_dot1q_layer(packet, 10)
444 packet = src_if.add_dot1q_layer(packet, 11)
446 if tags == self.PERMIT_TAGS:
447 packet = src_if.add_dot1q_layer(packet, 30)
449 packet = src_if.add_dot1q_layer(packet, 33)
450 elif isinstance(src_if, VppDot1ADSubint):
451 if src_if is self.subifs[1]:
452 if tags == self.PERMIT_TAGS:
453 packet = src_if.add_dot1ad_layer(packet, 300, 400)
455 packet = src_if.add_dot1ad_layer(packet, 333, 444)
457 if tags == self.PERMIT_TAGS:
458 packet = src_if.add_dot1ad_layer(packet, 600, 700)
460 packet = src_if.add_dot1ad_layer(packet, 666, 777)
461 self.extend_packet(packet, size)
462 packets.append(packet)
464 # create suitable MACIP rule
465 if mac_type == self.EXACT_MAC:
467 mac_mask = "ff:ff:ff:ff:ff:ff"
468 elif mac_type == self.WILD_MAC:
469 mac_rule = "00:00:00:00:00:00"
470 mac_mask = "00:00:00:00:00:00"
471 elif mac_type == self.OUI_MAC:
472 mac = src_mac.split(':')
473 mac[3] = mac[4] = mac[5] = '00'
474 mac_rule = ":".join(mac)
475 mac_mask = "ff:ff:ff:00:00:00"
478 if ip_type == self.WILD_IP:
482 if ip_type == self.SUBNET_IP:
483 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
484 for i in range(8, 16):
486 ip = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
488 if ip_type == self.WILD_IP:
492 if ip_type == self.SUBNET_IP:
493 sub_ip = ip.split('.')
494 sub_ip[2] = sub_ip[3] = '0'
495 ip = ".".join(sub_ip)
497 prefix_len = 128 if is_ip6 else 32
498 if ip_type == self.WILD_IP:
500 elif ip_type == self.SUBNET_IP:
501 prefix_len = 64 if is_ip6 else 16
502 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
504 # create suitable ACL rule
506 rule_l4_sport = packet[UDP].sport
507 rule_l4_dport = packet[UDP].dport
508 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
509 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
510 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
511 if packet.haslayer(IPv6):
512 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
514 rule_l4_proto = packet[IP].proto
517 'is_permit': is_permit,
519 'src_ip_addr': inet_pton(rule_family,
520 packet[rule_l3_layer].src),
521 'src_ip_prefix_len': rule_prefix_len,
522 'dst_ip_addr': inet_pton(rule_family,
523 packet[rule_l3_layer].dst),
524 'dst_ip_prefix_len': rule_prefix_len,
525 'srcport_or_icmptype_first': rule_l4_sport,
526 'srcport_or_icmptype_last': rule_l4_sport,
527 'dstport_or_icmpcode_first': rule_l4_dport,
528 'dstport_or_icmpcode_last': rule_l4_dport,
529 'proto': rule_l4_proto}
530 acl_rules.append(acl_rule)
532 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
537 'is_permit': is_permit,
539 'src_ip_addr': ip_rule,
540 'src_ip_prefix_len': prefix_len,
541 'src_mac': mac_rule.replace(':', '').decode('hex'),
542 'src_mac_mask': mac_mask.replace(':', '').decode('hex')})
543 macip_rules.append(macip_rule)
545 # deny all other packets
546 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
547 macip_rule = ({'is_permit': 0,
550 'src_ip_prefix_len': 0,
553 macip_rules.append(macip_rule)
555 acl_rule = {'is_permit': 0,
557 acl_rules.append(acl_rule)
558 return {'stream': packets,
559 'macip_rules': macip_rules,
560 'acl_rules': acl_rules}
562 def verify_capture(self, stream, capture, is_ip6):
569 # p_l3 = IPv6 if is_ip6 else IP
572 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
574 # acls = self.macip_acl_dump_debug()
579 # print binascii.hexlify(r.src_mac), \
580 # binascii.hexlify(r.src_mac_mask),\
581 # unpack('<16B', r.src_ip_addr), \
582 # r.src_ip_prefix_len
585 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
586 # data = p[Raw].load.split(':',1)[1]
587 # print p[p_l3].src, data
589 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
590 do_not_expected_capture=False, tags=None,
591 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
593 self.reset_packet_infos()
596 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
597 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
601 if tags == self.DOT1Q:
602 if traffic == self.BRIDGED:
603 tx_if = self.subifs[0]
605 src_if = self.subifs[0]
608 tx_if = self.subifs[2]
610 src_if = self.subifs[2]
612 elif tags == self.DOT1AD:
613 if traffic == self.BRIDGED:
614 tx_if = self.subifs[1]
616 src_if = self.subifs[1]
619 tx_if = self.subifs[3]
621 src_if = self.subifs[3]
626 test_dict = self.create_stream(mac_type, ip_type, packets,
633 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
635 reply = self.vapi.acl_add_replace(acl_index=4294967295,
636 r=test_dict['acl_rules'])
637 self.assertEqual(reply.retval, 0)
638 acl_index = reply.acl_index
641 self.vapi.macip_acl_interface_add_del(
642 sw_if_index=tx_if.sw_if_index,
644 reply = self.vapi.macip_acl_interface_get()
645 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
646 self.ACLS.append(reply.acls[tx_if.sw_if_index])
648 self.vapi.acl_interface_add_del(
649 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
651 self.vapi.macip_acl_interface_add_del(
652 sw_if_index=tx_if.sw_if_index,
656 reply = self.vapi.macip_acl_add_replace(
657 test_dict['macip_rules'],
660 reply = self.vapi.acl_add_replace(acl_index=acl_index,
661 r=test_dict['acl_rules'])
662 self.assertEqual(reply.retval, 0)
664 if not isinstance(src_if, VppSubInterface):
665 tx_if.add_stream(test_dict['stream'])
667 tx_if.parent.add_stream(test_dict['stream'])
668 self.pg_enable_capture(self.pg_interfaces)
671 if do_not_expected_capture:
674 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
675 ip_type == self.WILD_IP:
676 capture = rx_if.get_capture(packets)
678 capture = rx_if.get_capture(
679 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
680 self.verify_capture(test_dict['stream'], capture, is_ip6)
682 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
683 acl_index=acl_index, is_add=0)
684 self.vapi.acl_del(acl_index)
686 def run_test_acls(self, mac_type, ip_type, acl_count,
687 rules_count, traffic=None, ip=None):
688 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
690 self.verify_macip_acls(acl_count, rules_count)
692 if traffic is not None:
693 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
696 class TestMACIP_IP4(MethodHolder):
697 """MACIP with IP4 traffic"""
699 def test_acl_bridged_ip4_exactMAC_exactIP(self):
700 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
702 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
703 self.BRIDGED, self.IS_IP4, 9)
705 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
706 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
709 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
710 self.BRIDGED, self.IS_IP4, 9)
712 def test_acl_bridged_ip4_exactMAC_wildIP(self):
713 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
716 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
717 self.BRIDGED, self.IS_IP4, 9)
719 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
720 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
723 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
724 self.BRIDGED, self.IS_IP4, 3)
726 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
727 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
730 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
731 self.BRIDGED, self.IS_IP4, 9)
733 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
734 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
737 self.run_traffic(self.OUI_MAC, self.WILD_IP,
738 self.BRIDGED, self.IS_IP4, 9)
740 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
741 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
744 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
745 self.BRIDGED, self.IS_IP4, 9)
747 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
748 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
751 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
752 self.BRIDGED, self.IS_IP4, 9)
754 def test_acl_bridged_ip4_wildMAC_wildIP(self):
755 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
758 self.run_traffic(self.WILD_MAC, self.WILD_IP,
759 self.BRIDGED, self.IS_IP4, 9)
761 def test_acl_routed_ip4_exactMAC_exactIP(self):
762 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
764 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
765 self.ROUTED, self.IS_IP4, 9)
767 def test_acl_routed_ip4_exactMAC_subnetIP(self):
768 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
770 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
771 self.ROUTED, self.IS_IP4, 9)
773 def test_acl_routed_ip4_exactMAC_wildIP(self):
774 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
776 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
777 self.ROUTED, self.IS_IP4, 9)
779 def test_acl_routed_ip4_ouiMAC_exactIP(self):
780 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
783 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
784 self.ROUTED, self.IS_IP4, 9)
786 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
787 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
790 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
791 self.ROUTED, self.IS_IP4, 9)
793 def test_acl_routed_ip4_ouiMAC_wildIP(self):
794 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
797 self.run_traffic(self.OUI_MAC, self.WILD_IP,
798 self.ROUTED, self.IS_IP4, 9)
800 def test_acl_routed_ip4_wildMAC_exactIP(self):
801 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
804 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
805 self.ROUTED, self.IS_IP4, 9)
807 def test_acl_routed_ip4_wildMAC_subnetIP(self):
808 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
811 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
812 self.ROUTED, self.IS_IP4, 9)
814 def test_acl_routed_ip4_wildMAC_wildIP(self):
815 """ IP4 MACIP wildcardMAC|wildIP ACL
818 self.run_traffic(self.WILD_MAC, self.WILD_IP,
819 self.ROUTED, self.IS_IP4, 9)
821 def test_acl_replace_traffic_ip4(self):
822 """ MACIP replace ACL with IP4 traffic
824 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
825 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
826 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
827 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
830 class TestMACIP_IP6(MethodHolder):
831 """MACIP with IP6 traffic"""
833 def test_acl_bridged_ip6_exactMAC_exactIP(self):
834 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
837 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
838 self.BRIDGED, self.IS_IP6, 9)
840 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
841 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
844 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
845 self.BRIDGED, self.IS_IP6, 9)
847 def test_acl_bridged_ip6_exactMAC_wildIP(self):
848 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
851 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
852 self.BRIDGED, self.IS_IP6, 9)
854 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
855 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
858 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
859 self.BRIDGED, self.IS_IP6, 9)
861 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
862 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
865 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
866 self.BRIDGED, self.IS_IP6, 9)
868 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
869 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
872 self.run_traffic(self.OUI_MAC, self.WILD_IP,
873 self.BRIDGED, self.IS_IP6, 9)
875 def test_acl_bridged_ip6_wildMAC_exactIP(self):
876 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
879 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
880 self.BRIDGED, self.IS_IP6, 9)
882 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
883 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
886 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
887 self.BRIDGED, self.IS_IP6, 9)
889 def test_acl_bridged_ip6_wildMAC_wildIP(self):
890 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
893 self.run_traffic(self.WILD_MAC, self.WILD_IP,
894 self.BRIDGED, self.IS_IP6, 9)
896 def test_acl_routed_ip6_exactMAC_exactIP(self):
897 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
900 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
901 self.ROUTED, self.IS_IP6, 9)
903 def test_acl_routed_ip6_exactMAC_subnetIP(self):
904 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
907 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
908 self.ROUTED, self.IS_IP6, 9)
910 def test_acl_routed_ip6_exactMAC_wildIP(self):
911 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
914 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
915 self.ROUTED, self.IS_IP6, 9)
917 def test_acl_routed_ip6_ouiMAC_exactIP(self):
918 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
921 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
922 self.ROUTED, self.IS_IP6, 9)
924 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
925 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
928 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
929 self.ROUTED, self.IS_IP6, 9)
931 def test_acl_routed_ip6_ouiMAC_wildIP(self):
932 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
935 self.run_traffic(self.OUI_MAC, self.WILD_IP,
936 self.ROUTED, self.IS_IP6, 9)
938 def test_acl_routed_ip6_wildMAC_exactIP(self):
939 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
942 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
943 self.ROUTED, self.IS_IP6, 9)
945 def test_acl_routed_ip6_wildMAC_subnetIP(self):
946 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
949 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
950 self.ROUTED, self.IS_IP6, 9)
952 def test_acl_routed_ip6_wildMAC_wildIP(self):
953 """ IP6 MACIP wildcardMAC|wildIP ACL
956 self.run_traffic(self.WILD_MAC, self.WILD_IP,
957 self.ROUTED, self.IS_IP6, 9)
959 def test_acl_replace_traffic_ip6(self):
960 """ MACIP replace ACL with IP6 traffic
962 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
963 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
964 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
965 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
968 class TestMACIP(MethodHolder):
971 def test_acl_1_2(self):
972 """ MACIP ACL with 2 entries
975 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
977 def test_acl_1_5(self):
978 """ MACIP ACL with 5 entries
981 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
983 def test_acl_1_10(self):
984 """ MACIP ACL with 10 entries
987 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
989 def test_acl_1_20(self):
990 """ MACIP ACL with 20 entries
993 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
995 def test_acl_1_50(self):
996 """ MACIP ACL with 50 entries
999 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1001 def test_acl_1_100(self):
1002 """ MACIP ACL with 100 entries
1005 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1007 def test_acl_2_X(self):
1008 """ MACIP 2 ACLs each with 100+ entries
1011 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1013 def test_acl_10_X(self):
1014 """ MACIP 10 ACLs each with 100+ entries
1017 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1018 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1020 def test_acl_10_X_traffic_ip4(self):
1021 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1024 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1025 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1026 self.BRIDGED, self.IS_IP4)
1028 def test_acl_10_X_traffic_ip6(self):
1029 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1032 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1033 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1034 self.BRIDGED, self.IS_IP6)
1036 def test_acl_replace(self):
1037 """ MACIP replace ACL
1040 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1041 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
1042 self.apply_macip_rules(r1)
1044 acls_before = self.macip_acl_dump_debug()
1046 # replace acls #2, #3 with new
1047 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1048 self.assertEqual(reply.retval, 0)
1049 self.assertEqual(reply.acl_index, 2)
1050 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1051 self.assertEqual(reply.retval, 0)
1052 self.assertEqual(reply.acl_index, 3)
1054 acls_after = self.macip_acl_dump_debug()
1057 self.assertEqual(len(acls_before), len(acls_after))
1058 for acl1, acl2 in zip(
1059 acls_before[:2]+acls_before[4:],
1060 acls_after[:2]+acls_after[4:]):
1061 self.assertEqual(len(acl1), len(acl2))
1063 self.assertEqual(len(acl1.r), len(acl2.r))
1064 for r1, r2 in zip(acl1.r, acl2.r):
1065 self.assertEqual(len(acl1.r), len(acl2.r))
1066 self.assertEqual(acl1.r, acl2.r)
1067 for acl1, acl2 in zip(
1070 self.assertEqual(len(acl1), len(acl2))
1072 self.assertNotEqual(len(acl1.r), len(acl2.r))
1073 for r1, r2 in zip(acl1.r, acl2.r):
1074 self.assertNotEqual(len(acl1.r), len(acl2.r))
1075 self.assertNotEqual(acl1.r, acl2.r)
1077 def test_delete_intf(self):
1078 """ MACIP ACL delete intf with acl
1081 intf_count = len(self.interfaces)+1
1083 self.apply_macip_rules(self.create_rules(acl_count=3,
1084 rules_count=[3, 5, 4]))
1086 intf.append(VppLoInterface(self))
1087 intf.append(VppLoInterface(self))
1089 sw_if_index0 = intf[0].sw_if_index
1090 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1092 reply = self.vapi.macip_acl_interface_get()
1093 self.assertEqual(reply.count, intf_count+1)
1094 self.assertEqual(reply.acls[sw_if_index0], 1)
1096 sw_if_index1 = intf[1].sw_if_index
1097 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1099 reply = self.vapi.macip_acl_interface_get()
1100 self.assertEqual(reply.count, intf_count+2)
1101 self.assertEqual(reply.acls[sw_if_index1], 0)
1103 intf[0].remove_vpp_config()
1104 reply = self.vapi.macip_acl_interface_get()
1105 self.assertEqual(reply.count, intf_count+2)
1106 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1107 self.assertEqual(reply.acls[sw_if_index1], 0)
1109 intf.append(VppLoInterface(self))
1110 intf.append(VppLoInterface(self))
1111 sw_if_index2 = intf[2].sw_if_index
1112 sw_if_index3 = intf[3].sw_if_index
1113 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1114 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1116 reply = self.vapi.macip_acl_interface_get()
1117 self.assertEqual(reply.count, intf_count+3)
1118 self.assertEqual(reply.acls[sw_if_index1], 0)
1119 self.assertEqual(reply.acls[sw_if_index2], 1)
1120 self.assertEqual(reply.acls[sw_if_index3], 1)
1121 self.logger.info("MACIP ACL on multiple interfaces:")
1122 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1123 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1124 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1125 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1126 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
1128 intf[2].remove_vpp_config()
1129 intf[1].remove_vpp_config()
1131 reply = self.vapi.macip_acl_interface_get()
1132 self.assertEqual(reply.count, intf_count+3)
1133 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1134 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1135 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1136 self.assertEqual(reply.acls[sw_if_index3], 1)
1138 intf[3].remove_vpp_config()
1139 reply = self.vapi.macip_acl_interface_get()
1141 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1144 class TestACL_dot1q_bridged(MethodHolder):
1145 """ACL on dot1q bridged subinterfaces Tests"""
1147 def test_acl_bridged_ip4_subif_dot1q(self):
1148 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1149 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1150 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1152 def test_acl_bridged_ip6_subif_dot1q(self):
1153 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1154 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1155 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1158 class TestACL_dot1ad_bridged(MethodHolder):
1159 """ACL on dot1ad bridged subinterfaces Tests"""
1161 def test_acl_bridged_ip4_subif_dot1ad(self):
1162 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1163 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1164 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1166 def test_acl_bridged_ip6_subif_dot1ad(self):
1167 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1168 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1169 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1172 class TestACL_dot1q_routed(MethodHolder):
1173 """ACL on dot1q routed subinterfaces Tests"""
1175 def test_acl_routed_ip4_subif_dot1q(self):
1176 """ IP4 ACL SubIf Dot1Q routed traffic"""
1177 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1178 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1180 def test_acl_routed_ip6_subif_dot1q(self):
1181 """ IP6 ACL SubIf Dot1Q routed traffic"""
1182 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1183 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1185 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1186 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1187 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1188 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1189 permit_tags=self.DENY_TAGS)
1191 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1192 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1193 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1194 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1195 permit_tags=self.DENY_TAGS)
1198 class TestACL_dot1ad_routed(MethodHolder):
1199 """ACL on dot1ad routed subinterfaces Tests"""
1201 def test_acl_routed_ip6_subif_dot1ad(self):
1202 """ IP6 ACL SubIf Dot1AD routed traffic"""
1203 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1204 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1206 def test_acl_routed_ip4_subif_dot1ad(self):
1207 """ IP4 ACL SubIf Dot1AD routed traffic"""
1208 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1209 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1211 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1212 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1213 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1214 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1215 permit_tags=self.DENY_TAGS)
1217 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1218 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1219 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1220 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1221 permit_tags=self.DENY_TAGS)
1224 if __name__ == '__main__':
1225 unittest.main(testRunner=VppTestRunner)