2 from __future__ import print_function
4 """ACL plugin - MACIP tests
9 from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
10 from struct import pack, unpack
13 from ipaddress import ip_network, IPv4Network, IPv6Network
14 from config import config
17 from scapy.packet import Raw
18 from scapy.layers.l2 import Ether
19 from scapy.layers.inet import IP, UDP
20 from scapy.layers.inet6 import IPv6
22 from framework import VppTestCase, VppTestRunner
23 from vpp_lo_interface import VppLoInterface
24 from vpp_l2 import L2_PORT_TYPE
25 from vpp_sub_interface import (
40 from vpp_papi import MACAddress
43 @unittest.skipIf("acl" in config.excluded_plugins, "Exclude ACL plugin tests")
44 class MethodHolder(VppTestCase):
76 Perform standard class setup (defined by class method setUpClass in
77 class VppTestCase) before running the test case, set test case related
78 variables and configure VPP.
80 super(MethodHolder, cls).setUpClass()
82 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
84 cls.remote_hosts_count = 200
87 # create 4 pg interfaces, 1 loopback interface
88 cls.create_pg_interfaces(range(4))
89 cls.create_loopback_interfaces(1)
91 # create 2 subinterfaces
93 VppDot1QSubint(cls, cls.pg1, 10),
94 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
95 VppDot1QSubint(cls, cls.pg3, 30),
96 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700),
99 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1, inner=10, push1q=1)
100 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2, outer=300, inner=400, push1q=1)
101 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1, inner=30, push1q=1)
102 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2, outer=600, inner=700, push1q=1)
104 cls.interfaces = list(cls.pg_interfaces)
105 cls.interfaces.extend(cls.lo_interfaces)
106 cls.interfaces.extend(cls.subifs)
108 for i in cls.interfaces:
111 # Create BD with MAC learning enabled and put interfaces to this BD
112 cls.vapi.sw_interface_set_l2_bridge(
113 rx_sw_if_index=cls.loop0.sw_if_index,
115 port_type=L2_PORT_TYPE.BVI,
117 cls.vapi.sw_interface_set_l2_bridge(
118 rx_sw_if_index=cls.pg0.sw_if_index, bd_id=cls.bd_id
120 cls.vapi.sw_interface_set_l2_bridge(
121 rx_sw_if_index=cls.pg1.sw_if_index, bd_id=cls.bd_id
123 cls.vapi.sw_interface_set_l2_bridge(
124 rx_sw_if_index=cls.subifs[0].sw_if_index, bd_id=cls.bd_id
126 cls.vapi.sw_interface_set_l2_bridge(
127 rx_sw_if_index=cls.subifs[1].sw_if_index, bd_id=cls.bd_id
130 # Configure IPv4/6 addresses on loop interface and routed interface
131 cls.loop0.config_ip4()
132 cls.loop0.config_ip6()
138 # Configure MAC address binding to IPv4 neighbors on loop0
139 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
140 # Modify host mac addresses to have different OUI parts
141 for i in range(2, cls.remote_hosts_count + 2):
142 mac = cls.loop0.remote_hosts[i - 2]._mac.split(":")
143 mac[2] = format(int(mac[2], 16) + i, "02x")
144 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
146 cls.loop0.configure_ipv4_neighbors()
147 cls.loop0.configure_ipv6_neighbors()
149 # configure MAC address on pg3
150 cls.pg3.resolve_arp()
151 cls.pg3.resolve_ndp()
153 # configure MAC address on subifs
159 # configure MAC address on pg2
160 cls.pg2.resolve_arp()
161 cls.pg2.resolve_ndp()
163 # Loopback BVI interface has remote hosts
164 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
165 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
166 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
167 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
168 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
169 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
172 super(MethodHolder, cls).tearDownClass()
176 def tearDownClass(cls):
177 super(MethodHolder, cls).tearDownClass()
180 super(MethodHolder, self).setUp()
181 self.reset_packet_infos()
183 def show_commands_at_teardown(self):
184 self.logger.info(self.vapi.ppcli("show interface address"))
185 self.logger.info(self.vapi.ppcli("show hardware"))
186 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
187 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
188 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
189 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
190 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
191 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
192 # print(self.vapi.ppcli("show interface address"))
193 # print(self.vapi.ppcli("show hardware"))
194 # print(self.vapi.ppcli("sh acl-plugin macip interface"))
195 # print(self.vapi.ppcli("sh acl-plugin macip acl"))
197 def macip_acl_dump_debug(self):
198 acls = self.vapi.macip_acl_dump()
201 # print("ACL #"+str(acl.acl_index))
206 elif r.is_permit == 0:
209 print(" IP6" if r.is_ipv6 else " IP4",
211 binascii.hexlify(r.src_mac),
212 binascii.hexlify(r.src_mac_mask),
213 unpack('<16B', r.src_ip_addr),
219 self, mac_type=EXACT_MAC, ip_type=EXACT_IP, acl_count=1, rules_count=None
222 if rules_count is None:
224 src_mac = int("220000dead00", 16)
225 for acl in range(2, (acl_count + 1) * 2):
227 host = random.choice(self.loop0.remote_hosts)
229 ip4 = host.ip4.split(".")
230 ip6 = list(unpack("<16B", inet_pton(AF_INET6, host.ip6)))
232 if ip_type == self.EXACT_IP:
235 elif ip_type == self.WILD_IP:
237 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
240 rules_count[int((acl / 2) - 1)] = 1
245 if mac_type == self.EXACT_MAC:
246 mask = "ff:ff:ff:ff:ff:ff"
247 elif mac_type == self.WILD_MAC:
248 mask = "00:00:00:00:00:00"
249 elif mac_type == self.OUI_MAC:
250 mask = "ff:ff:ff:00:00:00"
252 mask = "ff:ff:ff:ff:ff:00"
254 ip = ip6 if is_ip6 else ip4
255 ip_len = prefix_len6 if is_ip6 else prefix_len4
257 for i in range(0, (rules_count[int((acl / 2) - 1)])):
259 if mac_type == self.WILD_MAC:
260 mac = "00:00:00:00:00:00"
261 elif mac_type == self.OUI_MAC:
263 ":".join(re.findall("..", "{:02x}".format(src_mac))[:3])
267 mac = ":".join(re.findall("..", "{:02x}".format(src_mac)))
269 if ip_type == self.EXACT_IP:
270 ip4[3] = random.randint(100, 200)
271 ip6[15] = random.randint(100, 200)
272 elif ip_type == self.SUBNET_IP:
273 ip4[2] = random.randint(100, 200)
275 ip6[7] = random.randint(100, 200)
278 for j in range(0, len(ip)):
279 ip_pack += pack("<B", int(ip[j]))
282 is_permit=self.PERMIT,
283 src_prefix=ip_network((ip_pack, ip_len)),
284 src_mac=MACAddress(mac).packed,
285 src_mac_mask=MACAddress(mask).packed,
288 if ip_type == self.WILD_IP:
292 src_mac += 1099511627776
295 def apply_macip_rules(self, acls):
298 macip_acl = VppMacipAcl(self, rules=acl)
299 macip_acl.add_vpp_config()
300 macip_acls.append(macip_acl)
303 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
304 reply = self.macip_acl_dump_debug()
305 for acl in range(2, (acl_count + 1) * 2):
306 self.assertEqual(reply[acl - 2].count, rules_count[acl // 2 - 1])
308 self.vapi.macip_acl_interface_get()
310 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
311 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
313 reply = self.vapi.macip_acl_interface_get()
314 self.assertEqual(reply.count, expected_count)
327 # exact MAC and exact IP
328 # exact MAC and subnet of IPs
329 # exact MAC and wildcard IP
330 # wildcard MAC and exact IP
331 # wildcard MAC and subnet of IPs
332 # wildcard MAC and wildcard IP
333 # OUI restricted MAC and exact IP
334 # OUI restricted MAC and subnet of IPs
335 # OUI restricted MAC and wildcard IP
343 mac_rule = "00:00:00:00:00:00"
344 mac_mask = "00:00:00:00:00:00"
345 for p in range(0, packet_count):
346 remote_dst_index = p % len(dst_if.remote_hosts)
347 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
351 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
352 denyMAC = True if not is_permit and p % 3 == 1 else False
353 denyIP = True if not is_permit and p % 3 == 2 else False
354 if not is_permit and ip_type == self.WILD_IP:
356 if not is_permit and mac_type == self.WILD_MAC:
359 if traffic == self.BRIDGED:
361 src_mac = remote_dst_host._mac
362 dst_mac = "de:ad:00:00:00:00"
363 src_ip4 = remote_dst_host.ip4
364 dst_ip4 = src_if.remote_ip4
365 src_ip6 = remote_dst_host.ip6
366 dst_ip6 = src_if.remote_ip6
367 ip_permit = src_ip6 if is_ip6 else src_ip4
370 mac = src_mac.split(":")
371 mac[0] = format(int(mac[0], 16) + 1, "02x")
372 src_mac = ":".join(mac)
378 if ip_type != self.WILD_IP:
380 src_ip4 = remote_dst_host.ip4
381 dst_ip4 = src_if.remote_ip4
382 src_ip6 = remote_dst_host.ip6
383 dst_ip6 = src_if.remote_ip6
386 src_mac = remote_dst_host._mac
387 dst_mac = src_if.local_mac
388 src_ip4 = src_if.remote_ip4
389 dst_ip4 = remote_dst_host.ip4
390 src_ip6 = src_if.remote_ip6
391 dst_ip6 = remote_dst_host.ip6
392 ip_permit = src_ip6 if is_ip6 else src_ip4
395 mac = src_mac.split(":")
396 mac[0] = format(int(mac[0], 16) + 1, "02x")
397 src_mac = ":".join(mac)
403 src_mac = remote_dst_host._mac
404 if ip_type != self.WILD_IP:
406 src_ip4 = remote_dst_host.ip4
407 dst_ip4 = src_if.remote_ip4
408 src_ip6 = remote_dst_host.ip6
409 dst_ip6 = src_if.remote_ip6
412 info = self.create_packet_info(src_if, dst_if)
413 payload = self.info_to_payload(info)
415 payload = "to be blocked"
417 if mac_type == self.WILD_MAC:
418 mac = src_mac.split(":")
419 for i in range(1, 5):
420 mac[i] = format(random.randint(0, 255), "02x")
421 src_mac = ":".join(mac)
424 packet = Ether(src=src_mac, dst=dst_mac)
425 ip_rule = src_ip6 if is_ip6 else src_ip4
427 if ip_type != self.EXACT_IP:
428 sub_ip = list(unpack("<16B", inet_pton(AF_INET6, ip_rule)))
429 if ip_type == self.WILD_IP:
430 sub_ip[0] = random.randint(240, 254)
431 sub_ip[1] = random.randint(230, 239)
432 sub_ip[14] = random.randint(100, 199)
433 sub_ip[15] = random.randint(200, 255)
434 elif ip_type == self.SUBNET_IP:
436 sub_ip[2] = int(sub_ip[2]) + 1
437 sub_ip[14] = random.randint(100, 199)
438 sub_ip[15] = random.randint(200, 255)
439 packed_src_ip6 = b"".join([scapy.compat.chb(x) for x in sub_ip])
440 src_ip6 = inet_ntop(AF_INET6, packed_src_ip6)
441 packet /= IPv6(src=src_ip6, dst=dst_ip6)
443 if ip_type != self.EXACT_IP:
444 sub_ip = ip_rule.split(".")
445 if ip_type == self.WILD_IP:
446 sub_ip[0] = random.randint(1, 49)
447 sub_ip[1] = random.randint(50, 99)
448 sub_ip[2] = random.randint(100, 199)
449 sub_ip[3] = random.randint(200, 255)
450 elif ip_type == self.SUBNET_IP:
452 sub_ip[1] = int(sub_ip[1]) + 1
453 sub_ip[2] = random.randint(100, 199)
454 sub_ip[3] = random.randint(200, 255)
455 src_ip4 = ".".join(["{!s}".format(x) for x in sub_ip])
456 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
458 packet /= UDP(sport=src_port, dport=dst_port) / Raw(payload)
460 packet[Raw].load += b" mac:%s" % src_mac.encode("utf-8")
462 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
463 if isinstance(src_if, VppSubInterface):
465 if isinstance(src_if, VppDot1QSubint):
466 if src_if is self.subifs[0]:
467 if tags == self.PERMIT_TAGS:
468 packet = src_if.add_dot1q_layer(packet, 10)
470 packet = src_if.add_dot1q_layer(packet, 11)
472 if tags == self.PERMIT_TAGS:
473 packet = src_if.add_dot1q_layer(packet, 30)
475 packet = src_if.add_dot1q_layer(packet, 33)
476 elif isinstance(src_if, VppDot1ADSubint):
477 if src_if is self.subifs[1]:
478 if tags == self.PERMIT_TAGS:
479 packet = src_if.add_dot1ad_layer(packet, 300, 400)
481 packet = src_if.add_dot1ad_layer(packet, 333, 444)
483 if tags == self.PERMIT_TAGS:
484 packet = src_if.add_dot1ad_layer(packet, 600, 700)
486 packet = src_if.add_dot1ad_layer(packet, 666, 777)
487 self.extend_packet(packet, size)
488 packets.append(packet)
490 # create suitable MACIP rule
491 if mac_type == self.EXACT_MAC:
493 mac_mask = "ff:ff:ff:ff:ff:ff"
494 elif mac_type == self.WILD_MAC:
495 mac_rule = "00:00:00:00:00:00"
496 mac_mask = "00:00:00:00:00:00"
497 elif mac_type == self.OUI_MAC:
498 mac = src_mac.split(":")
499 mac[3] = mac[4] = mac[5] = "00"
500 mac_rule = ":".join(mac)
501 mac_mask = "ff:ff:ff:00:00:00"
504 if ip_type == self.WILD_IP:
508 if ip_type == self.SUBNET_IP:
509 sub_ip = list(unpack("<16B", inet_pton(AF_INET6, ip)))
510 for i in range(8, 16):
512 packed_ip = b"".join([scapy.compat.chb(x) for x in sub_ip])
513 ip = inet_ntop(AF_INET6, packed_ip)
515 if ip_type == self.WILD_IP:
519 if ip_type == self.SUBNET_IP:
520 sub_ip = ip.split(".")
521 sub_ip[2] = sub_ip[3] = "0"
522 ip = ".".join(sub_ip)
524 prefix_len = 128 if is_ip6 else 32
525 if ip_type == self.WILD_IP:
527 elif ip_type == self.SUBNET_IP:
528 prefix_len = 64 if is_ip6 else 16
529 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
531 # create suitable ACL rule
533 rule_l4_sport = packet[UDP].sport
534 rule_l4_dport = packet[UDP].dport
535 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
536 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
537 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
538 if packet.haslayer(IPv6):
539 rule_l4_proto = packet[UDP].overload_fields[IPv6]["nh"]
541 rule_l4_proto = packet[IP].proto
543 src_network = ip_network((packet[rule_l3_layer].src, rule_prefix_len))
544 dst_network = ip_network((packet[rule_l3_layer].dst, rule_prefix_len))
548 src_prefix=src_network,
549 dst_prefix=dst_network,
550 sport_from=rule_l4_sport,
551 sport_to=rule_l4_sport,
552 dport_from=rule_l4_dport,
553 dport_to=rule_l4_dport,
555 acl_rules.append(acl_rule)
557 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
561 macip_rule = MacipRule(
563 src_prefix=ip_network((ip_rule, prefix_len)),
564 src_mac=MACAddress(mac_rule).packed,
565 src_mac_mask=MACAddress(mac_mask).packed,
567 macip_rules.append(macip_rule)
569 # deny all other packets
570 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
571 network = IPv6Network((0, 0)) if is_ip6 else IPv4Network((0, 0))
572 macip_rule = MacipRule(
575 src_mac=MACAddress("00:00:00:00:00:00").packed,
576 src_mac_mask=MACAddress("00:00:00:00:00:00").packed,
578 macip_rules.append(macip_rule)
580 network = IPv6Network((0, 0)) if is_ip6 else IPv4Network((0, 0))
590 acl_rules.append(acl_rule)
591 return {"stream": packets, "macip_rules": macip_rules, "acl_rules": acl_rules}
593 def verify_capture(self, stream, capture, is_ip6):
600 # p_l3 = IPv6 if is_ip6 else IP
603 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst)
605 # acls = self.macip_acl_dump_debug()
610 # print(binascii.hexlify(r.src_mac), \
611 # binascii.hexlify(r.src_mac_mask),\
612 # unpack('<16B', r.src_ip_addr), \
613 # r.src_ip_prefix_len)
616 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
617 # data = p[Raw].load.split(':',1)[1])
618 # print(p[p_l3].src, data)
627 do_not_expected_capture=False,
631 permit_tags=PERMIT_TAGS,
634 self.reset_packet_infos()
637 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
638 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
642 if tags == self.DOT1Q:
643 if traffic == self.BRIDGED:
644 tx_if = self.subifs[0]
646 src_if = self.subifs[0]
649 tx_if = self.subifs[2]
651 src_if = self.subifs[2]
653 elif tags == self.DOT1AD:
654 if traffic == self.BRIDGED:
655 tx_if = self.subifs[1]
657 src_if = self.subifs[1]
660 tx_if = self.subifs[3]
662 src_if = self.subifs[3]
667 test_dict = self.create_stream(
680 self.acl = VppMacipAcl(self, rules=test_dict["macip_rules"])
682 self.acl = VppAcl(self, rules=test_dict["acl_rules"])
683 self.acl.add_vpp_config()
686 self.acl_if = VppMacipAclInterface(
687 self, sw_if_index=tx_if.sw_if_index, acls=[self.acl]
689 self.acl_if.add_vpp_config()
691 dump = self.acl_if.dump()
692 self.assertTrue(dump)
693 self.assertEqual(dump[0].acls[0], self.acl.acl_index)
695 self.acl_if = VppAclInterface(
696 self, sw_if_index=tx_if.sw_if_index, n_input=1, acls=[self.acl]
698 self.acl_if.add_vpp_config()
700 if hasattr(self, "acl_if"):
701 self.acl_if.remove_vpp_config()
702 if try_replace and hasattr(self, "acl"):
704 self.acl.modify_vpp_config(test_dict["macip_rules"])
706 self.acl.modify_vpp_config(test_dict["acl_rules"])
708 if not isinstance(src_if, VppSubInterface):
709 tx_if.add_stream(test_dict["stream"])
711 tx_if.parent.add_stream(test_dict["stream"])
712 self.pg_enable_capture(self.pg_interfaces)
715 if do_not_expected_capture:
719 traffic == self.BRIDGED
720 and mac_type == self.WILD_MAC
721 and ip_type == self.WILD_IP
723 capture = rx_if.get_capture(packets)
725 capture = rx_if.get_capture(
726 self.get_packet_count_for_if_idx(dst_if.sw_if_index)
728 self.verify_capture(test_dict["stream"], capture, is_ip6)
730 if hasattr(self, "acl_if"):
731 self.acl_if.remove_vpp_config()
732 if hasattr(self, "acl"):
733 self.acl.remove_vpp_config()
736 self, mac_type, ip_type, acl_count, rules_count, traffic=None, ip=None
738 self.apply_macip_rules(
739 self.create_rules(mac_type, ip_type, acl_count, rules_count)
741 self.verify_macip_acls(acl_count, rules_count)
743 if traffic is not None:
744 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
747 class TestMACIP_IP4(MethodHolder):
748 """MACIP with IP4 traffic"""
752 super(TestMACIP_IP4, cls).setUpClass()
755 def tearDownClass(cls):
756 super(TestMACIP_IP4, cls).tearDownClass()
758 def test_acl_bridged_ip4_exactMAC_exactIP(self):
759 """IP4 MACIP exactMAC|exactIP ACL bridged traffic"""
760 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP4, 9)
762 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
763 """IP4 MACIP exactMAC|subnetIP ACL bridged traffic"""
765 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP4, 9)
767 def test_acl_bridged_ip4_exactMAC_wildIP(self):
768 """IP4 MACIP exactMAC|wildIP ACL bridged traffic"""
770 self.run_traffic(self.EXACT_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP4, 9)
772 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
773 """IP4 MACIP ouiMAC|exactIP ACL bridged traffic"""
775 self.run_traffic(self.OUI_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP4, 3)
777 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
778 """IP4 MACIP ouiMAC|subnetIP ACL bridged traffic"""
780 self.run_traffic(self.OUI_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP4, 9)
782 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
783 """IP4 MACIP ouiMAC|wildIP ACL bridged traffic"""
785 self.run_traffic(self.OUI_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP4, 9)
787 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
788 """IP4 MACIP wildcardMAC|exactIP ACL bridged traffic"""
790 self.run_traffic(self.WILD_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP4, 9)
792 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
793 """IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic"""
795 self.run_traffic(self.WILD_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP4, 9)
797 def test_acl_bridged_ip4_wildMAC_wildIP(self):
798 """IP4 MACIP wildcardMAC|wildIP ACL bridged traffic"""
800 self.run_traffic(self.WILD_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP4, 9)
802 def test_acl_routed_ip4_exactMAC_exactIP(self):
803 """IP4 MACIP exactMAC|exactIP ACL routed traffic"""
804 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED, self.IS_IP4, 9)
806 def test_acl_routed_ip4_exactMAC_subnetIP(self):
807 """IP4 MACIP exactMAC|subnetIP ACL routed traffic"""
808 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP, self.ROUTED, self.IS_IP4, 9)
810 def test_acl_routed_ip4_exactMAC_wildIP(self):
811 """IP4 MACIP exactMAC|wildIP ACL routed traffic"""
812 self.run_traffic(self.EXACT_MAC, self.WILD_IP, self.ROUTED, self.IS_IP4, 9)
814 def test_acl_routed_ip4_ouiMAC_exactIP(self):
815 """IP4 MACIP ouiMAC|exactIP ACL routed traffic"""
817 self.run_traffic(self.OUI_MAC, self.EXACT_IP, self.ROUTED, self.IS_IP4, 9)
819 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
820 """IP4 MACIP ouiMAC|subnetIP ACL routed traffic"""
822 self.run_traffic(self.OUI_MAC, self.SUBNET_IP, self.ROUTED, self.IS_IP4, 9)
824 def test_acl_routed_ip4_ouiMAC_wildIP(self):
825 """IP4 MACIP ouiMAC|wildIP ACL routed traffic"""
827 self.run_traffic(self.OUI_MAC, self.WILD_IP, self.ROUTED, self.IS_IP4, 9)
829 def test_acl_routed_ip4_wildMAC_exactIP(self):
830 """IP4 MACIP wildcardMAC|exactIP ACL routed traffic"""
832 self.run_traffic(self.WILD_MAC, self.EXACT_IP, self.ROUTED, self.IS_IP4, 9)
834 def test_acl_routed_ip4_wildMAC_subnetIP(self):
835 """IP4 MACIP wildcardMAC|subnetIP ACL routed traffic"""
837 self.run_traffic(self.WILD_MAC, self.SUBNET_IP, self.ROUTED, self.IS_IP4, 9)
839 def test_acl_routed_ip4_wildMAC_wildIP(self):
840 """IP4 MACIP wildcardMAC|wildIP ACL"""
842 self.run_traffic(self.WILD_MAC, self.WILD_IP, self.ROUTED, self.IS_IP4, 9)
844 def test_acl_replace_traffic_ip4(self):
845 """MACIP replace ACL with IP4 traffic"""
847 self.OUI_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP4, 9, try_replace=True
859 class TestMACIP_IP6(MethodHolder):
860 """MACIP with IP6 traffic"""
864 super(TestMACIP_IP6, cls).setUpClass()
867 def tearDownClass(cls):
868 super(TestMACIP_IP6, cls).tearDownClass()
870 def test_acl_bridged_ip6_exactMAC_exactIP(self):
871 """IP6 MACIP exactMAC|exactIP ACL bridged traffic"""
873 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP6, 9)
875 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
876 """IP6 MACIP exactMAC|subnetIP ACL bridged traffic"""
878 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP6, 9)
880 def test_acl_bridged_ip6_exactMAC_wildIP(self):
881 """IP6 MACIP exactMAC|wildIP ACL bridged traffic"""
883 self.run_traffic(self.EXACT_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP6, 9)
885 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
886 """IP6 MACIP oui_MAC|exactIP ACL bridged traffic"""
888 self.run_traffic(self.OUI_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP6, 9)
890 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
891 """IP6 MACIP ouiMAC|subnetIP ACL bridged traffic"""
893 self.run_traffic(self.OUI_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP6, 9)
895 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
896 """IP6 MACIP ouiMAC|wildIP ACL bridged traffic"""
898 self.run_traffic(self.OUI_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP6, 9)
900 def test_acl_bridged_ip6_wildMAC_exactIP(self):
901 """IP6 MACIP wildcardMAC|exactIP ACL bridged traffic"""
903 self.run_traffic(self.WILD_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP6, 9)
905 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
906 """IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic"""
908 self.run_traffic(self.WILD_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP6, 9)
910 def test_acl_bridged_ip6_wildMAC_wildIP(self):
911 """IP6 MACIP wildcardMAC|wildIP ACL bridged traffic"""
913 self.run_traffic(self.WILD_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP6, 9)
915 def test_acl_routed_ip6_exactMAC_exactIP(self):
916 """IP6 MACIP exactMAC|exactIP ACL routed traffic"""
918 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED, self.IS_IP6, 9)
920 def test_acl_routed_ip6_exactMAC_subnetIP(self):
921 """IP6 MACIP exactMAC|subnetIP ACL routed traffic"""
923 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP, self.ROUTED, self.IS_IP6, 9)
925 def test_acl_routed_ip6_exactMAC_wildIP(self):
926 """IP6 MACIP exactMAC|wildIP ACL routed traffic"""
928 self.run_traffic(self.EXACT_MAC, self.WILD_IP, self.ROUTED, self.IS_IP6, 9)
930 def test_acl_routed_ip6_ouiMAC_exactIP(self):
931 """IP6 MACIP ouiMAC|exactIP ACL routed traffic"""
933 self.run_traffic(self.OUI_MAC, self.EXACT_IP, self.ROUTED, self.IS_IP6, 9)
935 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
936 """IP6 MACIP ouiMAC|subnetIP ACL routed traffic"""
938 self.run_traffic(self.OUI_MAC, self.SUBNET_IP, self.ROUTED, self.IS_IP6, 9)
940 def test_acl_routed_ip6_ouiMAC_wildIP(self):
941 """IP6 MACIP ouiMAC|wildIP ACL routed traffic"""
943 self.run_traffic(self.OUI_MAC, self.WILD_IP, self.ROUTED, self.IS_IP6, 9)
945 def test_acl_routed_ip6_wildMAC_exactIP(self):
946 """IP6 MACIP wildcardMAC|exactIP ACL routed traffic"""
948 self.run_traffic(self.WILD_MAC, self.EXACT_IP, self.ROUTED, self.IS_IP6, 9)
950 def test_acl_routed_ip6_wildMAC_subnetIP(self):
951 """IP6 MACIP wildcardMAC|subnetIP ACL routed traffic"""
953 self.run_traffic(self.WILD_MAC, self.SUBNET_IP, self.ROUTED, self.IS_IP6, 9)
955 def test_acl_routed_ip6_wildMAC_wildIP(self):
956 """IP6 MACIP wildcardMAC|wildIP ACL"""
958 self.run_traffic(self.WILD_MAC, self.WILD_IP, self.ROUTED, self.IS_IP6, 9)
960 def test_acl_replace_traffic_ip6(self):
961 """MACIP replace ACL with IP6 traffic"""
963 self.OUI_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP6, 9, try_replace=True
975 class TestMACIP(MethodHolder):
980 super(TestMACIP, cls).setUpClass()
983 def tearDownClass(cls):
984 super(TestMACIP, cls).tearDownClass()
986 def test_acl_1_2(self):
987 """MACIP ACL with 2 entries"""
989 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
991 def test_acl_1_5(self):
992 """MACIP ACL with 5 entries"""
994 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
996 def test_acl_1_10(self):
997 """MACIP ACL with 10 entries"""
999 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
1001 def test_acl_1_20(self):
1002 """MACIP ACL with 20 entries"""
1004 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
1006 def test_acl_1_50(self):
1007 """MACIP ACL with 50 entries"""
1009 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1011 def test_acl_1_100(self):
1012 """MACIP ACL with 100 entries"""
1014 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1016 def test_acl_2_X(self):
1017 """MACIP 2 ACLs each with 100+ entries"""
1019 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1021 def test_acl_10_X(self):
1022 """MACIP 10 ACLs each with 100+ entries"""
1028 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1031 def test_acl_10_X_traffic_ip4(self):
1032 """MACIP 10 ACLs each with 100+ entries with IP4 traffic"""
1038 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1043 def test_acl_10_X_traffic_ip6(self):
1044 """MACIP 10 ACLs each with 100+ entries with IP6 traffic"""
1050 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1055 def test_acl_replace(self):
1056 """MACIP replace ACL"""
1058 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1059 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
1060 macip_acls = self.apply_macip_rules(r1)
1062 acls_before = self.macip_acl_dump_debug()
1064 # replace acls #2, #3 with new
1065 macip_acls[2].modify_vpp_config(r2[0])
1066 macip_acls[3].modify_vpp_config(r2[1])
1068 acls_after = self.macip_acl_dump_debug()
1071 self.assertEqual(len(acls_before), len(acls_after))
1072 for acl1, acl2 in zip(
1073 acls_before[:2] + acls_before[4:], acls_after[:2] + acls_after[4:]
1075 self.assertEqual(len(acl1), len(acl2))
1077 self.assertEqual(len(acl1.r), len(acl2.r))
1078 for r1, r2 in zip(acl1.r, acl2.r):
1079 self.assertEqual(len(acl1.r), len(acl2.r))
1080 self.assertEqual(acl1.r, acl2.r)
1081 for acl1, acl2 in zip(acls_before[2:4], acls_after[2:4]):
1082 self.assertEqual(len(acl1), len(acl2))
1084 self.assertNotEqual(len(acl1.r), len(acl2.r))
1085 for r1, r2 in zip(acl1.r, acl2.r):
1086 self.assertNotEqual(len(acl1.r), len(acl2.r))
1087 self.assertNotEqual(acl1.r, acl2.r)
1089 def test_delete_intf(self):
1090 """MACIP ACL delete intf with acl"""
1092 intf_count = len(self.interfaces) + 1
1094 macip_alcs = self.apply_macip_rules(
1095 self.create_rules(acl_count=3, rules_count=[3, 5, 4])
1098 intf.append(VppLoInterface(self))
1099 intf.append(VppLoInterface(self))
1101 sw_if_index0 = intf[0].sw_if_index
1102 macip_acl_if0 = VppMacipAclInterface(
1103 self, sw_if_index=sw_if_index0, acls=[macip_alcs[1]]
1105 macip_acl_if0.add_vpp_config()
1107 reply = self.vapi.macip_acl_interface_get()
1108 self.assertEqual(reply.count, intf_count + 1)
1109 self.assertEqual(reply.acls[sw_if_index0], 1)
1111 sw_if_index1 = intf[1].sw_if_index
1112 macip_acl_if1 = VppMacipAclInterface(
1113 self, sw_if_index=sw_if_index1, acls=[macip_alcs[0]]
1115 macip_acl_if1.add_vpp_config()
1117 reply = self.vapi.macip_acl_interface_get()
1118 self.assertEqual(reply.count, intf_count + 2)
1119 self.assertEqual(reply.acls[sw_if_index1], 0)
1121 intf[0].remove_vpp_config()
1122 reply = self.vapi.macip_acl_interface_get()
1123 self.assertEqual(reply.count, intf_count + 2)
1124 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1125 self.assertEqual(reply.acls[sw_if_index1], 0)
1127 intf.append(VppLoInterface(self))
1128 intf.append(VppLoInterface(self))
1129 sw_if_index2 = intf[2].sw_if_index
1130 sw_if_index3 = intf[3].sw_if_index
1131 macip_acl_if2 = VppMacipAclInterface(
1132 self, sw_if_index=sw_if_index2, acls=[macip_alcs[1]]
1134 macip_acl_if2.add_vpp_config()
1135 macip_acl_if3 = VppMacipAclInterface(
1136 self, sw_if_index=sw_if_index3, acls=[macip_alcs[1]]
1138 macip_acl_if3.add_vpp_config()
1140 reply = self.vapi.macip_acl_interface_get()
1141 self.assertEqual(reply.count, intf_count + 3)
1142 self.assertEqual(reply.acls[sw_if_index1], 0)
1143 self.assertEqual(reply.acls[sw_if_index2], 1)
1144 self.assertEqual(reply.acls[sw_if_index3], 1)
1145 self.logger.info("MACIP ACL on multiple interfaces:")
1146 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1147 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1148 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1149 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1150 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
1152 intf[2].remove_vpp_config()
1153 intf[1].remove_vpp_config()
1155 reply = self.vapi.macip_acl_interface_get()
1156 self.assertEqual(reply.count, intf_count + 3)
1157 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1158 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1159 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1160 self.assertEqual(reply.acls[sw_if_index3], 1)
1162 intf[3].remove_vpp_config()
1163 reply = self.vapi.macip_acl_interface_get()
1165 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1168 class TestACL_dot1q_bridged(MethodHolder):
1169 """ACL on dot1q bridged subinterfaces Tests"""
1172 def setUpClass(cls):
1173 super(TestACL_dot1q_bridged, cls).setUpClass()
1176 def tearDownClass(cls):
1177 super(TestACL_dot1q_bridged, cls).tearDownClass()
1179 def test_acl_bridged_ip4_subif_dot1q(self):
1180 """IP4 ACL SubIf Dot1Q bridged traffic"""
1191 def test_acl_bridged_ip6_subif_dot1q(self):
1192 """IP6 ACL SubIf Dot1Q bridged traffic"""
1204 class TestACL_dot1ad_bridged(MethodHolder):
1205 """ACL on dot1ad bridged subinterfaces Tests"""
1208 def setUpClass(cls):
1209 super(TestACL_dot1ad_bridged, cls).setUpClass()
1212 def tearDownClass(cls):
1213 super(TestACL_dot1ad_bridged, cls).tearDownClass()
1215 def test_acl_bridged_ip4_subif_dot1ad(self):
1216 """IP4 ACL SubIf Dot1AD bridged traffic"""
1227 def test_acl_bridged_ip6_subif_dot1ad(self):
1228 """IP6 ACL SubIf Dot1AD bridged traffic"""
1240 class TestACL_dot1q_routed(MethodHolder):
1241 """ACL on dot1q routed subinterfaces Tests"""
1244 def setUpClass(cls):
1245 super(TestACL_dot1q_routed, cls).setUpClass()
1248 def tearDownClass(cls):
1249 super(TestACL_dot1q_routed, cls).tearDownClass()
1251 def test_acl_routed_ip4_subif_dot1q(self):
1252 """IP4 ACL SubIf Dot1Q routed traffic"""
1263 def test_acl_routed_ip6_subif_dot1q(self):
1264 """IP6 ACL SubIf Dot1Q routed traffic"""
1275 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1276 """IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1286 permit_tags=self.DENY_TAGS,
1289 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1290 """IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1300 permit_tags=self.DENY_TAGS,
1304 class TestACL_dot1ad_routed(MethodHolder):
1305 """ACL on dot1ad routed subinterfaces Tests"""
1308 def setUpClass(cls):
1309 super(TestACL_dot1ad_routed, cls).setUpClass()
1312 def tearDownClass(cls):
1313 super(TestACL_dot1ad_routed, cls).tearDownClass()
1315 def test_acl_routed_ip6_subif_dot1ad(self):
1316 """IP6 ACL SubIf Dot1AD routed traffic"""
1327 def test_acl_routed_ip4_subif_dot1ad(self):
1328 """IP4 ACL SubIf Dot1AD routed traffic"""
1339 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1340 """IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1350 permit_tags=self.DENY_TAGS,
1353 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1354 """IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1364 permit_tags=self.DENY_TAGS,
1368 if __name__ == "__main__":
1369 unittest.main(testRunner=VppTestRunner)