2 """ACL plugin - MACIP tests
8 from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
10 from scapy.packet import Raw
11 from scapy.layers.l2 import Ether
12 from scapy.layers.inet import IP, UDP
13 from scapy.layers.inet6 import IPv6
15 from framework import VppTestCase, VppTestRunner, running_extended_tests
16 from vpp_lo_interface import VppLoInterface
17 from vpp_papi_provider import L2_VTR_OP
18 from vpp_sub_interface import VppSubInterface, VppDot1QSubint, VppDot1ADSubint
21 class MethodHolder(VppTestCase):
53 Perform standard class setup (defined by class method setUpClass in
54 class VppTestCase) before running the test case, set test case related
55 variables and configure VPP.
57 super(MethodHolder, cls).setUpClass()
59 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
61 cls.remote_hosts_count = 200
64 # create 4 pg interfaces, 1 loopback interface
65 cls.create_pg_interfaces(range(4))
66 cls.create_loopback_interfaces(range(1))
68 # create 2 subinterfaces
70 VppDot1QSubint(cls, cls.pg1, 10),
71 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
72 VppDot1QSubint(cls, cls.pg3, 30),
73 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
75 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
77 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
78 outer=300, inner=400, push1q=1)
79 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
81 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
82 outer=600, inner=700, push1q=1)
84 cls.interfaces = list(cls.pg_interfaces)
85 cls.interfaces.extend(cls.lo_interfaces)
86 cls.interfaces.extend(cls.subifs)
88 for i in cls.interfaces:
91 # Create BD with MAC learning enabled and put interfaces to this BD
92 cls.vapi.sw_interface_set_l2_bridge(
93 cls.loop0.sw_if_index, bd_id=cls.bd_id, bvi=1)
94 cls.vapi.sw_interface_set_l2_bridge(
95 cls.pg0.sw_if_index, bd_id=cls.bd_id)
96 cls.vapi.sw_interface_set_l2_bridge(
97 cls.pg1.sw_if_index, bd_id=cls.bd_id)
98 cls.vapi.sw_interface_set_l2_bridge(
99 cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
100 cls.vapi.sw_interface_set_l2_bridge(
101 cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
103 # Configure IPv4/6 addresses on loop interface and routed interface
104 cls.loop0.config_ip4()
105 cls.loop0.config_ip6()
111 # Configure MAC address binding to IPv4 neighbors on loop0
112 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
113 # Modify host mac addresses to have different OUI parts
114 for i in range(2, cls.remote_hosts_count + 2):
115 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
116 mac[2] = format(int(mac[2], 16) + i, "02x")
117 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
119 cls.loop0.configure_ipv4_neighbors()
120 cls.loop0.configure_ipv6_neighbors()
122 # configure MAC address on pg3
123 cls.pg3.resolve_arp()
124 cls.pg3.resolve_ndp()
126 # configure MAC address on subifs
132 # configure MAC address on pg2
133 cls.pg2.resolve_arp()
134 cls.pg2.resolve_ndp()
136 # Loopback BVI interface has remote hosts
137 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
138 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
139 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
140 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
141 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
142 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
145 super(TestMACIP, cls).tearDownClass()
149 super(MethodHolder, self).setUp()
150 self.reset_packet_infos()
155 Show various debug prints after each test.
157 super(MethodHolder, self).tearDown()
158 if not self.vpp_dead:
159 self.logger.info(self.vapi.ppcli("show interface address"))
160 self.logger.info(self.vapi.ppcli("show hardware"))
161 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
162 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
163 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
164 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
165 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
166 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
167 # print self.vapi.ppcli("show interface address")
168 # print self.vapi.ppcli("show hardware")
169 # print self.vapi.ppcli("sh acl-plugin macip interface")
170 # print self.vapi.ppcli("sh acl-plugin macip acl")
173 def macip_acl_dump_debug(self):
174 acls = self.vapi.macip_acl_dump()
177 print "ACL #"+str(acl.acl_index)
182 elif r.is_permit == 0:
184 print " IP6" if r.is_ipv6 else " IP4", \
186 r.src_mac.encode('hex'), \
187 r.src_mac_mask.encode('hex'),\
188 unpack('<16B', r.src_ip_addr), \
192 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
193 acl_count=1, rules_count=[1]):
195 src_mac = int("220000dead00", 16)
196 for acl in range(2, (acl_count+1) * 2):
198 host = random.choice(self.loop0.remote_hosts)
200 ip4 = host.ip4.split('.')
201 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
203 if ip_type == self.EXACT_IP:
206 elif ip_type == self.WILD_IP:
208 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
211 rules_count[(acl / 2) - 1] = 1
216 if mac_type == self.EXACT_MAC:
217 mask = "ff:ff:ff:ff:ff:ff"
218 elif mac_type == self.WILD_MAC:
219 mask = "00:00:00:00:00:00"
220 elif mac_type == self.OUI_MAC:
221 mask = "ff:ff:ff:00:00:00"
223 mask = "ff:ff:ff:ff:ff:00"
225 ip = ip6 if is_ip6 else ip4
226 ip_len = prefix_len6 if is_ip6 else prefix_len4
228 for i in range(0, rules_count[(acl / 2) - 1]):
230 if mac_type == self.WILD_MAC:
231 mac = "00:00:00:00:00:00"
232 elif mac_type == self.OUI_MAC:
233 mac = ':'.join(re.findall('..', '{:02x}'.format(
234 src_mac))[:3])+":00:00:00"
236 mac = ':'.join(re.findall('..', '{:02x}'.format(src_mac)))
238 if ip_type == self.EXACT_IP:
239 ip4[3] = random.randint(100, 200)
240 ip6[15] = random.randint(100, 200)
241 elif ip_type == self.SUBNET_IP:
242 ip4[2] = random.randint(100, 200)
244 ip6[8] = random.randint(100, 200)
247 for j in range(0, len(ip)):
248 ip_pack += pack('<B', int(ip[j]))
250 rule = ({'is_permit': self.PERMIT,
252 'src_ip_addr': ip_pack,
253 'src_ip_prefix_len': ip_len,
254 'src_mac': mac.replace(':', '').decode('hex'),
255 'src_mac_mask': mask.replace(':', '').decode('hex')})
257 if ip_type == self.WILD_IP:
261 src_mac += 1099511627776
264 def apply_macip_rules(self, acls):
266 reply = self.vapi.macip_acl_add(acl)
267 self.assertEqual(reply.retval, 0)
268 self.ACLS.append(reply.acl_index)
270 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
271 reply = self.macip_acl_dump_debug()
272 for acl in range(2, (acl_count+1) * 2):
273 self.assertEqual(reply[acl - 2].count, rules_count[acl/2-1])
275 self.vapi.macip_acl_interface_get()
277 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
278 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
280 reply = self.vapi.macip_acl_interface_get()
281 self.assertEqual(reply.count, expected_count)
283 def delete_acls(self):
284 for acl in range(len(self.ACLS)-1, -1, -1):
285 self.vapi.macip_acl_del(self.ACLS[acl])
287 reply = self.vapi.macip_acl_dump()
288 self.assertEqual(len(reply), 0)
290 intf_acls = self.vapi.ppcli("sh acl-plugin interface").split(
292 for i_a in intf_acls:
295 sw_if_index = int(ia[0])
296 acl_index = int(ia[2])
297 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
298 self.vapi.acl_del(acl_index)
300 def create_stream(self, mac_type, ip_type, packet_count,
301 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
302 # exact MAC and exact IP
303 # exact MAC and subnet of IPs
304 # exact MAC and wildcard IP
305 # wildcard MAC and exact IP
306 # wildcard MAC and subnet of IPs
307 # wildcard MAC and wildcard IP
308 # OUI restricted MAC and exact IP
309 # OUI restricted MAC and subnet of IPs
310 # OUI restricted MAC and wildcard IP
318 mac_rule = "00:00:00:00:00:00"
319 mac_mask = "00:00:00:00:00:00"
320 for p in range(0, packet_count):
321 remote_dst_index = p % len(dst_if.remote_hosts)
322 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
326 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
327 denyMAC = True if not is_permit and p % 3 == 1 else False
328 denyIP = True if not is_permit and p % 3 == 2 else False
329 if not is_permit and ip_type == self.WILD_IP:
331 if not is_permit and mac_type == self.WILD_MAC:
334 if traffic == self.BRIDGED:
336 src_mac = remote_dst_host._mac
337 dst_mac = 'de:ad:00:00:00:00'
338 src_ip4 = remote_dst_host.ip4
339 dst_ip4 = src_if.remote_ip4
340 src_ip6 = remote_dst_host.ip6
341 dst_ip6 = src_if.remote_ip6
342 ip_permit = src_ip6 if is_ip6 else src_ip4
345 mac = src_mac.split(':')
346 mac[0] = format(int(mac[0], 16)+1, "02x")
347 src_mac = ":".join(mac)
353 if ip_type != self.WILD_IP:
355 src_ip4 = remote_dst_host.ip4
356 dst_ip4 = src_if.remote_ip4
357 src_ip6 = remote_dst_host.ip6
358 dst_ip6 = src_if.remote_ip6
361 src_mac = remote_dst_host._mac
362 dst_mac = src_if.local_mac
363 src_ip4 = src_if.remote_ip4
364 dst_ip4 = remote_dst_host.ip4
365 src_ip6 = src_if.remote_ip6
366 dst_ip6 = remote_dst_host.ip6
367 ip_permit = src_ip6 if is_ip6 else src_ip4
370 mac = src_mac.split(':')
371 mac[0] = format(int(mac[0], 16) + 1, "02x")
372 src_mac = ":".join(mac)
378 src_mac = remote_dst_host._mac
379 if ip_type != self.WILD_IP:
381 src_ip4 = remote_dst_host.ip4
382 dst_ip4 = src_if.remote_ip4
383 src_ip6 = remote_dst_host.ip6
384 dst_ip6 = src_if.remote_ip6
387 info = self.create_packet_info(src_if, dst_if)
388 payload = self.info_to_payload(info)
390 payload = "to be blocked"
392 if mac_type == self.WILD_MAC:
393 mac = src_mac.split(':')
394 for i in range(1, 5):
395 mac[i] = format(random.randint(0, 255), "02x")
396 src_mac = ":".join(mac)
399 packet = Ether(src=src_mac, dst=dst_mac)
400 ip_rule = src_ip6 if is_ip6 else src_ip4
402 if ip_type != self.EXACT_IP:
403 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
404 if ip_type == self.WILD_IP:
405 sub_ip[0] = random.randint(240, 254)
406 sub_ip[1] = random.randint(230, 239)
407 sub_ip[14] = random.randint(100, 199)
408 sub_ip[15] = random.randint(200, 255)
409 elif ip_type == self.SUBNET_IP:
411 sub_ip[2] = str(int(sub_ip[2]) + 1)
412 sub_ip[14] = random.randint(100, 199)
413 sub_ip[15] = random.randint(200, 255)
414 src_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
415 packet /= IPv6(src=src_ip6, dst=dst_ip6)
417 if ip_type != self.EXACT_IP:
418 sub_ip = ip_rule.split('.')
419 if ip_type == self.WILD_IP:
420 sub_ip[0] = str(random.randint(1, 49))
421 sub_ip[1] = str(random.randint(50, 99))
422 sub_ip[2] = str(random.randint(100, 199))
423 sub_ip[3] = str(random.randint(200, 255))
424 elif ip_type == self.SUBNET_IP:
426 sub_ip[1] = str(int(sub_ip[1])+1)
427 sub_ip[2] = str(random.randint(100, 199))
428 sub_ip[3] = str(random.randint(200, 255))
429 src_ip4 = ".".join(sub_ip)
430 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
432 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
434 packet[Raw].load += " mac:"+src_mac
436 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
437 if isinstance(src_if, VppSubInterface):
439 if isinstance(src_if, VppDot1QSubint):
440 if src_if is self.subifs[0]:
441 if tags == self.PERMIT_TAGS:
442 packet = src_if.add_dot1q_layer(packet, 10)
444 packet = src_if.add_dot1q_layer(packet, 11)
446 if tags == self.PERMIT_TAGS:
447 packet = src_if.add_dot1q_layer(packet, 30)
449 packet = src_if.add_dot1q_layer(packet, 33)
450 elif isinstance(src_if, VppDot1ADSubint):
451 if src_if is self.subifs[1]:
452 if tags == self.PERMIT_TAGS:
453 packet = src_if.add_dot1ad_layer(packet, 300, 400)
455 packet = src_if.add_dot1ad_layer(packet, 333, 444)
457 if tags == self.PERMIT_TAGS:
458 packet = src_if.add_dot1ad_layer(packet, 600, 700)
460 packet = src_if.add_dot1ad_layer(packet, 666, 777)
461 self.extend_packet(packet, size)
462 packets.append(packet)
464 # create suitable MACIP rule
465 if mac_type == self.EXACT_MAC:
467 mac_mask = "ff:ff:ff:ff:ff:ff"
468 elif mac_type == self.WILD_MAC:
469 mac_rule = "00:00:00:00:00:00"
470 mac_mask = "00:00:00:00:00:00"
471 elif mac_type == self.OUI_MAC:
472 mac = src_mac.split(':')
473 mac[3] = mac[4] = mac[5] = '00'
474 mac_rule = ":".join(mac)
475 mac_mask = "ff:ff:ff:00:00:00"
478 if ip_type == self.WILD_IP:
482 if ip_type == self.SUBNET_IP:
483 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
484 for i in range(8, 16):
486 ip = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
488 if ip_type == self.WILD_IP:
492 if ip_type == self.SUBNET_IP:
493 sub_ip = ip.split('.')
494 sub_ip[2] = sub_ip[3] = '0'
495 ip = ".".join(sub_ip)
497 prefix_len = 128 if is_ip6 else 32
498 if ip_type == self.WILD_IP:
500 elif ip_type == self.SUBNET_IP:
501 prefix_len = 64 if is_ip6 else 16
502 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
504 # create suitable ACL rule
506 rule_l4_sport = packet[UDP].sport
507 rule_l4_dport = packet[UDP].dport
508 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
509 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
510 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
511 if packet.haslayer(IPv6):
512 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
514 rule_l4_proto = packet[IP].proto
517 'is_permit': is_permit,
519 'src_ip_addr': inet_pton(rule_family,
520 packet[rule_l3_layer].src),
521 'src_ip_prefix_len': rule_prefix_len,
522 'dst_ip_addr': inet_pton(rule_family,
523 packet[rule_l3_layer].dst),
524 'dst_ip_prefix_len': rule_prefix_len,
525 'srcport_or_icmptype_first': rule_l4_sport,
526 'srcport_or_icmptype_last': rule_l4_sport,
527 'dstport_or_icmpcode_first': rule_l4_dport,
528 'dstport_or_icmpcode_last': rule_l4_dport,
529 'proto': rule_l4_proto}
530 acl_rules.append(acl_rule)
532 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
537 'is_permit': is_permit,
539 'src_ip_addr': ip_rule,
540 'src_ip_prefix_len': prefix_len,
541 'src_mac': mac_rule.replace(':', '').decode('hex'),
542 'src_mac_mask': mac_mask.replace(':', '').decode('hex')})
543 macip_rules.append(macip_rule)
545 # deny all other packets
546 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
547 macip_rule = ({'is_permit': 0,
550 'src_ip_prefix_len': 0,
553 macip_rules.append(macip_rule)
555 acl_rule = {'is_permit': 0,
557 acl_rules.append(acl_rule)
558 return {'stream': packets,
559 'macip_rules': macip_rules,
560 'acl_rules': acl_rules}
562 def verify_capture(self, stream, capture, is_ip6):
569 # p_l3 = IPv6 if is_ip6 else IP
572 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
574 # acls = self.macip_acl_dump_debug()
579 # print r.src_mac.encode('hex'), \
580 # r.src_mac_mask.encode('hex'),\
581 # unpack('<16B', r.src_ip_addr), \
582 # r.src_ip_prefix_len
585 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
586 # data = p[Raw].load.split(':',1)[1]
587 # print p[p_l3].src, data
589 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
590 do_not_expected_capture=False, tags=None,
591 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
593 self.reset_packet_infos()
596 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
597 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
601 if tags == self.DOT1Q:
602 if traffic == self.BRIDGED:
603 tx_if = self.subifs[0]
605 src_if = self.subifs[0]
608 tx_if = self.subifs[2]
610 src_if = self.subifs[2]
612 elif tags == self.DOT1AD:
613 if traffic == self.BRIDGED:
614 tx_if = self.subifs[1]
616 src_if = self.subifs[1]
619 tx_if = self.subifs[3]
621 src_if = self.subifs[3]
626 test_dict = self.create_stream(mac_type, ip_type, packets,
633 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
635 reply = self.vapi.acl_add_replace(acl_index=4294967295,
636 r=test_dict['acl_rules'])
637 self.assertEqual(reply.retval, 0)
638 acl_index = reply.acl_index
641 self.vapi.macip_acl_interface_add_del(
642 sw_if_index=tx_if.sw_if_index,
644 reply = self.vapi.macip_acl_interface_get()
645 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
646 self.ACLS.append(reply.acls[tx_if.sw_if_index])
648 self.vapi.acl_interface_add_del(
649 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
651 self.vapi.macip_acl_interface_add_del(
652 sw_if_index=tx_if.sw_if_index,
656 reply = self.vapi.macip_acl_add_replace(
657 test_dict['macip_rules'],
660 reply = self.vapi.acl_add_replace(acl_index=acl_index,
661 r=test_dict['acl_rules'])
662 self.assertEqual(reply.retval, 0)
664 if not isinstance(src_if, VppSubInterface):
665 tx_if.add_stream(test_dict['stream'])
667 tx_if.parent.add_stream(test_dict['stream'])
668 self.pg_enable_capture(self.pg_interfaces)
671 if do_not_expected_capture:
674 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
675 ip_type == self.WILD_IP:
676 capture = rx_if.get_capture(packets)
678 capture = rx_if.get_capture(
679 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
680 self.verify_capture(test_dict['stream'], capture, is_ip6)
682 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
683 acl_index=acl_index, is_add=0)
684 self.vapi.acl_del(acl_index)
686 def run_test_acls(self, mac_type, ip_type, acl_count,
687 rules_count, traffic=None, ip=None):
688 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
690 self.verify_macip_acls(acl_count, rules_count)
692 if traffic is not None:
693 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
696 class TestMACIP_IP4(MethodHolder):
697 """MACIP with IP4 traffic"""
699 def test_acl_bridged_ip4_exactMAC_exactIP(self):
700 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
702 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
703 self.BRIDGED, self.IS_IP4, 9)
705 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
706 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
709 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
710 self.BRIDGED, self.IS_IP4, 9)
712 def test_acl_bridged_ip4_exactMAC_wildIP(self):
713 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
716 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
717 self.BRIDGED, self.IS_IP4, 9)
719 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
720 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
723 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
724 self.BRIDGED, self.IS_IP4, 3)
726 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
727 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
730 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
731 self.BRIDGED, self.IS_IP4, 9)
733 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
734 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
737 self.run_traffic(self.OUI_MAC, self.WILD_IP,
738 self.BRIDGED, self.IS_IP4, 9)
740 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
741 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
744 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
745 self.BRIDGED, self.IS_IP4, 9)
747 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
748 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
751 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
752 self.BRIDGED, self.IS_IP4, 9)
754 def test_acl_bridged_ip4_wildMAC_wildIP(self):
755 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
758 self.run_traffic(self.WILD_MAC, self.WILD_IP,
759 self.BRIDGED, self.IS_IP4, 9)
761 def test_acl_routed_ip4_exactMAC_exactIP(self):
762 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
764 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
765 self.ROUTED, self.IS_IP4, 9)
767 def test_acl_routed_ip4_exactMAC_subnetIP(self):
768 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
770 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
771 self.ROUTED, self.IS_IP4, 9)
773 def test_acl_routed_ip4_exactMAC_wildIP(self):
774 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
776 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
777 self.ROUTED, self.IS_IP4, 9)
779 def test_acl_routed_ip4_ouiMAC_exactIP(self):
780 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
783 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
784 self.ROUTED, self.IS_IP4, 9)
786 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
787 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
790 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
791 self.ROUTED, self.IS_IP4, 9)
793 def test_acl_routed_ip4_ouiMAC_wildIP(self):
794 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
797 self.run_traffic(self.OUI_MAC, self.WILD_IP,
798 self.ROUTED, self.IS_IP4, 9)
800 def test_acl_routed_ip4_wildMAC_exactIP(self):
801 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
804 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
805 self.ROUTED, self.IS_IP4, 9)
807 def test_acl_routed_ip4_wildMAC_subnetIP(self):
808 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
811 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
812 self.ROUTED, self.IS_IP4, 9)
814 def test_acl_routed_ip4_wildMAC_wildIP(self):
815 """ IP4 MACIP wildcardMAC|wildIP ACL
818 self.run_traffic(self.WILD_MAC, self.WILD_IP,
819 self.ROUTED, self.IS_IP4, 9)
821 def test_acl_replace_traffic_ip4(self):
822 """ MACIP replace ACL with IP4 traffic
824 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
825 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
826 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
827 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
830 class TestMACIP_IP6(MethodHolder):
831 """MACIP with IP6 traffic"""
833 def test_acl_bridged_ip6_exactMAC_exactIP(self):
834 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
837 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
838 self.BRIDGED, self.IS_IP6, 9)
840 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
841 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
844 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
845 self.BRIDGED, self.IS_IP6, 9)
847 def test_acl_bridged_ip6_exactMAC_wildIP(self):
848 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
851 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
852 self.BRIDGED, self.IS_IP6, 9)
854 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
855 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
858 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
859 self.BRIDGED, self.IS_IP6, 9)
861 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
862 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
865 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
866 self.BRIDGED, self.IS_IP6, 9)
868 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
869 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
872 self.run_traffic(self.OUI_MAC, self.WILD_IP,
873 self.BRIDGED, self.IS_IP6, 9)
875 def test_acl_bridged_ip6_wildMAC_exactIP(self):
876 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
879 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
880 self.BRIDGED, self.IS_IP6, 9)
882 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
883 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
886 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
887 self.BRIDGED, self.IS_IP6, 9)
889 def test_acl_bridged_ip6_wildMAC_wildIP(self):
890 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
893 self.run_traffic(self.WILD_MAC, self.WILD_IP,
894 self.BRIDGED, self.IS_IP6, 9)
896 def test_acl_routed_ip6_exactMAC_exactIP(self):
897 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
900 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
901 self.ROUTED, self.IS_IP6, 9)
903 def test_acl_routed_ip6_exactMAC_subnetIP(self):
904 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
907 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
908 self.ROUTED, self.IS_IP6, 9)
910 def test_acl_routed_ip6_exactMAC_wildIP(self):
911 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
914 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
915 self.ROUTED, self.IS_IP6, 9)
917 def test_acl_routed_ip6_ouiMAC_exactIP(self):
918 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
921 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
922 self.ROUTED, self.IS_IP6, 9)
924 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
925 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
928 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
929 self.ROUTED, self.IS_IP6, 9)
931 def test_acl_routed_ip6_ouiMAC_wildIP(self):
932 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
935 self.run_traffic(self.OUI_MAC, self.WILD_IP,
936 self.ROUTED, self.IS_IP6, 9)
938 def test_acl_routed_ip6_wildMAC_exactIP(self):
939 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
942 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
943 self.ROUTED, self.IS_IP6, 9)
945 def test_acl_routed_ip6_wildMAC_subnetIP(self):
946 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
949 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
950 self.ROUTED, self.IS_IP6, 9)
952 def test_acl_routed_ip6_wildMAC_wildIP(self):
953 """ IP6 MACIP wildcardMAC|wildIP ACL
956 self.run_traffic(self.WILD_MAC, self.WILD_IP,
957 self.ROUTED, self.IS_IP6, 9)
959 def test_acl_replace_traffic_ip6(self):
960 """ MACIP replace ACL with IP6 traffic
962 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
963 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
964 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
965 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
968 class TestMACIP(MethodHolder):
971 def test_acl_1_2(self):
972 """ MACIP ACL with 2 entries
975 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
977 def test_acl_1_5(self):
978 """ MACIP ACL with 5 entries
981 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
983 def test_acl_1_10(self):
984 """ MACIP ACL with 10 entries
987 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
989 def test_acl_1_20(self):
990 """ MACIP ACL with 20 entries
993 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
995 def test_acl_1_50(self):
996 """ MACIP ACL with 50 entries
999 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1001 def test_acl_1_100(self):
1002 """ MACIP ACL with 100 entries
1005 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1007 def test_acl_2_X(self):
1008 """ MACIP 2 ACLs each with 100+ entries
1011 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1013 def test_acl_10_X(self):
1014 """ MACIP 10 ACLs each with 100+ entries
1017 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1018 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1020 def test_acl_10_X_traffic_ip4(self):
1021 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1024 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1025 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1026 self.BRIDGED, self.IS_IP4)
1028 def test_acl_10_X_traffic_ip6(self):
1029 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1032 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1033 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1034 self.BRIDGED, self.IS_IP6)
1036 def test_acl_replace(self):
1037 """ MACIP replace ACL
1040 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1041 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
1042 self.apply_macip_rules(r1)
1044 acls_before = self.macip_acl_dump_debug()
1046 # replace acls #2, #3 with new
1047 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1048 self.assertEqual(reply.retval, 0)
1049 self.assertEqual(reply.acl_index, 2)
1050 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1051 self.assertEqual(reply.retval, 0)
1052 self.assertEqual(reply.acl_index, 3)
1054 acls_after = self.macip_acl_dump_debug()
1057 self.assertEqual(len(acls_before), len(acls_after))
1058 for acl1, acl2 in zip(
1059 acls_before[:2]+acls_before[4:],
1060 acls_after[:2]+acls_after[4:]):
1061 self.assertEqual(len(acl1), len(acl2))
1063 self.assertEqual(len(acl1.r), len(acl2.r))
1064 for r1, r2 in zip(acl1.r, acl2.r):
1065 self.assertEqual(len(acl1.r), len(acl2.r))
1066 self.assertEqual(acl1.r, acl2.r)
1067 for acl1, acl2 in zip(
1070 self.assertEqual(len(acl1), len(acl2))
1072 self.assertNotEqual(len(acl1.r), len(acl2.r))
1073 for r1, r2 in zip(acl1.r, acl2.r):
1074 self.assertNotEqual(len(acl1.r), len(acl2.r))
1075 self.assertNotEqual(acl1.r, acl2.r)
1077 def test_delete_intf(self):
1078 """ MACIP ACL delete intf with acl
1081 intf_count = len(self.interfaces)+1
1083 self.apply_macip_rules(self.create_rules(acl_count=3,
1084 rules_count=[3, 5, 4]))
1086 intf.append(VppLoInterface(self, 0))
1087 intf.append(VppLoInterface(self, 1))
1089 sw_if_index0 = intf[0].sw_if_index
1090 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1092 reply = self.vapi.macip_acl_interface_get()
1093 self.assertEqual(reply.count, intf_count+1)
1094 self.assertEqual(reply.acls[sw_if_index0], 1)
1096 sw_if_index1 = intf[1].sw_if_index
1097 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1099 reply = self.vapi.macip_acl_interface_get()
1100 self.assertEqual(reply.count, intf_count+2)
1101 self.assertEqual(reply.acls[sw_if_index1], 0)
1103 intf[0].remove_vpp_config()
1104 reply = self.vapi.macip_acl_interface_get()
1105 self.assertEqual(reply.count, intf_count+2)
1106 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1107 self.assertEqual(reply.acls[sw_if_index1], 0)
1109 intf.append(VppLoInterface(self, 2))
1110 intf.append(VppLoInterface(self, 3))
1111 sw_if_index2 = intf[2].sw_if_index
1112 sw_if_index3 = intf[3].sw_if_index
1113 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1114 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1116 reply = self.vapi.macip_acl_interface_get()
1117 self.assertEqual(reply.count, intf_count+3)
1118 self.assertEqual(reply.acls[sw_if_index1], 0)
1119 self.assertEqual(reply.acls[sw_if_index2], 1)
1120 self.assertEqual(reply.acls[sw_if_index3], 1)
1122 intf[2].remove_vpp_config()
1123 intf[1].remove_vpp_config()
1125 reply = self.vapi.macip_acl_interface_get()
1126 self.assertEqual(reply.count, intf_count+3)
1127 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1128 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1129 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1130 self.assertEqual(reply.acls[sw_if_index3], 1)
1132 intf[3].remove_vpp_config()
1133 reply = self.vapi.macip_acl_interface_get()
1135 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1138 class TestACL_dot1q_bridged(MethodHolder):
1139 """ACL on dot1q bridged subinterfaces Tests"""
1141 def test_acl_bridged_ip4_subif_dot1q(self):
1142 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1143 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1144 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1146 def test_acl_bridged_ip6_subif_dot1q(self):
1147 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1148 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1149 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1152 class TestACL_dot1ad_bridged(MethodHolder):
1153 """ACL on dot1ad bridged subinterfaces Tests"""
1155 def test_acl_bridged_ip4_subif_dot1ad(self):
1156 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1157 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1158 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1160 def test_acl_bridged_ip6_subif_dot1ad(self):
1161 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1162 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1163 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1166 class TestACL_dot1q_routed(MethodHolder):
1167 """ACL on dot1q routed subinterfaces Tests"""
1169 def test_acl_routed_ip4_subif_dot1q(self):
1170 """ IP4 ACL SubIf Dot1Q routed traffic"""
1171 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1172 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1174 def test_acl_routed_ip6_subif_dot1q(self):
1175 """ IP6 ACL SubIf Dot1Q routed traffic"""
1176 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1177 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1179 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1180 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1181 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1182 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1183 permit_tags=self.DENY_TAGS)
1185 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1186 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1187 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1188 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1189 permit_tags=self.DENY_TAGS)
1192 class TestACL_dot1ad_routed(MethodHolder):
1193 """ACL on dot1ad routed subinterfaces Tests"""
1195 def test_acl_routed_ip6_subif_dot1ad(self):
1196 """ IP6 ACL SubIf Dot1AD routed traffic"""
1197 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1198 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1200 def test_acl_routed_ip4_subif_dot1ad(self):
1201 """ IP4 ACL SubIf Dot1AD routed traffic"""
1202 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1203 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1205 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1206 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1207 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1208 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1209 permit_tags=self.DENY_TAGS)
1211 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1212 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1213 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1214 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1215 permit_tags=self.DENY_TAGS)
1218 if __name__ == '__main__':
1219 unittest.main(testRunner=VppTestRunner)