2 """ACL plugin - MACIP tests
8 from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
10 from scapy.packet import Raw
11 from scapy.layers.l2 import Ether
12 from scapy.layers.inet import IP, UDP
13 from scapy.layers.inet6 import IPv6
15 from framework import VppTestCase, VppTestRunner, running_extended_tests
16 from vpp_lo_interface import VppLoInterface
17 from vpp_papi_provider import L2_VTR_OP
18 from vpp_sub_interface import VppSubInterface, VppDot1QSubint, VppDot1ADSubint
21 class MethodHolder(VppTestCase):
53 Perform standard class setup (defined by class method setUpClass in
54 class VppTestCase) before running the test case, set test case related
55 variables and configure VPP.
57 super(MethodHolder, cls).setUpClass()
59 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
61 cls.remote_hosts_count = 200
64 # create 4 pg interfaces, 1 loopback interface
65 cls.create_pg_interfaces(range(4))
66 cls.create_loopback_interfaces(range(1))
68 # create 2 subinterfaces
70 VppDot1QSubint(cls, cls.pg1, 10),
71 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
72 VppDot1QSubint(cls, cls.pg3, 30),
73 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
75 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
77 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
78 outer=300, inner=400, push1q=1)
79 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
81 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
82 outer=600, inner=700, push1q=1)
84 cls.interfaces = list(cls.pg_interfaces)
85 cls.interfaces.extend(cls.lo_interfaces)
86 cls.interfaces.extend(cls.subifs)
88 for i in cls.interfaces:
91 # Create BD with MAC learning enabled and put interfaces to this BD
92 cls.vapi.sw_interface_set_l2_bridge(
93 cls.loop0.sw_if_index, bd_id=cls.bd_id, bvi=1)
94 cls.vapi.sw_interface_set_l2_bridge(
95 cls.pg0.sw_if_index, bd_id=cls.bd_id)
96 cls.vapi.sw_interface_set_l2_bridge(
97 cls.pg1.sw_if_index, bd_id=cls.bd_id)
98 cls.vapi.sw_interface_set_l2_bridge(
99 cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
100 cls.vapi.sw_interface_set_l2_bridge(
101 cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
103 # Configure IPv4/6 addresses on loop interface and routed interface
104 cls.loop0.config_ip4()
105 cls.loop0.config_ip6()
111 # Configure MAC address binding to IPv4 neighbors on loop0
112 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
113 # Modify host mac addresses to have different OUI parts
114 for i in range(2, cls.remote_hosts_count + 2):
115 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
116 mac[2] = format(int(mac[2], 16) + i, "02x")
117 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
119 cls.loop0.configure_ipv4_neighbors()
120 cls.loop0.configure_ipv6_neighbors()
122 # configure MAC address on pg3
123 cls.pg3.resolve_arp()
124 cls.pg3.resolve_ndp()
126 # configure MAC address on subifs
132 # configure MAC address on pg2
133 cls.pg2.resolve_arp()
134 cls.pg2.resolve_ndp()
136 # Loopback BVI interface has remote hosts
137 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
138 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
139 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
140 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
141 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
142 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
145 super(TestMACIP, cls).tearDownClass()
149 super(MethodHolder, self).setUp()
150 self.reset_packet_infos()
155 Show various debug prints after each test.
157 super(MethodHolder, self).tearDown()
158 if not self.vpp_dead:
159 self.logger.info(self.vapi.ppcli("show interface address"))
160 self.logger.info(self.vapi.ppcli("show hardware"))
161 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
162 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
163 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
164 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
165 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
166 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
167 # print self.vapi.ppcli("show interface address")
168 # print self.vapi.ppcli("show hardware")
169 # print self.vapi.ppcli("sh acl-plugin macip interface")
170 # print self.vapi.ppcli("sh acl-plugin macip acl")
173 def macip_acl_dump_debug(self):
174 acls = self.vapi.macip_acl_dump()
177 print "ACL #"+str(acl.acl_index)
182 elif r.is_permit == 0:
184 print " IP6" if r.is_ipv6 else " IP4", \
186 r.src_mac.encode('hex'), \
187 r.src_mac_mask.encode('hex'),\
188 unpack('<16B', r.src_ip_addr), \
192 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
193 acl_count=1, rules_count=[1]):
195 src_mac = int("220000dead00", 16)
196 for acl in range(2, (acl_count+1) * 2):
198 host = random.choice(self.loop0.remote_hosts)
200 ip4 = host.ip4.split('.')
201 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
203 if ip_type == self.EXACT_IP:
206 elif ip_type == self.WILD_IP:
208 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
211 rules_count[(acl / 2) - 1] = 1
216 if mac_type == self.EXACT_MAC:
217 mask = "ff:ff:ff:ff:ff:ff"
218 elif mac_type == self.WILD_MAC:
219 mask = "00:00:00:00:00:00"
220 elif mac_type == self.OUI_MAC:
221 mask = "ff:ff:ff:00:00:00"
223 mask = "ff:ff:ff:ff:ff:00"
225 ip = ip6 if is_ip6 else ip4
226 ip_len = prefix_len6 if is_ip6 else prefix_len4
228 for i in range(0, rules_count[(acl / 2) - 1]):
230 if mac_type == self.WILD_MAC:
231 mac = "00:00:00:00:00:00"
232 elif mac_type == self.OUI_MAC:
233 mac = ':'.join(re.findall('..', '{:02x}'.format(
234 src_mac))[:3])+":00:00:00"
236 mac = ':'.join(re.findall('..', '{:02x}'.format(src_mac)))
238 if ip_type == self.EXACT_IP:
239 ip4[3] = random.randint(100, 200)
240 ip6[15] = random.randint(100, 200)
241 elif ip_type == self.SUBNET_IP:
242 ip4[2] = random.randint(100, 200)
244 ip6[8] = random.randint(100, 200)
247 for j in range(0, len(ip)):
248 ip_pack += pack('<B', int(ip[j]))
250 rule = ({'is_permit': self.PERMIT,
252 'src_ip_addr': ip_pack,
253 'src_ip_prefix_len': ip_len,
254 'src_mac': mac.replace(':', '').decode('hex'),
255 'src_mac_mask': mask.replace(':', '').decode('hex')})
257 if ip_type == self.WILD_IP:
261 src_mac += 1099511627776
264 def apply_macip_rules(self, acls):
266 reply = self.vapi.macip_acl_add(acl)
267 self.assertEqual(reply.retval, 0)
268 self.ACLS.append(reply.acl_index)
270 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
271 reply = self.macip_acl_dump_debug()
272 for acl in range(2, (acl_count+1) * 2):
273 self.assertEqual(reply[acl - 2].count, rules_count[acl/2-1])
275 self.vapi.macip_acl_interface_get()
277 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
278 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
280 reply = self.vapi.macip_acl_interface_get()
281 self.assertEqual(reply.count, expected_count)
283 def delete_acls(self):
284 for acl in range(len(self.ACLS)-1, -1, -1):
285 self.vapi.macip_acl_del(self.ACLS[acl])
287 reply = self.vapi.macip_acl_dump()
288 self.assertEqual(len(reply), 0)
290 intf_acls = self.vapi.ppcli("sh acl-plugin interface").split(
292 for i_a in intf_acls:
295 sw_if_index = int(ia[0])
296 acl_index = int(ia[2])
297 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
298 self.vapi.acl_del(acl_index)
300 def create_stream(self, mac_type, ip_type, packet_count,
301 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
302 # exact MAC and exact IP
303 # exact MAC and subnet of IPs
304 # exact MAC and wildcard IP
305 # wildcard MAC and exact IP
306 # wildcard MAC and subnet of IPs
307 # wildcard MAC and wildcard IP
308 # OUI restricted MAC and exact IP
309 # OUI restricted MAC and subnet of IPs
310 # OUI restricted MAC and wildcard IP
318 mac_rule = "00:00:00:00:00:00"
319 mac_mask = "00:00:00:00:00:00"
320 for p in range(0, packet_count):
321 remote_dst_index = p % len(dst_if.remote_hosts)
322 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
326 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
327 denyMAC = True if not is_permit and p % 3 == 1 else False
328 denyIP = True if not is_permit and p % 3 == 2 else False
329 if not is_permit and ip_type == self.WILD_IP:
331 if not is_permit and mac_type == self.WILD_MAC:
334 if traffic == self.BRIDGED:
336 src_mac = remote_dst_host._mac
337 dst_mac = 'de:ad:00:00:00:00'
338 src_ip4 = remote_dst_host.ip4
339 dst_ip4 = src_if.remote_ip4
340 src_ip6 = remote_dst_host.ip6
341 dst_ip6 = src_if.remote_ip6
342 ip_permit = src_ip6 if is_ip6 else src_ip4
345 mac = src_mac.split(':')
346 mac[0] = format(int(mac[0], 16)+1, "02x")
347 src_mac = ":".join(mac)
353 if ip_type != self.WILD_IP:
355 src_ip4 = remote_dst_host.ip4
356 dst_ip4 = src_if.remote_ip4
357 src_ip6 = remote_dst_host.ip6
358 dst_ip6 = src_if.remote_ip6
361 src_mac = remote_dst_host._mac
362 dst_mac = src_if.local_mac
363 src_ip4 = src_if.remote_ip4
364 dst_ip4 = remote_dst_host.ip4
365 src_ip6 = src_if.remote_ip6
366 dst_ip6 = remote_dst_host.ip6
367 ip_permit = src_ip6 if is_ip6 else src_ip4
370 mac = src_mac.split(':')
371 mac[0] = format(int(mac[0], 16) + 1, "02x")
372 src_mac = ":".join(mac)
378 src_mac = remote_dst_host._mac
379 if ip_type != self.WILD_IP:
381 src_ip4 = remote_dst_host.ip4
382 dst_ip4 = src_if.remote_ip4
383 src_ip6 = remote_dst_host.ip6
384 dst_ip6 = src_if.remote_ip6
387 info = self.create_packet_info(src_if, dst_if)
388 payload = self.info_to_payload(info)
390 payload = "to be blocked"
392 if mac_type == self.WILD_MAC:
393 mac = src_mac.split(':')
394 for i in range(1, 5):
395 mac[i] = format(random.randint(0, 255), "02x")
396 src_mac = ":".join(mac)
399 packet = Ether(src=src_mac, dst=dst_mac)
400 ip_rule = src_ip6 if is_ip6 else src_ip4
402 if ip_type != self.EXACT_IP:
403 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
404 if ip_type == self.WILD_IP:
405 sub_ip[0] = random.randint(240, 254)
406 sub_ip[1] = random.randint(230, 239)
407 sub_ip[14] = random.randint(100, 199)
408 sub_ip[15] = random.randint(200, 255)
409 elif ip_type == self.SUBNET_IP:
411 sub_ip[2] = str(int(sub_ip[2]) + 1)
412 sub_ip[14] = random.randint(100, 199)
413 sub_ip[15] = random.randint(200, 255)
414 src_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
415 packet /= IPv6(src=src_ip6, dst=dst_ip6)
417 if ip_type != self.EXACT_IP:
418 sub_ip = ip_rule.split('.')
419 if ip_type == self.WILD_IP:
420 sub_ip[0] = str(random.randint(1, 49))
421 sub_ip[1] = str(random.randint(50, 99))
422 sub_ip[2] = str(random.randint(100, 199))
423 sub_ip[3] = str(random.randint(200, 255))
424 elif ip_type == self.SUBNET_IP:
426 sub_ip[1] = str(int(sub_ip[1])+1)
427 sub_ip[2] = str(random.randint(100, 199))
428 sub_ip[3] = str(random.randint(200, 255))
429 src_ip4 = ".".join(sub_ip)
430 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
432 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
434 packet[Raw].load += " mac:"+src_mac
436 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
437 if isinstance(src_if, VppSubInterface):
439 if isinstance(src_if, VppDot1QSubint):
440 if src_if is self.subifs[0]:
441 if tags == self.PERMIT_TAGS:
442 packet = src_if.add_dot1q_layer(packet, 10)
444 packet = src_if.add_dot1q_layer(packet, 11)
446 if tags == self.PERMIT_TAGS:
447 packet = src_if.add_dot1q_layer(packet, 30)
449 packet = src_if.add_dot1q_layer(packet, 33)
450 elif isinstance(src_if, VppDot1ADSubint):
451 if src_if is self.subifs[1]:
452 if tags == self.PERMIT_TAGS:
453 packet = src_if.add_dot1ad_layer(packet, 300, 400)
455 packet = src_if.add_dot1ad_layer(packet, 333, 444)
457 if tags == self.PERMIT_TAGS:
458 packet = src_if.add_dot1ad_layer(packet, 600, 700)
460 packet = src_if.add_dot1ad_layer(packet, 666, 777)
461 self.extend_packet(packet, size)
462 packets.append(packet)
464 # create suitable MACIP rule
465 if mac_type == self.EXACT_MAC:
467 mac_mask = "ff:ff:ff:ff:ff:ff"
468 elif mac_type == self.WILD_MAC:
469 mac_rule = "00:00:00:00:00:00"
470 mac_mask = "00:00:00:00:00:00"
471 elif mac_type == self.OUI_MAC:
472 mac = src_mac.split(':')
473 mac[3] = mac[4] = mac[5] = '00'
474 mac_rule = ":".join(mac)
475 mac_mask = "ff:ff:ff:00:00:00"
478 if ip_type == self.WILD_IP:
482 if ip_type == self.SUBNET_IP:
483 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
484 for i in range(8, 16):
486 ip = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
488 if ip_type == self.WILD_IP:
492 if ip_type == self.SUBNET_IP:
493 sub_ip = ip.split('.')
494 sub_ip[2] = sub_ip[3] = '0'
495 ip = ".".join(sub_ip)
497 prefix_len = 128 if is_ip6 else 32
498 if ip_type == self.WILD_IP:
500 elif ip_type == self.SUBNET_IP:
501 prefix_len = 64 if is_ip6 else 16
502 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
504 # create suitable ACL rule
506 rule_l4_sport = packet[UDP].sport
507 rule_l4_dport = packet[UDP].dport
508 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
509 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
510 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
511 if packet.haslayer(IPv6):
512 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
514 rule_l4_proto = packet[IP].proto
517 'is_permit': is_permit,
519 'src_ip_addr': inet_pton(rule_family,
520 packet[rule_l3_layer].src),
521 'src_ip_prefix_len': rule_prefix_len,
522 'dst_ip_addr': inet_pton(rule_family,
523 packet[rule_l3_layer].dst),
524 'dst_ip_prefix_len': rule_prefix_len,
525 'srcport_or_icmptype_first': rule_l4_sport,
526 'srcport_or_icmptype_last': rule_l4_sport,
527 'dstport_or_icmpcode_first': rule_l4_dport,
528 'dstport_or_icmpcode_last': rule_l4_dport,
529 'proto': rule_l4_proto}
530 acl_rules.append(acl_rule)
532 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
537 'is_permit': is_permit,
539 'src_ip_addr': ip_rule,
540 'src_ip_prefix_len': prefix_len,
541 'src_mac': mac_rule.replace(':', '').decode('hex'),
542 'src_mac_mask': mac_mask.replace(':', '').decode('hex')})
543 macip_rules.append(macip_rule)
545 # deny all other packets
546 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
547 macip_rule = ({'is_permit': 0,
550 'src_ip_prefix_len': 0,
553 macip_rules.append(macip_rule)
555 acl_rule = {'is_permit': 0,
557 acl_rules.append(acl_rule)
558 return {'stream': packets,
559 'macip_rules': macip_rules,
560 'acl_rules': acl_rules}
562 def verify_capture(self, stream, capture, is_ip6):
569 # p_l3 = IPv6 if is_ip6 else IP
572 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
574 # acls = self.macip_acl_dump_debug()
579 # print r.src_mac.encode('hex'), \
580 # r.src_mac_mask.encode('hex'),\
581 # unpack('<16B', r.src_ip_addr), \
582 # r.src_ip_prefix_len
585 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
586 # data = p[Raw].load.split(':',1)[1]
587 # print p[p_l3].src, data
589 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
590 do_not_expected_capture=False, tags=None,
591 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS):
592 self.reset_packet_infos()
595 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
596 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
600 if tags == self.DOT1Q:
601 if traffic == self.BRIDGED:
602 tx_if = self.subifs[0]
604 src_if = self.subifs[0]
607 tx_if = self.subifs[2]
609 src_if = self.subifs[2]
611 elif tags == self.DOT1AD:
612 if traffic == self.BRIDGED:
613 tx_if = self.subifs[1]
615 src_if = self.subifs[1]
618 tx_if = self.subifs[3]
620 src_if = self.subifs[3]
625 test_dict = self.create_stream(mac_type, ip_type, packets,
632 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
634 reply = self.vapi.acl_add_replace(acl_index=4294967295,
635 r=test_dict['acl_rules'])
636 self.assertEqual(reply.retval, 0)
637 acl_index = reply.acl_index
640 self.vapi.macip_acl_interface_add_del(
641 sw_if_index=tx_if.sw_if_index,
643 reply = self.vapi.macip_acl_interface_get()
644 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
645 self.ACLS.append(reply.acls[tx_if.sw_if_index])
647 self.vapi.acl_interface_add_del(
648 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
650 self.vapi.macip_acl_interface_add_del(
651 sw_if_index=tx_if.sw_if_index,
654 if not isinstance(src_if, VppSubInterface):
655 tx_if.add_stream(test_dict['stream'])
657 tx_if.parent.add_stream(test_dict['stream'])
658 self.pg_enable_capture(self.pg_interfaces)
661 if do_not_expected_capture:
664 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
665 ip_type == self.WILD_IP:
666 capture = rx_if.get_capture(packets)
668 capture = rx_if.get_capture(
669 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
670 self.verify_capture(test_dict['stream'], capture, is_ip6)
672 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
673 acl_index=acl_index, is_add=0)
674 self.vapi.acl_del(acl_index)
676 def run_test_acls(self, mac_type, ip_type, acl_count,
677 rules_count, traffic=None, ip=None):
678 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
680 self.verify_macip_acls(acl_count, rules_count)
682 if traffic is not None:
683 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
686 class TestMACIP_IP4(MethodHolder):
687 """MACIP with IP4 traffic"""
689 def test_acl_bridged_ip4_exactMAC_exactIP(self):
690 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
692 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
693 self.BRIDGED, self.IS_IP4, 9)
695 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
696 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
699 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
700 self.BRIDGED, self.IS_IP4, 9)
702 def test_acl_bridged_ip4_exactMAC_wildIP(self):
703 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
706 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
707 self.BRIDGED, self.IS_IP4, 9)
709 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
710 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
713 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
714 self.BRIDGED, self.IS_IP4, 3)
716 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
717 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
720 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
721 self.BRIDGED, self.IS_IP4, 9)
723 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
724 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
727 self.run_traffic(self.OUI_MAC, self.WILD_IP,
728 self.BRIDGED, self.IS_IP4, 9)
730 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
731 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
734 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
735 self.BRIDGED, self.IS_IP4, 9)
737 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
738 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
741 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
742 self.BRIDGED, self.IS_IP4, 9)
744 def test_acl_bridged_ip4_wildMAC_wildIP(self):
745 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
748 self.run_traffic(self.WILD_MAC, self.WILD_IP,
749 self.BRIDGED, self.IS_IP4, 9)
751 def test_acl_routed_ip4_exactMAC_exactIP(self):
752 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
754 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
755 self.ROUTED, self.IS_IP4, 9)
757 def test_acl_routed_ip4_exactMAC_subnetIP(self):
758 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
760 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
761 self.ROUTED, self.IS_IP4, 9)
763 def test_acl_routed_ip4_exactMAC_wildIP(self):
764 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
766 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
767 self.ROUTED, self.IS_IP4, 9)
769 def test_acl_routed_ip4_ouiMAC_exactIP(self):
770 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
773 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
774 self.ROUTED, self.IS_IP4, 9)
776 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
777 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
780 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
781 self.ROUTED, self.IS_IP4, 9)
783 def test_acl_routed_ip4_ouiMAC_wildIP(self):
784 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
787 self.run_traffic(self.OUI_MAC, self.WILD_IP,
788 self.ROUTED, self.IS_IP4, 9)
790 def test_acl_routed_ip4_wildMAC_exactIP(self):
791 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
794 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
795 self.ROUTED, self.IS_IP4, 9)
797 def test_acl_routed_ip4_wildMAC_subnetIP(self):
798 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
801 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
802 self.ROUTED, self.IS_IP4, 9)
804 def test_acl_routed_ip4_wildMAC_wildIP(self):
805 """ IP4 MACIP wildcardMAC|wildIP ACL
808 self.run_traffic(self.WILD_MAC, self.WILD_IP,
809 self.ROUTED, self.IS_IP4, 9)
811 def test_acl_replace_traffic_ip4(self):
812 """ MACIP replace ACL with IP4 traffic
814 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
815 self.BRIDGED, self.IS_IP4, 9)
817 r = self.create_rules()
818 # replace acls #2, #3 with new
819 reply = self.vapi.macip_acl_add_replace(r[0], 0)
820 self.assertEqual(reply.retval, 0)
821 self.assertEqual(reply.acl_index, 0)
823 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
824 self.BRIDGED, self.IS_IP4, 9, True)
827 class TestMACIP_IP6(MethodHolder):
828 """MACIP with IP6 traffic"""
830 def test_acl_bridged_ip6_exactMAC_exactIP(self):
831 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
834 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
835 self.BRIDGED, self.IS_IP6, 9)
837 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
838 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
841 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
842 self.BRIDGED, self.IS_IP6, 9)
844 def test_acl_bridged_ip6_exactMAC_wildIP(self):
845 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
848 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
849 self.BRIDGED, self.IS_IP6, 9)
851 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
852 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
855 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
856 self.BRIDGED, self.IS_IP6, 9)
858 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
859 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
862 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
863 self.BRIDGED, self.IS_IP6, 9)
865 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
866 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
869 self.run_traffic(self.OUI_MAC, self.WILD_IP,
870 self.BRIDGED, self.IS_IP6, 9)
872 def test_acl_bridged_ip6_wildMAC_exactIP(self):
873 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
876 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
877 self.BRIDGED, self.IS_IP6, 9)
879 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
880 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
883 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
884 self.BRIDGED, self.IS_IP6, 9)
886 def test_acl_bridged_ip6_wildMAC_wildIP(self):
887 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
890 self.run_traffic(self.WILD_MAC, self.WILD_IP,
891 self.BRIDGED, self.IS_IP6, 9)
893 def test_acl_routed_ip6_exactMAC_exactIP(self):
894 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
897 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
898 self.ROUTED, self.IS_IP6, 9)
900 def test_acl_routed_ip6_exactMAC_subnetIP(self):
901 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
904 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
905 self.ROUTED, self.IS_IP6, 9)
907 def test_acl_routed_ip6_exactMAC_wildIP(self):
908 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
911 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
912 self.ROUTED, self.IS_IP6, 9)
914 def test_acl_routed_ip6_ouiMAC_exactIP(self):
915 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
918 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
919 self.ROUTED, self.IS_IP6, 9)
921 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
922 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
925 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
926 self.ROUTED, self.IS_IP6, 9)
928 def test_acl_routed_ip6_ouiMAC_wildIP(self):
929 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
932 self.run_traffic(self.OUI_MAC, self.WILD_IP,
933 self.ROUTED, self.IS_IP6, 9)
935 def test_acl_routed_ip6_wildMAC_exactIP(self):
936 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
939 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
940 self.ROUTED, self.IS_IP6, 9)
942 def test_acl_routed_ip6_wildMAC_subnetIP(self):
943 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
946 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
947 self.ROUTED, self.IS_IP6, 9)
949 def test_acl_routed_ip6_wildMAC_wildIP(self):
950 """ IP6 MACIP wildcardMAC|wildIP ACL
953 self.run_traffic(self.WILD_MAC, self.WILD_IP,
954 self.ROUTED, self.IS_IP6, 9)
956 def test_acl_replace_traffic_ip6(self):
957 """ MACIP replace ACL with IP6 traffic
959 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
960 self.BRIDGED, self.IS_IP6, 9)
962 r = self.create_rules()
963 # replace acls #2, #3 with new
964 reply = self.vapi.macip_acl_add_replace(r[0], 0)
965 self.assertEqual(reply.retval, 0)
966 self.assertEqual(reply.acl_index, 0)
968 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
969 self.BRIDGED, self.IS_IP6, 9, True)
972 class TestMACIP(MethodHolder):
975 def test_acl_1_2(self):
976 """ MACIP ACL with 2 entries
979 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
981 def test_acl_1_5(self):
982 """ MACIP ACL with 5 entries
985 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
987 def test_acl_1_10(self):
988 """ MACIP ACL with 10 entries
991 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
993 def test_acl_1_20(self):
994 """ MACIP ACL with 20 entries
997 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
999 def test_acl_1_50(self):
1000 """ MACIP ACL with 50 entries
1003 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1005 def test_acl_1_100(self):
1006 """ MACIP ACL with 100 entries
1009 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1011 def test_acl_2_X(self):
1012 """ MACIP 2 ACLs each with 100+ entries
1015 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1017 def test_acl_10_X(self):
1018 """ MACIP 10 ACLs each with 100+ entries
1021 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1022 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1024 def test_acl_10_X_traffic_ip4(self):
1025 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1028 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1029 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1030 self.BRIDGED, self.IS_IP4)
1032 def test_acl_10_X_traffic_ip6(self):
1033 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1036 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1037 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1038 self.BRIDGED, self.IS_IP6)
1040 def test_acl_replace(self):
1041 """ MACIP replace ACL
1044 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1045 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
1046 self.apply_macip_rules(r1)
1048 acls_before = self.macip_acl_dump_debug()
1050 # replace acls #2, #3 with new
1051 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1052 self.assertEqual(reply.retval, 0)
1053 self.assertEqual(reply.acl_index, 2)
1054 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1055 self.assertEqual(reply.retval, 0)
1056 self.assertEqual(reply.acl_index, 3)
1058 acls_after = self.macip_acl_dump_debug()
1061 self.assertEqual(len(acls_before), len(acls_after))
1062 for acl1, acl2 in zip(
1063 acls_before[:2]+acls_before[4:],
1064 acls_after[:2]+acls_after[4:]):
1065 self.assertEqual(len(acl1), len(acl2))
1067 self.assertEqual(len(acl1.r), len(acl2.r))
1068 for r1, r2 in zip(acl1.r, acl2.r):
1069 self.assertEqual(len(acl1.r), len(acl2.r))
1070 self.assertEqual(acl1.r, acl2.r)
1071 for acl1, acl2 in zip(
1074 self.assertEqual(len(acl1), len(acl2))
1076 self.assertNotEqual(len(acl1.r), len(acl2.r))
1077 for r1, r2 in zip(acl1.r, acl2.r):
1078 self.assertNotEqual(len(acl1.r), len(acl2.r))
1079 self.assertNotEqual(acl1.r, acl2.r)
1081 def test_delete_intf(self):
1082 """ MACIP ACL delete intf with acl
1085 intf_count = len(self.interfaces)+1
1087 self.apply_macip_rules(self.create_rules(acl_count=3,
1088 rules_count=[3, 5, 4]))
1090 intf.append(VppLoInterface(self, 0))
1091 intf.append(VppLoInterface(self, 1))
1093 sw_if_index0 = intf[0].sw_if_index
1094 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1096 reply = self.vapi.macip_acl_interface_get()
1097 self.assertEqual(reply.count, intf_count+1)
1098 self.assertEqual(reply.acls[sw_if_index0], 1)
1100 sw_if_index1 = intf[1].sw_if_index
1101 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1103 reply = self.vapi.macip_acl_interface_get()
1104 self.assertEqual(reply.count, intf_count+2)
1105 self.assertEqual(reply.acls[sw_if_index1], 0)
1107 intf[0].remove_vpp_config()
1108 reply = self.vapi.macip_acl_interface_get()
1109 self.assertEqual(reply.count, intf_count+2)
1110 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1111 self.assertEqual(reply.acls[sw_if_index1], 0)
1113 intf.append(VppLoInterface(self, 2))
1114 intf.append(VppLoInterface(self, 3))
1115 sw_if_index2 = intf[2].sw_if_index
1116 sw_if_index3 = intf[3].sw_if_index
1117 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1118 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1120 reply = self.vapi.macip_acl_interface_get()
1121 self.assertEqual(reply.count, intf_count+3)
1122 self.assertEqual(reply.acls[sw_if_index1], 0)
1123 self.assertEqual(reply.acls[sw_if_index2], 1)
1124 self.assertEqual(reply.acls[sw_if_index3], 1)
1126 intf[2].remove_vpp_config()
1127 intf[1].remove_vpp_config()
1129 reply = self.vapi.macip_acl_interface_get()
1130 self.assertEqual(reply.count, intf_count+3)
1131 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1132 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1133 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1134 self.assertEqual(reply.acls[sw_if_index3], 1)
1136 intf[3].remove_vpp_config()
1137 reply = self.vapi.macip_acl_interface_get()
1139 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1142 class TestACL_dot1q_bridged(MethodHolder):
1143 """ACL on dot1q bridged subinterfaces Tests"""
1145 def test_acl_bridged_ip4_subif_dot1q(self):
1146 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1147 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1148 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1150 def test_acl_bridged_ip6_subif_dot1q(self):
1151 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1152 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1153 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1156 class TestACL_dot1ad_bridged(MethodHolder):
1157 """ACL on dot1ad bridged subinterfaces Tests"""
1159 def test_acl_bridged_ip4_subif_dot1ad(self):
1160 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1161 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1162 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1164 def test_acl_bridged_ip6_subif_dot1ad(self):
1165 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1166 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1167 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1170 class TestACL_dot1q_routed(MethodHolder):
1171 """ACL on dot1q routed subinterfaces Tests"""
1173 def test_acl_routed_ip4_subif_dot1q(self):
1174 """ IP4 ACL SubIf Dot1Q routed traffic"""
1175 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1176 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1178 def test_acl_routed_ip6_subif_dot1q(self):
1179 """ IP6 ACL SubIf Dot1Q routed traffic"""
1180 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1181 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1183 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1184 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1185 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1186 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1187 permit_tags=self.DENY_TAGS)
1189 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1190 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1191 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1192 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1193 permit_tags=self.DENY_TAGS)
1196 class TestACL_dot1ad_routed(MethodHolder):
1197 """ACL on dot1ad routed subinterfaces Tests"""
1199 def test_acl_routed_ip6_subif_dot1ad(self):
1200 """ IP6 ACL SubIf Dot1AD routed traffic"""
1201 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1202 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1204 def test_acl_routed_ip4_subif_dot1ad(self):
1205 """ IP4 ACL SubIf Dot1AD routed traffic"""
1206 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1207 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1209 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1210 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1211 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1212 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1213 permit_tags=self.DENY_TAGS)
1215 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1216 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1217 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1218 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1219 permit_tags=self.DENY_TAGS)
1222 if __name__ == '__main__':
1223 unittest.main(testRunner=VppTestRunner)