2 from __future__ import print_function
3 """ACL plugin - MACIP tests
7 from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
8 from struct import pack, unpack
12 from scapy.packet import Raw
13 from scapy.layers.l2 import Ether
14 from scapy.layers.inet import IP, UDP
15 from scapy.layers.inet6 import IPv6
17 from framework import VppTestCase, VppTestRunner, running_extended_tests
18 from vpp_lo_interface import VppLoInterface
19 from vpp_papi_provider import L2_VTR_OP
20 from vpp_sub_interface import VppSubInterface, VppDot1QSubint, VppDot1ADSubint
21 from vpp_papi_provider import L2_PORT_TYPE
24 class MethodHolder(VppTestCase):
56 Perform standard class setup (defined by class method setUpClass in
57 class VppTestCase) before running the test case, set test case related
58 variables and configure VPP.
60 super(MethodHolder, cls).setUpClass()
62 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
64 cls.remote_hosts_count = 200
67 # create 4 pg interfaces, 1 loopback interface
68 cls.create_pg_interfaces(range(4))
69 cls.create_loopback_interfaces(1)
71 # create 2 subinterfaces
73 VppDot1QSubint(cls, cls.pg1, 10),
74 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
75 VppDot1QSubint(cls, cls.pg3, 30),
76 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
78 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
80 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
81 outer=300, inner=400, push1q=1)
82 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
84 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
85 outer=600, inner=700, push1q=1)
87 cls.interfaces = list(cls.pg_interfaces)
88 cls.interfaces.extend(cls.lo_interfaces)
89 cls.interfaces.extend(cls.subifs)
91 for i in cls.interfaces:
94 # Create BD with MAC learning enabled and put interfaces to this BD
95 cls.vapi.sw_interface_set_l2_bridge(
96 cls.loop0.sw_if_index, bd_id=cls.bd_id,
97 port_type=L2_PORT_TYPE.BVI)
98 cls.vapi.sw_interface_set_l2_bridge(
99 cls.pg0.sw_if_index, bd_id=cls.bd_id)
100 cls.vapi.sw_interface_set_l2_bridge(
101 cls.pg1.sw_if_index, bd_id=cls.bd_id)
102 cls.vapi.sw_interface_set_l2_bridge(
103 cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
104 cls.vapi.sw_interface_set_l2_bridge(
105 cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
107 # Configure IPv4/6 addresses on loop interface and routed interface
108 cls.loop0.config_ip4()
109 cls.loop0.config_ip6()
115 # Configure MAC address binding to IPv4 neighbors on loop0
116 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
117 # Modify host mac addresses to have different OUI parts
118 for i in range(2, cls.remote_hosts_count + 2):
119 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
120 mac[2] = format(int(mac[2], 16) + i, "02x")
121 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
123 cls.loop0.configure_ipv4_neighbors()
124 cls.loop0.configure_ipv6_neighbors()
126 # configure MAC address on pg3
127 cls.pg3.resolve_arp()
128 cls.pg3.resolve_ndp()
130 # configure MAC address on subifs
136 # configure MAC address on pg2
137 cls.pg2.resolve_arp()
138 cls.pg2.resolve_ndp()
140 # Loopback BVI interface has remote hosts
141 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
142 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
143 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
144 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
145 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
146 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
149 super(MethodHolder, cls).tearDownClass()
153 super(MethodHolder, self).setUp()
154 self.reset_packet_infos()
159 Show various debug prints after each test.
161 super(MethodHolder, self).tearDown()
162 if not self.vpp_dead:
163 self.logger.info(self.vapi.ppcli("show interface address"))
164 self.logger.info(self.vapi.ppcli("show hardware"))
165 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
166 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
167 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
168 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
169 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
170 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
171 # print(self.vapi.ppcli("show interface address"))
172 # print(self.vapi.ppcli("show hardware"))
173 # print(self.vapi.ppcli("sh acl-plugin macip interface"))
174 # print(self.vapi.ppcli("sh acl-plugin macip acl"))
177 def macip_acl_dump_debug(self):
178 acls = self.vapi.macip_acl_dump()
181 print("ACL #"+str(acl.acl_index))
186 elif r.is_permit == 0:
188 print(" IP6" if r.is_ipv6 else " IP4",
190 binascii.hexlify(r.src_mac),
191 binascii.hexlify(r.src_mac_mask),
192 unpack('<16B', r.src_ip_addr),
196 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
197 acl_count=1, rules_count=[1]):
199 src_mac = int("220000dead00", 16)
200 for acl in range(2, (acl_count+1) * 2):
202 host = random.choice(self.loop0.remote_hosts)
204 ip4 = host.ip4.split('.')
205 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
207 if ip_type == self.EXACT_IP:
210 elif ip_type == self.WILD_IP:
212 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
215 rules_count[(acl / 2) - 1] = 1
220 if mac_type == self.EXACT_MAC:
221 mask = "ff:ff:ff:ff:ff:ff"
222 elif mac_type == self.WILD_MAC:
223 mask = "00:00:00:00:00:00"
224 elif mac_type == self.OUI_MAC:
225 mask = "ff:ff:ff:00:00:00"
227 mask = "ff:ff:ff:ff:ff:00"
229 ip = ip6 if is_ip6 else ip4
230 ip_len = prefix_len6 if is_ip6 else prefix_len4
232 for i in range(0, rules_count[(acl / 2) - 1]):
234 if mac_type == self.WILD_MAC:
235 mac = "00:00:00:00:00:00"
236 elif mac_type == self.OUI_MAC:
237 mac = ':'.join(re.findall('..', '{:02x}'.format(
238 src_mac))[:3])+":00:00:00"
240 mac = ':'.join(re.findall(
241 '..', '{:02x}'.format(src_mac)))
243 if ip_type == self.EXACT_IP:
244 ip4[3] = random.randint(100, 200)
245 ip6[15] = random.randint(100, 200)
246 elif ip_type == self.SUBNET_IP:
247 ip4[2] = random.randint(100, 200)
249 ip6[8] = random.randint(100, 200)
252 for j in range(0, len(ip)):
253 ip_pack += pack('<B', int(ip[j]))
255 rule = ({'is_permit': self.PERMIT,
257 'src_ip_addr': ip_pack,
258 'src_ip_prefix_len': ip_len,
259 'src_mac': mac.replace(':', '').decode('hex'),
260 'src_mac_mask': mask.replace(':', '').decode('hex')})
262 if ip_type == self.WILD_IP:
266 src_mac += 1099511627776
269 def apply_macip_rules(self, acls):
271 reply = self.vapi.macip_acl_add(acl)
272 self.assertEqual(reply.retval, 0)
273 self.ACLS.append(reply.acl_index)
275 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
276 reply = self.macip_acl_dump_debug()
277 for acl in range(2, (acl_count+1) * 2):
278 self.assertEqual(reply[acl - 2].count, rules_count[acl/2-1])
280 self.vapi.macip_acl_interface_get()
282 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
283 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
285 reply = self.vapi.macip_acl_interface_get()
286 self.assertEqual(reply.count, expected_count)
288 def delete_acls(self):
289 for acl in range(len(self.ACLS)-1, -1, -1):
290 self.vapi.macip_acl_del(self.ACLS[acl])
292 reply = self.vapi.macip_acl_dump()
293 self.assertEqual(len(reply), 0)
295 intf_acls = self.vapi.acl_interface_list_dump()
296 for i_a in intf_acls:
297 sw_if_index = i_a.sw_if_index
298 for acl_index in i_a.acls:
299 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
300 self.vapi.acl_del(acl_index)
302 def create_stream(self, mac_type, ip_type, packet_count,
303 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
304 # exact MAC and exact IP
305 # exact MAC and subnet of IPs
306 # exact MAC and wildcard IP
307 # wildcard MAC and exact IP
308 # wildcard MAC and subnet of IPs
309 # wildcard MAC and wildcard IP
310 # OUI restricted MAC and exact IP
311 # OUI restricted MAC and subnet of IPs
312 # OUI restricted MAC and wildcard IP
320 mac_rule = "00:00:00:00:00:00"
321 mac_mask = "00:00:00:00:00:00"
322 for p in range(0, packet_count):
323 remote_dst_index = p % len(dst_if.remote_hosts)
324 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
328 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
329 denyMAC = True if not is_permit and p % 3 == 1 else False
330 denyIP = True if not is_permit and p % 3 == 2 else False
331 if not is_permit and ip_type == self.WILD_IP:
333 if not is_permit and mac_type == self.WILD_MAC:
336 if traffic == self.BRIDGED:
338 src_mac = remote_dst_host._mac
339 dst_mac = 'de:ad:00:00:00:00'
340 src_ip4 = remote_dst_host.ip4
341 dst_ip4 = src_if.remote_ip4
342 src_ip6 = remote_dst_host.ip6
343 dst_ip6 = src_if.remote_ip6
344 ip_permit = src_ip6 if is_ip6 else src_ip4
347 mac = src_mac.split(':')
348 mac[0] = format(int(mac[0], 16)+1, "02x")
349 src_mac = ":".join(mac)
355 if ip_type != self.WILD_IP:
357 src_ip4 = remote_dst_host.ip4
358 dst_ip4 = src_if.remote_ip4
359 src_ip6 = remote_dst_host.ip6
360 dst_ip6 = src_if.remote_ip6
363 src_mac = remote_dst_host._mac
364 dst_mac = src_if.local_mac
365 src_ip4 = src_if.remote_ip4
366 dst_ip4 = remote_dst_host.ip4
367 src_ip6 = src_if.remote_ip6
368 dst_ip6 = remote_dst_host.ip6
369 ip_permit = src_ip6 if is_ip6 else src_ip4
372 mac = src_mac.split(':')
373 mac[0] = format(int(mac[0], 16) + 1, "02x")
374 src_mac = ":".join(mac)
380 src_mac = remote_dst_host._mac
381 if ip_type != self.WILD_IP:
383 src_ip4 = remote_dst_host.ip4
384 dst_ip4 = src_if.remote_ip4
385 src_ip6 = remote_dst_host.ip6
386 dst_ip6 = src_if.remote_ip6
389 info = self.create_packet_info(src_if, dst_if)
390 payload = self.info_to_payload(info)
392 payload = "to be blocked"
394 if mac_type == self.WILD_MAC:
395 mac = src_mac.split(':')
396 for i in range(1, 5):
397 mac[i] = format(random.randint(0, 255), "02x")
398 src_mac = ":".join(mac)
401 packet = Ether(src=src_mac, dst=dst_mac)
402 ip_rule = src_ip6 if is_ip6 else src_ip4
404 if ip_type != self.EXACT_IP:
405 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
406 if ip_type == self.WILD_IP:
407 sub_ip[0] = random.randint(240, 254)
408 sub_ip[1] = random.randint(230, 239)
409 sub_ip[14] = random.randint(100, 199)
410 sub_ip[15] = random.randint(200, 255)
411 elif ip_type == self.SUBNET_IP:
413 sub_ip[2] = str(int(sub_ip[2]) + 1)
414 sub_ip[14] = random.randint(100, 199)
415 sub_ip[15] = random.randint(200, 255)
416 src_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
417 packet /= IPv6(src=src_ip6, dst=dst_ip6)
419 if ip_type != self.EXACT_IP:
420 sub_ip = ip_rule.split('.')
421 if ip_type == self.WILD_IP:
422 sub_ip[0] = str(random.randint(1, 49))
423 sub_ip[1] = str(random.randint(50, 99))
424 sub_ip[2] = str(random.randint(100, 199))
425 sub_ip[3] = str(random.randint(200, 255))
426 elif ip_type == self.SUBNET_IP:
428 sub_ip[1] = str(int(sub_ip[1])+1)
429 sub_ip[2] = str(random.randint(100, 199))
430 sub_ip[3] = str(random.randint(200, 255))
431 src_ip4 = ".".join(sub_ip)
432 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
434 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
436 packet[Raw].load += " mac:"+src_mac
438 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
439 if isinstance(src_if, VppSubInterface):
441 if isinstance(src_if, VppDot1QSubint):
442 if src_if is self.subifs[0]:
443 if tags == self.PERMIT_TAGS:
444 packet = src_if.add_dot1q_layer(packet, 10)
446 packet = src_if.add_dot1q_layer(packet, 11)
448 if tags == self.PERMIT_TAGS:
449 packet = src_if.add_dot1q_layer(packet, 30)
451 packet = src_if.add_dot1q_layer(packet, 33)
452 elif isinstance(src_if, VppDot1ADSubint):
453 if src_if is self.subifs[1]:
454 if tags == self.PERMIT_TAGS:
455 packet = src_if.add_dot1ad_layer(packet, 300, 400)
457 packet = src_if.add_dot1ad_layer(packet, 333, 444)
459 if tags == self.PERMIT_TAGS:
460 packet = src_if.add_dot1ad_layer(packet, 600, 700)
462 packet = src_if.add_dot1ad_layer(packet, 666, 777)
463 self.extend_packet(packet, size)
464 packets.append(packet)
466 # create suitable MACIP rule
467 if mac_type == self.EXACT_MAC:
469 mac_mask = "ff:ff:ff:ff:ff:ff"
470 elif mac_type == self.WILD_MAC:
471 mac_rule = "00:00:00:00:00:00"
472 mac_mask = "00:00:00:00:00:00"
473 elif mac_type == self.OUI_MAC:
474 mac = src_mac.split(':')
475 mac[3] = mac[4] = mac[5] = '00'
476 mac_rule = ":".join(mac)
477 mac_mask = "ff:ff:ff:00:00:00"
480 if ip_type == self.WILD_IP:
484 if ip_type == self.SUBNET_IP:
485 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
486 for i in range(8, 16):
488 ip = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
490 if ip_type == self.WILD_IP:
494 if ip_type == self.SUBNET_IP:
495 sub_ip = ip.split('.')
496 sub_ip[2] = sub_ip[3] = '0'
497 ip = ".".join(sub_ip)
499 prefix_len = 128 if is_ip6 else 32
500 if ip_type == self.WILD_IP:
502 elif ip_type == self.SUBNET_IP:
503 prefix_len = 64 if is_ip6 else 16
504 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
506 # create suitable ACL rule
508 rule_l4_sport = packet[UDP].sport
509 rule_l4_dport = packet[UDP].dport
510 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
511 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
512 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
513 if packet.haslayer(IPv6):
514 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
516 rule_l4_proto = packet[IP].proto
519 'is_permit': is_permit,
521 'src_ip_addr': inet_pton(rule_family,
522 packet[rule_l3_layer].src),
523 'src_ip_prefix_len': rule_prefix_len,
524 'dst_ip_addr': inet_pton(rule_family,
525 packet[rule_l3_layer].dst),
526 'dst_ip_prefix_len': rule_prefix_len,
527 'srcport_or_icmptype_first': rule_l4_sport,
528 'srcport_or_icmptype_last': rule_l4_sport,
529 'dstport_or_icmpcode_first': rule_l4_dport,
530 'dstport_or_icmpcode_last': rule_l4_dport,
531 'proto': rule_l4_proto}
532 acl_rules.append(acl_rule)
534 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
539 'is_permit': is_permit,
541 'src_ip_addr': ip_rule,
542 'src_ip_prefix_len': prefix_len,
543 'src_mac': mac_rule.replace(':', '').decode('hex'),
544 'src_mac_mask': mac_mask.replace(':', '').decode('hex')})
545 macip_rules.append(macip_rule)
547 # deny all other packets
548 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
549 macip_rule = ({'is_permit': 0,
552 'src_ip_prefix_len': 0,
555 macip_rules.append(macip_rule)
557 acl_rule = {'is_permit': 0,
559 acl_rules.append(acl_rule)
560 return {'stream': packets,
561 'macip_rules': macip_rules,
562 'acl_rules': acl_rules}
564 def verify_capture(self, stream, capture, is_ip6):
571 # p_l3 = IPv6 if is_ip6 else IP
574 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst)
576 # acls = self.macip_acl_dump_debug()
581 # print(binascii.hexlify(r.src_mac), \
582 # binascii.hexlify(r.src_mac_mask),\
583 # unpack('<16B', r.src_ip_addr), \
584 # r.src_ip_prefix_len)
587 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
588 # data = p[Raw].load.split(':',1)[1])
589 # print(p[p_l3].src, data)
591 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
592 do_not_expected_capture=False, tags=None,
593 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
595 self.reset_packet_infos()
598 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
599 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
603 if tags == self.DOT1Q:
604 if traffic == self.BRIDGED:
605 tx_if = self.subifs[0]
607 src_if = self.subifs[0]
610 tx_if = self.subifs[2]
612 src_if = self.subifs[2]
614 elif tags == self.DOT1AD:
615 if traffic == self.BRIDGED:
616 tx_if = self.subifs[1]
618 src_if = self.subifs[1]
621 tx_if = self.subifs[3]
623 src_if = self.subifs[3]
628 test_dict = self.create_stream(mac_type, ip_type, packets,
635 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
637 reply = self.vapi.acl_add_replace(acl_index=4294967295,
638 r=test_dict['acl_rules'])
639 self.assertEqual(reply.retval, 0)
640 acl_index = reply.acl_index
643 self.vapi.macip_acl_interface_add_del(
644 sw_if_index=tx_if.sw_if_index,
646 reply = self.vapi.macip_acl_interface_get()
647 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
648 self.ACLS.append(reply.acls[tx_if.sw_if_index])
650 self.vapi.acl_interface_add_del(
651 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
653 self.vapi.macip_acl_interface_add_del(
654 sw_if_index=tx_if.sw_if_index,
658 reply = self.vapi.macip_acl_add_replace(
659 test_dict['macip_rules'],
662 reply = self.vapi.acl_add_replace(acl_index=acl_index,
663 r=test_dict['acl_rules'])
664 self.assertEqual(reply.retval, 0)
666 if not isinstance(src_if, VppSubInterface):
667 tx_if.add_stream(test_dict['stream'])
669 tx_if.parent.add_stream(test_dict['stream'])
670 self.pg_enable_capture(self.pg_interfaces)
673 if do_not_expected_capture:
676 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
677 ip_type == self.WILD_IP:
678 capture = rx_if.get_capture(packets)
680 capture = rx_if.get_capture(
681 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
682 self.verify_capture(test_dict['stream'], capture, is_ip6)
684 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
685 acl_index=acl_index, is_add=0)
686 self.vapi.acl_del(acl_index)
688 def run_test_acls(self, mac_type, ip_type, acl_count,
689 rules_count, traffic=None, ip=None):
690 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
692 self.verify_macip_acls(acl_count, rules_count)
694 if traffic is not None:
695 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
698 class TestMACIP_IP4(MethodHolder):
699 """MACIP with IP4 traffic"""
701 def test_acl_bridged_ip4_exactMAC_exactIP(self):
702 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
704 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
705 self.BRIDGED, self.IS_IP4, 9)
707 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
708 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
711 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
712 self.BRIDGED, self.IS_IP4, 9)
714 def test_acl_bridged_ip4_exactMAC_wildIP(self):
715 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
718 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
719 self.BRIDGED, self.IS_IP4, 9)
721 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
722 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
725 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
726 self.BRIDGED, self.IS_IP4, 3)
728 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
729 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
732 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
733 self.BRIDGED, self.IS_IP4, 9)
735 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
736 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
739 self.run_traffic(self.OUI_MAC, self.WILD_IP,
740 self.BRIDGED, self.IS_IP4, 9)
742 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
743 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
746 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
747 self.BRIDGED, self.IS_IP4, 9)
749 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
750 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
753 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
754 self.BRIDGED, self.IS_IP4, 9)
756 def test_acl_bridged_ip4_wildMAC_wildIP(self):
757 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
760 self.run_traffic(self.WILD_MAC, self.WILD_IP,
761 self.BRIDGED, self.IS_IP4, 9)
763 def test_acl_routed_ip4_exactMAC_exactIP(self):
764 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
766 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
767 self.ROUTED, self.IS_IP4, 9)
769 def test_acl_routed_ip4_exactMAC_subnetIP(self):
770 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
772 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
773 self.ROUTED, self.IS_IP4, 9)
775 def test_acl_routed_ip4_exactMAC_wildIP(self):
776 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
778 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
779 self.ROUTED, self.IS_IP4, 9)
781 def test_acl_routed_ip4_ouiMAC_exactIP(self):
782 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
785 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
786 self.ROUTED, self.IS_IP4, 9)
788 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
789 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
792 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
793 self.ROUTED, self.IS_IP4, 9)
795 def test_acl_routed_ip4_ouiMAC_wildIP(self):
796 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
799 self.run_traffic(self.OUI_MAC, self.WILD_IP,
800 self.ROUTED, self.IS_IP4, 9)
802 def test_acl_routed_ip4_wildMAC_exactIP(self):
803 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
806 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
807 self.ROUTED, self.IS_IP4, 9)
809 def test_acl_routed_ip4_wildMAC_subnetIP(self):
810 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
813 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
814 self.ROUTED, self.IS_IP4, 9)
816 def test_acl_routed_ip4_wildMAC_wildIP(self):
817 """ IP4 MACIP wildcardMAC|wildIP ACL
820 self.run_traffic(self.WILD_MAC, self.WILD_IP,
821 self.ROUTED, self.IS_IP4, 9)
823 def test_acl_replace_traffic_ip4(self):
824 """ MACIP replace ACL with IP4 traffic
826 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
827 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
828 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
829 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
832 class TestMACIP_IP6(MethodHolder):
833 """MACIP with IP6 traffic"""
835 def test_acl_bridged_ip6_exactMAC_exactIP(self):
836 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
839 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
840 self.BRIDGED, self.IS_IP6, 9)
842 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
843 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
846 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
847 self.BRIDGED, self.IS_IP6, 9)
849 def test_acl_bridged_ip6_exactMAC_wildIP(self):
850 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
853 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
854 self.BRIDGED, self.IS_IP6, 9)
856 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
857 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
860 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
861 self.BRIDGED, self.IS_IP6, 9)
863 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
864 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
867 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
868 self.BRIDGED, self.IS_IP6, 9)
870 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
871 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
874 self.run_traffic(self.OUI_MAC, self.WILD_IP,
875 self.BRIDGED, self.IS_IP6, 9)
877 def test_acl_bridged_ip6_wildMAC_exactIP(self):
878 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
881 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
882 self.BRIDGED, self.IS_IP6, 9)
884 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
885 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
888 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
889 self.BRIDGED, self.IS_IP6, 9)
891 def test_acl_bridged_ip6_wildMAC_wildIP(self):
892 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
895 self.run_traffic(self.WILD_MAC, self.WILD_IP,
896 self.BRIDGED, self.IS_IP6, 9)
898 def test_acl_routed_ip6_exactMAC_exactIP(self):
899 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
902 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
903 self.ROUTED, self.IS_IP6, 9)
905 def test_acl_routed_ip6_exactMAC_subnetIP(self):
906 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
909 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
910 self.ROUTED, self.IS_IP6, 9)
912 def test_acl_routed_ip6_exactMAC_wildIP(self):
913 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
916 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
917 self.ROUTED, self.IS_IP6, 9)
919 def test_acl_routed_ip6_ouiMAC_exactIP(self):
920 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
923 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
924 self.ROUTED, self.IS_IP6, 9)
926 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
927 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
930 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
931 self.ROUTED, self.IS_IP6, 9)
933 def test_acl_routed_ip6_ouiMAC_wildIP(self):
934 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
937 self.run_traffic(self.OUI_MAC, self.WILD_IP,
938 self.ROUTED, self.IS_IP6, 9)
940 def test_acl_routed_ip6_wildMAC_exactIP(self):
941 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
944 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
945 self.ROUTED, self.IS_IP6, 9)
947 def test_acl_routed_ip6_wildMAC_subnetIP(self):
948 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
951 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
952 self.ROUTED, self.IS_IP6, 9)
954 def test_acl_routed_ip6_wildMAC_wildIP(self):
955 """ IP6 MACIP wildcardMAC|wildIP ACL
958 self.run_traffic(self.WILD_MAC, self.WILD_IP,
959 self.ROUTED, self.IS_IP6, 9)
961 def test_acl_replace_traffic_ip6(self):
962 """ MACIP replace ACL with IP6 traffic
964 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
965 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
966 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
967 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
970 class TestMACIP(MethodHolder):
973 def test_acl_1_2(self):
974 """ MACIP ACL with 2 entries
977 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
979 def test_acl_1_5(self):
980 """ MACIP ACL with 5 entries
983 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
985 def test_acl_1_10(self):
986 """ MACIP ACL with 10 entries
989 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
991 def test_acl_1_20(self):
992 """ MACIP ACL with 20 entries
995 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
997 def test_acl_1_50(self):
998 """ MACIP ACL with 50 entries
1001 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1003 def test_acl_1_100(self):
1004 """ MACIP ACL with 100 entries
1007 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1009 def test_acl_2_X(self):
1010 """ MACIP 2 ACLs each with 100+ entries
1013 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1015 def test_acl_10_X(self):
1016 """ MACIP 10 ACLs each with 100+ entries
1019 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1020 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1022 def test_acl_10_X_traffic_ip4(self):
1023 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1026 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1027 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1028 self.BRIDGED, self.IS_IP4)
1030 def test_acl_10_X_traffic_ip6(self):
1031 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1034 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1035 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1036 self.BRIDGED, self.IS_IP6)
1038 def test_acl_replace(self):
1039 """ MACIP replace ACL
1042 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1043 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
1044 self.apply_macip_rules(r1)
1046 acls_before = self.macip_acl_dump_debug()
1048 # replace acls #2, #3 with new
1049 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1050 self.assertEqual(reply.retval, 0)
1051 self.assertEqual(reply.acl_index, 2)
1052 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1053 self.assertEqual(reply.retval, 0)
1054 self.assertEqual(reply.acl_index, 3)
1056 acls_after = self.macip_acl_dump_debug()
1059 self.assertEqual(len(acls_before), len(acls_after))
1060 for acl1, acl2 in zip(
1061 acls_before[:2]+acls_before[4:],
1062 acls_after[:2]+acls_after[4:]):
1063 self.assertEqual(len(acl1), len(acl2))
1065 self.assertEqual(len(acl1.r), len(acl2.r))
1066 for r1, r2 in zip(acl1.r, acl2.r):
1067 self.assertEqual(len(acl1.r), len(acl2.r))
1068 self.assertEqual(acl1.r, acl2.r)
1069 for acl1, acl2 in zip(
1072 self.assertEqual(len(acl1), len(acl2))
1074 self.assertNotEqual(len(acl1.r), len(acl2.r))
1075 for r1, r2 in zip(acl1.r, acl2.r):
1076 self.assertNotEqual(len(acl1.r), len(acl2.r))
1077 self.assertNotEqual(acl1.r, acl2.r)
1079 def test_delete_intf(self):
1080 """ MACIP ACL delete intf with acl
1083 intf_count = len(self.interfaces)+1
1085 self.apply_macip_rules(self.create_rules(acl_count=3,
1086 rules_count=[3, 5, 4]))
1088 intf.append(VppLoInterface(self))
1089 intf.append(VppLoInterface(self))
1091 sw_if_index0 = intf[0].sw_if_index
1092 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1094 reply = self.vapi.macip_acl_interface_get()
1095 self.assertEqual(reply.count, intf_count+1)
1096 self.assertEqual(reply.acls[sw_if_index0], 1)
1098 sw_if_index1 = intf[1].sw_if_index
1099 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1101 reply = self.vapi.macip_acl_interface_get()
1102 self.assertEqual(reply.count, intf_count+2)
1103 self.assertEqual(reply.acls[sw_if_index1], 0)
1105 intf[0].remove_vpp_config()
1106 reply = self.vapi.macip_acl_interface_get()
1107 self.assertEqual(reply.count, intf_count+2)
1108 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1109 self.assertEqual(reply.acls[sw_if_index1], 0)
1111 intf.append(VppLoInterface(self))
1112 intf.append(VppLoInterface(self))
1113 sw_if_index2 = intf[2].sw_if_index
1114 sw_if_index3 = intf[3].sw_if_index
1115 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1116 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1118 reply = self.vapi.macip_acl_interface_get()
1119 self.assertEqual(reply.count, intf_count+3)
1120 self.assertEqual(reply.acls[sw_if_index1], 0)
1121 self.assertEqual(reply.acls[sw_if_index2], 1)
1122 self.assertEqual(reply.acls[sw_if_index3], 1)
1123 self.logger.info("MACIP ACL on multiple interfaces:")
1124 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1125 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1126 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1127 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1128 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
1130 intf[2].remove_vpp_config()
1131 intf[1].remove_vpp_config()
1133 reply = self.vapi.macip_acl_interface_get()
1134 self.assertEqual(reply.count, intf_count+3)
1135 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1136 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1137 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1138 self.assertEqual(reply.acls[sw_if_index3], 1)
1140 intf[3].remove_vpp_config()
1141 reply = self.vapi.macip_acl_interface_get()
1143 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1146 class TestACL_dot1q_bridged(MethodHolder):
1147 """ACL on dot1q bridged subinterfaces Tests"""
1149 def test_acl_bridged_ip4_subif_dot1q(self):
1150 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1151 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1152 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1154 def test_acl_bridged_ip6_subif_dot1q(self):
1155 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1156 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1157 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1160 class TestACL_dot1ad_bridged(MethodHolder):
1161 """ACL on dot1ad bridged subinterfaces Tests"""
1163 def test_acl_bridged_ip4_subif_dot1ad(self):
1164 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1165 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1166 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1168 def test_acl_bridged_ip6_subif_dot1ad(self):
1169 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1170 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1171 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1174 class TestACL_dot1q_routed(MethodHolder):
1175 """ACL on dot1q routed subinterfaces Tests"""
1177 def test_acl_routed_ip4_subif_dot1q(self):
1178 """ IP4 ACL SubIf Dot1Q routed traffic"""
1179 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1180 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1182 def test_acl_routed_ip6_subif_dot1q(self):
1183 """ IP6 ACL SubIf Dot1Q routed traffic"""
1184 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1185 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1187 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1188 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1189 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1190 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1191 permit_tags=self.DENY_TAGS)
1193 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1194 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1195 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1196 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1197 permit_tags=self.DENY_TAGS)
1200 class TestACL_dot1ad_routed(MethodHolder):
1201 """ACL on dot1ad routed subinterfaces Tests"""
1203 def test_acl_routed_ip6_subif_dot1ad(self):
1204 """ IP6 ACL SubIf Dot1AD routed traffic"""
1205 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1206 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1208 def test_acl_routed_ip4_subif_dot1ad(self):
1209 """ IP4 ACL SubIf Dot1AD routed traffic"""
1210 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1211 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1213 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1214 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1215 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1216 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1217 permit_tags=self.DENY_TAGS)
1219 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1220 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1221 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1222 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1223 permit_tags=self.DENY_TAGS)
1226 if __name__ == '__main__':
1227 unittest.main(testRunner=VppTestRunner)