2 """ACL plugin - MACIP tests
8 from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
10 from scapy.packet import Raw
11 from scapy.layers.l2 import Ether
12 from scapy.layers.inet import IP, UDP
13 from scapy.layers.inet6 import IPv6
15 from framework import VppTestCase, VppTestRunner, running_extended_tests
16 from vpp_lo_interface import VppLoInterface
17 from vpp_papi_provider import L2_VTR_OP
18 from vpp_sub_interface import VppSubInterface, VppDot1QSubint, VppDot1ADSubint
21 class MethodHolder(VppTestCase):
53 Perform standard class setup (defined by class method setUpClass in
54 class VppTestCase) before running the test case, set test case related
55 variables and configure VPP.
57 super(MethodHolder, cls).setUpClass()
59 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
61 cls.remote_hosts_count = 200
64 # create 4 pg interfaces, 1 loopback interface
65 cls.create_pg_interfaces(range(4))
66 cls.create_loopback_interfaces(1)
68 # create 2 subinterfaces
70 VppDot1QSubint(cls, cls.pg1, 10),
71 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
72 VppDot1QSubint(cls, cls.pg3, 30),
73 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
75 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
77 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
78 outer=300, inner=400, push1q=1)
79 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
81 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
82 outer=600, inner=700, push1q=1)
84 cls.interfaces = list(cls.pg_interfaces)
85 cls.interfaces.extend(cls.lo_interfaces)
86 cls.interfaces.extend(cls.subifs)
88 for i in cls.interfaces:
91 # Create BD with MAC learning enabled and put interfaces to this BD
92 cls.vapi.sw_interface_set_l2_bridge(
93 cls.loop0.sw_if_index, bd_id=cls.bd_id, bvi=1)
94 cls.vapi.sw_interface_set_l2_bridge(
95 cls.pg0.sw_if_index, bd_id=cls.bd_id)
96 cls.vapi.sw_interface_set_l2_bridge(
97 cls.pg1.sw_if_index, bd_id=cls.bd_id)
98 cls.vapi.sw_interface_set_l2_bridge(
99 cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
100 cls.vapi.sw_interface_set_l2_bridge(
101 cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
103 # Configure IPv4/6 addresses on loop interface and routed interface
104 cls.loop0.config_ip4()
105 cls.loop0.config_ip6()
111 # Configure MAC address binding to IPv4 neighbors on loop0
112 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
113 # Modify host mac addresses to have different OUI parts
114 for i in range(2, cls.remote_hosts_count + 2):
115 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
116 mac[2] = format(int(mac[2], 16) + i, "02x")
117 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
119 cls.loop0.configure_ipv4_neighbors()
120 cls.loop0.configure_ipv6_neighbors()
122 # configure MAC address on pg3
123 cls.pg3.resolve_arp()
124 cls.pg3.resolve_ndp()
126 # configure MAC address on subifs
132 # configure MAC address on pg2
133 cls.pg2.resolve_arp()
134 cls.pg2.resolve_ndp()
136 # Loopback BVI interface has remote hosts
137 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
138 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
139 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
140 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
141 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
142 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
145 super(TestMACIP, cls).tearDownClass()
149 super(MethodHolder, self).setUp()
150 self.reset_packet_infos()
155 Show various debug prints after each test.
157 super(MethodHolder, self).tearDown()
158 if not self.vpp_dead:
159 self.logger.info(self.vapi.ppcli("show interface address"))
160 self.logger.info(self.vapi.ppcli("show hardware"))
161 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
162 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
163 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
164 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
165 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
166 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
167 # print self.vapi.ppcli("show interface address")
168 # print self.vapi.ppcli("show hardware")
169 # print self.vapi.ppcli("sh acl-plugin macip interface")
170 # print self.vapi.ppcli("sh acl-plugin macip acl")
173 def macip_acl_dump_debug(self):
174 acls = self.vapi.macip_acl_dump()
177 print "ACL #"+str(acl.acl_index)
182 elif r.is_permit == 0:
184 print " IP6" if r.is_ipv6 else " IP4", \
186 r.src_mac.encode('hex'), \
187 r.src_mac_mask.encode('hex'),\
188 unpack('<16B', r.src_ip_addr), \
192 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
193 acl_count=1, rules_count=[1]):
195 src_mac = int("220000dead00", 16)
196 for acl in range(2, (acl_count+1) * 2):
198 host = random.choice(self.loop0.remote_hosts)
200 ip4 = host.ip4.split('.')
201 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
203 if ip_type == self.EXACT_IP:
206 elif ip_type == self.WILD_IP:
208 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
211 rules_count[(acl / 2) - 1] = 1
216 if mac_type == self.EXACT_MAC:
217 mask = "ff:ff:ff:ff:ff:ff"
218 elif mac_type == self.WILD_MAC:
219 mask = "00:00:00:00:00:00"
220 elif mac_type == self.OUI_MAC:
221 mask = "ff:ff:ff:00:00:00"
223 mask = "ff:ff:ff:ff:ff:00"
225 ip = ip6 if is_ip6 else ip4
226 ip_len = prefix_len6 if is_ip6 else prefix_len4
228 for i in range(0, rules_count[(acl / 2) - 1]):
230 if mac_type == self.WILD_MAC:
231 mac = "00:00:00:00:00:00"
232 elif mac_type == self.OUI_MAC:
233 mac = ':'.join(re.findall('..', '{:02x}'.format(
234 src_mac))[:3])+":00:00:00"
236 mac = ':'.join(re.findall('..', '{:02x}'.format(src_mac)))
238 if ip_type == self.EXACT_IP:
239 ip4[3] = random.randint(100, 200)
240 ip6[15] = random.randint(100, 200)
241 elif ip_type == self.SUBNET_IP:
242 ip4[2] = random.randint(100, 200)
244 ip6[8] = random.randint(100, 200)
247 for j in range(0, len(ip)):
248 ip_pack += pack('<B', int(ip[j]))
250 rule = ({'is_permit': self.PERMIT,
252 'src_ip_addr': ip_pack,
253 'src_ip_prefix_len': ip_len,
254 'src_mac': mac.replace(':', '').decode('hex'),
255 'src_mac_mask': mask.replace(':', '').decode('hex')})
257 if ip_type == self.WILD_IP:
261 src_mac += 1099511627776
264 def apply_macip_rules(self, acls):
266 reply = self.vapi.macip_acl_add(acl)
267 self.assertEqual(reply.retval, 0)
268 self.ACLS.append(reply.acl_index)
270 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
271 reply = self.macip_acl_dump_debug()
272 for acl in range(2, (acl_count+1) * 2):
273 self.assertEqual(reply[acl - 2].count, rules_count[acl/2-1])
275 self.vapi.macip_acl_interface_get()
277 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
278 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
280 reply = self.vapi.macip_acl_interface_get()
281 self.assertEqual(reply.count, expected_count)
283 def delete_acls(self):
284 for acl in range(len(self.ACLS)-1, -1, -1):
285 self.vapi.macip_acl_del(self.ACLS[acl])
287 reply = self.vapi.macip_acl_dump()
288 self.assertEqual(len(reply), 0)
290 intf_acls = self.vapi.acl_interface_list_dump()
291 for i_a in intf_acls:
292 sw_if_index = i_a.sw_if_index
293 for acl_index in i_a.acls:
294 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
295 self.vapi.acl_del(acl_index)
297 def create_stream(self, mac_type, ip_type, packet_count,
298 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
299 # exact MAC and exact IP
300 # exact MAC and subnet of IPs
301 # exact MAC and wildcard IP
302 # wildcard MAC and exact IP
303 # wildcard MAC and subnet of IPs
304 # wildcard MAC and wildcard IP
305 # OUI restricted MAC and exact IP
306 # OUI restricted MAC and subnet of IPs
307 # OUI restricted MAC and wildcard IP
315 mac_rule = "00:00:00:00:00:00"
316 mac_mask = "00:00:00:00:00:00"
317 for p in range(0, packet_count):
318 remote_dst_index = p % len(dst_if.remote_hosts)
319 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
323 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
324 denyMAC = True if not is_permit and p % 3 == 1 else False
325 denyIP = True if not is_permit and p % 3 == 2 else False
326 if not is_permit and ip_type == self.WILD_IP:
328 if not is_permit and mac_type == self.WILD_MAC:
331 if traffic == self.BRIDGED:
333 src_mac = remote_dst_host._mac
334 dst_mac = 'de:ad:00:00:00:00'
335 src_ip4 = remote_dst_host.ip4
336 dst_ip4 = src_if.remote_ip4
337 src_ip6 = remote_dst_host.ip6
338 dst_ip6 = src_if.remote_ip6
339 ip_permit = src_ip6 if is_ip6 else src_ip4
342 mac = src_mac.split(':')
343 mac[0] = format(int(mac[0], 16)+1, "02x")
344 src_mac = ":".join(mac)
350 if ip_type != self.WILD_IP:
352 src_ip4 = remote_dst_host.ip4
353 dst_ip4 = src_if.remote_ip4
354 src_ip6 = remote_dst_host.ip6
355 dst_ip6 = src_if.remote_ip6
358 src_mac = remote_dst_host._mac
359 dst_mac = src_if.local_mac
360 src_ip4 = src_if.remote_ip4
361 dst_ip4 = remote_dst_host.ip4
362 src_ip6 = src_if.remote_ip6
363 dst_ip6 = remote_dst_host.ip6
364 ip_permit = src_ip6 if is_ip6 else src_ip4
367 mac = src_mac.split(':')
368 mac[0] = format(int(mac[0], 16) + 1, "02x")
369 src_mac = ":".join(mac)
375 src_mac = remote_dst_host._mac
376 if ip_type != self.WILD_IP:
378 src_ip4 = remote_dst_host.ip4
379 dst_ip4 = src_if.remote_ip4
380 src_ip6 = remote_dst_host.ip6
381 dst_ip6 = src_if.remote_ip6
384 info = self.create_packet_info(src_if, dst_if)
385 payload = self.info_to_payload(info)
387 payload = "to be blocked"
389 if mac_type == self.WILD_MAC:
390 mac = src_mac.split(':')
391 for i in range(1, 5):
392 mac[i] = format(random.randint(0, 255), "02x")
393 src_mac = ":".join(mac)
396 packet = Ether(src=src_mac, dst=dst_mac)
397 ip_rule = src_ip6 if is_ip6 else src_ip4
399 if ip_type != self.EXACT_IP:
400 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
401 if ip_type == self.WILD_IP:
402 sub_ip[0] = random.randint(240, 254)
403 sub_ip[1] = random.randint(230, 239)
404 sub_ip[14] = random.randint(100, 199)
405 sub_ip[15] = random.randint(200, 255)
406 elif ip_type == self.SUBNET_IP:
408 sub_ip[2] = str(int(sub_ip[2]) + 1)
409 sub_ip[14] = random.randint(100, 199)
410 sub_ip[15] = random.randint(200, 255)
411 src_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
412 packet /= IPv6(src=src_ip6, dst=dst_ip6)
414 if ip_type != self.EXACT_IP:
415 sub_ip = ip_rule.split('.')
416 if ip_type == self.WILD_IP:
417 sub_ip[0] = str(random.randint(1, 49))
418 sub_ip[1] = str(random.randint(50, 99))
419 sub_ip[2] = str(random.randint(100, 199))
420 sub_ip[3] = str(random.randint(200, 255))
421 elif ip_type == self.SUBNET_IP:
423 sub_ip[1] = str(int(sub_ip[1])+1)
424 sub_ip[2] = str(random.randint(100, 199))
425 sub_ip[3] = str(random.randint(200, 255))
426 src_ip4 = ".".join(sub_ip)
427 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
429 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
431 packet[Raw].load += " mac:"+src_mac
433 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
434 if isinstance(src_if, VppSubInterface):
436 if isinstance(src_if, VppDot1QSubint):
437 if src_if is self.subifs[0]:
438 if tags == self.PERMIT_TAGS:
439 packet = src_if.add_dot1q_layer(packet, 10)
441 packet = src_if.add_dot1q_layer(packet, 11)
443 if tags == self.PERMIT_TAGS:
444 packet = src_if.add_dot1q_layer(packet, 30)
446 packet = src_if.add_dot1q_layer(packet, 33)
447 elif isinstance(src_if, VppDot1ADSubint):
448 if src_if is self.subifs[1]:
449 if tags == self.PERMIT_TAGS:
450 packet = src_if.add_dot1ad_layer(packet, 300, 400)
452 packet = src_if.add_dot1ad_layer(packet, 333, 444)
454 if tags == self.PERMIT_TAGS:
455 packet = src_if.add_dot1ad_layer(packet, 600, 700)
457 packet = src_if.add_dot1ad_layer(packet, 666, 777)
458 self.extend_packet(packet, size)
459 packets.append(packet)
461 # create suitable MACIP rule
462 if mac_type == self.EXACT_MAC:
464 mac_mask = "ff:ff:ff:ff:ff:ff"
465 elif mac_type == self.WILD_MAC:
466 mac_rule = "00:00:00:00:00:00"
467 mac_mask = "00:00:00:00:00:00"
468 elif mac_type == self.OUI_MAC:
469 mac = src_mac.split(':')
470 mac[3] = mac[4] = mac[5] = '00'
471 mac_rule = ":".join(mac)
472 mac_mask = "ff:ff:ff:00:00:00"
475 if ip_type == self.WILD_IP:
479 if ip_type == self.SUBNET_IP:
480 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
481 for i in range(8, 16):
483 ip = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
485 if ip_type == self.WILD_IP:
489 if ip_type == self.SUBNET_IP:
490 sub_ip = ip.split('.')
491 sub_ip[2] = sub_ip[3] = '0'
492 ip = ".".join(sub_ip)
494 prefix_len = 128 if is_ip6 else 32
495 if ip_type == self.WILD_IP:
497 elif ip_type == self.SUBNET_IP:
498 prefix_len = 64 if is_ip6 else 16
499 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
501 # create suitable ACL rule
503 rule_l4_sport = packet[UDP].sport
504 rule_l4_dport = packet[UDP].dport
505 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
506 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
507 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
508 if packet.haslayer(IPv6):
509 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
511 rule_l4_proto = packet[IP].proto
514 'is_permit': is_permit,
516 'src_ip_addr': inet_pton(rule_family,
517 packet[rule_l3_layer].src),
518 'src_ip_prefix_len': rule_prefix_len,
519 'dst_ip_addr': inet_pton(rule_family,
520 packet[rule_l3_layer].dst),
521 'dst_ip_prefix_len': rule_prefix_len,
522 'srcport_or_icmptype_first': rule_l4_sport,
523 'srcport_or_icmptype_last': rule_l4_sport,
524 'dstport_or_icmpcode_first': rule_l4_dport,
525 'dstport_or_icmpcode_last': rule_l4_dport,
526 'proto': rule_l4_proto}
527 acl_rules.append(acl_rule)
529 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
534 'is_permit': is_permit,
536 'src_ip_addr': ip_rule,
537 'src_ip_prefix_len': prefix_len,
538 'src_mac': mac_rule.replace(':', '').decode('hex'),
539 'src_mac_mask': mac_mask.replace(':', '').decode('hex')})
540 macip_rules.append(macip_rule)
542 # deny all other packets
543 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
544 macip_rule = ({'is_permit': 0,
547 'src_ip_prefix_len': 0,
550 macip_rules.append(macip_rule)
552 acl_rule = {'is_permit': 0,
554 acl_rules.append(acl_rule)
555 return {'stream': packets,
556 'macip_rules': macip_rules,
557 'acl_rules': acl_rules}
559 def verify_capture(self, stream, capture, is_ip6):
566 # p_l3 = IPv6 if is_ip6 else IP
569 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
571 # acls = self.macip_acl_dump_debug()
576 # print r.src_mac.encode('hex'), \
577 # r.src_mac_mask.encode('hex'),\
578 # unpack('<16B', r.src_ip_addr), \
579 # r.src_ip_prefix_len
582 # print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
583 # data = p[Raw].load.split(':',1)[1]
584 # print p[p_l3].src, data
586 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
587 do_not_expected_capture=False, tags=None,
588 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
590 self.reset_packet_infos()
593 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
594 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
598 if tags == self.DOT1Q:
599 if traffic == self.BRIDGED:
600 tx_if = self.subifs[0]
602 src_if = self.subifs[0]
605 tx_if = self.subifs[2]
607 src_if = self.subifs[2]
609 elif tags == self.DOT1AD:
610 if traffic == self.BRIDGED:
611 tx_if = self.subifs[1]
613 src_if = self.subifs[1]
616 tx_if = self.subifs[3]
618 src_if = self.subifs[3]
623 test_dict = self.create_stream(mac_type, ip_type, packets,
630 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
632 reply = self.vapi.acl_add_replace(acl_index=4294967295,
633 r=test_dict['acl_rules'])
634 self.assertEqual(reply.retval, 0)
635 acl_index = reply.acl_index
638 self.vapi.macip_acl_interface_add_del(
639 sw_if_index=tx_if.sw_if_index,
641 reply = self.vapi.macip_acl_interface_get()
642 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
643 self.ACLS.append(reply.acls[tx_if.sw_if_index])
645 self.vapi.acl_interface_add_del(
646 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
648 self.vapi.macip_acl_interface_add_del(
649 sw_if_index=tx_if.sw_if_index,
653 reply = self.vapi.macip_acl_add_replace(
654 test_dict['macip_rules'],
657 reply = self.vapi.acl_add_replace(acl_index=acl_index,
658 r=test_dict['acl_rules'])
659 self.assertEqual(reply.retval, 0)
661 if not isinstance(src_if, VppSubInterface):
662 tx_if.add_stream(test_dict['stream'])
664 tx_if.parent.add_stream(test_dict['stream'])
665 self.pg_enable_capture(self.pg_interfaces)
668 if do_not_expected_capture:
671 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
672 ip_type == self.WILD_IP:
673 capture = rx_if.get_capture(packets)
675 capture = rx_if.get_capture(
676 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
677 self.verify_capture(test_dict['stream'], capture, is_ip6)
679 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
680 acl_index=acl_index, is_add=0)
681 self.vapi.acl_del(acl_index)
683 def run_test_acls(self, mac_type, ip_type, acl_count,
684 rules_count, traffic=None, ip=None):
685 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
687 self.verify_macip_acls(acl_count, rules_count)
689 if traffic is not None:
690 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
693 class TestMACIP_IP4(MethodHolder):
694 """MACIP with IP4 traffic"""
696 def test_acl_bridged_ip4_exactMAC_exactIP(self):
697 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
699 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
700 self.BRIDGED, self.IS_IP4, 9)
702 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
703 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
706 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
707 self.BRIDGED, self.IS_IP4, 9)
709 def test_acl_bridged_ip4_exactMAC_wildIP(self):
710 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
713 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
714 self.BRIDGED, self.IS_IP4, 9)
716 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
717 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
720 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
721 self.BRIDGED, self.IS_IP4, 3)
723 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
724 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
727 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
728 self.BRIDGED, self.IS_IP4, 9)
730 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
731 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
734 self.run_traffic(self.OUI_MAC, self.WILD_IP,
735 self.BRIDGED, self.IS_IP4, 9)
737 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
738 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
741 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
742 self.BRIDGED, self.IS_IP4, 9)
744 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
745 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
748 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
749 self.BRIDGED, self.IS_IP4, 9)
751 def test_acl_bridged_ip4_wildMAC_wildIP(self):
752 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
755 self.run_traffic(self.WILD_MAC, self.WILD_IP,
756 self.BRIDGED, self.IS_IP4, 9)
758 def test_acl_routed_ip4_exactMAC_exactIP(self):
759 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
761 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
762 self.ROUTED, self.IS_IP4, 9)
764 def test_acl_routed_ip4_exactMAC_subnetIP(self):
765 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
767 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
768 self.ROUTED, self.IS_IP4, 9)
770 def test_acl_routed_ip4_exactMAC_wildIP(self):
771 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
773 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
774 self.ROUTED, self.IS_IP4, 9)
776 def test_acl_routed_ip4_ouiMAC_exactIP(self):
777 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
780 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
781 self.ROUTED, self.IS_IP4, 9)
783 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
784 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
787 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
788 self.ROUTED, self.IS_IP4, 9)
790 def test_acl_routed_ip4_ouiMAC_wildIP(self):
791 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
794 self.run_traffic(self.OUI_MAC, self.WILD_IP,
795 self.ROUTED, self.IS_IP4, 9)
797 def test_acl_routed_ip4_wildMAC_exactIP(self):
798 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
801 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
802 self.ROUTED, self.IS_IP4, 9)
804 def test_acl_routed_ip4_wildMAC_subnetIP(self):
805 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
808 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
809 self.ROUTED, self.IS_IP4, 9)
811 def test_acl_routed_ip4_wildMAC_wildIP(self):
812 """ IP4 MACIP wildcardMAC|wildIP ACL
815 self.run_traffic(self.WILD_MAC, self.WILD_IP,
816 self.ROUTED, self.IS_IP4, 9)
818 def test_acl_replace_traffic_ip4(self):
819 """ MACIP replace ACL with IP4 traffic
821 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
822 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
823 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
824 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
827 class TestMACIP_IP6(MethodHolder):
828 """MACIP with IP6 traffic"""
830 def test_acl_bridged_ip6_exactMAC_exactIP(self):
831 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
834 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
835 self.BRIDGED, self.IS_IP6, 9)
837 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
838 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
841 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
842 self.BRIDGED, self.IS_IP6, 9)
844 def test_acl_bridged_ip6_exactMAC_wildIP(self):
845 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
848 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
849 self.BRIDGED, self.IS_IP6, 9)
851 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
852 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
855 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
856 self.BRIDGED, self.IS_IP6, 9)
858 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
859 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
862 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
863 self.BRIDGED, self.IS_IP6, 9)
865 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
866 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
869 self.run_traffic(self.OUI_MAC, self.WILD_IP,
870 self.BRIDGED, self.IS_IP6, 9)
872 def test_acl_bridged_ip6_wildMAC_exactIP(self):
873 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
876 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
877 self.BRIDGED, self.IS_IP6, 9)
879 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
880 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
883 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
884 self.BRIDGED, self.IS_IP6, 9)
886 def test_acl_bridged_ip6_wildMAC_wildIP(self):
887 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
890 self.run_traffic(self.WILD_MAC, self.WILD_IP,
891 self.BRIDGED, self.IS_IP6, 9)
893 def test_acl_routed_ip6_exactMAC_exactIP(self):
894 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
897 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
898 self.ROUTED, self.IS_IP6, 9)
900 def test_acl_routed_ip6_exactMAC_subnetIP(self):
901 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
904 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
905 self.ROUTED, self.IS_IP6, 9)
907 def test_acl_routed_ip6_exactMAC_wildIP(self):
908 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
911 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
912 self.ROUTED, self.IS_IP6, 9)
914 def test_acl_routed_ip6_ouiMAC_exactIP(self):
915 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
918 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
919 self.ROUTED, self.IS_IP6, 9)
921 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
922 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
925 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
926 self.ROUTED, self.IS_IP6, 9)
928 def test_acl_routed_ip6_ouiMAC_wildIP(self):
929 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
932 self.run_traffic(self.OUI_MAC, self.WILD_IP,
933 self.ROUTED, self.IS_IP6, 9)
935 def test_acl_routed_ip6_wildMAC_exactIP(self):
936 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
939 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
940 self.ROUTED, self.IS_IP6, 9)
942 def test_acl_routed_ip6_wildMAC_subnetIP(self):
943 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
946 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
947 self.ROUTED, self.IS_IP6, 9)
949 def test_acl_routed_ip6_wildMAC_wildIP(self):
950 """ IP6 MACIP wildcardMAC|wildIP ACL
953 self.run_traffic(self.WILD_MAC, self.WILD_IP,
954 self.ROUTED, self.IS_IP6, 9)
956 def test_acl_replace_traffic_ip6(self):
957 """ MACIP replace ACL with IP6 traffic
959 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
960 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
961 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
962 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
965 class TestMACIP(MethodHolder):
968 def test_acl_1_2(self):
969 """ MACIP ACL with 2 entries
972 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
974 def test_acl_1_5(self):
975 """ MACIP ACL with 5 entries
978 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
980 def test_acl_1_10(self):
981 """ MACIP ACL with 10 entries
984 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
986 def test_acl_1_20(self):
987 """ MACIP ACL with 20 entries
990 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
992 def test_acl_1_50(self):
993 """ MACIP ACL with 50 entries
996 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
998 def test_acl_1_100(self):
999 """ MACIP ACL with 100 entries
1002 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1004 def test_acl_2_X(self):
1005 """ MACIP 2 ACLs each with 100+ entries
1008 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1010 def test_acl_10_X(self):
1011 """ MACIP 10 ACLs each with 100+ entries
1014 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1015 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1017 def test_acl_10_X_traffic_ip4(self):
1018 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1021 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1022 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1023 self.BRIDGED, self.IS_IP4)
1025 def test_acl_10_X_traffic_ip6(self):
1026 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1029 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1030 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1031 self.BRIDGED, self.IS_IP6)
1033 def test_acl_replace(self):
1034 """ MACIP replace ACL
1037 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1038 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
1039 self.apply_macip_rules(r1)
1041 acls_before = self.macip_acl_dump_debug()
1043 # replace acls #2, #3 with new
1044 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1045 self.assertEqual(reply.retval, 0)
1046 self.assertEqual(reply.acl_index, 2)
1047 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1048 self.assertEqual(reply.retval, 0)
1049 self.assertEqual(reply.acl_index, 3)
1051 acls_after = self.macip_acl_dump_debug()
1054 self.assertEqual(len(acls_before), len(acls_after))
1055 for acl1, acl2 in zip(
1056 acls_before[:2]+acls_before[4:],
1057 acls_after[:2]+acls_after[4:]):
1058 self.assertEqual(len(acl1), len(acl2))
1060 self.assertEqual(len(acl1.r), len(acl2.r))
1061 for r1, r2 in zip(acl1.r, acl2.r):
1062 self.assertEqual(len(acl1.r), len(acl2.r))
1063 self.assertEqual(acl1.r, acl2.r)
1064 for acl1, acl2 in zip(
1067 self.assertEqual(len(acl1), len(acl2))
1069 self.assertNotEqual(len(acl1.r), len(acl2.r))
1070 for r1, r2 in zip(acl1.r, acl2.r):
1071 self.assertNotEqual(len(acl1.r), len(acl2.r))
1072 self.assertNotEqual(acl1.r, acl2.r)
1074 def test_delete_intf(self):
1075 """ MACIP ACL delete intf with acl
1078 intf_count = len(self.interfaces)+1
1080 self.apply_macip_rules(self.create_rules(acl_count=3,
1081 rules_count=[3, 5, 4]))
1083 intf.append(VppLoInterface(self))
1084 intf.append(VppLoInterface(self))
1086 sw_if_index0 = intf[0].sw_if_index
1087 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1089 reply = self.vapi.macip_acl_interface_get()
1090 self.assertEqual(reply.count, intf_count+1)
1091 self.assertEqual(reply.acls[sw_if_index0], 1)
1093 sw_if_index1 = intf[1].sw_if_index
1094 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1096 reply = self.vapi.macip_acl_interface_get()
1097 self.assertEqual(reply.count, intf_count+2)
1098 self.assertEqual(reply.acls[sw_if_index1], 0)
1100 intf[0].remove_vpp_config()
1101 reply = self.vapi.macip_acl_interface_get()
1102 self.assertEqual(reply.count, intf_count+2)
1103 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1104 self.assertEqual(reply.acls[sw_if_index1], 0)
1106 intf.append(VppLoInterface(self))
1107 intf.append(VppLoInterface(self))
1108 sw_if_index2 = intf[2].sw_if_index
1109 sw_if_index3 = intf[3].sw_if_index
1110 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1111 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1113 reply = self.vapi.macip_acl_interface_get()
1114 self.assertEqual(reply.count, intf_count+3)
1115 self.assertEqual(reply.acls[sw_if_index1], 0)
1116 self.assertEqual(reply.acls[sw_if_index2], 1)
1117 self.assertEqual(reply.acls[sw_if_index3], 1)
1118 self.logger.info("MACIP ACL on multiple interfaces:")
1119 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1120 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1121 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1122 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1123 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
1125 intf[2].remove_vpp_config()
1126 intf[1].remove_vpp_config()
1128 reply = self.vapi.macip_acl_interface_get()
1129 self.assertEqual(reply.count, intf_count+3)
1130 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1131 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1132 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1133 self.assertEqual(reply.acls[sw_if_index3], 1)
1135 intf[3].remove_vpp_config()
1136 reply = self.vapi.macip_acl_interface_get()
1138 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1141 class TestACL_dot1q_bridged(MethodHolder):
1142 """ACL on dot1q bridged subinterfaces Tests"""
1144 def test_acl_bridged_ip4_subif_dot1q(self):
1145 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1146 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1147 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1149 def test_acl_bridged_ip6_subif_dot1q(self):
1150 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1151 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1152 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1155 class TestACL_dot1ad_bridged(MethodHolder):
1156 """ACL on dot1ad bridged subinterfaces Tests"""
1158 def test_acl_bridged_ip4_subif_dot1ad(self):
1159 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1160 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1161 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1163 def test_acl_bridged_ip6_subif_dot1ad(self):
1164 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1165 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1166 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1169 class TestACL_dot1q_routed(MethodHolder):
1170 """ACL on dot1q routed subinterfaces Tests"""
1172 def test_acl_routed_ip4_subif_dot1q(self):
1173 """ IP4 ACL SubIf Dot1Q routed traffic"""
1174 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1175 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1177 def test_acl_routed_ip6_subif_dot1q(self):
1178 """ IP6 ACL SubIf Dot1Q routed traffic"""
1179 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1180 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1182 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1183 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1184 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1185 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1186 permit_tags=self.DENY_TAGS)
1188 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1189 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1190 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1191 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1192 permit_tags=self.DENY_TAGS)
1195 class TestACL_dot1ad_routed(MethodHolder):
1196 """ACL on dot1ad routed subinterfaces Tests"""
1198 def test_acl_routed_ip6_subif_dot1ad(self):
1199 """ IP6 ACL SubIf Dot1AD routed traffic"""
1200 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1201 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1203 def test_acl_routed_ip4_subif_dot1ad(self):
1204 """ IP4 ACL SubIf Dot1AD routed traffic"""
1205 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1206 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1208 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1209 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1210 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1211 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1212 permit_tags=self.DENY_TAGS)
1214 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1215 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1216 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1217 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1218 permit_tags=self.DENY_TAGS)
1221 if __name__ == '__main__':
1222 unittest.main(testRunner=VppTestRunner)