2 from __future__ import print_function
3 """ACL plugin - MACIP tests
8 from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
9 from struct import pack, unpack
14 from scapy.packet import Raw
15 from scapy.layers.l2 import Ether
16 from scapy.layers.inet import IP, UDP
17 from scapy.layers.inet6 import IPv6
19 from framework import VppTestCase, VppTestRunner, running_extended_tests
20 from vpp_lo_interface import VppLoInterface
21 from vpp_l2 import L2_PORT_TYPE
22 from vpp_sub_interface import L2_VTR_OP, VppSubInterface, VppDot1QSubint, \
26 class MethodHolder(VppTestCase):
58 Perform standard class setup (defined by class method setUpClass in
59 class VppTestCase) before running the test case, set test case related
60 variables and configure VPP.
62 super(MethodHolder, cls).setUpClass()
64 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
66 cls.remote_hosts_count = 200
69 # create 4 pg interfaces, 1 loopback interface
70 cls.create_pg_interfaces(range(4))
71 cls.create_loopback_interfaces(1)
73 # create 2 subinterfaces
75 VppDot1QSubint(cls, cls.pg1, 10),
76 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
77 VppDot1QSubint(cls, cls.pg3, 30),
78 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
80 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
82 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
83 outer=300, inner=400, push1q=1)
84 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
86 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
87 outer=600, inner=700, push1q=1)
89 cls.interfaces = list(cls.pg_interfaces)
90 cls.interfaces.extend(cls.lo_interfaces)
91 cls.interfaces.extend(cls.subifs)
93 for i in cls.interfaces:
96 # Create BD with MAC learning enabled and put interfaces to this BD
97 cls.vapi.sw_interface_set_l2_bridge(
98 rx_sw_if_index=cls.loop0.sw_if_index, bd_id=cls.bd_id,
99 port_type=L2_PORT_TYPE.BVI)
100 cls.vapi.sw_interface_set_l2_bridge(
101 rx_sw_if_index=cls.pg0.sw_if_index, bd_id=cls.bd_id)
102 cls.vapi.sw_interface_set_l2_bridge(
103 rx_sw_if_index=cls.pg1.sw_if_index, bd_id=cls.bd_id)
104 cls.vapi.sw_interface_set_l2_bridge(
105 rx_sw_if_index=cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
106 cls.vapi.sw_interface_set_l2_bridge(
107 rx_sw_if_index=cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
109 # Configure IPv4/6 addresses on loop interface and routed interface
110 cls.loop0.config_ip4()
111 cls.loop0.config_ip6()
117 # Configure MAC address binding to IPv4 neighbors on loop0
118 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
119 # Modify host mac addresses to have different OUI parts
120 for i in range(2, cls.remote_hosts_count + 2):
121 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
122 mac[2] = format(int(mac[2], 16) + i, "02x")
123 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
125 cls.loop0.configure_ipv4_neighbors()
126 cls.loop0.configure_ipv6_neighbors()
128 # configure MAC address on pg3
129 cls.pg3.resolve_arp()
130 cls.pg3.resolve_ndp()
132 # configure MAC address on subifs
138 # configure MAC address on pg2
139 cls.pg2.resolve_arp()
140 cls.pg2.resolve_ndp()
142 # Loopback BVI interface has remote hosts
143 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
144 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
145 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
146 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
147 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
148 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
151 super(MethodHolder, cls).tearDownClass()
155 def tearDownClass(cls):
156 super(MethodHolder, cls).tearDownClass()
159 super(MethodHolder, self).setUp()
160 self.reset_packet_infos()
165 Show various debug prints after each test.
167 super(MethodHolder, self).tearDown()
169 def show_commands_at_teardown(self):
170 self.logger.info(self.vapi.ppcli("show interface address"))
171 self.logger.info(self.vapi.ppcli("show hardware"))
172 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
173 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
174 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
175 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
176 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
177 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
178 # print(self.vapi.ppcli("show interface address"))
179 # print(self.vapi.ppcli("show hardware"))
180 # print(self.vapi.ppcli("sh acl-plugin macip interface"))
181 # print(self.vapi.ppcli("sh acl-plugin macip acl"))
184 def macip_acl_dump_debug(self):
185 acls = self.vapi.macip_acl_dump()
188 print("ACL #"+str(acl.acl_index))
193 elif r.is_permit == 0:
195 print(" IP6" if r.is_ipv6 else " IP4",
197 binascii.hexlify(r.src_mac),
198 binascii.hexlify(r.src_mac_mask),
199 unpack('<16B', r.src_ip_addr),
203 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
204 acl_count=1, rules_count=None):
206 if rules_count is None:
208 src_mac = int("220000dead00", 16)
209 for acl in range(2, (acl_count+1) * 2):
211 host = random.choice(self.loop0.remote_hosts)
213 ip4 = host.ip4.split('.')
214 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
216 if ip_type == self.EXACT_IP:
219 elif ip_type == self.WILD_IP:
221 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
224 rules_count[(acl / 2) - 1] = 1
229 if mac_type == self.EXACT_MAC:
230 mask = "ff:ff:ff:ff:ff:ff"
231 elif mac_type == self.WILD_MAC:
232 mask = "00:00:00:00:00:00"
233 elif mac_type == self.OUI_MAC:
234 mask = "ff:ff:ff:00:00:00"
236 mask = "ff:ff:ff:ff:ff:00"
238 ip = ip6 if is_ip6 else ip4
239 ip_len = prefix_len6 if is_ip6 else prefix_len4
241 for i in range(0, rules_count[(acl / 2) - 1]):
243 if mac_type == self.WILD_MAC:
244 mac = "00:00:00:00:00:00"
245 elif mac_type == self.OUI_MAC:
246 mac = ':'.join(re.findall('..', '{:02x}'.format(
247 src_mac))[:3])+":00:00:00"
249 mac = ':'.join(re.findall(
250 '..', '{:02x}'.format(src_mac)))
252 if ip_type == self.EXACT_IP:
253 ip4[3] = random.randint(100, 200)
254 ip6[15] = random.randint(100, 200)
255 elif ip_type == self.SUBNET_IP:
256 ip4[2] = random.randint(100, 200)
258 ip6[8] = random.randint(100, 200)
261 for j in range(0, len(ip)):
262 ip_pack += pack('<B', int(ip[j]))
264 rule = ({'is_permit': self.PERMIT,
266 'src_ip_addr': ip_pack,
267 'src_ip_prefix_len': ip_len,
268 'src_mac': binascii.unhexlify(mac.replace(':', '')),
269 'src_mac_mask': binascii.unhexlify(
270 mask.replace(':', ''))})
272 if ip_type == self.WILD_IP:
276 src_mac += 1099511627776
279 def apply_macip_rules(self, acls):
281 reply = self.vapi.macip_acl_add(acl)
282 self.assertEqual(reply.retval, 0)
283 self.ACLS.append(reply.acl_index)
285 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
286 reply = self.macip_acl_dump_debug()
287 for acl in range(2, (acl_count+1) * 2):
288 self.assertEqual(reply[acl - 2].count, rules_count[acl//2-1])
290 self.vapi.macip_acl_interface_get()
292 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
293 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
295 reply = self.vapi.macip_acl_interface_get()
296 self.assertEqual(reply.count, expected_count)
298 def delete_acls(self):
299 for acl in range(len(self.ACLS)-1, -1, -1):
300 self.vapi.macip_acl_del(self.ACLS[acl])
302 reply = self.vapi.macip_acl_dump()
303 self.assertEqual(len(reply), 0)
305 intf_acls = self.vapi.acl_interface_list_dump()
306 for i_a in intf_acls:
307 sw_if_index = i_a.sw_if_index
308 for acl_index in i_a.acls:
309 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
310 self.vapi.acl_del(acl_index)
312 def create_stream(self, mac_type, ip_type, packet_count,
313 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
314 # exact MAC and exact IP
315 # exact MAC and subnet of IPs
316 # exact MAC and wildcard IP
317 # wildcard MAC and exact IP
318 # wildcard MAC and subnet of IPs
319 # wildcard MAC and wildcard IP
320 # OUI restricted MAC and exact IP
321 # OUI restricted MAC and subnet of IPs
322 # OUI restricted MAC and wildcard IP
330 mac_rule = "00:00:00:00:00:00"
331 mac_mask = "00:00:00:00:00:00"
332 for p in range(0, packet_count):
333 remote_dst_index = p % len(dst_if.remote_hosts)
334 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
338 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
339 denyMAC = True if not is_permit and p % 3 == 1 else False
340 denyIP = True if not is_permit and p % 3 == 2 else False
341 if not is_permit and ip_type == self.WILD_IP:
343 if not is_permit and mac_type == self.WILD_MAC:
346 if traffic == self.BRIDGED:
348 src_mac = remote_dst_host._mac
349 dst_mac = 'de:ad:00:00:00:00'
350 src_ip4 = remote_dst_host.ip4
351 dst_ip4 = src_if.remote_ip4
352 src_ip6 = remote_dst_host.ip6
353 dst_ip6 = src_if.remote_ip6
354 ip_permit = src_ip6 if is_ip6 else src_ip4
357 mac = src_mac.split(':')
358 mac[0] = format(int(mac[0], 16)+1, "02x")
359 src_mac = ":".join(mac)
365 if ip_type != self.WILD_IP:
367 src_ip4 = remote_dst_host.ip4
368 dst_ip4 = src_if.remote_ip4
369 src_ip6 = remote_dst_host.ip6
370 dst_ip6 = src_if.remote_ip6
373 src_mac = remote_dst_host._mac
374 dst_mac = src_if.local_mac
375 src_ip4 = src_if.remote_ip4
376 dst_ip4 = remote_dst_host.ip4
377 src_ip6 = src_if.remote_ip6
378 dst_ip6 = remote_dst_host.ip6
379 ip_permit = src_ip6 if is_ip6 else src_ip4
382 mac = src_mac.split(':')
383 mac[0] = format(int(mac[0], 16) + 1, "02x")
384 src_mac = ":".join(mac)
390 src_mac = remote_dst_host._mac
391 if ip_type != self.WILD_IP:
393 src_ip4 = remote_dst_host.ip4
394 dst_ip4 = src_if.remote_ip4
395 src_ip6 = remote_dst_host.ip6
396 dst_ip6 = src_if.remote_ip6
399 info = self.create_packet_info(src_if, dst_if)
400 payload = self.info_to_payload(info)
402 payload = "to be blocked"
404 if mac_type == self.WILD_MAC:
405 mac = src_mac.split(':')
406 for i in range(1, 5):
407 mac[i] = format(random.randint(0, 255), "02x")
408 src_mac = ":".join(mac)
411 packet = Ether(src=src_mac, dst=dst_mac)
412 ip_rule = src_ip6 if is_ip6 else src_ip4
414 if ip_type != self.EXACT_IP:
415 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
416 if ip_type == self.WILD_IP:
417 sub_ip[0] = random.randint(240, 254)
418 sub_ip[1] = random.randint(230, 239)
419 sub_ip[14] = random.randint(100, 199)
420 sub_ip[15] = random.randint(200, 255)
421 elif ip_type == self.SUBNET_IP:
423 sub_ip[2] = int(sub_ip[2]) + 1
424 sub_ip[14] = random.randint(100, 199)
425 sub_ip[15] = random.randint(200, 255)
426 packed_src_ip6 = b''.join(
427 [scapy.compat.chb(x) for x in sub_ip])
428 src_ip6 = inet_ntop(AF_INET6, packed_src_ip6)
429 packet /= IPv6(src=src_ip6, dst=dst_ip6)
431 if ip_type != self.EXACT_IP:
432 sub_ip = ip_rule.split('.')
433 if ip_type == self.WILD_IP:
434 sub_ip[0] = random.randint(1, 49)
435 sub_ip[1] = random.randint(50, 99)
436 sub_ip[2] = random.randint(100, 199)
437 sub_ip[3] = random.randint(200, 255)
438 elif ip_type == self.SUBNET_IP:
440 sub_ip[1] = int(sub_ip[1])+1
441 sub_ip[2] = random.randint(100, 199)
442 sub_ip[3] = random.randint(200, 255)
443 src_ip4 = '.'.join(['{!s}'.format(x) for x in sub_ip])
444 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
446 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
448 packet[Raw].load += b" mac:%s" % scapy.compat.raw(src_mac)
450 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
451 if isinstance(src_if, VppSubInterface):
453 if isinstance(src_if, VppDot1QSubint):
454 if src_if is self.subifs[0]:
455 if tags == self.PERMIT_TAGS:
456 packet = src_if.add_dot1q_layer(packet, 10)
458 packet = src_if.add_dot1q_layer(packet, 11)
460 if tags == self.PERMIT_TAGS:
461 packet = src_if.add_dot1q_layer(packet, 30)
463 packet = src_if.add_dot1q_layer(packet, 33)
464 elif isinstance(src_if, VppDot1ADSubint):
465 if src_if is self.subifs[1]:
466 if tags == self.PERMIT_TAGS:
467 packet = src_if.add_dot1ad_layer(packet, 300, 400)
469 packet = src_if.add_dot1ad_layer(packet, 333, 444)
471 if tags == self.PERMIT_TAGS:
472 packet = src_if.add_dot1ad_layer(packet, 600, 700)
474 packet = src_if.add_dot1ad_layer(packet, 666, 777)
475 self.extend_packet(packet, size)
476 packets.append(packet)
478 # create suitable MACIP rule
479 if mac_type == self.EXACT_MAC:
481 mac_mask = "ff:ff:ff:ff:ff:ff"
482 elif mac_type == self.WILD_MAC:
483 mac_rule = "00:00:00:00:00:00"
484 mac_mask = "00:00:00:00:00:00"
485 elif mac_type == self.OUI_MAC:
486 mac = src_mac.split(':')
487 mac[3] = mac[4] = mac[5] = '00'
488 mac_rule = ":".join(mac)
489 mac_mask = "ff:ff:ff:00:00:00"
492 if ip_type == self.WILD_IP:
496 if ip_type == self.SUBNET_IP:
497 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
498 for i in range(8, 16):
500 packed_ip = b''.join(
501 [scapy.compat.chb(x) for x in sub_ip])
502 ip = inet_ntop(AF_INET6, packed_ip)
504 if ip_type == self.WILD_IP:
508 if ip_type == self.SUBNET_IP:
509 sub_ip = ip.split('.')
510 sub_ip[2] = sub_ip[3] = '0'
511 ip = ".".join(sub_ip)
513 prefix_len = 128 if is_ip6 else 32
514 if ip_type == self.WILD_IP:
516 elif ip_type == self.SUBNET_IP:
517 prefix_len = 64 if is_ip6 else 16
518 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
520 # create suitable ACL rule
522 rule_l4_sport = packet[UDP].sport
523 rule_l4_dport = packet[UDP].dport
524 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
525 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
526 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
527 if packet.haslayer(IPv6):
528 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
530 rule_l4_proto = packet[IP].proto
533 'is_permit': is_permit,
535 'src_ip_addr': inet_pton(rule_family,
536 packet[rule_l3_layer].src),
537 'src_ip_prefix_len': rule_prefix_len,
538 'dst_ip_addr': inet_pton(rule_family,
539 packet[rule_l3_layer].dst),
540 'dst_ip_prefix_len': rule_prefix_len,
541 'srcport_or_icmptype_first': rule_l4_sport,
542 'srcport_or_icmptype_last': rule_l4_sport,
543 'dstport_or_icmpcode_first': rule_l4_dport,
544 'dstport_or_icmpcode_last': rule_l4_dport,
545 'proto': rule_l4_proto}
546 acl_rules.append(acl_rule)
548 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
553 'is_permit': is_permit,
555 'src_ip_addr': ip_rule,
556 'src_ip_prefix_len': prefix_len,
557 'src_mac': binascii.unhexlify(mac_rule.replace(':', '')),
558 'src_mac_mask': binascii.unhexlify(
559 mac_mask.replace(':', ''))})
560 macip_rules.append(macip_rule)
562 # deny all other packets
563 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
564 macip_rule = ({'is_permit': 0,
567 'src_ip_prefix_len': 0,
570 macip_rules.append(macip_rule)
572 acl_rule = {'is_permit': 0,
574 acl_rules.append(acl_rule)
575 return {'stream': packets,
576 'macip_rules': macip_rules,
577 'acl_rules': acl_rules}
579 def verify_capture(self, stream, capture, is_ip6):
586 # p_l3 = IPv6 if is_ip6 else IP
589 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst)
591 # acls = self.macip_acl_dump_debug()
596 # print(binascii.hexlify(r.src_mac), \
597 # binascii.hexlify(r.src_mac_mask),\
598 # unpack('<16B', r.src_ip_addr), \
599 # r.src_ip_prefix_len)
602 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
603 # data = p[Raw].load.split(':',1)[1])
604 # print(p[p_l3].src, data)
606 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
607 do_not_expected_capture=False, tags=None,
608 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
610 self.reset_packet_infos()
613 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
614 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
618 if tags == self.DOT1Q:
619 if traffic == self.BRIDGED:
620 tx_if = self.subifs[0]
622 src_if = self.subifs[0]
625 tx_if = self.subifs[2]
627 src_if = self.subifs[2]
629 elif tags == self.DOT1AD:
630 if traffic == self.BRIDGED:
631 tx_if = self.subifs[1]
633 src_if = self.subifs[1]
636 tx_if = self.subifs[3]
638 src_if = self.subifs[3]
643 test_dict = self.create_stream(mac_type, ip_type, packets,
650 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
652 reply = self.vapi.acl_add_replace(acl_index=4294967295,
653 r=test_dict['acl_rules'])
654 self.assertEqual(reply.retval, 0)
655 acl_index = reply.acl_index
658 self.vapi.macip_acl_interface_add_del(
659 sw_if_index=tx_if.sw_if_index,
661 reply = self.vapi.macip_acl_interface_get()
662 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
663 self.ACLS.append(reply.acls[tx_if.sw_if_index])
665 self.vapi.acl_interface_add_del(
666 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
668 self.vapi.macip_acl_interface_add_del(
669 sw_if_index=tx_if.sw_if_index,
673 reply = self.vapi.macip_acl_add_replace(
674 test_dict['macip_rules'],
677 reply = self.vapi.acl_add_replace(acl_index=acl_index,
678 r=test_dict['acl_rules'])
679 self.assertEqual(reply.retval, 0)
681 if not isinstance(src_if, VppSubInterface):
682 tx_if.add_stream(test_dict['stream'])
684 tx_if.parent.add_stream(test_dict['stream'])
685 self.pg_enable_capture(self.pg_interfaces)
688 if do_not_expected_capture:
691 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
692 ip_type == self.WILD_IP:
693 capture = rx_if.get_capture(packets)
695 capture = rx_if.get_capture(
696 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
697 self.verify_capture(test_dict['stream'], capture, is_ip6)
699 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
700 acl_index=acl_index, is_add=0)
701 self.vapi.acl_del(acl_index)
703 def run_test_acls(self, mac_type, ip_type, acl_count,
704 rules_count, traffic=None, ip=None):
705 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
707 self.verify_macip_acls(acl_count, rules_count)
709 if traffic is not None:
710 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
713 class TestMACIP_IP4(MethodHolder):
714 """MACIP with IP4 traffic"""
718 super(TestMACIP_IP4, cls).setUpClass()
721 def tearDownClass(cls):
722 super(TestMACIP_IP4, cls).tearDownClass()
724 def test_acl_bridged_ip4_exactMAC_exactIP(self):
725 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
727 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
728 self.BRIDGED, self.IS_IP4, 9)
730 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
731 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
734 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
735 self.BRIDGED, self.IS_IP4, 9)
737 def test_acl_bridged_ip4_exactMAC_wildIP(self):
738 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
741 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
742 self.BRIDGED, self.IS_IP4, 9)
744 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
745 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
748 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
749 self.BRIDGED, self.IS_IP4, 3)
751 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
752 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
755 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
756 self.BRIDGED, self.IS_IP4, 9)
758 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
759 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
762 self.run_traffic(self.OUI_MAC, self.WILD_IP,
763 self.BRIDGED, self.IS_IP4, 9)
765 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
766 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
769 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
770 self.BRIDGED, self.IS_IP4, 9)
772 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
773 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
776 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
777 self.BRIDGED, self.IS_IP4, 9)
779 def test_acl_bridged_ip4_wildMAC_wildIP(self):
780 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
783 self.run_traffic(self.WILD_MAC, self.WILD_IP,
784 self.BRIDGED, self.IS_IP4, 9)
786 def test_acl_routed_ip4_exactMAC_exactIP(self):
787 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
789 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
790 self.ROUTED, self.IS_IP4, 9)
792 def test_acl_routed_ip4_exactMAC_subnetIP(self):
793 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
795 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
796 self.ROUTED, self.IS_IP4, 9)
798 def test_acl_routed_ip4_exactMAC_wildIP(self):
799 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
801 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
802 self.ROUTED, self.IS_IP4, 9)
804 def test_acl_routed_ip4_ouiMAC_exactIP(self):
805 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
808 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
809 self.ROUTED, self.IS_IP4, 9)
811 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
812 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
815 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
816 self.ROUTED, self.IS_IP4, 9)
818 def test_acl_routed_ip4_ouiMAC_wildIP(self):
819 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
822 self.run_traffic(self.OUI_MAC, self.WILD_IP,
823 self.ROUTED, self.IS_IP4, 9)
825 def test_acl_routed_ip4_wildMAC_exactIP(self):
826 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
829 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
830 self.ROUTED, self.IS_IP4, 9)
832 def test_acl_routed_ip4_wildMAC_subnetIP(self):
833 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
836 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
837 self.ROUTED, self.IS_IP4, 9)
839 def test_acl_routed_ip4_wildMAC_wildIP(self):
840 """ IP4 MACIP wildcardMAC|wildIP ACL
843 self.run_traffic(self.WILD_MAC, self.WILD_IP,
844 self.ROUTED, self.IS_IP4, 9)
846 def test_acl_replace_traffic_ip4(self):
847 """ MACIP replace ACL with IP4 traffic
849 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
850 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
851 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
852 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
855 class TestMACIP_IP6(MethodHolder):
856 """MACIP with IP6 traffic"""
860 super(TestMACIP_IP6, cls).setUpClass()
863 def tearDownClass(cls):
864 super(TestMACIP_IP6, cls).tearDownClass()
866 def test_acl_bridged_ip6_exactMAC_exactIP(self):
867 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
870 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
871 self.BRIDGED, self.IS_IP6, 9)
873 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
874 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
877 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
878 self.BRIDGED, self.IS_IP6, 9)
880 def test_acl_bridged_ip6_exactMAC_wildIP(self):
881 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
884 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
885 self.BRIDGED, self.IS_IP6, 9)
887 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
888 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
891 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
892 self.BRIDGED, self.IS_IP6, 9)
894 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
895 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
898 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
899 self.BRIDGED, self.IS_IP6, 9)
901 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
902 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
905 self.run_traffic(self.OUI_MAC, self.WILD_IP,
906 self.BRIDGED, self.IS_IP6, 9)
908 def test_acl_bridged_ip6_wildMAC_exactIP(self):
909 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
912 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
913 self.BRIDGED, self.IS_IP6, 9)
915 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
916 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
919 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
920 self.BRIDGED, self.IS_IP6, 9)
922 def test_acl_bridged_ip6_wildMAC_wildIP(self):
923 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
926 self.run_traffic(self.WILD_MAC, self.WILD_IP,
927 self.BRIDGED, self.IS_IP6, 9)
929 def test_acl_routed_ip6_exactMAC_exactIP(self):
930 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
933 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
934 self.ROUTED, self.IS_IP6, 9)
936 def test_acl_routed_ip6_exactMAC_subnetIP(self):
937 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
940 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
941 self.ROUTED, self.IS_IP6, 9)
943 def test_acl_routed_ip6_exactMAC_wildIP(self):
944 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
947 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
948 self.ROUTED, self.IS_IP6, 9)
950 def test_acl_routed_ip6_ouiMAC_exactIP(self):
951 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
954 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
955 self.ROUTED, self.IS_IP6, 9)
957 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
958 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
961 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
962 self.ROUTED, self.IS_IP6, 9)
964 def test_acl_routed_ip6_ouiMAC_wildIP(self):
965 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
968 self.run_traffic(self.OUI_MAC, self.WILD_IP,
969 self.ROUTED, self.IS_IP6, 9)
971 def test_acl_routed_ip6_wildMAC_exactIP(self):
972 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
975 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
976 self.ROUTED, self.IS_IP6, 9)
978 def test_acl_routed_ip6_wildMAC_subnetIP(self):
979 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
982 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
983 self.ROUTED, self.IS_IP6, 9)
985 def test_acl_routed_ip6_wildMAC_wildIP(self):
986 """ IP6 MACIP wildcardMAC|wildIP ACL
989 self.run_traffic(self.WILD_MAC, self.WILD_IP,
990 self.ROUTED, self.IS_IP6, 9)
992 def test_acl_replace_traffic_ip6(self):
993 """ MACIP replace ACL with IP6 traffic
995 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
996 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
997 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
998 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
1001 class TestMACIP(MethodHolder):
1005 def setUpClass(cls):
1006 super(TestMACIP, cls).setUpClass()
1009 def tearDownClass(cls):
1010 super(TestMACIP, cls).tearDownClass()
1012 def test_acl_1_2(self):
1013 """ MACIP ACL with 2 entries
1016 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
1018 def test_acl_1_5(self):
1019 """ MACIP ACL with 5 entries
1022 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
1024 def test_acl_1_10(self):
1025 """ MACIP ACL with 10 entries
1028 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
1030 def test_acl_1_20(self):
1031 """ MACIP ACL with 20 entries
1034 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
1036 def test_acl_1_50(self):
1037 """ MACIP ACL with 50 entries
1040 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1042 def test_acl_1_100(self):
1043 """ MACIP ACL with 100 entries
1046 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1048 def test_acl_2_X(self):
1049 """ MACIP 2 ACLs each with 100+ entries
1052 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1054 def test_acl_10_X(self):
1055 """ MACIP 10 ACLs each with 100+ entries
1058 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1059 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1061 def test_acl_10_X_traffic_ip4(self):
1062 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1065 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1066 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1067 self.BRIDGED, self.IS_IP4)
1069 def test_acl_10_X_traffic_ip6(self):
1070 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1073 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1074 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1075 self.BRIDGED, self.IS_IP6)
1077 def test_acl_replace(self):
1078 """ MACIP replace ACL
1081 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1082 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
1083 self.apply_macip_rules(r1)
1085 acls_before = self.macip_acl_dump_debug()
1087 # replace acls #2, #3 with new
1088 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1089 self.assertEqual(reply.retval, 0)
1090 self.assertEqual(reply.acl_index, 2)
1091 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1092 self.assertEqual(reply.retval, 0)
1093 self.assertEqual(reply.acl_index, 3)
1095 acls_after = self.macip_acl_dump_debug()
1098 self.assertEqual(len(acls_before), len(acls_after))
1099 for acl1, acl2 in zip(
1100 acls_before[:2]+acls_before[4:],
1101 acls_after[:2]+acls_after[4:]):
1102 self.assertEqual(len(acl1), len(acl2))
1104 self.assertEqual(len(acl1.r), len(acl2.r))
1105 for r1, r2 in zip(acl1.r, acl2.r):
1106 self.assertEqual(len(acl1.r), len(acl2.r))
1107 self.assertEqual(acl1.r, acl2.r)
1108 for acl1, acl2 in zip(
1111 self.assertEqual(len(acl1), len(acl2))
1113 self.assertNotEqual(len(acl1.r), len(acl2.r))
1114 for r1, r2 in zip(acl1.r, acl2.r):
1115 self.assertNotEqual(len(acl1.r), len(acl2.r))
1116 self.assertNotEqual(acl1.r, acl2.r)
1118 def test_delete_intf(self):
1119 """ MACIP ACL delete intf with acl
1122 intf_count = len(self.interfaces)+1
1124 self.apply_macip_rules(self.create_rules(acl_count=3,
1125 rules_count=[3, 5, 4]))
1127 intf.append(VppLoInterface(self))
1128 intf.append(VppLoInterface(self))
1130 sw_if_index0 = intf[0].sw_if_index
1131 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1133 reply = self.vapi.macip_acl_interface_get()
1134 self.assertEqual(reply.count, intf_count+1)
1135 self.assertEqual(reply.acls[sw_if_index0], 1)
1137 sw_if_index1 = intf[1].sw_if_index
1138 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1140 reply = self.vapi.macip_acl_interface_get()
1141 self.assertEqual(reply.count, intf_count+2)
1142 self.assertEqual(reply.acls[sw_if_index1], 0)
1144 intf[0].remove_vpp_config()
1145 reply = self.vapi.macip_acl_interface_get()
1146 self.assertEqual(reply.count, intf_count+2)
1147 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1148 self.assertEqual(reply.acls[sw_if_index1], 0)
1150 intf.append(VppLoInterface(self))
1151 intf.append(VppLoInterface(self))
1152 sw_if_index2 = intf[2].sw_if_index
1153 sw_if_index3 = intf[3].sw_if_index
1154 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1155 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1157 reply = self.vapi.macip_acl_interface_get()
1158 self.assertEqual(reply.count, intf_count+3)
1159 self.assertEqual(reply.acls[sw_if_index1], 0)
1160 self.assertEqual(reply.acls[sw_if_index2], 1)
1161 self.assertEqual(reply.acls[sw_if_index3], 1)
1162 self.logger.info("MACIP ACL on multiple interfaces:")
1163 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1164 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1165 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1166 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1167 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
1169 intf[2].remove_vpp_config()
1170 intf[1].remove_vpp_config()
1172 reply = self.vapi.macip_acl_interface_get()
1173 self.assertEqual(reply.count, intf_count+3)
1174 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1175 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1176 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1177 self.assertEqual(reply.acls[sw_if_index3], 1)
1179 intf[3].remove_vpp_config()
1180 reply = self.vapi.macip_acl_interface_get()
1182 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1185 class TestACL_dot1q_bridged(MethodHolder):
1186 """ACL on dot1q bridged subinterfaces Tests"""
1189 def setUpClass(cls):
1190 super(TestACL_dot1q_bridged, cls).setUpClass()
1193 def tearDownClass(cls):
1194 super(TestACL_dot1q_bridged, cls).tearDownClass()
1196 def test_acl_bridged_ip4_subif_dot1q(self):
1197 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1198 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1199 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1201 def test_acl_bridged_ip6_subif_dot1q(self):
1202 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1203 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1204 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1207 class TestACL_dot1ad_bridged(MethodHolder):
1208 """ACL on dot1ad bridged subinterfaces Tests"""
1211 def setUpClass(cls):
1212 super(TestACL_dot1ad_bridged, cls).setUpClass()
1215 def tearDownClass(cls):
1216 super(TestACL_dot1ad_bridged, cls).tearDownClass()
1218 def test_acl_bridged_ip4_subif_dot1ad(self):
1219 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1220 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1221 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1223 def test_acl_bridged_ip6_subif_dot1ad(self):
1224 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1225 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1226 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1229 class TestACL_dot1q_routed(MethodHolder):
1230 """ACL on dot1q routed subinterfaces Tests"""
1233 def setUpClass(cls):
1234 super(TestACL_dot1q_routed, cls).setUpClass()
1237 def tearDownClass(cls):
1238 super(TestACL_dot1q_routed, cls).tearDownClass()
1240 def test_acl_routed_ip4_subif_dot1q(self):
1241 """ IP4 ACL SubIf Dot1Q routed traffic"""
1242 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1243 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1245 def test_acl_routed_ip6_subif_dot1q(self):
1246 """ IP6 ACL SubIf Dot1Q routed traffic"""
1247 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1248 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1250 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1251 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1252 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1253 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1254 permit_tags=self.DENY_TAGS)
1256 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1257 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1258 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1259 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1260 permit_tags=self.DENY_TAGS)
1263 class TestACL_dot1ad_routed(MethodHolder):
1264 """ACL on dot1ad routed subinterfaces Tests"""
1267 def setUpClass(cls):
1268 super(TestACL_dot1ad_routed, cls).setUpClass()
1271 def tearDownClass(cls):
1272 super(TestACL_dot1ad_routed, cls).tearDownClass()
1274 def test_acl_routed_ip6_subif_dot1ad(self):
1275 """ IP6 ACL SubIf Dot1AD routed traffic"""
1276 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1277 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1279 def test_acl_routed_ip4_subif_dot1ad(self):
1280 """ IP4 ACL SubIf Dot1AD routed traffic"""
1281 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1282 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1284 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1285 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1286 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1287 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1288 permit_tags=self.DENY_TAGS)
1290 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1291 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1292 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1293 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1294 permit_tags=self.DENY_TAGS)
1297 if __name__ == '__main__':
1298 unittest.main(testRunner=VppTestRunner)