2 from __future__ import print_function
3 """ACL plugin - MACIP tests
8 from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
9 from struct import pack, unpack
14 from scapy.packet import Raw
15 from scapy.layers.l2 import Ether
16 from scapy.layers.inet import IP, UDP
17 from scapy.layers.inet6 import IPv6
19 from framework import VppTestCase, VppTestRunner, running_extended_tests
20 from vpp_lo_interface import VppLoInterface
21 from vpp_l2 import L2_PORT_TYPE
22 from vpp_sub_interface import L2_VTR_OP, VppSubInterface, VppDot1QSubint, \
26 class MethodHolder(VppTestCase):
58 Perform standard class setup (defined by class method setUpClass in
59 class VppTestCase) before running the test case, set test case related
60 variables and configure VPP.
62 super(MethodHolder, cls).setUpClass()
64 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
66 cls.remote_hosts_count = 200
69 # create 4 pg interfaces, 1 loopback interface
70 cls.create_pg_interfaces(range(4))
71 cls.create_loopback_interfaces(1)
73 # create 2 subinterfaces
75 VppDot1QSubint(cls, cls.pg1, 10),
76 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
77 VppDot1QSubint(cls, cls.pg3, 30),
78 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
80 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
82 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
83 outer=300, inner=400, push1q=1)
84 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
86 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
87 outer=600, inner=700, push1q=1)
89 cls.interfaces = list(cls.pg_interfaces)
90 cls.interfaces.extend(cls.lo_interfaces)
91 cls.interfaces.extend(cls.subifs)
93 for i in cls.interfaces:
96 # Create BD with MAC learning enabled and put interfaces to this BD
97 cls.vapi.sw_interface_set_l2_bridge(
98 rx_sw_if_index=cls.loop0.sw_if_index, bd_id=cls.bd_id,
99 port_type=L2_PORT_TYPE.BVI)
100 cls.vapi.sw_interface_set_l2_bridge(
101 rx_sw_if_index=cls.pg0.sw_if_index, bd_id=cls.bd_id)
102 cls.vapi.sw_interface_set_l2_bridge(
103 rx_sw_if_index=cls.pg1.sw_if_index, bd_id=cls.bd_id)
104 cls.vapi.sw_interface_set_l2_bridge(
105 rx_sw_if_index=cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
106 cls.vapi.sw_interface_set_l2_bridge(
107 rx_sw_if_index=cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
109 # Configure IPv4/6 addresses on loop interface and routed interface
110 cls.loop0.config_ip4()
111 cls.loop0.config_ip6()
117 # Configure MAC address binding to IPv4 neighbors on loop0
118 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
119 # Modify host mac addresses to have different OUI parts
120 for i in range(2, cls.remote_hosts_count + 2):
121 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
122 mac[2] = format(int(mac[2], 16) + i, "02x")
123 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
125 cls.loop0.configure_ipv4_neighbors()
126 cls.loop0.configure_ipv6_neighbors()
128 # configure MAC address on pg3
129 cls.pg3.resolve_arp()
130 cls.pg3.resolve_ndp()
132 # configure MAC address on subifs
138 # configure MAC address on pg2
139 cls.pg2.resolve_arp()
140 cls.pg2.resolve_ndp()
142 # Loopback BVI interface has remote hosts
143 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
144 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
145 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
146 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
147 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
148 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
151 super(MethodHolder, cls).tearDownClass()
155 def tearDownClass(cls):
156 super(MethodHolder, cls).tearDownClass()
159 super(MethodHolder, self).setUp()
160 self.reset_packet_infos()
165 Show various debug prints after each test.
167 super(MethodHolder, self).tearDown()
168 if not self.vpp_dead:
169 self.logger.info(self.vapi.ppcli("show interface address"))
170 self.logger.info(self.vapi.ppcli("show hardware"))
171 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
172 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
173 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
174 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
175 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
176 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
177 # print(self.vapi.ppcli("show interface address"))
178 # print(self.vapi.ppcli("show hardware"))
179 # print(self.vapi.ppcli("sh acl-plugin macip interface"))
180 # print(self.vapi.ppcli("sh acl-plugin macip acl"))
183 def macip_acl_dump_debug(self):
184 acls = self.vapi.macip_acl_dump()
187 print("ACL #"+str(acl.acl_index))
192 elif r.is_permit == 0:
194 print(" IP6" if r.is_ipv6 else " IP4",
196 binascii.hexlify(r.src_mac),
197 binascii.hexlify(r.src_mac_mask),
198 unpack('<16B', r.src_ip_addr),
202 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
203 acl_count=1, rules_count=None):
205 if rules_count is None:
207 src_mac = int("220000dead00", 16)
208 for acl in range(2, (acl_count+1) * 2):
210 host = random.choice(self.loop0.remote_hosts)
212 ip4 = host.ip4.split('.')
213 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
215 if ip_type == self.EXACT_IP:
218 elif ip_type == self.WILD_IP:
220 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
223 rules_count[(acl / 2) - 1] = 1
228 if mac_type == self.EXACT_MAC:
229 mask = "ff:ff:ff:ff:ff:ff"
230 elif mac_type == self.WILD_MAC:
231 mask = "00:00:00:00:00:00"
232 elif mac_type == self.OUI_MAC:
233 mask = "ff:ff:ff:00:00:00"
235 mask = "ff:ff:ff:ff:ff:00"
237 ip = ip6 if is_ip6 else ip4
238 ip_len = prefix_len6 if is_ip6 else prefix_len4
240 for i in range(0, rules_count[(acl / 2) - 1]):
242 if mac_type == self.WILD_MAC:
243 mac = "00:00:00:00:00:00"
244 elif mac_type == self.OUI_MAC:
245 mac = ':'.join(re.findall('..', '{:02x}'.format(
246 src_mac))[:3])+":00:00:00"
248 mac = ':'.join(re.findall(
249 '..', '{:02x}'.format(src_mac)))
251 if ip_type == self.EXACT_IP:
252 ip4[3] = random.randint(100, 200)
253 ip6[15] = random.randint(100, 200)
254 elif ip_type == self.SUBNET_IP:
255 ip4[2] = random.randint(100, 200)
257 ip6[8] = random.randint(100, 200)
260 for j in range(0, len(ip)):
261 ip_pack += pack('<B', int(ip[j]))
263 rule = ({'is_permit': self.PERMIT,
265 'src_ip_addr': ip_pack,
266 'src_ip_prefix_len': ip_len,
267 'src_mac': binascii.unhexlify(mac.replace(':', '')),
268 'src_mac_mask': binascii.unhexlify(
269 mask.replace(':', ''))})
271 if ip_type == self.WILD_IP:
275 src_mac += 1099511627776
278 def apply_macip_rules(self, acls):
280 reply = self.vapi.macip_acl_add(acl)
281 self.assertEqual(reply.retval, 0)
282 self.ACLS.append(reply.acl_index)
284 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
285 reply = self.macip_acl_dump_debug()
286 for acl in range(2, (acl_count+1) * 2):
287 self.assertEqual(reply[acl - 2].count, rules_count[acl//2-1])
289 self.vapi.macip_acl_interface_get()
291 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
292 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
294 reply = self.vapi.macip_acl_interface_get()
295 self.assertEqual(reply.count, expected_count)
297 def delete_acls(self):
298 for acl in range(len(self.ACLS)-1, -1, -1):
299 self.vapi.macip_acl_del(self.ACLS[acl])
301 reply = self.vapi.macip_acl_dump()
302 self.assertEqual(len(reply), 0)
304 intf_acls = self.vapi.acl_interface_list_dump()
305 for i_a in intf_acls:
306 sw_if_index = i_a.sw_if_index
307 for acl_index in i_a.acls:
308 self.vapi.acl_interface_add_del(sw_if_index, acl_index, 0)
309 self.vapi.acl_del(acl_index)
311 def create_stream(self, mac_type, ip_type, packet_count,
312 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
313 # exact MAC and exact IP
314 # exact MAC and subnet of IPs
315 # exact MAC and wildcard IP
316 # wildcard MAC and exact IP
317 # wildcard MAC and subnet of IPs
318 # wildcard MAC and wildcard IP
319 # OUI restricted MAC and exact IP
320 # OUI restricted MAC and subnet of IPs
321 # OUI restricted MAC and wildcard IP
329 mac_rule = "00:00:00:00:00:00"
330 mac_mask = "00:00:00:00:00:00"
331 for p in range(0, packet_count):
332 remote_dst_index = p % len(dst_if.remote_hosts)
333 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
337 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
338 denyMAC = True if not is_permit and p % 3 == 1 else False
339 denyIP = True if not is_permit and p % 3 == 2 else False
340 if not is_permit and ip_type == self.WILD_IP:
342 if not is_permit and mac_type == self.WILD_MAC:
345 if traffic == self.BRIDGED:
347 src_mac = remote_dst_host._mac
348 dst_mac = 'de:ad:00:00:00:00'
349 src_ip4 = remote_dst_host.ip4
350 dst_ip4 = src_if.remote_ip4
351 src_ip6 = remote_dst_host.ip6
352 dst_ip6 = src_if.remote_ip6
353 ip_permit = src_ip6 if is_ip6 else src_ip4
356 mac = src_mac.split(':')
357 mac[0] = format(int(mac[0], 16)+1, "02x")
358 src_mac = ":".join(mac)
364 if ip_type != self.WILD_IP:
366 src_ip4 = remote_dst_host.ip4
367 dst_ip4 = src_if.remote_ip4
368 src_ip6 = remote_dst_host.ip6
369 dst_ip6 = src_if.remote_ip6
372 src_mac = remote_dst_host._mac
373 dst_mac = src_if.local_mac
374 src_ip4 = src_if.remote_ip4
375 dst_ip4 = remote_dst_host.ip4
376 src_ip6 = src_if.remote_ip6
377 dst_ip6 = remote_dst_host.ip6
378 ip_permit = src_ip6 if is_ip6 else src_ip4
381 mac = src_mac.split(':')
382 mac[0] = format(int(mac[0], 16) + 1, "02x")
383 src_mac = ":".join(mac)
389 src_mac = remote_dst_host._mac
390 if ip_type != self.WILD_IP:
392 src_ip4 = remote_dst_host.ip4
393 dst_ip4 = src_if.remote_ip4
394 src_ip6 = remote_dst_host.ip6
395 dst_ip6 = src_if.remote_ip6
398 info = self.create_packet_info(src_if, dst_if)
399 payload = self.info_to_payload(info)
401 payload = "to be blocked"
403 if mac_type == self.WILD_MAC:
404 mac = src_mac.split(':')
405 for i in range(1, 5):
406 mac[i] = format(random.randint(0, 255), "02x")
407 src_mac = ":".join(mac)
410 packet = Ether(src=src_mac, dst=dst_mac)
411 ip_rule = src_ip6 if is_ip6 else src_ip4
413 if ip_type != self.EXACT_IP:
414 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
415 if ip_type == self.WILD_IP:
416 sub_ip[0] = random.randint(240, 254)
417 sub_ip[1] = random.randint(230, 239)
418 sub_ip[14] = random.randint(100, 199)
419 sub_ip[15] = random.randint(200, 255)
420 elif ip_type == self.SUBNET_IP:
422 sub_ip[2] = int(sub_ip[2]) + 1
423 sub_ip[14] = random.randint(100, 199)
424 sub_ip[15] = random.randint(200, 255)
425 packed_src_ip6 = b''.join(
426 [scapy.compat.chb(x) for x in sub_ip])
427 src_ip6 = inet_ntop(AF_INET6, packed_src_ip6)
428 packet /= IPv6(src=src_ip6, dst=dst_ip6)
430 if ip_type != self.EXACT_IP:
431 sub_ip = ip_rule.split('.')
432 if ip_type == self.WILD_IP:
433 sub_ip[0] = random.randint(1, 49)
434 sub_ip[1] = random.randint(50, 99)
435 sub_ip[2] = random.randint(100, 199)
436 sub_ip[3] = random.randint(200, 255)
437 elif ip_type == self.SUBNET_IP:
439 sub_ip[1] = int(sub_ip[1])+1
440 sub_ip[2] = random.randint(100, 199)
441 sub_ip[3] = random.randint(200, 255)
442 src_ip4 = '.'.join(['{!s}'.format(x) for x in sub_ip])
443 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
445 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
447 packet[Raw].load += b" mac:%s" % scapy.compat.raw(src_mac)
449 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
450 if isinstance(src_if, VppSubInterface):
452 if isinstance(src_if, VppDot1QSubint):
453 if src_if is self.subifs[0]:
454 if tags == self.PERMIT_TAGS:
455 packet = src_if.add_dot1q_layer(packet, 10)
457 packet = src_if.add_dot1q_layer(packet, 11)
459 if tags == self.PERMIT_TAGS:
460 packet = src_if.add_dot1q_layer(packet, 30)
462 packet = src_if.add_dot1q_layer(packet, 33)
463 elif isinstance(src_if, VppDot1ADSubint):
464 if src_if is self.subifs[1]:
465 if tags == self.PERMIT_TAGS:
466 packet = src_if.add_dot1ad_layer(packet, 300, 400)
468 packet = src_if.add_dot1ad_layer(packet, 333, 444)
470 if tags == self.PERMIT_TAGS:
471 packet = src_if.add_dot1ad_layer(packet, 600, 700)
473 packet = src_if.add_dot1ad_layer(packet, 666, 777)
474 self.extend_packet(packet, size)
475 packets.append(packet)
477 # create suitable MACIP rule
478 if mac_type == self.EXACT_MAC:
480 mac_mask = "ff:ff:ff:ff:ff:ff"
481 elif mac_type == self.WILD_MAC:
482 mac_rule = "00:00:00:00:00:00"
483 mac_mask = "00:00:00:00:00:00"
484 elif mac_type == self.OUI_MAC:
485 mac = src_mac.split(':')
486 mac[3] = mac[4] = mac[5] = '00'
487 mac_rule = ":".join(mac)
488 mac_mask = "ff:ff:ff:00:00:00"
491 if ip_type == self.WILD_IP:
495 if ip_type == self.SUBNET_IP:
496 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
497 for i in range(8, 16):
499 packed_ip = b''.join(
500 [scapy.compat.chb(x) for x in sub_ip])
501 ip = inet_ntop(AF_INET6, packed_ip)
503 if ip_type == self.WILD_IP:
507 if ip_type == self.SUBNET_IP:
508 sub_ip = ip.split('.')
509 sub_ip[2] = sub_ip[3] = '0'
510 ip = ".".join(sub_ip)
512 prefix_len = 128 if is_ip6 else 32
513 if ip_type == self.WILD_IP:
515 elif ip_type == self.SUBNET_IP:
516 prefix_len = 64 if is_ip6 else 16
517 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
519 # create suitable ACL rule
521 rule_l4_sport = packet[UDP].sport
522 rule_l4_dport = packet[UDP].dport
523 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
524 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
525 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
526 if packet.haslayer(IPv6):
527 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
529 rule_l4_proto = packet[IP].proto
532 'is_permit': is_permit,
534 'src_ip_addr': inet_pton(rule_family,
535 packet[rule_l3_layer].src),
536 'src_ip_prefix_len': rule_prefix_len,
537 'dst_ip_addr': inet_pton(rule_family,
538 packet[rule_l3_layer].dst),
539 'dst_ip_prefix_len': rule_prefix_len,
540 'srcport_or_icmptype_first': rule_l4_sport,
541 'srcport_or_icmptype_last': rule_l4_sport,
542 'dstport_or_icmpcode_first': rule_l4_dport,
543 'dstport_or_icmpcode_last': rule_l4_dport,
544 'proto': rule_l4_proto}
545 acl_rules.append(acl_rule)
547 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
552 'is_permit': is_permit,
554 'src_ip_addr': ip_rule,
555 'src_ip_prefix_len': prefix_len,
556 'src_mac': binascii.unhexlify(mac_rule.replace(':', '')),
557 'src_mac_mask': binascii.unhexlify(
558 mac_mask.replace(':', ''))})
559 macip_rules.append(macip_rule)
561 # deny all other packets
562 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
563 macip_rule = ({'is_permit': 0,
566 'src_ip_prefix_len': 0,
569 macip_rules.append(macip_rule)
571 acl_rule = {'is_permit': 0,
573 acl_rules.append(acl_rule)
574 return {'stream': packets,
575 'macip_rules': macip_rules,
576 'acl_rules': acl_rules}
578 def verify_capture(self, stream, capture, is_ip6):
585 # p_l3 = IPv6 if is_ip6 else IP
588 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst)
590 # acls = self.macip_acl_dump_debug()
595 # print(binascii.hexlify(r.src_mac), \
596 # binascii.hexlify(r.src_mac_mask),\
597 # unpack('<16B', r.src_ip_addr), \
598 # r.src_ip_prefix_len)
601 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
602 # data = p[Raw].load.split(':',1)[1])
603 # print(p[p_l3].src, data)
605 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
606 do_not_expected_capture=False, tags=None,
607 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
609 self.reset_packet_infos()
612 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
613 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
617 if tags == self.DOT1Q:
618 if traffic == self.BRIDGED:
619 tx_if = self.subifs[0]
621 src_if = self.subifs[0]
624 tx_if = self.subifs[2]
626 src_if = self.subifs[2]
628 elif tags == self.DOT1AD:
629 if traffic == self.BRIDGED:
630 tx_if = self.subifs[1]
632 src_if = self.subifs[1]
635 tx_if = self.subifs[3]
637 src_if = self.subifs[3]
642 test_dict = self.create_stream(mac_type, ip_type, packets,
649 reply = self.vapi.macip_acl_add(test_dict['macip_rules'])
651 reply = self.vapi.acl_add_replace(acl_index=4294967295,
652 r=test_dict['acl_rules'])
653 self.assertEqual(reply.retval, 0)
654 acl_index = reply.acl_index
657 self.vapi.macip_acl_interface_add_del(
658 sw_if_index=tx_if.sw_if_index,
660 reply = self.vapi.macip_acl_interface_get()
661 self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
662 self.ACLS.append(reply.acls[tx_if.sw_if_index])
664 self.vapi.acl_interface_add_del(
665 sw_if_index=tx_if.sw_if_index, acl_index=acl_index)
667 self.vapi.macip_acl_interface_add_del(
668 sw_if_index=tx_if.sw_if_index,
672 reply = self.vapi.macip_acl_add_replace(
673 test_dict['macip_rules'],
676 reply = self.vapi.acl_add_replace(acl_index=acl_index,
677 r=test_dict['acl_rules'])
678 self.assertEqual(reply.retval, 0)
680 if not isinstance(src_if, VppSubInterface):
681 tx_if.add_stream(test_dict['stream'])
683 tx_if.parent.add_stream(test_dict['stream'])
684 self.pg_enable_capture(self.pg_interfaces)
687 if do_not_expected_capture:
690 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
691 ip_type == self.WILD_IP:
692 capture = rx_if.get_capture(packets)
694 capture = rx_if.get_capture(
695 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
696 self.verify_capture(test_dict['stream'], capture, is_ip6)
698 self.vapi.acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
699 acl_index=acl_index, is_add=0)
700 self.vapi.acl_del(acl_index)
702 def run_test_acls(self, mac_type, ip_type, acl_count,
703 rules_count, traffic=None, ip=None):
704 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
706 self.verify_macip_acls(acl_count, rules_count)
708 if traffic is not None:
709 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
712 class TestMACIP_IP4(MethodHolder):
713 """MACIP with IP4 traffic"""
717 super(TestMACIP_IP4, cls).setUpClass()
720 def tearDownClass(cls):
721 super(TestMACIP_IP4, cls).tearDownClass()
723 def test_acl_bridged_ip4_exactMAC_exactIP(self):
724 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
726 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
727 self.BRIDGED, self.IS_IP4, 9)
729 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
730 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
733 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
734 self.BRIDGED, self.IS_IP4, 9)
736 def test_acl_bridged_ip4_exactMAC_wildIP(self):
737 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
740 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
741 self.BRIDGED, self.IS_IP4, 9)
743 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
744 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
747 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
748 self.BRIDGED, self.IS_IP4, 3)
750 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
751 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
754 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
755 self.BRIDGED, self.IS_IP4, 9)
757 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
758 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
761 self.run_traffic(self.OUI_MAC, self.WILD_IP,
762 self.BRIDGED, self.IS_IP4, 9)
764 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
765 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
768 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
769 self.BRIDGED, self.IS_IP4, 9)
771 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
772 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
775 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
776 self.BRIDGED, self.IS_IP4, 9)
778 def test_acl_bridged_ip4_wildMAC_wildIP(self):
779 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
782 self.run_traffic(self.WILD_MAC, self.WILD_IP,
783 self.BRIDGED, self.IS_IP4, 9)
785 def test_acl_routed_ip4_exactMAC_exactIP(self):
786 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
788 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
789 self.ROUTED, self.IS_IP4, 9)
791 def test_acl_routed_ip4_exactMAC_subnetIP(self):
792 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
794 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
795 self.ROUTED, self.IS_IP4, 9)
797 def test_acl_routed_ip4_exactMAC_wildIP(self):
798 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
800 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
801 self.ROUTED, self.IS_IP4, 9)
803 def test_acl_routed_ip4_ouiMAC_exactIP(self):
804 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
807 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
808 self.ROUTED, self.IS_IP4, 9)
810 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
811 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
814 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
815 self.ROUTED, self.IS_IP4, 9)
817 def test_acl_routed_ip4_ouiMAC_wildIP(self):
818 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
821 self.run_traffic(self.OUI_MAC, self.WILD_IP,
822 self.ROUTED, self.IS_IP4, 9)
824 def test_acl_routed_ip4_wildMAC_exactIP(self):
825 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
828 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
829 self.ROUTED, self.IS_IP4, 9)
831 def test_acl_routed_ip4_wildMAC_subnetIP(self):
832 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
835 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
836 self.ROUTED, self.IS_IP4, 9)
838 def test_acl_routed_ip4_wildMAC_wildIP(self):
839 """ IP4 MACIP wildcardMAC|wildIP ACL
842 self.run_traffic(self.WILD_MAC, self.WILD_IP,
843 self.ROUTED, self.IS_IP4, 9)
845 def test_acl_replace_traffic_ip4(self):
846 """ MACIP replace ACL with IP4 traffic
848 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
849 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
850 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
851 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
854 class TestMACIP_IP6(MethodHolder):
855 """MACIP with IP6 traffic"""
859 super(TestMACIP_IP6, cls).setUpClass()
862 def tearDownClass(cls):
863 super(TestMACIP_IP6, cls).tearDownClass()
865 def test_acl_bridged_ip6_exactMAC_exactIP(self):
866 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
869 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
870 self.BRIDGED, self.IS_IP6, 9)
872 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
873 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
876 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
877 self.BRIDGED, self.IS_IP6, 9)
879 def test_acl_bridged_ip6_exactMAC_wildIP(self):
880 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
883 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
884 self.BRIDGED, self.IS_IP6, 9)
886 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
887 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
890 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
891 self.BRIDGED, self.IS_IP6, 9)
893 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
894 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
897 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
898 self.BRIDGED, self.IS_IP6, 9)
900 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
901 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
904 self.run_traffic(self.OUI_MAC, self.WILD_IP,
905 self.BRIDGED, self.IS_IP6, 9)
907 def test_acl_bridged_ip6_wildMAC_exactIP(self):
908 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
911 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
912 self.BRIDGED, self.IS_IP6, 9)
914 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
915 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
918 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
919 self.BRIDGED, self.IS_IP6, 9)
921 def test_acl_bridged_ip6_wildMAC_wildIP(self):
922 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
925 self.run_traffic(self.WILD_MAC, self.WILD_IP,
926 self.BRIDGED, self.IS_IP6, 9)
928 def test_acl_routed_ip6_exactMAC_exactIP(self):
929 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
932 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
933 self.ROUTED, self.IS_IP6, 9)
935 def test_acl_routed_ip6_exactMAC_subnetIP(self):
936 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
939 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
940 self.ROUTED, self.IS_IP6, 9)
942 def test_acl_routed_ip6_exactMAC_wildIP(self):
943 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
946 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
947 self.ROUTED, self.IS_IP6, 9)
949 def test_acl_routed_ip6_ouiMAC_exactIP(self):
950 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
953 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
954 self.ROUTED, self.IS_IP6, 9)
956 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
957 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
960 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
961 self.ROUTED, self.IS_IP6, 9)
963 def test_acl_routed_ip6_ouiMAC_wildIP(self):
964 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
967 self.run_traffic(self.OUI_MAC, self.WILD_IP,
968 self.ROUTED, self.IS_IP6, 9)
970 def test_acl_routed_ip6_wildMAC_exactIP(self):
971 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
974 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
975 self.ROUTED, self.IS_IP6, 9)
977 def test_acl_routed_ip6_wildMAC_subnetIP(self):
978 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
981 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
982 self.ROUTED, self.IS_IP6, 9)
984 def test_acl_routed_ip6_wildMAC_wildIP(self):
985 """ IP6 MACIP wildcardMAC|wildIP ACL
988 self.run_traffic(self.WILD_MAC, self.WILD_IP,
989 self.ROUTED, self.IS_IP6, 9)
991 def test_acl_replace_traffic_ip6(self):
992 """ MACIP replace ACL with IP6 traffic
994 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
995 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
996 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
997 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
1000 class TestMACIP(MethodHolder):
1004 def setUpClass(cls):
1005 super(TestMACIP, cls).setUpClass()
1008 def tearDownClass(cls):
1009 super(TestMACIP, cls).tearDownClass()
1011 def test_acl_1_2(self):
1012 """ MACIP ACL with 2 entries
1015 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
1017 def test_acl_1_5(self):
1018 """ MACIP ACL with 5 entries
1021 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
1023 def test_acl_1_10(self):
1024 """ MACIP ACL with 10 entries
1027 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
1029 def test_acl_1_20(self):
1030 """ MACIP ACL with 20 entries
1033 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
1035 def test_acl_1_50(self):
1036 """ MACIP ACL with 50 entries
1039 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1041 def test_acl_1_100(self):
1042 """ MACIP ACL with 100 entries
1045 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1047 def test_acl_2_X(self):
1048 """ MACIP 2 ACLs each with 100+ entries
1051 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1053 def test_acl_10_X(self):
1054 """ MACIP 10 ACLs each with 100+ entries
1057 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1058 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1060 def test_acl_10_X_traffic_ip4(self):
1061 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1064 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1065 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1066 self.BRIDGED, self.IS_IP4)
1068 def test_acl_10_X_traffic_ip6(self):
1069 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1072 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1073 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1074 self.BRIDGED, self.IS_IP6)
1076 def test_acl_replace(self):
1077 """ MACIP replace ACL
1080 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1081 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
1082 self.apply_macip_rules(r1)
1084 acls_before = self.macip_acl_dump_debug()
1086 # replace acls #2, #3 with new
1087 reply = self.vapi.macip_acl_add_replace(r2[0], 2)
1088 self.assertEqual(reply.retval, 0)
1089 self.assertEqual(reply.acl_index, 2)
1090 reply = self.vapi.macip_acl_add_replace(r2[1], 3)
1091 self.assertEqual(reply.retval, 0)
1092 self.assertEqual(reply.acl_index, 3)
1094 acls_after = self.macip_acl_dump_debug()
1097 self.assertEqual(len(acls_before), len(acls_after))
1098 for acl1, acl2 in zip(
1099 acls_before[:2]+acls_before[4:],
1100 acls_after[:2]+acls_after[4:]):
1101 self.assertEqual(len(acl1), len(acl2))
1103 self.assertEqual(len(acl1.r), len(acl2.r))
1104 for r1, r2 in zip(acl1.r, acl2.r):
1105 self.assertEqual(len(acl1.r), len(acl2.r))
1106 self.assertEqual(acl1.r, acl2.r)
1107 for acl1, acl2 in zip(
1110 self.assertEqual(len(acl1), len(acl2))
1112 self.assertNotEqual(len(acl1.r), len(acl2.r))
1113 for r1, r2 in zip(acl1.r, acl2.r):
1114 self.assertNotEqual(len(acl1.r), len(acl2.r))
1115 self.assertNotEqual(acl1.r, acl2.r)
1117 def test_delete_intf(self):
1118 """ MACIP ACL delete intf with acl
1121 intf_count = len(self.interfaces)+1
1123 self.apply_macip_rules(self.create_rules(acl_count=3,
1124 rules_count=[3, 5, 4]))
1126 intf.append(VppLoInterface(self))
1127 intf.append(VppLoInterface(self))
1129 sw_if_index0 = intf[0].sw_if_index
1130 self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
1132 reply = self.vapi.macip_acl_interface_get()
1133 self.assertEqual(reply.count, intf_count+1)
1134 self.assertEqual(reply.acls[sw_if_index0], 1)
1136 sw_if_index1 = intf[1].sw_if_index
1137 self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
1139 reply = self.vapi.macip_acl_interface_get()
1140 self.assertEqual(reply.count, intf_count+2)
1141 self.assertEqual(reply.acls[sw_if_index1], 0)
1143 intf[0].remove_vpp_config()
1144 reply = self.vapi.macip_acl_interface_get()
1145 self.assertEqual(reply.count, intf_count+2)
1146 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1147 self.assertEqual(reply.acls[sw_if_index1], 0)
1149 intf.append(VppLoInterface(self))
1150 intf.append(VppLoInterface(self))
1151 sw_if_index2 = intf[2].sw_if_index
1152 sw_if_index3 = intf[3].sw_if_index
1153 self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
1154 self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
1156 reply = self.vapi.macip_acl_interface_get()
1157 self.assertEqual(reply.count, intf_count+3)
1158 self.assertEqual(reply.acls[sw_if_index1], 0)
1159 self.assertEqual(reply.acls[sw_if_index2], 1)
1160 self.assertEqual(reply.acls[sw_if_index3], 1)
1161 self.logger.info("MACIP ACL on multiple interfaces:")
1162 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1163 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1164 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1165 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1166 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
1168 intf[2].remove_vpp_config()
1169 intf[1].remove_vpp_config()
1171 reply = self.vapi.macip_acl_interface_get()
1172 self.assertEqual(reply.count, intf_count+3)
1173 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1174 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1175 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1176 self.assertEqual(reply.acls[sw_if_index3], 1)
1178 intf[3].remove_vpp_config()
1179 reply = self.vapi.macip_acl_interface_get()
1181 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1184 class TestACL_dot1q_bridged(MethodHolder):
1185 """ACL on dot1q bridged subinterfaces Tests"""
1188 def setUpClass(cls):
1189 super(TestACL_dot1q_bridged, cls).setUpClass()
1192 def tearDownClass(cls):
1193 super(TestACL_dot1q_bridged, cls).tearDownClass()
1195 def test_acl_bridged_ip4_subif_dot1q(self):
1196 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1197 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1198 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1200 def test_acl_bridged_ip6_subif_dot1q(self):
1201 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1202 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1203 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1206 class TestACL_dot1ad_bridged(MethodHolder):
1207 """ACL on dot1ad bridged subinterfaces Tests"""
1210 def setUpClass(cls):
1211 super(TestACL_dot1ad_bridged, cls).setUpClass()
1214 def tearDownClass(cls):
1215 super(TestACL_dot1ad_bridged, cls).tearDownClass()
1217 def test_acl_bridged_ip4_subif_dot1ad(self):
1218 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1219 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1220 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1222 def test_acl_bridged_ip6_subif_dot1ad(self):
1223 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1224 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1225 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1228 class TestACL_dot1q_routed(MethodHolder):
1229 """ACL on dot1q routed subinterfaces Tests"""
1232 def setUpClass(cls):
1233 super(TestACL_dot1q_routed, cls).setUpClass()
1236 def tearDownClass(cls):
1237 super(TestACL_dot1q_routed, cls).tearDownClass()
1239 def test_acl_routed_ip4_subif_dot1q(self):
1240 """ IP4 ACL SubIf Dot1Q routed traffic"""
1241 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1242 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1244 def test_acl_routed_ip6_subif_dot1q(self):
1245 """ IP6 ACL SubIf Dot1Q routed traffic"""
1246 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1247 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1249 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1250 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1251 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1252 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1253 permit_tags=self.DENY_TAGS)
1255 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1256 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1257 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1258 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1259 permit_tags=self.DENY_TAGS)
1262 class TestACL_dot1ad_routed(MethodHolder):
1263 """ACL on dot1ad routed subinterfaces Tests"""
1266 def setUpClass(cls):
1267 super(TestACL_dot1ad_routed, cls).setUpClass()
1270 def tearDownClass(cls):
1271 super(TestACL_dot1ad_routed, cls).tearDownClass()
1273 def test_acl_routed_ip6_subif_dot1ad(self):
1274 """ IP6 ACL SubIf Dot1AD routed traffic"""
1275 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1276 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1278 def test_acl_routed_ip4_subif_dot1ad(self):
1279 """ IP4 ACL SubIf Dot1AD routed traffic"""
1280 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1281 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1283 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1284 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1285 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1286 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1287 permit_tags=self.DENY_TAGS)
1289 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1290 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1291 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1292 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1293 permit_tags=self.DENY_TAGS)
1296 if __name__ == '__main__':
1297 unittest.main(testRunner=VppTestRunner)