ip: allow addrs from the same prefix on intf

[vpp.git] / test / test_acl_plugin.py
diff --git a/test/test_acl_plugin.py b/test/test_acl_plugin.py

index 5ccfa39..eca0231 100644 (file)
--- a/test/test_acl_plugin.py
+++ b/test/test_acl_plugin.py
@@ -103,8 +103,8 @@ class TestACLplugin(VppTestCase):
              cls.vapi.bridge_domain_add_del(bd_id=cls.bd_id, uu_flood=1,
                                             learn=1)
              for pg_if in cls.pg_interfaces:
-                cls.vapi.sw_interface_set_l2_bridge(pg_if.sw_if_index,
-                                                    bd_id=cls.bd_id)
+                cls.vapi.sw_interface_set_l2_bridge(
+                    rx_sw_if_index=pg_if.sw_if_index, bd_id=cls.bd_id)
  
              # Set up all interfaces
              for i in cls.pg_interfaces:
@@ -144,6 +144,10 @@ class TestACLplugin(VppTestCase):
              super(TestACLplugin, cls).tearDownClass()
              raise
  
+    @classmethod
+    def tearDownClass(cls):
+        super(TestACLplugin, cls).tearDownClass()
+
      def setUp(self):
          super(TestACLplugin, self).setUp()
          self.reset_packet_infos()
@@ -153,21 +157,22 @@ class TestACLplugin(VppTestCase):
          Show various debug prints after each test.
          """
          super(TestACLplugin, self).tearDown()
-        if not self.vpp_dead:
-            cli = "show vlib graph l2-input-feat-arc"
-            self.logger.info(self.vapi.ppcli(cli))
-            cli = "show vlib graph l2-input-feat-arc-end"
-            self.logger.info(self.vapi.ppcli(cli))
-            cli = "show vlib graph l2-output-feat-arc"
-            self.logger.info(self.vapi.ppcli(cli))
-            cli = "show vlib graph l2-output-feat-arc-end"
-            self.logger.info(self.vapi.ppcli(cli))
-            self.logger.info(self.vapi.ppcli("show l2fib verbose"))
-            self.logger.info(self.vapi.ppcli("show acl-plugin acl"))
-            self.logger.info(self.vapi.ppcli("show acl-plugin interface"))
-            self.logger.info(self.vapi.ppcli("show acl-plugin tables"))
-            self.logger.info(self.vapi.ppcli("show bridge-domain %s detail"
-                                             % self.bd_id))
+
+    def show_commands_at_teardown(self):
+        cli = "show vlib graph l2-input-feat-arc"
+        self.logger.info(self.vapi.ppcli(cli))
+        cli = "show vlib graph l2-input-feat-arc-end"
+        self.logger.info(self.vapi.ppcli(cli))
+        cli = "show vlib graph l2-output-feat-arc"
+        self.logger.info(self.vapi.ppcli(cli))
+        cli = "show vlib graph l2-output-feat-arc-end"
+        self.logger.info(self.vapi.ppcli(cli))
+        self.logger.info(self.vapi.ppcli("show l2fib verbose"))
+        self.logger.info(self.vapi.ppcli("show acl-plugin acl"))
+        self.logger.info(self.vapi.ppcli("show acl-plugin interface"))
+        self.logger.info(self.vapi.ppcli("show acl-plugin tables"))
+        self.logger.info(self.vapi.ppcli("show bridge-domain %s detail"
+                                         % self.bd_id))
  
      def create_rule(self, ip=0, permit_deny=0, ports=PORTS_ALL, proto=-1,
                      s_prefix=0, s_ip='\x00\x00\x00\x00',
@@ -238,7 +243,7 @@ class TestACLplugin(VppTestCase):
                   'dst_ip_addr': d_ip})
          return rule
  
-    def apply_rules(self, rules, tag=''):
+    def apply_rules(self, rules, tag=b''):
          reply = self.vapi.acl_add_replace(acl_index=4294967295, r=rules,
                                            tag=tag)
          self.logger.info("Dumped ACL: " + str(
@@ -248,9 +253,9 @@ class TestACLplugin(VppTestCase):
              self.vapi.acl_interface_set_acl_list(sw_if_index=i.sw_if_index,
                                                   n_input=1,
                                                   acls=[reply.acl_index])
-        return
+        return reply.acl_index
  
-    def apply_rules_to(self, rules, tag='', sw_if_index=0xFFFFFFFF):
+    def apply_rules_to(self, rules, tag=b'', sw_if_index=0xFFFFFFFF):
          reply = self.vapi.acl_add_replace(acl_index=4294967295, r=rules,
                                            tag=tag)
          self.logger.info("Dumped ACL: " + str(
@@ -259,7 +264,7 @@ class TestACLplugin(VppTestCase):
          self.vapi.acl_interface_set_acl_list(sw_if_index=sw_if_index,
                                               n_input=1,
                                               acls=[reply.acl_index])
-        return
+        return reply.acl_index
  
      def etype_whitelist(self, whitelist, n_input):
          # Apply whitelists on all the interfaces
@@ -380,10 +385,10 @@ class TestACLplugin(VppTestCase):
                  # Raw data for ICMPv6 are stored in ICMPv6EchoRequest.data
                  if traffic_type == self.ICMP and ip_type == self.IPV6:
                      payload_info = self.payload_to_info(
-                        packet[ICMPv6EchoRequest].data)
+                        packet[ICMPv6EchoRequest], 'data')
                      payload = packet[ICMPv6EchoRequest]
                  else:
-                    payload_info = self.payload_to_info(str(packet[Raw]))
+                    payload_info = self.payload_to_info(packet[Raw])
                      payload = packet[self.proto_map[payload_info.proto]]
              except:
                  self.logger.error(ppp("Unexpected or invalid packet "
@@ -542,14 +547,14 @@ class TestACLplugin(VppTestCase):
                'srcport_or_icmptype_first': 1234,
                'srcport_or_icmptype_last': 1235,
                'src_ip_prefix_len': 0,
-              'src_ip_addr': '\x00\x00\x00\x00',
+              'src_ip_addr': b'\x00\x00\x00\x00',
                'dstport_or_icmpcode_first': 1234,
                'dstport_or_icmpcode_last': 1234,
-              'dst_ip_addr': '\x00\x00\x00\x00',
+              'dst_ip_addr': b'\x00\x00\x00\x00',
                'dst_ip_prefix_len': 0}]
          # Test 1: add a new ACL
          reply = self.vapi.acl_add_replace(acl_index=4294967295, r=r,
-                                          tag="permit 1234")
+                                          tag=b"permit 1234")
          self.assertEqual(reply.retval, 0)
          # The very first ACL gets #0
          self.assertEqual(reply.acl_index, 0)
@@ -572,23 +577,23 @@ class TestACLplugin(VppTestCase):
                     'srcport_or_icmptype_first': 1234,
                     'srcport_or_icmptype_last': 1235,
                     'src_ip_prefix_len': 0,
-                   'src_ip_addr': '\x00\x00\x00\x00',
+                   'src_ip_addr': b'\x00\x00\x00\x00',
                     'dstport_or_icmpcode_first': 1234,
                     'dstport_or_icmpcode_last': 1234,
-                   'dst_ip_addr': '\x00\x00\x00\x00',
+                   'dst_ip_addr': b'\x00\x00\x00\x00',
                     'dst_ip_prefix_len': 0},
                    {'is_permit': 1, 'is_ipv6': 0, 'proto': 17,
                     'srcport_or_icmptype_first': 0,
                     'srcport_or_icmptype_last': 0,
                     'src_ip_prefix_len': 0,
-                   'src_ip_addr': '\x00\x00\x00\x00',
+                   'src_ip_addr': b'\x00\x00\x00\x00',
                     'dstport_or_icmpcode_first': 0,
                     'dstport_or_icmpcode_last': 0,
-                   'dst_ip_addr': '\x00\x00\x00\x00',
+                   'dst_ip_addr': b'\x00\x00\x00\x00',
                     'dst_ip_prefix_len': 0}]
  
          reply = self.vapi.acl_add_replace(acl_index=4294967295, r=r_deny,
-                                          tag="deny 1234;permit all")
+                                          tag=b"deny 1234;permit all")
          self.assertEqual(reply.retval, 0)
          # The second ACL gets #1
          self.assertEqual(reply.acl_index, 1)
@@ -596,7 +601,7 @@ class TestACLplugin(VppTestCase):
  
          # Test 2: try to modify a nonexistent ACL
          reply = self.vapi.acl_add_replace(acl_index=432, r=r,
-                                          tag="FFFF:FFFF", expected_retval=-6)
+                                          tag=b"FFFF:FFFF", expected_retval=-6)
          self.assertEqual(reply.retval, -6)
          # The ACL number should pass through
          self.assertEqual(reply.acl_index, 432)
@@ -642,10 +647,27 @@ class TestACLplugin(VppTestCase):
                       0, self.proto[self.IP][self.TCP]))
  
          # Apply rules
-        self.apply_rules(rules, "permit per-flow")
+        acl_idx = self.apply_rules(rules, b"permit per-flow")
+
+        # enable counters
+        reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
  
          # Traffic should still pass
          self.run_verify_test(self.IP, self.IPV4, -1)
+
+        matches = self.statistics.get_counter('/acl/%d/matches' % acl_idx)
+        self.logger.info("stat segment counters: %s" % repr(matches))
+        cli = "show acl-plugin acl"
+        self.logger.info(self.vapi.ppcli(cli))
+        cli = "show acl-plugin tables"
+        self.logger.info(self.vapi.ppcli(cli))
+
+        total_hits = matches[0][0]['packets'] + matches[0][1]['packets']
+        self.assertEqual(total_hits, 64)
+
+        # disable counters
+        reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=0)
+
          self.logger.info("ACLP_TEST_FINISH_0002")
  
      def test_0003_acl_deny_apply(self):
@@ -661,13 +683,26 @@ class TestACLplugin(VppTestCase):
                                        self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "deny per-flow;permit all")
+        acl_idx = self.apply_rules(rules, b"deny per-flow;permit all")
+
+        # enable counters
+        reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
  
          # Traffic should not pass
          self.run_verify_negat_test(self.IP, self.IPV4,
                                     self.proto[self.IP][self.UDP])
+
+        matches = self.statistics.get_counter('/acl/%d/matches' % acl_idx)
+        self.logger.info("stat segment counters: %s" % repr(matches))
+        cli = "show acl-plugin acl"
+        self.logger.info(self.vapi.ppcli(cli))
+        cli = "show acl-plugin tables"
+        self.logger.info(self.vapi.ppcli(cli))
+        self.assertEqual(matches[0][0]['packets'], 64)
+        # disable counters
+        reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=0)
          self.logger.info("ACLP_TEST_FINISH_0003")
-        # self.assertEqual(1, 0)
+        # self.assertEqual(, 0)
  
      def test_0004_vpp624_permit_icmpv4(self):
          """ VPP_624 permit ICMPv4
@@ -682,7 +717,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit icmpv4")
+        self.apply_rules(rules, b"permit icmpv4")
  
          # Traffic should still pass
          self.run_verify_test(self.ICMP, self.IPV4,
@@ -703,7 +738,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit icmpv6")
+        self.apply_rules(rules, b"permit icmpv6")
  
          # Traffic should still pass
          self.run_verify_test(self.ICMP, self.IPV6,
@@ -724,7 +759,7 @@ class TestACLplugin(VppTestCase):
                                        self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "deny icmpv4")
+        self.apply_rules(rules, b"deny icmpv4")
  
          # Traffic should not pass
          self.run_verify_negat_test(self.ICMP, self.IPV4, 0)
@@ -744,7 +779,7 @@ class TestACLplugin(VppTestCase):
                                        self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "deny icmpv6")
+        self.apply_rules(rules, b"deny icmpv6")
  
          # Traffic should not pass
          self.run_verify_negat_test(self.ICMP, self.IPV6, 0)
@@ -764,7 +799,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ipv4 tcp")
+        self.apply_rules(rules, b"permit ipv4 tcp")
  
          # Traffic should still pass
          self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
@@ -784,7 +819,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ip6 tcp")
+        self.apply_rules(rules, b"permit ip6 tcp")
  
          # Traffic should still pass
          self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
@@ -804,7 +839,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ipv udp")
+        self.apply_rules(rules, b"permit ipv udp")
  
          # Traffic should still pass
          self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
@@ -824,7 +859,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ip6 udp")
+        self.apply_rules(rules, b"permit ip6 udp")
  
          # Traffic should still pass
          self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
@@ -849,7 +884,7 @@ class TestACLplugin(VppTestCase):
                                        self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "deny ip4/ip6 tcp")
+        self.apply_rules(rules, b"deny ip4/ip6 tcp")
  
          # Traffic should not pass
          self.run_verify_negat_test(self.IP, self.IPRANDOM,
@@ -875,7 +910,7 @@ class TestACLplugin(VppTestCase):
                                        self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "deny ip4/ip6 udp")
+        self.apply_rules(rules, b"deny ip4/ip6 udp")
  
          # Traffic should not pass
          self.run_verify_negat_test(self.IP, self.IPRANDOM,
@@ -966,7 +1001,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ip4 tcp "+str(port))
+        self.apply_rules(rules, b"permit ip4 tcp %d" % port)
  
          # Traffic should still pass
          self.run_verify_test(self.IP, self.IPV4,
@@ -988,7 +1023,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ip4 tcp "+str(port))
+        self.apply_rules(rules, b"permit ip4 tcp %d" % port)
  
          # Traffic should still pass
          self.run_verify_test(self.IP, self.IPV4,
@@ -1010,7 +1045,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ip4 tcp "+str(port))
+        self.apply_rules(rules, b"permit ip4 tcp %d" % port)
  
          # Traffic should still pass
          self.run_verify_test(self.IP, self.IPV6,
@@ -1033,7 +1068,7 @@ class TestACLplugin(VppTestCase):
                                        self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ip4 tcp "+str(port))
+        self.apply_rules(rules, b"permit ip4 tcp %d" % port)
  
          # Traffic should still pass
          self.run_verify_test(self.IP, self.IPV6,
@@ -1060,7 +1095,7 @@ class TestACLplugin(VppTestCase):
                                        self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "deny ip4/ip6 udp "+str(port))
+        self.apply_rules(rules, b"deny ip4/ip6 udp %d" % port)
  
          # Traffic should not pass
          self.run_verify_negat_test(self.IP, self.IPRANDOM,
@@ -1087,7 +1122,7 @@ class TestACLplugin(VppTestCase):
                                        self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "deny ip4/ip6 udp "+str(port))
+        self.apply_rules(rules, b"deny ip4/ip6 udp %d" % port)
  
          # Traffic should not pass
          self.run_verify_negat_test(self.IP, self.IPRANDOM,
@@ -1115,7 +1150,7 @@ class TestACLplugin(VppTestCase):
                                        self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "deny ip4/ip6 udp "+str(port))
+        self.apply_rules(rules, b"deny ip4/ip6 udp %d" % port)
  
          # Traffic should not pass
          self.run_verify_negat_test(self.IP, self.IPRANDOM,
@@ -1137,7 +1172,7 @@ class TestACLplugin(VppTestCase):
              self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit empty udp ip4 " + str(port))
+        self.apply_rules(rules, b"permit empty udp ip4 %d" % port)
  
          # Traffic should still pass
          # Create incoming packet streams for packet-generator interfaces
@@ -1171,7 +1206,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit empty udp ip6 "+str(port))
+        self.apply_rules(rules, b"permit empty udp ip6 %d" % port)
  
          # Traffic should still pass
          # Create incoming packet streams for packet-generator interfaces
@@ -1208,7 +1243,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ipv4 tcp")
+        self.apply_rules(rules, b"permit ipv4 tcp")
  
          # Traffic should still pass
          self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
@@ -1230,7 +1265,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ip6 tcp")
+        self.apply_rules(rules, b"permit ip6 tcp")
  
          # Traffic should still pass
          self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
@@ -1252,7 +1287,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ipv4 udp")
+        self.apply_rules(rules, b"permit ipv4 udp")
  
          # Traffic should still pass
          self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
@@ -1274,7 +1309,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ip6 udp")
+        self.apply_rules(rules, b"permit ip6 udp")
  
          # Traffic should still pass
          self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
@@ -1305,7 +1340,7 @@ class TestACLplugin(VppTestCase):
                                        self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "deny ip4/ip6 tcp")
+        self.apply_rules(rules, b"deny ip4/ip6 tcp")
  
          # Traffic should not pass
          self.run_verify_negat_test(self.IP, self.IPRANDOM,
@@ -1337,7 +1372,7 @@ class TestACLplugin(VppTestCase):
                                        self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "deny ip4/ip6 udp")
+        self.apply_rules(rules, b"deny ip4/ip6 udp")
  
          # Traffic should not pass
          self.run_verify_negat_test(self.IP, self.IPRANDOM,
@@ -1360,7 +1395,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ipv4 tcp")
+        self.apply_rules(rules, b"permit ipv4 tcp")
  
          # Traffic should still pass also for an odd ethertype
          self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
@@ -1382,7 +1417,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ipv4 tcp")
+        self.apply_rules(rules, b"permit ipv4 tcp")
  
          # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
          self.etype_whitelist([0xbbb], 1)
@@ -1412,7 +1447,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ipv4 tcp")
+        self.apply_rules(rules, b"permit ipv4 tcp")
  
          # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
          self.etype_whitelist([0xbbb], 1)
@@ -1441,7 +1476,7 @@ class TestACLplugin(VppTestCase):
          rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
  
          # Apply rules
-        self.apply_rules(rules, "permit ipv4 tcp")
+        self.apply_rules(rules, b"permit ipv4 tcp")
  
          # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
          self.etype_whitelist([0xbbb], 1)
@@ -1473,7 +1508,7 @@ class TestACLplugin(VppTestCase):
          intf.append(VppLoInterface(self))
  
          # Apply rules
-        self.apply_rules_to(rules, "permit ipv4 tcp", intf[0].sw_if_index)
+        self.apply_rules_to(rules, b"permit ipv4 tcp", intf[0].sw_if_index)
  
          # Remove the interface
          intf[0].remove_vpp_config()