X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=test%2Ftest_trace_filter.py;h=b716b794f96ec4687e8597abab9f97381a01ea63;hb=77812045e;hp=fa0d74812f5ad790add69a4b3d126f254794933b;hpb=b23ffd7ef216463c35b75c831e6a27e58971f4ec;p=vpp.git diff --git a/test/test_trace_filter.py b/test/test_trace_filter.py index fa0d74812f5..b716b794f96 100644 --- a/test/test_trace_filter.py +++ b/test/test_trace_filter.py @@ -1,32 +1,36 @@ #!/usr/bin/env python3 import unittest +import secrets +import socket from framework import VppTestCase, VppTestRunner -from vpp_ip_route import VppIpTable, VppIpRoute, VppRoutePath +from vpp_ipip_tun_interface import VppIpIpTunInterface +from vpp_papi import VppEnum +from vpp_ipsec import VppIpsecSA, VppIpsecSpd, VppIpsecSpdItfBinding, VppIpsecSpdEntry +from vpp_ip_route import VppIpRoute, VppRoutePath, FibPathProto from scapy.contrib.geneve import GENEVE from scapy.packet import Raw from scapy.layers.l2 import Ether -from scapy.layers.inet import IP, UDP +from scapy.layers.inet import IP, UDP, TCP from scapy.layers.vxlan import VXLAN +from scapy.layers.ipsec import ESP, SecurityAssociation from scapy.compat import raw from scapy.utils import rdpcap -class TestTracefilter(VppTestCase): - """ Packet Tracer Filter Test """ - +class TemplateTraceFilter(VppTestCase): @classmethod def setUpClass(cls): - super(TestTracefilter, cls).setUpClass() + super().setUpClass() @classmethod def tearDownClass(cls): - super(TestTracefilter, cls).tearDownClass() + super().tearDownClass() def setUp(self): - super(TestTracefilter, self).setUp() + super().setUp() self.create_pg_interfaces(range(2)) self.pg0.generate_remote_hosts(11) for i in self.pg_interfaces: @@ -35,7 +39,7 @@ class TestTracefilter(VppTestCase): i.resolve_arp() def tearDown(self): - super(TestTracefilter, self).tearDown() + super().tearDown() for i in self.pg_interfaces: i.unconfig() i.admin_down() @@ -43,8 +47,11 @@ class TestTracefilter(VppTestCase): def cli(self, cmd): r = self.vapi.cli_return_response(cmd) if r.retval != 0: - s = "reply '%s'" % r.reply if hasattr( - r, "reply") else "retval '%s'" % r.retval + s = ( + "reply '%s'" % r.reply + if hasattr(r, "reply") + else "retval '%s'" % r.retval + ) raise RuntimeError("cli command '%s' FAIL with %s" % (cmd, s)) return r @@ -53,9 +60,12 @@ class TestTracefilter(VppTestCase): r = self.cli("show classify table verbose") self.assertTrue(r.reply.find("hits %i" % n) != -1) + def clear(self): + self.cli("clear trace") + def add_trace_filter(self, mask, match): self.cli("classify filter trace mask %s match %s" % (mask, match)) - self.cli("clear trace") + self.clear() self.cli("trace add pg-input 1000 filter") def del_trace_filters(self): @@ -70,27 +80,46 @@ class TestTracefilter(VppTestCase): s = "pcap rx/tx/drop: first table none" self.assertTrue(r.reply.find(s) != -1) + # install a classify rule, inject traffic and check for hits + def assert_classify(self, mask, match, packets, n=None): + self.add_trace_filter("hex %s" % mask, "hex %s" % match) + self.send_and_expect(self.pg0, packets, self.pg1, trace=False) + self.assert_hits(n if n is not None else len(packets)) + self.del_trace_filters() + + +class TestTracefilter(TemplateTraceFilter): + """Packet Tracer Filter Test""" + def test_basic(self): - """ Packet Tracer Filter Test """ + """Packet Tracer Filter Test""" self.add_trace_filter( - "l3 ip4 src", - "l3 ip4 src %s" % - self.pg0.remote_hosts[5].ip4) + "l3 ip4 src", "l3 ip4 src %s" % self.pg0.remote_hosts[5].ip4 + ) self.add_trace_filter( - "l3 ip4 proto l4 src_port", - "l3 ip4 proto 17 l4 src_port 2345") + "l3 ip4 proto l4 src_port", "l3 ip4 proto 17 l4 src_port 2345" + ) # the packet we are trying to match p = list() for i in range(100): src = self.pg0.remote_hosts[i % len(self.pg0.remote_hosts)].ip4 - p.append((Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / - IP(src=src, dst=self.pg1.remote_ip4) / - UDP(sport=1234, dport=2345) / Raw('\xa5' * 100))) + p.append( + ( + Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) + / IP(src=src, dst=self.pg1.remote_ip4) + / UDP(sport=1234, dport=2345) + / Raw("\xa5" * 100) + ) + ) for i in range(17): - p.append((Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / - IP(src=self.pg0.remote_hosts[0].ip4, - dst=self.pg1.remote_ip4) / - UDP(sport=2345, dport=1234) / Raw('\xa5' * 100))) + p.append( + ( + Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) + / IP(src=self.pg0.remote_hosts[0].ip4, dst=self.pg1.remote_ip4) + / UDP(sport=2345, dport=1234) + / Raw("\xa5" * 100) + ) + ) self.send_and_expect(self.pg0, p, self.pg1, trace=False) @@ -100,29 +129,24 @@ class TestTracefilter(VppTestCase): self.del_trace_filters() - # install a classify rule, inject traffic and check for hits - def assert_classify(self, mask, match, packets, n=None): - self.add_trace_filter("hex %s" % mask, "hex %s" % match) - self.send_and_expect(self.pg0, packets, self.pg1, trace=False) - self.assert_hits(n if n is not None else len(packets)) - self.del_trace_filters() - def test_encap(self): - """ Packet Tracer Filter Test with encap """ + """Packet Tracer Filter Test with encap""" # the packet we are trying to match - p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / - IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) / - UDP() / - VXLAN() / - Ether() / - IP() / - UDP() / - GENEVE(vni=1234) / - Ether() / - IP(src='192.168.4.167') / - UDP() / - Raw('\xa5' * 100)) + p = ( + Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) + / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) + / UDP() + / VXLAN() + / Ether() + / IP() + / UDP() + / GENEVE(vni=1234) + / Ether() + / IP(src="192.168.4.167") + / UDP() + / Raw("\xa5" * 100) + ) # # compute filter mask & value @@ -130,29 +154,31 @@ class TestTracefilter(VppTestCase): # we need to set checksums to 0 to make sure scapy will not recompute # them # - tmpl = (Ether() / - IP(chksum=0) / - UDP(chksum=0) / - VXLAN() / - Ether() / - IP(chksum=0) / - UDP(chksum=0) / - GENEVE(vni=0) / - Ether() / - IP(src='0.0.0.0', chksum=0)) + tmpl = ( + Ether() + / IP(chksum=0) + / UDP(chksum=0) + / VXLAN() + / Ether() + / IP(chksum=0) + / UDP(chksum=0) + / GENEVE(vni=0) + / Ether() + / IP(src="0.0.0.0", chksum=0) + ) ori = raw(tmpl) # the mask - tmpl[GENEVE].vni = 0xffffff + tmpl[GENEVE].vni = 0xFFFFFF user = tmpl[GENEVE].payload - user[IP].src = '255.255.255.255' + user[IP].src = "255.255.255.255" new = raw(tmpl) mask = "".join(("{:02x}".format(o ^ n) for o, n in zip(ori, new))) # this does not match (wrong vni) tmpl[GENEVE].vni = 1 user = tmpl[GENEVE].payload - user[IP].src = '192.168.4.167' + user[IP].src = "192.168.4.167" new = raw(tmpl) match = "".join(("{:02x}".format(o ^ n) for o, n in zip(ori, new))) self.assert_classify(mask, match, [p] * 11, 0) @@ -164,29 +190,41 @@ class TestTracefilter(VppTestCase): self.assert_classify(mask, match, [p] * 17) def test_pcap(self): - """ Packet Capture Filter Test """ + """Packet Capture Filter Test""" self.cli( - "classify filter pcap mask l3 ip4 src match l3 ip4 src %s" % - self.pg0.remote_hosts[5].ip4) + "classify filter pcap mask l3 ip4 src match l3 ip4 src %s" + % self.pg0.remote_hosts[5].ip4 + ) self.cli( "classify filter pcap " "mask l3 ip4 proto l4 src_port " - "match l3 ip4 proto 17 l4 src_port 2345") + "match l3 ip4 proto 17 l4 src_port 2345" + ) self.cli( "pcap trace rx tx max 1000 intfc pg0 " - "file vpp_test_trace_filter_test_pcap.pcap filter") + "file vpp_test_trace_filter_test_pcap.pcap filter" + ) # the packet we are trying to match p = list() for i in range(100): src = self.pg0.remote_hosts[i % len(self.pg0.remote_hosts)].ip4 - p.append((Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / - IP(src=src, dst=self.pg1.remote_ip4) / - UDP(sport=1234, dport=2345) / Raw('\xa5' * 100))) + p.append( + ( + Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) + / IP(src=src, dst=self.pg1.remote_ip4) + / UDP(sport=1234, dport=2345) + / Raw("\xa5" * 100) + ) + ) for i in range(17): - p.append((Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / - IP(src=self.pg0.remote_hosts[0].ip4, - dst=self.pg1.remote_ip4) / - UDP(sport=2345, dport=1234) / Raw('\xa5' * 100))) + p.append( + ( + Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) + / IP(src=self.pg0.remote_hosts[0].ip4, dst=self.pg1.remote_ip4) + / UDP(sport=2345, dport=1234) + / Raw("\xa5" * 100) + ) + ) self.send_and_expect(self.pg0, p, self.pg1, trace=False) @@ -208,28 +246,42 @@ class TestTracefilter(VppTestCase): self.assertEqual(str(pcap[i]), p_) def test_pcap_drop(self): - """ Drop Packet Capture Filter Test """ + """Drop Packet Capture Filter Test""" self.cli( "pcap trace drop max 1000 " "error {ip4-udp-lookup}.{no_listener} " - "file vpp_test_trace_filter_test_pcap_drop.pcap") + "file vpp_test_trace_filter_test_pcap_drop.pcap" + ) # the packet we are trying to match p = list() for i in range(17): # this packet should be forwarded - p.append((Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / - IP(src=self.pg0.remote_hosts[0].ip4, - dst=self.pg1.remote_ip4) / - UDP(sport=2345, dport=1234) / Raw('\xa5' * 100))) + p.append( + ( + Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) + / IP(src=self.pg0.remote_hosts[0].ip4, dst=self.pg1.remote_ip4) + / UDP(sport=2345, dport=1234) + / Raw("\xa5" * 100) + ) + ) # this packet should be captured (no listener) - p.append((Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / - IP(src=self.pg0.remote_hosts[0].ip4, - dst=self.pg0.local_ip4) / - UDP(sport=2345, dport=1234) / Raw('\xa5' * 100))) + p.append( + ( + Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) + / IP(src=self.pg0.remote_hosts[0].ip4, dst=self.pg0.local_ip4) + / UDP(sport=2345, dport=1234) + / Raw("\xa5" * 100) + ) + ) # this packet will be blackholed but not captured - p.append((Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / - IP(src=self.pg0.remote_hosts[0].ip4, dst="0.0.0.0") / - UDP(sport=2345, dport=1234) / Raw('\xa5' * 100))) + p.append( + ( + Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) + / IP(src=self.pg0.remote_hosts[0].ip4, dst="0.0.0.0") + / UDP(sport=2345, dport=1234) + / Raw("\xa5" * 100) + ) + ) self.send_and_expect(self.pg0, p, self.pg1, n_rx=17, trace=False) @@ -240,5 +292,176 @@ class TestTracefilter(VppTestCase): self.assertEqual(len(pcap), 17) -if __name__ == '__main__': +class TestTraceFilterInner(TemplateTraceFilter): + """Packet Tracer Filter Inner Test""" + + extra_vpp_plugin_config = [ + "plugin tracenode_plugin.so {enable}", + ] + + def add_trace_filter(self, mask, match, tn_feature_intfc_index=None): + if tn_feature_intfc_index is not None: + self.logger.info("fffff") + self.vapi.tracenode_enable_disable(sw_if_index=tn_feature_intfc_index) + super().add_trace_filter(mask, match) + + def del_trace_filters(self, tn_feature_intfc_index=None): + if tn_feature_intfc_index is not None: + self.vapi.tracenode_enable_disable( + sw_if_index=tn_feature_intfc_index, enable=False + ) + super().del_trace_filters() + + def __add_sa(self, id_, tun_src, tun_dst): + # AES-CTR-128 / SHA2-256 + crypto_key_length = 16 + salt_length = 4 + integ_key_lenght = 16 + crypto_key = secrets.token_bytes(crypto_key_length) + salt = secrets.randbits(salt_length * 8) + integ_key = secrets.token_bytes(integ_key_lenght) + + flags = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP + + vpp_sa_in = VppIpsecSA( + test=self, + id=id_, + spi=id_, + integ_alg=VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_256_128, + integ_key=integ_key, + crypto_alg=VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CTR_128, + crypto_key=crypto_key, + proto=VppEnum.vl_api_ipsec_proto_t.IPSEC_API_PROTO_ESP, + flags=flags, + salt=salt, + tun_src=tun_src, + tun_dst=tun_dst, + udp_src=4500, + udp_dst=4500, + ) + vpp_sa_in.add_vpp_config() + + scapy_sa_in = SecurityAssociation( + ESP, + spi=id_, + crypt_algo="AES-CTR", + crypt_key=crypto_key + salt.to_bytes(salt_length, "big"), + auth_algo="SHA2-256-128", + auth_key=integ_key, + tunnel_header=IP(src=tun_src, dst=tun_dst), + nat_t_header=UDP(sport=4500, dport=4500), + ) + + id_ += 1 + + vpp_sa_out = VppIpsecSA( + test=self, + id=id_, + spi=id_, + integ_alg=VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_256_128, + integ_key=integ_key, + crypto_alg=VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CTR_128, + crypto_key=crypto_key, + proto=VppEnum.vl_api_ipsec_proto_t.IPSEC_API_PROTO_ESP, + flags=flags, + salt=salt, + tun_src=tun_dst, + tun_dst=tun_src, + udp_src=4500, + udp_dst=4500, + ) + vpp_sa_out.add_vpp_config() + + scapy_sa_out = SecurityAssociation( + ESP, + spi=id_, + crypt_algo="AES-CTR", + crypt_key=crypto_key + salt.to_bytes(salt_length, "big"), + auth_algo="SHA2-256-128", + auth_key=integ_key, + tunnel_header=IP(src=tun_dst, dst=tun_src), + nat_t_header=UDP(sport=4500, dport=4500), + ) + + return vpp_sa_in, scapy_sa_in, vpp_sa_out, scapy_sa_out + + def __gen_encrypt_pkt(self, scapy_sa, pkt): + return Ether( + src=self.pg0.local_mac, dst=self.pg0.remote_mac + ) / scapy_sa.encrypt(pkt) + + def test_encrypted_encap(self): + """Packet Tracer Filter Test with encrypted encap""" + + vpp_sa_in, scapy_sa_in, vpp_sa_out, _ = self.__add_sa( + 1, self.pg0.local_ip4, self.pg0.remote_ip4 + ) + + spd = VppIpsecSpd(self, 1) + spd.add_vpp_config() + + spd_binding = VppIpsecSpdItfBinding(self, spd, self.pg0) + spd_binding.add_vpp_config() + + spd_entry = VppIpsecSpdEntry( + self, + spd, + 1, + self.pg0.local_ip4, + self.pg0.local_ip4, + self.pg0.remote_ip4, + self.pg0.remote_ip4, + socket.IPPROTO_ESP, + policy=VppEnum.vl_api_ipsec_spd_action_t.IPSEC_API_SPD_ACTION_PROTECT, + is_outbound=0, + ).add_vpp_config() + + # the inner packet we are trying to match + inner_pkt = ( + IP(src=self.pg1.local_ip4, dst=self.pg1.remote_ip4) + / TCP(sport=1234, dport=4321) + / Raw(b"\xa5" * 100) + ) + pkt = self.__gen_encrypt_pkt(scapy_sa_in, inner_pkt) + + # self.add_trace_filter("l3 ip4 src", f"l3 ip4 src {self.pg0.local_ip4}") + + self.add_trace_filter( + "l2 none l3 ip4 src proto l4 dst_port", + f"l2 none l3 ip4 src {self.pg1.local_ip4} proto 6 l4 dst_port 4321", + tn_feature_intfc_index=self.pg0.sw_if_index, + ) + + self.logger.info("Sending packet with matching inner") + self.send_and_expect(self.pg0, pkt * 67, self.pg1, trace=False) + self.assert_hits(67) + self.clear() + + self.logger.info("Sending packet with wrong inner port") + inner_pkt[TCP].dport = 1111 + pkt = self.__gen_encrypt_pkt(scapy_sa_in, inner_pkt) + self.send_and_expect(self.pg0, pkt * 67, self.pg1, trace=False) + # the classify session should still have the 67 previous hits. + # In another way, the delta is 0 + self.assert_hits(67) + self.clear() + + self.logger.info("Sending packet with wrong source address") + inner_pkt[IP].src = "1.2.3.4" + inner_pkt[TCP].dport = 4321 + pkt = self.__gen_encrypt_pkt(scapy_sa_in, inner_pkt) + self.send_and_expect(self.pg0, pkt * 67, self.pg1, trace=False) + self.assert_hits(67) + self.clear() + + self.del_trace_filters(tn_feature_intfc_index=self.pg0.sw_if_index) + + spd_entry.remove_vpp_config() + spd_binding.remove_vpp_config() + spd.remove_vpp_config() + vpp_sa_in.remove_vpp_config() + vpp_sa_out.remove_vpp_config() + + +if __name__ == "__main__": unittest.main(testRunner=VppTestRunner)