1 # Copyright (c) 2016 Cisco and/or its affiliates.
2 # Licensed under the Apache License, Version 2.0 (the "License");
3 # you may not use this file except in compliance with the License.
4 # You may obtain a copy of the License at:
6 # http://www.apache.org/licenses/LICENSE-2.0
8 # Unless required by applicable law or agreed to in writing, software
9 # distributed under the License is distributed on an "AS IS" BASIS,
10 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11 # See the License for the specific language governing permissions and
12 # limitations under the License.
15 | &{if_settings}= | enabled=True
16 # Bridge domain settings
18 | &{bd_settings}= | flood=${True} | forward=${True} | learn=${True}
19 | ... | unknown-unicast-flood=${True} | arp-termination=${False}
20 | &{bd_if_settings}= | split_horizon_group=${0} | bvi=${False}
22 | ${acl_name_macip}= | macip
23 | ${acl_name_l3_ip4}= | acl_l3_ip4
24 | ${acl_name_l3_ip6}= | acl_l3_ip6
25 | ${acl_name_l4}= | acl_l4
26 | ${acl_name_mixed}= | acl_mixed
27 | ${acl_name_icmp}= | acl_icmp
28 | ${acl_name_icmpv6}= | acl_icmpv6
29 | ${acl_name_reflex}= | acl_reflex
32 | Resource | resources/libraries/robot/default.robot
33 | Resource | resources/libraries/robot/honeycomb/honeycomb.robot
34 | Resource | resources/libraries/robot/honeycomb/interfaces.robot
35 | Resource | resources/libraries/robot/honeycomb/bridge_domain.robot
36 | Resource | resources/libraries/robot/honeycomb/access_control_lists.robot
37 | Resource | resources/libraries/robot/testing_path.robot
38 | Resource | resources/libraries/robot/traffic.robot
39 | Library | resources.libraries.python.honeycomb.HcAPIKwACL.ACLKeywords
40 | Library | resources.libraries.python.Trace
41 | Library | resources.libraries.python.IPv4Setup
42 | Library | resources.libraries.python.IPv4Util
43 | Library | resources.libraries.python.IPv6Util
44 | Library | resources.libraries.python.Routing
46 | Test Setup | Clear Packet Trace on All DUTs | ${nodes}
48 | Suite Teardown | Restart Honeycomb and VPP | ${node}
50 | Documentation | *Honeycomb access control lists test suite for ACL plugin.*
52 | Force Tags | HC_FUNC
55 | TC01: ACL MAC filtering through plugin-acl node - bridged
57 | | ... | [Top] TG=DUT1=TG.
58 | | ... | [Enc] Eth-IPv4-TCP.
59 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG\
60 | | ... | and configure L2 MAC ACL on ingress interface.
61 | | ... | [Ver] Send simple TCP packets from one TG interface to the other,\
62 | | ... | using different MACs. Receive all packets except those with\
63 | | ... | MACs in the filtered ranges.
65 | | [Teardown] | Bridged ACL test teardown
67 | | Given Setup Interfaces And Bridge Domain For plugin-acl Test
68 | | ... | macip | ${acl_name_macip}
69 | | When Honeycomb Creates ACL Chain Through ACL plugin
70 | | ... | ${dut_node} | ${acl_name_macip} | ${acl_settings} | macip=${True}
71 | | And Honeycomb Assigns plugin-acl Chain To Interface
72 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_macip}
73 | | ... | ingress | macip=${True}
74 | | When Send TCP or UDP packet and verify received packet | ${tg_node} | ${src_ip} | ${dst_ip}
75 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
76 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
77 | | ... | TCP | ${src_port} | ${dst_port}
78 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
79 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node} | ${src_ip} | ${dst_ip}
80 | | ... | ${tg_to_dut_if1} | ${classify_src}
81 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
82 | | ... | TCP | ${src_port} | ${dst_port}
83 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
84 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node} | ${src_ip} | ${dst_ip}
85 | | ... | ${tg_to_dut_if1} | ${classify_src2}
86 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
87 | | ... | TCP | ${src_port} | ${dst_port}
89 | TC02: ACL IPv4 filtering through plugin-acl node - bridged
91 | | ... | [Top] TG=DUT1=TG.
92 | | ... | [Enc] Eth-IPv4-TCP.
93 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG\
94 | | ... | and configure L3 IPv4 ACL on ingress interface with src/dst IP
95 | | ... | and protocol number.
96 | | ... | [Ver] Send simple TCP and UDP packets from one TG interface\
97 | | ... | to the other, using different IPv4 IPs. Receive all packets except\
98 | | ... | those with IPs in the filtered ranges and UDP protocol payload.
100 | | [Teardown] | Bridged ACL test teardown
102 | | Given Setup Interfaces And Bridge Domain For plugin-acl Test
103 | | ... | l3_ip4 | ${acl_name_l3_ip4}
104 | | When Honeycomb Creates ACL Chain Through ACL plugin
105 | | ... | ${dut_node} | ${acl_name_l3_ip4} | ${acl_settings}
106 | | And Honeycomb Assigns plugin-acl Chain To Interface
107 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_l3_ip4} | ingress
108 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
109 | | ... | ${src_ip} | ${dst_ip}
110 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
111 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
112 | | ... | UDP | ${src_port} | ${dst_port}
113 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
114 | | ... | ${classify_src} | ${classify_dst}
115 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
116 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
117 | | ... | TCP | ${src_port} | ${dst_port}
118 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
119 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
120 | | ... | ${classify_src} | ${classify_dst}
121 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
122 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
123 | | ... | UDP | ${src_port} | ${dst_port}
125 | TC03: ACL IPv6 filtering through plugin-acl node - bridged
127 | | ... | [Top] TG=DUT1=TG.
128 | | ... | [Enc] Eth-IPv6-TCP.
129 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG\
130 | | ... | and configure L3 IPv6 ACL on ingress interface with src/dst IP
131 | | ... | and protocol number.
132 | | ... | [Ver] Send simple TCP and UDP packets from one TG interface\
133 | | ... | to the other, using different IPv6 IPs. Receive all packets except\
134 | | ... | those with IPs in the filtered ranges and UDP protocol payload.
136 | | [Teardown] | Bridged ACL test teardown
138 | | Given Setup interfaces and bridge domain for plugin-acl test
139 | | ... | l3_ip6 | ${acl_name_l3_ip6}
140 | | When Honeycomb Creates ACL Chain Through ACL plugin
141 | | ... | ${dut_node} | ${acl_name_l3_ip6} | ${acl_settings}
142 | | And Honeycomb Assigns plugin-acl Chain To Interface
143 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_l3_ip6} | ingress
144 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
145 | | ... | ${src_ip} | ${dst_ip}
146 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
147 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
148 | | ... | UDP | ${src_port} | ${dst_port}
149 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
150 | | ... | ${classify_src} | ${classify_dst}
151 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
152 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
153 | | ... | TCP | ${src_port} | ${dst_port}
154 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
155 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
156 | | ... | ${classify_src} | ${classify_dst}
157 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
158 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
159 | | ... | UDP | ${src_port} | ${dst_port}
161 | TC04: ACL port filtering through plugin-acl node - bridged
163 | | ... | [Top] TG=DUT1=TG.
164 | | ... | [Enc] Eth-IPv4-TCP.
165 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG\
166 | | ... | and and configure L4 port ACL on ingress interface
167 | | ... | with src/dst port ranges.
168 | | ... | [Ver] Send simple TCP and UDP packets from one TG interface\
169 | | ... | to the other, using different ports. Receive all packets except\
170 | | ... | those with ports in the filtered ranges.
172 | | [Teardown] | Bridged ACL test teardown
174 | | Given Setup interfaces and bridge domain for plugin-acl test
175 | | ... | L4 | ${acl_name_l4}
176 | | When Honeycomb Creates ACL Chain Through ACL plugin
177 | | ... | ${dut_node} | ${acl_name_l4} | ${acl_settings}
178 | | And Honeycomb Assigns plugin-acl Chain To Interface
179 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_l4} | ingress
180 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
181 | | ... | ${src_ip} | ${dst_ip}
182 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
183 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
184 | | ... | TCP | ${src_port} | ${dst_port}
185 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
186 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
187 | | ... | ${src_ip} | ${dst_ip}
188 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
189 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
190 | | ... | TCP | ${classify_src} | ${classify_dst}
191 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
192 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
193 | | ... | ${src_ip} | ${dst_ip}
194 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
195 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
196 | | ... | TCP | ${classify_src+5} | ${classify_dst+5}
198 | TC05: ACL filtering with IPv4 address and TCP port in one rule - bridged
200 | | ... | [Top] TG=DUT1=TG.
201 | | ... | [Enc] Eth-IPv4-TCP.
202 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG\
203 | | ... | and configure a mixed rule with src/dst IP, TCP protocol
204 | | ... | and port ranges.
205 | | ... | [Ver] Send simple TCP packets from one TG interface to the other,\
206 | | ... | using IPs and ports. Receive all packets except those with\
207 | | ... | both IPs and ports in the filtered ranges.
209 | | [Teardown] | Bridged ACL test teardown
211 | | Given Setup Interfaces And Bridge Domain For plugin-acl Test
212 | | ... | mixed | ${acl_name_mixed}
213 | | When Honeycomb Creates ACL Chain Through ACL plugin
214 | | ... | ${dut_node} | ${acl_name_mixed} | ${acl_settings}
215 | | And Honeycomb Assigns plugin-acl Chain To Interface
216 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_mixed} | ingress
217 | | Then Send TCP or UDP packet and verify received packet | ${tg_node} | ${src_ip} | ${dst_ip}
218 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
219 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
220 | | ... | TCP | ${src_port} | ${dst_port}
221 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
222 | | ... | ${classify_src_ip} | ${classify_dst_ip}
223 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
224 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
225 | | ... | TCP | ${src_port} | ${dst_port}
226 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
227 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
228 | | ... | ${classify_src_ip} | ${classify_dst_ip}
229 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
230 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
231 | | ... | TCP | ${classify_src_port} | ${classify_dst_port}
233 | TC06: ACL ICMP packet filtering - bridged
235 | | ... | [Top] TG=DUT1=TG.
236 | | ... | [Enc] Eth-IPv4-ICMP.
237 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG\
238 | | ... | and configure a ICMP protocol filtering by ICMP type and code.
239 | | ... | [Ver] Send ICMP packets from one TG interface\
240 | | ... | to the other, using different codes and types. Receive all packets\
241 | | ... | except those with types and codes in the filtered ranges.
243 | | [Teardown] | Bridged ACL test teardown
245 | | Given Setup interfaces and bridge domain for plugin-acl test
246 | | ... | icmp | ${acl_name_icmp}
247 | | When Honeycomb Creates ACL Chain Through ACL plugin
248 | | ... | ${dut_node} | ${acl_name_icmp} | ${acl_settings}
249 | | And Honeycomb Assigns plugin-acl Chain To Interface
250 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_icmp} | ingress
251 | | Then Send ICMP packet with type and code and verify received packet | ${tg_node}
252 | | ... | ${src_ip} | ${dst_ip}
253 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
254 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
255 | | ... | ${icmp_type} | ${icmp_code}
256 | | Then Send ICMP packet with type and code and verify received packet | ${tg_node}
257 | | ... | ${src_ip} | ${dst_ip}
258 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
259 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
260 | | ... | ${classify_type} | ${icmp_code}
261 | | And Run Keyword And Expect Error | ICMP echo Rx timeout
262 | | ... | Send ICMP packet with type and code and verify received packet | ${tg_node}
263 | | ... | ${src_ip} | ${dst_ip}
264 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
265 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
266 | | ... | ${classify_type} | ${classify_code}
268 | TC07: ACL ICMPv6 packet filtering - bridged
270 | | ... | [Top] TG=DUT1=TG.
271 | | ... | [Enc] Eth-IPv6-ICMP.
272 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG\
273 | | ... | and configure a ICMPv6 protocol filtering by ICMPv6 type and code.
274 | | ... | [Ver] Send ICMPv6 packets from one TG interface\
275 | | ... | to the other, using different codes and types. Receive all packets\
276 | | ... | except those with the filtered type and code.
278 | | [Teardown] | Bridged ACL test teardown
280 | | Given Setup interfaces and bridge domain for plugin-acl test
281 | | ... | icmpv6 | ${acl_name_icmpv6}
282 | | When Honeycomb Creates ACL Chain Through ACL plugin
283 | | ... | ${dut_node} | ${acl_name_icmpv6} | ${acl_settings}
284 | | And Honeycomb Assigns plugin-acl Chain To Interface
285 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_icmpv6} | ingress
286 | | Then Send ICMP packet with type and code and verify received packet | ${tg_node}
287 | | ... | ${src_ip} | ${dst_ip}
288 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
289 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
290 | | ... | ${icmp_type} | ${icmp_code}
291 | | Then Send ICMP packet with type and code and verify received packet | ${tg_node}
292 | | ... | ${src_ip} | ${dst_ip}
293 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
294 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
295 | | ... | ${classify_type} | ${icmp_code}
296 | | And Run Keyword And Expect Error | ICMP echo Rx timeout
297 | | ... | Send ICMP packet with type and code and verify received packet | ${tg_node}
298 | | ... | ${src_ip} | ${dst_ip}
299 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
300 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
301 | | ... | ${classify_type} | ${classify_code}
303 | TC08: ACL reflexive IPv4 filtering through plugin-acl node - bridged
305 | | ... | [Top] TG=DUT1=TG.
306 | | ... | [Enc] Eth-IPv4-TCP.
307 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG,\
308 | | ... | configure a "drop all" ACL on ingress and reflexive ACL on egress.
309 | | ... | [Ver] Send a simple TCP packet to VPP interface 1 and do not receive\
310 | | ... | it back. Then send the packet with reversed src/dst IP address\
311 | | ... | to VPP interface 2 and receive it from interface 1(this should create\
312 | | ... | a reflexive "permit" rule) Finally, send the original packet again\
313 | | ... | and receive it from interface 2.
315 | | [Teardown] | Bridged ACL test teardown
317 | | Given Setup Interfaces And Bridge Domain For plugin-acl Test
318 | | ... | reflex | ${acl_name_reflex}
319 | | When Honeycomb Creates ACL Chain Through ACL plugin
320 | | ... | ${dut_node} | ${acl_name_reflex} | ${acl_settings}
321 | | And Honeycomb Assigns plugin-acl Chain To Interface
322 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_reflex} | egress
323 | | And Import Variables | resources/test_data/honeycomb/plugin_acl.py
324 | | ... | block_all | block_all
325 | | When Honeycomb Creates ACL Chain Through ACL plugin
326 | | ... | ${dut_node} | block_all | ${acl_settings}
327 | | And Honeycomb Assigns plugin-acl Chain To Interface
328 | | ... | ${dut_node} | ${dut_to_tg_if1} | block_all | ingress
329 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
330 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
331 | | ... | ${classify_src} | ${classify_dst}
332 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
333 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
334 | | ... | TCP | ${src_port} | ${dst_port}
335 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
336 | | ... | ${classify_dst} | ${classify_src}
337 | | ... | ${tg_to_dut_if2} | ${tg_to_dut_if2_mac}
338 | | ... | ${tg_to_dut_if1} | ${dut_to_tg_if2_mac}
339 | | ... | TCP | ${dst_port} | ${src_port}
340 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
341 | | ... | ${classify_src} | ${classify_dst}
342 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
343 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
344 | | ... | TCP | ${src_port} | ${dst_port}
349 | TC09: ACL IPv4 filtering through plugin-acl node - routed
351 | | ... | [Top] TG=DUT1=TG.
352 | | ... | [Enc] Eth-IPv4-TCP.
353 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv4 addresses on both\
354 | | ... | interfaces to TG, add ARP entry and routes, and configure L3 IPv4 ACL\
355 | | ... | on ingress interface with src/dst IP and protocol.
356 | | ... | [Ver] Send simple TCP and UDP packets from one TG interface\
357 | | ... | to the other, using different IPv4 IPs. Receive all packets except\
358 | | ... | those with IPs in the filtered ranges and UDP protocol payload.
360 | | [Teardown] | Routed ACL test teardown - ipv4
362 | | Given Setup Interface IPs And Routes For IPv4 plugin-acl Test
363 | | ... | l3_ip4 | ${acl_name_l3_ip4}
364 | | When Honeycomb Creates ACL Chain Through ACL plugin
365 | | ... | ${dut_node} | ${acl_name_l3_ip4} | ${acl_settings}
366 | | And Honeycomb Assigns plugin-acl Chain To Interface
367 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_l3_ip4} | ingress
368 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
369 | | ... | ${src_ip} | ${dst_ip}
370 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
371 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
372 | | ... | UDP | ${src_port} | ${dst_port}
373 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
374 | | ... | ${classify_src} | ${classify_dst}
375 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
376 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
377 | | ... | TCP | ${src_port} | ${dst_port}
378 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
379 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
380 | | ... | ${classify_src} | ${classify_dst}
381 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
382 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
383 | | ... | UDP | ${src_port} | ${dst_port}
385 | TC10: ACL IPv6 filtering through plugin-acl node - routed
387 | | ... | [Top] TG=DUT1=TG.
388 | | ... | [Enc] Eth-IPv6-TCP.
389 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv6 addresses on both\
390 | | ... | interfaces to TG, add IP neighbor entry and routes, and configure\
391 | | ... | L3 IPv6 ACL on ingress interface with src/dst IP and next-header.
392 | | ... | [Ver] Send simple TCP and UDP packets from one TG interface\
393 | | ... | to the other, using different IPv6 IPs. Receive all packets except\
394 | | ... | those with IPs in the filtered ranges and UDP protocol payload.
396 | | [Teardown] | Routed ACL test teardown - ipv6
398 | | Given Configure path in 2-node circular topology
399 | | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['TG']}
400 | | And Import Variables | resources/test_data/honeycomb/plugin_acl.py
401 | | ... | L3_IP6 | ${acl_name_l3_ip6}
402 | | And Honeycomb configures interface state | ${dut_node} | ${dut_to_tg_if1} | up
403 | | And Honeycomb configures interface state | ${dut_node} | ${dut_to_tg_if2} | up
404 | | And Honeycomb sets interface IPv6 address | ${dut_node}
405 | | ... | ${dut_to_tg_if1} | ${dut_to_tg_if1_ip} | ${prefix_length}
406 | | And Honeycomb sets interface IPv6 address | ${dut_node}
407 | | ... | ${dut_to_tg_if2} | ${dut_to_tg_if2_ip} | ${prefix_length}
408 | | And VPP RA suppress link layer | ${dut_node} | ${dut_to_tg_if2}
409 | | And Honeycomb adds interface IPv6 neighbor
410 | | ... | ${node} | ${dut_to_tg_if2} | ${gateway} | ${tg_to_dut_if2_mac}
411 | | And VPP Route Add | ${node} | ${dst_net} | ${prefix_length}
412 | | ... | ${gateway} | interface=${dut_to_tg_if2} | use_sw_index=False
413 | | And VPP Route Add | ${node} | ${classify_dst_net} | ${prefix_length}
414 | | ... | ${gateway} | interface=${dut_to_tg_if2} | use_sw_index=False
415 | | When Honeycomb Creates ACL Chain Through ACL plugin
416 | | ... | ${dut_node} | ${acl_name_l3_ip6} | ${acl_settings}
417 | | And Honeycomb Assigns plugin-acl Chain To Interface
418 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_l3_ip6} | ingress
419 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
420 | | ... | ${src_ip} | ${dst_ip}
421 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
422 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
423 | | ... | UDP | ${src_port} | ${dst_port}
424 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
425 | | ... | ${classify_src} | ${classify_dst}
426 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
427 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
428 | | ... | TCP | ${src_port} | ${dst_port}
429 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
430 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
431 | | ... | ${classify_src} | ${classify_dst}
432 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
433 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
434 | | ... | UDP | ${src_port} | ${dst_port}
436 | TC11: ACL port filtering through plugin-acl node - routed
438 | | ... | [Top] TG=DUT1=TG.
439 | | ... | [Enc] Eth-IPv4-TCP.
440 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv4 addresses on both\
441 | | ... | interfaces to TG, add ARP entry and routes, and configure L4 port ACL\
442 | | ... | on ingress interface with src/dst port ranges.
443 | | ... | [Ver] Send simple TCP and UDP packets from one TG interface\
444 | | ... | to the other, using different ports. Receive all packets except\
445 | | ... | those with ports in the filtered ranges.
447 | | [Teardown] | Routed ACL test teardown - ipv4
449 | | Given Setup Interface IPs And Routes For IPv4 plugin-acl Test
450 | | ... | L4 | ${acl_name_l4}
451 | | When Honeycomb Creates ACL Chain Through ACL plugin
452 | | ... | ${dut_node} | ${acl_name_l4} | ${acl_settings}
453 | | And Honeycomb Assigns plugin-acl Chain To Interface
454 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_l4} | ingress
455 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
456 | | ... | ${src_ip} | ${dst_ip}
457 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
458 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
459 | | ... | TCP | ${src_port} | ${dst_port}
460 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
461 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
462 | | ... | ${src_ip} | ${dst_ip}
463 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
464 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
465 | | ... | TCP | ${classify_src} | ${classify_dst}
466 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
467 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
468 | | ... | ${src_ip} | ${dst_ip}
469 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
470 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
471 | | ... | TCP | ${classify_src+5} | ${classify_dst+5}
473 | TC12: ACL filtering with IPv4 address and TCP port in one rule - routed
475 | | ... | [Top] TG=DUT1=TG.
476 | | ... | [Enc] Eth-IPv4-TCP.
477 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv4 addresses on both\
478 | | ... | interfaces to TG, add ARP entry and routes and configure a mixed
479 | | ... | rule with src/dst IP, TCP protocol and port ranges.
480 | | ... | [Ver] Send simple TCP packets from one TG interface to the other,\
481 | | ... | using IPs and ports. Receive all packets except those with\
482 | | ... | both IPs and ports in the filtered ranges.
484 | | [Teardown] | Routed ACL test teardown - ipv4
486 | | Given Setup Interface IPs And Routes For IPv4 plugin-acl Test
487 | | ... | mixed | ${acl_name_mixed}
488 | | When Honeycomb Creates ACL Chain Through ACL plugin
489 | | ... | ${dut_node} | ${acl_name_mixed} | ${acl_settings}
490 | | And Honeycomb Assigns plugin-acl Chain To Interface
491 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_mixed} | ingress
492 | | Then Send TCP or UDP packet and verify received packet | ${tg_node} | ${src_ip} | ${dst_ip}
493 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
494 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
495 | | ... | TCP | ${src_port} | ${dst_port}
496 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
497 | | ... | ${classify_src_ip} | ${classify_dst_ip}
498 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
499 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
500 | | ... | TCP | ${src_port} | ${dst_port}
501 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
502 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
503 | | ... | ${classify_src_ip} | ${classify_dst_ip}
504 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
505 | | ... | ${tg_to_dut_if2} | ${dst_mac}
506 | | ... | TCP | ${classify_src_port} | ${classify_dst_port}
508 | TC13: ACL ICMP packet filtering - routed
510 | | ... | [Top] TG=DUT1=TG.
511 | | ... | [Enc] Eth-IPv4-TCP.
512 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv4 addresses on both\
513 | | ... | interfaces to TG, add ARP entry and routes, and configure ICMP ACL\
514 | | ... | on ingress interface with ICMP type and code.
515 | | ... | [Ver] Send ICMP packets from one TG interface\
516 | | ... | to the other, using different codes and types. Receive all packets\
517 | | ... | except those with the filtered type and code.
519 | | [Teardown] | Routed ACL test teardown - ipv4
521 | | Given Setup Interface IPs And Routes For IPv4 plugin-acl Test
522 | | ... | icmp | ${acl_name_icmp}
523 | | When Honeycomb Creates ACL Chain Through ACL plugin
524 | | ... | ${dut_node} | ${acl_name_icmp} | ${acl_settings}
525 | | And Honeycomb Assigns plugin-acl Chain To Interface
526 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_icmp} | ingress
527 | | Then Send ICMP packet with type and code and verify received packet | ${tg_node}
528 | | ... | ${src_ip} | ${dst_ip}
529 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
530 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
531 | | ... | ${icmp_type} | ${icmp_code}
532 | | Then Send ICMP packet with type and code and verify received packet | ${tg_node}
533 | | ... | ${src_ip} | ${dst_ip}
534 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
535 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
536 | | ... | ${classify_type} | ${icmp_code}
537 | | And Run Keyword And Expect Error | ICMP echo Rx timeout
538 | | ... | Send ICMP packet with type and code and verify received packet | ${tg_node}
539 | | ... | ${src_ip} | ${dst_ip}
540 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
541 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
542 | | ... | ${classify_type} | ${classify_code}
544 | TC14: ACL ICMPv6 packet filtering - routed
546 | | ... | [Top] TG=DUT1=TG.
547 | | ... | [Enc] Eth-IPv4-TCP.
548 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv6 addresses on both\
549 | | ... | interfaces to TG, add ARP entry and routes, and configure ICMP ACL\
550 | | ... | on ingress interface with ICMPv6 type and code.
551 | | ... | [Ver] Send ICMPv6 packets from one TG interface\
552 | | ... | to the other, using different codes and types. Receive all packets\
553 | | ... | except those with the filtered type and code.
555 | | [Teardown] | Routed ACL test teardown - ipv6
557 | | Given Configure path in 2-node circular topology
558 | | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['TG']}
559 | | And Import Variables | resources/test_data/honeycomb/plugin_acl.py
560 | | ... | icmpv6 | ${acl_name_icmpv6}
561 | | And Honeycomb configures interface state | ${dut_node} | ${dut_to_tg_if1} | up
562 | | And Honeycomb configures interface state | ${dut_node} | ${dut_to_tg_if2} | up
563 | | And Honeycomb sets interface IPv6 address | ${dut_node}
564 | | ... | ${dut_to_tg_if1} | ${dut_to_tg_if1_ip} | ${prefix_length}
565 | | And Honeycomb sets interface IPv6 address | ${dut_node}
566 | | ... | ${dut_to_tg_if2} | ${dut_to_tg_if2_ip} | ${prefix_length}
567 | | And Honeycomb adds interface IPv6 neighbor
568 | | ... | ${node} | ${dut_to_tg_if2} | ${gateway} | ${tg_to_dut_if2_mac}
569 | | And VPP RA suppress link layer | ${dut_node} | ${dut_to_tg_if2}
570 | | And VPP Route Add | ${node} | ${dst_net} | ${prefix_length}
571 | | ... | ${gateway} | interface=${dut_to_tg_if2} | use_sw_index=False
572 | | And VPP Route Add | ${node} | ${classify_dst_net} | ${prefix_length}
573 | | ... | ${gateway} | interface=${dut_to_tg_if2} | use_sw_index=False
574 | | When Honeycomb Creates ACL Chain Through ACL plugin
575 | | ... | ${dut_node} | ${acl_name_icmpv6} | ${acl_settings}
576 | | And Honeycomb Assigns plugin-acl Chain To Interface
577 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_icmpv6} | ingress
578 | | Then Send ICMP packet with type and code and verify received packet | ${tg_node}
579 | | ... | ${src_ip} | ${dst_ip}
580 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
581 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
582 | | ... | ${icmp_type} | ${icmp_code}
583 | | Then Send ICMP packet with type and code and verify received packet | ${tg_node}
584 | | ... | ${src_ip} | ${dst_ip}
585 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
586 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
587 | | ... | ${classify_type} | ${icmp_code}
588 | | And Run Keyword And Expect Error | ICMP echo Rx timeout
589 | | ... | Send ICMP packet with type and code and verify received packet | ${tg_node}
590 | | ... | ${src_ip} | ${dst_ip}
591 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
592 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
593 | | ... | ${classify_type} | ${classify_code}
595 | TC15: ACL reflexive IPv4 filtering through plugin-acl node - routed
597 | | ... | [Top] TG=DUT1=TG.
598 | | ... | [Enc] Eth-IPv4-TCP.
599 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv4 addresses on both\
600 | | ... | interfaces to TG, add ARP entries and routes,\
601 | | ... | configure a "drop all" ACL on ingress and reflexive ACL on egress.
602 | | ... | [Ver] Send a simple TCP packet to VPP interface 1 and do not receive\
603 | | ... | it back. Then send the packet with reversed src/dst IP address\
604 | | ... | to VPP interface 2 and receive it from interface 1(this should create\
605 | | ... | a reflexive "permit" rule) Finally, send the original packet again\
606 | | ... | and receive it from interface 2.
608 | | [Teardown] | Routed ACL test teardown - ipv4
610 | | Given Setup Interface IPs And Routes For IPv4 plugin-acl Test
611 | | ... | reflex | ${acl_name_reflex}
612 | | And Add ARP on DUT
613 | | ... | ${node} | ${dut_to_tg_if1} | ${gateway2} | ${tg_to_dut_if1_mac}
614 | | And VPP Route Add
615 | | ... | ${node} | ${src_net} | ${prefix_length} | ${gateway2}
616 | | ... | interface=${dut_to_tg_if1} | use_sw_index=False
617 | | And VPP Route Add
618 | | ... | ${node} | ${classify_src_net} | ${prefix_length} | ${gateway2}
619 | | ... | interface=${dut_to_tg_if1} | use_sw_index=False
620 | | When Honeycomb Creates ACL Chain Through ACL plugin
621 | | ... | ${dut_node} | ${acl_name_reflex} | ${acl_settings}
622 | | And Honeycomb Assigns plugin-acl Chain To Interface
623 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_reflex} | egress
624 | | And Import Variables | resources/test_data/honeycomb/plugin_acl.py
625 | | ... | block_all | block_all
626 | | When Honeycomb Creates ACL Chain Through ACL plugin
627 | | ... | ${dut_node} | block_all | ${acl_settings}
628 | | And Honeycomb Assigns plugin-acl Chain To Interface
629 | | ... | ${dut_node} | ${dut_to_tg_if1} | block_all | ingress
630 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
631 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
632 | | ... | ${classify_src} | ${classify_dst}
633 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
634 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
635 | | ... | TCP | ${src_port} | ${dst_port}
636 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
637 | | ... | ${classify_dst} | ${classify_src}
638 | | ... | ${tg_to_dut_if2} | ${tg_to_dut_if2_mac}
639 | | ... | ${tg_to_dut_if1} | ${dut_to_tg_if2_mac}
640 | | ... | TCP | ${dst_port} | ${src_port}
641 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
642 | | ... | ${classify_src} | ${classify_dst}
643 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
644 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
645 | | ... | TCP | ${src_port} | ${dst_port}
648 | Setup interface IPs and routes for IPv4 plugin-acl test
649 | | [Documentation] | Import test variables, set interfaces up,
650 | | ... | configure IPv4 addresses, add neighbor entry and routes.
652 | | [Arguments] | ${test_data_id} | ${acl_name}
654 | | Configure path in 2-node circular topology
655 | | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['TG']}
656 | | Import Variables | resources/test_data/honeycomb/plugin_acl.py
657 | | ... | ${test_data_id} | ${acl_name}
658 | | Honeycomb configures interface state | ${dut_node} | ${dut_to_tg_if1} | up
659 | | Honeycomb configures interface state | ${dut_node} | ${dut_to_tg_if2} | up
660 | | Honeycomb sets interface IPv4 address with prefix | ${dut_node}
661 | | ... | ${dut_to_tg_if1} | ${dut_to_tg_if1_ip} | ${prefix_length}
662 | | Honeycomb sets interface IPv4 address with prefix | ${dut_node}
663 | | ... | ${dut_to_tg_if2} | ${dut_to_tg_if2_ip} | ${prefix_length}
664 | | And Honeycomb adds interface IPv4 neighbor
665 | | ... | ${node} | ${dut_to_tg_if2} | ${gateway} | ${tg_to_dut_if2_mac}
667 | | ... | ${node} | ${dst_net} | ${prefix_length} | ${gateway}
668 | | ... | interface=${dut_to_tg_if2} | use_sw_index=False
670 | | ... | ${node} | ${classify_dst_net} | ${prefix_length} | ${gateway}
671 | | ... | interface=${dut_to_tg_if2} | use_sw_index=False
673 | Setup interfaces and bridge domain for plugin-acl test
674 | | [Documentation] | Import test variables, set interfaces up and bridge them.
676 | | [Arguments] | ${test_data_id} | ${acl_name}
678 | | Configure path in 2-node circular topology
679 | | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['TG']}
680 | | Import Variables | resources/test_data/honeycomb/plugin_acl.py
681 | | ... | ${test_data_id} | ${acl_name}
682 | | Honeycomb configures interface state | ${dut_node} | ${dut_to_tg_if1} | up
683 | | Honeycomb configures interface state | ${dut_node} | ${dut_to_tg_if2} | up
684 | | Honeycomb Creates first L2 Bridge Domain
685 | | ... | ${dut_node} | ${bd_name} | ${bd_settings}
686 | | Honeycomb Adds Interfaces To Bridge Domain
687 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${dut_to_tg_if2}
688 | | ... | ${bd_name} | ${bd_if_settings}
690 | Bridged ACL test teardown
691 | | [Documentation] | Log packet trace and ACL settings,
692 | | ... | then clean up bridge domains.
694 | | Show Packet Trace on All DUTs | ${nodes}
695 | | Read plugin-ACL configuration from VAT | ${node}
696 | | Clear plugin-ACL configuration | ${node} | ${dut_to_tg_if1}
697 | | Honeycomb Removes All Bridge Domains
698 | | ... | ${node} | ${dut_to_tg_if1} | ${dut_to_tg_if2}
700 | Routed ACL test teardown - ipv4
701 | | [Documentation] | Log packet trace and ACL settings,
702 | | ... | then clean up IPv4 addresses and neighbors.
704 | | Show Packet Trace on All DUTs | ${nodes}
705 | | Read plugin-ACL configuration from VAT | ${node}
706 | | Clear plugin-ACL configuration | ${node} | ${dut_to_tg_if1}
707 | | Honeycomb removes interface IPv4 addresses | ${node} | ${dut_to_tg_if1}
708 | | Honeycomb clears all interface IPv4 neighbors | ${node} | ${dut_to_tg_if1}
710 | Routed ACL test teardown - ipv6
711 | | [Documentation] | Log packet trace and ACL settings,
712 | | ... | then clean up IPv6 addresses and neighbors.
714 | | Show Packet Trace on All DUTs | ${nodes}
715 | | Clear plugin-ACL configuration | ${node} | ${dut_to_tg_if1}
716 | | Read plugin-ACL configuration from VAT | ${node}
717 | | Honeycomb removes interface IPv6 addresses | ${node} | ${dut_to_tg_if1}
718 | | Honeycomb clears all interface IPv6 neighbors | ${node} | ${dut_to_tg_if1}
Code Review / csit.git / blob