1 # Copyright (c) 2016 Cisco and/or its affiliates.
2 # Licensed under the Apache License, Version 2.0 (the "License");
3 # you may not use this file except in compliance with the License.
4 # You may obtain a copy of the License at:
6 # http://www.apache.org/licenses/LICENSE-2.0
8 # Unless required by applicable law or agreed to in writing, software
9 # distributed under the License is distributed on an "AS IS" BASIS,
10 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
11 # See the License for the specific language governing permissions and
12 # limitations under the License.
15 | &{if_settings}= | enabled=True
16 # Bridge domain settings
18 | &{bd_settings}= | flood=${True} | forward=${True} | learn=${True}
19 | ... | unknown-unicast-flood=${True} | arp-termination=${False}
20 | &{bd_if_settings}= | split_horizon_group=${0} | bvi=${False}
22 | ${acl_name_macip}= | macip
23 | ${acl_name_l3_ip4}= | acl_l3_ip4
24 | ${acl_name_l3_ip6}= | acl_l3_ip6
25 | ${acl_name_l4}= | acl_l4
26 | ${acl_name_mixed}= | acl_mixed
27 | ${acl_name_icmp}= | acl_icmp
28 | ${acl_name_icmpv6}= | acl_icmpv6
29 | ${acl_name_reflex}= | acl_reflex
32 | Resource | resources/libraries/robot/shared/default.robot
33 | Resource | resources/libraries/robot/honeycomb/honeycomb.robot
34 | Resource | resources/libraries/robot/honeycomb/interfaces.robot
35 | Resource | resources/libraries/robot/honeycomb/bridge_domain.robot
36 | Resource | resources/libraries/robot/honeycomb/access_control_lists.robot
37 | Resource | resources/libraries/robot/shared/testing_path.robot
38 | Resource | resources/libraries/robot/shared/traffic.robot
39 | Library | resources.libraries.python.honeycomb.HcAPIKwACL.ACLKeywords
40 | Library | resources.libraries.python.Trace
41 | Library | resources.libraries.python.IPv4Setup
42 | Library | resources.libraries.python.IPv4Util
43 | Library | resources.libraries.python.IPv6Util
44 | Library | resources.libraries.python.Routing
46 | Test Setup | Clear Packet Trace on All DUTs | ${nodes}
48 | Suite Setup | Set Up Honeycomb Functional Test Suite | ${node}
50 | Suite Teardown | Tear Down Honeycomb Functional Test Suite | ${node}
52 | Documentation | *Honeycomb access control lists test suite for ACL plugin.*
54 # Failing due to HC2VPP-173: cannot clean up ACLs in test teardown
55 | Force Tags | HC_FUNC | EXPECTED_FAILING
58 | TC01: ACL MAC filtering through plugin-acl node - bridged
60 | | ... | [Top] TG=DUT1=TG.
61 | | ... | [Enc] Eth-IPv4-TCP.
62 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG\
63 | | ... | and configure L2 MAC ACL on ingress interface.
64 | | ... | [Ver] Send simple TCP packets from one TG interface to the other,\
65 | | ... | using different MACs. Receive all packets except those with\
66 | | ... | MACs in the filtered ranges.
68 | | [Teardown] | Bridged ACL test teardown
70 | | Given Setup Interfaces And Bridge Domain For plugin-acl Test
71 | | ... | macip | ${acl_name_macip}
72 | | When Honeycomb Creates ACL Chain Through ACL plugin
73 | | ... | ${dut_node} | ${acl_name_macip} | ${acl_settings} | macip=${True}
74 | | And Honeycomb Assigns plugin-acl Chain To Interface
75 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_macip}
76 | | ... | ingress | macip=${True}
77 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
78 | | ... | ${src_ip} | ${dst_ip}
79 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
80 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
81 | | ... | TCP | ${src_port} | ${dst_port}
82 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
83 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
84 | | ... | ${src_ip} | ${dst_ip}
85 | | ... | ${tg_to_dut_if1} | ${classify_src}
86 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
87 | | ... | TCP | ${src_port} | ${dst_port}
88 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
89 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
90 | | ... | ${src_ip} | ${dst_ip}
91 | | ... | ${tg_to_dut_if1} | ${classify_src2}
92 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
93 | | ... | TCP | ${src_port} | ${dst_port}
95 | TC02: ACL IPv4 filtering through plugin-acl node - bridged
97 | | ... | [Top] TG=DUT1=TG.
98 | | ... | [Enc] Eth-IPv4-TCP.
99 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG\
100 | | ... | and configure L3 IPv4 ACL on ingress interface with src/dst IP
101 | | ... | and protocol number.
102 | | ... | [Ver] Send simple TCP and UDP packets from one TG interface\
103 | | ... | to the other, using different IPv4 IPs. Receive all packets except\
104 | | ... | those with IPs in the filtered ranges and UDP protocol payload.
106 | | [Teardown] | Bridged ACL test teardown
108 | | Given Setup Interfaces And Bridge Domain For plugin-acl Test
109 | | ... | l3_ip4 | ${acl_name_l3_ip4}
110 | | When Honeycomb Creates ACL Chain Through ACL plugin
111 | | ... | ${dut_node} | ${acl_name_l3_ip4} | ${acl_settings}
112 | | And Honeycomb Assigns plugin-acl Chain To Interface
113 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_l3_ip4} | ingress
114 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
115 | | ... | ${src_ip} | ${dst_ip}
116 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
117 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
118 | | ... | UDP | ${src_port} | ${dst_port}
119 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
120 | | ... | ${classify_src} | ${classify_dst}
121 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
122 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
123 | | ... | TCP | ${src_port} | ${dst_port}
124 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
125 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
126 | | ... | ${classify_src} | ${classify_dst}
127 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
128 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
129 | | ... | UDP | ${src_port} | ${dst_port}
131 | TC03: ACL IPv6 filtering through plugin-acl node - bridged
133 | | ... | [Top] TG=DUT1=TG.
134 | | ... | [Enc] Eth-IPv6-TCP.
135 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG\
136 | | ... | and configure L3 IPv6 ACL on ingress interface with src/dst IP
137 | | ... | and protocol number.
138 | | ... | [Ver] Send simple TCP and UDP packets from one TG interface\
139 | | ... | to the other, using different IPv6 IPs. Receive all packets except\
140 | | ... | those with IPs in the filtered ranges and UDP protocol payload.
142 | | [Teardown] | Bridged ACL test teardown
144 | | Given Setup interfaces and bridge domain for plugin-acl test
145 | | ... | l3_ip6 | ${acl_name_l3_ip6}
146 | | When Honeycomb Creates ACL Chain Through ACL plugin
147 | | ... | ${dut_node} | ${acl_name_l3_ip6} | ${acl_settings}
148 | | And Honeycomb Assigns plugin-acl Chain To Interface
149 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_l3_ip6} | ingress
150 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
151 | | ... | ${src_ip} | ${dst_ip}
152 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
153 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
154 | | ... | UDP | ${src_port} | ${dst_port}
155 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
156 | | ... | ${classify_src} | ${classify_dst}
157 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
158 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
159 | | ... | TCP | ${src_port} | ${dst_port}
160 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
161 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
162 | | ... | ${classify_src} | ${classify_dst}
163 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
164 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
165 | | ... | UDP | ${src_port} | ${dst_port}
167 | TC04: ACL port filtering through plugin-acl node - bridged
169 | | ... | [Top] TG=DUT1=TG.
170 | | ... | [Enc] Eth-IPv4-TCP.
171 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG\
172 | | ... | and and configure L4 port ACL on ingress interface
173 | | ... | with src/dst port ranges.
174 | | ... | [Ver] Send simple TCP and UDP packets from one TG interface\
175 | | ... | to the other, using different ports. Receive all packets except\
176 | | ... | those with ports in the filtered ranges.
178 | | [Teardown] | Bridged ACL test teardown
180 | | Given Setup interfaces and bridge domain for plugin-acl test
181 | | ... | L4 | ${acl_name_l4}
182 | | When Honeycomb Creates ACL Chain Through ACL plugin
183 | | ... | ${dut_node} | ${acl_name_l4} | ${acl_settings}
184 | | And Honeycomb Assigns plugin-acl Chain To Interface
185 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_l4} | ingress
186 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
187 | | ... | ${src_ip} | ${dst_ip}
188 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
189 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
190 | | ... | TCP | ${src_port} | ${dst_port}
191 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
192 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
193 | | ... | ${src_ip} | ${dst_ip}
194 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
195 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
196 | | ... | TCP | ${classify_src} | ${classify_dst}
197 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
198 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
199 | | ... | ${src_ip} | ${dst_ip}
200 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
201 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
202 | | ... | TCP | ${classify_src+5} | ${classify_dst+5}
204 | TC05: ACL filtering with IPv4 address and TCP port in one rule - bridged
206 | | ... | [Top] TG=DUT1=TG.
207 | | ... | [Enc] Eth-IPv4-TCP.
208 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG\
209 | | ... | and configure a mixed rule with src/dst IP, TCP protocol
210 | | ... | and port ranges.
211 | | ... | [Ver] Send simple TCP packets from one TG interface to the other,\
212 | | ... | using IPs and ports. Receive all packets except those with\
213 | | ... | both IPs and ports in the filtered ranges.
215 | | [Teardown] | Bridged ACL test teardown
217 | | Given Setup Interfaces And Bridge Domain For plugin-acl Test
218 | | ... | mixed | ${acl_name_mixed}
219 | | When Honeycomb Creates ACL Chain Through ACL plugin
220 | | ... | ${dut_node} | ${acl_name_mixed} | ${acl_settings}
221 | | And Honeycomb Assigns plugin-acl Chain To Interface
222 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_mixed} | ingress
223 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
224 | | ... | ${src_ip} | ${dst_ip}
225 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
226 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
227 | | ... | TCP | ${src_port} | ${dst_port}
228 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
229 | | ... | ${classify_src_ip} | ${classify_dst_ip}
230 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
231 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
232 | | ... | TCP | ${src_port} | ${dst_port}
233 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
234 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
235 | | ... | ${classify_src_ip} | ${classify_dst_ip}
236 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
237 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
238 | | ... | TCP | ${classify_src_port} | ${classify_dst_port}
240 | TC06: ACL ICMP packet filtering - bridged
242 | | ... | [Top] TG=DUT1=TG.
243 | | ... | [Enc] Eth-IPv4-ICMP.
244 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG\
245 | | ... | and configure a ICMP protocol filtering by ICMP type and code.
246 | | ... | [Ver] Send ICMP packets from one TG interface\
247 | | ... | to the other, using different codes and types. Receive all packets\
248 | | ... | except those with types and codes in the filtered ranges.
250 | | [Teardown] | Bridged ACL test teardown
252 | | Given Setup interfaces and bridge domain for plugin-acl test
253 | | ... | icmp | ${acl_name_icmp}
254 | | When Honeycomb Creates ACL Chain Through ACL plugin
255 | | ... | ${dut_node} | ${acl_name_icmp} | ${acl_settings}
256 | | And Honeycomb Assigns plugin-acl Chain To Interface
257 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_icmp} | ingress
258 | | Then Send ICMP packet with type and code and verify received packet
260 | | ... | ${src_ip} | ${dst_ip}
261 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
262 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
263 | | ... | ${icmp_type} | ${icmp_code}
264 | | Then Send ICMP packet with type and code and verify received packet
266 | | ... | ${src_ip} | ${dst_ip}
267 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
268 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
269 | | ... | ${classify_type} | ${icmp_code}
270 | | And Run Keyword And Expect Error | ICMP echo Rx timeout
271 | | ... | Send ICMP packet with type and code and verify received packet
273 | | ... | ${src_ip} | ${dst_ip}
274 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
275 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
276 | | ... | ${classify_type} | ${classify_code}
278 | TC07: ACL ICMPv6 packet filtering - bridged
280 | | ... | [Top] TG=DUT1=TG.
281 | | ... | [Enc] Eth-IPv6-ICMP.
282 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG\
283 | | ... | and configure a ICMPv6 protocol filtering by ICMPv6 type and code.
284 | | ... | [Ver] Send ICMPv6 packets from one TG interface\
285 | | ... | to the other, using different codes and types. Receive all packets\
286 | | ... | except those with the filtered type and code.
288 | | [Teardown] | Bridged ACL test teardown
290 | | Given Setup interfaces and bridge domain for plugin-acl test
291 | | ... | icmpv6 | ${acl_name_icmpv6}
292 | | When Honeycomb Creates ACL Chain Through ACL plugin
293 | | ... | ${dut_node} | ${acl_name_icmpv6} | ${acl_settings}
294 | | And Honeycomb Assigns plugin-acl Chain To Interface
295 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_icmpv6} | ingress
296 | | Then Send ICMP packet with type and code and verify received packet
298 | | ... | ${src_ip} | ${dst_ip}
299 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
300 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
301 | | ... | ${icmp_type} | ${icmp_code}
302 | | Then Send ICMP packet with type and code and verify received packet
304 | | ... | ${src_ip} | ${dst_ip}
305 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
306 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
307 | | ... | ${classify_type} | ${icmp_code}
308 | | And Run Keyword And Expect Error | ICMP echo Rx timeout
309 | | ... | Send ICMP packet with type and code and verify received packet
311 | | ... | ${src_ip} | ${dst_ip}
312 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
313 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
314 | | ... | ${classify_type} | ${classify_code}
316 | TC08: ACL reflexive IPv4 filtering through plugin-acl node - bridged
318 | | ... | [Top] TG=DUT1=TG.
319 | | ... | [Enc] Eth-IPv4-TCP.
320 | | ... | [Cfg] (Using Honeycomb API) On DUT1 bridge both interfaces to TG,\
321 | | ... | configure a "drop all" ACL on ingress and reflexive ACL on egress.
322 | | ... | [Ver] Send a simple TCP packet to VPP interface 1 and do not receive\
323 | | ... | it back. Then send the packet with reversed src/dst IP address\
324 | | ... | to VPP interface 2 and receive it from interface 1(this should create\
325 | | ... | a reflexive "permit" rule) Finally, send the original packet again\
326 | | ... | and receive it from interface 2.
328 | | [Teardown] | Bridged ACL test teardown
330 | | Given Setup Interfaces And Bridge Domain For plugin-acl Test
331 | | ... | reflex | ${acl_name_reflex}
332 | | When Honeycomb Creates ACL Chain Through ACL plugin
333 | | ... | ${dut_node} | ${acl_name_reflex} | ${acl_settings}
334 | | And Honeycomb Assigns plugin-acl Chain To Interface
335 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_reflex} | egress
336 | | And Import Variables | resources/test_data/honeycomb/plugin_acl.py
337 | | ... | block_all | block_all
338 | | When Honeycomb Creates ACL Chain Through ACL plugin
339 | | ... | ${dut_node} | block_all | ${acl_settings}
340 | | And Honeycomb Assigns plugin-acl Chain To Interface
341 | | ... | ${dut_node} | ${dut_to_tg_if1} | block_all | ingress
342 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
343 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
344 | | ... | ${classify_src} | ${classify_dst}
345 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
346 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
347 | | ... | TCP | ${src_port} | ${dst_port}
348 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
349 | | ... | ${classify_dst} | ${classify_src}
350 | | ... | ${tg_to_dut_if2} | ${tg_to_dut_if2_mac}
351 | | ... | ${tg_to_dut_if1} | ${dut_to_tg_if2_mac}
352 | | ... | TCP | ${dst_port} | ${src_port}
353 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
354 | | ... | ${classify_src} | ${classify_dst}
355 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
356 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
357 | | ... | TCP | ${src_port} | ${dst_port}
362 | TC09: ACL IPv4 filtering through plugin-acl node - routed
364 | | ... | [Top] TG=DUT1=TG.
365 | | ... | [Enc] Eth-IPv4-TCP.
366 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv4 addresses on both\
367 | | ... | interfaces to TG, add ARP entry and routes, and configure L3 IPv4 ACL\
368 | | ... | on ingress interface with src/dst IP and protocol.
369 | | ... | [Ver] Send simple TCP and UDP packets from one TG interface\
370 | | ... | to the other, using different IPv4 IPs. Receive all packets except\
371 | | ... | those with IPs in the filtered ranges and UDP protocol payload.
373 | | [Teardown] | Routed ACL test teardown - ipv4
375 | | Given Setup Interface IPs And Routes For IPv4 plugin-acl Test
376 | | ... | l3_ip4 | ${acl_name_l3_ip4}
377 | | When Honeycomb Creates ACL Chain Through ACL plugin
378 | | ... | ${dut_node} | ${acl_name_l3_ip4} | ${acl_settings}
379 | | And Honeycomb Assigns plugin-acl Chain To Interface
380 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_l3_ip4} | ingress
381 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
382 | | ... | ${src_ip} | ${dst_ip}
383 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
384 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
385 | | ... | UDP | ${src_port} | ${dst_port}
386 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
387 | | ... | ${classify_src} | ${classify_dst}
388 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
389 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
390 | | ... | TCP | ${src_port} | ${dst_port}
391 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
392 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
393 | | ... | ${classify_src} | ${classify_dst}
394 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
395 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
396 | | ... | UDP | ${src_port} | ${dst_port}
398 | TC10: ACL IPv6 filtering through plugin-acl node - routed
400 | | ... | [Top] TG=DUT1=TG.
401 | | ... | [Enc] Eth-IPv6-TCP.
402 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv6 addresses on both\
403 | | ... | interfaces to TG, add IP neighbor entry and routes, and configure\
404 | | ... | L3 IPv6 ACL on ingress interface with src/dst IP and next-header.
405 | | ... | [Ver] Send simple TCP and UDP packets from one TG interface\
406 | | ... | to the other, using different IPv6 IPs. Receive all packets except\
407 | | ... | those with IPs in the filtered ranges and UDP protocol payload.
409 | | [Teardown] | Routed ACL test teardown - ipv6
411 | | Given Configure path in 2-node circular topology
412 | | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['TG']}
413 | | And Import Variables | resources/test_data/honeycomb/plugin_acl.py
414 | | ... | L3_IP6 | ${acl_name_l3_ip6}
415 | | And Honeycomb configures interface state
416 | | ... | ${dut_node} | ${dut_to_tg_if1} | up
417 | | And Honeycomb configures interface state
418 | | ... | ${dut_node} | ${dut_to_tg_if2} | up
419 | | And Honeycomb sets interface IPv6 address | ${dut_node}
420 | | ... | ${dut_to_tg_if1} | ${dut_to_tg_if1_ip} | ${prefix_length}
421 | | And Honeycomb sets interface IPv6 address | ${dut_node}
422 | | ... | ${dut_to_tg_if2} | ${dut_to_tg_if2_ip} | ${prefix_length}
423 | | And VPP RA suppress link layer | ${dut_node} | ${dut_to_tg_if2}
424 | | And Honeycomb adds interface IPv6 neighbor
425 | | ... | ${node} | ${dut_to_tg_if2} | ${gateway} | ${tg_to_dut_if2_mac}
426 | | And VPP Route Add | ${node} | ${dst_net} | ${prefix_length}
427 | | ... | ${gateway} | interface=${dut_to_tg_if2} | use_sw_index=False
428 | | And VPP Route Add | ${node} | ${classify_dst_net} | ${prefix_length}
429 | | ... | ${gateway} | interface=${dut_to_tg_if2} | use_sw_index=False
430 | | When Honeycomb Creates ACL Chain Through ACL plugin
431 | | ... | ${dut_node} | ${acl_name_l3_ip6} | ${acl_settings}
432 | | And Honeycomb Assigns plugin-acl Chain To Interface
433 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_l3_ip6} | ingress
434 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
435 | | ... | ${src_ip} | ${dst_ip}
436 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
437 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
438 | | ... | UDP | ${src_port} | ${dst_port}
439 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
440 | | ... | ${classify_src} | ${classify_dst}
441 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
442 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
443 | | ... | TCP | ${src_port} | ${dst_port}
444 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
445 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
446 | | ... | ${classify_src} | ${classify_dst}
447 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
448 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
449 | | ... | UDP | ${src_port} | ${dst_port}
451 | TC11: ACL port filtering through plugin-acl node - routed
453 | | ... | [Top] TG=DUT1=TG.
454 | | ... | [Enc] Eth-IPv4-TCP.
455 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv4 addresses on both\
456 | | ... | interfaces to TG, add ARP entry and routes, and configure L4 port ACL\
457 | | ... | on ingress interface with src/dst port ranges.
458 | | ... | [Ver] Send simple TCP and UDP packets from one TG interface\
459 | | ... | to the other, using different ports. Receive all packets except\
460 | | ... | those with ports in the filtered ranges.
462 | | [Teardown] | Routed ACL test teardown - ipv4
464 | | Given Setup Interface IPs And Routes For IPv4 plugin-acl Test
465 | | ... | L4 | ${acl_name_l4}
466 | | When Honeycomb Creates ACL Chain Through ACL plugin
467 | | ... | ${dut_node} | ${acl_name_l4} | ${acl_settings}
468 | | And Honeycomb Assigns plugin-acl Chain To Interface
469 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_l4} | ingress
470 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
471 | | ... | ${src_ip} | ${dst_ip}
472 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
473 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
474 | | ... | TCP | ${src_port} | ${dst_port}
475 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
476 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
477 | | ... | ${src_ip} | ${dst_ip}
478 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
479 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
480 | | ... | TCP | ${classify_src} | ${classify_dst}
481 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
482 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
483 | | ... | ${src_ip} | ${dst_ip}
484 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
485 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
486 | | ... | TCP | ${classify_src+5} | ${classify_dst+5}
488 | TC12: ACL filtering with IPv4 address and TCP port in one rule - routed
490 | | ... | [Top] TG=DUT1=TG.
491 | | ... | [Enc] Eth-IPv4-TCP.
492 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv4 addresses on both\
493 | | ... | interfaces to TG, add ARP entry and routes and configure a mixed
494 | | ... | rule with src/dst IP, TCP protocol and port ranges.
495 | | ... | [Ver] Send simple TCP packets from one TG interface to the other,\
496 | | ... | using IPs and ports. Receive all packets except those with\
497 | | ... | both IPs and ports in the filtered ranges.
499 | | [Teardown] | Routed ACL test teardown - ipv4
501 | | Given Setup Interface IPs And Routes For IPv4 plugin-acl Test
502 | | ... | mixed | ${acl_name_mixed}
503 | | When Honeycomb Creates ACL Chain Through ACL plugin
504 | | ... | ${dut_node} | ${acl_name_mixed} | ${acl_settings}
505 | | And Honeycomb Assigns plugin-acl Chain To Interface
506 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_mixed} | ingress
507 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
508 | | ... | ${src_ip} | ${dst_ip}
509 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
510 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
511 | | ... | TCP | ${src_port} | ${dst_port}
512 | | Then Send TCP or UDP packet and verify received packet | ${tg_node}
513 | | ... | ${classify_src_ip} | ${classify_dst_ip}
514 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
515 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
516 | | ... | TCP | ${src_port} | ${dst_port}
517 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
518 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
519 | | ... | ${classify_src_ip} | ${classify_dst_ip}
520 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
521 | | ... | ${tg_to_dut_if2} | ${dst_mac}
522 | | ... | TCP | ${classify_src_port} | ${classify_dst_port}
524 | TC13: ACL ICMP packet filtering - routed
526 | | ... | [Top] TG=DUT1=TG.
527 | | ... | [Enc] Eth-IPv4-TCP.
528 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv4 addresses on both\
529 | | ... | interfaces to TG, add ARP entry and routes, and configure ICMP ACL\
530 | | ... | on ingress interface with ICMP type and code.
531 | | ... | [Ver] Send ICMP packets from one TG interface\
532 | | ... | to the other, using different codes and types. Receive all packets\
533 | | ... | except those with the filtered type and code.
535 | | [Teardown] | Routed ACL test teardown - ipv4
537 | | Given Setup Interface IPs And Routes For IPv4 plugin-acl Test
538 | | ... | icmp | ${acl_name_icmp}
539 | | When Honeycomb Creates ACL Chain Through ACL plugin
540 | | ... | ${dut_node} | ${acl_name_icmp} | ${acl_settings}
541 | | And Honeycomb Assigns plugin-acl Chain To Interface
542 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_icmp} | ingress
543 | | Then Send ICMP packet with type and code and verify received packet
545 | | ... | ${src_ip} | ${dst_ip}
546 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
547 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
548 | | ... | ${icmp_type} | ${icmp_code}
549 | | Then Send ICMP packet with type and code and verify received packet
551 | | ... | ${src_ip} | ${dst_ip}
552 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
553 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
554 | | ... | ${classify_type} | ${icmp_code}
555 | | And Run Keyword And Expect Error | ICMP echo Rx timeout
556 | | ... | Send ICMP packet with type and code and verify received packet
558 | | ... | ${src_ip} | ${dst_ip}
559 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
560 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
561 | | ... | ${classify_type} | ${classify_code}
563 | TC14: ACL ICMPv6 packet filtering - routed
565 | | ... | [Top] TG=DUT1=TG.
566 | | ... | [Enc] Eth-IPv4-TCP.
567 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv6 addresses on both\
568 | | ... | interfaces to TG, add ARP entry and routes, and configure ICMP ACL\
569 | | ... | on ingress interface with ICMPv6 type and code.
570 | | ... | [Ver] Send ICMPv6 packets from one TG interface\
571 | | ... | to the other, using different codes and types. Receive all packets\
572 | | ... | except those with the filtered type and code.
574 | | [Teardown] | Routed ACL test teardown - ipv6
576 | | Given Configure path in 2-node circular topology
577 | | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['TG']}
578 | | And Import Variables | resources/test_data/honeycomb/plugin_acl.py
579 | | ... | icmpv6 | ${acl_name_icmpv6}
580 | | And Honeycomb configures interface state
581 | | ... | ${dut_node} | ${dut_to_tg_if1} | up
582 | | And Honeycomb configures interface state
583 | | ... | ${dut_node} | ${dut_to_tg_if2} | up
584 | | And Honeycomb sets interface IPv6 address | ${dut_node}
585 | | ... | ${dut_to_tg_if1} | ${dut_to_tg_if1_ip} | ${prefix_length}
586 | | And Honeycomb sets interface IPv6 address | ${dut_node}
587 | | ... | ${dut_to_tg_if2} | ${dut_to_tg_if2_ip} | ${prefix_length}
588 | | And Honeycomb adds interface IPv6 neighbor
589 | | ... | ${node} | ${dut_to_tg_if2} | ${gateway} | ${tg_to_dut_if2_mac}
590 | | And VPP RA suppress link layer | ${dut_node} | ${dut_to_tg_if2}
591 | | And VPP Route Add | ${node} | ${dst_net} | ${prefix_length}
592 | | ... | ${gateway} | interface=${dut_to_tg_if2} | use_sw_index=False
593 | | And VPP Route Add | ${node} | ${classify_dst_net} | ${prefix_length}
594 | | ... | ${gateway} | interface=${dut_to_tg_if2} | use_sw_index=False
595 | | When Honeycomb Creates ACL Chain Through ACL plugin
596 | | ... | ${dut_node} | ${acl_name_icmpv6} | ${acl_settings}
597 | | And Honeycomb Assigns plugin-acl Chain To Interface
598 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_icmpv6} | ingress
599 | | Then Send ICMP packet with type and code and verify received packet
601 | | ... | ${src_ip} | ${dst_ip}
602 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
603 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
604 | | ... | ${icmp_type} | ${icmp_code}
605 | | Then Send ICMP packet with type and code and verify received packet
607 | | ... | ${src_ip} | ${dst_ip}
608 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
609 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
610 | | ... | ${classify_type} | ${icmp_code}
611 | | And Run Keyword And Expect Error | ICMP echo Rx timeout
612 | | ... | Send ICMP packet with type and code and verify received packet
614 | | ... | ${src_ip} | ${dst_ip}
615 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
616 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
617 | | ... | ${classify_type} | ${classify_code}
619 | TC15: ACL reflexive IPv4 filtering through plugin-acl node - routed
621 | | ... | [Top] TG=DUT1=TG.
622 | | ... | [Enc] Eth-IPv4-TCP.
623 | | ... | [Cfg] (Using Honeycomb API) On DUT1 set IPv4 addresses on both\
624 | | ... | interfaces to TG, add ARP entries and routes,\
625 | | ... | configure a "drop all" ACL on ingress and reflexive ACL on egress.
626 | | ... | [Ver] Send a simple TCP packet to VPP interface 1 and do not receive\
627 | | ... | it back. Then send the packet with reversed src/dst IP address\
628 | | ... | to VPP interface 2 and receive it from interface 1(this should create\
629 | | ... | a reflexive "permit" rule) Finally, send the original packet again\
630 | | ... | and receive it from interface 2.
632 | | [Teardown] | Routed ACL test teardown - ipv4
634 | | Given Setup Interface IPs And Routes For IPv4 plugin-acl Test
635 | | ... | reflex | ${acl_name_reflex}
636 | | And Add ARP on DUT
637 | | ... | ${node} | ${dut_to_tg_if1} | ${gateway2} | ${tg_to_dut_if1_mac}
638 | | And VPP Route Add
639 | | ... | ${node} | ${src_net} | ${prefix_length} | ${gateway2}
640 | | ... | interface=${dut_to_tg_if1} | use_sw_index=False
641 | | And VPP Route Add
642 | | ... | ${node} | ${classify_src_net} | ${prefix_length} | ${gateway2}
643 | | ... | interface=${dut_to_tg_if1} | use_sw_index=False
644 | | When Honeycomb Creates ACL Chain Through ACL plugin
645 | | ... | ${dut_node} | ${acl_name_reflex} | ${acl_settings}
646 | | And Honeycomb Assigns plugin-acl Chain To Interface
647 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${acl_name_reflex} | egress
648 | | And Import Variables | resources/test_data/honeycomb/plugin_acl.py
649 | | ... | block_all | block_all
650 | | When Honeycomb Creates ACL Chain Through ACL plugin
651 | | ... | ${dut_node} | block_all | ${acl_settings}
652 | | And Honeycomb Assigns plugin-acl Chain To Interface
653 | | ... | ${dut_node} | ${dut_to_tg_if1} | block_all | ingress
654 | | And Run Keyword And Expect Error | TCP/UDP Rx timeout
655 | | ... | Send TCP or UDP packet and verify received packet | ${tg_node}
656 | | ... | ${classify_src} | ${classify_dst}
657 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
658 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
659 | | ... | TCP | ${src_port} | ${dst_port}
660 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
661 | | ... | ${classify_dst} | ${classify_src}
662 | | ... | ${tg_to_dut_if2} | ${tg_to_dut_if2_mac}
663 | | ... | ${tg_to_dut_if1} | ${dut_to_tg_if2_mac}
664 | | ... | TCP | ${dst_port} | ${src_port}
665 | | And Send TCP or UDP packet and verify received packet | ${tg_node}
666 | | ... | ${classify_src} | ${classify_dst}
667 | | ... | ${tg_to_dut_if1} | ${tg_to_dut_if1_mac}
668 | | ... | ${tg_to_dut_if2} | ${dut_to_tg_if1_mac}
669 | | ... | TCP | ${src_port} | ${dst_port}
672 | Setup interface IPs and routes for IPv4 plugin-acl test
673 | | [Documentation] | Import test variables, set interfaces up,
674 | | ... | configure IPv4 addresses, add neighbor entry and routes.
676 | | [Arguments] | ${test_data_id} | ${acl_name}
678 | | Configure path in 2-node circular topology
679 | | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['TG']}
680 | | Import Variables | resources/test_data/honeycomb/plugin_acl.py
681 | | ... | ${test_data_id} | ${acl_name}
682 | | Honeycomb configures interface state | ${dut_node} | ${dut_to_tg_if1} | up
683 | | Honeycomb configures interface state | ${dut_node} | ${dut_to_tg_if2} | up
684 | | Honeycomb sets interface IPv4 address with prefix | ${dut_node}
685 | | ... | ${dut_to_tg_if1} | ${dut_to_tg_if1_ip} | ${prefix_length}
686 | | Honeycomb sets interface IPv4 address with prefix | ${dut_node}
687 | | ... | ${dut_to_tg_if2} | ${dut_to_tg_if2_ip} | ${prefix_length}
688 | | And Honeycomb adds interface IPv4 neighbor
689 | | ... | ${node} | ${dut_to_tg_if2} | ${gateway} | ${tg_to_dut_if2_mac}
691 | | ... | ${node} | ${dst_net} | ${prefix_length} | ${gateway}
692 | | ... | interface=${dut_to_tg_if2} | use_sw_index=False
694 | | ... | ${node} | ${classify_dst_net} | ${prefix_length} | ${gateway}
695 | | ... | interface=${dut_to_tg_if2} | use_sw_index=False
697 | Setup interfaces and bridge domain for plugin-acl test
698 | | [Documentation] | Import test variables, set interfaces up and bridge them.
700 | | [Arguments] | ${test_data_id} | ${acl_name}
702 | | Configure path in 2-node circular topology
703 | | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['TG']}
704 | | Import Variables | resources/test_data/honeycomb/plugin_acl.py
705 | | ... | ${test_data_id} | ${acl_name}
706 | | Honeycomb configures interface state | ${dut_node} | ${dut_to_tg_if1} | up
707 | | Honeycomb configures interface state | ${dut_node} | ${dut_to_tg_if2} | up
708 | | Honeycomb Creates first L2 Bridge Domain
709 | | ... | ${dut_node} | ${bd_name} | ${bd_settings}
710 | | Honeycomb Adds Interfaces To Bridge Domain
711 | | ... | ${dut_node} | ${dut_to_tg_if1} | ${dut_to_tg_if2}
712 | | ... | ${bd_name} | ${bd_if_settings}
714 | Bridged ACL test teardown
715 | | [Documentation] | Log packet trace and ACL settings,
716 | | ... | then clean up bridge domains.
718 | | Show Packet Trace on All DUTs | ${nodes}
719 | | Read plugin-ACL configuration from VAT | ${node}
720 | | Clear plugin-ACL configuration | ${node} | ${dut_to_tg_if1}
721 | | Honeycomb Removes All Bridge Domains
722 | | ... | ${node} | ${dut_to_tg_if1} | ${dut_to_tg_if2}
724 | Routed ACL test teardown - ipv4
725 | | [Documentation] | Log packet trace and ACL settings,
726 | | ... | then clean up IPv4 addresses and neighbors.
728 | | Show Packet Trace on All DUTs | ${nodes}
729 | | Read plugin-ACL configuration from VAT | ${node}
730 | | Clear plugin-ACL configuration | ${node} | ${dut_to_tg_if1}
731 | | Honeycomb removes interface IPv4 addresses | ${node} | ${dut_to_tg_if1}
732 | | Honeycomb clears all interface IPv4 neighbors | ${node} | ${dut_to_tg_if1}
734 | Routed ACL test teardown - ipv6
735 | | [Documentation] | Log packet trace and ACL settings,
736 | | ... | then clean up IPv6 addresses and neighbors.
738 | | Show Packet Trace on All DUTs | ${nodes}
739 | | Clear plugin-ACL configuration | ${node} | ${dut_to_tg_if1}
740 | | Read plugin-ACL configuration from VAT | ${node}
741 | | Honeycomb removes interface IPv6 addresses | ${node} | ${dut_to_tg_if1}
742 | | Honeycomb clears all interface IPv6 neighbors | ${node} | ${dut_to_tg_if1}
Code Review / csit.git / blob