| ... | ingress ACL (iACL) tests use 3-node topology TG - DUT1 - DUT2 - TG with
| ... | one link between the nodes. DUT1 and DUT2 are configured with IPv4
| ... | routing and static routes. DUT1 is configured with iACL on link to TG,
-| ... | iACL classification and permit/deny action are configured on a per test
+| ... | iACL classification and permit action are configured on a per test
| ... | case basis. Test ICMPv4 Echo Request packets are sent in one direction
| ... | by TG on link to DUT1 and received on TG link to DUT2. On receive TG
-| ... | verifies if packets are dropped, or if received verifies packet IPv4
+| ... | verifies if packets are accepted, or if received verifies packet IPv4
| ... | src-addr, dst-addr and MAC addresses.
*** Variables ***
| ${l2_table}= | l2
*** Test Cases ***
-| TC01: DUT with iACL IPv4 src-addr drops matching pkts
-| | [Documentation]
-| | ... | On DUT1 add source IPv4 address to classify table with 'deny'.\
-| | ... | Make TG verify matching packets are dropped.
-| | Given Configure path in 3-node circular topology
-| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
-| | And Set interfaces in 3-node circular topology up
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_tg} | ${dut1_to_tg_ip} | ${prefix_length}
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_dut2} | ${dut1_to_dut2_ip} | ${prefix_length}
-| | And VPP Add IP Neighbor
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip_GW}
-| | ... | ${tg_to_dut2_mac}
-| | And Vpp Route Add
-| | ... | ${dut1_node} | ${test_dst_ip} | ${prefix_length}
-| | ... | gateway=${dut1_to_dut2_ip_GW} | interface=${dut1_to_dut2}
-| | And Configure L2XC
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_tg}
-| | Then Send packet and verify headers | ${tg_node}
-| | ... | ${non_drop_src_ip} | ${test_dst_ip} | ${tg_to_dut1}
-| | ... | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} | ${tg_to_dut2}
-| | ... | ${dut1_to_dut2_mac} | ${tg_to_dut2_mac}
-| | And Send packet and verify headers | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${dut1_to_tg_mac} | ${tg_to_dut2}
-| | ... | ${dut1_to_dut2_mac} | ${tg_to_dut2_mac}
-| | ${table_index} | ${skip_n} | ${match_n}=
-| | ... | When Vpp Creates Classify Table L3 | ${dut1_node}
-| | ... | ${ip_version} | src
-| | And Vpp Configures Classify Session L3
-| | ... | ${dut1_node} | deny | ${table_index} | ${skip_n} | ${match_n}
-| | ... | ${ip_version} | src | ${test_src_ip}
-| | And Vpp Enable Input Acl Interface
-| | ... | ${dut1_node} | ${dut1_to_tg} | ${ip_version} | ${table_index}
-| | Then Packet transmission from port to port should fail | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${dut1_to_tg_mac} | ${tg_to_dut2}
-| | ... | ${dut1_to_dut2_mac} | ${tg_to_dut2_mac}
-| | And Send packet and verify headers | ${tg_node}
-| | ... | ${non_drop_src_ip} | ${test_dst_ip} | ${tg_to_dut1}
-| | ... | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} | ${tg_to_dut2}
-| | ... | ${dut1_to_dut2_mac} | ${tg_to_dut2_mac}
-
-| TC02: DUT with iACL IPv4 dst-addr drops matching pkts
-| | [Documentation]
-| | ... | On DUT1 add destination IPv4 address to classify table with 'deny'.\
-| | ... | Make TG verify matching packets are dropped.
-| | Given Configure path in 3-node circular topology
-| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
-| | And Set interfaces in 3-node circular topology up
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_tg} | ${dut1_to_tg_ip} | ${prefix_length}
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_dut2} | ${dut1_to_dut2_ip} | ${prefix_length}
-| | And VPP Add IP Neighbor
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip_GW}
-| | ... | ${tg_to_dut2_mac}
-| | And Vpp Route Add
-| | ... | ${dut1_node} | ${test_dst_ip} | ${prefix_length}
-| | ... | gateway=${dut1_to_dut2_ip_GW} | interface=${dut1_to_dut2}
-| | And Vpp Route Add
-| | ... | ${dut1_node} | ${non_drop_dst_ip} | ${prefix_length}
-| | ... | gateway=${dut1_to_dut2_ip_GW} | interface=${dut1_to_dut2}
-| | And Configure L2XC
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_tg}
-| | Then Send packet and verify headers | ${tg_node}
-| | ... | ${test_src_ip} | ${non_drop_dst_ip} | ${tg_to_dut1}
-| | ... | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} | ${tg_to_dut2}
-| | ... | ${dut1_to_dut2_mac} | ${tg_to_dut2_mac}
-| | And Send packet and verify headers | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${dut1_to_tg_mac} | ${tg_to_dut2}
-| | ... | ${dut1_to_dut2_mac} | ${tg_to_dut2_mac}
-| | ${table_index} | ${skip_n} | ${match_n}=
-| | ... | When Vpp Creates Classify Table L3 | ${dut1_node}
-| | ... | ${ip_version} | dst
-| | And Vpp Configures Classify Session L3
-| | ... | ${dut1_node} | deny | ${table_index} | ${skip_n} | ${match_n}
-| | ... | ${ip_version} | dst | ${test_dst_ip}
-| | And Vpp Enable Input Acl Interface
-| | ... | ${dut1_node} | ${dut1_to_tg} | ${ip_version} | ${table_index}
-| | Then Packet transmission from port to port should fail | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${dut1_to_tg_mac} | ${tg_to_dut2}
-| | ... | ${dut1_to_dut2_mac} | ${tg_to_dut2_mac}
-| | And Send packet and verify headers | ${tg_node}
-| | ... | ${test_src_ip} | ${non_drop_dst_ip} | ${tg_to_dut1}
-| | ... | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} | ${tg_to_dut2}
-| | ... | ${dut1_to_dut2_mac} | ${tg_to_dut2_mac}
-
-| TC03: DUT with iACL IPv4 src-addr and dst-addr drops matching pkts
+| TC01: DUT with iACL IPv4 src-addr and dst-addr accepts matching pkts
| | [Documentation]
| | ... | On DUT1 add source and destination IPv4 addresses to classify table\
-| | ... | with 'deny'. Make TG verify matching packets are dropped.
+| | ... | with 'permit'.
| | Given Configure path in 3-node circular topology
| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
| | And Set interfaces in 3-node circular topology up
| | ... | ${dut1_to_dut2_mac} | ${tg_to_dut2_mac}
| | ${table_index_1} | ${skip_n_1} | ${match_n_1}=
| | ... | When Vpp Creates Classify Table L3 | ${dut1_node}
-| | ... | ${ip_version} | src
+| | ... | ${ip_version} | src | ${test_src_ip}
| | ${table_index_2} | ${skip_n_2} | ${match_n_2}=
-| | ... | And Vpp Creates Classify Table L3 | ${dut1_node} | ${ip_version} | dst
+| | ... | And Vpp Creates Classify Table L3 | ${dut1_node} | ${ip_version}
+| | ... | dst | ${test_dst_ip}
| | And Vpp Configures Classify Session L3
-| | ... | ${dut1_node} | deny | ${table_index_1} | ${skip_n_1} | ${match_n_1}
+| | ... | ${dut1_node} | permit | ${table_index_1}
| | ... | ${ip_version} | src | ${test_src_ip}
| | And Vpp Configures Classify Session L3
-| | ... | ${dut1_node} | deny | ${table_index_2} | ${skip_n_2} | ${match_n_2}
+| | ... | ${dut1_node} | permit | ${table_index_2}
| | ... | ${ip_version} | dst | ${test_dst_ip}
| | And Vpp Enable Input Acl Interface
| | ... | ${dut1_node} | ${dut1_to_tg} | ${ip_version} | ${table_index_1}
| | And Vpp Enable Input Acl Interface
| | ... | ${dut1_node} | ${dut1_to_tg} | ${ip_version} | ${table_index_2}
-| | Then Packet transmission from port to port should fail | ${tg_node}
+| | Then Send packet and verify headers | ${tg_node}
| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
| | ... | ${dut1_to_tg_mac} | ${tg_to_dut2}
| | ... | ${dut1_to_dut2_mac} | ${tg_to_dut2_mac}
| | ... | ${tg_to_dut1_mac} | ${dut1_to_tg_mac} | ${tg_to_dut2}
| | ... | ${dut1_to_dut2_mac} | ${tg_to_dut2_mac}
-| TC04: DUT with iACL IPv4 protocol set to TCP drops matching pkts
-| | [Documentation]
-| | ... | On DUT1 add protocol mask and TCP protocol (0x06) to classify table\
-| | ... | with 'deny'. Make TG verify matching packets are dropped.
-| | Given Configure path in 3-node circular topology
-| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
-| | And Set interfaces in 3-node circular topology up
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_tg} | ${dut1_to_tg_ip} | ${prefix_length}
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_dut2} | ${dut1_to_dut2_ip} | ${prefix_length}
-| | And VPP Add IP Neighbor
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip_GW}
-| | ... | ${tg_to_dut2_mac}
-| | And Vpp Route Add
-| | ... | ${dut1_node} | ${test_dst_ip} | ${prefix_length}
-| | ... | gateway=${dut1_to_dut2_ip_GW} | interface=${dut1_to_dut2}
-| | And Configure L2XC
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_tg}
-| | Then Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | UDP | 80 | 20
-| | And Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | TCP | 80 | 20
-| | ${table_index} | ${skip_n} | ${match_n}=
-| | ... | When Vpp Creates Classify Table Hex
-| | ... | ${dut1_node} | 0000000000000000000000000000000000000000000000FF
-| | And Vpp Configures Classify Session Hex
-| | ... | ${dut1_node} | deny | ${table_index} | ${skip_n} | ${match_n}
-| | ... | 000000000000000000000000000000000000000000000006
-| | And Vpp Enable Input Acl Interface
-| | ... | ${dut1_node} | ${dut1_to_tg} | ${ip_version} | ${table_index}
-| | Then TCP or UDP packet transmission should fail | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | TCP | 80 | 20
-| | And Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | UDP | 80 | 20
-
-| TC05: DUT with iACL IPv4 protocol set to UDP drops matching pkts
-| | [Documentation]
-| | ... | On DUT1 add protocol mask and UDP protocol (0x11) to classify table\
-| | ... | with 'deny'. Make TG verify matching packets are dropped.
-| | Given Configure path in 3-node circular topology
-| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
-| | And Set interfaces in 3-node circular topology up
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_tg} | ${dut1_to_tg_ip} | ${prefix_length}
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_dut2} | ${dut1_to_dut2_ip} | ${prefix_length}
-| | And VPP Add IP Neighbor
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip_GW}
-| | ... | ${tg_to_dut2_mac}
-| | And Vpp Route Add
-| | ... | ${dut1_node} | ${test_dst_ip} | ${prefix_length}
-| | ... | gateway=${dut1_to_dut2_ip_GW} | interface=${dut1_to_dut2}
-| | And Configure L2XC
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_tg}
-| | Then Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | TCP | 80 | 20
-| | And Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | UDP | 80 | 20
-| | ${table_index} | ${skip_n} | ${match_n}=
-| | ... | When Vpp Creates Classify Table Hex
-| | ... | ${dut1_node} | 0000000000000000000000000000000000000000000000FF
-| | And Vpp Configures Classify Session Hex
-| | ... | ${dut1_node} | deny | ${table_index} | ${skip_n} | ${match_n}
-| | ... | 000000000000000000000000000000000000000000000011
-| | And Vpp Enable Input Acl Interface
-| | ... | ${dut1_node} | ${dut1_to_tg} | ${ip_version} | ${table_index}
-| | Then TCP or UDP packet transmission should fail | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | UDP | 80 | 20
-| | And Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | TCP | 80 | 20
-
-| TC06: DUT with iACL IPv4 TCP src-ports drops matching pkts
-| | [Documentation]
-| | ... | On DUT1 add TCP source ports to classify table with 'deny'.\
-| | ... | Make TG verify matching packets are dropped.
-| | Given Configure path in 3-node circular topology
-| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
-| | And Set interfaces in 3-node circular topology up
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_tg} | ${dut1_to_tg_ip} | ${prefix_length}
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_dut2} | ${dut1_to_dut2_ip} | ${prefix_length}
-| | And VPP Add IP Neighbor
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip_GW}
-| | ... | ${tg_to_dut2_mac}
-| | And Vpp Route Add
-| | ... | ${dut1_node} | ${test_dst_ip} | ${prefix_length}
-| | ... | gateway=${dut1_to_dut2_ip_GW} | interface=${dut1_to_dut2}
-| | And Configure L2XC
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_tg}
-| | Then Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | TCP | 110 | 20
-| | And Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | TCP | 80 | 20
-| | ${hex_mask}= | Compute Classify Hex Mask | ${ip_version} | TCP | source
-| | ${hex_value}= | Compute Classify Hex Value | ${hex_mask} | 80 | 0
-| | ${table_index} | ${skip_n} | ${match_n}=
-| | ... | When Vpp Creates Classify Table Hex | ${dut1_node} | ${hex_mask}
-| | And Vpp Configures Classify Session Hex
-| | ... | ${dut1_node} | deny | ${table_index} | ${skip_n} | ${match_n}
-| | ... | ${hex_value}
-| | And Vpp Enable Input Acl Interface
-| | ... | ${dut1_node} | ${dut1_to_tg} | ${ip_version} | ${table_index}
-| | Then TCP or UDP packet transmission should fail | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | TCP | 80 | 20
-| | And Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | TCP | 110 | 20
-
-| TC07: DUT with iACL IPv4 TCP dst-ports drops matching pkts
-| | [Documentation]
-| | ... | On DUT1 add TCP destination ports to classify table with 'deny'.\
-| | ... | Make TG verify matching packets are dropped.
-| | Given Configure path in 3-node circular topology
-| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
-| | And Set interfaces in 3-node circular topology up
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_tg} | ${dut1_to_tg_ip} | ${prefix_length}
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_dut2} | ${dut1_to_dut2_ip} | ${prefix_length}
-| | And VPP Add IP Neighbor
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip_GW}
-| | ... | ${tg_to_dut2_mac}
-| | And Vpp Route Add
-| | ... | ${dut1_node} | ${test_dst_ip} | ${prefix_length}
-| | ... | gateway=${dut1_to_dut2_ip_GW} | interface=${dut1_to_dut2}
-| | And Configure L2XC
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_tg}
-| | Then Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | TCP | 20 | 110
-| | And Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | TCP | 20 | 80
-| | ${hex_mask}= | Compute Classify Hex Mask | ${ip_version} | TCP | destination
-| | ${hex_value}= | Compute Classify Hex Value | ${hex_mask} | 0 | 80
-| | ${table_index} | ${skip_n} | ${match_n}=
-| | ... | When Vpp Creates Classify Table Hex | ${dut1_node} | ${hex_mask}
-| | And Vpp Configures Classify Session Hex
-| | ... | ${dut1_node} | deny | ${table_index} | ${skip_n} | ${match_n}
-| | ... | ${hex_value}
-| | And Vpp Enable Input Acl Interface
-| | ... | ${dut1_node} | ${dut1_to_tg} | ${ip_version} | ${table_index}
-| | Then TCP or UDP packet transmission should fail | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | TCP | 20 | 80
-| | And Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | TCP | 20 | 110
-
-| TC08: DUT with iACL IPv4 TCP src-ports and dst-ports drops matching pkts
+| TC02: DUT with iACL IPv4 TCP src-ports and dst-ports accepts matching pkts
| | [Documentation]
| | ... | On DUT1 add TCP source and destination ports to classify table\
-| | ... | with 'deny'. Make TG verify matching packets are dropped.
+| | ... | with 'permit'.
| | Given Configure path in 3-node circular topology
| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
| | And Set interfaces in 3-node circular topology up
| | ${table_index} | ${skip_n} | ${match_n}=
| | ... | When Vpp Creates Classify Table Hex | ${dut1_node} | ${hex_mask}
| | And Vpp Configures Classify Session Hex
-| | ... | ${dut1_node} | deny | ${table_index} | ${skip_n} | ${match_n}
-| | ... | ${hex_value}
+| | ... | ${dut1_node} | permit | ${table_index} | ${hex_value}
| | And Vpp Enable Input Acl Interface
| | ... | ${dut1_node} | ${dut1_to_tg} | ${ip_version} | ${table_index}
-| | Then TCP or UDP packet transmission should fail | ${tg_node}
+| | Then Send TCP or UDP packet and verify received packet | ${tg_node}
| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | TCP | 80 | 20
| | And Send TCP or UDP packet and verify received packet | ${tg_node}
| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | TCP | 110 | 25
-| TC09: DUT with iACL IPv4 UDP src-ports drops matching pkts
-| | [Documentation]
-| | ... | On DUT1 add UDP source ports to classify table with 'deny'.\
-| | ... | Make TG verify matching packets are dropped.
-| | Given Configure path in 3-node circular topology
-| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
-| | And Set interfaces in 3-node circular topology up
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_tg} | ${dut1_to_tg_ip} | ${prefix_length}
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_dut2} | ${dut1_to_dut2_ip} | ${prefix_length}
-| | And VPP Add IP Neighbor
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip_GW}
-| | ... | ${tg_to_dut2_mac}
-| | And Vpp Route Add
-| | ... | ${dut1_node} | ${test_dst_ip} | ${prefix_length}
-| | ... | gateway=${dut1_to_dut2_ip_GW} | interface=${dut1_to_dut2}
-| | And Configure L2XC
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_tg}
-| | Then Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | UDP | 110 | 20
-| | And Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | UDP | 80 | 20
-| | ${hex_mask}= | Compute Classify Hex Mask | ${ip_version} | UDP | source
-| | ${hex_value}= | Compute Classify Hex Value | ${hex_mask} | 80 | 0
-| | ${table_index} | ${skip_n} | ${match_n}=
-| | ... | When Vpp Creates Classify Table Hex | ${dut1_node} | ${hex_mask}
-| | And Vpp Configures Classify Session Hex
-| | ... | ${dut1_node} | deny | ${table_index} | ${skip_n} | ${match_n}
-| | ... | ${hex_value}
-| | And Vpp Enable Input Acl Interface
-| | ... | ${dut1_node} | ${dut1_to_tg} | ${ip_version} | ${table_index}
-| | Then TCP or UDP packet transmission should fail | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | UDP | 80 | 20
-| | And Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | UDP | 110 | 20
-
-| TC10: DUT with iACL IPv4 UDP dst-ports drops matching pkts
-| | [Documentation]
-| | ... | On DUT1 add TCP destination ports to classify table with 'deny'.\
-| | ... | Make TG verify matching packets are dropped.
-| | Given Configure path in 3-node circular topology
-| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
-| | And Set interfaces in 3-node circular topology up
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_tg} | ${dut1_to_tg_ip} | ${prefix_length}
-| | And VPP Interface Set IP Address | ${dut1_node}
-| | ... | ${dut1_to_dut2} | ${dut1_to_dut2_ip} | ${prefix_length}
-| | And VPP Add IP Neighbor
-| | ... | ${dut1_node} | ${dut1_to_dut2} | ${dut1_to_dut2_ip_GW}
-| | ... | ${tg_to_dut2_mac}
-| | And Vpp Route Add
-| | ... | ${dut1_node} | ${test_dst_ip} | ${prefix_length}
-| | ... | gateway=${dut1_to_dut2_ip_GW} | interface=${dut1_to_dut2}
-| | And Configure L2XC
-| | ... | ${dut2_node} | ${dut2_to_dut1} | ${dut2_to_tg}
-| | Then Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | UDP | 20 | 110
-| | And Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | UDP | 20 | 80
-| | ${hex_mask}= | Compute Classify Hex Mask | ${ip_version} | UDP | destination
-| | ${hex_value}= | Compute Classify Hex Value | ${hex_mask} | 0 | 80
-| | ${table_index} | ${skip_n} | ${match_n}=
-| | ... | When Vpp Creates Classify Table Hex | ${dut1_node} | ${hex_mask}
-| | And Vpp Configures Classify Session Hex
-| | ... | ${dut1_node} | deny | ${table_index} | ${skip_n} | ${match_n}
-| | ... | ${hex_value}
-| | And Vpp Enable Input Acl Interface
-| | ... | ${dut1_node} | ${dut1_to_tg} | ${ip_version} | ${table_index}
-| | Then TCP or UDP packet transmission should fail | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | UDP | 20 | 80
-| | And Send TCP or UDP packet and verify received packet | ${tg_node}
-| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
-| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | UDP | 20 | 110
-
-| TC11: DUT with iACL IPv4 UDP src-ports and dst-ports drops matching pkts
+| TC03: DUT with iACL IPv4 UDP src-ports and dst-ports accepts matching pkts
| | [Documentation]
| | ... | On DUT1 add UDP source and destination ports to classify table\
-| | ... | with 'deny'. Make TG verify matching packets are dropped.
+| | ... | with 'permit'.
| | Given Configure path in 3-node circular topology
| | ... | ${nodes['TG']} | ${nodes['DUT1']} | ${nodes['DUT2']} | ${nodes['TG']}
| | And Set interfaces in 3-node circular topology up
| | ${table_index} | ${skip_n} | ${match_n}=
| | ... | When Vpp Creates Classify Table Hex | ${dut1_node} | ${hex_mask}
| | And Vpp Configures Classify Session Hex
-| | ... | ${dut1_node} | deny | ${table_index} | ${skip_n} | ${match_n}
-| | ... | ${hex_value}
+| | ... | ${dut1_node} | permit | ${table_index} | ${hex_value}
| | And Vpp Enable Input Acl Interface
| | ... | ${dut1_node} | ${dut1_to_tg} | ${ip_version} | ${table_index}
-| | Then TCP or UDP packet transmission should fail | ${tg_node}
+| | Then Send TCP or UDP packet and verify received packet | ${tg_node}
| | ... | ${test_src_ip} | ${test_dst_ip} | ${tg_to_dut1} | ${tg_to_dut1_mac}
| | ... | ${tg_to_dut2} | ${dut1_to_tg_mac} | UDP | 80 | 20
| | And Send TCP or UDP packet and verify received packet | ${tg_node}
Code Review / csit.git / blobdiff