2 """ACL plugin Test Case HLD:
8 from scapy.packet import Raw
9 from scapy.layers.l2 import Ether
10 from scapy.layers.inet import IP, TCP, UDP, ICMP
11 from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
12 from scapy.layers.inet6 import IPv6ExtHdrFragment
13 from framework import VppTestCase, VppTestRunner
14 from util import Host, ppp
15 from ipaddress import IPv4Network, IPv6Network
17 from vpp_lo_interface import VppLoInterface
18 from vpp_acl import AclRule, VppAcl, VppAclInterface, VppEtypeWhitelist
19 from vpp_ip import INVALID_INDEX
22 class TestACLplugin(VppTestCase):
23 """ ACL plugin Test Case """
39 proto = [[6, 17], [1, 58]]
40 proto_map = {1: 'ICMP', 58: 'ICMPv6EchoRequest', 6: 'TCP', 17: 'UDP'}
52 udp_sport_to = udp_sport_from + 5
53 udp_dport_from = 20000
54 udp_dport_to = udp_dport_from + 5000
56 tcp_sport_to = tcp_sport_from + 5
57 tcp_dport_from = 40000
58 tcp_dport_to = tcp_dport_from + 5000
61 udp_sport_to_2 = udp_sport_from_2 + 5
62 udp_dport_from_2 = 30000
63 udp_dport_to_2 = udp_dport_from_2 + 5000
64 tcp_sport_from_2 = 130
65 tcp_sport_to_2 = tcp_sport_from_2 + 5
66 tcp_dport_from_2 = 20000
67 tcp_dport_to_2 = tcp_dport_from_2 + 5000
69 icmp4_type = 8 # echo request
71 icmp6_type = 128 # echo request
87 Perform standard class setup (defined by class method setUpClass in
88 class VppTestCase) before running the test case, set test case related
89 variables and configure VPP.
91 super(TestACLplugin, cls).setUpClass()
94 # Create 2 pg interfaces
95 cls.create_pg_interfaces(range(2))
97 # Packet flows mapping pg0 -> pg1, pg2 etc.
99 cls.flows[cls.pg0] = [cls.pg1]
102 cls.pg_if_packet_sizes = [64, 512, 1518, 9018]
104 # Create BD with MAC learning and unknown unicast flooding disabled
105 # and put interfaces to this BD
106 cls.vapi.bridge_domain_add_del(bd_id=cls.bd_id, uu_flood=1,
108 for pg_if in cls.pg_interfaces:
109 cls.vapi.sw_interface_set_l2_bridge(
110 rx_sw_if_index=pg_if.sw_if_index, bd_id=cls.bd_id)
112 # Set up all interfaces
113 for i in cls.pg_interfaces:
116 # Mapping between packet-generator index and lists of test hosts
117 cls.hosts_by_pg_idx = dict()
118 for pg_if in cls.pg_interfaces:
119 cls.hosts_by_pg_idx[pg_if.sw_if_index] = []
121 # Create list of deleted hosts
122 cls.deleted_hosts_by_pg_idx = dict()
123 for pg_if in cls.pg_interfaces:
124 cls.deleted_hosts_by_pg_idx[pg_if.sw_if_index] = []
126 # warm-up the mac address tables
130 n_int = len(cls.pg_interfaces)
131 macs_per_if = count // n_int
133 for pg_if in cls.pg_interfaces:
135 start_nr = macs_per_if * i + start
136 end_nr = count + start if i == (n_int - 1) \
137 else macs_per_if * (i + 1) + start
138 hosts = cls.hosts_by_pg_idx[pg_if.sw_if_index]
139 for j in range(int(start_nr), int(end_nr)):
141 "00:00:00:ff:%02x:%02x" % (pg_if.sw_if_index, j),
142 "172.17.1%02x.%u" % (pg_if.sw_if_index, j),
143 "2017:dead:%02x::%u" % (pg_if.sw_if_index, j))
147 super(TestACLplugin, cls).tearDownClass()
151 def tearDownClass(cls):
152 super(TestACLplugin, cls).tearDownClass()
155 super(TestACLplugin, self).setUp()
156 self.reset_packet_infos()
160 Show various debug prints after each test.
162 super(TestACLplugin, self).tearDown()
164 def show_commands_at_teardown(self):
165 cli = "show vlib graph l2-input-feat-arc"
166 self.logger.info(self.vapi.ppcli(cli))
167 cli = "show vlib graph l2-input-feat-arc-end"
168 self.logger.info(self.vapi.ppcli(cli))
169 cli = "show vlib graph l2-output-feat-arc"
170 self.logger.info(self.vapi.ppcli(cli))
171 cli = "show vlib graph l2-output-feat-arc-end"
172 self.logger.info(self.vapi.ppcli(cli))
173 self.logger.info(self.vapi.ppcli("show l2fib verbose"))
174 self.logger.info(self.vapi.ppcli("show acl-plugin acl"))
175 self.logger.info(self.vapi.ppcli("show acl-plugin interface"))
176 self.logger.info(self.vapi.ppcli("show acl-plugin tables"))
177 self.logger.info(self.vapi.ppcli("show bridge-domain %s detail"
180 def create_rule(self, ip=0, permit_deny=0, ports=PORTS_ALL, proto=-1,
184 src_prefix = IPv6Network((s_ip, s_prefix))
185 dst_prefix = IPv6Network((d_ip, d_prefix))
187 src_prefix = IPv4Network((s_ip, s_prefix))
188 dst_prefix = IPv4Network((d_ip, d_prefix))
189 return AclRule(is_permit=permit_deny, ports=ports, proto=proto,
190 src_prefix=src_prefix, dst_prefix=dst_prefix)
192 def apply_rules(self, rules, tag=None):
193 acl = VppAcl(self, rules, tag=tag)
195 self.logger.info("Dumped ACL: " + str(acl.dump()))
196 # Apply a ACL on the interface as inbound
197 for i in self.pg_interfaces:
198 acl_if = VppAclInterface(
199 self, sw_if_index=i.sw_if_index, n_input=1, acls=[acl])
200 acl_if.add_vpp_config()
203 def apply_rules_to(self, rules, tag=None, sw_if_index=INVALID_INDEX):
204 acl = VppAcl(self, rules, tag=tag)
206 self.logger.info("Dumped ACL: " + str(acl.dump()))
207 # Apply a ACL on the interface as inbound
208 acl_if = VppAclInterface(self, sw_if_index=sw_if_index, n_input=1,
212 def etype_whitelist(self, whitelist, n_input, add=True):
213 # Apply whitelists on all the interfaces
216 for i in self.pg_interfaces:
217 self._wl.append(VppEtypeWhitelist(
218 self, sw_if_index=i.sw_if_index, whitelist=whitelist,
219 n_input=n_input).add_vpp_config())
221 if hasattr(self, "_wl"):
223 wl.remove_vpp_config()
225 def create_upper_layer(self, packet_index, proto, ports=0):
226 p = self.proto_map[proto]
229 return UDP(sport=random.randint(self.udp_sport_from,
231 dport=random.randint(self.udp_dport_from,
234 return UDP(sport=ports, dport=ports)
237 return TCP(sport=random.randint(self.tcp_sport_from,
239 dport=random.randint(self.tcp_dport_from,
242 return TCP(sport=ports, dport=ports)
245 def create_stream(self, src_if, packet_sizes, traffic_type=0, ipv6=0,
246 proto=-1, ports=0, fragments=False,
247 pkt_raw=True, etype=-1):
249 Create input packet stream for defined interface using hosts or
252 :param object src_if: Interface to create packet stream for.
253 :param list packet_sizes: List of required packet sizes.
254 :param traffic_type: 1: ICMP packet, 2: IPv6 with EH, 0: otherwise.
255 :return: Stream of packets.
258 if self.flows.__contains__(src_if):
259 src_hosts = self.hosts_by_pg_idx[src_if.sw_if_index]
260 for dst_if in self.flows[src_if]:
261 dst_hosts = self.hosts_by_pg_idx[dst_if.sw_if_index]
262 n_int = len(dst_hosts) * len(src_hosts)
263 for i in range(0, n_int):
264 dst_host = dst_hosts[int(i / len(src_hosts))]
265 src_host = src_hosts[i % len(src_hosts)]
266 pkt_info = self.create_packet_info(src_if, dst_if)
272 pkt_info.ip = random.choice([0, 1])
274 pkt_info.proto = random.choice(self.proto[self.IP])
276 pkt_info.proto = proto
277 payload = self.info_to_payload(pkt_info)
278 p = Ether(dst=dst_host.mac, src=src_host.mac)
280 p = Ether(dst=dst_host.mac,
284 p /= IPv6(dst=dst_host.ip6, src=src_host.ip6)
286 p /= IPv6ExtHdrFragment(offset=64, m=1)
289 p /= IP(src=src_host.ip4, dst=dst_host.ip4,
292 p /= IP(src=src_host.ip4, dst=dst_host.ip4)
293 if traffic_type == self.ICMP:
295 p /= ICMPv6EchoRequest(type=self.icmp6_type,
296 code=self.icmp6_code)
298 p /= ICMP(type=self.icmp4_type,
299 code=self.icmp4_code)
301 p /= self.create_upper_layer(i, pkt_info.proto, ports)
304 pkt_info.data = p.copy()
306 size = random.choice(packet_sizes)
307 self.extend_packet(p, size)
311 def verify_capture(self, pg_if, capture,
312 traffic_type=0, ip_type=0, etype=-1):
314 Verify captured input packet stream for defined interface.
316 :param object pg_if: Interface to verify captured packet stream for.
317 :param list capture: Captured packet stream.
318 :param traffic_type: 1: ICMP packet, 2: IPv6 with EH, 0: otherwise.
321 for i in self.pg_interfaces:
322 last_info[i.sw_if_index] = None
323 dst_sw_if_index = pg_if.sw_if_index
324 for packet in capture:
326 if packet[Ether].type != etype:
327 self.logger.error(ppp("Unexpected ethertype in packet:",
332 # Raw data for ICMPv6 are stored in ICMPv6EchoRequest.data
333 if traffic_type == self.ICMP and ip_type == self.IPV6:
334 payload_info = self.payload_to_info(
335 packet[ICMPv6EchoRequest], 'data')
336 payload = packet[ICMPv6EchoRequest]
338 payload_info = self.payload_to_info(packet[Raw])
339 payload = packet[self.proto_map[payload_info.proto]]
341 self.logger.error(ppp("Unexpected or invalid packet "
342 "(outside network):", packet))
346 self.assertEqual(payload_info.ip, ip_type)
347 if traffic_type == self.ICMP:
349 if payload_info.ip == 0:
350 self.assertEqual(payload.type, self.icmp4_type)
351 self.assertEqual(payload.code, self.icmp4_code)
353 self.assertEqual(payload.type, self.icmp6_type)
354 self.assertEqual(payload.code, self.icmp6_code)
356 self.logger.error(ppp("Unexpected or invalid packet "
357 "(outside network):", packet))
361 ip_version = IPv6 if payload_info.ip == 1 else IP
363 ip = packet[ip_version]
364 packet_index = payload_info.index
366 self.assertEqual(payload_info.dst, dst_sw_if_index)
367 self.logger.debug("Got packet on port %s: src=%u (id=%u)" %
368 (pg_if.name, payload_info.src,
370 next_info = self.get_next_packet_info_for_interface2(
371 payload_info.src, dst_sw_if_index,
372 last_info[payload_info.src])
373 last_info[payload_info.src] = next_info
374 self.assertTrue(next_info is not None)
375 self.assertEqual(packet_index, next_info.index)
376 saved_packet = next_info.data
377 # Check standard fields
378 self.assertEqual(ip.src, saved_packet[ip_version].src)
379 self.assertEqual(ip.dst, saved_packet[ip_version].dst)
380 p = self.proto_map[payload_info.proto]
383 self.assertEqual(tcp.sport, saved_packet[
385 self.assertEqual(tcp.dport, saved_packet[
389 self.assertEqual(udp.sport, saved_packet[
391 self.assertEqual(udp.dport, saved_packet[
394 self.logger.error(ppp("Unexpected or invalid packet:",
397 for i in self.pg_interfaces:
398 remaining_packet = self.get_next_packet_info_for_interface2(
399 i, dst_sw_if_index, last_info[i.sw_if_index])
401 remaining_packet is None,
402 "Port %u: Packet expected from source %u didn't arrive" %
403 (dst_sw_if_index, i.sw_if_index))
405 def run_traffic_no_check(self):
407 # Create incoming packet streams for packet-generator interfaces
408 for i in self.pg_interfaces:
409 if self.flows.__contains__(i):
410 pkts = self.create_stream(i, self.pg_if_packet_sizes)
414 # Enable packet capture and start packet sending
415 self.pg_enable_capture(self.pg_interfaces)
418 def run_verify_test(self, traffic_type=0, ip_type=0, proto=-1, ports=0,
419 frags=False, pkt_raw=True, etype=-1):
421 # Create incoming packet streams for packet-generator interfaces
423 for i in self.pg_interfaces:
424 if self.flows.__contains__(i):
425 pkts = self.create_stream(i, self.pg_if_packet_sizes,
426 traffic_type, ip_type, proto, ports,
427 frags, pkt_raw, etype)
430 pkts_cnt += len(pkts)
432 # Enable packet capture and start packet sendingself.IPV
433 self.pg_enable_capture(self.pg_interfaces)
435 self.logger.info("sent packets count: %d" % pkts_cnt)
438 # Verify outgoing packet streams per packet-generator interface
439 for src_if in self.pg_interfaces:
440 if self.flows.__contains__(src_if):
441 for dst_if in self.flows[src_if]:
442 capture = dst_if.get_capture(pkts_cnt)
443 self.logger.info("Verifying capture on interface %s" %
445 self.verify_capture(dst_if, capture,
446 traffic_type, ip_type, etype)
448 def run_verify_negat_test(self, traffic_type=0, ip_type=0, proto=-1,
449 ports=0, frags=False, etype=-1):
452 self.reset_packet_infos()
453 for i in self.pg_interfaces:
454 if self.flows.__contains__(i):
455 pkts = self.create_stream(i, self.pg_if_packet_sizes,
456 traffic_type, ip_type, proto, ports,
460 pkts_cnt += len(pkts)
462 # Enable packet capture and start packet sending
463 self.pg_enable_capture(self.pg_interfaces)
465 self.logger.info("sent packets count: %d" % pkts_cnt)
468 # Verify outgoing packet streams per packet-generator interface
469 for src_if in self.pg_interfaces:
470 if self.flows.__contains__(src_if):
471 for dst_if in self.flows[src_if]:
472 self.logger.info("Verifying capture on interface %s" %
474 capture = dst_if.get_capture(0)
475 self.assertEqual(len(capture), 0)
477 def test_0000_warmup_test(self):
478 """ ACL plugin version check; learn MACs
480 reply = self.vapi.papi.acl_plugin_get_version()
481 self.assertEqual(reply.major, 1)
482 self.logger.info("Working with ACL plugin version: %d.%d" % (
483 reply.major, reply.minor))
484 # minor version changes are non breaking
485 # self.assertEqual(reply.minor, 0)
487 def test_0001_acl_create(self):
488 """ ACL create/delete test
491 self.logger.info("ACLP_TEST_START_0001")
492 # Create a permit-1234 ACL
493 r = [AclRule(is_permit=1, proto=17, ports=1234, sport_to=1235)]
494 # Test 1: add a new ACL
495 first_acl = VppAcl(self, rules=r, tag="permit 1234")
496 first_acl.add_vpp_config()
497 self.assertTrue(first_acl.query_vpp_config())
498 # The very first ACL gets #0
499 self.assertEqual(first_acl.acl_index, 0)
500 rr = first_acl.dump()
501 self.logger.info("Dumped ACL: " + str(rr))
502 self.assertEqual(len(rr), 1)
503 # We should have the same number of ACL entries as we had asked
504 self.assertEqual(len(rr[0].r), len(r))
505 # The rules should be the same. But because the submitted and returned
506 # are different types, we need to iterate over rules and keys to get
508 for i_rule in range(0, len(r) - 1):
509 encoded_rule = r[i_rule].encode()
510 for rule_key in encoded_rule:
511 self.assertEqual(rr[0].r[i_rule][rule_key],
512 encoded_rule[rule_key])
514 # Create a deny-1234 ACL
515 r_deny = [AclRule(is_permit=0, proto=17, ports=1234, sport_to=1235),
516 AclRule(is_permit=1, proto=17, ports=0)]
517 second_acl = VppAcl(self, rules=r_deny, tag="deny 1234;permit all")
518 second_acl.add_vpp_config()
519 self.assertTrue(second_acl.query_vpp_config())
520 # The second ACL gets #1
521 self.assertEqual(second_acl.acl_index, 1)
523 # Test 2: try to modify a nonexistent ACL
524 invalid_acl = VppAcl(self, acl_index=432, rules=r, tag="FFFF:FFFF")
525 reply = invalid_acl.add_vpp_config(expect_error=True)
527 # apply an ACL on an interface inbound, try to delete ACL, must fail
528 acl_if_list = VppAclInterface(
529 self, sw_if_index=self.pg0.sw_if_index, n_input=1,
531 acl_if_list.add_vpp_config()
532 first_acl.remove_vpp_config(expect_error=True)
533 # Unapply an ACL and then try to delete it - must be ok
534 acl_if_list.remove_vpp_config()
535 first_acl.remove_vpp_config()
537 # apply an ACL on an interface inbound, try to delete ACL, must fail
538 acl_if_list = VppAclInterface(
539 self, sw_if_index=self.pg0.sw_if_index, n_input=0,
541 acl_if_list.add_vpp_config()
542 second_acl.remove_vpp_config(expect_error=True)
543 # Unapply an ACL and then try to delete it - must be ok
544 acl_if_list.remove_vpp_config()
545 second_acl.remove_vpp_config()
547 # try to apply a nonexistent ACL - must fail
548 acl_if_list = VppAclInterface(
549 self, sw_if_index=self.pg0.sw_if_index, n_input=0,
551 acl_if_list.add_vpp_config(expect_error=True)
553 self.logger.info("ACLP_TEST_FINISH_0001")
555 def test_0002_acl_permit_apply(self):
556 """ permit ACL apply test
558 self.logger.info("ACLP_TEST_START_0002")
561 rules.append(self.create_rule(self.IPV4, self.PERMIT,
562 0, self.proto[self.IP][self.UDP]))
563 rules.append(self.create_rule(self.IPV4, self.PERMIT,
564 0, self.proto[self.IP][self.TCP]))
567 acl_idx = self.apply_rules(rules, "permit per-flow")
570 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
572 # Traffic should still pass
573 self.run_verify_test(self.IP, self.IPV4, -1)
575 matches = self.statistics.get_counter('/acl/%d/matches' % acl_idx)
576 self.logger.info("stat segment counters: %s" % repr(matches))
577 cli = "show acl-plugin acl"
578 self.logger.info(self.vapi.ppcli(cli))
579 cli = "show acl-plugin tables"
580 self.logger.info(self.vapi.ppcli(cli))
582 total_hits = matches[0][0]['packets'] + matches[0][1]['packets']
583 self.assertEqual(total_hits, 64)
586 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=0)
588 self.logger.info("ACLP_TEST_FINISH_0002")
590 def test_0003_acl_deny_apply(self):
591 """ deny ACL apply test
593 self.logger.info("ACLP_TEST_START_0003")
594 # Add a deny-flows ACL
596 rules.append(self.create_rule(
597 self.IPV4, self.DENY, self.PORTS_ALL,
598 self.proto[self.IP][self.UDP]))
599 # Permit ip any any in the end
600 rules.append(self.create_rule(self.IPV4, self.PERMIT,
604 acl_idx = self.apply_rules(rules, "deny per-flow;permit all")
607 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
609 # Traffic should not pass
610 self.run_verify_negat_test(self.IP, self.IPV4,
611 self.proto[self.IP][self.UDP])
613 matches = self.statistics.get_counter('/acl/%d/matches' % acl_idx)
614 self.logger.info("stat segment counters: %s" % repr(matches))
615 cli = "show acl-plugin acl"
616 self.logger.info(self.vapi.ppcli(cli))
617 cli = "show acl-plugin tables"
618 self.logger.info(self.vapi.ppcli(cli))
619 self.assertEqual(matches[0][0]['packets'], 64)
621 reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=0)
622 self.logger.info("ACLP_TEST_FINISH_0003")
623 # self.assertEqual(, 0)
625 def test_0004_vpp624_permit_icmpv4(self):
626 """ VPP_624 permit ICMPv4
628 self.logger.info("ACLP_TEST_START_0004")
632 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
633 self.proto[self.ICMP][self.ICMPv4]))
634 # deny ip any any in the end
635 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
638 self.apply_rules(rules, "permit icmpv4")
640 # Traffic should still pass
641 self.run_verify_test(self.ICMP, self.IPV4,
642 self.proto[self.ICMP][self.ICMPv4])
644 self.logger.info("ACLP_TEST_FINISH_0004")
646 def test_0005_vpp624_permit_icmpv6(self):
647 """ VPP_624 permit ICMPv6
649 self.logger.info("ACLP_TEST_START_0005")
653 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_RANGE,
654 self.proto[self.ICMP][self.ICMPv6]))
655 # deny ip any any in the end
656 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
659 self.apply_rules(rules, "permit icmpv6")
661 # Traffic should still pass
662 self.run_verify_test(self.ICMP, self.IPV6,
663 self.proto[self.ICMP][self.ICMPv6])
665 self.logger.info("ACLP_TEST_FINISH_0005")
667 def test_0006_vpp624_deny_icmpv4(self):
668 """ VPP_624 deny ICMPv4
670 self.logger.info("ACLP_TEST_START_0006")
673 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE,
674 self.proto[self.ICMP][self.ICMPv4]))
675 # permit ip any any in the end
676 rules.append(self.create_rule(self.IPV4, self.PERMIT,
680 self.apply_rules(rules, "deny icmpv4")
682 # Traffic should not pass
683 self.run_verify_negat_test(self.ICMP, self.IPV4, 0)
685 self.logger.info("ACLP_TEST_FINISH_0006")
687 def test_0007_vpp624_deny_icmpv6(self):
688 """ VPP_624 deny ICMPv6
690 self.logger.info("ACLP_TEST_START_0007")
693 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE,
694 self.proto[self.ICMP][self.ICMPv6]))
695 # deny ip any any in the end
696 rules.append(self.create_rule(self.IPV6, self.PERMIT,
700 self.apply_rules(rules, "deny icmpv6")
702 # Traffic should not pass
703 self.run_verify_negat_test(self.ICMP, self.IPV6, 0)
705 self.logger.info("ACLP_TEST_FINISH_0007")
707 def test_0008_tcp_permit_v4(self):
710 self.logger.info("ACLP_TEST_START_0008")
714 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
715 self.proto[self.IP][self.TCP]))
716 # deny ip any any in the end
717 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
720 self.apply_rules(rules, "permit ipv4 tcp")
722 # Traffic should still pass
723 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
725 self.logger.info("ACLP_TEST_FINISH_0008")
727 def test_0009_tcp_permit_v6(self):
730 self.logger.info("ACLP_TEST_START_0009")
734 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_RANGE,
735 self.proto[self.IP][self.TCP]))
736 # deny ip any any in the end
737 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
740 self.apply_rules(rules, "permit ip6 tcp")
742 # Traffic should still pass
743 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
745 self.logger.info("ACLP_TEST_FINISH_0008")
747 def test_0010_udp_permit_v4(self):
750 self.logger.info("ACLP_TEST_START_0010")
754 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
755 self.proto[self.IP][self.UDP]))
756 # deny ip any any in the end
757 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
760 self.apply_rules(rules, "permit ipv udp")
762 # Traffic should still pass
763 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
765 self.logger.info("ACLP_TEST_FINISH_0010")
767 def test_0011_udp_permit_v6(self):
770 self.logger.info("ACLP_TEST_START_0011")
774 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_RANGE,
775 self.proto[self.IP][self.UDP]))
776 # deny ip any any in the end
777 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
780 self.apply_rules(rules, "permit ip6 udp")
782 # Traffic should still pass
783 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
785 self.logger.info("ACLP_TEST_FINISH_0011")
787 def test_0012_tcp_deny(self):
790 self.logger.info("ACLP_TEST_START_0012")
794 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE,
795 self.proto[self.IP][self.TCP]))
796 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE,
797 self.proto[self.IP][self.TCP]))
798 # permit ip any any in the end
799 rules.append(self.create_rule(self.IPV4, self.PERMIT,
801 rules.append(self.create_rule(self.IPV6, self.PERMIT,
805 self.apply_rules(rules, "deny ip4/ip6 tcp")
807 # Traffic should not pass
808 self.run_verify_negat_test(self.IP, self.IPRANDOM,
809 self.proto[self.IP][self.TCP])
811 self.logger.info("ACLP_TEST_FINISH_0012")
813 def test_0013_udp_deny(self):
816 self.logger.info("ACLP_TEST_START_0013")
820 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE,
821 self.proto[self.IP][self.UDP]))
822 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE,
823 self.proto[self.IP][self.UDP]))
824 # permit ip any any in the end
825 rules.append(self.create_rule(self.IPV4, self.PERMIT,
827 rules.append(self.create_rule(self.IPV6, self.PERMIT,
831 self.apply_rules(rules, "deny ip4/ip6 udp")
833 # Traffic should not pass
834 self.run_verify_negat_test(self.IP, self.IPRANDOM,
835 self.proto[self.IP][self.UDP])
837 self.logger.info("ACLP_TEST_FINISH_0013")
839 def test_0014_acl_dump(self):
840 """ verify add/dump acls
842 self.logger.info("ACLP_TEST_START_0014")
844 r = [[self.IPV4, self.PERMIT, 1234, self.proto[self.IP][self.TCP]],
845 [self.IPV4, self.PERMIT, 2345, self.proto[self.IP][self.UDP]],
846 [self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.TCP]],
847 [self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.UDP]],
848 [self.IPV4, self.PERMIT, 5, self.proto[self.ICMP][self.ICMPv4]],
849 [self.IPV6, self.PERMIT, 4321, self.proto[self.IP][self.TCP]],
850 [self.IPV6, self.PERMIT, 5432, self.proto[self.IP][self.UDP]],
851 [self.IPV6, self.PERMIT, 0, self.proto[self.IP][self.TCP]],
852 [self.IPV6, self.PERMIT, 0, self.proto[self.IP][self.UDP]],
853 [self.IPV6, self.PERMIT, 6, self.proto[self.ICMP][self.ICMPv6]],
854 [self.IPV4, self.DENY, self.PORTS_ALL, 0],
855 [self.IPV4, self.DENY, 1234, self.proto[self.IP][self.TCP]],
856 [self.IPV4, self.DENY, 2345, self.proto[self.IP][self.UDP]],
857 [self.IPV4, self.DENY, 5, self.proto[self.ICMP][self.ICMPv4]],
858 [self.IPV6, self.DENY, 4321, self.proto[self.IP][self.TCP]],
859 [self.IPV6, self.DENY, 5432, self.proto[self.IP][self.UDP]],
860 [self.IPV6, self.DENY, 6, self.proto[self.ICMP][self.ICMPv6]],
861 [self.IPV6, self.DENY, self.PORTS_ALL, 0]
864 # Add and verify new ACLs
866 for i in range(len(r)):
867 rules.append(self.create_rule(r[i][0], r[i][1], r[i][2], r[i][3]))
869 acl = VppAcl(self, rules=rules)
874 for drules in result:
876 self.assertEqual(dr.is_permit, r[i][1])
877 self.assertEqual(dr.proto, r[i][3])
880 self.assertEqual(dr.srcport_or_icmptype_first, r[i][2])
883 self.assertEqual(dr.srcport_or_icmptype_first, 0)
884 self.assertEqual(dr.srcport_or_icmptype_last, 65535)
886 if dr.proto == self.proto[self.IP][self.TCP]:
887 self.assertGreater(dr.srcport_or_icmptype_first,
888 self.tcp_sport_from-1)
889 self.assertLess(dr.srcport_or_icmptype_first,
891 self.assertGreater(dr.dstport_or_icmpcode_last,
892 self.tcp_dport_from-1)
893 self.assertLess(dr.dstport_or_icmpcode_last,
895 elif dr.proto == self.proto[self.IP][self.UDP]:
896 self.assertGreater(dr.srcport_or_icmptype_first,
897 self.udp_sport_from-1)
898 self.assertLess(dr.srcport_or_icmptype_first,
900 self.assertGreater(dr.dstport_or_icmpcode_last,
901 self.udp_dport_from-1)
902 self.assertLess(dr.dstport_or_icmpcode_last,
906 self.logger.info("ACLP_TEST_FINISH_0014")
908 def test_0015_tcp_permit_port_v4(self):
909 """ permit single TCPv4
911 self.logger.info("ACLP_TEST_START_0015")
913 port = random.randint(16384, 65535)
916 rules.append(self.create_rule(self.IPV4, self.PERMIT, port,
917 self.proto[self.IP][self.TCP]))
918 # deny ip any any in the end
919 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
922 self.apply_rules(rules, "permit ip4 tcp %d" % port)
924 # Traffic should still pass
925 self.run_verify_test(self.IP, self.IPV4,
926 self.proto[self.IP][self.TCP], port)
928 self.logger.info("ACLP_TEST_FINISH_0015")
930 def test_0016_udp_permit_port_v4(self):
931 """ permit single UDPv4
933 self.logger.info("ACLP_TEST_START_0016")
935 port = random.randint(16384, 65535)
938 rules.append(self.create_rule(self.IPV4, self.PERMIT, port,
939 self.proto[self.IP][self.UDP]))
940 # deny ip any any in the end
941 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
944 self.apply_rules(rules, "permit ip4 tcp %d" % port)
946 # Traffic should still pass
947 self.run_verify_test(self.IP, self.IPV4,
948 self.proto[self.IP][self.UDP], port)
950 self.logger.info("ACLP_TEST_FINISH_0016")
952 def test_0017_tcp_permit_port_v6(self):
953 """ permit single TCPv6
955 self.logger.info("ACLP_TEST_START_0017")
957 port = random.randint(16384, 65535)
960 rules.append(self.create_rule(self.IPV6, self.PERMIT, port,
961 self.proto[self.IP][self.TCP]))
962 # deny ip any any in the end
963 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
966 self.apply_rules(rules, "permit ip4 tcp %d" % port)
968 # Traffic should still pass
969 self.run_verify_test(self.IP, self.IPV6,
970 self.proto[self.IP][self.TCP], port)
972 self.logger.info("ACLP_TEST_FINISH_0017")
974 def test_0018_udp_permit_port_v6(self):
975 """ permit single UDPv6
977 self.logger.info("ACLP_TEST_START_0018")
979 port = random.randint(16384, 65535)
982 rules.append(self.create_rule(self.IPV6, self.PERMIT, port,
983 self.proto[self.IP][self.UDP]))
984 # deny ip any any in the end
985 rules.append(self.create_rule(self.IPV6, self.DENY,
989 self.apply_rules(rules, "permit ip4 tcp %d" % port)
991 # Traffic should still pass
992 self.run_verify_test(self.IP, self.IPV6,
993 self.proto[self.IP][self.UDP], port)
995 self.logger.info("ACLP_TEST_FINISH_0018")
997 def test_0019_udp_deny_port(self):
998 """ deny single TCPv4/v6
1000 self.logger.info("ACLP_TEST_START_0019")
1002 port = random.randint(16384, 65535)
1005 rules.append(self.create_rule(self.IPV4, self.DENY, port,
1006 self.proto[self.IP][self.TCP]))
1007 rules.append(self.create_rule(self.IPV6, self.DENY, port,
1008 self.proto[self.IP][self.TCP]))
1009 # Permit ip any any in the end
1010 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1012 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1016 self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
1018 # Traffic should not pass
1019 self.run_verify_negat_test(self.IP, self.IPRANDOM,
1020 self.proto[self.IP][self.TCP], port)
1022 self.logger.info("ACLP_TEST_FINISH_0019")
1024 def test_0020_udp_deny_port(self):
1025 """ deny single UDPv4/v6
1027 self.logger.info("ACLP_TEST_START_0020")
1029 port = random.randint(16384, 65535)
1032 rules.append(self.create_rule(self.IPV4, self.DENY, port,
1033 self.proto[self.IP][self.UDP]))
1034 rules.append(self.create_rule(self.IPV6, self.DENY, port,
1035 self.proto[self.IP][self.UDP]))
1036 # Permit ip any any in the end
1037 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1039 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1043 self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
1045 # Traffic should not pass
1046 self.run_verify_negat_test(self.IP, self.IPRANDOM,
1047 self.proto[self.IP][self.UDP], port)
1049 self.logger.info("ACLP_TEST_FINISH_0020")
1051 def test_0021_udp_deny_port_verify_fragment_deny(self):
1052 """ deny single UDPv4/v6, permit ip any, verify non-initial fragment
1055 self.logger.info("ACLP_TEST_START_0021")
1057 port = random.randint(16384, 65535)
1060 rules.append(self.create_rule(self.IPV4, self.DENY, port,
1061 self.proto[self.IP][self.UDP]))
1062 rules.append(self.create_rule(self.IPV6, self.DENY, port,
1063 self.proto[self.IP][self.UDP]))
1064 # deny ip any any in the end
1065 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1067 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1071 self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
1073 # Traffic should not pass
1074 self.run_verify_negat_test(self.IP, self.IPRANDOM,
1075 self.proto[self.IP][self.UDP], port, True)
1077 self.logger.info("ACLP_TEST_FINISH_0021")
1079 def test_0022_zero_length_udp_ipv4(self):
1080 """ VPP-687 zero length udp ipv4 packet"""
1081 self.logger.info("ACLP_TEST_START_0022")
1083 port = random.randint(16384, 65535)
1086 rules.append(self.create_rule(self.IPV4, self.PERMIT, port,
1087 self.proto[self.IP][self.UDP]))
1088 # deny ip any any in the end
1090 self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1093 self.apply_rules(rules, "permit empty udp ip4 %d" % port)
1095 # Traffic should still pass
1096 # Create incoming packet streams for packet-generator interfaces
1098 pkts = self.create_stream(self.pg0, self.pg_if_packet_sizes,
1100 self.proto[self.IP][self.UDP], port,
1103 self.pg0.add_stream(pkts)
1104 pkts_cnt += len(pkts)
1106 # Enable packet capture and start packet sendingself.IPV
1107 self.pg_enable_capture(self.pg_interfaces)
1110 self.pg1.get_capture(pkts_cnt)
1112 self.logger.info("ACLP_TEST_FINISH_0022")
1114 def test_0023_zero_length_udp_ipv6(self):
1115 """ VPP-687 zero length udp ipv6 packet"""
1116 self.logger.info("ACLP_TEST_START_0023")
1118 port = random.randint(16384, 65535)
1121 rules.append(self.create_rule(self.IPV6, self.PERMIT, port,
1122 self.proto[self.IP][self.UDP]))
1123 # deny ip any any in the end
1124 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1127 self.apply_rules(rules, "permit empty udp ip6 %d" % port)
1129 # Traffic should still pass
1130 # Create incoming packet streams for packet-generator interfaces
1132 pkts = self.create_stream(self.pg0, self.pg_if_packet_sizes,
1134 self.proto[self.IP][self.UDP], port,
1137 self.pg0.add_stream(pkts)
1138 pkts_cnt += len(pkts)
1140 # Enable packet capture and start packet sendingself.IPV
1141 self.pg_enable_capture(self.pg_interfaces)
1144 # Verify outgoing packet streams per packet-generator interface
1145 self.pg1.get_capture(pkts_cnt)
1147 self.logger.info("ACLP_TEST_FINISH_0023")
1149 def test_0108_tcp_permit_v4(self):
1150 """ permit TCPv4 + non-match range
1152 self.logger.info("ACLP_TEST_START_0108")
1156 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1157 self.proto[self.IP][self.TCP]))
1158 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1159 self.proto[self.IP][self.TCP]))
1160 # deny ip any any in the end
1161 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1164 self.apply_rules(rules, "permit ipv4 tcp")
1166 # Traffic should still pass
1167 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
1169 self.logger.info("ACLP_TEST_FINISH_0108")
1171 def test_0109_tcp_permit_v6(self):
1172 """ permit TCPv6 + non-match range
1174 self.logger.info("ACLP_TEST_START_0109")
1178 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE_2,
1179 self.proto[self.IP][self.TCP]))
1180 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_RANGE,
1181 self.proto[self.IP][self.TCP]))
1182 # deny ip any any in the end
1183 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1186 self.apply_rules(rules, "permit ip6 tcp")
1188 # Traffic should still pass
1189 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
1191 self.logger.info("ACLP_TEST_FINISH_0109")
1193 def test_0110_udp_permit_v4(self):
1194 """ permit UDPv4 + non-match range
1196 self.logger.info("ACLP_TEST_START_0110")
1200 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1201 self.proto[self.IP][self.UDP]))
1202 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1203 self.proto[self.IP][self.UDP]))
1204 # deny ip any any in the end
1205 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1208 self.apply_rules(rules, "permit ipv4 udp")
1210 # Traffic should still pass
1211 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
1213 self.logger.info("ACLP_TEST_FINISH_0110")
1215 def test_0111_udp_permit_v6(self):
1216 """ permit UDPv6 + non-match range
1218 self.logger.info("ACLP_TEST_START_0111")
1222 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE_2,
1223 self.proto[self.IP][self.UDP]))
1224 rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_RANGE,
1225 self.proto[self.IP][self.UDP]))
1226 # deny ip any any in the end
1227 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
1230 self.apply_rules(rules, "permit ip6 udp")
1232 # Traffic should still pass
1233 self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
1235 self.logger.info("ACLP_TEST_FINISH_0111")
1237 def test_0112_tcp_deny(self):
1238 """ deny TCPv4/v6 + non-match range
1240 self.logger.info("ACLP_TEST_START_0112")
1244 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1246 self.proto[self.IP][self.TCP]))
1247 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1249 self.proto[self.IP][self.TCP]))
1250 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE,
1251 self.proto[self.IP][self.TCP]))
1252 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE,
1253 self.proto[self.IP][self.TCP]))
1254 # permit ip any any in the end
1255 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1257 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1261 self.apply_rules(rules, "deny ip4/ip6 tcp")
1263 # Traffic should not pass
1264 self.run_verify_negat_test(self.IP, self.IPRANDOM,
1265 self.proto[self.IP][self.TCP])
1267 self.logger.info("ACLP_TEST_FINISH_0112")
1269 def test_0113_udp_deny(self):
1270 """ deny UDPv4/v6 + non-match range
1272 self.logger.info("ACLP_TEST_START_0113")
1276 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1278 self.proto[self.IP][self.UDP]))
1279 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1281 self.proto[self.IP][self.UDP]))
1282 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE,
1283 self.proto[self.IP][self.UDP]))
1284 rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_RANGE,
1285 self.proto[self.IP][self.UDP]))
1286 # permit ip any any in the end
1287 rules.append(self.create_rule(self.IPV4, self.PERMIT,
1289 rules.append(self.create_rule(self.IPV6, self.PERMIT,
1293 self.apply_rules(rules, "deny ip4/ip6 udp")
1295 # Traffic should not pass
1296 self.run_verify_negat_test(self.IP, self.IPRANDOM,
1297 self.proto[self.IP][self.UDP])
1299 self.logger.info("ACLP_TEST_FINISH_0113")
1301 def test_0300_tcp_permit_v4_etype_aaaa(self):
1302 """ permit TCPv4, send 0xAAAA etype
1304 self.logger.info("ACLP_TEST_START_0300")
1308 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1309 self.proto[self.IP][self.TCP]))
1310 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1311 self.proto[self.IP][self.TCP]))
1312 # deny ip any any in the end
1313 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1316 self.apply_rules(rules, "permit ipv4 tcp")
1318 # Traffic should still pass also for an odd ethertype
1319 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
1320 0, False, True, 0xaaaa)
1321 self.logger.info("ACLP_TEST_FINISH_0300")
1323 def test_0305_tcp_permit_v4_etype_blacklist_aaaa(self):
1324 """ permit TCPv4, whitelist 0x0BBB ethertype, send 0xAAAA-blocked
1326 self.logger.info("ACLP_TEST_START_0305")
1330 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1331 self.proto[self.IP][self.TCP]))
1332 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1333 self.proto[self.IP][self.TCP]))
1334 # deny ip any any in the end
1335 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1338 self.apply_rules(rules, "permit ipv4 tcp")
1339 # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
1340 self.etype_whitelist([0xbbb], 1)
1342 # The oddball ethertype should be blocked
1343 self.run_verify_negat_test(self.IP, self.IPV4,
1344 self.proto[self.IP][self.TCP],
1347 # remove the whitelist
1348 self.etype_whitelist([], 0, add=False)
1350 self.logger.info("ACLP_TEST_FINISH_0305")
1352 def test_0306_tcp_permit_v4_etype_blacklist_aaaa(self):
1353 """ permit TCPv4, whitelist 0x0BBB ethertype, send 0x0BBB - pass
1355 self.logger.info("ACLP_TEST_START_0306")
1359 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1360 self.proto[self.IP][self.TCP]))
1361 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1362 self.proto[self.IP][self.TCP]))
1363 # deny ip any any in the end
1364 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1367 self.apply_rules(rules, "permit ipv4 tcp")
1368 # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
1369 self.etype_whitelist([0xbbb], 1)
1371 # The whitelisted traffic, should pass
1372 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
1373 0, False, True, 0x0bbb)
1375 # remove the whitelist, the previously blocked 0xAAAA should pass now
1376 self.etype_whitelist([], 0, add=False)
1378 self.logger.info("ACLP_TEST_FINISH_0306")
1380 def test_0307_tcp_permit_v4_etype_blacklist_aaaa(self):
1381 """ permit TCPv4, whitelist 0x0BBB, remove, send 0xAAAA - pass
1383 self.logger.info("ACLP_TEST_START_0307")
1387 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1388 self.proto[self.IP][self.TCP]))
1389 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1390 self.proto[self.IP][self.TCP]))
1391 # deny ip any any in the end
1392 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1395 self.apply_rules(rules, "permit ipv4 tcp")
1397 # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
1398 self.etype_whitelist([0xbbb], 1)
1399 # remove the whitelist, the previously blocked 0xAAAA should pass now
1400 self.etype_whitelist([], 0, add=False)
1402 # The whitelisted traffic, should pass
1403 self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
1404 0, False, True, 0xaaaa)
1406 self.logger.info("ACLP_TEST_FINISH_0306")
1408 def test_0315_del_intf(self):
1409 """ apply an acl and delete the interface
1411 self.logger.info("ACLP_TEST_START_0315")
1415 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
1416 self.proto[self.IP][self.TCP]))
1417 rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
1418 self.proto[self.IP][self.TCP]))
1419 # deny ip any any in the end
1420 rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
1422 # create an interface
1424 intf.append(VppLoInterface(self))
1427 self.apply_rules_to(rules, "permit ipv4 tcp", intf[0].sw_if_index)
1429 # Remove the interface
1430 intf[0].remove_vpp_config()
1432 self.logger.info("ACLP_TEST_FINISH_0315")
1435 if __name__ == '__main__':
1436 unittest.main(testRunner=VppTestRunner)