1 #!/usr/bin/env python3
2 """ ACL plugin extended stateful tests """
3
4 import unittest
5 from framework import VppTestCase, VppTestRunner, running_extended_tests
6 from scapy.layers.l2 import Ether
7 from scapy.packet import Raw
8 from scapy.layers.inet import IP, UDP, TCP
9 from scapy.packet import Packet
10 from socket import inet_pton, AF_INET, AF_INET6
11 from scapy.layers.inet6 import IPv6, ICMPv6Unknown, ICMPv6EchoRequest
12 from scapy.layers.inet6 import ICMPv6EchoReply, IPv6ExtHdrRouting
13 from scapy.layers.inet6 import IPv6ExtHdrFragment
14 from pprint import pprint
15 from random import randint
16 from util import L4_Conn
17
18
def to_acl_rule(self, is_permit, wildcard_sport=False):
    """Build an ACL rule dict that matches this scapy packet's 5-tuple.

    Bound onto scapy's ``Packet`` further down, so callers can write
    ``pkt.to_acl_rule(...)`` on any packet built by the test.

    Args:
        is_permit: action value passed through unchanged into the rule
            (the callers in this file use 2, the ACL API's permit+reflect).
        wildcard_sport: when true the source-port range becomes 0..65535
            instead of the packet's exact source port.  The destination
            port is always matched exactly.

    Returns:
        A dict in the shape taken by ``vapi.acl_add_replace``: addresses
        packed with ``inet_pton`` and a host prefix (/32 or /128), exact
        destination port, and the packet's L4 protocol number.
    """
    pkt = self
    sport = pkt.sport
    dport = pkt.dport
    is_ip6 = pkt.haslayer(IPv6)

    # Everything address-related depends only on which L3 header is present.
    if is_ip6:
        family, prefix_len, l3, proto = AF_INET6, 128, IPv6, pkt[IPv6].nh
    else:
        family, prefix_len, l3, proto = AF_INET, 32, IP, pkt[IP].proto

    if wildcard_sport:
        sport_first, sport_last = 0, 65535
    else:
        sport_first, sport_last = sport, sport

    return {
        'is_permit': is_permit,
        'is_ipv6': is_ip6,
        'src_ip_addr': inet_pton(family, pkt[l3].src),
        'src_ip_prefix_len': prefix_len,
        'dst_ip_addr': inet_pton(family, pkt[l3].dst),
        'dst_ip_prefix_len': prefix_len,
        'srcport_or_icmptype_first': sport_first,
        'srcport_or_icmptype_last': sport_last,
        'dstport_or_icmpcode_first': dport,
        'dstport_or_icmpcode_last': dport,
        'proto': proto,
    }
54
55
# Expose the helper as a method on every scapy packet (pkt.to_acl_rule(...)).
Packet.to_acl_rule = to_acl_rule
57
58
class IterateWithSleep():
    """Yield ``0 .. n_iters-1``, sleeping ``sleep_sec`` after each step.

    The sleep is routed through ``testcase.sleep`` so the framework's own
    timing hooks are used instead of calling ``time.sleep`` directly.
    ``description`` is kept only to make the call site self-explanatory;
    the iterator itself never reads it.
    """

    def __init__(self, testcase, n_iters, description, sleep_sec):
        self.curr = 0
        self.testcase = testcase
        self.n_iters = n_iters
        self.sleep_sec = sleep_sec
        self.description = description

    def __iter__(self):
        for idx in range(self.n_iters):
            yield idx
            # Runs once the consumer has finished its loop body for `idx`,
            # so a body of `pass` turns the whole loop into a paced wait.
            self.testcase.sleep(self.sleep_sec)
71
72
class Conn(L4_Conn):
    """An L4 connection across the two pg interfaces, plus ACL helpers.

    ``self.ifs``, ``self.testcase``, ``self.address_family`` and
    ``self.pkt()`` are provided by ``util.L4_Conn``.
    """

    def apply_acls(self, reflect_side, acl_side):
        """Install a permit+reflect ACL and a deny-all ACL on ``acl_side``.

        The reflect rule is derived from the packet of direction
        ``reflect_side`` (0 or 1, as built by ``self.pkt``) with the source
        port wildcarded, so any client port of that flow creates a session.
        The second ACL is a bare deny-all, so nothing that is not part of a
        reflected session gets through.

        ``acl_interface_set_acl_list(sw_if_index, 1, acls)`` applies the
        first ACL on input and the rest on output, so the list order
        decides the direction: reflect-on-input when
        ``reflect_side == acl_side``, deny-on-input otherwise.  The other
        interface gets an empty ACL list.
        """
        template = [self.pkt(0), self.pkt(1)][reflect_side]
        vapi = self.testcase.vapi

        reflect_rules = [
            template.to_acl_rule(2, wildcard_sport=True),
            self.wildcard_rule(0),
        ]
        # acl_index 0xffffffff (~0) asks the plugin to create a new ACL
        # rather than replace an existing one.
        res = vapi.acl_add_replace(0xffffffff, reflect_rules)
        self.testcase.assert_equal(res.retval, 0, "error adding ACL")
        reflect_acl_index = res.acl_index

        res = vapi.acl_add_replace(0xffffffff, [self.wildcard_rule(0)])
        self.testcase.assert_equal(res.retval, 0, "error adding deny ACL")
        deny_acl_index = res.acl_index

        if reflect_side == acl_side:
            acl_list = [reflect_acl_index, deny_acl_index]
        else:
            acl_list = [deny_acl_index, reflect_acl_index]
        vapi.acl_interface_set_acl_list(
            self.ifs[acl_side].sw_if_index, 1, acl_list)
        vapi.acl_interface_set_acl_list(
            self.ifs[1 - acl_side].sw_if_index, 0, [])

    def wildcard_rule(self, is_permit):
        """Return a rule matching any address, any port and any protocol.

        The address family follows ``self.address_family``; prefix length 0
        on both addresses and proto 0 make the rule a catch-all, so it is
        used as the trailing deny (``is_permit == 0``) in ``apply_acls``.
        """
        family = self.address_family
        is_ip6 = 1 if family == AF_INET6 else 0
        any_addr = inet_pton(family, "::" if is_ip6 else "0.0.0.0")
        return {
            'is_permit': is_permit,
            'is_ipv6': is_ip6,
            'src_ip_addr': any_addr,
            'src_ip_prefix_len': 0,
            'dst_ip_addr': any_addr,
            'dst_ip_prefix_len': 0,
            'srcport_or_icmptype_first': 0,
            'srcport_or_icmptype_last': 65535,
            'dstport_or_icmpcode_first': 0,
            'dstport_or_icmpcode_last': 65535,
            'proto': 0,
        }
126
127
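@unittest.skipUnless(running_extended_tests, "part of extended tests")
class ACLPluginConnTestCase(VppTestCase):
    """ ACL plugin connection-oriented extended testcases

    Exercises the stateful (reflect) part of the ACL plugin: a session
    opened by a permitted packet must let return traffic through, and must
    stop doing so once it has idled past the configured timeout, been torn
    down by TCP flags, or been cleared from the CLI.

    The tests are order-dependent: test_0000 and test_2000 set the session
    timeouts that the UDP and TCP tests respectively rely on.
    """

    @classmethod
    def setUpClass(cls):
        """Create pg0/pg1 with IPv4 and IPv6, enable session event tracing."""
        super().setUpClass()
        # create pg0 and pg1
        cls.create_pg_interfaces(range(2))
        cmd = "set acl-plugin session table event-trace 1"
        cls.logger.info(cls.vapi.cli(cmd))
        for i in cls.pg_interfaces:
            i.admin_up()
            i.config_ip4()
            i.config_ip6()
            i.resolve_arp()
            i.resolve_ndp()

    @classmethod
    def tearDownClass(cls):
        super().tearDownClass()

    def tearDown(self):
        """Run standard test teardown and log various show commands
        """
        super().tearDown()

    def show_commands_at_teardown(self):
        """Log neighbor tables and ACL plugin state for post-mortem analysis."""
        self.logger.info(self.vapi.cli("show ip neighbors"))
        self.logger.info(self.vapi.cli("show ip6 neighbors"))
        self.logger.info(self.vapi.cli("show acl-plugin sessions"))
        self.logger.info(self.vapi.cli("show acl-plugin acl"))
        self.logger.info(self.vapi.cli("show acl-plugin interface"))
        self.logger.info(self.vapi.cli("show acl-plugin tables"))
        self.logger.info(self.vapi.cli("show event-logger all"))

    def _assert_no_return_packet(self, conn, msg):
        """Send on the reflected side of ``conn`` and require nothing passes.

        Once the session is gone the framework asserts while waiting for
        the capture; that exception is the expected outcome and maps to
        ``None``.  A packet that does make it through fails the test with
        ``msg``.  Only ``Exception`` is caught, so KeyboardInterrupt and
        SystemExit still abort the run instead of being counted as a pass.
        """
        try:
            p2 = conn.send_through(1).command()
        except Exception:
            # If we asserted while waiting, it's good.
            # the conn should have timed out.
            p2 = None
        self.assert_equal(p2, None, msg)

    def run_basic_conn_test(self, af, acl_side):
        """ Basic conn timeout test

        Open a UDP session, keep it alive with return traffic, then let it
        idle past the UDP idle timeout (1 s, set by test_0000) and check
        the reflected side is closed again.
        """
        conn1 = Conn(self, self.pg0, self.pg1, af, UDP, 42001, 4242)
        conn1.apply_acls(0, acl_side)
        conn1.send_through(0)
        # the return packets should pass
        conn1.send_through(1)
        # send some packets on conn1, ensure it doesn't go away
        for _ in IterateWithSleep(self, 20, "Keep conn active", 0.3):
            conn1.send_through(1)
        # allow the conn to time out
        for _ in IterateWithSleep(self, 30, "Wait for timeout", 0.1):
            pass
        # now try to send a packet on the reflected side
        self._assert_no_return_packet(conn1, "packet on long-idle conn")

    def run_active_conn_test(self, af, acl_side):
        """ Idle connection behind active connection test

        Three UDP sessions share the same destination port; only conn1 is
        kept busy.  The idle conn2 must still time out on its own, i.e.
        activity on one session must not keep a neighbouring one alive.
        """
        base = 10000 + 1000*acl_side
        conn1 = Conn(self, self.pg0, self.pg1, af, UDP, base + 1, 2323)
        conn2 = Conn(self, self.pg0, self.pg1, af, UDP, base + 2, 2323)
        conn3 = Conn(self, self.pg0, self.pg1, af, UDP, base + 3, 2323)
        conn1.apply_acls(0, acl_side)
        conn1.send(0)
        conn1.recv(1)
        # create and check that the conn2/3 work
        self.sleep(0.1)
        conn2.send_pingpong(0)
        self.sleep(0.1)
        conn3.send_pingpong(0)
        # send some packets on conn1, keep conn2/3 idle
        for _ in IterateWithSleep(self, 20, "Keep conn active", 0.2):
            conn1.send_through(1)
        # We should have not received the packet on a long-idle
        # connection, because it should have timed out
        # If it didn't - it is a problem
        self._assert_no_return_packet(conn2, "packet on long-idle conn")

    def run_clear_conn_test(self, af, acl_side):
        """ Clear the connections via CLI

        Same setup as the basic test, but the session is removed with
        ``clear acl-plugin sessions`` while still active; the reflected
        side must be closed immediately afterwards.
        """
        conn1 = Conn(self, self.pg0, self.pg1, af, UDP, 42001, 4242)
        conn1.apply_acls(0, acl_side)
        conn1.send_through(0)
        # the return packets should pass
        conn1.send_through(1)
        # send some packets on conn1, ensure it doesn't go away
        for _ in IterateWithSleep(self, 20, "Keep conn active", 0.3):
            conn1.send_through(1)
        # clear all connections
        self.vapi.ppcli("clear acl-plugin sessions")
        # now try to send a packet on the reflected side
        self._assert_no_return_packet(
            conn1, "packet on supposedly deleted conn")

    def run_tcp_transient_setup_conn_test(self, af, acl_side):
        """ Incomplete 3WHS: SYN and SYN-ACK only

        The half-open session stays on the transient timer (1 s, set by
        test_2000) and must be gone after the 3 s wait.
        """
        conn1 = Conn(self, self.pg0, self.pg1, af, TCP, 53001, 5151)
        conn1.apply_acls(0, acl_side)
        conn1.send_through(0, 'S')
        # the return packets should pass
        conn1.send_through(1, 'SA')
        # allow the conn to time out
        for _ in IterateWithSleep(self, 30, "Wait for timeout", 0.1):
            pass
        # ensure conn times out
        self._assert_no_return_packet(
            conn1, "packet on supposedly deleted conn")

    def run_tcp_established_conn_test(self, af, acl_side):
        """ Established TCP session (complete 3WHS)

        After the handshake the session must survive the transient timeout
        (3 s wait) and still pass traffic, then expire once it idles past
        the TCP idle timeout (10 s, set by test_2000; 13 s wait).
        """
        conn1 = Conn(self, self.pg0, self.pg1, af, TCP, 53002, 5052)
        conn1.apply_acls(0, acl_side)
        conn1.send_through(0, 'S')
        # the return packets should pass
        conn1.send_through(1, 'SA')
        # complete the threeway handshake
        # (NB: sequence numbers not tracked, so not set!)
        conn1.send_through(0, 'A')
        # allow the conn to time out if it's in embryonic timer
        for _ in IterateWithSleep(self, 30, "Wait for transient timeout", 0.1):
            pass
        # Try to send the packet from the "forbidden" side - it must pass
        conn1.send_through(1, 'A')
        # ensure conn times out for real
        for _ in IterateWithSleep(self, 130, "Wait for timeout", 0.1):
            pass
        self._assert_no_return_packet(
            conn1, "packet on supposedly deleted conn")

    def run_tcp_transient_teardown_conn_test(self, af, acl_side):
        """ Established TCP session torn down by FIN-ACK

        After the handshake and one ACK from the reflected side, a FIN-ACK
        must move the session back onto the transient timer so it expires
        within the 3 s wait instead of the 10 s idle timeout.
        """
        conn1 = Conn(self, self.pg0, self.pg1, af, TCP, 53002, 5052)
        conn1.apply_acls(0, acl_side)
        conn1.send_through(0, 'S')
        # the return packets should pass
        conn1.send_through(1, 'SA')
        # complete the threeway handshake
        # (NB: sequence numbers not tracked, so not set!)
        conn1.send_through(0, 'A')
        # allow the conn to time out if it's in embryonic timer
        for _ in IterateWithSleep(self, 30, "Wait for transient timeout", 0.1):
            pass
        # Try to send the packet from the "forbidden" side - it must pass
        conn1.send_through(1, 'A')
        # Send the FIN to bounce the session out of established
        conn1.send_through(1, 'FA')
        # If conn landed on transient timer it will time out here
        for _ in IterateWithSleep(self, 30, "Wait for transient timeout", 0.1):
            pass
        # Now it should have timed out already
        self._assert_no_return_packet(
            conn1, "packet on supposedly deleted conn")

    def test_0000_conn_prepare_test(self):
        """ Prepare the settings """
        self.vapi.ppcli("set acl-plugin session timeout udp idle 1")

    def test_0001_basic_conn_test(self):
        """ IPv4: Basic conn timeout test reflect on ingress """
        self.run_basic_conn_test(AF_INET, 0)

    def test_0002_basic_conn_test(self):
        """ IPv4: Basic conn timeout test reflect on egress """
        self.run_basic_conn_test(AF_INET, 1)

    def test_0005_clear_conn_test(self):
        """ IPv4: reflect egress, clear conn """
        self.run_clear_conn_test(AF_INET, 1)

    def test_0006_clear_conn_test(self):
        """ IPv4: reflect ingress, clear conn """
        self.run_clear_conn_test(AF_INET, 0)

    def test_0011_active_conn_test(self):
        """ IPv4: Idle conn behind active conn, reflect on ingress """
        self.run_active_conn_test(AF_INET, 0)

    def test_0012_active_conn_test(self):
        """ IPv4: Idle conn behind active conn, reflect on egress """
        self.run_active_conn_test(AF_INET, 1)

    def test_1001_basic_conn_test(self):
        """ IPv6: Basic conn timeout test reflect on ingress """
        self.run_basic_conn_test(AF_INET6, 0)

    def test_1002_basic_conn_test(self):
        """ IPv6: Basic conn timeout test reflect on egress """
        self.run_basic_conn_test(AF_INET6, 1)

    def test_1005_clear_conn_test(self):
        """ IPv6: reflect egress, clear conn """
        self.run_clear_conn_test(AF_INET6, 1)

    def test_1006_clear_conn_test(self):
        """ IPv6: reflect ingress, clear conn """
        self.run_clear_conn_test(AF_INET6, 0)

    def test_1011_active_conn_test(self):
        """ IPv6: Idle conn behind active conn, reflect on ingress """
        self.run_active_conn_test(AF_INET6, 0)

    def test_1012_active_conn_test(self):
        """ IPv6: Idle conn behind active conn, reflect on egress """
        self.run_active_conn_test(AF_INET6, 1)

    def test_2000_prepare_for_tcp_test(self):
        """ Prepare for TCP session tests """
        # ensure the session hangs on if it gets treated as UDP
        self.vapi.ppcli("set acl-plugin session timeout udp idle 200")
        # let an established TCP connection idle out after 10 seconds,
        # and a half-open / closing one after 1 second
        self.vapi.ppcli("set acl-plugin session timeout tcp idle 10")
        self.vapi.ppcli("set acl-plugin session timeout tcp transient 1")

    def test_2001_tcp_transient_conn_test(self):
        """ IPv4: transient TCP session (incomplete 3WHS), ref. on ingress """
        self.run_tcp_transient_setup_conn_test(AF_INET, 0)

    def test_2002_tcp_transient_conn_test(self):
        """ IPv4: transient TCP session (incomplete 3WHS), ref. on egress """
        self.run_tcp_transient_setup_conn_test(AF_INET, 1)

    def test_2003_tcp_transient_conn_test(self):
        """ IPv4: established TCP session (complete 3WHS), ref. on ingress """
        self.run_tcp_established_conn_test(AF_INET, 0)

    def test_2004_tcp_transient_conn_test(self):
        """ IPv4: established TCP session (complete 3WHS), ref. on egress """
        self.run_tcp_established_conn_test(AF_INET, 1)

    def test_2005_tcp_transient_teardown_conn_test(self):
        """ IPv4: transient TCP session (3WHS,ACK,FINACK), ref. on ingress """
        self.run_tcp_transient_teardown_conn_test(AF_INET, 0)

    def test_2006_tcp_transient_teardown_conn_test(self):
        """ IPv4: transient TCP session (3WHS,ACK,FINACK), ref. on egress """
        self.run_tcp_transient_teardown_conn_test(AF_INET, 1)

    def test_3001_tcp_transient_conn_test(self):
        """ IPv6: transient TCP session (incomplete 3WHS), ref. on ingress """
        self.run_tcp_transient_setup_conn_test(AF_INET6, 0)

    def test_3002_tcp_transient_conn_test(self):
        """ IPv6: transient TCP session (incomplete 3WHS), ref. on egress """
        self.run_tcp_transient_setup_conn_test(AF_INET6, 1)

    def test_3003_tcp_transient_conn_test(self):
        """ IPv6: established TCP session (complete 3WHS), ref. on ingress """
        self.run_tcp_established_conn_test(AF_INET6, 0)

    def test_3004_tcp_transient_conn_test(self):
        """ IPv6: established TCP session (complete 3WHS), ref. on egress """
        self.run_tcp_established_conn_test(AF_INET6, 1)

    def test_3005_tcp_transient_teardown_conn_test(self):
        """ IPv6: transient TCP session (3WHS,ACK,FINACK), ref. on ingress """
        self.run_tcp_transient_teardown_conn_test(AF_INET6, 0)

    def test_3006_tcp_transient_teardown_conn_test(self):
        """ IPv6: transient TCP session (3WHS,ACK,FINACK), ref. on egress """
        self.run_tcp_transient_teardown_conn_test(AF_INET6, 1)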