2 """ACL IRB Test Case HLD:
5 - L2 MAC learning enabled in l2bd
6 - 2 routed interfaces untagged, bvi (Bridge Virtual Interface)
7 - 2 bridged interfaces in l2bd with bvi
10 - sending ip4 eth pkts between routed interfaces
12 - 2 bridged interfaces
14 - 64B, 512B, 1518B, 9200B (ether_size)
16 - burst of pkts per interface
18 - routed pkts hitting different FIB entries
19 - bridged pkts hitting different MAC entries
22 - all packets received correctly
28 from socket import inet_pton, AF_INET, AF_INET6
29 from random import choice, shuffle
30 from pprint import pprint
31 from ipaddress import ip_network
34 from scapy.packet import Raw
35 from scapy.layers.l2 import Ether
36 from scapy.layers.inet import IP, UDP, ICMP, TCP
37 from scapy.layers.inet6 import IPv6, ICMPv6Unknown, ICMPv6EchoRequest
38 from scapy.layers.inet6 import ICMPv6EchoReply, IPv6ExtHdrRouting
39 from scapy.layers.inet6 import IPv6ExtHdrFragment
41 from framework import VppTestCase, VppTestRunner
42 from vpp_l2 import L2_PORT_TYPE
45 from vpp_acl import AclRule, VppAcl, VppAclInterface
48 class TestACLpluginL2L3(VppTestCase):
49 """TestACLpluginL2L3 Test Case"""
54 #. Create BD with MAC learning enabled and put interfaces to this BD.
55 #. Configure IPv4 addresses on loopback interface and routed interface.
56 #. Configure MAC address binding to IPv4 neighbors on loop0.
57 #. Configure MAC address on pg2.
58 #. Loopback BVI interface has remote hosts, one half of hosts are
59 behind pg0 second behind pg1.
61 super(TestACLpluginL2L3, cls).setUpClass()
63 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
65 cls.remote_hosts_count = 250
67 # create 3 pg interfaces, 1 loopback interface
68 cls.create_pg_interfaces(range(3))
69 cls.create_loopback_interfaces(1)
71 cls.interfaces = list(cls.pg_interfaces)
72 cls.interfaces.extend(cls.lo_interfaces)
74 for i in cls.interfaces:
77 # Create BD with MAC learning enabled and put interfaces to this BD
78 cls.vapi.sw_interface_set_l2_bridge(
79 rx_sw_if_index=cls.loop0.sw_if_index, bd_id=cls.bd_id,
80 port_type=L2_PORT_TYPE.BVI)
81 cls.vapi.sw_interface_set_l2_bridge(rx_sw_if_index=cls.pg0.sw_if_index,
83 cls.vapi.sw_interface_set_l2_bridge(rx_sw_if_index=cls.pg1.sw_if_index,
86 # Configure IPv4 addresses on loopback interface and routed interface
87 cls.loop0.config_ip4()
88 cls.loop0.config_ip6()
92 # Configure MAC address binding to IPv4 neighbors on loop0
93 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
94 cls.loop0.configure_ipv4_neighbors()
95 cls.loop0.configure_ipv6_neighbors()
96 # configure MAC address on pg2
100 cls.WITHOUT_EH = False
102 cls.STATELESS_ICMP = False
103 cls.STATEFUL_ICMP = True
105 # Loopback BVI interface has remote hosts, one half of hosts are behind
106 # pg0 second behind pg1
107 half = cls.remote_hosts_count // 2
108 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:half]
109 cls.pg1.remote_hosts = cls.loop0.remote_hosts[half:]
110 reply = cls.vapi.papi.acl_stats_intf_counters_enable(enable=1)
113 def tearDownClass(cls):
114 reply = cls.vapi.papi.acl_stats_intf_counters_enable(enable=0)
115 super(TestACLpluginL2L3, cls).tearDownClass()
118 """Run standard test teardown and log ``show l2patch``,
119 ``show l2fib verbose``,``show bridge-domain <bd_id> detail``,
120 ``show ip neighbors``.
122 super(TestACLpluginL2L3, self).tearDown()
124 def show_commands_at_teardown(self):
125 self.logger.info(self.vapi.cli("show l2patch"))
126 self.logger.info(self.vapi.cli("show classify tables"))
127 self.logger.info(self.vapi.cli("show l2fib verbose"))
128 self.logger.info(self.vapi.cli("show bridge-domain %s detail" %
130 self.logger.info(self.vapi.cli("show ip neighbors"))
131 cmd = "show acl-plugin sessions verbose 1"
132 self.logger.info(self.vapi.cli(cmd))
133 self.logger.info(self.vapi.cli("show acl-plugin acl"))
134 self.logger.info(self.vapi.cli("show acl-plugin interface"))
135 self.logger.info(self.vapi.cli("show acl-plugin tables"))
137 def create_stream(self, src_ip_if, dst_ip_if, reverse, packet_sizes,
138 is_ip6, expect_blocked, expect_established,
139 add_extension_header, icmp_stateful=False):
143 permit_and_reflect_rules = []
144 total_packet_count = 8
145 for i in range(0, total_packet_count):
147 icmp_type_delta = i % 2
149 is_udp_packet = (modulo == 0)
150 if is_udp_packet and icmp_stateful:
152 is_reflectable_icmp = (icmp_stateful and icmp_type_delta == 0 and
154 is_reflected_icmp = is_reflectable_icmp and expect_established
155 can_reflect_this_packet = is_udp_packet or is_reflectable_icmp
157 remote_dst_index = i % len(dst_ip_if.remote_hosts)
158 remote_dst_host = dst_ip_if.remote_hosts[remote_dst_index]
160 info = self.create_packet_info(src_ip_if, dst_ip_if)
161 payload = self.info_to_payload(info)
163 to_be_blocked = False
164 if (expect_blocked and not expect_established):
166 if (not can_reflect_this_packet):
169 payload = "to be blocked"
171 info = self.create_packet_info(src_ip_if, dst_ip_if)
172 payload = self.info_to_payload(info)
174 dst_mac = 'de:ad:00:00:00:00'
175 src_mac = remote_dst_host._mac
176 dst_ip6 = src_ip_if.remote_ip6
177 src_ip6 = remote_dst_host.ip6
178 dst_ip4 = src_ip_if.remote_ip4
179 src_ip4 = remote_dst_host.ip4
183 dst_mac = src_ip_if.local_mac
184 src_mac = src_ip_if.remote_mac
185 src_ip6 = src_ip_if.remote_ip6
186 dst_ip6 = remote_dst_host.ip6
187 src_ip4 = src_ip_if.remote_ip4
188 dst_ip4 = remote_dst_host.ip4
191 if is_reflected_icmp:
194 # default ULP should be something we do not use in tests
195 ulp_l4 = TCP(sport=src_l4, dport=dst_l4)
196 # potentially a chain of protocols leading to ULP
201 ulp_l4 = UDP(sport=src_l4, dport=dst_l4)
202 if add_extension_header:
203 # prepend some extension headers
204 ulp = (IPv6ExtHdrRouting() / IPv6ExtHdrRouting() /
205 IPv6ExtHdrFragment(offset=0, m=1) / ulp_l4)
206 # uncomment below to test invalid ones
207 # ulp = IPv6ExtHdrRouting(len = 200) / ulp_l4
210 p = (Ether(dst=dst_mac, src=src_mac) /
211 IPv6(src=src_ip6, dst=dst_ip6) /
215 ulp_l4 = UDP(sport=src_l4, dport=dst_l4)
216 # IPv4 does not allow extension headers,
217 # but we rather make it a first fragment
218 flags = 1 if add_extension_header else 0
220 p = (Ether(dst=dst_mac, src=src_mac) /
221 IP(src=src_ip4, dst=dst_ip4, frag=0, flags=flags) /
226 ulp_l4 = ICMPv6Unknown(type=128 + icmp_type_delta,
229 p = (Ether(dst=dst_mac, src=src_mac) /
230 IPv6(src=src_ip6, dst=dst_ip6) /
234 ulp_l4 = ICMP(type=8 - 8*icmp_type_delta, code=icmp_code)
236 p = (Ether(dst=dst_mac, src=src_mac) /
237 IP(src=src_ip4, dst=dst_ip4) /
243 size = packet_sizes[(i // 2) % len(packet_sizes)]
244 self.extend_packet(p, size)
247 rule_family = AF_INET6 if p.haslayer(IPv6) else AF_INET
248 rule_prefix_len = 128 if p.haslayer(IPv6) else 32
249 rule_l3_layer = IPv6 if p.haslayer(IPv6) else IP
252 rule_l4_sport = p[UDP].sport
253 rule_l4_dport = p[UDP].dport
256 rule_l4_sport = p[ICMP].type
257 rule_l4_dport = p[ICMP].code
259 rule_l4_sport = p[ICMPv6Unknown].type
260 rule_l4_dport = p[ICMPv6Unknown].code
262 rule_l4_proto = ulp_l4.overload_fields[IPv6]['nh']
264 rule_l4_proto = p[IP].proto
266 new_rule = AclRule(is_permit=is_permit, proto=rule_l4_proto,
267 src_prefix=ip_network(
268 (p[rule_l3_layer].src, rule_prefix_len)),
269 dst_prefix=ip_network(
270 (p[rule_l3_layer].dst, rule_prefix_len)),
271 sport_from=rule_l4_sport,
272 sport_to=rule_l4_sport,
273 dport_from=rule_l4_dport,
274 dport_to=rule_l4_dport)
276 rules.append(new_rule)
277 new_rule_permit = copy.copy(new_rule)
278 new_rule_permit.is_permit = 1
279 permit_rules.append(new_rule_permit)
281 new_rule_permit_and_reflect = copy.copy(new_rule)
282 if can_reflect_this_packet:
283 new_rule_permit_and_reflect.is_permit = 2
285 new_rule_permit_and_reflect.is_permit = is_permit
287 permit_and_reflect_rules.append(new_rule_permit_and_reflect)
288 self.logger.info("create_stream pkt#%d: %s" % (i, payload))
290 return {'stream': pkts,
292 'permit_rules': permit_rules,
293 'permit_and_reflect_rules': permit_and_reflect_rules}
295 def verify_capture(self, dst_ip_if, src_ip_if, capture, reverse):
297 for i in self.interfaces:
298 last_info[i.sw_if_index] = None
300 dst_ip_sw_if_index = dst_ip_if.sw_if_index
302 for packet in capture:
303 l3 = IP if packet.haslayer(IP) else IPv6
305 if packet.haslayer(UDP):
308 if packet.haslayer(ICMP):
313 # Scapy IPv6 stuff is too smart for its own good.
314 # So we do this and coerce the ICMP into unknown type
315 if packet.haslayer(UDP):
316 data = scapy.compat.raw(packet[UDP][Raw])
319 data = scapy.compat.raw(ICMP(
320 scapy.compat.raw(packet[l3].payload))[Raw])
322 data = scapy.compat.raw(ICMPv6Unknown(
323 scapy.compat.raw(packet[l3].payload)).msgbody)
324 udp_or_icmp = packet[l3].payload
326 # FIXME: make framework believe we are on object
327 payload_info = self.payload_to_info(data_obj)
328 packet_index = payload_info.index
330 self.assertEqual(payload_info.dst, dst_ip_sw_if_index)
332 next_info = self.get_next_packet_info_for_interface2(
333 payload_info.src, dst_ip_sw_if_index,
334 last_info[payload_info.src])
335 last_info[payload_info.src] = next_info
336 self.assertTrue(next_info is not None)
337 self.assertEqual(packet_index, next_info.index)
338 saved_packet = next_info.data
339 self.assertTrue(next_info is not None)
343 self.assertEqual(packet.src, dst_ip_if.local_mac)
344 host = dst_ip_if.host_by_mac(packet.dst)
347 # self.assertEqual(ip.src, src_ip_if.remote_ip4)
348 if saved_packet is not None:
349 self.assertEqual(ip.src, saved_packet[l3].src)
350 self.assertEqual(ip.dst, saved_packet[l3].dst)
352 self.assertEqual(udp_or_icmp.sport, saved_packet[l4].sport)
353 self.assertEqual(udp_or_icmp.dport, saved_packet[l4].dport)
354 # self.assertEqual(ip.dst, host.ip4)
358 def applied_acl_shuffle(self, acl_if):
359 saved_n_input = acl_if.n_input
360 # TOTO: maybe copy each one??
361 saved_acls = acl_if.acls
363 # now create a list of all the rules in all ACLs
365 for old_acl in saved_acls:
366 for rule in old_acl.rules:
367 all_rules.append(rule)
369 # Add a few ACLs made from shuffled rules
371 acl1 = VppAcl(self, rules=all_rules[::2], tag="shuffle 1. acl")
372 acl1.add_vpp_config()
375 acl2 = VppAcl(self, rules=all_rules[::3], tag="shuffle 2. acl")
376 acl2.add_vpp_config()
379 acl3 = VppAcl(self, rules=all_rules[::2], tag="shuffle 3. acl")
380 acl3.add_vpp_config()
382 # apply the shuffle ACLs in front
383 input_acls = [acl1, acl2]
384 output_acls = [acl1, acl2]
386 # add the currently applied ACLs
387 n_input = acl_if.n_input
388 input_acls.extend(saved_acls[:n_input])
389 output_acls.extend(saved_acls[n_input:])
391 # and the trailing shuffle ACL(s)
392 input_acls.extend([acl3])
393 output_acls.extend([acl3])
395 # set the interface ACL list to the result
396 acl_if.n_input = len(input_acls)
397 acl_if.acls = input_acls + output_acls
398 acl_if.add_vpp_config()
400 # change the ACLs a few times
401 for i in range(1, 10):
403 acl1.modify_vpp_config(all_rules[::1+(i % 2)])
406 acl2.modify_vpp_config(all_rules[::1+(i % 3)])
409 acl3.modify_vpp_config(all_rules[::1+(i % 5)])
411 # restore to how it was before and clean up
412 acl_if.n_input = saved_n_input
413 acl_if.acls = saved_acls
414 acl_if.add_vpp_config()
416 acl1.remove_vpp_config()
417 acl2.remove_vpp_config()
418 acl3.remove_vpp_config()
420 def create_acls_for_a_stream(self, stream_dict,
421 test_l2_action, is_reflect):
422 r = stream_dict['rules']
423 r_permit = stream_dict['permit_rules']
424 r_permit_reflect = stream_dict['permit_and_reflect_rules']
425 r_action = r_permit_reflect if is_reflect else r
426 action_acl = VppAcl(self, rules=r_action, tag="act. acl")
427 action_acl.add_vpp_config()
428 permit_acl = VppAcl(self, rules=r_permit, tag="perm. acl")
429 permit_acl.add_vpp_config()
431 return {'L2': action_acl if test_l2_action else permit_acl,
432 'L3': permit_acl if test_l2_action else action_acl,
433 'permit': permit_acl, 'action': action_acl}
435 def apply_acl_ip46_x_to_y(self, bridged_to_routed, test_l2_deny,
436 is_ip6, is_reflect, add_eh):
439 self.reset_packet_infos()
440 stream_dict = self.create_stream(
441 self.pg2, self.loop0,
443 self.pg_if_packet_sizes, is_ip6,
444 not is_reflect, False, add_eh)
445 stream = stream_dict['stream']
446 acl_idx = self.create_acls_for_a_stream(stream_dict, test_l2_deny,
448 n_input_l3 = 0 if bridged_to_routed else 1
449 n_input_l2 = 1 if bridged_to_routed else 0
451 acl_if_pg2 = VppAclInterface(self, sw_if_index=self.pg2.sw_if_index,
452 n_input=n_input_l3, acls=[acl_idx['L3']])
453 acl_if_pg2.add_vpp_config()
455 acl_if_pg0 = VppAclInterface(self, sw_if_index=self.pg0.sw_if_index,
456 n_input=n_input_l2, acls=[acl_idx['L2']])
457 acl_if_pg0.add_vpp_config()
459 acl_if_pg1 = VppAclInterface(self, sw_if_index=self.pg1.sw_if_index,
460 n_input=n_input_l2, acls=[acl_idx['L2']])
461 acl_if_pg1.add_vpp_config()
463 self.applied_acl_shuffle(acl_if_pg0)
464 self.applied_acl_shuffle(acl_if_pg1)
465 return {'L2': acl_idx['L2'], 'L3': acl_idx['L3']}
467 def apply_acl_ip46_both_directions_reflect(self,
468 primary_is_bridged_to_routed,
469 reflect_on_l2, is_ip6, add_eh,
471 primary_is_routed_to_bridged = not primary_is_bridged_to_routed
472 self.reset_packet_infos()
473 stream_dict_fwd = self.create_stream(self.pg2, self.loop0,
474 primary_is_bridged_to_routed,
475 self.pg_if_packet_sizes, is_ip6,
476 False, False, add_eh,
478 acl_idx_fwd = self.create_acls_for_a_stream(stream_dict_fwd,
481 stream_dict_rev = self.create_stream(self.pg2, self.loop0,
482 not primary_is_bridged_to_routed,
483 self.pg_if_packet_sizes, is_ip6,
484 True, True, add_eh, stateful_icmp)
485 # We want the primary action to be "deny" rather than reflect
486 acl_idx_rev = self.create_acls_for_a_stream(stream_dict_rev,
487 reflect_on_l2, False)
489 if primary_is_bridged_to_routed:
490 inbound_l2_acl = acl_idx_fwd['L2']
492 inbound_l2_acl = acl_idx_rev['L2']
494 if primary_is_routed_to_bridged:
495 outbound_l2_acl = acl_idx_fwd['L2']
497 outbound_l2_acl = acl_idx_rev['L2']
499 if primary_is_routed_to_bridged:
500 inbound_l3_acl = acl_idx_fwd['L3']
502 inbound_l3_acl = acl_idx_rev['L3']
504 if primary_is_bridged_to_routed:
505 outbound_l3_acl = acl_idx_fwd['L3']
507 outbound_l3_acl = acl_idx_rev['L3']
509 acl_if_pg2 = VppAclInterface(self, sw_if_index=self.pg2.sw_if_index,
511 acls=[inbound_l3_acl, outbound_l3_acl])
512 acl_if_pg2.add_vpp_config()
514 acl_if_pg0 = VppAclInterface(self, sw_if_index=self.pg0.sw_if_index,
516 acls=[inbound_l2_acl, outbound_l2_acl])
517 acl_if_pg0.add_vpp_config()
519 acl_if_pg1 = VppAclInterface(self, sw_if_index=self.pg1.sw_if_index,
521 acls=[inbound_l2_acl, outbound_l2_acl])
522 acl_if_pg1.add_vpp_config()
524 self.applied_acl_shuffle(acl_if_pg0)
525 self.applied_acl_shuffle(acl_if_pg2)
527 def apply_acl_ip46_routed_to_bridged(self, test_l2_deny, is_ip6,
529 return self.apply_acl_ip46_x_to_y(False, test_l2_deny, is_ip6,
532 def apply_acl_ip46_bridged_to_routed(self, test_l2_deny, is_ip6,
534 return self.apply_acl_ip46_x_to_y(True, test_l2_deny, is_ip6,
537 def verify_acl_packet_count(self, acl_idx, packet_count):
538 matches = self.statistics.get_counter('/acl/%d/matches' % acl_idx)
539 self.logger.info("stat seg for ACL %d: %s" % (acl_idx, repr(matches)))
542 total_count = total_count + p['packets']
543 self.assertEqual(total_count, packet_count)
545 def run_traffic_ip46_x_to_y(self, bridged_to_routed,
546 test_l2_deny, is_ip6,
547 is_reflect, is_established, add_eh,
548 stateful_icmp=False):
549 self.reset_packet_infos()
550 stream_dict = self.create_stream(self.pg2, self.loop0,
552 self.pg_if_packet_sizes, is_ip6,
553 not is_reflect, is_established,
554 add_eh, stateful_icmp)
555 stream = stream_dict['stream']
557 tx_if = self.pg0 if bridged_to_routed else self.pg2
558 rx_if = self.pg2 if bridged_to_routed else self.pg0
560 tx_if.add_stream(stream)
561 self.pg_enable_capture(self.pg_interfaces)
563 packet_count = self.get_packet_count_for_if_idx(self.loop0.sw_if_index)
564 rcvd1 = rx_if.get_capture(packet_count)
565 self.verify_capture(self.loop0, self.pg2, rcvd1, bridged_to_routed)
568 def run_traffic_ip46_routed_to_bridged(self, test_l2_deny, is_ip6,
569 is_reflect, is_established, add_eh,
570 stateful_icmp=False):
571 return self.run_traffic_ip46_x_to_y(False, test_l2_deny, is_ip6,
572 is_reflect, is_established, add_eh,
575 def run_traffic_ip46_bridged_to_routed(self, test_l2_deny, is_ip6,
576 is_reflect, is_established, add_eh,
577 stateful_icmp=False):
578 return self.run_traffic_ip46_x_to_y(True, test_l2_deny, is_ip6,
579 is_reflect, is_established, add_eh,
582 def run_test_ip46_routed_to_bridged(self, test_l2_deny,
583 is_ip6, is_reflect, add_eh):
584 acls = self.apply_acl_ip46_routed_to_bridged(test_l2_deny,
587 pkts = self.run_traffic_ip46_routed_to_bridged(test_l2_deny, is_ip6,
590 self.verify_acl_packet_count(acls['L3'].acl_index, pkts)
592 def run_test_ip46_bridged_to_routed(self, test_l2_deny,
593 is_ip6, is_reflect, add_eh):
594 acls = self.apply_acl_ip46_bridged_to_routed(test_l2_deny,
597 pkts = self.run_traffic_ip46_bridged_to_routed(test_l2_deny, is_ip6,
600 self.verify_acl_packet_count(acls['L2'].acl_index, pkts)
602 def run_test_ip46_routed_to_bridged_and_back(self, test_l2_action,
604 stateful_icmp=False):
605 self.apply_acl_ip46_both_directions_reflect(False, test_l2_action,
608 self.run_traffic_ip46_routed_to_bridged(test_l2_action, is_ip6,
611 self.run_traffic_ip46_bridged_to_routed(test_l2_action, is_ip6,
615 def run_test_ip46_bridged_to_routed_and_back(self, test_l2_action,
617 stateful_icmp=False):
618 self.apply_acl_ip46_both_directions_reflect(True, test_l2_action,
621 self.run_traffic_ip46_bridged_to_routed(test_l2_action, is_ip6,
624 self.run_traffic_ip46_routed_to_bridged(test_l2_action, is_ip6,
628 def test_0000_ip6_irb_1(self):
629 """ ACL plugin prepare"""
630 if not self.vpp_dead:
631 cmd = "set acl-plugin session timeout udp idle 2000"
632 self.logger.info(self.vapi.ppcli(cmd))
633 # uncomment to not skip past the routing header
634 # and watch the EH tests fail
635 # self.logger.info(self.vapi.ppcli(
636 # "set acl-plugin skip-ipv6-extension-header 43 0"))
637 # uncomment to test the session limit (stateful tests will fail)
638 # self.logger.info(self.vapi.ppcli(
639 # "set acl-plugin session table max-entries 1"))
640 # new datapath is the default, but just in case
641 # self.logger.info(self.vapi.ppcli(
642 # "set acl-plugin l2-datapath new"))
643 # If you want to see some tests fail, uncomment the next line
644 # self.logger.info(self.vapi.ppcli(
645 # "set acl-plugin l2-datapath old"))
647 def test_0001_ip6_irb_1(self):
648 """ ACL IPv6 routed -> bridged, L2 ACL deny"""
649 self.run_test_ip46_routed_to_bridged(True, True, False,
652 def test_0002_ip6_irb_1(self):
653 """ ACL IPv6 routed -> bridged, L3 ACL deny"""
654 self.run_test_ip46_routed_to_bridged(False, True, False,
657 def test_0003_ip4_irb_1(self):
658 """ ACL IPv4 routed -> bridged, L2 ACL deny"""
659 self.run_test_ip46_routed_to_bridged(True, False, False,
662 def test_0004_ip4_irb_1(self):
663 """ ACL IPv4 routed -> bridged, L3 ACL deny"""
664 self.run_test_ip46_routed_to_bridged(False, False, False,
667 def test_0005_ip6_irb_1(self):
668 """ ACL IPv6 bridged -> routed, L2 ACL deny """
669 self.run_test_ip46_bridged_to_routed(True, True, False,
672 def test_0006_ip6_irb_1(self):
673 """ ACL IPv6 bridged -> routed, L3 ACL deny """
674 self.run_test_ip46_bridged_to_routed(False, True, False,
677 def test_0007_ip6_irb_1(self):
678 """ ACL IPv4 bridged -> routed, L2 ACL deny """
679 self.run_test_ip46_bridged_to_routed(True, False, False,
682 def test_0008_ip6_irb_1(self):
683 """ ACL IPv4 bridged -> routed, L3 ACL deny """
684 self.run_test_ip46_bridged_to_routed(False, False, False,
688 def test_0101_ip6_irb_1(self):
689 """ ACL IPv6 routed -> bridged, L2 ACL permit+reflect"""
690 self.run_test_ip46_routed_to_bridged_and_back(True, True,
693 def test_0102_ip6_irb_1(self):
694 """ ACL IPv6 bridged -> routed, L2 ACL permit+reflect"""
695 self.run_test_ip46_bridged_to_routed_and_back(True, True,
698 def test_0103_ip6_irb_1(self):
699 """ ACL IPv4 routed -> bridged, L2 ACL permit+reflect"""
700 self.run_test_ip46_routed_to_bridged_and_back(True, False,
703 def test_0104_ip6_irb_1(self):
704 """ ACL IPv4 bridged -> routed, L2 ACL permit+reflect"""
705 self.run_test_ip46_bridged_to_routed_and_back(True, False,
708 def test_0111_ip6_irb_1(self):
709 """ ACL IPv6 routed -> bridged, L3 ACL permit+reflect"""
710 self.run_test_ip46_routed_to_bridged_and_back(False, True,
713 def test_0112_ip6_irb_1(self):
714 """ ACL IPv6 bridged -> routed, L3 ACL permit+reflect"""
715 self.run_test_ip46_bridged_to_routed_and_back(False, True,
718 def test_0113_ip6_irb_1(self):
719 """ ACL IPv4 routed -> bridged, L3 ACL permit+reflect"""
720 self.run_test_ip46_routed_to_bridged_and_back(False, False,
723 def test_0114_ip6_irb_1(self):
724 """ ACL IPv4 bridged -> routed, L3 ACL permit+reflect"""
725 self.run_test_ip46_bridged_to_routed_and_back(False, False,
728 # A block of tests with extension headers
730 def test_1001_ip6_irb_1(self):
731 """ ACL IPv6+EH routed -> bridged, L2 ACL deny"""
732 self.run_test_ip46_routed_to_bridged(True, True, False,
735 def test_1002_ip6_irb_1(self):
736 """ ACL IPv6+EH routed -> bridged, L3 ACL deny"""
737 self.run_test_ip46_routed_to_bridged(False, True, False,
740 def test_1005_ip6_irb_1(self):
741 """ ACL IPv6+EH bridged -> routed, L2 ACL deny """
742 self.run_test_ip46_bridged_to_routed(True, True, False,
745 def test_1006_ip6_irb_1(self):
746 """ ACL IPv6+EH bridged -> routed, L3 ACL deny """
747 self.run_test_ip46_bridged_to_routed(False, True, False,
750 def test_1101_ip6_irb_1(self):
751 """ ACL IPv6+EH routed -> bridged, L2 ACL permit+reflect"""
752 self.run_test_ip46_routed_to_bridged_and_back(True, True,
755 def test_1102_ip6_irb_1(self):
756 """ ACL IPv6+EH bridged -> routed, L2 ACL permit+reflect"""
757 self.run_test_ip46_bridged_to_routed_and_back(True, True,
760 def test_1111_ip6_irb_1(self):
761 """ ACL IPv6+EH routed -> bridged, L3 ACL permit+reflect"""
762 self.run_test_ip46_routed_to_bridged_and_back(False, True,
765 def test_1112_ip6_irb_1(self):
766 """ ACL IPv6+EH bridged -> routed, L3 ACL permit+reflect"""
767 self.run_test_ip46_bridged_to_routed_and_back(False, True,
770 # IPv4 with "MF" bit set
772 def test_1201_ip6_irb_1(self):
773 """ ACL IPv4+MF routed -> bridged, L2 ACL deny"""
774 self.run_test_ip46_routed_to_bridged(True, False, False,
777 def test_1202_ip6_irb_1(self):
778 """ ACL IPv4+MF routed -> bridged, L3 ACL deny"""
779 self.run_test_ip46_routed_to_bridged(False, False, False,
782 def test_1205_ip6_irb_1(self):
783 """ ACL IPv4+MF bridged -> routed, L2 ACL deny """
784 self.run_test_ip46_bridged_to_routed(True, False, False,
787 def test_1206_ip6_irb_1(self):
788 """ ACL IPv4+MF bridged -> routed, L3 ACL deny """
789 self.run_test_ip46_bridged_to_routed(False, False, False,
792 def test_1301_ip6_irb_1(self):
793 """ ACL IPv4+MF routed -> bridged, L2 ACL permit+reflect"""
794 self.run_test_ip46_routed_to_bridged_and_back(True, False,
797 def test_1302_ip6_irb_1(self):
798 """ ACL IPv4+MF bridged -> routed, L2 ACL permit+reflect"""
799 self.run_test_ip46_bridged_to_routed_and_back(True, False,
802 def test_1311_ip6_irb_1(self):
803 """ ACL IPv4+MF routed -> bridged, L3 ACL permit+reflect"""
804 self.run_test_ip46_routed_to_bridged_and_back(False, False,
807 def test_1312_ip6_irb_1(self):
808 """ ACL IPv4+MF bridged -> routed, L3 ACL permit+reflect"""
809 self.run_test_ip46_bridged_to_routed_and_back(False, False,
811 # Stateful ACL tests with stateful ICMP
813 def test_1401_ip6_irb_1(self):
814 """ IPv6 routed -> bridged, L2 ACL permit+reflect, ICMP reflect"""
815 self.run_test_ip46_routed_to_bridged_and_back(True, True,
819 def test_1402_ip6_irb_1(self):
820 """ IPv6 bridged -> routed, L2 ACL permit+reflect, ICMP reflect"""
821 self.run_test_ip46_bridged_to_routed_and_back(True, True,
825 def test_1403_ip4_irb_1(self):
826 """ IPv4 routed -> bridged, L2 ACL permit+reflect, ICMP reflect"""
827 self.run_test_ip46_routed_to_bridged_and_back(True, False,
831 def test_1404_ip4_irb_1(self):
832 """ IPv4 bridged -> routed, L2 ACL permit+reflect, ICMP reflect"""
833 self.run_test_ip46_bridged_to_routed_and_back(True, False,
837 def test_1411_ip6_irb_1(self):
838 """ IPv6 routed -> bridged, L3 ACL permit+reflect, ICMP reflect"""
839 self.run_test_ip46_routed_to_bridged_and_back(False, True,
843 def test_1412_ip6_irb_1(self):
844 """ IPv6 bridged -> routed, L3 ACL permit+reflect, ICMP reflect"""
845 self.run_test_ip46_bridged_to_routed_and_back(False, True,
849 def test_1413_ip4_irb_1(self):
850 """ IPv4 routed -> bridged, L3 ACL permit+reflect, ICMP reflect"""
851 self.run_test_ip46_routed_to_bridged_and_back(False, False,
855 def test_1414_ip4_irb_1(self):
856 """ IPv4 bridged -> routed, L3 ACL permit+reflect, ICMP reflect"""
857 self.run_test_ip46_bridged_to_routed_and_back(False, False,
862 if __name__ == '__main__':
863 unittest.main(testRunner=VppTestRunner)