2 from __future__ import print_function
3 """ACL plugin - MACIP tests
8 from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
9 from struct import pack, unpack
12 from ipaddress import ip_network, IPv4Network, IPv6Network
15 from scapy.packet import Raw
16 from scapy.layers.l2 import Ether
17 from scapy.layers.inet import IP, UDP
18 from scapy.layers.inet6 import IPv6
20 from framework import VppTestCase, VppTestRunner, running_extended_tests
21 from vpp_lo_interface import VppLoInterface
22 from vpp_l2 import L2_PORT_TYPE
23 from vpp_sub_interface import L2_VTR_OP, VppSubInterface, VppDot1QSubint, \
25 from vpp_acl import AclRule, VppAcl, VppAclInterface, VppEtypeWhitelist, \
26 VppMacipAclInterface, VppMacipAcl, MacipRule
27 from vpp_papi import MACAddress
30 class MethodHolder(VppTestCase):
62 Perform standard class setup (defined by class method setUpClass in
63 class VppTestCase) before running the test case, set test case related
64 variables and configure VPP.
66 super(MethodHolder, cls).setUpClass()
68 cls.pg_if_packet_sizes = [64, 512, 1518, 9018] # packet sizes
70 cls.remote_hosts_count = 200
73 # create 4 pg interfaces, 1 loopback interface
74 cls.create_pg_interfaces(range(4))
75 cls.create_loopback_interfaces(1)
77 # create 2 subinterfaces
79 VppDot1QSubint(cls, cls.pg1, 10),
80 VppDot1ADSubint(cls, cls.pg2, 20, 300, 400),
81 VppDot1QSubint(cls, cls.pg3, 30),
82 VppDot1ADSubint(cls, cls.pg3, 40, 600, 700)]
84 cls.subifs[0].set_vtr(L2_VTR_OP.L2_POP_1,
86 cls.subifs[1].set_vtr(L2_VTR_OP.L2_POP_2,
87 outer=300, inner=400, push1q=1)
88 cls.subifs[2].set_vtr(L2_VTR_OP.L2_POP_1,
90 cls.subifs[3].set_vtr(L2_VTR_OP.L2_POP_2,
91 outer=600, inner=700, push1q=1)
93 cls.interfaces = list(cls.pg_interfaces)
94 cls.interfaces.extend(cls.lo_interfaces)
95 cls.interfaces.extend(cls.subifs)
97 for i in cls.interfaces:
100 # Create BD with MAC learning enabled and put interfaces to this BD
101 cls.vapi.sw_interface_set_l2_bridge(
102 rx_sw_if_index=cls.loop0.sw_if_index, bd_id=cls.bd_id,
103 port_type=L2_PORT_TYPE.BVI)
104 cls.vapi.sw_interface_set_l2_bridge(
105 rx_sw_if_index=cls.pg0.sw_if_index, bd_id=cls.bd_id)
106 cls.vapi.sw_interface_set_l2_bridge(
107 rx_sw_if_index=cls.pg1.sw_if_index, bd_id=cls.bd_id)
108 cls.vapi.sw_interface_set_l2_bridge(
109 rx_sw_if_index=cls.subifs[0].sw_if_index, bd_id=cls.bd_id)
110 cls.vapi.sw_interface_set_l2_bridge(
111 rx_sw_if_index=cls.subifs[1].sw_if_index, bd_id=cls.bd_id)
113 # Configure IPv4/6 addresses on loop interface and routed interface
114 cls.loop0.config_ip4()
115 cls.loop0.config_ip6()
121 # Configure MAC address binding to IPv4 neighbors on loop0
122 cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
123 # Modify host mac addresses to have different OUI parts
124 for i in range(2, cls.remote_hosts_count + 2):
125 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
126 mac[2] = format(int(mac[2], 16) + i, "02x")
127 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
129 cls.loop0.configure_ipv4_neighbors()
130 cls.loop0.configure_ipv6_neighbors()
132 # configure MAC address on pg3
133 cls.pg3.resolve_arp()
134 cls.pg3.resolve_ndp()
136 # configure MAC address on subifs
142 # configure MAC address on pg2
143 cls.pg2.resolve_arp()
144 cls.pg2.resolve_ndp()
146 # Loopback BVI interface has remote hosts
147 # one half of hosts are behind pg0 second behind pg1,pg2,pg3 subifs
148 cls.pg0.remote_hosts = cls.loop0.remote_hosts[:100]
149 cls.subifs[0].remote_hosts = cls.loop0.remote_hosts[100:125]
150 cls.subifs[1].remote_hosts = cls.loop0.remote_hosts[125:150]
151 cls.subifs[2].remote_hosts = cls.loop0.remote_hosts[150:175]
152 cls.subifs[3].remote_hosts = cls.loop0.remote_hosts[175:]
155 super(MethodHolder, cls).tearDownClass()
159 def tearDownClass(cls):
160 super(MethodHolder, cls).tearDownClass()
163 super(MethodHolder, self).setUp()
164 self.reset_packet_infos()
166 def show_commands_at_teardown(self):
167 self.logger.info(self.vapi.ppcli("show interface address"))
168 self.logger.info(self.vapi.ppcli("show hardware"))
169 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
170 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
171 self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
172 self.logger.info(self.vapi.ppcli("sh acl-plugin acl"))
173 self.logger.info(self.vapi.ppcli("sh acl-plugin interface"))
174 self.logger.info(self.vapi.ppcli("sh acl-plugin tables"))
175 # print(self.vapi.ppcli("show interface address"))
176 # print(self.vapi.ppcli("show hardware"))
177 # print(self.vapi.ppcli("sh acl-plugin macip interface"))
178 # print(self.vapi.ppcli("sh acl-plugin macip acl"))
180 def macip_acl_dump_debug(self):
181 acls = self.vapi.macip_acl_dump()
184 # print("ACL #"+str(acl.acl_index))
189 elif r.is_permit == 0:
192 print(" IP6" if r.is_ipv6 else " IP4",
194 binascii.hexlify(r.src_mac),
195 binascii.hexlify(r.src_mac_mask),
196 unpack('<16B', r.src_ip_addr),
201 def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
202 acl_count=1, rules_count=None):
204 if rules_count is None:
206 src_mac = int("220000dead00", 16)
207 for acl in range(2, (acl_count+1) * 2):
209 host = random.choice(self.loop0.remote_hosts)
211 ip4 = host.ip4.split('.')
212 ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
214 if ip_type == self.EXACT_IP:
217 elif ip_type == self.WILD_IP:
219 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
222 rules_count[int((acl / 2) - 1)] = 1
227 if mac_type == self.EXACT_MAC:
228 mask = "ff:ff:ff:ff:ff:ff"
229 elif mac_type == self.WILD_MAC:
230 mask = "00:00:00:00:00:00"
231 elif mac_type == self.OUI_MAC:
232 mask = "ff:ff:ff:00:00:00"
234 mask = "ff:ff:ff:ff:ff:00"
236 ip = ip6 if is_ip6 else ip4
237 ip_len = prefix_len6 if is_ip6 else prefix_len4
239 for i in range(0, (rules_count[int((acl / 2) - 1)])):
241 if mac_type == self.WILD_MAC:
242 mac = "00:00:00:00:00:00"
243 elif mac_type == self.OUI_MAC:
244 mac = ':'.join(re.findall('..', '{:02x}'.format(
245 src_mac))[:3])+":00:00:00"
247 mac = ':'.join(re.findall(
248 '..', '{:02x}'.format(src_mac)))
250 if ip_type == self.EXACT_IP:
251 ip4[3] = random.randint(100, 200)
252 ip6[15] = random.randint(100, 200)
253 elif ip_type == self.SUBNET_IP:
254 ip4[2] = random.randint(100, 200)
256 ip6[7] = random.randint(100, 200)
259 for j in range(0, len(ip)):
260 ip_pack += pack('<B', int(ip[j]))
262 rule = MacipRule(is_permit=self.PERMIT,
263 src_prefix=ip_network((ip_pack, ip_len)),
264 src_mac=MACAddress(mac).packed,
265 src_mac_mask=MACAddress(mask).packed)
267 if ip_type == self.WILD_IP:
271 src_mac += 1099511627776
274 def apply_macip_rules(self, acls):
277 macip_acl = VppMacipAcl(self, rules=acl)
278 macip_acl.add_vpp_config()
279 macip_acls.append(macip_acl)
282 def verify_macip_acls(self, acl_count, rules_count, expected_count=2):
283 reply = self.macip_acl_dump_debug()
284 for acl in range(2, (acl_count+1) * 2):
285 self.assertEqual(reply[acl - 2].count, rules_count[acl//2-1])
287 self.vapi.macip_acl_interface_get()
289 self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
290 self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
292 reply = self.vapi.macip_acl_interface_get()
293 self.assertEqual(reply.count, expected_count)
295 def create_stream(self, mac_type, ip_type, packet_count,
296 src_if, dst_if, traffic, is_ip6, tags=PERMIT_TAGS):
297 # exact MAC and exact IP
298 # exact MAC and subnet of IPs
299 # exact MAC and wildcard IP
300 # wildcard MAC and exact IP
301 # wildcard MAC and subnet of IPs
302 # wildcard MAC and wildcard IP
303 # OUI restricted MAC and exact IP
304 # OUI restricted MAC and subnet of IPs
305 # OUI restricted MAC and wildcard IP
313 mac_rule = "00:00:00:00:00:00"
314 mac_mask = "00:00:00:00:00:00"
315 for p in range(0, packet_count):
316 remote_dst_index = p % len(dst_if.remote_hosts)
317 remote_dst_host = dst_if.remote_hosts[remote_dst_index]
321 is_permit = self.PERMIT if p % 3 == 0 else self.DENY
322 denyMAC = True if not is_permit and p % 3 == 1 else False
323 denyIP = True if not is_permit and p % 3 == 2 else False
324 if not is_permit and ip_type == self.WILD_IP:
326 if not is_permit and mac_type == self.WILD_MAC:
329 if traffic == self.BRIDGED:
331 src_mac = remote_dst_host._mac
332 dst_mac = 'de:ad:00:00:00:00'
333 src_ip4 = remote_dst_host.ip4
334 dst_ip4 = src_if.remote_ip4
335 src_ip6 = remote_dst_host.ip6
336 dst_ip6 = src_if.remote_ip6
337 ip_permit = src_ip6 if is_ip6 else src_ip4
340 mac = src_mac.split(':')
341 mac[0] = format(int(mac[0], 16)+1, "02x")
342 src_mac = ":".join(mac)
348 if ip_type != self.WILD_IP:
350 src_ip4 = remote_dst_host.ip4
351 dst_ip4 = src_if.remote_ip4
352 src_ip6 = remote_dst_host.ip6
353 dst_ip6 = src_if.remote_ip6
356 src_mac = remote_dst_host._mac
357 dst_mac = src_if.local_mac
358 src_ip4 = src_if.remote_ip4
359 dst_ip4 = remote_dst_host.ip4
360 src_ip6 = src_if.remote_ip6
361 dst_ip6 = remote_dst_host.ip6
362 ip_permit = src_ip6 if is_ip6 else src_ip4
365 mac = src_mac.split(':')
366 mac[0] = format(int(mac[0], 16) + 1, "02x")
367 src_mac = ":".join(mac)
373 src_mac = remote_dst_host._mac
374 if ip_type != self.WILD_IP:
376 src_ip4 = remote_dst_host.ip4
377 dst_ip4 = src_if.remote_ip4
378 src_ip6 = remote_dst_host.ip6
379 dst_ip6 = src_if.remote_ip6
382 info = self.create_packet_info(src_if, dst_if)
383 payload = self.info_to_payload(info)
385 payload = "to be blocked"
387 if mac_type == self.WILD_MAC:
388 mac = src_mac.split(':')
389 for i in range(1, 5):
390 mac[i] = format(random.randint(0, 255), "02x")
391 src_mac = ":".join(mac)
394 packet = Ether(src=src_mac, dst=dst_mac)
395 ip_rule = src_ip6 if is_ip6 else src_ip4
397 if ip_type != self.EXACT_IP:
398 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
399 if ip_type == self.WILD_IP:
400 sub_ip[0] = random.randint(240, 254)
401 sub_ip[1] = random.randint(230, 239)
402 sub_ip[14] = random.randint(100, 199)
403 sub_ip[15] = random.randint(200, 255)
404 elif ip_type == self.SUBNET_IP:
406 sub_ip[2] = int(sub_ip[2]) + 1
407 sub_ip[14] = random.randint(100, 199)
408 sub_ip[15] = random.randint(200, 255)
409 packed_src_ip6 = b''.join(
410 [scapy.compat.chb(x) for x in sub_ip])
411 src_ip6 = inet_ntop(AF_INET6, packed_src_ip6)
412 packet /= IPv6(src=src_ip6, dst=dst_ip6)
414 if ip_type != self.EXACT_IP:
415 sub_ip = ip_rule.split('.')
416 if ip_type == self.WILD_IP:
417 sub_ip[0] = random.randint(1, 49)
418 sub_ip[1] = random.randint(50, 99)
419 sub_ip[2] = random.randint(100, 199)
420 sub_ip[3] = random.randint(200, 255)
421 elif ip_type == self.SUBNET_IP:
423 sub_ip[1] = int(sub_ip[1])+1
424 sub_ip[2] = random.randint(100, 199)
425 sub_ip[3] = random.randint(200, 255)
426 src_ip4 = '.'.join(['{!s}'.format(x) for x in sub_ip])
427 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
429 packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
431 packet[Raw].load += b" mac:%s" % src_mac.encode('utf-8')
433 size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
434 if isinstance(src_if, VppSubInterface):
436 if isinstance(src_if, VppDot1QSubint):
437 if src_if is self.subifs[0]:
438 if tags == self.PERMIT_TAGS:
439 packet = src_if.add_dot1q_layer(packet, 10)
441 packet = src_if.add_dot1q_layer(packet, 11)
443 if tags == self.PERMIT_TAGS:
444 packet = src_if.add_dot1q_layer(packet, 30)
446 packet = src_if.add_dot1q_layer(packet, 33)
447 elif isinstance(src_if, VppDot1ADSubint):
448 if src_if is self.subifs[1]:
449 if tags == self.PERMIT_TAGS:
450 packet = src_if.add_dot1ad_layer(packet, 300, 400)
452 packet = src_if.add_dot1ad_layer(packet, 333, 444)
454 if tags == self.PERMIT_TAGS:
455 packet = src_if.add_dot1ad_layer(packet, 600, 700)
457 packet = src_if.add_dot1ad_layer(packet, 666, 777)
458 self.extend_packet(packet, size)
459 packets.append(packet)
461 # create suitable MACIP rule
462 if mac_type == self.EXACT_MAC:
464 mac_mask = "ff:ff:ff:ff:ff:ff"
465 elif mac_type == self.WILD_MAC:
466 mac_rule = "00:00:00:00:00:00"
467 mac_mask = "00:00:00:00:00:00"
468 elif mac_type == self.OUI_MAC:
469 mac = src_mac.split(':')
470 mac[3] = mac[4] = mac[5] = '00'
471 mac_rule = ":".join(mac)
472 mac_mask = "ff:ff:ff:00:00:00"
475 if ip_type == self.WILD_IP:
479 if ip_type == self.SUBNET_IP:
480 sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
481 for i in range(8, 16):
483 packed_ip = b''.join(
484 [scapy.compat.chb(x) for x in sub_ip])
485 ip = inet_ntop(AF_INET6, packed_ip)
487 if ip_type == self.WILD_IP:
491 if ip_type == self.SUBNET_IP:
492 sub_ip = ip.split('.')
493 sub_ip[2] = sub_ip[3] = '0'
494 ip = ".".join(sub_ip)
496 prefix_len = 128 if is_ip6 else 32
497 if ip_type == self.WILD_IP:
499 elif ip_type == self.SUBNET_IP:
500 prefix_len = 64 if is_ip6 else 16
501 ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
503 # create suitable ACL rule
505 rule_l4_sport = packet[UDP].sport
506 rule_l4_dport = packet[UDP].dport
507 rule_family = AF_INET6 if packet.haslayer(IPv6) else AF_INET
508 rule_prefix_len = 128 if packet.haslayer(IPv6) else 32
509 rule_l3_layer = IPv6 if packet.haslayer(IPv6) else IP
510 if packet.haslayer(IPv6):
511 rule_l4_proto = packet[UDP].overload_fields[IPv6]['nh']
513 rule_l4_proto = packet[IP].proto
515 src_network = ip_network(
516 (packet[rule_l3_layer].src, rule_prefix_len))
517 dst_network = ip_network(
518 (packet[rule_l3_layer].dst, rule_prefix_len))
519 acl_rule = AclRule(is_permit=is_permit, proto=rule_l4_proto,
520 src_prefix=src_network,
521 dst_prefix=dst_network)
522 acl_rule.sport_from = rule_l4_sport
523 acl_rule.sport_to = rule_l4_sport
524 acl_rule.dport_from = rule_l4_dport
525 acl_rule.dport_to = rule_l4_dport
526 acl_rules.append(acl_rule)
528 if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
532 macip_rule = MacipRule(
534 src_prefix=ip_network(
535 (ip_rule, prefix_len)),
536 src_mac=MACAddress(mac_rule).packed,
537 src_mac_mask=MACAddress(mac_mask).packed)
538 macip_rules.append(macip_rule)
540 # deny all other packets
541 if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
542 network = IPv6Network((0, 0)) if is_ip6 else IPv4Network((0, 0))
543 macip_rule = MacipRule(
546 src_mac=MACAddress("00:00:00:00:00:00").packed,
547 src_mac_mask=MACAddress("00:00:00:00:00:00").packed)
548 macip_rules.append(macip_rule)
550 network = IPv6Network((0, 0)) if is_ip6 else IPv4Network((0, 0))
551 acl_rule = AclRule(is_permit=0, src_prefix=network, dst_prefix=network)
552 acl_rule.sport_from = 0
553 acl_rule.sport_to = 0
554 acl_rule.dport_from = 0
555 acl_rule.dport_to = 0
556 acl_rules.append(acl_rule)
557 return {'stream': packets,
558 'macip_rules': macip_rules,
559 'acl_rules': acl_rules}
561 def verify_capture(self, stream, capture, is_ip6):
568 # p_l3 = IPv6 if is_ip6 else IP
571 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst)
573 # acls = self.macip_acl_dump_debug()
578 # print(binascii.hexlify(r.src_mac), \
579 # binascii.hexlify(r.src_mac_mask),\
580 # unpack('<16B', r.src_ip_addr), \
581 # r.src_ip_prefix_len)
584 # print(p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
585 # data = p[Raw].load.split(':',1)[1])
586 # print(p[p_l3].src, data)
588 def run_traffic(self, mac_type, ip_type, traffic, is_ip6, packets,
589 do_not_expected_capture=False, tags=None,
590 apply_rules=True, isMACIP=True, permit_tags=PERMIT_TAGS,
592 self.reset_packet_infos()
595 tx_if = self.pg0 if traffic == self.BRIDGED else self.pg3
596 rx_if = self.pg3 if traffic == self.BRIDGED else self.pg0
600 if tags == self.DOT1Q:
601 if traffic == self.BRIDGED:
602 tx_if = self.subifs[0]
604 src_if = self.subifs[0]
607 tx_if = self.subifs[2]
609 src_if = self.subifs[2]
611 elif tags == self.DOT1AD:
612 if traffic == self.BRIDGED:
613 tx_if = self.subifs[1]
615 src_if = self.subifs[1]
618 tx_if = self.subifs[3]
620 src_if = self.subifs[3]
625 test_dict = self.create_stream(mac_type, ip_type, packets,
632 self.acl = VppMacipAcl(self, rules=test_dict['macip_rules'])
634 self.acl = VppAcl(self, rules=test_dict['acl_rules'])
635 self.acl.add_vpp_config()
638 self.acl_if = VppMacipAclInterface(
639 self, sw_if_index=tx_if.sw_if_index, acls=[self.acl])
640 self.acl_if.add_vpp_config()
642 dump = self.acl_if.dump()
643 self.assertTrue(dump)
644 self.assertEqual(dump[0].acls[0], self.acl.acl_index)
646 self.acl_if = VppAclInterface(
647 self, sw_if_index=tx_if.sw_if_index, n_input=1,
649 self.acl_if.add_vpp_config()
651 if hasattr(self, "acl_if"):
652 self.acl_if.remove_vpp_config()
653 if try_replace and hasattr(self, "acl"):
655 self.acl.rules = test_dict['macip_rules']
656 self.acl.add_vpp_config()
658 self.acl.rules = test_dict['acl_rules']
659 self.acl.add_vpp_config()
661 if not isinstance(src_if, VppSubInterface):
662 tx_if.add_stream(test_dict['stream'])
664 tx_if.parent.add_stream(test_dict['stream'])
665 self.pg_enable_capture(self.pg_interfaces)
668 if do_not_expected_capture:
671 if traffic == self.BRIDGED and mac_type == self.WILD_MAC and \
672 ip_type == self.WILD_IP:
673 capture = rx_if.get_capture(packets)
675 capture = rx_if.get_capture(
676 self.get_packet_count_for_if_idx(dst_if.sw_if_index))
677 self.verify_capture(test_dict['stream'], capture, is_ip6)
679 if hasattr(self, "acl_if"):
680 self.acl_if.remove_vpp_config()
681 if hasattr(self, "acl"):
682 self.acl.remove_vpp_config()
684 def run_test_acls(self, mac_type, ip_type, acl_count,
685 rules_count, traffic=None, ip=None):
686 self.apply_macip_rules(self.create_rules(mac_type, ip_type, acl_count,
688 self.verify_macip_acls(acl_count, rules_count)
690 if traffic is not None:
691 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
694 class TestMACIP_IP4(MethodHolder):
695 """MACIP with IP4 traffic"""
699 super(TestMACIP_IP4, cls).setUpClass()
702 def tearDownClass(cls):
703 super(TestMACIP_IP4, cls).tearDownClass()
705 def test_acl_bridged_ip4_exactMAC_exactIP(self):
706 """ IP4 MACIP exactMAC|exactIP ACL bridged traffic
708 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
709 self.BRIDGED, self.IS_IP4, 9)
711 def test_acl_bridged_ip4_exactMAC_subnetIP(self):
712 """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic
715 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
716 self.BRIDGED, self.IS_IP4, 9)
718 def test_acl_bridged_ip4_exactMAC_wildIP(self):
719 """ IP4 MACIP exactMAC|wildIP ACL bridged traffic
722 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
723 self.BRIDGED, self.IS_IP4, 9)
725 def test_acl_bridged_ip4_ouiMAC_exactIP(self):
726 """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic
729 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
730 self.BRIDGED, self.IS_IP4, 3)
732 def test_acl_bridged_ip4_ouiMAC_subnetIP(self):
733 """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic
736 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
737 self.BRIDGED, self.IS_IP4, 9)
739 def test_acl_bridged_ip4_ouiMAC_wildIP(self):
740 """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic
743 self.run_traffic(self.OUI_MAC, self.WILD_IP,
744 self.BRIDGED, self.IS_IP4, 9)
746 def test_ac_bridgedl_ip4_wildMAC_exactIP(self):
747 """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic
750 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
751 self.BRIDGED, self.IS_IP4, 9)
753 def test_acl_bridged_ip4_wildMAC_subnetIP(self):
754 """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic
757 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
758 self.BRIDGED, self.IS_IP4, 9)
760 def test_acl_bridged_ip4_wildMAC_wildIP(self):
761 """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic
764 self.run_traffic(self.WILD_MAC, self.WILD_IP,
765 self.BRIDGED, self.IS_IP4, 9)
767 def test_acl_routed_ip4_exactMAC_exactIP(self):
768 """ IP4 MACIP exactMAC|exactIP ACL routed traffic
770 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
771 self.ROUTED, self.IS_IP4, 9)
773 def test_acl_routed_ip4_exactMAC_subnetIP(self):
774 """ IP4 MACIP exactMAC|subnetIP ACL routed traffic
776 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
777 self.ROUTED, self.IS_IP4, 9)
779 def test_acl_routed_ip4_exactMAC_wildIP(self):
780 """ IP4 MACIP exactMAC|wildIP ACL routed traffic
782 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
783 self.ROUTED, self.IS_IP4, 9)
785 def test_acl_routed_ip4_ouiMAC_exactIP(self):
786 """ IP4 MACIP ouiMAC|exactIP ACL routed traffic
789 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
790 self.ROUTED, self.IS_IP4, 9)
792 def test_acl_routed_ip4_ouiMAC_subnetIP(self):
793 """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic
796 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
797 self.ROUTED, self.IS_IP4, 9)
799 def test_acl_routed_ip4_ouiMAC_wildIP(self):
800 """ IP4 MACIP ouiMAC|wildIP ACL routed traffic
803 self.run_traffic(self.OUI_MAC, self.WILD_IP,
804 self.ROUTED, self.IS_IP4, 9)
806 def test_acl_routed_ip4_wildMAC_exactIP(self):
807 """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic
810 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
811 self.ROUTED, self.IS_IP4, 9)
813 def test_acl_routed_ip4_wildMAC_subnetIP(self):
814 """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic
817 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
818 self.ROUTED, self.IS_IP4, 9)
820 def test_acl_routed_ip4_wildMAC_wildIP(self):
821 """ IP4 MACIP wildcardMAC|wildIP ACL
824 self.run_traffic(self.WILD_MAC, self.WILD_IP,
825 self.ROUTED, self.IS_IP4, 9)
827 def test_acl_replace_traffic_ip4(self):
828 """ MACIP replace ACL with IP4 traffic
830 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
831 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
832 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
833 self.BRIDGED, self.IS_IP4, 9, try_replace=True)
836 class TestMACIP_IP6(MethodHolder):
837 """MACIP with IP6 traffic"""
841 super(TestMACIP_IP6, cls).setUpClass()
844 def tearDownClass(cls):
845 super(TestMACIP_IP6, cls).tearDownClass()
847 def test_acl_bridged_ip6_exactMAC_exactIP(self):
848 """ IP6 MACIP exactMAC|exactIP ACL bridged traffic
851 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
852 self.BRIDGED, self.IS_IP6, 9)
854 def test_acl_bridged_ip6_exactMAC_subnetIP(self):
855 """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic
858 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
859 self.BRIDGED, self.IS_IP6, 9)
861 def test_acl_bridged_ip6_exactMAC_wildIP(self):
862 """ IP6 MACIP exactMAC|wildIP ACL bridged traffic
865 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
866 self.BRIDGED, self.IS_IP6, 9)
868 def test_acl_bridged_ip6_ouiMAC_exactIP(self):
869 """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic
872 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
873 self.BRIDGED, self.IS_IP6, 9)
875 def test_acl_bridged_ip6_ouiMAC_subnetIP(self):
876 """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic
879 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
880 self.BRIDGED, self.IS_IP6, 9)
882 def test_acl_bridged_ip6_ouiMAC_wildIP(self):
883 """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic
886 self.run_traffic(self.OUI_MAC, self.WILD_IP,
887 self.BRIDGED, self.IS_IP6, 9)
889 def test_acl_bridged_ip6_wildMAC_exactIP(self):
890 """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic
893 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
894 self.BRIDGED, self.IS_IP6, 9)
896 def test_acl_bridged_ip6_wildMAC_subnetIP(self):
897 """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic
900 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
901 self.BRIDGED, self.IS_IP6, 9)
903 def test_acl_bridged_ip6_wildMAC_wildIP(self):
904 """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic
907 self.run_traffic(self.WILD_MAC, self.WILD_IP,
908 self.BRIDGED, self.IS_IP6, 9)
910 def test_acl_routed_ip6_exactMAC_exactIP(self):
911 """ IP6 MACIP exactMAC|exactIP ACL routed traffic
914 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
915 self.ROUTED, self.IS_IP6, 9)
917 def test_acl_routed_ip6_exactMAC_subnetIP(self):
918 """ IP6 MACIP exactMAC|subnetIP ACL routed traffic
921 self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
922 self.ROUTED, self.IS_IP6, 9)
924 def test_acl_routed_ip6_exactMAC_wildIP(self):
925 """ IP6 MACIP exactMAC|wildIP ACL routed traffic
928 self.run_traffic(self.EXACT_MAC, self.WILD_IP,
929 self.ROUTED, self.IS_IP6, 9)
931 def test_acl_routed_ip6_ouiMAC_exactIP(self):
932 """ IP6 MACIP ouiMAC|exactIP ACL routed traffic
935 self.run_traffic(self.OUI_MAC, self.EXACT_IP,
936 self.ROUTED, self.IS_IP6, 9)
938 def test_acl_routed_ip6_ouiMAC_subnetIP(self):
939 """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic
942 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
943 self.ROUTED, self.IS_IP6, 9)
945 def test_acl_routed_ip6_ouiMAC_wildIP(self):
946 """ IP6 MACIP ouiMAC|wildIP ACL routed traffic
949 self.run_traffic(self.OUI_MAC, self.WILD_IP,
950 self.ROUTED, self.IS_IP6, 9)
952 def test_acl_routed_ip6_wildMAC_exactIP(self):
953 """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic
956 self.run_traffic(self.WILD_MAC, self.EXACT_IP,
957 self.ROUTED, self.IS_IP6, 9)
959 def test_acl_routed_ip6_wildMAC_subnetIP(self):
960 """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic
963 self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
964 self.ROUTED, self.IS_IP6, 9)
966 def test_acl_routed_ip6_wildMAC_wildIP(self):
967 """ IP6 MACIP wildcardMAC|wildIP ACL
970 self.run_traffic(self.WILD_MAC, self.WILD_IP,
971 self.ROUTED, self.IS_IP6, 9)
973 def test_acl_replace_traffic_ip6(self):
974 """ MACIP replace ACL with IP6 traffic
976 self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
977 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
978 self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
979 self.BRIDGED, self.IS_IP6, 9, try_replace=True)
982 class TestMACIP(MethodHolder):
987 super(TestMACIP, cls).setUpClass()
990 def tearDownClass(cls):
991 super(TestMACIP, cls).tearDownClass()
993 def test_acl_1_2(self):
994 """ MACIP ACL with 2 entries
997 self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
999 def test_acl_1_5(self):
1000 """ MACIP ACL with 5 entries
1003 self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
1005 def test_acl_1_10(self):
1006 """ MACIP ACL with 10 entries
1009 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
1011 def test_acl_1_20(self):
1012 """ MACIP ACL with 20 entries
1015 self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
1017 def test_acl_1_50(self):
1018 """ MACIP ACL with 50 entries
1021 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
1023 def test_acl_1_100(self):
1024 """ MACIP ACL with 100 entries
1027 self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
1029 def test_acl_2_X(self):
1030 """ MACIP 2 ACLs each with 100+ entries
1033 self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
1035 def test_acl_10_X(self):
1036 """ MACIP 10 ACLs each with 100+ entries
1039 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1040 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
1042 def test_acl_10_X_traffic_ip4(self):
1043 """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
1046 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1047 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1048 self.BRIDGED, self.IS_IP4)
1050 def test_acl_10_X_traffic_ip6(self):
1051 """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
1054 self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
1055 [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
1056 self.BRIDGED, self.IS_IP6)
1058 def test_acl_replace(self):
1059 """ MACIP replace ACL
1062 r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
1063 r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
1064 macip_acls = self.apply_macip_rules(r1)
1066 acls_before = self.macip_acl_dump_debug()
1068 # replace acls #2, #3 with new
1069 macip_acls[2].rules = r2[0]
1070 macip_acls[2].add_vpp_config()
1071 macip_acls[3].rules = r2[1]
1072 macip_acls[3].add_vpp_config()
1074 acls_after = self.macip_acl_dump_debug()
1077 self.assertEqual(len(acls_before), len(acls_after))
1078 for acl1, acl2 in zip(
1079 acls_before[:2]+acls_before[4:],
1080 acls_after[:2]+acls_after[4:]):
1081 self.assertEqual(len(acl1), len(acl2))
1083 self.assertEqual(len(acl1.r), len(acl2.r))
1084 for r1, r2 in zip(acl1.r, acl2.r):
1085 self.assertEqual(len(acl1.r), len(acl2.r))
1086 self.assertEqual(acl1.r, acl2.r)
1087 for acl1, acl2 in zip(
1090 self.assertEqual(len(acl1), len(acl2))
1092 self.assertNotEqual(len(acl1.r), len(acl2.r))
1093 for r1, r2 in zip(acl1.r, acl2.r):
1094 self.assertNotEqual(len(acl1.r), len(acl2.r))
1095 self.assertNotEqual(acl1.r, acl2.r)
1097 def test_delete_intf(self):
1098 """ MACIP ACL delete intf with acl
1101 intf_count = len(self.interfaces)+1
1103 macip_alcs = self.apply_macip_rules(
1104 self.create_rules(acl_count=3, rules_count=[3, 5, 4]))
1106 intf.append(VppLoInterface(self))
1107 intf.append(VppLoInterface(self))
1109 sw_if_index0 = intf[0].sw_if_index
1110 macip_acl_if0 = VppMacipAclInterface(
1111 self, sw_if_index=sw_if_index0, acls=[macip_alcs[1]])
1112 macip_acl_if0.add_vpp_config()
1114 reply = self.vapi.macip_acl_interface_get()
1115 self.assertEqual(reply.count, intf_count+1)
1116 self.assertEqual(reply.acls[sw_if_index0], 1)
1118 sw_if_index1 = intf[1].sw_if_index
1119 macip_acl_if1 = VppMacipAclInterface(
1120 self, sw_if_index=sw_if_index1, acls=[macip_alcs[0]])
1121 macip_acl_if1.add_vpp_config()
1123 reply = self.vapi.macip_acl_interface_get()
1124 self.assertEqual(reply.count, intf_count+2)
1125 self.assertEqual(reply.acls[sw_if_index1], 0)
1127 intf[0].remove_vpp_config()
1128 reply = self.vapi.macip_acl_interface_get()
1129 self.assertEqual(reply.count, intf_count+2)
1130 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1131 self.assertEqual(reply.acls[sw_if_index1], 0)
1133 intf.append(VppLoInterface(self))
1134 intf.append(VppLoInterface(self))
1135 sw_if_index2 = intf[2].sw_if_index
1136 sw_if_index3 = intf[3].sw_if_index
1137 macip_acl_if2 = VppMacipAclInterface(
1138 self, sw_if_index=sw_if_index2, acls=[macip_alcs[1]])
1139 macip_acl_if2.add_vpp_config()
1140 macip_acl_if3 = VppMacipAclInterface(
1141 self, sw_if_index=sw_if_index3, acls=[macip_alcs[1]])
1142 macip_acl_if3.add_vpp_config()
1144 reply = self.vapi.macip_acl_interface_get()
1145 self.assertEqual(reply.count, intf_count+3)
1146 self.assertEqual(reply.acls[sw_if_index1], 0)
1147 self.assertEqual(reply.acls[sw_if_index2], 1)
1148 self.assertEqual(reply.acls[sw_if_index3], 1)
1149 self.logger.info("MACIP ACL on multiple interfaces:")
1150 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
1151 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1234"))
1152 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 1"))
1153 self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl index 0"))
1154 self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
1156 intf[2].remove_vpp_config()
1157 intf[1].remove_vpp_config()
1159 reply = self.vapi.macip_acl_interface_get()
1160 self.assertEqual(reply.count, intf_count+3)
1161 self.assertEqual(reply.acls[sw_if_index0], 4294967295)
1162 self.assertEqual(reply.acls[sw_if_index1], 4294967295)
1163 self.assertEqual(reply.acls[sw_if_index2], 4294967295)
1164 self.assertEqual(reply.acls[sw_if_index3], 1)
1166 intf[3].remove_vpp_config()
1167 reply = self.vapi.macip_acl_interface_get()
1169 self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
1172 class TestACL_dot1q_bridged(MethodHolder):
1173 """ACL on dot1q bridged subinterfaces Tests"""
1176 def setUpClass(cls):
1177 super(TestACL_dot1q_bridged, cls).setUpClass()
1180 def tearDownClass(cls):
1181 super(TestACL_dot1q_bridged, cls).tearDownClass()
1183 def test_acl_bridged_ip4_subif_dot1q(self):
1184 """ IP4 ACL SubIf Dot1Q bridged traffic"""
1185 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1186 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1188 def test_acl_bridged_ip6_subif_dot1q(self):
1189 """ IP6 ACL SubIf Dot1Q bridged traffic"""
1190 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1191 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1194 class TestACL_dot1ad_bridged(MethodHolder):
1195 """ACL on dot1ad bridged subinterfaces Tests"""
1198 def setUpClass(cls):
1199 super(TestACL_dot1ad_bridged, cls).setUpClass()
1202 def tearDownClass(cls):
1203 super(TestACL_dot1ad_bridged, cls).tearDownClass()
1205 def test_acl_bridged_ip4_subif_dot1ad(self):
1206 """ IP4 ACL SubIf Dot1AD bridged traffic"""
1207 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1208 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1210 def test_acl_bridged_ip6_subif_dot1ad(self):
1211 """ IP6 ACL SubIf Dot1AD bridged traffic"""
1212 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED,
1213 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1216 class TestACL_dot1q_routed(MethodHolder):
1217 """ACL on dot1q routed subinterfaces Tests"""
1220 def setUpClass(cls):
1221 super(TestACL_dot1q_routed, cls).setUpClass()
1224 def tearDownClass(cls):
1225 super(TestACL_dot1q_routed, cls).tearDownClass()
1227 def test_acl_routed_ip4_subif_dot1q(self):
1228 """ IP4 ACL SubIf Dot1Q routed traffic"""
1229 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1230 self.IS_IP4, 9, tags=self.DOT1Q, isMACIP=False)
1232 def test_acl_routed_ip6_subif_dot1q(self):
1233 """ IP6 ACL SubIf Dot1Q routed traffic"""
1234 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1235 self.IS_IP6, 9, tags=self.DOT1Q, isMACIP=False)
1237 def test_acl_routed_ip4_subif_dot1q_deny_by_tags(self):
1238 """ IP4 ACL SubIf wrong tags Dot1Q routed traffic"""
1239 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1240 self.IS_IP4, 9, True, tags=self.DOT1Q, isMACIP=False,
1241 permit_tags=self.DENY_TAGS)
1243 def test_acl_routed_ip6_subif_dot1q_deny_by_tags(self):
1244 """ IP6 ACL SubIf wrong tags Dot1Q routed traffic"""
1245 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1246 self.IS_IP6, 9, True, tags=self.DOT1Q, isMACIP=False,
1247 permit_tags=self.DENY_TAGS)
1250 class TestACL_dot1ad_routed(MethodHolder):
1251 """ACL on dot1ad routed subinterfaces Tests"""
1254 def setUpClass(cls):
1255 super(TestACL_dot1ad_routed, cls).setUpClass()
1258 def tearDownClass(cls):
1259 super(TestACL_dot1ad_routed, cls).tearDownClass()
1261 def test_acl_routed_ip6_subif_dot1ad(self):
1262 """ IP6 ACL SubIf Dot1AD routed traffic"""
1263 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1264 self.IS_IP6, 9, tags=self.DOT1AD, isMACIP=False)
1266 def test_acl_routed_ip4_subif_dot1ad(self):
1267 """ IP4 ACL SubIf Dot1AD routed traffic"""
1268 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1269 self.IS_IP4, 9, tags=self.DOT1AD, isMACIP=False)
1271 def test_acl_routed_ip6_subif_dot1ad_deny_by_tags(self):
1272 """ IP6 ACL SubIf wrong tags Dot1AD routed traffic"""
1273 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1274 self.IS_IP6, 9, True, tags=self.DOT1AD, isMACIP=False,
1275 permit_tags=self.DENY_TAGS)
1277 def test_acl_routed_ip4_subif_dot1ad_deny_by_tags(self):
1278 """ IP4 ACL SubIf wrong tags Dot1AD routed traffic"""
1279 self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.ROUTED,
1280 self.IS_IP4, 9, True, tags=self.DOT1AD, isMACIP=False,
1281 permit_tags=self.DENY_TAGS)
1284 if __name__ == '__main__':
1285 unittest.main(testRunner=VppTestRunner)