test/test_acl_plugin_macip.py

   1 #!/usr/bin/env python
   2 """ACL plugin - MACIP tests
   3 """
   4 import random
   5 import re
   6 import unittest
   7
   8 from socket import inet_ntop, inet_pton, AF_INET, AF_INET6
   9 from struct import *
  10 from scapy.packet import Raw
  11 from scapy.layers.l2 import Ether
  12 from scapy.layers.inet import IP, UDP, TCP
  13 from scapy.layers.inet6 import IPv6
  14
  15 from framework import VppTestCase, VppTestRunner, running_extended_tests
  16 from vpp_lo_interface import VppLoInterface
  17
  18
  19 class TestMACIP(VppTestCase):
  20     """MACIP Test Case"""
  21
  22     DEBUG = False
  23
  24     BRIDGED = True
  25     ROUTED = False
  26
  27     IS_IP4 = False
  28     IS_IP6 = True
  29
  30     # rule types
  31     DENY = 0
  32     PERMIT = 1
  33
  34     # ACL types
  35     EXACT_IP = 1
  36     SUBNET_IP = 2
  37     WILD_IP = 3
  38
  39     EXACT_MAC = 1
  40     WILD_MAC = 2
  41     OUI_MAC = 3
  42
  43     ACLS = []
  44
  45     @classmethod
  46     def setUpClass(cls):
  47         """
  48         Perform standard class setup (defined by class method setUpClass in
  49         class VppTestCase) before running the test case, set test case related
  50         variables and configure VPP.
  51         """
  52         super(TestMACIP, cls).setUpClass()
  53
  54         cls.pg_if_packet_sizes = [64, 512, 1518, 9018]  # packet sizes
  55         cls.bd_id = 10
  56         cls.remote_hosts_count = 250
  57
  58         try:
  59             # create 3 pg interfaces, 1 loopback interface
  60             cls.create_pg_interfaces(range(3))
  61             cls.create_loopback_interfaces(range(1))
  62
  63             cls.interfaces = list(cls.pg_interfaces)
  64             cls.interfaces.extend(cls.lo_interfaces)
  65
  66             for i in cls.interfaces:
  67                 i.admin_up()
  68
  69             # Create BD with MAC learning enabled and put interfaces to this BD
  70             cls.vapi.sw_interface_set_l2_bridge(
  71                 cls.loop0.sw_if_index, bd_id=cls.bd_id, bvi=1)
  72             cls.vapi.sw_interface_set_l2_bridge(
  73                 cls.pg0.sw_if_index, bd_id=cls.bd_id)
  74             cls.vapi.sw_interface_set_l2_bridge(
  75                 cls.pg1.sw_if_index, bd_id=cls.bd_id)
  76
  77             # Configure IPv4 addresses on loop interface and routed interface
  78             cls.loop0.config_ip4()
  79             cls.loop0.config_ip6()
  80             cls.pg2.config_ip4()
  81             cls.pg2.config_ip6()
  82
  83             # Configure MAC address binding to IPv4 neighbors on loop0
  84             cls.loop0.generate_remote_hosts(cls.remote_hosts_count)
  85             # Modify host mac addresses to have different OUI parts
  86             for i in range(2, cls.remote_hosts_count + 2):
  87                 mac = cls.loop0.remote_hosts[i-2]._mac.split(':')
  88                 mac[2] = format(int(mac[2], 16) + i, "02x")
  89                 cls.loop0.remote_hosts[i - 2]._mac = ":".join(mac)
  90
  91             cls.loop0.configure_ipv4_neighbors()
  92             cls.loop0.configure_ipv6_neighbors()
  93             # configure MAC address on pg2
  94             cls.pg2.resolve_arp()
  95             cls.pg2.resolve_ndp()
  96
  97             # Loopback BVI interface has remote hosts
  98             # one half of hosts are behind pg0 second behind pg1
  99             half = cls.remote_hosts_count // 2
 100             cls.pg0.remote_hosts = cls.loop0.remote_hosts[:half]
 101             cls.pg1.remote_hosts = cls.loop0.remote_hosts[half:]
 102
 103         except Exception:
 104             super(TestMACIP, cls).tearDownClass()
 105             raise
 106
 107     def setUp(self):
 108         super(TestMACIP, self).setUp()
 109         self.reset_packet_infos()
 110         del self.ACLS[:]
 111
 112     def tearDown(self):
 113         """
 114         Show various debug prints after each test.
 115         """
 116         super(TestMACIP, self).tearDown()
 117         if not self.vpp_dead:
 118             self.logger.info(self.vapi.ppcli("show interface address"))
 119             self.logger.info(self.vapi.ppcli("show hardware"))
 120             self.logger.info(self.vapi.ppcli("sh acl-plugin macip acl"))
 121             self.logger.info(self.vapi.ppcli("sh acl-plugin macip interface"))
 122             self.logger.info(self.vapi.ppcli("sh classify tables verbose"))
 123             # print self.vapi.ppcli("show interface address")
 124             # print self.vapi.ppcli("show hardware")
 125             # print self.vapi.ppcli("sh acl-plugin macip interface")
 126             # print self.vapi.ppcli("sh acl-plugin macip acl")
 127         self.delete_acls()
 128
 129     def macip_acl_dump_debug(self):
 130         acls = self.vapi.macip_acl_dump()
 131         if self.DEBUG:
 132             for acl in acls:
 133                 print "ACL #"+str(acl.acl_index)
 134                 for r in acl.r:
 135                     rule = "ACTION"
 136                     if r.is_permit == 1:
 137                         rule = "PERMIT"
 138                     elif r.is_permit == 0:
 139                         rule = "DENY  "
 140                     print "    IP6" if r.is_ipv6 else "    IP4", \
 141                           rule, \
 142                           r.src_mac.encode('hex'), \
 143                           r.src_mac_mask.encode('hex'),\
 144                           unpack('<16B', r.src_ip_addr), \
 145                           r.src_ip_prefix_len
 146         return acls
 147
 148     def create_rules(self, mac_type=EXACT_MAC, ip_type=EXACT_IP,
 149                      acl_count=1, rules_count=[1]):
 150         acls = []
 151         src_mac = int("220000dead00", 16)
 152         for acl in range(2, (acl_count+1) * 2):
 153             rules = []
 154             host = random.choice(self.loop0.remote_hosts)
 155             is_ip6 = acl % 2
 156             ip4 = host.ip4.split('.')
 157             ip6 = list(unpack('<16B', inet_pton(AF_INET6, host.ip6)))
 158
 159             if ip_type == self.EXACT_IP:
 160                 prefix_len4 = 32
 161                 prefix_len6 = 128
 162             elif ip_type == self.WILD_IP:
 163                 ip4 = [0, 0, 0, 0]
 164                 ip6 = [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]
 165                 prefix_len4 = 0
 166                 prefix_len6 = 0
 167                 rules_count[(acl / 2) - 1] = 1
 168             else:
 169                 prefix_len4 = 24
 170                 prefix_len6 = 64
 171
 172             if mac_type == self.EXACT_MAC:
 173                 mask = "ff:ff:ff:ff:ff:ff"
 174             elif mac_type == self.WILD_MAC:
 175                 mask = "00:00:00:00:00:00"
 176             elif mac_type == self.OUI_MAC:
 177                 mask = "ff:ff:ff:00:00:00"
 178             else:
 179                 mask = "ff:ff:ff:ff:ff:00"
 180
 181             ip = ip6 if is_ip6 else ip4
 182             ip_len = prefix_len6 if is_ip6 else prefix_len4
 183
 184             for i in range(0, rules_count[(acl / 2) - 1]):
 185                 src_mac += 16777217
 186                 if mac_type == self.WILD_MAC:
 187                     mac = "00:00:00:00:00:00"
 188                 elif mac_type == self.OUI_MAC:
 189                     mac = ':'.join(re.findall('..', '{:02x}'.format(
 190                         src_mac))[:3])+":00:00:00"
 191                 else:
 192                     mac = ':'.join(re.findall('..', '{:02x}'.format(src_mac)))
 193
 194                 if ip_type == self.EXACT_IP:
 195                     ip4[3] = random.randint(100, 200)
 196                     ip6[15] = random.randint(100, 200)
 197                 elif ip_type == self.SUBNET_IP:
 198                     ip4[2] = random.randint(100, 200)
 199                     ip4[3] = 0
 200                     ip6[8] = random.randint(100, 200)
 201                     ip6[15] = 0
 202                 ip_pack = ''
 203                 for j in range(0, len(ip)):
 204                     ip_pack += pack('<B', int(ip[j]))
 205
 206                 rule = ({'is_permit': self.PERMIT,
 207                          'is_ipv6': is_ip6,
 208                          'src_ip_addr': ip_pack,
 209                          'src_ip_prefix_len': ip_len,
 210                          'src_mac': mac.replace(':', '').decode('hex'),
 211                          'src_mac_mask': mask.replace(':', '').decode('hex')})
 212                 rules.append(rule)
 213                 if ip_type == self.WILD_IP:
 214                     break
 215
 216             acls.append(rules)
 217             src_mac += 1099511627776
 218         return acls
 219
 220     def apply_rules(self, acls):
 221         for acl in acls:
 222             reply = self.vapi.macip_acl_add(acl)
 223             self.assertEqual(reply.retval, 0)
 224             self.ACLS.append(reply.acl_index)
 225
 226     def verify_acls(self, acl_count, rules_count, expected_count=2):
 227         reply = self.macip_acl_dump_debug()
 228         for acl in range(2, (acl_count+1) * 2):
 229             self.assertEqual(reply[acl - 2].count, rules_count[acl/2-1])
 230
 231         self.vapi.macip_acl_interface_get()
 232
 233         self.vapi.macip_acl_interface_add_del(sw_if_index=0, acl_index=0)
 234         self.vapi.macip_acl_interface_add_del(sw_if_index=1, acl_index=1)
 235
 236         reply = self.vapi.macip_acl_interface_get()
 237         self.assertEqual(reply.count, expected_count)
 238
 239     def delete_acls(self):
 240         for acl in range(len(self.ACLS)-1, -1, -1):
 241             self.vapi.macip_acl_del(self.ACLS[acl])
 242
 243         reply = self.vapi.macip_acl_dump()
 244         self.assertEqual(len(reply), 0)
 245
 246     def create_stream(self, mac_type, ip_type, packet_count,
 247                       src_ip_if, dst_ip_if, bridged_routed, is_ip6):
 248         # exact MAC and exact IP
 249         # exact MAC and subnet of IPs
 250         # exact MAC and wildcard IP
 251         # wildcard MAC and exact IP
 252         # wildcard MAC and subnet of IPs
 253         # wildcard MAC and wildcard IP
 254         # OUI restricted MAC and exact IP
 255         # OUI restricted MAC and subnet of IPs
 256         # OUI restricted MAC and wildcard IP
 257
 258         packets = []
 259         rules = []
 260         ip_permit = ""
 261         mac_permit = ""
 262         dst_mac = ""
 263         mac_rule = "00:00:00:00:00:00"
 264         mac_mask = "00:00:00:00:00:00"
 265         for p in range(0, packet_count):
 266             remote_dst_index = p % len(dst_ip_if.remote_hosts)
 267             remote_dst_host = dst_ip_if.remote_hosts[remote_dst_index]
 268
 269             dst_port = 1234 + p
 270             src_port = 4321 + p
 271             is_permit = self.PERMIT if p % 3 == 0 else self.DENY
 272             denyMAC = True if not is_permit and p % 3 == 1 else False
 273             denyIP = True if not is_permit and p % 3 == 2 else False
 274             if not is_permit and ip_type == self.WILD_IP:
 275                 denyMAC = True
 276             if not is_permit and mac_type == self.WILD_MAC:
 277                 denyIP = True
 278             if bridged_routed:
 279                 if is_permit:
 280                     src_mac = remote_dst_host._mac
 281                     dst_mac = 'de:ad:00:00:00:00'
 282                     dst_ip6 = src_ip_if.remote_ip6
 283                     src_ip6 = remote_dst_host.ip6
 284                     dst_ip4 = src_ip_if.remote_ip4
 285                     src_ip4 = remote_dst_host.ip4
 286                     ip_permit = src_ip6 if is_ip6 else src_ip4
 287                     mac_permit = src_mac
 288
 289                 if denyMAC:
 290                     mac = src_mac.split(':')
 291                     mac[0] = format(int(mac[0], 16)+1, "02x")
 292                     src_mac = ":".join(mac)
 293                     if is_ip6:
 294                         src_ip6 = ip_permit
 295                     else:
 296                         src_ip4 = ip_permit
 297                 if denyIP:
 298                     if ip_type != self.WILD_IP:
 299                         src_mac = mac_permit
 300                     dst_ip6 = src_ip_if.remote_ip6
 301                     src_ip6 = remote_dst_host.ip6
 302                     dst_ip4 = src_ip_if.remote_ip4
 303                     src_ip4 = remote_dst_host.ip4
 304             else:   # TODO
 305                 src_mac = src_ip_if.remote_mac
 306                 dst_mac = src_ip_if.local_mac
 307                 src_ip6 = src_ip_if.remote_ip6
 308                 dst_ip6 = remote_dst_host.ip6
 309                 src_ip4 = src_ip_if.remote_ip4
 310                 dst_ip4 = remote_dst_host.ip4
 311
 312             if is_permit:
 313                 info = self.create_packet_info(src_ip_if, dst_ip_if)
 314                 payload = self.info_to_payload(info)
 315             else:
 316                 payload = "to be blocked"
 317
 318             if mac_type == self.WILD_MAC:
 319                 mac = src_mac.split(':')
 320                 for i in range(1, 5):
 321                     mac[i] = format(random.randint(0, 255), "02x")
 322                 src_mac = ":".join(mac)
 323
 324             # create packet
 325             packet = Ether(src=src_mac, dst=dst_mac)
 326             if bridged_routed:
 327                 ip_rule = src_ip6 if is_ip6 else src_ip4
 328             else:
 329                 ip_rule = dst_ip6 if is_ip6 else dst_ip4
 330             if is_ip6:
 331                 if ip_type != self.EXACT_IP:
 332                     sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule)))
 333                     if ip_type == self.WILD_IP:
 334                         sub_ip[0] = random.randint(240, 254)
 335                         sub_ip[1] = random.randint(230, 239)
 336                         sub_ip[14] = random.randint(100, 199)
 337                         sub_ip[15] = random.randint(200, 255)
 338                     elif ip_type == self.SUBNET_IP:
 339                         if denyIP:
 340                             sub_ip[2] = str(int(sub_ip[2]) + 1)
 341                         sub_ip[14] = random.randint(100, 199)
 342                         sub_ip[15] = random.randint(200, 255)
 343                     if bridged_routed:
 344                         src_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
 345                     else:
 346                         dst_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
 347                 packet /= IPv6(src=src_ip6, dst=dst_ip6)
 348             else:
 349                 if ip_type != self.EXACT_IP:
 350                     sub_ip = ip_rule.split('.')
 351                     if ip_type == self.WILD_IP:
 352                         sub_ip[0] = str(random.randint(1, 49))
 353                         sub_ip[1] = str(random.randint(50, 99))
 354                         sub_ip[2] = str(random.randint(100, 199))
 355                         sub_ip[3] = str(random.randint(200, 255))
 356                     elif ip_type == self.SUBNET_IP:
 357                         if denyIP:
 358                             sub_ip[1] = str(int(sub_ip[1])+1)
 359                         sub_ip[2] = str(random.randint(100, 199))
 360                         sub_ip[3] = str(random.randint(200, 255))
 361                     if bridged_routed:
 362                         src_ip4 = ".".join(sub_ip)
 363                     else:
 364                         # TODO
 365                         dst_ip4 = ".".join(sub_ip)
 366                 packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0)
 367
 368             packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload)
 369
 370             packet[Raw].load += " mac:"+src_mac
 371
 372             size = self.pg_if_packet_sizes[p % len(self.pg_if_packet_sizes)]
 373             self.extend_packet(packet, size)
 374             packets.append(packet)
 375
 376             # create suitable rule
 377             if mac_type == self.EXACT_MAC:
 378                 mac_rule = src_mac
 379                 mac_mask = "ff:ff:ff:ff:ff:ff"
 380             elif mac_type == self.WILD_MAC:
 381                 mac_rule = "00:00:00:00:00:00"
 382                 mac_mask = "00:00:00:00:00:00"
 383             elif mac_type == self.OUI_MAC:
 384                 mac = src_mac.split(':')
 385                 mac[3] = mac[4] = mac[5] = '00'
 386                 mac_rule = ":".join(mac)
 387                 mac_mask = "ff:ff:ff:00:00:00"
 388
 389             if is_ip6:
 390                 if ip_type == self.WILD_IP:
 391                     ip = "0::0"
 392                 else:
 393                     if bridged_routed:
 394                         ip = src_ip6
 395                     else:
 396                         ip = dst_ip6
 397                     if ip_type == self.SUBNET_IP:
 398                         sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip)))
 399                         for i in range(8, 16):
 400                             sub_ip[i] = 0
 401                         ip = inet_ntop(AF_INET6, str(bytearray(sub_ip)))
 402             else:
 403                 if ip_type == self.WILD_IP:
 404                     ip = "0.0.0.0"
 405                 else:
 406                     if bridged_routed:
 407                         ip = src_ip4
 408                     else:
 409                         ip = dst_ip4
 410                     if ip_type == self.SUBNET_IP:
 411                         sub_ip = ip.split('.')
 412                         sub_ip[2] = sub_ip[3] = '0'
 413                         ip = ".".join(sub_ip)
 414
 415             prefix_len = 128 if is_ip6 else 32
 416             if ip_type == self.WILD_IP:
 417                 prefix_len = 0
 418             elif ip_type == self.SUBNET_IP:
 419                 prefix_len = 64 if is_ip6 else 16
 420             ip_rule = inet_pton(AF_INET6 if is_ip6 else AF_INET, ip)
 421
 422             if mac_type == self.WILD_MAC and ip_type == self.WILD_IP and p > 0:
 423                 continue
 424
 425             if is_permit:
 426                 rule = ({'is_permit': is_permit,
 427                          'is_ipv6': is_ip6,
 428                          'src_ip_addr': ip_rule,
 429                          'src_ip_prefix_len': prefix_len,
 430                          'src_mac': mac_rule.replace(':', '').decode('hex'),
 431                          'src_mac_mask': mac_mask.replace(':', '').decode(
 432                              'hex')})
 433                 rules.append(rule)
 434
 435         # deny all other packets
 436         if not (mac_type == self.WILD_MAC and ip_type == self.WILD_IP):
 437             rule = ({'is_permit': 0,
 438                      'is_ipv6': is_ip6,
 439                      'src_ip_addr': "",
 440                      'src_ip_prefix_len': 0,
 441                      'src_mac': "",
 442                      'src_mac_mask': ""})
 443             rules.append(rule)
 444
 445         return {'stream': packets, 'rules': rules}
 446
 447     def verify_capture(self, stream, capture, is_ip6):
 448         p_l3 = IPv6 if is_ip6 else IP
 449         if self.DEBUG:
 450             for p in stream:
 451                 print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
 452
 453         acls = self.macip_acl_dump_debug()
 454
 455         # TODO : verify
 456         # for acl in acls:
 457         #     for r in acl.r:
 458         #         print r.src_mac.encode('hex'), \
 459         #               r.src_mac_mask.encode('hex'),\
 460         #               unpack('<16B', r.src_ip_addr), \
 461         #               r.src_ip_prefix_len
 462         #
 463         # for p in capture:
 464         #     print p[Ether].src, p[Ether].dst, p[p_l3].src, p[p_l3].dst
 465         #     data = p[Raw].load.split(':',1)[1]
 466         #     print p[p_l3].src, data
 467
 468     def run_traffic(self, mac_type, ip_type, bridged_routed, is_ip6, packets,
 469                     do_not_expected_capture=False):
 470         self.reset_packet_infos()
 471
 472         tx_if = self.pg0 if bridged_routed else self.pg2
 473         rx_if = self.pg2 if bridged_routed else self.pg0
 474
 475         test_dict = self.create_stream(mac_type, ip_type, packets,
 476                                        self.pg2, self.loop0,
 477                                        bridged_routed, is_ip6)
 478
 479         reply = self.vapi.macip_acl_add(test_dict['rules'])
 480         self.assertEqual(reply.retval, 0)
 481         acl_index = reply.acl_index
 482
 483         self.vapi.macip_acl_interface_add_del(sw_if_index=tx_if.sw_if_index,
 484                                               acl_index=acl_index)
 485         reply = self.vapi.macip_acl_interface_get()
 486         self.assertEqual(reply.acls[tx_if.sw_if_index], acl_index)
 487         self.ACLS.append(reply.acls[tx_if.sw_if_index])
 488
 489         tx_if.add_stream(test_dict['stream'])
 490         self.pg_enable_capture(self.pg_interfaces)
 491         self.pg_start()
 492
 493         if do_not_expected_capture:
 494             rx_if.get_capture(0)
 495         else:
 496             packet_count = self.get_packet_count_for_if_idx(
 497                 self.loop0.sw_if_index)
 498             if mac_type == self.WILD_MAC and ip_type == self.WILD_IP:
 499                 packet_count = packets
 500             capture = rx_if.get_capture(packet_count)
 501             self.verify_capture(test_dict['stream'], capture, is_ip6)
 502
 503     def run_test_acls(self, mac_type, ip_type, acl_count,
 504                       rules_count, traffic=None, ip=None):
 505         self.apply_rules(self.create_rules(mac_type, ip_type, acl_count,
 506                                            rules_count))
 507         self.verify_acls(acl_count, rules_count)
 508
 509         if traffic is not None:
 510             self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9)
 511
 512     def test_acl_ip4_exactMAC_exactIP(self):
 513         """ IP4 MACIP exactMAC|exactIP ACL
 514         """
 515         self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
 516                          self.BRIDGED, self.IS_IP4, 9)
 517
 518     def test_acl_ip6_exactMAC_exactIP(self):
 519         """ IP6 MACIP exactMAC|exactIP ACL
 520         """
 521
 522         self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
 523                          self.BRIDGED, self.IS_IP6, 9)
 524
 525     def test_acl_ip4_exactMAC_subnetIP(self):
 526         """ IP4 MACIP exactMAC|subnetIP ACL
 527         """
 528
 529         self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
 530                          self.BRIDGED, self.IS_IP4, 9)
 531
 532     def test_acl_ip6_exactMAC_subnetIP(self):
 533         """ IP6 MACIP exactMAC|subnetIP ACL
 534         """
 535
 536         self.run_traffic(self.EXACT_MAC, self.SUBNET_IP,
 537                          self.BRIDGED, self.IS_IP6, 9)
 538
 539     def test_acl_ip4_exactMAC_wildIP(self):
 540         """ IP4 MACIP exactMAC|wildIP ACL
 541         """
 542
 543         self.run_traffic(self.EXACT_MAC, self.WILD_IP,
 544                          self.BRIDGED, self.IS_IP4, 9)
 545
 546     def test_acl_ip6_exactMAC_wildIP(self):
 547         """ IP6 MACIP exactMAC|wildIP ACL
 548         """
 549
 550         self.run_traffic(self.EXACT_MAC, self.WILD_IP,
 551                          self.BRIDGED, self.IS_IP6, 9)
 552
 553     def test_acl_ip4_ouiMAC_exactIP(self):
 554         """ IP4 MACIP ouiMAC|exactIP ACL
 555         """
 556
 557         self.run_traffic(self.OUI_MAC, self.EXACT_IP,
 558                          self.BRIDGED, self.IS_IP4, 3)
 559
 560     def test_acl_ip6_ouiMAC_exactIP(self):
 561         """ IP6 MACIP oui_MAC|exactIP ACL
 562         """
 563
 564         self.run_traffic(self.OUI_MAC, self.EXACT_IP,
 565                          self.BRIDGED, self.IS_IP6, 9)
 566
 567     def test_acl_ip4_ouiMAC_subnetIP(self):
 568         """ IP4 MACIP ouiMAC|subnetIP ACL
 569         """
 570
 571         self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
 572                          self.BRIDGED, self.IS_IP4, 9)
 573
 574     def test_acl_ip6_ouiMAC_subnetIP(self):
 575         """ IP6 MACIP ouiMAC|subnetIP ACL
 576         """
 577
 578         self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
 579                          self.BRIDGED, self.IS_IP6, 9)
 580
 581     def test_acl_ip4_ouiMAC_wildIP(self):
 582         """ IP4 MACIP ouiMAC|wildIP ACL
 583         """
 584
 585         self.run_traffic(self.OUI_MAC, self.WILD_IP,
 586                          self.BRIDGED, self.IS_IP4, 9)
 587
 588     def test_acl_ip6_ouiMAC_wildIP(self):
 589         """ IP6 MACIP ouiMAC|wildIP ACL
 590         """
 591
 592         self.run_traffic(self.OUI_MAC, self.WILD_IP,
 593                          self.BRIDGED, self.IS_IP6, 9)
 594
 595     def test_acl_ip4_wildMAC_exactIP(self):
 596         """ IP4 MACIP wildcardMAC|exactIP ACL
 597         """
 598
 599         self.run_traffic(self.WILD_MAC, self.EXACT_IP,
 600                          self.BRIDGED, self.IS_IP4, 9)
 601
 602     def test_acl_ip6_wildMAC_exactIP(self):
 603         """ IP6 MACIP wildcardMAC|exactIP ACL
 604         """
 605
 606         self.run_traffic(self.WILD_MAC, self.EXACT_IP,
 607                          self.BRIDGED, self.IS_IP6, 9)
 608
 609     def test_acl_ip4_wildMAC_subnetIP(self):
 610         """ IP4 MACIP wildcardMAC|subnetIP ACL
 611         """
 612
 613         self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
 614                          self.BRIDGED, self.IS_IP4, 9)
 615
 616     def test_acl_ip6_wildMAC_subnetIP(self):
 617         """ IP6 MACIP wildcardMAC|subnetIP ACL
 618         """
 619
 620         self.run_traffic(self.WILD_MAC, self.SUBNET_IP,
 621                          self.BRIDGED, self.IS_IP6, 9)
 622
 623     def test_acl_ip4_wildMAC_wildIP(self):
 624         """ IP4 MACIP wildcardMAC|wildIP ACL
 625         """
 626
 627         self.run_traffic(self.WILD_MAC, self.WILD_IP,
 628                          self.BRIDGED, self.IS_IP4, 9)
 629
 630     def test_acl_ip6_wildMAC_wildIP(self):
 631         """ IP6 MACIP wildcardMAC|wildIP ACL
 632         """
 633
 634         self.run_traffic(self.WILD_MAC, self.WILD_IP,
 635                          self.BRIDGED, self.IS_IP6, 9)
 636
 637     def test_acl_1_2(self):
 638         """ MACIP ACL with 2 entries
 639         """
 640
 641         self.run_test_acls(self.EXACT_MAC, self.WILD_IP, 1, [2])
 642
 643     def test_acl_1_5(self):
 644         """ MACIP ACL with 5 entries
 645         """
 646
 647         self.run_test_acls(self.EXACT_MAC, self.SUBNET_IP, 1, [5])
 648
 649     def test_acl_1_10(self):
 650         """ MACIP ACL with 10 entries
 651         """
 652
 653         self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 1, [10])
 654
 655     def test_acl_1_20(self):
 656         """ MACIP ACL with 20 entries
 657         """
 658
 659         self.run_test_acls(self.OUI_MAC, self.WILD_IP, 1, [20])
 660
 661     def test_acl_1_50(self):
 662         """ MACIP ACL with 50 entries
 663         """
 664
 665         self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 1, [50])
 666
 667     def test_acl_1_100(self):
 668         """ MACIP ACL with 100 entries
 669         """
 670
 671         self.run_test_acls(self.OUI_MAC, self.EXACT_IP, 1, [100])
 672
 673     def test_acl_2_X(self):
 674         """ MACIP 2 ACLs each with 100+ entries
 675         """
 676
 677         self.run_test_acls(self.OUI_MAC, self.SUBNET_IP, 2, [100, 200])
 678
 679     def test_acl_10_X(self):
 680         """ MACIP 10 ACLs each with 100+ entries
 681         """
 682
 683         self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
 684                            [100, 120, 140, 160, 180, 200, 210, 220, 230, 240])
 685
 686     def test_acl_10_X_traffic_ip4(self):
 687         """ MACIP 10 ACLs each with 100+ entries with IP4 traffic
 688         """
 689
 690         self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
 691                            [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
 692                            self.BRIDGED, self.IS_IP4)
 693
 694     def test_acl_10_X_traffic_ip6(self):
 695         """ MACIP 10 ACLs each with 100+ entries with IP6 traffic
 696         """
 697
 698         self.run_test_acls(self.EXACT_MAC, self.EXACT_IP, 10,
 699                            [100, 120, 140, 160, 180, 200, 210, 220, 230, 240],
 700                            self.BRIDGED, self.IS_IP6)
 701
 702     def test_acl_replace(self):
 703         """ MACIP replace ACL
 704         """
 705
 706         r1 = self.create_rules(acl_count=3, rules_count=[2, 2, 2])
 707         r2 = self.create_rules(mac_type=self.OUI_MAC, ip_type=self.SUBNET_IP)
 708         self.apply_rules(r1)
 709
 710         acls_before = self.macip_acl_dump_debug()
 711
 712         # replace acls #2, #3 with new
 713         reply = self.vapi.macip_acl_add_replace(r2[0], 2)
 714         self.assertEqual(reply.retval, 0)
 715         self.assertEqual(reply.acl_index, 2)
 716         reply = self.vapi.macip_acl_add_replace(r2[1], 3)
 717         self.assertEqual(reply.retval, 0)
 718         self.assertEqual(reply.acl_index, 3)
 719
 720         acls_after = self.macip_acl_dump_debug()
 721
 722         # verify changes
 723         self.assertEqual(len(acls_before), len(acls_after))
 724         for acl1, acl2 in zip(
 725                 acls_before[:2]+acls_before[4:],
 726                 acls_after[:2]+acls_after[4:]):
 727             self.assertEqual(len(acl1), len(acl2))
 728
 729             self.assertEqual(len(acl1.r), len(acl2.r))
 730             for r1, r2 in zip(acl1.r, acl2.r):
 731                 self.assertEqual(len(acl1.r), len(acl2.r))
 732                 self.assertEqual(acl1.r, acl2.r)
 733         for acl1, acl2 in zip(
 734                 acls_before[2:4],
 735                 acls_after[2:4]):
 736             self.assertEqual(len(acl1), len(acl2))
 737
 738             self.assertNotEqual(len(acl1.r), len(acl2.r))
 739             for r1, r2 in zip(acl1.r, acl2.r):
 740                 self.assertNotEqual(len(acl1.r), len(acl2.r))
 741                 self.assertNotEqual(acl1.r, acl2.r)
 742
 743     def test_acl_replace_traffic_ip4(self):
 744         """ MACIP replace ACL with IP4 traffic
 745         """
 746         self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
 747                          self.BRIDGED, self.IS_IP4, 9)
 748
 749         r = self.create_rules()
 750         # replace acls #2, #3 with new
 751         reply = self.vapi.macip_acl_add_replace(r[0], 0)
 752         self.assertEqual(reply.retval, 0)
 753         self.assertEqual(reply.acl_index, 0)
 754
 755         self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
 756                          self.BRIDGED, self.IS_IP4, 9, True)
 757
 758     def test_acl_replace_traffic_ip6(self):
 759         """ MACIP replace ACL with IP6 traffic
 760         """
 761         self.run_traffic(self.OUI_MAC, self.SUBNET_IP,
 762                          self.BRIDGED, self.IS_IP6, 9)
 763
 764         r = self.create_rules()
 765         # replace acls #2, #3 with new
 766         reply = self.vapi.macip_acl_add_replace(r[0], 0)
 767         self.assertEqual(reply.retval, 0)
 768         self.assertEqual(reply.acl_index, 0)
 769
 770         self.run_traffic(self.EXACT_MAC, self.EXACT_IP,
 771                          self.BRIDGED, self.IS_IP6, 9, True)
 772
 773     def test_delete_intf(self):
 774         """ MACIP ACL delete intf with acl
 775         """
 776
 777         intf_count = len(self.interfaces)+1
 778         intf = []
 779         self.apply_rules(self.create_rules(acl_count=3, rules_count=[3, 5, 4]))
 780
 781         intf.append(VppLoInterface(self, 0))
 782         intf.append(VppLoInterface(self, 1))
 783
 784         sw_if_index0 = intf[0].sw_if_index
 785         self.vapi.macip_acl_interface_add_del(sw_if_index0, 1)
 786
 787         reply = self.vapi.macip_acl_interface_get()
 788         self.assertEqual(reply.count, intf_count+1)
 789         self.assertEqual(reply.acls[sw_if_index0], 1)
 790
 791         sw_if_index1 = intf[1].sw_if_index
 792         self.vapi.macip_acl_interface_add_del(sw_if_index1, 0)
 793
 794         reply = self.vapi.macip_acl_interface_get()
 795         self.assertEqual(reply.count, intf_count+2)
 796         self.assertEqual(reply.acls[sw_if_index1], 0)
 797
 798         intf[0].remove_vpp_config()
 799         reply = self.vapi.macip_acl_interface_get()
 800         self.assertEqual(reply.count, intf_count+2)
 801         self.assertEqual(reply.acls[sw_if_index0], 4294967295)
 802         self.assertEqual(reply.acls[sw_if_index1], 0)
 803
 804         intf.append(VppLoInterface(self, 2))
 805         intf.append(VppLoInterface(self, 3))
 806         sw_if_index2 = intf[2].sw_if_index
 807         sw_if_index3 = intf[3].sw_if_index
 808         self.vapi.macip_acl_interface_add_del(sw_if_index2, 1)
 809         self.vapi.macip_acl_interface_add_del(sw_if_index3, 1)
 810
 811         reply = self.vapi.macip_acl_interface_get()
 812         self.assertEqual(reply.count, intf_count+3)
 813         self.assertEqual(reply.acls[sw_if_index1], 0)
 814         self.assertEqual(reply.acls[sw_if_index2], 1)
 815         self.assertEqual(reply.acls[sw_if_index3], 1)
 816
 817         intf[2].remove_vpp_config()
 818         intf[1].remove_vpp_config()
 819
 820         reply = self.vapi.macip_acl_interface_get()
 821         self.assertEqual(reply.count, intf_count+3)
 822         self.assertEqual(reply.acls[sw_if_index0], 4294967295)
 823         self.assertEqual(reply.acls[sw_if_index1], 4294967295)
 824         self.assertEqual(reply.acls[sw_if_index2], 4294967295)
 825         self.assertEqual(reply.acls[sw_if_index3], 1)
 826
 827         intf[3].remove_vpp_config()
 828         reply = self.vapi.macip_acl_interface_get()
 829
 830         self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0)
 831
 832     @unittest.skipUnless(running_extended_tests(), "part of extended tests")
 833     def test_routed(self):
 834         """ MACIP with routed traffic
 835         """
 836         # TODO: routed do not work yet !!!
 837         # self.run_traffic(self.EXACT_IP, self.EXACT_MAC, False, False, 9)
 838         # self.run_traffic(self.EXACT_IP, self.EXACT_MAC, False, True, 9)
 839
 840
 841 if __name__ == '__main__':
 842     unittest.main(testRunner=VppTestRunner)