5 from framework import VppTestCase, VppTestRunner
6 from vpp_object import VppObject
7 from vpp_neighbor import VppNeighbor
8 from vpp_ip_route import VppIpRoute, VppRoutePath, VppIpTable
12 from vpp_papi_provider import L2_PORT_TYPE
14 from scapy.packet import Raw
15 from scapy.layers.l2 import Ether, ARP
16 from scapy.layers.inet import IP, UDP
17 from scapy.layers.inet6 import IPv6, ICMPv6ND_NS, ICMPv6NDOptSrcLLAddr, \
19 from scapy.utils6 import in6_getnsma, in6_getnsmac
21 from socket import AF_INET, AF_INET6
22 from scapy.utils import inet_pton, inet_ntop
23 from util import mactobinary
26 def find_gbp_endpoint(test, sw_if_index, ip=None, mac=None):
27 vip = VppIpAddress(ip)
29 eps = test.vapi.gbp_endpoint_dump()
31 if ep.endpoint.sw_if_index != sw_if_index:
33 for eip in ep.endpoint.ips:
39 class VppGbpEndpoint(VppObject):
46 return mactobinary(self.itf.remote_mac)
50 return self.itf.remote_mac
70 return [self.ip4, self.ip6]
74 return [self.fip4, self.fip6]
76 def __init__(self, test, itf, epg, recirc, ip4, fip4, ip6, fip6):
82 self._ip4 = VppIpAddress(ip4)
83 self._fip4 = VppIpAddress(fip4)
84 self._ip6 = VppIpAddress(ip6)
85 self._fip6 = VppIpAddress(fip6)
87 self.vmac = VppMacAddress(self.itf.remote_mac)
89 def add_vpp_config(self):
90 res = self._test.vapi.gbp_endpoint_add(
92 [self.ip4.encode(), self.ip6.encode()],
95 self.handle = res.handle
96 self._test.registry.register(self, self._test.logger)
98 def remove_vpp_config(self):
99 self._test.vapi.gbp_endpoint_del(self.handle)
102 return self.object_id()
105 return "gbp-endpoint;[%d:%s:%d]" % (self.itf.sw_if_index,
109 def query_vpp_config(self):
110 return find_gbp_endpoint(self._test,
111 self.itf.sw_if_index,
115 class VppGbpRecirc(VppObject):
117 GBP Recirculation Interface
120 def __init__(self, test, epg, recirc, is_ext=False):
126 def add_vpp_config(self):
127 self._test.vapi.gbp_recirc_add_del(
129 self.recirc.sw_if_index,
132 self._test.registry.register(self, self._test.logger)
134 def remove_vpp_config(self):
135 self._test.vapi.gbp_recirc_add_del(
137 self.recirc.sw_if_index,
142 return self.object_id()
145 return "gbp-recirc;[%d]" % (self.recirc.sw_if_index)
147 def query_vpp_config(self):
148 rs = self._test.vapi.gbp_recirc_dump()
150 if r.recirc.sw_if_index == self.recirc.sw_if_index:
155 class VppGbpSubnet(VppObject):
160 def __init__(self, test, table_id, address, address_len,
162 sw_if_index=None, epg=None):
164 self.table_id = table_id
165 self.prefix = VppIpPrefix(address, address_len)
166 self.is_internal = is_internal
167 self.sw_if_index = sw_if_index
170 def add_vpp_config(self):
171 self._test.vapi.gbp_subnet_add_del(
175 self.prefix.encode(),
176 sw_if_index=self.sw_if_index if self.sw_if_index else 0xffffffff,
177 epg_id=self.epg if self.epg else 0xffff)
178 self._test.registry.register(self, self._test.logger)
180 def remove_vpp_config(self):
181 self._test.vapi.gbp_subnet_add_del(
185 self.prefix.encode())
188 return self.object_id()
191 return "gbp-subnet;[%d-%s]" % (self.table_id,
194 def query_vpp_config(self):
195 ss = self._test.vapi.gbp_subnet_dump()
197 if s.subnet.table_id == self.table_id and \
198 s.subnet.prefix == self.prefix:
203 class VppGbpEndpointGroup(VppObject):
208 def __init__(self, test, epg, rd, bd, uplink,
209 bvi, bvi_ip4, bvi_ip6=None):
213 self.bvi_ip4 = bvi_ip4
214 self.bvi_ip4_n = inet_pton(AF_INET, bvi_ip4)
215 self.bvi_ip6 = bvi_ip6
216 self.bvi_ip6_n = inet_pton(AF_INET6, bvi_ip6)
221 def add_vpp_config(self):
222 self._test.vapi.gbp_endpoint_group_add_del(
228 self.uplink.sw_if_index)
229 self._test.registry.register(self, self._test.logger)
231 def remove_vpp_config(self):
232 self._test.vapi.gbp_endpoint_group_add_del(
238 self.uplink.sw_if_index)
241 return self.object_id()
244 return "gbp-endpoint-group;[%d]" % (self.epg)
246 def query_vpp_config(self):
247 epgs = self._test.vapi.gbp_endpoint_group_dump()
249 if epg.epg.epg_id == self.epg:
254 class VppGbpContract(VppObject):
259 def __init__(self, test, src_epg, dst_epg, acl_index):
261 self.acl_index = acl_index
262 self.src_epg = src_epg
263 self.dst_epg = dst_epg
265 def add_vpp_config(self):
266 self._test.vapi.gbp_contract_add_del(
271 self._test.registry.register(self, self._test.logger)
273 def remove_vpp_config(self):
274 self._test.vapi.gbp_contract_add_del(
281 return self.object_id()
284 return "gbp-contract;[%d:%s:%d]" % (self.src_epg,
288 def query_vpp_config(self):
289 cs = self._test.vapi.gbp_contract_dump()
291 if c.contract.src_epg == self.src_epg \
292 and c.contract.dst_epg == self.dst_epg:
297 class VppGbpAcl(VppObject):
302 def __init__(self, test):
304 self.acl_index = 4294967295
306 def create_rule(self, is_ipv6=0, permit_deny=0, proto=-1,
307 s_prefix=0, s_ip='\x00\x00\x00\x00', sport_from=0,
308 sport_to=65535, d_prefix=0, d_ip='\x00\x00\x00\x00',
309 dport_from=0, dport_to=65535):
310 if proto == -1 or proto == 0:
313 elif proto == 1 or proto == 58:
316 rule = ({'is_permit': permit_deny, 'is_ipv6': is_ipv6, 'proto': proto,
317 'srcport_or_icmptype_first': sport_from,
318 'srcport_or_icmptype_last': sport_to,
319 'src_ip_prefix_len': s_prefix,
321 'dstport_or_icmpcode_first': dport_from,
322 'dstport_or_icmpcode_last': dport_to,
323 'dst_ip_prefix_len': d_prefix,
324 'dst_ip_addr': d_ip})
327 def add_vpp_config(self, rules):
329 reply = self._test.vapi.acl_add_replace(self.acl_index,
332 self.acl_index = reply.acl_index
333 return self.acl_index
335 def remove_vpp_config(self):
336 self._test.vapi.acl_del(self.acl_index)
339 return self.object_id()
342 return "gbp-acl;[%d]" % (self.acl_index)
344 def query_vpp_config(self):
345 cs = self._test.vapi.acl_dump()
347 if c.acl_index == self.acl_index:
352 class TestGBP(VppTestCase):
353 """ GBP Test Case """
356 super(TestGBP, self).setUp()
358 self.create_pg_interfaces(range(9))
359 self.create_loopback_interfaces(9)
361 self.router_mac = "00:11:22:33:44:55"
363 for i in self.pg_interfaces:
365 for i in self.lo_interfaces:
367 self.vapi.sw_interface_set_mac_address(
369 mactobinary(self.router_mac))
372 for i in self.pg_interfaces:
375 super(TestGBP, self).tearDown()
377 def send_and_expect_bridged(self, src, tx, dst):
378 rx = self.send_and_expect(src, tx, dst)
381 self.assertEqual(r[Ether].src, tx[0][Ether].src)
382 self.assertEqual(r[Ether].dst, tx[0][Ether].dst)
383 self.assertEqual(r[IP].src, tx[0][IP].src)
384 self.assertEqual(r[IP].dst, tx[0][IP].dst)
387 def send_and_expect_bridged6(self, src, tx, dst):
388 rx = self.send_and_expect(src, tx, dst)
391 self.assertEqual(r[Ether].src, tx[0][Ether].src)
392 self.assertEqual(r[Ether].dst, tx[0][Ether].dst)
393 self.assertEqual(r[IPv6].src, tx[0][IPv6].src)
394 self.assertEqual(r[IPv6].dst, tx[0][IPv6].dst)
397 def send_and_expect_routed(self, src, tx, dst, src_mac):
398 rx = self.send_and_expect(src, tx, dst)
401 self.assertEqual(r[Ether].src, src_mac)
402 self.assertEqual(r[Ether].dst, dst.remote_mac)
403 self.assertEqual(r[IP].src, tx[0][IP].src)
404 self.assertEqual(r[IP].dst, tx[0][IP].dst)
407 def send_and_expect_natted(self, src, tx, dst, src_ip):
408 rx = self.send_and_expect(src, tx, dst)
411 self.assertEqual(r[Ether].src, tx[0][Ether].src)
412 self.assertEqual(r[Ether].dst, tx[0][Ether].dst)
413 self.assertEqual(r[IP].src, src_ip)
414 self.assertEqual(r[IP].dst, tx[0][IP].dst)
417 def send_and_expect_natted6(self, src, tx, dst, src_ip):
418 rx = self.send_and_expect(src, tx, dst)
421 self.assertEqual(r[Ether].src, tx[0][Ether].src)
422 self.assertEqual(r[Ether].dst, tx[0][Ether].dst)
423 self.assertEqual(r[IPv6].src, src_ip)
424 self.assertEqual(r[IPv6].dst, tx[0][IPv6].dst)
427 def send_and_expect_unnatted(self, src, tx, dst, dst_ip):
428 rx = self.send_and_expect(src, tx, dst)
431 self.assertEqual(r[Ether].src, tx[0][Ether].src)
432 self.assertEqual(r[Ether].dst, tx[0][Ether].dst)
433 self.assertEqual(r[IP].dst, dst_ip)
434 self.assertEqual(r[IP].src, tx[0][IP].src)
437 def send_and_expect_unnatted6(self, src, tx, dst, dst_ip):
438 rx = self.send_and_expect(src, tx, dst)
441 self.assertEqual(r[Ether].src, tx[0][Ether].src)
442 self.assertEqual(r[Ether].dst, tx[0][Ether].dst)
443 self.assertEqual(r[IPv6].dst, dst_ip)
444 self.assertEqual(r[IPv6].src, tx[0][IPv6].src)
447 def send_and_expect_double_natted(self, src, tx, dst, src_ip, dst_ip):
448 rx = self.send_and_expect(src, tx, dst)
451 self.assertEqual(r[Ether].src, self.router_mac)
452 self.assertEqual(r[Ether].dst, dst.remote_mac)
453 self.assertEqual(r[IP].dst, dst_ip)
454 self.assertEqual(r[IP].src, src_ip)
457 def send_and_expect_double_natted6(self, src, tx, dst, src_ip, dst_ip):
458 rx = self.send_and_expect(src, tx, dst)
461 self.assertEqual(r[Ether].src, self.router_mac)
462 self.assertEqual(r[Ether].dst, dst.remote_mac)
463 self.assertEqual(r[IPv6].dst, dst_ip)
464 self.assertEqual(r[IPv6].src, src_ip)
468 """ Group Based Policy """
470 nat_table = VppIpTable(self, 20)
471 nat_table.add_vpp_config()
472 nat_table = VppIpTable(self, 20, is_ip6=True)
473 nat_table.add_vpp_config()
478 self.vapi.bridge_domain_add_del(1, flood=1, uu_flood=1, forward=1,
479 learn=0, arp_term=1, is_add=1)
480 self.vapi.bridge_domain_add_del(2, flood=1, uu_flood=1, forward=1,
481 learn=0, arp_term=1, is_add=1)
482 self.vapi.bridge_domain_add_del(20, flood=1, uu_flood=1, forward=1,
483 learn=0, arp_term=1, is_add=1)
486 # 3 EPGs, 2 of which share a BD.
487 # 2 NAT EPGs, one for floating-IP subnets, the other for internet
489 epgs = [VppGbpEndpointGroup(self, 220, 0, 1, self.pg4,
493 VppGbpEndpointGroup(self, 221, 0, 1, self.pg5,
497 VppGbpEndpointGroup(self, 222, 0, 2, self.pg6,
501 VppGbpEndpointGroup(self, 333, 20, 20, self.pg7,
505 VppGbpEndpointGroup(self, 444, 20, 20, self.pg8,
509 recircs = [VppGbpRecirc(self, epgs[0],
511 VppGbpRecirc(self, epgs[1],
513 VppGbpRecirc(self, epgs[2],
515 VppGbpRecirc(self, epgs[3],
516 self.loop6, is_ext=True),
517 VppGbpRecirc(self, epgs[4],
518 self.loop8, is_ext=True)]
521 recirc_nat = recircs[3]
524 # 4 end-points, 2 in the same subnet, 3 in the same BD
526 eps = [VppGbpEndpoint(self, self.pg0,
528 "10.0.0.1", "11.0.0.1",
529 "2001:10::1", "3001::1"),
530 VppGbpEndpoint(self, self.pg1,
532 "10.0.0.2", "11.0.0.2",
533 "2001:10::2", "3001::2"),
534 VppGbpEndpoint(self, self.pg2,
536 "10.0.1.1", "11.0.0.3",
537 "2001:10:1::1", "3001::3"),
538 VppGbpEndpoint(self, self.pg3,
540 "10.0.2.1", "11.0.0.4",
541 "2001:10:2::1", "3001::4")]
544 # Config related to each of the EPGs
547 # IP config on the BVI interfaces
548 if epg != epgs[1] and epg != epgs[4]:
549 epg.bvi.set_table_ip4(epg.rd)
550 epg.bvi.set_table_ip6(epg.rd)
552 # The BVIs are NAT inside interfaces
553 self.vapi.nat44_interface_add_del_feature(epg.bvi.sw_if_index,
556 self.vapi.nat66_add_del_interface(epg.bvi.sw_if_index,
560 self.vapi.sw_interface_add_del_address(epg.bvi.sw_if_index,
563 self.vapi.sw_interface_add_del_address(epg.bvi.sw_if_index,
568 # EPG uplink interfaces in the BD
569 epg.uplink.set_table_ip4(epg.rd)
570 epg.uplink.set_table_ip6(epg.rd)
571 self.vapi.sw_interface_set_l2_bridge(epg.uplink.sw_if_index,
574 # add the BD ARP termination entry for BVI IP
575 self.vapi.bd_ip_mac_add_del(bd_id=epg.bd,
576 mac=mactobinary(self.router_mac),
580 self.vapi.bd_ip_mac_add_del(bd_id=epg.bd,
581 mac=mactobinary(self.router_mac),
586 # epg[1] shares the same BVI to epg[0]
587 if epg != epgs[1] and epg != epgs[4]:
589 self.vapi.sw_interface_set_l2_bridge(
592 port_type=L2_PORT_TYPE.BVI)
595 self.vapi.l2fib_add_del(self.router_mac,
603 for recirc in recircs:
604 # EPG's ingress recirculation interface maps to its RD
605 recirc.recirc.set_table_ip4(recirc.epg.rd)
606 recirc.recirc.set_table_ip6(recirc.epg.rd)
608 # in the bridge to allow DVR. L2 emulation to punt to L3
609 self.vapi.sw_interface_set_l2_bridge(recirc.recirc.sw_if_index,
611 self.vapi.sw_interface_set_l2_emulation(
612 recirc.recirc.sw_if_index)
614 self.vapi.nat44_interface_add_del_feature(
615 recirc.recirc.sw_if_index,
618 self.vapi.nat66_add_del_interface(
619 recirc.recirc.sw_if_index,
623 recirc.add_vpp_config()
628 self.pg_enable_capture(self.pg_interfaces)
631 # routes to the endpoints. We need these since there are no
632 # adj-fibs due to the fact the the BVI address has /32 and
633 # the subnet is not attached.
635 for (ip, fip) in zip(ep.ips, ep.fips):
636 r = VppIpRoute(self, ip.address, ip.length,
637 [VppRoutePath(ip.address,
638 ep.epg.bvi.sw_if_index,
639 proto=ip.dpo_proto)],
645 # ARP entries for the endpoints
647 a = VppNeighbor(self,
648 ep.epg.bvi.sw_if_index,
655 # add the BD ARP termination entry
656 self.vapi.bd_ip_mac_add_del(bd_id=ep.epg.bd,
662 # Add static mappings for each EP from the 10/8 to 11/8 network
664 self.vapi.nat44_add_del_static_mapping(ip.bytes,
669 self.vapi.nat66_add_del_static_mapping(ip.bytes,
673 # add each EP itf to the its BD
674 self.vapi.sw_interface_set_l2_bridge(ep.itf.sw_if_index,
678 self.vapi.l2fib_add_del(ep.mac,
686 self.logger.info(self.vapi.cli("sh gbp endpoint"))
688 # ... results in a Gratuitous ARP/ND on the EPG's uplink
689 rx = ep.epg.uplink.get_capture(len(ep.ips), timeout=0.2)
691 for ii, ip in enumerate(ep.ips):
695 self.assertTrue(p.haslayer(ICMPv6ND_NA))
696 self.assertEqual(p[ICMPv6ND_NA].tgt, ip.address)
698 self.assertTrue(p.haslayer(ARP))
699 self.assertEqual(p[ARP].psrc, ip.address)
700 self.assertEqual(p[ARP].pdst, ip.address)
702 # add the BD ARP termination entry for floating IP
704 self.vapi.bd_ip_mac_add_del(bd_id=epg_nat.bd,
710 # floating IPs route via EPG recirc
711 r = VppIpRoute(self, fip.address, fip.length,
712 [VppRoutePath(fip.address,
713 ep.recirc.recirc.sw_if_index,
715 proto=fip.dpo_proto)],
721 # L2 FIB entries in the NAT EPG BD to bridge the packets from
722 # the outside direct to the internal EPG
723 self.vapi.l2fib_add_del(ep.mac,
725 ep.recirc.recirc.sw_if_index,
729 # ARP packets for unknown IP are flooded
731 pkt_arp = (Ether(dst="ff:ff:ff:ff:ff:ff",
732 src=self.pg0.remote_mac) /
734 hwdst="ff:ff:ff:ff:ff:ff",
735 hwsrc=self.pg0.remote_mac,
736 pdst=epgs[0].bvi_ip4,
739 self.send_and_expect(self.pg0, [pkt_arp], self.pg0)
742 # ARP/ND packets get a response
744 pkt_arp = (Ether(dst="ff:ff:ff:ff:ff:ff",
745 src=self.pg0.remote_mac) /
747 hwdst="ff:ff:ff:ff:ff:ff",
748 hwsrc=self.pg0.remote_mac,
749 pdst=epgs[0].bvi_ip4,
750 psrc=eps[0].ip4.address))
752 self.send_and_expect(self.pg0, [pkt_arp], self.pg0)
754 nsma = in6_getnsma(inet_pton(AF_INET6, eps[0].ip6.address))
755 d = inet_ntop(AF_INET6, nsma)
756 pkt_nd = (Ether(dst=in6_getnsmac(nsma)) /
757 IPv6(dst=d, src=eps[0].ip6.address) /
758 ICMPv6ND_NS(tgt=epgs[0].bvi_ip6) /
759 ICMPv6NDOptSrcLLAddr(lladdr=self.pg0.remote_mac))
760 self.send_and_expect(self.pg0, [pkt_nd], self.pg0)
763 # broadcast packets are flooded
765 pkt_bcast = (Ether(dst="ff:ff:ff:ff:ff:ff",
766 src=self.pg0.remote_mac) /
767 IP(src=eps[0].ip4.address, dst="232.1.1.1") /
768 UDP(sport=1234, dport=1234) /
771 self.vapi.cli("clear trace")
772 self.pg0.add_stream(pkt_bcast)
774 self.pg_enable_capture(self.pg_interfaces)
777 rxd = eps[1].itf.get_capture(1)
778 self.assertEqual(rxd[0][Ether].dst, pkt_bcast[Ether].dst)
779 rxd = epgs[0].uplink.get_capture(1)
780 self.assertEqual(rxd[0][Ether].dst, pkt_bcast[Ether].dst)
783 # packets to non-local L3 destinations dropped
785 pkt_intra_epg_220_ip4 = (Ether(src=self.pg0.remote_mac,
786 dst=self.router_mac) /
787 IP(src=eps[0].ip4.address,
789 UDP(sport=1234, dport=1234) /
791 pkt_inter_epg_222_ip4 = (Ether(src=self.pg0.remote_mac,
792 dst=self.router_mac) /
793 IP(src=eps[0].ip4.address,
795 UDP(sport=1234, dport=1234) /
798 self.send_and_assert_no_replies(self.pg0, pkt_intra_epg_220_ip4 * 65)
800 pkt_inter_epg_222_ip6 = (Ether(src=self.pg0.remote_mac,
801 dst=self.router_mac) /
802 IPv6(src=eps[0].ip6.address,
804 UDP(sport=1234, dport=1234) /
806 self.send_and_assert_no_replies(self.pg0, pkt_inter_epg_222_ip6 * 65)
809 # Add the subnet routes
811 s41 = VppGbpSubnet(self, 0, "10.0.0.0", 24)
812 s42 = VppGbpSubnet(self, 0, "10.0.1.0", 24)
813 s43 = VppGbpSubnet(self, 0, "10.0.2.0", 24)
817 s61 = VppGbpSubnet(self, 0, "2001:10::1", 64)
818 s62 = VppGbpSubnet(self, 0, "2001:10:1::1", 64)
819 s63 = VppGbpSubnet(self, 0, "2001:10:2::1", 64)
824 self.send_and_expect_bridged(self.pg0,
825 pkt_intra_epg_220_ip4 * 65,
827 self.send_and_expect_bridged(self.pg3,
828 pkt_inter_epg_222_ip4 * 65,
830 self.send_and_expect_bridged6(self.pg3,
831 pkt_inter_epg_222_ip6 * 65,
834 self.logger.info(self.vapi.cli("sh ip fib 11.0.0.2"))
835 self.logger.info(self.vapi.cli("sh gbp endpoint-group"))
836 self.logger.info(self.vapi.cli("sh gbp endpoint"))
837 self.logger.info(self.vapi.cli("sh gbp recirc"))
838 self.logger.info(self.vapi.cli("sh int"))
839 self.logger.info(self.vapi.cli("sh int addr"))
840 self.logger.info(self.vapi.cli("sh int feat loop6"))
841 self.logger.info(self.vapi.cli("sh vlib graph ip4-gbp-src-classify"))
842 self.logger.info(self.vapi.cli("sh int feat loop3"))
845 # Packet destined to unknown unicast is sent on the epg uplink ...
847 pkt_intra_epg_220_to_uplink = (Ether(src=self.pg0.remote_mac,
848 dst="00:00:00:33:44:55") /
849 IP(src=eps[0].ip4.address,
851 UDP(sport=1234, dport=1234) /
854 self.send_and_expect_bridged(self.pg0,
855 pkt_intra_epg_220_to_uplink * 65,
857 # ... and nowhere else
858 self.pg1.get_capture(0, timeout=0.1)
859 self.pg1.assert_nothing_captured(remark="Flood onto other VMS")
861 pkt_intra_epg_221_to_uplink = (Ether(src=self.pg2.remote_mac,
862 dst="00:00:00:33:44:66") /
863 IP(src=eps[0].ip4.address,
865 UDP(sport=1234, dport=1234) /
868 self.send_and_expect_bridged(self.pg2,
869 pkt_intra_epg_221_to_uplink * 65,
873 # Packets from the uplink are forwarded in the absence of a contract
875 pkt_intra_epg_220_from_uplink = (Ether(src="00:00:00:33:44:55",
876 dst=self.pg0.remote_mac) /
877 IP(src=eps[0].ip4.address,
879 UDP(sport=1234, dport=1234) /
882 self.send_and_expect_bridged(self.pg4,
883 pkt_intra_epg_220_from_uplink * 65,
887 # in the absence of policy, endpoints in the same EPG
890 pkt_intra_epg = (Ether(src=self.pg0.remote_mac,
891 dst=self.pg1.remote_mac) /
892 IP(src=eps[0].ip4.address,
893 dst=eps[1].ip4.address) /
894 UDP(sport=1234, dport=1234) /
897 self.send_and_expect_bridged(self.pg0, pkt_intra_epg * 65, self.pg1)
900 # in the abscense of policy, endpoints in the different EPG
903 pkt_inter_epg_220_to_221 = (Ether(src=self.pg0.remote_mac,
904 dst=self.pg2.remote_mac) /
905 IP(src=eps[0].ip4.address,
906 dst=eps[2].ip4.address) /
907 UDP(sport=1234, dport=1234) /
909 pkt_inter_epg_221_to_220 = (Ether(src=self.pg2.remote_mac,
910 dst=self.pg0.remote_mac) /
911 IP(src=eps[2].ip4.address,
912 dst=eps[0].ip4.address) /
913 UDP(sport=1234, dport=1234) /
915 pkt_inter_epg_220_to_222 = (Ether(src=self.pg0.remote_mac,
916 dst=self.router_mac) /
917 IP(src=eps[0].ip4.address,
918 dst=eps[3].ip4.address) /
919 UDP(sport=1234, dport=1234) /
922 self.send_and_assert_no_replies(self.pg0,
923 pkt_inter_epg_220_to_221 * 65)
924 self.send_and_assert_no_replies(self.pg0,
925 pkt_inter_epg_220_to_222 * 65)
928 # A uni-directional contract from EPG 220 -> 221
930 acl = VppGbpAcl(self)
931 rule = acl.create_rule(permit_deny=1, proto=17)
932 rule2 = acl.create_rule(is_ipv6=1, permit_deny=1, proto=17)
933 acl_index = acl.add_vpp_config([rule, rule2])
934 c1 = VppGbpContract(self, 220, 221, acl_index)
937 self.send_and_expect_bridged(self.pg0,
938 pkt_inter_epg_220_to_221 * 65,
940 self.send_and_assert_no_replies(self.pg0,
941 pkt_inter_epg_220_to_222 * 65)
944 # contract for the return direction
946 c2 = VppGbpContract(self, 221, 220, acl_index)
949 self.send_and_expect_bridged(self.pg0,
950 pkt_inter_epg_220_to_221 * 65,
952 self.send_and_expect_bridged(self.pg2,
953 pkt_inter_epg_221_to_220 * 65,
957 # check that inter group is still disabled for the groups
958 # not in the contract.
960 self.send_and_assert_no_replies(self.pg0,
961 pkt_inter_epg_220_to_222 * 65)
964 # A uni-directional contract from EPG 220 -> 222 'L3 routed'
966 c3 = VppGbpContract(self, 220, 222, acl_index)
969 self.logger.info(self.vapi.cli("sh gbp contract"))
971 self.send_and_expect_routed(self.pg0,
972 pkt_inter_epg_220_to_222 * 65,
977 # remove both contracts, traffic stops in both directions
979 c2.remove_vpp_config()
980 c1.remove_vpp_config()
981 c3.remove_vpp_config()
982 acl.remove_vpp_config()
984 self.send_and_assert_no_replies(self.pg2,
985 pkt_inter_epg_221_to_220 * 65)
986 self.send_and_assert_no_replies(self.pg0,
987 pkt_inter_epg_220_to_221 * 65)
988 self.send_and_expect_bridged(self.pg0, pkt_intra_epg * 65, self.pg1)
991 # EPs to the outside world
994 # in the EP's RD an external subnet via the NAT EPG's recirc
995 se1 = VppGbpSubnet(self, 0, "0.0.0.0", 0,
997 sw_if_index=recirc_nat.recirc.sw_if_index,
1000 se2 = VppGbpSubnet(self, 0, "11.0.0.0", 8,
1002 sw_if_index=recirc_nat.recirc.sw_if_index,
1004 se2.add_vpp_config()
1005 se16 = VppGbpSubnet(self, 0, "::", 0,
1007 sw_if_index=recirc_nat.recirc.sw_if_index,
1009 se16.add_vpp_config()
1010 # in the NAT RD an external subnet via the NAT EPG's uplink
1011 se3 = VppGbpSubnet(self, 20, "0.0.0.0", 0,
1013 sw_if_index=epg_nat.uplink.sw_if_index,
1015 se36 = VppGbpSubnet(self, 20, "::", 0,
1017 sw_if_index=epg_nat.uplink.sw_if_index,
1019 se4 = VppGbpSubnet(self, 20, "11.0.0.0", 8,
1021 sw_if_index=epg_nat.uplink.sw_if_index,
1023 se3.add_vpp_config()
1024 se36.add_vpp_config()
1025 se4.add_vpp_config()
1027 self.logger.info(self.vapi.cli("sh ip fib 0.0.0.0/0"))
1028 self.logger.info(self.vapi.cli("sh ip fib 11.0.0.1"))
1029 self.logger.info(self.vapi.cli("sh ip6 fib ::/0"))
1030 self.logger.info(self.vapi.cli("sh ip6 fib %s" %
1034 # From an EP to an outside addess: IN2OUT
1036 pkt_inter_epg_220_to_global = (Ether(src=self.pg0.remote_mac,
1037 dst=self.router_mac) /
1038 IP(src=eps[0].ip4.address,
1040 UDP(sport=1234, dport=1234) /
1044 self.send_and_assert_no_replies(self.pg0,
1045 pkt_inter_epg_220_to_global * 65)
1047 acl2 = VppGbpAcl(self)
1048 rule = acl2.create_rule(permit_deny=1, proto=17, sport_from=1234,
1049 sport_to=1234, dport_from=1234, dport_to=1234)
1050 rule2 = acl2.create_rule(is_ipv6=1, permit_deny=1, proto=17,
1051 sport_from=1234, sport_to=1234,
1052 dport_from=1234, dport_to=1234)
1054 acl_index2 = acl2.add_vpp_config([rule, rule2])
1055 c4 = VppGbpContract(self, 220, 333, acl_index2)
1058 self.send_and_expect_natted(self.pg0,
1059 pkt_inter_epg_220_to_global * 65,
1061 eps[0].fip4.address)
1063 pkt_inter_epg_220_to_global = (Ether(src=self.pg0.remote_mac,
1064 dst=self.router_mac) /
1065 IPv6(src=eps[0].ip6.address,
1067 UDP(sport=1234, dport=1234) /
1070 self.send_and_expect_natted6(self.pg0,
1071 pkt_inter_epg_220_to_global * 65,
1073 eps[0].fip6.address)
1076 # From a global address to an EP: OUT2IN
1078 pkt_inter_epg_220_from_global = (Ether(src=self.router_mac,
1079 dst=self.pg0.remote_mac) /
1080 IP(dst=eps[0].fip4.address,
1082 UDP(sport=1234, dport=1234) /
1085 self.send_and_assert_no_replies(self.pg7,
1086 pkt_inter_epg_220_from_global * 65)
1088 c5 = VppGbpContract(self, 333, 220, acl_index2)
1091 self.send_and_expect_unnatted(self.pg7,
1092 pkt_inter_epg_220_from_global * 65,
1096 pkt_inter_epg_220_from_global = (Ether(src=self.router_mac,
1097 dst=self.pg0.remote_mac) /
1098 IPv6(dst=eps[0].fip6.address,
1100 UDP(sport=1234, dport=1234) /
1103 self.send_and_expect_unnatted6(self.pg7,
1104 pkt_inter_epg_220_from_global * 65,
1109 # From a local VM to another local VM using resp. public addresses:
1112 pkt_intra_epg_220_global = (Ether(src=self.pg0.remote_mac,
1113 dst=self.router_mac) /
1114 IP(src=eps[0].ip4.address,
1115 dst=eps[1].fip4.address) /
1116 UDP(sport=1234, dport=1234) /
1119 self.send_and_expect_double_natted(eps[0].itf,
1120 pkt_intra_epg_220_global * 65,
1122 eps[0].fip4.address,
1125 pkt_intra_epg_220_global = (Ether(src=self.pg0.remote_mac,
1126 dst=self.router_mac) /
1127 IPv6(src=eps[0].ip6.address,
1128 dst=eps[1].fip6.address) /
1129 UDP(sport=1234, dport=1234) /
1132 self.send_and_expect_double_natted6(eps[0].itf,
1133 pkt_intra_epg_220_global * 65,
1135 eps[0].fip6.address,
1142 # del static mappings for each EP from the 10/8 to 11/8 network
1143 self.vapi.nat44_add_del_static_mapping(ep.ip4.bytes,
1148 self.vapi.nat66_add_del_static_mapping(ep.ip6.bytes,
1154 # IP config on the BVI interfaces
1155 self.vapi.sw_interface_add_del_address(epg.bvi.sw_if_index,
1159 self.vapi.sw_interface_add_del_address(epg.bvi.sw_if_index,
1164 self.logger.info(self.vapi.cli("sh int addr"))
1166 epg.uplink.set_table_ip4(0)
1167 epg.uplink.set_table_ip6(0)
1169 if epg != epgs[0] and epg != epgs[3]:
1170 epg.bvi.set_table_ip4(0)
1171 epg.bvi.set_table_ip6(0)
1173 self.vapi.nat44_interface_add_del_feature(epg.bvi.sw_if_index,
1176 self.vapi.nat66_add_del_interface(epg.bvi.sw_if_index,
1180 for recirc in recircs:
1181 recirc.recirc.set_table_ip4(0)
1182 recirc.recirc.set_table_ip6(0)
1184 self.vapi.nat44_interface_add_del_feature(
1185 recirc.recirc.sw_if_index,
1188 self.vapi.nat66_add_del_interface(
1189 recirc.recirc.sw_if_index,
1194 if __name__ == '__main__':
1195 unittest.main(testRunner=VppTestRunner)
Code Review / vpp.git / blob