Code Review / vpp.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | inline | side by side
acl: revert acl: api cleanup
[vpp.git] / src / plugins / acl / test / test_acl_plugin.py
diff --git a/src/plugins/acl/test/test_acl_plugin.py b/src/plugins/acl/test/test_acl_plugin.py
index 8cac81c..f07d375 100644 (file)
--- a/src/plugins/acl/test/test_acl_plugin.py
+++ b/src/plugins/acl/test/test_acl_plugin.py
@@ -12,11 +12,8 @@ from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
 from scapy.layers.inet6 import IPv6ExtHdrFragment
 from framework import VppTestCase, VppTestRunner
 from util import Host, ppp
 from scapy.layers.inet6 import IPv6ExtHdrFragment
 from framework import VppTestCase, VppTestRunner
 from util import Host, ppp
-from ipaddress import IPv4Network, IPv6Network
 
 from vpp_lo_interface import VppLoInterface
 
 from vpp_lo_interface import VppLoInterface
-from vpp_acl import AclRule, VppAcl, VppAclInterface, VppEtypeWhitelist
-from vpp_ip import INVALID_INDEX
 
 
 class TestACLplugin(VppTestCase):
 
 
 class TestACLplugin(VppTestCase):
@@ -178,49 +175,105 @@ class TestACLplugin(VppTestCase):
                                          % self.bd_id))
 
     def create_rule(self, ip=0, permit_deny=0, ports=PORTS_ALL, proto=-1,
                                          % self.bd_id))
 
     def create_rule(self, ip=0, permit_deny=0, ports=PORTS_ALL, proto=-1,
-                    s_prefix=0, s_ip=0,
-                    d_prefix=0, d_ip=0):
-        if ip:
-            src_prefix = IPv6Network((s_ip, s_prefix))
-            dst_prefix = IPv6Network((d_ip, d_prefix))
+                    s_prefix=0, s_ip=b'\x00\x00\x00\x00',
+                    d_prefix=0, d_ip=b'\x00\x00\x00\x00'):
+        if proto == -1:
+            return
+        if ports == self.PORTS_ALL:
+            sport_from = 0
+            dport_from = 0
+            sport_to = 65535 if proto != 1 and proto != 58 else 255
+            dport_to = sport_to
+        elif ports == self.PORTS_RANGE:
+            if proto == 1:
+                sport_from = self.icmp4_type
+                sport_to = self.icmp4_type
+                dport_from = self.icmp4_code
+                dport_to = self.icmp4_code
+            elif proto == 58:
+                sport_from = self.icmp6_type
+                sport_to = self.icmp6_type
+                dport_from = self.icmp6_code
+                dport_to = self.icmp6_code
+            elif proto == self.proto[self.IP][self.TCP]:
+                sport_from = self.tcp_sport_from
+                sport_to = self.tcp_sport_to
+                dport_from = self.tcp_dport_from
+                dport_to = self.tcp_dport_to
+            elif proto == self.proto[self.IP][self.UDP]:
+                sport_from = self.udp_sport_from
+                sport_to = self.udp_sport_to
+                dport_from = self.udp_dport_from
+                dport_to = self.udp_dport_to
+        elif ports == self.PORTS_RANGE_2:
+            if proto == 1:
+                sport_from = self.icmp4_type_2
+                sport_to = self.icmp4_type_2
+                dport_from = self.icmp4_code_from_2
+                dport_to = self.icmp4_code_to_2
+            elif proto == 58:
+                sport_from = self.icmp6_type_2
+                sport_to = self.icmp6_type_2
+                dport_from = self.icmp6_code_from_2
+                dport_to = self.icmp6_code_to_2
+            elif proto == self.proto[self.IP][self.TCP]:
+                sport_from = self.tcp_sport_from_2
+                sport_to = self.tcp_sport_to_2
+                dport_from = self.tcp_dport_from_2
+                dport_to = self.tcp_dport_to_2
+            elif proto == self.proto[self.IP][self.UDP]:
+                sport_from = self.udp_sport_from_2
+                sport_to = self.udp_sport_to_2
+                dport_from = self.udp_dport_from_2
+                dport_to = self.udp_dport_to_2
         else:
         else:
-            src_prefix = IPv4Network((s_ip, s_prefix))
-            dst_prefix = IPv4Network((d_ip, d_prefix))
-        return AclRule(is_permit=permit_deny, ports=ports, proto=proto,
-                       src_prefix=src_prefix, dst_prefix=dst_prefix)
-
-    def apply_rules(self, rules, tag=None):
-        acl = VppAcl(self, rules, tag=tag)
-        acl.add_vpp_config()
-        self.logger.info("Dumped ACL: " + str(acl.dump()))
+            sport_from = ports
+            sport_to = ports
+            dport_from = ports
+            dport_to = ports
+
+        rule = ({'is_permit': permit_deny, 'is_ipv6': ip, 'proto': proto,
+                 'srcport_or_icmptype_first': sport_from,
+                 'srcport_or_icmptype_last': sport_to,
+                 'src_ip_prefix_len': s_prefix,
+                 'src_ip_addr': s_ip,
+                 'dstport_or_icmpcode_first': dport_from,
+                 'dstport_or_icmpcode_last': dport_to,
+                 'dst_ip_prefix_len': d_prefix,
+                 'dst_ip_addr': d_ip})
+        return rule
+
+    def apply_rules(self, rules, tag=b''):
+        reply = self.vapi.acl_add_replace(acl_index=4294967295, r=rules,
+                                          tag=tag)
+        self.logger.info("Dumped ACL: " + str(
+            self.vapi.acl_dump(reply.acl_index)))
         # Apply a ACL on the interface as inbound
         for i in self.pg_interfaces:
         # Apply a ACL on the interface as inbound
         for i in self.pg_interfaces:
-            acl_if = VppAclInterface(
-                self, sw_if_index=i.sw_if_index, n_input=1, acls=[acl])
-            acl_if.add_vpp_config()
-        return acl.acl_index
-
-    def apply_rules_to(self, rules, tag=None, sw_if_index=INVALID_INDEX):
-        acl = VppAcl(self, rules, tag=tag)
-        acl.add_vpp_config()
-        self.logger.info("Dumped ACL: " + str(acl.dump()))
+            self.vapi.acl_interface_set_acl_list(sw_if_index=i.sw_if_index,
+                                                 n_input=1,
+                                                 acls=[reply.acl_index])
+        return reply.acl_index
+
+    def apply_rules_to(self, rules, tag=b'', sw_if_index=0xFFFFFFFF):
+        reply = self.vapi.acl_add_replace(acl_index=4294967295, r=rules,
+                                          tag=tag)
+        self.logger.info("Dumped ACL: " + str(
+            self.vapi.acl_dump(reply.acl_index)))
         # Apply a ACL on the interface as inbound
         # Apply a ACL on the interface as inbound
-        acl_if = VppAclInterface(self, sw_if_index=sw_if_index, n_input=1,
-                                 acls=[acl])
-        return acl.acl_index
+        self.vapi.acl_interface_set_acl_list(sw_if_index=sw_if_index,
+                                             n_input=1,
+                                             acls=[reply.acl_index])
+        return reply.acl_index
 
 
-    def etype_whitelist(self, whitelist, n_input, add=True):
+    def etype_whitelist(self, whitelist, n_input):
         # Apply whitelists on all the interfaces
         # Apply whitelists on all the interfaces
-        if add:
-            self._wl = []
-            for i in self.pg_interfaces:
-                self._wl.append(VppEtypeWhitelist(
-                    self, sw_if_index=i.sw_if_index, whitelist=whitelist,
-                    n_input=n_input).add_vpp_config())
-        else:
-            if hasattr(self, "_wl"):
-                for wl in self._wl:
-                    wl.remove_vpp_config()
+        for i in self.pg_interfaces:
+            # checkstyle can't read long names. Help them.
+            fun = self.vapi.acl_interface_set_etype_whitelist
+            fun(sw_if_index=i.sw_if_index, n_input=n_input,
+                whitelist=whitelist)
+        return
 
     def create_upper_layer(self, packet_index, proto, ports=0):
         p = self.proto_map[proto]
 
     def create_upper_layer(self, packet_index, proto, ports=0):
         p = self.proto_map[proto]
@@ -489,16 +542,24 @@ class TestACLplugin(VppTestCase):
         """
 
         self.logger.info("ACLP_TEST_START_0001")
         """
 
         self.logger.info("ACLP_TEST_START_0001")
-        # Create a permit-1234 ACL
-        r = [AclRule(is_permit=1, proto=17, ports=1234)]
-        r[0].sport_to = 1235
+        # Add an ACL
+        r = [{'is_permit': 1, 'is_ipv6': 0, 'proto': 17,
+              'srcport_or_icmptype_first': 1234,
+              'srcport_or_icmptype_last': 1235,
+              'src_ip_prefix_len': 0,
+              'src_ip_addr': b'\x00\x00\x00\x00',
+              'dstport_or_icmpcode_first': 1234,
+              'dstport_or_icmpcode_last': 1234,
+              'dst_ip_addr': b'\x00\x00\x00\x00',
+              'dst_ip_prefix_len': 0}]
         # Test 1: add a new ACL
         # Test 1: add a new ACL
-        first_acl = VppAcl(self, rules=r, tag="permit 1234")
-        first_acl.add_vpp_config()
-        self.assertTrue(first_acl.query_vpp_config())
+        reply = self.vapi.acl_add_replace(acl_index=4294967295, r=r,
+                                          tag=b"permit 1234")
+        self.assertEqual(reply.retval, 0)
         # The very first ACL gets #0
         # The very first ACL gets #0
-        self.assertEqual(first_acl.acl_index, 0)
-        rr = first_acl.dump()
+        self.assertEqual(reply.acl_index, 0)
+        first_acl = reply.acl_index
+        rr = self.vapi.acl_dump(reply.acl_index)
         self.logger.info("Dumped ACL: " + str(rr))
         self.assertEqual(len(rr), 1)
         # We should have the same number of ACL entries as we had asked
         self.logger.info("Dumped ACL: " + str(rr))
         self.assertEqual(len(rr), 1)
         # We should have the same number of ACL entries as we had asked
@@ -507,50 +568,70 @@ class TestACLplugin(VppTestCase):
         # are different types, we need to iterate over rules and keys to get
         # to basic values.
         for i_rule in range(0, len(r) - 1):
         # are different types, we need to iterate over rules and keys to get
         # to basic values.
         for i_rule in range(0, len(r) - 1):
-            encoded_rule = r[i_rule].encode()
-            for rule_key in encoded_rule:
+            for rule_key in r[i_rule]:
                 self.assertEqual(rr[0].r[i_rule][rule_key],
                 self.assertEqual(rr[0].r[i_rule][rule_key],
-                                 encoded_rule[rule_key])
-
-        # Create a deny-1234 ACL
-        r_deny = [AclRule(is_permit=0, proto=17, ports=1234),
-                  AclRule(is_permit=1, proto=17, ports=0)]
-        r_deny[0].sport_to = 1235
-        second_acl = VppAcl(self, rules=r_deny, tag="deny 1234;permit all")
-        second_acl.add_vpp_config()
-        self.assertTrue(second_acl.query_vpp_config())
+                                 r[i_rule][rule_key])
+
+        # Add a deny-1234 ACL
+        r_deny = [{'is_permit': 0, 'is_ipv6': 0, 'proto': 17,
+                   'srcport_or_icmptype_first': 1234,
+                   'srcport_or_icmptype_last': 1235,
+                   'src_ip_prefix_len': 0,
+                   'src_ip_addr': b'\x00\x00\x00\x00',
+                   'dstport_or_icmpcode_first': 1234,
+                   'dstport_or_icmpcode_last': 1234,
+                   'dst_ip_addr': b'\x00\x00\x00\x00',
+                   'dst_ip_prefix_len': 0},
+                  {'is_permit': 1, 'is_ipv6': 0, 'proto': 17,
+                   'srcport_or_icmptype_first': 0,
+                   'srcport_or_icmptype_last': 0,
+                   'src_ip_prefix_len': 0,
+                   'src_ip_addr': b'\x00\x00\x00\x00',
+                   'dstport_or_icmpcode_first': 0,
+                   'dstport_or_icmpcode_last': 0,
+                   'dst_ip_addr': b'\x00\x00\x00\x00',
+                   'dst_ip_prefix_len': 0}]
+
+        reply = self.vapi.acl_add_replace(acl_index=4294967295, r=r_deny,
+                                          tag=b"deny 1234;permit all")
+        self.assertEqual(reply.retval, 0)
         # The second ACL gets #1
         # The second ACL gets #1
-        self.assertEqual(second_acl.acl_index, 1)
+        self.assertEqual(reply.acl_index, 1)
+        second_acl = reply.acl_index
 
         # Test 2: try to modify a nonexistent ACL
 
         # Test 2: try to modify a nonexistent ACL
-        invalid_acl = VppAcl(self, acl_index=432, rules=r, tag="FFFF:FFFF")
-        reply = invalid_acl.add_vpp_config(expect_error=True)
-
-        # apply an ACL on an interface inbound, try to delete ACL, must fail
-        acl_if_list = VppAclInterface(
-            self, sw_if_index=self.pg0.sw_if_index, n_input=1,
-            acls=[first_acl])
-        acl_if_list.add_vpp_config()
-        first_acl.remove_vpp_config(expect_error=True)
-        # Unapply an ACL and then try to delete it - must be ok
-        acl_if_list.remove_vpp_config()
-        first_acl.remove_vpp_config()
-
+        reply = self.vapi.acl_add_replace(acl_index=432, r=r,
+                                          tag=b"FFFF:FFFF", expected_retval=-6)
+        self.assertEqual(reply.retval, -6)
+        # The ACL number should pass through
+        self.assertEqual(reply.acl_index, 432)
         # apply an ACL on an interface inbound, try to delete ACL, must fail
         # apply an ACL on an interface inbound, try to delete ACL, must fail
-        acl_if_list = VppAclInterface(
-            self, sw_if_index=self.pg0.sw_if_index, n_input=0,
-            acls=[second_acl])
-        acl_if_list.add_vpp_config()
-        second_acl.remove_vpp_config(expect_error=True)
+        self.vapi.acl_interface_set_acl_list(sw_if_index=self.pg0.sw_if_index,
+                                             n_input=1,
+                                             acls=[first_acl])
+        reply = self.vapi.acl_del(acl_index=first_acl, expected_retval=-142)
         # Unapply an ACL and then try to delete it - must be ok
         # Unapply an ACL and then try to delete it - must be ok
-        acl_if_list.remove_vpp_config()
-        second_acl.remove_vpp_config()
+        self.vapi.acl_interface_set_acl_list(sw_if_index=self.pg0.sw_if_index,
+                                             n_input=0,
+                                             acls=[])
+        reply = self.vapi.acl_del(acl_index=first_acl, expected_retval=0)
+
+        # apply an ACL on an interface outbound, try to delete ACL, must fail
+        self.vapi.acl_interface_set_acl_list(sw_if_index=self.pg0.sw_if_index,
+                                             n_input=0,
+                                             acls=[second_acl])
+        reply = self.vapi.acl_del(acl_index=second_acl, expected_retval=-143)
+        # Unapply the ACL and then try to delete it - must be ok
+        self.vapi.acl_interface_set_acl_list(sw_if_index=self.pg0.sw_if_index,
+                                             n_input=0,
+                                             acls=[])
+        reply = self.vapi.acl_del(acl_index=second_acl, expected_retval=0)
 
         # try to apply a nonexistent ACL - must fail
 
         # try to apply a nonexistent ACL - must fail
-        acl_if_list = VppAclInterface(
-            self, sw_if_index=self.pg0.sw_if_index, n_input=0,
-            acls=[invalid_acl])
-        acl_if_list.add_vpp_config(expect_error=True)
+        self.vapi.acl_interface_set_acl_list(sw_if_index=self.pg0.sw_if_index,
+                                             n_input=1,
+                                             acls=[first_acl],
+                                             expected_retval=-6)
 
         self.logger.info("ACLP_TEST_FINISH_0001")
 
 
         self.logger.info("ACLP_TEST_FINISH_0001")
 
@@ -561,12 +642,12 @@ class TestACLplugin(VppTestCase):
 
         rules = []
         rules.append(self.create_rule(self.IPV4, self.PERMIT,
 
         rules = []
         rules.append(self.create_rule(self.IPV4, self.PERMIT,
-                                      0, self.proto[self.IP][self.UDP]))
+                     0, self.proto[self.IP][self.UDP]))
         rules.append(self.create_rule(self.IPV4, self.PERMIT,
         rules.append(self.create_rule(self.IPV4, self.PERMIT,
-                                      0, self.proto[self.IP][self.TCP]))
+                     0, self.proto[self.IP][self.TCP]))
 
         # Apply rules
 
         # Apply rules
-        acl_idx = self.apply_rules(rules, "permit per-flow")
+        acl_idx = self.apply_rules(rules, b"permit per-flow")
 
         # enable counters
         reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
 
         # enable counters
         reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
@@ -595,15 +676,14 @@ class TestACLplugin(VppTestCase):
         self.logger.info("ACLP_TEST_START_0003")
         # Add a deny-flows ACL
         rules = []
         self.logger.info("ACLP_TEST_START_0003")
         # Add a deny-flows ACL
         rules = []
-        rules.append(self.create_rule(
-            self.IPV4, self.DENY, self.PORTS_ALL,
-            self.proto[self.IP][self.UDP]))
+        rules.append(self.create_rule(self.IPV4, self.DENY,
+                     self.PORTS_ALL, self.proto[self.IP][self.UDP]))
         # Permit ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.PERMIT,
                                       self.PORTS_ALL, 0))
 
         # Apply rules
         # Permit ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.PERMIT,
                                       self.PORTS_ALL, 0))
 
         # Apply rules
-        acl_idx = self.apply_rules(rules, "deny per-flow;permit all")
+        acl_idx = self.apply_rules(rules, b"deny per-flow;permit all")
 
         # enable counters
         reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
 
         # enable counters
         reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
@@ -637,7 +717,7 @@ class TestACLplugin(VppTestCase):
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit icmpv4")
+        self.apply_rules(rules, b"permit icmpv4")
 
         # Traffic should still pass
         self.run_verify_test(self.ICMP, self.IPV4,
 
         # Traffic should still pass
         self.run_verify_test(self.ICMP, self.IPV4,
@@ -658,7 +738,7 @@ class TestACLplugin(VppTestCase):
         rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit icmpv6")
+        self.apply_rules(rules, b"permit icmpv6")
 
         # Traffic should still pass
         self.run_verify_test(self.ICMP, self.IPV6,
 
         # Traffic should still pass
         self.run_verify_test(self.ICMP, self.IPV6,
@@ -679,7 +759,7 @@ class TestACLplugin(VppTestCase):
                                       self.PORTS_ALL, 0))
 
         # Apply rules
                                       self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "deny icmpv4")
+        self.apply_rules(rules, b"deny icmpv4")
 
         # Traffic should not pass
         self.run_verify_negat_test(self.ICMP, self.IPV4, 0)
 
         # Traffic should not pass
         self.run_verify_negat_test(self.ICMP, self.IPV4, 0)
@@ -699,7 +779,7 @@ class TestACLplugin(VppTestCase):
                                       self.PORTS_ALL, 0))
 
         # Apply rules
                                       self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "deny icmpv6")
+        self.apply_rules(rules, b"deny icmpv6")
 
         # Traffic should not pass
         self.run_verify_negat_test(self.ICMP, self.IPV6, 0)
 
         # Traffic should not pass
         self.run_verify_negat_test(self.ICMP, self.IPV6, 0)
@@ -714,12 +794,12 @@ class TestACLplugin(VppTestCase):
         # Add an ACL
         rules = []
         rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
         # Add an ACL
         rules = []
         rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
-                                      self.proto[self.IP][self.TCP]))
+                     self.proto[self.IP][self.TCP]))
         # deny ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         # deny ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ipv4 tcp")
+        self.apply_rules(rules, b"permit ipv4 tcp")
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
@@ -739,7 +819,7 @@ class TestACLplugin(VppTestCase):
         rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ip6 tcp")
+        self.apply_rules(rules, b"permit ip6 tcp")
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
@@ -759,7 +839,7 @@ class TestACLplugin(VppTestCase):
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ipv udp")
+        self.apply_rules(rules, b"permit ipv udp")
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
@@ -779,7 +859,7 @@ class TestACLplugin(VppTestCase):
         rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ip6 udp")
+        self.apply_rules(rules, b"permit ip6 udp")
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
@@ -804,7 +884,7 @@ class TestACLplugin(VppTestCase):
                                       self.PORTS_ALL, 0))
 
         # Apply rules
                                       self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "deny ip4/ip6 tcp")
+        self.apply_rules(rules, b"deny ip4/ip6 tcp")
 
         # Traffic should not pass
         self.run_verify_negat_test(self.IP, self.IPRANDOM,
 
         # Traffic should not pass
         self.run_verify_negat_test(self.IP, self.IPRANDOM,
@@ -830,7 +910,7 @@ class TestACLplugin(VppTestCase):
                                       self.PORTS_ALL, 0))
 
         # Apply rules
                                       self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "deny ip4/ip6 udp")
+        self.apply_rules(rules, b"deny ip4/ip6 udp")
 
         # Traffic should not pass
         self.run_verify_negat_test(self.IP, self.IPRANDOM,
 
         # Traffic should not pass
         self.run_verify_negat_test(self.IP, self.IPRANDOM,
@@ -868,13 +948,13 @@ class TestACLplugin(VppTestCase):
         for i in range(len(r)):
             rules.append(self.create_rule(r[i][0], r[i][1], r[i][2], r[i][3]))
 
         for i in range(len(r)):
             rules.append(self.create_rule(r[i][0], r[i][1], r[i][2], r[i][3]))
 
-        acl = VppAcl(self, rules=rules)
-        acl.add_vpp_config()
-        result = acl.dump()
+        reply = self.vapi.acl_add_replace(acl_index=4294967295, r=rules)
+        result = self.vapi.acl_dump(reply.acl_index)
 
         i = 0
         for drules in result:
             for dr in drules.r:
 
         i = 0
         for drules in result:
             for dr in drules.r:
+                self.assertEqual(dr.is_ipv6, r[i][0])
                 self.assertEqual(dr.is_permit, r[i][1])
                 self.assertEqual(dr.proto, r[i][3])
 
                 self.assertEqual(dr.is_permit, r[i][1])
                 self.assertEqual(dr.proto, r[i][3])
 
@@ -921,7 +1001,7 @@ class TestACLplugin(VppTestCase):
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ip4 tcp %d" % port)
+        self.apply_rules(rules, b"permit ip4 tcp %d" % port)
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV4,
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV4,
@@ -943,7 +1023,7 @@ class TestACLplugin(VppTestCase):
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ip4 tcp %d" % port)
+        self.apply_rules(rules, b"permit ip4 tcp %d" % port)
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV4,
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV4,
@@ -965,7 +1045,7 @@ class TestACLplugin(VppTestCase):
         rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ip4 tcp %d" % port)
+        self.apply_rules(rules, b"permit ip4 tcp %d" % port)
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV6,
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV6,
@@ -974,7 +1054,7 @@ class TestACLplugin(VppTestCase):
         self.logger.info("ACLP_TEST_FINISH_0017")
 
     def test_0018_udp_permit_port_v6(self):
         self.logger.info("ACLP_TEST_FINISH_0017")
 
     def test_0018_udp_permit_port_v6(self):
-        """ permit single UDPv6
+        """ permit single UPPv6
         """
         self.logger.info("ACLP_TEST_START_0018")
 
         """
         self.logger.info("ACLP_TEST_START_0018")
 
@@ -988,7 +1068,7 @@ class TestACLplugin(VppTestCase):
                                       self.PORTS_ALL, 0))
 
         # Apply rules
                                       self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ip4 tcp %d" % port)
+        self.apply_rules(rules, b"permit ip4 tcp %d" % port)
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV6,
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV6,
@@ -1015,7 +1095,7 @@ class TestACLplugin(VppTestCase):
                                       self.PORTS_ALL, 0))
 
         # Apply rules
                                       self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
+        self.apply_rules(rules, b"deny ip4/ip6 udp %d" % port)
 
         # Traffic should not pass
         self.run_verify_negat_test(self.IP, self.IPRANDOM,
 
         # Traffic should not pass
         self.run_verify_negat_test(self.IP, self.IPRANDOM,
@@ -1042,7 +1122,7 @@ class TestACLplugin(VppTestCase):
                                       self.PORTS_ALL, 0))
 
         # Apply rules
                                       self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
+        self.apply_rules(rules, b"deny ip4/ip6 udp %d" % port)
 
         # Traffic should not pass
         self.run_verify_negat_test(self.IP, self.IPRANDOM,
 
         # Traffic should not pass
         self.run_verify_negat_test(self.IP, self.IPRANDOM,
@@ -1070,7 +1150,7 @@ class TestACLplugin(VppTestCase):
                                       self.PORTS_ALL, 0))
 
         # Apply rules
                                       self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
+        self.apply_rules(rules, b"deny ip4/ip6 udp %d" % port)
 
         # Traffic should not pass
         self.run_verify_negat_test(self.IP, self.IPRANDOM,
 
         # Traffic should not pass
         self.run_verify_negat_test(self.IP, self.IPRANDOM,
@@ -1092,7 +1172,7 @@ class TestACLplugin(VppTestCase):
             self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
             self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit empty udp ip4 %d" % port)
+        self.apply_rules(rules, b"permit empty udp ip4 %d" % port)
 
         # Traffic should still pass
         # Create incoming packet streams for packet-generator interfaces
 
         # Traffic should still pass
         # Create incoming packet streams for packet-generator interfaces
@@ -1126,7 +1206,7 @@ class TestACLplugin(VppTestCase):
         rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit empty udp ip6 %d" % port)
+        self.apply_rules(rules, b"permit empty udp ip6 %d" % port)
 
         # Traffic should still pass
         # Create incoming packet streams for packet-generator interfaces
 
         # Traffic should still pass
         # Create incoming packet streams for packet-generator interfaces
@@ -1156,14 +1236,14 @@ class TestACLplugin(VppTestCase):
         # Add an ACL
         rules = []
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
         # Add an ACL
         rules = []
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
-                                      self.proto[self.IP][self.TCP]))
+                     self.proto[self.IP][self.TCP]))
         rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
         rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
-                                      self.proto[self.IP][self.TCP]))
+                     self.proto[self.IP][self.TCP]))
         # deny ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         # deny ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ipv4 tcp")
+        self.apply_rules(rules, b"permit ipv4 tcp")
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
@@ -1185,7 +1265,7 @@ class TestACLplugin(VppTestCase):
         rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ip6 tcp")
+        self.apply_rules(rules, b"permit ip6 tcp")
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
@@ -1207,7 +1287,7 @@ class TestACLplugin(VppTestCase):
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ipv4 udp")
+        self.apply_rules(rules, b"permit ipv4 udp")
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
@@ -1229,7 +1309,7 @@ class TestACLplugin(VppTestCase):
         rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ip6 udp")
+        self.apply_rules(rules, b"permit ip6 udp")
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
 
         # Traffic should still pass
         self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
@@ -1260,7 +1340,7 @@ class TestACLplugin(VppTestCase):
                                       self.PORTS_ALL, 0))
 
         # Apply rules
                                       self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "deny ip4/ip6 tcp")
+        self.apply_rules(rules, b"deny ip4/ip6 tcp")
 
         # Traffic should not pass
         self.run_verify_negat_test(self.IP, self.IPRANDOM,
 
         # Traffic should not pass
         self.run_verify_negat_test(self.IP, self.IPRANDOM,
@@ -1292,7 +1372,7 @@ class TestACLplugin(VppTestCase):
                                       self.PORTS_ALL, 0))
 
         # Apply rules
                                       self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "deny ip4/ip6 udp")
+        self.apply_rules(rules, b"deny ip4/ip6 udp")
 
         # Traffic should not pass
         self.run_verify_negat_test(self.IP, self.IPRANDOM,
 
         # Traffic should not pass
         self.run_verify_negat_test(self.IP, self.IPRANDOM,
@@ -1308,14 +1388,14 @@ class TestACLplugin(VppTestCase):
         # Add an ACL
         rules = []
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
         # Add an ACL
         rules = []
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
-                                      self.proto[self.IP][self.TCP]))
+                     self.proto[self.IP][self.TCP]))
         rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
         rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
-                                      self.proto[self.IP][self.TCP]))
+                     self.proto[self.IP][self.TCP]))
         # deny ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         # deny ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ipv4 tcp")
+        self.apply_rules(rules, b"permit ipv4 tcp")
 
         # Traffic should still pass also for an odd ethertype
         self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
 
         # Traffic should still pass also for an odd ethertype
         self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
@@ -1330,14 +1410,15 @@ class TestACLplugin(VppTestCase):
         # Add an ACL
         rules = []
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
         # Add an ACL
         rules = []
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
-                                      self.proto[self.IP][self.TCP]))
+                     self.proto[self.IP][self.TCP]))
         rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
         rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
-                                      self.proto[self.IP][self.TCP]))
+                     self.proto[self.IP][self.TCP]))
         # deny ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         # deny ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ipv4 tcp")
+        self.apply_rules(rules, b"permit ipv4 tcp")
+
         # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
         self.etype_whitelist([0xbbb], 1)
 
         # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
         self.etype_whitelist([0xbbb], 1)
 
@@ -1347,7 +1428,7 @@ class TestACLplugin(VppTestCase):
                                    0, False, 0xaaaa)
 
         # remove the whitelist
                                    0, False, 0xaaaa)
 
         # remove the whitelist
-        self.etype_whitelist([], 0, add=False)
+        self.etype_whitelist([], 0)
 
         self.logger.info("ACLP_TEST_FINISH_0305")
 
 
         self.logger.info("ACLP_TEST_FINISH_0305")
 
@@ -1359,14 +1440,15 @@ class TestACLplugin(VppTestCase):
         # Add an ACL
         rules = []
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
         # Add an ACL
         rules = []
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
-                                      self.proto[self.IP][self.TCP]))
+                     self.proto[self.IP][self.TCP]))
         rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
         rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
-                                      self.proto[self.IP][self.TCP]))
+                     self.proto[self.IP][self.TCP]))
         # deny ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         # deny ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ipv4 tcp")
+        self.apply_rules(rules, b"permit ipv4 tcp")
+
         # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
         self.etype_whitelist([0xbbb], 1)
 
         # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
         self.etype_whitelist([0xbbb], 1)
 
@@ -1375,7 +1457,7 @@ class TestACLplugin(VppTestCase):
                              0, False, True, 0x0bbb)
 
         # remove the whitelist, the previously blocked 0xAAAA should pass now
                              0, False, True, 0x0bbb)
 
         # remove the whitelist, the previously blocked 0xAAAA should pass now
-        self.etype_whitelist([], 0, add=False)
+        self.etype_whitelist([], 0)
 
         self.logger.info("ACLP_TEST_FINISH_0306")
 
 
         self.logger.info("ACLP_TEST_FINISH_0306")
 
@@ -1387,19 +1469,19 @@ class TestACLplugin(VppTestCase):
         # Add an ACL
         rules = []
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
         # Add an ACL
         rules = []
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
-                                      self.proto[self.IP][self.TCP]))
+                     self.proto[self.IP][self.TCP]))
         rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
         rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
-                                      self.proto[self.IP][self.TCP]))
+                     self.proto[self.IP][self.TCP]))
         # deny ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
         # deny ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # Apply rules
-        self.apply_rules(rules, "permit ipv4 tcp")
+        self.apply_rules(rules, b"permit ipv4 tcp")
 
         # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
         self.etype_whitelist([0xbbb], 1)
         # remove the whitelist, the previously blocked 0xAAAA should pass now
 
         # whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
         self.etype_whitelist([0xbbb], 1)
         # remove the whitelist, the previously blocked 0xAAAA should pass now
-        self.etype_whitelist([], 0, add=False)
+        self.etype_whitelist([], 0)
 
         # The whitelisted traffic, should pass
         self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
 
         # The whitelisted traffic, should pass
         self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP],
@@ -1415,9 +1497,9 @@ class TestACLplugin(VppTestCase):
         # Add an ACL
         rules = []
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
         # Add an ACL
         rules = []
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_RANGE_2,
-                                      self.proto[self.IP][self.TCP]))
+                     self.proto[self.IP][self.TCP]))
         rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
         rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_RANGE,
-                                      self.proto[self.IP][self.TCP]))
+                     self.proto[self.IP][self.TCP]))
         # deny ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
         # deny ip any any in the end
         rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
 
@@ -1426,13 +1508,12 @@ class TestACLplugin(VppTestCase):
         intf.append(VppLoInterface(self))
 
         # Apply rules
         intf.append(VppLoInterface(self))
 
         # Apply rules
-        self.apply_rules_to(rules, "permit ipv4 tcp", intf[0].sw_if_index)
+        self.apply_rules_to(rules, b"permit ipv4 tcp", intf[0].sw_if_index)
 
         # Remove the interface
         intf[0].remove_vpp_config()
 
         self.logger.info("ACLP_TEST_FINISH_0315")
 
 
         # Remove the interface
         intf[0].remove_vpp_config()
 
         self.logger.info("ACLP_TEST_FINISH_0315")
 
-
 if __name__ == '__main__':
     unittest.main(testRunner=VppTestRunner)
 if __name__ == '__main__':
     unittest.main(testRunner=VppTestRunner)
Vector Packet Processing