2019-10-31 13:31:07 -05:00
|
|
|
#!/usr/bin/env python3
|
2017-03-02 15:22:47 +01:00
|
|
|
"""ACL plugin Test Case HLD:
|
|
|
|
"""
|
|
|
|
|
|
|
|
import unittest
|
|
|
|
import random
|
|
|
|
|
2023-09-26 16:01:21 +02:00
|
|
|
from config import config
|
2017-03-02 15:22:47 +01:00
|
|
|
from scapy.packet import Raw
|
|
|
|
from scapy.layers.l2 import Ether
|
|
|
|
from scapy.layers.inet import IP, TCP, UDP, ICMP
|
|
|
|
from scapy.layers.inet6 import IPv6, ICMPv6EchoRequest
|
2017-04-04 14:10:40 +00:00
|
|
|
from scapy.layers.inet6 import IPv6ExtHdrFragment
|
2023-08-31 00:47:44 -04:00
|
|
|
from framework import VppTestCase
|
|
|
|
from asfframework import VppTestRunner, tag_fixme_vpp_workers
|
2017-03-02 15:22:47 +01:00
|
|
|
from util import Host, ppp
|
2020-03-27 06:55:06 +01:00
|
|
|
from ipaddress import IPv4Network, IPv6Network
|
2017-03-02 15:22:47 +01:00
|
|
|
|
2018-03-23 10:38:46 +01:00
|
|
|
from vpp_lo_interface import VppLoInterface
|
2020-03-27 06:55:06 +01:00
|
|
|
from vpp_acl import AclRule, VppAcl, VppAclInterface, VppEtypeWhitelist
|
|
|
|
from vpp_ip import INVALID_INDEX
|
2018-03-23 10:38:46 +01:00
|
|
|
|
2017-03-02 15:22:47 +01:00
|
|
|
|
2023-09-26 16:01:21 +02:00
|
|
|
@unittest.skipIf("acl" in config.excluded_plugins, "Exclude ACL plugin tests")
|
2021-01-20 20:30:36 +00:00
|
|
|
@tag_fixme_vpp_workers
|
2017-03-02 15:22:47 +01:00
|
|
|
class TestACLplugin(VppTestCase):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""ACL plugin Test Case"""
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# traffic types
|
|
|
|
IP = 0
|
|
|
|
ICMP = 1
|
|
|
|
|
|
|
|
# IP version
|
|
|
|
IPRANDOM = -1
|
|
|
|
IPV4 = 0
|
|
|
|
IPV6 = 1
|
|
|
|
|
|
|
|
# rule types
|
|
|
|
DENY = 0
|
|
|
|
PERMIT = 1
|
|
|
|
|
|
|
|
# supported protocols
|
|
|
|
proto = [[6, 17], [1, 58]]
|
2022-04-26 19:02:15 +02:00
|
|
|
proto_map = {1: "ICMP", 58: "ICMPv6EchoRequest", 6: "TCP", 17: "UDP"}
|
2017-03-02 15:22:47 +01:00
|
|
|
ICMPv4 = 0
|
|
|
|
ICMPv6 = 1
|
|
|
|
TCP = 0
|
|
|
|
UDP = 1
|
|
|
|
PROTO_ALL = 0
|
|
|
|
|
|
|
|
# port ranges
|
|
|
|
PORTS_ALL = -1
|
|
|
|
PORTS_RANGE = 0
|
2017-08-10 17:02:58 +02:00
|
|
|
PORTS_RANGE_2 = 1
|
2017-03-02 15:22:47 +01:00
|
|
|
udp_sport_from = 10
|
|
|
|
udp_sport_to = udp_sport_from + 5
|
|
|
|
udp_dport_from = 20000
|
|
|
|
udp_dport_to = udp_dport_from + 5000
|
|
|
|
tcp_sport_from = 30
|
|
|
|
tcp_sport_to = tcp_sport_from + 5
|
|
|
|
tcp_dport_from = 40000
|
|
|
|
tcp_dport_to = tcp_dport_from + 5000
|
|
|
|
|
2017-08-10 17:02:58 +02:00
|
|
|
udp_sport_from_2 = 90
|
|
|
|
udp_sport_to_2 = udp_sport_from_2 + 5
|
|
|
|
udp_dport_from_2 = 30000
|
|
|
|
udp_dport_to_2 = udp_dport_from_2 + 5000
|
|
|
|
tcp_sport_from_2 = 130
|
|
|
|
tcp_sport_to_2 = tcp_sport_from_2 + 5
|
|
|
|
tcp_dport_from_2 = 20000
|
|
|
|
tcp_dport_to_2 = tcp_dport_from_2 + 5000
|
|
|
|
|
2017-03-02 15:22:47 +01:00
|
|
|
icmp4_type = 8 # echo request
|
|
|
|
icmp4_code = 3
|
|
|
|
icmp6_type = 128 # echo request
|
|
|
|
icmp6_code = 3
|
|
|
|
|
2017-08-10 17:02:58 +02:00
|
|
|
icmp4_type_2 = 8
|
|
|
|
icmp4_code_from_2 = 5
|
|
|
|
icmp4_code_to_2 = 20
|
|
|
|
icmp6_type_2 = 128
|
|
|
|
icmp6_code_from_2 = 8
|
|
|
|
icmp6_code_to_2 = 42
|
|
|
|
|
2017-03-02 15:22:47 +01:00
|
|
|
# Test variables
|
|
|
|
bd_id = 1
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
def setUpClass(cls):
|
|
|
|
"""
|
|
|
|
Perform standard class setup (defined by class method setUpClass in
|
|
|
|
class VppTestCase) before running the test case, set test case related
|
|
|
|
variables and configure VPP.
|
|
|
|
"""
|
|
|
|
super(TestACLplugin, cls).setUpClass()
|
|
|
|
|
|
|
|
try:
|
|
|
|
# Create 2 pg interfaces
|
|
|
|
cls.create_pg_interfaces(range(2))
|
|
|
|
|
|
|
|
# Packet flows mapping pg0 -> pg1, pg2 etc.
|
|
|
|
cls.flows = dict()
|
|
|
|
cls.flows[cls.pg0] = [cls.pg1]
|
|
|
|
|
|
|
|
# Packet sizes
|
|
|
|
cls.pg_if_packet_sizes = [64, 512, 1518, 9018]
|
|
|
|
|
|
|
|
# Create BD with MAC learning and unknown unicast flooding disabled
|
|
|
|
# and put interfaces to this BD
|
2022-09-16 13:20:07 +02:00
|
|
|
cls.vapi.bridge_domain_add_del_v2(
|
|
|
|
bd_id=cls.bd_id, uu_flood=1, learn=1, flood=1, forward=1, is_add=1
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
for pg_if in cls.pg_interfaces:
|
2019-03-11 19:23:25 +01:00
|
|
|
cls.vapi.sw_interface_set_l2_bridge(
|
2022-04-26 19:02:15 +02:00
|
|
|
rx_sw_if_index=pg_if.sw_if_index, bd_id=cls.bd_id
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Set up all interfaces
|
|
|
|
for i in cls.pg_interfaces:
|
|
|
|
i.admin_up()
|
|
|
|
|
|
|
|
# Mapping between packet-generator index and lists of test hosts
|
|
|
|
cls.hosts_by_pg_idx = dict()
|
|
|
|
for pg_if in cls.pg_interfaces:
|
|
|
|
cls.hosts_by_pg_idx[pg_if.sw_if_index] = []
|
|
|
|
|
|
|
|
# Create list of deleted hosts
|
|
|
|
cls.deleted_hosts_by_pg_idx = dict()
|
|
|
|
for pg_if in cls.pg_interfaces:
|
|
|
|
cls.deleted_hosts_by_pg_idx[pg_if.sw_if_index] = []
|
|
|
|
|
|
|
|
# warm-up the mac address tables
|
|
|
|
# self.warmup_test()
|
2018-10-06 09:24:28 +02:00
|
|
|
count = 16
|
|
|
|
start = 0
|
|
|
|
n_int = len(cls.pg_interfaces)
|
2019-10-16 22:15:43 +00:00
|
|
|
macs_per_if = count // n_int
|
2018-10-06 09:24:28 +02:00
|
|
|
i = -1
|
|
|
|
for pg_if in cls.pg_interfaces:
|
|
|
|
i += 1
|
|
|
|
start_nr = macs_per_if * i + start
|
2022-04-26 19:02:15 +02:00
|
|
|
end_nr = (
|
|
|
|
count + start if i == (n_int - 1) else macs_per_if * (i + 1) + start
|
|
|
|
)
|
2018-10-06 09:24:28 +02:00
|
|
|
hosts = cls.hosts_by_pg_idx[pg_if.sw_if_index]
|
2019-10-16 22:15:43 +00:00
|
|
|
for j in range(int(start_nr), int(end_nr)):
|
2018-10-06 09:24:28 +02:00
|
|
|
host = Host(
|
|
|
|
"00:00:00:ff:%02x:%02x" % (pg_if.sw_if_index, j),
|
|
|
|
"172.17.1%02x.%u" % (pg_if.sw_if_index, j),
|
2022-04-26 19:02:15 +02:00
|
|
|
"2017:dead:%02x::%u" % (pg_if.sw_if_index, j),
|
|
|
|
)
|
2018-10-06 09:24:28 +02:00
|
|
|
hosts.append(host)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
except Exception:
|
|
|
|
super(TestACLplugin, cls).tearDownClass()
|
|
|
|
raise
|
|
|
|
|
2019-03-12 19:23:27 -07:00
|
|
|
@classmethod
|
|
|
|
def tearDownClass(cls):
|
|
|
|
super(TestACLplugin, cls).tearDownClass()
|
|
|
|
|
2017-03-02 15:22:47 +01:00
|
|
|
def setUp(self):
|
|
|
|
super(TestACLplugin, self).setUp()
|
|
|
|
self.reset_packet_infos()
|
|
|
|
|
|
|
|
def tearDown(self):
|
|
|
|
"""
|
|
|
|
Show various debug prints after each test.
|
|
|
|
"""
|
|
|
|
super(TestACLplugin, self).tearDown()
|
2019-03-13 09:23:05 -07:00
|
|
|
|
|
|
|
def show_commands_at_teardown(self):
|
|
|
|
cli = "show vlib graph l2-input-feat-arc"
|
|
|
|
self.logger.info(self.vapi.ppcli(cli))
|
|
|
|
cli = "show vlib graph l2-input-feat-arc-end"
|
|
|
|
self.logger.info(self.vapi.ppcli(cli))
|
|
|
|
cli = "show vlib graph l2-output-feat-arc"
|
|
|
|
self.logger.info(self.vapi.ppcli(cli))
|
|
|
|
cli = "show vlib graph l2-output-feat-arc-end"
|
|
|
|
self.logger.info(self.vapi.ppcli(cli))
|
|
|
|
self.logger.info(self.vapi.ppcli("show l2fib verbose"))
|
|
|
|
self.logger.info(self.vapi.ppcli("show acl-plugin acl"))
|
|
|
|
self.logger.info(self.vapi.ppcli("show acl-plugin interface"))
|
|
|
|
self.logger.info(self.vapi.ppcli("show acl-plugin tables"))
|
2022-04-26 19:02:15 +02:00
|
|
|
self.logger.info(self.vapi.ppcli("show bridge-domain %s detail" % self.bd_id))
|
|
|
|
|
|
|
|
def create_rule(
|
|
|
|
self,
|
|
|
|
ip=0,
|
|
|
|
permit_deny=0,
|
|
|
|
ports=PORTS_ALL,
|
|
|
|
proto=-1,
|
|
|
|
s_prefix=0,
|
|
|
|
s_ip=0,
|
|
|
|
d_prefix=0,
|
|
|
|
d_ip=0,
|
|
|
|
):
|
2020-03-27 06:55:06 +01:00
|
|
|
if ip:
|
|
|
|
src_prefix = IPv6Network((s_ip, s_prefix))
|
|
|
|
dst_prefix = IPv6Network((d_ip, d_prefix))
|
2017-03-02 15:22:47 +01:00
|
|
|
else:
|
2020-03-27 06:55:06 +01:00
|
|
|
src_prefix = IPv4Network((s_ip, s_prefix))
|
|
|
|
dst_prefix = IPv4Network((d_ip, d_prefix))
|
2022-04-26 19:02:15 +02:00
|
|
|
return AclRule(
|
|
|
|
is_permit=permit_deny,
|
|
|
|
ports=ports,
|
|
|
|
proto=proto,
|
|
|
|
src_prefix=src_prefix,
|
|
|
|
dst_prefix=dst_prefix,
|
|
|
|
)
|
2020-03-27 06:55:06 +01:00
|
|
|
|
|
|
|
def apply_rules(self, rules, tag=None):
|
|
|
|
acl = VppAcl(self, rules, tag=tag)
|
|
|
|
acl.add_vpp_config()
|
|
|
|
self.logger.info("Dumped ACL: " + str(acl.dump()))
|
2017-03-02 15:22:47 +01:00
|
|
|
# Apply a ACL on the interface as inbound
|
|
|
|
for i in self.pg_interfaces:
|
2020-03-27 06:55:06 +01:00
|
|
|
acl_if = VppAclInterface(
|
2022-04-26 19:02:15 +02:00
|
|
|
self, sw_if_index=i.sw_if_index, n_input=1, acls=[acl]
|
|
|
|
)
|
2020-03-27 06:55:06 +01:00
|
|
|
acl_if.add_vpp_config()
|
|
|
|
return acl.acl_index
|
|
|
|
|
|
|
|
def apply_rules_to(self, rules, tag=None, sw_if_index=INVALID_INDEX):
|
|
|
|
acl = VppAcl(self, rules, tag=tag)
|
|
|
|
acl.add_vpp_config()
|
|
|
|
self.logger.info("Dumped ACL: " + str(acl.dump()))
|
2018-03-23 10:38:46 +01:00
|
|
|
# Apply a ACL on the interface as inbound
|
2022-04-26 19:02:15 +02:00
|
|
|
acl_if = VppAclInterface(self, sw_if_index=sw_if_index, n_input=1, acls=[acl])
|
2020-03-27 06:55:06 +01:00
|
|
|
return acl.acl_index
|
2018-03-23 10:38:46 +01:00
|
|
|
|
2020-03-27 06:55:06 +01:00
|
|
|
def etype_whitelist(self, whitelist, n_input, add=True):
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
# Apply whitelists on all the interfaces
|
2020-03-27 06:55:06 +01:00
|
|
|
if add:
|
|
|
|
self._wl = []
|
|
|
|
for i in self.pg_interfaces:
|
2022-04-26 19:02:15 +02:00
|
|
|
self._wl.append(
|
|
|
|
VppEtypeWhitelist(
|
|
|
|
self,
|
|
|
|
sw_if_index=i.sw_if_index,
|
|
|
|
whitelist=whitelist,
|
|
|
|
n_input=n_input,
|
|
|
|
).add_vpp_config()
|
|
|
|
)
|
2020-03-27 06:55:06 +01:00
|
|
|
else:
|
|
|
|
if hasattr(self, "_wl"):
|
|
|
|
for wl in self._wl:
|
|
|
|
wl.remove_vpp_config()
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
|
2017-03-02 15:22:47 +01:00
|
|
|
def create_upper_layer(self, packet_index, proto, ports=0):
|
|
|
|
p = self.proto_map[proto]
|
2022-04-26 19:02:15 +02:00
|
|
|
if p == "UDP":
|
2017-03-02 15:22:47 +01:00
|
|
|
if ports == 0:
|
2022-04-26 19:02:15 +02:00
|
|
|
return UDP(
|
|
|
|
sport=random.randint(self.udp_sport_from, self.udp_sport_to),
|
|
|
|
dport=random.randint(self.udp_dport_from, self.udp_dport_to),
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
else:
|
|
|
|
return UDP(sport=ports, dport=ports)
|
2022-04-26 19:02:15 +02:00
|
|
|
elif p == "TCP":
|
2017-03-02 15:22:47 +01:00
|
|
|
if ports == 0:
|
2022-04-26 19:02:15 +02:00
|
|
|
return TCP(
|
|
|
|
sport=random.randint(self.tcp_sport_from, self.tcp_sport_to),
|
|
|
|
dport=random.randint(self.tcp_dport_from, self.tcp_dport_to),
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
else:
|
|
|
|
return TCP(sport=ports, dport=ports)
|
2022-04-26 19:02:15 +02:00
|
|
|
return ""
|
|
|
|
|
|
|
|
def create_stream(
|
|
|
|
self,
|
|
|
|
src_if,
|
|
|
|
packet_sizes,
|
|
|
|
traffic_type=0,
|
|
|
|
ipv6=0,
|
|
|
|
proto=-1,
|
|
|
|
ports=0,
|
|
|
|
fragments=False,
|
|
|
|
pkt_raw=True,
|
|
|
|
etype=-1,
|
|
|
|
):
|
2017-03-02 15:22:47 +01:00
|
|
|
"""
|
|
|
|
Create input packet stream for defined interface using hosts or
|
|
|
|
deleted_hosts list.
|
|
|
|
|
|
|
|
:param object src_if: Interface to create packet stream for.
|
|
|
|
:param list packet_sizes: List of required packet sizes.
|
|
|
|
:param traffic_type: 1: ICMP packet, 2: IPv6 with EH, 0: otherwise.
|
|
|
|
:return: Stream of packets.
|
|
|
|
"""
|
|
|
|
pkts = []
|
|
|
|
if self.flows.__contains__(src_if):
|
|
|
|
src_hosts = self.hosts_by_pg_idx[src_if.sw_if_index]
|
|
|
|
for dst_if in self.flows[src_if]:
|
|
|
|
dst_hosts = self.hosts_by_pg_idx[dst_if.sw_if_index]
|
|
|
|
n_int = len(dst_hosts) * len(src_hosts)
|
|
|
|
for i in range(0, n_int):
|
2019-10-16 22:15:43 +00:00
|
|
|
dst_host = dst_hosts[int(i / len(src_hosts))]
|
2017-03-02 15:22:47 +01:00
|
|
|
src_host = src_hosts[i % len(src_hosts)]
|
|
|
|
pkt_info = self.create_packet_info(src_if, dst_if)
|
|
|
|
if ipv6 == 1:
|
|
|
|
pkt_info.ip = 1
|
|
|
|
elif ipv6 == 0:
|
|
|
|
pkt_info.ip = 0
|
|
|
|
else:
|
|
|
|
pkt_info.ip = random.choice([0, 1])
|
|
|
|
if proto == -1:
|
|
|
|
pkt_info.proto = random.choice(self.proto[self.IP])
|
|
|
|
else:
|
|
|
|
pkt_info.proto = proto
|
|
|
|
payload = self.info_to_payload(pkt_info)
|
|
|
|
p = Ether(dst=dst_host.mac, src=src_host.mac)
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
if etype > 0:
|
2022-04-26 19:02:15 +02:00
|
|
|
p = Ether(dst=dst_host.mac, src=src_host.mac, type=etype)
|
2017-03-02 15:22:47 +01:00
|
|
|
if pkt_info.ip:
|
|
|
|
p /= IPv6(dst=dst_host.ip6, src=src_host.ip6)
|
2017-04-04 14:10:40 +00:00
|
|
|
if fragments:
|
|
|
|
p /= IPv6ExtHdrFragment(offset=64, m=1)
|
2017-03-02 15:22:47 +01:00
|
|
|
else:
|
2017-04-04 14:10:40 +00:00
|
|
|
if fragments:
|
2022-04-26 19:02:15 +02:00
|
|
|
p /= IP(
|
|
|
|
src=src_host.ip4, dst=dst_host.ip4, flags=1, frag=64
|
|
|
|
)
|
2017-04-04 14:10:40 +00:00
|
|
|
else:
|
|
|
|
p /= IP(src=src_host.ip4, dst=dst_host.ip4)
|
2017-03-02 15:22:47 +01:00
|
|
|
if traffic_type == self.ICMP:
|
|
|
|
if pkt_info.ip:
|
2022-04-26 19:02:15 +02:00
|
|
|
p /= ICMPv6EchoRequest(
|
|
|
|
type=self.icmp6_type, code=self.icmp6_code
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
else:
|
2022-04-26 19:02:15 +02:00
|
|
|
p /= ICMP(type=self.icmp4_type, code=self.icmp4_code)
|
2017-03-02 15:22:47 +01:00
|
|
|
else:
|
|
|
|
p /= self.create_upper_layer(i, pkt_info.proto, ports)
|
2017-04-18 13:12:20 +02:00
|
|
|
if pkt_raw:
|
|
|
|
p /= Raw(payload)
|
|
|
|
pkt_info.data = p.copy()
|
|
|
|
if pkt_raw:
|
|
|
|
size = random.choice(packet_sizes)
|
|
|
|
self.extend_packet(p, size)
|
2017-03-02 15:22:47 +01:00
|
|
|
pkts.append(p)
|
|
|
|
return pkts
|
|
|
|
|
2022-04-26 19:02:15 +02:00
|
|
|
def verify_capture(self, pg_if, capture, traffic_type=0, ip_type=0, etype=-1):
|
2017-03-02 15:22:47 +01:00
|
|
|
"""
|
|
|
|
Verify captured input packet stream for defined interface.
|
|
|
|
|
|
|
|
:param object pg_if: Interface to verify captured packet stream for.
|
|
|
|
:param list capture: Captured packet stream.
|
|
|
|
:param traffic_type: 1: ICMP packet, 2: IPv6 with EH, 0: otherwise.
|
|
|
|
"""
|
|
|
|
last_info = dict()
|
|
|
|
for i in self.pg_interfaces:
|
|
|
|
last_info[i.sw_if_index] = None
|
|
|
|
dst_sw_if_index = pg_if.sw_if_index
|
|
|
|
for packet in capture:
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
if etype > 0:
|
|
|
|
if packet[Ether].type != etype:
|
2022-04-26 19:02:15 +02:00
|
|
|
self.logger.error(ppp("Unexpected ethertype in packet:", packet))
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
else:
|
|
|
|
continue
|
2017-03-02 15:22:47 +01:00
|
|
|
try:
|
|
|
|
# Raw data for ICMPv6 are stored in ICMPv6EchoRequest.data
|
|
|
|
if traffic_type == self.ICMP and ip_type == self.IPV6:
|
|
|
|
payload_info = self.payload_to_info(
|
2022-04-26 19:02:15 +02:00
|
|
|
packet[ICMPv6EchoRequest], "data"
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
payload = packet[ICMPv6EchoRequest]
|
|
|
|
else:
|
2019-03-06 11:58:06 -08:00
|
|
|
payload_info = self.payload_to_info(packet[Raw])
|
2017-03-02 15:22:47 +01:00
|
|
|
payload = packet[self.proto_map[payload_info.proto]]
|
|
|
|
except:
|
2022-04-26 19:02:15 +02:00
|
|
|
self.logger.error(
|
|
|
|
ppp("Unexpected or invalid packet (outside network):", packet)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
raise
|
|
|
|
|
|
|
|
if ip_type != 0:
|
|
|
|
self.assertEqual(payload_info.ip, ip_type)
|
|
|
|
if traffic_type == self.ICMP:
|
|
|
|
try:
|
|
|
|
if payload_info.ip == 0:
|
|
|
|
self.assertEqual(payload.type, self.icmp4_type)
|
|
|
|
self.assertEqual(payload.code, self.icmp4_code)
|
|
|
|
else:
|
|
|
|
self.assertEqual(payload.type, self.icmp6_type)
|
|
|
|
self.assertEqual(payload.code, self.icmp6_code)
|
|
|
|
except:
|
2022-04-26 19:02:15 +02:00
|
|
|
self.logger.error(
|
|
|
|
ppp("Unexpected or invalid packet (outside network):", packet)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
raise
|
|
|
|
else:
|
|
|
|
try:
|
|
|
|
ip_version = IPv6 if payload_info.ip == 1 else IP
|
|
|
|
|
|
|
|
ip = packet[ip_version]
|
|
|
|
packet_index = payload_info.index
|
|
|
|
|
|
|
|
self.assertEqual(payload_info.dst, dst_sw_if_index)
|
2022-04-26 19:02:15 +02:00
|
|
|
self.logger.debug(
|
|
|
|
"Got packet on port %s: src=%u (id=%u)"
|
|
|
|
% (pg_if.name, payload_info.src, packet_index)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
next_info = self.get_next_packet_info_for_interface2(
|
2022-04-26 19:02:15 +02:00
|
|
|
payload_info.src, dst_sw_if_index, last_info[payload_info.src]
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
last_info[payload_info.src] = next_info
|
|
|
|
self.assertTrue(next_info is not None)
|
|
|
|
self.assertEqual(packet_index, next_info.index)
|
|
|
|
saved_packet = next_info.data
|
|
|
|
# Check standard fields
|
|
|
|
self.assertEqual(ip.src, saved_packet[ip_version].src)
|
|
|
|
self.assertEqual(ip.dst, saved_packet[ip_version].dst)
|
|
|
|
p = self.proto_map[payload_info.proto]
|
2022-04-26 19:02:15 +02:00
|
|
|
if p == "TCP":
|
2017-03-02 15:22:47 +01:00
|
|
|
tcp = packet[TCP]
|
2022-04-26 19:02:15 +02:00
|
|
|
self.assertEqual(tcp.sport, saved_packet[TCP].sport)
|
|
|
|
self.assertEqual(tcp.dport, saved_packet[TCP].dport)
|
|
|
|
elif p == "UDP":
|
2017-03-02 15:22:47 +01:00
|
|
|
udp = packet[UDP]
|
2022-04-26 19:02:15 +02:00
|
|
|
self.assertEqual(udp.sport, saved_packet[UDP].sport)
|
|
|
|
self.assertEqual(udp.dport, saved_packet[UDP].dport)
|
2017-03-02 15:22:47 +01:00
|
|
|
except:
|
2022-04-26 19:02:15 +02:00
|
|
|
self.logger.error(ppp("Unexpected or invalid packet:", packet))
|
2017-03-02 15:22:47 +01:00
|
|
|
raise
|
|
|
|
for i in self.pg_interfaces:
|
|
|
|
remaining_packet = self.get_next_packet_info_for_interface2(
|
2022-04-26 19:02:15 +02:00
|
|
|
i, dst_sw_if_index, last_info[i.sw_if_index]
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
self.assertTrue(
|
|
|
|
remaining_packet is None,
|
2022-04-26 19:02:15 +02:00
|
|
|
"Port %u: Packet expected from source %u didn't arrive"
|
|
|
|
% (dst_sw_if_index, i.sw_if_index),
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
def run_traffic_no_check(self):
|
|
|
|
# Test
|
|
|
|
# Create incoming packet streams for packet-generator interfaces
|
|
|
|
for i in self.pg_interfaces:
|
|
|
|
if self.flows.__contains__(i):
|
|
|
|
pkts = self.create_stream(i, self.pg_if_packet_sizes)
|
|
|
|
if len(pkts) > 0:
|
|
|
|
i.add_stream(pkts)
|
|
|
|
|
|
|
|
# Enable packet capture and start packet sending
|
|
|
|
self.pg_enable_capture(self.pg_interfaces)
|
|
|
|
self.pg_start()
|
|
|
|
|
2022-04-26 19:02:15 +02:00
|
|
|
def run_verify_test(
|
|
|
|
self,
|
|
|
|
traffic_type=0,
|
|
|
|
ip_type=0,
|
|
|
|
proto=-1,
|
|
|
|
ports=0,
|
|
|
|
frags=False,
|
|
|
|
pkt_raw=True,
|
|
|
|
etype=-1,
|
|
|
|
):
|
2017-03-02 15:22:47 +01:00
|
|
|
# Test
|
|
|
|
# Create incoming packet streams for packet-generator interfaces
|
|
|
|
pkts_cnt = 0
|
|
|
|
for i in self.pg_interfaces:
|
|
|
|
if self.flows.__contains__(i):
|
2022-04-26 19:02:15 +02:00
|
|
|
pkts = self.create_stream(
|
|
|
|
i,
|
|
|
|
self.pg_if_packet_sizes,
|
|
|
|
traffic_type,
|
|
|
|
ip_type,
|
|
|
|
proto,
|
|
|
|
ports,
|
|
|
|
frags,
|
|
|
|
pkt_raw,
|
|
|
|
etype,
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
if len(pkts) > 0:
|
|
|
|
i.add_stream(pkts)
|
|
|
|
pkts_cnt += len(pkts)
|
|
|
|
|
|
|
|
# Enable packet capture and start packet sendingself.IPV
|
|
|
|
self.pg_enable_capture(self.pg_interfaces)
|
|
|
|
self.pg_start()
|
2018-10-06 09:24:28 +02:00
|
|
|
self.logger.info("sent packets count: %d" % pkts_cnt)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Verify
|
|
|
|
# Verify outgoing packet streams per packet-generator interface
|
|
|
|
for src_if in self.pg_interfaces:
|
|
|
|
if self.flows.__contains__(src_if):
|
|
|
|
for dst_if in self.flows[src_if]:
|
|
|
|
capture = dst_if.get_capture(pkts_cnt)
|
2022-04-26 19:02:15 +02:00
|
|
|
self.logger.info("Verifying capture on interface %s" % dst_if.name)
|
|
|
|
self.verify_capture(dst_if, capture, traffic_type, ip_type, etype)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
2022-04-26 19:02:15 +02:00
|
|
|
def run_verify_negat_test(
|
|
|
|
self, traffic_type=0, ip_type=0, proto=-1, ports=0, frags=False, etype=-1
|
|
|
|
):
|
2017-03-02 15:22:47 +01:00
|
|
|
# Test
|
2018-10-06 09:24:28 +02:00
|
|
|
pkts_cnt = 0
|
2017-03-02 15:22:47 +01:00
|
|
|
self.reset_packet_infos()
|
|
|
|
for i in self.pg_interfaces:
|
|
|
|
if self.flows.__contains__(i):
|
2022-04-26 19:02:15 +02:00
|
|
|
pkts = self.create_stream(
|
|
|
|
i,
|
|
|
|
self.pg_if_packet_sizes,
|
|
|
|
traffic_type,
|
|
|
|
ip_type,
|
|
|
|
proto,
|
|
|
|
ports,
|
|
|
|
frags,
|
|
|
|
True,
|
|
|
|
etype,
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
if len(pkts) > 0:
|
|
|
|
i.add_stream(pkts)
|
2018-10-06 09:24:28 +02:00
|
|
|
pkts_cnt += len(pkts)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Enable packet capture and start packet sending
|
|
|
|
self.pg_enable_capture(self.pg_interfaces)
|
|
|
|
self.pg_start()
|
2018-10-06 09:24:28 +02:00
|
|
|
self.logger.info("sent packets count: %d" % pkts_cnt)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Verify
|
|
|
|
# Verify outgoing packet streams per packet-generator interface
|
|
|
|
for src_if in self.pg_interfaces:
|
|
|
|
if self.flows.__contains__(src_if):
|
|
|
|
for dst_if in self.flows[src_if]:
|
2022-04-26 19:02:15 +02:00
|
|
|
self.logger.info("Verifying capture on interface %s" % dst_if.name)
|
2017-03-02 15:22:47 +01:00
|
|
|
capture = dst_if.get_capture(0)
|
|
|
|
self.assertEqual(len(capture), 0)
|
|
|
|
|
|
|
|
def test_0000_warmup_test(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""ACL plugin version check; learn MACs"""
|
2017-03-02 15:22:47 +01:00
|
|
|
reply = self.vapi.papi.acl_plugin_get_version()
|
|
|
|
self.assertEqual(reply.major, 1)
|
2022-04-26 19:02:15 +02:00
|
|
|
self.logger.info(
|
|
|
|
"Working with ACL plugin version: %d.%d" % (reply.major, reply.minor)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# minor version changes are non breaking
|
|
|
|
# self.assertEqual(reply.minor, 0)
|
|
|
|
|
|
|
|
def test_0001_acl_create(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""ACL create/delete test"""
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_START_0001")
|
2020-03-27 06:55:06 +01:00
|
|
|
# Create a permit-1234 ACL
|
|
|
|
r = [AclRule(is_permit=1, proto=17, ports=1234, sport_to=1235)]
|
2017-03-02 15:22:47 +01:00
|
|
|
# Test 1: add a new ACL
|
2020-03-27 06:55:06 +01:00
|
|
|
first_acl = VppAcl(self, rules=r, tag="permit 1234")
|
|
|
|
first_acl.add_vpp_config()
|
|
|
|
self.assertTrue(first_acl.query_vpp_config())
|
2017-03-02 15:22:47 +01:00
|
|
|
# The very first ACL gets #0
|
2020-03-27 06:55:06 +01:00
|
|
|
self.assertEqual(first_acl.acl_index, 0)
|
|
|
|
rr = first_acl.dump()
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("Dumped ACL: " + str(rr))
|
|
|
|
self.assertEqual(len(rr), 1)
|
|
|
|
# We should have the same number of ACL entries as we had asked
|
|
|
|
self.assertEqual(len(rr[0].r), len(r))
|
|
|
|
# The rules should be the same. But because the submitted and returned
|
|
|
|
# are different types, we need to iterate over rules and keys to get
|
|
|
|
# to basic values.
|
|
|
|
for i_rule in range(0, len(r) - 1):
|
2020-03-27 06:55:06 +01:00
|
|
|
encoded_rule = r[i_rule].encode()
|
|
|
|
for rule_key in encoded_rule:
|
2022-04-26 19:02:15 +02:00
|
|
|
self.assertEqual(rr[0].r[i_rule][rule_key], encoded_rule[rule_key])
|
2020-03-27 06:55:06 +01:00
|
|
|
|
|
|
|
# Create a deny-1234 ACL
|
2022-04-26 19:02:15 +02:00
|
|
|
r_deny = [
|
|
|
|
AclRule(is_permit=0, proto=17, ports=1234, sport_to=1235),
|
|
|
|
AclRule(is_permit=1, proto=17, ports=0),
|
|
|
|
]
|
2020-03-27 06:55:06 +01:00
|
|
|
second_acl = VppAcl(self, rules=r_deny, tag="deny 1234;permit all")
|
|
|
|
second_acl.add_vpp_config()
|
|
|
|
self.assertTrue(second_acl.query_vpp_config())
|
2017-03-02 15:22:47 +01:00
|
|
|
# The second ACL gets #1
|
2020-03-27 06:55:06 +01:00
|
|
|
self.assertEqual(second_acl.acl_index, 1)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Test 2: try to modify a nonexistent ACL
|
2020-03-27 06:55:06 +01:00
|
|
|
invalid_acl = VppAcl(self, acl_index=432, rules=r, tag="FFFF:FFFF")
|
|
|
|
reply = invalid_acl.add_vpp_config(expect_error=True)
|
|
|
|
|
|
|
|
# apply an ACL on an interface inbound, try to delete ACL, must fail
|
|
|
|
acl_if_list = VppAclInterface(
|
2022-04-26 19:02:15 +02:00
|
|
|
self, sw_if_index=self.pg0.sw_if_index, n_input=1, acls=[first_acl]
|
|
|
|
)
|
2020-03-27 06:55:06 +01:00
|
|
|
acl_if_list.add_vpp_config()
|
|
|
|
first_acl.remove_vpp_config(expect_error=True)
|
|
|
|
# Unapply an ACL and then try to delete it - must be ok
|
|
|
|
acl_if_list.remove_vpp_config()
|
|
|
|
first_acl.remove_vpp_config()
|
|
|
|
|
2017-09-27 13:50:31 +02:00
|
|
|
# apply an ACL on an interface inbound, try to delete ACL, must fail
|
2020-03-27 06:55:06 +01:00
|
|
|
acl_if_list = VppAclInterface(
|
2022-04-26 19:02:15 +02:00
|
|
|
self, sw_if_index=self.pg0.sw_if_index, n_input=0, acls=[second_acl]
|
|
|
|
)
|
2020-03-27 06:55:06 +01:00
|
|
|
acl_if_list.add_vpp_config()
|
|
|
|
second_acl.remove_vpp_config(expect_error=True)
|
2017-09-27 13:50:31 +02:00
|
|
|
# Unapply an ACL and then try to delete it - must be ok
|
2020-03-27 06:55:06 +01:00
|
|
|
acl_if_list.remove_vpp_config()
|
|
|
|
second_acl.remove_vpp_config()
|
2017-09-27 13:50:31 +02:00
|
|
|
|
|
|
|
# try to apply a nonexistent ACL - must fail
|
2020-03-27 06:55:06 +01:00
|
|
|
acl_if_list = VppAclInterface(
|
2022-04-26 19:02:15 +02:00
|
|
|
self, sw_if_index=self.pg0.sw_if_index, n_input=0, acls=[invalid_acl]
|
|
|
|
)
|
2020-03-27 06:55:06 +01:00
|
|
|
acl_if_list.add_vpp_config(expect_error=True)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0001")
|
|
|
|
|
|
|
|
def test_0002_acl_permit_apply(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit ACL apply test"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0002")
|
|
|
|
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.UDP])
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.TCP])
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
acl_idx = self.apply_rules(rules, "permit per-flow")
|
2019-06-13 15:23:21 +00:00
|
|
|
|
|
|
|
# enable counters
|
|
|
|
reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should still pass
|
|
|
|
self.run_verify_test(self.IP, self.IPV4, -1)
|
2019-06-13 15:23:21 +00:00
|
|
|
|
2022-04-26 19:02:15 +02:00
|
|
|
matches = self.statistics.get_counter("/acl/%d/matches" % acl_idx)
|
2019-06-13 15:23:21 +00:00
|
|
|
self.logger.info("stat segment counters: %s" % repr(matches))
|
|
|
|
cli = "show acl-plugin acl"
|
|
|
|
self.logger.info(self.vapi.ppcli(cli))
|
|
|
|
cli = "show acl-plugin tables"
|
|
|
|
self.logger.info(self.vapi.ppcli(cli))
|
|
|
|
|
2022-04-26 19:02:15 +02:00
|
|
|
total_hits = matches[0][0]["packets"] + matches[0][1]["packets"]
|
2019-06-13 15:23:21 +00:00
|
|
|
self.assertEqual(total_hits, 64)
|
|
|
|
|
|
|
|
# disable counters
|
|
|
|
reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=0)
|
|
|
|
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_FINISH_0002")
|
|
|
|
|
|
|
|
def test_0003_acl_deny_apply(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""deny ACL apply test"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0003")
|
|
|
|
# Add a deny-flows ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.DENY, self.PORTS_ALL, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# Permit ip any any in the end
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
acl_idx = self.apply_rules(rules, "deny per-flow;permit all")
|
2019-06-13 15:23:21 +00:00
|
|
|
|
|
|
|
# enable counters
|
|
|
|
reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=1)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should not pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_negat_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
|
2019-06-13 15:23:21 +00:00
|
|
|
|
2022-04-26 19:02:15 +02:00
|
|
|
matches = self.statistics.get_counter("/acl/%d/matches" % acl_idx)
|
2019-06-13 15:23:21 +00:00
|
|
|
self.logger.info("stat segment counters: %s" % repr(matches))
|
|
|
|
cli = "show acl-plugin acl"
|
|
|
|
self.logger.info(self.vapi.ppcli(cli))
|
|
|
|
cli = "show acl-plugin tables"
|
|
|
|
self.logger.info(self.vapi.ppcli(cli))
|
2022-04-26 19:02:15 +02:00
|
|
|
self.assertEqual(matches[0][0]["packets"], 64)
|
2019-06-13 15:23:21 +00:00
|
|
|
# disable counters
|
|
|
|
reply = self.vapi.papi.acl_stats_intf_counters_enable(enable=0)
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_FINISH_0003")
|
2019-06-13 15:23:21 +00:00
|
|
|
# self.assertEqual(, 0)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
def test_0004_vpp624_permit_icmpv4(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""VPP_624 permit ICMPv4"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0004")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4,
|
|
|
|
self.PERMIT,
|
|
|
|
self.PORTS_RANGE,
|
|
|
|
self.proto[self.ICMP][self.ICMPv4],
|
|
|
|
)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit icmpv4")
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should still pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_test(self.ICMP, self.IPV4, self.proto[self.ICMP][self.ICMPv4])
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0004")
|
|
|
|
|
|
|
|
def test_0005_vpp624_permit_icmpv6(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""VPP_624 permit ICMPv6"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0005")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6,
|
|
|
|
self.PERMIT,
|
|
|
|
self.PORTS_RANGE,
|
|
|
|
self.proto[self.ICMP][self.ICMPv6],
|
|
|
|
)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit icmpv6")
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should still pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_test(self.ICMP, self.IPV6, self.proto[self.ICMP][self.ICMPv6])
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0005")
|
|
|
|
|
|
|
|
def test_0006_vpp624_deny_icmpv4(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""VPP_624 deny ICMPv4"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0006")
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4,
|
|
|
|
self.DENY,
|
|
|
|
self.PORTS_RANGE,
|
|
|
|
self.proto[self.ICMP][self.ICMPv4],
|
|
|
|
)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# permit ip any any in the end
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "deny icmpv4")
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should not pass
|
|
|
|
self.run_verify_negat_test(self.ICMP, self.IPV4, 0)
|
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0006")
|
|
|
|
|
|
|
|
def test_0007_vpp624_deny_icmpv6(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""VPP_624 deny ICMPv6"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0007")
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6,
|
|
|
|
self.DENY,
|
|
|
|
self.PORTS_RANGE,
|
|
|
|
self.proto[self.ICMP][self.ICMPv6],
|
|
|
|
)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# deny ip any any in the end
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "deny icmpv6")
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should not pass
|
|
|
|
self.run_verify_negat_test(self.ICMP, self.IPV6, 0)
|
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0007")
|
|
|
|
|
|
|
|
def test_0008_tcp_permit_v4(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit TCPv4"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0008")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ipv4 tcp")
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should still pass
|
|
|
|
self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
|
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0008")
|
|
|
|
|
|
|
|
def test_0009_tcp_permit_v6(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit TCPv6"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0009")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ip6 tcp")
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should still pass
|
|
|
|
self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
|
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0008")
|
|
|
|
|
|
|
|
def test_0010_udp_permit_v4(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit UDPv4"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0010")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ipv udp")
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should still pass
|
|
|
|
self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
|
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0010")
|
|
|
|
|
|
|
|
def test_0011_udp_permit_v6(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit UDPv6"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0011")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ip6 udp")
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should still pass
|
|
|
|
self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
|
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0011")
|
|
|
|
|
|
|
|
def test_0012_tcp_deny(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""deny TCPv4/v6"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0012")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# permit ip any any in the end
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
|
|
|
|
rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "deny ip4/ip6 tcp")
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should not pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_negat_test(
|
|
|
|
self.IP, self.IPRANDOM, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0012")
|
|
|
|
|
|
|
|
def test_0013_udp_deny(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""deny UDPv4/v6"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0013")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# permit ip any any in the end
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
|
|
|
|
rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "deny ip4/ip6 udp")
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should not pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_negat_test(
|
|
|
|
self.IP, self.IPRANDOM, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0013")
|
|
|
|
|
|
|
|
def test_0014_acl_dump(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""verify add/dump acls"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0014")
|
|
|
|
|
2022-04-26 19:02:15 +02:00
|
|
|
r = [
|
|
|
|
[self.IPV4, self.PERMIT, 1234, self.proto[self.IP][self.TCP]],
|
|
|
|
[self.IPV4, self.PERMIT, 2345, self.proto[self.IP][self.UDP]],
|
|
|
|
[self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.TCP]],
|
|
|
|
[self.IPV4, self.PERMIT, 0, self.proto[self.IP][self.UDP]],
|
|
|
|
[self.IPV4, self.PERMIT, 5, self.proto[self.ICMP][self.ICMPv4]],
|
|
|
|
[self.IPV6, self.PERMIT, 4321, self.proto[self.IP][self.TCP]],
|
|
|
|
[self.IPV6, self.PERMIT, 5432, self.proto[self.IP][self.UDP]],
|
|
|
|
[self.IPV6, self.PERMIT, 0, self.proto[self.IP][self.TCP]],
|
|
|
|
[self.IPV6, self.PERMIT, 0, self.proto[self.IP][self.UDP]],
|
|
|
|
[self.IPV6, self.PERMIT, 6, self.proto[self.ICMP][self.ICMPv6]],
|
|
|
|
[self.IPV4, self.DENY, self.PORTS_ALL, 0],
|
|
|
|
[self.IPV4, self.DENY, 1234, self.proto[self.IP][self.TCP]],
|
|
|
|
[self.IPV4, self.DENY, 2345, self.proto[self.IP][self.UDP]],
|
|
|
|
[self.IPV4, self.DENY, 5, self.proto[self.ICMP][self.ICMPv4]],
|
|
|
|
[self.IPV6, self.DENY, 4321, self.proto[self.IP][self.TCP]],
|
|
|
|
[self.IPV6, self.DENY, 5432, self.proto[self.IP][self.UDP]],
|
|
|
|
[self.IPV6, self.DENY, 6, self.proto[self.ICMP][self.ICMPv6]],
|
|
|
|
[self.IPV6, self.DENY, self.PORTS_ALL, 0],
|
|
|
|
]
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Add and verify new ACLs
|
|
|
|
rules = []
|
|
|
|
for i in range(len(r)):
|
|
|
|
rules.append(self.create_rule(r[i][0], r[i][1], r[i][2], r[i][3]))
|
|
|
|
|
2020-03-27 06:55:06 +01:00
|
|
|
acl = VppAcl(self, rules=rules)
|
|
|
|
acl.add_vpp_config()
|
|
|
|
result = acl.dump()
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
i = 0
|
|
|
|
for drules in result:
|
|
|
|
for dr in drules.r:
|
|
|
|
self.assertEqual(dr.is_permit, r[i][1])
|
|
|
|
self.assertEqual(dr.proto, r[i][3])
|
|
|
|
|
|
|
|
if r[i][2] > 0:
|
|
|
|
self.assertEqual(dr.srcport_or_icmptype_first, r[i][2])
|
|
|
|
else:
|
|
|
|
if r[i][2] < 0:
|
|
|
|
self.assertEqual(dr.srcport_or_icmptype_first, 0)
|
|
|
|
self.assertEqual(dr.srcport_or_icmptype_last, 65535)
|
|
|
|
else:
|
|
|
|
if dr.proto == self.proto[self.IP][self.TCP]:
|
2022-04-26 19:02:15 +02:00
|
|
|
self.assertGreater(
|
|
|
|
dr.srcport_or_icmptype_first, self.tcp_sport_from - 1
|
|
|
|
)
|
|
|
|
self.assertLess(
|
|
|
|
dr.srcport_or_icmptype_first, self.tcp_sport_to + 1
|
|
|
|
)
|
|
|
|
self.assertGreater(
|
|
|
|
dr.dstport_or_icmpcode_last, self.tcp_dport_from - 1
|
|
|
|
)
|
|
|
|
self.assertLess(
|
|
|
|
dr.dstport_or_icmpcode_last, self.tcp_dport_to + 1
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
elif dr.proto == self.proto[self.IP][self.UDP]:
|
2022-04-26 19:02:15 +02:00
|
|
|
self.assertGreater(
|
|
|
|
dr.srcport_or_icmptype_first, self.udp_sport_from - 1
|
|
|
|
)
|
|
|
|
self.assertLess(
|
|
|
|
dr.srcport_or_icmptype_first, self.udp_sport_to + 1
|
|
|
|
)
|
|
|
|
self.assertGreater(
|
|
|
|
dr.dstport_or_icmpcode_last, self.udp_dport_from - 1
|
|
|
|
)
|
|
|
|
self.assertLess(
|
|
|
|
dr.dstport_or_icmpcode_last, self.udp_dport_to + 1
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
i += 1
|
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0014")
|
|
|
|
|
|
|
|
def test_0015_tcp_permit_port_v4(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit single TCPv4"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0015")
|
|
|
|
|
2019-10-03 07:55:52 +00:00
|
|
|
port = random.randint(16384, 65535)
|
2017-03-02 15:22:47 +01:00
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.PERMIT, port, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ip4 tcp %d" % port)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should still pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP], port)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0015")
|
|
|
|
|
|
|
|
def test_0016_udp_permit_port_v4(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit single UDPv4"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0016")
|
|
|
|
|
2019-10-03 07:55:52 +00:00
|
|
|
port = random.randint(16384, 65535)
|
2017-03-02 15:22:47 +01:00
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.PERMIT, port, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ip4 tcp %d" % port)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should still pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP], port)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0016")
|
|
|
|
|
|
|
|
def test_0017_tcp_permit_port_v6(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit single TCPv6"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0017")
|
|
|
|
|
2019-10-03 07:55:52 +00:00
|
|
|
port = random.randint(16384, 65535)
|
2017-03-02 15:22:47 +01:00
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6, self.PERMIT, port, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ip4 tcp %d" % port)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should still pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP], port)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0017")
|
|
|
|
|
|
|
|
def test_0018_udp_permit_port_v6(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit single UDPv6"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0018")
|
|
|
|
|
2019-10-03 07:55:52 +00:00
|
|
|
port = random.randint(16384, 65535)
|
2017-03-02 15:22:47 +01:00
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6, self.PERMIT, port, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# deny ip any any in the end
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ip4 tcp %d" % port)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should still pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP], port)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0018")
|
|
|
|
|
|
|
|
def test_0019_udp_deny_port(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""deny single TCPv4/v6"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0019")
|
|
|
|
|
2019-10-03 07:55:52 +00:00
|
|
|
port = random.randint(16384, 65535)
|
2017-03-02 15:22:47 +01:00
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(self.IPV4, self.DENY, port, self.proto[self.IP][self.TCP])
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(self.IPV6, self.DENY, port, self.proto[self.IP][self.TCP])
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# Permit ip any any in the end
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
|
|
|
|
rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should not pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_negat_test(
|
|
|
|
self.IP, self.IPRANDOM, self.proto[self.IP][self.TCP], port
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0019")
|
|
|
|
|
|
|
|
def test_0020_udp_deny_port(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""deny single UDPv4/v6"""
|
2017-03-02 15:22:47 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0020")
|
|
|
|
|
2019-10-03 07:55:52 +00:00
|
|
|
port = random.randint(16384, 65535)
|
2017-03-02 15:22:47 +01:00
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(self.IPV4, self.DENY, port, self.proto[self.IP][self.UDP])
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(self.IPV6, self.DENY, port, self.proto[self.IP][self.UDP])
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
# Permit ip any any in the end
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
|
|
|
|
rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
# Traffic should not pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_negat_test(
|
|
|
|
self.IP, self.IPRANDOM, self.proto[self.IP][self.UDP], port
|
|
|
|
)
|
2017-03-02 15:22:47 +01:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0020")
|
|
|
|
|
2017-04-04 14:10:40 +00:00
|
|
|
def test_0021_udp_deny_port_verify_fragment_deny(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""deny single UDPv4/v6, permit ip any, verify non-initial fragment
|
2018-04-10 15:19:54 -04:00
|
|
|
blocked
|
2017-04-04 14:10:40 +00:00
|
|
|
"""
|
|
|
|
self.logger.info("ACLP_TEST_START_0021")
|
|
|
|
|
2019-10-03 07:55:52 +00:00
|
|
|
port = random.randint(16384, 65535)
|
2017-04-04 14:10:40 +00:00
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(self.IPV4, self.DENY, port, self.proto[self.IP][self.UDP])
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(self.IPV6, self.DENY, port, self.proto[self.IP][self.UDP])
|
|
|
|
)
|
2017-04-04 14:10:40 +00:00
|
|
|
# deny ip any any in the end
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
|
|
|
|
rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
|
2017-04-04 14:10:40 +00:00
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "deny ip4/ip6 udp %d" % port)
|
2017-04-04 14:10:40 +00:00
|
|
|
|
|
|
|
# Traffic should not pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_negat_test(
|
|
|
|
self.IP, self.IPRANDOM, self.proto[self.IP][self.UDP], port, True
|
|
|
|
)
|
2017-04-04 14:10:40 +00:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0021")
|
|
|
|
|
2017-04-18 13:12:20 +02:00
|
|
|
def test_0022_zero_length_udp_ipv4(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""VPP-687 zero length udp ipv4 packet"""
|
2017-04-18 13:12:20 +02:00
|
|
|
self.logger.info("ACLP_TEST_START_0022")
|
|
|
|
|
2019-10-03 07:55:52 +00:00
|
|
|
port = random.randint(16384, 65535)
|
2017-04-18 13:12:20 +02:00
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
|
|
|
rules.append(
|
2022-04-26 19:02:15 +02:00
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.PERMIT, port, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
|
2017-04-18 13:12:20 +02:00
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit empty udp ip4 %d" % port)
|
2017-04-18 13:12:20 +02:00
|
|
|
|
|
|
|
# Traffic should still pass
|
|
|
|
# Create incoming packet streams for packet-generator interfaces
|
|
|
|
pkts_cnt = 0
|
2022-04-26 19:02:15 +02:00
|
|
|
pkts = self.create_stream(
|
|
|
|
self.pg0,
|
|
|
|
self.pg_if_packet_sizes,
|
|
|
|
self.IP,
|
|
|
|
self.IPV4,
|
|
|
|
self.proto[self.IP][self.UDP],
|
|
|
|
port,
|
|
|
|
False,
|
|
|
|
False,
|
|
|
|
)
|
2017-04-18 13:12:20 +02:00
|
|
|
if len(pkts) > 0:
|
|
|
|
self.pg0.add_stream(pkts)
|
|
|
|
pkts_cnt += len(pkts)
|
|
|
|
|
|
|
|
# Enable packet capture and start packet sendingself.IPV
|
|
|
|
self.pg_enable_capture(self.pg_interfaces)
|
|
|
|
self.pg_start()
|
|
|
|
|
|
|
|
self.pg1.get_capture(pkts_cnt)
|
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0022")
|
|
|
|
|
|
|
|
def test_0023_zero_length_udp_ipv6(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""VPP-687 zero length udp ipv6 packet"""
|
2017-04-18 13:12:20 +02:00
|
|
|
self.logger.info("ACLP_TEST_START_0023")
|
|
|
|
|
2019-10-03 07:55:52 +00:00
|
|
|
port = random.randint(16384, 65535)
|
2017-04-18 13:12:20 +02:00
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6, self.PERMIT, port, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
|
|
|
)
|
2017-04-18 13:12:20 +02:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit empty udp ip6 %d" % port)
|
2017-04-18 13:12:20 +02:00
|
|
|
|
|
|
|
# Traffic should still pass
|
|
|
|
# Create incoming packet streams for packet-generator interfaces
|
|
|
|
pkts_cnt = 0
|
2022-04-26 19:02:15 +02:00
|
|
|
pkts = self.create_stream(
|
|
|
|
self.pg0,
|
|
|
|
self.pg_if_packet_sizes,
|
|
|
|
self.IP,
|
|
|
|
self.IPV6,
|
|
|
|
self.proto[self.IP][self.UDP],
|
|
|
|
port,
|
|
|
|
False,
|
|
|
|
False,
|
|
|
|
)
|
2017-04-18 13:12:20 +02:00
|
|
|
if len(pkts) > 0:
|
|
|
|
self.pg0.add_stream(pkts)
|
|
|
|
pkts_cnt += len(pkts)
|
|
|
|
|
|
|
|
# Enable packet capture and start packet sendingself.IPV
|
|
|
|
self.pg_enable_capture(self.pg_interfaces)
|
|
|
|
self.pg_start()
|
|
|
|
|
|
|
|
# Verify outgoing packet streams per packet-generator interface
|
|
|
|
self.pg1.get_capture(pkts_cnt)
|
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0023")
|
|
|
|
|
2017-08-10 17:02:58 +02:00
|
|
|
def test_0108_tcp_permit_v4(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit TCPv4 + non-match range"""
|
2017-08-10 17:02:58 +02:00
|
|
|
self.logger.info("ACLP_TEST_START_0108")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
2017-08-10 17:02:58 +02:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ipv4 tcp")
|
2017-08-10 17:02:58 +02:00
|
|
|
|
|
|
|
# Traffic should still pass
|
|
|
|
self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.TCP])
|
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0108")
|
|
|
|
|
|
|
|
def test_0109_tcp_permit_v6(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit TCPv6 + non-match range"""
|
2017-08-10 17:02:58 +02:00
|
|
|
self.logger.info("ACLP_TEST_START_0109")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
2017-08-10 17:02:58 +02:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ip6 tcp")
|
2017-08-10 17:02:58 +02:00
|
|
|
|
|
|
|
# Traffic should still pass
|
|
|
|
self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.TCP])
|
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0109")
|
|
|
|
|
|
|
|
def test_0110_udp_permit_v4(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit UDPv4 + non-match range"""
|
2017-08-10 17:02:58 +02:00
|
|
|
self.logger.info("ACLP_TEST_START_0110")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
|
|
|
)
|
2017-08-10 17:02:58 +02:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ipv4 udp")
|
2017-08-10 17:02:58 +02:00
|
|
|
|
|
|
|
# Traffic should still pass
|
|
|
|
self.run_verify_test(self.IP, self.IPV4, self.proto[self.IP][self.UDP])
|
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0110")
|
|
|
|
|
|
|
|
def test_0111_udp_permit_v6(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit UDPv6 + non-match range"""
|
2017-08-10 17:02:58 +02:00
|
|
|
self.logger.info("ACLP_TEST_START_0111")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
|
|
|
)
|
2017-08-10 17:02:58 +02:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV6, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ip6 udp")
|
2017-08-10 17:02:58 +02:00
|
|
|
|
|
|
|
# Traffic should still pass
|
|
|
|
self.run_verify_test(self.IP, self.IPV6, self.proto[self.IP][self.UDP])
|
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0111")
|
|
|
|
|
|
|
|
def test_0112_tcp_deny(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""deny TCPv4/v6 + non-match range"""
|
2017-08-10 17:02:58 +02:00
|
|
|
self.logger.info("ACLP_TEST_START_0112")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4,
|
|
|
|
self.PERMIT,
|
|
|
|
self.PORTS_RANGE_2,
|
|
|
|
self.proto[self.IP][self.TCP],
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6,
|
|
|
|
self.PERMIT,
|
|
|
|
self.PORTS_RANGE_2,
|
|
|
|
self.proto[self.IP][self.TCP],
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
2017-08-10 17:02:58 +02:00
|
|
|
# permit ip any any in the end
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
|
|
|
|
rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
|
2017-08-10 17:02:58 +02:00
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "deny ip4/ip6 tcp")
|
2017-08-10 17:02:58 +02:00
|
|
|
|
|
|
|
# Traffic should not pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_negat_test(
|
|
|
|
self.IP, self.IPRANDOM, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
2017-08-10 17:02:58 +02:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0112")
|
|
|
|
|
|
|
|
def test_0113_udp_deny(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""deny UDPv4/v6 + non-match range"""
|
2017-08-10 17:02:58 +02:00
|
|
|
self.logger.info("ACLP_TEST_START_0113")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4,
|
|
|
|
self.PERMIT,
|
|
|
|
self.PORTS_RANGE_2,
|
|
|
|
self.proto[self.IP][self.UDP],
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6,
|
|
|
|
self.PERMIT,
|
|
|
|
self.PORTS_RANGE_2,
|
|
|
|
self.proto[self.IP][self.UDP],
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV6, self.DENY, self.PORTS_RANGE, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
|
|
|
)
|
2017-08-10 17:02:58 +02:00
|
|
|
# permit ip any any in the end
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(self.create_rule(self.IPV4, self.PERMIT, self.PORTS_ALL, 0))
|
|
|
|
rules.append(self.create_rule(self.IPV6, self.PERMIT, self.PORTS_ALL, 0))
|
2017-08-10 17:02:58 +02:00
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "deny ip4/ip6 udp")
|
2017-08-10 17:02:58 +02:00
|
|
|
|
|
|
|
# Traffic should not pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_negat_test(
|
|
|
|
self.IP, self.IPRANDOM, self.proto[self.IP][self.UDP]
|
|
|
|
)
|
2017-08-10 17:02:58 +02:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0113")
|
|
|
|
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
def test_0300_tcp_permit_v4_etype_aaaa(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit TCPv4, send 0xAAAA etype"""
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0300")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ipv4 tcp")
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
|
|
|
|
# Traffic should still pass also for an odd ethertype
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_test(
|
|
|
|
self.IP, self.IPV4, self.proto[self.IP][self.TCP], 0, False, True, 0xAAAA
|
|
|
|
)
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
self.logger.info("ACLP_TEST_FINISH_0300")
|
|
|
|
|
|
|
|
def test_0305_tcp_permit_v4_etype_blacklist_aaaa(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit TCPv4, whitelist 0x0BBB ethertype, send 0xAAAA-blocked"""
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0305")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ipv4 tcp")
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
# whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
|
2022-04-26 19:02:15 +02:00
|
|
|
self.etype_whitelist([0xBBB], 1)
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
|
|
|
|
# The oddball ethertype should be blocked
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_negat_test(
|
|
|
|
self.IP, self.IPV4, self.proto[self.IP][self.TCP], 0, False, 0xAAAA
|
|
|
|
)
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
|
2018-10-06 09:24:28 +02:00
|
|
|
# remove the whitelist
|
2020-03-27 06:55:06 +01:00
|
|
|
self.etype_whitelist([], 0, add=False)
|
2018-10-06 09:24:28 +02:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0305")
|
|
|
|
|
|
|
|
def test_0306_tcp_permit_v4_etype_blacklist_aaaa(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit TCPv4, whitelist 0x0BBB ethertype, send 0x0BBB - pass"""
|
2018-10-06 09:24:28 +02:00
|
|
|
self.logger.info("ACLP_TEST_START_0306")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
2018-10-06 09:24:28 +02:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ipv4 tcp")
|
2018-10-06 09:24:28 +02:00
|
|
|
# whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
|
2022-04-26 19:02:15 +02:00
|
|
|
self.etype_whitelist([0xBBB], 1)
|
2018-10-06 09:24:28 +02:00
|
|
|
|
|
|
|
# The whitelisted traffic, should pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_test(
|
|
|
|
self.IP, self.IPV4, self.proto[self.IP][self.TCP], 0, False, True, 0x0BBB
|
|
|
|
)
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
|
|
|
|
# remove the whitelist, the previously blocked 0xAAAA should pass now
|
2020-03-27 06:55:06 +01:00
|
|
|
self.etype_whitelist([], 0, add=False)
|
2018-10-06 09:24:28 +02:00
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0306")
|
|
|
|
|
|
|
|
def test_0307_tcp_permit_v4_etype_blacklist_aaaa(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""permit TCPv4, whitelist 0x0BBB, remove, send 0xAAAA - pass"""
|
2018-10-06 09:24:28 +02:00
|
|
|
self.logger.info("ACLP_TEST_START_0307")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
2018-10-06 09:24:28 +02:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules(rules, "permit ipv4 tcp")
|
2018-10-06 09:24:28 +02:00
|
|
|
|
|
|
|
# whitelist the 0xbbbb etype - so the 0xaaaa should be blocked
|
2022-04-26 19:02:15 +02:00
|
|
|
self.etype_whitelist([0xBBB], 1)
|
2018-10-06 09:24:28 +02:00
|
|
|
# remove the whitelist, the previously blocked 0xAAAA should pass now
|
2020-03-27 06:55:06 +01:00
|
|
|
self.etype_whitelist([], 0, add=False)
|
2018-10-06 09:24:28 +02:00
|
|
|
|
|
|
|
# The whitelisted traffic, should pass
|
2022-04-26 19:02:15 +02:00
|
|
|
self.run_verify_test(
|
|
|
|
self.IP, self.IPV4, self.proto[self.IP][self.TCP], 0, False, True, 0xAAAA
|
|
|
|
)
|
acl-plugin: add whitelisted ethertype mode (VPP-1163)
Currently, ACL plugin largely does not care about the
ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6),
the only exception being 0x0806 (ARP), which is
dealt with by the MACIP ACLs.
The other ethertypes in L2 mode are just let through.
This adds a new API message acl_interface_set_etype_whitelist,
which allows to flip the mode of a given interface
into "ethertype whitelist mode": the caller of this message
must supply the two lists (inbound and outbound) of the ethertypes
that are to be permitted, the rest of the ethertypes are
dropped.
The whitelisting for a given interface and direction takes
effect only when a policy ACL is also applied.
This operates on the same classifier node as the one used for
dispatching the policy ACL, thus, if one wishes for most of the
reasonable IPv4 deployments to continue to operate within
the whitelist mode, they must permit ARP ethertype (0x0806)
The empty list for a given direction resets the processing
to allow the unknown ethertypes. So, if one wants to just
permit the IPv4 and IPv6 and nothing else, one can add
their ethertypes to the whitelist.
Add the "show acl-plugin interface" corresponding outputs
about the whitelists, vat command, and unittests.
Change-Id: I4659978c801f36d554b6615e56e424b77876662c
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-06 17:42:32 +01:00
|
|
|
|
2018-10-06 09:24:28 +02:00
|
|
|
self.logger.info("ACLP_TEST_FINISH_0306")
|
2017-08-10 17:02:58 +02:00
|
|
|
|
2018-03-23 10:38:46 +01:00
|
|
|
def test_0315_del_intf(self):
|
2022-04-26 19:02:15 +02:00
|
|
|
"""apply an acl and delete the interface"""
|
2018-03-23 10:38:46 +01:00
|
|
|
self.logger.info("ACLP_TEST_START_0315")
|
|
|
|
|
|
|
|
# Add an ACL
|
|
|
|
rules = []
|
2022-04-26 19:02:15 +02:00
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.DENY, self.PORTS_RANGE_2, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
|
|
|
rules.append(
|
|
|
|
self.create_rule(
|
|
|
|
self.IPV4, self.PERMIT, self.PORTS_RANGE, self.proto[self.IP][self.TCP]
|
|
|
|
)
|
|
|
|
)
|
2018-03-23 10:38:46 +01:00
|
|
|
# deny ip any any in the end
|
|
|
|
rules.append(self.create_rule(self.IPV4, self.DENY, self.PORTS_ALL, 0))
|
|
|
|
|
|
|
|
# create an interface
|
|
|
|
intf = []
|
2018-06-24 10:30:37 +02:00
|
|
|
intf.append(VppLoInterface(self))
|
2018-03-23 10:38:46 +01:00
|
|
|
|
|
|
|
# Apply rules
|
2020-03-27 06:55:06 +01:00
|
|
|
self.apply_rules_to(rules, "permit ipv4 tcp", intf[0].sw_if_index)
|
2018-03-23 10:38:46 +01:00
|
|
|
|
|
|
|
# Remove the interface
|
|
|
|
intf[0].remove_vpp_config()
|
|
|
|
|
|
|
|
self.logger.info("ACLP_TEST_FINISH_0315")
|
|
|
|
|
2020-03-27 06:55:06 +01:00
|
|
|
|
2022-04-26 19:02:15 +02:00
|
|
|
if __name__ == "__main__":
|
2017-03-02 15:22:47 +01:00
|
|
|
unittest.main(testRunner=VppTestRunner)
|