ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

acl: revert acl: api cleanup

Browse Source 
This reverts commit aad1ee1494.

Reason for revert: Verify failure. Doesn't build.

Type: fix
Change-Id: I91b1b26ac43edde4853e4561a0083d0b3a06efee
Signed-off-by: Ole Troan <ot@cisco.com>
This commit is contained in:
Ole Trøan
2020-03-26 18:08:35 +00:00
committed by Ole Troan
parent aad1ee1494
commit 492a5d0bd7
20 changed files with 1090 additions and 1178 deletions
Download Patch File Download Diff File Expand all files Collapse all files
extras/vom/vom/acl_l2_list.cpp
+3 -3
View File
@@ -195,9 +195,9 @@ l2_list::event_handler::handle_populate(const client_db::key_t& key)
l2_list acl(hdl, std::string(reinterpret_cast<const char*>(payload.tag)));
for (unsigned int ii = 0; ii < payload.count; ii++) {
const route::prefix_t pfx(payload.r[ii].src_prefix.address.af,
(uint8_t*)&payload.r[ii].src_prefix.address.un,
payload.r[ii].src_prefix.len);
const route::prefix_t pfx(payload.r[ii].is_ipv6,
payload.r[ii].src_ip_addr,
payload.r[ii].src_ip_prefix_len);
l2_rule rule(ii,
action_t::from_int(payload.r[ii].is_permit),
pfx,
extras/vom/vom/acl_l3_list.cpp
+6 -6
View File
@@ -195,12 +195,12 @@ l3_list::event_handler::handle_populate(const client_db::key_t& key)
l3_list acl(hdl, std::string(reinterpret_cast<const char*>(payload.tag)));
for (unsigned int ii = 0; ii < payload.count; ii++) {
const route::prefix_t src(payload.r[ii].src_prefix.address.af,
(uint8_t*)&payload.r[ii].src_prefix.address.un,
payload.r[ii].src_prefix.len);
const route::prefix_t dst(payload.r[ii].dst_prefix.address.af,
(uint8_t*)&payload.r[ii].dst_prefix.address.un,
payload.r[ii].dst_prefix.len);
const route::prefix_t src(payload.r[ii].is_ipv6,
payload.r[ii].src_ip_addr,
payload.r[ii].src_ip_prefix_len);
const route::prefix_t dst(payload.r[ii].is_ipv6,
payload.r[ii].dst_ip_addr,
payload.r[ii].dst_ip_prefix_len);
l3_rule rule(ii, action_t::from_int(payload.r[ii].is_permit), src, dst);
rule.set_proto(payload.r[ii].proto);
extras/vom/vom/acl_list_cmds.cpp
+9 -12
View File
@@ -24,10 +24,9 @@ namespace list_cmds {
static void
to_vpp(const l2_rule& rule, vapi_type_macip_acl_rule& payload)
{
payload.is_permit = (vapi_enum_acl_action)rule.action().value();
rule.src_ip().to_vpp((uint8_t*)&payload.src_prefix.address.af,
(uint8_t*)&payload.src_prefix.address.un,
&payload.src_prefix.len);
payload.is_permit = rule.action().value();
rule.src_ip().to_vpp(
&payload.is_ipv6, payload.src_ip_addr, &payload.src_ip_prefix_len);
rule.mac().to_bytes(payload.src_mac, 6);
rule.mac_mask().to_bytes(payload.src_mac_mask, 6);
}
@@ -35,15 +34,13 @@ to_vpp(const l2_rule& rule, vapi_type_macip_acl_rule& payload)
static void
to_vpp(const l3_rule& rule, vapi_type_acl_rule& payload)
{
payload.is_permit = (vapi_enum_acl_action)rule.action().value();
rule.src().to_vpp((uint8_t*)&payload.src_prefix.address.af,
(uint8_t*)&payload.src_prefix.address.un,
&payload.src_prefix.len);
rule.dst().to_vpp((uint8_t*)&payload.dst_prefix.address.af,
(uint8_t*)&payload.dst_prefix.address.un,
&payload.dst_prefix.len);
payload.is_permit = rule.action().value();
rule.src().to_vpp(
&payload.is_ipv6, payload.src_ip_addr, &payload.src_ip_prefix_len);
rule.dst().to_vpp(
&payload.is_ipv6, payload.dst_ip_addr, &payload.dst_ip_prefix_len);
payload.proto = (vapi_enum_ip_proto)rule.proto();
payload.proto = rule.proto();
payload.srcport_or_icmptype_first = rule.srcport_or_icmptype_first();
payload.srcport_or_icmptype_last = rule.srcport_or_icmptype_last();
payload.dstport_or_icmpcode_first = rule.dstport_or_icmpcode_first();
src/plugins/abf/test/test_abf.py
+25 -12
View File
@@ -7,13 +7,11 @@ from framework import VppTestCase, VppTestRunner
from vpp_ip import DpoProto
from vpp_ip_route import VppIpRoute, VppRoutePath, VppMplsLabel, \
VppIpTable, FibPathProto
from vpp_acl import AclRule, VppAcl
from scapy.packet import Raw
from scapy.layers.l2 import Ether
from scapy.layers.inet import IP, UDP
from scapy.layers.inet6 import IPv6
from ipaddress import IPv4Network, IPv6Network
from vpp_object import VppObject
@@ -163,11 +161,18 @@ class TestAbf(VppTestCase):
#
# Rule 1
#
rule_1 = AclRule(is_permit=1, proto=17, ports=1234,
src_prefix=IPv4Network("1.1.1.1/32"),
dst_prefix=IPv4Network("1.1.1.2/32"))
acl_1 = VppAcl(self, rules=[rule_1])
acl_1.add_vpp_config()
rule_1 = ({'is_permit': 1,
'is_ipv6': 0,
'proto': 17,
'srcport_or_icmptype_first': 1234,
'srcport_or_icmptype_last': 1234,
'src_ip_prefix_len': 32,
'src_ip_addr': inet_pton(AF_INET, "1.1.1.1"),
'dstport_or_icmpcode_first': 1234,
'dstport_or_icmpcode_last': 1234,
'dst_ip_prefix_len': 32,
'dst_ip_addr': inet_pton(AF_INET, "1.1.1.2")})
acl_1 = self.vapi.acl_add_replace(acl_index=4294967295, r=[rule_1])
#
# ABF policy for ACL 1 - path via interface 1
@@ -279,11 +284,19 @@ class TestAbf(VppTestCase):
#
# Rule 1
#
rule_1 = AclRule(is_permit=1, proto=17, ports=1234,
src_prefix=IPv6Network("2001::2/128"),
dst_prefix=IPv6Network("2001::1/128"))
acl_1 = VppAcl(self, rules=[rule_1])
acl_1.add_vpp_config()
rule_1 = ({'is_permit': 1,
'is_ipv6': 1,
'proto': 17,
'srcport_or_icmptype_first': 1234,
'srcport_or_icmptype_last': 1234,
'src_ip_prefix_len': 128,
'src_ip_addr': inet_pton(AF_INET6, "2001::2"),
'dstport_or_icmpcode_first': 1234,
'dstport_or_icmpcode_last': 1234,
'dst_ip_prefix_len': 128,
'dst_ip_addr': inet_pton(AF_INET6, "2001::1")})
acl_1 = self.vapi.acl_add_replace(acl_index=4294967295,
r=[rule_1])
#
# ABF policy for ACL 1 - path via interface 1
src/plugins/acl/acl.api
+19 -20
View File
@@ -19,10 +19,9 @@
used to control the ACL plugin
*/
option version = "2.0.0";
option version = "1.0.1";
import "plugins/acl/acl_types.api";
import "vnet/interface_types.api";
/** \brief Get the plugin version
@param client_index - opaque cookie to identify the sender
@@ -107,7 +106,7 @@ manual_print manual_endian define acl_add_replace
u32 client_index;
u32 context;
u32 acl_index; /* ~0 to add, existing ACL# to replace */
string tag[64]; /* What gets in here gets out in the corresponding tag field when dumping the ACLs. */
u8 tag[64]; /* What gets in here gets out in the corresponding tag field when dumping the ACLs. */
u32 count;
vl_api_acl_rule_t r[count];
option vat_help = "<acl-idx> [<ipv4|ipv6>] <permit|permit+reflect|deny|action N> [src IP/plen] [dst IP/plen] [sport X-Y] [dport X-Y] [proto P] [tcpflags FL MASK], ... , ...";
@@ -155,13 +154,13 @@ autoreply manual_print define acl_interface_add_del
{
u32 client_index;
u32 context;
bool is_add [default=true];
u8 is_add;
/*
* is_input = 0 => ACL applied on interface egress
* is_input = 1 => ACL applied on interface ingress
*/
bool is_input;
vl_api_interface_index_t sw_if_index;
u8 is_input;
u32 sw_if_index;
u32 acl_index;
option vat_help = "<intfc> | sw_if_index <if-idx> [add|del] [input|output] acl <acl-idx>";
};
@@ -179,7 +178,7 @@ autoreply manual_print define acl_interface_set_acl_list
{
u32 client_index;
u32 context;
vl_api_interface_index_t sw_if_index;
u32 sw_if_index;
u8 count;
u8 n_input; /* First n_input ACLs are set as a list of input ACLs, the rest are applied as output */
u32 acls[count];
@@ -217,7 +216,7 @@ manual_endian manual_print define acl_details
{
u32 context;
u32 acl_index;
string tag[64]; /* Same blob that was supplied to us when creating the ACL, one hopes. */
u8 tag[64]; /* Same blob that was supplied to us when creating the ACL, one hopes. */
u32 count;
vl_api_acl_rule_t r[count];
};
@@ -232,7 +231,7 @@ define acl_interface_list_dump
{
u32 client_index;
u32 context;
vl_api_interface_index_t sw_if_index; /* ~0 for all interfaces */
u32 sw_if_index; /* ~0 for all interfaces */
option vat_help = "[<intfc> | sw_if_index <if-idx>]";
};
@@ -247,7 +246,7 @@ define acl_interface_list_dump
define acl_interface_list_details
{
u32 context;
vl_api_interface_index_t sw_if_index;
u32 sw_if_index;
u8 count;
u8 n_input;
u32 acls[count];
@@ -265,7 +264,7 @@ manual_endian manual_print define macip_acl_add
{
u32 client_index;
u32 context;
string tag[64];
u8 tag[64];
u32 count;
vl_api_macip_acl_rule_t r[count];
option vat_help = "...";
@@ -298,7 +297,7 @@ manual_endian manual_print define macip_acl_add_replace
u32 client_index;
u32 context;
u32 acl_index; /* ~0 to add, existing MACIP ACL# to replace */
string tag[64];
u8 tag[64];
u32 count;
vl_api_macip_acl_rule_t r[count];
option vat_help = "<acl-idx> [<ipv4|ipv6>] <permit|deny|action N> [count <count>] [src] ip <ipaddress/[plen]> mac <mac> mask <mac_mask>, ... , ...";
@@ -343,9 +342,9 @@ autoreply manual_print define macip_acl_interface_add_del
{
u32 client_index;
u32 context;
bool is_add [default=true];
u8 is_add;
/* MACIP ACLs are always input */
vl_api_interface_index_t sw_if_index;
u32 sw_if_index;
u32 acl_index;
option vat_help = "<intfc> | sw_if_index <if-idx> [add|del] acl <acl-idx>";
};
@@ -376,7 +375,7 @@ manual_endian manual_print define macip_acl_details
{
u32 context;
u32 acl_index;
string tag[64];
u8 tag[64];
u32 count;
vl_api_macip_acl_rule_t r[count];
};
@@ -415,7 +414,7 @@ define macip_acl_interface_list_dump
{
u32 client_index;
u32 context;
vl_api_interface_index_t sw_if_index; /* ~0 for all interfaces */
u32 sw_if_index; /* ~0 for all interfaces */
};
/** \brief Details about a single MACIP ACL contents
@@ -428,7 +427,7 @@ define macip_acl_interface_list_dump
define macip_acl_interface_list_details
{
u32 context;
vl_api_interface_index_t sw_if_index;
u32 sw_if_index;
u8 count;
u32 acls[count];
};
@@ -446,7 +445,7 @@ autoreply manual_print define acl_interface_set_etype_whitelist
{
u32 client_index;
u32 context;
vl_api_interface_index_t sw_if_index;
u32 sw_if_index;
u8 count; /* Total number of ethertypes in the whitelist */
u8 n_input; /* first n_input ethertypes are input, the rest - output */
u16 whitelist[count];
@@ -463,7 +462,7 @@ define acl_interface_etype_whitelist_dump
{
u32 client_index;
u32 context;
vl_api_interface_index_t sw_if_index; /* ~0 for all interfaces */
u32 sw_if_index; /* ~0 for all interfaces */
option vat_help = "[<intfc> | sw_if_index <if-idx>]";
};
@@ -478,7 +477,7 @@ define acl_interface_etype_whitelist_dump
define acl_interface_etype_whitelist_details
{
u32 context;
vl_api_interface_index_t sw_if_index;
u32 sw_if_index;
u8 count;
u8 n_input; /* first n_input ethertypes are input, the rest - output */
u16 whitelist[count];
src/plugins/acl/acl.c
+81 -55
View File
@@ -24,8 +24,6 @@
#include <vnet/classify/in_out_acl.h>
#include <vpp/app/version.h>
#include <vnet/ethernet/ethernet_types_api.h>
#include <vlibapi/api.h>
#include <vlibmemory/api.h>
@@ -344,41 +342,35 @@ validate_and_reset_acl_counters (acl_main_t * am, u32 acl_index)
}
static int
acl_api_ip4_invalid_prefix (const vl_api_prefix_t * prefix)
acl_api_ip4_invalid_prefix (void *ip4_pref_raw, u8 ip4_prefix_len)
{
ip4_address_t ip4_addr;
ip4_address_t ip4_mask;
ip4_address_t ip4_masked_addr;
if (prefix->len > 32)
return 1;
ip4_address_decode (prefix->address.un.ip4, &ip4_addr);
ip4_preflen_to_mask (prefix->len, &ip4_mask);
memcpy (&ip4_addr, ip4_pref_raw, sizeof (ip4_addr));
ip4_preflen_to_mask (ip4_prefix_len, &ip4_mask);
ip4_masked_addr.as_u32 = ip4_addr.as_u32 & ip4_mask.as_u32;
int ret = (ip4_masked_addr.as_u32 != ip4_addr.as_u32);
if (ret)
{
clib_warning
("inconsistent addr %U for prefix len %d; (%U when masked)",
format_ip4_address, prefix->address.un.ip4, prefix->len,
format_ip4_address, &ip4_masked_addr);
format_ip4_address, ip4_pref_raw, ip4_prefix_len, format_ip4_address,
&ip4_masked_addr);
}
return ret;
}
static int
acl_api_ip6_invalid_prefix (const vl_api_prefix_t * prefix)
acl_api_ip6_invalid_prefix (void *ip6_pref_raw, u8 ip6_prefix_len)
{
ip6_address_t ip6_addr;
ip6_address_t ip6_mask;
ip6_address_t ip6_masked_addr;
if (prefix->len > 128)
return 1;
ip6_address_decode (prefix->address.un.ip6, &ip6_addr);
ip6_preflen_to_mask (prefix->len, &ip6_mask);
memcpy (&ip6_addr, ip6_pref_raw, sizeof (ip6_addr));
ip6_preflen_to_mask (ip6_prefix_len, &ip6_mask);
ip6_masked_addr.as_u64[0] = ip6_addr.as_u64[0] & ip6_mask.as_u64[0];
ip6_masked_addr.as_u64[1] = ip6_addr.as_u64[1] & ip6_mask.as_u64[1];
int ret = ((ip6_masked_addr.as_u64[0] != ip6_addr.as_u64[0])
@@ -387,20 +379,12 @@ acl_api_ip6_invalid_prefix (const vl_api_prefix_t * prefix)
{
clib_warning
("inconsistent addr %U for prefix len %d; (%U when masked)",
format_ip6_address, prefix->address.un.ip6, prefix->len,
format_ip6_address, &ip6_masked_addr);
format_ip6_address, ip6_pref_raw, ip6_prefix_len, format_ip6_address,
&ip6_masked_addr);
}
return ret;
}
static int
acl_api_invalid_prefix (const vl_api_prefix_t * prefix)
{
if (prefix->address.af == ADDRESS_IP6)
return acl_api_ip6_invalid_prefix (prefix);
return acl_api_ip4_invalid_prefix (prefix);
}
static int
acl_add_list (u32 count, vl_api_acl_rule_t rules[],
u32 * acl_list_index, u8 * tag)
@@ -418,10 +402,32 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
/* check if what they request is consistent */
for (i = 0; i < count; i++)
{
if (acl_api_invalid_prefix (&rules[i].src_prefix))
return VNET_API_ERROR_INVALID_SRC_ADDRESS;
if (acl_api_invalid_prefix (&rules[i].dst_prefix))
return VNET_API_ERROR_INVALID_DST_ADDRESS;
if (rules[i].is_ipv6)
{
if (rules[i].src_ip_prefix_len > 128)
return VNET_API_ERROR_INVALID_VALUE;
if (rules[i].dst_ip_prefix_len > 128)
return VNET_API_ERROR_INVALID_VALUE;
if (acl_api_ip6_invalid_prefix
(&rules[i].src_ip_addr, rules[i].src_ip_prefix_len))
return VNET_API_ERROR_INVALID_SRC_ADDRESS;
if (acl_api_ip6_invalid_prefix
(&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len))
return VNET_API_ERROR_INVALID_DST_ADDRESS;
}
else
{
if (rules[i].src_ip_prefix_len > 32)
return VNET_API_ERROR_INVALID_VALUE;
if (rules[i].dst_ip_prefix_len > 32)
return VNET_API_ERROR_INVALID_VALUE;
if (acl_api_ip4_invalid_prefix
(&rules[i].src_ip_addr, rules[i].src_ip_prefix_len))
return VNET_API_ERROR_INVALID_SRC_ADDRESS;
if (acl_api_ip4_invalid_prefix
(&rules[i].dst_ip_addr, rules[i].dst_ip_prefix_len))
return VNET_API_ERROR_INVALID_DST_ADDRESS;
}
if (ntohs (rules[i].srcport_or_icmptype_first) >
ntohs (rules[i].srcport_or_icmptype_last))
return VNET_API_ERROR_INVALID_VALUE_2;
@@ -460,11 +466,19 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
r = vec_elt_at_index (acl_new_rules, i);
clib_memset (r, 0, sizeof (*r));
r->is_permit = rules[i].is_permit;
r->is_ipv6 = rules[i].src_prefix.address.af;
ip_address_decode (&rules[i].src_prefix.address, &r->src);
ip_address_decode (&rules[i].dst_prefix.address, &r->dst);
r->src_prefixlen = rules[i].src_prefix.len;
r->dst_prefixlen = rules[i].dst_prefix.len;
r->is_ipv6 = rules[i].is_ipv6;
if (r->is_ipv6)
{
memcpy (&r->src, rules[i].src_ip_addr, sizeof (r->src));
memcpy (&r->dst, rules[i].dst_ip_addr, sizeof (r->dst));
}
else
{
memcpy (&r->src.ip4, rules[i].src_ip_addr, sizeof (r->src.ip4));
memcpy (&r->dst.ip4, rules[i].dst_ip_addr, sizeof (r->dst.ip4));
}
r->src_prefixlen = rules[i].src_ip_prefix_len;
r->dst_prefixlen = rules[i].dst_ip_prefix_len;
r->proto = rules[i].proto;
r->src_port_or_type_first = ntohs (rules[i].srcport_or_icmptype_first);
r->src_port_or_type_last = ntohs (rules[i].srcport_or_icmptype_last);
@@ -1700,12 +1714,14 @@ macip_acl_add_list (u32 count, vl_api_macip_acl_rule_t rules[],
{
r = &acl_new_rules[i];
r->is_permit = rules[i].is_permit;
r->is_ipv6 = rules[i].src_prefix.address.af;
mac_address_decode (rules[i].src_mac, (mac_address_t *) & r->src_mac);
mac_address_decode (rules[i].src_mac_mask,
(mac_address_t *) & r->src_mac_mask);
ip_address_decode (&rules[i].src_prefix.address, &r->src_ip_addr);
r->src_prefixlen = rules[i].src_prefix.len;
r->is_ipv6 = rules[i].is_ipv6;
memcpy (&r->src_mac, rules[i].src_mac, 6);
memcpy (&r->src_mac_mask, rules[i].src_mac_mask, 6);
if (rules[i].is_ipv6)
memcpy (&r->src_ip_addr.ip6, rules[i].src_ip_addr, 16);
else
memcpy (&r->src_ip_addr.ip4, rules[i].src_ip_addr, 4);
r->src_prefixlen = rules[i].src_ip_prefix_len;
}
if (~0 == *acl_list_index)
@@ -2030,12 +2046,19 @@ static void
copy_acl_rule_to_api_rule (vl_api_acl_rule_t * api_rule, acl_rule_t * r)
{
api_rule->is_permit = r->is_permit;
ip_address_encode (&r->src, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
&api_rule->src_prefix.address);
ip_address_encode (&r->dst, r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
&api_rule->dst_prefix.address);
api_rule->src_prefix.len = r->src_prefixlen;
api_rule->dst_prefix.len = r->dst_prefixlen;
api_rule->is_ipv6 = r->is_ipv6;
if (r->is_ipv6)
{
memcpy (api_rule->src_ip_addr, &r->src, sizeof (r->src));
memcpy (api_rule->dst_ip_addr, &r->dst, sizeof (r->dst));
}
else
{
memcpy (api_rule->src_ip_addr, &r->src.ip4, sizeof (r->src.ip4));
memcpy (api_rule->dst_ip_addr, &r->dst.ip4, sizeof (r->dst.ip4));
}
api_rule->src_ip_prefix_len = r->src_prefixlen;
api_rule->dst_ip_prefix_len = r->dst_prefixlen;
api_rule->proto = r->proto;
api_rule->srcport_or_icmptype_first = htons (r->src_port_or_type_first);
api_rule->srcport_or_icmptype_last = htons (r->src_port_or_type_last);
@@ -2310,14 +2333,17 @@ send_macip_acl_details (acl_main_t * am, vl_api_registration_t * reg,
{
r = &acl->rules[i];
rules[i].is_permit = r->is_permit;
mac_address_encode ((mac_address_t *) & r->src_mac,
rules[i].src_mac);
mac_address_encode ((mac_address_t *) & r->src_mac_mask,
rules[i].src_mac_mask);
ip_address_encode (&r->src_ip_addr,
r->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,
&rules[i].src_prefix.address);
rules[i].src_prefix.len = r->src_prefixlen;
rules[i].is_ipv6 = r->is_ipv6;
memcpy (rules[i].src_mac, &r->src_mac, sizeof (r->src_mac));
memcpy (rules[i].src_mac_mask, &r->src_mac_mask,
sizeof (r->src_mac_mask));
if (r->is_ipv6)
memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip6,
sizeof (r->src_ip_addr.ip6));
else
memcpy (rules[i].src_ip_addr, &r->src_ip_addr.ip4,
sizeof (r->src_ip_addr.ip4));
rules[i].src_ip_prefix_len = r->src_prefixlen;
}
}
else
src/plugins/acl/acl_test.c
+88 -63
View File
@@ -25,9 +25,6 @@
#include <vnet/ip/ip.h>
#include <arpa/inet.h>
#include <vnet/ip/ip_format_fns.h>
#include <vnet/ethernet/ethernet_format_fns.h>
#define __plugin_msg_base acl_test_main.msg_id_base
#include <vlibapi/vat_helper_macros.h>
@@ -159,16 +156,16 @@ static void vl_api_acl_plugin_get_conn_table_max_entries_reply_t_handler
static inline u8 *
vl_api_acl_rule_t_pretty_format (u8 *out, vl_api_acl_rule_t * a)
{
int af = a->src_prefix.address.af ? AF_INET6 : AF_INET;
int af = a->is_ipv6 ? AF_INET6 : AF_INET;
u8 src[INET6_ADDRSTRLEN];
u8 dst[INET6_ADDRSTRLEN];
inet_ntop(af, &a->src_prefix.address.un, (void *)src, sizeof(src));
inet_ntop(af, &a->dst_prefix.address.un, (void *)dst, sizeof(dst));
inet_ntop(af, a->src_ip_addr, (void *)src, sizeof(src));
inet_ntop(af, a->dst_ip_addr, (void *)dst, sizeof(dst));
out = format(out, "%s action %d src %s/%d dst %s/%d proto %d sport %d-%d dport %d-%d tcpflags %d mask %d",
a->src_prefix.address.af ? "ipv6" : "ipv4", a->is_permit,
src, a->src_prefix.len,
dst, a->dst_prefix.len,
a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit,
src, a->src_ip_prefix_len,
dst, a->dst_ip_prefix_len,
a->proto,
a->srcport_or_icmptype_first, a->srcport_or_icmptype_last,
a->dstport_or_icmpcode_first, a->dstport_or_icmpcode_last,
@@ -199,13 +196,13 @@ static void vl_api_acl_details_t_handler
static inline u8 *
vl_api_macip_acl_rule_t_pretty_format (u8 *out, vl_api_macip_acl_rule_t * a)
{
int af = a->src_prefix.address.af ? AF_INET6 : AF_INET;
int af = a->is_ipv6 ? AF_INET6 : AF_INET;
u8 src[INET6_ADDRSTRLEN];
inet_ntop(af, &a->src_prefix.address.un, (void *)src, sizeof(src));
inet_ntop(af, a->src_ip_addr, (void *)src, sizeof(src));
out = format(out, "%s action %d ip %s/%d mac %U mask %U",
a->src_prefix.address.af ? "ipv6" : "ipv4", a->is_permit,
src, a->src_prefix.len,
a->is_ipv6 ? "ipv6" : "ipv4", a->is_permit,
src, a->src_ip_prefix_len,
my_format_mac_address, a->src_mac,
my_format_mac_address, a->src_mac_mask);
return(out);
@@ -352,7 +349,17 @@ static int api_acl_add_replace (vat_main_t * vam)
while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
{
if (unformat (i, "permit+reflect"))
if (unformat (i, "ipv6"))
{
vec_validate_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 1;
}
else if (unformat (i, "ipv4"))
{
vec_validate_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 0;
}
else if (unformat (i, "permit+reflect"))
{
vec_validate_acl_rules(rules, rule_idx);
rules[rule_idx].is_permit = 2;
@@ -380,33 +387,33 @@ static int api_acl_add_replace (vat_main_t * vam)
unformat_ip4_address, &src_v4address, &src_prefix_length))
{
vec_validate_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].src_prefix.len = src_prefix_length;
memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
rules[rule_idx].src_ip_prefix_len = src_prefix_length;
rules[rule_idx].is_ipv6 = 0;
}
else if (unformat (i, "src %U/%d",
unformat_ip6_address, &src_v6address, &src_prefix_length))
{
vec_validate_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].src_prefix.address.un.ip6, &src_v6address, 16);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP6;
rules[rule_idx].src_prefix.len = src_prefix_length;
memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
rules[rule_idx].src_ip_prefix_len = src_prefix_length;
rules[rule_idx].is_ipv6 = 1;
}
else if (unformat (i, "dst %U/%d",
unformat_ip4_address, &dst_v4address, &dst_prefix_length))
{
vec_validate_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].dst_prefix.address.un.ip4, &dst_v4address, 4);
rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].dst_prefix.len = dst_prefix_length;
memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
rules[rule_idx].is_ipv6 = 0;
}
else if (unformat (i, "dst %U/%d",
unformat_ip6_address, &dst_v6address, &dst_prefix_length))
{
vec_validate_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].dst_prefix.address.un.ip6, &dst_v6address, 16);
rules[rule_idx].dst_prefix.address.af = ADDRESS_IP6;
rules[rule_idx].dst_prefix.len = dst_prefix_length;
memcpy (rules[rule_idx].dst_ip_addr, &dst_v6address, 16);
rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
rules[rule_idx].is_ipv6 = 1;
}
else if (unformat (i, "sport %d-%d", &port1, &port2))
{
@@ -644,13 +651,12 @@ api_acl_add_replace_from_file (vat_main_t * vam)
rule_idx++;
vec_validate_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 0;
rules[rule_idx].is_permit = is_permit;
memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].src_prefix.len = src_prefix_length;
memcpy (rules[rule_idx].dst_prefix.address.un.ip4, &dst_v4address, 4);
rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].dst_prefix.len = dst_prefix_length;
memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
rules[rule_idx].src_ip_prefix_len = src_prefix_length;
memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
rules[rule_idx].dst_ip_prefix_len = dst_prefix_length;
rules[rule_idx].srcport_or_icmptype_first = htons(sport_low);
rules[rule_idx].srcport_or_icmptype_last = htons(sport_high);
rules[rule_idx].dstport_or_icmpcode_first = htons(dport_low);
@@ -665,23 +671,22 @@ api_acl_add_replace_from_file (vat_main_t * vam)
rule_idx++;
vec_validate_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 0;
rules[rule_idx].is_permit = is_permit == 2 ? 2 : 1;
src_v4address.data[0]=0;
src_v4address.data[1]=0;
src_v4address.data[2]=0;
src_v4address.data[3]=0;
memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].src_prefix.len = 0;
memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
rules[rule_idx].src_ip_prefix_len = 0;
dst_v4address.data[0]=0;
dst_v4address.data[1]=0;
dst_v4address.data[2]=0;
dst_v4address.data[3]=0;
memcpy (rules[rule_idx].dst_prefix.address.un.ip4, &dst_v4address, 4);
rules[rule_idx].dst_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].dst_prefix.len = 0;
memcpy (rules[rule_idx].dst_ip_addr, &dst_v4address, 4);
rules[rule_idx].dst_ip_prefix_len = 0;
rules[rule_idx].srcport_or_icmptype_first = htons(0);
rules[rule_idx].srcport_or_icmptype_last = htons(65535);
@@ -1171,7 +1176,17 @@ static int api_macip_acl_add (vat_main_t * vam)
while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
{
if (unformat (i, "permit"))
if (unformat (i, "ipv6"))
{
vec_validate_macip_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 1;
}
else if (unformat (i, "ipv4"))
{
vec_validate_macip_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 0;
}
else if (unformat (i, "permit"))
{
vec_validate_macip_acl_rules(rules, rule_idx);
rules[rule_idx].is_permit = 1;
@@ -1198,9 +1213,9 @@ static int api_macip_acl_add (vat_main_t * vam)
if (src_prefix_length == 0)
src_prefix_length = 32;
vec_validate_macip_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].src_prefix.len = src_prefix_length;
memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
rules[rule_idx].src_ip_prefix_len = src_prefix_length;
rules[rule_idx].is_ipv6 = 0;
}
else if (unformat (i, "src"))
{
@@ -1214,9 +1229,9 @@ static int api_macip_acl_add (vat_main_t * vam)
if (src_prefix_length == 0)
src_prefix_length = 128;
vec_validate_macip_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v6address, 4);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP6;
rules[rule_idx].src_prefix.len = src_prefix_length;
memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
rules[rule_idx].src_ip_prefix_len = src_prefix_length;
rules[rule_idx].is_ipv6 = 1;
}
else if (unformat (i, "mac %U",
my_unformat_mac_address, &src_mac))
@@ -1308,7 +1323,17 @@ static int api_macip_acl_add_replace (vat_main_t * vam)
while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
{
if (unformat (i, "permit"))
if (unformat (i, "ipv6"))
{
vec_validate_macip_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 1;
}
else if (unformat (i, "ipv4"))
{
vec_validate_macip_acl_rules(rules, rule_idx);
rules[rule_idx].is_ipv6 = 0;
}
else if (unformat (i, "permit"))
{
vec_validate_macip_acl_rules(rules, rule_idx);
rules[rule_idx].is_permit = 1;
@@ -1328,32 +1353,32 @@ static int api_macip_acl_add_replace (vat_main_t * vam)
rules[rule_idx].is_permit = action;
}
else if (unformat (i, "ip %U/%d",
unformat_ip4_address, &src_v4address, &src_prefix_length) ||
unformat (i, "ip %U",
unformat_ip4_address, &src_v4address))
unformat_ip4_address, &src_v4address, &src_prefix_length) ||
unformat (i, "ip %U",
unformat_ip4_address, &src_v4address))
{
if (src_prefix_length == 0)
src_prefix_length = 32;
vec_validate_macip_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v4address, 4);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP4;
rules[rule_idx].src_prefix.len = src_prefix_length;
if (src_prefix_length == 0)
src_prefix_length = 32;
vec_validate_macip_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].src_ip_addr, &src_v4address, 4);
rules[rule_idx].src_ip_prefix_len = src_prefix_length;
rules[rule_idx].is_ipv6 = 0;
}
else if (unformat (i, "src"))
{
/* Everything in MACIP is "source" but allow this verbosity */
/* Everything in MACIP is "source" but allow this verbosity */
}
else if (unformat (i, "ip %U/%d",
unformat_ip6_address, &src_v6address, &src_prefix_length) ||
unformat (i, "ip %U",
unformat_ip6_address, &src_v6address))
unformat_ip6_address, &src_v6address, &src_prefix_length) ||
unformat (i, "ip %U",
unformat_ip6_address, &src_v6address))
{
if (src_prefix_length == 0)
src_prefix_length = 128;
src_prefix_length = 128;
vec_validate_macip_acl_rules(rules, rule_idx);
memcpy (rules[rule_idx].src_prefix.address.un.ip4, &src_v6address, 4);
rules[rule_idx].src_prefix.address.af = ADDRESS_IP6;
rules[rule_idx].src_prefix.len = src_prefix_length;
memcpy (rules[rule_idx].src_ip_addr, &src_v6address, 16);
rules[rule_idx].src_ip_prefix_len = src_prefix_length;
rules[rule_idx].is_ipv6 = 1;
}
else if (unformat (i, "mac %U",
my_unformat_mac_address, &src_mac))
src/plugins/acl/acl_types.api
+26 -23
View File
@@ -15,20 +15,14 @@
* limitations under the License.
*/
import "vnet/ip/ip_types.api";
import "vnet/ethernet/ethernet_types.api";
enum acl_action : u8
{
ACL_ACTION_API_DENY = 0,
ACL_ACTION_API_PERMIT = 1,
ACL_ACTION_API_PERMIT_REFLECT = 2,
};
/** \brief Access List Rule entry
@param is_permit - deny (0), permit (1), or permit+reflect(2) action on this rule.
@param src_prefix - Source prefix
@param dst_prefix - Destination prefix
@param is_ipv6 - IP addresses in this rule are IPv6 (1) or IPv4 (0)
@param src_ip_addr - Source prefix value
@param src_ip_prefix_len - Source prefix length
@param dst_ip_addr - Destination prefix value
@param dst_ip_prefix_len - Destination prefix length
@param proto - L4 protocol (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)
@param srcport_or_icmptype_first - beginning of source port or ICMP4/6 type range
@param srcport_or_icmptype_last - end of source port or ICMP4/6 type range
@@ -40,14 +34,17 @@ enum acl_action : u8
typedef acl_rule
{
vl_api_acl_action_t is_permit;
vl_api_prefix_t src_prefix;
vl_api_prefix_t dst_prefix;
u8 is_permit;
u8 is_ipv6;
u8 src_ip_addr[16];
u8 src_ip_prefix_len;
u8 dst_ip_addr[16];
u8 dst_ip_prefix_len;
/*
* L4 protocol. IANA number. 1 = ICMP, 58 = ICMPv6, 6 = TCP, 17 = UDP.
* 0 => ignore L4 and ignore the ports/tcpflags when matching.
*/
vl_api_ip_proto_t proto;
u8 proto;
/*
* If the L4 protocol is TCP or UDP, the below
* hold ranges of ports, else if the L4 is ICMP/ICMPv6
@@ -73,24 +70,30 @@ typedef acl_rule
/** \brief MACIP Access List Rule entry
@param is_permit - deny (0), permit (1) action on this rule.
@param is_ipv6 - IP addresses in this rule are IPv6 (1) or IPv4 (0)
@param src_mac - match masked source MAC address against this value
@param src_mac_mask - AND source MAC address with this value before matching
@param src_prefix - Source prefix value
@param src_ip_addr - Source prefix value
@param src_ip_prefix_len - Source prefix length
*/
typedef macip_acl_rule
{
vl_api_acl_action_t is_permit;
u8 is_permit;
u8 is_ipv6;
/*
* The source mac of the packet ANDed with src_mac_mask.
* The source ip[46] address in the packet is matched
* against src_prefix set to 0.
* against src_ip_addr, with src_ip_prefix_len set to 0.
*
* For better performance, minimize the number of
* (src_mac_mask, src_prefix.len) combinations
* (src_mac_mask, src_ip_prefix_len) combinations
* in a MACIP ACL.
*/
vl_api_mac_address_t src_mac;
vl_api_mac_address_t src_mac_mask;
vl_api_prefix_t src_prefix;
u8 src_mac[6];
u8 src_mac_mask[6];
u8 src_ip_addr[16];
u8 src_ip_prefix_len;
};
src/plugins/acl/manual_fns.h
+16 -15
View File
@@ -18,7 +18,6 @@
#include <vnet/ip/format.h>
#include <vnet/ethernet/ethernet.h>
#include <vnet/ip/ip_types_api.h>
#define vl_endianfun /* define message structures */
#include <acl/acl_types.api.h>
@@ -129,18 +128,19 @@ static inline void *
vl_api_acl_rule_t_print (vl_api_acl_rule_t * a, void *handle)
{
u8 *s;
fib_prefix_t src, dst;
ip_prefix_decode (&a->src_prefix, &src);
ip_prefix_decode (&a->dst_prefix, &dst);
s = format (0, " %s ", a->src_prefix.address.af ? "ipv6" : "ipv4");
s = format (0, " %s ", a->is_ipv6 ? "ipv6" : "ipv4");
s = format_acl_action (s, a->is_permit);
s = format (s, " \\\n");
s = format (s, " src %U dst %U \\\n",
format_fib_prefix, &src,
format_fib_prefix, &dst);
if (a->is_ipv6)
s = format (s, " src %U/%d dst %U/%d \\\n",
format_ip6_address, a->src_ip_addr, a->src_ip_prefix_len,
format_ip6_address, a->dst_ip_addr, a->dst_ip_prefix_len);
else
s = format (s, " src %U/%d dst %U/%d \\\n",
format_ip4_address, a->src_ip_addr, a->src_ip_prefix_len,
format_ip4_address, a->dst_ip_addr, a->dst_ip_prefix_len);
s = format (s, " proto %d \\\n", a->proto);
s = format (s, " sport %d-%d dport %d-%d \\\n",
clib_net_to_host_u16 (a->srcport_or_icmptype_first),
@@ -158,19 +158,20 @@ static inline void *
vl_api_macip_acl_rule_t_print (vl_api_macip_acl_rule_t * a, void *handle)
{
u8 *s;
fib_prefix_t src;
ip_prefix_decode (&a->src_prefix, &src);
s = format (0, " %s %s \\\n", a->src_prefix.address.af ? "ipv6" : "ipv4",
s = format (0, " %s %s \\\n", a->is_ipv6 ? "ipv6" : "ipv4",
a->is_permit ? "permit" : "deny");
s = format (s, " src mac %U mask %U \\\n",
format_ethernet_address, a->src_mac,
format_ethernet_address, a->src_mac_mask);
s = format (s, " src ip %U, \\",
format_fib_prefix, &src);
if (a->is_ipv6)
s = format (s, " src ip %U/%d, \\",
format_ip6_address, a->src_ip_addr, a->src_ip_prefix_len);
else
s = format (s, " src ip %U/%d, \\",
format_ip4_address, a->src_ip_addr, a->src_ip_prefix_len);
PRINT_S;
return handle;
src/plugins/acl/test/test_acl_plugin.py
+219 -138
View File
File diff suppressed because it is too large Load Diff
src/plugins/acl/test/test_acl_plugin_conns.py
+32 -33
View File
@@ -36,23 +36,22 @@ def to_acl_rule(self, is_permit, wildcard_sport=False):
rule_l4_sport_last = rule_l4_sport
new_rule = {
'is_permit': is_permit,
'is_ipv6': p.haslayer(IPv6),
'src_ip_addr': inet_pton(rule_family,
p[rule_l3_layer].src),
'src_ip_prefix_len': rule_prefix_len,
'dst_ip_addr': inet_pton(rule_family,
p[rule_l3_layer].dst),
'dst_ip_prefix_len': rule_prefix_len,
'srcport_or_icmptype_first': rule_l4_sport_first,
'srcport_or_icmptype_last': rule_l4_sport_last,
'dstport_or_icmpcode_first': rule_l4_dport,
'dstport_or_icmpcode_last': rule_l4_dport,
'proto': rule_l4_proto,
}
'is_permit': is_permit,
'is_ipv6': p.haslayer(IPv6),
'src_ip_addr': inet_pton(rule_family,
p[rule_l3_layer].src),
'src_ip_prefix_len': rule_prefix_len,
'dst_ip_addr': inet_pton(rule_family,
p[rule_l3_layer].dst),
'dst_ip_prefix_len': rule_prefix_len,
'srcport_or_icmptype_first': rule_l4_sport_first,
'srcport_or_icmptype_last': rule_l4_sport_last,
'dstport_or_icmpcode_first': rule_l4_dport,
'dstport_or_icmpcode_last': rule_l4_dport,
'proto': rule_l4_proto,
}
return new_rule
Packet.to_acl_rule = to_acl_rule
@@ -92,36 +91,36 @@ class Conn(L4_Conn):
if reflect_side == acl_side:
self.testcase.vapi.acl_interface_set_acl_list(
self.ifs[acl_side].sw_if_index, 1,
[reflect_acl_index,
self.ifs[acl_side].sw_if_index, 1,
[reflect_acl_index,
deny_acl_index])
self.testcase.vapi.acl_interface_set_acl_list(
self.ifs[1-acl_side].sw_if_index, 0, [])
self.ifs[1-acl_side].sw_if_index, 0, [])
else:
self.testcase.vapi.acl_interface_set_acl_list(
self.ifs[acl_side].sw_if_index, 1,
[deny_acl_index,
self.ifs[acl_side].sw_if_index, 1,
[deny_acl_index,
reflect_acl_index])
self.testcase.vapi.acl_interface_set_acl_list(
self.ifs[1-acl_side].sw_if_index, 0, [])
self.ifs[1-acl_side].sw_if_index, 0, [])
def wildcard_rule(self, is_permit):
any_addr = ["0.0.0.0", "::"]
rule_family = self.address_family
is_ip6 = 1 if rule_family == AF_INET6 else 0
new_rule = {
'is_permit': is_permit,
'is_ipv6': is_ip6,
'src_ip_addr': inet_pton(rule_family, any_addr[is_ip6]),
'src_ip_prefix_len': 0,
'dst_ip_addr': inet_pton(rule_family, any_addr[is_ip6]),
'dst_ip_prefix_len': 0,
'srcport_or_icmptype_first': 0,
'srcport_or_icmptype_last': 65535,
'dstport_or_icmpcode_first': 0,
'dstport_or_icmpcode_last': 65535,
'proto': 0,
}
'is_permit': is_permit,
'is_ipv6': is_ip6,
'src_ip_addr': inet_pton(rule_family, any_addr[is_ip6]),
'src_ip_prefix_len': 0,
'dst_ip_addr': inet_pton(rule_family, any_addr[is_ip6]),
'dst_ip_prefix_len': 0,
'srcport_or_icmptype_first': 0,
'srcport_or_icmptype_last': 65535,
'dstport_or_icmpcode_first': 0,
'dstport_or_icmpcode_last': 65535,
'proto': 0,
}
return new_rule
src/plugins/acl/test/test_acl_plugin_l2l3.py
+110 -106
View File
File diff suppressed because it is too large Load Diff
src/plugins/acl/test/test_acl_plugin_macip.py
+104 -94
View File
File diff suppressed because it is too large Load Diff
src/plugins/acl/test/test_classify_l2_acl.py
-1
View File
@@ -603,6 +603,5 @@ class TestClassifyAcl(TestClassifier):
self.acl_active_table = key
self.run_verify_test(self.IP, self.IPV4, -1)
if __name__ == '__main__':
unittest.main(testRunner=VppTestRunner)
src/plugins/acl/test/vpp_acl.py
-460
View File
File diff suppressed because it is too large Load Diff
src/plugins/gbp/test/test_gbp.py
+125 -84
View File
File diff suppressed because it is too large Load Diff
src/plugins/nat/test/test_nat.py
+51 -14
View File
@@ -33,7 +33,6 @@ from scapy.all import bind_layers, Packet, ByteEnumField, ShortField, \
from ipaddress import IPv6Network
from util import ppc, ppp
from socket import inet_pton, AF_INET
from vpp_acl import AclRule, VppAcl, VppAclInterface
# NAT HA protocol event data
@@ -6526,24 +6525,53 @@ class TestNAT44EndpointDependent(MethodHolder):
self.verify_capture_in(capture, self.pg0)
# Create an ACL blocking everything
out2in_deny_rule = AclRule(is_permit=0)
out2in_acl = VppAcl(self, rules=[out2in_deny_rule])
out2in_acl.add_vpp_config()
# create an ACL to permit/reflect everything
in2out_reflect_rule = AclRule(is_permit=2)
in2out_acl = VppAcl(self, rules=[in2out_reflect_rule])
in2out_acl.add_vpp_config()
out2in_deny_rule = {
'is_permit': 0,
'is_ipv6': 0,
'src_ip_addr': inet_pton(AF_INET, "0.0.0.0"),
'src_ip_prefix_len': 0,
'dst_ip_addr': inet_pton(AF_INET, "0.0.0.0"),
'dst_ip_prefix_len': 0,
'srcport_or_icmptype_first': 0,
'srcport_or_icmptype_last': 65535,
'dstport_or_icmpcode_first': 0,
'dstport_or_icmpcode_last': 65535,
'proto': 0,
}
out2in_rules = [out2in_deny_rule]
res = self.vapi.acl_add_replace(0xffffffff, out2in_rules)
self.assertEqual(res.retval, 0, "error adding out2in ACL")
out2in_acl = res.acl_index
# apply as input acl on interface and confirm it blocks everything
acl_if = VppAclInterface(self, sw_if_index=self.pg1.sw_if_index,
n_input=1, acls=[out2in_acl])
acl_if.add_vpp_config()
self.vapi.acl_interface_set_acl_list(sw_if_index=self.pg1.sw_if_index,
n_input=1,
acls=[out2in_acl])
self.send_and_assert_no_replies(self.pg1, pkts_out2in)
# create an ACL to permit/reflect everything
in2out_reflect_rule = {
'is_permit': 2,
'is_ipv6': 0,
'src_ip_addr': inet_pton(AF_INET, "0.0.0.0"),
'src_ip_prefix_len': 0,
'dst_ip_addr': inet_pton(AF_INET, "0.0.0.0"),
'dst_ip_prefix_len': 0,
'srcport_or_icmptype_first': 0,
'srcport_or_icmptype_last': 65535,
'dstport_or_icmpcode_first': 0,
'dstport_or_icmpcode_last': 65535,
'proto': 0,
}
in2out_rules = [in2out_reflect_rule]
res = self.vapi.acl_add_replace(0xffffffff, in2out_rules)
self.assertEqual(res.retval, 0, "error adding in2out ACL")
in2out_acl = res.acl_index
# apply output acl
acl_if.acls = [out2in_acl, in2out_acl]
acl_if.add_vpp_config()
self.vapi.acl_interface_set_acl_list(sw_if_index=self.pg1.sw_if_index,
n_input=1,
acls=[out2in_acl, in2out_acl])
# send in2out to generate ACL state (NAT state was created earlier)
capture = self.send_and_expect(self.pg0, pkts_in2out, self.pg1,
len(pkts_in2out))
@@ -6559,6 +6587,15 @@ class TestNAT44EndpointDependent(MethodHolder):
self.verify_capture_in(capture, self.pg0)
self.logger.info(self.vapi.cli("show trace"))
# Clean up
# Remove ACLs from interface
self.vapi.acl_interface_set_acl_list(sw_if_index=self.pg1.sw_if_index,
n_input=0,
acls=[])
# delete ACLs
self.vapi.acl_del(acl_index=out2in_acl, expected_retval=0)
self.vapi.acl_del(acl_index=in2out_acl, expected_retval=0)
def test_multiple_vrf(self):
""" Multiple VRF setup """
external_addr = '1.2.3.4'
test/test_dvr.py
+19 -12
View File
@@ -5,13 +5,11 @@ from framework import VppTestCase, VppTestRunner
from vpp_ip_route import VppIpRoute, VppRoutePath, FibPathType
from vpp_l2 import L2_PORT_TYPE
from vpp_sub_interface import L2_VTR_OP, VppDot1QSubint
from vpp_acl import AclRule, VppAcl, VppAclInterface
from scapy.packet import Raw
from scapy.layers.l2 import Ether, Dot1Q
from scapy.layers.inet import IP, UDP
from socket import AF_INET, inet_pton
from ipaddress import IPv4Network
NUM_PKTS = 67
@@ -188,18 +186,26 @@ class TestDVR(VppTestCase):
#
# Add an output L3 ACL that will block the traffic
#
rule_1 = AclRule(is_permit=0, proto=17, ports=1234,
src_prefix=IPv4Network((any_src_addr, 32)),
dst_prefix=IPv4Network((ip_non_tag_bridged, 32)))
acl = VppAcl(self, rules=[rule_1])
acl.add_vpp_config()
rule_1 = ({'is_permit': 0,
'is_ipv6': 0,
'proto': 17,
'srcport_or_icmptype_first': 1234,
'srcport_or_icmptype_last': 1234,
'src_ip_prefix_len': 32,
'src_ip_addr': inet_pton(AF_INET, any_src_addr),
'dstport_or_icmpcode_first': 1234,
'dstport_or_icmpcode_last': 1234,
'dst_ip_prefix_len': 32,
'dst_ip_addr': inet_pton(AF_INET, ip_non_tag_bridged)})
acl = self.vapi.acl_add_replace(acl_index=4294967295,
r=[rule_1])
#
# Apply the ACL on the output interface
#
acl_if1 = VppAclInterface(self, sw_if_index=self.pg1.sw_if_index,
n_input=0, acls=[acl])
acl_if1.add_vpp_config()
self.vapi.acl_interface_set_acl_list(self.pg1.sw_if_index,
0,
[acl.acl_index])
#
# Send packet's that should match the ACL and be dropped
@@ -210,8 +216,9 @@ class TestDVR(VppTestCase):
#
# cleanup
#
acl_if1.remove_vpp_config()
acl.remove_vpp_config()
self.vapi.acl_interface_set_acl_list(self.pg1.sw_if_index,
0, [])
self.vapi.acl_del(acl.acl_index)
self.vapi.sw_interface_set_l2_bridge(
rx_sw_if_index=self.pg0.sw_if_index, bd_id=1, enable=0)
test/test_pipe.py
+37 -27
View File
@@ -1,7 +1,6 @@
#!/usr/bin/env python3
from socket import AF_INET, AF_INET6, inet_pton
import unittest
from ipaddress import IPv4Network
from scapy.packet import Raw
from scapy.layers.l2 import Ether
@@ -10,7 +9,6 @@ from scapy.layers.inet import IP, UDP
from framework import VppTestCase, VppTestRunner
from vpp_interface import VppInterface
from vpp_ip_route import VppIpTable, VppIpRoute, VppRoutePath
from vpp_acl import AclRule, VppAcl, VppAclInterface
NUM_PKTS = 67
@@ -124,30 +122,39 @@ class TestPipe(VppTestCase):
#
# Attach ACL to ensure features are run on the pipe
#
rule_1 = AclRule(is_permit=0, proto=17,
src_prefix=IPv4Network("1.1.1.1/32"),
dst_prefix=IPv4Network("1.1.1.2/32"), ports=1234)
acl = VppAcl(self, rules=[rule_1])
acl.add_vpp_config()
rule_1 = ({'is_permit': 0,
'is_ipv6': 0,
'proto': 17,
'srcport_or_icmptype_first': 1234,
'srcport_or_icmptype_last': 1234,
'src_ip_prefix_len': 32,
'src_ip_addr': inet_pton(AF_INET, "1.1.1.1"),
'dstport_or_icmpcode_first': 1234,
'dstport_or_icmpcode_last': 1234,
'dst_ip_prefix_len': 32,
'dst_ip_addr': inet_pton(AF_INET, "1.1.1.2")})
acl = self.vapi.acl_add_replace(acl_index=4294967295,
r=[rule_1])
# Apply the ACL on the pipe on output
acl_if_e = VppAclInterface(self, sw_if_index=pipes[0].east, n_input=0,
acls=[acl])
acl_if_e.add_vpp_config()
self.vapi.acl_interface_set_acl_list(pipes[0].east,
0,
[acl.acl_index])
self.send_and_assert_no_replies(self.pg0, p * NUM_PKTS)
self.send_and_expect(self.pg1, p * NUM_PKTS, self.pg0)
# remove from output and apply on input
acl_if_e.remove_vpp_config()
acl_if_w = VppAclInterface(self, sw_if_index=pipes[0].west, n_input=1,
acls=[acl])
acl_if_w.add_vpp_config()
self.vapi.acl_interface_set_acl_list(pipes[0].east,
0,
[])
self.vapi.acl_interface_set_acl_list(pipes[0].west,
1,
[acl.acl_index])
self.send_and_assert_no_replies(self.pg0, p * NUM_PKTS)
self.send_and_expect(self.pg1, p * NUM_PKTS, self.pg0)
acl_if_w.remove_vpp_config()
self.vapi.acl_interface_set_acl_list(pipes[0].west,
0,
[])
self.send_and_expect(self.pg0, p * NUM_PKTS, self.pg1)
self.send_and_expect(self.pg1, p * NUM_PKTS, self.pg0)
@@ -220,21 +227,24 @@ class TestPipe(VppTestCase):
#
# Use ACLs to test features run on the Pipes
#
acl_if_e1 = VppAclInterface(self, sw_if_index=pipes[1].east, n_input=0,
acls=[acl])
acl_if_e1.add_vpp_config()
self.vapi.acl_interface_set_acl_list(pipes[1].east,
0,
[acl.acl_index])
self.send_and_assert_no_replies(self.pg2, p_east * NUM_PKTS)
self.send_and_expect(self.pg3, p_west * NUM_PKTS, self.pg2)
# remove from output and apply on input
acl_if_e1.remove_vpp_config()
acl_if_w1 = VppAclInterface(self, sw_if_index=pipes[1].west, n_input=1,
acls=[acl])
acl_if_w1.add_vpp_config()
self.vapi.acl_interface_set_acl_list(pipes[1].east,
0,
[])
self.vapi.acl_interface_set_acl_list(pipes[1].west,
1,
[acl.acl_index])
self.send_and_assert_no_replies(self.pg2, p_east * NUM_PKTS)
self.send_and_expect(self.pg3, p_west * NUM_PKTS, self.pg2)
acl_if_w1.remove_vpp_config()
self.vapi.acl_interface_set_acl_list(pipes[1].west,
0,
[])
self.send_and_expect(self.pg2, p_east * NUM_PKTS, self.pg3)
self.send_and_expect(self.pg3, p_west * NUM_PKTS, self.pg2)
test/vpp_papi_provider.py
+120
View File
@@ -925,6 +925,126 @@ class VppPapiProvider(object):
return self.api(self.papi.sr_mpls_policy_del,
{'bsid': bsid})
def acl_add_replace(self, acl_index, r, tag='',
expected_retval=0):
"""Add/replace an ACL
:param int acl_index: ACL index to replace, 2^32-1 to create new ACL.
:param acl_rule r: ACL rules array.
:param str tag: symbolic tag (description) for this ACL.
:param int count: number of rules.
"""
return self.api(self.papi.acl_add_replace,
{'acl_index': acl_index,
'r': r,
'count': len(r),
'tag': tag},
expected_retval=expected_retval)
def acl_del(self, acl_index, expected_retval=0):
"""
:param acl_index:
:return:
"""
return self.api(self.papi.acl_del,
{'acl_index': acl_index},
expected_retval=expected_retval)
def acl_interface_set_acl_list(self, sw_if_index, n_input, acls,
expected_retval=0):
return self.api(self.papi.acl_interface_set_acl_list,
{'sw_if_index': sw_if_index,
'count': len(acls),
'n_input': n_input,
'acls': acls},
expected_retval=expected_retval)
def acl_interface_set_etype_whitelist(self, sw_if_index,
n_input, whitelist,
expected_retval=0):
return self.api(self.papi.acl_interface_set_etype_whitelist,
{'sw_if_index': sw_if_index,
'count': len(whitelist),
'n_input': n_input,
'whitelist': whitelist},
expected_retval=expected_retval)
def acl_interface_add_del(self,
sw_if_index,
acl_index,
is_add=1):
""" Add/Delete ACL to/from interface
:param sw_if_index:
:param acl_index:
:param is_add: (Default value = 1)
"""
return self.api(self.papi.acl_interface_add_del,
{'is_add': is_add,
'is_input': 1,
'sw_if_index': sw_if_index,
'acl_index': acl_index})
def acl_dump(self, acl_index, expected_retval=0):
return self.api(self.papi.acl_dump,
{'acl_index': acl_index},
expected_retval=expected_retval)
def acl_interface_list_dump(self, sw_if_index=0xFFFFFFFF,
expected_retval=0):
return self.api(self.papi.acl_interface_list_dump,
{'sw_if_index': sw_if_index},
expected_retval=expected_retval)
def macip_acl_add(self, rules, tag=""):
""" Add MACIP acl
:param rules: list of rules for given acl
:param tag: acl tag
"""
return self.api(self.papi.macip_acl_add,
{'r': rules,
'count': len(rules),
'tag': tag})
def macip_acl_add_replace(self, rules, acl_index=0xFFFFFFFF, tag=""):
""" Add MACIP acl
:param rules: list of rules for given acl
:param tag: acl tag
"""
return self.api(self.papi.macip_acl_add_replace,
{'acl_index': acl_index,
'r': rules,
'count': len(rules),
'tag': tag})
def macip_acl_interface_add_del(self,
sw_if_index,
acl_index,
is_add=1):
""" Add MACIP acl to interface
:param sw_if_index:
:param acl_index:
:param is_add: (Default value = 1)
"""
return self.api(self.papi.macip_acl_interface_add_del,
{'is_add': is_add,
'sw_if_index': sw_if_index,
'acl_index': acl_index})
def macip_acl_dump(self, acl_index=4294967295):
""" Return MACIP acl dump
"""
return self.api(
self.papi.macip_acl_dump, {'acl_index': acl_index})
def ip_punt_police(self,
policer_index,
is_ip6=0,