d9b0c6fbf7
Drop pycodestyle for code style checking in favor of black. Black is much faster, stable PEP8 compliant code style checker offering also automatic formatting. It aims to be very stable and produce smallest diffs. It's used by many small and big projects. Running checkstyle with black takes a few seconds with a terse output. Thus, test-checkstyle-diff is no longer necessary. Expand scope of checkstyle to all python files in the repo, replacing test-checkstyle with checkstyle-python. Also, fixstyle-python is now available for automatic style formatting. Note: python virtualenv has been consolidated in test/Makefile, test/requirements*.txt which will eventually be moved to a central location. This is required to simply the automated generation of docker executor images in the CI. Type: improvement Change-Id: I022a326603485f58585e879ac0f697fceefbc9c8 Signed-off-by: Klement Sekera <klement.sekera@gmail.com> Signed-off-by: Dave Wallace <dwallacelf@gmail.com>
322 lines
11 KiB
Python
322 lines
11 KiB
Python
#!/usr/bin/env python3
|
|
|
|
import unittest
|
|
|
|
from framework import VppTestCase, VppTestRunner
|
|
|
|
from scapy.packet import Raw
|
|
from scapy.layers.l2 import Ether
|
|
from scapy.layers.inet import IP, UDP, ICMP
|
|
from scapy.layers.inet6 import IPv6
|
|
|
|
from vpp_papi import VppEnum
|
|
|
|
N_PKTS = 63
|
|
|
|
|
|
class TestURPF(VppTestCase):
|
|
"""Unicast Reverse Path Forwarding Test Case"""
|
|
|
|
@classmethod
|
|
def setUpClass(cls):
|
|
super(TestURPF, cls).setUpClass()
|
|
|
|
@classmethod
|
|
def tearDownClass(cls):
|
|
super(TestURPF, cls).tearDownClass()
|
|
|
|
def setUp(self):
|
|
super(TestURPF, self).setUp()
|
|
|
|
# create 4 pg interfaces so there are a few addresses
|
|
# in the FIB
|
|
self.create_pg_interfaces(range(4))
|
|
|
|
for i in self.pg_interfaces:
|
|
i.admin_up()
|
|
i.config_ip4()
|
|
i.resolve_arp()
|
|
i.config_ip6()
|
|
i.resolve_ndp()
|
|
|
|
def tearDown(self):
|
|
for i in self.pg_interfaces:
|
|
i.unconfig_ip4()
|
|
i.unconfig_ip6()
|
|
i.admin_down()
|
|
super(TestURPF, self).tearDown()
|
|
|
|
def test_urpf4(self):
|
|
"""uRPF IP4"""
|
|
|
|
e = VppEnum
|
|
p_spoof_loose = (
|
|
Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
|
|
/ IP(src="3.3.3.3", dst=self.pg1.remote_ip4)
|
|
/ UDP(sport=1234, dport=1234)
|
|
/ Raw(b"\xa5" * 100)
|
|
) * N_PKTS
|
|
p_spoof_strict = (
|
|
Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
|
|
/ IP(src=self.pg2.remote_ip4, dst=self.pg1.remote_ip4)
|
|
/ UDP(sport=1234, dport=1234)
|
|
/ Raw(b"\xa5" * 100)
|
|
) * N_PKTS
|
|
p_good = (
|
|
Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
|
|
/ IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
|
|
/ UDP(sport=1234, dport=1234)
|
|
/ Raw(b"\xa5" * 100)
|
|
) * N_PKTS
|
|
|
|
#
|
|
# before adding the uRPF, ensure all packets are forwarded
|
|
#
|
|
self.send_and_expect(self.pg0, p_good, self.pg1)
|
|
self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
|
|
self.send_and_expect(self.pg0, p_spoof_loose, self.pg1)
|
|
|
|
#
|
|
# apply loose uRPF check on pg0 rx
|
|
#
|
|
self.vapi.urpf_update(
|
|
is_input=True,
|
|
mode=e.vl_api_urpf_mode_t.URPF_API_MODE_LOOSE,
|
|
af=e.vl_api_address_family_t.ADDRESS_IP4,
|
|
sw_if_index=self.pg0.sw_if_index,
|
|
)
|
|
|
|
# good packets still pass
|
|
self.send_and_expect(self.pg0, p_good, self.pg1)
|
|
# packets from address for which there is a route are forwarded
|
|
self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
|
|
# packets from address to which there is no route are dropped
|
|
self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
|
|
|
|
self.assert_error_counter_equal("/err/ip4-rx-urpf-loose/uRPF Drop", N_PKTS)
|
|
|
|
#
|
|
# crank it up to strict mode
|
|
#
|
|
self.vapi.urpf_update(
|
|
is_input=True,
|
|
mode=e.vl_api_urpf_mode_t.URPF_API_MODE_STRICT,
|
|
af=e.vl_api_address_family_t.ADDRESS_IP4,
|
|
sw_if_index=self.pg0.sw_if_index,
|
|
)
|
|
|
|
# good packets still pass
|
|
self.send_and_expect(self.pg0, p_good, self.pg1)
|
|
# packets that would not be routed back thru pg0 are dropped
|
|
self.send_and_assert_no_replies(self.pg0, p_spoof_strict)
|
|
self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
|
|
|
|
self.assert_error_counter_equal("/err/ip4-rx-urpf-strict/uRPF Drop", 2 * N_PKTS)
|
|
|
|
#
|
|
# disable uRPF, all traffic should pass
|
|
#
|
|
self.vapi.urpf_update(
|
|
is_input=True,
|
|
mode=e.vl_api_urpf_mode_t.URPF_API_MODE_OFF,
|
|
af=e.vl_api_address_family_t.ADDRESS_IP4,
|
|
sw_if_index=self.pg0.sw_if_index,
|
|
)
|
|
|
|
self.send_and_expect(self.pg0, p_good, self.pg1)
|
|
self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
|
|
self.send_and_expect(self.pg0, p_spoof_loose, self.pg1)
|
|
|
|
#
|
|
# Now apply in the TX direction
|
|
# for loose it is the same deal, they should not be forwarded
|
|
# if there's no route
|
|
# for strict they should not be forwarded if they would be
|
|
# forwarded thru that interface.
|
|
#
|
|
self.vapi.urpf_update(
|
|
is_input=False,
|
|
mode=e.vl_api_urpf_mode_t.URPF_API_MODE_LOOSE,
|
|
af=e.vl_api_address_family_t.ADDRESS_IP4,
|
|
sw_if_index=self.pg1.sw_if_index,
|
|
)
|
|
|
|
self.send_and_expect(self.pg0, p_good, self.pg1)
|
|
self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
|
|
self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
|
|
|
|
self.assert_error_counter_equal("/err/ip4-tx-urpf-loose/uRPF Drop", N_PKTS)
|
|
|
|
self.vapi.urpf_update(
|
|
is_input=False,
|
|
mode=e.vl_api_urpf_mode_t.URPF_API_MODE_STRICT,
|
|
af=e.vl_api_address_family_t.ADDRESS_IP4,
|
|
sw_if_index=self.pg1.sw_if_index,
|
|
)
|
|
|
|
self.send_and_expect(self.pg0, p_good, self.pg1)
|
|
# the strict packet, from a peer is allowed, since it does
|
|
# not forward via pg1
|
|
self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
|
|
self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
|
|
|
|
self.assert_error_counter_equal("/err/ip4-tx-urpf-strict/uRPF Drop", N_PKTS)
|
|
|
|
# change the strict packet so that it would forward through pg1
|
|
p_spoof_strict = (
|
|
Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
|
|
/ IP(src=self.pg1.remote_ip4, dst=self.pg1.remote_ip4)
|
|
/ UDP(sport=1234, dport=1234)
|
|
/ Raw(b"\xa5" * 100)
|
|
) * N_PKTS
|
|
|
|
self.send_and_assert_no_replies(self.pg0, p_spoof_strict)
|
|
self.assert_error_counter_equal("/err/ip4-tx-urpf-strict/uRPF Drop", 2 * N_PKTS)
|
|
|
|
# cleanup
|
|
self.vapi.urpf_update(
|
|
is_input=False,
|
|
mode=e.vl_api_urpf_mode_t.URPF_API_MODE_OFF,
|
|
af=e.vl_api_address_family_t.ADDRESS_IP4,
|
|
sw_if_index=self.pg1.sw_if_index,
|
|
)
|
|
|
|
def test_urpf6(self):
|
|
"""uRPF IP6"""
|
|
|
|
e = VppEnum
|
|
p_spoof_loose = (
|
|
Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
|
|
/ IPv6(src="3::3", dst=self.pg1.remote_ip6)
|
|
/ UDP(sport=1236, dport=1236)
|
|
/ Raw(b"\xa5" * 100)
|
|
) * N_PKTS
|
|
p_spoof_strict = (
|
|
Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
|
|
/ IPv6(src=self.pg2.remote_ip6, dst=self.pg1.remote_ip6)
|
|
/ UDP(sport=1236, dport=1236)
|
|
/ Raw(b"\xa5" * 100)
|
|
) * N_PKTS
|
|
p_good = (
|
|
Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
|
|
/ IPv6(src=self.pg0.remote_ip6, dst=self.pg1.remote_ip6)
|
|
/ UDP(sport=1236, dport=1236)
|
|
/ Raw(b"\xa5" * 100)
|
|
) * N_PKTS
|
|
|
|
#
|
|
# before adding the uRPF, ensure all packets are forwarded
|
|
#
|
|
self.send_and_expect(self.pg0, p_good, self.pg1)
|
|
self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
|
|
self.send_and_expect(self.pg0, p_spoof_loose, self.pg1)
|
|
|
|
#
|
|
# apply loose uRPF check on pg0 rx
|
|
#
|
|
self.vapi.urpf_update(
|
|
is_input=True,
|
|
mode=e.vl_api_urpf_mode_t.URPF_API_MODE_LOOSE,
|
|
af=e.vl_api_address_family_t.ADDRESS_IP6,
|
|
sw_if_index=self.pg0.sw_if_index,
|
|
)
|
|
|
|
# good packets still pass
|
|
self.send_and_expect(self.pg0, p_good, self.pg1)
|
|
# packets from address for which there is a route are forwarded
|
|
self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
|
|
# packets from address to which there is no route are dropped
|
|
self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
|
|
|
|
self.assert_error_counter_equal("/err/ip6-rx-urpf-loose/uRPF Drop", N_PKTS)
|
|
|
|
#
|
|
# crank it up to strict mode
|
|
#
|
|
self.vapi.urpf_update(
|
|
is_input=True,
|
|
mode=e.vl_api_urpf_mode_t.URPF_API_MODE_STRICT,
|
|
af=e.vl_api_address_family_t.ADDRESS_IP6,
|
|
sw_if_index=self.pg0.sw_if_index,
|
|
)
|
|
|
|
# good packets still pass
|
|
self.send_and_expect(self.pg0, p_good, self.pg1)
|
|
# packets that would not be routed back thru pg0 are dropped
|
|
self.send_and_assert_no_replies(self.pg0, p_spoof_strict)
|
|
self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
|
|
|
|
self.assert_error_counter_equal("/err/ip6-rx-urpf-strict/uRPF Drop", 2 * N_PKTS)
|
|
|
|
#
|
|
# disable uRPF, all traffic should pass
|
|
#
|
|
self.vapi.urpf_update(
|
|
is_input=True,
|
|
mode=e.vl_api_urpf_mode_t.URPF_API_MODE_OFF,
|
|
af=e.vl_api_address_family_t.ADDRESS_IP6,
|
|
sw_if_index=self.pg0.sw_if_index,
|
|
)
|
|
|
|
self.send_and_expect(self.pg0, p_good, self.pg1)
|
|
self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
|
|
self.send_and_expect(self.pg0, p_spoof_loose, self.pg1)
|
|
|
|
#
|
|
# Now apply in the TX direction
|
|
# for loose it is the same deal, they should not be forwarded
|
|
# if there's no route
|
|
# for strict they should not be forwarded if they would be
|
|
# forwarded thru that interface.
|
|
#
|
|
self.vapi.urpf_update(
|
|
is_input=False,
|
|
mode=e.vl_api_urpf_mode_t.URPF_API_MODE_LOOSE,
|
|
af=e.vl_api_address_family_t.ADDRESS_IP6,
|
|
sw_if_index=self.pg1.sw_if_index,
|
|
)
|
|
|
|
self.send_and_expect(self.pg0, p_good, self.pg1)
|
|
self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
|
|
self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
|
|
|
|
self.assert_error_counter_equal("/err/ip6-tx-urpf-loose/uRPF Drop", N_PKTS)
|
|
|
|
self.vapi.urpf_update(
|
|
is_input=False,
|
|
mode=e.vl_api_urpf_mode_t.URPF_API_MODE_STRICT,
|
|
af=e.vl_api_address_family_t.ADDRESS_IP6,
|
|
sw_if_index=self.pg1.sw_if_index,
|
|
)
|
|
|
|
self.send_and_expect(self.pg0, p_good, self.pg1)
|
|
# the strict packet, from a peer is allowed, since it does
|
|
# not forward via pg1
|
|
self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
|
|
self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
|
|
|
|
self.assert_error_counter_equal("/err/ip6-tx-urpf-strict/uRPF Drop", N_PKTS)
|
|
|
|
# change the strict packet so that it would forward through pg1
|
|
p_spoof_strict = (
|
|
Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac)
|
|
/ IPv6(src=self.pg1.remote_ip6, dst=self.pg1.remote_ip6)
|
|
/ UDP(sport=1236, dport=1236)
|
|
/ Raw(b"\xa5" * 100)
|
|
) * N_PKTS
|
|
|
|
self.send_and_assert_no_replies(self.pg0, p_spoof_strict)
|
|
self.assert_error_counter_equal("/err/ip6-tx-urpf-strict/uRPF Drop", 2 * N_PKTS)
|
|
|
|
# cleanup
|
|
self.vapi.urpf_update(
|
|
is_input=False,
|
|
mode=e.vl_api_urpf_mode_t.URPF_API_MODE_OFF,
|
|
af=e.vl_api_address_family_t.ADDRESS_IP6,
|
|
sw_if_index=self.pg1.sw_if_index,
|
|
)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
unittest.main(testRunner=VppTestRunner)
|