b639b59337
The packet that was creating the session was not tracked, consequently the TCP flags seen within the session record never got the value for the session to get treated as being in the established state. Test-escape, so add the TCP tests which test the three phases of the TCP session life and make them all pass. Change-Id: Ib048bc30c809a7f03be2de7e8361c2c281270348 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 754370f1b55d4102d21dd94676f2bda3170c7df0)
484 lines
19 KiB
Python
484 lines
19 KiB
Python
#!/usr/bin/env python
|
|
""" ACL plugin extended stateful tests """
|
|
|
|
import unittest
|
|
from framework import VppTestCase, VppTestRunner, running_extended_tests
|
|
from scapy.layers.l2 import Ether
|
|
from scapy.packet import Raw
|
|
from scapy.layers.inet import IP, UDP, TCP
|
|
from scapy.packet import Packet
|
|
from socket import inet_pton, AF_INET, AF_INET6
|
|
from scapy.layers.inet6 import IPv6, ICMPv6Unknown, ICMPv6EchoRequest
|
|
from scapy.layers.inet6 import ICMPv6EchoReply, IPv6ExtHdrRouting
|
|
from scapy.layers.inet6 import IPv6ExtHdrFragment
|
|
from pprint import pprint
|
|
from random import randint
|
|
|
|
|
|
def to_acl_rule(self, is_permit, wildcard_sport=False):
|
|
p = self
|
|
rule_family = AF_INET6 if p.haslayer(IPv6) else AF_INET
|
|
rule_prefix_len = 128 if p.haslayer(IPv6) else 32
|
|
rule_l3_layer = IPv6 if p.haslayer(IPv6) else IP
|
|
rule_l4_sport = p.sport
|
|
rule_l4_dport = p.dport
|
|
if p.haslayer(IPv6):
|
|
rule_l4_proto = p[IPv6].nh
|
|
else:
|
|
rule_l4_proto = p[IP].proto
|
|
|
|
if wildcard_sport:
|
|
rule_l4_sport_first = 0
|
|
rule_l4_sport_last = 65535
|
|
else:
|
|
rule_l4_sport_first = rule_l4_sport
|
|
rule_l4_sport_last = rule_l4_sport
|
|
|
|
new_rule = {
|
|
'is_permit': is_permit,
|
|
'is_ipv6': p.haslayer(IPv6),
|
|
'src_ip_addr': inet_pton(rule_family,
|
|
p[rule_l3_layer].src),
|
|
'src_ip_prefix_len': rule_prefix_len,
|
|
'dst_ip_addr': inet_pton(rule_family,
|
|
p[rule_l3_layer].dst),
|
|
'dst_ip_prefix_len': rule_prefix_len,
|
|
'srcport_or_icmptype_first': rule_l4_sport_first,
|
|
'srcport_or_icmptype_last': rule_l4_sport_last,
|
|
'dstport_or_icmpcode_first': rule_l4_dport,
|
|
'dstport_or_icmpcode_last': rule_l4_dport,
|
|
'proto': rule_l4_proto,
|
|
}
|
|
return new_rule
|
|
|
|
Packet.to_acl_rule = to_acl_rule
|
|
|
|
|
|
class IterateWithSleep():
|
|
def __init__(self, testcase, n_iters, description, sleep_sec):
|
|
self.curr = 0
|
|
self.testcase = testcase
|
|
self.n_iters = n_iters
|
|
self.sleep_sec = sleep_sec
|
|
self.description = description
|
|
|
|
def __iter__(self):
|
|
for x in range(0, self.n_iters):
|
|
yield x
|
|
self.testcase.sleep(self.sleep_sec)
|
|
|
|
|
|
class Conn():
|
|
def __init__(self, testcase, if1, if2, af, l4proto, port1, port2):
|
|
self.testcase = testcase
|
|
self.ifs = [None, None]
|
|
self.ifs[0] = if1
|
|
self.ifs[1] = if2
|
|
self.address_family = af
|
|
self.l4proto = l4proto
|
|
self.ports = [None, None]
|
|
self.ports[0] = port1
|
|
self.ports[1] = port2
|
|
self
|
|
|
|
def pkt(self, side, flags=None):
|
|
is_ip6 = 1 if self.address_family == AF_INET6 else 0
|
|
s0 = side
|
|
s1 = 1-side
|
|
src_if = self.ifs[s0]
|
|
dst_if = self.ifs[s1]
|
|
layer_3 = [IP(src=src_if.remote_ip4, dst=dst_if.remote_ip4),
|
|
IPv6(src=src_if.remote_ip6, dst=dst_if.remote_ip6)]
|
|
payload = "x"
|
|
l4args = {'sport': self.ports[s0], 'dport': self.ports[s1]}
|
|
if flags is not None:
|
|
l4args['flags'] = flags
|
|
p = (Ether(dst=src_if.local_mac, src=src_if.remote_mac) /
|
|
layer_3[is_ip6] /
|
|
self.l4proto(**l4args) /
|
|
Raw(payload))
|
|
return p
|
|
|
|
def apply_acls(self, reflect_side, acl_side):
|
|
pkts = []
|
|
pkts.append(self.pkt(0))
|
|
pkts.append(self.pkt(1))
|
|
pkt = pkts[reflect_side]
|
|
|
|
r = []
|
|
r.append(pkt.to_acl_rule(2, wildcard_sport=True))
|
|
r.append(self.wildcard_rule(0))
|
|
res = self.testcase.api_acl_add_replace(0xffffffff, r)
|
|
self.testcase.assert_equal(res.retval, 0, "error adding ACL")
|
|
reflect_acl_index = res.acl_index
|
|
|
|
r = []
|
|
r.append(self.wildcard_rule(0))
|
|
res = self.testcase.api_acl_add_replace(0xffffffff, r)
|
|
self.testcase.assert_equal(res.retval, 0, "error adding deny ACL")
|
|
deny_acl_index = res.acl_index
|
|
|
|
if reflect_side == acl_side:
|
|
self.testcase.api_acl_interface_set_acl_list(
|
|
self.ifs[acl_side].sw_if_index, 2, 1,
|
|
[reflect_acl_index,
|
|
deny_acl_index])
|
|
self.testcase.api_acl_interface_set_acl_list(
|
|
self.ifs[1-acl_side].sw_if_index, 0, 0, [])
|
|
else:
|
|
self.testcase.api_acl_interface_set_acl_list(
|
|
self.ifs[acl_side].sw_if_index, 2, 1,
|
|
[deny_acl_index,
|
|
reflect_acl_index])
|
|
self.testcase.api_acl_interface_set_acl_list(
|
|
self.ifs[1-acl_side].sw_if_index, 0, 0, [])
|
|
|
|
def wildcard_rule(self, is_permit):
|
|
any_addr = ["0.0.0.0", "::"]
|
|
rule_family = self.address_family
|
|
is_ip6 = 1 if rule_family == AF_INET6 else 0
|
|
new_rule = {
|
|
'is_permit': is_permit,
|
|
'is_ipv6': is_ip6,
|
|
'src_ip_addr': inet_pton(rule_family, any_addr[is_ip6]),
|
|
'src_ip_prefix_len': 0,
|
|
'dst_ip_addr': inet_pton(rule_family, any_addr[is_ip6]),
|
|
'dst_ip_prefix_len': 0,
|
|
'srcport_or_icmptype_first': 0,
|
|
'srcport_or_icmptype_last': 65535,
|
|
'dstport_or_icmpcode_first': 0,
|
|
'dstport_or_icmpcode_last': 65535,
|
|
'proto': 0,
|
|
}
|
|
return new_rule
|
|
|
|
def send(self, side, flags=None):
|
|
self.ifs[side].add_stream(self.pkt(side, flags))
|
|
self.ifs[1-side].enable_capture()
|
|
self.testcase.pg_start()
|
|
|
|
def recv(self, side):
|
|
p = self.ifs[side].wait_for_packet(1)
|
|
return p
|
|
|
|
def send_through(self, side, flags=None):
|
|
self.send(side, flags)
|
|
p = self.recv(1-side)
|
|
return p
|
|
|
|
def send_pingpong(self, side, flags1=None, flags2=None):
|
|
p1 = self.send_through(side, flags1)
|
|
p2 = self.send_through(1-side, flags2)
|
|
return [p1, p2]
|
|
|
|
|
|
@unittest.skipUnless(running_extended_tests(), "part of extended tests")
|
|
class ACLPluginConnTestCase(VppTestCase):
|
|
""" ACL plugin connection-oriented extended testcases """
|
|
|
|
@classmethod
|
|
def setUpClass(self):
|
|
super(ACLPluginConnTestCase, self).setUpClass()
|
|
# create pg0 and pg1
|
|
self.create_pg_interfaces(range(2))
|
|
for i in self.pg_interfaces:
|
|
i.admin_up()
|
|
i.config_ip4()
|
|
i.config_ip6()
|
|
i.resolve_arp()
|
|
i.resolve_ndp()
|
|
|
|
def tearDown(self):
|
|
"""Run standard test teardown and log various show commands
|
|
"""
|
|
super(ACLPluginConnTestCase, self).tearDown()
|
|
if not self.vpp_dead:
|
|
self.logger.info(self.vapi.cli("show ip arp"))
|
|
self.logger.info(self.vapi.cli("show ip6 neighbors"))
|
|
self.logger.info(self.vapi.cli("show acl-plugin sessions"))
|
|
self.logger.info(self.vapi.cli("show acl-plugin acl"))
|
|
self.logger.info(self.vapi.cli("show acl-plugin interface"))
|
|
self.logger.info(self.vapi.cli("show acl-plugin tables"))
|
|
|
|
def api_acl_add_replace(self, acl_index, r, count=-1, tag="",
|
|
expected_retval=0):
|
|
"""Add/replace an ACL
|
|
|
|
:param int acl_index: ACL index to replace, 4294967295 to create new.
|
|
:param acl_rule r: ACL rules array.
|
|
:param str tag: symbolic tag (description) for this ACL.
|
|
:param int count: number of rules.
|
|
"""
|
|
if (count < 0):
|
|
count = len(r)
|
|
return self.vapi.api(self.vapi.papi.acl_add_replace,
|
|
{'acl_index': acl_index,
|
|
'r': r,
|
|
'count': count,
|
|
'tag': tag
|
|
}, expected_retval=expected_retval)
|
|
|
|
def api_acl_interface_set_acl_list(self, sw_if_index, count, n_input, acls,
|
|
expected_retval=0):
|
|
return self.vapi.api(self.vapi.papi.acl_interface_set_acl_list,
|
|
{'sw_if_index': sw_if_index,
|
|
'count': count,
|
|
'n_input': n_input,
|
|
'acls': acls
|
|
}, expected_retval=expected_retval)
|
|
|
|
def api_acl_dump(self, acl_index, expected_retval=0):
|
|
return self.vapi.api(self.vapi.papi.acl_dump,
|
|
{'acl_index': acl_index},
|
|
expected_retval=expected_retval)
|
|
|
|
def run_basic_conn_test(self, af, acl_side):
|
|
""" Basic conn timeout test """
|
|
conn1 = Conn(self, self.pg0, self.pg1, af, UDP, 42001, 4242)
|
|
conn1.apply_acls(0, acl_side)
|
|
conn1.send_through(0)
|
|
# the return packets should pass
|
|
conn1.send_through(1)
|
|
# send some packets on conn1, ensure it doesn't go away
|
|
for i in IterateWithSleep(self, 20, "Keep conn active", 0.3):
|
|
conn1.send_through(1)
|
|
# allow the conn to time out
|
|
for i in IterateWithSleep(self, 30, "Wait for timeout", 0.1):
|
|
pass
|
|
# now try to send a packet on the reflected side
|
|
try:
|
|
p2 = conn1.send_through(1).command()
|
|
except:
|
|
# If we asserted while waiting, it's good.
|
|
# the conn should have timed out.
|
|
p2 = None
|
|
self.assert_equal(p2, None, "packet on long-idle conn")
|
|
|
|
def run_active_conn_test(self, af, acl_side):
|
|
""" Idle connection behind active connection test """
|
|
base = 10000 + 1000*acl_side
|
|
conn1 = Conn(self, self.pg0, self.pg1, af, UDP, base + 1, 2323)
|
|
conn2 = Conn(self, self.pg0, self.pg1, af, UDP, base + 2, 2323)
|
|
conn3 = Conn(self, self.pg0, self.pg1, af, UDP, base + 3, 2323)
|
|
conn1.apply_acls(0, acl_side)
|
|
conn1.send(0)
|
|
conn1.recv(1)
|
|
# create and check that the conn2/3 work
|
|
self.sleep(0.1)
|
|
conn2.send_pingpong(0)
|
|
self.sleep(0.1)
|
|
conn3.send_pingpong(0)
|
|
# send some packets on conn1, keep conn2/3 idle
|
|
for i in IterateWithSleep(self, 20, "Keep conn active", 0.2):
|
|
conn1.send_through(1)
|
|
try:
|
|
p2 = conn2.send_through(1).command()
|
|
except:
|
|
# If we asserted while waiting, it's good.
|
|
# the conn should have timed out.
|
|
p2 = None
|
|
# We should have not received the packet on a long-idle
|
|
# connection, because it should have timed out
|
|
# If it didn't - it is a problem
|
|
self.assert_equal(p2, None, "packet on long-idle conn")
|
|
|
|
def run_clear_conn_test(self, af, acl_side):
|
|
""" Clear the connections via CLI """
|
|
conn1 = Conn(self, self.pg0, self.pg1, af, UDP, 42001, 4242)
|
|
conn1.apply_acls(0, acl_side)
|
|
conn1.send_through(0)
|
|
# the return packets should pass
|
|
conn1.send_through(1)
|
|
# send some packets on conn1, ensure it doesn't go away
|
|
for i in IterateWithSleep(self, 20, "Keep conn active", 0.3):
|
|
conn1.send_through(1)
|
|
# clear all connections
|
|
self.vapi.ppcli("clear acl-plugin sessions")
|
|
# now try to send a packet on the reflected side
|
|
try:
|
|
p2 = conn1.send_through(1).command()
|
|
except:
|
|
# If we asserted while waiting, it's good.
|
|
# the conn should have timed out.
|
|
p2 = None
|
|
self.assert_equal(p2, None, "packet on supposedly deleted conn")
|
|
|
|
def run_tcp_transient_setup_conn_test(self, af, acl_side):
|
|
conn1 = Conn(self, self.pg0, self.pg1, af, TCP, 53001, 5151)
|
|
conn1.apply_acls(0, acl_side)
|
|
conn1.send_through(0, 'S')
|
|
# the return packets should pass
|
|
conn1.send_through(1, 'SA')
|
|
# allow the conn to time out
|
|
for i in IterateWithSleep(self, 30, "Wait for timeout", 0.1):
|
|
pass
|
|
# ensure conn times out
|
|
try:
|
|
p2 = conn1.send_through(1).command()
|
|
except:
|
|
# If we asserted while waiting, it's good.
|
|
# the conn should have timed out.
|
|
p2 = None
|
|
self.assert_equal(p2, None, "packet on supposedly deleted conn")
|
|
|
|
def run_tcp_established_conn_test(self, af, acl_side):
|
|
conn1 = Conn(self, self.pg0, self.pg1, af, TCP, 53002, 5052)
|
|
conn1.apply_acls(0, acl_side)
|
|
conn1.send_through(0, 'S')
|
|
# the return packets should pass
|
|
conn1.send_through(1, 'SA')
|
|
# complete the threeway handshake
|
|
# (NB: sequence numbers not tracked, so not set!)
|
|
conn1.send_through(0, 'A')
|
|
# allow the conn to time out if it's in embryonic timer
|
|
for i in IterateWithSleep(self, 30, "Wait for transient timeout", 0.1):
|
|
pass
|
|
# Try to send the packet from the "forbidden" side - it must pass
|
|
conn1.send_through(1, 'A')
|
|
# ensure conn times out for real
|
|
for i in IterateWithSleep(self, 130, "Wait for timeout", 0.1):
|
|
pass
|
|
try:
|
|
p2 = conn1.send_through(1).command()
|
|
except:
|
|
# If we asserted while waiting, it's good.
|
|
# the conn should have timed out.
|
|
p2 = None
|
|
self.assert_equal(p2, None, "packet on supposedly deleted conn")
|
|
|
|
def run_tcp_transient_teardown_conn_test(self, af, acl_side):
|
|
conn1 = Conn(self, self.pg0, self.pg1, af, TCP, 53002, 5052)
|
|
conn1.apply_acls(0, acl_side)
|
|
conn1.send_through(0, 'S')
|
|
# the return packets should pass
|
|
conn1.send_through(1, 'SA')
|
|
# complete the threeway handshake
|
|
# (NB: sequence numbers not tracked, so not set!)
|
|
conn1.send_through(0, 'A')
|
|
# allow the conn to time out if it's in embryonic timer
|
|
for i in IterateWithSleep(self, 30, "Wait for transient timeout", 0.1):
|
|
pass
|
|
# Try to send the packet from the "forbidden" side - it must pass
|
|
conn1.send_through(1, 'A')
|
|
# Send the FIN to bounce the session out of established
|
|
conn1.send_through(1, 'FA')
|
|
# If conn landed on transient timer it will time out here
|
|
for i in IterateWithSleep(self, 30, "Wait for transient timeout", 0.1):
|
|
pass
|
|
# Now it should have timed out already
|
|
try:
|
|
p2 = conn1.send_through(1).command()
|
|
except:
|
|
# If we asserted while waiting, it's good.
|
|
# the conn should have timed out.
|
|
p2 = None
|
|
self.assert_equal(p2, None, "packet on supposedly deleted conn")
|
|
|
|
def test_0000_conn_prepare_test(self):
|
|
""" Prepare the settings """
|
|
self.vapi.ppcli("set acl-plugin session timeout udp idle 1")
|
|
|
|
def test_0001_basic_conn_test(self):
|
|
""" IPv4: Basic conn timeout test reflect on ingress """
|
|
self.run_basic_conn_test(AF_INET, 0)
|
|
|
|
def test_0002_basic_conn_test(self):
|
|
""" IPv4: Basic conn timeout test reflect on egress """
|
|
self.run_basic_conn_test(AF_INET, 1)
|
|
|
|
def test_0005_clear_conn_test(self):
|
|
""" IPv4: reflect egress, clear conn """
|
|
self.run_clear_conn_test(AF_INET, 1)
|
|
|
|
def test_0006_clear_conn_test(self):
|
|
""" IPv4: reflect ingress, clear conn """
|
|
self.run_clear_conn_test(AF_INET, 0)
|
|
|
|
def test_0011_active_conn_test(self):
|
|
""" IPv4: Idle conn behind active conn, reflect on ingress """
|
|
self.run_active_conn_test(AF_INET, 0)
|
|
|
|
def test_0012_active_conn_test(self):
|
|
""" IPv4: Idle conn behind active conn, reflect on egress """
|
|
self.run_active_conn_test(AF_INET, 1)
|
|
|
|
def test_1001_basic_conn_test(self):
|
|
""" IPv6: Basic conn timeout test reflect on ingress """
|
|
self.run_basic_conn_test(AF_INET6, 0)
|
|
|
|
def test_1002_basic_conn_test(self):
|
|
""" IPv6: Basic conn timeout test reflect on egress """
|
|
self.run_basic_conn_test(AF_INET6, 1)
|
|
|
|
def test_1005_clear_conn_test(self):
|
|
""" IPv6: reflect egress, clear conn """
|
|
self.run_clear_conn_test(AF_INET6, 1)
|
|
|
|
def test_1006_clear_conn_test(self):
|
|
""" IPv6: reflect ingress, clear conn """
|
|
self.run_clear_conn_test(AF_INET6, 0)
|
|
|
|
def test_1011_active_conn_test(self):
|
|
""" IPv6: Idle conn behind active conn, reflect on ingress """
|
|
self.run_active_conn_test(AF_INET6, 0)
|
|
|
|
def test_1012_active_conn_test(self):
|
|
""" IPv6: Idle conn behind active conn, reflect on egress """
|
|
self.run_active_conn_test(AF_INET6, 1)
|
|
|
|
def test_2000_prepare_for_tcp_test(self):
|
|
""" Prepare for TCP session tests """
|
|
# ensure the session hangs on if it gets treated as UDP
|
|
self.vapi.ppcli("set acl-plugin session timeout udp idle 200")
|
|
# let the TCP connection time out at 5 seconds
|
|
self.vapi.ppcli("set acl-plugin session timeout tcp idle 10")
|
|
self.vapi.ppcli("set acl-plugin session timeout tcp transient 1")
|
|
|
|
def test_2001_tcp_transient_conn_test(self):
|
|
""" IPv4: transient TCP session (incomplete 3WHS), ref. on ingress """
|
|
self.run_tcp_transient_setup_conn_test(AF_INET, 0)
|
|
|
|
def test_2002_tcp_transient_conn_test(self):
|
|
""" IPv4: transient TCP session (incomplete 3WHS), ref. on egress """
|
|
self.run_tcp_transient_setup_conn_test(AF_INET, 1)
|
|
|
|
def test_2003_tcp_transient_conn_test(self):
|
|
""" IPv4: established TCP session (complete 3WHS), ref. on ingress """
|
|
self.run_tcp_established_conn_test(AF_INET, 0)
|
|
|
|
def test_2004_tcp_transient_conn_test(self):
|
|
""" IPv4: established TCP session (complete 3WHS), ref. on egress """
|
|
self.run_tcp_established_conn_test(AF_INET, 1)
|
|
|
|
def test_2005_tcp_transient_teardown_conn_test(self):
|
|
""" IPv4: transient TCP session (3WHS,ACK,FINACK), ref. on ingress """
|
|
self.run_tcp_transient_teardown_conn_test(AF_INET, 0)
|
|
|
|
def test_2006_tcp_transient_teardown_conn_test(self):
|
|
""" IPv4: transient TCP session (3WHS,ACK,FINACK), ref. on egress """
|
|
self.run_tcp_transient_teardown_conn_test(AF_INET, 1)
|
|
|
|
def test_3001_tcp_transient_conn_test(self):
|
|
""" IPv6: transient TCP session (incomplete 3WHS), ref. on ingress """
|
|
self.run_tcp_transient_setup_conn_test(AF_INET6, 0)
|
|
|
|
def test_3002_tcp_transient_conn_test(self):
|
|
""" IPv6: transient TCP session (incomplete 3WHS), ref. on egress """
|
|
self.run_tcp_transient_setup_conn_test(AF_INET6, 1)
|
|
|
|
def test_3003_tcp_transient_conn_test(self):
|
|
""" IPv6: established TCP session (complete 3WHS), ref. on ingress """
|
|
self.run_tcp_established_conn_test(AF_INET6, 0)
|
|
|
|
def test_3004_tcp_transient_conn_test(self):
|
|
""" IPv6: established TCP session (complete 3WHS), ref. on egress """
|
|
self.run_tcp_established_conn_test(AF_INET6, 1)
|
|
|
|
def test_3005_tcp_transient_teardown_conn_test(self):
|
|
""" IPv6: transient TCP session (3WHS,ACK,FINACK), ref. on ingress """
|
|
self.run_tcp_transient_teardown_conn_test(AF_INET6, 0)
|
|
|
|
def test_3006_tcp_transient_teardown_conn_test(self):
|
|
""" IPv6: transient TCP session (3WHS,ACK,FINACK), ref. on egress """
|
|
self.run_tcp_transient_teardown_conn_test(AF_INET6, 1)
|