diff options
author | Pavel Kotucek <pkotucek@cisco.com> | 2017-09-14 09:50:52 +0200 |
---|---|---|
committer | Ole Trøan <otroan@employees.org> | 2017-09-19 07:24:02 +0000 |
commit | 057704ebb51a006fbfd18dba570df1ca504b4277 (patch) | |
tree | d84792b3a967b132bfffbcef1f49f778109973a6 | |
parent | 8d66f9d3f83a419fde67efbb2ee8697038922b7a (diff) |
ACL plugin enable macip for ip4/ip6 traffic
Plus fixed problem with acl heap.
Change-Id: I3d91db549ebe4595f1dab9b8780f90722540024b
Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
-rw-r--r-- | src/plugins/acl/acl.c | 12 | ||||
-rw-r--r-- | test/test_acl_plugin_macip.py | 281 |
2 files changed, 204 insertions, 89 deletions
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c index 21823e3b..04a66864 100644 --- a/src/plugins/acl/acl.c +++ b/src/plugins/acl/acl.c @@ -894,7 +894,6 @@ acl_interface_add_del_inout_acl (u32 sw_if_index, u8 is_add, u8 is_input, { int rv = -1; acl_main_t *am = &acl_main; - void *oldheap = acl_set_heap(am); if (is_add) { rv = @@ -910,7 +909,6 @@ acl_interface_add_del_inout_acl (u32 sw_if_index, u8 is_add, u8 is_input, rv = acl_interface_del_inout_acl (sw_if_index, is_input, acl_list_index); } - clib_mem_set_heap (oldheap); return rv; } @@ -1075,8 +1073,8 @@ macip_create_classify_tables (acl_main_t * am, u32 macip_acl_index) 1); last_table = mt->table_index; } - a->ip4_table_index = ~0; - a->ip6_table_index = ~0; + a->ip4_table_index = last_table; + a->ip6_table_index = last_table; a->l2_table_index = last_table; /* Populate the classifier tables with rules from the MACIP ACL */ @@ -1262,11 +1260,11 @@ macip_acl_interface_add_acl (acl_main_t * am, u32 sw_if_index, void *oldheap = acl_set_heap(am); a = pool_elt_at_index (am->macip_acls, macip_acl_index); vec_validate_init_empty (am->macip_acl_by_sw_if_index, sw_if_index, ~0); + clib_mem_set_heap (oldheap); /* If there already a MACIP ACL applied, unapply it */ if (~0 != am->macip_acl_by_sw_if_index[sw_if_index]) macip_acl_interface_del_acl(am, sw_if_index); am->macip_acl_by_sw_if_index[sw_if_index] = macip_acl_index; - clib_mem_set_heap (oldheap); /* Apply the classifier tables for L2 ACLs */ rv = @@ -1279,7 +1277,6 @@ static int macip_acl_del_list (u32 acl_list_index) { acl_main_t *am = &acl_main; - void *oldheap = acl_set_heap(am); macip_acl_list_t *a; int i; if (pool_is_free_index (am->macip_acls, acl_list_index)) @@ -1296,6 +1293,7 @@ macip_acl_del_list (u32 acl_list_index) } } + void *oldheap = acl_set_heap(am); /* Now that classifier tables are detached, clean them up */ macip_destroy_classify_tables (am, acl_list_index); @@ -1316,7 +1314,6 @@ macip_acl_interface_add_del_acl (u32 sw_if_index, u8 is_add, u32 acl_list_index) { acl_main_t *am = &acl_main; - void *oldheap = acl_set_heap(am); int rv = -1; if (is_add) { @@ -1326,7 +1323,6 @@ macip_acl_interface_add_del_acl (u32 sw_if_index, u8 is_add, { rv = macip_acl_interface_del_acl (am, sw_if_index); } - clib_mem_set_heap (oldheap); return rv; } diff --git a/test/test_acl_plugin_macip.py b/test/test_acl_plugin_macip.py index 3f41313b..f10d6cc6 100644 --- a/test/test_acl_plugin_macip.py +++ b/test/test_acl_plugin_macip.py @@ -275,17 +275,17 @@ class TestMACIP(VppTestCase): denyMAC = True if not is_permit and mac_type == self.WILD_MAC: denyIP = True - if bridged_routed: + + if bridged_routed == self.BRIDGED: if is_permit: src_mac = remote_dst_host._mac dst_mac = 'de:ad:00:00:00:00' - dst_ip6 = src_ip_if.remote_ip6 - src_ip6 = remote_dst_host.ip6 - dst_ip4 = src_ip_if.remote_ip4 src_ip4 = remote_dst_host.ip4 + dst_ip4 = src_ip_if.remote_ip4 + src_ip6 = remote_dst_host.ip6 + dst_ip6 = src_ip_if.remote_ip6 ip_permit = src_ip6 if is_ip6 else src_ip4 mac_permit = src_mac - if denyMAC: mac = src_mac.split(':') mac[0] = format(int(mac[0], 16)+1, "02x") @@ -297,17 +297,36 @@ class TestMACIP(VppTestCase): if denyIP: if ip_type != self.WILD_IP: src_mac = mac_permit - dst_ip6 = src_ip_if.remote_ip6 - src_ip6 = remote_dst_host.ip6 + src_ip4 = remote_dst_host.ip4 dst_ip4 = src_ip_if.remote_ip4 + src_ip6 = remote_dst_host.ip6 + dst_ip6 = src_ip_if.remote_ip6 + else: + if is_permit: + src_mac = remote_dst_host._mac + dst_mac = src_ip_if.local_mac + src_ip4 = src_ip_if.remote_ip4 + dst_ip4 = remote_dst_host.ip4 + src_ip6 = src_ip_if.remote_ip6 + dst_ip6 = remote_dst_host.ip6 + ip_permit = src_ip6 if is_ip6 else src_ip4 + mac_permit = src_mac + if denyMAC: + mac = src_mac.split(':') + mac[0] = format(int(mac[0], 16) + 1, "02x") + src_mac = ":".join(mac) + if is_ip6: + src_ip6 = ip_permit + else: + src_ip4 = ip_permit + if denyIP: + src_mac = remote_dst_host._mac + if ip_type != self.WILD_IP: + src_mac = mac_permit src_ip4 = remote_dst_host.ip4 - else: # TODO - src_mac = src_ip_if.remote_mac - dst_mac = src_ip_if.local_mac - src_ip6 = src_ip_if.remote_ip6 - dst_ip6 = remote_dst_host.ip6 - src_ip4 = src_ip_if.remote_ip4 - dst_ip4 = remote_dst_host.ip4 + dst_ip4 = src_ip_if.remote_ip4 + src_ip6 = remote_dst_host.ip6 + dst_ip6 = src_ip_if.remote_ip6 if is_permit: info = self.create_packet_info(src_ip_if, dst_ip_if) @@ -323,10 +342,7 @@ class TestMACIP(VppTestCase): # create packet packet = Ether(src=src_mac, dst=dst_mac) - if bridged_routed: - ip_rule = src_ip6 if is_ip6 else src_ip4 - else: - ip_rule = dst_ip6 if is_ip6 else dst_ip4 + ip_rule = src_ip6 if is_ip6 else src_ip4 if is_ip6: if ip_type != self.EXACT_IP: sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip_rule))) @@ -340,10 +356,7 @@ class TestMACIP(VppTestCase): sub_ip[2] = str(int(sub_ip[2]) + 1) sub_ip[14] = random.randint(100, 199) sub_ip[15] = random.randint(200, 255) - if bridged_routed: - src_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip))) - else: - dst_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip))) + src_ip6 = inet_ntop(AF_INET6, str(bytearray(sub_ip))) packet /= IPv6(src=src_ip6, dst=dst_ip6) else: if ip_type != self.EXACT_IP: @@ -358,11 +371,7 @@ class TestMACIP(VppTestCase): sub_ip[1] = str(int(sub_ip[1])+1) sub_ip[2] = str(random.randint(100, 199)) sub_ip[3] = str(random.randint(200, 255)) - if bridged_routed: - src_ip4 = ".".join(sub_ip) - else: - # TODO - dst_ip4 = ".".join(sub_ip) + src_ip4 = ".".join(sub_ip) packet /= IP(src=src_ip4, dst=dst_ip4, frag=0, flags=0) packet /= UDP(sport=src_port, dport=dst_port)/Raw(payload) @@ -390,10 +399,7 @@ class TestMACIP(VppTestCase): if ip_type == self.WILD_IP: ip = "0::0" else: - if bridged_routed: - ip = src_ip6 - else: - ip = dst_ip6 + ip = src_ip6 if ip_type == self.SUBNET_IP: sub_ip = list(unpack('<16B', inet_pton(AF_INET6, ip))) for i in range(8, 16): @@ -403,10 +409,7 @@ class TestMACIP(VppTestCase): if ip_type == self.WILD_IP: ip = "0.0.0.0" else: - if bridged_routed: - ip = src_ip4 - else: - ip = dst_ip4 + ip = src_ip4 if ip_type == self.SUBNET_IP: sub_ip = ip.split('.') sub_ip[2] = sub_ip[3] = '0' @@ -469,12 +472,13 @@ class TestMACIP(VppTestCase): do_not_expected_capture=False): self.reset_packet_infos() - tx_if = self.pg0 if bridged_routed else self.pg2 - rx_if = self.pg2 if bridged_routed else self.pg0 + tx_if = self.pg0 if bridged_routed == self.BRIDGED else self.pg2 + rx_if = self.pg2 if bridged_routed == self.BRIDGED else self.pg0 test_dict = self.create_stream(mac_type, ip_type, packets, self.pg2, self.loop0, - bridged_routed, is_ip6) + bridged_routed, + is_ip6) reply = self.vapi.macip_acl_add(test_dict['rules']) self.assertEqual(reply.retval, 0) @@ -496,7 +500,7 @@ class TestMACIP(VppTestCase): packet_count = self.get_packet_count_for_if_idx( self.loop0.sw_if_index) if mac_type == self.WILD_MAC and ip_type == self.WILD_IP: - packet_count = packets + packet_count = packets if bridged_routed else packet_count capture = rx_if.get_capture(packet_count) self.verify_capture(test_dict['stream'], capture, is_ip6) @@ -509,131 +513,240 @@ class TestMACIP(VppTestCase): if traffic is not None: self.run_traffic(self.EXACT_MAC, self.EXACT_IP, traffic, ip, 9) - def test_acl_ip4_exactMAC_exactIP(self): - """ IP4 MACIP exactMAC|exactIP ACL + def test_acl_bridged_ip4_exactMAC_exactIP(self): + """ IP4 MACIP exactMAC|exactIP ACL bridged traffic """ self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP4, 9) - def test_acl_ip6_exactMAC_exactIP(self): - """ IP6 MACIP exactMAC|exactIP ACL + def test_acl_bridged_ip6_exactMAC_exactIP(self): + """ IP6 MACIP exactMAC|exactIP ACL bridged traffic """ self.run_traffic(self.EXACT_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP6, 9) - def test_acl_ip4_exactMAC_subnetIP(self): - """ IP4 MACIP exactMAC|subnetIP ACL + def test_acl_bridged_ip4_exactMAC_subnetIP(self): + """ IP4 MACIP exactMAC|subnetIP ACL bridged traffic """ self.run_traffic(self.EXACT_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP4, 9) - def test_acl_ip6_exactMAC_subnetIP(self): - """ IP6 MACIP exactMAC|subnetIP ACL + def test_acl_bridged_ip6_exactMAC_subnetIP(self): + """ IP6 MACIP exactMAC|subnetIP ACL bridged traffic """ self.run_traffic(self.EXACT_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP6, 9) - def test_acl_ip4_exactMAC_wildIP(self): - """ IP4 MACIP exactMAC|wildIP ACL + def test_acl_bridged_ip4_exactMAC_wildIP(self): + """ IP4 MACIP exactMAC|wildIP ACL bridged traffic """ self.run_traffic(self.EXACT_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP4, 9) - def test_acl_ip6_exactMAC_wildIP(self): - """ IP6 MACIP exactMAC|wildIP ACL + def test_acl_bridged_ip6_exactMAC_wildIP(self): + """ IP6 MACIP exactMAC|wildIP ACL bridged traffic """ self.run_traffic(self.EXACT_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP6, 9) - def test_acl_ip4_ouiMAC_exactIP(self): - """ IP4 MACIP ouiMAC|exactIP ACL + def test_acl_bridged_ip4_ouiMAC_exactIP(self): + """ IP4 MACIP ouiMAC|exactIP ACL bridged traffic """ self.run_traffic(self.OUI_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP4, 3) - def test_acl_ip6_ouiMAC_exactIP(self): - """ IP6 MACIP oui_MAC|exactIP ACL + def test_acl_bridged_ip6_ouiMAC_exactIP(self): + """ IP6 MACIP oui_MAC|exactIP ACL bridged traffic """ self.run_traffic(self.OUI_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP6, 9) - def test_acl_ip4_ouiMAC_subnetIP(self): - """ IP4 MACIP ouiMAC|subnetIP ACL + def test_acl_bridged_ip4_ouiMAC_subnetIP(self): + """ IP4 MACIP ouiMAC|subnetIP ACL bridged traffic """ self.run_traffic(self.OUI_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP4, 9) - def test_acl_ip6_ouiMAC_subnetIP(self): - """ IP6 MACIP ouiMAC|subnetIP ACL + def test_acl_bridged_ip6_ouiMAC_subnetIP(self): + """ IP6 MACIP ouiMAC|subnetIP ACL bridged traffic """ self.run_traffic(self.OUI_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP6, 9) - def test_acl_ip4_ouiMAC_wildIP(self): - """ IP4 MACIP ouiMAC|wildIP ACL + def test_acl_bridged_ip4_ouiMAC_wildIP(self): + """ IP4 MACIP ouiMAC|wildIP ACL bridged traffic """ self.run_traffic(self.OUI_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP4, 9) - def test_acl_ip6_ouiMAC_wildIP(self): - """ IP6 MACIP ouiMAC|wildIP ACL + def test_acl_bridged_ip6_ouiMAC_wildIP(self): + """ IP6 MACIP ouiMAC|wildIP ACL bridged traffic """ self.run_traffic(self.OUI_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP6, 9) - def test_acl_ip4_wildMAC_exactIP(self): - """ IP4 MACIP wildcardMAC|exactIP ACL + def test_ac_bridgedl_ip4_wildMAC_exactIP(self): + """ IP4 MACIP wildcardMAC|exactIP ACL bridged traffic """ self.run_traffic(self.WILD_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP4, 9) - def test_acl_ip6_wildMAC_exactIP(self): - """ IP6 MACIP wildcardMAC|exactIP ACL + def test_acl_bridged_ip6_wildMAC_exactIP(self): + """ IP6 MACIP wildcardMAC|exactIP ACL bridged traffic """ self.run_traffic(self.WILD_MAC, self.EXACT_IP, self.BRIDGED, self.IS_IP6, 9) - def test_acl_ip4_wildMAC_subnetIP(self): - """ IP4 MACIP wildcardMAC|subnetIP ACL + def test_acl_bridged_ip4_wildMAC_subnetIP(self): + """ IP4 MACIP wildcardMAC|subnetIP ACL bridged traffic """ self.run_traffic(self.WILD_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP4, 9) - def test_acl_ip6_wildMAC_subnetIP(self): - """ IP6 MACIP wildcardMAC|subnetIP ACL + def test_acl_bridged_ip6_wildMAC_subnetIP(self): + """ IP6 MACIP wildcardMAC|subnetIP ACL bridged traffic """ self.run_traffic(self.WILD_MAC, self.SUBNET_IP, self.BRIDGED, self.IS_IP6, 9) - def test_acl_ip4_wildMAC_wildIP(self): - """ IP4 MACIP wildcardMAC|wildIP ACL + def test_acl_bridged_ip4_wildMAC_wildIP(self): + """ IP4 MACIP wildcardMAC|wildIP ACL bridged traffic """ self.run_traffic(self.WILD_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP4, 9) - def test_acl_ip6_wildMAC_wildIP(self): - """ IP6 MACIP wildcardMAC|wildIP ACL + def test_acl_bridged_ip6_wildMAC_wildIP(self): + """ IP6 MACIP wildcardMAC|wildIP ACL bridged traffic """ self.run_traffic(self.WILD_MAC, self.WILD_IP, self.BRIDGED, self.IS_IP6, 9) + def test_acl_routed_ip4_exactMAC_exactIP(self): + """ IP4 MACIP exactMAC|exactIP ACL routed traffic + """ + self.run_traffic(self.EXACT_MAC, self.EXACT_IP, + self.ROUTED, self.IS_IP4, 9) + + def test_acl_routed_ip6_exactMAC_exactIP(self): + """ IP6 MACIP exactMAC|exactIP ACL routed traffic + """ + + self.run_traffic(self.EXACT_MAC, self.EXACT_IP, + self.ROUTED, self.IS_IP6, 9) + + def test_acl_routed_ip4_exactMAC_subnetIP(self): + """ IP4 MACIP exactMAC|subnetIP ACL routed traffic + """ + self.run_traffic(self.EXACT_MAC, self.SUBNET_IP, + self.ROUTED, self.IS_IP4, 9) + + def test_acl_routed_ip6_exactMAC_subnetIP(self): + """ IP6 MACIP exactMAC|subnetIP ACL routed traffic + """ + + self.run_traffic(self.EXACT_MAC, self.SUBNET_IP, + self.ROUTED, self.IS_IP6, 9) + + def test_acl_routed_ip4_exactMAC_wildIP(self): + """ IP4 MACIP exactMAC|wildIP ACL routed traffic + """ + self.run_traffic(self.EXACT_MAC, self.WILD_IP, + self.ROUTED, self.IS_IP4, 9) + + def test_acl_routed_ip6_exactMAC_wildIP(self): + """ IP6 MACIP exactMAC|wildIP ACL routed traffic + """ + + self.run_traffic(self.EXACT_MAC, self.WILD_IP, + self.ROUTED, self.IS_IP6, 9) + + def test_acl_routed_ip4_ouiMAC_exactIP(self): + """ IP4 MACIP ouiMAC|exactIP ACL routed traffic + """ + + self.run_traffic(self.OUI_MAC, self.EXACT_IP, + self.ROUTED, self.IS_IP4, 9) + + def test_acl_routed_ip6_ouiMAC_exactIP(self): + """ IP6 MACIP ouiMAC|exactIP ACL routed traffic + """ + + self.run_traffic(self.OUI_MAC, self.EXACT_IP, + self.ROUTED, self.IS_IP6, 9) + + def test_acl_routed_ip4_ouiMAC_subnetIP(self): + """ IP4 MACIP ouiMAC|subnetIP ACL routed traffic + """ + + self.run_traffic(self.OUI_MAC, self.SUBNET_IP, + self.ROUTED, self.IS_IP4, 9) + + def test_acl_routed_ip6_ouiMAC_subnetIP(self): + """ IP6 MACIP ouiMAC|subnetIP ACL routed traffic + """ + + self.run_traffic(self.OUI_MAC, self.SUBNET_IP, + self.ROUTED, self.IS_IP6, 9) + + def test_acl_routed_ip4_ouiMAC_wildIP(self): + """ IP4 MACIP ouiMAC|wildIP ACL routed traffic + """ + + self.run_traffic(self.OUI_MAC, self.WILD_IP, + self.ROUTED, self.IS_IP4, 9) + + def test_acl_routed_ip6_ouiMAC_wildIP(self): + """ IP6 MACIP ouiMAC|wildIP ACL routed traffic + """ + + self.run_traffic(self.OUI_MAC, self.WILD_IP, + self.ROUTED, self.IS_IP6, 9) + + def test_acl_routed_ip4_wildMAC_exactIP(self): + """ IP4 MACIP wildcardMAC|exactIP ACL routed traffic + """ + + self.run_traffic(self.WILD_MAC, self.EXACT_IP, + self.ROUTED, self.IS_IP4, 9) + + def test_acl_routed_ip6_wildMAC_exactIP(self): + """ IP6 MACIP wildcardMAC|exactIP ACL routed traffic + """ + + self.run_traffic(self.WILD_MAC, self.EXACT_IP, + self.ROUTED, self.IS_IP6, 9) + + def test_acl_routed_ip4_wildMAC_subnetIP(self): + """ IP4 MACIP wildcardMAC|subnetIP ACL routed traffic + """ + + self.run_traffic(self.WILD_MAC, self.SUBNET_IP, + self.ROUTED, self.IS_IP4, 9) + + def test_acl_routed_ip6_wildMAC_subnetIP(self): + """ IP6 MACIP wildcardMAC|subnetIP ACL routed traffic + """ + + self.run_traffic(self.WILD_MAC, self.SUBNET_IP, + self.ROUTED, self.IS_IP6, 9) + def test_acl_1_2(self): """ MACIP ACL with 2 entries """ @@ -829,13 +942,19 @@ class TestMACIP(VppTestCase): self.assertEqual(len([x for x in reply.acls if x != 4294967295]), 0) - @unittest.skipUnless(running_extended_tests(), "part of extended tests") - def test_routed(self): - """ MACIP with routed traffic + def test_acl_routed_ip4_wildMAC_wildIP(self): + """ IP4 MACIP wildcardMAC|wildIP ACL """ - # TODO: routed do not work yet !!! - # self.run_traffic(self.EXACT_IP, self.EXACT_MAC, False, False, 9) - # self.run_traffic(self.EXACT_IP, self.EXACT_MAC, False, True, 9) + + self.run_traffic(self.WILD_MAC, self.WILD_IP, + self.ROUTED, self.IS_IP4, 9) + + def test_acl_routed_ip6_wildMAC_wildIP(self): + """ IP6 MACIP wildcardMAC|wildIP ACL + """ + + self.run_traffic(self.WILD_MAC, self.WILD_IP, + self.ROUTED, self.IS_IP6, 9) if __name__ == '__main__': |