From cd288d8e0812793b2c701ae9a4596d6d0837ca6b Mon Sep 17 00:00:00 2001 From: Jan Gelety Date: Wed, 5 Apr 2017 08:54:11 +0200 Subject: CSIT-622: Stateful Security Groups perf tests 1. add L2BD iACL statefull and stateless tests with 1, 10 and 50 not-hitting ACEs in combination with 100, 10k and 100k flows per direction 2. add L2BD oACL statefull and stateless tests with 1, 10 and 50 not-hitting ACEs in combination with 100, 10k and 100k flows per direction Change-Id: Ia38589aa81b50c5ccdf2813ad6fadd22b46fffeb Signed-off-by: Jan Gelety --- resources/libraries/python/Classify.py | 156 ++++++++++++++++++++- .../performance/performance_configuration.robot | 106 ++++++++++++++ 2 files changed, 261 insertions(+), 1 deletion(-) (limited to 'resources/libraries')
diff --git a/resources/libraries/python/Classify.py b/resources/libraries/python/Classify.py
index e4fa2a3087..469a707c32 100644
--- a/resources/libraries/python/Classify.py
+++ b/resources/libraries/python/Classify.py
@@ -16,6 +16,7 @@
 from robot.api import logger
 from resources.libraries.python.VatExecutor import VatExecutor, VatTerminal
+from resources.libraries.python.topology import Topology
 class Classify(object):
@@ -387,10 +388,163 @@ class Classify(object):
 :param node: VPP node.
 :type node: dict
 """
-
 try:
 VatExecutor.cmd_from_template(
 node, "acl_plugin/acl_interface_dump.vat", json_out=False)
 except RuntimeError:
 # Fails to parse response, but it is still logged
 pass
+
+ @staticmethod
+ def set_acl_list_for_interface(node, interface, acl_type, acl_idx=None):
+ """Set the list of input or output ACLs applied to the interface. It
+ unapplies any previously applied ACLs.
+
+ :param node: VPP node to set ACL on.
+ :param interface: Interface name or sw_if_index.
+ :param acl_type: Type of ACL(s) - input or output.
+ :param acl_idx: Index(ies) of ACLs to be applied on the interface.
+ :type node: dict
+ :type interface: str or int
+ :type acl_type: str
+ :type acl_idx: list
+ :raises RuntimeError: If unable to set ACL list for the interface.
+ """
+ sw_if_index = Topology.get_interface_sw_index(node, interface) \
+ if isinstance(interface, basestring) else interface
+
+ acl_list = acl_type + ' ' + ' '.join(str(idx) for idx in acl_idx) \
+ if acl_idx else acl_type
+
+ try:
+ with VatTerminal(node, json_param=False) as vat:
+ vat.vat_terminal_exec_cmd_from_template(
+ "acl_plugin/acl_interface_set_acl_list.vat",
+ interface=sw_if_index, acl_list=acl_list)
+ except:
+ raise RuntimeError("Setting of ACL list for interface {0} failed "
+ "on node {1}".format(interface, node['host']))
+
+ @staticmethod
+ def add_replace_acl(node, acl_idx=None, ip_ver="ipv4", action="permit",
+ src=None, dst=None, sport=None, dport=None, proto=None,
+ tcpflg_val=None, tcpflg_mask=None):
+ """Add a new ACL or replace the existing one. To replace an existing
+ ACL, pass the ID of this ACL.
+
+ :param node: VPP node to set ACL on.
+ :param acl_idx: ID of ACL. (Optional)
+ :param ip_ver: IP version. (Optional)
+ :param action: ACL action. (Optional)
+ :param src: Source IP in format IP/plen. (Optional)
+ :param dst: Destination IP in format IP/plen.
(Optional)
+ :param sport: Source port or ICMP4/6 type - range format X-Y allowed.
+ (Optional)
+ :param dport: Destination port or ICMP4/6 code - range format X-Y
+ allowed. (Optional)
+ :param proto: L4 protocol (http://www.iana.org/assignments/protocol-
+ numbers/protocol-numbers.xhtml). (Optional)
+ :param tcpflg_val: TCP flags value. (Optional)
+ :param tcpflg_mask: TCP flags mask. (Optional)
+ :type node: dict
+ :type acl_idx: int
+ :type ip_ver: str
+ :type action: str
+ :type src: str
+ :type dst: str
+ :type sport: str or int
+ :type dport: str or int
+ :type proto: int
+ :type tcpflg_val: int
+ :type tcpflg_mask: int
+ :raises RuntimeError: If unable to add or replace ACL.
+ """
+ acl_idx = '{0}'.format(acl_idx) if acl_idx else ''
+
+ src = 'src {0}'.format(src) if src else ''
+
+ dst = 'dst {0}'.format(dst) if dst else ''
+
+ sport = 'sport {0}'.format(sport) if sport else ''
+
+ dport = 'dport {0}'.format(dport) if dport else ''
+
+ proto = 'proto {0}'.format(proto) if proto else ''
+
+ tcpflags = 'tcpflags {0} {1}'.format(tcpflg_val, tcpflg_mask) \
+ if tcpflg_val and tcpflg_mask else ''
+
+ try:
+ with VatTerminal(node, json_param=False) as vat:
+ vat.vat_terminal_exec_cmd_from_template(
+ "acl_plugin/acl_add_replace.vat", acl_idx=acl_idx,
+ ip_ver=ip_ver, action=action, src=src, dst=dst, sport=sport,
+ dport=dport, proto=proto, tcpflags=tcpflags)
+ except:
+ raise RuntimeError("Adding or replacing of ACL failed on "
+ "node {0}".format(node['host']))
+
+ @staticmethod
+ def add_replace_acl_multi_entries(node, acl_idx=None, rules=None):
+ """Add a new ACL or replace the existing one. To replace an existing
+ ACL, pass the ID of this ACL.
+
+ :param node: VPP node to set ACL on.
+ :param acl_idx: ID of ACL. (Optional)
+ :param rules: Required rules. (Optional)
+ :type node: dict
+ :type acl_idx: int
+ :type rules: str
+ :raises RuntimeError: If unable to add or replace ACL.
+ """
+ acl_idx = '{0}'.format(acl_idx) if acl_idx else ''
+
+ rules = '{0}'.format(rules) if rules else ''
+
+ try:
+ with VatTerminal(node, json_param=False) as vat:
+ vat.vat_terminal_exec_cmd_from_template(
+ "acl_plugin/acl_add_replace.vat", acl_idx=acl_idx,
+ ip_ver=rules, action='', src='', dst='', sport='',
+ dport='', proto='', tcpflags='')
+ except:
+ raise RuntimeError("Adding or replacing of ACL failed on "
+ "node {0}".format(node['host']))
+
+ @staticmethod
+ def delete_acl(node, idx):
+ """Delete required ACL.
+
+ :param node: VPP node to delete ACL on.
+ :param idx: Index of ACL to be deleted.
+ :type node: dict
+ :type idx: int or str
+ :raises RuntimeError: If unable to delete ACL.
+ """
+ try:
+ with VatTerminal(node, json_param=False) as vat:
+ vat.vat_terminal_exec_cmd_from_template(
+ "acl_plugin/acl_delete.vat", idx=idx)
+ except:
+ raise RuntimeError("Deletion of ACL failed on node {0}".
+ format(node['host']))
+
+ @staticmethod
+ def cli_show_acl(node, acl_idx=None):
+ """Show ACLs.
+
+ :param node: VPP node to show ACL on.
+ :param acl_idx: Index of ACL to be shown.
+ :type node: dict
+ :type acl_idx: int or str
+ :raises RuntimeError: If unable to delete ACL.
+ """
+ acl_idx = '{0}'.format(acl_idx) if acl_idx else ''
+
+ try:
+ with VatTerminal(node, json_param=False) as vat:
+ vat.vat_terminal_exec_cmd_from_template(
+ "acl_plugin/show_acl.vat", idx=acl_idx)
+ except:
+ raise RuntimeError("Failed to show ACL on node {0}".
+ format(node['host']))
diff --git a/resources/libraries/robot/performance/performance_configuration.robot b/resources/libraries/robot/performance/performance_configuration.robot
index 3255547e08..568114f15b 100644
--- a/resources/libraries/robot/performance/performance_configuration.robot
+++ b/resources/libraries/robot/performance/performance_configuration.robot
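Review bot: The optional arguments of `add_replace_acl` are tested for truthiness, so a legitimate zero is silently dropped: `acl_idx=0` adds a new ACL instead of replacing ACL 0, `proto=0` and `sport=0`/`dport=0` (ICMP type or code 0) are left out of the rule, and `tcpflg_val=0` with a non-zero mask removes the whole `tcpflags` clause. Each case installs a broader ACL than the caller asked for, so a security-group test can pass for the wrong reason. The same `if acl_idx else ''` test is in `add_replace_acl_multi_entries` and `cli_show_acl`, where index 0 (the index the new robot keyword applies to the interfaces) falls back to "new ACL" and "show all". Comparing against `None` keeps zero; if any caller passes an empty string to mean "unset" (not visible in this hunk), the test would need `not in (None, '')` instead.

```python
        # add_replace_acl; the acl_idx line applies equally to
        # add_replace_acl_multi_entries and cli_show_acl
        acl_idx = '{0}'.format(acl_idx) if acl_idx is not None else ''
        # … unchanged: src and dst formatting …
        sport = 'sport {0}'.format(sport) if sport is not None else ''
        dport = 'dport {0}'.format(dport) if dport is not None else ''
        proto = 'proto {0}'.format(proto) if proto is not None else ''
        tcpflags = 'tcpflags {0} {1}'.format(tcpflg_val, tcpflg_mask) \
            if tcpflg_val is not None and tcpflg_mask is not None else ''
        # … unchanged: VatTerminal call and RuntimeError handling …
```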
@@ -13,6 +13,7 @@
 *** Settings ***
 | Library | Collections
+| Library | String
 | Library | resources.libraries.python.topology.Topology
 | Library | resources.libraries.python.NodePath
 | Library | resources.libraries.python.DpdkUtil
@@ -734,6 +735,111 @@
 | | Configure L2BD forwarding | ${dut2} | ${dut2_if1} | ${dut2_if2}
 | | All Vpp Interfaces Ready Wait | ${nodes}
+| Configure IPv4 ACLs
+| | [Documentation]
+| | ... | Configure ACL with required number of not-hitting permit ACEs plus two
+| | ... | hitting ACEs for both traffic directions.
+| | ...
+| | ... | _NOTE:_ This KW uses following test case variables:
+| | ... | - ${src_ip_start} - Source IP address start. Type: string.
+| | ... | - ${dst_ip_start} - Destination IP address start. Type: string.
+| | ... | - ${ip_step} - IP address step. Type: string.
+| | ... | - ${sport_start} - Source port number start. Type: string.
+| | ... | - ${dport_start} - Destination port number start. Type: string.
+| | ... | - ${port_step} - Port number step. Type: string.
+| | ... | - ${no_hit_aces_number} - Number of not-hitting ACEs to be configured.
+| | ... | Type: integer
+| | ... | - ${acl_apply_type} - To what path aplly the ACL - input or output.
+| | ... | Type: string
+| | ... | - ${acl_action} - Action for the rule - deny, permit, permit+reflect.
+| | ... | Type: stringe
+| | ... | - ${trex_stream1_subnet} - IP subnet used by T-Rex in direction 0->1.
+| | ... | Type: string
+| | ... | - ${trex_stream2_subnet} - IP subnet used by T-Rex in direction 1->0.
+| | ... | Type: string
+| | ...
+| | [Arguments] | ${dut} | ${dut_if1}=${None} | ${dut_if2}=${None}
+| | ${src_ip_int} = | Evaluate
+| | ... | int(ipaddress.ip_address(unicode($src_ip_start))) - $ip_step
+| | ... | modules=ipaddress
+| | ${dst_ip_int} = | Evaluate
+| | ... | int(ipaddress.ip_address(unicode($dst_ip_start))) - $ip_step
+| | ... | modules=ipaddress
+| | ${ip_limit} = | Set Variable | 255.255.255.255
+| | ${ip_limit_int} = | Evaluate
+| | ...
| int(ipaddress.ip_address(unicode($ip_limit))) | modules=ipaddress
+| | ${sport}= | Evaluate | $sport_start - $port_step
+| | ${dport}= | Evaluate | $dport_start - $port_step
+| | ${port_limit}= | Set Variable | ${65535}
+| | ${acl}= | Set Variable | ipv4 permit
+| | :FOR | ${nr} | IN RANGE | 0 | ${no_hit_aces_number}
+| | | ${src_ip_int} = | Evaluate | $src_ip_int + $ip_step
+| | | ${dst_ip_int} = | Evaluate | $dst_ip_int + $ip_step
+| | | ${sport}= | Evaluate | $sport + $port_step
+| | | ${dport}= | Evaluate | $dport + $port_step
+| | | ${ipv4_limit_reached}= | Set Variable If
+| | | ... | $src_ip_int > $ip_limit_int or $src_ip_int > $ip_limit_int
+| | | ... | ${True}
+| | | ${udp_limit_reached}= | Set Variable If
+| | | ... | $sport > $port_limit or $dport > $port_limit | ${True}
+| | | Run Keyword If | $ipv4_limit_reached is True | Log
+| | | ... | Can't do more iterations - IPv4 address limit has been reached.
+| | | ... | WARN
+| | | Run Keyword If | $udp_limit_reached is True | Log
+| | | ... | Can't do more iterations - UDP port limit has been reached.
+| | | ... | WARN
+| | | ${src_ip} = | Run Keyword If | $ipv4_limit_reached is True
+| | | ... | Set Variable | ${ip_limit}
+| | | ... | ELSE | Evaluate | str(ipaddress.ip_address($src_ip_int))
+| | | ... | modules=ipaddress
+| | | ${dst_ip} = | Run Keyword If | $ipv4_limit_reached is True
+| | | ... | Set Variable | ${ip_limit}
+| | | ... | ELSE | Evaluate | str(ipaddress.ip_address($dst_ip_int))
+| | | ... | modules=ipaddress
+| | | ${sport}= | Set Variable If | ${sport} > $port_limit | $port_limit
+| | | ... | ${sport}
+| | | ${dport}= | Set Variable If | ${dport} > $port_limit | $port_limit
+| | | ... | ${dport}
+| | | ${acl}= | Catenate | ${acl} | src ${src_ip}/32 dst ${dst_ip}/32
+| | | ... | sport ${sport} | dport ${dport},
+| | | Exit For Loop If
+| | | ... | $ipv4_limit_reached is True or $udp_limit_reached is True
+| | ${acl}= | Catenate | ${acl}
+| | ...
| ipv4 ${acl_action} src ${trex_stream1_subnet},
+| | ... | ipv4 ${acl_action} src ${trex_stream2_subnet}
+| | Add Replace Acl Multi Entries | ${dut} | rules=${acl}
+| | @{acl_list}= | Create List | ${0}
+| | Run Keyword If | 'input' in $acl_apply_type and $dut_if1 is not None
+| | ... | Set Acl List For Interface | ${dut} | ${dut_if1} | input | ${acl_list}
+| | Run Keyword If | 'input' in $acl_apply_type and $dut_if2 is not None
+| | ... | Set Acl List For Interface | ${dut} | ${dut_if2} | input | ${acl_list}
+| | Run Keyword If | 'output' in $acl_apply_type and $dut_if1 is not None
+| | ... | Set Acl List For Interface | ${dut} | ${dut_if1} | output
+| | ... | ${acl_list}
+| | Run Keyword If | 'output' in $acl_apply_type and $dut_if2 is not None
+| | ... | Set Acl List For Interface | ${dut} | ${dut_if2} | output
+| | ... | ${acl_list}
+
+| Initialize L2 bridge domain with IPv4 ACLs on DUT1 in 3-node circular topology
+| | [Documentation]
+| | ... | Setup L2BD topology by adding two interfaces on DUT1 into bridge
+| | ... | domain that is created automatically with index 1. Learning is
+| | ... | enabled. Interfaces are brought up. Apply required ACL rules to DUT1
+| | ... | interfaces.
+| | ...
+| | ... | _NOTE:_ This KW uses following test case variables:
+| | ... | - ${dut1} - DUT1 node.
+| | ... | - ${dut2} - DUT2 node.
+| | ... | - ${dut1_if1} - DUT1 interface towards TG.
+| | ... | - ${dut1_if2} - DUT1 interface towards DUT2.
+| | ... | - ${dut2_if1} - DUT2 interface towards DUT1.
+| | ... | - ${dut2_if2} - DUT2 interface towards TG.
+| | ...
+| | Configure L2BD forwarding | ${dut1} | ${dut1_if1} | ${dut1_if2}
+| | Configure L2XC | ${dut2} | ${dut2_if1} | ${dut2_if2}
+| | All Vpp Interfaces Ready Wait | ${nodes}
+| | Configure IPv4 ACLs | ${dut1} | ${dut1_if1} | ${dut1_if2}
+
 | Initialize L2 bridge domains with Vhost-User in 3-node circular topology
 | | [Documentation]
 | | ... | Create two Vhost-User interfaces on all defined VPP nodes.
Add each -- cgit 1.2.3-korg
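Review bot: The IPv4 limit test in the FOR loop of `Configure IPv4 ACLs` compares `$src_ip_int` with `$ip_limit_int` twice and never checks `$dst_ip_int`, so a destination range that runs past 255.255.255.255 is not flagged and reaches `ipaddress.ip_address($dst_ip_int)`, which raises instead of being clamped with the warning. The condition should read `$src_ip_int > $ip_limit_int or $dst_ip_int > $ip_limit_int`. The two port clamps also pass `$port_limit` as a plain value to `Set Variable If`; outside an evaluated expression that is likely taken as literal text rather than 65535, so `${port_limit}` looks intended. Separately, the keyword binds ACL index `${0}` to the interfaces without checking which index `Add Replace Acl Multi Entries` created, which assumes no ACL exists on the DUT beforehand; a comment stating that precondition would help.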