aboutsummaryrefslogtreecommitdiffstats
path: root/test/test_abf.py
diff options
context:
space:
mode:
authorAndrew Yourtchenko <ayourtch@gmail.com>2017-11-17 14:38:18 +0100
committerDamjan Marion <dmarion.lists@gmail.com>2018-04-17 18:25:05 +0000
commit669d07dc016757b856e1014a415996cf9f0ebc58 (patch)
treebd86de6e168fd66563f3f81aa971403c0409bbe9 /test/test_abf.py
parent2926eca95138577be8d88eb8d6a442d93f182309 (diff)
ACL based forwarding
A poor man's flow switching or policy based rounting. An ACL is used to match packets and is associated with a [set of] forwarding paths that determine how to forward matched packets - collectively this association is a 'policy'. Policies are then 'attached', in a priority order, to an interface when thaey are encountered as an input feature. If a packet matches no policies it is forwarded normally in the IP FIB. This commit is used to test the "ACL-as-a-service" functionality, which currently compiles, and the existing traffic ACL tests pass in both hash and linear modes. Change-Id: I0b274ec9f2e645352fa898b43eb54c457e195964 Signed-off-by: Neale Ranns <nranns@cisco.com> Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> Signed-off-by: Ole Troan <ot@cisco.com>
Diffstat (limited to 'test/test_abf.py')
-rw-r--r--test/test_abf.py338
1 files changed, 338 insertions, 0 deletions
diff --git a/test/test_abf.py b/test/test_abf.py
new file mode 100644
index 00000000000..ce53e53fc98
--- /dev/null
+++ b/test/test_abf.py
@@ -0,0 +1,338 @@
+#!/usr/bin/env python
+
+from framework import VppTestCase, VppTestRunner
+from vpp_udp_encap import *
+from vpp_ip_route import VppIpRoute, VppRoutePath, VppIpTable, DpoProto
+
+from scapy.packet import Raw
+from scapy.layers.l2 import Ether, ARP
+from scapy.layers.inet import IP, UDP
+from scapy.layers.inet6 import IPv6
+from scapy.contrib.mpls import MPLS
+
+from vpp_object import *
+from socket import inet_pton, inet_ntop, AF_INET, AF_INET6
+
+
+def find_abf_policy(test, id):
+ policies = test.vapi.abf_policy_dump()
+ for p in policies:
+ if id == p.policy.policy_id:
+ return True
+ return False
+
+
+def find_abf_itf_attach(test, id, sw_if_index):
+ attachs = test.vapi.abf_itf_attach_dump()
+ for a in attachs:
+ if id == a.attach.policy_id and \
+ sw_if_index == a.attach.sw_if_index:
+ return True
+ return False
+
+
+class VppAbfPolicy(VppObject):
+
+ def __init__(self,
+ test,
+ policy_id,
+ acl,
+ paths):
+ self._test = test
+ self.policy_id = policy_id
+ self.acl = acl
+ self.paths = paths
+
+ def encode_paths(self):
+ br_paths = []
+ for p in self.paths:
+ lstack = []
+ for l in p.nh_labels:
+ if type(l) == VppMplsLabel:
+ lstack.append(l.encode())
+ else:
+ lstack.append({'label': l, 'ttl': 255})
+ n_labels = len(lstack)
+ while (len(lstack) < 16):
+ lstack.append({})
+ br_paths.append({'next_hop': p.nh_addr,
+ 'weight': 1,
+ 'afi': p.proto,
+ 'sw_if_index': 0xffffffff,
+ 'preference': 0,
+ 'table_id': p.nh_table_id,
+ 'next_hop_id': p.next_hop_id,
+ 'is_udp_encap': p.is_udp_encap,
+ 'n_labels': n_labels,
+ 'label_stack': lstack})
+ return br_paths
+
+ def add_vpp_config(self):
+ self._test.vapi.abf_policy_add_del(
+ 1,
+ {'policy_id': self.policy_id,
+ 'acl_index': self.acl.acl_index,
+ 'n_paths': len(self.paths),
+ 'paths': self.encode_paths()})
+ self._test.registry.register(self, self._test.logger)
+
+ def remove_vpp_config(self):
+ self._test.vapi.abf_policy_add_del(
+ 0,
+ {'policy_id': self.policy_id,
+ 'acl_index': self.acl.acl_index,
+ 'n_paths': len(self.paths),
+ 'paths': self.encode_paths()})
+
+ def query_vpp_config(self):
+ return find_abf_policy(self._test, self.policy_id)
+
+ def __str__(self):
+ return self.object_id()
+
+ def object_id(self):
+ return ("abf-policy-%d" % self.policy_id)
+
+
+class VppAbfAttach(VppObject):
+
+ def __init__(self,
+ test,
+ policy_id,
+ sw_if_index,
+ priority,
+ is_ipv6=0):
+ self._test = test
+ self.policy_id = policy_id
+ self.sw_if_index = sw_if_index
+ self.priority = priority
+ self.is_ipv6 = is_ipv6
+
+ def add_vpp_config(self):
+ self._test.vapi.abf_itf_attach_add_del(
+ 1,
+ {'policy_id': self.policy_id,
+ 'sw_if_index': self.sw_if_index,
+ 'priority': self.priority,
+ 'is_ipv6': self.is_ipv6})
+ self._test.registry.register(self, self._test.logger)
+
+ def remove_vpp_config(self):
+ self._test.vapi.abf_itf_attach_add_del(
+ 0,
+ {'policy_id': self.policy_id,
+ 'sw_if_index': self.sw_if_index,
+ 'priority': self.priority,
+ 'is_ipv6': self.is_ipv6})
+
+ def query_vpp_config(self):
+ return find_abf_itf_attach(self._test,
+ self.policy_id,
+ self.sw_if_index)
+
+ def __str__(self):
+ return self.object_id()
+
+ def object_id(self):
+ return ("abf-attach-%d-%d" % (self.policy_id, self.sw_if_index))
+
+
+class TestAbf(VppTestCase):
+ """ ABF Test Case """
+
+ def setUp(self):
+ super(TestAbf, self).setUp()
+
+ self.create_pg_interfaces(range(4))
+
+ for i in self.pg_interfaces:
+ i.admin_up()
+ i.config_ip4()
+ i.resolve_arp()
+ i.config_ip6()
+ i.resolve_ndp()
+
+ def tearDown(self):
+ for i in self.pg_interfaces:
+ i.unconfig_ip4()
+ i.unconfig_ip6()
+ i.ip6_disable()
+ i.admin_down()
+ super(TestAbf, self).tearDown()
+
+ def test_abf4(self):
+ """ IPv4 ACL Based Forwarding
+ """
+
+ #
+ # We are not testing the various matching capabilities
+ # of ACLs, that's done elsewhere. Here ware are testing
+ # the application of ACLs to a forwarding path to achieve
+ # ABF
+ # So we construct just a few ACLs to ensure the ABF policies
+ # are correclty constructed and used. And a few path types
+ # to test the API path decoding.
+ #
+
+ #
+ # Rule 1
+ #
+ rule_1 = ({'is_permit': 1,
+ 'is_ipv6': 0,
+ 'proto': 17,
+ 'srcport_or_icmptype_first': 1234,
+ 'srcport_or_icmptype_last': 1234,
+ 'src_ip_prefix_len': 32,
+ 'src_ip_addr': inet_pton(AF_INET, "1.1.1.1"),
+ 'dstport_or_icmpcode_first': 1234,
+ 'dstport_or_icmpcode_last': 1234,
+ 'dst_ip_prefix_len': 32,
+ 'dst_ip_addr': inet_pton(AF_INET, "1.1.1.2")})
+ acl_1 = self.vapi.acl_add_replace(acl_index=4294967295, r=[rule_1])
+
+ #
+ # ABF policy for ACL 1 - path via interface 1
+ #
+ abf_1 = VppAbfPolicy(self, 10, acl_1,
+ [VppRoutePath(self.pg1.remote_ip4,
+ self.pg1.sw_if_index)])
+ abf_1.add_vpp_config()
+
+ #
+ # Attach the policy to input interface Pg0
+ #
+ attach_1 = VppAbfAttach(self, 10, self.pg0.sw_if_index, 50)
+ attach_1.add_vpp_config()
+
+ #
+ # fire in packet matching the ACL src,dst. If it's forwarded
+ # then the ABF was successful, since default routing will drop it
+ #
+ p_1 = (Ether(src=self.pg0.remote_mac,
+ dst=self.pg0.local_mac) /
+ IP(src="1.1.1.1", dst="1.1.1.2") /
+ UDP(sport=1234, dport=1234) /
+ Raw('\xa5' * 100))
+ self.send_and_expect(self.pg0, p_1*65, self.pg1)
+
+ #
+ # Attach a 'better' priority policy to the same interface
+ #
+ abf_2 = VppAbfPolicy(self, 11, acl_1,
+ [VppRoutePath(self.pg2.remote_ip4,
+ self.pg2.sw_if_index)])
+ abf_2.add_vpp_config()
+ attach_2 = VppAbfAttach(self, 11, self.pg0.sw_if_index, 40)
+ attach_2.add_vpp_config()
+
+ self.send_and_expect(self.pg0, p_1*65, self.pg2)
+
+ #
+ # Attach a policy with priority in the middle
+ #
+ abf_3 = VppAbfPolicy(self, 12, acl_1,
+ [VppRoutePath(self.pg3.remote_ip4,
+ self.pg3.sw_if_index)])
+ abf_3.add_vpp_config()
+ attach_3 = VppAbfAttach(self, 12, self.pg0.sw_if_index, 45)
+ attach_3.add_vpp_config()
+
+ self.send_and_expect(self.pg0, p_1*65, self.pg2)
+
+ #
+ # remove the best priority
+ #
+ attach_2.remove_vpp_config()
+ self.send_and_expect(self.pg0, p_1*65, self.pg3)
+
+ #
+ # Attach one of the same policies to Pg1
+ #
+ attach_4 = VppAbfAttach(self, 12, self.pg1.sw_if_index, 45)
+ attach_4.add_vpp_config()
+
+ p_2 = (Ether(src=self.pg1.remote_mac,
+ dst=self.pg1.local_mac) /
+ IP(src="1.1.1.1", dst="1.1.1.2") /
+ UDP(sport=1234, dport=1234) /
+ Raw('\xa5' * 100))
+ self.send_and_expect(self.pg1, p_2 * 65, self.pg3)
+
+ #
+ # detach the policy from PG1, now expect traffic to be dropped
+ #
+ attach_4.remove_vpp_config()
+
+ self.send_and_assert_no_replies(self.pg1, p_2 * 65, "Detached")
+
+ def test_abf6(self):
+ """ IPv6 ACL Based Forwarding
+ """
+
+ #
+ # Simple test for matching IPv6 packets
+ #
+
+ #
+ # Rule 1
+ #
+ rule_1 = ({'is_permit': 1,
+ 'is_ipv6': 1,
+ 'proto': 17,
+ 'srcport_or_icmptype_first': 1234,
+ 'srcport_or_icmptype_last': 1234,
+ 'src_ip_prefix_len': 128,
+ 'src_ip_addr': inet_pton(AF_INET6, "2001::2"),
+ 'dstport_or_icmpcode_first': 1234,
+ 'dstport_or_icmpcode_last': 1234,
+ 'dst_ip_prefix_len': 128,
+ 'dst_ip_addr': inet_pton(AF_INET6, "2001::1")})
+ acl_1 = self.vapi.acl_add_replace(acl_index=4294967295,
+ r=[rule_1])
+
+ #
+ # ABF policy for ACL 1 - path via interface 1
+ #
+ abf_1 = VppAbfPolicy(self, 10, acl_1,
+ [VppRoutePath("3001::1",
+ 0xffffffff,
+ proto=DpoProto.DPO_PROTO_IP6)])
+ abf_1.add_vpp_config()
+
+ attach_1 = VppAbfAttach(self, 10, self.pg0.sw_if_index,
+ 45, is_ipv6=True)
+ attach_1.add_vpp_config()
+
+ #
+ # a packet matching the rule
+ #
+ p = (Ether(src=self.pg0.remote_mac,
+ dst=self.pg0.local_mac) /
+ IPv6(src="2001::2", dst="2001::1") /
+ UDP(sport=1234, dport=1234) /
+ Raw('\xa5' * 100))
+
+ #
+ # packets are dropped because there is no route to the policy's
+ # next hop
+ #
+ self.send_and_assert_no_replies(self.pg1, p * 65, "no route")
+
+ #
+ # add a route resolving the next-hop
+ #
+ route = VppIpRoute(self, "3001::1", 32,
+ [VppRoutePath(self.pg1.remote_ip6,
+ self.pg1.sw_if_index,
+ proto=DpoProto.DPO_PROTO_IP6)],
+ is_ip6=1)
+ route.add_vpp_config()
+
+ #
+ # now expect packets forwarded.
+ #
+ self.send_and_expect(self.pg0, p * 65, self.pg1)
+
+
+if __name__ == '__main__':
+ unittest.main(testRunner=VppTestRunner)