summaryrefslogtreecommitdiffstats
path: root/test/test_gbp.py
diff options
context:
space:
mode:
authorNeale Ranns <neale.ranns@cisco.com>2018-02-05 01:13:38 -0800
committerDamjan Marion <dmarion.lists@gmail.com>2018-02-09 13:17:54 +0000
commitbc27d1be24815e1371dcce3bff2d3075a532acba (patch)
treec17db02fefb19ce593de5ddb2444f4c97e074492 /test/test_gbp.py
parentef56fae51a8683ec6ceeb01e1374cde2ba30c1e5 (diff)
GBP plugin
Group Base Policy (GBP) defines: - endpoints: typically a VM or container that is connected to the virtual switch/router (i.e. to VPP) - endpoint-group: (EPG) a collection of endpoints - policy: rules determining which traffic can pass between EPGs a.k.a a 'contract' Here, policy is implemented via an ACL. EPG classification for transit packets is determined by: - source EPG: from the packet's input interface - destination EPG: from the packet's destination IP address. Change-Id: I7b983844826b5fc3d49e21353ebda9df9b224e25 Signed-off-by: Neale Ranns <neale.ranns@cisco.com>
Diffstat (limited to 'test/test_gbp.py')
-rw-r--r--test/test_gbp.py369
1 files changed, 369 insertions, 0 deletions
diff --git a/test/test_gbp.py b/test/test_gbp.py
new file mode 100644
index 00000000000..427b14de506
--- /dev/null
+++ b/test/test_gbp.py
@@ -0,0 +1,369 @@
+#!/usr/bin/env python
+
+import unittest
+import socket
+import struct
+
+from framework import VppTestCase, VppTestRunner
+from vpp_object import VppObject
+
+from scapy.packet import Raw
+from scapy.layers.l2 import Ether
+from scapy.layers.inet import IP, UDP
+from scapy.layers.inet6 import IPv6
+
+from socket import AF_INET, AF_INET6
+from scapy.utils import inet_pton
+
+
+class VppGbpEndpoint(VppObject):
+ """
+ GDB Endpoint
+ """
+
+ def __init__(self, test, sw_if_index, addr, epg, is_ip6=0):
+ self._test = test
+ self.sw_if_index = sw_if_index
+ self.epg = epg
+ self.addr_p = addr
+ self.is_ip6 = is_ip6
+ if is_ip6:
+ self.addr = inet_pton(AF_INET6, addr)
+ else:
+ self.addr = inet_pton(AF_INET, addr)
+
+ def add_vpp_config(self):
+ self._test.vapi.gbp_endpoint_add_del(
+ 1,
+ self.sw_if_index,
+ self.addr,
+ self.is_ip6,
+ self.epg)
+ self._test.registry.register(self, self._test.logger)
+
+ def remove_vpp_config(self):
+ self._test.vapi.gbp_endpoint_add_del(
+ 0,
+ self.sw_if_index,
+ self.addr,
+ self.is_ip6,
+ self.epg)
+
+ def __str__(self):
+ return self.object_id()
+
+ def object_id(self):
+ return "gbp-endpoint;[%d:%s:%d]" % (self.sw_if_index,
+ self.addr_p,
+ self.epg)
+
+ def query_vpp_config(self):
+ eps = self._test.vapi.gbp_endpoint_dump()
+ for ep in eps:
+ if ep.endpoint.address == self.addr \
+ and ep.endpoint.sw_if_index == self.sw_if_index:
+ return True
+ return False
+
+
+class VppGbpContract(VppObject):
+ """
+ GDB Contract
+ """
+
+ def __init__(self, test, src_epg, dst_epg, acl_index):
+ self._test = test
+ self.acl_index = acl_index
+ self.src_epg = src_epg
+ self.dst_epg = dst_epg
+
+ def add_vpp_config(self):
+ self._test.vapi.gbp_contract_add_del(
+ 1,
+ self.src_epg,
+ self.dst_epg,
+ self.acl_index)
+ self._test.registry.register(self, self._test.logger)
+
+ def remove_vpp_config(self):
+ self._test.vapi.gbp_contract_add_del(
+ 0,
+ self.src_epg,
+ self.dst_epg,
+ self.acl_index)
+
+ def __str__(self):
+ return self.object_id()
+
+ def object_id(self):
+ return "gbp-contract;[%d:%s:%d]" % (self.src_epg,
+ self.dst_epg,
+ self.acl_index)
+
+ def query_vpp_config(self):
+ eps = self._test.vapi.gbp_contract_dump()
+ for ep in eps:
+ if ep.contract.src_epg == self.src_epg \
+ and ep.contract.dst_epg == self.dst_epg:
+ return True
+ return False
+
+
+class TestGBP(VppTestCase):
+ """ GBP Test Case """
+
+ def setUp(self):
+ super(TestGBP, self).setUp()
+
+ # create 6 pg interfaces for pg0 to pg5
+ self.create_pg_interfaces(range(6))
+
+ for i in self.pg_interfaces:
+ i.admin_up()
+ i.config_ip4()
+ i.resolve_arp()
+ i.config_ip6()
+ i.resolve_ndp()
+
+ def tearDown(self):
+ for i in self.pg_interfaces:
+ i.unconfig_ip4()
+ i.unconfig_ip6()
+
+ super(TestGBP, self).tearDown()
+
+ def test_gbp4(self):
+ """ Group Based Policy v4 """
+
+ ep1 = VppGbpEndpoint(self,
+ self.pg0.sw_if_index,
+ self.pg0.remote_ip4,
+ 220)
+ ep1.add_vpp_config()
+ ep2 = VppGbpEndpoint(self,
+ self.pg1.sw_if_index,
+ self.pg1.remote_ip4,
+ 220)
+ ep2.add_vpp_config()
+
+ ep3 = VppGbpEndpoint(self,
+ self.pg2.sw_if_index,
+ self.pg2.remote_ip4,
+ 221)
+ ep3.add_vpp_config()
+ ep4 = VppGbpEndpoint(self,
+ self.pg3.sw_if_index,
+ self.pg3.remote_ip4,
+ 222)
+ ep4.add_vpp_config()
+
+ self.logger.info(self.vapi.cli("sh gbp endpoint"))
+
+ #
+ # in the abscense of policy, endpoints in the same EPG
+ # can communicate
+ #
+ pkt_intra_epg = (Ether(src=self.pg0.remote_mac,
+ dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4,
+ dst=self.pg1.remote_ip4) /
+ UDP(sport=1234, dport=1234) /
+ Raw('\xa5' * 100))
+
+ self.send_and_expect(self.pg0, pkt_intra_epg * 65, self.pg1)
+
+ #
+ # in the abscense of policy, endpoints in the different EPG
+ # cannot communicate
+ #
+ pkt_inter_epg_220_to_221 = (Ether(src=self.pg0.remote_mac,
+ dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4,
+ dst=self.pg2.remote_ip4) /
+ UDP(sport=1234, dport=1234) /
+ Raw('\xa5' * 100))
+ pkt_inter_epg_220_to_222 = (Ether(src=self.pg0.remote_mac,
+ dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4,
+ dst=self.pg3.remote_ip4) /
+ UDP(sport=1234, dport=1234) /
+ Raw('\xa5' * 100))
+ pkt_inter_epg_221_to_220 = (Ether(src=self.pg2.remote_mac,
+ dst=self.pg2.local_mac) /
+ IP(src=self.pg2.remote_ip4,
+ dst=self.pg0.remote_ip4) /
+ UDP(sport=1234, dport=1234) /
+ Raw('\xa5' * 100))
+
+ self.send_and_assert_no_replies(self.pg0,
+ pkt_inter_epg_220_to_221 * 65)
+ self.send_and_assert_no_replies(self.pg0,
+ pkt_inter_epg_221_to_220 * 65)
+
+ #
+ # A uni-directional contract from EPG 220 -> 221
+ #
+ c1 = VppGbpContract(self, 220, 221, 0xffffffff)
+ c1.add_vpp_config()
+
+ self.send_and_expect(self.pg0,
+ pkt_inter_epg_220_to_221 * 65,
+ self.pg2)
+ self.send_and_assert_no_replies(self.pg2,
+ pkt_inter_epg_221_to_220 * 65)
+
+ #
+ # contract for the return direction
+ #
+ c2 = VppGbpContract(self, 221, 220, 0xffffffff)
+ c2.add_vpp_config()
+
+ self.send_and_expect(self.pg0,
+ pkt_inter_epg_220_to_221 * 65,
+ self.pg2)
+ self.send_and_expect(self.pg2,
+ pkt_inter_epg_221_to_220 * 65,
+ self.pg0)
+
+ #
+ # check that inter group is still disabled for the groups
+ # not in the contract.
+ #
+ self.send_and_assert_no_replies(self.pg0,
+ pkt_inter_epg_220_to_222 * 65)
+
+ self.logger.info(self.vapi.cli("sh gbp contract"))
+
+ #
+ # remove both contracts, traffic stops in both directions
+ #
+ c2.remove_vpp_config()
+ c1.remove_vpp_config()
+
+ self.send_and_assert_no_replies(self.pg2,
+ pkt_inter_epg_221_to_220 * 65)
+ self.send_and_assert_no_replies(self.pg0,
+ pkt_inter_epg_220_to_221 * 65)
+ self.send_and_expect(self.pg0, pkt_intra_epg * 65, self.pg1)
+
+ def test_gbp6(self):
+ """ Group Based Policy v6 """
+
+ ep1 = VppGbpEndpoint(self,
+ self.pg0.sw_if_index,
+ self.pg0.remote_ip6,
+ 220,
+ is_ip6=1)
+ ep1.add_vpp_config()
+ ep2 = VppGbpEndpoint(self,
+ self.pg1.sw_if_index,
+ self.pg1.remote_ip6,
+ 220,
+ is_ip6=1)
+ ep2.add_vpp_config()
+
+ ep3 = VppGbpEndpoint(self,
+ self.pg2.sw_if_index,
+ self.pg2.remote_ip6,
+ 221,
+ is_ip6=1)
+ ep3.add_vpp_config()
+ ep4 = VppGbpEndpoint(self,
+ self.pg3.sw_if_index,
+ self.pg3.remote_ip6,
+ 222,
+ is_ip6=1)
+ ep4.add_vpp_config()
+
+ self.logger.info(self.vapi.cli("sh gbp endpoint"))
+
+ #
+ # in the abscense of policy, endpoints in the same EPG
+ # can communicate
+ #
+ pkt_intra_epg = (Ether(src=self.pg0.remote_mac,
+ dst=self.pg0.local_mac) /
+ IPv6(src=self.pg0.remote_ip6,
+ dst=self.pg1.remote_ip6) /
+ UDP(sport=1234, dport=1234) /
+ Raw('\xa5' * 100))
+
+ self.send_and_expect(self.pg0, pkt_intra_epg * 65, self.pg1)
+
+ #
+ # in the abscense of policy, endpoints in the different EPG
+ # cannot communicate
+ #
+ pkt_inter_epg_220_to_221 = (Ether(src=self.pg0.remote_mac,
+ dst=self.pg0.local_mac) /
+ IPv6(src=self.pg0.remote_ip6,
+ dst=self.pg2.remote_ip6) /
+ UDP(sport=1234, dport=1234) /
+ Raw('\xa5' * 100))
+ pkt_inter_epg_220_to_222 = (Ether(src=self.pg0.remote_mac,
+ dst=self.pg0.local_mac) /
+ IPv6(src=self.pg0.remote_ip6,
+ dst=self.pg3.remote_ip6) /
+ UDP(sport=1234, dport=1234) /
+ Raw('\xa5' * 100))
+ pkt_inter_epg_221_to_220 = (Ether(src=self.pg2.remote_mac,
+ dst=self.pg2.local_mac) /
+ IPv6(src=self.pg2.remote_ip6,
+ dst=self.pg0.remote_ip6) /
+ UDP(sport=1234, dport=1234) /
+ Raw('\xa5' * 100))
+
+ self.send_and_assert_no_replies(self.pg0,
+ pkt_inter_epg_220_to_221 * 65)
+ self.send_and_assert_no_replies(self.pg0,
+ pkt_inter_epg_221_to_220 * 65)
+
+ #
+ # A uni-directional contract from EPG 220 -> 221
+ #
+ c1 = VppGbpContract(self, 220, 221, 0xffffffff)
+ c1.add_vpp_config()
+
+ self.send_and_expect(self.pg0,
+ pkt_inter_epg_220_to_221 * 65,
+ self.pg2)
+ self.send_and_assert_no_replies(self.pg2,
+ pkt_inter_epg_221_to_220 * 65)
+
+ #
+ # contract for the return direction
+ #
+ c2 = VppGbpContract(self, 221, 220, 0xffffffff)
+ c2.add_vpp_config()
+
+ self.send_and_expect(self.pg0,
+ pkt_inter_epg_220_to_221 * 65,
+ self.pg2)
+ self.send_and_expect(self.pg2,
+ pkt_inter_epg_221_to_220 * 65,
+ self.pg0)
+
+ #
+ # check that inter group is still disabled for the groups
+ # not in the contract.
+ #
+ self.send_and_assert_no_replies(self.pg0,
+ pkt_inter_epg_220_to_222 * 65)
+
+ self.logger.info(self.vapi.cli("sh gbp contract"))
+
+ #
+ # remove both contracts, traffic stops in both directions
+ #
+ c2.remove_vpp_config()
+ c1.remove_vpp_config()
+
+ self.send_and_assert_no_replies(self.pg2,
+ pkt_inter_epg_221_to_220 * 65)
+ self.send_and_assert_no_replies(self.pg0,
+ pkt_inter_epg_220_to_221 * 65)
+ self.send_and_expect(self.pg0, pkt_intra_epg * 65, self.pg1)
+
+
+if __name__ == '__main__':
+ unittest.main(testRunner=VppTestRunner)