aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/urpf
diff options
context:
space:
mode:
Diffstat (limited to 'src/plugins/urpf')
-rw-r--r--src/plugins/urpf/test/test_urpf.py305
1 files changed, 0 insertions, 305 deletions
diff --git a/src/plugins/urpf/test/test_urpf.py b/src/plugins/urpf/test/test_urpf.py
deleted file mode 100644
index 8f4e563f8bc..00000000000
--- a/src/plugins/urpf/test/test_urpf.py
+++ /dev/null
@@ -1,305 +0,0 @@
-#!/usr/bin/env python3
-
-import unittest
-
-from framework import VppTestCase, VppTestRunner
-
-from scapy.packet import Raw
-from scapy.layers.l2 import Ether
-from scapy.layers.inet import IP, UDP, ICMP
-from scapy.layers.inet6 import IPv6
-
-from vpp_papi import VppEnum
-
-N_PKTS = 63
-
-
-class TestURPF(VppTestCase):
- """ Unicast Reverse Path Forwarding Test Case """
-
- @classmethod
- def setUpClass(cls):
- super(TestURPF, cls).setUpClass()
-
- @classmethod
- def tearDownClass(cls):
- super(TestURPF, cls).tearDownClass()
-
- def setUp(self):
- super(TestURPF, self).setUp()
-
- # create 4 pg interfaces so there are a few addresses
- # in the FIB
- self.create_pg_interfaces(range(4))
-
- for i in self.pg_interfaces:
- i.admin_up()
- i.config_ip4()
- i.resolve_arp()
- i.config_ip6()
- i.resolve_ndp()
-
- def tearDown(self):
- for i in self.pg_interfaces:
- i.unconfig_ip4()
- i.unconfig_ip6()
- i.admin_down()
- super(TestURPF, self).tearDown()
-
- def test_urpf4(self):
- """ uRPF IP4 """
-
- e = VppEnum
- p_spoof_loose = (Ether(dst=self.pg0.local_mac,
- src=self.pg0.remote_mac) /
- IP(src="3.3.3.3", dst=self.pg1.remote_ip4) /
- UDP(sport=1234, dport=1234) /
- Raw(b'\xa5' * 100)) * N_PKTS
- p_spoof_strict = (Ether(dst=self.pg0.local_mac,
- src=self.pg0.remote_mac) /
- IP(src=self.pg2.remote_ip4,
- dst=self.pg1.remote_ip4) /
- UDP(sport=1234, dport=1234) /
- Raw(b'\xa5' * 100)) * N_PKTS
- p_good = (Ether(dst=self.pg0.local_mac,
- src=self.pg0.remote_mac) /
- IP(src=self.pg0.remote_ip4,
- dst=self.pg1.remote_ip4) /
- UDP(sport=1234, dport=1234) /
- Raw(b'\xa5' * 100)) * N_PKTS
-
- #
- # before adding the uRPF, ensure all packets are forwarded
- #
- self.send_and_expect(self.pg0, p_good, self.pg1)
- self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
- self.send_and_expect(self.pg0, p_spoof_loose, self.pg1)
-
- #
- # apply loose uRPF check on pg0 rx
- #
- self.vapi.urpf_update(is_input=True,
- mode=e.vl_api_urpf_mode_t.URPF_API_MODE_LOOSE,
- af=e.vl_api_address_family_t.ADDRESS_IP4,
- sw_if_index=self.pg0.sw_if_index)
-
- # good packets still pass
- self.send_and_expect(self.pg0, p_good, self.pg1)
- # packets from address for which there is a route are forwarded
- self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
- # packets from address to which there is no route are dropped
- self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
-
- self.assert_error_counter_equal("/err/ip4-rx-urpf-loose/uRPF Drop",
- N_PKTS)
-
- #
- # crank it up to strict mode
- #
- self.vapi.urpf_update(is_input=True,
- mode=e.vl_api_urpf_mode_t.URPF_API_MODE_STRICT,
- af=e.vl_api_address_family_t.ADDRESS_IP4,
- sw_if_index=self.pg0.sw_if_index)
-
- # good packets still pass
- self.send_and_expect(self.pg0, p_good, self.pg1)
- # packets that would not be routed back thru pg0 are dropped
- self.send_and_assert_no_replies(self.pg0, p_spoof_strict)
- self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
-
- self.assert_error_counter_equal("/err/ip4-rx-urpf-strict/uRPF Drop",
- 2 * N_PKTS)
-
- #
- # disable uRPF, all traffic should pass
- #
- self.vapi.urpf_update(is_input=True,
- mode=e.vl_api_urpf_mode_t.URPF_API_MODE_OFF,
- af=e.vl_api_address_family_t.ADDRESS_IP4,
- sw_if_index=self.pg0.sw_if_index)
-
- self.send_and_expect(self.pg0, p_good, self.pg1)
- self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
- self.send_and_expect(self.pg0, p_spoof_loose, self.pg1)
-
- #
- # Now apply in the TX direction
- # for loose it is the same deal, they should not be forwarded
- # if there's no route
- # for strict they should not be forwarded if they would be
- # forwarded thru that interface.
- #
- self.vapi.urpf_update(is_input=False,
- mode=e.vl_api_urpf_mode_t.URPF_API_MODE_LOOSE,
- af=e.vl_api_address_family_t.ADDRESS_IP4,
- sw_if_index=self.pg1.sw_if_index)
-
- self.send_and_expect(self.pg0, p_good, self.pg1)
- self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
- self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
-
- self.assert_error_counter_equal("/err/ip4-tx-urpf-loose/uRPF Drop",
- N_PKTS)
-
- self.vapi.urpf_update(is_input=False,
- mode=e.vl_api_urpf_mode_t.URPF_API_MODE_STRICT,
- af=e.vl_api_address_family_t.ADDRESS_IP4,
- sw_if_index=self.pg1.sw_if_index)
-
- self.send_and_expect(self.pg0, p_good, self.pg1)
- # the strict packet, from a peer is allowed, since it does
- # not forward via pg1
- self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
- self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
-
- self.assert_error_counter_equal("/err/ip4-tx-urpf-strict/uRPF Drop",
- N_PKTS)
-
- # change the strict packet so that it would forward through pg1
- p_spoof_strict = (Ether(dst=self.pg0.local_mac,
- src=self.pg0.remote_mac) /
- IP(src=self.pg1.remote_ip4,
- dst=self.pg1.remote_ip4) /
- UDP(sport=1234, dport=1234) /
- Raw(b'\xa5' * 100)) * N_PKTS
-
- self.send_and_assert_no_replies(self.pg0, p_spoof_strict)
- self.assert_error_counter_equal("/err/ip4-tx-urpf-strict/uRPF Drop",
- 2 * N_PKTS)
-
- # cleanup
- self.vapi.urpf_update(is_input=False,
- mode=e.vl_api_urpf_mode_t.URPF_API_MODE_OFF,
- af=e.vl_api_address_family_t.ADDRESS_IP4,
- sw_if_index=self.pg1.sw_if_index)
-
- def test_urpf6(self):
- """ uRPF IP6 """
-
- e = VppEnum
- p_spoof_loose = (Ether(dst=self.pg0.local_mac,
- src=self.pg0.remote_mac) /
- IPv6(src="3::3", dst=self.pg1.remote_ip6) /
- UDP(sport=1236, dport=1236) /
- Raw(b'\xa5' * 100)) * N_PKTS
- p_spoof_strict = (Ether(dst=self.pg0.local_mac,
- src=self.pg0.remote_mac) /
- IPv6(src=self.pg2.remote_ip6,
- dst=self.pg1.remote_ip6) /
- UDP(sport=1236, dport=1236) /
- Raw(b'\xa5' * 100)) * N_PKTS
- p_good = (Ether(dst=self.pg0.local_mac,
- src=self.pg0.remote_mac) /
- IPv6(src=self.pg0.remote_ip6,
- dst=self.pg1.remote_ip6) /
- UDP(sport=1236, dport=1236) /
- Raw(b'\xa5' * 100)) * N_PKTS
-
- #
- # before adding the uRPF, ensure all packets are forwarded
- #
- self.send_and_expect(self.pg0, p_good, self.pg1)
- self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
- self.send_and_expect(self.pg0, p_spoof_loose, self.pg1)
-
- #
- # apply loose uRPF check on pg0 rx
- #
- self.vapi.urpf_update(is_input=True,
- mode=e.vl_api_urpf_mode_t.URPF_API_MODE_LOOSE,
- af=e.vl_api_address_family_t.ADDRESS_IP6,
- sw_if_index=self.pg0.sw_if_index)
-
- # good packets still pass
- self.send_and_expect(self.pg0, p_good, self.pg1)
- # packets from address for which there is a route are forwarded
- self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
- # packets from address to which there is no route are dropped
- self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
-
- self.assert_error_counter_equal("/err/ip6-rx-urpf-loose/uRPF Drop",
- N_PKTS)
-
- #
- # crank it up to strict mode
- #
- self.vapi.urpf_update(is_input=True,
- mode=e.vl_api_urpf_mode_t.URPF_API_MODE_STRICT,
- af=e.vl_api_address_family_t.ADDRESS_IP6,
- sw_if_index=self.pg0.sw_if_index)
-
- # good packets still pass
- self.send_and_expect(self.pg0, p_good, self.pg1)
- # packets that would not be routed back thru pg0 are dropped
- self.send_and_assert_no_replies(self.pg0, p_spoof_strict)
- self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
-
- self.assert_error_counter_equal("/err/ip6-rx-urpf-strict/uRPF Drop",
- 2 * N_PKTS)
-
- #
- # disable uRPF, all traffic should pass
- #
- self.vapi.urpf_update(is_input=True,
- mode=e.vl_api_urpf_mode_t.URPF_API_MODE_OFF,
- af=e.vl_api_address_family_t.ADDRESS_IP6,
- sw_if_index=self.pg0.sw_if_index)
-
- self.send_and_expect(self.pg0, p_good, self.pg1)
- self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
- self.send_and_expect(self.pg0, p_spoof_loose, self.pg1)
-
- #
- # Now apply in the TX direction
- # for loose it is the same deal, they should not be forwarded
- # if there's no route
- # for strict they should not be forwarded if they would be
- # forwarded thru that interface.
- #
- self.vapi.urpf_update(is_input=False,
- mode=e.vl_api_urpf_mode_t.URPF_API_MODE_LOOSE,
- af=e.vl_api_address_family_t.ADDRESS_IP6,
- sw_if_index=self.pg1.sw_if_index)
-
- self.send_and_expect(self.pg0, p_good, self.pg1)
- self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
- self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
-
- self.assert_error_counter_equal("/err/ip6-tx-urpf-loose/uRPF Drop",
- N_PKTS)
-
- self.vapi.urpf_update(is_input=False,
- mode=e.vl_api_urpf_mode_t.URPF_API_MODE_STRICT,
- af=e.vl_api_address_family_t.ADDRESS_IP6,
- sw_if_index=self.pg1.sw_if_index)
-
- self.send_and_expect(self.pg0, p_good, self.pg1)
- # the strict packet, from a peer is allowed, since it does
- # not forward via pg1
- self.send_and_expect(self.pg0, p_spoof_strict, self.pg1)
- self.send_and_assert_no_replies(self.pg0, p_spoof_loose)
-
- self.assert_error_counter_equal("/err/ip6-tx-urpf-strict/uRPF Drop",
- N_PKTS)
-
- # change the strict packet so that it would forward through pg1
- p_spoof_strict = (Ether(dst=self.pg0.local_mac,
- src=self.pg0.remote_mac) /
- IPv6(src=self.pg1.remote_ip6,
- dst=self.pg1.remote_ip6) /
- UDP(sport=1236, dport=1236) /
- Raw(b'\xa5' * 100)) * N_PKTS
-
- self.send_and_assert_no_replies(self.pg0, p_spoof_strict)
- self.assert_error_counter_equal("/err/ip6-tx-urpf-strict/uRPF Drop",
- 2 * N_PKTS)
-
- # cleanup
- self.vapi.urpf_update(is_input=False,
- mode=e.vl_api_urpf_mode_t.URPF_API_MODE_OFF,
- af=e.vl_api_address_family_t.ADDRESS_IP6,
- sw_if_index=self.pg1.sw_if_index)
-
-
-if __name__ == '__main__':
- unittest.main(testRunner=VppTestRunner)