summaryrefslogtreecommitdiffstats
path: root/test/test_acl_plugin.py
AgeCommit message (Collapse)AuthorFilesLines
2018-10-14acl-plugin: make each test in test_acl_plugin runnable separatelyAndrew Yourtchenko1-36/+75
And improve the robustness of the ethertype whitelist test coverage Change-Id: I64fe3a25208dbc619ae5cd6404f6122e69394a38 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-06-25make test: fix broken interfaces #2Klement Sekera1-1/+1
Change-Id: I9d5b5d925fd2c09a1113fc51e433a16d729a241b Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-04-10test: Fix issues with new version of pycodestyle (VPP-1232)Chris Luke1-1/+2
- Ignore warnings W504 (newline after binary operator) which otherwise occurs a significant number of times. - Fix two instances of lines >79 chars. Change-Id: I8cef56f8afc237187995e638e610c8c0554e2bb5 Signed-off-by: Chris Luke <chrisy@flirble.org>
2018-03-23acl-plugin: make test: add a test which deletes an interface with applied ACLAndrew Yourtchenko1-0/+39
There was no test coverage for a scenario of an interface having an ACL and that interface being deleted. Add a basic sanity test which applies an ACL to an interface and then deletes that interface. Change-Id: Ib6462e02cf69f1173125ac2481c608f68eb389ac Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2018-02-08acl-plugin: add whitelisted ethertype mode (VPP-1163)Andrew Yourtchenko1-7/+93
Currently, ACL plugin largely does not care about the ethertypes other than 0x0800 (IPv4) and 0x86dd (IPv6), the only exception being 0x0806 (ARP), which is dealt with by the MACIP ACLs. The other ethertypes in L2 mode are just let through. This adds a new API message acl_interface_set_etype_whitelist, which allows to flip the mode of a given interface into "ethertype whitelist mode": the caller of this message must supply the two lists (inbound and outbound) of the ethertypes that are to be permitted, the rest of the ethertypes are dropped. The whitelisting for a given interface and direction takes effect only when a policy ACL is also applied. This operates on the same classifier node as the one used for dispatching the policy ACL, thus, if one wishes for most of the reasonable IPv4 deployments to continue to operate within the whitelist mode, they must permit ARP ethertype (0x0806) The empty list for a given direction resets the processing to allow the unknown ethertypes. So, if one wants to just permit the IPv4 and IPv6 and nothing else, one can add their ethertypes to the whitelist. Add the "show acl-plugin interface" corresponding outputs about the whitelists, vat command, and unittests. Change-Id: I4659978c801f36d554b6615e56e424b77876662c Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-11-11ACLs: Use better error return codes than "-1" everywhere.Jon Loeliger1-5/+5
Added two new errors: ACL_IN_USE_INBOUND ACL_IN_USE_OUTBOUND Update ACL tests to expect new, precise return values. Change-Id: I644861a18aa5b70cce5f451dd6655641160c7697 Signed-off-by: Jon Loeliger <jdl@netgate.com>
2017-11-10make test: automatically seed random generatorKlement Sekera1-2/+0
Change-Id: I286b61d41cc2b557de3eb8801ff95c643f680acd Signed-off-by: Klement Sekera <ksekera@cisco.com>
2017-10-25VPP-1033: Python API support arbitrary sized input parameters.Ole Troan1-2/+2
Dynamically calculate the required buffer size to pack into based on message definition. Also add input parameter length checking. Change-Id: I7633bec596e4833bb328fbf63a65b866c7985de5 Signed-off-by: Ole Troan <ot@cisco.com>
2017-09-27acl-plugin: take 2 at VPP-991 fix, this time with a test case which verifies it.Andrew Yourtchenko1-1/+30
The replacement of [] with pool_elt_at_index and subsequent fixing it was incorrect - it was equivalent to &[], since it returns a pointer to the element. I've added VPP-993 previously to create a testcase, so this commit partially fulfills that one as well. Change-Id: I5b15e3ce48316f0429232aacf885e8f7c63d9522 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-09-26acl-plugin: test: move the API calls to vpp_papi_provider.pyAndrew Yourtchenko1-49/+15
Change-Id: I1d3818027b8a1fcb1ec12016e3476b5c22a2d5a5 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-09-07acl-plugin: match index set to first portrange element if non-first ↵Andrew Yourtchenko1-0/+191
portrange matches on the same hash key (VPP-937) Multiple portranges that land on the same hash key will always report the match on the first portrange - even when the subsequent portranges have matched. Test escape, so make a corresponding test case and fix the code so it passes. (the commit on stable/1707 has erroneously mentioned VPP-938 jira ticket) Change-Id: Idbeb8a122252ead2468f5f9dbaf72cf0e8bb78f1 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit fb088f0a201270e949469c915c529d75ad13353e) Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-19acl-plugin: bihash-based ACL lookupAndrew Yourtchenko1-0/+3
Add a bihash-based ACL lookup mechanism and make it a new default. This changes the time required to lookup a 5-tuple match from O(total_N_entries) to O(total_N_mask_types), where "mask type" is an overall mask on the 5-tuple required to represent an ACE. For testing/comparison there is a temporary debug CLI "set acl-plugin use-hash-acl-matching {0|1}", which, when set to 0, makes the plugin use the "old" linear lookup, and when set to 1, makes it use the hash-based lookup. Based on the discussions on vpp-dev mailing list, prevent assigning the ACL index to an interface, when the ACL with that index is not defined, also prevent deleting an ACL if that ACL is applied. Also, for the easier debugging of the state, there are new debug CLI commands to see the ACL plugin state at several layers: "show acl-plugin acl [index N]" - show a high-level ACL representation, used for the linear lookup and as a base for building the hashtable-based lookup. Also shows if a given ACL is applied somewhere. "show acl-plugin interface [sw_if_index N]" - show which interfaces have which ACL(s) applied. "show acl-plugin tables" - a lower-level debug command used to see the state of all of the related data structures at once. There are specifiers possible, which make for a more focused and maybe augmented output: "show acl-plugin tables acl [index N]" show the "bitmask-ready" representations of the ACLs, we well as the mask types and their associated indices. "show acl-plutin tables mask" show the derived mask types and their indices only. "show acl-plugin tables applied [sw_if_index N]" show the table of all of the ACEs applied for a given sw_if_index or all interfaces. "show acl-plugin tables hash [verbose N]" show the 48x8 bihash used for the ACL lookup. Change-Id: I89fff051424cb44bcb189e3cee04c1b8f76efc28 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-04-18ACL-plugin does not match UDP next-header, VPP-687Pavel Kotucek1-7/+79
Change-Id: Ide4f9bd6158fb64d069540fb43f4e593e39d6ff3 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>
2017-04-06acl-plugin: make the IPv4/IPv6 non-first fragment handling in line with ACL ↵Andrew Yourtchenko1-6/+43
(VPP-682) This fixes the previously-implicit "drop all non-first fragments" behavior to be more in line with security rules: a non-first fragment is treated for the purposes of matching the ACL as a packet with the port match succeeding. This allows to change the behavior to permit the fragmented packets for the default "permit specific rules" ruleset, but also gives the flexibility to block the non-initial fragments by inserting into the begining a bogus rule which would deny the L4 traffic. Also, add a knob which allows to potentially turn this behavior off in case of a dire need (and revert to dropping all non-initial fragments), via a debug CLI. Change-Id: I546b372b65ff2157d9c68b1d32f9e644f1dd71b4 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 9fc0c26c6b28fd6c8b8142ea52f52eafa7e8c7ac)
2017-03-13ACL plugin rejects ICMP messages (VPP-624)Pavel Kotucek1-0/+1015
Change-Id: I95113a277b94cce5ff332fcf9f57ec6f385acec0 Signed-off-by: Pavel Kotucek <pkotucek@cisco.com>