summaryrefslogtreecommitdiffstats
path: root/test/test_acl_plugin_l2l3.py
AgeCommit message (Collapse)AuthorFilesLines
2018-06-22make test: fix broken interfacesKlement Sekera1-1/+1
Change-Id: I2e092774f81503e04b53cc6c6b5d357fe3fc52ab Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-04-09make test: fix failure on centosKlement Sekera1-1/+1
Change-Id: I1fcc742699a60ef99ce97b35f7b964ee6ad29ddf Signed-off-by: Klement Sekera <ksekera@cisco.com>
2018-03-23acl-plugin: make test: shuffle applied ACLs as part of the testsAndrew Yourtchenko1-1/+79
During the testing of 94f9a6de3f706243d138e05b63fef1d5c8174f6c I realized there was no test coverage for the cases where the ACLs are added then modified while having beein applied. This change adds some simple shuffling to l2l3 ACL test set, whereby after each of the ACLs being applied, a few extra ACLs are applied at the front and the back of the list, and are changed several times, the base for the changes being the set of all the ACEs that are being applied previously. After these few shuffles, the routine restores the applied ACLs and proceeds to the test as usual. Change-Id: Ieda2aa5b7963746d62484e54719309de9c1ee752 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-09-26acl-plugin: test: move the API calls to vpp_papi_provider.pyAndrew Yourtchenko1-61/+25
Change-Id: I1d3818027b8a1fcb1ec12016e3476b5c22a2d5a5 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-06-19acl-plugin: bihash-based ACL lookupAndrew Yourtchenko1-0/+3
Add a bihash-based ACL lookup mechanism and make it a new default. This changes the time required to lookup a 5-tuple match from O(total_N_entries) to O(total_N_mask_types), where "mask type" is an overall mask on the 5-tuple required to represent an ACE. For testing/comparison there is a temporary debug CLI "set acl-plugin use-hash-acl-matching {0|1}", which, when set to 0, makes the plugin use the "old" linear lookup, and when set to 1, makes it use the hash-based lookup. Based on the discussions on vpp-dev mailing list, prevent assigning the ACL index to an interface, when the ACL with that index is not defined, also prevent deleting an ACL if that ACL is applied. Also, for the easier debugging of the state, there are new debug CLI commands to see the ACL plugin state at several layers: "show acl-plugin acl [index N]" - show a high-level ACL representation, used for the linear lookup and as a base for building the hashtable-based lookup. Also shows if a given ACL is applied somewhere. "show acl-plugin interface [sw_if_index N]" - show which interfaces have which ACL(s) applied. "show acl-plugin tables" - a lower-level debug command used to see the state of all of the related data structures at once. There are specifiers possible, which make for a more focused and maybe augmented output: "show acl-plugin tables acl [index N]" show the "bitmask-ready" representations of the ACLs, we well as the mask types and their associated indices. "show acl-plutin tables mask" show the derived mask types and their indices only. "show acl-plugin tables applied [sw_if_index N]" show the table of all of the ACEs applied for a given sw_if_index or all interfaces. "show acl-plugin tables hash [verbose N]" show the 48x8 bihash used for the ACL lookup. Change-Id: I89fff051424cb44bcb189e3cee04c1b8f76efc28 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-04-20Clean up old datapath code in ACL plugin.Andrew Yourtchenko1-48/+0
Change-Id: I3d64d5ced38a68f3fa208be00c49d20c4e6d4d0e Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
2017-04-06acl-plugin: make the IPv4/IPv6 non-first fragment handling in line with ACL ↵Andrew Yourtchenko1-3/+48
(VPP-682) This fixes the previously-implicit "drop all non-first fragments" behavior to be more in line with security rules: a non-first fragment is treated for the purposes of matching the ACL as a packet with the port match succeeding. This allows to change the behavior to permit the fragmented packets for the default "permit specific rules" ruleset, but also gives the flexibility to block the non-initial fragments by inserting into the begining a bogus rule which would deny the L4 traffic. Also, add a knob which allows to potentially turn this behavior off in case of a dire need (and revert to dropping all non-initial fragments), via a debug CLI. Change-Id: I546b372b65ff2157d9c68b1d32f9e644f1dd71b4 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com> (cherry picked from commit 9fc0c26c6b28fd6c8b8142ea52f52eafa7e8c7ac)
2017-03-21ACL plugin 1.2Andrew Yourtchenko1-0/+722
L3 path support, L2+L3 unified processing node, skip IPv6 EH support. Change-Id: Iac37a466ba1c035e5c2997b03c0743bfec5c9a08 Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>