Ejemplo n.º 1
0
def test_vlan_id_filter():
    print 'Creating ACL table'
    table_id = nas_acl.create_table('INGRESS', 100,
                                    ['OUTER_VLAN_ID', 'INNER_VLAN_ID'])
    print 'Table ID: %d' % table_id
    print 'Creating ACL entry'
    entry_id_1 = nas_acl.create_entry(table_id, 1, {
        'OUTER_VLAN_ID': {
            'data': 0
        },
        'INNER_VLAN_ID': {
            'data': 0
        }
    }, {'PACKET_ACTION': 'DROP'})
    print 'Entry ID: %d' % entry_id_1
    entry_id_2 = nas_acl.create_entry(table_id, 2, {
        'OUTER_VLAN_ID': {
            'data': 100
        },
        'INNER_VLAN_ID': {
            'data': 200
        }
    }, {'PACKET_ACTION': 'DROP'})
    print 'Entry ID: %d' % entry_id_2

    nas_acl.print_entry(table_id)

    print 'Deleting ACL entry'
    nas_acl.delete_entry(table_id, entry_id_1)
    nas_acl.delete_entry(table_id, entry_id_2)
    print 'Deleting ACL table'
    nas_acl.delete_table(table_id)
Ejemplo n.º 2
0
def __create_entry():
    _entry = __find_entry()
    if _entry != None:
        print('Exists already')
        return
    _table = __create_table()
    _id = _table.extract_id()
    _prio = _args['entry_prio']
    _filters = {}

    if _args['entry_sipv4'] != None:
        _filters['SRC_IP'] = {
            'addr': _args['entry_sipv4'],
            'mask': _args['entry_smask4']
        }
    if _args['entry_sport'] != None:
        _filters['L4_SRC_PORT'] = _args['entry_sport']

    _actions = {}
    if _args['entry_action'] != None:
        _actions = {'PACKET_ACTION': _args['entry_action']}

    if len(_filters) == 0 or len(_actions) == 0:
        print("Incomplete entry parameters")
        sys.exit(1)

    _res = nas_acl.create_entry(_id, _prio, _filters, _actions)
    print _res
Ejemplo n.º 3
0
def test_update_entry_action():
    print 'Creating ACL table'
    table_id = nas_acl.create_table('INGRESS', 100, ['IN_INTF'])
    print 'Table ID: %d' % table_id
    print 'Creating ACL entry'
    entry_id = nas_acl.create_entry(table_id, 1, {'IN_INTF': 'e101-001-0'},
                                    {'PACKET_ACTION': 'DROP'})
    print 'Entry ID: %d' % entry_id
    print 'Trying to set user trap ID with drop action (expected fail)'
    with pytest.raises(RuntimeError):
        nas_acl.replace_entry_action_list(table_id, entry_id, {
            'PACKET_ACTION': 'DROP',
            'SET_USER_TRAP_ID': 2
        })
    nas_acl.print_entry(table_id, entry_id)
    print 'Trying to set user trap ID with trap to CPU action'
    try:
        nas_acl.replace_entry_action_list(table_id, entry_id, {
            'PACKET_ACTION': 'TRAP_TO_CPU',
            'SET_USER_TRAP_ID': 2
        })
    except RuntimeError:
        assert False
    nas_acl.print_entry(table_id, entry_id)
    print 'Restoring ACL entry actions'
    try:
        nas_acl.replace_entry_action_list(table_id, entry_id,
                                          {'PACKET_ACTION': 'DROP'})
    except RuntimeError:
        assert False
    nas_acl.print_entry(table_id, entry_id)
    print 'Deleting ACL entry'
    nas_acl.delete_entry(table_id, entry_id)
    print 'Deleting ACL table'
    nas_acl.delete_table(table_id)
Ejemplo n.º 4
0
def acl_ut_entry_create(table_id, prio=None, counter_id=None):
    global total, passed
    total.append(sys._getframe().f_code.co_name)
    filters = {
        'SRC_IP': {'addr': '23.0.0.1', 'mask': '255.0.0.255'},
        'SRC_MAC': '01:80:c2:00:00:05',
        'IPV6_FLOW_LABEL': 34456,
        'TCP_FLAGS': {'data': '0x17', 'mask': '0x3f'},
        'ECN': {'data': '0x2', 'mask': '0x2'},
        'IP_TYPE': 'IP',
        'IN_PORTS': [a_utl.get_if_name(2), a_utl.get_if_name(3)],
    }

    actions = {
        'SET_SRC_MAC': '01:00:79:08:78:BC',
        'PACKET_ACTION': 'COPY_TO_CPU',
        'REDIRECT_PORT': a_utl.get_if_name(4),
    }
    if (counter_id):
        actions['SET_COUNTER'] = counter_id

    global meter_id
    try:
        meter_id, meter_opaque = a_utl.qos_meter_create(
            m_type='BYTE', cir=300000,
            cbs=800000, pbs=900000)
    except:
        print "Meter install Failed"
        return

    actions['SET_POLICER'] = {'index': meter_id, 'data': meter_opaque}

    global mirror_id_1, mir_opq_1
    global mirror_id_2, mir_opq_2
    try:
        mirror_id_1, mir_opq_1 = a_utl.mirror_create(13)
        mirror_id_2, mir_opq_2 = a_utl.mirror_create(16)
    except:
        print "Mirror Create Failed"
        return

    actions['MIRROR_INGRESS'] = [{'index': mirror_id_1, 'data': mir_opq_1},
                                 {'index': mirror_id_2, 'data': mir_opq_2}]

    try:
        entry_id = nas_acl.create_entry(table_id=table_id, prio=prio,
                                        filter_map=filters, action_map=actions)
    except RuntimeError:
        print (sys._getframe().f_code.co_name + " - Error creating Entry")
        return None

    print (sys._getframe().f_code.co_name +
           " - Created Entry " + str(entry_id))
    raw_input("Check entry is created and Press Enter to continue...")
    passed.append(sys._getframe().f_code.co_name)
    return entry_id
Ejemplo n.º 5
0
def acl_ut_entry_create(table_id, prio=None, counter_id=None):
    global total, passed
    total.append(sys._getframe().f_code.co_name)
    filters = {
        'SRC_IP': {'addr': '23.0.0.1', 'mask': '255.0.0.255'},
        'SRC_MAC': '01:80:c2:00:00:05',
        'IPV6_FLOW_LABEL': 34456,
        'TCP_FLAGS': {'data': '0x17', 'mask': '0x3f'},
        'ECN': {'data': '0x2', 'mask': '0x2'},
        'IP_TYPE': 'IP',
        'IN_PORTS': [a_utl.get_if_name(2), a_utl.get_if_name(3)],
    }

    actions = {
        'SET_SRC_MAC': '01:00:79:08:78:BC',
        'PACKET_ACTION': 'COPY_TO_CPU',
        'REDIRECT_PORT': a_utl.get_if_name(4),
    }
    if (counter_id):
        actions['SET_COUNTER'] = counter_id

    global meter_id
    try:
        meter_id, meter_opaque = a_utl.qos_meter_create(
            m_type='BYTE', cir=300000,
            cbs=800000, pbs=900000)
    except:
        print "Meter install Failed"
        return

    actions['SET_POLICER'] = {'index': meter_id, 'data': meter_opaque}

    global mirror_id_1, mir_opq_1
    global mirror_id_2, mir_opq_2
    try:
        mirror_id_1, mir_opq_1 = a_utl.mirror_create(13)
        mirror_id_2, mir_opq_2 = a_utl.mirror_create(16)
    except:
        print "Mirror Create Failed"
        return

    actions['MIRROR_INGRESS'] = [{'index': mirror_id_1, 'data': mir_opq_1},
                                 {'index': mirror_id_2, 'data': mir_opq_2}]

    try:
        entry_id = nas_acl.create_entry(table_id=table_id, prio=prio,
                                        filter_map=filters, action_map=actions)
    except RuntimeError:
        print (sys._getframe().f_code.co_name + " - Error creating Entry")
        return None

    print (sys._getframe().f_code.co_name +
           " - Created Entry " + str(entry_id))
    raw_input("Check entry is created and Press Enter to continue...")
    passed.append(sys._getframe().f_code.co_name)
    return entry_id
Ejemplo n.º 6
0
def test_bridge_type_filter():
    print 'Createing Ingress ACL table'
    ing_table_id = nas_acl.create_table('INGRESS', 101, ['BRIDGE_TYPE'])
    print 'Table ID: %d' % ing_table_id
    print 'Creating Ingress ACL entry'
    entry_id_1 = nas_acl.create_entry(ing_table_id, 1,
                                      {'BRIDGE_TYPE': 'BRIDGE_1Q'},
                                      {'PACKET_ACTION': 'DROP'})
    print 'Entry ID: %d' % entry_id_1
    entry_id_2 = nas_acl.create_entry(ing_table_id, 2,
                                      {'BRIDGE_TYPE': 'BRIDGE_1D'},
                                      {'PACKET_ACTION': 'DROP'})
    print 'Entry ID: %d' % entry_id_2

    nas_acl.print_entry(ing_table_id)

    print 'Createing Egress ACL table'
    eg_table_id = nas_acl.create_table('EGRESS', 101, ['BRIDGE_TYPE'])
    print 'Table ID: %d' % eg_table_id
    print 'Creating Egress ACL entry'
    entry_id_3 = nas_acl.create_entry(eg_table_id, 1,
                                      {'BRIDGE_TYPE': 'BRIDGE_1Q'},
                                      {'PACKET_ACTION': 'DROP'})
    print 'Entry ID: %d' % entry_id_3
    entry_id_4 = nas_acl.create_entry(eg_table_id, 2,
                                      {'BRIDGE_TYPE': 'BRIDGE_1D'},
                                      {'PACKET_ACTION': 'DROP'})
    print 'Entry ID: %d' % entry_id_4

    nas_acl.print_entry(eg_table_id)

    print 'Deleting ACL entry'
    nas_acl.delete_entry(ing_table_id, entry_id_1)
    nas_acl.delete_entry(ing_table_id, entry_id_2)
    nas_acl.delete_entry(eg_table_id, entry_id_3)
    nas_acl.delete_entry(eg_table_id, entry_id_4)
    print 'Deleting ACL table'
    nas_acl.delete_table(ing_table_id)
    nas_acl.delete_table(eg_table_id)
Ejemplo n.º 7
0
def main():

    tid = nas_acl.create_table(stage='EGRESS',
                               prio=99,
                               allow_filters=[
                                   'SRC_IP', 'DST_IP', 'IN_PORT', 'OUT_PORT',
                                   'L4_SRC_PORT', 'L4_DST_PORT'
                               ])

    #
    # ACL Entry to drop all packets received from DST_IP on L4_DST_PORT
    #
    # ACL counter to count number of dropped packets
    #counter_mac = nas_acl.create_counter(table_id=tid, types=['PACKET'])
    # CPS Create the ACL entry
    eid_tcp = nas_acl.create_entry(table_id=tid,
                                   prio=512,
                                   filter_map={
                                       'SRC_IP': {
                                           'addr': '23.0.0.1',
                                           'mask': '255.0.0.0'
                                       },
                                       'L4_SRC_PORT': 443,
                                   },
                                   action_map={'PACKET_ACTION': 'DROP'})
    """
  eid_ip = nas_acl.create_entry(table_id=tid,
                                prio=511,
                                filter_map={'DST_IP': '23.0.0.1',
                                            'DSCP': {'data':0x08, 'mask':0x38}},
                                action_map={'SET_TC': 4,
                                            'SET_COUNTER': counter_ip})
  """
    # Print both entries in ACL table
    nas_acl.print_entry(tid)
    #return tid,eid_mac

    #raw_input("Press Enter to clean up the ACL entries and table ...")

    # Print the ACL stats object
    #nas_acl.print_stats(tid, counter_ip)
    nas_acl.print_stats(tid)
Ejemplo n.º 8
0
def __create_entry():
    _entry = __find_entry()
    if _entry != None:
        print('Exists already')
        return
    _table = __create_table()
    _id = _table.extract_id()
    _prio = _args['entry_prio']

    _filters = __entry_create_filters()
    _actions = __entry_create_actions()
    if _args['d']:
        print _filters
        print _actions

    if len(_filters) == 0 or len(_actions) == 0:
        print("Incomplete entry parameters")
        sys.exit(1)

    _res = nas_acl.create_entry(_id, _prio, _filters, _actions)
    print 'Created entry'
Ejemplo n.º 9
0
def __acl_cfg_to_acl_entry(obj, create_if_not_there=False):
    obj = cps_object.CPSObject(obj=obj)

    _name = obj.get_attr_data('name')
    _rule = obj.get_attr_data('rule')
    try:
        _entry_id = obj.get_attr_data('base-acl/entry/id')
        _table_id = obj.get_attr_data('base-acl/table/id')
        _lst = __get_acl_entries(_table_id, _entry_id)
        if _lst:
            return obj.get()
        print('Invalid ACL entry details - %d and %d' % (_table_id, _entry_id))
    except:
        print('Not created yet...')
        _entry_id = None
        _table_id = None

    l = _rule.strip().split(' ')
    _parser = argparse.ArgumentParser('Process ACL rules')

    _parser.add_argument('-prio',
                         '--priority',
                         help='The rule priority',
                         action='store',
                         required=False)
    _parser.add_argument('-i',
                         '--in-interface',
                         help='The incoming interface name',
                         action='append',
                         required=False)
    _parser.add_argument(
        '-o',
        '--out-interface',
        help=
        'The outgoing interface name (same as the -i option) at this point',
        action='append',
        required=False)
    _parser.add_argument(
        '-j',
        '--jump',
        help='The action assocaiated with the rule ACCEPT or DROP',
        choices=['DROP', 'ACCEPT', 'ACCEPT-TRAP', 'TRAP'],
        action='store',
        required=True)
    _parser.add_argument(
        '-I',
        '-A',
        help=
        'The INPUT or OUTPUT chain which maps to the INGRESS or EGRESS tables',
        choices=['INPUT', 'OUTPUT'],
        required=True)
    _parser.add_argument('-p',
                         '--protocol',
                         help='The IP protocol type (TCP/UDP/ICMP)',
                         action='store')
    _parser.add_argument('-d',
                         '--destination',
                         help='Specify the destination IPv4/IPv6 address',
                         action='store')
    _parser.add_argument('--dport',
                         help='Specify the destination port number',
                         action='store')
    _parser.add_argument('--sport',
                         help='Specify the source port number',
                         action='store')
    _parser.add_argument('-s',
                         '--source',
                         help='Specify the source IPv4/IPv6 address',
                         action='store')
    _parser.add_argument('--mac-source',
                         help='The source MAC address',
                         action='store')
    _parser.add_argument('--mac-destination',
                         help='The destination MAC address',
                         action='store')
    _parser.add_argument(
        '-m',
        help='Module loading (depreciated at this point but ignored)',
        action='store')

    _args = vars(_parser.parse_args(l))
    print "***"
    print _args
    if 'A' in _args:
        _args['I'] = _args['A']
    _table = None
    if 'I' in _args:
        if _args['I'] == 'INPUT':
            _table = __table_in
        else:
            _table = __table_out
    if _table is None:
        print('Invalid table specified.')
        raise Exception('Failed to create table - no table specified (in/out)')

    _filters = {}
    if _args['source'] != None:
        if '.' in _args['source']:
            _addrs = _args['source'].split('/')
            _mask = '255.255.255.255'
            if len(_addrs) == 1:
                _addrs.append(_mask)
            _filters['SRC_IP'] = {'addr': _addrs[0], 'mask': _addrs[1]}
    if _args['destination'] != None:
        if '.' in _args['destination']:
            _addrs = _args['destination'].split('/')
            _mask = '255.255.255.255'
            if len(_addrs) == 1:
                _addrs.append(_mask)
            _filters['DST_IP'] = {'addr': _addrs[0], 'mask': _addrs[1]}

    if _args['mac_source'] != None:
        _addrs = _args['mac_source'].split('/')
        _mask = 'ff:ff:ff:ff:ff:ff'
        if len(_addrs) == 1:
            _addrs.append(_mask)
        _filters['SRC_MAC'] = {'addr': _addrs[0], 'mask': _addrs[1]}

    if _args['mac_destination'] != None:
        _addrs = _args['mac_destination'].split('/')
        _mask = 'ff:ff:ff:ff:ff:ff'
        if len(_addrs) == 1:
            _addrs.append(_mask)
        _filters['DST_MAC'] = {'addr': _addrs[0], 'mask': _addrs[1]}

    if _args['sport'] != None:
        _filters['L4_SRC_PORT'] = _args['sport']

    if _args['dport'] != None:
        _filters['L4_DST_PORT'] = _args['dport']

    _actions = {}
    if _args['jump'] != None and _args['jump'] == 'DROP':
        _actions['PACKET_ACTION'] = 'DROP'
    if _args['jump'] != None and _args['jump'] == 'ACCEPT':
        _actions['PACKET_ACTION'] = 'FORWARD'
    if _args['jump'] != None and _args['jump'] == 'ACCEPT-TRAP':
        _actions['PACKET_ACTION'] = 'COPY_TO_CPU_AND_FORWARD'
    if _args['jump'] != None and _args['jump'] == 'TRAP':
        _actions['PACKET_ACTION'] = 'COPY_TO_CPU'

    _prio = None
    if _args['priority']:
        _prio = int(_args['priority'])
    else:
        _prio = _default_entry_prio

    print('Attempting to local ACL entry')
    _entry = nas_acl.find_entry(table_id=_table.extract_id(),priority=_prio,\
                filter_map=_filters,action_map=_actions)
    if _entry != None:
        _obj = cps_object.CPSObject(obj=_entry.data())
        #_entry_id = _obj.get_attr_data('base-acl/entry/id')
        #_table_id = _obj.get_attr_data('base-acl/table/id')
        obj.add_attr('base-acl/entry/id',
                     _obj.get_attr_data('base-acl/entry/id'))
        obj.add_attr('base-acl/table/id', _table.extract_id())

        _obj = obj.get()
        _obj['operation'] = 'set'
        cps.db_commit(_obj, None, True)
        return _obj

    if _entry is None and create_if_not_there:
        _entry_id = None
        try:
            _entry_id = nas_acl.create_entry(table_id=_table.extract_id(),
                                             prio=_prio,
                                             filter_map=_filters,
                                             action_map=_actions)
            obj.add_attr('base-acl/entry/id', _entry_id)
            obj.add_attr('base-acl/table/id', _table.extract_id())
            _obj = obj.get()
            _obj['operation'] = 'set'
            cps.db_commit(_obj, None, True)
            return _obj
        except Exception as err:
            print(err)
            print('Failed to create acl entry')
            return None

    return None
    prio=99,
    allow_filters=['DST_IP', 'SRC_MAC', 'IN_PORT', 'DSCP'])

#
# ACL Entry to drop all packets received from MAC 50:10:6e:xx:xx:xx on port 23
#
# ACL counter to count number of dropped packets
counter_mac = nas_acl.create_counter(table_id=tid, types=['PACKET'])
# CPS Create the ACL entry
eid_mac = nas_acl.create_entry(table_id=tid,
                               prio=512,
                               filter_map={
                                   'SRC_MAC': {
                                       'addr': '50:10:6e:00:00:00',
                                       'mask': 'ff:ff:ff:00:00:00'
                                   },
                                   'IN_PORT': 23
                               },
                               action_map={
                                   'PACKET_ACTION': 'DROP',
                                   'SET_COUNTER': counter_mac
                               })
#
# ACL Entry to set traffic class for packets destined to IP 23.0.0.1
# with a DSCP range 8-15
#
# ACL counter to count number of dropped packets
counter_ip = nas_acl.create_counter(table_id=tid, types=['PACKET'])
# CPS Create the ACL entry
eid_ip = nas_acl.create_entry(table_id=tid,
                              prio=511,
Ejemplo n.º 11
0
actions = {
    'SET_SRC_MAC': '01:00:79:08:78:BC',
    'REDIRECT_PORT': a_utl.get_if_name(6),              # Takes name or ifindex
    'PACKET_ACTION': 'COPY_TO_CPU',
    'SET_COUNTER': counter_id,
    # Attach internal object to
                                                        # ACL action
    'MIRROR_INGRESS':
    {'index': mirr_id_1, 'data': mirr_opq_1}  # Attaching external obj
    # to ACL action
}

# Create an ACL entry with above filters and actions
eid = nas_acl.create_entry(
    table_id=tid,
    prio=sys.argv[2],
    filter_map=filters,
    action_map=actions)
nas_acl.print_entry(tid, eid)

try:
    # Add another filter to the ACL entry
    nas_acl.append_entry_filter(
        table_id=tid,
        entry_id=eid,
        filter_type='DST_IP',
        filter_val={
            'addr': '23.0.0.1',
            'mask': '255.0.0.255'})
    print "Added new DST IP filter"
    nas_acl.print_entry(tid, eid)
Ejemplo n.º 12
0
    'SET_SRC_MAC': '01:00:79:08:78:BC',
    'REDIRECT_PORT': a_utl.get_if_name(6),  # Takes name or ifindex
    'PACKET_ACTION': 'COPY_TO_CPU',
    'SET_COUNTER': counter_id,
    # Attach internal object to
    # ACL action
    'MIRROR_INGRESS': {
        'index': mirr_id_1,
        'data': mirr_opq_1
    }  # Attaching external obj
    # to ACL action
}

# Create an ACL entry with above filters and actions
eid = nas_acl.create_entry(table_id=tid,
                           prio=sys.argv[2],
                           filter_map=filters,
                           action_map=actions)
nas_acl.print_entry(tid, eid)

try:
    # Add another filter to the ACL entry
    nas_acl.append_entry_filter(table_id=tid,
                                entry_id=eid,
                                filter_type='DST_IP',
                                filter_val={
                                    'addr': '23.0.0.1',
                                    'mask': '255.0.0.255'
                                })
    print "Added new DST IP filter"
    nas_acl.print_entry(tid, eid)
Ejemplo n.º 13
0
#
tid = nas_acl.create_table(stage='INGRESS',
                           prio=99,
                           allow_filters=['DST_IP', 'SRC_MAC',
                                          'IN_PORT', 'DSCP'])

#
# ACL Entry to drop all packets received from MAC 50:10:6e:xx:xx:xx on port 23
#
# ACL counter to count number of dropped packets
counter_mac = nas_acl.create_counter(table_id=tid, types=['PACKET'])
# CPS Create the ACL entry
eid_mac = nas_acl.create_entry(table_id=tid,
                               prio=512,
                               filter_map={'SRC_MAC': {'addr':'50:10:6e:00:00:00',
                                                       'mask':'ff:ff:ff:00:00:00'},
                                           'IN_PORT': 23},
                               action_map={'PACKET_ACTION': 'DROP',
                                           'SET_COUNTER': counter_mac})
#
# ACL Entry to set traffic class for packets destined to IP 23.0.0.1
# with a DSCP range 8-15
#
# ACL counter to count number of dropped packets
counter_ip = nas_acl.create_counter(table_id=tid, types=['PACKET'])
# CPS Create the ACL entry
eid_ip = nas_acl.create_entry(table_id=tid,
                              prio=511,
                              filter_map={'DST_IP': '23.0.0.1',
                                          'DSCP': {'data':0x08, 'mask':0x38}},
                              action_map={'SET_TC': 4,