def test_vlan_id_filter(): print 'Creating ACL table' table_id = nas_acl.create_table('INGRESS', 100, ['OUTER_VLAN_ID', 'INNER_VLAN_ID']) print 'Table ID: %d' % table_id print 'Creating ACL entry' entry_id_1 = nas_acl.create_entry(table_id, 1, { 'OUTER_VLAN_ID': { 'data': 0 }, 'INNER_VLAN_ID': { 'data': 0 } }, {'PACKET_ACTION': 'DROP'}) print 'Entry ID: %d' % entry_id_1 entry_id_2 = nas_acl.create_entry(table_id, 2, { 'OUTER_VLAN_ID': { 'data': 100 }, 'INNER_VLAN_ID': { 'data': 200 } }, {'PACKET_ACTION': 'DROP'}) print 'Entry ID: %d' % entry_id_2 nas_acl.print_entry(table_id) print 'Deleting ACL entry' nas_acl.delete_entry(table_id, entry_id_1) nas_acl.delete_entry(table_id, entry_id_2) print 'Deleting ACL table' nas_acl.delete_table(table_id)
def __create_entry(): _entry = __find_entry() if _entry != None: print('Exists already') return _table = __create_table() _id = _table.extract_id() _prio = _args['entry_prio'] _filters = {} if _args['entry_sipv4'] != None: _filters['SRC_IP'] = { 'addr': _args['entry_sipv4'], 'mask': _args['entry_smask4'] } if _args['entry_sport'] != None: _filters['L4_SRC_PORT'] = _args['entry_sport'] _actions = {} if _args['entry_action'] != None: _actions = {'PACKET_ACTION': _args['entry_action']} if len(_filters) == 0 or len(_actions) == 0: print("Incomplete entry parameters") sys.exit(1) _res = nas_acl.create_entry(_id, _prio, _filters, _actions) print _res
def test_update_entry_action(): print 'Creating ACL table' table_id = nas_acl.create_table('INGRESS', 100, ['IN_INTF']) print 'Table ID: %d' % table_id print 'Creating ACL entry' entry_id = nas_acl.create_entry(table_id, 1, {'IN_INTF': 'e101-001-0'}, {'PACKET_ACTION': 'DROP'}) print 'Entry ID: %d' % entry_id print 'Trying to set user trap ID with drop action (expected fail)' with pytest.raises(RuntimeError): nas_acl.replace_entry_action_list(table_id, entry_id, { 'PACKET_ACTION': 'DROP', 'SET_USER_TRAP_ID': 2 }) nas_acl.print_entry(table_id, entry_id) print 'Trying to set user trap ID with trap to CPU action' try: nas_acl.replace_entry_action_list(table_id, entry_id, { 'PACKET_ACTION': 'TRAP_TO_CPU', 'SET_USER_TRAP_ID': 2 }) except RuntimeError: assert False nas_acl.print_entry(table_id, entry_id) print 'Restoring ACL entry actions' try: nas_acl.replace_entry_action_list(table_id, entry_id, {'PACKET_ACTION': 'DROP'}) except RuntimeError: assert False nas_acl.print_entry(table_id, entry_id) print 'Deleting ACL entry' nas_acl.delete_entry(table_id, entry_id) print 'Deleting ACL table' nas_acl.delete_table(table_id)
def acl_ut_entry_create(table_id, prio=None, counter_id=None): global total, passed total.append(sys._getframe().f_code.co_name) filters = { 'SRC_IP': {'addr': '23.0.0.1', 'mask': '255.0.0.255'}, 'SRC_MAC': '01:80:c2:00:00:05', 'IPV6_FLOW_LABEL': 34456, 'TCP_FLAGS': {'data': '0x17', 'mask': '0x3f'}, 'ECN': {'data': '0x2', 'mask': '0x2'}, 'IP_TYPE': 'IP', 'IN_PORTS': [a_utl.get_if_name(2), a_utl.get_if_name(3)], } actions = { 'SET_SRC_MAC': '01:00:79:08:78:BC', 'PACKET_ACTION': 'COPY_TO_CPU', 'REDIRECT_PORT': a_utl.get_if_name(4), } if (counter_id): actions['SET_COUNTER'] = counter_id global meter_id try: meter_id, meter_opaque = a_utl.qos_meter_create( m_type='BYTE', cir=300000, cbs=800000, pbs=900000) except: print "Meter install Failed" return actions['SET_POLICER'] = {'index': meter_id, 'data': meter_opaque} global mirror_id_1, mir_opq_1 global mirror_id_2, mir_opq_2 try: mirror_id_1, mir_opq_1 = a_utl.mirror_create(13) mirror_id_2, mir_opq_2 = a_utl.mirror_create(16) except: print "Mirror Create Failed" return actions['MIRROR_INGRESS'] = [{'index': mirror_id_1, 'data': mir_opq_1}, {'index': mirror_id_2, 'data': mir_opq_2}] try: entry_id = nas_acl.create_entry(table_id=table_id, prio=prio, filter_map=filters, action_map=actions) except RuntimeError: print (sys._getframe().f_code.co_name + " - Error creating Entry") return None print (sys._getframe().f_code.co_name + " - Created Entry " + str(entry_id)) raw_input("Check entry is created and Press Enter to continue...") passed.append(sys._getframe().f_code.co_name) return entry_id
def test_bridge_type_filter(): print 'Createing Ingress ACL table' ing_table_id = nas_acl.create_table('INGRESS', 101, ['BRIDGE_TYPE']) print 'Table ID: %d' % ing_table_id print 'Creating Ingress ACL entry' entry_id_1 = nas_acl.create_entry(ing_table_id, 1, {'BRIDGE_TYPE': 'BRIDGE_1Q'}, {'PACKET_ACTION': 'DROP'}) print 'Entry ID: %d' % entry_id_1 entry_id_2 = nas_acl.create_entry(ing_table_id, 2, {'BRIDGE_TYPE': 'BRIDGE_1D'}, {'PACKET_ACTION': 'DROP'}) print 'Entry ID: %d' % entry_id_2 nas_acl.print_entry(ing_table_id) print 'Createing Egress ACL table' eg_table_id = nas_acl.create_table('EGRESS', 101, ['BRIDGE_TYPE']) print 'Table ID: %d' % eg_table_id print 'Creating Egress ACL entry' entry_id_3 = nas_acl.create_entry(eg_table_id, 1, {'BRIDGE_TYPE': 'BRIDGE_1Q'}, {'PACKET_ACTION': 'DROP'}) print 'Entry ID: %d' % entry_id_3 entry_id_4 = nas_acl.create_entry(eg_table_id, 2, {'BRIDGE_TYPE': 'BRIDGE_1D'}, {'PACKET_ACTION': 'DROP'}) print 'Entry ID: %d' % entry_id_4 nas_acl.print_entry(eg_table_id) print 'Deleting ACL entry' nas_acl.delete_entry(ing_table_id, entry_id_1) nas_acl.delete_entry(ing_table_id, entry_id_2) nas_acl.delete_entry(eg_table_id, entry_id_3) nas_acl.delete_entry(eg_table_id, entry_id_4) print 'Deleting ACL table' nas_acl.delete_table(ing_table_id) nas_acl.delete_table(eg_table_id)
def main(): tid = nas_acl.create_table(stage='EGRESS', prio=99, allow_filters=[ 'SRC_IP', 'DST_IP', 'IN_PORT', 'OUT_PORT', 'L4_SRC_PORT', 'L4_DST_PORT' ]) # # ACL Entry to drop all packets received from DST_IP on L4_DST_PORT # # ACL counter to count number of dropped packets #counter_mac = nas_acl.create_counter(table_id=tid, types=['PACKET']) # CPS Create the ACL entry eid_tcp = nas_acl.create_entry(table_id=tid, prio=512, filter_map={ 'SRC_IP': { 'addr': '23.0.0.1', 'mask': '255.0.0.0' }, 'L4_SRC_PORT': 443, }, action_map={'PACKET_ACTION': 'DROP'}) """ eid_ip = nas_acl.create_entry(table_id=tid, prio=511, filter_map={'DST_IP': '23.0.0.1', 'DSCP': {'data':0x08, 'mask':0x38}}, action_map={'SET_TC': 4, 'SET_COUNTER': counter_ip}) """ # Print both entries in ACL table nas_acl.print_entry(tid) #return tid,eid_mac #raw_input("Press Enter to clean up the ACL entries and table ...") # Print the ACL stats object #nas_acl.print_stats(tid, counter_ip) nas_acl.print_stats(tid)
def __create_entry(): _entry = __find_entry() if _entry != None: print('Exists already') return _table = __create_table() _id = _table.extract_id() _prio = _args['entry_prio'] _filters = __entry_create_filters() _actions = __entry_create_actions() if _args['d']: print _filters print _actions if len(_filters) == 0 or len(_actions) == 0: print("Incomplete entry parameters") sys.exit(1) _res = nas_acl.create_entry(_id, _prio, _filters, _actions) print 'Created entry'
def __acl_cfg_to_acl_entry(obj, create_if_not_there=False): obj = cps_object.CPSObject(obj=obj) _name = obj.get_attr_data('name') _rule = obj.get_attr_data('rule') try: _entry_id = obj.get_attr_data('base-acl/entry/id') _table_id = obj.get_attr_data('base-acl/table/id') _lst = __get_acl_entries(_table_id, _entry_id) if _lst: return obj.get() print('Invalid ACL entry details - %d and %d' % (_table_id, _entry_id)) except: print('Not created yet...') _entry_id = None _table_id = None l = _rule.strip().split(' ') _parser = argparse.ArgumentParser('Process ACL rules') _parser.add_argument('-prio', '--priority', help='The rule priority', action='store', required=False) _parser.add_argument('-i', '--in-interface', help='The incoming interface name', action='append', required=False) _parser.add_argument( '-o', '--out-interface', help= 'The outgoing interface name (same as the -i option) at this point', action='append', required=False) _parser.add_argument( '-j', '--jump', help='The action assocaiated with the rule ACCEPT or DROP', choices=['DROP', 'ACCEPT', 'ACCEPT-TRAP', 'TRAP'], action='store', required=True) _parser.add_argument( '-I', '-A', help= 'The INPUT or OUTPUT chain which maps to the INGRESS or EGRESS tables', choices=['INPUT', 'OUTPUT'], required=True) _parser.add_argument('-p', '--protocol', help='The IP protocol type (TCP/UDP/ICMP)', action='store') _parser.add_argument('-d', '--destination', help='Specify the destination IPv4/IPv6 address', action='store') _parser.add_argument('--dport', help='Specify the destination port number', action='store') _parser.add_argument('--sport', help='Specify the source port number', action='store') _parser.add_argument('-s', '--source', help='Specify the source IPv4/IPv6 address', action='store') _parser.add_argument('--mac-source', help='The source MAC address', action='store') _parser.add_argument('--mac-destination', help='The destination MAC address', action='store') _parser.add_argument( '-m', help='Module loading (depreciated at this point but ignored)', action='store') _args = vars(_parser.parse_args(l)) print "***" print _args if 'A' in _args: _args['I'] = _args['A'] _table = None if 'I' in _args: if _args['I'] == 'INPUT': _table = __table_in else: _table = __table_out if _table is None: print('Invalid table specified.') raise Exception('Failed to create table - no table specified (in/out)') _filters = {} if _args['source'] != None: if '.' in _args['source']: _addrs = _args['source'].split('/') _mask = '255.255.255.255' if len(_addrs) == 1: _addrs.append(_mask) _filters['SRC_IP'] = {'addr': _addrs[0], 'mask': _addrs[1]} if _args['destination'] != None: if '.' in _args['destination']: _addrs = _args['destination'].split('/') _mask = '255.255.255.255' if len(_addrs) == 1: _addrs.append(_mask) _filters['DST_IP'] = {'addr': _addrs[0], 'mask': _addrs[1]} if _args['mac_source'] != None: _addrs = _args['mac_source'].split('/') _mask = 'ff:ff:ff:ff:ff:ff' if len(_addrs) == 1: _addrs.append(_mask) _filters['SRC_MAC'] = {'addr': _addrs[0], 'mask': _addrs[1]} if _args['mac_destination'] != None: _addrs = _args['mac_destination'].split('/') _mask = 'ff:ff:ff:ff:ff:ff' if len(_addrs) == 1: _addrs.append(_mask) _filters['DST_MAC'] = {'addr': _addrs[0], 'mask': _addrs[1]} if _args['sport'] != None: _filters['L4_SRC_PORT'] = _args['sport'] if _args['dport'] != None: _filters['L4_DST_PORT'] = _args['dport'] _actions = {} if _args['jump'] != None and _args['jump'] == 'DROP': _actions['PACKET_ACTION'] = 'DROP' if _args['jump'] != None and _args['jump'] == 'ACCEPT': _actions['PACKET_ACTION'] = 'FORWARD' if _args['jump'] != None and _args['jump'] == 'ACCEPT-TRAP': _actions['PACKET_ACTION'] = 'COPY_TO_CPU_AND_FORWARD' if _args['jump'] != None and _args['jump'] == 'TRAP': _actions['PACKET_ACTION'] = 'COPY_TO_CPU' _prio = None if _args['priority']: _prio = int(_args['priority']) else: _prio = _default_entry_prio print('Attempting to local ACL entry') _entry = nas_acl.find_entry(table_id=_table.extract_id(),priority=_prio,\ filter_map=_filters,action_map=_actions) if _entry != None: _obj = cps_object.CPSObject(obj=_entry.data()) #_entry_id = _obj.get_attr_data('base-acl/entry/id') #_table_id = _obj.get_attr_data('base-acl/table/id') obj.add_attr('base-acl/entry/id', _obj.get_attr_data('base-acl/entry/id')) obj.add_attr('base-acl/table/id', _table.extract_id()) _obj = obj.get() _obj['operation'] = 'set' cps.db_commit(_obj, None, True) return _obj if _entry is None and create_if_not_there: _entry_id = None try: _entry_id = nas_acl.create_entry(table_id=_table.extract_id(), prio=_prio, filter_map=_filters, action_map=_actions) obj.add_attr('base-acl/entry/id', _entry_id) obj.add_attr('base-acl/table/id', _table.extract_id()) _obj = obj.get() _obj['operation'] = 'set' cps.db_commit(_obj, None, True) return _obj except Exception as err: print(err) print('Failed to create acl entry') return None return None
prio=99, allow_filters=['DST_IP', 'SRC_MAC', 'IN_PORT', 'DSCP']) # # ACL Entry to drop all packets received from MAC 50:10:6e:xx:xx:xx on port 23 # # ACL counter to count number of dropped packets counter_mac = nas_acl.create_counter(table_id=tid, types=['PACKET']) # CPS Create the ACL entry eid_mac = nas_acl.create_entry(table_id=tid, prio=512, filter_map={ 'SRC_MAC': { 'addr': '50:10:6e:00:00:00', 'mask': 'ff:ff:ff:00:00:00' }, 'IN_PORT': 23 }, action_map={ 'PACKET_ACTION': 'DROP', 'SET_COUNTER': counter_mac }) # # ACL Entry to set traffic class for packets destined to IP 23.0.0.1 # with a DSCP range 8-15 # # ACL counter to count number of dropped packets counter_ip = nas_acl.create_counter(table_id=tid, types=['PACKET']) # CPS Create the ACL entry eid_ip = nas_acl.create_entry(table_id=tid, prio=511,
actions = { 'SET_SRC_MAC': '01:00:79:08:78:BC', 'REDIRECT_PORT': a_utl.get_if_name(6), # Takes name or ifindex 'PACKET_ACTION': 'COPY_TO_CPU', 'SET_COUNTER': counter_id, # Attach internal object to # ACL action 'MIRROR_INGRESS': {'index': mirr_id_1, 'data': mirr_opq_1} # Attaching external obj # to ACL action } # Create an ACL entry with above filters and actions eid = nas_acl.create_entry( table_id=tid, prio=sys.argv[2], filter_map=filters, action_map=actions) nas_acl.print_entry(tid, eid) try: # Add another filter to the ACL entry nas_acl.append_entry_filter( table_id=tid, entry_id=eid, filter_type='DST_IP', filter_val={ 'addr': '23.0.0.1', 'mask': '255.0.0.255'}) print "Added new DST IP filter" nas_acl.print_entry(tid, eid)
'SET_SRC_MAC': '01:00:79:08:78:BC', 'REDIRECT_PORT': a_utl.get_if_name(6), # Takes name or ifindex 'PACKET_ACTION': 'COPY_TO_CPU', 'SET_COUNTER': counter_id, # Attach internal object to # ACL action 'MIRROR_INGRESS': { 'index': mirr_id_1, 'data': mirr_opq_1 } # Attaching external obj # to ACL action } # Create an ACL entry with above filters and actions eid = nas_acl.create_entry(table_id=tid, prio=sys.argv[2], filter_map=filters, action_map=actions) nas_acl.print_entry(tid, eid) try: # Add another filter to the ACL entry nas_acl.append_entry_filter(table_id=tid, entry_id=eid, filter_type='DST_IP', filter_val={ 'addr': '23.0.0.1', 'mask': '255.0.0.255' }) print "Added new DST IP filter" nas_acl.print_entry(tid, eid)
# tid = nas_acl.create_table(stage='INGRESS', prio=99, allow_filters=['DST_IP', 'SRC_MAC', 'IN_PORT', 'DSCP']) # # ACL Entry to drop all packets received from MAC 50:10:6e:xx:xx:xx on port 23 # # ACL counter to count number of dropped packets counter_mac = nas_acl.create_counter(table_id=tid, types=['PACKET']) # CPS Create the ACL entry eid_mac = nas_acl.create_entry(table_id=tid, prio=512, filter_map={'SRC_MAC': {'addr':'50:10:6e:00:00:00', 'mask':'ff:ff:ff:00:00:00'}, 'IN_PORT': 23}, action_map={'PACKET_ACTION': 'DROP', 'SET_COUNTER': counter_mac}) # # ACL Entry to set traffic class for packets destined to IP 23.0.0.1 # with a DSCP range 8-15 # # ACL counter to count number of dropped packets counter_ip = nas_acl.create_counter(table_id=tid, types=['PACKET']) # CPS Create the ACL entry eid_ip = nas_acl.create_entry(table_id=tid, prio=511, filter_map={'DST_IP': '23.0.0.1', 'DSCP': {'data':0x08, 'mask':0x38}}, action_map={'SET_TC': 4,