def test_enforcemnet_rules(self):
"""
Add QOS policy to enforcement table into OVS.
"""
fake_controller_setup(self.enforcement_controller)
imsi = 'IMSI001010000000013'
sub_ip = '192.168.128.30'
flow_list1 = [
FlowDescription(
match=FlowMatch(direction=FlowMatch.UPLINK, ),
action=FlowDescription.PERMIT,
),
FlowDescription(
match=FlowMatch(
ip_dst=convert_ipv4_str_to_ip_proto("192.168.0.0/24"),
direction=FlowMatch.DOWNLINK,
),
action=FlowDescription.PERMIT,
),
]
self.service_manager.session_rule_version_mapper.save_version(
imsi,
convert_ipv4_str_to_ip_proto(sub_ip),
"rule1",
1,
)
self.enforcement_controller.activate_rules(
imsi,
None,
0,
convert_ipv4_str_to_ip_proto(sub_ip),
None,
policies=[
VersionedPolicy(
rule=PolicyRule(id='rule1',
priority=65530,
flow_list=flow_list1),
version=1,
),
],
shard_id=0,
local_f_teid_ng=100,
)
snapshot_verifier = SnapshotVerifier(
self,
self.BRIDGE,
self.service_manager,
)
with snapshot_verifier:
pass
def test_subscriber_ipv6_policy(self):
"""
Add policy to subscriber, send 4096 packets
Assert:
Packets are properly matched with the 'simple_match' policy
Send /20 (4096) packets, match /16 (256) packets
"""
fake_controller_setup(self.enforcement_controller)
imsi = 'IMSI010000000088888'
sub_ip = 'de34:431d:1bc::'
flow_list1 = [
FlowDescription(
match=FlowMatch(
ip_dst=convert_ipv6_bytes_to_ip_proto(
'f333:432::dbca'.encode('utf-8'),
),
direction=FlowMatch.UPLINK,
),
action=FlowDescription.PERMIT,
),
]
policies = [
VersionedPolicy(
rule=PolicyRule(id='simple_match', priority=2, flow_list=flow_list1),
version=1,
),
]
# ============================ Subscriber ============================
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller, self._tbl_num,
).add_policy(policies[0])
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(sub_context.cfg)
.build_requests(),
self.testing_controller,
)
pkt_sender = ScapyPacketInjector(self.IFACE)
packet = IPv6PacketBuilder() \
.set_ip_layer('f333:432::dbca', sub_ip) \
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00") \
.build()
# =========================== Verification ===========================
snapshot_verifier = SnapshotVerifier(
self, self.BRIDGE,
self.service_manager,
)
with isolator, sub_context, snapshot_verifier:
pkt_sender.send(packet)
def test_redirect_policy(self):
"""
Add a redirect policy, verifies that EnforcementStatsController reports
correct stats to sessiond
Assert:
1 Packet is matched and reported
"""
redirect_ips = ["185.128.101.5", "185.128.121.4"]
self.enforcement_controller._redirect_manager._dns_cache.get(
"about.sha.ddih.org", lambda: redirect_ips, max_age=42)
imsi = 'IMSI010000000088888'
sub_ip = '192.168.128.74'
flow_list = [FlowDescription(match=FlowMatch())]
policy = PolicyRule(id='redir_test',
priority=3,
flow_list=flow_list,
redirect=RedirectInformation(
support=1,
address_type=2,
server_address="http://about.sha.ddih.org/"))
stat_name = imsi + '|redir_test'
""" Setup subscriber, setup table_isolation to fwd pkts """
self._static_rule_dict[policy.id] = policy
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller,
self._tbl_num).add_dynamic_rule(policy)
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context.cfg).build_requests(), self.testing_controller)
pkt_sender = ScapyPacketInjector(self.IFACE)
packet = TCPPacketBuilder() \
.set_tcp_layer(42132, 80, 321) \
.set_tcp_flags("S") \
.set_ip_layer('151.42.41.122', sub_ip) \
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00") \
.build()
# =========================== Verification ===========================
flow_verifier = FlowVerifier([], self._wait_func([stat_name]))
""" Send packet, wait until pkts are received by ovs and enf stats """
with isolator, sub_context, flow_verifier:
pkt_sender.send(packet)
stats = get_enforcement_stats(
self.enforcement_stats_controller._report_usage.call_args_list)
self.assertEqual(stats[stat_name].sid, imsi)
self.assertEqual(stats[stat_name].rule_id, "redir_test")
self.assertEqual(stats[stat_name].bytes_rx, 0)
self.assertEqual(stats[stat_name].bytes_tx, len(packet))
def test_subscriber_policy_with_he(self):
"""
Add policy to subscriber with HE config
"""
cls = self.__class__
fake_controller_setup(self.enforcement_controller)
imsi = 'IMSI010000000088888'
sub_ip = '192.168.128.74'
flow_list1 = [
FlowDescription(
match=FlowMatch(
ip_dst=convert_ipv4_str_to_ip_proto('45.10.0.0/24'),
direction=FlowMatch.UPLINK,
),
action=FlowDescription.PERMIT,
),
]
he = HeaderEnrichment(urls=['abc.com'])
policies = [
VersionedPolicy(
rule=PolicyRule(id='simple_match',
priority=2,
flow_list=flow_list1,
he=he),
version=1,
),
]
# ============================ Subscriber ============================
sub_context = RyuDirectSubscriberContext(
imsi,
sub_ip,
self.enforcement_controller,
self._tbl_num,
).add_policy(policies[0])
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context.cfg).build_requests(),
self.testing_controller,
)
snapshot_verifier = SnapshotVerifier(
self,
self.BRIDGE,
self.service_manager,
)
with isolator, sub_context, snapshot_verifier:
pass
def test_ipv6_rule_install(self):
"""
Adds a ipv6 policy to a subscriber. Verifies that flows are properly
installed in enforcement and enforcement stats.
Assert:
Policy classification flows installed in enforcement
Policy match flows installed in enforcement_stats
"""
fake_controller_setup(
self.enforcement_controller,
self.enforcement_stats_controller,
)
imsi = 'IMSI001010000000013'
sub_ip = 'de34:431d:1bc::'
flow_list = [
FlowDescription(
match=FlowMatch(
ip_dst=convert_ipv6_bytes_to_ip_proto(
'f333:432::dbca'.encode('utf-8'),
),
direction=FlowMatch.UPLINK,
),
action=FlowDescription.PERMIT,
),
]
policy = VersionedPolicy(
rule=PolicyRule(id='rule1', priority=3, flow_list=flow_list),
version=1,
)
self.service_manager.session_rule_version_mapper.save_version(
imsi, convert_ipv4_str_to_ip_proto(sub_ip), 'rule1', 1,
)
""" Setup subscriber, setup table_isolation to fwd pkts """
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller,
self._main_tbl_num, self.enforcement_stats_controller,
).add_policy(policy)
# =========================== Verification ===========================
snapshot_verifier = SnapshotVerifier(
self, self.BRIDGE,
self.service_manager,
)
with sub_context, snapshot_verifier:
pass
def _get_allow_all_traffic_policies(self):
""" Policy to allow all traffic to the internet """
return [
PolicyRule(
id='allow_all_traffic',
priority=self.ALLOW_ALL_PRIORITY,
flow_list=[
FlowDescription(match=FlowMatch(
direction=FlowMatch.UPLINK)),
FlowDescription(match=FlowMatch(
direction=FlowMatch.DOWNLINK)),
],
)
]
def test_rule_install(self):
"""
Adds a policy to a subscriber. Verifies that flows are properly
installed in enforcement and enforcement stats.
Assert:
Policy classification flows installed in enforcement
Policy match flows installed in enforcement_stats
"""
fake_controller_setup(
self.enforcement_controller,
self.enforcement_stats_controller,
)
imsi = 'IMSI001010000000013'
sub_ip = '192.168.128.74'
flow_list = [
FlowDescription(
match=FlowMatch(
ip_dst=convert_ipv4_str_to_ip_proto('45.10.0.0/25'),
direction=FlowMatch.UPLINK,
),
action=FlowDescription.PERMIT,
),
]
policy = VersionedPolicy(
rule=PolicyRule(id='rule1', priority=3, flow_list=flow_list),
version=1,
)
self.service_manager.session_rule_version_mapper.save_version(
imsi, convert_ipv4_str_to_ip_proto(sub_ip), 'rule1', 1,
)
""" Setup subscriber, setup table_isolation to fwd pkts """
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller,
self._main_tbl_num, self.enforcement_stats_controller,
).add_policy(policy)
# =========================== Verification ===========================
# Verifies that 1 flow is installed in enforcement and 2 flows are
# installed in enforcement stats, one for uplink and one for downlink.
snapshot_verifier = SnapshotVerifier(
self, self.BRIDGE,
self.service_manager,
)
with sub_context, snapshot_verifier:
pass
def activate_dynamic_rule(client, args):
request = ActivateFlowsRequest(
sid=SIDUtils.to_pb(args.imsi),
dynamic_rules=[PolicyRule(
id=args.rule_id,
priority=args.priority,
hard_timeout=args.hard_timeout,
flow_list=[
FlowDescription(match=FlowMatch(
ipv4_dst=args.ipv4_dst, direction=FlowMatch.UPLINK)),
FlowDescription(match=FlowMatch(
ipv4_src=args.ipv4_dst, direction=FlowMatch.DOWNLINK)),
],
)])
client.ActivateFlows(request)
def test_cookie_poll(self):
"""
Add a subscriber policy, verify flows are properly installed
Assert:
Query with RULE_NUM 1 returns proper values
"""
original = self.enforcement_stats_controller._poll_stats
self.enforcement_stats_controller._poll_stats = MagicMock()
self.enforcement_stats_controller.init_finished = False
self.enforcement_controller.init_finished = True
imsi = 'IMSI001010000000013'
sub_ip = '192.168.128.74'
flow_list = [
FlowDescription(match=FlowMatch(
ip_dst=convert_ipv4_str_to_ip_proto('45.10.0.0/25'),
direction=FlowMatch.UPLINK),
action=FlowDescription.PERMIT)
]
policy = VersionedPolicy(
rule=PolicyRule(id='rule1', priority=3, flow_list=flow_list),
version=1,
)
enf_stat_name = imsi + '|' + 'rule1' + '|' + sub_ip + '|' + "1"
""" Setup subscriber, setup table_isolation to fwd pkts """
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller, self._main_tbl_num,
self.enforcement_stats_controller).add_policy(policy)
snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
self.service_manager)
self.enforcement_stats_controller._report_usage.reset_mock()
with sub_context, snapshot_verifier:
self.enforcement_stats_controller.init_finished = True
flows.send_stats_request(
self.enforcement_stats_controller._datapath,
self.enforcement_stats_controller.tbl_num, 1,
flows.OVS_COOKIE_MATCH_ALL)
wait_for_enforcement_stats(self.enforcement_stats_controller,
[enf_stat_name])
stats = get_enforcement_stats(
self.enforcement_stats_controller._report_usage.call_args_list)
self.assertEqual(stats[enf_stat_name].rule_id, 'rule1')
self.enforcement_stats_controller._poll_stats = original
self.assertEqual(len(stats), 1)
def _get_whitelist_policy_rule(
self,
policy_id: str,
ip: str,
port: int,
) -> PolicyRule:
return PolicyRule(
# Don't set the rating group
# Don't set the monitoring key
# Don't set the hard timeout
id=policy_id,
priority=100,
qos=self._get_default_qos(),
flow_list=self._get_whitelist_flows(ip, port),
tracking_type=PolicyRule.TrackingType.Value("NO_TRACKING"),
)
def activate_gy_redirect(client, args):
request = ActivateFlowsRequest(
sid=SIDUtils.to_pb(args.imsi),
ip_addr=args.ipv4,
dynamic_rules=[
PolicyRule(id=args.rule_id,
priority=999,
flow_list=[],
redirect=RedirectInformation(
support=1,
address_type=2,
server_address=args.redirect_addr))
],
request_origin=RequestOriginType(type=RequestOriginType.GY))
response = client.ActivateFlows(request)
_print_rule_mod_results(response.dynamic_rule_results)
def create_bearer(client, args):
req = CreateBearerRequest(
sid=SIDUtils.to_pb(args.imsi),
link_bearer_id=args.lbi,
policy_rules=[
PolicyRule(qos=FlowQos(qci=args.qci,
gbr_ul=args.gbr_ul,
gbr_dl=args.gbr_dl,
max_req_bw_ul=args.mbr_ul,
max_req_bw_dl=args.mbr_dl,
arp=QosArp(priority_level=args.priority,
pre_capability=args.pre_cap,
pre_vulnerability=args.pre_vul)))
])
print("Creating dedicated bearer for : ", args.imsi)
client.CreateBearer(req)
def __init__(self):
self._set_session = SetSMSessionContext(
common_context=CommonSessionContext(
sid=SubscriberID(id="IMSI12345"),
ue_ipv4="192.168.128.11",
apn=bytes("BLR", 'utf-8'),
rat_type=RATType.Name(2),
sm_session_state=SMSessionFSMState.Name(2),
sm_session_version=1,
),
rat_specific_context=RatSpecificContext(
m5gsm_session_context=M5GSMSessionContext(
pdu_session_id=1,
request_type=RequestType.Name(
1,
),
gnode_endpoint=TeidSet(
teid=10000,
end_ipv4_addr="192.168.60.141",
),
pdu_session_type=PduSessionType.Name(0),
ssc_mode=SscMode.Name(2),
qos_policy=[
QosPolicy(
policy_state=0,
policy_action=1,
version=2,
qos=PolicyRule(
id="ims-voice",
priority=10,
flow_list=[],
qos=FlowQos(
qci=int(5),
max_req_bw_ul=100000,
max_req_bw_dl=100000,
arp=QosArp(
priority_level=1,
pre_capability=1,
pre_vulnerability=0,
),
),
),
),
],
),
),
)
def test_subscriber_redirect_policy(self):
"""
Add redirect policy to subscriber, send 4096 packets
Assert:
Packets are properly matched with the 'simple_match' policy
Send /20 (4096) packets, match /16 (256) packets
"""
fake_controller_setup(self.gy_controller)
imsi = 'IMSI010000000088888'
sub_ip = '192.168.128.74'
redirect_ips = ["185.128.101.5", "185.128.121.4"]
self.gy_controller._redirect_manager._dns_cache.get(
"about.sha.ddih.org", lambda: redirect_ips, max_age=42)
flow_list = [FlowDescription(match=FlowMatch())]
policy = VersionedPolicy(
rule=PolicyRule(id='redir_test',
priority=3,
flow_list=flow_list,
redirect=RedirectInformation(
support=1,
address_type=2,
server_address="http://about.sha.ddih.org/")),
version=1,
)
# ============================ Subscriber ============================
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.gy_controller, self._tbl_num).add_policy(policy)
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context.cfg).build_requests(), self.testing_controller)
pkt_sender = ScapyPacketInjector(self.IFACE)
packet = TCPPacketBuilder()\
.set_tcp_layer(42132, 80, 2)\
.set_tcp_flags("S")\
.set_ip_layer('151.42.41.122', sub_ip)\
.set_ether_layer(self.MAC_DEST, "01:20:10:20:aa:bb")\
.build()
snapshot_verifier = SnapshotVerifier(self,
self.BRIDGE,
self.service_manager,
include_stats=False)
with isolator, sub_context, snapshot_verifier:
pkt_sender.send(packet)
def _get_allow_all_policy_rule(
self,
policy_id: str,
) -> PolicyRule:
"""
This builds a PolicyRule used as a default to allow traffic
for an attached subscriber.
"""
return PolicyRule(
# Don't set the rating group
# Don't set the monitoring key
# Don't set the hard timeout
id=policy_id,
priority=2,
flow_list=self._get_allow_all_flows(),
tracking_type=PolicyRule.TrackingType.Value("NO_TRACKING"),
)
def test_invalid_subscriber(self):
"""
Try to apply an invalid policy to a subscriber, should log and error
Assert:
Only 1 flow gets added to the table (drop flow)
"""
fake_controller_setup(self.enforcement_controller)
imsi = 'IMSI000000000000001'
sub_ip = '192.168.128.45'
flow_list = [
FlowDescription(
match=FlowMatch(
ip_src=convert_ipv4_str_to_ip_proto('9999.0.0.0/24'), ),
action=FlowDescription.DENY,
),
]
policy = \
VersionedPolicy(
rule=PolicyRule(id='invalid', priority=2, flow_list=flow_list),
version=1,
)
invalid_sub_context = RyuDirectSubscriberContext(
imsi,
sub_ip,
self.enforcement_controller,
self._tbl_num,
).add_policy(policy)
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
invalid_sub_context.cfg).build_requests(),
self.testing_controller,
)
flow_query = FlowQuery(self._tbl_num, self.testing_controller)
num_flows_start = len(flow_query.lookup())
snapshot_verifier = SnapshotVerifier(
self,
self.BRIDGE,
self.service_manager,
)
with isolator, invalid_sub_context, snapshot_verifier:
wait_after_send(self.testing_controller)
num_flows_final = len(flow_query.lookup())
self.assertEqual(num_flows_final - num_flows_start, 0)
def _build_activate_flows_data(ue_dict, disable_qos):
activate_flow_reqs = []
if disable_qos:
print("QOS Disabled")
apn_ambr = None
else:
print("QOS Enabled")
apn_ambr = AggregatedMaximumBitrate(
max_bandwidth_ul=1000000000,
max_bandwidth_dl=1000000000,
)
for ue in ue_dict:
request = ActivateFlowsRequest(
sid=SIDUtils.to_pb(ue.imsi_str),
ip_addr=ue.ipv4_src,
policies=[
VersionedPolicy(
rule=PolicyRule(
id=ue.rule_id,
priority=10,
flow_list=[
FlowDescription(match=FlowMatch(
ip_dst=convert_ipv4_str_to_ip_proto(
ue.ipv4_src),
direction=FlowMatch.UPLINK,
), ),
FlowDescription(match=FlowMatch(
ip_src=convert_ipv4_str_to_ip_proto(
ue.ipv4_dst),
direction=FlowMatch.DOWNLINK,
), ),
],
),
version=1,
),
],
request_origin=RequestOriginType(type=RequestOriginType.GX),
apn_ambr=apn_ambr,
)
request_dict = json_format.MessageToDict(request)
# Dumping ActivateFlows request into json
activate_flow_reqs.append(request_dict)
with open('activate_flows.json', 'w') as file:
json.dump(activate_flow_reqs, file, separators=(',', ':'))
def activate_dynamic_rule(client, args):
request = ActivateFlowsRequest(
sid=SIDUtils.to_pb(args.imsi),
dynamic_rules=[
PolicyRule(
id=args.rule_id,
priority=args.priority,
hard_timeout=args.hard_timeout,
flow_list=[
FlowDescription(match=FlowMatch(
ipv4_dst=args.ipv4_dst, direction=FlowMatch.UPLINK)),
FlowDescription(match=FlowMatch(
ipv4_src=args.ipv4_dst, direction=FlowMatch.DOWNLINK)),
],
)
],
request_origin=RequestOriginType(type=RequestOriginType.GX))
response = client.ActivateFlows(request)
_print_rule_mod_results(response.dynamic_rule_results)
def create_bearer(self, imsi, lbi):
"""
Sends a CreateBearer Request to SPGW service
"""
print('Sending CreateBearer request to spgw service')
req = CreateBearerRequest(
sid=SIDUtils.to_pb(imsi),
link_bearer_id=lbi,
policy_rules=[
PolicyRule(qos=FlowQos(qci=1,
gbr_ul=10000000,
gbr_dl=10000000,
max_req_bw_ul=10000000,
max_req_bw_dl=10000000,
arp=QosArp(
priority_level=1,
pre_capability=1,
pre_vulnerability=0,
)))
])
self._stub.CreateBearer(req)
def CreateAddQERinPDR(qos_enforce_rule: QoSEnforceRuleEntry,
ue_ip_addr: str) -> ActivateFlowsRequest:
if qos_enforce_rule.allow == 'YES':
allow = FlowDescription.PERMIT
else:
allow = FlowDescription.DENY
ip_dst = None
ip_src = None
if qos_enforce_rule.ipv4_dst:
ip_dst = convert_ipv4_str_to_ip_proto(qos_enforce_rule.ipv4_dst)
ip_src = convert_ipv4_str_to_ip_proto(qos_enforce_rule.ipv4_dst)
if qos_enforce_rule.direction == FlowMatch.UPLINK:
flow_list = [
FlowDescription(match=FlowMatch(
ip_dst=ip_dst, direction=qos_enforce_rule.direction),
action=allow)
]
else:
flow_list = [
FlowDescription(match=FlowMatch(
ip_src=ip_src, direction=qos_enforce_rule.direction),
action=allow)
]
qos_enforce_rule = ActivateFlowsRequest(
sid=SIDUtils.to_pb(qos_enforce_rule.imsi),
ip_addr=ue_ip_addr,
dynamic_rules=[
PolicyRule(id=qos_enforce_rule.rule_id,
priority=qos_enforce_rule.priority,
hard_timeout=qos_enforce_rule.hard_timeout,
flow_list=flow_list)
],
request_origin=RequestOriginType(type=RequestOriginType.N4))
return qos_enforce_rule
def activate_flows(client, args):
request = ActivateFlowsRequest(
sid=SIDUtils.to_pb(args.imsi),
ip_addr=args.ipv4,
policies=[VersionedPolicy(
rule=PolicyRule(
id=args.rule_id,
priority=args.priority,
hard_timeout=args.hard_timeout,
flow_list=[
FlowDescription(match=FlowMatch(
ip_dst=convert_ipv4_str_to_ip_proto(args.ipv4_dst),
direction=FlowMatch.UPLINK)),
FlowDescription(match=FlowMatch(
ip_src=convert_ipv4_str_to_ip_proto(args.ipv4_dst),
direction=FlowMatch.DOWNLINK)),
],
),
version=1)],
request_origin=RequestOriginType(type=RequestOriginType.GX))
response = client.ActivateFlows(request)
_print_rule_mod_results(response.policy_results)
def create_uplink_rule(
id,
rating_group,
ip_dest,
m_key=None,
priority=10,
tracking=PolicyRule.ONLY_OCS,
action=FlowDescription.PERMIT,
):
"""
Create a rule with a single uplink IP flow, useful for testing
Args:
id (string): rule id
rating_group (int): charging key
ip_dest (string): IP destination for rule flow
m_key (optional string): monitoring key, if the rule is tracked by PCRF
priority (int): priority of flow, the greater the higher the priority
tracking (PolicyRule.TrackingType): enum to dictate whether OCS or PCRF
or both is tracking the credit
action: permit or deny
Returns:
PolicyRule with single uplink IP flow
"""
return PolicyRule(
id=id,
priority=priority,
flow_list=[
FlowDescription(
match=FlowMatch(
ipv4_dst=ip_dest,
direction=FlowMatch.UPLINK,
),
action=action,
),
],
tracking_type=tracking,
rating_group=rating_group,
monitoring_key=m_key,
)
def add_rule(self, args):
rule_id = args.rule_id
policy_dict = PolicyRuleDict()
arg_list = {
'ip_proto':
args.ip_proto,
'ip_dst':
IPAddress(
version=IPAddress.IPV4,
address=args.ipv4_dst.encode('utf-8'),
),
'ip_src':
IPAddress(
version=IPAddress.IPV4,
address=args.ipv4_src.encode('utf-8'),
),
'tcp_dst':
args.tcp_dst,
'tcp_src':
args.tcp_src,
'udp_dst':
args.udp_dst,
'udp_src':
args.udp_src,
'direction':
args.direction,
}
match = FlowMatch(**arg_list)
flow = FlowDescription(match=match, action=args.action)
rule = policy_dict.get(rule_id)
if not rule or args.overwrite:
action = 'add'
rule = PolicyRule(id=rule_id, flow_list=[flow])
else:
action = 'edit'
rule.flow_list.extend([flow])
policy_dict[rule_id] = rule
print("Rule '%s' successfully %sed!" % (rule_id, action))
def _get_whitelisted_policies(self):
""" Policies to allow http traffic to the whitelisted sites """
rules = []
for ip, ports in self._whitelisted_ips.items():
for port in ports:
if ip == 'local':
ip = self._local_ip
rules.append(
PolicyRule(
id='whitelist',
priority=self.ALLOW_ALL_PRIORITY,
flow_list=[
FlowDescription(
match=FlowMatch(direction=FlowMatch.UPLINK,
ip_proto=FlowMatch.IPPROTO_TCP,
ipv4_dst=ip,
tcp_dst=port)),
FlowDescription(
match=FlowMatch(direction=FlowMatch.DOWNLINK,
ip_proto=FlowMatch.IPPROTO_TCP,
ipv4_src=ip,
tcp_src=port)),
]))
return rules
def activate_gy_redirect(client, args):
request = ActivateFlowsRequest(
sid=SIDUtils.to_pb(args.imsi),
ip_addr=args.ipv4,
policies=[
VersionedPolicy(
rule=PolicyRule(
id=args.rule_id,
priority=999,
flow_list=[],
redirect=RedirectInformation(
support=1,
address_type=2,
server_address=args.redirect_addr,
),
),
version=1,
),
],
request_origin=RequestOriginType(type=RequestOriginType.GY),
shard_id=args.shard_id,
)
response = client.ActivateFlows(request)
_print_rule_mod_results(response.policy_results)
def test_Update(self):
"""
Test the happy path where updates come in for rules, and sessiond
accepts the SessionRules without issue.
"""
# Expected call arguments to SetSessionRules
allow_all_flow_list = [
FlowDescription(
match=FlowMatch(
direction=FlowMatch.Direction.Value("UPLINK"), ),
action=FlowDescription.Action.Value("PERMIT"),
),
FlowDescription(
match=FlowMatch(
direction=FlowMatch.Direction.Value("DOWNLINK"), ),
action=FlowDescription.Action.Value("PERMIT"),
),
] # type: List[FlowDescription]
no_tracking_type = PolicyRule.TrackingType.Value("NO_TRACKING")
expected = SessionRules(rules_per_subscriber=[
RulesPerSubscriber(
imsi='imsi_1',
rule_set=[
RuleSet(
apply_subscriber_wide=False,
apn="apn1",
static_rules=[
StaticRuleInstall(rule_id="p1"),
],
dynamic_rules=[
DynamicRuleInstall(policy_rule=PolicyRule(
id="allowlist_sid-imsi_1-apn1",
priority=2,
flow_list=allow_all_flow_list,
tracking_type=no_tracking_type,
))
],
),
]),
RulesPerSubscriber(
imsi='imsi_2',
rule_set=[
RuleSet(
apply_subscriber_wide=False,
apn="apn1",
static_rules=[
StaticRuleInstall(rule_id="p5"),
],
dynamic_rules=[
DynamicRuleInstall(policy_rule=PolicyRule(
id="allowlist_sid-imsi_2-apn1",
priority=2,
flow_list=allow_all_flow_list,
tracking_type=no_tracking_type,
))
],
),
])
])
# Setup the test
apn_rules_dict = {}
basenames_dict = {
'bn1': ChargingRuleNameSet(RuleNames=['p5']),
'bn2': ChargingRuleNameSet(RuleNames=['p6']),
}
stub = MockLocalSessionManagerStub()
stub_call_args = [] # type: List[SessionRules]
side_effect = get_SetSessionRules_side_effect(stub_call_args)
stub.SetSessionRules = Mock(side_effect=side_effect)
callback = ApnRuleMappingsStreamerCallback(
stub,
basenames_dict,
apn_rules_dict,
)
# Construct a set of updates, keyed by subscriber ID
updates = [
DataUpdate(
key="imsi_1",
value=SubscriberPolicySet(rules_per_apn=[
ApnPolicySet(
apn="apn1",
assigned_base_names=[],
assigned_policies=["p1"],
),
], ).SerializeToString(),
),
DataUpdate(
key="imsi_2",
value=SubscriberPolicySet(rules_per_apn=[
ApnPolicySet(
apn="apn1",
assigned_base_names=["bn1"],
assigned_policies=[],
),
], ).SerializeToString(),
),
]
callback.process_update("stream", updates, False)
# Since we used a stub which always succeeds when a RAR is made,
# We should expect the assignments_dict to be updated
imsi_1_policies = apn_rules_dict["imsi_1"]
self.assertEqual(len(imsi_1_policies.rules_per_apn), 1,
'There should be 1 active APNs for imsi_1')
self.assertEqual(len(stub_call_args), 1,
'Stub should have been called once')
called_with = stub_call_args[0].SerializeToString()
self.assertEqual(called_with, expected.SerializeToString(),
'SetSessionRules call has incorrect arguments')
# Stream down a second update, and now IMSI_1 gets access to a new APN
updates_2 = [
DataUpdate(
key="imsi_1",
value=SubscriberPolicySet(rules_per_apn=[
ApnPolicySet(
apn="apn2",
assigned_base_names=["bn1"],
assigned_policies=[],
),
], ).SerializeToString(),
),
DataUpdate(
key="imsi_2",
value=SubscriberPolicySet(
global_base_names=["bn2"],
global_policies=[],
rules_per_apn=[
ApnPolicySet(
apn="apn1",
assigned_base_names=[],
assigned_policies=[],
),
],
).SerializeToString(),
),
]
expected_2 = SessionRules(rules_per_subscriber=[
RulesPerSubscriber(
imsi='imsi_1',
rule_set=[
RuleSet(
apply_subscriber_wide=False,
apn="apn2",
static_rules=[
StaticRuleInstall(rule_id="p5"),
],
dynamic_rules=[
DynamicRuleInstall(policy_rule=PolicyRule(
id="allowlist_sid-imsi_1-apn2",
priority=2,
flow_list=allow_all_flow_list,
tracking_type=no_tracking_type,
))
],
),
]),
RulesPerSubscriber(
imsi='imsi_2',
rule_set=[
RuleSet(
apply_subscriber_wide=False,
apn="apn1",
static_rules=[
StaticRuleInstall(rule_id="p6"),
],
dynamic_rules=[
DynamicRuleInstall(policy_rule=PolicyRule(
id="allowlist_sid-imsi_2-apn1",
priority=2,
flow_list=allow_all_flow_list,
tracking_type=no_tracking_type,
))
],
),
]),
])
callback.process_update("stream", updates_2, False)
imsi_1_policies = apn_rules_dict["imsi_1"]
self.assertEqual(len(imsi_1_policies.rules_per_apn), 1,
'There should be 1 active APNs for imsi_1')
self.assertEqual(len(stub_call_args), 2,
'Stub should have been called twice')
called_with = stub_call_args[1].SerializeToString()
self.assertEqual(called_with, expected_2.SerializeToString(),
'SetSessionRules call has incorrect arguments')
def test_rule_reactivation(self):
"""
Adds a policy to a subscriber, deletes it by incrementing the
version, and add it back. Verifies that the usage stats is correctly
reported, the old flows are deleted, and the new flows are installed.
Assert:
UPLINK policy matches 128 packets (*34 = 4352 bytes)
Old flows are deleted
New flows are installed
No other stats are reported
"""
fake_controller_setup(self.enforcement_controller,
self.enforcement_stats_controller)
imsi = 'IMSI001010000000013'
sub_ip = '192.168.128.74'
num_pkts_tx_match = 128
flow_list = [
FlowDescription(match=FlowMatch(ipv4_dst='45.10.0.0/25',
direction=FlowMatch.UPLINK),
action=FlowDescription.PERMIT)
]
policy = PolicyRule(id='rule1', priority=3, flow_list=flow_list)
enf_stat_name = imsi + '|rule1'
self.service_manager.session_rule_version_mapper.update_version(
imsi, 'rule1')
version = \
self.service_manager.session_rule_version_mapper.get_version(
imsi, 'rule1')
""" Setup subscriber, setup table_isolation to fwd pkts """
self._static_rule_dict[policy.id] = policy
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller, self._main_tbl_num,
self.enforcement_stats_controller).add_static_rule(policy.id)
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context.cfg).build_requests(), self.testing_controller)
""" Create a packet """
pkt_sender = ScapyPacketInjector(self.IFACE)
packet = IPPacketBuilder() \
.set_ip_layer('45.10.0.0/20', sub_ip) \
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00") \
.build()
# =========================== Verification ===========================
rule_num = self.enforcement_stats_controller._rule_mapper \
.get_or_create_rule_num(policy.id)
enf_query = FlowQuery(self._main_tbl_num,
self.testing_controller,
match=flow_match_to_magma_match(
FlowMatch(ipv4_dst='45.10.0.0/25',
direction=FlowMatch.UPLINK)),
cookie=rule_num)
es_old_version_query = FlowQuery(self._scratch_tbl_num,
self.testing_controller,
match=MagmaMatch(
imsi=encode_imsi(imsi),
reg2=rule_num,
rule_version=version),
cookie=rule_num)
es_new_version_query = FlowQuery(self._scratch_tbl_num,
self.testing_controller,
match=MagmaMatch(
imsi=encode_imsi(imsi),
reg2=rule_num,
rule_version=version + 1),
cookie=rule_num)
packet_wait = FlowVerifier([], self._wait_func([enf_stat_name]))
""" Verify that flows are properly deleted """
verifier = FlowVerifier([
FlowTest(es_old_version_query, 0, flow_count=0),
FlowTest(es_new_version_query, num_pkts_tx_match, flow_count=2),
FlowTest(enf_query, num_pkts_tx_match, flow_count=1),
], self._wait_func([enf_stat_name]))
snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
self.service_manager)
"""
Send a packet, then deactivate and reactivate the same rule and send a
packet. Wait until it is received by ovs and enf stats.
"""
with isolator, sub_context, verifier, snapshot_verifier:
with packet_wait:
self.enforcement_stats_controller._report_usage.reset_mock()
pkt_sender.send(packet)
self.enforcement_stats_controller._report_usage.reset_mock()
self.service_manager.session_rule_version_mapper. \
update_version(imsi, 'rule1')
self.enforcement_controller.deactivate_rules(imsi, [policy.id])
self.enforcement_controller.activate_rules(imsi, sub_ip,
[policy.id], [])
self.enforcement_stats_controller.activate_rules(
imsi, sub_ip, [policy.id], [])
pkt_sender.send(packet)
verifier.verify()
stats = get_enforcement_stats(
self.enforcement_stats_controller._report_usage.call_args_list)
"""
Verify both packets are reported after reactivation.
"""
self.assertEqual(stats[enf_stat_name].sid, imsi)
self.assertEqual(stats[enf_stat_name].rule_id, "rule1")
self.assertEqual(stats[enf_stat_name].bytes_rx, 0)
# TODO Figure out why this one fails.
#self.assertEqual(stats[enf_stat_name].bytes_tx,
# num_pkts_tx_match * len(packet))
self.assertEqual(len(stats), 1)
def test_subscriber_policy(self):
"""
Adds 2 policies to subscriber, verifies that EnforcementStatsController
reports correct stats to sessiond
Assert:
UPLINK policy matches 128 packets (*34 = 4352 bytes)
DOWNLINK policy matches 256 packets (*34 = 8704 bytes)
No other stats are reported
"""
fake_controller_setup(self.enforcement_controller,
self.enforcement_stats_controller)
imsi = 'IMSI001010000000013'
sub_ip = '192.168.128.74'
num_pkts_tx_match = 128
num_pkts_rx_match = 256
""" Create 2 policy rules for the subscriber """
flow_list1 = [
FlowDescription(match=FlowMatch(ipv4_dst='45.10.0.0/25',
direction=FlowMatch.UPLINK),
action=FlowDescription.PERMIT)
]
flow_list2 = [
FlowDescription(match=FlowMatch(ipv4_src='45.10.0.0/24',
direction=FlowMatch.DOWNLINK),
action=FlowDescription.PERMIT)
]
policies = [
PolicyRule(id='tx_match', priority=3, flow_list=flow_list1),
PolicyRule(id='rx_match', priority=5, flow_list=flow_list2)
]
enf_stat_name = [imsi + '|tx_match', imsi + '|rx_match']
self.service_manager.session_rule_version_mapper.update_version(
imsi, 'tx_match')
self.service_manager.session_rule_version_mapper.update_version(
imsi, 'rx_match')
""" Setup subscriber, setup table_isolation to fwd pkts """
self._static_rule_dict[policies[0].id] = policies[0]
self._static_rule_dict[policies[1].id] = policies[1]
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller, self._main_tbl_num,
self.enforcement_stats_controller).add_static_rule(
policies[0].id).add_static_rule(policies[1].id)
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context.cfg).build_requests(), self.testing_controller)
""" Create 2 sets of packets, for policry rule1&2 """
pkt_sender = ScapyPacketInjector(self.IFACE)
packet1 = IPPacketBuilder()\
.set_ip_layer('45.10.0.0/20', sub_ip)\
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
.build()
packet2 = IPPacketBuilder()\
.set_ip_layer(sub_ip, '45.10.0.0/20')\
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
.build()
# =========================== Verification ===========================
flow_verifier = FlowVerifier([], self._wait_func(enf_stat_name))
snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
self.service_manager)
""" Send packets, wait until pkts are received by ovs and enf stats """
with isolator, sub_context, flow_verifier, snapshot_verifier:
pkt_sender.send(packet1)
pkt_sender.send(packet2)
stats = get_enforcement_stats(
self.enforcement_stats_controller._report_usage.call_args_list)
self.assertEqual(stats[enf_stat_name[0]].sid, imsi)
self.assertEqual(stats[enf_stat_name[0]].rule_id, "tx_match")
self.assertEqual(stats[enf_stat_name[0]].bytes_rx, 0)
self.assertEqual(stats[enf_stat_name[0]].bytes_tx,
num_pkts_tx_match * len(packet1))
self.assertEqual(stats[enf_stat_name[1]].sid, imsi)
self.assertEqual(stats[enf_stat_name[1]].rule_id, "rx_match")
self.assertEqual(stats[enf_stat_name[1]].bytes_tx, 0)
# downlink packets will discount ethernet header by default
# so, only count the IP portion
total_bytes_pkt2 = num_pkts_rx_match * len(packet2[IP])
self.assertEqual(stats[enf_stat_name[1]].bytes_rx, total_bytes_pkt2)
self.assertEqual(len(stats), 2)
def test_two_subscribers(self):
"""
Add 2 subscribers at the same time
Assert:
For subcriber1 the packets are matched to the proper policy
For subcriber2 the packets are matched to the proper policy
The total packet delta in the table is from the above matches
"""
fake_controller_setup(self.enforcement_controller)
pkt_sender = ScapyPacketInjector(self.IFACE)
ip_match = [
FlowDescription(match=FlowMatch(
ip_src=convert_ipv4_str_to_ip_proto('8.8.8.0/24'),
direction=1),
action=1)
]
tcp_match = [
FlowDescription(match=FlowMatch(ip_proto=6,
direction=FlowMatch.DOWNLINK),
action=FlowDescription.DENY)
]
self._static_rule_dict['t'] = PolicyRule(id='t',
priority=2,
flow_list=ip_match)
# =========================== Subscriber 1 ===========================
sub_context1 = RyuDirectSubscriberContext(
'IMSI208950001111111', '192.168.128.5',
self.enforcement_controller, self._tbl_num).add_static_rule('t')
isolator1 = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context1.cfg).build_requests(), self.testing_controller)
packet_ip = IPPacketBuilder()\
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
.set_ip_layer(sub_context1.cfg.ip, '8.8.8.8')\
.build()
s1_pkts_sent = 29
pkts_to_send = [PktsToSend(packet_ip, s1_pkts_sent)]
flow_query1 = FlowQuery(self._tbl_num,
self.testing_controller,
match=flow_match_to_magma_match(
ip_match[0].match))
s1 = SubTest(sub_context1, isolator1,
FlowTest(flow_query1, s1_pkts_sent))
# =========================== Subscriber 2 ===========================
sub_context2 = RyuDirectSubscriberContext(
'IMSI911500451242001', '192.168.128.100',
self.enforcement_controller, self._tbl_num).add_dynamic_rule(
PolicyRule(id='qqq', priority=2, flow_list=tcp_match))
isolator2 = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context2.cfg).build_requests(), self.testing_controller)
packet_tcp = TCPPacketBuilder()\
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
.set_ip_layer(sub_context2.cfg.ip, '15.0.0.8')\
.build()
s2_pkts_sent = 18
pkts_to_send.append(PktsToSend(packet_tcp, s2_pkts_sent))
flow_query2 = FlowQuery(self._tbl_num,
self.testing_controller,
match=flow_match_to_magma_match(
tcp_match[0].match))
s2 = SubTest(sub_context2, isolator2,
FlowTest(flow_query2, s2_pkts_sent))
# =========================== Verification ===========================
# Verify aggregate table stats, subscriber 1 & 2 flows packet matches
pkts = s1_pkts_sent + s2_pkts_sent
flow_verifier = FlowVerifier([
FlowTest(FlowQuery(self._tbl_num, self.testing_controller), pkts),
s1.flowtest_list, s2.flowtest_list
], lambda: wait_after_send(self.testing_controller))
snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
self.service_manager)
with s1.isolator, s1.context, s2.isolator, s2.context, flow_verifier, \
snapshot_verifier:
for pkt in pkts_to_send:
pkt_sender.send(pkt.pkt, pkt.num)
flow_verifier.verify()
def test_subscriber_two_policies(self):
"""
Add 2 policies to subscriber
Assert:
Packets are properly matched with the 'match' policy
The total packet delta in the table is from the above match
"""
fake_controller_setup(self.enforcement_controller)
imsi = 'IMSI208950000000001'
sub_ip = '192.168.128.74'
flow_list1 = [
FlowDescription(match=FlowMatch(
ip_src=convert_ipv4_str_to_ip_proto('15.0.0.0/24'),
direction=FlowMatch.DOWNLINK),
action=FlowDescription.DENY)
]
flow_list2 = [
FlowDescription(match=FlowMatch(ip_proto=6,
direction=FlowMatch.UPLINK),
action=FlowDescription.PERMIT)
]
policies = [
PolicyRule(id='match', priority=2, flow_list=flow_list1),
PolicyRule(id='no_match', priority=2, flow_list=flow_list2)
]
pkts_sent = 42
self._static_rule_dict[policies[0].id] = policies[0]
self._static_rule_dict[policies[1].id] = policies[1]
# ============================ Subscriber ============================
sub_context = RyuDirectSubscriberContext(imsi, sub_ip,
self.enforcement_controller,
self._tbl_num) \
.add_static_rule(policies[0].id)\
.add_static_rule(policies[1].id)
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context.cfg).build_requests(), self.testing_controller)
pkt_sender = ScapyPacketInjector(self.IFACE)
packet = IPPacketBuilder()\
.set_ip_layer(sub_ip, '15.0.0.8')\
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
.build()
flow_query = FlowQuery(self._tbl_num,
self.testing_controller,
match=flow_match_to_magma_match(
flow_list1[0].match))
# =========================== Verification ===========================
# Verify aggregate table stats, subscriber 1 'match' rule pkt count
flow_verifier = FlowVerifier([
FlowTest(FlowQuery(self._tbl_num, self.testing_controller),
pkts_sent),
FlowTest(flow_query, pkts_sent)
], lambda: wait_after_send(self.testing_controller))
snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
self.service_manager)
with isolator, sub_context, flow_verifier, snapshot_verifier:
pkt_sender.send(packet, pkts_sent)
flow_verifier.verify()
