def test_invalid_subscriber(self):
"""
Try to apply an invalid policy to a subscriber, should log and error
Assert:
Only 1 flow gets added to the table (drop flow)
"""
fake_controller_setup(self.enforcement_controller)
imsi = 'IMSI000000000000001'
sub_ip = '192.168.128.45'
flow_list = [
FlowDescription(match=FlowMatch(ipv4_src='9999.0.0.0/24'),
action=FlowDescription.DENY)
]
policy = PolicyRule(id='invalid', priority=2, flow_list=flow_list)
invalid_sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller,
self._tbl_num).add_dynamic_rule(policy)
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
invalid_sub_context.cfg).build_requests(),
self.testing_controller)
flow_query = FlowQuery(self._tbl_num, self.testing_controller)
num_flows_start = len(flow_query.lookup())
snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
self.service_manager)
with isolator, invalid_sub_context, snapshot_verifier:
wait_after_send(self.testing_controller)
num_flows_final = len(flow_query.lookup())
self.assertEqual(num_flows_final - num_flows_start, 1)
def add_rule(args):
rule_id = args.rule_id
policy_dict = PolicyRuleDict()
arg_list = {
'ip_proto':
args.ip_proto,
'ip_dst':
IPAddress(version=IPAddress.IPV4,
address=args.ipv4_dst.encode('utf-8')),
'ip_src':
IPAddress(version=IPAddress.IPV4,
address=args.ipv4_src.encode('utf-8')),
'tcp_dst':
args.tcp_dst,
'tcp_src':
args.tcp_src,
'udp_dst':
args.udp_dst,
'udp_src':
args.udp_src,
'direction':
args.direction
}
match = FlowMatch(**arg_list)
flow = FlowDescription(match=match, action=args.action)
rule = policy_dict.get(rule_id)
if not rule or args.overwrite:
action = 'add'
rule = PolicyRule(id=rule_id, flow_list=[flow])
else:
action = 'edit'
rule.flow_list.extend([flow])
policy_dict[rule_id] = rule
print("Rule '%s' successfully %sed!" % (rule_id, action))
def test_deny_rule_install(self):
"""
Adds a policy to a subscriber. Verifies that flows are properly
installed in enforcement and enforcement stats.
Assert:
Policy classification flows installed in enforcement
Policy match flows installed in enforcement_stats
"""
fake_controller_setup(self.enforcement_controller,
self.enforcement_stats_controller)
imsi = 'IMSI001010000000014'
sub_ip = '192.16.15.7'
num_pkt_unmatched = 4096
flow_list = [
FlowDescription(match=FlowMatch(
ip_dst=convert_ipv4_str_to_ip_proto('1.1.0.0/24'),
direction=FlowMatch.UPLINK),
action=FlowDescription.DENY)
]
policy = PolicyRule(id='rule1', priority=3, flow_list=flow_list)
self.service_manager.session_rule_version_mapper.update_version(
imsi, convert_ipv4_str_to_ip_proto(sub_ip), 'rule1')
""" Setup subscriber, setup table_isolation to fwd pkts """
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller, self._main_tbl_num,
self.enforcement_stats_controller).add_dynamic_rule(policy)
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context.cfg).build_requests(), self.testing_controller)
pkt_sender = ScapyPacketInjector(self.IFACE)
packet = IPPacketBuilder() \
.set_ip_layer('45.10.0.0/20', sub_ip) \
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00") \
.build()
# =========================== Verification ===========================
# Verifies that 1 flow is installed in enforcement and 2 flows are
# installed in enforcement stats, one for uplink and one for downlink.
snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
self.service_manager)
with isolator, sub_context, snapshot_verifier:
pkt_sender.send(packet)
enf_stat_name = imsi + '|' + self.DEFAULT_DROP_FLOW_NAME + '|' + sub_ip
wait_for_enforcement_stats(self.enforcement_stats_controller,
[enf_stat_name])
stats = get_enforcement_stats(
self.enforcement_stats_controller._report_usage.call_args_list)
self.assertEqual(stats[enf_stat_name].sid, imsi)
self.assertEqual(stats[enf_stat_name].rule_id,
self.DEFAULT_DROP_FLOW_NAME)
self.assertEqual(stats[enf_stat_name].dropped_rx, 0)
self.assertEqual(stats[enf_stat_name].dropped_tx,
num_pkt_unmatched * len(packet))
def create_uplink_rule(id, rating_group, ip_dest, m_key=None,
priority=10, tracking=PolicyRule.ONLY_OCS,
action=FlowDescription.PERMIT):
"""
Create a rule with a single uplink IP flow, useful for testing
Args:
id (string): rule id
rating_group (int): charging key
ip_dest (string): IP destination for rule flow
m_key (optional string): monitoring key, if the rule is tracked by PCRF
priority (int): priority of flow, the greater the higher the priority
tracking (PolicyRule.TrackingType): enum to dictate whether OCS or PCRF
or both is tracking the credit
action: permit or deny
Returns:
PolicyRule with single uplink IP flow
"""
return PolicyRule(
id=id,
priority=priority,
flow_list=[FlowDescription(
match=FlowMatch(
ipv4_dst=ip_dest, direction=FlowMatch.UPLINK),
action=action)
],
tracking_type=tracking,
rating_group=rating_group,
monitoring_key=m_key,
)
def test_rule_install(self):
"""
Adds a policy to a subscriber. Verifies that flows are properly
installed in enforcement and enforcement stats.
Assert:
Policy classification flows installed in enforcement
Policy match flows installed in enforcement_stats
"""
fake_controller_setup(self.enforcement_controller,
self.enforcement_stats_controller)
imsi = 'IMSI001010000000013'
sub_ip = '192.168.128.74'
flow_list = [
FlowDescription(match=FlowMatch(ipv4_dst='45.10.0.0/25',
direction=FlowMatch.UPLINK),
action=FlowDescription.PERMIT)
]
policy = PolicyRule(id='rule1', priority=3, flow_list=flow_list)
self.service_manager.session_rule_version_mapper.update_version(
imsi, 'rule1')
version = \
self.service_manager.session_rule_version_mapper.get_version(
imsi, 'rule1')
""" Setup subscriber, setup table_isolation to fwd pkts """
self._static_rule_dict[policy.id] = policy
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller, self._main_tbl_num,
self.enforcement_stats_controller).add_static_rule(policy.id)
# =========================== Verification ===========================
rule_num = self.enforcement_stats_controller._rule_mapper \
.get_or_create_rule_num(policy.id)
enf_query = FlowQuery(self._main_tbl_num,
self.testing_controller,
match=flow_match_to_magma_match(
FlowMatch(ipv4_dst='45.10.0.0/25',
direction=FlowMatch.UPLINK)),
cookie=rule_num)
es_query = FlowQuery(self._scratch_tbl_num,
self.testing_controller,
match=MagmaMatch(imsi=encode_imsi(imsi),
reg2=rule_num,
rule_version=version),
cookie=rule_num)
# Verifies that 1 flow is installed in enforcement and 2 flows are
# installed in enforcement stats, one for uplink and one for downlink.
flow_verifier = FlowVerifier([
FlowTest(enf_query, 0, flow_count=1),
FlowTest(es_query, 0, flow_count=2),
], lambda: None)
snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
self.service_manager)
with sub_context, flow_verifier, snapshot_verifier:
pass
flow_verifier.verify()
def test_redirect_policy(self):
"""
Add a redirect policy, verifies that EnforcementStatsController reports
correct stats to sessiond
Assert:
1 Packet is matched and reported
"""
fake_controller_setup(self.enforcement_controller,
self.enforcement_stats_controller)
redirect_ips = ["185.128.101.5", "185.128.121.4"]
self.enforcement_controller._redirect_manager._dns_cache.get(
"about.sha.ddih.org", lambda: redirect_ips, max_age=42)
imsi = 'IMSI010000000088888'
sub_ip = '192.168.128.74'
flow_list = [FlowDescription(match=FlowMatch())]
policy = PolicyRule(id='redir_test',
priority=3,
flow_list=flow_list,
redirect=RedirectInformation(
support=1,
address_type=2,
server_address="http://about.sha.ddih.org/"))
stat_name = imsi + '|redir_test' + '|' + sub_ip
self.service_manager.session_rule_version_mapper.update_version(
imsi, convert_ipv4_str_to_ip_proto(sub_ip), 'redir_test')
""" Setup subscriber, setup table_isolation to fwd pkts """
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller, self._main_tbl_num,
self.enforcement_stats_controller).add_dynamic_rule(policy)
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context.cfg).build_requests(), self.testing_controller)
pkt_sender = ScapyPacketInjector(self.IFACE)
packet = TCPPacketBuilder() \
.set_tcp_layer(42132, 80, 321) \
.set_tcp_flags("S") \
.set_ip_layer('151.42.41.122', sub_ip) \
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00") \
.build()
# =========================== Verification ===========================
snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
self.service_manager)
""" Send packet, wait until pkts are received by ovs and enf stats """
with isolator, sub_context, snapshot_verifier:
self.enforcement_stats_controller._report_usage.reset_mock()
pkt_sender.send(packet)
wait_for_enforcement_stats(self.enforcement_stats_controller,
[stat_name])
""" Send packets, wait until pkts are received by ovs and enf stats """
stats = get_enforcement_stats(
self.enforcement_stats_controller._report_usage.call_args_list)
self.assertEqual(stats[stat_name].sid, imsi)
self.assertEqual(stats[stat_name].rule_id, "redir_test")
self.assertEqual(stats[stat_name].bytes_rx, 0)
self.assertEqual(stats[stat_name].bytes_tx, len(packet))
def test_cookie_poll(self):
"""
Add a subscriber policy, verify flows are properly installed
Assert:
Query with RULE_NUM 1 returns proper values
"""
original = self.enforcement_stats_controller._poll_stats
self.enforcement_stats_controller._poll_stats = MagicMock()
self.enforcement_stats_controller.init_finished = False
self.enforcement_controller.init_finished = True
imsi = 'IMSI001010000000013'
sub_ip = '192.168.128.74'
flow_list = [
FlowDescription(
match=FlowMatch(
ip_dst=convert_ipv4_str_to_ip_proto('45.10.0.0/25'),
direction=FlowMatch.UPLINK,
),
action=FlowDescription.PERMIT,
),
]
policy = VersionedPolicy(
rule=PolicyRule(id='rule1', priority=3, flow_list=flow_list),
version=1,
)
enf_stat_name = imsi + '|' + 'rule1' + '|' + sub_ip + '|' + "1"
""" Setup subscriber, setup table_isolation to fwd pkts """
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller,
self._main_tbl_num, self.enforcement_stats_controller,
).add_policy(policy)
snapshot_verifier = SnapshotVerifier(
self, self.BRIDGE,
self.service_manager,
)
self.enforcement_stats_controller._report_usage.reset_mock()
with sub_context, snapshot_verifier:
self.enforcement_stats_controller.init_finished = True
flows.send_stats_request(
self.enforcement_stats_controller._datapath,
self.enforcement_stats_controller.tbl_num,
0,
flows.OVS_COOKIE_MATCH_ALL,
)
wait_for_enforcement_stats(
self.enforcement_stats_controller,
[enf_stat_name],
)
stats = get_enforcement_stats(
self.enforcement_stats_controller._report_usage.call_args_list,
)
self.assertEqual(stats[enf_stat_name].rule_id, 'rule1')
self.enforcement_stats_controller._poll_stats = original
self.assertEqual(len(stats), 2)
def test_subscriber_restrict_policy(self):
"""
Add restrict policy to subscriber, send 4096 packets
Assert:
Packets are properly matched with the 'restrict_match' policy
Send /20 (4096) packets, match /16 (256) packets
"""
fake_controller_setup(self.gy_controller)
imsi = 'IMSI010000000088888'
sub_ip = '192.168.128.74'
flow_list1 = [
FlowDescription(match=FlowMatch(
ip_dst=convert_ipv4_str_to_ip_proto('8.8.8.0/24'),
direction=FlowMatch.UPLINK),
action=FlowDescription.PERMIT)
]
policies = [
VersionedPolicy(
rule=PolicyRule(id='restrict_match',
priority=2,
flow_list=flow_list1),
version=1,
)
]
pkts_matched = 256
pkts_sent = 4096
# ============================ Subscriber ============================
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.gy_controller,
self._tbl_num).add_policy(policies[0])
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context.cfg).build_requests(), self.testing_controller)
pkt_sender = ScapyPacketInjector(self.IFACE)
packet = IPPacketBuilder()\
.set_ip_layer('8.8.8.8', sub_ip)\
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
.build()
flow_query = FlowQuery(self._tbl_num,
self.testing_controller,
match=flow_match_to_magma_match(
flow_list1[0].match))
# =========================== Verification ===========================
# Verify aggregate table stats, subscriber 1 'simple_match' pkt count
flow_verifier = FlowVerifier([
FlowTest(FlowQuery(self._tbl_num, self.testing_controller),
pkts_sent),
FlowTest(flow_query, pkts_matched)
], lambda: wait_after_send(self.testing_controller))
snapshot_verifier = SnapshotVerifier(self,
self.BRIDGE,
self.service_manager,
include_stats=False)
with isolator, sub_context, flow_verifier, snapshot_verifier:
pkt_sender.send(packet)
def activate_dynamic_rule(client, args):
request = ActivateFlowsRequest(
sid=SIDUtils.to_pb(args.imsi),
dynamic_rules=[
PolicyRule(
id=args.rule_id,
priority=args.priority,
hard_timeout=args.hard_timeout,
flow_list=[
FlowDescription(match=FlowMatch(
ipv4_dst=args.ipv4_dst, direction=FlowMatch.UPLINK)),
FlowDescription(match=FlowMatch(
ipv4_src=args.ipv4_dst, direction=FlowMatch.DOWNLINK)),
],
)
])
client.ActivateFlows(request)
def _build_activate_flows_data(ue_dict, disable_qos):
activate_flow_reqs = []
if disable_qos:
print("QOS Disabled")
apn_ambr = None
else:
print("QOS Enabled")
apn_ambr = AggregatedMaximumBitrate(
max_bandwidth_ul=1000000000,
max_bandwidth_dl=1000000000,
)
for ue in ue_dict:
request = ActivateFlowsRequest(
sid=SIDUtils.to_pb(ue.imsi_str),
ip_addr=ue.ipv4_src,
policies=[
VersionedPolicy(
rule=PolicyRule(
id=ue.rule_id,
priority=10,
flow_list=[
FlowDescription(match=FlowMatch(
ip_dst=convert_ipv4_str_to_ip_proto(
ue.ipv4_src),
direction=FlowMatch.UPLINK,
), ),
FlowDescription(match=FlowMatch(
ip_src=convert_ipv4_str_to_ip_proto(
ue.ipv4_dst),
direction=FlowMatch.DOWNLINK,
), ),
],
),
version=1,
),
],
request_origin=RequestOriginType(type=RequestOriginType.GX),
apn_ambr=apn_ambr,
)
request_dict = json_format.MessageToDict(request)
# Dumping ActivateFlows request into json
activate_flow_reqs.append(request_dict)
with open('activate_flows.json', 'w') as file:
json.dump(activate_flow_reqs, file, separators=(',', ':'))
def test_subscriber_ipv6_policy(self):
"""
Add policy to subscriber, send 4096 packets
Assert:
Packets are properly matched with the 'simple_match' policy
Send /20 (4096) packets, match /16 (256) packets
"""
fake_controller_setup(self.enforcement_controller)
imsi = 'IMSI010000000088888'
sub_ip = 'de34:431d:1bc::'
flow_list1 = [
FlowDescription(
match=FlowMatch(
ip_dst=convert_ipv6_bytes_to_ip_proto(
'f333:432::dbca'.encode('utf-8'), ),
direction=FlowMatch.UPLINK,
),
action=FlowDescription.PERMIT,
),
]
policies = [
VersionedPolicy(
rule=PolicyRule(id='simple_match',
priority=2,
flow_list=flow_list1),
version=1,
),
]
# ============================ Subscriber ============================
sub_context = RyuDirectSubscriberContext(
imsi,
sub_ip,
self.enforcement_controller,
self._tbl_num,
).add_policy(policies[0])
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context.cfg).build_requests(),
self.testing_controller,
)
pkt_sender = ScapyPacketInjector(self.IFACE)
packet = IPv6PacketBuilder() \
.set_ip_layer('f333:432::dbca', sub_ip) \
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00") \
.build()
# =========================== Verification ===========================
snapshot_verifier = SnapshotVerifier(
self,
self.BRIDGE,
self.service_manager,
)
with isolator, sub_context, snapshot_verifier:
pkt_sender.send(packet)
def _get_allow_all_flows() -> List[FlowDescription]:
"""
Get flows for allowing all traffic
Returns:
Two flows, for outgoing and incoming traffic
"""
return [
# Set flow match for all packets
# Don't set the app_name field
FlowDescription( # uplink flow
match=FlowMatch(direction=FlowMatch.Direction.Value("UPLINK"), ),
action=FlowDescription.Action.Value("PERMIT"),
),
FlowDescription( # downlink flow
match=FlowMatch(direction=FlowMatch.Direction.Value("DOWNLINK"), ),
action=FlowDescription.Action.Value("PERMIT"),
),
]
def test_poll(self):
"""
Unit test to help verify stats polling using cookie and cookie_mask
"""
fake_controller_setup(
self.enforcement_controller,
self.enforcement_stats_controller,
)
imsi = 'IMSI001010000000013'
sub_ip = '192.168.128.74'
flow_list = [
FlowDescription(
match=FlowMatch(
ip_dst=convert_ipv4_str_to_ip_proto('45.10.0.0/25'),
direction=FlowMatch.UPLINK,
),
action=FlowDescription.PERMIT,
),
]
policy = VersionedPolicy(
rule=PolicyRule(id='rule1', priority=3, flow_list=flow_list),
version=1,
)
self.service_manager.session_rule_version_mapper.save_version(
imsi, convert_ipv4_str_to_ip_proto(sub_ip), 'rule1', 1,
)
""" Setup subscriber, setup table_isolation to fwd pkts """
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller,
self._main_tbl_num, self.enforcement_stats_controller,
).add_policy(policy)
snapshot_verifier = SnapshotVerifier(
self, self.BRIDGE,
self.service_manager,
)
with sub_context, snapshot_verifier:
rule_map = self.enforcement_stats_controller.get_stats()
if (rule_map.records[0].rule_id == self.DEFAULT_DROP_FLOW_NAME):
rule_record = rule_map.records[1]
else:
rule_record = rule_map.records[0]
self.assertEqual(rule_record.sid, imsi)
self.assertEqual(rule_record.rule_id, "rule1")
self.assertEqual(rule_record.bytes_tx, 0)
self.assertEqual(rule_record.bytes_rx, 0)
rule_map_cookie = self.enforcement_stats_controller.get_stats(1, 0)
if (rule_map_cookie.records[0].rule_id == self.DEFAULT_DROP_FLOW_NAME):
rule_record_cookie = rule_map_cookie.records[1]
else:
rule_record_cookie = rule_map_cookie.records[0]
self.assertEqual(rule_record_cookie.sid, imsi)
self.assertEqual(rule_record_cookie.rule_id, "rule1")
self.assertEqual(rule_record_cookie.bytes_tx, 0)
self.assertEqual(rule_record_cookie.bytes_rx, 0)
def test_rule_install(self):
"""
Adds a policy to a subscriber. Verifies that flows are properly
installed in enforcement and enforcement stats.
Assert:
Policy classification flows installed in enforcement
Policy match flows installed in enforcement_stats
"""
fake_controller_setup(
self.enforcement_controller,
self.enforcement_stats_controller,
)
imsi = 'IMSI001010000000013'
sub_ip = '192.168.128.74'
flow_list = [
FlowDescription(
match=FlowMatch(
ip_dst=convert_ipv4_str_to_ip_proto('45.10.0.0/25'),
direction=FlowMatch.UPLINK,
),
action=FlowDescription.PERMIT,
),
]
policy = VersionedPolicy(
rule=PolicyRule(id='rule1', priority=3, flow_list=flow_list),
version=1,
)
self.service_manager.session_rule_version_mapper.save_version(
imsi,
convert_ipv4_str_to_ip_proto(sub_ip),
'rule1',
1,
)
""" Setup subscriber, setup table_isolation to fwd pkts """
sub_context = RyuDirectSubscriberContext(
imsi,
sub_ip,
self.enforcement_controller,
self._main_tbl_num,
self.enforcement_stats_controller,
).add_policy(policy)
# =========================== Verification ===========================
# Verifies that 1 flow is installed in enforcement and 2 flows are
# installed in enforcement stats, one for uplink and one for downlink.
snapshot_verifier = SnapshotVerifier(
self,
self.BRIDGE,
self.service_manager,
)
with sub_context, snapshot_verifier:
pass
def activate_dynamic_rule(client, args):
request = ActivateFlowsRequest(
sid=SIDUtils.to_pb(args.imsi),
dynamic_rules=[
PolicyRule(
id=args.rule_id,
priority=args.priority,
hard_timeout=args.hard_timeout,
flow_list=[
FlowDescription(match=FlowMatch(
ipv4_dst=args.ipv4_dst, direction=FlowMatch.UPLINK)),
FlowDescription(match=FlowMatch(
ipv4_src=args.ipv4_dst, direction=FlowMatch.DOWNLINK)),
],
)
],
request_origin=RequestOriginType(type=RequestOriginType.GX))
response = client.ActivateFlows(request)
_print_rule_mod_results(response.dynamic_rule_results)
def get_flow_match(self, flow_list, flow_match_list):
"""
Populates flow match list
"""
for flow in flow_list:
flow_direction = (FlowMatch.UPLINK if flow["direction"] == "UL"
else FlowMatch.DOWNLINK)
ip_protocol = flow["ip_proto"]
if ip_protocol == "TCP":
ip_protocol = FlowMatch.IPPROTO_TCP
udp_src_port = 0
udp_dst_port = 0
tcp_src_port = (int(flow["tcp_src_port"])
if "tcp_src_port" in flow else 0)
tcp_dst_port = (int(flow["tcp_dst_port"])
if "tcp_dst_port" in flow else 0)
elif ip_protocol == "UDP":
ip_protocol = FlowMatch.IPPROTO_UDP
tcp_src_port = 0
tcp_dst_port = 0
udp_src_port = (int(flow["udp_src_port"])
if "udp_src_port" in flow else 0)
udp_dst_port = (int(flow["udp_dst_port"])
if "udp_dst_port" in flow else 0)
else:
udp_src_port = 0
udp_dst_port = 0
tcp_src_port = 0
tcp_dst_port = 0
ipv4_src_addr = None
if flow.get("ipv4_src", None):
ipv4_src_addr = IPAddress(
version=IPAddress.IPV4,
address=flow.get("ipv4_src").encode('utf-8'))
ipv4_dst_addr = None
if flow.get("ipv4_dst", None):
ipv4_dst_addr = IPAddress(
version=IPAddress.IPV4,
address=flow.get("ipv4_dst").encode('utf-8'))
flow_match_list.append(
FlowDescription(
match=FlowMatch(
ip_dst=ipv4_dst_addr,
ip_src=ipv4_src_addr,
tcp_src=tcp_src_port,
tcp_dst=tcp_dst_port,
udp_src=udp_src_port,
udp_dst=udp_dst_port,
ip_proto=ip_protocol,
direction=flow_direction,
),
action=FlowDescription.PERMIT,
))
def test_ipv6_rule_install(self):
"""
Adds a ipv6 policy to a subscriber. Verifies that flows are properly
installed in enforcement and enforcement stats.
Assert:
Policy classification flows installed in enforcement
Policy match flows installed in enforcement_stats
"""
fake_controller_setup(
self.enforcement_controller,
self.enforcement_stats_controller,
)
imsi = 'IMSI001010000000013'
sub_ip = 'de34:431d:1bc::'
flow_list = [
FlowDescription(
match=FlowMatch(
ip_dst=convert_ipv6_bytes_to_ip_proto(
'f333:432::dbca'.encode('utf-8'), ),
direction=FlowMatch.UPLINK,
),
action=FlowDescription.PERMIT,
),
]
policy = VersionedPolicy(
rule=PolicyRule(id='rule1', priority=3, flow_list=flow_list),
version=1,
)
self.service_manager.session_rule_version_mapper.save_version(
imsi,
convert_ipv4_str_to_ip_proto(sub_ip),
'rule1',
1,
)
""" Setup subscriber, setup table_isolation to fwd pkts """
sub_context = RyuDirectSubscriberContext(
imsi,
sub_ip,
self.enforcement_controller,
self._main_tbl_num,
self.enforcement_stats_controller,
).add_policy(policy)
# =========================== Verification ===========================
snapshot_verifier = SnapshotVerifier(
self,
self.BRIDGE,
self.service_manager,
)
with sub_context, snapshot_verifier:
pass
def test_enforcemnet_rules(self):
"""
Add QOS policy to enforcement table into OVS.
"""
fake_controller_setup(self.enforcement_controller)
imsi = 'IMSI001010000000013'
sub_ip = '192.168.128.30'
flow_list1 = [
FlowDescription(
match=FlowMatch(
direction=FlowMatch.UPLINK,
),
action=FlowDescription.PERMIT,
),
FlowDescription(
match=FlowMatch(
ip_dst=convert_ipv4_str_to_ip_proto("192.168.0.0/24"),
direction=FlowMatch.DOWNLINK,
),
action=FlowDescription.PERMIT,
),
]
self.service_manager.session_rule_version_mapper.save_version(
imsi, convert_ipv4_str_to_ip_proto(sub_ip), "rule1", 1,
)
self.enforcement_controller.activate_rules(
imsi, None, 0, convert_ipv4_str_to_ip_proto(sub_ip),
None, policies=[
VersionedPolicy(
rule=PolicyRule(id='rule1', priority=65530, flow_list=flow_list1),
version=1,
),
], shard_id=0, local_f_teid_ng=100,
)
snapshot_verifier = SnapshotVerifier(
self, self.BRIDGE,
self.service_manager,
)
with snapshot_verifier:
pass
def test_subscriber_policy(self):
"""
Add policy to subscriber, send 4096 packets
Assert:
Packets are properly matched with the 'simple_match' policy
Send /20 (4096) packets, match /16 (256) packets
"""
imsi = 'IMSI010000000088888'
sub_ip = '192.168.128.74'
flow_list1 = [FlowDescription(
match=FlowMatch(
ipv4_dst='45.10.0.0/24', direction=FlowMatch.UPLINK),
action=FlowDescription.PERMIT)
]
policies = [
PolicyRule(id='simple_match', priority=2, flow_list=flow_list1)
]
pkts_matched = 256
pkts_sent = 4096
self._static_rule_dict[policies[0].id] = policies[0]
# ============================ Subscriber ============================
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller, self._tbl_num
).add_static_rule(policies[0].id)
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(sub_context.cfg)
.build_requests(),
self.testing_controller
)
pkt_sender = ScapyPacketInjector(self.IFACE)
packet = IPPacketBuilder()\
.set_ip_layer('45.10.0.0/20', sub_ip)\
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
.build()
flow_query = FlowQuery(
self._tbl_num, self.testing_controller,
match=flow_match_to_magma_match(flow_list1[0].match)
)
# =========================== Verification ===========================
# Verify aggregate table stats, subscriber 1 'simple_match' pkt count
flow_verifier = FlowVerifier([
FlowTest(FlowQuery(self._tbl_num, self.testing_controller),
pkts_sent),
FlowTest(flow_query, pkts_matched)
], lambda: wait_after_send(self.testing_controller))
with isolator, sub_context, flow_verifier:
pkt_sender.send(packet)
flow_verifier.verify()
def test_subscriber_redirect_policy(self):
"""
Add redirect policy to subscriber, send 4096 packets
Assert:
Packets are properly matched with the 'simple_match' policy
Send /20 (4096) packets, match /16 (256) packets
"""
fake_controller_setup(self.gy_controller)
imsi = 'IMSI010000000088888'
sub_ip = '192.168.128.74'
redirect_ips = ["185.128.101.5", "185.128.121.4"]
self.gy_controller._redirect_manager._dns_cache.get(
"about.sha.ddih.org", lambda: redirect_ips, max_age=42,
)
flow_list = [FlowDescription(match=FlowMatch())]
policy = VersionedPolicy(
rule=PolicyRule(
id='redir_test', priority=3, flow_list=flow_list,
redirect=RedirectInformation(
support=1,
address_type=2,
server_address="http://about.sha.ddih.org/",
),
),
version=1,
)
# ============================ Subscriber ============================
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.gy_controller, self._tbl_num,
).add_policy(policy)
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(sub_context.cfg)
.build_requests(),
self.testing_controller,
)
pkt_sender = ScapyPacketInjector(self.IFACE)
packet = TCPPacketBuilder()\
.set_tcp_layer(42132, 80, 2)\
.set_tcp_flags("S")\
.set_ip_layer('151.42.41.122', sub_ip)\
.set_ether_layer(self.MAC_DEST, "01:20:10:20:aa:bb")\
.build()
snapshot_verifier = SnapshotVerifier(
self, self.BRIDGE,
self.service_manager,
include_stats=False,
)
with isolator, sub_context, snapshot_verifier:
pkt_sender.send(packet)
def CreateAddQERinPDR(qos_enforce_rule: QoSEnforceRuleEntry,
ue_ip_addr: str) -> ActivateFlowsRequest:
if qos_enforce_rule.allow == 'YES':
allow = FlowDescription.PERMIT
else:
allow = FlowDescription.DENY
ip_dst = None
ip_src = None
if qos_enforce_rule.ipv4_dst:
ip_dst = convert_ipv4_str_to_ip_proto(qos_enforce_rule.ipv4_dst)
ip_src = convert_ipv4_str_to_ip_proto(qos_enforce_rule.ipv4_dst)
if qos_enforce_rule.direction == FlowMatch.UPLINK:
flow_list = [
FlowDescription(match=FlowMatch(
ip_dst=ip_dst, direction=qos_enforce_rule.direction),
action=allow)
]
else:
flow_list = [
FlowDescription(match=FlowMatch(
ip_src=ip_src, direction=qos_enforce_rule.direction),
action=allow)
]
qos_enforce_rule = ActivateFlowsRequest(
sid=SIDUtils.to_pb(qos_enforce_rule.imsi),
ip_addr=ue_ip_addr,
dynamic_rules=[
PolicyRule(id=qos_enforce_rule.rule_id,
priority=qos_enforce_rule.priority,
hard_timeout=qos_enforce_rule.hard_timeout,
flow_list=flow_list)
],
request_origin=RequestOriginType(type=RequestOriginType.N4))
return qos_enforce_rule
def _get_allow_all_flows(self) -> List[FlowDescription]:
"""
Returns:
Two flows, for outgoing and incoming traffic
"""
return [
# Set flow match for ll packets
# Don't set the app_name field
FlowDescription( # uplink flow
match=FlowMatch(),
action=FlowDescription.Action.Value("PERMIT"),
),
]
def activate_flows(client, args):
request = ActivateFlowsRequest(
sid=SIDUtils.to_pb(args.imsi),
ip_addr=args.ipv4,
policies=[VersionedPolicy(
rule=PolicyRule(
id=args.rule_id,
priority=args.priority,
hard_timeout=args.hard_timeout,
flow_list=[
FlowDescription(match=FlowMatch(
ip_dst=convert_ipv4_str_to_ip_proto(args.ipv4_dst),
direction=FlowMatch.UPLINK)),
FlowDescription(match=FlowMatch(
ip_src=convert_ipv4_str_to_ip_proto(args.ipv4_dst),
direction=FlowMatch.DOWNLINK)),
],
),
version=1)],
request_origin=RequestOriginType(type=RequestOriginType.GX))
response = client.ActivateFlows(request)
_print_rule_mod_results(response.policy_results)
def test_subscriber_policy_with_he(self):
"""
Add policy to subscriber with HE config
"""
cls = self.__class__
fake_controller_setup(self.enforcement_controller)
imsi = 'IMSI010000000088888'
sub_ip = '192.168.128.74'
flow_list1 = [
FlowDescription(
match=FlowMatch(
ip_dst=convert_ipv4_str_to_ip_proto('45.10.0.0/24'),
direction=FlowMatch.UPLINK,
),
action=FlowDescription.PERMIT,
),
]
he = HeaderEnrichment(urls=['abc.com'])
policies = [
VersionedPolicy(
rule=PolicyRule(id='simple_match',
priority=2,
flow_list=flow_list1,
he=he),
version=1,
),
]
# ============================ Subscriber ============================
sub_context = RyuDirectSubscriberContext(
imsi,
sub_ip,
self.enforcement_controller,
self._tbl_num,
).add_policy(policies[0])
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context.cfg).build_requests(),
self.testing_controller,
)
snapshot_verifier = SnapshotVerifier(
self,
self.BRIDGE,
self.service_manager,
)
with isolator, sub_context, snapshot_verifier:
pass
def _get_whitelisted_policies(self):
""" Policies to allow http traffic to the whitelisted sites """
rules = []
for ip, ports in self._whitelisted_ips.items():
for port in ports:
if ip == 'local':
ip = self._local_ip
rules.append(
PolicyRule(
id='whitelist',
priority=self.ALLOW_ALL_PRIORITY,
flow_list=[
FlowDescription(
match=FlowMatch(direction=FlowMatch.UPLINK,
ip_proto=FlowMatch.IPPROTO_TCP,
ipv4_dst=ip,
tcp_dst=port)),
FlowDescription(
match=FlowMatch(direction=FlowMatch.DOWNLINK,
ip_proto=FlowMatch.IPPROTO_TCP,
ipv4_src=ip,
tcp_src=port)),
]))
return rules
def test_Update(self):
"""
Test the happy path where updates come in for rules, and sessiond
accepts the SessionRules without issue.
"""
# Expected call arguments to SetSessionRules
allow_all_flow_list = [
FlowDescription(
match=FlowMatch(
direction=FlowMatch.Direction.Value("UPLINK"), ),
action=FlowDescription.Action.Value("PERMIT"),
),
FlowDescription(
match=FlowMatch(
direction=FlowMatch.Direction.Value("DOWNLINK"), ),
action=FlowDescription.Action.Value("PERMIT"),
),
] # type: List[FlowDescription]
no_tracking_type = PolicyRule.TrackingType.Value("NO_TRACKING")
expected = SessionRules(rules_per_subscriber=[
RulesPerSubscriber(
imsi='imsi_1',
rule_set=[
RuleSet(
apply_subscriber_wide=False,
apn="apn1",
static_rules=[
StaticRuleInstall(rule_id="p1"),
],
dynamic_rules=[
DynamicRuleInstall(policy_rule=PolicyRule(
id="allowlist_sid-imsi_1-apn1",
priority=2,
flow_list=allow_all_flow_list,
tracking_type=no_tracking_type,
))
],
),
]),
RulesPerSubscriber(
imsi='imsi_2',
rule_set=[
RuleSet(
apply_subscriber_wide=False,
apn="apn1",
static_rules=[
StaticRuleInstall(rule_id="p5"),
],
dynamic_rules=[
DynamicRuleInstall(policy_rule=PolicyRule(
id="allowlist_sid-imsi_2-apn1",
priority=2,
flow_list=allow_all_flow_list,
tracking_type=no_tracking_type,
))
],
),
])
])
# Setup the test
apn_rules_dict = {}
basenames_dict = {
'bn1': ChargingRuleNameSet(RuleNames=['p5']),
'bn2': ChargingRuleNameSet(RuleNames=['p6']),
}
stub = MockLocalSessionManagerStub()
stub_call_args = [] # type: List[SessionRules]
side_effect = get_SetSessionRules_side_effect(stub_call_args)
stub.SetSessionRules = Mock(side_effect=side_effect)
callback = ApnRuleMappingsStreamerCallback(
stub,
basenames_dict,
apn_rules_dict,
)
# Construct a set of updates, keyed by subscriber ID
updates = [
DataUpdate(
key="imsi_1",
value=SubscriberPolicySet(rules_per_apn=[
ApnPolicySet(
apn="apn1",
assigned_base_names=[],
assigned_policies=["p1"],
),
], ).SerializeToString(),
),
DataUpdate(
key="imsi_2",
value=SubscriberPolicySet(rules_per_apn=[
ApnPolicySet(
apn="apn1",
assigned_base_names=["bn1"],
assigned_policies=[],
),
], ).SerializeToString(),
),
]
callback.process_update("stream", updates, False)
# Since we used a stub which always succeeds when a RAR is made,
# We should expect the assignments_dict to be updated
imsi_1_policies = apn_rules_dict["imsi_1"]
self.assertEqual(len(imsi_1_policies.rules_per_apn), 1,
'There should be 1 active APNs for imsi_1')
self.assertEqual(len(stub_call_args), 1,
'Stub should have been called once')
called_with = stub_call_args[0].SerializeToString()
self.assertEqual(called_with, expected.SerializeToString(),
'SetSessionRules call has incorrect arguments')
# Stream down a second update, and now IMSI_1 gets access to a new APN
updates_2 = [
DataUpdate(
key="imsi_1",
value=SubscriberPolicySet(rules_per_apn=[
ApnPolicySet(
apn="apn2",
assigned_base_names=["bn1"],
assigned_policies=[],
),
], ).SerializeToString(),
),
DataUpdate(
key="imsi_2",
value=SubscriberPolicySet(
global_base_names=["bn2"],
global_policies=[],
rules_per_apn=[
ApnPolicySet(
apn="apn1",
assigned_base_names=[],
assigned_policies=[],
),
],
).SerializeToString(),
),
]
expected_2 = SessionRules(rules_per_subscriber=[
RulesPerSubscriber(
imsi='imsi_1',
rule_set=[
RuleSet(
apply_subscriber_wide=False,
apn="apn2",
static_rules=[
StaticRuleInstall(rule_id="p5"),
],
dynamic_rules=[
DynamicRuleInstall(policy_rule=PolicyRule(
id="allowlist_sid-imsi_1-apn2",
priority=2,
flow_list=allow_all_flow_list,
tracking_type=no_tracking_type,
))
],
),
]),
RulesPerSubscriber(
imsi='imsi_2',
rule_set=[
RuleSet(
apply_subscriber_wide=False,
apn="apn1",
static_rules=[
StaticRuleInstall(rule_id="p6"),
],
dynamic_rules=[
DynamicRuleInstall(policy_rule=PolicyRule(
id="allowlist_sid-imsi_2-apn1",
priority=2,
flow_list=allow_all_flow_list,
tracking_type=no_tracking_type,
))
],
),
]),
])
callback.process_update("stream", updates_2, False)
imsi_1_policies = apn_rules_dict["imsi_1"]
self.assertEqual(len(imsi_1_policies.rules_per_apn), 1,
'There should be 1 active APNs for imsi_1')
self.assertEqual(len(stub_call_args), 2,
'Stub should have been called twice')
called_with = stub_call_args[1].SerializeToString()
self.assertEqual(called_with, expected_2.SerializeToString(),
'SetSessionRules call has incorrect arguments')
def test_rule_reactivation(self):
"""
Adds a policy to a subscriber, deletes it by incrementing the
version, and add it back. Verifies that the usage stats is correctly
reported, the old flows are deleted, and the new flows are installed.
Assert:
UPLINK policy matches 128 packets (*34 = 4352 bytes)
Old flows are deleted
New flows are installed
No other stats are reported
"""
fake_controller_setup(self.enforcement_controller,
self.enforcement_stats_controller)
imsi = 'IMSI001010000000013'
sub_ip = '192.168.128.74'
num_pkts_tx_match = 128
flow_list = [
FlowDescription(match=FlowMatch(ipv4_dst='45.10.0.0/25',
direction=FlowMatch.UPLINK),
action=FlowDescription.PERMIT)
]
policy = PolicyRule(id='rule1', priority=3, flow_list=flow_list)
enf_stat_name = imsi + '|rule1'
self.service_manager.session_rule_version_mapper.update_version(
imsi, 'rule1')
version = \
self.service_manager.session_rule_version_mapper.get_version(
imsi, 'rule1')
""" Setup subscriber, setup table_isolation to fwd pkts """
self._static_rule_dict[policy.id] = policy
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller, self._main_tbl_num,
self.enforcement_stats_controller).add_static_rule(policy.id)
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context.cfg).build_requests(), self.testing_controller)
""" Create a packet """
pkt_sender = ScapyPacketInjector(self.IFACE)
packet = IPPacketBuilder() \
.set_ip_layer('45.10.0.0/20', sub_ip) \
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00") \
.build()
# =========================== Verification ===========================
rule_num = self.enforcement_stats_controller._rule_mapper \
.get_or_create_rule_num(policy.id)
enf_query = FlowQuery(self._main_tbl_num,
self.testing_controller,
match=flow_match_to_magma_match(
FlowMatch(ipv4_dst='45.10.0.0/25',
direction=FlowMatch.UPLINK)),
cookie=rule_num)
es_old_version_query = FlowQuery(self._scratch_tbl_num,
self.testing_controller,
match=MagmaMatch(
imsi=encode_imsi(imsi),
reg2=rule_num,
rule_version=version),
cookie=rule_num)
es_new_version_query = FlowQuery(self._scratch_tbl_num,
self.testing_controller,
match=MagmaMatch(
imsi=encode_imsi(imsi),
reg2=rule_num,
rule_version=version + 1),
cookie=rule_num)
packet_wait = FlowVerifier([], self._wait_func([enf_stat_name]))
""" Verify that flows are properly deleted """
verifier = FlowVerifier([
FlowTest(es_old_version_query, 0, flow_count=0),
FlowTest(es_new_version_query, num_pkts_tx_match, flow_count=2),
FlowTest(enf_query, num_pkts_tx_match, flow_count=1),
], self._wait_func([enf_stat_name]))
snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
self.service_manager)
"""
Send a packet, then deactivate and reactivate the same rule and send a
packet. Wait until it is received by ovs and enf stats.
"""
with isolator, sub_context, verifier, snapshot_verifier:
with packet_wait:
self.enforcement_stats_controller._report_usage.reset_mock()
pkt_sender.send(packet)
self.enforcement_stats_controller._report_usage.reset_mock()
self.service_manager.session_rule_version_mapper. \
update_version(imsi, 'rule1')
self.enforcement_controller.deactivate_rules(imsi, [policy.id])
self.enforcement_controller.activate_rules(imsi, sub_ip,
[policy.id], [])
self.enforcement_stats_controller.activate_rules(
imsi, sub_ip, [policy.id], [])
pkt_sender.send(packet)
verifier.verify()
stats = get_enforcement_stats(
self.enforcement_stats_controller._report_usage.call_args_list)
"""
Verify both packets are reported after reactivation.
"""
self.assertEqual(stats[enf_stat_name].sid, imsi)
self.assertEqual(stats[enf_stat_name].rule_id, "rule1")
self.assertEqual(stats[enf_stat_name].bytes_rx, 0)
# TODO Figure out why this one fails.
#self.assertEqual(stats[enf_stat_name].bytes_tx,
# num_pkts_tx_match * len(packet))
self.assertEqual(len(stats), 1)
def test_subscriber_policy(self):
"""
Adds 2 policies to subscriber, verifies that EnforcementStatsController
reports correct stats to sessiond
Assert:
UPLINK policy matches 128 packets (*34 = 4352 bytes)
DOWNLINK policy matches 256 packets (*34 = 8704 bytes)
No other stats are reported
"""
fake_controller_setup(self.enforcement_controller,
self.enforcement_stats_controller)
imsi = 'IMSI001010000000013'
sub_ip = '192.168.128.74'
num_pkts_tx_match = 128
num_pkts_rx_match = 256
""" Create 2 policy rules for the subscriber """
flow_list1 = [
FlowDescription(match=FlowMatch(ipv4_dst='45.10.0.0/25',
direction=FlowMatch.UPLINK),
action=FlowDescription.PERMIT)
]
flow_list2 = [
FlowDescription(match=FlowMatch(ipv4_src='45.10.0.0/24',
direction=FlowMatch.DOWNLINK),
action=FlowDescription.PERMIT)
]
policies = [
PolicyRule(id='tx_match', priority=3, flow_list=flow_list1),
PolicyRule(id='rx_match', priority=5, flow_list=flow_list2)
]
enf_stat_name = [imsi + '|tx_match', imsi + '|rx_match']
self.service_manager.session_rule_version_mapper.update_version(
imsi, 'tx_match')
self.service_manager.session_rule_version_mapper.update_version(
imsi, 'rx_match')
""" Setup subscriber, setup table_isolation to fwd pkts """
self._static_rule_dict[policies[0].id] = policies[0]
self._static_rule_dict[policies[1].id] = policies[1]
sub_context = RyuDirectSubscriberContext(
imsi, sub_ip, self.enforcement_controller, self._main_tbl_num,
self.enforcement_stats_controller).add_static_rule(
policies[0].id).add_static_rule(policies[1].id)
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context.cfg).build_requests(), self.testing_controller)
""" Create 2 sets of packets, for policry rule1&2 """
pkt_sender = ScapyPacketInjector(self.IFACE)
packet1 = IPPacketBuilder()\
.set_ip_layer('45.10.0.0/20', sub_ip)\
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
.build()
packet2 = IPPacketBuilder()\
.set_ip_layer(sub_ip, '45.10.0.0/20')\
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
.build()
# =========================== Verification ===========================
flow_verifier = FlowVerifier([], self._wait_func(enf_stat_name))
snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
self.service_manager)
""" Send packets, wait until pkts are received by ovs and enf stats """
with isolator, sub_context, flow_verifier, snapshot_verifier:
pkt_sender.send(packet1)
pkt_sender.send(packet2)
stats = get_enforcement_stats(
self.enforcement_stats_controller._report_usage.call_args_list)
self.assertEqual(stats[enf_stat_name[0]].sid, imsi)
self.assertEqual(stats[enf_stat_name[0]].rule_id, "tx_match")
self.assertEqual(stats[enf_stat_name[0]].bytes_rx, 0)
self.assertEqual(stats[enf_stat_name[0]].bytes_tx,
num_pkts_tx_match * len(packet1))
self.assertEqual(stats[enf_stat_name[1]].sid, imsi)
self.assertEqual(stats[enf_stat_name[1]].rule_id, "rx_match")
self.assertEqual(stats[enf_stat_name[1]].bytes_tx, 0)
# downlink packets will discount ethernet header by default
# so, only count the IP portion
total_bytes_pkt2 = num_pkts_rx_match * len(packet2[IP])
self.assertEqual(stats[enf_stat_name[1]].bytes_rx, total_bytes_pkt2)
self.assertEqual(len(stats), 2)
def test_two_subscribers(self):
"""
Add 2 subscribers at the same time
Assert:
For subcriber1 the packets are matched to the proper policy
For subcriber2 the packets are matched to the proper policy
The total packet delta in the table is from the above matches
"""
fake_controller_setup(self.enforcement_controller)
pkt_sender = ScapyPacketInjector(self.IFACE)
ip_match = [
FlowDescription(match=FlowMatch(
ip_src=convert_ipv4_str_to_ip_proto('8.8.8.0/24'),
direction=1),
action=1)
]
tcp_match = [
FlowDescription(match=FlowMatch(ip_proto=6,
direction=FlowMatch.DOWNLINK),
action=FlowDescription.DENY)
]
self._static_rule_dict['t'] = PolicyRule(id='t',
priority=2,
flow_list=ip_match)
# =========================== Subscriber 1 ===========================
sub_context1 = RyuDirectSubscriberContext(
'IMSI208950001111111', '192.168.128.5',
self.enforcement_controller, self._tbl_num).add_static_rule('t')
isolator1 = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context1.cfg).build_requests(), self.testing_controller)
packet_ip = IPPacketBuilder()\
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
.set_ip_layer(sub_context1.cfg.ip, '8.8.8.8')\
.build()
s1_pkts_sent = 29
pkts_to_send = [PktsToSend(packet_ip, s1_pkts_sent)]
flow_query1 = FlowQuery(self._tbl_num,
self.testing_controller,
match=flow_match_to_magma_match(
ip_match[0].match))
s1 = SubTest(sub_context1, isolator1,
FlowTest(flow_query1, s1_pkts_sent))
# =========================== Subscriber 2 ===========================
sub_context2 = RyuDirectSubscriberContext(
'IMSI911500451242001', '192.168.128.100',
self.enforcement_controller, self._tbl_num).add_dynamic_rule(
PolicyRule(id='qqq', priority=2, flow_list=tcp_match))
isolator2 = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context2.cfg).build_requests(), self.testing_controller)
packet_tcp = TCPPacketBuilder()\
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
.set_ip_layer(sub_context2.cfg.ip, '15.0.0.8')\
.build()
s2_pkts_sent = 18
pkts_to_send.append(PktsToSend(packet_tcp, s2_pkts_sent))
flow_query2 = FlowQuery(self._tbl_num,
self.testing_controller,
match=flow_match_to_magma_match(
tcp_match[0].match))
s2 = SubTest(sub_context2, isolator2,
FlowTest(flow_query2, s2_pkts_sent))
# =========================== Verification ===========================
# Verify aggregate table stats, subscriber 1 & 2 flows packet matches
pkts = s1_pkts_sent + s2_pkts_sent
flow_verifier = FlowVerifier([
FlowTest(FlowQuery(self._tbl_num, self.testing_controller), pkts),
s1.flowtest_list, s2.flowtest_list
], lambda: wait_after_send(self.testing_controller))
snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
self.service_manager)
with s1.isolator, s1.context, s2.isolator, s2.context, flow_verifier, \
snapshot_verifier:
for pkt in pkts_to_send:
pkt_sender.send(pkt.pkt, pkt.num)
flow_verifier.verify()
def test_subscriber_two_policies(self):
"""
Add 2 policies to subscriber
Assert:
Packets are properly matched with the 'match' policy
The total packet delta in the table is from the above match
"""
fake_controller_setup(self.enforcement_controller)
imsi = 'IMSI208950000000001'
sub_ip = '192.168.128.74'
flow_list1 = [
FlowDescription(match=FlowMatch(
ip_src=convert_ipv4_str_to_ip_proto('15.0.0.0/24'),
direction=FlowMatch.DOWNLINK),
action=FlowDescription.DENY)
]
flow_list2 = [
FlowDescription(match=FlowMatch(ip_proto=6,
direction=FlowMatch.UPLINK),
action=FlowDescription.PERMIT)
]
policies = [
PolicyRule(id='match', priority=2, flow_list=flow_list1),
PolicyRule(id='no_match', priority=2, flow_list=flow_list2)
]
pkts_sent = 42
self._static_rule_dict[policies[0].id] = policies[0]
self._static_rule_dict[policies[1].id] = policies[1]
# ============================ Subscriber ============================
sub_context = RyuDirectSubscriberContext(imsi, sub_ip,
self.enforcement_controller,
self._tbl_num) \
.add_static_rule(policies[0].id)\
.add_static_rule(policies[1].id)
isolator = RyuDirectTableIsolator(
RyuForwardFlowArgsBuilder.from_subscriber(
sub_context.cfg).build_requests(), self.testing_controller)
pkt_sender = ScapyPacketInjector(self.IFACE)
packet = IPPacketBuilder()\
.set_ip_layer(sub_ip, '15.0.0.8')\
.set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
.build()
flow_query = FlowQuery(self._tbl_num,
self.testing_controller,
match=flow_match_to_magma_match(
flow_list1[0].match))
# =========================== Verification ===========================
# Verify aggregate table stats, subscriber 1 'match' rule pkt count
flow_verifier = FlowVerifier([
FlowTest(FlowQuery(self._tbl_num, self.testing_controller),
pkts_sent),
FlowTest(flow_query, pkts_sent)
], lambda: wait_after_send(self.testing_controller))
snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
self.service_manager)
with isolator, sub_context, flow_verifier, snapshot_verifier:
pkt_sender.send(packet, pkts_sent)
flow_verifier.verify()