예제 #1
0
    def test_invalid_subscriber(self):
        """
        Try to apply an invalid policy to a subscriber, should log and error

        Assert:
            Only 1 flow gets added to the table (drop flow)
        """
        fake_controller_setup(self.enforcement_controller)
        imsi = 'IMSI000000000000001'
        sub_ip = '192.168.128.45'
        flow_list = [
            FlowDescription(match=FlowMatch(ipv4_src='9999.0.0.0/24'),
                            action=FlowDescription.DENY)
        ]
        policy = PolicyRule(id='invalid', priority=2, flow_list=flow_list)
        invalid_sub_context = RyuDirectSubscriberContext(
            imsi, sub_ip, self.enforcement_controller,
            self._tbl_num).add_dynamic_rule(policy)
        isolator = RyuDirectTableIsolator(
            RyuForwardFlowArgsBuilder.from_subscriber(
                invalid_sub_context.cfg).build_requests(),
            self.testing_controller)
        flow_query = FlowQuery(self._tbl_num, self.testing_controller)
        num_flows_start = len(flow_query.lookup())
        snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
                                             self.service_manager)

        with isolator, invalid_sub_context, snapshot_verifier:
            wait_after_send(self.testing_controller)
            num_flows_final = len(flow_query.lookup())

        self.assertEqual(num_flows_final - num_flows_start, 1)
예제 #2
0
def add_rule(args):
    rule_id = args.rule_id
    policy_dict = PolicyRuleDict()
    arg_list = {
        'ip_proto':
        args.ip_proto,
        'ip_dst':
        IPAddress(version=IPAddress.IPV4,
                  address=args.ipv4_dst.encode('utf-8')),
        'ip_src':
        IPAddress(version=IPAddress.IPV4,
                  address=args.ipv4_src.encode('utf-8')),
        'tcp_dst':
        args.tcp_dst,
        'tcp_src':
        args.tcp_src,
        'udp_dst':
        args.udp_dst,
        'udp_src':
        args.udp_src,
        'direction':
        args.direction
    }
    match = FlowMatch(**arg_list)
    flow = FlowDescription(match=match, action=args.action)
    rule = policy_dict.get(rule_id)
    if not rule or args.overwrite:
        action = 'add'
        rule = PolicyRule(id=rule_id, flow_list=[flow])
    else:
        action = 'edit'
        rule.flow_list.extend([flow])
    policy_dict[rule_id] = rule
    print("Rule '%s' successfully %sed!" % (rule_id, action))
    def test_deny_rule_install(self):
        """
        Adds a policy to a subscriber. Verifies that flows are properly
        installed in enforcement and enforcement stats.
        Assert:
            Policy classification flows installed in enforcement
            Policy match flows installed in enforcement_stats
        """
        fake_controller_setup(self.enforcement_controller,
                              self.enforcement_stats_controller)
        imsi = 'IMSI001010000000014'
        sub_ip = '192.16.15.7'
        num_pkt_unmatched = 4096

        flow_list = [
            FlowDescription(match=FlowMatch(
                ip_dst=convert_ipv4_str_to_ip_proto('1.1.0.0/24'),
                direction=FlowMatch.UPLINK),
                            action=FlowDescription.DENY)
        ]
        policy = PolicyRule(id='rule1', priority=3, flow_list=flow_list)
        self.service_manager.session_rule_version_mapper.update_version(
            imsi, convert_ipv4_str_to_ip_proto(sub_ip), 'rule1')
        """ Setup subscriber, setup table_isolation to fwd pkts """
        sub_context = RyuDirectSubscriberContext(
            imsi, sub_ip, self.enforcement_controller, self._main_tbl_num,
            self.enforcement_stats_controller).add_dynamic_rule(policy)

        isolator = RyuDirectTableIsolator(
            RyuForwardFlowArgsBuilder.from_subscriber(
                sub_context.cfg).build_requests(), self.testing_controller)

        pkt_sender = ScapyPacketInjector(self.IFACE)
        packet = IPPacketBuilder() \
            .set_ip_layer('45.10.0.0/20', sub_ip) \
            .set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00") \
            .build()

        # =========================== Verification ===========================

        # Verifies that 1 flow is installed in enforcement and 2 flows are
        # installed in enforcement stats, one for uplink and one for downlink.
        snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
                                             self.service_manager)

        with isolator, sub_context, snapshot_verifier:
            pkt_sender.send(packet)

        enf_stat_name = imsi + '|' + self.DEFAULT_DROP_FLOW_NAME + '|' + sub_ip
        wait_for_enforcement_stats(self.enforcement_stats_controller,
                                   [enf_stat_name])
        stats = get_enforcement_stats(
            self.enforcement_stats_controller._report_usage.call_args_list)

        self.assertEqual(stats[enf_stat_name].sid, imsi)
        self.assertEqual(stats[enf_stat_name].rule_id,
                         self.DEFAULT_DROP_FLOW_NAME)
        self.assertEqual(stats[enf_stat_name].dropped_rx, 0)
        self.assertEqual(stats[enf_stat_name].dropped_tx,
                         num_pkt_unmatched * len(packet))
예제 #4
0
def create_uplink_rule(id, rating_group, ip_dest, m_key=None,
                       priority=10, tracking=PolicyRule.ONLY_OCS,
                       action=FlowDescription.PERMIT):
    """
    Create a rule with a single uplink IP flow, useful for testing
    Args:
        id (string): rule id
        rating_group (int): charging key
        ip_dest (string): IP destination for rule flow
        m_key (optional string): monitoring key, if the rule is tracked by PCRF
        priority (int): priority of flow, the greater the higher the priority
        tracking (PolicyRule.TrackingType): enum to dictate whether OCS or PCRF
            or both is tracking the credit
        action: permit or deny
    Returns:
        PolicyRule with single uplink IP flow
    """
    return PolicyRule(
        id=id,
        priority=priority,
        flow_list=[FlowDescription(
            match=FlowMatch(
                ipv4_dst=ip_dest, direction=FlowMatch.UPLINK),
            action=action)
        ],
        tracking_type=tracking,
        rating_group=rating_group,
        monitoring_key=m_key,
    )
예제 #5
0
    def test_rule_install(self):
        """
        Adds a policy to a subscriber. Verifies that flows are properly
        installed in enforcement and enforcement stats.

        Assert:
            Policy classification flows installed in enforcement
            Policy match flows installed in enforcement_stats
        """
        fake_controller_setup(self.enforcement_controller,
                              self.enforcement_stats_controller)
        imsi = 'IMSI001010000000013'
        sub_ip = '192.168.128.74'

        flow_list = [
            FlowDescription(match=FlowMatch(ipv4_dst='45.10.0.0/25',
                                            direction=FlowMatch.UPLINK),
                            action=FlowDescription.PERMIT)
        ]
        policy = PolicyRule(id='rule1', priority=3, flow_list=flow_list)
        self.service_manager.session_rule_version_mapper.update_version(
            imsi, 'rule1')
        version = \
            self.service_manager.session_rule_version_mapper.get_version(
                imsi, 'rule1')
        """ Setup subscriber, setup table_isolation to fwd pkts """
        self._static_rule_dict[policy.id] = policy
        sub_context = RyuDirectSubscriberContext(
            imsi, sub_ip, self.enforcement_controller, self._main_tbl_num,
            self.enforcement_stats_controller).add_static_rule(policy.id)

        # =========================== Verification ===========================
        rule_num = self.enforcement_stats_controller._rule_mapper \
            .get_or_create_rule_num(policy.id)
        enf_query = FlowQuery(self._main_tbl_num,
                              self.testing_controller,
                              match=flow_match_to_magma_match(
                                  FlowMatch(ipv4_dst='45.10.0.0/25',
                                            direction=FlowMatch.UPLINK)),
                              cookie=rule_num)
        es_query = FlowQuery(self._scratch_tbl_num,
                             self.testing_controller,
                             match=MagmaMatch(imsi=encode_imsi(imsi),
                                              reg2=rule_num,
                                              rule_version=version),
                             cookie=rule_num)

        # Verifies that 1 flow is installed in enforcement and 2 flows are
        # installed in enforcement stats, one for uplink and one for downlink.
        flow_verifier = FlowVerifier([
            FlowTest(enf_query, 0, flow_count=1),
            FlowTest(es_query, 0, flow_count=2),
        ], lambda: None)
        snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
                                             self.service_manager)

        with sub_context, flow_verifier, snapshot_verifier:
            pass

        flow_verifier.verify()
예제 #6
0
    def test_redirect_policy(self):
        """
        Add a redirect policy, verifies that EnforcementStatsController reports
        correct stats to sessiond

        Assert:
            1 Packet is matched and reported
        """
        fake_controller_setup(self.enforcement_controller,
                              self.enforcement_stats_controller)
        redirect_ips = ["185.128.101.5", "185.128.121.4"]
        self.enforcement_controller._redirect_manager._dns_cache.get(
            "about.sha.ddih.org", lambda: redirect_ips, max_age=42)
        imsi = 'IMSI010000000088888'
        sub_ip = '192.168.128.74'
        flow_list = [FlowDescription(match=FlowMatch())]
        policy = PolicyRule(id='redir_test',
                            priority=3,
                            flow_list=flow_list,
                            redirect=RedirectInformation(
                                support=1,
                                address_type=2,
                                server_address="http://about.sha.ddih.org/"))
        stat_name = imsi + '|redir_test' + '|' + sub_ip
        self.service_manager.session_rule_version_mapper.update_version(
            imsi, convert_ipv4_str_to_ip_proto(sub_ip), 'redir_test')
        """ Setup subscriber, setup table_isolation to fwd pkts """
        sub_context = RyuDirectSubscriberContext(
            imsi, sub_ip, self.enforcement_controller, self._main_tbl_num,
            self.enforcement_stats_controller).add_dynamic_rule(policy)
        isolator = RyuDirectTableIsolator(
            RyuForwardFlowArgsBuilder.from_subscriber(
                sub_context.cfg).build_requests(), self.testing_controller)
        pkt_sender = ScapyPacketInjector(self.IFACE)
        packet = TCPPacketBuilder() \
            .set_tcp_layer(42132, 80, 321) \
            .set_tcp_flags("S") \
            .set_ip_layer('151.42.41.122', sub_ip) \
            .set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00") \
            .build()

        # =========================== Verification ===========================
        snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
                                             self.service_manager)
        """ Send packet, wait until pkts are received by ovs and enf stats """
        with isolator, sub_context, snapshot_verifier:
            self.enforcement_stats_controller._report_usage.reset_mock()
            pkt_sender.send(packet)

        wait_for_enforcement_stats(self.enforcement_stats_controller,
                                   [stat_name])
        """ Send packets, wait until pkts are received by ovs and enf stats """
        stats = get_enforcement_stats(
            self.enforcement_stats_controller._report_usage.call_args_list)

        self.assertEqual(stats[stat_name].sid, imsi)
        self.assertEqual(stats[stat_name].rule_id, "redir_test")
        self.assertEqual(stats[stat_name].bytes_rx, 0)
        self.assertEqual(stats[stat_name].bytes_tx, len(packet))
예제 #7
0
    def test_cookie_poll(self):
        """
        Add a subscriber policy, verify flows are properly installed
        Assert:
        Query with RULE_NUM 1 returns proper values
        """
        original = self.enforcement_stats_controller._poll_stats
        self.enforcement_stats_controller._poll_stats = MagicMock()
        self.enforcement_stats_controller.init_finished = False
        self.enforcement_controller.init_finished = True

        imsi = 'IMSI001010000000013'
        sub_ip = '192.168.128.74'

        flow_list = [
            FlowDescription(
                match=FlowMatch(
                    ip_dst=convert_ipv4_str_to_ip_proto('45.10.0.0/25'),
                    direction=FlowMatch.UPLINK,
                ),
                action=FlowDescription.PERMIT,
            ),
        ]

        policy = VersionedPolicy(
            rule=PolicyRule(id='rule1', priority=3, flow_list=flow_list),
            version=1,
        )
        enf_stat_name = imsi + '|' + 'rule1' + '|' + sub_ip + '|' + "1"
        """ Setup subscriber, setup table_isolation to fwd pkts """
        sub_context = RyuDirectSubscriberContext(
            imsi, sub_ip, self.enforcement_controller,
            self._main_tbl_num, self.enforcement_stats_controller,
        ).add_policy(policy)

        snapshot_verifier = SnapshotVerifier(
            self, self.BRIDGE,
            self.service_manager,
        )

        self.enforcement_stats_controller._report_usage.reset_mock()
        with sub_context, snapshot_verifier:
            self.enforcement_stats_controller.init_finished = True
            flows.send_stats_request(
                self.enforcement_stats_controller._datapath,
                self.enforcement_stats_controller.tbl_num,
                0,
                flows.OVS_COOKIE_MATCH_ALL,
            )
            wait_for_enforcement_stats(
                self.enforcement_stats_controller,
                [enf_stat_name],
            )
        stats = get_enforcement_stats(
            self.enforcement_stats_controller._report_usage.call_args_list,
        )
        self.assertEqual(stats[enf_stat_name].rule_id, 'rule1')
        self.enforcement_stats_controller._poll_stats = original
        self.assertEqual(len(stats), 2)
예제 #8
0
    def test_subscriber_restrict_policy(self):
        """
        Add restrict policy to subscriber, send 4096 packets

        Assert:
            Packets are properly matched with the 'restrict_match' policy
            Send /20 (4096) packets, match /16 (256) packets
        """
        fake_controller_setup(self.gy_controller)
        imsi = 'IMSI010000000088888'
        sub_ip = '192.168.128.74'
        flow_list1 = [
            FlowDescription(match=FlowMatch(
                ip_dst=convert_ipv4_str_to_ip_proto('8.8.8.0/24'),
                direction=FlowMatch.UPLINK),
                            action=FlowDescription.PERMIT)
        ]
        policies = [
            VersionedPolicy(
                rule=PolicyRule(id='restrict_match',
                                priority=2,
                                flow_list=flow_list1),
                version=1,
            )
        ]
        pkts_matched = 256
        pkts_sent = 4096

        # ============================ Subscriber ============================
        sub_context = RyuDirectSubscriberContext(
            imsi, sub_ip, self.gy_controller,
            self._tbl_num).add_policy(policies[0])
        isolator = RyuDirectTableIsolator(
            RyuForwardFlowArgsBuilder.from_subscriber(
                sub_context.cfg).build_requests(), self.testing_controller)
        pkt_sender = ScapyPacketInjector(self.IFACE)
        packet = IPPacketBuilder()\
            .set_ip_layer('8.8.8.8', sub_ip)\
            .set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
            .build()
        flow_query = FlowQuery(self._tbl_num,
                               self.testing_controller,
                               match=flow_match_to_magma_match(
                                   flow_list1[0].match))

        # =========================== Verification ===========================
        # Verify aggregate table stats, subscriber 1 'simple_match' pkt count
        flow_verifier = FlowVerifier([
            FlowTest(FlowQuery(self._tbl_num, self.testing_controller),
                     pkts_sent),
            FlowTest(flow_query, pkts_matched)
        ], lambda: wait_after_send(self.testing_controller))
        snapshot_verifier = SnapshotVerifier(self,
                                             self.BRIDGE,
                                             self.service_manager,
                                             include_stats=False)

        with isolator, sub_context, flow_verifier, snapshot_verifier:
            pkt_sender.send(packet)
예제 #9
0
def activate_dynamic_rule(client, args):
    request = ActivateFlowsRequest(
        sid=SIDUtils.to_pb(args.imsi),
        dynamic_rules=[
            PolicyRule(
                id=args.rule_id,
                priority=args.priority,
                hard_timeout=args.hard_timeout,
                flow_list=[
                    FlowDescription(match=FlowMatch(
                        ipv4_dst=args.ipv4_dst, direction=FlowMatch.UPLINK)),
                    FlowDescription(match=FlowMatch(
                        ipv4_src=args.ipv4_dst, direction=FlowMatch.DOWNLINK)),
                ],
            )
        ])
    client.ActivateFlows(request)
예제 #10
0
def _build_activate_flows_data(ue_dict, disable_qos):
    activate_flow_reqs = []

    if disable_qos:
        print("QOS Disabled")
        apn_ambr = None
    else:
        print("QOS Enabled")
        apn_ambr = AggregatedMaximumBitrate(
            max_bandwidth_ul=1000000000,
            max_bandwidth_dl=1000000000,
        )
    for ue in ue_dict:
        request = ActivateFlowsRequest(
            sid=SIDUtils.to_pb(ue.imsi_str),
            ip_addr=ue.ipv4_src,
            policies=[
                VersionedPolicy(
                    rule=PolicyRule(
                        id=ue.rule_id,
                        priority=10,
                        flow_list=[
                            FlowDescription(match=FlowMatch(
                                ip_dst=convert_ipv4_str_to_ip_proto(
                                    ue.ipv4_src),
                                direction=FlowMatch.UPLINK,
                            ), ),
                            FlowDescription(match=FlowMatch(
                                ip_src=convert_ipv4_str_to_ip_proto(
                                    ue.ipv4_dst),
                                direction=FlowMatch.DOWNLINK,
                            ), ),
                        ],
                    ),
                    version=1,
                ),
            ],
            request_origin=RequestOriginType(type=RequestOriginType.GX),
            apn_ambr=apn_ambr,
        )
        request_dict = json_format.MessageToDict(request)
        # Dumping ActivateFlows request into json
        activate_flow_reqs.append(request_dict)
    with open('activate_flows.json', 'w') as file:
        json.dump(activate_flow_reqs, file, separators=(',', ':'))
예제 #11
0
    def test_subscriber_ipv6_policy(self):
        """
        Add policy to subscriber, send 4096 packets

        Assert:
            Packets are properly matched with the 'simple_match' policy
            Send /20 (4096) packets, match /16 (256) packets
        """
        fake_controller_setup(self.enforcement_controller)
        imsi = 'IMSI010000000088888'
        sub_ip = 'de34:431d:1bc::'
        flow_list1 = [
            FlowDescription(
                match=FlowMatch(
                    ip_dst=convert_ipv6_bytes_to_ip_proto(
                        'f333:432::dbca'.encode('utf-8'), ),
                    direction=FlowMatch.UPLINK,
                ),
                action=FlowDescription.PERMIT,
            ),
        ]
        policies = [
            VersionedPolicy(
                rule=PolicyRule(id='simple_match',
                                priority=2,
                                flow_list=flow_list1),
                version=1,
            ),
        ]

        # ============================ Subscriber ============================
        sub_context = RyuDirectSubscriberContext(
            imsi,
            sub_ip,
            self.enforcement_controller,
            self._tbl_num,
        ).add_policy(policies[0])
        isolator = RyuDirectTableIsolator(
            RyuForwardFlowArgsBuilder.from_subscriber(
                sub_context.cfg).build_requests(),
            self.testing_controller,
        )
        pkt_sender = ScapyPacketInjector(self.IFACE)
        packet = IPv6PacketBuilder() \
            .set_ip_layer('f333:432::dbca', sub_ip) \
            .set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00") \
            .build()

        # =========================== Verification ===========================
        snapshot_verifier = SnapshotVerifier(
            self,
            self.BRIDGE,
            self.service_manager,
        )

        with isolator, sub_context, snapshot_verifier:
            pkt_sender.send(packet)
예제 #12
0
def _get_allow_all_flows() -> List[FlowDescription]:
    """
    Get flows for allowing all traffic
    Returns:
        Two flows, for outgoing and incoming traffic
    """
    return [
        # Set flow match for all packets
        # Don't set the app_name field
        FlowDescription(  # uplink flow
            match=FlowMatch(direction=FlowMatch.Direction.Value("UPLINK"), ),
            action=FlowDescription.Action.Value("PERMIT"),
        ),
        FlowDescription(  # downlink flow
            match=FlowMatch(direction=FlowMatch.Direction.Value("DOWNLINK"), ),
            action=FlowDescription.Action.Value("PERMIT"),
        ),
    ]
예제 #13
0
    def test_poll(self):
        """
        Unit test to help verify stats polling using cookie and cookie_mask
        """
        fake_controller_setup(
            self.enforcement_controller,
            self.enforcement_stats_controller,
        )
        imsi = 'IMSI001010000000013'
        sub_ip = '192.168.128.74'

        flow_list = [
            FlowDescription(
                match=FlowMatch(
                    ip_dst=convert_ipv4_str_to_ip_proto('45.10.0.0/25'),
                    direction=FlowMatch.UPLINK,
                ),
                action=FlowDescription.PERMIT,
            ),
        ]
        policy = VersionedPolicy(
            rule=PolicyRule(id='rule1', priority=3, flow_list=flow_list),
            version=1,
        )
        self.service_manager.session_rule_version_mapper.save_version(
            imsi, convert_ipv4_str_to_ip_proto(sub_ip), 'rule1', 1,
        )

        """ Setup subscriber, setup table_isolation to fwd pkts """
        sub_context = RyuDirectSubscriberContext(
            imsi, sub_ip, self.enforcement_controller,
            self._main_tbl_num, self.enforcement_stats_controller,
        ).add_policy(policy)

        snapshot_verifier = SnapshotVerifier(
            self, self.BRIDGE,
            self.service_manager,
        )
        with sub_context, snapshot_verifier:
            rule_map = self.enforcement_stats_controller.get_stats()
            if (rule_map.records[0].rule_id == self.DEFAULT_DROP_FLOW_NAME):
                rule_record = rule_map.records[1]
            else:
                rule_record = rule_map.records[0]
            self.assertEqual(rule_record.sid, imsi)
            self.assertEqual(rule_record.rule_id, "rule1")
            self.assertEqual(rule_record.bytes_tx, 0)
            self.assertEqual(rule_record.bytes_rx, 0)
            rule_map_cookie = self.enforcement_stats_controller.get_stats(1, 0)
            if (rule_map_cookie.records[0].rule_id == self.DEFAULT_DROP_FLOW_NAME):
                rule_record_cookie = rule_map_cookie.records[1]
            else:
                rule_record_cookie = rule_map_cookie.records[0]
            self.assertEqual(rule_record_cookie.sid, imsi)
            self.assertEqual(rule_record_cookie.rule_id, "rule1")
            self.assertEqual(rule_record_cookie.bytes_tx, 0)
            self.assertEqual(rule_record_cookie.bytes_rx, 0)
예제 #14
0
    def test_rule_install(self):
        """
        Adds a policy to a subscriber. Verifies that flows are properly
        installed in enforcement and enforcement stats.

        Assert:
            Policy classification flows installed in enforcement
            Policy match flows installed in enforcement_stats
        """
        fake_controller_setup(
            self.enforcement_controller,
            self.enforcement_stats_controller,
        )
        imsi = 'IMSI001010000000013'
        sub_ip = '192.168.128.74'

        flow_list = [
            FlowDescription(
                match=FlowMatch(
                    ip_dst=convert_ipv4_str_to_ip_proto('45.10.0.0/25'),
                    direction=FlowMatch.UPLINK,
                ),
                action=FlowDescription.PERMIT,
            ),
        ]
        policy = VersionedPolicy(
            rule=PolicyRule(id='rule1', priority=3, flow_list=flow_list),
            version=1,
        )
        self.service_manager.session_rule_version_mapper.save_version(
            imsi,
            convert_ipv4_str_to_ip_proto(sub_ip),
            'rule1',
            1,
        )
        """ Setup subscriber, setup table_isolation to fwd pkts """
        sub_context = RyuDirectSubscriberContext(
            imsi,
            sub_ip,
            self.enforcement_controller,
            self._main_tbl_num,
            self.enforcement_stats_controller,
        ).add_policy(policy)

        # =========================== Verification ===========================

        # Verifies that 1 flow is installed in enforcement and 2 flows are
        # installed in enforcement stats, one for uplink and one for downlink.
        snapshot_verifier = SnapshotVerifier(
            self,
            self.BRIDGE,
            self.service_manager,
        )

        with sub_context, snapshot_verifier:
            pass
예제 #15
0
def activate_dynamic_rule(client, args):
    request = ActivateFlowsRequest(
        sid=SIDUtils.to_pb(args.imsi),
        dynamic_rules=[
            PolicyRule(
                id=args.rule_id,
                priority=args.priority,
                hard_timeout=args.hard_timeout,
                flow_list=[
                    FlowDescription(match=FlowMatch(
                        ipv4_dst=args.ipv4_dst, direction=FlowMatch.UPLINK)),
                    FlowDescription(match=FlowMatch(
                        ipv4_src=args.ipv4_dst, direction=FlowMatch.DOWNLINK)),
                ],
            )
        ],
        request_origin=RequestOriginType(type=RequestOriginType.GX))
    response = client.ActivateFlows(request)
    _print_rule_mod_results(response.dynamic_rule_results)
예제 #16
0
    def get_flow_match(self, flow_list, flow_match_list):
        """
        Populates flow match list
        """
        for flow in flow_list:
            flow_direction = (FlowMatch.UPLINK if flow["direction"] == "UL"
                              else FlowMatch.DOWNLINK)
            ip_protocol = flow["ip_proto"]
            if ip_protocol == "TCP":
                ip_protocol = FlowMatch.IPPROTO_TCP
                udp_src_port = 0
                udp_dst_port = 0
                tcp_src_port = (int(flow["tcp_src_port"])
                                if "tcp_src_port" in flow else 0)
                tcp_dst_port = (int(flow["tcp_dst_port"])
                                if "tcp_dst_port" in flow else 0)
            elif ip_protocol == "UDP":
                ip_protocol = FlowMatch.IPPROTO_UDP
                tcp_src_port = 0
                tcp_dst_port = 0
                udp_src_port = (int(flow["udp_src_port"])
                                if "udp_src_port" in flow else 0)
                udp_dst_port = (int(flow["udp_dst_port"])
                                if "udp_dst_port" in flow else 0)
            else:
                udp_src_port = 0
                udp_dst_port = 0
                tcp_src_port = 0
                tcp_dst_port = 0

            ipv4_src_addr = None
            if flow.get("ipv4_src", None):
                ipv4_src_addr = IPAddress(
                    version=IPAddress.IPV4,
                    address=flow.get("ipv4_src").encode('utf-8'))
            ipv4_dst_addr = None
            if flow.get("ipv4_dst", None):
                ipv4_dst_addr = IPAddress(
                    version=IPAddress.IPV4,
                    address=flow.get("ipv4_dst").encode('utf-8'))

            flow_match_list.append(
                FlowDescription(
                    match=FlowMatch(
                        ip_dst=ipv4_dst_addr,
                        ip_src=ipv4_src_addr,
                        tcp_src=tcp_src_port,
                        tcp_dst=tcp_dst_port,
                        udp_src=udp_src_port,
                        udp_dst=udp_dst_port,
                        ip_proto=ip_protocol,
                        direction=flow_direction,
                    ),
                    action=FlowDescription.PERMIT,
                ))
예제 #17
0
    def test_ipv6_rule_install(self):
        """
        Adds a ipv6 policy to a subscriber. Verifies that flows are properly
        installed in enforcement and enforcement stats.

        Assert:
            Policy classification flows installed in enforcement
            Policy match flows installed in enforcement_stats
        """
        fake_controller_setup(
            self.enforcement_controller,
            self.enforcement_stats_controller,
        )

        imsi = 'IMSI001010000000013'
        sub_ip = 'de34:431d:1bc::'

        flow_list = [
            FlowDescription(
                match=FlowMatch(
                    ip_dst=convert_ipv6_bytes_to_ip_proto(
                        'f333:432::dbca'.encode('utf-8'), ),
                    direction=FlowMatch.UPLINK,
                ),
                action=FlowDescription.PERMIT,
            ),
        ]
        policy = VersionedPolicy(
            rule=PolicyRule(id='rule1', priority=3, flow_list=flow_list),
            version=1,
        )
        self.service_manager.session_rule_version_mapper.save_version(
            imsi,
            convert_ipv4_str_to_ip_proto(sub_ip),
            'rule1',
            1,
        )
        """ Setup subscriber, setup table_isolation to fwd pkts """
        sub_context = RyuDirectSubscriberContext(
            imsi,
            sub_ip,
            self.enforcement_controller,
            self._main_tbl_num,
            self.enforcement_stats_controller,
        ).add_policy(policy)

        # =========================== Verification ===========================
        snapshot_verifier = SnapshotVerifier(
            self,
            self.BRIDGE,
            self.service_manager,
        )

        with sub_context, snapshot_verifier:
            pass
예제 #18
0
    def test_enforcemnet_rules(self):
        """
        Add QOS policy to enforcement table into OVS. 
        """
        fake_controller_setup(self.enforcement_controller)
        imsi = 'IMSI001010000000013'
        sub_ip = '192.168.128.30'
        flow_list1 = [
            FlowDescription(
                match=FlowMatch(
                    direction=FlowMatch.UPLINK,
                ),
                action=FlowDescription.PERMIT,
            ),
            FlowDescription(
                match=FlowMatch(
                    ip_dst=convert_ipv4_str_to_ip_proto("192.168.0.0/24"),
                    direction=FlowMatch.DOWNLINK,
                ),
                action=FlowDescription.PERMIT,
            ),
        ]
        self.service_manager.session_rule_version_mapper.save_version(
            imsi, convert_ipv4_str_to_ip_proto(sub_ip), "rule1", 1,
        )
        self.enforcement_controller.activate_rules(
            imsi, None, 0, convert_ipv4_str_to_ip_proto(sub_ip),
            None, policies=[
                VersionedPolicy(
                    rule=PolicyRule(id='rule1', priority=65530, flow_list=flow_list1),
                    version=1,
                ),
            ], shard_id=0, local_f_teid_ng=100,
        )

        snapshot_verifier = SnapshotVerifier(
            self, self.BRIDGE,
            self.service_manager,
        )

        with snapshot_verifier:
            pass
예제 #19
0
    def test_subscriber_policy(self):
        """
        Add policy to subscriber, send 4096 packets

        Assert:
            Packets are properly matched with the 'simple_match' policy
            Send /20 (4096) packets, match /16 (256) packets
        """
        imsi = 'IMSI010000000088888'
        sub_ip = '192.168.128.74'
        flow_list1 = [FlowDescription(
            match=FlowMatch(
                ipv4_dst='45.10.0.0/24', direction=FlowMatch.UPLINK),
            action=FlowDescription.PERMIT)
        ]
        policies = [
            PolicyRule(id='simple_match', priority=2, flow_list=flow_list1)
        ]
        pkts_matched = 256
        pkts_sent = 4096

        self._static_rule_dict[policies[0].id] = policies[0]

        # ============================ Subscriber ============================
        sub_context = RyuDirectSubscriberContext(
            imsi, sub_ip, self.enforcement_controller, self._tbl_num
        ).add_static_rule(policies[0].id)
        isolator = RyuDirectTableIsolator(
            RyuForwardFlowArgsBuilder.from_subscriber(sub_context.cfg)
                                     .build_requests(),
            self.testing_controller
        )
        pkt_sender = ScapyPacketInjector(self.IFACE)
        packet = IPPacketBuilder()\
            .set_ip_layer('45.10.0.0/20', sub_ip)\
            .set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
            .build()
        flow_query = FlowQuery(
            self._tbl_num, self.testing_controller,
            match=flow_match_to_magma_match(flow_list1[0].match)
        )

        # =========================== Verification ===========================
        # Verify aggregate table stats, subscriber 1 'simple_match' pkt count
        flow_verifier = FlowVerifier([
            FlowTest(FlowQuery(self._tbl_num, self.testing_controller),
                     pkts_sent),
            FlowTest(flow_query, pkts_matched)
        ], lambda: wait_after_send(self.testing_controller))

        with isolator, sub_context, flow_verifier:
            pkt_sender.send(packet)

        flow_verifier.verify()
예제 #20
0
파일: test_gy.py 프로젝트: katojunya/magma
    def test_subscriber_redirect_policy(self):
        """
        Add redirect policy to subscriber, send 4096 packets

        Assert:
            Packets are properly matched with the 'simple_match' policy
            Send /20 (4096) packets, match /16 (256) packets
        """
        fake_controller_setup(self.gy_controller)
        imsi = 'IMSI010000000088888'
        sub_ip = '192.168.128.74'
        redirect_ips = ["185.128.101.5", "185.128.121.4"]
        self.gy_controller._redirect_manager._dns_cache.get(
            "about.sha.ddih.org", lambda: redirect_ips, max_age=42,
        )
        flow_list = [FlowDescription(match=FlowMatch())]
        policy = VersionedPolicy(
            rule=PolicyRule(
                id='redir_test', priority=3, flow_list=flow_list,
                redirect=RedirectInformation(
                    support=1,
                    address_type=2,
                    server_address="http://about.sha.ddih.org/",
                ),
            ),
            version=1,
        )

        # ============================ Subscriber ============================
        sub_context = RyuDirectSubscriberContext(
            imsi, sub_ip, self.gy_controller, self._tbl_num,
        ).add_policy(policy)
        isolator = RyuDirectTableIsolator(
            RyuForwardFlowArgsBuilder.from_subscriber(sub_context.cfg)
                                     .build_requests(),
            self.testing_controller,
        )
        pkt_sender = ScapyPacketInjector(self.IFACE)
        packet = TCPPacketBuilder()\
            .set_tcp_layer(42132, 80, 2)\
            .set_tcp_flags("S")\
            .set_ip_layer('151.42.41.122', sub_ip)\
            .set_ether_layer(self.MAC_DEST, "01:20:10:20:aa:bb")\
            .build()

        snapshot_verifier = SnapshotVerifier(
            self, self.BRIDGE,
            self.service_manager,
            include_stats=False,
        )

        with isolator, sub_context, snapshot_verifier:
            pkt_sender.send(packet)
예제 #21
0
    def CreateAddQERinPDR(qos_enforce_rule: QoSEnforceRuleEntry,
                          ue_ip_addr: str) -> ActivateFlowsRequest:

        if qos_enforce_rule.allow == 'YES':
            allow = FlowDescription.PERMIT
        else:
            allow = FlowDescription.DENY

        ip_dst = None
        ip_src = None

        if qos_enforce_rule.ipv4_dst:
            ip_dst = convert_ipv4_str_to_ip_proto(qos_enforce_rule.ipv4_dst)
            ip_src = convert_ipv4_str_to_ip_proto(qos_enforce_rule.ipv4_dst)

        if qos_enforce_rule.direction == FlowMatch.UPLINK:
            flow_list = [
                FlowDescription(match=FlowMatch(
                    ip_dst=ip_dst, direction=qos_enforce_rule.direction),
                                action=allow)
            ]
        else:
            flow_list = [
                FlowDescription(match=FlowMatch(
                    ip_src=ip_src, direction=qos_enforce_rule.direction),
                                action=allow)
            ]

        qos_enforce_rule = ActivateFlowsRequest(
            sid=SIDUtils.to_pb(qos_enforce_rule.imsi),
            ip_addr=ue_ip_addr,
            dynamic_rules=[
                PolicyRule(id=qos_enforce_rule.rule_id,
                           priority=qos_enforce_rule.priority,
                           hard_timeout=qos_enforce_rule.hard_timeout,
                           flow_list=flow_list)
            ],
            request_origin=RequestOriginType(type=RequestOriginType.N4))
        return qos_enforce_rule
예제 #22
0
 def _get_allow_all_flows(self) -> List[FlowDescription]:
     """
     Returns:
         Two flows, for outgoing and incoming traffic
     """
     return [
         # Set flow match for ll packets
         # Don't set the app_name field
         FlowDescription(  # uplink flow
             match=FlowMatch(),
             action=FlowDescription.Action.Value("PERMIT"),
         ),
     ]
예제 #23
0
def activate_flows(client, args):
    request = ActivateFlowsRequest(
        sid=SIDUtils.to_pb(args.imsi),
        ip_addr=args.ipv4,
        policies=[VersionedPolicy(
            rule=PolicyRule(
                id=args.rule_id,
                priority=args.priority,
                hard_timeout=args.hard_timeout,
                flow_list=[
                    FlowDescription(match=FlowMatch(
                        ip_dst=convert_ipv4_str_to_ip_proto(args.ipv4_dst),
                        direction=FlowMatch.UPLINK)),
                    FlowDescription(match=FlowMatch(
                        ip_src=convert_ipv4_str_to_ip_proto(args.ipv4_dst),
                        direction=FlowMatch.DOWNLINK)),
                ],
            ),
            version=1)],
        request_origin=RequestOriginType(type=RequestOriginType.GX))
    response = client.ActivateFlows(request)
    _print_rule_mod_results(response.policy_results)
예제 #24
0
    def test_subscriber_policy_with_he(self):
        """
        Add policy to subscriber with HE config

        """
        cls = self.__class__

        fake_controller_setup(self.enforcement_controller)

        imsi = 'IMSI010000000088888'
        sub_ip = '192.168.128.74'
        flow_list1 = [
            FlowDescription(
                match=FlowMatch(
                    ip_dst=convert_ipv4_str_to_ip_proto('45.10.0.0/24'),
                    direction=FlowMatch.UPLINK,
                ),
                action=FlowDescription.PERMIT,
            ),
        ]
        he = HeaderEnrichment(urls=['abc.com'])
        policies = [
            VersionedPolicy(
                rule=PolicyRule(id='simple_match',
                                priority=2,
                                flow_list=flow_list1,
                                he=he),
                version=1,
            ),
        ]

        # ============================ Subscriber ============================
        sub_context = RyuDirectSubscriberContext(
            imsi,
            sub_ip,
            self.enforcement_controller,
            self._tbl_num,
        ).add_policy(policies[0])

        isolator = RyuDirectTableIsolator(
            RyuForwardFlowArgsBuilder.from_subscriber(
                sub_context.cfg).build_requests(),
            self.testing_controller,
        )
        snapshot_verifier = SnapshotVerifier(
            self,
            self.BRIDGE,
            self.service_manager,
        )
        with isolator, sub_context, snapshot_verifier:
            pass
예제 #25
0
 def _get_whitelisted_policies(self):
     """ Policies to allow http traffic to the whitelisted sites """
     rules = []
     for ip, ports in self._whitelisted_ips.items():
         for port in ports:
             if ip == 'local':
                 ip = self._local_ip
             rules.append(
                 PolicyRule(
                     id='whitelist',
                     priority=self.ALLOW_ALL_PRIORITY,
                     flow_list=[
                         FlowDescription(
                             match=FlowMatch(direction=FlowMatch.UPLINK,
                                             ip_proto=FlowMatch.IPPROTO_TCP,
                                             ipv4_dst=ip,
                                             tcp_dst=port)),
                         FlowDescription(
                             match=FlowMatch(direction=FlowMatch.DOWNLINK,
                                             ip_proto=FlowMatch.IPPROTO_TCP,
                                             ipv4_src=ip,
                                             tcp_src=port)),
                     ]))
     return rules
예제 #26
0
    def test_Update(self):
        """
        Test the happy path where updates come in for rules, and sessiond
        accepts the SessionRules without issue.
        """

        # Expected call arguments to SetSessionRules
        allow_all_flow_list = [
            FlowDescription(
                match=FlowMatch(
                    direction=FlowMatch.Direction.Value("UPLINK"), ),
                action=FlowDescription.Action.Value("PERMIT"),
            ),
            FlowDescription(
                match=FlowMatch(
                    direction=FlowMatch.Direction.Value("DOWNLINK"), ),
                action=FlowDescription.Action.Value("PERMIT"),
            ),
        ]  # type: List[FlowDescription]
        no_tracking_type = PolicyRule.TrackingType.Value("NO_TRACKING")
        expected = SessionRules(rules_per_subscriber=[
            RulesPerSubscriber(
                imsi='imsi_1',
                rule_set=[
                    RuleSet(
                        apply_subscriber_wide=False,
                        apn="apn1",
                        static_rules=[
                            StaticRuleInstall(rule_id="p1"),
                        ],
                        dynamic_rules=[
                            DynamicRuleInstall(policy_rule=PolicyRule(
                                id="allowlist_sid-imsi_1-apn1",
                                priority=2,
                                flow_list=allow_all_flow_list,
                                tracking_type=no_tracking_type,
                            ))
                        ],
                    ),
                ]),
            RulesPerSubscriber(
                imsi='imsi_2',
                rule_set=[
                    RuleSet(
                        apply_subscriber_wide=False,
                        apn="apn1",
                        static_rules=[
                            StaticRuleInstall(rule_id="p5"),
                        ],
                        dynamic_rules=[
                            DynamicRuleInstall(policy_rule=PolicyRule(
                                id="allowlist_sid-imsi_2-apn1",
                                priority=2,
                                flow_list=allow_all_flow_list,
                                tracking_type=no_tracking_type,
                            ))
                        ],
                    ),
                ])
        ])

        # Setup the test
        apn_rules_dict = {}
        basenames_dict = {
            'bn1': ChargingRuleNameSet(RuleNames=['p5']),
            'bn2': ChargingRuleNameSet(RuleNames=['p6']),
        }
        stub = MockLocalSessionManagerStub()

        stub_call_args = []  # type: List[SessionRules]
        side_effect = get_SetSessionRules_side_effect(stub_call_args)
        stub.SetSessionRules = Mock(side_effect=side_effect)

        callback = ApnRuleMappingsStreamerCallback(
            stub,
            basenames_dict,
            apn_rules_dict,
        )

        # Construct a set of updates, keyed by subscriber ID
        updates = [
            DataUpdate(
                key="imsi_1",
                value=SubscriberPolicySet(rules_per_apn=[
                    ApnPolicySet(
                        apn="apn1",
                        assigned_base_names=[],
                        assigned_policies=["p1"],
                    ),
                ], ).SerializeToString(),
            ),
            DataUpdate(
                key="imsi_2",
                value=SubscriberPolicySet(rules_per_apn=[
                    ApnPolicySet(
                        apn="apn1",
                        assigned_base_names=["bn1"],
                        assigned_policies=[],
                    ),
                ], ).SerializeToString(),
            ),
        ]

        callback.process_update("stream", updates, False)

        # Since we used a stub which always succeeds when a RAR is made,
        # We should expect the assignments_dict to be updated
        imsi_1_policies = apn_rules_dict["imsi_1"]
        self.assertEqual(len(imsi_1_policies.rules_per_apn), 1,
                         'There should be 1 active APNs for imsi_1')
        self.assertEqual(len(stub_call_args), 1,
                         'Stub should have been called once')
        called_with = stub_call_args[0].SerializeToString()
        self.assertEqual(called_with, expected.SerializeToString(),
                         'SetSessionRules call has incorrect arguments')

        # Stream down a second update, and now IMSI_1 gets access to a new APN
        updates_2 = [
            DataUpdate(
                key="imsi_1",
                value=SubscriberPolicySet(rules_per_apn=[
                    ApnPolicySet(
                        apn="apn2",
                        assigned_base_names=["bn1"],
                        assigned_policies=[],
                    ),
                ], ).SerializeToString(),
            ),
            DataUpdate(
                key="imsi_2",
                value=SubscriberPolicySet(
                    global_base_names=["bn2"],
                    global_policies=[],
                    rules_per_apn=[
                        ApnPolicySet(
                            apn="apn1",
                            assigned_base_names=[],
                            assigned_policies=[],
                        ),
                    ],
                ).SerializeToString(),
            ),
        ]
        expected_2 = SessionRules(rules_per_subscriber=[
            RulesPerSubscriber(
                imsi='imsi_1',
                rule_set=[
                    RuleSet(
                        apply_subscriber_wide=False,
                        apn="apn2",
                        static_rules=[
                            StaticRuleInstall(rule_id="p5"),
                        ],
                        dynamic_rules=[
                            DynamicRuleInstall(policy_rule=PolicyRule(
                                id="allowlist_sid-imsi_1-apn2",
                                priority=2,
                                flow_list=allow_all_flow_list,
                                tracking_type=no_tracking_type,
                            ))
                        ],
                    ),
                ]),
            RulesPerSubscriber(
                imsi='imsi_2',
                rule_set=[
                    RuleSet(
                        apply_subscriber_wide=False,
                        apn="apn1",
                        static_rules=[
                            StaticRuleInstall(rule_id="p6"),
                        ],
                        dynamic_rules=[
                            DynamicRuleInstall(policy_rule=PolicyRule(
                                id="allowlist_sid-imsi_2-apn1",
                                priority=2,
                                flow_list=allow_all_flow_list,
                                tracking_type=no_tracking_type,
                            ))
                        ],
                    ),
                ]),
        ])

        callback.process_update("stream", updates_2, False)

        imsi_1_policies = apn_rules_dict["imsi_1"]
        self.assertEqual(len(imsi_1_policies.rules_per_apn), 1,
                         'There should be 1 active APNs for imsi_1')
        self.assertEqual(len(stub_call_args), 2,
                         'Stub should have been called twice')
        called_with = stub_call_args[1].SerializeToString()
        self.assertEqual(called_with, expected_2.SerializeToString(),
                         'SetSessionRules call has incorrect arguments')
예제 #27
0
    def test_rule_reactivation(self):
        """
        Adds a policy to a subscriber, deletes it by incrementing the
        version, and add it back. Verifies that the usage stats is correctly
        reported, the old flows are deleted, and the new flows are installed.

        Assert:
            UPLINK policy matches 128 packets (*34 = 4352 bytes)
            Old flows are deleted
            New flows are installed
            No other stats are reported
        """
        fake_controller_setup(self.enforcement_controller,
                              self.enforcement_stats_controller)
        imsi = 'IMSI001010000000013'
        sub_ip = '192.168.128.74'
        num_pkts_tx_match = 128

        flow_list = [
            FlowDescription(match=FlowMatch(ipv4_dst='45.10.0.0/25',
                                            direction=FlowMatch.UPLINK),
                            action=FlowDescription.PERMIT)
        ]
        policy = PolicyRule(id='rule1', priority=3, flow_list=flow_list)
        enf_stat_name = imsi + '|rule1'
        self.service_manager.session_rule_version_mapper.update_version(
            imsi, 'rule1')
        version = \
            self.service_manager.session_rule_version_mapper.get_version(
                imsi, 'rule1')
        """ Setup subscriber, setup table_isolation to fwd pkts """
        self._static_rule_dict[policy.id] = policy
        sub_context = RyuDirectSubscriberContext(
            imsi, sub_ip, self.enforcement_controller, self._main_tbl_num,
            self.enforcement_stats_controller).add_static_rule(policy.id)
        isolator = RyuDirectTableIsolator(
            RyuForwardFlowArgsBuilder.from_subscriber(
                sub_context.cfg).build_requests(), self.testing_controller)
        """ Create a packet """
        pkt_sender = ScapyPacketInjector(self.IFACE)
        packet = IPPacketBuilder() \
            .set_ip_layer('45.10.0.0/20', sub_ip) \
            .set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00") \
            .build()

        # =========================== Verification ===========================
        rule_num = self.enforcement_stats_controller._rule_mapper \
            .get_or_create_rule_num(policy.id)
        enf_query = FlowQuery(self._main_tbl_num,
                              self.testing_controller,
                              match=flow_match_to_magma_match(
                                  FlowMatch(ipv4_dst='45.10.0.0/25',
                                            direction=FlowMatch.UPLINK)),
                              cookie=rule_num)
        es_old_version_query = FlowQuery(self._scratch_tbl_num,
                                         self.testing_controller,
                                         match=MagmaMatch(
                                             imsi=encode_imsi(imsi),
                                             reg2=rule_num,
                                             rule_version=version),
                                         cookie=rule_num)
        es_new_version_query = FlowQuery(self._scratch_tbl_num,
                                         self.testing_controller,
                                         match=MagmaMatch(
                                             imsi=encode_imsi(imsi),
                                             reg2=rule_num,
                                             rule_version=version + 1),
                                         cookie=rule_num)
        packet_wait = FlowVerifier([], self._wait_func([enf_stat_name]))
        """ Verify that flows are properly deleted """
        verifier = FlowVerifier([
            FlowTest(es_old_version_query, 0, flow_count=0),
            FlowTest(es_new_version_query, num_pkts_tx_match, flow_count=2),
            FlowTest(enf_query, num_pkts_tx_match, flow_count=1),
        ], self._wait_func([enf_stat_name]))
        snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
                                             self.service_manager)
        """
        Send a packet, then deactivate and reactivate the same rule and send a
        packet. Wait until it is received by ovs and enf stats.
        """
        with isolator, sub_context, verifier, snapshot_verifier:
            with packet_wait:
                self.enforcement_stats_controller._report_usage.reset_mock()
                pkt_sender.send(packet)

            self.enforcement_stats_controller._report_usage.reset_mock()
            self.service_manager.session_rule_version_mapper. \
                update_version(imsi, 'rule1')
            self.enforcement_controller.deactivate_rules(imsi, [policy.id])
            self.enforcement_controller.activate_rules(imsi, sub_ip,
                                                       [policy.id], [])
            self.enforcement_stats_controller.activate_rules(
                imsi, sub_ip, [policy.id], [])
            pkt_sender.send(packet)

        verifier.verify()

        stats = get_enforcement_stats(
            self.enforcement_stats_controller._report_usage.call_args_list)
        """
        Verify both packets are reported after reactivation.
        """
        self.assertEqual(stats[enf_stat_name].sid, imsi)
        self.assertEqual(stats[enf_stat_name].rule_id, "rule1")
        self.assertEqual(stats[enf_stat_name].bytes_rx, 0)
        # TODO Figure out why this one fails.
        #self.assertEqual(stats[enf_stat_name].bytes_tx,
        #                 num_pkts_tx_match * len(packet))
        self.assertEqual(len(stats), 1)
예제 #28
0
    def test_subscriber_policy(self):
        """
        Adds 2 policies to subscriber, verifies that EnforcementStatsController
        reports correct stats to sessiond

        Assert:
            UPLINK policy matches 128 packets (*34 = 4352 bytes)
            DOWNLINK policy matches 256 packets (*34 = 8704 bytes)
            No other stats are reported
        """
        fake_controller_setup(self.enforcement_controller,
                              self.enforcement_stats_controller)
        imsi = 'IMSI001010000000013'
        sub_ip = '192.168.128.74'
        num_pkts_tx_match = 128
        num_pkts_rx_match = 256
        """ Create 2 policy rules for the subscriber """
        flow_list1 = [
            FlowDescription(match=FlowMatch(ipv4_dst='45.10.0.0/25',
                                            direction=FlowMatch.UPLINK),
                            action=FlowDescription.PERMIT)
        ]
        flow_list2 = [
            FlowDescription(match=FlowMatch(ipv4_src='45.10.0.0/24',
                                            direction=FlowMatch.DOWNLINK),
                            action=FlowDescription.PERMIT)
        ]
        policies = [
            PolicyRule(id='tx_match', priority=3, flow_list=flow_list1),
            PolicyRule(id='rx_match', priority=5, flow_list=flow_list2)
        ]
        enf_stat_name = [imsi + '|tx_match', imsi + '|rx_match']
        self.service_manager.session_rule_version_mapper.update_version(
            imsi, 'tx_match')
        self.service_manager.session_rule_version_mapper.update_version(
            imsi, 'rx_match')
        """ Setup subscriber, setup table_isolation to fwd pkts """
        self._static_rule_dict[policies[0].id] = policies[0]
        self._static_rule_dict[policies[1].id] = policies[1]
        sub_context = RyuDirectSubscriberContext(
            imsi, sub_ip, self.enforcement_controller, self._main_tbl_num,
            self.enforcement_stats_controller).add_static_rule(
                policies[0].id).add_static_rule(policies[1].id)
        isolator = RyuDirectTableIsolator(
            RyuForwardFlowArgsBuilder.from_subscriber(
                sub_context.cfg).build_requests(), self.testing_controller)
        """ Create 2 sets of packets, for policry rule1&2 """
        pkt_sender = ScapyPacketInjector(self.IFACE)
        packet1 = IPPacketBuilder()\
            .set_ip_layer('45.10.0.0/20', sub_ip)\
            .set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
            .build()
        packet2 = IPPacketBuilder()\
            .set_ip_layer(sub_ip, '45.10.0.0/20')\
            .set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
            .build()

        # =========================== Verification ===========================
        flow_verifier = FlowVerifier([], self._wait_func(enf_stat_name))
        snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
                                             self.service_manager)
        """ Send packets, wait until pkts are received by ovs and enf stats """
        with isolator, sub_context, flow_verifier, snapshot_verifier:
            pkt_sender.send(packet1)
            pkt_sender.send(packet2)

        stats = get_enforcement_stats(
            self.enforcement_stats_controller._report_usage.call_args_list)

        self.assertEqual(stats[enf_stat_name[0]].sid, imsi)
        self.assertEqual(stats[enf_stat_name[0]].rule_id, "tx_match")
        self.assertEqual(stats[enf_stat_name[0]].bytes_rx, 0)
        self.assertEqual(stats[enf_stat_name[0]].bytes_tx,
                         num_pkts_tx_match * len(packet1))

        self.assertEqual(stats[enf_stat_name[1]].sid, imsi)
        self.assertEqual(stats[enf_stat_name[1]].rule_id, "rx_match")
        self.assertEqual(stats[enf_stat_name[1]].bytes_tx, 0)

        # downlink packets will discount ethernet header by default
        # so, only count the IP portion
        total_bytes_pkt2 = num_pkts_rx_match * len(packet2[IP])
        self.assertEqual(stats[enf_stat_name[1]].bytes_rx, total_bytes_pkt2)

        self.assertEqual(len(stats), 2)
예제 #29
0
    def test_two_subscribers(self):
        """
        Add 2 subscribers at the same time

        Assert:
            For subcriber1 the packets are matched to the proper policy
            For subcriber2 the packets are matched to the proper policy
            The total packet delta in the table is from the above matches
        """
        fake_controller_setup(self.enforcement_controller)
        pkt_sender = ScapyPacketInjector(self.IFACE)
        ip_match = [
            FlowDescription(match=FlowMatch(
                ip_src=convert_ipv4_str_to_ip_proto('8.8.8.0/24'),
                direction=1),
                            action=1)
        ]
        tcp_match = [
            FlowDescription(match=FlowMatch(ip_proto=6,
                                            direction=FlowMatch.DOWNLINK),
                            action=FlowDescription.DENY)
        ]

        self._static_rule_dict['t'] = PolicyRule(id='t',
                                                 priority=2,
                                                 flow_list=ip_match)

        # =========================== Subscriber 1 ===========================
        sub_context1 = RyuDirectSubscriberContext(
            'IMSI208950001111111', '192.168.128.5',
            self.enforcement_controller, self._tbl_num).add_static_rule('t')
        isolator1 = RyuDirectTableIsolator(
            RyuForwardFlowArgsBuilder.from_subscriber(
                sub_context1.cfg).build_requests(), self.testing_controller)
        packet_ip = IPPacketBuilder()\
            .set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
            .set_ip_layer(sub_context1.cfg.ip, '8.8.8.8')\
            .build()
        s1_pkts_sent = 29
        pkts_to_send = [PktsToSend(packet_ip, s1_pkts_sent)]
        flow_query1 = FlowQuery(self._tbl_num,
                                self.testing_controller,
                                match=flow_match_to_magma_match(
                                    ip_match[0].match))
        s1 = SubTest(sub_context1, isolator1,
                     FlowTest(flow_query1, s1_pkts_sent))

        # =========================== Subscriber 2 ===========================
        sub_context2 = RyuDirectSubscriberContext(
            'IMSI911500451242001', '192.168.128.100',
            self.enforcement_controller, self._tbl_num).add_dynamic_rule(
                PolicyRule(id='qqq', priority=2, flow_list=tcp_match))
        isolator2 = RyuDirectTableIsolator(
            RyuForwardFlowArgsBuilder.from_subscriber(
                sub_context2.cfg).build_requests(), self.testing_controller)
        packet_tcp = TCPPacketBuilder()\
            .set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
            .set_ip_layer(sub_context2.cfg.ip, '15.0.0.8')\
            .build()
        s2_pkts_sent = 18
        pkts_to_send.append(PktsToSend(packet_tcp, s2_pkts_sent))
        flow_query2 = FlowQuery(self._tbl_num,
                                self.testing_controller,
                                match=flow_match_to_magma_match(
                                    tcp_match[0].match))
        s2 = SubTest(sub_context2, isolator2,
                     FlowTest(flow_query2, s2_pkts_sent))

        # =========================== Verification ===========================
        # Verify aggregate table stats, subscriber 1 & 2 flows packet matches
        pkts = s1_pkts_sent + s2_pkts_sent
        flow_verifier = FlowVerifier([
            FlowTest(FlowQuery(self._tbl_num, self.testing_controller), pkts),
            s1.flowtest_list, s2.flowtest_list
        ], lambda: wait_after_send(self.testing_controller))
        snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
                                             self.service_manager)

        with s1.isolator, s1.context, s2.isolator, s2.context, flow_verifier, \
             snapshot_verifier:
            for pkt in pkts_to_send:
                pkt_sender.send(pkt.pkt, pkt.num)

        flow_verifier.verify()
예제 #30
0
    def test_subscriber_two_policies(self):
        """
        Add 2 policies to subscriber

        Assert:
            Packets are properly matched with the 'match' policy
            The total packet delta in the table is from the above match
        """
        fake_controller_setup(self.enforcement_controller)
        imsi = 'IMSI208950000000001'
        sub_ip = '192.168.128.74'
        flow_list1 = [
            FlowDescription(match=FlowMatch(
                ip_src=convert_ipv4_str_to_ip_proto('15.0.0.0/24'),
                direction=FlowMatch.DOWNLINK),
                            action=FlowDescription.DENY)
        ]
        flow_list2 = [
            FlowDescription(match=FlowMatch(ip_proto=6,
                                            direction=FlowMatch.UPLINK),
                            action=FlowDescription.PERMIT)
        ]
        policies = [
            PolicyRule(id='match', priority=2, flow_list=flow_list1),
            PolicyRule(id='no_match', priority=2, flow_list=flow_list2)
        ]
        pkts_sent = 42

        self._static_rule_dict[policies[0].id] = policies[0]
        self._static_rule_dict[policies[1].id] = policies[1]

        # ============================ Subscriber ============================
        sub_context = RyuDirectSubscriberContext(imsi, sub_ip,
                                                 self.enforcement_controller,
                                                 self._tbl_num) \
            .add_static_rule(policies[0].id)\
            .add_static_rule(policies[1].id)
        isolator = RyuDirectTableIsolator(
            RyuForwardFlowArgsBuilder.from_subscriber(
                sub_context.cfg).build_requests(), self.testing_controller)
        pkt_sender = ScapyPacketInjector(self.IFACE)
        packet = IPPacketBuilder()\
            .set_ip_layer(sub_ip, '15.0.0.8')\
            .set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00")\
            .build()
        flow_query = FlowQuery(self._tbl_num,
                               self.testing_controller,
                               match=flow_match_to_magma_match(
                                   flow_list1[0].match))

        # =========================== Verification ===========================
        # Verify aggregate table stats, subscriber 1 'match' rule pkt count
        flow_verifier = FlowVerifier([
            FlowTest(FlowQuery(self._tbl_num, self.testing_controller),
                     pkts_sent),
            FlowTest(flow_query, pkts_sent)
        ], lambda: wait_after_send(self.testing_controller))
        snapshot_verifier = SnapshotVerifier(self, self.BRIDGE,
                                             self.service_manager)

        with isolator, sub_context, flow_verifier, snapshot_verifier:
            pkt_sender.send(packet, pkts_sent)

        flow_verifier.verify()