def generate_random_rules(max_rule_num):
src_ip_list = ['10.1.1.%d' % x for x in range(1, 255)]
src_ip6_list = ['1000::%d' % x for x in range(101, 300)]
dst_port_list = range(20, 200)
dst_ip4 = '192.168.0.1'
dst_ip6 = '1::1'
rule_type_list = [cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, cfg.VrfIncomingSvcsRule.RULE_TYPE_IP]
af_list = [socket.AF_INET, socket.AF_INET6]
proto_list = [cfg.VrfIncomingSvcsRule.RULE_PROTO_TCP, cfg.VrfIncomingSvcsRule.RULE_PROTO_UDP]
action_list = [cfg.VrfIncomingSvcsRule.RULE_ACTION_DENY, cfg.VrfIncomingSvcsRule.RULE_ACTION_ALLOW]
prefix_list = [8, 16, 24, 32]
prefix6_list = [8, 16, 24, 32, 64, 128]
bool_list = [True, False]
rule_id_list = range(10000, 10200)
intf_list = [None, 'vdef-nsid1024', 'lo']
rules = []
for idx in xrange(max_rule_num):
vrf_name = get_rand_list_item(vrf_name_list)
af = get_rand_list_item(af_list)
action = get_rand_list_item(action_list)
rule_type = get_rand_list_item(rule_type_list)
seq_num = random.randint(1, 1000)
if get_rand_list_item(bool_list):
rule_id = get_rand_list_item(rule_id_list, True)
else:
rule_id = None
high_prio = get_rand_list_item(bool_list)
if rule_type == cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL:
if af == socket.AF_INET:
src_ip = get_rand_list_item(src_ip_list, True)
prefix_len = get_rand_list_item(prefix_list)
else:
src_ip = get_rand_list_item(src_ip6_list, True)
prefix_len = get_rand_list_item(prefix6_list)
if src_ip is None:
break
in_intf = get_rand_list_item(intf_list)
rule = cfg.VrfIncomingSvcsRule(rule_type, vrf_name, action, af,
src_ip = socket.inet_pton(af, src_ip), prefix_len = prefix_len,
seq_num = seq_num, rule_id = rule_id,
high_prio = high_prio, in_intf = in_intf)
else:
proto = get_rand_list_item(proto_list)
dst_port = get_rand_list_item(dst_port_list, True)
if dst_port is None:
break
if vrf_name != 'default':
action = cfg.VrfIncomingSvcsRule.RULE_ACTION_DNAT
if af == socket.AF_INET:
dst_ip = dst_ip4
else:
dst_ip = dst_ip6
else:
dst_ip = None
rule = cfg.VrfIncomingSvcsRule(rule_type, vrf_name, action, af, protocol = proto,
dst_port = dst_port, dst_ip = (None if dst_ip is None else socket.inet_pton(af, dst_ip)),
seq_num = seq_num, rule_id = rule_id, high_prio = high_prio)
rules.append(rule)
return rules
def test_rule_obj():
af = socket.AF_INET
rule1 = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, 'test_vrf',
cfg.VrfIncomingSvcsRule.RULE_ACTION_ALLOW, af,
src_ip = socket.inet_pton(af, '1.1.1.0'), prefix_len = 24,
protocol = cfg.VrfIncomingSvcsRule.RULE_PROTO_TCP,
dst_port = 8080, seq_num = 100,
rule_id = 1)
rule2 = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, 'test_vrf',
cfg.VrfIncomingSvcsRule.RULE_ACTION_DENY, af,
src_ip = socket.inet_pton(af, '1.1.2.0'), prefix_len = 24,
protocol = cfg.VrfIncomingSvcsRule.RULE_PROTO_UDP,
dst_port = 1000, seq_num = 110,
rule_id = 2)
assert rule1.get_rule_type_name() == 'ACL'
assert rule1.get_af_name() == 'IPv4'
assert rule1.get_action_name() == 'allow'
assert rule1.get_proto_name() == 'tcp'
print 'IPv4 rule created:'
print str(rule1)
print str(rule2)
assert rule1 == rule1
assert not rule1 == rule2
assert rule1.match(src_ip = socket.inet_pton(af, '1.1.1.0'), prefix_len = 24)
assert not rule2.match(src_ip = socket.inet_pton(af, '1.1.1.0'), prefix_len = 24)
af = socket.AF_INET6
rule1 = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_IP, 'test_vrf',
cfg.VrfIncomingSvcsRule.RULE_ACTION_DNAT, af,
src_ip = socket.inet_pton(af, '1::1'), prefix_len = 128,
dst_ip = socket.inet_pton(af, '2::1'),
protocol = cfg.VrfIncomingSvcsRule.RULE_PROTO_ICMP)
rule2 = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_IP, 'test_vrf',
cfg.VrfIncomingSvcsRule.RULE_ACTION_DNAT, af,
src_ip = socket.inet_pton(af, '1::2'), prefix_len = 128,
dst_ip = socket.inet_pton(af, '2::1'),
seq_num = 20)
print 'IPv6 rule created:'
print str(rule1)
print str(rule2)
assert rule1 == rule1
assert not rule1 == rule2
assert rule1.match(src_ip = socket.inet_pton(af, '1::1'))
assert not rule2.match(src_ip = socket.inet_pton(af, '1::1'))
with pytest.raises(ValueError):
rule = cfg.VrfIncomingSvcsRule(100, 'vrf', 1, socket.AF_INET6)
with pytest.raises(ValueError):
rule = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, 'vrf', 1, 50)
with pytest.raises(ValueError):
rule = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, 'vrf', 1, socket.AF_INET,
protocol = 6)
with pytest.raises(ValueError):
rule = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, 'vrf', 6, socket.AF_INET)
def test_rule_list():
id_gen = IdGenerator()
prefix_len_list = [8, 16, 24, 32]
action_list = [cfg.VrfIncomingSvcsRule.RULE_ACTION_ALLOW, cfg.VrfIncomingSvcsRule.RULE_ACTION_DENY]
src_ip_list = []
for idx in range(1, 250):
src_ip_list.append('2.2.2.' + str(idx))
rule_list = cfg.VrfIncomingSvcsRuleList()
af = socket.AF_INET
rule1 = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, 'test_vrf',
cfg.VrfIncomingSvcsRule.RULE_ACTION_ALLOW, af,
src_ip = socket.inet_pton(af, '1.1.1.0'), prefix_len = 24,
protocol = cfg.VrfIncomingSvcsRule.RULE_PROTO_TCP,
dst_port = 8080, seq_num = 100)
assert rule_list.insert(rule1) is None
rule1.rule_id = 5
assert rule_list.insert(rule1) == 0
assert len(rule_list) == 1
new_rule = copy.deepcopy(rule1)
# duplicate insert is not allowed
assert rule_list.insert(new_rule) is None
new_rule.rule_id = None
# delete rule by rule attribute match
assert rule_list.remove(new_rule) is not None
assert len(rule_list) == 0
rule1.rule_id = 10
assert rule_list.insert(rule1) == 0
assert rule_list.remove_by_id(10) is not None
assert len(rule_list) == 0
assert len(rule_list.seq_num_list) == 0
assert len(rule_list.rule_id_map) == 0
test_rule_num = 20
rule_id_list = []
while test_rule_num > 0:
src_ip = get_rand_list_item(src_ip_list, True)
if src_ip is None:
break
prefix_len = get_rand_list_item(prefix_len_list)
action = get_rand_list_item(action_list)
rule = cfg.VrfIncomingSvcsRule(cfg.VrfIncomingSvcsRule.RULE_TYPE_ACL, "test_vrf", action, af,
src_ip = socket.inet_pton(socket.AF_INET, src_ip),
prefix_len = prefix_len, seq_num = random.randint(1, 1000),
rule_id = id_gen.get_new_id())
print 'Add rule to list: %s' % rule
idx = rule_list.insert(rule)
assert idx is not None
check_rule_list(rule_list)
rule_id_list.append(rule.rule_id)
test_rule_num -= 1
assert len(rule_list) == 20
assert len(rule_id_list) == 20
print 'Rule IDs: %s' % rule_id_list
# clone rule list
new_list = copy.deepcopy(rule_list)
assert len(new_list) == 20
# delete all rules
while len(rule_id_list) > 0:
rule_id = get_rand_list_item(rule_id_list, True)
print 'Delete rule ID %d' % rule_id
assert rule_list.remove_by_id(rule_id) is not None
check_rule_list(rule_list)
assert len(rule_list) == 0
assert len(rule_list.seq_num_list) == 0
assert len(rule_list.rule_id_map) == 0
print 'All rules were deleted'
new_list.clear()
assert len(new_list) == 0
assert len(new_list.seq_num_list) == 0
assert len(new_list.rule_id_map) == 0
def test_ipt_rule_check():
print 'Test system rule check with cache'
rule_list = generate_random_rules(test_rule_count)
# test for 0 ip address matching
rule_list.append(cfg.VrfIncomingSvcsRule(cfg.VrfSvcsRuleType.RULE_TYPE_ACL, 'test_management',
cfg.VrfSvcsRuleAction.RULE_ACTION_ALLOW, socket.AF_INET,
src_ip = socket.inet_pton(socket.AF_INET, '0.0.0.0'),
src_prefix_len = 0, seq_num = 9998))
rule_list.append(cfg.VrfIncomingSvcsRule(cfg.VrfSvcsRuleType.RULE_TYPE_ACL, 'test_management',
cfg.VrfSvcsRuleAction.RULE_ACTION_ALLOW, socket.AF_INET6,
src_ip = socket.inet_pton(socket.AF_INET6, '::'),
src_prefix_len = 0, seq_num = 9999))
print 'Install ACL rules to system:'
for rule in rule_list:
print str(rule)
assert cfg.VrfIncomingSvcsRuleCache.insert_rule(rule)
print 'Checking installed ACL rules'
for af in [socket.AF_INET, socket.AF_INET6]:
for vrf_name in cfg.VrfIncomingSvcsRuleCache.acl_rules[af]:
assert cfg.VrfIncomingSvcsRuleCache.check_ipt_rules(cfg.VrfSvcsRuleType.RULE_TYPE_ACL, af, vrf_name)
for vrf_name in cfg.VrfIncomingSvcsRuleCache.ip_rules[af]:
assert cfg.VrfIncomingSvcsRuleCache.check_ipt_rules(cfg.VrfSvcsRuleType.RULE_TYPE_IP, af, vrf_name)
print '%d rules in cache and system are synchronized' % len(rule_list)
# Get installed rules from system
get_rule_list = []
for rule_type in [cfg.VrfSvcsRuleType.RULE_TYPE_ACL, cfg.VrfSvcsRuleType.RULE_TYPE_IP]:
for af in [socket.AF_INET, socket.AF_INET6]:
for vrf_name in vrf_name_list:
assert cfg.IptablesHandler.get_rule_from_ipt(rule_type, af, vrf_name, get_rule_list)
assert len(get_rule_list) == len(rule_list)
print 'ACL rules read from system:'
for rule in get_rule_list:
print str(rule)
rule_idx_list = range(len(rule_list))
cache_del_rules = []
ipt_del_rules = []
sync_key_set = set()
for num in range(len(rule_list) / 2):
idx = get_rand_list_item(rule_idx_list, True)
rule = rule_list[idx]
if num <= len(rule_list) / 4:
cache_del_rules.append(rule)
else:
ipt_del_rules.append(rule)
sync_key_set.add((rule.rule_type, rule.af, rule.vrf_name))
for rule in cache_del_rules:
if rule.rule_type == cfg.VrfSvcsRuleType.RULE_TYPE_ACL:
rule_list = cfg.VrfIncomingSvcsRuleCache.acl_rules[rule.af][rule.vrf_name]
else:
rule_list = cfg.VrfIncomingSvcsRuleCache.ip_rules[rule.af][rule.vrf_name]
assert rule_list.remove(rule) is not None
assert cfg.VrfIncomingSvcsRuleCache.id_generator.release_id(rule.rule_id)
for rule in ipt_del_rules:
assert cfg.IptablesHandler.proc_rule('delete', rule)
for rule_type, af, vrf_name in sync_key_set:
print 'Expect failure for checking rules for TYPE %d AF %d VRF %s' % (rule_type, af, vrf_name)
assert not cfg.VrfIncomingSvcsRuleCache.check_ipt_rules(rule_type, af, vrf_name)
# Clear all rules from cache and system
for rule in ipt_del_rules:
if rule.rule_type == cfg.VrfSvcsRuleType.RULE_TYPE_ACL:
rule_list = cfg.VrfIncomingSvcsRuleCache.acl_rules[rule.af][rule.vrf_name]
else:
rule_list = cfg.VrfIncomingSvcsRuleCache.ip_rules[rule.af][rule.vrf_name]
assert rule_list.remove(rule) is not None
assert cfg.VrfIncomingSvcsRuleCache.id_generator.release_id(rule.rule_id)
for rule in cache_del_rules:
assert cfg.IptablesHandler.proc_rule('delete', rule)
cfg.VrfIncomingSvcsRuleCache.clear_all_rules()
# Check if system rule cleared
rule_list = []
for rule_type in [cfg.VrfSvcsRuleType.RULE_TYPE_ACL, cfg.VrfSvcsRuleType.RULE_TYPE_IP]:
for af in [socket.AF_INET, socket.AF_INET6]:
for vrf_name in vrf_name_list:
assert cfg.IptablesHandler.get_rule_from_ipt(rule_type, af, vrf_name, rule_list)
assert len(rule_list) == 0
