def ipv4_acl_config():
st.log('Creating IPv4 ACL in ACL table:')
acl_obj.create_acl_table(vars.D1,
name=data.acl_ipv4_table_name,
type=data.type,
description=data.description,
stage=data.stage)
st.log('Adding IPv4 ACL source_ip drop rule in ACL rule table:')
acl_obj.create_acl_rule(vars.D1,
table_name=data.acl_ipv4_table_name,
rule_name=data.acl_rule,
packet_action=data.packet_action,
priority=data.priority,
SRC_IP="{}/{}".format(data.src_ip, data.mask))
def ipv6_acl_config():
st.log('Creating IPv6 ACL in ACL table:')
acl_obj.create_acl_table(vars.D1,
name=data.acl_ipv6_table_name,
type=data.type_ipv6,
description=data.description,
stage=data.stage,
ports=[vars.D1T1P1])
st.log('Adding IPv4 ACL source_ip drop rule in ACL rule table:')
acl_obj.create_acl_rule(vars.D1,
table_name=data.acl_ipv6_table_name,
acl_type="ipv6",
rule_name=data.acl_rule_v6,
packet_action=data.packet_action,
priority=data.priority,
SRC_IPV6="{}/{}".format(data.src_ipv6,
data.mask_ipv6))
def create_aclrule_scale(**kwargs):
#import pdb;pdb.set_trace()
mnd_params = ['dut', 'acl_name']
for param in mnd_params:
if param not in kwargs:
st.log('Mandatory parameter {} is not found'.format(param))
return False
input_params = [
'src_ip', 'src_ip_incr', 'src_ip_mask', 'dst_ip', 'dst_ip_incr',
'dst_ip_mask', 'src_ipv6', 'src_ipv6_incr', 'src_ipv6_mask',
'dst_ipv6', 'dst_ipv6_incr', 'dst_ipv6_mask', 'src_port',
'src_port_incr', 'dst_port', 'dst_port_incr', 'rule_name', 'action',
'priority', 'priority_incr', 'ip_type', 'ip_protocol', 'tcp_flags',
'dscp', 'mirror_action', 'ether_type', 'dut', 'acl_name',
'acl_name_incr', 'count'
]
def_list = [
'', '', '24', '', '', '24', '', '', '64', '', '', '64', '', '', '', '',
'1', 'forward', '1', '', '', '', '', '', '', '', '', '', '', '1'
]
list_params = map(
input_params.__getitem__,
[0, 3, 6, 9, 12, 14, 16, 17, 18, 19, 20, 22, 23, 24, 25, 27])
d = {}
for i, param in enumerate(input_params):
d[param] = kwargs.get(param, def_list[i])
d['count'] = int(d['count'])
# To conver the values to list if user has not provided.
for param in list_params:
if param in kwargs:
d[param] = list(kwargs[param]) if type(
kwargs[param]) is list else [kwargs[param]]
else:
d[param] = [d[param]]
if d['count'] != 1:
for param in list_params:
if len(d[param]) != d['count']:
if param != 'rule_name':
if param + '_incr' in kwargs:
if param == 'src_ip' or param == 'dst_ip':
d[param] = tol.range_ipv4(d[param][0], d['count'],
d[param + '_mask'])
if param == 'src_ipv6' or param == 'dst_ipv6':
d[param] = tol.range_ipv6(d[param][0], d['count'],
d[param + '_mask'])
if param == 'src_port' or param == 'dst_port' or param == 'priority':
d[param] = range(int(d[param][0]),
d['count'] + int(d[param][0]))
if param == 'acl_name':
d[param] = [
str(d[param][0]) + str(x)
for x in range(d['count'])
]
else:
d[param] = d[param] * d['count']
else:
d['rule_name'] = [
str(d[param][0]) + '_' + str(x)
for x in range(d['count'])
]
key_params = [
'SRC_IP', 'DST_IP', 'SRC_IPV6', 'DST_IPV6', 'rule_name',
'packet_action', 'priority', 'ip_type', 'ip_protocol', 'tcp_flags',
'dscp', 'mirror_action', 'ether_type', 'table_name'
]
spl_key_params = [
'l4_src_port', 'l4_dst_port', 'l4_src_port_range', 'l4_dst_port_range'
]
# 1:1 mapping with key_params that of input_params indexes.
value_params = map(input_params.__getitem__,
[0, 3, 6, 9, 16, 17, 18, 19, 20, 22, 23, 24, 25, 27])
spl_value_params = map(input_params.__getitem__, [12, 14])
values = [d[x] for x in value_params]
spl_values = [d[x] for x in spl_value_params]
for line, s_line in zip(zip(*values), zip(*spl_values)):
dict_param = {'dut': d['dut']}
for i, val in enumerate(line):
if val != '':
dict_param[key_params[i]] = val
for i, val in enumerate(s_line):
if val != '':
j = 2 if re.search('-', val) else 0
dict_param[spl_key_params[i + j]] = val
acl_obj.create_acl_rule(**dict_param)
return True
def test_ft_erspan_action_ethertype_dscp_tcp_flags_l4range():
"""
Author: Lakshminarayana D ([email protected])
Verify that ERSPAN is working as expected and intended traffic with TCP_FLAGS, L4_Range_Ports and dscp from ACL
rule is mirrored to remote interface.
Topology:
---------
TG1 ----
DUT1 ---- DUT2 ---- TG3
TG2 ----
"""
# tcp_flag_info = {'fin': 1, 'syn': 2, 'rst': 4, 'psh': 8, 'ack':16, 'urg': 32}
ip.config_ip_addr_interface(vars.D1, vars.D1T1P1, "2001:1::1", "64", family="ipv6")
ip.config_ip_addr_interface(vars.D1, vars.D1T1P2, "2001:2::1", "64", family="ipv6")
tcp_flag_info = {'fin': 1}
for k, v in tcp_flag_info.items():
kn = 'psh' if k == 'urg' else 'urg'
vn = 8 if v == 32 else 32
proto = 'tcp'
# l4 port values
port_val = {'src_port': 2000, 'dst_port': 3000}
c_fields = [proto + '_src_port', proto + '_dst_port', 'dscp']
# Creating l4_port range parameters to TG stream
tg_arg = {c_fields[0]: port_val['src_port'], c_fields[1]: port_val['dst_port'],
proto + "_src_port_mode": 'incr', proto + "_src_port_count": '10',
proto + "_dst_port_mode": 'incr', proto + "_dst_port_count": '10',
proto + '_src_port_step': '1', proto + '_dst_port_step': '1', 'tcp_' + k + '_flag': 1}
# Creating l4_port range parameters to TG stream to verify negative scenario
tg_argn = {c_fields[0]: port_val['src_port'] + 11, c_fields[1]: port_val['dst_port'] + 11,
'tcp_' + kn + '_flag': 1}
criteria_list = ['--ip-proto', '--dscp', '--tcp-flags', '--src-ip', '--dst-ip','--ether-type', '--src-port',
'--dst-port']
criteria_values = ['6', '8','fin',data.src_ip_mask,data.dst_ip_mask,'0x0800','2000-2010','3000-3010']
acl.create_acl_rule(vars.D1, table_name="L3_IPV6_INGRESS", rule_name="FWD_RULE1", packet_action="FORWARD",
priority=900, ether_type='0x86dd', type="L3V6", ip_protocol="ip")
acl_dscp.config_classifier_table(vars.D1, enable='create', match_type="fields", class_name=data.acl_rule)
acl_dscp.config_classifier_table(vars.D1, enable='yes', class_criteria=criteria_list, class_name=data.acl_rule,
criteria_value=criteria_values, match_type="fields")
acl_dscp.config_flow_update_table(vars.D1,policy_name=data.acl_table_name,flow='add',class_name=data.acl_rule,
priority_value=data.priority, description=data.description, policy_type=data.type)
acl_dscp.config_flow_update_table(vars.D1, policy_name=data.acl_table_name, flow='update',policy_type=data.type,
class_name=data.acl_rule, priority_option='--mirror-session',
priority_value=data.mirror_action)
match = [{'class_name': data.acl_rule}]
if not acl_dscp.verify(vars.D1, 'classifier', verify_list=match):
st.report_fail("classifier_opeartion_failed")
# TG traffic verification:
retval = send_traffic(capture_values=[hex(v).lstrip('0x').zfill(2), '0800'],
capture_fields=['tcp_flags', 'ether_type'],
ip_dscp='8', l4_protocol='tcp', **tg_arg)
if not retval[0]:
st.report_fail("traffic_verification_fail", 'packet count')
# TG traffic verification-Negetive check:
retval = send_traffic(capture_values=[hex(vn).lstrip('0x').zfill(2), '86dd'],
capture_fields=['tcp_flags', 'ether_type'],
ip_dscp='56', l4_protocol='tcp', family='ipv6', neg_check=True, **tg_argn)
if retval[0]:
st.report_fail("neg_traffic_verification_fail", 'packet count')
rule_counters=acl.show_acl_counters(vars.D1, acl_table="L3_IPV6_INGRESS", acl_rule="FWD_RULE1", acl_type="ipv6")
if not rule_counters:
st.report_fail("matched_traffic_forward_fail")
if not rule_counters[0]['packetscnt'] or int(rule_counters[0]['packetscnt']) < data.pkts_per_burst:
st.report_fail("matched_traffic_forward_fail")
st.report_pass("test_case_passed")
def nat_pre_config():
global vars
vars = st.ensure_min_topology("D1T1:2")
platform = basic_obj.get_hwsku(vars.D1)
common_constants = st.get_datastore(vars.D1, "constants", "default")
if platform.lower() in common_constants['TH3_PLATFORMS']:
st.error("NAT is not supported for this platform {}".format(platform))
st.report_unsupported('NAT_unsupported_platform',platform)
global tg_handler, tg1, tg2, tg_ph_1, tg_ph_2, dut1_rt_int_mac, tg_str_data, tg_rt_int_handle
tg_handler = util_tg_init(vars, [vars.T1D1P1, vars.T1D1P2])
tg1 = tg_handler["tg"]
tg2 = tg_handler["tg"]
tg_ph_1 = tg_handler["tg_ph_1"]
tg_ph_2 = tg_handler["tg_ph_2"]
ip_obj.config_ip_addr_interface(vars.D1, vars.D1T1P1, data.in1_ip_addr, data.in1_ip_addr_mask, family=data.af_ipv4)
ip_obj.config_ip_addr_interface(vars.D1, vars.D1T1P2, data.out_ip_addr_l[0], data.out_ip_addr_mask, family=data.af_ipv4)
dut1_rt_int_mac = basic_obj.get_ifconfig_ether(vars.D1, vars.D1T1P1)
ip_obj.create_static_route(vars.D1, data.out_ip_addr_h,
"{}/{}".format(data.global_ip_addr_rt, data.global_ip_addr_mask),
shell=data.shell_vtysh, family=data.af_ipv4)
ip_obj.create_static_route(vars.D1, data.in1_ip_addr_h[0], "{}/{}".format(data.s_global_ip_rt, data.s_global_ip_mask))
tg_rt_int_handle = util_tg_routing_int_config(vars, tg1, tg2, tg_ph_1, tg_ph_2)
st.log("NAT Configuration")
nat_obj.config_nat_feature(vars.D1, 'enable')
util_nat_zone_config(vars, [vars.D1T1P1, vars.D1T1P2], [data.zone_1, data.zone_2], config=data.config_add)
nat_obj.config_nat_static(vars.D1, protocol=data.proto_all, global_ip=data.out_ip_addr_l[0],
local_ip=data.in1_ip_addr_h[0], config=data.config_add, nat_type=data.nat_type_dnat)
nat_obj.config_nat_static(vars.D1, protocol=data.proto_tcp, global_ip=data.out_ip_addr_l[1],
local_ip=data.in1_ip_addr_h[1],
local_port_id=data.tcp_src_local_port, global_port_id=data.tcp_src_global_port,
config=data.config_add, nat_type=data.nat_type_dnat)
nat_obj.config_nat_static(vars.D1, protocol=data.proto_udp, global_ip=data.in1_ip_addr_h[2],
local_ip=data.out_ip_addr_l[2],
local_port_id=data.udp_src_global_port, global_port_id=data.udp_src_local_port,
config=data.config_add, nat_type=data.nat_type_snat)
nat_obj.config_nat_static(vars.D1, protocol=data.proto_all, global_ip=data.s_global_ip, local_ip=data.s_local_ip,
config=data.config_add, nat_type=data.nat_type_snat)
nat_obj.config_nat_static(vars.D1,protocol=data.proto_all,global_ip=data.out_ip_addr_l[3],local_ip=data.in1_ip_addr_h[3],
config=data.config_add,nat_type=data.nat_type_dnat,twice_nat_id=data.twice_nat_id_1)
nat_obj.config_nat_static(vars.D1, protocol=data.proto_all, global_ip=data.global_ip_addr,
local_ip=data.test_ip_addr,
config=data.config_add, nat_type=data.nat_type_snat, twice_nat_id=data.twice_nat_id_1)
# dynamic NAT config
st.log("Creating NAT Pool-1")
nat_obj.config_nat_pool(vars.D1, pool_name=data.pool_name[0], global_ip_range=data.out_ip_range,
global_port_range= data.global_port_range, config=data.config_add)
nat_obj.config_nat_pool(vars.D1, pool_name="scale_pool", global_ip_range="125.56.90.23-125.56.90.30",
global_port_range="1001-8001", config=data.config_add)
st.log("Creating NAT Pool binding")
nat_obj.config_nat_pool_binding(vars.D1, binding_name=data.bind_name[0], pool_name=data.pool_name[0],
config=data.config_add)
st.log("Creating NAT Pool-2")
nat_obj.config_nat_pool(vars.D1, pool_name=data.pool_name[1], global_ip_range=data.out2_ip_range,
config=data.config_add)
st.log("Creating NAT Pool-2 binding")
nat_obj.config_nat_pool_binding(vars.D1, binding_name=data.bind_name[1], pool_name=data.pool_name[1],
config=data.config_add)
# nat acl for ingress traffic
acl_obj.create_acl_table(vars.D1, name=data.acl_table_in_nat_eg, stage="INGRESS", type=data.type,
description="ingress-acl", ports=[vars.D1T1P1])
acl_obj.create_acl_rule(vars.D1, table_name=data.acl_table_in_nat_eg, rule_name="rule-32", packet_action=data.packet_forward_action,
SRC_IP="{}/{}".format(data.in1_ip_addr_rt, data.in1_ip_addr_mask), priority='98', type=data.type, ip_protocol="4")
acl_obj.create_acl_rule(vars.D1, table_name=data.acl_table_in_nat_eg, rule_name="rule-33",
packet_action=data.packet_do_not_nat_action,
SRC_IP="{}/{}".format('14.1.0.1', data.mask), priority='97', type=data.type, ip_protocol="4")
# Checking arp table for debugging
arp_obj.show_arp(vars.D1)
ip_obj.show_ip_route(vars.D1)
# Clearing all interface counters for debugging purpose
intf_obj.clear_interface_counters(vars.D1)
tg_str_data = util_tg_stream_config(tg1, tg2, tg_ph_1, tg_ph_2)
def test_fuctPBR_02():
global description
global descriptionv6
global vars
vars = st.get_testbed_vars()
final_result = True
description = 'IPv4_ACL_redirect_NH'
descriptionv6 = 'IPv6_ACL_redirect_NH'
st.log(
'This test covers StSoSeConf014 StSoSeConf015 StSoSeVer014 StSoSeVer015'
)
st.log('creating IPv4 static route')
ipfeature.create_static_route(dut1,
static_ip=srpIP,
next_hop=nextHop_ip,
shell='')
ipfeature.create_static_route(dut1,
static_ip=srpIPv6,
next_hop=nextHop_ipv6,
shell='',
family='ipv6')
st.log(
'creating IPv4 ACL table and binding to the ports in Ingress direction'
)
acl_obj.create_acl_table(dut1,
name=acl_table_name,
stage=stage,
type=type,
description=description,
ports=[r1_tg_ports1])
acl_obj.create_acl_table(dut1,
name=acl_table_namev6,
stage=stage,
type=typev6,
description=descriptionv6,
ports=[r1_tg_ports1])
st.log(
'Creating ACL rules with src_ip dst_ip port and action as forward drop'
)
acl_obj.create_acl_rule(dut1,
table_name=acl_table_name,
rule_name=rule_list[0],
priority=priority_list[0],
packet_action=pktAction + nextHop_ip + '|' +
r1_tg_ports2,
SRC_IP="{}/{}".format(srpIP, maskACL),
DST_IP="{}/{}".format(dstIP, maskACL))
acl_obj.create_acl_rule(dut1,
table_name=acl_table_name,
rule_name=rule_list[9],
priority=priority_list[9],
packet_action='drop',
IP_TYPE='ipv4any')
acl_obj.create_acl_rule(dut1,
table_name=acl_table_namev6,
rule_name=rule_list[0],
priority=priority_list[0],
packet_action=pktAction + nextHop_ipv6 + '|' +
r1_tg_ports2,
SRC_IPV6="{}/{}".format(srpIPv6, '128'),
DST_IPV6="{}/{}".format(dstIPv6, '128'))
acl_obj.create_acl_rule(dut1,
table_name=acl_table_namev6,
rule_name=rule_list[9],
priority=priority_list[9],
packet_action='drop',
IP_TYPE='ipv6any')
#acl_obj.create_acl_rule(dut1, table_name=acl_table_name, rule_name=rule_list[0],priority=priority_list[0], packet_action=pktAction+nextHop_ip+'|'+r1_tg_ports2, SRC_IP="{}/{}".format(srpIP, maskACL),DST_IP="{}/{}".format(dstIP, maskACL))
start_stop_traffic(tg1, tg2, tg_dut1_p1_handle, tg_dut1_p2_handle)
traffic_details = {
'1': {
'tx_ports': [vars.T1D1P1],
'tx_obj': [tg1],
'exp_ratio': [[1, 0, 1, 0]],
'rx_ports': [vars.T1D1P2],
'rx_obj': [tg2],
'stream_list': [[stream_id1, stream_id2, stream_id3, stream_id4]]
}
}
test1 = tgapi.validate_tgen_traffic(traffic_details=traffic_details,
mode='streamblock',
comp_type='packet_count')
if test1 is False:
st.error("Traffic Verification Failed")
final_result = False
t1 = acl_obj.verify_acl_stats(dut1,
table_name=acl_table_name,
rule_name=rule_list[0],
packet_count=expCount)
t2 = acl_obj.verify_acl_stats(dut1,
table_name=acl_table_name,
rule_name=rule_list[9],
packet_count=expCount)
t3 = acl_obj.verify_acl_stats(dut1,
table_name=acl_table_namev6,
rule_name=rule_list[0],
packet_count=expCount)
t4 = acl_obj.verify_acl_stats(dut1,
table_name=acl_table_namev6,
rule_name=rule_list[9],
packet_count=int(expCount) + 16)
if False in list(set([t1, t2, t3, t4])):
tc = [t1, t2, t3, t4].index(False)
print("TC failed for rule : " + str((tc + 1)))
st.error("ACL stats validation Failed")
final_result = False
else:
st.log('ACL stats validation Passed')
st.log('Deleting IPv4/v6 static route')
ipfeature.delete_static_route(dut1,
static_ip=srpIP,
next_hop=nextHop_ip,
shell='')
ipfeature.delete_static_route(dut1,
static_ip=srpIPv6,
next_hop=nextHop_ipv6,
shell='',
family='ipv6')
st.log('Removing the ACL table config')
acl_obj.delete_acl_table(dut=dut1, acl_table_name=acl_table_name)
acl_obj.delete_acl_table(dut=dut1, acl_table_name=acl_table_namev6)
if final_result:
st.log(
"PBR-Test:Validation of PBR REDIRECT_TO_Next-Hop interface Passed")
st.report_pass('test_case_passed')
else:
st.error(
"PBR-Test : Validation of PBR REDIRECT_TO_Next-Hop interface failed"
)
st.report_fail('test_case_failed')
