def ipv4_acl_config(): st.log('Creating IPv4 ACL in ACL table:') acl_obj.create_acl_table(vars.D1, name=data.acl_ipv4_table_name, type=data.type, description=data.description, stage=data.stage) st.log('Adding IPv4 ACL source_ip drop rule in ACL rule table:') acl_obj.create_acl_rule(vars.D1, table_name=data.acl_ipv4_table_name, rule_name=data.acl_rule, packet_action=data.packet_action, priority=data.priority, SRC_IP="{}/{}".format(data.src_ip, data.mask))
def ipv6_acl_config(): st.log('Creating IPv6 ACL in ACL table:') acl_obj.create_acl_table(vars.D1, name=data.acl_ipv6_table_name, type=data.type_ipv6, description=data.description, stage=data.stage, ports=[vars.D1T1P1]) st.log('Adding IPv4 ACL source_ip drop rule in ACL rule table:') acl_obj.create_acl_rule(vars.D1, table_name=data.acl_ipv6_table_name, acl_type="ipv6", rule_name=data.acl_rule_v6, packet_action=data.packet_action, priority=data.priority, SRC_IPV6="{}/{}".format(data.src_ipv6, data.mask_ipv6))
def create_aclrule_scale(**kwargs): #import pdb;pdb.set_trace() mnd_params = ['dut', 'acl_name'] for param in mnd_params: if param not in kwargs: st.log('Mandatory parameter {} is not found'.format(param)) return False input_params = [ 'src_ip', 'src_ip_incr', 'src_ip_mask', 'dst_ip', 'dst_ip_incr', 'dst_ip_mask', 'src_ipv6', 'src_ipv6_incr', 'src_ipv6_mask', 'dst_ipv6', 'dst_ipv6_incr', 'dst_ipv6_mask', 'src_port', 'src_port_incr', 'dst_port', 'dst_port_incr', 'rule_name', 'action', 'priority', 'priority_incr', 'ip_type', 'ip_protocol', 'tcp_flags', 'dscp', 'mirror_action', 'ether_type', 'dut', 'acl_name', 'acl_name_incr', 'count' ] def_list = [ '', '', '24', '', '', '24', '', '', '64', '', '', '64', '', '', '', '', '1', 'forward', '1', '', '', '', '', '', '', '', '', '', '', '1' ] list_params = map( input_params.__getitem__, [0, 3, 6, 9, 12, 14, 16, 17, 18, 19, 20, 22, 23, 24, 25, 27]) d = {} for i, param in enumerate(input_params): d[param] = kwargs.get(param, def_list[i]) d['count'] = int(d['count']) # To conver the values to list if user has not provided. for param in list_params: if param in kwargs: d[param] = list(kwargs[param]) if type( kwargs[param]) is list else [kwargs[param]] else: d[param] = [d[param]] if d['count'] != 1: for param in list_params: if len(d[param]) != d['count']: if param != 'rule_name': if param + '_incr' in kwargs: if param == 'src_ip' or param == 'dst_ip': d[param] = tol.range_ipv4(d[param][0], d['count'], d[param + '_mask']) if param == 'src_ipv6' or param == 'dst_ipv6': d[param] = tol.range_ipv6(d[param][0], d['count'], d[param + '_mask']) if param == 'src_port' or param == 'dst_port' or param == 'priority': d[param] = range(int(d[param][0]), d['count'] + int(d[param][0])) if param == 'acl_name': d[param] = [ str(d[param][0]) + str(x) for x in range(d['count']) ] else: d[param] = d[param] * d['count'] else: d['rule_name'] = [ str(d[param][0]) + '_' + str(x) for x in range(d['count']) ] key_params = [ 'SRC_IP', 'DST_IP', 'SRC_IPV6', 'DST_IPV6', 'rule_name', 'packet_action', 'priority', 'ip_type', 'ip_protocol', 'tcp_flags', 'dscp', 'mirror_action', 'ether_type', 'table_name' ] spl_key_params = [ 'l4_src_port', 'l4_dst_port', 'l4_src_port_range', 'l4_dst_port_range' ] # 1:1 mapping with key_params that of input_params indexes. value_params = map(input_params.__getitem__, [0, 3, 6, 9, 16, 17, 18, 19, 20, 22, 23, 24, 25, 27]) spl_value_params = map(input_params.__getitem__, [12, 14]) values = [d[x] for x in value_params] spl_values = [d[x] for x in spl_value_params] for line, s_line in zip(zip(*values), zip(*spl_values)): dict_param = {'dut': d['dut']} for i, val in enumerate(line): if val != '': dict_param[key_params[i]] = val for i, val in enumerate(s_line): if val != '': j = 2 if re.search('-', val) else 0 dict_param[spl_key_params[i + j]] = val acl_obj.create_acl_rule(**dict_param) return True
def test_ft_erspan_action_ethertype_dscp_tcp_flags_l4range(): """ Author: Lakshminarayana D ([email protected]) Verify that ERSPAN is working as expected and intended traffic with TCP_FLAGS, L4_Range_Ports and dscp from ACL rule is mirrored to remote interface. Topology: --------- TG1 ---- DUT1 ---- DUT2 ---- TG3 TG2 ---- """ # tcp_flag_info = {'fin': 1, 'syn': 2, 'rst': 4, 'psh': 8, 'ack':16, 'urg': 32} ip.config_ip_addr_interface(vars.D1, vars.D1T1P1, "2001:1::1", "64", family="ipv6") ip.config_ip_addr_interface(vars.D1, vars.D1T1P2, "2001:2::1", "64", family="ipv6") tcp_flag_info = {'fin': 1} for k, v in tcp_flag_info.items(): kn = 'psh' if k == 'urg' else 'urg' vn = 8 if v == 32 else 32 proto = 'tcp' # l4 port values port_val = {'src_port': 2000, 'dst_port': 3000} c_fields = [proto + '_src_port', proto + '_dst_port', 'dscp'] # Creating l4_port range parameters to TG stream tg_arg = {c_fields[0]: port_val['src_port'], c_fields[1]: port_val['dst_port'], proto + "_src_port_mode": 'incr', proto + "_src_port_count": '10', proto + "_dst_port_mode": 'incr', proto + "_dst_port_count": '10', proto + '_src_port_step': '1', proto + '_dst_port_step': '1', 'tcp_' + k + '_flag': 1} # Creating l4_port range parameters to TG stream to verify negative scenario tg_argn = {c_fields[0]: port_val['src_port'] + 11, c_fields[1]: port_val['dst_port'] + 11, 'tcp_' + kn + '_flag': 1} criteria_list = ['--ip-proto', '--dscp', '--tcp-flags', '--src-ip', '--dst-ip','--ether-type', '--src-port', '--dst-port'] criteria_values = ['6', '8','fin',data.src_ip_mask,data.dst_ip_mask,'0x0800','2000-2010','3000-3010'] acl.create_acl_rule(vars.D1, table_name="L3_IPV6_INGRESS", rule_name="FWD_RULE1", packet_action="FORWARD", priority=900, ether_type='0x86dd', type="L3V6", ip_protocol="ip") acl_dscp.config_classifier_table(vars.D1, enable='create', match_type="fields", class_name=data.acl_rule) acl_dscp.config_classifier_table(vars.D1, enable='yes', class_criteria=criteria_list, class_name=data.acl_rule, criteria_value=criteria_values, match_type="fields") acl_dscp.config_flow_update_table(vars.D1,policy_name=data.acl_table_name,flow='add',class_name=data.acl_rule, priority_value=data.priority, description=data.description, policy_type=data.type) acl_dscp.config_flow_update_table(vars.D1, policy_name=data.acl_table_name, flow='update',policy_type=data.type, class_name=data.acl_rule, priority_option='--mirror-session', priority_value=data.mirror_action) match = [{'class_name': data.acl_rule}] if not acl_dscp.verify(vars.D1, 'classifier', verify_list=match): st.report_fail("classifier_opeartion_failed") # TG traffic verification: retval = send_traffic(capture_values=[hex(v).lstrip('0x').zfill(2), '0800'], capture_fields=['tcp_flags', 'ether_type'], ip_dscp='8', l4_protocol='tcp', **tg_arg) if not retval[0]: st.report_fail("traffic_verification_fail", 'packet count') # TG traffic verification-Negetive check: retval = send_traffic(capture_values=[hex(vn).lstrip('0x').zfill(2), '86dd'], capture_fields=['tcp_flags', 'ether_type'], ip_dscp='56', l4_protocol='tcp', family='ipv6', neg_check=True, **tg_argn) if retval[0]: st.report_fail("neg_traffic_verification_fail", 'packet count') rule_counters=acl.show_acl_counters(vars.D1, acl_table="L3_IPV6_INGRESS", acl_rule="FWD_RULE1", acl_type="ipv6") if not rule_counters: st.report_fail("matched_traffic_forward_fail") if not rule_counters[0]['packetscnt'] or int(rule_counters[0]['packetscnt']) < data.pkts_per_burst: st.report_fail("matched_traffic_forward_fail") st.report_pass("test_case_passed")
def nat_pre_config(): global vars vars = st.ensure_min_topology("D1T1:2") platform = basic_obj.get_hwsku(vars.D1) common_constants = st.get_datastore(vars.D1, "constants", "default") if platform.lower() in common_constants['TH3_PLATFORMS']: st.error("NAT is not supported for this platform {}".format(platform)) st.report_unsupported('NAT_unsupported_platform',platform) global tg_handler, tg1, tg2, tg_ph_1, tg_ph_2, dut1_rt_int_mac, tg_str_data, tg_rt_int_handle tg_handler = util_tg_init(vars, [vars.T1D1P1, vars.T1D1P2]) tg1 = tg_handler["tg"] tg2 = tg_handler["tg"] tg_ph_1 = tg_handler["tg_ph_1"] tg_ph_2 = tg_handler["tg_ph_2"] ip_obj.config_ip_addr_interface(vars.D1, vars.D1T1P1, data.in1_ip_addr, data.in1_ip_addr_mask, family=data.af_ipv4) ip_obj.config_ip_addr_interface(vars.D1, vars.D1T1P2, data.out_ip_addr_l[0], data.out_ip_addr_mask, family=data.af_ipv4) dut1_rt_int_mac = basic_obj.get_ifconfig_ether(vars.D1, vars.D1T1P1) ip_obj.create_static_route(vars.D1, data.out_ip_addr_h, "{}/{}".format(data.global_ip_addr_rt, data.global_ip_addr_mask), shell=data.shell_vtysh, family=data.af_ipv4) ip_obj.create_static_route(vars.D1, data.in1_ip_addr_h[0], "{}/{}".format(data.s_global_ip_rt, data.s_global_ip_mask)) tg_rt_int_handle = util_tg_routing_int_config(vars, tg1, tg2, tg_ph_1, tg_ph_2) st.log("NAT Configuration") nat_obj.config_nat_feature(vars.D1, 'enable') util_nat_zone_config(vars, [vars.D1T1P1, vars.D1T1P2], [data.zone_1, data.zone_2], config=data.config_add) nat_obj.config_nat_static(vars.D1, protocol=data.proto_all, global_ip=data.out_ip_addr_l[0], local_ip=data.in1_ip_addr_h[0], config=data.config_add, nat_type=data.nat_type_dnat) nat_obj.config_nat_static(vars.D1, protocol=data.proto_tcp, global_ip=data.out_ip_addr_l[1], local_ip=data.in1_ip_addr_h[1], local_port_id=data.tcp_src_local_port, global_port_id=data.tcp_src_global_port, config=data.config_add, nat_type=data.nat_type_dnat) nat_obj.config_nat_static(vars.D1, protocol=data.proto_udp, global_ip=data.in1_ip_addr_h[2], local_ip=data.out_ip_addr_l[2], local_port_id=data.udp_src_global_port, global_port_id=data.udp_src_local_port, config=data.config_add, nat_type=data.nat_type_snat) nat_obj.config_nat_static(vars.D1, protocol=data.proto_all, global_ip=data.s_global_ip, local_ip=data.s_local_ip, config=data.config_add, nat_type=data.nat_type_snat) nat_obj.config_nat_static(vars.D1,protocol=data.proto_all,global_ip=data.out_ip_addr_l[3],local_ip=data.in1_ip_addr_h[3], config=data.config_add,nat_type=data.nat_type_dnat,twice_nat_id=data.twice_nat_id_1) nat_obj.config_nat_static(vars.D1, protocol=data.proto_all, global_ip=data.global_ip_addr, local_ip=data.test_ip_addr, config=data.config_add, nat_type=data.nat_type_snat, twice_nat_id=data.twice_nat_id_1) # dynamic NAT config st.log("Creating NAT Pool-1") nat_obj.config_nat_pool(vars.D1, pool_name=data.pool_name[0], global_ip_range=data.out_ip_range, global_port_range= data.global_port_range, config=data.config_add) nat_obj.config_nat_pool(vars.D1, pool_name="scale_pool", global_ip_range="125.56.90.23-125.56.90.30", global_port_range="1001-8001", config=data.config_add) st.log("Creating NAT Pool binding") nat_obj.config_nat_pool_binding(vars.D1, binding_name=data.bind_name[0], pool_name=data.pool_name[0], config=data.config_add) st.log("Creating NAT Pool-2") nat_obj.config_nat_pool(vars.D1, pool_name=data.pool_name[1], global_ip_range=data.out2_ip_range, config=data.config_add) st.log("Creating NAT Pool-2 binding") nat_obj.config_nat_pool_binding(vars.D1, binding_name=data.bind_name[1], pool_name=data.pool_name[1], config=data.config_add) # nat acl for ingress traffic acl_obj.create_acl_table(vars.D1, name=data.acl_table_in_nat_eg, stage="INGRESS", type=data.type, description="ingress-acl", ports=[vars.D1T1P1]) acl_obj.create_acl_rule(vars.D1, table_name=data.acl_table_in_nat_eg, rule_name="rule-32", packet_action=data.packet_forward_action, SRC_IP="{}/{}".format(data.in1_ip_addr_rt, data.in1_ip_addr_mask), priority='98', type=data.type, ip_protocol="4") acl_obj.create_acl_rule(vars.D1, table_name=data.acl_table_in_nat_eg, rule_name="rule-33", packet_action=data.packet_do_not_nat_action, SRC_IP="{}/{}".format('14.1.0.1', data.mask), priority='97', type=data.type, ip_protocol="4") # Checking arp table for debugging arp_obj.show_arp(vars.D1) ip_obj.show_ip_route(vars.D1) # Clearing all interface counters for debugging purpose intf_obj.clear_interface_counters(vars.D1) tg_str_data = util_tg_stream_config(tg1, tg2, tg_ph_1, tg_ph_2)
def test_fuctPBR_02(): global description global descriptionv6 global vars vars = st.get_testbed_vars() final_result = True description = 'IPv4_ACL_redirect_NH' descriptionv6 = 'IPv6_ACL_redirect_NH' st.log( 'This test covers StSoSeConf014 StSoSeConf015 StSoSeVer014 StSoSeVer015' ) st.log('creating IPv4 static route') ipfeature.create_static_route(dut1, static_ip=srpIP, next_hop=nextHop_ip, shell='') ipfeature.create_static_route(dut1, static_ip=srpIPv6, next_hop=nextHop_ipv6, shell='', family='ipv6') st.log( 'creating IPv4 ACL table and binding to the ports in Ingress direction' ) acl_obj.create_acl_table(dut1, name=acl_table_name, stage=stage, type=type, description=description, ports=[r1_tg_ports1]) acl_obj.create_acl_table(dut1, name=acl_table_namev6, stage=stage, type=typev6, description=descriptionv6, ports=[r1_tg_ports1]) st.log( 'Creating ACL rules with src_ip dst_ip port and action as forward drop' ) acl_obj.create_acl_rule(dut1, table_name=acl_table_name, rule_name=rule_list[0], priority=priority_list[0], packet_action=pktAction + nextHop_ip + '|' + r1_tg_ports2, SRC_IP="{}/{}".format(srpIP, maskACL), DST_IP="{}/{}".format(dstIP, maskACL)) acl_obj.create_acl_rule(dut1, table_name=acl_table_name, rule_name=rule_list[9], priority=priority_list[9], packet_action='drop', IP_TYPE='ipv4any') acl_obj.create_acl_rule(dut1, table_name=acl_table_namev6, rule_name=rule_list[0], priority=priority_list[0], packet_action=pktAction + nextHop_ipv6 + '|' + r1_tg_ports2, SRC_IPV6="{}/{}".format(srpIPv6, '128'), DST_IPV6="{}/{}".format(dstIPv6, '128')) acl_obj.create_acl_rule(dut1, table_name=acl_table_namev6, rule_name=rule_list[9], priority=priority_list[9], packet_action='drop', IP_TYPE='ipv6any') #acl_obj.create_acl_rule(dut1, table_name=acl_table_name, rule_name=rule_list[0],priority=priority_list[0], packet_action=pktAction+nextHop_ip+'|'+r1_tg_ports2, SRC_IP="{}/{}".format(srpIP, maskACL),DST_IP="{}/{}".format(dstIP, maskACL)) start_stop_traffic(tg1, tg2, tg_dut1_p1_handle, tg_dut1_p2_handle) traffic_details = { '1': { 'tx_ports': [vars.T1D1P1], 'tx_obj': [tg1], 'exp_ratio': [[1, 0, 1, 0]], 'rx_ports': [vars.T1D1P2], 'rx_obj': [tg2], 'stream_list': [[stream_id1, stream_id2, stream_id3, stream_id4]] } } test1 = tgapi.validate_tgen_traffic(traffic_details=traffic_details, mode='streamblock', comp_type='packet_count') if test1 is False: st.error("Traffic Verification Failed") final_result = False t1 = acl_obj.verify_acl_stats(dut1, table_name=acl_table_name, rule_name=rule_list[0], packet_count=expCount) t2 = acl_obj.verify_acl_stats(dut1, table_name=acl_table_name, rule_name=rule_list[9], packet_count=expCount) t3 = acl_obj.verify_acl_stats(dut1, table_name=acl_table_namev6, rule_name=rule_list[0], packet_count=expCount) t4 = acl_obj.verify_acl_stats(dut1, table_name=acl_table_namev6, rule_name=rule_list[9], packet_count=int(expCount) + 16) if False in list(set([t1, t2, t3, t4])): tc = [t1, t2, t3, t4].index(False) print("TC failed for rule : " + str((tc + 1))) st.error("ACL stats validation Failed") final_result = False else: st.log('ACL stats validation Passed') st.log('Deleting IPv4/v6 static route') ipfeature.delete_static_route(dut1, static_ip=srpIP, next_hop=nextHop_ip, shell='') ipfeature.delete_static_route(dut1, static_ip=srpIPv6, next_hop=nextHop_ipv6, shell='', family='ipv6') st.log('Removing the ACL table config') acl_obj.delete_acl_table(dut=dut1, acl_table_name=acl_table_name) acl_obj.delete_acl_table(dut=dut1, acl_table_name=acl_table_namev6) if final_result: st.log( "PBR-Test:Validation of PBR REDIRECT_TO_Next-Hop interface Passed") st.report_pass('test_case_passed') else: st.error( "PBR-Test : Validation of PBR REDIRECT_TO_Next-Hop interface failed" ) st.report_fail('test_case_failed')