def _ng_qer_update( self, request: SessionSet, pdr_entry: PDRRuleEntry, ) -> Tuple[List[RuleModResult], List[RuleModResult]]: enforcement_res = [] failed_policy_rules_results = [] session_version = request.session_version local_f_teid_ng = request.local_f_teid # PDR is deleted with ActiveRules or DelActive rules recieved if pdr_entry.pdr_state == PdrState.Value('REMOVE'): qos_enforce_rule = pdr_entry.del_qos_enforce_rule if qos_enforce_rule.ip_addr: ipv4 = convert_ipv4_str_to_ip_proto(qos_enforce_rule.ip_addr) self._ng_deactivate_qer_flows( ipv4, local_f_teid_ng, qos_enforce_rule, session_version, ) if qos_enforce_rule.ipv6_addr: ipv6 = convert_ipv6_bytes_to_ip_proto(qos_enforce_rule.ipv6_addr) self._ng_deactivate_qer_flows( ipv6, local_f_teid_ng, qos_enforce_rule, session_version, ) elif pdr_entry.pdr_state == PdrState.Value('IDLE'): qos_enforce_rule = pdr_entry.add_qos_enforce_rule if qos_enforce_rule.ip_addr: ipv4 = convert_ipv4_str_to_ip_proto(qos_enforce_rule.ip_addr) self._ng_inactivate_qer_flows(ipv4, qos_enforce_rule, session_version) if qos_enforce_rule.ipv6_addr: ipv6 = convert_ipv6_bytes_to_ip_proto(qos_enforce_rule.ipv6_addr) self._ng_inactivate_qer_flows(ipv6, qos_enforce_rule, session_version) # Install PDR rules elif pdr_entry.pdr_state == PdrState.Value('INSTALL'): qos_enforce_rule = pdr_entry.add_qos_enforce_rule if qos_enforce_rule.ip_addr: ipv4 = convert_ipv4_str_to_ip_proto(qos_enforce_rule.ip_addr) enforcement_res = \ self._ng_activate_qer_flow( ipv4, local_f_teid_ng, qos_enforce_rule, session_version, ) failed_policy_rules_results = \ _retrieve_failed_results(enforcement_res) if qos_enforce_rule.ipv6_addr: ipv6 = convert_ipv6_bytes_to_ip_proto(qos_enforce_rule.ipv6_addr) enforcement_res = \ self._ng_activate_qer_flow( ipv6, local_f_teid_ng, qos_enforce_rule, session_version, ) failed_policy_rules_results = \ _retrieve_failed_results(enforcement_res) return failed_policy_rules_results
def _activate_flows( self, request: ActivateFlowsRequest, fut: 'Future[ActivateFlowsResult]', ) -> None: """ Activate flows for ipv4 / ipv6 or both CWF won't have an ip_addr passed """ ret = ActivateFlowsResult() if self._service_config['setup_type'] == 'CWF' or request.ip_addr: ipv4 = convert_ipv4_str_to_ip_proto(request.ip_addr) if request.request_origin.type == RequestOriginType.GX: self._update_version(request, ipv4) ret_ipv4 = self._install_flows_gx(request, ipv4) else: ret_ipv4 = self._install_flows_gy(request, ipv4) ret.policy_results.extend(ret_ipv4.policy_results) if request.ipv6_addr: ipv6 = convert_ipv6_bytes_to_ip_proto(request.ipv6_addr) self._update_ipv6_prefix_store(request.ipv6_addr) if request.request_origin.type == RequestOriginType.GX: self._update_version(request, ipv6) ret_ipv6 = self._install_flows_gx(request, ipv6) else: ret_ipv6 = self._install_flows_gy(request, ipv6) ret.policy_results.extend(ret_ipv6.policy_results) fut.set_result(ret)
def _activate_flows(self, request: ActivateFlowsRequest, fut: 'Future[ActivateFlowsResult]') -> None: """ Activate flows for ipv4 / ipv6 or both CWF won't have an ip_addr passed """ ret = ActivateFlowsResult() if self._service_config['setup_type'] == 'CWF' or request.ip_addr: ipv4 = convert_ipv4_str_to_ip_proto(request.ip_addr) if request.request_origin.type == RequestOriginType.GX: ret_ipv4 = self._install_flows_gx(request, ipv4) else: ret_ipv4 = self._install_flows_gy(request, ipv4) ret.static_rule_results.extend(ret_ipv4.static_rule_results) ret.dynamic_rule_results.extend(ret_ipv4.dynamic_rule_results) if request.ipv6_addr: ipv6 = convert_ipv6_bytes_to_ip_proto(request.ipv6_addr) self._update_ipv6_prefix_store(request.ipv6_addr) if request.request_origin.type == RequestOriginType.GX: ret_ipv6 = self._install_flows_gx(request, ipv6) else: ret_ipv6 = self._install_flows_gy(request, ipv6) ret.static_rule_results.extend(ret_ipv6.static_rule_results) ret.dynamic_rule_results.extend(ret_ipv6.dynamic_rule_results) if request.uplink_tunnel and request.downlink_tunnel: self._update_tunnel_map_store(request.uplink_tunnel, request.downlink_tunnel) fut.set_result(ret)
def _get_ue_specific_flow_msgs(self, requests: List[ActivateFlowsRequest]): msg_list = [] for add_flow_req in requests: imsi = add_flow_req.sid.id apn_ambr = add_flow_req.apn_ambr policies = add_flow_req.policies msisdn = add_flow_req.msisdn uplink_tunnel = add_flow_req.uplink_tunnel if self._setup_type == 'CWF' or add_flow_req.ip_addr: ipv4 = convert_ipv4_str_to_ip_proto(add_flow_req.ip_addr) msgs = self._get_default_flow_msgs_for_subscriber(imsi, ipv4) if msgs: msg_list.extend(msgs) for policy in policies: msg_list.extend(self._get_policy_flows(imsi, msisdn, uplink_tunnel, ipv4, apn_ambr, policy)) if add_flow_req.ipv6_addr: ipv6 = convert_ipv6_bytes_to_ip_proto(add_flow_req.ipv6_addr) msgs = self._get_default_flow_msgs_for_subscriber(imsi, ipv6) if msgs: msg_list.extend(msgs) for policy in policies: msg_list.extend(self._get_policy_flows(imsi, msisdn, uplink_tunnel, ipv6, apn_ambr, policy)) return {self.tbl_num: msg_list}
def test_subscriber_ipv6_policy(self): """ Add policy to subscriber, send 4096 packets Assert: Packets are properly matched with the 'simple_match' policy Send /20 (4096) packets, match /16 (256) packets """ fake_controller_setup(self.enforcement_controller) imsi = 'IMSI010000000088888' sub_ip = 'de34:431d:1bc::' flow_list1 = [ FlowDescription( match=FlowMatch( ip_dst=convert_ipv6_bytes_to_ip_proto( 'f333:432::dbca'.encode('utf-8'), ), direction=FlowMatch.UPLINK, ), action=FlowDescription.PERMIT, ), ] policies = [ VersionedPolicy( rule=PolicyRule(id='simple_match', priority=2, flow_list=flow_list1), version=1, ), ] # ============================ Subscriber ============================ sub_context = RyuDirectSubscriberContext( imsi, sub_ip, self.enforcement_controller, self._tbl_num, ).add_policy(policies[0]) isolator = RyuDirectTableIsolator( RyuForwardFlowArgsBuilder.from_subscriber( sub_context.cfg).build_requests(), self.testing_controller, ) pkt_sender = ScapyPacketInjector(self.IFACE) packet = IPv6PacketBuilder() \ .set_ip_layer('f333:432::dbca', sub_ip) \ .set_ether_layer(self.MAC_DEST, "00:00:00:00:00:00") \ .build() # =========================== Verification =========================== snapshot_verifier = SnapshotVerifier( self, self.BRIDGE, self.service_manager, ) with isolator, sub_context, snapshot_verifier: pkt_sender.send(packet)
def test_ipv6_rule_install(self): """ Adds a ipv6 policy to a subscriber. Verifies that flows are properly installed in enforcement and enforcement stats. Assert: Policy classification flows installed in enforcement Policy match flows installed in enforcement_stats """ fake_controller_setup( self.enforcement_controller, self.enforcement_stats_controller, ) imsi = 'IMSI001010000000013' sub_ip = 'de34:431d:1bc::' flow_list = [ FlowDescription( match=FlowMatch( ip_dst=convert_ipv6_bytes_to_ip_proto( 'f333:432::dbca'.encode('utf-8'), ), direction=FlowMatch.UPLINK, ), action=FlowDescription.PERMIT, ), ] policy = VersionedPolicy( rule=PolicyRule(id='rule1', priority=3, flow_list=flow_list), version=1, ) self.service_manager.session_rule_version_mapper.save_version( imsi, convert_ipv4_str_to_ip_proto(sub_ip), 'rule1', 1, ) """ Setup subscriber, setup table_isolation to fwd pkts """ sub_context = RyuDirectSubscriberContext( imsi, sub_ip, self.enforcement_controller, self._main_tbl_num, self.enforcement_stats_controller, ).add_policy(policy) # =========================== Verification =========================== snapshot_verifier = SnapshotVerifier( self, self.BRIDGE, self.service_manager, ) with sub_context, snapshot_verifier: pass
def _deactivate_flows(self, request): """ Deactivate flows for ipv4 / ipv6 or both CWF won't have an ip_addr passed """ if self._service_config['setup_type'] == 'CWF' or request.ip_addr: ipv4 = convert_ipv4_str_to_ip_proto(request.ip_addr) if self._should_remove_from_gx(request): self._deactivate_flows_gx(request, ipv4) if self._should_remove_from_gy(request): self._deactivate_flows_gy(request, ipv4) if request.ipv6_addr: ipv6 = convert_ipv6_bytes_to_ip_proto(request.ipv6_addr) self._update_ipv6_prefix_store(request.ipv6_addr) if self._should_remove_from_gx(request): self._deactivate_flows_gx(request, ipv6) if self._should_remove_from_gy(request): self._deactivate_flows_gy(request, ipv6)
def test_enforcement_ipv6_restart(self): """ Adds rules using the setup feature 1) Empty SetupFlowsRequest - assert default flows 2) Add imsi with ipv6 policy - assert everything is properly added """ fake_controller_setup( enf_controller=self.enforcement_controller, enf_stats_controller=self.enforcement_stats_controller, startup_flow_controller=self.startup_flows_contoller, ) snapshot_verifier = SnapshotVerifier( self, self.BRIDGE, self.service_manager, 'default_flows', ) with snapshot_verifier: pass imsi = 'IMSI010000002388888' sub_ip = b'fe80:24c3:d0ff:fef3:9d21:4407:d337:1928' flow_list = [ FlowDescription( match=FlowMatch( ip_dst=convert_ipv6_bytes_to_ip_proto(b'fe80::'), direction=FlowMatch.UPLINK, ), action=FlowDescription.PERMIT, ), ] policies = [ VersionedPolicy( rule=PolicyRule(id='ipv6_rule', priority=2, flow_list=flow_list), version=1, ), ] enf_stat_name = [imsi + '|ipv6_rule' + '|' + str(sub_ip) + "|" + "1"] setup_flows_request = SetupFlowsRequest( requests=[ ActivateFlowsRequest( sid=SIDUtils.to_pb(imsi), ipv6_addr=sub_ip, policies=policies, ), ], epoch=global_epoch, ) fake_controller_setup( enf_controller=self.enforcement_controller, enf_stats_controller=self.enforcement_stats_controller, startup_flow_controller=self.startup_flows_contoller, setup_flows_request=setup_flows_request, ) snapshot_verifier = SnapshotVerifier( self, self.BRIDGE, self.service_manager, 'after_restart', ) with snapshot_verifier: pass fake_controller_setup( enf_controller=self.enforcement_controller, enf_stats_controller=self.enforcement_stats_controller, startup_flow_controller=self.startup_flows_contoller, ) snapshot_verifier = SnapshotVerifier( self, self.BRIDGE, self.service_manager, 'default_flows', ) with snapshot_verifier: pass
def _ng_qer_update( self, request: SessionSet, pdr_entry: PDRRuleEntry, ) -> List[RuleModResult]: enforcement_res = [] failed_policy_rules_results: List = [] local_f_teid_ng = request.local_f_teid # PDR is deleted with ActiveRules or DelActive rules recieved if pdr_entry.pdr_state == PdrState.Value('REMOVE'): qos_enforce_rule = pdr_entry.del_qos_enforce_rule if qos_enforce_rule.ip_addr: ipv4 = convert_ip_str_to_ip_proto(qos_enforce_rule.ip_addr) self._ng_deactivate_qer_flows( ipv4, local_f_teid_ng, qos_enforce_rule, ) if qos_enforce_rule.ipv6_addr: ipv6 = convert_ipv6_bytes_to_ip_proto( qos_enforce_rule.ipv6_addr) self._update_ipv6_prefix_store(qos_enforce_rule.ipv6_addr) self._ng_deactivate_qer_flows( ipv6, local_f_teid_ng, qos_enforce_rule, ) elif pdr_entry.pdr_state == PdrState.Value('IDLE'): qos_enforce_rule = pdr_entry.add_qos_enforce_rule if qos_enforce_rule.ip_addr: ipv4 = convert_ipv4_str_to_ip_proto(qos_enforce_rule.ip_addr) self._ng_inactivate_qer_flows(ipv4, qos_enforce_rule) if qos_enforce_rule.ipv6_addr: ipv6 = convert_ipv6_bytes_to_ip_proto( qos_enforce_rule.ipv6_addr) self._ng_inactivate_qer_flows(ipv6, qos_enforce_rule) # Install PDR rules elif pdr_entry.pdr_state == PdrState.Value('INSTALL') or \ pdr_entry.pdr_state == PdrState.Value('MODI'): qos_enforce_rule = pdr_entry.add_qos_enforce_rule if qos_enforce_rule.ip_addr: ipv4 = convert_ip_str_to_ip_proto(qos_enforce_rule.ip_addr) enforcement_res = \ self._ng_activate_qer_flow( ipv4, local_f_teid_ng, qos_enforce_rule, ) failed_policy_rules_results = \ _retrieve_failed_results(enforcement_res) if qos_enforce_rule.ipv6_addr: ipv6 = convert_ipv6_bytes_to_ip_proto( qos_enforce_rule.ipv6_addr) self._update_ipv6_prefix_store(qos_enforce_rule.ipv6_addr) enforcement_res = \ self._ng_activate_qer_flow( ipv6, local_f_teid_ng, qos_enforce_rule, ) failed_policy_rules_results = \ _retrieve_failed_results(enforcement_res) if pdr_entry.pdr_state == PdrState.Value('MODI'): qos_enforce_deactivate_rule = pdr_entry.del_qos_enforce_rule if qos_enforce_deactivate_rule.policies: logging.info("qos_enforce_deactivate_rule.policies") if qos_enforce_deactivate_rule.ip_addr: ipv4 = convert_ip_str_to_ip_proto( qos_enforce_deactivate_rule.ip_addr) self._ng_mod_qer_flow( ipv4, qos_enforce_deactivate_rule, ) if qos_enforce_deactivate_rule.ipv6_addr: ipv6 = convert_ipv6_bytes_to_ip_proto( qos_enforce_deactivate_rule.ipv6_addr) self._ng_mod_qer_flow( ipv6, qos_enforce_deactivate_rule, ) return failed_policy_rules_results