in ptf/saiacl.py [0:0]
def runTest(self):
print('--------------------------------------------------------------')
print('Testing both IPV4, MIRROR ACL table within a ACL table group on'
' same set of ports')
print("Sending packet ptf_intf 4 -> [ptf_intf 1, ptf_intf 2, ptf_intf "
"3] (192.168.0.1 ---> 172.16.10.1 [id = 105])")
mac_src = '00:22:22:22:22:22'
ip_mask = '255.255.255.0'
ipv4_addr = '192.168.0.1'
# send the test packet(s)
pkt = simple_tcp_packet(eth_dst=ROUTER_MAC,
eth_src=mac_src,
ip_dst=self.ip_addr,
ip_src=ipv4_addr,
ip_id=105,
ip_ttl=64)
exp_pkt = simple_tcp_packet(eth_dst=self.dmac,
eth_src=ROUTER_MAC,
ip_dst=self.ip_addr,
ip_src=ipv4_addr,
ip_id=105,
ip_ttl=63)
print('#### NO ACL Applied ####')
print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | 172.16.10.1'
' | 192.168.0.1 | @ ptf_intf 1')
send_packet(self, self.dev_port10, pkt)
print('#### Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| 172.16.10.1'
' | 192.168.0.1 | @ ptf_intf 4')
verify_packet(self, exp_pkt, self.dev_port13)
print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | 172.16.10.1'
' | 192.168.0.1 | @ ptf_intf 2')
send_packet(self, self.dev_port11, pkt)
print('#### Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| 172.16.10.1'
' | 192.168.0.1 | @ ptf_intf 4')
verify_packet(self, exp_pkt, self.dev_port13)
print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | 172.16.10.1'
' | 192.168.0.1 | @ ptf_intf 3')
send_packet(self, self.dev_port12, pkt)
print('#### Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| 172.16.10.1'
' | 192.168.0.1 | @ ptf_intf 4')
verify_packet(self, exp_pkt, self.dev_port13)
# setup ACL table group
group_bind_point_list = [SAI_ACL_BIND_POINT_TYPE_PORT]
group_type = SAI_ACL_TABLE_GROUP_TYPE_PARALLEL
group_stage_ingress = SAI_ACL_STAGE_INGRESS
group_stage_egress = SAI_ACL_STAGE_EGRESS
# setup ACL table 1
table_stage_ingress = SAI_ACL_STAGE_INGRESS
table_stage_egress = SAI_ACL_STAGE_EGRESS
table_bind_point_list = [SAI_ACL_BIND_POINT_TYPE_PORT]
group_bind_point_type_list = sai_thrift_s32_list_t(
count=len(group_bind_point_list), int32list=group_bind_point_list)
table_bind_point_type_list = sai_thrift_s32_list_t(
count=len(table_bind_point_list), int32list=table_bind_point_list)
packet_action = sai_thrift_acl_action_data_t(
parameter=sai_thrift_acl_action_parameter_t(
s32=SAI_PACKET_ACTION_DROP))
print("Create ACL field data")
src_ip_t_ipv4 = sai_thrift_acl_field_data_t(
data=sai_thrift_acl_field_data_data_t(ip4=ipv4_addr),
mask=sai_thrift_acl_field_data_mask_t(ip4=ip_mask))
# create ACL tables
print("Create ACL tables")
acl_ingress_ip_table_id = sai_thrift_create_acl_table(
self.client,
acl_stage=table_stage_ingress,
acl_bind_point_type_list=table_bind_point_type_list,
field_src_ip=True)
print("Sending packet ptf_intf 2 -[ACL]-> ptf_intf 1 (20.20.20.1-[ACL]"
"-> 172.16.10.1 [id = 105])")
# setup ACL table to block on below matching param
ip_src = "192.168.0.1"
ip_src_mask = "255.255.255.0"
ip_dst = "172.16.10.1"
ip_dst_mask = "255.255.255.0"
ip_proto = 6
src_ip_t_mirror = sai_thrift_acl_field_data_t(
data=sai_thrift_acl_field_data_data_t(ip4=ip_src),
mask=sai_thrift_acl_field_data_mask_t(ip4=ip_src_mask))
dst_ip_t_mirror = sai_thrift_acl_field_data_t(
data=sai_thrift_acl_field_data_data_t(ip4=ip_dst),
mask=sai_thrift_acl_field_data_mask_t(ip4=ip_dst_mask))
# create ACL tables
print("Create ACL tables")
acl_ingress_mirror_table_id = sai_thrift_create_acl_table(
self.client,
acl_stage=table_stage_ingress,
acl_bind_point_type_list=table_bind_point_type_list,
field_src_ip=True,
field_dst_ip=True,
field_ip_protocol=ip_proto)
# setup ACL table group members
group_member_priority = 1
acl_group_ingress_list = []
acl_group_member_ingress_list = []
in_ports = [self.port10, self.port11, self.port12]
for port in in_ports:
# ACL table group
print("Create ACL tables groups for", port, " port")
acl_table_group_ingress = sai_thrift_create_acl_table_group(
self.client,
acl_stage=group_stage_ingress,
acl_bind_point_type_list=group_bind_point_type_list,
type=group_type)
# create ACL table group member 1 - v4 tables
acl_group_ingress_ip_member_id = \
sai_thrift_create_acl_table_group_member(
self.client,
acl_table_group_id=acl_table_group_ingress,
acl_table_id=acl_ingress_ip_table_id,
priority=group_member_priority)
# create ACL table group members 2 - mirror tables
print("Create ACL group members")
acl_group_ingress_mirror_member_id = \
sai_thrift_create_acl_table_group_member(
self.client,
acl_table_group_id=acl_table_group_ingress,
acl_table_id=acl_ingress_mirror_table_id,
priority=group_member_priority)
acl_group_ingress_list.append(acl_table_group_ingress)
acl_group_member_ingress_list.append(
acl_group_ingress_ip_member_id)
acl_group_member_ingress_list.append(
acl_group_ingress_mirror_member_id)
for i, ports in enumerate(in_ports):
# attach this ACL table group to port10, port11, port12
print("Bind ACL ingress group 0x % lx to port 0x % lx" % (
acl_group_ingress_list[i], ports))
sai_thrift_set_port_attribute(
self.client, ports,
ingress_acl=acl_group_ingress_list[i])
# create ACL entries
print("Create ACL entries")
acl_ingress_ip_entry_id = sai_thrift_create_acl_entry(
self.client,
table_id=acl_ingress_ip_table_id,
priority=1,
field_src_ip=src_ip_t_ipv4,
action_packet_action=packet_action)
# create ACL counter
acl_counter_ingress = sai_thrift_create_acl_counter(
self.client, table_id=acl_ingress_ip_table_id)
# attach ACL counter to ACL entry
action_counter_ingress = sai_thrift_acl_action_data_t(
parameter=sai_thrift_acl_action_parameter_t(
oid=acl_counter_ingress),
enable=True)
sai_thrift_set_acl_entry_attribute(
self.client, acl_ingress_ip_entry_id,
action_counter=action_counter_ingress)
src_l4_port = sai_thrift_acl_field_data_t(
enable=True,
data=sai_thrift_acl_field_data_data_t(u16=4000),
mask=sai_thrift_acl_field_data_mask_t(u16=32767))
dst_l4_port = sai_thrift_acl_field_data_t(
enable=True,
data=sai_thrift_acl_field_data_data_t(u16=5000),
mask=sai_thrift_acl_field_data_mask_t(u16=32767))
mirror_action = sai_thrift_acl_action_data_t(
parameter=sai_thrift_acl_action_parameter_t(
objlist=sai_thrift_object_list_t(
count=len([self.span_session]),
idlist=[self.span_session])))
# create ACL entries
print("Create ACL entries")
mirror_acl_ingress_entry_id = sai_thrift_create_acl_entry(
self.client,
table_id=acl_ingress_mirror_table_id,
priority=1,
field_src_ip=src_ip_t_mirror,
field_dst_ip=dst_ip_t_mirror,
field_l4_src_port=src_l4_port,
field_l4_dst_port=dst_l4_port,
action_mirror_ingress=mirror_action)
# create ACL counter
acl_counter_mirror = sai_thrift_create_acl_counter(
self.client, table_id=acl_ingress_mirror_table_id)
# attach ACL counter to ACL entry
action_counter_mirror = sai_thrift_acl_action_data_t(
parameter=sai_thrift_acl_action_parameter_t(
oid=acl_counter_mirror),
enable=True)
sai_thrift_set_acl_entry_attribute(
self.client, mirror_acl_ingress_entry_id,
action_counter=action_counter_mirror)
try:
print('#### ACL \'DROP, src mac 00:22:22:22:22:22, '
'in_ports[ptf_intf_1,2,3,4]\' Applied ####')
print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | '
'172.16.10.1 | 192.168.0.1 | @ ptf_intf 1')
time.sleep(5)
send_packet(self, self.dev_port10, pkt)
print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| '
'172.16.10.1 | 192.168.0.1 | @ ptf_intf 4')
verify_no_other_packets(self, timeout=1)
packets = sai_thrift_get_acl_counter_attribute(
self.client, acl_counter_ingress, packets=True)
self.assertEqual(packets['packets'], 1)
packets = sai_thrift_get_acl_counter_attribute(
self.client, acl_counter_mirror, packets=True)
self.assertEqual(packets['packets'], 0)
print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | '
'172.16.10.1 | 192.168.0.1 | @ ptf_intf 2')
send_packet(self, self.dev_port11, pkt)
print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| '
'172.16.10.1 | 192.168.0.1 | @ ptf_intf 4')
verify_no_other_packets(self, timeout=1)
packets = sai_thrift_get_acl_counter_attribute(
self.client, acl_counter_ingress, packets=True)
self.assertEqual(packets['packets'], 2)
packets = sai_thrift_get_acl_counter_attribute(
self.client, acl_counter_mirror, packets=True)
self.assertEqual(packets['packets'], 0)
print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | '
'172.16.10.1 | 192.168.0.1 | @ ptf_intf 3')
send_packet(self, self.dev_port12, pkt)
print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| '
'172.16.10.1 | 192.168.0.1 | @ ptf_intf 4')
verify_no_other_packets(self, timeout=1)
packets = sai_thrift_get_acl_counter_attribute(
self.client, acl_counter_ingress, packets=True)
self.assertEqual(packets['packets'], 3)
packets = sai_thrift_get_acl_counter_attribute(
self.client, acl_counter_mirror, packets=True)
self.assertEqual(packets['packets'], 0)
print("Verify Mirror ACL")
time.sleep(5)
pkt = simple_tcp_packet(eth_dst=ROUTER_MAC,
eth_src=mac_src,
ip_src=ipv4_addr,
ip_dst=self.ip_addr,
ip_id=105,
ip_ttl=64,
tcp_sport=4000,
tcp_dport=5000)
print("TX packet port 12 -> port 13, ipv4 ACL blocks route pkt but"
" mirror ACL mirrors pkt to port 10")
send_packet(self, self.dev_port12, pkt)
verify_packets(self, pkt, ports=[self.dev_port10])
packets = sai_thrift_get_acl_counter_attribute(
self.client, acl_counter_ingress, packets=True)
self.assertEqual(packets['packets'], 4)
packets = sai_thrift_get_acl_counter_attribute(
self.client, acl_counter_mirror, packets=True)
self.assertEqual(packets['packets'], 1)
# cleanup ACL, remove ACL group member
action_counter_ingress = sai_thrift_acl_action_data_t(
parameter=sai_thrift_acl_action_parameter_t(
oid=0),
enable=True)
sai_thrift_set_acl_entry_attribute(
self.client, acl_ingress_ip_entry_id,
action_counter=action_counter_ingress)
sai_thrift_set_acl_counter_attribute(
self.client, acl_counter_ingress, packets=None)
packets = sai_thrift_get_acl_counter_attribute(
self.client, acl_counter_ingress, packets=True)
self.assertEqual(packets['packets'], 0)
sai_thrift_remove_acl_counter(self.client, acl_counter_ingress)
action_counter_mirror = sai_thrift_acl_action_data_t(
parameter=sai_thrift_acl_action_parameter_t(
oid=0),
enable=True)
sai_thrift_set_acl_entry_attribute(
self.client, mirror_acl_ingress_entry_id,
action_counter=action_counter_mirror)
sai_thrift_set_acl_counter_attribute(
self.client, acl_counter_mirror, packets=None)
packets = sai_thrift_get_acl_counter_attribute(
self.client, acl_counter_mirror, packets=True)
self.assertEqual(packets['packets'], 0)
sai_thrift_remove_acl_counter(self.client, acl_counter_mirror)
for mbr in acl_group_member_ingress_list:
sai_thrift_remove_acl_table_group_member(self.client, mbr)
# unlink this ACL table from port10, port12, port13 object
for i, ports in enumerate(in_ports):
sai_thrift_set_port_attribute(
self.client, ports,
ingress_acl=int(SAI_NULL_OBJECT_ID))
# cleanup ACL group, entries, tables
for grp in acl_group_ingress_list:
sai_thrift_remove_acl_table_group(self.client, grp)
sai_thrift_remove_acl_entry(
self.client, acl_ingress_ip_entry_id)
sai_thrift_remove_acl_table(
self.client, acl_ingress_ip_table_id)
sai_thrift_remove_acl_entry(
self.client, mirror_acl_ingress_entry_id)
sai_thrift_remove_acl_table(
self.client, acl_ingress_mirror_table_id)
# create ACL tables
print("Create ACL tables")
acl_egress_ip_table_id = sai_thrift_create_acl_table(
self.client,
acl_stage=table_stage_egress,
acl_bind_point_type_list=table_bind_point_type_list,
field_src_ip=True)
# ACL table group
print("Create ACL egress table groups")
acl_table_group_egress = sai_thrift_create_acl_table_group(
self.client,
acl_stage=group_stage_egress,
acl_bind_point_type_list=group_bind_point_type_list,
type=group_type)
# create ACL table group member 1 - v4 tables
acl_group_egress_ip_member_id = \
sai_thrift_create_acl_table_group_member(
self.client,
acl_table_group_id=acl_table_group_egress,
acl_table_id=acl_egress_ip_table_id,
priority=group_member_priority)
# attach this ACL table group to port4
print("Bind ACL egress group to port4")
sai_thrift_set_port_attribute(
self.client, self.port13, egress_acl=acl_table_group_egress)
# create ACL entries
print("Create ACL entries")
acl_egress_ip_entry_id = sai_thrift_create_acl_entry(
self.client,
table_id=acl_egress_ip_table_id,
priority=1,
field_src_ip=src_ip_t_ipv4,
action_packet_action=packet_action)
# create ACL counter
acl_counter_egress = sai_thrift_create_acl_counter(
self.client, table_id=acl_egress_ip_table_id)
# attach ACL counter to ACL entry
action_counter_egress = sai_thrift_acl_action_data_t(
parameter=sai_thrift_acl_action_parameter_t(
oid=acl_counter_ingress),
enable=True)
sai_thrift_set_acl_entry_attribute(
self.client, acl_egress_ip_entry_id,
action_counter=action_counter_egress)
# send the test packet(s)
pkt = simple_tcp_packet(eth_dst=ROUTER_MAC,
eth_src='00:22:22:22:22:22',
ip_dst='172.16.10.1',
ip_src='192.168.0.1',
ip_id=105,
ip_ttl=64)
print('#### ACL \'DROP, src mac 00:22:22:22:22:22, '
'in_ports[ptf_intf_1,2,3,4]\' Applied ####')
print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | '
'172.16.10.1 | 192.168.0.1 | @ ptf_intf 1')
time.sleep(5)
send_packet(self, self.dev_port10, pkt)
print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| '
'172.16.10.1 | 192.168.0.1 | @ ptf_intf 4')
verify_no_other_packets(self, timeout=1)
packets = sai_thrift_get_acl_counter_attribute(
self.client, acl_counter_egress, packets=True)
self.assertEqual(packets['packets'], 1)
print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | '
'172.16.10.1 | 192.168.0.1 | @ ptf_intf 2')
send_packet(self, self.dev_port11, pkt)
print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| '
'172.16.10.1 | 192.168.0.1 | @ ptf_intf 4')
verify_no_other_packets(self, timeout=1)
packets = sai_thrift_get_acl_counter_attribute(
self.client, acl_counter_egress, packets=True)
self.assertEqual(packets['packets'], 2)
print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | '
'172.16.10.1 | 192.168.0.1 | @ ptf_intf 3')
send_packet(self, self.dev_port12, pkt)
print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| '
'172.16.10.1 | 192.168.0.1 | @ ptf_intf 4')
verify_no_other_packets(self, timeout=1)
packets = sai_thrift_get_acl_counter_attribute(
self.client, acl_counter_egress, packets=True)
self.assertEqual(packets['packets'], 3)
time.sleep(5)
finally:
# cleanup ACL, remove ACL group member
action_counter_egress = sai_thrift_acl_action_data_t(
parameter=sai_thrift_acl_action_parameter_t(
oid=0),
enable=True)
sai_thrift_set_acl_entry_attribute(
self.client, acl_egress_ip_entry_id,
action_counter=action_counter_egress)
sai_thrift_set_acl_counter_attribute(
self.client, acl_counter_egress, packets=None)
packets = sai_thrift_get_acl_counter_attribute(
self.client, acl_counter_egress, packets=True)
self.assertEqual(packets['packets'], 0)
sai_thrift_remove_acl_counter(self.client, acl_counter_egress)
sai_thrift_remove_acl_table_group_member(
self.client, acl_group_egress_ip_member_id)
# unlink this ACL table from port4 object
sai_thrift_set_port_attribute(self.client, self.port13,
egress_acl=int(SAI_NULL_OBJECT_ID))
# cleanup ACL group, entries, tables
sai_thrift_remove_acl_table_group(self.client,
acl_table_group_egress)
sai_thrift_remove_acl_entry(
self.client, acl_egress_ip_entry_id)
sai_thrift_remove_acl_table(
self.client, acl_egress_ip_table_id)