# Copyright 2021-present Intel Corporation. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. """ Thrift SAI interface ACL tests """ from sai_thrift.sai_headers import * from sai_base_test import * @group("draft") class AclGroupTest(SaiHelper): ''' ACL group test class ''' def setUp(self): super(AclGroupTest, self).setUp() self.port_mac = '00:11:22:33:44:55' self.lag_mac = '00:11:22:33:44:56' self.port_mac2 = '00:11:22:33:44:57' self.lag_mac2 = '00:11:22:33:44:58' self.port_fdb_entry = sai_thrift_fdb_entry_t( switch_id=self.switch_id, mac_address=self.port_mac, bv_id=self.vlan10) sai_thrift_create_fdb_entry( self.client, self.port_fdb_entry, type=SAI_FDB_ENTRY_TYPE_STATIC, bridge_port_id=self.port0_bp) self.lag_fdb_entry = sai_thrift_fdb_entry_t( switch_id=self.switch_id, mac_address=self.lag_mac, bv_id=self.vlan10) sai_thrift_create_fdb_entry( self.client, self.lag_fdb_entry, type=SAI_FDB_ENTRY_TYPE_STATIC, bridge_port_id=self.lag1_bp) # create bridge ports self.port24_bp = sai_thrift_create_bridge_port( self.client, bridge_id=self.default_1q_bridge, port_id=self.port24, type=SAI_BRIDGE_PORT_TYPE_PORT, admin_state=True) self.assertNotEqual(self.port24_bp, 0) self.port25_bp = sai_thrift_create_bridge_port( self.client, bridge_id=self.default_1q_bridge, port_id=self.port25, type=SAI_BRIDGE_PORT_TYPE_PORT, admin_state=True) self.assertNotEqual(self.port25_bp, 0) # create LAGs self.lag6 = sai_thrift_create_lag(self.client) self.assertNotEqual(self.lag6, 0) self.lag6_bp = sai_thrift_create_bridge_port( self.client, bridge_id=self.default_1q_bridge, port_id=self.lag6, type=SAI_BRIDGE_PORT_TYPE_PORT, admin_state=True) self.assertNotEqual(self.lag6_bp, 0) self.lag6_member26 = sai_thrift_create_lag_member( self.client, lag_id=self.lag6, port_id=self.port26) self.lag6_member27 = sai_thrift_create_lag_member( self.client, lag_id=self.lag6, port_id=self.port27) self.lag6_member28 = sai_thrift_create_lag_member( self.client, lag_id=self.lag6, port_id=self.port28) # create vlan 40 with port24, port25 and lag6 self.vlan40 = sai_thrift_create_vlan(self.client, vlan_id=40) self.assertNotEqual(self.vlan40, 0) self.vlan40_member24 = sai_thrift_create_vlan_member( self.client, vlan_id=self.vlan40, bridge_port_id=self.port24_bp, vlan_tagging_mode=SAI_VLAN_TAGGING_MODE_UNTAGGED) self.vlan40_member25 = sai_thrift_create_vlan_member( self.client, vlan_id=self.vlan40, bridge_port_id=self.port25_bp, vlan_tagging_mode=SAI_VLAN_TAGGING_MODE_TAGGED) self.vlan40_member_lag6 = sai_thrift_create_vlan_member( self.client, vlan_id=self.vlan40, bridge_port_id=self.lag6_bp, vlan_tagging_mode=SAI_VLAN_TAGGING_MODE_UNTAGGED) # setup untagged ports sai_thrift_set_port_attribute( self.client, self.port24, port_vlan_id=40) sai_thrift_set_lag_attribute(self.client, self.lag6, port_vlan_id=40) self.port_fdb_entry2 = sai_thrift_fdb_entry_t( switch_id=self.switch_id, mac_address=self.port_mac2, bv_id=self.vlan40) sai_thrift_create_fdb_entry( self.client, self.port_fdb_entry2, type=SAI_FDB_ENTRY_TYPE_STATIC, bridge_port_id=self.port24_bp) self.lag_fdb_entry2 = sai_thrift_fdb_entry_t( switch_id=self.switch_id, mac_address=self.lag_mac2, bv_id=self.vlan40) sai_thrift_create_fdb_entry( self.client, self.lag_fdb_entry2, type=SAI_FDB_ENTRY_TYPE_STATIC, bridge_port_id=self.lag6_bp) def runTest(self): self.portLagIngressAclTableGroupTest() self.portLagEgressAclTableGroupTest() def tearDown(self): sai_thrift_remove_fdb_entry(self.client, self.port_fdb_entry) sai_thrift_remove_fdb_entry(self.client, self.lag_fdb_entry) sai_thrift_remove_fdb_entry(self.client, self.port_fdb_entry2) sai_thrift_remove_fdb_entry(self.client, self.lag_fdb_entry2) sai_thrift_set_port_attribute(self.client, self.port24, port_vlan_id=0) sai_thrift_set_lag_attribute(self.client, self.lag6, port_vlan_id=0) # remove vlan config sai_thrift_remove_vlan_member(self.client, self.vlan40_member_lag6) sai_thrift_remove_vlan_member(self.client, self.vlan40_member25) sai_thrift_remove_vlan_member(self.client, self.vlan40_member24) sai_thrift_remove_vlan(self.client, self.vlan40) # remove lag config sai_thrift_remove_lag_member(self.client, self.lag6_member28) sai_thrift_remove_lag_member(self.client, self.lag6_member27) sai_thrift_remove_lag_member(self.client, self.lag6_member26) sai_thrift_remove_bridge_port(self.client, self.lag6_bp) sai_thrift_remove_lag(self.client, self.lag6) # remove bridge ports sai_thrift_remove_bridge_port(self.client, self.port25_bp) sai_thrift_remove_bridge_port(self.client, self.port24_bp) super(AclGroupTest, self).tearDown() def portLagIngressAclTableGroupTest(self): ''' Verify combination of port and LAG as bind points to ingress ACL table group. ''' print("portLagIngressAclTableGroupTest") # create ACL table group group_stage = SAI_ACL_STAGE_INGRESS group_bind_points = [SAI_ACL_BIND_POINT_TYPE_PORT, SAI_ACL_BIND_POINT_TYPE_LAG] group_bind_point_type_list = sai_thrift_s32_list_t( count=len(group_bind_points), int32list=group_bind_points) group_type = SAI_ACL_TABLE_GROUP_TYPE_PARALLEL acl_group = sai_thrift_create_acl_table_group( self.client, acl_stage=group_stage, acl_bind_point_type_list=group_bind_point_type_list, type=group_type) # create ACL table table_stage = SAI_ACL_STAGE_INGRESS table_bind_points = [SAI_ACL_BIND_POINT_TYPE_PORT, SAI_ACL_BIND_POINT_TYPE_LAG] table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_points), int32list=table_bind_points) acl_table = sai_thrift_create_acl_table( self.client, acl_stage=table_stage, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True) # create ACL table entry src_ip = '10.0.0.1' src_ip2 = '10.0.0.2' src_ip_mask = '255.255.255.255' src_ip_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=src_ip), mask=sai_thrift_acl_field_data_mask_t(ip4=src_ip_mask)) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=SAI_PACKET_ACTION_DROP)) acl_entry = sai_thrift_create_acl_entry( self.client, table_id=acl_table, priority=10, field_src_ip=src_ip_t, action_packet_action=packet_action) # add ACL table group member member1 = sai_thrift_create_acl_table_group_member( self.client, acl_table_group_id=acl_group, acl_table_id=acl_table) # create ACL counter acl_counter = sai_thrift_create_acl_counter( self.client, table_id=acl_table) # attach ACL counter to ACL entry action_counter_t = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry, action_counter=action_counter_t) try: pkt1 = simple_udp_packet( eth_dst=self.port_mac, eth_src=self.lag_mac, ip_src=src_ip, pktlen=100) pkt2 = simple_udp_packet( eth_dst=self.lag_mac, eth_src=self.port_mac, ip_src=src_ip, pktlen=100) pkt3 = simple_udp_packet( eth_dst=self.port_mac2, eth_src=self.lag_mac2, ip_src=src_ip2, pktlen=100) pkt4 = simple_udp_packet( eth_dst=self.lag_mac2, eth_src=self.port_mac2, ip_src=src_ip2, pktlen=100) print("Sending packet without ACL table group") print("Sending packet from lag to port") send_packet(self, self.dev_port4, pkt1) verify_packet(self, pkt1, self.dev_port0) print("Sending packet from port to lag") send_packet(self, self.dev_port0, pkt2) verify_any_packet_any_port( self, [pkt2, pkt2, pkt2], [self.dev_port4, self.dev_port5, self.dev_port6]) print("Sending packet from lag2 to port2") send_packet(self, self.dev_port26, pkt3) verify_packet(self, pkt3, self.dev_port24) print("Sending packet from port2 to lag2") send_packet(self, self.dev_port24, pkt4) verify_any_packet_any_port( self, [pkt4, pkt4, pkt4], [self.dev_port26, self.dev_port27, self.dev_port28]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 0) print("Attach ACL table group to port") sai_thrift_set_port_attribute(self.client, self.port0, ingress_acl=acl_group) print("Sending packet from port to lag, drop") send_packet(self, self.dev_port0, pkt2) verify_no_other_packets(self) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 1) print("Sending packet from port2 to lag2, do not drop") send_packet(self, self.dev_port24, pkt4) verify_any_packet_any_port( self, [pkt4, pkt4, pkt4], [self.dev_port26, self.dev_port27, self.dev_port28]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 1) print("Attach ACL table group to lag") sai_thrift_set_lag_attribute(self.client, self.lag1, ingress_acl=acl_group) print("Sending packet from lag to port, drop") send_packet(self, self.dev_port4, pkt1) verify_no_other_packets(self) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 2) print("Sending packet from lag to port, drop") send_packet(self, self.dev_port26, pkt3) verify_packet(self, pkt3, self.dev_port24) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 2) finally: action_counter_t = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry, action_counter=action_counter_t) sai_thrift_set_acl_counter_attribute( self.client, acl_counter, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter) sai_thrift_set_port_attribute(self.client, self.port0, ingress_acl=0) sai_thrift_set_lag_attribute(self.client, self.lag1, ingress_acl=0) sai_thrift_remove_acl_table_group_member(self.client, member1) sai_thrift_remove_acl_entry(self.client, acl_entry) sai_thrift_remove_acl_table(self.client, acl_table) sai_thrift_remove_acl_table_group(self.client, acl_group) def portLagEgressAclTableGroupTest(self): ''' Verify combination of port and LAG as bind points to egress ACL table group. ''' print("portLagEgressAclTableGroupTest") # create ACL table group group_stage = SAI_ACL_STAGE_EGRESS group_bind_points = [SAI_ACL_BIND_POINT_TYPE_PORT, SAI_ACL_BIND_POINT_TYPE_LAG] group_bind_point_type_list = sai_thrift_s32_list_t( count=len(group_bind_points), int32list=group_bind_points) group_type = SAI_ACL_TABLE_GROUP_TYPE_PARALLEL acl_group = sai_thrift_create_acl_table_group( self.client, acl_stage=group_stage, acl_bind_point_type_list=group_bind_point_type_list, type=group_type) # create ACL table table_stage = SAI_ACL_STAGE_EGRESS table_bind_points = [SAI_ACL_BIND_POINT_TYPE_PORT, SAI_ACL_BIND_POINT_TYPE_LAG] table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_points), int32list=table_bind_points) acl_table = sai_thrift_create_acl_table( self.client, acl_stage=table_stage, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True) # create ACL table entry src_ip = '10.0.0.1' src_ip2 = '10.0.0.2' src_ip_mask = '255.255.255.255' src_ip_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=src_ip), mask=sai_thrift_acl_field_data_mask_t(ip4=src_ip_mask)) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=SAI_PACKET_ACTION_DROP)) acl_entry = sai_thrift_create_acl_entry( self.client, table_id=acl_table, priority=10, field_src_ip=src_ip_t, action_packet_action=packet_action) # add ACL table group member member1 = sai_thrift_create_acl_table_group_member( self.client, acl_table_group_id=acl_group, acl_table_id=acl_table) # create ACL counter acl_counter = sai_thrift_create_acl_counter( self.client, table_id=acl_table) # attach ACL counter to ACL entry action_counter_t = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry, action_counter=action_counter_t) try: pkt1 = simple_udp_packet( eth_dst=self.port_mac, eth_src=self.lag_mac, ip_src=src_ip, pktlen=100) pkt2 = simple_udp_packet( eth_dst=self.lag_mac, eth_src=self.port_mac, ip_src=src_ip, pktlen=100) pkt3 = simple_udp_packet( eth_dst=self.port_mac2, eth_src=self.lag_mac2, ip_src=src_ip2, pktlen=100) pkt4 = simple_udp_packet( eth_dst=self.lag_mac2, eth_src=self.port_mac2, ip_src=src_ip2, pktlen=100) print("Sending packet without ACL table group") print("Sending packet from lag to port") send_packet(self, self.dev_port4, pkt1) verify_packet(self, pkt1, self.dev_port0) print("Sending packet from port to lag") send_packet(self, self.dev_port0, pkt2) verify_any_packet_any_port( self, [pkt2, pkt2, pkt2], [self.dev_port4, self.dev_port5, self.dev_port6]) print("Sending packet from lag2 to port2") send_packet(self, self.dev_port26, pkt3) verify_packet(self, pkt3, self.dev_port24) print("Sending packet from port2 to lag2") send_packet(self, self.dev_port24, pkt4) verify_any_packet_any_port( self, [pkt4, pkt4, pkt4], [self.dev_port26, self.dev_port27, self.dev_port28]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 0) print("Attach ACL table group to port") sai_thrift_set_port_attribute(self.client, self.port0, egress_acl=acl_group) print("Sending packet from lag to port, drop") send_packet(self, self.dev_port4, pkt1) verify_no_other_packets(self) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 1) print("Sending packet from lag to port, drop") send_packet(self, self.dev_port26, pkt3) verify_packet(self, pkt3, self.dev_port24) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 1) print("Attach ACL table group to lag") sai_thrift_set_lag_attribute(self.client, self.lag1, egress_acl=acl_group) print("Sending packet from port to lag, drop") send_packet(self, self.dev_port0, pkt2) verify_no_other_packets(self) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 2) print("Sending packet from port2 to lag2, do not drop") send_packet(self, self.dev_port24, pkt4) verify_any_packet_any_port( self, [pkt4, pkt4, pkt4], [self.dev_port26, self.dev_port27, self.dev_port28]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 2) finally: action_counter_t = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry, action_counter=action_counter_t) sai_thrift_set_acl_counter_attribute( self.client, acl_counter, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter) sai_thrift_set_port_attribute(self.client, self.port0, egress_acl=0) sai_thrift_set_lag_attribute(self.client, self.lag1, egress_acl=0) sai_thrift_remove_acl_table_group_member(self.client, member1) sai_thrift_remove_acl_entry(self.client, acl_entry) sai_thrift_remove_acl_table(self.client, acl_table) sai_thrift_remove_acl_table_group(self.client, acl_group) @group("draft") class SrcIpAclTest(SaiHelperSimplified): """ Verify matching on src ip address field Configuration +----------+-----------+ | port0 | port0_rif | +----------+-----------+ | port1 | port1_rif | +----------+-----------+ """ def setUp(self): super(SrcIpAclTest, self).setUp() self.create_routing_interfaces(ports=[0, 1]) l4_src_port = 1000 rif_id1 = self.port0_rif self.rif_id2 = self.port1_rif ip_addr_subnet = '172.16.10.0/24' ip_addr = '172.16.10.1' dmac = '00:11:22:33:44:55' mac_src = '00:22:22:22:22:22' ip_addr_src = '192.168.100.100' print("Create neighbor with %s ip address, %d router interface" " id and %s destination mac" % ( ip_addr, rif_id1, dmac)) self.nbr_entry = sai_thrift_neighbor_entry_t( rif_id=rif_id1, ip_address=sai_ipaddress(ip_addr)) sai_thrift_create_neighbor_entry( self.client, self.nbr_entry, dst_mac_address=dmac) print("Create nhop with %s ip address and %d router" " interface id" % (ip_addr, rif_id1)) self.nhop = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(ip_addr), router_interface_id=rif_id1, type=SAI_NEXT_HOP_TYPE_IP) print("Create route with %s ip prefix and %d router" " interface id" % (ip_addr_subnet, rif_id1)) self.route_entry = sai_thrift_route_entry_t( vr_id=self.default_vrf, destination=sai_ipprefix( ip_addr_subnet)) sai_thrift_create_route_entry(self.client, self.route_entry, next_hop_id=rif_id1) self.pkt = simple_tcp_packet(eth_dst=ROUTER_MAC, eth_src=mac_src, ip_dst=ip_addr, ip_src=ip_addr_src, tcp_sport=l4_src_port, ip_id=105, ip_ttl=64) self.exp_pkt = simple_tcp_packet(eth_dst=dmac, eth_src=ROUTER_MAC, ip_dst=ip_addr, ip_src=ip_addr_src, tcp_sport=l4_src_port, ip_id=105, ip_ttl=63) def runTest(self): print("Testing SrcIpAclTest") print('--------------------------------------------------------------') print("Sending packet ptf_intf 2 -> ptf_intf 1 (192.168.100.100 " "--->172.16.10.1 [id = 105])") try: print('#### NO ACL Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 2') send_packet(self, self.dev_port1, self.pkt) print('#### Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 1') verify_packets(self, self.exp_pkt, [self.dev_port0]) finally: print('----------------------------------------------------------' '------------------------------------') print("Sending packet ptf_intf 2 -[ACL]-> ptf_intf 1 (192.168.0.1" "-[ACL]-> 172.16.10.1 [id = 105])") table_stage_ingress = SAI_ACL_STAGE_INGRESS table_stage_egress = SAI_ACL_STAGE_EGRESS entry_priority = 1 ip_src = "192.168.100.1" ip_src_mask = "255.255.255.0" table_bind_points = [SAI_ACL_BIND_POINT_TYPE_ROUTER_INTF] table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_points), int32list=table_bind_points) acl_ingress_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_ingress, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True) self.assertNotEqual(acl_ingress_table_id, 0) src_ip_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=ip_src), mask=sai_thrift_acl_field_data_mask_t(ip4=ip_src_mask)) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=SAI_PACKET_ACTION_DROP)) acl_ingress_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_ingress_table_id, priority=entry_priority, field_src_ip=src_ip_t, action_packet_action=packet_action) self.assertNotEqual(acl_ingress_entry_id, 0) # create ACL counter acl_counter_ingress = sai_thrift_create_acl_counter( self.client, table_id=acl_ingress_table_id) # attach ACL counter to ACL entry action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_ingress_entry_id, action_counter=action_counter_ingress) # bind this ACL table to rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, ingress_acl=acl_ingress_table_id) try: print('#### ACL \'DROP, src ip 192.168.100.1/255.255.255.0, SPORT' ' 1000, in_ports[ptf_intf_1,2]\' Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 1') send_packet(self, self.dev_port1, self.pkt) print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 0') verify_no_other_packets(self, timeout=1) # unbind this ACL table from rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, ingress_acl=int(SAI_NULL_OBJECT_ID)) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 1) # cleanup ACL action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_ingress_entry_id, action_counter=action_counter_ingress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_ingress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_ingress) sai_thrift_remove_acl_entry(self.client, acl_ingress_entry_id) sai_thrift_remove_acl_table(self.client, acl_ingress_table_id) acl_egress_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_egress, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True) self.assertNotEqual(acl_egress_table_id, 0) acl_egress_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_egress_table_id, priority=entry_priority, field_src_ip=src_ip_t, action_packet_action=packet_action) self.assertNotEqual(acl_egress_entry_id, 0) # create ACL counter acl_counter_egress = sai_thrift_create_acl_counter( self.client, table_id=acl_egress_table_id) # attach ACL counter to ACL entry action_counter_egress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_egress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_egress_entry_id, action_counter=action_counter_egress) # bind this ACL table to rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, egress_acl=acl_egress_table_id) print('#### ACL \'DROP, src ip 192.168.100.1/255.255.255.0, SPORT' ' 1000, in_ports[ptf_intf_1,2]\' Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 1') send_packet(self, self.dev_port1, self.pkt) print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 0') verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 1) finally: # unbind this ACL table from rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, egress_acl=int(SAI_NULL_OBJECT_ID)) # cleanup ACL action_counter_egress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_egress_entry_id, action_counter=action_counter_egress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_egress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_egress) sai_thrift_remove_acl_entry(self.client, acl_egress_entry_id) sai_thrift_remove_acl_table(self.client, acl_egress_table_id) def tearDown(self): sai_thrift_remove_route_entry(self.client, self.route_entry) sai_thrift_remove_next_hop(self.client, self.nhop) sai_thrift_remove_neighbor_entry(self.client, self.nbr_entry) self.destroy_routing_interfaces() super(SrcIpAclTest, self).tearDown() @group("draft") class DstIpAclTest(SaiHelperSimplified): """ Verify matching on dst ip address field Configuration +----------+-----------+ | port0 | port0_rif | +----------+-----------+ | port1 | port1_rif | +----------+-----------+ """ def setUp(self): super(DstIpAclTest, self).setUp() self.create_routing_interfaces(ports=[0, 1]) l4_dst_port = 1000 rif_id1 = self.port0_rif self.rif_id2 = self.port1_rif ip_addr_subnet = '172.16.10.0/24' ip_addr = '172.16.10.1' dmac = '00:11:22:33:44:55' mac_src = '00:22:22:22:22:22' ip_addr_src = '192.168.100.100' print("Create neighbor with %s ip address, %d router interface" " id and %s destination mac" % ( ip_addr, rif_id1, dmac)) self.nbr_entry = sai_thrift_neighbor_entry_t( rif_id=rif_id1, ip_address=sai_ipaddress(ip_addr)) sai_thrift_create_neighbor_entry( self.client, self.nbr_entry, dst_mac_address=dmac) print("Create nhop with %s ip address and %d router" " interface id" % (ip_addr, rif_id1)) self.nhop = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(ip_addr), router_interface_id=rif_id1, type=SAI_NEXT_HOP_TYPE_IP) print("Create route with %s ip prefix and %d router" " interface id" % (ip_addr_subnet, rif_id1)) self.route_entry = sai_thrift_route_entry_t( vr_id=self.default_vrf, destination=sai_ipprefix( ip_addr_subnet)) sai_thrift_create_route_entry(self.client, self.route_entry, next_hop_id=rif_id1) self.pkt = simple_tcp_packet(eth_dst=ROUTER_MAC, eth_src=mac_src, ip_dst=ip_addr, ip_src=ip_addr_src, tcp_sport=l4_dst_port, ip_id=105, ip_ttl=64) self.exp_pkt = simple_tcp_packet(eth_dst=dmac, eth_src=ROUTER_MAC, ip_dst=ip_addr, ip_src=ip_addr_src, tcp_sport=l4_dst_port, ip_id=105, ip_ttl=63) def runTest(self): print("Testing DstIpAclTest") print('--------------------------------------------------------------' '--------------------------------') print("Sending packet ptf_intf 2 -> ptf_intf 1 (192.168.100.100 " "---> 172.16.10.1 [id = 105])") try: print('#### NO ACL Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 2') send_packet(self, self.dev_port1, self.pkt) print('#### Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 1') verify_packets(self, self.exp_pkt, [self.dev_port0]) finally: print('----------------------------------------------------------') print("Sending packet ptf_intf 2 -[ACL]-> ptf_intf 1 (192.168.0.1" "-[ACL]-> 172.16.10.1 [id = 105])") table_stage_ingress = SAI_ACL_STAGE_INGRESS table_stage_egress = SAI_ACL_STAGE_EGRESS entry_priority = 1 ip_dst = "172.16.10.1" ip_dst_mask = "255.255.255.0" table_bind_points = [SAI_ACL_BIND_POINT_TYPE_ROUTER_INTF] table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_points), int32list=table_bind_points) acl_ingress_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_ingress, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True) self.assertNotEqual(acl_ingress_table_id, 0) dst_ip_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=ip_dst), mask=sai_thrift_acl_field_data_mask_t(ip4=ip_dst_mask)) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=SAI_PACKET_ACTION_DROP)) acl_ingress_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_ingress_table_id, priority=entry_priority, field_dst_ip=dst_ip_t, action_packet_action=packet_action) self.assertNotEqual(acl_ingress_entry_id, 0) # create ACL counter acl_counter_ingress = sai_thrift_create_acl_counter( self.client, table_id=acl_ingress_table_id) # attach ACL counter to ACL entry action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_ingress_entry_id, action_counter=action_counter_ingress) # bind this ACL table to rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, ingress_acl=acl_ingress_table_id) try: print('#### ACL \'DROP, src ip 192.168.100.1/255.255.255.0, SPORT' ' 1000, in_ports[ptf_intf_1,2]\' Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 1') send_packet(self, self.dev_port1, self.pkt) print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 0') verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 1) # cleanup ACL action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_ingress_entry_id, action_counter=action_counter_ingress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_ingress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_ingress) # unbind this ACL table from rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, ingress_acl=int(SAI_NULL_OBJECT_ID)) sai_thrift_remove_acl_entry(self.client, acl_ingress_entry_id) sai_thrift_remove_acl_table(self.client, acl_ingress_table_id) acl_egress_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_egress, acl_bind_point_type_list=table_bind_point_type_list, field_dst_ip=True) self.assertNotEqual(acl_egress_table_id, 0) acl_egress_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_egress_table_id, priority=entry_priority, field_dst_ip=dst_ip_t, action_packet_action=packet_action) self.assertNotEqual(acl_egress_entry_id, 0) # create ACL counter acl_counter_egress = sai_thrift_create_acl_counter( self.client, table_id=acl_egress_table_id) # attach ACL counter to ACL entry action_counter_egress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_egress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_egress_entry_id, action_counter=action_counter_egress) # bind this ACL table to rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, egress_acl=acl_egress_table_id) print('#### ACL \'DROP, src ip 192.168.100.1/255.255.255.0, SPORT' ' 1000, in_ports[ptf_intf_1,2]\' Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 1') send_packet(self, self.dev_port1, self.pkt) print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 0') verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 1) finally: # unbind this ACL table from rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, egress_acl=int(SAI_NULL_OBJECT_ID)) # cleanup ACL action_counter_egress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_egress_entry_id, action_counter=action_counter_egress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_egress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_egress) # cleanup ACL sai_thrift_remove_acl_entry(self.client, acl_egress_entry_id) sai_thrift_remove_acl_table(self.client, acl_egress_table_id) def tearDown(self): sai_thrift_remove_route_entry(self.client, self.route_entry) sai_thrift_remove_next_hop(self.client, self.nhop) sai_thrift_remove_neighbor_entry(self.client, self.nbr_entry) self.destroy_routing_interfaces() super(DstIpAclTest, self).tearDown() @group("draft") class MACSrcAclTest(SaiHelperSimplified): """ Verify matching on src mac address field Configuration +----------+-----------+ | port0 | port0_rif | +----------+-----------+ | port1 | port1_rif | +----------+-----------+ """ def setUp(self): super(MACSrcAclTest, self).setUp() self.create_routing_interfaces(ports=[0, 1]) rif_id1 = self.port0_rif self.rif_id2 = self.port1_rif ip_addr_subnet = '172.16.10.0/24' ip_addr = '172.16.10.1' dmac = '00:11:22:33:44:55' self.mac_src = '00:22:22:22:22:22' ip_addr_src = '192.168.0.1' print("Create neighbor with %s ip address, %d router interface" " id and %s destination mac" % ( ip_addr, rif_id1, dmac)) self.nbr_entry = sai_thrift_neighbor_entry_t( rif_id=rif_id1, ip_address=sai_ipaddress(ip_addr)) sai_thrift_create_neighbor_entry( self.client, self.nbr_entry, dst_mac_address=dmac) print("Create nhop with %s ip address and %d router" " interface id" % (ip_addr, rif_id1)) self.nhop = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(ip_addr), router_interface_id=rif_id1, type=SAI_NEXT_HOP_TYPE_IP) print("Create route with %s ip prefix and %d router" " interface id" % (ip_addr_subnet, rif_id1)) self.route_entry = sai_thrift_route_entry_t( vr_id=self.default_vrf, destination=sai_ipprefix( ip_addr_subnet)) sai_thrift_create_route_entry(self.client, self.route_entry, next_hop_id=rif_id1) self.pkt = simple_tcp_packet(eth_dst=ROUTER_MAC, eth_src=self.mac_src, ip_dst=ip_addr, ip_src=ip_addr_src, ip_id=105, ip_ttl=64) self.exp_pkt = simple_tcp_packet(eth_dst=dmac, eth_src=ROUTER_MAC, ip_dst=ip_addr, ip_src=ip_addr_src, ip_id=105, ip_ttl=63) def runTest(self): print('--------------------------------------------------------------') print("Sending packet ptf_intf 2 -> ptf_intf 1 (192.168.0.1 --->" " 172.16.10.1 [id = 105])") try: print('#### NO ACL Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.100.1 | @ ptf_intf 2') send_packet(self, self.dev_port1, self.pkt) print('#### Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.100.1 | @ ptf_intf 1') verify_packets(self, self.exp_pkt, [self.dev_port0]) finally: print('----------------------------------------------------------') print("Sending packet ptf_intf 2 -[ACL]-> ptf_intf 1 (192.168.0.1-" "[ACL]-> 172.16.10.1 [id = 105])") # setup ACL to block based on Source MAC table_stage_ingress = SAI_ACL_STAGE_INGRESS table_stage_egress = SAI_ACL_STAGE_EGRESS entry_priority = 1 mac_src_mask = 'ff:ff:ff:ff:ff:ff' table_bind_points = [SAI_ACL_BIND_POINT_TYPE_ROUTER_INTF] table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_points), int32list=table_bind_points) acl_ingress_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_ingress, acl_bind_point_type_list=table_bind_point_type_list, field_src_mac=True) self.assertNotEqual(acl_ingress_table_id, 0) src_mac_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(mac=self.mac_src), mask=sai_thrift_acl_field_data_mask_t(mac=mac_src_mask)) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=SAI_PACKET_ACTION_DROP)) acl_ingress_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_ingress_table_id, priority=entry_priority, field_src_mac=src_mac_t, action_packet_action=packet_action) self.assertNotEqual(acl_ingress_entry_id, 0) # create ACL counter acl_counter_ingress = sai_thrift_create_acl_counter( self.client, table_id=acl_ingress_table_id) # attach ACL counter to ACL entry action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_ingress_entry_id, action_counter=action_counter_ingress) # bind this ACL table to rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, ingress_acl=acl_ingress_table_id) try: print('#### ACL \'DROP, src mac 00:22:22:22:22:22, ' 'in_ports[ptf_intf_1,2]\' Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.0.1 | @ ptf_intf 2') # send the same packet send_packet(self, self.dev_port1, self.pkt) # ensure packet is dropped # check for absence of packet here! print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| 172.16.10.1 | 192.168.0.1 | @ ptf_intf 1') verify_no_other_packets(self, timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 1) # cleanup ACL action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_ingress_entry_id, action_counter=action_counter_ingress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_ingress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_ingress) # unbind this ACL table from rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, ingress_acl=int(SAI_NULL_OBJECT_ID)) sai_thrift_remove_acl_entry(self.client, acl_ingress_entry_id) sai_thrift_remove_acl_table(self.client, acl_ingress_table_id) acl_egress_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_egress, acl_bind_point_type_list=table_bind_point_type_list, field_src_mac=True) self.assertNotEqual(acl_egress_table_id, 0) acl_egress_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_egress_table_id, priority=entry_priority, field_src_mac=src_mac_t, action_packet_action=packet_action) self.assertNotEqual(acl_egress_entry_id, 0) # create ACL counter acl_counter_egress = sai_thrift_create_acl_counter( self.client, table_id=acl_egress_table_id) # attach ACL counter to ACL entry action_counter_egress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_egress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_egress_entry_id, action_counter=action_counter_egress) # bind this ACL table to rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, egress_acl=acl_egress_table_id) print('#### ACL \'DROP, src mac 00:22:22:22:22:22, ' 'in_ports[ptf_intf_1,2]\' Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.0.1 | @ ptf_intf 2') # send the same packet send_packet(self, self.dev_port1, pkt) # ensure packet is dropped # check for absence of packet here! print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| 172.16.10.1 | 192.168.0.1 | @ ptf_intf 1') verify_no_other_packets(self, timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 1) finally: # unbind this ACL table from rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, egress_acl=int(SAI_NULL_OBJECT_ID)) # cleanup ACL action_counter_egress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_egress_entry_id, action_counter=action_counter_egress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_egress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_egress) # cleanup ACL sai_thrift_remove_acl_entry(self.client, acl_egress_entry_id) sai_thrift_remove_acl_table(self.client, acl_egress_table_id) def tearDown(self): sai_thrift_remove_route_entry(self.client, self.route_entry) sai_thrift_remove_next_hop(self.client, self.nhop) sai_thrift_remove_neighbor_entry(self.client, self.nbr_entry) self.destroy_routing_interfaces() super(MACSrcAclTest, self).tearDown() @group("draft") class L3L4PortTest(SaiHelperSimplified): """ Verify matching on l4_dst_port and l4_src_port fields Configuration +----------+-----------+ | port0 | port0_rif | +----------+-----------+ | port1 | port1_rif | +----------+-----------+ """ def setUp(self): super(L3L4PortTest, self).setUp() self.create_routing_interfaces(ports=[0, 1]) self.l4_dst_port = 1000 self.l4_src_port = 500 rif_id1 = self.port0_rif self.rif_id2 = self.port1_rif ip_addr_subnet = '172.16.10.0/24' ip_addr = '172.16.10.1' dmac = '00:11:22:33:44:55' mac_src = '00:22:22:22:22:22' ip_addr_src = '192.168.100.100' print("Create neighbor with %s ip address, %d router interface" " id and %s destination mac" % ( ip_addr, rif_id1, dmac)) self.nbr_entry = sai_thrift_neighbor_entry_t( rif_id=rif_id1, ip_address=sai_ipaddress(ip_addr)) sai_thrift_create_neighbor_entry( self.client, self.nbr_entry, dst_mac_address=dmac) print("Create nhop with %s ip address and %d router" " interface id" % (ip_addr, rif_id1)) self.nhop = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(ip_addr), router_interface_id=rif_id1, type=SAI_NEXT_HOP_TYPE_IP) print("Create route with %s ip prefix and %d router" " interface id" % (ip_addr_subnet, rif_id1)) self.route_entry = sai_thrift_route_entry_t( vr_id=self.default_vrf, destination=sai_ipprefix( ip_addr_subnet)) sai_thrift_create_route_entry(self.client, self.route_entry, next_hop_id=rif_id1) self.pkt = simple_tcp_packet(eth_dst=ROUTER_MAC, eth_src=mac_src, ip_dst=ip_addr, ip_src=ip_addr_src, tcp_sport=self.l4_src_port, tcp_dport=self.l4_dst_port, ip_id=105, ip_ttl=64) self.exp_pkt = simple_tcp_packet(eth_dst=dmac, eth_src=ROUTER_MAC, ip_dst=ip_addr, ip_src=ip_addr_src, tcp_sport=self.l4_src_port, tcp_dport=self.l4_dst_port, ip_id=105, ip_ttl=63) def runTest(self): print("Testing L4 src/dest port ACL filter") print('--------------------------------------------------------------' '--------------------------------') print("Sending packet ptf_intf 2 -> ptf_intf 1 (192.168.100.100 --->" " 172.16.10.1 [id = 105])") try: print('#### NO ACL Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 2') send_packet(self, self.dev_port1, self.pkt) print('#### Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 1') verify_packets(self, self.exp_pkt, [self.dev_port0]) finally: print('----------------------------------------------------------' '------------------------------------') print("Sending packet ptf_intf 2 -[acl]-> ptf_intf 1 (192.168.0.1" "-[a]cl]-> 172.16.10.1 [id = 105])") table_stage_ingress = SAI_ACL_STAGE_INGRESS table_stage_egress = SAI_ACL_STAGE_EGRESS entry_priority = 1 ip_src = "192.168.100.1" ip_src_mask = "255.255.255.0" table_bind_points = [SAI_ACL_BIND_POINT_TYPE_ROUTER_INTF] table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_points), int32list=table_bind_points) acl_ingress_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_ingress, acl_bind_point_type_list=table_bind_point_type_list, field_l4_src_port=True, field_l4_dst_port=True) self.assertNotEqual(acl_ingress_table_id, 0) src_ip_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=ip_src), mask=sai_thrift_acl_field_data_mask_t(ip4=ip_src_mask)) l4_dst_port_mask = 32759 l4_dst_port_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(u16=self.l4_dst_port), mask=sai_thrift_acl_field_data_mask_t(u16=l4_dst_port_mask)) l4_src_port_mask = 32759 l4_src_port_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(u16=self.l4_src_port), mask=sai_thrift_acl_field_data_mask_t(u16=l4_src_port_mask)) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=SAI_PACKET_ACTION_DROP)) acl_ingress_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_ingress_table_id, priority=entry_priority, field_src_ip=src_ip_t, action_packet_action=packet_action, field_l4_dst_port=l4_dst_port_t, field_l4_src_port=l4_src_port_t) # create ACL counter acl_counter_ingress = sai_thrift_create_acl_counter( self.client, table_id=acl_ingress_table_id) # attach ACL counter to ACL entry action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_ingress_entry_id, action_counter=action_counter_ingress) self.assertNotEqual(acl_ingress_entry_id, 0) # bind this ACL table to rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, ingress_acl=acl_ingress_table_id) try: print('#### ACL \'DROP, src ip 192.168.100.1/255.255.255.0, SPORT' ' 1000, in_ports[ptf_intf_1,2]\' Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 1') # send the same packet send_packet(self, self.dev_port1, self.pkt) # ensure packet is dropped # check for absence of packet here! print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 0') verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 1) # cleanup ACL action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_ingress_entry_id, action_counter=action_counter_ingress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_ingress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_ingress) # unbind this ACL table from rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, ingress_acl=int(SAI_NULL_OBJECT_ID)) sai_thrift_remove_acl_entry(self.client, acl_ingress_entry_id) sai_thrift_remove_acl_table(self.client, acl_ingress_table_id) acl_egress_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_egress, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True) self.assertNotEqual(acl_egress_table_id, 0) acl_egress_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_egress_table_id, priority=entry_priority, field_src_ip=src_ip_t, action_packet_action=packet_action, field_l4_dst_port=l4_dst_port_t, field_l4_src_port=l4_src_port_t) # create ACL counter acl_counter_egress = sai_thrift_create_acl_counter( self.client, table_id=acl_egress_table_id) # attach ACL counter to ACL entry action_counter_egress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_egress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_egress_entry_id, action_counter=action_counter_egress) self.assertNotEqual(acl_egress_entry_id, 0) # bind this ACL table to rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, egress_acl=acl_egress_table_id) print('#### ACL \'DROP, src mac 00:22:22:22:22:22, ' 'in_ports[ptf_intf_1,2]\' Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.0.1 | @ ptf_intf 2') # send the same packet send_packet(self, self.dev_port1, self.pkt) # ensure packet is dropped # check for absence of packet here! print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| 172.16.10.1 | 192.168.0.1 | @ ptf_intf 1') verify_no_other_packets(self, timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 1) finally: # unbind this ACL table from rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, egress_acl=int(SAI_NULL_OBJECT_ID)) # cleanup ACL action_counter_egress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_egress_entry_id, action_counter=action_counter_egress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_egress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_egress) # cleanup ACL sai_thrift_remove_acl_entry(self.client, acl_egress_entry_id) sai_thrift_remove_acl_table(self.client, acl_egress_table_id) def tearDown(self): sai_thrift_remove_route_entry(self.client, self.route_entry) sai_thrift_remove_next_hop(self.client, self.nhop) sai_thrift_remove_neighbor_entry(self.client, self.nbr_entry) self.destroy_routing_interfaces() super(L3L4PortTest, self).tearDown() @group("draft") class L3AclRangeTest(SaiHelperSimplified): """ Verify matching on ACL range Configuration +----------+-----------+ | port0 | port0_rif | +----------+-----------+ | port1 | port1_rif | +----------+-----------+ """ def setUp(self): super(L3AclRangeTest, self).setUp() self.create_routing_interfaces(ports=[0, 1]) l4_dst_port = 1000 rif_id1 = self.port0_rif self.rif_id2 = self.port1_rif ip_addr_subnet = '172.16.10.0/24' ip_addr = '172.16.10.1' dmac = '00:11:22:33:44:55' mac_src = '00:22:22:22:22:22' ip_addr_src = '192.168.100.100' print("Create neighbor with %s ip address, %d router interface" " id and %s destination mac" % ( ip_addr, rif_id1, dmac)) self.nbr_entry = sai_thrift_neighbor_entry_t( rif_id=rif_id1, ip_address=sai_ipaddress(ip_addr)) sai_thrift_create_neighbor_entry( self.client, self.nbr_entry, dst_mac_address=dmac) print("Create nhop with %s ip address and %d router" " interface id" % (ip_addr, rif_id1)) self.nhop = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(ip_addr), router_interface_id=rif_id1, type=SAI_NEXT_HOP_TYPE_IP) print("Create route with %s ip prefix and %d router " "interface id" % (ip_addr_subnet, rif_id1)) self.route_entry = sai_thrift_route_entry_t( vr_id=self.default_vrf, destination=sai_ipprefix( ip_addr_subnet)) sai_thrift_create_route_entry(self.client, self.route_entry, next_hop_id=rif_id1) self.tcp_pkt = simple_tcp_packet(eth_dst=ROUTER_MAC, eth_src=mac_src, ip_dst=ip_addr, ip_src=ip_addr_src, tcp_dport=l4_dst_port, ip_id=105, ip_ttl=64) self.tcp_exp_pkt = simple_tcp_packet(eth_dst=dmac, eth_src=ROUTER_MAC, ip_dst=ip_addr, ip_src=ip_addr_src, tcp_dport=l4_dst_port, ip_id=105, ip_ttl=63) self.udp_pkt = simple_udp_packet(eth_dst=ROUTER_MAC, eth_src=mac_src, ip_dst=ip_addr, udp_dport=l4_dst_port, ip_src=ip_addr_src, ip_id=105, ip_ttl=64) self.udp_exp_pkt = simple_udp_packet(eth_dst=dmac, eth_src=ROUTER_MAC, ip_dst=ip_addr, ip_src=ip_addr_src, udp_dport=l4_dst_port, ip_id=105, ip_ttl=63) self.table_stage_ingress = SAI_ACL_STAGE_INGRESS self.table_stage_egress = SAI_ACL_STAGE_EGRESS self.tcp_protocol = 0x06 self.udp_protocol = 0x11 def runTest(self): self.routingTest() print("Sending TCP packet ptf_intf 2 -[ingress ACL]-> ptf_intf 1 " "(192.168.0.1-[ingress ACL]-> 172.16.10.1 [id = 105])") self.aclTest(self.table_stage_ingress, self.tcp_protocol) print("Sending UDP packet ptf_intf 2 -[ingress ACL]-> ptf_intf 1 " "(192.168.0.1-[ingress ACL]-> 172.16.10.1 [id = 105])") self.aclTest(self.table_stage_ingress, self.udp_protocol) print("Sending TCP packet ptf_intf 2 -[egress ACL]-> ptf_intf 1 " "(192.168.0.1-[egress ACL]-> 172.16.10.1 [id = 105])") self.aclTest(self.table_stage_egress, self.tcp_protocol) print("Sending UDP packet ptf_intf 2 -[egress ACL]-> ptf_intf 1 " "(192.168.0.1-[egress ACL]-> 172.16.10.1 [id = 105])") self.aclTest(self.table_stage_egress, self.udp_protocol) def routingTest(self): """ Verifies routing for TCP and UDP traffic """ print('--------------------------------------------------------------') print("Sending TCP packet ptf_intf 2 -> ptf_intf 1 (192.168.100.100 " "---> 172.16.10.1 [id = 105])") print('#### NO ACL Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 2') send_packet(self, self.dev_port1, self.tcp_pkt) print('#### Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 1') verify_packets(self, self.tcp_exp_pkt, [self.dev_port0]) print('----------------------------------------------------------') print("Sending UDP packet ptf_intf 2 -> ptf_intf 1 (192.168.100.100 " "---> 172.16.10.1 [id = 105])") print('#### NO ACL Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 2') send_packet(self, self.dev_port1, self.udp_pkt) print('#### Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 1') verify_packets(self, self.udp_exp_pkt, [self.dev_port0]) print('----------------------------------------------------------') def aclTest(self, stage, protocol): """ Verifies ingress or egress ACLs for range and TCP or UDP traffic Args: stage (int): specifies ingress or egress type of ACL protocol (int): specifies protocol field value """ if protocol == 0x06: pkt = self.tcp_pkt elif protocol == 0x11: pkt = self.udp_pkt field_protocol = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(u8=protocol), mask=sai_thrift_acl_field_data_mask_t(u8=0x0F)) entry_priority = 1 table_bind_points = [SAI_ACL_BIND_POINT_TYPE_ROUTER_INTF] table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_points), int32list=table_bind_points) acl_table_id = sai_thrift_create_acl_table( self.client, acl_stage=stage, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True, field_ip_protocol=True) self.assertNotEqual(acl_table_id, 0) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=SAI_PACKET_ACTION_DROP)) u32range = sai_thrift_u32_range_t(min=1000, max=1000) acl_range_id = sai_thrift_create_acl_range( self.client, type=SAI_ACL_RANGE_TYPE_L4_DST_PORT_RANGE, limit=u32range) range_list = [acl_range_id] print("ACL range created 0x%lx" % (acl_range_id)) range_list_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t( objlist=sai_thrift_object_list_t( count=len(range_list), idlist=range_list))) acl_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_table_id, priority=entry_priority, action_packet_action=packet_action, field_acl_range_type=range_list_t, field_ip_protocol=field_protocol) print("ACL ingress table created 0x%lx" % (acl_table_id)) # create ACL counter acl_counter = sai_thrift_create_acl_counter( self.client, table_id=acl_table_id) # attach ACL counter to ACL entry action_counter = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_id, action_counter=action_counter) if stage == SAI_ACL_STAGE_INGRESS: # bind this ACL table to rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, ingress_acl=acl_table_id) elif stage == SAI_ACL_STAGE_EGRESS: # bind this ACL table to rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, egress_acl=acl_table_id) try: print('#### ACL \'DROP, src ip 192.168.100.1/255.255.255.0, SPORT' ' 1000, in_ports[ptf_intf_1,2]\' Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 1') # send the same packet send_packet(self, self.dev_port1, pkt) # ensure packet is dropped # check for absence of packet here! print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 0') verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 1) finally: # unbind this ACL table from rif_id2s object id if stage == SAI_ACL_STAGE_INGRESS: sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, ingress_acl=int( SAI_NULL_OBJECT_ID)) elif stage == SAI_ACL_STAGE_EGRESS: sai_thrift_set_router_interface_attribute( self.client, self.rif_id2, egress_acl=int( SAI_NULL_OBJECT_ID)) # cleanup ACL action_counter = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_id, action_counter=action_counter) sai_thrift_set_acl_counter_attribute( self.client, acl_counter, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter) # cleanup ACL sai_thrift_remove_acl_entry(self.client, acl_entry_id) sai_thrift_remove_acl_range(self.client, acl_range_id) sai_thrift_remove_acl_table(self.client, acl_table_id) def tearDown(self): sai_thrift_remove_route_entry(self.client, self.route_entry) sai_thrift_remove_next_hop(self.client, self.nhop) sai_thrift_remove_neighbor_entry(self.client, self.nbr_entry) self.destroy_routing_interfaces() super(L3AclRangeTest, self).tearDown() @group("draft") class ACLGroupSeveralMembersTest(SaiHelper): """ Verify matching on ACL groups with the IPv4 and IPv6 groups members """ def setUp(self): super(ACLGroupSeveralMembersTest, self).setUp() mirror_type = SAI_MIRROR_SESSION_TYPE_LOCAL rif_id1 = self.port10_rif self.ipv4_addr = '192.168.0.1' self.ipv6_addr = '4000::1' self.dmac = '00:22:22:22:22:22' print("Create neighbor with %s ip address, %d router interface" " id and %s destination mac" % ( self.ipv4_addr, rif_id1, self.dmac)) self.nbr_entry1 = sai_thrift_neighbor_entry_t( rif_id=rif_id1, ip_address=sai_ipaddress(self.ipv4_addr)) sai_thrift_create_neighbor_entry( self.client, self.nbr_entry1, dst_mac_address=self.dmac) print("Create nhop with %s ip address and %d router" " interface id" % (self.ipv4_addr, rif_id1)) self.nhop1 = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(self.ipv4_addr), router_interface_id=rif_id1, type=SAI_NEXT_HOP_TYPE_IP) print("Create neighbor with %s ip address, %d router interface" " id and %s destination mac" % ( self.ipv6_addr, rif_id1, self.dmac)) self.nbr_entry2 = sai_thrift_neighbor_entry_t( rif_id=rif_id1, ip_address=sai_ipaddress(self.ipv6_addr)) sai_thrift_create_neighbor_entry( self.client, self.nbr_entry2, dst_mac_address=self.dmac) print("Create nhop with %s ip address and %d router" " interface id" % (self.ipv6_addr, rif_id1)) self.nhop2 = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(self.ipv6_addr), router_interface_id=rif_id1, type=SAI_NEXT_HOP_TYPE_IP) print("Create mirror session") self.spanid = sai_thrift_create_mirror_session( self.client, monitor_port=self.port24, type=mirror_type) def runTest(self): # setup ACL table groups ipv4_addr_src1 = "20.0.0.1" ipv4_addr_src2 = "20.0.0.3" ipv4_mask = "255.255.255.255" ipv6_mask = "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff" ipv6_addr_src = '2000::1' group_stage_ingress = SAI_ACL_STAGE_INGRESS group_stage_egress = SAI_ACL_STAGE_EGRESS group_bind_point_list = [SAI_ACL_BIND_POINT_TYPE_PORT] group_type = SAI_ACL_TABLE_GROUP_TYPE_PARALLEL table_stage_ingress = SAI_ACL_STAGE_INGRESS table_stage_egress = SAI_ACL_STAGE_EGRESS group_bind_point_type_list = sai_thrift_s32_list_t( count=len(group_bind_point_list), int32list=group_bind_point_list) print("Create ACL tables groups") acl_group_ingress = sai_thrift_create_acl_table_group( self.client, acl_stage=group_stage_ingress, acl_bind_point_type_list=group_bind_point_type_list, type=group_type) table_bind_point_list = [SAI_ACL_BIND_POINT_TYPE_PORT] table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_point_list), int32list=table_bind_point_list) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=SAI_PACKET_ACTION_DROP)) print("Create ACL field data") src_ip_t_ipv4 = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=ipv4_addr_src1), mask=sai_thrift_acl_field_data_mask_t(ip4=ipv4_mask)) src_ip_t_ipv6 = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip6=ipv6_addr_src), mask=sai_thrift_acl_field_data_mask_t( ip6=ipv6_mask)) src_ip_t_mirror = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=ipv4_addr_src2), mask=sai_thrift_acl_field_data_mask_t(ip4=ipv4_mask)) # create ACL tables print("Create ACL tables") acl_ingress_ipv4_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_ingress, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True) acl_ingress_ipv6_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_ingress, acl_bind_point_type_list=table_bind_point_type_list, field_src_ipv6=True) # create ACL table group members print("Create ACL group members") acl_group_ingress_ipv4_member_id = \ sai_thrift_create_acl_table_group_member( self.client, acl_table_group_id=acl_group_ingress, acl_table_id=acl_ingress_ipv4_table_id) acl_group_ingress_ipv6_member_id = \ sai_thrift_create_acl_table_group_member( self.client, acl_table_group_id=acl_group_ingress, acl_table_id=acl_ingress_ipv6_table_id) # create ACL entries print("Create ACL entries") ipv4_acl_ingress_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_ingress_ipv4_table_id, priority=9999, field_src_ip=src_ip_t_ipv4, action_packet_action=packet_action) ipv6_acl_ingress_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_ingress_ipv6_table_id, priority=9998, field_src_ipv6=src_ip_t_ipv6, action_packet_action=packet_action) mirror_acl_ingress_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_ingress_ipv4_table_id, priority=9997, field_src_ip=src_ip_t_mirror, action_packet_action=packet_action) # create ACL counter acl_counter_ingress_ipv4 = sai_thrift_create_acl_counter( self.client, table_id=acl_ingress_ipv4_table_id) # attach ACL counter to ACL entry action_counter_ingress_ipv4 = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress_ipv4), enable=True) sai_thrift_set_acl_entry_attribute( self.client, ipv4_acl_ingress_entry_id, action_counter=action_counter_ingress_ipv4) # create ACL counter acl_counter_ingress_ipv6 = sai_thrift_create_acl_counter( self.client, table_id=acl_ingress_ipv6_table_id) # attach ACL counter to ACL entry action_counter_ingress_ipv6 = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress_ipv6), enable=True) sai_thrift_set_acl_entry_attribute( self.client, ipv6_acl_ingress_entry_id, action_counter=action_counter_ingress_ipv6) # create ACL counter acl_counter_ingress_mirror = sai_thrift_create_acl_counter( self.client, table_id=acl_ingress_ipv4_table_id) # attach ACL counter to ACL entry action_counter_ingress_mirror = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress_mirror), enable=True) sai_thrift_set_acl_entry_attribute( self.client, mirror_acl_ingress_entry_id, action_counter=action_counter_ingress_mirror) try: pkt = simple_tcp_packet(eth_dst=ROUTER_MAC, eth_src=self.dmac, ip_src=ipv4_addr_src1, ip_dst=self.ipv4_addr, tcp_sport=0x4321, tcp_dport=0x51, ip_ttl=64) exp_pkt = simple_tcp_packet(eth_dst=self.dmac, eth_src=ROUTER_MAC, ip_src=ipv4_addr_src1, ip_dst=self.ipv4_addr, tcp_sport=0x4321, tcp_dport=0x51, ip_ttl=63) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '20.0.0.1 | 192.168.0.1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pkt) print('#### Expecting ', self.dmac, ' | ', ROUTER_MAC, '| 20.0.0.1' ' | 192.168.0.1 | @ ptf_intf 1') verify_packets(self, exp_pkt, [self.dev_port10]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_ipv4, packets=True) self.assertEqual(packets['packets'], 0) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_ipv6, packets=True) self.assertEqual(packets['packets'], 0) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_mirror, packets=True) self.assertEqual(packets['packets'], 0) pktv6 = simple_tcpv6_packet(eth_dst=ROUTER_MAC, eth_src=self.dmac, ipv6_dst=self.ipv6_addr, ipv6_src=ipv6_addr_src, ipv6_hlim=64) exp_pktv6 = simple_tcpv6_packet(eth_dst=self.dmac, eth_src=ROUTER_MAC, ipv6_dst=self.ipv6_addr, ipv6_src=ipv6_addr_src, ipv6_hlim=63) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | 4000::1' ' | 2000::1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pktv6) print('#### Expecting ', self.dmac, ' | ', ROUTER_MAC, '| 4000::1' ' | 2000::1 | @ ptf_intf 1') verify_packets(self, exp_pktv6, [self.dev_port10]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_ipv4, packets=True) self.assertEqual(packets['packets'], 0) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_ipv6, packets=True) self.assertEqual(packets['packets'], 0) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_mirror, packets=True) self.assertEqual(packets['packets'], 0) pkt2 = simple_tcp_packet(eth_dst=ROUTER_MAC, eth_src=self.dmac, ip_src=ipv4_addr_src2, ip_dst=self.ipv4_addr, tcp_sport=0x4321, tcp_dport=0x51, ip_ttl=64) exp_pkt2 = simple_tcp_packet(eth_dst=self.dmac, eth_src=ROUTER_MAC, ip_src=ipv4_addr_src2, ip_dst=self.ipv4_addr, tcp_sport=0x4321, tcp_dport=0x51, ip_ttl=63) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '20.0.0.3 | 192.168.0.1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pkt2) print('#### Expecting ', self.dmac, ' | ', ROUTER_MAC, '| 20.0.0.3' ' | 192.168.0.1 | @ ptf_intf 1') verify_packets(self, exp_pkt2, [self.dev_port10]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_ipv4, packets=True) self.assertEqual(packets['packets'], 0) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_ipv6, packets=True) self.assertEqual(packets['packets'], 0) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_mirror, packets=True) self.assertEqual(packets['packets'], 0) # bind ACL group to port and verify ACLs work sai_thrift_set_port_attribute( self.client, self.port11, ingress_acl=acl_group_ingress) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '20.0.0.1 | 192.168.0.1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pkt) print('#### NOT Expecting ', self.dmac, ' | ', ROUTER_MAC, '| ' '20.0.0.1 | 192.168.0.1 | @ ptf_intf 1') verify_no_other_packets(self, timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_ipv4, packets=True) self.assertEqual(packets['packets'], 1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_ipv6, packets=True) self.assertEqual(packets['packets'], 0) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_mirror, packets=True) self.assertEqual(packets['packets'], 0) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | 4000::1' ' | 2000::1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pktv6) print('#### NOT Expecting ', self.dmac, ' | ', ROUTER_MAC, '| ' '4000::1 | 2000::1 | @ ptf_intf 1') verify_no_other_packets(self, timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_ipv4, packets=True) self.assertEqual(packets['packets'], 1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_ipv6, packets=True) self.assertEqual(packets['packets'], 1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_mirror, packets=True) self.assertEqual(packets['packets'], 0) # unbind ACL group from port - ACLs sholdn't have any effect sai_thrift_set_port_attribute( self.client, self.port11, ingress_acl=int(SAI_NULL_OBJECT_ID)) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '20.0.0.1 | 192.168.0.1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pkt) print('#### Expecting ', self.dmac, ' | ', ROUTER_MAC, '| 20.0.0.1' ' | 192.168.0.1 | @ ptf_intf 1') verify_packets(self, exp_pkt, [self.dev_port10]) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | 4000::1' ' | 2000::1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pktv6) print('#### Expecting ', self.dmac, ' | ', ROUTER_MAC, '| 4000::1' ' | 2000::1 | @ ptf_intf 1') verify_packets(self, exp_pktv6, [self.dev_port10]) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '20.0.0.3 | 192.168.0.1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pkt2) print('#### Expecting ', self.dmac, ' | ', ROUTER_MAC, '| 20.0.0.3' ' | 192.168.0.1 | @ ptf_intf 1') verify_packets(self, exp_pkt2, [self.dev_port10]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_ipv4, packets=True) self.assertEqual(packets['packets'], 1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_ipv6, packets=True) self.assertEqual(packets['packets'], 1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_mirror, packets=True) self.assertEqual(packets['packets'], 0) # cleanup ACL action_counter_ingress_ipv4 = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, ipv4_acl_ingress_entry_id, action_counter=action_counter_ingress_ipv4) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_ingress_ipv4, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_ipv4, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter( self.client, acl_counter_ingress_ipv4) action_counter_ingress_ipv6 = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, ipv6_acl_ingress_entry_id, action_counter=action_counter_ingress_ipv6) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_ingress_ipv6, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_ipv6, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter( self.client, acl_counter_ingress_ipv6) action_counter_ingress_mirror = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, mirror_acl_ingress_entry_id, action_counter=action_counter_ingress_mirror) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_ingress_mirror, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress_mirror, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter( self.client, acl_counter_ingress_mirror) sai_thrift_remove_acl_table_group_member( self.client, acl_group_ingress_ipv4_member_id) sai_thrift_remove_acl_table_group_member( self.client, acl_group_ingress_ipv6_member_id) sai_thrift_remove_acl_table_group(self.client, acl_group_ingress) sai_thrift_remove_acl_entry(self.client, ipv4_acl_ingress_entry_id) sai_thrift_remove_acl_entry(self.client, ipv6_acl_ingress_entry_id) sai_thrift_remove_acl_entry(self.client, mirror_acl_ingress_entry_id) sai_thrift_remove_acl_table(self.client, acl_ingress_ipv4_table_id) sai_thrift_remove_acl_table(self.client, acl_ingress_ipv6_table_id) print("Create ACL tables groups") acl_group_egress = sai_thrift_create_acl_table_group( self.client, acl_stage=group_stage_egress, acl_bind_point_type_list=group_bind_point_type_list, type=group_type) # create ACL tables print("Create ACL tables") acl_egress_ipv4_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_egress, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True) acl_egress_ipv6_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_egress, acl_bind_point_type_list=table_bind_point_type_list, field_src_ipv6=True) # create ACL table group members print("Create ACL group members") acl_group_egress_ipv4_member_id = \ sai_thrift_create_acl_table_group_member( self.client, acl_table_group_id=acl_group_egress, acl_table_id=acl_egress_ipv4_table_id) acl_group_egress_ipv6_member_id = \ sai_thrift_create_acl_table_group_member( self.client, acl_table_group_id=acl_group_egress, acl_table_id=acl_egress_ipv6_table_id) # create ACL entries print("Create ACL entries") ipv4_acl_egress_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_egress_ipv4_table_id, priority=9999, field_src_ip=src_ip_t_ipv4, action_packet_action=packet_action) ipv6_acl_egress_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_egress_ipv6_table_id, priority=9998, field_src_ipv6=src_ip_t_ipv6, action_packet_action=packet_action) mirror_acl_egress_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_egress_ipv4_table_id, priority=9997, field_src_ip=src_ip_t_mirror, action_packet_action=packet_action) # create ACL counter acl_counter_egress_ipv4 = sai_thrift_create_acl_counter( self.client, table_id=acl_egress_ipv4_table_id) # attach ACL counter to ACL entry action_counter_egress_ipv4 = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_egress_ipv4), enable=True) sai_thrift_set_acl_entry_attribute( self.client, ipv4_acl_egress_entry_id, action_counter=action_counter_egress_ipv4) # create ACL counter acl_counter_egress_ipv6 = sai_thrift_create_acl_counter( self.client, table_id=acl_egress_ipv6_table_id) # attach ACL counter to ACL entry action_counter_egress_ipv6 = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_egress_ipv6), enable=True) sai_thrift_set_acl_entry_attribute( self.client, ipv6_acl_egress_entry_id, action_counter=action_counter_egress_ipv6) # create ACL counter acl_counter_egress_mirror = sai_thrift_create_acl_counter( self.client, table_id=acl_egress_ipv4_table_id) # attach ACL counter to ACL entry action_counter_egress_mirror = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_egress_mirror), enable=True) sai_thrift_set_acl_entry_attribute( self.client, mirror_acl_egress_entry_id, action_counter=action_counter_egress_mirror) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '20.0.0.1 | 192.168.0.1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pkt) print('#### Expecting ', self.dmac, ' | ', ROUTER_MAC, '| 20.0.0.1' ' | 192.168.0.1 | @ ptf_intf 1') verify_packets(self, exp_pkt, [self.dev_port10]) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | 4000::1' ' | 2000::1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pktv6) print('#### Expecting ', self.dmac, ' | ', ROUTER_MAC, '| 4000::1' ' | 2000::1 | @ ptf_intf 1') verify_packets(self, exp_pktv6, [self.dev_port10]) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '20.0.0.3 | 192.168.0.1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pkt2) print('#### Expecting ', self.dmac, ' | ', ROUTER_MAC, '| 20.0.0.3' ' | 192.168.0.1 | @ ptf_intf 1') verify_packets(self, exp_pkt2, [self.dev_port10]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress_ipv4, packets=True) self.assertEqual(packets['packets'], 0) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress_ipv6, packets=True) self.assertEqual(packets['packets'], 0) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress_mirror, packets=True) self.assertEqual(packets['packets'], 0) # bind ACL group to port and verify ACLs work sai_thrift_set_port_attribute( self.client, self.port10, egress_acl=acl_group_egress) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '20.0.0.1 | 192.168.0.1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pkt) print('#### NOT Expecting ', self.dmac, ' | ', ROUTER_MAC, '| ' '20.0.0.1 | 192.168.0.1 | @ ptf_intf 1') verify_no_other_packets(self, timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress_ipv4, packets=True) self.assertEqual(packets['packets'], 1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress_ipv6, packets=True) self.assertEqual(packets['packets'], 0) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress_mirror, packets=True) self.assertEqual(packets['packets'], 0) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | 4000::1' ' | 2000::1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pktv6) print('#### NOT Expecting ', self.dmac, ' | ', ROUTER_MAC, '| ' '4000::1 | 2000::1 | @ ptf_intf 1') verify_no_other_packets(self, timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress_ipv4, packets=True) self.assertEqual(packets['packets'], 1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress_ipv6, packets=True) self.assertEqual(packets['packets'], 1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress_mirror, packets=True) self.assertEqual(packets['packets'], 0) # unbind ACL group from port - ACLs sholdn't have any effect sai_thrift_set_port_attribute( self.client, self.port10, egress_acl=int(SAI_NULL_OBJECT_ID)) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '20.0.0.1 | 192.168.0.1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pkt) print('#### Expecting ', self.dmac, ' | ', ROUTER_MAC, '| 20.0.0.1' ' | 192.168.0.1 | @ ptf_intf 1') verify_packets(self, exp_pkt, [self.dev_port10]) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | 4000::1' ' | 2000::1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pktv6) print('#### Expecting ', self.dmac, ' | ', ROUTER_MAC, '| 4000::1' ' | 2000::1 | @ ptf_intf 1') verify_packets(self, exp_pktv6, [self.dev_port10]) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '20.0.0.3 | 192.168.0.1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pkt2) print('#### Expecting ', self.dmac, ' | ', ROUTER_MAC, '| 20.0.0.3' ' | 192.168.0.1 | @ ptf_intf 1') verify_packets(self, exp_pkt2, [self.dev_port10]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress_ipv4, packets=True) self.assertEqual(packets['packets'], 1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress_ipv6, packets=True) self.assertEqual(packets['packets'], 1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress_mirror, packets=True) self.assertEqual(packets['packets'], 0) finally: # cleanup ACL action_counter_egress_ipv4 = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, ipv4_acl_egress_entry_id, action_counter=action_counter_egress_ipv4) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_egress_ipv4, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress_ipv4, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_egress_ipv4) action_counter_egress_ipv6 = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, ipv6_acl_egress_entry_id, action_counter=action_counter_egress_ipv6) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_egress_ipv6, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress_ipv6, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_egress_ipv6) action_counter_egress_mirror = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, mirror_acl_egress_entry_id, action_counter=action_counter_egress_mirror) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_egress_mirror, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress_mirror, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter( self.client, acl_counter_egress_mirror) sai_thrift_remove_acl_table_group_member( self.client, acl_group_egress_ipv4_member_id) sai_thrift_remove_acl_table_group_member( self.client, acl_group_egress_ipv6_member_id) sai_thrift_remove_acl_table_group(self.client, acl_group_egress) sai_thrift_remove_acl_entry(self.client, ipv4_acl_egress_entry_id) sai_thrift_remove_acl_entry(self.client, ipv6_acl_egress_entry_id) sai_thrift_remove_acl_entry(self.client, mirror_acl_egress_entry_id) sai_thrift_remove_acl_table(self.client, acl_egress_ipv4_table_id) sai_thrift_remove_acl_table(self.client, acl_egress_ipv6_table_id) def tearDown(self): sai_thrift_remove_mirror_session(self.client, self.spanid) sai_thrift_remove_next_hop(self.client, self.nhop1) sai_thrift_remove_next_hop(self.client, self.nhop2) sai_thrift_remove_neighbor_entry(self.client, self.nbr_entry1) sai_thrift_remove_neighbor_entry(self.client, self.nbr_entry2) super(ACLGroupSeveralMembersTest, self).tearDown() @group("draft") class MultAclTableGroupBindTest(SaiHelper): """ Verify matching on ACL table groups """ def setUp(self): super(MultAclTableGroupBindTest, self).setUp() rif_id = self.port13_rif ip_addr_subnet = '172.16.10.0/24' self.ip_addr = '172.16.10.1' self.dmac = '00:11:22:33:44:55' print("Create neighbor with %s ip address, %d router interface" " id and %s destination mac" % ( self.ip_addr, rif_id, self.dmac)) self.nbr_entry = sai_thrift_neighbor_entry_t( rif_id=rif_id, ip_address=sai_ipaddress(self.ip_addr)) sai_thrift_create_neighbor_entry( self.client, self.nbr_entry, dst_mac_address=self.dmac) print("Create nhop with %s ip address and %d router" " interface id" % (self.ip_addr, rif_id)) self.nhop = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(self.ip_addr), router_interface_id=rif_id, type=SAI_NEXT_HOP_TYPE_IP) print("Create route with %s ip prefix and %d router" " interface id" % (ip_addr_subnet, rif_id)) self.route_entry = sai_thrift_route_entry_t( vr_id=self.default_vrf, destination=sai_ipprefix( ip_addr_subnet)) sai_thrift_create_route_entry(self.client, self.route_entry, next_hop_id=rif_id) # setup mirror ACL table mirror_type = SAI_MIRROR_SESSION_TYPE_LOCAL print("Create mirror session") self.span_session = sai_thrift_create_mirror_session( self.client, monitor_port=self.port10, type=mirror_type, vlan_header_valid=False) print(self.span_session) def runTest(self): print('--------------------------------------------------------------') print('Testing both IPV4, MIRROR ACL table within a ACL table group on' ' same set of ports') print("Sending packet ptf_intf 4 -> [ptf_intf 1, ptf_intf 2, ptf_intf " "3] (192.168.0.1 ---> 172.16.10.1 [id = 105])") mac_src = '00:22:22:22:22:22' ip_mask = '255.255.255.0' ipv4_addr = '192.168.0.1' # send the test packet(s) pkt = simple_tcp_packet(eth_dst=ROUTER_MAC, eth_src=mac_src, ip_dst=self.ip_addr, ip_src=ipv4_addr, ip_id=105, ip_ttl=64) exp_pkt = simple_tcp_packet(eth_dst=self.dmac, eth_src=ROUTER_MAC, ip_dst=self.ip_addr, ip_src=ipv4_addr, ip_id=105, ip_ttl=63) print('#### NO ACL Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | 172.16.10.1' ' | 192.168.0.1 | @ ptf_intf 1') send_packet(self, self.dev_port10, pkt) print('#### Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| 172.16.10.1' ' | 192.168.0.1 | @ ptf_intf 4') verify_packet(self, exp_pkt, self.dev_port13) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | 172.16.10.1' ' | 192.168.0.1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pkt) print('#### Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| 172.16.10.1' ' | 192.168.0.1 | @ ptf_intf 4') verify_packet(self, exp_pkt, self.dev_port13) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | 172.16.10.1' ' | 192.168.0.1 | @ ptf_intf 3') send_packet(self, self.dev_port12, pkt) print('#### Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| 172.16.10.1' ' | 192.168.0.1 | @ ptf_intf 4') verify_packet(self, exp_pkt, self.dev_port13) # setup ACL table group group_bind_point_list = [SAI_ACL_BIND_POINT_TYPE_PORT] group_type = SAI_ACL_TABLE_GROUP_TYPE_PARALLEL group_stage_ingress = SAI_ACL_STAGE_INGRESS group_stage_egress = SAI_ACL_STAGE_EGRESS # setup ACL table 1 table_stage_ingress = SAI_ACL_STAGE_INGRESS table_stage_egress = SAI_ACL_STAGE_EGRESS table_bind_point_list = [SAI_ACL_BIND_POINT_TYPE_PORT] group_bind_point_type_list = sai_thrift_s32_list_t( count=len(group_bind_point_list), int32list=group_bind_point_list) table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_point_list), int32list=table_bind_point_list) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=SAI_PACKET_ACTION_DROP)) print("Create ACL field data") src_ip_t_ipv4 = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=ipv4_addr), mask=sai_thrift_acl_field_data_mask_t(ip4=ip_mask)) # create ACL tables print("Create ACL tables") acl_ingress_ip_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_ingress, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True) print("Sending packet ptf_intf 2 -[ACL]-> ptf_intf 1 (20.20.20.1-[ACL]" "-> 172.16.10.1 [id = 105])") # setup ACL table to block on below matching param ip_src = "192.168.0.1" ip_src_mask = "255.255.255.0" ip_dst = "172.16.10.1" ip_dst_mask = "255.255.255.0" ip_proto = 6 src_ip_t_mirror = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=ip_src), mask=sai_thrift_acl_field_data_mask_t(ip4=ip_src_mask)) dst_ip_t_mirror = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=ip_dst), mask=sai_thrift_acl_field_data_mask_t(ip4=ip_dst_mask)) # create ACL tables print("Create ACL tables") acl_ingress_mirror_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_ingress, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True, field_dst_ip=True, field_ip_protocol=ip_proto) # setup ACL table group members group_member_priority = 1 acl_group_ingress_list = [] acl_group_member_ingress_list = [] in_ports = [self.port10, self.port11, self.port12] for port in in_ports: # ACL table group print("Create ACL tables groups for", port, " port") acl_table_group_ingress = sai_thrift_create_acl_table_group( self.client, acl_stage=group_stage_ingress, acl_bind_point_type_list=group_bind_point_type_list, type=group_type) # create ACL table group member 1 - v4 tables acl_group_ingress_ip_member_id = \ sai_thrift_create_acl_table_group_member( self.client, acl_table_group_id=acl_table_group_ingress, acl_table_id=acl_ingress_ip_table_id, priority=group_member_priority) # create ACL table group members 2 - mirror tables print("Create ACL group members") acl_group_ingress_mirror_member_id = \ sai_thrift_create_acl_table_group_member( self.client, acl_table_group_id=acl_table_group_ingress, acl_table_id=acl_ingress_mirror_table_id, priority=group_member_priority) acl_group_ingress_list.append(acl_table_group_ingress) acl_group_member_ingress_list.append( acl_group_ingress_ip_member_id) acl_group_member_ingress_list.append( acl_group_ingress_mirror_member_id) for i, ports in enumerate(in_ports): # attach this ACL table group to port10, port11, port12 print("Bind ACL ingress group 0x % lx to port 0x % lx" % ( acl_group_ingress_list[i], ports)) sai_thrift_set_port_attribute( self.client, ports, ingress_acl=acl_group_ingress_list[i]) # create ACL entries print("Create ACL entries") acl_ingress_ip_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_ingress_ip_table_id, priority=1, field_src_ip=src_ip_t_ipv4, action_packet_action=packet_action) # create ACL counter acl_counter_ingress = sai_thrift_create_acl_counter( self.client, table_id=acl_ingress_ip_table_id) # attach ACL counter to ACL entry action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_ingress_ip_entry_id, action_counter=action_counter_ingress) src_l4_port = sai_thrift_acl_field_data_t( enable=True, data=sai_thrift_acl_field_data_data_t(u16=4000), mask=sai_thrift_acl_field_data_mask_t(u16=32767)) dst_l4_port = sai_thrift_acl_field_data_t( enable=True, data=sai_thrift_acl_field_data_data_t(u16=5000), mask=sai_thrift_acl_field_data_mask_t(u16=32767)) mirror_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( objlist=sai_thrift_object_list_t( count=len([self.span_session]), idlist=[self.span_session]))) # create ACL entries print("Create ACL entries") mirror_acl_ingress_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_ingress_mirror_table_id, priority=1, field_src_ip=src_ip_t_mirror, field_dst_ip=dst_ip_t_mirror, field_l4_src_port=src_l4_port, field_l4_dst_port=dst_l4_port, action_mirror_ingress=mirror_action) # create ACL counter acl_counter_mirror = sai_thrift_create_acl_counter( self.client, table_id=acl_ingress_mirror_table_id) # attach ACL counter to ACL entry action_counter_mirror = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_mirror), enable=True) sai_thrift_set_acl_entry_attribute( self.client, mirror_acl_ingress_entry_id, action_counter=action_counter_mirror) try: print('#### ACL \'DROP, src mac 00:22:22:22:22:22, ' 'in_ports[ptf_intf_1,2,3,4]\' Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.0.1 | @ ptf_intf 1') time.sleep(5) send_packet(self, self.dev_port10, pkt) print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.0.1 | @ ptf_intf 4') verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_mirror, packets=True) self.assertEqual(packets['packets'], 0) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.0.1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pkt) print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.0.1 | @ ptf_intf 4') verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_mirror, packets=True) self.assertEqual(packets['packets'], 0) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.0.1 | @ ptf_intf 3') send_packet(self, self.dev_port12, pkt) print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.0.1 | @ ptf_intf 4') verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 3) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_mirror, packets=True) self.assertEqual(packets['packets'], 0) print("Verify Mirror ACL") time.sleep(5) pkt = simple_tcp_packet(eth_dst=ROUTER_MAC, eth_src=mac_src, ip_src=ipv4_addr, ip_dst=self.ip_addr, ip_id=105, ip_ttl=64, tcp_sport=4000, tcp_dport=5000) print("TX packet port 12 -> port 13, ipv4 ACL blocks route pkt but" " mirror ACL mirrors pkt to port 10") send_packet(self, self.dev_port12, pkt) verify_packets(self, pkt, ports=[self.dev_port10]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 4) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_mirror, packets=True) self.assertEqual(packets['packets'], 1) # cleanup ACL, remove ACL group member action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_ingress_ip_entry_id, action_counter=action_counter_ingress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_ingress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_ingress) action_counter_mirror = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, mirror_acl_ingress_entry_id, action_counter=action_counter_mirror) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_mirror, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_mirror, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_mirror) for mbr in acl_group_member_ingress_list: sai_thrift_remove_acl_table_group_member(self.client, mbr) # unlink this ACL table from port10, port12, port13 object for i, ports in enumerate(in_ports): sai_thrift_set_port_attribute( self.client, ports, ingress_acl=int(SAI_NULL_OBJECT_ID)) # cleanup ACL group, entries, tables for grp in acl_group_ingress_list: sai_thrift_remove_acl_table_group(self.client, grp) sai_thrift_remove_acl_entry( self.client, acl_ingress_ip_entry_id) sai_thrift_remove_acl_table( self.client, acl_ingress_ip_table_id) sai_thrift_remove_acl_entry( self.client, mirror_acl_ingress_entry_id) sai_thrift_remove_acl_table( self.client, acl_ingress_mirror_table_id) # create ACL tables print("Create ACL tables") acl_egress_ip_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_egress, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True) # ACL table group print("Create ACL egress table groups") acl_table_group_egress = sai_thrift_create_acl_table_group( self.client, acl_stage=group_stage_egress, acl_bind_point_type_list=group_bind_point_type_list, type=group_type) # create ACL table group member 1 - v4 tables acl_group_egress_ip_member_id = \ sai_thrift_create_acl_table_group_member( self.client, acl_table_group_id=acl_table_group_egress, acl_table_id=acl_egress_ip_table_id, priority=group_member_priority) # attach this ACL table group to port4 print("Bind ACL egress group to port4") sai_thrift_set_port_attribute( self.client, self.port13, egress_acl=acl_table_group_egress) # create ACL entries print("Create ACL entries") acl_egress_ip_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_egress_ip_table_id, priority=1, field_src_ip=src_ip_t_ipv4, action_packet_action=packet_action) # create ACL counter acl_counter_egress = sai_thrift_create_acl_counter( self.client, table_id=acl_egress_ip_table_id) # attach ACL counter to ACL entry action_counter_egress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_egress_ip_entry_id, action_counter=action_counter_egress) # send the test packet(s) pkt = simple_tcp_packet(eth_dst=ROUTER_MAC, eth_src='00:22:22:22:22:22', ip_dst='172.16.10.1', ip_src='192.168.0.1', ip_id=105, ip_ttl=64) print('#### ACL \'DROP, src mac 00:22:22:22:22:22, ' 'in_ports[ptf_intf_1,2,3,4]\' Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.0.1 | @ ptf_intf 1') time.sleep(5) send_packet(self, self.dev_port10, pkt) print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.0.1 | @ ptf_intf 4') verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 1) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.0.1 | @ ptf_intf 2') send_packet(self, self.dev_port11, pkt) print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.0.1 | @ ptf_intf 4') verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 2) print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.0.1 | @ ptf_intf 3') send_packet(self, self.dev_port12, pkt) print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.0.1 | @ ptf_intf 4') verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 3) time.sleep(5) finally: # cleanup ACL, remove ACL group member action_counter_egress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_egress_ip_entry_id, action_counter=action_counter_egress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_egress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_egress) sai_thrift_remove_acl_table_group_member( self.client, acl_group_egress_ip_member_id) # unlink this ACL table from port4 object sai_thrift_set_port_attribute(self.client, self.port13, egress_acl=int(SAI_NULL_OBJECT_ID)) # cleanup ACL group, entries, tables sai_thrift_remove_acl_table_group(self.client, acl_table_group_egress) sai_thrift_remove_acl_entry( self.client, acl_egress_ip_entry_id) sai_thrift_remove_acl_table( self.client, acl_egress_ip_table_id) def tearDown(self): # cleanup mirror session sai_thrift_remove_mirror_session(self.client, self.span_session) # l3 part sai_thrift_remove_route_entry(self.client, self.route_entry) sai_thrift_remove_next_hop(self.client, self.nhop) sai_thrift_remove_neighbor_entry(self.client, self.nbr_entry) super(MultAclTableGroupBindTest, self).tearDown() @group("draft") class TCPFlagsACLTest(SaiHelperSimplified): """ Verify ACL TCP Flags Configuration +----------+-----------+ | port0 | port0_rif | +----------+-----------+ | port1 | port1_rif | +----------+-----------+ """ def setUp(self): super(TCPFlagsACLTest, self).setUp() self.create_routing_interfaces(ports=[0, 1]) self.acl_table = None self.acl_entry = None self.acl_counter = None self.dmac = '00:11:22:33:44:55' self.ip_addr1 = '10.10.10.1' self.ip_addr2 = '10.10.10.2' self.src_mac = '00:22:22:22:22:22' self.ip_addr_src = '192.168.0.1' self.nhop = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(self.ip_addr2), router_interface_id=self.port0_rif, type=SAI_NEXT_HOP_TYPE_IP) self.neighbor_entry = sai_thrift_neighbor_entry_t( rif_id=self.port0_rif, ip_address=sai_ipaddress(self.ip_addr2)) sai_thrift_create_neighbor_entry( self.client, self.neighbor_entry, dst_mac_address=self.dmac) self.route_entry = sai_thrift_route_entry_t( vr_id=self.default_vrf, destination=sai_ipprefix('10.10.10.0/24')) sai_thrift_create_route_entry( self.client, self.route_entry, next_hop_id=self.nhop) def runTest(self): print("TCPFlagsAclTest") stage = SAI_ACL_STAGE_INGRESS bind_points = [SAI_ACL_BIND_POINT_TYPE_ROUTER_INTERFACE] action_types = [SAI_ACL_ACTION_TYPE_PACKET_ACTION] action_drop = SAI_PACKET_ACTION_DROP acl_bind_point_type_list = sai_thrift_s32_list_t( count=len(bind_points), int32list=bind_points) acl_action_type_list = sai_thrift_s32_list_t( count=len(action_types), int32list=action_types) self.acl_table = sai_thrift_create_acl_table( self.client, acl_stage=stage, acl_bind_point_type_list=acl_bind_point_type_list, acl_action_type_list=acl_action_type_list, field_dst_ip=True) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t(s32=action_drop)) tcp_flag = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(u8=0x17), mask=sai_thrift_acl_field_data_mask_t(u8=0x10)) self.acl_entry = sai_thrift_create_acl_entry( self.client, table_id=self.acl_table, action_packet_action=packet_action, field_tcp_flags=tcp_flag ) # create ACL counter self.acl_counter = sai_thrift_create_acl_counter( self.client, table_id=self.acl_table) # attach ACL counter to ACL entry action_counter = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=self.acl_counter), enable=True) sai_thrift_set_acl_entry_attribute( self.client, self.acl_entry, action_counter=action_counter) sai_thrift_set_router_interface_attribute( self.client, self.port1_rif, ingress_acl=self.acl_table) pkt = simple_tcp_packet( eth_dst=ROUTER_MAC, eth_src=self.src_mac, ip_dst=self.ip_addr1, ip_src=self.ip_addr_src, tcp_flags=0x2, ip_ttl=64) exp_pkt = simple_tcp_packet( eth_dst=self.dmac, eth_src=ROUTER_MAC, ip_dst=self.ip_addr1, ip_src=self.ip_addr_src, tcp_flags=0x2, ip_ttl=63) print("Sending tcp packet (ACK bit 0) on port %d, forward" % self.dev_port1) send_packet(self, self.dev_port1, pkt) verify_packet(self, exp_pkt, self.dev_port0) packets = sai_thrift_get_acl_counter_attribute( self.client, self.acl_counter, packets=True) self.assertEqual(packets['packets'], 0) pkt = simple_udp_packet( eth_dst=ROUTER_MAC, eth_src=self.src_mac, ip_dst=self.ip_addr1, ip_src=self.ip_addr_src, pktlen=100, ip_ttl=64) exp_pkt = simple_udp_packet( eth_dst=self.dmac, eth_src=ROUTER_MAC, ip_dst=self.ip_addr1, ip_src=self.ip_addr_src, pktlen=100, ip_ttl=63) print("Sending udp packet on port %d, forward" % self.dev_port1) send_packet(self, self.dev_port1, pkt) verify_packet(self, exp_pkt, self.dev_port0) packets = sai_thrift_get_acl_counter_attribute( self.client, self.acl_counter, packets=True) self.assertEqual(packets['packets'], 0) pkt = simple_tcp_packet( eth_dst=ROUTER_MAC, eth_src=self.src_mac, ip_dst=self.ip_addr1, ip_src=self.ip_addr_src, ip_id=105, tcp_flags=0x10, ip_ttl=64) print("Sending tcp packet (ACK bit 1) on port %d, drop" % self.dev_port1) send_packet(self, self.dev_port1, pkt) verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, self.acl_counter, packets=True) self.assertEqual(packets['packets'], 1) pkt = simple_udp_packet( eth_dst=ROUTER_MAC, eth_src=self.src_mac, ip_dst=self.ip_addr1, ip_src=self.ip_addr_src, pktlen=100, ip_ttl=64) exp_pkt = simple_udp_packet( eth_dst=self.dmac, eth_src=ROUTER_MAC, ip_dst=self.ip_addr1, ip_src=self.ip_addr_src, pktlen=100, ip_ttl=63) print("Sending udp packet on port %d, forward" % self.dev_port1) send_packet(self, self.dev_port1, pkt) verify_packet(self, exp_pkt, self.dev_port0) packets = sai_thrift_get_acl_counter_attribute( self.client, self.acl_counter, packets=True) self.assertEqual(packets['packets'], 1) def tearDown(self): # cleanup ACL action_counter = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, self.acl_entry, action_counter=action_counter) sai_thrift_set_acl_counter_attribute( self.client, self.acl_counter, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, self.acl_counter, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, self.acl_counter) sai_thrift_set_router_interface_attribute( self.client, self.port1_rif, ingress_acl=0) sai_thrift_remove_acl_entry(self.client, self.acl_entry) sai_thrift_remove_acl_table(self.client, self.acl_table) sai_thrift_remove_route_entry(self.client, self.route_entry) sai_thrift_remove_next_hop(self.client, self.nhop) sai_thrift_remove_neighbor_entry(self.client, self.neighbor_entry) self.destroy_routing_interfaces() super(TCPFlagsACLTest, self).tearDown() @group("draft") class AclTableTypeTest(SaiHelper): ''' ACL Type class. This test creates tables with various match fields ''' acl_range_type = sai_thrift_s32_list_t(count=0, int32list=[]) def setUp(self): super(AclTableTypeTest, self).setUp() self.dmac = '00:11:22:33:44:55' self.src_mac = '00:22:22:22:22:22' self.ip_addr1 = '10.0.0.1' self.ip_addr2 = '10.10.10.2' self.port24_rif = sai_thrift_create_router_interface( self.client, type=SAI_ROUTER_INTERFACE_TYPE_PORT, virtual_router_id=self.default_vrf, port_id=self.port24) self.port25_rif = sai_thrift_create_router_interface( self.client, type=SAI_ROUTER_INTERFACE_TYPE_PORT, virtual_router_id=self.default_vrf, port_id=self.port25) self.nhop1 = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(self.ip_addr2), router_interface_id=self.port25_rif, type=SAI_NEXT_HOP_TYPE_IP) self.neighbor_entry1 = sai_thrift_neighbor_entry_t( rif_id=self.port25_rif, ip_address=sai_ipaddress(self.ip_addr2)) sai_thrift_create_neighbor_entry( self.client, self.neighbor_entry1, dst_mac_address=self.dmac) self.route_entry0 = sai_thrift_route_entry_t( vr_id=self.default_vrf, destination=sai_ipprefix('10.0.0.1/32')) sai_thrift_create_route_entry( self.client, self.route_entry0, next_hop_id=self.nhop1) self.route_entry1 = sai_thrift_route_entry_t( vr_id=self.default_vrf, destination=sai_ipprefix( '1234:5678:9abc:def0:4422:1133:5577:99aa/128')) sai_thrift_create_route_entry( self.client, self.route_entry1, next_hop_id=self.nhop1) self.vlan_oid = sai_thrift_create_vlan(self.client, 100) mac_action = SAI_PACKET_ACTION_FORWARD self.port26_bp = sai_thrift_create_bridge_port( self.client, bridge_id=self.default_1q_bridge, port_id=self.port26, type=SAI_BRIDGE_PORT_TYPE_PORT, admin_state=True) self.vlan_member1 = sai_thrift_create_vlan_member( self.client, vlan_id=self.vlan_oid, bridge_port_id=self.port26_bp, vlan_tagging_mode=SAI_VLAN_TAGGING_MODE_TAGGED) self.port27_bp = sai_thrift_create_bridge_port( self.client, bridge_id=self.default_1q_bridge, port_id=self.port27, type=SAI_BRIDGE_PORT_TYPE_PORT, admin_state=True) self.vlan_member2 = sai_thrift_create_vlan_member( self.client, vlan_id=self.vlan_oid, bridge_port_id=self.port27_bp, vlan_tagging_mode=SAI_VLAN_TAGGING_MODE_TAGGED) self.fdb_entry1 = sai_thrift_fdb_entry_t( switch_id=self.switch_id, mac_address=self.src_mac, bv_id=self.vlan_oid) sai_thrift_create_fdb_entry( self.client, self.fdb_entry1, type=SAI_FDB_ENTRY_TYPE_STATIC, bridge_port_id=self.port26_bp, packet_action=mac_action) self.fdb_entry2 = sai_thrift_fdb_entry_t( switch_id=self.switch_id, mac_address=self.dmac, bv_id=self.vlan_oid) sai_thrift_create_fdb_entry( self.client, self.fdb_entry2, type=SAI_FDB_ENTRY_TYPE_STATIC, bridge_port_id=self.port27_bp, packet_action=mac_action) def runTest(self): self.testIPv4Acl() self.testIPv6Acl() self.testIPMirrorAcl() def tearDown(self): sai_thrift_remove_fdb_entry(self.client, self.fdb_entry1) sai_thrift_remove_fdb_entry(self.client, self.fdb_entry2) sai_thrift_remove_vlan_member(self.client, self.vlan_member1) sai_thrift_remove_vlan_member(self.client, self.vlan_member2) sai_thrift_remove_bridge_port(self.client, self.port26_bp) sai_thrift_remove_bridge_port(self.client, self.port27_bp) sai_thrift_remove_vlan(self.client, self.vlan_oid) sai_thrift_remove_route_entry(self.client, self.route_entry0) sai_thrift_remove_route_entry(self.client, self.route_entry1) sai_thrift_remove_next_hop(self.client, self.nhop1) sai_thrift_remove_neighbor_entry(self.client, self.neighbor_entry1) sai_thrift_remove_router_interface(self.client, self.port25_rif) sai_thrift_remove_router_interface(self.client, self.port24_rif) super(AclTableTypeTest, self).tearDown() def testIPv4Acl(self): ''' Verify various IPv4 field combinations for table creation ''' print("testIPv4Acl") pkt1 = simple_tcp_packet(eth_dst=ROUTER_MAC, eth_src=self.src_mac, ip_dst=self.ip_addr1, ip_ttl=64) exp_pkt1 = simple_tcp_packet(eth_dst=self.dmac, eth_src=ROUTER_MAC, ip_dst=self.ip_addr1, ip_ttl=63) pkt2 = simple_tcp_packet(eth_dst=self.dmac, eth_src=self.src_mac, dl_vlan_enable=True, vlan_vid=100, ip_src=self.ip_addr2, ip_dst=self.ip_addr1, ip_id=102, ip_ttl=64) exp_pkt2 = simple_tcp_packet(eth_dst=self.dmac, eth_src=self.src_mac, ip_dst=self.ip_addr1, ip_src=self.ip_addr2, ip_id=102, dl_vlan_enable=True, vlan_vid=100, ip_ttl=64) try: # verify packet forwarding without ACL send_packet(self, self.dev_port24, pkt1) verify_packet(self, exp_pkt1, self.dev_port25) send_packet(self, self.dev_port26, pkt2) verify_packet(self, exp_pkt2, self.dev_port27) # create ACL table table_stage = SAI_ACL_STAGE_INGRESS table_bind_points = [SAI_ACL_BIND_POINT_TYPE_PORT, SAI_ACL_BIND_POINT_TYPE_LAG] table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_points), int32list=table_bind_points) acl_table = sai_thrift_create_acl_table( self.client, acl_stage=table_stage, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True, field_dst_ip=True, field_ip_protocol=True, field_dscp=True, field_l4_src_port=True, field_l4_dst_port=True, field_ttl=True, field_tcp_flags=True, field_ether_type=True, field_acl_range_type=self.acl_range_type, field_icmp_code=True, field_icmp_type=True, field_acl_ip_frag=True, field_acl_ip_type=True, field_outer_vlan_id=True) # create ACL table entry dst_ip_mask = '255.255.255.255' dst_ip_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=self.ip_addr1), mask=sai_thrift_acl_field_data_mask_t(ip4=dst_ip_mask)) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=SAI_PACKET_ACTION_DROP)) acl_entry = sai_thrift_create_acl_entry( self.client, table_id=acl_table, priority=10, field_dst_ip=dst_ip_t, action_packet_action=packet_action) # create ACL counter acl_counter_ingress = sai_thrift_create_acl_counter( self.client, table_id=acl_table) # attach ACL counter to ACL entry action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry, action_counter=action_counter_ingress) # bind ACL table to ingress port 24 sai_thrift_set_port_attribute( self.client, self.port24, ingress_acl=acl_table) sai_thrift_set_port_attribute( self.client, self.port26, ingress_acl=acl_table) # verify packet dropped after ACL apply send_packet(self, self.dev_port24, pkt1) verify_no_other_packets(self, timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 1) send_packet(self, self.dev_port26, pkt2) verify_no_other_packets(self, timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 2) finally: # cleanup ACL action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry, action_counter=action_counter_ingress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_ingress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_ingress) sai_thrift_set_port_attribute(self.client, self.port24, ingress_acl=0) sai_thrift_set_port_attribute(self.client, self.port26, ingress_acl=0) sai_thrift_remove_acl_entry(self.client, acl_entry) sai_thrift_remove_acl_table(self.client, acl_table) def testIPv6Acl(self): ''' Verify various IPv6 field combinations for table creation ''' print("testIPv6Acl") pkt1 = simple_tcpv6_packet( eth_dst=ROUTER_MAC, ipv6_dst='1234:5678:9abc:def0:4422:1133:5577:99aa', ipv6_hlim=64) exp_pkt1 = simple_tcpv6_packet( eth_dst=self.dmac, eth_src=ROUTER_MAC, ipv6_dst='1234:5678:9abc:def0:4422:1133:5577:99aa', ipv6_hlim=63) pkt2 = simple_tcpv6_packet( eth_dst=self.dmac, eth_src=self.src_mac, dl_vlan_enable=True, vlan_vid=100, ipv6_dst='1234:5678:9abc:def0:4422:1133:5577:99aa', ipv6_src='2000::1', ipv6_hlim=64) exp_pkt2 = simple_tcpv6_packet( eth_dst=self.dmac, eth_src=self.src_mac, dl_vlan_enable=True, vlan_vid=100, ipv6_dst='1234:5678:9abc:def0:4422:1133:5577:99aa', ipv6_src='2000::1', ipv6_hlim=64) try: # verify packet forwarding without ACL send_packet(self, self.dev_port24, pkt1) verify_packet(self, exp_pkt1, self.dev_port25) send_packet(self, self.dev_port26, pkt2) verify_packet(self, exp_pkt2, self.dev_port27) # create ACL table table_stage = SAI_ACL_STAGE_INGRESS table_bind_points = [SAI_ACL_BIND_POINT_TYPE_PORT, SAI_ACL_BIND_POINT_TYPE_LAG] table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_points), int32list=table_bind_points) acl_table = sai_thrift_create_acl_table( self.client, acl_stage=table_stage, acl_bind_point_type_list=table_bind_point_type_list, field_src_ipv6=True, field_dst_ipv6=True, field_ip_protocol=True, field_ipv6_next_header=True, field_dscp=True, field_l4_src_port=True, field_l4_dst_port=True, field_ttl=True, field_tcp_flags=True, field_ether_type=True, field_ipv6_flow_label=True, field_acl_range_type=self.acl_range_type, field_icmpv6_code=True, field_icmpv6_type=True, field_acl_ip_frag=True, field_acl_ip_type=True, field_outer_vlan_id=True) # create ACL table entry dst_ip = '1234:5678:9abc:def0:4422:1133:5577:99aa' dst_ip_mask = 'FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF' dst_ip_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip6=dst_ip), mask=sai_thrift_acl_field_data_mask_t(ip6=dst_ip_mask)) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=SAI_PACKET_ACTION_DROP)) acl_entry = sai_thrift_create_acl_entry( self.client, table_id=acl_table, priority=10, field_dst_ipv6=dst_ip_t, action_packet_action=packet_action) # create ACL counter acl_counter_ingress = sai_thrift_create_acl_counter( self.client, table_id=acl_table) # attach ACL counter to ACL entry action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry, action_counter=action_counter_ingress) # bind ACL table to ingress port 24 sai_thrift_set_port_attribute(self.client, self.port24, ingress_acl=acl_table) sai_thrift_set_port_attribute(self.client, self.port26, ingress_acl=acl_table) # verify packet dropped after ACL apply send_packet(self, self.dev_port24, pkt1) verify_no_other_packets(self, timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 1) send_packet(self, self.dev_port26, pkt2) verify_no_other_packets(self, timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 2) finally: # cleanup ACL action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry, action_counter=action_counter_ingress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_ingress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_ingress) sai_thrift_set_port_attribute(self.client, self.port24, ingress_acl=0) sai_thrift_set_port_attribute(self.client, self.port26, ingress_acl=0) sai_thrift_remove_acl_entry(self.client, acl_entry) sai_thrift_remove_acl_table(self.client, acl_table) def testIPMirrorAcl(self): ''' Verify various IP mirror functionality ''' print("testIPMirrorAcl") pkt1 = simple_tcpv6_packet( eth_dst=ROUTER_MAC, ipv6_dst='1234:5678:9abc:def0:4422:1133:5577:99aa', ipv6_hlim=64) exp_pkt1 = simple_tcpv6_packet( eth_dst=self.dmac, eth_src=ROUTER_MAC, ipv6_dst='1234:5678:9abc:def0:4422:1133:5577:99aa', ipv6_hlim=63) pkt2 = simple_tcpv6_packet( eth_dst=self.dmac, eth_src=self.src_mac, dl_vlan_enable=True, vlan_vid=100, ipv6_dst='1234:5678:9abc:def0:4422:1133:5577:99aa', ipv6_src='2000::1', ipv6_hlim=64) exp_pkt2 = simple_tcpv6_packet( eth_dst=self.dmac, eth_src=self.src_mac, dl_vlan_enable=True, vlan_vid=100, ipv6_dst='1234:5678:9abc:def0:4422:1133:5577:99aa', ipv6_src='2000::1', ipv6_hlim=64) try: # verify packet forwarding without ACL send_packet(self, self.dev_port24, pkt1) verify_packet(self, exp_pkt1, self.dev_port25) send_packet(self, self.dev_port26, pkt2) # verify_no_other_packets(self) verify_packet(self, exp_pkt2, self.dev_port27) mirror_session = sai_thrift_create_mirror_session( self.client, monitor_port=self.port28, type=SAI_MIRROR_SESSION_TYPE_LOCAL) # create ACL table table_stage = SAI_ACL_STAGE_INGRESS table_bind_points = [SAI_ACL_BIND_POINT_TYPE_PORT, SAI_ACL_BIND_POINT_TYPE_LAG] table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_points), int32list=table_bind_points) actions = [SAI_ACL_ACTION_TYPE_MIRROR_INGRESS] action_type_list = sai_thrift_s32_list_t( count=len(actions), int32list=actions) acl_table = sai_thrift_create_acl_table( self.client, acl_stage=table_stage, acl_bind_point_type_list=table_bind_point_type_list, acl_action_type_list=action_type_list, field_src_ipv6=True, field_dst_ipv6=True, field_ip_protocol=True, field_ipv6_next_header=True, field_dscp=True, field_l4_src_port=True, field_l4_dst_port=True, field_ttl=True, field_tcp_flags=True, field_ether_type=True, field_acl_range_type=self.acl_range_type, field_icmpv6_code=True, field_icmpv6_type=True, field_acl_ip_frag=True, field_acl_ip_type=True, field_outer_vlan_id=True) # create ACL table entry dst_ip = '1234:5678:9abc:def0:4422:1133:5577:99aa' dst_ip_mask = 'FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF' dst_ip_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip6=dst_ip), mask=sai_thrift_acl_field_data_mask_t(ip6=dst_ip_mask)) mirror_session_list = sai_thrift_object_list_t( count=1, idlist=[mirror_session]) mirror_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( objlist=mirror_session_list)) acl_entry = sai_thrift_create_acl_entry( self.client, table_id=acl_table, priority=10, field_dst_ipv6=dst_ip_t, action_mirror_ingress=mirror_action) # create ACL counter acl_counter_ingress = sai_thrift_create_acl_counter( self.client, table_id=acl_table) # attach ACL counter to ACL entry action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry, action_counter=action_counter_ingress) # bind ACL table to ingress port 24 sai_thrift_set_port_attribute(self.client, self.port24, ingress_acl=acl_table) sai_thrift_set_port_attribute(self.client, self.port26, ingress_acl=acl_table) # verify packet dropped after ACL apply send_packet(self, self.dev_port24, pkt1) verify_each_packet_on_each_port(self, [exp_pkt1, pkt1], [self.dev_port25, self.dev_port28]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 1) send_packet(self, self.dev_port26, pkt2) verify_each_packet_on_each_port(self, [exp_pkt2, pkt2], [self.dev_port27, self.dev_port28]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 2) finally: # cleanup ACL action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry, action_counter=action_counter_ingress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_ingress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_ingress) sai_thrift_set_port_attribute(self.client, self.port24, ingress_acl=0) sai_thrift_set_port_attribute(self.client, self.port26, ingress_acl=0) sai_thrift_remove_acl_entry(self.client, acl_entry) sai_thrift_remove_acl_table(self.client, acl_table) sai_thrift_remove_mirror_session(self.client, mirror_session) @group("draft") class AclRedirectPortAndLagTest(SaiHelper): """ Verify ACL redirection for ports and lags test cases """ def setUp(self): super(AclRedirectPortAndLagTest, self).setUp() self.acl_grp_members = [] self.acl_grps = [] self.acl_rules = [] self.acl_tables = [] self.vlan_members = [] self.vlan_ports = [] self.bridge_ports = [] self.fdbs = [] self.lags = [] self.lag_members = [] self.action_counters = [] self.counters = [] self.mac = '00:11:11:11:11:11' mac_action = SAI_PACKET_ACTION_FORWARD # Add port 24, 25, 26 to Vlan100 vlan_id = 100 self.vlan_oid = sai_thrift_create_vlan(self.client, vlan_id) port24_bp = sai_thrift_create_bridge_port( self.client, bridge_id=self.default_1q_bridge, port_id=self.port24, type=SAI_BRIDGE_PORT_TYPE_PORT, admin_state=True) self.bridge_ports.append(port24_bp) vlan_member1 = sai_thrift_create_vlan_member( self.client, vlan_id=self.vlan_oid, bridge_port_id=port24_bp, vlan_tagging_mode=SAI_VLAN_TAGGING_MODE_UNTAGGED) self.vlan_members.append(vlan_member1) self.vlan_ports.append(self.port24) port25_bp = sai_thrift_create_bridge_port( self.client, bridge_id=self.default_1q_bridge, port_id=self.port25, type=SAI_BRIDGE_PORT_TYPE_PORT, admin_state=True) self.bridge_ports.append(port25_bp) vlan_member2 = sai_thrift_create_vlan_member( self.client, vlan_id=self.vlan_oid, bridge_port_id=port25_bp, vlan_tagging_mode=SAI_VLAN_TAGGING_MODE_UNTAGGED) self.vlan_members.append(vlan_member2) self.vlan_ports.append(self.port25) port26_bp = sai_thrift_create_bridge_port( self.client, bridge_id=self.default_1q_bridge, port_id=self.port26, type=SAI_BRIDGE_PORT_TYPE_PORT, admin_state=True) self.bridge_ports.append(port26_bp) vlan_member3 = sai_thrift_create_vlan_member( self.client, vlan_id=self.vlan_oid, bridge_port_id=port26_bp, vlan_tagging_mode=SAI_VLAN_TAGGING_MODE_UNTAGGED) self.vlan_members.append(vlan_member3) self.vlan_ports.append(self.port26) sai_thrift_set_port_attribute( self.client, self.port24, port_vlan_id=vlan_id) sai_thrift_set_port_attribute( self.client, self.port25, port_vlan_id=vlan_id) sai_thrift_set_port_attribute( self.client, self.port26, port_vlan_id=vlan_id) # Create Lag (port 27, 28) and add it to Vlan100 self.lag_id = sai_thrift_create_lag(self.client) self.lags.append(self.lag_id) lag1_bp = sai_thrift_create_bridge_port( self.client, bridge_id=self.default_1q_bridge, port_id=self.lag_id, type=SAI_BRIDGE_PORT_TYPE_PORT, admin_state=True) self.bridge_ports.append(lag1_bp) lag_member_id1 = sai_thrift_create_lag_member( self.client, lag_id=self.lag_id, port_id=self.port27) self.lag_members.append(lag_member_id1) lag_member_id2 = sai_thrift_create_lag_member( self.client, lag_id=self.lag_id, port_id=self.port28) self.lag_members.append(lag_member_id2) vlan_member4 = sai_thrift_create_vlan_member( self.client, vlan_id=self.vlan_oid, bridge_port_id=lag1_bp, vlan_tagging_mode=SAI_VLAN_TAGGING_MODE_UNTAGGED) self.vlan_members.append(vlan_member4) self.vlan_ports.append(self.port27) self.vlan_ports.append(self.port28) fdb_entry = sai_thrift_fdb_entry_t( switch_id=self.switch_id, mac_address=self.mac, bv_id=self.vlan_oid) sai_thrift_create_fdb_entry( self.client, fdb_entry, type=SAI_FDB_ENTRY_TYPE_STATIC, bridge_port_id=port24_bp, packet_action=mac_action) self.fdbs.append(fdb_entry) def runTest(self): print("Testing AclRedirectPortAndLagTest") print('-------------------------------------------------------------') eth_pkt1 = simple_eth_packet(pktlen=100, eth_dst=self.mac, eth_src='00:06:07:08:09:0a', eth_type=0x8137) eth_pkt2 = simple_eth_packet(pktlen=100, eth_dst=self.mac, eth_src='00:06:07:08:09:0a', eth_type=0x8136) eth_pkt3 = simple_eth_packet(pktlen=100, eth_dst=self.mac, eth_src='00:06:07:08:09:0a', eth_type=0x8135) eth_pkt4 = simple_eth_packet(pktlen=100, eth_dst=self.mac, eth_src='00:06:07:08:09:0a', eth_type=0x8134) neg_test_pkt = simple_eth_packet(pktlen=100, eth_dst=self.mac, eth_src='00:06:07:08:09:0a', eth_type=0x1111) print('#### NO ACL Applied ####') # send the test packet(s) print("Sending Test packet EthType:0x%lx port 25 -> port 24" % ( eth_pkt1[Ether].type)) send_packet(self, self.dev_port25, eth_pkt1) verify_packets(self, eth_pkt1, [self.dev_port24]) print("Sending Test packet EthType:0x%lx port 25 -> port 24" % ( eth_pkt2[Ether].type)) send_packet(self, self.dev_port25, eth_pkt2) verify_packets(self, eth_pkt2, [self.dev_port24]) print("Sending Test packet EthType:0x%lx port 25 -> port 24" % ( eth_pkt3[Ether].type)) send_packet(self, self.dev_port25, eth_pkt3) verify_packets(self, eth_pkt3, [self.dev_port24]) print("Sending Test packet EthType:0x%lx port 25 -> port 24" % ( eth_pkt4[Ether].type)) send_packet(self, self.dev_port25, eth_pkt4) verify_packets(self, eth_pkt4, [self.dev_port24]) print("Sending Test(negative test) packet EthType:0x%lx port 25 -> " "port 24" % (neg_test_pkt[Ether].type)) send_packet(self, self.dev_port25, neg_test_pkt) verify_packets(self, neg_test_pkt, [self.dev_port24]) print("Sending Test(negative test) packet EthType:0x%lx port 25 -> " "port 24" % (neg_test_pkt[Ether].type)) # setup ACL to redirect based on Ether type entry_priority = 1 acl_action = SAI_ACL_ENTRY_ATTR_ACTION_REDIRECT # setup ACL table group group_bind_point_list = [SAI_ACL_BIND_POINT_TYPE_PORT] group_type = SAI_ACL_TABLE_GROUP_TYPE_PARALLEL group_stage_ingress = SAI_ACL_STAGE_INGRESS group_member_priority = 100 # setup ACL table table_stage_ingress = SAI_ACL_STAGE_INGRESS table_bind_point_list = [SAI_ACL_BIND_POINT_TYPE_PORT] group_bind_point_type_list = sai_thrift_s32_list_t( count=len(group_bind_point_list), int32list=group_bind_point_list) table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_point_list), int32list=table_bind_point_list) # create ACL table group acl_table_group_ingress = sai_thrift_create_acl_table_group( self.client, acl_stage=group_stage_ingress, acl_bind_point_type_list=group_bind_point_type_list, type=group_type) self.acl_grps.append(acl_table_group_ingress) # create ACL tables print("Create ACL tables") acl_table_id_ingress = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_ingress, acl_bind_point_type_list=table_bind_point_type_list) self.acl_tables.append(acl_table_id_ingress) self.assertTrue((acl_table_id_ingress != 0), "ACL table create failed") print("IPV4 ACL Table created 0x%lx" % (acl_table_id_ingress)) # create ACL table group members acl_group_member_id_ingress = \ sai_thrift_create_acl_table_group_member( self.client, acl_table_group_id=acl_table_group_ingress, acl_table_id=acl_table_id_ingress, priority=group_member_priority) self.assertTrue(acl_group_member_id_ingress != 0, "ACL group member add failed for ACL table 0x%lx, " "acl group 0x%lx" % ( acl_table_id_ingress, acl_table_group_ingress)) self.acl_grp_members.append(acl_group_member_id_ingress) eth_type = 0x8137 - 0x10000 ether_type = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(u16=eth_type), mask=sai_thrift_acl_field_data_mask_t(u16=32767)) redirect_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=acl_action, oid=self.port26)) # create ACL entries print("Create ACL entries") acl_ip_entry_id_ingress1 = sai_thrift_create_acl_entry( self.client, table_id=acl_table_id_ingress, priority=entry_priority, field_ether_type=ether_type, action_redirect=redirect_action) # create ACL counter acl_counter_ingress1 = sai_thrift_create_acl_counter( self.client, table_id=acl_table_id_ingress) # attach ACL counter to ACL entry action_counter_ingress1 = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress1), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_ip_entry_id_ingress1, action_counter=action_counter_ingress1) self.counters.append(acl_counter_ingress1) self.action_counters.append(action_counter_ingress1) self.acl_rules.append(acl_ip_entry_id_ingress1) self.assertTrue((acl_ip_entry_id_ingress1 != 0), 'ACL entry Match: ' 'EthType-0x%lx Action: Redirect-0x%lx, create ' 'failed for ACL table 0x%lx' % ( eth_type, self.port26, acl_table_id_ingress)) print("ACL entry Match: EthType-0x%lx Action: Redirect-0x%lx " "created 0x%lx" % (eth_pkt1[Ether].type, self.port26, acl_ip_entry_id_ingress1)) entry_priority += 1 eth_type = 0x8136 - 0x10000 ether_type = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(u16=eth_type), mask=sai_thrift_acl_field_data_mask_t(u16=32767)) redirect_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=acl_action, oid=self.lag_id)) acl_ip_entry_id_ingress2 = sai_thrift_create_acl_entry( self.client, table_id=acl_table_id_ingress, priority=entry_priority, field_ether_type=ether_type, action_redirect=redirect_action) # create ACL counter acl_counter_ingress2 = sai_thrift_create_acl_counter( self.client, table_id=acl_table_id_ingress) # attach ACL counter to ACL entry action_counter_ingress2 = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress2), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_ip_entry_id_ingress2, action_counter=action_counter_ingress2) self.counters.append(acl_counter_ingress2) self.action_counters.append(action_counter_ingress2) self.acl_rules.append(acl_ip_entry_id_ingress2) self.assertTrue((acl_ip_entry_id_ingress2 != 0), 'ACL entry Match: ' 'EthType-0x%lx Action: Redirect-0x%lx, create ' 'failed for ACL table 0x%lx' % ( eth_type, self.lag_id, acl_table_id_ingress)) print("ACL entry Match: EthType-0x%lx Action: Redirect-0x%lx " "created 0x%lx" % (eth_pkt2[Ether].type, self.lag_id, acl_ip_entry_id_ingress2)) # create ACL table group members acl_group_member_id_ingress = \ sai_thrift_create_acl_table_group_member( self.client, acl_table_group_id=acl_table_group_ingress, acl_table_id=acl_table_id_ingress, priority=200) self.assertTrue(acl_group_member_id_ingress != 0, "ACL group member add failed for ACL table 0x%lx, " "ACL group 0x%lx" % ( acl_table_id_ingress, acl_table_group_ingress)) self.acl_grp_members.append(acl_group_member_id_ingress) eth_type = 0x8135 - 0x10000 ether_type = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(u16=eth_type), mask=sai_thrift_acl_field_data_mask_t(u16=32767)) redirect_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=acl_action, oid=self.port26)) print("Create ACL entries") acl_ip_entry_id_ingress3 = sai_thrift_create_acl_entry( self.client, table_id=acl_table_id_ingress, priority=entry_priority, field_ether_type=ether_type, action_redirect=redirect_action) # create ACL counter acl_counter_ingress3 = sai_thrift_create_acl_counter( self.client, table_id=acl_table_id_ingress) # attach ACL counter to ACL entry action_counter_ingress3 = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress3), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_ip_entry_id_ingress3, action_counter=action_counter_ingress3) self.counters.append(acl_counter_ingress3) self.action_counters.append(action_counter_ingress3) self.acl_rules.append(acl_ip_entry_id_ingress3) self.assertTrue((acl_ip_entry_id_ingress3 != 0), 'ACL entry Match: ' 'EthType-0x%lx Action: Redirect-0x%lx, create ' 'failed for acl table 0x%lx' % ( eth_type, self.port26, acl_table_id_ingress)) print("ACL entry Match: EthType-0x%lx Action: Redirect-0x%lx " "created 0x%lx" % (eth_pkt3[Ether].type, self.port26, acl_ip_entry_id_ingress3)) eth_type = 0x8134 - 0x10000 ether_type = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(u16=eth_type), mask=sai_thrift_acl_field_data_mask_t(u16=32767)) redirect_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=acl_action, oid=self.lag_id)) print("Create ACL entries") acl_ip_entry_id_ingress4 = sai_thrift_create_acl_entry( self.client, table_id=acl_table_id_ingress, priority=entry_priority, field_ether_type=ether_type, action_redirect=redirect_action) # create ACL counter acl_counter_ingress4 = sai_thrift_create_acl_counter( self.client, table_id=acl_table_id_ingress) # attach ACL counter to ACL entry action_counter_ingress4 = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress4), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_ip_entry_id_ingress4, action_counter=action_counter_ingress4) self.acl_rules.append(acl_ip_entry_id_ingress4) self.assertTrue((acl_ip_entry_id_ingress4 != 0), 'ACL entry Match: ' 'EthType-0x%lx Action: Redirect-0x%lx, create ' 'failed for ACL table 0x%lx' % ( eth_type, self.lag_id, acl_table_id_ingress)) print("ACL entry Match: EthType-0x%lx Action: Redirect-0x%lx " "created 0x%lx" % (eth_pkt3[Ether].type, self.lag_id, acl_ip_entry_id_ingress4)) self.counters.append(acl_counter_ingress4) self.action_counters.append(action_counter_ingress4) print("Binding ACL grp 0x%lx to Port25" % (acl_table_group_ingress)) # bind ACL GRP to Port25 sai_thrift_set_port_attribute( self.client, self.port25, ingress_acl=acl_table_group_ingress) print("Sending Test packet EthType:0x%lx port 25 -> [ACL REDIRECT] " "-> port 26" % (eth_pkt1[Ether].type)) # ensure packet is redirected! send_packet(self, self.dev_port25, eth_pkt1) verify_packets(self, eth_pkt1, [self.dev_port26]) packets1 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress1, packets=True) self.assertEqual(packets1['packets'], 1) packets2 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress2, packets=True) self.assertEqual(packets2['packets'], 0) packets3 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress3, packets=True) self.assertEqual(packets3['packets'], 0) packets4 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress4, packets=True) self.assertEqual(packets4['packets'], 0) # ensure packet is redirected! print("Sending Test packet EthType:0x%lx port 25 -> [ACL REDIRECT] " "-> Lag1 (Port 26/Port 27)" % (eth_pkt2[Ether].type)) send_packet(self, self.dev_port25, eth_pkt2) verify_packets_any(self, eth_pkt2, [self.dev_port27, self.dev_port28]) packets1 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress1, packets=True) self.assertEqual(packets1['packets'], 1) packets2 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress2, packets=True) self.assertEqual(packets2['packets'], 1) packets3 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress3, packets=True) self.assertEqual(packets3['packets'], 0) packets4 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress4, packets=True) self.assertEqual(packets4['packets'], 0) # ensure packet is redirected! print("Sending Test packet EthType:0x%lx port 25 -> [ACL REDIRECT] " "-> port 26" % (eth_pkt3[Ether].type)) send_packet(self, self.dev_port25, eth_pkt3) verify_packets(self, eth_pkt3, [self.dev_port26]) packets1 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress1, packets=True) self.assertEqual(packets1['packets'], 1) packets2 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress2, packets=True) self.assertEqual(packets2['packets'], 1) packets3 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress3, packets=True) self.assertEqual(packets3['packets'], 1) packets4 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress4, packets=True) self.assertEqual(packets4['packets'], 0) # ensure packet is redirected! print("Sending Test packet EthType:0x%lx port 25 -> [ACL REDIRECT] " "-> Lag1 (Port 27/Port 28)" % (eth_pkt4[Ether].type)) send_packet(self, self.dev_port25, eth_pkt4) verify_packets_any(self, eth_pkt4, [self.dev_port27, self.dev_port28]) packets1 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress1, packets=True) self.assertEqual(packets1['packets'], 1) packets2 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress2, packets=True) self.assertEqual(packets2['packets'], 1) packets3 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress3, packets=True) self.assertEqual(packets3['packets'], 1) packets4 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress4, packets=True) self.assertEqual(packets4['packets'], 1) # ensure packet is not redirected! print("Sending Test(negative test) packet EthType:0x%lx port 25 -> " "port 24" % (neg_test_pkt[Ether].type)) send_packet(self, self.dev_port25, neg_test_pkt) verify_packets(self, neg_test_pkt, [self.dev_port24]) packets1 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress1, packets=True) self.assertEqual(packets1['packets'], 1) packets2 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress2, packets=True) self.assertEqual(packets2['packets'], 1) packets3 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress3, packets=True) self.assertEqual(packets3['packets'], 1) packets4 = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress4, packets=True) self.assertEqual(packets4['packets'], 1) def tearDown(self): # Clean up ACL configuration sai_thrift_set_port_attribute( self.client, self.port25, ingress_acl=int(SAI_NULL_OBJECT_ID)) for acl_grp_member in list(self.acl_grp_members): sai_thrift_remove_acl_table_group_member(self.client, acl_grp_member) self.acl_grp_members.remove(acl_grp_member) for acl_grp in list(self.acl_grps): sai_thrift_remove_acl_table_group(self.client, acl_grp) self.acl_grps.remove(acl_grp) for i, acl_action_counter in enumerate(self.action_counters): acl_action_counter = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, self.acl_rules[i], action_counter=acl_action_counter) for acl_counter in self.counters: sai_thrift_set_acl_counter_attribute( self.client, acl_counter, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter) for acl_rule in list(self.acl_rules): sai_thrift_remove_acl_entry(self.client, acl_rule) self.acl_rules.remove(acl_rule) for acl_table in list(self.acl_tables): sai_thrift_remove_acl_table(self.client, acl_table) self.acl_tables.remove(acl_table) for fdb in list(self.fdbs): sai_thrift_remove_fdb_entry(self.client, fdb) self.fdbs.remove(fdb) # Clean up network configuration sai_thrift_set_port_attribute( self.client, self.port24, port_vlan_id=int(SAI_NULL_OBJECT_ID)) sai_thrift_set_port_attribute( self.client, self.port25, port_vlan_id=int(SAI_NULL_OBJECT_ID)) sai_thrift_set_port_attribute( self.client, self.port26, port_vlan_id=int(SAI_NULL_OBJECT_ID)) for vlan_member in list(self.vlan_members): sai_thrift_remove_vlan_member(self.client, vlan_member) self.vlan_members.remove(vlan_member) sai_thrift_remove_vlan(self.client, self.vlan_oid) for lag_member in list(self.lag_members): sai_thrift_remove_lag_member(self.client, lag_member) self.lag_members.remove(lag_member) for port in list(self.bridge_ports): sai_thrift_remove_bridge_port(self.client, port) self.bridge_ports.remove(port) for lag in list(self.lags): sai_thrift_remove_lag(self.client, lag) self.lags.remove(lag) for vlan_port in list(self.vlan_ports): self.vlan_ports.remove(vlan_port) super(AclRedirectPortAndLagTest, self).tearDown() @group("draft") class AclPreIngressTest(AclTableTypeTest): ''' Verify pre-ingress ACL ''' def setUp(self): super(AclPreIngressTest, self).setUp() self.dmac1 = '00:11:22:33:44:55' self.dmac2 = '00:11:22:33:44:56' self.ip_addr1 = '10.0.0.1' self.ip_addr2 = '10.10.10.2' self.vrf1 = sai_thrift_create_virtual_router(self.client) self.vrf1_port26_rif = sai_thrift_create_router_interface( self.client, type=SAI_ROUTER_INTERFACE_TYPE_PORT, virtual_router_id=self.vrf1, port_id=self.port26) self.vrf1_nhop0 = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(self.ip_addr2), router_interface_id=self.vrf1_port26_rif, type=SAI_NEXT_HOP_TYPE_IP) self.vrf1_neighbor_entry0 = sai_thrift_neighbor_entry_t( rif_id=self.vrf1_port26_rif, ip_address=sai_ipaddress(self.ip_addr2)) sai_thrift_create_neighbor_entry( self.client, self.vrf1_neighbor_entry0, dst_mac_address=self.dmac2) self.vrf1_route_entry0 = sai_thrift_route_entry_t( vr_id=self.vrf1, destination=sai_ipprefix('10.0.0.1/32')) sai_thrift_create_route_entry( self.client, self.vrf1_route_entry0, next_hop_id=self.vrf1_nhop0) def runTest(self): self.testPreIngressAcl() def tearDown(self): sai_thrift_remove_route_entry(self.client, self.vrf1_route_entry0) sai_thrift_remove_next_hop(self.client, self.vrf1_nhop0) sai_thrift_remove_neighbor_entry( self.client, self.vrf1_neighbor_entry0) sai_thrift_remove_router_interface(self.client, self.vrf1_port26_rif) sai_thrift_remove_virtual_router(self.client, self.vrf1) super(AclPreIngressTest, self).tearDown() def testPreIngressAcl(self): ''' Verify pre-ingress matching and VRF assignment ''' print("testPreIngressAcl") acl_table_oid = None acl_entry_oid = None try: table_stage = SAI_ACL_STAGE_PRE_INGRESS table_bind_points = [SAI_ACL_BIND_POINT_TYPE_SWITCH] table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_points), int32list=table_bind_points) acl_table_oid = sai_thrift_create_acl_table( self.client, acl_stage=table_stage, acl_bind_point_type_list=table_bind_point_type_list, field_src_mac=True, field_dst_mac=True, field_ether_type=True, field_src_ip=True, field_dst_ip=True, field_tos=True) self.assertNotEqual(acl_table_oid, 0) src_mac = '00:26:dd:14:c4:ee' src_mac_mask = 'ff:ff:ff:ff:ff:ff' src_mac_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(mac=src_mac), mask=sai_thrift_acl_field_data_mask_t(mac=src_mac_mask)) action_set_vrf = sai_thrift_acl_action_data_t( enable=True, parameter=sai_thrift_acl_action_parameter_t( oid=self.vrf1)) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=SAI_PACKET_ACTION_FORWARD)) acl_entry_oid = sai_thrift_create_acl_entry( self.client, table_id=acl_table_oid, priority=10, field_src_mac=src_mac_t, action_packet_action=packet_action, action_set_vrf=action_set_vrf) self.assertNotEqual(acl_entry_oid, 0) # create ACL counter acl_counter_ingress = sai_thrift_create_acl_counter( self.client, table_id=acl_table_oid) # attach ACL counter to ACL entry action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_oid, action_counter=action_counter_ingress) pkt = simple_ip_packet( eth_src=src_mac, eth_dst=ROUTER_MAC, ip_dst=self.ip_addr1, ip_ttl=64) exp_pkt_default_vrf = simple_ip_packet( eth_src=ROUTER_MAC, eth_dst=self.dmac1, ip_dst=self.ip_addr1, ip_ttl=63) exp_pkt_vrf1 = simple_ip_packet( eth_src=ROUTER_MAC, eth_dst=self.dmac2, ip_dst=self.ip_addr1, ip_ttl=63) # send to port in default vrf, expect in default vrf # pre ingress is not enabled on switch send_packet(self, self.dev_port24, pkt) verify_any_packet_on_ports_list(self, pkts=[exp_pkt_default_vrf], ports=[[self.dev_port25]]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 0) # bind pre-ingress table to switch sai_thrift_set_switch_attribute(self.client, pre_ingress_acl=acl_table_oid) # send to port in default vrf, expect in vrf1 send_packet(self, self.dev_port24, pkt) verify_any_packet_on_ports_list(self, pkts=[exp_pkt_vrf1], ports=[[self.dev_port26]]) sai_thrift_set_switch_attribute(self.client, pre_ingress_acl=0) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 1) send_packet(self, self.dev_port24, pkt) verify_any_packet_on_ports_list(self, pkts=[exp_pkt_default_vrf], ports=[[self.dev_port25]]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 1) finally: # cleanup ACL action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_oid, action_counter=action_counter_ingress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_ingress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_ingress) sai_thrift_set_switch_attribute(self.client, pre_ingress_acl=0) if acl_entry_oid: sai_thrift_remove_acl_entry(self.client, acl_entry_oid) if acl_table_oid: sai_thrift_remove_acl_table(self.client, acl_table_oid) @group("draft") class IPv6NextHdrTest(SaiHelperSimplified): """ Verify ACL blocking TCP traffic Configuration +----------+-----------+ | port0 | port0_rif | +----------+-----------+ | port1 | port1_rif | +----------+-----------+ """ def setUp(self): super(IPv6NextHdrTest, self).setUp() self.create_routing_interfaces(ports=[0, 1]) self.ip_addr1 = '1234:5678:9abc:def0:4422:1133:5577:99aa' self.ip_addr2 = '2000::1' self.mac1 = '00:11:22:33:44:55' self.mac2 = '00:22:22:22:22:22' mask = '/112' self.table_stage_ingress = SAI_ACL_STAGE_INGRESS self.table_stage_egress = SAI_ACL_STAGE_EGRESS self.neighbor_entry1 = sai_thrift_neighbor_entry_t( rif_id=self.port0_rif, ip_address=sai_ipaddress(self.ip_addr1)) sai_thrift_create_neighbor_entry( self.client, self.neighbor_entry1, dst_mac_address=self.mac1) self.nhop1 = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(self.ip_addr1), router_interface_id=self.port0_rif, type=SAI_NEXT_HOP_TYPE_IP) self.route_entry1 = sai_thrift_route_entry_t( vr_id=self.default_vrf, destination=sai_ipprefix( self.ip_addr1 + mask)) sai_thrift_create_route_entry( self.client, self.route_entry1, next_hop_id=self.nhop1) self.neighbor_entry2 = sai_thrift_neighbor_entry_t( rif_id=self.port1_rif, ip_address=sai_ipaddress(self.ip_addr2)) sai_thrift_create_neighbor_entry( self.client, self.neighbor_entry2, dst_mac_address=self.mac2) self.nhop2 = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(self.ip_addr2), router_interface_id=self.port1_rif, type=SAI_NEXT_HOP_TYPE_IP) self.route_entry2 = sai_thrift_route_entry_t( vr_id=self.default_vrf, destination=sai_ipprefix( self.ip_addr2 + mask)) sai_thrift_create_route_entry( self.client, self.route_entry2, next_hop_id=self.nhop2) self.tcpv6_1 = simple_tcpv6_packet(eth_dst=ROUTER_MAC, eth_src=self.mac2, ipv6_dst=self.ip_addr1, ipv6_src=self.ip_addr2, ipv6_hlim=64) self.exp_tcpv6_1 = simple_tcpv6_packet(eth_dst=self.mac1, eth_src=ROUTER_MAC, ipv6_dst=self.ip_addr1, ipv6_src=self.ip_addr2, ipv6_hlim=63) self.udpv6_1 = simple_udpv6_packet(eth_dst=ROUTER_MAC, eth_src=self.mac2, ipv6_dst=self.ip_addr1, ipv6_src=self.ip_addr2, ipv6_hlim=64) self.exp_udpv6_1 = simple_udpv6_packet(eth_dst=self.mac1, eth_src=ROUTER_MAC, ipv6_dst=self.ip_addr1, ipv6_src=self.ip_addr2, ipv6_hlim=63) self.tcpv6_2 = simple_tcpv6_packet(eth_dst=ROUTER_MAC, eth_src=self.mac1, ipv6_dst=self.ip_addr2, ipv6_src=self.ip_addr1, ipv6_hlim=64) self.exp_tcpv6_2 = simple_tcpv6_packet(eth_dst=self.mac2, eth_src=ROUTER_MAC, ipv6_dst=self.ip_addr2, ipv6_src=self.ip_addr1, ipv6_hlim=63) self.udpv6_2 = simple_udpv6_packet(eth_dst=ROUTER_MAC, eth_src=self.mac1, ipv6_dst=self.ip_addr2, ipv6_src=self.ip_addr1, ipv6_hlim=64) self.exp_udpv6_2 = simple_udpv6_packet(eth_dst=self.mac2, eth_src=ROUTER_MAC, ipv6_dst=self.ip_addr2, ipv6_src=self.ip_addr1, ipv6_hlim=63) def runTest(self): self.aclRoutingTest() self.aclIPv6NextHdrTest(self.table_stage_ingress) self.aclIPv6NextHdrTest(self.table_stage_egress) def tearDown(self): sai_thrift_remove_route_entry(self.client, self.route_entry1) sai_thrift_remove_next_hop(self.client, self.nhop1) sai_thrift_remove_neighbor_entry(self.client, self.neighbor_entry1) sai_thrift_remove_route_entry(self.client, self.route_entry2) sai_thrift_remove_next_hop(self.client, self.nhop2) sai_thrift_remove_neighbor_entry(self.client, self.neighbor_entry2) self.destroy_routing_interfaces() super(IPv6NextHdrTest, self).tearDown() def aclRoutingTest(self): """ Verify routing without ACL """ try: print('----------------------------------------------------------') print("Sending packet ptf_intf 2 -> ptf_intf 1 (", self.ip_addr2, " ---> ", self.ip_addr1, ")") print('#### NO ACL Applied: sending TCP packets ####') print('#### Sending ', ROUTER_MAC, ' | ', self.mac2, ' | ', self.ip_addr2, ' | ', self.ip_addr1, ' | @ ptf_intf 2') send_packet(self, self.dev_port1, self.tcpv6_1) print('#### Expecting ', self.mac1, ' | ', ROUTER_MAC, ' | ', self.ip_addr2, ' | ', self.ip_addr1, ' | @ ptf_intf 1') verify_packets(self, self.exp_tcpv6_1, [self.dev_port0]) print('#### NO ACL Applied: sending UDP packets ####') send_packet(self, self.dev_port1, self.udpv6_1) verify_packets(self, self.exp_udpv6_1, [self.dev_port0]) print('----------------------------------------------------------') print("Sending packet ptf_intf 2 -> ptf_intf 1 (", self.ip_addr1, " ---> ", self.ip_addr2, ")") print('#### NO ACL Applied: sending TCP packets ####') print('#### Sending ', ROUTER_MAC, ' | ', self.mac1, ' | ', self.ip_addr1, ' | ', self.ip_addr2, ' | @ ptf_intf 2') send_packet(self, self.dev_port0, self.tcpv6_2) print('#### Expecting ', self.mac2, ' | ', ROUTER_MAC, ' | ', self.ip_addr1, ' | ', self.ip_addr2, ' | @ ptf_intf 1') verify_packets(self, self.exp_tcpv6_2, [self.dev_port1]) print('#### NO ACL Applied: sending UDP packets ####') send_packet(self, self.dev_port0, self.udpv6_2) verify_packets(self, self.exp_udpv6_2, [self.dev_port1]) finally: print('----------------------------------------------------------') def aclIPv6NextHdrTest(self, table_stage): """ Verify ACL with next header field Args: table_stage (int): specifies ingress or egress type of ACL """ # setup ACL to block based on Source IP acl_mask = 'ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' table_bind_point_list = [SAI_ACL_BIND_POINT_TYPE_PORT] # next level protocol is TCP ipv6_next_header = 0x06 if table_stage == SAI_ACL_STAGE_INGRESS: src_ip = self.ip_addr2 dst_ip = self.ip_addr1 elif table_stage == SAI_ACL_STAGE_EGRESS: src_ip = self.ip_addr1 dst_ip = self.ip_addr2 table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_point_list), int32list=table_bind_point_list) acl_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage, acl_bind_point_type_list=table_bind_point_type_list, field_src_ipv6=True, field_ipv6_next_header=True) src_ip_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip6=src_ip), mask=sai_thrift_acl_field_data_mask_t( ip6=acl_mask)) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=SAI_PACKET_ACTION_DROP)) field_ipv6_next_header = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(u8=ipv6_next_header), mask=sai_thrift_acl_field_data_mask_t(u8=0x0F)) # Add drop ACL entry to IPv6 ACL Table acl_entry_id = sai_thrift_create_acl_entry( self.client, priority=9999, table_id=acl_table_id, field_src_ipv6=src_ip_t, action_packet_action=packet_action, field_ipv6_next_header=field_ipv6_next_header) # create ACL counter acl_counter = sai_thrift_create_acl_counter( self.client, table_id=acl_table_id) # attach ACL counter to ACL entry action_counter = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_id, action_counter=action_counter) if table_stage == SAI_ACL_STAGE_INGRESS: # bind this ACL table to ports object id sai_thrift_set_port_attribute( self.client, self.port1, ingress_acl=acl_table_id) sport = self.dev_port1 dport = self.dev_port0 pkt_udp = self.udpv6_1 exp_pkt_udp = self.exp_udpv6_1 pkt_tcp = self.tcpv6_1 exp_pkt_tcp = self.exp_tcpv6_1 dmac = self.mac1 smac = self.mac2 elif table_stage == SAI_ACL_STAGE_EGRESS: # bind this ACL table to ports object id sai_thrift_set_port_attribute( self.client, self.port1, egress_acl=acl_table_id) sport = self.dev_port0 dport = self.dev_port1 pkt_udp = self.udpv6_2 exp_pkt_udp = self.exp_udpv6_2 pkt_tcp = self.tcpv6_2 exp_pkt_tcp = self.exp_tcpv6_2 dmac = self.mac2 smac = self.mac1 try: self.assertNotEqual(acl_table_id, 0) self.assertNotEqual(acl_entry_id, 0) print("Sending packet ptf_intf 2-[ACL]-> ptf_intf 1 (", src_ip, " -[ACL]-> ", dst_ip, ")") print('#### Sending TCP', ROUTER_MAC, ' | ', smac, ' | ', src_ip, ' | ', dst_ip, ' | @ ptf_intf 2') send_packet(self, sport, pkt_tcp) # ensure the TCP packet is dropped and check for absence # of packet here print('#### NOT Expecting TCP ', dmac, ' | ', ROUTER_MAC, ' | ', src_ip, ' | ', dst_ip, ' | @ ptf_intf 1') verify_no_other_packets(self, timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 1) print('#### Sending UDP', ROUTER_MAC, ' | ', smac, ' | ', src_ip, ' | ', dst_ip, ' | @ ptf_intf 2') send_packet(self, sport, pkt_udp) # ensure the UDP packet is forwarded print('#### Expecting UDP ', dmac, ' | ', ROUTER_MAC, ' | ', src_ip, ' | ', dst_ip, ' | @ ptf_intf 1') verify_packets(self, exp_pkt_udp, [dport]) # change action_type of ACL entry from ACL_DROP to ACL_PERMIT aclaction_data = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=SAI_PACKET_ACTION_FORWARD), enable=True) sai_thrift_set_acl_entry_attribute( client=self.client, acl_entry_oid=acl_entry_id, action_packet_action=aclaction_data) print('#### Sending ', ROUTER_MAC, ' | ', smac, ' | ', src_ip, ' | ', dst_ip, ' | @ ptf_intf 2') # send the same packet send_packet(self, sport, pkt_tcp) print('#### Expecting ', dmac, ' | ', ROUTER_MAC, ' | ', src_ip, ' | ', dst_ip, ' | @ ptf_intf 1') # check that TCP packet is forwarded verify_packets(self, exp_pkt_tcp, [dport]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 1) finally: # cleanup ACL action_counter = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_id, action_counter=action_counter) sai_thrift_set_acl_counter_attribute( self.client, acl_counter, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter) # unbind this ACL table from ports object id if table_stage == SAI_ACL_STAGE_INGRESS: sai_thrift_set_port_attribute( self.client, self.port1, ingress_acl=0) elif table_stage == SAI_ACL_STAGE_EGRESS: sai_thrift_set_port_attribute( self.client, self.port1, egress_acl=0) sai_thrift_remove_acl_entry(self.client, acl_entry_id) sai_thrift_remove_acl_table(self.client, acl_table_id) @group("draft") class IPAclFragmentTest(SaiHelperSimplified): """ Verify ACL with IP fragmentation Configuration +----------+-----------+ | port0 | port0_rif | +----------+-----------+ | port1 | port1_rif | +----------+-----------+ """ def setUp(self): super(IPAclFragmentTest, self).setUp() self.create_routing_interfaces(ports=[0, 1]) print('--------------------------------------------------------------') print("Sending packet ptf_intf 2 -> ptf_intf 1 (192.168.0.1 ---> " "172.16.10.1 [id = 105])") self.ip_addr1 = '172.16.10.1' self.ip_addr2 = '192.168.0.1' self.dmac1 = '00:11:22:33:44:55' self.dmac2 = '00:22:22:22:22:22' mask = '/24' self.table_stage_ingress = SAI_ACL_STAGE_INGRESS self.table_stage_egress = SAI_ACL_STAGE_EGRESS self.neighbor_entry1 = sai_thrift_neighbor_entry_t( rif_id=self.port0_rif, ip_address=sai_ipaddress(self.ip_addr1)) sai_thrift_create_neighbor_entry( self.client, self.neighbor_entry1, dst_mac_address=self.dmac1) self.nhop1 = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(self.ip_addr1), router_interface_id=self.port0_rif, type=SAI_NEXT_HOP_TYPE_IP) self.route_entry1 = sai_thrift_route_entry_t( vr_id=self.default_vrf, destination=sai_ipprefix(self.ip_addr1 + mask)) sai_thrift_create_route_entry( self.client, self.route_entry1, next_hop_id=self.nhop1) self.neighbor_entry2 = sai_thrift_neighbor_entry_t( rif_id=self.port1_rif, ip_address=sai_ipaddress(self.ip_addr2)) sai_thrift_create_neighbor_entry( self.client, self.neighbor_entry2, dst_mac_address=self.dmac2) self.nhop2 = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(self.ip_addr2), router_interface_id=self.port1_rif, type=SAI_NEXT_HOP_TYPE_IP) self.route_entry2 = sai_thrift_route_entry_t( vr_id=self.default_vrf, destination=sai_ipprefix(self.ip_addr2 + mask)) sai_thrift_create_route_entry( self.client, self.route_entry2, next_hop_id=self.nhop2) self.pkt1 = simple_tcp_packet(eth_dst=ROUTER_MAC, eth_src=self.dmac2, ip_dst=self.ip_addr1, ip_src=self.ip_addr2, ip_id=105, ip_tos=0xc8, ip_ttl=64) self.exp_pkt1 = simple_tcp_packet(eth_dst=self.dmac1, eth_src=ROUTER_MAC, ip_dst=self.ip_addr1, ip_src=self.ip_addr2, ip_id=105, ip_tos=0xc8, ip_ttl=63) self.pkt2 = simple_tcp_packet(eth_dst=ROUTER_MAC, eth_src=self.dmac1, ip_dst=self.ip_addr2, ip_src=self.ip_addr1, ip_id=105, ip_tos=0xc8, ip_ttl=64) self.exp_pkt2 = simple_tcp_packet(eth_dst=self.dmac2, eth_src=ROUTER_MAC, ip_dst=self.ip_addr2, ip_src=self.ip_addr1, ip_id=105, ip_tos=0xc8, ip_ttl=63) def runTest(self): self.aclRoutingTest() self.aclIPFragmentTest(self.table_stage_ingress) self.aclIPFragmentTest(self.table_stage_egress) # TODO: requires additional verification def tearDown(self): sai_thrift_remove_route_entry(self.client, self.route_entry1) sai_thrift_remove_next_hop(self.client, self.nhop1) sai_thrift_remove_neighbor_entry(self.client, self.neighbor_entry1) sai_thrift_remove_route_entry(self.client, self.route_entry2) sai_thrift_remove_next_hop(self.client, self.nhop2) sai_thrift_remove_neighbor_entry(self.client, self.neighbor_entry2) self.destroy_routing_interfaces() super(IPAclFragmentTest, self).tearDown() def aclRoutingTest(self): """ Verify routing """ # send the test packet(s) try: print('#### NO ACL Applied ####') print('#### Sending ', ROUTER_MAC, '| ', self.dmac2, ' | ', self.ip_addr1, ' | ', self.ip_addr2, ' | @ ptf_intf 2') send_packet(self, self.dev_port1, self.pkt1) print('#### Expecting ', self.dmac1, ' |', ROUTER_MAC, '| ', self.ip_addr1, ' | ', self.ip_addr2, ' | @ ptf_intf 1') verify_packets(self, self.exp_pkt1, [self.dev_port0]) print('#### NO ACL Applied ####') print('#### Sending ', ROUTER_MAC, '| ', self.dmac1, ' | ', self.ip_addr2, ' | ', self.ip_addr1, ' | @ ptf_intf 2') send_packet(self, self.dev_port0, self.pkt2) print('#### Expecting ', self.dmac2, ' |', ROUTER_MAC, '| ', self.ip_addr2, ' | ', self.ip_addr1, ' | @ ptf_intf 1') verify_packets(self, self.exp_pkt2, [self.dev_port1]) finally: print('----------------------------------------------------------') def aclIPFragmentTest(self, table_stage): """ Verify ACL with IP frgamentation Args: table_stage (int): specifies ingress or egress type of ACL """ # setup ACL to block based on Source IP table_bind_point_list = [SAI_ACL_BIND_POINT_TYPE_PORT] entry_priority = SAI_SWITCH_ATTR_ACL_ENTRY_MINIMUM_PRIORITY table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_point_list), int32list=table_bind_point_list) acl_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage, acl_bind_point_type_list=table_bind_point_type_list, field_acl_ip_frag=True) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=SAI_PACKET_ACTION_DROP)) acl_ip_frag = sai_thrift_acl_field_data_t( sai_thrift_acl_field_data_data_t( s32=SAI_ACL_IP_FRAG_ANY)) # Add drop ACL entry to IPv6 ACL Table acl_entry_id = sai_thrift_create_acl_entry( self.client, priority=entry_priority, table_id=acl_table_id, action_packet_action=packet_action, field_acl_ip_frag=acl_ip_frag) # create ACL counter acl_counter = sai_thrift_create_acl_counter( self.client, table_id=acl_table_id) # attach ACL counter to ACL entry action_counter = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_id, action_counter=action_counter) try: if table_stage == SAI_ACL_STAGE_INGRESS: sai_thrift_set_port_attribute( self.client, self.port1, ingress_acl=acl_table_id) sport = self.dev_port1 dport = self.dev_port0 pkt = self.pkt1 exp_pkt = self.exp_pkt1 ip_addr1 = self.ip_addr1 ip_addr2 = self.ip_addr2 dmac = self.dmac1 smac = self.dmac2 elif table_stage == SAI_ACL_STAGE_EGRESS: sai_thrift_set_port_attribute( self.client, self.port1, egress_acl=acl_table_id) sport = self.dev_port0 dport = self.dev_port1 pkt = self.pkt2 exp_pkt = self.exp_pkt2 ip_addr1 = self.ip_addr2 ip_addr2 = self.ip_addr1 dmac = self.dmac2 smac = self.dmac1 self.assertNotEqual(acl_table_id, 0) self.assertNotEqual(acl_entry_id, 0) print('#### ACL Applied, but non frag ####') print('#### Sending ', ROUTER_MAC, ' | ', smac, ' | ', ip_addr1, ' | ', ip_addr2, ' | @ ptf_intf 2') send_packet(self, sport, pkt) print('#### Expecting ', dmac, ' | ', ROUTER_MAC, ' | ', ip_addr1, ' | ', ip_addr2, ' | @ ptf_intf 1') verify_packets(self, exp_pkt, [dport]) print('#### ACL no Drop, DF=1, offset = 0, Applied ####') print('#### Sending ', ROUTER_MAC, ' | ', smac, ' | ', ip_addr1, ' | ', ip_addr2, ' | @ ptf_intf 2') # send the same packet pkt['IP'].flags = 2 exp_pkt['IP'].flags = 2 pkt['IP'].frag = 0 send_packet(self, sport, pkt) print('#### Expecting ', dmac, ' | ', ROUTER_MAC, ' | ', ip_addr1, ' | ', ip_addr2, ' | @ ptf_intf 1') verify_packets(self, exp_pkt, [dport]) exp_pkt['IP'].flags = 0 print('#### ACL Drop, MF=1, offset = 0, ' 'first fragment, Applied ####') print('#### Sending ', ROUTER_MAC, ' | ', smac, ' | ', ip_addr1, ' | ', ip_addr2, ' | @ ptf_intf 2') # send the same packet pkt['IP'].flags = 1 pkt['IP'].frag = 0 send_packet(self, sport, pkt) print('#### NOT Expecting ', dmac, ' |', ROUTER_MAC, ' | ', ip_addr1, ' | ', ip_addr2, ' | @ ptf_intf 1') verify_no_other_packets(self, timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 1) print('#### ACL Drop, MF=1, offset = 20, ' 'non head fragment, Applied ####') print('#### Sending ', ROUTER_MAC, ' | ', smac, ' | ', ip_addr1, ' | ', ip_addr2, ' | @ ptf_intf 2') # send the same packet pkt['IP'].flags = 1 pkt['IP'].frag = 20 send_packet(self, sport, pkt) print('#### NOT Expecting ', dmac, ' | ', ROUTER_MAC, ' | ', ip_addr1, ' | ', ip_addr2, ' | @ ptf_intf 1') verify_no_other_packets(self, timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 2) print('#### ACL Drop, MF=0, offset = 20, last fragment,' ' Applied ####') print('#### Sending ', ROUTER_MAC, ' | ', smac, ' | ', ip_addr1, ' | ', ip_addr2, ' | @ ptf_intf 2') # send the same packet pkt['IP'].flags = 0 pkt['IP'].frag = 20 send_packet(self, sport, pkt) print('#### NOT Expecting ', dmac, ' | ', ROUTER_MAC, ' | ', ip_addr1, ' | ', ip_addr2, ' | @ ptf_intf 1') verify_no_other_packets(self, timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 3) finally: # cleanup ACL action_counter = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_id, action_counter=action_counter) sai_thrift_set_acl_counter_attribute( self.client, acl_counter, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter) # unbind this ACL table from ports object id if table_stage == SAI_ACL_STAGE_INGRESS: sai_thrift_set_port_attribute( self.client, self.port1, ingress_acl=0) elif table_stage == SAI_ACL_STAGE_EGRESS: sai_thrift_set_port_attribute( self.client, self.port1, egress_acl=0) sai_thrift_remove_acl_entry(self.client, acl_entry_id) sai_thrift_remove_acl_table(self.client, acl_table_id) @group("draft") class L3AclCounterTest(SaiHelperSimplified): """ Verify ACL counter test case Configuration +----------+-----------+ | port0 | port0_rif | +----------+-----------+ | port1 | port1_rif | +----------+-----------+ """ def setUp(self): super(L3AclCounterTest, self).setUp() self.create_routing_interfaces(ports=[0, 1]) l4_src_port = 1000 mask = '/24' self.ip_addr1 = '172.16.10.1' self.dmac1 = '00:11:22:33:44:55' self.ip_addr2 = '192.168.100.100' self.dmac2 = '00:22:22:22:22:22' self.table_stage_ingress = SAI_ACL_STAGE_INGRESS self.table_stage_egress = SAI_ACL_STAGE_EGRESS self.neighbor_entry1 = sai_thrift_neighbor_entry_t( rif_id=self.port0_rif, ip_address=sai_ipaddress(self.ip_addr1)) sai_thrift_create_neighbor_entry( self.client, self.neighbor_entry1, dst_mac_address=self.dmac1) self.nhop1 = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(self.ip_addr1), router_interface_id=self.port0_rif, type=SAI_NEXT_HOP_TYPE_IP) self.route_entry1 = sai_thrift_route_entry_t( vr_id=self.default_vrf, destination=sai_ipprefix(self.ip_addr1 + mask)) sai_thrift_create_route_entry( self.client, self.route_entry1, next_hop_id=self.nhop1) self.neighbor_entry2 = sai_thrift_neighbor_entry_t( rif_id=self.port1_rif, ip_address=sai_ipaddress(self.ip_addr2)) sai_thrift_create_neighbor_entry( self.client, self.neighbor_entry2, dst_mac_address=self.dmac2) self.nhop2 = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(self.ip_addr2), router_interface_id=self.port1_rif, type=SAI_NEXT_HOP_TYPE_IP) self.route_entry2 = sai_thrift_route_entry_t( vr_id=self.default_vrf, destination=sai_ipprefix(self.ip_addr2 + mask)) sai_thrift_create_route_entry( self.client, self.route_entry2, next_hop_id=self.nhop2) self.pkt1 = simple_tcp_packet(eth_dst=ROUTER_MAC, eth_src=self.dmac2, ip_dst=self.ip_addr1, ip_src=self.ip_addr2, tcp_sport=l4_src_port, ip_id=105, ip_ttl=64) self.exp_pkt1 = simple_tcp_packet(eth_dst=self.dmac1, eth_src=ROUTER_MAC, ip_dst=self.ip_addr1, ip_src=self.ip_addr2, tcp_sport=l4_src_port, ip_id=105, ip_ttl=63) self.pkt2 = simple_tcp_packet(eth_dst=ROUTER_MAC, eth_src=self.dmac1, ip_dst=self.ip_addr2, ip_src=self.ip_addr1, tcp_sport=l4_src_port, ip_id=105, ip_ttl=64) self.exp_pkt2 = simple_tcp_packet(eth_dst=self.dmac2, eth_src=ROUTER_MAC, ip_dst=self.ip_addr2, ip_src=self.ip_addr1, tcp_sport=l4_src_port, ip_id=105, ip_ttl=63) def runTest(self): self.aclRoutingTest() self.l3AclCounterTest(self.table_stage_ingress) self.l3AclCounterTest(self.table_stage_egress) def tearDown(self): sai_thrift_remove_route_entry(self.client, self.route_entry1) sai_thrift_remove_next_hop(self.client, self.nhop1) sai_thrift_remove_neighbor_entry(self.client, self.neighbor_entry1) sai_thrift_remove_route_entry(self.client, self.route_entry2) sai_thrift_remove_next_hop(self.client, self.nhop2) sai_thrift_remove_neighbor_entry(self.client, self.neighbor_entry2) self.destroy_routing_interfaces() super(L3AclCounterTest, self).tearDown() def aclRoutingTest(self): """ Verify ACL configuration """ print('--------------------------------------------------------------') print("Sending packet ptf_intf 2 -> ptf_intf 1 (", self.ip_addr2, " ---> ", self.ip_addr1, " [id = 105])") try: print('#### NO ACL Applied ####') print('#### Sending ', ROUTER_MAC, ' | ', self.dmac2, ' | ', self.ip_addr2, ' | ', self.ip_addr1, ' | SPORT 1000 | ' '@ ptf_intf 2') send_packet(self, self.dev_port1, self.pkt1) print('#### Expecting ', self.dmac1, ' | ', ROUTER_MAC, ' | ', self.ip_addr2, ' | ', self.ip_addr1, ' | SPORT 1000 | ' '@ ptf_intf 1') verify_packets(self, self.exp_pkt1, [self.dev_port0]) print('----------------------------------------------------------') print("Sending packet ptf_intf 2 -> ptf_intf 1 (", self.ip_addr1, " ---> ", self.ip_addr2, " [id = 105])") print('#### NO ACL Applied ####') print('#### Sending ', ROUTER_MAC, '| ', self.dmac1, ' | ', self.ip_addr1, ' | ', self.ip_addr2, ' | SPORT 1000 | ' '@ ptf_intf 2') send_packet(self, self.dev_port0, self.pkt2) print('#### Expecting ', self.dmac2, ' |', ROUTER_MAC, '| ', self.ip_addr1, ' | ', self.ip_addr2, ' | SPORT 1000 | ' '@ ptf_intf 1') verify_packets(self, self.exp_pkt2, [self.dev_port1]) finally: print('----------------------------------------------------------') def l3AclCounterTest(self, table_stage): """ Verify ACL with action counter Args: table_stage (int): specifies the type of ACL table stage """ print("Testing L3AclCounterTest") entry_priority = 1 action = SAI_PACKET_ACTION_DROP ip_src_mask = "255.255.255.0" if table_stage == SAI_ACL_STAGE_INGRESS: ip_src = "192.168.100.1" ip_src_addr = "192.168.100.100" ip_dst = self.ip_addr1 ip_dst_addr = "172.16.10.1" dmac = self.dmac1 smac = self.dmac2 elif table_stage == SAI_ACL_STAGE_EGRESS: ip_src = "172.16.10.1" ip_src_addr = "172.16.10.1" ip_dst = "192.168.100.1" ip_dst_addr = "192.168.100.100" dmac = self.dmac2 smac = self.dmac1 print("Sending packet ptf_intf 2 -[ACL]-> ptf_intf 1 " "(", ip_src, "-[ACL]-> ", ip_dst, " [id = 105])") table_bind_points = [SAI_ACL_BIND_POINT_TYPE_ROUTER_INTF] table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_points), int32list=table_bind_points) src_ip_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=ip_src), mask=sai_thrift_acl_field_data_mask_t(ip4=ip_src_mask)) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=action)) acl_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True) acl_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_table_id, priority=entry_priority, field_src_ip=src_ip_t, action_packet_action=packet_action) # bind this ACL table to rif_id2s object id if table_stage == SAI_ACL_STAGE_INGRESS: sai_thrift_set_router_interface_attribute( self.client, self.port1_rif, ingress_acl=acl_table_id) pkt = self.pkt1 sport = self.dev_port1 elif table_stage == SAI_ACL_STAGE_EGRESS: sai_thrift_set_router_interface_attribute( self.client, self.port1_rif, egress_acl=acl_table_id) pkt = self.pkt2 sport = self.dev_port0 # create ACL counter and bind it to the ACL entry acl_counter_id = sai_thrift_create_acl_counter( client=self.client, table_id=acl_table_id) action_counter_t = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t(oid=acl_counter_id), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_id, action_counter=action_counter_t) try: self.assertNotEqual(acl_table_id, 0) self.assertNotEqual(acl_entry_id, 0) self.assertNotEqual(acl_counter_id, 0) pkt_cnt = 5 attr_values = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_id, packets=True, bytes=True) initial_pkts_cnt = attr_values["packets"] initial_bytes_cnt = attr_values["bytes"] print('#### ACL \'DROP, src ip ', ip_src, '/', ip_src_mask, ', ' 'SPORT 1000, in_ports[ptf_intf_1,2]\' Applied ####') print('#### Sending ', ROUTER_MAC, '| ', smac, ' | ', ip_src_addr, ' | ', ip_dst_addr, ' | SPORT 1000 | @ ptf_intf 1') # send the same packet for i in range(0, pkt_cnt): print(i, pkt_cnt) send_packet(self, sport, pkt) # ensure packets are dropped # check for absence of packets here! print('#### NOT Expecting ', dmac, ' | ', ROUTER_MAC, ' | ', ip_src_addr, ' | ', ip_dst_addr, ' | SPORT 1000 | ' '@ ptf_intf 0') verify_no_other_packets(self, timeout=1) time.sleep(2) attr_values = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_id, packets=True, bytes=True) actual_pkts_cnt = (attr_values["packets"] - initial_pkts_cnt) print(actual_pkts_cnt) actual_bytes_cnt = (attr_values["bytes"] - initial_bytes_cnt) print(actual_bytes_cnt) self.assertEqual(actual_pkts_cnt, pkt_cnt, "packets counter value " "actual_pkts_cnt is not pkt_cnt") finally: # unbind this ACL table from rif_id object id if table_stage == SAI_ACL_STAGE_INGRESS: sai_thrift_set_router_interface_attribute( self.client, self.port1_rif, ingress_acl=0) elif table_stage == SAI_ACL_STAGE_EGRESS: sai_thrift_set_router_interface_attribute( self.client, self.port1_rif, egress_acl=0) # cleanup ACL sai_thrift_remove_acl_entry(self.client, acl_entry_id) sai_thrift_remove_acl_table(self.client, acl_table_id) sai_thrift_remove_acl_counter(self.client, acl_counter_id) @group("draft") class VlanAclTest(SaiHelper): """ Verify ACL vlan test case """ def setUp(self): super(VlanAclTest, self).setUp() print("Sending L2 packet - port 24 -> port 25 [trunk vlan=100])") vlan_id = 100 mac1 = '00:11:11:11:11:11' mac2 = '00:22:22:22:22:22' self.ip_addr1 = '192.168.100.1' self.ip_addr2 = '172.16.0.1' mac_action = SAI_PACKET_ACTION_FORWARD self.table_stage_ingress = SAI_ACL_STAGE_INGRESS self.table_stage_egress = SAI_ACL_STAGE_EGRESS self.group_stage_ingress = SAI_ACL_STAGE_INGRESS self.group_stage_egress = SAI_ACL_STAGE_EGRESS self.vlan_oid = sai_thrift_create_vlan(self.client, vlan_id) self.port24_bp = sai_thrift_create_bridge_port( self.client, bridge_id=self.default_1q_bridge, port_id=self.port24, type=SAI_BRIDGE_PORT_TYPE_PORT, admin_state=True) self.vlan_member1 = sai_thrift_create_vlan_member( self.client, vlan_id=self.vlan_oid, bridge_port_id=self.port24_bp, vlan_tagging_mode=SAI_VLAN_TAGGING_MODE_TAGGED) self.port25_bp = sai_thrift_create_bridge_port( self.client, bridge_id=self.default_1q_bridge, port_id=self.port25, type=SAI_BRIDGE_PORT_TYPE_PORT, admin_state=True) self.vlan_member2 = sai_thrift_create_vlan_member( self.client, vlan_id=self.vlan_oid, bridge_port_id=self.port25_bp, vlan_tagging_mode=SAI_VLAN_TAGGING_MODE_TAGGED) self.fdb_entry1 = sai_thrift_fdb_entry_t( switch_id=self.switch_id, mac_address=mac1, bv_id=self.vlan_oid) sai_thrift_create_fdb_entry( self.client, self.fdb_entry1, type=SAI_FDB_ENTRY_TYPE_STATIC, bridge_port_id=self.port24_bp, packet_action=mac_action) self.fdb_entry2 = sai_thrift_fdb_entry_t( switch_id=self.switch_id, mac_address=mac2, bv_id=self.vlan_oid) sai_thrift_create_fdb_entry( self.client, self.fdb_entry2, type=SAI_FDB_ENTRY_TYPE_STATIC, bridge_port_id=self.port25_bp, packet_action=mac_action) self.pkt1 = simple_tcp_packet(eth_dst=mac2, eth_src=mac1, dl_vlan_enable=True, vlan_vid=100, ip_src=self.ip_addr1, ip_dst=self.ip_addr2, ip_id=102, ip_ttl=64) self.exp_pkt1 = simple_tcp_packet(eth_dst=mac2, eth_src=mac1, ip_dst=self.ip_addr2, ip_src=self.ip_addr1, ip_id=102, dl_vlan_enable=True, vlan_vid=100, ip_ttl=64) self.pkt2 = simple_tcp_packet(eth_dst=mac1, eth_src=mac2, dl_vlan_enable=True, vlan_vid=100, ip_src=self.ip_addr2, ip_dst=self.ip_addr1, ip_id=102, ip_ttl=64) self.exp_pkt2 = simple_tcp_packet(eth_dst=mac1, eth_src=mac2, ip_dst=self.ip_addr1, ip_src=self.ip_addr2, ip_id=102, dl_vlan_enable=True, vlan_vid=100, ip_ttl=64) def runTest(self): self.noAclTest() self.aclVlanTest(self.table_stage_ingress, self.group_stage_ingress) self.aclVlanTest(self.table_stage_egress, self.group_stage_egress) def tearDown(self): sai_thrift_remove_fdb_entry(self.client, self.fdb_entry1) sai_thrift_remove_fdb_entry(self.client, self.fdb_entry2) sai_thrift_remove_vlan_member(self.client, self.vlan_member1) sai_thrift_remove_vlan_member(self.client, self.vlan_member2) sai_thrift_remove_bridge_port(self.client, self.port24_bp) sai_thrift_remove_bridge_port(self.client, self.port25_bp) sai_thrift_remove_vlan(self.client, self.vlan_oid) super(VlanAclTest, self).tearDown() def noAclTest(self): """ Verify forwarding without ACL """ print('#### NO ACL Applied ####') # send the test packet(s) print("Sending TCP type test packet port 24 -> port 25") send_packet(self, self.dev_port24, self.pkt1) verify_packets(self, self.exp_pkt1, [self.dev_port25]) print("Sending TCP type test packet port 25 -> port 24") send_packet(self, self.dev_port25, self.pkt2) verify_packets(self, self.exp_pkt2, [self.dev_port24]) def aclVlanTest(self, table_stage, group_stage): """ Verify ACL with vlan Args: table_stage (int): specifies the type of ACL table stage group_stage (int): specifies the type of ACL group stage """ table_bind_point_list = [SAI_ACL_BIND_POINT_TYPE_VLAN] entry_priority = 1 group_bind_point_list = [SAI_ACL_BIND_POINT_TYPE_VLAN] group_type = SAI_ACL_TABLE_GROUP_TYPE_PARALLEL group_member_priority = 100 acl_action = SAI_PACKET_ACTION_DROP ip_src_mask = "255.255.255.0" if table_stage == SAI_ACL_STAGE_INGRESS: ip_src = self.ip_addr1 sport = self.dev_port24 pkt = self.pkt1 elif table_stage == SAI_ACL_STAGE_EGRESS: ip_src = self.ip_addr2 sport = self.dev_port25 pkt = self.pkt2 group_bind_point_type_list = sai_thrift_s32_list_t( count=len(group_bind_point_list), int32list=group_bind_point_list) table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_point_list), int32list=table_bind_point_list) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=acl_action)) acl_table_group_id = sai_thrift_create_acl_table_group( self.client, acl_stage=group_stage, acl_bind_point_type_list=group_bind_point_type_list, type=group_type) acl_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True) src_ip_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=ip_src), mask=sai_thrift_acl_field_data_mask_t(ip4=ip_src_mask)) acl_table_group_member_id = sai_thrift_create_acl_table_group_member( self.client, acl_table_group_id=acl_table_group_id, acl_table_id=acl_table_id, priority=group_member_priority) acl_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_table_id, priority=entry_priority, field_src_ip=src_ip_t, action_packet_action=packet_action) # create ACL counter acl_counter = sai_thrift_create_acl_counter( self.client, table_id=acl_table_id) # attach ACL counter to ACL entry action_counter = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_id, action_counter=action_counter) if table_stage == SAI_ACL_STAGE_INGRESS: sai_thrift_set_vlan_attribute(self.client, vlan_oid=self.vlan_oid, ingress_acl=acl_table_group_id) elif table_stage == SAI_ACL_STAGE_EGRESS: sai_thrift_set_vlan_attribute(self.client, vlan_oid=self.vlan_oid, egress_acl=acl_table_group_id) try: send_packet(self, sport, pkt) verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 1) finally: # cleanup ACL action_counter = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_id, action_counter=action_counter) sai_thrift_set_acl_counter_attribute( self.client, acl_counter, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter) if table_stage == SAI_ACL_STAGE_INGRESS: sai_thrift_set_vlan_attribute(self.client, vlan_oid=self.vlan_oid, ingress_acl=0) elif table_stage == SAI_ACL_STAGE_EGRESS: sai_thrift_set_vlan_attribute(self.client, vlan_oid=self.vlan_oid, egress_acl=0) sai_thrift_remove_acl_table_group_member( self.client, acl_table_group_member_id) sai_thrift_remove_acl_entry(self.client, acl_entry_id) sai_thrift_remove_acl_table(self.client, acl_table_id) sai_thrift_remove_acl_table_group(self.client, acl_table_group_id) @group("draft") class AclLagTest(SaiHelper): """ Verify ACL with lag test case """ def setUp(self): super(AclLagTest, self).setUp() self.lag_id = sai_thrift_create_lag(self.client) self.lag_member_id1 = sai_thrift_create_lag_member( self.client, lag_id=self.lag_id, port_id=self.port24) self.vrf = sai_thrift_create_virtual_router(self.client) self.rif_id1 = sai_thrift_create_router_interface( self.client, type=SAI_ROUTER_INTERFACE_TYPE_PORT, virtual_router_id=self.vrf, port_id=self.lag_id) self.rif_id2 = sai_thrift_create_router_interface( self.client, type=SAI_ROUTER_INTERFACE_TYPE_PORT, virtual_router_id=self.vrf, port_id=self.port26) self.ip_addr1 = "20.0.0.2" self.ip_addr_subnet1 = '20.0.0.0' self.dmac1 = '00:22:22:22:22:22' self.ip_addr_subnet2 = '192.168.0.0' self.ip_addr2 = '192.168.0.1' self.dmac2 = '00:11:22:33:44:55' self.ip_src_mask = "255.255.255.255" mask = '/16' self.neighbor_entry1 = sai_thrift_neighbor_entry_t( rif_id=self.rif_id1, ip_address=sai_ipaddress(self.ip_addr2)) sai_thrift_create_neighbor_entry( self.client, self.neighbor_entry1, dst_mac_address=self.dmac1) self.nhop1 = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(self.ip_addr2), router_interface_id=self.rif_id1, type=SAI_NEXT_HOP_TYPE_IP) self.route_entry1 = sai_thrift_route_entry_t( vr_id=self.vrf, destination=sai_ipprefix(self.ip_addr_subnet2 + mask)) sai_thrift_create_route_entry( self.client, self.route_entry1, next_hop_id=self.nhop1) self.neighbor_entry2 = sai_thrift_neighbor_entry_t( rif_id=self.rif_id2, ip_address=sai_ipaddress(self.ip_addr1)) sai_thrift_create_neighbor_entry( self.client, self.neighbor_entry2, dst_mac_address=self.dmac2) self.nhop2 = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(self.ip_addr1), router_interface_id=self.rif_id2, type=SAI_NEXT_HOP_TYPE_IP) self.route_entry2 = sai_thrift_route_entry_t( vr_id=self.vrf, destination=sai_ipprefix(self.ip_addr_subnet1 + mask)) sai_thrift_create_route_entry( self.client, self.route_entry2, next_hop_id=self.nhop2) def runTest(self): self.lagAclEgressTest() self.lagAclIngressTest() def tearDown(self): sai_thrift_remove_route_entry(self.client, self.route_entry2) sai_thrift_remove_next_hop(self.client, self.nhop2) sai_thrift_remove_neighbor_entry(self.client, self.neighbor_entry2) sai_thrift_remove_route_entry(self.client, self.route_entry1) sai_thrift_remove_next_hop(self.client, self.nhop1) sai_thrift_remove_neighbor_entry(self.client, self.neighbor_entry1) sai_thrift_remove_router_interface(self.client, self.rif_id2) sai_thrift_remove_router_interface(self.client, self.rif_id1) sai_thrift_remove_lag_member(self.client, self.lag_member_id1) sai_thrift_remove_lag(self.client, self.lag_id) sai_thrift_remove_virtual_router(self.client, self.vrf) super(AclLagTest, self).tearDown() def lagAclEgressTest(self): ''' Verify egress ACL with lag "ACL_RULE|ACL_TABLE_IPV4_ID|RULE_1": { "type": "hash", "value": { "PACKET_ACTION": "DROP", "PRIORITY": "9999", "SRC_IP": "20.0.0.2/32" } }, ''' table_stage_egress = SAI_ACL_STAGE_EGRESS table_bind_point_list = [SAI_ACL_BIND_POINT_TYPE_PORT] action = SAI_PACKET_ACTION_DROP ip_src = self.ip_addr1 ip_dst = self.ip_addr_subnet2 sport = self.dev_port26 dport1 = self.dev_port24 dport2 = self.dev_port25 table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_point_list), int32list=table_bind_point_list) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=action)) src_ip_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=ip_src), mask=sai_thrift_acl_field_data_mask_t(ip4=self.ip_src_mask)) acl_table_ipv4_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_egress, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True) acl_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_table_ipv4_id, priority=9999, field_src_ip=src_ip_t, action_packet_action=packet_action) # create ACL counter acl_counter_egress = sai_thrift_create_acl_counter( self.client, table_id=acl_table_ipv4_id) # attach ACL counter to ACL entry action_counter_egress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_egress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_id, action_counter=action_counter_egress) try: pkt = simple_tcp_packet( eth_dst=ROUTER_MAC, eth_src=self.dmac1, ip_src=ip_src, ip_dst=ip_dst, tcp_sport=0x4321, tcp_dport=0x51, ip_ttl=64) exp_pkt = simple_tcp_packet( eth_dst=self.dmac1, eth_src=ROUTER_MAC, ip_src=ip_src, ip_dst=ip_dst, tcp_sport=0x4321, tcp_dport=0x51, ip_ttl=63) send_packet(self, sport, pkt) verify_packets(self, exp_pkt, ports=[dport1]) # Now bind the ACL table - the packet should be dropped sai_thrift_set_lag_attribute(self.client, lag_oid=self.lag_id, egress_acl=acl_table_ipv4_id) send_packet(self, sport, pkt) verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 1) # Add one more LAG member and verify the packet # is not forwarded to it lag_member_id2 = sai_thrift_create_lag_member( self.client, lag_id=self.lag_id, port_id=self.port25) send_packet(self, sport, pkt) verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 2) # Now unbind the ACL table sai_thrift_set_lag_attribute(self.client, lag_oid=self.lag_id, egress_acl=0) send_packet(self, sport, pkt) verify_any_packet_any_port( self, [exp_pkt], [dport1, dport2], timeout=2) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 2) finally: # cleanup ACL action_counter_egress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_id, action_counter=action_counter_egress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_egress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_egress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_egress) if lag_member_id2: sai_thrift_remove_lag_member(self.client, lag_member_id2) sai_thrift_remove_acl_entry(self.client, acl_entry_id) sai_thrift_remove_acl_table(self.client, acl_table_ipv4_id) def lagAclIngressTest(self): ''' Verify ingress ACL with lag "ACL_RULE|ACL_TABLE_IPV4_ID|RULE_1": { "type": "hash", "value": { "PACKET_ACTION": "DROP", "PRIORITY": "9999", "SRC_IP": "192.168.0.1/32" } }, ''' table_stage_ingress = SAI_ACL_STAGE_INGRESS table_bind_point_list = [SAI_ACL_BIND_POINT_TYPE_PORT] action = SAI_PACKET_ACTION_DROP ip_src = self.ip_addr2 ip_dst = self.ip_addr_subnet1 dport = self.dev_port26 sport1 = self.dev_port24 sport2 = self.dev_port27 table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_point_list), int32list=table_bind_point_list) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=action)) src_ip_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=ip_src), mask=sai_thrift_acl_field_data_mask_t(ip4=self.ip_src_mask)) acl_table_ipv4_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage_ingress, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True) acl_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_table_ipv4_id, priority=9999, field_src_ip=src_ip_t, action_packet_action=packet_action) # create ACL counter acl_counter_ingress = sai_thrift_create_acl_counter( self.client, table_id=acl_table_ipv4_id) # attach ACL counter to ACL entry action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_id, action_counter=action_counter_ingress) try: pkt = simple_tcp_packet( eth_dst=ROUTER_MAC, eth_src=self.dmac2, ip_src=ip_src, ip_dst=ip_dst, tcp_sport=0x4321, tcp_dport=0x51, ip_ttl=64) exp_pkt = simple_tcp_packet( eth_dst=self.dmac2, eth_src=ROUTER_MAC, ip_src=ip_src, ip_dst=ip_dst, tcp_sport=0x4321, tcp_dport=0x51, ip_ttl=63) # Add one more LAG member lag_member_id2 = sai_thrift_create_lag_member( self.client, lag_id=self.lag_id, port_id=self.port27) send_packet(self, sport1, pkt) verify_packets(self, exp_pkt, ports=[dport]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 0) send_packet(self, sport2, pkt) verify_packets(self, exp_pkt, ports=[dport]) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 0) # Now bind the ACL table - the packet should be dropped sai_thrift_set_lag_attribute(self.client, lag_oid=self.lag_id, ingress_acl=acl_table_ipv4_id) send_packet(self, sport1, pkt) verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 1) send_packet(self, sport2, pkt) verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 2) # Now unbind the ACL table sai_thrift_set_lag_attribute(self.client, lag_oid=self.lag_id, ingress_acl=0) finally: # cleanup ACL action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_id, action_counter=action_counter_ingress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_ingress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_ingress) if lag_member_id2: sai_thrift_remove_lag_member(self.client, lag_member_id2) sai_thrift_remove_acl_entry(self.client, acl_entry_id) sai_thrift_remove_acl_table(self.client, acl_table_ipv4_id) @group("draft") class IngressL3AclDscpTest(SaiHelperSimplified): """ Verify ACL test case with the dscp field Configuration +----------+-----------+ | port0 | port0_rif | +----------+-----------+ | port1 | port1_rif | +----------+-----------+ """ def setUp(self): super(IngressL3AclDscpTest, self).setUp() self.create_routing_interfaces(ports=[0, 1]) l4_dst_port = 1000 ip_addr = '172.16.10.1' dmac = '00:11:22:33:44:55' self.neighbor_entry = sai_thrift_neighbor_entry_t( rif_id=self.port0_rif, ip_address=sai_ipaddress(ip_addr)) sai_thrift_create_neighbor_entry( self.client, self.neighbor_entry, dst_mac_address=dmac) self.nhop = sai_thrift_create_next_hop( self.client, ip=sai_ipaddress(ip_addr), router_interface_id=self.port0_rif, type=SAI_NEXT_HOP_TYPE_IP) self.pkt = simple_tcp_packet( eth_dst=ROUTER_MAC, eth_src='00:22:22:22:22:22', ip_dst='172.16.10.1', ip_src='192.168.100.100', tcp_dport=l4_dst_port, ip_id=105, ip_ttl=64, ip_tos=200) self.exp_pkt = simple_tcp_packet( eth_dst='00:11:22:33:44:55', eth_src=ROUTER_MAC, ip_dst='172.16.10.1', ip_src='192.168.100.100', tcp_dport=l4_dst_port, ip_id=105, ip_ttl=63, ip_tos=200) def runTest(self): self.routingTest() self.ingressL3AclDscpTest() def tearDown(self): sai_thrift_remove_next_hop(self.client, self.nhop) sai_thrift_remove_neighbor_entry(self.client, self.neighbor_entry) self.destroy_routing_interfaces() super(IngressL3AclDscpTest, self).tearDown() def routingTest(self): """ Verify basic routing """ print('--------------------------------------------------------------') print("Sending packet ptf_intf 2 -> ptf_intf 1 (192.168.100.100 ---> " "172.16.10.1 [id = 105])") try: print('#### NO ACL Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 2') send_packet(self, self.dev_port1, self.pkt) print('#### Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 1') verify_packets(self, self.exp_pkt, [self.dev_port0]) finally: print('----------------------------------------------------------') def ingressL3AclDscpTest(self): """ Verify ACL with the dscp field """ print("Sending packet ptf_intf 2 -[ACL]-> ptf_intf 1 " "(192.168.0.1-[ACL]-> 172.16.10.1 [id = 105])") table_stage = SAI_ACL_STAGE_INGRESS table_bind_point_list = [SAI_ACL_BIND_POINT_TYPE_ROUTER_INTF] entry_priority = 1 action = SAI_PACKET_ACTION_DROP ip_src = "192.168.100.1" ip_src_mask = "255.255.255.0" table_bind_point_type_list = sai_thrift_s32_list_t( count=len(table_bind_point_list), int32list=table_bind_point_list) packet_action = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( s32=action)) src_ip_t = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(ip4=ip_src), mask=sai_thrift_acl_field_data_mask_t(ip4=ip_src_mask)) field_dscp = sai_thrift_acl_field_data_t( data=sai_thrift_acl_field_data_data_t(u8=50)) acl_table_id = sai_thrift_create_acl_table( self.client, acl_stage=table_stage, acl_bind_point_type_list=table_bind_point_type_list, field_src_ip=True, field_dscp=True) print("ACL Table created 0x%lx" % (acl_table_id)) acl_entry_id = sai_thrift_create_acl_entry( self.client, table_id=acl_table_id, priority=entry_priority, field_src_ip=src_ip_t, action_packet_action=packet_action, field_dscp=field_dscp) # create ACL counter acl_counter_ingress = sai_thrift_create_acl_counter( self.client, table_id=acl_table_id) # attach ACL counter to ACL entry action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=acl_counter_ingress), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_id, action_counter=action_counter_ingress) # bind this ACL table to rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.port1_rif, ingress_acl=acl_table_id) try: self.assertNotEqual(acl_table_id, 0) self.assertNotEqual(acl_entry_id, 0) print('#### ACL \'DROP, src ip 192.168.100.1/255.255.255.0, ' 'SPORT 1000, in_ports[ptf_intf_1,2]\' Applied ####') print('#### Sending ', ROUTER_MAC, '| 00:22:22:22:22:22 | ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 1') # send the same packet send_packet(self, self.dev_port1, self.pkt) # ensure packet is dropped # check for absence of packet here! print('#### NOT Expecting 00:11:22:33:44:55 |', ROUTER_MAC, '| ' '172.16.10.1 | 192.168.100.100 | SPORT 1000 | @ ptf_intf 0') verify_no_other_packets(self, timeout=1) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 1) finally: # unbind this ACL table from rif_id2s object id sai_thrift_set_router_interface_attribute( self.client, self.port1_rif, ingress_acl=0) # cleanup ACL action_counter_ingress = sai_thrift_acl_action_data_t( parameter=sai_thrift_acl_action_parameter_t( oid=0), enable=True) sai_thrift_set_acl_entry_attribute( self.client, acl_entry_id, action_counter=action_counter_ingress) sai_thrift_set_acl_counter_attribute( self.client, acl_counter_ingress, packets=None) packets = sai_thrift_get_acl_counter_attribute( self.client, acl_counter_ingress, packets=True) self.assertEqual(packets['packets'], 0) sai_thrift_remove_acl_counter(self.client, acl_counter_ingress) sai_thrift_remove_acl_entry(self.client, acl_entry_id) sai_thrift_remove_acl_table(self.client, acl_table_id)