iacl package

eth2p-eth-l2xcbase-iaclbase-func module

TC01: DUT with iACL MAC src-addr drops matching pkts

[Top] TG-DUT1-DUT2-TG. [Cfg] On DUT1 add source MAC address to classify table with ‘deny’. [Ver] Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And L2 setup xconnect on DUT  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_tg}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
 Then Send and receive ICMP Packet  ${tg_node}  ${tg_to_dut1}  ${tg_to_dut2}
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table L2  ${dut1_node}  src
  And Vpp Configures Classify Session L2  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  src  ${tg_to_dut1_mac}
  And Vpp Enable Input ACL Interface  ${dut1_node}  ${dut1_to_tg}  ${l2_table}  ${table_index}
 Then Send and receive ICMP Packet should fail  ${tg_node}  ${tg_to_dut1}  ${tg_to_dut2}

TC02: DUT with iACL MAC dst-addr drops matching pkts

[Top] TG-DUT1-DUT2-TG. [Cfg] On DUT1 add destination MAC address to classify table with ‘deny’. [Ver] Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And L2 setup xconnect on DUT  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_tg}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
 Then Send and receive ICMP Packet  ${tg_node}  ${tg_to_dut1}  ${tg_to_dut2}
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table L2  ${dut1_node}  dst
  And Vpp Configures Classify Session L2  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  dst  ${tg_to_dut2_mac}
  And Vpp Enable Input ACL Interface  ${dut1_node}  ${dut1_to_tg}  ${l2_table}  ${table_index}
 Then Send and receive ICMP Packet should fail  ${tg_node}  ${tg_to_dut1}  ${tg_to_dut2}

TC03: DUT with iACL MAC src-addr and dst-addr drops matching pkts

[Top] TG-DUT1-DUT2-TG. [Cfg] On DUT1 add source and destination MAC address to classify table with ‘deny’. [Ver] Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And L2 setup xconnect on DUT  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_tg}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
 Then Send and receive ICMP Packet  ${tg_node}  ${tg_to_dut1}  ${tg_to_dut2}
${table_index_1}  ${skip_n_1}  ${match_n_1}=  When Vpp Creates Classify Table L2  ${dut1_node}  src
  And Vpp Configures Classify Session L2  ${dut1_node}  deny  ${table_index_1}  ${skip_n_1}  ${match_n_1}  src  ${tg_to_dut1_mac}
${table_index_2}  ${skip_n_2}  ${match_n_2}=  When Vpp Creates Classify Table L2  ${dut1_node}  dst
  And Vpp Configures Classify Session L2  ${dut1_node}  deny  ${table_index_2}  ${skip_n_2}  ${match_n_2}  dst  ${tg_to_dut1_mac}
  And Vpp Enable Input ACL Interface  ${dut1_node}  ${dut1_to_tg}  ${l2_table}  ${table_index_1}
  And Vpp Enable Input ACL Interface  ${dut1_node}  ${dut1_to_tg}  ${l2_table}  ${table_index_2}
 Then Send and receive ICMP Packet should fail  ${tg_node}  ${tg_to_dut1}  ${tg_to_dut2}

TC04: DUT with iACL EtherType drops matching pkts

[Top] TG-DUT1-DUT2-TG. [Cfg] On DUT1 add EtherType IPv4(0x0800) to classify table with ‘deny’. [Ver] Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And L2 setup xconnect on DUT  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_tg}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
 Then Send and receive ICMP Packet  ${tg_node}  ${tg_to_dut1}  ${tg_to_dut2}
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  000000000000000000000000ffff
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  0000000000000000000000000800
  And Vpp Enable Input ACL Interface  ${dut1_node}  ${dut1_to_tg}  ${l2_table}  ${table_index}
 Then Send and receive ICMP Packet should fail  ${tg_node}  ${tg_to_dut1}  ${tg_to_dut2}

eth2p-ethip4-ip4base-iaclbase-func module

TC01: DUT with iACL IPv4 src-addr drops matching pkts

On DUT1 add source IPv4 address to classify table with ‘deny’.Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Set Interface Address  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Set Interface Address  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Arp On Dut  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
 Then Send Packet And Check Headers  ${tg_node}  ${non_drop_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
  And Send Packet And Check Headers  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table L3  ${dut1_node}  ${ip_version}  src
  And Vpp Configures Classify Session L3  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${ip_version}  src  ${test_src_ip}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send packet from Port to Port should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
  And Send Packet And Check Headers  ${tg_node}  ${non_drop_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}

TC02: DUT with iACL IPv4 dst-addr drops matching pkts

On DUT1 add destination IPv4 address to classify table with ‘deny’.Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Set Interface Address  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Set Interface Address  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Arp On Dut  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And Vpp Route Add  ${dut1_node}  ${non_drop_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
 Then Send Packet And Check Headers  ${tg_node}  ${test_src_ip}  ${non_drop_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
  And Send Packet And Check Headers  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table L3  ${dut1_node}  ${ip_version}  dst
  And Vpp Configures Classify Session L3  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${ip_version}  dst  ${test_dst_ip}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send packet from Port to Port should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
  And Send Packet And Check Headers  ${tg_node}  ${test_src_ip}  ${non_drop_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}

TC03: DUT with iACL IPv4 src-addr and dst-addr drops matching pkts

On DUT1 add source and destination IPv4 addresses to classify tablewith ‘deny’. Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Set Interface Address  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Set Interface Address  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Arp On Dut  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And Vpp Route Add  ${dut1_node}  ${non_drop_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
 Then Send Packet And Check Headers  ${tg_node}  ${non_drop_src_ip}  ${non_drop_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
  And Send Packet And Check Headers  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
${table_index_1}  ${skip_n_1}  ${match_n_1}=  When Vpp Creates Classify Table L3  ${dut1_node}  ${ip_version}  src
${table_index_2}  ${skip_n_2}  ${match_n_2}=  And Vpp Creates Classify Table L3  ${dut1_node}  ${ip_version}  dst
  And Vpp Configures Classify Session L3  ${dut1_node}  deny  ${table_index_1}  ${skip_n_1}  ${match_n_2}  ${ip_version}  src  ${test_src_ip}
  And Vpp Configures Classify Session L3  ${dut1_node}  deny  ${table_index_2}  ${skip_n_2}  ${match_n_2}  ${ip_version}  dst  ${test_dst_ip}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index_1}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index_2}
 Then Send packet from Port to Port should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
  And Send Packet And Check Headers  ${tg_node}  ${non_drop_src_ip}  ${non_drop_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}

TC04: DUT with iACL IPv4 protocol set to TCP drops matching pkts

On DUT1 add protocol mask and TCP protocol (0x06) to classify tablewith ‘deny’. Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Set Interface Address  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Set Interface Address  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Arp On Dut  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  0000000000000000000000000000000000000000000000FF
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  000000000000000000000000000000000000000000000006
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20

TC05: DUT with iACL IPv4 protocol set to UDP drops matching pkts

On DUT1 add protocol mask and UDP protocol (0x11) to classify tablewith ‘deny’. Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Set Interface Address  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Set Interface Address  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Arp On Dut  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  0000000000000000000000000000000000000000000000FF
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  000000000000000000000000000000000000000000000011
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20

TC06: DUT with iACL IPv4 TCP src-ports drops matching pkts

On DUT1 add TCP source ports to classify table with ‘deny’.Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Set Interface Address  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Set Interface Address  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Arp On Dut  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  110  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20
${hex_mask}=  Compute Classify Hex Mask  ${ip_version}  TCP  source
${hex_value}=  Compute Classify Hex Value  ${hex_mask}  80  0
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  ${hex_mask}
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${hex_value}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  110  20

TC07: DUT with iACL IPv4 TCP dst-ports drops matching pkts

On DUT1 add TCP destination ports to classify table with ‘deny’.Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Set Interface Address  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Set Interface Address  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Arp On Dut  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  20  110
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  20  80
${hex_mask}=  Compute Classify Hex Mask  ${ip_version}  TCP  destination
${hex_value}=  Compute Classify Hex Value  ${hex_mask}  0  80
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  ${hex_mask}
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${hex_value}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  20  80
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  20  110

TC08: DUT with iACL IPv4 TCP src-ports and dst-ports drops matching pkts

On DUT1 add TCP source and destination ports to classify tablewith ‘deny’. Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Set Interface Address  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Set Interface Address  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Arp On Dut  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  110  25
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20
${hex_mask}=  Compute Classify Hex Mask  ${ip_version}  TCP  source + destination
${hex_value}=  Compute Classify Hex Value  ${hex_mask}  80  20
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  ${hex_mask}
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${hex_value}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  110  25

TC09: DUT with iACL IPv4 UDP src-ports drops matching pkts

On DUT1 add UDP source ports to classify table with ‘deny’.Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Set Interface Address  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Set Interface Address  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Arp On Dut  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  110  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20
${hex_mask}=  Compute Classify Hex Mask  ${ip_version}  UDP  source
${hex_value}=  Compute Classify Hex Value  ${hex_mask}  80  0
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  ${hex_mask}
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${hex_value}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  110  20

TC10: DUT with iACL IPv4 UDP dst-ports drops matching pkts

On DUT1 add TCP destination ports to classify table with ‘deny’.Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Set Interface Address  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Set Interface Address  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Arp On Dut  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  20  110
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  20  80
${hex_mask}=  Compute Classify Hex Mask  ${ip_version}  UDP  destination
${hex_value}=  Compute Classify Hex Value  ${hex_mask}  0  80
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  ${hex_mask}
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${hex_value}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  20  80
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  20  110

TC11: DUT with iACL IPv4 UDP src-ports and dst-ports drops matching pkts

On DUT1 add UDP source and destination ports to classify tablewith ‘deny’. Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Set Interface Address  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Set Interface Address  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Arp On Dut  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  110  25
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20
${hex_mask}=  Compute Classify Hex Mask  ${ip_version}  UDP  source + destination
${hex_value}=  Compute Classify Hex Value  ${hex_mask}  80  20
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  ${hex_mask}
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${hex_value}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  110  25

eth2p-ethip6-ip6base-iaclbase-func module

TC01: DUT with iACL IPv6 src-addr drops matching pkts

On DUT1 add source IPv6 address to classify table with ‘deny’.Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Ip Neighbor  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
  And Vpp All Ra Suppress Link Layer  ${nodes}
 Then Send Packet And Check Headers  ${tg_node}  ${non_drop_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
  And Send Packet And Check Headers  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table L3  ${dut1_node}  ${ip_version}  src
  And Vpp Configures Classify Session L3  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${ip_version}  src  ${test_src_ip}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send packet from Port to Port should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
  And Send Packet And Check Headers  ${tg_node}  ${non_drop_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}

TC02: DUT with iACL IPv6 dst-addr drops matching pkts

On DUT1 add destination IPv6 address to classify table with ‘deny’.Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Ip Neighbor  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And Vpp Route Add  ${dut1_node}  ${non_drop_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
  And Vpp All Ra Suppress Link Layer  ${nodes}
 Then Send Packet And Check Headers  ${tg_node}  ${test_src_ip}  ${non_drop_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
  And Send Packet And Check Headers  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table L3  ${dut1_node}  ${ip_version}  dst
  And Vpp Configures Classify Session L3  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${ip_version}  dst  ${test_dst_ip}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send packet from Port to Port should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
  And Send Packet And Check Headers  ${tg_node}  ${test_src_ip}  ${non_drop_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}

TC03: DUT with iACL IPv6 src-addr and dst-addr drops matching pkts

On DUT1 add source and destination IPv6 addresses to classify tablewith ‘deny’. Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Ip Neighbor  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And Vpp Route Add  ${dut1_node}  ${non_drop_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
  And Vpp All Ra Suppress Link Layer  ${nodes}
 Then Send Packet And Check Headers  ${tg_node}  ${non_drop_src_ip}  ${non_drop_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
  And Send Packet And Check Headers  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
${table_index_1}  ${skip_n_1}  ${match_n_1}=  When Vpp Creates Classify Table L3  ${dut1_node}  ${ip_version}  src
${table_index_2}  ${skip_n_2}  ${match_n_2}=  And Vpp Creates Classify Table L3  ${dut1_node}  ${ip_version}  dst
  And Vpp Configures Classify Session L3  ${dut1_node}  deny  ${table_index_1}  ${skip_n_1}  ${match_n_2}  ${ip_version}  src  ${test_src_ip}
  And Vpp Configures Classify Session L3  ${dut1_node}  deny  ${table_index_2}  ${skip_n_2}  ${match_n_2}  ${ip_version}  dst  ${test_dst_ip}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index_1}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index_2}
 Then Send packet from Port to Port should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}
  And Send Packet And Check Headers  ${tg_node}  ${non_drop_src_ip}  ${non_drop_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${dut1_to_tg_mac}  ${tg_to_dut2}  ${dut1_to_dut2_mac}  ${tg_to_dut2_mac}

TC04: DUT with iACL IPv6 protocol set to TCP drops matching pkts

On DUT1 add protocol mask and TCP protocol (0x06) to classify tablewith ‘deny’. Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Ip Neighbor  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
  And Vpp All Ra Suppress Link Layer  ${nodes}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  0000000000000000000000000000000000000000FF
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  000000000000000000000000000000000000000006
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20

TC05: DUT with iACL IPv6 protocol set to UDP drops matching pkts

On DUT1 add protocol mask and UDP protocol (0x11) to classify tablewith ‘deny’. Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Ip Neighbor  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
  And Vpp All Ra Suppress Link Layer  ${nodes}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  0000000000000000000000000000000000000000FF
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  000000000000000000000000000000000000000011
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20

TC06: DUT with iACL IPv6 TCP src-ports drops matching pkts

On DUT1 add TCP source ports to classify table with ‘deny’.Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Ip Neighbor  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
  And Vpp All Ra Suppress Link Layer  ${nodes}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  110  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20
${hex_mask}=  Compute Classify Hex Mask  ${ip_version}  TCP  source
${hex_value}=  Compute Classify Hex Value  ${hex_mask}  80  0
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  ${hex_mask}
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${hex_value}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  110  20

TC07: DUT with iACL IPv6 TCP dst-ports drops matching pkts

On DUT1 add TCP destination ports to classify table with ‘deny’.Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Ip Neighbor  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
  And Vpp All Ra Suppress Link Layer  ${nodes}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  20  110
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  20  80
${hex_mask}=  Compute Classify Hex Mask  ${ip_version}  TCP  destination
${hex_value}=  Compute Classify Hex Value  ${hex_mask}  0  80
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  ${hex_mask}
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${hex_value}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  20  80
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  20  110

TC08: DUT with iACL IPv6 TCP src-ports and dst-ports drops matching pkts

On DUT1 add TCP source and destination ports to classify tablewith ‘deny’. Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Ip Neighbor  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
  And Vpp All Ra Suppress Link Layer  ${nodes}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  110  25
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20
${hex_mask}=  Compute Classify Hex Mask  ${ip_version}  TCP  source + destination
${hex_value}=  Compute Classify Hex Value  ${hex_mask}  80  20
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  ${hex_mask}
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${hex_value}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  TCP  110  25

TC09: DUT with iACL IPv6 UDP src-ports drops matching pkts

On DUT1 add UDP source ports to classify table with ‘deny’.Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Ip Neighbor  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
  And Vpp All Ra Suppress Link Layer  ${nodes}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  110  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20
${hex_mask}=  Compute Classify Hex Mask  ${ip_version}  UDP  source
${hex_value}=  Compute Classify Hex Value  ${hex_mask}  80  0
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  ${hex_mask}
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${hex_value}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  110  20

TC10: DUT with iACL IPv6 UDP dst-ports drops matching pkts

On DUT1 add TCP destination ports to classify table with ‘deny’.Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Ip Neighbor  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
  And Vpp All Ra Suppress Link Layer  ${nodes}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  20  110
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  20  80
${hex_mask}=  Compute Classify Hex Mask  ${ip_version}  UDP  destination
${hex_value}=  Compute Classify Hex Value  ${hex_mask}  0  80
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  ${hex_mask}
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${hex_value}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  20  80
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  20  110

TC11: DUT with iACL IPv6 UDP src-ports and dst-ports drops matching pkts

On DUT1 add UDP source and destination ports to classify tablewith ‘deny’. Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_tg}  ${dut1_to_tg_ip}  ${prefix_length}
  And Vpp Set If Ipv6 Addr  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip}  ${prefix_length}
  And Add Ip Neighbor  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_dut2_ip_GW}  ${tg_to_dut2_mac}
  And Vpp Route Add  ${dut1_node}  ${test_dst_ip}  ${prefix_length}  ${dut1_to_dut2_ip_GW}  ${dut1_to_dut2}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
  And Vpp All Ra Suppress Link Layer  ${nodes}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  110  25
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20
${hex_mask}=  Compute Classify Hex Mask  ${ip_version}  UDP  source + destination
${hex_value}=  Compute Classify Hex Value  ${hex_mask}  80  20
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  ${hex_mask}
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${hex_value}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${ip_version}  ${table_index}
 Then Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  110  25

TC12: DUT with iACL MAC src-addr and iACL IPv6 UDP src-ports and dst-ports drops matching pkts

On DUT1 add source MAC address to classify (L2) table and add UDPsource and destination ports to classify (hex) table with ‘deny’. Make TG verify matching packets are dropped.


Given Path for 3-node testing is set  ${nodes['TG']}  ${nodes['DUT1']}  ${nodes['DUT2']}  ${nodes['TG']}
  And Interfaces in 3-node path are up
  And L2 setup xconnect on DUT  ${dut1_node}  ${dut1_to_dut2}  ${dut1_to_tg}
  And L2 setup xconnect on DUT  ${dut2_node}  ${dut2_to_dut1}  ${dut2_to_tg}
  And Vpp All Ra Suppress Link Layer  ${nodes}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  110  25
  And Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table L2  ${dut1_node}  src
  And Vpp Configures Classify Session L2  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  src  ${tg_to_dut1_mac}
${hex_mask}=  Compute Classify Hex Mask  ${ip_version}  UDP  source + destination
${hex_value}=  Compute Classify Hex Value  ${hex_mask}  80  20
${table_index}  ${skip_n}  ${match_n}=  When Vpp Creates Classify Table Hex  ${dut1_node}  ${hex_mask}
  And Vpp Configures Classify Session Hex  ${dut1_node}  deny  ${table_index}  ${skip_n}  ${match_n}  ${hex_value}
  And Vpp Enable Input Acl Interface  ${dut1_node}  ${dut1_to_tg}  ${l2_table}  ${table_index}
 Then Send TCP or UDP packet  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  110  25
  And Send TCP or UDP packet should failed  ${tg_node}  ${test_src_ip}  ${test_dst_ip}  ${tg_to_dut1}  ${tg_to_dut1_mac}  ${tg_to_dut2}  ${dut1_to_tg_mac}  UDP  80  20