2.20. test_acl_plugin_l2l3 module

ACL IRB Test Case HLD:

config

  • L2 MAC learning enabled in l2bd

  • 2 routed interfaces untagged, bvi (Bridge Virtual Interface)

  • 2 bridged interfaces in l2bd with bvi

test
  • sending ip4 eth pkts between routed interfaces

    • 2 routed interfaces

    • 2 bridged interfaces

  • 64B, 512B, 1518B, 9200B (ether_size)

  • burst of pkts per interface

    • 257pkts per burst

    • routed pkts hitting different FIB entries

    • bridged pkts hitting different MAC entries

verify

  • all packets received correctly

class test_acl_plugin_l2l3.TestACLpluginL2L3(methodName='runTest')

Bases: framework.VppTestCase

TestACLpluginL2L3 Test Case

applied_acl_shuffle(sw_if_index)
apply_acl_ip46_both_directions_reflect(primary_is_bridged_to_routed, reflect_on_l2, is_ip6, add_eh, stateful_icmp)
apply_acl_ip46_bridged_to_routed(test_l2_deny, is_ip6, is_reflect, add_eh)
apply_acl_ip46_routed_to_bridged(test_l2_deny, is_ip6, is_reflect, add_eh)
apply_acl_ip46_x_to_y(bridged_to_routed, test_l2_deny, is_ip6, is_reflect, add_eh)

Apply the ACLs

create_acls_for_a_stream(stream_dict, test_l2_action, is_reflect)
create_stream(src_ip_if, dst_ip_if, reverse, packet_sizes, is_ip6, expect_blocked, expect_established, add_extension_header, icmp_stateful=False)
run_test_ip46_bridged_to_routed(test_l2_deny, is_ip6, is_reflect, add_eh)
run_test_ip46_bridged_to_routed_and_back(test_l2_action, is_ip6, add_eh, stateful_icmp=False)
run_test_ip46_routed_to_bridged(test_l2_deny, is_ip6, is_reflect, add_eh)
run_test_ip46_routed_to_bridged_and_back(test_l2_action, is_ip6, add_eh, stateful_icmp=False)
run_traffic_ip46_bridged_to_routed(test_l2_deny, is_ip6, is_reflect, is_established, add_eh, stateful_icmp=False)
run_traffic_ip46_routed_to_bridged(test_l2_deny, is_ip6, is_reflect, is_established, add_eh, stateful_icmp=False)
run_traffic_ip46_x_to_y(bridged_to_routed, test_l2_deny, is_ip6, is_reflect, is_established, add_eh, stateful_icmp=False)
classmethod setUpClass()

  1. Create BD with MAC learning enabled and put interfaces to this BD.

  2. Configure IPv4 addresses on loopback interface and routed interface.

  3. Configure MAC address binding to IPv4 neighbors on loop0.

  4. Configure MAC address on pg2.

  5. Loopback BVI interface has remote hosts, one half of hosts are behind pg0 second behind pg1.

tearDown()

Run standard test teardown and log show l2patch, show l2fib verbose,``show bridge-domain <bd_id> detail``, show ip arp.

classmethod tearDownClass()

Perform final cleanup after running all tests in this test-case

test_0000_ip6_irb_1()

ACL plugin prepare

test_0001_ip6_irb_1()

ACL IPv6 routed -> bridged, L2 ACL deny

test_0002_ip6_irb_1()

ACL IPv6 routed -> bridged, L3 ACL deny

test_0003_ip4_irb_1()

ACL IPv4 routed -> bridged, L2 ACL deny

test_0004_ip4_irb_1()

ACL IPv4 routed -> bridged, L3 ACL deny

test_0005_ip6_irb_1()

ACL IPv6 bridged -> routed, L2 ACL deny

test_0006_ip6_irb_1()

ACL IPv6 bridged -> routed, L3 ACL deny

test_0007_ip6_irb_1()

ACL IPv4 bridged -> routed, L2 ACL deny

test_0008_ip6_irb_1()

ACL IPv4 bridged -> routed, L3 ACL deny

test_0101_ip6_irb_1()

ACL IPv6 routed -> bridged, L2 ACL permit+reflect

test_0102_ip6_irb_1()

ACL IPv6 bridged -> routed, L2 ACL permit+reflect

test_0103_ip6_irb_1()

ACL IPv4 routed -> bridged, L2 ACL permit+reflect

test_0104_ip6_irb_1()

ACL IPv4 bridged -> routed, L2 ACL permit+reflect

test_0111_ip6_irb_1()

ACL IPv6 routed -> bridged, L3 ACL permit+reflect

test_0112_ip6_irb_1()

ACL IPv6 bridged -> routed, L3 ACL permit+reflect

test_0113_ip6_irb_1()

ACL IPv4 routed -> bridged, L3 ACL permit+reflect

test_0114_ip6_irb_1()

ACL IPv4 bridged -> routed, L3 ACL permit+reflect

test_1001_ip6_irb_1()

ACL IPv6+EH routed -> bridged, L2 ACL deny

test_1002_ip6_irb_1()

ACL IPv6+EH routed -> bridged, L3 ACL deny

test_1005_ip6_irb_1()

ACL IPv6+EH bridged -> routed, L2 ACL deny

test_1006_ip6_irb_1()

ACL IPv6+EH bridged -> routed, L3 ACL deny

test_1101_ip6_irb_1()

ACL IPv6+EH routed -> bridged, L2 ACL permit+reflect

test_1102_ip6_irb_1()

ACL IPv6+EH bridged -> routed, L2 ACL permit+reflect

test_1111_ip6_irb_1()

ACL IPv6+EH routed -> bridged, L3 ACL permit+reflect

test_1112_ip6_irb_1()

ACL IPv6+EH bridged -> routed, L3 ACL permit+reflect

test_1201_ip6_irb_1()

ACL IPv4+MF routed -> bridged, L2 ACL deny

test_1202_ip6_irb_1()

ACL IPv4+MF routed -> bridged, L3 ACL deny

test_1205_ip6_irb_1()

ACL IPv4+MF bridged -> routed, L2 ACL deny

test_1206_ip6_irb_1()

ACL IPv4+MF bridged -> routed, L3 ACL deny

test_1301_ip6_irb_1()

ACL IPv4+MF routed -> bridged, L2 ACL permit+reflect

test_1302_ip6_irb_1()

ACL IPv4+MF bridged -> routed, L2 ACL permit+reflect

test_1311_ip6_irb_1()

ACL IPv4+MF routed -> bridged, L3 ACL permit+reflect

test_1312_ip6_irb_1()

ACL IPv4+MF bridged -> routed, L3 ACL permit+reflect

test_1401_ip6_irb_1()

IPv6 routed -> bridged, L2 ACL permit+reflect, ICMP reflect

test_1402_ip6_irb_1()

IPv6 bridged -> routed, L2 ACL permit+reflect, ICMP reflect

test_1403_ip4_irb_1()

IPv4 routed -> bridged, L2 ACL permit+reflect, ICMP reflect

test_1404_ip4_irb_1()

IPv4 bridged -> routed, L2 ACL permit+reflect, ICMP reflect

test_1411_ip6_irb_1()

IPv6 routed -> bridged, L3 ACL permit+reflect, ICMP reflect

test_1412_ip6_irb_1()

IPv6 bridged -> routed, L3 ACL permit+reflect, ICMP reflect

test_1413_ip4_irb_1()

IPv4 routed -> bridged, L3 ACL permit+reflect, ICMP reflect

test_1414_ip4_irb_1()

IPv4 bridged -> routed, L3 ACL permit+reflect, ICMP reflect

verify_capture(dst_ip_if, src_ip_if, capture, reverse)