go.ligato.io/vpp-agent/v3@v3.5.0/plugins/vpp/aclplugin/vppcalls/vpp2210/acl_vppcalls_test.go (about) 1 // Copyright (c) 2022 Cisco and/or its affiliates. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at: 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package vpp2210 16 17 import ( 18 "testing" 19 20 . "github.com/onsi/gomega" 21 "go.ligato.io/cn-infra/v2/logging/logrus" 22 23 vpp_acl "go.ligato.io/vpp-agent/v3/plugins/vpp/binapi/vpp2210/acl" 24 "go.ligato.io/vpp-agent/v3/plugins/vpp/ifplugin/ifaceidx" 25 "go.ligato.io/vpp-agent/v3/plugins/vpp/vppmock" 26 acl "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/acl" 27 ) 28 29 var aclNoRules []*acl.ACL_Rule 30 31 var aclErr1Rules = []*acl.ACL_Rule{ 32 { 33 Action: acl.ACL_Rule_PERMIT, 34 IpRule: &acl.ACL_Rule_IpRule{ 35 Ip: &acl.ACL_Rule_IpRule_Ip{ 36 SourceNetwork: ".0.", 37 DestinationNetwork: "10.20.0.0/24", 38 }, 39 }, 40 }, 41 } 42 43 var aclErr2Rules = []*acl.ACL_Rule{ 44 { 45 Action: acl.ACL_Rule_PERMIT, 46 IpRule: &acl.ACL_Rule_IpRule{ 47 Ip: &acl.ACL_Rule_IpRule_Ip{ 48 SourceNetwork: "192.168.1.1/32", 49 DestinationNetwork: ".0.", 50 }, 51 }, 52 }, 53 } 54 55 var aclErr3Rules = []*acl.ACL_Rule{ 56 { 57 Action: acl.ACL_Rule_PERMIT, 58 IpRule: &acl.ACL_Rule_IpRule{ 59 Ip: &acl.ACL_Rule_IpRule_Ip{ 60 SourceNetwork: "192.168.1.1/32", 61 DestinationNetwork: "dead::1/64", 62 }, 63 }, 64 }, 65 } 66 67 var aclErr4Rules = []*acl.ACL_Rule{ 68 { 69 Action: acl.ACL_Rule_PERMIT, 70 IpRule: &acl.ACL_Rule_IpRule{ 71 Ip: &acl.ACL_Rule_IpRule_Ip{ 72 SourceNetwork: "", 73 DestinationNetwork: "", 74 }, 75 }, 76 }, 77 } 78 79 var aclErr5Rules = []*acl.ACL_Rule{ 80 { 81 Action: acl.ACL_Rule_PERMIT, 82 MacipRule: &acl.ACL_Rule_MacIpRule{ 83 SourceAddress: "192.168.0.1", 84 SourceAddressPrefix: uint32(16), 85 SourceMacAddress: "", 86 SourceMacAddressMask: "ff:ff:ff:ff:00:00", 87 }, 88 }, 89 } 90 91 var aclErr6Rules = []*acl.ACL_Rule{ 92 { 93 Action: acl.ACL_Rule_PERMIT, 94 MacipRule: &acl.ACL_Rule_MacIpRule{ 95 SourceAddress: "192.168.0.1", 96 SourceAddressPrefix: uint32(16), 97 SourceMacAddress: "11:44:0A:B8:4A:36", 98 SourceMacAddressMask: "", 99 }, 100 }, 101 } 102 103 var aclErr7Rules = []*acl.ACL_Rule{ 104 { 105 Action: acl.ACL_Rule_PERMIT, 106 MacipRule: &acl.ACL_Rule_MacIpRule{ 107 SourceAddress: "", 108 SourceAddressPrefix: uint32(16), 109 SourceMacAddress: "11:44:0A:B8:4A:36", 110 SourceMacAddressMask: "ff:ff:ff:ff:00:00", 111 }, 112 }, 113 } 114 115 var aclIPrules = []*acl.ACL_Rule{ 116 { 117 //RuleName: "permitIPv4", 118 Action: acl.ACL_Rule_PERMIT, 119 IpRule: &acl.ACL_Rule_IpRule{ 120 Ip: &acl.ACL_Rule_IpRule_Ip{ 121 SourceNetwork: "192.168.1.1/32", 122 DestinationNetwork: "10.20.0.0/24", 123 }, 124 }, 125 }, 126 { 127 //RuleName: "permitIPv6", 128 Action: acl.ACL_Rule_PERMIT, 129 IpRule: &acl.ACL_Rule_IpRule{ 130 Ip: &acl.ACL_Rule_IpRule_Ip{ 131 SourceNetwork: "dead::1/64", 132 DestinationNetwork: "dead::2/64", 133 }, 134 }, 135 }, 136 { 137 //RuleName: "denyICMP", 138 Action: acl.ACL_Rule_DENY, 139 IpRule: &acl.ACL_Rule_IpRule{ 140 Icmp: &acl.ACL_Rule_IpRule_Icmp{ 141 Icmpv6: false, 142 IcmpCodeRange: &acl.ACL_Rule_IpRule_Icmp_Range{ 143 First: 1, 144 Last: 2, 145 }, 146 IcmpTypeRange: &acl.ACL_Rule_IpRule_Icmp_Range{ 147 First: 3, 148 Last: 4, 149 }, 150 }, 151 }, 152 }, 153 { 154 //RuleName: "denyICMPv6", 155 Action: acl.ACL_Rule_DENY, 156 IpRule: &acl.ACL_Rule_IpRule{ 157 Icmp: &acl.ACL_Rule_IpRule_Icmp{ 158 Icmpv6: true, 159 IcmpCodeRange: &acl.ACL_Rule_IpRule_Icmp_Range{ 160 First: 10, 161 Last: 20, 162 }, 163 IcmpTypeRange: &acl.ACL_Rule_IpRule_Icmp_Range{ 164 First: 30, 165 Last: 40, 166 }, 167 }, 168 }, 169 }, 170 { 171 //RuleName: "permitTCP", 172 Action: acl.ACL_Rule_PERMIT, 173 IpRule: &acl.ACL_Rule_IpRule{ 174 Tcp: &acl.ACL_Rule_IpRule_Tcp{ 175 TcpFlagsMask: 20, 176 TcpFlagsValue: 10, 177 SourcePortRange: &acl.ACL_Rule_IpRule_PortRange{ 178 LowerPort: 150, 179 UpperPort: 250, 180 }, 181 DestinationPortRange: &acl.ACL_Rule_IpRule_PortRange{ 182 LowerPort: 1150, 183 UpperPort: 1250, 184 }, 185 }, 186 }, 187 }, 188 { 189 //RuleName: "denyUDP", 190 Action: acl.ACL_Rule_DENY, 191 IpRule: &acl.ACL_Rule_IpRule{ 192 Udp: &acl.ACL_Rule_IpRule_Udp{ 193 SourcePortRange: &acl.ACL_Rule_IpRule_PortRange{ 194 LowerPort: 150, 195 UpperPort: 250, 196 }, 197 DestinationPortRange: &acl.ACL_Rule_IpRule_PortRange{ 198 LowerPort: 1150, 199 UpperPort: 1250, 200 }, 201 }, 202 }, 203 }, 204 } 205 206 var aclMACIPrules = []*acl.ACL_Rule{ 207 { 208 //RuleName: "denyIPv4", 209 Action: acl.ACL_Rule_DENY, 210 MacipRule: &acl.ACL_Rule_MacIpRule{ 211 SourceAddress: "192.168.0.1", 212 SourceAddressPrefix: uint32(16), 213 SourceMacAddress: "11:44:0A:B8:4A:35", 214 SourceMacAddressMask: "ff:ff:ff:ff:00:00", 215 }, 216 }, 217 { 218 //RuleName: "denyIPv6", 219 Action: acl.ACL_Rule_DENY, 220 MacipRule: &acl.ACL_Rule_MacIpRule{ 221 SourceAddress: "dead::1", 222 SourceAddressPrefix: uint32(64), 223 SourceMacAddress: "11:44:0A:B8:4A:35", 224 SourceMacAddressMask: "ff:ff:ff:ff:00:00", 225 }, 226 }, 227 } 228 229 type testCtx struct { 230 *vppmock.TestCtx 231 aclHandler *ACLVppHandler 232 ifIndexes ifaceidx.IfaceMetadataIndexRW 233 } 234 235 func setupACLTest(t *testing.T) *testCtx { 236 ctx := vppmock.SetupTestCtx(t) 237 238 ifaceIdx := ifaceidx.NewIfaceIndex(logrus.NewLogger("test"), "test") 239 aclHandler := NewACLVppHandler(ctx.MockVPPClient, ifaceIdx).(*ACLVppHandler) 240 241 return &testCtx{ 242 TestCtx: ctx, 243 aclHandler: aclHandler, 244 ifIndexes: ifaceIdx, 245 } 246 } 247 248 func (ctx *testCtx) teardownACLTest() { 249 ctx.TeardownTestCtx() 250 } 251 252 // Test add IP acl rules 253 func TestAddIPAcl(t *testing.T) { 254 ctx := setupACLTest(t) 255 defer ctx.teardownACLTest() 256 ctx.MockVpp.MockReply(&vpp_acl.ACLAddReplaceReply{}) 257 258 aclIndex, err := ctx.aclHandler.AddACL(aclIPrules, "test0") 259 Expect(err).To(BeNil()) 260 Expect(aclIndex).To(BeEquivalentTo(0)) 261 262 _, err = ctx.aclHandler.AddACL(aclNoRules, "test1") 263 Expect(err).To(Not(BeNil())) 264 265 _, err = ctx.aclHandler.AddACL(aclErr1Rules, "test2") 266 Expect(err).To(Not(BeNil())) 267 268 _, err = ctx.aclHandler.AddACL(aclErr2Rules, "test3") 269 Expect(err).To(Not(BeNil())) 270 271 _, err = ctx.aclHandler.AddACL(aclErr3Rules, "test4") 272 Expect(err).To(Not(BeNil())) 273 274 _, err = ctx.aclHandler.AddACL(aclErr4Rules, "test5") 275 Expect(err).To(Not(BeNil())) 276 277 ctx.MockVpp.MockReply(&vpp_acl.MacipACLAddReply{}) 278 _, err = ctx.aclHandler.AddACL(aclIPrules, "test5") 279 Expect(err).To(Not(BeNil())) 280 281 ctx.MockVpp.MockReply(&vpp_acl.ACLAddReplaceReply{Retval: -1}) 282 _, err = ctx.aclHandler.AddACL(aclIPrules, "test6") 283 Expect(err).To(Not(BeNil())) 284 } 285 286 // Test add MACIP acl rules 287 func TestAddMacIPAcl(t *testing.T) { 288 ctx := setupACLTest(t) 289 defer ctx.teardownACLTest() 290 ctx.MockVpp.MockReply(&vpp_acl.MacipACLAddReply{}) 291 292 aclIndex, err := ctx.aclHandler.AddMACIPACL(aclMACIPrules, "test6") 293 Expect(err).To(BeNil()) 294 Expect(aclIndex).To(BeEquivalentTo(0)) 295 296 _, err = ctx.aclHandler.AddMACIPACL(aclNoRules, "test7") 297 Expect(err).To(Not(BeNil())) 298 299 _, err = ctx.aclHandler.AddMACIPACL(aclErr5Rules, "test8") 300 Expect(err).To(Not(BeNil())) 301 302 _, err = ctx.aclHandler.AddMACIPACL(aclErr6Rules, "test9") 303 Expect(err).To(Not(BeNil())) 304 305 _, err = ctx.aclHandler.AddMACIPACL(aclErr7Rules, "test10") 306 Expect(err).To(Not(BeNil())) 307 Expect(err.Error()).To(HavePrefix("invalid IP address ")) 308 309 ctx.MockVpp.MockReply(&vpp_acl.ACLAddReplaceReply{}) 310 _, err = ctx.aclHandler.AddMACIPACL(aclMACIPrules, "test11") 311 Expect(err).To(Not(BeNil())) 312 313 ctx.MockVpp.MockReply(&vpp_acl.MacipACLAddReply{Retval: -1}) 314 _, err = ctx.aclHandler.AddMACIPACL(aclMACIPrules, "test12") 315 Expect(err).To(Not(BeNil())) 316 } 317 318 // Test deletion of IP acl rules 319 func TestDeleteIPAcl(t *testing.T) { 320 ctx := setupACLTest(t) 321 defer ctx.teardownACLTest() 322 ctx.MockVpp.MockReply(&vpp_acl.ACLAddReplaceReply{}) 323 324 aclIndex, err := ctx.aclHandler.AddACL(aclIPrules, "test_del0") 325 Expect(err).To(BeNil()) 326 Expect(aclIndex).To(BeEquivalentTo(0)) 327 328 rule2del := []*acl.ACL_Rule{ 329 { 330 Action: acl.ACL_Rule_PERMIT, 331 IpRule: &acl.ACL_Rule_IpRule{ 332 Ip: &acl.ACL_Rule_IpRule_Ip{ 333 SourceNetwork: "10.20.30.1/32", 334 DestinationNetwork: "10.20.0.0/24", 335 }, 336 }, 337 }, 338 } 339 340 ctx.MockVpp.MockReply(&vpp_acl.ACLAddReplaceReply{ACLIndex: 1}) 341 aclIndex, err = ctx.aclHandler.AddACL(rule2del, "test_del1") 342 Expect(err).To(BeNil()) 343 Expect(aclIndex).To(BeEquivalentTo(1)) 344 345 ctx.MockVpp.MockReply(&vpp_acl.ACLAddReplaceReply{}) 346 err = ctx.aclHandler.DeleteACL(5) 347 Expect(err).To(Not(BeNil())) 348 349 ctx.MockVpp.MockReply(&vpp_acl.ACLDelReply{Retval: -1}) 350 err = ctx.aclHandler.DeleteACL(5) 351 Expect(err).To(Not(BeNil())) 352 353 ctx.MockVpp.MockReply(&vpp_acl.ACLDelReply{}) 354 err = ctx.aclHandler.DeleteACL(1) 355 Expect(err).To(BeNil()) 356 } 357 358 // Test deletion of MACIP acl rules 359 func TestDeleteMACIPAcl(t *testing.T) { 360 ctx := setupACLTest(t) 361 defer ctx.teardownACLTest() 362 ctx.MockVpp.MockReply(&vpp_acl.MacipACLAddReply{}) 363 364 aclIndex, err := ctx.aclHandler.AddMACIPACL(aclMACIPrules, "test_del2") 365 Expect(err).To(BeNil()) 366 Expect(aclIndex).To(BeEquivalentTo(0)) 367 368 rule2del := []*acl.ACL_Rule{ 369 { 370 Action: acl.ACL_Rule_PERMIT, 371 MacipRule: &acl.ACL_Rule_MacIpRule{ 372 SourceAddress: "192.168.0.1", 373 SourceAddressPrefix: uint32(16), 374 SourceMacAddress: "11:44:0A:B8:4A:35", 375 SourceMacAddressMask: "ff:ff:ff:ff:00:00", 376 }, 377 }, 378 } 379 380 ctx.MockVpp.MockReply(&vpp_acl.MacipACLAddReply{ACLIndex: 1}) 381 aclIndex, err = ctx.aclHandler.AddMACIPACL(rule2del, "test_del3") 382 Expect(err).To(BeNil()) 383 Expect(aclIndex).To(BeEquivalentTo(1)) 384 385 ctx.MockVpp.MockReply(&vpp_acl.MacipACLAddReply{}) 386 err = ctx.aclHandler.DeleteMACIPACL(5) 387 Expect(err).To(Not(BeNil())) 388 389 ctx.MockVpp.MockReply(&vpp_acl.MacipACLDelReply{Retval: -1}) 390 err = ctx.aclHandler.DeleteMACIPACL(5) 391 Expect(err).To(Not(BeNil())) 392 393 ctx.MockVpp.MockReply(&vpp_acl.MacipACLDelReply{}) 394 err = ctx.aclHandler.DeleteMACIPACL(1) 395 Expect(err).To(BeNil()) 396 } 397 398 // Test modification of IP acl rule 399 func TestModifyIPAcl(t *testing.T) { 400 ctx := setupACLTest(t) 401 defer ctx.teardownACLTest() 402 ctx.MockVpp.MockReply(&vpp_acl.ACLAddReplaceReply{}) 403 404 aclIndex, err := ctx.aclHandler.AddACL(aclIPrules, "test_modify") 405 Expect(err).To(BeNil()) 406 Expect(aclIndex).To(BeEquivalentTo(0)) 407 408 rule2modify := []*acl.ACL_Rule{ 409 { 410 Action: acl.ACL_Rule_PERMIT, 411 IpRule: &acl.ACL_Rule_IpRule{ 412 Ip: &acl.ACL_Rule_IpRule_Ip{ 413 SourceNetwork: "10.20.30.1/32", 414 DestinationNetwork: "10.20.0.0/24", 415 }, 416 }, 417 }, 418 { 419 Action: acl.ACL_Rule_PERMIT, 420 IpRule: &acl.ACL_Rule_IpRule{ 421 Ip: &acl.ACL_Rule_IpRule_Ip{ 422 SourceNetwork: "dead:dead::3/64", 423 DestinationNetwork: "dead:dead::4/64", 424 }, 425 }, 426 }, 427 } 428 429 ctx.MockVpp.MockReply(&vpp_acl.ACLAddReplaceReply{}) 430 err = ctx.aclHandler.ModifyACL(0, rule2modify, "test_modify0") 431 Expect(err).To(BeNil()) 432 433 err = ctx.aclHandler.ModifyACL(0, aclErr1Rules, "test_modify1") 434 Expect(err).To(Not(BeNil())) 435 436 err = ctx.aclHandler.ModifyACL(0, aclNoRules, "test_modify2") 437 Expect(err).To(BeNil()) 438 439 ctx.MockVpp.MockReply(&vpp_acl.MacipACLAddReplaceReply{}) 440 err = ctx.aclHandler.ModifyACL(0, aclIPrules, "test_modify3") 441 Expect(err).To(Not(BeNil())) 442 443 ctx.MockVpp.MockReply(&vpp_acl.ACLAddReplaceReply{Retval: -1}) 444 err = ctx.aclHandler.ModifyACL(0, aclIPrules, "test_modify4") 445 Expect(err).To(Not(BeNil())) 446 } 447 448 // Test modification of MACIP acl rule 449 func TestModifyMACIPAcl(t *testing.T) { 450 ctx := setupACLTest(t) 451 defer ctx.teardownACLTest() 452 ctx.MockVpp.MockReply(&vpp_acl.MacipACLAddReply{}) 453 454 aclIndex, err := ctx.aclHandler.AddMACIPACL(aclMACIPrules, "test_modify") 455 Expect(err).To(BeNil()) 456 Expect(aclIndex).To(BeEquivalentTo(0)) 457 458 rule2modify := []*acl.ACL_Rule{ 459 { 460 Action: acl.ACL_Rule_DENY, 461 MacipRule: &acl.ACL_Rule_MacIpRule{ 462 SourceAddress: "192.168.10.1", 463 SourceAddressPrefix: uint32(24), 464 SourceMacAddress: "11:44:0A:B8:4A:37", 465 SourceMacAddressMask: "ff:ff:ff:ff:00:00", 466 }, 467 }, 468 { 469 Action: acl.ACL_Rule_DENY, 470 MacipRule: &acl.ACL_Rule_MacIpRule{ 471 SourceAddress: "dead::2", 472 SourceAddressPrefix: uint32(64), 473 SourceMacAddress: "11:44:0A:B8:4A:38", 474 SourceMacAddressMask: "ff:ff:ff:ff:00:00", 475 }, 476 }, 477 } 478 479 ctx.MockVpp.MockReply(&vpp_acl.MacipACLAddReplaceReply{}) 480 err = ctx.aclHandler.ModifyMACIPACL(0, rule2modify, "test_modify0") 481 Expect(err).To(BeNil()) 482 483 err = ctx.aclHandler.ModifyMACIPACL(0, aclErr1Rules, "test_modify1") 484 Expect(err).To(Not(BeNil())) 485 486 ctx.MockVpp.MockReply(&vpp_acl.MacipACLAddReplaceReply{}) 487 err = ctx.aclHandler.ModifyMACIPACL(0, aclIPrules, "test_modify3") 488 Expect(err).To(Not(BeNil())) 489 490 ctx.MockVpp.MockReply(&vpp_acl.MacipACLAddReplaceReply{Retval: -1}) 491 err = ctx.aclHandler.ModifyMACIPACL(0, aclIPrules, "test_modify4") 492 Expect(err).To(Not(BeNil())) 493 }