vsg-test: Added multiple test scenarios
    applying iptables firewall rules, passing traffic and validating the
    result in a vCPE context.

Change-Id: I2bb30dac2b496adb324b63f20544b5ab0a54f9e6
diff --git a/src/test/vsg/vsgTest.py b/src/test/vsg/vsgTest.py
index 07ebb9f..1f9aafe 100644
--- a/src/test/vsg/vsgTest.py
+++ b/src/test/vsg/vsgTest.py
@@ -277,6 +277,349 @@
         VSGAccess.restore_interface_config(mgmt, vcpe = self.vcpe_dhcp)
         assert_equal(st, 0)
 
+    def test_vsg_firewall_with_deny_destination_ip(self, vcpe=None):
+        host = '8.8.8.8'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+        assert_equal(st, False)
+        try:
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -d {} -j DROP'.format(vcpe,host))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, True)
+        finally:
+            vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+            vsg.run_cmd('sudo docker exec {} iptables -X'.format(vcpe))
+
+    def test_vsg_firewall_with_rule_add_and_delete_dest_ip(self, vcpe=None):
+        host = '8.8.8.8'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+        assert_equal(st, False)
+        try:
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -d {} -j DROP'.format(vcpe,host))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, True)
+            st,_ = vsg.run_cmd('sudo docker exec {} iptables -D FORWARD -d {} -j DROP'.format(vcpe,host))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st,False)
+        finally:
+            vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+            vsg.run_cmd('sudo docker exec {} iptables -X'.format(vcpe))
+
+    def test_vsg_firewall_verifying_reachability_for_non_blocked_dest_ip(self, vcpe=None):
+        host1 = '8.8.8.8'
+        host2 = '204.79.197.203'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host1))
+        assert_equal(st, False)
+        try:
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -d {} -j DROP'.format(vcpe,host1))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host1))
+            assert_equal(st, True)
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host2))
+            assert_equal(st,False)
+        finally:
+            vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+            vsg.run_cmd('sudo docker exec {} iptables -X'.format(vcpe))
+
+    def test_vsg_firewall_appending_rules_with_deny_dest_ip(self, vcpe=None):
+        host1 = '8.8.8.8'
+        host2 = '204.79.197.203'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host1))
+        assert_equal(st, False)
+        try:
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -d {} -j DROP'.format(vcpe,host1))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host1))
+            assert_equal(st, True)
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host2))
+            assert_equal(st, False)
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -d {} -j DROP'.format(vcpe,host2))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host2))
+            assert_equal(st,True)
+        finally:
+            vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+            vsg.run_cmd('sudo docker exec {} iptables -X'.format(vcpe))
+
+    def test_vsg_firewall_removing_one_rule_denying_dest_ip(self, vcpe=None):
+        host1 = '8.8.8.8'
+        host2 = '204.79.197.203'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host1))
+        assert_equal(st, False)
+        try:
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -d {} -j DROP'.format(vcpe,host1))
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -d {} -j DROP'.format(vcpe,host2))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host1))
+            assert_equal(st, True)
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host2))
+            assert_equal(st,True)
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -D FORWARD -d {} -j DROP'.format(vcpe,host2))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host2))
+            assert_equal(st,False)
+        finally:
+            vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+            vsg.run_cmd('sudo docker exec {} iptables -X'.format(vcpe))
+
+    def test_vsg_firewall_changing_rule_id_deny_dest_ip(self, vcpe=None):
+        host = '8.8.8.8'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+        assert_equal(st, False)
+        try:
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -d {} -j DROP'.format(vcpe,host))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, True)
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -j ACCEPT 2'.format(vcpe))
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -A FORWARD 2 -d {} -j DROP '.format(vcpe,host))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st,False)
+        finally:
+            vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+            vsg.run_cmd('sudo docker exec {} iptables -X'.format(vcpe))
+
+    def test_vsg_firewall_changing_deny_rule_to_accept_dest_ip(self, vcpe=None):
+        host1 = '8.8.8.8'
+        host2 = '204.79.197.203'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+        assert_equal(st, False)
+        try:
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -d {} -j DROP'.format(vcpe,host))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, True)
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -A FORWARD -d {} -j ACCEPT 1'.format(vcpe,host))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st,False)
+        finally:
+            vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+            vsg.run_cmd('sudo docker exec {} iptables -X'.format(vcpe))
+
+    def test_vsg_firewall_denying_destination_network(self, vcpe=None):
+        network = '206.190.36.44/28'
+        host1 = '204.79.197.46'
+        host2 = '204.79.197.51'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host1))
+        assert_equal(st, False)
+        try:
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -d {} -j DROP'.format(vcpe,network))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host1))
+            assert_equal(st, True)
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host2))
+            assert_equal(st,False)
+        finally:
+            vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+
+    def test_vsg_firewall_denying_destination_network_subnet_modification(self, vcpe=None):
+        network1 = '206.190.36.44/28'
+        network2 = '206.190.36.44/26'
+        host1 = '204.79.197.46'
+        host2 = '204.79.197.51'
+        host2 = '204.79.197.63'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host1))
+        assert_equal(st, False)
+        try:
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -d {} -j DROP'.format(vcpe,network1))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host1))
+            assert_equal(st, True)
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host2))
+            assert_equal(st,False)
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -A FORWARD -d {} -j DROP'.format(vcpe,network2))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host1))
+            assert_equal(st, True)
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host2))
+            assert_equal(st, True)
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host3))
+            assert_equal(st, False)
+        finally:
+            vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+
+    def test_vsg_firewall_with_deny_source_ip(self, vcpe=None):
+        host = '8.8.8.8'
+        source_ip = self.vcpe_dhcp
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+        assert_equal(st, False)
+        try:
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -s {} -j DROP'.format(vcpe,source_ip))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, True)
+        finally:
+            vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+
+    def test_vsg_firewall_rule_with_add_and_delete_deny_source_ip(self, vcpe=None):
+        host = '8.8.8.8'
+        source_ip = self.vcpe_dhcp
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+        assert_equal(st, False)
+        try:
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -s {} -j DROP'.format(vcpe,source_ip))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, True)
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -D FORWARD -s {} -j DROP'.format(vcpe,source_ip))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, False)
+        finally:
+            vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+
+    def test_vsg_firewall_rule_with_deny_icmp_protocol_echo_requests_type(self, vcpe=None):
+        host = '8.8.8.8'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+        assert_equal(st, False)
+        try:
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -p icmp --icmp-type echo-request -j DROP'.format(vcpe))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, True)
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -D FORWARD -p icmp --icmp-type echo-request -j DROP'.format(vcpe))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, False)
+        finally:
+            vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+            vsg.run_cmd('sudo docker exec {} iptables -X'.format(vcpe))
+
+    def test_vsg_firewall_rule_with_deny_icmp_protocol_echo_reply_type(self, vcpe=None):
+        host = '8.8.8.8'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format('8.8.8.8'))
+        assert_equal(st, False)
+        try:
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -p icmp --icmp-type echo-reply -j DROP'.format(vcpe))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, True)
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -D FORWARD -p icmp --icmp-type echo-reply -j DROP'.format(vcpe))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st,False)
+        finally:
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -X'.format(vcpe))
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+
+    def test_vsg_firewall_changing_deny_rule_to_accept_rule_with_icmp_protocol_echo_requests_type(self, vcpe=None):
+        host = '8.8.8.8'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+        assert_equal(st, False)
+        try:
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD 1 -p icmp --icmp-type echo-request -j DROP'.format(vcpe))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, True)
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD 1 -p icmp --icmp-type echo-request -j ACCEPT'.format(vcpe))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st,False)
+        finally:
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -X'.format(vcpe))
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+
+    def test_vsg_firewall_changing_deny_rule_to_accept_rule_with_icmp_protocol_echo_reply_type(self, vcpe=None):
+        host = '8.8.8.8'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, out1 = getstatusoutput('ping -c 1 {}'.format(host))
+        assert_equal(st, False)
+        try:
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD 1 -p icmp --icmp-type echo-reply -j DROP'.format(vcpe))
+            st,_ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, True)
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD 1 -p icmp --icmp-type echo-reply -j ACCEPT'.format(vcpe))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st,False)
+        finally:
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -X'.format(vcpe))
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+
+    def test_vsg_firewall_for_deny_icmp_protocol(self, vcpe=None):
+        host = '8.8.8.8'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+        assert_equal(st, False)
+        try:
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -p icmp -j DROP'.format(vcpe))
+            st,_ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, True)
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -D FORWARD -p icmp -j DROP'.format(vcpe))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st,False)
+        finally:
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -X'.format(vcpe))
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+
+    def test_vsg_firewall_rule_deny_icmp_protocol_and_destination_ip(self, vcpe=None):
+        host = '8.8.8.8'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+        assert_equal(st, False)
+        try:
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -d {} -j DROP'.format(vcpe,host))
+            st,_ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, True)
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -p icmp -j DROP'.format(vcpe))
+            assert_equal(st, True)
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -D FORWARD -d {} -j DROP'.format(vcpe,host))
+            assert_equal(st, True)
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -D FORWARD -p icmp -j DROP'.format(vcpe))
+            st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st,False)
+        finally:
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -X'.format(vcpe))
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+
+    def test_vsg_firewall_flushing_all_configured_rules(self, vcpe=None):
+        host = '8.8.8.8'
+        if not vcpe:
+                vcpe = self.vcpe_container
+        vsg = VSGAccess.get_vcpe_vsg(vcpe)
+        st, _ = getstatusoutput('ping -c 1 {}'.format(host))
+        assert_equal(st, False)
+        try:
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -d {} -j DROP'.format(vcpe,host))
+            st,_ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, True)
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -I FORWARD -p icmp -j DROP'.format(vcpe))
+            st,_ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, True)
+            st,output = vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+            st,_ = getstatusoutput('ping -c 1 {}'.format(host))
+            assert_equal(st, False)
+        finally:
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -X'.format(vcpe))
+            st, _ = vsg.run_cmd('sudo docker exec {} iptables -F'.format(vcpe))
+
     def test_vsg_xos_subscriber(self):
         subscriber_info = self.subscriber_info[0]
         volt_subscriber_info = self.volt_subscriber_info[0]
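Review bot: Two of the added tests raise NameError before they exercise any rule: `test_vsg_firewall_changing_deny_rule_to_accept_dest_ip` defines `host1`/`host2` but pings and formats `host`, and `test_vsg_firewall_denying_destination_network_subnet_modification` assigns `host2` twice and then pings `host3`; the likely fixes are `host = '8.8.8.8'` in the first and `host3 = '204.79.197.63'` for the second assignment. In both network tests the DROP rule targets `206.190.36.44/28` (and `/26`) while the probed hosts are in `204.79.197.x`, so the rule cannot be what makes the ping fail. The status returned by `vsg.run_cmd` for almost every `iptables -I`/`-A`/`-D` call is overwritten by the next `getstatusoutput` without being checked, so commands that appear malformed, such as `iptables -I FORWARD -j ACCEPT 2` and `iptables -A FORWARD 2 -d ...` (a rule number after the target, or passed to `-A`), would fail unnoticed, and a ping that fails for an unrelated reason is counted as the firewall working; asserting the rule-install status before each ping would close that gap. The `finally` blocks run `iptables -F`, which flushes every chain of the filter table in the vCPE container rather than only the rules the test added, and several run `-X` before `-F`; removing the specific rule with `-D`, or saving and restoring the ruleset around the test, would leave the container's baseline rules intact.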