TEST : Validation for ACL Rules and created flows.
Also added ACL in the list.
Change-Id: I6842c72da0d2a87c1f2c77b83f6406ac73d8ceb4
(cherry picked from commit f0dd5bb8fd2dd3bced92cb8a32eb83cb9b6a7f00)
diff --git a/src/test/acl/__init__.py b/src/test/acl/__init__.py
new file mode 100644
index 0000000..c38f621
--- /dev/null
+++ b/src/test/acl/__init__.py
@@ -0,0 +1,26 @@
+#
+# Copyright 2016-present Ciena Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+import os,sys
+##add the python path to lookup the utils
+working_dir = os.path.dirname(os.path.realpath(sys.argv[-1]))
+utils_dir = os.path.join(working_dir, '../utils')
+fsm_dir = os.path.join(working_dir, '../fsm')
+cli_dir = os.path.join(working_dir, '../cli')
+subscriber_dir = os.path.join(working_dir, '../subscriber')
+__path__.append(utils_dir)
+__path__.append(fsm_dir)
+__path__.append(cli_dir)
+__path__.append(subscriber_dir)
diff --git a/src/test/acl/aclTest.py b/src/test/acl/aclTest.py
new file mode 100644
index 0000000..8bc5f24
--- /dev/null
+++ b/src/test/acl/aclTest.py
@@ -0,0 +1,1159 @@
+#
+# Copyright 2016-present Ciena Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+import unittest
+from nose.tools import *
+from scapy.all import *
+from OnosCtrl import OnosCtrl, get_mac
+from OltConfig import OltConfig
+from OnosFlowCtrl import OnosFlowCtrl
+from onosclidriver import OnosCliDriver
+from CordContainer import Container, Onos
+from portmaps import g_subscriber_port_map
+from CordTestServer import cord_test_onos_restart
+from ACL import ACLTest
+import threading
+import time
+import os
+import json
+import pexpect
+log.setLevel('INFO')
+
+class acl_exchange(unittest.TestCase):
+
+ app = ('org.onosproject.acl')
+ device_id = 'of:' + get_mac('ovsbr0')
+ test_path = os.path.dirname(os.path.realpath(__file__))
+ onos_config_path = os.path.join(test_path, '..', 'setup/onos-config')
+ GATEWAY = '192.168.10.50'
+ INGRESS_PORT = 1
+ EGRESS_PORT = 2
+ ingress_iface = 1
+ egress_iface = 2
+ MAX_PORTS = 100
+ CURRENT_PORT_NUM = egress_iface
+ ACL_SRC_IP = '192.168.20.3/32'
+ ACL_DST_IP = '192.168.30.2/32'
+ ACL_SRC_IP_RULE_2 = '192.168.40.3/32'
+ ACL_DST_IP_RULE_2 = '192.168.50.2/32'
+ ACL_SRC_IP_PREFIX_24 = '192.168.20.3/24'
+ ACL_DST_IP_PREFIX_24 = '192.168.30.2/24'
+ HOST_DST_IP = '192.168.30.0/24'
+ HOST_DST_IP_RULE_2 = '192.168.50.0/24'
+
+ @classmethod
+ def setUpClass(cls):
+ cls.olt = OltConfig()
+ cls.port_map,_ = cls.olt.olt_port_map()
+ if not cls.port_map:
+ cls.port_map = g_subscriber_port_map
+ time.sleep(3)
+ log.info('port_map = %s'%cls.port_map[1] )
+
+ @classmethod
+ def tearDownClass(cls):
+ '''Deactivate the acl app'''
+
+
+ def setUp(self):
+ ''' Activate the acl app'''
+ self.maxDiff = None ##for assert_equal compare outputs on failure
+ self.onos_ctrl = OnosCtrl(self.app)
+ status, _ = self.onos_ctrl.activate()
+ assert_equal(status, True)
+ time.sleep(3)
+ status, _ = ACLTest.remove_acl_rule()
+ log.info('Start setup')
+ assert_equal(status, True)
+
+ def tearDown(self):
+ '''Deactivate the acl app'''
+ log.info('Tear down setup')
+ self.CURRENT_PORT_NUM = 4
+
+ def cliEnter(self):
+ retries = 0
+ while retries < 3:
+ self.cli = OnosCliDriver(connect = True)
+ if self.cli.handle:
+ break
+ else:
+ retries += 1
+ time.sleep(2)
+
+ def cliExit(self):
+ self.cli.disconnect()
+
+ @classmethod
+ def acl_hosts_add(cls, dstHostIpMac, egress_iface_count = 1, egress_iface_num = None):
+ index = 0
+ if egress_iface_num is None:
+ egress_iface_num = cls.egress_iface
+ for ip,_ in dstHostIpMac:
+ egress = cls.port_map[egress_iface_num]
+ log.info('Assigning ip %s to interface %s' %(ip, egress))
+ config_cmds_egress = ( 'ifconfig {} 0'.format(egress),
+ 'ifconfig {0} up'.format(egress),
+ 'ifconfig {0} {1}'.format(egress, ip),
+ 'arping -I {0} {1} -c 2'.format(egress, ip.split('/')[0]),
+ 'ifconfig {0}'.format(egress),
+ )
+ for cmd in config_cmds_egress:
+ os.system(cmd)
+ index += 1
+ if index == egress_iface_count:
+ break
+ egress_iface_count += 1
+ egress_iface_num += 1
+
+
+ @classmethod
+ def acl_hosts_remove(cls, egress_iface_count = 1, egress_iface_num = None):
+ if egress_iface_num is None:
+ egress_iface_num = cls.egress_iface
+ n = 0
+ for n in range(egress_iface_count):
+ egress = cls.port_map[egress_iface_num]
+ config_cmds_egress = ('ifconfig {} 0'.format(egress))
+ os.system(config_cmds_egress)
+ egress_iface_num += 1
+
+# @classmethod
+ def acl_rule_traffic_send_recv(self, srcMac, dstMac, srcIp, dstIp, ingress =None, egress=None, ip_proto=None, dstPortNum = None, positive_test = True):
+ if ingress is None:
+ ingress = self.ingress_iface
+ if egress is None:
+ egress = self.egress_iface
+ ingress = self.port_map[ingress]
+ egress = self.port_map[egress]
+ self.success = False if positive_test else True
+ timeout = 10 if positive_test else 1
+ count = 2 if positive_test else 1
+ self.start_sending = True
+ def recv_task():
+ def recv_cb(pkt):
+ log.info('Pkt seen with ingress ip %s, egress ip %s' %(pkt[IP].src, pkt[IP].dst))
+ self.success = True if positive_test else False
+ sniff(count=count, timeout=timeout,
+ lfilter = lambda p: IP in p and p[IP].dst == dstIp.split('/')[0] and p[IP].src == srcIp.split('/')[0],
+ prn = recv_cb, iface = egress)
+ self.start_sending = False
+
+ t = threading.Thread(target = recv_task)
+ t.start()
+ L2 = Ether(src = srcMac, dst = dstMac)
+ L3 = IP(src = srcIp.split('/')[0], dst = dstIp.split('/')[0])
+ pkt = L2/L3
+ log.info('Sending a packet with dst ip %s, src ip %s , dst mac %s src mac %s on port %s to verify if flows are correct' %
+ (dstIp.split('/')[0], srcIp.split('/')[0], dstMac, srcMac, ingress))
+ while self.start_sending is True:
+ sendp(pkt, count=50, iface = ingress)
+ t.join()
+ assert_equal(self.success, True)
+
+ @classmethod
+ def onos_load_config(cls, config):
+ status, code = OnosCtrl.config(config)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+
+ def test_acl_allow_rule(self):
+ acl_rule = ACLTest()
+ status, code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'allow')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+
+ def test_acl_allow_rule_with_24_bit_mask(self):
+ acl_rule = ACLTest()
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP_PREFIX_24, dstIp =self.ACL_DST_IP_PREFIX_24, action = 'allow')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+
+ def test_acl_deny_rule(self):
+ acl_rule = ACLTest()
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'deny')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+
+ def test_acl_deny_rule_with_24_bit_mask(self):
+ acl_rule = ACLTest()
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP_PREFIX_24, dstIp =self.ACL_DST_IP_PREFIX_24, action = 'deny')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+
+ def test_acl_add_remove_rule(self):
+ acl_rule = ACLTest()
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'allow')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ status, code = acl_rule.remove_acl_rule(acl_Id[0])
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+
+ def test_acl_add_remove_all_rules(self):
+ acl_rule = ACLTest()
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'allow')
+ status,code = acl_rule.adding_acl_rule('v4', srcIp='10.10.10.10/24', dstIp ='20.20.20.20/24', action = 'deny')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ status, _ = ACLTest.remove_acl_rule()
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+
+ def test_acl_remove_all_rules_without_add(self):
+ status, _ = ACLTest.remove_acl_rule()
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+
+ def test_acl_allow_and_deny_rule_for_same_src_and_dst_ip(self):
+ acl_rule = ACLTest()
+ status, code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'allow')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'deny')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, False)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ status, _ = ACLTest.remove_acl_rule()
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+
+ def test_acl_allow_rules_for_matched_dst_ips(self):
+ acl_rule = ACLTest()
+ status, code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp ='192.168.30.2/24', action = 'allow')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ status, code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'allow')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, False)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ status, _ = ACLTest.remove_acl_rule()
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+
+ def test_acl_with_matching_src_and_dst_ip_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status, code, host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status, code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'allow')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'UDP')
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 1, egress_iface_num = egress)
+
+ def test_acl_with_matching_24bit_mask_src_and_dst_ip_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP_PREFIX_24, dstIp =self.ACL_DST_IP_PREFIX_24, action = 'allow')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP, ingress =ingress, egress = egress, ip_proto = 'UDP')
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 1, egress_iface_num = egress)
+
+ def test_acl_with_non_matching_src_and_dst_ip_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status, code, host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status, code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'allow')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac, srcIp ='192.168.40.1/24', dstIp = self.ACL_DST_IP, ingress=ingress, egress = egress, ip_proto = 'UDP', positive_test = False )
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 1, egress_iface_num = egress)
+
+ def test_acl_deny_rule_with_matching_src_and_dst_ip_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status, code, host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status, code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'deny')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'UDP', positive_test = False)
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 1, egress_iface_num = egress)
+
+ def test_acl_deny_rule_with_src_and_dst_ip_applying_24_bit_mask_for_matching_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP_PREFIX_24, dstIp =self.ACL_DST_IP_PREFIX_24, action = 'deny')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP_PREFIX_24, dstIp = self.ACL_DST_IP_PREFIX_24,ingress =ingress, egress = egress, ip_proto = 'UDP', positive_test = False)
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 1, egress_iface_num = egress)
+
+ def test_acl_deny_rule_with_non_matching_src_and_dst_ip_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status, code, host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'allow')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp ='192.168.40.1/24', dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'UDP', positive_test = False)
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 1, egress_iface_num = egress)
+
+ def test_acl_allow_and_deny_rules_with_matching_src_and_dst_ip_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'allow')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ egress = self.CURRENT_PORT_NUM
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress ,ip_proto = 'UDP')
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP_RULE_2)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP_RULE_2, dstIp =self.ACL_DST_IP_RULE_2, action = 'deny')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 2)
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP_RULE_2, dstIp = self.ACL_DST_IP_RULE_2,ingress =ingress, egress = egress, ip_proto = 'UDP', positive_test = False)
+ ### crossing checking that we should not receive allow acl rule traffic on onther host non matched traffic
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, positive_test = False)
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 1, egress_iface_num = egress)
+
+ def test_acl_for_l4_acl_rule(self):
+ acl_rule = ACLTest()
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='TCP', dstTpPort ='222', action = 'allow')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+
+ def test_acl_for_remove_l4_rule(self):
+ acl_rule = ACLTest()
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='UDP', dstTpPort ='245', action = 'allow')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ status, code = acl_rule.remove_acl_rule(acl_Id[0])
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+
+ def test_acl_for_remove_l4_rules(self):
+ acl_rule = ACLTest()
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='TCP', dstTpPort ='567', action = 'allow')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='UDP', dstTpPort ='245', action = 'deny')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='ICMP', dstTpPort ='1',action = 'allow')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 3)
+ status, _ = ACLTest.remove_acl_rule()
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+
+ def test_acl_adding_specific_l4_and_all_l4_allow_rule(self):
+ acl_rule = ACLTest()
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='TCP', dstTpPort ='222', action = 'allow')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'allow')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 2)
+
+ def test_acl_adding_all_l4_and_specific_l4_allow_rule(self):
+ acl_rule = ACLTest()
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'allow')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='UDP', dstTpPort ='345', action = 'allow')
+ if status is True:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+
+ def test_acl_with_specific_l4_and_all_l4_deny_rule(self):
+ acl_rule = ACLTest()
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='TCP', dstTpPort ='222', action = 'deny')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'deny')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 2)
+
+ def test_acl_with_all_l4_and_specific_l4_deny_rule(self):
+ acl_rule = ACLTest()
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'deny')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='UDP', dstTpPort ='345', action = 'deny')
+ if status is True:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+
+ def test_acl_with_specific_l4_deny_and_all_l4_allow_rule(self):
+ acl_rule = ACLTest()
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='TCP', dstTpPort ='222', action = 'deny')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'allow')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 2)
+
+ def test_acl_deny_all_l4_and_allow_specific_l4_rule(self):
+ acl_rule = ACLTest()
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'deny')
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='UDP', dstTpPort ='345', action = 'allow')
+ if status is True:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+
+ def test_acl_tcp_port_allow_rule_for_matching_and_non_matching_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='TCP', dstTpPort ='222', action = 'allow')
+ time.sleep(20)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL Rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'TCP', dstPortNum = 222)
+ ## Non-matching traffic for TCP portocol testing
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'TCP', dstPortNum = 444, positive_test = False)
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 1, egress_iface_num = egress)
+
+ def test_acl_udp_port_allow_rule_for_matching_and_non_matching_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='UDP', dstTpPort ='456', action = 'allow')
+ time.sleep(20)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL Rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'UDP', dstPortNum = 456)
+ ## Non-matching traffic for TCP portocol testing
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'UDP', dstPortNum = 654, positive_test = False)
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 1, egress_iface_num = egress)
+
+ def test_acl_icmp_port_allow_rule_for_matching_and_non_matching_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='ICMP', dstTpPort ='1', action = 'allow')
+ time.sleep(20)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL Rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'ICMP', dstPortNum = 1)
+ ## Non-matching traffic for TCP portocol testing
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'ICMP', dstPortNum = 2, positive_test = False)
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 1, egress_iface_num = egress)
+
+ def test_acl_tcp_port_deny_rule_for_matching_and_non_matching_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='TCP', dstTpPort ='222', action = 'deny')
+ time.sleep(20)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL Rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'TCP', dstPortNum = 222, positive_test = False)
+ ## Non-matching traffic for TCP portocol testing
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'TCP', dstPortNum = 444, positive_test = False)
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 1, egress_iface_num = egress)
+
+ def test_acl_udp_port_deny_rule_for_matching_and_non_matching_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='UDP', dstTpPort ='654', action = 'deny')
+ time.sleep(20)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL Rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'UDP', dstPortNum = 654, positive_test = False)
+ ## Non-matching traffic for TCP portocol testing
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'UDP', dstPortNum = 444, positive_test = False)
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 1, egress_iface_num = egress)
+
+ def test_acl_icmp_port_deny_rule_for_matching_and_non_matching_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='ICMP', dstTpPort ='1', action = 'deny')
+ time.sleep(20)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL Rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'ICMP', dstPortNum = 1, positive_test = False)
+ ## Non-matching traffic for TCP portocol testing
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'ICMP', dstPortNum = 2, positive_test = False)
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 1, egress_iface_num = egress)
+
+ def test_acl_two_allow_rules_for_tcp_port_matching_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='TCP', dstTpPort ='222', action = 'allow')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ egress = self.CURRENT_PORT_NUM
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'TCP', dstPortNum = 222)
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP_RULE_2)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP_RULE_2, dstIp =self.ACL_DST_IP_RULE_2, ipProto ='TCP', dstTpPort ='345', action = 'allow')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 2)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP_RULE_2, dstIp = self.ACL_DST_IP_RULE_2,ingress =ingress, egress = egress, ip_proto = 'TCP', dstPortNum = 345)
+ ### crossing checking that we should not receive allow acl rule traffic on onther host non matched traffic
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'TCP', dstPortNum = 222, positive_test = False)
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 2, egress_iface_num = egress-1)
+
+ def test_acl_two_allow_rules_for_udp_ports_matching_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, ipProto ='UDP', dstTpPort ='987', action = 'allow')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ egress = self.CURRENT_PORT_NUM
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'UDP', dstPortNum = 987)
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP_RULE_2)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP_RULE_2, dstIp =self.ACL_DST_IP_RULE_2, ipProto ='TCP', dstTpPort ='345', action = 'allow')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 2)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP_RULE_2, dstIp = self.ACL_DST_IP_RULE_2,ingress =ingress, egress = egress, ip_proto = 'TCP', dstPortNum = 345)
+ ### crossing checking that we should not receive allow acl rule traffic on onther host non matched traffic
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'UDP', dstPortNum = 987, positive_test = False)
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 2, egress_iface_num = egress-1)
+
+ def test_acl_two_allow_rules_for_src_ips_dst_ips_and_l4_ports_matching_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'allow')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ egress = self.CURRENT_PORT_NUM
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'UDP')
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP_RULE_2)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP_RULE_2, dstIp =self.ACL_DST_IP_RULE_2, ipProto ='TCP', dstTpPort ='345', action = 'allow')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 2)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP_RULE_2, dstIp = self.ACL_DST_IP_RULE_2,ingress =ingress, egress = egress, ip_proto = 'TCP', dstPortNum = 345)
+ ### crossing checking that we should not receive allow acl rule traffic on onther host non matched traffic
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'UDP', dstPortNum = 987, positive_test = False)
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 2, egress_iface_num = egress-1)
+
+ def test_acl_allow_and_deny_rules_for_src_ips_dst_ips_and_l4_ports_matching_traffic(self):
+ ingress = self.ingress_iface
+ egress = self.CURRENT_PORT_NUM
+ acl_rule = ACLTest()
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ srcMac = '00:00:00:00:00:11'
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP, dstIp =self.ACL_DST_IP, action = 'deny')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 1)
+ log.info('Added ACL rules = %s' %result.json()['aclRules'])
+ self.cliEnter()
+ ##Now verify
+ hosts = json.loads(self.cli.hosts(jsonFormat = True))
+ log.info('Discovered hosts: %s' %hosts)
+ flows = json.loads(self.cli.flows(jsonFormat = True))
+ flows = filter(lambda f: f['flows'], flows)
+ #log.info('Flows: %s' %flows)
+ assert_not_equal(len(flows), 0)
+ egress = self.CURRENT_PORT_NUM
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'UDP', positive_test = False)
+ status,code,host_ip_mac = acl_rule.generate_onos_interface_config(iface_num= self.CURRENT_PORT_NUM, iface_name = 'b1',iface_count = 1, iface_ip = self.HOST_DST_IP_RULE_2)
+ self.CURRENT_PORT_NUM += 1
+ time.sleep(5)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ dstMac = host_ip_mac[0][1]
+ self.acl_hosts_add(dstHostIpMac = host_ip_mac, egress_iface_count = 1, egress_iface_num = egress )
+ status,code = acl_rule.adding_acl_rule('v4', srcIp=self.ACL_SRC_IP_RULE_2, dstIp =self.ACL_DST_IP_RULE_2, ipProto ='UDP', dstTpPort ='345', action = 'allow')
+ time.sleep(10)
+ if status is False:
+ log.info('JSON request returned status %d' %code)
+ assert_equal(status, True)
+ result = acl_rule.get_acl_rules()
+ aclRules1 = result.json()['aclRules']
+ acl_Id = map(lambda d: d['id'], aclRules1)
+ assert_equal(len(acl_Id), 2)
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP_RULE_2, dstIp = self.ACL_DST_IP_RULE_2,ingress =ingress, egress = egress, ip_proto = 'UDP', dstPortNum = 345)
+ ### crossing checking that we should not receive allow acl rule traffic on onther host non matched traffic
+ self.acl_rule_traffic_send_recv(srcMac = srcMac, dstMac = dstMac ,srcIp =self.ACL_SRC_IP, dstIp = self.ACL_DST_IP,ingress =ingress, egress = egress, ip_proto = 'UDP', dstPortNum = 987, positive_test = False)
+ self.cliExit()
+ self.acl_hosts_remove(egress_iface_count = 2, egress_iface_num = egress-1)
+
+
+
diff --git a/src/test/setup/cord-test.py b/src/test/setup/cord-test.py
index 3100f90..d29b9d2 100755
--- a/src/test/setup/cord-test.py
+++ b/src/test/setup/cord-test.py
@@ -38,7 +38,7 @@
)
basename = 'cord-tester'
IMAGE = 'cord-test/nose'
- ALL_TESTS = ('tls', 'dhcp', 'dhcprelay','igmp', 'subscriber', 'cordSubscriber', 'vrouter', 'flows', 'proxyarp')
+ ALL_TESTS = ('tls', 'dhcp', 'dhcprelay','igmp', 'subscriber', 'cordSubscriber', 'vrouter', 'flows', 'proxyarp', 'acl')
def __init__(self, tests, instance = 0, num_instances = 1, ctlr_ip = None, image = IMAGE, tag = 'latest',
env = None, rm = False, update = False):
diff --git a/src/test/utils/ACL.py b/src/test/utils/ACL.py
new file mode 100644
index 0000000..1492868
--- /dev/null
+++ b/src/test/utils/ACL.py
@@ -0,0 +1,120 @@
+#
+# Copyright 2016-present Ciena Corporation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+import json
+import requests
+import os,sys,time
+from scapy.all import *
+from OnosCtrl import OnosCtrl, get_mac
+from OnosFlowCtrl import OnosFlowCtrl
+
+conf.verb = 0 # Disable Scapy verbosity
+conf.checkIPaddr = 0 # Don't check response packets for matching destination IPs
+
+class ACLTest:
+
+ auth = ('karaf', 'karaf')
+ controller = os.getenv('ONOS_CONTROLLER_IP') or 'localhost'
+ add_acl_rule_url = 'http://%s:8181/onos/v1/acl/rules' %(controller)
+ remove_acl_rule_url = 'http://%s:8181/onos/v1/acl/rules/%s' %(controller, id)
+ clear_all_acl_rule_url = 'http://%s:8181/onos/v1/acl/rules' %(controller)
+ iface_create_onos_url = 'http://%s:8181/onos/v1/network/configuration' %(controller)
+ device_id = 'of:' + get_mac('ovsbr0')
+ MAX_PORTS = 100
+
+ def __init__(self, ipv4Prefix ='v4', srcIp ='null', dstIp ='null', ipProto = 'null', dstTpPort = 0, action = 'null', ingress_iface = 1, egress_iface = 2,iface_num = 0, iface_name = 'null', iface_count = 0, iface_ip = 'null'):
+ self.ipv4Prefix = ipv4Prefix
+ self.srcIp = srcIp
+ self.ingress_iface = ingress_iface
+ self.egress_iface = egress_iface
+ self.dstIp = dstIp
+ self.ipProto = ipProto
+ self.dstTpPort = dstTpPort
+ self.action = action
+ self.iface_count = iface_count
+ self.iface_num = iface_num
+ self.iface_name = iface_name
+ self.iface_ip = iface_ip
+
+ def adding_acl_rule(self, ipv4Prefix, srcIp, dstIp, ipProto ='null', dstTpPort='null', action= 'include'):
+ '''This function is generating ACL json file and post to ONOS for creating a ACL rule'''
+ if ipv4Prefix is 'v4':
+ acl_dict = {}
+ if srcIp and dstIp and action:
+ acl_dict['srcIp'] = '{}'.format(srcIp)
+ acl_dict['dstIp'] = '{}'.format(dstIp)
+ acl_dict['action'] = '{}'.format(action)
+ if ipProto is not 'null':
+ acl_dict['ipProto'] = '{}'.format(ipProto)
+ if dstTpPort is not 'null':
+ acl_dict['dstTpPort'] = '{}'.format(dstTpPort)
+ json_data = json.dumps(acl_dict)
+ resp = requests.post(self.add_acl_rule_url, auth = self.auth, data = json_data)
+ return resp.ok, resp.status_code
+
+ def get_acl_rules(self):
+ '''This function is getting a ACL rules from ONOS with json formate'''
+ resp = requests.get(self.add_acl_rule_url, auth = self.auth)
+ return resp
+
+ @classmethod
+ def remove_acl_rule(cls,id = None):
+ '''This function is delete one or all ACL rules in ONOS'''
+ if id is None:
+ remove_acl_rule_url = 'http://%s:8181/onos/v1/acl/rules' %(cls.controller)
+ else:
+ remove_acl_rule_url = 'http://%s:8181/onos/v1/acl/rules/%s' %(cls.controller, id)
+ resp = requests.delete(remove_acl_rule_url, auth = cls.auth)
+ return resp.ok, resp.status_code
+
+ def generate_onos_interface_config(self,iface_num = 4, iface_name = 'null',iface_count = 1,iface_ip = '198.162.10.1'):
+ '''This function is generate interface config data in json format and post to ONOS for creating it '''
+ ''' To add interfaces on ONOS to test acl with trffic'''
+ num = 0
+ egress_host_list = []
+ interface_list = []
+ ip = iface_ip.split('/')[0]
+ start_iface_ip = ip.split('.')
+ start_ip = ( int(start_iface_ip[0]) << 24) | ( int(start_iface_ip[1]) << 16) | ( int(start_iface_ip[2]) << 8) | 0
+ end_ip = ( 200 << 24 ) | (168 << 16) | (10 << 8) | 0
+ ports_dict = { 'ports' : {} }
+ for n in xrange(start_ip, end_ip, 256):
+ port_map = ports_dict['ports']
+ port = iface_num if num < self.MAX_PORTS - 1 else self.MAX_PORTS - 1
+ device_port_key = '{0}/{1}'.format(self.device_id, port)
+ try:
+ interfaces = port_map[device_port_key]['interfaces']
+ except:
+ port_map[device_port_key] = { 'interfaces' : [] }
+ interfaces = port_map[device_port_key]['interfaces']
+ ip = n + 2
+ peer_ip = n + 1
+ ips = '%d.%d.%d.%d/%d'%( (ip >> 24) & 0xff, ( (ip >> 16) & 0xff ), ( (ip >> 8 ) & 0xff ), ip & 0xff, int(iface_ip.split('/')[1]))
+ peer = '%d.%d.%d.%d' % ( (peer_ip >> 24) & 0xff, ( ( peer_ip >> 16) & 0xff ), ( (peer_ip >> 8 ) & 0xff ), peer_ip & 0xff )
+ mac = RandMAC()._fix()
+ egress_host_list.append((peer, mac))
+ if num < self.MAX_PORTS - 1:
+ interface_dict = { 'name' : '{0}-{1}'.format(iface_name,port), 'ips': [ips], 'mac' : mac }
+ interfaces.append(interface_dict)
+ interface_list.append(interface_dict['name'])
+ else:
+ interfaces[0]['ips'].append(ips)
+ num += 1
+ if num == iface_count:
+ break
+ json_data = json.dumps(ports_dict)
+ resp = requests.post(self.iface_create_onos_url, auth = self.auth, data = json_data)
+ return resp.ok, resp.status_code, egress_host_list
+