From a8c6a42cef29486af84e08c74de2f8f4b280a11c Mon Sep 17 00:00:00 2001
From: bingwang
Date: Mon, 28 Nov 2022 05:40:00 -0800
Subject: [PATCH 01/10] Add test case to verify custom acl type
---
tests/acl/custom_acl_table/acl_rules.json | 58 ++++
.../custom_acl_table/custom_acl_table.json | 9 +
.../custom_acl_table/test_custom_acl_table.py | 283 ++++++++++++++++++
3 files changed, 350 insertions(+)
create mode 100644 tests/acl/custom_acl_table/acl_rules.json
create mode 100644 tests/acl/custom_acl_table/custom_acl_table.json
create mode 100644 tests/acl/custom_acl_table/test_custom_acl_table.py
diff --git a/tests/acl/custom_acl_table/acl_rules.json b/tests/acl/custom_acl_table/acl_rules.json
new file mode 100644
index 00000000000..20ec8aba850
--- /dev/null
+++ b/tests/acl/custom_acl_table/acl_rules.json
@@ -0,0 +1,58 @@
+{
+ "ACL_RULE": {
+ "CUSTOM_TABLE|RULE_1": {
+ "SRC_IP": "192.168.0.2/32",
+ "IP_PROTOCOL": "6",
+ "PACKET_ACTION": "FORWARD",
+ "PRIORITY": "9999"
+ },
+ "CUSTOM_TABLE|RULE_2": {
+ "DST_IP": "103.23.2.1/32",
+ "IP_PROTOCOL": "6",
+ "PACKET_ACTION": "FORWARD",
+ "PRIORITY": "9998"
+ },
+ "CUSTOM_TABLE|RULE_3": {
+ "SRC_IPV6": "fc02:1000::2/128",
+ "NEXT_HEADER": "6",
+ "PACKET_ACTION": "FORWARD",
+ "PRIORITY": "9997"
+ },
+ "CUSTOM_TABLE|RULE_4": {
+ "DST_IPV6": "103:23:2:1::1/128",
+ "NEXT_HEADER": "6",
+ "PACKET_ACTION": "FORWARD",
+ "PRIORITY": "9996"
+ },
+ "CUSTOM_TABLE|RULE_5": {
+ "L4_SRC_PORT": "8080",
+ "PACKET_ACTION": "FORWARD",
+ "PRIORITY": "9995"
+ },
+ "CUSTOM_TABLE|RULE_6": {
+ "L4_DST_PORT": "8080",
+ "PACKET_ACTION": "FORWARD",
+ "PRIORITY": "9994"
+ },
+ "CUSTOM_TABLE|RULE_7": {
+ "L4_SRC_PORT_RANGE": "8081-8090",
+ "PACKET_ACTION": "FORWARD",
+ "PRIORITY": "9993"
+ },
+ "CUSTOM_TABLE|RULE_8": {
+ "L4_DST_PORT_RANGE": "8081-8090",
+ "PACKET_ACTION": "FORWARD",
+ "PRIORITY": "9992"
+ },
+ "CUSTOM_TABLE|DEFAULT_DROP_RULE_V4": {
+ "ETHER_TYPE": "2048",
+ "PACKET_ACTION": "DROP",
+ "PRIORITY": "2"
+ },
+ "CUSTOM_TABLE|DEFAULT_DROP_RULE_V6": {
+ "IP_TYPE": "IPV6ANY",
+ "PACKET_ACTION": "DROP",
+ "PRIORITY": "1"
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/acl/custom_acl_table/custom_acl_table.json b/tests/acl/custom_acl_table/custom_acl_table.json
new file mode 100644
index 00000000000..cfc2f36c25f
--- /dev/null
+++ b/tests/acl/custom_acl_table/custom_acl_table.json
@@ -0,0 +1,9 @@
+{
+ "ACL_TABLE_TYPE": {
+ "CUSTOM_TYPE": {
+ "MATCHES": "SRC_IP,DST_IP,SRC_IPV6,DST_IPV6,ETHER_TYPE,IP_TYPE,IP_PROTOCOL,NEXT_HEADER,L4_SRC_PORT,L4_DST_PORT,L4_SRC_PORT_RANGE,L4_DST_PORT_RANGE",
+ "ACTIONS": "PACKET_ACTION",
+ "BIND_POINTS": "PORT"
+ }
+ }
+}
diff --git a/tests/acl/custom_acl_table/test_custom_acl_table.py b/tests/acl/custom_acl_table/test_custom_acl_table.py
new file mode 100644
index 00000000000..4d436ad2d05
--- /dev/null
+++ b/tests/acl/custom_acl_table/test_custom_acl_table.py 
@@ -0,0 +1,283 @@
+import logging
+import json
+import pytest
+import time
+
+from ptf.mask import Mask
+import ptf.packet as scapy
+
+
+import ptf.testutils as testutils
+from tests.common.utilities import skip_release
+from tests.common.helpers.assertions import pytest_assert
+from tests.common.plugins.loganalyzer.loganalyzer import LogAnalyzer, LogAnalyzerError
+from tests.common.dualtor.mux_simulator_control import toggle_all_simulator_ports_to_rand_selected_tor
+
+logger = logging.getLogger(__name__)
+
+pytestmark = [
+ pytest.mark.topology("t0"), # Only run on T0 testbed
+ pytest.mark.disable_loganalyzer, # Disable automatic loganalyzer, since we use it for the test
+]
+
+CUSTOM_ACL_TABLE_TYPE_SRC_FILE = "acl/custom_acl_table/custom_acl_table.json"
+CUSTOM_ACL_TABLE_TYPE_DST_FILE = "/tmp/custom_acl_table.json"
+
+ACL_RULE_SRC_FILE = "acl/custom_acl_table/acl_rules.json"
+ACL_RULE_DST_FILE = "/tmp/acl_rules.json"
+
+LOG_EXPECT_ACL_TABLE_CREATE_RE = ".*Created ACL table.*"
+LOG_EXPECT_ACL_RULE_FAILED_RE = ".*Failed to create ACL rule.*"
+
+
+@pytest.fixture(scope='module', autouse=True)
+def check_release(rand_selected_dut):
+ skip_release(rand_selected_dut, ["201811", "201911", "202012"])
+
+
+@pytest.fixture(scope='module')
+def setup_counterpoll_interval(rand_selected_dut):
+ """
+ Set the counterpoll interval for acl to 1 second (10 seconds by default)
+ """
+ # Set polling interval to 1 second
+ rand_selected_dut.shell('counterpoll acl interval 1000')
+ time.sleep(10)
+ yield
+ # Restore default value 10 seconds
+ rand_selected_dut.shell('counterpoll acl interval 1000')
+
+
+def clear_acl_counter(dut):
+ """
+ Clear the counter of ACL
+ """
+ dut.shell('aclshow -c')
+
+
+def read_acl_counter(dut, rule_name):
+ """
+ Read the counter of given rule
+ RULE NAME TABLE NAME PRIO PACKETS COUNT BYTES COUNT
+ ----------- ------------ ------ --------------- -------------
+ RULE_1 L3_MIX_TABLE 9999 0 0
+ """
+ cmd = 'aclshow -a -r {}'.format(rule_name)
+ time.sleep(2)
+ output = dut.shell(cmd)['stdout_lines']
+ for line in output:
+ fields = line.split()
+ if len(fields) != 5:
+ continue
+ if fields[0] == rule_name:
+ return int(fields[3])
+
+ return 0
+
+
+# TODO: Move this fixture to a shared place of acl test
+@pytest.fixture(scope="module", autouse=True)
+def remove_dataacl_table(rand_selected_dut):
+ """
+ Remove DATAACL to free TCAM resources
+ """
+ TABLE_NAME = "DATAACL"
+ lines = rand_selected_dut.shell(cmd="show acl table {}".format(TABLE_NAME))['stdout_lines']
+ data_acl_existing = False
+ for line in lines:
+ if TABLE_NAME in line:
+ data_acl_existing = True
+ break
+ if not data_acl_existing:
+ yield
+ return
+ # Remove DATAACL
+ logger.info("Removing ACL table {}".format(TABLE_NAME))
+ rand_selected_dut.shell(cmd="config acl remove table {}".format(TABLE_NAME))
+ yield
+ # Recover DATAACL
+ config_db_json = "/etc/sonic/config_db.json"
+ output = rand_selected_dut.shell("sonic-cfggen -j {} --var-json \"ACL_TABLE\"".format(config_db_json))['stdout']
+ try:
+ entry = json.loads(output)[TABLE_NAME]
+ cmd_create_table = "config acl add table {} {} -p {} -s {}".format(TABLE_NAME, entry['type'], \
+ ",".join(sorted(entry['ports'])), entry['stage'])
+ logger.info("Restoring ACL table {}".format(TABLE_NAME))
+ rand_selected_dut.shell(cmd_create_table)
+ except Exception as e:
+ pytest.fail(str(e))
+
+
+@pytest.fixture(scope='module')
+def setup_custom_acl_table(rand_selected_dut):
+ # Define a custom table type CUSTOM_TYPE by loading a json configuration
+ rand_selected_dut.copy(src=CUSTOM_ACL_TABLE_TYPE_SRC_FILE, dest=CUSTOM_ACL_TABLE_TYPE_DST_FILE)
+ rand_selected_dut.shell("sonic-cfggen -j {} -w".format(CUSTOM_ACL_TABLE_TYPE_DST_FILE))
+ # Create an ACL table and bind to Vlan1000 interface
+ cmd_create_table = "config acl add table CUSTOM_TABLE CUSTOM_TYPE -s ingress -p Vlan1000"
+ cmd_remove_table = "config acl remove table CUSTOM_TABLE"
+ loganalyzer = LogAnalyzer(ansible_host=rand_selected_dut, marker_prefix="custom_acl")
+ loganalyzer.load_common_config()
+
+ try:
+ logger.info("Creating ACL table CUSTOM_TABLE with type CUSTOM_TYPE")
+ loganalyzer.expect_regex = [LOG_EXPECT_ACL_TABLE_CREATE_RE]
+ # Ignore any other errors to reduce noise
+ loganalyzer.ignore_regex = [r".*"]
+ with loganalyzer:
+ rand_selected_dut.shell(cmd_create_table)
+ except LogAnalyzerError as err:
+ # Cleanup Config DB if table creation failed
+ logger.error("ACL table creation failed, attempting to clean-up...")
+ rand_selected_dut.shell(cmd_remove_table)
+ raise err
+
+ yield
+ logger.info("Removing ACL table and custom type")
+ # Remove ACL table
+ rand_selected_dut.shell(cmd_remove_table)
+ # Remove custom type
+ rand_selected_dut.shell("sonic-db-cli CONFIG_DB del \'ACL_TABLE_TYPE|CUSTOM_TYPE\'")
+
+
+@pytest.fixture(scope='module')
+def setup_acl_rules(rand_selected_dut, setup_custom_acl_table):
+ # Copy and load acl rules
+ rand_selected_dut.copy(src=ACL_RULE_SRC_FILE, dest=ACL_RULE_DST_FILE)
+ cmd_add_rules = "sonic-cfggen -j {} -w".format(ACL_RULE_DST_FILE)
+ cmd_rm_rules = "acl-loader delete CUSTOM_TABLE"
+
+ loganalyzer = LogAnalyzer(ansible_host=rand_selected_dut, marker_prefix="custom_acl")
+ loganalyzer.match_regex = [LOG_EXPECT_ACL_RULE_FAILED_RE]
+ try:
+ logger.info("Creating ACL rules in CUSTOM_TABLE")
+ with loganalyzer:
+ rand_selected_dut.shell(cmd_add_rules)
+ except LogAnalyzerError as err:
+ # Cleanup Config DB if failed
+ logger.error("ACL rule creation failed, attempting to clean-up...")
+ rand_selected_dut.shell(cmd_rm_rules)
+ raise err
+ yield
+ # Remove testing rules
+ logger.info("Removing testing ACL rules")
+ rand_selected_dut.shell(cmd_rm_rules)
+
+
+def build_testing_pkts(router_mac):
+ """
+ Generate packet for IO test
+ """
+ # The IPs and ports must be exactly the same with rules defined in acl_rules.json
+ SRC_IP = "192.168.0.2"
+ SRC_IPV6 = "fc02:1000::2"
+ DST_IP = "103.23.2.1"
+ DST_IPV6 = "103:23:2:1::1"
+ SRC_PORT = 8080
+ DST_PORT = 8080
+ SRC_RANGE_PORT = 8085
+ DST_RANGE_PORT = 8085
+
+ test_packets = {}
+ # Verify matching source IP and protocol
+ test_packets['RULE_1'] = testutils.simple_tcp_packet(eth_dst=router_mac,
+ ip_src=SRC_IP,
+ ip_dst='1.1.1.1')
+ # Verify matching destination IP and protocol
+ test_packets['RULE_2'] = testutils.simple_tcp_packet(eth_dst=router_mac,
+ ip_src='192.168.0.3',
+ ip_dst=DST_IP)
+ # Verify matching IPV6 source and next header
+ test_packets['RULE_3'] = testutils.simple_tcpv6_packet(eth_dst=router_mac,
+ ipv6_src=SRC_IPV6,
+ ipv6_dst='103:23:2:1::2')
+ # Verify matching IPV6 destination and next header
+ test_packets['RULE_4'] = testutils.simple_tcpv6_packet(eth_dst=router_mac,
+ ipv6_src='fc02:1000::3',
+ ipv6_dst=DST_IPV6)
+
+ # Verify matching source port (IPV4)
+ test_packets['RULE_5'] = testutils.simple_tcp_packet(eth_dst=router_mac,
+ ip_src='192.168.0.3',
+ ip_dst='1.1.1.1',
+ tcp_sport=SRC_PORT)
+ # Verify matching destination port (IPV6)
+ test_packets['RULE_6'] = testutils.simple_tcpv6_packet(eth_dst=router_mac,
+ ipv6_src='fc02:1000::3',
+ ipv6_dst='103:23:2:1::2',
+ tcp_dport=DST_PORT)
+ # Verify matching source port range (IPV4)
+ test_packets['RULE_7'] = testutils.simple_tcp_packet(eth_dst=router_mac,
+ ip_src='192.168.0.3',
+ ip_dst='1.1.1.1',
+ tcp_sport=SRC_RANGE_PORT)
+ # Verify matching destination port (IPV6)
+ test_packets['RULE_8'] = testutils.simple_tcpv6_packet(eth_dst=router_mac,
+ ipv6_src='fc02:1000::3',
+ ipv6_dst='103:23:2:1::2',
+ tcp_dport=DST_RANGE_PORT)
+
+ return test_packets
+
+
+def build_exp_pkt(input_pkt):
+ """
+ Generate the expected packet for given packet
+ """
+ exp_pkt = Mask(input_pkt)
+ exp_pkt.set_do_not_care_scapy(scapy.Ether, "dst")
+ exp_pkt.set_do_not_care_scapy(scapy.Ether, "src")
+ if input_pkt.haslayer('IP'):
+ exp_pkt.set_do_not_care_scapy(scapy.IP, "ttl")
+ exp_pkt.set_do_not_care_scapy(scapy.IP, "chksum")
+ else:
+ exp_pkt.set_do_not_care_scapy(scapy.IPv6, "hlim")
+
+ return exp_pkt
+
+
+def test_custom_acl(rand_selected_dut, tbinfo, ptfadapter, setup_acl_rules, toggle_all_simulator_ports_to_rand_selected_tor, setup_counterpoll_interval, remove_dataacl_table):
+ """
+ The test case is to verify the functionality of custom ACL table
+ Test steps
+ 1. Define a custom ACL table type by loading json configuration
+ 2. Create an ingress ACL table with the custom type
+ 3. Toggle all ports to active if the test is running on dual-tor
+ 4. Ingress packets from vlan port
+ 5. Verify the packets are egressed to uplinks
+ 6. Verify the counter of expected rule increases as expected
+ """
+ router_mac = rand_selected_dut.facts['router_mac']
+ mg_facts = rand_selected_dut.get_extended_minigraph_facts(tbinfo)
+
+ # Selected the first vlan port as source port
+ src_port = list(mg_facts['minigraph_vlans'].values())[0]['members'][0]
+ src_port_indice = mg_facts['minigraph_ptf_indices'][src_port]
+ # Put all portchannel members into dst_ports
+ dst_port_indices = []
+ for _, v in mg_facts['minigraph_portchannels'].iteritems():
+ for member in v['members']:
+ dst_port_indices.append(mg_facts['minigraph_ptf_indices'][member])
+
+ test_pkts = build_testing_pkts(router_mac)
+ for rule, pkt in test_pkts.items():
+ logger.info("Testing ACL rule {}".format(rule))
+ exp_pkt = build_exp_pkt(pkt)
+ # Send and verify packet
+ clear_acl_counter(rand_selected_dut)
+ ptfadapter.dataplane.flush()
+ testutils.send(ptfadapter, pkt=pkt, port_id=src_port_indice)
+ testutils.verify_packet_any_port(ptfadapter, exp_pkt, ports=dst_port_indices, timeout=5)
+ acl_counter = read_acl_counter(rand_selected_dut, rule)
+ # Verify acl counter
+ pytest_assert(acl_counter == 1, "ACL counter for {} didn't increase as expected".format(rule))
+
+
+
+
+
+
+
+
+
+
From 7816b13932f5e378734df5d667d2ab9c6490ba20 Mon Sep 17 00:00:00 2001
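Review bot: `mg_facts['minigraph_portchannels'].iteritems()` in test_custom_acl is a Python 2-only dict method, so under a Python 3 interpreter the test raises AttributeError before any packet is sent. The same function already calls `.values()` and `.items()` on the neighbouring lines, and the key is discarded as `_`, so the loop can read `for v in mg_facts['minigraph_portchannels'].values():`. This assumes mg_facts holds plain dicts, which the hunk suggests but does not show.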
From: bingwang Date: Mon, 28 Nov 2022 05:44:55 -0800 Subject: [PATCH 02/10] Empty line --- tests/acl/custom_acl_table/acl_rules.json | 2 +- tests/acl/custom_acl_table/test_custom_acl_table.py | 9 --------- 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/tests/acl/custom_acl_table/acl_rules.json b/tests/acl/custom_acl_table/acl_rules.json index 20ec8aba850..005fdc15ab7 100644 --- a/tests/acl/custom_acl_table/acl_rules.json +++ b/tests/acl/custom_acl_table/acl_rules.json @@ -55,4 +55,4 @@ "PRIORITY": "1" } } -} \ No newline at end of file +} diff --git a/tests/acl/custom_acl_table/test_custom_acl_table.py b/tests/acl/custom_acl_table/test_custom_acl_table.py index 4d436ad2d05..88fe15b479e 100644 --- a/tests/acl/custom_acl_table/test_custom_acl_table.py +++ b/tests/acl/custom_acl_table/test_custom_acl_table.py @@ -272,12 +272,3 @@ def test_custom_acl(rand_selected_dut, tbinfo, ptfadapter, setup_acl_rules, togg # Verify acl counter pytest_assert(acl_counter == 1, "ACL counter for {} didn't increase as expected".format(rule)) - - - - - - - - - From 813e5a8183d83badebe05f823f953cd4772b9038 Mon Sep 17 00:00:00 2001 From: bingwang-ms <66248323+bingwang-ms@users.noreply.github.com> Date: Tue, 29 Nov 2022 20:10:29 +0800 Subject: [PATCH 03/10] Add COUNTER action --- tests/acl/custom_acl_table/custom_acl_table.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/acl/custom_acl_table/custom_acl_table.json b/tests/acl/custom_acl_table/custom_acl_table.json index cfc2f36c25f..8b9b2ba60a8 100644 --- a/tests/acl/custom_acl_table/custom_acl_table.json +++ b/tests/acl/custom_acl_table/custom_acl_table.json @@ -2,7 +2,7 @@ "ACL_TABLE_TYPE": { "CUSTOM_TYPE": { "MATCHES": "SRC_IP,DST_IP,SRC_IPV6,DST_IPV6,ETHER_TYPE,IP_TYPE,IP_PROTOCOL,NEXT_HEADER,L4_SRC_PORT,L4_DST_PORT,L4_SRC_PORT_RANGE,L4_DST_PORT_RANGE", - "ACTIONS": "PACKET_ACTION", + "ACTIONS": "PACKET_ACTION,COUNTER", "BIND_POINTS": "PORT" } } 
From 1cd34ed5518d91c3987d1e5bd75db9f7e4485dae Mon Sep 17 00:00:00 2001 From: bingwang Date: Tue, 29 Nov 2022 05:22:22 -0800 Subject: [PATCH 04/10] Optimize DATAACL recovery --- .../custom_acl_table/test_custom_acl_table.py | 32 +++++++++---------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/tests/acl/custom_acl_table/test_custom_acl_table.py b/tests/acl/custom_acl_table/test_custom_acl_table.py index 88fe15b479e..82696ae2f2f 100644 --- a/tests/acl/custom_acl_table/test_custom_acl_table.py +++ b/tests/acl/custom_acl_table/test_custom_acl_table.py @@ -82,13 +82,15 @@ def remove_dataacl_table(rand_selected_dut): Remove DATAACL to free TCAM resources """ TABLE_NAME = "DATAACL" - lines = rand_selected_dut.shell(cmd="show acl table {}".format(TABLE_NAME))['stdout_lines'] - data_acl_existing = False - for line in lines: - if TABLE_NAME in line: - data_acl_existing = True - break - if not data_acl_existing: + data_acl_table = None + output = rand_selected_dut.shell("sonic-cfggen -d --var-json \"ACL_TABLE\"")['stdout'] + try: + acl_tables = json.loads(output) + if TABLE_NAME in acl_tables: + data_acl_table = {TABLE_NAME: acl_tables[TABLE_NAME]} + except ValueError as e: + pass + if data_acl_table is None: yield return # Remove DATAACL 
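Review bot: The new `except ValueError as e: pass` hides a failed parse of the `sonic-cfggen -d --var-json "ACL_TABLE"` output. In that case data_acl_table stays None, the fixture yields as if DATAACL were absent, and the test runs with the table still installed and no record of why. Log the failure at least, e.g. `logger.warning("Cannot parse ACL_TABLE from config DB: %s", e)`, or fail the fixture so that a later TCAM-related failure is not misattributed. The rest of remove_dataacl_table continues outside this hunk.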
@@ -96,16 +98,11 @@ def remove_dataacl_table(rand_selected_dut): rand_selected_dut.shell(cmd="config acl remove table {}".format(TABLE_NAME)) yield # Recover DATAACL - config_db_json = "/etc/sonic/config_db.json" - output = rand_selected_dut.shell("sonic-cfggen -j {} --var-json \"ACL_TABLE\"".format(config_db_json))['stdout'] - try: - entry = json.loads(output)[TABLE_NAME] - cmd_create_table = "config acl add table {} {} -p {} -s {}".format(TABLE_NAME, entry['type'], \ - ",".join(sorted(entry['ports'])), entry['stage']) - logger.info("Restoring ACL table {}".format(TABLE_NAME)) - rand_selected_dut.shell(cmd_create_table) - except Exception as e: - pytest.fail(str(e)) + data_acl = {} + data_acl['ACL_TABLE'] = data_acl_table + cmd = 'sonic-cfggen -a \'{}\' -w'.format(json.dumps(data_acl)) + logger.info("Restoring ACL table {}".format(TABLE_NAME)) + rand_selected_dut.shell(cmd) @pytest.fixture(scope='module') @@ -247,6 +244,7 @@ def test_custom_acl(rand_selected_dut, tbinfo, ptfadapter, setup_acl_rules, togg 5. Verify the packets are egressed to uplinks 6. Verify the counter of expected rule increases as expected """ + return router_mac = rand_selected_dut.facts['router_mac'] mg_facts = rand_selected_dut.get_extended_minigraph_facts(tbinfo) From 96ac4520cb637ea43b8275c3aa536abbff091a8a Mon Sep 17 00:00:00 2001 From: bingwang Date: Tue, 29 Nov 2022 05:26:58 -0800 Subject: [PATCH 05/10] Optimize DATAACL recovery --- tests/acl/custom_acl_table/test_custom_acl_table.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/acl/custom_acl_table/test_custom_acl_table.py b/tests/acl/custom_acl_table/test_custom_acl_table.py index 82696ae2f2f..51aa1f93a6f 100644 --- a/tests/acl/custom_acl_table/test_custom_acl_table.py +++ b/tests/acl/custom_acl_table/test_custom_acl_table.py 
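Review bot: In the restore path of remove_dataacl_table (the `@@ -96,16 +98,11 @@` hunk), `'sonic-cfggen -a \'{}\' -w'.format(json.dumps(data_acl))` splices JSON read back from the device into a single-quoted shell argument without escaping. A single quote in any field of the saved entry (a free-text description, for instance) ends the quoting early and the remainder is parsed by the shell, so DATAACL is not restored as saved. Quote the payload instead, `cmd = "sonic-cfggen -a {} -w".format(shlex.quote(json.dumps(data_acl)))`, with `import shlex` added at the top of the file (`pipes.quote` on Python 2). The old code reported a failed restore through `pytest.fail`; whether `shell()` raises on a non-zero exit is not visible here, so confirm a failed restore still fails the run. The start of the function lies in the previous hunk.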
@@ -244,7 +244,6 @@ def test_custom_acl(rand_selected_dut, tbinfo, ptfadapter, setup_acl_rules, togg 5. Verify the packets are egressed to uplinks 6. Verify the counter of expected rule increases as expected """ - return router_mac = rand_selected_dut.facts['router_mac'] mg_facts = rand_selected_dut.get_extended_minigraph_facts(tbinfo) From 82d72f970d4c5f245418e4a92593fb716cded21a Mon Sep 17 00:00:00 2001 From: bingwang Date: Wed, 30 Nov 2022 00:10:49 -0800 Subject: [PATCH 06/10] Remove hardcoded skip_release --- tests/acl/custom_acl_table/test_custom_acl_table.py | 6 ------ .../plugins/conditional_mark/tests_mark_conditions.yaml | 9 +++++++++ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/tests/acl/custom_acl_table/test_custom_acl_table.py b/tests/acl/custom_acl_table/test_custom_acl_table.py index 51aa1f93a6f..53852352431 100644 --- a/tests/acl/custom_acl_table/test_custom_acl_table.py +++ b/tests/acl/custom_acl_table/test_custom_acl_table.py @@ -8,7 +8,6 @@ import ptf.testutils as testutils -from tests.common.utilities import skip_release from tests.common.helpers.assertions import pytest_assert from tests.common.plugins.loganalyzer.loganalyzer import LogAnalyzer, LogAnalyzerError from tests.common.dualtor.mux_simulator_control import toggle_all_simulator_ports_to_rand_selected_tor @@ -30,11 +29,6 @@ LOG_EXPECT_ACL_RULE_FAILED_RE = ".*Failed to create ACL rule.*" -@pytest.fixture(scope='module', autouse=True) -def check_release(rand_selected_dut): - skip_release(rand_selected_dut, ["201811", "201911", "202012"]) - - @pytest.fixture(scope='module') def setup_counterpoll_interval(rand_selected_dut): """ diff --git a/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml b/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml index 9bb523dd1b9..1b4c5aa4081 100644 --- a/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml +++ b/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml 
@@ -987,3 +987,12 @@ vrf/test_vrf_attr.py::TestVrfAttrSrcMac::test_vrf1_neigh_with_default_router_mac reason: "RIF MAC taking precedence over VRF MAC" conditions: - "asic_type in ['barefoot']" + +####################################### +##### cutsom_acl ##### +####################################### +acl/custom_acl_table/test_custom_acl_table.py: + skip: + reason: "Custom ACL not supported on older releases" + conditions: + - "release in ['201811', '201911', '202012']" From 5fbcfdd7159312e503fa92341b318e6309646a6b Mon Sep 17 00:00:00 2001 From: bingwang Date: Wed, 30 Nov 2022 00:25:16 -0800 Subject: [PATCH 07/10] Remove hardcoded skip_release --- .../tests_mark_conditions.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml b/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml index 1b4c5aa4081..2c146825906 100644 --- a/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml +++ b/tests/common/plugins/conditional_mark/tests_mark_conditions.yaml @@ -15,6 +15,15 @@ acl/test_acl_outer_vlan.py: conditions: - "asic_type in ['cisco-8000']" +####################################### +##### cutsom_acl ##### +####################################### +acl/custom_acl_table/test_custom_acl_table.py: + skip: + reason: "Custom ACL not supported on older releases" + conditions: + - "release in ['201811', '201911', '202012']" + ####################################### ##### arp ##### ####################################### 
@@ -987,12 +996,3 @@ vrf/test_vrf_attr.py::TestVrfAttrSrcMac::test_vrf1_neigh_with_default_router_mac reason: "RIF MAC taking precedence over VRF MAC" conditions: - "asic_type in ['barefoot']" - -####################################### -##### cutsom_acl ##### -####################################### -acl/custom_acl_table/test_custom_acl_table.py: - skip: - reason: "Custom ACL not supported on older releases" - conditions: - - "release in ['201811', '201911', '202012']" From c27a2f51b27ba262da808d4a0f1cf2942db61a8c Mon Sep 17 00:00:00 2001 From: bingwang Date: Wed, 30 Nov 2022 16:47:24 -0800 Subject: [PATCH 08/10] Use show_and_parse --- .../acl/custom_acl_table/test_custom_acl_table.py | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/tests/acl/custom_acl_table/test_custom_acl_table.py b/tests/acl/custom_acl_table/test_custom_acl_table.py index 53852352431..af64b362194 100644 --- a/tests/acl/custom_acl_table/test_custom_acl_table.py +++ b/tests/acl/custom_acl_table/test_custom_acl_table.py @@ -39,7 +39,7 @@ def setup_counterpoll_interval(rand_selected_dut): time.sleep(10) yield # Restore default value 10 seconds - rand_selected_dut.shell('counterpoll acl interval 1000') + rand_selected_dut.shell('counterpoll acl interval 10000') def clear_acl_counter(dut): @@ -58,13 +58,10 @@ def read_acl_counter(dut, rule_name): """ cmd = 'aclshow -a -r {}'.format(rule_name) time.sleep(2) - output = dut.shell(cmd)['stdout_lines'] - for line in output: - fields = line.split() - if len(fields) != 5: - continue - if fields[0] == rule_name: - return int(fields[3]) + counters = dut.show_and_parse(cmd) + for counter in counters: + if counter['RULE NAME'] == rule_name: + return counter['PACKETS COUNT'] return 0 
@@ -262,4 +259,3 @@ def test_custom_acl(rand_selected_dut, tbinfo, ptfadapter, setup_acl_rules, togg acl_counter = read_acl_counter(rand_selected_dut, rule) # Verify acl counter pytest_assert(acl_counter == 1, "ACL counter for {} didn't increase as expected".format(rule)) - From f0996a93c3c00d14dae4966ea12b43e7b268a978 Mon Sep 17 00:00:00 2001 From: bingwang Date: Wed, 30 Nov 2022 18:22:20 -0800 Subject: [PATCH 09/10] Decrease matching fields --- tests/acl/custom_acl_table/acl_rules.json | 22 ---------- .../custom_acl_table/custom_acl_table.json | 2 +- .../custom_acl_table/test_custom_acl_table.py | 40 ++++++------------- 3 files changed, 14 insertions(+), 50 deletions(-) diff --git a/tests/acl/custom_acl_table/acl_rules.json b/tests/acl/custom_acl_table/acl_rules.json index 005fdc15ab7..ef1188d95a5 100644 --- a/tests/acl/custom_acl_table/acl_rules.json +++ b/tests/acl/custom_acl_table/acl_rules.json @@ -1,44 +1,22 @@ { "ACL_RULE": { - "CUSTOM_TABLE|RULE_1": { - "SRC_IP": "192.168.0.2/32", - "IP_PROTOCOL": "6", - "PACKET_ACTION": "FORWARD", - "PRIORITY": "9999" - }, "CUSTOM_TABLE|RULE_2": { "DST_IP": "103.23.2.1/32", "IP_PROTOCOL": "6", "PACKET_ACTION": "FORWARD", "PRIORITY": "9998" }, - "CUSTOM_TABLE|RULE_3": { - "SRC_IPV6": "fc02:1000::2/128", - "NEXT_HEADER": "6", - "PACKET_ACTION": "FORWARD", - "PRIORITY": "9997" - }, "CUSTOM_TABLE|RULE_4": { "DST_IPV6": "103:23:2:1::1/128", "NEXT_HEADER": "6", "PACKET_ACTION": "FORWARD", "PRIORITY": "9996" }, - "CUSTOM_TABLE|RULE_5": { - "L4_SRC_PORT": "8080", - "PACKET_ACTION": "FORWARD", - "PRIORITY": "9995" - }, "CUSTOM_TABLE|RULE_6": { "L4_DST_PORT": "8080", "PACKET_ACTION": "FORWARD", "PRIORITY": "9994" }, - "CUSTOM_TABLE|RULE_7": { - "L4_SRC_PORT_RANGE": "8081-8090", - "PACKET_ACTION": "FORWARD", - "PRIORITY": "9993" - }, "CUSTOM_TABLE|RULE_8": { "L4_DST_PORT_RANGE": "8081-8090", "PACKET_ACTION": "FORWARD", 
diff --git a/tests/acl/custom_acl_table/custom_acl_table.json b/tests/acl/custom_acl_table/custom_acl_table.json index 8b9b2ba60a8..35eb1fbe5ec 100644 --- a/tests/acl/custom_acl_table/custom_acl_table.json +++ b/tests/acl/custom_acl_table/custom_acl_table.json @@ -1,7 +1,7 @@ { "ACL_TABLE_TYPE": { "CUSTOM_TYPE": { - "MATCHES": "SRC_IP,DST_IP,SRC_IPV6,DST_IPV6,ETHER_TYPE,IP_TYPE,IP_PROTOCOL,NEXT_HEADER,L4_SRC_PORT,L4_DST_PORT,L4_SRC_PORT_RANGE,L4_DST_PORT_RANGE", + "MATCHES": "DST_IP,DST_IPV6,ETHER_TYPE,IP_TYPE,IP_PROTOCOL,NEXT_HEADER,L4_DST_PORT,L4_DST_PORT_RANGE", "ACTIONS": "PACKET_ACTION,COUNTER", "BIND_POINTS": "PORT" } diff --git a/tests/acl/custom_acl_table/test_custom_acl_table.py b/tests/acl/custom_acl_table/test_custom_acl_table.py index af64b362194..a3abae11e79 100644 --- a/tests/acl/custom_acl_table/test_custom_acl_table.py +++ b/tests/acl/custom_acl_table/test_custom_acl_table.py @@ -60,9 +60,9 @@ def read_acl_counter(dut, rule_name): time.sleep(2) counters = dut.show_and_parse(cmd) for counter in counters: - if counter['RULE NAME'] == rule_name: - return counter['PACKETS COUNT'] - + if counter['rule name'] == rule_name: + return int(counter['packets count']) + return 0 @@ -119,12 +119,12 @@ def setup_custom_acl_table(rand_selected_dut): logger.error("ACL table creation failed, attempting to clean-up...") rand_selected_dut.shell(cmd_remove_table) raise err - + yield logger.info("Removing ACL table and custom type") # Remove ACL table rand_selected_dut.shell(cmd_remove_table) - # Remove custom type + # Remove custom type rand_selected_dut.shell("sonic-db-cli CONFIG_DB del \'ACL_TABLE_TYPE|CUSTOM_TYPE\'") 
@@ -167,38 +167,24 @@ def build_testing_pkts(router_mac): DST_RANGE_PORT = 8085 test_packets = {} - # Verify matching source IP and protocol - test_packets['RULE_1'] = testutils.simple_tcp_packet(eth_dst=router_mac, - ip_src=SRC_IP, - ip_dst='1.1.1.1') + # Verify matching destination IP and protocol test_packets['RULE_2'] = testutils.simple_tcp_packet(eth_dst=router_mac, ip_src='192.168.0.3', ip_dst=DST_IP) - # Verify matching IPV6 source and next header - test_packets['RULE_3'] = testutils.simple_tcpv6_packet(eth_dst=router_mac, - ipv6_src=SRC_IPV6, - ipv6_dst='103:23:2:1::2') + # Verify matching IPV6 destination and next header test_packets['RULE_4'] = testutils.simple_tcpv6_packet(eth_dst=router_mac, ipv6_src='fc02:1000::3', ipv6_dst=DST_IPV6) - - # Verify matching source port (IPV4) - test_packets['RULE_5'] = testutils.simple_tcp_packet(eth_dst=router_mac, - ip_src='192.168.0.3', - ip_dst='1.1.1.1', - tcp_sport=SRC_PORT) + + # Verify matching destination port (IPV6) test_packets['RULE_6'] = testutils.simple_tcpv6_packet(eth_dst=router_mac, ipv6_src='fc02:1000::3', ipv6_dst='103:23:2:1::2', tcp_dport=DST_PORT) - # Verify matching source port range (IPV4) - test_packets['RULE_7'] = testutils.simple_tcp_packet(eth_dst=router_mac, - ip_src='192.168.0.3', - ip_dst='1.1.1.1', - tcp_sport=SRC_RANGE_PORT) + # Verify matching destination port (IPV6) test_packets['RULE_8'] = testutils.simple_tcpv6_packet(eth_dst=router_mac, ipv6_src='fc02:1000::3', 
@@ -232,12 +218,12 @@ def test_custom_acl(rand_selected_dut, tbinfo, ptfadapter, setup_acl_rules, togg 2. Create an ingress ACL table with the custom type 3. Toggle all ports to active if the test is running on dual-tor 4. Ingress packets from vlan port - 5. Verify the packets are egressed to uplinks + 5. Verify the packets are egressed to uplinks 6. Verify the counter of expected rule increases as expected """ router_mac = rand_selected_dut.facts['router_mac'] mg_facts = rand_selected_dut.get_extended_minigraph_facts(tbinfo) - + # Selected the first vlan port as source port src_port = list(mg_facts['minigraph_vlans'].values())[0]['members'][0] src_port_indice = mg_facts['minigraph_ptf_indices'][src_port] @@ -246,7 +232,7 @@ def test_custom_acl(rand_selected_dut, tbinfo, ptfadapter, setup_acl_rules, togg for _, v in mg_facts['minigraph_portchannels'].iteritems(): for member in v['members']: dst_port_indices.append(mg_facts['minigraph_ptf_indices'][member]) - + test_pkts = build_testing_pkts(router_mac) for rule, pkt in test_pkts.items(): logger.info("Testing ACL rule {}".format(rule)) From eb4176d2d6d86f58fd28e061c38ba5f661239856 Mon Sep 17 00:00:00 2001 From: bingwang Date: Wed, 30 Nov 2022 18:58:13 -0800 Subject: [PATCH 10/10] Match src port --- tests/acl/custom_acl_table/acl_rules.json | 10 ++++++++++ .../acl/custom_acl_table/custom_acl_table.json | 2 +- .../custom_acl_table/test_custom_acl_table.py | 17 +++++++++++------ 3 files changed, 22 insertions(+), 7 deletions(-) diff --git a/tests/acl/custom_acl_table/acl_rules.json b/tests/acl/custom_acl_table/acl_rules.json index ef1188d95a5..0725f65ab4a 100644 --- a/tests/acl/custom_acl_table/acl_rules.json +++ b/tests/acl/custom_acl_table/acl_rules.json 
@@ -12,11 +12,21 @@ "PACKET_ACTION": "FORWARD", "PRIORITY": "9996" }, + "CUSTOM_TABLE|RULE_5": { + "L4_SRC_PORT": "8080", + "PACKET_ACTION": "FORWARD", + "PRIORITY": "9995" + }, "CUSTOM_TABLE|RULE_6": { "L4_DST_PORT": "8080", "PACKET_ACTION": "FORWARD", "PRIORITY": "9994" }, + "CUSTOM_TABLE|RULE_7": { + "L4_SRC_PORT_RANGE": "8081-8090", + "PACKET_ACTION": "FORWARD", + "PRIORITY": "9993" + }, "CUSTOM_TABLE|RULE_8": { "L4_DST_PORT_RANGE": "8081-8090", "PACKET_ACTION": "FORWARD", diff --git a/tests/acl/custom_acl_table/custom_acl_table.json b/tests/acl/custom_acl_table/custom_acl_table.json index 35eb1fbe5ec..b2575817166 100644 --- a/tests/acl/custom_acl_table/custom_acl_table.json +++ b/tests/acl/custom_acl_table/custom_acl_table.json @@ -1,7 +1,7 @@ { "ACL_TABLE_TYPE": { "CUSTOM_TYPE": { - "MATCHES": "DST_IP,DST_IPV6,ETHER_TYPE,IP_TYPE,IP_PROTOCOL,NEXT_HEADER,L4_DST_PORT,L4_DST_PORT_RANGE", + "MATCHES": "DST_IP,DST_IPV6,ETHER_TYPE,IP_TYPE,IP_PROTOCOL,NEXT_HEADER,L4_SRC_PORT,L4_DST_PORT,L4_SRC_PORT_RANGE,L4_DST_PORT_RANGE", "ACTIONS": "PACKET_ACTION,COUNTER", "BIND_POINTS": "PORT" } diff --git a/tests/acl/custom_acl_table/test_custom_acl_table.py b/tests/acl/custom_acl_table/test_custom_acl_table.py index a3abae11e79..0be865dcfe7 100644 --- a/tests/acl/custom_acl_table/test_custom_acl_table.py +++ b/tests/acl/custom_acl_table/test_custom_acl_table.py @@ -157,8 +157,6 @@ def build_testing_pkts(router_mac): Generate packet for IO test """ # The IPs and ports must be exactly the same with rules defined in acl_rules.json - SRC_IP = "192.168.0.2" - SRC_IPV6 = "fc02:1000::2" DST_IP = "103.23.2.1" DST_IPV6 = "103:23:2:1::1" SRC_PORT = 8080 
@@ -177,15 +175,22 @@ def build_testing_pkts(router_mac): test_packets['RULE_4'] = testutils.simple_tcpv6_packet(eth_dst=router_mac, ipv6_src='fc02:1000::3', ipv6_dst=DST_IPV6) - - + # Verify matching source port (IPV4) + test_packets['RULE_5'] = testutils.simple_tcp_packet(eth_dst=router_mac, + ip_src='192.168.0.3', + ip_dst='1.1.1.1', + tcp_sport=SRC_PORT) # Verify matching destination port (IPV6) test_packets['RULE_6'] = testutils.simple_tcpv6_packet(eth_dst=router_mac, ipv6_src='fc02:1000::3', ipv6_dst='103:23:2:1::2', tcp_dport=DST_PORT) - - # Verify matching destination port (IPV6) + # Verify matching source port range (IPV4) + test_packets['RULE_7'] = testutils.simple_tcp_packet(eth_dst=router_mac, + ip_src='192.168.0.3', + ip_dst='1.1.1.1', + tcp_sport=SRC_RANGE_PORT) + # Verify matching destination port range (IPV6) test_packets['RULE_8'] = testutils.simple_tcpv6_packet(eth_dst=router_mac, ipv6_src='fc02:1000::3', ipv6_dst='103:23:2:1::2',
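Review bot: build_testing_pkts still builds only packets that are meant to hit a FORWARD rule, so nothing verifies that DEFAULT_DROP_RULE_V4 and DEFAULT_DROP_RULE_V6 from acl_rules.json actually drop unmatched traffic. A drop rule that was never programmed would go unnoticed, and for an ACL the deny path is the part most worth pinning. Add a case whose addresses and ports match none of the rules, check it with `testutils.verify_no_packet_any(ptfadapter, exp_pkt, ports=dst_port_indices)`, and assert that the counter of the corresponding default drop rule increases. The send/verify loop that would need the negative branch is in test_custom_acl, outside this hunk, and build_testing_pkts itself starts before it.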