From b9ccd38df49cca2f4bc86ccf93f6ef514b9d9137 Mon Sep 17 00:00:00 2001 From: Nils Semmelrock Date: Tue, 29 Mar 2022 17:20:22 +0200 Subject: [PATCH] chore(pipelined): blocking of local ipv6 addresses is tested Signed-off-by: Nils Semmelrock --- .../pipelined/tests/pipelined_test_util.py | 9 +- ...IpBlockLTE.test_blocking_ip_match.snapshot | 28 ++++++- ...ockLTEIpV6.test_blocking_ip_match.snapshot | 38 +++++++++ .../pipelined/tests/test_access_control.py | 83 ++++++++++++++++++- 4 files changed, 154 insertions(+), 4 deletions(-) create mode 100644 lte/gateway/python/magma/pipelined/tests/snapshots/test_access_control.AccessControlTestLocalIpBlockLTEIpV6.test_blocking_ip_match.snapshot diff --git a/lte/gateway/python/magma/pipelined/tests/pipelined_test_util.py b/lte/gateway/python/magma/pipelined/tests/pipelined_test_util.py index eac1ae41f6240..5d482a5bd0233 100644 --- a/lte/gateway/python/magma/pipelined/tests/pipelined_test_util.py +++ b/lte/gateway/python/magma/pipelined/tests/pipelined_test_util.py @@ -433,19 +433,22 @@ def create_service_manager( return service_manager -def _parse_flow(flow): +def _parse_flow(flow, ipv6_prefix_only=False): fields_to_remove = [ r'duration=[\d\w\.]*, ', r'idle_age=[\d]*, ', ] for field in fields_to_remove: flow = re.sub(field, '', flow) + if ipv6_prefix_only: + flow = re.sub(r'ipv6_dst=fe80::[0-9,a-f,:]+ ', 'ipv6_dst=fe80::linkLocalSuffix ', flow) return flow def _get_current_bridge_snapshot( bridge_name, service_manager, include_stats=True, + ipv6_prefix_only=False, ) -> List[str]: table_assignments = service_manager.get_all_table_assignments() # Currently, the unit test setup library does not set up the ryu api app. @@ -457,7 +460,7 @@ def _get_current_bridge_snapshot( table_assignments, include_stats=include_stats, ) - return [_parse_flow(flow) for flow in flows] + return [_parse_flow(flow, ipv6_prefix_only) for flow in flows] def fail( 
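Review bot: The character class `[0-9,a-f,:]+` in the substitution added to `_parse_flow` lists the comma as a literal member, and the comma is also the field separator in a flow line; `[0-9a-f:]+` is probably what was meant. Because every link-local suffix is rewritten to the same placeholder, the snapshot can only pin how many `fe80::` drop rules exist, not which addresses they cover, and that count presumably follows the interfaces of the host that runs the test. The flag name `ipv6_prefix_only` (also threaded through `_get_current_bridge_snapshot` and `assert_bridge_snapshot_match` in the later hunks) does not say that only link-local destinations are masked. A comment above the substitution such as `# link-local suffixes differ per host; mask them so snapshots stay comparable` would record the intent.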
@@ -518,6 +521,7 @@ def assert_bridge_snapshot_match( service_manager: ServiceManager, snapshot_name: Optional[str] = None, include_stats: bool = True, + ipv6_prefix_only: bool = False, ): """ Verifies the current bridge snapshot matches the snapshot saved in file for @@ -536,6 +540,7 @@ def assert_bridge_snapshot_match( bridge_name, service_manager, include_stats, + ipv6_prefix_only, ) snapshot_file, expected = expected_snapshot( diff --git a/lte/gateway/python/magma/pipelined/tests/snapshots/test_access_control.AccessControlTestLocalIpBlockLTE.test_blocking_ip_match.snapshot b/lte/gateway/python/magma/pipelined/tests/snapshots/test_access_control.AccessControlTestLocalIpBlockLTE.test_blocking_ip_match.snapshot index cf48880740e1e..3cc0870313bc1 100644 --- a/lte/gateway/python/magma/pipelined/tests/snapshots/test_access_control.AccessControlTestLocalIpBlockLTE.test_blocking_ip_match.snapshot +++ b/lte/gateway/python/magma/pipelined/tests/snapshots/test_access_control.AccessControlTestLocalIpBlockLTE.test_blocking_ip_match.snapshot 
@@ -1,12 +1,38 @@ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=100,icmp,reg1=0x1,nw_dst=10.1.0.1 actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3 + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=100,icmp6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3 cookie=0x0, table=access_control(main_table), n_packets=2, n_bytes=68, priority=10,ip,reg1=0x1,nw_dst=127.0.0.0/8 actions=drop cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=10.0.2.15 actions=drop cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.60.142 actions=drop cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.129.1 actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=172.17.0.1 actions=drop cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.128.1 actions=drop cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=10.1.0.1 actions=drop - cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=172.17.0.1 actions=drop cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.1.1 actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=::1 actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=2020::10 actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), 
n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), 
n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=0,reg1=0x10 actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3 cookie=0x0, table=access_control(main_table), n_packets=1, n_bytes=34, priority=0,reg1=0x1 actions=resubmit(,access_control(scratch_table_0)),set_field:0->reg0,set_field:0->reg3 cookie=0x0, table=access_control(scratch_table_0), n_packets=1, n_bytes=34, priority=0 actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3 diff --git a/lte/gateway/python/magma/pipelined/tests/snapshots/test_access_control.AccessControlTestLocalIpBlockLTEIpV6.test_blocking_ip_match.snapshot b/lte/gateway/python/magma/pipelined/tests/snapshots/test_access_control.AccessControlTestLocalIpBlockLTEIpV6.test_blocking_ip_match.snapshot new file mode 100644 index 0000000000000..8b35703229231 --- /dev/null 
+++ b/lte/gateway/python/magma/pipelined/tests/snapshots/test_access_control.AccessControlTestLocalIpBlockLTEIpV6.test_blocking_ip_match.snapshot 
@@ -0,0 +1,38 @@ + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=100,icmp,reg1=0x1,nw_dst=10.1.0.1 actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3 + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=100,icmp6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3 + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=127.0.0.0/8 actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=10.0.2.15 actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.60.142 actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.129.1 actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=172.17.0.1 actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.128.1 actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=10.1.0.1 actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.1.1 actions=drop + cookie=0x0, table=access_control(main_table), n_packets=1, n_bytes=54, priority=10,ipv6,reg1=0x1,ipv6_dst=::1 actions=drop + cookie=0x0, table=access_control(main_table), n_packets=1, n_bytes=54, priority=10,ipv6,reg1=0x1,ipv6_dst=2020::10 actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, 
table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, 
table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop + cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=0,reg1=0x10 actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3 + cookie=0x0, table=access_control(main_table), n_packets=1, n_bytes=54, priority=0,reg1=0x1 actions=resubmit(,access_control(scratch_table_0)),set_field:0->reg0,set_field:0->reg3 + cookie=0x0, table=access_control(scratch_table_0), n_packets=1, n_bytes=54, priority=0 actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3 diff --git a/lte/gateway/python/magma/pipelined/tests/test_access_control.py b/lte/gateway/python/magma/pipelined/tests/test_access_control.py index c32b7fa22738a..44865a744ac71 100644 --- a/lte/gateway/python/magma/pipelined/tests/test_access_control.py +++ b/lte/gateway/python/magma/pipelined/tests/test_access_control.py 
@@ -21,7 +21,10 @@ from magma.pipelined.openflow.magma_match import MagmaMatch from magma.pipelined.openflow.registers import Direction from magma.pipelined.tests.app.flow_query import RyuDirectFlowQuery as FlowQuery -from magma.pipelined.tests.app.packet_builder import IPPacketBuilder +from magma.pipelined.tests.app.packet_builder import ( + IPPacketBuilder, + IPv6PacketBuilder, +) from magma.pipelined.tests.app.packet_injector import ScapyPacketInjector from magma.pipelined.tests.app.start_pipelined import ( PipelinedController, @@ -120,6 +123,12 @@ def _setupSubscribers(self): default_ambr_config, self._tbl_num, ) + def _setupSubscribersIpV6(self): + return SubContextConfig( + 'IMSI001010000000013', 'ab42::74', + default_ambr_config, self._tbl_num, + ) + class AccessControlTestLTE(AbstractAccessControlTest): INBOUND_TEST_IP = '127.0.0.1' OUTBOUND_TEST_IP = '127.1.0.1' 
@@ -496,6 +505,72 @@ def test_blocking_ip_match(self): self, self.BRIDGE, self.service_manager, + ipv6_prefix_only=True, + ) + +class AccessControlTestLocalIpBlockLTEIpV6(AbstractAccessControlTest): + OUTBOUND_TEST_IP1 = '::1' + OUTBOUND_TEST_IP2 = '2020::10' + OUTBOUND_TEST_IP3 = 'ab23::42' + + @classmethod + def getConfig(cls): + config = { + 'setup_type': 'LTE', + 'allow_unknown_arps': False, + 'bridge_name': cls.BRIDGE, + 'bridge_ip_address': cls.BRIDGE_IP, + 'nat_iface': 'eth2', + 'enodeb_iface': 'eth1', + 'qos': {'enable': False}, + 'access_control': { + 'ip_blocklist': [], + 'block_agw_local_ips': True, + }, + 'clean_restart': True, + 'mtr_interface': 'mtr0', + } + return config + + @classmethod + def getMconfig(cls): + return PipelineD( + allowed_gre_peers=[{'ip': '1.2.3.4/24', 'key': 123}], + ) + + def test_blocking_ip_match(self): + """ + Inbound ip match test, checks that packets are properly matched when + the inbound traffic matches an ip in the blocklist. + + Assert: + Both packets are matched + Ip match flows are added + """ + sub = self._setupSubscribersIpV6() + + isolator = RyuDirectTableIsolator( + RyuForwardFlowArgsBuilder.from_subscriber(sub).build_requests(), + self.testing_controller, + ) + + # Set up packets + pkt_sender = ScapyPacketInjector(self.BRIDGE) + packets = [ + _build_default_ipv6_packet(self.MAC_DEST, self.OUTBOUND_TEST_IP1, sub.ip), + _build_default_ipv6_packet(self.MAC_DEST, self.OUTBOUND_TEST_IP2, sub.ip), + _build_default_ipv6_packet(self.MAC_DEST, self.OUTBOUND_TEST_IP3, sub.ip), + ] + + with isolator: + for packet in packets: + pkt_sender.send(packet) + + assert_bridge_snapshot_match( + self, + self.BRIDGE, + self.service_manager, + ipv6_prefix_only=True, ) 
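Review bot: The docstring of the new `AccessControlTestLocalIpBlockLTEIpV6.test_blocking_ip_match` still says "Inbound ip match test" and "Both packets are matched", but the test sends three packets to the `OUTBOUND_TEST_IP*` addresses. Judging by the snapshot counters, `::1` and `2020::10` are expected to hit drop rules while `ab23::42` falls through to the priority-0 rule, so the Assert section could read `Packets to ::1 and 2020::10 are dropped, the packet to ab23::42 is forwarded`. None of the three destinations is a link-local address, so the `fe80::` drop rules masked by `ipv6_prefix_only=True` stay at `n_packets=0` and are checked for presence only. `2020::10` is dropped although `ip_blocklist` is empty, so it is presumably an address configured on the test host; a comment on `OUTBOUND_TEST_IP2` naming its origin would help when the test runs elsewhere.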
@@ -504,3 +579,9 @@ def _build_default_ip_packet(mac, dst, src):
 .set_ip_layer(dst, src) \
 .set_ether_layer(mac, "00:00:00:00:00:00") \
 .build()
+
+def _build_default_ipv6_packet(mac, dst, src):
+ return IPv6PacketBuilder() \
+ .set_ip_layer(dst, src) \
+ .set_ether_layer(mac, "00:00:00:00:00:00") \
+ .build()