chore(pipelined): blocking of local ipv6 addresses is tested

Signed-off-by: Nils Semmelrock <nils.semmelrock@tngtech.com>
magma · Apr 1, 2022 · f7a8b7e · f7a8b7e
1 parent 76c5f93
commit f7a8b7e
Show file tree

Hide file tree

Showing 4 changed files with 154 additions and 4 deletions.
diff --git a/lte/gateway/python/magma/pipelined/tests/pipelined_test_util.py b/lte/gateway/python/magma/pipelined/tests/pipelined_test_util.py
@@ -433,19 +433,22 @@ def create_service_manager(
     return service_manager
 
 
-def _parse_flow(flow):
+def _parse_flow(flow, ipv6_prefix_only=False):
     fields_to_remove = [
         r'duration=[\d\w\.]*, ',
         r'idle_age=[\d]*, ',
     ]
     for field in fields_to_remove:
         flow = re.sub(field, '', flow)
+    if ipv6_prefix_only:
+        flow = re.sub(r'ipv6_dst=fe80::[0-9,a-f,:]+ ', 'ipv6_dst=fe80::linkLocalSuffix ', flow)
     return flow
 
 
 def _get_current_bridge_snapshot(
     bridge_name, service_manager,
     include_stats=True,
+    ipv6_prefix_only=False,
 ) -> List[str]:
     table_assignments = service_manager.get_all_table_assignments()
     # Currently, the unit test setup library does not set up the ryu api app.
@@ -457,7 +460,7 @@ def _get_current_bridge_snapshot(
         table_assignments,
         include_stats=include_stats,
     )
-    return [_parse_flow(flow) for flow in flows]
+    return [_parse_flow(flow, ipv6_prefix_only) for flow in flows]
 
 
 def fail(
@@ -518,6 +521,7 @@ def assert_bridge_snapshot_match(
     service_manager: ServiceManager,
     snapshot_name: Optional[str] = None,
     include_stats: bool = True,
+    ipv6_prefix_only: bool = False,
 ):
     """
     Verifies the current bridge snapshot matches the snapshot saved in file for
@@ -536,6 +540,7 @@ def assert_bridge_snapshot_match(
         bridge_name,
         service_manager,
         include_stats,
+        ipv6_prefix_only,
     )
 
     snapshot_file, expected = expected_snapshot(

diff --git a/...hots/test_access_control.AccessControlTestLocalIpBlockLTE.test_blocking_ip_match.snapshot b/...hots/test_access_control.AccessControlTestLocalIpBlockLTE.test_blocking_ip_match.snapshot
@@ -1,12 +1,38 @@
  cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=100,icmp,reg1=0x1,nw_dst=10.1.0.1 actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=100,icmp6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3
  cookie=0x0, table=access_control(main_table), n_packets=2, n_bytes=68, priority=10,ip,reg1=0x1,nw_dst=127.0.0.0/8 actions=drop
  cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=10.0.2.15 actions=drop
  cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.60.142 actions=drop
  cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.129.1 actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=172.17.0.1 actions=drop
  cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.128.1 actions=drop
  cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=10.1.0.1 actions=drop
- cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=172.17.0.1 actions=drop
  cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.1.1 actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=::1 actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=2020::10 actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
  cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=0,reg1=0x10 actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3
  cookie=0x0, table=access_control(main_table), n_packets=1, n_bytes=34, priority=0,reg1=0x1 actions=resubmit(,access_control(scratch_table_0)),set_field:0->reg0,set_field:0->reg3
  cookie=0x0, table=access_control(scratch_table_0), n_packets=1, n_bytes=34, priority=0 actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3
diff --git a/.../test_access_control.AccessControlTestLocalIpBlockLTEIpV6.test_blocking_ip_match.snapshot b/.../test_access_control.AccessControlTestLocalIpBlockLTEIpV6.test_blocking_ip_match.snapshot
@@ -0,0 +1,38 @@
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=100,icmp,reg1=0x1,nw_dst=10.1.0.1 actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=100,icmp6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=127.0.0.0/8 actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=10.0.2.15 actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.60.142 actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.129.1 actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=172.17.0.1 actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.128.1 actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=10.1.0.1 actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ip,reg1=0x1,nw_dst=192.168.1.1 actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=1, n_bytes=54, priority=10,ipv6,reg1=0x1,ipv6_dst=::1 actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=1, n_bytes=54, priority=10,ipv6,reg1=0x1,ipv6_dst=2020::10 actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=10,ipv6,reg1=0x1,ipv6_dst=fe80::linkLocalSuffix actions=drop
+ cookie=0x0, table=access_control(main_table), n_packets=0, n_bytes=0, priority=0,reg1=0x10 actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3
+ cookie=0x0, table=access_control(main_table), n_packets=1, n_bytes=54, priority=0,reg1=0x1 actions=resubmit(,access_control(scratch_table_0)),set_field:0->reg0,set_field:0->reg3
+ cookie=0x0, table=access_control(scratch_table_0), n_packets=1, n_bytes=54, priority=0 actions=resubmit(,middle(main_table)),set_field:0->reg0,set_field:0->reg3
diff --git a/lte/gateway/python/magma/pipelined/tests/test_access_control.py b/lte/gateway/python/magma/pipelined/tests/test_access_control.py
@@ -21,7 +21,10 @@
 from magma.pipelined.openflow.magma_match import MagmaMatch
 from magma.pipelined.openflow.registers import Direction
 from magma.pipelined.tests.app.flow_query import RyuDirectFlowQuery as FlowQuery
-from magma.pipelined.tests.app.packet_builder import IPPacketBuilder
+from magma.pipelined.tests.app.packet_builder import (
+    IPPacketBuilder, 
+    IPv6PacketBuilder,
+)
 from magma.pipelined.tests.app.packet_injector import ScapyPacketInjector
 from magma.pipelined.tests.app.start_pipelined import (
     PipelinedController,
@@ -120,6 +123,12 @@ def _setupSubscribers(self):
             default_ambr_config, self._tbl_num,
         )
 
+    def _setupSubscribersIpV6(self):
+        return SubContextConfig(
+            'IMSI001010000000013', 'ab42::74',
+            default_ambr_config, self._tbl_num,
+        )
+
 class AccessControlTestLTE(AbstractAccessControlTest):
     INBOUND_TEST_IP = '127.0.0.1'
     OUTBOUND_TEST_IP = '127.1.0.1'
@@ -496,6 +505,72 @@ def test_blocking_ip_match(self):
             self,
             self.BRIDGE,
             self.service_manager,
+            ipv6_prefix_only=True,
+        )
+
+class AccessControlTestLocalIpBlockLTEIpV6(AbstractAccessControlTest):
+    OUTBOUND_TEST_IP1 = '::1'
+    OUTBOUND_TEST_IP2 = '2020::10'
+    OUTBOUND_TEST_IP3 = 'ab23::42'
+
+    @classmethod
+    def getConfig(cls):
+        config = {
+                'setup_type': 'LTE',
+                'allow_unknown_arps': False,
+                'bridge_name': cls.BRIDGE,
+                'bridge_ip_address': cls.BRIDGE_IP,
+                'nat_iface': 'eth2',
+                'enodeb_iface': 'eth1',
+                'qos': {'enable': False},
+                'access_control': {
+                    'ip_blocklist': [],
+                    'block_agw_local_ips': True,
+                },
+                'clean_restart': True,
+                'mtr_interface': 'mtr0',
+            }
+        return config
+
+    @classmethod
+    def getMconfig(cls):
+        return PipelineD(
+                allowed_gre_peers=[{'ip': '1.2.3.4/24', 'key': 123}],
+            )
+
+    def test_blocking_ip_match(self):
+        """
+        Inbound ip match test, checks that packets are properly matched when
+        the inbound traffic matches an ip in the blocklist.
+
+        Assert:
+            Both packets are matched
+            Ip match flows are added
+        """
+        sub = self._setupSubscribersIpV6()
+
+        isolator = RyuDirectTableIsolator(
+            RyuForwardFlowArgsBuilder.from_subscriber(sub).build_requests(),
+            self.testing_controller,
+        )
+
+        # Set up packets
+        pkt_sender = ScapyPacketInjector(self.BRIDGE)
+        packets = [
+            _build_default_ipv6_packet(self.MAC_DEST, self.OUTBOUND_TEST_IP1, sub.ip),
+            _build_default_ipv6_packet(self.MAC_DEST, self.OUTBOUND_TEST_IP2, sub.ip),
+            _build_default_ipv6_packet(self.MAC_DEST, self.OUTBOUND_TEST_IP3, sub.ip),
+        ]
+
+        with isolator:
+            for packet in packets:
+                pkt_sender.send(packet)
+
+        assert_bridge_snapshot_match(
+            self,
+            self.BRIDGE,
+            self.service_manager,
+            ipv6_prefix_only=True,
         )
 
 
@@ -504,3 +579,9 @@ def _build_default_ip_packet(mac, dst, src):
         .set_ip_layer(dst, src) \
         .set_ether_layer(mac, "00:00:00:00:00:00") \
         .build()
+
+def _build_default_ipv6_packet(mac, dst, src):
+    return IPv6PacketBuilder() \
+        .set_ip_layer(dst, src) \
+        .set_ether_layer(mac, "00:00:00:00:00:00") \
+        .build()