diff --git a/ansible/roles/test/files/acstests/acltb_test.py b/ansible/roles/test/files/acstests/acltb_test.py
new file mode 100644
index 00000000000..eeb73a9f1d9
--- /dev/null
+++ b/ansible/roles/test/files/acstests/acltb_test.py
@@ -0,0 +1,266 @@
+'''
+Description: This file contains the ACL test for SONiC testbed
+
+ Implemented according to the https://github.com/Azure/SONiC/wiki/ACL-test-plan
+
+Usage: Examples of how to use:
+ ptf --test-dir acstests acltb_test.AclTest --platform remote -t 'router_mac="00:02:03:04:05:00";verbose=True;route_info="/tmp/route_info.txt"'
+'''
+
+#---------------------------------------------------------------------
+# Global imports
+#---------------------------------------------------------------------
+import random
+import time
+import logging
+import ptf.packet as scapy
+import socket
+import ptf.dataplane as dataplane
+
+from ptf.testutils import *
+from ptf.mask import Mask
+import ipaddress
+
+import os
+import logging
+import unittest
+
+import ptf
+from ptf.base_tests import BaseTest
+from ptf import config
+import ptf.dataplane as dataplane
+import ptf.testutils as testutils
+
+import pprint
+
+class AclTest(BaseTest):
+ '''
+ @summary: ACL tests on testbed topo: t1
+ '''
+
+ #---------------------------------------------------------------------
+ # Class variables
+ #---------------------------------------------------------------------
+ PORT_COUNT = 31 # temporary exclude the last port
+
+ def __init__(self):
+ '''
+ @summary: constructor
+ '''
+ BaseTest.__init__(self)
+ self.test_params = testutils.test_params_get()
+ #---------------------------------------------------------------------
+
+ def setUp(self):
+ '''
+ @summary: Setup for the test
+ '''
+
+ self.dataplane = ptf.dataplane_instance
+ self.router_mac = self.test_params['router_mac']
+
+ #---------------------------------------------------------------------
+
+ '''
+ For diagnostic purposes only
+ '''
+ def print_route_info(self):
+ pprint.pprint(self.route_info)
+ return
+ #---------------------------------------------------------------------
+
+ def verify_packet_any_port(self, pkt, ports=[], device_number=0):
+ """
+ @summary: Check that the packet is received on _any_ of the specified ports belonging to
+ the given device (default device_number is 0).
+
+ The function returns when either the expected packet is received or timeout (1 second).
+
+ Also verifies that the packet is or received on any other ports for this
+ device, and that no other packets are received on the device (unless --relax
+ is in effect).
+ @param pkt : packet to verify
+ @param ports : list of ports
+
+ @return: index of the port on which the packet is received and the packet.
+ """
+ received = False
+ match_index = 0
+ (rcv_device, rcv_port, rcv_pkt, pkt_time) = dp_poll(self, device_number=device_number, exp_pkt=pkt, timeout=1)
+
+ if rcv_port in ports:
+ match_index = ports.index(rcv_port)
+ received = True
+
+ return (match_index, rcv_pkt, received)
+ #---------------------------------------------------------------------
+
+ def runSendReceiveTest(self, pkt2send, src_port , pkt2recv, destination_ports):
+ """
+ @summary Send packet and verify it is received/not received on the expected ports
+ """
+
+ masked2recv = Mask(pkt2recv)
+ masked2recv.set_do_not_care_scapy(scapy.Ether, "dst")
+ masked2recv.set_do_not_care_scapy(scapy.Ether, "src")
+
+ send_packet(self, src_port, pkt2send)
+ (index, rcv_pkt, received) = self.verify_packet_any_port(masked2recv, destination_ports)
+
+ self.tests_total += 1
+
+ return received
+
+ #---------------------------------------------------------------------
+ def runAclTests(self, dst_ip, dst_ip_blocked, src_port, dst_ports):
+ """
+ @summary: Crete and send packet to verify each ACL rule
+ @return: Number of tests passed
+ """
+
+ tests_passed = 0
+ self.tests_total = 0
+
+ print "\nPort to sent packets to: %d" % src_port
+ print "Destination IP: %s" % dst_ip_blocked
+ print "Ports to expect packet from: ",
+ pprint.pprint(dst_ports)
+ print "Dst IP expected to be blocked: ", dst_ip_blocked
+
+ pkt0 = simple_tcp_packet(
+ eth_dst = self.router_mac,
+ eth_src = self.dataplane.get_mac(0, 0),
+ ip_src = "10.0.0.1",
+ ip_dst = dst_ip,
+ tcp_sport = 0x1234,
+ tcp_dport = 0x50,
+ ip_ttl = 64
+ )
+ #exp_pkt = pkt.deepcopy()
+ exp_pkt0 = simple_tcp_packet(
+ eth_dst = self.dataplane.get_mac(0, 0),
+ eth_src = self.router_mac,
+ ip_src = "10.0.0.1",
+ ip_dst = dst_ip,
+ tcp_sport = 0x1234,
+ tcp_dport = 0x50,
+ ip_ttl = 63
+ )
+
+ print ""
+ # Test #1 - Verify source IP match
+ pkt = pkt0.copy()
+ exp_pkt = exp_pkt0.copy()
+ pkt['IP'].src = "10.0.0.2"
+ exp_pkt['IP'].src = "10.0.0.2"
+ res = self.runSendReceiveTest(pkt, src_port, exp_pkt, dst_ports)
+ tests_passed += (0 if res else 1)
+ print "Test #1 %s" % ("FAILED" if res else "PASSED")
+
+ # Test #2 - Verify destination IP match
+ pkt = pkt0.copy()
+ exp_pkt = exp_pkt0.copy()
+ pkt['IP'].dst = dst_ip_blocked
+ exp_pkt['IP'].dst = dst_ip_blocked
+ res = self.runSendReceiveTest(pkt, src_port, exp_pkt, dst_ports)
+ tests_passed += (0 if res else 1)
+ print "Test #2 %s" % ("FAILED" if res else "PASSED")
+
+ # Test #3 - Verify L4 source port match
+ pkt = pkt0.copy()
+ exp_pkt = exp_pkt0.copy()
+ pkt['TCP'].sport = 0x1235
+ exp_pkt['TCP'].sport = 0x1235
+ res = self.runSendReceiveTest(pkt, src_port, exp_pkt, dst_ports)
+ tests_passed += (0 if res else 1)
+ print "Test #3 %s" % ("FAILED" if res else "PASSED")
+
+ # Test #4 - Verify L4 destination port match
+ pkt = pkt0.copy()
+ exp_pkt = exp_pkt0.copy()
+ pkt['TCP'].dport = 0x1235
+ exp_pkt['TCP'].dport = 0x1235
+ res = self.runSendReceiveTest(pkt, src_port, exp_pkt, dst_ports)
+ tests_passed += (0 if res else 1)
+ print "Test #4 %s" % ("FAILED" if res else "PASSED")
+
+ # Test #5 - Verify ether type match
+ pkt = pkt0.copy()
+ exp_pkt = exp_pkt0.copy()
+ pkt['Ethernet'].type = 0x1234
+ exp_pkt['Ethernet'].type = 0x1234
+ res = self.runSendReceiveTest(pkt, src_port, exp_pkt, dst_ports)
+ tests_passed += (0 if res else 1)
+ print "Test #5 %s" % ("FAILED" if res else "PASSED")
+
+ # Test #6 - Verify ip protocol match
+ pkt = pkt0.copy()
+ exp_pkt = exp_pkt0.copy()
+ pkt['IP'].proto = 0x7E
+ exp_pkt['IP'].proto = 0x7E
+ res = self.runSendReceiveTest(pkt, src_port, exp_pkt, dst_ports)
+ tests_passed += (0 if res else 1)
+ print "Test #6 %s" % ("FAILED" if res else "PASSED")
+
+ # Test #7 - Verify TCP flags match
+ pkt = pkt0.copy()
+ exp_pkt = exp_pkt0.copy()
+ pkt['TCP'].flags = 0x12
+ exp_pkt['TCP'].flags = 0x12
+ res = self.runSendReceiveTest(pkt, src_port, exp_pkt, dst_ports)
+ tests_passed += (0 if res else 1)
+ print "Test #7 %s" % ("FAILED" if res else "PASSED")
+
+ # Test #9 - Verify source port range match
+ pkt = pkt0.copy()
+ exp_pkt = exp_pkt0.copy()
+ pkt['TCP'].sport = 0x123A
+ exp_pkt['TCP'].sport = 0x123A
+ res = self.runSendReceiveTest(pkt, src_port, exp_pkt, dst_ports)
+ tests_passed += (0 if res else 1)
+ print "Test #9 %s" % ("FAILED" if res else "PASSED")
+
+ # Test #10 - Verify destination port range match
+ pkt = pkt0.copy()
+ exp_pkt = exp_pkt0.copy()
+ pkt['TCP'].dport = 0x123A
+ exp_pkt['TCP'].dport = 0x123A
+ res = self.runSendReceiveTest(pkt, src_port, exp_pkt, dst_ports)
+ tests_passed += (0 if res else 1)
+ print "Test #10 %s" % ("FAILED" if res else "PASSED")
+
+ # Test #11 - Verify rules priority
+ pkt = pkt0.copy()
+ exp_pkt = exp_pkt0.copy()
+ pkt['IP'].src = "10.0.0.3"
+ exp_pkt['IP'].src = "10.0.0.3"
+ res = self.runSendReceiveTest(pkt, src_port, exp_pkt, dst_ports)
+ tests_passed += (1 if res else 0)
+ print "Test #11 %s" % ("PASSED" if res else "FAILED")
+
+ return tests_passed, self.tests_total
+
+ #---------------------------------------------------------------------
+
+ def runTest(self):
+ """
+ @summary: Crete and send packet to verify each ACL rule
+ """
+
+ test_result = False
+
+ self.switch_info = open(self.test_params["switch_info"], 'r').readlines()
+ self.tor_ports = map(int, self.switch_info[0].rstrip(",\n").split(","))
+ self.spine_ports = map(int, self.switch_info[1].rstrip(",\n").split(","))
+ self.dest_ip_addr_spine = self.switch_info[2].strip()
+ self.dest_ip_addr_spine_blocked = self.switch_info[3].strip()
+ self.dest_ip_addr_tor = self.switch_info[4].strip()
+ self.dest_ip_addr_tor_blocked = self.switch_info[5].strip()
+
+ # Verify ACLs on tor port
+ (tests_passed, tests_total) = self.runAclTests(self.dest_ip_addr_spine, self.dest_ip_addr_spine_blocked, self.tor_ports[0], self.spine_ports)
+ assert(tests_passed == tests_total)
+
+ # Verify ACLs on spine port
+ (tests_passed, tests_total) = self.runAclTests(self.dest_ip_addr_tor, self.dest_ip_addr_tor_blocked, self.spine_ports[0], self.tor_ports)
+ assert(tests_passed == tests_total)
diff --git a/ansible/roles/test/tasks/acl/acltb_expect_messages.txt b/ansible/roles/test/tasks/acl/acltb_expect_messages.txt
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/ansible/roles/test/tasks/acl/acltb_ignore_messages.txt b/ansible/roles/test/tasks/acl/acltb_ignore_messages.txt
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/ansible/roles/test/tasks/acl/acltb_match_messages.txt b/ansible/roles/test/tasks/acl/acltb_match_messages.txt
new file mode 100644
index 00000000000..b6898ebbf4c
--- /dev/null
+++ b/ansible/roles/test/tasks/acl/acltb_match_messages.txt
@@ -0,0 +1 @@
+s, "removeNeighbor: Neighbor is still referenced"
diff --git a/ansible/roles/test/tasks/acltb.yml b/ansible/roles/test/tasks/acltb.yml
new file mode 100644
index 00000000000..bd10a48bb89
--- /dev/null
+++ b/ansible/roles/test/tasks/acltb.yml
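Review bot: Every packet sent by runAclTests carries a source port of 0x1234, 0x1235 or 0x123A (4660, 4661, 4666), and all three fall inside the `l4_src_port_range` `4656-4671` drop rule in acltb_test_rules.j2, so, assuming that range is inclusive, tests #1 to #10 would all report PASSED on the strength of that single rule even if the rule each one names were missing or broken. The drop tests also treat "not seen on `destination_ports` within 1 second" as success without first proving that the unmodified `pkt0` is forwarded, so a missing route, or a packet that arrives on a port outside the list, reads as a working ACL. I would move the base ports outside both configured ranges (for example `tcp_sport = 0x4321`), send `pkt0` first and require it to arrive, and only then run the drop cases. `assert(tests_passed == tests_total)` in runTest should become `self.assertEqual(tests_passed, tests_total)` so the verdict is not stripped under `python -O`.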
@@ -0,0 +1,20 @@
+#-----------------------------------------
+# Apply ACL configuration
+#-----------------------------------------
+- name: Acl test setup on testbed
+ include: acltb_configure.yml
+ tags: acltb_configure
+
+#-----------------------------------------
+# Run ACL test
+#-----------------------------------------
+- name: Acl test run on testbed
+ include: acltb_test.yml
+ tags: acltb_test
+
+#-----------------------------------------
+# Clean up ACL configuration
+#-----------------------------------------
+- name: Clean up ACL test configuration on the testbed
+ include: acltb_cleanup.yml
+ tags: acltb_cleanup
diff --git a/ansible/roles/test/tasks/acltb_cleanup.yml b/ansible/roles/test/tasks/acltb_cleanup.yml
new file mode 100644
index 00000000000..7c4b9495fa7
--- /dev/null
+++ b/ansible/roles/test/tasks/acltb_cleanup.yml
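Review bot: The cleanup include at the end of acltb.yml is reached only if the two includes before it succeed, so a failed PTF run or a loganalyzer `fail` inside acltb_test.yml leaves ACL_Testbed_Test_Table and its drop rules applied to the DUT ports for whatever test runs next. Putting the configure and test includes in a `block:` and acltb_cleanup.yml under `always:` would guarantee removal; the included files already use that pattern for loganalyzer_analyze.yml. A short comment above the cleanup step saying that it must run even on failure would make the intent clear to the next editor.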
@@ -0,0 +1,87 @@
+# Set facts for ACL configuration
+- set_fact:
+ acltb_configs:
+ - "{{ 'acltb_test_rules.json' }}"
+ - "{{ 'acltb_test_table.json' }}"
+
+# Set facts for the loganalizer
+- set_fact:
+ testname: acl
+ run_dir: /tmp
+ out_dir: /tmp/ansible-loganalyzer-results
+ test_match_file: acltb_match_messages.txt
+ test_ignore_file: acltb_ignore_messages.txt
+ test_expect_file: acltb_expect_messages.txt
+ match_file: loganalyzer_common_match.txt
+ ignore_file: loganalyzer_common_ignore.txt
+ tests_location: "{{ 'roles/test/tasks' }}"
+
+# Separate set_fact is required to be able to use 'testname' fact.
+- set_fact:
+ testname_unique: "{{ testname }}.{{ ansible_date_time.date}}.{{ ansible_date_time.hour}}-{{ ansible_date_time.minute}}-{{ ansible_date_time.second}}"
+
+# Separate set_fact is required to be able to use 'testname_unique' fact.
+- set_fact:
+ test_out_dir: "{{ out_dir }}/{{testname_unique}}"
+ match_file_list: "{{ run_dir }}/{{test_match_file}},{{ run_dir }}/{{match_file}}"
+ ignore_file_list: "{{ run_dir }}/{{test_ignore_file}},{{ run_dir }}/{{ignore_file}}"
+ result_file: result.loganalysis.{{testname_unique}}.log
+ summary_file: summary.loganalysis.{{testname_unique}}.log
+
+# Gather minigraph facts
+- name: Gathering minigraph facts about the device
+ minigraph_facts: host={{ inventory_hostname }}
+ become: no
+ connection: local
+
+- name: Read port reverse alias mapping
+ set_fact:
+ alias_reverse_map: "{{ lookup('file', 'roles/sonicv2/files/ssw/{{ sonic_hwsku }}/alias_reverse_map.json') | from_json }}"
+
+# Generate json files with ACL configuration for tests
+- template: src=acltb_test_table.j2 dest=/tmp/acltb_test_table.json
+ connection: local
+
+- template: src=acltb_test_rules.j2 dest=/tmp/acltb_test_rules.json
+ connection: local
+
+# Copy ACL config to the swss container via the switch
+- name: Copy ACL config file to the DUT
+ copy: src="/tmp/{{ item }}" dest="/tmp/{{ item }}"
+ with_items:
+ - "{{ acltb_configs }}"
+
+- name: Copy ACL config file to the swss container
+ command: docker cp "/tmp/{{ item }}" swss:/etc/swss/config.d/"{{ item }}"
+ with_items:
+ - "{{ acltb_configs }}"
+
+- name: Create ACL configuration to delete rules/tables
+ command: docker exec -t swss bash -c "sed -i 's/SET/DEL/g' /etc/swss/config.d/{{ item }}"
+ with_items:
+ - "{{ acltb_configs }}"
+
+- include: roles/test/files/tools/loganalyzer/loganalyzer_init.yml
+
+- block:
+ - name: Apply ACL delete configuration
+ command: docker exec -t swss bash -c "swssconfig /etc/swss/config.d/{{ item }}"
+ with_items:
+ - "{{ acltb_configs }}"
+ always:
+ - include: roles/test/files/tools/loganalyzer/loganalyzer_analyze.yml
+
+ # Output content of result files to ansible console
+ - shell: cat {{ test_out_dir }}/*
+ register: out
+ - debug: var=out.stdout_lines
+
+ - name: Get the total number of error messages.
+ shell: grep "TOTAL MATCHES" "{{ test_out_dir }}/{{ summary_file }}" | sed -n "s/TOTAL MATCHES:[[:space:]]*//p"
+ register: errors_found
+
+ - name: Check the number of error messages (positive tests only).
+ fail: msg="{{ errors_found.stdout }} errors found while running {{ testname }} test. Please see {{ test_out_dir }}/{{ result_file }}"
+ when: errors_found.stdout != "0"
+
+ - include: roles/test/files/tools/loganalyzer/loganalyzer_end.yml
diff --git a/ansible/roles/test/tasks/acltb_configure.yml b/ansible/roles/test/tasks/acltb_configure.yml
new file mode 100644
index 00000000000..f1ef50f5eff
--- /dev/null
+++ b/ansible/roles/test/tasks/acltb_configure.yml
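Review bot: The `sed -i 's/SET/DEL/g'` step in "Create ACL configuration to delete rules/tables" rewrites every occurrence of the substring SET in the JSON, not only the operation field, so a table or rule name that ever contains SET would be renamed and the delete would target a key that was never created, leaving the real drop rule installed. Matching the whole field as the templates emit it, `"OP": "SET"` to `"OP": "DEL"` (with the quotes escaped for the surrounding `bash -c`), confines the rewrite to the operation. The rewritten files are also left behind in /etc/swss/config.d/ and /tmp; if swss reads that directory at start-up, which is not visible here, they should be removed once swssconfig has run.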
@@ -0,0 +1,82 @@
+# Set facts for ACL configuration
+- set_fact:
+ acltb_configs:
+ - "{{ 'acltb_test_table.json' }}"
+ - "{{ 'acltb_test_rules.json' }}"
+
+# Set facts for the loganalizer
+- set_fact:
+ testname: acl
+ run_dir: /tmp
+ out_dir: /tmp/ansible-loganalyzer-results
+ test_match_file: acltb_match_messages.txt
+ test_ignore_file: acltb_ignore_messages.txt
+ test_expect_file: acltb_expect_messages.txt
+ match_file: loganalyzer_common_match.txt
+ ignore_file: loganalyzer_common_ignore.txt
+ tests_location: "{{ 'roles/test/tasks' }}"
+
+# Separate set_fact is required to be able to use 'testname' fact.
+- set_fact:
+ testname_unique: "{{ testname }}.{{ ansible_date_time.date}}.{{ ansible_date_time.hour}}-{{ ansible_date_time.minute}}-{{ ansible_date_time.second}}"
+
+# Separate set_fact is required to be able to use 'testname_unique' fact.
+- set_fact:
+ test_out_dir: "{{ out_dir }}/{{testname_unique}}"
+ match_file_list: "{{ run_dir }}/{{test_match_file}},{{ run_dir }}/{{match_file}}"
+ ignore_file_list: "{{ run_dir }}/{{test_ignore_file}},{{ run_dir }}/{{ignore_file}}"
+ result_file: result.loganalysis.{{testname_unique}}.log
+ summary_file: summary.loganalysis.{{testname_unique}}.log
+
+# Gather minigraph facts
+- name: Gathering minigraph facts about the device
+ minigraph_facts: host={{ inventory_hostname }}
+ become: no
+ connection: local
+
+- name: Read port reverse alias mapping
+ set_fact:
+ alias_reverse_map: "{{ lookup('file', 'roles/sonicv2/files/ssw/{{ sonic_hwsku }}/alias_reverse_map.json') | from_json }}"
+
+# Generate json files with ACL configuration for tests
+- template: src=acltb_test_table.j2 dest=/tmp/acltb_test_table.json
+ connection: local
+
+- template: src=acltb_test_rules.j2 dest=/tmp/acltb_test_rules.json
+ connection: local
+
+# Copy ACL config to the swss container via the switch
+- name: Copy ACL config file to the DUT
+ copy: src="/tmp/{{ item }}" dest="/tmp/{{ item }}"
+ with_items:
+ - "{{ acltb_configs }}"
+
+- name: Copy ACL config file to the swss container
+ command: docker cp "/tmp/{{ item }}" swss:/etc/swss/config.d/"{{ item }}"
+ with_items:
+ - "{{ acltb_configs }}"
+
+- include: roles/test/files/tools/loganalyzer/loganalyzer_init.yml
+
+- block:
+ - name: Apply ACL configuration
+ command: docker exec -t swss bash -c "swssconfig /etc/swss/config.d/{{ item }}"
+ with_items:
+ - "{{ acltb_configs }}"
+ always:
+ - include: roles/test/files/tools/loganalyzer/loganalyzer_analyze.yml
+
+ # Output content of result files to ansible console
+ - shell: cat {{ test_out_dir }}/*
+ register: out
+ - debug: var=out.stdout_lines
+
+ - name: Get the total number of error messages.
+ shell: grep "TOTAL MATCHES" "{{ test_out_dir }}/{{ summary_file }}" | sed -n "s/TOTAL MATCHES:[[:space:]]*//p"
+ register: errors_found
+
+ - name: Check the number of error messages (positive tests only).
+ fail: msg="{{ errors_found.stdout }} errors found while running {{ testname }} test. Please see {{ test_out_dir }}/{{ result_file }}"
+ when: errors_found.stdout != "0"
+
+ - include: roles/test/files/tools/loganalyzer/loganalyzer_end.yml
diff --git a/ansible/roles/test/tasks/acltb_test.yml b/ansible/roles/test/tasks/acltb_test.yml
new file mode 100644
index 00000000000..4d65ba1fb8e
--- /dev/null
+++ b/ansible/roles/test/tasks/acltb_test.yml
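Review bot: Both `template:` tasks render with `connection: local` to fixed names under /tmp on the control host, and the files are then copied to the same fixed names on the DUT. Two hosts in one play, or two runs sharing a control host, would therefore overwrite each other's `acltb_test_table.json`, whose `ports` list is built per device, and the ACL that gets applied depends on whoever last wrote a world-writable location. Rendering straight onto the DUT with `template: src=acltb_test_table.j2 dest=/tmp/acltb_test_table.json` and no `connection: local`, or into a per-run directory keyed on `inventory_hostname`, removes the shared path. acltb_cleanup.yml repeats these tasks, and acltb_test.yml does the same with `/tmp/acltb_switch_info.txt`.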
@@ -0,0 +1,96 @@
+#-----------------------------------------
+# Run ACL test and Perform log analysis.
+#-----------------------------------------
+
+# Pre-check testbed_type value
+- fail: msg="testbed_type is not defined."
+ when: testbed_type is not defined
+
+- fail: msg="testbed_type {{testbed_type}} is invalid."
+ when: testbed_type not in ['t1-lag', 't1']
+
+- include_vars: "vars/topo_{{testbed_type}}.yml"
+
+# Gather minigraph facts
+- name: Gathering minigraph facts about the device
+ minigraph_facts: host={{ inventory_hostname }}
+ become: no
+ connection: local
+
+- name: Read port reverse alias mapping
+ set_fact:
+ alias_reverse_map: "{{ lookup('file', 'roles/sonicv2/files/ssw/{{ sonic_hwsku }}/alias_reverse_map.json') | from_json }}"
+
+- name: Expand properties into props
+ set_fact: props="{{configuration_properties['spine']}}"
+ when: testbed_type in ['t1', 't1-lag']
+
+# Generate file with switch information
+- template: src=acltb.j2 dest=/tmp/acltb_switch_info.txt
+ connection: local
+
+- name: Copy switch info file to the PTF host
+ copy: src=/tmp/acltb_switch_info.txt dest=/tmp/acltb_switch_info.txt
+ delegate_to: "{{ ptf_host }}"
+
+- set_fact:
+ testname: acl
+ run_dir: /tmp
+ out_dir: /tmp/ansible-loganalyzer-results
+ test_match_file: acltb_match_messages.txt
+ test_ignore_file: acltb_ignore_messages.txt
+ test_expect_file: acltb_expect_messages.txt
+ match_file: loganalyzer_common_match.txt
+ ignore_file: loganalyzer_common_ignore.txt
+ tests_location: "{{ 'roles/test/tasks' }}"
+
+# Separate set_fact is required to be able to use 'testname' fact.
+- set_fact:
+ testname_unique: "{{ testname }}.{{ ansible_date_time.date}}.{{ ansible_date_time.hour}}-{{ ansible_date_time.minute}}-{{ ansible_date_time.second}}"
+
+# Separate set_fact is required to be able to use 'testname_unique' fact.
+- set_fact:
+ test_out_dir: "{{ out_dir }}/{{testname_unique}}"
+ match_file_list: "{{ run_dir }}/{{test_match_file}},{{ run_dir }}/{{match_file}}"
+ ignore_file_list: "{{ run_dir }}/{{test_ignore_file}},{{ run_dir }}/{{ignore_file}}"
+ result_file: result.loganalysis.{{testname_unique}}.log
+ summary_file: summary.loganalysis.{{testname_unique}}.log
+
+- name: Copy the ACL test to PTF container
+ become: true
+ copy: src=roles/test/files/acstests/acltb_test.py dest=/root/test/
+ delegate_to: "{{ ptf_host }}"
+
+- include: roles/test/files/tools/loganalyzer/loganalyzer_init.yml
+
+# Run the ACL PTF test
+- block:
+ - name: Run the test
+ include: ptf_runner.yml
+ vars:
+ ptf_test_name: ACL Test
+ ptf_test_dir: test
+ ptf_test_path: acltb_test.AclTest
+ ptf_platform: remote
+ ptf_test_params:
+ - verbose=True
+ - router_mac=\"{{ ansible_Ethernet0['macaddress'] }}\"
+ - switch_info=\"/tmp/acltb_switch_info.txt\"
+
+ always:
+ - include: roles/test/files/tools/loganalyzer/loganalyzer_analyze.yml
+
+ # Output content of result files to ansible console
+ - shell: cat {{ test_out_dir }}/*
+ register: out
+ - debug: var=out.stdout_lines
+
+ - name: Get the total number of error messages.
+ shell: grep "TOTAL MATCHES" "{{ test_out_dir }}/{{ summary_file }}" | sed -n "s/TOTAL MATCHES:[[:space:]]*//p"
+ register: errors_found
+
+ - name: Check the number of error messages (positive tests only).
+ fail: msg="{{ errors_found.stdout }} errors found while running {{ testname }} test. Please see {{ test_out_dir }}/{{ result_file }}"
+ when: errors_found.stdout != "0"
+
+ - include: roles/test/files/tools/loganalyzer/loganalyzer_end.yml
diff --git a/ansible/roles/test/tasks/sonic.yml b/ansible/roles/test/tasks/sonic.yml
index 5dc71725ab7..d94a4917671 100644
--- a/ansible/roles/test/tasks/sonic.yml
+++ b/ansible/roles/test/tasks/sonic.yml
@@ -68,6 +68,9 @@ include: fib.yml tags: fib +- name: Acl test setup on testbed + include: acltb.yml + - name: Test ACL include: acl.yml tags: acl diff --git a/ansible/roles/test/templates/acltb.j2 b/ansible/roles/test/templates/acltb.j2 new file mode 100644 index 00000000000..e30d899d605 --- /dev/null +++ b/ansible/roles/test/templates/acltb.j2 @@ -0,0 +1,10 @@ +{# tor ports #} +{% for ifname, v in minigraph_neighbors.iteritems() %}{% if "T0" in v.name %}{{ '%d' % (alias_reverse_map[ifname]|replace("Ethernet","")|int / 4)}},{% endif %}{% endfor %} + +{# spine ports #} +{% for ifname, v in minigraph_neighbors.iteritems() %}{% if "T2" in v.name %}{{ '%d' % (alias_reverse_map[ifname]|replace("Ethernet","")|int / 4)}},{% endif %}{% endfor %} + +192.168.0.0 +192.168.0.16 +172.16.1.0 +172.16.2.0 diff --git a/ansible/roles/test/templates/acltb_test_rules.j2 b/ansible/roles/test/templates/acltb_test_rules.j2 new file mode 100644 index 00000000000..cb842e3adba --- /dev/null +++ b/ansible/roles/test/templates/acltb_test_rules.j2 
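Review bot: The last address in acltb.j2, `172.16.2.0`, is read by acltb_test.py as the blocked destination for the spine-port run, but the only `dst_ip` rule in acltb_test_rules.j2 is rendered from `192.168.{{ podset }}.{{ tor * 16 }}`, which appears to come out as 192.168.0.16, so nothing visible in this change drops 172.16.2.0 by destination. Test #2 in that direction therefore cannot be exercising Rule02, and a pass there must come from some other rule or from the packet simply not being delivered. Either add a second `dst_ip` rule for this address or derive all four addresses from the same variables the rules template uses. A `{# ... #}` comment on each address naming the `switch_info` index it feeds in acltb_test.py would also document the otherwise implicit line-order contract.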
@@ -0,0 +1,109 @@
+{% set break = 0 %}
+{% set acltb_dst_ip_block = "" %}
+{% set acltb_dst_ip_priority = "" %}
+{% for podset in range(0, podset_number) if break == 0 %}
+{% for tor in range(0, 15) if break == 0 %}
+{% if loop.index == 2 %}
+[
+ {
+ "ACL_RULE_TABLE:ACL_Testbed_Test_Table:Rule01_SRC_IP_test": {
+ "priority" : "50",
+ "src_ip" : "10.0.0.2",
+ "packet_action" : "drop"
+ },
+ "OP": "SET"
+ },
+ {
+ "ACL_RULE_TABLE:ACL_Testbed_Test_Table:Rule02_DST_IP_test": {
+ "priority" : "50",
+ "dst_ip" : "192.168.{{ podset }}.{{ tor * 16 }}",
+ "packet_action" : "drop"
+ },
+ "OP": "SET"
+ },
+ {
+ "ACL_RULE_TABLE:ACL_Testbed_Test_Table:Rule03_SRC_port_test": {
+ "priority" : "50",
+ "l4_src_port" : "0x1235",
+ "packet_action" : "drop"
+ },
+ "OP": "SET"
+ },
+ {
+ "ACL_RULE_TABLE:ACL_Testbed_Test_Table:Rule04_DST_port_test": {
+ "priority" : "50",
+ "l4_dst_port" : "0x1235",
+ "packet_action" : "drop"
+ },
+ "OP": "SET"
+ },
+ {
+ "ACL_RULE_TABLE:ACL_Testbed_Test_Table:Rule05_Ethertype_test": {
+ "priority" : "50",
+ "ether_type" : "0x1234",
+ "packet_action" : "drop"
+ },
+ "OP": "SET"
+ },
+ {
+ "ACL_RULE_TABLE:ACL_Testbed_Test_Table:Rule06_IP_protocol_test": {
+ "priority" : "50",
+ "ip_protocol" : "0x7E",
+ "packet_action" : "drop"
+ },
+ "OP": "SET"
+ },
+ {
+ "ACL_RULE_TABLE:ACL_Testbed_Test_Table:Rule07_tcp_flags_test": {
+ "priority" : "50",
+ "tcp_flags" : "0x12/0x12",
+ "packet_action" : "drop"
+ },
+ "OP": "SET"
+ },
+ {
+ "ACL_RULE_TABLE:ACL_Testbed_Test_Table:Rule08_IP_type_test": {
+ "priority" : "50",
+ "ip_type" : "IPv6ANY",
+ "packet_action" : "drop"
+ },
+ "OP": "SET"
+ },
+ {
+ "ACL_RULE_TABLE:ACL_Testbed_Test_Table:Rule091_SRC_port_range_test": {
+ "priority" : "50",
+ "l4_src_port_range" : "4656-4671",
+ "packet_action" : "drop"
+ },
+ "OP": "SET"
+ },
+ {
+ "ACL_RULE_TABLE:ACL_Testbed_Test_Table:Rule0A1_DST_port_range_test": {
+ "priority" : "50",
+ "l4_dst_port_range" : "4640-4687",
+ "packet_action" : "drop"
+ },
+ "OP": "SET"
+ },
+ {
+ "ACL_RULE_TABLE:ACL_Testbed_Test_Table:RuleB1_Priority_test_drop": {
+ "priority" : "50",
+ "src_ip" : "10.0.0.3",
+ "packet_action" : "drop"
+ },
+ "OP": "SET"
+ },
+ {
+ "ACL_RULE_TABLE:ACL_Testbed_Test_Table:RuleB2_Priority_test_permit": {
+ "priority" : "51",
+ "src_ip" : "10.0.0.3",
+ "packet_action" : "forward"
+ },
+ "OP": "SET"
+ }
+]
+{% set break = 1 %}
+{% endif %}
+{% endfor %}
+{% set break = 1 %}
+{% endfor %}
diff --git a/ansible/roles/test/templates/acltb_test_table.j2 b/ansible/roles/test/templates/acltb_test_table.j2
new file mode 100644
index 00000000000..ad171fccbc8
--- /dev/null
+++ b/ansible/roles/test/templates/acltb_test_table.j2
@@ -0,0 +1,10 @@
+[
+ {
+ "ACL_TABLE:ACL_Testbed_Test_Table": {
+ "policy_desc" : "This_table_contains_rules_needed_for_the_testbed_regression_tests",
+ "type" : "L3",
+ "ports" : "{% for ifname, v in minigraph_neighbors.iteritems() %}{{"%s" % alias_reverse_map[ifname]}},{% endfor %}"
+ },
+ "OP": "SET"
+ }
+]
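Review bot: The `break` flag in acltb_test_rules.j2 does not behave the way the two loops assume: in Jinja2 a `{% set %}` inside a `for` body is scoped to the loop, so the `if break == 0` filters keep seeing the outer 0 and the only thing limiting output is `loop.index == 2`. With `podset_number` greater than 1 the whole array would be emitted once per podset, giving a file that is not a single JSON document and a Rule02 address that no longer matches the one hard-coded in acltb.j2. Since only podset 0 and tor 1 are ever used, dropping both loops and writing `"dst_ip" : "192.168.0.16"`, or one variable shared with acltb.j2, is simpler; `acltb_dst_ip_block` and `acltb_dst_ip_priority` are set but never referenced. Rule08 (`ip_type`) has no counterpart in acltb_test.py, which goes from test #7 to #9, so that rule is installed but never verified.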