Commit 7c0b56a

Add 4 test cases for external_client_acl, including single port and port range for ipv4 and ipv6
Signed-off-by: Zhaohui Sun <[email protected]>
1 parent d992dc0 commit 7c0b56a


2 files changed

+211
-0
lines changed

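--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE/test_external_client_acl.py
@@ -0,0 +1,44 @@
+import os
+import sys
+
+from swsscommon import swsscommon
+from parameterized import parameterized
+from sonic_py_common.general import load_module_from_source
+from unittest import TestCase, mock
+from pyfakefs.fake_filesystem_unittest import patchfs
+
+from .test_external_client_acl_vectors import EXTERNAL_CLIENT_ACL_TEST_VECTOR
+from tests.common.mock_configdb import MockConfigDb
+
+
+DBCONFIG_PATH = '/var/run/redis/sonic-db/database_config.json'
+
+
+class TestCaclmgrdExternalClientAcl(TestCase):
+    """
+    Test caclmgrd EXTERNAL_CLIENT_ACL
+    """
+    def setUp(self):
+        swsscommon.ConfigDBConnector = MockConfigDb
+        test_path = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+        modules_path = os.path.dirname(test_path)
+        scripts_path = os.path.join(modules_path, "scripts")
+        sys.path.insert(0, modules_path)
+        caclmgrd_path = os.path.join(scripts_path, 'caclmgrd')
+        self.caclmgrd = load_module_from_source('caclmgrd', caclmgrd_path)
+
+    @parameterized.expand(EXTERNAL_CLIENT_ACL_TEST_VECTOR)
+    @patchfs
+    def test_caclmgrd_external_client_acl(self, test_name, test_data, fs):
+        if not os.path.exists(DBCONFIG_PATH):
+            fs.create_file(DBCONFIG_PATH) # fake database_config.json
+
+        MockConfigDb.set_config_db(test_data["config_db"])
+        self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ip = mock.MagicMock()
+        self.caclmgrd.ControlPlaneAclManager.get_namespace_mgmt_ipv6 = mock.MagicMock()
+        self.caclmgrd.ControlPlaneAclManager.generate_block_ip2me_traffic_iptables_commands = mock.MagicMock(return_value=[])
+        self.caclmgrd.ControlPlaneAclManager.get_chain_list = mock.MagicMock(return_value=["INPUT", "FORWARD", "OUTPUT"])
+        caclmgrd_daemon = self.caclmgrd.ControlPlaneAclManager("caclmgrd")
+
+        iptables_rules_ret, _ = caclmgrd_daemon.get_acl_rules_and_translate_to_iptables_commands('')
+        self.assertEqual(set(test_data["return"]).issubset(set(iptables_rules_ret)), True)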
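Review bot: The subset assertion on the last line of test_caclmgrd_external_client_acl discards rule order, so a regression that emits the `--dport 8081 -j DROP` rule ahead of the `-s 20.0.0.55/32 ... -j ACCEPT` rule still passes, even though `-A` appends and iptables evaluates the chain in order, meaning the DROP would shadow the ACCEPT on a real device. Keeping the order is two lines: `positions = [iptables_rules_ret.index(rule) for rule in test_data["return"]]` followed by `self.assertEqual(positions, sorted(positions))`; `self.assertTrue(set(...).issubset(...))` also reads better than comparing the result to `True`. Separately, setUp assigns `swsscommon.ConfigDBConnector = MockConfigDb` and inserts into `sys.path` on every test with no tearDown, so both patches leak into any other test module loaded in the same process; `mock.patch.object` with `self.addCleanup`, or a tearDown that restores the original attribute and path entry, would contain them.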
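--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE/test_external_client_acl_vectors.py
@@ -0,0 +1,167 @@
+from unittest.mock import call
+
+"""
+caclmgrd test external_client_acl vector
+"""
+EXTERNAL_CLIENT_ACL_TEST_VECTOR = [
+    [
+        "Test single IPv4 dst port + src ip for EXTERNAL_CLIENT_ACL",
+        {
+            "config_db": {
+                "ACL_TABLE": {
+                    "EXTERNAL_CLIENT_ACL": {
+                        "stage": "INGRESS",
+                        "type": "CTRLPLANE",
+                        "services": [
+                            "EXTERNAL_CLIENT"
+                        ]
+                    }
+                },
+                "ACL_RULE": {
+                    "EXTERNAL_CLIENT_ACL|DEFAULT_RULE": {
+                        "ETHER_TYPE": "2048",
+                        "PACKET_ACTION": "DROP",
+                        "PRIORITY": "1"
+                    },
+                    "EXTERNAL_CLIENT_ACL|RULE_1": {
+                        "L4_DST_PORT": "8081",
+                        "PACKET_ACTION": "ACCEPT",
+                        "PRIORITY": "9998",
+                        "SRC_IP": "20.0.0.55/32"
+                    },
+                },
+                "DEVICE_METADATA": {
+                    "localhost": {
+                    }
+                },
+                "FEATURE": {},
+            },
+            "return": [
+                "iptables -A INPUT -p tcp -s 20.0.0.55/32 --dport 8081 -j ACCEPT",
+                "iptables -A INPUT -p tcp --dport 8081 -j DROP"
+            ],
+        }
+    ],
+    [
+        "Test IPv4 dst port range + src ip forEXTERNAL_CLIENT_ACL",
+        {
+            "config_db": {
+                "ACL_TABLE": {
+                    "EXTERNAL_CLIENT_ACL": {
+                        "stage": "INGRESS",
+                        "type": "CTRLPLANE",
+                        "services": [
+                            "EXTERNAL_CLIENT"
+                        ]
+                    }
+                },
+                "ACL_RULE": {
+                    "EXTERNAL_CLIENT_ACL|DEFAULT_RULE": {
+                        "ETHER_TYPE": "2048",
+                        "PACKET_ACTION": "DROP",
+                        "PRIORITY": "1"
+                    },
+                    "EXTERNAL_CLIENT_ACL|RULE_1": {
+                        "L4_DST_PORT_RANGE": "8081-8083",
+                        "PACKET_ACTION": "ACCEPT",
+                        "PRIORITY": "9998",
+                        "SRC_IP": "20.0.0.55/32"
+                    },
+                },
+                "DEVICE_METADATA": {
+                    "localhost": {
+                    }
+                },
+                "FEATURE": {},
+            },
+            "return": [
+                "iptables -A INPUT -p tcp -s 20.0.0.55/32 --dport 8081 -j ACCEPT",
+                "iptables -A INPUT -p tcp -s 20.0.0.55/32 --dport 8082 -j ACCEPT",
+                "iptables -A INPUT -p tcp -s 20.0.0.55/32 --dport 8083 -j ACCEPT",
+                "iptables -A INPUT -p tcp --dport 8081 -j DROP",
+                "iptables -A INPUT -p tcp --dport 8082 -j DROP",
+                "iptables -A INPUT -p tcp --dport 8083 -j DROP",
+            ],
+        }
+    ],
+    [
+        "Test IPv6 single dst port range + src ip forEXTERNAL_CLIENT_ACL",
+        {
+            "config_db": {
+                "ACL_TABLE": {
+                    "EXTERNAL_CLIENT_ACL": {
+                        "stage": "INGRESS",
+                        "type": "CTRLPLANE",
+                        "services": [
+                            "EXTERNAL_CLIENT"
+                        ]
+                    }
+                },
+                "ACL_RULE": {
+                    "EXTERNAL_CLIENT_ACL|DEFAULT_RULE": {
+                        "ETHER_TYPE": "2048",
+                        "PACKET_ACTION": "DROP",
+                        "PRIORITY": "1"
+                    },
+                    "EXTERNAL_CLIENT_ACL|RULE_1": {
+                        "L4_DST_PORT": "8081",
+                        "PACKET_ACTION": "ACCEPT",
+                        "PRIORITY": "9998",
+                        "SRC_IP": "2001::2/128"
+                    },
+                },
+                "DEVICE_METADATA": {
+                    "localhost": {
+                    }
+                },
+                "FEATURE": {},
+            },
+            "return": [
+                "iptables -A INPUT -p tcp -s 2001::2/128 --dport 8081 -j ACCEPT",
+                "iptables -A INPUT -p tcp --dport 8081 -j DROP"
+            ],
+        }
+    ],
+    [
+        "Test IPv6 dst port range + src ip forEXTERNAL_CLIENT_ACL",
+        {
+            "config_db": {
+                "ACL_TABLE": {
+                    "EXTERNAL_CLIENT_ACL": {
+                        "stage": "INGRESS",
+                        "type": "CTRLPLANE",
+                        "services": [
+                            "EXTERNAL_CLIENT"
+                        ]
+                    }
+                },
+                "ACL_RULE": {
+                    "EXTERNAL_CLIENT_ACL|DEFAULT_RULE": {
+                        "ETHER_TYPE": "2048",
+                        "PACKET_ACTION": "DROP",
+                        "PRIORITY": "1"
+                    },
+                    "EXTERNAL_CLIENT_ACL|RULE_1": {
+                        "L4_DST_PORT_RANGE": "8081-8083",
+                        "PACKET_ACTION": "ACCEPT",
+                        "PRIORITY": "9998",
+                        "SRC_IP": "2001::2/128"
+                    },
+                },
+                "DEVICE_METADATA": {
+                    "localhost": {
+                    }
+                },
+                "FEATURE": {},
+            },
+            "return": [
+                "iptables -A INPUT -p tcp -s 2001::2/128 --dport 8081 -j ACCEPT",
+                "iptables -A INPUT -p tcp -s 2001::2/128 --dport 8082 -j ACCEPT",
+                "iptables -A INPUT -p tcp -s 2001::2/128 --dport 8083 -j ACCEPT",
+                "iptables -A INPUT -p tcp --dport 8081 -j DROP",
+                "iptables -A INPUT -p tcp --dport 8082 -j DROP",
+                "iptables -A INPUT -p tcp --dport 8083 -j DROP",
+            ],
+        }
+    ]
+]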
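Review bot: The two vectors labelled IPv6 (the third and fourth entries) place `2001::2/128` under the `SRC_IP` key and expect an `iptables` command rather than `ip6tables`; an IPv4 `iptables` rule with an IPv6 `-s` argument is not one the kernel will install, so as written these cases look like they pin the generator's handling of a mislabelled field rather than a working IPv6 allow-list — caclmgrd is not in this commit, so whether `SRC_IPV6` is the key that selects the ip6tables path should be confirmed against it before these expectations are treated as correct. The vector names in entries two to four also read `forEXTERNAL_CLIENT_ACL` (missing space), and the third is titled `single dst port range` for a single-port case; `"Test IPv6 single dst port + src ip for EXTERNAL_CLIENT_ACL"` would match the data. Finally, `from unittest.mock import call` is unused, and because it precedes the triple-quoted string, that string is an ordinary expression rather than the module docstring; moving the string above the import (or dropping the import) fixes both.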
