1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
|
# Copyright (c) 2016-2017 Intel Corporation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import logging
import ipaddress
import six
from yardstick.common import utils
from yardstick.common import exceptions
from yardstick.network_services.vnf_generic.vnf.sample_vnf import SampleVNF, DpdkVnfSetupEnvHelper
from yardstick.network_services.helpers.samplevnf_helper import PortPairs
from itertools import chain
LOG = logging.getLogger(__name__)
# ACL should work the same on all systems, we can provide the binary
ACL_PIPELINE_COMMAND = \
'sudo {tool_path} -p {port_mask_hex} -f {cfg_file} -s {script} {hwlb}'
ACL_COLLECT_KPI = r"""\
ACL TOTAL:[^p]+pkts_processed"?:\s(\d+),[^p]+pkts_drop"?:\s(\d+),[^p]+pkts_received"?:\s(\d+),"""
class AclApproxSetupEnvSetupEnvHelper(DpdkVnfSetupEnvHelper):
APP_NAME = "vACL"
CFG_CONFIG = "/tmp/acl_config"
CFG_SCRIPT = "/tmp/acl_script"
PIPELINE_COMMAND = ACL_PIPELINE_COMMAND
HW_DEFAULT_CORE = 2
SW_DEFAULT_CORE = 5
DEFAULT_CONFIG_TPL_CFG = "acl.cfg"
VNF_TYPE = "ACL"
RULE_CMD = "acl"
DEFAULT_PRIORITY = 1
DEFAULT_PROTOCOL = 0
DEFAULT_PROTOCOL_MASK = 0
# Default actions to be applied to SampleVNF. Please note,
# that this list is extended with `fwd` action when default
# actions are generated.
DEFAULT_FWD_ACTIONS = ["accept", "count"]
def __init__(self, vnfd_helper, ssh_helper, scenario_helper):
super(AclApproxSetupEnvSetupEnvHelper, self).__init__(vnfd_helper,
ssh_helper,
scenario_helper)
self._action_id = 0
def get_ip_from_port(self, port):
# we can't use gateway because in OpenStack gateways interfere with floating ip routing
# return self.make_ip_addr(self.get_ports_gateway(port), self.get_netmask_gateway(port))
vintf = self.vnfd_helper.find_interface(name=port)["virtual-interface"]
return utils.make_ip_addr(vintf["local_ip"], vintf["netmask"])
def get_network_and_prefixlen_from_ip_of_port(self, port):
ip_addr = self.get_ip_from_port(port)
# handle cases with no gateway
if ip_addr:
return ip_addr.network.network_address.exploded, ip_addr.network.prefixlen
else:
return None, None
@property
def new_action_id(self):
"""Get new action id"""
self._action_id += 1
return self._action_id
def get_default_flows(self):
"""Get default actions/rules
Returns: (<actions>, <rules>)
<actions>:
{ <action_id>: [ <list of actions> ]}
Example:
{ 0 : [ "accept", "count", {"fwd" : "port": 0} ], ... }
<rules>:
[ {"src_ip": "x.x.x.x", "src_ip_mask", 24, ...}, ... ]
Note:
See `generate_rule_cmds()` to get list of possible map keys.
"""
actions, rules = {}, []
_port_pairs = PortPairs(self.vnfd_helper.interfaces)
port_pair_list = _port_pairs.port_pair_list
for src_intf, dst_intf in port_pair_list:
# get port numbers of the interfaces
src_port = self.vnfd_helper.port_num(src_intf)
dst_port = self.vnfd_helper.port_num(dst_intf)
# get interface addresses and prefixes
src_net, src_prefix_len = self.get_network_and_prefixlen_from_ip_of_port(src_intf)
dst_net, dst_prefix_len = self.get_network_and_prefixlen_from_ip_of_port(dst_intf)
# ignore entries with empty values
if all((src_net, src_prefix_len, dst_net, dst_prefix_len)):
# flow: src_net:dst_net -> dst_port
action_id = self.new_action_id
actions[action_id] = self.DEFAULT_FWD_ACTIONS[:]
actions[action_id].append({"fwd": {"port": dst_port}})
rules.append({"priority": 1, 'cmd': self.RULE_CMD,
"src_ip": src_net, "src_ip_mask": src_prefix_len,
"dst_ip": dst_net, "dst_ip_mask": dst_prefix_len,
"src_port_from": 0, "src_port_to": 65535,
"dst_port_from": 0, "dst_port_to": 65535,
"protocol": 0, "protocol_mask": 0,
"action_id": action_id})
# flow: dst_net:src_net -> src_port
action_id = self.new_action_id
actions[action_id] = self.DEFAULT_FWD_ACTIONS[:]
actions[action_id].append({"fwd": {"port": src_port}})
rules.append({"cmd":self.RULE_CMD, "priority": 1,
"src_ip": dst_net, "src_ip_mask": dst_prefix_len,
"dst_ip": src_net, "dst_ip_mask": src_prefix_len,
"src_port_from": 0, "src_port_to": 65535,
"dst_port_from": 0, "dst_port_to": 65535,
"protocol": 0, "protocol_mask": 0,
"action_id": action_id})
return actions, rules
def get_flows(self, options):
"""Get actions/rules based on provided options.
The `options` is a dict representing the ACL rules configuration
file. Result is the same as described in `get_default_flows()`.
"""
actions, rules = {}, []
for ace in options['access-list-entries']:
# Generate list of actions
action_id = self.new_action_id
actions[action_id] = ace['actions']
# Destination nestwork
matches = ace['matches']
dst_ipv4_net = matches['destination-ipv4-network']
dst_ipv4_net_ip = ipaddress.ip_interface(six.text_type(dst_ipv4_net))
# Source network
src_ipv4_net = matches['source-ipv4-network']
src_ipv4_net_ip = ipaddress.ip_interface(six.text_type(src_ipv4_net))
# Append the rule
rules.append({'action_id': action_id, 'cmd': self.RULE_CMD,
'dst_ip': dst_ipv4_net_ip.network.network_address.exploded,
'dst_ip_mask': dst_ipv4_net_ip.network.prefixlen,
'src_ip': src_ipv4_net_ip.network.network_address.exploded,
'src_ip_mask': src_ipv4_net_ip.network.prefixlen,
'dst_port_from': matches['destination-port-range']['lower-port'],
'dst_port_to': matches['destination-port-range']['upper-port'],
'src_port_from': matches['source-port-range']['lower-port'],
'src_port_to': matches['source-port-range']['upper-port'],
'priority': matches.get('priority', self.DEFAULT_PRIORITY),
'protocol': matches.get('protocol', self.DEFAULT_PROTOCOL),
'protocol_mask': matches.get('protocol_mask',
self.DEFAULT_PROTOCOL_MASK)
})
return actions, rules
def generate_rule_cmds(self, rules, apply_rules=False):
"""Convert rules into list of SampleVNF CLI commands"""
rule_template = ("p {cmd} add {priority} {src_ip} {src_ip_mask} "
"{dst_ip} {dst_ip_mask} {src_port_from} {src_port_to} "
"{dst_port_from} {dst_port_to} {protocol} "
"{protocol_mask} {action_id}")
rule_cmd_list = []
for rule in rules:
rule_cmd_list.append(rule_template.format(**rule))
if apply_rules:
# add command to apply all rules at the end
rule_cmd_list.append("p {cmd} applyruleset".format(cmd=self.RULE_CMD))
return rule_cmd_list
def generate_action_cmds(self, actions):
"""Convert actions into list of SampleVNF CLI commands.
These method doesn't validate the provided list of actions. Supported
list of actions are limited by SampleVNF. Thus, the user should be
responsible to specify correct action name(s). Yardstick should take
the provided action by user and apply it to SampleVNF.
Anyway, some of the actions require addition parameters to be
specified. In case of `fwd` & `nat` action used have to specify
the port attribute.
"""
_action_template_map = {
"fwd": "p action add {action_id} fwd {port}",
"nat": "p action add {action_id} nat {port}"
}
action_cmd_list = []
for action_id, actions in actions.items():
for action in actions:
if isinstance(action, dict):
for action_name in action.keys():
# user provided an action name with addition options
# e.g.: {"fwd": {"port": 0}}
# format action CLI command and add it to the list
if action_name not in _action_template_map.keys():
raise exceptions.AclUknownActionTemplate(
action_name=action_name)
template = _action_template_map[action_name]
try:
action_cmd_list.append(template.format(
action_id=action_id, **action[action_name]))
except KeyError as exp:
raise exceptions.AclMissingActionArguments(
action_name=action_name,
action_param=exp.args[0])
else:
# user provided an action name w/o addition options
# e.g.: "accept", "count"
action_cmd_list.append(
"p action add {action_id} {action}".format(
action_id=action_id, action=action))
return action_cmd_list
def get_flows_config(self, options=None):
"""Get action/rules configuration commands (string) to be
applied to SampleVNF to configure ACL rules (flows).
"""
action_cmd_list, rule_cmd_list = [], []
if options:
# if file name is set, read actions/rules from the file
actions, rules = self.get_flows(options)
action_cmd_list = self.generate_action_cmds(actions)
rule_cmd_list = self.generate_rule_cmds(rules)
# default actions/rules
dft_actions, dft_rules = self.get_default_flows()
dft_action_cmd_list = self.generate_action_cmds(dft_actions)
dft_rule_cmd_list = self.generate_rule_cmds(dft_rules, apply_rules=True)
# generate multi-line commands to add actions/rules
return '\n'.join(chain(action_cmd_list, dft_action_cmd_list,
rule_cmd_list, dft_rule_cmd_list))
class AclApproxVnf(SampleVNF):
APP_NAME = "vACL"
APP_WORD = 'acl'
COLLECT_KPI = ACL_COLLECT_KPI
COLLECT_MAP = {
'packets_in': 3,
'packets_fwd': 1,
'packets_dropped': 2,
}
def __init__(self, name, vnfd, setup_env_helper_type=None, resource_helper_type=None):
if setup_env_helper_type is None:
setup_env_helper_type = AclApproxSetupEnvSetupEnvHelper
super(AclApproxVnf, self).__init__(name, vnfd, setup_env_helper_type, resource_helper_type)
|
