-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- firewall with resend fwsync - send fwsync to unicast - tun64 - firewall samples - acl gapped mask - balancer wlc scheduler - acl intersected gapped mask - balancer icmp - ruleset with 'table' - check RIB - nat64stateful
- Loading branch information
Showing
215 changed files
with
6,051 additions
and
0 deletions.
There are no files selected for viewing
Binary file added
BIN
+244 Bytes
autotest/units/001_one_port/050_firewall_state_resend/001-expect.pcap
Binary file not shown.
Binary file added
BIN
+106 Bytes
autotest/units/001_one_port/050_firewall_state_resend/001-send.pcap
Binary file not shown.
Binary file added
BIN
+106 Bytes
autotest/units/001_one_port/050_firewall_state_resend/002-expect.pcap
Binary file not shown.
Binary file added
BIN
+106 Bytes
autotest/units/001_one_port/050_firewall_state_resend/002-send.pcap
Binary file not shown.
Binary file added
BIN
+162 Bytes
autotest/units/001_one_port/050_firewall_state_resend/003-expect.pcap
Binary file not shown.
Binary file not shown.
Binary file added
BIN
+24 Bytes
autotest/units/001_one_port/050_firewall_state_resend/004-expect.pcap
Binary file not shown.
Binary file added
BIN
+162 Bytes
autotest/units/001_one_port/050_firewall_state_resend/004-send.pcap
Binary file not shown.
Binary file added
BIN
+106 Bytes
autotest/units/001_one_port/050_firewall_state_resend/005-expect.pcap
Binary file not shown.
Binary file added
BIN
+106 Bytes
autotest/units/001_one_port/050_firewall_state_resend/005-send.pcap
Binary file not shown.
Binary file added
BIN
+162 Bytes
autotest/units/001_one_port/050_firewall_state_resend/006-expect.pcap
Binary file not shown.
Binary file not shown.
Binary file added
BIN
+224 Bytes
autotest/units/001_one_port/050_firewall_state_resend/007-expect.pcap
Binary file not shown.
Binary file not shown.
Binary file added
BIN
+86 Bytes
autotest/units/001_one_port/050_firewall_state_resend/008-expect.pcap
Binary file not shown.
Binary file not shown.
Binary file added
BIN
+162 Bytes
autotest/units/001_one_port/050_firewall_state_resend/009-expect.pcap
Binary file not shown.
Binary file not shown.
Binary file added
BIN
+24 Bytes
autotest/units/001_one_port/050_firewall_state_resend/010-expect.pcap
Binary file not shown.
Binary file added
BIN
+162 Bytes
autotest/units/001_one_port/050_firewall_state_resend/010-send.pcap
Binary file not shown.
Binary file added
BIN
+86 Bytes
autotest/units/001_one_port/050_firewall_state_resend/011-expect.pcap
Binary file not shown.
Binary file not shown.
Binary file added
BIN
+162 Bytes
autotest/units/001_one_port/050_firewall_state_resend/012-expect.pcap
Binary file not shown.
Binary file not shown.
61 changes: 61 additions & 0 deletions
61
autotest/units/001_one_port/050_firewall_state_resend/autotest.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| steps: | ||
| - ipv4Update: "0.0.0.0/0 -> 200.0.0.1" | ||
| - ipv6Update: "::/0 -> fe80::1" | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 001-send.pcap | ||
| expect: 001-expect.pcap | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 002-send.pcap | ||
| expect: 002-expect.pcap | ||
| - sleep: 10 | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 003-send.pcap | ||
| expect: 003-expect.pcap | ||
| - clearFWState: 1 | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 004-send.pcap | ||
| expect: 004-expect.pcap | ||
| - sleep: 1 | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 005-send.pcap | ||
| expect: 005-expect.pcap | ||
| - sleep: 9 | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 006-send.pcap | ||
| expect: 006-expect.pcap | ||
| - clearFWState: 1 | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 007-send.pcap | ||
| expect: 007-expect.pcap | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 008-send.pcap | ||
| expect: 008-expect.pcap | ||
| - sleep: 10 | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 009-send.pcap | ||
| expect: 009-expect.pcap | ||
| - clearFWState: 1 | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 010-send.pcap | ||
| expect: 010-expect.pcap | ||
| - sleep: 1 | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 011-send.pcap | ||
| expect: 011-expect.pcap | ||
| - sleep: 9 | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 012-send.pcap | ||
| expect: 012-expect.pcap | ||
| - clearFWState: 1 |
64 changes: 64 additions & 0 deletions
64
autotest/units/001_one_port/050_firewall_state_resend/controlplane.conf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| { | ||
| "modules": { | ||
| "lp0.100": { | ||
| "type": "logicalPort", | ||
| "physicalPort": "kni0", | ||
| "vlanId": "100", | ||
| "macAddress": "00:11:22:33:44:55", | ||
| "nextModule": "acl0" | ||
| }, | ||
| "lp0.200": { | ||
| "type": "logicalPort", | ||
| "physicalPort": "kni0", | ||
| "vlanId": "200", | ||
| "macAddress": "00:11:22:33:44:55", | ||
| "nextModule": "acl0" | ||
| }, | ||
| "lp0.2000": { | ||
| "type": "logicalPort", | ||
| "physicalPort": "kni0", | ||
| "vlanId": "2000", | ||
| "macAddress": "00:11:22:33:44:55", | ||
| "nextModule": "acl0" | ||
| }, | ||
| "acl0": { | ||
| "type": "acl", | ||
| "firewall": "firewall.txt", | ||
| "synchronization": { | ||
| "ipv6SourceAddress": "fe80::f1", | ||
| "multicastIpv6Address": "ff02::1", | ||
| "multicastDestinationPort": 11995, | ||
| "logicalPorts": [ | ||
| "lp0.2000" | ||
| ], | ||
| "ingressNextModule": "vrf0" | ||
| }, | ||
| "nextModules": [ | ||
| "vrf0" | ||
| ] | ||
| }, | ||
| "vrf0": { | ||
| "type": "route", | ||
| "interfaces": { | ||
| "kni0.100": { | ||
| "ipv6Prefix": "fe80::2/64", | ||
| "neighborIPv6Address": "fe80::1", | ||
| "neighborMacAddress": "00:00:00:11:11:11", | ||
| "nextModule": "lp0.100" | ||
| }, | ||
| "kni0.200": { | ||
| "ipv4Prefix": "200.0.0.2/24", | ||
| "neighborIPv4Address": "200.0.0.1", | ||
| "neighborMacAddress": "00:00:00:22:22:22", | ||
| "nextModule": "lp0.200" | ||
| }, | ||
| "kni0.2000": { | ||
| "ipAddresses": ["ff02::2000"], | ||
| "neighborIPv6Address": "fe80::2000", | ||
| "neighborMacAddress": "00:00:00:33:33:33", | ||
| "nextModule": "lp0.2000" | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } |
7 changes: 7 additions & 0 deletions
7
autotest/units/001_one_port/050_firewall_state_resend/firewall.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| :BEGIN | ||
| add skipto :IN ip from any to any in | ||
|
|
||
| :IN | ||
| add allow udp from 10.0.0.0/24 to any 53 keep-state | ||
| add allow udp from any to 2020:ddd:ff1c:2030::/60 53 keep-state | ||
| add deny ip from any to any |
200 changes: 200 additions & 0 deletions
200
autotest/units/001_one_port/050_firewall_state_resend/gen.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,200 @@ | ||
| #!/usr/bin/env python3 | ||
| # -*- coding: utf-8 -*- | ||
| import ipaddress | ||
| import socket | ||
| import struct | ||
| from typing import List | ||
|
|
||
| from scapy.layers.inet import UDP, IP | ||
| from scapy.layers.inet6 import IPv6 | ||
| from scapy.layers.l2 import Ether, Dot1Q | ||
| from scapy.packet import Packet, Raw | ||
| from scapy.utils import PcapWriter | ||
|
|
||
|
|
||
| def write_pcap(path: str, packets: List[Packet]) -> None: | ||
| with PcapWriter(path) as fh: | ||
| for p in packets: | ||
| fh.write(p) | ||
|
|
||
|
|
||
| def ipv4_send(src: str, dst: str) -> Packet: | ||
| return Ether(dst="00:11:22:33:44:55", src="00:00:00:11:11:11") / Dot1Q(vlan=100) / IP(src=src, dst=dst, ttl=64) | ||
|
|
||
|
|
||
| def ipv4_recv(src: str, dst: str) -> Packet: | ||
| return Ether(dst="00:00:00:22:22:22", src="00:11:22:33:44:55") / Dot1Q(vlan=200) / IP(src=src, dst=dst, ttl=63) | ||
|
|
||
|
|
||
| def ipv6_send(src: str, dst: str) -> Packet: | ||
| return Ether(dst="00:11:22:33:44:55", src="00:00:00:22:22:22") / \ | ||
| Dot1Q(vlan=200) / \ | ||
| IPv6(src=src, dst=dst, hlim=64, fl=0) | ||
|
|
||
|
|
||
| def ipv6_recv(src: str, dst: str) -> Packet: | ||
| return Ether(dst="00:00:00:11:11:11", src="00:11:22:33:44:55") / \ | ||
| Dot1Q(vlan=100) / \ | ||
| IPv6(src=src, dst=dst, hlim=63, fl=0) | ||
|
|
||
|
|
||
| def make_payload6(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes: | ||
| data = struct.pack( | ||
| "<IIHHBBBB", | ||
| 0, # dst_ip | ||
| 0, # src_ip | ||
| dst_port, | ||
| src_port, | ||
| 0, # fib | ||
| socket.IPPROTO_UDP, | ||
| 0, # flags | ||
| 6, # addr_type | ||
| ) | ||
|
|
||
| data += ipaddress.ip_address(dst_ip).packed | ||
| data += ipaddress.ip_address(src_ip).packed | ||
|
|
||
| data += struct.pack( | ||
| "<II", | ||
| 0, # flow_id6 | ||
| 0, # extra | ||
| ) | ||
|
|
||
| return data | ||
|
|
||
|
|
||
| def make_payload4(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes: | ||
| data = b'' | ||
| data += ipaddress.ip_address(dst_ip).packed | ||
| data += ipaddress.ip_address(src_ip).packed | ||
|
|
||
| data += struct.pack( | ||
| "<HHBBBB", | ||
| dst_port, | ||
| src_port, | ||
| 0, # fib | ||
| socket.IPPROTO_UDP, | ||
| 0, # flags | ||
| 4, # addr_type | ||
| ) | ||
|
|
||
| data += ipaddress.ip_address('::').packed | ||
| data += ipaddress.ip_address('::').packed | ||
|
|
||
| data += struct.pack( | ||
| "<II", | ||
| 0, # flow_id6 | ||
| 0, # extra | ||
| ) | ||
|
|
||
| return data | ||
|
|
||
|
|
||
| # IPv6 | ||
| write_pcap("001-send.pcap", [ | ||
| ipv6_send("1111:2222::1", "2020:ddd:ff1c:2030::1") / UDP(sport=1024, dport=53), | ||
| ]) | ||
|
|
||
| write_pcap("001-expect.pcap", [ | ||
| ipv6_recv("1111:2222::1", "2020:ddd:ff1c:2030::1") / UDP(sport=1024, dport=53), | ||
| Ether(src="00:11:22:33:44:55", dst="33:33:00:00:00:01") / Dot1Q(vlan=2000) / IPv6(src="fe80::f1", dst="ff02::1", hlim=64, fl=0) / UDP(sport=11995, dport=11995) / Raw(make_payload6("1111:2222::1", "2020:ddd:ff1c:2030::1", 1024, 53)), | ||
| ]) | ||
|
|
||
| write_pcap("002-send.pcap", [ | ||
| ipv6_send("1111:2222::1", "2020:ddd:ff1c:2030::1") / UDP(sport=1024, dport=53), | ||
| ]) | ||
|
|
||
| write_pcap("002-expect.pcap", [ | ||
| ipv6_recv("1111:2222::1", "2020:ddd:ff1c:2030::1") / UDP(sport=1024, dport=53), | ||
| ]) | ||
| # Sleep for 10s | ||
|
|
||
| write_pcap("003-send.pcap", [ | ||
| ]) | ||
|
|
||
| write_pcap("003-expect.pcap", [ | ||
| Ether(src="00:11:22:33:44:55", dst="33:33:00:00:00:01") / Dot1Q(vlan=2000) / IPv6(src="fe80::f1", dst="ff02::1", hlim=64, fl=0) / UDP(sport=11995, dport=11995) / Raw(make_payload6("1111:2222::1", "2020:ddd:ff1c:2030::1", 1024, 53)), | ||
| ]) | ||
| # FW clear | ||
|
|
||
|
|
||
| write_pcap("004-send.pcap", [ | ||
| # Mimic external multicast sync event. | ||
| Ether(src="00:00:00:33:33:33", dst="33:33:00:00:00:01") / Dot1Q(vlan=2000) / IPv6(src="fe80::f2", dst="ff02::1", hlim=63, fl=0) / UDP(sport=11995, dport=11995) / Raw(make_payload6("1111:2222::10", "2020:ddd:ff1c:2030::10", 10240, 530)), | ||
| ]) | ||
|
|
||
| write_pcap("004-expect.pcap", [ | ||
| ]) | ||
| # Sleep for 1s | ||
|
|
||
| write_pcap("005-send.pcap", [ | ||
| ipv6_send("2020:ddd:ff1c:2030::10", "1111:2222::10") / UDP(sport=530, dport=10240), | ||
| ]) | ||
|
|
||
| write_pcap("005-expect.pcap", [ | ||
| ipv6_recv("2020:ddd:ff1c:2030::10", "1111:2222::10") / UDP(sport=530, dport=10240), | ||
| ]) | ||
| # Sleep for 9s | ||
|
|
||
| write_pcap("006-send.pcap", [ | ||
| ]) | ||
|
|
||
| write_pcap("006-expect.pcap", [ | ||
| Ether(src="00:11:22:33:44:55", dst="33:33:00:00:00:01") / Dot1Q(vlan=2000) / IPv6(src="fe80::f1", dst="ff02::1", hlim=64, fl=0) / UDP(sport=11995, dport=11995) / Raw(make_payload6("1111:2222::10", "2020:ddd:ff1c:2030::10", 10240, 530)), | ||
| ]) | ||
| # FW clear | ||
|
|
||
|
|
||
| # IPv4 | ||
| write_pcap("007-send.pcap", [ | ||
| ipv4_send("10.0.0.1", "1.1.1.1") / UDP(sport=1000, dport=53), | ||
| ]) | ||
|
|
||
| write_pcap("007-expect.pcap", [ | ||
| ipv4_recv("10.0.0.1", "1.1.1.1") / UDP(sport=1000, dport=53), | ||
| Ether(src="00:11:22:33:44:55", dst="33:33:00:00:00:01") / Dot1Q(vlan=2000) / IPv6(src="fe80::f1", dst="ff02::1", hlim=64, fl=0) / UDP(sport=11995, dport=11995) / Raw(make_payload4("10.0.0.1", "1.1.1.1", 1000, 53)), | ||
| ]) | ||
|
|
||
| write_pcap("008-send.pcap", [ | ||
| ipv4_send("10.0.0.1", "1.1.1.1") / UDP(sport=1000, dport=53), | ||
| ]) | ||
|
|
||
| write_pcap("008-expect.pcap", [ | ||
| ipv4_recv("10.0.0.1", "1.1.1.1") / UDP(sport=1000, dport=53), | ||
| ]) | ||
| # Sleep for 10s | ||
|
|
||
| write_pcap("009-send.pcap", [ | ||
| ]) | ||
|
|
||
| write_pcap("009-expect.pcap", [ | ||
| Ether(src="00:11:22:33:44:55", dst="33:33:00:00:00:01") / Dot1Q(vlan=2000) / IPv6(src="fe80::f1", dst="ff02::1", hlim=64, fl=0) / UDP(sport=11995, dport=11995) / Raw(make_payload4("10.0.0.1", "1.1.1.1", 1000, 53)), | ||
| ]) | ||
| # FW clear | ||
|
|
||
| write_pcap("010-send.pcap", [ | ||
| # Mimic external multicast sync event. | ||
| Ether(src="00:00:00:33:33:33", dst="33:33:00:00:00:01") / Dot1Q(vlan=2000) / IPv6(src="fe80::f2", dst="ff02::1", hlim=63, fl=0) / UDP(sport=11995, dport=11995) / Raw(make_payload4("10.0.0.10", "1.1.1.10", 10000, 530)), | ||
| ]) | ||
|
|
||
| write_pcap("010-expect.pcap", [ | ||
| ]) | ||
|
|
||
| # Sleep for 1s | ||
| write_pcap("011-send.pcap", [ | ||
| ipv4_send("1.1.1.10", "10.0.0.10") / UDP(sport=530, dport=10000), | ||
| ]) | ||
|
|
||
| write_pcap("011-expect.pcap", [ | ||
| ipv4_recv("1.1.1.10", "10.0.0.10") / UDP(sport=530, dport=10000), | ||
| ]) | ||
|
|
||
| # Sleep for 9s | ||
|
|
||
| write_pcap("012-send.pcap", [ | ||
| ]) | ||
|
|
||
| write_pcap("012-expect.pcap", [ | ||
| Ether(src="00:11:22:33:44:55", dst="33:33:00:00:00:01") / Dot1Q(vlan=2000) / IPv6(src="fe80::f1", dst="ff02::1", hlim=64, fl=0) / UDP(sport=11995, dport=11995) / Raw(make_payload4("10.0.0.10", "1.1.1.10", 10000, 530)), | ||
| ]) | ||
|
|
Binary file added
BIN
+394 Bytes
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/001-expect.pcap
Binary file not shown.
Binary file added
BIN
+118 Bytes
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/001-send.pcap
Binary file not shown.
Binary file added
BIN
+24 Bytes
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/002-expect.pcap
Binary file not shown.
Binary file added
BIN
+162 Bytes
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/002-send.pcap
Binary file not shown.
Binary file added
BIN
+118 Bytes
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/003-expect.pcap
Binary file not shown.
Binary file added
BIN
+118 Bytes
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/003-send.pcap
Binary file not shown.
Binary file added
BIN
+374 Bytes
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/004-expect.pcap
Binary file not shown.
Binary file added
BIN
+98 Bytes
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/004-send.pcap
Binary file not shown.
Binary file added
BIN
+24 Bytes
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/005-expect.pcap
Binary file not shown.
Binary file added
BIN
+162 Bytes
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/005-send.pcap
Binary file not shown.
Binary file added
BIN
+98 Bytes
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/006-expect.pcap
Binary file not shown.
Binary file added
BIN
+98 Bytes
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/006-send.pcap
Binary file not shown.
Binary file added
BIN
+588 Bytes
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/007-expect-tcp.pcap
Binary file not shown.
Binary file added
BIN
+300 Bytes
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/007-expect-tech.pcap
Binary file not shown.
Binary file added
BIN
+588 Bytes
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/007-send.pcap
Binary file not shown.
38 changes: 38 additions & 0 deletions
38
autotest/units/001_one_port/051_firewall_keepstate_with_sync_unicast/autotest.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| steps: | ||
| - ipv4Update: "0.0.0.0/0 -> 200.0.0.1" | ||
| - ipv6Update: "::/0 -> fe80::1" | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 001-send.pcap | ||
| expect: 001-expect.pcap | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 002-send.pcap | ||
| expect: 002-expect.pcap | ||
| - sleep: 1 | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 003-send.pcap | ||
| expect: 003-expect.pcap | ||
| - clearFWState: 1 | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 004-send.pcap | ||
| expect: 004-expect.pcap | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 005-send.pcap | ||
| expect: 005-expect.pcap | ||
| - sleep: 1 | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 006-send.pcap | ||
| expect: 006-expect.pcap | ||
| - sendPackets: | ||
| - port: kni0 | ||
| send: 007-send.pcap | ||
| expect: | ||
| - 007-expect-tcp.pcap | ||
| - 007-expect-tech.pcap | ||
| - cli: "fw list states | grep 'allow tcp from 2220:ddd:ff1c:2030::1 12345 to 1111:2222::1 777' | grep 'flags SAF:SAF'" | ||
| - clearFWState: 1 |
Oops, something went wrong.