yanet-platform · GeorgyKirichenko · Sep 20, 2024 · Aug 2, 2024 · Aug 5, 2024 · Sep 17, 2024
@@ -26,3 +26,4 @@ steps:
   - port: kni0
     send: 002-send.pcap
     expect: 002-expect.pcap
+- clearFWState: 1
@@ -1,7 +1,8 @@
 steps:
 - ipv4Update: "0.0.0.0/0 -> 200.0.0.1"
-- clearFWState:
+- clearFWState: 1
 - sendPackets:
   - port: kni0
     send: 001-send.pcap
     expect: 001-expect.pcap
+- clearFWState: 1
@@ -0,0 +1,49 @@
+steps:
+- ipv4Update: "0.0.0.0/0 -> 10.0.0.2"
+
+- sendPackets:
+  - port: kni0
+    send: 001-send.pcap
+    expect: 001-expect.pcap
+
+- cli_check: |
+    fw list states
+    id        ruleno    label  rule
+    --------  --------  -----  --------------------------------------------------------------------------------------------
+    16777215  16777215         allow tcp from 10.0.0.1 80 to 10.0.0.2 12345 [own, last seen: 2s ago flags S:][packets: 0/0]
+
+- sleep: 6  # Wait for state to expire
+
+- cli_check: |
+    fw list states
+    id  ruleno  label  rule
+    --  ------  -----  ----
+
+- clearFWState: 1
+
+- sendPackets:
+  - port: kni0
+    send: 001-send.pcap
+    expect: 001-expect.pcap
+
+- cli_check: |
+    fw list states
+    id        ruleno    label  rule
+    --------  --------  -----  --------------------------------------------------------------------------------------------
+    16777215  16777215         allow tcp from 10.0.0.1 80 to 10.0.0.2 12345 [own, last seen: 2s ago flags S:][packets: 0/0]
+
+- sleep: 3  # Wait but state should still be present
+
+  # note that last seen value changes
+- cli_check: |
+    fw list states
+    id        ruleno    label  rule
+    --------  --------  -----  --------------------------------------------------------------------------------------------
+    16777215  16777215         allow tcp from 10.0.0.1 80 to 10.0.0.2 12345 [own, last seen: 5s ago flags S:][packets: 0/0]
+
+- sleep: 3  # Wait for state to expire
+
+- cli_check: |
+    fw list states
+    id  ruleno  label  rule
+    --  ------  -----  ----
@@ -0,0 +1,26 @@
+{
+  "modules": {
+    "lp0": {
+      "type": "logicalPort",
+      "physicalPort": "kni0",
+      "macAddress": "00:11:22:33:44:55",
+      "nextModule": "acl0"
+    },
+    "acl0": {
+      "type": "acl",
+      "firewall": "firewall.txt",
+      "nextModules": ["vrf0"]
+    },
+    "vrf0": {
+      "type": "route",
+      "interfaces": {
+        "kni0": {
+          "ipv4Prefix": "10.0.0.1/24",
+          "neighborIPv4Address": "10.0.0.2",
+          "neighborMacAddress": "00:00:00:11:11:11",
+          "nextModule": "lp0"
+        }
+      }
+    }
+  }
+}
@@ -0,0 +1,9 @@
+:BEGIN
+add state-timeout 1 ip from any to any
+add state-timeout 2 ip from any to any
+add state-timeout 3 ip from any to any
+add state-timeout 4 ip from any to any
+add state-timeout 5 ip from any to any
+# only the last occurence matters
+add allow ip from any to any keep-state
+
@@ -0,0 +1,29 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+from typing import List
+
+from scapy.layers.inet import IP, TCP
+from scapy.layers.l2 import Ether
+from scapy.packet import Packet
+from scapy.utils import PcapWriter
+
+def write_pcap(path: str, packets: List[Packet]) -> None:
+    with PcapWriter(path, sync=True) as fh:
+        for p in packets:
+            fh.write(p)
+
+def ipv4_send(src: str, dst: str) -> Packet:
+    return Ether(dst="00:11:22:33:44:55", src="00:00:00:11:11:11") / IP(src=src, dst=dst, ttl=64)
+
+def ipv4_recv(src: str, dst: str) -> Packet:
+    return Ether(dst="00:00:00:11:11:11", src="00:11:22:33:44:55") / IP(src=src, dst=dst, ttl=63)
+
+# Send packet from 10.0.0.2 to 10.0.0.1
+write_pcap("001-send.pcap", [
+    ipv4_send("10.0.0.2", "10.0.0.1") / TCP(sport=12345, dport=80, flags="S"),
+])
+
+# Expect the packet forwarded
+write_pcap("001-expect.pcap", [
+    ipv4_recv("10.0.0.2", "10.0.0.1") / TCP(sport=12345, dport=80, flags="S"),
+])
@@ -0,0 +1,38 @@
+steps:
+- ipv4Update: "0.0.0.0/0 -> 10.0.0.2"
+
+- sendPackets:
+  - port: kni0
+    send: 001-send.pcap
+    expect: 001-expect.pcap
+
+- cli_check: |
+    fw list states
+    id        ruleno    label  rule
+    --------  --------  -----  ------------------------------------------------------------------------------------------------
+    16777215  16777215         allow tcp from 10.0.0.1 80 to 192.168.1.10 12345 [own, last seen: 2s ago flags S:][packets: 0/0]
+    16777216  16777215         allow tcp from 10.0.0.1 80 to 192.168.2.20 12346 [own, last seen: 2s ago flags S:][packets: 0/0]
+
+- sleep: 3  # Wait, states should still be present
+
+- cli_check: |
+    fw list states
+    id        ruleno    label  rule
+    --------  --------  -----  ------------------------------------------------------------------------------------------------
+    16777215  16777215         allow tcp from 10.0.0.1 80 to 192.168.1.10 12345 [own, last seen: 5s ago flags S:][packets: 0/0]
+    16777216  16777215         allow tcp from 10.0.0.1 80 to 192.168.2.20 12346 [own, last seen: 5s ago flags S:][packets: 0/0]
+
+- sleep: 3  # Wait for first state to expire (total sleep 6s)
+
+- cli_check: |
+    fw list states
+    id        ruleno    label  rule
+    --------  --------  -----  ------------------------------------------------------------------------------------------------
+    16777215  16777215         allow tcp from 10.0.0.1 80 to 192.168.2.20 12346 [own, last seen: 8s ago flags S:][packets: 0/0]
+
+- sleep: 3  # Wait for second state to expire (total sleep 9s)
+
+- cli_check: |
+    fw list states
+    id  ruleno  label  rule
+    --  ------  -----  ----
@@ -0,0 +1,26 @@
+{
+  "modules": {
+    "lp0": {
+      "type": "logicalPort",
+      "physicalPort": "kni0",
+      "macAddress": "00:11:22:33:44:55",
+      "nextModule": "acl0"
+    },
+    "acl0": {
+      "type": "acl",
+      "firewall": "firewall.txt",
+      "nextModules": ["vrf0"]
+    },
+    "vrf0": {
+      "type": "route",
+      "interfaces": {
+        "kni0": {
+          "ipv4Prefix": "10.0.0.1/24",
+          "neighborIPv4Address": "10.0.0.2",
+          "neighborMacAddress": "00:00:00:11:11:11",
+          "nextModule": "lp0"
+        }
+      }
+    }
+  }
+}
@@ -0,0 +1,4 @@
+:BEGIN
+add state-timeout 5 ip from 192.168.1.0/24 to any
+add state-timeout 10 ip from 192.168.2.0/24 to any
+add allow ip from any to any keep-state
@@ -0,0 +1,31 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+from typing import List
+
+from scapy.layers.inet import IP, TCP
+from scapy.layers.l2 import Ether
+from scapy.packet import Packet
+from scapy.utils import PcapWriter
+
+def write_pcap(path: str, packets: List[Packet]) -> None:
+    with PcapWriter(path, sync=True) as fh:
+        for p in packets:
+            fh.write(p)
+
+def ipv4_send(src: str, dst: str, ttl: int = 64) -> Packet:
+    return Ether(dst="00:11:22:33:44:55", src="00:00:00:11:11:11") / IP(src=src, dst=dst, ttl=ttl)
+
+def ipv4_recv(src: str, dst: str, ttl: int = 63) -> Packet:
+    return Ether(dst="00:00:00:11:11:11", src="00:11:22:33:44:55") / IP(src=src, dst=dst, ttl=ttl)
+
+# Send packets from two different subnets
+write_pcap("001-send.pcap", [
+    ipv4_send("192.168.1.10", "10.0.0.1") / TCP(sport=12345, dport=80, flags="S"),
+    ipv4_send("192.168.2.20", "10.0.0.1") / TCP(sport=12346, dport=80, flags="S"),
+])
+
+# Expect the same packets forwarded
+write_pcap("001-expect.pcap", [
+    ipv4_recv("192.168.1.10", "10.0.0.1") / TCP(sport=12345, dport=80, flags="S"),
+    ipv4_recv("192.168.2.20", "10.0.0.1") / TCP(sport=12346, dport=80, flags="S"),
+])
@@ -0,0 +1,63 @@
+steps:
+- ipv4Update: "0.0.0.0/0 -> 10.0.0.2"
+
+- sendPackets:
+  - port: kni0
+    send: 001-send.pcap
+    expect: 001-expect.pcap
+
+- dumpPackets:
+  - ringTag: shm_2_0
+    expect: 001-expect-dump-ring1.pcap
+
+- cli_check: |
+    fw list states
+    id        ruleno    label  rule
+    --------  --------  -----  -------------------------------------------------------------------------------------------
+    16777215  16777215         allow udp from 10.0.0.1 53 to 10.0.0.10 1024 [own, last seen: 2s ago flags :][packets: 0/0]
+
+- sleep: 3  # Wait, state should still be present
+
+- cli_check: |
+    fw list states
+    id        ruleno    label  rule
+    --------  --------  -----  -------------------------------------------------------------------------------------------
+    16777215  16777215         allow udp from 10.0.0.1 53 to 10.0.0.10 1024 [own, last seen: 5s ago flags :][packets: 0/0]
+
+- sleep: 3  # Wait for state to expire (total sleep 6s)
+
+- cli_check: |
+    fw list states
+    id  ruleno  label  rule
+    --  ------  -----  ----
+
+- sendPackets:
+  - port: kni0
+    send: 002-send.pcap
+    expect: 002-expect.pcap
+
+- dumpPackets:
+  - ringTag: shm_2_0
+    expect: 002-expect-dump-ring1.pcap
+
+- cli_check: |
+    fw list states
+    id        ruleno    label  rule
+    --------  --------  -----  -------------------------------------------------------------------------------------------
+    16777215  16777215         allow udp from 10.0.0.1 53 to 10.0.0.10 1024 [own, last seen: 2s ago flags :][packets: 0/0]
+
+- sleep: 3  # Wait, state should still be present
+
+- cli_check: |
+    fw list states
+    id        ruleno    label  rule
+    --------  --------  -----  -------------------------------------------------------------------------------------------
+    16777215  16777215         allow udp from 10.0.0.1 53 to 10.0.0.10 1024 [own, last seen: 5s ago flags :][packets: 0/0]
+
+- sleep: 3  # Wait for state to expire (total sleep 6s)
+
+- cli_check: |
+    fw list states
+    id  ruleno  label  rule
+    --  ------  -----  ----
+
@@ -0,0 +1,26 @@
+{
+  "modules": {
+    "lp0": {
+      "type": "logicalPort",
+      "physicalPort": "kni0",
+      "macAddress": "00:11:22:33:44:55",
+      "nextModule": "acl0"
+    },
+    "acl0": {
+      "type": "acl",
+      "firewall": "firewall.txt",
+      "nextModules": ["vrf0"]
+    },
+    "vrf0": {
+      "type": "route",
+      "interfaces": {
+        "kni0": {
+          "ipv4Prefix": "10.0.0.1/24",
+          "neighborIPv4Address": "10.0.0.2",
+          "neighborMacAddress": "00:00:00:11:11:11",
+          "nextModule": "lp0"
+        }
+      }
+    }
+  }
+}
@@ -0,0 +1,6 @@
+:BEGIN
+add state-timeout 5 ip from any to any
+add check-state
+add dump ring1 ip from any to any
+add allow udp from 10.0.0.0/24 to any 53 record-state
+add deny ip from any to any
@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+from typing import List
+
+from scapy.layers.inet import IP, UDP
+from scapy.layers.l2 import Ether
+from scapy.packet import Packet
+from scapy.utils import PcapWriter
+
+def write_pcap(path: str, packets: List[Packet]) -> None:
+    with PcapWriter(path, sync=True) as fh:
+        for p in packets:
+            fh.write(p)
+
+def ipv4_send(src: str, dst: str, ttl: int = 64) -> Packet:
+    return Ether(dst="00:11:22:33:44:55", src="00:00:00:11:11:11") / IP(src=src, dst=dst, ttl=ttl)
+
+def ipv4_recv(src: str, dst: str, ttl: int = 63) -> Packet:
+    return Ether(dst="00:00:00:11:11:11", src="00:11:22:33:44:55") / IP(src=src, dst=dst, ttl=ttl)
+
+# Initial packet to create state
+write_pcap("001-send.pcap", [
+    ipv4_send("10.0.0.10", "10.0.0.1") / UDP(sport=1024, dport=53),
+])
+
+# Expect the packet to be forwarded
+write_pcap("001-expect.pcap", [
+    ipv4_recv("10.0.0.10", "10.0.0.1") / UDP(sport=1024, dport=53),
+])
+
+# Expected dump (initial packet)
+write_pcap("001-expect-dump-ring1.pcap", [
+    ipv4_send("10.0.0.10", "10.0.0.1") / UDP(sport=1024, dport=53),
+])
+
+# Packet after state expiration
+write_pcap("002-send.pcap", [
+    ipv4_send("10.0.0.10", "10.0.0.1") / UDP(sport=1024, dport=53),
+])
+
+# Expect the packet to be forwarded
+write_pcap("002-expect.pcap", [
+    ipv4_recv("10.0.0.10", "10.0.0.1") / UDP(sport=1024, dport=53),
+])
+
+# Expected dump after state expiration
+write_pcap("002-expect-dump-ring1.pcap", [
+    ipv4_send("10.0.0.10", "10.0.0.1") / UDP(sport=1024, dport=53), #result of a first dump (the ring is the same)
+    ipv4_send("10.0.0.10", "10.0.0.1") / UDP(sport=1024, dport=53),
+])