Adding support for sonic-mgmt ACL testing

docs/README.acl.md

@@ -1,4 +1,221 @@
-# Use a simple routing topology as below to demonstrate SONiC VPP traffic filtering using ingress Access List
+# Sonic-Mgmt ACL testing
+
+The Sonic-VPP ACL implementation has been updated to support testing with sonic-mgmt.
+
+The test cases in [`test_acl.py`](https://github.com/sonic-net/sonic-mgmt/blob/master/tests/acl/test_acl.py) can be executed on the T1 topology, subjet to the following limitations:
+
+1. Empty ACL tables cannot be applied on a port before the ACL table under test is configured.
+
+2. After config reload, the test must wait for the interfaces to come up before proceeding.
+
+These VPP limitations are codified in the following sonic-mgmt PR: https://github.com/sonic-net/sonic-mgmt/pull/18313
+
+Future support on sonic-mgmt will include:
+
+- T1-lag / PortChannel support
+- Incremental, Reload and PortToggle variations (800 tests)
+
+The following results summarize the current status of the ACL test runs on the T1 topology:
+
+```
+========= 188 passed, 612 skipped, 663 warnings in 1039.06s (0:17:19) ==========
+SKIPPED [4] acl/test_acl.py:1000: Only run for egress
+SKIPPED [600] acl/test_acl.py: Phase 2 enablement
+SKIPPED [4] acl/test_acl.py:992: Only run for ingress
+SKIPPED [4] acl/test_acl.py: Failure on VPP
+PASSED test_ingress_unmatched_blocked[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_source_ip_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_rules_priority_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_rules_priority_dropped[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_dest_ip_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_dest_ip_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_source_ip_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_udp_source_ip_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_udp_source_ip_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_icmp_source_ip_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_icmp_source_ip_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_range_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_range_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_range_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_range_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_ip_proto_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_tcp_flags_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_ip_proto_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_tcp_flags_match_dropped[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_icmp_match_forwarded[ipv4-ingress-downlink->uplink-default-no_vlan]
+PASSED test_ingress_unmatched_blocked[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_source_ip_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_rules_priority_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_rules_priority_dropped[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_dest_ip_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_dest_ip_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_source_ip_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_udp_source_ip_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_udp_source_ip_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_icmp_source_ip_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_icmp_source_ip_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_range_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_range_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_range_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_range_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_ip_proto_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_tcp_flags_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_ip_proto_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_tcp_flags_match_dropped[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_icmp_match_forwarded[ipv4-ingress-uplink->downlink-default-no_vlan]
+PASSED test_source_ip_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_rules_priority_forwarded[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_rules_priority_dropped[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_dest_ip_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_dest_ip_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_source_ip_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_udp_source_ip_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_udp_source_ip_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_icmp_source_ip_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_icmp_source_ip_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_range_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_range_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_range_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_range_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_ip_proto_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_tcp_flags_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_ip_proto_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_tcp_flags_match_dropped[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_icmp_match_forwarded[ipv4-egress-downlink->uplink-default-no_vlan]
+PASSED test_source_ip_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_rules_priority_forwarded[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_rules_priority_dropped[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_dest_ip_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_dest_ip_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_source_ip_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_udp_source_ip_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_udp_source_ip_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_icmp_source_ip_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_icmp_source_ip_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_range_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_range_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_range_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_range_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_ip_proto_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_tcp_flags_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_ip_proto_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_tcp_flags_match_dropped[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_icmp_match_forwarded[ipv4-egress-uplink->downlink-default-no_vlan]
+PASSED test_source_ip_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_rules_priority_forwarded[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_rules_priority_dropped[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_dest_ip_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_dest_ip_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_source_ip_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_udp_source_ip_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_udp_source_ip_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_icmp_source_ip_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_icmp_source_ip_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_range_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_range_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_range_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_range_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_ip_proto_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_tcp_flags_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_ip_proto_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_tcp_flags_match_dropped[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_icmp_match_forwarded[ipv6-egress-downlink->uplink-default-no_vlan]
+PASSED test_source_ip_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_rules_priority_forwarded[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_rules_priority_dropped[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_dest_ip_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_dest_ip_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_source_ip_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_udp_source_ip_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_udp_source_ip_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_icmp_source_ip_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_icmp_source_ip_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_range_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_range_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_range_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_range_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_ip_proto_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_tcp_flags_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_ip_proto_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_tcp_flags_match_dropped[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_icmp_match_forwarded[ipv6-egress-uplink->downlink-default-no_vlan]
+PASSED test_ingress_unmatched_blocked[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_source_ip_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_rules_priority_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_rules_priority_dropped[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_dest_ip_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_dest_ip_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_source_ip_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_udp_source_ip_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_udp_source_ip_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_icmp_source_ip_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_icmp_source_ip_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_range_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_range_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_range_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_range_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_ip_proto_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_tcp_flags_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_dport_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_l4_sport_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_ip_proto_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_tcp_flags_match_dropped[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_icmp_match_forwarded[ipv6-ingress-downlink->uplink-default-no_vlan]
+PASSED test_ingress_unmatched_blocked[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_source_ip_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_rules_priority_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_rules_priority_dropped[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_dest_ip_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_dest_ip_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_source_ip_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_udp_source_ip_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_udp_source_ip_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_icmp_source_ip_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_icmp_source_ip_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_range_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_range_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_range_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_range_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_ip_proto_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_tcp_flags_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_dport_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_l4_sport_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_ip_proto_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_tcp_flags_match_dropped[ipv6-ingress-uplink->downlink-default-no_vlan]
+PASSED test_icmp_match_forwarded[ipv6-ingress-uplink->downlink-default-no_vlan]
+```
+
+# Simple Topology Testing
+
+You can use a simple routing topology as below to demonstrate SONiC VPP traffic filtering using ingress Access List
 
 Host1 --------------------- Sonic-VPP-Router1 -------------- Sonic-VPP-Router2 ---------------- Host2