Add E2E tests for bypassing the proxy via higher-precendence PDRs

miguelbf-alb · Jan 21, 2022 · 80f0387 · 80f0387
1 parent 23442a7
commit 80f0387
Show file tree

Hide file tree

Showing 2 changed files with 100 additions and 9 deletions.
diff --git a/test/e2e/framework/sessionconfig.go b/test/e2e/framework/sessionconfig.go
@@ -34,6 +34,7 @@ type SessionConfig struct {
 	SGWIP             net.IP
 	AppName           string
 	Redirect          bool
+	NoADFSDFFilter    string
 	Mode              UPGMode
 	TEIDPGWs5u        uint32
 	TEIDSGWs5u        uint32
@@ -142,7 +143,7 @@ func (cfg SessionConfig) ueIPAddress(flags uint8) *ie.IE {
 	return ie.NewUEIPAddress(flags|pfcp.UEIPAddress_V6, "", cfg.UEIP.String(), 0)
 }
 
-func (cfg SessionConfig) forwardPDR(pdrID uint16, farID, urrID, precedence uint32, appID string) *ie.IE {
+func (cfg SessionConfig) forwardPDR(pdrID uint16, farID, urrID, precedence uint32, appID string, sdfFilter string) *ie.IE {
 	ies := []*ie.IE{
 		ie.NewPDRID(pdrID),
 		ie.NewFARID(farID),
@@ -179,9 +180,12 @@ func (cfg SessionConfig) forwardPDR(pdrID uint16, farID, urrID, precedence uint3
 	}
 
 	if appID == "" {
-		pdiIEs = append(pdiIEs,
-			ie.NewSDFFilter("permit out ip from any to assigned", "", "", "", 0))
+		if sdfFilter == "" {
+			sdfFilter = "permit out ip from any to assigned"
+		}
+		pdiIEs = append(pdiIEs, ie.NewSDFFilter(sdfFilter, "", "", "", 0))
 	}
+
 	ies = append(ies, ie.NewPDI(pdiIEs...))
 	if urrID != 0 {
 		ies = append(ies, ie.NewURRID(urrID))
@@ -190,7 +194,7 @@ func (cfg SessionConfig) forwardPDR(pdrID uint16, farID, urrID, precedence uint3
 	return ie.NewCreatePDR(ies...)
 }
 
-func (cfg SessionConfig) reversePDR(pdrID uint16, farID, urrID, precedence uint32, appID string) *ie.IE {
+func (cfg SessionConfig) reversePDR(pdrID uint16, farID, urrID, precedence uint32, appID, sdfFilter string) *ie.IE {
 	ies := []*ie.IE{
 		ie.NewPDRID(pdrID),
 		ie.NewFARID(farID),
@@ -218,8 +222,11 @@ func (cfg SessionConfig) reversePDR(pdrID uint16, farID, urrID, precedence uint3
 	}
 
 	if appID == "" {
+		if sdfFilter == "" {
+			sdfFilter = "permit out ip from any to assigned"
+		}
 		pdiIEs = append(pdiIEs,
-			ie.NewSDFFilter("permit out ip from any to assigned", "", "", "", 0))
+			ie.NewSDFFilter(sdfFilter, "", "", "", 0))
 	}
 	ies = append(ies, ie.NewPDI(pdiIEs...))
 	if urrID != 0 {
@@ -297,13 +304,18 @@ func (cfg SessionConfig) CreatePDRs() []*ie.IE {
 		appURRId = 0
 	}
 	ies := []*ie.IE{
-		cfg.forwardPDR(cfg.IdBase, 1, defaultURRId, 200, ""),
-		cfg.reversePDR(cfg.IdBase+1, 2, defaultURRId, 200, ""),
+		cfg.forwardPDR(cfg.IdBase, 1, defaultURRId, 200, "", ""),
+		cfg.reversePDR(cfg.IdBase+1, 2, defaultURRId, 200, "", ""),
 	}
 	if cfg.AppName != "" {
 		ies = append(ies,
-			cfg.forwardPDR(cfg.IdBase+2, 1, appURRId, 100, cfg.AppName),
-			cfg.reversePDR(cfg.IdBase+3, 2, appURRId, 100, cfg.AppName))
+			cfg.forwardPDR(cfg.IdBase+2, 1, appURRId, 100, cfg.AppName, ""),
+			cfg.reversePDR(cfg.IdBase+3, 2, appURRId, 100, cfg.AppName, ""))
+		if cfg.NoADFSDFFilter != "" {
+			ies = append(ies,
+				cfg.forwardPDR(cfg.IdBase+4, 1, 0, 10, "", cfg.NoADFSDFFilter),
+				cfg.reversePDR(cfg.IdBase+5, 2, 0, 10, "", cfg.NoADFSDFFilter))
+		}
 	}
 	return ies
 }

diff --git a/test/e2e/upg_e2e.go b/test/e2e/upg_e2e.go
@@ -270,6 +270,85 @@ func describeMeasurement(f *framework.Framework) {
 			})
 		})
 
+		ginkgo.Context("[proxy bypass]", func() {
+			var bypassTrafficCfg traffic.HTTPConfig
+
+			describeProxyBypass := func(skipIPv6 bool) {
+				ginkgo.It("should not proxy traffic when higher precedence PDRs have no app id", func() {
+					// FIXME: there's an IPv6-related problem with extra server IPs that is not caused
+					// by the proxy bypass, as it also happens if proxy bypass PDRs are removed together
+					// with app id. For now, let's only test IPv6 mode with port-based SDF Filters.
+					if skipIPv6 && f.IPMode == framework.UPGIPModeV6 {
+						ginkgo.Skip("FIXME: skipping IPv6 version of the test")
+					}
+					verify(&bypassTrafficCfg)
+					// the flow should not be proxied
+					flowStr, err := f.VPP.Ctl("show upf flows")
+					framework.ExpectNoError(err)
+					gomega.Expect(flowStr).To(gomega.ContainSubstring("proxy 0"))
+					gomega.Expect(flowStr).NotTo(gomega.ContainSubstring("proxy 1"))
+				})
+
+				ginkgo.It("should not prevent ADF from working (no app hit)", func() {
+					verify(smallVolumeHTTPConfig(nil))
+					verifyNonAppMeasurement(f, ms, layers.IPProtocolTCP, nil)
+
+					// the flow should be proxied
+					flowStr, err := f.VPP.Ctl("show upf flows")
+					framework.ExpectNoError(err)
+					gomega.Expect(flowStr).NotTo(gomega.ContainSubstring("proxy 0"))
+					gomega.Expect(flowStr).To(gomega.ContainSubstring("proxy 1"))
+				})
+
+				ginkgo.It("should not prevent ADF from working (app hit)", func() {
+					verify(smallVolumeHTTPConfig(&traffic.HTTPConfig{
+						UseFakeHostname: true,
+					}))
+					verifyAppMeasurement(f, ms, layers.IPProtocolTCP, nil)
+
+					// the flow should be proxied
+					flowStr, err := f.VPP.Ctl("show upf flows")
+					framework.ExpectNoError(err)
+					gomega.Expect(flowStr).NotTo(gomega.ContainSubstring("proxy 0"))
+					gomega.Expect(flowStr).To(gomega.ContainSubstring("proxy 1"))
+				})
+			}
+
+			ginkgo.Context("[port based]", func() {
+				ginkgo.BeforeEach(func() {
+					bypassTrafficCfg = traffic.HTTPConfig{
+						ClientPort: 8883,
+						ServerPort: 8883,
+					}
+					sessionCfg := framework.SessionConfig{
+						AppName:        framework.HTTPAppName,
+						NoADFSDFFilter: "permit out ip from any 8883 to assigned",
+					}
+					seid = startMeasurementSession(f, &sessionCfg)
+				})
+
+				describeProxyBypass(false)
+			})
+
+			ginkgo.Context("[ip based]", func() {
+				ginkgo.BeforeEach(func() {
+					bypassServerIP := f.AddServerIP()
+					bypassTrafficCfg = traffic.HTTPConfig{
+						ServerIPs: []net.IP{bypassServerIP},
+					}
+					sessionCfg := framework.SessionConfig{
+						AppName: framework.HTTPAppName,
+						NoADFSDFFilter: fmt.Sprintf(
+							"permit out ip from %s to assigned",
+							bypassServerIP),
+					}
+					seid = startMeasurementSession(f, &sessionCfg)
+				})
+
+				describeProxyBypass(true)
+			})
+		})
+
 		sessionContext("[redirects]", framework.SessionConfig{Redirect: true}, func() {
 			ginkgo.It("counts UPG's HTTP redirects", func() {
 				verify(&traffic.RedirectConfig{