[SDFAB-1140] Test DENY app filtering rule via QER gating in STC

.env.stable

@@ -2,9 +2,9 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 
-PFCP_AGENT_IMAGE=omecproject/upf-epc-pfcpiface:master-dac1f1d
+PFCP_AGENT_IMAGE=omecproject/upf-epc-pfcpiface:master-7611c8a
 ONOS_IMAGE=opennetworking/sdfabric-onos:master-2022-03-05
-PFCPSIM_IMAGE=opennetworking/pfcpsim:1da9a55c
+PFCPSIM_IMAGE=opennetworking/pfcpsim:259d7fa4
 ATOMIX_IMAGE=atomix/atomix:3.1.12
 DBUF_IMAGE=opennetworking/dbuf:1.0.0
 MN_STRATUM_IMAGE=opennetworking/mn-stratum:latest@sha256:5f53ea1c5784ca89753e7a23ae64d52fe39371f9e0ac218883bc28864c37e373

scenarios/pfcp-app-filtering.xml

@@ -3,56 +3,106 @@
  ~ SPDX-FileCopyrightText: 2022-present Open Networking Foundation <[email protected]>
   -->
 <scenario name="pfcp-app-filtering" description="Set up and test application filtering with the PFCP client">
+<!-- FIXME: create two app with ALLOW and DENY to test app filtering in the same session.
+      Currently we do two separate tests one with ALLOW and another with DENY because
+      pfcpsim doesn't support multiple app-filtering rules
+-->
     <group name="Pfcp-App-Filtering">
-        <group name="Pfcp-Setup-App-Filtering">
-            <group name="Pfcp-Push-App-Filtering" delay="5">
+        <group name="Pfcp-Setup-App-Filtering-1">
+            <group name="Pfcp-Push-App-Filtering-1" delay="5">
                 <sequential var="${ENODEB#}"
-                            starts="Pfcp-Session-Create-App-Filtering-${#}"
-                            ends="Pfcp-Session-App-Filtering-${#-1}">
-                    <step name="Pfcp-Session-Create-App-Filtering-${#}"
-                          exec="${DOCKER_COMPOSE_CMD} exec -T mock-smf pfcpctl session create --count 5 --baseID ${#}0 --ue-pool 17.0.${#-1}.0/24 --gnb-addr 140.0.10${#-1}.1 --sdf-filter 'permit out ip from 0.0.0.0/0 to assigned 81-81'"/>
-                    <step name="Pfcp-Session-App-Filtering-${#}" requires="^"
+                            starts="Pfcp-Session-Create-App-Filtering-${#}-1"
+                            ends="Pfcp-Session-App-Filtering-${#-1}-1">
+                    <step name="Pfcp-Session-Create-App-Filtering-${#}-1"
+                          exec="${DOCKER_COMPOSE_CMD} exec -T mock-smf pfcpctl session create --count 5 --baseID ${#}0 --ue-pool 17.0.${#-1}.0/24 --gnb-addr 140.0.10${#-1}.1 --app-filter 'udp:0.0.0.0/0:81-81:allow'"/>
+                    <step name="Pfcp-Session-App-Filtering-${#}-1" requires="^"
                           exec="${DOCKER_COMPOSE_CMD} exec -T mock-smf pfcpctl session modify --count 5 --baseID ${#}0 --ue-pool 17.0.${#-1}.0/24 --gnb-addr 140.0.10${#-1}.1"/>
                 </sequential>
             </group>
-            <step name="Check-Up4-Flows-App-Filtering" requires="Pfcp-Push-App-Filtering" delay="5"
+            <step name="Check-Up4-Flows-App-Filtering-1" requires="Pfcp-Push-App-Filtering-1" delay="5"
                   exec="onos-cli-grep ${OCI} up4:read-flows 'Apps=1, UL sess=${PFCP_UP4_FLOWS}, UL flows=${PFCP_UP4_FLOWS}, DL flows=${PFCP_UP4_FLOWS}'"/>
-            <step name="Check-Flow-Rules-App-Filtering" requires="Pfcp-Push-App-Filtering" delay="5"
+            <step name="Check-Flow-Rules-App-Filtering-1" requires="Pfcp-Push-App-Filtering-1" delay="5"
                   exec="onos-check-flows ${OCI}"/>
         </group>
-        <group name="Check-Traffic-App-Filtering-Negative" requires="Pfcp-Setup-App-Filtering" delay="5">
+        <!-- Verify that traffic not matching the application filter is dropped -->
+        <group name="Check-Traffic-App-Filtering-Negative-1" requires="Pfcp-Setup-App-Filtering-1" delay="5">
             <parallel var="${ENODEB#}">
                 <!-- Downlink -->
-                <step name="Downlink-Enb-Recv-Gtp-Drop-App-Filtering-${#}" requires="Pfcp-Setup-App-Filtering" env="!"
-                      exec="mn-cmd ${ENODEB#} traffic.py recv-gtp -t 10 --teid-base ${#}0 --ue-pool 17.0.${#-1}.0/24 --enb-addr 140.0.10${#-1}.1 --pdn-port ${#}00"/>
-                <step name="Downlink-Pdn-Send-Udp-Drop-App-Filtering-${#}" requires="Pfcp-Setup-App-Filtering" delay="5"
-                      exec="mn-cmd pdn traffic.py send-udp -c 10 --ue-pool 17.0.${#-1}.0/24 --enb-addr 140.0.10${#-1}.1 --pdn-port ${#}00"/>
+                <step name="Downlink-Enb-Recv-Gtp-Drop-App-Filtering-${#}-1" requires="Pfcp-Setup-App-Filtering-1"
+                      exec="mn-cmd ${ENODEB#} traffic.py recv-none -t 10"/>
+                <step name="Downlink-Pdn-Send-Udp-Drop-App-Filtering-${#}-1" requires="Pfcp-Setup-App-Filtering-1" delay="5"
+                      exec="mn-cmd pdn traffic.py send-udp -c 10 --ue-pool 17.0.${#-1}.0/24 --enb-addr 140.0.10${#-1}.1 --pdn-port 100"/>
                 <!-- Uplink -->
-                <step name="Uplink-Pdn-Recv-Udp-Drop-App-Filtering-${#}" requires="Pfcp-Setup-App-Filtering" env="!"
-                      exec="mn-cmd pdn traffic.py recv-udp -t 10 --ue-pool 17.0.${#-1}.0/24 --enb-addr 140.0.10${#-1}.1 --pdn-port ${#}00"/>
-                <step name="Uplink-Enb-Send-Gtp-Drop-App-Filtering-${#}" requires="Pfcp-Setup-App-Filtering" delay="5"
-                      exec="mn-cmd ${ENODEB#} traffic.py send-gtp -c 10 --teid-base ${#}0 --ue-pool 17.0.${#-1}.0/24 --enb-addr 140.0.10${#-1}.1 --pdn-port ${#}00"/>
+                <step name="Uplink-Pdn-Recv-Udp-Drop-App-Filtering-${#}-1"
+                      requires="Pfcp-Setup-App-Filtering-1,~Downlink-Enb-Recv-Gtp-Drop-App-Filtering-${#}-1,~Downlink-Pdn-Send-Udp-Drop-App-Filtering-${#}-1"
+                      exec="mn-cmd pdn traffic.py recv-none -t 10"/>
+                <step name="Uplink-Enb-Send-Gtp-Drop-App-Filtering-${#}-1"
+                      requires="Pfcp-Setup-App-Filtering-1,~Downlink-Enb-Recv-Gtp-Drop-App-Filtering-${#}-1,~Downlink-Pdn-Send-Udp-Drop-App-Filtering-${#}-1"
+                      delay="5"
+                      exec="mn-cmd ${ENODEB#} traffic.py send-gtp -c 10 --teid-base ${#}0 --ue-pool 17.0.${#-1}.0/24 --enb-addr 140.0.10${#-1}.1 --pdn-port 100"/>
             </parallel>
         </group>
-        <group name="Check-Traffic-App-Filtering-Positive" requires="~Check-Traffic-App-Filtering-Negative" delay="5">
+        <!-- Verify that traffic matching the application filter is forwarded -->
+        <group name="Check-Traffic-App-Filtering-Positive-1" requires="~Check-Traffic-App-Filtering-Negative-1" delay="5">
             <parallel var="${ENODEB#}">
                 <!-- Downlink -->
-                <step name="Downlink-Enb-Recv-Gtp-App-Filtering-${#}" requires="~Check-Traffic-App-Filtering-Negative"
+                <step name="Downlink-Enb-Recv-Gtp-App-Filtering-${#}-1" requires="~Check-Traffic-App-Filtering-Negative-1"
                       exec="mn-cmd ${ENODEB#} traffic.py recv-gtp -t 10 --flow-count 5 --teid-base ${#}0 --ue-pool 17.0.${#-1}.0/24 --enb-addr 140.0.10${#-1}.1 --pdn-port 81"/>
-                <step name="Downlink-Pdn-Send-Udp-App-Filtering-${#}" requires="~Check-Traffic-App-Filtering-Negative" delay="5"
+                <step name="Downlink-Pdn-Send-Udp-App-Filtering-${#}-1" requires="~Check-Traffic-App-Filtering-Negative-1" delay="5"
                       exec="mn-cmd pdn traffic.py send-udp -c 10 --flow-count 5 --ue-pool 17.0.${#-1}.0/24 --enb-addr 140.0.10${#-1}.1 --pdn-port 81"/>
                 <!-- Uplink -->
-                <step name="Uplink-Pdn-Recv-Udp-App-Filtering-${#}" requires="~Check-Traffic-App-Filtering-Negative"
+                <step name="Uplink-Pdn-Recv-Udp-App-Filtering-${#}-1" requires="~Check-Traffic-App-Filtering-Negative-1"
                       exec="mn-cmd pdn traffic.py recv-udp -t 10 --flow-count 5 --ue-pool 17.0.${#-1}.0/24 --enb-addr 140.0.10${#-1}.1 --pdn-port 81"/>
-                <step name="Uplink-Enb-Send-Gtp-App-Filtering-${#}" requires="~Check-Traffic-App-Filtering-Negative" delay="5"
+                <step name="Uplink-Enb-Send-Gtp-App-Filtering-${#}-1" requires="~Check-Traffic-App-Filtering-Negative-1" delay="5"
                       exec="mn-cmd ${ENODEB#} traffic.py send-gtp -c 10 --flow-count 5 --teid-base ${#}0 --ue-pool 17.0.${#-1}.0/24 --enb-addr 140.0.10${#-1}.1 --pdn-port 81"/>
             </parallel>
         </group>
-        <group name="Pfcp-Clear-App-Filtering">
+        <group name="Pfcp-Clear-App-Filtering-1">
+            <sequential var="${ENODEB#}"
+                        starts="Clear-App-Filtering-${#}-1"
+                        ends="Clear-App-Filtering-${#-1}-1">
+                <step name="Clear-App-Filtering-${#}-1" requires="~Check-Traffic-App-Filtering-Negative-1,~Check-Traffic-App-Filtering-Positive-1"
+                      exec="${DOCKER_COMPOSE_CMD} exec -T mock-smf pfcpctl session delete --count 5 --baseID ${#}0"/>
+            </sequential>
+        </group>
+        <group name="Pfcp-Setup-App-Filtering-2" requires="Pfcp-Clear-App-Filtering-1">
+            <group name="Pfcp-Push-App-Filtering-2" delay="5">
+                <sequential var="${ENODEB#}"
+                            starts="Pfcp-Session-Create-App-Filtering-${#}-2"
+                            ends="Pfcp-Session-App-Filtering-${#-1}-2">
+                    <step name="Pfcp-Session-Create-App-Filtering-${#}-2"
+                          exec="${DOCKER_COMPOSE_CMD} exec -T mock-smf pfcpctl session create --count 5 --baseID ${#}0 --ue-pool 17.0.${#-1}.0/24 --gnb-addr 140.0.10${#-1}.1 --app-filter 'ip:any:any:deny'"/>
+                    <step name="Pfcp-Session-App-Filtering-${#}-2" requires="Pfcp-Session-Create-App-Filtering-${#}-2"
+                          exec="${DOCKER_COMPOSE_CMD} exec -T mock-smf pfcpctl session modify --count 5 --baseID ${#}0 --ue-pool 17.0.${#-1}.0/24 --gnb-addr 140.0.10${#-1}.1"/>
+                </sequential>
+            </group>
+            <step name="Check-Up4-Flows-App-Filtering-2" requires="Pfcp-Push-App-Filtering-2" delay="5"
+                  exec="onos-cli-grep ${OCI} up4:read-flows 'Apps=1, UL sess=${PFCP_UP4_FLOWS}, UL flows=${PFCP_UP4_FLOWS}, DL flows=${PFCP_UP4_FLOWS}'"/>
+            <step name="Check-Flow-Rules-App-Filtering-2" requires="Pfcp-Push-App-Filtering-2" delay="5"
+                  exec="onos-check-flows ${OCI}"/>
+        </group>
+        <group name="Check-Traffic-App-Filtering-Negative-2" requires="Pfcp-Setup-App-Filtering-2" delay="5">
+            <parallel var="${ENODEB#}">
+                <!-- Downlink -->
+                <step name="Downlink-Enb-Recv-Gtp-Drop-App-Filtering-${#}-2" requires="Pfcp-Setup-App-Filtering-2"
+                      exec="mn-cmd ${ENODEB#} traffic.py recv-none -t 10"/>
+                <step name="Downlink-Pdn-Send-Udp-Drop-App-Filtering-${#}-2" requires="Pfcp-Setup-App-Filtering-2" delay="5"
+                      exec="mn-cmd pdn traffic.py send-udp -c 10 --ue-pool 17.0.${#-1}.0/24 --enb-addr 140.0.10${#-1}.1 --pdn-port ${#}00"/>
+                <!-- Uplink -->
+                <step name="Uplink-Pdn-Recv-Udp-Drop-App-Filtering-${#}-2"
+                      requires="Pfcp-Setup-App-Filtering-2,~Downlink-Enb-Recv-Gtp-Drop-App-Filtering-${#}-2,~Downlink-Pdn-Send-Udp-Drop-App-Filtering-${#}-2"
+                      exec="mn-cmd pdn traffic.py recv-none -t 10"/>
+                <step name="Uplink-Enb-Send-Gtp-Drop-App-Filtering-${#}-2"
+                      requires="Pfcp-Setup-App-Filtering-2,~Downlink-Enb-Recv-Gtp-Drop-App-Filtering-${#}-2,~Downlink-Pdn-Send-Udp-Drop-App-Filtering-${#}-2"
+                      delay="5"
+                      exec="mn-cmd ${ENODEB#} traffic.py send-gtp -c 10 --teid-base ${#}0 --ue-pool 17.0.${#-1}.0/24 --enb-addr 140.0.10${#-1}.1 --pdn-port ${#}00"/>
+            </parallel>
+        </group>
+        <group name="Pfcp-Clear-App-Filtering-2">
             <sequential var="${ENODEB#}"
-                starts="Clear-App-Filtering-${#}"
-                ends="Clear-App-Filtering-${#-1}">
-                <step name="Clear-App-Filtering-${#}" requires="~Check-Traffic-App-Filtering-Negative,~Check-Traffic-App-Filtering-Positive"
+                        starts="Clear-App-Filtering-${#}-2"
+                        ends="Clear-App-Filtering-${#-1}-2">
+                <step name="Clear-App-Filtering-${#}-2" requires="~Check-Traffic-App-Filtering-Negative-2"
                       exec="${DOCKER_COMPOSE_CMD} exec -T mock-smf pfcpctl session delete --count 5 --baseID ${#}0"/>
             </sequential>
         </group>