#2775 - Purging of more instances where the ARP acl rule is set and no longer necessary. Added a new test to show ARP is unaffected by ACL rules and actioned review comments

tests/conftest.py

@@ -350,7 +350,6 @@ def install_stuff_to_sim(sim: Simulation):
     network.connect(endpoint_a=server_2.network_interface[1], endpoint_b=switch_2.network_interface[2])
 
     # 2: Configure base ACL
-    router.acl.add_rule(action=ACLAction.PERMIT, src_port=Port.ARP, dst_port=Port.ARP, position=22)
     router.acl.add_rule(action=ACLAction.PERMIT, protocol=IPProtocol.ICMP, position=23)
     router.acl.add_rule(action=ACLAction.PERMIT, src_port=Port.DNS, dst_port=Port.DNS, position=1)
     router.acl.add_rule(action=ACLAction.PERMIT, src_port=Port.HTTP, dst_port=Port.HTTP, position=3)
@@ -382,8 +381,6 @@ def install_stuff_to_sim(sim: Simulation):
             assert acl_rule.src_port == acl_rule.dst_port == Port.DNS
         elif i == 3:
             assert acl_rule.src_port == acl_rule.dst_port == Port.HTTP
-        elif i == 22:
-            assert acl_rule.src_port == acl_rule.dst_port == Port.ARP
         elif i == 23:
             assert acl_rule.protocol == IPProtocol.ICMP
         elif i == 24:

tests/integration_tests/game_layer/test_actions.py

@@ -115,7 +115,7 @@ def test_router_acl_addrule_integration(game_and_agent: Tuple[PrimaiteGame, Prox
     server_1 = game.simulation.network.get_node_by_hostname("server_1")
     server_2 = game.simulation.network.get_node_by_hostname("server_2")
     router = game.simulation.network.get_node_by_hostname("router")
-    assert router.acl.num_rules == 4
+    assert router.acl.num_rules == 3
     assert client_1.ping("10.0.2.3")  # client_1 can ping server_2
     assert server_2.ping("10.0.1.2")  # server_2 can ping client_1
 
@@ -138,8 +138,8 @@ def test_router_acl_addrule_integration(game_and_agent: Tuple[PrimaiteGame, Prox
     agent.store_action(action)
     game.step()
 
-    # 3: Check that the ACL now has 5 rules, and that client 1 cannot ping server 2
-    assert router.acl.num_rules == 5
+    # 3: Check that the ACL now has 4 rules, and that client 1 cannot ping server 2
+    assert router.acl.num_rules == 4
     assert not client_1.ping("10.0.2.3")  # Cannot ping server_2
     assert client_1.ping("10.0.2.2")  # Can ping server_1
     assert not server_2.ping(
@@ -165,8 +165,8 @@ def test_router_acl_addrule_integration(game_and_agent: Tuple[PrimaiteGame, Prox
     agent.store_action(action)
     game.step()
 
-    # 5: Check that the ACL now has 6 rules, but that server_1 can still ping server_2
-    assert router.acl.num_rules == 6
+    # 5: Check that the ACL now has 5 rules, but that server_1 can still ping server_2
+    assert router.acl.num_rules == 5
     assert server_1.ping("10.0.2.3")  # Can ping server_2
 
 
@@ -195,8 +195,8 @@ def test_router_acl_removerule_integration(game_and_agent: Tuple[PrimaiteGame, P
     agent.store_action(action)
     game.step()
 
-    # 3: Check that the ACL now has 3 rules, and that client 1 cannot access example.com
-    assert router.acl.num_rules == 3
+    # 3: Check that the ACL now has 2 rules, and that client 1 cannot access example.com
+    assert router.acl.num_rules == 2
     assert not browser.get_webpage()
     client_1.software_manager.software.get("DNSClient").dns_cache.clear()
     assert client_1.ping("10.0.2.2")  # pinging still works because ICMP is allowed

tests/integration_tests/network/test_routing.py

@@ -73,7 +73,6 @@ def multi_hop_network() -> Network:
     router_1.enable_port(2)
 
     # Configure Router 1 ACLs
-    router_1.acl.add_rule(action=ACLAction.PERMIT, src_port=Port.ARP, dst_port=Port.ARP, position=22)
     router_1.acl.add_rule(action=ACLAction.PERMIT, protocol=IPProtocol.ICMP, position=23)
 
     # Configure PC B

tests/integration_tests/network/test_wireless_router.py

@@ -37,7 +37,6 @@ def wireless_wan_network():
     network.connect(pc_a.network_interface[1], router_1.network_interface[2])
 
     # Configure Router 1 ACLs
-    router_1.acl.add_rule(action=ACLAction.PERMIT, src_port=Port.ARP, dst_port=Port.ARP, position=22)
     router_1.acl.add_rule(action=ACLAction.PERMIT, protocol=IPProtocol.ICMP, position=23)
 
     # Configure PC B

tests/integration_tests/system/test_arp.py

@@ -1,5 +1,7 @@
 # © Crown-owned copyright 2024, Defence Science and Technology Laboratory UK
-from primaite.simulator.network.hardware.nodes.network.router import RouterARP
+from primaite.simulator.network.hardware.nodes.network.router import ACLAction, Router, RouterARP
+from primaite.simulator.network.transmission.network_layer import IPProtocol
+from primaite.simulator.network.transmission.transport_layer import Port
 from primaite.simulator.system.services.arp.arp import ARP
 from tests.integration_tests.network.test_routing import multi_hop_network
 
@@ -48,3 +50,19 @@ def test_arp_fails_for_network_address_between_routers(multi_hop_network):
     actual_result = router_1_arp.get_arp_cache_mac_address(router_1.network_interface[1].ip_network.network_address)
 
     assert actual_result == expected_result
+
+
+def test_arp_not_affected_by_acl(multi_hop_network):
+    pc_a = multi_hop_network.get_node_by_hostname("pc_a")
+    router_1: Router = multi_hop_network.get_node_by_hostname("router_1")
+
+    # Add explicit rule to block ARP traffic. This shouldn't actually stop ARP traffic
+    # as it operates a different layer within the network.
+    router_1.acl.add_rule(action=ACLAction.DENY, src_port=Port.ARP, dst_port=Port.ARP, position=23)
+
+    pc_a_arp: ARP = pc_a.software_manager.arp
+
+    expected_result = router_1.network_interface[2].mac_address
+    actual_result = pc_a_arp.get_arp_cache_mac_address(router_1.network_interface[2].ip_address)
+
+    assert actual_result == expected_result

tests/unit_tests/_primaite/_simulator/_system/_services/test_terminal.py

@@ -77,7 +77,6 @@ def wireless_wan_network():
     network.connect(pc_a.network_interface[1], router_1.network_interface[2])
 
     # Configure Router 1 ACLs
-    router_1.acl.add_rule(action=ACLAction.PERMIT, src_port=Port.ARP, dst_port=Port.ARP, position=22)
     router_1.acl.add_rule(action=ACLAction.PERMIT, protocol=IPProtocol.ICMP, position=23)
 
     # add ACL rule to allow SSH traffic