+ def vpp_ipsec_create_spds_match_nth_entry(
+ node, dir1_interface, dir2_interface, entry_amount,
+ local_addr_range, remote_addr_range, action=PolicyAction.BYPASS,
+ inbound=False, bidirectional=True):
+ """Create one matching SPD entry for inbound or outbound traffic on
+ a DUT for each traffic direction and also create entry_amount - 1
+ non-matching SPD entries. Create a Security Policy Database on each
+ outbound interface where these entries will be configured.
+ The matching SPD entry will have the lowest priority, input action and
+ will be configured to match the IP flow. The non-matching entries will
+ be the same, except with higher priority and non-matching IP flows.
+
+ Action Protect is currently not supported.
+
+ :param node: VPP node to configured the SPDs and their entries.
+ :param dir1_interface: The interface in direction 1 where the entries
+ will be checked.
+ :param dir2_interface: The interface in direction 2 where the entries
+ will be checked.
+ :param entry_amount: The number of SPD entries to configure. If
+ entry_amount == 1, no non-matching entries will be configured.
+ :param local_addr_range: Matching local address range in direction 1
+ in format IP/prefix or IP/mask. If no mask is provided, it's
+ considered to be /32.
+ :param remote_addr_range: Matching remote address range in
+ direction 1 in format IP/prefix or IP/mask. If no mask is
+ provided, it's considered to be /32.
+ :param action: Policy action.
+ :param inbound: If True policy is for inbound traffic, otherwise
+ outbound.
+ :param bidirectional: When True, will create SPDs in both directions
+ of traffic. When False, only in one direction.
+ :type node: dict
+ :type dir1_interface: Union[string, int]
+ :type dir2_interface: Union[string, int]
+ :type entry_amount: int
+ :type local_addr_range:
+ Union[string, ipaddress.IPv4Address, ipaddress.IPv6Address]
+ :type remote_addr_range:
+ Union[string, ipaddress.IPv4Address, ipaddress.IPv6Address]
+ :type action: IPsecUtil.PolicyAction
+ :type inbound: bool
+ :type bidirectional: bool
+ :raises NotImplemented: When the action is PolicyAction.PROTECT.
+ """
+
+ if action == PolicyAction.PROTECT:
+ raise NotImplemented('Policy action PROTECT is not supported.')
+
+ spd_id_dir1 = 1
+ spd_id_dir2 = 2
+ matching_priority = 1
+
+ IPsecUtil.vpp_ipsec_add_spd(node, spd_id_dir1)
+ IPsecUtil.vpp_ipsec_spd_add_if(node, spd_id_dir1, dir1_interface)
+ # matching entry direction 1
+ IPsecUtil.vpp_ipsec_add_spd_entry(
+ node, spd_id_dir1, matching_priority, action,
+ inbound=inbound, laddr_range=local_addr_range,
+ raddr_range=remote_addr_range
+ )
+
+ if bidirectional:
+ IPsecUtil.vpp_ipsec_add_spd(node, spd_id_dir2)
+ IPsecUtil.vpp_ipsec_spd_add_if(node, spd_id_dir2, dir2_interface)
+
+ # matching entry direction 2, the address ranges are switched
+ IPsecUtil.vpp_ipsec_add_spd_entry(
+ node, spd_id_dir2, matching_priority, action,
+ inbound=inbound, laddr_range=remote_addr_range,
+ raddr_range=local_addr_range
+ )
+
+ # non-matching entries
+ no_match_entry_amount = entry_amount - 1
+ if no_match_entry_amount > 0:
+ # create a NetworkIncrement representation of the network,
+ # then skip the matching network
+ no_match_local_addr_range = NetworkIncrement(
+ ip_network(local_addr_range), 1
+ )
+ next(no_match_local_addr_range)
+
+ no_match_remote_addr_range = NetworkIncrement(
+ ip_network(remote_addr_range), 1
+ )
+ next(no_match_remote_addr_range)
+
+ # non-matching entries direction 1
+ IPsecUtil.vpp_ipsec_add_spd_entries(
+ node, no_match_entry_amount, spd_id_dir1,
+ ObjIncrement(matching_priority + 1, 1), action,
+ inbound=inbound, laddr_range=no_match_local_addr_range,
+ raddr_range=no_match_remote_addr_range
+ )
+
+ if bidirectional:
+ # reset the networks so that we're using a unified config
+ # the address ranges are switched
+ no_match_remote_addr_range = NetworkIncrement(
+ ip_network(local_addr_range), 1
+ )
+ next(no_match_remote_addr_range)
+
+ no_match_local_addr_range = NetworkIncrement(
+ ip_network(remote_addr_range), 1
+ )
+ next(no_match_local_addr_range)
+ # non-matching entries direction 2
+ IPsecUtil.vpp_ipsec_add_spd_entries(
+ node, no_match_entry_amount, spd_id_dir2,
+ ObjIncrement(matching_priority + 1, 1), action,
+ inbound=inbound, laddr_range=no_match_local_addr_range,
+ raddr_range=no_match_remote_addr_range
+ )
+
+ IPsecUtil.vpp_ipsec_show_all(node)
+
+ @staticmethod
+ def vpp_ipsec_add_spd_entry(