+ if action == PolicyAction.PROTECT:
+ raise NotImplementedError("Policy action PROTECT is not supported.")
+
+ spd_id_dir1 = 1
+ spd_id_dir2 = 2
+ matching_priority = 1
+
+ IPsecUtil.vpp_ipsec_add_spd(node, spd_id_dir1)
+ IPsecUtil.vpp_ipsec_spd_add_if(node, spd_id_dir1, dir1_interface)
+ # matching entry direction 1
+ IPsecUtil.vpp_ipsec_add_spd_entry(
+ node,
+ spd_id_dir1,
+ matching_priority,
+ action,
+ inbound=inbound,
+ laddr_range=local_addr_range,
+ raddr_range=remote_addr_range,
+ )
+
+ if bidirectional:
+ IPsecUtil.vpp_ipsec_add_spd(node, spd_id_dir2)
+ IPsecUtil.vpp_ipsec_spd_add_if(node, spd_id_dir2, dir2_interface)
+
+ # matching entry direction 2, the address ranges are switched
+ IPsecUtil.vpp_ipsec_add_spd_entry(
+ node,
+ spd_id_dir2,
+ matching_priority,
+ action,
+ inbound=inbound,
+ laddr_range=remote_addr_range,
+ raddr_range=local_addr_range,
+ )
+
+ # non-matching entries
+ no_match_entry_amount = entry_amount - 1
+ if no_match_entry_amount > 0:
+ # create a NetworkIncrement representation of the network,
+ # then skip the matching network
+ no_match_local_addr_range = NetworkIncrement(
+ ip_network(local_addr_range)
+ )
+ next(no_match_local_addr_range)
+
+ no_match_remote_addr_range = NetworkIncrement(
+ ip_network(remote_addr_range)
+ )
+ next(no_match_remote_addr_range)
+
+ # non-matching entries direction 1
+ IPsecUtil.vpp_ipsec_add_spd_entries(
+ node,
+ no_match_entry_amount,
+ spd_id_dir1,
+ ObjIncrement(matching_priority + 1, 1),
+ action,
+ inbound=inbound,
+ laddr_range=no_match_local_addr_range,
+ raddr_range=no_match_remote_addr_range,
+ )
+
+ if bidirectional:
+ # reset the networks so that we're using a unified config
+ # the address ranges are switched
+ no_match_remote_addr_range = NetworkIncrement(
+ ip_network(local_addr_range)
+ )
+ next(no_match_remote_addr_range)
+
+ no_match_local_addr_range = NetworkIncrement(
+ ip_network(remote_addr_range)
+ )
+ next(no_match_local_addr_range)
+ # non-matching entries direction 2
+ IPsecUtil.vpp_ipsec_add_spd_entries(
+ node,
+ no_match_entry_amount,
+ spd_id_dir2,
+ ObjIncrement(matching_priority + 1, 1),
+ action,
+ inbound=inbound,
+ laddr_range=no_match_local_addr_range,
+ raddr_range=no_match_remote_addr_range,
+ )
+
+ IPsecUtil.vpp_ipsec_show_all(node)
+
+ @staticmethod
+ def _vpp_ipsec_add_spd_entry_internal(
+ executor: PapiSocketExecutor,
+ spd_id: int,
+ priority: int,
+ action: PolicyAction,
+ inbound: bool = True,
+ sa_id: Optional[int] = None,
+ proto: Optional[int] = None,
+ laddr_range: Optional[str] = None,
+ raddr_range: Optional[str] = None,
+ lport_range: Optional[str] = None,
+ rport_range: Optional[str] = None,
+ is_ipv6: bool = False,
+ ) -> None:
+ """Prepare to create Security Policy Database entry on the VPP node.
+
+ This just adds one more command to the executor.
+ The call site shall get replies once all entries are added,
+ to get speed benefit from async PAPI.
+
+ :param executor: Open PAPI executor (async handling) to add commands to.