vppinfra: AVX512 mask load/stores and compress store

[vpp.git] / test / test_ipsec_tun_if_esp.py
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py

index 7e36d13..6534dd6 100644 (file)
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@@ -7,13 +7,16 @@ from scapy.layers.l2 import Ether, GRE, Dot1Q
  from scapy.packet import Raw
  from scapy.layers.inet import IP, UDP
  from scapy.layers.inet6 import IPv6
  from scapy.packet import Raw
  from scapy.layers.inet import IP, UDP
  from scapy.layers.inet6 import IPv6
+from scapy.contrib.mpls import MPLS
+from framework import tag_fixme_vpp_workers
  from framework import VppTestRunner
  from template_ipsec import TemplateIpsec, IpsecTun4Tests, IpsecTun6Tests, \
      IpsecTun4, IpsecTun6,  IpsecTcpTests, mk_scapy_crypt_key, \
      IpsecTun6HandoffTests, IpsecTun4HandoffTests, config_tun_params
  from vpp_gre_interface import VppGreInterface
  from vpp_ipip_tun_interface import VppIpIpTunInterface
  from framework import VppTestRunner
  from template_ipsec import TemplateIpsec, IpsecTun4Tests, IpsecTun6Tests, \
      IpsecTun4, IpsecTun6,  IpsecTcpTests, mk_scapy_crypt_key, \
      IpsecTun6HandoffTests, IpsecTun4HandoffTests, config_tun_params
  from vpp_gre_interface import VppGreInterface
  from vpp_ipip_tun_interface import VppIpIpTunInterface
-from vpp_ip_route import VppIpRoute, VppRoutePath, DpoProto
+from vpp_ip_route import VppIpRoute, VppRoutePath, DpoProto, VppMplsLabel, \
+    VppMplsTable, VppMplsRoute, FibPathProto
  from vpp_ipsec import VppIpsecSA, VppIpsecTunProtect, VppIpsecInterface
  from vpp_l2 import VppBridgeDomain, VppBridgeDomainPort
  from vpp_sub_interface import L2_VTR_OP, VppDot1QSubint
  from vpp_ipsec import VppIpsecSA, VppIpsecTunProtect, VppIpsecInterface
  from vpp_l2 import VppBridgeDomain, VppBridgeDomainPort
  from vpp_sub_interface import L2_VTR_OP, VppDot1QSubint
@@ -22,6 +25,7 @@ from util import ppp
  from vpp_papi import VppEnum
  from vpp_papi_provider import CliFailedCommandError
  from vpp_acl import AclRule, VppAcl, VppAclInterface
  from vpp_papi import VppEnum
  from vpp_papi_provider import CliFailedCommandError
  from vpp_acl import AclRule, VppAcl, VppAclInterface
+from vpp_policer import PolicerAction, VppPolicer
  
  
  def config_tun_params(p, encryption_type, tun_if, src=None, dst=None):
  
  
  def config_tun_params(p, encryption_type, tun_if, src=None, dst=None):
@@ -86,7 +90,7 @@ class TemplateIpsec4TunProtect(object):
  
      encryption_type = ESP
      tun4_encrypt_node_name = "esp4-encrypt-tun"
  
      encryption_type = ESP
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
      tun4_input_node = "ipsec4-tun-input"
  
      def config_sa_tra(self, p):
      tun4_input_node = "ipsec4-tun-input"
  
      def config_sa_tra(self, p):
@@ -203,7 +207,7 @@ class TemplateIpsec4TunIfEspUdp(TemplateIpsec4TunProtect,
      """ IPsec UDP tunnel interface tests """
  
      tun4_encrypt_node_name = "esp4-encrypt-tun"
      """ IPsec UDP tunnel interface tests """
  
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
      encryption_type = ESP
  
      @classmethod
      encryption_type = ESP
  
      @classmethod
@@ -280,7 +284,7 @@ class TemplateIpsec4TunIfEspUdp(TemplateIpsec4TunProtect,
  class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests):
      """ Ipsec ESP - TUN tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
  class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests):
      """ Ipsec ESP - TUN tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
  
      def test_tun_basic64(self):
          """ ipsec 6o4 tunnel basic test """
  
      def test_tun_basic64(self):
          """ ipsec 6o4 tunnel basic test """
@@ -447,7 +451,7 @@ class TestIpsec6TunIfEsp1(TemplateIpsec6TunIfEsp,
                            IpsecTun6Tests):
      """ Ipsec ESP - TUN tests """
      tun6_encrypt_node_name = "esp6-encrypt-tun"
                            IpsecTun6Tests):
      """ Ipsec ESP - TUN tests """
      tun6_encrypt_node_name = "esp6-encrypt-tun"
-    tun6_decrypt_node_name = "esp6-decrypt-tun"
+    tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
  
      def test_tun_basic46(self):
          """ ipsec 4o6 tunnel basic test """
  
      def test_tun_basic46(self):
          """ ipsec 4o6 tunnel basic test """
@@ -464,16 +468,147 @@ class TestIpsec6TunIfEspHandoff(TemplateIpsec6TunIfEsp,
                                  IpsecTun6HandoffTests):
      """ Ipsec ESP 6 Handoff tests """
      tun6_encrypt_node_name = "esp6-encrypt-tun"
                                  IpsecTun6HandoffTests):
      """ Ipsec ESP 6 Handoff tests """
      tun6_encrypt_node_name = "esp6-encrypt-tun"
-    tun6_decrypt_node_name = "esp6-decrypt-tun"
+    tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
+
+    def test_tun_handoff_66_police(self):
+        """ ESP 6o6 tunnel with policer worker hand-off test """
+        self.vapi.cli("clear errors")
+        self.vapi.cli("clear ipsec sa")
+
+        N_PKTS = 15
+        p = self.params[socket.AF_INET6]
+
+        action_tx = PolicerAction(
+            VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT,
+            0)
+        policer = VppPolicer(self, "pol1", 80, 0, 1000, 0,
+                             conform_action=action_tx,
+                             exceed_action=action_tx,
+                             violate_action=action_tx)
+        policer.add_vpp_config()
+
+        # Start policing on tun
+        policer.apply_vpp_config(p.tun_if.sw_if_index, True)
+
+        for pol_bind in [1, 0]:
+            policer.bind_vpp_config(pol_bind, True)
+
+            # inject alternately on worker 0 and 1.
+            for worker in [0, 1, 0, 1]:
+                send_pkts = self.gen_encrypt_pkts6(p, p.scapy_tun_sa,
+                                                   self.tun_if,
+                                                   src=p.remote_tun_if_host,
+                                                   dst=self.pg1.remote_ip6,
+                                                   count=N_PKTS)
+                recv_pkts = self.send_and_expect(self.tun_if, send_pkts,
+                                                 self.pg1, worker=worker)
+                self.verify_decrypted6(p, recv_pkts)
+                self.logger.debug(self.vapi.cli("show trace max 100"))
+
+            stats = policer.get_stats()
+            stats0 = policer.get_stats(worker=0)
+            stats1 = policer.get_stats(worker=1)
+
+            if pol_bind == 1:
+                # First pass: Worker 1, should have done all the policing
+                self.assertEqual(stats, stats1)
+
+                # Worker 0, should have handed everything off
+                self.assertEqual(stats0['conform_packets'], 0)
+                self.assertEqual(stats0['exceed_packets'], 0)
+                self.assertEqual(stats0['violate_packets'], 0)
+            else:
+                # Second pass: both workers should have policed equal amounts
+                self.assertGreater(stats1['conform_packets'], 0)
+                self.assertEqual(stats1['exceed_packets'], 0)
+                self.assertGreater(stats1['violate_packets'], 0)
+
+                self.assertGreater(stats0['conform_packets'], 0)
+                self.assertEqual(stats0['exceed_packets'], 0)
+                self.assertGreater(stats0['violate_packets'], 0)
+
+                self.assertEqual(stats0['conform_packets'] +
+                                 stats0['violate_packets'],
+                                 stats1['conform_packets'] +
+                                 stats1['violate_packets'])
+
+        policer.apply_vpp_config(p.tun_if.sw_if_index, False)
+        policer.remove_vpp_config()
  
  
  class TestIpsec4TunIfEspHandoff(TemplateIpsec4TunIfEsp,
                                  IpsecTun4HandoffTests):
      """ Ipsec ESP 4 Handoff tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
  
  
  class TestIpsec4TunIfEspHandoff(TemplateIpsec4TunIfEsp,
                                  IpsecTun4HandoffTests):
      """ Ipsec ESP 4 Handoff tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
  
  
+    def test_tun_handoff_44_police(self):
+        """ ESP 4o4 tunnel with policer worker hand-off test """
+        self.vapi.cli("clear errors")
+        self.vapi.cli("clear ipsec sa")
  
  
+        N_PKTS = 15
+        p = self.params[socket.AF_INET]
+
+        action_tx = PolicerAction(
+            VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT,
+            0)
+        policer = VppPolicer(self, "pol1", 80, 0, 1000, 0,
+                             conform_action=action_tx,
+                             exceed_action=action_tx,
+                             violate_action=action_tx)
+        policer.add_vpp_config()
+
+        # Start policing on tun
+        policer.apply_vpp_config(p.tun_if.sw_if_index, True)
+
+        for pol_bind in [1, 0]:
+            policer.bind_vpp_config(pol_bind, True)
+
+            # inject alternately on worker 0 and 1.
+            for worker in [0, 1, 0, 1]:
+                send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa,
+                                                  self.tun_if,
+                                                  src=p.remote_tun_if_host,
+                                                  dst=self.pg1.remote_ip4,
+                                                  count=N_PKTS)
+                recv_pkts = self.send_and_expect(self.tun_if, send_pkts,
+                                                 self.pg1, worker=worker)
+                self.verify_decrypted(p, recv_pkts)
+                self.logger.debug(self.vapi.cli("show trace max 100"))
+
+            stats = policer.get_stats()
+            stats0 = policer.get_stats(worker=0)
+            stats1 = policer.get_stats(worker=1)
+
+            if pol_bind == 1:
+                # First pass: Worker 1, should have done all the policing
+                self.assertEqual(stats, stats1)
+
+                # Worker 0, should have handed everything off
+                self.assertEqual(stats0['conform_packets'], 0)
+                self.assertEqual(stats0['exceed_packets'], 0)
+                self.assertEqual(stats0['violate_packets'], 0)
+            else:
+                # Second pass: both workers should have policed equal amounts
+                self.assertGreater(stats1['conform_packets'], 0)
+                self.assertEqual(stats1['exceed_packets'], 0)
+                self.assertGreater(stats1['violate_packets'], 0)
+
+                self.assertGreater(stats0['conform_packets'], 0)
+                self.assertEqual(stats0['exceed_packets'], 0)
+                self.assertGreater(stats0['violate_packets'], 0)
+
+                self.assertEqual(stats0['conform_packets'] +
+                                 stats0['violate_packets'],
+                                 stats1['conform_packets'] +
+                                 stats1['violate_packets'])
+
+        policer.apply_vpp_config(p.tun_if.sw_if_index, False)
+        policer.remove_vpp_config()
+
+
+@tag_fixme_vpp_workers
  class TestIpsec4MultiTunIfEsp(TemplateIpsec4TunProtect,
                                TemplateIpsec,
                                IpsecTun4):
  class TestIpsec4MultiTunIfEsp(TemplateIpsec4TunProtect,
                                TemplateIpsec,
                                IpsecTun4):
@@ -481,7 +616,7 @@ class TestIpsec4MultiTunIfEsp(TemplateIpsec4TunProtect,
  
      encryption_type = ESP
      tun4_encrypt_node_name = "esp4-encrypt-tun"
  
      encryption_type = ESP
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
  
      def setUp(self):
          super(TestIpsec4MultiTunIfEsp, self).setUp()
  
      def setUp(self):
          super(TestIpsec4MultiTunIfEsp, self).setUp()
@@ -519,10 +654,8 @@ class TestIpsec4MultiTunIfEsp(TemplateIpsec4TunProtect,
          """Multiple IPSEC tunnel interfaces """
          for p in self.multi_params:
              self.verify_tun_44(p, count=127)
          """Multiple IPSEC tunnel interfaces """
          for p in self.multi_params:
              self.verify_tun_44(p, count=127)
-            c = p.tun_if.get_rx_stats()
-            self.assertEqual(c['packets'], 127)
-            c = p.tun_if.get_tx_stats()
-            self.assertEqual(c['packets'], 127)
+            self.assertEqual(p.tun_if.get_rx_stats(), 127)
+            self.assertEqual(p.tun_if.get_tx_stats(), 127)
  
      def test_tun_rr_44(self):
          """ Round-robin packets acrros multiple interface """
  
      def test_tun_rr_44(self):
          """ Round-robin packets acrros multiple interface """
@@ -553,7 +686,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec4TunProtect,
  
      encryption_type = ESP
      tun4_encrypt_node_name = "esp4-encrypt-tun"
  
      encryption_type = ESP
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
  
      def setUp(self):
          super(TestIpsec4TunIfEspAll, self).setUp()
  
      def setUp(self):
          super(TestIpsec4TunIfEspAll, self).setUp()
@@ -711,7 +844,7 @@ class TestIpsec4TunIfEspNoAlgo(TemplateIpsec4TunProtect,
  
      encryption_type = ESP
      tun4_encrypt_node_name = "esp4-encrypt-tun"
  
      encryption_type = ESP
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
  
      def setUp(self):
          super(TestIpsec4TunIfEspNoAlgo, self).setUp()
  
      def setUp(self):
          super(TestIpsec4TunIfEspNoAlgo, self).setUp()
@@ -748,6 +881,7 @@ class TestIpsec4TunIfEspNoAlgo(TemplateIpsec4TunProtect,
          self.unconfig_network(p)
  
  
          self.unconfig_network(p)
  
  
+@tag_fixme_vpp_workers
  class TestIpsec6MultiTunIfEsp(TemplateIpsec6TunProtect,
                                TemplateIpsec,
                                IpsecTun6):
  class TestIpsec6MultiTunIfEsp(TemplateIpsec6TunProtect,
                                TemplateIpsec,
                                IpsecTun6):
@@ -755,7 +889,7 @@ class TestIpsec6MultiTunIfEsp(TemplateIpsec6TunProtect,
  
      encryption_type = ESP
      tun6_encrypt_node_name = "esp6-encrypt-tun"
  
      encryption_type = ESP
      tun6_encrypt_node_name = "esp6-encrypt-tun"
-    tun6_decrypt_node_name = "esp6-decrypt-tun"
+    tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
  
      def setUp(self):
          super(TestIpsec6MultiTunIfEsp, self).setUp()
  
      def setUp(self):
          super(TestIpsec6MultiTunIfEsp, self).setUp()
@@ -793,17 +927,15 @@ class TestIpsec6MultiTunIfEsp(TemplateIpsec6TunProtect,
          """Multiple IPSEC tunnel interfaces """
          for p in self.multi_params:
              self.verify_tun_66(p, count=127)
          """Multiple IPSEC tunnel interfaces """
          for p in self.multi_params:
              self.verify_tun_66(p, count=127)
-            c = p.tun_if.get_rx_stats()
-            self.assertEqual(c['packets'], 127)
-            c = p.tun_if.get_tx_stats()
-            self.assertEqual(c['packets'], 127)
+            self.assertEqual(p.tun_if.get_rx_stats(), 127)
+            self.assertEqual(p.tun_if.get_tx_stats(), 127)
  
  
  class TestIpsecGreTebIfEsp(TemplateIpsec,
                             IpsecTun4Tests):
      """ Ipsec GRE TEB ESP - TUN tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
  
  
  class TestIpsecGreTebIfEsp(TemplateIpsec,
                             IpsecTun4Tests):
      """ Ipsec GRE TEB ESP - TUN tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
      encryption_type = ESP
      omac = "00:11:22:33:44:55"
  
      encryption_type = ESP
      omac = "00:11:22:33:44:55"
  
@@ -914,7 +1046,7 @@ class TestIpsecGreTebVlanIfEsp(TemplateIpsec,
                                 IpsecTun4Tests):
      """ Ipsec GRE TEB ESP - TUN tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
                                 IpsecTun4Tests):
      """ Ipsec GRE TEB ESP - TUN tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
      encryption_type = ESP
      omac = "00:11:22:33:44:55"
  
      encryption_type = ESP
      omac = "00:11:22:33:44:55"
  
@@ -1034,7 +1166,7 @@ class TestIpsecGreTebIfEspTra(TemplateIpsec,
                                IpsecTun4Tests):
      """ Ipsec GRE TEB ESP - Tra tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
                                IpsecTun4Tests):
      """ Ipsec GRE TEB ESP - Tra tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
      encryption_type = ESP
      omac = "00:11:22:33:44:55"
  
      encryption_type = ESP
      omac = "00:11:22:33:44:55"
  
@@ -1139,7 +1271,7 @@ class TestIpsecGreTebUdpIfEspTra(TemplateIpsec,
                                   IpsecTun4Tests):
      """ Ipsec GRE TEB UDP ESP - Tra tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
                                   IpsecTun4Tests):
      """ Ipsec GRE TEB UDP ESP - Tra tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
      encryption_type = ESP
      omac = "00:11:22:33:44:55"
  
      encryption_type = ESP
      omac = "00:11:22:33:44:55"
  
@@ -1260,7 +1392,7 @@ class TestIpsecGreIfEsp(TemplateIpsec,
                          IpsecTun4Tests):
      """ Ipsec GRE ESP - TUN tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
                          IpsecTun4Tests):
      """ Ipsec GRE ESP - TUN tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
      encryption_type = ESP
  
      def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
      encryption_type = ESP
  
      def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
@@ -1363,7 +1495,7 @@ class TestIpsecGreIfEspTra(TemplateIpsec,
                             IpsecTun4Tests):
      """ Ipsec GRE ESP - TRA tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
                             IpsecTun4Tests):
      """ Ipsec GRE ESP - TRA tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
      encryption_type = ESP
  
      def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
      encryption_type = ESP
  
      def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
@@ -1469,7 +1601,7 @@ class TestIpsecGreIfEspTra(TemplateIpsec,
                                            dst=self.pg1.remote_ip6)
          self.send_and_assert_no_replies(self.tun_if, tx)
          node_name = ('/err/%s/unsupported payload' %
                                            dst=self.pg1.remote_ip6)
          self.send_and_assert_no_replies(self.tun_if, tx)
          node_name = ('/err/%s/unsupported payload' %
-                     self.tun4_decrypt_node_name)
+                     self.tun4_decrypt_node_name[0])
          self.assertEqual(1, self.statistics.get_err_counter(node_name))
  
  
          self.assertEqual(1, self.statistics.get_err_counter(node_name))
  
  
@@ -1477,7 +1609,7 @@ class TestIpsecGre6IfEspTra(TemplateIpsec,
                              IpsecTun6Tests):
      """ Ipsec GRE ESP - TRA tests """
      tun6_encrypt_node_name = "esp6-encrypt-tun"
                              IpsecTun6Tests):
      """ Ipsec GRE ESP - TRA tests """
      tun6_encrypt_node_name = "esp6-encrypt-tun"
-    tun6_decrypt_node_name = "esp6-decrypt-tun"
+    tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
      encryption_type = ESP
  
      def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1,
      encryption_type = ESP
  
      def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1,
@@ -1492,7 +1624,7 @@ class TestIpsecGre6IfEspTra(TemplateIpsec,
                             Raw(b'X' * payload_size))
                  for i in range(count)]
  
                             Raw(b'X' * payload_size))
                  for i in range(count)]
  
-    def gen_pkts6(self, sw_intf, src, dst, count=1,
+    def gen_pkts6(self, p, sw_intf, src, dst, count=1,
                    payload_size=100):
          return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
                  IPv6(src="1::1", dst="1::2") /
                    payload_size=100):
          return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
                  IPv6(src="1::1", dst="1::2") /
@@ -1575,7 +1707,7 @@ class TestIpsecGre6IfEspTra(TemplateIpsec,
  class TestIpsecMGreIfEspTra4(TemplateIpsec, IpsecTun4):
      """ Ipsec mGRE ESP v4 TRA tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
  class TestIpsecMGreIfEspTra4(TemplateIpsec, IpsecTun4):
      """ Ipsec mGRE ESP v4 TRA tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
      encryption_type = ESP
  
      def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
      encryption_type = ESP
  
      def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
@@ -1707,7 +1839,7 @@ class TestIpsecMGreIfEspTra4(TemplateIpsec, IpsecTun4):
  class TestIpsecMGreIfEspTra6(TemplateIpsec, IpsecTun6):
      """ Ipsec mGRE ESP v6 TRA tests """
      tun6_encrypt_node_name = "esp6-encrypt-tun"
  class TestIpsecMGreIfEspTra6(TemplateIpsec, IpsecTun6):
      """ Ipsec mGRE ESP v6 TRA tests """
      tun6_encrypt_node_name = "esp6-encrypt-tun"
-    tun6_decrypt_node_name = "esp6-decrypt-tun"
+    tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
      encryption_type = ESP
  
      def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1,
      encryption_type = ESP
  
      def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1,
@@ -1722,7 +1854,7 @@ class TestIpsecMGreIfEspTra6(TemplateIpsec, IpsecTun6):
                             Raw(b'X' * payload_size))
                  for i in range(count)]
  
                             Raw(b'X' * payload_size))
                  for i in range(count)]
  
-    def gen_pkts6(self, sw_intf, src, dst, count=1,
+    def gen_pkts6(self, p, sw_intf, src, dst, count=1,
                    payload_size=100):
          return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
                  IPv6(src="1::1", dst=dst) /
                    payload_size=100):
          return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
                  IPv6(src="1::1", dst=dst) /
@@ -1837,6 +1969,7 @@ class TestIpsecMGreIfEspTra6(TemplateIpsec, IpsecTun6):
              self.verify_tun_66(p, count=63)
  
  
              self.verify_tun_66(p, count=63)
  
  
+@tag_fixme_vpp_workers
  class TestIpsec4TunProtect(TemplateIpsec,
                             TemplateIpsec4TunProtect,
                             IpsecTun4):
  class TestIpsec4TunProtect(TemplateIpsec,
                             TemplateIpsec4TunProtect,
                             IpsecTun4):
@@ -1860,17 +1993,13 @@ class TestIpsec4TunProtect(TemplateIpsec,
          self.config_protect(p)
  
          self.verify_tun_44(p, count=127)
          self.config_protect(p)
  
          self.verify_tun_44(p, count=127)
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 127)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 127)
+        self.assertEqual(p.tun_if.get_rx_stats(), 127)
+        self.assertEqual(p.tun_if.get_tx_stats(), 127)
  
          self.vapi.cli("clear ipsec sa")
          self.verify_tun_64(p, count=127)
  
          self.vapi.cli("clear ipsec sa")
          self.verify_tun_64(p, count=127)
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 254)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 254)
+        self.assertEqual(p.tun_if.get_rx_stats(), 254)
+        self.assertEqual(p.tun_if.get_tx_stats(), 254)
  
          # rekey - create new SAs and update the tunnel protection
          np = copy.copy(p)
  
          # rekey - create new SAs and update the tunnel protection
          np = copy.copy(p)
@@ -1887,10 +2016,8 @@ class TestIpsec4TunProtect(TemplateIpsec,
          self.unconfig_sa(p)
  
          self.verify_tun_44(np, count=127)
          self.unconfig_sa(p)
  
          self.verify_tun_44(np, count=127)
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 381)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 381)
+        self.assertEqual(p.tun_if.get_rx_stats(), 381)
+        self.assertEqual(p.tun_if.get_tx_stats(), 381)
  
          # teardown
          self.unconfig_protect(np)
  
          # teardown
          self.unconfig_protect(np)
@@ -1898,6 +2025,7 @@ class TestIpsec4TunProtect(TemplateIpsec,
          self.unconfig_network(p)
  
  
          self.unconfig_network(p)
  
  
+@tag_fixme_vpp_workers
  class TestIpsec4TunProtectUdp(TemplateIpsec,
                                TemplateIpsec4TunProtect,
                                IpsecTun4):
  class TestIpsec4TunProtectUdp(TemplateIpsec,
                                TemplateIpsec4TunProtect,
                                IpsecTun4):
@@ -1936,16 +2064,15 @@ class TestIpsec4TunProtectUdp(TemplateIpsec,
          p = self.ipv4_params
  
          self.verify_tun_44(p, count=127)
          p = self.ipv4_params
  
          self.verify_tun_44(p, count=127)
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 127)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 127)
+        self.assertEqual(p.tun_if.get_rx_stats(), 127)
+        self.assertEqual(p.tun_if.get_tx_stats(), 127)
  
      def test_keepalive(self):
          """ IPSEC NAT Keepalive """
          self.verify_keepalive(self.ipv4_params)
  
  
  
      def test_keepalive(self):
          """ IPSEC NAT Keepalive """
          self.verify_keepalive(self.ipv4_params)
  
  
+@tag_fixme_vpp_workers
  class TestIpsec4TunProtectTun(TemplateIpsec,
                                TemplateIpsec4TunProtect,
                                IpsecTun4):
  class TestIpsec4TunProtectTun(TemplateIpsec,
                                TemplateIpsec4TunProtect,
                                IpsecTun4):
@@ -1953,7 +2080,7 @@ class TestIpsec4TunProtectTun(TemplateIpsec,
  
      encryption_type = ESP
      tun4_encrypt_node_name = "esp4-encrypt-tun"
  
      encryption_type = ESP
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
  
      def setUp(self):
          super(TestIpsec4TunProtectTun, self).setUp()
  
      def setUp(self):
          super(TestIpsec4TunProtectTun, self).setUp()
@@ -2029,10 +2156,8 @@ class TestIpsec4TunProtectTun(TemplateIpsec,
  
          self.verify_tun_44(p, count=127)
  
  
          self.verify_tun_44(p, count=127)
  
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 127)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 127)
+        self.assertEqual(p.tun_if.get_rx_stats(), 127)
+        self.assertEqual(p.tun_if.get_tx_stats(), 127)
  
          # rekey - create new SAs and update the tunnel protection
          np = copy.copy(p)
  
          # rekey - create new SAs and update the tunnel protection
          np = copy.copy(p)
@@ -2049,10 +2174,8 @@ class TestIpsec4TunProtectTun(TemplateIpsec,
          self.unconfig_sa(p)
  
          self.verify_tun_44(np, count=127)
          self.unconfig_sa(p)
  
          self.verify_tun_44(np, count=127)
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 254)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 254)
+        self.assertEqual(p.tun_if.get_rx_stats(), 254)
+        self.assertEqual(p.tun_if.get_tx_stats(), 254)
  
          # teardown
          self.unconfig_protect(np)
  
          # teardown
          self.unconfig_protect(np)
@@ -2067,7 +2190,7 @@ class TestIpsec4TunProtectTunDrop(TemplateIpsec,
  
      encryption_type = ESP
      tun4_encrypt_node_name = "esp4-encrypt-tun"
  
      encryption_type = ESP
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
  
      def setUp(self):
          super(TestIpsec4TunProtectTunDrop, self).setUp()
  
      def setUp(self):
          super(TestIpsec4TunProtectTunDrop, self).setUp()
@@ -2108,6 +2231,7 @@ class TestIpsec4TunProtectTunDrop(TemplateIpsec,
          self.unconfig_network(p)
  
  
          self.unconfig_network(p)
  
  
+@tag_fixme_vpp_workers
  class TestIpsec6TunProtect(TemplateIpsec,
                             TemplateIpsec6TunProtect,
                             IpsecTun6):
  class TestIpsec6TunProtect(TemplateIpsec,
                             TemplateIpsec6TunProtect,
                             IpsecTun6):
@@ -2115,7 +2239,7 @@ class TestIpsec6TunProtect(TemplateIpsec,
  
      encryption_type = ESP
      tun6_encrypt_node_name = "esp6-encrypt-tun"
  
      encryption_type = ESP
      tun6_encrypt_node_name = "esp6-encrypt-tun"
-    tun6_decrypt_node_name = "esp6-decrypt-tun"
+    tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
  
      def setUp(self):
          super(TestIpsec6TunProtect, self).setUp()
  
      def setUp(self):
          super(TestIpsec6TunProtect, self).setUp()
@@ -2135,10 +2259,8 @@ class TestIpsec6TunProtect(TemplateIpsec,
          self.config_protect(p)
  
          self.verify_tun_66(p, count=127)
          self.config_protect(p)
  
          self.verify_tun_66(p, count=127)
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 127)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 127)
+        self.assertEqual(p.tun_if.get_rx_stats(), 127)
+        self.assertEqual(p.tun_if.get_tx_stats(), 127)
  
          # rekey - create new SAs and update the tunnel protection
          np = copy.copy(p)
  
          # rekey - create new SAs and update the tunnel protection
          np = copy.copy(p)
@@ -2155,10 +2277,8 @@ class TestIpsec6TunProtect(TemplateIpsec,
          self.unconfig_sa(p)
  
          self.verify_tun_66(np, count=127)
          self.unconfig_sa(p)
  
          self.verify_tun_66(np, count=127)
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 254)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 254)
+        self.assertEqual(p.tun_if.get_rx_stats(), 254)
+        self.assertEqual(p.tun_if.get_tx_stats(), 254)
  
          # bounce the interface state
          p.tun_if.admin_down()
  
          # bounce the interface state
          p.tun_if.admin_down()
@@ -2202,10 +2322,8 @@ class TestIpsec6TunProtect(TemplateIpsec,
          self.verify_tun_66(np3, np3, count=127)
          self.verify_drop_tun_66(np, count=127)
  
          self.verify_tun_66(np3, np3, count=127)
          self.verify_drop_tun_66(np, count=127)
  
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 127*9)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 127*8)
+        self.assertEqual(p.tun_if.get_rx_stats(), 127*9)
+        self.assertEqual(p.tun_if.get_tx_stats(), 127*8)
          self.unconfig_sa(np)
  
          # teardown
          self.unconfig_sa(np)
  
          # teardown
@@ -2223,10 +2341,8 @@ class TestIpsec6TunProtect(TemplateIpsec,
          self.config_protect(p)
  
          self.verify_tun_46(p, count=127)
          self.config_protect(p)
  
          self.verify_tun_46(p, count=127)
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 127)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 127)
+        self.assertEqual(p.tun_if.get_rx_stats(), 127)
+        self.assertEqual(p.tun_if.get_tx_stats(), 127)
  
          # teardown
          self.unconfig_protect(p)
  
          # teardown
          self.unconfig_protect(p)
@@ -2234,6 +2350,7 @@ class TestIpsec6TunProtect(TemplateIpsec,
          self.unconfig_network(p)
  
  
          self.unconfig_network(p)
  
  
+@tag_fixme_vpp_workers
  class TestIpsec6TunProtectTun(TemplateIpsec,
                                TemplateIpsec6TunProtect,
                                IpsecTun6):
  class TestIpsec6TunProtectTun(TemplateIpsec,
                                TemplateIpsec6TunProtect,
                                IpsecTun6):
@@ -2241,7 +2358,7 @@ class TestIpsec6TunProtectTun(TemplateIpsec,
  
      encryption_type = ESP
      tun6_encrypt_node_name = "esp6-encrypt-tun"
  
      encryption_type = ESP
      tun6_encrypt_node_name = "esp6-encrypt-tun"
-    tun6_decrypt_node_name = "esp6-decrypt-tun"
+    tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
  
      def setUp(self):
          super(TestIpsec6TunProtectTun, self).setUp()
  
      def setUp(self):
          super(TestIpsec6TunProtectTun, self).setUp()
@@ -2261,7 +2378,7 @@ class TestIpsec6TunProtectTun(TemplateIpsec,
                             Raw(b'X' * payload_size))
                  for i in range(count)]
  
                             Raw(b'X' * payload_size))
                  for i in range(count)]
  
-    def gen_pkts6(self, sw_intf, src, dst, count=1,
+    def gen_pkts6(self, p, sw_intf, src, dst, count=1,
                    payload_size=100):
          return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
                  IPv6(src=src, dst=dst) /
                    payload_size=100):
          return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
                  IPv6(src=src, dst=dst) /
@@ -2306,10 +2423,8 @@ class TestIpsec6TunProtectTun(TemplateIpsec,
  
          self.verify_tun_66(p, count=127)
  
  
          self.verify_tun_66(p, count=127)
  
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 127)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 127)
+        self.assertEqual(p.tun_if.get_rx_stats(), 127)
+        self.assertEqual(p.tun_if.get_tx_stats(), 127)
  
          # rekey - create new SAs and update the tunnel protection
          np = copy.copy(p)
  
          # rekey - create new SAs and update the tunnel protection
          np = copy.copy(p)
@@ -2326,10 +2441,8 @@ class TestIpsec6TunProtectTun(TemplateIpsec,
          self.unconfig_sa(p)
  
          self.verify_tun_66(np, count=127)
          self.unconfig_sa(p)
  
          self.verify_tun_66(np, count=127)
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 254)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 254)
+        self.assertEqual(p.tun_if.get_rx_stats(), 254)
+        self.assertEqual(p.tun_if.get_tx_stats(), 254)
  
          # teardown
          self.unconfig_protect(np)
  
          # teardown
          self.unconfig_protect(np)
@@ -2344,7 +2457,7 @@ class TestIpsec6TunProtectTunDrop(TemplateIpsec,
  
      encryption_type = ESP
      tun6_encrypt_node_name = "esp6-encrypt-tun"
  
      encryption_type = ESP
      tun6_encrypt_node_name = "esp6-encrypt-tun"
-    tun6_decrypt_node_name = "esp6-decrypt-tun"
+    tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
  
      def setUp(self):
          super(TestIpsec6TunProtectTunDrop, self).setUp()
  
      def setUp(self):
          super(TestIpsec6TunProtectTunDrop, self).setUp()
@@ -2391,7 +2504,7 @@ class TemplateIpsecItf4(object):
  
      encryption_type = ESP
      tun4_encrypt_node_name = "esp4-encrypt-tun"
  
      encryption_type = ESP
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
      tun4_input_node = "ipsec4-tun-input"
  
      def config_sa_tun(self, p, src, dst):
      tun4_input_node = "ipsec4-tun-input"
  
      def config_sa_tun(self, p, src, dst):
@@ -2450,6 +2563,7 @@ class TemplateIpsecItf4(object):
          p.tun_sa_in.remove_vpp_config()
  
  
          p.tun_sa_in.remove_vpp_config()
  
  
+@tag_fixme_vpp_workers
  class TestIpsecItf4(TemplateIpsec,
                      TemplateIpsecItf4,
                      IpsecTun4):
  class TestIpsecItf4(TemplateIpsec,
                      TemplateIpsecItf4,
                      IpsecTun4):
@@ -2488,29 +2602,23 @@ class TestIpsecItf4(TemplateIpsec,
          self.config_protect(p)
  
          self.verify_tun_44(p, count=n_pkts)
          self.config_protect(p)
  
          self.verify_tun_44(p, count=n_pkts)
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], n_pkts)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], n_pkts)
+        self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
+        self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
  
          p.tun_if.admin_down()
          self.verify_tun_dropped_44(p, count=n_pkts)
          p.tun_if.admin_up()
          self.verify_tun_44(p, count=n_pkts)
  
  
          p.tun_if.admin_down()
          self.verify_tun_dropped_44(p, count=n_pkts)
          p.tun_if.admin_up()
          self.verify_tun_44(p, count=n_pkts)
  
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 3*n_pkts)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 2*n_pkts)
+        self.assertEqual(p.tun_if.get_rx_stats(), 3*n_pkts)
+        self.assertEqual(p.tun_if.get_tx_stats(), 2*n_pkts)
  
          # it's a v6 packet when its encrypted
          self.tun4_encrypt_node_name = "esp6-encrypt-tun"
  
          self.verify_tun_64(p, count=n_pkts)
  
          # it's a v6 packet when its encrypted
          self.tun4_encrypt_node_name = "esp6-encrypt-tun"
  
          self.verify_tun_64(p, count=n_pkts)
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 4*n_pkts)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 3*n_pkts)
+        self.assertEqual(p.tun_if.get_rx_stats(), 4*n_pkts)
+        self.assertEqual(p.tun_if.get_tx_stats(), 3*n_pkts)
  
          self.tun4_encrypt_node_name = "esp4-encrypt-tun"
  
  
          self.tun4_encrypt_node_name = "esp4-encrypt-tun"
  
@@ -2533,10 +2641,8 @@ class TestIpsecItf4(TemplateIpsec,
          self.unconfig_sa(p)
  
          self.verify_tun_44(np, count=n_pkts)
          self.unconfig_sa(p)
  
          self.verify_tun_44(np, count=n_pkts)
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], n_pkts)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], n_pkts)
+        self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
+        self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
  
          # teardown
          self.unconfig_protect(np)
  
          # teardown
          self.unconfig_protect(np)
@@ -2569,24 +2675,155 @@ class TestIpsecItf4(TemplateIpsec,
          self.unconfig_sa(p)
          self.unconfig_network(p)
  
          self.unconfig_sa(p)
          self.unconfig_network(p)
  
+    def test_tun_44_police(self):
+        """IPSEC interface IPv4 with input policer"""
+        n_pkts = 127
+        p = self.ipv4_params
+
+        self.config_network(p)
+        self.config_sa_tun(p,
+                           self.pg0.local_ip4,
+                           self.pg0.remote_ip4)
+        self.config_protect(p)
+
+        action_tx = PolicerAction(
+            VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT,
+            0)
+        policer = VppPolicer(self, "pol1", 80, 0, 1000, 0,
+                             conform_action=action_tx,
+                             exceed_action=action_tx,
+                             violate_action=action_tx)
+        policer.add_vpp_config()
+
+        # Start policing on tun
+        policer.apply_vpp_config(p.tun_if.sw_if_index, True)
+
+        self.verify_tun_44(p, count=n_pkts)
+        self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
+        self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
+
+        stats = policer.get_stats()
+
+        # Single rate, 2 colour policer - expect conform, violate but no exceed
+        self.assertGreater(stats['conform_packets'], 0)
+        self.assertEqual(stats['exceed_packets'], 0)
+        self.assertGreater(stats['violate_packets'], 0)
+
+        # Stop policing on tun
+        policer.apply_vpp_config(p.tun_if.sw_if_index, False)
+        self.verify_tun_44(p, count=n_pkts)
+
+        # No new policer stats
+        statsnew = policer.get_stats()
+        self.assertEqual(stats, statsnew)
+
+        # teardown
+        policer.remove_vpp_config()
+        self.unconfig_protect(p)
+        self.unconfig_sa(p)
+        self.unconfig_network(p)
+
+
+class TestIpsecItf4MPLS(TemplateIpsec,
+                        TemplateIpsecItf4,
+                        IpsecTun4):
+    """ IPsec Interface MPLSoIPv4 """
+
+    tun4_encrypt_node_name = "esp-mpls-encrypt-tun"
+
+    def setUp(self):
+        super(TestIpsecItf4MPLS, self).setUp()
+
+        self.tun_if = self.pg0
+
+    def tearDown(self):
+        super(TestIpsecItf4MPLS, self).tearDown()
+
+    def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
+                         payload_size=100):
+        return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+                sa.encrypt(MPLS(label=44, ttl=3) /
+                           IP(src=src, dst=dst) /
+                           UDP(sport=1166, dport=2233) /
+                           Raw(b'X' * payload_size))
+                for i in range(count)]
+
+    def verify_encrypted(self, p, sa, rxs):
+        for rx in rxs:
+            try:
+                pkt = sa.decrypt(rx[IP])
+                if not pkt.haslayer(IP):
+                    pkt = IP(pkt[Raw].load)
+                self.assert_packet_checksums_valid(pkt)
+                self.assert_equal(pkt[MPLS].label, 44)
+                self.assert_equal(pkt[IP].dst, p.remote_tun_if_host)
+            except (IndexError, AssertionError):
+                self.logger.debug(ppp("Unexpected packet:", rx))
+                try:
+                    self.logger.debug(ppp("Decrypted packet:", pkt))
+                except:
+                    pass
+                raise
+
+    def test_tun_mpls_o_ip4(self):
+        """IPSEC interface MPLS over IPv4"""
+
+        n_pkts = 127
+        p = self.ipv4_params
+        f = FibPathProto
+
+        tbl = VppMplsTable(self, 0)
+        tbl.add_vpp_config()
+
+        self.config_network(p)
+        # deag MPLS routes from the tunnel
+        r4 = VppMplsRoute(self, 44, 1,
+                          [VppRoutePath(
+                              self.pg1.remote_ip4,
+                              self.pg1.sw_if_index)]).add_vpp_config()
+        p.route.modify([VppRoutePath(p.tun_if.remote_ip4,
+                                     p.tun_if.sw_if_index,
+                                     labels=[VppMplsLabel(44)])])
+        p.tun_if.enable_mpls()
+
+        self.config_sa_tun(p,
+                           self.pg0.local_ip4,
+                           self.pg0.remote_ip4)
+        self.config_protect(p)
+
+        self.verify_tun_44(p, count=n_pkts)
+
+        # cleanup
+        p.tun_if.disable_mpls()
+        self.unconfig_protect(p)
+        self.unconfig_sa(p)
+        self.unconfig_network(p)
+
  
  class TemplateIpsecItf6(object):
      """ IPsec Interface IPv6 """
  
      encryption_type = ESP
      tun6_encrypt_node_name = "esp6-encrypt-tun"
  
  class TemplateIpsecItf6(object):
      """ IPsec Interface IPv6 """
  
      encryption_type = ESP
      tun6_encrypt_node_name = "esp6-encrypt-tun"
-    tun6_decrypt_node_name = "esp6-decrypt-tun"
+    tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"]
      tun6_input_node = "ipsec6-tun-input"
  
      def config_sa_tun(self, p, src, dst):
          config_tun_params(p, self.encryption_type, None, src, dst)
  
      tun6_input_node = "ipsec6-tun-input"
  
      def config_sa_tun(self, p, src, dst):
          config_tun_params(p, self.encryption_type, None, src, dst)
  
+        if not hasattr(p, 'tun_flags'):
+            p.tun_flags = None
+        if not hasattr(p, 'hop_limit'):
+            p.hop_limit = 255
+
          p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
                                    p.auth_algo_vpp_id, p.auth_key,
                                    p.crypt_algo_vpp_id, p.crypt_key,
                                    self.vpp_esp_protocol,
                                    src, dst,
          p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
                                    p.auth_algo_vpp_id, p.auth_key,
                                    p.crypt_algo_vpp_id, p.crypt_key,
                                    self.vpp_esp_protocol,
                                    src, dst,
-                                  flags=p.flags)
+                                  flags=p.flags,
+                                  tun_flags=p.tun_flags,
+                                  hop_limit=p.hop_limit)
          p.tun_sa_out.add_vpp_config()
  
          p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
          p.tun_sa_out.add_vpp_config()
  
          p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
@@ -2635,6 +2872,7 @@ class TemplateIpsecItf6(object):
          p.tun_sa_in.remove_vpp_config()
  
  
          p.tun_sa_in.remove_vpp_config()
  
  
+@tag_fixme_vpp_workers
  class TestIpsecItf6(TemplateIpsec,
                      TemplateIpsecItf6,
                      IpsecTun6):
  class TestIpsecItf6(TemplateIpsec,
                      TemplateIpsecItf6,
                      IpsecTun6):
@@ -2651,8 +2889,13 @@ class TestIpsecItf6(TemplateIpsec,
      def test_tun_44(self):
          """IPSEC interface IPv6"""
  
      def test_tun_44(self):
          """IPSEC interface IPv6"""
  
+        tf = VppEnum.vl_api_tunnel_encap_decap_flags_t
          n_pkts = 127
          p = self.ipv6_params
          n_pkts = 127
          p = self.ipv6_params
+        p.inner_hop_limit = 24
+        p.outer_hop_limit = 23
+        p.outer_flow_label = 243224
+        p.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_HOP_LIMIT
  
          self.config_network(p)
          self.config_sa_tun(p,
  
          self.config_network(p)
          self.config_sa_tun(p,
@@ -2661,29 +2904,23 @@ class TestIpsecItf6(TemplateIpsec,
          self.config_protect(p)
  
          self.verify_tun_66(p, count=n_pkts)
          self.config_protect(p)
  
          self.verify_tun_66(p, count=n_pkts)
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], n_pkts)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], n_pkts)
+        self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
+        self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
  
          p.tun_if.admin_down()
          self.verify_drop_tun_66(p, count=n_pkts)
          p.tun_if.admin_up()
          self.verify_tun_66(p, count=n_pkts)
  
  
          p.tun_if.admin_down()
          self.verify_drop_tun_66(p, count=n_pkts)
          p.tun_if.admin_up()
          self.verify_tun_66(p, count=n_pkts)
  
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 3*n_pkts)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 2*n_pkts)
+        self.assertEqual(p.tun_if.get_rx_stats(), 3*n_pkts)
+        self.assertEqual(p.tun_if.get_tx_stats(), 2*n_pkts)
  
          # it's a v4 packet when its encrypted
          self.tun6_encrypt_node_name = "esp4-encrypt-tun"
  
          self.verify_tun_46(p, count=n_pkts)
  
          # it's a v4 packet when its encrypted
          self.tun6_encrypt_node_name = "esp4-encrypt-tun"
  
          self.verify_tun_46(p, count=n_pkts)
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], 4*n_pkts)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], 3*n_pkts)
+        self.assertEqual(p.tun_if.get_rx_stats(), 4*n_pkts)
+        self.assertEqual(p.tun_if.get_tx_stats(), 3*n_pkts)
  
          self.tun6_encrypt_node_name = "esp6-encrypt-tun"
  
  
          self.tun6_encrypt_node_name = "esp6-encrypt-tun"
  
@@ -2698,6 +2935,12 @@ class TestIpsecItf6(TemplateIpsec,
          np.vpp_tun_sa_id += 1
          np.tun_if.local_spi = p.vpp_tun_spi
          np.tun_if.remote_spi = p.scapy_tun_spi
          np.vpp_tun_sa_id += 1
          np.tun_if.local_spi = p.vpp_tun_spi
          np.tun_if.remote_spi = p.scapy_tun_spi
+        np.inner_hop_limit = 24
+        np.outer_hop_limit = 128
+        np.inner_flow_label = 0xabcde
+        np.outer_flow_label = 0xabcde
+        np.hop_limit = 128
+        np.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_FLOW_LABEL
  
          self.config_sa_tun(np,
                             self.pg0.local_ip6,
  
          self.config_sa_tun(np,
                             self.pg0.local_ip6,
@@ -2706,21 +2949,72 @@ class TestIpsecItf6(TemplateIpsec,
          self.unconfig_sa(p)
  
          self.verify_tun_66(np, count=n_pkts)
          self.unconfig_sa(p)
  
          self.verify_tun_66(np, count=n_pkts)
-        c = p.tun_if.get_rx_stats()
-        self.assertEqual(c['packets'], n_pkts)
-        c = p.tun_if.get_tx_stats()
-        self.assertEqual(c['packets'], n_pkts)
+        self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
+        self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
  
          # teardown
          self.unconfig_protect(np)
          self.unconfig_sa(np)
          self.unconfig_network(p)
  
  
          # teardown
          self.unconfig_protect(np)
          self.unconfig_sa(np)
          self.unconfig_network(p)
  
+    def test_tun_66_police(self):
+        """IPSEC interface IPv6 with input policer"""
+        tf = VppEnum.vl_api_tunnel_encap_decap_flags_t
+        n_pkts = 127
+        p = self.ipv6_params
+        p.inner_hop_limit = 24
+        p.outer_hop_limit = 23
+        p.outer_flow_label = 243224
+        p.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_HOP_LIMIT
+
+        self.config_network(p)
+        self.config_sa_tun(p,
+                           self.pg0.local_ip6,
+                           self.pg0.remote_ip6)
+        self.config_protect(p)
+
+        action_tx = PolicerAction(
+            VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT,
+            0)
+        policer = VppPolicer(self, "pol1", 80, 0, 1000, 0,
+                             conform_action=action_tx,
+                             exceed_action=action_tx,
+                             violate_action=action_tx)
+        policer.add_vpp_config()
+
+        # Start policing on tun
+        policer.apply_vpp_config(p.tun_if.sw_if_index, True)
+
+        self.verify_tun_66(p, count=n_pkts)
+        self.assertEqual(p.tun_if.get_rx_stats(), n_pkts)
+        self.assertEqual(p.tun_if.get_tx_stats(), n_pkts)
+
+        stats = policer.get_stats()
+
+        # Single rate, 2 colour policer - expect conform, violate but no exceed
+        self.assertGreater(stats['conform_packets'], 0)
+        self.assertEqual(stats['exceed_packets'], 0)
+        self.assertGreater(stats['violate_packets'], 0)
+
+        # Stop policing on tun
+        policer.apply_vpp_config(p.tun_if.sw_if_index, False)
+        self.verify_tun_66(p, count=n_pkts)
+
+        # No new policer stats
+        statsnew = policer.get_stats()
+        self.assertEqual(stats, statsnew)
+
+        # teardown
+        policer.remove_vpp_config()
+        self.unconfig_protect(p)
+        self.unconfig_sa(p)
+        self.unconfig_network(p)
+
  
  class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
      """ Ipsec P2MP ESP v4 tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
  
  class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
      """ Ipsec P2MP ESP v4 tests """
      tun4_encrypt_node_name = "esp4-encrypt-tun"
-    tun4_decrypt_node_name = "esp4-decrypt-tun"
+    tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"]
      encryption_type = ESP
  
      def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
      encryption_type = ESP
  
      def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
@@ -2750,6 +3044,7 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
              try:
                  self.assertEqual(rx[IP].tos,
                                   VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2)
              try:
                  self.assertEqual(rx[IP].tos,
                                   VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2)
+                self.assertEqual(rx[IP].ttl, p.hop_limit)
                  pkt = sa.decrypt(rx[IP])
                  if not pkt.haslayer(IP):
                      pkt = IP(pkt[Raw].load)
                  pkt = sa.decrypt(rx[IP])
                  if not pkt.haslayer(IP):
                      pkt = IP(pkt[Raw].load)
@@ -2798,6 +3093,7 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
              p.scapy_tra_spi = p.scapy_tra_spi + ii
              p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
              p.vpp_tra_spi = p.vpp_tra_spi + ii
              p.scapy_tra_spi = p.scapy_tra_spi + ii
              p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
              p.vpp_tra_spi = p.vpp_tra_spi + ii
+            p.hop_limit = ii+10
              p.tun_sa_out = VppIpsecSA(
                  self, p.scapy_tun_sa_id, p.scapy_tun_spi,
                  p.auth_algo_vpp_id, p.auth_key,
              p.tun_sa_out = VppIpsecSA(
                  self, p.scapy_tun_sa_id, p.scapy_tun_spi,
                  p.auth_algo_vpp_id, p.auth_key,
@@ -2805,7 +3101,8 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
                  self.vpp_esp_protocol,
                  self.pg0.local_ip4,
                  self.pg0.remote_hosts[ii].ip4,
                  self.vpp_esp_protocol,
                  self.pg0.local_ip4,
                  self.pg0.remote_hosts[ii].ip4,
-                dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF)
+                dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF,
+                hop_limit=p.hop_limit)
              p.tun_sa_out.add_vpp_config()
  
              p.tun_sa_in = VppIpsecSA(
              p.tun_sa_out.add_vpp_config()
  
              p.tun_sa_in = VppIpsecSA(
@@ -2815,7 +3112,8 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
                  self.vpp_esp_protocol,
                  self.pg0.remote_hosts[ii].ip4,
                  self.pg0.local_ip4,
                  self.vpp_esp_protocol,
                  self.pg0.remote_hosts[ii].ip4,
                  self.pg0.local_ip4,
-                dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF)
+                dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF,
+                hop_limit=p.hop_limit)
              p.tun_sa_in.add_vpp_config()
  
              p.tun_protect = VppIpsecTunProtect(
              p.tun_sa_in.add_vpp_config()
  
              p.tun_protect = VppIpsecTunProtect(
@@ -2848,5 +3146,82 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
              self.verify_tun_44(p, count=N_PKTS)
  
  
              self.verify_tun_44(p, count=N_PKTS)
  
  
+class TestIpsecItf6MPLS(TemplateIpsec,
+                        TemplateIpsecItf6,
+                        IpsecTun6):
+    """ IPsec Interface MPLSoIPv6 """
+
+    tun6_encrypt_node_name = "esp-mpls-encrypt-tun"
+
+    def setUp(self):
+        super(TestIpsecItf6MPLS, self).setUp()
+
+        self.tun_if = self.pg0
+
+    def tearDown(self):
+        super(TestIpsecItf6MPLS, self).tearDown()
+
+    def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1,
+                          payload_size=100):
+        return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
+                sa.encrypt(MPLS(label=66, ttl=3) /
+                           IPv6(src=src, dst=dst) /
+                           UDP(sport=1166, dport=2233) /
+                           Raw(b'X' * payload_size))
+                for i in range(count)]
+
+    def verify_encrypted6(self, p, sa, rxs):
+        for rx in rxs:
+            try:
+                pkt = sa.decrypt(rx[IPv6])
+                if not pkt.haslayer(IPv6):
+                    pkt = IP(pkt[Raw].load)
+                self.assert_packet_checksums_valid(pkt)
+                self.assert_equal(pkt[MPLS].label, 66)
+                self.assert_equal(pkt[IPv6].dst, p.remote_tun_if_host)
+            except (IndexError, AssertionError):
+                self.logger.debug(ppp("Unexpected packet:", rx))
+                try:
+                    self.logger.debug(ppp("Decrypted packet:", pkt))
+                except:
+                    pass
+                raise
+
+    def test_tun_mpls_o_ip6(self):
+        """IPSEC interface MPLS over IPv6"""
+
+        n_pkts = 127
+        p = self.ipv6_params
+        f = FibPathProto
+
+        tbl = VppMplsTable(self, 0)
+        tbl.add_vpp_config()
+
+        self.config_network(p)
+        # deag MPLS routes from the tunnel
+        r6 = VppMplsRoute(self, 66, 1,
+                          [VppRoutePath(
+                              self.pg1.remote_ip6,
+                              self.pg1.sw_if_index)],
+                          eos_proto=f.FIB_PATH_NH_PROTO_IP6).add_vpp_config()
+        p.route.modify([VppRoutePath(p.tun_if.remote_ip6,
+                                     p.tun_if.sw_if_index,
+                                     labels=[VppMplsLabel(66)])])
+        p.tun_if.enable_mpls()
+
+        self.config_sa_tun(p,
+                           self.pg0.local_ip6,
+                           self.pg0.remote_ip6)
+        self.config_protect(p)
+
+        self.verify_tun_66(p, count=n_pkts)
+
+        # cleanup
+        p.tun_if.disable_mpls()
+        self.unconfig_protect(p)
+        self.unconfig_sa(p)
+        self.unconfig_network(p)
+
+
  if __name__ == '__main__':
      unittest.main(testRunner=VppTestRunner)
  if __name__ == '__main__':
      unittest.main(testRunner=VppTestRunner)