"""IPsec utilities library."""
-import os
-
from enum import Enum, IntEnum
from io import open
from ipaddress import ip_network, ip_address
from random import choice
from string import ascii_letters
+from robot.libraries.BuiltIn import BuiltIn
+
from resources.libraries.python.Constants import Constants
from resources.libraries.python.IncrementUtil import ObjIncrement
from resources.libraries.python.InterfaceUtil import InterfaceUtil, \
def vpp_ipsec_set_async_mode(node, async_enable=1):
"""Set IPsec async mode on|off.
+ Unconditionally, attempt to switch crypto dispatch into polling mode.
+
:param node: VPP node to set IPsec async mode.
:param async_enable: Async mode on or off.
:type node: dict
:raises RuntimeError: If failed to set IPsec async mode or if no API
reply received.
"""
- cmd = u"ipsec_set_async_mode"
- err_msg = f"Failed to set IPsec async mode on host {node[u'host']}"
- args = dict(
- async_enable=async_enable
- )
with PapiSocketExecutor(node) as papi_exec:
+ cmd = u"ipsec_set_async_mode"
+ err_msg = f"Failed to set IPsec async mode on host {node[u'host']}"
+ args = dict(
+ async_enable=async_enable
+ )
papi_exec.add(cmd, **args).get_reply(err_msg)
+ cmd = "crypto_set_async_dispatch_v2"
+ err_msg = "Failed to set dispatch mode."
+ args = dict(mode=0, adaptive=False)
+ try:
+ papi_exec.add(cmd, **args).get_reply(err_msg)
+ except (AttributeError, RuntimeError):
+ # Expected when VPP build does not have the _v2 yet
+ # (after and before the first CRC check).
+ # TODO: Fail here when testing of pre-23.10 builds is over.
+ pass
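Review bot: The `except (AttributeError, RuntimeError): pass` around the `crypto_set_async_dispatch_v2` call hides every failure of that call, not only the missing-message case the comment describes. A run can then continue in a dispatch mode nobody intended and leave no trace in the logs. Replace the bare `pass` with a warning-level log line that names `node['host']` and the exception text, using whichever logger this module already has (none is visible in the hunk). The docstring should also say that a failure of the second call is ignored, since `:raises RuntimeError:` now reads as if it covers both calls, and `err_msg = "Failed to set dispatch mode."` lacks the host name that the first message carries. The function's decorator and anything after the `try` block are outside this hunk.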
@staticmethod
def vpp_ipsec_crypto_sw_scheduler_set_worker(
@staticmethod
def vpp_ipsec_crypto_sw_scheduler_set_worker_on_all_duts(
- nodes, workers, crypto_enable=False):
+ nodes, crypto_enable=False):
"""Enable or disable crypto on specific vpp worker threads.
:param node: VPP node to enable or disable crypto for worker threads.
- :param workers: List of VPP thread numbers.
:param crypto_enable: Disable or enable crypto work.
:type node: dict
- :type workers: Iterable[int]
:type crypto_enable: bool
:raises RuntimeError: If failed to enable or disable crypto for worker
thread or if no API reply received.
"""
- for node in nodes.values():
- if node[u"type"] == NodeType.DUT:
+ for node_name, node in nodes.items():
+ if node["type"] == NodeType.DUT:
thread_data = VPPUtil.vpp_show_threads(node)
worker_cnt = len(thread_data) - 1
if not worker_cnt:
return None
worker_ids = list()
+ workers = BuiltIn().get_variable_value(
+ f"${{{node_name}_cpu_dp}}"
+ )
for item in thread_data:
if str(item.cpu_id) in workers.split(u","):
worker_ids.append(item.id)
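Review bot: `BuiltIn().get_variable_value(f"${{{node_name}_cpu_dp}}")` returns `None` when the Robot variable is not set, and the following `workers.split(u",")` then fails with an AttributeError that says nothing about the missing variable. Check the value right after the lookup, e.g. `if workers is None: raise RuntimeError(f"Variable {node_name}_cpu_dp is not set")`, which matches the exception type the docstring already documents. Removing `workers` from the signature also means a caller that still passes it positionally would silently bind it to `crypto_enable`; the callers are not visible here, so making `crypto_enable` keyword-only or checking the call sites is worth it. The docstring still describes a single `node` parameter although the function takes `nodes`, and the body continues past the end of this hunk.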
@staticmethod
def vpp_ipsec_add_sad_entries(
node, n_entries, sad_id, spi, crypto_alg, crypto_key,
- integ_alg=None, integ_key=u"", tunnel_src=None,tunnel_dst=None,
+ integ_alg=None, integ_key=u"", tunnel_src=None, tunnel_dst=None,
tunnel_addr_incr=True):
"""Create multiple Security Association Database entries on VPP node.
local_net = ip_network(laddr_range, strict=False)
remote_net = ip_network(raddr_range, strict=False)
- cmd = u"ipsec_spd_entry_add_del"
+ cmd = u"ipsec_spd_entry_add_del_v2"
spd_entry = dict(
spd_id=int(spd_id),
is_outbound=not inbound,
sa_id=int(sa_id) if sa_id else 0,
policy=int(action),
- protocol=int(proto) if proto else 0,
+ protocol=255 if proto is None else int(proto),
remote_address_start=IPAddress.create_ip_address_object(
remote_net.network_address
),
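Review bot: `protocol=255 if proto is None else int(proto)` changes what callers get: an omitted `proto` used to be sent as 0 and is now sent as 255, while an explicit `proto=0` still goes out as 0. The 255 is unexplained in the hunk; if it is the API's any-protocol value (to be confirmed against the `ipsec_spd_entry_add_del_v2` definition), add a comment such as `# 255 = match any protocol in the v2 API; used when proto is None`. The `proto` entry of the docstring, which is outside this hunk, should be updated to match. Because this value decides which traffic a policy entry matches, callers that relied on the old default deserve a check. Unlike the dispatch-mode call elsewhere in this change, the switch to `_v2` has no fallback for builds that lack the message, so confirm that is intended.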
sa_id_2 = 200000
spi_1 = 300000
spi_2 = 400000
- dut1_local_outbound_range = ip_network(f"{tunnel_ip1}/8", False).\
- with_prefixlen
- dut1_remote_outbound_range = ip_network(f"{tunnel_ip2}/8", False).\
- with_prefixlen
crypto_key = gen_key(
IPsecUtil.get_crypto_alg_key_len(crypto_alg)
IPsecUtil.vpp_ipsec_add_spd(nodes[u"DUT1"], spd_id)
IPsecUtil.vpp_ipsec_spd_add_if(nodes[u"DUT1"], spd_id, interface1)
- IPsecUtil.vpp_ipsec_add_spd_entry(
- nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=False,
- proto=50, laddr_range=dut1_local_outbound_range,
- raddr_range=dut1_remote_outbound_range
- )
- IPsecUtil.vpp_ipsec_add_spd_entry(
- nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=True,
- proto=50, laddr_range=dut1_remote_outbound_range,
- raddr_range=dut1_local_outbound_range
- )
+
+ addr_incr = 1 << (128 - 96) if ip_address(tunnel_ip1).version == 6 \
+ else 1 << (32 - 24)
+ for i in range(n_tunnels//(addr_incr**2)+1):
+ dut1_local_outbound_range = \
+ ip_network(f"{ip_address(tunnel_ip1) + i*(addr_incr**3)}/8",
+ False).with_prefixlen
+ dut1_remote_outbound_range = \
+ ip_network(f"{ip_address(tunnel_ip2) + i*(addr_incr**3)}/8",
+ False).with_prefixlen
+
+ IPsecUtil.vpp_ipsec_add_spd_entry(
+ nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=False,
+ proto=50, laddr_range=dut1_local_outbound_range,
+ raddr_range=dut1_remote_outbound_range
+ )
+ IPsecUtil.vpp_ipsec_add_spd_entry(
+ nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=True,
+ proto=50, laddr_range=dut1_remote_outbound_range,
+ raddr_range=dut1_local_outbound_range
+ )
IPsecUtil.vpp_ipsec_add_sad_entries(
nodes[u"DUT1"], n_tunnels, sa_id_1, spi_1, crypto_alg, crypto_key,
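Review bot: The bound in `for i in range(n_tunnels//(addr_incr**2)+1)` is built from unexplained powers of `addr_incr`, and the `+1` appears to install one more pair of `/8` BYPASS entries than the tunnels need whenever `n_tunnels` is an exact multiple of `addr_incr**2` (assuming tunnels are numbered from 0; the address allocation is outside this hunk). Every extra BYPASS range widens the set of ESP traffic that skips policy, so the count should be exact: name the quantities, e.g. `tunnels_per_range = addr_incr**2` and `range_stride = addr_incr**3`, and use `-(-n_tunnels // tunnels_per_range)` if a ceiling is what is meant. For IPv6 the prefix stays `/8` while the stride is `2**96`, so a second iteration would land in the same network; that is unreachable at realistic tunnel counts but deserves a comment. The DUT2 loop further down repeats the same computation, with `dut2_local_outbound_range` derived from `tunnel_ip1` and the arguments then swapped in the calls. Computing the range pairs once and reusing them for both DUTs would remove that duplication and the misleading name.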
IPsecUtil.vpp_ipsec_add_spd(nodes[u"DUT2"], spd_id)
IPsecUtil.vpp_ipsec_spd_add_if(nodes[u"DUT2"], spd_id, interface2)
- IPsecUtil.vpp_ipsec_add_spd_entry(
- nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS,
- inbound=False, proto=50, laddr_range=dut1_remote_outbound_range,
- raddr_range=dut1_local_outbound_range
- )
- IPsecUtil.vpp_ipsec_add_spd_entry(
- nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS,
- inbound=True, proto=50, laddr_range=dut1_local_outbound_range,
- raddr_range=dut1_remote_outbound_range
- )
+ for i in range(n_tunnels//(addr_incr**2)+1):
+ dut2_local_outbound_range = \
+ ip_network(f"{ip_address(tunnel_ip1) + i*(addr_incr**3)}/8",
+ False).with_prefixlen
+ dut2_remote_outbound_range = \
+ ip_network(f"{ip_address(tunnel_ip2) + i*(addr_incr**3)}/8",
+ False).with_prefixlen
+
+ IPsecUtil.vpp_ipsec_add_spd_entry(
+ nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS,
+ inbound=False, proto=50,
+ laddr_range=dut2_remote_outbound_range,
+ raddr_range=dut2_local_outbound_range
+ )
+ IPsecUtil.vpp_ipsec_add_spd_entry(
+ nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS,
+ inbound=True, proto=50,
+ laddr_range=dut2_local_outbound_range,
+ raddr_range=dut2_remote_outbound_range
+ )
IPsecUtil.vpp_ipsec_add_sad_entries(
nodes[u"DUT2"], n_tunnels, sa_id_1, spi_1, crypto_alg,
for i in range(0, n_flows):
rx_queue = i%rx_queues
-
spi = spi_start + i
flow_index = FlowUtil.vpp_create_ip4_ipsec_flow(
- node, "ESP", spi, "redirect-to-queue", value=rx_queue)
+ node, "ESP", spi, "redirect-to-queue", value=rx_queue)
FlowUtil.vpp_flow_enable(node, interface, flow_index)