src_addr = u""
dst_addr = u""
- cmd = u"ipsec_sad_entry_add_del_v2"
+ cmd = u"ipsec_sad_entry_add_del_v3"
err_msg = f"Failed to add Security Association Database entry " \
f"on host {node[u'host']}"
sad_entry = dict(
integrity_algorithm=integ_alg.alg_int_repr if integ_alg else 0,
integrity_key=ikey,
flags=flags,
- tunnel_src=str(src_addr),
- tunnel_dst=str(dst_addr),
- tunnel_flags=int(
- TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+ tunnel=dict(
+ src=str(src_addr),
+ dst=str(dst_addr),
+ table_id=0,
+ encap_decap_flags=int(
+ TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+ ),
+ dscp=int(IpDscp.IP_API_DSCP_CS0),
),
- dscp=int(IpDscp.IP_API_DSCP_CS0),
protocol=int(IPsecProto.IPSEC_API_PROTO_ESP),
udp_src_port=4500, # default value in api
udp_dst_port=4500 # default value in api
IPsecSadFlags.IPSEC_API_SAD_FLAG_IS_TUNNEL_V6
)
- cmd = u"ipsec_sad_entry_add_del_v2"
+ cmd = u"ipsec_sad_entry_add_del_v3"
err_msg = f"Failed to add Security Association Database entry " \
f"on host {node[u'host']}"
integrity_algorithm=integ_alg.alg_int_repr if integ_alg else 0,
integrity_key=ikey,
flags=flags,
- tunnel_src=str(src_addr),
- tunnel_dst=str(dst_addr),
- tunnel_flags=int(
- TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+ tunnel=dict(
+ src=str(src_addr),
+ dst=str(dst_addr),
+ table_id=0,
+ encap_decap_flags=int(
+ TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+ ),
+ dscp=int(IpDscp.IP_API_DSCP_CS0),
),
- dscp=int(IpDscp.IP_API_DSCP_CS0),
protocol=int(IPsecProto.IPSEC_API_PROTO_ESP),
udp_src_port=4500, # default value in api
udp_dst_port=4500 # default value in api
for i in range(n_entries):
args[u"entry"][u"sad_id"] = int(sad_id) + i
args[u"entry"][u"spi"] = int(spi) + i
- args[u"entry"][u"tunnel_src"] = str(src_addr + i * addr_incr) \
+ args[u"entry"][u"tunnel"][u"src"] = (
+ str(src_addr + i * addr_incr)
if tunnel_src and tunnel_dst else src_addr
- args[u"entry"][u"tunnel_dst"] = str(dst_addr + i * addr_incr) \
+ )
+ args[u"entry"][u"tunnel"][u"dst"] = (
+ str(dst_addr + i * addr_incr)
if tunnel_src and tunnel_dst else dst_addr
+ )
history = bool(not 1 < i < n_entries - 2)
papi_exec.add(cmd, history=history, **args)
papi_exec.get_replies(err_msg)
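Review bot: The per-iteration writes into `args[u"entry"][u"tunnel"][u"src"]` and `args[u"entry"][u"tunnel"][u"dst"]` now mutate one nested dict that every queued call shares, so unless `papi_exec.add` deep-copies its keyword arguments (not visible here), all `n_entries` queued `ipsec_sad_entry_add_del_v3` requests would carry the last iteration's tunnel addresses; a shallow copy of `entry` was sufficient for the old flat `tunnel_src`/`tunnel_dst` keys but is not for the new nesting. If `add` cannot be confirmed to copy deeply, rebind a fresh tunnel dict each iteration instead of assigning into the shared one, e.g. `args[u"entry"][u"tunnel"] = dict(args[u"entry"][u"tunnel"], src=..., dst=...)` with the two conditional expressions already in the hunk filled in. A one-line comment above the loop stating that `args` is reused across iterations and relies on `add` copying it would make that contract explicit either way. The enclosing function starts before this hunk.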
:type action: IPsecUtil.PolicyAction
:type inbound: bool
:type bidirectional: bool
- :raises NotImplemented: When the action is PolicyAction.PROTECT.
+ :raises NotImplementedError: When the action is PolicyAction.PROTECT.
"""
if action == PolicyAction.PROTECT:
- raise NotImplemented('Policy action PROTECT is not supported.')
+ raise NotImplementedError('Policy action PROTECT is not supported.')
spd_id_dir1 = 1
spd_id_dir2 = 2
# create a NetworkIncrement representation of the network,
# then skip the matching network
no_match_local_addr_range = NetworkIncrement(
- ip_network(local_addr_range), 1
+ ip_network(local_addr_range)
)
next(no_match_local_addr_range)
no_match_remote_addr_range = NetworkIncrement(
- ip_network(remote_addr_range), 1
+ ip_network(remote_addr_range)
)
next(no_match_remote_addr_range)
# reset the networks so that we're using a unified config
# the address ranges are switched
no_match_remote_addr_range = NetworkIncrement(
- ip_network(local_addr_range), 1
+ ip_network(local_addr_range)
)
next(no_match_remote_addr_range)
no_match_local_addr_range = NetworkIncrement(
- ip_network(remote_addr_range), 1
+ ip_network(remote_addr_range)
)
next(no_match_local_addr_range)
# non-matching entries direction 2
tmp_filename = f"/tmp/ipsec_spd_{spd_id}_add_del_entry.script"
with open(tmp_filename, 'w') as tmp_file:
- for i in range(n_entries):
+ for _ in range(n_entries):
direction = u'inbound' if inbound else u'outbound'
sa = f' sa {sa_id.inc_fmt()}' if sa_id is not None else ''
protocol = f' protocol {protocol}' if proto else ''
os.remove(tmp_filename)
return
- for i in range(n_entries):
+ for _ in range(n_entries):
IPsecUtil.vpp_ipsec_add_spd_entry(
node, spd_id, next(priority), action, inbound,
next(sa_id) if sa_id is not None else sa_id,
# Configure IPSec SAD entries
ckeys = [bytes()] * existing_tunnels
ikeys = [bytes()] * existing_tunnels
- cmd = u"ipsec_sad_entry_add_del_v2"
+ cmd = u"ipsec_sad_entry_add_del_v3"
c_key = dict(
length=0,
data=None
integrity_algorithm=integ_alg.alg_int_repr if integ_alg else 0,
integrity_key=i_key,
flags=None,
- tunnel_src=0,
- tunnel_dst=0,
- tunnel_flags=int(
- TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+ tunnel=dict(
+ src=0,
+ dst=0,
+ table_id=0,
+ encap_decap_flags=int(
+ TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+ ),
+ dscp=int(IpDscp.IP_API_DSCP_CS0),
),
- dscp=int(IpDscp.IP_API_DSCP_CS0),
- table_id=0,
salt=0,
udp_src_port=IPSEC_UDP_PORT_NONE,
- udp_dst_port=IPSEC_UDP_PORT_NONE
+ udp_dst_port=IPSEC_UDP_PORT_NONE,
)
args = dict(
is_add=True,
]
)
# Configure IPSec SAD entries
- cmd = u"ipsec_sad_entry_add_del_v2"
+ cmd = u"ipsec_sad_entry_add_del_v3"
c_key = dict(
length=0,
data=None
sad_id=None,
spi=None,
protocol=int(IPsecProto.IPSEC_API_PROTO_ESP),
-
crypto_algorithm=crypto_alg.alg_int_repr,
crypto_key=c_key,
integrity_algorithm=integ_alg.alg_int_repr if integ_alg else 0,
integrity_key=i_key,
-
flags=None,
- tunnel_src=0,
- tunnel_dst=0,
- tunnel_flags=int(
- TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+ tunnel=dict(
+ src=0,
+ dst=0,
+ table_id=0,
+ encap_decap_flags=int(
+ TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+ ),
+ dscp=int(IpDscp.IP_API_DSCP_CS0),
),
- dscp=int(IpDscp.IP_API_DSCP_CS0),
- table_id=0,
salt=0,
udp_src_port=IPSEC_UDP_PORT_NONE,
- udp_dst_port=IPSEC_UDP_PORT_NONE
+ udp_dst_port=IPSEC_UDP_PORT_NONE,
)
args = dict(
is_add=True,
nodes[u"DUT1"], n_tunnels, spd_id, priority=ObjIncrement(p_lo, 0),
action=PolicyAction.PROTECT, inbound=False,
sa_id=ObjIncrement(sa_id_1, 1),
- raddr_range=NetworkIncrement(ip_network(raddr_ip2), 1)
+ raddr_range=NetworkIncrement(ip_network(raddr_ip2))
)
IPsecUtil.vpp_ipsec_add_sad_entries(
nodes[u"DUT1"], n_tunnels, spd_id, priority=ObjIncrement(p_lo, 0),
action=PolicyAction.PROTECT, inbound=True,
sa_id=ObjIncrement(sa_id_2, 1),
- raddr_range=NetworkIncrement(ip_network(raddr_ip1), 1)
+ raddr_range=NetworkIncrement(ip_network(raddr_ip1))
)
if u"DUT2" in nodes.keys():
crypto_key, integ_alg, integ_key, tunnel_ip1, tunnel_ip2
)
IPsecUtil.vpp_ipsec_add_spd_entries(
- nodes[u"DUT2"], n_tunnels, spd_id, priority=ObjIncrement(p_lo, 0),
+ nodes[u"DUT2"], n_tunnels, spd_id,
+ priority=ObjIncrement(p_lo, 0),
action=PolicyAction.PROTECT, inbound=True,
sa_id=ObjIncrement(sa_id_1, 1),
- raddr_range=NetworkIncrement(ip_network(raddr_ip2), 1)
+ raddr_range=NetworkIncrement(ip_network(raddr_ip2))
)
IPsecUtil.vpp_ipsec_add_sad_entries(
crypto_key, integ_alg, integ_key, tunnel_ip2, tunnel_ip1
)
IPsecUtil.vpp_ipsec_add_spd_entries(
- nodes[u"DUT2"], n_tunnels, spd_id, priority=ObjIncrement(p_lo, 0),
+ nodes[u"DUT2"], n_tunnels, spd_id,
+ priority=ObjIncrement(p_lo, 0),
action=PolicyAction.PROTECT, inbound=False,
sa_id=ObjIncrement(sa_id_2, 1),
- raddr_range=NetworkIncrement(ip_network(raddr_ip1), 1)
+ raddr_range=NetworkIncrement(ip_network(raddr_ip1))
)
@staticmethod
:type node: dict
"""
cmds = [
- u"ipsec_sa_v2_dump"
+ u"ipsec_sa_v3_dump"
]
PapiSocketExecutor.dump_and_log(node, cmds)