X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=resources%2Flibraries%2Fpython%2FIPsecUtil.py;h=e455dd7a886490572647b2d4f163b55e541118fb;hb=cc63395c056c520d4e43643a8c5c2a2b18ad6515;hp=6bf3e8de7fdda9fd72675121802cad4b82040db6;hpb=75eb3abbac136bd6e9fb47f595b4f7b8a8294038;p=csit.git
diff --git a/resources/libraries/python/IPsecUtil.py b/resources/libraries/python/IPsecUtil.py
index 6bf3e8de7f..e455dd7a88 100644
--- a/resources/libraries/python/IPsecUtil.py
+++ b/resources/libraries/python/IPsecUtil.py
@@ -437,7 +437,7 @@ class IPsecUtil:
             src_addr = u""
             dst_addr = u""
 
-        cmd = u"ipsec_sad_entry_add_del_v2"
+        cmd = u"ipsec_sad_entry_add_del_v3"
         err_msg = f"Failed to add Security Association Database entry " \
             f"on host {node[u'host']}"
         sad_entry = dict(
@@ -448,12 +448,15 @@ class IPsecUtil:
             integrity_algorithm=integ_alg.alg_int_repr if integ_alg else 0,
             integrity_key=ikey,
             flags=flags,
-            tunnel_src=str(src_addr),
-            tunnel_dst=str(dst_addr),
-            tunnel_flags=int(
-                TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+            tunnel=dict(
+                src=str(src_addr),
+                dst=str(dst_addr),
+                table_id=0,
+                encap_decap_flags=int(
+                    TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+                ),
+                dscp=int(IpDscp.IP_API_DSCP_CS0),
             ),
-            dscp=int(IpDscp.IP_API_DSCP_CS0),
             protocol=int(IPsecProto.IPSEC_API_PROTO_ESP),
             udp_src_port=4500,  # default value in api
             udp_dst_port=4500  # default value in api
@@ -551,7 +554,7 @@ class IPsecUtil:
                     IPsecSadFlags.IPSEC_API_SAD_FLAG_IS_TUNNEL_V6
                 )
 
-        cmd = u"ipsec_sad_entry_add_del_v2"
+        cmd = u"ipsec_sad_entry_add_del_v3"
         err_msg = f"Failed to add Security Association Database entry " \
             f"on host {node[u'host']}"
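Review bot: The new `tunnel` sub-dict in the 448 hunk hard-codes `table_id=0`, a field the previous v2 call in this function never passed, and nothing in the hunk says why VRF 0 is the right FIB for every tunnel-mode SA; the same literal is introduced in the multi-entry variant further down. Suggest annotating it, `table_id=0,  # tunnel endpoints are resolved in the default FIB (VRF 0)`, and if any caller ever places tunnel endpoints in a non-default VRF, threading a `table_id=0` keyword through vpp_ipsec_add_sad_entry instead of pinning it here. Note also that in transport mode the hunk still sends `src=str(src_addr)`/`dst=str(dst_addr)` with the empty strings assigned in the 437 hunk, which presumably relies on PAPI accepting an empty address; the flat `tunnel_src`/`tunnel_dst` fields had the same dependency, so a short comment on that branch is enough. The enclosing function starts before the hunk.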
@@ -563,12 +566,15 @@ class IPsecUtil:
             integrity_algorithm=integ_alg.alg_int_repr if integ_alg else 0,
             integrity_key=ikey,
             flags=flags,
-            tunnel_src=str(src_addr),
-            tunnel_dst=str(dst_addr),
-            tunnel_flags=int(
-                TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+            tunnel=dict(
+                src=str(src_addr),
+                dst=str(dst_addr),
+                table_id=0,
+                encap_decap_flags=int(
+                    TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+                ),
+                dscp=int(IpDscp.IP_API_DSCP_CS0),
             ),
-            dscp=int(IpDscp.IP_API_DSCP_CS0),
             protocol=int(IPsecProto.IPSEC_API_PROTO_ESP),
             udp_src_port=4500,  # default value in api
             udp_dst_port=4500  # default value in api
@@ -581,10 +587,14 @@ class IPsecUtil:
         for i in range(n_entries):
             args[u"entry"][u"sad_id"] = int(sad_id) + i
             args[u"entry"][u"spi"] = int(spi) + i
-            args[u"entry"][u"tunnel_src"] = str(src_addr + i * addr_incr) \
+            args[u"entry"][u"tunnel"][u"src"] = (
+                str(src_addr + i * addr_incr)
                 if tunnel_src and tunnel_dst else src_addr
-            args[u"entry"][u"tunnel_dst"] = str(dst_addr + i * addr_incr) \
+            )
+            args[u"entry"][u"tunnel"][u"dst"] = (
+                str(dst_addr + i * addr_incr)
                 if tunnel_src and tunnel_dst else dst_addr
+            )
             history = bool(not 1 < i < n_entries - 2)
             papi_exec.add(cmd, history=history, **args)
         papi_exec.get_replies(err_msg)
@@ -777,11 +787,11 @@ class IPsecUtil:
         :type action: IPsecUtil.PolicyAction
         :type inbound: bool
         :type bidirectional: bool
-        :raises NotImplemented: When the action is PolicyAction.PROTECT.
+        :raises NotImplementedError: When the action is PolicyAction.PROTECT.
         """
 
         if action == PolicyAction.PROTECT:
-            raise NotImplemented('Policy action PROTECT is not supported.')
+            raise NotImplementedError('Policy action PROTECT is not supported.')
 
         spd_id_dir1 = 1
         spd_id_dir2 = 2
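Review bot: In the 587 hunk the per-entry loop now mutates the nested `args[u"entry"][u"tunnel"]` dict in place and then hands it to `papi_exec.add(cmd, history=history, **args)`; the `**args` unpack copies only the top-level mapping, so every queued request shares the same `entry` and `tunnel` objects unless `add()` copies its kwargs. The flat `tunnel_src`/`tunnel_dst` keys (and `sad_id`/`spi`) already relied on that copy, so this is presumably handled, but it is worth confirming now that the mutated data sits one level deeper. Separately, `tunnel_src and tunnel_dst` is loop-invariant and the two branches are asymmetric (`str(...)` on one side, bare `src_addr` on the other); hoisting `in_tunnel = bool(tunnel_src and tunnel_dst)` above the loop and using it in both conditionals makes that visible and avoids re-evaluating it `n_entries` times. The enclosing function starts before the hunk.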
@@ -813,12 +823,12 @@ class IPsecUtil:
             # create a NetworkIncrement representation of the network,
             # then skip the matching network
             no_match_local_addr_range = NetworkIncrement(
-                ip_network(local_addr_range), 1
+                ip_network(local_addr_range)
             )
             next(no_match_local_addr_range)
 
             no_match_remote_addr_range = NetworkIncrement(
-                ip_network(remote_addr_range), 1
+                ip_network(remote_addr_range)
             )
             next(no_match_remote_addr_range)
@@ -834,12 +844,12 @@ class IPsecUtil:
             # reset the networks so that we're using a unified config
             # the address ranges are switched
             no_match_remote_addr_range = NetworkIncrement(
-                ip_network(local_addr_range), 1
+                ip_network(local_addr_range)
             )
             next(no_match_remote_addr_range)
 
             no_match_local_addr_range = NetworkIncrement(
-                ip_network(remote_addr_range), 1
+                ip_network(remote_addr_range)
             )
             next(no_match_local_addr_range)
             # non-matching entries direction 2
@@ -1004,7 +1014,7 @@ class IPsecUtil:
             tmp_filename = f"/tmp/ipsec_spd_{spd_id}_add_del_entry.script"
 
             with open(tmp_filename, 'w') as tmp_file:
-                for i in range(n_entries):
+                for _ in range(n_entries):
                     direction = u'inbound' if inbound else u'outbound'
                     sa = f' sa {sa_id.inc_fmt()}' if sa_id is not None else ''
                     protocol = f' protocol {protocol}' if proto else ''
@@ -1031,7 +1041,7 @@ class IPsecUtil:
             os.remove(tmp_filename)
             return
 
-        for i in range(n_entries):
+        for _ in range(n_entries):
             IPsecUtil.vpp_ipsec_add_spd_entry(
                 node, spd_id, next(priority), action, inbound,
                 next(sa_id) if sa_id is not None else sa_id,
@@ -1439,7 +1449,7 @@ class IPsecUtil:
         # Configure IPSec SAD entries
         ckeys = [bytes()] * existing_tunnels
         ikeys = [bytes()] * existing_tunnels
-        cmd = u"ipsec_sad_entry_add_del_v2"
+        cmd = u"ipsec_sad_entry_add_del_v3"
         c_key = dict(
             length=0,
             data=None
@@ -1457,16 +1467,18 @@ class IPsecUtil:
             integrity_algorithm=integ_alg.alg_int_repr if integ_alg else 0,
             integrity_key=i_key,
             flags=None,
-            tunnel_src=0,
-            tunnel_dst=0,
-            tunnel_flags=int(
-                TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+            tunnel=dict(
+                src=0,
+                dst=0,
+                table_id=0,
+                encap_decap_flags=int(
+                    TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+                ),
+                dscp=int(IpDscp.IP_API_DSCP_CS0),
             ),
-            dscp=int(IpDscp.IP_API_DSCP_CS0),
-            table_id=0,
             salt=0,
             udp_src_port=IPSEC_UDP_PORT_NONE,
-            udp_dst_port=IPSEC_UDP_PORT_NONE
+            udp_dst_port=IPSEC_UDP_PORT_NONE,
         )
         args = dict(
             is_add=True,
@@ -1679,7 +1691,7 @@ class IPsecUtil:
             ]
         )
         # Configure IPSec SAD entries
-        cmd = u"ipsec_sad_entry_add_del_v2"
+        cmd = u"ipsec_sad_entry_add_del_v3"
         c_key = dict(
             length=0,
             data=None
@@ -1692,23 +1704,23 @@ class IPsecUtil:
             sad_id=None,
             spi=None,
             protocol=int(IPsecProto.IPSEC_API_PROTO_ESP),
-            crypto_algorithm=crypto_alg.alg_int_repr,
             crypto_key=c_key,
             integrity_algorithm=integ_alg.alg_int_repr if integ_alg else 0,
             integrity_key=i_key,
-            flags=None,
-            tunnel_src=0,
-            tunnel_dst=0,
-            tunnel_flags=int(
-                TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+            tunnel=dict(
+                src=0,
+                dst=0,
+                table_id=0,
+                encap_decap_flags=int(
+                    TunnelEncpaDecapFlags.TUNNEL_API_ENCAP_DECAP_FLAG_NONE
+                ),
+                dscp=int(IpDscp.IP_API_DSCP_CS0),
             ),
-            dscp=int(IpDscp.IP_API_DSCP_CS0),
-            table_id=0,
             salt=0,
             udp_src_port=IPSEC_UDP_PORT_NONE,
-            udp_dst_port=IPSEC_UDP_PORT_NONE
+            udp_dst_port=IPSEC_UDP_PORT_NONE,
         )
         args = dict(
             is_add=True,
@@ -2159,7 +2171,7 @@ class IPsecUtil:
             nodes[u"DUT1"], n_tunnels, spd_id, priority=ObjIncrement(p_lo, 0),
             action=PolicyAction.PROTECT, inbound=False,
             sa_id=ObjIncrement(sa_id_1, 1),
-            raddr_range=NetworkIncrement(ip_network(raddr_ip2), 1)
+            raddr_range=NetworkIncrement(ip_network(raddr_ip2))
         )
 
         IPsecUtil.vpp_ipsec_add_sad_entries(
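Review bot: The DUT2 SAD template in the 1704 hunk drops `crypto_algorithm=crypto_alg.alg_int_repr,` and `flags=None,` with no replacement visible anywhere in the hunk, while the DUT1 template in the 1467 hunk keeps `flags=None`; if nothing later in the function assigns `sad_entry[u"crypto_algorithm"]`, PAPI would presumably send the zero default, i.e. an SA with no cipher that carries ESP payloads in the clear, and a throughput test would still pass. If the values are filled in per SA further down (outside the hunk), a comment at the template such as `# crypto_algorithm and flags are set per SA in the loop below` would stop the next reader from re-adding them; otherwise the two removed lines should come back so both templates are built the same way. Relatedly, `src=0`/`dst=0` in the new `tunnel` dict are integer placeholders where the other SAD helpers pass address strings, which is only safe if both are overwritten before `papi_exec.add`. Both enclosing functions start before and end after their hunks.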
@@ -2170,7 +2182,7 @@ class IPsecUtil:
             nodes[u"DUT1"], n_tunnels, spd_id, priority=ObjIncrement(p_lo, 0),
             action=PolicyAction.PROTECT, inbound=True,
             sa_id=ObjIncrement(sa_id_2, 1),
-            raddr_range=NetworkIncrement(ip_network(raddr_ip1), 1)
+            raddr_range=NetworkIncrement(ip_network(raddr_ip1))
         )
 
         if u"DUT2" in nodes.keys():
@@ -2196,10 +2208,11 @@ class IPsecUtil:
                 crypto_key, integ_alg, integ_key, tunnel_ip1, tunnel_ip2
             )
             IPsecUtil.vpp_ipsec_add_spd_entries(
-                nodes[u"DUT2"], n_tunnels, spd_id, priority=ObjIncrement(p_lo, 0),
+                nodes[u"DUT2"], n_tunnels, spd_id,
+                priority=ObjIncrement(p_lo, 0),
                 action=PolicyAction.PROTECT, inbound=True,
                 sa_id=ObjIncrement(sa_id_1, 1),
-                raddr_range=NetworkIncrement(ip_network(raddr_ip2), 1)
+                raddr_range=NetworkIncrement(ip_network(raddr_ip2))
             )
 
             IPsecUtil.vpp_ipsec_add_sad_entries(
@@ -2207,10 +2220,11 @@ class IPsecUtil:
                 crypto_key, integ_alg, integ_key, tunnel_ip2, tunnel_ip1
             )
             IPsecUtil.vpp_ipsec_add_spd_entries(
-                nodes[u"DUT2"], n_tunnels, spd_id, priority=ObjIncrement(p_lo, 0),
+                nodes[u"DUT2"], n_tunnels, spd_id,
+                priority=ObjIncrement(p_lo, 0),
                 action=PolicyAction.PROTECT, inbound=False,
                 sa_id=ObjIncrement(sa_id_2, 1),
-                raddr_range=NetworkIncrement(ip_network(raddr_ip1), 1)
+                raddr_range=NetworkIncrement(ip_network(raddr_ip1))
             )
 
     @staticmethod
@@ -2230,6 +2244,6 @@ class IPsecUtil:
         :type node: dict
         """
         cmds = [
-            u"ipsec_sa_v2_dump"
+            u"ipsec_sa_v3_dump"
         ]
         PapiSocketExecutor.dump_and_log(node, cmds)