X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=test%2Ftest_ipsec_tun_if_esp.py;h=8b6f619b47f33f2f63d333d9a69e2d86705dc27b;hb=48bdf24ad2a1266f8c6bf4932b92d0165f370171;hp=6f7752915d05ee61bd92cec0948f44edfcc31cc5;hpb=7a29a2d400bbc3740a6a98863f290aa654d5f724;p=vpp.git
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
index 6f7752915d0..8b6f619b47f 100644
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@@ -4,7 +4,7 @@ import copy from scapy.layers.ipsec import SecurityAssociation, ESP from scapy.layers.l2 import Ether, GRE, Dot1Q -from scapy.packet import Raw +from scapy.packet import Raw, bind_layers from scapy.layers.inet import IP, UDP from scapy.layers.inet6 import IPv6 from scapy.contrib.mpls import MPLS
@@ -40,6 +40,18 @@ def config_tun_params(p, encryption_type, tun_if, src=None, dst=None): p.tun_dst = dst p.tun_src = src + if p.nat_header: + is_default_port = (p.nat_header.dport == 4500) + else: + is_default_port = True + + if is_default_port: + outbound_nat_header = p.nat_header + else: + outbound_nat_header = UDP(sport=p.nat_header.dport, + dport=p.nat_header.sport) + bind_layers(UDP, ESP, dport=p.nat_header.dport) + p.scapy_tun_sa = SecurityAssociation( encryption_type, spi=p.vpp_tun_spi, crypt_algo=p.crypt_algo,
@@ -48,7 +60,7 @@ def config_tun_params(p, encryption_type, tun_if, src=None, dst=None): tunnel_header=ip_class_by_addr_type[p.addr_type]( src=p.tun_dst, dst=p.tun_src), - nat_t_header=p.nat_header, + nat_t_header=outbound_nat_header, esn_en=esn_en) p.vpp_tun_sa = SecurityAssociation( encryption_type, spi=p.scapy_tun_spi,
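Review bot: `bind_layers(UDP, ESP, dport=p.nat_header.dport)` in the block added to `config_tun_params` edits scapy's process-wide dissection table and nothing in the visible hunks undoes it, so later tests in the same process will dissect UDP to that port as ESP. The same twelve-line block is added again in `config_tra_params` (hunk `@@ -69,13 +81,26 @@`), and the literal `4500` (the default NAT-T port) is unnamed in both copies. I would move the logic into one documented helper and, if test isolation matters here, pair the binding with scapy's `split_layers(UDP, ESP, dport=...)` in teardown, which lies outside these hunks. Both functions start before and continue past their hunks.

```python
def _outbound_nat_header(p):
    """Return the NAT-T UDP header for the scapy-side SA built from p."""
    hdr = p.nat_header
    if not hdr or hdr.dport == 4500:
        # no NAT-T header, or the default NAT-T port: use it unchanged
        return hdr
    # non-default port: the peer's view has the ports swapped, and scapy
    # must be told to dissect that port as ESP (process-wide binding)
    bind_layers(UDP, ESP, dport=hdr.dport)
    return UDP(sport=hdr.dport, dport=hdr.sport)

# in config_tun_params and config_tra_params, replacing the added block:
    outbound_nat_header = _outbound_nat_header(p)
    # … unchanged: SecurityAssociation(...) construction …
```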
@@ -69,13 +81,26 @@ def config_tra_params(p, encryption_type, tun_if): crypt_key = mk_scapy_crypt_key(p) p.tun_dst = tun_if.remote_ip p.tun_src = tun_if.local_ip + + if p.nat_header: + is_default_port = (p.nat_header.dport == 4500) + else: + is_default_port = True + + if is_default_port: + outbound_nat_header = p.nat_header + else: + outbound_nat_header = UDP(sport=p.nat_header.dport, + dport=p.nat_header.sport) + bind_layers(UDP, ESP, dport=p.nat_header.dport) + p.scapy_tun_sa = SecurityAssociation( encryption_type, spi=p.vpp_tun_spi, crypt_algo=p.crypt_algo, crypt_key=crypt_key, auth_algo=p.auth_algo, auth_key=p.auth_key, esn_en=esn_en, - nat_t_header=p.nat_header) + nat_t_header=outbound_nat_header) p.vpp_tun_sa = SecurityAssociation( encryption_type, spi=p.scapy_tun_spi, crypt_algo=p.crypt_algo,
@@ -90,7 +115,7 @@ class TemplateIpsec4TunProtect(object): encryption_type = ESP tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] tun4_input_node = "ipsec4-tun-input" def config_sa_tra(self, p):
@@ -207,7 +232,7 @@ class TemplateIpsec4TunIfEspUdp(TemplateIpsec4TunProtect, """ IPsec UDP tunnel interface tests """ tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] encryption_type = ESP @classmethod
@@ -284,7 +309,7 @@ class TemplateIpsec4TunIfEspUdp(TemplateIpsec4TunProtect, class TestIpsec4TunIfEsp1(TemplateIpsec4TunIfEsp, IpsecTun4Tests): """ Ipsec ESP - TUN tests """ tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] def test_tun_basic64(self): """ ipsec 6o4 tunnel basic test """
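Review bot: `tun4_decrypt_node_name` in the `TemplateIpsec4TunProtect` hunk is now a list while `tun4_encrypt_node_name` beside it stays a string, the attribute name is still singular, and nothing on the line says why two nodes are listed. Any consumer that formats the attribute with `%s` would build a counter path from the list's repr; the one such use visible in this diff (hunk `@@ -1605,7 +1626,7 @@`) had to add `[0]`. The same literal is repeated in most test classes of this file (with a `tun6_` twin), so a module-level constant such as `ESP4_DECRYPT_TUN_NODES = ("esp4-decrypt-tun", "esp4-decrypt-tun-post")` with a one-line comment would keep them in step and avoid a shared mutable class attribute. Consumers in the template module are outside this diff, so confirm they iterate over the value.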
@@ -451,7 +476,7 @@ class TestIpsec6TunIfEsp1(TemplateIpsec6TunIfEsp, IpsecTun6Tests): """ Ipsec ESP - TUN tests """ tun6_encrypt_node_name = "esp6-encrypt-tun" - tun6_decrypt_node_name = "esp6-decrypt-tun" + tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] def test_tun_basic46(self): """ ipsec 4o6 tunnel basic test """
@@ -468,7 +493,7 @@ class TestIpsec6TunIfEspHandoff(TemplateIpsec6TunIfEsp, IpsecTun6HandoffTests): """ Ipsec ESP 6 Handoff tests """ tun6_encrypt_node_name = "esp6-encrypt-tun" - tun6_decrypt_node_name = "esp6-decrypt-tun" + tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] def test_tun_handoff_66_police(self): """ ESP 6o6 tunnel with policer worker hand-off test """
@@ -509,7 +534,7 @@ class TestIpsec6TunIfEspHandoff(TemplateIpsec6TunIfEsp, stats0 = policer.get_stats(worker=0) stats1 = policer.get_stats(worker=1) - if pol_bind is 1: + if pol_bind == 1: # First pass: Worker 1, should have done all the policing self.assertEqual(stats, stats1)
@@ -540,7 +565,7 @@ class TestIpsec4TunIfEspHandoff(TemplateIpsec4TunIfEsp, IpsecTun4HandoffTests): """ Ipsec ESP 4 Handoff tests """ tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] def test_tun_handoff_44_police(self): """ ESP 4o4 tunnel with policer worker hand-off test """
@@ -581,7 +606,7 @@ class TestIpsec4TunIfEspHandoff(TemplateIpsec4TunIfEsp, stats0 = policer.get_stats(worker=0) stats1 = policer.get_stats(worker=1) - if pol_bind is 1: + if pol_bind == 1: # First pass: Worker 1, should have done all the policing self.assertEqual(stats, stats1)
@@ -616,7 +641,7 @@ class TestIpsec4MultiTunIfEsp(TemplateIpsec4TunProtect, encryption_type = ESP tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] def setUp(self): super(TestIpsec4MultiTunIfEsp, self).setUp()
@@ -654,10 +679,8 @@ class TestIpsec4MultiTunIfEsp(TemplateIpsec4TunProtect, """Multiple IPSEC tunnel interfaces """ for p in self.multi_params: self.verify_tun_44(p, count=127) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 127) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 127) + self.assertEqual(p.tun_if.get_rx_stats(), 127) + self.assertEqual(p.tun_if.get_tx_stats(), 127) def test_tun_rr_44(self): """ Round-robin packets acrros multiple interface """
@@ -688,7 +711,7 @@ class TestIpsec4TunIfEspAll(TemplateIpsec4TunProtect, encryption_type = ESP tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] def setUp(self): super(TestIpsec4TunIfEspAll, self).setUp()
@@ -846,7 +869,7 @@ class TestIpsec4TunIfEspNoAlgo(TemplateIpsec4TunProtect, encryption_type = ESP tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] def setUp(self): super(TestIpsec4TunIfEspNoAlgo, self).setUp()
@@ -891,7 +914,7 @@ class TestIpsec6MultiTunIfEsp(TemplateIpsec6TunProtect, encryption_type = ESP tun6_encrypt_node_name = "esp6-encrypt-tun" - tun6_decrypt_node_name = "esp6-decrypt-tun" + tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] def setUp(self): super(TestIpsec6MultiTunIfEsp, self).setUp()
@@ -929,17 +952,15 @@ class TestIpsec6MultiTunIfEsp(TemplateIpsec6TunProtect, """Multiple IPSEC tunnel interfaces """ for p in self.multi_params: self.verify_tun_66(p, count=127) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 127) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 127) + self.assertEqual(p.tun_if.get_rx_stats(), 127) + self.assertEqual(p.tun_if.get_tx_stats(), 127) class TestIpsecGreTebIfEsp(TemplateIpsec, IpsecTun4Tests): """ Ipsec GRE TEB ESP - TUN tests """ tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] encryption_type = ESP omac = "00:11:22:33:44:55"
@@ -1050,7 +1071,7 @@ class TestIpsecGreTebVlanIfEsp(TemplateIpsec, IpsecTun4Tests): """ Ipsec GRE TEB ESP - TUN tests """ tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] encryption_type = ESP omac = "00:11:22:33:44:55"
@@ -1170,7 +1191,7 @@ class TestIpsecGreTebIfEspTra(TemplateIpsec, IpsecTun4Tests): """ Ipsec GRE TEB ESP - Tra tests """ tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] encryption_type = ESP omac = "00:11:22:33:44:55"
@@ -1275,7 +1296,7 @@ class TestIpsecGreTebUdpIfEspTra(TemplateIpsec, IpsecTun4Tests): """ Ipsec GRE TEB UDP ESP - Tra tests """ tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] encryption_type = ESP omac = "00:11:22:33:44:55"
@@ -1358,8 +1379,8 @@ class TestIpsecGreTebUdpIfEspTra(TemplateIpsec, flags=(p.flags | VppEnum.vl_api_ipsec_sad_flags_t. IPSEC_API_SAD_FLAG_IS_INBOUND), - udp_src=5454, - udp_dst=4545) + udp_src=4545, + udp_dst=5454) p.tun_sa_in.add_vpp_config() p.tun_if = VppGreInterface(self,
@@ -1396,7 +1417,7 @@ class TestIpsecGreIfEsp(TemplateIpsec, IpsecTun4Tests): """ Ipsec GRE ESP - TUN tests """ tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] encryption_type = ESP def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
@@ -1499,7 +1520,7 @@ class TestIpsecGreIfEspTra(TemplateIpsec, IpsecTun4Tests): """ Ipsec GRE ESP - TRA tests """ tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] encryption_type = ESP def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
@@ -1605,7 +1626,7 @@ class TestIpsecGreIfEspTra(TemplateIpsec, dst=self.pg1.remote_ip6) self.send_and_assert_no_replies(self.tun_if, tx) node_name = ('/err/%s/unsupported payload' % - self.tun4_decrypt_node_name) + self.tun4_decrypt_node_name[0]) self.assertEqual(1, self.statistics.get_err_counter(node_name))
@@ -1613,7 +1634,7 @@ class TestIpsecGre6IfEspTra(TemplateIpsec, IpsecTun6Tests): """ Ipsec GRE ESP - TRA tests """ tun6_encrypt_node_name = "esp6-encrypt-tun" - tun6_decrypt_node_name = "esp6-decrypt-tun" + tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] encryption_type = ESP def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1,
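Review bot: The swapped literals `udp_src=4545, udp_dst=5454` on the inbound SA in `TestIpsecGreTebUdpIfEspTra` carry no explanation, and the hunk does not show where the matching outbound SA or `p.nat_header` gets its ports. If the inbound SA's ports are now compared against received NAT-T traffic (the swap suggests so, but the diff does not show it), a wrong pair surfaces only as dropped packets. I would add `# inbound SA: ports as seen on packets from the peer (outbound pair swapped)` above the two lines, or derive both values from the header the test already configures. The enclosing call starts before the hunk.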
@@ -1711,7 +1732,7 @@ class TestIpsecGre6IfEspTra(TemplateIpsec, class TestIpsecMGreIfEspTra4(TemplateIpsec, IpsecTun4): """ Ipsec mGRE ESP v4 TRA tests """ tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] encryption_type = ESP def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
@@ -1843,7 +1864,7 @@ class TestIpsecMGreIfEspTra4(TemplateIpsec, IpsecTun4): class TestIpsecMGreIfEspTra6(TemplateIpsec, IpsecTun6): """ Ipsec mGRE ESP v6 TRA tests """ tun6_encrypt_node_name = "esp6-encrypt-tun" - tun6_decrypt_node_name = "esp6-decrypt-tun" + tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] encryption_type = ESP def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1,
@@ -1997,17 +2018,13 @@ class TestIpsec4TunProtect(TemplateIpsec, self.config_protect(p) self.verify_tun_44(p, count=127) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 127) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 127) + self.assertEqual(p.tun_if.get_rx_stats(), 127) + self.assertEqual(p.tun_if.get_tx_stats(), 127) self.vapi.cli("clear ipsec sa") self.verify_tun_64(p, count=127) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 254) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 254) + self.assertEqual(p.tun_if.get_rx_stats(), 254) + self.assertEqual(p.tun_if.get_tx_stats(), 254) # rekey - create new SAs and update the tunnel protection np = copy.copy(p)
@@ -2024,10 +2041,8 @@ class TestIpsec4TunProtect(TemplateIpsec, self.unconfig_sa(p) self.verify_tun_44(np, count=127) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 381) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 381) + self.assertEqual(p.tun_if.get_rx_stats(), 381) + self.assertEqual(p.tun_if.get_tx_stats(), 381) # teardown self.unconfig_protect(np)
@@ -2074,10 +2089,8 @@ class TestIpsec4TunProtectUdp(TemplateIpsec, p = self.ipv4_params self.verify_tun_44(p, count=127) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 127) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 127) + self.assertEqual(p.tun_if.get_rx_stats(), 127) + self.assertEqual(p.tun_if.get_tx_stats(), 127) def test_keepalive(self): """ IPSEC NAT Keepalive """
@@ -2092,7 +2105,7 @@ class TestIpsec4TunProtectTun(TemplateIpsec, encryption_type = ESP tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] def setUp(self): super(TestIpsec4TunProtectTun, self).setUp()
@@ -2168,10 +2181,8 @@ class TestIpsec4TunProtectTun(TemplateIpsec, self.verify_tun_44(p, count=127) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 127) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 127) + self.assertEqual(p.tun_if.get_rx_stats(), 127) + self.assertEqual(p.tun_if.get_tx_stats(), 127) # rekey - create new SAs and update the tunnel protection np = copy.copy(p)
@@ -2188,10 +2199,8 @@ class TestIpsec4TunProtectTun(TemplateIpsec, self.unconfig_sa(p) self.verify_tun_44(np, count=127) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 254) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 254) + self.assertEqual(p.tun_if.get_rx_stats(), 254) + self.assertEqual(p.tun_if.get_tx_stats(), 254) # teardown self.unconfig_protect(np)
@@ -2206,7 +2215,7 @@ class TestIpsec4TunProtectTunDrop(TemplateIpsec, encryption_type = ESP tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] def setUp(self): super(TestIpsec4TunProtectTunDrop, self).setUp()
@@ -2255,7 +2264,7 @@ class TestIpsec6TunProtect(TemplateIpsec, encryption_type = ESP tun6_encrypt_node_name = "esp6-encrypt-tun" - tun6_decrypt_node_name = "esp6-decrypt-tun" + tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] def setUp(self): super(TestIpsec6TunProtect, self).setUp()
@@ -2275,10 +2284,8 @@ class TestIpsec6TunProtect(TemplateIpsec, self.config_protect(p) self.verify_tun_66(p, count=127) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 127) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 127) + self.assertEqual(p.tun_if.get_rx_stats(), 127) + self.assertEqual(p.tun_if.get_tx_stats(), 127) # rekey - create new SAs and update the tunnel protection np = copy.copy(p)
@@ -2295,10 +2302,8 @@ class TestIpsec6TunProtect(TemplateIpsec, self.unconfig_sa(p) self.verify_tun_66(np, count=127) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 254) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 254) + self.assertEqual(p.tun_if.get_rx_stats(), 254) + self.assertEqual(p.tun_if.get_tx_stats(), 254) # bounce the interface state p.tun_if.admin_down()
@@ -2340,12 +2345,10 @@ class TestIpsec6TunProtect(TemplateIpsec, p.tun_protect.update_vpp_config(np3.tun_sa_out, [np3.tun_sa_in]) self.verify_tun_66(np3, np3, count=127) - self.verify_drop_tun_66(np, count=127) + self.verify_drop_tun_rx_66(np, count=127) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 127*9) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 127*8) + self.assertEqual(p.tun_if.get_rx_stats(), 127*9) + self.assertEqual(p.tun_if.get_tx_stats(), 127*8) self.unconfig_sa(np) # teardown
@@ -2363,10 +2366,8 @@ class TestIpsec6TunProtect(TemplateIpsec, self.config_protect(p) self.verify_tun_46(p, count=127) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 127) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 127) + self.assertEqual(p.tun_if.get_rx_stats(), 127) + self.assertEqual(p.tun_if.get_tx_stats(), 127) # teardown self.unconfig_protect(p)
@@ -2382,7 +2383,7 @@ class TestIpsec6TunProtectTun(TemplateIpsec, encryption_type = ESP tun6_encrypt_node_name = "esp6-encrypt-tun" - tun6_decrypt_node_name = "esp6-decrypt-tun" + tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] def setUp(self): super(TestIpsec6TunProtectTun, self).setUp()
@@ -2447,10 +2448,8 @@ class TestIpsec6TunProtectTun(TemplateIpsec, self.verify_tun_66(p, count=127) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 127) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 127) + self.assertEqual(p.tun_if.get_rx_stats(), 127) + self.assertEqual(p.tun_if.get_tx_stats(), 127) # rekey - create new SAs and update the tunnel protection np = copy.copy(p)
@@ -2467,10 +2466,8 @@ class TestIpsec6TunProtectTun(TemplateIpsec, self.unconfig_sa(p) self.verify_tun_66(np, count=127) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 254) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 254) + self.assertEqual(p.tun_if.get_rx_stats(), 254) + self.assertEqual(p.tun_if.get_tx_stats(), 254) # teardown self.unconfig_protect(np)
@@ -2485,7 +2482,7 @@ class TestIpsec6TunProtectTunDrop(TemplateIpsec, encryption_type = ESP tun6_encrypt_node_name = "esp6-encrypt-tun" - tun6_decrypt_node_name = "esp6-decrypt-tun" + tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] def setUp(self): super(TestIpsec6TunProtectTunDrop, self).setUp()
@@ -2532,7 +2529,7 @@ class TemplateIpsecItf4(object): encryption_type = ESP tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] tun4_input_node = "ipsec4-tun-input" def config_sa_tun(self, p, src, dst):
@@ -2624,35 +2621,33 @@ class TestIpsecItf4(TemplateIpsec, p = self.ipv4_params self.config_network(p) + config_tun_params(p, self.encryption_type, None, + self.pg0.local_ip4, + self.pg0.remote_ip4) + self.verify_tun_dropped_44(p, count=n_pkts) self.config_sa_tun(p, self.pg0.local_ip4, self.pg0.remote_ip4) self.config_protect(p) self.verify_tun_44(p, count=n_pkts) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], n_pkts) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], n_pkts) + self.assertEqual(p.tun_if.get_rx_stats(), n_pkts) + self.assertEqual(p.tun_if.get_tx_stats(), n_pkts) p.tun_if.admin_down() self.verify_tun_dropped_44(p, count=n_pkts) p.tun_if.admin_up() self.verify_tun_44(p, count=n_pkts) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 3*n_pkts) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 2*n_pkts) + self.assertEqual(p.tun_if.get_rx_stats(), 3*n_pkts) + self.assertEqual(p.tun_if.get_tx_stats(), 2*n_pkts) # it's a v6 packet when its encrypted self.tun4_encrypt_node_name = "esp6-encrypt-tun" self.verify_tun_64(p, count=n_pkts) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 4*n_pkts) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 3*n_pkts) + self.assertEqual(p.tun_if.get_rx_stats(), 4*n_pkts) + self.assertEqual(p.tun_if.get_tx_stats(), 3*n_pkts) self.tun4_encrypt_node_name = "esp4-encrypt-tun"
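Review bot: The new `config_tun_params(p, self.encryption_type, None, ...)` call in `TestIpsecItf4` (hunk `@@ -2624,35 +2621,33 @@`) passes `None` for `tun_if` and runs before `config_sa_tun`, with no comment on why. Presumably it builds the scapy-side SAs so that `verify_tun_dropped_44` sends real ESP before VPP has any SA configured; the visible part of `config_tun_params` only shows `src`/`dst` being assigned, so whether `tun_if=None` is safe on every path cannot be confirmed from these hunks. A comment such as `# scapy SAs only; VPP has no SA yet, so ESP must be dropped` would record the intent. The same call is added for IPv6 in `TestIpsecItf6` (hunk `@@ -2936,35 +2928,33 @@`), and both test methods start before and continue past their hunks.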
@@ -2675,10 +2670,8 @@ class TestIpsecItf4(TemplateIpsec, self.unconfig_sa(p) self.verify_tun_44(np, count=n_pkts) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], n_pkts) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], n_pkts) + self.assertEqual(p.tun_if.get_rx_stats(), n_pkts) + self.assertEqual(p.tun_if.get_tx_stats(), n_pkts) # teardown self.unconfig_protect(np)
@@ -2704,6 +2697,7 @@ class TestIpsecItf4(TemplateIpsec, self.pg0.remote_ip4) self.config_protect(p) + self.logger.info(self.vapi.cli("sh ipsec sa")) self.verify_tun_44(p, count=n_pkts) # teardown
@@ -2735,10 +2729,8 @@ class TestIpsecItf4(TemplateIpsec, policer.apply_vpp_config(p.tun_if.sw_if_index, True) self.verify_tun_44(p, count=n_pkts) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], n_pkts) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], n_pkts) + self.assertEqual(p.tun_if.get_rx_stats(), n_pkts) + self.assertEqual(p.tun_if.get_tx_stats(), n_pkts) stats = policer.get_stats()
@@ -2843,7 +2835,7 @@ class TemplateIpsecItf6(object): encryption_type = ESP tun6_encrypt_node_name = "esp6-encrypt-tun" - tun6_decrypt_node_name = "esp6-decrypt-tun" + tun6_decrypt_node_name = ["esp6-decrypt-tun", "esp6-decrypt-tun-post"] tun6_input_node = "ipsec6-tun-input" def config_sa_tun(self, p, src, dst):
@@ -2924,7 +2916,7 @@ class TestIpsecItf6(TemplateIpsec, def tearDown(self): super(TestIpsecItf6, self).tearDown() - def test_tun_44(self): + def test_tun_66(self): """IPSEC interface IPv6""" tf = VppEnum.vl_api_tunnel_encap_decap_flags_t
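Review bot: `self.logger.info(self.vapi.cli("sh ipsec sa"))` in hunk `@@ -2704,6 +2697,7 @@` of `TestIpsecItf4` reads like a leftover debugging aid: it is added to one test only and nothing asserts on the output. SA dumps can carry keying detail depending on the CLI's verbosity (not verifiable from this diff), and test logs tend to be archived by CI, so the pattern is worth keeping out of code that others will copy. Either drop the line or lower it to debug level with a short comment, e.g. `self.logger.debug(self.vapi.cli("sh ipsec sa"))  # SA state before traffic`. The test method starts before and continues past the hunk.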
@@ -2936,35 +2928,33 @@ class TestIpsecItf6(TemplateIpsec, p.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_HOP_LIMIT self.config_network(p) + config_tun_params(p, self.encryption_type, None, + self.pg0.local_ip6, + self.pg0.remote_ip6) + self.verify_drop_tun_66(p, count=n_pkts) self.config_sa_tun(p, self.pg0.local_ip6, self.pg0.remote_ip6) self.config_protect(p) self.verify_tun_66(p, count=n_pkts) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], n_pkts) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], n_pkts) + self.assertEqual(p.tun_if.get_rx_stats(), n_pkts) + self.assertEqual(p.tun_if.get_tx_stats(), n_pkts) p.tun_if.admin_down() self.verify_drop_tun_66(p, count=n_pkts) p.tun_if.admin_up() self.verify_tun_66(p, count=n_pkts) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 3*n_pkts) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 2*n_pkts) + self.assertEqual(p.tun_if.get_rx_stats(), 3*n_pkts) + self.assertEqual(p.tun_if.get_tx_stats(), 2*n_pkts) # it's a v4 packet when its encrypted self.tun6_encrypt_node_name = "esp4-encrypt-tun" self.verify_tun_46(p, count=n_pkts) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], 4*n_pkts) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], 3*n_pkts) + self.assertEqual(p.tun_if.get_rx_stats(), 4*n_pkts) + self.assertEqual(p.tun_if.get_tx_stats(), 3*n_pkts) self.tun6_encrypt_node_name = "esp6-encrypt-tun"
@@ -2993,10 +2983,8 @@ class TestIpsecItf6(TemplateIpsec, self.unconfig_sa(p) self.verify_tun_66(np, count=n_pkts) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], n_pkts) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], n_pkts) + self.assertEqual(p.tun_if.get_rx_stats(), n_pkts) + self.assertEqual(p.tun_if.get_tx_stats(), n_pkts) # teardown self.unconfig_protect(np)
@@ -3032,10 +3020,8 @@ class TestIpsecItf6(TemplateIpsec, policer.apply_vpp_config(p.tun_if.sw_if_index, True) self.verify_tun_66(p, count=n_pkts) - c = p.tun_if.get_rx_stats() - self.assertEqual(c['packets'], n_pkts) - c = p.tun_if.get_tx_stats() - self.assertEqual(c['packets'], n_pkts) + self.assertEqual(p.tun_if.get_rx_stats(), n_pkts) + self.assertEqual(p.tun_if.get_tx_stats(), n_pkts) stats = policer.get_stats()
@@ -3062,7 +3048,7 @@ class TestIpsecItf6(TemplateIpsec, class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4): """ Ipsec P2MP ESP v4 tests """ tun4_encrypt_node_name = "esp4-encrypt-tun" - tun4_decrypt_node_name = "esp4-decrypt-tun" + tun4_decrypt_node_name = ["esp4-decrypt-tun", "esp4-decrypt-tun-post"] encryption_type = ESP def gen_encrypt_pkts(self, p, sa, sw_intf, src, dst, count=1,
@@ -3125,6 +3111,15 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4): self.pg0.generate_remote_hosts(N_NHS) self.pg0.configure_ipv4_neighbors() + r_all = AclRule(True, + src_prefix="0.0.0.0/0", + dst_prefix="0.0.0.0/0", + proto=0) + a = VppAcl(self, [r_all]).add_vpp_config() + + VppAclInterface(self, self.pg0.sw_if_index, [a]).add_vpp_config() + VppAclInterface(self, p.tun_if.sw_if_index, [a]).add_vpp_config() + # setup some SAs for several next-hops on the interface self.multi_params = []
@@ -3176,9 +3171,10 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4): self.pg0.remote_hosts[ii].ip4) self.multi_params.append(p) - VppIpRoute(self, p.remote_tun_if_host, 32, - [VppRoutePath(p.tun_if.remote_hosts[ii].ip4, - p.tun_if.sw_if_index)]).add_vpp_config() + p.via_tun_route = VppIpRoute( + self, p.remote_tun_if_host, 32, + [VppRoutePath(p.tun_if.remote_hosts[ii].ip4, + p.tun_if.sw_if_index)]).add_vpp_config() p.tun_dst = self.pg0.remote_hosts[ii].ip4
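Review bot: The permit-all ACL added to the `TestIpsecMIfEsp4` setup (hunk `@@ -3125,6 +3111,15 @@`) uses `AclRule`, `VppAcl` and `VppAclInterface`, but the only import change in this diff adds `bind_layers`; confirm the three names are already imported in the file. Nothing explains why a permit-all rule is bound to both `pg0` and the tunnel interface, and `AclRule(True, ...)` hides what the positional flag means. If the intent is to run the ESP path with the ACL feature enabled, a comment such as `# permit-all ACL: exercise ESP with the ACL feature enabled on underlay and tunnel` above `r_all` would say so. The method starts before and continues past the hunk.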
@@ -3193,6 +3189,21 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4): for p in self.multi_params: self.verify_tun_44(p, count=N_PKTS) + # remove one tunnel protect, the rest should still work + self.multi_params[0].tun_protect.remove_vpp_config() + self.verify_tun_dropped_44(self.multi_params[0], count=N_PKTS) + self.multi_params[0].via_tun_route.remove_vpp_config() + self.verify_tun_dropped_44(self.multi_params[0], count=N_PKTS) + + for p in self.multi_params[1:]: + self.verify_tun_44(p, count=N_PKTS) + + self.multi_params[0].tun_protect.add_vpp_config() + self.multi_params[0].via_tun_route.add_vpp_config() + + for p in self.multi_params: + self.verify_tun_44(p, count=N_PKTS) + class TestIpsecItf6MPLS(TemplateIpsec, TemplateIpsecItf6,
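Review bot: In the block added by this hunk, the second `verify_tun_dropped_44(self.multi_params[0], count=N_PKTS)` runs after the protection has already been removed, so it passes whether or not removing `via_tun_route` had any effect. If the point is that an unprotected peer's traffic is dropped both with and without the route, a comment such as `# still dropped once the route is gone too` would state it; otherwise the route removal is not really tested. The protection and route are re-added only on the success path, so a failed assertion leaves the shared configuration modified for whatever cleanup follows outside the hunk. The test method starts before the hunk.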