}
always_inline void
-ipsec_fp_in_5tuple_from_ip4_range (ipsec_fp_5tuple_t *tuple, u32 la, u32 ra,
+ipsec_fp_in_5tuple_from_ip4_range (ipsec_fp_5tuple_t *tuple, u32 sa, u32 da,
u32 spi, u8 action)
{
clib_memset (tuple->l3_zero_pad, 0, sizeof (tuple->l3_zero_pad));
- tuple->laddr.as_u32 = la;
- tuple->raddr.as_u32 = ra;
+ tuple->laddr.as_u32 = da;
+ tuple->raddr.as_u32 = sa;
tuple->spi = spi;
tuple->action = action;
tuple->is_ipv6 = 0;
}
always_inline void
-ipsec_fp_in_5tuple_from_ip6_range (ipsec_fp_5tuple_t *tuple, ip6_address_t *la,
- ip6_address_t *ra, u32 spi, u8 action)
+ipsec_fp_in_5tuple_from_ip6_range (ipsec_fp_5tuple_t *tuple, ip6_address_t *sa,
+ ip6_address_t *da, u32 spi, u8 action)
{
- clib_memcpy (&tuple->ip6_laddr, la, sizeof (ip6_address_t));
- clib_memcpy (&tuple->ip6_raddr, ra, sizeof (ip6_address_t));
+ clib_memcpy (&tuple->ip6_laddr, da, sizeof (ip6_address_t));
+ clib_memcpy (&tuple->ip6_raddr, sa, sizeof (ip6_address_t));
tuple->spi = spi;
tuple->action = action;
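Review bot: The inbound convention encoded by the crosswise assignments at lines 10-11 and 24-25 (the policy's laddr takes the packet's destination, raddr its source) is not documented anywhere in the hunk, so the next caller has to infer it from the parameter rename alone; add above each function `/* Inbound lookup: the policy's local address is the packet's destination (da), its remote address the packet's source (sa). */`. The ip6 variant reads `sa` and `da` only through clib_memcpy, so `const ip6_address_t *sa, const ip6_address_t *da` would state that and still accept every existing caller. ipsec_fp_in_5tuple_from_ip6_range continues past the end of the hunk.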
# create input rules
# bypass rule should take precedence over discard rule,
- # even though it's lower priority
+ # even though it's lower priority, because for input policies
+ # matching PROTECT policies precedes matching BYPASS policies
+ # which preceeds matching for DISCARD policies.
+ # Any hit stops the process.
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
self.pg1,
priority=10,
policy_type="bypass",
ip_range=True,
- local_ip_start=self.pg0.remote_ip4,
- local_ip_stop=self.pg0.remote_ip4,
- remote_ip_start=self.pg1.remote_ip4,
- remote_ip_stop=self.pg1.remote_ip4,
+ local_ip_start=self.pg1.remote_ip4,
+ local_ip_stop=self.pg1.remote_ip4,
+ remote_ip_start=self.pg0.remote_ip4,
+ remote_ip_stop=self.pg0.remote_ip4,
)
policy_1 = self.spd_add_rem_policy( # inbound, priority 15
1,
priority=15,
policy_type="discard",
ip_range=True,
- local_ip_start=self.pg0.remote_ip4,
- local_ip_stop=self.pg0.remote_ip4,
- remote_ip_start=self.pg1.remote_ip4,
- remote_ip_stop=self.pg1.remote_ip4,
+ local_ip_start=self.pg1.remote_ip4,
+ local_ip_stop=self.pg1.remote_ip4,
+ remote_ip_start=self.pg0.remote_ip4,
+ remote_ip_stop=self.pg0.remote_ip4,
)
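Review bot: The comment added at line 33 misspells "precedes" as "preceeds"; the line should read `# which precedes matching for DISCARD policies.`. The rest of the added explanation is worth keeping, since it is the only place that justifies why the lower-priority bypass rule is expected to win over the discard rule in this test.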
# create output rule so we can capture forwarded packets
# even though it's lower priority
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
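Review bot: The heading comment kept at lines 64-65 still says `# create output rule so we can capture forwarded packets` while the call it introduces is annotated `# inbound, priority 10` and passes `is_out=0`; the same mismatch appears at lines 162-169, where `# outbound, priority 10` sits next to `is_out=0`. These comments are context rather than part of this change, but since the hunk already reorders the interface arguments it would be cheap to align them, e.g. `# create inbound rule so we can capture forwarded packets`. The positional `self.pg1` / `self.pg0` swap is presumably the interface-order counterpart of the local/remote address swap; a one-line comment naming which positional argument is the local interface and which the remote would make the reordering checkable without reading spd_add_rem_policy. The enclosing test method starts before the hunk.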
# create output rule so we can capture forwarded packets
policy_1 = self.spd_add_rem_policy( # outbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=1,
priority=10,
p,
p.scapy_tra_sa,
self.tra_if,
- src=self.tra_if.local_ip4,
- dst=self.tra_if.remote_ip4,
+ src=self.tra_if.remote_ip4,
+ dst=self.tra_if.local_ip4,
count=pkt_count,
payload_size=payload_size,
)
priority=10,
policy_type="bypass",
ip_range=True,
- local_ip_start=s_ip_s0,
- local_ip_stop=s_ip_e0,
- remote_ip_start=d_ip_s0,
- remote_ip_stop=d_ip_e0,
+ local_ip_start=d_ip_s0,
+ local_ip_stop=d_ip_e0,
+ remote_ip_start=s_ip_s0,
+ remote_ip_stop=s_ip_e0,
)
policy_1 = self.spd_add_rem_policy( # outbound, priority 5
1,
self.spd_create_and_intf_add(1, [self.pg0, self.pg1])
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
)
policy_1 = self.spd_add_rem_policy( # inbound, priority 5
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
# now remove the bypass rule
self.spd_add_rem_policy( # outbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
self.spd_create_and_intf_add(1, [self.pg0, self.pg1])
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
)
policy_1 = self.spd_add_rem_policy( # inbound, priority 5
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
# remove the bypass rule, leaving only the discard rule
self.spd_add_rem_policy( # inbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
# now readd the bypass rule
policy_0 = self.spd_add_rem_policy( # outbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
# add rules on all interfaces
policy_01 = self.spd_add_rem_policy( # inbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
)
policy_02 = self.spd_add_rem_policy( # inbound, priority 5
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
policy_11 = self.spd_add_rem_policy( # inbound, priority 10
1,
- self.pg1,
self.pg2,
+ self.pg1,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
)
policy_12 = self.spd_add_rem_policy( # inbound, priority 5
1,
- self.pg1,
self.pg2,
+ self.pg1,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
policy_21 = self.spd_add_rem_policy( # inbound, priority 5
1,
- self.pg2,
self.pg0,
+ self.pg2,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
)
policy_22 = self.spd_add_rem_policy( # inbound, priority 10
1,
- self.pg2,
self.pg0,
+ self.pg2,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
p,
p.scapy_tra_sa,
self.tra_if,
- src=self.tra_if.local_ip6,
- dst=self.tra_if.remote_ip6,
+ src=self.tra_if.remote_ip6,
+ dst=self.tra_if.local_ip6,
count=pkt_count,
payload_size=payload_size,
)