b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL];
b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP4_NO_SUCH_TUNNEL];
}
- return IPSEC_INPUT_NEXT_PUNT;
+ return VNET_DEVICE_INPUT_NEXT_PUNT;
}
always_inline u16
b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL];
b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP6_NO_SUCH_TUNNEL];
- return (IPSEC_INPUT_NEXT_PUNT);
+ return VNET_DEVICE_INPUT_NEXT_PUNT;
}
always_inline uword
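Review bot: Both no-tunnel helpers set `b->punt_reason` and then return `VNET_DEVICE_INPUT_NEXT_PUNT`, but nothing visible here guarantees that this next index resolves to a node that reads the punt reason. The registration this commit removes wired the punt slot to `"punt-dispatch"` explicitly; with `.sibling_of = "device-input"` that mapping now lives in device-input's next table, which is outside this page. I would confirm that table entry and add a comment above each return, e.g. `/* next must be punt-dispatch: it consumes b->punt_reason set above */`. The same applies to the IPv4 helper just before this one; both function bodies start outside the hunk.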
b = bufs;
next = nexts;
- clib_memset_u16 (nexts, im->esp4_decrypt_next_index, n_left_from);
+ clib_memset_u16 (
+ nexts, is_ip6 ? im->esp6_decrypt_next_index : im->esp4_decrypt_next_index,
+ n_left_from);
u64 n_bytes = 0, n_packets = 0;
u32 n_disabled = 0, n_no_tunnel = 0;
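Review bot: The default fill of `nexts` uses `esp6_decrypt_next_index` / `esp4_decrypt_next_index`, while the per-packet assignment further down uses the `_tun_` variants. Those look like next indices registered against different nodes, so a packet that kept the default would be dispatched with an index that may not be valid in this node's next table, which is now shared with device-input. If every path overwrites `next[0]` the fill is only a placeholder and should say so in a comment; otherwise it should use the tunnel indices: `nexts, is_ip6 ? im->esp6_decrypt_tun_next_index : im->esp4_decrypt_tun_next_index,`. The loop body continues outside the hunk, so I cannot tell which case holds.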
b[0]->error =
node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_TOO_SHORT];
- next[0] = IPSEC_INPUT_NEXT_DROP;
+ next[0] = is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP :
+ VNET_DEVICE_INPUT_NEXT_IP4_DROP;
goto trace00;
}
(drop_counter, thread_index, sw_if_index0, 1, len0);
n_disabled++;
b[0]->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_DISABLED];
- next[0] = IPSEC_INPUT_NEXT_DROP;
+ next[0] = is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP :
+ VNET_DEVICE_INPUT_NEXT_IP4_DROP;
goto trace00;
}
else
}
//IPSEC_TUN_PROTECT_NEXT_DECRYPT;
- next[0] = im->esp4_decrypt_tun_next_index;
+ next[0] = is_ip6 ? im->esp6_decrypt_tun_next_index :
+ im->esp4_decrypt_tun_next_index;
+
+ if (itr0.flags & IPSEC_PROTECT_FEAT)
+ {
+ u32 next32;
+ u8 arc = feature_main.device_input_feature_arc_index;
+
+ next32 = next[0];
+ vnet_feature_arc_start (arc, sw_if_index0, &next32, b[0]);
+ next[0] = next32;
+ }
}
trace00:
if (PREDICT_FALSE (is_trace))
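Review bot: The feature arc is started before the packet reaches the ESP decrypt node, so any device-input feature enabled on the tunnel interface (the tests use a policer) acts on the still-encrypted packet, whose integrity has not been checked yet. That deserves a comment, because packets that match the tunnel lookup but would later fail authentication can still consume policer budget: `/* features see the outer ESP packet, before authentication and decrypt */`. Separately, `feature_main.device_input_feature_arc_index` is loop-invariant and can be read once before the packet loop rather than per packet. How the packet gets back to the decrypt node at the end of the arc is not visible in this hunk and should be confirmed.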
.vector_size = sizeof (u32),
.format_trace = format_ipsec_tun_protect_input_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(ipsec_tun_protect_input_error_strings),
+ .n_errors = ARRAY_LEN (ipsec_tun_protect_input_error_strings),
.error_strings = ipsec_tun_protect_input_error_strings,
- .n_next_nodes = IPSEC_TUN_PROTECT_N_NEXT,
- .next_nodes = {
- [IPSEC_TUN_PROTECT_NEXT_DROP] = "ip4-drop",
- [IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch",
- }
+ .sibling_of = "device-input",
};
/* *INDENT-ON* */
.vector_size = sizeof (u32),
.format_trace = format_ipsec_tun_protect_input_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(ipsec_tun_protect_input_error_strings),
+ .n_errors = ARRAY_LEN (ipsec_tun_protect_input_error_strings),
.error_strings = ipsec_tun_protect_input_error_strings,
- .n_next_nodes = IPSEC_TUN_PROTECT_N_NEXT,
- .next_nodes = {
- [IPSEC_TUN_PROTECT_NEXT_DROP] = "ip6-drop",
- [IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch",
- }
+ .sibling_of = "device-input",
};
/* *INDENT-ON* */
from vpp_papi import VppEnum
from vpp_papi_provider import CliFailedCommandError
from vpp_acl import AclRule, VppAcl, VppAclInterface
+from vpp_policer import PolicerAction, VppPolicer
def config_tun_params(p, encryption_type, tun_if, src=None, dst=None):
tun6_encrypt_node_name = "esp6-encrypt-tun"
tun6_decrypt_node_name = "esp6-decrypt-tun"
+ def test_tun_handoff_66_police(self):
+ """ ESP 6o6 tunnel with policer worker hand-off test """
+ self.vapi.cli("clear errors")
+ self.vapi.cli("clear ipsec sa")
+
+ N_PKTS = 15
+ p = self.params[socket.AF_INET6]
+
+ action_tx = PolicerAction(
+ VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT,
+ 0)
+ policer = VppPolicer(self, "pol1", 80, 0, 1000, 0,
+ conform_action=action_tx,
+ exceed_action=action_tx,
+ violate_action=action_tx)
+ policer.add_vpp_config()
+
+ # Start policing on tun
+ policer.apply_vpp_config(p.tun_if.sw_if_index, True)
+
+ for pol_bind in [1, 0]:
+ policer.bind_vpp_config(pol_bind, True)
+
+ # inject alternately on worker 0 and 1.
+ for worker in [0, 1, 0, 1]:
+ send_pkts = self.gen_encrypt_pkts6(p, p.scapy_tun_sa,
+ self.tun_if,
+ src=p.remote_tun_if_host,
+ dst=self.pg1.remote_ip6,
+ count=N_PKTS)
+ recv_pkts = self.send_and_expect(self.tun_if, send_pkts,
+ self.pg1, worker=worker)
+ self.verify_decrypted6(p, recv_pkts)
+ self.logger.debug(self.vapi.cli("show trace max 100"))
+
+ stats = policer.get_stats()
+ stats0 = policer.get_stats(worker=0)
+ stats1 = policer.get_stats(worker=1)
+
+ if pol_bind is 1:
+ # First pass: Worker 1, should have done all the policing
+ self.assertEqual(stats, stats1)
+
+ # Worker 0, should have handed everything off
+ self.assertEqual(stats0['conform_packets'], 0)
+ self.assertEqual(stats0['exceed_packets'], 0)
+ self.assertEqual(stats0['violate_packets'], 0)
+ else:
+ # Second pass: both workers should have policed equal amounts
+ self.assertGreater(stats1['conform_packets'], 0)
+ self.assertEqual(stats1['exceed_packets'], 0)
+ self.assertGreater(stats1['violate_packets'], 0)
+
+ self.assertGreater(stats0['conform_packets'], 0)
+ self.assertEqual(stats0['exceed_packets'], 0)
+ self.assertGreater(stats0['violate_packets'], 0)
+
+ self.assertEqual(stats0['conform_packets'] +
+ stats0['violate_packets'],
+ stats1['conform_packets'] +
+ stats1['violate_packets'])
+
+ policer.apply_vpp_config(p.tun_if.sw_if_index, False)
+ policer.remove_vpp_config()
+
class TestIpsec4TunIfEspHandoff(TemplateIpsec4TunIfEsp,
IpsecTun4HandoffTests):
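Review bot: `if pol_bind is 1:` compares identity, not value; it only works because CPython caches small integers, and Python 3.8+ emits a SyntaxWarning for it. Use `if pol_bind == 1:` here and in `test_tun_handoff_44_police`. Also, the teardown at the end (`policer.apply_vpp_config(..., False)` and `policer.remove_vpp_config()`) runs only when every assertion passes. A failure may therefore leave policer "pol1" applied to the tunnel for later tests, unless the framework's object registry removes it; registering the teardown with `self.addCleanup(...)` right after `add_vpp_config()` would make that explicit. The teardown point also applies to `test_tun_44_police` and `test_tun_66_police`.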
tun4_encrypt_node_name = "esp4-encrypt-tun"
tun4_decrypt_node_name = "esp4-decrypt-tun"
+ def test_tun_handoff_44_police(self):
+ """ ESP 4o4 tunnel with policer worker hand-off test """
+ self.vapi.cli("clear errors")
+ self.vapi.cli("clear ipsec sa")
+
+ N_PKTS = 15
+ p = self.params[socket.AF_INET]
+
+ action_tx = PolicerAction(
+ VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT,
+ 0)
+ policer = VppPolicer(self, "pol1", 80, 0, 1000, 0,
+ conform_action=action_tx,
+ exceed_action=action_tx,
+ violate_action=action_tx)
+ policer.add_vpp_config()
+
+ # Start policing on tun
+ policer.apply_vpp_config(p.tun_if.sw_if_index, True)
+
+ for pol_bind in [1, 0]:
+ policer.bind_vpp_config(pol_bind, True)
+
+ # inject alternately on worker 0 and 1.
+ for worker in [0, 1, 0, 1]:
+ send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa,
+ self.tun_if,
+ src=p.remote_tun_if_host,
+ dst=self.pg1.remote_ip4,
+ count=N_PKTS)
+ recv_pkts = self.send_and_expect(self.tun_if, send_pkts,
+ self.pg1, worker=worker)
+ self.verify_decrypted(p, recv_pkts)
+ self.logger.debug(self.vapi.cli("show trace max 100"))
+
+ stats = policer.get_stats()
+ stats0 = policer.get_stats(worker=0)
+ stats1 = policer.get_stats(worker=1)
+
+ if pol_bind is 1:
+ # First pass: Worker 1, should have done all the policing
+ self.assertEqual(stats, stats1)
+
+ # Worker 0, should have handed everything off
+ self.assertEqual(stats0['conform_packets'], 0)
+ self.assertEqual(stats0['exceed_packets'], 0)
+ self.assertEqual(stats0['violate_packets'], 0)
+ else:
+ # Second pass: both workers should have policed equal amounts
+ self.assertGreater(stats1['conform_packets'], 0)
+ self.assertEqual(stats1['exceed_packets'], 0)
+ self.assertGreater(stats1['violate_packets'], 0)
+
+ self.assertGreater(stats0['conform_packets'], 0)
+ self.assertEqual(stats0['exceed_packets'], 0)
+ self.assertGreater(stats0['violate_packets'], 0)
+
+ self.assertEqual(stats0['conform_packets'] +
+ stats0['violate_packets'],
+ stats1['conform_packets'] +
+ stats1['violate_packets'])
+
+ policer.apply_vpp_config(p.tun_if.sw_if_index, False)
+ policer.remove_vpp_config()
+
@tag_fixme_vpp_workers
class TestIpsec4MultiTunIfEsp(TemplateIpsec4TunProtect,
self.unconfig_sa(p)
self.unconfig_network(p)
+ def test_tun_44_police(self):
+ """IPSEC interface IPv4 with input policer"""
+ n_pkts = 127
+ p = self.ipv4_params
+
+ self.config_network(p)
+ self.config_sa_tun(p,
+ self.pg0.local_ip4,
+ self.pg0.remote_ip4)
+ self.config_protect(p)
+
+ action_tx = PolicerAction(
+ VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT,
+ 0)
+ policer = VppPolicer(self, "pol1", 80, 0, 1000, 0,
+ conform_action=action_tx,
+ exceed_action=action_tx,
+ violate_action=action_tx)
+ policer.add_vpp_config()
+
+ # Start policing on tun
+ policer.apply_vpp_config(p.tun_if.sw_if_index, True)
+
+ self.verify_tun_44(p, count=n_pkts)
+ c = p.tun_if.get_rx_stats()
+ self.assertEqual(c['packets'], n_pkts)
+ c = p.tun_if.get_tx_stats()
+ self.assertEqual(c['packets'], n_pkts)
+
+ stats = policer.get_stats()
+
+ # Single rate, 2 colour policer - expect conform, violate but no exceed
+ self.assertGreater(stats['conform_packets'], 0)
+ self.assertEqual(stats['exceed_packets'], 0)
+ self.assertGreater(stats['violate_packets'], 0)
+
+ # Stop policing on tun
+ policer.apply_vpp_config(p.tun_if.sw_if_index, False)
+ self.verify_tun_44(p, count=n_pkts)
+
+ # No new policer stats
+ statsnew = policer.get_stats()
+ self.assertEqual(stats, statsnew)
+
+ # teardown
+ policer.remove_vpp_config()
+ self.unconfig_protect(p)
+ self.unconfig_sa(p)
+ self.unconfig_network(p)
+
class TestIpsecItf4MPLS(TemplateIpsec,
TemplateIpsecItf4,
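Review bot: The policer arguments `80, 0, 1000, 0` are passed positionally with no explanation, yet the expectation below (conform and violate non-zero, exceed zero) depends entirely on them and on `n_pkts = 127`. A one-line comment naming each value and stating why this packet count overruns the burst would let a reader check the assertion, e.g. `# rate/burst chosen so n_pkts overruns the committed burst` (wording to be confirmed against VppPolicer's signature). The same constructor call is repeated in `test_tun_66_police` and in both hand-off tests; a shared helper would keep the four copies from drifting.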
self.unconfig_sa(np)
self.unconfig_network(p)
+ def test_tun_66_police(self):
+ """IPSEC interface IPv6 with input policer"""
+ tf = VppEnum.vl_api_tunnel_encap_decap_flags_t
+ n_pkts = 127
+ p = self.ipv6_params
+ p.inner_hop_limit = 24
+ p.outer_hop_limit = 23
+ p.outer_flow_label = 243224
+ p.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_HOP_LIMIT
+
+ self.config_network(p)
+ self.config_sa_tun(p,
+ self.pg0.local_ip6,
+ self.pg0.remote_ip6)
+ self.config_protect(p)
+
+ action_tx = PolicerAction(
+ VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT,
+ 0)
+ policer = VppPolicer(self, "pol1", 80, 0, 1000, 0,
+ conform_action=action_tx,
+ exceed_action=action_tx,
+ violate_action=action_tx)
+ policer.add_vpp_config()
+
+ # Start policing on tun
+ policer.apply_vpp_config(p.tun_if.sw_if_index, True)
+
+ self.verify_tun_66(p, count=n_pkts)
+ c = p.tun_if.get_rx_stats()
+ self.assertEqual(c['packets'], n_pkts)
+ c = p.tun_if.get_tx_stats()
+ self.assertEqual(c['packets'], n_pkts)
+
+ stats = policer.get_stats()
+
+ # Single rate, 2 colour policer - expect conform, violate but no exceed
+ self.assertGreater(stats['conform_packets'], 0)
+ self.assertEqual(stats['exceed_packets'], 0)
+ self.assertGreater(stats['violate_packets'], 0)
+
+ # Stop policing on tun
+ policer.apply_vpp_config(p.tun_if.sw_if_index, False)
+ self.verify_tun_66(p, count=n_pkts)
+
+ # No new policer stats
+ statsnew = policer.get_stats()
+ self.assertEqual(stats, statsnew)
+
+ # teardown
+ policer.remove_vpp_config()
+ self.unconfig_protect(p)
+ self.unconfig_sa(p)
+ self.unconfig_network(p)
+
class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
""" Ipsec P2MP ESP v4 tests """