From: Eric Kinzie Date: Wed, 14 Oct 2020 00:02:11 +0000 (-0400) Subject: ipsec: fix instance, and cli del for new ipsec interface X-Git-Tag: v21.06-rc0~346 X-Git-Url: https://gerrit.fd.io/r/gitweb?p=vpp.git;a=commitdiff_plain;h=609d579ed27d78e3fd5f430fb9893edda19ba6e4 ipsec: fix instance, and cli del for new ipsec interface - use user instance number in interface name Restore the behavior of previous versions where the IPsec tunnel interface name contained the value of the user-provided instance number. For example, a command similar to create ipsec tunnel local-ip . . . instance 5 would result in the creation of interface "ipsec5". - ipsec: delete tunnel protection when asked The "ipsec tunnel protect" command will parse a "del" argument but does not undo the tunnel protection, leaving the SAs hanging around with reference counts that were incremented by a previous invocation of the command. Allow the tunnel protection to be deleted and also update the help text to indicate that deletion is an option. - test: ipsec: add test for ipsec interface instance Also cleanup (unconfig) after TestIpsecItf4 NULL algo test. Type: fix Fixes: dd4ccf2623b5 ("ipsec: Dedicated IPSec interface type") Signed-off-by: Eric Kinzie Signed-off-by: Christian Hopps Change-Id: Idb59ceafa0633040344473c9942b6536e3d941ce --- diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 937e0f6b2e4..7d265f7e64d 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -997,6 +997,8 @@ ipsec_tun_protect_cmd (vlib_main_t * vm, if (!is_del) ipsec_tun_protect_update (sw_if_index, &peer, sa_out, sa_ins); + else + ipsec_tun_protect_del (sw_if_index, &peer); unformat_free (line_input); return NULL; 
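Review bot: The result of `ipsec_tun_protect_del (sw_if_index, &peer)` in the new `else` branch of ipsec_tun_protect_cmd is not checked, and the command returns NULL (success) either way. If the function reports a status, as I would expect, a delete aimed at the wrong interface or peer looks successful while the SAs keep their references, which is the very state this fix is meant to clear. I would capture it, e.g. `rv = ipsec_tun_protect_del (sw_if_index, &peer);` followed by `if (rv) error = clib_error_return (0, "tunnel protect delete failed: %d", rv);`, and return that after `unformat_free`. The `ipsec_tun_protect_update` call on the line above has the same gap. The function body starts outside this hunk, so `rv` and `error` would need declaring there. A CLI test for the `del` path would also be worth adding, since none of the test hunks exercise it.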
@@ -1010,7 +1012,7 @@ VLIB_CLI_COMMAND (ipsec_tun_protect_cmd_node, static) = { .path = "ipsec tunnel protect", .function = ipsec_tun_protect_cmd, - .short_help = "ipsec tunnel protect input-sa output-sa ", + .short_help = "ipsec tunnel protect input-sa output-sa [add|del]", // this is not MP safe }; /* *INDENT-ON* */ diff --git a/src/vnet/ipsec/ipsec_itf.c b/src/vnet/ipsec/ipsec_itf.c index 756bc19fbef..6724eab73a8 100644 --- a/src/vnet/ipsec/ipsec_itf.c +++ b/src/vnet/ipsec/ipsec_itf.c @@ -294,12 +294,10 @@ ipsec_itf_create (u32 user_instance, tunnel_mode_t mode, u32 * sw_if_indexp) ipsec_itf->ii_mode = mode; ipsec_itf->ii_user_instance = instance; - if (~0 == ipsec_itf->ii_user_instance) - ipsec_itf->ii_user_instance = t_idx; hw_if_index = vnet_register_interface (vnm, ipsec_itf_device_class.index, - t_idx, + ipsec_itf->ii_user_instance, ipsec_hw_interface_class.index, t_idx); diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py index a722ce77bb1..9d01b93114e 100644 --- a/test/test_ipsec_tun_if_esp.py +++ b/test/test_ipsec_tun_if_esp.py @@ -21,6 +21,7 @@ from vpp_sub_interface import L2_VTR_OP, VppDot1QSubint from vpp_teib import VppTeib from util import ppp from vpp_papi import VppEnum +from vpp_papi_provider import CliFailedCommandError from vpp_acl import AclRule, VppAcl, VppAclInterface @@ -2512,8 +2513,8 @@ class TemplateIpsecItf4(object): [p.tun_sa_in]) p.tun_protect.add_vpp_config() - def config_network(self, p): - p.tun_if = VppIpsecInterface(self) + def config_network(self, p, instance=0xffffffff): + p.tun_if = VppIpsecInterface(self, instance=instance) p.tun_if.add_vpp_config() p.tun_if.admin_up() 
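Review bot: In the ipsec_itf.c hunk (ipsec_itf_create), the third argument of `vnet_register_interface` changes from `t_idx` to `ipsec_itf->ii_user_instance`, so the hardware interface's dev_instance is now the user-chosen number rather than the pool index; only the last argument still carries `t_idx`. Any device-class callback or lookup elsewhere in this file that indexes the ipsec_itf pool with dev_instance would then be indexing with a caller-supplied value; none of that is visible here, so please confirm that those paths use hw_instance or the sw_if_index map. A comment at the call would make the split explicit: `/* dev_instance = user-visible instance (names the interface); hw_instance = pool index */`. With the `~0` fallback removed, the code also relies on `instance` never being `~0` at this point, which is established outside the hunk.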
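Review bot: The literal `0xffffffff` is now the default for `instance` in `config_network` (test/test_ipsec_tun_if_esp.py, the @@ -2512 hunk) and again in `VppIpsecInterface.__init__` in the test/vpp_ipsec.py hunk, with nothing saying that it is the "no user instance, let VPP pick" sentinel. A single named constant used in both places, or a short comment such as `# 0xffffffff (~0): no user instance requested, VPP allocates one`, would keep the two defaults from drifting apart. `config_network` has no docstring; one line stating that `instance` selects the N in the resulting "ipsecN" interface name would help the next test author.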
@@ -2555,6 +2556,18 @@ class TestIpsecItf4(TemplateIpsec, def tearDown(self): super(TestIpsecItf4, self).tearDown() + def test_tun_instance_44(self): + p = self.ipv4_params + self.config_network(p, instance=3) + + with self.assertRaises(CliFailedCommandError): + self.vapi.cli("show interface ipsec0") + + output = self.vapi.cli("show interface ipsec3") + self.assertTrue("unknown" not in output) + + self.unconfig_network(p) + def test_tun_44(self): """IPSEC interface IPv4""" @@ -2644,6 +2657,11 @@ class TestIpsecItf4(TemplateIpsec, self.verify_tun_44(p, count=n_pkts) + # teardown + self.unconfig_protect(p) + self.unconfig_sa(p) + self.unconfig_network(p) + class TemplateIpsecItf6(object): """ IPsec Interface IPv6 """ diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py index f012a4a1e84..f9dcdf09f1a 100644 --- a/test/vpp_ipsec.py +++ b/test/vpp_ipsec.py @@ -376,16 +376,17 @@ class VppIpsecInterface(VppInterface): VPP IPSec interface """ - def __init__(self, test, mode=None): + def __init__(self, test, mode=None, instance=0xffffffff): super(VppIpsecInterface, self).__init__(test) # only p2p mode is supported currently self.mode = (VppEnum.vl_api_tunnel_mode_t. TUNNEL_API_MODE_P2P) + self.instance = instance def add_vpp_config(self): r = self.test.vapi.ipsec_itf_create(itf={ - 'user_instance': 0xffffffff, + 'user_instance': self.instance, 'mode': self.mode, }) self.set_sw_if_index(r.sw_if_index)
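Review bot: `self.unconfig_network(p)` at the end of `test_tun_instance_44` runs only if both checks pass, so a failing assertion leaves the ipsec3 interface configured for whatever test runs next. The teardown lines added at the end of the test in the @@ -2644 hunk have the same shape and could be wrapped in the same way. Putting the checks in `try`/`finally` keeps the cleanup unconditional. The new test also lacks the docstring that `test_tun_44` has, and `assertNotIn` reports the offending output on failure where `assertTrue(... not in ...)` does not.

```python
    def test_tun_instance_44(self):
        """IPSEC interface IPv4 with user instance"""
        p = self.ipv4_params
        self.config_network(p, instance=3)
        try:
            with self.assertRaises(CliFailedCommandError):
                self.vapi.cli("show interface ipsec0")

            output = self.vapi.cli("show interface ipsec3")
            self.assertNotIn("unknown", output)
        finally:
            self.unconfig_network(p)
```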