ipsec: support 4o6 and 6o4 for tunnel protect
Type: feature Change-Id: Ib2352ca4c7abf4645f21fa16aaaf27408890a2bf Signed-off-by: Neale Ranns <nranns@cisco.com> (cherry picked from commit b325983a4461dd806e86a31abc47533b09482157)
Neale Ranns
committed by
Andrew Yourtchenko
parent
24f486cb56
commit
2e6d739344
@ -630,6 +630,13 @@ VNET_FEATURE_INIT (esp4_encrypt_tun_feat_node, static) =
|
||||
.runs_before = VNET_FEATURES ("adj-midchain-tx"),
|
||||
};
|
||||
|
||||
VNET_FEATURE_INIT (esp6o4_encrypt_tun_feat_node, static) =
|
||||
{
|
||||
.arc_name = "ip6-output",
|
||||
.node_name = "esp4-encrypt-tun",
|
||||
.runs_before = VNET_FEATURES ("adj-midchain-tx"),
|
||||
};
|
||||
|
||||
VNET_FEATURE_INIT (esp4_ethernet_encrypt_tun_feat_node, static) =
|
||||
{
|
||||
.arc_name = "ethernet-output",
|
||||
@ -667,6 +674,14 @@ VNET_FEATURE_INIT (esp6_encrypt_tun_feat_node, static) =
|
||||
.node_name = "esp6-encrypt-tun",
|
||||
.runs_before = VNET_FEATURES ("adj-midchain-tx"),
|
||||
};
|
||||
|
||||
VNET_FEATURE_INIT (esp4o6_encrypt_tun_feat_node, static) =
|
||||
{
|
||||
.arc_name = "ip4-output",
|
||||
.node_name = "esp6-encrypt-tun",
|
||||
.runs_before = VNET_FEATURES ("adj-midchain-tx"),
|
||||
};
|
||||
|
||||
/* *INDENT-ON* */
|
||||
|
||||
typedef struct
|
||||
|
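Review bot: The two new registrations, `esp6o4_encrypt_tun_feat_node` and `esp4o6_encrypt_tun_feat_node`, each pair an output arc of one address family with the encrypt node of the other, and nothing beside them says which family is the payload and which is the outer header. Going by the tunnel-protect change in this commit, which picks the node from the tunnel source address, the node name follows the outer header and the arc follows the payload. A one-line comment above each would keep a later reader from "fixing" the apparent mismatch, for example `/* 6o4: IPv6 payload on ip6-output, ESP-encapsulated with an IPv4 outer header */` and the mirror image for 4o6.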
@ -39,38 +39,29 @@ static int
|
||||
ipsec_tun_protect_feature_set (ipsec_tun_protect_t * itp, u8 enable)
|
||||
{
|
||||
u32 sai = itp->itp_out_sa;
|
||||
int is_ip4, is_l2, rv;
|
||||
int rv;
|
||||
|
||||
is_ip4 = ip46_address_is_ip4 (&itp->itp_tun.src);
|
||||
is_l2 = itp->itp_flags & IPSEC_PROTECT_L2;
|
||||
const char *enc_node = (ip46_address_is_ip4 (&itp->itp_tun.src) ?
|
||||
"esp4-encrypt-tun" : "esp6-encrypt-tun");
|
||||
|
||||
if (is_ip4)
|
||||
if (itp->itp_flags & IPSEC_PROTECT_L2)
|
||||
{
|
||||
if (is_l2)
|
||||
rv = vnet_feature_enable_disable ("ethernet-output",
|
||||
"esp4-encrypt-tun",
|
||||
itp->itp_sw_if_index, enable,
|
||||
&sai, sizeof (sai));
|
||||
else
|
||||
rv = vnet_feature_enable_disable ("ip4-output",
|
||||
"esp4-encrypt-tun",
|
||||
itp->itp_sw_if_index, enable,
|
||||
&sai, sizeof (sai));
|
||||
rv = vnet_feature_enable_disable ("ethernet-output",
|
||||
enc_node,
|
||||
itp->itp_sw_if_index, enable,
|
||||
&sai, sizeof (sai));
|
||||
}
|
||||
else
|
||||
{
|
||||
if (is_l2)
|
||||
rv = vnet_feature_enable_disable ("ethernet-output",
|
||||
"esp6-encrypt-tun",
|
||||
itp->itp_sw_if_index, enable,
|
||||
&sai, sizeof (sai));
|
||||
else
|
||||
rv = vnet_feature_enable_disable ("ip6-output",
|
||||
"esp6-encrypt-tun",
|
||||
itp->itp_sw_if_index, enable,
|
||||
&sai, sizeof (sai));
|
||||
rv = vnet_feature_enable_disable ("ip4-output",
|
||||
enc_node,
|
||||
itp->itp_sw_if_index, enable,
|
||||
&sai, sizeof (sai));
|
||||
rv = vnet_feature_enable_disable ("ip6-output",
|
||||
enc_node,
|
||||
itp->itp_sw_if_index, enable,
|
||||
&sai, sizeof (sai));
|
||||
}
|
||||
|
||||
ASSERT (!rv);
|
||||
return (rv);
|
||||
}
|
||||
|
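Review bot: In the non-L2 branch of `ipsec_tun_protect_feature_set`, the result of the `"ip4-output"` call is overwritten by the `"ip6-output"` call that follows it, so a failure on the first arc never reaches `ASSERT (!rv)` or the caller. The +/- markers are lost on this page, so this reads the new side from the hunk counts. If the encrypt feature fails to attach on one arc, that family's traffic on the protected interface may not pass through the ESP node, and the function would still return 0. Keep the first error, for example `int rv6 = vnet_feature_enable_disable ("ip6-output", enc_node, itp->itp_sw_if_index, enable, &sai, sizeof (sai));` followed by `if (!rv) rv = rv6;`. It is also worth confirming that callers check the return value rather than relying on the `ASSERT`, which may be compiled out in non-debug builds.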
@ -785,11 +785,17 @@ class TemplateIpsec4TunProtect(object):
|
||||
p.tun_if.add_vpp_config()
|
||||
p.tun_if.admin_up()
|
||||
p.tun_if.config_ip4()
|
||||
p.tun_if.config_ip6()
|
||||
|
||||
p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
|
||||
[VppRoutePath(p.tun_if.remote_ip4,
|
||||
0xffffffff)])
|
||||
p.route.add_vpp_config()
|
||||
r = VppIpRoute(self, p.remote_tun_if_host6, 128,
|
||||
[VppRoutePath(p.tun_if.remote_ip6,
|
||||
0xffffffff,
|
||||
proto=DpoProto.DPO_PROTO_IP6)])
|
||||
r.add_vpp_config()
|
||||
|
||||
def unconfig_network(self, p):
|
||||
p.route.remove_vpp_config()
|
||||
@ -831,6 +837,13 @@ class TestIpsec4TunProtect(TemplateIpsec,
|
||||
c = p.tun_if.get_tx_stats()
|
||||
self.assertEqual(c['packets'], 127)
|
||||
|
||||
self.vapi.cli("clear ipsec sa")
|
||||
self.verify_tun_64(p, count=127)
|
||||
c = p.tun_if.get_rx_stats()
|
||||
self.assertEqual(c['packets'], 254)
|
||||
c = p.tun_if.get_tx_stats()
|
||||
self.assertEqual(c['packets'], 254)
|
||||
|
||||
# rekey - create new SAs and update the tunnel protection
|
||||
np = copy.copy(p)
|
||||
np.crypt_key = 'X' + p.crypt_key[1:]
|
||||
@ -847,9 +860,9 @@ class TestIpsec4TunProtect(TemplateIpsec,
|
||||
|
||||
self.verify_tun_44(np, count=127)
|
||||
c = p.tun_if.get_rx_stats()
|
||||
self.assertEqual(c['packets'], 254)
|
||||
self.assertEqual(c['packets'], 381)
|
||||
c = p.tun_if.get_tx_stats()
|
||||
self.assertEqual(c['packets'], 254)
|
||||
self.assertEqual(c['packets'], 381)
|
||||
|
||||
# teardown
|
||||
self.unconfig_protect(np)
|
||||
@ -1052,12 +1065,17 @@ class TemplateIpsec6TunProtect(object):
|
||||
p.tun_if.add_vpp_config()
|
||||
p.tun_if.admin_up()
|
||||
p.tun_if.config_ip6()
|
||||
p.tun_if.config_ip4()
|
||||
|
||||
p.route = VppIpRoute(self, p.remote_tun_if_host, 128,
|
||||
[VppRoutePath(p.tun_if.remote_ip6,
|
||||
0xffffffff,
|
||||
proto=DpoProto.DPO_PROTO_IP6)])
|
||||
p.route.add_vpp_config()
|
||||
r = VppIpRoute(self, p.remote_tun_if_host4, 32,
|
||||
[VppRoutePath(p.tun_if.remote_ip4,
|
||||
0xffffffff)])
|
||||
r.add_vpp_config()
|
||||
|
||||
def unconfig_network(self, p):
|
||||
p.route.remove_vpp_config()
|
||||
@ -1167,6 +1185,26 @@ class TestIpsec6TunProtect(TemplateIpsec,
|
||||
self.unconfig_sa(np3)
|
||||
self.unconfig_network(p)
|
||||
|
||||
def test_tun_46(self):
|
||||
"""IPSEC tunnel protect"""
|
||||
|
||||
p = self.ipv6_params
|
||||
|
||||
self.config_network(p)
|
||||
self.config_sa_tra(p)
|
||||
self.config_protect(p)
|
||||
|
||||
self.verify_tun_46(p, count=127)
|
||||
c = p.tun_if.get_rx_stats()
|
||||
self.assertEqual(c['packets'], 127)
|
||||
c = p.tun_if.get_tx_stats()
|
||||
self.assertEqual(c['packets'], 127)
|
||||
|
||||
# teardown
|
||||
self.unconfig_protect(p)
|
||||
self.unconfig_sa(p)
|
||||
self.unconfig_network(p)
|
||||
|
||||
|
||||
class TestIpsec6TunProtectTun(TemplateIpsec,
|
||||
TemplateIpsec6TunProtect,
|
||||
|
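Review bot: The cross-family route added in both `config_network` methods is held only in the local `r`, while the visible part of `unconfig_network` removes just `p.route`, so the new route appears to outlive the test unless the framework's teardown cleans it up. The rest of `unconfig_network` lies outside the hunk, so this is inferred from what is shown. Storing it on `p` and removing it alongside `p.route` would keep one test's routes from steering traffic in the next. Separately, `test_tun_46` reuses the docstring `"""IPSEC tunnel protect"""`; something like `"""IPSEC tunnel protect 4o6"""` would make a failure report identify the mixed-family case.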