ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ipsec: change wildcard value for any protocol of spd policy

Browse Source 
Currently 0 has been used as the wildcard representing ANY type of
protocol. However 0 is valid value of ip protocol (HOPOPT) and therefore
it should not be used as a wildcard. Instead 255 is used which is
guaranteed by IANA to be reserved and not used as a protocol id.

Type: improvement
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: I2320bae6fe380cb999dc5a9187beb68fda2d31eb
This commit is contained in:
Piotr Bronowski 2022-06-09 09:09:28 +00:00 committed by Fan Zhang
parent 5b4b4c05ff
commit 815c6a4fbc
13 changed files with 323 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

88
src/vnet/ipsec/ipsec.api
View File

@ -57,61 +57,6 @@ autoreply define ipsec_interface_add_del_spd
u32 spd_id;
};
enum ipsec_spd_action
{
/* bypass - no IPsec processing */
IPSEC_API_SPD_ACTION_BYPASS = 0,
/* discard - discard packet with ICMP processing */
IPSEC_API_SPD_ACTION_DISCARD,
/* resolve - send request to control plane for SA resolving */
IPSEC_API_SPD_ACTION_RESOLVE,
/* protect - apply IPsec policy using following parameters */
IPSEC_API_SPD_ACTION_PROTECT,
};
/** \brief IPsec: Security Policy Database entry
See RFC 4301, 4.4.1.1 on how to match packet to selectors
@param spd_id - SPD instance id (control plane allocated)
@param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
@param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
@param remote_address_start - start of remote address range to match
@param remote_address_stop - end of remote address range to match
@param local_address_start - start of local address range to match
@param local_address_stop - end of local address range to match
@param protocol - protocol type to match [0 means any] otherwise IANA value
@param remote_port_start - start of remote port range to match ...
@param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
@param local_port_start - start of local port range to match ...
@param local_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
@param policy - action to perform on match
@param sa_id - SAD instance id (control plane allocated)
*/
typedef ipsec_spd_entry
{
u32 spd_id;
i32 priority;
bool is_outbound;
u32 sa_id;
vl_api_ipsec_spd_action_t policy;
/* Which protocol?? */
u8 protocol;
// Selector
vl_api_address_t remote_address_start;
vl_api_address_t remote_address_stop;
vl_api_address_t local_address_start;
vl_api_address_t local_address_stop;
u16 remote_port_start;
u16 remote_port_stop;
u16 local_port_start;
u16 local_port_stop;
};
/** \brief IPsec: Add/delete Security Policy Database entry
@param client_index - opaque cookie to identify the sender
@ -121,12 +66,28 @@ typedef ipsec_spd_entry
*/
define ipsec_spd_entry_add_del
{
option deprecated;
u32 client_index;
u32 context;
bool is_add;
vl_api_ipsec_spd_entry_t entry;
};
/** \brief IPsec: Add/delete Security Policy Database entry v2
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param is_add - add SPD if non-zero, else delete
@param entry - Description of the entry to add/dell
*/
define ipsec_spd_entry_add_del_v2
{
u32 client_index;
u32 context;
bool is_add;
vl_api_ipsec_spd_entry_v2_t entry;
};
/** \brief IPsec: Reply Add/delete Security Policy Database entry
@param context - sender context, to match reply w/ request
@ -140,6 +101,19 @@ define ipsec_spd_entry_add_del_reply
u32 stat_index;
};
/** \brief IPsec: Reply Add/delete Security Policy Database entry v2
@param context - sender context, to match reply w/ request
@param retval - success/fail rutrun code
@param stat_index - An index for the policy in the stats segment @ /net/ipec/policy
*/
define ipsec_spd_entry_add_del_v2_reply
{
u32 context;
i32 retval;
u32 stat_index;
};
/** \brief Dump IPsec all SPD IDs
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@ -197,6 +171,7 @@ define ipsec_sad_entry_add_del
bool is_add;
vl_api_ipsec_sad_entry_t entry;
};
define ipsec_sad_entry_add_del_v2
{
u32 client_index;
@ -204,6 +179,7 @@ define ipsec_sad_entry_add_del_v2
bool is_add;
vl_api_ipsec_sad_entry_v2_t entry;
};
define ipsec_sad_entry_add_del_v3
{
u32 client_index;
@ -231,12 +207,14 @@ define ipsec_sad_entry_add_del_reply
i32 retval;
u32 stat_index;
};
define ipsec_sad_entry_add_del_v2_reply
{
u32 context;
i32 retval;
u32 stat_index;
};
define ipsec_sad_entry_add_del_v3_reply
{
u32 context;

62
src/vnet/ipsec/ipsec_api.c
View File

@ -233,7 +233,8 @@ static void vl_api_ipsec_spd_entry_add_del_t_handler
p.is_ipv6 = (itype == IP46_TYPE_IP6);
p.protocol = mp->entry.protocol;
p.protocol =
mp->entry.protocol ? mp->entry.protocol : IPSEC_POLICY_PROTOCOL_ANY;
p.rport.start = ntohs (mp->entry.remote_port_start);
p.rport.stop = ntohs (mp->entry.remote_port_stop);
p.lport.start = ntohs (mp->entry.local_port_start);
@ -271,6 +272,65 @@ out:
/* *INDENT-ON* */
}
static void
vl_api_ipsec_spd_entry_add_del_v2_t_handler (
vl_api_ipsec_spd_entry_add_del_v2_t *mp)
{
vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
ip46_type_t itype;
u32 stat_index;
int rv;
stat_index = ~0;
ipsec_policy_t p;
clib_memset (&p, 0, sizeof (p));
p.id = ntohl (mp->entry.spd_id);
p.priority = ntohl (mp->entry.priority);
itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start);
ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop);
ip_address_decode (&mp->entry.local_address_start, &p.laddr.start);
ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop);
p.is_ipv6 = (itype == IP46_TYPE_IP6);
p.protocol = mp->entry.protocol;
p.rport.start = ntohs (mp->entry.remote_port_start);
p.rport.stop = ntohs (mp->entry.remote_port_stop);
p.lport.start = ntohs (mp->entry.local_port_start);
p.lport.stop = ntohs (mp->entry.local_port_stop);
rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
if (rv)
goto out;
/* policy action resolve unsupported */
if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
{
clib_warning ("unsupported action: 'resolve'");
rv = VNET_API_ERROR_UNIMPLEMENTED;
goto out;
}
p.sa_id = ntohl (mp->entry.sa_id);
rv =
ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy, &p.type);
if (rv)
goto out;
rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index);
if (rv)
goto out;
out:
REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_REPLY,
({ rmp->stat_index = ntohl (stat_index); }));
}
static void vl_api_ipsec_sad_entry_add_del_t_handler
(vl_api_ipsec_sad_entry_add_del_t * mp)
{

1
src/vnet/ipsec/ipsec_cli.c
View File

@ -279,6 +279,7 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm,
clib_memset (&p, 0, sizeof (p));
p.lport.stop = p.rport.stop = ~0;
remote_range_set = local_range_set = is_outbound = 0;
p.protocol = IPSEC_POLICY_PROTOCOL_ANY;
if (!unformat_user (input, unformat_line_input, line_input))
return 0;

2
src/vnet/ipsec/ipsec_format.c
View File

@ -168,7 +168,7 @@ format_ipsec_policy (u8 * s, va_list * args)
pi, p->priority,
format_ipsec_policy_action, p->policy,
format_ipsec_policy_type, p->type);
if (p->protocol)
if (p->protocol != IPSEC_POLICY_PROTOCOL_ANY)
{
s = format (s, "%U", format_ip_protocol, p->protocol);
}

6
src/vnet/ipsec/ipsec_output.c
View File

@ -158,7 +158,8 @@ ipsec_output_policy_match (ipsec_spd_t *spd, u8 pr, u32 la, u32 ra, u16 lp,
vec_foreach (i, spd->policies[IPSEC_SPD_POLICY_IP4_OUTBOUND])
{
p = pool_elt_at_index (im->policies, *i);
if (PREDICT_FALSE (p->protocol && (p->protocol != pr)))
if (PREDICT_FALSE ((p->protocol != IPSEC_POLICY_PROTOCOL_ANY) &&
(p->protocol != pr)))
continue;
if (ra < clib_net_to_host_u32 (p->raddr.start.ip4.as_u32))
@ -232,7 +233,8 @@ ipsec6_output_policy_match (ipsec_spd_t * spd,
vec_foreach (i, spd->policies[IPSEC_SPD_POLICY_IP6_OUTBOUND])
{
p = pool_elt_at_index (im->policies, *i);
if (PREDICT_FALSE (p->protocol && (p->protocol != pr)))
if (PREDICT_FALSE ((p->protocol != IPSEC_POLICY_PROTOCOL_ANY) &&
(p->protocol != pr)))
continue;
if (!ip6_addr_match_range (ra, &p->raddr.start.ip6, &p->raddr.stop.ip6))

2
src/vnet/ipsec/ipsec_spd_policy.h
View File

@ -17,6 +17,8 @@
#include <vnet/ipsec/ipsec_spd.h>
#define IPSEC_POLICY_PROTOCOL_ANY IP_PROTOCOL_RESERVED
#define foreach_ipsec_policy_action \
_ (0, BYPASS, "bypass") \
_ (1, DISCARD, "discard") \

104
src/vnet/ipsec/ipsec_test.c
View File

@ -73,7 +73,103 @@ api_ipsec_spd_entry_add_del (vat_main_t *vam)
unformat_input_t *i = vam->input;
vl_api_ipsec_spd_entry_add_del_t *mp;
u8 is_add = 1, is_outbound = 0;
u32 spd_id = 0, sa_id = 0, protocol = 0, policy = 0;
u32 spd_id = 0, sa_id = 0, protocol = IPSEC_POLICY_PROTOCOL_ANY, policy = 0;
i32 priority = 0;
u32 rport_start = 0, rport_stop = (u32) ~0;
u32 lport_start = 0, lport_stop = (u32) ~0;
vl_api_address_t laddr_start = {}, laddr_stop = {}, raddr_start = {},
raddr_stop = {};
int ret;
while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
{
if (unformat (i, "del"))
is_add = 0;
if (unformat (i, "outbound"))
is_outbound = 1;
if (unformat (i, "inbound"))
is_outbound = 0;
else if (unformat (i, "spd_id %d", &spd_id))
;
else if (unformat (i, "sa_id %d", &sa_id))
;
else if (unformat (i, "priority %d", &priority))
;
else if (unformat (i, "protocol %d", &protocol))
;
else if (unformat (i, "lport_start %d", &lport_start))
;
else if (unformat (i, "lport_stop %d", &lport_stop))
;
else if (unformat (i, "rport_start %d", &rport_start))
;
else if (unformat (i, "rport_stop %d", &rport_stop))
;
else if (unformat (i, "laddr_start %U", unformat_vl_api_address,
&laddr_start))
;
else if (unformat (i, "laddr_stop %U", unformat_vl_api_address,
&laddr_stop))
;
else if (unformat (i, "raddr_start %U", unformat_vl_api_address,
&raddr_start))
;
else if (unformat (i, "raddr_stop %U", unformat_vl_api_address,
&raddr_stop))
;
else if (unformat (i, "action %U", unformat_ipsec_policy_action,
&policy))
{
if (policy == IPSEC_POLICY_ACTION_RESOLVE)
{
clib_warning ("unsupported action: 'resolve'");
return -99;
}
}
else
{
clib_warning ("parse error '%U'", format_unformat_error, i);
return -99;
}
}
M (IPSEC_SPD_ENTRY_ADD_DEL, mp);
mp->is_add = is_add;
mp->entry.spd_id = ntohl (spd_id);
mp->entry.priority = ntohl (priority);
mp->entry.is_outbound = is_outbound;
clib_memcpy (&mp->entry.remote_address_start, &raddr_start,
sizeof (vl_api_address_t));
clib_memcpy (&mp->entry.remote_address_stop, &raddr_stop,
sizeof (vl_api_address_t));
clib_memcpy (&mp->entry.local_address_start, &laddr_start,
sizeof (vl_api_address_t));
clib_memcpy (&mp->entry.local_address_stop, &laddr_stop,
sizeof (vl_api_address_t));
mp->entry.protocol = protocol ? (u8) protocol : IPSEC_POLICY_PROTOCOL_ANY;
mp->entry.local_port_start = ntohs ((u16) lport_start);
mp->entry.local_port_stop = ntohs ((u16) lport_stop);
mp->entry.remote_port_start = ntohs ((u16) rport_start);
mp->entry.remote_port_stop = ntohs ((u16) rport_stop);
mp->entry.policy = (u8) policy;
mp->entry.sa_id = ntohl (sa_id);
S (mp);
W (ret);
return ret;
}
static int
api_ipsec_spd_entry_add_del_v2 (vat_main_t *vam)
{
unformat_input_t *i = vam->input;
vl_api_ipsec_spd_entry_add_del_t *mp;
u8 is_add = 1, is_outbound = 0;
u32 spd_id = 0, sa_id = 0, protocol = IPSEC_POLICY_PROTOCOL_ANY, policy = 0;
i32 priority = 0;
u32 rport_start = 0, rport_stop = (u32) ~0;
u32 lport_start = 0, lport_stop = (u32) ~0;
@ -257,6 +353,12 @@ vl_api_ipsec_spd_entry_add_del_reply_t_handler (
{
}
static void
vl_api_ipsec_spd_entry_add_del_v2_reply_t_handler (
vl_api_ipsec_spd_entry_add_del_v2_reply_t *mp)
{
}
static int
api_ipsec_spds_dump (vat_main_t *vam)
{

97
src/vnet/ipsec/ipsec_types.api
View File

@ -95,6 +95,102 @@ typedef key
u8 data[128];
};
enum ipsec_spd_action
{
/* bypass - no IPsec processing */
IPSEC_API_SPD_ACTION_BYPASS = 0,
/* discard - discard packet with ICMP processing */
IPSEC_API_SPD_ACTION_DISCARD,
/* resolve - send request to control plane for SA resolving */
IPSEC_API_SPD_ACTION_RESOLVE,
/* protect - apply IPsec policy using following parameters */
IPSEC_API_SPD_ACTION_PROTECT,
};
/** \brief IPsec: Security Policy Database entry
See RFC 4301, 4.4.1.1 on how to match packet to selectors
@param spd_id - SPD instance id (control plane allocated)
@param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
@param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
@param remote_address_start - start of remote address range to match
@param remote_address_stop - end of remote address range to match
@param local_address_start - start of local address range to match
@param local_address_stop - end of local address range to match
@param protocol - protocol type to match [0 means any] otherwise IANA value
@param remote_port_start - start of remote port range to match ...
@param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
@param local_port_start - start of local port range to match ...
@param local_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
@param policy - action to perform on match
@param sa_id - SAD instance id (control plane allocated)
*/
typedef ipsec_spd_entry
{
u32 spd_id;
i32 priority;
bool is_outbound;
u32 sa_id;
vl_api_ipsec_spd_action_t policy;
/* Which protocol?? */
u8 protocol;
// Selector
vl_api_address_t remote_address_start;
vl_api_address_t remote_address_stop;
vl_api_address_t local_address_start;
vl_api_address_t local_address_stop;
u16 remote_port_start;
u16 remote_port_stop;
u16 local_port_start;
u16 local_port_stop;
};
/** \brief IPsec: Security Policy Database entry v2
See RFC 4301, 4.4.1.1 on how to match packet to selectors
@param spd_id - SPD instance id (control plane allocated)
@param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
@param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
@param remote_address_start - start of remote address range to match
@param remote_address_stop - end of remote address range to match
@param local_address_start - start of local address range to match
@param local_address_stop - end of local address range to match
@param protocol - protocol type to match [255 means any] otherwise IANA value
@param remote_port_start - start of remote port range to match ...
@param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
@param local_port_start - start of local port range to match ...
@param local_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
@param policy - action to perform on match
@param sa_id - SAD instance id (control plane allocated)
*/
typedef ipsec_spd_entry_v2
{
u32 spd_id;
i32 priority;
bool is_outbound;
u32 sa_id;
vl_api_ipsec_spd_action_t policy;
u8 protocol;
// Selector
vl_api_address_t remote_address_start;
vl_api_address_t remote_address_stop;
vl_api_address_t local_address_start;
vl_api_address_t local_address_stop;
u16 remote_port_start;
u16 remote_port_stop;
u16 local_port_start;
u16 local_port_stop;
};
/** \brief IPsec: Security Association Database entry
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@ -117,6 +213,7 @@ typedef key
@param tunnel_flags - Flags controlling the copying of encap/decap value
@param dscp - Fixed DSCP vaule for tunnel encap
*/
typedef ipsec_sad_entry
{
u32 sad_id;

12
test/test_ipsec_ah.py
View File

@ -213,7 +213,7 @@ class ConfigIpsecAH(TemplateIpsec):
remote_tun_if_host,
self.pg1.remote_addr[addr_type],
self.pg1.remote_addr[addr_type],
0,
socket.IPPROTO_RAW,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0,
@ -226,7 +226,7 @@ class ConfigIpsecAH(TemplateIpsec):
self.pg1.remote_addr[addr_type],
remote_tun_if_host,
remote_tun_if_host,
0,
socket.IPPROTO_RAW,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=10,
)
@ -238,7 +238,7 @@ class ConfigIpsecAH(TemplateIpsec):
remote_tun_if_host,
self.pg0.local_addr[addr_type],
self.pg0.local_addr[addr_type],
0,
socket.IPPROTO_RAW,
priority=20,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0,
@ -251,7 +251,7 @@ class ConfigIpsecAH(TemplateIpsec):
self.pg0.local_addr[addr_type],
remote_tun_if_host,
remote_tun_if_host,
0,
socket.IPPROTO_RAW,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=20,
)
@ -341,7 +341,7 @@ class ConfigIpsecAH(TemplateIpsec):
self.tra_if.local_addr[addr_type],
self.tra_if.remote_addr[addr_type],
self.tra_if.remote_addr[addr_type],
0,
socket.IPPROTO_RAW,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0,
@ -356,7 +356,7 @@ class ConfigIpsecAH(TemplateIpsec):
self.tra_if.local_addr[addr_type],
self.tra_if.remote_addr[addr_type],
self.tra_if.remote_addr[addr_type],
0,
socket.IPPROTO_RAW,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=10,
)

20
test/test_ipsec_esp.py
View File

@ -206,7 +206,7 @@ class ConfigIpsecESP(TemplateIpsec):
remote_tun_if_host,
self.pg1.remote_addr[addr_type],
self.pg1.remote_addr[addr_type],
0,
socket.IPPROTO_RAW,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0,
@ -221,7 +221,7 @@ class ConfigIpsecESP(TemplateIpsec):
self.pg1.remote_addr[addr_type],
remote_tun_if_host,
remote_tun_if_host,
0,
socket.IPPROTO_RAW,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=10,
)
@ -235,7 +235,7 @@ class ConfigIpsecESP(TemplateIpsec):
remote_tun_if_host,
self.pg0.local_addr[addr_type],
self.pg0.local_addr[addr_type],
0,
socket.IPPROTO_RAW,
priority=20,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0,
@ -250,7 +250,7 @@ class ConfigIpsecESP(TemplateIpsec):
self.pg0.local_addr[addr_type],
remote_tun_if_host,
remote_tun_if_host,
0,
socket.IPPROTO_RAW,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=20,
)
@ -337,7 +337,7 @@ class ConfigIpsecESP(TemplateIpsec):
self.tra_if.local_addr[addr_type],
self.tra_if.remote_addr[addr_type],
self.tra_if.remote_addr[addr_type],
0,
socket.IPPROTO_RAW,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0,
@ -352,7 +352,7 @@ class ConfigIpsecESP(TemplateIpsec):
self.tra_if.local_addr[addr_type],
self.tra_if.remote_addr[addr_type],
self.tra_if.remote_addr[addr_type],
0,
socket.IPPROTO_RAW,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=10,
)
@ -452,7 +452,7 @@ class TestIpsecEsp1(
self.pg1.remote_addr[p4.addr_type],
p6.remote_tun_if_host4,
p6.remote_tun_if_host4,
0,
socket.IPPROTO_RAW,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=1,
@ -487,7 +487,7 @@ class TestIpsecEsp1(
self.pg1.remote_addr[p6.addr_type],
p4.remote_tun_if_host6,
p4.remote_tun_if_host6,
0,
socket.IPPROTO_RAW,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=1,
@ -648,7 +648,7 @@ class TestIpsecEspAsync(TemplateIpsecEsp):
self.pg1.remote_addr[self.p_sync.addr_type],
self.p_sync.remote_tun_if_host,
self.p_sync.remote_tun_if_host,
0,
socket.IPPROTO_RAW,
priority=1,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=1,
@ -707,7 +707,7 @@ class TestIpsecEspAsync(TemplateIpsecEsp):
self.pg1.remote_addr[self.p_async.addr_type],
self.p_async.remote_tun_if_host,
self.p_async.remote_tun_if_host,
0,
socket.IPPROTO_RAW,
priority=2,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=1,

4
test/test_ipsec_nat.py
View File

@ -275,7 +275,7 @@ class IPSecNATTestCase(TemplateIpsec):
self.tun_if.remote_addr[addr_type],
self.pg1.remote_addr[addr_type],
self.pg1.remote_addr[addr_type],
0,
socket.IPPROTO_RAW,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0,
@ -288,7 +288,7 @@ class IPSecNATTestCase(TemplateIpsec):
self.pg1.remote_addr[addr_type],
self.tun_if.remote_addr[addr_type],
self.tun_if.remote_addr[addr_type],
0,
socket.IPPROTO_RAW,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=10,
).add_vpp_config()

2
test/vpp_ipsec.py
View File

@ -85,7 +85,7 @@ class VppIpsecSpdEntry(VppObject):
local_stop,
remote_start,
remote_stop,
proto,
proto=socket.IPPROTO_RAW,
priority=100,
policy=None,
is_outbound=1,

4
test/vpp_papi_provider.py
View File

@ -980,7 +980,7 @@ class VppPapiProvider(object):
local_port_stop=65535,
remote_port_start=0,
remote_port_stop=65535,
protocol=0,
protocol=socket.IPPROTO_RAW,
policy=0,
priority=100,
is_outbound=1,
@ -1010,7 +1010,7 @@ class VppPapiProvider(object):
:param is_add: (Default value = 1)
"""
return self.api(
self.papi.ipsec_spd_entry_add_del,
self.papi.ipsec_spd_entry_add_del_v2,
{
"is_add": is_add,
"entry": {