From 03984cf5e2affcb715559fad5f68b8ba165ff8cd Mon Sep 17 00:00:00 2001
From: Juraj Linkeš
Date: Fri, 26 Nov 2021 11:03:05 +0100
Subject: fix(IPsec): fix policy tests
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace the hardcoded SPD inbound/outbound ranges with values derived from test inputs. Add the necessary routes now that the tunnel endpoints are not in the same subnet. Also add ip neighbor entry on DUT2 for the same reason. Also replace ipsec sa dump with show ipsec all in teardown of tests where both SAs and SPDs are configured to improve troubleshooting.

Change-Id: I7d89a99fcf457a701c87bf6ac07364b62802677d
Signed-off-by: Juraj Linkeš
---
 resources/libraries/python/IPsecUtil.py | 49 +++++++++++++++-------
 .../libraries/robot/shared/test_teardown.robot | 14 ++++++-
 2 files changed, 47 insertions(+), 16 deletions(-)
(limited to 'resources/libraries')
diff --git a/resources/libraries/python/IPsecUtil.py b/resources/libraries/python/IPsecUtil.py
index e455dd7a88..e3b3c88941 100644
--- a/resources/libraries/python/IPsecUtil.py
+++ b/resources/libraries/python/IPsecUtil.py
@@ -1,5 +1,5 @@
-# Copyright (c) 2021 Cisco and/or its affiliates.
-# Copyright (c) 2021 PANTHEON.tech s.r.o.
+# Copyright (c) 2022 Cisco and/or its affiliates.
+# Copyright (c) 2022 PANTHEON.tech s.r.o.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at:
@@ -627,6 +627,7 @@ class IPsecUtil:
 tunnel_src = ip_address(tunnel_src)
 tunnel_dst = ip_address(tunnel_dst)
 traffic_addr = ip_address(traffic_addr)
+ tunnel_dst_prefix = 128 if tunnel_dst.version == 6 else 32
 addr_incr = 1 << (128 - raddr_range) if tunnel_src.version == 6 \
 else 1 << (32 - raddr_range)
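Review bot: `tunnel_dst_prefix` is derived from `tunnel_dst.version`, while `addr_incr` on the very next line is still derived from `tunnel_src.version`; if a caller passes mixed address families, the interface addresses, routes and neighbors are generated from inconsistent assumptions with no error raised. A one-line guard placed before the new assignment makes that failure explicit: `if tunnel_src.version != tunnel_dst.version: raise ValueError(u"tunnel_src and tunnel_dst must be the same IP version")`. The enclosing function starts and ends outside the hunk.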
@@ -636,11 +637,15 @@ class IPsecUtil: with open(tmp_filename, 'w') as tmp_file: if_name = Topology.get_interface_name(node, interface) for i in range(n_tunnels): + tunnel_dst_addr = tunnel_dst + i * addr_incr conf = f"exec set interface ip address {if_name} " \ f"{tunnel_src + i * addr_incr}/{raddr_range}\n" \ f"exec ip route add {traffic_addr + i}/" \ - f"{128 if traffic_addr.version == 6 else 32} " \ - f"via {tunnel_dst + i * addr_incr} {if_name}\n" + f"{tunnel_dst_prefix} " \ + f"via {tunnel_dst_addr} {if_name}\n" \ + f"exec ip route add {tunnel_dst_addr}/" \ + f"{tunnel_dst_prefix} " \ + f"via {tunnel_dst_addr} {if_name}\n" if dst_mac: conf = f"{conf}exec set ip neighbor {if_name} " \ f"{tunnel_dst + i * addr_incr} {dst_mac}\n" @@ -684,20 +689,29 @@ class IPsecUtil: with PapiSocketExecutor(node) as papi_exec: for i in range(n_tunnels): + tunnel_dst_addr = tunnel_dst + i * addr_incr args1[u"prefix"] = IPUtil.create_prefix_object( tunnel_src + i * addr_incr, raddr_range ) args2[u"route"] = IPUtil.compose_vpp_route_structure( node, traffic_addr + i, - prefix_len=128 if traffic_addr.version == 6 else 32, - interface=interface, gateway=tunnel_dst + i * addr_incr + prefix_len=tunnel_dst_prefix, + interface=interface, gateway=tunnel_dst_addr ) history = bool(not 1 < i < n_tunnels - 2) papi_exec.add(cmd1, history=history, **args1).\ add(cmd2, history=history, **args2) + + args2[u"route"] = IPUtil.compose_vpp_route_structure( + node, tunnel_dst_addr, + prefix_len=tunnel_dst_prefix, + interface=interface, gateway=tunnel_dst_addr + ) + papi_exec.add(cmd2, history=history, **args2) + if dst_mac: args3[u"neighbor"][u"ip_address"] = ip_address( - tunnel_dst + i * addr_incr + tunnel_dst_addr ) papi_exec.add(cmd3, history=history, **args3) papi_exec.get_replies(err_msg) 
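Review bot: The `exec set ip neighbor` line under `if dst_mac:` still recomputes `tunnel_dst + i * addr_incr` although this hunk introduces `tunnel_dst_addr` for exactly that value at the top of the loop body; it should read `f"{tunnel_dst_addr} {dst_mac}\n"` so the neighbor, the route gateway and the new host route cannot drift apart. The added `exec ip route add {tunnel_dst_addr}/{tunnel_dst_prefix} via {tunnel_dst_addr} {if_name}` also deserves a why-comment, e.g. `# Host route to the tunnel endpoint: it is no longer in the interface's own subnet.`, and if the function's docstring (outside the hunk) enumerates what gets configured it should list this extra per-tunnel route. The loop and the enclosing function continue outside the hunk.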
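Review bot: The second `args2[u"route"] = ...` / `papi_exec.add(cmd2, history=history, **args2)` pair sits after the chained `add(cmd1, ...).add(cmd2, ...)` call with blank lines around it, so each iteration now issues one more request than before and the correspondence with the CLI path above is easy to miss when reading the PAPI path on its own. A comment such as `# Second cmd2: host route to the tunnel endpoint itself, mirroring the CLI path.` would tie the two paths together. Overwriting `args2[u"route"]` after the first `add` is safe because `**args2` is unpacked at call time, but since `args2` is otherwise treated as a per-call template, that is worth stating too. The enclosing function starts outside the hunk.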
@@ -2136,6 +2150,10 @@ class IPsecUtil: sa_id_2 = 200000 spi_1 = 300000 spi_2 = 400000 + dut1_local_outbound_range = ip_network(f"{tunnel_ip1}/8", False).\ + with_prefixlen + dut1_remote_outbound_range = ip_network(f"{tunnel_ip2}/8", False).\ + with_prefixlen crypto_key = gen_key( IPsecUtil.get_crypto_alg_key_len(crypto_alg) @@ -2155,11 +2173,13 @@ class IPsecUtil: IPsecUtil.vpp_ipsec_spd_add_if(nodes[u"DUT1"], spd_id, interface1) IPsecUtil.vpp_ipsec_add_spd_entry( nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=False, - proto=50, laddr_range=u"100.0.0.0/8", raddr_range=u"100.0.0.0/8" + proto=50, laddr_range=dut1_local_outbound_range, + raddr_range=dut1_remote_outbound_range ) IPsecUtil.vpp_ipsec_add_spd_entry( nodes[u"DUT1"], spd_id, p_hi, PolicyAction.BYPASS, inbound=True, - proto=50, laddr_range=u"100.0.0.0/8", raddr_range=u"100.0.0.0/8" + proto=50, laddr_range=dut1_remote_outbound_range, + raddr_range=dut1_local_outbound_range ) IPsecUtil.vpp_ipsec_add_sad_entries( @@ -2186,21 +2206,22 @@ class IPsecUtil: ) if u"DUT2" in nodes.keys(): + rmac = Topology.get_interface_mac(nodes[u"DUT1"], interface1) IPsecUtil.vpp_ipsec_set_ip_route( nodes[u"DUT2"], n_tunnels, tunnel_ip2, raddr_ip1, tunnel_ip1, - interface2, raddr_range) + interface2, raddr_range, rmac) IPsecUtil.vpp_ipsec_add_spd(nodes[u"DUT2"], spd_id) IPsecUtil.vpp_ipsec_spd_add_if(nodes[u"DUT2"], spd_id, interface2) IPsecUtil.vpp_ipsec_add_spd_entry( nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS, - inbound=False, proto=50, laddr_range=u"100.0.0.0/8", - raddr_range=u"100.0.0.0/8" + inbound=False, proto=50, laddr_range=dut1_remote_outbound_range, + raddr_range=dut1_local_outbound_range ) IPsecUtil.vpp_ipsec_add_spd_entry( nodes[u"DUT2"], spd_id, p_hi, PolicyAction.BYPASS, - inbound=True, proto=50, laddr_range=u"100.0.0.0/8", - raddr_range=u"100.0.0.0/8" + inbound=True, proto=50, laddr_range=dut1_local_outbound_range, + raddr_range=dut1_remote_outbound_range ) IPsecUtil.vpp_ipsec_add_sad_entries( 
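Review bot: The prefix width in both `ip_network(f"{tunnel_ip1}/8", False)` and `ip_network(f"{tunnel_ip2}/8", False)` is still a literal 8, so the SPD BYPASS match ranges are only partly derived from test inputs as the commit message states; presumably the width must cover `tunnel_ip + i * addr_incr` for all `n_tunnels` endpoints, but a reader cannot tell that from the two assignments. Name the constant or add a comment, e.g. `# /8 must cover every tunnel endpoint (tunnel_ip + i * addr_incr); narrow with care.`, and note that a /8 bypass for ESP matches far more than the tunnel endpoints, especially with IPv6 tunnel addresses. The enclosing function starts outside the hunk.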
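Review bot: Naming the two ranges `dut1_local_outbound_range` and `dut1_remote_outbound_range` makes the inbound entry read as if it were misconfigured, because its `laddr_range=dut1_remote_outbound_range, raddr_range=dut1_local_outbound_range` is the intended swap, and the same names are reused from DUT2's perspective in the `@@ -2186` hunk below. Naming them by endpoint instead, e.g. `tunnel_ip1_range` and `tunnel_ip2_range`, would make every laddr/raddr pair self-explanatory without the `outbound` qualifier; the assignments themselves live in the hunk above this one.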
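Review bot: `rmac` is looked up from DUT1's `interface1` and passed only to DUT2's `vpp_ipsec_set_ip_route`, so only DUT2 gets a static neighbor for the now off-subnet tunnel endpoint; DUT1's corresponding call is outside this hunk, and if it does not pass DUT2's MAC the reverse direction relies on ARP/ND resolving across the new routed hop. Either pass `Topology.get_interface_mac(nodes[u"DUT2"], interface2)` to the DUT1 call as well, or add a comment stating why DUT1 does not need it. The enclosing function continues outside the hunk.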
diff --git a/resources/libraries/robot/shared/test_teardown.robot b/resources/libraries/robot/shared/test_teardown.robot
index 474a6e9385..6bfb532fbe 100644
--- a/resources/libraries/robot/shared/test_teardown.robot
+++ b/resources/libraries/robot/shared/test_teardown.robot
@@ -1,4 +1,4 @@
-# Copyright (c) 2021 Cisco and/or its affiliates.
+# Copyright (c) 2022 Cisco and/or its affiliates.
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at:
@@ -130,6 +130,16 @@
 | | | ... | Show Ipsec Security Association | ${nodes['${dut}']}
 | | END
 
+| Additional Test Tear Down Action For ipsec_all
+| | [Documentation]
+| | ... | Additional teardown for tests which use varied IPSec configuration.
+| | ... | Databases.
+| |
+| | FOR | ${dut} | IN | @{duts}
+| | | Run Keyword If Test Failed
+| | | ... | Vpp Ipsec Show All | ${nodes['${dut}']}
+| | END
+
 | Additional Test Tear Down Action For linux_bridge
 | | [Documentation]
 | | ... | Additional teardown for tests which uses linux_bridge.
@@ -222,4 +232,4 @@
 | |
 | | ${vnf_status} | ${value}= | Run Keyword And Ignore Error
 | | ... | Keyword Should Exist | vnf_manager.Kill All VMs
-| | Run Keyword If | '${vnf_status}' == 'PASS' | vnf_manager.Kill All VMs
\ No newline at end of file
+| | Run Keyword If | '${vnf_status}' == 'PASS' | vnf_manager.Kill All VMs
-- 
cgit 1.2.3-korg
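Review bot: The new keyword's `[Documentation]` carries a stray continuation line `| | ... | Databases.` that does not belong to the sentence above it and looks copied from another teardown; the documentation should read as one statement, e.g. `| | ... | Additional teardown for tests which configure both IPsec SAs and SPDs.`, which also matches the commit description's rationale for switching to `show ipsec all`. The keyword name `ipsec_all` is otherwise consistent with the `Vpp Ipsec Show All` call it makes.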