diff options
| author |   Eric Kinzie <ekinzie@labn.net> | 2020-10-13 20:02:11 -0400 |
|---|---|---|
| committer |   Neale Ranns <nranns@cisco.com> | 2020-10-16 12:32:31 +0000 |
| commit | 609d579ed27d78e3fd5f430fb9893edda19ba6e4 (patch) | |
| tree | dbc5750d730ae5088ef96348fd8c34292906673c | |
| parent | c1b94c835396d4b81b9dea99a5306ed7836bde39 (diff) | |
ipsec: fix instance, and cli del for new ipsec interface
- use user instance number in interface name
Restore the behavior of previous versions where the IPsec tunnel
interface name contained the value of the user-provided instance number.
For example, a command similar to
create ipsec tunnel local-ip . . . instance 5
would result in the creation of interface "ipsec5".
- ipsec: delete tunnel protection when asked
The "ipsec tunnel protect" command will parse a "del" argument but does
not undo the tunnel protection, leaving the SAs hanging around with
reference counts that were incremented by a previous invocation of the
command. Allow the tunnel protection to be deleted and also update the
help text to indicate that deletion is an option.
- test: ipsec: add test for ipsec interface instance
Also cleanup (unconfig) after TestIpsecItf4 NULL algo test.
Type: fix
Fixes: dd4ccf2623b5 ("ipsec: Dedicated IPSec interface type")
Signed-off-by: Eric Kinzie <ekinzie@labn.net>
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: Idb59ceafa0633040344473c9942b6536e3d941ce
| -rw-r--r-- | src/vnet/ipsec/ipsec_cli.c | 4 | ||||
| -rw-r--r-- | src/vnet/ipsec/ipsec_itf.c | 4 | ||||
| -rw-r--r-- | test/test_ipsec_tun_if_esp.py | 22 | ||||
| -rw-r--r-- | test/vpp_ipsec.py | 5 |
4 files changed, 27 insertions, 8 deletions
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 937e0f6b2e4..7d265f7e64d 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -997,6 +997,8 @@ ipsec_tun_protect_cmd (vlib_main_t * vm, if (!is_del) ipsec_tun_protect_update (sw_if_index, &peer, sa_out, sa_ins); + else + ipsec_tun_protect_del (sw_if_index, &peer); unformat_free (line_input); return NULL; @@ -1010,7 +1012,7 @@ VLIB_CLI_COMMAND (ipsec_tun_protect_cmd_node, static) = { .path = "ipsec tunnel protect", .function = ipsec_tun_protect_cmd, - .short_help = "ipsec tunnel protect <interface> input-sa <SA> output-sa <SA>", + .short_help = "ipsec tunnel protect <interface> input-sa <SA> output-sa <SA> [add|del]", // this is not MP safe }; /* *INDENT-ON* */ diff --git a/src/vnet/ipsec/ipsec_itf.c b/src/vnet/ipsec/ipsec_itf.c index 756bc19fbef..6724eab73a8 100644 --- a/src/vnet/ipsec/ipsec_itf.c +++ b/src/vnet/ipsec/ipsec_itf.c @@ -294,12 +294,10 @@ ipsec_itf_create (u32 user_instance, tunnel_mode_t mode, u32 * sw_if_indexp) ipsec_itf->ii_mode = mode; ipsec_itf->ii_user_instance = instance; - if (~0 == ipsec_itf->ii_user_instance) - ipsec_itf->ii_user_instance = t_idx; hw_if_index = vnet_register_interface (vnm, ipsec_itf_device_class.index, - t_idx, + ipsec_itf->ii_user_instance, ipsec_hw_interface_class.index, t_idx); diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py index a722ce77bb1..9d01b93114e 100644 --- a/test/test_ipsec_tun_if_esp.py +++ b/test/test_ipsec_tun_if_esp.py @@ -21,6 +21,7 @@ from vpp_sub_interface import L2_VTR_OP, VppDot1QSubint from vpp_teib import VppTeib from util import ppp from vpp_papi import VppEnum +from vpp_papi_provider import CliFailedCommandError from vpp_acl import AclRule, VppAcl, VppAclInterface @@ -2512,8 +2513,8 @@ class TemplateIpsecItf4(object): [p.tun_sa_in]) p.tun_protect.add_vpp_config() - def config_network(self, p): - p.tun_if = VppIpsecInterface(self) + def config_network(self, p, instance=0xffffffff): + p.tun_if = VppIpsecInterface(self, instance=instance) p.tun_if.add_vpp_config() p.tun_if.admin_up() @@ -2555,6 +2556,18 @@ class TestIpsecItf4(TemplateIpsec, def tearDown(self): super(TestIpsecItf4, self).tearDown() + def test_tun_instance_44(self): + p = self.ipv4_params + self.config_network(p, instance=3) + + with self.assertRaises(CliFailedCommandError): + self.vapi.cli("show interface ipsec0") + + output = self.vapi.cli("show interface ipsec3") + self.assertTrue("unknown" not in output) + + self.unconfig_network(p) + def test_tun_44(self): """IPSEC interface IPv4""" @@ -2644,6 +2657,11 @@ class TestIpsecItf4(TemplateIpsec, self.verify_tun_44(p, count=n_pkts) + # teardown + self.unconfig_protect(p) + self.unconfig_sa(p) + self.unconfig_network(p) + class TemplateIpsecItf6(object): """ IPsec Interface IPv6 """ diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py index f012a4a1e84..f9dcdf09f1a 100644 --- a/test/vpp_ipsec.py +++ b/test/vpp_ipsec.py @@ -376,16 +376,17 @@ class VppIpsecInterface(VppInterface): VPP IPSec interface """ - def __init__(self, test, mode=None): + def __init__(self, test, mode=None, instance=0xffffffff): super(VppIpsecInterface, self).__init__(test) # only p2p mode is supported currently self.mode = (VppEnum.vl_api_tunnel_mode_t. TUNNEL_API_MODE_P2P) + self.instance = instance def add_vpp_config(self): r = self.test.vapi.ipsec_itf_create(itf={ - 'user_instance': 0xffffffff, + 'user_instance': self.instance, 'mode': self.mode, }) self.set_sw_if_index(r.sw_if_index) |