authorEric Kinzie <ekinzie@labn.net>2020-10-13 20:02:11 -0400
committerNeale Ranns <nranns@cisco.com>2020-10-16 12:32:31 +0000
commit609d579ed27d78e3fd5f430fb9893edda19ba6e4 (patch)
treedbc5750d730ae5088ef96348fd8c34292906673c
parentc1b94c835396d4b81b9dea99a5306ed7836bde39 (diff)
ipsec: fix instance, and cli del for new ipsec interface
- use user instance number in interface name Restore the behavior of previous versions where the IPsec tunnel interface name contained the value of the user-provided instance number. For example, a command similar to create ipsec tunnel local-ip . . . instance 5 would result in the creation of interface "ipsec5". - ipsec: delete tunnel protection when asked The "ipsec tunnel protect" command will parse a "del" argument but does not undo the tunnel protection, leaving the SAs hanging around with reference counts that were incremented by a previous invocation of the command. Allow the tunnel protection to be deleted and also update the help text to indicate that deletion is an option. - test: ipsec: add test for ipsec interface instance Also cleanup (unconfig) after TestIpsecItf4 NULL algo test. Type: fix Fixes: dd4ccf2623b5 ("ipsec: Dedicated IPSec interface type") Signed-off-by: Eric Kinzie <ekinzie@labn.net> Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: Idb59ceafa0633040344473c9942b6536e3d941ce
-rw-r--r--src/vnet/ipsec/ipsec_cli.c4
-rw-r--r--src/vnet/ipsec/ipsec_itf.c4
-rw-r--r--test/test_ipsec_tun_if_esp.py22
-rw-r--r--test/vpp_ipsec.py5
4 files changed, 27 insertions, 8 deletions
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 937e0f6b2e4..7d265f7e64d 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -997,6 +997,8 @@ ipsec_tun_protect_cmd (vlib_main_t * vm,
if (!is_del)
ipsec_tun_protect_update (sw_if_index, &peer, sa_out, sa_ins);
+ else
+ ipsec_tun_protect_del (sw_if_index, &peer);
unformat_free (line_input);
return NULL;
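Review bot: The new `else` branch discards the result of `ipsec_tun_protect_del`, so the command still ends in `return NULL;` (success) even when nothing was removed, for example when the interface has no protection for that peer. An operator who runs `del` and sees no error will assume the SAs have been released. I believe the function returns an int status in this tree, though its declaration is not part of the hunk; if so, capture it with `rv = ipsec_tun_protect_del (sw_if_index, &peer);` and return `clib_error_return (0, "tunnel protect delete failed: %d", rv)` when it is non-zero, after `unformat_free`. The unchanged `ipsec_tun_protect_update` call above it has the same gap, and the function body starts outside the hunk.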
@@ -1010,7 +1012,7 @@ VLIB_CLI_COMMAND (ipsec_tun_protect_cmd_node, static) =
{
.path = "ipsec tunnel protect",
.function = ipsec_tun_protect_cmd,
- .short_help = "ipsec tunnel protect <interface> input-sa <SA> output-sa <SA>",
+ .short_help = "ipsec tunnel protect <interface> input-sa <SA> output-sa <SA> [add|del]",
// this is not MP safe
};
/* *INDENT-ON* */
diff --git a/src/vnet/ipsec/ipsec_itf.c b/src/vnet/ipsec/ipsec_itf.c
index 756bc19fbef..6724eab73a8 100644
--- a/src/vnet/ipsec/ipsec_itf.c
+++ b/src/vnet/ipsec/ipsec_itf.c
@@ -294,12 +294,10 @@ ipsec_itf_create (u32 user_instance, tunnel_mode_t mode, u32 * sw_if_indexp)
ipsec_itf->ii_mode = mode;
ipsec_itf->ii_user_instance = instance;
- if (~0 == ipsec_itf->ii_user_instance)
- ipsec_itf->ii_user_instance = t_idx;
hw_if_index = vnet_register_interface (vnm,
ipsec_itf_device_class.index,
- t_idx,
+ ipsec_itf->ii_user_instance,
ipsec_hw_interface_class.index,
t_idx);
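Review bot: After this change the `dev_instance` argument to `vnet_register_interface` is the user-chosen instance while the last argument stays `t_idx`, so the two can differ whenever a user supplies an instance. Any code outside this hunk that uses the hardware interface's `dev_instance` as an index into the ipsec_itf pool would then read another tunnel's entry or run past the pool, so those lookups should be audited. Removing the `~0` fallback also relies on `instance` having been resolved to a real value earlier in `ipsec_itf_create`, which is not visible here. Adding `ASSERT (~0 != ipsec_itf->ii_user_instance);` before the registration, and a comment such as `/* dev_instance names the interface (ipsecN); hw_instance is the pool index */`, would make both assumptions explicit.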
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
index a722ce77bb1..9d01b93114e 100644
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@@ -21,6 +21,7 @@ from vpp_sub_interface import L2_VTR_OP, VppDot1QSubint
from vpp_teib import VppTeib
from util import ppp
from vpp_papi import VppEnum
+from vpp_papi_provider import CliFailedCommandError
from vpp_acl import AclRule, VppAcl, VppAclInterface
@@ -2512,8 +2513,8 @@ class TemplateIpsecItf4(object):
[p.tun_sa_in])
p.tun_protect.add_vpp_config()
- def config_network(self, p):
- p.tun_if = VppIpsecInterface(self)
+ def config_network(self, p, instance=0xffffffff):
+ p.tun_if = VppIpsecInterface(self, instance=instance)
p.tun_if.add_vpp_config()
p.tun_if.admin_up()
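Review bot: The default `instance=0xffffffff` in `config_network` is an unexplained magic value, and the same literal is repeated in `VppIpsecInterface.__init__` in test/vpp_ipsec.py. Judging from the C side of this commit, it is the `~0` sentinel for "no instance requested", but a reader of the test code cannot tell that. A comment such as `# 0xffffffff (~0): no user instance requested` on both defaults would help, or a single shared module-level constant. `config_network` continues past the end of the hunk.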
@@ -2555,6 +2556,18 @@ class TestIpsecItf4(TemplateIpsec,
def tearDown(self):
super(TestIpsecItf4, self).tearDown()
+ def test_tun_instance_44(self):
+ p = self.ipv4_params
+ self.config_network(p, instance=3)
+
+ with self.assertRaises(CliFailedCommandError):
+ self.vapi.cli("show interface ipsec0")
+
+ output = self.vapi.cli("show interface ipsec3")
+ self.assertTrue("unknown" not in output)
+
+ self.unconfig_network(p)
+
def test_tun_44(self):
"""IPSEC interface IPv4"""
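Review bot: `test_tun_instance_44` has no docstring, unlike `test_tun_44` directly below it, so the test report will not describe what it checks; something like `"""IPSEC interface IPv4 with user instance"""` would fit. `self.assertTrue("unknown" not in output)` reads better as `self.assertNotIn("unknown", output)`, which also prints the offending output on failure. The closing `self.unconfig_network(p)` is skipped if either assertion fails, and whether `tearDown` removes the interface in that case is not visible here; a `try`/`finally` around the assertions would make the cleanup unconditional. The same applies to the `# teardown` lines added at the end of the test in the next hunk.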
@@ -2644,6 +2657,11 @@ class TestIpsecItf4(TemplateIpsec,
self.verify_tun_44(p, count=n_pkts)
+ # teardown
+ self.unconfig_protect(p)
+ self.unconfig_sa(p)
+ self.unconfig_network(p)
+
class TemplateIpsecItf6(object):
""" IPsec Interface IPv6 """
diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py
index f012a4a1e84..f9dcdf09f1a 100644
--- a/test/vpp_ipsec.py
+++ b/test/vpp_ipsec.py
@@ -376,16 +376,17 @@ class VppIpsecInterface(VppInterface):
VPP IPSec interface
"""
- def __init__(self, test, mode=None):
+ def __init__(self, test, mode=None, instance=0xffffffff):
super(VppIpsecInterface, self).__init__(test)
# only p2p mode is supported currently
self.mode = (VppEnum.vl_api_tunnel_mode_t.
TUNNEL_API_MODE_P2P)
+ self.instance = instance
def add_vpp_config(self):
r = self.test.vapi.ipsec_itf_create(itf={
- 'user_instance': 0xffffffff,
+ 'user_instance': self.instance,
'mode': self.mode,
})
self.set_sw_if_index(r.sw_if_index)