authorNeale Ranns <nranns@cisco.com>2019-09-27 13:32:02 +0000
committerDamjan Marion <dmarion@me.com>2019-09-27 16:52:09 +0000
commitb325983a4461dd806e86a31abc47533b09482157 (patch)
treeefb498a71c02c9e967f06724998d7431c6f2265b
parent35174b428b99978503332107a9f330d8b3478bd5 (diff)
ipsec: support 4o6 and 6o4 for tunnel protect
Type: feature Change-Id: Ib2352ca4c7abf4645f21fa16aaaf27408890a2bf Signed-off-by: Neale Ranns <nranns@cisco.com>
-rw-r--r--src/vnet/ipsec/esp_encrypt.c15
-rw-r--r--src/vnet/ipsec/ipsec_tun.c41
-rw-r--r--test/test_ipsec_tun_if_esp.py42
3 files changed, 71 insertions, 27 deletions
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index 47c079d95d2..730a2b83c11 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -630,6 +630,13 @@ VNET_FEATURE_INIT (esp4_encrypt_tun_feat_node, static) =
.runs_before = VNET_FEATURES ("adj-midchain-tx"),
};
+VNET_FEATURE_INIT (esp6o4_encrypt_tun_feat_node, static) =
+{
+ .arc_name = "ip6-output",
+ .node_name = "esp4-encrypt-tun",
+ .runs_before = VNET_FEATURES ("adj-midchain-tx"),
+};
+
VNET_FEATURE_INIT (esp4_ethernet_encrypt_tun_feat_node, static) =
{
.arc_name = "ethernet-output",
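Review bot: The new esp6o4_encrypt_tun_feat_node registration pairs the "ip6-output" arc with the "esp4-encrypt-tun" node, and nothing on the line says that this crossing is intentional rather than a copy-paste slip of the sibling esp4 entry above it; the same applies to esp4o6_encrypt_tun_feat_node in the next hunk ("ip4-output" with "esp6-encrypt-tun"). A one-line comment on each would spare the next reader a trip to ipsec_tun.c, e.g. `/* 6o4: IPv6 payload leaving via an IPv4 ESP tunnel, so the v4 encrypt node sits on the ip6 output arc */` and the mirror-image wording for the 4o6 entry. These are the two feature nodes that ipsec_tun.c now enables on both output arcs, so the naming (6o4 = inner v6 over outer v4) is worth stating where the registration lives.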
@@ -667,6 +674,14 @@ VNET_FEATURE_INIT (esp6_encrypt_tun_feat_node, static) =
.node_name = "esp6-encrypt-tun",
.runs_before = VNET_FEATURES ("adj-midchain-tx"),
};
+
+VNET_FEATURE_INIT (esp4o6_encrypt_tun_feat_node, static) =
+{
+ .arc_name = "ip4-output",
+ .node_name = "esp6-encrypt-tun",
+ .runs_before = VNET_FEATURES ("adj-midchain-tx"),
+};
+
/* *INDENT-ON* */
typedef struct
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index 859fab8899e..ad544a919db 100644
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -39,38 +39,29 @@ static int
ipsec_tun_protect_feature_set (ipsec_tun_protect_t * itp, u8 enable)
{
u32 sai = itp->itp_out_sa;
- int is_ip4, is_l2, rv;
+ int rv;
- is_ip4 = ip46_address_is_ip4 (&itp->itp_tun.src);
- is_l2 = itp->itp_flags & IPSEC_PROTECT_L2;
+ const char *enc_node = (ip46_address_is_ip4 (&itp->itp_tun.src) ?
+ "esp4-encrypt-tun" : "esp6-encrypt-tun");
- if (is_ip4)
+ if (itp->itp_flags & IPSEC_PROTECT_L2)
{
- if (is_l2)
- rv = vnet_feature_enable_disable ("ethernet-output",
- "esp4-encrypt-tun",
- itp->itp_sw_if_index, enable,
- &sai, sizeof (sai));
- else
- rv = vnet_feature_enable_disable ("ip4-output",
- "esp4-encrypt-tun",
- itp->itp_sw_if_index, enable,
- &sai, sizeof (sai));
+ rv = vnet_feature_enable_disable ("ethernet-output",
+ enc_node,
+ itp->itp_sw_if_index, enable,
+ &sai, sizeof (sai));
}
else
{
- if (is_l2)
- rv = vnet_feature_enable_disable ("ethernet-output",
- "esp6-encrypt-tun",
- itp->itp_sw_if_index, enable,
- &sai, sizeof (sai));
- else
- rv = vnet_feature_enable_disable ("ip6-output",
- "esp6-encrypt-tun",
- itp->itp_sw_if_index, enable,
- &sai, sizeof (sai));
+ rv = vnet_feature_enable_disable ("ip4-output",
+ enc_node,
+ itp->itp_sw_if_index, enable,
+ &sai, sizeof (sai));
+ rv = vnet_feature_enable_disable ("ip6-output",
+ enc_node,
+ itp->itp_sw_if_index, enable,
+ &sai, sizeof (sai));
}
-
ASSERT (!rv);
return (rv);
}
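Review bot: In the new else branch the return value of the "ip4-output" enable is overwritten by the "ip6-output" call before it is ever examined, so a failure on the first arc is lost and `ASSERT (!rv)` plus the returned rv only reflect the second call. In a non-debug build that would report success while one address family's traffic on the tunnel interface never reaches the ESP encrypt node; keeping the first result is a one-line change, `if (!rv)` in front of the second vnet_feature_enable_disable, or, if both arcs should still be touched on the disable path, `int rv6 = vnet_feature_enable_disable ("ip6-output", ...); rv = rv ? rv : rv6;`. Either way a short comment above the branch that both arcs are enabled because the tunnel now carries 4o6 and 6o4 would explain why a single sai is passed to two features.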
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
index 00c1d143c30..28854cefa99 100644
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@@ -785,11 +785,17 @@ class TemplateIpsec4TunProtect(object):
p.tun_if.add_vpp_config()
p.tun_if.admin_up()
p.tun_if.config_ip4()
+ p.tun_if.config_ip6()
p.route = VppIpRoute(self, p.remote_tun_if_host, 32,
[VppRoutePath(p.tun_if.remote_ip4,
0xffffffff)])
p.route.add_vpp_config()
+ r = VppIpRoute(self, p.remote_tun_if_host6, 128,
+ [VppRoutePath(p.tun_if.remote_ip6,
+ 0xffffffff,
+ proto=DpoProto.DPO_PROTO_IP6)])
+ r.add_vpp_config()
def unconfig_network(self, p):
p.route.remove_vpp_config()
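Review bot: The added IPv6 host route is bound to a local `r` and never stored on `p`, so unconfig_network (which begins at the end of this hunk and continues outside it) only removes `p.route` and the /128 stays configured after the test, leaking into later tests in the class; the hunk in TemplateIpsec6TunProtect adds its IPv4 /32 the same way. Storing it as `p.route6 = VppIpRoute(self, p.remote_tun_if_host6, 128, ...)` and adding `p.route6.remove_vpp_config()` to unconfig_network (a `p.route4` counterpart in the v6 template) keeps config and teardown symmetric. If the route is intentionally left in place, a comment on the `r = VppIpRoute(` line saying so would avoid the question.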
@@ -831,6 +837,13 @@ class TestIpsec4TunProtect(TemplateIpsec,
c = p.tun_if.get_tx_stats()
self.assertEqual(c['packets'], 127)
+ self.vapi.cli("clear ipsec sa")
+ self.verify_tun_64(p, count=127)
+ c = p.tun_if.get_rx_stats()
+ self.assertEqual(c['packets'], 254)
+ c = p.tun_if.get_tx_stats()
+ self.assertEqual(c['packets'], 254)
+
# rekey - create new SAs and update the tunnel protection
np = copy.copy(p)
np.crypt_key = 'X' + p.crypt_key[1:]
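Review bot: The new `self.vapi.cli("clear ipsec sa")` is a side-effecting CLI call with no comment saying what it is for, and the interface counters asserted right after it are cumulative (127 then 254), so the reader cannot tell from the hunk what the clear resets. Presumably it zeroes the per-SA counters that verify_tun_64 checks independently of the tun_if stats; if so, a comment such as `# reset the SA counters so verify_tun_64 sees a clean count for the 6o4 run` would make the dependency explicit. The rekey assertions further down in the next hunk rely on this ordering, so it is worth documenting.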
@@ -847,9 +860,9 @@ class TestIpsec4TunProtect(TemplateIpsec,
self.verify_tun_44(np, count=127)
c = p.tun_if.get_rx_stats()
- self.assertEqual(c['packets'], 254)
+ self.assertEqual(c['packets'], 381)
c = p.tun_if.get_tx_stats()
- self.assertEqual(c['packets'], 254)
+ self.assertEqual(c['packets'], 381)
# teardown
self.unconfig_protect(np)
@@ -1052,12 +1065,17 @@ class TemplateIpsec6TunProtect(object):
p.tun_if.add_vpp_config()
p.tun_if.admin_up()
p.tun_if.config_ip6()
+ p.tun_if.config_ip4()
p.route = VppIpRoute(self, p.remote_tun_if_host, 128,
[VppRoutePath(p.tun_if.remote_ip6,
0xffffffff,
proto=DpoProto.DPO_PROTO_IP6)])
p.route.add_vpp_config()
+ r = VppIpRoute(self, p.remote_tun_if_host4, 32,
+ [VppRoutePath(p.tun_if.remote_ip4,
+ 0xffffffff)])
+ r.add_vpp_config()
def unconfig_network(self, p):
p.route.remove_vpp_config()
@@ -1167,6 +1185,26 @@ class TestIpsec6TunProtect(TemplateIpsec,
self.unconfig_sa(np3)
self.unconfig_network(p)
+ def test_tun_46(self):
+ """IPSEC tunnel protect"""
+
+ p = self.ipv6_params
+
+ self.config_network(p)
+ self.config_sa_tra(p)
+ self.config_protect(p)
+
+ self.verify_tun_46(p, count=127)
+ c = p.tun_if.get_rx_stats()
+ self.assertEqual(c['packets'], 127)
+ c = p.tun_if.get_tx_stats()
+ self.assertEqual(c['packets'], 127)
+
+ # teardown
+ self.unconfig_protect(p)
+ self.unconfig_sa(p)
+ self.unconfig_network(p)
+
class TestIpsec6TunProtectTun(TemplateIpsec,
TemplateIpsec6TunProtect,
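Review bot: The docstring of the new test_tun_46 is the generic `"""IPSEC tunnel protect"""` that the other tests in this file also carry, so the test runner output will not distinguish the 4o6 case from its siblings. A specific one-liner such as `"""IPSEC tunnel protect: IPv4 payload over IPv6 tunnel"""` names what the test covers. Unlike the 4o4 test extended earlier in this commit, this one does not run the rekey path with the mixed-family traffic; if that is deliberate for now, a short comment before the teardown block saying so would keep the gap visible.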