author | Zachary Leaf <zachary.leaf@arm.com> | 2021-10-26 10:05:58 -0500 |
---|---|---|
committer | Fan Zhang <roy.fan.zhang@intel.com> | 2022-03-08 17:43:43 +0000 |
commit | 26fec718f2fa7913a484008fca7b1bc015c6efb5 (patch) | |
tree | d1ff50ea37c938f7caa4b88ca25885c13f83d4bb /test/template_ipsec.py | |
parent | 1031098b903e6eb4bca4d268350795e6827abdda (diff) |
ipsec: input: drop by default for non-matching pkts
As per IPSec RFC4301 [1], any non-matching packets should be dropped by
default. This is handled correctly in ipsec_output.c, however in
ipsec_input.c non-matching packets are allowed to pass, as if they had
matched a BYPASS rule.
For full details, see:
https://lists.fd.io/g/vpp-dev/topic/ipsec_input_output_default/84943480
It appears the ipsec6_input_node only matches PROTECT policies. Until
this is extended to handle BYPASS + DISCARD, we may wish to not drop
by default here, since all IPv6 traffic not matching a PROTECT policy
will be dropped.
[1]: https://datatracker.ietf.org/doc/html/rfc4301
Type: fix
Signed-off-by: Zachary Leaf <zachary.leaf@arm.com>
Change-Id: Iddbfd008dbe082486d1928f6a10ffbd83d859a20
Diffstat (limited to 'test/template_ipsec.py')
-rw-r--r-- | test/template_ipsec.py | 34 |
1 files changed, 23 insertions, 11 deletions
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index 725cec58846..c2a14e36097 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -1605,19 +1605,14 @@ class IpsecTun46Tests(IpsecTun4Tests, IpsecTun6Tests):
     pass
 
 
-class SpdFlowCacheTemplate(VppTestCase):
+class IPSecIPv4Fwd(VppTestCase):
+    """ Test IPSec by capturing and verifying IPv4 forwarded pkts """
     @classmethod
     def setUpConstants(cls):
-        super(SpdFlowCacheTemplate, cls).setUpConstants()
-        # Override this method with required cmdline parameters e.g.
-        # cls.vpp_cmdline.extend(["ipsec", "{",
-        #                         "ipv4-outbound-spd-flow-cache on",
-        #                         "}"])
-        # cls.logger.info("VPP modified cmdline is %s" % " "
-        #                 .join(cls.vpp_cmdline))
+        super(IPSecIPv4Fwd, cls).setUpConstants()
 
     def setUp(self):
-        super(SpdFlowCacheTemplate, self).setUp()
+        super(IPSecIPv4Fwd, self).setUp()
         # store SPD objects so we can remove configs on tear down
         self.spd_objs = []
         self.spd_policies = []
@@ -1635,7 +1630,7 @@ class SpdFlowCacheTemplate(VppTestCase):
         for pg in self.pg_interfaces:
             pg.unconfig_ip4()
             pg.admin_down()
-        super(SpdFlowCacheTemplate, self).tearDown()
+        super(IPSecIPv4Fwd, self).tearDown()
 
     def create_interfaces(self, num_ifs=2):
         # create interfaces pg0 ... pg<num_ifs>
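Review bot: The `setUpConstants` override added to `IPSecIPv4Fwd` in the first hunk only forwards to `VppTestCase.setUpConstants`, so it is a no-op and can be dropped; if it is kept deliberately as the hook subclasses override, say so with a comment such as `# Hook for subclasses to extend cls.vpp_cmdline (e.g. an ipsec { ... } stanza) before VPP starts.` The new class docstring pads the text with spaces inside the quotes; `"""Test IPSec by capturing and verifying IPv4 forwarded pkts."""` is the usual PEP 257 form. The class body continues past the end of the hunk.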
@@ -1772,6 +1767,24 @@ class SpdFlowCacheTemplate(VppTestCase):
                          "Policy %s matched: %d pkts", str(spdEntry), matched_pkts)
         self.assert_equal(pkt_count, matched_pkts)
 
+
+class SpdFlowCacheTemplate(IPSecIPv4Fwd):
+    @classmethod
+    def setUpConstants(cls):
+        super(SpdFlowCacheTemplate, cls).setUpConstants()
+        # Override this method with required cmdline parameters e.g.
+        # cls.vpp_cmdline.extend(["ipsec", "{",
+        #                         "ipv4-outbound-spd-flow-cache on",
+        #                         "}"])
+        # cls.logger.info("VPP modified cmdline is %s" % " "
+        #                 .join(cls.vpp_cmdline))
+
+    def setUp(self):
+        super(SpdFlowCacheTemplate, self).setUp()
+
+    def tearDown(self):
+        super(SpdFlowCacheTemplate, self).tearDown()
+
     def get_spd_flow_cache_entries(self):
         """ 'show ipsec spd' output:
         ip4-outbound-spd-flow-cache-entries: 0
@@ -1809,6 +1822,5 @@ class SpdFlowCacheTemplate(VppTestCase):
         self.logger.info("\ncrc32 NOT supported:\n" + cpu_info)
         return False
 
-
 if __name__ == '__main__':
     unittest.main(testRunner=VppTestRunner)
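Review bot: The `setUp` and `tearDown` overrides added to the new `SpdFlowCacheTemplate` only call the parent implementation, so they add nothing and can be removed; `IPSecIPv4Fwd` already does the SPD bookkeeping and interface teardown shown in the earlier hunks. The class also has no docstring, and its actual contract (subclasses extend `cls.vpp_cmdline` in `setUpConstants` to turn the flow cache on) is expressed only as commented-out example code; a one-line docstring such as `"""Base for SPD flow-cache tests; subclasses extend cls.vpp_cmdline in setUpConstants to enable the cache."""` would state it directly, with the example kept beneath it. As far as this file's hunks show, the templates here only set up IPv4 SPD forwarding, so the drop-by-default behaviour on ipsec-input that this commit introduces does not appear to be exercised by anything in this diff; if no other file in the change covers it, a test asserting that a packet matching no policy is dropped on the input path would be worth adding. The `get_spd_flow_cache_entries` method that follows the added lines continues outside the hunk.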