summaryrefslogtreecommitdiffstats
path: root/test/template_ipsec.py
diff options
context:
space:
mode:
authorZachary Leaf <zachary.leaf@arm.com>2021-10-26 10:05:58 -0500
committerFan Zhang <roy.fan.zhang@intel.com>2022-03-08 17:43:43 +0000
commit26fec718f2fa7913a484008fca7b1bc015c6efb5 (patch)
treed1ff50ea37c938f7caa4b88ca25885c13f83d4bb /test/template_ipsec.py
parent1031098b903e6eb4bca4d268350795e6827abdda (diff)
ipsec: input: drop by default for non-matching pkts
As per IPSec RFC4301 [1], any non-matching packets should be dropped by default. This is handled correctly in ipsec_output.c, however in ipsec_input.c non-matching packets are allowed to pass as per a matched BYPASS rule. For full details, see: https://lists.fd.io/g/vpp-dev/topic/ipsec_input_output_default/84943480 It appears the ipsec6_input_node only matches PROTECT policies. Until this is extended to handle BYPASS + DISCARD, we may wish to not drop by default here, since all IPv6 traffic not matching a PROTECT policy will be dropped. [1]: https://datatracker.ietf.org/doc/html/rfc4301 Type: fix Signed-off-by: Zachary Leaf <zachary.leaf@arm.com> Change-Id: Iddbfd008dbe082486d1928f6a10ffbd83d859a20
Diffstat (limited to 'test/template_ipsec.py')
-rw-r--r--test/template_ipsec.py34
1 files changed, 23 insertions, 11 deletions
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index 725cec58846..c2a14e36097 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -1605,19 +1605,14 @@ class IpsecTun46Tests(IpsecTun4Tests, IpsecTun6Tests):
pass
-class SpdFlowCacheTemplate(VppTestCase):
+class IPSecIPv4Fwd(VppTestCase):
+ """ Test IPSec by capturing and verifying IPv4 forwarded pkts """
@classmethod
def setUpConstants(cls):
- super(SpdFlowCacheTemplate, cls).setUpConstants()
- # Override this method with required cmdline parameters e.g.
- # cls.vpp_cmdline.extend(["ipsec", "{",
- # "ipv4-outbound-spd-flow-cache on",
- # "}"])
- # cls.logger.info("VPP modified cmdline is %s" % " "
- # .join(cls.vpp_cmdline))
+ super(IPSecIPv4Fwd, cls).setUpConstants()
def setUp(self):
- super(SpdFlowCacheTemplate, self).setUp()
+ super(IPSecIPv4Fwd, self).setUp()
# store SPD objects so we can remove configs on tear down
self.spd_objs = []
self.spd_policies = []
@@ -1635,7 +1630,7 @@ class SpdFlowCacheTemplate(VppTestCase):
for pg in self.pg_interfaces:
pg.unconfig_ip4()
pg.admin_down()
- super(SpdFlowCacheTemplate, self).tearDown()
+ super(IPSecIPv4Fwd, self).tearDown()
def create_interfaces(self, num_ifs=2):
# create interfaces pg0 ... pg<num_ifs>
@@ -1772,6 +1767,24 @@ class SpdFlowCacheTemplate(VppTestCase):
"Policy %s matched: %d pkts", str(spdEntry), matched_pkts)
self.assert_equal(pkt_count, matched_pkts)
+
+class SpdFlowCacheTemplate(IPSecIPv4Fwd):
+ @classmethod
+ def setUpConstants(cls):
+ super(SpdFlowCacheTemplate, cls).setUpConstants()
+ # Override this method with required cmdline parameters e.g.
+ # cls.vpp_cmdline.extend(["ipsec", "{",
+ # "ipv4-outbound-spd-flow-cache on",
+ # "}"])
+ # cls.logger.info("VPP modified cmdline is %s" % " "
+ # .join(cls.vpp_cmdline))
+
+ def setUp(self):
+ super(SpdFlowCacheTemplate, self).setUp()
+
+ def tearDown(self):
+ super(SpdFlowCacheTemplate, self).tearDown()
+
def get_spd_flow_cache_entries(self):
""" 'show ipsec spd' output:
ip4-outbound-spd-flow-cache-entries: 0
@@ -1809,6 +1822,5 @@ class SpdFlowCacheTemplate(VppTestCase):
self.logger.info("\ncrc32 NOT supported:\n" + cpu_info)
return False
-
if __name__ == '__main__':
unittest.main(testRunner=VppTestRunner)