authorNeale Ranns <neale@graphiant.com>2022-01-10 10:38:43 +0000
committerMatthew Smith <mgsmith@netgate.com>2022-01-17 19:55:13 +0000
commit49378f206b8e780a898e632f7dd8db912b9b118e (patch)
tree35c6629f14b753878251fe92d5afcdd9c837554b /test/template_ipsec.py
parent88a9c0e02ab919cadd4e035133995a6afb4d1c32 (diff)
ipsec: IPSec interface correct drop w/ no protection
Type: improvement When an IPSec interface is first constructed, the end node of the feature arc is not changed, which means it is interface-output. This means that traffic directed into adjacencies on the link, that do not have protection (w/ an SA), drop like this: ... 00:00:01:111710: ip4-midchain tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:6 flags:[] stacked-on: [@1]: dpo-drop ip4 flow hash: 0x00000000 00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858 00000020: 58585858585858585858585858585858585858585858585858585858 00:00:01:111829: local0-output ipsec0 00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858 00000020: 5858585858585858585858585858585858585858585858585858585858585858 00000040: 58585858585858585858585858585858585858585858585858585858c2cf08c0 00000060: 2a2c103cd0126bd8b03c4ec20ce2bd02dd77b3e3a4f49664 00:00:01:112017: error-drop rx:pg1 00:00:01:112034: drop local0-output: interface is down although that's a drop, no packets should go to local0, and we want all IPvX packets to go through ipX-drop. This change sets the interface's end-arc node to the appropriate drop node when the interface is created, and when the last protection is removed. The resulting drop is: ... 00:00:01:111504: ip4-midchain tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:0 flags:[] stacked-on: [@1]: dpo-drop ip4 flow hash: 0x00000000 00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858 00000020: 58585858585858585858585858585858585858585858585858585858 00:00:01:111533: ip4-drop ICMP: 172.16.2.2 -> 1.1.1.1 tos 0x00, ttl 63, length 92, checksum 0xcb8c dscp CS0 ecn NON_ECN fragment id 0x0001 ICMP echo_request checksum 0xecf4 id 0 00:00:01:111620: error-drop rx:pg1 00:00:01:111640: drop null-node: blackholed packets Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I7e7de23c541d9f1210a05e6984a688f1f821a155
Diffstat (limited to 'test/template_ipsec.py')
-rw-r--r--test/template_ipsec.py19
1 files changed, 17 insertions, 2 deletions
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index d9a9d1b78c1..9927cc7bcc3 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -1375,7 +1375,17 @@ class IpsecTun6(object):
pass
raise
- def verify_drop_tun_66(self, p_in, count=1, payload_size=64):
+ def verify_drop_tun_tx_66(self, p_in, count=1, payload_size=64):
+ self.vapi.cli("clear errors")
+ self.vapi.cli("clear ipsec sa")
+
+ send_pkts = self.gen_pkts6(p_in, self.pg1, src=self.pg1.remote_ip6,
+ dst=p_in.remote_tun_if_host, count=count,
+ payload_size=payload_size)
+ self.send_and_assert_no_replies(self.tun_if, send_pkts)
+ self.logger.info(self.vapi.cli("sh punt stats"))
+
+ def verify_drop_tun_rx_66(self, p_in, count=1, payload_size=64):
self.vapi.cli("clear errors")
self.vapi.cli("clear ipsec sa")
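Review bot: The new `verify_drop_tun_tx_66` only asserts that no replies come back, which the pre-change behaviour (drop via local0-output, "interface is down") would also have satisfied, so the test does not pin the ip6-drop path this commit introduces; after `send_and_assert_no_replies` it should additionally check the relevant drop counter with the framework's error-counter assertion (exact counter name to be confirmed against the drop node's error strings). The packets are generated for `self.pg1` with `src=self.pg1.remote_ip6` yet injected on `self.tun_if`; if the intent is to exercise the tx direction into the unprotected IPsec interface, they presumably belong on the inside interface, `self.send_and_assert_no_replies(self.pg1, send_pkts)` — worth confirming. A one-line docstring, `"""Plaintext from pg1 towards a tunnel with no SA must be dropped, not forwarded."""`, would also make the new tx/rx split self-explanatory. The enclosing class `IpsecTun6` starts and ends outside the hunk.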
@@ -1385,7 +1395,12 @@ class IpsecTun6(object):
dst=self.pg1.remote_ip6,
count=count)
self.send_and_assert_no_replies(self.tun_if, send_pkts)
- self.logger.info(self.vapi.cli("sh punt stats"))
+
+ def verify_drop_tun_66(self, p_in, count=1, payload_size=64):
+ self.verify_drop_tun_tx_66(p_in, count=count,
+ payload_size=payload_size)
+ self.verify_drop_tun_rx_66(p_in, count=count,
+ payload_size=payload_size)
def verify_tun_66(self, p_in, p_out=None, count=1, payload_size=64):
self.vapi.cli("clear errors")
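Review bot: `verify_drop_tun_66` now fans out to `verify_drop_tun_tx_66` and `verify_drop_tun_rx_66` without a docstring saying what the two directions cover, and the `sh punt stats` log that previously closed the rx check has moved to the tx helper, so the rx path is no longer logged. A short docstring, `"""Check both drop directions for a tunnel without protection: plaintext towards it (tx) and traffic arriving from it (rx)."""`, plus either restoring `self.logger.info(self.vapi.cli("sh punt stats"))` in the rx helper or logging it once from this wrapper, would keep the diagnostics symmetric. `verify_drop_tun_rx_66` begins in the previous hunk, and the class `IpsecTun6` continues outside this one.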