summaryrefslogtreecommitdiffstats
path: root/test/test_ipsec_spd_flow_cache.py
diff options
context:
space:
mode:
authorZachary Leaf <zachary.leaf@arm.com>2021-10-26 10:05:58 -0500
committerFan Zhang <roy.fan.zhang@intel.com>2022-03-08 17:43:43 +0000
commit26fec718f2fa7913a484008fca7b1bc015c6efb5 (patch)
treed1ff50ea37c938f7caa4b88ca25885c13f83d4bb /test/test_ipsec_spd_flow_cache.py
parent1031098b903e6eb4bca4d268350795e6827abdda (diff)
ipsec: input: drop by default for non-matching pkts
As per IPSec RFC4301 [1], any non-matching packets should be dropped by default. This is handled correctly in ipsec_output.c, however in ipsec_input.c non-matching packets are allowed to pass as per a matched BYPASS rule. For full details, see: https://lists.fd.io/g/vpp-dev/topic/ipsec_input_output_default/84943480 It appears the ipsec6_input_node only matches PROTECT policies. Until this is extended to handle BYPASS + DISCARD, we may wish to not drop by default here, since all IPv6 traffic not matching a PROTECT policy will be dropped. [1]: https://datatracker.ietf.org/doc/html/rfc4301 Type: fix Signed-off-by: Zachary Leaf <zachary.leaf@arm.com> Change-Id: Iddbfd008dbe082486d1928f6a10ffbd83d859a20
Diffstat (limited to 'test/test_ipsec_spd_flow_cache.py')
-rw-r--r--test/test_ipsec_spd_flow_cache.py21
1 files changed, 21 insertions, 0 deletions
diff --git a/test/test_ipsec_spd_flow_cache.py b/test/test_ipsec_spd_flow_cache.py
index 0c26e7b9e6a..54571c6741a 100644
--- a/test/test_ipsec_spd_flow_cache.py
+++ b/test/test_ipsec_spd_flow_cache.py
@@ -306,6 +306,13 @@ class IPSec4SpdTestCaseMultiple(SpdFlowCacheOutbound):
1, self.pg2, self.pg0, socket.IPPROTO_UDP,
is_out=1, priority=10, policy_type="discard")
+ # interfaces bound to an SPD, will by default drop inbound
+ # traffic with no matching policies. add catch-all inbound
+ # bypass rule to SPD:
+ self.spd_add_rem_policy( # inbound, all interfaces
+ 1, None, None, socket.IPPROTO_UDP, is_out=0, priority=10,
+ policy_type="bypass", all_ips=True)
+
# check flow cache is empty (0 active elements) before sending traffic
self.verify_num_outbound_flow_cache_entries(0)
@@ -390,6 +397,13 @@ class IPSec4SpdTestCaseOverwriteStale(SpdFlowCacheOutbound):
1, self.pg2, self.pg0, socket.IPPROTO_UDP,
is_out=1, priority=10, policy_type="discard")
+ # interfaces bound to an SPD, will by default drop inbound
+ # traffic with no matching policies. add catch-all inbound
+ # bypass rule to SPD:
+ self.spd_add_rem_policy( # inbound, all interfaces
+ 1, None, None, socket.IPPROTO_UDP, is_out=0, priority=10,
+ policy_type="bypass", all_ips=True)
+
# check flow cache is empty (0 active elements) before sending traffic
self.verify_num_outbound_flow_cache_entries(0)
@@ -527,6 +541,13 @@ class IPSec4SpdTestCaseCollision(SpdFlowCacheOutbound):
1, self.pg2, self.pg0, socket.IPPROTO_UDP,
is_out=1, priority=10, policy_type="bypass")
+ # interfaces bound to an SPD, will by default drop inbound
+ # traffic with no matching policies. add catch-all inbound
+ # bypass rule to SPD:
+ self.spd_add_rem_policy( # inbound, all interfaces
+ 1, None, None, socket.IPPROTO_UDP, is_out=0, priority=10,
+ policy_type="bypass", all_ips=True)
+
# check flow cache is empty (0 active elements) before sending traffic
self.verify_num_outbound_flow_cache_entries(0)