authorNeale Ranns <nranns@cisco.com>2019-06-14 01:13:25 -0700
committerDamjan Marion <dmarion@me.com>2019-06-14 11:19:01 +0000
commita6bee0a11a07e4e1e4ac67e5041e9ad197766ba2 (patch)
tree260e9b7809b61d3e8efc043d2ac9a78013589b48 /test/test_punt.py
parentf5b017615d25b8fb8760fa6b9b7e4249d93c6564 (diff)
ipsec: Correctly rewind the buffer to the IP header when punting UDP encapped SPI-0 packets
Type: fix Fixes: b71fa75d48 Change-Id: I2d81b373f7659e702759939c096b315afa36f621 Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'test/test_punt.py')
-rw-r--r--test/test_punt.py53
1 files changed, 40 insertions, 13 deletions
diff --git a/test/test_punt.py b/test/test_punt.py
index 598f140547b..b93188e4fe2 100644
--- a/test/test_punt.py
+++ b/test/test_punt.py
@@ -141,6 +141,7 @@ class TestPuntSocket(VppTestCase):
def verify_udp_pkts(self, rxs, n_rx, port):
n_match = 0
for rx in rxs:
+ rx.show()
self.assertTrue(rx.haslayer(UDP))
if rx[UDP].dport == port:
n_match += 1
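Review bot: The added `rx.show()` in `verify_udp_pkts` looks like leftover debugging: it dumps every received packet to the test output and asserts nothing. Drop the line, or emit the dump only at debug log level, so the output of a passing run stays readable. The body of `verify_udp_pkts` continues past the end of this hunk.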
@@ -772,11 +773,14 @@ class TestExceptionPuntSocket(TestPuntSocket):
punts = self.vapi.punt_socket_dump(type=pt_ex)
self.assertEqual(len(punts), 0)
- def verify_esp_pkts(self, rxs, n_sent, spi):
+ def verify_esp_pkts(self, rxs, n_sent, spi, has_udp):
self.assertEqual(len(rxs), n_sent)
for rx in rxs:
+ self.assertTrue(rx.haslayer(IP))
self.assertTrue(rx.haslayer(ESP))
self.assertEqual(rx[ESP].spi, spi)
+ if has_udp:
+ self.assertTrue(rx.haslayer(UDP))
def test_traffic(self):
""" Punt socket traffic """
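Review bot: The new assertions in `verify_esp_pkts` only check that the IP, ESP and (optionally) UDP layers are present; they do not compare any header field with what was sent, which is a weak check for a fix about where the punted buffer starts. Adding `self.assertEqual(rx[IP].dst, self.pg0.local_ip4)` and, under `if has_udp:`, `self.assertEqual(rx[UDP].dport, 4500)` would tie the received packet to the transmitted one. The `has_udp` false case never asserts that UDP is absent; an `else:` with `self.assertFalse(rx.haslayer(UDP))` would cover it. `has_udp` is a new required positional parameter, so any caller outside this diff would need updating, or the parameter could default to `False`.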
@@ -791,7 +795,7 @@ class TestExceptionPuntSocket(TestPuntSocket):
}
#
- # we need an IPSec tunnel for this to work otherwise ESP gets dropped
+ # we need an IPSec tunnels for this to work otherwise ESP gets dropped
# due to unknown IP proto
#
VppIpsecTunInterface(self, self.pg0, 1000, 1000,
@@ -803,14 +807,25 @@ class TestExceptionPuntSocket(TestPuntSocket):
IPSEC_API_INTEG_ALG_SHA1_96),
"0123456701234567",
"0123456701234567").add_vpp_config()
+ VppIpsecTunInterface(self, self.pg0, 1001, 1001,
+ (VppEnum.vl_api_ipsec_crypto_alg_t.
+ IPSEC_API_CRYPTO_ALG_AES_CBC_128),
+ "0123456701234567",
+ "0123456701234567",
+ (VppEnum.vl_api_ipsec_integ_alg_t.
+ IPSEC_API_INTEG_ALG_SHA1_96),
+ "0123456701234567",
+ "0123456701234567",
+ udp_encap=True).add_vpp_config()
#
# we're dealing with IPSec tunnels punting for no-such-tunnel
# adn SPI=0
#
cfgs = dict()
- cfgs['ipsec4-no-such-tunnel'] = {'spi': 99}
- cfgs['ipsec4-spi-0'] = {'spi': 0}
+ cfgs['ipsec4-no-such-tunnel'] = {'spi': 99, 'udp': False}
+ cfgs['ipsec4-spi-0'] = {'spi': 0, 'udp': False}
+ cfgs['ipsec4-spi-o-udp-0'] = {'spi': 0, 'udp': True}
#
# find the VPP ID for these punt exception reasin
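Review bot: The new key `'ipsec4-spi-o-udp-0'` appears to double as the punt reason name that the lookup after this hunk matches against VPP's reason list. If so, a misspelled key would leave that entry without its `id`/`vpp` fields and surface later as a `KeyError` instead of a clear test failure. A comment above `cfgs = dict()` such as `# keys must match the punt reason names reported by VPP`, plus an assertion after the lookup that every cfg was resolved, would make the dependency explicit. Separately, the second `VppIpsecTunInterface(...)` call repeats the first except for the SPI and `udp_encap=True`; a loop over `(spi, udp_encap)` pairs would keep the shared arguments in one place. The first tunnel call and the lookup loop both lie partly outside this hunk.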
@@ -826,16 +841,9 @@ class TestExceptionPuntSocket(TestPuntSocket):
break
#
- # create packet streams and configure a punt sockets
+ # configure punt sockets
#
for cfg in cfgs.values():
- pkt = (Ether(src=self.pg0.remote_mac,
- dst=self.pg0.local_mac) /
- IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4) /
- ESP(spi=cfg['spi'], seq=3) /
- Raw('\xa5' * 100))
- cfg['pkts'] = pkt * self.nr_packets
-
cfg['sock'] = self.socket_client_create(b"%s/socket_%d" % (
six.ensure_binary(self.tempdir), cfg['id']))
self.vapi.punt_socket_register(
@@ -844,6 +852,19 @@ class TestExceptionPuntSocket(TestPuntSocket):
cfg['id']))
#
+ # create packet streams for 'no-such-tunnel' exception
+ #
+ for cfg in cfgs.values():
+ pkt = (Ether(src=self.pg0.remote_mac,
+ dst=self.pg0.local_mac) /
+ IP(src=self.pg0.remote_ip4, dst=self.pg0.local_ip4))
+ if (cfg['udp']):
+ pkt = pkt / UDP(sport=666, dport=4500)
+ pkt = (pkt / ESP(spi=cfg['spi'], seq=3) /
+ Raw('\xa5' * 100))
+ cfg['pkts'] = [pkt]
+
+ #
# send packets for each SPI we expect to be punted
#
for cfg in cfgs.values():
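Review bot: `cfg['pkts'] = [pkt]` now sends a single packet per punt reason, where the removed code built `pkt * self.nr_packets`. If the reduction is not deliberate, restore the multiplier so the punt path sees more than one buffer. The block comment says the streams are for the 'no-such-tunnel' exception, but the loop builds them for all three reasons, so `# create packet streams for each punt reason` would be accurate. `Raw('\xa5' * 100)` passes a text string; since the file uses `six` for Python 2/3 compatibility, `Raw(b'\xa5' * 100)` would keep the payload length independent of how text is encoded. The enclosing `test_traffic` starts and ends outside this hunk.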
@@ -854,7 +875,13 @@ class TestExceptionPuntSocket(TestPuntSocket):
#
for cfg in cfgs.values():
rx = cfg['sock'].close()
- self.verify_esp_pkts(rx, len(cfg['pkts']), cfg['spi'])
+ self.verify_esp_pkts(rx, len(cfg['pkts']),
+ cfg['spi'], cfg['udp'])
+
+ #
+ # socket deregister
+ #
+ for cfg in cfgs.values():
self.vapi.punt_socket_deregister(cfg['vpp'])
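Review bot: Deregistration now runs in its own loop after all verification, so a failed assertion in `verify_esp_pkts` for any reason skips `punt_socket_deregister` for every socket. That may leave punt registrations behind for later tests, unless teardown outside this diff clears them. Scheduling the cleanup where the socket is registered, e.g. `self.addCleanup(self.vapi.punt_socket_deregister, cfg['vpp'])`, or wrapping the verify loop in `try`/`finally`, would make it unconditional. The registration call sits in an earlier hunk and the rest of `test_traffic` is outside this one.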