authorMatthew Smith <mgsmith@netgate.com>2021-02-08 22:13:59 +0000
committerMatthew Smith <mgsmith@netgate.com>2021-02-09 04:18:37 +0000
commit751bb131ef504b64fe82f393df21dba95ca92e97 (patch)
tree46e567343cb71124297aacb1a0b405b95f392bab /test
parenta8f4ebd08e6d7fddf6fca4f2ef7081321c51a451 (diff)
Revert "ipsec: Use the new tunnel API types to add flow label and TTL copy"
This reverts commit c7eaa711f3e25580687df0618e9ca80d3dc85e5f. Reason for revert: The jenkins job named 'vpp-merge-master-ubuntu1804-x86_64' had 2 IPv6 AH tests fail after the change was merged. Those 2 tests also failed the next time that job ran after an unrelated change was merged. Change-Id: I0e2c3ee895114029066c82624e79807af575b6c0 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Diffstat (limited to 'test')
-rw-r--r--test/template_ipsec.py32
-rw-r--r--test/test_ipsec_ah.py6
-rw-r--r--test/test_ipsec_esp.py17
-rw-r--r--test/test_ipsec_tun_if_esp.py34
-rw-r--r--test/vpp_ipsec.py30
5 files changed, 34 insertions, 85 deletions
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index 0c1f5a19298..918c99383af 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -37,11 +37,6 @@ class IPsecIPv4Params:
self.vpp_tra_sa_id = 400
self.vpp_tra_spi = 4000
- self.outer_hop_limit = 64
- self.inner_hop_limit = 255
- self.outer_flow_label = 0
- self.inner_flow_label = 0x12345
-
self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_SHA1_96)
self.auth_algo = 'HMAC-SHA1-96' # scapy name
@@ -81,11 +76,6 @@ class IPsecIPv6Params:
self.vpp_tra_sa_id = 800
self.vpp_tra_spi = 4000
- self.outer_hop_limit = 64
- self.inner_hop_limit = 255
- self.outer_flow_label = 0
- self.inner_flow_label = 0x12345
-
self.auth_algo_vpp_id = (VppEnum.vl_api_ipsec_integ_alg_t.
IPSEC_API_INTEG_ALG_SHA1_96)
self.auth_algo = 'HMAC-SHA1-96' # scapy name
@@ -252,9 +242,7 @@ class TemplateIpsec(VppTestCase):
def gen_encrypt_pkts6(self, p, sa, sw_intf, src, dst, count=1,
payload_size=54):
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
- sa.encrypt(IPv6(src=src, dst=dst,
- hlim=p.inner_hop_limit,
- fl=p.inner_flow_label) /
+ sa.encrypt(IPv6(src=src, dst=dst) /
ICMPv6EchoRequest(id=0, seq=1,
data='X' * payload_size))
for i in range(count)]
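Review bot: With the `hlim=`/`fl=` arguments gone, `p` is no longer read anywhere in `gen_encrypt_pkts6` as shown in this hunk, while the sibling `gen_pkts6` in the next hunk drops its `p` parameter outright. If `p` is kept only so existing callers need no change (the call sites are not visible here), a one-line comment such as `# p is unused here; kept so existing callers need no change` would say so. Without it a reader may assume the per-SA parameters still shape the inner IPv6 header that gets encrypted.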
@@ -264,10 +252,9 @@ class TemplateIpsec(VppTestCase):
IP(src=src, dst=dst) / ICMP() / Raw(b'X' * payload_size)
for i in range(count)]
- def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=54):
+ def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
- IPv6(src=src, dst=dst,
- hlim=p.inner_hop_limit, fl=p.inner_flow_label) /
+ IPv6(src=src, dst=dst) /
ICMPv6EchoRequest(id=0, seq=1, data='X' * payload_size)
for i in range(count)]
@@ -958,7 +945,7 @@ class IpsecTun4(object):
self.assert_equal(recv_pkt[IPv6].src, p.remote_tun_if_host6)
self.assert_equal(recv_pkt[IPv6].dst, self.pg1.remote_ip6)
self.assert_packet_checksums_valid(recv_pkt)
- send_pkts = self.gen_pkts6(p, self.pg1, src=self.pg1.remote_ip6,
+ send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
dst=p.remote_tun_if_host6, count=count)
recv_pkts = self.send_and_expect(self.pg1, send_pkts, self.tun_if)
for recv_pkt in recv_pkts:
@@ -1047,9 +1034,6 @@ class IpsecTun6(object):
self.assert_packet_checksums_valid(rx)
self.assertEqual(len(rx) - len(Ether()) - len(IPv6()),
rx[IPv6].plen)
- self.assert_equal(rx[IPv6].hlim, p.outer_hop_limit)
- if p.outer_flow_label:
- self.assert_equal(rx[IPv6].fl, p.outer_flow_label)
try:
decrypt_pkt = p.vpp_tun_sa.decrypt(rx[IPv6])
if not decrypt_pkt.haslayer(IPv6):
@@ -1057,8 +1041,6 @@ class IpsecTun6(object):
self.assert_packet_checksums_valid(decrypt_pkt)
self.assert_equal(decrypt_pkt.src, self.pg1.remote_ip6)
self.assert_equal(decrypt_pkt.dst, p.remote_tun_if_host)
- self.assert_equal(decrypt_pkt.hlim, p.inner_hop_limit - 1)
- self.assert_equal(decrypt_pkt.fl, p.inner_flow_label)
except:
self.logger.debug(ppp("Unexpected packet:", rx))
try:
@@ -1094,7 +1076,7 @@ class IpsecTun6(object):
recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
self.verify_decrypted6(p_in, recv_pkts)
- send_pkts = self.gen_pkts6(p_in, self.pg1, src=self.pg1.remote_ip6,
+ send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
dst=p_out.remote_tun_if_host,
count=count,
payload_size=payload_size)
@@ -1126,7 +1108,7 @@ class IpsecTun6(object):
self.pg1, n_rx=1)
self.verify_decrypted6(p, recv_pkts)
- send_pkts = self.gen_pkts6(p, self.pg1, src=self.pg1.remote_ip6,
+ send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
dst=p.remote_tun_if_host,
count=1,
payload_size=64)
@@ -1216,7 +1198,7 @@ class IpsecTun6HandoffTests(IpsecTun6):
self.pg1, worker=worker)
self.verify_decrypted6(p, recv_pkts)
- send_pkts = self.gen_pkts6(p, self.pg1, src=self.pg1.remote_ip6,
+ send_pkts = self.gen_pkts6(self.pg1, src=self.pg1.remote_ip6,
dst=p.remote_tun_if_host,
count=N_PKTS)
recv_pkts = self.send_and_expect(self.pg1, send_pkts,
diff --git a/test/test_ipsec_ah.py b/test/test_ipsec_ah.py
index ef6725e6a10..d44492ddd26 100644
--- a/test/test_ipsec_ah.py
+++ b/test/test_ipsec_ah.py
@@ -126,8 +126,6 @@ class ConfigIpsecAH(TemplateIpsec):
tun_flags = params.tun_flags
e = VppEnum.vl_api_ipsec_spd_action_t
objs = []
- params.outer_hop_limit = 253
- params.outer_flow_label = 0x12345
params.tun_sa_in = VppIpsecSA(self, scapy_tun_sa_id, scapy_tun_spi,
auth_algo_vpp_id, auth_key,
@@ -338,7 +336,7 @@ class TestIpsecAhTun(TemplateIpsecAh, IpsecTun46Tests):
Raw(b'X' * payload_size)
for i in range(count)]
- def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=54):
+ def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
# set the DSCP + ECN - flags are set to copy both
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
IPv6(src=src, dst=dst, tc=5) /
@@ -377,7 +375,7 @@ class TestIpsecAhTun2(TemplateIpsecAh, IpsecTun46Tests):
Raw(b'X' * payload_size)
for i in range(count)]
- def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=54):
+ def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
# set the DSCP + ECN - flags are set to copy both
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
IPv6(src=src, dst=dst, tc=0) /
diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py
index 11d44049aeb..178b1d248bf 100644
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@@ -123,8 +123,7 @@ class ConfigIpsecESP(TemplateIpsec):
tun_flags=tun_flags,
dscp=params.dscp,
flags=flags,
- salt=salt,
- hop_limit=params.outer_hop_limit)
+ salt=salt)
params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi,
auth_algo_vpp_id, auth_key,
crypt_algo_vpp_id, crypt_key,
@@ -134,8 +133,7 @@ class ConfigIpsecESP(TemplateIpsec):
tun_flags=tun_flags,
dscp=params.dscp,
flags=flags,
- salt=salt,
- hop_limit=params.outer_hop_limit)
+ salt=salt)
objs.append(params.tun_sa_in)
objs.append(params.tun_sa_out)
@@ -403,7 +401,7 @@ class TestIpsecEspTun(TemplateIpsecEsp, IpsecTun46Tests):
Raw(b'X' * payload_size)
for i in range(count)]
- def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=54):
+ def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
# set the DSCP + ECN - flags are set to copy both
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
IPv6(src=src, dst=dst, tc=5) /
@@ -435,13 +433,15 @@ class TestIpsecEspTun2(TemplateIpsecEsp, IpsecTun46Tests):
super(TestIpsecEspTun2, self).setUp()
def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy only DSCP
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
IP(src=src, dst=dst) /
UDP(sport=4444, dport=4444) /
Raw(b'X' * payload_size)
for i in range(count)]
- def gen_pkts6(self, p, sw_intf, src, dst, count=1, payload_size=54):
+ def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54):
+ # set the DSCP + ECN - flags are set to copy both
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
IPv6(src=src, dst=dst) /
UDP(sport=4444, dport=4444) /
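Review bot: The two comments added in TestIpsecEspTun2 describe behaviour these generators do not have: `gen_pkts` builds `IP(src=src, dst=dst)` and `gen_pkts6` builds `IPv6(src=src, dst=dst)` with no `tos`/`tc`, so no DSCP or ECN is set on the inner packet. They read like copies of the comment in TestIpsecEspTun, where `tc=5` is actually set. A comment such as `# inner DSCP/ECN left at default; outer DSCP is expected to come from the SA` would match the code, assuming that is the intent. The reworded comments in the following hunk ("is copied", "DSCP & ECN are copied") have the same problem, since those assertions compare against a fixed `IP_API_DSCP_* << 2` value rather than anything taken from the inner header. The body of `gen_pkts6` continues past the end of this hunk.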
@@ -449,13 +449,13 @@ class TestIpsecEspTun2(TemplateIpsecEsp, IpsecTun46Tests):
for i in range(count)]
def verify_encrypted(self, p, sa, rxs):
- # just check that only the DSCP is set
+ # just check that only the DSCP is copied
for rx in rxs:
self.assertEqual(rx[IP].tos,
VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2)
def verify_encrypted6(self, p, sa, rxs):
- # just check that the DSCP is set
+ # just check that the DSCP & ECN are copied
for rx in rxs:
self.assertEqual(rx[IPv6].tc,
VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11 << 2)
@@ -684,7 +684,6 @@ class RunTestIpsecEspAll(ConfigIpsecESP,
p.crypt_key = algo['key']
p.salt = algo['salt']
p.flags = p.flags | flag
- p.outer_flow_label = 243224
self.reporter.send_keep_alive(self)
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
index 2ef1351ae7f..5bcd9ddfae0 100644
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@@ -1494,7 +1494,7 @@ class TestIpsecGre6IfEspTra(TemplateIpsec,
Raw(b'X' * payload_size))
for i in range(count)]
- def gen_pkts6(self, p, sw_intf, src, dst, count=1,
+ def gen_pkts6(self, sw_intf, src, dst, count=1,
payload_size=100):
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
IPv6(src="1::1", dst="1::2") /
@@ -1724,7 +1724,7 @@ class TestIpsecMGreIfEspTra6(TemplateIpsec, IpsecTun6):
Raw(b'X' * payload_size))
for i in range(count)]
- def gen_pkts6(self, p, sw_intf, src, dst, count=1,
+ def gen_pkts6(self, sw_intf, src, dst, count=1,
payload_size=100):
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
IPv6(src="1::1", dst=dst) /
@@ -2263,7 +2263,7 @@ class TestIpsec6TunProtectTun(TemplateIpsec,
Raw(b'X' * payload_size))
for i in range(count)]
- def gen_pkts6(self, p, sw_intf, src, dst, count=1,
+ def gen_pkts6(self, sw_intf, src, dst, count=1,
payload_size=100):
return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) /
IPv6(src=src, dst=dst) /
@@ -2659,19 +2659,12 @@ class TemplateIpsecItf6(object):
def config_sa_tun(self, p, src, dst):
config_tun_params(p, self.encryption_type, None, src, dst)
- if not hasattr(p, 'tun_flags'):
- p.tun_flags = None
- if not hasattr(p, 'hop_limit'):
- p.hop_limit = 255
-
p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi,
p.auth_algo_vpp_id, p.auth_key,
p.crypt_algo_vpp_id, p.crypt_key,
self.vpp_esp_protocol,
src, dst,
- flags=p.flags,
- tun_flags=p.tun_flags,
- hop_limit=p.hop_limit)
+ flags=p.flags)
p.tun_sa_out.add_vpp_config()
p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi,
@@ -2736,13 +2729,8 @@ class TestIpsecItf6(TemplateIpsec,
def test_tun_44(self):
"""IPSEC interface IPv6"""
- tf = VppEnum.vl_api_tunnel_encap_decap_flags_t
n_pkts = 127
p = self.ipv6_params
- p.inner_hop_limit = 24
- p.outer_hop_limit = 23
- p.outer_flow_label = 243224
- p.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_HOP_LIMIT
self.config_network(p)
self.config_sa_tun(p,
@@ -2788,12 +2776,6 @@ class TestIpsecItf6(TemplateIpsec,
np.vpp_tun_sa_id += 1
np.tun_if.local_spi = p.vpp_tun_spi
np.tun_if.remote_spi = p.scapy_tun_spi
- np.inner_hop_limit = 24
- np.outer_hop_limit = 128
- np.inner_flow_label = 0xabcde
- np.outer_flow_label = 0xabcde
- np.hop_limit = 128
- np.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_FLOW_LABEL
self.config_sa_tun(np,
self.pg0.local_ip6,
@@ -2846,7 +2828,6 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
try:
self.assertEqual(rx[IP].tos,
VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2)
- self.assertEqual(rx[IP].ttl, p.hop_limit)
pkt = sa.decrypt(rx[IP])
if not pkt.haslayer(IP):
pkt = IP(pkt[Raw].load)
@@ -2895,7 +2876,6 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
p.scapy_tra_spi = p.scapy_tra_spi + ii
p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii
p.vpp_tra_spi = p.vpp_tra_spi + ii
- p.hop_limit = ii+10
p.tun_sa_out = VppIpsecSA(
self, p.scapy_tun_sa_id, p.scapy_tun_spi,
p.auth_algo_vpp_id, p.auth_key,
@@ -2903,8 +2883,7 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
self.vpp_esp_protocol,
self.pg0.local_ip4,
self.pg0.remote_hosts[ii].ip4,
- dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF,
- hop_limit=p.hop_limit)
+ dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF)
p.tun_sa_out.add_vpp_config()
p.tun_sa_in = VppIpsecSA(
@@ -2914,8 +2893,7 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4):
self.vpp_esp_protocol,
self.pg0.remote_hosts[ii].ip4,
self.pg0.local_ip4,
- dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF,
- hop_limit=p.hop_limit)
+ dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF)
p.tun_sa_in.add_vpp_config()
p.tun_protect = VppIpsecTunProtect(
diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py
index d0ceeae2e4d..013e3d7310b 100644
--- a/test/vpp_ipsec.py
+++ b/test/vpp_ipsec.py
@@ -194,7 +194,7 @@ class VppIpsecSA(VppObject):
tun_src=None, tun_dst=None,
flags=None, salt=0, tun_flags=None,
dscp=None,
- udp_src=None, udp_dst=None, hop_limit=None):
+ udp_src=None, udp_dst=None):
e = VppEnum.vl_api_ipsec_sad_flags_t
self.test = test
self.id = id
@@ -206,7 +206,6 @@ class VppIpsecSA(VppObject):
self.proto = proto
self.salt = salt
- self.table_id = 0
self.tun_src = tun_src
self.tun_dst = tun_dst
if not flags:
@@ -229,18 +228,6 @@ class VppIpsecSA(VppObject):
self.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_CS0
if dscp:
self.dscp = dscp
- self.hop_limit = 255
- if hop_limit:
- self.hop_limit = hop_limit
-
- def tunnel_encode(self):
- return {'src': (self.tun_src if self.tun_src else []),
- 'dst': (self.tun_dst if self.tun_dst else []),
- 'encap_decap_flags': self.tun_flags,
- 'dscp': self.dscp,
- 'hop_limit': self.hop_limit,
- 'table_id': self.table_id
- }
def add_vpp_config(self):
entry = {
@@ -257,7 +244,10 @@ class VppIpsecSA(VppObject):
'length': len(self.crypto_key),
},
'protocol': self.proto,
- 'tunnel': self.tunnel_encode(),
+ 'tunnel_src': (self.tun_src if self.tun_src else []),
+ 'tunnel_dst': (self.tun_dst if self.tun_dst else []),
+ 'tunnel_flags': self.tun_flags,
+ 'dscp': self.dscp,
'flags': self.flags,
'salt': self.salt
}
@@ -266,13 +256,13 @@ class VppIpsecSA(VppObject):
entry['udp_src_port'] = self.udp_src
if self.udp_dst:
entry['udp_dst_port'] = self.udp_dst
- r = self.test.vapi.ipsec_sad_entry_add_del_v3(is_add=1, entry=entry)
+ r = self.test.vapi.ipsec_sad_entry_add_del_v2(is_add=1, entry=entry)
self.stat_index = r.stat_index
self.test.registry.register(self, self.test.logger)
return self
def remove_vpp_config(self):
- r = self.test.vapi.ipsec_sad_entry_add_del_v3(
+ r = self.test.vapi.ipsec_sad_entry_add_del_v2(
is_add=0,
entry={
'sad_id': self.id,
@@ -288,7 +278,9 @@ class VppIpsecSA(VppObject):
'length': len(self.crypto_key),
},
'protocol': self.proto,
- 'tunnel': self.tunnel_encode(),
+ 'tunnel_src': (self.tun_src if self.tun_src else []),
+ 'tunnel_dst': (self.tun_dst if self.tun_dst else []),
+ 'flags': self.flags,
'salt': self.salt
})
@@ -298,7 +290,7 @@ class VppIpsecSA(VppObject):
def query_vpp_config(self):
e = VppEnum.vl_api_ipsec_sad_flags_t
- bs = self.test.vapi.ipsec_sa_v3_dump()
+ bs = self.test.vapi.ipsec_sa_v2_dump()
for b in bs:
if b.entry.sad_id == self.id:
# if udp encap is configured then the ports should match