author | Neale Ranns <neale@graphiant.com> | 2022-01-10 10:38:43 +0000 |
---|---|---|
committer | Matthew Smith <mgsmith@netgate.com> | 2022-01-17 19:55:13 +0000 |
commit | 49378f206b8e780a898e632f7dd8db912b9b118e (patch) | |
tree | 35c6629f14b753878251fe92d5afcdd9c837554b /test | |
parent | 88a9c0e02ab919cadd4e035133995a6afb4d1c32 (diff) |
ipsec: IPSec interface correct drop w/ no protection
Type: improvement
When an IPSec interface is first constructed, the end node of the feature arc is not changed, which means it is interface-output.
This means that traffic directed into adjacencies on the link, that do not have protection (w/ an SA), drop like this:
...
00:00:01:111710: ip4-midchain
tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:6 flags:[]
stacked-on:
[@1]: dpo-drop ip4 flow hash: 0x00000000
00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858
00000020: 58585858585858585858585858585858585858585858585858585858
00:00:01:111829: local0-output
ipsec0
00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858
00000020: 5858585858585858585858585858585858585858585858585858585858585858
00000040: 58585858585858585858585858585858585858585858585858585858c2cf08c0
00000060: 2a2c103cd0126bd8b03c4ec20ce2bd02dd77b3e3a4f49664
00:00:01:112017: error-drop
rx:pg1
00:00:01:112034: drop
local0-output: interface is down
Although that is a drop, no packets should go to local0, and we want all IPvX packets to go through ipX-drop.
This change sets the interface's end-arc node to the appropriate drop node when the interface is created, and when the last protection is removed.
The resulting drop is:
...
00:00:01:111504: ip4-midchain
tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:0 flags:[]
stacked-on:
[@1]: dpo-drop ip4 flow hash: 0x00000000
00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858
00000020: 58585858585858585858585858585858585858585858585858585858
00:00:01:111533: ip4-drop
ICMP: 172.16.2.2 -> 1.1.1.1
tos 0x00, ttl 63, length 92, checksum 0xcb8c dscp CS0 ecn NON_ECN
fragment id 0x0001
ICMP echo_request checksum 0xecf4 id 0
00:00:01:111620: error-drop
rx:pg1
00:00:01:111640: drop
null-node: blackholed packets
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: I7e7de23c541d9f1210a05e6984a688f1f821a155
Diffstat (limited to 'test')
-rw-r--r-- | test/template_ipsec.py | 19 | ||||
-rw-r--r-- | test/test_ipsec_tun_if_esp.py | 14 |
2 files changed, 28 insertions, 5 deletions
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index d9a9d1b78c1..9927cc7bcc3 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -1375,7 +1375,17 @@ class IpsecTun6(object):
             pass
             raise
 
-    def verify_drop_tun_66(self, p_in, count=1, payload_size=64):
+    def verify_drop_tun_tx_66(self, p_in, count=1, payload_size=64):
+        self.vapi.cli("clear errors")
+        self.vapi.cli("clear ipsec sa")
+
+        send_pkts = self.gen_pkts6(p_in, self.pg1, src=self.pg1.remote_ip6,
+                                   dst=p_in.remote_tun_if_host, count=count,
+                                   payload_size=payload_size)
+        self.send_and_assert_no_replies(self.tun_if, send_pkts)
+        self.logger.info(self.vapi.cli("sh punt stats"))
+
+    def verify_drop_tun_rx_66(self, p_in, count=1, payload_size=64):
         self.vapi.cli("clear errors")
         self.vapi.cli("clear ipsec sa")
 
@@ -1385,7 +1395,12 @@ class IpsecTun6(object):
                                    dst=self.pg1.remote_ip6, count=count)
         self.send_and_assert_no_replies(self.tun_if, send_pkts)
 
-        self.logger.info(self.vapi.cli("sh punt stats"))
+
+    def verify_drop_tun_66(self, p_in, count=1, payload_size=64):
+        self.verify_drop_tun_tx_66(p_in, count=count,
+                                   payload_size=payload_size)
+        self.verify_drop_tun_rx_66(p_in, count=count,
+                                   payload_size=payload_size)
 
     def verify_tun_66(self, p_in, p_out=None, count=1, payload_size=64):
         self.vapi.cli("clear errors")
diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py
index 6865c9050a9..8b6f619b47f 100644
--- a/test/test_ipsec_tun_if_esp.py
+++ b/test/test_ipsec_tun_if_esp.py
@@ -2345,7 +2345,7 @@ class TestIpsec6TunProtect(TemplateIpsec,
         p.tun_protect.update_vpp_config(np3.tun_sa_out,
                                         [np3.tun_sa_in])
         self.verify_tun_66(np3, np3, count=127)
-        self.verify_drop_tun_66(np, count=127)
+        self.verify_drop_tun_rx_66(np, count=127)
 
         self.assertEqual(p.tun_if.get_rx_stats(), 127*9)
         self.assertEqual(p.tun_if.get_tx_stats(), 127*8)
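Review bot: `verify_drop_tun_tx_66` builds its packets with `self.gen_pkts6(p_in, self.pg1, ...)` sourced from pg1's remote address but injects them on `self.tun_if`, the same interface the rx variant uses; if the tx case is meant to exercise the unprotected interface's output path, the packets presumably need to enter on `self.pg1` — worth checking against how `verify_tun_66` sends its cleartext, which lies outside this hunk. `send_and_assert_no_replies` also passes under the old `local0-output` drop the commit message describes, so the test does not pin the new `ip6-drop` behaviour; asserting the relevant drop error counter after the send would make a regression visible. None of the three methods carries a docstring; suggest `"""Send cleartext towards the tunnel peer and assert it is dropped (no protection)."""` on the tx variant, with matching one-liners for the rx and combined methods in the next hunk.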
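Review bot: The switch to `verify_drop_tun_rx_66` after `update_vpp_config(np3...)` leaves the reason unstated: presumably the interface is still protected (now by np3), so only traffic encrypted with np's stale SAs is expected to drop and the tx half of the old check would no longer be a drop case. A one-line comment such as `# np's SAs are no longer the protection; only their rx path must drop` would spare the next reader that deduction.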
@@ -2621,6 +2621,10 @@ class TestIpsecItf4(TemplateIpsec,
         p = self.ipv4_params
         self.config_network(p)
+        config_tun_params(p, self.encryption_type, None,
+                          self.pg0.local_ip4,
+                          self.pg0.remote_ip4)
+
         self.verify_tun_dropped_44(p, count=n_pkts)
         self.config_sa_tun(p,
                            self.pg0.local_ip4,
                            self.pg0.remote_ip4)
@@ -2693,7 +2697,7 @@ class TestIpsecItf4(TemplateIpsec,
                            self.pg0.remote_ip4)
         self.config_protect(p)
 
-        self.logger.error(self.vapi.cli("sh ipsec sa"))
+        self.logger.info(self.vapi.cli("sh ipsec sa"))
         self.verify_tun_44(p, count=n_pkts)
 
         # teardown
@@ -2912,7 +2916,7 @@ class TestIpsecItf6(TemplateIpsec,
     def tearDown(self):
         super(TestIpsecItf6, self).tearDown()
 
-    def test_tun_44(self):
+    def test_tun_66(self):
         """IPSEC interface IPv6"""
         tf = VppEnum.vl_api_tunnel_encap_decap_flags_t
@@ -2924,6 +2928,10 @@ class TestIpsecItf6(TemplateIpsec,
         p.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_HOP_LIMIT
         self.config_network(p)
+        config_tun_params(p, self.encryption_type, None,
+                          self.pg0.local_ip6,
+                          self.pg0.remote_ip6)
+
         self.verify_drop_tun_66(p, count=n_pkts)
         self.config_sa_tun(p,
                            self.pg0.local_ip6,
                            self.pg0.remote_ip6)
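Review bot: `config_tun_params(p, self.encryption_type, None, self.pg0.local_ip4, self.pg0.remote_ip4)` passes a bare positional `None` whose meaning is invisible at the call site; passing it by keyword (the parameter's name is outside this diff) would document what is intentionally left unset. The same call shape appears in the IPv6 hunk at `@@ -2924`. A short comment on why the tunnel parameters are needed before `verify_tun_dropped_44` would also help, e.g. `# tunnel params without SAs: the drop test needs the peer addresses` — assuming that is the reason, since `config_sa_tun` follows with the same endpoints.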