authorFilip Tehlar <ftehlar@cisco.com>2020-02-04 09:36:04 +0000
committerDamjan Marion <dmarion@me.com>2020-02-11 23:07:38 +0000
commitefcad1a9d22c4a664f3004cafe09d9c3a68e1620 (patch)
tree5d0668c307083f096f6034d5ae8a608078640d18 /test
parent16d974ec59776f0103ad62d0d04dc57989eef7ed (diff)
ipsec: add support for chained buffers
Type: feature Change-Id: Ie072a7c2bbb1e4a77f7001754f01897efd30fc53 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Diffstat (limited to 'test')
-rw-r--r--test/template_ipsec.py58
-rw-r--r--test/test_ipsec_esp.py23
2 files changed, 30 insertions, 51 deletions
diff --git a/test/template_ipsec.py b/test/template_ipsec.py
index 2eeb63c16d1..56f4b456468 100644
--- a/test/template_ipsec.py
+++ b/test/template_ipsec.py
@@ -556,7 +556,7 @@ class IpsecTra4(object):
p.scapy_tra_sa.seq_num = 351
p.vpp_tra_sa.seq_num = 351
- def verify_tra_basic4(self, count=1):
+ def verify_tra_basic4(self, count=1, payload_size=54):
""" ipsec v4 transport basic test """
self.vapi.cli("clear errors")
self.vapi.cli("clear ipsec sa")
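Review bot: The new default `payload_size=54` on `verify_tra_basic4` is a bare literal, and the same literal is repeated on `verify_tra_basic6` in the IpsecTra6 hunk below; nothing visible says what 54 corresponds to. A shared module-level name such as `DEFAULT_PAYLOAD_SIZE = 54`, used in both signatures, would keep the two in step. The docstring could also gain a line such as `payload_size: payload bytes per generated packet`, noting (if that is the intent) that sizes beyond a single buffer exercise the chained-buffer path. The body of verify_tra_basic4 continues outside this hunk.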
@@ -565,7 +565,8 @@ class IpsecTra4(object):
send_pkts = self.gen_encrypt_pkts(p.scapy_tra_sa, self.tra_if,
src=self.tra_if.remote_ip4,
dst=self.tra_if.local_ip4,
- count=count)
+ count=count,
+ payload_size=payload_size)
recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
self.tra_if)
for rx in recv_pkts:
@@ -611,14 +612,16 @@ class IpsecTra4Tests(IpsecTra4):
class IpsecTra6(object):
""" verify methods for Transport v6 """
- def verify_tra_basic6(self, count=1):
+ def verify_tra_basic6(self, count=1, payload_size=54):
self.vapi.cli("clear errors")
+ self.vapi.cli("clear ipsec sa")
try:
p = self.params[socket.AF_INET6]
send_pkts = self.gen_encrypt_pkts6(p.scapy_tra_sa, self.tra_if,
src=self.tra_if.remote_ip6,
dst=self.tra_if.local_ip6,
- count=count)
+ count=count,
+ payload_size=payload_size)
recv_pkts = self.send_and_expect(self.tra_if, send_pkts,
self.tra_if)
for rx in recv_pkts:
@@ -834,7 +837,8 @@ class IpsecTun4(object):
send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if,
src=p.remote_tun_if_host,
dst=self.pg1.remote_ip4,
- count=count)
+ count=count,
+ payload_size=payload_size)
recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
self.verify_decrypted(p, recv_pkts)
@@ -857,41 +861,6 @@ class IpsecTun4(object):
self.logger.info(self.vapi.ppcli("show ipsec sa 4"))
self.verify_counters4(p, count, n_rx)
- """ verify methods for Transport v4 """
- def verify_tun_44_bad_packet_sizes(self, p):
- # with a buffer size of 2048, 1989 bytes of payload
- # means there isn't space to insert the ESP header
- N_PKTS = 63
- for p_siz in [1989, 8500]:
- send_pkts = self.gen_encrypt_pkts(p.scapy_tun_sa, self.tun_if,
- src=p.remote_tun_if_host,
- dst=self.pg1.remote_ip4,
- count=N_PKTS,
- payload_size=p_siz)
- self.send_and_assert_no_replies(self.tun_if, send_pkts)
- send_pkts = self.gen_pkts(self.pg1, src=self.pg1.remote_ip4,
- dst=p.remote_tun_if_host, count=N_PKTS,
- payload_size=p_siz)
- self.send_and_assert_no_replies(self.pg1, send_pkts,
- self.tun_if)
-
- # both large packets on decrpyt count against chained buffers
- # the 9000 bytes one does on encrypt
- self.assertEqual(2 * N_PKTS,
- self.statistics.get_err_counter(
- '/err/%s/chained buffers (packet dropped)' %
- self.tun4_decrypt_node_name))
- self.assertEqual(N_PKTS,
- self.statistics.get_err_counter(
- '/err/%s/chained buffers (packet dropped)' %
- self.tun4_encrypt_node_name))
-
- # on encrypt the 1989 size is no trailer space
- self.assertEqual(N_PKTS,
- self.statistics.get_err_counter(
- '/err/%s/no trailer space (packet dropped)' %
- self.tun4_encrypt_node_name))
-
def verify_tun_reass_44(self, p):
self.vapi.cli("clear errors")
self.vapi.ip_reassembly_enable_disable(
@@ -996,12 +965,6 @@ class IpsecTun4Tests(IpsecTun4):
self.verify_tun_44(self.params[socket.AF_INET], count=127)
-class IpsecTunEsp4Tests(IpsecTun4):
- def test_tun_bad_packet_sizes(self):
- """ ipsec v4 tunnel bad packet size """
- self.verify_tun_44_bad_packet_sizes(self.params[socket.AF_INET])
-
-
class IpsecTun6(object):
""" verify methods for Tunnel v6 """
def verify_counters6(self, p_in, p_out, count, worker=None):
@@ -1064,7 +1027,8 @@ class IpsecTun6(object):
send_pkts = self.gen_encrypt_pkts6(p_in.scapy_tun_sa, self.tun_if,
src=p_in.remote_tun_if_host,
dst=self.pg1.remote_ip6,
- count=count)
+ count=count,
+ payload_size=payload_size)
recv_pkts = self.send_and_expect(self.tun_if, send_pkts, self.pg1)
self.verify_decrypted6(p_in, recv_pkts)
diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py
index 60e5c93ed65..5b057e750cc 100644
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@@ -10,7 +10,7 @@ from template_ipsec import IpsecTra46Tests, IpsecTun46Tests, TemplateIpsec, \
config_tun_params, IPsecIPv4Params, IPsecIPv6Params, \
IpsecTra4, IpsecTun4, IpsecTra6, IpsecTun6, \
IpsecTun6HandoffTests, IpsecTun4HandoffTests, \
- IpsecTra6ExtTests, IpsecTunEsp4Tests
+ IpsecTra6ExtTests
from vpp_ipsec import VppIpsecSpd, VppIpsecSpdEntry, VppIpsecSA,\
VppIpsecSpdItfBinding
from vpp_ip_route import VppIpRoute, VppRoutePath
@@ -18,6 +18,7 @@ from vpp_ip import DpoProto
from vpp_papi import VppEnum
NUM_PKTS = 67
+engines_supporting_chain_bufs = ["openssl"]
class ConfigIpsecESP(TemplateIpsec):
@@ -288,8 +289,7 @@ class TemplateIpsecEsp(ConfigIpsecESP):
class TestIpsecEsp1(TemplateIpsecEsp, IpsecTra46Tests,
- IpsecTun46Tests, IpsecTunEsp4Tests,
- IpsecTra6ExtTests):
+ IpsecTun46Tests, IpsecTra6ExtTests):
""" Ipsec ESP - TUN & TRA tests """
pass
@@ -469,7 +469,7 @@ class RunTestIpsecEspAll(ConfigIpsecESP,
def run_test(self):
self.run_a_test(self.engine, self.flag, self.algo)
- def run_a_test(self, engine, flag, algo):
+ def run_a_test(self, engine, flag, algo, payload_size=None):
self.vapi.cli("set crypto handler all %s" % engine)
self.ipv4_params = IPsecIPv4Params()
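Review bot: The new `payload_size=None` parameter on `run_a_test` is not read by any line this commit adds to the file; the large-packet loop further down takes its sizes from the local `LARGE_PKT_SZ` list instead. Unless a caller outside this diff passes it, the parameter is dead and advertises a tunable that does not exist. Either drop it, `def run_a_test(self, engine, flag, algo):`, or have the loop honour it when it is set. The body of run_a_test continues outside this hunk.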
@@ -508,6 +508,21 @@ class RunTestIpsecEspAll(ConfigIpsecESP,
self.verify_tun_44(self.params[socket.AF_INET],
count=NUM_PKTS)
+ LARGE_PKT_SZ = [
+ 4010, # ICV ends up splitted accross 2 buffers in esp_decrypt
+ # for transport4; transport6 takes normal path
+
+ 4020, # same as above but tra4 and tra6 are switched
+ ]
+ if self.engine in engines_supporting_chain_bufs:
+ for sz in LARGE_PKT_SZ:
+ self.verify_tra_basic4(count=NUM_PKTS, payload_size=sz)
+ self.verify_tra_basic6(count=NUM_PKTS, payload_size=sz)
+ self.verify_tun_66(self.params[socket.AF_INET6],
+ count=NUM_PKTS, payload_size=sz)
+ self.verify_tun_44(self.params[socket.AF_INET],
+ count=NUM_PKTS, payload_size=sz)
+
#
# remove the SPDs, SAs, etc
#
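Review bot: Engines not listed in `engines_supporting_chain_bufs` get no oversized-packet coverage after this commit: the large-payload loop is skipped for them, and the same commit deletes `verify_tun_44_bad_packet_sizes`, the only test visible here that asserted such packets are dropped and counted. Multi-buffer handling in the ESP encrypt/decrypt path is a memory-safety boundary, so the remaining engines deserve an `else` branch that sends the same sizes with `send_and_assert_no_replies` and checks the error counter they are expected to bump (which counter that is cannot be seen from this diff and needs confirming). Separately, the guard reads `self.engine` while the crypto handler was set from the `engine` argument; `if engine in engines_supporting_chain_bufs:` keeps the two from diverging if run_a_test is ever called with a different engine. The body of run_a_test starts outside this hunk.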