summaryrefslogtreecommitdiffstats
path: root/test/test_ipsec_spd_fp_input.py
diff options
context:
space:
mode:
Diffstat (limited to 'test/test_ipsec_spd_fp_input.py')
-rw-r--r--test/test_ipsec_spd_fp_input.py67
1 files changed, 35 insertions, 32 deletions
diff --git a/test/test_ipsec_spd_fp_input.py b/test/test_ipsec_spd_fp_input.py
index 9037ed25902..bf00c1c26ab 100644
--- a/test/test_ipsec_spd_fp_input.py
+++ b/test/test_ipsec_spd_fp_input.py
@@ -118,7 +118,10 @@ class IPSec4SpdTestCaseBypass(SpdFastPathInbound):
# create input rules
# bypass rule should take precedence over discard rule,
- # even though it's lower priority
+ # even though it's lower priority, because for input policies
+ # matching PROTECT policies precedes matching BYPASS policies
+ # which preceeds matching for DISCARD policies.
+ # Any hit stops the process.
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
self.pg1,
@@ -128,10 +131,10 @@ class IPSec4SpdTestCaseBypass(SpdFastPathInbound):
priority=10,
policy_type="bypass",
ip_range=True,
- local_ip_start=self.pg0.remote_ip4,
- local_ip_stop=self.pg0.remote_ip4,
- remote_ip_start=self.pg1.remote_ip4,
- remote_ip_stop=self.pg1.remote_ip4,
+ local_ip_start=self.pg1.remote_ip4,
+ local_ip_stop=self.pg1.remote_ip4,
+ remote_ip_start=self.pg0.remote_ip4,
+ remote_ip_stop=self.pg0.remote_ip4,
)
policy_1 = self.spd_add_rem_policy( # inbound, priority 15
1,
@@ -142,10 +145,10 @@ class IPSec4SpdTestCaseBypass(SpdFastPathInbound):
priority=15,
policy_type="discard",
ip_range=True,
- local_ip_start=self.pg0.remote_ip4,
- local_ip_stop=self.pg0.remote_ip4,
- remote_ip_start=self.pg1.remote_ip4,
- remote_ip_stop=self.pg1.remote_ip4,
+ local_ip_start=self.pg1.remote_ip4,
+ local_ip_stop=self.pg1.remote_ip4,
+ remote_ip_start=self.pg0.remote_ip4,
+ remote_ip_stop=self.pg0.remote_ip4,
)
# create output rule so we can capture forwarded packets
@@ -204,8 +207,8 @@ class IPSec4SpdTestCaseDiscard(SpdFastPathInbound):
# even though it's lower priority
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
@@ -215,8 +218,8 @@ class IPSec4SpdTestCaseDiscard(SpdFastPathInbound):
# create output rule so we can capture forwarded packets
policy_1 = self.spd_add_rem_policy( # outbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=1,
priority=10,
@@ -268,8 +271,8 @@ class IPSec4SpdTestCaseProtect(SpdFastPathInboundProtect):
p,
p.scapy_tra_sa,
self.tra_if,
- src=self.tra_if.local_ip4,
- dst=self.tra_if.remote_ip4,
+ src=self.tra_if.remote_ip4,
+ dst=self.tra_if.local_ip4,
count=pkt_count,
payload_size=payload_size,
)
@@ -326,10 +329,10 @@ class IPSec4SpdTestCaseAddIPRange(SpdFastPathInbound):
priority=10,
policy_type="bypass",
ip_range=True,
- local_ip_start=s_ip_s0,
- local_ip_stop=s_ip_e0,
- remote_ip_start=d_ip_s0,
- remote_ip_stop=d_ip_e0,
+ local_ip_start=d_ip_s0,
+ local_ip_stop=d_ip_e0,
+ remote_ip_start=s_ip_s0,
+ remote_ip_stop=s_ip_e0,
)
policy_1 = self.spd_add_rem_policy( # outbound, priority 5
1,
@@ -478,8 +481,8 @@ class IPSec4SpdTestCaseRemove(SpdFastPathInbound):
self.spd_create_and_intf_add(1, [self.pg0, self.pg1])
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
@@ -487,8 +490,8 @@ class IPSec4SpdTestCaseRemove(SpdFastPathInbound):
)
policy_1 = self.spd_add_rem_policy( # inbound, priority 5
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
@@ -533,8 +536,8 @@ class IPSec4SpdTestCaseRemove(SpdFastPathInbound):
# now remove the bypass rule
self.spd_add_rem_policy( # outbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
@@ -579,8 +582,8 @@ class IPSec4SpdTestCaseReadd(SpdFastPathInbound):
self.spd_create_and_intf_add(1, [self.pg0, self.pg1])
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
@@ -588,8 +591,8 @@ class IPSec4SpdTestCaseReadd(SpdFastPathInbound):
)
policy_1 = self.spd_add_rem_policy( # inbound, priority 5
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
@@ -633,8 +636,8 @@ class IPSec4SpdTestCaseReadd(SpdFastPathInbound):
# remove the bypass rule, leaving only the discard rule
self.spd_add_rem_policy( # inbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
@@ -659,8 +662,8 @@ class IPSec4SpdTestCaseReadd(SpdFastPathInbound):
# now readd the bypass rule
policy_0 = self.spd_add_rem_policy( # outbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
@@ -712,8 +715,8 @@ class IPSec4SpdTestCaseMultiple(SpdFastPathInbound):
# add rules on all interfaces
policy_01 = self.spd_add_rem_policy( # inbound, priority 10
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
@@ -721,8 +724,8 @@ class IPSec4SpdTestCaseMultiple(SpdFastPathInbound):
)
policy_02 = self.spd_add_rem_policy( # inbound, priority 5
1,
- self.pg0,
self.pg1,
+ self.pg0,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
@@ -731,8 +734,8 @@ class IPSec4SpdTestCaseMultiple(SpdFastPathInbound):
policy_11 = self.spd_add_rem_policy( # inbound, priority 10
1,
- self.pg1,
self.pg2,
+ self.pg1,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
@@ -740,8 +743,8 @@ class IPSec4SpdTestCaseMultiple(SpdFastPathInbound):
)
policy_12 = self.spd_add_rem_policy( # inbound, priority 5
1,
- self.pg1,
self.pg2,
+ self.pg1,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
@@ -750,8 +753,8 @@ class IPSec4SpdTestCaseMultiple(SpdFastPathInbound):
policy_21 = self.spd_add_rem_policy( # inbound, priority 5
1,
- self.pg2,
self.pg0,
+ self.pg2,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
@@ -759,8 +762,8 @@ class IPSec4SpdTestCaseMultiple(SpdFastPathInbound):
)
policy_22 = self.spd_add_rem_policy( # inbound, priority 10
1,
- self.pg2,
self.pg0,
+ self.pg2,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
@@ -852,8 +855,8 @@ class IPSec6SpdTestCaseProtect(SpdFastPathIPv6InboundProtect):
p,
p.scapy_tra_sa,
self.tra_if,
- src=self.tra_if.local_ip6,
- dst=self.tra_if.remote_ip6,
+ src=self.tra_if.remote_ip6,
+ dst=self.tra_if.local_ip6,
count=pkt_count,
payload_size=payload_size,
)