1 files changed, 308 insertions, 86 deletions

diff --git a/test/test_trace_filter.py b/test/test_trace_filter.py
index fd250ac17c7..58494cd7ad9 100644
--- a/test/test_trace_filter.py
+++ b/test/test_trace_filter.py
@@ -1,32 +1,35 @@
 #!/usr/bin/env python3
 
 import unittest
+import secrets
+import socket
 
-from framework import VppTestCase, VppTestRunner, running_extended_tests
-from vpp_ip_route import VppIpTable, VppIpRoute, VppRoutePath
+from framework import VppTestCase
+from asfframework import VppTestRunner
+from vpp_papi import VppEnum
+from vpp_ipsec import VppIpsecSA, VppIpsecSpd, VppIpsecSpdItfBinding, VppIpsecSpdEntry
 
 from scapy.contrib.geneve import GENEVE
 from scapy.packet import Raw
 from scapy.layers.l2 import Ether
-from scapy.layers.inet import IP, UDP
+from scapy.layers.inet import IP, UDP, TCP
 from scapy.layers.vxlan import VXLAN
+from scapy.layers.ipsec import ESP, SecurityAssociation
 from scapy.compat import raw
 from scapy.utils import rdpcap
 
 
-class TestTracefilter(VppTestCase):
-    """ Packet Tracer Filter Test """
-
+class TemplateTraceFilter(VppTestCase):
     @classmethod
     def setUpClass(cls):
-        super(TestTracefilter, cls).setUpClass()
+        super().setUpClass()
 
     @classmethod
     def tearDownClass(cls):
-        super(TestTracefilter, cls).tearDownClass()
+        super().tearDownClass()
 
     def setUp(self):
-        super(TestTracefilter, self).setUp()
+        super().setUp()
         self.create_pg_interfaces(range(2))
         self.pg0.generate_remote_hosts(11)
         for i in self.pg_interfaces:
@@ -35,7 +38,7 @@ class TestTracefilter(VppTestCase):
             i.resolve_arp()
 
     def tearDown(self):
-        super(TestTracefilter, self).tearDown()
+        super().tearDown()
         for i in self.pg_interfaces:
             i.unconfig()
             i.admin_down()
@@ -43,8 +46,11 @@ class TestTracefilter(VppTestCase):
     def cli(self, cmd):
         r = self.vapi.cli_return_response(cmd)
         if r.retval != 0:
-            s = "reply '%s'" % r.reply if hasattr(
-                r, "reply") else "retval '%s'" % r.retval
+            s = (
+                "reply '%s'" % r.reply
+                if hasattr(r, "reply")
+                else "retval '%s'" % r.retval
+            )
             raise RuntimeError("cli command '%s' FAIL with %s" % (cmd, s))
         return r
 
@@ -53,9 +59,12 @@ class TestTracefilter(VppTestCase):
         r = self.cli("show classify table verbose")
         self.assertTrue(r.reply.find("hits %i" % n) != -1)
 
+    def clear(self):
+        self.cli("clear trace")
+
     def add_trace_filter(self, mask, match):
         self.cli("classify filter trace mask %s match %s" % (mask, match))
-        self.cli("clear trace")
+        self.clear()
         self.cli("trace add pg-input 1000 filter")
 
     def del_trace_filters(self):
@@ -70,27 +79,46 @@ class TestTracefilter(VppTestCase):
         s = "pcap rx/tx/drop:               first table none"
         self.assertTrue(r.reply.find(s) != -1)
 
+    # install a classify rule, inject traffic and check for hits
+    def assert_classify(self, mask, match, packets, n=None):
+        self.add_trace_filter("hex %s" % mask, "hex %s" % match)
+        self.send_and_expect(self.pg0, packets, self.pg1, trace=False)
+        self.assert_hits(n if n is not None else len(packets))
+        self.del_trace_filters()
+
+
+class TestTracefilter(TemplateTraceFilter):
+    """Packet Tracer Filter Test"""
+
     def test_basic(self):
-        """ Packet Tracer Filter Test """
+        """Packet Tracer Filter Test"""
         self.add_trace_filter(
-            "l3 ip4 src",
-            "l3 ip4 src %s" %
-            self.pg0.remote_hosts[5].ip4)
+            "l3 ip4 src", "l3 ip4 src %s" % self.pg0.remote_hosts[5].ip4
+        )
         self.add_trace_filter(
-            "l3 ip4 proto l4 src_port",
-            "l3 ip4 proto 17 l4 src_port 2345")
+            "l3 ip4 proto l4 src_port", "l3 ip4 proto 17 l4 src_port 2345"
+        )
         # the packet we are trying to match
         p = list()
         for i in range(100):
             src = self.pg0.remote_hosts[i % len(self.pg0.remote_hosts)].ip4
-            p.append((Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
-                      IP(src=src, dst=self.pg1.remote_ip4) /
-                      UDP(sport=1234, dport=2345) / Raw('\xa5' * 100)))
+            p.append(
+                (
+                    Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
+                    / IP(src=src, dst=self.pg1.remote_ip4)
+                    / UDP(sport=1234, dport=2345)
+                    / Raw("\xa5" * 100)
+                )
+            )
         for i in range(17):
-            p.append((Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
-                      IP(src=self.pg0.remote_hosts[0].ip4,
-                         dst=self.pg1.remote_ip4) /
-                      UDP(sport=2345, dport=1234) / Raw('\xa5' * 100)))
+            p.append(
+                (
+                    Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
+                    / IP(src=self.pg0.remote_hosts[0].ip4, dst=self.pg1.remote_ip4)
+                    / UDP(sport=2345, dport=1234)
+                    / Raw("\xa5" * 100)
+                )
+            )
 
         self.send_and_expect(self.pg0, p, self.pg1, trace=False)
 
@@ -100,29 +128,24 @@ class TestTracefilter(VppTestCase):
 
         self.del_trace_filters()
 
-    # install a classify rule, inject traffic and check for hits
-    def assert_classify(self, mask, match, packets, n=None):
-        self.add_trace_filter("hex %s" % mask, "hex %s" % match)
-        self.send_and_expect(self.pg0, packets, self.pg1, trace=False)
-        self.assert_hits(n if n is not None else len(packets))
-        self.del_trace_filters()
-
     def test_encap(self):
-        """ Packet Tracer Filter Test with encap """
+        """Packet Tracer Filter Test with encap"""
 
         # the packet we are trying to match
-        p = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
-             IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4) /
-             UDP() /
-             VXLAN() /
-             Ether() /
-             IP() /
-             UDP() /
-             GENEVE(vni=1234) /
-             Ether() /
-             IP(src='192.168.4.167') /
-             UDP() /
-             Raw('\xa5' * 100))
+        p = (
+            Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
+            / IP(src=self.pg0.remote_ip4, dst=self.pg1.remote_ip4)
+            / UDP()
+            / VXLAN()
+            / Ether()
+            / IP()
+            / UDP()
+            / GENEVE(vni=1234)
+            / Ether()
+            / IP(src="192.168.4.167")
+            / UDP()
+            / Raw("\xa5" * 100)
+        )
 
         #
         # compute filter mask & value
@@ -130,29 +153,31 @@ class TestTracefilter(VppTestCase):
         # we need to set checksums to 0 to make sure scapy will not recompute
         # them
         #
-        tmpl = (Ether() /
-                IP(chksum=0) /
-                UDP(chksum=0) /
-                VXLAN() /
-                Ether() /
-                IP(chksum=0) /
-                UDP(chksum=0) /
-                GENEVE(vni=0) /
-                Ether() /
-                IP(src='0.0.0.0', chksum=0))
+        tmpl = (
+            Ether()
+            / IP(chksum=0)
+            / UDP(chksum=0)
+            / VXLAN()
+            / Ether()
+            / IP(chksum=0)
+            / UDP(chksum=0)
+            / GENEVE(vni=0)
+            / Ether()
+            / IP(src="0.0.0.0", chksum=0)
+        )
         ori = raw(tmpl)
 
         # the mask
-        tmpl[GENEVE].vni = 0xffffff
+        tmpl[GENEVE].vni = 0xFFFFFF
         user = tmpl[GENEVE].payload
-        user[IP].src = '255.255.255.255'
+        user[IP].src = "255.255.255.255"
         new = raw(tmpl)
         mask = "".join(("{:02x}".format(o ^ n) for o, n in zip(ori, new)))
 
         # this does not match (wrong vni)
         tmpl[GENEVE].vni = 1
         user = tmpl[GENEVE].payload
-        user[IP].src = '192.168.4.167'
+        user[IP].src = "192.168.4.167"
         new = raw(tmpl)
         match = "".join(("{:02x}".format(o ^ n) for o, n in zip(ori, new)))
         self.assert_classify(mask, match, [p] * 11, 0)
@@ -164,29 +189,41 @@ class TestTracefilter(VppTestCase):
         self.assert_classify(mask, match, [p] * 17)
 
     def test_pcap(self):
-        """ Packet Capture Filter Test """
+        """Packet Capture Filter Test"""
         self.cli(
-            "classify filter pcap mask l3 ip4 src match l3 ip4 src %s" %
-            self.pg0.remote_hosts[5].ip4)
+            "classify filter pcap mask l3 ip4 src match l3 ip4 src %s"
+            % self.pg0.remote_hosts[5].ip4
+        )
         self.cli(
             "classify filter pcap "
             "mask l3 ip4 proto l4 src_port "
-            "match l3 ip4 proto 17 l4 src_port 2345")
+            "match l3 ip4 proto 17 l4 src_port 2345"
+        )
         self.cli(
             "pcap trace rx tx max 1000 intfc pg0 "
-            "file vpp_test_trace_filter_test_pcap.pcap filter")
+            "file vpp_test_trace_filter_test_pcap.pcap filter"
+        )
         # the packet we are trying to match
         p = list()
         for i in range(100):
             src = self.pg0.remote_hosts[i % len(self.pg0.remote_hosts)].ip4
-            p.append((Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
-                      IP(src=src, dst=self.pg1.remote_ip4) /
-                      UDP(sport=1234, dport=2345) / Raw('\xa5' * 100)))
+            p.append(
+                (
+                    Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
+                    / IP(src=src, dst=self.pg1.remote_ip4)
+                    / UDP(sport=1234, dport=2345)
+                    / Raw("\xa5" * 100)
+                )
+            )
         for i in range(17):
-            p.append((Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
-                      IP(src=self.pg0.remote_hosts[0].ip4,
-                         dst=self.pg1.remote_ip4) /
-                      UDP(sport=2345, dport=1234) / Raw('\xa5' * 100)))
+            p.append(
+                (
+                    Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
+                    / IP(src=self.pg0.remote_hosts[0].ip4, dst=self.pg1.remote_ip4)
+                    / UDP(sport=2345, dport=1234)
+                    / Raw("\xa5" * 100)
+                )
+            )
 
         self.send_and_expect(self.pg0, p, self.pg1, trace=False)
 
@@ -208,28 +245,42 @@ class TestTracefilter(VppTestCase):
             self.assertEqual(str(pcap[i]), p_)
 
     def test_pcap_drop(self):
-        """ Drop Packet Capture Filter Test """
+        """Drop Packet Capture Filter Test"""
         self.cli(
             "pcap trace drop max 1000 "
-            "error {ip4-udp-lookup}.{No listener for dst port} "
-            "file vpp_test_trace_filter_test_pcap_drop.pcap")
+            "error {ip4-udp-lookup}.{no_listener} "
+            "file vpp_test_trace_filter_test_pcap_drop.pcap"
+        )
         # the packet we are trying to match
         p = list()
         for i in range(17):
             # this packet should be forwarded
-            p.append((Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
-                      IP(src=self.pg0.remote_hosts[0].ip4,
-                         dst=self.pg1.remote_ip4) /
-                      UDP(sport=2345, dport=1234) / Raw('\xa5' * 100)))
+            p.append(
+                (
+                    Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
+                    / IP(src=self.pg0.remote_hosts[0].ip4, dst=self.pg1.remote_ip4)
+                    / UDP(sport=2345, dport=1234)
+                    / Raw("\xa5" * 100)
+                )
+            )
             # this packet should be captured (no listener)
-            p.append((Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
-                      IP(src=self.pg0.remote_hosts[0].ip4,
-                         dst=self.pg0.local_ip4) /
-                      UDP(sport=2345, dport=1234) / Raw('\xa5' * 100)))
+            p.append(
+                (
+                    Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
+                    / IP(src=self.pg0.remote_hosts[0].ip4, dst=self.pg0.local_ip4)
+                    / UDP(sport=2345, dport=1234)
+                    / Raw("\xa5" * 100)
+                )
+            )
         # this packet will be blackholed but not captured
-        p.append((Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
-                  IP(src=self.pg0.remote_hosts[0].ip4, dst="0.0.0.0") /
-                  UDP(sport=2345, dport=1234) / Raw('\xa5' * 100)))
+        p.append(
+            (
+                Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
+                / IP(src=self.pg0.remote_hosts[0].ip4, dst="0.0.0.0")
+                / UDP(sport=2345, dport=1234)
+                / Raw("\xa5" * 100)
+            )
+        )
 
         self.send_and_expect(self.pg0, p, self.pg1, n_rx=17, trace=False)
 
@@ -240,5 +291,176 @@ class TestTracefilter(VppTestCase):
         self.assertEqual(len(pcap), 17)
 
 
-if __name__ == '__main__':
+class TestTraceFilterInner(TemplateTraceFilter):
+    """Packet Tracer Filter Inner Test"""
+
+    extra_vpp_plugin_config = [
+        "plugin tracenode_plugin.so {enable}",
+    ]
+
+    def add_trace_filter(self, mask, match, tn_feature_intfc_index=None):
+        if tn_feature_intfc_index is not None:
+            self.logger.info("fffff")
+            self.vapi.tracenode_enable_disable(sw_if_index=tn_feature_intfc_index)
+        super().add_trace_filter(mask, match)
+
+    def del_trace_filters(self, tn_feature_intfc_index=None):
+        if tn_feature_intfc_index is not None:
+            self.vapi.tracenode_enable_disable(
+                sw_if_index=tn_feature_intfc_index, enable=False
+            )
+        super().del_trace_filters()
+
+    def __add_sa(self, id_, tun_src, tun_dst):
+        # AES-CTR-128 / SHA2-256
+        crypto_key_length = 16
+        salt_length = 4
+        integ_key_lenght = 16
+        crypto_key = secrets.token_bytes(crypto_key_length)
+        salt = secrets.randbits(salt_length * 8)
+        integ_key = secrets.token_bytes(integ_key_lenght)
+
+        flags = VppEnum.vl_api_ipsec_sad_flags_t.IPSEC_API_SAD_FLAG_UDP_ENCAP
+
+        vpp_sa_in = VppIpsecSA(
+            test=self,
+            id=id_,
+            spi=id_,
+            integ_alg=VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_256_128,
+            integ_key=integ_key,
+            crypto_alg=VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CTR_128,
+            crypto_key=crypto_key,
+            proto=VppEnum.vl_api_ipsec_proto_t.IPSEC_API_PROTO_ESP,
+            flags=flags,
+            salt=salt,
+            tun_src=tun_src,
+            tun_dst=tun_dst,
+            udp_src=4500,
+            udp_dst=4500,
+        )
+        vpp_sa_in.add_vpp_config()
+
+        scapy_sa_in = SecurityAssociation(
+            ESP,
+            spi=id_,
+            crypt_algo="AES-CTR",
+            crypt_key=crypto_key + salt.to_bytes(salt_length, "big"),
+            auth_algo="SHA2-256-128",
+            auth_key=integ_key,
+            tunnel_header=IP(src=tun_src, dst=tun_dst),
+            nat_t_header=UDP(sport=4500, dport=4500),
+        )
+
+        id_ += 1
+
+        vpp_sa_out = VppIpsecSA(
+            test=self,
+            id=id_,
+            spi=id_,
+            integ_alg=VppEnum.vl_api_ipsec_integ_alg_t.IPSEC_API_INTEG_ALG_SHA_256_128,
+            integ_key=integ_key,
+            crypto_alg=VppEnum.vl_api_ipsec_crypto_alg_t.IPSEC_API_CRYPTO_ALG_AES_CTR_128,
+            crypto_key=crypto_key,
+            proto=VppEnum.vl_api_ipsec_proto_t.IPSEC_API_PROTO_ESP,
+            flags=flags,
+            salt=salt,
+            tun_src=tun_dst,
+            tun_dst=tun_src,
+            udp_src=4500,
+            udp_dst=4500,
+        )
+        vpp_sa_out.add_vpp_config()
+
+        scapy_sa_out = SecurityAssociation(
+            ESP,
+            spi=id_,
+            crypt_algo="AES-CTR",
+            crypt_key=crypto_key + salt.to_bytes(salt_length, "big"),
+            auth_algo="SHA2-256-128",
+            auth_key=integ_key,
+            tunnel_header=IP(src=tun_dst, dst=tun_src),
+            nat_t_header=UDP(sport=4500, dport=4500),
+        )
+
+        return vpp_sa_in, scapy_sa_in, vpp_sa_out, scapy_sa_out
+
+    def __gen_encrypt_pkt(self, scapy_sa, pkt):
+        return Ether(
+            src=self.pg0.local_mac, dst=self.pg0.remote_mac
+        ) / scapy_sa.encrypt(pkt)
+
+    def test_encrypted_encap(self):
+        """Packet Tracer Filter Test with encrypted encap"""
+
+        vpp_sa_in, scapy_sa_in, vpp_sa_out, _ = self.__add_sa(
+            1, self.pg0.local_ip4, self.pg0.remote_ip4
+        )
+
+        spd = VppIpsecSpd(self, 1)
+        spd.add_vpp_config()
+
+        spd_binding = VppIpsecSpdItfBinding(self, spd, self.pg0)
+        spd_binding.add_vpp_config()
+
+        spd_entry = VppIpsecSpdEntry(
+            self,
+            spd,
+            1,
+            self.pg0.local_ip4,
+            self.pg0.local_ip4,
+            self.pg0.remote_ip4,
+            self.pg0.remote_ip4,
+            socket.IPPROTO_ESP,
+            policy=VppEnum.vl_api_ipsec_spd_action_t.IPSEC_API_SPD_ACTION_PROTECT,
+            is_outbound=0,
+        ).add_vpp_config()
+
+        # the inner packet we are trying to match
+        inner_pkt = (
+            IP(src=self.pg1.local_ip4, dst=self.pg1.remote_ip4)
+            / TCP(sport=1234, dport=4321)
+            / Raw(b"\xa5" * 100)
+        )
+        pkt = self.__gen_encrypt_pkt(scapy_sa_in, inner_pkt)
+
+        # self.add_trace_filter("l3 ip4 src", f"l3 ip4 src {self.pg0.local_ip4}")
+
+        self.add_trace_filter(
+            "l2 none l3 ip4 src proto l4 dst_port",
+            f"l2 none l3 ip4 src {self.pg1.local_ip4} proto 6 l4 dst_port 4321",
+            tn_feature_intfc_index=self.pg0.sw_if_index,
+        )
+
+        self.logger.info("Sending packet with matching inner")
+        self.send_and_expect(self.pg0, pkt * 67, self.pg1, trace=False)
+        self.assert_hits(67)
+        self.clear()
+
+        self.logger.info("Sending packet with wrong inner port")
+        inner_pkt[TCP].dport = 1111
+        pkt = self.__gen_encrypt_pkt(scapy_sa_in, inner_pkt)
+        self.send_and_expect(self.pg0, pkt * 67, self.pg1, trace=False)
+        # the classify session should still have the 67 previous hits.
+        # In another way, the delta is 0
+        self.assert_hits(67)
+        self.clear()
+
+        self.logger.info("Sending packet with wrong source address")
+        inner_pkt[IP].src = "1.2.3.4"
+        inner_pkt[TCP].dport = 4321
+        pkt = self.__gen_encrypt_pkt(scapy_sa_in, inner_pkt)
+        self.send_and_expect(self.pg0, pkt * 67, self.pg1, trace=False)
+        self.assert_hits(67)
+        self.clear()
+
+        self.del_trace_filters(tn_feature_intfc_index=self.pg0.sw_if_index)
+
+        spd_entry.remove_vpp_config()
+        spd_binding.remove_vpp_config()
+        spd.remove_vpp_config()
+        vpp_sa_in.remove_vpp_config()
+        vpp_sa_out.remove_vpp_config()
+
+
+if __name__ == "__main__":
     unittest.main(testRunner=VppTestRunner)