ipsec: refactor security policies

Signed-off-by: Milan Lenco <milan.lenco@pantheon.tech>

clientv2/linux/data_change_api.go

@@ -118,6 +118,8 @@ type PutDSL interface {
 	IPSecSA(sa *ipsec.SecurityAssociation) PutDSL
 	// IPSecSPD adds request to create a new Security Policy Database
 	IPSecSPD(spd *ipsec.SecurityPolicyDatabase) PutDSL
+	// IPSecSP adds request to create a new Security Policy
+	IPSecSP(sp *ipsec.SecurityPolicy) PutDSL
 	// IPSecTunnelProtection adds request to create a new IPSec tunnel protection
 	IPSecTunnelProtection(tp *ipsec.TunnelProtection) PutDSL
 	// PuntIPRedirect adds request to create or update rule to punt L3 traffic via interface.
@@ -207,6 +209,8 @@ type DeleteDSL interface {
 	IPSecSA(saIndex uint32) DeleteDSL
 	// IPSecSPD adds request to delete a Security Policy Database
 	IPSecSPD(spdIndex uint32) DeleteDSL
+	// IPSecSP adds request to delete a Security Policy
+	IPSecSP(sp *ipsec.SecurityPolicy) DeleteDSL
 	// IPSecTunnelProtection adds request to delete an IPSec tunnel protection from an interface
 	IPSecTunnelProtection(tp *ipsec.TunnelProtection) DeleteDSL
 	// PuntIPRedirect adds request to delete a rule used to punt L3 traffic via interface.

clientv2/linux/data_resync_api.go

@@ -98,6 +98,8 @@ type DataResyncDSL interface {
 	IPSecSA(sa *ipsec.SecurityAssociation) DataResyncDSL
 	// IPSecSPD adds request to RESYNC a new Security Policy Database
 	IPSecSPD(spd *ipsec.SecurityPolicyDatabase) DataResyncDSL
+	// IPSecSP adds Security Policy to the RESYNC request
+	IPSecSP(sp *ipsec.SecurityPolicy) DataResyncDSL
 	// IPSecTunnelProtection adds request to RESYNC an IPSec tunnel protection
 	IPSecTunnelProtection(tp *ipsec.TunnelProtection) DataResyncDSL
 	// PuntIPRedirect adds request to RESYNC a rule used to punt L3 traffic via interface.

clientv2/linux/dbadapter/data_change_db.go

@@ -252,6 +252,12 @@ func (dsl *PutDSL) IPSecSPD(spd *ipsec.SecurityPolicyDatabase) linuxclient.PutDS
 	return dsl
 }
 
+// IPSecSP adds request to create a new Security Policy
+func (dsl *PutDSL) IPSecSP(sp *ipsec.SecurityPolicy) linuxclient.PutDSL {
+	dsl.vppPut.IPSecSP(sp)
+	return dsl
+}
+
 // IPSecTunnelProtection adds request to delete an IPSec tunnel protection from an interface
 func (dsl *PutDSL) IPSecTunnelProtection(tp *ipsec.TunnelProtection) linuxclient.PutDSL {
 	dsl.vppPut.IPSecTunnelProtection(tp)
@@ -477,6 +483,12 @@ func (dsl *DeleteDSL) IPSecSPD(spdIndex uint32) linuxclient.DeleteDSL {
 	return dsl
 }
 
+// IPSecSP adds request to delete a Security Policy
+func (dsl *DeleteDSL) IPSecSP(sp *ipsec.SecurityPolicy) linuxclient.DeleteDSL {
+	dsl.vppDelete.IPSecSP(sp)
+	return dsl
+}
+
 // IPSecTunnelProtection adds request to delete an IPSec tunnel protection from an interface
 func (dsl *DeleteDSL) IPSecTunnelProtection(tp *ipsec.TunnelProtection) linuxclient.DeleteDSL {
 	dsl.vppDelete.IPSecTunnelProtection(tp)

clientv2/linux/dbadapter/data_resync_db.go

@@ -246,6 +246,12 @@ func (dsl *DataResyncDSL) IPSecSPD(spd *ipsec.SecurityPolicyDatabase) linuxclien
 	return dsl
 }
 
+// IPSecSPD adds Security Policy into the RESYNC request
+func (dsl *DataResyncDSL) IPSecSP(sp *ipsec.SecurityPolicy) linuxclient.DataResyncDSL {
+	dsl.vppDataResync.IPSecSP(sp)
+	return dsl
+}
+
 // IPSecTunnelProtection adds request to RESYNC an IPSec tunnel protection
 func (dsl *DataResyncDSL) IPSecTunnelProtection(tp *ipsec.TunnelProtection) linuxclient.DataResyncDSL {
 	dsl.vppDataResync.IPSecTunnelProtection(tp)

clientv2/vpp/data_change_api.go

@@ -92,6 +92,8 @@ type PutDSL interface {
 	IPSecSA(sa *ipsec.SecurityAssociation) PutDSL
 	// IPSecSPD adds request to create a new Security Policy Database
 	IPSecSPD(spd *ipsec.SecurityPolicyDatabase) PutDSL
+	// IPSecSP adds request to add a new Security Policy
+	IPSecSP(sp *ipsec.SecurityPolicy) PutDSL
 	// IPSecTunnelProtection adds request to create a new IPSec tunnel protection
 	IPSecTunnelProtection(tp *ipsec.TunnelProtection) PutDSL
 	// PuntIPRedirect adds request to create or update rule to punt L3 traffic via interface.
@@ -157,6 +159,8 @@ type DeleteDSL interface {
 	IPSecSA(saIndex uint32) DeleteDSL
 	// IPSecSPD adds request to delete a Security Policy Database
 	IPSecSPD(spdIndex uint32) DeleteDSL
+	// IPSecSP adds request to delete a Security Policy
+	IPSecSP(sp *ipsec.SecurityPolicy) DeleteDSL
 	// IPSecTunnelProtection adds request to delete an IPSec tunnel protection from an interface
 	IPSecTunnelProtection(tp *ipsec.TunnelProtection) DeleteDSL
 	// PuntIPRedirect adds request to delete a rule used to punt L3 traffic via interface.

clientv2/vpp/data_resync_api.go

@@ -72,6 +72,8 @@ type DataResyncDSL interface {
 	IPSecSA(sa *ipsec.SecurityAssociation) DataResyncDSL
 	// IPSecSPD adds request to RESYNC a new Security Policy Database
 	IPSecSPD(spd *ipsec.SecurityPolicyDatabase) DataResyncDSL
+	// IPSecSP adds Security Policy to the RESYNC request
+	IPSecSP(sp *ipsec.SecurityPolicy) DataResyncDSL
 	// IPSecTunnelProtection adds request to RESYNC an IPSec tunnel protection
 	IPSecTunnelProtection(tp *ipsec.TunnelProtection) DataResyncDSL
 	// PuntIPRedirect adds request to RESYNC a rule used to punt L3 traffic via interface.

clientv2/vpp/dbadapter/data_change_db.go

@@ -193,6 +193,12 @@ func (dsl *PutDSL) IPSecSPD(spd *ipsec.SecurityPolicyDatabase) vppclient.PutDSL
 	return dsl
 }
 
+// IPSecSP adds request to create a new Security Policy
+func (dsl *PutDSL) IPSecSP(sp *ipsec.SecurityPolicy) vppclient.PutDSL {
+	dsl.parent.txn.Put(models.Key(sp), sp)
+	return dsl
+}
+
 // IPSecTunnelProtection adds request to delete an IPSec tunnel protection from an interface
 func (dsl *PutDSL) IPSecTunnelProtection(tp *ipsec.TunnelProtection) vppclient.PutDSL {
 	dsl.parent.txn.Put(models.Key(tp), tp)
@@ -361,6 +367,12 @@ func (dsl *DeleteDSL) IPSecSPD(spdIndex uint32) vppclient.DeleteDSL {
 	return dsl
 }
 
+// IPSecSP adds request to delete Security Policy
+func (dsl *DeleteDSL) IPSecSP(sp *ipsec.SecurityPolicy) vppclient.DeleteDSL {
+	dsl.parent.txn.Delete(models.Key(sp))
+	return dsl
+}
+
 // IPSecTunnelProtection adds request to delete an IPSec tunnel protection from an interface
 func (dsl *DeleteDSL) IPSecTunnelProtection(tp *ipsec.TunnelProtection) vppclient.DeleteDSL {
 	dsl.parent.txn.Delete(models.Key(tp))

clientv2/vpp/dbadapter/data_resync_db.go

@@ -222,6 +222,15 @@ func (dsl *DataResyncDSL) IPSecSPD(spd *ipsec.SecurityPolicyDatabase) vppclient.
 	return dsl
 }
 
+// IPSecSP adds request to RESYNC a Security Policy
+func (dsl *DataResyncDSL) IPSecSP(sp *ipsec.SecurityPolicy) vppclient.DataResyncDSL {
+	key := models.Key(sp)
+	dsl.txn.Put(key, sp)
+	dsl.txnKeys = append(dsl.txnKeys, key)
+
+	return dsl
+}
+
 // IPSecTunnelProtection adds request to RESYNC an IPSec tunnel protection
 func (dsl *DataResyncDSL) IPSecTunnelProtection(tp *ipsec.TunnelProtection) vppclient.DataResyncDSL {
 	key := models.Key(tp)

examples/grpc_vpp/remote_client/main.go

@@ -130,6 +130,7 @@ func (p *ExamplePlugin) demonstrateClient(client configurator.ConfiguratorServic
 			IpscanNeighbor: ipScanNeigh,
 			IpsecSas:       []*vpp_ipsec.SecurityAssociation{sa10},
 			IpsecSpds:      []*vpp_ipsec.SecurityPolicyDatabase{spd1},
+			IpsecSps:       []*vpp_ipsec.SecurityPolicy{sp},
 		},
 		LinuxConfig: &linux.ConfigData{
 			Interfaces: []*linux_interfaces.Interface{
@@ -216,15 +217,18 @@ var (
 	}
 	spd1 = &vpp.IPSecSPD{
 		Index: 1,
-		PolicyEntries: []*vpp_ipsec.SecurityPolicyDatabase_PolicyEntry{
-			{
-				Action:     vpp_ipsec.SecurityPolicyDatabase_PolicyEntry_BYPASS,
-				Priority:   100,
-				IsOutbound: false,
-				Protocol:   50,
-				SaIndex:    10,
-			},
-		},
+	}
+	sp = &vpp.IPSecSP{
+		SpdIndex:        spd1.Index,
+		SaIndex:         sa10.Index,
+		Action:          vpp_ipsec.SecurityPolicy_BYPASS,
+		Priority:        100,
+		IsOutbound:      false,
+		Protocol:        50,
+		LocalAddrStart:  "192.168.1.1",
+		LocalAddrStop:   "192.168.1.255",
+		RemoteAddrStart: "192.168.2.1",
+		RemoteAddrStop:  "192.168.2.255",
 	}
 	memif1 = &vpp.Interface{
 		Name:        "memif1",

plugins/configurator/dump.go

@@ -110,6 +110,11 @@ func (svc *dumpService) Dump(ctx context.Context, req *rpc.DumpRequest) (*rpc.Du
 		svc.log.Errorf("DumpIPSecSPDs failed: %v", err)
 		return nil, err
 	}
+	dump.VppConfig.IpsecSps, err = svc.DumpIPSecSPs()
+	if err != nil {
+		svc.log.Errorf("DumpIPSecSPs failed: %v", err)
+		return nil, err
+	}
 	dump.VppConfig.IpsecSas, err = svc.DumpIPSecSAs()
 	if err != nil {
 		svc.log.Errorf("DumpIPSecSAs failed: %v", err)
@@ -205,14 +210,17 @@ func (svc *dumpService) DumpIPSecSPDs() (spds []*vpp_ipsec.SecurityPolicyDatabas
 		return nil, nil
 	}
 
-	spdDetails, err := svc.ipsecHandler.DumpIPSecSPD()
-	if err != nil {
-		return nil, err
-	}
-	for _, spd := range spdDetails {
-		spds = append(spds, spd.Spd)
+	return svc.ipsecHandler.DumpIPSecSPD()
+}
+
+// DumpIPSecSPs dumps IPSec security policies.
+func (svc *dumpService) DumpIPSecSPs() (spds []*vpp_ipsec.SecurityPolicy, err error) {
+	if svc.ipsecHandler == nil {
+		// handler is not available
+		return nil, nil
 	}
-	return spds, nil
+
+	return svc.ipsecHandler.DumpIPSecSP()
 }
 
 // DumpIPSecSAs reads IPSec SA and returns them as an *IPSecSAResponse. If reading ends up with error,

plugins/restapi/handlers.go

@@ -207,6 +207,13 @@ func (p *Plugin) registerIPSecHandlers() {
 		}
 		return p.ipSecHandler.DumpIPSecSPD()
 	})
+	// GET IPSec SP entries
+	p.registerHTTPHandler(resturl.SPs, GET, func() (interface{}, error) {
+		if p.ipSecHandler == nil {
+			return nil, ErrHandlerUnavailable
+		}
+		return p.ipSecHandler.DumpIPSecSP()
+	})
 	// GET IPSec SA entries
 	p.registerHTTPHandler(resturl.SAs, GET, func() (interface{}, error) {
 		if p.ipSecHandler == nil {

plugins/restapi/resturl/urls.go

@@ -108,6 +108,8 @@ const (
 const (
 	// SPDs is rest IPSec security policy database path
 	SPDs = "/dump/vpp/v2/ipsec/spds"
+	// SPs is rest IPSec security policy path
+	SPs = "/dump/vpp/v2/ipsec/sps"
 	// SAs is rest IPSec security association path
 	SAs = "/dump/vpp/v2/ipsec/sas"
 )