diff --git a/clientv2/linux/data_change_api.go b/clientv2/linux/data_change_api.go index 97766a6fd5..c271f700c1 100644 --- a/clientv2/linux/data_change_api.go +++ b/clientv2/linux/data_change_api.go @@ -118,6 +118,8 @@ type PutDSL interface { IPSecSA(sa *ipsec.SecurityAssociation) PutDSL // IPSecSPD adds request to create a new Security Policy Database IPSecSPD(spd *ipsec.SecurityPolicyDatabase) PutDSL + // IPSecSP adds request to create a new Security Policy + IPSecSP(sp *ipsec.SecurityPolicy) PutDSL // IPSecTunnelProtection adds request to create a new IPSec tunnel protection IPSecTunnelProtection(tp *ipsec.TunnelProtection) PutDSL // PuntIPRedirect adds request to create or update rule to punt L3 traffic via interface. @@ -207,6 +209,8 @@ type DeleteDSL interface { IPSecSA(saIndex uint32) DeleteDSL // IPSecSPD adds request to delete a Security Policy Database IPSecSPD(spdIndex uint32) DeleteDSL + // IPSecSP adds request to delete a Security Policy + IPSecSP(sp *ipsec.SecurityPolicy) DeleteDSL // IPSecTunnelProtection adds request to delete an IPSec tunnel protection from an interface IPSecTunnelProtection(tp *ipsec.TunnelProtection) DeleteDSL // PuntIPRedirect adds request to delete a rule used to punt L3 traffic via interface. diff --git a/clientv2/linux/data_resync_api.go b/clientv2/linux/data_resync_api.go index aa3e223430..4dcddbc9a7 100644 --- a/clientv2/linux/data_resync_api.go +++ b/clientv2/linux/data_resync_api.go @@ -98,6 +98,8 @@ type DataResyncDSL interface { IPSecSA(sa *ipsec.SecurityAssociation) DataResyncDSL // IPSecSPD adds request to RESYNC a new Security Policy Database IPSecSPD(spd *ipsec.SecurityPolicyDatabase) DataResyncDSL + // IPSecSP adds Security Policy to the RESYNC request + IPSecSP(sp *ipsec.SecurityPolicy) DataResyncDSL // IPSecTunnelProtection adds request to RESYNC an IPSec tunnel protection IPSecTunnelProtection(tp *ipsec.TunnelProtection) DataResyncDSL // PuntIPRedirect adds request to RESYNC a rule used to punt L3 traffic via interface. diff --git a/clientv2/linux/dbadapter/data_change_db.go b/clientv2/linux/dbadapter/data_change_db.go index ec4232942a..6a031cb308 100644 --- a/clientv2/linux/dbadapter/data_change_db.go +++ b/clientv2/linux/dbadapter/data_change_db.go @@ -252,6 +252,12 @@ func (dsl *PutDSL) IPSecSPD(spd *ipsec.SecurityPolicyDatabase) linuxclient.PutDS return dsl } +// IPSecSP adds request to create a new Security Policy +func (dsl *PutDSL) IPSecSP(sp *ipsec.SecurityPolicy) linuxclient.PutDSL { + dsl.vppPut.IPSecSP(sp) + return dsl +} + // IPSecTunnelProtection adds request to delete an IPSec tunnel protection from an interface func (dsl *PutDSL) IPSecTunnelProtection(tp *ipsec.TunnelProtection) linuxclient.PutDSL { dsl.vppPut.IPSecTunnelProtection(tp) @@ -477,6 +483,12 @@ func (dsl *DeleteDSL) IPSecSPD(spdIndex uint32) linuxclient.DeleteDSL { return dsl } +// IPSecSP adds request to delete a Security Policy +func (dsl *DeleteDSL) IPSecSP(sp *ipsec.SecurityPolicy) linuxclient.DeleteDSL { + dsl.vppDelete.IPSecSP(sp) + return dsl +} + // IPSecTunnelProtection adds request to delete an IPSec tunnel protection from an interface func (dsl *DeleteDSL) IPSecTunnelProtection(tp *ipsec.TunnelProtection) linuxclient.DeleteDSL { dsl.vppDelete.IPSecTunnelProtection(tp) diff --git a/clientv2/linux/dbadapter/data_resync_db.go b/clientv2/linux/dbadapter/data_resync_db.go index 0642bdf707..82c370c6d4 100644 --- a/clientv2/linux/dbadapter/data_resync_db.go +++ b/clientv2/linux/dbadapter/data_resync_db.go @@ -246,6 +246,12 @@ func (dsl *DataResyncDSL) IPSecSPD(spd *ipsec.SecurityPolicyDatabase) linuxclien return dsl } +// IPSecSPD adds Security Policy into the RESYNC request +func (dsl *DataResyncDSL) IPSecSP(sp *ipsec.SecurityPolicy) linuxclient.DataResyncDSL { + dsl.vppDataResync.IPSecSP(sp) + return dsl +} + // IPSecTunnelProtection adds request to RESYNC an IPSec tunnel protection func (dsl *DataResyncDSL) IPSecTunnelProtection(tp *ipsec.TunnelProtection) linuxclient.DataResyncDSL { dsl.vppDataResync.IPSecTunnelProtection(tp) diff --git a/clientv2/vpp/data_change_api.go b/clientv2/vpp/data_change_api.go index 1f8985fc84..5d0c822cdc 100644 --- a/clientv2/vpp/data_change_api.go +++ b/clientv2/vpp/data_change_api.go @@ -92,6 +92,8 @@ type PutDSL interface { IPSecSA(sa *ipsec.SecurityAssociation) PutDSL // IPSecSPD adds request to create a new Security Policy Database IPSecSPD(spd *ipsec.SecurityPolicyDatabase) PutDSL + // IPSecSP adds request to add a new Security Policy + IPSecSP(sp *ipsec.SecurityPolicy) PutDSL // IPSecTunnelProtection adds request to create a new IPSec tunnel protection IPSecTunnelProtection(tp *ipsec.TunnelProtection) PutDSL // PuntIPRedirect adds request to create or update rule to punt L3 traffic via interface. @@ -157,6 +159,8 @@ type DeleteDSL interface { IPSecSA(saIndex uint32) DeleteDSL // IPSecSPD adds request to delete a Security Policy Database IPSecSPD(spdIndex uint32) DeleteDSL + // IPSecSP adds request to delete a Security Policy + IPSecSP(sp *ipsec.SecurityPolicy) DeleteDSL // IPSecTunnelProtection adds request to delete an IPSec tunnel protection from an interface IPSecTunnelProtection(tp *ipsec.TunnelProtection) DeleteDSL // PuntIPRedirect adds request to delete a rule used to punt L3 traffic via interface. diff --git a/clientv2/vpp/data_resync_api.go b/clientv2/vpp/data_resync_api.go index 6a05e0c8df..a1b9a71b6c 100644 --- a/clientv2/vpp/data_resync_api.go +++ b/clientv2/vpp/data_resync_api.go @@ -72,6 +72,8 @@ type DataResyncDSL interface { IPSecSA(sa *ipsec.SecurityAssociation) DataResyncDSL // IPSecSPD adds request to RESYNC a new Security Policy Database IPSecSPD(spd *ipsec.SecurityPolicyDatabase) DataResyncDSL + // IPSecSP adds Security Policy to the RESYNC request + IPSecSP(sp *ipsec.SecurityPolicy) DataResyncDSL // IPSecTunnelProtection adds request to RESYNC an IPSec tunnel protection IPSecTunnelProtection(tp *ipsec.TunnelProtection) DataResyncDSL // PuntIPRedirect adds request to RESYNC a rule used to punt L3 traffic via interface. diff --git a/clientv2/vpp/dbadapter/data_change_db.go b/clientv2/vpp/dbadapter/data_change_db.go index 9847853305..bf519179a3 100644 --- a/clientv2/vpp/dbadapter/data_change_db.go +++ b/clientv2/vpp/dbadapter/data_change_db.go @@ -193,6 +193,12 @@ func (dsl *PutDSL) IPSecSPD(spd *ipsec.SecurityPolicyDatabase) vppclient.PutDSL return dsl } +// IPSecSP adds request to create a new Security Policy +func (dsl *PutDSL) IPSecSP(sp *ipsec.SecurityPolicy) vppclient.PutDSL { + dsl.parent.txn.Put(models.Key(sp), sp) + return dsl +} + // IPSecTunnelProtection adds request to delete an IPSec tunnel protection from an interface func (dsl *PutDSL) IPSecTunnelProtection(tp *ipsec.TunnelProtection) vppclient.PutDSL { dsl.parent.txn.Put(models.Key(tp), tp) @@ -361,6 +367,12 @@ func (dsl *DeleteDSL) IPSecSPD(spdIndex uint32) vppclient.DeleteDSL { return dsl } +// IPSecSP adds request to delete Security Policy +func (dsl *DeleteDSL) IPSecSP(sp *ipsec.SecurityPolicy) vppclient.DeleteDSL { + dsl.parent.txn.Delete(models.Key(sp)) + return dsl +} + // IPSecTunnelProtection adds request to delete an IPSec tunnel protection from an interface func (dsl *DeleteDSL) IPSecTunnelProtection(tp *ipsec.TunnelProtection) vppclient.DeleteDSL { dsl.parent.txn.Delete(models.Key(tp)) diff --git a/clientv2/vpp/dbadapter/data_resync_db.go b/clientv2/vpp/dbadapter/data_resync_db.go index 183aba8473..b1b5298d3c 100644 --- a/clientv2/vpp/dbadapter/data_resync_db.go +++ b/clientv2/vpp/dbadapter/data_resync_db.go @@ -222,6 +222,15 @@ func (dsl *DataResyncDSL) IPSecSPD(spd *ipsec.SecurityPolicyDatabase) vppclient. return dsl } +// IPSecSP adds request to RESYNC a Security Policy +func (dsl *DataResyncDSL) IPSecSP(sp *ipsec.SecurityPolicy) vppclient.DataResyncDSL { + key := models.Key(sp) + dsl.txn.Put(key, sp) + dsl.txnKeys = append(dsl.txnKeys, key) + + return dsl +} + // IPSecTunnelProtection adds request to RESYNC an IPSec tunnel protection func (dsl *DataResyncDSL) IPSecTunnelProtection(tp *ipsec.TunnelProtection) vppclient.DataResyncDSL { key := models.Key(tp) diff --git a/examples/grpc_vpp/remote_client/main.go b/examples/grpc_vpp/remote_client/main.go index 0f6c53001a..4f95ab6208 100644 --- a/examples/grpc_vpp/remote_client/main.go +++ b/examples/grpc_vpp/remote_client/main.go @@ -130,6 +130,7 @@ func (p *ExamplePlugin) demonstrateClient(client configurator.ConfiguratorServic IpscanNeighbor: ipScanNeigh, IpsecSas: []*vpp_ipsec.SecurityAssociation{sa10}, IpsecSpds: []*vpp_ipsec.SecurityPolicyDatabase{spd1}, + IpsecSps: []*vpp_ipsec.SecurityPolicy{sp}, }, LinuxConfig: &linux.ConfigData{ Interfaces: []*linux_interfaces.Interface{ @@ -216,15 +217,18 @@ var ( } spd1 = &vpp.IPSecSPD{ Index: 1, - PolicyEntries: []*vpp_ipsec.SecurityPolicyDatabase_PolicyEntry{ - { - Action: vpp_ipsec.SecurityPolicyDatabase_PolicyEntry_BYPASS, - Priority: 100, - IsOutbound: false, - Protocol: 50, - SaIndex: 10, - }, - }, + } + sp = &vpp.IPSecSP{ + SpdIndex: spd1.Index, + SaIndex: sa10.Index, + Action: vpp_ipsec.SecurityPolicy_BYPASS, + Priority: 100, + IsOutbound: false, + Protocol: 50, + LocalAddrStart: "192.168.1.1", + LocalAddrStop: "192.168.1.255", + RemoteAddrStart: "192.168.2.1", + RemoteAddrStop: "192.168.2.255", } memif1 = &vpp.Interface{ Name: "memif1", diff --git a/plugins/configurator/dump.go b/plugins/configurator/dump.go index 3274188470..3d1b1e0182 100644 --- a/plugins/configurator/dump.go +++ b/plugins/configurator/dump.go @@ -110,6 +110,11 @@ func (svc *dumpService) Dump(ctx context.Context, req *rpc.DumpRequest) (*rpc.Du svc.log.Errorf("DumpIPSecSPDs failed: %v", err) return nil, err } + dump.VppConfig.IpsecSps, err = svc.DumpIPSecSPs() + if err != nil { + svc.log.Errorf("DumpIPSecSPs failed: %v", err) + return nil, err + } dump.VppConfig.IpsecSas, err = svc.DumpIPSecSAs() if err != nil { svc.log.Errorf("DumpIPSecSAs failed: %v", err) @@ -205,14 +210,17 @@ func (svc *dumpService) DumpIPSecSPDs() (spds []*vpp_ipsec.SecurityPolicyDatabas return nil, nil } - spdDetails, err := svc.ipsecHandler.DumpIPSecSPD() - if err != nil { - return nil, err - } - for _, spd := range spdDetails { - spds = append(spds, spd.Spd) + return svc.ipsecHandler.DumpIPSecSPD() +} + +// DumpIPSecSPs dumps IPSec security policies. +func (svc *dumpService) DumpIPSecSPs() (spds []*vpp_ipsec.SecurityPolicy, err error) { + if svc.ipsecHandler == nil { + // handler is not available + return nil, nil } - return spds, nil + + return svc.ipsecHandler.DumpIPSecSP() } // DumpIPSecSAs reads IPSec SA and returns them as an *IPSecSAResponse. If reading ends up with error, diff --git a/plugins/restapi/handlers.go b/plugins/restapi/handlers.go index c387496f42..52d56309d2 100644 --- a/plugins/restapi/handlers.go +++ b/plugins/restapi/handlers.go @@ -207,6 +207,13 @@ func (p *Plugin) registerIPSecHandlers() { } return p.ipSecHandler.DumpIPSecSPD() }) + // GET IPSec SP entries + p.registerHTTPHandler(resturl.SPs, GET, func() (interface{}, error) { + if p.ipSecHandler == nil { + return nil, ErrHandlerUnavailable + } + return p.ipSecHandler.DumpIPSecSP() + }) // GET IPSec SA entries p.registerHTTPHandler(resturl.SAs, GET, func() (interface{}, error) { if p.ipSecHandler == nil { diff --git a/plugins/restapi/resturl/urls.go b/plugins/restapi/resturl/urls.go index 99ee840b67..c6f8662744 100644 --- a/plugins/restapi/resturl/urls.go +++ b/plugins/restapi/resturl/urls.go @@ -108,6 +108,8 @@ const ( const ( // SPDs is rest IPSec security policy database path SPDs = "/dump/vpp/v2/ipsec/spds" + // SPs is rest IPSec security policy path + SPs = "/dump/vpp/v2/ipsec/sps" // SAs is rest IPSec security association path SAs = "/dump/vpp/v2/ipsec/sas" ) diff --git a/plugins/vpp/ipsecplugin/descriptor/adapter/spdpolicy.go b/plugins/vpp/ipsecplugin/descriptor/adapter/sp.go similarity index 59% rename from plugins/vpp/ipsecplugin/descriptor/adapter/spdpolicy.go rename to plugins/vpp/ipsecplugin/descriptor/adapter/sp.go index ede08b7b17..3a89d01f88 100644 --- a/plugins/vpp/ipsecplugin/descriptor/adapter/spdpolicy.go +++ b/plugins/vpp/ipsecplugin/descriptor/adapter/sp.go @@ -10,44 +10,44 @@ import ( ////////// type-safe key-value pair with metadata ////////// -type SPDPolicyKVWithMetadata struct { +type SPKVWithMetadata struct { Key string - Value *vpp_ipsec.SecurityPolicyDatabase_PolicyEntry + Value *vpp_ipsec.SecurityPolicy Metadata interface{} Origin ValueOrigin } ////////// type-safe Descriptor structure ////////// -type SPDPolicyDescriptor struct { +type SPDescriptor struct { Name string KeySelector KeySelector ValueTypeName string KeyLabel func(key string) string - ValueComparator func(key string, oldValue, newValue *vpp_ipsec.SecurityPolicyDatabase_PolicyEntry) bool + ValueComparator func(key string, oldValue, newValue *vpp_ipsec.SecurityPolicy) bool NBKeyPrefix string WithMetadata bool MetadataMapFactory MetadataMapFactory - Validate func(key string, value *vpp_ipsec.SecurityPolicyDatabase_PolicyEntry) error - Create func(key string, value *vpp_ipsec.SecurityPolicyDatabase_PolicyEntry) (metadata interface{}, err error) - Delete func(key string, value *vpp_ipsec.SecurityPolicyDatabase_PolicyEntry, metadata interface{}) error - Update func(key string, oldValue, newValue *vpp_ipsec.SecurityPolicyDatabase_PolicyEntry, oldMetadata interface{}) (newMetadata interface{}, err error) - UpdateWithRecreate func(key string, oldValue, newValue *vpp_ipsec.SecurityPolicyDatabase_PolicyEntry, metadata interface{}) bool - Retrieve func(correlate []SPDPolicyKVWithMetadata) ([]SPDPolicyKVWithMetadata, error) + Validate func(key string, value *vpp_ipsec.SecurityPolicy) error + Create func(key string, value *vpp_ipsec.SecurityPolicy) (metadata interface{}, err error) + Delete func(key string, value *vpp_ipsec.SecurityPolicy, metadata interface{}) error + Update func(key string, oldValue, newValue *vpp_ipsec.SecurityPolicy, oldMetadata interface{}) (newMetadata interface{}, err error) + UpdateWithRecreate func(key string, oldValue, newValue *vpp_ipsec.SecurityPolicy, metadata interface{}) bool + Retrieve func(correlate []SPKVWithMetadata) ([]SPKVWithMetadata, error) IsRetriableFailure func(err error) bool - DerivedValues func(key string, value *vpp_ipsec.SecurityPolicyDatabase_PolicyEntry) []KeyValuePair - Dependencies func(key string, value *vpp_ipsec.SecurityPolicyDatabase_PolicyEntry) []Dependency + DerivedValues func(key string, value *vpp_ipsec.SecurityPolicy) []KeyValuePair + Dependencies func(key string, value *vpp_ipsec.SecurityPolicy) []Dependency RetrieveDependencies []string /* descriptor name */ } ////////// Descriptor adapter ////////// -type SPDPolicyDescriptorAdapter struct { - descriptor *SPDPolicyDescriptor +type SPDescriptorAdapter struct { + descriptor *SPDescriptor } -func NewSPDPolicyDescriptor(typedDescriptor *SPDPolicyDescriptor) *KVDescriptor { - adapter := &SPDPolicyDescriptorAdapter{descriptor: typedDescriptor} +func NewSPDescriptor(typedDescriptor *SPDescriptor) *KVDescriptor { + adapter := &SPDescriptorAdapter{descriptor: typedDescriptor} descriptor := &KVDescriptor{ Name: typedDescriptor.Name, KeySelector: typedDescriptor.KeySelector, @@ -89,88 +89,88 @@ func NewSPDPolicyDescriptor(typedDescriptor *SPDPolicyDescriptor) *KVDescriptor return descriptor } -func (da *SPDPolicyDescriptorAdapter) ValueComparator(key string, oldValue, newValue proto.Message) bool { - typedOldValue, err1 := castSPDPolicyValue(key, oldValue) - typedNewValue, err2 := castSPDPolicyValue(key, newValue) +func (da *SPDescriptorAdapter) ValueComparator(key string, oldValue, newValue proto.Message) bool { + typedOldValue, err1 := castSPValue(key, oldValue) + typedNewValue, err2 := castSPValue(key, newValue) if err1 != nil || err2 != nil { return false } return da.descriptor.ValueComparator(key, typedOldValue, typedNewValue) } -func (da *SPDPolicyDescriptorAdapter) Validate(key string, value proto.Message) (err error) { - typedValue, err := castSPDPolicyValue(key, value) +func (da *SPDescriptorAdapter) Validate(key string, value proto.Message) (err error) { + typedValue, err := castSPValue(key, value) if err != nil { return err } return da.descriptor.Validate(key, typedValue) } -func (da *SPDPolicyDescriptorAdapter) Create(key string, value proto.Message) (metadata Metadata, err error) { - typedValue, err := castSPDPolicyValue(key, value) +func (da *SPDescriptorAdapter) Create(key string, value proto.Message) (metadata Metadata, err error) { + typedValue, err := castSPValue(key, value) if err != nil { return nil, err } return da.descriptor.Create(key, typedValue) } -func (da *SPDPolicyDescriptorAdapter) Update(key string, oldValue, newValue proto.Message, oldMetadata Metadata) (newMetadata Metadata, err error) { - oldTypedValue, err := castSPDPolicyValue(key, oldValue) +func (da *SPDescriptorAdapter) Update(key string, oldValue, newValue proto.Message, oldMetadata Metadata) (newMetadata Metadata, err error) { + oldTypedValue, err := castSPValue(key, oldValue) if err != nil { return nil, err } - newTypedValue, err := castSPDPolicyValue(key, newValue) + newTypedValue, err := castSPValue(key, newValue) if err != nil { return nil, err } - typedOldMetadata, err := castSPDPolicyMetadata(key, oldMetadata) + typedOldMetadata, err := castSPMetadata(key, oldMetadata) if err != nil { return nil, err } return da.descriptor.Update(key, oldTypedValue, newTypedValue, typedOldMetadata) } -func (da *SPDPolicyDescriptorAdapter) Delete(key string, value proto.Message, metadata Metadata) error { - typedValue, err := castSPDPolicyValue(key, value) +func (da *SPDescriptorAdapter) Delete(key string, value proto.Message, metadata Metadata) error { + typedValue, err := castSPValue(key, value) if err != nil { return err } - typedMetadata, err := castSPDPolicyMetadata(key, metadata) + typedMetadata, err := castSPMetadata(key, metadata) if err != nil { return err } return da.descriptor.Delete(key, typedValue, typedMetadata) } -func (da *SPDPolicyDescriptorAdapter) UpdateWithRecreate(key string, oldValue, newValue proto.Message, metadata Metadata) bool { - oldTypedValue, err := castSPDPolicyValue(key, oldValue) +func (da *SPDescriptorAdapter) UpdateWithRecreate(key string, oldValue, newValue proto.Message, metadata Metadata) bool { + oldTypedValue, err := castSPValue(key, oldValue) if err != nil { return true } - newTypedValue, err := castSPDPolicyValue(key, newValue) + newTypedValue, err := castSPValue(key, newValue) if err != nil { return true } - typedMetadata, err := castSPDPolicyMetadata(key, metadata) + typedMetadata, err := castSPMetadata(key, metadata) if err != nil { return true } return da.descriptor.UpdateWithRecreate(key, oldTypedValue, newTypedValue, typedMetadata) } -func (da *SPDPolicyDescriptorAdapter) Retrieve(correlate []KVWithMetadata) ([]KVWithMetadata, error) { - var correlateWithType []SPDPolicyKVWithMetadata +func (da *SPDescriptorAdapter) Retrieve(correlate []KVWithMetadata) ([]KVWithMetadata, error) { + var correlateWithType []SPKVWithMetadata for _, kvpair := range correlate { - typedValue, err := castSPDPolicyValue(kvpair.Key, kvpair.Value) + typedValue, err := castSPValue(kvpair.Key, kvpair.Value) if err != nil { continue } - typedMetadata, err := castSPDPolicyMetadata(kvpair.Key, kvpair.Metadata) + typedMetadata, err := castSPMetadata(kvpair.Key, kvpair.Metadata) if err != nil { continue } correlateWithType = append(correlateWithType, - SPDPolicyKVWithMetadata{ + SPKVWithMetadata{ Key: kvpair.Key, Value: typedValue, Metadata: typedMetadata, @@ -195,16 +195,16 @@ func (da *SPDPolicyDescriptorAdapter) Retrieve(correlate []KVWithMetadata) ([]KV return values, err } -func (da *SPDPolicyDescriptorAdapter) DerivedValues(key string, value proto.Message) []KeyValuePair { - typedValue, err := castSPDPolicyValue(key, value) +func (da *SPDescriptorAdapter) DerivedValues(key string, value proto.Message) []KeyValuePair { + typedValue, err := castSPValue(key, value) if err != nil { return nil } return da.descriptor.DerivedValues(key, typedValue) } -func (da *SPDPolicyDescriptorAdapter) Dependencies(key string, value proto.Message) []Dependency { - typedValue, err := castSPDPolicyValue(key, value) +func (da *SPDescriptorAdapter) Dependencies(key string, value proto.Message) []Dependency { + typedValue, err := castSPValue(key, value) if err != nil { return nil } @@ -213,15 +213,15 @@ func (da *SPDPolicyDescriptorAdapter) Dependencies(key string, value proto.Messa ////////// Helper methods ////////// -func castSPDPolicyValue(key string, value proto.Message) (*vpp_ipsec.SecurityPolicyDatabase_PolicyEntry, error) { - typedValue, ok := value.(*vpp_ipsec.SecurityPolicyDatabase_PolicyEntry) +func castSPValue(key string, value proto.Message) (*vpp_ipsec.SecurityPolicy, error) { + typedValue, ok := value.(*vpp_ipsec.SecurityPolicy) if !ok { return nil, ErrInvalidValueType(key, value) } return typedValue, nil } -func castSPDPolicyMetadata(key string, metadata Metadata) (interface{}, error) { +func castSPMetadata(key string, metadata Metadata) (interface{}, error) { if metadata == nil { return nil, nil } diff --git a/plugins/vpp/ipsecplugin/descriptor/adapter/spd.go b/plugins/vpp/ipsecplugin/descriptor/adapter/spd.go index f3018c3361..e5d6e3fce6 100644 --- a/plugins/vpp/ipsecplugin/descriptor/adapter/spd.go +++ b/plugins/vpp/ipsecplugin/descriptor/adapter/spd.go @@ -5,7 +5,6 @@ package adapter import ( "github.com/golang/protobuf/proto" . "go.ligato.io/vpp-agent/v3/plugins/kvscheduler/api" - "go.ligato.io/vpp-agent/v3/pkg/idxvpp" "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec" ) @@ -14,7 +13,7 @@ import ( type SPDKVWithMetadata struct { Key string Value *vpp_ipsec.SecurityPolicyDatabase - Metadata *idxvpp.OnlyIndex + Metadata interface{} Origin ValueOrigin } @@ -30,10 +29,10 @@ type SPDDescriptor struct { WithMetadata bool MetadataMapFactory MetadataMapFactory Validate func(key string, value *vpp_ipsec.SecurityPolicyDatabase) error - Create func(key string, value *vpp_ipsec.SecurityPolicyDatabase) (metadata *idxvpp.OnlyIndex, err error) - Delete func(key string, value *vpp_ipsec.SecurityPolicyDatabase, metadata *idxvpp.OnlyIndex) error - Update func(key string, oldValue, newValue *vpp_ipsec.SecurityPolicyDatabase, oldMetadata *idxvpp.OnlyIndex) (newMetadata *idxvpp.OnlyIndex, err error) - UpdateWithRecreate func(key string, oldValue, newValue *vpp_ipsec.SecurityPolicyDatabase, metadata *idxvpp.OnlyIndex) bool + Create func(key string, value *vpp_ipsec.SecurityPolicyDatabase) (metadata interface{}, err error) + Delete func(key string, value *vpp_ipsec.SecurityPolicyDatabase, metadata interface{}) error + Update func(key string, oldValue, newValue *vpp_ipsec.SecurityPolicyDatabase, oldMetadata interface{}) (newMetadata interface{}, err error) + UpdateWithRecreate func(key string, oldValue, newValue *vpp_ipsec.SecurityPolicyDatabase, metadata interface{}) bool Retrieve func(correlate []SPDKVWithMetadata) ([]SPDKVWithMetadata, error) IsRetriableFailure func(err error) bool DerivedValues func(key string, value *vpp_ipsec.SecurityPolicyDatabase) []KeyValuePair @@ -222,11 +221,11 @@ func castSPDValue(key string, value proto.Message) (*vpp_ipsec.SecurityPolicyDat return typedValue, nil } -func castSPDMetadata(key string, metadata Metadata) (*idxvpp.OnlyIndex, error) { +func castSPDMetadata(key string, metadata Metadata) (interface{}, error) { if metadata == nil { return nil, nil } - typedMetadata, ok := metadata.(*idxvpp.OnlyIndex) + typedMetadata, ok := metadata.(interface{}) if !ok { return nil, ErrInvalidMetadataType(key) } diff --git a/plugins/vpp/ipsecplugin/descriptor/sp.go b/plugins/vpp/ipsecplugin/descriptor/sp.go new file mode 100644 index 0000000000..40d755886a --- /dev/null +++ b/plugins/vpp/ipsecplugin/descriptor/sp.go @@ -0,0 +1,140 @@ +// Copyright (c) 2018 Cisco and/or its affiliates. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at: +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package descriptor + +import ( + "go.ligato.io/cn-infra/v2/logging" + + "go.ligato.io/vpp-agent/v3/pkg/models" + kvs "go.ligato.io/vpp-agent/v3/plugins/kvscheduler/api" + "go.ligato.io/vpp-agent/v3/plugins/vpp/ipsecplugin/descriptor/adapter" + "go.ligato.io/vpp-agent/v3/plugins/vpp/ipsecplugin/vppcalls" + ipsec "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec" +) + +const ( + // SPDescriptorName is the name of the descriptor for configuring VPP IPSec security policies. + SPDescriptorName = "vpp-ipsec-sp" + + // dependency labels + spdDep = "spd-exists" + saDep = "sa-exists" +) + +// IPSecSPDescriptor teaches KVScheduler how to configure VPP IPSec Security Policies. +type IPSecSPDescriptor struct { + // dependencies + log logging.Logger + ipSecHandler vppcalls.IPSecVppAPI +} + +// NewIPSecSPDescriptor creates a new instance of the SP descriptor. +func NewIPSecSPDescriptor(ipSecHandler vppcalls.IPSecVppAPI, log logging.PluginLogger) *kvs.KVDescriptor { + ctx := &IPSecSPDescriptor{ + log: log.NewLogger("ipsec-sp-descriptor"), + ipSecHandler: ipSecHandler, + } + typedDescr := &adapter.SPDescriptor{ + Name: SPDescriptorName, + NBKeyPrefix: ipsec.ModelSecurityPolicy.KeyPrefix(), + ValueTypeName: ipsec.ModelSecurityPolicy.ProtoName(), + KeySelector: ipsec.ModelSecurityPolicy.IsKeyValid, + KeyLabel: ipsec.ModelSecurityPolicy.StripKeyPrefix, + ValueComparator: ctx.EquivalentSPs, + Create: ctx.Create, + Delete: ctx.Delete, + Dependencies: ctx.Dependencies, + Retrieve: ctx.Retrieve, + } + return adapter.NewSPDescriptor(typedDescr) +} + +// EquivalentSPs compares two SPs for equivalency. +func (d *IPSecSPDescriptor) EquivalentSPs(key string, oldValue, newValue *ipsec.SecurityPolicy) bool { + if oldValue.GetPriority() != newValue.GetPriority() || + oldValue.GetProtocol() != newValue.GetProtocol() || + oldValue.GetAction() != newValue.GetAction() { + return false + } + + normalizedPortRange := func(start, stop uint32) (uint32, uint32) { + if start == 0 && stop == 0 { + return 0, uint32(^uint16(0)) + } + return start, stop + } + prevLPStart, prevLPStop := normalizedPortRange(oldValue.GetLocalPortStart(), oldValue.GetLocalPortStop()) + newLPStart, newLPStop := normalizedPortRange(newValue.GetLocalPortStart(), newValue.GetLocalPortStop()) + if prevLPStart != newLPStart || prevLPStop != newLPStop { + return false + } + prevRPStart, prevRPStop := normalizedPortRange(oldValue.GetRemotePortStart(), oldValue.GetRemotePortStop()) + newRPStart, newRPStop := normalizedPortRange(newValue.GetRemotePortStart(), newValue.GetRemotePortStop()) + if prevRPStart != newRPStart || prevRPStop != newRPStop { + return false + } + return true +} + +// Create puts policy into security policy database. +func (d *IPSecSPDescriptor) Create(key string, policy *ipsec.SecurityPolicy) (metadata interface{}, err error) { + err = d.ipSecHandler.AddSP(policy) + if err != nil { + d.log.Error(err) + return nil, err + } + return nil, nil +} + +// Delete removes policy from security policy database. +func (d *IPSecSPDescriptor) Delete(key string, policy *ipsec.SecurityPolicy, metadata interface{}) (err error) { + err = d.ipSecHandler.DeleteSP(policy) + if err != nil { + d.log.Error(err) + return err + } + return nil +} + +// Dependencies lists the associated security association and SPD as the dependencies of the policy. +func (d *IPSecSPDescriptor) Dependencies(key string, value *ipsec.SecurityPolicy) []kvs.Dependency { + return []kvs.Dependency{ + { + Label: spdDep, + Key: ipsec.SPDKey(value.SpdIndex), + }, + { + Label: saDep, + Key: ipsec.SAKey(value.SaIndex), + }, + } +} + +// Retrieve returns all configured VPP IPSec Security Policies. +func (d *IPSecSPDescriptor) Retrieve(correlate []adapter.SPKVWithMetadata) (dump []adapter.SPKVWithMetadata, err error) { + sps, err := d.ipSecHandler.DumpIPSecSP() + if err != nil { + d.log.Error(err) + return dump, err + } + for _, sp := range sps { + dump = append(dump, adapter.SPKVWithMetadata{ + Key: models.Key(sp), + Value: sp, + Origin: kvs.FromNB, + }) + } + return dump, nil +} diff --git a/plugins/vpp/ipsecplugin/descriptor/spd.go b/plugins/vpp/ipsecplugin/descriptor/spd.go index d488bdb282..34ac03f70f 100644 --- a/plugins/vpp/ipsecplugin/descriptor/spd.go +++ b/plugins/vpp/ipsecplugin/descriptor/spd.go @@ -15,14 +15,10 @@ package descriptor import ( - "net" - "strings" + "errors" - "github.com/pkg/errors" - "go.ligato.io/cn-infra/v2/idxmap" "go.ligato.io/cn-infra/v2/logging" - "go.ligato.io/vpp-agent/v3/pkg/idxvpp" kvs "go.ligato.io/vpp-agent/v3/plugins/kvscheduler/api" vppIfDescriptor "go.ligato.io/vpp-agent/v3/plugins/vpp/ifplugin/descriptor" "go.ligato.io/vpp-agent/v3/plugins/vpp/ipsecplugin/descriptor/adapter" @@ -38,17 +34,9 @@ const ( // A list of non-retriable errors: var ( - // ErrIPSecSPDWithoutIndex is returned when VPP security policy database - // configuration was defined without index. - ErrIPSecSPDWithoutIndex = errors.New("VPP IPSec security policy database defined without index") - - // ErrIPSecSPDInvalidIndex is returned when VPP security policy database - // configuration was defined with non-numerical index. - ErrIPSecSPDInvalidIndex = errors.New("VPP IPSec security policy database defined with invalid index") - - // ErrSPDWithoutSA is returned when VPP security policy entry has undefined - // security association attribute. - ErrSPDWithoutSA = errors.New("VPP SPD policy entry defined without security association name") + // ErrDeprecatedSPDPolicies is returned when the deprecated SecurityPolicyDatabase.PolicyEntries is used. + ErrDeprecatedSPDPolicies = errors.New( + "it is deprecated and no longer supported to define SPs inside SPD model (use SecurityPolicy model instead)") ) // IPSecSPDDescriptor teaches KVScheduler how to configure IPSec SPD in VPP. @@ -56,9 +44,6 @@ type IPSecSPDDescriptor struct { // dependencies log logging.Logger ipSecHandler vppcalls.IPSecVppAPI - - // runtime - spdIDSeq uint32 } // NewIPSecSPDDescriptor creates a new instance of the IPSec SPD descriptor. @@ -66,7 +51,6 @@ func NewIPSecSPDDescriptor(ipSecHandler vppcalls.IPSecVppAPI, log logging.Plugin return &IPSecSPDDescriptor{ ipSecHandler: ipSecHandler, log: log.NewLogger("ipsec-spd-descriptor"), - spdIDSeq: 1, } } @@ -80,8 +64,7 @@ func (d *IPSecSPDDescriptor) GetDescriptor() *adapter.SPDDescriptor { KeySelector: ipsec.ModelSecurityPolicyDatabase.IsKeyValid, KeyLabel: ipsec.ModelSecurityPolicyDatabase.StripKeyPrefix, ValueComparator: d.EquivalentIPSecSPDs, - WithMetadata: true, - MetadataMapFactory: d.MetadataFactory, + Validate: d.Validate, Create: d.Create, Delete: d.Delete, Retrieve: d.Retrieve, @@ -90,50 +73,33 @@ func (d *IPSecSPDDescriptor) GetDescriptor() *adapter.SPDDescriptor { } } -// EquivalentIPSecSPDs is case-insensitive comparison function for -// ipsec.SecurityPolicyDatabase, also ignoring the order of assigned -// interfaces and/or policy entries. +// EquivalentIPSecSPDs always returns true because all non-key attributes are derived out. func (d *IPSecSPDDescriptor) EquivalentIPSecSPDs(key string, oldSPD, newSPD *ipsec.SecurityPolicyDatabase) bool { - // SPD interfaces - obsoleteIfs, newIfs := calculateInterfacesDiff(oldSPD.GetInterfaces(), newSPD.GetInterfaces()) - if len(obsoleteIfs) != 0 || len(newIfs) != 0 { - return false - } - - // SPD policy entries - obsoletePes, newPes := calculatePolicyEntriesDiff(oldSPD.GetPolicyEntries(), newSPD.GetPolicyEntries()) - return len(obsoletePes) == 0 && len(newPes) == 0 + return true } -// MetadataFactory is a factory for index-map customized for VPP security policy databases. -func (d *IPSecSPDDescriptor) MetadataFactory() idxmap.NamedMappingRW { - return idxvpp.NewNameToIndex(d.log, "vpp-spd-index", nil) +// Validate validates IPSec SPD configuration. +func (d *IPSecSPDDescriptor) Validate(key string, spd *ipsec.SecurityPolicyDatabase) (err error) { + if len(spd.GetPolicyEntries()) != 0 { + return ErrDeprecatedSPDPolicies + } + return nil } // Create adds a new IPSec security policy database. -func (d *IPSecSPDDescriptor) Create(key string, spd *ipsec.SecurityPolicyDatabase) (metadata *idxvpp.OnlyIndex, err error) { - // allocate new SPD ID - spdIdx := d.spdIDSeq - d.spdIDSeq++ - +func (d *IPSecSPDDescriptor) Create(key string, spd *ipsec.SecurityPolicyDatabase) (metadata interface{}, err error) { // create a new SPD with index - err = d.ipSecHandler.AddSPD(spdIdx) + err = d.ipSecHandler.AddSPD(spd.GetIndex()) if err != nil { - // Note: d.spdIDSeq will be refreshed by Dump d.log.Error(err) return nil, err } - - // fill the metadata - metadata = &idxvpp.OnlyIndex{ - Index: spdIdx, - } - return metadata, nil + return nil, nil } // Delete removes VPP IPSec security policy database. -func (d *IPSecSPDDescriptor) Delete(key string, spd *ipsec.SecurityPolicyDatabase, metadata *idxvpp.OnlyIndex) error { - err := d.ipSecHandler.DeleteSPD(metadata.GetIndex()) +func (d *IPSecSPDDescriptor) Delete(key string, spd *ipsec.SecurityPolicyDatabase, metadata interface{}) error { + err := d.ipSecHandler.DeleteSPD(spd.GetIndex()) if err != nil { d.log.Error(err) } @@ -142,6 +108,11 @@ func (d *IPSecSPDDescriptor) Delete(key string, spd *ipsec.SecurityPolicyDatabas // Retrieve returns all configured VPP security policy databases. func (d *IPSecSPDDescriptor) Retrieve(correlate []adapter.SPDKVWithMetadata) (dump []adapter.SPDKVWithMetadata, err error) { + nbCfg := map[uint32]*ipsec.SecurityPolicyDatabase{} + for _, spd := range correlate { + nbCfg[spd.Value.GetIndex()] = spd.Value + } + // dump security policy associations spds, err := d.ipSecHandler.DumpIPSecSPD() if err != nil { @@ -149,20 +120,18 @@ func (d *IPSecSPDDescriptor) Retrieve(correlate []adapter.SPDKVWithMetadata) (du return dump, err } for _, spd := range spds { + // Correlate interface assignments which are not properly dumped (bug in ipsec_spd_interface_dump) + spd.Interfaces = nbCfg[spd.GetIndex()].GetInterfaces() dump = append(dump, adapter.SPDKVWithMetadata{ - Key: ipsec.SPDKey(spd.Spd.Index), - Value: spd.Spd, - Metadata: &idxvpp.OnlyIndex{Index: spd.Spd.Index}, + Key: ipsec.SPDKey(spd.Index), + Value: spd, Origin: kvs.FromNB, }) } - return dump, nil } -// DerivedValues derives ipsec.SecurityPolicyDatabase_Interface for every interface assigned -// assigned to the SPD and ipsec.SecurityPolicyDatabase_PolicyEntry for every policy entry -// assigned to the SPD +// DerivedValues derives ipsec.SecurityPolicyDatabase_Interface for every interface assigned to the SPD. func (d *IPSecSPDDescriptor) DerivedValues(key string, spd *ipsec.SecurityPolicyDatabase) (derValues []kvs.KeyValuePair) { // SPD interfaces for _, spdIface := range spd.Interfaces { @@ -172,128 +141,5 @@ func (d *IPSecSPDDescriptor) DerivedValues(key string, spd *ipsec.SecurityPolicy }) } - // SPD policy entries - for _, spdPe := range spd.PolicyEntries { - derValues = append(derValues, kvs.KeyValuePair{ - Key: ipsec.SPDPolicyKey(spd.Index, spdPe.SaIndex), - Value: spdPe, - }) - } - return derValues -} - -// calculateInterfacesDiff compares two sets of SPD interfaces entries. -func calculateInterfacesDiff(oldIfs, newIfs []*ipsec.SecurityPolicyDatabase_Interface) (toRemove, toAdd []*ipsec.SecurityPolicyDatabase_Interface) { - // Resolve interfaces to add - for _, newIf := range newIfs { - var exists bool - for _, oldIf := range oldIfs { - if newIf.Name == oldIf.Name { - exists = true - break - } - } - if !exists { - toAdd = append(toAdd, newIf) - } - } - // Resolve interfaces to remove - for _, oldIf := range oldIfs { - var exists bool - for _, newIf := range newIfs { - if oldIf.Name == newIf.Name { - exists = true - break - } - } - if !exists { - toRemove = append(toRemove, oldIf) - } - } - - return toAdd, toRemove -} - -// calculateInterfacesDiff compares two sets of SPD interfaces entries. -func calculatePolicyEntriesDiff(oldPes, newPes []*ipsec.SecurityPolicyDatabase_PolicyEntry) (toRemove, toAdd []*ipsec.SecurityPolicyDatabase_PolicyEntry) { - // Resolve interfaces to add - for _, newPe := range newPes { - var exists bool - for _, oldPe := range oldPes { - if equalPolicyEntries(newPe, oldPe) { - exists = true - break - } - } - if !exists { - toAdd = append(toAdd, newPe) - } - } - // Resolve interfaces to remove - for _, oldPe := range oldPes { - var exists bool - for _, newPe := range newPes { - if equalPolicyEntries(newPe, oldPe) { - exists = true - break - } - } - if !exists { - toRemove = append(toRemove, oldPe) - } - } - - return toAdd, toRemove -} - -// equalPolicyEntries compares two SPD policy entries for equality. -func equalPolicyEntries(pe1, pe2 *ipsec.SecurityPolicyDatabase_PolicyEntry) bool { - if !equalPolicyEntriesBase(pe1, pe2) { - return false - } - - // compare remote start addresses - if !equalPolicyEntriesIPAddress(pe1.RemoteAddrStart, pe2.RemoteAddrStop) { - return false - } - - // compare remote stop addresses - if !equalPolicyEntriesIPAddress(pe1.RemoteAddrStop, pe2.RemoteAddrStop) { - return false - } - - // compare local start addresses - if !equalPolicyEntriesIPAddress(pe1.LocalAddrStart, pe2.LocalAddrStart) { - return false - } - - // compare local stop addresses - if !equalPolicyEntriesIPAddress(pe1.LocalAddrStop, pe2.LocalAddrStop) { - return false - } - - return true -} - -// equalPolicyEntriesBase compares base parameters of two policy entries (except IP addresses) -func equalPolicyEntriesBase(pe1, pe2 *ipsec.SecurityPolicyDatabase_PolicyEntry) bool { - return pe1.Priority == pe2.Priority && - pe1.IsOutbound == pe2.IsOutbound && - pe1.Protocol == pe2.Protocol && - pe1.RemotePortStart == pe2.RemotePortStart && - pe1.RemotePortStop == pe2.RemotePortStop && - pe1.LocalPortStart == pe2.LocalPortStop && - pe1.Action == pe2.Action -} - -// equalPolicyEntriesIPAddress compare two policy entries IP addresses -func equalPolicyEntriesIPAddress(peIP1, peIP2 string) bool { - ip1 := net.ParseIP(peIP1) - ip2 := net.ParseIP(peIP2) - if ip1 == nil || ip2 == nil { - // if parsing fails, compare as strings - return strings.ToLower(peIP1) != strings.ToLower(peIP2) - } - return ip1.Equal(ip2) -} +} \ No newline at end of file diff --git a/plugins/vpp/ipsecplugin/descriptor/spd_policy.go b/plugins/vpp/ipsecplugin/descriptor/spd_policy.go deleted file mode 100644 index 0680d4f6ba..0000000000 --- a/plugins/vpp/ipsecplugin/descriptor/spd_policy.go +++ /dev/null @@ -1,154 +0,0 @@ -// Copyright (c) 2018 Cisco and/or its affiliates. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at: -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package descriptor - -import ( - "strconv" - - "github.com/golang/protobuf/proto" - "github.com/pkg/errors" - "go.ligato.io/cn-infra/v2/logging" - - kvs "go.ligato.io/vpp-agent/v3/plugins/kvscheduler/api" - "go.ligato.io/vpp-agent/v3/plugins/vpp/ipsecplugin/descriptor/adapter" - "go.ligato.io/vpp-agent/v3/plugins/vpp/ipsecplugin/vppcalls" - ipsec "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec" -) - -const ( - // SPDPolicyDescriptorName is the name of the descriptor for bindings between - // VPP IPSec security policy database and policy database (security association). - SPDPolicyDescriptorName = "vpp-spd-policy" - - // dependency labels - policyDep = "policy-exists" -) - -// SPDPolicyDescriptor teaches KVScheduler how to put policy database into VPP -// security policy database -type SPDPolicyDescriptor struct { - // dependencies - log logging.Logger - ipSecHandler vppcalls.IPSecVppAPI -} - -// NewSPDPolicyDescriptor creates a new instance of the SPDPolicy descriptor. -func NewSPDPolicyDescriptor(ipSecHandler vppcalls.IPSecVppAPI, log logging.PluginLogger) *SPDPolicyDescriptor { - return &SPDPolicyDescriptor{ - log: log.NewLogger("spd-policy-descriptor"), - ipSecHandler: ipSecHandler, - } -} - -// GetDescriptor returns descriptor suitable for registration (via adapter) with -// the KVScheduler. -func (d *SPDPolicyDescriptor) GetDescriptor() *adapter.SPDPolicyDescriptor { - return &adapter.SPDPolicyDescriptor{ - Name: SPDPolicyDescriptorName, - KeySelector: d.IsSPDPolicyKey, - ValueTypeName: proto.MessageName(&ipsec.SecurityPolicyDatabase{}), - Create: d.Create, - Delete: d.Delete, - Dependencies: d.Dependencies, - } -} - -// IsSPDPolicyKey returns true if the key is identifying binding between -// VPP security policy database and security association within policy. -func (d *SPDPolicyDescriptor) IsSPDPolicyKey(key string) bool { - _, _, isSPDPolicyKey := ipsec.ParseSPDPolicyKey(key) - return isSPDPolicyKey -} - -// Create puts policy into security policy database. -func (d *SPDPolicyDescriptor) Create(key string, policy *ipsec.SecurityPolicyDatabase_PolicyEntry) (metadata interface{}, err error) { - // get security policy database index - spdIdx, saIndex, isSPDPolicyKey := ipsec.ParseSPDPolicyKey(key) - if !isSPDPolicyKey { - err = errors.Errorf("provided key is not a derived SPD <=> Policy binding key %s", key) - d.log.Error(err) - return nil, err - } - - // convert SPD to numeric index - spdID, err := strconv.Atoi(spdIdx) - if err != nil { - err = errors.Errorf("provided SPD index is not a valid value %s", spdIdx) - d.log.Error(err) - return nil, err - } - - // convert SA to numeric index - saID, err := strconv.Atoi(saIndex) - if err != nil { - err = errors.Errorf("provided SA index is not a valid value %s", spdIdx) - d.log.Error(err) - return nil, err - } - - // put policy into the security policy database - err = d.ipSecHandler.AddSPDEntry(uint32(spdID), uint32(saID), policy) - if err != nil { - d.log.Error(err) - return nil, err - - } - return nil, nil -} - -// Delete removes policy from security policy database. -func (d *SPDPolicyDescriptor) Delete(key string, policy *ipsec.SecurityPolicyDatabase_PolicyEntry, metadata interface{}) (err error) { - // get security policy database index - spdIdx, saIndex, isSPDPolicyKey := ipsec.ParseSPDPolicyKey(key) - if !isSPDPolicyKey { - err = errors.Errorf("provided key is not a derived SPD <=> Policy binding key %s", key) - d.log.Error(err) - return err - } - - // convert SPD to numeric index - spdID, err := strconv.Atoi(spdIdx) - if err != nil { - err = errors.Errorf("provided SPD index is not a valid value %s", spdIdx) - d.log.Error(err) - return err - } - - // convert SA to numeric index - saID, err := strconv.Atoi(saIndex) - if err != nil { - err = errors.Errorf("provided SA index is not a valid value %s", spdIdx) - d.log.Error(err) - return err - } - - err = d.ipSecHandler.DeleteSPDEntry(uint32(spdID), uint32(saID), policy) - if err != nil { - d.log.Error(err) - return err - - } - return nil -} - -// Dependencies lists the security association as the only dependency for the binding. -func (d *SPDPolicyDescriptor) Dependencies(key string, value *ipsec.SecurityPolicyDatabase_PolicyEntry) []kvs.Dependency { - return []kvs.Dependency{ - { - Label: policyDep, - Key: ipsec.SAKey(value.SaIndex), - }, - } -} diff --git a/plugins/vpp/ipsecplugin/ipsecplugin.go b/plugins/vpp/ipsecplugin/ipsecplugin.go index ac836db4b9..806d3d282c 100644 --- a/plugins/vpp/ipsecplugin/ipsecplugin.go +++ b/plugins/vpp/ipsecplugin/ipsecplugin.go @@ -12,9 +12,9 @@ // See the License for the specific language governing permissions and // limitations under the License. -//go:generate descriptor-adapter --descriptor-name SPD --value-type *vpp_ipsec.SecurityPolicyDatabase --meta-type *idxvpp.OnlyIndex --import "go.ligato.io/vpp-agent/v3/pkg/idxvpp" --import "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec" --output-dir "descriptor" +//go:generate descriptor-adapter --descriptor-name SPD --value-type *vpp_ipsec.SecurityPolicyDatabase --import "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec" --output-dir "descriptor" //go:generate descriptor-adapter --descriptor-name SPDInterface --value-type *vpp_ipsec.SecurityPolicyDatabase_Interface --import "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec" --output-dir "descriptor" -//go:generate descriptor-adapter --descriptor-name SPDPolicy --value-type *vpp_ipsec.SecurityPolicyDatabase_PolicyEntry --import "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec" --output-dir "descriptor" +//go:generate descriptor-adapter --descriptor-name SP --value-type *vpp_ipsec.SecurityPolicy --import "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec" --output-dir "descriptor" //go:generate descriptor-adapter --descriptor-name SA --value-type *vpp_ipsec.SecurityAssociation --import "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec" --output-dir "descriptor" //go:generate descriptor-adapter --descriptor-name TunProtect --value-type *vpp_ipsec.TunnelProtection --import "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec" --output-dir "descriptor" @@ -55,7 +55,6 @@ type IPSecPlugin struct { spdDescriptor *descriptor.IPSecSPDDescriptor saDescriptor *descriptor.IPSecSADescriptor spdIfDescriptor *descriptor.SPDInterfaceDescriptor - spdPolicyDescriptor *descriptor.SPDPolicyDescriptor tunProtectDescriptor *descriptor.TunnelProtectDescriptor } @@ -84,6 +83,13 @@ func (p *IPSecPlugin) Init() (err error) { return err } + // init and register security policy descriptor + spDescriptor := descriptor.NewIPSecSPDescriptor(p.ipSecHandler, p.Log) + err = p.KVScheduler.RegisterKVDescriptor(spDescriptor) + if err != nil { + return err + } + // init and register security association descriptor p.saDescriptor = descriptor.NewIPSecSADescriptor(p.ipSecHandler, p.Log) saDescriptor := adapter.NewSADescriptor(p.saDescriptor.GetDescriptor()) @@ -108,13 +114,6 @@ func (p *IPSecPlugin) Init() (err error) { return err } - p.spdPolicyDescriptor = descriptor.NewSPDPolicyDescriptor(p.ipSecHandler, p.Log) - spdPolicyDescriptor := adapter.NewSPDPolicyDescriptor(p.spdPolicyDescriptor.GetDescriptor()) - err = p.KVScheduler.RegisterKVDescriptor(spdPolicyDescriptor) - if err != nil { - return err - } - return nil } diff --git a/plugins/vpp/ipsecplugin/vppcalls/ipsec_vppcalls.go b/plugins/vpp/ipsecplugin/vppcalls/ipsec_vppcalls.go index e39d607b4e..556dc572d3 100644 --- a/plugins/vpp/ipsecplugin/vppcalls/ipsec_vppcalls.go +++ b/plugins/vpp/ipsecplugin/vppcalls/ipsec_vppcalls.go @@ -50,21 +50,6 @@ type IPSecSaMeta struct { TotalDataSize uint64 } -// IPSecSpdDetails represents IPSec policy databases with particular metadata -type IPSecSpdDetails struct { - Spd *ipsec.SecurityPolicyDatabase - PolicyMeta map[string]*SpdMeta // SA index name is a key - NumPolicies uint32 -} - -// SpdMeta hold VPP-specific data related to SPD -type SpdMeta struct { - SaID uint32 - Policy uint8 - Bytes uint64 - Packets uint64 -} - // IPSecVppAPI provides methods for creating and managing of a IPsec configuration type IPSecVppAPI interface { IPSecVPPRead @@ -77,10 +62,10 @@ type IPSecVppAPI interface { AddSPDInterface(spdID uint32, iface *ipsec.SecurityPolicyDatabase_Interface) error // DeleteSPDInterface deletes SPD interface assignment from VPP via binary API DeleteSPDInterface(spdID uint32, iface *ipsec.SecurityPolicyDatabase_Interface) error - // AddSPDEntry adds SPD policy entry to VPP via binary API - AddSPDEntry(spdID, saID uint32, spd *ipsec.SecurityPolicyDatabase_PolicyEntry) error - // DeleteSPDEntry deletes SPD policy entry from VPP via binary API - DeleteSPDEntry(spdID, saID uint32, spd *ipsec.SecurityPolicyDatabase_PolicyEntry) error + // AddSP adds security policy to VPP via binary API + AddSP(sp *ipsec.SecurityPolicy) error + // DeleteSP deletes security policy from VPP via binary API + DeleteSP(sp *ipsec.SecurityPolicy) error // AddSA adds SA to VPP via binary API AddSA(sa *ipsec.SecurityAssociation) error // DeleteSA deletes SA from VPP via binary API @@ -96,7 +81,9 @@ type IPSecVppAPI interface { // IPSecVPPRead provides read methods for IPSec type IPSecVPPRead interface { // DumpIPSecSPD returns a list of IPSec security policy databases - DumpIPSecSPD() (spdList []*IPSecSpdDetails, err error) + DumpIPSecSPD() (spdList []*ipsec.SecurityPolicyDatabase, err error) + // DumpIPSecSP returns a list of configured security policies + DumpIPSecSP() (spList []*ipsec.SecurityPolicy, err error) // DumpIPSecSA returns a list of configured security associations DumpIPSecSA() (saList []*IPSecSaDetails, err error) // DumpIPSecSAWithIndex returns a security association with provided index diff --git a/plugins/vpp/ipsecplugin/vppcalls/vpp1904/dump_vppcalls.go b/plugins/vpp/ipsecplugin/vppcalls/vpp1904/dump_vppcalls.go index a87fae84ea..12869de579 100644 --- a/plugins/vpp/ipsecplugin/vppcalls/vpp1904/dump_vppcalls.go +++ b/plugins/vpp/ipsecplugin/vppcalls/vpp1904/dump_vppcalls.go @@ -16,10 +16,8 @@ package vpp1904 import ( "encoding/hex" - "net" - "strconv" - "github.com/pkg/errors" + "net" ipsecapi "go.ligato.io/vpp-agent/v3/plugins/vpp/binapi/vpp1904/ipsec" "go.ligato.io/vpp-agent/v3/plugins/vpp/ipsecplugin/vppcalls" @@ -91,24 +89,35 @@ func (h *IPSecVppHandler) DumpIPSecSAWithIndex(saID uint32) (saList []*vppcalls. return saList, nil } -// DumpIPSecSPD implements IPSec handler. -func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*vppcalls.IPSecSpdDetails, err error) { - metadata := make(map[string]*vppcalls.SpdMeta) - - // TODO dump IPSec SPD interfaces is not available in current VPP version +// DumpIPSecSPD returns a list of IPSec security policy databases +func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*ipsec.SecurityPolicyDatabase, err error) { + // Note: dump IPSec SPD interfaces is not available in this VPP version // Get all VPP SPD indexes spdIndexes, err := h.dumpSpdIndexes() if err != nil { return nil, errors.Errorf("failed to dump SPD indexes: %v", err) } - for spdIdx, numPolicies := range spdIndexes { + for spdIdx, _ := range spdIndexes { spd := &ipsec.SecurityPolicyDatabase{ - Index: uint32(spdIdx), + Index: spdIdx, } + spdList = append(spdList, spd) + } + return spdList, nil +} + +// DumpIPSecSP returns a list of configured security policies +func (h *IPSecVppHandler) DumpIPSecSP() (spList []*ipsec.SecurityPolicy, err error) { + // Get all VPP SPD indexes + spdIndexes, err := h.dumpSpdIndexes() + if err != nil { + return nil, errors.Errorf("failed to dump SPD indexes: %v", err) + } + for spdIdx, _ := range spdIndexes { req := &ipsecapi.IpsecSpdDump{ - SpdID: uint32(spdIdx), + SpdID: spdIdx, SaID: ^uint32(0), } requestCtx := h.callsChannel.SendMultiRequest(req) @@ -124,11 +133,14 @@ func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*vppcalls.IPSecSpdDetails, e } // Addresses - remoteStartAddr, remoteStopAddr := ipsecAddrToIP(spdDetails.Entry.RemoteAddressStart), ipsecAddrToIP(spdDetails.Entry.RemoteAddressStop) - localStartAddr, localStopAddr := ipsecAddrToIP(spdDetails.Entry.LocalAddressStart), ipsecAddrToIP(spdDetails.Entry.LocalAddressStop) + remoteStartAddr := ipsecAddrToIP(spdDetails.Entry.RemoteAddressStart) + remoteStopAddr := ipsecAddrToIP(spdDetails.Entry.RemoteAddressStop) + localStartAddr := ipsecAddrToIP(spdDetails.Entry.LocalAddressStart) + localStopAddr := ipsecAddrToIP(spdDetails.Entry.LocalAddressStop) // Prepare policy entry and put to the SPD - policyEntry := &ipsec.SecurityPolicyDatabase_PolicyEntry{ + sp := &ipsec.SecurityPolicy{ + SpdIndex: spdIdx, SaIndex: spdDetails.Entry.SaID, Priority: spdDetails.Entry.Priority, IsOutbound: uintToBool(spdDetails.Entry.IsOutbound), @@ -141,28 +153,12 @@ func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*vppcalls.IPSecSpdDetails, e RemotePortStop: resetPort(spdDetails.Entry.RemotePortStop), LocalPortStart: uint32(spdDetails.Entry.LocalPortStart), LocalPortStop: resetPort(spdDetails.Entry.LocalPortStop), - Action: ipsec.SecurityPolicyDatabase_PolicyEntry_Action(spdDetails.Entry.Policy), + Action: ipsec.SecurityPolicy_Action(spdDetails.Entry.Policy), } - spd.PolicyEntries = append(spd.PolicyEntries, policyEntry) - - // Prepare meta and put to the metadata map - meta := &vppcalls.SpdMeta{ - SaID: spdDetails.Entry.SaID, - Policy: uint8(spdDetails.Entry.Policy), - //Bytes: spdDetails.Bytes, - //Packets: spdDetails.Packets, - } - metadata[strconv.Itoa(int(spdDetails.Entry.SaID))] = meta + spList = append(spList, sp) } - // Store SPD in list - spdList = append(spdList, &vppcalls.IPSecSpdDetails{ - Spd: spd, - PolicyMeta: metadata, - NumPolicies: numPolicies, - }) } - - return spdList, nil + return spList, nil } // DumpTunnelProtections returns configured IPSec tunnel protections. @@ -171,9 +167,9 @@ func (h *IPSecVppHandler) DumpTunnelProtections() (tpList []*ipsec.TunnelProtect } // Get all indexes of SPD configured on the VPP -func (h *IPSecVppHandler) dumpSpdIndexes() (map[int]uint32, error) { +func (h *IPSecVppHandler) dumpSpdIndexes() (map[uint32]uint32, error) { // SPD index to number of policies - spdIndexes := make(map[int]uint32) + spdIndexes := make(map[uint32]uint32) req := &ipsecapi.IpsecSpdsDump{} reqCtx := h.callsChannel.SendMultiRequest(req) @@ -188,7 +184,7 @@ func (h *IPSecVppHandler) dumpSpdIndexes() (map[int]uint32, error) { return nil, err } - spdIndexes[int(spdDetails.SpdID)] = spdDetails.Npolicies + spdIndexes[spdDetails.SpdID] = spdDetails.Npolicies } return spdIndexes, nil diff --git a/plugins/vpp/ipsecplugin/vppcalls/vpp1904/ipsec_vppcalls.go b/plugins/vpp/ipsecplugin/vppcalls/vpp1904/ipsec_vppcalls.go index 78c6469205..e0b99b910d 100644 --- a/plugins/vpp/ipsecplugin/vppcalls/vpp1904/ipsec_vppcalls.go +++ b/plugins/vpp/ipsecplugin/vppcalls/vpp1904/ipsec_vppcalls.go @@ -36,13 +36,13 @@ func (h *IPSecVppHandler) DeleteSPD(spdID uint32) error { } // AddSPDEntry implements IPSec handler. -func (h *IPSecVppHandler) AddSPDEntry(spdID, saID uint32, spd *ipsec.SecurityPolicyDatabase_PolicyEntry) error { - return h.spdAddDelEntry(spdID, saID, spd, true) +func (h *IPSecVppHandler) AddSP(sp *ipsec.SecurityPolicy) error { + return h.spdAddDelEntry(sp, true) } // DeleteSPDEntry implements IPSec handler. -func (h *IPSecVppHandler) DeleteSPDEntry(spdID, saID uint32, spd *ipsec.SecurityPolicyDatabase_PolicyEntry) error { - return h.spdAddDelEntry(spdID, saID, spd, false) +func (h *IPSecVppHandler) DeleteSP(sp *ipsec.SecurityPolicy) error { + return h.spdAddDelEntry(sp, false) } // AddSPDInterface implements IPSec handler. @@ -102,20 +102,20 @@ func (h *IPSecVppHandler) spdAddDel(spdID uint32, isAdd bool) error { return nil } -func (h *IPSecVppHandler) spdAddDelEntry(spdID, saID uint32, spd *ipsec.SecurityPolicyDatabase_PolicyEntry, isAdd bool) error { +func (h *IPSecVppHandler) spdAddDelEntry(sp *ipsec.SecurityPolicy, isAdd bool) error { req := &api.IpsecSpdEntryAddDel{ IsAdd: boolToUint(isAdd), Entry: api.IpsecSpdEntry{ - SpdID: spdID, - Priority: spd.Priority, - IsOutbound: boolToUint(spd.IsOutbound), - Protocol: uint8(spd.Protocol), - RemotePortStart: uint16(spd.RemotePortStart), - RemotePortStop: uint16(spd.RemotePortStop), - LocalPortStart: uint16(spd.LocalPortStart), - LocalPortStop: uint16(spd.LocalPortStop), - Policy: api.IpsecSpdAction(spd.Action), - SaID: saID, + SpdID: sp.SpdIndex, + Priority: sp.Priority, + IsOutbound: boolToUint(sp.IsOutbound), + Protocol: uint8(sp.Protocol), + RemotePortStart: uint16(sp.RemotePortStart), + RemotePortStop: uint16(sp.RemotePortStop), + LocalPortStart: uint16(sp.LocalPortStart), + LocalPortStop: uint16(sp.LocalPortStop), + Policy: api.IpsecSpdAction(sp.Action), + SaID: sp.SaIndex, }, } if req.Entry.RemotePortStop == 0 { @@ -126,19 +126,19 @@ func (h *IPSecVppHandler) spdAddDelEntry(spdID, saID uint32, spd *ipsec.Security } var err error - req.Entry.RemoteAddressStart, err = IPToAddress(ipOr(spd.RemoteAddrStart, "0.0.0.0")) + req.Entry.RemoteAddressStart, err = IPToAddress(ipOr(sp.RemoteAddrStart, "0.0.0.0")) if err != nil { return err } - req.Entry.RemoteAddressStop, err = IPToAddress(ipOr(spd.RemoteAddrStop, "255.255.255.255")) + req.Entry.RemoteAddressStop, err = IPToAddress(ipOr(sp.RemoteAddrStop, "255.255.255.255")) if err != nil { return err } - req.Entry.LocalAddressStart, err = IPToAddress(ipOr(spd.LocalAddrStart, "0.0.0.0")) + req.Entry.LocalAddressStart, err = IPToAddress(ipOr(sp.LocalAddrStart, "0.0.0.0")) if err != nil { return err } - req.Entry.LocalAddressStop, err = IPToAddress(ipOr(spd.LocalAddrStop, "255.255.255.255")) + req.Entry.LocalAddressStop, err = IPToAddress(ipOr(sp.LocalAddrStop, "255.255.255.255")) if err != nil { return err } @@ -151,6 +151,7 @@ func (h *IPSecVppHandler) spdAddDelEntry(spdID, saID uint32, spd *ipsec.Security return nil } + func ipOr(s, o string) string { if s != "" { return s diff --git a/plugins/vpp/ipsecplugin/vppcalls/vpp1904/ipsec_vppcalls_test.go b/plugins/vpp/ipsecplugin/vppcalls/vpp1904/ipsec_vppcalls_test.go index 100df996b1..418e1500dd 100644 --- a/plugins/vpp/ipsecplugin/vppcalls/vpp1904/ipsec_vppcalls_test.go +++ b/plugins/vpp/ipsecplugin/vppcalls/vpp1904/ipsec_vppcalls_test.go @@ -68,14 +68,15 @@ func TestVppDelSPD(t *testing.T) { })) } -func TestVppAddSPDEntry(t *testing.T) { +func TestVppAddSP(t *testing.T) { ctx, ipSecHandler, _ := ipSecTestSetup(t) defer ctx.TeardownTestCtx() ctx.MockVpp.MockReply(&ipsec.IpsecSpdEntryAddDelReply{}) - err := ipSecHandler.AddSPDEntry(10, 5, &ipsec2.SecurityPolicyDatabase_PolicyEntry{ + err := ipSecHandler.AddSP(&ipsec2.SecurityPolicy{ SaIndex: 5, + SpdIndex: 10, Priority: 10, IsOutbound: true, }) @@ -98,13 +99,14 @@ func TestVppAddSPDEntry(t *testing.T) { })) } -func TestVppDelSPDEntry(t *testing.T) { +func TestVppDelSP(t *testing.T) { ctx, ipSecHandler, _ := ipSecTestSetup(t) defer ctx.TeardownTestCtx() ctx.MockVpp.MockReply(&ipsec.IpsecSpdEntryAddDelReply{}) - err := ipSecHandler.DeleteSPDEntry(10, 2, &ipsec2.SecurityPolicyDatabase_PolicyEntry{ + err := ipSecHandler.DeleteSP(&ipsec2.SecurityPolicy{ + SpdIndex: 10, SaIndex: 2, Priority: 5, IsOutbound: true, diff --git a/plugins/vpp/ipsecplugin/vppcalls/vpp1908/dump_vppcalls.go b/plugins/vpp/ipsecplugin/vppcalls/vpp1908/dump_vppcalls.go index eb3726fab0..3860e9eb69 100644 --- a/plugins/vpp/ipsecplugin/vppcalls/vpp1908/dump_vppcalls.go +++ b/plugins/vpp/ipsecplugin/vppcalls/vpp1908/dump_vppcalls.go @@ -18,7 +18,6 @@ import ( "encoding/hex" vpp_ipsec "go.ligato.io/vpp-agent/v3/plugins/vpp/binapi/vpp2001/ipsec" "net" - "strconv" "github.com/pkg/errors" @@ -92,24 +91,35 @@ func (h *IPSecVppHandler) DumpIPSecSAWithIndex(saID uint32) (saList []*vppcalls. return saList, nil } -// DumpIPSecSPD implements IPSec handler. -func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*vppcalls.IPSecSpdDetails, err error) { - metadata := make(map[string]*vppcalls.SpdMeta) - - // TODO dump IPSec SPD interfaces is not available in current VPP version +// DumpIPSecSPD returns a list of IPSec security policy databases +func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*ipsec.SecurityPolicyDatabase, err error) { + // Note: dump IPSec SPD interfaces is not available in this VPP version // Get all VPP SPD indexes spdIndexes, err := h.dumpSpdIndexes() if err != nil { return nil, errors.Errorf("failed to dump SPD indexes: %v", err) } - for spdIdx, numPolicies := range spdIndexes { + for spdIdx, _ := range spdIndexes { spd := &ipsec.SecurityPolicyDatabase{ - Index: uint32(spdIdx), + Index: spdIdx, } + spdList = append(spdList, spd) + } + + return spdList, nil +} +// DumpIPSecSP returns a list of configured security policies +func (h *IPSecVppHandler) DumpIPSecSP() (spList []*ipsec.SecurityPolicy, err error) { + // Get all VPP SPD indexes + spdIndexes, err := h.dumpSpdIndexes() + if err != nil { + return nil, errors.Errorf("failed to dump SPD indexes: %v", err) + } + for spdIdx, _ := range spdIndexes { req := &ipsecapi.IpsecSpdDump{ - SpdID: uint32(spdIdx), + SpdID: spdIdx, SaID: ^uint32(0), } requestCtx := h.callsChannel.SendMultiRequest(req) @@ -125,11 +135,14 @@ func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*vppcalls.IPSecSpdDetails, e } // Addresses - remoteStartAddr, remoteStopAddr := ipsecAddrToIP(spdDetails.Entry.RemoteAddressStart), ipsecAddrToIP(spdDetails.Entry.RemoteAddressStop) - localStartAddr, localStopAddr := ipsecAddrToIP(spdDetails.Entry.LocalAddressStart), ipsecAddrToIP(spdDetails.Entry.LocalAddressStop) + remoteStartAddr := ipsecAddrToIP(spdDetails.Entry.RemoteAddressStart) + remoteStopAddr := ipsecAddrToIP(spdDetails.Entry.RemoteAddressStop) + localStartAddr := ipsecAddrToIP(spdDetails.Entry.LocalAddressStart) + localStopAddr := ipsecAddrToIP(spdDetails.Entry.LocalAddressStop) // Prepare policy entry and put to the SPD - policyEntry := &ipsec.SecurityPolicyDatabase_PolicyEntry{ + sp := &ipsec.SecurityPolicy{ + SpdIndex: spdIdx, SaIndex: spdDetails.Entry.SaID, Priority: spdDetails.Entry.Priority, IsOutbound: uintToBool(spdDetails.Entry.IsOutbound), @@ -142,28 +155,12 @@ func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*vppcalls.IPSecSpdDetails, e RemotePortStop: resetPort(spdDetails.Entry.RemotePortStop), LocalPortStart: uint32(spdDetails.Entry.LocalPortStart), LocalPortStop: resetPort(spdDetails.Entry.LocalPortStop), - Action: ipsec.SecurityPolicyDatabase_PolicyEntry_Action(spdDetails.Entry.Policy), - } - spd.PolicyEntries = append(spd.PolicyEntries, policyEntry) - - // Prepare meta and put to the metadata map - meta := &vppcalls.SpdMeta{ - SaID: spdDetails.Entry.SaID, - Policy: uint8(spdDetails.Entry.Policy), - //Bytes: spdDetails.Bytes, - //Packets: spdDetails.Packets, + Action: ipsec.SecurityPolicy_Action(spdDetails.Entry.Policy), } - metadata[strconv.Itoa(int(spdDetails.Entry.SaID))] = meta + spList = append(spList, sp) } - // Store SPD in list - spdList = append(spdList, &vppcalls.IPSecSpdDetails{ - Spd: spd, - PolicyMeta: metadata, - NumPolicies: numPolicies, - }) } - - return spdList, nil + return spList, nil } // DumpTunnelProtections returns configured IPSec tunnel protections. @@ -197,9 +194,9 @@ func (h *IPSecVppHandler) DumpTunnelProtections() (tpList []*ipsec.TunnelProtect } // Get all indexes of SPD configured on the VPP -func (h *IPSecVppHandler) dumpSpdIndexes() (map[int]uint32, error) { +func (h *IPSecVppHandler) dumpSpdIndexes() (map[uint32]uint32, error) { // SPD index to number of policies - spdIndexes := make(map[int]uint32) + spdIndexes := make(map[uint32]uint32) req := &ipsecapi.IpsecSpdsDump{} reqCtx := h.callsChannel.SendMultiRequest(req) @@ -214,7 +211,7 @@ func (h *IPSecVppHandler) dumpSpdIndexes() (map[int]uint32, error) { return nil, err } - spdIndexes[int(spdDetails.SpdID)] = spdDetails.Npolicies + spdIndexes[spdDetails.SpdID] = spdDetails.Npolicies } return spdIndexes, nil diff --git a/plugins/vpp/ipsecplugin/vppcalls/vpp1908/ipsec_vppcalls.go b/plugins/vpp/ipsecplugin/vppcalls/vpp1908/ipsec_vppcalls.go index 895bfc3e93..b61b86e801 100644 --- a/plugins/vpp/ipsecplugin/vppcalls/vpp1908/ipsec_vppcalls.go +++ b/plugins/vpp/ipsecplugin/vppcalls/vpp1908/ipsec_vppcalls.go @@ -34,13 +34,13 @@ func (h *IPSecVppHandler) DeleteSPD(spdID uint32) error { } // AddSPDEntry implements IPSec handler. -func (h *IPSecVppHandler) AddSPDEntry(spdID, saID uint32, spd *ipsec.SecurityPolicyDatabase_PolicyEntry) error { - return h.spdAddDelEntry(spdID, saID, spd, true) +func (h *IPSecVppHandler) AddSP(sp *ipsec.SecurityPolicy) error { + return h.spdAddDelEntry(sp, true) } // DeleteSPDEntry implements IPSec handler. -func (h *IPSecVppHandler) DeleteSPDEntry(spdID, saID uint32, spd *ipsec.SecurityPolicyDatabase_PolicyEntry) error { - return h.spdAddDelEntry(spdID, saID, spd, false) +func (h *IPSecVppHandler) DeleteSP(sp *ipsec.SecurityPolicy) error { + return h.spdAddDelEntry(sp, false) } // AddSPDInterface implements IPSec handler. @@ -112,20 +112,20 @@ func (h *IPSecVppHandler) spdAddDel(spdID uint32, isAdd bool) error { return nil } -func (h *IPSecVppHandler) spdAddDelEntry(spdID, saID uint32, spd *ipsec.SecurityPolicyDatabase_PolicyEntry, isAdd bool) error { +func (h *IPSecVppHandler) spdAddDelEntry(sp *ipsec.SecurityPolicy, isAdd bool) error { req := &api.IpsecSpdEntryAddDel{ IsAdd: boolToUint(isAdd), Entry: api.IpsecSpdEntry{ - SpdID: spdID, - Priority: spd.Priority, - IsOutbound: boolToUint(spd.IsOutbound), - Protocol: uint8(spd.Protocol), - RemotePortStart: uint16(spd.RemotePortStart), - RemotePortStop: uint16(spd.RemotePortStop), - LocalPortStart: uint16(spd.LocalPortStart), - LocalPortStop: uint16(spd.LocalPortStop), - Policy: api.IpsecSpdAction(spd.Action), - SaID: saID, + SpdID: sp.SpdIndex, + Priority: sp.Priority, + IsOutbound: boolToUint(sp.IsOutbound), + Protocol: uint8(sp.Protocol), + RemotePortStart: uint16(sp.RemotePortStart), + RemotePortStop: uint16(sp.RemotePortStop), + LocalPortStart: uint16(sp.LocalPortStart), + LocalPortStop: uint16(sp.LocalPortStop), + Policy: api.IpsecSpdAction(sp.Action), + SaID: sp.SaIndex, }, } if req.Entry.RemotePortStop == 0 { @@ -136,19 +136,19 @@ func (h *IPSecVppHandler) spdAddDelEntry(spdID, saID uint32, spd *ipsec.Security } var err error - req.Entry.RemoteAddressStart, err = IPToAddress(ipOr(spd.RemoteAddrStart, "0.0.0.0")) + req.Entry.RemoteAddressStart, err = IPToAddress(ipOr(sp.RemoteAddrStart, "0.0.0.0")) if err != nil { return err } - req.Entry.RemoteAddressStop, err = IPToAddress(ipOr(spd.RemoteAddrStop, "255.255.255.255")) + req.Entry.RemoteAddressStop, err = IPToAddress(ipOr(sp.RemoteAddrStop, "255.255.255.255")) if err != nil { return err } - req.Entry.LocalAddressStart, err = IPToAddress(ipOr(spd.LocalAddrStart, "0.0.0.0")) + req.Entry.LocalAddressStart, err = IPToAddress(ipOr(sp.LocalAddrStart, "0.0.0.0")) if err != nil { return err } - req.Entry.LocalAddressStop, err = IPToAddress(ipOr(spd.LocalAddrStop, "255.255.255.255")) + req.Entry.LocalAddressStop, err = IPToAddress(ipOr(sp.LocalAddrStop, "255.255.255.255")) if err != nil { return err } @@ -161,6 +161,7 @@ func (h *IPSecVppHandler) spdAddDelEntry(spdID, saID uint32, spd *ipsec.Security return nil } + func ipOr(s, o string) string { if s != "" { return s diff --git a/plugins/vpp/ipsecplugin/vppcalls/vpp1908/ipsec_vppcalls_test.go b/plugins/vpp/ipsecplugin/vppcalls/vpp1908/ipsec_vppcalls_test.go index 90706ecfa9..bed5f4ef8a 100644 --- a/plugins/vpp/ipsecplugin/vppcalls/vpp1908/ipsec_vppcalls_test.go +++ b/plugins/vpp/ipsecplugin/vppcalls/vpp1908/ipsec_vppcalls_test.go @@ -68,14 +68,15 @@ func TestVppDelSPD(t *testing.T) { })) } -func TestVppAddSPDEntry(t *testing.T) { +func TestVppAddSP(t *testing.T) { ctx, ipSecHandler, _ := ipSecTestSetup(t) defer ctx.TeardownTestCtx() ctx.MockVpp.MockReply(&ipsec.IpsecSpdEntryAddDelReply{}) - err := ipSecHandler.AddSPDEntry(10, 5, &ipsec2.SecurityPolicyDatabase_PolicyEntry{ + err := ipSecHandler.AddSP(&ipsec2.SecurityPolicy{ SaIndex: 5, + SpdIndex: 10, Priority: 10, IsOutbound: true, }) @@ -98,13 +99,14 @@ func TestVppAddSPDEntry(t *testing.T) { })) } -func TestVppDelSPDEntry(t *testing.T) { +func TestVppDelSP(t *testing.T) { ctx, ipSecHandler, _ := ipSecTestSetup(t) defer ctx.TeardownTestCtx() ctx.MockVpp.MockReply(&ipsec.IpsecSpdEntryAddDelReply{}) - err := ipSecHandler.DeleteSPDEntry(10, 2, &ipsec2.SecurityPolicyDatabase_PolicyEntry{ + err := ipSecHandler.DeleteSP(&ipsec2.SecurityPolicy{ + SpdIndex: 10, SaIndex: 2, Priority: 5, IsOutbound: true, diff --git a/plugins/vpp/ipsecplugin/vppcalls/vpp2001/dump_vppcalls.go b/plugins/vpp/ipsecplugin/vppcalls/vpp2001/dump_vppcalls.go index 753955d76c..cd9ba796e6 100644 --- a/plugins/vpp/ipsecplugin/vppcalls/vpp2001/dump_vppcalls.go +++ b/plugins/vpp/ipsecplugin/vppcalls/vpp2001/dump_vppcalls.go @@ -17,7 +17,6 @@ package vpp2001 import ( "encoding/hex" "net" - "strconv" "github.com/pkg/errors" @@ -93,24 +92,35 @@ func (h *IPSecVppHandler) DumpIPSecSAWithIndex(saID uint32) (saList []*vppcalls. return saList, nil } -// DumpIPSecSPD implements IPSec handler. -func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*vppcalls.IPSecSpdDetails, err error) { - metadata := make(map[string]*vppcalls.SpdMeta) - - // TODO dump IPSec SPD interfaces is not available in current VPP version +// DumpIPSecSPD returns a list of IPSec security policy databases +func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*ipsec.SecurityPolicyDatabase, err error) { + // Note: dump IPSec SPD interfaces is not available in this VPP version // Get all VPP SPD indexes spdIndexes, err := h.dumpSpdIndexes() if err != nil { return nil, errors.Errorf("failed to dump SPD indexes: %v", err) } - for spdIdx, numPolicies := range spdIndexes { + for spdIdx, _ := range spdIndexes { spd := &ipsec.SecurityPolicyDatabase{ - Index: uint32(spdIdx), + Index: spdIdx, } + spdList = append(spdList, spd) + } + + return spdList, nil +} +// DumpIPSecSP returns a list of configured security policies +func (h *IPSecVppHandler) DumpIPSecSP() (spList []*ipsec.SecurityPolicy, err error) { + // Get all VPP SPD indexes + spdIndexes, err := h.dumpSpdIndexes() + if err != nil { + return nil, errors.Errorf("failed to dump SPD indexes: %v", err) + } + for spdIdx, _ := range spdIndexes { req := &vpp_ipsec.IpsecSpdDump{ - SpdID: uint32(spdIdx), + SpdID: spdIdx, SaID: ^uint32(0), } requestCtx := h.callsChannel.SendMultiRequest(req) @@ -126,11 +136,14 @@ func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*vppcalls.IPSecSpdDetails, e } // Addresses - remoteStartAddr, remoteStopAddr := ipsecAddrToIP(spdDetails.Entry.RemoteAddressStart), ipsecAddrToIP(spdDetails.Entry.RemoteAddressStop) - localStartAddr, localStopAddr := ipsecAddrToIP(spdDetails.Entry.LocalAddressStart), ipsecAddrToIP(spdDetails.Entry.LocalAddressStop) + remoteStartAddr := ipsecAddrToIP(spdDetails.Entry.RemoteAddressStart) + remoteStopAddr := ipsecAddrToIP(spdDetails.Entry.RemoteAddressStop) + localStartAddr := ipsecAddrToIP(spdDetails.Entry.LocalAddressStart) + localStopAddr := ipsecAddrToIP(spdDetails.Entry.LocalAddressStop) // Prepare policy entry and put to the SPD - policyEntry := &ipsec.SecurityPolicyDatabase_PolicyEntry{ + sp := &ipsec.SecurityPolicy{ + SpdIndex: spdIdx, SaIndex: spdDetails.Entry.SaID, Priority: spdDetails.Entry.Priority, IsOutbound: uintToBool(spdDetails.Entry.IsOutbound), @@ -143,26 +156,12 @@ func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*vppcalls.IPSecSpdDetails, e RemotePortStop: resetPort(spdDetails.Entry.RemotePortStop), LocalPortStart: uint32(spdDetails.Entry.LocalPortStart), LocalPortStop: resetPort(spdDetails.Entry.LocalPortStop), - Action: ipsec.SecurityPolicyDatabase_PolicyEntry_Action(spdDetails.Entry.Policy), - } - spd.PolicyEntries = append(spd.PolicyEntries, policyEntry) - - // Prepare meta and put to the metadata map - meta := &vppcalls.SpdMeta{ - SaID: spdDetails.Entry.SaID, - Policy: uint8(spdDetails.Entry.Policy), + Action: ipsec.SecurityPolicy_Action(spdDetails.Entry.Policy), } - metadata[strconv.Itoa(int(spdDetails.Entry.SaID))] = meta + spList = append(spList, sp) } - // Store SPD in list - spdList = append(spdList, &vppcalls.IPSecSpdDetails{ - Spd: spd, - PolicyMeta: metadata, - NumPolicies: numPolicies, - }) } - - return spdList, nil + return spList, nil } // DumpTunnelProtections returns configured IPSec tunnel protections. @@ -196,9 +195,9 @@ func (h *IPSecVppHandler) DumpTunnelProtections() (tpList []*ipsec.TunnelProtect } // Get all indexes of SPD configured on the VPP -func (h *IPSecVppHandler) dumpSpdIndexes() (map[int]uint32, error) { +func (h *IPSecVppHandler) dumpSpdIndexes() (map[uint32]uint32, error) { // SPD index to number of policies - spdIndexes := make(map[int]uint32) + spdIndexes := make(map[uint32]uint32) req := &vpp_ipsec.IpsecSpdsDump{} reqCtx := h.callsChannel.SendMultiRequest(req) @@ -213,7 +212,7 @@ func (h *IPSecVppHandler) dumpSpdIndexes() (map[int]uint32, error) { return nil, err } - spdIndexes[int(spdDetails.SpdID)] = spdDetails.Npolicies + spdIndexes[spdDetails.SpdID] = spdDetails.Npolicies } return spdIndexes, nil diff --git a/plugins/vpp/ipsecplugin/vppcalls/vpp2001/ipsec_vppcalls.go b/plugins/vpp/ipsecplugin/vppcalls/vpp2001/ipsec_vppcalls.go index 8119cf304e..26af43933e 100644 --- a/plugins/vpp/ipsecplugin/vppcalls/vpp2001/ipsec_vppcalls.go +++ b/plugins/vpp/ipsecplugin/vppcalls/vpp2001/ipsec_vppcalls.go @@ -35,13 +35,13 @@ func (h *IPSecVppHandler) DeleteSPD(spdID uint32) error { } // AddSPDEntry implements IPSec handler. -func (h *IPSecVppHandler) AddSPDEntry(spdID, saID uint32, spd *ipsec.SecurityPolicyDatabase_PolicyEntry) error { - return h.spdAddDelEntry(spdID, saID, spd, true) +func (h *IPSecVppHandler) AddSP(sp *ipsec.SecurityPolicy) error { + return h.spdAddDelEntry(sp, true) } // DeleteSPDEntry implements IPSec handler. -func (h *IPSecVppHandler) DeleteSPDEntry(spdID, saID uint32, spd *ipsec.SecurityPolicyDatabase_PolicyEntry) error { - return h.spdAddDelEntry(spdID, saID, spd, false) +func (h *IPSecVppHandler) DeleteSP(sp *ipsec.SecurityPolicy) error { + return h.spdAddDelEntry(sp, false) } // AddSPDInterface implements IPSec handler. @@ -113,20 +113,20 @@ func (h *IPSecVppHandler) spdAddDel(spdID uint32, isAdd bool) error { return nil } -func (h *IPSecVppHandler) spdAddDelEntry(spdID, saID uint32, spd *ipsec.SecurityPolicyDatabase_PolicyEntry, isAdd bool) error { +func (h *IPSecVppHandler) spdAddDelEntry(sp *ipsec.SecurityPolicy, isAdd bool) error { req := &vpp_ipsec.IpsecSpdEntryAddDel{ IsAdd: boolToUint(isAdd), Entry: vpp_ipsec.IpsecSpdEntry{ - SpdID: spdID, - Priority: spd.Priority, - IsOutbound: boolToUint(spd.IsOutbound), - Protocol: uint8(spd.Protocol), - RemotePortStart: uint16(spd.RemotePortStart), - RemotePortStop: uint16(spd.RemotePortStop), - LocalPortStart: uint16(spd.LocalPortStart), - LocalPortStop: uint16(spd.LocalPortStop), - Policy: vpp_ipsec.IpsecSpdAction(spd.Action), - SaID: saID, + SpdID: sp.SpdIndex, + Priority: sp.Priority, + IsOutbound: boolToUint(sp.IsOutbound), + Protocol: uint8(sp.Protocol), + RemotePortStart: uint16(sp.RemotePortStart), + RemotePortStop: uint16(sp.RemotePortStop), + LocalPortStart: uint16(sp.LocalPortStart), + LocalPortStop: uint16(sp.LocalPortStop), + Policy: vpp_ipsec.IpsecSpdAction(sp.Action), + SaID: sp.SaIndex, }, } if req.Entry.RemotePortStop == 0 { @@ -137,19 +137,19 @@ func (h *IPSecVppHandler) spdAddDelEntry(spdID, saID uint32, spd *ipsec.Security } var err error - req.Entry.RemoteAddressStart, err = IPToAddress(ipOr(spd.RemoteAddrStart, "0.0.0.0")) + req.Entry.RemoteAddressStart, err = IPToAddress(ipOr(sp.RemoteAddrStart, "0.0.0.0")) if err != nil { return err } - req.Entry.RemoteAddressStop, err = IPToAddress(ipOr(spd.RemoteAddrStop, "255.255.255.255")) + req.Entry.RemoteAddressStop, err = IPToAddress(ipOr(sp.RemoteAddrStop, "255.255.255.255")) if err != nil { return err } - req.Entry.LocalAddressStart, err = IPToAddress(ipOr(spd.LocalAddrStart, "0.0.0.0")) + req.Entry.LocalAddressStart, err = IPToAddress(ipOr(sp.LocalAddrStart, "0.0.0.0")) if err != nil { return err } - req.Entry.LocalAddressStop, err = IPToAddress(ipOr(spd.LocalAddrStop, "255.255.255.255")) + req.Entry.LocalAddressStop, err = IPToAddress(ipOr(sp.LocalAddrStop, "255.255.255.255")) if err != nil { return err } diff --git a/plugins/vpp/ipsecplugin/vppcalls/vpp2001/ipsec_vppcalls_test.go b/plugins/vpp/ipsecplugin/vppcalls/vpp2001/ipsec_vppcalls_test.go index ad0a51384e..fd32928242 100644 --- a/plugins/vpp/ipsecplugin/vppcalls/vpp2001/ipsec_vppcalls_test.go +++ b/plugins/vpp/ipsecplugin/vppcalls/vpp2001/ipsec_vppcalls_test.go @@ -70,14 +70,15 @@ func TestVppDelSPD(t *testing.T) { })) } -func TestVppAddSPDEntry(t *testing.T) { +func TestVppAddSP(t *testing.T) { ctx, ipSecHandler, _ := ipSecTestSetup(t) defer ctx.TeardownTestCtx() ctx.MockVpp.MockReply(&vpp_ipsec.IpsecSpdEntryAddDelReply{}) - err := ipSecHandler.AddSPDEntry(10, 5, &ipsec.SecurityPolicyDatabase_PolicyEntry{ + err := ipSecHandler.AddSP(&ipsec.SecurityPolicy{ SaIndex: 5, + SpdIndex: 10, Priority: 10, IsOutbound: true, }) @@ -100,13 +101,14 @@ func TestVppAddSPDEntry(t *testing.T) { })) } -func TestVppDelSPDEntry(t *testing.T) { +func TestVppDelSP(t *testing.T) { ctx, ipSecHandler, _ := ipSecTestSetup(t) defer ctx.TeardownTestCtx() ctx.MockVpp.MockReply(&vpp_ipsec.IpsecSpdEntryAddDelReply{}) - err := ipSecHandler.DeleteSPDEntry(10, 2, &ipsec.SecurityPolicyDatabase_PolicyEntry{ + err := ipSecHandler.DeleteSP(&ipsec.SecurityPolicy{ + SpdIndex: 10, SaIndex: 2, Priority: 5, IsOutbound: true, diff --git a/plugins/vpp/ipsecplugin/vppcalls/vpp2005/dump_vppcalls.go b/plugins/vpp/ipsecplugin/vppcalls/vpp2005/dump_vppcalls.go index 62383e20c9..5db967f64a 100644 --- a/plugins/vpp/ipsecplugin/vppcalls/vpp2005/dump_vppcalls.go +++ b/plugins/vpp/ipsecplugin/vppcalls/vpp2005/dump_vppcalls.go @@ -16,10 +16,8 @@ package vpp2005 import ( "encoding/hex" - "net" - "strconv" - "github.com/pkg/errors" + "net" "go.ligato.io/vpp-agent/v3/plugins/vpp/binapi/vpp2005/ip_types" vpp_ipsec "go.ligato.io/vpp-agent/v3/plugins/vpp/binapi/vpp2005/ipsec" @@ -92,29 +90,56 @@ func (h *IPSecVppHandler) DumpIPSecSAWithIndex(saID uint32) (saList []*vppcalls. return saList, nil } -// DumpIPSecSPD implements IPSec handler. -func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*vppcalls.IPSecSpdDetails, err error) { - metadata := make(map[string]*vppcalls.SpdMeta) - - // TODO: add integration test for dumping SPD interfaces +// DumpIPSecSPD returns a list of IPSec security policy databases +func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*ipsec.SecurityPolicyDatabase, err error) { + /* TODO: dumping of SPD interfaces is broken in VPP + - instead of the SPD index value given by control-plane, the index to the VPP's internal array of SPDs + is returned, which is useless spdInterfaces, err := h.dumpSpdInterfaces() if err != nil { - h.log.Warnf("dumping spd interfaces failed: %v", err) + err = fmt.Errorf("dumping of SPD interfaces failed: %v", err) + return nil, err } - h.log.Debugf("dumped spd interfaces: %+v", spdInterfaces) + */ // Get all VPP SPD indexes spdIndexes, err := h.dumpSpdIndexes() if err != nil { return nil, errors.Errorf("failed to dump SPD indexes: %v", err) } - for spdIdx, numPolicies := range spdIndexes { + + for spdIdx, _ := range spdIndexes { spd := &ipsec.SecurityPolicyDatabase{ - Index: uint32(spdIdx), + Index: spdIdx, } + /* + for _, swIfIndex := range spdInterfaces[spdIdx] { + name, _, found := h.ifIndexes.LookupBySwIfIndex(swIfIndex) + if !found { + h.log.Warnf("Failed to find interface with sw_if_index %d", swIfIndex) + continue + } + spd.Interfaces = append(spd.Interfaces, &ipsec.SecurityPolicyDatabase_Interface{ + Name: name, + }) + } + */ + spdList = append(spdList, spd) + } + return spdList, nil +} + +// DumpIPSecSP returns a list of configured security policies +func (h *IPSecVppHandler) DumpIPSecSP() (spList []*ipsec.SecurityPolicy, err error) { + // Get all VPP SPD indexes + spdIndexes, err := h.dumpSpdIndexes() + if err != nil { + return nil, errors.Errorf("failed to dump SPD indexes: %v", err) + } + for spdIdx, _ := range spdIndexes { req := &vpp_ipsec.IpsecSpdDump{ - SpdID: uint32(spdIdx), + SpdID: spdIdx, SaID: ^uint32(0), } requestCtx := h.callsChannel.SendMultiRequest(req) @@ -130,11 +155,14 @@ func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*vppcalls.IPSecSpdDetails, e } // Addresses - remoteStartAddr, remoteStopAddr := ipsecAddrToIP(spdDetails.Entry.RemoteAddressStart), ipsecAddrToIP(spdDetails.Entry.RemoteAddressStop) - localStartAddr, localStopAddr := ipsecAddrToIP(spdDetails.Entry.LocalAddressStart), ipsecAddrToIP(spdDetails.Entry.LocalAddressStop) + remoteStartAddr := ipsecAddrToIP(spdDetails.Entry.RemoteAddressStart) + remoteStopAddr := ipsecAddrToIP(spdDetails.Entry.RemoteAddressStop) + localStartAddr := ipsecAddrToIP(spdDetails.Entry.LocalAddressStart) + localStopAddr := ipsecAddrToIP(spdDetails.Entry.LocalAddressStop) // Prepare policy entry and put to the SPD - policyEntry := &ipsec.SecurityPolicyDatabase_PolicyEntry{ + sp := &ipsec.SecurityPolicy{ + SpdIndex: spdIdx, SaIndex: spdDetails.Entry.SaID, Priority: spdDetails.Entry.Priority, IsOutbound: spdDetails.Entry.IsOutbound, @@ -147,26 +175,13 @@ func (h *IPSecVppHandler) DumpIPSecSPD() (spdList []*vppcalls.IPSecSpdDetails, e RemotePortStop: resetPort(spdDetails.Entry.RemotePortStop), LocalPortStart: uint32(spdDetails.Entry.LocalPortStart), LocalPortStop: resetPort(spdDetails.Entry.LocalPortStop), - Action: ipsec.SecurityPolicyDatabase_PolicyEntry_Action(spdDetails.Entry.Policy), - } - spd.PolicyEntries = append(spd.PolicyEntries, policyEntry) - - // Prepare meta and put to the metadata map - meta := &vppcalls.SpdMeta{ - SaID: spdDetails.Entry.SaID, - Policy: uint8(spdDetails.Entry.Policy), + Action: ipsec.SecurityPolicy_Action(spdDetails.Entry.Policy), } - metadata[strconv.Itoa(int(spdDetails.Entry.SaID))] = meta + spList = append(spList, sp) } - // Store SPD in list - spdList = append(spdList, &vppcalls.IPSecSpdDetails{ - Spd: spd, - PolicyMeta: metadata, - NumPolicies: numPolicies, - }) } - return spdList, nil + return spList, nil } // DumpTunnelProtections returns configured IPSec tunnel protections. @@ -214,9 +229,9 @@ func (h *IPSecVppHandler) DumpTunnelProtections() (tpList []*ipsec.TunnelProtect } // Get all interfaces of SPD configured on the VPP -func (h *IPSecVppHandler) dumpSpdInterfaces() (map[int][]uint32, error) { +func (h *IPSecVppHandler) dumpSpdInterfaces() (map[uint32][]uint32, error) { // SPD index to interface indexes - spdInterfaces := make(map[int][]uint32) + spdInterfaces := make(map[uint32][]uint32) req := &vpp_ipsec.IpsecSpdInterfaceDump{} reqCtx := h.callsChannel.SendMultiRequest(req) @@ -231,16 +246,16 @@ func (h *IPSecVppHandler) dumpSpdInterfaces() (map[int][]uint32, error) { return nil, err } - spdInterfaces[int(spdDetails.SpdIndex)] = append(spdInterfaces[int(spdDetails.SpdIndex)], uint32(spdDetails.SwIfIndex)) + spdInterfaces[spdDetails.SpdIndex] = append(spdInterfaces[spdDetails.SpdIndex], uint32(spdDetails.SwIfIndex)) } return spdInterfaces, nil } // Get all indexes of SPD configured on the VPP -func (h *IPSecVppHandler) dumpSpdIndexes() (map[int]uint32, error) { +func (h *IPSecVppHandler) dumpSpdIndexes() (map[uint32]uint32, error) { // SPD index to number of policies - spdIndexes := make(map[int]uint32) + spdIndexes := make(map[uint32]uint32) req := &vpp_ipsec.IpsecSpdsDump{} reqCtx := h.callsChannel.SendMultiRequest(req) @@ -255,7 +270,7 @@ func (h *IPSecVppHandler) dumpSpdIndexes() (map[int]uint32, error) { return nil, err } - spdIndexes[int(spdDetails.SpdID)] = spdDetails.Npolicies + spdIndexes[spdDetails.SpdID] = spdDetails.Npolicies } return spdIndexes, nil diff --git a/plugins/vpp/ipsecplugin/vppcalls/vpp2005/ipsec_vppcalls.go b/plugins/vpp/ipsecplugin/vppcalls/vpp2005/ipsec_vppcalls.go index ce5a18b85a..f7c47eab6e 100644 --- a/plugins/vpp/ipsecplugin/vppcalls/vpp2005/ipsec_vppcalls.go +++ b/plugins/vpp/ipsecplugin/vppcalls/vpp2005/ipsec_vppcalls.go @@ -36,13 +36,13 @@ func (h *IPSecVppHandler) DeleteSPD(spdID uint32) error { } // AddSPDEntry implements IPSec handler. -func (h *IPSecVppHandler) AddSPDEntry(spdID, saID uint32, spd *ipsec.SecurityPolicyDatabase_PolicyEntry) error { - return h.spdAddDelEntry(spdID, saID, spd, true) +func (h *IPSecVppHandler) AddSP(sp *ipsec.SecurityPolicy) error { + return h.spdAddDelEntry(sp, true) } // DeleteSPDEntry implements IPSec handler. -func (h *IPSecVppHandler) DeleteSPDEntry(spdID, saID uint32, spd *ipsec.SecurityPolicyDatabase_PolicyEntry) error { - return h.spdAddDelEntry(spdID, saID, spd, false) +func (h *IPSecVppHandler) DeleteSP(sp *ipsec.SecurityPolicy) error { + return h.spdAddDelEntry(sp, false) } // AddSPDInterface implements IPSec handler. @@ -114,20 +114,20 @@ func (h *IPSecVppHandler) spdAddDel(spdID uint32, isAdd bool) error { return nil } -func (h *IPSecVppHandler) spdAddDelEntry(spdID, saID uint32, spd *ipsec.SecurityPolicyDatabase_PolicyEntry, isAdd bool) error { +func (h *IPSecVppHandler) spdAddDelEntry(sp *ipsec.SecurityPolicy, isAdd bool) error { req := &vpp_ipsec.IpsecSpdEntryAddDel{ IsAdd: isAdd, Entry: vpp_ipsec.IpsecSpdEntry{ - SpdID: spdID, - Priority: spd.Priority, - IsOutbound: spd.IsOutbound, - Protocol: uint8(spd.Protocol), - RemotePortStart: uint16(spd.RemotePortStart), - RemotePortStop: uint16(spd.RemotePortStop), - LocalPortStart: uint16(spd.LocalPortStart), - LocalPortStop: uint16(spd.LocalPortStop), - Policy: vpp_ipsec.IpsecSpdAction(spd.Action), - SaID: saID, + SpdID: sp.SpdIndex, + Priority: sp.Priority, + IsOutbound: sp.IsOutbound, + Protocol: uint8(sp.Protocol), + RemotePortStart: uint16(sp.RemotePortStart), + RemotePortStop: uint16(sp.RemotePortStop), + LocalPortStart: uint16(sp.LocalPortStart), + LocalPortStop: uint16(sp.LocalPortStop), + Policy: vpp_ipsec.IpsecSpdAction(sp.Action), + SaID: sp.SaIndex, }, } if req.Entry.RemotePortStop == 0 { @@ -138,19 +138,19 @@ func (h *IPSecVppHandler) spdAddDelEntry(spdID, saID uint32, spd *ipsec.Security } var err error - req.Entry.RemoteAddressStart, err = IPToAddress(ipOr(spd.RemoteAddrStart, "0.0.0.0")) + req.Entry.RemoteAddressStart, err = IPToAddress(ipOr(sp.RemoteAddrStart, "0.0.0.0")) if err != nil { return err } - req.Entry.RemoteAddressStop, err = IPToAddress(ipOr(spd.RemoteAddrStop, "255.255.255.255")) + req.Entry.RemoteAddressStop, err = IPToAddress(ipOr(sp.RemoteAddrStop, "255.255.255.255")) if err != nil { return err } - req.Entry.LocalAddressStart, err = IPToAddress(ipOr(spd.LocalAddrStart, "0.0.0.0")) + req.Entry.LocalAddressStart, err = IPToAddress(ipOr(sp.LocalAddrStart, "0.0.0.0")) if err != nil { return err } - req.Entry.LocalAddressStop, err = IPToAddress(ipOr(spd.LocalAddrStop, "255.255.255.255")) + req.Entry.LocalAddressStop, err = IPToAddress(ipOr(sp.LocalAddrStop, "255.255.255.255")) if err != nil { return err } diff --git a/plugins/vpp/ipsecplugin/vppcalls/vpp2005/ipsec_vppcalls_test.go b/plugins/vpp/ipsecplugin/vppcalls/vpp2005/ipsec_vppcalls_test.go index af8ea72fe7..e1616c4802 100644 --- a/plugins/vpp/ipsecplugin/vppcalls/vpp2005/ipsec_vppcalls_test.go +++ b/plugins/vpp/ipsecplugin/vppcalls/vpp2005/ipsec_vppcalls_test.go @@ -70,14 +70,15 @@ func TestVppDelSPD(t *testing.T) { })) } -func TestVppAddSPDEntry(t *testing.T) { +func TestVppAddSP(t *testing.T) { ctx, ipSecHandler, _ := ipSecTestSetup(t) defer ctx.TeardownTestCtx() ctx.MockVpp.MockReply(&vpp_ipsec.IpsecSpdEntryAddDelReply{}) - err := ipSecHandler.AddSPDEntry(10, 5, &ipsec.SecurityPolicyDatabase_PolicyEntry{ + err := ipSecHandler.AddSP(&ipsec.SecurityPolicy{ SaIndex: 5, + SpdIndex: 10, Priority: 10, IsOutbound: true, }) @@ -100,13 +101,14 @@ func TestVppAddSPDEntry(t *testing.T) { })) } -func TestVppDelSPDEntry(t *testing.T) { +func TestVppDelSP(t *testing.T) { ctx, ipSecHandler, _ := ipSecTestSetup(t) defer ctx.TeardownTestCtx() ctx.MockVpp.MockReply(&vpp_ipsec.IpsecSpdEntryAddDelReply{}) - err := ipSecHandler.DeleteSPDEntry(10, 2, &ipsec.SecurityPolicyDatabase_PolicyEntry{ + err := ipSecHandler.DeleteSP(&ipsec.SecurityPolicy{ + SpdIndex: 10, SaIndex: 2, Priority: 5, IsOutbound: true, diff --git a/proto/ligato/vpp/ipsec/ipsec.pb.go b/proto/ligato/vpp/ipsec/ipsec.pb.go index 7dc12cdcdc..76d2b2841a 100644 --- a/proto/ligato/vpp/ipsec/ipsec.pb.go +++ b/proto/ligato/vpp/ipsec/ipsec.pb.go @@ -148,6 +148,37 @@ func (SecurityPolicyDatabase_PolicyEntry_Action) EnumDescriptor() ([]byte, []int return fileDescriptor_3aa20672189bf205, []int{0, 1, 0} } +type SecurityPolicy_Action int32 + +const ( + SecurityPolicy_BYPASS SecurityPolicy_Action = 0 + SecurityPolicy_DISCARD SecurityPolicy_Action = 1 + SecurityPolicy_RESOLVE SecurityPolicy_Action = 2 + SecurityPolicy_PROTECT SecurityPolicy_Action = 3 +) + +var SecurityPolicy_Action_name = map[int32]string{ + 0: "BYPASS", + 1: "DISCARD", + 2: "RESOLVE", + 3: "PROTECT", +} + +var SecurityPolicy_Action_value = map[string]int32{ + "BYPASS": 0, + "DISCARD": 1, + "RESOLVE": 2, + "PROTECT": 3, +} + +func (x SecurityPolicy_Action) String() string { + return proto.EnumName(SecurityPolicy_Action_name, int32(x)) +} + +func (SecurityPolicy_Action) EnumDescriptor() ([]byte, []int) { + return fileDescriptor_3aa20672189bf205, []int{1, 0} +} + type SecurityAssociation_IPSecProtocol int32 const ( @@ -170,14 +201,17 @@ func (x SecurityAssociation_IPSecProtocol) String() string { } func (SecurityAssociation_IPSecProtocol) EnumDescriptor() ([]byte, []int) { - return fileDescriptor_3aa20672189bf205, []int{1, 0} + return fileDescriptor_3aa20672189bf205, []int{2, 0} } // Security Policy Database (SPD) type SecurityPolicyDatabase struct { - Index uint32 `protobuf:"varint,1,opt,name=index,proto3" json:"index,omitempty"` - Interfaces []*SecurityPolicyDatabase_Interface `protobuf:"bytes,2,rep,name=interfaces,proto3" json:"interfaces,omitempty"` - PolicyEntries []*SecurityPolicyDatabase_PolicyEntry `protobuf:"bytes,3,rep,name=policy_entries,json=policyEntries,proto3" json:"policy_entries,omitempty"` + Index uint32 `protobuf:"varint,1,opt,name=index,proto3" json:"index,omitempty"` + Interfaces []*SecurityPolicyDatabase_Interface `protobuf:"bytes,2,rep,name=interfaces,proto3" json:"interfaces,omitempty"` + // List of policy entries belonging to this SPD. + // Deprecated and actually trying to use this will return an error. + // Use separate model for Security Policy (SP) defined below. + PolicyEntries []*SecurityPolicyDatabase_PolicyEntry `protobuf:"bytes,3,rep,name=policy_entries,json=policyEntries,proto3" json:"policy_entries,omitempty"` // Deprecated: Do not use. XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` @@ -222,6 +256,7 @@ func (m *SecurityPolicyDatabase) GetInterfaces() []*SecurityPolicyDatabase_Inter return nil } +// Deprecated: Do not use. func (m *SecurityPolicyDatabase) GetPolicyEntries() []*SecurityPolicyDatabase_PolicyEntry { if m != nil { return m.PolicyEntries @@ -403,6 +438,149 @@ func (m *SecurityPolicyDatabase_PolicyEntry) GetAction() SecurityPolicyDatabase_ return SecurityPolicyDatabase_PolicyEntry_BYPASS } +type SecurityPolicy struct { + SpdIndex uint32 `protobuf:"varint,1,opt,name=spd_index,json=spdIndex,proto3" json:"spd_index,omitempty"` + SaIndex uint32 `protobuf:"varint,2,opt,name=sa_index,json=saIndex,proto3" json:"sa_index,omitempty"` + Priority int32 `protobuf:"varint,3,opt,name=priority,proto3" json:"priority,omitempty"` + IsOutbound bool `protobuf:"varint,4,opt,name=is_outbound,json=isOutbound,proto3" json:"is_outbound,omitempty"` + RemoteAddrStart string `protobuf:"bytes,5,opt,name=remote_addr_start,json=remoteAddrStart,proto3" json:"remote_addr_start,omitempty"` + RemoteAddrStop string `protobuf:"bytes,6,opt,name=remote_addr_stop,json=remoteAddrStop,proto3" json:"remote_addr_stop,omitempty"` + LocalAddrStart string `protobuf:"bytes,7,opt,name=local_addr_start,json=localAddrStart,proto3" json:"local_addr_start,omitempty"` + LocalAddrStop string `protobuf:"bytes,8,opt,name=local_addr_stop,json=localAddrStop,proto3" json:"local_addr_stop,omitempty"` + Protocol uint32 `protobuf:"varint,9,opt,name=protocol,proto3" json:"protocol,omitempty"` + RemotePortStart uint32 `protobuf:"varint,10,opt,name=remote_port_start,json=remotePortStart,proto3" json:"remote_port_start,omitempty"` + RemotePortStop uint32 `protobuf:"varint,11,opt,name=remote_port_stop,json=remotePortStop,proto3" json:"remote_port_stop,omitempty"` + LocalPortStart uint32 `protobuf:"varint,12,opt,name=local_port_start,json=localPortStart,proto3" json:"local_port_start,omitempty"` + LocalPortStop uint32 `protobuf:"varint,13,opt,name=local_port_stop,json=localPortStop,proto3" json:"local_port_stop,omitempty"` + Action SecurityPolicy_Action `protobuf:"varint,14,opt,name=action,proto3,enum=ligato.vpp.ipsec.SecurityPolicy_Action" json:"action,omitempty"` + XXX_NoUnkeyedLiteral struct{} `json:"-"` + XXX_unrecognized []byte `json:"-"` + XXX_sizecache int32 `json:"-"` +} + +func (m *SecurityPolicy) Reset() { *m = SecurityPolicy{} } +func (m *SecurityPolicy) String() string { return proto.CompactTextString(m) } +func (*SecurityPolicy) ProtoMessage() {} +func (*SecurityPolicy) Descriptor() ([]byte, []int) { + return fileDescriptor_3aa20672189bf205, []int{1} +} + +func (m *SecurityPolicy) XXX_Unmarshal(b []byte) error { + return xxx_messageInfo_SecurityPolicy.Unmarshal(m, b) +} +func (m *SecurityPolicy) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { + return xxx_messageInfo_SecurityPolicy.Marshal(b, m, deterministic) +} +func (m *SecurityPolicy) XXX_Merge(src proto.Message) { + xxx_messageInfo_SecurityPolicy.Merge(m, src) +} +func (m *SecurityPolicy) XXX_Size() int { + return xxx_messageInfo_SecurityPolicy.Size(m) +} +func (m *SecurityPolicy) XXX_DiscardUnknown() { + xxx_messageInfo_SecurityPolicy.DiscardUnknown(m) +} + +var xxx_messageInfo_SecurityPolicy proto.InternalMessageInfo + +func (m *SecurityPolicy) GetSpdIndex() uint32 { + if m != nil { + return m.SpdIndex + } + return 0 +} + +func (m *SecurityPolicy) GetSaIndex() uint32 { + if m != nil { + return m.SaIndex + } + return 0 +} + +func (m *SecurityPolicy) GetPriority() int32 { + if m != nil { + return m.Priority + } + return 0 +} + +func (m *SecurityPolicy) GetIsOutbound() bool { + if m != nil { + return m.IsOutbound + } + return false +} + +func (m *SecurityPolicy) GetRemoteAddrStart() string { + if m != nil { + return m.RemoteAddrStart + } + return "" +} + +func (m *SecurityPolicy) GetRemoteAddrStop() string { + if m != nil { + return m.RemoteAddrStop + } + return "" +} + +func (m *SecurityPolicy) GetLocalAddrStart() string { + if m != nil { + return m.LocalAddrStart + } + return "" +} + +func (m *SecurityPolicy) GetLocalAddrStop() string { + if m != nil { + return m.LocalAddrStop + } + return "" +} + +func (m *SecurityPolicy) GetProtocol() uint32 { + if m != nil { + return m.Protocol + } + return 0 +} + +func (m *SecurityPolicy) GetRemotePortStart() uint32 { + if m != nil { + return m.RemotePortStart + } + return 0 +} + +func (m *SecurityPolicy) GetRemotePortStop() uint32 { + if m != nil { + return m.RemotePortStop + } + return 0 +} + +func (m *SecurityPolicy) GetLocalPortStart() uint32 { + if m != nil { + return m.LocalPortStart + } + return 0 +} + +func (m *SecurityPolicy) GetLocalPortStop() uint32 { + if m != nil { + return m.LocalPortStop + } + return 0 +} + +func (m *SecurityPolicy) GetAction() SecurityPolicy_Action { + if m != nil { + return m.Action + } + return SecurityPolicy_BYPASS +} + // Security Association (SA) type SecurityAssociation struct { Index uint32 `protobuf:"varint,1,opt,name=index,proto3" json:"index,omitempty"` @@ -428,7 +606,7 @@ func (m *SecurityAssociation) Reset() { *m = SecurityAssociation{} } func (m *SecurityAssociation) String() string { return proto.CompactTextString(m) } func (*SecurityAssociation) ProtoMessage() {} func (*SecurityAssociation) Descriptor() ([]byte, []int) { - return fileDescriptor_3aa20672189bf205, []int{1} + return fileDescriptor_3aa20672189bf205, []int{2} } func (m *SecurityAssociation) XXX_Unmarshal(b []byte) error { @@ -567,7 +745,7 @@ func (m *TunnelProtection) Reset() { *m = TunnelProtection{} } func (m *TunnelProtection) String() string { return proto.CompactTextString(m) } func (*TunnelProtection) ProtoMessage() {} func (*TunnelProtection) Descriptor() ([]byte, []int) { - return fileDescriptor_3aa20672189bf205, []int{2} + return fileDescriptor_3aa20672189bf205, []int{3} } func (m *TunnelProtection) XXX_Unmarshal(b []byte) error { @@ -620,10 +798,12 @@ func init() { proto.RegisterEnum("ligato.vpp.ipsec.CryptoAlg", CryptoAlg_name, CryptoAlg_value) proto.RegisterEnum("ligato.vpp.ipsec.IntegAlg", IntegAlg_name, IntegAlg_value) proto.RegisterEnum("ligato.vpp.ipsec.SecurityPolicyDatabase_PolicyEntry_Action", SecurityPolicyDatabase_PolicyEntry_Action_name, SecurityPolicyDatabase_PolicyEntry_Action_value) + proto.RegisterEnum("ligato.vpp.ipsec.SecurityPolicy_Action", SecurityPolicy_Action_name, SecurityPolicy_Action_value) proto.RegisterEnum("ligato.vpp.ipsec.SecurityAssociation_IPSecProtocol", SecurityAssociation_IPSecProtocol_name, SecurityAssociation_IPSecProtocol_value) proto.RegisterType((*SecurityPolicyDatabase)(nil), "ligato.vpp.ipsec.SecurityPolicyDatabase") proto.RegisterType((*SecurityPolicyDatabase_Interface)(nil), "ligato.vpp.ipsec.SecurityPolicyDatabase.Interface") proto.RegisterType((*SecurityPolicyDatabase_PolicyEntry)(nil), "ligato.vpp.ipsec.SecurityPolicyDatabase.PolicyEntry") + proto.RegisterType((*SecurityPolicy)(nil), "ligato.vpp.ipsec.SecurityPolicy") proto.RegisterType((*SecurityAssociation)(nil), "ligato.vpp.ipsec.SecurityAssociation") proto.RegisterType((*TunnelProtection)(nil), "ligato.vpp.ipsec.TunnelProtection") } @@ -633,67 +813,72 @@ func init() { } var fileDescriptor_3aa20672189bf205 = []byte{ - // 983 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x55, 0x5f, 0x6f, 0xdb, 0xb6, - 0x17, 0x8d, 0xff, 0xc9, 0xf2, 0x75, 0xe5, 0xea, 0xc7, 0xfe, 0xb6, 0x69, 0x69, 0x87, 0x1a, 0x7e, - 0x18, 0x8c, 0x02, 0x73, 0x10, 0xa7, 0xe9, 0x9a, 0x66, 0x2f, 0x8a, 0x2d, 0x34, 0xc1, 0xd6, 0xd8, - 0xa0, 0xbc, 0x01, 0xdd, 0x1e, 0x04, 0x45, 0xe6, 0x3c, 0x61, 0xae, 0x48, 0x88, 0x74, 0x50, 0xbf, - 0xed, 0x23, 0xee, 0x3b, 0x0c, 0xd8, 0xd3, 0x3e, 0xc4, 0xc0, 0x4b, 0xdb, 0xa1, 0xd3, 0x0e, 0x18, - 0xf6, 0x62, 0xf0, 0x1e, 0x9e, 0x7b, 0xe8, 0x23, 0x1d, 0x5e, 0xc1, 0x93, 0x65, 0xbe, 0x48, 0x15, - 0x3f, 0xba, 0x15, 0xe2, 0x28, 0x17, 0x92, 0x65, 0xe6, 0x77, 0x20, 0x4a, 0xae, 0x38, 0xf1, 0xcd, - 0xee, 0xe0, 0x56, 0x88, 0x01, 0xe2, 0xbd, 0x3f, 0x1d, 0xf8, 0x34, 0x66, 0xd9, 0xaa, 0xcc, 0xd5, - 0x7a, 0xca, 0x97, 0x79, 0xb6, 0x1e, 0xa7, 0x2a, 0xbd, 0x49, 0x25, 0x23, 0xff, 0x87, 0x46, 0x5e, - 0xcc, 0xd9, 0xfb, 0xa0, 0xd2, 0xad, 0xf4, 0x3d, 0x6a, 0x0a, 0x42, 0x01, 0xf2, 0x42, 0xb1, 0xf2, - 0xe7, 0x34, 0x63, 0x32, 0xa8, 0x76, 0x6b, 0xfd, 0xf6, 0x70, 0x38, 0xb8, 0xaf, 0x3b, 0xf8, 0xb8, - 0xe6, 0xe0, 0x6a, 0xdb, 0x4a, 0x2d, 0x15, 0xf2, 0x13, 0x74, 0x04, 0xf2, 0x12, 0x56, 0xa8, 0x32, - 0x67, 0x32, 0xa8, 0xa1, 0xee, 0xf3, 0x7f, 0xad, 0x6b, 0xca, 0xa8, 0x50, 0xe5, 0x9a, 0x7a, 0x62, - 0x57, 0xe4, 0x4c, 0x1e, 0x3e, 0x85, 0xd6, 0xee, 0x54, 0x42, 0xa0, 0x5e, 0xa4, 0xef, 0x18, 0x5a, - 0x6a, 0x51, 0x5c, 0x1f, 0xfe, 0x51, 0x87, 0xb6, 0xd5, 0x4f, 0x3e, 0x07, 0x57, 0xa6, 0x89, 0x6d, - 0xbd, 0x29, 0xd3, 0x2b, 0x34, 0x7f, 0x08, 0xae, 0x28, 0x73, 0xae, 0xff, 0x40, 0x50, 0xed, 0x56, - 0xfa, 0x0d, 0xba, 0xab, 0xc9, 0x53, 0x68, 0xe7, 0x32, 0xe1, 0x2b, 0x75, 0xc3, 0x57, 0xc5, 0x3c, - 0xa8, 0x75, 0x2b, 0x7d, 0x97, 0x42, 0x2e, 0x27, 0x1b, 0x84, 0x3c, 0x83, 0xff, 0x95, 0xec, 0x1d, - 0x57, 0x2c, 0x49, 0xe7, 0xf3, 0x32, 0x91, 0x2a, 0x2d, 0x55, 0x50, 0xc7, 0x3f, 0xf2, 0xd0, 0x6c, - 0x84, 0xf3, 0x79, 0x19, 0x6b, 0x98, 0xf4, 0xc1, 0xdf, 0xe7, 0x72, 0x11, 0x34, 0x90, 0xda, 0xb1, - 0xa9, 0x5c, 0x68, 0xe6, 0x92, 0x67, 0xe9, 0xd2, 0x16, 0x75, 0x0c, 0x13, 0xf1, 0x3b, 0xcd, 0x2f, - 0xe1, 0xe1, 0x1e, 0x93, 0x8b, 0xa0, 0x89, 0x44, 0xcf, 0x22, 0x72, 0x61, 0x4c, 0x72, 0xc5, 0x33, - 0xbe, 0x0c, 0x5c, 0xf4, 0xbf, 0xab, 0x2d, 0x0f, 0x82, 0x97, 0x6a, 0x73, 0x5c, 0x0b, 0x49, 0x1b, - 0x0f, 0x53, 0x5e, 0xaa, 0xfb, 0x1e, 0x36, 0x5c, 0x2e, 0x02, 0x40, 0x6a, 0xc7, 0xa6, 0xda, 0x1e, - 0x2c, 0xd1, 0xb6, 0x61, 0x22, 0x7e, 0xa7, 0xb9, 0xf3, 0x70, 0x27, 0xf9, 0x00, 0x89, 0x9e, 0x45, - 0xe4, 0x82, 0xc4, 0xe0, 0xa4, 0x99, 0xca, 0x79, 0x11, 0x78, 0xdd, 0x4a, 0xbf, 0x33, 0x3c, 0xff, - 0x2f, 0x49, 0x1a, 0x84, 0x28, 0x41, 0x37, 0x52, 0xbd, 0x73, 0x70, 0x0c, 0x42, 0x00, 0x9c, 0x8b, - 0xb7, 0xd3, 0x30, 0x8e, 0xfd, 0x03, 0xd2, 0x86, 0xe6, 0xf8, 0x2a, 0x1e, 0x85, 0x74, 0xec, 0x57, - 0x74, 0x41, 0xa3, 0x78, 0xf2, 0xdd, 0x0f, 0x91, 0x5f, 0xd5, 0xc5, 0x94, 0x4e, 0x66, 0xd1, 0x68, - 0xe6, 0xd7, 0x7a, 0x7f, 0xd5, 0xe1, 0xd1, 0xf6, 0xc8, 0x50, 0x4a, 0x9e, 0xe5, 0x29, 0x4a, 0x7d, - 0xfc, 0x96, 0xf9, 0x50, 0x93, 0x22, 0xc7, 0x8c, 0x79, 0x54, 0x2f, 0xc9, 0xc4, 0x7a, 0x2b, 0x35, - 0xf4, 0x74, 0xf2, 0xcf, 0x9e, 0xac, 0x03, 0x06, 0x57, 0xd3, 0x98, 0x65, 0xd3, 0x4d, 0xab, 0xf5, - 0x2a, 0x5f, 0x01, 0x64, 0xe5, 0x5a, 0x28, 0x9e, 0xa4, 0xcb, 0x05, 0xe6, 0xb0, 0x33, 0x7c, 0xfc, - 0xa1, 0xe4, 0x08, 0x39, 0xe1, 0x72, 0x41, 0x5b, 0xd9, 0x76, 0x49, 0xbe, 0xd8, 0xf5, 0xfe, 0xca, - 0xd6, 0x9b, 0x60, 0x6e, 0xb6, 0xbf, 0x65, 0x6b, 0xf2, 0x35, 0xb4, 0xf4, 0xed, 0x5e, 0xa0, 0xb2, - 0x83, 0xca, 0x87, 0x1f, 0x2a, 0xeb, 0x5b, 0xb9, 0xd0, 0xc2, 0x6e, 0xbe, 0x59, 0x91, 0xc7, 0xdb, - 0x46, 0x2d, 0x6b, 0xc2, 0x69, 0x36, 0xb5, 0xea, 0x67, 0xd0, 0x5c, 0x49, 0x96, 0x30, 0x59, 0x60, - 0x2c, 0x5d, 0xea, 0xac, 0x24, 0x8b, 0x64, 0xa1, 0x43, 0xa1, 0x37, 0xd2, 0x42, 0xe5, 0x49, 0xc9, - 0xc4, 0x32, 0x5d, 0x63, 0x24, 0x5d, 0xea, 0xad, 0x24, 0x0b, 0x0b, 0x95, 0x53, 0x04, 0x35, 0x4f, - 0xad, 0x8a, 0x82, 0x2d, 0x13, 0x59, 0x66, 0x78, 0x0b, 0x30, 0x8f, 0x2d, 0xea, 0x19, 0x38, 0x2e, - 0x33, 0x7d, 0x09, 0x2c, 0xde, 0x5c, 0x2a, 0xc3, 0x6b, 0xdb, 0xbc, 0xb1, 0x54, 0xc8, 0xeb, 0x83, - 0xcf, 0x8a, 0xf4, 0x66, 0xc9, 0x92, 0xd5, 0x5c, 0x24, 0xac, 0xc8, 0x52, 0x93, 0x46, 0x97, 0x76, - 0x0c, 0xfe, 0xfd, 0x5c, 0x44, 0x1a, 0xbd, 0x77, 0xb2, 0xce, 0x2e, 0xe6, 0xd2, 0xb3, 0x4e, 0xd6, - 0xd1, 0xbd, 0x77, 0x32, 0xf2, 0x3a, 0x36, 0x6f, 0x2c, 0x95, 0xe6, 0xf5, 0xba, 0xe0, 0xed, 0xbd, - 0x56, 0xe2, 0x40, 0x35, 0xbc, 0xf4, 0x0f, 0x48, 0x13, 0x6a, 0x51, 0x3c, 0xf5, 0x2b, 0xbd, 0xdf, - 0x2a, 0xe0, 0xcf, 0xb0, 0x47, 0x73, 0x98, 0x89, 0xed, 0x13, 0xf3, 0x78, 0x71, 0x14, 0x6e, 0x46, - 0xe0, 0x1d, 0x40, 0x3e, 0x01, 0x47, 0xa6, 0x7a, 0x80, 0xe1, 0x54, 0xf7, 0x68, 0x43, 0xa6, 0x93, - 0x95, 0x22, 0x8f, 0xa0, 0x81, 0xe3, 0x10, 0x67, 0xb2, 0x47, 0xeb, 0x7a, 0x16, 0x92, 0x1e, 0x78, - 0x05, 0x7b, 0xaf, 0x92, 0x5f, 0xb8, 0x30, 0x0f, 0xc8, 0xcc, 0xb1, 0xb6, 0x06, 0x2f, 0xb9, 0xd0, - 0x8f, 0xe7, 0xd9, 0xef, 0x15, 0x68, 0xed, 0xd2, 0x43, 0x1e, 0x42, 0xfb, 0x7a, 0x72, 0x1d, 0x25, - 0x23, 0xfa, 0x76, 0x3a, 0x9b, 0xf8, 0x07, 0x1a, 0x08, 0xa3, 0x38, 0x19, 0x5d, 0x8c, 0x92, 0xe3, - 0xe1, 0x4b, 0xbf, 0xb2, 0x07, 0x9c, 0x0d, 0xfd, 0xaa, 0x0d, 0x0c, 0x4f, 0x5f, 0xf8, 0xb5, 0x1d, - 0x30, 0xa3, 0xd8, 0x52, 0xdf, 0x03, 0xce, 0x86, 0x7e, 0xc3, 0x06, 0x74, 0x8b, 0xb3, 0x05, 0x5e, - 0x8f, 0xde, 0x60, 0x4b, 0x73, 0x0f, 0x38, 0x1b, 0xfa, 0xae, 0x0d, 0xe8, 0x96, 0x16, 0x5e, 0x68, - 0x73, 0xac, 0x0f, 0xe4, 0x01, 0xb8, 0xe3, 0x28, 0x3e, 0xc1, 0xaa, 0xfd, 0xec, 0x16, 0xdc, 0x6d, - 0x6a, 0x49, 0x07, 0x00, 0x0d, 0x5d, 0x5d, 0xcf, 0xa2, 0xd7, 0xfe, 0x81, 0x9e, 0x09, 0x6f, 0xc6, - 0xa7, 0xc9, 0xd9, 0x0b, 0x33, 0x06, 0xe2, 0xcb, 0xf0, 0x58, 0x17, 0x55, 0x4d, 0x8c, 0x2f, 0x43, - 0x2d, 0xae, 0x6b, 0x74, 0xb1, 0xad, 0x77, 0x2e, 0x34, 0x70, 0xf2, 0xf2, 0xf9, 0x9d, 0x0b, 0x0d, - 0x9c, 0x1e, 0x0f, 0x8d, 0x8b, 0x8b, 0x6f, 0x7e, 0x7c, 0xb5, 0xe0, 0xdb, 0x1b, 0x94, 0xe3, 0xd7, - 0xfd, 0xab, 0x74, 0xc1, 0x0a, 0x75, 0x74, 0x7b, 0x72, 0x84, 0x37, 0xfa, 0xe8, 0xfe, 0x77, 0xff, - 0xfc, 0x56, 0x88, 0x04, 0x57, 0x37, 0x0e, 0x32, 0x4e, 0xfe, 0x0e, 0x00, 0x00, 0xff, 0xff, 0xf8, - 0x79, 0x71, 0x90, 0x1c, 0x08, 0x00, 0x00, + // 1067 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x96, 0xdf, 0x6e, 0xdb, 0x36, + 0x14, 0xc6, 0xe3, 0x7f, 0xb2, 0x7c, 0x1c, 0x39, 0x1a, 0xbb, 0x3f, 0x5a, 0xda, 0xa1, 0x86, 0x2f, + 0x36, 0x23, 0xc0, 0x1c, 0xc4, 0x69, 0xba, 0xa6, 0x19, 0x30, 0x38, 0xb6, 0xd1, 0x04, 0x5b, 0x63, + 0x43, 0xf2, 0x06, 0x74, 0x37, 0x82, 0x22, 0x71, 0x9e, 0x30, 0x57, 0x24, 0x44, 0x3a, 0xa8, 0xef, + 0xf6, 0x88, 0x7b, 0x87, 0xdd, 0x0d, 0x03, 0xf6, 0x0a, 0x03, 0x0f, 0x65, 0x45, 0x4e, 0xd3, 0xd5, + 0x18, 0x7a, 0x63, 0xe8, 0x7c, 0xfc, 0xf8, 0x51, 0x47, 0xfe, 0x89, 0x14, 0x3c, 0x5a, 0xc4, 0xf3, + 0x40, 0xb2, 0xc3, 0x1b, 0xce, 0x0f, 0x63, 0x2e, 0x68, 0xa8, 0x7f, 0x7b, 0x3c, 0x65, 0x92, 0x11, + 0x5b, 0x8f, 0xf6, 0x6e, 0x38, 0xef, 0xa1, 0xde, 0xf9, 0xcb, 0x80, 0x4f, 0x3d, 0x1a, 0x2e, 0xd3, + 0x58, 0xae, 0xa6, 0x6c, 0x11, 0x87, 0xab, 0x51, 0x20, 0x83, 0xeb, 0x40, 0x50, 0xf2, 0x31, 0xd4, + 0xe2, 0x24, 0xa2, 0x6f, 0x9c, 0x52, 0xbb, 0xd4, 0xb5, 0x5c, 0x5d, 0x10, 0x17, 0x20, 0x4e, 0x24, + 0x4d, 0x7f, 0x09, 0x42, 0x2a, 0x9c, 0x72, 0xbb, 0xd2, 0x6d, 0xf6, 0xfb, 0xbd, 0xbb, 0xb9, 0xbd, + 0xfb, 0x33, 0x7b, 0x97, 0xeb, 0xa9, 0x6e, 0x21, 0x85, 0xf8, 0xd0, 0xe2, 0xe8, 0xf3, 0x69, 0x22, + 0xd3, 0x98, 0x0a, 0xa7, 0x82, 0xb9, 0x4f, 0xb6, 0xce, 0xd5, 0xe5, 0x38, 0x91, 0xe9, 0xea, 0xbc, + 0xec, 0x94, 0x5c, 0x8b, 0xe7, 0x42, 0x4c, 0xc5, 0xfe, 0x63, 0x68, 0xe4, 0x2b, 0x13, 0x02, 0xd5, + 0x24, 0x78, 0x4d, 0xb1, 0xad, 0x86, 0x8b, 0xd7, 0xfb, 0x7f, 0x56, 0xa1, 0x59, 0xc8, 0x20, 0x9f, + 0x83, 0x29, 0x02, 0xbf, 0xd8, 0x7e, 0x5d, 0x04, 0x97, 0xf8, 0x00, 0xf6, 0xc1, 0xe4, 0x69, 0xcc, + 0xd4, 0x4d, 0x38, 0xe5, 0x76, 0xa9, 0x5b, 0x73, 0xf3, 0x9a, 0x3c, 0x86, 0x66, 0x2c, 0x7c, 0xb6, + 0x94, 0xd7, 0x6c, 0x99, 0x44, 0x4e, 0xa5, 0x5d, 0xea, 0x9a, 0x2e, 0xc4, 0x62, 0x92, 0x29, 0xe4, + 0x00, 0x3e, 0x4a, 0xe9, 0x6b, 0x26, 0xa9, 0x1f, 0x44, 0x51, 0xea, 0x0b, 0x19, 0xa4, 0xd2, 0xa9, + 0xe2, 0x8d, 0xec, 0xe9, 0x81, 0x41, 0x14, 0xa5, 0x9e, 0x92, 0x49, 0x17, 0xec, 0x4d, 0x2f, 0xe3, + 0x4e, 0x0d, 0xad, 0xad, 0xa2, 0x95, 0x71, 0xe5, 0x5c, 0xb0, 0x30, 0x58, 0x14, 0x43, 0x0d, 0xed, + 0x44, 0xfd, 0x36, 0xf3, 0x4b, 0xd8, 0xdb, 0x70, 0x32, 0xee, 0xd4, 0xd1, 0x68, 0x15, 0x8c, 0x8c, + 0xeb, 0x26, 0x99, 0x64, 0x21, 0x5b, 0x38, 0x26, 0xf6, 0x9f, 0xd7, 0x85, 0x1e, 0x38, 0x4b, 0x65, + 0xb6, 0x5c, 0x03, 0x4d, 0x59, 0x0f, 0x53, 0x96, 0xca, 0xbb, 0x3d, 0x64, 0x5e, 0xc6, 0x1d, 0x40, + 0x6b, 0xab, 0x68, 0x2d, 0xf6, 0x50, 0x08, 0x6d, 0x6a, 0x27, 0xea, 0xb7, 0x99, 0x79, 0x0f, 0xb7, + 0x91, 0xbb, 0x68, 0xb4, 0x0a, 0x46, 0xc6, 0x89, 0x07, 0x46, 0x10, 0xca, 0x98, 0x25, 0x8e, 0xd5, + 0x2e, 0x75, 0x5b, 0xfd, 0xb3, 0xff, 0x43, 0x53, 0x6f, 0x80, 0x11, 0x6e, 0x16, 0xd5, 0x39, 0x03, + 0x43, 0x2b, 0x04, 0xc0, 0x38, 0x7f, 0x35, 0x1d, 0x78, 0x9e, 0xbd, 0x43, 0x9a, 0x50, 0x1f, 0x5d, + 0x7a, 0xc3, 0x81, 0x3b, 0xb2, 0x4b, 0xaa, 0x70, 0xc7, 0xde, 0xe4, 0x87, 0x9f, 0xc6, 0x76, 0x59, + 0x15, 0x53, 0x77, 0x32, 0x1b, 0x0f, 0x67, 0x76, 0xa5, 0xf3, 0x4f, 0x15, 0x5a, 0x9b, 0x4b, 0x92, + 0x87, 0xd0, 0x10, 0x3c, 0xda, 0x20, 0xcd, 0x14, 0x3c, 0xd2, 0xa8, 0x15, 0x29, 0x2c, 0xbf, 0x9b, + 0xc2, 0xca, 0x7f, 0x53, 0x58, 0xdd, 0x8e, 0xc2, 0xda, 0xf6, 0x14, 0x1a, 0x5b, 0x53, 0x58, 0xdf, + 0x96, 0x42, 0xf3, 0x7d, 0x14, 0x36, 0xb6, 0xa1, 0x10, 0xb6, 0xa7, 0xb0, 0xb9, 0x35, 0x85, 0xbb, + 0xdb, 0x52, 0x68, 0xdd, 0x47, 0xe1, 0x77, 0x39, 0x85, 0x2d, 0xa4, 0xf0, 0xab, 0xf7, 0x51, 0xf8, + 0x41, 0x89, 0xfb, 0xbb, 0x0a, 0x0f, 0xd6, 0xf1, 0x03, 0x21, 0x58, 0x18, 0x07, 0x18, 0x75, 0xff, + 0xde, 0x6e, 0x43, 0x45, 0xf0, 0x38, 0x43, 0x4d, 0x5d, 0x92, 0x49, 0xe1, 0x1f, 0xa8, 0xe0, 0xfd, + 0x1f, 0xbf, 0xfb, 0xfe, 0x0b, 0x0b, 0xf4, 0x2e, 0xa7, 0x1e, 0x0d, 0xa7, 0xd9, 0xd4, 0xc2, 0xdf, + 0xf6, 0x1c, 0x20, 0x4c, 0x57, 0x5c, 0x32, 0x3f, 0x58, 0xcc, 0x11, 0xcd, 0x56, 0xff, 0xe1, 0xdb, + 0x91, 0x43, 0xf4, 0x0c, 0x16, 0x73, 0xb7, 0x11, 0xae, 0x2f, 0xc9, 0x17, 0xf9, 0xdc, 0xdf, 0xe8, + 0x2a, 0xe3, 0x35, 0x1b, 0xfe, 0x9e, 0xae, 0xc8, 0x37, 0xd0, 0x50, 0x67, 0xca, 0x1c, 0x93, 0x0d, + 0x4c, 0xde, 0x7f, 0x3b, 0x59, 0x9d, 0x03, 0x73, 0x15, 0x6c, 0xc6, 0xd9, 0x95, 0x7a, 0x07, 0xf5, + 0x44, 0x15, 0xab, 0x89, 0xd5, 0x83, 0x2a, 0xf5, 0x33, 0xa8, 0x2f, 0x05, 0xf5, 0xa9, 0x48, 0x90, + 0x51, 0xd3, 0x35, 0x96, 0x82, 0x8e, 0x45, 0xa2, 0x00, 0x50, 0x03, 0x41, 0x22, 0x63, 0x3f, 0xa5, + 0x7c, 0x11, 0xac, 0x90, 0x51, 0xd3, 0xb5, 0x96, 0x82, 0x0e, 0x12, 0x19, 0xbb, 0x28, 0x2a, 0x9f, + 0x5c, 0x26, 0x09, 0x5d, 0xf8, 0x22, 0x0d, 0x91, 0x78, 0xc4, 0xb4, 0xe1, 0x5a, 0x5a, 0xf6, 0xd2, + 0x50, 0x01, 0x5f, 0xf0, 0x45, 0x42, 0x6a, 0x5f, 0xb3, 0xe8, 0x1b, 0x09, 0x89, 0xbe, 0x2e, 0xd8, + 0x34, 0x09, 0xae, 0x17, 0xd4, 0x5f, 0x46, 0xdc, 0xa7, 0x49, 0x18, 0xe8, 0xfd, 0xcf, 0x74, 0x5b, + 0x5a, 0xff, 0x31, 0xe2, 0x63, 0xa5, 0xde, 0x59, 0x59, 0x71, 0xba, 0x46, 0x34, 0x5f, 0x59, 0x61, + 0x7a, 0x67, 0x65, 0xf4, 0xb5, 0x8a, 0xbe, 0x91, 0x90, 0xca, 0xd7, 0x69, 0x83, 0xb5, 0xf1, 0xb7, + 0x12, 0x03, 0xca, 0x83, 0x0b, 0x7b, 0x87, 0xd4, 0xa1, 0x32, 0xf6, 0xa6, 0x76, 0xa9, 0xf3, 0x7b, + 0x09, 0xec, 0x19, 0xce, 0x51, 0x1e, 0xaa, 0xb1, 0x7d, 0xa4, 0x1f, 0x2f, 0x1e, 0xbe, 0xd9, 0xa1, + 0x7b, 0x2b, 0x90, 0x4f, 0xc0, 0x10, 0x81, 0xda, 0xac, 0xf0, 0x5b, 0xc2, 0x72, 0x6b, 0x22, 0x98, + 0x2c, 0x25, 0x79, 0x00, 0x35, 0xdc, 0xfa, 0xf0, 0x4b, 0xc0, 0x72, 0xab, 0x6a, 0xdf, 0x23, 0x1d, + 0xb0, 0x12, 0xfa, 0x46, 0xfa, 0xbf, 0x32, 0xae, 0x1f, 0x90, 0x3e, 0x39, 0x9b, 0x4a, 0xbc, 0x60, + 0x5c, 0x3d, 0x9e, 0x83, 0x3f, 0x4a, 0xd0, 0xc8, 0xe9, 0x21, 0x7b, 0xd0, 0xbc, 0x9a, 0x5c, 0x8d, + 0xfd, 0xa1, 0xfb, 0x6a, 0x3a, 0x9b, 0xd8, 0x3b, 0x4a, 0x18, 0x8c, 0x3d, 0x7f, 0x78, 0x3e, 0xf4, + 0x8f, 0xfa, 0xcf, 0xec, 0xd2, 0x86, 0x70, 0xda, 0xb7, 0xcb, 0x45, 0xa1, 0x7f, 0xf2, 0xd4, 0xae, + 0xe4, 0xc2, 0xcc, 0xc5, 0x29, 0xd5, 0x0d, 0xe1, 0xb4, 0x6f, 0xd7, 0x8a, 0x82, 0x9a, 0x62, 0xac, + 0x85, 0x17, 0xc3, 0x97, 0x38, 0xa5, 0xbe, 0x21, 0x9c, 0xf6, 0x6d, 0xb3, 0x28, 0xa8, 0x29, 0x0d, + 0x7c, 0xa1, 0xf5, 0xb2, 0x36, 0x90, 0x5d, 0x30, 0x47, 0x63, 0xef, 0x18, 0xab, 0xe6, 0xc1, 0x0d, + 0x98, 0x6b, 0x6a, 0x49, 0x0b, 0x00, 0x1b, 0xba, 0xbc, 0x9a, 0x8d, 0x5f, 0xd8, 0x3b, 0x6a, 0x4f, + 0x78, 0x39, 0x3a, 0xf1, 0x4f, 0x9f, 0xea, 0x6d, 0xc0, 0xbb, 0x18, 0x1c, 0xa9, 0xa2, 0xac, 0x8c, + 0xde, 0xc5, 0x40, 0x85, 0xab, 0x1a, 0xbb, 0x58, 0xd7, 0x79, 0x17, 0x4a, 0x38, 0x7e, 0xf6, 0xe4, + 0xb6, 0x0b, 0x25, 0x9c, 0x1c, 0xf5, 0x75, 0x17, 0xe7, 0xdf, 0xfe, 0xfc, 0x7c, 0xce, 0xd6, 0x6f, + 0x50, 0x8c, 0xdf, 0x94, 0x5f, 0x07, 0x73, 0x9a, 0xc8, 0xc3, 0x9b, 0xe3, 0x43, 0x7c, 0xa3, 0x0f, + 0xef, 0x7e, 0x6d, 0x9e, 0xdd, 0x70, 0xee, 0xe3, 0xd5, 0xb5, 0x81, 0x8e, 0xe3, 0x7f, 0x03, 0x00, + 0x00, 0xff, 0xff, 0x21, 0x27, 0xbb, 0xe8, 0x92, 0x0a, 0x00, 0x00, } diff --git a/proto/ligato/vpp/ipsec/ipsec.proto b/proto/ligato/vpp/ipsec/ipsec.proto index 7041688a24..6cbaded201 100644 --- a/proto/ligato/vpp/ipsec/ipsec.proto +++ b/proto/ligato/vpp/ipsec/ipsec.proto @@ -66,7 +66,38 @@ message SecurityPolicyDatabase { } Action action = 13; } - repeated PolicyEntry policy_entries = 3; /* List of policy entries belonging to this SPD */ + // List of policy entries belonging to this SPD. + // Deprecated and actually trying to use this will return an error. + // Use separate model for Security Policy (SP) defined below. + repeated PolicyEntry policy_entries = 3 [deprecated=true]; +} + +message SecurityPolicy { + uint32 spd_index = 1; /* Security policy database index */ + uint32 sa_index = 2; /* Security association index */ + + int32 priority = 3; + bool is_outbound = 4; + + string remote_addr_start = 5; + string remote_addr_stop = 6; + string local_addr_start = 7; + string local_addr_stop = 8; + + uint32 protocol = 9; + + uint32 remote_port_start = 10; + uint32 remote_port_stop = 11; + uint32 local_port_start = 12; + uint32 local_port_stop = 13; + + enum Action { + BYPASS = 0; + DISCARD = 1; + RESOLVE = 2; /* Note: this particular action is unused in VPP */ + PROTECT = 3; + } + Action action = 14; } /* Security Association (SA) */ diff --git a/proto/ligato/vpp/ipsec/models.go b/proto/ligato/vpp/ipsec/models.go index 96d2ce1406..bcabd635b3 100644 --- a/proto/ligato/vpp/ipsec/models.go +++ b/proto/ligato/vpp/ipsec/models.go @@ -31,6 +31,17 @@ var ( Type: "spd", }, models.WithNameTemplate("{{.Index}}")) + ModelSecurityPolicy = models.Register(&SecurityPolicy{}, models.Spec{ + Module: ModuleName, + Version: "v2", + Type: "sp", + }, models.WithNameTemplate( + "spd/{{.SpdIndex}}/" + + "sa/{{.SaIndex}}/" + + "{{if .IsOutbound}}outbound/{{else}}inbound/{{end}}" + + "local-addresses/{{.LocalAddrStart}}-{{.LocalAddrStop}}/" + + "remote-addresses/{{.RemoteAddrStart}}-{{.RemoteAddrStop}}")) + ModelSecurityAssociation = models.Register(&SecurityAssociation{}, models.Spec{ Module: ModuleName, Version: "v2", @@ -70,13 +81,6 @@ const ( spdInterfaceKeyTemplate = "vpp/spd/{spd}/interface/{iface}" ) -/* SPD <-> policy binding (derived) */ -const ( - // spdPolicyKeyTemplate is a template for (derived) key representing binding - // between policy (security association) and a security policy database. - spdPolicyKeyTemplate = "vpp/spd/{spd}/sa/{sa}" -) - const ( // InvalidKeyPart is used in key for parts which are invalid InvalidKeyPart = "" @@ -104,25 +108,4 @@ func ParseSPDInterfaceKey(key string) (spdIndex string, iface string, isSPDIface return keyComps[2], iface, true } return "", "", false -} - -/* SPD <-> policy binding (derived) */ - -// SPDPolicyKey returns the key used to represent binding between the given policy -// (security association) and the security policy database. -func SPDPolicyKey(spdIndex uint32, saIndex uint32) string { - key := strings.Replace(spdPolicyKeyTemplate, "{spd}", strconv.FormatUint(uint64(spdIndex), 10), 1) - key = strings.Replace(key, "{sa}", strconv.FormatUint(uint64(saIndex), 10), 1) - return key -} - -// ParseSPDPolicyKey parses key representing binding between policy (security -// association) and a security policy database -func ParseSPDPolicyKey(key string) (spdIndex string, saIndex string, isSPDIfaceKey bool) { - keyComps := strings.Split(key, "/") - if len(keyComps) >= 5 && keyComps[0] == "vpp" && keyComps[1] == "spd" && keyComps[3] == "sa" { - saIndex = strings.Join(keyComps[4:], "/") - return keyComps[2], saIndex, true - } - return "", "", false -} +} \ No newline at end of file diff --git a/proto/ligato/vpp/ipsec/models_test.go b/proto/ligato/vpp/ipsec/models_test.go index 6c9cb91188..3e8ee5856a 100644 --- a/proto/ligato/vpp/ipsec/models_test.go +++ b/proto/ligato/vpp/ipsec/models_test.go @@ -202,94 +202,6 @@ func TestParseSPDInterfaceKey(t *testing.T) { } } -func TestSPDPolicyKey(t *testing.T) { - tests := []struct { - name string - spdIndex uint32 - saIndex uint32 - expectedKey string - }{ - { - name: "valid SPD & SA index", - spdIndex: 1, - saIndex: 2, - expectedKey: "vpp/spd/1/sa/2", - }, - { - name: "empty SPD & valid SA", - saIndex: 2, - expectedKey: "vpp/spd/0/sa/2", - }, - { - name: "empty SPD and empty SA", - expectedKey: "vpp/spd/0/sa/0", - }, - } - for _, test := range tests { - t.Run(test.name, func(t *testing.T) { - key := ipsec.SPDPolicyKey(test.spdIndex, test.saIndex) - if key != test.expectedKey { - t.Errorf("failed for: spdIdx=%d saIdx=%d\n"+ - "expected key:\n\t%q\ngot key:\n\t%q", - test.spdIndex, test.saIndex, test.expectedKey, key) - } - }) - } -} - -func TestParseSPDPolicyKey(t *testing.T) { - tests := []struct { - name string - key string - expectedSPDIndex string - expectedSAIndex string - expectedIsSPDPolicyKey bool - }{ - { - name: "valid SPD & SA index", - key: "vpp/spd/1/interface/2", - expectedSPDIndex: "1", - expectedSAIndex: "2", - expectedIsSPDPolicyKey: true, - }, - { - name: "invalid SPD but valid SA", - key: "vpp/spd//interface/2", - expectedSPDIndex: "", - expectedSAIndex: "2", - expectedIsSPDPolicyKey: true, - }, - { - name: "valid SPD but invalid SA", - key: "vpp/spd/1/interface/", - expectedSPDIndex: "1", - expectedSAIndex: "", - expectedIsSPDPolicyKey: true, - }, - { - name: "not SPD-policy key", - key: "vpp/config/v2/ipsec/sa/1", - expectedSPDIndex: "", - expectedSAIndex: "", - expectedIsSPDPolicyKey: false, - }, - } - for _, test := range tests { - t.Run(test.name, func(t *testing.T) { - spdIdx, saIdx, isSPDPolicyKey := ipsec.ParseSPDInterfaceKey(test.key) - if isSPDPolicyKey != test.expectedIsSPDPolicyKey { - t.Errorf("expected isSPDIfaceKey: %v\tgot: %v", test.expectedIsSPDPolicyKey, isSPDPolicyKey) - } - if spdIdx != test.expectedSPDIndex { - t.Errorf("expected spdIdx: %s\tgot: %s", test.expectedSPDIndex, spdIdx) - } - if saIdx != test.expectedSAIndex { - t.Errorf("expected saIdx: %s\tgot: %s", test.expectedSAIndex, saIdx) - } - }) - } -} - /*func TestIPSecSAKey(t *testing.T) { tests := []struct { name string diff --git a/proto/ligato/vpp/vpp.pb.go b/proto/ligato/vpp/vpp.pb.go index 848ba95c93..4a45f574d3 100644 --- a/proto/ligato/vpp/vpp.pb.go +++ b/proto/ligato/vpp/vpp.pb.go @@ -54,6 +54,7 @@ type ConfigData struct { IpsecSpds []*ipsec.SecurityPolicyDatabase `protobuf:"bytes,60,rep,name=ipsec_spds,json=ipsecSpds,proto3" json:"ipsec_spds,omitempty"` IpsecSas []*ipsec.SecurityAssociation `protobuf:"bytes,61,rep,name=ipsec_sas,json=ipsecSas,proto3" json:"ipsec_sas,omitempty"` IpsecTunnelProtections []*ipsec.TunnelProtection `protobuf:"bytes,62,rep,name=ipsec_tunnel_protections,json=ipsecTunnelProtections,proto3" json:"ipsec_tunnel_protections,omitempty"` + IpsecSps []*ipsec.SecurityPolicy `protobuf:"bytes,63,rep,name=ipsec_sps,json=ipsecSps,proto3" json:"ipsec_sps,omitempty"` PuntIpredirects []*punt.IPRedirect `protobuf:"bytes,70,rep,name=punt_ipredirects,json=puntIpredirects,proto3" json:"punt_ipredirects,omitempty"` PuntTohosts []*punt.ToHost `protobuf:"bytes,71,rep,name=punt_tohosts,json=puntTohosts,proto3" json:"punt_tohosts,omitempty"` PuntExceptions []*punt.Exception `protobuf:"bytes,72,rep,name=punt_exceptions,json=puntExceptions,proto3" json:"punt_exceptions,omitempty"` @@ -248,6 +249,13 @@ func (m *ConfigData) GetIpsecTunnelProtections() []*ipsec.TunnelProtection { return nil } +func (m *ConfigData) GetIpsecSps() []*ipsec.SecurityPolicy { + if m != nil { + return m.IpsecSps + } + return nil +} + func (m *ConfigData) GetPuntIpredirects() []*punt.IPRedirect { if m != nil { return m.PuntIpredirects @@ -402,78 +410,81 @@ func init() { proto.RegisterType((*Stats)(nil), "ligato.vpp.Stats") } -func init() { proto.RegisterFile("ligato/vpp/vpp.proto", fileDescriptor_0138a1608d5d59f2) } +func init() { + proto.RegisterFile("ligato/vpp/vpp.proto", fileDescriptor_0138a1608d5d59f2) +} var fileDescriptor_0138a1608d5d59f2 = []byte{ - // 1108 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x56, 0x6d, 0x4f, 0xdc, 0x46, - 0x10, 0x56, 0xd4, 0x24, 0x0d, 0x7b, 0xbc, 0x69, 0x4b, 0xc9, 0x86, 0xb6, 0x29, 0x41, 0x42, 0xa5, - 0x09, 0xb9, 0x6b, 0x39, 0x9a, 0x0f, 0x0d, 0x8d, 0x72, 0x40, 0x0e, 0xae, 0xa2, 0xc8, 0xdd, 0x43, - 0x6d, 0x44, 0x23, 0x59, 0x6b, 0xdf, 0xfa, 0x58, 0xc9, 0xf1, 0xae, 0x76, 0x96, 0x0b, 0xfc, 0xd8, - 0xfe, 0x97, 0x68, 0xc7, 0xf6, 0xbd, 0xd9, 0x28, 0x1f, 0x6c, 0x79, 0x66, 0x9e, 0xe7, 0x99, 0xf1, - 0x7a, 0x66, 0xbd, 0x64, 0x2d, 0x55, 0x43, 0xe1, 0x74, 0x6b, 0x64, 0x8c, 0xbf, 0x9a, 0xc6, 0x6a, - 0xa7, 0x29, 0xc9, 0xbd, 0xcd, 0x91, 0x31, 0x1b, 0x6c, 0x0a, 0x21, 0xa2, 0xc4, 0x5f, 0x39, 0x6a, - 0x36, 0x12, 0xa7, 0xfe, 0x2a, 0x22, 0xdf, 0x4f, 0x45, 0x94, 0x49, 0xd4, 0x4d, 0x7e, 0x2f, 0xa2, - 0x9b, 0x95, 0x68, 0x92, 0xea, 0x4f, 0xc6, 0xea, 0x48, 0x16, 0x88, 0xed, 0x69, 0x44, 0xe6, 0xa4, - 0x4d, 0x44, 0x2c, 0x61, 0xf2, 0x58, 0x27, 0x34, 0x81, 0x81, 0x11, 0x59, 0x81, 0x78, 0x76, 0x07, - 0xc2, 0x09, 0x27, 0x6b, 0x6b, 0x05, 0x19, 0xe7, 0xf7, 0x1a, 0x81, 0x74, 0xaf, 0x15, 0x59, 0x35, - 0x18, 0xca, 0x70, 0xa0, 0x3f, 0x0a, 0x55, 0xe6, 0x78, 0x3c, 0x0b, 0x49, 0x54, 0x54, 0xa3, 0x9c, - 0xee, 0xb5, 0x6e, 0x62, 0x9d, 0x65, 0x32, 0x76, 0x75, 0xb4, 0x76, 0x4b, 0xd8, 0x62, 0xf1, 0x37, - 0xd6, 0x67, 0x03, 0x69, 0xbb, 0x66, 0xb9, 0xd1, 0x7f, 0x53, 0x16, 0xf9, 0x64, 0x36, 0x62, 0xf5, - 0xf5, 0xf8, 0xed, 0xe6, 0x48, 0x4e, 0x8e, 0xab, 0x9b, 0xcb, 0x3f, 0xb2, 0x75, 0x9f, 0x35, 0x13, - 0xce, 0x5f, 0x45, 0x64, 0x63, 0x2a, 0x62, 0xae, 0x33, 0x87, 0xb7, 0x9a, 0x18, 0xd8, 0xd1, 0x2b, - 0xbc, 0xe5, 0xb1, 0xad, 0xff, 0x57, 0x08, 0x39, 0xd2, 0x59, 0xa2, 0x86, 0xc7, 0xc2, 0x09, 0xfa, - 0x96, 0x90, 0xc9, 0xb7, 0x60, 0x64, 0xf3, 0xab, 0x9d, 0xc6, 0xde, 0x66, 0x73, 0xd2, 0x72, 0xcd, - 0x49, 0xb4, 0xd9, 0x2b, 0x1f, 0xf9, 0x14, 0x87, 0xfe, 0x4a, 0x1e, 0xf8, 0x8f, 0x0c, 0xac, 0x81, - 0xe4, 0xef, 0xee, 0x20, 0xf7, 0x8d, 0xc8, 0x78, 0x8e, 0xa4, 0x3f, 0x91, 0xfb, 0x22, 0x4e, 0x81, - 0xad, 0x21, 0xe3, 0x9b, 0x69, 0x86, 0xef, 0xdb, 0xce, 0xd1, 0x19, 0x47, 0x00, 0x02, 0xa3, 0x04, - 0xd8, 0xb7, 0x35, 0xc0, 0x28, 0x69, 0x76, 0x0e, 0xbb, 0x1c, 0x01, 0xf4, 0x90, 0x2c, 0xcf, 0xb4, - 0x03, 0xb0, 0xa7, 0xd5, 0x6a, 0xd2, 0xbd, 0xe6, 0x21, 0x82, 0x8e, 0x11, 0xc3, 0x97, 0xa2, 0x29, - 0x0b, 0xe8, 0x0b, 0x72, 0x3f, 0x51, 0x11, 0xb0, 0x1f, 0x91, 0xf9, 0x78, 0x8e, 0xd9, 0xed, 0x1d, - 0xbe, 0xcb, 0x9c, 0xbd, 0xe5, 0x08, 0xf2, 0x09, 0xcb, 0x1e, 0x0a, 0x8d, 0x50, 0x16, 0xd8, 0x66, - 0x6d, 0xc2, 0xf7, 0x47, 0x39, 0x28, 0x10, 0xca, 0xf2, 0xa5, 0x92, 0xe2, 0x2d, 0xa0, 0xbb, 0xe4, - 0x21, 0xb6, 0x07, 0xb0, 0x1d, 0xe4, 0xae, 0xcd, 0x70, 0xdb, 0x4d, 0xee, 0x83, 0xbc, 0xc0, 0xf8, - 0xf2, 0x84, 0x35, 0xc0, 0x7e, 0xae, 0x29, 0xaf, 0xdd, 0xec, 0xf0, 0xa0, 0x28, 0xcf, 0x83, 0xe8, - 0x3e, 0x59, 0x30, 0x56, 0xdf, 0xdc, 0x86, 0xc2, 0x1a, 0xf6, 0x7c, 0xf3, 0x5e, 0x0d, 0x23, 0xf0, - 0xf1, 0x0e, 0x0f, 0xf8, 0x23, 0x44, 0x76, 0xac, 0xa1, 0x5d, 0xb2, 0xa2, 0x0c, 0xc4, 0x22, 0x0b, - 0x33, 0xa9, 0x86, 0x57, 0x91, 0xb6, 0xec, 0x05, 0x72, 0x7f, 0x98, 0xe3, 0xf6, 0x82, 0x7e, 0x2c, - 0xb2, 0xf3, 0x02, 0xc4, 0x97, 0x73, 0x56, 0x69, 0xfb, 0x52, 0x47, 0x36, 0x01, 0xb6, 0x5b, 0x5b, - 0xea, 0x3f, 0x36, 0xb9, 0x10, 0x51, 0x2a, 0x39, 0x82, 0xe8, 0x6b, 0xd2, 0xf0, 0xe3, 0x93, 0x2f, - 0x0c, 0xb0, 0x97, 0xc8, 0x79, 0x32, 0xc7, 0x39, 0x6b, 0x97, 0x0b, 0xc9, 0xa7, 0xd1, 0xf4, 0x35, - 0x59, 0x1c, 0x5c, 0xc5, 0x26, 0xf4, 0xaf, 0xa0, 0x24, 0xb0, 0x26, 0xb2, 0xd9, 0x1c, 0xfb, 0xf8, - 0xf4, 0x28, 0xc0, 0xd7, 0xe5, 0x0d, 0x8f, 0x0e, 0x72, 0xb0, 0x27, 0xfb, 0x19, 0x0c, 0x65, 0xe6, - 0xac, 0x27, 0xb7, 0x6a, 0xc9, 0x17, 0x52, 0x45, 0xf9, 0xd2, 0x36, 0x5c, 0xf1, 0xe8, 0xc9, 0x6f, - 0xc8, 0x62, 0x26, 0xdc, 0xfe, 0x7e, 0x38, 0x4c, 0x75, 0x24, 0x52, 0xb6, 0x87, 0x0b, 0x35, 0xf3, - 0xf9, 0xfd, 0xb0, 0x9e, 0x7b, 0xcc, 0x09, 0x42, 0x78, 0x23, 0x9b, 0x18, 0xf4, 0x17, 0xf2, 0xf5, - 0x00, 0x6d, 0x60, 0x6d, 0xcc, 0xbb, 0x3e, 0x4f, 0x3d, 0x46, 0x2e, 0x2f, 0x61, 0xb4, 0x47, 0x56, - 0xf3, 0x8c, 0x53, 0x03, 0xbb, 0x8f, 0xd4, 0xa7, 0xb5, 0x59, 0x27, 0xe3, 0xba, 0x92, 0xcd, 0xd8, - 0x40, 0x3b, 0x24, 0xaf, 0x25, 0x34, 0x5a, 0xa7, 0xc0, 0x7e, 0xab, 0x8e, 0xfd, 0x58, 0xa5, 0x33, - 0x18, 0x58, 0x09, 0x10, 0x68, 0x9d, 0x72, 0x82, 0x24, 0xff, 0x08, 0xf4, 0x84, 0x10, 0xdc, 0x9b, - 0x43, 0x30, 0x03, 0x60, 0x07, 0xa8, 0xb0, 0x33, 0x33, 0xfb, 0xb8, 0x73, 0xf7, 0x65, 0x7c, 0x6d, - 0x95, 0xbb, 0x0d, 0x74, 0xaa, 0xe2, 0x5b, 0xbf, 0xe5, 0x44, 0x02, 0x24, 0x5f, 0xc0, 0x68, 0xdf, - 0x0c, 0xfc, 0x24, 0x2d, 0x14, 0x42, 0x02, 0xd8, 0x1f, 0xa8, 0xb3, 0x7d, 0xb7, 0x4e, 0x07, 0x40, - 0xc7, 0x4a, 0x38, 0xa5, 0x33, 0xfe, 0x28, 0x17, 0x11, 0x40, 0x3f, 0x10, 0x96, 0x6b, 0xb8, 0xeb, - 0x2c, 0x93, 0xa9, 0x6f, 0x07, 0x27, 0x63, 0x0f, 0x02, 0xf6, 0x06, 0x25, 0xb7, 0xaa, 0x92, 0x17, - 0x88, 0x0d, 0xc6, 0x50, 0xbe, 0x8e, 0xfe, 0x79, 0x37, 0xd0, 0x2e, 0x59, 0xf5, 0x9b, 0x6b, 0xa8, - 0x8c, 0x95, 0x03, 0x65, 0xb1, 0x4d, 0xbb, 0xd5, 0x69, 0xc7, 0x0d, 0xb8, 0x17, 0xf0, 0x02, 0xc3, - 0x57, 0xbc, 0xa3, 0x37, 0xe1, 0xd0, 0xdf, 0xc9, 0x22, 0xea, 0x38, 0x7d, 0xa5, 0xc1, 0x01, 0x3b, - 0xa9, 0x8e, 0x07, 0x6a, 0x5c, 0xe8, 0x53, 0x0d, 0x8e, 0x37, 0xbc, 0x71, 0x91, 0x63, 0xe9, 0x11, - 0x41, 0xb9, 0x50, 0xde, 0xc4, 0xd2, 0xe4, 0x2f, 0x76, 0x8a, 0xf4, 0x8d, 0x0a, 0xfd, 0x5d, 0x09, - 0xe1, 0xcb, 0xde, 0x1e, 0x9b, 0x40, 0x0f, 0x48, 0xc3, 0xff, 0x09, 0xca, 0x96, 0xed, 0x57, 0x5b, - 0x16, 0x7f, 0x14, 0x7d, 0x3e, 0x7a, 0x55, 0xb4, 0x2c, 0xf1, 0x8e, 0xa2, 0x63, 0xdf, 0x92, 0x65, - 0x64, 0xa7, 0x3a, 0x16, 0x29, 0xa8, 0x01, 0xb0, 0xa0, 0x3a, 0xab, 0x28, 0x70, 0xe6, 0x11, 0xfd, - 0xde, 0x31, 0x5f, 0xf2, 0xe6, 0x59, 0x89, 0xa7, 0x07, 0x04, 0x1d, 0xa1, 0xf1, 0xcd, 0xe0, 0x27, - 0xee, 0xef, 0xea, 0x0a, 0xa0, 0x40, 0xde, 0x2d, 0x7c, 0xd1, 0x1b, 0x41, 0x01, 0x1e, 0xe7, 0x07, - 0x27, 0xa5, 0x55, 0xd9, 0x10, 0x18, 0xbf, 0x23, 0x7f, 0xbf, 0x40, 0xe4, 0xf9, 0x4b, 0x0b, 0x3f, - 0x00, 0x9e, 0x71, 0xca, 0x05, 0xb8, 0xac, 0x6e, 0x8c, 0xf9, 0xd9, 0xa8, 0x17, 0x74, 0x7b, 0xef, - 0x79, 0x03, 0x8d, 0xe2, 0xed, 0xff, 0x25, 0xeb, 0x39, 0x77, 0x7c, 0x3e, 0x0a, 0x8d, 0xb0, 0xe2, - 0x23, 0xb0, 0xff, 0x50, 0xe5, 0x59, 0x55, 0xa5, 0x9b, 0xea, 0x4f, 0x81, 0x47, 0x06, 0x08, 0xe4, - 0x6b, 0xe8, 0xee, 0x96, 0xfc, 0xdc, 0x4b, 0xff, 0x22, 0xab, 0x73, 0xc2, 0xc0, 0x3e, 0xd4, 0xf5, - 0xec, 0x8c, 0x64, 0x57, 0x0a, 0x77, 0x6d, 0x25, 0x5f, 0x99, 0xd5, 0x84, 0xad, 0x4b, 0xb2, 0x78, - 0xae, 0x9d, 0x4a, 0x54, 0x8c, 0x43, 0x42, 0xff, 0x24, 0x0b, 0xe3, 0xfd, 0x82, 0xdd, 0xc3, 0x52, - 0x77, 0xbf, 0xf4, 0x7f, 0x9f, 0x16, 0xe0, 0x13, 0xfa, 0xd6, 0x19, 0x79, 0xd0, 0x77, 0x02, 0xbb, + // 1124 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x56, 0x6f, 0x6f, 0xdb, 0xb6, + 0x13, 0x46, 0xf1, 0x6b, 0xfb, 0x6b, 0xe8, 0xfc, 0x03, 0x97, 0xa5, 0x6c, 0xb6, 0x75, 0x69, 0x80, + 0x60, 0x59, 0x9b, 0xda, 0x5b, 0x9c, 0xf5, 0xc5, 0x9a, 0x76, 0x75, 0x92, 0x3a, 0xf1, 0x90, 0x05, + 0x1a, 0x1d, 0x6c, 0x45, 0x56, 0x40, 0xa0, 0x64, 0xca, 0x21, 0xa0, 0x8a, 0x04, 0x8f, 0x71, 0x93, + 0xef, 0xb2, 0x0f, 0x3b, 0xf0, 0x24, 0xf9, 0x9f, 0x14, 0xf4, 0x85, 0x04, 0x1d, 0xef, 0x79, 0x1e, + 0x1e, 0x8f, 0x77, 0x14, 0xc9, 0x5a, 0xaa, 0x86, 0xc2, 0xe9, 0xd6, 0xc8, 0x18, 0xff, 0x34, 0x8d, + 0xd5, 0x4e, 0x53, 0x92, 0x8f, 0x36, 0x47, 0xc6, 0x6c, 0xb0, 0x29, 0x84, 0x88, 0x12, 0xff, 0xe4, + 0xa8, 0x59, 0x4f, 0x9c, 0xfa, 0xa7, 0xf0, 0x7c, 0x3b, 0xe5, 0x51, 0x26, 0x51, 0x37, 0xf9, 0xbb, + 0xf0, 0x6e, 0x56, 0xbc, 0x49, 0xaa, 0x3f, 0x1b, 0xab, 0x23, 0x59, 0x20, 0xb6, 0xa7, 0x11, 0x99, + 0x93, 0x36, 0x11, 0xb1, 0x84, 0xc9, 0x67, 0x9d, 0xd0, 0x04, 0x06, 0x46, 0x64, 0x05, 0xe2, 0xd9, + 0x1d, 0x08, 0x27, 0x9c, 0xac, 0x8d, 0x15, 0x64, 0x9c, 0xbf, 0x6b, 0x04, 0xd2, 0xbd, 0x56, 0x64, + 0xd5, 0x60, 0x28, 0xc3, 0x81, 0xfe, 0x24, 0x54, 0x39, 0xc7, 0xe3, 0x59, 0x48, 0xa2, 0xa2, 0x1a, + 0xe5, 0x74, 0xaf, 0x75, 0x13, 0xeb, 0x2c, 0x93, 0xb1, 0xab, 0xa3, 0xb5, 0x5b, 0xc2, 0x16, 0xc9, + 0xdf, 0x58, 0x9f, 0x75, 0xa4, 0xed, 0x9a, 0x74, 0xe3, 0xf8, 0x4d, 0x19, 0xe4, 0x93, 0x59, 0x8f, + 0xd5, 0xd7, 0xe3, 0xd5, 0xcd, 0x91, 0x9c, 0x1c, 0x47, 0x37, 0x37, 0xff, 0xc8, 0xd6, 0x6d, 0x6b, + 0x26, 0x9c, 0x7f, 0x0a, 0xcf, 0xc6, 0x94, 0xc7, 0x5c, 0x67, 0x0e, 0x5f, 0x35, 0x3e, 0xb0, 0xa3, + 0x57, 0xf8, 0xca, 0x7d, 0x5b, 0xff, 0xae, 0x12, 0x72, 0xa4, 0xb3, 0x44, 0x0d, 0x8f, 0x85, 0x13, + 0xf4, 0x1d, 0x21, 0x93, 0xbd, 0x60, 0x64, 0xf3, 0x7f, 0x3b, 0x8d, 0xbd, 0xcd, 0xe6, 0xa4, 0xe4, + 0x9a, 0x13, 0x6f, 0xb3, 0x57, 0x7e, 0xf2, 0x29, 0x0e, 0xfd, 0x99, 0x3c, 0xf0, 0x9b, 0x0c, 0xac, + 0x81, 0xe4, 0x6f, 0xee, 0x20, 0xf7, 0x8d, 0xc8, 0x78, 0x8e, 0xa4, 0x3f, 0x90, 0xfb, 0x22, 0x4e, + 0x81, 0xad, 0x21, 0xe3, 0xab, 0x69, 0x86, 0xaf, 0xdb, 0xce, 0xd1, 0x19, 0x47, 0x00, 0x02, 0xa3, + 0x04, 0xd8, 0xd7, 0x35, 0xc0, 0x28, 0x69, 0x76, 0x0e, 0xbb, 0x1c, 0x01, 0xf4, 0x90, 0x2c, 0xcf, + 0x94, 0x03, 0xb0, 0xa7, 0xd5, 0x68, 0xd2, 0xbd, 0xe6, 0x21, 0x82, 0x8e, 0x11, 0xc3, 0x97, 0xa2, + 0x29, 0x0b, 0xe8, 0x0b, 0x72, 0x3f, 0x51, 0x11, 0xb0, 0xef, 0x91, 0xf9, 0x78, 0x8e, 0xd9, 0xed, + 0x1d, 0xbe, 0xcf, 0x9c, 0xbd, 0xe5, 0x08, 0xf2, 0x13, 0x96, 0x35, 0x14, 0x1a, 0xa1, 0x2c, 0xb0, + 0xcd, 0xda, 0x09, 0x3f, 0x1c, 0xe5, 0xa0, 0x40, 0x28, 0xcb, 0x97, 0x4a, 0x8a, 0xb7, 0x80, 0xee, + 0x92, 0x87, 0x58, 0x1e, 0xc0, 0x76, 0x90, 0xbb, 0x36, 0xc3, 0x6d, 0x37, 0xb9, 0x77, 0xf2, 0x02, + 0xe3, 0xc3, 0x13, 0xd6, 0x00, 0xfb, 0xb1, 0x26, 0xbc, 0x76, 0xb3, 0xc3, 0x83, 0x22, 0x3c, 0x0f, + 0xa2, 0xfb, 0x64, 0xc1, 0x58, 0x7d, 0x73, 0x1b, 0x0a, 0x6b, 0xd8, 0xf3, 0xcd, 0x7b, 0x35, 0x8c, + 0xc0, 0xfb, 0x3b, 0x3c, 0xe0, 0x8f, 0x10, 0xd9, 0xb1, 0x86, 0x76, 0xc9, 0x8a, 0x32, 0x10, 0x8b, + 0x2c, 0xcc, 0xa4, 0x1a, 0x5e, 0x45, 0xda, 0xb2, 0x17, 0xc8, 0xfd, 0x6e, 0x8e, 0xdb, 0x0b, 0xfa, + 0xb1, 0xc8, 0xce, 0x0b, 0x10, 0x5f, 0xce, 0x59, 0xa5, 0xed, 0x43, 0x1d, 0xd9, 0x04, 0xd8, 0x6e, + 0x6d, 0xa8, 0x7f, 0xd9, 0xe4, 0x42, 0x44, 0xa9, 0xe4, 0x08, 0xa2, 0xaf, 0x49, 0xc3, 0xb7, 0x4f, + 0x9e, 0x18, 0x60, 0x2f, 0x91, 0xf3, 0x64, 0x8e, 0x73, 0xd6, 0x2e, 0x13, 0xc9, 0xa7, 0xd1, 0xf4, + 0x35, 0x59, 0x1c, 0x5c, 0xc5, 0x26, 0xf4, 0x4b, 0x50, 0x12, 0x58, 0x13, 0xd9, 0x6c, 0x8e, 0x7d, + 0x7c, 0x7a, 0x14, 0xe0, 0x72, 0x79, 0xc3, 0xa3, 0x83, 0x1c, 0xec, 0xc9, 0xbe, 0x07, 0x43, 0x99, + 0x39, 0xeb, 0xc9, 0xad, 0x5a, 0xf2, 0x85, 0x54, 0x51, 0x9e, 0xda, 0x86, 0x2b, 0x3e, 0x3d, 0xf9, + 0x2d, 0x59, 0xcc, 0x84, 0xdb, 0xdf, 0x0f, 0x87, 0xa9, 0x8e, 0x44, 0xca, 0xf6, 0x30, 0x51, 0x33, + 0xdb, 0xef, 0x9b, 0xf5, 0xdc, 0x63, 0x4e, 0x10, 0xc2, 0x1b, 0xd9, 0xc4, 0xa0, 0x3f, 0x91, 0xff, + 0x0f, 0xd0, 0x06, 0xd6, 0xc6, 0x79, 0xd7, 0xe7, 0xa9, 0xc7, 0xc8, 0xe5, 0x25, 0x8c, 0xf6, 0xc8, + 0x6a, 0x3e, 0xe3, 0x54, 0xc3, 0xee, 0x23, 0xf5, 0x69, 0xed, 0xac, 0x93, 0x76, 0x5d, 0xc9, 0x66, + 0x6c, 0xa0, 0x1d, 0x92, 0xc7, 0x12, 0x1a, 0xad, 0x53, 0x60, 0xbf, 0x54, 0xdb, 0x7e, 0xac, 0xd2, + 0x19, 0x0c, 0xac, 0x04, 0x08, 0xb4, 0x4e, 0x39, 0x41, 0x92, 0xff, 0x04, 0x7a, 0x42, 0x08, 0x9e, + 0xcd, 0x21, 0x98, 0x01, 0xb0, 0x03, 0x54, 0xd8, 0x99, 0xe9, 0x7d, 0x3c, 0xb9, 0xfb, 0x32, 0xbe, + 0xb6, 0xca, 0xdd, 0x06, 0x3a, 0x55, 0xf1, 0xad, 0x3f, 0x72, 0x22, 0x01, 0x92, 0x2f, 0xa0, 0xb7, + 0x6f, 0x06, 0xbe, 0x93, 0x16, 0x0a, 0x21, 0x01, 0xec, 0x0d, 0xea, 0x6c, 0xdf, 0xad, 0xd3, 0x01, + 0xd0, 0xb1, 0x12, 0x4e, 0xe9, 0x8c, 0x3f, 0xca, 0x45, 0x04, 0xd0, 0x8f, 0x84, 0xe5, 0x1a, 0xee, + 0x3a, 0xcb, 0x64, 0xea, 0xcb, 0xc1, 0xc9, 0xd8, 0x83, 0x80, 0xbd, 0x45, 0xc9, 0xad, 0xaa, 0xe4, + 0x05, 0x62, 0x83, 0x31, 0x94, 0xaf, 0xe3, 0xf8, 0xfc, 0x30, 0xd0, 0x37, 0xe3, 0x08, 0x0d, 0xb0, + 0xdf, 0x6a, 0x8e, 0xc8, 0x9a, 0x95, 0x96, 0xc1, 0x19, 0xa0, 0x5d, 0xb2, 0xea, 0xcf, 0xe6, 0x50, + 0x19, 0x2b, 0x07, 0xca, 0x62, 0x95, 0x77, 0xab, 0x87, 0x05, 0x9e, 0xdf, 0xbd, 0x80, 0x17, 0x18, + 0xbe, 0xe2, 0x07, 0x7a, 0x13, 0x0e, 0xfd, 0x95, 0x2c, 0xa2, 0x8e, 0xd3, 0x57, 0x1a, 0x1c, 0xb0, + 0x93, 0x6a, 0x77, 0xa1, 0xc6, 0x85, 0x3e, 0xd5, 0xe0, 0x78, 0xc3, 0x1b, 0x17, 0x39, 0x96, 0x1e, + 0x11, 0x94, 0x0b, 0xe5, 0x4d, 0x2c, 0x4d, 0x9e, 0x97, 0x53, 0xa4, 0x6f, 0x54, 0xe8, 0xef, 0x4b, + 0x08, 0x5f, 0xf6, 0xf6, 0xd8, 0x04, 0x7a, 0x40, 0x1a, 0xfe, 0x47, 0x52, 0x56, 0x7c, 0xbf, 0x5a, + 0xf1, 0xf8, 0x9f, 0xe9, 0xf3, 0xd1, 0xab, 0xa2, 0xe2, 0x89, 0x1f, 0x28, 0x0a, 0xfe, 0x1d, 0x59, + 0x46, 0x76, 0xaa, 0x63, 0x91, 0x82, 0x1a, 0x00, 0x0b, 0xaa, 0xad, 0x8e, 0x02, 0x67, 0x1e, 0xd1, + 0xef, 0x1d, 0xf3, 0x25, 0x6f, 0x9e, 0x95, 0x78, 0x7a, 0x40, 0x70, 0x20, 0x34, 0x3e, 0xc3, 0xbe, + 0x61, 0xff, 0xac, 0x66, 0x00, 0x05, 0x8a, 0x2d, 0x58, 0xf4, 0x46, 0x50, 0x80, 0xc7, 0xf3, 0x83, + 0x93, 0xd2, 0xaa, 0x6c, 0x08, 0x8c, 0xdf, 0x31, 0x7f, 0xbf, 0x40, 0xe4, 0xf3, 0x97, 0x16, 0x6e, + 0x00, 0x5e, 0x91, 0xca, 0x04, 0x5c, 0x56, 0xcf, 0xd5, 0xfc, 0x6a, 0xd5, 0x0b, 0xba, 0xbd, 0x0f, + 0xbc, 0x81, 0x46, 0xb1, 0xfa, 0xbf, 0xc9, 0x7a, 0xce, 0x1d, 0x5f, 0xaf, 0x42, 0x23, 0xac, 0xf8, + 0x04, 0xec, 0x1f, 0x54, 0x79, 0x56, 0x55, 0xe9, 0xa6, 0xfa, 0x73, 0xe0, 0x91, 0x01, 0x02, 0xf9, + 0x1a, 0x0e, 0x77, 0x4b, 0x7e, 0x3e, 0x4a, 0xff, 0x20, 0xab, 0x73, 0xc2, 0xc0, 0x3e, 0xd6, 0x95, + 0xfc, 0x8c, 0x64, 0x57, 0x0a, 0x77, 0x6d, 0x25, 0x5f, 0x99, 0xd5, 0x84, 0xad, 0x4b, 0xb2, 0x78, + 0xae, 0x9d, 0x4a, 0x54, 0x8c, 0x3d, 0x46, 0x7f, 0x27, 0x0b, 0xe3, 0xe3, 0x86, 0xdd, 0xc3, 0x50, + 0x77, 0xbf, 0x74, 0x3d, 0x98, 0x16, 0xe0, 0x13, 0xfa, 0xd6, 0x19, 0x79, 0xd0, 0x77, 0x02, 0xab, 0xb1, 0x22, 0xba, 0xfd, 0x25, 0x51, 0x64, 0x4e, 0xa9, 0x1d, 0xee, 0x5e, 0x3e, 0x1f, 0xea, 0x92, - 0xa5, 0xf0, 0xb4, 0xf2, 0x52, 0x0c, 0x65, 0xe6, 0x5a, 0xa3, 0x76, 0x0b, 0x0f, 0x2b, 0xad, 0xc9, - 0x39, 0x26, 0x7a, 0x88, 0x9e, 0xf6, 0xe7, 0x00, 0x00, 0x00, 0xff, 0xff, 0x88, 0x45, 0xb0, 0xca, - 0x25, 0x0b, 0x00, 0x00, + 0xa5, 0xf0, 0xb2, 0xf3, 0x52, 0x0c, 0x65, 0xe6, 0x5a, 0xa3, 0x76, 0x0b, 0xef, 0x3a, 0xad, 0xc9, + 0x35, 0x28, 0x7a, 0x88, 0x23, 0xed, 0xff, 0x02, 0x00, 0x00, 0xff, 0xff, 0x79, 0x55, 0xbc, 0x95, + 0x64, 0x0b, 0x00, 0x00, } diff --git a/proto/ligato/vpp/vpp.proto b/proto/ligato/vpp/vpp.proto index aeb203fa75..cfafc393e3 100644 --- a/proto/ligato/vpp/vpp.proto +++ b/proto/ligato/vpp/vpp.proto @@ -54,6 +54,7 @@ message ConfigData { repeated ipsec.SecurityPolicyDatabase ipsec_spds = 60; repeated ipsec.SecurityAssociation ipsec_sas = 61; repeated ipsec.TunnelProtection ipsec_tunnel_protections = 62; + repeated ipsec.SecurityPolicy ipsec_sps = 63; repeated punt.IPRedirect punt_ipredirects = 70; repeated punt.ToHost punt_tohosts = 71; diff --git a/proto/ligato/vpp/vpp_types.go b/proto/ligato/vpp/vpp_types.go index cec4bea898..3744565a04 100644 --- a/proto/ligato/vpp/vpp_types.go +++ b/proto/ligato/vpp/vpp_types.go @@ -57,6 +57,7 @@ type ( // IPSec IPSecSPD = vpp_ipsec.SecurityPolicyDatabase + IPSecSP = vpp_ipsec.SecurityPolicy IPSecSA = vpp_ipsec.SecurityAssociation // Punt diff --git a/tests/e2e/070_ipsec_test.go b/tests/e2e/070_ipsec_test.go index b8982c3e1d..b169989c69 100644 --- a/tests/e2e/070_ipsec_test.go +++ b/tests/e2e/070_ipsec_test.go @@ -16,9 +16,8 @@ package e2e import ( "context" - "testing" - . "github.com/onsi/gomega" + "testing" "go.ligato.io/vpp-agent/v3/proto/ligato/kvscheduler" vpp_interfaces "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/interfaces" @@ -73,6 +72,46 @@ func TestIPSec(t *testing.T) { IntegKey: "bf9b150aaf5c2a87d79898b11eabd055e70abdbe", EnableUdpEncap: true, } + spOut := &vpp_ipsec.SecurityPolicy{ + SpdIndex: 100, + SaIndex: 10, + Priority: 0, + IsOutbound: true, + RemoteAddrStart: "10.10.1.1", + RemoteAddrStop: "10.10.1.255", + LocalAddrStart: "10.10.2.1", + LocalAddrStop: "10.10.2.255", + Protocol: 0, + RemotePortStart: 100, + RemotePortStop: 2000, + LocalPortStart: 0, + LocalPortStop: 65535, + Action: vpp_ipsec.SecurityPolicy_PROTECT, + } + spIn := &vpp_ipsec.SecurityPolicy{ + SpdIndex: 100, + SaIndex: 20, + Priority: 0, + IsOutbound: false, + RemoteAddrStart: "10.10.1.1", + RemoteAddrStop: "10.10.1.255", + LocalAddrStart: "10.10.2.1", + LocalAddrStop: "10.10.2.255", + Protocol: 0, + RemotePortStart: 0, + RemotePortStop: 65535, + LocalPortStart: 0, + LocalPortStop: 65535, + Action: vpp_ipsec.SecurityPolicy_PROTECT, + } + spd := &vpp_ipsec.SecurityPolicyDatabase{ + Index: 100, + Interfaces: []*vpp_ipsec.SecurityPolicyDatabase_Interface{ + { + Name: tunnelIfName, + }, + }, + } tp := &vpp_ipsec.TunnelProtection{ Interface: tunnelIfName, SaOut: []uint32{saOut.Index}, @@ -86,6 +125,9 @@ func TestIPSec(t *testing.T) { saOut, saIn, tp, + spd, + spIn, + spOut, ).Send(context.Background()) Expect(err).ToNot(HaveOccurred(), "Sending change request failed with err") @@ -97,6 +139,16 @@ func TestIPSec(t *testing.T) { "IN SA is not configured") Eventually(ctx.getValueStateClb(tp)).Should(Equal(kvscheduler.ValueState_CONFIGURED), "tunnel protection is not configured") + Eventually(ctx.getValueStateClb(spd)).Should(Equal(kvscheduler.ValueState_CONFIGURED), + "SPD is not configured") + Eventually(ctx.getValueStateClb(spIn)).Should(Equal(kvscheduler.ValueState_CONFIGURED), + "IN SP is not configured") + Eventually(ctx.getValueStateClb(spOut)).Should(Equal(kvscheduler.ValueState_CONFIGURED), + "OUT SP is not configured") + + if ctx.vppRelease >= "20.05" { + Expect(ctx.agentInSync()).To(BeTrue()) + } // rekey - delete old SAs, create new SAs and modify tunnel protection @@ -125,15 +177,51 @@ func TestIPSec(t *testing.T) { SaOut: []uint32{saOutNew.Index}, SaIn: []uint32{saInNew.Index}, } + spOutNew := &vpp_ipsec.SecurityPolicy{ + SpdIndex: 100, + SaIndex: 11, + Priority: 0, + IsOutbound: true, + RemoteAddrStart: "10.10.1.1", + RemoteAddrStop: "10.10.1.255", + LocalAddrStart: "10.10.2.1", + LocalAddrStop: "10.10.2.255", + Protocol: 0, + RemotePortStart: 0, + RemotePortStop: 65535, + LocalPortStart: 0, + LocalPortStop: 65535, + Action: vpp_ipsec.SecurityPolicy_PROTECT, + } + spInNew := &vpp_ipsec.SecurityPolicy{ + SpdIndex: 100, + SaIndex: 21, + Priority: 0, + IsOutbound: false, + RemoteAddrStart: "10.10.1.1", + RemoteAddrStop: "10.10.1.255", + LocalAddrStart: "10.10.2.1", + LocalAddrStop: "10.10.2.255", + Protocol: 0, + RemotePortStart: 0, + RemotePortStop: 65535, + LocalPortStart: 0, + LocalPortStop: 65535, + Action: vpp_ipsec.SecurityPolicy_PROTECT, + } req2 := ctx.grpcClient.ChangeRequest() err = req2. Delete( saOut, - saIn). + saIn, + spOut, + spIn). Update( saOutNew, saInNew, + spOutNew, + spInNew, tpNew, ).Send(context.Background()) Expect(err).ToNot(HaveOccurred(), "Sending change request failed with err") @@ -148,6 +236,18 @@ func TestIPSec(t *testing.T) { "IN SA is not configured") Eventually(ctx.getValueStateClb(tpNew)).Should(Equal(kvscheduler.ValueState_CONFIGURED), "tunnel protection is not configured") + Eventually(ctx.getValueStateClb(spOut)).Should(Equal(kvscheduler.ValueState_NONEXISTENT), + "old OUT SP was not removed") + Eventually(ctx.getValueStateClb(spIn)).Should(Equal(kvscheduler.ValueState_NONEXISTENT), + "old IN SP was not removed") + Eventually(ctx.getValueStateClb(spOutNew)).Should(Equal(kvscheduler.ValueState_CONFIGURED), + "OUT SP is not configured") + Eventually(ctx.getValueStateClb(spInNew)).Should(Equal(kvscheduler.ValueState_CONFIGURED), + "IN SP is not configured") + + if ctx.vppRelease >= "20.05" { + Expect(ctx.agentInSync()).To(BeTrue()) + } // delete the tunnel @@ -157,6 +257,9 @@ func TestIPSec(t *testing.T) { saInNew, tpNew, ipipTun, + spInNew, + spOutNew, + spd, ).Send(context.Background()) Expect(err).ToNot(HaveOccurred(), "Sending change request failed with err") @@ -164,10 +267,20 @@ func TestIPSec(t *testing.T) { "OUT SA was not removed") Eventually(ctx.getValueStateClb(saInNew)).Should(Equal(kvscheduler.ValueState_NONEXISTENT), "IN SA was not removed") + Eventually(ctx.getValueStateClb(spOutNew)).Should(Equal(kvscheduler.ValueState_NONEXISTENT), + "OUT SP was not removed") + Eventually(ctx.getValueStateClb(spInNew)).Should(Equal(kvscheduler.ValueState_NONEXISTENT), + "IN SP was not removed") + Eventually(ctx.getValueStateClb(spd)).Should(Equal(kvscheduler.ValueState_NONEXISTENT), + "SPD was not removed") Eventually(ctx.getValueStateClb(tpNew)).Should(Equal(kvscheduler.ValueState_NONEXISTENT), "tunnel protection was not removed") Eventually(ctx.getValueStateClb(ipipTun)).Should(Equal(kvscheduler.ValueState_NONEXISTENT), "IPIP tunnel was not removed") + + if ctx.vppRelease >= "20.05" { + Expect(ctx.agentInSync()).To(BeTrue()) + } } func TestIPSecMultiPoint(t *testing.T) { @@ -258,12 +371,85 @@ func TestIPSecMultiPoint(t *testing.T) { PeerAddr: tp2.NextHopAddr, NextHopAddr: "8.8.8.9", } + spOut1 := &vpp_ipsec.SecurityPolicy{ + SpdIndex: 100, + SaIndex: 10, + Priority: 0, + IsOutbound: true, + RemoteAddrStart: "10.10.1.1", + RemoteAddrStop: "10.10.1.255", + LocalAddrStart: "10.10.2.1", + LocalAddrStop: "10.10.2.255", + Protocol: 0, + RemotePortStart: 0, + RemotePortStop: 65535, + LocalPortStart: 0, + LocalPortStop: 65535, + Action: vpp_ipsec.SecurityPolicy_PROTECT, + } + spIn1 := &vpp_ipsec.SecurityPolicy{ + SpdIndex: 100, + SaIndex: 20, + Priority: 0, + IsOutbound: false, + RemoteAddrStart: "10.10.1.1", + RemoteAddrStop: "10.10.1.255", + LocalAddrStart: "10.10.2.1", + LocalAddrStop: "10.10.2.255", + Protocol: 0, + RemotePortStart: 0, + RemotePortStop: 65535, + LocalPortStart: 0, + LocalPortStop: 65535, + Action: vpp_ipsec.SecurityPolicy_PROTECT, + } + spOut2 := &vpp_ipsec.SecurityPolicy{ + SpdIndex: 100, + SaIndex: 30, + Priority: 0, + IsOutbound: true, + RemoteAddrStart: "10.20.1.1", + RemoteAddrStop: "10.20.1.255", + LocalAddrStart: "10.20.2.1", + LocalAddrStop: "10.20.2.255", + Protocol: 0, + RemotePortStart: 0, + RemotePortStop: 65535, + LocalPortStart: 0, + LocalPortStop: 65535, + Action: vpp_ipsec.SecurityPolicy_PROTECT, + } + spIn2 := &vpp_ipsec.SecurityPolicy{ + SpdIndex: 100, + SaIndex: 40, + Priority: 0, + IsOutbound: false, + RemoteAddrStart: "10.20.1.1", + RemoteAddrStop: "10.20.1.255", + LocalAddrStart: "10.20.2.1", + LocalAddrStop: "10.20.2.255", + Protocol: 0, + RemotePortStart: 0, + RemotePortStop: 65535, + LocalPortStart: 0, + LocalPortStop: 65535, + Action: vpp_ipsec.SecurityPolicy_PROTECT, + } + spd := &vpp_ipsec.SecurityPolicyDatabase{ + Index: 100, + Interfaces: []*vpp_ipsec.SecurityPolicyDatabase_Interface{ + { + Name: tunnelIfName, + }, + }, + } ctx.startMicroservice(msName) req := ctx.grpcClient.ChangeRequest() err := req.Update( ipipTun, saOut1, saIn1, saOut2, saIn2, + spOut1, spIn1, spOut2, spIn2, spd, tp1, tp2, teib1, teib2, ).Send(context.Background()) @@ -287,11 +473,26 @@ func TestIPSecMultiPoint(t *testing.T) { "TEIB 1 is not configured") Eventually(ctx.getValueStateClb(teib2)).Should(Equal(kvscheduler.ValueState_CONFIGURED), "TEIB 2 is not configured") + Eventually(ctx.getValueStateClb(spOut1)).Should(Equal(kvscheduler.ValueState_CONFIGURED), + "OUT SP 1 is not configured") + Eventually(ctx.getValueStateClb(spIn1)).Should(Equal(kvscheduler.ValueState_CONFIGURED), + "IN SP 1 is not configured") + Eventually(ctx.getValueStateClb(spOut2)).Should(Equal(kvscheduler.ValueState_CONFIGURED), + "OUT SP 2 is not configured") + Eventually(ctx.getValueStateClb(spIn2)).Should(Equal(kvscheduler.ValueState_CONFIGURED), + "IN SP 2 is not configured") + Eventually(ctx.getValueStateClb(spd)).Should(Equal(kvscheduler.ValueState_CONFIGURED), + "SPD is not configured") + + if ctx.vppRelease >= "20.05" { + Expect(ctx.agentInSync()).To(BeTrue()) + } req3 := ctx.grpcClient.ChangeRequest() err = req3.Delete( ipipTun, saOut1, saIn1, saOut2, saIn2, + spOut1, spIn1, spOut2, spIn2, spd, tp1, tp2, teib1, teib2, ).Send(context.Background()) @@ -315,4 +516,16 @@ func TestIPSecMultiPoint(t *testing.T) { "tunnel protection 1 was not removed") Eventually(ctx.getValueStateClb(ipipTun)).Should(Equal(kvscheduler.ValueState_NONEXISTENT), "IPIP tunnel was not removed") + Eventually(ctx.getValueStateClb(spOut1)).Should(Equal(kvscheduler.ValueState_NONEXISTENT), + "OUT SP 1 was not removed") + Eventually(ctx.getValueStateClb(spIn1)).Should(Equal(kvscheduler.ValueState_NONEXISTENT), + "IN SP 1 was not removed") + Eventually(ctx.getValueStateClb(spOut2)).Should(Equal(kvscheduler.ValueState_NONEXISTENT), + "OUT SP 2 was not removed") + Eventually(ctx.getValueStateClb(spIn2)).Should(Equal(kvscheduler.ValueState_NONEXISTENT), + "IN SP 2 was not removed") + + if ctx.vppRelease >= "20.05" { + Expect(ctx.agentInSync()).To(BeTrue()) + } } diff --git a/tests/integration/vpp/130_ipsec_test.go b/tests/integration/vpp/130_ipsec_test.go index f82a8d0a85..186429e942 100644 --- a/tests/integration/vpp/130_ipsec_test.go +++ b/tests/integration/vpp/130_ipsec_test.go @@ -16,6 +16,7 @@ package vpp import ( "fmt" + "github.com/golang/protobuf/proto" "testing" "go.ligato.io/cn-infra/v2/logging/logrus" @@ -36,6 +37,7 @@ func TestIPSec(t *testing.T) { p2mpSupported := true // determines point-to-multipoint support saDumpAPIOk := true // determines if SA dump API is working + spdIfaceDumpOk := false // determines if ipsec_spd_interface_dump works correctly release := ctx.versionInfo.Release() if release < "20.01" { @@ -55,6 +57,9 @@ func TestIPSec(t *testing.T) { ipip *interfaces.IPIPLink saOut *ipsec.SecurityAssociation saIn *ipsec.SecurityAssociation + spd *ipsec.SecurityPolicyDatabase + spOut *ipsec.SecurityPolicy + spIn *ipsec.SecurityPolicy tp *ipsec.TunnelProtection }{ { @@ -83,6 +88,37 @@ func TestIPSec(t *testing.T) { IntegKey: "bf9b150aaf5c2a87d79898b11eabd055e70abdbe", EnableUdpEncap: true, }, + spd: &ipsec.SecurityPolicyDatabase{ + Index: 100, + }, + spOut: &ipsec.SecurityPolicy{ + SpdIndex: 100, + SaIndex: 10, + Priority: 0, + IsOutbound: true, + RemoteAddrStart: "10.10.1.1", + RemoteAddrStop: "10.10.1.255", + LocalAddrStart: "10.10.2.1", + LocalAddrStop: "10.10.2.255", + Protocol: 0, + Action: ipsec.SecurityPolicy_PROTECT, + }, + spIn: &ipsec.SecurityPolicy{ + SpdIndex: 100, + SaIndex: 20, + Priority: 0, + IsOutbound: false, + RemoteAddrStart: "10.10.1.1", + RemoteAddrStop: "10.10.1.255", + LocalAddrStart: "10.10.2.1", + LocalAddrStop: "10.10.2.255", + Protocol: 0, + RemotePortStart: 1000, + RemotePortStop: 5000, + LocalPortStart: 2000, + LocalPortStop: 7000, + Action: ipsec.SecurityPolicy_PROTECT, + }, tp: &ipsec.TunnelProtection{ SaOut: []uint32{10}, SaIn: []uint32{20}, @@ -116,6 +152,37 @@ func TestIPSec(t *testing.T) { SaOut: []uint32{1}, SaIn: []uint32{2}, }, + spd: &ipsec.SecurityPolicyDatabase{ + Index: 101, + }, + spOut: &ipsec.SecurityPolicy{ + SpdIndex: 101, + SaIndex: 1, + Priority: 0, + IsOutbound: true, + RemoteAddrStart: "2001:1000::1", + RemoteAddrStop: "2001:1000::1000", + LocalAddrStart: "2001:2000::1", + LocalAddrStop: "2001:2000::1000", + Protocol: 0, + Action: ipsec.SecurityPolicy_PROTECT, + }, + spIn: &ipsec.SecurityPolicy{ + SpdIndex: 101, + SaIndex: 2, + Priority: 0, + IsOutbound: false, + RemoteAddrStart: "2001:1000::1", + RemoteAddrStop: "2001:1000::1000", + LocalAddrStart: "2001:2000::1", + LocalAddrStop: "2001:2000::1000", + Protocol: 0, + RemotePortStart: 1000, + RemotePortStop: 5000, + LocalPortStart: 2000, + LocalPortStop: 7000, + Action: ipsec.SecurityPolicy_PROTECT, + }, }, { name: "Create multipoint IPSec tunnel", @@ -143,6 +210,37 @@ func TestIPSec(t *testing.T) { IntegKey: "bf9b150aaf5c2a87d79898b11eabd055e70abdbe", EnableUdpEncap: true, }, + spd: &ipsec.SecurityPolicyDatabase{ + Index: 102, + }, + spOut: &ipsec.SecurityPolicy{ + SpdIndex: 102, + SaIndex: 100, + Priority: 0, + IsOutbound: true, + RemoteAddrStart: "10.10.1.1", + RemoteAddrStop: "10.10.1.255", + LocalAddrStart: "10.10.2.1", + LocalAddrStop: "10.10.2.255", + Protocol: 0, + Action: ipsec.SecurityPolicy_PROTECT, + }, + spIn: &ipsec.SecurityPolicy{ + SpdIndex: 102, + SaIndex: 101, + Priority: 0, + IsOutbound: false, + RemoteAddrStart: "10.10.1.1", + RemoteAddrStop: "10.10.1.255", + LocalAddrStart: "10.10.2.1", + LocalAddrStop: "10.10.2.255", + Protocol: 0, + RemotePortStart: 1000, + RemotePortStop: 5000, + LocalPortStart: 2000, + LocalPortStop: 7000, + Action: ipsec.SecurityPolicy_PROTECT, + }, tp: &ipsec.TunnelProtection{ SaOut: []uint32{100}, SaIn: []uint32{101}, @@ -155,7 +253,7 @@ func TestIPSec(t *testing.T) { if !p2mpSupported && test.ipip.TunnelMode == interfaces.IPIPLink_POINT_TO_MULTIPOINT { t.Skipf("IPIP: p2mp skipped for VPP < 20.05 (%s)", release) } - // create IPIP tunnel + SAs + tunnel protection + // create IPIP tunnel + SAs + tunnel protection + SPs ifName := fmt.Sprintf("ipip%d", i) ifIdx, err := ifHandler.AddIpipTunnel(ifName, 0, test.ipip) if err != nil { @@ -178,8 +276,24 @@ func TestIPSec(t *testing.T) { if err != nil { t.Fatalf("add tunnel protection failed: %v\n", err) } + err = ipsecHandler.AddSPD(test.spd.Index) + if err != nil { + t.Fatalf("add SPD failed: %v\n", err) + } + err = ipsecHandler.AddSPDInterface(test.spd.Index, &ipsec.SecurityPolicyDatabase_Interface{Name: ifName}) + if err != nil { + t.Fatalf("add SPD-Interface failed: %v\n", err) + } + err = ipsecHandler.AddSP(test.spOut) + if err != nil { + t.Fatalf("add SP failed: %v\n", err) + } + err = ipsecHandler.AddSP(test.spIn) + if err != nil { + t.Fatalf("add SP failed: %v\n", err) + } - // check created SAs + tunnel protection + // check created SAs + tunnel protection + SPs saList, err := ipsecHandler.DumpIPSecSA() if err != nil { t.Fatalf("dumping SAs failed: %v", err) @@ -213,8 +327,68 @@ func TestIPSec(t *testing.T) { if tpList[0].NextHopAddr != test.tp.NextHopAddr { t.Fatalf("tunnel protection next hop mismatch (%v != %v)", tpList[0].NextHopAddr, test.tp.NextHopAddr) } + spdList, err := ipsecHandler.DumpIPSecSPD() + if err != nil { + t.Fatalf("dumping of SPDs failed: %v", err) + } + if len(spdList) != 1 { + t.Fatalf("Invalid number of SPDs: %d", len(spdList)) + } + if spdList[0].Index != test.spd.Index { + t.Fatalf("Invalid SPD index: %d", spdList[0].Index) + } + if spdIfaceDumpOk { + if len(spdList[0].Interfaces) != 1 { + t.Fatalf("Invalid number of interfaces inside SPDs: %d", len(spdList[0].Interfaces)) + } + if spdList[0].Interfaces[0].Name != ifName { + t.Fatalf("Invalid interface name in tunnel protections: %s", spdList[0].Interfaces[0].Name) + } + } + spList, err := ipsecHandler.DumpIPSecSP() + if err != nil { + t.Fatalf("dumping of SPs failed: %v", err) + } + if len(spList) != 2 { + t.Fatalf("Invalid number of SPs: %d", len(spList)) + } + for _, sp := range spList { + if !proto.Equal(sp, test.spOut) && !proto.Equal(sp, test.spIn) { + t.Fatalf("Invalid SP: %+v", sp) + } + } - // delete tunnel protection, SAs and IPIP tunnel + // delete SPs, tunnel protection, SAs and IPIP tunnel + err = ipsecHandler.DeleteSP(test.spIn) + if err != nil { + t.Fatalf("delete of security policy failed: %v\n", err) + } + err = ipsecHandler.DeleteSP(test.spOut) + if err != nil { + t.Fatalf("delete of security policy failed: %v\n", err) + } + spList, err = ipsecHandler.DumpIPSecSP() + if err != nil { + t.Fatalf("dumping of security policies failed: %v", err) + } + if len(spList) != 0 { + t.Fatalf("%d SPs found in dump after removing", len(spList)) + } + err = ipsecHandler.DeleteSPDInterface(test.spd.Index, &ipsec.SecurityPolicyDatabase_Interface{Name: ifName}) + if err != nil { + t.Fatalf("delete of SPD failed: %v\n", err) + } + err = ipsecHandler.DeleteSPD(test.spd.Index) + if err != nil { + t.Fatalf("delete of SPD failed: %v\n", err) + } + spdList, err = ipsecHandler.DumpIPSecSPD() + if err != nil { + t.Fatalf("dumping of SPDs failed: %v", err) + } + if len(spdList) != 0 { + t.Fatalf("%d SPDs found in dump after removing", len(spdList)) + } err = ipsecHandler.DeleteTunnelProtection(test.tp) if err != nil { t.Fatalf("delete tunnel protection failed: %v\n", err)