ipsec: change wildcard value for any protocol of spd policy
Currently 0 has been used as the wildcard representing ANY type of
protocol. However 0 is valid value of ip protocol (HOPOPT) and therefore
it should not be used as a wildcard. Instead 255 is used which is
guaranteed by IANA to be reserved and not used as a protocol id.
Type: improvement
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: I2320bae6fe380cb999dc5a9187beb68fda2d31eb
diff --git a/test/test_ipsec_ah.py b/test/test_ipsec_ah.py
index 190bde7..b23dd3f 100644
--- a/test/test_ipsec_ah.py
+++ b/test/test_ipsec_ah.py
@@ -213,7 +213,7 @@
remote_tun_if_host,
self.pg1.remote_addr[addr_type],
self.pg1.remote_addr[addr_type],
- 0,
+ socket.IPPROTO_RAW,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0,
@@ -226,7 +226,7 @@
self.pg1.remote_addr[addr_type],
remote_tun_if_host,
remote_tun_if_host,
- 0,
+ socket.IPPROTO_RAW,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=10,
)
@@ -238,7 +238,7 @@
remote_tun_if_host,
self.pg0.local_addr[addr_type],
self.pg0.local_addr[addr_type],
- 0,
+ socket.IPPROTO_RAW,
priority=20,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0,
@@ -251,7 +251,7 @@
self.pg0.local_addr[addr_type],
remote_tun_if_host,
remote_tun_if_host,
- 0,
+ socket.IPPROTO_RAW,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=20,
)
@@ -341,7 +341,7 @@
self.tra_if.local_addr[addr_type],
self.tra_if.remote_addr[addr_type],
self.tra_if.remote_addr[addr_type],
- 0,
+ socket.IPPROTO_RAW,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0,
@@ -356,7 +356,7 @@
self.tra_if.local_addr[addr_type],
self.tra_if.remote_addr[addr_type],
self.tra_if.remote_addr[addr_type],
- 0,
+ socket.IPPROTO_RAW,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=10,
)
diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py
index 54b8771..90f013f 100644
--- a/test/test_ipsec_esp.py
+++ b/test/test_ipsec_esp.py
@@ -206,7 +206,7 @@
remote_tun_if_host,
self.pg1.remote_addr[addr_type],
self.pg1.remote_addr[addr_type],
- 0,
+ socket.IPPROTO_RAW,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0,
@@ -221,7 +221,7 @@
self.pg1.remote_addr[addr_type],
remote_tun_if_host,
remote_tun_if_host,
- 0,
+ socket.IPPROTO_RAW,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=10,
)
@@ -235,7 +235,7 @@
remote_tun_if_host,
self.pg0.local_addr[addr_type],
self.pg0.local_addr[addr_type],
- 0,
+ socket.IPPROTO_RAW,
priority=20,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0,
@@ -250,7 +250,7 @@
self.pg0.local_addr[addr_type],
remote_tun_if_host,
remote_tun_if_host,
- 0,
+ socket.IPPROTO_RAW,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=20,
)
@@ -337,7 +337,7 @@
self.tra_if.local_addr[addr_type],
self.tra_if.remote_addr[addr_type],
self.tra_if.remote_addr[addr_type],
- 0,
+ socket.IPPROTO_RAW,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0,
@@ -352,7 +352,7 @@
self.tra_if.local_addr[addr_type],
self.tra_if.remote_addr[addr_type],
self.tra_if.remote_addr[addr_type],
- 0,
+ socket.IPPROTO_RAW,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=10,
)
@@ -452,7 +452,7 @@
self.pg1.remote_addr[p4.addr_type],
p6.remote_tun_if_host4,
p6.remote_tun_if_host4,
- 0,
+ socket.IPPROTO_RAW,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=1,
@@ -487,7 +487,7 @@
self.pg1.remote_addr[p6.addr_type],
p4.remote_tun_if_host6,
p4.remote_tun_if_host6,
- 0,
+ socket.IPPROTO_RAW,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=1,
@@ -648,7 +648,7 @@
self.pg1.remote_addr[self.p_sync.addr_type],
self.p_sync.remote_tun_if_host,
self.p_sync.remote_tun_if_host,
- 0,
+ socket.IPPROTO_RAW,
priority=1,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=1,
@@ -707,7 +707,7 @@
self.pg1.remote_addr[self.p_async.addr_type],
self.p_async.remote_tun_if_host,
self.p_async.remote_tun_if_host,
- 0,
+ socket.IPPROTO_RAW,
priority=2,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=1,
diff --git a/test/test_ipsec_nat.py b/test/test_ipsec_nat.py
index 64a2725..881b5a7 100644
--- a/test/test_ipsec_nat.py
+++ b/test/test_ipsec_nat.py
@@ -275,7 +275,7 @@
self.tun_if.remote_addr[addr_type],
self.pg1.remote_addr[addr_type],
self.pg1.remote_addr[addr_type],
- 0,
+ socket.IPPROTO_RAW,
priority=10,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
is_outbound=0,
@@ -288,7 +288,7 @@
self.pg1.remote_addr[addr_type],
self.tun_if.remote_addr[addr_type],
self.tun_if.remote_addr[addr_type],
- 0,
+ socket.IPPROTO_RAW,
policy=e.IPSEC_API_SPD_ACTION_PROTECT,
priority=10,
).add_vpp_config()
diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py
index 1db7f85..eb0209f 100644
--- a/test/vpp_ipsec.py
+++ b/test/vpp_ipsec.py
@@ -85,7 +85,7 @@
local_stop,
remote_start,
remote_stop,
- proto,
+ proto=socket.IPPROTO_RAW,
priority=100,
policy=None,
is_outbound=1,
diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py
index a4a3799..db2b32e 100644
--- a/test/vpp_papi_provider.py
+++ b/test/vpp_papi_provider.py
@@ -980,7 +980,7 @@
local_port_stop=65535,
remote_port_start=0,
remote_port_stop=65535,
- protocol=0,
+ protocol=socket.IPPROTO_RAW,
policy=0,
priority=100,
is_outbound=1,
@@ -1010,7 +1010,7 @@
:param is_add: (Default value = 1)
"""
return self.api(
- self.papi.ipsec_spd_entry_add_del,
+ self.papi.ipsec_spd_entry_add_del_v2,
{
"is_add": is_add,
"entry": {