diff --git a/tests/common/config.py b/tests/common/config.py
index 2735627..3a3717c 100644
--- a/tests/common/config.py
+++ b/tests/common/config.py
@@ -490,6 +490,13 @@ def setup_tunnel_routes(r1con, r2con, tun_ipv6, network3):
 return r1ipnh, r1ip6nh, r2ipnh, r2ip6nh
 
 
+def esp_args_filter_dir(direction, esp_args):
+ """Filter out esp args inappropriate for the direction."""
+ if direction != "in":
+ esp_args = re.sub(r"replay-window \d+", "", esp_args)
+ return esp_args
+
+
 def esp_flags_filter_dir(direction, esp_flags):
 """Filter out esp flags inappropriate for the direction."""
 if direction == "in":
@@ -523,6 +530,7 @@ async def setup_policy_tun(
 trex=False,
 r1only=False,
 ipsec_intf="eth2",
+ esp_args="",
 esp_flags="",
 iptfs_opts="",
 ipv4=True,
@@ -594,12 +602,12 @@ async def setup_policy_tun(
 #
 direction = "out" if r == r1 else "in"
 eflags = esp_flags_filter_dir(direction, esp_flags)
- esp_args = "replay-window 128" if direction == "in" else ""
+ eargs = esp_args_filter_dir(direction, esp_args)
 repl.cmd_raises(
 (
 f"ip xfrm state add src {r1ip} dst {r2ip} proto esp "
 f"spi {spi_1to2} mode {mode} {sa_auth} {sa_enc} "
- f"{esp_args} {eflags} reqid {reqid_1to2} dir {direction} "
+ f"{eargs} {eflags} reqid {reqid_1to2} dir {direction} "
 # f"reqid {reqid_1to2} "
 )
 + iptfs_opts_filter_dir(direction, iptfs_opts)
@@ -607,12 +615,12 @@ async def setup_policy_tun(
 
 direction = "in" if r == r1 else "out"
 eflags = esp_flags_filter_dir(direction, esp_flags)
- esp_args = "replay-window 128" if direction == "in" else ""
+ eargs = esp_args_filter_dir(direction, esp_args)
 repl.cmd_raises(
 (
 f"ip xfrm state add src {r2ip} dst {r1ip} proto esp "
 f"spi {spi_2to1} mode {mode} {sa_auth} {sa_enc} "
- f"{esp_args} {eflags} reqid {reqid_2to1} dir {direction} "
+ f"{eargs} {eflags} reqid {reqid_2to1} dir {direction} "
 # f"reqid {reqid_2to1} "
 )
 + iptfs_opts_filter_dir(direction, iptfs_opts)
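Review bot: `esp_args_filter_dir` calls `re.sub`, but this diff adds no `import re` to tests/common/config.py, so confirm the module already imports `re`; if it does not, the first non-inbound call fails with NameError. The docstring could also say what is removed and why, for example `"""Strip replay-window from esp args unless direction is "in" (anti-replay is enforced on the receiving SA)."""`. The pattern `replay-window \d+` leaves the surrounding spaces behind, which is harmless on the `ip xfrm` command line but worth a `.strip()` if the result is ever compared or logged.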
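Review bot: The new `esp_args=""` default in the `setup_policy_tun` signature (and the same default added to `setup_routed_tun` in the @@ -757 hunk) silently changes what existing callers get: the lines removed in the later hunks set `replay-window 128` on every inbound SA, whereas now only callers that pass it do. Only tests/flood/test_flood.py is updated in this diff, so any other caller would create inbound SAs without an explicit replay window, which likely means those tests run with anti-replay checking disabled, and a caller using `esp_flags="esn"` may have its state add rejected by the kernel. Keeping the old behaviour as the default, `esp_args="replay-window 128",`, and letting tests opt out explicitly would avoid that; otherwise the parameter should be described in the function docstring. Both signatures continue outside their hunks.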
@@ -757,6 +765,7 @@ async def setup_routed_tun(
 r1only=False,
 ipsec_intf="eth2",
 iptfs_opts="",
+ esp_args="",
 esp_flags="",
 ipv4=True,
 ipv6=False,
@@ -835,23 +844,23 @@ async def setup_routed_tun(
 
 direction = "out" if r == r1 else "in"
 eflags = esp_flags_filter_dir(direction, esp_flags)
- esp_args = "replay-window 128" if direction == "in" else ""
+ eargs = esp_args_filter_dir(direction, esp_args)
 repl.cmd_raises(
 (
 f"ip xfrm state add src {r1ip} dst {r2ip} proto esp "
 f"spi {spi_1to2} mode {mode} {sa_auth} {sa_enc} "
- f"{esp_args} {eflags} if_id 55 reqid {reqid_1to2} dir {direction} "
+ f"{eargs} {eflags} if_id 55 reqid {reqid_1to2} dir {direction} "
 )
 + iptfs_opts_filter_dir(direction, iptfs_opts)
 )
 direction = "in" if r == r1 else "out"
 eflags = esp_flags_filter_dir(direction, esp_flags)
- esp_args = "replay-window 128" if direction == "in" else ""
+ eargs = esp_args_filter_dir(direction, esp_args)
 repl.cmd_raises(
 (
 f"ip xfrm state add src {r2ip} dst {r1ip} proto esp "
 f"spi {spi_2to1} mode {mode} {sa_auth} {sa_enc} "
- f"{esp_args} {eflags} if_id 55 reqid {reqid_2to1} dir {direction} "
+ f"{eargs} {eflags} if_id 55 reqid {reqid_2to1} dir {direction} "
 )
 + iptfs_opts_filter_dir(direction, iptfs_opts)
 )
diff --git a/tests/flood/test_flood.py b/tests/flood/test_flood.py
index 738312b..7b35726 100644
--- a/tests/flood/test_flood.py
+++ b/tests/flood/test_flood.py
@@ -78,6 +78,7 @@ async def test_policy_tun_agg(unet, astepf, tun_ipv6):
 await setup_policy_tun(
 unet,
 mode="iptfs",
+ esp_args="replay-window 128",
 iptfs_opts=f"init-delay {INIT_DELAY}",
 ipv6=True,
 tun_ipv6=tun_ipv6,
@@ -95,6 +96,7 @@ async def test_routed_tun_agg(unet, astepf, tun_ipv6):
 await setup_routed_tun(
 unet,
 mode="iptfs",
+ esp_args="replay-window 128",
 esp_flags="esn",
 iptfs_opts=f"init-delay {INIT_DELAY}",
 ipv6=True,