diff options
Diffstat (limited to 'examples/ipsec-secgw')
-rw-r--r-- | examples/ipsec-secgw/Makefile | 2 | ||||
-rw-r--r-- | examples/ipsec-secgw/esp.c | 5 | ||||
-rw-r--r-- | examples/ipsec-secgw/ipsec-secgw.c | 26 | ||||
-rw-r--r-- | examples/ipsec-secgw/ipsec.h | 14 | ||||
-rw-r--r-- | examples/ipsec-secgw/sa.c | 58 | ||||
-rw-r--r-- | examples/ipsec-secgw/sp4.c | 47 | ||||
-rw-r--r-- | examples/ipsec-secgw/sp6.c | 47 |
7 files changed, 166 insertions, 33 deletions
diff --git a/examples/ipsec-secgw/Makefile b/examples/ipsec-secgw/Makefile index 02d41e39..a6933801 100644 --- a/examples/ipsec-secgw/Makefile +++ b/examples/ipsec-secgw/Makefile @@ -52,7 +52,7 @@ clean: else ifeq ($(RTE_SDK),) - $(error "Please define RTE_SDK environment variable") +$(error "Please define RTE_SDK environment variable") endif # Default target, can be overridden by command line or environment diff --git a/examples/ipsec-secgw/esp.c b/examples/ipsec-secgw/esp.c index e33232c9..faa84ddd 100644 --- a/examples/ipsec-secgw/esp.c +++ b/examples/ipsec-secgw/esp.c @@ -162,7 +162,7 @@ esp_inbound_post(struct rte_mbuf *m, struct ipsec_sa *sa, } if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { - RTE_LOG(ERR, IPSEC_ESP, "failed crypto op\n"); + RTE_LOG(ERR, IPSEC_ESP, "%s() failed crypto op\n", __func__); return -1; } @@ -455,7 +455,8 @@ esp_outbound_post(struct rte_mbuf *m, } else { RTE_ASSERT(cop != NULL); if (cop->status != RTE_CRYPTO_OP_STATUS_SUCCESS) { - RTE_LOG(ERR, IPSEC_ESP, "Failed crypto op\n"); + RTE_LOG(ERR, IPSEC_ESP, "%s() failed crypto op\n", + __func__); return -1; } } diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index f88fdb4c..dfb93375 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -255,7 +255,8 @@ prepare_one_packet(struct rte_mbuf *pkt, struct ipsec_traffic *t) } } else { /* Unknown/Unsupported type, drop the packet */ - RTE_LOG(ERR, IPSEC, "Unsupported packet type\n"); + RTE_LOG(ERR, IPSEC, "Unsupported packet type 0x%x\n", + rte_be_to_cpu_16(eth->ether_type)); rte_pktmbuf_free(pkt); } @@ -425,11 +426,11 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, for (i = 0; i < ip->num; i++) { m = ip->pkts[i]; res = ip->res[i]; - if (res & BYPASS) { + if (res == BYPASS) { ip->pkts[j++] = m; continue; } - if (res & DISCARD) { + if (res == DISCARD) { rte_pktmbuf_free(m); continue; } @@ -440,9 +441,8 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, continue; } - sa_idx = ip->res[i] & PROTECT_MASK; - if (sa_idx >= IPSEC_SA_MAX_ENTRIES || - !inbound_sa_check(sa, m, sa_idx)) { + sa_idx = SPI2IDX(res); + if (!inbound_sa_check(sa, m, sa_idx)) { rte_pktmbuf_free(m); continue; } @@ -523,16 +523,15 @@ outbound_sp(struct sp_ctx *sp, struct traffic_type *ip, j = 0; for (i = 0; i < ip->num; i++) { m = ip->pkts[i]; - sa_idx = ip->res[i] & PROTECT_MASK; - if (ip->res[i] & DISCARD) + sa_idx = SPI2IDX(ip->res[i]); + if (ip->res[i] == DISCARD) rte_pktmbuf_free(m); - else if (ip->res[i] & BYPASS) + else if (ip->res[i] == BYPASS) ip->pkts[j++] = m; - else if (sa_idx < IPSEC_SA_MAX_ENTRIES) { + else { ipsec->res[ipsec->num] = sa_idx; ipsec->pkts[ipsec->num++] = m; - } else /* invalid SA idx */ - rte_pktmbuf_free(m); + } } ip->num = j; } @@ -932,7 +931,8 @@ main_loop(__attribute__((unused)) void *dummy) qconf->outbound.session_pool = socket_ctx[socket_id].session_pool; if (qconf->nb_rx_queue == 0) { - RTE_LOG(INFO, IPSEC, "lcore %u has nothing to do\n", lcore_id); + RTE_LOG(DEBUG, IPSEC, "lcore %u has nothing to do\n", + lcore_id); return 0; } diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index 508d87af..86d8f7df 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -40,10 +40,8 @@ #define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1)) #define INVALID_SPI (0) -#define DISCARD (0x80000000) -#define BYPASS (0x40000000) -#define PROTECT_MASK (0x3fffffff) -#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */ +#define DISCARD INVALID_SPI +#define BYPASS UINT32_MAX #define IPSEC_XFORM_MAX 2 @@ -241,6 +239,14 @@ sp4_init(struct socket_ctx *ctx, int32_t socket_id); void sp6_init(struct socket_ctx *ctx, int32_t socket_id); +/* + * Search through SA entries for given SPI. + * Returns first entry index if found(greater or equal then zero), + * or -ENOENT otherwise. + */ +int +sa_spi_present(uint32_t spi, int inbound); + void sa_init(struct socket_ctx *ctx, int32_t socket_id); diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c index 640f1d79..f7b6eb0b 100644 --- a/examples/ipsec-secgw/sa.c +++ b/examples/ipsec-secgw/sa.c @@ -79,7 +79,7 @@ const struct supported_cipher_algo cipher_algos[] = { .keyword = "aes-128-ctr", .algo = RTE_CRYPTO_CIPHER_AES_CTR, .iv_len = 8, - .block_size = 16, /* XXX AESNI MB limition, should be 4 */ + .block_size = 4, .key_len = 20 }, { @@ -125,11 +125,11 @@ const struct supported_aead_algo aead_algos[] = { } }; -struct ipsec_sa sa_out[IPSEC_SA_MAX_ENTRIES]; -uint32_t nb_sa_out; +static struct ipsec_sa sa_out[IPSEC_SA_MAX_ENTRIES]; +static uint32_t nb_sa_out; -struct ipsec_sa sa_in[IPSEC_SA_MAX_ENTRIES]; -uint32_t nb_sa_in; +static struct ipsec_sa sa_in[IPSEC_SA_MAX_ENTRIES]; +static uint32_t nb_sa_in; static const struct supported_cipher_algo * find_match_cipher_algo(const char *cipher_keyword) @@ -630,7 +630,7 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, *ri = *ri + 1; } -static inline void +static void print_one_sa_rule(const struct ipsec_sa *sa, int inbound) { uint32_t i; @@ -687,7 +687,22 @@ print_one_sa_rule(const struct ipsec_sa *sa, int inbound) } break; case TRANSPORT: - printf("Transport"); + printf("Transport "); + break; + } + printf(" type:"); + switch (sa->type) { + case RTE_SECURITY_ACTION_TYPE_NONE: + printf("no-offload "); + break; + case RTE_SECURITY_ACTION_TYPE_INLINE_CRYPTO: + printf("inline-crypto-offload "); + break; + case RTE_SECURITY_ACTION_TYPE_INLINE_PROTOCOL: + printf("inline-protocol-offload "); + break; + case RTE_SECURITY_ACTION_TYPE_LOOKASIDE_PROTOCOL: + printf("lookaside-protocol-offload "); break; } printf("\n"); @@ -714,8 +729,8 @@ sa_create(const char *name, int32_t socket_id) snprintf(s, sizeof(s), "%s_%u", name, socket_id); /* Create SA array table */ - printf("Creating SA context with %u maximum entries\n", - IPSEC_SA_MAX_ENTRIES); + printf("Creating SA context with %u maximum entries on socket %d\n", + IPSEC_SA_MAX_ENTRIES, socket_id); mz_size = sizeof(struct sa_ctx); mz = rte_memzone_reserve(s, mz_size, socket_id, @@ -901,6 +916,31 @@ sa_in_add_rules(struct sa_ctx *sa_ctx, const struct ipsec_sa entries[], return sa_add_rules(sa_ctx, entries, nb_entries, 1); } +/* + * Walk through all SA rules to find an SA with given SPI + */ +int +sa_spi_present(uint32_t spi, int inbound) +{ + uint32_t i, num; + const struct ipsec_sa *sar; + + if (inbound != 0) { + sar = sa_in; + num = nb_sa_in; + } else { + sar = sa_out; + num = nb_sa_out; + } + + for (i = 0; i != num; i++) { + if (sar[i].spi == spi) + return i; + } + + return -ENOENT; +} + void sa_init(struct socket_ctx *ctx, int32_t socket_id) { diff --git a/examples/ipsec-secgw/sp4.c b/examples/ipsec-secgw/sp4.c index 6b05daaa..99362a68 100644 --- a/examples/ipsec-secgw/sp4.c +++ b/examples/ipsec-secgw/sp4.c @@ -99,6 +99,7 @@ parse_sp4_tokens(char **tokens, uint32_t n_tokens, uint32_t *ri = NULL; /* rule index */ uint32_t ti = 0; /* token index */ + uint32_t tv; uint32_t esp_p = 0; uint32_t protect_p = 0; @@ -169,8 +170,12 @@ parse_sp4_tokens(char **tokens, uint32_t n_tokens, if (status->status < 0) return; - rule_ipv4->data.userdata = - PROTECT(atoi(tokens[ti])); + tv = atoi(tokens[ti]); + APP_CHECK(tv != DISCARD && tv != BYPASS, status, + "invalid SPI: %s", tokens[ti]); + if (status->status < 0) + return; + rule_ipv4->data.userdata = tv; protect_p = 1; continue; @@ -472,6 +477,36 @@ acl4_init(const char *name, int32_t socketid, const struct acl4_rules *rules, return ctx; } +/* + * check that for each rule it's SPI has a correspondent entry in SAD + */ +static int +check_spi_value(int inbound) +{ + uint32_t i, num, spi; + const struct acl4_rules *acr; + + if (inbound != 0) { + acr = acl4_rules_in; + num = nb_acl4_rules_in; + } else { + acr = acl4_rules_out; + num = nb_acl4_rules_out; + } + + for (i = 0; i != num; i++) { + spi = acr[i].data.userdata; + if (spi != DISCARD && spi != BYPASS && + sa_spi_present(spi, inbound) < 0) { + RTE_LOG(ERR, IPSEC, "SPI %u is not present in SAD\n", + spi); + return -ENOENT; + } + } + + return 0; +} + void sp4_init(struct socket_ctx *ctx, int32_t socket_id) { @@ -488,6 +523,14 @@ sp4_init(struct socket_ctx *ctx, int32_t socket_id) rte_exit(EXIT_FAILURE, "Outbound SP DB for socket %u already " "initialized\n", socket_id); + if (check_spi_value(1) < 0) + rte_exit(EXIT_FAILURE, + "Inbound IPv4 SP DB has unmatched in SAD SPIs\n"); + + if (check_spi_value(0) < 0) + rte_exit(EXIT_FAILURE, + "Outbound IPv4 SP DB has unmatched in SAD SPIs\n"); + if (nb_acl4_rules_in > 0) { name = "sp_ip4_in"; ctx->sp_ip4_in = (struct sp_ctx *)acl4_init(name, diff --git a/examples/ipsec-secgw/sp6.c b/examples/ipsec-secgw/sp6.c index dc5b94c6..bfcabf39 100644 --- a/examples/ipsec-secgw/sp6.c +++ b/examples/ipsec-secgw/sp6.c @@ -130,6 +130,7 @@ parse_sp6_tokens(char **tokens, uint32_t n_tokens, uint32_t *ri = NULL; /* rule index */ uint32_t ti = 0; /* token index */ + uint32_t tv; uint32_t esp_p = 0; uint32_t protect_p = 0; @@ -202,8 +203,12 @@ parse_sp6_tokens(char **tokens, uint32_t n_tokens, if (status->status < 0) return; - rule_ipv6->data.userdata = - PROTECT(atoi(tokens[ti])); + tv = atoi(tokens[ti]); + APP_CHECK(tv != DISCARD && tv != BYPASS, status, + "invalid SPI: %s", tokens[ti]); + if (status->status < 0) + return; + rule_ipv6->data.userdata = tv; protect_p = 1; continue; @@ -586,6 +591,36 @@ acl6_init(const char *name, int32_t socketid, const struct acl6_rules *rules, return ctx; } +/* + * check that for each rule it's SPI has a correspondent entry in SAD + */ +static int +check_spi_value(int inbound) +{ + uint32_t i, num, spi; + const struct acl6_rules *acr; + + if (inbound != 0) { + acr = acl6_rules_in; + num = nb_acl6_rules_in; + } else { + acr = acl6_rules_out; + num = nb_acl6_rules_out; + } + + for (i = 0; i != num; i++) { + spi = acr[i].data.userdata; + if (spi != DISCARD && spi != BYPASS && + sa_spi_present(spi, inbound) < 0) { + RTE_LOG(ERR, IPSEC, "SPI %u is not present in SAD\n", + spi); + return -ENOENT; + } + } + + return 0; +} + void sp6_init(struct socket_ctx *ctx, int32_t socket_id) { @@ -602,6 +637,14 @@ sp6_init(struct socket_ctx *ctx, int32_t socket_id) rte_exit(EXIT_FAILURE, "Outbound IPv6 SP DB for socket %u " "already initialized\n", socket_id); + if (check_spi_value(1) < 0) + rte_exit(EXIT_FAILURE, + "Inbound IPv6 SP DB has unmatched in SAD SPIs\n"); + + if (check_spi_value(0) < 0) + rte_exit(EXIT_FAILURE, + "Outbound IPv6 SP DB has unmatched in SAD SPIs\n"); + if (nb_acl6_rules_in > 0) { name = "sp_ip6_in"; ctx->sp_ip6_in = (struct sp_ctx *)acl6_init(name, |