authorMatthew G Smith <mgsmith@netgate.com>2019-08-06 08:43:50 -0500
committerNeale Ranns <nranns@cisco.com>2019-08-15 10:15:32 +0000
commit5025d40a1134272ab57c3c3f10311e31a65cd63c (patch)
treef747e725d22e75295a1c946d0975dad1c01c8c23
parent531969ef614bdc15c45dae0f1b5e90afaf86eb7b (diff)
dpdk: ipsec tunnel support for ip6-in-ip4
Type: feature If an attempt was made to send an IPv6 packet over an IPv4 tunnel, the DPDK esp_encrypt did not complete setting up the crypto operation for a buffer, but still queued the crypto operations that were allocated. This results in a SEGV when attempting to dequeue them in dpdk-crypto-input. Allow IPv6 packets to be sent over a v4 tunnel when using the DPDK plugin esp crypto nodes. Change-Id: Ic9a4cd69b7fc06a17ab2f64ae806ec2ceacfef27 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
-rw-r--r--src/plugins/dpdk/ipsec/esp_decrypt.c3
-rw-r--r--src/plugins/dpdk/ipsec/esp_encrypt.c30
2 files changed, 10 insertions, 23 deletions
diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c
index a82f63e6e5b..afbab963009 100644
--- a/src/plugins/dpdk/ipsec/esp_decrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_decrypt.c
@@ -587,8 +587,7 @@ dpdk_esp_decrypt_post_inline (vlib_main_t * vm,
{
if (f0->next_header == IP_PROTOCOL_IP_IN_IP)
next0 = ESP_DECRYPT_NEXT_IP4_INPUT;
- else if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa0)
- && f0->next_header == IP_PROTOCOL_IPV6)
+ else if (f0->next_header == IP_PROTOCOL_IPV6)
next0 = ESP_DECRYPT_NEXT_IP6_INPUT;
else
{
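Review bot: The IPv6 branch now depends only on `f0->next_header`, a value read from the decrypted ESP trailer, so it deserves a comment saying that the inner family is deliberately independent of the SA's outer tunnel family, e.g. `/* inner family comes from the ESP next-header; the outer tunnel family does not constrain it */`. The condition guarding this block starts outside the hunk, so it is not visible here whether the branch is limited to tunnel-mode SAs. That is worth confirming, because the removed flag test was the only SA-derived check on the visible lines.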
diff --git a/src/plugins/dpdk/ipsec/esp_encrypt.c b/src/plugins/dpdk/ipsec/esp_encrypt.c
index af0e4b6211b..5fa84fbf31a 100644
--- a/src/plugins/dpdk/ipsec/esp_encrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_encrypt.c
@@ -333,7 +333,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
if (ipsec_sa_is_set_IS_TUNNEL (sa0))
{
rewrite_len = 0;
- if (!is_ip6 && !ipsec_sa_is_set_IS_TUNNEL_V6 (sa0)) /* ip4inip4 */
+ if (!ipsec_sa_is_set_IS_TUNNEL_V6 (sa0)) /* ip4 */
{
/* in tunnel mode send it back to FIB */
priv->next = DPDK_CRYPTO_INPUT_NEXT_IP4_LOOKUP;
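Review bot: The shortened comment `/* ip4 */` on the new condition no longer says which header it refers to. Since the branch is now selected by the SA's tunnel family alone, something like `/* outer ip4; inner is ip4 or ip6 per is_ip6 */` would make that explicit. The same applies to the `/* ip6 */` comment in the later hunk that turns the `else if` into a plain `else`. The bodies of both branches continue outside their hunks.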
@@ -342,7 +342,8 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
vlib_buffer_advance (b0, -adv);
oh0 = vlib_buffer_get_current (b0);
ouh0 = vlib_buffer_get_current (b0);
- next_hdr_type = IP_PROTOCOL_IP_IN_IP;
+ next_hdr_type = (is_ip6 ?
+ IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP);
/*
* oh0->ip4.ip_version_and_header_length = 0x45;
* oh0->ip4.tos = ih0->ip4.tos;
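Review bot: The commented-out field list kept under the new `next_hdr_type` assignment still shows `oh0->ip4.tos = ih0->ip4.tos`, which only describes an IPv4 inner packet; with `is_ip6` set, `ih0` points at an IPv6 header and those bytes are the version and traffic class. The statements that actually fill the outer IPv4 header are outside the hunk, so they should be checked for reads through `ih0->ip4` on the IPv6 path, and the comment updated to say where TOS comes from in that case. Separately, the same ternary is repeated in the v6 branch; computing `next_hdr_type` once before the tunnel-family test would keep the two in step.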
@@ -373,9 +374,9 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
esp0->spi = clib_host_to_net_u32 (sa0->spi);
esp0->seq = clib_host_to_net_u32 (sa0->seq);
}
- else if (is_ip6 && ipsec_sa_is_set_IS_TUNNEL_V6 (sa0))
+ else
{
- /* ip6inip6 */
+ /* ip6 */
/* in tunnel mode send it back to FIB */
priv->next = DPDK_CRYPTO_INPUT_NEXT_IP6_LOOKUP;
@@ -385,7 +386,8 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
ih6_0 = (ip6_and_esp_header_t *) ih0;
oh6_0 = vlib_buffer_get_current (b0);
- next_hdr_type = IP_PROTOCOL_IPV6;
+ next_hdr_type = (is_ip6 ?
+ IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP);
oh6_0->ip6.ip_version_traffic_class_and_flow_label =
ih6_0->ip6.ip_version_traffic_class_and_flow_label;
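Review bot: With the preceding hunk turning this branch into a plain `else`, an IPv4 packet on a v6 tunnel SA now reaches the `ih6_0 = (ip6_and_esp_header_t *) ih0` cast. The copy of `ip_version_traffic_class_and_flow_label` on the following lines would then take its bits from the first word of an IPv4 header, leaving version 4 in the outer IPv6 header. The commit message covers only IPv6 over an IPv4 tunnel, and the removed NOSUP branch previously kept this combination out. Either keep rejecting `!is_ip6` here, or build the field explicitly for that case, e.g. `oh6_0->ip6.ip_version_traffic_class_and_flow_label = is_ip6 ? ih6_0->ip6.ip_version_traffic_class_and_flow_label : clib_host_to_net_u32 (0x6 << 28);`. The rest of the outer header setup lies outside the hunk and may need the same treatment.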
@@ -404,21 +406,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
oh6_0->esp.spi = clib_host_to_net_u32 (sa0->spi);
oh6_0->esp.seq = clib_host_to_net_u32 (sa0->seq);
}
- else /* unsupported ip4inip6, ip6inip4 */
- {
- if (is_ip6)
- vlib_node_increment_counter (vm,
- dpdk_esp6_encrypt_node.index,
- ESP_ENCRYPT_ERROR_NOSUP, 1);
- else
- vlib_node_increment_counter (vm,
- dpdk_esp4_encrypt_node.index,
- ESP_ENCRYPT_ERROR_NOSUP, 1);
- to_next[0] = bi0;
- to_next += 1;
- n_left_to_next -= 1;
- goto trace;
- }
+
vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
}
else /* transport mode */
@@ -487,7 +475,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
f0->pad_length = pad_bytes;
f0->next_header = next_hdr_type;
- if (is_ip6)
+ if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa0))
{
u16 len = b0->current_length - sizeof (ip6_header_t);
oh6_0->ip6.payload_length =
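Review bot: Switching this test from `is_ip6` to `ipsec_sa_is_set_IS_TUNNEL_V6 (sa0)` is right for tunnel mode, but this length fix-up appears to sit after the tunnel/transport split and so also runs for transport-mode packets, where the outer header family is that of the packet itself. If the TUNNEL_V6 flag is only set on tunnel SAs (not visible here), an IPv6 transport-mode packet would skip the `oh6_0->ip6.payload_length` update and fall into the other branch, whose body is outside the hunk. A condition that keeps the old behaviour for transport mode would be `if (ipsec_sa_is_set_IS_TUNNEL (sa0) ? ipsec_sa_is_set_IS_TUNNEL_V6 (sa0) : is_ip6)`.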
an class="cm"> Copyright (c) 2017 Cisco and/or its affiliates. * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ /* * Note: to instantiate the template multiple times in a single file, * #undef __included_cuckoo_template_h__... */ #ifndef __included_cuckoo_common_h__ #define __included_cuckoo_common_h__ #include <vppinfra/types.h> #define CLIB_CUCKOO_OPTIMIZE_PREFETCH 1 #define CLIB_CUCKOO_OPTIMIZE_CMP_REDUCED_HASH 1 #define CLIB_CUCKOO_OPTIMIZE_UNROLL 1 #define CLIB_CUCKOO_OPTIMIZE_USE_COUNT_LIMITS_SEARCH 1 #define foreach_clib_cuckoo_error(F) \ F (CLIB_CUCKOO_ERROR_SUCCESS, 0, "success") \ F (CLIB_CUCKOO_ERROR_NOT_FOUND, -1, "object not found") \ F (CLIB_CUCKOO_ERROR_AGAIN, -2, "object busy") typedef enum { #define F(n, v, s) n = v, foreach_clib_cuckoo_error (F) #undef F } clib_cuckoo_error_e; typedef struct { uword bucket1; uword bucket2; u8 reduced_hash; } clib_cuckoo_lookup_info_t; #endif /* __included_cuckoo_common_h__ */ /** @endcond */ /* * fd.io coding-style-patch-verification: ON * * Local Variables: * eval: (c-set-style "gnu") * End: */