diff options
author | Matthew G Smith <mgsmith@netgate.com> | 2019-08-06 08:43:50 -0500 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2019-08-15 10:15:32 +0000 |
commit | 5025d40a1134272ab57c3c3f10311e31a65cd63c (patch) | |
tree | f747e725d22e75295a1c946d0975dad1c01c8c23 | |
parent | 531969ef614bdc15c45dae0f1b5e90afaf86eb7b (diff) |
dpdk: ipsec tunnel support for ip6-in-ip4
Type: feature
If an attempt was made to send an IPv6 packet over an IPv4 tunnel,
the DPDK esp_encrypt did not complete setting up
the crypto operation for a buffer, but still queued the crypto
operations that were allocated. This results in a SEGV when
attempting to dequeue them in dpdk-crypto-input.
Allow IPv6 packets to be sent over a v4 tunnel when using the DPDK
plugin esp crypto nodes.
Change-Id: Ic9a4cd69b7fc06a17ab2f64ae806ec2ceacfef27
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
-rw-r--r-- | src/plugins/dpdk/ipsec/esp_decrypt.c | 3 | ||||
-rw-r--r-- | src/plugins/dpdk/ipsec/esp_encrypt.c | 30 |
2 files changed, 10 insertions, 23 deletions
diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c index a82f63e6e5b..afbab963009 100644 --- a/src/plugins/dpdk/ipsec/esp_decrypt.c +++ b/src/plugins/dpdk/ipsec/esp_decrypt.c @@ -587,8 +587,7 @@ dpdk_esp_decrypt_post_inline (vlib_main_t * vm, { if (f0->next_header == IP_PROTOCOL_IP_IN_IP) next0 = ESP_DECRYPT_NEXT_IP4_INPUT; - else if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa0) - && f0->next_header == IP_PROTOCOL_IPV6) + else if (f0->next_header == IP_PROTOCOL_IPV6) next0 = ESP_DECRYPT_NEXT_IP6_INPUT; else { diff --git a/src/plugins/dpdk/ipsec/esp_encrypt.c b/src/plugins/dpdk/ipsec/esp_encrypt.c index af0e4b6211b..5fa84fbf31a 100644 --- a/src/plugins/dpdk/ipsec/esp_encrypt.c +++ b/src/plugins/dpdk/ipsec/esp_encrypt.c @@ -333,7 +333,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm, if (ipsec_sa_is_set_IS_TUNNEL (sa0)) { rewrite_len = 0; - if (!is_ip6 && !ipsec_sa_is_set_IS_TUNNEL_V6 (sa0)) /* ip4inip4 */ + if (!ipsec_sa_is_set_IS_TUNNEL_V6 (sa0)) /* ip4 */ { /* in tunnel mode send it back to FIB */ priv->next = DPDK_CRYPTO_INPUT_NEXT_IP4_LOOKUP; @@ -342,7 +342,8 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm, vlib_buffer_advance (b0, -adv); oh0 = vlib_buffer_get_current (b0); ouh0 = vlib_buffer_get_current (b0); - next_hdr_type = IP_PROTOCOL_IP_IN_IP; + next_hdr_type = (is_ip6 ? + IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP); /* * oh0->ip4.ip_version_and_header_length = 0x45; * oh0->ip4.tos = ih0->ip4.tos; @@ -373,9 +374,9 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm, esp0->spi = clib_host_to_net_u32 (sa0->spi); esp0->seq = clib_host_to_net_u32 (sa0->seq); } - else if (is_ip6 && ipsec_sa_is_set_IS_TUNNEL_V6 (sa0)) + else { - /* ip6inip6 */ + /* ip6 */ /* in tunnel mode send it back to FIB */ priv->next = DPDK_CRYPTO_INPUT_NEXT_IP6_LOOKUP; @@ -385,7 +386,8 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm, ih6_0 = (ip6_and_esp_header_t *) ih0; oh6_0 = vlib_buffer_get_current (b0); - next_hdr_type = IP_PROTOCOL_IPV6; + next_hdr_type = (is_ip6 ? + IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP); oh6_0->ip6.ip_version_traffic_class_and_flow_label = ih6_0->ip6.ip_version_traffic_class_and_flow_label; @@ -404,21 +406,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm, oh6_0->esp.spi = clib_host_to_net_u32 (sa0->spi); oh6_0->esp.seq = clib_host_to_net_u32 (sa0->seq); } - else /* unsupported ip4inip6, ip6inip4 */ - { - if (is_ip6) - vlib_node_increment_counter (vm, - dpdk_esp6_encrypt_node.index, - ESP_ENCRYPT_ERROR_NOSUP, 1); - else - vlib_node_increment_counter (vm, - dpdk_esp4_encrypt_node.index, - ESP_ENCRYPT_ERROR_NOSUP, 1); - to_next[0] = bi0; - to_next += 1; - n_left_to_next -= 1; - goto trace; - } + vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; } else /* transport mode */ @@ -487,7 +475,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm, f0->pad_length = pad_bytes; f0->next_header = next_hdr_type; - if (is_ip6) + if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa0)) { u16 len = b0->current_length - sizeof (ip6_header_t); oh6_0->ip6.payload_length = |