authorChenmin Sun <chenmin.sun@intel.com>2020-06-22 18:21:31 +0800
committerDamjan Marion <dmarion@me.com>2020-06-27 10:18:05 +0000
commitd4c3666b9aef1050796677320460dee2df44a830 (patch)
tree4ca4806b9ed8bfbae58d0278270c23ad402d1a40
parentb5ca55962d3a9e10068b153cc863fed421871fff (diff)
flow: add IPSec ESP/AH flow
This patch adds support for the IPSec ESP/AH flow types.
Tested on E810 with the Intel iAVF driver.

Type: feature

Signed-off-by: Chenmin Sun <chenmin.sun@intel.com>
Change-Id: I6ab8e69f67c423cc4e33f3c363881a97cdb98c30
-rw-r--r--src/plugins/dpdk/device/flow.c71
-rw-r--r--src/vnet/flow/flow.h14
-rw-r--r--src/vnet/flow/flow_cli.c30
3 files changed, 114 insertions, 1 deletions
diff --git a/src/plugins/dpdk/device/flow.c b/src/plugins/dpdk/device/flow.c
index 59dd14df97f..674f2f50e64 100644
--- a/src/plugins/dpdk/device/flow.c
+++ b/src/plugins/dpdk/device/flow.c
@@ -118,6 +118,8 @@ dpdk_flow_add (dpdk_device_t * xd, vnet_flow_t * f, dpdk_flow_entry_t * fe)
struct rte_flow_item_tcp tcp[2] = { };
struct rte_flow_item_gtp gtp[2] = { };
struct rte_flow_item_l2tpv3oip l2tp[2] = { };
+ struct rte_flow_item_esp esp[2] = { };
+ struct rte_flow_item_ah ah[2] = { };
struct rte_flow_action_mark mark = { 0 };
struct rte_flow_action_queue queue = { 0 };
struct rte_flow_action_rss rss = { 0 };
@@ -219,6 +221,48 @@ dpdk_flow_add (dpdk_device_t * xd, vnet_flow_t * f, dpdk_flow_entry_t * fe)
}
protocol = l2tp->protocol;
}
+ if (f->type == VNET_FLOW_TYPE_IP4_IPSEC_ESP)
+ {
+ vnet_flow_ip4_ipsec_esp_t *tesp = &f->ip4_ipsec_esp;
+ item->type = RTE_FLOW_ITEM_TYPE_IPV4;
+
+ if (!tesp->src_addr.mask.as_u32 && !tesp->dst_addr.mask.as_u32)
+ {
+ item->spec = NULL;
+ item->mask = NULL;
+ }
+ else
+ {
+ ip4[0].hdr.src_addr = tesp->src_addr.addr.as_u32;
+ ip4[1].hdr.src_addr = tesp->src_addr.mask.as_u32;
+ ip4[0].hdr.dst_addr = tesp->dst_addr.addr.as_u32;
+ ip4[1].hdr.dst_addr = tesp->dst_addr.mask.as_u32;
+ item->spec = ip4;
+ item->mask = ip4 + 1;
+ }
+ protocol = tesp->protocol;
+ }
+ else if (f->type == VNET_FLOW_TYPE_IP4_IPSEC_AH)
+ {
+ vnet_flow_ip4_ipsec_ah_t *tah = &f->ip4_ipsec_ah;
+ item->type = RTE_FLOW_ITEM_TYPE_IPV4;
+
+ if (!tah->src_addr.mask.as_u32 && !tah->dst_addr.mask.as_u32)
+ {
+ item->spec = NULL;
+ item->mask = NULL;
+ }
+ else
+ {
+ ip4[0].hdr.src_addr = tah->src_addr.addr.as_u32;
+ ip4[1].hdr.src_addr = tah->src_addr.mask.as_u32;
+ ip4[0].hdr.dst_addr = tah->dst_addr.addr.as_u32;
+ ip4[1].hdr.dst_addr = tah->dst_addr.mask.as_u32;
+ item->spec = ip4;
+ item->mask = ip4 + 1;
+ }
+ protocol = tah->protocol;
+ }
else if ((f->type == VNET_FLOW_TYPE_IP6_N_TUPLE) ||
(f->type == VNET_FLOW_TYPE_IP6_GTPC) ||
(f->type == VNET_FLOW_TYPE_IP6_GTPU) ||
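Review bot: The new ESP branch opens with a plain `if` directly after the closing brace of the block that ends in `protocol = l2tp->protocol;`, while the AH branch and the IP6 branch below it continue as `else if`. If that preceding block was the head of this same chain (its condition is outside the hunk), an L2TPV3OIP flow now also runs through the new chain and reaches whatever its final `else` does, which can overwrite `item` and `protocol` with values read from a different flow member. The first added line should read `else if (f->type == VNET_FLOW_TYPE_IP4_IPSEC_ESP)`. The ESP and AH bodies are also identical apart from the member they read, so a small static helper taking the two address/mask pairs would remove the duplication.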
@@ -344,6 +388,30 @@ dpdk_flow_add (dpdk_device_t * xd, vnet_flow_t * f, dpdk_flow_entry_t * fe)
item->mask = tcp + 1;
}
}
+ else if (protocol == IP_PROTOCOL_IPSEC_ESP)
+ {
+ vec_add2 (items, item, 1);
+ item->type = RTE_FLOW_ITEM_TYPE_ESP;
+
+ vnet_flow_ip4_ipsec_esp_t *tesp = &f->ip4_ipsec_esp;
+ esp[0].hdr.spi = clib_host_to_net_u32 (tesp->spi);
+ esp[1].hdr.spi = ~0;
+
+ item->spec = esp;
+ item->mask = esp + 1;
+ }
+ else if (protocol == IP_PROTOCOL_IPSEC_AH)
+ {
+ vec_add2 (items, item, 1);
+ item->type = RTE_FLOW_ITEM_TYPE_AH;
+
+ vnet_flow_ip4_ipsec_ah_t *tah = &f->ip4_ipsec_ah;
+ ah[0].spi = clib_host_to_net_u32 (tah->spi);
+ ah[1].spi = ~0;
+
+ item->spec = ah;
+ item->mask = ah + 1;
+ }
else if (protocol == IP_PROTOCOL_RESERVED)
{
rv = VNET_FLOW_ERROR_NOT_SUPPORTED;
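Review bot: The ESP and AH items are selected on `protocol` alone but read `f->ip4_ipsec_esp` / `f->ip4_ipsec_ah` without checking `f->type`, whereas the IPv4 item earlier in dpdk_flow_add is selected on `f->type`. The two can disagree: a flow of another type whose protocol is ESP or AH would presumably have `spi` read from a member the caller never filled in, and an IP4_IPSEC_ESP flow carrying a different protocol value gets no SPI item at all, so the installed rule matches more traffic than was requested. Guarding each branch, e.g. `else if (f->type == VNET_FLOW_TYPE_IP4_IPSEC_ESP && protocol == IP_PROTOCOL_IPSEC_ESP)`, and returning `VNET_FLOW_ERROR_NOT_SUPPORTED` on a mismatch would make the contract explicit. The chain these branches sit in starts and ends outside the hunk.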
@@ -363,6 +431,7 @@ dpdk_flow_add (dpdk_device_t * xd, vnet_flow_t * f, dpdk_flow_entry_t * fe)
item->spec = l2tp;
item->mask = l2tp + 1;
}
+
if (f->type == VNET_FLOW_TYPE_IP4_VXLAN)
{
u32 vni = f->ip4_vxlan.vni;
@@ -768,6 +837,8 @@ dpdk_flow_ops_fn (vnet_main_t * vnm, vnet_flow_dev_op_t op, u32 dev_instance,
case VNET_FLOW_TYPE_IP6_GTPU_IP4:
case VNET_FLOW_TYPE_IP6_GTPU_IP6:
case VNET_FLOW_TYPE_IP4_L2TPV3OIP:
+ case VNET_FLOW_TYPE_IP4_IPSEC_ESP:
+ case VNET_FLOW_TYPE_IP4_IPSEC_AH:
if ((rv = dpdk_flow_add (xd, flow, fe)))
goto done;
break;
diff --git a/src/vnet/flow/flow.h b/src/vnet/flow/flow.h
index a880b8a69be..b5ec7ccd142 100644
--- a/src/vnet/flow/flow.h
+++ b/src/vnet/flow/flow.h
@@ -33,6 +33,8 @@
_(IP6_N_TUPLE_TAGGED, ip6_n_tuple_tagged, "ipv6-n-tuple-tagged") \
/* IP tunnel flow */ \
_(IP4_L2TPV3OIP, ip4_l2tpv3oip, "ipv4-l2tpv3oip") \
+ _(IP4_IPSEC_ESP, ip4_ipsec_esp, "ipv4-ipsec-esp") \
+ _(IP4_IPSEC_AH, ip4_ipsec_ah, "ipv4-ipsec-ah") \
/* L4 tunnel flow*/ \
_(IP4_VXLAN, ip4_vxlan, "ipv4-vxlan") \
_(IP6_VXLAN, ip6_vxlan, "ipv6-vxlan") \
@@ -82,6 +84,18 @@
_fe(ip_protocol_t, protocol) \
_fe(u32, session_id)
+#define foreach_flow_entry_ip4_ipsec_esp \
+ _fe(ip4_address_and_mask_t, src_addr) \
+ _fe(ip4_address_and_mask_t, dst_addr) \
+ _fe(ip_protocol_t, protocol) \
+ _fe(u32, spi)
+
+#define foreach_flow_entry_ip4_ipsec_ah \
+ _fe(ip4_address_and_mask_t, src_addr) \
+ _fe(ip4_address_and_mask_t, dst_addr) \
+ _fe(ip_protocol_t, protocol) \
+ _fe(u32, spi)
+
#define foreach_flow_entry_ip4_vxlan \
_fe(ip4_address_t, src_addr) \
_fe(ip4_address_t, dst_addr) \
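Review bot: The `spi` field in `foreach_flow_entry_ip4_ipsec_esp` and `foreach_flow_entry_ip4_ipsec_ah` has no stated byte order, and callers filling a flow through the API have to read the driver to find out. The DPDK code in this commit passes it through `clib_host_to_net_u32`, so host order is evidently expected. A comment above the two defines such as `/* spi is in host byte order; the driver converts it to network order */` would document that, and could also note that the driver always matches the SPI with a full mask.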
diff --git a/src/vnet/flow/flow_cli.c b/src/vnet/flow/flow_cli.c
index 364b475dc3e..98007a7723e 100644
--- a/src/vnet/flow/flow_cli.c
+++ b/src/vnet/flow/flow_cli.c
@@ -276,11 +276,12 @@ test_flow (vlib_main_t * vm, unformat_input_t * input,
} action = FLOW_UNKNOWN_ACTION;
u32 hw_if_index = ~0, flow_index = ~0;
int rv;
- u32 prot = 0, teid = 0, session_id = 0;
+ u32 prot = 0, teid = 0, session_id = 0, spi = 0;
vnet_flow_type_t type = VNET_FLOW_TYPE_IP4_N_TUPLE;
bool is_gtpc_set = false;
bool is_gtpu_set = false;
bool is_l2tpv3oip_set = false;
+ bool is_ipsec_esp_set = false, is_ipsec_ah_set = false;
vnet_flow_type_t outer_type = VNET_FLOW_TYPE_UNKNOWN;
vnet_flow_type_t inner_type = VNET_FLOW_TYPE_UNKNOWN;
bool outer_ip4_set = false, inner_ip4_set = false;
@@ -363,6 +364,13 @@ test_flow (vlib_main_t * vm, unformat_input_t * input,
if (prot == IP_PROTOCOL_L2TP)
is_l2tpv3oip_set = true;
}
+ else if (unformat (line_input, "spi %u", &spi))
+ {
+ if (prot == IP_PROTOCOL_IPSEC_ESP)
+ is_ipsec_esp_set = true;
+ else if (prot == IP_PROTOCOL_IPSEC_AH)
+ is_ipsec_ah_set = true;
+ }
else if (unformat (line_input, "index %u", &flow_index))
;
else if (unformat (line_input, "next-node %U", unformat_vlib_node, vm,
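Review bot: The `spi %u` branch sets `is_ipsec_esp_set` / `is_ipsec_ah_set` only when `prot` already holds ESP or AH at the moment `spi` is parsed, so the outcome depends on argument order. With `spi` given before the protocol keyword neither flag is set, the flow presumably keeps its default type, and the SPI is dropped without any error. Recording only that an SPI was supplied (`is_spi_set = true;`) and choosing the type after the parse loop, where `prot` is final, removes the ordering dependency. An SPI combined with any other protocol should then produce a CLI error rather than a rule that silently ignores it. The `session_id` context lines above follow the same pattern, and test_flow's parse loop starts and ends outside the hunk.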
@@ -489,6 +497,10 @@ test_flow (vlib_main_t * vm, unformat_input_t * input,
type = VNET_FLOW_TYPE_IP4_GTPU;
else if (is_l2tpv3oip_set)
type = VNET_FLOW_TYPE_IP4_L2TPV3OIP;
+ else if (is_ipsec_esp_set)
+ type = VNET_FLOW_TYPE_IP4_IPSEC_ESP;
+ else if (is_ipsec_ah_set)
+ type = VNET_FLOW_TYPE_IP4_IPSEC_AH;
}
else if (inner_type == VNET_FLOW_TYPE_IP4_N_TUPLE)
{
@@ -539,6 +551,22 @@ test_flow (vlib_main_t * vm, unformat_input_t * input,
flow.ip4_l2tpv3oip.protocol = prot;
flow.ip4_l2tpv3oip.session_id = session_id;
break;
+ case VNET_FLOW_TYPE_IP4_IPSEC_ESP:
+ clib_memcpy (&flow.ip4_ipsec_esp.src_addr, &ip4s,
+ sizeof (ip4_address_and_mask_t));
+ clib_memcpy (&flow.ip4_ipsec_esp.dst_addr, &ip4d,
+ sizeof (ip4_address_and_mask_t));
+ flow.ip4_ipsec_esp.protocol = prot;
+ flow.ip4_ipsec_esp.spi = spi;
+ break;
+ case VNET_FLOW_TYPE_IP4_IPSEC_AH:
+ clib_memcpy (&flow.ip4_ipsec_ah.src_addr, &ip4s,
+ sizeof (ip4_address_and_mask_t));
+ clib_memcpy (&flow.ip4_ipsec_ah.dst_addr, &ip4d,
+ sizeof (ip4_address_and_mask_t));
+ flow.ip4_ipsec_ah.protocol = prot;
+ flow.ip4_ipsec_ah.spi = spi;
+ break;
case VNET_FLOW_TYPE_IP4_N_TUPLE:
case VNET_FLOW_TYPE_IP4_GTPC:
case VNET_FLOW_TYPE_IP4_GTPU: