authorPiotr Bronowski <piotrx.bronowski@intel.com>2023-02-13 18:18:59 +0000
committerFan Zhang <fanzhang.oss@gmail.com>2023-03-20 16:38:36 +0000
commit645a588ee3a136bd68b1e89414c6b0a192df3c31 (patch)
treefe8b6bfffcd4e0b26f18cf4f75daf1e318b2e2cf
parent8a4b79778f8b3149d663face83d37fbf96e12d05 (diff)
ipsec: set fast path 5tuple ip addresses based on sa traffic selector values
Previously, even if the SA defined traffic selectors, the ESP packet's src and dst addresses were used for fast path inbound SPD matching. This patch provides a fix for that issue. Type: fix Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: Ibd3ca224b155cc9e0c6aedd0f36aff489b7af5b8
-rw-r--r--src/vnet/ipsec/ipsec_spd_policy.c39
1 files changed, 35 insertions, 4 deletions
diff --git a/src/vnet/ipsec/ipsec_spd_policy.c b/src/vnet/ipsec/ipsec_spd_policy.c
index 4a17062b80e..6a66a2de269 100644
--- a/src/vnet/ipsec/ipsec_spd_policy.c
+++ b/src/vnet/ipsec/ipsec_spd_policy.c
@@ -378,7 +378,6 @@ ipsec_fp_get_policy_ports_mask (ipsec_policy_t *policy,
}
mask->protocol = (policy->protocol == IPSEC_POLICY_PROTOCOL_ANY) ? 0 : ~0;
- mask->action = 0;
}
static_always_inline void
@@ -395,6 +394,15 @@ ipsec_fp_ip4_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask,
clib_memset_u8 (mask, 0xff, sizeof (ipsec_fp_5tuple_t));
clib_memset_u8 (&mask->l3_zero_pad, 0, sizeof (mask->l3_zero_pad));
+ if (inbound && (policy->type == IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT &&
+ policy->sa_index != INDEX_INVALID))
+ {
+ ipsec_sa_t *s = ipsec_sa_get (policy->sa_index);
+
+ if (ipsec_sa_is_set_IS_TUNNEL (s))
+ goto set_spi_mask;
+ }
+
/* find bits where start != stop */
*plmask = *pladdr_start ^ *pladdr_stop;
*prmask = *praddr_start ^ *praddr_stop;
@@ -409,6 +417,7 @@ ipsec_fp_ip4_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask,
*prmask = clib_host_to_net_u32 (
mask_out_highest_set_bit_u32 (clib_net_to_host_u32 (*prmask)));
+set_spi_mask:
if (inbound)
{
if (policy->type != IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT)
@@ -436,6 +445,15 @@ ipsec_fp_ip6_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask,
clib_memset_u8 (mask, 0xff, sizeof (ipsec_fp_5tuple_t));
+ if (inbound && (policy->type == IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT &&
+ policy->sa_index != INDEX_INVALID))
+ {
+ ipsec_sa_t *s = ipsec_sa_get (policy->sa_index);
+
+ if (ipsec_sa_is_set_IS_TUNNEL (s))
+ goto set_spi_mask;
+ }
+
*plmask = (*pladdr_start++ ^ *pladdr_stop++);
*prmask = (*praddr_start++ ^ *praddr_stop++);
@@ -468,10 +486,10 @@ ipsec_fp_ip6_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask,
}
else
*prmask = 0;
-
+set_spi_mask:
if (inbound)
{
- if (policy->type != IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT)
+ if (policy->type != IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT)
mask->spi = 0;
mask->protocol = 0;
@@ -508,7 +526,21 @@ ipsec_fp_get_policy_5tuple (ipsec_policy_t *policy, ipsec_fp_5tuple_t *tuple,
policy->sa_index != INDEX_INVALID)
{
ipsec_sa_t *s = ipsec_sa_get (policy->sa_index);
+
tuple->spi = s->spi;
+ if (ipsec_sa_is_set_IS_TUNNEL (s))
+ {
+ if (tuple->is_ipv6)
+ {
+ tuple->ip6_laddr = s->tunnel.t_dst.ip.ip6;
+ tuple->ip6_raddr = s->tunnel.t_src.ip.ip6;
+ }
+ else
+ {
+ tuple->laddr = s->tunnel.t_dst.ip.ip4;
+ tuple->raddr = s->tunnel.t_src.ip.ip4;
+ }
+ }
}
else
tuple->spi = INDEX_INVALID;
@@ -517,7 +549,6 @@ ipsec_fp_get_policy_5tuple (ipsec_policy_t *policy, ipsec_fp_5tuple_t *tuple,
}
tuple->protocol = policy->protocol;
-
tuple->lport = policy->lport.start;
tuple->rport = policy->rport.start;
}
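Review bot: The tunnel branch added to ipsec_fp_get_policy_5tuple selects `s->tunnel.t_dst.ip.ip6`/`.ip4` on `tuple->is_ipv6` alone, i.e. on the policy's address family rather than the SA's, so a policy whose family differs from its SA's tunnel family would copy the wrong union member into the match key; the branch should also check the SA's tunnel address family (VPP records it as a separate IS_TUNNEL_V6 SA flag, if that is still current) or at least document why the two are assumed to agree. The enclosing `if` begins outside this hunk, so it is not visible here whether `inbound` gates the override the way it gates the matching `goto set_spi_mask` in ipsec_fp_ip4_get_policy_mask and ipsec_fp_ip6_get_policy_mask; the two must stay in step, because the mask functions skip the `*plmask`/`*prmask` computation and keep the all-ones value from `clib_memset_u8` only on the inbound-protect-tunnel path, and an override applied under a different condition would pair SA endpoints with selector-derived masks. That skip-to-keep-all-ones behaviour is non-obvious and deserves a comment at the `goto` in both mask functions, e.g. `/* tunnel SA: keep the all-ones address masks so inbound matching is an exact match on the SA's tunnel endpoints */`. The identical SA-lookup-and-tunnel checks in the two mask functions could also be shared through one small static helper.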