author | Neale Ranns <nranns@cisco.com> | 2019-04-23 20:57:55 -0400 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2019-04-24 18:35:02 -0400 |
commit | 873b9ed405f291a954a8f45a0bba6b136d6ff19f (patch) | |
tree | 4c812bfdca2aeea94998ea8e0bdb726e37e74c49 /src/plugins/dpdk | |
parent | 3d18a191aaf31ef8b1524ab80fed22a304adf75d (diff) |
IPSEC; dpdk backend for tunnel interface encryption (VPP-1662)v19.04.1-rc0
Change-Id: Ide2a9df18db371c8428855d7f12f246006d7c04c
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/plugins/dpdk')
-rw-r--r-- | src/plugins/dpdk/ipsec/esp_encrypt.c | 77 | ||||
-rw-r--r-- | src/plugins/dpdk/ipsec/ipsec.c | 2 |
2 files changed, 75 insertions, 4 deletions
diff --git a/src/plugins/dpdk/ipsec/esp_encrypt.c b/src/plugins/dpdk/ipsec/esp_encrypt.c
index 908f846e315..6c3258602dd 100644
--- a/src/plugins/dpdk/ipsec/esp_encrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_encrypt.c
@@ -110,7 +110,7 @@ format_esp_encrypt_trace (u8 * s, va_list * args)
 always_inline uword
 dpdk_esp_encrypt_inline (vlib_main_t * vm,
 vlib_node_runtime_t * node,
- vlib_frame_t * from_frame, int is_ip6)
+ vlib_frame_t * from_frame, int is_ip6, int is_tun)
 {
 u32 n_left_from, *from, *to_next, next_index, thread_index;
 ipsec_main_t *im = &ipsec_main;
@@ -200,7 +200,16 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
 sizeof (op[0]) + sizeof (op[0].sym[0]) + sizeof (priv[0]);
 CLIB_PREFETCH (op, op_len, STORE);
- sa_index0 = vnet_buffer (b0)->ipsec.sad_index;
+ if (is_tun)
+ {
+ u32 tmp;
+ /* we are on a ipsec tunnel's feature arc */
+ sa_index0 = *(u32 *) vnet_feature_next_with_data (&tmp, b0,
+ sizeof
+ (sa_index0));
+ }
+ else
+ sa_index0 = vnet_buffer (b0)->ipsec.sad_index;
 if (sa_index0 != last_sa_index)
 {
@@ -576,7 +585,7 @@ VLIB_NODE_FN (dpdk_esp4_encrypt_node) (vlib_main_t * vm,
 vlib_node_runtime_t * node,
 vlib_frame_t * from_frame)
 {
- return dpdk_esp_encrypt_inline (vm, node, from_frame, 0 /*is_ip6 */ );
+ return dpdk_esp_encrypt_inline (vm, node, from_frame, 0 /*is_ip6 */ , 0);
 }
 /* *INDENT-OFF* */
@@ -599,7 +608,7 @@ VLIB_NODE_FN (dpdk_esp6_encrypt_node) (vlib_main_t * vm,
 vlib_node_runtime_t * node,
 vlib_frame_t * from_frame)
 {
- return dpdk_esp_encrypt_inline (vm, node, from_frame, 1 /*is_ip6 */ );
+ return dpdk_esp_encrypt_inline (vm, node, from_frame, 1 /*is_ip6 */ , 0);
 }
 /* *INDENT-OFF* */
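Review bot: In the `is_tun` branch of `dpdk_esp_encrypt_inline` (second hunk), `sa_index0` is loaded by dereferencing the pointer returned from `vnet_feature_next_with_data`, and nothing in the hunk range-checks it before it is compared with `last_sa_index`. The function body continues outside the hunk, so whether the SA lookup that follows validates the index is not visible here. If it does not, a guard such as `if (PREDICT_FALSE (pool_is_free_index (im->sad, sa_index0)))` that sends the buffer to the drop next would make a stale or mis-sized feature config fail closed instead of selecting an unintended SA. The comment could also state that the arc's next index is discarded on purpose, e.g. `/* ipsec tunnel feature arc: config data is the SA index; the arc's next index (tmp) is intentionally unused */`.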
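Review bot: The new trailing argument in `dpdk_esp4_encrypt_node` is passed as a bare `0`, right after an argument that carries its name in a comment. Writing the call as `0 /* is_ip6 */ , 0 /* is_tun */` keeps it self-describing. The same applies to `dpdk_esp6_encrypt_node` in the next hunk and to the two `..._tun_node` functions added further down, which pass a bare `1`.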
@@ -618,6 +627,66 @@ VLIB_REGISTER_NODE (dpdk_esp6_encrypt_node) = {
 };
 /* *INDENT-ON* */
+VLIB_NODE_FN (dpdk_esp4_encrypt_tun_node) (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * from_frame)
+{
+ return dpdk_esp_encrypt_inline (vm, node, from_frame, 0 /*is_ip6 */ , 1);
+}
+
+/* *INDENT-OFF* */
+VLIB_REGISTER_NODE (dpdk_esp4_encrypt_tun_node) = {
+ .name = "dpdk-esp4-encrypt-tun",
+ .flags = VLIB_NODE_FLAG_IS_OUTPUT,
+ .vector_size = sizeof (u32),
+ .format_trace = format_esp_encrypt_trace,
+ .n_errors = ARRAY_LEN (esp_encrypt_error_strings),
+ .error_strings = esp_encrypt_error_strings,
+ .n_next_nodes = 1,
+ .next_nodes =
+ {
+ [ESP_ENCRYPT_NEXT_DROP] = "error-drop",
+ }
+};
+
+VNET_FEATURE_INIT (dpdk_esp4_encrypt_tun_feat_node, static) =
+{
+ .arc_name = "ip4-output",
+ .node_name = "dpdk-esp4-encrypt-tun",
+ .runs_before = VNET_FEATURES ("adj-midchain-tx"),
+};
+/* *INDENT-ON* */
+
+VLIB_NODE_FN (dpdk_esp6_encrypt_tun_node) (vlib_main_t * vm,
+ vlib_node_runtime_t * node,
+ vlib_frame_t * from_frame)
+{
+ return dpdk_esp_encrypt_inline (vm, node, from_frame, 1 /*is_ip6 */ , 1);
+}
+
+/* *INDENT-OFF* */
+VLIB_REGISTER_NODE (dpdk_esp6_encrypt_tun_node) = {
+ .name = "dpdk-esp6-encrypt-tun",
+ .flags = VLIB_NODE_FLAG_IS_OUTPUT,
+ .vector_size = sizeof (u32),
+ .format_trace = format_esp_encrypt_trace,
+ .n_errors = ARRAY_LEN (esp_encrypt_error_strings),
+ .error_strings = esp_encrypt_error_strings,
+ .n_next_nodes = 1,
+ .next_nodes =
+ {
+ [ESP_ENCRYPT_NEXT_DROP] = "error-drop",
+ }
+};
+
+VNET_FEATURE_INIT (dpdk_esp6_encrypt_tun_feat_node, static) =
+{
+ .arc_name = "ip6-output",
+ .node_name = "dpdk-esp6-encrypt-tun",
+ .runs_before = VNET_FEATURES ("adj-midchain-tx"),
+};
+/* *INDENT-ON* */
+
 /*
 * fd.io coding-style-patch-verification: ON
 *
diff --git a/src/plugins/dpdk/ipsec/ipsec.c b/src/plugins/dpdk/ipsec/ipsec.c
index 682bcaf21c8..88fd75dcf1a 100644
--- a/src/plugins/dpdk/ipsec/ipsec.c
+++ b/src/plugins/dpdk/ipsec/ipsec.c
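Review bot: Neither `VNET_FEATURE_INIT` block in the esp_encrypt.c hunk above records the contract these nodes rely on. With `is_tun` set, `dpdk_esp_encrypt_inline` unconditionally reads a `u32` of feature config data as the SA index. Both features sit on the shared `ip4-output`/`ip6-output` arcs, so enabling one without that config data would presumably make the node read unrelated bytes as an SA index. A comment above each registration would make the precondition visible, for example `/* must be enabled with a u32 SA index as feature config; the node reads it unconditionally */`. The code that enables these features is outside this diff, which is limited to src/plugins/dpdk, so how the config is supplied cannot be confirmed from here.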
@@ -1069,8 +1069,10 @@ dpdk_ipsec_process (vlib_main_t * vm, vlib_node_runtime_t * rt,
 u32 idx = ipsec_register_esp_backend (vm, im, "dpdk backend",
 "dpdk-esp4-encrypt",
+ "dpdk-esp4-encrypt-tun",
 "dpdk-esp4-decrypt",
 "dpdk-esp6-encrypt",
+ "dpdk-esp6-encrypt-tun",
 "dpdk-esp6-decrypt",
 dpdk_ipsec_check_support,
 add_del_sa_session); |