diff options
| author |   Neale Ranns <nranns@cisco.com> | 2020-01-02 04:06:10 +0000 |
|---|---|---|
| committer |   Ole Tr�an <otroan@employees.org> | 2020-11-02 08:49:08 +0000 |
| commit | 041add7d12217494934b651e4e38b5eab5216ddc (patch) | |
| tree | 42f6ed8c3e4477b7c7cf93b19f227e4fc0afb4cb /src/vnet/ipsec/esp_encrypt.c | |
| parent | 62877029aac3e05a1e1db579aeaad42bca5a70a4 (diff) | |
ipsec: Tunnel SA DSCP behaviour
Type: feature
- use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc
during IPSEC tunnel mode encap.
- use DSCP value to have fixed encap value.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f
Diffstat (limited to 'src/vnet/ipsec/esp_encrypt.c')
| -rw-r--r-- | src/vnet/ipsec/esp_encrypt.c | 39 |
1 files changed, 33 insertions, 6 deletions
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index f5461684166..ed49cdc97eb 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -24,6 +24,7 @@ #include <vnet/ipsec/ipsec.h> #include <vnet/ipsec/ipsec_tun.h> #include <vnet/ipsec/esp.h> +#include <vnet/tunnel/tunnel_dp.h> #define foreach_esp_encrypt_next \ _(DROP4, "ip4-drop") \ @@ -743,9 +744,22 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, u16 len = sizeof (ip6_header_t); hdr_len += len; ip6 = (ip6_header_t *) (payload - hdr_len); - clib_memcpy_fast (ip6, &sa0->ip6_hdr, len); - *next_hdr_ptr = (is_ip6 ? - IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP); + clib_memcpy_fast (ip6, &sa0->ip6_hdr, sizeof (ip6_header_t)); + + if (is_ip6) + { + *next_hdr_ptr = IP_PROTOCOL_IPV6; + tunnel_encap_fixup_6o6 (sa0->tunnel_flags, + (const ip6_header_t *) payload, + ip6); + } + else + { + *next_hdr_ptr = IP_PROTOCOL_IP_IN_IP; + tunnel_encap_fixup_4o6 (sa0->tunnel_flags, + (const ip4_header_t *) payload, + ip6); + } len = payload_len_total + hdr_len - len; ip6->payload_length = clib_net_to_host_u16 (len); } @@ -755,9 +769,22 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, u16 len = sizeof (ip4_header_t); hdr_len += len; ip4 = (ip4_header_t *) (payload - hdr_len); - clib_memcpy_fast (ip4, &sa0->ip4_hdr, len); - *next_hdr_ptr = (is_ip6 ? - IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP); + clib_memcpy_fast (ip4, &sa0->ip4_hdr, sizeof (ip4_header_t)); + + if (is_ip6) + { + *next_hdr_ptr = IP_PROTOCOL_IPV6; + tunnel_encap_fixup_6o4_w_chksum (sa0->tunnel_flags, + (const ip6_header_t *) + payload, ip4); + } + else + { + *next_hdr_ptr = IP_PROTOCOL_IP_IN_IP; + tunnel_encap_fixup_4o4_w_chksum (sa0->tunnel_flags, + (const ip4_header_t *) + payload, ip4); + } len = payload_len_total + hdr_len; esp_update_ip4_hdr (ip4, len, /* is_transport */ 0, 0); } |