authorNeale Ranns <neale@graphiant.com>2022-01-10 10:38:43 +0000
committerMatthew Smith <mgsmith@netgate.com>2022-01-17 19:55:13 +0000
commit49378f206b8e780a898e632f7dd8db912b9b118e (patch)
tree35c6629f14b753878251fe92d5afcdd9c837554b /src/vnet/ipsec
parent88a9c0e02ab919cadd4e035133995a6afb4d1c32 (diff)
ipsec: IPSec interface correct drop w/ no protection
Type: improvement When an IPSec interface is first constructed, the end node of the feature arc is not changed, which means it is interface-output. This means that traffic directed into adjacencies on the link, that do not have protection (w/ an SA), drop like this: ... 00:00:01:111710: ip4-midchain tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:6 flags:[] stacked-on: [@1]: dpo-drop ip4 flow hash: 0x00000000 00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858 00000020: 58585858585858585858585858585858585858585858585858585858 00:00:01:111829: local0-output ipsec0 00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858 00000020: 5858585858585858585858585858585858585858585858585858585858585858 00000040: 58585858585858585858585858585858585858585858585858585858c2cf08c0 00000060: 2a2c103cd0126bd8b03c4ec20ce2bd02dd77b3e3a4f49664 00:00:01:112017: error-drop rx:pg1 00:00:01:112034: drop local0-output: interface is down although that's a drop, no packets should go to local0, and we want all IPvX packets to go through ipX-drop. This change sets the interface's end-arc node to the appropriate drop node when the interface is created, and when the last protection is removed. The resulting drop is: ... 00:00:01:111504: ip4-midchain tx_sw_if_index 4 dpo-idx 24 : ipv4 via 0.0.0.0 ipsec0: mtu:9000 next:0 flags:[] stacked-on: [@1]: dpo-drop ip4 flow hash: 0x00000000 00000000: 4500005c000100003f01cb8cac100202010101010800ecf40000000058585858 00000020: 58585858585858585858585858585858585858585858585858585858 00:00:01:111533: ip4-drop ICMP: 172.16.2.2 -> 1.1.1.1 tos 0x00, ttl 63, length 92, checksum 0xcb8c dscp CS0 ecn NON_ECN fragment id 0x0001 ICMP echo_request checksum 0xecf4 id 0 00:00:01:111620: error-drop rx:pg1 00:00:01:111640: drop null-node: blackholed packets Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: I7e7de23c541d9f1210a05e6984a688f1f821a155
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/ipsec_itf.c16
-rw-r--r--src/vnet/ipsec/ipsec_itf.h1
-rw-r--r--src/vnet/ipsec/ipsec_tun.c10
3 files changed, 19 insertions, 8 deletions
diff --git a/src/vnet/ipsec/ipsec_itf.c b/src/vnet/ipsec/ipsec_itf.c
index fc0bf85a517..f9c1d77a37d 100644
--- a/src/vnet/ipsec/ipsec_itf.c
+++ b/src/vnet/ipsec/ipsec_itf.c
@@ -21,6 +21,7 @@
#include <vnet/ipsec/ipsec.h>
#include <vnet/adj/adj_midchain.h>
#include <vnet/ethernet/mac_address.h>
+#include <vnet/mpls/mpls.h>
/* bitmap of Allocated IPSEC_ITF instances */
static uword *ipsec_itf_instances;
@@ -274,6 +275,20 @@ ipsec_itf_instance_free (u32 instance)
return 0;
}
+void
+ipsec_itf_reset_tx_nodes (u32 sw_if_index)
+{
+ vnet_feature_modify_end_node (
+ ip4_main.lookup_main.output_feature_arc_index, sw_if_index,
+ vlib_get_node_by_name (vlib_get_main (), (u8 *) "ip4-drop")->index);
+ vnet_feature_modify_end_node (
+ ip6_main.lookup_main.output_feature_arc_index, sw_if_index,
+ vlib_get_node_by_name (vlib_get_main (), (u8 *) "ip6-drop")->index);
+ vnet_feature_modify_end_node (
+ mpls_main.output_feature_arc_index, sw_if_index,
+ vlib_get_node_by_name (vlib_get_main (), (u8 *) "mpls-drop")->index);
+}
+
int
ipsec_itf_create (u32 user_instance, tunnel_mode_t mode, u32 * sw_if_indexp)
{
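Review bot: The three `vlib_get_node_by_name (...)->index` expressions in the new `ipsec_itf_reset_tx_nodes` dereference the lookup result without checking it; `vlib_get_node_by_name` returns NULL for an unknown name, and each call also re-resolves `vlib_get_main ()`. The drop nodes are core graph nodes so the lookups are expected to succeed, but hoisting the main pointer and asserting each lookup keeps a future node rename from turning into a NULL dereference in the middle of interface creation. A small static helper that resolves a node name and asserts the result makes the three arc updates read the same way.
```c
/* Resolve a graph node by name. The drop nodes are core nodes, so a miss
 * is a programming error, not a runtime condition. */
static u32
ipsec_itf_node_index (vlib_main_t *vm, const char *name)
{
  vlib_node_t *node = vlib_get_node_by_name (vm, (u8 *) name);

  ASSERT (node);
  return node->index;
}

void
ipsec_itf_reset_tx_nodes (u32 sw_if_index)
{
  vlib_main_t *vm = vlib_get_main ();

  vnet_feature_modify_end_node (
    ip4_main.lookup_main.output_feature_arc_index, sw_if_index,
    ipsec_itf_node_index (vm, "ip4-drop"));
  vnet_feature_modify_end_node (
    ip6_main.lookup_main.output_feature_arc_index, sw_if_index,
    ipsec_itf_node_index (vm, "ip6-drop"));
  vnet_feature_modify_end_node (mpls_main.output_feature_arc_index, sw_if_index,
				ipsec_itf_node_index (vm, "mpls-drop"));
}
```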
@@ -318,6 +333,7 @@ ipsec_itf_create (u32 user_instance, tunnel_mode_t mode, u32 * sw_if_indexp)
ipsec_itf_index_by_sw_if_index[hi->sw_if_index] = t_idx;
ipsec_itf->ii_sw_if_index = *sw_if_indexp = hi->sw_if_index;
+ ipsec_itf_reset_tx_nodes (hi->sw_if_index);
return 0;
}
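Review bot: The new `ipsec_itf_reset_tx_nodes (hi->sw_if_index);` at the end of `ipsec_itf_create` carries no comment saying why a freshly created interface is pointed at the drop nodes; the reason (the output feature arc's default end node is interface-output, so packets for adjacencies without an SA would otherwise leave via local0-output) lives only in the commit message. Suggest `/* No protection yet: terminate the L3 output arcs at the drop nodes so unprotected traffic never reaches interface-output */` above the call. ipsec_itf_create starts outside the hunk.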
diff --git a/src/vnet/ipsec/ipsec_itf.h b/src/vnet/ipsec/ipsec_itf.h
index 7de02745b81..bf13096ed8f 100644
--- a/src/vnet/ipsec/ipsec_itf.h
+++ b/src/vnet/ipsec/ipsec_itf.h
@@ -102,6 +102,7 @@ typedef struct ipsec_itf_t_
extern int ipsec_itf_create (u32 user_instance,
tunnel_mode_t mode, u32 * sw_if_indexp);
extern int ipsec_itf_delete (u32 sw_if_index);
+extern void ipsec_itf_reset_tx_nodes (u32 sw_if_index);
extern void ipsec_itf_adj_stack (adj_index_t ai, u32 sai);
extern void ipsec_itf_adj_unstack (adj_index_t ai);
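Review bot: The new extern `ipsec_itf_reset_tx_nodes` is declared without a comment, and its effect, replacing the interface's IP4, IP6 and MPLS output feature-arc end nodes with the corresponding drop nodes, is not apparent from the word "reset", which in the helper this commit removes from ipsec_tun.c meant restoring the default L3 output node. Since ipsec_tun.c now calls it from a different module, the contract belongs on the declaration: `/* Point the interface's ip4/ip6/mpls output feature arcs at their drop nodes; used on create and when the last tunnel protection is removed */`.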
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index ef84d13a373..543be8a7faa 100644
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -176,12 +176,6 @@ ipsec_tun_protect_get_adj_next (vnet_link_t linkt,
}
static void
-ipsec_tun_reset_tx_nodes (u32 sw_if_index)
-{
- vnet_reset_interface_l3_output_node (vlib_get_main (), sw_if_index);
-}
-
-static void
ipsec_tun_setup_tx_nodes (u32 sw_if_index, const ipsec_tun_protect_t *itp)
{
vnet_feature_modify_end_node (
@@ -444,7 +438,7 @@ ipsec_tun_protect_tx_db_remove (ipsec_tun_protect_t * itp)
if (vnet_sw_interface_is_p2p (vnet_get_main (), itp->itp_sw_if_index))
{
- ipsec_tun_reset_tx_nodes (itp->itp_sw_if_index);
+ ipsec_itf_reset_tx_nodes (itp->itp_sw_if_index);
idi->id_itp = INDEX_INVALID;
FOR_EACH_FIB_IP_PROTOCOL (nh_proto)
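Review bot: The replaced call in `ipsec_tun_protect_tx_db_remove` changes what "reset" does for a p2p interface that loses its last protection: the removed `ipsec_tun_reset_tx_nodes` restored the default L3 output node via `vnet_reset_interface_l3_output_node`, whereas `ipsec_itf_reset_tx_nodes` installs the ip4/ip6/mpls drop nodes. That is the fail-closed outcome the commit wants for an ipsec interface, but the `vnet_sw_interface_is_p2p` test on the line above suggests this path is not limited to ipsec interfaces; if tunnel protection can be attached to other p2p tunnel types, those would now blackhole after protection removal rather than return to plain forwarding, which is worth confirming and stating in a comment such as `/* last protection removed: fail closed, all L3 output goes to the drop nodes */`. The same change is made in the following hunk at the `hash_elts` branch. The enclosing function starts and ends outside the hunk.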
@@ -460,7 +454,7 @@ ipsec_tun_protect_tx_db_remove (ipsec_tun_protect_t * itp)
if (0 == hash_elts (idi->id_hash))
{
- ipsec_tun_reset_tx_nodes (itp->itp_sw_if_index);
+ ipsec_itf_reset_tx_nodes (itp->itp_sw_if_index);
hash_free (idi->id_hash);
idi->id_hash = NULL;
}