diff options
| author |   Piotr Bronowski <piotrx.bronowski@intel.com> | 2023-02-13 18:18:59 +0000 |
|---|---|---|
| committer |   Fan Zhang <fanzhang.oss@gmail.com> | 2023-03-20 16:38:36 +0000 |
| commit | 645a588ee3a136bd68b1e89414c6b0a192df3c31 (patch) | |
| tree | fe8b6bfffcd4e0b26f18cf4f75daf1e318b2e2cf /src/vnet/ipsec | |
| parent | 8a4b79778f8b3149d663face83d37fbf96e12d05 (diff) | |
ipsec: set fast path 5tuple ip addresses based on sa traffic selector values
Previously, even if sa defined traffic selectors esp packet src and dst
have been used for fast path inbound spd matching. This patch provides
a fix for that issue.
Type: fix
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: Ibd3ca224b155cc9e0c6aedd0f36aff489b7af5b8
Diffstat (limited to 'src/vnet/ipsec')
| -rw-r--r-- | src/vnet/ipsec/ipsec_spd_policy.c | 39 |
1 files changed, 35 insertions, 4 deletions
diff --git a/src/vnet/ipsec/ipsec_spd_policy.c b/src/vnet/ipsec/ipsec_spd_policy.c index 4a17062b80e..6a66a2de269 100644 --- a/src/vnet/ipsec/ipsec_spd_policy.c +++ b/src/vnet/ipsec/ipsec_spd_policy.c @@ -378,7 +378,6 @@ ipsec_fp_get_policy_ports_mask (ipsec_policy_t *policy, } mask->protocol = (policy->protocol == IPSEC_POLICY_PROTOCOL_ANY) ? 0 : ~0; - mask->action = 0; } static_always_inline void @@ -395,6 +394,15 @@ ipsec_fp_ip4_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask, clib_memset_u8 (mask, 0xff, sizeof (ipsec_fp_5tuple_t)); clib_memset_u8 (&mask->l3_zero_pad, 0, sizeof (mask->l3_zero_pad)); + if (inbound && (policy->type == IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT && + policy->sa_index != INDEX_INVALID)) + { + ipsec_sa_t *s = ipsec_sa_get (policy->sa_index); + + if (ipsec_sa_is_set_IS_TUNNEL (s)) + goto set_spi_mask; + } + /* find bits where start != stop */ *plmask = *pladdr_start ^ *pladdr_stop; *prmask = *praddr_start ^ *praddr_stop; @@ -409,6 +417,7 @@ ipsec_fp_ip4_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask, *prmask = clib_host_to_net_u32 ( mask_out_highest_set_bit_u32 (clib_net_to_host_u32 (*prmask))); +set_spi_mask: if (inbound) { if (policy->type != IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT) @@ -436,6 +445,15 @@ ipsec_fp_ip6_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask, clib_memset_u8 (mask, 0xff, sizeof (ipsec_fp_5tuple_t)); + if (inbound && (policy->type == IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT && + policy->sa_index != INDEX_INVALID)) + { + ipsec_sa_t *s = ipsec_sa_get (policy->sa_index); + + if (ipsec_sa_is_set_IS_TUNNEL (s)) + goto set_spi_mask; + } + *plmask = (*pladdr_start++ ^ *pladdr_stop++); *prmask = (*praddr_start++ ^ *praddr_stop++); @@ -468,10 +486,10 @@ ipsec_fp_ip6_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask, } else *prmask = 0; - +set_spi_mask: if (inbound) { - if (policy->type != IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT) + if (policy->type != IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT) mask->spi = 0; mask->protocol = 0; @@ -508,7 +526,21 @@ ipsec_fp_get_policy_5tuple (ipsec_policy_t *policy, ipsec_fp_5tuple_t *tuple, policy->sa_index != INDEX_INVALID) { ipsec_sa_t *s = ipsec_sa_get (policy->sa_index); + tuple->spi = s->spi; + if (ipsec_sa_is_set_IS_TUNNEL (s)) + { + if (tuple->is_ipv6) + { + tuple->ip6_laddr = s->tunnel.t_dst.ip.ip6; + tuple->ip6_raddr = s->tunnel.t_src.ip.ip6; + } + else + { + tuple->laddr = s->tunnel.t_dst.ip.ip4; + tuple->raddr = s->tunnel.t_src.ip.ip4; + } + } } else tuple->spi = INDEX_INVALID; @@ -517,7 +549,6 @@ ipsec_fp_get_policy_5tuple (ipsec_policy_t *policy, ipsec_fp_5tuple_t *tuple, } tuple->protocol = policy->protocol; - tuple->lport = policy->lport.start; tuple->rport = policy->rport.start; } |