aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2020-01-02 04:06:10 +0000
committerOle Tr�an <otroan@employees.org>2020-11-02 08:49:08 +0000
commit041add7d12217494934b651e4e38b5eab5216ddc (patch)
tree42f6ed8c3e4477b7c7cf93b19f227e4fc0afb4cb /src/vnet
parent62877029aac3e05a1e1db579aeaad42bca5a70a4 (diff)
ipsec: Tunnel SA DSCP behaviour
Type: feature - use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc during IPSEC tunnel mode encap. - use DSCP value to have fixed encap value. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f
Diffstat (limited to 'src/vnet')
-rw-r--r--src/vnet/ip/ip.c18
-rw-r--r--src/vnet/ip/ip6_packet.h13
-rw-r--r--src/vnet/ip/ip_packet.h2
-rw-r--r--src/vnet/ipsec/ah_encrypt.c38
-rw-r--r--src/vnet/ipsec/esp_encrypt.c39
-rw-r--r--src/vnet/ipsec/ipsec.api48
-rw-r--r--src/vnet/ipsec/ipsec_api.c188
-rw-r--r--src/vnet/ipsec/ipsec_cli.c16
-rw-r--r--src/vnet/ipsec/ipsec_format.c6
-rw-r--r--src/vnet/ipsec/ipsec_sa.c11
-rw-r--r--src/vnet/ipsec/ipsec_sa.h7
-rw-r--r--src/vnet/ipsec/ipsec_types.api30
-rw-r--r--src/vnet/tunnel/tunnel_dp.h57
13 files changed, 428 insertions, 45 deletions
diff --git a/src/vnet/ip/ip.c b/src/vnet/ip/ip.c
index bceb529ee6f..062f5e7a4ef 100644
--- a/src/vnet/ip/ip.c
+++ b/src/vnet/ip/ip.c
@@ -155,6 +155,24 @@ format_ip_dscp (u8 * s, va_list * va)
return (format (s, "unknown"));
}
+uword
+unformat_ip_dscp (unformat_input_t * input, va_list * args)
+{
+ ip_dscp_t *dscp = va_arg (*args, ip_dscp_t *);
+
+ if (0)
+ ;
+#define _(n,v) \
+ else if (unformat (input, #v)) \
+ *dscp = IP_DSCP_##v;
+ foreach_ip_dscp
+#undef _
+ else
+ return 0;
+
+ return 1;
+}
+
u8 *
format_ip_ecn (u8 * s, va_list * va)
{
diff --git a/src/vnet/ip/ip6_packet.h b/src/vnet/ip/ip6_packet.h
index 7bbdd197f2f..34bc7a8ec1a 100644
--- a/src/vnet/ip/ip6_packet.h
+++ b/src/vnet/ip/ip6_packet.h
@@ -310,31 +310,36 @@ typedef struct
ip6_address_t src_address, dst_address;
} ip6_header_t;
+#define IP6_PACKET_TC_MASK 0x0FF00000
+#define IP6_PACKET_DSCP_MASK 0x0FC00000
+#define IP6_PACKET_ECN_MASK 0x00300000
+
always_inline ip_dscp_t
ip6_traffic_class (const ip6_header_t * i)
{
- return (i->ip_version_traffic_class_and_flow_label & 0x0FF00000) >> 20;
+ return (i->ip_version_traffic_class_and_flow_label & IP6_PACKET_TC_MASK) >>
+ 20;
}
static_always_inline ip_dscp_t
ip6_traffic_class_network_order (const ip6_header_t * ip6)
{
return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label)
- & 0x0ff00000) >> 20;
+ & IP6_PACKET_TC_MASK) >> 20;
}
static_always_inline ip_dscp_t
ip6_dscp_network_order (const ip6_header_t * ip6)
{
return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label)
- & 0x0fc00000) >> 22;
+ & IP6_PACKET_DSCP_MASK) >> 22;
}
static_always_inline ip_ecn_t
ip6_ecn_network_order (const ip6_header_t * ip6)
{
return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label)
- & 0x00300000) >> 20;
+ & IP6_PACKET_ECN_MASK) >> 20;
}
static_always_inline void
diff --git a/src/vnet/ip/ip_packet.h b/src/vnet/ip/ip_packet.h
index 52a65e78c24..e1089ec308e 100644
--- a/src/vnet/ip/ip_packet.h
+++ b/src/vnet/ip/ip_packet.h
@@ -42,6 +42,7 @@
#include <vppinfra/byte_order.h>
#include <vppinfra/error.h>
+#include <vppinfra/format.h>
typedef enum ip_protocol
{
@@ -119,6 +120,7 @@ typedef enum ip_dscp_t_
} __clib_packed ip_dscp_t;
extern u8 *format_ip_dscp (u8 * s, va_list * va);
+unformat_function_t unformat_ip_dscp;
/**
* IP DSCP bit shift
diff --git a/src/vnet/ipsec/ah_encrypt.c b/src/vnet/ipsec/ah_encrypt.c
index b4e9af34802..d89cb093f26 100644
--- a/src/vnet/ipsec/ah_encrypt.c
+++ b/src/vnet/ipsec/ah_encrypt.c
@@ -22,6 +22,7 @@
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/esp.h>
#include <vnet/ipsec/ah.h>
+#include <vnet/tunnel/tunnel_dp.h>
#define foreach_ah_encrypt_next \
_ (DROP, "error-drop") \
@@ -111,12 +112,13 @@ typedef struct
{
union
{
+ /* Variable fields in the IP header not covered by the AH
+ * integrity check */
struct
{
u8 hop_limit;
u32 ip_version_traffic_class_and_flow_label;
};
-
struct
{
u8 ttl;
@@ -209,8 +211,6 @@ ah_encrypt_inline (vlib_main_t * vm,
ssize_t adv;
ih0 = vlib_buffer_get_current (b[0]);
- pd->ttl = ih0->ip4.ttl;
- pd->tos = ih0->ip4.tos;
if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0)))
{
@@ -246,10 +246,20 @@ ah_encrypt_inline (vlib_main_t * vm,
ip_hdr_size = sizeof (ip6_header_t);
oh6_0 = vlib_buffer_get_current (b[0]);
pd->current_data = b[0]->current_data;
-
pd->hop_limit = ih6_0->ip6.hop_limit;
- pd->ip_version_traffic_class_and_flow_label =
+
+ oh6_0->ip6.ip_version_traffic_class_and_flow_label =
ih6_0->ip6.ip_version_traffic_class_and_flow_label;
+
+ ip6_set_dscp_network_order (&oh6_0->ip6, sa0->dscp);
+
+ tunnel_encap_fixup_6o6 (sa0->tunnel_flags,
+ &ih6_0->ip6, &oh6_0->ip6);
+
+ pd->ip_version_traffic_class_and_flow_label =
+ oh6_0->ip6.ip_version_traffic_class_and_flow_label;
+ oh6_0->ip6.ip_version_traffic_class_and_flow_label = 0;
+
if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0)))
{
next_hdr_type = IP_PROTOCOL_IPV6;
@@ -275,8 +285,24 @@ ah_encrypt_inline (vlib_main_t * vm,
{
ip_hdr_size = sizeof (ip4_header_t);
oh0 = vlib_buffer_get_current (b[0]);
- clib_memset (oh0, 0, sizeof (ip4_and_ah_header_t));
+ pd->ttl = ih0->ip4.ttl;
+
+ if (sa0->dscp)
+ pd->tos = sa0->dscp << 2;
+ else
+ {
+ pd->tos = ih0->ip4.tos;
+ if (!
+ (sa0->tunnel_flags &
+ TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP))
+ pd->tos &= 0x3;
+ if (!
+ (sa0->tunnel_flags &
+ TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN))
+ pd->tos &= 0xfc;
+ }
pd->current_data = b[0]->current_data;
+ clib_memset (oh0, 0, sizeof (ip4_and_ah_header_t));
if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0)))
{
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index f5461684166..ed49cdc97eb 100644
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -24,6 +24,7 @@
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/ipsec_tun.h>
#include <vnet/ipsec/esp.h>
+#include <vnet/tunnel/tunnel_dp.h>
#define foreach_esp_encrypt_next \
_(DROP4, "ip4-drop") \
@@ -743,9 +744,22 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
u16 len = sizeof (ip6_header_t);
hdr_len += len;
ip6 = (ip6_header_t *) (payload - hdr_len);
- clib_memcpy_fast (ip6, &sa0->ip6_hdr, len);
- *next_hdr_ptr = (is_ip6 ?
- IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP);
+ clib_memcpy_fast (ip6, &sa0->ip6_hdr, sizeof (ip6_header_t));
+
+ if (is_ip6)
+ {
+ *next_hdr_ptr = IP_PROTOCOL_IPV6;
+ tunnel_encap_fixup_6o6 (sa0->tunnel_flags,
+ (const ip6_header_t *) payload,
+ ip6);
+ }
+ else
+ {
+ *next_hdr_ptr = IP_PROTOCOL_IP_IN_IP;
+ tunnel_encap_fixup_4o6 (sa0->tunnel_flags,
+ (const ip4_header_t *) payload,
+ ip6);
+ }
len = payload_len_total + hdr_len - len;
ip6->payload_length = clib_net_to_host_u16 (len);
}
@@ -755,9 +769,22 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
u16 len = sizeof (ip4_header_t);
hdr_len += len;
ip4 = (ip4_header_t *) (payload - hdr_len);
- clib_memcpy_fast (ip4, &sa0->ip4_hdr, len);
- *next_hdr_ptr = (is_ip6 ?
- IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP);
+ clib_memcpy_fast (ip4, &sa0->ip4_hdr, sizeof (ip4_header_t));
+
+ if (is_ip6)
+ {
+ *next_hdr_ptr = IP_PROTOCOL_IPV6;
+ tunnel_encap_fixup_6o4_w_chksum (sa0->tunnel_flags,
+ (const ip6_header_t *)
+ payload, ip4);
+ }
+ else
+ {
+ *next_hdr_ptr = IP_PROTOCOL_IP_IN_IP;
+ tunnel_encap_fixup_4o4_w_chksum (sa0->tunnel_flags,
+ (const ip4_header_t *)
+ payload, ip4);
+ }
len = payload_len_total + hdr_len;
esp_update_ip4_hdr (ip4, len, /* is_transport */ 0, 0);
}
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 89dcdb761de..178c7c6f46e 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -196,12 +196,25 @@ define ipsec_sad_entry_add_del
bool is_add;
vl_api_ipsec_sad_entry_t entry;
};
+define ipsec_sad_entry_add_del_v2
+{
+ u32 client_index;
+ u32 context;
+ bool is_add;
+ vl_api_ipsec_sad_entry_v2_t entry;
+};
define ipsec_sad_entry_add_del_reply
{
u32 context;
i32 retval;
u32 stat_index;
};
+define ipsec_sad_entry_add_del_v2_reply
+{
+ u32 context;
+ i32 retval;
+ u32 stat_index;
+};
/** \brief Add or Update Protection for a tunnel with IPSEC
@@ -439,25 +452,17 @@ define ipsec_sa_dump
u32 context;
u32 sa_id;
};
+define ipsec_sa_v2_dump
+{
+ u32 client_index;
+ u32 context;
+ u32 sa_id;
+};
/** \brief IPsec security association database response
@param context - sender context which was passed in the request
- @param sa_id - SA ID, policy-based SAs >=0, tunnel interface SAs = 0
+ @param entry - The SA details
@param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
- @param spi - security parameter index
- @param protocol - IPsec protocol (value from ipsec_protocol_t)
- @param crypto_alg - crypto algorithm (value from ipsec_crypto_alg_t)
- @param crypto_key_len - length of crypto_key in bytes
- @param crypto_key - crypto keying material
- @param integ_alg - integrity algorithm (value from ipsec_integ_alg_t)
- @param integ_key_len - length of integ_key in bytes
- @param integ_key - integrity keying material
- @param use_esn - using extended sequence numbers when non-zero
- @param use_anti_replay - using anti-replay window when non-zero
- @param is_tunnel - IPsec tunnel mode when non-zero, else transport mode
- @param is_tunnel_ipv6 - If using tunnel mode, endpoints are IPv6
- @param tunnel_src_addr - Tunnel source address if using tunnel mode
- @param tunnel_dst_addr - Tunnel destination address is using tunnel mode
@param salt - 4 byte salt
@param seq - current sequence number for outbound
@param seq_hi - high 32 bits of ESN for outbound
@@ -465,7 +470,6 @@ define ipsec_sa_dump
@param last_seq_hi - high 32 bits of highest ESN received inbound
@param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
@param stat_index - index for the SA in the stats segment @ /net/ipsec/sa
- @param udp_encap - 1 if UDP encap enabled, 0 otherwise
*/
define ipsec_sa_details {
u32 context;
@@ -479,6 +483,18 @@ define ipsec_sa_details {
u32 stat_index;
};
+define ipsec_sa_v2_details {
+ u32 context;
+ vl_api_ipsec_sad_entry_v2_t entry;
+
+ vl_api_interface_index_t sw_if_index;
+ u32 salt;
+ u64 seq_outbound;
+ u64 last_seq_inbound;
+ u64 replay_window;
+
+ u32 stat_index;
+};
/** \brief Set new SA on IPsec interface
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index f623cced0c7..7003791c8c8 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -28,6 +28,7 @@
#include <vnet/tunnel/tunnel_types_api.h>
#include <vnet/fib/fib.h>
#include <vnet/ipip/ipip.h>
+#include <vnet/tunnel/tunnel_types_api.h>
#include <vnet/vnet_msg_enum.h>
@@ -58,7 +59,9 @@ _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \
_(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \
_(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \
_(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \
+_(IPSEC_SAD_ENTRY_ADD_DEL_V2, ipsec_sad_entry_add_del_v2) \
_(IPSEC_SA_DUMP, ipsec_sa_dump) \
+_(IPSEC_SA_V2_DUMP, ipsec_sa_v2_dump) \
_(IPSEC_SPDS_DUMP, ipsec_spds_dump) \
_(IPSEC_SPD_DUMP, ipsec_spd_dump) \
_(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
@@ -380,7 +383,10 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
crypto_alg, &crypto_key,
integ_alg, &integ_key, flags,
0, mp->entry.salt, &tun_src, &tun_dst,
- &sa_index, htons (mp->entry.udp_src_port),
+ TUNNEL_ENCAP_DECAP_FLAG_NONE,
+ IP_DSCP_CS0,
+ &sa_index,
+ htons (mp->entry.udp_src_port),
htons (mp->entry.udp_dst_port));
else
rv = ipsec_sa_unlock_id (id);
@@ -398,6 +404,83 @@ out:
/* *INDENT-ON* */
}
+static void vl_api_ipsec_sad_entry_add_del_v2_t_handler
+ (vl_api_ipsec_sad_entry_add_del_v2_t * mp)
+{
+ vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
+ vl_api_ipsec_sad_entry_add_del_v2_reply_t *rmp;
+ ip46_address_t tun_src = { }, tun_dst =
+ {
+ };
+ tunnel_encap_decap_flags_t tunnel_flags;
+ ipsec_key_t crypto_key, integ_key;
+ ipsec_crypto_alg_t crypto_alg;
+ ipsec_integ_alg_t integ_alg;
+ ipsec_protocol_t proto;
+ ipsec_sa_flags_t flags;
+ u32 id, spi, sa_index = ~0;
+ int rv;
+
+#if WITH_LIBSSL > 0
+
+ id = ntohl (mp->entry.sad_id);
+ spi = ntohl (mp->entry.spi);
+
+ rv = ipsec_proto_decode (mp->entry.protocol, &proto);
+
+ if (rv)
+ goto out;
+
+ rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
+
+ if (rv)
+ goto out;
+
+ rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
+
+ if (rv)
+ goto out;
+
+ rv =
+ tunnel_encap_decap_flags_decode (mp->entry.tunnel_flags, &tunnel_flags);
+
+ if (rv)
+ goto out;
+
+ ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
+ ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
+
+ flags = ipsec_sa_flags_decode (mp->entry.flags);
+
+ ip_address_decode (&mp->entry.tunnel_src, &tun_src);
+ ip_address_decode (&mp->entry.tunnel_dst, &tun_dst);
+
+ if (mp->is_add)
+ rv = ipsec_sa_add_and_lock (id, spi, proto,
+ crypto_alg, &crypto_key,
+ integ_alg, &integ_key, flags,
+ 0, mp->entry.salt, &tun_src, &tun_dst,
+ tunnel_flags,
+ ip_dscp_decode (mp->entry.dscp),
+ &sa_index,
+ htons (mp->entry.udp_src_port),
+ htons (mp->entry.udp_dst_port));
+ else
+ rv = ipsec_sa_unlock_id (id);
+
+#else
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+#endif
+
+out:
+ /* *INDENT-OFF* */
+ REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_V2_REPLY,
+ {
+ rmp->stat_index = htonl (sa_index);
+ });
+ /* *INDENT-ON* */
+}
+
static void
send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg,
u32 context)
@@ -671,7 +754,9 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
&integ_key,
(flags | IPSEC_SA_FLAG_IS_INBOUND),
ntohl (mp->tx_table_id),
- mp->salt, &remote_ip, &local_ip, NULL,
+ mp->salt, &remote_ip, &local_ip,
+ TUNNEL_ENCAP_DECAP_FLAG_NONE,
+ IP_DSCP_CS0, NULL,
IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
if (rv)
@@ -686,7 +771,9 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
&integ_key,
flags,
ntohl (mp->tx_table_id),
- mp->salt, &local_ip, &remote_ip, NULL,
+ mp->salt, &local_ip, &remote_ip,
+ TUNNEL_ENCAP_DECAP_FLAG_NONE,
+ IP_DSCP_CS0, NULL,
IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
if (rv)
@@ -905,6 +992,101 @@ vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
#endif
}
+static walk_rc_t
+send_ipsec_sa_v2_details (ipsec_sa_t * sa, void *arg)
+{
+ ipsec_dump_walk_ctx_t *ctx = arg;
+ vl_api_ipsec_sa_v2_details_t *mp;
+ ipsec_main_t *im = &ipsec_main;
+
+ mp = vl_msg_api_alloc (sizeof (*mp));
+ clib_memset (mp, 0, sizeof (*mp));
+ mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_V2_DETAILS);
+ mp->context = ctx->context;
+
+ mp->entry.sad_id = htonl (sa->id);
+ mp->entry.spi = htonl (sa->spi);
+ mp->entry.protocol = ipsec_proto_encode (sa->protocol);
+ mp->entry.tx_table_id =
+ htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4));
+
+ mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
+ ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
+
+ mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
+ ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
+
+ mp->entry.flags = ipsec_sad_flags_encode (sa);
+ mp->entry.salt = clib_host_to_net_u32 (sa->salt);
+
+ if (ipsec_sa_is_set_IS_PROTECT (sa))
+ {
+ ipsec_sa_dump_match_ctx_t ctx = {
+ .sai = sa - im->sad,
+ .sw_if_index = ~0,
+ };
+ ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
+
+ mp->sw_if_index = htonl (ctx.sw_if_index);
+ }
+ else
+ mp->sw_if_index = ~0;
+
+ if (ipsec_sa_is_set_IS_TUNNEL (sa))
+ {
+ ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY,
+ &mp->entry.tunnel_src);
+ ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
+ &mp->entry.tunnel_dst);
+ }
+ if (ipsec_sa_is_set_UDP_ENCAP (sa))
+ {
+ mp->entry.udp_src_port = sa->udp_hdr.src_port;
+ mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
+ }
+
+ mp->entry.tunnel_flags = tunnel_encap_decap_flags_encode (sa->tunnel_flags);
+ mp->entry.dscp = ip_dscp_encode (sa->dscp);
+
+ mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
+ mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
+ if (ipsec_sa_is_set_USE_ESN (sa))
+ {
+ mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
+ mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
+ }
+ if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
+ mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
+
+ mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
+
+ vl_api_send_msg (ctx->reg, (u8 *) mp);
+
+ return (WALK_CONTINUE);
+}
+
+static void
+vl_api_ipsec_sa_v2_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
+{
+ vl_api_registration_t *reg;
+
+#if WITH_LIBSSL > 0
+ reg = vl_api_client_index_to_registration (mp->client_index);
+ if (!reg)
+ return;
+
+ ipsec_dump_walk_ctx_t ctx = {
+ .reg = reg,
+ .context = mp->context,
+ };
+
+ ipsec_sa_walk (send_ipsec_sa_v2_details, &ctx);
+
+#else
+ clib_warning ("unimplemented");
+#endif
+}
+
static void
vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
{
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index d7378534eb8..fc79c4ca347 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -90,6 +90,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
u16 udp_src, udp_dst;
int is_add, rv;
u32 m_args = 0;
+ ip_dscp_t dscp;
salt = 0;
error = NULL;
@@ -99,6 +100,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
integ_alg = IPSEC_INTEG_ALG_NONE;
crypto_alg = IPSEC_CRYPTO_ALG_NONE;
udp_src = udp_dst = IPSEC_UDP_PORT_NONE;
+ dscp = IP_DSCP_CS0;
if (!unformat_user (input, unformat_line_input, line_input))
return 0;
@@ -182,7 +184,9 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg,
&ck, integ_alg, &ik, flags,
0, clib_host_to_net_u32 (salt),
- &tun_src, &tun_dst, &sai, udp_src, udp_dst);
+ &tun_src, &tun_dst,
+ TUNNEL_ENCAP_DECAP_FLAG_NONE, dscp,
+ &sai, udp_src, udp_dst);
}
else
{
@@ -910,16 +914,18 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm,
local_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
&lck, integ_alg, &lik, flags, table_id,
clib_host_to_net_u32 (salt), &local_ip,
- &remote_ip, NULL, IPSEC_UDP_PORT_NONE,
- IPSEC_UDP_PORT_NONE);
+ &remote_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+ IP_DSCP_CS0, NULL,
+ IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
rv |=
ipsec_sa_add_and_lock (ipsec_tun_mk_remote_sa_id (sw_if_index),
remote_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
&rck, integ_alg, &rik,
(flags | IPSEC_SA_FLAG_IS_INBOUND), table_id,
clib_host_to_net_u32 (salt), &remote_ip,
- &local_ip, NULL, IPSEC_UDP_PORT_NONE,
- IPSEC_UDP_PORT_NONE);
+ &local_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+ IP_DSCP_CS0, NULL,
+ IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
rv |=
ipsec_tun_protect_update_one (sw_if_index, &nh,
ipsec_tun_mk_local_sa_id (sw_if_index),
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index 6781fe580c1..bf5ea3750e2 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -322,10 +322,12 @@ format_ipsec_sa (u8 * s, va_list * args)
{
tx_table_id = fib_table_get_table_id (sa->tx_fib_index,
FIB_PROTOCOL_IP4);
- s = format (s, "\n table-ID %d tunnel src %U dst %U",
+ s = format (s, "\n table-ID %d tunnel %U src %U dst %U flags %U",
tx_table_id,
+ format_ip_dscp, sa->dscp,
format_ip46_address, &sa->tunnel_src_addr, IP46_TYPE_ANY,
- format_ip46_address, &sa->tunnel_dst_addr, IP46_TYPE_ANY);
+ format_ip46_address, &sa->tunnel_dst_addr, IP46_TYPE_ANY,
+ format_tunnel_encap_decap_flags, sa->tunnel_flags);
if (!ipsec_sa_is_set_IS_INBOUND (sa))
{
s =
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index 9b2f2b53fa5..71e86ac5c45 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -178,8 +178,10 @@ ipsec_sa_add_and_lock (u32 id,
u32 tx_table_id,
u32 salt,
const ip46_address_t * tun_src,
- const ip46_address_t * tun_dst, u32 * sa_out_index,
- u16 src_port, u16 dst_port)
+ const ip46_address_t * tun_dst,
+ tunnel_encap_decap_flags_t tunnel_flags,
+ ip_dscp_t dscp,
+ u32 * sa_out_index, u16 src_port, u16 dst_port)
{
vlib_main_t *vm = vlib_get_main ();
ipsec_main_t *im = &ipsec_main;
@@ -206,6 +208,8 @@ ipsec_sa_add_and_lock (u32 id,
sa->stat_index = sa_index;
sa->protocol = proto;
sa->flags = flags;
+ sa->tunnel_flags = tunnel_flags;
+ sa->dscp = dscp;
sa->salt = salt;
sa->encrypt_thread_index = (vlib_num_workers ())? ~0 : 0;
sa->decrypt_thread_index = (vlib_num_workers ())? ~0 : 0;
@@ -297,6 +301,8 @@ ipsec_sa_add_and_lock (u32 id,
if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
{
sa->ip6_hdr.ip_version_traffic_class_and_flow_label = 0x60;
+ ip6_set_dscp_network_order (&sa->ip6_hdr, sa->dscp);
+
sa->ip6_hdr.hop_limit = 254;
sa->ip6_hdr.src_address.as_u64[0] =
sa->tunnel_src_addr.ip6.as_u64[0];
@@ -317,6 +323,7 @@ ipsec_sa_add_and_lock (u32 id,
sa->ip4_hdr.ttl = 254;
sa->ip4_hdr.src_address.as_u32 = sa->tunnel_src_addr.ip4.as_u32;
sa->ip4_hdr.dst_address.as_u32 = sa->tunnel_dst_addr.ip4.as_u32;
+ sa->ip4_hdr.tos = sa->dscp << 2;
if (ipsec_sa_is_set_UDP_ENCAP (sa))
sa->ip4_hdr.protocol = IP_PROTOCOL_UDP;
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index 02f5eaf03a0..6ed71325f69 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -19,6 +19,7 @@
#include <vnet/crypto/crypto.h>
#include <vnet/ip/ip.h>
#include <vnet/fib/fib_node.h>
+#include <vnet/tunnel/tunnel.h>
#define foreach_ipsec_crypto_alg \
_ (0, NONE, "none") \
@@ -163,7 +164,9 @@ typedef struct
u32 salt;
ipsec_protocol_t protocol;
- u8 __pad[3];
+ tunnel_encap_decap_flags_t tunnel_flags;
+ ip_dscp_t dscp;
+ u8 __pad[1];
/* data accessed by dataplane code should be above this comment */
CLIB_CACHE_LINE_ALIGN_MARK (cacheline2);
@@ -258,6 +261,8 @@ extern int ipsec_sa_add_and_lock (u32 id,
u32 salt,
const ip46_address_t * tunnel_src_addr,
const ip46_address_t * tunnel_dst_addr,
+ tunnel_encap_decap_flags_t tunnel_flags,
+ ip_dscp_t dscp,
u32 * sa_index, u16 src_port, u16 dst_port);
extern index_t ipsec_sa_find_and_lock (u32 id);
extern int ipsec_sa_unlock_id (u32 id);
diff --git a/src/vnet/ipsec/ipsec_types.api b/src/vnet/ipsec/ipsec_types.api
index 715f3de0e12..ca1b3788e64 100644
--- a/src/vnet/ipsec/ipsec_types.api
+++ b/src/vnet/ipsec/ipsec_types.api
@@ -17,6 +17,7 @@
option version = "3.0.0";
import "vnet/ip/ip_types.api";
+import "vnet/tunnel/tunnel_types.api";
/*
* @brief Support cryptographic algorithms
@@ -108,6 +109,8 @@ typedef key
TX. It is ignored for RX.
@param udp_dst_port - If using UDP Encapsulation, use this destination port
for TX. Expect traffic on this port for RX.
+ @param tunnel_flags - Flags controlling the copying of encap/decap value
+ @param dscp - Fixed DSCP vaule for tunnel encap
*/
typedef ipsec_sad_entry
{
@@ -133,6 +136,33 @@ typedef ipsec_sad_entry
u16 udp_dst_port [default=4500];
};
+typedef ipsec_sad_entry_v2
+{
+ u32 sad_id;
+
+ u32 spi;
+
+ vl_api_ipsec_proto_t protocol;
+
+ vl_api_ipsec_crypto_alg_t crypto_algorithm;
+ vl_api_key_t crypto_key;
+
+ vl_api_ipsec_integ_alg_t integrity_algorithm;
+ vl_api_key_t integrity_key;
+
+ vl_api_ipsec_sad_flags_t flags;
+
+ vl_api_address_t tunnel_src;
+ vl_api_address_t tunnel_dst;
+ vl_api_tunnel_encap_decap_flags_t tunnel_flags;
+ vl_api_ip_dscp_t dscp;
+ u32 tx_table_id;
+ u32 salt;
+ u16 udp_src_port [default=4500];
+ u16 udp_dst_port [default=4500];
+};
+
+
/*
* Local Variables:
* eval: (c-set-style "gnu")
diff --git a/src/vnet/tunnel/tunnel_dp.h b/src/vnet/tunnel/tunnel_dp.h
index a00a3b3e222..f84e764f7ea 100644
--- a/src/vnet/tunnel/tunnel_dp.h
+++ b/src/vnet/tunnel/tunnel_dp.h
@@ -34,6 +34,41 @@ tunnel_encap_fixup_4o4 (tunnel_encap_decap_flags_t flags,
}
static_always_inline void
+tunnel_encap_fixup_4o4_w_chksum (tunnel_encap_decap_flags_t flags,
+ const ip4_header_t * inner,
+ ip4_header_t * outer)
+{
+ if (flags & (TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP |
+ TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN))
+ {
+ ip_csum_t sum = outer->checksum;
+ u8 tos = outer->tos;
+
+ if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP)
+ ip4_header_set_dscp (outer, ip4_header_get_dscp (inner));
+ if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)
+ ip4_header_set_ecn (outer, ip4_header_get_ecn (inner));
+
+ sum =
+ ip_csum_update (outer->checksum, tos, outer->tos, ip4_header_t, tos);
+ outer->checksum = ip_csum_fold (sum);
+ }
+ if ((flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DF) &&
+ ip4_header_get_df (inner))
+ {
+ ip_csum_t sum = outer->checksum;
+ u16 tos = outer->flags_and_fragment_offset;
+
+ ip4_header_set_df (outer);
+
+ sum =
+ ip_csum_update (outer->checksum, tos, outer->tos, ip4_header_t,
+ flags_and_fragment_offset);
+ outer->checksum = ip_csum_fold (sum);
+ }
+}
+
+static_always_inline void
tunnel_encap_fixup_6o4 (tunnel_encap_decap_flags_t flags,
const ip6_header_t * inner, ip4_header_t * outer)
{
@@ -44,6 +79,28 @@ tunnel_encap_fixup_6o4 (tunnel_encap_decap_flags_t flags,
}
static_always_inline void
+tunnel_encap_fixup_6o4_w_chksum (tunnel_encap_decap_flags_t flags,
+ const ip6_header_t * inner,
+ ip4_header_t * outer)
+{
+ if (flags & (TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP |
+ TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN))
+ {
+ ip_csum_t sum = outer->checksum;
+ u8 tos = outer->tos;
+
+ if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP)
+ ip4_header_set_dscp (outer, ip6_dscp_network_order (inner));
+ if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)
+ ip4_header_set_ecn (outer, ip6_ecn_network_order ((inner)));
+
+ sum =
+ ip_csum_update (outer->checksum, tos, outer->tos, ip4_header_t, tos);
+ outer->checksum = ip_csum_fold (sum);
+ }
+}
+
+static_always_inline void
tunnel_encap_fixup_6o6 (tunnel_encap_decap_flags_t flags,
const ip6_header_t * inner, ip6_header_t * outer)
{