aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorBrian Russell <brian@graphiant.com>2021-02-22 18:42:24 +0000
committerNeale Ranns <neale@graphiant.com>2021-02-25 09:13:28 +0000
commit7a29a2d400bbc3740a6a98863f290aa654d5f724 (patch)
tree11df1d06c2ce717c741da0b3bb88ca4e0f9d5c11 /src
parent0eaf4e6784efb2d058fe2f031578251b6bcc0aa8 (diff)
ipsec: enable input features on tunnels
Make the ipsec[46]-tun-input nodes siblings of device-input so that input features can be enabled on them. Register ipsec-tun for feature updates. When a feature is enabled on the device-input arc and the ifindex is an IPSec tunnel, change the end node of the arc for that ifindex to be the appropriate ESP decrypt node. Set a flag on the tunnel to indicate that the feature arc should be started for packets input on the tunnel. Test input policing on ESP IPSec tunnels. Type: improvement Signed-off-by: Brian Russell <brian@graphiant.com> Change-Id: I3b9f047e5e737f3ea4c58fc82cd3c15700b6f9f7
Diffstat (limited to 'src')
-rw-r--r--src/vnet/devices/devices.h26
-rw-r--r--src/vnet/ipsec/ipsec_tun.c45
-rw-r--r--src/vnet/ipsec/ipsec_tun.h9
-rw-r--r--src/vnet/ipsec/ipsec_tun_in.c43
4 files changed, 93 insertions, 30 deletions
diff --git a/src/vnet/devices/devices.h b/src/vnet/devices/devices.h
index a14c1966e44..e54c7a29130 100644
--- a/src/vnet/devices/devices.h
+++ b/src/vnet/devices/devices.h
@@ -27,17 +27,27 @@ typedef enum
VNET_DEVICE_INPUT_NEXT_MPLS_INPUT,
VNET_DEVICE_INPUT_NEXT_ETHERNET_INPUT,
VNET_DEVICE_INPUT_NEXT_DROP,
+
+ /* For tunnels */
+ VNET_DEVICE_INPUT_NEXT_IP4_DROP,
+ VNET_DEVICE_INPUT_NEXT_IP6_DROP,
+ VNET_DEVICE_INPUT_NEXT_PUNT,
+
VNET_DEVICE_INPUT_N_NEXT_NODES,
} vnet_device_input_next_t;
-#define VNET_DEVICE_INPUT_NEXT_NODES { \
- [VNET_DEVICE_INPUT_NEXT_DROP] = "error-drop", \
- [VNET_DEVICE_INPUT_NEXT_ETHERNET_INPUT] = "ethernet-input", \
- [VNET_DEVICE_INPUT_NEXT_IP4_NCS_INPUT] = "ip4-input-no-checksum", \
- [VNET_DEVICE_INPUT_NEXT_IP4_INPUT] = "ip4-input", \
- [VNET_DEVICE_INPUT_NEXT_IP6_INPUT] = "ip6-input", \
- [VNET_DEVICE_INPUT_NEXT_MPLS_INPUT] = "mpls-input", \
-}
+#define VNET_DEVICE_INPUT_NEXT_NODES \
+ { \
+ [VNET_DEVICE_INPUT_NEXT_DROP] = "error-drop", \
+ [VNET_DEVICE_INPUT_NEXT_ETHERNET_INPUT] = "ethernet-input", \
+ [VNET_DEVICE_INPUT_NEXT_IP4_NCS_INPUT] = "ip4-input-no-checksum", \
+ [VNET_DEVICE_INPUT_NEXT_IP4_INPUT] = "ip4-input", \
+ [VNET_DEVICE_INPUT_NEXT_IP6_INPUT] = "ip6-input", \
+ [VNET_DEVICE_INPUT_NEXT_MPLS_INPUT] = "mpls-input", \
+ [VNET_DEVICE_INPUT_NEXT_IP4_DROP] = "ip4-drop", \
+ [VNET_DEVICE_INPUT_NEXT_IP6_DROP] = "ip6-drop", \
+ [VNET_DEVICE_INPUT_NEXT_PUNT] = "punt-dispatch", \
+ }
typedef struct
{
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index 74340256f38..0b6ec0ea33e 100644
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -779,6 +779,49 @@ ipsec_tun_protect_walk_itf (u32 sw_if_index,
}
static void
+ipsec_tun_feature_update (u32 sw_if_index, u8 arc_index, u8 is_enable,
+ void *data)
+{
+ ipsec_tun_protect_t *itp;
+ index_t itpi;
+
+ if (arc_index != feature_main.device_input_feature_arc_index)
+ return;
+
+ /* Only p2p tunnels supported */
+ itpi = ipsec_tun_protect_find (sw_if_index, &IP_ADDR_ALL_0);
+ if (itpi == INDEX_INVALID)
+ return;
+
+ itp = ipsec_tun_protect_get (itpi);
+
+ if (is_enable)
+ {
+ u32 decrypt_tun = ip46_address_is_ip4 (&itp->itp_crypto.dst) ?
+ ipsec_main.esp4_decrypt_tun_node_index :
+ ipsec_main.esp6_decrypt_tun_node_index;
+
+ vnet_feature_modify_end_node (
+ feature_main.device_input_feature_arc_index, sw_if_index, decrypt_tun);
+ itp->itp_flags |= IPSEC_PROTECT_FEAT;
+ }
+ else
+ {
+ u32 eth_in =
+ vlib_get_node_by_name (vlib_get_main (), (u8 *) "ethernet-input")
+ ->index;
+
+ vnet_feature_modify_end_node (
+ feature_main.device_input_feature_arc_index, sw_if_index, eth_in);
+ itp->itp_flags &= ~IPSEC_PROTECT_FEAT;
+ }
+
+ /* Propagate flag change into lookup entries */
+ ipsec_tun_protect_rx_db_remove (&ipsec_main, itp);
+ ipsec_tun_protect_rx_db_add (&ipsec_main, itp);
+}
+
+static void
ipsec_tun_protect_adj_delegate_adj_deleted (adj_delegate_t * ad)
{
/* remove our delegate */
@@ -929,6 +972,8 @@ ipsec_tunnel_protect_init (vlib_main_t *vm)
teib_register (&ipsec_tun_teib_vft);
+ vnet_feature_register (ipsec_tun_feature_update, NULL);
+
return 0;
}
diff --git a/src/vnet/ipsec/ipsec_tun.h b/src/vnet/ipsec/ipsec_tun.h
index 070831fdca9..c79fb902dec 100644
--- a/src/vnet/ipsec/ipsec_tun.h
+++ b/src/vnet/ipsec/ipsec_tun.h
@@ -17,10 +17,11 @@
#include <vnet/ipsec/ipsec.h>
-#define foreach_ipsec_protect_flags \
- _(L2, 1, "l2") \
- _(ENCAPED, 2, "encapped") \
- _(ITF, 4, "itf") \
+#define foreach_ipsec_protect_flags \
+ _ (L2, 1, "l2") \
+ _ (ENCAPED, 2, "encapped") \
+ _ (ITF, 4, "itf") \
+ _ (FEAT, 8, "feat")
typedef enum ipsec_protect_flags_t_
{
diff --git a/src/vnet/ipsec/ipsec_tun_in.c b/src/vnet/ipsec/ipsec_tun_in.c
index 6b7abce2866..4f8af006d2b 100644
--- a/src/vnet/ipsec/ipsec_tun_in.c
+++ b/src/vnet/ipsec/ipsec_tun_in.c
@@ -103,7 +103,7 @@ ipsec_ip4_if_no_tunnel (vlib_node_runtime_t * node,
b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL];
b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP4_NO_SUCH_TUNNEL];
}
- return IPSEC_INPUT_NEXT_PUNT;
+ return VNET_DEVICE_INPUT_NEXT_PUNT;
}
always_inline u16
@@ -113,7 +113,7 @@ ipsec_ip6_if_no_tunnel (vlib_node_runtime_t * node,
b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL];
b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP6_NO_SUCH_TUNNEL];
- return (IPSEC_INPUT_NEXT_PUNT);
+ return VNET_DEVICE_INPUT_NEXT_PUNT;
}
always_inline uword
@@ -138,7 +138,9 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
b = bufs;
next = nexts;
- clib_memset_u16 (nexts, im->esp4_decrypt_next_index, n_left_from);
+ clib_memset_u16 (
+ nexts, is_ip6 ? im->esp6_decrypt_next_index : im->esp4_decrypt_next_index,
+ n_left_from);
u64 n_bytes = 0, n_packets = 0;
u32 n_disabled = 0, n_no_tunnel = 0;
@@ -218,7 +220,8 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
b[0]->error =
node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_TOO_SHORT];
- next[0] = IPSEC_INPUT_NEXT_DROP;
+ next[0] = is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP :
+ VNET_DEVICE_INPUT_NEXT_IP4_DROP;
goto trace00;
}
@@ -294,7 +297,8 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
(drop_counter, thread_index, sw_if_index0, 1, len0);
n_disabled++;
b[0]->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_DISABLED];
- next[0] = IPSEC_INPUT_NEXT_DROP;
+ next[0] = is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP :
+ VNET_DEVICE_INPUT_NEXT_IP4_DROP;
goto trace00;
}
else
@@ -319,7 +323,18 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
}
//IPSEC_TUN_PROTECT_NEXT_DECRYPT;
- next[0] = im->esp4_decrypt_tun_next_index;
+ next[0] = is_ip6 ? im->esp6_decrypt_tun_next_index :
+ im->esp4_decrypt_tun_next_index;
+
+ if (itr0.flags & IPSEC_PROTECT_FEAT)
+ {
+ u32 next32;
+ u8 arc = feature_main.device_input_feature_arc_index;
+
+ next32 = next[0];
+ vnet_feature_arc_start (arc, sw_if_index0, &next32, b[0]);
+ next[0] = next32;
+ }
}
trace00:
if (PREDICT_FALSE (is_trace))
@@ -375,13 +390,9 @@ VLIB_REGISTER_NODE (ipsec4_tun_input_node) = {
.vector_size = sizeof (u32),
.format_trace = format_ipsec_tun_protect_input_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(ipsec_tun_protect_input_error_strings),
+ .n_errors = ARRAY_LEN (ipsec_tun_protect_input_error_strings),
.error_strings = ipsec_tun_protect_input_error_strings,
- .n_next_nodes = IPSEC_TUN_PROTECT_N_NEXT,
- .next_nodes = {
- [IPSEC_TUN_PROTECT_NEXT_DROP] = "ip4-drop",
- [IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch",
- }
+ .sibling_of = "device-input",
};
/* *INDENT-ON* */
@@ -398,13 +409,9 @@ VLIB_REGISTER_NODE (ipsec6_tun_input_node) = {
.vector_size = sizeof (u32),
.format_trace = format_ipsec_tun_protect_input_trace,
.type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(ipsec_tun_protect_input_error_strings),
+ .n_errors = ARRAY_LEN (ipsec_tun_protect_input_error_strings),
.error_strings = ipsec_tun_protect_input_error_strings,
- .n_next_nodes = IPSEC_TUN_PROTECT_N_NEXT,
- .next_nodes = {
- [IPSEC_TUN_PROTECT_NEXT_DROP] = "ip6-drop",
- [IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch",
- }
+ .sibling_of = "device-input",
};
/* *INDENT-ON* */