From 7a29a2d400bbc3740a6a98863f290aa654d5f724 Mon Sep 17 00:00:00 2001 From: Brian Russell Date: Mon, 22 Feb 2021 18:42:24 +0000 Subject: ipsec: enable input features on tunnels Make the ipsec[46]-tun-input nodes siblings of device-input so that input features can be enabled on them. Register ipsec-tun for feature updates. When a feature is enabled on the device-input arc and the ifindex is an IPSec tunnel, change the end node of the arc for that ifindex to be the appropriate ESP decrypt node. Set a flag on the tunnel to indicate that the feature arc should be started for packets input on the tunnel. Test input policing on ESP IPSec tunnels. Type: improvement Signed-off-by: Brian Russell Change-Id: I3b9f047e5e737f3ea4c58fc82cd3c15700b6f9f7 --- src/vnet/devices/devices.h | 26 +++-- src/vnet/ipsec/ipsec_tun.c | 45 ++++++++ src/vnet/ipsec/ipsec_tun.h | 9 +- src/vnet/ipsec/ipsec_tun_in.c | 43 ++++---- test/template_ipsec.py | 6 ++ test/test_ipsec_tun_if_esp.py | 236 ++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 335 insertions(+), 30 deletions(-) diff --git a/src/vnet/devices/devices.h b/src/vnet/devices/devices.h index a14c1966e44..e54c7a29130 100644 --- a/src/vnet/devices/devices.h +++ b/src/vnet/devices/devices.h @@ -27,17 +27,27 @@ typedef enum VNET_DEVICE_INPUT_NEXT_MPLS_INPUT, VNET_DEVICE_INPUT_NEXT_ETHERNET_INPUT, VNET_DEVICE_INPUT_NEXT_DROP, + + /* For tunnels */ + VNET_DEVICE_INPUT_NEXT_IP4_DROP, + VNET_DEVICE_INPUT_NEXT_IP6_DROP, + VNET_DEVICE_INPUT_NEXT_PUNT, + VNET_DEVICE_INPUT_N_NEXT_NODES, } vnet_device_input_next_t; -#define VNET_DEVICE_INPUT_NEXT_NODES { \ - [VNET_DEVICE_INPUT_NEXT_DROP] = "error-drop", \ - [VNET_DEVICE_INPUT_NEXT_ETHERNET_INPUT] = "ethernet-input", \ - [VNET_DEVICE_INPUT_NEXT_IP4_NCS_INPUT] = "ip4-input-no-checksum", \ - [VNET_DEVICE_INPUT_NEXT_IP4_INPUT] = "ip4-input", \ - [VNET_DEVICE_INPUT_NEXT_IP6_INPUT] = "ip6-input", \ - [VNET_DEVICE_INPUT_NEXT_MPLS_INPUT] = "mpls-input", \ -} +#define VNET_DEVICE_INPUT_NEXT_NODES \ + { \ + [VNET_DEVICE_INPUT_NEXT_DROP] = "error-drop", \ + [VNET_DEVICE_INPUT_NEXT_ETHERNET_INPUT] = "ethernet-input", \ + [VNET_DEVICE_INPUT_NEXT_IP4_NCS_INPUT] = "ip4-input-no-checksum", \ + [VNET_DEVICE_INPUT_NEXT_IP4_INPUT] = "ip4-input", \ + [VNET_DEVICE_INPUT_NEXT_IP6_INPUT] = "ip6-input", \ + [VNET_DEVICE_INPUT_NEXT_MPLS_INPUT] = "mpls-input", \ + [VNET_DEVICE_INPUT_NEXT_IP4_DROP] = "ip4-drop", \ + [VNET_DEVICE_INPUT_NEXT_IP6_DROP] = "ip6-drop", \ + [VNET_DEVICE_INPUT_NEXT_PUNT] = "punt-dispatch", \ + } typedef struct { diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c index 74340256f38..0b6ec0ea33e 100644 --- a/src/vnet/ipsec/ipsec_tun.c +++ b/src/vnet/ipsec/ipsec_tun.c @@ -778,6 +778,49 @@ ipsec_tun_protect_walk_itf (u32 sw_if_index, fn (idi->id_itp, ctx); } +static void +ipsec_tun_feature_update (u32 sw_if_index, u8 arc_index, u8 is_enable, + void *data) +{ + ipsec_tun_protect_t *itp; + index_t itpi; + + if (arc_index != feature_main.device_input_feature_arc_index) + return; + + /* Only p2p tunnels supported */ + itpi = ipsec_tun_protect_find (sw_if_index, &IP_ADDR_ALL_0); + if (itpi == INDEX_INVALID) + return; + + itp = ipsec_tun_protect_get (itpi); + + if (is_enable) + { + u32 decrypt_tun = ip46_address_is_ip4 (&itp->itp_crypto.dst) ? + ipsec_main.esp4_decrypt_tun_node_index : + ipsec_main.esp6_decrypt_tun_node_index; + + vnet_feature_modify_end_node ( + feature_main.device_input_feature_arc_index, sw_if_index, decrypt_tun); + itp->itp_flags |= IPSEC_PROTECT_FEAT; + } + else + { + u32 eth_in = + vlib_get_node_by_name (vlib_get_main (), (u8 *) "ethernet-input") + ->index; + + vnet_feature_modify_end_node ( + feature_main.device_input_feature_arc_index, sw_if_index, eth_in); + itp->itp_flags &= ~IPSEC_PROTECT_FEAT; + } + + /* Propagate flag change into lookup entries */ + ipsec_tun_protect_rx_db_remove (&ipsec_main, itp); + ipsec_tun_protect_rx_db_add (&ipsec_main, itp); +} + static void ipsec_tun_protect_adj_delegate_adj_deleted (adj_delegate_t * ad) { @@ -929,6 +972,8 @@ ipsec_tunnel_protect_init (vlib_main_t *vm) teib_register (&ipsec_tun_teib_vft); + vnet_feature_register (ipsec_tun_feature_update, NULL); + return 0; } diff --git a/src/vnet/ipsec/ipsec_tun.h b/src/vnet/ipsec/ipsec_tun.h index 070831fdca9..c79fb902dec 100644 --- a/src/vnet/ipsec/ipsec_tun.h +++ b/src/vnet/ipsec/ipsec_tun.h @@ -17,10 +17,11 @@ #include -#define foreach_ipsec_protect_flags \ - _(L2, 1, "l2") \ - _(ENCAPED, 2, "encapped") \ - _(ITF, 4, "itf") \ +#define foreach_ipsec_protect_flags \ + _ (L2, 1, "l2") \ + _ (ENCAPED, 2, "encapped") \ + _ (ITF, 4, "itf") \ + _ (FEAT, 8, "feat") typedef enum ipsec_protect_flags_t_ { diff --git a/src/vnet/ipsec/ipsec_tun_in.c b/src/vnet/ipsec/ipsec_tun_in.c index 6b7abce2866..4f8af006d2b 100644 --- a/src/vnet/ipsec/ipsec_tun_in.c +++ b/src/vnet/ipsec/ipsec_tun_in.c @@ -103,7 +103,7 @@ ipsec_ip4_if_no_tunnel (vlib_node_runtime_t * node, b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL]; b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP4_NO_SUCH_TUNNEL]; } - return IPSEC_INPUT_NEXT_PUNT; + return VNET_DEVICE_INPUT_NEXT_PUNT; } always_inline u16 @@ -113,7 +113,7 @@ ipsec_ip6_if_no_tunnel (vlib_node_runtime_t * node, b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL]; b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP6_NO_SUCH_TUNNEL]; - return (IPSEC_INPUT_NEXT_PUNT); + return VNET_DEVICE_INPUT_NEXT_PUNT; } always_inline uword @@ -138,7 +138,9 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, b = bufs; next = nexts; - clib_memset_u16 (nexts, im->esp4_decrypt_next_index, n_left_from); + clib_memset_u16 ( + nexts, is_ip6 ? im->esp6_decrypt_next_index : im->esp4_decrypt_next_index, + n_left_from); u64 n_bytes = 0, n_packets = 0; u32 n_disabled = 0, n_no_tunnel = 0; @@ -218,7 +220,8 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, b[0]->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_TOO_SHORT]; - next[0] = IPSEC_INPUT_NEXT_DROP; + next[0] = is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP : + VNET_DEVICE_INPUT_NEXT_IP4_DROP; goto trace00; } @@ -294,7 +297,8 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, (drop_counter, thread_index, sw_if_index0, 1, len0); n_disabled++; b[0]->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_DISABLED]; - next[0] = IPSEC_INPUT_NEXT_DROP; + next[0] = is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP : + VNET_DEVICE_INPUT_NEXT_IP4_DROP; goto trace00; } else @@ -319,7 +323,18 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, } //IPSEC_TUN_PROTECT_NEXT_DECRYPT; - next[0] = im->esp4_decrypt_tun_next_index; + next[0] = is_ip6 ? im->esp6_decrypt_tun_next_index : + im->esp4_decrypt_tun_next_index; + + if (itr0.flags & IPSEC_PROTECT_FEAT) + { + u32 next32; + u8 arc = feature_main.device_input_feature_arc_index; + + next32 = next[0]; + vnet_feature_arc_start (arc, sw_if_index0, &next32, b[0]); + next[0] = next32; + } } trace00: if (PREDICT_FALSE (is_trace)) @@ -375,13 +390,9 @@ VLIB_REGISTER_NODE (ipsec4_tun_input_node) = { .vector_size = sizeof (u32), .format_trace = format_ipsec_tun_protect_input_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(ipsec_tun_protect_input_error_strings), + .n_errors = ARRAY_LEN (ipsec_tun_protect_input_error_strings), .error_strings = ipsec_tun_protect_input_error_strings, - .n_next_nodes = IPSEC_TUN_PROTECT_N_NEXT, - .next_nodes = { - [IPSEC_TUN_PROTECT_NEXT_DROP] = "ip4-drop", - [IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch", - } + .sibling_of = "device-input", }; /* *INDENT-ON* */ @@ -398,13 +409,9 @@ VLIB_REGISTER_NODE (ipsec6_tun_input_node) = { .vector_size = sizeof (u32), .format_trace = format_ipsec_tun_protect_input_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(ipsec_tun_protect_input_error_strings), + .n_errors = ARRAY_LEN (ipsec_tun_protect_input_error_strings), .error_strings = ipsec_tun_protect_input_error_strings, - .n_next_nodes = IPSEC_TUN_PROTECT_N_NEXT, - .next_nodes = { - [IPSEC_TUN_PROTECT_NEXT_DROP] = "ip6-drop", - [IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch", - } + .sibling_of = "device-input", }; /* *INDENT-ON* */ diff --git a/test/template_ipsec.py b/test/template_ipsec.py index 0c1f5a19298..48ac270df72 100644 --- a/test/template_ipsec.py +++ b/test/template_ipsec.py @@ -1202,6 +1202,9 @@ class IpsecTun6HandoffTests(IpsecTun6): def test_tun_handoff_66(self): """ ipsec 6o6 tunnel worker hand-off test """ + self.vapi.cli("clear errors") + self.vapi.cli("clear ipsec sa") + N_PKTS = 15 p = self.params[socket.AF_INET6] @@ -1233,6 +1236,9 @@ class IpsecTun4HandoffTests(IpsecTun4): def test_tun_handooff_44(self): """ ipsec 4o4 tunnel worker hand-off test """ + self.vapi.cli("clear errors") + self.vapi.cli("clear ipsec sa") + N_PKTS = 15 p = self.params[socket.AF_INET] diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py index 49c4d63161d..6f7752915d0 100644 --- a/test/test_ipsec_tun_if_esp.py +++ b/test/test_ipsec_tun_if_esp.py @@ -25,6 +25,7 @@ from util import ppp from vpp_papi import VppEnum from vpp_papi_provider import CliFailedCommandError from vpp_acl import AclRule, VppAcl, VppAclInterface +from vpp_policer import PolicerAction, VppPolicer def config_tun_params(p, encryption_type, tun_if, src=None, dst=None): @@ -469,6 +470,71 @@ class TestIpsec6TunIfEspHandoff(TemplateIpsec6TunIfEsp, tun6_encrypt_node_name = "esp6-encrypt-tun" tun6_decrypt_node_name = "esp6-decrypt-tun" + def test_tun_handoff_66_police(self): + """ ESP 6o6 tunnel with policer worker hand-off test """ + self.vapi.cli("clear errors") + self.vapi.cli("clear ipsec sa") + + N_PKTS = 15 + p = self.params[socket.AF_INET6] + + action_tx = PolicerAction( + VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, + 0) + policer = VppPolicer(self, "pol1", 80, 0, 1000, 0, + conform_action=action_tx, + exceed_action=action_tx, + violate_action=action_tx) + policer.add_vpp_config() + + # Start policing on tun + policer.apply_vpp_config(p.tun_if.sw_if_index, True) + + for pol_bind in [1, 0]: + policer.bind_vpp_config(pol_bind, True) + + # inject alternately on worker 0 and 1. + for worker in [0, 1, 0, 1]: + send_pkts = self.gen_encrypt_pkts6(p, p.scapy_tun_sa, + self.tun_if, + src=p.remote_tun_if_host, + dst=self.pg1.remote_ip6, + count=N_PKTS) + recv_pkts = self.send_and_expect(self.tun_if, send_pkts, + self.pg1, worker=worker) + self.verify_decrypted6(p, recv_pkts) + self.logger.debug(self.vapi.cli("show trace max 100")) + + stats = policer.get_stats() + stats0 = policer.get_stats(worker=0) + stats1 = policer.get_stats(worker=1) + + if pol_bind is 1: + # First pass: Worker 1, should have done all the policing + self.assertEqual(stats, stats1) + + # Worker 0, should have handed everything off + self.assertEqual(stats0['conform_packets'], 0) + self.assertEqual(stats0['exceed_packets'], 0) + self.assertEqual(stats0['violate_packets'], 0) + else: + # Second pass: both workers should have policed equal amounts + self.assertGreater(stats1['conform_packets'], 0) + self.assertEqual(stats1['exceed_packets'], 0) + self.assertGreater(stats1['violate_packets'], 0) + + self.assertGreater(stats0['conform_packets'], 0) + self.assertEqual(stats0['exceed_packets'], 0) + self.assertGreater(stats0['violate_packets'], 0) + + self.assertEqual(stats0['conform_packets'] + + stats0['violate_packets'], + stats1['conform_packets'] + + stats1['violate_packets']) + + policer.apply_vpp_config(p.tun_if.sw_if_index, False) + policer.remove_vpp_config() + class TestIpsec4TunIfEspHandoff(TemplateIpsec4TunIfEsp, IpsecTun4HandoffTests): @@ -476,6 +542,71 @@ class TestIpsec4TunIfEspHandoff(TemplateIpsec4TunIfEsp, tun4_encrypt_node_name = "esp4-encrypt-tun" tun4_decrypt_node_name = "esp4-decrypt-tun" + def test_tun_handoff_44_police(self): + """ ESP 4o4 tunnel with policer worker hand-off test """ + self.vapi.cli("clear errors") + self.vapi.cli("clear ipsec sa") + + N_PKTS = 15 + p = self.params[socket.AF_INET] + + action_tx = PolicerAction( + VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, + 0) + policer = VppPolicer(self, "pol1", 80, 0, 1000, 0, + conform_action=action_tx, + exceed_action=action_tx, + violate_action=action_tx) + policer.add_vpp_config() + + # Start policing on tun + policer.apply_vpp_config(p.tun_if.sw_if_index, True) + + for pol_bind in [1, 0]: + policer.bind_vpp_config(pol_bind, True) + + # inject alternately on worker 0 and 1. + for worker in [0, 1, 0, 1]: + send_pkts = self.gen_encrypt_pkts(p, p.scapy_tun_sa, + self.tun_if, + src=p.remote_tun_if_host, + dst=self.pg1.remote_ip4, + count=N_PKTS) + recv_pkts = self.send_and_expect(self.tun_if, send_pkts, + self.pg1, worker=worker) + self.verify_decrypted(p, recv_pkts) + self.logger.debug(self.vapi.cli("show trace max 100")) + + stats = policer.get_stats() + stats0 = policer.get_stats(worker=0) + stats1 = policer.get_stats(worker=1) + + if pol_bind is 1: + # First pass: Worker 1, should have done all the policing + self.assertEqual(stats, stats1) + + # Worker 0, should have handed everything off + self.assertEqual(stats0['conform_packets'], 0) + self.assertEqual(stats0['exceed_packets'], 0) + self.assertEqual(stats0['violate_packets'], 0) + else: + # Second pass: both workers should have policed equal amounts + self.assertGreater(stats1['conform_packets'], 0) + self.assertEqual(stats1['exceed_packets'], 0) + self.assertGreater(stats1['violate_packets'], 0) + + self.assertGreater(stats0['conform_packets'], 0) + self.assertEqual(stats0['exceed_packets'], 0) + self.assertGreater(stats0['violate_packets'], 0) + + self.assertEqual(stats0['conform_packets'] + + stats0['violate_packets'], + stats1['conform_packets'] + + stats1['violate_packets']) + + policer.apply_vpp_config(p.tun_if.sw_if_index, False) + policer.remove_vpp_config() + @tag_fixme_vpp_workers class TestIpsec4MultiTunIfEsp(TemplateIpsec4TunProtect, @@ -2580,6 +2711,56 @@ class TestIpsecItf4(TemplateIpsec, self.unconfig_sa(p) self.unconfig_network(p) + def test_tun_44_police(self): + """IPSEC interface IPv4 with input policer""" + n_pkts = 127 + p = self.ipv4_params + + self.config_network(p) + self.config_sa_tun(p, + self.pg0.local_ip4, + self.pg0.remote_ip4) + self.config_protect(p) + + action_tx = PolicerAction( + VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, + 0) + policer = VppPolicer(self, "pol1", 80, 0, 1000, 0, + conform_action=action_tx, + exceed_action=action_tx, + violate_action=action_tx) + policer.add_vpp_config() + + # Start policing on tun + policer.apply_vpp_config(p.tun_if.sw_if_index, True) + + self.verify_tun_44(p, count=n_pkts) + c = p.tun_if.get_rx_stats() + self.assertEqual(c['packets'], n_pkts) + c = p.tun_if.get_tx_stats() + self.assertEqual(c['packets'], n_pkts) + + stats = policer.get_stats() + + # Single rate, 2 colour policer - expect conform, violate but no exceed + self.assertGreater(stats['conform_packets'], 0) + self.assertEqual(stats['exceed_packets'], 0) + self.assertGreater(stats['violate_packets'], 0) + + # Stop policing on tun + policer.apply_vpp_config(p.tun_if.sw_if_index, False) + self.verify_tun_44(p, count=n_pkts) + + # No new policer stats + statsnew = policer.get_stats() + self.assertEqual(stats, statsnew) + + # teardown + policer.remove_vpp_config() + self.unconfig_protect(p) + self.unconfig_sa(p) + self.unconfig_network(p) + class TestIpsecItf4MPLS(TemplateIpsec, TemplateIpsecItf4, @@ -2822,6 +3003,61 @@ class TestIpsecItf6(TemplateIpsec, self.unconfig_sa(np) self.unconfig_network(p) + def test_tun_66_police(self): + """IPSEC interface IPv6 with input policer""" + tf = VppEnum.vl_api_tunnel_encap_decap_flags_t + n_pkts = 127 + p = self.ipv6_params + p.inner_hop_limit = 24 + p.outer_hop_limit = 23 + p.outer_flow_label = 243224 + p.tun_flags = tf.TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_HOP_LIMIT + + self.config_network(p) + self.config_sa_tun(p, + self.pg0.local_ip6, + self.pg0.remote_ip6) + self.config_protect(p) + + action_tx = PolicerAction( + VppEnum.vl_api_sse2_qos_action_type_t.SSE2_QOS_ACTION_API_TRANSMIT, + 0) + policer = VppPolicer(self, "pol1", 80, 0, 1000, 0, + conform_action=action_tx, + exceed_action=action_tx, + violate_action=action_tx) + policer.add_vpp_config() + + # Start policing on tun + policer.apply_vpp_config(p.tun_if.sw_if_index, True) + + self.verify_tun_66(p, count=n_pkts) + c = p.tun_if.get_rx_stats() + self.assertEqual(c['packets'], n_pkts) + c = p.tun_if.get_tx_stats() + self.assertEqual(c['packets'], n_pkts) + + stats = policer.get_stats() + + # Single rate, 2 colour policer - expect conform, violate but no exceed + self.assertGreater(stats['conform_packets'], 0) + self.assertEqual(stats['exceed_packets'], 0) + self.assertGreater(stats['violate_packets'], 0) + + # Stop policing on tun + policer.apply_vpp_config(p.tun_if.sw_if_index, False) + self.verify_tun_66(p, count=n_pkts) + + # No new policer stats + statsnew = policer.get_stats() + self.assertEqual(stats, statsnew) + + # teardown + policer.remove_vpp_config() + self.unconfig_protect(p) + self.unconfig_sa(p) + self.unconfig_network(p) + class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4): """ Ipsec P2MP ESP v4 tests """ -- cgit 1.2.3-korg