From e8915fc707a03260c05624425f9548d796c089fb Mon Sep 17 00:00:00 2001 From: Neale Ranns Date: Tue, 23 Apr 2019 20:57:55 -0400 Subject: IPSEC; dpdk backend for tunnel interface encryption Change-Id: Ide2a9df18db371c8428855d7f12f246006d7c04c Signed-off-by: Neale Ranns --- src/plugins/dpdk/ipsec/esp_encrypt.c | 77 ++++++++++++++++++++++++++++++++++-- src/plugins/dpdk/ipsec/ipsec.c | 2 + 2 files changed, 75 insertions(+), 4 deletions(-) (limited to 'src/plugins/dpdk') diff --git a/src/plugins/dpdk/ipsec/esp_encrypt.c b/src/plugins/dpdk/ipsec/esp_encrypt.c index 653c158fb94..45a6257f7e8 100644 --- a/src/plugins/dpdk/ipsec/esp_encrypt.c +++ b/src/plugins/dpdk/ipsec/esp_encrypt.c @@ -110,7 +110,7 @@ format_esp_encrypt_trace (u8 * s, va_list * args) always_inline uword dpdk_esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, - vlib_frame_t * from_frame, int is_ip6) + vlib_frame_t * from_frame, int is_ip6, int is_tun) { u32 n_left_from, *from, *to_next, next_index, thread_index; ipsec_main_t *im = &ipsec_main; @@ -210,7 +210,16 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm, sizeof (op[0]) + sizeof (op[0].sym[0]) + sizeof (priv[0]); CLIB_PREFETCH (op, op_len, STORE); - sa_index0 = vnet_buffer (b0)->ipsec.sad_index; + if (is_tun) + { + u32 tmp; + /* we are on a ipsec tunnel's feature arc */ + sa_index0 = *(u32 *) vnet_feature_next_with_data (&tmp, b0, + sizeof + (sa_index0)); + } + else + sa_index0 = vnet_buffer (b0)->ipsec.sad_index; if (sa_index0 != last_sa_index) { @@ -586,7 +595,7 @@ VLIB_NODE_FN (dpdk_esp4_encrypt_node) (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * from_frame) { - return dpdk_esp_encrypt_inline (vm, node, from_frame, 0 /*is_ip6 */ ); + return dpdk_esp_encrypt_inline (vm, node, from_frame, 0 /*is_ip6 */ , 0); } /* *INDENT-OFF* */ @@ -609,7 +618,7 @@ VLIB_NODE_FN (dpdk_esp6_encrypt_node) (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * from_frame) { - return dpdk_esp_encrypt_inline (vm, node, from_frame, 1 /*is_ip6 */ ); + return dpdk_esp_encrypt_inline (vm, node, from_frame, 1 /*is_ip6 */ , 0); } /* *INDENT-OFF* */ @@ -628,6 +637,66 @@ VLIB_REGISTER_NODE (dpdk_esp6_encrypt_node) = { }; /* *INDENT-ON* */ +VLIB_NODE_FN (dpdk_esp4_encrypt_tun_node) (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * from_frame) +{ + return dpdk_esp_encrypt_inline (vm, node, from_frame, 0 /*is_ip6 */ , 1); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (dpdk_esp4_encrypt_tun_node) = { + .name = "dpdk-esp4-encrypt-tun", + .flags = VLIB_NODE_FLAG_IS_OUTPUT, + .vector_size = sizeof (u32), + .format_trace = format_esp_encrypt_trace, + .n_errors = ARRAY_LEN (esp_encrypt_error_strings), + .error_strings = esp_encrypt_error_strings, + .n_next_nodes = 1, + .next_nodes = + { + [ESP_ENCRYPT_NEXT_DROP] = "error-drop", + } +}; + +VNET_FEATURE_INIT (dpdk_esp4_encrypt_tun_feat_node, static) = +{ + .arc_name = "ip4-output", + .node_name = "dpdk-esp4-encrypt-tun", + .runs_before = VNET_FEATURES ("adj-midchain-tx"), +}; +/* *INDENT-ON* */ + +VLIB_NODE_FN (dpdk_esp6_encrypt_tun_node) (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * from_frame) +{ + return dpdk_esp_encrypt_inline (vm, node, from_frame, 1 /*is_ip6 */ , 1); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (dpdk_esp6_encrypt_tun_node) = { + .name = "dpdk-esp6-encrypt-tun", + .flags = VLIB_NODE_FLAG_IS_OUTPUT, + .vector_size = sizeof (u32), + .format_trace = format_esp_encrypt_trace, + .n_errors = ARRAY_LEN (esp_encrypt_error_strings), + .error_strings = esp_encrypt_error_strings, + .n_next_nodes = 1, + .next_nodes = + { + [ESP_ENCRYPT_NEXT_DROP] = "error-drop", + } +}; + +VNET_FEATURE_INIT (dpdk_esp6_encrypt_tun_feat_node, static) = +{ + .arc_name = "ip6-output", + .node_name = "dpdk-esp6-encrypt-tun", + .runs_before = VNET_FEATURES ("adj-midchain-tx"), +}; +/* *INDENT-ON* */ + /* * fd.io coding-style-patch-verification: ON * diff --git a/src/plugins/dpdk/ipsec/ipsec.c b/src/plugins/dpdk/ipsec/ipsec.c index 682bcaf21c8..88fd75dcf1a 100644 --- a/src/plugins/dpdk/ipsec/ipsec.c +++ b/src/plugins/dpdk/ipsec/ipsec.c @@ -1069,8 +1069,10 @@ dpdk_ipsec_process (vlib_main_t * vm, vlib_node_runtime_t * rt, u32 idx = ipsec_register_esp_backend (vm, im, "dpdk backend", "dpdk-esp4-encrypt", + "dpdk-esp4-encrypt-tun", "dpdk-esp4-decrypt", "dpdk-esp6-encrypt", + "dpdk-esp6-encrypt-tun", "dpdk-esp6-decrypt", dpdk_ipsec_check_support, add_del_sa_session); -- cgit 1.2.3-korg