From 27518c2ffd0ef75e973a64870da0e3339f39ccce Mon Sep 17 00:00:00 2001 From: Nick Zavaritsky Date: Thu, 27 Feb 2020 15:54:58 +0000 Subject: geneve gtpu vxlan vxlan-gpe: VRF-aware bypass node MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bypass node MUST NOT intercept a packet if destination IP doesn’t match a local address. However IP address interpretation depends on the VRF, hence bypass node must take that into account. This patch also factors-out common VTEP management and checking code. Type: improvement Signed-off-by: Nick Zavaritsky Change-Id: I5665d94882bbf45d15f8da140c7ada528ec7fa94 --- src/plugins/gtpu/gtpu.c | 41 ++++------------------- src/plugins/gtpu/gtpu.h | 4 +-- src/plugins/gtpu/gtpu_decap.c | 75 ++++++++++++------------------------------- 3 files changed, 30 insertions(+), 90 deletions(-) (limited to 'src/plugins/gtpu') diff --git a/src/plugins/gtpu/gtpu.c b/src/plugins/gtpu/gtpu.c index 0abac0053db..baa4d2481e2 100644 --- a/src/plugins/gtpu/gtpu.c +++ b/src/plugins/gtpu/gtpu.c 
@@ -298,35 +298,6 @@ gtpu_decap_next_is_valid (gtpu_main_t * gtm, u32 is_ip6, u32 decap_next_index) return decap_next_index < r->n_next_nodes; } -static uword -vtep_addr_ref (ip46_address_t * ip) -{ - uword *vtep = ip46_address_is_ip4 (ip) ? - hash_get (gtpu_main.vtep4, ip->ip4.as_u32) : - hash_get_mem (gtpu_main.vtep6, &ip->ip6); - if (vtep) - return ++(*vtep); - ip46_address_is_ip4 (ip) ? - hash_set (gtpu_main.vtep4, ip->ip4.as_u32, 1) : - hash_set_mem_alloc (>pu_main.vtep6, &ip->ip6, 1); - return 1; -} - -static uword -vtep_addr_unref (ip46_address_t * ip) -{ - uword *vtep = ip46_address_is_ip4 (ip) ? - hash_get (gtpu_main.vtep4, ip->ip4.as_u32) : - hash_get_mem (gtpu_main.vtep6, &ip->ip6); - ALWAYS_ASSERT (vtep); - if (--(*vtep) != 0) - return *vtep; - ip46_address_is_ip4 (ip) ? - hash_unset (gtpu_main.vtep4, ip->ip4.as_u32) : - hash_unset_mem_free (>pu_main.vtep6, &ip->ip6); - return 0; -} - typedef CLIB_PACKED (union { struct @@ -498,7 +469,7 @@ int vnet_gtpu_add_del_tunnel * when the forwarding for the entry updates, and the tunnel can * re-stack accordingly */ - vtep_addr_ref (&t->src); + vtep_addr_ref (>m->vtep_table, t->encap_fib_index, &t->src); t->fib_entry_index = fib_entry_track (t->encap_fib_index, &tun_dst_pfx, gtm->fib_node_type, @@ -515,7 +486,8 @@ int vnet_gtpu_add_del_tunnel */ fib_protocol_t fp = fib_ip_proto (is_ip6); - if (vtep_addr_ref (&t->dst) == 1) + if (vtep_addr_ref (>m->vtep_table, + t->encap_fib_index, &t->dst) == 1) { fib_node_index_t mfei; adj_index_t ai; @@ -608,10 +580,11 @@ int vnet_gtpu_add_del_tunnel if (t->flow_index != ~0) vnet_flow_del (vnm, t->flow_index); - vtep_addr_unref (&t->src); + vtep_addr_unref (>m->vtep_table, t->encap_fib_index, &t->src); fib_entry_untrack (t->fib_entry_index, t->sibling_index); } - else if (vtep_addr_unref (&t->dst) == 0) + else if (vtep_addr_unref (>m->vtep_table, + t->encap_fib_index, &t->dst) == 0) { mcast_shared_remove (&t->dst); } 
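Review bot: In the multicast branch the first-reference test `vtep_addr_ref (...) == 1` is now counted per (encap_fib_index, dst) pair, but the delete hunk still calls `mcast_shared_remove (&t->dst)` with the address alone, and gtpu.h describes `mcast_shared` as keyed on the mcast ip46 address. Two tunnels to the same group in different encap FIBs would each see a count of 1 and each run the first-reference block, and whichever is deleted first would reach a count of 0 and remove shared state the other tunnel presumably still uses. Either key the shared multicast state on the same (fib index, address) pair or keep an address-only count for it; at minimum record the mismatch next to the check, e.g. `/* NOTE: ref count is per (fib, addr) but mcast_shared is per addr */`. The enclosing vnet_gtpu_add_del_tunnel starts and ends outside these hunks.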
@@ -1243,7 +1216,7 @@ gtpu_init (vlib_main_t * vm) gtm->gtpu6_tunnel_by_key = hash_create_mem (0, sizeof (gtpu6_tunnel_key_t), sizeof (uword)); - gtm->vtep6 = hash_create_mem (0, sizeof (ip6_address_t), sizeof (uword)); + gtm->vtep_table = vtep_table_create (); gtm->mcast_shared = hash_create_mem (0, sizeof (ip46_address_t), sizeof (mcast_shared_t)); diff --git a/src/plugins/gtpu/gtpu.h b/src/plugins/gtpu/gtpu.h index 1d47f2d1b93..6a758ee6847 100644 --- a/src/plugins/gtpu/gtpu.h +++ b/src/plugins/gtpu/gtpu.h @@ -23,6 +23,7 @@ #include #include #include +#include #include #include #include @@ -210,8 +211,7 @@ typedef struct /* local VTEP IPs ref count used by gtpu-bypass node to check if received gtpu packet DIP matches any local VTEP address */ - uword *vtep4; /* local ip4 VTEPs keyed on their ip4 addr */ - uword *vtep6; /* local ip6 VTEPs keyed on their ip6 addr */ + vtep_table_t vtep_table; /* mcast shared info */ uword *mcast_shared; /* keyed on mcast ip46 addr */ diff --git a/src/plugins/gtpu/gtpu_decap.c b/src/plugins/gtpu/gtpu_decap.c index 99af7300025..4193e89c008 100644 --- a/src/plugins/gtpu/gtpu_decap.c +++ b/src/plugins/gtpu/gtpu_decap.c @@ -51,20 +51,7 @@ static u8 * format_gtpu_rx_trace (u8 * s, va_list * args) always_inline u32 validate_gtpu_fib (vlib_buffer_t *b, gtpu_tunnel_t *t, u32 is_ip4) { - u32 fib_index, sw_if_index; - - sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX]; - - if (is_ip4) - fib_index = (vnet_buffer (b)->sw_if_index[VLIB_TX] == (u32) ~ 0) ? - vec_elt (ip4_main.fib_index_by_sw_if_index, sw_if_index) : - vnet_buffer (b)->sw_if_index[VLIB_TX]; - else - fib_index = (vnet_buffer (b)->sw_if_index[VLIB_TX] == (u32) ~ 0) ? - vec_elt (ip6_main.fib_index_by_sw_if_index, sw_if_index) : - vnet_buffer (b)->sw_if_index[VLIB_TX]; - - return (fib_index == t->encap_fib_index); + return t->encap_fib_index == vlib_buffer_get_ip_fib_index (b, is_ip4); } always_inline uword 
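Review bot: The comment kept above the new `vtep_table` field in gtpu.h still describes a match on the destination IP alone, which is no longer the rule the bypass node is meant to enforce. Suggest rewording it to `/* local VTEP ref counts keyed on (fib index, IP); gtpu-bypass uses them to check that a received packet's DIP is a local VTEP address in that packet's FIB */`. The struct continues outside the hunk.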
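Review bot: validate_gtpu_fib in gtpu_decap.c now depends entirely on `vlib_buffer_get_ip_fib_index` to reproduce the removed logic, which used `sw_if_index[VLIB_TX]` when it was set and otherwise the FIB of the RX interface. That helper is not part of this diff, so the equivalence should be confirmed, because this comparison is what rejects a tunnel packet that arrives in a different VRF from the tunnel's. The function also has no comment; something like `/* accept only if the packet's FIB (TX override, else RX interface FIB) equals the tunnel's encap FIB */` above the return would keep the rule visible now that the details live elsewhere.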
@@ -813,8 +800,10 @@ ip_gtpu_bypass_inline (vlib_main_t * vm, gtpu_main_t * gtm = >pu_main; u32 * from, * to_next, n_left_from, n_left_to_next, next_index; vlib_node_runtime_t * error_node = vlib_node_get_runtime (vm, ip4_input_node.index); - ip4_address_t addr4; /* last IPv4 address matching a local VTEP address */ - ip6_address_t addr6; /* last IPv6 address matching a local VTEP address */ + vtep4_key_t last_vtep4; /* last IPv4 address / fib index + matching a local VTEP address */ + vtep6_key_t last_vtep6; /* last IPv6 address / fib index + matching a local VTEP address */ from = vlib_frame_vector_args (frame); n_left_from = frame->n_vectors; @@ -823,8 +812,10 @@ ip_gtpu_bypass_inline (vlib_main_t * vm, if (node->flags & VLIB_NODE_FLAG_TRACE) ip4_forward_next_trace (vm, node, frame, VLIB_TX); - if (is_ip4) addr4.data_u32 = ~0; - else ip6_address_set_zero (&addr6); + if (is_ip4) + vtep4_key_init (&last_vtep4); + else + vtep6_key_init (&last_vtep6); while (n_left_from > 0) { @@ -908,21 +899,13 @@ ip_gtpu_bypass_inline (vlib_main_t * vm, /* Validate DIP against VTEPs*/ if (is_ip4) { - if (addr4.as_u32 != ip40->dst_address.as_u32) - { - if (!hash_get (gtm->vtep4, ip40->dst_address.as_u32)) - goto exit0; /* no local VTEP for GTPU packet */ - addr4 = ip40->dst_address; - } + if (!vtep4_check (>m->vtep_table, b0, ip40, &last_vtep4)) + goto exit0; /* no local VTEP for GTPU packet */ } else { - if (!ip6_address_is_equal (&addr6, &ip60->dst_address)) - { - if (!hash_get_mem (gtm->vtep6, &ip60->dst_address)) - goto exit0; /* no local VTEP for GTPU packet */ - addr6 = ip60->dst_address; - } + if (!vtep6_check (>m->vtep_table, b0, ip60, &last_vtep6)) + goto exit0; /* no local VTEP for GTPU packet */ } flags0 = b0->flags; 
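Review bot: The one-entry cache `last_vtep4`/`last_vtep6` now takes part in the VRF decision at the `vtep4_check`/`vtep6_check` call sites, and since the helpers are not in this diff it is not visible here that a cache hit requires the FIB index to match as well as the address. If the cached key were compared on address only, a packet with the same DIP arriving in another VRF right after a matching one would skip the table lookup and be taken by the bypass path. Worth confirming in the helper and stating at the first call site, e.g. `/* hit on last_vtep4 requires same DIP and same fib index */`; the same applies to the identical checks in the hunks at -990 and -1108. ip_gtpu_bypass_inline starts and ends outside these hunks.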
@@ -990,21 +973,13 @@ ip_gtpu_bypass_inline (vlib_main_t * vm, /* Validate DIP against VTEPs*/ if (is_ip4) { - if (addr4.as_u32 != ip41->dst_address.as_u32) - { - if (!hash_get (gtm->vtep4, ip41->dst_address.as_u32)) - goto exit1; /* no local VTEP for GTPU packet */ - addr4 = ip41->dst_address; - } + if (!vtep4_check (>m->vtep_table, b1, ip41, &last_vtep4)) + goto exit1; /* no local VTEP for GTPU packet */ } else { - if (!ip6_address_is_equal (&addr6, &ip61->dst_address)) - { - if (!hash_get_mem (gtm->vtep6, &ip61->dst_address)) - goto exit1; /* no local VTEP for GTPU packet */ - addr6 = ip61->dst_address; - } + if (!vtep6_check (>m->vtep_table, b1, ip61, &last_vtep6)) + goto exit1; /* no local VTEP for GTPU packet */ } flags1 = b1->flags; @@ -1108,21 +1083,13 @@ ip_gtpu_bypass_inline (vlib_main_t * vm, /* Validate DIP against VTEPs*/ if (is_ip4) { - if (addr4.as_u32 != ip40->dst_address.as_u32) - { - if (!hash_get (gtm->vtep4, ip40->dst_address.as_u32)) - goto exit; /* no local VTEP for GTPU packet */ - addr4 = ip40->dst_address; - } + if (!vtep4_check (>m->vtep_table, b0, ip40, &last_vtep4)) + goto exit; /* no local VTEP for GTPU packet */ } else { - if (!ip6_address_is_equal (&addr6, &ip60->dst_address)) - { - if (!hash_get_mem (gtm->vtep6, &ip60->dst_address)) - goto exit; /* no local VTEP for GTPU packet */ - addr6 = ip60->dst_address; - } + if (!vtep6_check (>m->vtep_table, b0, ip60, &last_vtep6)) + goto exit; /* no local VTEP for GTPU packet */ } flags0 = b0->flags; -- cgit 1.2.3-korg