From 4a58e49cfe03150034a65e147a2ffe8d24391b86 Mon Sep 17 00:00:00 2001 From: Neale Ranns Date: Mon, 21 Dec 2020 13:19:10 +0000 Subject: ipsec: Support MPLS over IPSec[46] interface Type: feature Signed-off-by: Neale Ranns Change-Id: I89dc3815eabfee135cd5b3c910dea5e2e2ef1333 --- src/vnet/ipsec/esp.h | 1 + src/vnet/ipsec/esp_decrypt.c | 35 +++++++--- src/vnet/ipsec/esp_encrypt.c | 151 +++++++++++++++++++++++++++++++---------- src/vnet/ipsec/ipsec.c | 46 ++++++------- src/vnet/ipsec/ipsec.h | 27 ++++---- src/vnet/ipsec/ipsec_handoff.c | 21 ++++++ src/vnet/ipsec/ipsec_tun.c | 47 ++++++++----- 7 files changed, 227 insertions(+), 101 deletions(-) (limited to 'src/vnet/ipsec') diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h index 01210157734..d24b5ea4102 100644 --- a/src/vnet/ipsec/esp.h +++ b/src/vnet/ipsec/esp.h @@ -235,6 +235,7 @@ typedef struct u32 esp6_post_next; u32 esp4_tun_post_next; u32 esp6_tun_post_next; + u32 esp_mpls_tun_post_next; } esp_async_post_next_t; extern esp_async_post_next_t esp_encrypt_async_next; diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c index 1390f80a1ba..f5b6232dbd8 100644 --- a/src/vnet/ipsec/esp_decrypt.c +++ b/src/vnet/ipsec/esp_decrypt.c @@ -27,12 +27,13 @@ #include -#define foreach_esp_decrypt_next \ -_(DROP, "error-drop") \ -_(IP4_INPUT, "ip4-input-no-checksum") \ -_(IP6_INPUT, "ip6-input") \ -_(L2_INPUT, "l2-input") \ -_(HANDOFF, "handoff") +#define foreach_esp_decrypt_next \ + _ (DROP, "error-drop") \ + _ (IP4_INPUT, "ip4-input-no-checksum") \ + _ (IP6_INPUT, "ip6-input") \ + _ (L2_INPUT, "l2-input") \ + _ (MPLS_INPUT, "mpls-input") \ + _ (HANDOFF, "handoff") #define _(v, s) ESP_DECRYPT_NEXT_##v, typedef enum 
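Review bot: ESP_DECRYPT_NEXT_MPLS_INPUT is appended after L2_INPUT in foreach_esp_decrypt_next here, but the @@ -42 hunk on the next line inserts MPLS_INPUT before L2_INPUT in foreach_esp_decrypt_post_next, so the two enums no longer number L2_INPUT and MPLS_INPUT identically even though the pre-change lists were kept in lock-step (DROP, IP4_INPUT, IP6_INPUT, L2_INPUT). Nothing on this page shows a value being carried from one enum into the other, so this may be harmless, but if any post-path code does reuse an ESP_DECRYPT_NEXT_* value as a post index a decrypted L2 frame would land in mpls-input (or the reverse) with no error counter. Suggest keeping the order parallel by placing `_ (MPLS_INPUT, "mpls-input")` after `_ (L2_INPUT, "l2-input")` in foreach_esp_decrypt_post_next too.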
@@ -42,11 +43,12 @@ typedef enum ESP_DECRYPT_N_NEXT, } esp_decrypt_next_t; -#define foreach_esp_decrypt_post_next \ -_(DROP, "error-drop") \ -_(IP4_INPUT, "ip4-input-no-checksum") \ -_(IP6_INPUT, "ip6-input") \ -_(L2_INPUT, "l2-input") +#define foreach_esp_decrypt_post_next \ + _ (DROP, "error-drop") \ + _ (IP4_INPUT, "ip4-input-no-checksum") \ + _ (IP6_INPUT, "ip6-input") \ + _ (MPLS_INPUT, "mpls-input") \ + _ (L2_INPUT, "l2-input") #define _(v, s) ESP_DECRYPT_POST_NEXT_##v, typedef enum @@ -913,6 +915,13 @@ esp_decrypt_post_crypto (vlib_main_t * vm, vlib_node_runtime_t * node, b->current_length = pd->current_length - adv; esp_remove_tail (vm, b, lb, tail); } + else if (next_header == IP_PROTOCOL_MPLS_IN_IP) + { + next[0] = ESP_DECRYPT_NEXT_MPLS_INPUT; + b->current_data = pd->current_data + adv; + b->current_length = pd->current_length - adv; + esp_remove_tail (vm, b, lb, tail); + } else { if (is_tun && next_header == IP_PROTOCOL_GRE) @@ -1457,6 +1466,7 @@ VLIB_REGISTER_NODE (esp4_decrypt_node) = { [ESP_DECRYPT_NEXT_DROP] = "ip4-drop", [ESP_DECRYPT_NEXT_IP4_INPUT] = "ip4-input-no-checksum", [ESP_DECRYPT_NEXT_IP6_INPUT] = "ip6-input", + [ESP_DECRYPT_NEXT_MPLS_INPUT] = "mpls-drop", [ESP_DECRYPT_NEXT_L2_INPUT] = "l2-input", [ESP_DECRYPT_NEXT_HANDOFF] = "esp4-decrypt-handoff", }, @@ -1488,6 +1498,7 @@ VLIB_REGISTER_NODE (esp6_decrypt_node) = { [ESP_DECRYPT_NEXT_DROP] = "ip6-drop", [ESP_DECRYPT_NEXT_IP4_INPUT] = "ip4-input-no-checksum", [ESP_DECRYPT_NEXT_IP6_INPUT] = "ip6-input", + [ESP_DECRYPT_NEXT_MPLS_INPUT] = "mpls-drop", [ESP_DECRYPT_NEXT_L2_INPUT] = "l2-input", [ESP_DECRYPT_NEXT_HANDOFF]= "esp6-decrypt-handoff", }, 
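Review bot: The new `else if (next_header == IP_PROTOCOL_MPLS_IN_IP)` branch in esp_decrypt_post_crypto is not gated on `is_tun`, unlike the GRE case immediately below it, so a non-tunnel SA whose decrypted payload claims MPLS is also steered to ESP_DECRYPT_NEXT_MPLS_INPUT. The esp4-decrypt and esp6-decrypt registrations in this file wire that slot to mpls-drop, so the packet is discarded, but it is counted by mpls-drop rather than by whatever esp-decrypt error handling the trailing else branch applies to other unexpected next headers (that branch is outside the hunk, so this is inferred). Suggest `else if (is_tun && next_header == IP_PROTOCOL_MPLS_IN_IP)` so non-tunnel SAs keep the existing handling and the non-tunnel nodes' mpls-drop arcs become unreachable. esp_decrypt_post_crypto begins and ends outside the hunk.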
@@ -1517,6 +1528,7 @@ VLIB_REGISTER_NODE (esp4_decrypt_tun_node) = { [ESP_DECRYPT_NEXT_DROP] = "ip4-drop", [ESP_DECRYPT_NEXT_IP4_INPUT] = "ip4-input-no-checksum", [ESP_DECRYPT_NEXT_IP6_INPUT] = "ip6-input", + [ESP_DECRYPT_NEXT_MPLS_INPUT] = "mpls-input", [ESP_DECRYPT_NEXT_L2_INPUT] = "l2-input", [ESP_DECRYPT_NEXT_HANDOFF] = "esp4-decrypt-tun-handoff", }, @@ -1546,6 +1558,7 @@ VLIB_REGISTER_NODE (esp6_decrypt_tun_node) = { [ESP_DECRYPT_NEXT_DROP] = "ip6-drop", [ESP_DECRYPT_NEXT_IP4_INPUT] = "ip4-input-no-checksum", [ESP_DECRYPT_NEXT_IP6_INPUT] = "ip6-input", + [ESP_DECRYPT_NEXT_MPLS_INPUT] = "mpls-input", [ESP_DECRYPT_NEXT_L2_INPUT] = "l2-input", [ESP_DECRYPT_NEXT_HANDOFF]= "esp6-decrypt-tun-handoff", }, diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index a2316944acd..bd6e7641f4a 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -26,12 +26,14 @@ #include #include -#define foreach_esp_encrypt_next \ -_(DROP4, "ip4-drop") \ -_(DROP6, "ip6-drop") \ -_(HANDOFF4, "handoff4") \ -_(HANDOFF6, "handoff6") \ -_(INTERFACE_OUTPUT, "interface-output") +#define foreach_esp_encrypt_next \ + _ (DROP4, "ip4-drop") \ + _ (DROP6, "ip6-drop") \ + _ (DROP_MPLS, "mpls-drop") \ + _ (HANDOFF4, "handoff4") \ + _ (HANDOFF6, "handoff6") \ + _ (HANDOFF_MPLS, "handoff-mpls") \ + _ (INTERFACE_OUTPUT, "interface-output") #define _(v, s) ESP_ENCRYPT_NEXT_##v, typedef enum @@ -555,8 +557,8 @@ out: } always_inline uword -esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, - vlib_frame_t * frame, int is_ip6, int is_tun, +esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, + vlib_frame_t *frame, vnet_link_t lt, int is_tun, u16 async_next) { ipsec_main_t *im = &ipsec_main; 
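Review bot: The new `vnet_link_t lt` parameter of esp_encrypt_inline replaces the old `is_ip6` flag, but nothing documents which link types are accepted or that VNET_LINK_MPLS is only meaningful together with `is_tun`; the only MPLS caller on this page (esp_mpls_encrypt_tun_node) passes is_tun = 1, and the transport-mode branches in the later hunks test only IP4 and IP6. Suggest a comment above the signature: `/* lt: link type of the inner packet (VNET_LINK_IP4, VNET_LINK_IP6 or VNET_LINK_MPLS). MPLS is supported in tunnel mode only; the transport-mode path assumes an IP header at the buffer's current data. */`. The function body runs past the end of this hunk.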
@@ -578,7 +580,14 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vnet_crypto_async_frame_t *async_frame = 0; int is_async = im->async_mode; vnet_crypto_async_op_id_t last_async_op = ~0; - u16 drop_next = (is_ip6 ? ESP_ENCRYPT_NEXT_DROP6 : ESP_ENCRYPT_NEXT_DROP4); + u16 drop_next = + (lt == VNET_LINK_IP6 ? ESP_ENCRYPT_NEXT_DROP6 : + (lt == VNET_LINK_IP4 ? ESP_ENCRYPT_NEXT_DROP4 : + ESP_ENCRYPT_NEXT_DROP_MPLS)); + u16 handoff_next = (lt == VNET_LINK_IP6 ? + ESP_ENCRYPT_NEXT_HANDOFF6 : + (lt == VNET_LINK_IP4 ? ESP_ENCRYPT_NEXT_HANDOFF4 : + ESP_ENCRYPT_NEXT_HANDOFF_MPLS)); u16 n_async_drop = 0; vlib_get_buffers (vm, from, b, n_left); @@ -672,9 +681,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, if (PREDICT_FALSE (thread_index != sa0->encrypt_thread_index)) { esp_set_next_index (is_async, from, nexts, from[b - bufs], - &n_async_drop, - (is_ip6 ? ESP_ENCRYPT_NEXT_HANDOFF6 : - ESP_ENCRYPT_NEXT_HANDOFF4), next); + &n_async_drop, handoff_next, next); goto trace; } @@ -746,20 +753,30 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, ip6 = (ip6_header_t *) (payload - hdr_len); clib_memcpy_fast (ip6, &sa0->ip6_hdr, sizeof (ip6_header_t)); - if (is_ip6) + if (VNET_LINK_IP6 == lt) { *next_hdr_ptr = IP_PROTOCOL_IPV6; tunnel_encap_fixup_6o6 (sa0->tunnel_flags, (const ip6_header_t *) payload, ip6); } - else + else if (VNET_LINK_IP4 == lt) { *next_hdr_ptr = IP_PROTOCOL_IP_IN_IP; tunnel_encap_fixup_4o6 (sa0->tunnel_flags, (const ip4_header_t *) payload, ip6); } + else if (VNET_LINK_MPLS == lt) + { + *next_hdr_ptr = IP_PROTOCOL_MPLS_IN_IP; + tunnel_encap_fixup_mplso6 ( + sa0->tunnel_flags, (const mpls_unicast_header_t *) payload, + ip6); + } + else + ASSERT (0); + len = payload_len_total + hdr_len - len; ip6->payload_length = clib_net_to_host_u16 (len); } 
@@ -771,20 +788,30 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, ip4 = (ip4_header_t *) (payload - hdr_len); clib_memcpy_fast (ip4, &sa0->ip4_hdr, sizeof (ip4_header_t)); - if (is_ip6) + if (VNET_LINK_IP6 == lt) { *next_hdr_ptr = IP_PROTOCOL_IPV6; tunnel_encap_fixup_6o4_w_chksum (sa0->tunnel_flags, (const ip6_header_t *) payload, ip4); } - else + else if (VNET_LINK_IP4 == lt) { *next_hdr_ptr = IP_PROTOCOL_IP_IN_IP; tunnel_encap_fixup_4o4_w_chksum (sa0->tunnel_flags, (const ip4_header_t *) payload, ip4); } + else if (VNET_LINK_MPLS == lt) + { + *next_hdr_ptr = IP_PROTOCOL_MPLS_IN_IP; + tunnel_encap_fixup_mplso4_w_chksum ( + sa0->tunnel_flags, (const mpls_unicast_header_t *) payload, + ip4); + } + else + ASSERT (0); + len = payload_len_total + hdr_len; esp_update_ip4_hdr (ip4, len, /* is_transport */ 0, 0); } @@ -806,9 +833,10 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, u16 udp_len = 0; u8 *old_ip_hdr = vlib_buffer_get_current (b[0]); - ip_len = is_ip6 ? - esp_get_ip6_hdr_len ((ip6_header_t *) old_ip_hdr, &ext_hdr) : - ip4_header_bytes ((ip4_header_t *) old_ip_hdr); + ip_len = + (VNET_LINK_IP6 == lt ? + esp_get_ip6_hdr_len ((ip6_header_t *) old_ip_hdr, &ext_hdr) : + ip4_header_bytes ((ip4_header_t *) old_ip_hdr)); vlib_buffer_advance (b[0], ip_len); payload = vlib_buffer_get_current (b[0]); @@ -856,7 +884,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, else l2_len = 0; - if (is_ip6) + if (VNET_LINK_IP6 == lt) { ip6_header_t *ip6 = (ip6_header_t *) (old_ip_hdr); if (PREDICT_TRUE (NULL == ext_hdr)) @@ -873,7 +901,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, clib_host_to_net_u16 (payload_len_total + hdr_len - l2_len - sizeof (ip6_header_t)); } - else + else if (VNET_LINK_IP4 == lt) { u16 len; ip4_header_t *ip4 = (ip4_header_t *) (old_ip_hdr); 
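Review bot: In the transport-mode (`!is_tun`) path at @@ -806, `ip_len` is still computed as `VNET_LINK_IP6 == lt ? esp_get_ip6_hdr_len (...) : ip4_header_bytes (...)`, so a VNET_LINK_MPLS instantiation would parse the MPLS label stack as an IPv4 header, and at @@ -873 the outer header length fix-up now runs only for IP4 and IP6, leaving an MPLS packet with neither. This is dead code for the callers on this page because the MPLS node passes is_tun = 1, but nothing in esp_encrypt_inline enforces that pairing. Suggest guarding the transport branch with `ASSERT (VNET_LINK_MPLS != lt);` next to the `ip_len` computation so a future transport-mode MPLS caller fails loudly rather than emitting a malformed packet. esp_encrypt_inline begins and ends outside these hunks.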
@@ -1096,7 +1124,7 @@ VLIB_NODE_FN (esp4_encrypt_node) (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * from_frame) { - return esp_encrypt_inline (vm, node, from_frame, 0 /* is_ip6 */ , 0, + return esp_encrypt_inline (vm, node, from_frame, VNET_LINK_IP4, 0, esp_encrypt_async_next.esp4_post_next); } @@ -1107,17 +1135,17 @@ VLIB_REGISTER_NODE (esp4_encrypt_node) = { .format_trace = format_esp_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), + .n_errors = ARRAY_LEN (esp_encrypt_error_strings), .error_strings = esp_encrypt_error_strings, .n_next_nodes = ESP_ENCRYPT_N_NEXT, - .next_nodes = { - [ESP_ENCRYPT_NEXT_DROP4] = "ip4-drop", - [ESP_ENCRYPT_NEXT_DROP6] = "ip6-drop", - [ESP_ENCRYPT_NEXT_HANDOFF4] = "esp4-encrypt-handoff", - [ESP_ENCRYPT_NEXT_HANDOFF6] = "esp6-encrypt-handoff", - [ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT] = "interface-output" - }, + .next_nodes = { [ESP_ENCRYPT_NEXT_DROP4] = "ip4-drop", + [ESP_ENCRYPT_NEXT_DROP6] = "ip6-drop", + [ESP_ENCRYPT_NEXT_DROP_MPLS] = "mpls-drop", + [ESP_ENCRYPT_NEXT_HANDOFF4] = "esp4-encrypt-handoff", + [ESP_ENCRYPT_NEXT_HANDOFF6] = "esp6-encrypt-handoff", + [ESP_ENCRYPT_NEXT_HANDOFF_MPLS] = "error-drop", + [ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT] = "interface-output" }, }; /* *INDENT-ON* */ @@ -1145,7 +1173,7 @@ VLIB_NODE_FN (esp6_encrypt_node) (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * from_frame) { - return esp_encrypt_inline (vm, node, from_frame, 1 /* is_ip6 */ , 0, + return esp_encrypt_inline (vm, node, from_frame, VNET_LINK_IP6, 0, esp_encrypt_async_next.esp6_post_next); } @@ -1186,7 +1214,7 @@ VLIB_NODE_FN (esp4_encrypt_tun_node) (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * from_frame) { - return esp_encrypt_inline (vm, node, from_frame, 0 /* is_ip6 */ , 1, + return esp_encrypt_inline (vm, node, from_frame, VNET_LINK_IP4, 1, esp_encrypt_async_next.esp4_tun_post_next); } 
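Review bot: esp4_encrypt_node's next_nodes table gains ESP_ENCRYPT_NEXT_DROP_MPLS and ESP_ENCRYPT_NEXT_HANDOFF_MPLS entries, but no hunk in this file touches the esp6_encrypt_node registration, so its table presumably leaves those two slots unnamed while n_next_nodes is ESP_ENCRYPT_N_NEXT. For lt == VNET_LINK_IP6 drop_next and handoff_next never select the MPLS arcs, so this is a consistency point rather than a crash, but naming them keeps the two tables parallel: `[ESP_ENCRYPT_NEXT_DROP_MPLS] = "mpls-drop",` and `[ESP_ENCRYPT_NEXT_HANDOFF_MPLS] = "error-drop",` as done for esp4 here. Separately, collapsing `.next_nodes = { [ESP_ENCRYPT_NEXT_DROP4] = "ip4-drop",` onto one line differs from every other table in the file; keeping `.next_nodes = {` on its own line would match them.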
@@ -1204,8 +1232,10 @@ VLIB_REGISTER_NODE (esp4_encrypt_tun_node) = { .next_nodes = { [ESP_ENCRYPT_NEXT_DROP4] = "ip4-drop", [ESP_ENCRYPT_NEXT_DROP6] = "ip6-drop", + [ESP_ENCRYPT_NEXT_DROP_MPLS] = "mpls-drop", [ESP_ENCRYPT_NEXT_HANDOFF4] = "esp4-encrypt-tun-handoff", - [ESP_ENCRYPT_NEXT_HANDOFF6] = "error-drop", + [ESP_ENCRYPT_NEXT_HANDOFF6] = "esp6-encrypt-tun-handoff", + [ESP_ENCRYPT_NEXT_HANDOFF_MPLS] = "esp-mpls-encrypt-tun-handoff", [ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT] = "adj-midchain-tx", }, }; @@ -1234,7 +1264,7 @@ VLIB_NODE_FN (esp6_encrypt_tun_node) (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_frame_t * from_frame) { - return esp_encrypt_inline (vm, node, from_frame, 1 /* is_ip6 */ , 1, + return esp_encrypt_inline (vm, node, from_frame, VNET_LINK_IP6, 1, esp_encrypt_async_next.esp6_tun_post_next); } @@ -1252,8 +1282,10 @@ VLIB_REGISTER_NODE (esp6_encrypt_tun_node) = { .next_nodes = { [ESP_ENCRYPT_NEXT_DROP4] = "ip4-drop", [ESP_ENCRYPT_NEXT_DROP6] = "ip6-drop", - [ESP_ENCRYPT_NEXT_HANDOFF4] = "error-drop", + [ESP_ENCRYPT_NEXT_DROP_MPLS] = "mpls-drop", + [ESP_ENCRYPT_NEXT_HANDOFF4] = "esp4-encrypt-tun-handoff", [ESP_ENCRYPT_NEXT_HANDOFF6] = "esp6-encrypt-tun-handoff", + [ESP_ENCRYPT_NEXT_HANDOFF_MPLS] = "esp-mpls-encrypt-tun-handoff", [ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT] = "adj-midchain-tx", }, }; 
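Review bot: The esp4-encrypt-tun table changes its ESP_ENCRYPT_NEXT_HANDOFF6 arc from "error-drop" to "esp6-encrypt-tun-handoff", and esp6-encrypt-tun changes HANDOFF4 the same way; neither is an MPLS change and the commit description does not mention them. Both arcs are unreachable for their node's fixed link type, so this is presumably done so that all three tun tables are identical (the post nodes declare `.sibling_of` against one of them). That intent is worth a one-line comment above each table, e.g. `/* every esp*-encrypt-tun node shares one arc layout so the post nodes can be siblings */`.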
@@ -1273,13 +1305,58 @@ VLIB_REGISTER_NODE (esp6_encrypt_tun_post_node) = { .vector_size = sizeof (u32), .format_trace = format_esp_post_encrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, - .sibling_of = "esp6-encrypt-tun", + .sibling_of = "esp-mpls-encrypt-tun", - .n_errors = ARRAY_LEN(esp_encrypt_error_strings), + .n_errors = ARRAY_LEN (esp_encrypt_error_strings), .error_strings = esp_encrypt_error_strings, }; /* *INDENT-ON* */ +VLIB_NODE_FN (esp_mpls_encrypt_tun_node) +(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *from_frame) +{ + return esp_encrypt_inline (vm, node, from_frame, VNET_LINK_MPLS, 1, + esp_encrypt_async_next.esp_mpls_tun_post_next); +} + +VLIB_REGISTER_NODE (esp_mpls_encrypt_tun_node) = { + .name = "esp-mpls-encrypt-tun", + .vector_size = sizeof (u32), + .format_trace = format_esp_encrypt_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + + .n_errors = ARRAY_LEN(esp_encrypt_error_strings), + .error_strings = esp_encrypt_error_strings, + + .n_next_nodes = ESP_ENCRYPT_N_NEXT, + .next_nodes = { + [ESP_ENCRYPT_NEXT_DROP4] = "ip4-drop", + [ESP_ENCRYPT_NEXT_DROP6] = "ip6-drop", + [ESP_ENCRYPT_NEXT_DROP_MPLS] = "mpls-drop", + [ESP_ENCRYPT_NEXT_HANDOFF4] = "esp4-encrypt-tun-handoff", + [ESP_ENCRYPT_NEXT_HANDOFF6] = "esp6-encrypt-tun-handoff", + [ESP_ENCRYPT_NEXT_HANDOFF_MPLS] = "esp-mpls-encrypt-tun-handoff", + [ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT] = "adj-midchain-tx", + }, +}; + +VLIB_NODE_FN (esp_mpls_encrypt_tun_post_node) +(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *from_frame) +{ + return esp_encrypt_post_inline (vm, node, from_frame); +} + +VLIB_REGISTER_NODE (esp_mpls_encrypt_tun_post_node) = { + .name = "esp-mpls-encrypt-tun-post", + .vector_size = sizeof (u32), + .format_trace = format_esp_post_encrypt_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + .sibling_of = "esp-mpls-encrypt-tun", + + .n_errors = ARRAY_LEN (esp_encrypt_error_strings), + .error_strings = esp_encrypt_error_strings, +}; + typedef struct { u32 sa_index; 
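Review bot: esp6_encrypt_tun_post_node's `.sibling_of` changes from "esp6-encrypt-tun" to "esp-mpls-encrypt-tun", the same value the new esp_mpls_encrypt_tun_post_node uses, so the esp6 post node now borrows the MPLS node's arcs. Because the tun tables in this commit are identical it behaves the same, but it reads as a copy/paste slip and ties esp6 to an unrelated node; `.sibling_of = "esp6-encrypt-tun",` is the intended line. The new esp_mpls_encrypt_tun_node registration also uses `ARRAY_LEN(esp_encrypt_error_strings)` without the space that the rest of this commit's clang-format changes introduce, and is not wrapped in the `/* *INDENT-OFF* */` / `/* *INDENT-ON* */` guards that the neighbouring registrations carry.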
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c index 1d92676706a..b63b2a71160 100644 --- a/src/vnet/ipsec/ipsec.c +++ b/src/vnet/ipsec/ipsec.c @@ -208,19 +208,16 @@ ipsec_register_ah_backend (vlib_main_t * vm, ipsec_main_t * im, } u32 -ipsec_register_esp_backend (vlib_main_t * vm, ipsec_main_t * im, - const char *name, - const char *esp4_encrypt_node_name, - const char *esp4_encrypt_node_tun_name, - const char *esp4_decrypt_node_name, - const char *esp4_decrypt_tun_node_name, - const char *esp6_encrypt_node_name, - const char *esp6_encrypt_node_tun_name, - const char *esp6_decrypt_node_name, - const char *esp6_decrypt_tun_node_name, - check_support_cb_t esp_check_support_cb, - add_del_sa_sess_cb_t esp_add_del_sa_sess_cb, - enable_disable_cb_t enable_disable_cb) +ipsec_register_esp_backend ( + vlib_main_t *vm, ipsec_main_t *im, const char *name, + const char *esp4_encrypt_node_name, const char *esp4_encrypt_node_tun_name, + const char *esp4_decrypt_node_name, const char *esp4_decrypt_tun_node_name, + const char *esp6_encrypt_node_name, const char *esp6_encrypt_node_tun_name, + const char *esp6_decrypt_node_name, const char *esp6_decrypt_tun_node_name, + const char *esp_mpls_encrypt_node_tun_name, + check_support_cb_t esp_check_support_cb, + add_del_sa_sess_cb_t esp_add_del_sa_sess_cb, + enable_disable_cb_t enable_disable_cb) { ipsec_esp_backend_t *b; @@ -244,6 +241,8 @@ ipsec_register_esp_backend (vlib_main_t * vm, ipsec_main_t * im, b->esp6_encrypt_tun_node_index = vlib_get_node_by_name (vm, (u8 *) esp6_encrypt_node_tun_name)->index; + b->esp_mpls_encrypt_tun_node_index = + vlib_get_node_by_name (vm, (u8 *) esp_mpls_encrypt_node_tun_name)->index; b->esp4_encrypt_tun_node_index = vlib_get_node_by_name (vm, (u8 *) esp4_encrypt_node_tun_name)->index; 
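Review bot: ipsec_register_esp_backend gains a mandatory `esp_mpls_encrypt_node_tun_name` and immediately does `vlib_get_node_by_name (vm, (u8 *) esp_mpls_encrypt_node_tun_name)->index`, which dereferences a null pointer if a backend passes a node name it never registered; the diff is limited to src/vnet/ipsec, so every other caller of this API has to be updated in step or it will not compile, and one that passes a wrong name will crash at init. The existing node-name arguments have the same unchecked lookup, so the pattern is not new, but the added parameter is exactly where an external backend is likely to get it wrong. Consider storing the lookup result first and checking it, e.g. `vlib_node_t *n = vlib_get_node_by_name (...); ASSERT (n);` before taking `->index`, for the new name at least. The function body continues outside the hunk.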
@@ -326,6 +325,7 @@ ipsec_select_esp_backend (ipsec_main_t * im, u32 backend_idx) im->esp6_decrypt_tun_next_index = b->esp6_decrypt_tun_next_index; im->esp4_encrypt_tun_node_index = b->esp4_encrypt_tun_node_index; im->esp6_encrypt_tun_node_index = b->esp6_encrypt_tun_node_index; + im->esp_mpls_encrypt_tun_node_index = b->esp_mpls_encrypt_tun_node_index; if (b->enable_disable_cb) { @@ -373,6 +373,8 @@ crypto_engine_backend_register_post_node (vlib_main_t * vm) vnet_crypto_register_post_node (vm, "esp4-encrypt-tun-post"); eit->esp6_tun_post_next = vnet_crypto_register_post_node (vm, "esp6-encrypt-tun-post"); + eit->esp_mpls_tun_post_next = + vnet_crypto_register_post_node (vm, "esp-mpls-encrypt-tun-post"); dit = &esp_decrypt_async_next; dit->esp4_post_next = @@ -423,17 +425,11 @@ ipsec_init (vlib_main_t * vm) ASSERT (0 == rv); (void) (rv); // avoid warning - idx = ipsec_register_esp_backend (vm, im, "crypto engine backend", - "esp4-encrypt", - "esp4-encrypt-tun", - "esp4-decrypt", - "esp4-decrypt-tun", - "esp6-encrypt", - "esp6-encrypt-tun", - "esp6-decrypt", - "esp6-decrypt-tun", - ipsec_check_esp_support, - NULL, crypto_dispatch_enable_disable); + idx = ipsec_register_esp_backend ( + vm, im, "crypto engine backend", "esp4-encrypt", "esp4-encrypt-tun", + "esp4-decrypt", "esp4-decrypt-tun", "esp6-encrypt", "esp6-encrypt-tun", + "esp6-decrypt", "esp6-decrypt-tun", "esp-mpls-encrypt-tun", + ipsec_check_esp_support, NULL, crypto_dispatch_enable_disable); im->esp_default_backend = idx; rv = ipsec_select_esp_backend (im, idx); @@ -562,6 +558,8 @@ ipsec_init (vlib_main_t * vm) vlib_frame_queue_main_init (esp4_encrypt_tun_node.index, 0); im->esp6_enc_tun_fq_index = vlib_frame_queue_main_init (esp6_encrypt_tun_node.index, 0); + im->esp_mpls_enc_tun_fq_index = + vlib_frame_queue_main_init (esp_mpls_encrypt_tun_node.index, 0); im->esp4_dec_tun_fq_index = vlib_frame_queue_main_init (esp4_decrypt_tun_node.index, 0); im->esp6_dec_tun_fq_index = 
diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h index 97ef6262f71..c370fb1aed5 100644 --- a/src/vnet/ipsec/ipsec.h +++ b/src/vnet/ipsec/ipsec.h @@ -74,6 +74,7 @@ typedef struct u32 esp6_decrypt_tun_node_index; u32 esp6_decrypt_tun_next_index; u32 esp6_encrypt_tun_node_index; + u32 esp_mpls_encrypt_tun_node_index; } ipsec_esp_backend_t; typedef struct @@ -145,6 +146,7 @@ typedef struct u32 esp6_decrypt_node_index; u32 esp6_decrypt_tun_node_index; u32 esp6_encrypt_tun_node_index; + u32 esp_mpls_encrypt_tun_node_index; u32 ah6_encrypt_node_index; u32 ah6_decrypt_node_index; /* next node indices */ @@ -201,6 +203,7 @@ typedef struct u32 esp6_dec_fq_index; u32 esp4_enc_tun_fq_index; u32 esp6_enc_tun_fq_index; + u32 esp_mpls_enc_tun_fq_index; u32 esp4_dec_tun_fq_index; u32 esp6_dec_tun_fq_index; @@ -231,6 +234,7 @@ extern vlib_node_registration_t esp6_encrypt_node; extern vlib_node_registration_t esp6_decrypt_node; extern vlib_node_registration_t esp4_encrypt_tun_node; extern vlib_node_registration_t esp6_encrypt_tun_node; +extern vlib_node_registration_t esp_mpls_encrypt_tun_node; extern vlib_node_registration_t esp4_decrypt_tun_node; extern vlib_node_registration_t esp6_decrypt_tun_node; extern vlib_node_registration_t ipsec4_tun_input_node; 
@@ -266,19 +270,16 @@ u32 ipsec_register_ah_backend (vlib_main_t * vm, ipsec_main_t * im,
 check_support_cb_t ah_check_support_cb,
 add_del_sa_sess_cb_t ah_add_del_sa_sess_cb);
 
-u32 ipsec_register_esp_backend (vlib_main_t * vm, ipsec_main_t * im,
- const char *name,
- const char *esp4_encrypt_node_name,
- const char *esp4_encrypt_tun_node_name,
- const char *esp4_decrypt_node_name,
- const char *esp4_decrypt_tun_node_name,
- const char *esp6_encrypt_node_name,
- const char *esp6_encrypt_tun_node_name,
- const char *esp6_decrypt_node_name,
- const char *esp6_decrypt_tun_node_name,
- check_support_cb_t esp_check_support_cb,
- add_del_sa_sess_cb_t esp_add_del_sa_sess_cb,
- enable_disable_cb_t enable_disable_cb);
+u32 ipsec_register_esp_backend (
+ vlib_main_t *vm, ipsec_main_t *im, const char *name,
+ const char *esp4_encrypt_node_name, const char *esp4_encrypt_tun_node_name,
+ const char *esp4_decrypt_node_name, const char *esp4_decrypt_tun_node_name,
+ const char *esp6_encrypt_node_name, const char *esp6_encrypt_tun_node_name,
+ const char *esp6_decrypt_node_name, const char *esp6_decrypt_tun_node_name,
+ const char *esp_mpls_encrypt_tun_node_name,
+ check_support_cb_t esp_check_support_cb,
+ add_del_sa_sess_cb_t esp_add_del_sa_sess_cb,
+ enable_disable_cb_t enable_disable_cb);
 
 int ipsec_select_ah_backend (ipsec_main_t * im, u32 ah_backend_idx);
 int ipsec_select_esp_backend (ipsec_main_t * im, u32 esp_backend_idx);
diff --git a/src/vnet/ipsec/ipsec_handoff.c b/src/vnet/ipsec/ipsec_handoff.c
index 4446f1e523a..87eb801f76f 100644
--- a/src/vnet/ipsec/ipsec_handoff.c
+++ b/src/vnet/ipsec/ipsec_handoff.c
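Review bot: The new `esp_mpls_encrypt_tun_node_name` argument of ipsec_register_esp_backend is undocumented in the header, and nothing states that it is required: the implementation in ipsec.c resolves it with vlib_get_node_by_name and dereferences the result, so a backend cannot pass NULL or an unregistered name. Suggest a Doxygen comment above the prototype describing each `*_node_name` argument as the name of an already-registered graph node, stating that all of them, including the MPLS tunnel-encrypt node, must resolve, and saying what a backend without MPLS support is expected to pass for it.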
@@ -220,6 +220,15 @@ VLIB_NODE_FN (esp6_encrypt_tun_handoff) (vlib_main_t * vm,
 true);
 }
 
+VLIB_NODE_FN (esp_mpls_encrypt_tun_handoff)
+(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *from_frame)
+{
+ ipsec_main_t *im = &ipsec_main;
+
+ return ipsec_handoff (vm, node, from_frame, im->esp_mpls_enc_tun_fq_index,
+ true);
+}
+
 VLIB_NODE_FN (esp4_decrypt_handoff) (vlib_main_t * vm,
 vlib_node_runtime_t * node,
 vlib_frame_t * from_frame)
@@ -343,6 +352,18 @@ VLIB_REGISTER_NODE (esp6_encrypt_tun_handoff) = {
 [0] = "error-drop",
 },
 };
+VLIB_REGISTER_NODE (esp_mpls_encrypt_tun_handoff) = {
+ .name = "esp-mpls-encrypt-tun-handoff",
+ .vector_size = sizeof (u32),
+ .format_trace = format_ipsec_handoff_trace,
+ .type = VLIB_NODE_TYPE_INTERNAL,
+ .n_errors = ARRAY_LEN(ipsec_handoff_error_strings),
+ .error_strings = ipsec_handoff_error_strings,
+ .n_next_nodes = 1,
+ .next_nodes = {
+ [0] = "error-drop",
+ },
+};
 VLIB_REGISTER_NODE (esp4_decrypt_handoff) = {
 .name = "esp4-decrypt-handoff",
 .vector_size = sizeof (u32),
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index c3f50a6ffe9..ea60ab44a8c 100644
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
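Review bot: The new esp_mpls_encrypt_tun_handoff registration writes `ARRAY_LEN(ipsec_handoff_error_strings)` while the rest of this commit normalises the macro call to `ARRAY_LEN (...)`, and the bare `true` passed to ipsec_handoff gives the reader no hint which parameter it selects; the neighbouring esp6 node has the same bare literal, so this is style only. Suggest `.n_errors = ARRAY_LEN (ipsec_handoff_error_strings),` and a short trailing comment on the `true` argument naming the ipsec_handoff parameter it binds to.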
@@ -141,33 +141,48 @@ ipsec_tun_protect_get_adj_next (vnet_link_t linkt, { ipsec_main_t *im; ipsec_sa_t *sa; - bool is_ip4; u32 next; - - if (itp->itp_flags & IPSEC_PROTECT_ITF) - is_ip4 = linkt == VNET_LINK_IP4; - else - is_ip4 = ip46_address_is_ip4 (&itp->itp_tun.src); + if (!(itp->itp_flags & IPSEC_PROTECT_ITF)) + { + if (ip46_address_is_ip4 (&itp->itp_tun.src)) + linkt = VNET_LINK_IP4; + else + linkt = VNET_LINK_IP6; + } sa = ipsec_sa_get (itp->itp_out_sa); im = &ipsec_main; + next = 0; if ((sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE && sa->integ_alg == IPSEC_INTEG_ALG_NONE) && !(itp->itp_flags & IPSEC_PROTECT_ITF)) - next = (is_ip4 ? - im->esp4_no_crypto_tun_node_index : - im->esp6_no_crypto_tun_node_index); + next = (VNET_LINK_IP4 == linkt ? im->esp4_no_crypto_tun_node_index : + im->esp6_no_crypto_tun_node_index); else if (itp->itp_flags & IPSEC_PROTECT_L2) - next = (is_ip4 ? - im->esp4_encrypt_l2_tun_node_index : - im->esp6_encrypt_l2_tun_node_index); + next = (VNET_LINK_IP4 == linkt ? im->esp4_encrypt_l2_tun_node_index : + im->esp6_encrypt_l2_tun_node_index); else - next = (is_ip4 ? - im->esp4_encrypt_tun_node_index : - im->esp6_encrypt_tun_node_index); - + { + switch (linkt) + { + case VNET_LINK_IP4: + next = im->esp4_encrypt_tun_node_index; + break; + case VNET_LINK_IP6: + next = im->esp6_encrypt_tun_node_index; + break; + case VNET_LINK_MPLS: + next = im->esp_mpls_encrypt_tun_node_index; + break; + case VNET_LINK_ARP: + case VNET_LINK_NSH: + case VNET_LINK_ETHERNET: + ASSERT (0); + break; + } + } return (next); } -- cgit 1.2.3-korg
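Review bot: `next` is now initialised to 0 before the selection chain, and the `ASSERT (0)` arms for VNET_LINK_ARP/NSH/ETHERNET only `break`, so in a build where ASSERT compiles out the function returns node index 0 and the adjacency is stitched to whichever node holds that index instead of failing; the same would apply to any value added to vnet_link_t later, since the switch has no default. Prefer an explicit invalid value, e.g. `next = ~0;` at the top and `ASSERT (~0 != next);` before `return (next);`, so a mis-typed protect entry cannot silently steer traffic. Also, for a non-ITF entry `linkt` is now overwritten from the SA's tunnel source address family, so the caller's value is ignored on that path; a one-line comment there would save the next reader a double take. ipsec_tun_protect_get_adj_next's signature starts outside the hunk.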