From d4c3666b9aef1050796677320460dee2df44a830 Mon Sep 17 00:00:00 2001 From: Chenmin Sun Date: Mon, 22 Jun 2020 18:21:31 +0800 Subject: flow: add IPSec ESP/AH flow This patch adds the IPSec ESP/AH type flow support Have tested on E810 with Intel iAVF driver Type: feature Signed-off-by: Chenmin Sun Change-Id: I6ab8e69f67c423cc4e33f3c363881a97cdb98c30 --- src/vnet/flow/flow.h | 14 ++++++++++++++ src/vnet/flow/flow_cli.c | 30 +++++++++++++++++++++++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) (limited to 'src/vnet')
diff --git a/src/vnet/flow/flow.h b/src/vnet/flow/flow.h
index a880b8a69be..b5ec7ccd142 100644
--- a/src/vnet/flow/flow.h
+++ b/src/vnet/flow/flow.h
@@ -33,6 +33,8 @@
 _(IP6_N_TUPLE_TAGGED, ip6_n_tuple_tagged, "ipv6-n-tuple-tagged") \
 /* IP tunnel flow */ \
 _(IP4_L2TPV3OIP, ip4_l2tpv3oip, "ipv4-l2tpv3oip") \
+ _(IP4_IPSEC_ESP, ip4_ipsec_esp, "ipv4-ipsec-esp") \
+ _(IP4_IPSEC_AH, ip4_ipsec_ah, "ipv4-ipsec-ah") \
 /* L4 tunnel flow*/ \
 _(IP4_VXLAN, ip4_vxlan, "ipv4-vxlan") \
 _(IP6_VXLAN, ip6_vxlan, "ipv6-vxlan") \
@@ -82,6 +84,18 @@
 _fe(ip_protocol_t, protocol) \
 _fe(u32, session_id)

+#define foreach_flow_entry_ip4_ipsec_esp \
+ _fe(ip4_address_and_mask_t, src_addr) \
+ _fe(ip4_address_and_mask_t, dst_addr) \
+ _fe(ip_protocol_t, protocol) \
+ _fe(u32, spi)
+
+#define foreach_flow_entry_ip4_ipsec_ah \
+ _fe(ip4_address_and_mask_t, src_addr) \
+ _fe(ip4_address_and_mask_t, dst_addr) \
+ _fe(ip_protocol_t, protocol) \
+ _fe(u32, spi)
+
 #define foreach_flow_entry_ip4_vxlan \
 _fe(ip4_address_t, src_addr) \
 _fe(ip4_address_t, dst_addr) \
diff --git a/src/vnet/flow/flow_cli.c b/src/vnet/flow/flow_cli.c
index 364b475dc3e..98007a7723e 100644
--- a/src/vnet/flow/flow_cli.c
+++ b/src/vnet/flow/flow_cli.c
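Review bot: In flow.h, the new `spi` member of `foreach_flow_entry_ip4_ipsec_esp` and `foreach_flow_entry_ip4_ipsec_ah` has no comment stating its byte order. The CLI in this patch fills it directly from a `%u` parse, so it appears to hold a host-order value, and a driver comparing it with the on-wire SPI would have to convert it first; a mismatch would make the rule select a different security association than the one the operator named. I would add `/* spi: host byte order, converted by the flow driver */` above each list once that is confirmed against the driver code, which is not part of this patch. The two field lists are also identical and could share one definition.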
@@ -276,11 +276,12 @@ test_flow (vlib_main_t * vm, unformat_input_t * input,
 } action = FLOW_UNKNOWN_ACTION;
 u32 hw_if_index = ~0, flow_index = ~0;
 int rv;
- u32 prot = 0, teid = 0, session_id = 0;
+ u32 prot = 0, teid = 0, session_id = 0, spi = 0;
 vnet_flow_type_t type = VNET_FLOW_TYPE_IP4_N_TUPLE;
 bool is_gtpc_set = false;
 bool is_gtpu_set = false;
 bool is_l2tpv3oip_set = false;
+ bool is_ipsec_esp_set = false, is_ipsec_ah_set = false;
 vnet_flow_type_t outer_type = VNET_FLOW_TYPE_UNKNOWN;
 vnet_flow_type_t inner_type = VNET_FLOW_TYPE_UNKNOWN;
 bool outer_ip4_set = false, inner_ip4_set = false;
@@ -363,6 +364,13 @@ test_flow (vlib_main_t * vm, unformat_input_t * input,
 if (prot == IP_PROTOCOL_L2TP)
 is_l2tpv3oip_set = true;
 }
+ else if (unformat (line_input, "spi %u", &spi))
+ {
+ if (prot == IP_PROTOCOL_IPSEC_ESP)
+ is_ipsec_esp_set = true;
+ else if (prot == IP_PROTOCOL_IPSEC_AH)
+ is_ipsec_ah_set = true;
+ }
 else if (unformat (line_input, "index %u", &flow_index))
 ;
 else if (unformat (line_input, "next-node %U", unformat_vlib_node, vm,
@@ -489,6 +497,10 @@ test_flow (vlib_main_t * vm, unformat_input_t * input,
 type = VNET_FLOW_TYPE_IP4_GTPU;
 else if (is_l2tpv3oip_set)
 type = VNET_FLOW_TYPE_IP4_L2TPV3OIP;
+ else if (is_ipsec_esp_set)
+ type = VNET_FLOW_TYPE_IP4_IPSEC_ESP;
+ else if (is_ipsec_ah_set)
+ type = VNET_FLOW_TYPE_IP4_IPSEC_AH;
 }
 else if (inner_type == VNET_FLOW_TYPE_IP4_N_TUPLE)
 {
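Review bot: In the `spi %u` branch of the `@@ -363` hunk, `is_ipsec_esp_set` and `is_ipsec_ah_set` are set only if `prot` already holds ESP or AH at the moment `spi` is parsed, so the outcome depends on argument order. When `spi` comes before the protocol, or is combined with any other protocol, the SPI is dropped without an error and the chain in the `@@ -489` hunk leaves `type` at whatever else it selects (it is initialised to `VNET_FLOW_TYPE_IP4_N_TUPLE`), so the installed rule can be broader than the one requested. Recording only that an SPI was seen (`is_spi_set = true;`) and checking `prot` after the parse loop, with a `clib_error_return` when it is neither ESP nor AH, would remove the ordering dependence. The L2TP branch just above has the same shape; the parse loop and the parsing of `prot` are outside these hunks.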
@@ -539,6 +551,22 @@ test_flow (vlib_main_t * vm, unformat_input_t * input,
 flow.ip4_l2tpv3oip.protocol = prot;
 flow.ip4_l2tpv3oip.session_id = session_id;
 break;
+ case VNET_FLOW_TYPE_IP4_IPSEC_ESP:
+ clib_memcpy (&flow.ip4_ipsec_esp.src_addr, &ip4s,
+ sizeof (ip4_address_and_mask_t));
+ clib_memcpy (&flow.ip4_ipsec_esp.dst_addr, &ip4d,
+ sizeof (ip4_address_and_mask_t));
+ flow.ip4_ipsec_esp.protocol = prot;
+ flow.ip4_ipsec_esp.spi = spi;
+ break;
+ case VNET_FLOW_TYPE_IP4_IPSEC_AH:
+ clib_memcpy (&flow.ip4_ipsec_ah.src_addr, &ip4s,
+ sizeof (ip4_address_and_mask_t));
+ clib_memcpy (&flow.ip4_ipsec_ah.dst_addr, &ip4d,
+ sizeof (ip4_address_and_mask_t));
+ flow.ip4_ipsec_ah.protocol = prot;
+ flow.ip4_ipsec_ah.spi = spi;
+ break;
 case VNET_FLOW_TYPE_IP4_N_TUPLE:
 case VNET_FLOW_TYPE_IP4_GTPC:
 case VNET_FLOW_TYPE_IP4_GTPU:
-- cgit 1.2.3-korg
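Review bot: Both new cases pass `sizeof (ip4_address_and_mask_t)` to `clib_memcpy`, which names a type rather than the object being written. If the flow entry field or `ip4s`/`ip4d` (declared outside this hunk) ever changes type, the copy length silently stops matching the destination. `sizeof (flow.ip4_ipsec_esp.src_addr)` ties the length to the destination, or, if both sides really are `ip4_address_and_mask_t`, plain assignment `flow.ip4_ipsec_esp.src_addr = ip4s;` removes the length altogether. The ESP and AH cases also differ only in the union member they fill; the switch continues outside the hunk.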