ipsec: fix transpose local ip range position with remote ip range in fast path implementation

In fast path implementation of spd policy lookup opposite convention to the original implementation has been applied and local ip range has been interchanged with the remote ip range. This fix addresses this issue. Type: fix Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: I0b6cccc80bf52b34524e98cfd1f1d542008bb7d0
2022-10-21 15:48:55 +00:00
parent e917bf75d9
commit 1d9780a43f
3 changed files with 48 additions and 45 deletions
--- a/src/vnet/ipsec/ipsec_input.c
+++ b/src/vnet/ipsec/ipsec_input.c
@ -153,24 +153,24 @@ ipsec4_input_spd_find_flow_cache_entry (ipsec_main_t *im, u32 sa, u32 da,
 }

 always_inline void
-ipsec_fp_in_5tuple_from_ip4_range (ipsec_fp_5tuple_t *tuple, u32 la, u32 ra,
+ipsec_fp_in_5tuple_from_ip4_range (ipsec_fp_5tuple_t *tuple, u32 sa, u32 da,
 				   u32 spi, u8 action)
 {
  clib_memset (tuple->l3_zero_pad, 0, sizeof (tuple->l3_zero_pad));
-  tuple->laddr.as_u32 = la;
-  tuple->raddr.as_u32 = ra;
+  tuple->laddr.as_u32 = da;
+  tuple->raddr.as_u32 = sa;
  tuple->spi = spi;
  tuple->action = action;
  tuple->is_ipv6 = 0;
 }

 always_inline void
-ipsec_fp_in_5tuple_from_ip6_range (ipsec_fp_5tuple_t *tuple, ip6_address_t *la,
-				   ip6_address_t *ra, u32 spi, u8 action)
+ipsec_fp_in_5tuple_from_ip6_range (ipsec_fp_5tuple_t *tuple, ip6_address_t *sa,
+				   ip6_address_t *da, u32 spi, u8 action)

 {
-  clib_memcpy (&tuple->ip6_laddr, la, sizeof (ip6_address_t));
-  clib_memcpy (&tuple->ip6_raddr, ra, sizeof (ip6_address_t));
+  clib_memcpy (&tuple->ip6_laddr, da, sizeof (ip6_address_t));
+  clib_memcpy (&tuple->ip6_raddr, sa, sizeof (ip6_address_t));

  tuple->spi = spi;
  tuple->action = action;
--- a/src/vnet/ipsec/ipsec_spd_fp_lookup.h
+++ b/src/vnet/ipsec/ipsec_spd_fp_lookup.h
@ -97,8 +97,8 @@ static_always_inline int
 single_rule_in_match_5tuple (ipsec_policy_t *policy, ipsec_fp_5tuple_t *match)
 {

-  u32 sa = clib_net_to_host_u32 (match->laddr.as_u32);
-  u32 da = clib_net_to_host_u32 (match->raddr.as_u32);
+  u32 da = clib_net_to_host_u32 (match->laddr.as_u32);
+  u32 sa = clib_net_to_host_u32 (match->raddr.as_u32);

  if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
    {
@ -118,16 +118,16 @@ single_rule_in_match_5tuple (ipsec_policy_t *policy, ipsec_fp_5tuple_t *match)
    }
  else
    {
-      if (da < clib_net_to_host_u32 (policy->raddr.start.ip4.as_u32))
+      if (sa < clib_net_to_host_u32 (policy->raddr.start.ip4.as_u32))
 	return (0);

-      if (da > clib_net_to_host_u32 (policy->raddr.stop.ip4.as_u32))
+      if (sa > clib_net_to_host_u32 (policy->raddr.stop.ip4.as_u32))
 	return (0);

-      if (sa < clib_net_to_host_u32 (policy->laddr.start.ip4.as_u32))
+      if (da < clib_net_to_host_u32 (policy->laddr.start.ip4.as_u32))
 	return (0);

-      if (sa > clib_net_to_host_u32 (policy->laddr.stop.ip4.as_u32))
+      if (da > clib_net_to_host_u32 (policy->laddr.stop.ip4.as_u32))
 	return (0);
    }
  return (1);
--- a/test/test_ipsec_spd_fp_input.py
+++ b/test/test_ipsec_spd_fp_input.py
@ -118,7 +118,10 @@ class IPSec4SpdTestCaseBypass(SpdFastPathInbound):

        # create input rules
        # bypass rule should take precedence over discard rule,
-        # even though it's lower priority
+        # even though it's lower priority, because for input policies
+        # matching PROTECT policies precedes matching BYPASS policies
+        # which preceeds matching for DISCARD policies.
+        # Any hit stops the process.
        policy_0 = self.spd_add_rem_policy(  # inbound, priority 10
            1,
            self.pg1,
@ -128,10 +131,10 @@ class IPSec4SpdTestCaseBypass(SpdFastPathInbound):
            priority=10,
            policy_type="bypass",
            ip_range=True,
-            local_ip_start=self.pg0.remote_ip4,
-            local_ip_stop=self.pg0.remote_ip4,
-            remote_ip_start=self.pg1.remote_ip4,
-            remote_ip_stop=self.pg1.remote_ip4,
+            local_ip_start=self.pg1.remote_ip4,
+            local_ip_stop=self.pg1.remote_ip4,
+            remote_ip_start=self.pg0.remote_ip4,
+            remote_ip_stop=self.pg0.remote_ip4,
        )
        policy_1 = self.spd_add_rem_policy(  # inbound, priority 15
            1,
@ -142,10 +145,10 @@ class IPSec4SpdTestCaseBypass(SpdFastPathInbound):
            priority=15,
            policy_type="discard",
            ip_range=True,
-            local_ip_start=self.pg0.remote_ip4,
-            local_ip_stop=self.pg0.remote_ip4,
-            remote_ip_start=self.pg1.remote_ip4,
-            remote_ip_stop=self.pg1.remote_ip4,
+            local_ip_start=self.pg1.remote_ip4,
+            local_ip_stop=self.pg1.remote_ip4,
+            remote_ip_start=self.pg0.remote_ip4,
+            remote_ip_stop=self.pg0.remote_ip4,
        )

        # create output rule so we can capture forwarded packets
@ -204,8 +207,8 @@ class IPSec4SpdTestCaseDiscard(SpdFastPathInbound):
        # even though it's lower priority
        policy_0 = self.spd_add_rem_policy(  # inbound, priority 10
            1,
-            self.pg0,
            self.pg1,
+            self.pg0,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=10,
@ -215,8 +218,8 @@ class IPSec4SpdTestCaseDiscard(SpdFastPathInbound):
        # create output rule so we can capture forwarded packets
        policy_1 = self.spd_add_rem_policy(  # outbound, priority 10
            1,
-            self.pg0,
            self.pg1,
+            self.pg0,
            socket.IPPROTO_UDP,
            is_out=1,
            priority=10,
@ -268,8 +271,8 @@ class IPSec4SpdTestCaseProtect(SpdFastPathInboundProtect):
            p,
            p.scapy_tra_sa,
            self.tra_if,
-            src=self.tra_if.local_ip4,
-            dst=self.tra_if.remote_ip4,
+            src=self.tra_if.remote_ip4,
+            dst=self.tra_if.local_ip4,
            count=pkt_count,
            payload_size=payload_size,
        )
@ -326,10 +329,10 @@ class IPSec4SpdTestCaseAddIPRange(SpdFastPathInbound):
            priority=10,
            policy_type="bypass",
            ip_range=True,
-            local_ip_start=s_ip_s0,
-            local_ip_stop=s_ip_e0,
-            remote_ip_start=d_ip_s0,
-            remote_ip_stop=d_ip_e0,
+            local_ip_start=d_ip_s0,
+            local_ip_stop=d_ip_e0,
+            remote_ip_start=s_ip_s0,
+            remote_ip_stop=s_ip_e0,
        )
        policy_1 = self.spd_add_rem_policy(  # outbound, priority 5
            1,
@ -478,8 +481,8 @@ class IPSec4SpdTestCaseRemove(SpdFastPathInbound):
        self.spd_create_and_intf_add(1, [self.pg0, self.pg1])
        policy_0 = self.spd_add_rem_policy(  # inbound, priority 10
            1,
-            self.pg0,
            self.pg1,
+            self.pg0,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=10,
@ -487,8 +490,8 @@ class IPSec4SpdTestCaseRemove(SpdFastPathInbound):
        )
        policy_1 = self.spd_add_rem_policy(  # inbound, priority 5
            1,
-            self.pg0,
            self.pg1,
+            self.pg0,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=5,
@ -533,8 +536,8 @@ class IPSec4SpdTestCaseRemove(SpdFastPathInbound):
        # now remove the bypass rule
        self.spd_add_rem_policy(  # outbound, priority 10
            1,
-            self.pg0,
            self.pg1,
+            self.pg0,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=10,
@ -579,8 +582,8 @@ class IPSec4SpdTestCaseReadd(SpdFastPathInbound):
        self.spd_create_and_intf_add(1, [self.pg0, self.pg1])
        policy_0 = self.spd_add_rem_policy(  # inbound, priority 10
            1,
-            self.pg0,
            self.pg1,
+            self.pg0,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=10,
@ -588,8 +591,8 @@ class IPSec4SpdTestCaseReadd(SpdFastPathInbound):
        )
        policy_1 = self.spd_add_rem_policy(  # inbound, priority 5
            1,
-            self.pg0,
            self.pg1,
+            self.pg0,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=5,
@ -633,8 +636,8 @@ class IPSec4SpdTestCaseReadd(SpdFastPathInbound):
        # remove the bypass rule, leaving only the discard rule
        self.spd_add_rem_policy(  # inbound, priority 10
            1,
-            self.pg0,
            self.pg1,
+            self.pg0,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=10,
@ -659,8 +662,8 @@ class IPSec4SpdTestCaseReadd(SpdFastPathInbound):
        # now readd the bypass rule
        policy_0 = self.spd_add_rem_policy(  # outbound, priority 10
            1,
-            self.pg0,
            self.pg1,
+            self.pg0,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=10,
@ -712,8 +715,8 @@ class IPSec4SpdTestCaseMultiple(SpdFastPathInbound):
        # add rules on all interfaces
        policy_01 = self.spd_add_rem_policy(  # inbound, priority 10
            1,
-            self.pg0,
            self.pg1,
+            self.pg0,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=10,
@ -721,8 +724,8 @@ class IPSec4SpdTestCaseMultiple(SpdFastPathInbound):
        )
        policy_02 = self.spd_add_rem_policy(  # inbound, priority 5
            1,
-            self.pg0,
            self.pg1,
+            self.pg0,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=5,
@ -731,8 +734,8 @@ class IPSec4SpdTestCaseMultiple(SpdFastPathInbound):

        policy_11 = self.spd_add_rem_policy(  # inbound, priority 10
            1,
-            self.pg1,
            self.pg2,
+            self.pg1,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=10,
@ -740,8 +743,8 @@ class IPSec4SpdTestCaseMultiple(SpdFastPathInbound):
        )
        policy_12 = self.spd_add_rem_policy(  # inbound, priority 5
            1,
-            self.pg1,
            self.pg2,
+            self.pg1,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=5,
@ -750,8 +753,8 @@ class IPSec4SpdTestCaseMultiple(SpdFastPathInbound):

        policy_21 = self.spd_add_rem_policy(  # inbound, priority 5
            1,
-            self.pg2,
            self.pg0,
+            self.pg2,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=5,
@ -759,8 +762,8 @@ class IPSec4SpdTestCaseMultiple(SpdFastPathInbound):
        )
        policy_22 = self.spd_add_rem_policy(  # inbound, priority 10
            1,
-            self.pg2,
            self.pg0,
+            self.pg2,
            socket.IPPROTO_UDP,
            is_out=0,
            priority=10,
@ -852,8 +855,8 @@ class IPSec6SpdTestCaseProtect(SpdFastPathIPv6InboundProtect):
            p,
            p.scapy_tra_sa,
            self.tra_if,
-            src=self.tra_if.local_ip6,
-            dst=self.tra_if.remote_ip6,
+            src=self.tra_if.remote_ip6,
+            dst=self.tra_if.local_ip6,
            count=pkt_count,
            payload_size=payload_size,
        )