ipsec: set fast path 5tuple ip addresses based on sa traffic selector values

Previously, the ESP packet's src and dst addresses were used for fast path
inbound SPD matching even when the SA defined traffic selectors. This patch
fixes that issue.

Type: fix
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: Ibd3ca224b155cc9e0c6aedd0f36aff489b7af5b8
Piotr Bronowski
2023-02-13 18:18:59 +00:00
committed by Fan Zhang
parent 8a4b79778f
commit 645a588ee3


@ -378,7 +378,6 @@ ipsec_fp_get_policy_ports_mask (ipsec_policy_t *policy,
}
mask->protocol = (policy->protocol == IPSEC_POLICY_PROTOCOL_ANY) ? 0 : ~0;
mask->action = 0;
}
static_always_inline void
@ -395,6 +394,15 @@ ipsec_fp_ip4_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask,
clib_memset_u8 (mask, 0xff, sizeof (ipsec_fp_5tuple_t));
clib_memset_u8 (&mask->l3_zero_pad, 0, sizeof (mask->l3_zero_pad));
if (inbound && (policy->type == IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT &&
policy->sa_index != INDEX_INVALID))
{
ipsec_sa_t *s = ipsec_sa_get (policy->sa_index);
if (ipsec_sa_is_set_IS_TUNNEL (s))
goto set_spi_mask;
}
/* find bits where start != stop */
*plmask = *pladdr_start ^ *pladdr_stop;
*prmask = *praddr_start ^ *praddr_stop;
@ -409,6 +417,7 @@ ipsec_fp_ip4_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask,
*prmask = clib_host_to_net_u32 (
mask_out_highest_set_bit_u32 (clib_net_to_host_u32 (*prmask)));
set_spi_mask:
if (inbound)
{
if (policy->type != IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT)
@ -436,6 +445,15 @@ ipsec_fp_ip6_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask,
clib_memset_u8 (mask, 0xff, sizeof (ipsec_fp_5tuple_t));
if (inbound && (policy->type == IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT &&
policy->sa_index != INDEX_INVALID))
{
ipsec_sa_t *s = ipsec_sa_get (policy->sa_index);
if (ipsec_sa_is_set_IS_TUNNEL (s))
goto set_spi_mask;
}
*plmask = (*pladdr_start++ ^ *pladdr_stop++);
*prmask = (*praddr_start++ ^ *praddr_stop++);
@ -468,10 +486,10 @@ ipsec_fp_ip6_get_policy_mask (ipsec_policy_t *policy, ipsec_fp_5tuple_t *mask,
}
else
*prmask = 0;
set_spi_mask:
if (inbound)
{
if (policy->type != IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT)
if (policy->type != IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT)
mask->spi = 0;
mask->protocol = 0;
@ -508,7 +526,21 @@ ipsec_fp_get_policy_5tuple (ipsec_policy_t *policy, ipsec_fp_5tuple_t *tuple,
policy->sa_index != INDEX_INVALID)
{
ipsec_sa_t *s = ipsec_sa_get (policy->sa_index);
tuple->spi = s->spi;
if (ipsec_sa_is_set_IS_TUNNEL (s))
{
if (tuple->is_ipv6)
{
tuple->ip6_laddr = s->tunnel.t_dst.ip.ip6;
tuple->ip6_raddr = s->tunnel.t_src.ip.ip6;
}
else
{
tuple->laddr = s->tunnel.t_dst.ip.ip4;
tuple->raddr = s->tunnel.t_src.ip.ip4;
}
}
}
else
tuple->spi = INDEX_INVALID;
@ -517,7 +549,6 @@ ipsec_fp_get_policy_5tuple (ipsec_policy_t *policy, ipsec_fp_5tuple_t *tuple,
}
tuple->protocol = policy->protocol;
tuple->lport = policy->lport.start;
tuple->rport = policy->rport.start;
}
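Review bot: The new tunnel branch in ipsec_fp_get_policy_5tuple selects the union member to write from `tuple->is_ipv6`, but nothing in this hunk sets that flag; if it is only initialised later in the function or by the caller (the start of the function is outside the hunk), the ip4 addresses would be written over the ip6 key or vice versa, so it is worth confirming that is_ipv6 is set before this block on every path. The same is true of the matching `goto set_spi_mask` in ipsec_fp_ip4_get_policy_mask and ipsec_fp_ip6_get_policy_mask: skipping the start^stop computation relies on the earlier `clib_memset_u8 (mask, 0xff, ...)` leaving the address mask all-ones, and that coupling is not stated anywhere, so a comment on each goto such as `/* tunnel-mode SA: keep the all-ones address mask so the inbound lookup matches the outer tunnel endpoints exactly */` would stop a later edit of the memset from silently widening the match. The assignment block itself deserves a line explaining the swap, e.g. `/* inbound: local address is the tunnel destination, remote is the tunnel source */` above `tuple->ip6_laddr = s->tunnel.t_dst.ip.ip6;`. Finally, the SA lookup plus IS_TUNNEL test is now repeated three times across these hunks; a small static inline helper returning the SA when the policy is an inbound protect policy with a tunnel SA (or NULL) would keep the three call sites from drifting apart.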