ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

dpdk: fix udp-encap for esp in transport mode

Browse Source 
Now UDP encapsulation doesn't work in transport mode because:
 - the encrypt node misses filling of UDP header and it gets sent with
   all zeros;
 - the decrypt node misses filling of new IP header and it contains
   garbage data.

With this commit, fill UDP header during encryption and fill IP header
during decryption.

Change-Id: I87a7bd594f0e312b16d3e5eb19e568b4e3164d36
Type: fix
Signed-off-by: Alexander Chernavin <achernavin@netgate.com>
(cherry picked from commit 82fc98fa45)
This commit is contained in:
Alexander Chernavin
2020-04-03 10:18:44 -04:00
committed by Andrew Yourtchenko
parent 8f8c625f21
commit ec50d9ff1e
2 changed files with 9 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
src/plugins/dpdk/ipsec/esp_decrypt.c
View File

@@ -613,16 +613,14 @@ dpdk_esp_decrypt_post_inline (vlib_main_t * vm,
if ((ih4->ip_version_and_header_length & 0xF0) == 0x40) if ((ih4->ip_version_and_header_length & 0xF0) == 0x40)
{ {
u16 ih4_len = ip4_header_bytes (ih4); u16 ih4_len = ip4_header_bytes (ih4);
vlib_buffer_advance (b0, -ih4_len - udp_encap_adv); vlib_buffer_advance (b0, -ih4_len);
next0 = ESP_DECRYPT_NEXT_IP4_INPUT; next0 = ESP_DECRYPT_NEXT_IP4_INPUT;
if (!ipsec_sa_is_set_UDP_ENCAP (sa0))
{ oh4 = vlib_buffer_get_current (b0);
oh4 = vlib_buffer_get_current (b0); memmove (oh4, ih4, ih4_len);
memmove (oh4, ih4, ih4_len); oh4->protocol = f0->next_header;
oh4->protocol = f0->next_header; oh4->length = clib_host_to_net_u16 (b0->current_length);
oh4->length = clib_host_to_net_u16 (b0->current_length); oh4->checksum = ip4_header_checksum (oh4);
oh4->checksum = ip4_header_checksum (oh4);
}
} }
else if ((ih4->ip_version_and_header_length & 0xF0) == 0x60) else if ((ih4->ip_version_and_header_length & 0xF0) == 0x60)
{ {

3
src/plugins/dpdk/ipsec/esp_encrypt.c
View File

@@ -418,6 +418,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
u8 *src = ((u8 *) ih0) - rewrite_len; u8 *src = ((u8 *) ih0) - rewrite_len;
u8 *dst = vlib_buffer_get_current (b0); u8 *dst = vlib_buffer_get_current (b0);
oh0 = vlib_buffer_get_current (b0) + rewrite_len; oh0 = vlib_buffer_get_current (b0) + rewrite_len;
ouh0 = vlib_buffer_get_current (b0) + rewrite_len;
if (is_ip6) if (is_ip6)
{ {
@@ -567,7 +568,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
tr->crypto_alg = sa0->crypto_alg; tr->crypto_alg = sa0->crypto_alg;
tr->integ_alg = sa0->integ_alg; tr->integ_alg = sa0->integ_alg;
u8 *p = vlib_buffer_get_current (b0); u8 *p = vlib_buffer_get_current (b0);
if (!ipsec_sa_is_set_IS_TUNNEL (sa0)) if (!ipsec_sa_is_set_IS_TUNNEL (sa0) && !is_tun)
p += vnet_buffer (b0)->ip.save_rewrite_length; p += vnet_buffer (b0)->ip.save_rewrite_length;
clib_memcpy_fast (tr->packet_data, p, sizeof (tr->packet_data)); clib_memcpy_fast (tr->packet_data, p, sizeof (tr->packet_data));
} }