ipsec: re-enable DPDK IPSec for tunnel decap/encap (VPP-1823)

Type: fix

Change-Id: Iff9b1960b122f7d326efc37770b4ae3e81eb3122
Signed-off-by: Neale Ranns <nranns@cisco.com>

.gitreview

@@ -2,3 +2,4 @@
 host=gerrit.fd.io
 port=29418
 project=vpp
+defaultbranch=stable/2001

src/plugins/dpdk/ipsec/esp_decrypt.c

@@ -256,7 +256,10 @@ dpdk_esp_decrypt_inline (vlib_main_t * vm,
 	  if (is_ip6)
 	    priv->next = DPDK_CRYPTO_INPUT_NEXT_DECRYPT6_POST;
 	  else
-	    priv->next = DPDK_CRYPTO_INPUT_NEXT_DECRYPT4_POST;
+	    {
+	      priv->next = DPDK_CRYPTO_INPUT_NEXT_DECRYPT4_POST;
+	      b0->flags |= VNET_BUFFER_F_IS_IP4;
+	    }
 
 	  /* FIXME multi-seg */
 	  vlib_increment_combined_counter

src/plugins/dpdk/ipsec/esp_encrypt.c

@@ -66,6 +66,8 @@ static char *esp_encrypt_error_strings[] = {
 
 extern vlib_node_registration_t dpdk_esp4_encrypt_node;
 extern vlib_node_registration_t dpdk_esp6_encrypt_node;
+extern vlib_node_registration_t dpdk_esp4_encrypt_tun_node;
+extern vlib_node_registration_t dpdk_esp6_encrypt_tun_node;
 
 typedef struct
 {
@@ -411,8 +413,16 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
 	    }
 	  else			/* transport mode */
 	    {
-	      priv->next = DPDK_CRYPTO_INPUT_NEXT_INTERFACE_OUTPUT;
-	      rewrite_len = vnet_buffer (b0)->ip.save_rewrite_length;
+	      if (is_tun)
+		{
+		  rewrite_len = 0;
+		  priv->next = DPDK_CRYPTO_INPUT_NEXT_MIDCHAIN;
+		}
+	      else
+		{
+		  priv->next = DPDK_CRYPTO_INPUT_NEXT_INTERFACE_OUTPUT;
+		  rewrite_len = vnet_buffer (b0)->ip.save_rewrite_length;
+		}
 	      u16 adv = sizeof (esp_header_t) + iv_size + udp_encap_adv;
 	      vlib_buffer_advance (b0, -adv - rewrite_len);
 	      u8 *src = ((u8 *) ih0) - rewrite_len;
@@ -576,7 +586,10 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
     }
   if (is_ip6)
     {
-      vlib_node_increment_counter (vm, dpdk_esp6_encrypt_node.index,
+      vlib_node_increment_counter (vm,
+				   (is_tun ?
+				    dpdk_esp6_encrypt_tun_node.index :
+				    dpdk_esp6_encrypt_node.index),
 				   ESP_ENCRYPT_ERROR_RX_PKTS,
 				   from_frame->n_vectors);
 
@@ -585,7 +598,10 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
     }
   else
     {
-      vlib_node_increment_counter (vm, dpdk_esp4_encrypt_node.index,
+      vlib_node_increment_counter (vm,
+				   (is_tun ?
+				    dpdk_esp4_encrypt_tun_node.index :
+				    dpdk_esp4_encrypt_node.index),
 				   ESP_ENCRYPT_ERROR_RX_PKTS,
 				   from_frame->n_vectors);
 

src/plugins/dpdk/ipsec/ipsec.c

@@ -1049,9 +1049,11 @@ dpdk_ipsec_process (vlib_main_t * vm, vlib_node_runtime_t * rt,
 					"dpdk-esp4-encrypt",
 					"dpdk-esp4-encrypt-tun",
 					"dpdk-esp4-decrypt",
+					"dpdk-esp4-decrypt",
 					"dpdk-esp6-encrypt",
 					"dpdk-esp6-encrypt-tun",
 					"dpdk-esp6-decrypt",
+					"dpdk-esp6-decrypt",
 					dpdk_ipsec_check_support,
 					add_del_sa_session);
   int rv = ipsec_select_esp_backend (im, idx);

src/plugins/dpdk/ipsec/ipsec.h

@@ -38,6 +38,7 @@
   _(IP4_LOOKUP, "ip4-lookup")                   \
   _(IP6_LOOKUP, "ip6-lookup")                   \
   _(INTERFACE_OUTPUT, "interface-output")	\
+  _(MIDCHAIN, "adj-midchain-tx")                 \
   _(DECRYPT4_POST, "dpdk-esp4-decrypt-post")     \
   _(DECRYPT6_POST, "dpdk-esp6-decrypt-post")
 

src/vnet/adj/adj_nbr.c

@@ -347,7 +347,7 @@ adj_nbr_update_rewrite_internal (ip_adjacency_t *adj,
 				 u8 *rewrite)
 {
     ip_adjacency_t *walk_adj;
-    adj_index_t walk_ai;
+    adj_index_t walk_ai, ai;
     vlib_main_t * vm;
     u32 old_next;
     int do_walk;
@@ -355,7 +355,7 @@ adj_nbr_update_rewrite_internal (ip_adjacency_t *adj,
     vm = vlib_get_main();
     old_next = adj->lookup_next_index;
 
-    walk_ai = adj_get_index(adj);
+    ai = walk_ai = adj_get_index(adj);
     if (VNET_LINK_MPLS == adj->ia_link)
     {
         /*
@@ -399,7 +399,7 @@ adj_nbr_update_rewrite_internal (ip_adjacency_t *adj,
      * DPO, this adj will no longer be in use and its lock count will drop to 0.
      * We don't want it to be deleted as part of this endeavour.
      */
-    adj_lock(adj_get_index(adj));
+    adj_lock(ai);
     adj_lock(walk_ai);
 
     /*
@@ -514,7 +514,7 @@ adj_nbr_update_rewrite_internal (ip_adjacency_t *adj,
         walk_adj->ia_flags &= ~ADJ_FLAG_SYNC_WALK_ACTIVE;
     }
 
-    adj_unlock(adj_get_index(adj));
+    adj_unlock(ai);
     adj_unlock(walk_ai);
 }
 

src/vnet/ipsec/ipsec.c

@@ -167,9 +167,11 @@ ipsec_register_esp_backend (vlib_main_t * vm, ipsec_main_t * im,
 			    const char *esp4_encrypt_node_name,
 			    const char *esp4_encrypt_node_tun_name,
 			    const char *esp4_decrypt_node_name,
+			    const char *esp4_decrypt_tun_node_name,
 			    const char *esp6_encrypt_node_name,
 			    const char *esp6_encrypt_node_tun_name,
 			    const char *esp6_decrypt_node_name,
+			    const char *esp6_decrypt_tun_node_name,
 			    check_support_cb_t esp_check_support_cb,
 			    add_del_sa_sess_cb_t esp_add_del_sa_sess_cb)
 {
@@ -186,6 +188,12 @@ ipsec_register_esp_backend (vlib_main_t * vm, ipsec_main_t * im,
 		  &b->esp6_encrypt_node_index, &b->esp6_encrypt_next_index);
   ipsec_add_node (vm, esp6_decrypt_node_name, "ipsec6-input-feature",
 		  &b->esp6_decrypt_node_index, &b->esp6_decrypt_next_index);
+  ipsec_add_node (vm, esp4_decrypt_tun_node_name, "ipsec4-tun-input",
+		  &b->esp4_decrypt_tun_node_index,
+		  &b->esp4_decrypt_tun_next_index);
+  ipsec_add_node (vm, esp6_decrypt_tun_node_name, "ipsec6-tun-input",
+		  &b->esp6_decrypt_tun_node_index,
+		  &b->esp6_decrypt_tun_next_index);
 
   ipsec_add_feature ("ip4-output", esp4_encrypt_node_tun_name,
 		     &b->esp44_encrypt_tun_feature_index);
@@ -255,6 +263,10 @@ ipsec_select_esp_backend (ipsec_main_t * im, u32 backend_idx)
   im->esp6_decrypt_node_index = b->esp6_decrypt_node_index;
   im->esp6_encrypt_next_index = b->esp6_encrypt_next_index;
   im->esp6_decrypt_next_index = b->esp6_decrypt_next_index;
+  im->esp4_decrypt_tun_node_index = b->esp4_decrypt_tun_node_index;
+  im->esp4_decrypt_tun_next_index = b->esp4_decrypt_tun_next_index;
+  im->esp6_decrypt_tun_node_index = b->esp6_decrypt_tun_node_index;
+  im->esp6_decrypt_tun_next_index = b->esp6_decrypt_tun_next_index;
 
   im->esp44_encrypt_tun_feature_index = b->esp44_encrypt_tun_feature_index;
   im->esp64_encrypt_tun_feature_index = b->esp64_encrypt_tun_feature_index;
@@ -303,9 +315,11 @@ ipsec_init (vlib_main_t * vm)
 				    "esp4-encrypt",
 				    "esp4-encrypt-tun",
 				    "esp4-decrypt",
+				    "esp4-decrypt-tun",
 				    "esp6-encrypt",
 				    "esp6-encrypt-tun",
 				    "esp6-decrypt",
+				    "esp6-decrypt-tun",
 				    ipsec_check_esp_support, NULL);
   im->esp_default_backend = idx;
 

src/vnet/ipsec/ipsec.h

@@ -61,6 +61,10 @@ typedef struct
   u32 esp6_decrypt_node_index;
   u32 esp6_encrypt_next_index;
   u32 esp6_decrypt_next_index;
+  u32 esp4_decrypt_tun_node_index;
+  u32 esp4_decrypt_tun_next_index;
+  u32 esp6_decrypt_tun_node_index;
+  u32 esp6_decrypt_tun_next_index;
   u32 esp44_encrypt_tun_feature_index;
   u32 esp46_encrypt_tun_feature_index;
   u32 esp66_encrypt_tun_feature_index;
@@ -120,19 +124,23 @@ typedef struct
   u32 error_drop_node_index;
   u32 esp4_encrypt_node_index;
   u32 esp4_decrypt_node_index;
+  u32 esp4_decrypt_tun_node_index;
   u32 ah4_encrypt_node_index;
   u32 ah4_decrypt_node_index;
   u32 esp6_encrypt_node_index;
   u32 esp6_decrypt_node_index;
+  u32 esp6_decrypt_tun_node_index;
   u32 ah6_encrypt_node_index;
   u32 ah6_decrypt_node_index;
   /* next node indices */
   u32 esp4_encrypt_next_index;
   u32 esp4_decrypt_next_index;
+  u32 esp4_decrypt_tun_next_index;
   u32 ah4_encrypt_next_index;
   u32 ah4_decrypt_next_index;
   u32 esp6_encrypt_next_index;
   u32 esp6_decrypt_next_index;
+  u32 esp6_decrypt_tun_next_index;
   u32 ah6_encrypt_next_index;
   u32 ah6_decrypt_next_index;
 
@@ -248,9 +256,11 @@ u32 ipsec_register_esp_backend (vlib_main_t * vm, ipsec_main_t * im,
 				const char *esp4_encrypt_node_name,
 				const char *esp4_encrypt_tun_node_name,
 				const char *esp4_decrypt_node_name,
+				const char *esp4_decrypt_tun_node_name,
 				const char *esp6_encrypt_node_name,
 				const char *esp6_encrypt_tun_node_name,
 				const char *esp6_decrypt_node_name,
+				const char *esp6_decrypt_tun_node_name,
 				check_support_cb_t esp_check_support_cb,
 				add_del_sa_sess_cb_t esp_add_del_sa_sess_cb);
 

src/vnet/ipsec/ipsec_tun_in.c

@@ -55,8 +55,7 @@ typedef enum ipsec_tun_next_t_
 #define _(v, s) IPSEC_TUN_PROTECT_NEXT_##v,
   foreach_ipsec_input_next
 #undef _
-    IPSEC_TUN_PROTECT_NEXT_DECRYPT,
-  IPSEC_TUN_PROTECT_N_NEXT,
+    IPSEC_TUN_PROTECT_N_NEXT,
 } ipsec_tun_next_t;
 
 typedef struct
@@ -311,7 +310,7 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	      n_bytes = len0;
 	    }
 
-	  next[0] = IPSEC_TUN_PROTECT_NEXT_DECRYPT;
+	  next[0] = im->esp4_decrypt_tun_next_index;	//IPSEC_TUN_PROTECT_NEXT_DECRYPT;
 	}
     trace00:
       if (PREDICT_FALSE (is_trace))
@@ -358,8 +357,7 @@ VLIB_NODE_FN (ipsec4_tun_input_node) (vlib_main_t * vm,
 				      vlib_node_runtime_t * node,
 				      vlib_frame_t * from_frame)
 {
-  return ipsec_tun_protect_input_inline (vm, node, from_frame,
-					 0 /* is_ip6 */ );
+  return ipsec_tun_protect_input_inline (vm, node, from_frame, 0);
 }
 
 /* *INDENT-OFF* */
@@ -374,7 +372,6 @@ VLIB_REGISTER_NODE (ipsec4_tun_input_node) = {
   .next_nodes = {
     [IPSEC_TUN_PROTECT_NEXT_DROP] = "ip4-drop",
     [IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch",
-    [IPSEC_TUN_PROTECT_NEXT_DECRYPT] = "esp4-decrypt-tun",
   }
 };
 /* *INDENT-ON* */
@@ -383,8 +380,7 @@ VLIB_NODE_FN (ipsec6_tun_input_node) (vlib_main_t * vm,
 				      vlib_node_runtime_t * node,
 				      vlib_frame_t * from_frame)
 {
-  return ipsec_tun_protect_input_inline (vm, node, from_frame,
-					 1 /* is_ip6 */ );
+  return ipsec_tun_protect_input_inline (vm, node, from_frame, 1);
 }
 
 /* *INDENT-OFF* */
@@ -399,7 +395,6 @@ VLIB_REGISTER_NODE (ipsec6_tun_input_node) = {
   .next_nodes = {
     [IPSEC_TUN_PROTECT_NEXT_DROP] = "ip6-drop",
     [IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch",
-    [IPSEC_TUN_PROTECT_NEXT_DECRYPT] = "esp6-decrypt-tun",
   }
 };
 /* *INDENT-ON* */