2 * ipsec_output.c : IPSec output node
4 * Copyright (c) 2015 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
22 #include <vnet/ipsec/ipsec.h>
26 #define foreach_ipsec_output_next \
27 _(DROP, "error-drop") \
28 _(ESP_ENCRYPT, "esp-encrypt")
30 #define _(v, s) IPSEC_OUTPUT_NEXT_##v,
33 foreach_intf_output_feat foreach_ipsec_output_next
36 } ipsec_output_next_t;
39 #define foreach_ipsec_output_error \
40 _(RX_PKTS, "IPSec pkts received") \
41 _(POLICY_DISCARD, "IPSec policy discard") \
42 _(POLICY_NO_MATCH, "IPSec policy (no match)") \
43 _(POLICY_PROTECT, "IPSec policy protect") \
44 _(POLICY_BYPASS, "IPSec policy bypass") \
45 _(ENCAPS_FAILED, "IPSec encapsulation failed")
50 #define _(sym,str) IPSEC_OUTPUT_ERROR_##sym,
51 foreach_ipsec_output_error
54 } ipsec_output_error_t;
56 static char *ipsec_output_error_strings[] = {
57 #define _(sym,string) string,
58 foreach_ipsec_output_error
62 static vlib_node_registration_t ipsec_output_node;
67 } ipsec_output_trace_t;
69 /* packet trace format function */
71 format_ipsec_output_trace (u8 * s, va_list * args)
73 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
74 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
75 ipsec_output_trace_t *t = va_arg (*args, ipsec_output_trace_t *);
79 s = format (s, "spd %u ", t->spd_id);
83 s = format (s, "no spd");
88 always_inline intf_output_feat_t __attribute__ ((unused))
89 get_next_intf_output_feature_and_reset_bit (vlib_buffer_t * b)
92 count_trailing_zeros (next_feature,
93 vnet_buffer (b)->output_features.bitmap);
94 if (next_feature != INTF_OUTPUT_FEAT_DONE)
95 vnet_buffer (b)->output_features.bitmap &= ~(1 << next_feature);
99 always_inline ipsec_policy_t *
100 ipsec_output_policy_match (ipsec_spd_t * spd, u8 pr, u32 la, u32 ra, u16 lp,
106 vec_foreach (i, spd->ipv4_outbound_policies)
108 p = pool_elt_at_index (spd->policies, *i);
109 if (PREDICT_FALSE (p->protocol && (p->protocol != pr)))
112 if (la < clib_net_to_host_u32 (p->laddr.start.ip4.as_u32))
115 if (la > clib_net_to_host_u32 (p->laddr.stop.ip4.as_u32))
118 if (ra < clib_net_to_host_u32 (p->raddr.start.ip4.as_u32))
121 if (ra > clib_net_to_host_u32 (p->raddr.stop.ip4.as_u32))
124 if (PREDICT_FALSE ((pr != IP_PROTOCOL_TCP) && (pr != IP_PROTOCOL_UDP)))
127 if (lp < p->lport.start)
130 if (lp > p->lport.stop)
133 if (rp < p->rport.start)
136 if (rp > p->rport.stop)
145 ip6_addr_match_range (ip6_address_t * a, ip6_address_t * la,
148 if ((memcmp (a->as_u64, la->as_u64, 2 * sizeof (u64)) >= 0) &&
149 (memcmp (a->as_u64, ua->as_u64, 2 * sizeof (u64)) <= 0))
154 always_inline ipsec_policy_t *
155 ipsec_output_ip6_policy_match (ipsec_spd_t * spd,
157 ip6_address_t * ra, u16 lp, u16 rp, u8 pr)
162 vec_foreach (i, spd->ipv6_outbound_policies)
164 p = pool_elt_at_index (spd->policies, *i);
165 if (PREDICT_FALSE (p->protocol && (p->protocol != pr)))
168 if (!ip6_addr_match_range (ra, &p->raddr.start.ip6, &p->raddr.stop.ip6))
171 if (!ip6_addr_match_range (la, &p->laddr.start.ip6, &p->laddr.stop.ip6))
174 if (PREDICT_FALSE ((pr != IP_PROTOCOL_TCP) && (pr != IP_PROTOCOL_UDP)))
177 if (lp < p->lport.start)
180 if (lp > p->lport.stop)
183 if (rp < p->rport.start)
186 if (rp > p->rport.stop)
196 ipsec_output_node_fn (vlib_main_t * vm,
197 vlib_node_runtime_t * node, vlib_frame_t * from_frame)
199 ipsec_main_t *im = &ipsec_main;
200 vnet_main_t *vnm = im->vnet_main;
202 u32 *from, *to_next = 0;
203 u32 n_left_from, sw_if_index0, last_sw_if_index = (u32) ~ 0;
204 u32 next_node_index = (u32) ~ 0, last_next_node_index = (u32) ~ 0;
207 ipsec_spd_t *spd0 = 0;
208 u64 nc_protect = 0, nc_bypass = 0, nc_discard = 0, nc_nomatch = 0;
210 from = vlib_frame_vector_args (from_frame);
211 n_left_from = from_frame->n_vectors;
213 while (n_left_from > 0)
219 ip6_header_t *ip6_0 = 0;
224 b0 = vlib_get_buffer (vm, bi0);
225 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX];
228 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
229 sizeof (ethernet_header_t));
231 /* just forward non ipv4 packets */
232 if (PREDICT_FALSE ((ip0->ip_version_and_header_length & 0xF0) != 0x40))
236 ((ip0->ip_version_and_header_length & 0xF0) == 0x60))
239 ip6_0 = (ip6_header_t *) ((u8 *) vlib_buffer_get_current (b0) +
240 sizeof (ethernet_header_t));
244 next_node_index = get_next_output_feature_node_index (vnm, b0);
249 /* lookup for SPD only if sw_if_index is changed */
250 if (PREDICT_FALSE (last_sw_if_index != sw_if_index0))
252 uword *p = hash_get (im->spd_index_by_sw_if_index, sw_if_index0);
255 spd0 = pool_elt_at_index (im->spds, spd_index0);
256 last_sw_if_index = sw_if_index0;
261 udp0 = ip6_next_header (ip6_0);
264 ("packet received from %U port %u to %U port %u spd_id %u",
265 format_ip6_address, &ip6_0->src_address,
266 clib_net_to_host_u16 (udp0->src_port), format_ip6_address,
267 &ip6_0->dst_address, clib_net_to_host_u16 (udp0->dst_port),
271 p0 = ipsec_output_ip6_policy_match (spd0,
274 clib_net_to_host_u16 (udp0->
276 clib_net_to_host_u16 (udp0->
282 udp0 = (udp_header_t *) ((u8 *) ip0 + ip4_header_bytes (ip0));
285 clib_warning ("packet received from %U to %U port %u",
286 format_ip4_address, ip0->src_address.as_u8,
287 format_ip4_address, ip0->dst_address.as_u8,
288 clib_net_to_host_u16 (udp0->dst_port));
289 clib_warning ("sw_if_index0 %u spd_index0 %u spd_id %u",
290 sw_if_index0, spd_index0, spd0->id);
293 p0 = ipsec_output_policy_match (spd0, ip0->protocol,
294 clib_net_to_host_u32 (ip0->
297 clib_net_to_host_u32 (ip0->
300 clib_net_to_host_u16 (udp0->
302 clib_net_to_host_u16 (udp0->
306 if (PREDICT_TRUE (p0 != NULL))
308 if (p0->policy == IPSEC_POLICY_ACTION_PROTECT)
311 next_node_index = im->esp_encrypt_node_index;
312 vnet_buffer (b0)->output_features.ipsec_sad_index =
314 vlib_buffer_advance (b0, sizeof (ethernet_header_t));
315 p0->counter.packets++;
319 clib_net_to_host_u16 (ip6_0->payload_length);
320 p0->counter.bytes += sizeof (ip6_header_t);
324 p0->counter.bytes += clib_net_to_host_u16 (ip0->length);
327 else if (p0->policy == IPSEC_POLICY_ACTION_BYPASS)
330 next_node_index = get_next_output_feature_node_index (vnm, b0);
331 p0->counter.packets++;
335 clib_net_to_host_u16 (ip6_0->payload_length);
336 p0->counter.bytes += sizeof (ip6_header_t);
340 p0->counter.bytes += clib_net_to_host_u16 (ip0->length);
346 p0->counter.packets++;
350 clib_net_to_host_u16 (ip6_0->payload_length);
351 p0->counter.bytes += sizeof (ip6_header_t);
355 p0->counter.bytes += clib_net_to_host_u16 (ip0->length);
357 next_node_index = im->error_drop_node_index;
363 next_node_index = im->error_drop_node_index;
370 if (PREDICT_FALSE ((last_next_node_index != next_node_index)))
372 /* if this is not 1st frame */
374 vlib_put_frame_to_node (vm, last_next_node_index, f);
376 last_next_node_index = next_node_index;
378 f = vlib_get_frame_to_node (vm, next_node_index);
379 to_next = vlib_frame_vector_args (f);
386 if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
388 ipsec_output_trace_t *tr =
389 vlib_add_trace (vm, node, b0, sizeof (*tr));
391 tr->spd_id = spd0->id;
395 vlib_put_frame_to_node (vm, next_node_index, f);
396 vlib_node_increment_counter (vm, ipsec_output_node.index,
397 IPSEC_OUTPUT_ERROR_POLICY_PROTECT, nc_protect);
398 vlib_node_increment_counter (vm, ipsec_output_node.index,
399 IPSEC_OUTPUT_ERROR_POLICY_BYPASS, nc_bypass);
400 vlib_node_increment_counter (vm, ipsec_output_node.index,
401 IPSEC_OUTPUT_ERROR_POLICY_DISCARD, nc_discard);
402 vlib_node_increment_counter (vm, ipsec_output_node.index,
403 IPSEC_OUTPUT_ERROR_POLICY_NO_MATCH,
405 return from_frame->n_vectors;
409 VLIB_REGISTER_NODE (ipsec_output_node,static) = {
410 .function = ipsec_output_node_fn,
411 .name = "ipsec-output",
412 .vector_size = sizeof (u32),
413 .format_trace = format_ipsec_output_trace,
414 .type = VLIB_NODE_TYPE_INTERNAL,
416 .n_errors = ARRAY_LEN(ipsec_output_error_strings),
417 .error_strings = ipsec_output_error_strings,
419 .n_next_nodes = IPSEC_OUTPUT_N_NEXT,
421 #define _(s,n) [IPSEC_OUTPUT_NEXT_##s] = n,
422 foreach_intf_output_feat
423 foreach_ipsec_output_next
429 VLIB_NODE_FUNCTION_MULTIARCH (ipsec_output_node, ipsec_output_node_fn)
430 #else /* IPSEC > 1 */
432 /* Dummy ipsec output node, in case when IPSec is disabled */
435 ipsec_output_node_fn (vlib_main_t * vm,
436 vlib_node_runtime_t * node, vlib_frame_t * frame)
438 clib_warning ("IPSec disabled");
443 VLIB_REGISTER_NODE (ipsec_output_node) = {
444 .vector_size = sizeof (u32),
445 .function = ipsec_output_node_fn,
446 .name = "ipsec-output",
452 * fd.io coding-style-patch-verification: ON
455 * eval: (c-set-style "gnu")