2 * ipsec_output.c : IPSec output node
4 * Copyright (c) 2015 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
22 #include <vnet/ipsec/ipsec.h>
26 #define foreach_ipsec_output_next \
27 _(DROP, "error-drop") \
28 _(ESP_ENCRYPT, "esp-encrypt")
30 #define _(v, s) IPSEC_OUTPUT_NEXT_##v,
33 foreach_ipsec_output_next
36 } ipsec_output_next_t;
39 #define foreach_ipsec_output_error \
40 _(RX_PKTS, "IPSec pkts received") \
41 _(POLICY_DISCARD, "IPSec policy discard") \
42 _(POLICY_NO_MATCH, "IPSec policy (no match)") \
43 _(POLICY_PROTECT, "IPSec policy protect") \
44 _(POLICY_BYPASS, "IPSec policy bypass") \
45 _(ENCAPS_FAILED, "IPSec encapsulation failed")
50 #define _(sym,str) IPSEC_OUTPUT_ERROR_##sym,
51 foreach_ipsec_output_error
54 } ipsec_output_error_t;
56 static char *ipsec_output_error_strings[] = {
57 #define _(sym,string) string,
58 foreach_ipsec_output_error
62 static vlib_node_registration_t ipsec_output_ip4_node;
63 static vlib_node_registration_t ipsec_output_ip6_node;
68 } ipsec_output_trace_t;
70 /* packet trace format function */
72 format_ipsec_output_trace (u8 * s, va_list * args)
74 CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
75 CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
76 ipsec_output_trace_t *t = va_arg (*args, ipsec_output_trace_t *);
80 s = format (s, "spd %u ", t->spd_id);
84 s = format (s, "no spd");
89 always_inline ipsec_policy_t *
90 ipsec_output_policy_match (ipsec_spd_t * spd, u8 pr, u32 la, u32 ra, u16 lp,
99 vec_foreach (i, spd->ipv4_outbound_policies)
101 p = pool_elt_at_index (spd->policies, *i);
102 if (PREDICT_FALSE (p->protocol && (p->protocol != pr)))
105 if (la < clib_net_to_host_u32 (p->laddr.start.ip4.as_u32))
108 if (la > clib_net_to_host_u32 (p->laddr.stop.ip4.as_u32))
111 if (ra < clib_net_to_host_u32 (p->raddr.start.ip4.as_u32))
114 if (ra > clib_net_to_host_u32 (p->raddr.stop.ip4.as_u32))
117 if (PREDICT_FALSE ((pr != IP_PROTOCOL_TCP) && (pr != IP_PROTOCOL_UDP)))
120 if (lp < p->lport.start)
123 if (lp > p->lport.stop)
126 if (rp < p->rport.start)
129 if (rp > p->rport.stop)
138 ip6_addr_match_range (ip6_address_t * a, ip6_address_t * la,
141 if ((memcmp (a->as_u64, la->as_u64, 2 * sizeof (u64)) >= 0) &&
142 (memcmp (a->as_u64, ua->as_u64, 2 * sizeof (u64)) <= 0))
147 always_inline ipsec_policy_t *
148 ipsec_output_ip6_policy_match (ipsec_spd_t * spd,
150 ip6_address_t * ra, u16 lp, u16 rp, u8 pr)
158 vec_foreach (i, spd->ipv6_outbound_policies)
160 p = pool_elt_at_index (spd->policies, *i);
161 if (PREDICT_FALSE (p->protocol && (p->protocol != pr)))
164 if (!ip6_addr_match_range (ra, &p->raddr.start.ip6, &p->raddr.stop.ip6))
167 if (!ip6_addr_match_range (la, &p->laddr.start.ip6, &p->laddr.stop.ip6))
170 if (PREDICT_FALSE ((pr != IP_PROTOCOL_TCP) && (pr != IP_PROTOCOL_UDP)))
173 if (lp < p->lport.start)
176 if (lp > p->lport.stop)
179 if (rp < p->rport.start)
182 if (rp > p->rport.stop)
192 ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
193 vlib_frame_t * from_frame, int is_ipv6)
195 ipsec_main_t *im = &ipsec_main;
197 u32 *from, *to_next = 0;
198 u32 n_left_from, sw_if_index0, last_sw_if_index = (u32) ~ 0;
199 u32 next_node_index = (u32) ~ 0, last_next_node_index = (u32) ~ 0;
202 ipsec_spd_t *spd0 = 0;
203 u64 nc_protect = 0, nc_bypass = 0, nc_discard = 0, nc_nomatch = 0;
205 from = vlib_frame_vector_args (from_frame);
206 n_left_from = from_frame->n_vectors;
208 while (n_left_from > 0)
214 ip6_header_t *ip6_0 = 0;
219 b0 = vlib_get_buffer (vm, bi0);
220 sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX];
221 iph_offset = vnet_buffer (b0)->ip.save_rewrite_length;
222 ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0)
225 /* lookup for SPD only if sw_if_index is changed */
226 if (PREDICT_FALSE (last_sw_if_index != sw_if_index0))
228 uword *p = hash_get (im->spd_index_by_sw_if_index, sw_if_index0);
231 spd0 = pool_elt_at_index (im->spds, spd_index0);
232 last_sw_if_index = sw_if_index0;
237 ip6_0 = (ip6_header_t *) ((u8 *) vlib_buffer_get_current (b0)
240 udp0 = ip6_next_header (ip6_0);
243 ("packet received from %U port %u to %U port %u spd_id %u",
244 format_ip6_address, &ip6_0->src_address,
245 clib_net_to_host_u16 (udp0->src_port), format_ip6_address,
246 &ip6_0->dst_address, clib_net_to_host_u16 (udp0->dst_port),
250 p0 = ipsec_output_ip6_policy_match (spd0,
261 udp0 = (udp_header_t *) ((u8 *) ip0 + ip4_header_bytes (ip0));
264 clib_warning ("packet received from %U to %U port %u",
265 format_ip4_address, ip0->src_address.as_u8,
266 format_ip4_address, ip0->dst_address.as_u8,
267 clib_net_to_host_u16 (udp0->dst_port));
268 clib_warning ("sw_if_index0 %u spd_index0 %u spd_id %u",
269 sw_if_index0, spd_index0, spd0->id);
272 p0 = ipsec_output_policy_match (spd0, ip0->protocol,
274 (ip0->src_address.as_u32),
276 (ip0->dst_address.as_u32),
283 if (PREDICT_TRUE (p0 != NULL))
285 if (p0->policy == IPSEC_POLICY_ACTION_PROTECT)
288 next_node_index = im->esp_encrypt_node_index;
289 vnet_buffer (b0)->ipsec.sad_index = p0->sa_index;
290 vlib_buffer_advance (b0, iph_offset);
291 p0->counter.packets++;
295 clib_net_to_host_u16 (ip6_0->payload_length);
296 p0->counter.bytes += sizeof (ip6_header_t);
300 p0->counter.bytes += clib_net_to_host_u16 (ip0->length);
303 else if (p0->policy == IPSEC_POLICY_ACTION_BYPASS)
306 next_node_index = get_next_output_feature_node_index (b0, node);
307 p0->counter.packets++;
311 clib_net_to_host_u16 (ip6_0->payload_length);
312 p0->counter.bytes += sizeof (ip6_header_t);
316 p0->counter.bytes += clib_net_to_host_u16 (ip0->length);
322 p0->counter.packets++;
326 clib_net_to_host_u16 (ip6_0->payload_length);
327 p0->counter.bytes += sizeof (ip6_header_t);
331 p0->counter.bytes += clib_net_to_host_u16 (ip0->length);
333 next_node_index = im->error_drop_node_index;
339 next_node_index = im->error_drop_node_index;
345 if (PREDICT_FALSE ((last_next_node_index != next_node_index) || f == 0))
347 /* if this is not 1st frame */
349 vlib_put_frame_to_node (vm, last_next_node_index, f);
351 last_next_node_index = next_node_index;
353 f = vlib_get_frame_to_node (vm, next_node_index);
354 to_next = vlib_frame_vector_args (f);
361 if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
363 ipsec_output_trace_t *tr =
364 vlib_add_trace (vm, node, b0, sizeof (*tr));
366 tr->spd_id = spd0->id;
370 vlib_put_frame_to_node (vm, next_node_index, f);
371 vlib_node_increment_counter (vm, node->node_index,
372 IPSEC_OUTPUT_ERROR_POLICY_PROTECT, nc_protect);
373 vlib_node_increment_counter (vm, node->node_index,
374 IPSEC_OUTPUT_ERROR_POLICY_BYPASS, nc_bypass);
375 vlib_node_increment_counter (vm, node->node_index,
376 IPSEC_OUTPUT_ERROR_POLICY_DISCARD, nc_discard);
377 vlib_node_increment_counter (vm, node->node_index,
378 IPSEC_OUTPUT_ERROR_POLICY_NO_MATCH,
380 return from_frame->n_vectors;
384 ipsec_output_ip4_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node,
385 vlib_frame_t * frame)
387 return ipsec_output_inline (vm, node, frame, 0);
391 VLIB_REGISTER_NODE (ipsec_output_ip4_node,static) = {
392 .function = ipsec_output_ip4_node_fn,
393 .name = "ipsec-output-ip4",
394 .vector_size = sizeof (u32),
395 .format_trace = format_ipsec_output_trace,
396 .type = VLIB_NODE_TYPE_INTERNAL,
398 .n_errors = ARRAY_LEN(ipsec_output_error_strings),
399 .error_strings = ipsec_output_error_strings,
401 .n_next_nodes = IPSEC_OUTPUT_N_NEXT,
403 #define _(s,n) [IPSEC_OUTPUT_NEXT_##s] = n,
404 foreach_ipsec_output_next
410 VLIB_NODE_FUNCTION_MULTIARCH (ipsec_output_ip4_node, ipsec_output_ip4_node_fn)
412 ipsec_output_ip6_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node,
413 vlib_frame_t * frame)
415 return ipsec_output_inline (vm, node, frame, 1);
419 VLIB_REGISTER_NODE (ipsec_output_ip6_node,static) = {
420 .function = ipsec_output_ip6_node_fn,
421 .name = "ipsec-output-ip6",
422 .vector_size = sizeof (u32),
423 .format_trace = format_ipsec_output_trace,
424 .type = VLIB_NODE_TYPE_INTERNAL,
426 .n_errors = ARRAY_LEN(ipsec_output_error_strings),
427 .error_strings = ipsec_output_error_strings,
429 .n_next_nodes = IPSEC_OUTPUT_N_NEXT,
431 #define _(s,n) [IPSEC_OUTPUT_NEXT_##s] = n,
432 foreach_ipsec_output_next
438 VLIB_NODE_FUNCTION_MULTIARCH (ipsec_output_ip6_node, ipsec_output_ip6_node_fn)
439 #else /* IPSEC > 1 */
441 /* Dummy ipsec output node, in case when IPSec is disabled */
444 ipsec_output_node_fn (vlib_main_t * vm,
445 vlib_node_runtime_t * node, vlib_frame_t * frame)
447 clib_warning ("IPSec disabled");
452 VLIB_REGISTER_NODE (ipsec_output_node) = {
453 .vector_size = sizeof (u32),
454 .function = ipsec_output_node_fn,
455 .name = "ipsec-output-ip4",
458 VLIB_REGISTER_NODE (ipsec_output_node) = {
459 .vector_size = sizeof (u32),
460 .function = ipsec_output_node_fn,
461 .name = "ipsec-output-ip6",
467 * fd.io coding-style-patch-verification: ON
470 * eval: (c-set-style "gnu")