ipsec: IPSec protection for multi-point tunnel interfaces
[vpp.git] / src / vnet / vxlan-gbp / decap.c
index 1a8ece7..927c778 100644 (file)
  */
 
 #include <vlib/vlib.h>
-#include <vnet/pg/pg.h>
-#include <vnet/vxlan-gbp/vxlan_gbp.h>
 
-vlib_node_registration_t vxlan4_gbp_input_node;
-vlib_node_registration_t vxlan6_gbp_input_node;
+#include <vnet/vxlan-gbp/vxlan_gbp.h>
 
 typedef struct
 {
@@ -79,9 +76,11 @@ vxlan4_gbp_find_tunnel (vxlan_gbp_main_t * vxm, last_tunnel_cache4 * cache,
   vxlan4_gbp_tunnel_key_t key4;
   int rv;
 
-  key4.key[1] = ((u64) fib_index << 32) | vxlan_gbp0->vni_reserved;
-  key4.key[0] = (((u64) ip4_0->dst_address.as_u32 << 32) |
-                ip4_0->src_address.as_u32);
+  key4.key[1] = (((u64) fib_index << 32) |
+                (vxlan_gbp0->vni_reserved &
+                 clib_host_to_net_u32 (0xffffff00)));
+  key4.key[0] =
+    (((u64) ip4_0->dst_address.as_u32 << 32) | ip4_0->src_address.as_u32);
 
   if (PREDICT_FALSE (key4.key[0] != cache->key[0] ||
                     key4.key[1] != cache->key[1]))
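Review bot: The mask `clib_host_to_net_u32 (0xffffff00)` in the `key4.key[1]` assignment is an unexplained magic constant, and it is repeated in the IPv6 key (`[2] = ...`) in the hunk at `@@ -125,7 +124,9 @@`. A comment such as `/* key on the 24-bit VNI only; the reserved low byte must not affect the lookup */`, or a single named constant used at both sites, would make the intent clear. The code that installs tunnel keys is not in this diff, so it is worth confirming that it builds its keys with the same mask; otherwise a lookup can miss an existing tunnel. vxlan4_gbp_find_tunnel continues outside the hunk.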
@@ -125,7 +124,9 @@ vxlan6_gbp_find_tunnel (vxlan_gbp_main_t * vxm, last_tunnel_cache6 * cache,
     .key = {
            [0] = ip6_0->src_address.as_u64[0],
            [1] = ip6_0->src_address.as_u64[1],
-           [2] = (((u64) fib_index) << 32) | vxlan_gbp0->vni_reserved,
+           [2] = ((((u64) fib_index) << 32) |
+                  (vxlan_gbp0->vni_reserved &
+                   clib_host_to_net_u32 (0xffffff00))),
            }
   };
   int rv;
@@ -296,13 +297,13 @@ vxlan_gbp_input (vlib_main_t * vm,
          vlib_buffer_advance (b0, sizeof *vxlan_gbp0);
          vlib_buffer_advance (b1, sizeof *vxlan_gbp1);
 
+         u8 i_and_g0 = ((flags0 & VXLAN_GBP_FLAGS_GI) == VXLAN_GBP_FLAGS_GI);
+         u8 i_and_g1 = ((flags1 & VXLAN_GBP_FLAGS_GI) == VXLAN_GBP_FLAGS_GI);
+
          /* Validate VXLAN_GBP tunnel encap-fib index against packet */
-         if (PREDICT_FALSE
-             (t0 == NULL
-              || flags0 != (VXLAN_GBP_FLAGS_I | VXLAN_GBP_FLAGS_G)))
+         if (PREDICT_FALSE (t0 == NULL || !i_and_g0))
            {
-             if (t0 != NULL
-                 && flags0 != (VXLAN_GBP_FLAGS_I | VXLAN_GBP_FLAGS_G))
+             if (t0 != NULL && !i_and_g0)
                {
                  error0 = VXLAN_GBP_ERROR_BAD_FLAGS;
                  vlib_increment_combined_counter
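Review bot: The new `i_and_g0`/`i_and_g1` test only requires the bits of `VXLAN_GBP_FLAGS_GI` to be set, so a packet carrying additional flag bits is now decapsulated, whereas the removed equality check counted it as `VXLAN_GBP_ERROR_BAD_FLAGS`. If the relaxation is intended, state it at the declaration, e.g. `/* require G and I; any other flag bits are deliberately ignored */`, and consider whether unknown bits should still be counted. The context comment `Validate VXLAN_GBP tunnel encap-fib index against packet` does not describe the test below it, which checks tunnel presence and header flags. The same applies to the single-packet loop in the hunk at `@@ -431,13 +445,13 @@`. vxlan_gbp_input starts and ends outside this hunk.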
@@ -312,7 +313,13 @@ vxlan_gbp_input (vlib_main_t * vm,
              else
                {
                  error0 = VXLAN_GBP_ERROR_NO_SUCH_TUNNEL;
-                 next0 = VXLAN_GBP_INPUT_NEXT_NO_TUNNEL;
+                 next0 = VXLAN_GBP_INPUT_NEXT_PUNT;
+                 if (is_ip4)
+                   b0->punt_reason =
+                     vxm->punt_no_such_tunnel[FIB_PROTOCOL_IP4];
+                 else
+                   b0->punt_reason =
+                     vxm->punt_no_such_tunnel[FIB_PROTOCOL_IP6];
                }
              b0->error = node->errors[error0];
            }
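Review bot: Packets that match no tunnel now go to `VXLAN_GBP_INPUT_NEXT_PUNT` instead of being dropped, and this `else` branch is reached for every `t0 == NULL` packet whatever its flags. Any sender that can reach the VXLAN-GBP UDP port can therefore generate punt traffic, so confirm that the `punt_no_such_tunnel` reasons are policed or rate-limited; nothing in this diff shows that. In the preceding hunk the buffer is advanced past the VXLAN-GBP header before this decision, so also check that the punt consumer expects that offset. The four-line `if (is_ip4)` is repeated in the hunks at `@@ -345,7 +351,13 @@` and `@@ -447,7 +461,13 @@` and could be written as `b0->punt_reason = vxm->punt_no_such_tunnel[is_ip4 ? FIB_PROTOCOL_IP4 : FIB_PROTOCOL_IP6];`.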
@@ -327,15 +334,14 @@ vxlan_gbp_input (vlib_main_t * vm,
              pkts_decapsulated++;
            }
 
-         vnet_buffer2 (b0)->gbp.flags = vxlan_gbp_get_gpflags (vxlan_gbp0);
+         vnet_buffer2 (b0)->gbp.flags = (vxlan_gbp_get_gpflags (vxlan_gbp0) |
+                                         VXLAN_GBP_GPFLAGS_R);
          vnet_buffer2 (b0)->gbp.sclass = vxlan_gbp_get_sclass (vxlan_gbp0);
 
 
-         if (PREDICT_FALSE
-             (t1 == 0 || flags1 != (VXLAN_GBP_FLAGS_I | VXLAN_GBP_FLAGS_G)))
+         if (PREDICT_FALSE (t1 == NULL || !i_and_g1))
            {
-             if (t1 != 0
-                 && flags1 != (VXLAN_GBP_FLAGS_I | VXLAN_GBP_FLAGS_G))
+             if (t1 != NULL && !i_and_g1)
                {
                  error1 = VXLAN_GBP_ERROR_BAD_FLAGS;
                  vlib_increment_combined_counter
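Review bot: `VXLAN_GBP_GPFLAGS_R` is OR-ed into `gbp.flags` unconditionally, and nothing at the assignment says why every packet leaving this node carries it. The flag's definition is not in this diff, so a one-line comment in the form `/* R is always set on packets decapsulated here: <reason> */` should be added by someone who can state what it means to downstream policy nodes. The assignment sits outside the tunnel/flags check, so the bit is also set on packets that are about to be punted or dropped. The same line appears for `b1` in the hunk at `@@ -361,7 +373,9 @@` and in the single-packet loop at `@@ -461,7 +481,9 @@`.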
@@ -345,7 +351,13 @@ vxlan_gbp_input (vlib_main_t * vm,
              else
                {
                  error1 = VXLAN_GBP_ERROR_NO_SUCH_TUNNEL;
-                 next1 = VXLAN_GBP_INPUT_NEXT_NO_TUNNEL;
+                 next1 = VXLAN_GBP_INPUT_NEXT_PUNT;
+                 if (is_ip4)
+                   b1->punt_reason =
+                     vxm->punt_no_such_tunnel[FIB_PROTOCOL_IP4];
+                 else
+                   b1->punt_reason =
+                     vxm->punt_no_such_tunnel[FIB_PROTOCOL_IP6];
                }
              b1->error = node->errors[error1];
            }
@@ -361,7 +373,9 @@ vxlan_gbp_input (vlib_main_t * vm,
                (rx_counter, thread_index, t1->sw_if_index, 1, len1);
            }
 
-         vnet_buffer2 (b1)->gbp.flags = vxlan_gbp_get_gpflags (vxlan_gbp1);
+         vnet_buffer2 (b1)->gbp.flags = (vxlan_gbp_get_gpflags (vxlan_gbp1) |
+                                         VXLAN_GBP_GPFLAGS_R);
+
          vnet_buffer2 (b1)->gbp.sclass = vxlan_gbp_get_sclass (vxlan_gbp1);
 
          vnet_update_l2_len (b0);
@@ -431,13 +445,13 @@ vxlan_gbp_input (vlib_main_t * vm,
 
          /* pop (ip, udp, vxlan_gbp) */
          vlib_buffer_advance (b0, sizeof (*vxlan_gbp0));
+
+         u8 i_and_g0 = ((flags0 & VXLAN_GBP_FLAGS_GI) == VXLAN_GBP_FLAGS_GI);
+
          /* Validate VXLAN_GBP tunnel encap-fib index against packet */
-         if (PREDICT_FALSE
-             (t0 == NULL
-              || flags0 != (VXLAN_GBP_FLAGS_I | VXLAN_GBP_FLAGS_G)))
+         if (PREDICT_FALSE (t0 == NULL || !i_and_g0))
            {
-             if (t0 != NULL
-                 && flags0 != (VXLAN_GBP_FLAGS_I | VXLAN_GBP_FLAGS_G))
+             if (t0 != NULL && !i_and_g0)
                {
                  error0 = VXLAN_GBP_ERROR_BAD_FLAGS;
                  vlib_increment_combined_counter
@@ -447,7 +461,13 @@ vxlan_gbp_input (vlib_main_t * vm,
              else
                {
                  error0 = VXLAN_GBP_ERROR_NO_SUCH_TUNNEL;
-                 next0 = VXLAN_GBP_INPUT_NEXT_NO_TUNNEL;
+                 next0 = VXLAN_GBP_INPUT_NEXT_PUNT;
+                 if (is_ip4)
+                   b0->punt_reason =
+                     vxm->punt_no_such_tunnel[FIB_PROTOCOL_IP4];
+                 else
+                   b0->punt_reason =
+                     vxm->punt_no_such_tunnel[FIB_PROTOCOL_IP6];
                }
              b0->error = node->errors[error0];
            }
@@ -461,7 +481,9 @@ vxlan_gbp_input (vlib_main_t * vm,
              vlib_increment_combined_counter
                (rx_counter, thread_index, t0->sw_if_index, 1, len0);
            }
-         vnet_buffer2 (b0)->gbp.flags = vxlan_gbp_get_gpflags (vxlan_gbp0);
+         vnet_buffer2 (b0)->gbp.flags = (vxlan_gbp_get_gpflags (vxlan_gbp0) |
+                                         VXLAN_GBP_GPFLAGS_R);
+
          vnet_buffer2 (b0)->gbp.sclass = vxlan_gbp_get_sclass (vxlan_gbp0);
 
          /* Required to make the l2 tag push / pop code work on l2 subifs */
@@ -494,16 +516,16 @@ vxlan_gbp_input (vlib_main_t * vm,
   return from_frame->n_vectors;
 }
 
-static uword
-vxlan4_gbp_input (vlib_main_t * vm,
-                 vlib_node_runtime_t * node, vlib_frame_t * from_frame)
+VLIB_NODE_FN (vxlan4_gbp_input_node) (vlib_main_t * vm,
+                                     vlib_node_runtime_t * node,
+                                     vlib_frame_t * from_frame)
 {
   return vxlan_gbp_input (vm, node, from_frame, /* is_ip4 */ 1);
 }
 
-static uword
-vxlan6_gbp_input (vlib_main_t * vm,
-                 vlib_node_runtime_t * node, vlib_frame_t * from_frame)
+VLIB_NODE_FN (vxlan6_gbp_input_node) (vlib_main_t * vm,
+                                     vlib_node_runtime_t * node,
+                                     vlib_frame_t * from_frame)
 {
   return vxlan_gbp_input (vm, node, from_frame, /* is_ip4 */ 0);
 }
@@ -518,7 +540,6 @@ static char *vxlan_gbp_error_strings[] = {
 /* *INDENT-OFF* */
 VLIB_REGISTER_NODE (vxlan4_gbp_input_node) =
 {
-  .function = vxlan4_gbp_input,
   .name = "vxlan4-gbp-input",
   .vector_size = sizeof (u32),
   .n_errors = VXLAN_GBP_N_ERROR,
@@ -531,11 +552,9 @@ VLIB_REGISTER_NODE (vxlan4_gbp_input_node) =
 #undef _
   },
 };
-VLIB_NODE_FUNCTION_MULTIARCH (vxlan4_gbp_input_node, vxlan4_gbp_input)
 
 VLIB_REGISTER_NODE (vxlan6_gbp_input_node) =
 {
-  .function = vxlan6_gbp_input,
   .name = "vxlan6-gbp-input",
   .vector_size = sizeof (u32),
   .n_errors = VXLAN_GBP_N_ERROR,
@@ -548,7 +567,6 @@ VLIB_REGISTER_NODE (vxlan6_gbp_input_node) =
   },
   .format_trace = format_vxlan_gbp_rx_trace,
 };
-VLIB_NODE_FUNCTION_MULTIARCH (vxlan6_gbp_input_node, vxlan6_gbp_input)
 /* *INDENT-ON* */
 
 typedef enum
@@ -556,7 +574,7 @@ typedef enum
   IP_VXLAN_GBP_BYPASS_NEXT_DROP,
   IP_VXLAN_GBP_BYPASS_NEXT_VXLAN_GBP,
   IP_VXLAN_GBP_BYPASS_N_NEXT,
-} ip_vxan_gbp_bypass_next_t;
+} ip_vxlan_gbp_bypass_next_t;
 
 always_inline uword
 ip_vxlan_gbp_bypass_inline (vlib_main_t * vm,
@@ -957,9 +975,9 @@ ip_vxlan_gbp_bypass_inline (vlib_main_t * vm,
   return frame->n_vectors;
 }
 
-static uword
-ip4_vxlan_gbp_bypass (vlib_main_t * vm,
-                     vlib_node_runtime_t * node, vlib_frame_t * frame)
+VLIB_NODE_FN (ip4_vxlan_gbp_bypass_node) (vlib_main_t * vm,
+                                         vlib_node_runtime_t * node,
+                                         vlib_frame_t * frame)
 {
   return ip_vxlan_gbp_bypass_inline (vm, node, frame, /* is_ip4 */ 1);
 }
@@ -967,7 +985,6 @@ ip4_vxlan_gbp_bypass (vlib_main_t * vm,
 /* *INDENT-OFF* */
 VLIB_REGISTER_NODE (ip4_vxlan_gbp_bypass_node) =
 {
-  .function = ip4_vxlan_gbp_bypass,
   .name = "ip4-vxlan-gbp-bypass",
   .vector_size = sizeof (u32),
   .n_next_nodes = IP_VXLAN_GBP_BYPASS_N_NEXT,
@@ -978,10 +995,9 @@ VLIB_REGISTER_NODE (ip4_vxlan_gbp_bypass_node) =
   .format_buffer = format_ip4_header,
   .format_trace = format_ip4_forward_next_trace,
 };
-
-VLIB_NODE_FUNCTION_MULTIARCH (ip4_vxlan_gbp_bypass_node, ip4_vxlan_gbp_bypass)
 /* *INDENT-ON* */
 
+#ifndef CLIB_MARCH_VARIANT
 /* Dummy init function to get us linked in. */
 clib_error_t *
 ip4_vxlan_gbp_bypass_init (vlib_main_t * vm)
@@ -990,10 +1006,11 @@ ip4_vxlan_gbp_bypass_init (vlib_main_t * vm)
 }
 
 VLIB_INIT_FUNCTION (ip4_vxlan_gbp_bypass_init);
+#endif /* CLIB_MARCH_VARIANT */
 
-static uword
-ip6_vxlan_gbp_bypass (vlib_main_t * vm,
-                     vlib_node_runtime_t * node, vlib_frame_t * frame)
+VLIB_NODE_FN (ip6_vxlan_gbp_bypass_node) (vlib_main_t * vm,
+                                         vlib_node_runtime_t * node,
+                                         vlib_frame_t * frame)
 {
   return ip_vxlan_gbp_bypass_inline (vm, node, frame, /* is_ip4 */ 0);
 }
@@ -1001,7 +1018,6 @@ ip6_vxlan_gbp_bypass (vlib_main_t * vm,
 /* *INDENT-OFF* */
 VLIB_REGISTER_NODE (ip6_vxlan_gbp_bypass_node) =
 {
-  .function = ip6_vxlan_gbp_bypass,
   .name = "ip6-vxlan-gbp-bypass",
   .vector_size = sizeof (u32),
   .n_next_nodes = IP_VXLAN_GBP_BYPASS_N_NEXT,
@@ -1012,10 +1028,9 @@ VLIB_REGISTER_NODE (ip6_vxlan_gbp_bypass_node) =
   .format_buffer = format_ip6_header,
   .format_trace = format_ip6_forward_next_trace,
 };
-
-VLIB_NODE_FUNCTION_MULTIARCH (ip6_vxlan_gbp_bypass_node, ip6_vxlan_gbp_bypass)
 /* *INDENT-ON* */
 
+#ifndef CLIB_MARCH_VARIANT
 /* Dummy init function to get us linked in. */
 clib_error_t *
 ip6_vxlan_gbp_bypass_init (vlib_main_t * vm)
@@ -1024,6 +1039,7 @@ ip6_vxlan_gbp_bypass_init (vlib_main_t * vm)
 }
 
 VLIB_INIT_FUNCTION (ip6_vxlan_gbp_bypass_init);
+#endif /* CLIB_MARCH_VARIANT */
 
 /*
  * fd.io coding-style-patch-verification: ON