In the fast path implementation of the SPD policy lookup, the opposite convention to
the original implementation was applied: the local IP range was
interchanged with the remote IP range. This fix addresses that issue.
Type: fix
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: I0b6cccc80bf52b34524e98cfd1f1d542008bb7d0
-ipsec_fp_in_5tuple_from_ip4_range (ipsec_fp_5tuple_t *tuple, u32 la, u32 ra,
+ipsec_fp_in_5tuple_from_ip4_range (ipsec_fp_5tuple_t *tuple, u32 sa, u32 da,
u32 spi, u8 action)
{
clib_memset (tuple->l3_zero_pad, 0, sizeof (tuple->l3_zero_pad));
u32 spi, u8 action)
{
clib_memset (tuple->l3_zero_pad, 0, sizeof (tuple->l3_zero_pad));
- tuple->laddr.as_u32 = la;
- tuple->raddr.as_u32 = ra;
+ tuple->laddr.as_u32 = da;
+ tuple->raddr.as_u32 = sa;
tuple->spi = spi;
tuple->action = action;
tuple->is_ipv6 = 0;
}
always_inline void
tuple->spi = spi;
tuple->action = action;
tuple->is_ipv6 = 0;
}
always_inline void
-ipsec_fp_in_5tuple_from_ip6_range (ipsec_fp_5tuple_t *tuple, ip6_address_t *la,
- ip6_address_t *ra, u32 spi, u8 action)
+ipsec_fp_in_5tuple_from_ip6_range (ipsec_fp_5tuple_t *tuple, ip6_address_t *sa,
+ ip6_address_t *da, u32 spi, u8 action)
- clib_memcpy (&tuple->ip6_laddr, la, sizeof (ip6_address_t));
- clib_memcpy (&tuple->ip6_raddr, ra, sizeof (ip6_address_t));
+ clib_memcpy (&tuple->ip6_laddr, da, sizeof (ip6_address_t));
+ clib_memcpy (&tuple->ip6_raddr, sa, sizeof (ip6_address_t));
tuple->spi = spi;
tuple->action = action;
tuple->spi = spi;
tuple->action = action;
single_rule_in_match_5tuple (ipsec_policy_t *policy, ipsec_fp_5tuple_t *match)
{
single_rule_in_match_5tuple (ipsec_policy_t *policy, ipsec_fp_5tuple_t *match)
{
- u32 sa = clib_net_to_host_u32 (match->laddr.as_u32);
- u32 da = clib_net_to_host_u32 (match->raddr.as_u32);
+ u32 da = clib_net_to_host_u32 (match->laddr.as_u32);
+ u32 sa = clib_net_to_host_u32 (match->raddr.as_u32);
if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
{
if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
{
- if (da < clib_net_to_host_u32 (policy->raddr.start.ip4.as_u32))
+ if (sa < clib_net_to_host_u32 (policy->raddr.start.ip4.as_u32))
- if (da > clib_net_to_host_u32 (policy->raddr.stop.ip4.as_u32))
+ if (sa > clib_net_to_host_u32 (policy->raddr.stop.ip4.as_u32))
- if (sa < clib_net_to_host_u32 (policy->laddr.start.ip4.as_u32))
+ if (da < clib_net_to_host_u32 (policy->laddr.start.ip4.as_u32))
- if (sa > clib_net_to_host_u32 (policy->laddr.stop.ip4.as_u32))
+ if (da > clib_net_to_host_u32 (policy->laddr.stop.ip4.as_u32))
return (0);
}
return (1);
return (0);
}
return (1);
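Review bot: The crossed loads in single_rule_in_match_5tuple — `da` taken from `match->laddr` and `sa` from `match->raddr` — are the substance of the fix, but without a comment they read like a copy-paste slip, and the same convention is encoded just as silently in ipsec_fp_in_5tuple_from_ip4_range and ipsec_fp_in_5tuple_from_ip6_range above, which now take `sa`/`da` and store `da` into `laddr`. I would put `/* inbound: the tuple's laddr carries the packet destination (checked against the policy local range) and raddr the packet source (checked against the remote range) */` above the two loads, and a matching one-liner in each of the two tuple builders. The range comparisons and the non-PROTECT branch of this function run past the hunk, so I could not confirm from this page that every other reader of ipsec_fp_5tuple_t follows the same laddr/raddr convention; worth checking before merge, since a single consumer left on the old orientation would silently match the wrong policy.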
# create input rules
# bypass rule should take precedence over discard rule,
# create input rules
# bypass rule should take precedence over discard rule,
- # even though it's lower priority
+ # even though it's lower priority, because for input policies
+ # matching PROTECT policies precedes matching BYPASS policies
+ # which preceeds matching for DISCARD policies.
+ # Any hit stops the process.
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
self.pg1,
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
self.pg1,
priority=10,
policy_type="bypass",
ip_range=True,
priority=10,
policy_type="bypass",
ip_range=True,
- local_ip_start=self.pg0.remote_ip4,
- local_ip_stop=self.pg0.remote_ip4,
- remote_ip_start=self.pg1.remote_ip4,
- remote_ip_stop=self.pg1.remote_ip4,
+ local_ip_start=self.pg1.remote_ip4,
+ local_ip_stop=self.pg1.remote_ip4,
+ remote_ip_start=self.pg0.remote_ip4,
+ remote_ip_stop=self.pg0.remote_ip4,
)
policy_1 = self.spd_add_rem_policy( # inbound, priority 15
1,
)
policy_1 = self.spd_add_rem_policy( # inbound, priority 15
1,
priority=15,
policy_type="discard",
ip_range=True,
priority=15,
policy_type="discard",
ip_range=True,
- local_ip_start=self.pg0.remote_ip4,
- local_ip_stop=self.pg0.remote_ip4,
- remote_ip_start=self.pg1.remote_ip4,
- remote_ip_stop=self.pg1.remote_ip4,
+ local_ip_start=self.pg1.remote_ip4,
+ local_ip_stop=self.pg1.remote_ip4,
+ remote_ip_start=self.pg0.remote_ip4,
+ remote_ip_stop=self.pg0.remote_ip4,
)
# create output rule so we can capture forwarded packets
)
# create output rule so we can capture forwarded packets
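Review bot: The added comment explaining the bypass-over-discard precedence has a typo in its third line, `preceeds`; it should read `# which precedes matching for DISCARD policies.`. The comment also documents a PROTECT → BYPASS → DISCARD ordering for input policies, but this test only installs bypass and discard rules, so the PROTECT part of that claim is not exercised here — I'd either point the comment at where the ordering is implemented or trim it to the two policy types this test covers. The policy_0/policy_1 range swap itself is consistent between the two rules.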
# even though it's lower priority
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
# even though it's lower priority
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
# create output rule so we can capture forwarded packets
policy_1 = self.spd_add_rem_policy( # outbound, priority 10
1,
# create output rule so we can capture forwarded packets
policy_1 = self.spd_add_rem_policy( # outbound, priority 10
1,
socket.IPPROTO_UDP,
is_out=1,
priority=10,
socket.IPPROTO_UDP,
is_out=1,
priority=10,
p,
p.scapy_tra_sa,
self.tra_if,
p,
p.scapy_tra_sa,
self.tra_if,
- src=self.tra_if.local_ip4,
- dst=self.tra_if.remote_ip4,
+ src=self.tra_if.remote_ip4,
+ dst=self.tra_if.local_ip4,
count=pkt_count,
payload_size=payload_size,
)
count=pkt_count,
payload_size=payload_size,
)
priority=10,
policy_type="bypass",
ip_range=True,
priority=10,
policy_type="bypass",
ip_range=True,
- local_ip_start=s_ip_s0,
- local_ip_stop=s_ip_e0,
- remote_ip_start=d_ip_s0,
- remote_ip_stop=d_ip_e0,
+ local_ip_start=d_ip_s0,
+ local_ip_stop=d_ip_e0,
+ remote_ip_start=s_ip_s0,
+ remote_ip_stop=s_ip_e0,
)
policy_1 = self.spd_add_rem_policy( # outbound, priority 5
1,
)
policy_1 = self.spd_add_rem_policy( # outbound, priority 5
1,
self.spd_create_and_intf_add(1, [self.pg0, self.pg1])
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
self.spd_create_and_intf_add(1, [self.pg0, self.pg1])
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
)
policy_1 = self.spd_add_rem_policy( # inbound, priority 5
1,
)
policy_1 = self.spd_add_rem_policy( # inbound, priority 5
1,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
# now remove the bypass rule
self.spd_add_rem_policy( # outbound, priority 10
1,
# now remove the bypass rule
self.spd_add_rem_policy( # outbound, priority 10
1,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
self.spd_create_and_intf_add(1, [self.pg0, self.pg1])
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
self.spd_create_and_intf_add(1, [self.pg0, self.pg1])
policy_0 = self.spd_add_rem_policy( # inbound, priority 10
1,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
)
policy_1 = self.spd_add_rem_policy( # inbound, priority 5
1,
)
policy_1 = self.spd_add_rem_policy( # inbound, priority 5
1,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
# remove the bypass rule, leaving only the discard rule
self.spd_add_rem_policy( # inbound, priority 10
1,
# remove the bypass rule, leaving only the discard rule
self.spd_add_rem_policy( # inbound, priority 10
1,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
# now readd the bypass rule
policy_0 = self.spd_add_rem_policy( # outbound, priority 10
1,
# now readd the bypass rule
policy_0 = self.spd_add_rem_policy( # outbound, priority 10
1,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
# add rules on all interfaces
policy_01 = self.spd_add_rem_policy( # inbound, priority 10
1,
# add rules on all interfaces
policy_01 = self.spd_add_rem_policy( # inbound, priority 10
1,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
)
policy_02 = self.spd_add_rem_policy( # inbound, priority 5
1,
)
policy_02 = self.spd_add_rem_policy( # inbound, priority 5
1,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
policy_11 = self.spd_add_rem_policy( # inbound, priority 10
1,
policy_11 = self.spd_add_rem_policy( # inbound, priority 10
1,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
)
policy_12 = self.spd_add_rem_policy( # inbound, priority 5
1,
)
policy_12 = self.spd_add_rem_policy( # inbound, priority 5
1,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
policy_21 = self.spd_add_rem_policy( # inbound, priority 5
1,
policy_21 = self.spd_add_rem_policy( # inbound, priority 5
1,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
socket.IPPROTO_UDP,
is_out=0,
priority=5,
)
policy_22 = self.spd_add_rem_policy( # inbound, priority 10
1,
)
policy_22 = self.spd_add_rem_policy( # inbound, priority 10
1,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
socket.IPPROTO_UDP,
is_out=0,
priority=10,
p,
p.scapy_tra_sa,
self.tra_if,
p,
p.scapy_tra_sa,
self.tra_if,
- src=self.tra_if.local_ip6,
- dst=self.tra_if.remote_ip6,
+ src=self.tra_if.remote_ip6,
+ dst=self.tra_if.local_ip6,
count=pkt_count,
payload_size=payload_size,
)
count=pkt_count,
payload_size=payload_size,
)