From: Chenmin Sun Date: Mon, 22 Jun 2020 10:21:31 +0000 (+0800) Subject: flow: add IPSec ESP/AH flow X-Git-Tag: v21.01-rc0~243 X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=d4c3666b9aef1050796677320460dee2df44a830;p=vpp.git flow: add IPSec ESP/AH flow This patch adds the IPSec ESP/AH type flow support Have tested on E810 with Intel iAVF driver Type: feature Signed-off-by: Chenmin Sun Change-Id: I6ab8e69f67c423cc4e33f3c363881a97cdb98c30
---
diff --git a/src/plugins/dpdk/device/flow.c b/src/plugins/dpdk/device/flow.c
index 59dd14df97f..674f2f50e64 100644
--- a/src/plugins/dpdk/device/flow.c
+++ b/src/plugins/dpdk/device/flow.c
@@ -118,6 +118,8 @@ dpdk_flow_add (dpdk_device_t * xd, vnet_flow_t * f, dpdk_flow_entry_t * fe)
 struct rte_flow_item_tcp tcp[2] = { };
 struct rte_flow_item_gtp gtp[2] = { };
 struct rte_flow_item_l2tpv3oip l2tp[2] = { };
+ struct rte_flow_item_esp esp[2] = { };
+ struct rte_flow_item_ah ah[2] = { };
 struct rte_flow_action_mark mark = { 0 };
 struct rte_flow_action_queue queue = { 0 };
 struct rte_flow_action_rss rss = { 0 };
@@ -219,6 +221,48 @@ dpdk_flow_add (dpdk_device_t * xd, vnet_flow_t * f, dpdk_flow_entry_t * fe)
 }
 protocol = l2tp->protocol;
 }
+ if (f->type == VNET_FLOW_TYPE_IP4_IPSEC_ESP)
+ {
+ vnet_flow_ip4_ipsec_esp_t *tesp = &f->ip4_ipsec_esp;
+ item->type = RTE_FLOW_ITEM_TYPE_IPV4;
+
+ if (!tesp->src_addr.mask.as_u32 && !tesp->dst_addr.mask.as_u32)
+ {
+ item->spec = NULL;
+ item->mask = NULL;
+ }
+ else
+ {
+ ip4[0].hdr.src_addr = tesp->src_addr.addr.as_u32;
+ ip4[1].hdr.src_addr = tesp->src_addr.mask.as_u32;
+ ip4[0].hdr.dst_addr = tesp->dst_addr.addr.as_u32;
+ ip4[1].hdr.dst_addr = tesp->dst_addr.mask.as_u32;
+ item->spec = ip4;
+ item->mask = ip4 + 1;
+ }
+ protocol = tesp->protocol;
+ }
+ else if (f->type == VNET_FLOW_TYPE_IP4_IPSEC_AH)
+ {
+ vnet_flow_ip4_ipsec_ah_t *tah = &f->ip4_ipsec_ah;
+ item->type = RTE_FLOW_ITEM_TYPE_IPV4;
+
+ if (!tah->src_addr.mask.as_u32 && !tah->dst_addr.mask.as_u32)
+ {
+ item->spec = NULL;
+ item->mask = NULL;
+ }
+ else
+ {
+ ip4[0].hdr.src_addr = tah->src_addr.addr.as_u32;
+ ip4[1].hdr.src_addr = tah->src_addr.mask.as_u32;
+ ip4[0].hdr.dst_addr = tah->dst_addr.addr.as_u32;
+ ip4[1].hdr.dst_addr = tah->dst_addr.mask.as_u32;
+ item->spec = ip4;
+ item->mask = ip4 + 1;
+ }
+ protocol = tah->protocol;
+ }
 else if ((f->type == VNET_FLOW_TYPE_IP6_N_TUPLE) ||
 (f->type == VNET_FLOW_TYPE_IP6_GTPC) ||
 (f->type == VNET_FLOW_TYPE_IP6_GTPU) ||
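Review bot: `protocol = tesp->protocol;` (and `protocol = tah->protocol;` in the AH branch) takes the IP protocol from the caller-supplied flow rather than from the flow type, so an IP4_IPSEC_ESP flow whose `protocol` field was left at some other value never reaches the ESP item dispatch later in this function and is programmed as a plain IPv4 match with the SPI ignored; the CLI in this patch does set `protocol` from `proto`, but other API paths are not visible here. Pinning it, `protocol = IP_PROTOCOL_IPSEC_ESP;` / `protocol = IP_PROTOCOL_IPSEC_AH;`, or returning VNET_FLOW_ERROR_NOT_SUPPORTED when the field disagrees, would make the type authoritative. The two branches are otherwise identical and, per the flow.h hunk, the two structs carry the same field list, so one static helper taking the src/dst address-and-mask pairs would remove the duplication. dpdk_flow_add starts and ends outside this hunk.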
@@ -344,6 +388,30 @@ dpdk_flow_add (dpdk_device_t * xd, vnet_flow_t * f, dpdk_flow_entry_t * fe)
 item->mask = tcp + 1;
 }
 }
+ else if (protocol == IP_PROTOCOL_IPSEC_ESP)
+ {
+ vec_add2 (items, item, 1);
+ item->type = RTE_FLOW_ITEM_TYPE_ESP;
+
+ vnet_flow_ip4_ipsec_esp_t *tesp = &f->ip4_ipsec_esp;
+ esp[0].hdr.spi = clib_host_to_net_u32 (tesp->spi);
+ esp[1].hdr.spi = ~0;
+
+ item->spec = esp;
+ item->mask = esp + 1;
+ }
+ else if (protocol == IP_PROTOCOL_IPSEC_AH)
+ {
+ vec_add2 (items, item, 1);
+ item->type = RTE_FLOW_ITEM_TYPE_AH;
+
+ vnet_flow_ip4_ipsec_ah_t *tah = &f->ip4_ipsec_ah;
+ ah[0].spi = clib_host_to_net_u32 (tah->spi);
+ ah[1].spi = ~0;
+
+ item->spec = ah;
+ item->mask = ah + 1;
+ }
 else if (protocol == IP_PROTOCOL_RESERVED)
 {
 rv = VNET_FLOW_ERROR_NOT_SUPPORTED;
@@ -363,6 +431,7 @@ dpdk_flow_add (dpdk_device_t * xd, vnet_flow_t * f, dpdk_flow_entry_t * fe)
 item->spec = l2tp;
 item->mask = l2tp + 1;
 }
+
 if (f->type == VNET_FLOW_TYPE_IP4_VXLAN)
 {
 u32 vni = f->ip4_vxlan.vni;
@@ -768,6 +837,8 @@ dpdk_flow_ops_fn (vnet_main_t * vnm, vnet_flow_dev_op_t op, u32 dev_instance,
 case VNET_FLOW_TYPE_IP6_GTPU_IP4:
 case VNET_FLOW_TYPE_IP6_GTPU_IP6:
 case VNET_FLOW_TYPE_IP4_L2TPV3OIP:
+ case VNET_FLOW_TYPE_IP4_IPSEC_ESP:
+ case VNET_FLOW_TYPE_IP4_IPSEC_AH:
 if ((rv = dpdk_flow_add (xd, flow, fe)))
 goto done;
 break;
diff --git a/src/vnet/flow/flow.h b/src/vnet/flow/flow.h
index a880b8a69be..b5ec7ccd142 100644
--- a/src/vnet/flow/flow.h
+++ b/src/vnet/flow/flow.h
@@ -33,6 +33,8 @@
 _(IP6_N_TUPLE_TAGGED, ip6_n_tuple_tagged, "ipv6-n-tuple-tagged") \
 /* IP tunnel flow */ \
 _(IP4_L2TPV3OIP, ip4_l2tpv3oip, "ipv4-l2tpv3oip") \
+ _(IP4_IPSEC_ESP, ip4_ipsec_esp, "ipv4-ipsec-esp") \
+ _(IP4_IPSEC_AH, ip4_ipsec_ah, "ipv4-ipsec-ah") \
 /* L4 tunnel flow*/ \
 _(IP4_VXLAN, ip4_vxlan, "ipv4-vxlan") \
 _(IP6_VXLAN, ip6_vxlan, "ipv6-vxlan") \
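Review bot: The new `protocol == IP_PROTOCOL_IPSEC_ESP` branch dereferences `f->ip4_ipsec_esp` without checking `f->type`, so any flow type that reaches this dispatch with protocol 50 (an IPv4 n-tuple flow given that protocol, for instance) has whatever the overlapping union member holds at that offset read as the SPI and programmed as an exact-match ESP spec; the AH branch has the same shape. Guarding the condition, `else if (protocol == IP_PROTOCOL_IPSEC_ESP && f->type == VNET_FLOW_TYPE_IP4_IPSEC_ESP)`, or leaving `item->spec`/`item->mask` NULL when the type does not match, keeps such flows matching on the protocol alone. Whether the existing L2TP branch above follows the same pattern is not visible in this hunk, so the guard may belong on both. dpdk_flow_add starts and ends outside this hunk.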
@@ -82,6 +84,18 @@
 _fe(ip_protocol_t, protocol) \
 _fe(u32, session_id)
 
+#define foreach_flow_entry_ip4_ipsec_esp \
+ _fe(ip4_address_and_mask_t, src_addr) \
+ _fe(ip4_address_and_mask_t, dst_addr) \
+ _fe(ip_protocol_t, protocol) \
+ _fe(u32, spi)
+
+#define foreach_flow_entry_ip4_ipsec_ah \
+ _fe(ip4_address_and_mask_t, src_addr) \
+ _fe(ip4_address_and_mask_t, dst_addr) \
+ _fe(ip_protocol_t, protocol) \
+ _fe(u32, spi)
+
 #define foreach_flow_entry_ip4_vxlan \
 _fe(ip4_address_t, src_addr) \
 _fe(ip4_address_t, dst_addr) \
diff --git a/src/vnet/flow/flow_cli.c b/src/vnet/flow/flow_cli.c
index 364b475dc3e..98007a7723e 100644
--- a/src/vnet/flow/flow_cli.c
+++ b/src/vnet/flow/flow_cli.c
@@ -276,11 +276,12 @@ test_flow (vlib_main_t * vm, unformat_input_t * input,
 } action = FLOW_UNKNOWN_ACTION;
 u32 hw_if_index = ~0, flow_index = ~0;
 int rv;
- u32 prot = 0, teid = 0, session_id = 0;
+ u32 prot = 0, teid = 0, session_id = 0, spi = 0;
 vnet_flow_type_t type = VNET_FLOW_TYPE_IP4_N_TUPLE;
 bool is_gtpc_set = false;
 bool is_gtpu_set = false;
 bool is_l2tpv3oip_set = false;
+ bool is_ipsec_esp_set = false, is_ipsec_ah_set = false;
 vnet_flow_type_t outer_type = VNET_FLOW_TYPE_UNKNOWN;
 vnet_flow_type_t inner_type = VNET_FLOW_TYPE_UNKNOWN;
 bool outer_ip4_set = false, inner_ip4_set = false;
@@ -363,6 +364,13 @@ test_flow (vlib_main_t * vm, unformat_input_t * input,
 if (prot == IP_PROTOCOL_L2TP)
 is_l2tpv3oip_set = true;
 }
+ else if (unformat (line_input, "spi %u", &spi))
+ {
+ if (prot == IP_PROTOCOL_IPSEC_ESP)
+ is_ipsec_esp_set = true;
+ else if (prot == IP_PROTOCOL_IPSEC_AH)
+ is_ipsec_ah_set = true;
+ }
 else if (unformat (line_input, "index %u", &flow_index))
 ;
 else if (unformat (line_input, "next-node %U", unformat_vlib_node, vm,
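Review bot: `_fe(u32, spi)` says nothing about byte order or maskability, while the address fields beside it are address-and-mask pairs; in the flow.c hunk the value is converted with clib_host_to_net_u32 and matched against an all-ones mask, so it is a host-order SPI matched exactly. A trailing comment on the field in both lists, `_fe(u32, spi) /* host byte order, exact match only */`, would save API users from having to read the DPDK backend to find that out. The ESP and AH lists are token-for-token identical; if they are meant to stay in lockstep, a one-line comment saying so (or a single shared list) would make that intent explicit.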
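Review bot: `spi %u` only promotes the flow to an IPsec type when `proto` was already parsed earlier on the same command line, so a line that gives `spi` before `proto` silently keeps the default n-tuple type and the SPI is dropped without any error — the same ordering dependency the session-id branch just above it has. Recording a plain `is_spi_set = true;` here and deciding the type once parsing is complete, in the selection chain of the @@ -489 hunk (`else if (is_spi_set && prot == IP_PROTOCOL_IPSEC_ESP)`, and likewise for AH), removes the dependency; an `is_spi_set` with a `prot` that is neither ESP nor AH could then be rejected instead of ignored. test_flow starts and ends outside this hunk.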
@@ -489,6 +497,10 @@ test_flow (vlib_main_t * vm, unformat_input_t * input,
 type = VNET_FLOW_TYPE_IP4_GTPU;
 else if (is_l2tpv3oip_set)
 type = VNET_FLOW_TYPE_IP4_L2TPV3OIP;
+ else if (is_ipsec_esp_set)
+ type = VNET_FLOW_TYPE_IP4_IPSEC_ESP;
+ else if (is_ipsec_ah_set)
+ type = VNET_FLOW_TYPE_IP4_IPSEC_AH;
 }
 else if (inner_type == VNET_FLOW_TYPE_IP4_N_TUPLE)
 {
@@ -539,6 +551,22 @@ test_flow (vlib_main_t * vm, unformat_input_t * input,
 flow.ip4_l2tpv3oip.protocol = prot;
 flow.ip4_l2tpv3oip.session_id = session_id;
 break;
+ case VNET_FLOW_TYPE_IP4_IPSEC_ESP:
+ clib_memcpy (&flow.ip4_ipsec_esp.src_addr, &ip4s,
+ sizeof (ip4_address_and_mask_t));
+ clib_memcpy (&flow.ip4_ipsec_esp.dst_addr, &ip4d,
+ sizeof (ip4_address_and_mask_t));
+ flow.ip4_ipsec_esp.protocol = prot;
+ flow.ip4_ipsec_esp.spi = spi;
+ break;
+ case VNET_FLOW_TYPE_IP4_IPSEC_AH:
+ clib_memcpy (&flow.ip4_ipsec_ah.src_addr, &ip4s,
+ sizeof (ip4_address_and_mask_t));
+ clib_memcpy (&flow.ip4_ipsec_ah.dst_addr, &ip4d,
+ sizeof (ip4_address_and_mask_t));
+ flow.ip4_ipsec_ah.protocol = prot;
+ flow.ip4_ipsec_ah.spi = spi;
+ break;
 case VNET_FLOW_TYPE_IP4_N_TUPLE:
 case VNET_FLOW_TYPE_IP4_GTPC:
 case VNET_FLOW_TYPE_IP4_GTPU: