dpdk: ipsec tunnel support for ip6-in-ip4

Type: feature

If an attempt was made to send an IPv6 packet over an IPv4 tunnel,
the DPDK esp_encrypt did not complete setting up
the crypto operation for a buffer, but still queued the crypto
operations that were allocated. This results in a SEGV when
attempting to dequeue them in dpdk-crypto-input.

Allow IPv6 packets to be sent over a v4 tunnel when using the DPDK
plugin esp crypto nodes.

Change-Id: Ic9a4cd69b7fc06a17ab2f64ae806ec2ceacfef27
Signed-off-by: Matthew Smith <mgsmith@netgate.com>

diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c
index a82f63e..afbab96 100644 (file)
--- a/src/plugins/dpdk/ipsec/esp_decrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_decrypt.c
@@ -587,8 +587,7 @@ dpdk_esp_decrypt_post_inline (vlib_main_t * vm,
            {
              if (f0->next_header == IP_PROTOCOL_IP_IN_IP)
                next0 = ESP_DECRYPT_NEXT_IP4_INPUT;
-             else if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa0)
-                      && f0->next_header == IP_PROTOCOL_IPV6)
+             else if (f0->next_header == IP_PROTOCOL_IPV6)
                next0 = ESP_DECRYPT_NEXT_IP6_INPUT;
              else
                {

diff --git a/src/plugins/dpdk/ipsec/esp_encrypt.c b/src/plugins/dpdk/ipsec/esp_encrypt.c
index af0e4b6..5fa84fb 100644 (file)
--- a/src/plugins/dpdk/ipsec/esp_encrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_encrypt.c
@@ -333,7 +333,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
          if (ipsec_sa_is_set_IS_TUNNEL (sa0))
            {
              rewrite_len = 0;
-             if (!is_ip6 && !ipsec_sa_is_set_IS_TUNNEL_V6 (sa0))       /* ip4inip4 */
+             if (!ipsec_sa_is_set_IS_TUNNEL_V6 (sa0))  /* ip4 */
                {
                  /* in tunnel mode send it back to FIB */
                  priv->next = DPDK_CRYPTO_INPUT_NEXT_IP4_LOOKUP;
@@ -342,7 +342,8 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
                  vlib_buffer_advance (b0, -adv);
                  oh0 = vlib_buffer_get_current (b0);
                  ouh0 = vlib_buffer_get_current (b0);
-                 next_hdr_type = IP_PROTOCOL_IP_IN_IP;
+                 next_hdr_type = (is_ip6 ?
+                                  IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP);
                  /*
                   * oh0->ip4.ip_version_and_header_length = 0x45;
                   * oh0->ip4.tos = ih0->ip4.tos;
@@ -373,9 +374,9 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
                  esp0->spi = clib_host_to_net_u32 (sa0->spi);
                  esp0->seq = clib_host_to_net_u32 (sa0->seq);
                }
-             else if (is_ip6 && ipsec_sa_is_set_IS_TUNNEL_V6 (sa0))
+             else
                {
-                 /* ip6inip6 */
+                 /* ip6 */
                  /* in tunnel mode send it back to FIB */
                  priv->next = DPDK_CRYPTO_INPUT_NEXT_IP6_LOOKUP;
 
@@ -385,7 +386,8 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
                  ih6_0 = (ip6_and_esp_header_t *) ih0;
                  oh6_0 = vlib_buffer_get_current (b0);
 
-                 next_hdr_type = IP_PROTOCOL_IPV6;
+                 next_hdr_type = (is_ip6 ?
+                                  IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP);
 
                  oh6_0->ip6.ip_version_traffic_class_and_flow_label =
                    ih6_0->ip6.ip_version_traffic_class_and_flow_label;
@@ -404,21 +406,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
                  oh6_0->esp.spi = clib_host_to_net_u32 (sa0->spi);
                  oh6_0->esp.seq = clib_host_to_net_u32 (sa0->seq);
                }
-             else              /* unsupported ip4inip6, ip6inip4 */
-               {
-                 if (is_ip6)
-                   vlib_node_increment_counter (vm,
-                                                dpdk_esp6_encrypt_node.index,
-                                                ESP_ENCRYPT_ERROR_NOSUP, 1);
-                 else
-                   vlib_node_increment_counter (vm,
-                                                dpdk_esp4_encrypt_node.index,
-                                                ESP_ENCRYPT_ERROR_NOSUP, 1);
-                 to_next[0] = bi0;
-                 to_next += 1;
-                 n_left_to_next -= 1;
-                 goto trace;
-               }
+
              vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
            }
          else                  /* transport mode */
@@ -487,7 +475,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
          f0->pad_length = pad_bytes;
          f0->next_header = next_hdr_type;
 
-         if (is_ip6)
+         if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa0))
            {
              u16 len = b0->current_length - sizeof (ip6_header_t);
              oh6_0->ip6.payload_length =