Change the way IP header pointer is calculated in esp_decrypt nodes 04/12504/2
authorSzymon Sliwa <szs@semihalf.com>
Wed, 9 May 2018 12:28:08 +0000 (14:28 +0200)
committerDamjan Marion <dmarion.lists@gmail.com>
Thu, 10 May 2018 14:11:13 +0000 (14:11 +0000)
The pointer to the IP header was derived from l3_hdr_offset,
which would be OK if l3_hdr_offset were valid. But it does not
have to be, so it was a bad solution. Now the previous nodes
mark whether it is an IPv6 or IPv4 packet type, and in esp_decrypt
we get the IP header pointer by subtracting the size
of the IP header from the pointer to the ESP header (which lies
in front of the ip header).

Change-Id: I6d425b90931053711e8ce9126811b77ae6002a16
Signed-off-by: Szymon Sliwa <szs@semihalf.com>
src/plugins/dpdk/ipsec/esp_decrypt.c
src/vnet/ipsec/esp_decrypt.c
src/vnet/ipsec/ipsec_input.c

index 85bfb64..06909b3 100644 (file)
@@ -476,7 +476,13 @@ dpdk_esp_decrypt_post_node_fn (vlib_main_t * vm,
                esp_replay_advance(sa0, seq);
            }
 
-          ih4 = (ip4_header_t *) (b0->data + vnet_buffer(b0)->l3_hdr_offset);
+          if (b0->flags & VNET_BUFFER_F_IS_IP4)
+            ih4 =
+               (ip4_header_t *) ((u8 *) esp0 - sizeof (ip4_header_t));
+          else
+            ih4 =
+               (ip4_header_t *) ((u8 *) esp0 - sizeof (ip6_header_t));
+
          vlib_buffer_advance (b0, sizeof (esp_header_t) + iv_size);
 
          b0->flags |= VLIB_BUFFER_TOTAL_LENGTH_VALID;
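Review bot: Subtracting `sizeof (ip4_header_t)` or `sizeof (ip6_header_t)` from `esp0` only lands on the IP header when that header has its minimum length. An IPv4 packet carrying options, or an IPv6 packet with extension headers ahead of ESP, would leave `ih4` pointing into the middle of the real header. This is the receive path for packets from the network, so the assumption should either be enforced where the flag is set or at least stated here, e.g. `/* assumes no IPv4 options and no IPv6 extension headers before ESP */`. The same computation appears in the esp_decrypt_node_fn hunk of src/vnet/ipsec/esp_decrypt.c. The enclosing function starts and ends outside this hunk, so any later validation of `ih4` is not visible here.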
index 62b12db..a0eeed4 100644 (file)
@@ -269,9 +269,13 @@ esp_decrypt_node_fn (vlib_main_t * vm,
                {
                  tunnel_mode = 0;
 
-                 ih4 =
-                   (ip4_header_t *) ((u8 *) i_b0->data +
-                                     vnet_buffer (i_b0)->l3_hdr_offset);
+                 if (i_b0->flags & VNET_BUFFER_F_IS_IP4)
+                   ih4 =
+                     (ip4_header_t *) ((u8 *) esp0 - sizeof (ip4_header_t));
+                 else
+                   ih4 =
+                     (ip4_header_t *) ((u8 *) esp0 - sizeof (ip6_header_t));
+
                  if (PREDICT_TRUE
                      ((ih4->ip_version_and_header_length & 0xF0) != 0x40))
                    {
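Review bot: The `else` branch treats every buffer without `VNET_BUFFER_F_IS_IP4` as IPv6, including one where neither flag was set. In this commit the flags are set only in the two ipsec_input nodes, and whether other nodes can hand buffers to esp_decrypt is not visible here. For such a buffer `ih4` is taken `sizeof (ip6_header_t)` bytes before `esp0`, and the version-nibble test on the following lines reads whatever bytes lie there. Testing the second flag explicitly, `else if (i_b0->flags & VNET_BUFFER_F_IS_IP6)`, and dropping the packet in the remaining case, would keep a stale or unset flag from steering the pointer. The dpdk_esp_decrypt_post_node_fn hunk has the same `else`.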
index 08269d0..d617555 100644 (file)
@@ -207,6 +207,8 @@ ipsec_input_ip4_node_fn (vlib_main_t * vm,
          n_left_to_next -= 1;
 
          b0 = vlib_get_buffer (vm, bi0);
+         b0->flags |= VNET_BUFFER_F_IS_IP4;
+         b0->flags &= ~VNET_BUFFER_F_IS_IP6;
          c0 =
            vnet_feature_next_with_data (vnet_buffer (b0)->sw_if_index
                                         [VLIB_RX], &next0, b0,
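Review bot: Nothing at the two added lines says why the flags are set here, and the code that depends on them is in a different file. A short comment above `b0->flags |= VNET_BUFFER_F_IS_IP4;`, such as `/* esp_decrypt locates the IP header from IS_IP4/IS_IP6, not l3_hdr_offset */`, would make the dependency visible to anyone adding another path into the decrypt nodes. The same applies to the IPv6 hunk that follows. The loop body continues outside the hunk.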
@@ -389,6 +391,8 @@ VLIB_NODE_FUNCTION_MULTIARCH (ipsec_input_ip4_node, ipsec_input_ip4_node_fn)
          n_left_to_next -= 1;
 
          b0 = vlib_get_buffer (vm, bi0);
+         b0->flags |= VNET_BUFFER_F_IS_IP6;
+         b0->flags &= ~VNET_BUFFER_F_IS_IP4;
          c0 =
            vnet_feature_next_with_data (vnet_buffer (b0)->sw_if_index
                                         [VLIB_RX], &next0, b0,