ipip: Tunnel flags controlling copying data to/from payload/encap

Type: feature

Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I9467f11775936754406892b8e9e275f989ac9b30

diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c
index b6202ae..a260bb1 100644 (file)
--- a/src/plugins/ikev2/ikev2.c
+++ b/src/plugins/ikev2/ikev2.c
@@ -1542,7 +1542,8 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a)
   int rv;
 
   rv = ipip_add_tunnel (IPIP_TRANSPORT_IP4, ~0,
-                       &a->local_ip, &a->remote_ip, 0, 0, &sw_if_index);
+                       &a->local_ip, &a->remote_ip, 0,
+                       IPIP_TUNNEL_FLAG_NONE, IP_DSCP_CS0, &sw_if_index);
 
   rv |= ipsec_sa_add_and_lock (a->local_sa_id,
                               a->local_spi,

diff --git a/src/vnet/CMakeLists.txt b/src/vnet/CMakeLists.txt
index 18898e1..658e8d9 100644 (file)
--- a/src/vnet/CMakeLists.txt
+++ b/src/vnet/CMakeLists.txt
@@ -722,6 +722,7 @@ list(APPEND VNET_SOURCES
   ipip/sixrd.c
   ipip/ipip_api.c
   ipip/ipip_cli.c
+  ipip/ipip_types_api.c
 )
 
 list(APPEND VNET_MULTIARCH_SOURCES
@@ -730,9 +731,13 @@ list(APPEND VNET_MULTIARCH_SOURCES
 
 list(APPEND VNET_HEADERS
   ipip/ipip.h
+  ipip/ipip_types_api.h
 )
 
-list(APPEND VNET_API_FILES ipip/ipip.api)
+list(APPEND VNET_API_FILES
+  ipip/ipip_types.api
+  ipip/ipip.api
+)
 
 ##############################################################################
 # Tunnel protocol: l2tpv3

diff --git a/src/vnet/ip/ip.c b/src/vnet/ip/ip.c
index 785cd49..88eff4f 100644 (file)
--- a/src/vnet/ip/ip.c
+++ b/src/vnet/ip/ip.c
@@ -312,6 +312,23 @@ format_ip_dscp (u8 * s, va_list * va)
   return (format (s, "unknown"));
 }
 
+u8 *
+format_ip_ecn (u8 * s, va_list * va)
+{
+  ip_ecn_t ecn = va_arg (*va, u32);    // int promotion of u8
+
+  switch (ecn)
+    {
+#define _(n,v)                                                  \
+    case IP_ECN_##v:                                           \
+      return (format (s, "%s", #v));
+      foreach_ip_ecn
+#undef _
+    }
+
+  return (format (s, "unknown"));
+}
+
 /*
  * fd.io coding-style-patch-verification: ON
  *

diff --git a/src/vnet/ip/ip4_format.c b/src/vnet/ip/ip4_format.c
index eebd5ad..786a01d 100644 (file)
--- a/src/vnet/ip/ip4_format.c
+++ b/src/vnet/ip/ip4_format.c
@@ -155,6 +155,10 @@ format_ip4_header (u8 * s, va_list * args)
       s = format (s, " (should be 0x%04x)", clib_net_to_host_u16 (c));
   }
 
+  s = format (s, " dscp %U ecn %U",
+             format_ip_dscp, ip4_header_get_dscp (ip),
+             format_ip_ecn, ip4_header_get_ecn (ip));
+
   {
     u32 f = clib_net_to_host_u16 (ip->flags_and_fragment_offset);
     u32 o;

diff --git a/src/vnet/ip/ip4_packet.h b/src/vnet/ip/ip4_packet.h
index c1852fc..79cf22c 100644 (file)
--- a/src/vnet/ip/ip4_packet.h
+++ b/src/vnet/ip/ip4_packet.h
@@ -264,6 +264,70 @@ ip4_header_checksum (ip4_header_t * i)
   return csum;
 }
 
+always_inline void
+ip4_header_set_dscp (ip4_header_t * ip4, ip_dscp_t dscp)
+{
+  ip4->tos &= ~0xfc;
+  /* not masking the dscp value to save th instruction
+   * it shouldn't b necessary since the argument is an enum
+   * whose range is therefore constrained in the CP. in the
+   * DP it will have been taken from another packet, so again
+   * constrained in  value */
+  ip4->tos |= dscp << IP_PACKET_TC_FIELD_DSCP_BIT_SHIFT;
+}
+
+always_inline void
+ip4_header_set_ecn (ip4_header_t * ip4, ip_ecn_t ecn)
+{
+  ip4->tos &= ~IP_PACKET_TC_FIELD_ECN_MASK;
+  ip4->tos |= ecn;
+}
+
+always_inline void
+ip4_header_set_ecn_w_chksum (ip4_header_t * ip4, ip_ecn_t ecn)
+{
+  ip_csum_t sum = ip4->checksum;
+  u8 old = ip4->tos;
+  u8 new = (old & ~IP_PACKET_TC_FIELD_ECN_MASK) | ecn;
+
+  sum = ip_csum_update (sum, old, new, ip4_header_t, tos);
+  ip4->checksum = ip_csum_fold (sum);
+  ip4->tos = new;
+}
+
+always_inline ip_dscp_t
+ip4_header_get_dscp (const ip4_header_t * ip4)
+{
+  return (ip4->tos >> IP_PACKET_TC_FIELD_DSCP_BIT_SHIFT);
+}
+
+always_inline ip_ecn_t
+ip4_header_get_ecn (const ip4_header_t * ip4)
+{
+  return (ip4->tos & IP_PACKET_TC_FIELD_ECN_MASK);
+}
+
+always_inline void
+ip4_header_set_df (ip4_header_t * ip4)
+{
+  ip4->flags_and_fragment_offset |=
+    clib_host_to_net_u16 (IP4_HEADER_FLAG_DONT_FRAGMENT);
+}
+
+always_inline void
+ip4_header_clear_df (ip4_header_t * ip4)
+{
+  ip4->flags_and_fragment_offset &=
+    ~clib_host_to_net_u16 (IP4_HEADER_FLAG_DONT_FRAGMENT);
+}
+
+always_inline u8
+ip4_header_get_df (ip4_header_t * ip4)
+{
+  return (! !(ip4->flags_and_fragment_offset &
+             clib_host_to_net_u16 (IP4_HEADER_FLAG_DONT_FRAGMENT)));
+}
+
 static inline uword
 ip4_header_checksum_is_valid (ip4_header_t * i)
 {

diff --git a/src/vnet/ip/ip6_packet.h b/src/vnet/ip/ip6_packet.h
index ed96ece..8c06984 100644 (file)
--- a/src/vnet/ip/ip6_packet.h
+++ b/src/vnet/ip/ip6_packet.h
@@ -396,6 +396,20 @@ ip6_traffic_class_network_order (const ip6_header_t * ip6)
          & 0x0ff00000) >> 20;
 }
 
+static_always_inline ip_dscp_t
+ip6_dscp_network_order (const ip6_header_t * ip6)
+{
+  return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label)
+         & 0x0fc00000) >> 22;
+}
+
+static_always_inline ip_ecn_t
+ip6_ecn_network_order (const ip6_header_t * ip6)
+{
+  return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label)
+         & 0x00300000) >> 20;
+}
+
 static_always_inline void
 ip6_set_traffic_class_network_order (ip6_header_t * ip6, ip_dscp_t dscp)
 {
@@ -406,6 +420,26 @@ ip6_set_traffic_class_network_order (ip6_header_t * ip6, ip_dscp_t dscp)
   ip6->ip_version_traffic_class_and_flow_label = clib_host_to_net_u32 (tmp);
 }
 
+static_always_inline void
+ip6_set_dscp_network_order (ip6_header_t * ip6, ip_dscp_t dscp)
+{
+  u32 tmp =
+    clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label);
+  tmp &= 0xf03fffff;
+  tmp |= (dscp << 22);
+  ip6->ip_version_traffic_class_and_flow_label = clib_host_to_net_u32 (tmp);
+}
+
+static_always_inline void
+ip6_set_ecn_network_order (ip6_header_t * ip6, ip_ecn_t ecn)
+{
+  u32 tmp =
+    clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label);
+  tmp &= 0xffcfffff;
+  tmp |= (ecn << 20);
+  ip6->ip_version_traffic_class_and_flow_label = clib_host_to_net_u32 (tmp);
+}
+
 always_inline void *
 ip6_next_header (ip6_header_t * i)
 {

diff --git a/src/vnet/ip/ip_packet.h b/src/vnet/ip/ip_packet.h
index 63a59f8..9a55d5f 100644 (file)
--- a/src/vnet/ip/ip_packet.h
+++ b/src/vnet/ip/ip_packet.h
@@ -118,10 +118,35 @@ typedef enum ip_dscp_t_
 #undef _
 } __clib_packed ip_dscp_t;
 
-STATIC_ASSERT_SIZEOF (ip_dscp_t, 1);
-
 extern u8 *format_ip_dscp (u8 * s, va_list * va);
 
+/**
+ * IP DSCP bit shift
+ *  The ECN occupies the 2 least significant bits of the TC field
+ */
+#define IP_PACKET_TC_FIELD_DSCP_BIT_SHIFT 2
+#define IP_PACKET_TC_FIELD_ECN_MASK 0x03
+
+/**
+ * The set of RFC defined DSCP values.
+ */
+#define foreach_ip_ecn                        \
+  _(0, NON_ECN)                               \
+  _(1, ECT_0)                                 \
+  _(2, ECT_1)                                 \
+  _(3, CE)
+
+typedef enum ip_ecn_t_
+{
+#define _(n,f) IP_ECN_##f = n,
+  foreach_ip_ecn
+#undef _
+} __clib_packed ip_ecn_t;
+
+STATIC_ASSERT_SIZEOF (ip_ecn_t, 1);
+
+extern u8 *format_ip_ecn (u8 * s, va_list * va);
+
 /* IP checksum support. */
 
 static_always_inline u16

diff --git a/src/vnet/ipip/ipip.api b/src/vnet/ipip/ipip.api
index 8a6e726..baf0e50 100644 (file)
--- a/src/vnet/ipip/ipip.api
+++ b/src/vnet/ipip/ipip.api
@@ -1,3 +1,4 @@
+/* Hey Emacs use -*- mode: C -*- */
 /*
  * Copyright (c) 2018 Cisco and/or its affiliates.
  * Licensed under the Apache License, Version 2.0 (the "License");
@@ -48,9 +49,11 @@
  *
  */
 
-option version = "1.2.0";
+option version = "2.0.0";
+
 import "vnet/interface_types.api";
 import "vnet/ip/ip_types.api";
+import "vnet/ipip/ipip_types.api";
 
 /**
  * An IP{v4,v6} over IP{v4,v6} tunnel.
@@ -63,8 +66,9 @@ typedef ipip_tunnel
   vl_api_interface_index_t sw_if_index; /* ignored on create, set in
                                           details/dump */
   u32 table_id;
-  u8 tc_tos; /* If ~0, the TOS/TC value is copied from
-                inner packet, otherwise set to value */
+  vl_api_ipip_tunnel_flags_t flags;
+  vl_api_ip_dscp_t dscp; /* DSCP value for the tunnel encap,
+                            ignored if ECNAP_COPY_DSCP flag is set */
 };
 
 /**

diff --git a/src/vnet/ipip/ipip.c b/src/vnet/ipip/ipip.c
index 66c945e..15f453a 100644 (file)
--- a/src/vnet/ipip/ipip.c
+++ b/src/vnet/ipip/ipip.c
@@ -75,8 +75,10 @@ ipip_build_rewrite (vnet_main_t * vnm, u32 sw_if_index,
       ip4->src_address.as_u32 = t->tunnel_src.ip4.as_u32;
       ip4->dst_address.as_u32 = t->tunnel_dst.ip4.as_u32;
       ip4->checksum = ip4_header_checksum (ip4);
-      if (t->tc_tos != 0xFF)
-       ip4->tos = t->tc_tos;
+      if (!(t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_DSCP))
+       ip4_header_set_dscp (ip4, t->dscp);
+      if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_SET_DF)
+       ip4_header_set_df (ip4);
       break;
 
     case IPIP_TRANSPORT_IP6:
@@ -84,14 +86,14 @@ ipip_build_rewrite (vnet_main_t * vnm, u32 sw_if_index,
       ip6 = (ip6_header_t *) rewrite;
       ip6->ip_version_traffic_class_and_flow_label =
        clib_host_to_net_u32 (6 << 28);
-      if (t->tc_tos != 0xFF)
-       ip6_set_traffic_class_network_order (ip6, t->tc_tos);
       ip6->hop_limit = 64;
       /* fixup ip6 header length and protocol after-the-fact */
       ip6->src_address.as_u64[0] = t->tunnel_src.ip6.as_u64[0];
       ip6->src_address.as_u64[1] = t->tunnel_src.ip6.as_u64[1];
       ip6->dst_address.as_u64[0] = t->tunnel_dst.ip6.as_u64[0];
       ip6->dst_address.as_u64[1] = t->tunnel_dst.ip6.as_u64[1];
+      if (!(t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_DSCP))
+       ip6_set_dscp_network_order (ip6, t->dscp);
       break;
 
     default:
@@ -114,15 +116,25 @@ ipip4_fixup (vlib_main_t * vm, ip_adjacency_t * adj, vlib_buffer_t * b,
     {
     case VNET_LINK_IP6:
       ip4->protocol = IP_PROTOCOL_IPV6;
-      if (t->tc_tos == 0xFF)
-       ip4->tos =
-         ip6_traffic_class_network_order ((const ip6_header_t *) (ip4 + 1));
+      if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_DSCP)
+       ip4_header_set_dscp (ip4,
+                            ip6_dscp_network_order ((ip6_header_t *) (ip4 +
+                                                                      1)));
+      if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_ECN)
+       ip4_header_set_ecn (ip4,
+                           ip6_ecn_network_order ((ip6_header_t *) (ip4 +
+                                                                    1)));
       break;
 
     case VNET_LINK_IP4:
       ip4->protocol = IP_PROTOCOL_IP_IN_IP;
-      if (t->tc_tos == 0xFF)
-       ip4->tos = ((ip4_header_t *) (ip4 + 1))->tos;
+      if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_DSCP)
+       ip4_header_set_dscp (ip4, ip4_header_get_dscp (ip4 + 1));
+      if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_ECN)
+       ip4_header_set_ecn (ip4, ip4_header_get_ecn (ip4 + 1));
+      if ((t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_DF) &&
+         ip4_header_get_df (ip4 + 1))
+       ip4_header_set_df (ip4);
       break;
 
     default:
@@ -151,17 +163,20 @@ ipip6_fixup (vlib_main_t * vm, ip_adjacency_t * adj, vlib_buffer_t * b,
     {
     case VNET_LINK_IP6:
       ip6->protocol = IP_PROTOCOL_IPV6;
-      if (t->tc_tos == 0xFF)
-       ip6_set_traffic_class_network_order (ip6,
-                                            ip6_traffic_class_network_order ((const ip6_header_t *) (ip6 + 1)));
+      if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_DSCP)
+       ip6_set_dscp_network_order (ip6, ip6_dscp_network_order (ip6 + 1));
+      if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_ECN)
+       ip6_set_ecn_network_order (ip6, ip6_ecn_network_order (ip6 + 1));
       break;
 
     case VNET_LINK_IP4:
       ip6->protocol = IP_PROTOCOL_IP_IN_IP;
-      if (t->tc_tos == 0xFF)
-       ip6_set_traffic_class_network_order (ip6,
-                                            ((ip4_header_t *) (ip6 +
-                                                               1))->tos);
+      if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_DSCP)
+       ip6_set_dscp_network_order
+         (ip6, ip4_header_get_dscp ((ip4_header_t *) (ip6 + 1)));
+      if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_ECN)
+       ip6_set_ecn_network_order
+         (ip6, ip4_header_get_ecn ((ip4_header_t *) (ip6 + 1)));
       break;
 
     default:
@@ -250,6 +265,20 @@ ipip_update_adj (vnet_main_t * vnm, u32 sw_if_index, adj_index_t ai)
   ipip_tunnel_stack (ai);
 }
 
+u8 *
+format_ipip_tunnel_flags (u8 * s, va_list * args)
+{
+  ipip_tunnel_flags_t f = va_arg (*args, int);
+
+  if (f == IPIP_TUNNEL_FLAG_NONE)
+    return (format (s, "none"));
+
+#define _(a,b,c) if (f & IPIP_TUNNEL_FLAG_##a) s = format(s, "%s ", b);
+  forech_ipip_tunnel_flag
+#undef _
+    return (s);
+}
+
 static u8 *
 format_ipip_tunnel_name (u8 * s, va_list * args)
 {
@@ -384,7 +413,8 @@ ipip_tunnel_db_remove (ipip_tunnel_t * t)
 int
 ipip_add_tunnel (ipip_transport_t transport,
                 u32 instance, ip46_address_t * src, ip46_address_t * dst,
-                u32 fib_index, u8 tc_tos, u32 * sw_if_indexp)
+                u32 fib_index, ipip_tunnel_flags_t flags,
+                ip_dscp_t dscp, u32 * sw_if_indexp)
 {
   ipip_main_t *gm = &ipip_main;
   vnet_main_t *vnm = gm->vnet_main;
@@ -430,9 +460,10 @@ ipip_add_tunnel (ipip_transport_t transport,
   t->hw_if_index = hw_if_index;
   t->fib_index = fib_index;
   t->sw_if_index = sw_if_index;
-  t->tc_tos = tc_tos;
-
+  t->dscp = dscp;
+  t->flags = flags;
   t->transport = transport;
+
   vec_validate_init_empty (gm->tunnel_index_by_sw_if_index, sw_if_index, ~0);
   gm->tunnel_index_by_sw_if_index[sw_if_index] = t_idx;
 

diff --git a/src/vnet/ipip/ipip.h b/src/vnet/ipip/ipip.h
index c55d1d7..be94450 100644 (file)
--- a/src/vnet/ipip/ipip.h
+++ b/src/vnet/ipip/ipip.h
@@ -64,6 +64,28 @@ typedef enum
   IPIP_MODE_6RD,
 } ipip_mode_t;
 
+/**
+ * Keep these idenitical to those in ipip.api
+ */
+#define forech_ipip_tunnel_flag                     \
+  _(NONE, "none", 0x0)                              \
+  _(ENCAP_COPY_DF, "encap-copy-df", 0x1)            \
+  _(ENCAP_SET_DF, "encap-set-df", 0x2)              \
+  _(ENCAP_COPY_DSCP, "encap-copy-dscp", 0x4)        \
+  _(ENCAP_COPY_ECN, "encap-copy-ecn", 0x8)          \
+  _(DECAP_COPY_ECN, "decap-copy-ecn", 0x10)
+
+typedef enum ipip_tunnel_flags_t_
+{
+#define _(a,b,c) IPIP_TUNNEL_FLAG_##a = c,
+  forech_ipip_tunnel_flag
+#undef _
+} __clib_packed ipip_tunnel_flags_t;
+
+#define IPIP_TUNNEL_FLAG_MASK (0x1f)
+
+extern u8 *format_ipip_tunnel_flags (u8 * s, va_list * args);
+
 /**
  * @brief A representation of a IPIP tunnel
  */
@@ -82,7 +104,8 @@ typedef struct
   u32 sw_if_index;
   u32 dev_instance;            /* Real device instance in tunnel vector */
   u32 user_instance;           /* Instance name being shown to user */
-  u8 tc_tos;
+  ipip_tunnel_flags_t flags;
+  ip_dscp_t dscp;
 
   struct
   {
@@ -143,7 +166,8 @@ sixrd_get_addr_net (const ipip_tunnel_t * t, u64 dal)
 
 int ipip_add_tunnel (ipip_transport_t transport, u32 instance,
                     ip46_address_t * src, ip46_address_t * dst,
-                    u32 fib_index, u8 tc_tos, u32 * sw_if_indexp);
+                    u32 fib_index, ipip_tunnel_flags_t flags,
+                    ip_dscp_t dscp, u32 * sw_if_indexp);
 int ipip_del_tunnel (u32 sw_if_index);
 int sixrd_add_tunnel (ip6_address_t * ip6_prefix, u8 ip6_prefix_len,
                      ip4_address_t * ip4_prefix, u8 ip4_prefix_len,

diff --git a/src/vnet/ipip/ipip_api.c b/src/vnet/ipip/ipip_api.c
index da0cb16..47ff159 100644 (file)
--- a/src/vnet/ipip/ipip_api.c
+++ b/src/vnet/ipip/ipip_api.c
@@ -22,6 +22,7 @@
 #include <vnet/ipip/ipip.h>
 #include <vnet/vnet.h>
 #include <vnet/ip/ip_types_api.h>
+#include <vnet/ipip/ipip_types_api.h>
 
 #include <vnet/ipip/ipip.api_enum.h>
 #include <vnet/ipip/ipip.api_types.h>
@@ -36,6 +37,7 @@ vl_api_ipip_add_tunnel_t_handler (vl_api_ipip_add_tunnel_t * mp)
   vl_api_ipip_add_tunnel_reply_t *rmp;
   int rv = 0;
   u32 fib_index, sw_if_index = ~0;
+  ipip_tunnel_flags_t flags;
   ip46_address_t src, dst;
   ip46_type_t itype[2];
 
@@ -54,6 +56,11 @@ vl_api_ipip_add_tunnel_t_handler (vl_api_ipip_add_tunnel_t * mp)
       goto out;
     }
 
+  rv = ipip_tunnel_flags_decode (mp->tunnel.flags, &flags);
+
+  if (rv)
+    goto out;
+
   fib_index = fib_table_find (fib_proto_from_ip46 (itype[0]),
                              ntohl (mp->tunnel.table_id));
 
@@ -67,7 +74,8 @@ vl_api_ipip_add_tunnel_t_handler (vl_api_ipip_add_tunnel_t * mp)
                             IPIP_TRANSPORT_IP6 :
                             IPIP_TRANSPORT_IP4),
                            ntohl (mp->tunnel.instance), &src, &dst,
-                           fib_index, mp->tunnel.tc_tos, &sw_if_index);
+                           fib_index, flags,
+                           ip_dscp_decode (mp->tunnel.dscp), &sw_if_index);
     }
 
 out:
@@ -110,6 +118,8 @@ send_ipip_tunnel_details (ipip_tunnel_t * t, vl_api_ipip_tunnel_dump_t * mp)
     rmp->tunnel.table_id = htonl (ft->ft_table_id);
     rmp->tunnel.instance = htonl (t->user_instance);
     rmp->tunnel.sw_if_index = htonl (t->sw_if_index);
+    rmp->tunnel.dscp = ip_dscp_encode(t->dscp);
+    rmp->tunnel.flags = ipip_tunnel_flags_encode(t->flags);
   }));
     /* *INDENT-ON* */
 }

diff --git a/src/vnet/ipip/ipip_cli.c b/src/vnet/ipip/ipip_cli.c
index 58f5b1c..e252f3a 100644 (file)
--- a/src/vnet/ipip/ipip_cli.c
+++ b/src/vnet/ipip/ipip_cli.c
@@ -82,7 +82,8 @@ static clib_error_t *create_ipip_tunnel_command_fn(vlib_main_t *vm,
                            &src,
                            &dst,
                            fib_index,
-                           0,
+                           IPIP_TUNNEL_FLAG_NONE,
+                           IP_DSCP_CS0,
                            &sw_if_index);
     }
 
@@ -175,22 +176,25 @@ static u8 *format_ipip_tunnel(u8 *s, va_list *args) {
                                     fib_proto_from_ip46(type));
   switch (t->mode) {
   case IPIP_MODE_6RD:
-    s = format(s, "[%d] 6rd src %U ip6-pfx %U/%d table-ID %d sw-if-idx %d ",
+    s = format(s, "[%d] 6rd src %U ip6-pfx %U/%d ",
               t->dev_instance,
               format_ip46_address, &t->tunnel_src, type,
-              format_ip6_address, &t->sixrd.ip6_prefix, t->sixrd.ip6_prefix_len,
-              table_id, t->sw_if_index);
+              format_ip6_address, &t->sixrd.ip6_prefix, t->sixrd.ip6_prefix_len);
     break;
   case IPIP_MODE_P2P:
   default:
-    s = format(s, "[%d] instance %d src %U dst %U table-ID %d sw-if-idx %d ",
+    s = format(s, "[%d] instance %d src %U dst %U ",
               t->dev_instance, t->user_instance,
               format_ip46_address, &t->tunnel_src, type,
-              format_ip46_address, &t->tunnel_dst, type,
-              table_id, t->sw_if_index);
+              format_ip46_address, &t->tunnel_dst, type);
     break;
   }
 
+  s = format(s, "table-ID %d sw-if-idx %d flags [%U] dscp %U",
+             table_id, t->sw_if_index,
+             format_ipip_tunnel_flags, t->flags,
+             format_ip_dscp, t->dscp);
+
   return s;
 }
 

diff --git a/src/vnet/ipip/ipip_types.api b/src/vnet/ipip/ipip_types.api
new file mode 100644 (file)
index 0000000..3e52fe7
--- /dev/null
+++ b/src/vnet/ipip/ipip_types.api
@@ -0,0 +1,33 @@
+/* Hey Emacs use -*- mode: C -*- */
+/*
+ * Copyright (c) 2019 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Flags controlling tunnel behaviour
+ */
+enum ipip_tunnel_flags : u8
+{
+  IPIP_TUNNEL_API_FLAG_NONE = 0,
+  /** at encap, copy the DF bit of the payload into the tunnel header */
+  IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DF = 0x1,
+  /** at encap, set the DF bit in the tunnel header */
+  IPIP_TUNNEL_API_FLAG_ENCAP_SET_DF = 0x2,
+  /** at encap, copy the DSCP bits of the payload into the tunnel header */
+  IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DSCP = 0x4,
+  /** at encap, copy the ECN bit of the payload into the tunnel header */
+  IPIP_TUNNEL_API_FLAG_ENCAP_COPY_ECN = 0x8,
+  /** at decap, copy the ECN bit of the tunnel header into the payload */
+  IPIP_TUNNEL_API_FLAG_DECAP_COPY_ECN = 0x10,
+};

diff --git a/src/vnet/ipip/ipip_types_api.c b/src/vnet/ipip/ipip_types_api.c
new file mode 100644 (file)
index 0000000..5625b85
--- /dev/null
+++ b/src/vnet/ipip/ipip_types_api.c
@@ -0,0 +1,53 @@
+/*
+ * ipip_api.c - ipip api
+ *
+ * Copyright (c) 2018 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <vnet/api_errno.h>
+#include <vnet/ipip/ipip_types_api.h>
+
+#include <vnet/ipip/ipip_types.api_enum.h>
+#include <vnet/ipip/ipip_types.api_types.h>
+
+
+STATIC_ASSERT (sizeof (vl_api_ipip_tunnel_flags_t) ==
+              sizeof (ipip_tunnel_flags_t),
+              "IPIP tunnel API and internal flags enum size differ");
+
+int
+ipip_tunnel_flags_decode (vl_api_ipip_tunnel_flags_t f,
+                         ipip_tunnel_flags_t * o)
+{
+  if (f & ~IPIP_TUNNEL_FLAG_MASK)
+    /* unknown flags set */
+    return (VNET_API_ERROR_INVALID_VALUE_2);
+
+  *o = (ipip_tunnel_flags_t) f;
+  return (0);
+}
+
+vl_api_ipip_tunnel_flags_t
+ipip_tunnel_flags_encode (ipip_tunnel_flags_t f)
+{
+  return ((vl_api_ipip_tunnel_flags_t) f);
+}
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */

diff --git a/src/vnet/ipip/ipip_types_api.h b/src/vnet/ipip/ipip_types_api.h
new file mode 100644 (file)
index 0000000..17b1f1b
--- /dev/null
+++ b/src/vnet/ipip/ipip_types_api.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2018 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __IPIP_TYPES_API_H__
+#define __IPIP_TYPES_API_H__
+
+/**
+ * Conversion functions to/from (decode/encode) API types to VPP internal types
+ */
+
+#include <vnet/ipip/ipip.h>
+#include <vnet/ipip/ipip.api_types.h>
+
+/**
+ * These enum decode/encodes use 'int' as the type for the enum because
+ * one cannot forward declare an enum
+ */
+extern int ipip_tunnel_flags_decode (u8 _f, ipip_tunnel_flags_t * out);
+extern u8 ipip_tunnel_flags_encode (ipip_tunnel_flags_t f);
+
+#endif
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */

diff --git a/src/vnet/ipip/node.c b/src/vnet/ipip/node.c
index 0cea4d5..cd26b8a 100644 (file)
--- a/src/vnet/ipip/node.c
+++ b/src/vnet/ipip/node.c
@@ -158,9 +158,33 @@ ipip_input (vlib_main_t * vm, vlib_node_runtime_t * node,
          vnet_buffer (b0)->sw_if_index[VLIB_RX] = tunnel_sw_if_index;
 
          if (inner_protocol0 == IP_PROTOCOL_IPV6)
-           next0 = IPIP_INPUT_NEXT_IP6_INPUT;
+           {
+             next0 = IPIP_INPUT_NEXT_IP6_INPUT;
+
+             if (t0->flags & IPIP_TUNNEL_FLAG_DECAP_COPY_ECN)
+               {
+                 if (is_ipv6)
+                   ip6_set_ecn_network_order ((ip60 + 1),
+                                              ip6_ecn_network_order (ip60));
+                 else
+                   ip6_set_ecn_network_order ((ip6_header_t *) (ip40 + 1),
+                                              ip4_header_get_ecn (ip40));
+               }
+           }
          else if (inner_protocol0 == IP_PROTOCOL_IP_IN_IP)
-           next0 = IPIP_INPUT_NEXT_IP4_INPUT;
+           {
+             next0 = IPIP_INPUT_NEXT_IP4_INPUT;
+             if (t0->flags & IPIP_TUNNEL_FLAG_DECAP_COPY_ECN)
+               {
+                 if (is_ipv6)
+                   ip4_header_set_ecn_w_chksum ((ip4_header_t *) (ip60 + 1),
+                                                ip6_ecn_network_order
+                                                (ip60));
+                 else
+                   ip4_header_set_ecn_w_chksum (ip40 + 1,
+                                                ip4_header_get_ecn (ip40));
+               }
+           }
 
          if (!is_ipv6 && t0->mode == IPIP_MODE_6RD
              && t0->sixrd.security_check)

diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 893eee4..ed79193 100644 (file)
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -645,7 +645,8 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
       rv = ipip_add_tunnel (transport,
                            (mp->renumber ? ntohl (mp->show_instance) : ~0),
                            &local_ip,
-                           &remote_ip, fib_index, 0, &sw_if_index);
+                           &remote_ip, fib_index,
+                           IPIP_TUNNEL_FLAG_NONE, IP_DSCP_CS0, &sw_if_index);
 
       if (rv)
        goto done;

diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 5385a0f..b304458 100644 (file)
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -840,8 +840,8 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm,
       /* create an ip-ip tunnel, then the two SA, then bind them */
       rv =
        ipip_add_tunnel (ipv6_set ? IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4,
-                        instance, &local_ip, &remote_ip, fib_index, 0,
-                        &sw_if_index);
+                        instance, &local_ip, &remote_ip, fib_index,
+                        IPIP_TUNNEL_FLAG_NONE, IP_DSCP_CS0, &sw_if_index);
       rv |=
        ipsec_sa_add_and_lock (ipsec_tun_mk_local_sa_id (sw_if_index),
                               local_spi, IPSEC_PROTOCOL_ESP, crypto_alg,

diff --git a/test/test_ipip.py b/test/test_ipip.py
index e723950..cb4166a 100644 (file)
--- a/test/test_ipip.py
+++ b/test/test_ipip.py
@@ -7,6 +7,8 @@ from scapy.all import fragment, fragment6, RandShort, defragment6
 from framework import VppTestCase, VppTestRunner
 from vpp_ip import DpoProto
 from vpp_ip_route import VppIpRoute, VppRoutePath, VppIpTable, FibPathProto
+from vpp_ipip_tun_interface import VppIpIpTunInterface
+from vpp_papi import VppEnum
 from socket import AF_INET, AF_INET6, inet_pton
 from util import reassemble4
 
@@ -17,7 +19,8 @@ IPIP tests.
 """
 
 
-def ipip_add_tunnel(test, src, dst, table_id=0, tc_tos=0xff):
+def ipip_add_tunnel(test, src, dst, table_id=0, dscp=0x0,
+                    flags=0):
     """ Add a IPIP tunnel """
     return test.vapi.ipip_add_tunnel(
         tunnel={
@@ -25,10 +28,15 @@ def ipip_add_tunnel(test, src, dst, table_id=0, tc_tos=0xff):
             'dst': dst,
             'table_id': table_id,
             'instance': 0xffffffff,
-            'tc_tos': tc_tos
+            'dscp': dscp,
+            'flags': flags
         }
     )
 
+# the number of packets to send when injecting traffic.
+# a multiple of 8 minus one, so we test all by 8/4/2/1 loops
+N_PACKETS = 64 - 1
+
 
 class TestIPIP(VppTestCase):
     """ IPIP Test Case """
@@ -76,99 +84,285 @@ class TestIPIP(VppTestCase):
         p4_reply.ttl -= 1
         return frags, p4_reply
 
+    def verify_ip4ip4_encaps(self, a, p_ip4s, p_ip4_encaps):
+        for i, p_ip4 in enumerate(p_ip4s):
+            p_ip4.dst = a
+            p4 = (self.p_ether / p_ip4 / self.p_payload)
+            p_ip4_inner = p_ip4
+            p_ip4_inner.ttl -= 1
+            p4_reply = (p_ip4_encaps[i] / p_ip4_inner / self.p_payload)
+            p4_reply.ttl -= 1
+            p4_reply.id = 0
+            rx = self.send_and_expect(self.pg0, p4 * N_PACKETS, self.pg1)
+            for p in rx:
+                self.validate(p[1], p4_reply)
+                self.assert_packet_checksums_valid(p)
+
+    def verify_ip6ip4_encaps(self, a, p_ip6s, p_ip4_encaps):
+        for i, p_ip6 in enumerate(p_ip6s):
+            p_ip6.dst = a
+            p6 = (self.p_ether / p_ip6 / self.p_payload)
+            p_inner_ip6 = p_ip6
+            p_inner_ip6.hlim -= 1
+            p6_reply = (p_ip4_encaps[i] / p_inner_ip6 / self.p_payload)
+            p6_reply.ttl -= 1
+            rx = self.send_and_expect(self.pg0, p6 * N_PACKETS, self.pg1)
+            for p in rx:
+                self.validate(p[1], p6_reply)
+                self.assert_packet_checksums_valid(p)
+
     def test_ipip4(self):
         """ ip{v4,v6} over ip4 test """
-        p_ether = Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
-        p_ip6 = IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=42)
-        p_ip4 = IP(src="1.2.3.4", dst="130.67.0.1", tos=42)
-        p_payload = UDP(sport=1234, dport=1234) / Raw(b'X' * 100)
-
-        # IPv4 transport
-        rv = ipip_add_tunnel(self,
-                             self.pg0.local_ip4,
-                             self.pg1.remote_ip4,
-                             tc_tos=0xFF)
-        sw_if_index = rv.sw_if_index
 
-        # Set interface up and enable IP on it
-        self.vapi.sw_interface_set_flags(sw_if_index, 1)
-        self.vapi.sw_interface_set_unnumbered(
-            sw_if_index=self.pg0.sw_if_index,
-            unnumbered_sw_if_index=sw_if_index)
+        self.pg1.generate_remote_hosts(5)
+        self.pg1.configure_ipv4_neighbors()
+        e = VppEnum.vl_api_ipip_tunnel_flags_t
+        d = VppEnum.vl_api_ip_dscp_t
+        self.p_ether = Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
+        self.p_payload = UDP(sport=1234, dport=1234) / Raw(b'X' * 100)
+
+        # create a TOS byte by shifting a DSCP code point 2 bits. those 2 bits
+        # are for the ECN.
+        dscp = d.IP_API_DSCP_AF31 << 2
+        ecn = 3
+        dscp_ecn = d.IP_API_DSCP_AF31 << 2 | ecn
+
+        # IPv4 transport that copies the DCSP from the payload
+        tun_dscp = VppIpIpTunInterface(
+            self,
+            self.pg0,
+            self.pg0.local_ip4,
+            self.pg1.remote_hosts[0].ip4,
+            flags=e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DSCP).add_vpp_config()
+        # IPv4 transport that copies the DCSP and ECN from the payload
+        tun_dscp_ecn = VppIpIpTunInterface(
+            self,
+            self.pg0,
+            self.pg0.local_ip4,
+            self.pg1.remote_hosts[1].ip4,
+            flags=(e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DSCP |
+                   e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_ECN)).add_vpp_config()
+        # IPv4 transport that copies the ECN from the payload and sets the
+        # DF bit on encap. copies the ECN on decap
+        tun_ecn = VppIpIpTunInterface(
+            self,
+            self.pg0,
+            self.pg0.local_ip4,
+            self.pg1.remote_hosts[2].ip4,
+            flags=(e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_ECN |
+                   e.IPIP_TUNNEL_API_FLAG_ENCAP_SET_DF |
+                   e.IPIP_TUNNEL_API_FLAG_DECAP_COPY_ECN)).add_vpp_config()
+        # IPv4 transport that sets a fixed DSCP in the encap and copies
+        # the DF bit
+        tun = VppIpIpTunInterface(
+            self,
+            self.pg0,
+            self.pg0.local_ip4,
+            self.pg1.remote_hosts[3].ip4,
+            dscp=d.IP_API_DSCP_AF11,
+            flags=e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DF).add_vpp_config()
+
+        # array of all the tunnels
+        tuns = [tun_dscp, tun_dscp_ecn, tun_ecn, tun]
+
+        # addresses for prefixes routed via each tunnel
+        a4s = ["" for i in range(len(tuns))]
+        a6s = ["" for i in range(len(tuns))]
+
+        # IP headers with each combination of DSCp/ECN tested
+        p_ip6s = [IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=dscp),
+                  IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=dscp_ecn),
+                  IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=ecn),
+                  IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=0xff)]
+        p_ip4s = [IP(src="1.2.3.4", dst="130.67.0.1", tos=dscp, flags='DF'),
+                  IP(src="1.2.3.4", dst="130.67.0.1", tos=dscp_ecn),
+                  IP(src="1.2.3.4", dst="130.67.0.1", tos=ecn),
+                  IP(src="1.2.3.4", dst="130.67.0.1", tos=0xff)]
+
+        # Configure each tunnel
+        for i, t in enumerate(tuns):
+            # Set interface up and enable IP on it
+            self.vapi.sw_interface_set_flags(t.sw_if_index, 1)
+            self.vapi.sw_interface_set_unnumbered(
+                sw_if_index=self.pg0.sw_if_index,
+                unnumbered_sw_if_index=t.sw_if_index)
+
+            # prefix for route / destination address for packets
+            a4s[i] = "130.67.%d.0" % i
+            a6s[i] = "dead:%d::" % i
+
+            # Add IPv4 and IPv6 routes via tunnel interface
+            ip4_via_tunnel = VppIpRoute(
+                self, a4s[i], 24,
+                [VppRoutePath("0.0.0.0",
+                              t.sw_if_index,
+                              proto=FibPathProto.FIB_PATH_NH_PROTO_IP4)])
+            ip4_via_tunnel.add_vpp_config()
+
+            ip6_via_tunnel = VppIpRoute(
+                self, a6s[i], 64,
+                [VppRoutePath("::",
+                              t.sw_if_index,
+                              proto=FibPathProto.FIB_PATH_NH_PROTO_IP6)])
+            ip6_via_tunnel.add_vpp_config()
 
-        # Add IPv4 and IPv6 routes via tunnel interface
-        ip4_via_tunnel = VppIpRoute(
-            self, "130.67.0.0", 16,
-            [VppRoutePath("0.0.0.0",
-                          sw_if_index,
-                          proto=FibPathProto.FIB_PATH_NH_PROTO_IP4)])
-        ip4_via_tunnel.add_vpp_config()
-
-        ip6_via_tunnel = VppIpRoute(
-            self, "dead::", 16,
-            [VppRoutePath("::",
-                          sw_if_index,
-                          proto=FibPathProto.FIB_PATH_NH_PROTO_IP6)])
-        ip6_via_tunnel.add_vpp_config()
+        #
+        # Encapsulation
+        #
 
-        # IPv6 in to IPv4 tunnel
-        p6 = (p_ether / p_ip6 / p_payload)
-        p_inner_ip6 = p_ip6
-        p_inner_ip6.hlim -= 1
-        p6_reply = (IP(src=self.pg0.local_ip4, dst=self.pg1.remote_ip4,
-                       proto='ipv6', id=0, tos=42) / p_inner_ip6 / p_payload)
-        p6_reply.ttl -= 1
-        rx = self.send_and_expect(self.pg0, p6 * 10, self.pg1)
-        for p in rx:
-            self.validate(p[1], p6_reply)
-            self.assert_packet_checksums_valid(p)
+        # tun_dscp copies only the dscp
+        # expected TC values are thus only the DCSP value is present from the
+        # inner
+        exp_tcs = [dscp, dscp, 0, 0xfc]
+        p_ip44_encaps = [IP(src=self.pg0.local_ip4,
+                            dst=tun_dscp.dst,
+                            tos=tc) for tc in exp_tcs]
+        p_ip64_encaps = [IP(src=self.pg0.local_ip4,
+                            dst=tun_dscp.dst,
+                            proto='ipv6', id=0, tos=tc) for tc in exp_tcs]
 
         # IPv4 in to IPv4 tunnel
-        p4 = (p_ether / p_ip4 / p_payload)
-        p_ip4_inner = p_ip4
-        p_ip4_inner.ttl -= 1
-        p4_reply = (IP(src=self.pg0.local_ip4, dst=self.pg1.remote_ip4,
-                       tos=42) /
-                    p_ip4_inner / p_payload)
-        p4_reply.ttl -= 1
-        p4_reply.id = 0
-        rx = self.send_and_expect(self.pg0, p4 * 10, self.pg1)
-        for p in rx:
-            self.validate(p[1], p4_reply)
-            self.assert_packet_checksums_valid(p)
+        self.verify_ip4ip4_encaps(a4s[0], p_ip4s, p_ip44_encaps)
+        # IPv6 in to IPv4 tunnel
+        self.verify_ip6ip4_encaps(a6s[0], p_ip6s, p_ip64_encaps)
+
+        # tun_dscp_ecn copies the dscp and the ecn
+        exp_tcs = [dscp, dscp_ecn, ecn, 0xff]
+        p_ip44_encaps = [IP(src=self.pg0.local_ip4,
+                            dst=tun_dscp_ecn.dst,
+                            tos=tc) for tc in exp_tcs]
+        p_ip64_encaps = [IP(src=self.pg0.local_ip4,
+                            dst=tun_dscp_ecn.dst,
+                            proto='ipv6', id=0, tos=tc) for tc in exp_tcs]
+
+        self.verify_ip4ip4_encaps(a4s[1], p_ip4s, p_ip44_encaps)
+        self.verify_ip6ip4_encaps(a6s[1], p_ip6s, p_ip64_encaps)
+
+        # tun_ecn copies only the ecn and always sets DF
+        exp_tcs = [0, ecn, ecn, ecn]
+        p_ip44_encaps = [IP(src=self.pg0.local_ip4,
+                            dst=tun_ecn.dst,
+                            flags='DF', tos=tc) for tc in exp_tcs]
+        p_ip64_encaps = [IP(src=self.pg0.local_ip4,
+                            dst=tun_ecn.dst,
+                            flags='DF', proto='ipv6', id=0, tos=tc)
+                         for tc in exp_tcs]
+
+        self.verify_ip4ip4_encaps(a4s[2], p_ip4s, p_ip44_encaps)
+        self.verify_ip6ip4_encaps(a6s[2], p_ip6s, p_ip64_encaps)
+
+        # tun sets a fixed dscp and copies DF
+        fixed_dscp = tun.dscp << 2
+        flags = ['DF', 0, 0, 0]
+        p_ip44_encaps = [IP(src=self.pg0.local_ip4,
+                            dst=tun.dst,
+                            flags=f,
+                            tos=fixed_dscp) for f in flags]
+        p_ip64_encaps = [IP(src=self.pg0.local_ip4,
+                            dst=tun.dst,
+                            proto='ipv6', id=0,
+                            tos=fixed_dscp) for i in range(len(p_ip4s))]
+
+        self.verify_ip4ip4_encaps(a4s[3], p_ip4s, p_ip44_encaps)
+        self.verify_ip6ip4_encaps(a6s[3], p_ip6s, p_ip64_encaps)
 
+        #
         # Decapsulation
-        p_ether = Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
+        #
+        n_packets_decapped = 0
+        self.p_ether = Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
 
         # IPv4 tunnel to IPv4
+        tcs = [0, dscp, dscp_ecn, ecn]
+
+        # one overlay packet and all combinations of its encap
         p_ip4 = IP(src="1.2.3.4", dst=self.pg0.remote_ip4)
-        p4 = (p_ether / IP(src=self.pg1.remote_ip4,
-                           dst=self.pg0.local_ip4) / p_ip4 / p_payload)
-        p4_reply = (p_ip4 / p_payload)
-        p4_reply.ttl -= 1
-        rx = self.send_and_expect(self.pg1, p4 * 10, self.pg0)
-        for p in rx:
-            self.validate(p[1], p4_reply)
-            self.assert_packet_checksums_valid(p)
+        p_ip4_encaps = [IP(src=tun.dst,
+                           dst=self.pg0.local_ip4,
+                           tos=tc) for tc in tcs]
+
+        # for each encap tun will produce the same inner packet because it does
+        # not copy up fields from the payload
+        for p_ip4_encap in p_ip4_encaps:
+            p4 = (self.p_ether / p_ip4_encap / p_ip4 / self.p_payload)
+            p4_reply = (p_ip4 / self.p_payload)
+            p4_reply.ttl -= 1
+            rx = self.send_and_expect(self.pg1, p4 * N_PACKETS, self.pg0)
+            n_packets_decapped += N_PACKETS
+            for p in rx:
+                self.validate(p[1], p4_reply)
+                self.assert_packet_checksums_valid(p)
+
+        err = self.statistics.get_err_counter(
+            '/err/ipip4-input/packets decapsulated')
+        self.assertEqual(err, n_packets_decapped)
+
+        # tun_ecn copies the ECN bits from the encap to the inner
+        p_ip4_encaps = [IP(src=tun_ecn.dst,
+                           dst=self.pg0.local_ip4,
+                           tos=tc) for tc in tcs]
+        p_ip4_replys = [p_ip4.copy() for i in range(len(p_ip4_encaps))]
+        p_ip4_replys[2].tos = ecn
+        p_ip4_replys[3].tos = ecn
+        for i, p_ip4_encap in enumerate(p_ip4_encaps):
+            p4 = (self.p_ether / p_ip4_encap / p_ip4 / self.p_payload)
+            p4_reply = (p_ip4_replys[i] / self.p_payload)
+            p4_reply.ttl -= 1
+            rx = self.send_and_expect(self.pg1, p4 * N_PACKETS, self.pg0)
+            n_packets_decapped += N_PACKETS
+            for p in rx:
+                self.validate(p[1], p4_reply)
+                self.assert_packet_checksums_valid(p)
 
         err = self.statistics.get_err_counter(
             '/err/ipip4-input/packets decapsulated')
-        self.assertEqual(err, 10)
+        self.assertEqual(err, n_packets_decapped)
 
         # IPv4 tunnel to IPv6
+        # for each encap tun will produce the same inner packet because it does
+        # not copy up fields from the payload
+        p_ip4_encaps = [IP(src=tun.dst,
+                           dst=self.pg0.local_ip4,
+                           tos=tc) for tc in tcs]
         p_ip6 = IPv6(src="1:2:3::4", dst=self.pg0.remote_ip6)
-        p6 = (p_ether / IP(src=self.pg1.remote_ip4,
-                           dst=self.pg0.local_ip4) / p_ip6 / p_payload)
-        p6_reply = (p_ip6 / p_payload)
-        p6_reply.hlim = 63
-        rx = self.send_and_expect(self.pg1, p6 * 10, self.pg0)
-        for p in rx:
-            self.validate(p[1], p6_reply)
-            self.assert_packet_checksums_valid(p)
+        for p_ip4_encap in p_ip4_encaps:
+            p6 = (self.p_ether /
+                  p_ip4_encap / p_ip6 /
+                  self.p_payload)
+            p6_reply = (p_ip6 / self.p_payload)
+            p6_reply.hlim = 63
+            rx = self.send_and_expect(self.pg1, p6 * N_PACKETS, self.pg0)
+            n_packets_decapped += N_PACKETS
+            for p in rx:
+                self.validate(p[1], p6_reply)
+                self.assert_packet_checksums_valid(p)
 
         err = self.statistics.get_err_counter(
             '/err/ipip4-input/packets decapsulated')
-        self.assertEqual(err, 20)
+        self.assertEqual(err, n_packets_decapped)
+
+        # IPv4 tunnel to IPv6
+        # tun_ecn copies the ECN bits from the encap to the inner
+        p_ip4_encaps = [IP(src=tun_ecn.dst,
+                           dst=self.pg0.local_ip4,
+                           tos=tc) for tc in tcs]
+        p_ip6 = IPv6(src="1:2:3::4", dst=self.pg0.remote_ip6)
+        p_ip6_replys = [p_ip6.copy() for i in range(len(p_ip4_encaps))]
+        p_ip6_replys[2].tc = ecn
+        p_ip6_replys[3].tc = ecn
+        for i, p_ip4_encap in enumerate(p_ip4_encaps):
+            p6 = (self.p_ether / p_ip4_encap / p_ip6 / self.p_payload)
+            p6_reply = (p_ip6_replys[i] / self.p_payload)
+            p6_reply.hlim = 63
+            rx = self.send_and_expect(self.pg1, p6 * N_PACKETS, self.pg0)
+            n_packets_decapped += N_PACKETS
+            for p in rx:
+                self.validate(p[1], p6_reply)
+                self.assert_packet_checksums_valid(p)
+
+        err = self.statistics.get_err_counter(
+            '/err/ipip4-input/packets decapsulated')
+        self.assertEqual(err, n_packets_decapped)
 
         #
         # Fragmentation / Reassembly and Re-fragmentation
@@ -191,13 +385,14 @@ class TestIPIP(VppTestCase):
         self.pg_enable_capture()
         self.pg_start()
         rx = self.pg0.get_capture(1000)
+        n_packets_decapped += 1000
 
         for p in rx:
             self.validate(p[1], p4_reply)
 
         err = self.statistics.get_err_counter(
             '/err/ipip4-input/packets decapsulated')
-        self.assertEqual(err, 1020)
+        self.assertEqual(err, n_packets_decapped)
 
         f = []
         r = []
@@ -240,7 +435,7 @@ class TestIPIP(VppTestCase):
         self.validate(reass_pkt, p4_reply)
 
         # send large packets through the tunnel, expect them to be fragmented
-        self.vapi.sw_interface_set_mtu(sw_if_index, [600, 0, 0, 0])
+        self.vapi.sw_interface_set_mtu(tun_dscp.sw_if_index, [600, 0, 0, 0])
 
         p4 = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) /
               IP(src="1.2.3.4", dst="130.67.0.1", tos=42) /
@@ -310,8 +505,7 @@ class TestIPIP6(VppTestCase):
         # IPv6 transport
         rv = ipip_add_tunnel(self,
                              self.pg0.local_ip6,
-                             self.pg1.remote_ip6,
-                             tc_tos=255)
+                             self.pg1.remote_ip6)
 
         sw_if_index = rv.sw_if_index
         self.tunnel_if_index = sw_if_index
@@ -385,7 +579,7 @@ class TestIPIP6(VppTestCase):
         # IPv6 in to IPv6 tunnel
         p6 = (p_ether / p_ip6 / p_payload)
         p6_reply = (IPv6(src=self.pg0.local_ip6, dst=self.pg1.remote_ip6,
-                         hlim=64, tc=42) /
+                         hlim=64) /
                     p_ip6 / p_payload)
         p6_reply[1].hlim -= 1
         rx = self.send_and_expect(self.pg0, p6 * 11, self.pg1)
@@ -395,7 +589,7 @@ class TestIPIP6(VppTestCase):
         # IPv4 in to IPv6 tunnel
         p4 = (p_ether / p_ip4 / p_payload)
         p4_reply = (IPv6(src=self.pg0.local_ip6,
-                         dst=self.pg1.remote_ip6, hlim=64, tc=42) /
+                         dst=self.pg1.remote_ip6, hlim=64) /
                     p_ip4 / p_payload)
         p4_reply[1].ttl -= 1
         rx = self.send_and_expect(self.pg0, p4 * 11, self.pg1)
@@ -431,6 +625,270 @@ class TestIPIP6(VppTestCase):
         for p in rx:
             self.validate(p[1], p6_reply)
 
+    def verify_ip4ip6_encaps(self, a, p_ip4s, p_ip6_encaps):
+        for i, p_ip4 in enumerate(p_ip4s):
+            p_ip4.dst = a
+            p4 = (self.p_ether / p_ip4 / self.p_payload)
+            p_ip4_inner = p_ip4
+            p_ip4_inner.ttl -= 1
+            p6_reply = (p_ip6_encaps[i] / p_ip4_inner / self.p_payload)
+            rx = self.send_and_expect(self.pg0, p4 * N_PACKETS, self.pg1)
+            for p in rx:
+                self.validate(p[1], p6_reply)
+                self.assert_packet_checksums_valid(p)
+
+    def verify_ip6ip6_encaps(self, a, p_ip6s, p_ip6_encaps):
+        for i, p_ip6 in enumerate(p_ip6s):
+            p_ip6.dst = a
+            p6 = (self.p_ether / p_ip6 / self.p_payload)
+            p_inner_ip6 = p_ip6
+            p_inner_ip6.hlim -= 1
+            p6_reply = (p_ip6_encaps[i] / p_inner_ip6 / self.p_payload)
+            rx = self.send_and_expect(self.pg0, p6 * N_PACKETS, self.pg1)
+            for p in rx:
+                self.validate(p[1], p6_reply)
+                self.assert_packet_checksums_valid(p)
+
+    def test_ipip6(self):
+        """ ip{v4,v6} over ip6 test """
+
+        # that's annoying
+        self.destroy_tunnel()
+
+        self.pg1.generate_remote_hosts(5)
+        self.pg1.configure_ipv6_neighbors()
+        e = VppEnum.vl_api_ipip_tunnel_flags_t
+        d = VppEnum.vl_api_ip_dscp_t
+        self.p_ether = Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
+        self.p_payload = UDP(sport=1234, dport=1234) / Raw(b'X' * 100)
+
+        # create a TOS byte by shifting a DSCP code point 2 bits. those 2 bits
+        # are for the ECN.
+        dscp = d.IP_API_DSCP_AF31 << 2
+        ecn = 3
+        dscp_ecn = d.IP_API_DSCP_AF31 << 2 | ecn
+
+        # IPv4 transport that copies the DCSP from the payload
+        tun_dscp = VppIpIpTunInterface(
+            self,
+            self.pg0,
+            self.pg0.local_ip6,
+            self.pg1.remote_hosts[0].ip6,
+            flags=e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DSCP).add_vpp_config()
+        # IPv4 transport that copies the DCSP and ECN from the payload
+        tun_dscp_ecn = VppIpIpTunInterface(
+            self,
+            self.pg0,
+            self.pg0.local_ip6,
+            self.pg1.remote_hosts[1].ip6,
+            flags=(e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DSCP |
+                   e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_ECN)).add_vpp_config()
+        # IPv4 transport that copies the ECN from the payload and sets the
+        # DF bit on encap. copies the ECN on decap
+        tun_ecn = VppIpIpTunInterface(
+            self,
+            self.pg0,
+            self.pg0.local_ip6,
+            self.pg1.remote_hosts[2].ip6,
+            flags=(e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_ECN |
+                   e.IPIP_TUNNEL_API_FLAG_ENCAP_SET_DF |
+                   e.IPIP_TUNNEL_API_FLAG_DECAP_COPY_ECN)).add_vpp_config()
+        # IPv4 transport that sets a fixed DSCP in the encap and copies
+        # the DF bit
+        tun = VppIpIpTunInterface(
+            self,
+            self.pg0,
+            self.pg0.local_ip6,
+            self.pg1.remote_hosts[3].ip6,
+            dscp=d.IP_API_DSCP_AF11,
+            flags=e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DF).add_vpp_config()
+
+        # array of all the tunnels
+        tuns = [tun_dscp, tun_dscp_ecn, tun_ecn, tun]
+
+        # addresses for prefixes routed via each tunnel
+        a4s = ["" for i in range(len(tuns))]
+        a6s = ["" for i in range(len(tuns))]
+
+        # IP headers for inner packets with each combination of DSCp/ECN tested
+        p_ip6s = [IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=dscp),
+                  IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=dscp_ecn),
+                  IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=ecn),
+                  IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=0xff)]
+        p_ip4s = [IP(src="1.2.3.4", dst="130.67.0.1", tos=dscp, flags='DF'),
+                  IP(src="1.2.3.4", dst="130.67.0.1", tos=dscp_ecn),
+                  IP(src="1.2.3.4", dst="130.67.0.1", tos=ecn),
+                  IP(src="1.2.3.4", dst="130.67.0.1", tos=0xff)]
+
+        # Configure each tunnel
+        for i, t in enumerate(tuns):
+            # Set interface up and enable IP on it
+            self.vapi.sw_interface_set_flags(t.sw_if_index, 1)
+            self.vapi.sw_interface_set_unnumbered(
+                sw_if_index=self.pg0.sw_if_index,
+                unnumbered_sw_if_index=t.sw_if_index)
+
+            # prefix for route / destination address for packets
+            a4s[i] = "130.67.%d.0" % i
+            a6s[i] = "dead:%d::" % i
+
+            # Add IPv4 and IPv6 routes via tunnel interface
+            ip4_via_tunnel = VppIpRoute(
+                self, a4s[i], 24,
+                [VppRoutePath("0.0.0.0",
+                              t.sw_if_index,
+                              proto=FibPathProto.FIB_PATH_NH_PROTO_IP4)])
+            ip4_via_tunnel.add_vpp_config()
+
+            ip6_via_tunnel = VppIpRoute(
+                self, a6s[i], 64,
+                [VppRoutePath("::",
+                              t.sw_if_index,
+                              proto=FibPathProto.FIB_PATH_NH_PROTO_IP6)])
+            ip6_via_tunnel.add_vpp_config()
+
+        #
+        # Encapsulation
+        #
+
+        # tun_dscp copies only the dscp
+        # expected TC values are thus only the DCSP value is present from the
+        # inner
+        exp_tcs = [dscp, dscp, 0, 0xfc]
+        p_ip6_encaps = [IPv6(src=self.pg0.local_ip6,
+                             dst=tun_dscp.dst,
+                             tc=tc) for tc in exp_tcs]
+
+        # IPv4 in to IPv4 tunnel
+        self.verify_ip4ip6_encaps(a4s[0], p_ip4s, p_ip6_encaps)
+        # IPv6 in to IPv4 tunnel
+        self.verify_ip6ip6_encaps(a6s[0], p_ip6s, p_ip6_encaps)
+
+        # tun_dscp_ecn copies the dscp and the ecn
+        exp_tcs = [dscp, dscp_ecn, ecn, 0xff]
+        p_ip6_encaps = [IPv6(src=self.pg0.local_ip6,
+                             dst=tun_dscp_ecn.dst,
+                             tc=tc) for tc in exp_tcs]
+
+        self.verify_ip4ip6_encaps(a4s[1], p_ip4s, p_ip6_encaps)
+        self.verify_ip6ip6_encaps(a6s[1], p_ip6s, p_ip6_encaps)
+
+        # tun_ecn copies only the ecn and always sets DF
+        exp_tcs = [0, ecn, ecn, ecn]
+        p_ip6_encaps = [IPv6(src=self.pg0.local_ip6,
+                             dst=tun_ecn.dst,
+                             tc=tc) for tc in exp_tcs]
+
+        self.verify_ip4ip6_encaps(a4s[2], p_ip4s, p_ip6_encaps)
+        self.verify_ip6ip6_encaps(a6s[2], p_ip6s, p_ip6_encaps)
+
+        # tun sets a fixed dscp
+        fixed_dscp = tun.dscp << 2
+        p_ip6_encaps = [IPv6(src=self.pg0.local_ip6,
+                             dst=tun.dst,
+                             tc=fixed_dscp) for i in range(len(p_ip4s))]
+
+        self.verify_ip4ip6_encaps(a4s[3], p_ip4s, p_ip6_encaps)
+        self.verify_ip6ip6_encaps(a6s[3], p_ip6s, p_ip6_encaps)
+
+        #
+        # Decapsulation
+        #
+        n_packets_decapped = self.statistics.get_err_counter(
+            '/err/ipip6-input/packets decapsulated')
+
+        self.p_ether = Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac)
+
+        # IPv6 tunnel to IPv4
+        tcs = [0, dscp, dscp_ecn, ecn]
+
+        # one overlay packet and all combinations of its encap
+        p_ip4 = IP(src="1.2.3.4", dst=self.pg0.remote_ip4)
+        p_ip6_encaps = [IPv6(src=tun.dst,
+                             dst=self.pg0.local_ip6,
+                             tc=tc) for tc in tcs]
+
+        # for each encap tun will produce the same inner packet because it does
+        # not copy up fields from the payload
+        for p_ip6_encap in p_ip6_encaps:
+            p6 = (self.p_ether / p_ip6_encap / p_ip4 / self.p_payload)
+            p4_reply = (p_ip4 / self.p_payload)
+            p4_reply.ttl -= 1
+            rx = self.send_and_expect(self.pg1, p6 * N_PACKETS, self.pg0)
+            n_packets_decapped += N_PACKETS
+            for p in rx:
+                self.validate(p[1], p4_reply)
+                self.assert_packet_checksums_valid(p)
+
+        err = self.statistics.get_err_counter(
+            '/err/ipip6-input/packets decapsulated')
+        self.assertEqual(err, n_packets_decapped)
+
+        # tun_ecn copies the ECN bits from the encap to the inner
+        p_ip6_encaps = [IPv6(src=tun_ecn.dst,
+                             dst=self.pg0.local_ip6,
+                             tc=tc) for tc in tcs]
+        p_ip4_replys = [p_ip4.copy() for i in range(len(p_ip6_encaps))]
+        p_ip4_replys[2].tos = ecn
+        p_ip4_replys[3].tos = ecn
+        for i, p_ip6_encap in enumerate(p_ip6_encaps):
+            p6 = (self.p_ether / p_ip6_encap / p_ip4 / self.p_payload)
+            p4_reply = (p_ip4_replys[i] / self.p_payload)
+            p4_reply.ttl -= 1
+            rx = self.send_and_expect(self.pg1, p6 * N_PACKETS, self.pg0)
+            n_packets_decapped += N_PACKETS
+            for p in rx:
+                self.validate(p[1], p4_reply)
+                self.assert_packet_checksums_valid(p)
+
+        err = self.statistics.get_err_counter(
+            '/err/ipip6-input/packets decapsulated')
+        self.assertEqual(err, n_packets_decapped)
+
+        # IPv6 tunnel to IPv6
+        # for each encap tun will produce the same inner packet because it does
+        # not copy up fields from the payload
+        p_ip6_encaps = [IPv6(src=tun.dst,
+                             dst=self.pg0.local_ip6,
+                             tc=tc) for tc in tcs]
+        p_ip6 = IPv6(src="1:2:3::4", dst=self.pg0.remote_ip6)
+        for p_ip6_encap in p_ip6_encaps:
+            p6 = (self.p_ether / p_ip6_encap / p_ip6 / self.p_payload)
+            p6_reply = (p_ip6 / self.p_payload)
+            p6_reply.hlim = 63
+            rx = self.send_and_expect(self.pg1, p6 * N_PACKETS, self.pg0)
+            n_packets_decapped += N_PACKETS
+            for p in rx:
+                self.validate(p[1], p6_reply)
+                self.assert_packet_checksums_valid(p)
+
+        err = self.statistics.get_err_counter(
+            '/err/ipip6-input/packets decapsulated')
+        self.assertEqual(err, n_packets_decapped)
+
+        # IPv6 tunnel to IPv6
+        # tun_ecn copies the ECN bits from the encap to the inner
+        p_ip6_encaps = [IPv6(src=tun_ecn.dst,
+                             dst=self.pg0.local_ip6,
+                             tc=tc) for tc in tcs]
+        p_ip6 = IPv6(src="1:2:3::4", dst=self.pg0.remote_ip6)
+        p_ip6_replys = [p_ip6.copy() for i in range(len(p_ip6_encaps))]
+        p_ip6_replys[2].tc = ecn
+        p_ip6_replys[3].tc = ecn
+        for i, p_ip6_encap in enumerate(p_ip6_encaps):
+            p6 = (self.p_ether / p_ip6_encap / p_ip6 / self.p_payload)
+            p6_reply = (p_ip6_replys[i] / self.p_payload)
+            p6_reply.hlim = 63
+            rx = self.send_and_expect(self.pg1, p6 * N_PACKETS, self.pg0)
+            n_packets_decapped += N_PACKETS
+            for p in rx:
+                self.validate(p[1], p6_reply)
+                self.assert_packet_checksums_valid(p)
+
+        err = self.statistics.get_err_counter(
+            '/err/ipip6-input/packets decapsulated')
+        self.assertEqual(err, n_packets_decapped)
+
     def test_frag(self):
         """ ip{v4,v6} over ip6 test frag """
 
@@ -495,7 +953,7 @@ class TestIPIP6(VppTestCase):
 
         p6 = (p_ether / p_ip6 / p_payload)
         p6_reply = (IPv6(src=self.pg0.local_ip6, dst=self.pg1.remote_ip6,
-                         hlim=63, tc=42) /
+                         hlim=63) /
                     p_ip6 / p_payload)
         p6_reply[1].hlim -= 1
         self.pg_enable_capture()

diff --git a/test/vpp_ipip_tun_interface.py b/test/vpp_ipip_tun_interface.py
index 3558523..ea5cfa1 100644 (file)
--- a/test/vpp_ipip_tun_interface.py
+++ b/test/vpp_ipip_tun_interface.py
@@ -7,21 +7,29 @@ class VppIpIpTunInterface(VppTunnelInterface):
     VPP IP-IP Tunnel interface
     """
 
-    def __init__(self, test, parent_if, src, dst):
+    def __init__(self, test, parent_if, src, dst,
+                 table_id=0, dscp=0x0,
+                 flags=0):
         super(VppIpIpTunInterface, self).__init__(test, parent_if)
         self.src = src
         self.dst = dst
+        self.table_id = table_id
+        self.dscp = dscp
+        self.flags = flags
 
     def add_vpp_config(self):
         r = self.test.vapi.ipip_add_tunnel(
             tunnel={
                 'src': self.src,
                 'dst': self.dst,
-                'table_id': 0,
+                'table_id': self.table_id,
+                'flags': self.flags,
+                'dscp': self.dscp,
                 'instance': 0xffffffff,
             })
         self.set_sw_if_index(r.sw_if_index)
         self.test.registry.register(self, self.test.logger)
+        return self
 
     def remove_vpp_config(self):
         self.test.vapi.ipip_del_tunnel(sw_if_index=self._sw_if_index)