From 041add7d12217494934b651e4e38b5eab5216ddc Mon Sep 17 00:00:00 2001 From: Neale Ranns Date: Thu, 2 Jan 2020 04:06:10 +0000 Subject: [PATCH] ipsec: Tunnel SA DSCP behaviour Type: feature - use tunnel_encap_decap_flags to control the copying of DSCP/ECN/etc during IPSEC tunnel mode encap. - use DSCP value to have fixed encap value. Signed-off-by: Neale Ranns Change-Id: If4f51fd4c1dcbb0422aac9bd078e5c14af5bf11f --- src/plugins/ikev2/ikev2.c | 8 +- src/vnet/ip/ip.c | 18 ++++ src/vnet/ip/ip6_packet.h | 13 ++- src/vnet/ip/ip_packet.h | 2 + src/vnet/ipsec/ah_encrypt.c | 38 +++++++-- src/vnet/ipsec/esp_encrypt.c | 39 +++++++-- src/vnet/ipsec/ipsec.api | 48 +++++++---- src/vnet/ipsec/ipsec_api.c | 188 ++++++++++++++++++++++++++++++++++++++++- src/vnet/ipsec/ipsec_cli.c | 16 ++-- src/vnet/ipsec/ipsec_format.c | 6 +- src/vnet/ipsec/ipsec_sa.c | 11 ++- src/vnet/ipsec/ipsec_sa.h | 7 +- src/vnet/ipsec/ipsec_types.api | 30 +++++++ src/vnet/tunnel/tunnel_dp.h | 57 +++++++++++++ test/template_ipsec.py | 12 ++- test/test_ipsec_ah.py | 96 ++++++++++++++++++++- test/test_ipsec_esp.py | 93 ++++++++++++++++++++ test/test_ipsec_tun_if_esp.py | 30 ++++--- test/vpp_ipsec.py | 20 +++-- test/vpp_papi_provider.py | 4 - 20 files changed, 664 insertions(+), 72 deletions(-) diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c index 05dfb604006..f3ac6f69318 100644 --- a/src/plugins/ikev2/ikev2.c +++ b/src/plugins/ikev2/ikev2.c @@ -1856,13 +1856,17 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a) IPSEC_PROTOCOL_ESP, a->encr_type, &a->loc_ckey, a->integ_type, &a->loc_ikey, a->flags, 0, a->salt_local, &zero_addr, - &zero_addr, NULL, a->src_port, a->dst_port); + &zero_addr, TUNNEL_ENCAP_DECAP_FLAG_NONE, + IP_DSCP_CS0, NULL, a->src_port, a->dst_port); + rv |= ipsec_sa_add_and_lock (a->remote_sa_id, a->remote_spi, IPSEC_PROTOCOL_ESP, a->encr_type, &a->rem_ckey, a->integ_type, &a->rem_ikey, (a->flags | IPSEC_SA_FLAG_IS_INBOUND), 0, a->salt_remote, &zero_addr, - &zero_addr, NULL, a->ipsec_over_udp_port, + &zero_addr, TUNNEL_ENCAP_DECAP_FLAG_NONE, + IP_DSCP_CS0, NULL, + a->ipsec_over_udp_port, a->ipsec_over_udp_port); rv |= ipsec_tun_protect_update (sw_if_index, NULL, a->local_sa_id, sas_in); diff --git a/src/vnet/ip/ip.c b/src/vnet/ip/ip.c index bceb529ee6f..062f5e7a4ef 100644 --- a/src/vnet/ip/ip.c +++ b/src/vnet/ip/ip.c @@ -155,6 +155,24 @@ format_ip_dscp (u8 * s, va_list * va) return (format (s, "unknown")); } +uword +unformat_ip_dscp (unformat_input_t * input, va_list * args) +{ + ip_dscp_t *dscp = va_arg (*args, ip_dscp_t *); + + if (0) + ; +#define _(n,v) \ + else if (unformat (input, #v)) \ + *dscp = IP_DSCP_##v; + foreach_ip_dscp +#undef _ + else + return 0; + + return 1; +} + u8 * format_ip_ecn (u8 * s, va_list * va) { diff --git a/src/vnet/ip/ip6_packet.h b/src/vnet/ip/ip6_packet.h index 7bbdd197f2f..34bc7a8ec1a 100644 --- a/src/vnet/ip/ip6_packet.h +++ b/src/vnet/ip/ip6_packet.h @@ -310,31 +310,36 @@ typedef struct ip6_address_t src_address, dst_address; } ip6_header_t; +#define IP6_PACKET_TC_MASK 0x0FF00000 +#define IP6_PACKET_DSCP_MASK 0x0FC00000 +#define IP6_PACKET_ECN_MASK 0x00300000 + always_inline ip_dscp_t ip6_traffic_class (const ip6_header_t * i) { - return (i->ip_version_traffic_class_and_flow_label & 0x0FF00000) >> 20; + return (i->ip_version_traffic_class_and_flow_label & IP6_PACKET_TC_MASK) >> + 20; } static_always_inline ip_dscp_t ip6_traffic_class_network_order (const ip6_header_t * ip6) { return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label) - & 0x0ff00000) >> 20; + & IP6_PACKET_TC_MASK) >> 20; } static_always_inline ip_dscp_t ip6_dscp_network_order (const ip6_header_t * ip6) { return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label) - & 0x0fc00000) >> 22; + & IP6_PACKET_DSCP_MASK) >> 22; } static_always_inline ip_ecn_t ip6_ecn_network_order (const ip6_header_t * ip6) { return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label) - & 0x00300000) >> 20; + & IP6_PACKET_ECN_MASK) >> 20; } static_always_inline void diff --git a/src/vnet/ip/ip_packet.h b/src/vnet/ip/ip_packet.h index 52a65e78c24..e1089ec308e 100644 --- a/src/vnet/ip/ip_packet.h +++ b/src/vnet/ip/ip_packet.h @@ -42,6 +42,7 @@ #include #include +#include typedef enum ip_protocol { @@ -119,6 +120,7 @@ typedef enum ip_dscp_t_ } __clib_packed ip_dscp_t; extern u8 *format_ip_dscp (u8 * s, va_list * va); +unformat_function_t unformat_ip_dscp; /** * IP DSCP bit shift diff --git a/src/vnet/ipsec/ah_encrypt.c b/src/vnet/ipsec/ah_encrypt.c index b4e9af34802..d89cb093f26 100644 --- a/src/vnet/ipsec/ah_encrypt.c +++ b/src/vnet/ipsec/ah_encrypt.c @@ -22,6 +22,7 @@ #include #include #include +#include #define foreach_ah_encrypt_next \ _ (DROP, "error-drop") \ @@ -111,12 +112,13 @@ typedef struct { union { + /* Variable fields in the IP header not covered by the AH + * integrity check */ struct { u8 hop_limit; u32 ip_version_traffic_class_and_flow_label; }; - struct { u8 ttl; @@ -209,8 +211,6 @@ ah_encrypt_inline (vlib_main_t * vm, ssize_t adv; ih0 = vlib_buffer_get_current (b[0]); - pd->ttl = ih0->ip4.ttl; - pd->tos = ih0->ip4.tos; if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0))) { @@ -246,10 +246,20 @@ ah_encrypt_inline (vlib_main_t * vm, ip_hdr_size = sizeof (ip6_header_t); oh6_0 = vlib_buffer_get_current (b[0]); pd->current_data = b[0]->current_data; - pd->hop_limit = ih6_0->ip6.hop_limit; - pd->ip_version_traffic_class_and_flow_label = + + oh6_0->ip6.ip_version_traffic_class_and_flow_label = ih6_0->ip6.ip_version_traffic_class_and_flow_label; + + ip6_set_dscp_network_order (&oh6_0->ip6, sa0->dscp); + + tunnel_encap_fixup_6o6 (sa0->tunnel_flags, + &ih6_0->ip6, &oh6_0->ip6); + + pd->ip_version_traffic_class_and_flow_label = + oh6_0->ip6.ip_version_traffic_class_and_flow_label; + oh6_0->ip6.ip_version_traffic_class_and_flow_label = 0; + if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0))) { next_hdr_type = IP_PROTOCOL_IPV6; @@ -275,8 +285,24 @@ ah_encrypt_inline (vlib_main_t * vm, { ip_hdr_size = sizeof (ip4_header_t); oh0 = vlib_buffer_get_current (b[0]); - clib_memset (oh0, 0, sizeof (ip4_and_ah_header_t)); + pd->ttl = ih0->ip4.ttl; + + if (sa0->dscp) + pd->tos = sa0->dscp << 2; + else + { + pd->tos = ih0->ip4.tos; + if (! + (sa0->tunnel_flags & + TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP)) + pd->tos &= 0x3; + if (! + (sa0->tunnel_flags & + TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)) + pd->tos &= 0xfc; + } pd->current_data = b[0]->current_data; + clib_memset (oh0, 0, sizeof (ip4_and_ah_header_t)); if (PREDICT_TRUE (ipsec_sa_is_set_IS_TUNNEL (sa0))) { diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index f5461684166..ed49cdc97eb 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -24,6 +24,7 @@ #include #include #include +#include #define foreach_esp_encrypt_next \ _(DROP4, "ip4-drop") \ @@ -743,9 +744,22 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, u16 len = sizeof (ip6_header_t); hdr_len += len; ip6 = (ip6_header_t *) (payload - hdr_len); - clib_memcpy_fast (ip6, &sa0->ip6_hdr, len); - *next_hdr_ptr = (is_ip6 ? - IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP); + clib_memcpy_fast (ip6, &sa0->ip6_hdr, sizeof (ip6_header_t)); + + if (is_ip6) + { + *next_hdr_ptr = IP_PROTOCOL_IPV6; + tunnel_encap_fixup_6o6 (sa0->tunnel_flags, + (const ip6_header_t *) payload, + ip6); + } + else + { + *next_hdr_ptr = IP_PROTOCOL_IP_IN_IP; + tunnel_encap_fixup_4o6 (sa0->tunnel_flags, + (const ip4_header_t *) payload, + ip6); + } len = payload_len_total + hdr_len - len; ip6->payload_length = clib_net_to_host_u16 (len); } @@ -755,9 +769,22 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, u16 len = sizeof (ip4_header_t); hdr_len += len; ip4 = (ip4_header_t *) (payload - hdr_len); - clib_memcpy_fast (ip4, &sa0->ip4_hdr, len); - *next_hdr_ptr = (is_ip6 ? - IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP); + clib_memcpy_fast (ip4, &sa0->ip4_hdr, sizeof (ip4_header_t)); + + if (is_ip6) + { + *next_hdr_ptr = IP_PROTOCOL_IPV6; + tunnel_encap_fixup_6o4_w_chksum (sa0->tunnel_flags, + (const ip6_header_t *) + payload, ip4); + } + else + { + *next_hdr_ptr = IP_PROTOCOL_IP_IN_IP; + tunnel_encap_fixup_4o4_w_chksum (sa0->tunnel_flags, + (const ip4_header_t *) + payload, ip4); + } len = payload_len_total + hdr_len; esp_update_ip4_hdr (ip4, len, /* is_transport */ 0, 0); } diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api index 89dcdb761de..178c7c6f46e 100644 --- a/src/vnet/ipsec/ipsec.api +++ b/src/vnet/ipsec/ipsec.api @@ -196,12 +196,25 @@ define ipsec_sad_entry_add_del bool is_add; vl_api_ipsec_sad_entry_t entry; }; +define ipsec_sad_entry_add_del_v2 +{ + u32 client_index; + u32 context; + bool is_add; + vl_api_ipsec_sad_entry_v2_t entry; +}; define ipsec_sad_entry_add_del_reply { u32 context; i32 retval; u32 stat_index; }; +define ipsec_sad_entry_add_del_v2_reply +{ + u32 context; + i32 retval; + u32 stat_index; +}; /** \brief Add or Update Protection for a tunnel with IPSEC @@ -439,25 +452,17 @@ define ipsec_sa_dump u32 context; u32 sa_id; }; +define ipsec_sa_v2_dump +{ + u32 client_index; + u32 context; + u32 sa_id; +}; /** \brief IPsec security association database response @param context - sender context which was passed in the request - @param sa_id - SA ID, policy-based SAs >=0, tunnel interface SAs = 0 + @param entry - The SA details @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0 - @param spi - security parameter index - @param protocol - IPsec protocol (value from ipsec_protocol_t) - @param crypto_alg - crypto algorithm (value from ipsec_crypto_alg_t) - @param crypto_key_len - length of crypto_key in bytes - @param crypto_key - crypto keying material - @param integ_alg - integrity algorithm (value from ipsec_integ_alg_t) - @param integ_key_len - length of integ_key in bytes - @param integ_key - integrity keying material - @param use_esn - using extended sequence numbers when non-zero - @param use_anti_replay - using anti-replay window when non-zero - @param is_tunnel - IPsec tunnel mode when non-zero, else transport mode - @param is_tunnel_ipv6 - If using tunnel mode, endpoints are IPv6 - @param tunnel_src_addr - Tunnel source address if using tunnel mode - @param tunnel_dst_addr - Tunnel destination address is using tunnel mode @param salt - 4 byte salt @param seq - current sequence number for outbound @param seq_hi - high 32 bits of ESN for outbound @@ -465,7 +470,6 @@ define ipsec_sa_dump @param last_seq_hi - high 32 bits of highest ESN received inbound @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa - @param udp_encap - 1 if UDP encap enabled, 0 otherwise */ define ipsec_sa_details { u32 context; @@ -479,6 +483,18 @@ define ipsec_sa_details { u32 stat_index; }; +define ipsec_sa_v2_details { + u32 context; + vl_api_ipsec_sad_entry_v2_t entry; + + vl_api_interface_index_t sw_if_index; + u32 salt; + u64 seq_outbound; + u64 last_seq_inbound; + u64 replay_window; + + u32 stat_index; +}; /** \brief Set new SA on IPsec interface diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index f623cced0c7..7003791c8c8 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -28,6 +28,7 @@ #include #include #include +#include #include @@ -58,7 +59,9 @@ _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \ _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \ _(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \ _(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \ +_(IPSEC_SAD_ENTRY_ADD_DEL_V2, ipsec_sad_entry_add_del_v2) \ _(IPSEC_SA_DUMP, ipsec_sa_dump) \ +_(IPSEC_SA_V2_DUMP, ipsec_sa_v2_dump) \ _(IPSEC_SPDS_DUMP, ipsec_spds_dump) \ _(IPSEC_SPD_DUMP, ipsec_spd_dump) \ _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \ @@ -380,7 +383,10 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler crypto_alg, &crypto_key, integ_alg, &integ_key, flags, 0, mp->entry.salt, &tun_src, &tun_dst, - &sa_index, htons (mp->entry.udp_src_port), + TUNNEL_ENCAP_DECAP_FLAG_NONE, + IP_DSCP_CS0, + &sa_index, + htons (mp->entry.udp_src_port), htons (mp->entry.udp_dst_port)); else rv = ipsec_sa_unlock_id (id); @@ -398,6 +404,83 @@ out: /* *INDENT-ON* */ } +static void vl_api_ipsec_sad_entry_add_del_v2_t_handler + (vl_api_ipsec_sad_entry_add_del_v2_t * mp) +{ + vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main (); + vl_api_ipsec_sad_entry_add_del_v2_reply_t *rmp; + ip46_address_t tun_src = { }, tun_dst = + { + }; + tunnel_encap_decap_flags_t tunnel_flags; + ipsec_key_t crypto_key, integ_key; + ipsec_crypto_alg_t crypto_alg; + ipsec_integ_alg_t integ_alg; + ipsec_protocol_t proto; + ipsec_sa_flags_t flags; + u32 id, spi, sa_index = ~0; + int rv; + +#if WITH_LIBSSL > 0 + + id = ntohl (mp->entry.sad_id); + spi = ntohl (mp->entry.spi); + + rv = ipsec_proto_decode (mp->entry.protocol, &proto); + + if (rv) + goto out; + + rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg); + + if (rv) + goto out; + + rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg); + + if (rv) + goto out; + + rv = + tunnel_encap_decap_flags_decode (mp->entry.tunnel_flags, &tunnel_flags); + + if (rv) + goto out; + + ipsec_key_decode (&mp->entry.crypto_key, &crypto_key); + ipsec_key_decode (&mp->entry.integrity_key, &integ_key); + + flags = ipsec_sa_flags_decode (mp->entry.flags); + + ip_address_decode (&mp->entry.tunnel_src, &tun_src); + ip_address_decode (&mp->entry.tunnel_dst, &tun_dst); + + if (mp->is_add) + rv = ipsec_sa_add_and_lock (id, spi, proto, + crypto_alg, &crypto_key, + integ_alg, &integ_key, flags, + 0, mp->entry.salt, &tun_src, &tun_dst, + tunnel_flags, + ip_dscp_decode (mp->entry.dscp), + &sa_index, + htons (mp->entry.udp_src_port), + htons (mp->entry.udp_dst_port)); + else + rv = ipsec_sa_unlock_id (id); + +#else + rv = VNET_API_ERROR_UNIMPLEMENTED; +#endif + +out: + /* *INDENT-OFF* */ + REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_V2_REPLY, + { + rmp->stat_index = htonl (sa_index); + }); + /* *INDENT-ON* */ +} + static void send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg, u32 context) @@ -671,7 +754,9 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * &integ_key, (flags | IPSEC_SA_FLAG_IS_INBOUND), ntohl (mp->tx_table_id), - mp->salt, &remote_ip, &local_ip, NULL, + mp->salt, &remote_ip, &local_ip, + TUNNEL_ENCAP_DECAP_FLAG_NONE, + IP_DSCP_CS0, NULL, IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE); if (rv) @@ -686,7 +771,9 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * &integ_key, flags, ntohl (mp->tx_table_id), - mp->salt, &local_ip, &remote_ip, NULL, + mp->salt, &local_ip, &remote_ip, + TUNNEL_ENCAP_DECAP_FLAG_NONE, + IP_DSCP_CS0, NULL, IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE); if (rv) @@ -905,6 +992,101 @@ vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp) #endif } +static walk_rc_t +send_ipsec_sa_v2_details (ipsec_sa_t * sa, void *arg) +{ + ipsec_dump_walk_ctx_t *ctx = arg; + vl_api_ipsec_sa_v2_details_t *mp; + ipsec_main_t *im = &ipsec_main; + + mp = vl_msg_api_alloc (sizeof (*mp)); + clib_memset (mp, 0, sizeof (*mp)); + mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_V2_DETAILS); + mp->context = ctx->context; + + mp->entry.sad_id = htonl (sa->id); + mp->entry.spi = htonl (sa->spi); + mp->entry.protocol = ipsec_proto_encode (sa->protocol); + mp->entry.tx_table_id = + htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4)); + + mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg); + ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key); + + mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg); + ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key); + + mp->entry.flags = ipsec_sad_flags_encode (sa); + mp->entry.salt = clib_host_to_net_u32 (sa->salt); + + if (ipsec_sa_is_set_IS_PROTECT (sa)) + { + ipsec_sa_dump_match_ctx_t ctx = { + .sai = sa - im->sad, + .sw_if_index = ~0, + }; + ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx); + + mp->sw_if_index = htonl (ctx.sw_if_index); + } + else + mp->sw_if_index = ~0; + + if (ipsec_sa_is_set_IS_TUNNEL (sa)) + { + ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY, + &mp->entry.tunnel_src); + ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY, + &mp->entry.tunnel_dst); + } + if (ipsec_sa_is_set_UDP_ENCAP (sa)) + { + mp->entry.udp_src_port = sa->udp_hdr.src_port; + mp->entry.udp_dst_port = sa->udp_hdr.dst_port; + } + + mp->entry.tunnel_flags = tunnel_encap_decap_flags_encode (sa->tunnel_flags); + mp->entry.dscp = ip_dscp_encode (sa->dscp); + + mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq)); + mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq)); + if (ipsec_sa_is_set_USE_ESN (sa)) + { + mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi)); + mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi)); + } + if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa)) + mp->replay_window = clib_host_to_net_u64 (sa->replay_window); + + mp->stat_index = clib_host_to_net_u32 (sa->stat_index); + + vl_api_send_msg (ctx->reg, (u8 *) mp); + + return (WALK_CONTINUE); +} + +static void +vl_api_ipsec_sa_v2_dump_t_handler (vl_api_ipsec_sa_dump_t * mp) +{ + vl_api_registration_t *reg; + +#if WITH_LIBSSL > 0 + reg = vl_api_client_index_to_registration (mp->client_index); + if (!reg) + return; + + ipsec_dump_walk_ctx_t ctx = { + .reg = reg, + .context = mp->context, + }; + + ipsec_sa_walk (send_ipsec_sa_v2_details, &ctx); + +#else + clib_warning ("unimplemented"); +#endif +} + static void vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp) { diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index d7378534eb8..fc79c4ca347 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -90,6 +90,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, u16 udp_src, udp_dst; int is_add, rv; u32 m_args = 0; + ip_dscp_t dscp; salt = 0; error = NULL; @@ -99,6 +100,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, integ_alg = IPSEC_INTEG_ALG_NONE; crypto_alg = IPSEC_CRYPTO_ALG_NONE; udp_src = udp_dst = IPSEC_UDP_PORT_NONE; + dscp = IP_DSCP_CS0; if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -182,7 +184,9 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &ck, integ_alg, &ik, flags, 0, clib_host_to_net_u32 (salt), - &tun_src, &tun_dst, &sai, udp_src, udp_dst); + &tun_src, &tun_dst, + TUNNEL_ENCAP_DECAP_FLAG_NONE, dscp, + &sai, udp_src, udp_dst); } else { @@ -910,16 +914,18 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm, local_spi, IPSEC_PROTOCOL_ESP, crypto_alg, &lck, integ_alg, &lik, flags, table_id, clib_host_to_net_u32 (salt), &local_ip, - &remote_ip, NULL, IPSEC_UDP_PORT_NONE, - IPSEC_UDP_PORT_NONE); + &remote_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE, + IP_DSCP_CS0, NULL, + IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE); rv |= ipsec_sa_add_and_lock (ipsec_tun_mk_remote_sa_id (sw_if_index), remote_spi, IPSEC_PROTOCOL_ESP, crypto_alg, &rck, integ_alg, &rik, (flags | IPSEC_SA_FLAG_IS_INBOUND), table_id, clib_host_to_net_u32 (salt), &remote_ip, - &local_ip, NULL, IPSEC_UDP_PORT_NONE, - IPSEC_UDP_PORT_NONE); + &local_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE, + IP_DSCP_CS0, NULL, + IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE); rv |= ipsec_tun_protect_update_one (sw_if_index, &nh, ipsec_tun_mk_local_sa_id (sw_if_index), diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c index 6781fe580c1..bf5ea3750e2 100644 --- a/src/vnet/ipsec/ipsec_format.c +++ b/src/vnet/ipsec/ipsec_format.c @@ -322,10 +322,12 @@ format_ipsec_sa (u8 * s, va_list * args) { tx_table_id = fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4); - s = format (s, "\n table-ID %d tunnel src %U dst %U", + s = format (s, "\n table-ID %d tunnel %U src %U dst %U flags %U", tx_table_id, + format_ip_dscp, sa->dscp, format_ip46_address, &sa->tunnel_src_addr, IP46_TYPE_ANY, - format_ip46_address, &sa->tunnel_dst_addr, IP46_TYPE_ANY); + format_ip46_address, &sa->tunnel_dst_addr, IP46_TYPE_ANY, + format_tunnel_encap_decap_flags, sa->tunnel_flags); if (!ipsec_sa_is_set_IS_INBOUND (sa)) { s = diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c index 9b2f2b53fa5..71e86ac5c45 100644 --- a/src/vnet/ipsec/ipsec_sa.c +++ b/src/vnet/ipsec/ipsec_sa.c @@ -178,8 +178,10 @@ ipsec_sa_add_and_lock (u32 id, u32 tx_table_id, u32 salt, const ip46_address_t * tun_src, - const ip46_address_t * tun_dst, u32 * sa_out_index, - u16 src_port, u16 dst_port) + const ip46_address_t * tun_dst, + tunnel_encap_decap_flags_t tunnel_flags, + ip_dscp_t dscp, + u32 * sa_out_index, u16 src_port, u16 dst_port) { vlib_main_t *vm = vlib_get_main (); ipsec_main_t *im = &ipsec_main; @@ -206,6 +208,8 @@ ipsec_sa_add_and_lock (u32 id, sa->stat_index = sa_index; sa->protocol = proto; sa->flags = flags; + sa->tunnel_flags = tunnel_flags; + sa->dscp = dscp; sa->salt = salt; sa->encrypt_thread_index = (vlib_num_workers ())? ~0 : 0; sa->decrypt_thread_index = (vlib_num_workers ())? ~0 : 0; @@ -297,6 +301,8 @@ ipsec_sa_add_and_lock (u32 id, if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa)) { sa->ip6_hdr.ip_version_traffic_class_and_flow_label = 0x60; + ip6_set_dscp_network_order (&sa->ip6_hdr, sa->dscp); + sa->ip6_hdr.hop_limit = 254; sa->ip6_hdr.src_address.as_u64[0] = sa->tunnel_src_addr.ip6.as_u64[0]; @@ -317,6 +323,7 @@ ipsec_sa_add_and_lock (u32 id, sa->ip4_hdr.ttl = 254; sa->ip4_hdr.src_address.as_u32 = sa->tunnel_src_addr.ip4.as_u32; sa->ip4_hdr.dst_address.as_u32 = sa->tunnel_dst_addr.ip4.as_u32; + sa->ip4_hdr.tos = sa->dscp << 2; if (ipsec_sa_is_set_UDP_ENCAP (sa)) sa->ip4_hdr.protocol = IP_PROTOCOL_UDP; diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h index 02f5eaf03a0..6ed71325f69 100644 --- a/src/vnet/ipsec/ipsec_sa.h +++ b/src/vnet/ipsec/ipsec_sa.h @@ -19,6 +19,7 @@ #include #include #include +#include #define foreach_ipsec_crypto_alg \ _ (0, NONE, "none") \ @@ -163,7 +164,9 @@ typedef struct u32 salt; ipsec_protocol_t protocol; - u8 __pad[3]; + tunnel_encap_decap_flags_t tunnel_flags; + ip_dscp_t dscp; + u8 __pad[1]; /* data accessed by dataplane code should be above this comment */ CLIB_CACHE_LINE_ALIGN_MARK (cacheline2); @@ -258,6 +261,8 @@ extern int ipsec_sa_add_and_lock (u32 id, u32 salt, const ip46_address_t * tunnel_src_addr, const ip46_address_t * tunnel_dst_addr, + tunnel_encap_decap_flags_t tunnel_flags, + ip_dscp_t dscp, u32 * sa_index, u16 src_port, u16 dst_port); extern index_t ipsec_sa_find_and_lock (u32 id); extern int ipsec_sa_unlock_id (u32 id); diff --git a/src/vnet/ipsec/ipsec_types.api b/src/vnet/ipsec/ipsec_types.api index 715f3de0e12..ca1b3788e64 100644 --- a/src/vnet/ipsec/ipsec_types.api +++ b/src/vnet/ipsec/ipsec_types.api @@ -17,6 +17,7 @@ option version = "3.0.0"; import "vnet/ip/ip_types.api"; +import "vnet/tunnel/tunnel_types.api"; /* * @brief Support cryptographic algorithms @@ -108,6 +109,8 @@ typedef key TX. It is ignored for RX. @param udp_dst_port - If using UDP Encapsulation, use this destination port for TX. Expect traffic on this port for RX. + @param tunnel_flags - Flags controlling the copying of encap/decap value + @param dscp - Fixed DSCP vaule for tunnel encap */ typedef ipsec_sad_entry { @@ -133,6 +136,33 @@ typedef ipsec_sad_entry u16 udp_dst_port [default=4500]; }; +typedef ipsec_sad_entry_v2 +{ + u32 sad_id; + + u32 spi; + + vl_api_ipsec_proto_t protocol; + + vl_api_ipsec_crypto_alg_t crypto_algorithm; + vl_api_key_t crypto_key; + + vl_api_ipsec_integ_alg_t integrity_algorithm; + vl_api_key_t integrity_key; + + vl_api_ipsec_sad_flags_t flags; + + vl_api_address_t tunnel_src; + vl_api_address_t tunnel_dst; + vl_api_tunnel_encap_decap_flags_t tunnel_flags; + vl_api_ip_dscp_t dscp; + u32 tx_table_id; + u32 salt; + u16 udp_src_port [default=4500]; + u16 udp_dst_port [default=4500]; +}; + + /* * Local Variables: * eval: (c-set-style "gnu") diff --git a/src/vnet/tunnel/tunnel_dp.h b/src/vnet/tunnel/tunnel_dp.h index a00a3b3e222..f84e764f7ea 100644 --- a/src/vnet/tunnel/tunnel_dp.h +++ b/src/vnet/tunnel/tunnel_dp.h @@ -33,6 +33,41 @@ tunnel_encap_fixup_4o4 (tunnel_encap_decap_flags_t flags, ip4_header_set_df (outer); } +static_always_inline void +tunnel_encap_fixup_4o4_w_chksum (tunnel_encap_decap_flags_t flags, + const ip4_header_t * inner, + ip4_header_t * outer) +{ + if (flags & (TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP | + TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)) + { + ip_csum_t sum = outer->checksum; + u8 tos = outer->tos; + + if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP) + ip4_header_set_dscp (outer, ip4_header_get_dscp (inner)); + if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN) + ip4_header_set_ecn (outer, ip4_header_get_ecn (inner)); + + sum = + ip_csum_update (outer->checksum, tos, outer->tos, ip4_header_t, tos); + outer->checksum = ip_csum_fold (sum); + } + if ((flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DF) && + ip4_header_get_df (inner)) + { + ip_csum_t sum = outer->checksum; + u16 tos = outer->flags_and_fragment_offset; + + ip4_header_set_df (outer); + + sum = + ip_csum_update (outer->checksum, tos, outer->tos, ip4_header_t, + flags_and_fragment_offset); + outer->checksum = ip_csum_fold (sum); + } +} + static_always_inline void tunnel_encap_fixup_6o4 (tunnel_encap_decap_flags_t flags, const ip6_header_t * inner, ip4_header_t * outer) @@ -43,6 +78,28 @@ tunnel_encap_fixup_6o4 (tunnel_encap_decap_flags_t flags, ip4_header_set_ecn (outer, ip6_ecn_network_order ((inner))); } +static_always_inline void +tunnel_encap_fixup_6o4_w_chksum (tunnel_encap_decap_flags_t flags, + const ip6_header_t * inner, + ip4_header_t * outer) +{ + if (flags & (TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP | + TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN)) + { + ip_csum_t sum = outer->checksum; + u8 tos = outer->tos; + + if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP) + ip4_header_set_dscp (outer, ip6_dscp_network_order (inner)); + if (flags & TUNNEL_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN) + ip4_header_set_ecn (outer, ip6_ecn_network_order ((inner))); + + sum = + ip_csum_update (outer->checksum, tos, outer->tos, ip4_header_t, tos); + outer->checksum = ip_csum_fold (sum); + } +} + static_always_inline void tunnel_encap_fixup_6o6 (tunnel_encap_decap_flags_t flags, const ip6_header_t * inner, ip6_header_t * outer) diff --git a/test/template_ipsec.py b/test/template_ipsec.py index 532a7a0a189..7bd0b9ec81f 100644 --- a/test/template_ipsec.py +++ b/test/template_ipsec.py @@ -49,6 +49,9 @@ class IPsecIPv4Params(object): self.salt = 0 self.flags = 0 self.nat_header = None + self.tun_flags = (VppEnum.vl_api_tunnel_encap_decap_flags_t. + TUNNEL_API_ENCAP_DECAP_FLAG_NONE) + self.dscp = 0 class IPsecIPv6Params(object): @@ -85,6 +88,9 @@ class IPsecIPv6Params(object): self.salt = 0 self.flags = 0 self.nat_header = None + self.tun_flags = (VppEnum.vl_api_tunnel_encap_decap_flags_t. + TUNNEL_API_ENCAP_DECAP_FLAG_NONE) + self.dscp = 0 def mk_scapy_crypt_key(p): @@ -181,8 +187,10 @@ class TemplateIpsec(VppTestCase): super(TemplateIpsec, cls).tearDownClass() def setup_params(self): - self.ipv4_params = IPsecIPv4Params() - self.ipv6_params = IPsecIPv6Params() + if not hasattr(self, 'ipv4_params'): + self.ipv4_params = IPsecIPv4Params() + if not hasattr(self, 'ipv6_params'): + self.ipv6_params = IPsecIPv6Params() self.params = {self.ipv4_params.addr_type: self.ipv4_params, self.ipv6_params.addr_type: self.ipv6_params} diff --git a/test/test_ipsec_ah.py b/test/test_ipsec_ah.py index bc539a2bd03..d44492ddd26 100644 --- a/test/test_ipsec_ah.py +++ b/test/test_ipsec_ah.py @@ -2,6 +2,10 @@ import socket import unittest from scapy.layers.ipsec import AH +from scapy.layers.inet import IP, UDP +from scapy.layers.inet6 import IPv6 +from scapy.layers.l2 import Ether +from scapy.packet import Raw from framework import VppTestRunner from template_ipsec import TemplateIpsec, IpsecTra46Tests, IpsecTun46Tests, \ @@ -119,6 +123,7 @@ class ConfigIpsecAH(TemplateIpsec): addr_any = params.addr_any addr_bcast = params.addr_bcast flags = params.flags + tun_flags = params.tun_flags e = VppEnum.vl_api_ipsec_spd_action_t objs = [] @@ -128,7 +133,9 @@ class ConfigIpsecAH(TemplateIpsec): self.vpp_ah_protocol, self.tun_if.local_addr[addr_type], self.tun_if.remote_addr[addr_type], - flags=flags) + tun_flags=tun_flags, + flags=flags, + dscp=params.dscp) params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi, auth_algo_vpp_id, auth_key, @@ -136,7 +143,9 @@ class ConfigIpsecAH(TemplateIpsec): self.vpp_ah_protocol, self.tun_if.remote_addr[addr_type], self.tun_if.local_addr[addr_type], - flags=flags) + tun_flags=tun_flags, + flags=flags, + dscp=params.dscp) objs.append(params.tun_sa_in) objs.append(params.tun_sa_out) @@ -302,6 +311,89 @@ class TestIpsecAh2(TemplateIpsecAh, IpsecTra46Tests, IpsecTun46Tests): pass +class TestIpsecAhTun(TemplateIpsecAh, IpsecTun46Tests): + """ Ipsec AH - TUN encap tests """ + + def setUp(self): + self.ipv4_params = IPsecIPv4Params() + self.ipv6_params = IPsecIPv6Params() + + c = (VppEnum.vl_api_tunnel_encap_decap_flags_t. + TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP) + c1 = c | (VppEnum.vl_api_tunnel_encap_decap_flags_t. + TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN) + + self.ipv4_params.tun_flags = c + self.ipv6_params.tun_flags = c1 + + super(TestIpsecAhTun, self).setUp() + + def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54): + # set the DSCP + ECN - flags are set to copy only DSCP + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + IP(src=src, dst=dst, tos=5) / + UDP(sport=4444, dport=4444) / + Raw(b'X' * payload_size) + for i in range(count)] + + def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54): + # set the DSCP + ECN - flags are set to copy both + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + IPv6(src=src, dst=dst, tc=5) / + UDP(sport=4444, dport=4444) / + Raw(b'X' * payload_size) + for i in range(count)] + + def verify_encrypted(self, p, sa, rxs): + # just check that only the DSCP is copied + for rx in rxs: + self.assertEqual(rx[IP].tos, 4) + + def verify_encrypted6(self, p, sa, rxs): + # just check that the DSCP & ECN are copied + for rx in rxs: + self.assertEqual(rx[IPv6].tc, 5) + + +class TestIpsecAhTun2(TemplateIpsecAh, IpsecTun46Tests): + """ Ipsec AH - TUN encap tests """ + + def setUp(self): + self.ipv4_params = IPsecIPv4Params() + self.ipv6_params = IPsecIPv6Params() + + self.ipv4_params.dscp = 3 + self.ipv6_params.dscp = 4 + + super(TestIpsecAhTun2, self).setUp() + + def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54): + # set the DSCP + ECN - flags are set to copy only DSCP + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + IP(src=src, dst=dst, tos=0) / + UDP(sport=4444, dport=4444) / + Raw(b'X' * payload_size) + for i in range(count)] + + def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54): + # set the DSCP + ECN - flags are set to copy both + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + IPv6(src=src, dst=dst, tc=0) / + UDP(sport=4444, dport=4444) / + Raw(b'X' * payload_size) + for i in range(count)] + + def verify_encrypted(self, p, sa, rxs): + # just check that only the DSCP is copied + for rx in rxs: + self.assertEqual(rx[IP].tos, 0xc) + + def verify_encrypted6(self, p, sa, rxs): + # just check that the DSCP & ECN are copied + for rx in rxs: + self.assertEqual(rx[IPv6].tc, 0x10) + + class TestIpsecAhHandoff(TemplateIpsecAh, IpsecTun6HandoffTests, IpsecTun4HandoffTests): diff --git a/test/test_ipsec_esp.py b/test/test_ipsec_esp.py index dbd21f1f5fe..78da401ea8a 100644 --- a/test/test_ipsec_esp.py +++ b/test/test_ipsec_esp.py @@ -2,6 +2,9 @@ import socket import unittest from scapy.layers.ipsec import ESP from scapy.layers.inet import IP, ICMP, UDP +from scapy.layers.inet6 import IPv6 +from scapy.layers.l2 import Ether +from scapy.packet import Raw from parameterized import parameterized from framework import VppTestRunner @@ -107,6 +110,7 @@ class ConfigIpsecESP(TemplateIpsec): addr_bcast = params.addr_bcast e = VppEnum.vl_api_ipsec_spd_action_t flags = params.flags + tun_flags = params.tun_flags salt = params.salt objs = [] @@ -116,6 +120,8 @@ class ConfigIpsecESP(TemplateIpsec): self.vpp_esp_protocol, self.tun_if.local_addr[addr_type], self.tun_if.remote_addr[addr_type], + tun_flags=tun_flags, + dscp=params.dscp, flags=flags, salt=salt) params.tun_sa_out = VppIpsecSA(self, vpp_tun_sa_id, vpp_tun_spi, @@ -124,6 +130,8 @@ class ConfigIpsecESP(TemplateIpsec): self.vpp_esp_protocol, self.tun_if.remote_addr[addr_type], self.tun_if.local_addr[addr_type], + tun_flags=tun_flags, + dscp=params.dscp, flags=flags, salt=salt) objs.append(params.tun_sa_in) @@ -368,6 +376,91 @@ class TestIpsecEsp1(TemplateIpsecEsp, IpsecTra46Tests, self.tun4_encrypt_node_name = old_name +class TestIpsecEspTun(TemplateIpsecEsp, IpsecTun46Tests): + """ Ipsec ESP - TUN encap tests """ + + def setUp(self): + self.ipv4_params = IPsecIPv4Params() + self.ipv6_params = IPsecIPv6Params() + + c = (VppEnum.vl_api_tunnel_encap_decap_flags_t. + TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_DSCP) + c1 = c | (VppEnum.vl_api_tunnel_encap_decap_flags_t. + TUNNEL_API_ENCAP_DECAP_FLAG_ENCAP_COPY_ECN) + + self.ipv4_params.tun_flags = c + self.ipv6_params.tun_flags = c1 + + super(TestIpsecEspTun, self).setUp() + + def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54): + # set the DSCP + ECN - flags are set to copy only DSCP + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + IP(src=src, dst=dst, tos=5) / + UDP(sport=4444, dport=4444) / + Raw(b'X' * payload_size) + for i in range(count)] + + def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54): + # set the DSCP + ECN - flags are set to copy both + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + IPv6(src=src, dst=dst, tc=5) / + UDP(sport=4444, dport=4444) / + Raw(b'X' * payload_size) + for i in range(count)] + + def verify_encrypted(self, p, sa, rxs): + # just check that only the DSCP is copied + for rx in rxs: + self.assertEqual(rx[IP].tos, 4) + + def verify_encrypted6(self, p, sa, rxs): + # just check that the DSCP & ECN are copied + for rx in rxs: + self.assertEqual(rx[IPv6].tc, 5) + + +class TestIpsecEspTun2(TemplateIpsecEsp, IpsecTun46Tests): + """ Ipsec ESP - TUN DSCP tests """ + + def setUp(self): + self.ipv4_params = IPsecIPv4Params() + self.ipv6_params = IPsecIPv6Params() + + self.ipv4_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF + self.ipv6_params.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11 + + super(TestIpsecEspTun2, self).setUp() + + def gen_pkts(self, sw_intf, src, dst, count=1, payload_size=54): + # set the DSCP + ECN - flags are set to copy only DSCP + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + IP(src=src, dst=dst) / + UDP(sport=4444, dport=4444) / + Raw(b'X' * payload_size) + for i in range(count)] + + def gen_pkts6(self, sw_intf, src, dst, count=1, payload_size=54): + # set the DSCP + ECN - flags are set to copy both + return [Ether(src=sw_intf.remote_mac, dst=sw_intf.local_mac) / + IPv6(src=src, dst=dst) / + UDP(sport=4444, dport=4444) / + Raw(b'X' * payload_size) + for i in range(count)] + + def verify_encrypted(self, p, sa, rxs): + # just check that only the DSCP is copied + for rx in rxs: + self.assertEqual(rx[IP].tos, + VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2) + + def verify_encrypted6(self, p, sa, rxs): + # just check that the DSCP & ECN are copied + for rx in rxs: + self.assertEqual(rx[IPv6].tc, + VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_AF11 << 2) + + class TestIpsecEsp2(TemplateIpsecEsp, IpsecTcpTests): """ Ipsec ESP - TCP tests """ pass diff --git a/test/test_ipsec_tun_if_esp.py b/test/test_ipsec_tun_if_esp.py index fb31f221aed..ba421694d60 100644 --- a/test/test_ipsec_tun_if_esp.py +++ b/test/test_ipsec_tun_if_esp.py @@ -2841,6 +2841,8 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4): def verify_encrypted(self, p, sa, rxs): for rx in rxs: try: + self.assertEqual(rx[IP].tos, + VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF << 2) pkt = sa.decrypt(rx[IP]) if not pkt.haslayer(IP): pkt = IP(pkt[Raw].load) @@ -2887,20 +2889,24 @@ class TestIpsecMIfEsp4(TemplateIpsec, IpsecTun4): p.scapy_tra_spi = p.scapy_tra_spi + ii p.vpp_tra_sa_id = p.vpp_tra_sa_id + ii p.vpp_tra_spi = p.vpp_tra_spi + ii - p.tun_sa_out = VppIpsecSA(self, p.scapy_tun_sa_id, p.scapy_tun_spi, - p.auth_algo_vpp_id, p.auth_key, - p.crypt_algo_vpp_id, p.crypt_key, - self.vpp_esp_protocol, - self.pg0.local_ip4, - self.pg0.remote_hosts[ii].ip4) + p.tun_sa_out = VppIpsecSA( + self, p.scapy_tun_sa_id, p.scapy_tun_spi, + p.auth_algo_vpp_id, p.auth_key, + p.crypt_algo_vpp_id, p.crypt_key, + self.vpp_esp_protocol, + self.pg0.local_ip4, + self.pg0.remote_hosts[ii].ip4, + dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF) p.tun_sa_out.add_vpp_config() - p.tun_sa_in = VppIpsecSA(self, p.vpp_tun_sa_id, p.vpp_tun_spi, - p.auth_algo_vpp_id, p.auth_key, - p.crypt_algo_vpp_id, p.crypt_key, - self.vpp_esp_protocol, - self.pg0.remote_hosts[ii].ip4, - self.pg0.local_ip4) + p.tun_sa_in = VppIpsecSA( + self, p.vpp_tun_sa_id, p.vpp_tun_spi, + p.auth_algo_vpp_id, p.auth_key, + p.crypt_algo_vpp_id, p.crypt_key, + self.vpp_esp_protocol, + self.pg0.remote_hosts[ii].ip4, + self.pg0.local_ip4, + dscp=VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_EF) p.tun_sa_in.add_vpp_config() p.tun_protect = VppIpsecTunProtect( diff --git a/test/vpp_ipsec.py b/test/vpp_ipsec.py index 479870621e0..d7ed8564fc4 100644 --- a/test/vpp_ipsec.py +++ b/test/vpp_ipsec.py @@ -192,8 +192,9 @@ class VppIpsecSA(VppObject): crypto_alg, crypto_key, proto, tun_src=None, tun_dst=None, - flags=None, salt=0, udp_src=None, - udp_dst=None): + flags=None, salt=0, tun_flags=None, + dscp=None, + udp_src=None, udp_dst=None): e = VppEnum.vl_api_ipsec_sad_flags_t self.test = test self.id = id @@ -220,6 +221,13 @@ class VppIpsecSA(VppObject): self.tun_dst = ip_address(text_type(tun_dst)) self.udp_src = udp_src self.udp_dst = udp_dst + self.tun_flags = (VppEnum.vl_api_tunnel_encap_decap_flags_t. + TUNNEL_API_ENCAP_DECAP_FLAG_NONE) + if tun_flags: + self.tun_flags = tun_flags + self.dscp = VppEnum.vl_api_ip_dscp_t.IP_API_DSCP_CS0 + if dscp: + self.dscp = dscp def add_vpp_config(self): entry = { @@ -238,6 +246,8 @@ class VppIpsecSA(VppObject): 'protocol': self.proto, 'tunnel_src': (self.tun_src if self.tun_src else []), 'tunnel_dst': (self.tun_dst if self.tun_dst else []), + 'tunnel_flags': self.tun_flags, + 'dscp': self.dscp, 'flags': self.flags, 'salt': self.salt } @@ -246,12 +256,12 @@ class VppIpsecSA(VppObject): entry['udp_src_port'] = self.udp_src if self.udp_dst: entry['udp_dst_port'] = self.udp_dst - r = self.test.vapi.ipsec_sad_entry_add_del(is_add=1, entry=entry) + r = self.test.vapi.ipsec_sad_entry_add_del_v2(is_add=1, entry=entry) self.stat_index = r.stat_index self.test.registry.register(self, self.test.logger) def remove_vpp_config(self): - r = self.test.vapi.ipsec_sad_entry_add_del( + r = self.test.vapi.ipsec_sad_entry_add_del_v2( is_add=0, entry={ 'sad_id': self.id, @@ -279,7 +289,7 @@ class VppIpsecSA(VppObject): def query_vpp_config(self): e = VppEnum.vl_api_ipsec_sad_flags_t - bs = self.test.vapi.ipsec_sa_dump() + bs = self.test.vapi.ipsec_sa_v2_dump() for b in bs: if b.entry.sad_id == self.id: # if udp encap is configured then the ports should match diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py index ec2f222b540..6e5ebc25fb4 100644 --- a/test/vpp_papi_provider.py +++ b/test/vpp_papi_provider.py @@ -946,10 +946,6 @@ class VppPapiProvider(object): {'spd_index': spd_index if spd_index else 0, 'spd_index_valid': 1 if spd_index else 0}) - def ipsec_sa_dump(self, sa_id=None): - return self.api(self.papi.ipsec_sa_dump, - {'sa_id': sa_id if sa_id else 0xffffffff}) - def ipsec_spd_entry_add_del(self, spd_id, sa_id, -- 2.16.6