From 231c4696872cb344f28648949603840136c0795d Mon Sep 17 00:00:00 2001
From: Neale Ranns
Date: Mon, 18 Mar 2019 17:11:28 +0000
Subject: [PATCH] IPSEC: remove byte swap operations in DP during SPD classify
Change-Id: I4bfde738f9585b045cb5ba62cf51b141d639b1b2
Signed-off-by: Neale Ranns
---
 src/vnet/ipsec/ipsec_api.c | 17 +++++++++--------
 src/vnet/ipsec/ipsec_cli.c | 4 ++++
 src/vnet/ipsec/ipsec_format.c | 34 ++++++++++++----------------------
 src/vnet/ipsec/ipsec_output.c | 25 +++++++++----------------
 src/vnet/ipsec/ipsec_spd_policy.h | 1 +
 5 files changed, 35 insertions(+), 46 deletions(-)
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index d0f543fe520..e6f5bd31428 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -150,10 +150,11 @@ static void vl_api_ipsec_spd_entry_add_del_t_handler
 p.is_ipv6 = (itype == IP46_TYPE_IP6);
 p.protocol = mp->entry.protocol;
- p.rport.start = ntohs (mp->entry.remote_port_start);
- p.rport.stop = ntohs (mp->entry.remote_port_stop);
- p.lport.start = ntohs (mp->entry.local_port_start);
- p.lport.stop = ntohs (mp->entry.local_port_stop);
+ /* leave the ports in network order */
+ p.rport.start = mp->entry.remote_port_start;
+ p.rport.stop = mp->entry.remote_port_stop;
+ p.lport.start = mp->entry.local_port_start;
+ p.lport.stop = mp->entry.local_port_stop;
 rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
@@ -481,10 +482,10 @@ send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg,
 &mp->entry.remote_address_start);
 ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY, &mp->entry.remote_address_stop);
- mp->entry.local_port_start = htons (p->lport.start);
- mp->entry.local_port_stop = htons (p->lport.stop);
- mp->entry.remote_port_start = htons (p->rport.start);
- mp->entry.remote_port_stop = htons (p->rport.stop);
+ mp->entry.local_port_start = p->lport.start;
+ mp->entry.local_port_stop = p->lport.stop;
+ mp->entry.remote_port_start = p->rport.start;
+ mp->entry.remote_port_stop = p->rport.stop;
 mp->entry.protocol = p->protocol;
 mp->entry.policy = ipsec_spd_action_encode (p->policy);
 mp->entry.sa_id = htonl (p->sa_id);
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 8a4d068f9f7..2020e7909a3 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -291,12 +291,16 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm,
 {
 p.lport.start = tmp;
 p.lport.stop = tmp2;
+ p.lport.start = clib_host_to_net_u16 (p.lport.start);
+ p.lport.stop = clib_host_to_net_u16 (p.lport.stop);
 }
 else if (unformat (line_input, "remote-port-range %u - %u", &tmp, &tmp2))
 {
 p.rport.start = tmp;
 p.rport.stop = tmp2;
+ p.rport.start = clib_host_to_net_u16 (p.rport.start);
+ p.rport.stop = clib_host_to_net_u16 (p.rport.stop);
 }
 else
 {
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index aa5562caf63..3659a7a897f 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
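Review bot: In each branch of the ipsec_cli.c hunk the added pair re-assigns a field that was set on the line above (`p.lport.start = tmp;` followed by `p.lport.start = clib_host_to_net_u16 (p.lport.start);`), which reads like a leftover from an edit; converting on the way in is shorter: `p.lport.start = clib_host_to_net_u16 (tmp);` and `p.lport.stop = clib_host_to_net_u16 (tmp2);`, and the same for rport. tmp and tmp2 appear to be 32-bit values parsed with %u, so anything above 65535 is still truncated before the swap exactly as before the change; a range check on both values would belong here if one is wanted. The enclosing if/else chain and ipsec_policy_add_del_command_fn continue outside the hunk.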
@@ -177,28 +177,18 @@ format_ipsec_policy (u8 * s, va_list * args)
 {
 s = format (s, " sa %u", p->sa_id);
 }
- if (p->is_ipv6)
- {
- s = format (s, "\n local addr range %U - %U port range %u - %u",
- format_ip6_address, &p->laddr.start.ip6,
- format_ip6_address, &p->laddr.stop.ip6,
- p->lport.start, p->lport.stop);
- s = format (s, "\n remote addr range %U - %U port range %u - %u",
- format_ip6_address, &p->raddr.start.ip6,
- format_ip6_address, &p->raddr.stop.ip6,
- p->rport.start, p->rport.stop);
- }
- else
- {
- s = format (s, "\n local addr range %U - %U port range %u - %u",
- format_ip4_address, &p->laddr.start.ip4,
- format_ip4_address, &p->laddr.stop.ip4,
- p->lport.start, p->lport.stop);
- s = format (s, "\n remote addr range %U - %U port range %u - %u",
- format_ip4_address, &p->raddr.start.ip4,
- format_ip4_address, &p->raddr.stop.ip4,
- p->rport.start, p->rport.stop);
- }
+
+ s = format (s, "\n local addr range %U - %U port range %u - %u",
+ format_ip46_address, &p->laddr.start, IP46_TYPE_ANY,
+ format_ip46_address, &p->laddr.stop, IP46_TYPE_ANY,
+ clib_net_to_host_u16 (p->lport.start),
+ clib_net_to_host_u16 (p->lport.stop));
+ s = format (s, "\n remote addr range %U - %U port range %u - %u",
+ format_ip46_address, &p->raddr.start, IP46_TYPE_ANY,
+ format_ip46_address, &p->raddr.stop, IP46_TYPE_ANY,
+ clib_net_to_host_u16 (p->rport.start),
+ clib_net_to_host_u16 (p->rport.stop));
+
 vlib_get_combined_counter (&ipsec_spd_policy_counters, pi, &counts);
 s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes);
diff --git a/src/vnet/ipsec/ipsec_output.c b/src/vnet/ipsec/ipsec_output.c
index a2553764192..83ab629453d 100644
--- a/src/vnet/ipsec/ipsec_output.c
+++ b/src/vnet/ipsec/ipsec_output.c
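Review bot: The new format calls pass IP46_TYPE_ANY, which makes format_ip46_address infer the family from the address bytes rather than from p->is_ipv6 as the removed branches did; as far as I recall the ANY case treats an address whose upper 96 bits are zero as IPv4, so a v6 policy whose range starts at :: would print as 0.0.0.0. Passing the stored family keeps the display faithful: `format_ip46_address, &p->laddr.start, p->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4,` and the same for the other three address arguments. The clib_net_to_host_u16 calls on the ports are consistent with port_range_t now holding network order, so that part is fine. format_ipsec_policy starts outside the hunk.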
@@ -82,16 +82,16 @@ ipsec_output_policy_match (ipsec_spd_t * spd, u8 pr, u32 la, u32 ra, u16 lp,
 if (PREDICT_FALSE (p->protocol && (p->protocol != pr)))
 continue;
- if (ra < clib_net_to_host_u32 (p->raddr.start.ip4.as_u32))
+ if (ra < p->raddr.start.ip4.as_u32)
 continue;
- if (ra > clib_net_to_host_u32 (p->raddr.stop.ip4.as_u32))
+ if (ra > p->raddr.stop.ip4.as_u32)
 continue;
- if (la < clib_net_to_host_u32 (p->laddr.start.ip4.as_u32))
+ if (la < p->laddr.start.ip4.as_u32)
 continue;
- if (la > clib_net_to_host_u32 (p->laddr.stop.ip4.as_u32))
+ if (la > p->laddr.stop.ip4.as_u32)
 continue;
 if (PREDICT_FALSE
@@ -239,10 +239,8 @@ ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 p0 = ipsec6_output_policy_match (spd0, &ip6_0->src_address, &ip6_0->dst_address,
- clib_net_to_host_u16
- (udp0->src_port),
- clib_net_to_host_u16
- (udp0->dst_port), ip6_0->protocol);
+ udp0->src_port,
+ udp0->dst_port, ip6_0->protocol);
 }
 else
 {
@@ -258,14 +256,9 @@ ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 #endif
 p0 = ipsec_output_policy_match (spd0, ip0->protocol,
- clib_net_to_host_u32
- (ip0->src_address.as_u32),
- clib_net_to_host_u32
- (ip0->dst_address.as_u32),
- clib_net_to_host_u16
- (udp0->src_port),
- clib_net_to_host_u16
- (udp0->dst_port));
+ ip0->src_address.as_u32,
+ ip0->dst_address.as_u32,
+ udp0->src_port, udp0->dst_port);
 }
 tcp0 = (void *) udp0;
diff --git a/src/vnet/ipsec/ipsec_spd_policy.h b/src/vnet/ipsec/ipsec_spd_policy.h
index 6d6b69592b0..d4472e68d89 100644
--- a/src/vnet/ipsec/ipsec_spd_policy.h
+++ b/src/vnet/ipsec/ipsec_spd_policy.h
@@ -39,6 +39,7 @@ typedef struct
 typedef struct
 {
+ /* Ports stored in network byte order */
 u16 start, stop;
 } port_range_t;
--
2.16.6
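Review bot: Removing clib_net_to_host_u32 from the four `ra`/`la` range checks in the @@ -82 hunk breaks them on little-endian hosts, because big-endian address bytes read as a native u32 do not sort in address order: for a policy range 10.0.0.0 - 10.0.0.255 the bounds read as 0x0000000A and 0xFF00000A, and 10.0.1.5 (0x0501000A) or 11.0.0.5 (0x0500000B) now fall inside it, so only start == stop entries keep matching exactly. The port checks that follow `if (PREDICT_FALSE` (outside this hunk) get the same problem from the @@ -239 and @@ -258 hunks, which now pass udp0->src_port/dst_port raw, and from the network-order storage introduced in ipsec_api.c and ipsec_cli.c (ipsec6_output_policy_match presumably compares the same way, though it is not in the patch). A policy walk that admits the wrong entry can hand traffic to a bypass or discard policy instead of the intended protect one, so a test with a multi-value address range and port range is needed before this merges. The commit's goal can still be met without per-policy swaps: convert each packet field once before the walk (`u32 ra0 = clib_net_to_host_u32 (ip0->dst_address.as_u32);` and likewise for la0/lp0/rp0) and keep the policy bounds in host order at add time, as the removed ntohs () calls in ipsec_api.c did. ipsec_output_policy_match's signature and the rest of its body lie outside the hunk.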