From 82fc98fa4578dbbfb156effb11dea6a4e2d0b898 Mon Sep 17 00:00:00 2001
From: Alexander Chernavin
Date: Fri, 3 Apr 2020 10:18:44 -0400
Subject: [PATCH] dpdk: fix udp-encap for esp in transport mode

Now UDP encapsulation doesn't work in transport mode because:
- the encrypt node misses filling of UDP header and it gets sent with all zeros;
- the decrypt node misses filling of new IP header and it contains garbage data.
With this commit, fill UDP header during encryption and fill IP header during decryption.

Change-Id: I87a7bd594f0e312b16d3e5eb19e568b4e3164d36
Type: fix
Signed-off-by: Alexander Chernavin
---
 src/plugins/dpdk/ipsec/esp_decrypt.c | 16 +++++++---------
 src/plugins/dpdk/ipsec/esp_encrypt.c | 3 ++-
 2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c
index 315251694ba..ae35ab5aaae 100644
--- a/src/plugins/dpdk/ipsec/esp_decrypt.c
+++ b/src/plugins/dpdk/ipsec/esp_decrypt.c
@@ -616,16 +616,14 @@ dpdk_esp_decrypt_post_inline (vlib_main_t * vm,
 if ((ih4->ip_version_and_header_length & 0xF0) == 0x40)
 {
 u16 ih4_len = ip4_header_bytes (ih4);
- vlib_buffer_advance (b0, -ih4_len - udp_encap_adv);
+ vlib_buffer_advance (b0, -ih4_len);
 next0 = ESP_DECRYPT_NEXT_IP4_INPUT;
- if (!ipsec_sa_is_set_UDP_ENCAP (sa0))
- {
- oh4 = vlib_buffer_get_current (b0);
- memmove (oh4, ih4, ih4_len);
- oh4->protocol = f0->next_header;
- oh4->length = clib_host_to_net_u16 (b0->current_length);
- oh4->checksum = ip4_header_checksum (oh4);
- }
+
+ oh4 = vlib_buffer_get_current (b0);
+ memmove (oh4, ih4, ih4_len);
+ oh4->protocol = f0->next_header;
+ oh4->length = clib_host_to_net_u16 (b0->current_length);
+ oh4->checksum = ip4_header_checksum (oh4);
 }
 else if ((ih4->ip_version_and_header_length & 0xF0) == 0x60)
 {
diff --git a/src/plugins/dpdk/ipsec/esp_encrypt.c b/src/plugins/dpdk/ipsec/esp_encrypt.c
index c024f97e1e2..73f2081152d 100644
--- a/src/plugins/dpdk/ipsec/esp_encrypt.c
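Review bot: After this change the IPv4 transport branch in esp_decrypt.c no longer reads `udp_encap_adv`, and the IPv6 branch that opens on the last lines of the hunk is cut off, so it is not visible whether that branch received the same correction or whether the variable is now set but never used. Please confirm both; if nothing else in dpdk_esp_decrypt_post_inline reads it, drop the variable so a later edit cannot reintroduce the old offset. The rebuilt header also deserves a comment above `oh4 = vlib_buffer_get_current (b0);`, for example `/* transport mode: move the original IP header next to the decrypted payload; memmove because the two ranges may overlap */`. The function starts and ends outside this hunk.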
+++ b/src/plugins/dpdk/ipsec/esp_encrypt.c
@@ -428,6 +428,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
 u8 *src = ((u8 *) ih0) - rewrite_len;
 u8 *dst = vlib_buffer_get_current (b0);
 oh0 = vlib_buffer_get_current (b0) + rewrite_len;
+ ouh0 = vlib_buffer_get_current (b0) + rewrite_len;
 if (is_ip6)
 {
@@ -577,7 +578,7 @@ dpdk_esp_encrypt_inline (vlib_main_t * vm,
 tr->crypto_alg = sa0->crypto_alg;
 tr->integ_alg = sa0->integ_alg;
 u8 *p = vlib_buffer_get_current (b0);
- if (!ipsec_sa_is_set_IS_TUNNEL (sa0))
+ if (!ipsec_sa_is_set_IS_TUNNEL (sa0) && !is_tun)
 p += vnet_buffer (b0)->ip.save_rewrite_length;
 clib_memcpy_fast (tr->packet_data, p, sizeof (tr->packet_data));
 }
--
2.16.6
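Review bot: In the first esp_encrypt.c hunk `ouh0` is assigned the same address as `oh0` on the line above, which reads like a copy-paste slip unless the reader already knows the two pointers are different views of one outer header. A one-line comment would settle it, for example `/* oh0 and ouh0 overlay the same bytes; ouh0 is the layout that carries the UDP header */` (wording to be confirmed against the struct definitions, which are not in the hunk). The hunk also does not show the buffer advance that makes room for the new headers, so it is worth checking that it includes the UDP header size for UDP-encap SAs; otherwise writes through `ouh0` would land on the relocated IP header or the payload. dpdk_esp_encrypt_inline continues outside the hunk.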
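Review bot: The added `&& !is_tun` in the trace block of the second esp_encrypt.c hunk is not mentioned in the commit description, and `is_tun` is defined outside the hunk, so the case it covers cannot be read from the patch. A line in the description or a short comment such as `/* only SA-based transport mode has a saved rewrite to skip */` (to be confirmed by the author) would help. Separately, the `clib_memcpy_fast` that follows copies `sizeof (tr->packet_data)` bytes from `p` regardless of how much packet data remains after `p`; once `p` has been advanced by the saved rewrite length a short packet could put stale buffer bytes into the trace, so capping the length at the bytes remaining in `b0` looks safer.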