From 9534696b4637185c9f296375e63c50d8976d153d Mon Sep 17 00:00:00 2001 From: Neale Ranns Date: Mon, 25 Nov 2019 13:04:44 +0000 Subject: [PATCH] ipip: Tunnel flags controlling copying data to/from payload/encap Type: feature Signed-off-by: Neale Ranns Change-Id: I9467f11775936754406892b8e9e275f989ac9b30 --- src/plugins/ikev2/ikev2.c | 3 +- src/vnet/CMakeLists.txt | 7 +- src/vnet/ip/ip.c | 17 ++ src/vnet/ip/ip4_format.c | 4 + src/vnet/ip/ip4_packet.h | 64 +++++ src/vnet/ip/ip6_packet.h | 34 +++ src/vnet/ip/ip_packet.h | 29 +- src/vnet/ipip/ipip.api | 10 +- src/vnet/ipip/ipip.c | 69 +++-- src/vnet/ipip/ipip.h | 28 +- src/vnet/ipip/ipip_api.c | 12 +- src/vnet/ipip/ipip_cli.c | 18 +- src/vnet/ipip/ipip_types.api | 33 +++ src/vnet/ipip/ipip_types_api.c | 53 ++++ src/vnet/ipip/ipip_types_api.h | 41 +++ src/vnet/ipip/node.c | 28 +- src/vnet/ipsec/ipsec_api.c | 3 +- src/vnet/ipsec/ipsec_cli.c | 4 +- test/test_ipip.py | 620 +++++++++++++++++++++++++++++++++++------ test/vpp_ipip_tun_interface.py | 12 +- 20 files changed, 965 insertions(+), 124 deletions(-) create mode 100644 src/vnet/ipip/ipip_types.api create mode 100644 src/vnet/ipip/ipip_types_api.c create mode 100644 src/vnet/ipip/ipip_types_api.h diff --git a/src/plugins/ikev2/ikev2.c b/src/plugins/ikev2/ikev2.c index b6202aeec6a..a260bb16617 100644 --- a/src/plugins/ikev2/ikev2.c +++ b/src/plugins/ikev2/ikev2.c @@ -1542,7 +1542,8 @@ ikev2_add_tunnel_from_main (ikev2_add_ipsec_tunnel_args_t * a) int rv; rv = ipip_add_tunnel (IPIP_TRANSPORT_IP4, ~0, - &a->local_ip, &a->remote_ip, 0, 0, &sw_if_index); + &a->local_ip, &a->remote_ip, 0, + IPIP_TUNNEL_FLAG_NONE, IP_DSCP_CS0, &sw_if_index); rv |= ipsec_sa_add_and_lock (a->local_sa_id, a->local_spi, diff --git a/src/vnet/CMakeLists.txt b/src/vnet/CMakeLists.txt index 18898e152d1..658e8d9a696 100644 --- a/src/vnet/CMakeLists.txt +++ b/src/vnet/CMakeLists.txt 
@@ -722,6 +722,7 @@ list(APPEND VNET_SOURCES ipip/sixrd.c ipip/ipip_api.c ipip/ipip_cli.c + ipip/ipip_types_api.c ) list(APPEND VNET_MULTIARCH_SOURCES @@ -730,9 +731,13 @@ list(APPEND VNET_MULTIARCH_SOURCES list(APPEND VNET_HEADERS ipip/ipip.h + ipip/ipip_types_api.h ) -list(APPEND VNET_API_FILES ipip/ipip.api) +list(APPEND VNET_API_FILES + ipip/ipip_types.api + ipip/ipip.api +) ############################################################################## # Tunnel protocol: l2tpv3 diff --git a/src/vnet/ip/ip.c b/src/vnet/ip/ip.c index 785cd491b57..88eff4f4d59 100644 --- a/src/vnet/ip/ip.c +++ b/src/vnet/ip/ip.c @@ -312,6 +312,23 @@ format_ip_dscp (u8 * s, va_list * va) return (format (s, "unknown")); } +u8 * +format_ip_ecn (u8 * s, va_list * va) +{ + ip_ecn_t ecn = va_arg (*va, u32); // int promotion of u8 + + switch (ecn) + { +#define _(n,v) \ + case IP_ECN_##v: \ + return (format (s, "%s", #v)); + foreach_ip_ecn +#undef _ + } + + return (format (s, "unknown")); +} + /* * fd.io coding-style-patch-verification: ON * diff --git a/src/vnet/ip/ip4_format.c b/src/vnet/ip/ip4_format.c index eebd5ad8bd3..786a01d396b 100644 --- a/src/vnet/ip/ip4_format.c +++ b/src/vnet/ip/ip4_format.c @@ -155,6 +155,10 @@ format_ip4_header (u8 * s, va_list * args) s = format (s, " (should be 0x%04x)", clib_net_to_host_u16 (c)); } + s = format (s, " dscp %U ecn %U", + format_ip_dscp, ip4_header_get_dscp (ip), + format_ip_ecn, ip4_header_get_ecn (ip)); + { u32 f = clib_net_to_host_u16 (ip->flags_and_fragment_offset); u32 o; diff --git a/src/vnet/ip/ip4_packet.h b/src/vnet/ip/ip4_packet.h index c1852fc3ff2..79cf22c4d70 100644 --- a/src/vnet/ip/ip4_packet.h +++ b/src/vnet/ip/ip4_packet.h 
@@ -264,6 +264,70 @@ ip4_header_checksum (ip4_header_t * i) return csum; } +always_inline void +ip4_header_set_dscp (ip4_header_t * ip4, ip_dscp_t dscp) +{ + ip4->tos &= ~0xfc; + /* not masking the dscp value to save th instruction + * it shouldn't b necessary since the argument is an enum + * whose range is therefore constrained in the CP. in the + * DP it will have been taken from another packet, so again + * constrained in value */ + ip4->tos |= dscp << IP_PACKET_TC_FIELD_DSCP_BIT_SHIFT; +} + +always_inline void +ip4_header_set_ecn (ip4_header_t * ip4, ip_ecn_t ecn) +{ + ip4->tos &= ~IP_PACKET_TC_FIELD_ECN_MASK; + ip4->tos |= ecn; +} + +always_inline void +ip4_header_set_ecn_w_chksum (ip4_header_t * ip4, ip_ecn_t ecn) +{ + ip_csum_t sum = ip4->checksum; + u8 old = ip4->tos; + u8 new = (old & ~IP_PACKET_TC_FIELD_ECN_MASK) | ecn; + + sum = ip_csum_update (sum, old, new, ip4_header_t, tos); + ip4->checksum = ip_csum_fold (sum); + ip4->tos = new; +} + +always_inline ip_dscp_t +ip4_header_get_dscp (const ip4_header_t * ip4) +{ + return (ip4->tos >> IP_PACKET_TC_FIELD_DSCP_BIT_SHIFT); +} + +always_inline ip_ecn_t +ip4_header_get_ecn (const ip4_header_t * ip4) +{ + return (ip4->tos & IP_PACKET_TC_FIELD_ECN_MASK); +} + +always_inline void +ip4_header_set_df (ip4_header_t * ip4) +{ + ip4->flags_and_fragment_offset |= + clib_host_to_net_u16 (IP4_HEADER_FLAG_DONT_FRAGMENT); +} + +always_inline void +ip4_header_clear_df (ip4_header_t * ip4) +{ + ip4->flags_and_fragment_offset &= + ~clib_host_to_net_u16 (IP4_HEADER_FLAG_DONT_FRAGMENT); +} + +always_inline u8 +ip4_header_get_df (ip4_header_t * ip4) +{ + return (! !(ip4->flags_and_fragment_offset & + clib_host_to_net_u16 (IP4_HEADER_FLAG_DONT_FRAGMENT))); +} + static inline uword ip4_header_checksum_is_valid (ip4_header_t * i) { diff --git a/src/vnet/ip/ip6_packet.h b/src/vnet/ip/ip6_packet.h index ed96ece1e7f..8c0698440e3 100644 --- a/src/vnet/ip/ip6_packet.h +++ b/src/vnet/ip/ip6_packet.h 
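Review bot: `ip4_header_set_dscp`, `ip4_header_set_ecn`, `ip4_header_set_df` and `ip4_header_clear_df` all change bytes covered by the IPv4 header checksum but leave `ip4->checksum` untouched, and nothing in the hunk tells callers so; only the ECN setter has a `_w_chksum` twin. I would add a one-line comment above each plain setter, e.g. `/* does not update ip4->checksum; the caller must recompute it or use a _w_chksum variant */`. Separately, `ip4_header_get_df` takes a non-const pointer while the other two getters are const; `ip4_header_get_df (const ip4_header_t * ip4)` would match them. The comment inside `ip4_header_set_dscp` has two typos ("th instruction", "b necessary").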
@@ -396,6 +396,20 @@ ip6_traffic_class_network_order (const ip6_header_t * ip6) & 0x0ff00000) >> 20; } +static_always_inline ip_dscp_t +ip6_dscp_network_order (const ip6_header_t * ip6) +{ + return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label) + & 0x0fc00000) >> 22; +} + +static_always_inline ip_ecn_t +ip6_ecn_network_order (const ip6_header_t * ip6) +{ + return (clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label) + & 0x00300000) >> 20; +} + static_always_inline void ip6_set_traffic_class_network_order (ip6_header_t * ip6, ip_dscp_t dscp) { @@ -406,6 +420,26 @@ ip6_set_traffic_class_network_order (ip6_header_t * ip6, ip_dscp_t dscp) ip6->ip_version_traffic_class_and_flow_label = clib_host_to_net_u32 (tmp); } +static_always_inline void +ip6_set_dscp_network_order (ip6_header_t * ip6, ip_dscp_t dscp) +{ + u32 tmp = + clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label); + tmp &= 0xf03fffff; + tmp |= (dscp << 22); + ip6->ip_version_traffic_class_and_flow_label = clib_host_to_net_u32 (tmp); +} + +static_always_inline void +ip6_set_ecn_network_order (ip6_header_t * ip6, ip_ecn_t ecn) +{ + u32 tmp = + clib_net_to_host_u32 (ip6->ip_version_traffic_class_and_flow_label); + tmp &= 0xffcfffff; + tmp |= (ecn << 20); + ip6->ip_version_traffic_class_and_flow_label = clib_host_to_net_u32 (tmp); +} + always_inline void * ip6_next_header (ip6_header_t * i) { diff --git a/src/vnet/ip/ip_packet.h b/src/vnet/ip/ip_packet.h index 63a59f87668..9a55d5f644e 100644 --- a/src/vnet/ip/ip_packet.h +++ b/src/vnet/ip/ip_packet.h 
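Review bot: `ip6_set_dscp_network_order` ORs in `dscp << 22` without masking, so any value above 63 writes into bits 28-29, the low bits of the IP version nibble; `ip6_set_ecn_network_order` has the same shape, and `ecn << 20` can spill into the DSCP bits. The data-plane callers in ipip.c and node.c pass values that came out of the masked getters, but `ipip_build_rewrite` passes `t->dscp`, which the API handler fills from `ip_dscp_decode (mp->tunnel.dscp)`; whether that decode range-checks is not visible in this patch. Either reject an out-of-range DSCP in `vl_api_ipip_add_tunnel_t_handler`, or mask here with `tmp |= ((dscp & 0x3f) << 22);` and `tmp |= ((ecn & 0x3) << 20);`. The IPv4 setter is less exposed because the excess bits fall off the u8 `tos`.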
@@ -118,10 +118,35 @@ typedef enum ip_dscp_t_ #undef _ } __clib_packed ip_dscp_t; -STATIC_ASSERT_SIZEOF (ip_dscp_t, 1); - extern u8 *format_ip_dscp (u8 * s, va_list * va); +/** + * IP DSCP bit shift + * The ECN occupies the 2 least significant bits of the TC field + */ +#define IP_PACKET_TC_FIELD_DSCP_BIT_SHIFT 2 +#define IP_PACKET_TC_FIELD_ECN_MASK 0x03 + +/** + * The set of RFC defined DSCP values. + */ +#define foreach_ip_ecn \ + _(0, NON_ECN) \ + _(1, ECT_0) \ + _(2, ECT_1) \ + _(3, CE) + +typedef enum ip_ecn_t_ +{ +#define _(n,f) IP_ECN_##f = n, + foreach_ip_ecn +#undef _ +} __clib_packed ip_ecn_t; + +STATIC_ASSERT_SIZEOF (ip_ecn_t, 1); + +extern u8 *format_ip_ecn (u8 * s, va_list * va); + /* IP checksum support. */ static_always_inline u16 diff --git a/src/vnet/ipip/ipip.api b/src/vnet/ipip/ipip.api index 8a6e726eba4..baf0e508cf0 100644 --- a/src/vnet/ipip/ipip.api +++ b/src/vnet/ipip/ipip.api @@ -1,3 +1,4 @@ +/* Hey Emacs use -*- mode: C -*- */ /* * Copyright (c) 2018 Cisco and/or its affiliates. * Licensed under the Apache License, Version 2.0 (the "License"); @@ -48,9 +49,11 @@ * */ -option version = "1.2.0"; +option version = "2.0.0"; + import "vnet/interface_types.api"; import "vnet/ip/ip_types.api"; +import "vnet/ipip/ipip_types.api"; /** * An IP{v4,v6} over IP{v4,v6} tunnel. @@ -63,8 +66,9 @@ typedef ipip_tunnel vl_api_interface_index_t sw_if_index; /* ignored on create, set in details/dump */ u32 table_id; - u8 tc_tos; /* If ~0, the TOS/TC value is copied from - inner packet, otherwise set to value */ + vl_api_ipip_tunnel_flags_t flags; + vl_api_ip_dscp_t dscp; /* DSCP value for the tunnel encap, + ignored if ECNAP_COPY_DSCP flag is set */ }; /** diff --git a/src/vnet/ipip/ipip.c b/src/vnet/ipip/ipip.c index 66c945e346e..15f453a8c7e 100644 --- a/src/vnet/ipip/ipip.c +++ b/src/vnet/ipip/ipip.c 
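Review bot: In `foreach_ip_ecn` (ip_packet.h) the two ECT names look swapped relative to RFC 3168, where codepoint binary 01 is ECT(1) and binary 10 is ECT(0); as written `IP_ECN_ECT_0` is 1 and `IP_ECN_ECT_1` is 2, so `format_ip_ecn` prints the wrong label. I would change the entries to `_(1, ECT_1)` and `_(2, ECT_0)`. The doc comment above the list still reads "The set of RFC defined DSCP values" and should say ECN. The hunk also removes `STATIC_ASSERT_SIZEOF (ip_dscp_t, 1);` and adds one only for `ip_ecn_t`; since `ipip_tunnel_t` now stores an `ip_dscp_t`, keeping both asserts seems safer unless the first was moved somewhere not shown here.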
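Review bot: The comment on the new `dscp` field of `typedef ipip_tunnel` (ipip.api) names a flag that does not exist, `ECNAP_COPY_DSCP`; it should read `IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DSCP`. Because the old `tc_tos` convention (~0 means copy from the inner packet) is removed, it would also help API users if that comment said that copying is now requested only through `flags`.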
@@ -75,8 +75,10 @@ ipip_build_rewrite (vnet_main_t * vnm, u32 sw_if_index, ip4->src_address.as_u32 = t->tunnel_src.ip4.as_u32; ip4->dst_address.as_u32 = t->tunnel_dst.ip4.as_u32; ip4->checksum = ip4_header_checksum (ip4); - if (t->tc_tos != 0xFF) - ip4->tos = t->tc_tos; + if (!(t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_DSCP)) + ip4_header_set_dscp (ip4, t->dscp); + if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_SET_DF) + ip4_header_set_df (ip4); break; case IPIP_TRANSPORT_IP6: @@ -84,14 +86,14 @@ ipip_build_rewrite (vnet_main_t * vnm, u32 sw_if_index, ip6 = (ip6_header_t *) rewrite; ip6->ip_version_traffic_class_and_flow_label = clib_host_to_net_u32 (6 << 28); - if (t->tc_tos != 0xFF) - ip6_set_traffic_class_network_order (ip6, t->tc_tos); ip6->hop_limit = 64; /* fixup ip6 header length and protocol after-the-fact */ ip6->src_address.as_u64[0] = t->tunnel_src.ip6.as_u64[0]; ip6->src_address.as_u64[1] = t->tunnel_src.ip6.as_u64[1]; ip6->dst_address.as_u64[0] = t->tunnel_dst.ip6.as_u64[0]; ip6->dst_address.as_u64[1] = t->tunnel_dst.ip6.as_u64[1]; + if (!(t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_DSCP)) + ip6_set_dscp_network_order (ip6, t->dscp); break; default: 
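Review bot: In the IPv4 branch of `ipip_build_rewrite`, `ip4->checksum = ip4_header_checksum (ip4);` still runs before the new `ip4_header_set_dscp` and `ip4_header_set_df` calls, so the checksum stored in the rewrite does not cover the final `tos` and DF bit. The code being replaced had the same ordering, and the per-packet fixup presumably recomputes the checksum, but that is outside the hunk. Moving the checksum line below the two `if` statements would make the rewrite template self-consistent; failing that, a comment such as `/* checksum is recomputed in ipip4_fixup */` would record why the order is safe. The function body starts and ends outside the hunk.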
@@ -114,15 +116,25 @@ ipip4_fixup (vlib_main_t * vm, ip_adjacency_t * adj, vlib_buffer_t * b, { case VNET_LINK_IP6: ip4->protocol = IP_PROTOCOL_IPV6; - if (t->tc_tos == 0xFF) - ip4->tos = - ip6_traffic_class_network_order ((const ip6_header_t *) (ip4 + 1)); + if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_DSCP) + ip4_header_set_dscp (ip4, + ip6_dscp_network_order ((ip6_header_t *) (ip4 + + 1))); + if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_ECN) + ip4_header_set_ecn (ip4, + ip6_ecn_network_order ((ip6_header_t *) (ip4 + + 1))); break; case VNET_LINK_IP4: ip4->protocol = IP_PROTOCOL_IP_IN_IP; - if (t->tc_tos == 0xFF) - ip4->tos = ((ip4_header_t *) (ip4 + 1))->tos; + if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_DSCP) + ip4_header_set_dscp (ip4, ip4_header_get_dscp (ip4 + 1)); + if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_ECN) + ip4_header_set_ecn (ip4, ip4_header_get_ecn (ip4 + 1)); + if ((t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_DF) && + ip4_header_get_df (ip4 + 1)) + ip4_header_set_df (ip4); break; default: 
@@ -151,17 +163,20 @@ ipip6_fixup (vlib_main_t * vm, ip_adjacency_t * adj, vlib_buffer_t * b, { case VNET_LINK_IP6: ip6->protocol = IP_PROTOCOL_IPV6; - if (t->tc_tos == 0xFF) - ip6_set_traffic_class_network_order (ip6, - ip6_traffic_class_network_order ((const ip6_header_t *) (ip6 + 1))); + if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_DSCP) + ip6_set_dscp_network_order (ip6, ip6_dscp_network_order (ip6 + 1)); + if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_ECN) + ip6_set_ecn_network_order (ip6, ip6_ecn_network_order (ip6 + 1)); break; case VNET_LINK_IP4: ip6->protocol = IP_PROTOCOL_IP_IN_IP; - if (t->tc_tos == 0xFF) - ip6_set_traffic_class_network_order (ip6, - ((ip4_header_t *) (ip6 + - 1))->tos); + if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_DSCP) + ip6_set_dscp_network_order + (ip6, ip4_header_get_dscp ((ip4_header_t *) (ip6 + 1))); + if (t->flags & IPIP_TUNNEL_FLAG_ENCAP_COPY_ECN) + ip6_set_ecn_network_order + (ip6, ip4_header_get_ecn ((ip4_header_t *) (ip6 + 1))); break; default: @@ -250,6 +265,20 @@ ipip_update_adj (vnet_main_t * vnm, u32 sw_if_index, adj_index_t ai) ipip_tunnel_stack (ai); } +u8 * +format_ipip_tunnel_flags (u8 * s, va_list * args) +{ + ipip_tunnel_flags_t f = va_arg (*args, int); + + if (f == IPIP_TUNNEL_FLAG_NONE) + return (format (s, "none")); + +#define _(a,b,c) if (f & IPIP_TUNNEL_FLAG_##a) s = format(s, "%s ", b); + forech_ipip_tunnel_flag +#undef _ + return (s); +} + static u8 * format_ipip_tunnel_name (u8 * s, va_list * args) { @@ -384,7 +413,8 @@ ipip_tunnel_db_remove (ipip_tunnel_t * t) int ipip_add_tunnel (ipip_transport_t transport, u32 instance, ip46_address_t * src, ip46_address_t * dst, - u32 fib_index, u8 tc_tos, u32 * sw_if_indexp) + u32 fib_index, ipip_tunnel_flags_t flags, + ip_dscp_t dscp, u32 * sw_if_indexp) { ipip_main_t *gm = &ipip_main; vnet_main_t *vnm = gm->vnet_main; 
@@ -430,9 +460,10 @@ ipip_add_tunnel (ipip_transport_t transport, t->hw_if_index = hw_if_index; t->fib_index = fib_index; t->sw_if_index = sw_if_index; - t->tc_tos = tc_tos; - + t->dscp = dscp; + t->flags = flags; t->transport = transport; + vec_validate_init_empty (gm->tunnel_index_by_sw_if_index, sw_if_index, ~0); gm->tunnel_index_by_sw_if_index[sw_if_index] = t_idx; diff --git a/src/vnet/ipip/ipip.h b/src/vnet/ipip/ipip.h index c55d1d7c644..be944507b40 100644 --- a/src/vnet/ipip/ipip.h +++ b/src/vnet/ipip/ipip.h @@ -64,6 +64,28 @@ typedef enum IPIP_MODE_6RD, } ipip_mode_t; +/** + * Keep these idenitical to those in ipip.api + */ +#define forech_ipip_tunnel_flag \ + _(NONE, "none", 0x0) \ + _(ENCAP_COPY_DF, "encap-copy-df", 0x1) \ + _(ENCAP_SET_DF, "encap-set-df", 0x2) \ + _(ENCAP_COPY_DSCP, "encap-copy-dscp", 0x4) \ + _(ENCAP_COPY_ECN, "encap-copy-ecn", 0x8) \ + _(DECAP_COPY_ECN, "decap-copy-ecn", 0x10) + +typedef enum ipip_tunnel_flags_t_ +{ +#define _(a,b,c) IPIP_TUNNEL_FLAG_##a = c, + forech_ipip_tunnel_flag +#undef _ +} __clib_packed ipip_tunnel_flags_t; + +#define IPIP_TUNNEL_FLAG_MASK (0x1f) + +extern u8 *format_ipip_tunnel_flags (u8 * s, va_list * args); + /** * @brief A representation of a IPIP tunnel */ @@ -82,7 +104,8 @@ typedef struct u32 sw_if_index; u32 dev_instance; /* Real device instance in tunnel vector */ u32 user_instance; /* Instance name being shown to user */ - u8 tc_tos; + ipip_tunnel_flags_t flags; + ip_dscp_t dscp; struct { @@ -143,7 +166,8 @@ sixrd_get_addr_net (const ipip_tunnel_t * t, u64 dal) int ipip_add_tunnel (ipip_transport_t transport, u32 instance, ip46_address_t * src, ip46_address_t * dst, - u32 fib_index, u8 tc_tos, u32 * sw_if_indexp); + u32 fib_index, ipip_tunnel_flags_t flags, + ip_dscp_t dscp, u32 * sw_if_indexp); int ipip_del_tunnel (u32 sw_if_index); int sixrd_add_tunnel (ip6_address_t * ip6_prefix, u8 ip6_prefix_len, ip4_address_t * ip4_prefix, u8 ip4_prefix_len, 
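Review bot: `IPIP_TUNNEL_FLAG_MASK` in ipip.h is a hand-written `0x1f` that has to be kept in step with the flag list, and `ipip_tunnel_flags_decode` relies on it to reject unknown bits arriving from the API. Deriving the mask from the list (the OR of every value) would stop the two drifting apart when a flag is added. The list macro name is misspelled (`forech_ipip_tunnel_flag` for `foreach_...`) and is already used from ipip.c, so it is cheaper to correct in this commit than later. The comment says to keep the values identical to those in ipip.api, but the enum is defined in ipip_types.api, and "idenitical" is a typo.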
diff --git a/src/vnet/ipip/ipip_api.c b/src/vnet/ipip/ipip_api.c index da0cb169296..47ff159b703 100644 --- a/src/vnet/ipip/ipip_api.c +++ b/src/vnet/ipip/ipip_api.c @@ -22,6 +22,7 @@ #include #include #include +#include #include #include @@ -36,6 +37,7 @@ vl_api_ipip_add_tunnel_t_handler (vl_api_ipip_add_tunnel_t * mp) vl_api_ipip_add_tunnel_reply_t *rmp; int rv = 0; u32 fib_index, sw_if_index = ~0; + ipip_tunnel_flags_t flags; ip46_address_t src, dst; ip46_type_t itype[2]; @@ -54,6 +56,11 @@ vl_api_ipip_add_tunnel_t_handler (vl_api_ipip_add_tunnel_t * mp) goto out; } + rv = ipip_tunnel_flags_decode (mp->tunnel.flags, &flags); + + if (rv) + goto out; + fib_index = fib_table_find (fib_proto_from_ip46 (itype[0]), ntohl (mp->tunnel.table_id)); @@ -67,7 +74,8 @@ vl_api_ipip_add_tunnel_t_handler (vl_api_ipip_add_tunnel_t * mp) IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4), ntohl (mp->tunnel.instance), &src, &dst, - fib_index, mp->tunnel.tc_tos, &sw_if_index); + fib_index, flags, + ip_dscp_decode (mp->tunnel.dscp), &sw_if_index); } out: @@ -110,6 +118,8 @@ send_ipip_tunnel_details (ipip_tunnel_t * t, vl_api_ipip_tunnel_dump_t * mp) rmp->tunnel.table_id = htonl (ft->ft_table_id); rmp->tunnel.instance = htonl (t->user_instance); rmp->tunnel.sw_if_index = htonl (t->sw_if_index); + rmp->tunnel.dscp = ip_dscp_encode(t->dscp); + rmp->tunnel.flags = ipip_tunnel_flags_encode(t->flags); })); /* *INDENT-ON* */ } diff --git a/src/vnet/ipip/ipip_cli.c b/src/vnet/ipip/ipip_cli.c index 58f5b1c3039..e252f3a519e 100644 --- a/src/vnet/ipip/ipip_cli.c +++ b/src/vnet/ipip/ipip_cli.c @@ -82,7 +82,8 @@ static clib_error_t *create_ipip_tunnel_command_fn(vlib_main_t *vm, &src, &dst, fib_index, - 0, + IPIP_TUNNEL_FLAG_NONE, + IP_DSCP_CS0, &sw_if_index); } 
@@ -175,22 +176,25 @@ static u8 *format_ipip_tunnel(u8 *s, va_list *args) { fib_proto_from_ip46(type)); switch (t->mode) { case IPIP_MODE_6RD: - s = format(s, "[%d] 6rd src %U ip6-pfx %U/%d table-ID %d sw-if-idx %d ", + s = format(s, "[%d] 6rd src %U ip6-pfx %U/%d ", t->dev_instance, format_ip46_address, &t->tunnel_src, type, - format_ip6_address, &t->sixrd.ip6_prefix, t->sixrd.ip6_prefix_len, - table_id, t->sw_if_index); + format_ip6_address, &t->sixrd.ip6_prefix, t->sixrd.ip6_prefix_len); break; case IPIP_MODE_P2P: default: - s = format(s, "[%d] instance %d src %U dst %U table-ID %d sw-if-idx %d ", + s = format(s, "[%d] instance %d src %U dst %U ", t->dev_instance, t->user_instance, format_ip46_address, &t->tunnel_src, type, - format_ip46_address, &t->tunnel_dst, type, - table_id, t->sw_if_index); + format_ip46_address, &t->tunnel_dst, type); break; } + s = format(s, "table-ID %d sw-if-idx %d flags [%U] dscp %U", + table_id, t->sw_if_index, + format_ipip_tunnel_flags, t->flags, + format_ip_dscp, t->dscp); + return s; } diff --git a/src/vnet/ipip/ipip_types.api b/src/vnet/ipip/ipip_types.api new file mode 100644 index 00000000000..3e52fe74c1d --- /dev/null +++ b/src/vnet/ipip/ipip_types.api 
@@ -0,0 +1,33 @@
+/* Hey Emacs use -*- mode: C -*- */
+/*
+ * Copyright (c) 2019 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Flags controlling tunnel behaviour
+ */
+enum ipip_tunnel_flags : u8
+{
+ IPIP_TUNNEL_API_FLAG_NONE = 0,
+ /** at encap, copy the DF bit of the payload into the tunnel header */
+ IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DF = 0x1,
+ /** at encap, set the DF bit in the tunnel header */
+ IPIP_TUNNEL_API_FLAG_ENCAP_SET_DF = 0x2,
+ /** at encap, copy the DSCP bits of the payload into the tunnel header */
+ IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DSCP = 0x4,
+ /** at encap, copy the ECN bit of the payload into the tunnel header */
+ IPIP_TUNNEL_API_FLAG_ENCAP_COPY_ECN = 0x8,
+ /** at decap, copy the ECN bit of the tunnel header into the payload */
+ IPIP_TUNNEL_API_FLAG_DECAP_COPY_ECN = 0x10,
+};
diff --git a/src/vnet/ipip/ipip_types_api.c b/src/vnet/ipip/ipip_types_api.c
new file mode 100644
index 00000000000..5625b85af68
--- /dev/null
+++ b/src/vnet/ipip/ipip_types_api.c
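Review bot: The flag descriptions in ipip_types.api speak of "the ECN bit", but ECN is a two-bit field and both bits are copied; `/** at encap, copy the ECN bits of the payload into the tunnel header */` would be accurate, and likewise for the decap flag. The two DF flags only have an effect when the tunnel header is IPv4 (the IPv6 branch of `ipip_build_rewrite` and `ipip6_fixup` in this patch never test them), which is worth stating on `ENCAP_COPY_DF` and `ENCAP_SET_DF`. The comments also do not say what happens when both DF flags are set.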
@@ -0,0 +1,53 @@
+/*
+ * ipip_api.c - ipip api
+ *
+ * Copyright (c) 2018 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include
+#include
+
+#include
+#include
+
+
+STATIC_ASSERT (sizeof (vl_api_ipip_tunnel_flags_t) ==
+ sizeof (ipip_tunnel_flags_t),
+ "IPIP tunnel API and internal flags enum size differ");
+
+int
+ipip_tunnel_flags_decode (vl_api_ipip_tunnel_flags_t f,
+ ipip_tunnel_flags_t * o)
+{
+ if (f & ~IPIP_TUNNEL_FLAG_MASK)
+ /* unknown flags set */
+ return (VNET_API_ERROR_INVALID_VALUE_2);
+
+ *o = (ipip_tunnel_flags_t) f;
+ return (0);
+}
+
+vl_api_ipip_tunnel_flags_t
+ipip_tunnel_flags_encode (ipip_tunnel_flags_t f)
+{
+ return ((vl_api_ipip_tunnel_flags_t) f);
+}
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/vnet/ipip/ipip_types_api.h b/src/vnet/ipip/ipip_types_api.h
new file mode 100644
index 00000000000..17b1f1bb210
--- /dev/null
+++ b/src/vnet/ipip/ipip_types_api.h
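Review bot: `ipip_tunnel_flags_decode` and `ipip_tunnel_flags_encode` convert by plain cast, but the only compile-time check is that the two enums have the same size; nothing verifies that each API value equals its internal counterpart. One assert per flag, e.g. `STATIC_ASSERT (IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DF == IPIP_TUNNEL_FLAG_ENCAP_COPY_DF, "IPIP tunnel API and internal flag values differ");`, would turn the "keep these identical" comment in ipip.h into something the build enforces. The file header still reads `ipip_api.c - ipip api` and should name this file.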
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2018 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef __IPIP_TYPES_API_H__
+#define __IPIP_TYPES_API_H__
+
+/**
+ * Conversion functions to/from (decode/encode) API types to VPP internal types
+ */
+
+#include
+#include
+
+/**
+ * These enum decode/encodes use 'int' as the type for the enum because
+ * one cannot forward declare an enum
+ */
+extern int ipip_tunnel_flags_decode (u8 _f, ipip_tunnel_flags_t * out);
+extern u8 ipip_tunnel_flags_encode (ipip_tunnel_flags_t f);
+
+#endif
+
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */
diff --git a/src/vnet/ipip/node.c b/src/vnet/ipip/node.c
index 0cea4d50895..cd26b8a8b85 100644
--- a/src/vnet/ipip/node.c
+++ b/src/vnet/ipip/node.c
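Review bot: The comment above the prototypes in ipip_types_api.h says the functions use 'int' for the enum, but the declarations use `u8`, and the definitions in ipip_types_api.c use `vl_api_ipip_tunnel_flags_t`. The declarations and definitions agree only while the API enum stays `u8`-sized. I would reword the comment to `/* the API enum is passed as u8 because an enum cannot be forward declared */` and name the parameters `f` and `o` as in the definition.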
@@ -158,9 +158,33 @@ ipip_input (vlib_main_t * vm, vlib_node_runtime_t * node, vnet_buffer (b0)->sw_if_index[VLIB_RX] = tunnel_sw_if_index; if (inner_protocol0 == IP_PROTOCOL_IPV6) - next0 = IPIP_INPUT_NEXT_IP6_INPUT; + { + next0 = IPIP_INPUT_NEXT_IP6_INPUT; + + if (t0->flags & IPIP_TUNNEL_FLAG_DECAP_COPY_ECN) + { + if (is_ipv6) + ip6_set_ecn_network_order ((ip60 + 1), + ip6_ecn_network_order (ip60)); + else + ip6_set_ecn_network_order ((ip6_header_t *) (ip40 + 1), + ip4_header_get_ecn (ip40)); + } + } else if (inner_protocol0 == IP_PROTOCOL_IP_IN_IP) - next0 = IPIP_INPUT_NEXT_IP4_INPUT; + { + next0 = IPIP_INPUT_NEXT_IP4_INPUT; + if (t0->flags & IPIP_TUNNEL_FLAG_DECAP_COPY_ECN) + { + if (is_ipv6) + ip4_header_set_ecn_w_chksum ((ip4_header_t *) (ip60 + 1), + ip6_ecn_network_order + (ip60)); + else + ip4_header_set_ecn_w_chksum (ip40 + 1, + ip4_header_get_ecn (ip40)); + } + } if (!is_ipv6 && t0->mode == IPIP_MODE_6RD && t0->sixrd.security_check) diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index 893eee45ac9..ed79193906a 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -645,7 +645,8 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * rv = ipip_add_tunnel (transport, (mp->renumber ? ntohl (mp->show_instance) : ~0), &local_ip, - &remote_ip, fib_index, 0, &sw_if_index); + &remote_ip, fib_index, + IPIP_TUNNEL_FLAG_NONE, IP_DSCP_CS0, &sw_if_index); if (rv) goto done; diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 5385a0f15c8..b304458d565 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c 
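Review bot: With `IPIP_TUNNEL_FLAG_DECAP_COPY_ECN` set, the new code in `ipip_input` overwrites the inner ECN field with the outer one unconditionally, which differs from the decapsulation rules in RFC 6040 section 4.2. An inner Not-ECT packet can come out marked ECT or CE, and an inner CE mark is cleared when the outer header is Not-ECT; because the outer header of a plain IPIP packet is unauthenticated, any device on the path can cause either. I would leave the inner field alone when it is Not-ECT (RFC 6040 drops the Not-ECT inner / CE outer combination) and never lower an inner CE, by guarding each copy with a check of the inner field against `IP_ECN_NON_ECN` and `IP_ECN_CE`. Whether the inner header has been length-checked before `(ip60 + 1)` / `(ip40 + 1)` is written cannot be told from the hunk, which starts and ends inside `ipip_input`.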
@@ -840,8 +840,8 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm, /* create an ip-ip tunnel, then the two SA, then bind them */ rv = ipip_add_tunnel (ipv6_set ? IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4, - instance, &local_ip, &remote_ip, fib_index, 0, - &sw_if_index); + instance, &local_ip, &remote_ip, fib_index, + IPIP_TUNNEL_FLAG_NONE, IP_DSCP_CS0, &sw_if_index); rv |= ipsec_sa_add_and_lock (ipsec_tun_mk_local_sa_id (sw_if_index), local_spi, IPSEC_PROTOCOL_ESP, crypto_alg, diff --git a/test/test_ipip.py b/test/test_ipip.py index e723950b7a7..cb4166ab5db 100644 --- a/test/test_ipip.py +++ b/test/test_ipip.py @@ -7,6 +7,8 @@ from scapy.all import fragment, fragment6, RandShort, defragment6 from framework import VppTestCase, VppTestRunner from vpp_ip import DpoProto from vpp_ip_route import VppIpRoute, VppRoutePath, VppIpTable, FibPathProto +from vpp_ipip_tun_interface import VppIpIpTunInterface +from vpp_papi import VppEnum from socket import AF_INET, AF_INET6, inet_pton from util import reassemble4 @@ -17,7 +19,8 @@ IPIP tests. """ -def ipip_add_tunnel(test, src, dst, table_id=0, tc_tos=0xff): +def ipip_add_tunnel(test, src, dst, table_id=0, dscp=0x0, + flags=0): """ Add a IPIP tunnel """ return test.vapi.ipip_add_tunnel( tunnel={ @@ -25,10 +28,15 @@ def ipip_add_tunnel(test, src, dst, table_id=0, tc_tos=0xff): 'dst': dst, 'table_id': table_id, 'instance': 0xffffffff, - 'tc_tos': tc_tos + 'dscp': dscp, + 'flags': flags } ) +# the number of packets to send when injecting traffic. +# a multiple of 8 minus one, so we test all by 8/4/2/1 loops +N_PACKETS = 64 - 1 + class TestIPIP(VppTestCase): """ IPIP Test Case """ 
@@ -76,99 +84,285 @@ class TestIPIP(VppTestCase): p4_reply.ttl -= 1 return frags, p4_reply + def verify_ip4ip4_encaps(self, a, p_ip4s, p_ip4_encaps): + for i, p_ip4 in enumerate(p_ip4s): + p_ip4.dst = a + p4 = (self.p_ether / p_ip4 / self.p_payload) + p_ip4_inner = p_ip4 + p_ip4_inner.ttl -= 1 + p4_reply = (p_ip4_encaps[i] / p_ip4_inner / self.p_payload) + p4_reply.ttl -= 1 + p4_reply.id = 0 + rx = self.send_and_expect(self.pg0, p4 * N_PACKETS, self.pg1) + for p in rx: + self.validate(p[1], p4_reply) + self.assert_packet_checksums_valid(p) + + def verify_ip6ip4_encaps(self, a, p_ip6s, p_ip4_encaps): + for i, p_ip6 in enumerate(p_ip6s): + p_ip6.dst = a + p6 = (self.p_ether / p_ip6 / self.p_payload) + p_inner_ip6 = p_ip6 + p_inner_ip6.hlim -= 1 + p6_reply = (p_ip4_encaps[i] / p_inner_ip6 / self.p_payload) + p6_reply.ttl -= 1 + rx = self.send_and_expect(self.pg0, p6 * N_PACKETS, self.pg1) + for p in rx: + self.validate(p[1], p6_reply) + self.assert_packet_checksums_valid(p) + def test_ipip4(self): """ ip{v4,v6} over ip4 test """ - p_ether = Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) - p_ip6 = IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=42) - p_ip4 = IP(src="1.2.3.4", dst="130.67.0.1", tos=42) - p_payload = UDP(sport=1234, dport=1234) / Raw(b'X' * 100) - - # IPv4 transport - rv = ipip_add_tunnel(self, - self.pg0.local_ip4, - self.pg1.remote_ip4, - tc_tos=0xFF) - sw_if_index = rv.sw_if_index - # Set interface up and enable IP on it - self.vapi.sw_interface_set_flags(sw_if_index, 1) - self.vapi.sw_interface_set_unnumbered( - sw_if_index=self.pg0.sw_if_index, - unnumbered_sw_if_index=sw_if_index) + self.pg1.generate_remote_hosts(5) + self.pg1.configure_ipv4_neighbors() + e = VppEnum.vl_api_ipip_tunnel_flags_t + d = VppEnum.vl_api_ip_dscp_t + self.p_ether = Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) + self.p_payload = UDP(sport=1234, dport=1234) / Raw(b'X' * 100) + + # create a TOS byte by shifting a DSCP code point 2 bits. 
those 2 bits + # are for the ECN. + dscp = d.IP_API_DSCP_AF31 << 2 + ecn = 3 + dscp_ecn = d.IP_API_DSCP_AF31 << 2 | ecn + + # IPv4 transport that copies the DCSP from the payload + tun_dscp = VppIpIpTunInterface( + self, + self.pg0, + self.pg0.local_ip4, + self.pg1.remote_hosts[0].ip4, + flags=e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DSCP).add_vpp_config() + # IPv4 transport that copies the DCSP and ECN from the payload + tun_dscp_ecn = VppIpIpTunInterface( + self, + self.pg0, + self.pg0.local_ip4, + self.pg1.remote_hosts[1].ip4, + flags=(e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DSCP | + e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_ECN)).add_vpp_config() + # IPv4 transport that copies the ECN from the payload and sets the + # DF bit on encap. copies the ECN on decap + tun_ecn = VppIpIpTunInterface( + self, + self.pg0, + self.pg0.local_ip4, + self.pg1.remote_hosts[2].ip4, + flags=(e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_ECN | + e.IPIP_TUNNEL_API_FLAG_ENCAP_SET_DF | + e.IPIP_TUNNEL_API_FLAG_DECAP_COPY_ECN)).add_vpp_config() + # IPv4 transport that sets a fixed DSCP in the encap and copies + # the DF bit + tun = VppIpIpTunInterface( + self, + self.pg0, + self.pg0.local_ip4, + self.pg1.remote_hosts[3].ip4, + dscp=d.IP_API_DSCP_AF11, + flags=e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DF).add_vpp_config() + + # array of all the tunnels + tuns = [tun_dscp, tun_dscp_ecn, tun_ecn, tun] + + # addresses for prefixes routed via each tunnel + a4s = ["" for i in range(len(tuns))] + a6s = ["" for i in range(len(tuns))] + + # IP headers with each combination of DSCp/ECN tested + p_ip6s = [IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=dscp), + IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=dscp_ecn), + IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=ecn), + IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=0xff)] + p_ip4s = [IP(src="1.2.3.4", dst="130.67.0.1", tos=dscp, flags='DF'), + IP(src="1.2.3.4", dst="130.67.0.1", tos=dscp_ecn), + IP(src="1.2.3.4", dst="130.67.0.1", tos=ecn), + IP(src="1.2.3.4", dst="130.67.0.1", tos=0xff)] + 
+ # Configure each tunnel + for i, t in enumerate(tuns): + # Set interface up and enable IP on it + self.vapi.sw_interface_set_flags(t.sw_if_index, 1) + self.vapi.sw_interface_set_unnumbered( + sw_if_index=self.pg0.sw_if_index, + unnumbered_sw_if_index=t.sw_if_index) + + # prefix for route / destination address for packets + a4s[i] = "130.67.%d.0" % i + a6s[i] = "dead:%d::" % i + + # Add IPv4 and IPv6 routes via tunnel interface + ip4_via_tunnel = VppIpRoute( + self, a4s[i], 24, + [VppRoutePath("0.0.0.0", + t.sw_if_index, + proto=FibPathProto.FIB_PATH_NH_PROTO_IP4)]) + ip4_via_tunnel.add_vpp_config() + + ip6_via_tunnel = VppIpRoute( + self, a6s[i], 64, + [VppRoutePath("::", + t.sw_if_index, + proto=FibPathProto.FIB_PATH_NH_PROTO_IP6)]) + ip6_via_tunnel.add_vpp_config() - # Add IPv4 and IPv6 routes via tunnel interface - ip4_via_tunnel = VppIpRoute( - self, "130.67.0.0", 16, - [VppRoutePath("0.0.0.0", - sw_if_index, - proto=FibPathProto.FIB_PATH_NH_PROTO_IP4)]) - ip4_via_tunnel.add_vpp_config() - - ip6_via_tunnel = VppIpRoute( - self, "dead::", 16, - [VppRoutePath("::", - sw_if_index, - proto=FibPathProto.FIB_PATH_NH_PROTO_IP6)]) - ip6_via_tunnel.add_vpp_config() + # + # Encapsulation + # - # IPv6 in to IPv4 tunnel - p6 = (p_ether / p_ip6 / p_payload) - p_inner_ip6 = p_ip6 - p_inner_ip6.hlim -= 1 - p6_reply = (IP(src=self.pg0.local_ip4, dst=self.pg1.remote_ip4, - proto='ipv6', id=0, tos=42) / p_inner_ip6 / p_payload) - p6_reply.ttl -= 1 - rx = self.send_and_expect(self.pg0, p6 * 10, self.pg1) - for p in rx: - self.validate(p[1], p6_reply) - self.assert_packet_checksums_valid(p) + # tun_dscp copies only the dscp + # expected TC values are thus only the DCSP value is present from the + # inner + exp_tcs = [dscp, dscp, 0, 0xfc] + p_ip44_encaps = [IP(src=self.pg0.local_ip4, + dst=tun_dscp.dst, + tos=tc) for tc in exp_tcs] + p_ip64_encaps = [IP(src=self.pg0.local_ip4, + dst=tun_dscp.dst, + proto='ipv6', id=0, tos=tc) for tc in exp_tcs] # IPv4 in to IPv4 tunnel - p4 = 
(p_ether / p_ip4 / p_payload) - p_ip4_inner = p_ip4 - p_ip4_inner.ttl -= 1 - p4_reply = (IP(src=self.pg0.local_ip4, dst=self.pg1.remote_ip4, - tos=42) / - p_ip4_inner / p_payload) - p4_reply.ttl -= 1 - p4_reply.id = 0 - rx = self.send_and_expect(self.pg0, p4 * 10, self.pg1) - for p in rx: - self.validate(p[1], p4_reply) - self.assert_packet_checksums_valid(p) + self.verify_ip4ip4_encaps(a4s[0], p_ip4s, p_ip44_encaps) + # IPv6 in to IPv4 tunnel + self.verify_ip6ip4_encaps(a6s[0], p_ip6s, p_ip64_encaps) + + # tun_dscp_ecn copies the dscp and the ecn + exp_tcs = [dscp, dscp_ecn, ecn, 0xff] + p_ip44_encaps = [IP(src=self.pg0.local_ip4, + dst=tun_dscp_ecn.dst, + tos=tc) for tc in exp_tcs] + p_ip64_encaps = [IP(src=self.pg0.local_ip4, + dst=tun_dscp_ecn.dst, + proto='ipv6', id=0, tos=tc) for tc in exp_tcs] + + self.verify_ip4ip4_encaps(a4s[1], p_ip4s, p_ip44_encaps) + self.verify_ip6ip4_encaps(a6s[1], p_ip6s, p_ip64_encaps) + + # tun_ecn copies only the ecn and always sets DF + exp_tcs = [0, ecn, ecn, ecn] + p_ip44_encaps = [IP(src=self.pg0.local_ip4, + dst=tun_ecn.dst, + flags='DF', tos=tc) for tc in exp_tcs] + p_ip64_encaps = [IP(src=self.pg0.local_ip4, + dst=tun_ecn.dst, + flags='DF', proto='ipv6', id=0, tos=tc) + for tc in exp_tcs] + + self.verify_ip4ip4_encaps(a4s[2], p_ip4s, p_ip44_encaps) + self.verify_ip6ip4_encaps(a6s[2], p_ip6s, p_ip64_encaps) + + # tun sets a fixed dscp and copies DF + fixed_dscp = tun.dscp << 2 + flags = ['DF', 0, 0, 0] + p_ip44_encaps = [IP(src=self.pg0.local_ip4, + dst=tun.dst, + flags=f, + tos=fixed_dscp) for f in flags] + p_ip64_encaps = [IP(src=self.pg0.local_ip4, + dst=tun.dst, + proto='ipv6', id=0, + tos=fixed_dscp) for i in range(len(p_ip4s))] + + self.verify_ip4ip4_encaps(a4s[3], p_ip4s, p_ip44_encaps) + self.verify_ip6ip4_encaps(a6s[3], p_ip6s, p_ip64_encaps) + # # Decapsulation - p_ether = Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) + # + n_packets_decapped = 0 + self.p_ether = Ether(src=self.pg1.remote_mac, 
dst=self.pg1.local_mac) # IPv4 tunnel to IPv4 + tcs = [0, dscp, dscp_ecn, ecn] + + # one overlay packet and all combinations of its encap p_ip4 = IP(src="1.2.3.4", dst=self.pg0.remote_ip4) - p4 = (p_ether / IP(src=self.pg1.remote_ip4, - dst=self.pg0.local_ip4) / p_ip4 / p_payload) - p4_reply = (p_ip4 / p_payload) - p4_reply.ttl -= 1 - rx = self.send_and_expect(self.pg1, p4 * 10, self.pg0) - for p in rx: - self.validate(p[1], p4_reply) - self.assert_packet_checksums_valid(p) + p_ip4_encaps = [IP(src=tun.dst, + dst=self.pg0.local_ip4, + tos=tc) for tc in tcs] + + # for each encap tun will produce the same inner packet because it does + # not copy up fields from the payload + for p_ip4_encap in p_ip4_encaps: + p4 = (self.p_ether / p_ip4_encap / p_ip4 / self.p_payload) + p4_reply = (p_ip4 / self.p_payload) + p4_reply.ttl -= 1 + rx = self.send_and_expect(self.pg1, p4 * N_PACKETS, self.pg0) + n_packets_decapped += N_PACKETS + for p in rx: + self.validate(p[1], p4_reply) + self.assert_packet_checksums_valid(p) + + err = self.statistics.get_err_counter( + '/err/ipip4-input/packets decapsulated') + self.assertEqual(err, n_packets_decapped) + + # tun_ecn copies the ECN bits from the encap to the inner + p_ip4_encaps = [IP(src=tun_ecn.dst, + dst=self.pg0.local_ip4, + tos=tc) for tc in tcs] + p_ip4_replys = [p_ip4.copy() for i in range(len(p_ip4_encaps))] + p_ip4_replys[2].tos = ecn + p_ip4_replys[3].tos = ecn + for i, p_ip4_encap in enumerate(p_ip4_encaps): + p4 = (self.p_ether / p_ip4_encap / p_ip4 / self.p_payload) + p4_reply = (p_ip4_replys[i] / self.p_payload) + p4_reply.ttl -= 1 + rx = self.send_and_expect(self.pg1, p4 * N_PACKETS, self.pg0) + n_packets_decapped += N_PACKETS + for p in rx: + self.validate(p[1], p4_reply) + self.assert_packet_checksums_valid(p) err = self.statistics.get_err_counter( '/err/ipip4-input/packets decapsulated') - self.assertEqual(err, 10) + self.assertEqual(err, n_packets_decapped) # IPv4 tunnel to IPv6 + # for each encap tun will produce the 
same inner packet because it does + # not copy up fields from the payload + p_ip4_encaps = [IP(src=tun.dst, + dst=self.pg0.local_ip4, + tos=tc) for tc in tcs] p_ip6 = IPv6(src="1:2:3::4", dst=self.pg0.remote_ip6) - p6 = (p_ether / IP(src=self.pg1.remote_ip4, - dst=self.pg0.local_ip4) / p_ip6 / p_payload) - p6_reply = (p_ip6 / p_payload) - p6_reply.hlim = 63 - rx = self.send_and_expect(self.pg1, p6 * 10, self.pg0) - for p in rx: - self.validate(p[1], p6_reply) - self.assert_packet_checksums_valid(p) + for p_ip4_encap in p_ip4_encaps: + p6 = (self.p_ether / + p_ip4_encap / p_ip6 / + self.p_payload) + p6_reply = (p_ip6 / self.p_payload) + p6_reply.hlim = 63 + rx = self.send_and_expect(self.pg1, p6 * N_PACKETS, self.pg0) + n_packets_decapped += N_PACKETS + for p in rx: + self.validate(p[1], p6_reply) + self.assert_packet_checksums_valid(p) err = self.statistics.get_err_counter( '/err/ipip4-input/packets decapsulated') - self.assertEqual(err, 20) + self.assertEqual(err, n_packets_decapped) + + # IPv4 tunnel to IPv6 + # tun_ecn copies the ECN bits from the encap to the inner + p_ip4_encaps = [IP(src=tun_ecn.dst, + dst=self.pg0.local_ip4, + tos=tc) for tc in tcs] + p_ip6 = IPv6(src="1:2:3::4", dst=self.pg0.remote_ip6) + p_ip6_replys = [p_ip6.copy() for i in range(len(p_ip4_encaps))] + p_ip6_replys[2].tc = ecn + p_ip6_replys[3].tc = ecn + for i, p_ip4_encap in enumerate(p_ip4_encaps): + p6 = (self.p_ether / p_ip4_encap / p_ip6 / self.p_payload) + p6_reply = (p_ip6_replys[i] / self.p_payload) + p6_reply.hlim = 63 + rx = self.send_and_expect(self.pg1, p6 * N_PACKETS, self.pg0) + n_packets_decapped += N_PACKETS + for p in rx: + self.validate(p[1], p6_reply) + self.assert_packet_checksums_valid(p) + + err = self.statistics.get_err_counter( + '/err/ipip4-input/packets decapsulated') + self.assertEqual(err, n_packets_decapped) # # Fragmentation / Reassembly and Re-fragmentation 
@@ -191,13 +385,14 @@ class TestIPIP(VppTestCase): self.pg_enable_capture() self.pg_start() rx = self.pg0.get_capture(1000) + n_packets_decapped += 1000 for p in rx: self.validate(p[1], p4_reply) err = self.statistics.get_err_counter( '/err/ipip4-input/packets decapsulated') - self.assertEqual(err, 1020) + self.assertEqual(err, n_packets_decapped) f = [] r = [] @@ -240,7 +435,7 @@ class TestIPIP(VppTestCase): self.validate(reass_pkt, p4_reply) # send large packets through the tunnel, expect them to be fragmented - self.vapi.sw_interface_set_mtu(sw_if_index, [600, 0, 0, 0]) + self.vapi.sw_interface_set_mtu(tun_dscp.sw_if_index, [600, 0, 0, 0]) p4 = (Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) / IP(src="1.2.3.4", dst="130.67.0.1", tos=42) / @@ -310,8 +505,7 @@ class TestIPIP6(VppTestCase): # IPv6 transport rv = ipip_add_tunnel(self, self.pg0.local_ip6, - self.pg1.remote_ip6, - tc_tos=255) + self.pg1.remote_ip6) sw_if_index = rv.sw_if_index self.tunnel_if_index = sw_if_index @@ -385,7 +579,7 @@ class TestIPIP6(VppTestCase): # IPv6 in to IPv6 tunnel p6 = (p_ether / p_ip6 / p_payload) p6_reply = (IPv6(src=self.pg0.local_ip6, dst=self.pg1.remote_ip6, - hlim=64, tc=42) / + hlim=64) / p_ip6 / p_payload) p6_reply[1].hlim -= 1 rx = self.send_and_expect(self.pg0, p6 * 11, self.pg1) @@ -395,7 +589,7 @@ class TestIPIP6(VppTestCase): # IPv4 in to IPv6 tunnel p4 = (p_ether / p_ip4 / p_payload) p4_reply = (IPv6(src=self.pg0.local_ip6, - dst=self.pg1.remote_ip6, hlim=64, tc=42) / + dst=self.pg1.remote_ip6, hlim=64) / p_ip4 / p_payload) p4_reply[1].ttl -= 1 rx = self.send_and_expect(self.pg0, p4 * 11, self.pg1) 
@@ -431,6 +625,270 @@ class TestIPIP6(VppTestCase): for p in rx: self.validate(p[1], p6_reply) + def verify_ip4ip6_encaps(self, a, p_ip4s, p_ip6_encaps): + for i, p_ip4 in enumerate(p_ip4s): + p_ip4.dst = a + p4 = (self.p_ether / p_ip4 / self.p_payload) + p_ip4_inner = p_ip4 + p_ip4_inner.ttl -= 1 + p6_reply = (p_ip6_encaps[i] / p_ip4_inner / self.p_payload) + rx = self.send_and_expect(self.pg0, p4 * N_PACKETS, self.pg1) + for p in rx: + self.validate(p[1], p6_reply) + self.assert_packet_checksums_valid(p) + + def verify_ip6ip6_encaps(self, a, p_ip6s, p_ip6_encaps): + for i, p_ip6 in enumerate(p_ip6s): + p_ip6.dst = a + p6 = (self.p_ether / p_ip6 / self.p_payload) + p_inner_ip6 = p_ip6 + p_inner_ip6.hlim -= 1 + p6_reply = (p_ip6_encaps[i] / p_inner_ip6 / self.p_payload) + rx = self.send_and_expect(self.pg0, p6 * N_PACKETS, self.pg1) + for p in rx: + self.validate(p[1], p6_reply) + self.assert_packet_checksums_valid(p) + + def test_ipip6(self): + """ ip{v4,v6} over ip6 test """ + + # that's annoying + self.destroy_tunnel() + + self.pg1.generate_remote_hosts(5) + self.pg1.configure_ipv6_neighbors() + e = VppEnum.vl_api_ipip_tunnel_flags_t + d = VppEnum.vl_api_ip_dscp_t + self.p_ether = Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac) + self.p_payload = UDP(sport=1234, dport=1234) / Raw(b'X' * 100) + + # create a TOS byte by shifting a DSCP code point 2 bits. those 2 bits + # are for the ECN. 
+ dscp = d.IP_API_DSCP_AF31 << 2 + ecn = 3 + dscp_ecn = d.IP_API_DSCP_AF31 << 2 | ecn + + # IPv4 transport that copies the DCSP from the payload + tun_dscp = VppIpIpTunInterface( + self, + self.pg0, + self.pg0.local_ip6, + self.pg1.remote_hosts[0].ip6, + flags=e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DSCP).add_vpp_config() + # IPv4 transport that copies the DCSP and ECN from the payload + tun_dscp_ecn = VppIpIpTunInterface( + self, + self.pg0, + self.pg0.local_ip6, + self.pg1.remote_hosts[1].ip6, + flags=(e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DSCP | + e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_ECN)).add_vpp_config() + # IPv4 transport that copies the ECN from the payload and sets the + # DF bit on encap. copies the ECN on decap + tun_ecn = VppIpIpTunInterface( + self, + self.pg0, + self.pg0.local_ip6, + self.pg1.remote_hosts[2].ip6, + flags=(e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_ECN | + e.IPIP_TUNNEL_API_FLAG_ENCAP_SET_DF | + e.IPIP_TUNNEL_API_FLAG_DECAP_COPY_ECN)).add_vpp_config() + # IPv4 transport that sets a fixed DSCP in the encap and copies + # the DF bit + tun = VppIpIpTunInterface( + self, + self.pg0, + self.pg0.local_ip6, + self.pg1.remote_hosts[3].ip6, + dscp=d.IP_API_DSCP_AF11, + flags=e.IPIP_TUNNEL_API_FLAG_ENCAP_COPY_DF).add_vpp_config() + + # array of all the tunnels + tuns = [tun_dscp, tun_dscp_ecn, tun_ecn, tun] + + # addresses for prefixes routed via each tunnel + a4s = ["" for i in range(len(tuns))] + a6s = ["" for i in range(len(tuns))] + + # IP headers for inner packets with each combination of DSCp/ECN tested + p_ip6s = [IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=dscp), + IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=dscp_ecn), + IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=ecn), + IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=0xff)] + p_ip4s = [IP(src="1.2.3.4", dst="130.67.0.1", tos=dscp, flags='DF'), + IP(src="1.2.3.4", dst="130.67.0.1", tos=dscp_ecn), + IP(src="1.2.3.4", dst="130.67.0.1", tos=ecn), + IP(src="1.2.3.4", dst="130.67.0.1", tos=0xff)] + + # Configure 
each tunnel + for i, t in enumerate(tuns): + # Set interface up and enable IP on it + self.vapi.sw_interface_set_flags(t.sw_if_index, 1) + self.vapi.sw_interface_set_unnumbered( + sw_if_index=self.pg0.sw_if_index, + unnumbered_sw_if_index=t.sw_if_index) + + # prefix for route / destination address for packets + a4s[i] = "130.67.%d.0" % i + a6s[i] = "dead:%d::" % i + + # Add IPv4 and IPv6 routes via tunnel interface + ip4_via_tunnel = VppIpRoute( + self, a4s[i], 24, + [VppRoutePath("0.0.0.0", + t.sw_if_index, + proto=FibPathProto.FIB_PATH_NH_PROTO_IP4)]) + ip4_via_tunnel.add_vpp_config() + + ip6_via_tunnel = VppIpRoute( + self, a6s[i], 64, + [VppRoutePath("::", + t.sw_if_index, + proto=FibPathProto.FIB_PATH_NH_PROTO_IP6)]) + ip6_via_tunnel.add_vpp_config() + + # + # Encapsulation + # + + # tun_dscp copies only the dscp + # expected TC values are thus only the DCSP value is present from the + # inner + exp_tcs = [dscp, dscp, 0, 0xfc] + p_ip6_encaps = [IPv6(src=self.pg0.local_ip6, + dst=tun_dscp.dst, + tc=tc) for tc in exp_tcs] + + # IPv4 in to IPv4 tunnel + self.verify_ip4ip6_encaps(a4s[0], p_ip4s, p_ip6_encaps) + # IPv6 in to IPv4 tunnel + self.verify_ip6ip6_encaps(a6s[0], p_ip6s, p_ip6_encaps) + + # tun_dscp_ecn copies the dscp and the ecn + exp_tcs = [dscp, dscp_ecn, ecn, 0xff] + p_ip6_encaps = [IPv6(src=self.pg0.local_ip6, + dst=tun_dscp_ecn.dst, + tc=tc) for tc in exp_tcs] + + self.verify_ip4ip6_encaps(a4s[1], p_ip4s, p_ip6_encaps) + self.verify_ip6ip6_encaps(a6s[1], p_ip6s, p_ip6_encaps) + + # tun_ecn copies only the ecn and always sets DF + exp_tcs = [0, ecn, ecn, ecn] + p_ip6_encaps = [IPv6(src=self.pg0.local_ip6, + dst=tun_ecn.dst, + tc=tc) for tc in exp_tcs] + + self.verify_ip4ip6_encaps(a4s[2], p_ip4s, p_ip6_encaps) + self.verify_ip6ip6_encaps(a6s[2], p_ip6s, p_ip6_encaps) + + # tun sets a fixed dscp + fixed_dscp = tun.dscp << 2 + p_ip6_encaps = [IPv6(src=self.pg0.local_ip6, + dst=tun.dst, + tc=fixed_dscp) for i in range(len(p_ip4s))] + + 
self.verify_ip4ip6_encaps(a4s[3], p_ip4s, p_ip6_encaps) + self.verify_ip6ip6_encaps(a6s[3], p_ip6s, p_ip6_encaps) + + # + # Decapsulation + # + n_packets_decapped = self.statistics.get_err_counter( + '/err/ipip6-input/packets decapsulated') + + self.p_ether = Ether(src=self.pg1.remote_mac, dst=self.pg1.local_mac) + + # IPv6 tunnel to IPv4 + tcs = [0, dscp, dscp_ecn, ecn] + + # one overlay packet and all combinations of its encap + p_ip4 = IP(src="1.2.3.4", dst=self.pg0.remote_ip4) + p_ip6_encaps = [IPv6(src=tun.dst, + dst=self.pg0.local_ip6, + tc=tc) for tc in tcs] + + # for each encap tun will produce the same inner packet because it does + # not copy up fields from the payload + for p_ip6_encap in p_ip6_encaps: + p6 = (self.p_ether / p_ip6_encap / p_ip4 / self.p_payload) + p4_reply = (p_ip4 / self.p_payload) + p4_reply.ttl -= 1 + rx = self.send_and_expect(self.pg1, p6 * N_PACKETS, self.pg0) + n_packets_decapped += N_PACKETS + for p in rx: + self.validate(p[1], p4_reply) + self.assert_packet_checksums_valid(p) + + err = self.statistics.get_err_counter( + '/err/ipip6-input/packets decapsulated') + self.assertEqual(err, n_packets_decapped) + + # tun_ecn copies the ECN bits from the encap to the inner + p_ip6_encaps = [IPv6(src=tun_ecn.dst, + dst=self.pg0.local_ip6, + tc=tc) for tc in tcs] + p_ip4_replys = [p_ip4.copy() for i in range(len(p_ip6_encaps))] + p_ip4_replys[2].tos = ecn + p_ip4_replys[3].tos = ecn + for i, p_ip6_encap in enumerate(p_ip6_encaps): + p6 = (self.p_ether / p_ip6_encap / p_ip4 / self.p_payload) + p4_reply = (p_ip4_replys[i] / self.p_payload) + p4_reply.ttl -= 1 + rx = self.send_and_expect(self.pg1, p6 * N_PACKETS, self.pg0) + n_packets_decapped += N_PACKETS + for p in rx: + self.validate(p[1], p4_reply) + self.assert_packet_checksums_valid(p) + + err = self.statistics.get_err_counter( + '/err/ipip6-input/packets decapsulated') + self.assertEqual(err, n_packets_decapped) + + # IPv6 tunnel to IPv6 + # for each encap tun will produce the same 
inner packet because it does + # not copy up fields from the payload + p_ip6_encaps = [IPv6(src=tun.dst, + dst=self.pg0.local_ip6, + tc=tc) for tc in tcs] + p_ip6 = IPv6(src="1:2:3::4", dst=self.pg0.remote_ip6) + for p_ip6_encap in p_ip6_encaps: + p6 = (self.p_ether / p_ip6_encap / p_ip6 / self.p_payload) + p6_reply = (p_ip6 / self.p_payload) + p6_reply.hlim = 63 + rx = self.send_and_expect(self.pg1, p6 * N_PACKETS, self.pg0) + n_packets_decapped += N_PACKETS + for p in rx: + self.validate(p[1], p6_reply) + self.assert_packet_checksums_valid(p) + + err = self.statistics.get_err_counter( + '/err/ipip6-input/packets decapsulated') + self.assertEqual(err, n_packets_decapped) + + # IPv6 tunnel to IPv6 + # tun_ecn copies the ECN bits from the encap to the inner + p_ip6_encaps = [IPv6(src=tun_ecn.dst, + dst=self.pg0.local_ip6, + tc=tc) for tc in tcs] + p_ip6 = IPv6(src="1:2:3::4", dst=self.pg0.remote_ip6) + p_ip6_replys = [p_ip6.copy() for i in range(len(p_ip6_encaps))] + p_ip6_replys[2].tc = ecn + p_ip6_replys[3].tc = ecn + for i, p_ip6_encap in enumerate(p_ip6_encaps): + p6 = (self.p_ether / p_ip6_encap / p_ip6 / self.p_payload) + p6_reply = (p_ip6_replys[i] / self.p_payload) + p6_reply.hlim = 63 + rx = self.send_and_expect(self.pg1, p6 * N_PACKETS, self.pg0) + n_packets_decapped += N_PACKETS + for p in rx: + self.validate(p[1], p6_reply) + self.assert_packet_checksums_valid(p) + + err = self.statistics.get_err_counter( + '/err/ipip6-input/packets decapsulated') + self.assertEqual(err, n_packets_decapped) + def test_frag(self): """ ip{v4,v6} over ip6 test frag """ @@ -495,7 +953,7 @@ class TestIPIP6(VppTestCase): p6 = (p_ether / p_ip6 / p_payload) p6_reply = (IPv6(src=self.pg0.local_ip6, dst=self.pg1.remote_ip6, - hlim=63, tc=42) / + hlim=63) / p_ip6 / p_payload) p6_reply[1].hlim -= 1 self.pg_enable_capture() diff --git a/test/vpp_ipip_tun_interface.py b/test/vpp_ipip_tun_interface.py index 3558523f61d..ea5cfa118aa 100644 --- a/test/vpp_ipip_tun_interface.py 
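Review bot: The `tun_ecn` decapsulation cases in `test_ipip6` pin an outer CE mark being copied onto an inner header that is Not-ECT: `p_ip4` and `p_ip6` are built without `tos`/`tc`, and `p_ip4_replys[3].tos = ecn` (with `ecn = 3`) is the expected result. RFC 6040 asks a decapsulator to drop that combination rather than forward CE into a flow that never negotiated ECN, so the test locks in the more permissive behaviour; the decap code is not in this hunk, so this may be intentional. I would add `# NOTE: inner is Not-ECT; RFC 6040 section 4.2 expects a drop when the outer is CE` above those assertions and add a case whose inner header carries an ECT codepoint. Separately, the tunnel comments in this test still say "IPv4 transport" although every tunnel is created with `self.pg0.local_ip6`, and "DCSP" should read "DSCP".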
+++ b/test/vpp_ipip_tun_interface.py
@@ -7,21 +7,29 @@ class VppIpIpTunInterface(VppTunnelInterface):
 VPP IP-IP Tunnel interface
 """
- def __init__(self, test, parent_if, src, dst):
+ def __init__(self, test, parent_if, src, dst,
+ table_id=0, dscp=0x0,
+ flags=0):
 super(VppIpIpTunInterface, self).__init__(test, parent_if)
 self.src = src
 self.dst = dst
+ self.table_id = table_id
+ self.dscp = dscp
+ self.flags = flags
 def add_vpp_config(self):
 r = self.test.vapi.ipip_add_tunnel(
 tunnel={
 'src': self.src,
 'dst': self.dst,
- 'table_id': 0,
+ 'table_id': self.table_id,
+ 'flags': self.flags,
+ 'dscp': self.dscp,
 'instance': 0xffffffff,
 })
 self.set_sw_if_index(r.sw_if_index)
 self.test.registry.register(self, self.test.logger)
+ return self
 def remove_vpp_config(self):
 self.test.vapi.ipip_del_tunnel(sw_if_index=self._sw_if_index)
--
2.16.6
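Review bot: The new `dscp` and `flags` constructor arguments are undocumented, and the unit of `dscp` is easy to get wrong: the tests pass a code point such as `IP_API_DSCP_AF11` and shift it left by two themselves to build the TOS byte. The class docstring could say so, for example `dscp: 6-bit DSCP code point (vl_api_ip_dscp_t), not the TOS byte` and `flags: bitmask of vl_api_ipip_tunnel_flags_t`. `add_vpp_config` now returns `self` so that construction and configuration can be chained, which deserves a one-line docstring as well. The class body continues outside the hunk.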