From d57f63698f99fad0288ac040d83b3ecd380d4bfd Mon Sep 17 00:00:00 2001
From: Ole Troan
Date: Thu, 24 May 2018 13:21:43 +0200
Subject: [PATCH] VPP-1277: IPIP - Copy TOS/TC from inner packet to outer.

Add support for either copying TOS/TC from inner packet to outer, or set to fixed value.

Change-Id: I716a95f875349acec94317b266c8cf9f2f81a785
Signed-off-by: Ole Troan
---
 src/vnet/ipip/ipip.api | 66 ++++++++++++++++++++++++++++++++++++++++-------
 src/vnet/ipip/ipip.c | 55 ++++++++++++++++++++++++++++++++++-----
 src/vnet/ipip/ipip.h | 3 ++-
 src/vnet/ipip/ipip_api.c | 2 +-
 src/vnet/ipip/ipip_cli.c | 1 +
 test/test_ipip.py | 35 +++++++++++++------------
 test/vpp_papi_provider.py | 5 ++--
 7 files changed, 131 insertions(+), 36 deletions(-)

diff --git a/src/vnet/ipip/ipip.api b/src/vnet/ipip/ipip.api
index 988eee599b1..95fc48a5962 100644
--- a/src/vnet/ipip/ipip.api
+++ b/src/vnet/ipip/ipip.api
@@ -13,17 +13,46 @@
 * limitations under the License.
 */
-option version = "1.0.0";
+/**
+ * The IPIP module implements IP{v4,v6} over IP{v4,v6} tunnelling as
+ * described in RFC2473 and to some extent the largely historical
+ * RFC1853. The module also supports an IPv4 over IPv6 automatic
+ * tunnelling mechanism called 6RD (RFC5969).
+ *
+ * The IPIP API module supports a CRD model for adding, deleting and
+ * listing tunnels. A tunnel is represented as an interface in
+ * VPP. The "handle" representing a tunnel is the sw_if_index. As any
+ * interface, the user must configure an IPv4 and/or IPv6 address on
+ * the interface. This is the inner or payload protocol.
+ *
+ * Tunnel MTU: The tunnel MTU (the payload MTU) is configurable per
+ * protocol. If a tunnel MTU is larger than the path MTU, the outer
+ * packet will be fragmented. Fragmentation support is configurable,
+ * as it can have severe performance issues, and might be used as an
+ * attack vector (the remote side must reassemble.)
+ *
+ * Traffic class / TOS field can either be configured to a fixed
+ * value, or can be copied from the inner to the outer header.
+ * (For now we have stolen ~0 to indicate copy).
+ *
+ * Note:
+ *
+ * - The Tunnel encapsulation limit described in RFC2473 is not
+ * implemented.
+ *
+ * - ICMP proxying, as in a tunnel head-end receiving ICMP erors on
+ * the outer packet is currently not relayed to the original source
+ * of the packet.
+ *
+ * - PMTUD / MTU probing and tunnel keepalives are not yet implemented.
+ *
+ */
+
+option version = "1.1.0";
-/** \brief Create or delete an IPIP tunnel
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
- @param is_ipv6 - Use 0 for IPv4, 1 for IPv6
- @param instance - optional unique custom device instance, else ~0.
- @param src_address - Source IP address
- @param dst_address - Destination IP address, can be multicast
- @param fib_index - Encap FIB table ID
-*/
+/**
+ * Create an IP{v4,v6} over IP{v4,v6} tunnel.
+ */
 define ipip_add_tunnel
 {
 u32 client_index;
@@ -33,6 +62,8 @@ define ipip_add_tunnel
 u8 src_address[16];
 u8 dst_address[16];
 u32 fib_index;
+ u8 tc_tos; /* If ~0, the TOS/TC value is copied from
+ inner packet, otherwise set to value */
 };
 define ipip_add_tunnel_reply
@@ -42,6 +73,9 @@ define ipip_add_tunnel_reply
 u32 sw_if_index;
 };
+/**
+ * Delete an IP{v4,v6} over IP{v4,v6} tunnel.
+ */
 autoreply define ipip_del_tunnel
 {
 u32 client_index;
@@ -49,6 +83,9 @@ autoreply define ipip_del_tunnel
 u32 sw_if_index;
 };
+/**
+ * Create an IPv4 over IPv6 automatic tunnel (6RD)
+ */
 define ipip_6rd_add_tunnel
 {
 u32 client_index;
@@ -60,6 +97,8 @@ define ipip_6rd_add_tunnel
 u8 ip6_prefix_len;
 u8 ip4_prefix_len;
 u8 security_check;
+ u8 tc_tos; /* If ~0, the TOS/TC value is copied from
+ inner packet, otherwise set to value */
 };
 define ipip_6rd_add_tunnel_reply
@@ -69,6 +108,9 @@ define ipip_6rd_add_tunnel_reply
 u32 sw_if_index;
 };
+/**
+ * Delete an IPv4 over IPv6 automatic tunnel (6RD)
+ */
 autoreply define ipip_6rd_del_tunnel
 {
 u32 client_index;
@@ -76,6 +118,9 @@ autoreply define ipip_6rd_del_tunnel
 u32 sw_if_index;
 };
+/**
+ * List all IPIP tunnels
+ */
 define ipip_tunnel_dump
 {
 u32 client_index;
@@ -92,6 +137,7 @@ define ipip_tunnel_details
 u8 src_address[16];
 u8 dst_address[16];
 u32 fib_index;
+ u8 tc_tos;
 };
 /*
diff --git a/src/vnet/ipip/ipip.c b/src/vnet/ipip/ipip.c
index 82c961cdddd..c39d27d5e4f 100644
--- a/src/vnet/ipip/ipip.c
+++ b/src/vnet/ipip/ipip.c
@@ -74,6 +74,8 @@ ipip_build_rewrite (vnet_main_t * vnm, u32 sw_if_index,
 ip4->src_address.as_u32 = t->tunnel_src.ip4.as_u32;
 ip4->dst_address.as_u32 = t->tunnel_dst.ip4.as_u32;
 ip4->checksum = ip4_header_checksum (ip4);
+ if (t->tc_tos != 0xFF)
+ ip4->tos = t->tc_tos;
 break;
 case IPIP_TRANSPORT_IP6:
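Review bot: The new module comment in ipip.api (`@@ -13,17 +13,46 @@`) describes copy mode without saying what it means for the transport network: with `~0` the outer TOS/TC byte, DSCP and ECN bits alike, is whatever the sender of the inner packet chose. I would add a sentence to the "Traffic class / TOS" paragraph saying that copy mode belongs only where inner traffic is trusted or re-marked at ingress, and that because `~0` is reserved the fixed value 0xFF cannot be configured. The comment also contains the typo "erors".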
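Review bot: The `tc_tos` field added to `ipip_6rd_add_tunnel` (`@@ -60,6 +97,8 @@`) does not appear to be read anywhere in this patch: the only change to ipip_api.c is the `ipip_add_tunnel` call, and the `sixrd_add_tunnel` prototype shown as context in ipip.h is untouched. A 6RD client that sends `~0` expecting copy behaviour would presumably get whatever `t->tc_tos` happens to hold for that tunnel. The same goes for `tc_tos` in `ipip_tunnel_details` (`@@ -92,6 +137,7 @@`), which no visible handler fills in. Either plumb both through (a `u8 tc_tos` argument on `sixrd_add_tunnel`, the dump handler copying `t->tc_tos` into the reply) or leave the fields out until they are honoured.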
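Review bot: In `ipip_build_rewrite` (ipip.c, `@@ -74,6 +74,8 @@`) the fixed TOS is written after `ip4->checksum = ip4_header_checksum (ip4);`, so the checksum stored in the rewrite template no longer matches the header whenever `tc_tos` is non-zero. `ipip4_fixup` recomputes the checksum per packet, so this is probably harmless on the wire, but the template should be self-consistent: move `if (t->tc_tos != 0xFF) ip4->tos = t->tc_tos;` above the checksum assignment. The function body extends beyond this hunk on both sides.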
@@ -81,6 +83,8 @@ ipip_build_rewrite (vnet_main_t * vnm, u32 sw_if_index,
 ip6 = (ip6_header_t *) rewrite;
 ip6->ip_version_traffic_class_and_flow_label = clib_host_to_net_u32 (6 << 28);
+ if (t->tc_tos != 0xFF)
+ ip6_set_traffic_class_network_order (ip6, t->tc_tos);
 ip6->hop_limit = 64;
 /* fixup ip6 header length and protocol after-the-fact */
 ip6->src_address.as_u64[0] = t->tunnel_src.ip6.as_u64[0];
@@ -88,6 +92,7 @@ ipip_build_rewrite (vnet_main_t * vnm, u32 sw_if_index,
 ip6->dst_address.as_u64[0] = t->tunnel_dst.ip6.as_u64[0];
 ip6->dst_address.as_u64[1] = t->tunnel_dst.ip6.as_u64[1];
 break;
+
 default:
 /* pass through */
 ;
@@ -100,11 +105,29 @@ ipip4_fixup (vlib_main_t * vm, ip_adjacency_t * adj, vlib_buffer_t * b,
 const void *data)
 {
 ip4_header_t *ip4;
+ const ipip_tunnel_t *t = data;
 ip4 = vlib_buffer_get_current (b);
 ip4->length = clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b));
- ip4->protocol =
- adj->ia_link == VNET_LINK_IP6 ? IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP;
+ switch (adj->ia_link)
+ {
+ case VNET_LINK_IP6:
+ ip4->protocol = IP_PROTOCOL_IPV6;
+ if (t->tc_tos == 0xFF)
+ ip4->tos =
+ ip6_traffic_class_network_order ((const ip6_header_t *) (ip4 + 1));
+ break;
+
+ case VNET_LINK_IP4:
+ ip4->protocol = IP_PROTOCOL_IP_IN_IP;
+ if (t->tc_tos == 0xFF)
+ ip4->tos = ((ip4_header_t *) (ip4 + 1))->tos;
+ break;
+
+ default:
+ break;
+ }
+
 ip4->checksum = ip4_header_checksum (ip4);
 }
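Review bot: The new `default:` arm in `ipip4_fixup` (`@@ -100,11 +105,29 @@`) leaves `ip4->protocol` unset, whereas the removed ternary set `IP_PROTOCOL_IP_IN_IP` for every link type other than `VNET_LINK_IP6`; `ipip6_fixup` (`@@ -113,13 +136,32 @@`) has the same change. `ipip_update_adj` tests for `VNET_LINK_ETHERNET`, so other link types look reachable, and such packets would now leave with whatever protocol value the rewrite template holds. If that is intended, say so in a comment on the `default:` arm; otherwise keep the old fallback, `default: ip4->protocol = IP_PROTOCOL_IP_IN_IP; break;`.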
@@ -113,13 +136,32 @@ ipip6_fixup (vlib_main_t * vm, ip_adjacency_t * adj, vlib_buffer_t * b,
 const void *data)
 {
 ip6_header_t *ip6;
+ const ipip_tunnel_t *t = data;
 ip6 = vlib_buffer_get_current (b);
 ip6->payload_length = clib_host_to_net_u16 (vlib_buffer_length_in_chain (vm, b) - sizeof (*ip6));
- ip6->protocol =
- adj->ia_link == VNET_LINK_IP6 ? IP_PROTOCOL_IPV6 : IP_PROTOCOL_IP_IN_IP;
+ switch (adj->ia_link)
+ {
+ case VNET_LINK_IP6:
+ ip6->protocol = IP_PROTOCOL_IPV6;
+ if (t->tc_tos == 0xFF)
+ ip6_set_traffic_class_network_order (ip6,
+ ip6_traffic_class_network_order ((const ip6_header_t *) (ip6 + 1)));
+ break;
+
+ case VNET_LINK_IP4:
+ ip6->protocol = IP_PROTOCOL_IP_IN_IP;
+ if (t->tc_tos == 0xFF)
+ ip6_set_traffic_class_network_order (ip6,
+ ((ip4_header_t *) (ip6 +
+ 1))->tos);
+ break;
+
+ default:
+ break;
+ }
 }
 static void
@@ -216,7 +258,7 @@ ipip_update_adj (vnet_main_t * vnm, u32 sw_if_index, adj_index_t ai)
 f = t->transport == IPIP_TRANSPORT_IP6 ? ipip6_fixup : ipip4_fixup;
- adj_nbr_midchain_update_rewrite (ai, f, NULL,
+ adj_nbr_midchain_update_rewrite (ai, f, t,
 (VNET_LINK_ETHERNET == adj_get_link_type (ai) ? ADJ_FLAG_MIDCHAIN_NO_COUNT :
@@ -420,7 +462,7 @@ ipip_fib_delete (ipip_tunnel_t * t)
 int ipip_add_tunnel (ipip_transport_t transport, u32 instance, ip46_address_t * src, ip46_address_t * dst,
- u32 fib_index, u32 * sw_if_indexp)
+ u32 fib_index, u8 tc_tos, u32 * sw_if_indexp)
 {
 ipip_main_t *gm = &ipip_main;
 vnet_main_t *vnm = gm->vnet_main;
@@ -467,6 +509,7 @@ ipip_add_tunnel (ipip_transport_t transport,
 t->hw_if_index = hw_if_index;
 t->fib_index = fib_index;
 t->sw_if_index = sw_if_index;
+ t->tc_tos = tc_tos;
 t->transport = transport;
 vec_validate_init_empty (gm->tunnel_index_by_sw_if_index, sw_if_index, ~0);
diff --git a/src/vnet/ipip/ipip.h b/src/vnet/ipip/ipip.h
index f52094f1f0c..6afb188f8ee 100644
--- a/src/vnet/ipip/ipip.h
+++ b/src/vnet/ipip/ipip.h
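Review bot: Passing `t` as the fixup cookie in `ipip_update_adj` (`@@ -216,7 +258,7 @@`) stores a raw tunnel pointer in the adjacency, and `ipip4_fixup`/`ipip6_fixup` then dereference it for every packet. If tunnel objects sit in a pool or vector that can move when it grows (the ipip.h comment "Real device instance in tunnel vector" hints at this; the allocation itself is not visible here), that pointer can go stale and the data path would read freed memory. The fixups only need one byte, so pass the value instead, `uword_to_pointer (t->tc_tos, void *)`, and read it back with `pointer_to_uword (data)`. The function body starts and ends outside this hunk.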
@@ -81,6 +81,7 @@ typedef struct
 u32 sw_if_index;
 u32 dev_instance; /* Real device instance in tunnel vector */
 u32 user_instance; /* Instance name being shown to user */
+ u8 tc_tos;
 union
 {
@@ -148,7 +149,7 @@ sixrd_get_addr_net (const ipip_tunnel_t * t, u64 dal)
 int ipip_add_tunnel (ipip_transport_t transport, u32 instance, ip46_address_t * src, ip46_address_t * dst,
- u32 fib_index, u32 * sw_if_indexp);
+ u32 fib_index, u8 tc_tos, u32 * sw_if_indexp);
 int ipip_del_tunnel (u32 sw_if_index);
 int sixrd_add_tunnel (ip6_address_t * ip6_prefix, u8 ip6_prefix_len, ip4_address_t * ip4_prefix, u8 ip4_prefix_len,
diff --git a/src/vnet/ipip/ipip_api.c b/src/vnet/ipip/ipip_api.c
index a6633296515..455792ba133 100644
--- a/src/vnet/ipip/ipip_api.c
+++ b/src/vnet/ipip/ipip_api.c
@@ -69,7 +69,7 @@ vl_api_ipip_add_tunnel_t_handler (vl_api_ipip_add_tunnel_t * mp)
 rv = ipip_add_tunnel (mp->is_ipv6 ? IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4, ntohl (mp->instance), &src, &dst,
- ntohl (mp->fib_index), &sw_if_index);
+ ntohl (mp->fib_index), mp->tc_tos, &sw_if_index);
 /* *INDENT-OFF* */
 REPLY_MACRO2(VL_API_IPIP_ADD_TUNNEL_REPLY,
diff --git a/src/vnet/ipip/ipip_cli.c b/src/vnet/ipip/ipip_cli.c
index 45e6451d69a..7a68c20319e 100644
--- a/src/vnet/ipip/ipip_cli.c
+++ b/src/vnet/ipip/ipip_cli.c
@@ -72,6 +72,7 @@ static clib_error_t *create_ipip_tunnel_command_fn(vlib_main_t *vm,
 &src, &dst, fib_index,
+ 0,
 &sw_if_index);
 switch (rv) {
diff --git a/test/test_ipip.py b/test/test_ipip.py
index 3a0c401f8af..00721ec90a0 100644
--- a/test/test_ipip.py
+++ b/test/test_ipip.py
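Review bot: The new `u8 tc_tos;` member in ipip.h (`@@ -81,6 +81,7 @@`) is the only field in this run without a comment, and its special value is spelled as a bare `0xFF` in six places in ipip.c. Add a comment such as `/* outer TOS/TC; 0xFF = copy from inner header */` and a named constant for the sentinel, so the rewrite and fixup paths cannot drift apart. The struct continues outside the hunk.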
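Review bot: The bare `0` added to the `ipip_add_tunnel` call in ipip_cli.c (`@@ -72,6 +72,7 @@`) means CLI-created tunnels always get a fixed TOS/TC of zero, with no way to request copy mode or another value. If that is deliberate for now, a comment at the argument, `0, /* tc_tos: fixed 0 */`, would stop it reading as an unrelated flag; otherwise the command needs an option parsed into a `u8`. The enclosing function starts outside the hunk.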
@@ -47,15 +47,15 @@ class TestIPIP(VppTestCase):
 def test_ipip4(self):
 """ ip{v4,v6} over ip4 test """
 p_ether = Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
- p_ip6 = IPv6(src="1::1", dst="DEAD::1", nh='UDP')
- p_ip4 = IP(src="1.2.3.4", dst="130.67.0.1")
+ p_ip6 = IPv6(src="1::1", dst="DEAD::1", nh='UDP', tc=42)
+ p_ip4 = IP(src="1.2.3.4", dst="130.67.0.1", tos=42)
 p_payload = UDP(sport=1234, dport=1234)
 # IPv4 transport
 rv = self.vapi.ipip_add_tunnel( src_address=self.pg0.local_ip4n, dst_address=self.pg1.remote_ip4n,
- is_ipv6=0)
+ is_ipv6=0, tc_tos=0xFF)
 sw_if_index = rv.sw_if_index
 # Set interface up and enable IP on it
@@ -84,7 +84,7 @@ class TestIPIP(VppTestCase):
 p_inner_ip6 = p_ip6
 p_inner_ip6.hlim -= 1
 p6_reply = (IP(src=self.pg0.local_ip4, dst=self.pg1.remote_ip4,
- proto='ipv6', id=0) / p_inner_ip6 / p_payload)
+ proto='ipv6', id=0, tos=42) / p_inner_ip6 / p_payload)
 p6_reply.ttl -= 1
 rx = self.send_and_expect(self.pg0, p6*10, self.pg1)
 for p in rx:
@@ -94,8 +94,9 @@ class TestIPIP(VppTestCase):
 p4 = (p_ether / p_ip4 / p_payload)
 p_ip4_inner = p_ip4
 p_ip4_inner.ttl -= 1
- p4_reply = (IP(src=self.pg0.local_ip4,
- dst=self.pg1.remote_ip4) / p_ip4_inner / p_payload)
+ p4_reply = (IP(src=self.pg0.local_ip4, dst=self.pg1.remote_ip4,
+ tos=42) /
+ p_ip4_inner / p_payload)
 p4_reply.ttl -= 1
 p4_reply.id = 0
 rx = self.send_and_expect(self.pg0, p4*10, self.pg1)
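Review bot: Both tunnel tests now create the tunnel in copy mode only (`tc_tos=0xFF` in this `@@ -47,15 +47,15 @@` hunk, `tc_tos=255` in `test_ipip6`, `@@ -128,14 +129,14 @@`), so the fixed-value branch added to `ipip_build_rewrite` is never exercised. Add a case that creates a tunnel with a fixed value different from the inner 42, for example `tc_tos=10`, and expects `tos=10` / `tc=10` on the outer header. Spelling the sentinel the same way in both tests would also make the intent easier to spot. `test_ipip4` starts in this hunk and continues beyond it.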
@@ -128,14 +129,14 @@ class TestIPIP(VppTestCase):
 def test_ipip6(self):
 """ ip{v4,v6} over ip6 test """
 p_ether = Ether(src=self.pg0.remote_mac, dst=self.pg0.local_mac)
- p_ip6 = IPv6(src="1::1", dst="DEAD::1", nh='UDP')
- p_ip4 = IP(src="1.2.3.4", dst="130.67.0.1")
+ p_ip6 = IPv6(src="1::1", dst="DEAD::1", tc=42, nh='UDP')
+ p_ip4 = IP(src="1.2.3.4", dst="130.67.0.1", tos=42)
 p_payload = UDP(sport=1234, dport=1234)
 # IPv6 transport
 rv = self.vapi.ipip_add_tunnel( src_address=self.pg0.local_ip6n,
- dst_address=self.pg1.remote_ip6n)
+ dst_address=self.pg1.remote_ip6n, tc_tos=255)
 sw_if_index = rv.sw_if_index
@@ -162,19 +163,21 @@ class TestIPIP(VppTestCase):
 # IPv6 in to IPv6 tunnel
 p6 = (p_ether / p_ip6 / p_payload)
- p6_reply = (IPv6(src=self.pg0.local_ip6,
- dst=self.pg1.remote_ip6, hlim=63) / p_ip6 / p_payload)
+ p6_reply = (IPv6(src=self.pg0.local_ip6, dst=self.pg1.remote_ip6,
+ hlim=63, tc=42) /
+ p_ip6 / p_payload)
 p6_reply[1].hlim -= 1
- rx = self.send_and_expect(self.pg0, p6*10, self.pg1)
+ rx = self.send_and_expect(self.pg0, p6*11, self.pg1)
 for p in rx:
 self.validate(p[1], p6_reply)
 # IPv4 in to IPv6 tunnel
 p4 = (p_ether / p_ip4 / p_payload)
 p4_reply = (IPv6(src=self.pg0.local_ip6,
- dst=self.pg1.remote_ip6, hlim=63) / p_ip4 / p_payload)
+ dst=self.pg1.remote_ip6, hlim=63, tc=42) /
+ p_ip4 / p_payload)
 p4_reply[1].ttl -= 1
- rx = self.send_and_expect(self.pg0, p4*10, self.pg1)
+ rx = self.send_and_expect(self.pg0, p4*11, self.pg1)
 for p in rx:
 self.validate(p[1], p4_reply)
@@ -188,7 +191,7 @@ class TestIPIP(VppTestCase):
 dst=self.pg0.local_ip6) / p_ip4 / p_payload)
 p4_reply = (p_ip4 / p_payload)
 p4_reply.ttl -= 1
- rx = self.send_and_expect(self.pg1, p4*10, self.pg0)
+ rx = self.send_and_expect(self.pg1, p4*11, self.pg0)
 for p in rx:
 self.validate(p[1], p4_reply)
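Review bot: The burst size in `test_ipip6` changes from `p6*10` / `p4*10` to `*11` in the `@@ -162,19 +163,21 @@` hunk, and again in `@@ -188,7 +191,7 @@` and `@@ -198,7 +201,7 @@`, with no explanation, while `test_ipip4` keeps 10. If 11 is meant to cover something specific, a one-line comment next to the first `send_and_expect` call saying why would keep the next reader from reverting it; if not, leave the count at 10 so the change stays limited to the TOS/TC assertions.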
@@ -198,7 +201,7 @@ class TestIPIP(VppTestCase):
 dst=self.pg0.local_ip6) / p_ip6 / p_payload)
 p6_reply = (p_ip6 / p_payload)
 p6_reply.hlim = 63
- rx = self.send_and_expect(self.pg1, p6*10, self.pg0)
+ rx = self.send_and_expect(self.pg1, p6*11, self.pg0)
 for p in rx:
 self.validate(p[1], p6_reply)
diff --git a/test/vpp_papi_provider.py b/test/vpp_papi_provider.py
index 105a54f55d9..f72d37df7b2 100644
--- a/test/vpp_papi_provider.py
+++ b/test/vpp_papi_provider.py
@@ -3359,14 +3359,15 @@ class VppPapiProvider(object):
 {'sw_if_index': sw_if_index})
 def ipip_add_tunnel(self, src_address, dst_address, is_ipv6=1,
- instance=0xFFFFFFFF, fib_index=0):
+ instance=0xFFFFFFFF, fib_index=0, tc_tos=0):
 """ IPIP tunnel Add/Del """
 return self.api(self.papi.ipip_add_tunnel, {'is_ipv6': is_ipv6, 'instance': instance, 'src_address': src_address, 'dst_address': dst_address,
- 'fib_index': fib_index})
+ 'fib_index': fib_index,
+ 'tc_tos': tc_tos})
 def ipip_del_tunnel(self, sw_if_index):
 """ IPIP tunnel Delete """
--
2.16.6
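Review bot: The docstring of `ipip_add_tunnel` in vpp_papi_provider.py (`@@ -3359,14 +3359,15 @@`) still reads "IPIP tunnel Add/Del" and says nothing about the new `tc_tos` parameter, whose value 0xFF has a special meaning. I would reword it to describe an add-only call and state that `tc_tos=0xFF` copies the inner TOS/TC to the outer header, while any other value is used as the fixed outer TOS/TC. It is also worth noting that the default of 0 presumably keeps the earlier zero-TOS behaviour.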