From: Marko Kovacevic <marko.kovace...@intel.com>

Add support for RFC 4301 (5.1.2) to update the
Type of Service field and Traffic Class field
bits inside IPv4/IPv6 packets for the outbound
and inbound cases, which deal with updating
the DSCP/ECN bits inside each of the fields.

Signed-off-by: Marko Kovacevic <marko.kovace...@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zh...@intel.com>
---
 lib/librte_ipsec/esp_inb.c         |  14 +++-
 lib/librte_ipsec/esp_outb.c        |   4 +-
 lib/librte_ipsec/iph.h             | 134 +++++++++++++++++++++++++++++++++++--
 lib/librte_ipsec/rte_ipsec_sa.h    |  25 +++++++
 lib/librte_ipsec/sa.c              |  17 +++++
 lib/librte_ipsec/sa.h              |   2 +
 lib/librte_net/rte_ip.h            |  11 +++
 lib/librte_security/rte_security.h |   9 +++
 8 files changed, 205 insertions(+), 11 deletions(-)

diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c
index 3e12ca103..8c68f8913 100644
--- a/lib/librte_ipsec/esp_inb.c
+++ b/lib/librte_ipsec/esp_inb.c
@@ -377,9 +377,10 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf 
*mb[],
 {
        uint32_t adj, i, k, tl;
        uint32_t hl[num];
+       void *inner_h;
+       const void *outter_h;
        struct esp_tail espt[num];
        struct rte_mbuf *ml[num];
-
        const uint32_t tlen = sa->icv_len + sizeof(espt[0]);
        const uint32_t cofs = sa->ctp.cipher.offset;
 
@@ -400,9 +401,16 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf 
*mb[],
                if (tun_process_check(mb[i], ml[i], espt[i], adj, tl,
                                        sa->proto) == 0) {
 
+                       outter_h = rte_pktmbuf_mtod_offset(mb[i], uint8_t *,
+                                       mb[i]->l2_len);
+
                        /* modify packet's layout */
-                       tun_process_step2(mb[i], ml[i], hl[i], adj,
-                               tl, sqn + k);
+                       inner_h = tun_process_step2(mb[i], ml[i], hl[i], adj,
+                                       tl, sqn + k);
+
+                       if ((sa->type & INB_TUN_HDR_MSK) != 0)
+                               update_inb_tun_l3_hdr(sa, inner_h, outter_h);
+
                        /* update mbuf's metadata */
                        tun_process_step3(mb[i], sa->tx_offload.msk,
                                sa->tx_offload.val);
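Review bot: The new guard `if ((sa->type & INB_TUN_HDR_MSK) != 0)` lets the inbound ECN rewrite run for an SA created with only `copy_dscp` set, because INB_TUN_HDR_MSK (added to sa.h in this patch) covers both the ECN and DSCP bits and update_inb_tun_l3_hdr() as added in iph.h never consults `sa->tos_mask`. That contradicts the `ecn` option text added to rte_security.h ("0: Inner/outer header are not modified"); gating on the ECN bit alone, `if ((sa->type & RTE_IPSEC_SATP_ECN_MASK) != 0)`, would match it. `outter_h` is also captured before tun_process_step2() adjusts the mbuf and read afterwards, so a comment stating that the stripped outer header bytes stay intact until the update would help; tun_process_step2 is not visible here and tun_process continues outside the hunk.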
diff --git a/lib/librte_ipsec/esp_outb.c b/lib/librte_ipsec/esp_outb.c
index 862a9982d..a0fa9e660 100644
--- a/lib/librte_ipsec/esp_outb.c
+++ b/lib/librte_ipsec/esp_outb.c
@@ -152,8 +152,8 @@ outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t 
sqc,
        rte_memcpy(ph, sa->hdr, sa->hdr_len);
 
        /* update original and new ip header fields */
-       update_tun_l3hdr(sa, ph + sa->hdr_l3_off, mb->pkt_len, sa->hdr_l3_off,
-                       sqn_low16(sqc));
+       update_outb_tun_l3hdr(sa, ph + sa->hdr_l3_off, ph + hlen, mb->pkt_len,
+                       sa->hdr_l3_off, sqn_low16(sqc));
 
        /* update spi, seqn and iv */
        esph = (struct rte_esp_hdr *)(ph + sa->hdr_len);
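Review bot: The new `ph + hlen` argument is what update_outb_tun_l3hdr() reads the inner TOS/traffic class from, but `hlen` is computed outside this hunk, so it is not clear here that it lands on the first byte of the inner IP header. A short comment, `/* ph + hlen: start of the original (inner) IP header */`, would pin that down. The helper then trusts the SA's inner IP version when it casts that pointer, so a packet shorter than an IP header, or one whose version disagrees with the SA, is read as if it were valid; whether an earlier check rules that out is not visible here. outb_tun_pkt_prepare starts and ends outside the hunk.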
diff --git a/lib/librte_ipsec/iph.h b/lib/librte_ipsec/iph.h
index 62d78b7b1..a4e7070e3 100644
--- a/lib/librte_ipsec/iph.h
+++ b/lib/librte_ipsec/iph.h
@@ -5,14 +5,17 @@
 #ifndef _IPH_H_
 #define _IPH_H_
 
-#include <rte_ip.h>
-
 /**
  * @file iph.h
  * Contains functions/structures/macros to manipulate IPv4/IPv6 headers
  * used internally by ipsec library.
  */
 
+#define IPV6_DSCP_MASK (RTE_IP_DSCP_MASK << RTE_IPV6_HDR_TC_SHIFT)
+#define IPV6_ECN_MASK  (RTE_IP_ECN_MASK << RTE_IPV6_HDR_TC_SHIFT)
+#define IPV6_TOS_MASK  (IPV6_ECN_MASK | IPV6_DSCP_MASK)
+#define IPV6_ECN_CE    IPV6_ECN_MASK
+
 /*
  * Move preceding (L3) headers down to remove ESP header and IV.
  */
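Review bot: Dropping `#include <rte_ip.h>` while adding macros built on `RTE_IP_DSCP_MASK`, `RTE_IP_ECN_MASK` and `RTE_IPV6_HDR_TC_SHIFT` leaves iph.h dependent on every includer pulling in rte_ip.h first. The functions further down also use `struct rte_ipv4_hdr` and `struct rte_ipv6_hdr`, so I would keep the include and let the header stay self-contained. The new `IPV6_*` names are unprefixed and could clash with system socket headers; a library prefix in the style of `IPSEC_MAX_HDR_SIZE` from sa.h would be safer.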
@@ -37,6 +40,26 @@ insert_esph(char *np, char *op, uint32_t hlen)
                np[i] = op[i];
 }
 
+static inline uint8_t
+get_ipv6_tos(rte_be32_t vtc_flow)
+{
+       uint32_t v;
+
+       v = rte_be_to_cpu_32(vtc_flow);
+       return v >> RTE_IPV6_HDR_TC_SHIFT;
+}
+
+static inline rte_be32_t
+set_ipv6_tos(rte_be32_t vtc_flow, uint32_t tos)
+{
+       uint32_t v;
+
+       v = rte_cpu_to_be_32(tos << RTE_IPV6_HDR_TC_SHIFT);
+       vtc_flow &= ~rte_cpu_to_be_32(IPV6_TOS_MASK);
+
+       return (v | vtc_flow);
+}
+
 /* update original ip header fields for transport case */
 static inline int
 update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
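Review bot: set_ipv6_tos() shifts `tos` into place without masking it, so a value above 0xff would overwrite the IPv6 version nibble; the callers in this patch pass 8-bit values, but `v = rte_cpu_to_be_32((tos << RTE_IPV6_HDR_TC_SHIFT) & IPV6_TOS_MASK);` keeps the write inside the traffic-class bits whatever the caller does. `v` holds a big-endian value there and would read better declared as `rte_be32_t`. get_ipv6_tos() relies on the implicit narrowing to `uint8_t` to discard the version bits; an explicit `(uint8_t)` cast or a one-line comment would make that intent visible. Neither helper has a comment describing the `vtc_flow` layout it assumes.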
@@ -103,21 +126,120 @@ update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, 
uint32_t plen,
 
 /* update original and new ip header fields for tunnel case */
 static inline void
-update_tun_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
-               uint32_t l2len, rte_be16_t pid)
+update_outb_tun_l3hdr(const struct rte_ipsec_sa *sa, void *outh,
+               const void *inh, uint32_t plen, uint32_t l2len, rte_be16_t pid)
 {
        struct rte_ipv4_hdr *v4h;
        struct rte_ipv6_hdr *v6h;
+       uint32_t itp, otp;
+       const struct rte_ipv4_hdr *v4in_h;
+       const struct rte_ipv6_hdr *v6in_h;
 
        if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) {
-               v4h = p;
+               v4h = outh;
                v4h->packet_id = pid;
                v4h->total_length = rte_cpu_to_be_16(plen - l2len);
+
+               if ((sa->type & INB_TUN_HDR_MSK) == 0)
+                       return;
+
+               if ((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==
+                               RTE_IPSEC_SATP_IPV4) {
+                       /* ipv4 inner header */
+                       v4in_h = inh;
+
+                       otp = v4h->type_of_service & ~sa->tos_mask;
+                       itp = v4in_h->type_of_service & sa->tos_mask;
+                       v4h->type_of_service = (otp | itp);
+               } else {
+                       /* ipv6 inner header */
+                       v6in_h = inh;
+
+                       otp = v4h->type_of_service & ~sa->tos_mask;
+                       itp = get_ipv6_tos(v6in_h->vtc_flow) & sa->tos_mask;
+                       v4h->type_of_service = (otp | itp);
+               }
        } else {
-               v6h = p;
+               v6h = outh;
                v6h->payload_len = rte_cpu_to_be_16(plen - l2len -
                                sizeof(*v6h));
+
+               if ((sa->type & INB_TUN_HDR_MSK) == 0)
+                       return;
+
+               if ((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==
+                               RTE_IPSEC_SATP_IPV4) {
+                       /* ipv4 inner header */
+                       v4in_h = inh;
+
+                       otp = get_ipv6_tos(v6h->vtc_flow) & ~sa->tos_mask;
+                       itp = v4in_h->type_of_service & sa->tos_mask;
+                       v6h->vtc_flow = set_ipv6_tos(v6h->vtc_flow, otp | itp);
+               } else {
+                       /* ipv6 inner header */
+                       v6in_h = inh;
+
+                       otp = get_ipv6_tos(v6h->vtc_flow) & ~sa->tos_mask;
+                       itp = get_ipv6_tos(v6in_h->vtc_flow) & sa->tos_mask;
+                       v6h->vtc_flow = set_ipv6_tos(v6h->vtc_flow, otp | itp);
+               }
+       }
+}
+
+static inline void
+update_inb_tun_l3_hdr(const struct rte_ipsec_sa *sa, void *ip_inner,
+               const void *ip_outter)
+{
+       struct rte_ipv4_hdr *inner_v4h;
+       const struct rte_ipv4_hdr *outter_v4h;
+       struct rte_ipv6_hdr *inner_v6h;
+       const struct rte_ipv6_hdr *outter_v6h;
+       uint8_t ecn_v4out, ecn_v4in;
+       uint32_t ecn_v6out, ecn_v6in;
+
+       inner_v4h = ip_inner;
+       outter_v4h = ip_outter;
+
+       inner_v6h = ip_inner;
+       outter_v6h = ip_outter;
+
+       /* <update ecn bits in inner IP header> */
+       if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) {
+
+               ecn_v4out = outter_v4h->type_of_service & RTE_IP_ECN_MASK;
+
+               if ((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==
+                               RTE_IPSEC_SATP_IPV4) {
+                       ecn_v4in = inner_v4h->type_of_service & RTE_IP_ECN_MASK;
+                       if (ecn_v4out == RTE_IP_ECN_CE && ecn_v4in != 0)
+                               inner_v4h->type_of_service |= RTE_IP_ECN_CE;
+               } else {
+                       ecn_v6in = inner_v6h->vtc_flow &
+                                       rte_cpu_to_be_32(IPV6_ECN_MASK);
+                       if (ecn_v4out == RTE_IP_ECN_CE && ecn_v6in != 0)
+                               inner_v6h->vtc_flow |=
+                                               rte_cpu_to_be_32(IPV6_ECN_CE);
+               }
+       } else {
+               ecn_v6out = outter_v6h->vtc_flow &
+                               rte_cpu_to_be_32(IPV6_ECN_MASK);
+
+               if ((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==
+                               RTE_IPSEC_SATP_IPV6) {
+                       ecn_v6in = inner_v6h->vtc_flow &
+                                       rte_cpu_to_be_32(IPV6_ECN_MASK);
+                       if ((ecn_v6out == rte_cpu_to_be_32(IPV6_ECN_CE)) &&
+                                       (ecn_v6in != 0))
+                               inner_v6h->vtc_flow |=
+                                               rte_cpu_to_be_32(IPV6_ECN_CE);
+               } else {
+                       ecn_v4in = inner_v4h->type_of_service & RTE_IP_ECN_MASK;
+                       if ((ecn_v6out == rte_cpu_to_be_32(IPV6_ECN_CE)) &&
+                                       (ecn_v4in != 0))
+                               inner_v4h->type_of_service |= RTE_IP_ECN_CE;
+               }
        }
 }
 
 #endif /* _IPH_H_ */
+
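Review bot: update_inb_tun_l3_hdr() sets CE in the inner IPv4 header with `inner_v4h->type_of_service |= RTE_IP_ECN_CE;` (in both the IPv4-outer and IPv6-outer branches) but never touches `hdr_checksum`, so the decapsulated packet carries a header checksum that no longer matches unless a later stage recomputes it, which is not visible in this patch. Following the write with `inner_v4h->hdr_checksum = 0; inner_v4h->hdr_checksum = rte_ipv4_cksum(inner_v4h);` (or an incremental update) would fix that. update_outb_tun_l3hdr() repeats the same otp/itp merge in four branches and tests a mask named INB_TUN_HDR_MSK on the outbound path; reading the inner TOS once and writing it through one helper would shorten it. The hunk also appends a blank line after `#endif`.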
diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h
index fd9b3ed60..8f179ee9d 100644
--- a/lib/librte_ipsec/rte_ipsec_sa.h
+++ b/lib/librte_ipsec/rte_ipsec_sa.h
@@ -95,6 +95,11 @@ enum {
        RTE_SATP_LOG2_MODE,
        RTE_SATP_LOG2_SQN = RTE_SATP_LOG2_MODE + 2,
        RTE_SATP_LOG2_ESN,
+       RTE_SATP_LOG2_ECN,
+       RTE_SATP_LOG2_DSCP,
+       RTE_SATP_LOG2_TTL,
+       RTE_SATP_LOG2_DF,
+       RTE_SATP_LOG2_FLABEL,
        RTE_SATP_LOG2_NUM
 };
 
@@ -123,6 +128,26 @@ enum {
 #define RTE_IPSEC_SATP_ESN_DISABLE     (0ULL << RTE_SATP_LOG2_ESN)
 #define RTE_IPSEC_SATP_ESN_ENABLE      (1ULL << RTE_SATP_LOG2_ESN)
 
+#define RTE_IPSEC_SATP_ECN_MASK                (1ULL << RTE_SATP_LOG2_ECN)
+#define RTE_IPSEC_SATP_ECN_DISABLE     (0ULL << RTE_SATP_LOG2_ECN)
+#define RTE_IPSEC_SATP_ECN_ENABLE      (1ULL << RTE_SATP_LOG2_ECN)
+
+#define RTE_IPSEC_SATP_DSCP_MASK       (1ULL << RTE_SATP_LOG2_DSCP)
+#define RTE_IPSEC_SATP_DSCP_DISABLE    (0ULL << RTE_SATP_LOG2_DSCP)
+#define RTE_IPSEC_SATP_DSCP_ENABLE     (1ULL << RTE_SATP_LOG2_DSCP)
+
+#define RTE_IPSEC_SATP_TTL_MASK                (1ULL << RTE_SATP_LOG2_TTL)
+#define RTE_IPSEC_SATP_TTL_DISABLE     (0ULL << RTE_SATP_LOG2_TTL)
+#define RTE_IPSEC_SATP_TTL_ENABLE      (1ULL << RTE_SATP_LOG2_TTL)
+
+#define RTE_IPSEC_SATP_DF_MASK         (1ULL << RTE_SATP_LOG2_DF)
+#define RTE_IPSEC_SATP_DF_DISABLE      (0ULL << RTE_SATP_LOG2_DF)
+#define RTE_IPSEC_SATP_DF_ENABLE       (1ULL << RTE_SATP_LOG2_DF)
+
+#define RTE_IPSEC_SATP_FLABEL_MASK     (1ULL << RTE_SATP_LOG2_FLABEL)
+#define RTE_IPSEC_SATP_FLABEL_DISABLE  (0ULL << RTE_SATP_LOG2_FLABEL)
+#define RTE_IPSEC_SATP_FLABEL_ENABLE   (1ULL << RTE_SATP_LOG2_FLABEL)
+
 /**
  * get type of given SA
  * @return
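Review bot: The `RTE_IPSEC_SATP_TTL_*`, `RTE_IPSEC_SATP_DF_*` and `RTE_IPSEC_SATP_FLABEL_*` macros (and the matching `RTE_SATP_LOG2_*` values in the previous hunk) are added to an installed header, yet nothing in this patch sets or reads them: fill_sa_type() in sa.c only handles ECN and DSCP. An application testing these bits on an SA type would always see them clear regardless of the SA options, so I would either drop them until the behaviour exists or mark them as reserved in a comment. A one-line comment per group would also help, for example `/* copy ECN bits between inner and outer header in tunnel mode */` above the ECN macros.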
diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index 1cb71caa1..952442785 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -220,6 +220,17 @@ fill_sa_type(const struct rte_ipsec_sa_prm *prm, uint64_t 
*type)
        else
                tp |= RTE_IPSEC_SATP_SQN_RAW;
 
+       /* check for ECN flag */
+       if (prm->ipsec_xform.options.ecn == 0)
+               tp |= RTE_IPSEC_SATP_ECN_DISABLE;
+       else
+               tp |= RTE_IPSEC_SATP_ECN_ENABLE;
+       /* check for DSCP flag */
+       if (prm->ipsec_xform.options.copy_dscp == 0)
+               tp |= RTE_IPSEC_SATP_DSCP_DISABLE;
+       else
+               tp |= RTE_IPSEC_SATP_DSCP_ENABLE;
+
        *type = tp;
        return 0;
 }
@@ -310,6 +321,12 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct 
rte_ipsec_sa_prm *prm,
        static const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK |
                                RTE_IPSEC_SATP_MODE_MASK;
 
+       if (prm->ipsec_xform.options.ecn)
+               sa->tos_mask |= RTE_IP_ECN_MASK;
+
+       if (prm->ipsec_xform.options.copy_dscp)
+               sa->tos_mask |= RTE_IP_DSCP_MASK;
+
        if (cxf->aead != NULL) {
                switch (cxf->aead->algo) {
                case RTE_CRYPTO_AEAD_AES_GCM:
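Review bot: `sa->tos_mask` is only ever OR-ed in esp_sa_init(), so its value is correct only if the SA memory was zeroed before this call, which this hunk does not show. Starting from a known value, `sa->tos_mask = 0;` ahead of the two tests, removes that dependency. esp_sa_init continues outside the hunk.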
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index ffb5fb4f8..41e0b78c9 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -10,6 +10,7 @@
 #define IPSEC_MAX_HDR_SIZE     64
 #define IPSEC_MAX_IV_SIZE      16
 #define IPSEC_MAX_IV_QWORD     (IPSEC_MAX_IV_SIZE / sizeof(uint64_t))
+#define INB_TUN_HDR_MSK (RTE_IPSEC_SATP_ECN_MASK | RTE_IPSEC_SATP_DSCP_MASK)
 
 /* padding alignment for different algorithms */
 enum {
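Review bot: `INB_TUN_HDR_MSK` is named for the inbound path, but update_outb_tun_l3hdr() in iph.h tests it as well, and the name does not say that it selects the ECN/DSCP copy options. A direction-neutral name with a comment such as `/* SA type bits that request ECN/DSCP handling of tunnel headers */` would be clearer. The `tos_mask` field added in the next hunk has no comment; `/* TOS bits (ECN and/or DSCP) copied from the inner to the outer header */` would document it.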
@@ -103,6 +104,7 @@ struct rte_ipsec_sa {
        uint8_t iv_ofs; /* offset for algo-specific IV inside crypto op */
        uint8_t iv_len;
        uint8_t pad_align;
+       uint8_t tos_mask;
 
        /* template for tunnel header */
        uint8_t hdr[IPSEC_MAX_HDR_SIZE];
diff --git a/lib/librte_net/rte_ip.h b/lib/librte_net/rte_ip.h
index c2c67b85d..85c53e8d9 100644
--- a/lib/librte_net/rte_ip.h
+++ b/lib/librte_net/rte_ip.h
@@ -46,6 +46,17 @@ struct rte_ipv4_hdr {
                                           (((b) & 0xff) << 16) | \
                                           (((c) & 0xff) << 8)  | \
                                           ((d) & 0xff))
+/**
+ * RFC 3168 Explicit Congestion Notification (ECN)
+ * * ECT(1) (ECN-Capable Transport(1))
+ * * ECT(0) (ECN-Capable Transport(0))
+ * * ECT(CE)(CE (Congestion Experienced))
+ */
+#define RTE_IP_ECN_MASK                (0x03)
+#define RTE_IP_ECN_CE          RTE_IP_ECN_MASK
+
+/** Packet Option Masks */
+#define RTE_IP_DSCP_MASK               (0xFC)
 
 /** Maximal IPv4 packet length (including a header) */
 #define RTE_IPV4_MAX_PKT_LEN        65535
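Review bot: The comment added above `RTE_IP_ECN_MASK` lists "ECT(CE)", which is not an RFC 3168 codepoint, and leaves out Not-ECT. I would replace the list with the four codepoints and their two-bit values (00 Not-ECT, 01 ECT(1), 10 ECT(0), 11 CE) and note that `RTE_IP_ECN_CE` equals the mask because CE is 0b11. `/** Packet Option Masks */` above `RTE_IP_DSCP_MASK` would be more precise as `/** DSCP bits of the IPv4 TOS / IPv6 traffic class byte (RFC 2474) */`. A blank line between the preceding multi-line macro and the new comment block would keep them visually separate.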
diff --git a/lib/librte_security/rte_security.h 
b/lib/librte_security/rte_security.h
index 76f54e0e0..d0492928c 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -163,6 +163,15 @@ struct rte_security_ipsec_sa_options {
         * * 0: Inner packet is not modified.
         */
        uint32_t dec_ttl : 1;
+
+       /**< Explicit Congestion Notification (ECN)
+        *
+        * * 1: In tunnel mode, enable outer header ECN Field copied from
+        *      inner header in tunnel encapsulation, or inner header ECN
+        *      field construction in decapsulation.
+        * * 0: Inner/outer header are not modified.
+        */
+       uint32_t ecn : 1;
 };
 
 /** IPSec security association direction */
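Review bot: The `ecn` description says the inner header field is "constructed" on decapsulation without saying when; the inbound code in this patch only sets CE on the inner header when the outer header carries CE and the inner one is ECN-capable. Wording such as `1: In tunnel mode, copy the inner ECN field to the outer header on encapsulation; on decapsulation propagate CE from the outer to the inner header when the inner packet is ECN-capable (RFC 4301 5.1.2)` would state the contract. The block uses the trailing-member marker `/**<` although it precedes the member; whether that follows the file's existing convention cannot be told from this hunk. `struct rte_security_ipsec_sa_options` ends inside the hunk but starts outside it.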
-- 
2.14.5
