From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by dpdk.org (Postfix) with ESMTP id 0BE974F93; Thu, 28 Mar 2019 13:47:42 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Mar 2019 05:47:42 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,280,1549958400"; d="scan'208";a="126621379" Received: from sivswdev08.ir.intel.com ([10.237.217.47]) by orsmga007.jf.intel.com with ESMTP; 28 Mar 2019 05:47:40 -0700 From: Konstantin Ananyev To: dev@dpdk.org Cc: akhil.goyal@nxp.com, Konstantin Ananyev , stable@dpdk.org Date: Thu, 28 Mar 2019 12:47:33 +0000 Message-Id: <20190328124733.25580-1-konstantin.ananyev@intel.com> X-Mailer: git-send-email 2.18.0 Subject: [dpdk-dev] [PATCH] examples/ipsec-secgw: fix SPD no-match is misinterpreted X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 28 Mar 2019 12:47:43 -0000 acl_classify() returns zero value when no matching rule was found. Currently ipsec-secgw treats it as a valid SPI value, though it has to discard such packets. Error could be easily observed by sending outbound unmatched packets, user will see something like that in the log: IPSEC: No cryptodev: core 7, cipher_algo 0, auth_algo 0, aead_algo 0 To fix it we need to treat packets with zero result from acl_classify() as invalid ones. Also we can change DISCARD and BYPASS values to simplify checks and save some extra space for valid SPI values. Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6") Fixes: 2a5106af132b ("examples/ipsec-secgw: fix corner case for SPI value") Cc: stable@dpdk.org Signed-off-by: Konstantin Ananyev --- examples/ipsec-secgw/ipsec-secgw.c | 12 ++++++------ examples/ipsec-secgw/ipsec.h | 6 ++---- examples/ipsec-secgw/sp4.c | 11 ++++++++--- examples/ipsec-secgw/sp6.c | 11 ++++++++--- 4 files changed, 24 insertions(+), 16 deletions(-) diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index ffbd00b08..59e084234 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -438,11 +438,11 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, for (i = 0; i < ip->num; i++) { m = ip->pkts[i]; res = ip->res[i]; - if (res & BYPASS) { + if (res == BYPASS) { ip->pkts[j++] = m; continue; } - if (res & DISCARD) { + if (res == DISCARD) { rte_pktmbuf_free(m); continue; } @@ -453,7 +453,7 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, continue; } - sa_idx = ip->res[i] & PROTECT_MASK; + sa_idx = ip->res[i]; if (sa_idx >= IPSEC_SA_MAX_ENTRIES || !inbound_sa_check(sa, m, sa_idx)) { rte_pktmbuf_free(m); @@ -541,10 +541,10 @@ outbound_sp(struct sp_ctx *sp, struct traffic_type *ip, j = 0; for (i = 0; i < ip->num; i++) { m = ip->pkts[i]; - sa_idx = ip->res[i] & PROTECT_MASK; - if (ip->res[i] & DISCARD) + sa_idx = ip->res[i]; + if (sa_idx == DISCARD) rte_pktmbuf_free(m); - else if (ip->res[i] & BYPASS) + else if (sa_idx == BYPASS) ip->pkts[j++] = m; else if (sa_idx < IPSEC_SA_MAX_ENTRIES) { ipsec->res[ipsec->num] = sa_idx; diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index 99f49d65f..44daf384b 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -41,10 +41,8 @@ #define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1)) #define INVALID_SPI (0) -#define DISCARD (0x80000000) -#define BYPASS (0x40000000) -#define PROTECT_MASK (0x3fffffff) -#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */ +#define DISCARD INVALID_SPI +#define BYPASS UINT32_MAX #define IPSEC_XFORM_MAX 2 diff --git a/examples/ipsec-secgw/sp4.c b/examples/ipsec-secgw/sp4.c index d1dc64bad..bfaddc52e 100644 --- a/examples/ipsec-secgw/sp4.c +++ b/examples/ipsec-secgw/sp4.c @@ -99,6 +99,7 @@ parse_sp4_tokens(char **tokens, uint32_t n_tokens, uint32_t *ri = NULL; /* rule index */ uint32_t ti = 0; /* token index */ + uint32_t tv; uint32_t esp_p = 0; uint32_t protect_p = 0; @@ -169,8 +170,12 @@ parse_sp4_tokens(char **tokens, uint32_t n_tokens, if (status->status < 0) return; - rule_ipv4->data.userdata = - PROTECT(atoi(tokens[ti])); + tv = atoi(tokens[ti]); + APP_CHECK(tv != DISCARD && tv != BYPASS, status, + "invalid SPI: %s", tokens[ti]); + if (status->status < 0) + return; + rule_ipv4->data.userdata = tv; protect_p = 1; continue; @@ -523,7 +528,7 @@ sp4_spi_present(uint32_t spi, int inbound) } for (i = 0; i != num; i++) { - if (acr[i].data.userdata == PROTECT(spi)) + if (acr[i].data.userdata == spi) return i; } diff --git a/examples/ipsec-secgw/sp6.c b/examples/ipsec-secgw/sp6.c index e67d85aaf..b7fcf7c16 100644 --- a/examples/ipsec-secgw/sp6.c +++ b/examples/ipsec-secgw/sp6.c @@ -130,6 +130,7 @@ parse_sp6_tokens(char **tokens, uint32_t n_tokens, uint32_t *ri = NULL; /* rule index */ uint32_t ti = 0; /* token index */ + uint32_t tv; uint32_t esp_p = 0; uint32_t protect_p = 0; @@ -202,8 +203,12 @@ parse_sp6_tokens(char **tokens, uint32_t n_tokens, if (status->status < 0) return; - rule_ipv6->data.userdata = - PROTECT(atoi(tokens[ti])); + tv = atoi(tokens[ti]); + APP_CHECK(tv != DISCARD && tv != BYPASS, status, + "invalid SPI: %s", tokens[ti]); + if (status->status < 0) + return; + rule_ipv6->data.userdata = tv; protect_p = 1; continue; @@ -637,7 +642,7 @@ sp6_spi_present(uint32_t spi, int inbound) } for (i = 0; i != num; i++) { - if (acr[i].data.userdata == PROTECT(spi)) + if (acr[i].data.userdata == spi) return i; } -- 2.17.1 From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by dpdk.space (Postfix) with ESMTP id 83003A0679 for ; Thu, 28 Mar 2019 13:47:46 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 4F67E1B1EA; Thu, 28 Mar 2019 13:47:45 +0100 (CET) Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by dpdk.org (Postfix) with ESMTP id 0BE974F93; Thu, 28 Mar 2019 13:47:42 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by fmsmga101.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 28 Mar 2019 05:47:42 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.60,280,1549958400"; d="scan'208";a="126621379" Received: from sivswdev08.ir.intel.com ([10.237.217.47]) by orsmga007.jf.intel.com with ESMTP; 28 Mar 2019 05:47:40 -0700 From: Konstantin Ananyev To: dev@dpdk.org Cc: akhil.goyal@nxp.com, Konstantin Ananyev , stable@dpdk.org Date: Thu, 28 Mar 2019 12:47:33 +0000 Message-Id: <20190328124733.25580-1-konstantin.ananyev@intel.com> X-Mailer: git-send-email 2.18.0 Subject: [dpdk-dev] [PATCH] examples/ipsec-secgw: fix SPD no-match is misinterpreted X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" Content-Type: text/plain; charset="UTF-8" Message-ID: <20190328124733.eSnsPVYPuS2212CgK7KNzf4o8D8Adpf976sRFDTTneY@z> acl_classify() returns zero value when no matching rule was found. Currently ipsec-secgw treats it as a valid SPI value, though it has to discard such packets. Error could be easily observed by sending outbound unmatched packets, user will see something like that in the log: IPSEC: No cryptodev: core 7, cipher_algo 0, auth_algo 0, aead_algo 0 To fix it we need to treat packets with zero result from acl_classify() as invalid ones. Also we can change DISCARD and BYPASS values to simplify checks and save some extra space for valid SPI values. Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6") Fixes: 2a5106af132b ("examples/ipsec-secgw: fix corner case for SPI value") Cc: stable@dpdk.org Signed-off-by: Konstantin Ananyev --- examples/ipsec-secgw/ipsec-secgw.c | 12 ++++++------ examples/ipsec-secgw/ipsec.h | 6 ++---- examples/ipsec-secgw/sp4.c | 11 ++++++++--- examples/ipsec-secgw/sp6.c | 11 ++++++++--- 4 files changed, 24 insertions(+), 16 deletions(-) diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ipsec-secgw.c index ffbd00b08..59e084234 100644 --- a/examples/ipsec-secgw/ipsec-secgw.c +++ b/examples/ipsec-secgw/ipsec-secgw.c @@ -438,11 +438,11 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, for (i = 0; i < ip->num; i++) { m = ip->pkts[i]; res = ip->res[i]; - if (res & BYPASS) { + if (res == BYPASS) { ip->pkts[j++] = m; continue; } - if (res & DISCARD) { + if (res == DISCARD) { rte_pktmbuf_free(m); continue; } @@ -453,7 +453,7 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, struct traffic_type *ip, continue; } - sa_idx = ip->res[i] & PROTECT_MASK; + sa_idx = ip->res[i]; if (sa_idx >= IPSEC_SA_MAX_ENTRIES || !inbound_sa_check(sa, m, sa_idx)) { rte_pktmbuf_free(m); @@ -541,10 +541,10 @@ outbound_sp(struct sp_ctx *sp, struct traffic_type *ip, j = 0; for (i = 0; i < ip->num; i++) { m = ip->pkts[i]; - sa_idx = ip->res[i] & PROTECT_MASK; - if (ip->res[i] & DISCARD) + sa_idx = ip->res[i]; + if (sa_idx == DISCARD) rte_pktmbuf_free(m); - else if (ip->res[i] & BYPASS) + else if (sa_idx == BYPASS) ip->pkts[j++] = m; else if (sa_idx < IPSEC_SA_MAX_ENTRIES) { ipsec->res[ipsec->num] = sa_idx; diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h index 99f49d65f..44daf384b 100644 --- a/examples/ipsec-secgw/ipsec.h +++ b/examples/ipsec-secgw/ipsec.h @@ -41,10 +41,8 @@ #define SPI2IDX(spi) (spi & (IPSEC_SA_MAX_ENTRIES - 1)) #define INVALID_SPI (0) -#define DISCARD (0x80000000) -#define BYPASS (0x40000000) -#define PROTECT_MASK (0x3fffffff) -#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bits */ +#define DISCARD INVALID_SPI +#define BYPASS UINT32_MAX #define IPSEC_XFORM_MAX 2 diff --git a/examples/ipsec-secgw/sp4.c b/examples/ipsec-secgw/sp4.c index d1dc64bad..bfaddc52e 100644 --- a/examples/ipsec-secgw/sp4.c +++ b/examples/ipsec-secgw/sp4.c @@ -99,6 +99,7 @@ parse_sp4_tokens(char **tokens, uint32_t n_tokens, uint32_t *ri = NULL; /* rule index */ uint32_t ti = 0; /* token index */ + uint32_t tv; uint32_t esp_p = 0; uint32_t protect_p = 0; @@ -169,8 +170,12 @@ parse_sp4_tokens(char **tokens, uint32_t n_tokens, if (status->status < 0) return; - rule_ipv4->data.userdata = - PROTECT(atoi(tokens[ti])); + tv = atoi(tokens[ti]); + APP_CHECK(tv != DISCARD && tv != BYPASS, status, + "invalid SPI: %s", tokens[ti]); + if (status->status < 0) + return; + rule_ipv4->data.userdata = tv; protect_p = 1; continue; @@ -523,7 +528,7 @@ sp4_spi_present(uint32_t spi, int inbound) } for (i = 0; i != num; i++) { - if (acr[i].data.userdata == PROTECT(spi)) + if (acr[i].data.userdata == spi) return i; } diff --git a/examples/ipsec-secgw/sp6.c b/examples/ipsec-secgw/sp6.c index e67d85aaf..b7fcf7c16 100644 --- a/examples/ipsec-secgw/sp6.c +++ b/examples/ipsec-secgw/sp6.c @@ -130,6 +130,7 @@ parse_sp6_tokens(char **tokens, uint32_t n_tokens, uint32_t *ri = NULL; /* rule index */ uint32_t ti = 0; /* token index */ + uint32_t tv; uint32_t esp_p = 0; uint32_t protect_p = 0; @@ -202,8 +203,12 @@ parse_sp6_tokens(char **tokens, uint32_t n_tokens, if (status->status < 0) return; - rule_ipv6->data.userdata = - PROTECT(atoi(tokens[ti])); + tv = atoi(tokens[ti]); + APP_CHECK(tv != DISCARD && tv != BYPASS, status, + "invalid SPI: %s", tokens[ti]); + if (status->status < 0) + return; + rule_ipv6->data.userdata = tv; protect_p = 1; continue; @@ -637,7 +642,7 @@ sp6_spi_present(uint32_t spi, int inbound) } for (i = 0; i != num; i++) { - if (acr[i].data.userdata == PROTECT(spi)) + if (acr[i].data.userdata == spi) return i; } -- 2.17.1