DPDK patches and discussions
From: Marcin Smoczynski <marcinx.smoczynski@intel.com>
To: marko.kovacevic@intel.com, orika@mellanox.com,
	bruce.richardson@intel.com, pablo.de.lara.guarch@intel.com,
	radu.nicolau@intel.com, akhil.goyal@nxp.com,
	tomasz.kantecki@intel.com, konstantin.ananyev@intel.com,
	bernard.iremonger@intel.com, olivier.matz@6wind.com
Cc: dev@dpdk.org, Marcin Smoczynski <marcinx.smoczynski@intel.com>
Subject: [dpdk-dev] [PATCH 2/3] ipsec: fix transport mode for ipv6 with extensions
Date: Wed,  8 May 2019 12:47:16 +0200
Message-ID: <20190508104717.13448-2-marcinx.smoczynski@intel.com>
Message-ID: <20190508104716.fQNHkDd1VOzCvNpy6-ik0IkGPh7dajNGK7QjUYb9U8E@z>
In-Reply-To: <20190508104717.13448-1-marcinx.smoczynski@intel.com>

Reconstructing IPv6 header after encryption or decryption requires
updating 'next header' value in the preceding protocol header, which
is determined by parsing IPv6 header and iteratively looking for
next IPv6 header extension.

It is required that 'l3_len' in the mbuf metadata contains a total
length of the IPv6 header with header extensions up to ESP header.

Signed-off-by: Marcin Smoczynski <marcinx.smoczynski@intel.com>
---
 lib/Makefile           |  3 ++-
 lib/librte_ipsec/iph.h | 55 ++++++++++++++++++++++++++++++++++++------
 2 files changed, 49 insertions(+), 9 deletions(-)

diff --git a/lib/Makefile b/lib/Makefile
index 791e0d991..3ad579f68 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -108,7 +108,8 @@ DEPDIRS-librte_gso += librte_mempool
 DIRS-$(CONFIG_RTE_LIBRTE_BPF) += librte_bpf
 DEPDIRS-librte_bpf := librte_eal librte_mempool librte_mbuf librte_ethdev
 DIRS-$(CONFIG_RTE_LIBRTE_IPSEC) += librte_ipsec
-DEPDIRS-librte_ipsec := librte_eal librte_mbuf librte_cryptodev librte_security
+DEPDIRS-librte_ipsec := librte_eal librte_mbuf librte_cryptodev librte_security \
+			librte_net
 DIRS-$(CONFIG_RTE_LIBRTE_TELEMETRY) += librte_telemetry
 DEPDIRS-librte_telemetry := librte_eal librte_metrics librte_ethdev
 DIRS-$(CONFIG_RTE_LIBRTE_RCU) += librte_rcu
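Review bot: The new librte_net entry in DEPDIRS-librte_ipsec is not explained in the commit message; the only visible reason for it is the rte_ip.h include and the rte_ipv6_get_next_ext() call added to iph.h. Please state that in the log. The diffstat touches only lib/Makefile and iph.h, so also confirm that no other build description of librte_ipsec needs the same dependency.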
diff --git a/lib/librte_ipsec/iph.h b/lib/librte_ipsec/iph.h
index 58930cf18..082e4e73e 100644
--- a/lib/librte_ipsec/iph.h
+++ b/lib/librte_ipsec/iph.h
@@ -5,6 +5,8 @@
 #ifndef _IPH_H_
 #define _IPH_H_
 
+#include <rte_ip.h>
+
 /**
  * @file iph.h
  * Contains functions/structures/macros to manipulate IPv4/IPv6 headers
@@ -40,24 +42,61 @@ static inline int
 update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
 		uint32_t l2len, uint32_t l3len, uint8_t proto)
 {
-	struct ipv4_hdr *v4h;
-	struct ipv6_hdr *v6h;
 	int32_t rc;
 
+	/* IPv4 */
 	if ((sa->type & RTE_IPSEC_SATP_IPV_MASK) == RTE_IPSEC_SATP_IPV4) {
+		struct ipv4_hdr *v4h;
+
 		v4h = p;
 		rc = v4h->next_proto_id;
 		v4h->next_proto_id = proto;
 		v4h->total_length = rte_cpu_to_be_16(plen - l2len);
-	} else if (l3len == sizeof(*v6h)) {
+	/* IPv6 */
+	} else {
+		struct ipv6_hdr *v6h;
+		uint8_t *next_proto_off;
+
 		v6h = p;
-		rc = v6h->proto;
-		v6h->proto = proto;
+
+		/* basic IPv6 header with no extensions */
+		if (l3len == sizeof(struct ipv6_hdr))
+			next_proto_off = &v6h->proto;
+
+		/* IPv6 with extensions */
+		else {
+			size_t ext_len;
+			int nh;
+			uint8_t *pd, *plimit;
+
+			/* locate last extension within l3len bytes */
+			pd = (uint8_t *)p;
+			plimit = pd + l3len;
+			ext_len = sizeof(struct ipv6_hdr);
+			nh = v6h->proto;
+			while (pd + ext_len < plimit) {
+				pd += ext_len;
+				nh = rte_ipv6_get_next_ext(pd, nh, &ext_len);
+				if (unlikely(nh < 0))
+					return -EINVAL;
+			}
+
+			/* invalid l3len - extension exceeds header length */
+			if (unlikely(pd + ext_len != plimit))
+				return -EINVAL;
+
+			/* save last extension offset */
+			next_proto_off = pd;
+		}
+
+		/* update header type; return original value */
+		rc = *next_proto_off;
+		*next_proto_off = proto;
+
+		/* fix packet length */
 		v6h->payload_len = rte_cpu_to_be_16(plen - l2len -
 				sizeof(*v6h));
-	/* need to add support for IPv6 with options */
-	} else
-		rc = -ENOTSUP;
+	}
 
 	return rc;
 }
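Review bot: In the "IPv6 with extensions" branch, l3len is used as the walk limit (plimit = pd + l3len) without being checked against the L3 data actually present (plen - l2len), so an oversized l3len from the mbuf metadata lets the loop parse bytes beyond the packet's headers before the final pd + ext_len != plimit test can reject it. Consider returning -EINVAL up front when l3len > plen - l2len. The loop advances only by the ext_len that rte_ipv6_get_next_ext() writes back, so it depends on that value being non-zero whenever nh >= 0; a short comment or an explicit check would make the termination argument visible here. The failure code also changes from -ENOTSUP to -EINVAL, so a comment above update_trs_l3hdr() should spell out the return contract (original next-header value on success, negative errno on failure) together with the l3len requirement given in the commit message. Style: the /* IPv6 */ comment sits inside the IPv4 block ahead of "} else {", and the if/else under "basic IPv6 header with no extensions" mixes an unbraced arm with a braced one.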
-- 
2.21.0.windows.1

