From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: <dev-bounces@dpdk.org> Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 2AC14A0487 for <public@inbox.dpdk.org>; Mon, 1 Jul 2019 14:07:26 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 6AA3A1B945; Mon, 1 Jul 2019 14:07:21 +0200 (CEST) Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by dpdk.org (Postfix) with ESMTP id B55F53195 for <dev@dpdk.org>; Mon, 1 Jul 2019 14:07:18 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga004.jf.intel.com ([10.7.209.38]) by fmsmga104.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 01 Jul 2019 05:07:18 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.63,439,1557212400"; d="scan'208";a="314864218" Received: from silpixa00398673.ir.intel.com (HELO silpixa00398673.ger.corp.intel.com) ([10.237.223.136]) by orsmga004.jf.intel.com with ESMTP; 01 Jul 2019 05:07:16 -0700 From: Fan Zhang <roy.fan.zhang@intel.com> To: dev@dpdk.org Cc: akhil.goyal@nxp.com, pablo.de.lara.guarch@intel.com, Fan Zhang <roy.fan.zhang@intel.com>, Marko Kovacevic <marko.kovacevic@intel.com> Date: Mon, 1 Jul 2019 13:01:23 +0100 Message-Id: <20190701120124.70418-2-roy.fan.zhang@intel.com> X-Mailer: git-send-email 2.14.5 In-Reply-To: <20190701120124.70418-1-roy.fan.zhang@intel.com> References: <20190626150509.17442-1-roy.fan.zhang@intel.com> <20190701120124.70418-1-roy.fan.zhang@intel.com> Subject: [dpdk-dev] [PATCH v6 1/2] lib/ipsec: add support for header construction X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions <dev.dpdk.org> List-Unsubscribe: <https://mails.dpdk.org/options/dev>, <mailto:dev-request@dpdk.org?subject=unsubscribe> List-Archive: <http://mails.dpdk.org/archives/dev/> List-Post: <mailto:dev@dpdk.org> List-Help: <mailto:dev-request@dpdk.org?subject=help> List-Subscribe: <https://mails.dpdk.org/listinfo/dev>, <mailto:dev-request@dpdk.org?subject=subscribe> Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org> Add support for RFC 4301(5.1.2) to update of Type of service field and Traffic class field bits inside ipv4/ipv6 packets for outbound cases and inbound cases which deals with the update of the DSCP/ENC bits inside each of the fields. Signed-off-by: Marko Kovacevic <marko.kovacevic@intel.com> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com> --- lib/librte_ipsec/esp_inb.c | 13 ++- lib/librte_ipsec/esp_outb.c | 4 +- lib/librte_ipsec/iph.h | 168 ++++++++++++++++++++++++++++++++++++- lib/librte_ipsec/rte_ipsec_sa.h | 10 +++ lib/librte_ipsec/sa.c | 18 ++++ lib/librte_ipsec/sa.h | 2 + lib/librte_net/rte_ip.h | 12 +++ lib/librte_security/rte_security.h | 9 ++ 8 files changed, 228 insertions(+), 8 deletions(-) diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c index fb10b7085..8e3ecbc64 100644 --- a/lib/librte_ipsec/esp_inb.c +++ b/lib/librte_ipsec/esp_inb.c @@ -464,6 +464,8 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], uint32_t hl[num], to[num]; struct esp_tail espt[num]; struct rte_mbuf *ml[num]; + const void *outh; + void *inh; /* * remove icv, esp trailer and high-order @@ -489,9 +491,16 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[], if (tun_process_check(mb[i], &ml[i], &to[i], espt[i], adj, tl, sa->proto) == 0) { + outh = rte_pktmbuf_mtod_offset(mb[i], uint8_t *, + mb[i]->l2_len); + /* modify packet's layout */ - tun_process_step2(mb[i], ml[i], hl[i], adj, to[i], - tl, sqn + k); + inh = tun_process_step2(mb[i], ml[i], hl[i], adj, + to[i], tl, sqn + k); + + /* update inner ip header */ + update_tun_inb_l3hdr(sa, outh, inh); + /* update mbuf's metadata */ tun_process_step3(mb[i], sa->tx_offload.msk, sa->tx_offload.val); diff --git a/lib/librte_ipsec/esp_outb.c b/lib/librte_ipsec/esp_outb.c index 8c6db3553..55799a867 100644 --- a/lib/librte_ipsec/esp_outb.c +++ b/lib/librte_ipsec/esp_outb.c @@ -152,8 +152,8 @@ outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc, rte_memcpy(ph, sa->hdr, sa->hdr_len); /* update original and new ip header fields */ - update_tun_l3hdr(sa, ph + sa->hdr_l3_off, mb->pkt_len - sqh_len, - sa->hdr_l3_off, sqn_low16(sqc)); + update_tun_outb_l3hdr(sa, ph + sa->hdr_l3_off, ph + hlen, + mb->pkt_len - sqh_len, sa->hdr_l3_off, sqn_low16(sqc)); /* update spi, seqn and iv */ esph = (struct rte_esp_hdr *)(ph + sa->hdr_len); diff --git a/lib/librte_ipsec/iph.h b/lib/librte_ipsec/iph.h index 62d78b7b1..90faff6d5 100644 --- a/lib/librte_ipsec/iph.h +++ b/lib/librte_ipsec/iph.h @@ -101,23 +101,183 @@ update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen, return rc; } +/* + * The masks for ipv6 header reconstruction (RFC4301) + */ +#define IPV6_DSCP_MASK (RTE_IP_DSCP_MASK << RTE_IPV6_HDR_TC_SHIFT) +#define IPV6_ECN_MASK (RTE_IP_ECN_MASK << RTE_IPV6_HDR_TC_SHIFT) +#define IPV6_TOS_MASK (IPV6_ECN_MASK | IPV6_DSCP_MASK) +#define IPV6_ECN_CE IPV6_ECN_MASK + +/* + * Inline functions to get and set ipv6 packet header traffic class (TC) field. + */ +static inline uint8_t +get_ipv6_tc(rte_be32_t vtc_flow) +{ + uint32_t v; + + v = rte_be_to_cpu_32(vtc_flow); + return v >> RTE_IPV6_HDR_TC_SHIFT; +} + +static inline rte_be32_t +set_ipv6_tc(rte_be32_t vtc_flow, uint32_t tos) +{ + uint32_t v; + + v = rte_cpu_to_be_32(tos << RTE_IPV6_HDR_TC_SHIFT); + vtc_flow &= ~rte_cpu_to_be_32(IPV6_TOS_MASK); + + return (v | vtc_flow); +} + +/** + * Update type-of-service/traffic-class field of outbound tunnel packet. + * + * @param ref_h: reference header, for outbound it is inner header, otherwise + * outer header. + * @param update_h: header to be updated tos/tc field, for outbound it is outer + * header, otherwise inner header. + * @param tos_mask: type-of-service mask stored in sa. + * @param is_outh_ipv4: 1 if outer header is ipv4, 0 if it is ipv6. + * @param is_inner_ipv4: 1 if inner header is ipv4, 0 if it is ipv6. + */ +static inline void +update_outb_tun_tos(const void *ref_h, void *update_h, uint32_t tos_mask, + uint8_t is_outh_ipv4, uint8_t is_inh_ipv4) +{ + uint8_t idx = ((is_outh_ipv4 << 1) | is_inh_ipv4); + struct rte_ipv4_hdr *v4out_h; + struct rte_ipv6_hdr *v6out_h; + uint32_t itp, otp; + + switch (idx) { + case 0: /*outh ipv6, inh ipv6 */ + v6out_h = update_h; + otp = get_ipv6_tc(v6out_h->vtc_flow) & ~tos_mask; + itp = get_ipv6_tc(((const struct rte_ipv6_hdr *)ref_h)-> + vtc_flow) & tos_mask; + v6out_h->vtc_flow = set_ipv6_tc(v6out_h->vtc_flow, otp | itp); + break; + case 1: /*outh ipv6, inh ipv4 */ + v6out_h = update_h; + otp = get_ipv6_tc(v6out_h->vtc_flow) & ~tos_mask; + itp = ((const struct rte_ipv4_hdr *)ref_h)->type_of_service & + tos_mask; + v6out_h->vtc_flow = set_ipv6_tc(v6out_h->vtc_flow, otp | itp); + break; + case 2: /*outh ipv4, inh ipv6 */ + v4out_h = update_h; + otp = v4out_h->type_of_service & ~tos_mask; + itp = get_ipv6_tc(((const struct rte_ipv6_hdr *)ref_h)-> + vtc_flow) & tos_mask; + v4out_h->type_of_service = (otp | itp); + break; + case 3: /* outh ipv4, inh ipv4 */ + v4out_h = update_h; + otp = v4out_h->type_of_service & ~tos_mask; + itp = ((const struct rte_ipv4_hdr *)ref_h)->type_of_service & + tos_mask; + v4out_h->type_of_service = (otp | itp); + break; + } +} + +/** + * Update type-of-service/traffic-class field of inbound tunnel packet. + * + * @param ref_h: reference header, for outbound it is inner header, otherwise + * outer header. + * @param update_h: header to be updated tos/tc field, for outbound it is outer + * header, otherwise inner header. + * @param is_outh_ipv4: 1 if outer header is ipv4, 0 if it is ipv6. + * @param is_inner_ipv4: 1 if inner header is ipv4, 0 if it is ipv6. + */ +static inline void +update_inb_tun_tos(const void *ref_h, void *update_h, + uint8_t is_outh_ipv4, uint8_t is_inh_ipv4) +{ + uint8_t idx = ((is_outh_ipv4 << 1) | is_inh_ipv4); + struct rte_ipv4_hdr *v4in_h; + struct rte_ipv6_hdr *v6in_h; + uint8_t ecn_v4out, ecn_v4in; + uint32_t ecn_v6out, ecn_v6in; + + switch (idx) { + case 0: /* outh ipv6, inh ipv6 */ + v6in_h = update_h; + ecn_v6out = ((const struct rte_ipv6_hdr *)ref_h)->vtc_flow & + rte_cpu_to_be_32(IPV6_ECN_MASK); + ecn_v6in = v6in_h->vtc_flow & rte_cpu_to_be_32(IPV6_ECN_MASK); + if ((ecn_v6out == rte_cpu_to_be_32(IPV6_ECN_CE)) && + (ecn_v6in != 0)) + v6in_h->vtc_flow |= rte_cpu_to_be_32(IPV6_ECN_CE); + break; + case 1: /* outh ipv6, inh ipv4 */ + v4in_h = update_h; + ecn_v6out = ((const struct rte_ipv6_hdr *)ref_h)->vtc_flow & + rte_cpu_to_be_32(IPV6_ECN_MASK); + ecn_v4in = v4in_h->type_of_service & RTE_IP_ECN_MASK; + if ((ecn_v6out == rte_cpu_to_be_32(IPV6_ECN_CE)) && + (ecn_v4in != 0)) + v4in_h->type_of_service |= RTE_IP_ECN_CE; + break; + case 2: /* outh ipv4, inh ipv6 */ + v6in_h = update_h; + ecn_v4out = ((const struct rte_ipv4_hdr *)ref_h)-> + type_of_service & RTE_IP_ECN_MASK; + ecn_v6in = v6in_h->vtc_flow & rte_cpu_to_be_32(IPV6_ECN_MASK); + if (ecn_v4out == RTE_IP_ECN_CE && ecn_v6in != 0) + v6in_h->vtc_flow |= rte_cpu_to_be_32(IPV6_ECN_CE); + break; + case 3: /* outh ipv4, inh ipv4 */ + v4in_h = update_h; + ecn_v4out = ((const struct rte_ipv4_hdr *)ref_h)-> + type_of_service & RTE_IP_ECN_MASK; + ecn_v4in = v4in_h->type_of_service & RTE_IP_ECN_MASK; + if (ecn_v4out == RTE_IP_ECN_CE && ecn_v4in != 0) + v4in_h->type_of_service |= RTE_IP_ECN_CE; + break; + } +} + /* update original and new ip header fields for tunnel case */ static inline void -update_tun_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen, - uint32_t l2len, rte_be16_t pid) +update_tun_outb_l3hdr(const struct rte_ipsec_sa *sa, void *outh, + const void *inh, uint32_t plen, uint32_t l2len, rte_be16_t pid) { struct rte_ipv4_hdr *v4h; struct rte_ipv6_hdr *v6h; + uint8_t is_outh_ipv4; if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) { - v4h = p; + is_outh_ipv4 = 1; + v4h = outh; v4h->packet_id = pid; v4h->total_length = rte_cpu_to_be_16(plen - l2len); } else { - v6h = p; + is_outh_ipv4 = 0; + v6h = outh; v6h->payload_len = rte_cpu_to_be_16(plen - l2len - sizeof(*v6h)); } + + if (sa->type & TUN_HDR_MSK) + update_outb_tun_tos(inh, outh, sa->tos_mask, is_outh_ipv4, + ((sa->type & RTE_IPSEC_SATP_IPV_MASK) == + RTE_IPSEC_SATP_IPV4)); +} + +static inline void +update_tun_inb_l3hdr(const struct rte_ipsec_sa *sa, const void *outh, + void *inh) +{ + if (sa->type & TUN_HDR_MSK) + update_inb_tun_tos(outh, inh, + ((sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) != 0), + ((sa->type & RTE_IPSEC_SATP_IPV_MASK) == + RTE_IPSEC_SATP_IPV4)); } #endif /* _IPH_H_ */ diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h index fd9b3ed60..a71b55f68 100644 --- a/lib/librte_ipsec/rte_ipsec_sa.h +++ b/lib/librte_ipsec/rte_ipsec_sa.h @@ -95,6 +95,8 @@ enum { RTE_SATP_LOG2_MODE, RTE_SATP_LOG2_SQN = RTE_SATP_LOG2_MODE + 2, RTE_SATP_LOG2_ESN, + RTE_SATP_LOG2_ECN, + RTE_SATP_LOG2_DSCP, RTE_SATP_LOG2_NUM }; @@ -123,6 +125,14 @@ enum { #define RTE_IPSEC_SATP_ESN_DISABLE (0ULL << RTE_SATP_LOG2_ESN) #define RTE_IPSEC_SATP_ESN_ENABLE (1ULL << RTE_SATP_LOG2_ESN) +#define RTE_IPSEC_SATP_ECN_MASK (1ULL << RTE_SATP_LOG2_ECN) +#define RTE_IPSEC_SATP_ECN_DISABLE (0ULL << RTE_SATP_LOG2_ECN) +#define RTE_IPSEC_SATP_ECN_ENABLE (1ULL << RTE_SATP_LOG2_ECN) + +#define RTE_IPSEC_SATP_DSCP_MASK (1ULL << RTE_SATP_LOG2_DSCP) +#define RTE_IPSEC_SATP_DSCP_DISABLE (0ULL << RTE_SATP_LOG2_DSCP) +#define RTE_IPSEC_SATP_DSCP_ENABLE (1ULL << RTE_SATP_LOG2_DSCP) + /** * get type of given SA * @return diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c index 087de958a..4dec9c37d 100644 --- a/lib/librte_ipsec/sa.c +++ b/lib/librte_ipsec/sa.c @@ -214,6 +214,18 @@ fill_sa_type(const struct rte_ipsec_sa_prm *prm, uint64_t *type) else tp |= RTE_IPSEC_SATP_ESN_ENABLE; + /* check for ECN flag */ + if (prm->ipsec_xform.options.ecn == 0) + tp |= RTE_IPSEC_SATP_ECN_DISABLE; + else + tp |= RTE_IPSEC_SATP_ECN_ENABLE; + + /* check for DSCP flag */ + if (prm->ipsec_xform.options.copy_dscp == 0) + tp |= RTE_IPSEC_SATP_DSCP_DISABLE; + else + tp |= RTE_IPSEC_SATP_DSCP_ENABLE; + /* interpret flags */ if (prm->flags & RTE_IPSEC_SAFLAG_SQN_ATOM) tp |= RTE_IPSEC_SATP_SQN_ATOM; @@ -310,6 +322,12 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm, static const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK | RTE_IPSEC_SATP_MODE_MASK; + if (prm->ipsec_xform.options.ecn) + sa->tos_mask |= RTE_IP_ECN_MASK; + + if (prm->ipsec_xform.options.copy_dscp) + sa->tos_mask |= RTE_IP_DSCP_MASK; + if (cxf->aead != NULL) { switch (cxf->aead->algo) { case RTE_CRYPTO_AEAD_AES_GCM: diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h index 20c0a65c0..51e69ad05 100644 --- a/lib/librte_ipsec/sa.h +++ b/lib/librte_ipsec/sa.h @@ -10,6 +10,7 @@ #define IPSEC_MAX_HDR_SIZE 64 #define IPSEC_MAX_IV_SIZE 16 #define IPSEC_MAX_IV_QWORD (IPSEC_MAX_IV_SIZE / sizeof(uint64_t)) +#define TUN_HDR_MSK (RTE_IPSEC_SATP_ECN_MASK | RTE_IPSEC_SATP_DSCP_MASK) /* padding alignment for different algorithms */ enum { @@ -103,6 +104,7 @@ struct rte_ipsec_sa { uint8_t iv_ofs; /* offset for algo-specific IV inside crypto op */ uint8_t iv_len; uint8_t pad_align; + uint8_t tos_mask; /* template for tunnel header */ uint8_t hdr[IPSEC_MAX_HDR_SIZE]; diff --git a/lib/librte_net/rte_ip.h b/lib/librte_net/rte_ip.h index c2c67b85d..2e5790691 100644 --- a/lib/librte_net/rte_ip.h +++ b/lib/librte_net/rte_ip.h @@ -70,6 +70,18 @@ struct rte_ipv4_hdr { #define RTE_IPV4_HDR_OFFSET_UNITS 8 +/** + * RFC 3168 Explicit Congestion Notification (ECN) + * * ECT(1) (ECN-Capable Transport(1)) + * * ECT(0) (ECN-Capable Transport(0)) + * * ECT(CE)(CE (Congestion Experienced)) + */ +#define RTE_IP_ECN_MASK (0x03) +#define RTE_IP_ECN_CE RTE_IP_ECN_MASK + +/** Packet Option Masks */ +#define RTE_IP_DSCP_MASK (0xFC) + /* * IPv4 address types */ diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h index 76f54e0e0..d0492928c 100644 --- a/lib/librte_security/rte_security.h +++ b/lib/librte_security/rte_security.h @@ -163,6 +163,15 @@ struct rte_security_ipsec_sa_options { * * 0: Inner packet is not modified. */ uint32_t dec_ttl : 1; + + /**< Explicit Congestion Notification (ECN) + * + * * 1: In tunnel mode, enable outer header ECN Field copied from + * inner header in tunnel encapsulation, or inner header ECN + * field construction in decapsulation. + * * 0: Inner/outer header are not modified. + */ + uint32_t ecn : 1; }; /** IPSec security association direction */ -- 2.14.5