From: Fan Zhang <roy.fan.zhang@intel.com>
To: dev@dpdk.org
Cc: akhil.goyal@nxp.com, konstantin.ananyev@intel.com,
	Fan Zhang <roy.fan.zhang@intel.com>,
	Marko Kovacevic <marko.kovacevic@intel.com>
Subject: [dpdk-dev] [PATCH v4 1/2] lib/ipsec: add support for header construction
Date: Fri, 28 Jun 2019 13:39:25 +0100	[thread overview]
Message-ID: <20190628123926.15762-2-roy.fan.zhang@intel.com> (raw)
In-Reply-To: <20190628123926.15762-1-roy.fan.zhang@intel.com>

Add support for RFC 4301 (5.1.2) updates of the Type of Service
and Traffic Class fields inside IPv4/IPv6 packets, for both
outbound and inbound cases, i.e. the handling of the DSCP/ECN
bits inside each of those fields.

Signed-off-by: Marko Kovacevic <marko.kovacevic@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
---
 lib/librte_ipsec/esp_inb.c         |  13 +++-
 lib/librte_ipsec/esp_outb.c        |   4 +-
 lib/librte_ipsec/iph.h             | 139 +++++++++++++++++++++++++++++++++++--
 lib/librte_ipsec/rte_ipsec_sa.h    |  10 +++
 lib/librte_ipsec/sa.c              |  18 +++++
 lib/librte_ipsec/sa.h              |   2 +
 lib/librte_net/rte_ip.h            |  12 ++++
 lib/librte_security/rte_security.h |   9 +++
 8 files changed, 199 insertions(+), 8 deletions(-)

diff --git a/lib/librte_ipsec/esp_inb.c b/lib/librte_ipsec/esp_inb.c
index fb10b7085..8e3ecbc64 100644
--- a/lib/librte_ipsec/esp_inb.c
+++ b/lib/librte_ipsec/esp_inb.c
@@ -464,6 +464,8 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
 	uint32_t hl[num], to[num];
 	struct esp_tail espt[num];
 	struct rte_mbuf *ml[num];
+	const void *outh;
+	void *inh;
 
 	/*
 	 * remove icv, esp trailer and high-order
@@ -489,9 +491,16 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
 		if (tun_process_check(mb[i], &ml[i], &to[i], espt[i], adj, tl,
 					sa->proto) == 0) {
 
+			outh = rte_pktmbuf_mtod_offset(mb[i], uint8_t *,
+					mb[i]->l2_len);
+
 			/* modify packet's layout */
-			tun_process_step2(mb[i], ml[i], hl[i], adj, to[i],
-				tl, sqn + k);
+			inh = tun_process_step2(mb[i], ml[i], hl[i], adj,
+					to[i], tl, sqn + k);
+
+			/* update inner ip header */
+			update_tun_inb_l3hdr(sa, outh, inh);
+
 			/* update mbuf's metadata */
 			tun_process_step3(mb[i], sa->tx_offload.msk,
 				sa->tx_offload.val);
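Review bot: `outh` is captured before `tun_process_step2()` changes the packet layout and is only dereferenced afterwards by `update_tun_inb_l3hdr()`, so this code depends on the outer header bytes staying intact after they are trimmed from the data area. That dependency should be stated at the `outh = ...` line, e.g. `/* outer IP header: read after step2, relies on the trimmed bytes staying intact in the mbuf */`. `tun_process_step2()` is defined outside this hunk, so whether its return value can be NULL here is not visible; if it can, `inh` needs a check before the update. The enclosing loop and function start and end outside the hunk.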
diff --git a/lib/librte_ipsec/esp_outb.c b/lib/librte_ipsec/esp_outb.c
index 8c6db3553..55799a867 100644
--- a/lib/librte_ipsec/esp_outb.c
+++ b/lib/librte_ipsec/esp_outb.c
@@ -152,8 +152,8 @@ outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc,
 	rte_memcpy(ph, sa->hdr, sa->hdr_len);
 
 	/* update original and new ip header fields */
-	update_tun_l3hdr(sa, ph + sa->hdr_l3_off, mb->pkt_len - sqh_len,
-			sa->hdr_l3_off, sqn_low16(sqc));
+	update_tun_outb_l3hdr(sa, ph + sa->hdr_l3_off, ph + hlen,
+			mb->pkt_len - sqh_len, sa->hdr_l3_off, sqn_low16(sqc));
 
 	/* update spi, seqn and iv */
 	esph = (struct rte_esp_hdr *)(ph + sa->hdr_len);
diff --git a/lib/librte_ipsec/iph.h b/lib/librte_ipsec/iph.h
index 62d78b7b1..e6a134ff8 100644
--- a/lib/librte_ipsec/iph.h
+++ b/lib/librte_ipsec/iph.h
@@ -101,23 +101,154 @@ update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
 	return rc;
 }
 
+/*
+ * The masks for ipv6 header reconstruction (RFC4301)
+ */
+#define IPV6_DSCP_MASK	(RTE_IP_DSCP_MASK << RTE_IPV6_HDR_TC_SHIFT)
+#define IPV6_ECN_MASK	(RTE_IP_ECN_MASK << RTE_IPV6_HDR_TC_SHIFT)
+#define IPV6_TOS_MASK	(IPV6_ECN_MASK | IPV6_DSCP_MASK)
+#define IPV6_ECN_CE	IPV6_ECN_MASK
+
+/*
+ * The macros to get and set traffic class (TC) for ipv6 packets
+ */
+#define GET_IPV6_TC(vtc_flow)		\
+	(uint32_t)((rte_be_to_cpu_32(vtc_flow)) >> RTE_IPV6_HDR_TC_SHIFT)
+
+#define SET_IPV6_TC(vtc_flow, tc)					\
+	vtc_flow = rte_cpu_to_be_32(tc << RTE_IPV6_HDR_TC_SHIFT) |	\
+		(vtc_flow & (~rte_cpu_to_be_32(IPV6_TOS_MASK)))		\
+
+/**
+ * Update type-of-service/traffic-class field of inbound/outbound tunnel
+ * packet.
+ *
+ * @param ref_h: reference header, for outbound it is inner header, otherwise
+ *   outer header.
+ * @param update_h: header to be updated tos/tc field, for outbound it is outer
+ *   header, otherwise inner header.
+ * @param tos_mask: type-of-service mask stored in sa.
+ * @param is_outh_ipv4: 1 if outer header is ipv4, 0 if it is ipv6.
+ * @param is_inner_ipv4: 1 if inner header is ipv4, 0 if it is ipv6.
+ * @param is_inbound: 1 if it is a inbound packet, 0 if it is outbound.
+ */
+static inline void
+update_tun_tos(const void *ref_h, void *update_h, uint32_t tos_mask,
+		uint8_t is_outh_ipv4, uint8_t is_inh_ipv4, uint8_t is_inbound)
+{
+	uint8_t idx = ((is_inbound << 2) | (is_outh_ipv4 << 1) | is_inh_ipv4);
+	struct rte_ipv4_hdr *v4out_h;
+	struct rte_ipv6_hdr *v6out_h;
+	struct rte_ipv4_hdr *v4in_h;
+	struct rte_ipv6_hdr *v6in_h;
+	uint32_t itp, otp;
+	uint8_t ecn_v4out, ecn_v4in;
+	uint32_t ecn_v6out, ecn_v6in;
+
+	switch (idx) {
+	/* outbound */
+	case 0: /*outh ipv6, inh ipv6 */
+		v6out_h = update_h;
+		otp = GET_IPV6_TC(v6out_h->vtc_flow) & ~tos_mask;
+		itp = GET_IPV6_TC(((const struct rte_ipv6_hdr *)ref_h)->
+				vtc_flow) & tos_mask;
+		SET_IPV6_TC(v6out_h->vtc_flow, (otp | itp));
+		break;
+	case 1: /*outh ipv6, inh ipv4 */
+		v6out_h = update_h;
+		otp = GET_IPV6_TC(v6out_h->vtc_flow) & ~tos_mask;
+		itp = ((const struct rte_ipv4_hdr *)ref_h)->type_of_service &
+				tos_mask;
+		SET_IPV6_TC(v6out_h->vtc_flow, (otp | itp));
+		break;
+	case 2: /*outh ipv4, inh ipv6 */
+		v4out_h = update_h;
+		otp = v4out_h->type_of_service & ~tos_mask;
+		itp = GET_IPV6_TC(((const struct rte_ipv6_hdr *)ref_h)->
+				vtc_flow) & tos_mask;
+		v4out_h->type_of_service = (otp | itp);
+		break;
+	case 3: /* outh ipv4, inh ipv4 */
+		v4out_h = update_h;
+		otp = v4out_h->type_of_service & ~tos_mask;
+		itp = ((const struct rte_ipv4_hdr *)ref_h)->type_of_service &
+				tos_mask;
+		v4out_h->type_of_service = (otp | itp);
+		break;
+	/* inbound */
+	case 4: /* outh ipv6, inh ipv6 */
+		v6in_h = update_h;
+		ecn_v6out = ((const struct rte_ipv6_hdr *)ref_h)->vtc_flow &
+				rte_cpu_to_be_32(IPV6_ECN_MASK);
+		ecn_v6in = v6in_h->vtc_flow & rte_cpu_to_be_32(IPV6_ECN_MASK);
+		if ((ecn_v6out == rte_cpu_to_be_32(IPV6_ECN_CE)) &&
+				(ecn_v6in != 0))
+			v6in_h->vtc_flow |= rte_cpu_to_be_32(IPV6_ECN_CE);
+		break;
+	case 5: /* outh ipv6, inh ipv4 */
+		v4in_h = update_h;
+		ecn_v6out = ((const struct rte_ipv6_hdr *)ref_h)->vtc_flow &
+				rte_cpu_to_be_32(IPV6_ECN_MASK);
+		ecn_v4in = v4in_h->type_of_service & RTE_IP_ECN_MASK;
+		if ((ecn_v6out == rte_cpu_to_be_32(IPV6_ECN_CE)) &&
+				(ecn_v4in != 0))
+			v4in_h->type_of_service |= RTE_IP_ECN_CE;
+		break;
+	case 6: /* outh ipv4, inh ipv6 */
+		v6in_h = update_h;
+		ecn_v4out = ((const struct rte_ipv4_hdr *)ref_h)->
+				type_of_service & RTE_IP_ECN_MASK;
+		ecn_v6in = v6in_h->vtc_flow & rte_cpu_to_be_32(IPV6_ECN_MASK);
+		if (ecn_v4out == RTE_IP_ECN_CE && ecn_v6in != 0)
+			v6in_h->vtc_flow |= rte_cpu_to_be_32(IPV6_ECN_CE);
+		break;
+	case 7: /* outh ipv4, inh ipv4 */
+		v4in_h = update_h;
+		ecn_v4out = ((const struct rte_ipv4_hdr *)ref_h)->
+				type_of_service & RTE_IP_ECN_MASK;
+		ecn_v4in = v4in_h->type_of_service & RTE_IP_ECN_MASK;
+		if (ecn_v4out == RTE_IP_ECN_CE && ecn_v4in != 0)
+			v4in_h->type_of_service |= RTE_IP_ECN_CE;
+		break;
+	}
+}
+
 /* update original and new ip header fields for tunnel case */
 static inline void
-update_tun_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
-		uint32_t l2len, rte_be16_t pid)
+update_tun_outb_l3hdr(const struct rte_ipsec_sa *sa, void *outh,
+		const void *inh, uint32_t plen, uint32_t l2len, rte_be16_t pid)
 {
 	struct rte_ipv4_hdr *v4h;
 	struct rte_ipv6_hdr *v6h;
+	uint8_t is_outh_ipv4;
 
 	if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) {
-		v4h = p;
+		is_outh_ipv4 = 1;
+		v4h = outh;
 		v4h->packet_id = pid;
 		v4h->total_length = rte_cpu_to_be_16(plen - l2len);
 	} else {
-		v6h = p;
+		is_outh_ipv4 = 0;
+		v6h = outh;
 		v6h->payload_len = rte_cpu_to_be_16(plen - l2len -
 				sizeof(*v6h));
 	}
+
+	if (sa->type & TUN_HDR_MSK)
+		update_tun_tos(inh, outh, sa->tos_mask, is_outh_ipv4,
+				((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==
+					RTE_IPSEC_SATP_IPV4), 0);
+}
+
+static inline void
+update_tun_inb_l3hdr(const struct rte_ipsec_sa *sa, const void *outh,
+		void *inh)
+{
+	if (sa->type & TUN_HDR_MSK)
+		update_tun_tos(outh, inh, sa->tos_mask,
+				((sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) != 0),
+				((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==
+						RTE_IPSEC_SATP_IPV4), 1);
 }
 
 #endif /* _IPH_H_ */
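Review bot: In the inbound IPv4 cases of `update_tun_tos()` (cases 5 and 7), `v4in_h->type_of_service |= RTE_IP_ECN_CE` rewrites a byte covered by the inner IPv4 header checksum, and nothing in this hunk adjusts `hdr_checksum` afterwards. Unless a later stage outside this patch recomputes it, the decapsulated packet carries a stale checksum whenever CE is propagated. Recomputing next to the write would close that: `v4in_h->hdr_checksum = 0;` followed by `v4in_h->hdr_checksum = rte_ipv4_cksum(v4in_h);`. Separately, the doc block names `is_inner_ipv4` while the parameter is `is_inh_ipv4`, and `SET_IPV6_TC` uses `tc` unparenthesised, which is safe only because every caller passes `(otp | itp)` in parentheses.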
diff --git a/lib/librte_ipsec/rte_ipsec_sa.h b/lib/librte_ipsec/rte_ipsec_sa.h
index fd9b3ed60..a71b55f68 100644
--- a/lib/librte_ipsec/rte_ipsec_sa.h
+++ b/lib/librte_ipsec/rte_ipsec_sa.h
@@ -95,6 +95,8 @@ enum {
 	RTE_SATP_LOG2_MODE,
 	RTE_SATP_LOG2_SQN = RTE_SATP_LOG2_MODE + 2,
 	RTE_SATP_LOG2_ESN,
+	RTE_SATP_LOG2_ECN,
+	RTE_SATP_LOG2_DSCP,
 	RTE_SATP_LOG2_NUM
 };
 
@@ -123,6 +125,14 @@ enum {
 #define RTE_IPSEC_SATP_ESN_DISABLE	(0ULL << RTE_SATP_LOG2_ESN)
 #define RTE_IPSEC_SATP_ESN_ENABLE	(1ULL << RTE_SATP_LOG2_ESN)
 
+#define RTE_IPSEC_SATP_ECN_MASK		(1ULL << RTE_SATP_LOG2_ECN)
+#define RTE_IPSEC_SATP_ECN_DISABLE	(0ULL << RTE_SATP_LOG2_ECN)
+#define RTE_IPSEC_SATP_ECN_ENABLE	(1ULL << RTE_SATP_LOG2_ECN)
+
+#define RTE_IPSEC_SATP_DSCP_MASK	(1ULL << RTE_SATP_LOG2_DSCP)
+#define RTE_IPSEC_SATP_DSCP_DISABLE	(0ULL << RTE_SATP_LOG2_DSCP)
+#define RTE_IPSEC_SATP_DSCP_ENABLE	(1ULL << RTE_SATP_LOG2_DSCP)
+
 /**
  * get type of given SA
  * @return
diff --git a/lib/librte_ipsec/sa.c b/lib/librte_ipsec/sa.c
index 087de958a..4dec9c37d 100644
--- a/lib/librte_ipsec/sa.c
+++ b/lib/librte_ipsec/sa.c
@@ -214,6 +214,18 @@ fill_sa_type(const struct rte_ipsec_sa_prm *prm, uint64_t *type)
 	else
 		tp |= RTE_IPSEC_SATP_ESN_ENABLE;
 
+	/* check for ECN flag */
+	if (prm->ipsec_xform.options.ecn == 0)
+		tp |= RTE_IPSEC_SATP_ECN_DISABLE;
+	else
+		tp |= RTE_IPSEC_SATP_ECN_ENABLE;
+
+	/* check for DSCP flag */
+	if (prm->ipsec_xform.options.copy_dscp == 0)
+		tp |= RTE_IPSEC_SATP_DSCP_DISABLE;
+	else
+		tp |= RTE_IPSEC_SATP_DSCP_ENABLE;
+
 	/* interpret flags */
 	if (prm->flags & RTE_IPSEC_SAFLAG_SQN_ATOM)
 		tp |= RTE_IPSEC_SATP_SQN_ATOM;
@@ -310,6 +322,12 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 	static const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK |
 				RTE_IPSEC_SATP_MODE_MASK;
 
+	if (prm->ipsec_xform.options.ecn)
+		sa->tos_mask |= RTE_IP_ECN_MASK;
+
+	if (prm->ipsec_xform.options.copy_dscp)
+		sa->tos_mask |= RTE_IP_DSCP_MASK;
+
 	if (cxf->aead != NULL) {
 		switch (cxf->aead->algo) {
 		case RTE_CRYPTO_AEAD_AES_GCM:
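Review bot: `sa->tos_mask` is only ever OR-ed here, so its final value depends on the SA memory having been cleared before `esp_sa_init()` runs. That is not visible in this hunk, since the function starts and ends outside it. If a caller does not zero the structure, stale bits would widen the set of ToS bits copied into the outer header. Either assign it first, `sa->tos_mask = 0;` ahead of the two tests, or document the precondition with a comment such as `/* sa is zeroed by the caller; build the ToS copy mask from the xform options */`.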
diff --git a/lib/librte_ipsec/sa.h b/lib/librte_ipsec/sa.h
index 20c0a65c0..51e69ad05 100644
--- a/lib/librte_ipsec/sa.h
+++ b/lib/librte_ipsec/sa.h
@@ -10,6 +10,7 @@
 #define IPSEC_MAX_HDR_SIZE	64
 #define IPSEC_MAX_IV_SIZE	16
 #define IPSEC_MAX_IV_QWORD	(IPSEC_MAX_IV_SIZE / sizeof(uint64_t))
+#define TUN_HDR_MSK (RTE_IPSEC_SATP_ECN_MASK | RTE_IPSEC_SATP_DSCP_MASK)
 
 /* padding alignment for different algorithms */
 enum {
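Review bot: `TUN_HDR_MSK` folds the ECN and DSCP flags into a single gate, and `update_tun_inb_l3hdr()` in iph.h tests it even though the inbound cases of `update_tun_tos()` never consult `tos_mask`. As written, an SA created with `copy_dscp` set and `ecn` clear still gets CE copied from the outer header into the inner one on decapsulation. The outer IP header is not covered by the ESP integrity check, so this propagation is something the `ecn` option should be able to switch off. Gating the inbound path on the ECN flag alone would do that: `if (sa->type & RTE_IPSEC_SATP_ECN_MASK)`.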
@@ -103,6 +104,7 @@ struct rte_ipsec_sa {
 	uint8_t iv_ofs; /* offset for algo-specific IV inside crypto op */
 	uint8_t iv_len;
 	uint8_t pad_align;
+	uint8_t tos_mask;
 
 	/* template for tunnel header */
 	uint8_t hdr[IPSEC_MAX_HDR_SIZE];
diff --git a/lib/librte_net/rte_ip.h b/lib/librte_net/rte_ip.h
index c2c67b85d..2e5790691 100644
--- a/lib/librte_net/rte_ip.h
+++ b/lib/librte_net/rte_ip.h
@@ -70,6 +70,18 @@ struct rte_ipv4_hdr {
 
 #define	RTE_IPV4_HDR_OFFSET_UNITS	8
 
+/**
+ * RFC 3168 Explicit Congestion Notification (ECN)
+ * * ECT(1) (ECN-Capable Transport(1))
+ * * ECT(0) (ECN-Capable Transport(0))
+ * * ECT(CE)(CE (Congestion Experienced))
+ */
+#define RTE_IP_ECN_MASK		(0x03)
+#define RTE_IP_ECN_CE		RTE_IP_ECN_MASK
+
+/** Packet Option Masks */
+#define RTE_IP_DSCP_MASK		(0xFC)
+
 /*
  * IPv4 address types
  */
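Review bot: The comment above `RTE_IP_ECN_MASK` lists codepoints without their bit values and uses the label `ECT(CE)`, which RFC 3168 does not define (the codepoints are Not-ECT, ECT(1), ECT(0) and CE). `/** Packet Option Masks */` likewise does not describe `RTE_IP_DSCP_MASK`. I would replace them with `/** ECN field: low two bits of the IPv4 ToS / IPv6 traffic class byte; 0x3 is CE */` and `/** DSCP field: upper six bits of the same byte */`. The macros sit next to the IPv4 definitions but iph.h shifts them for IPv6 as well, so the comment should say they apply to both.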
diff --git a/lib/librte_security/rte_security.h b/lib/librte_security/rte_security.h
index 76f54e0e0..d0492928c 100644
--- a/lib/librte_security/rte_security.h
+++ b/lib/librte_security/rte_security.h
@@ -163,6 +163,15 @@ struct rte_security_ipsec_sa_options {
 	 * * 0: Inner packet is not modified.
 	 */
 	uint32_t dec_ttl : 1;
+
+	/**< Explicit Congestion Notification (ECN)
+	 *
+	 * * 1: In tunnel mode, enable outer header ECN Field copied from
+	 *      inner header in tunnel encapsulation, or inner header ECN
+	 *      field construction in decapsulation.
+	 * * 0: Inner/outer header are not modified.
+	 */
+	uint32_t ecn : 1;
 };
 
 /** IPSec security association direction */
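Review bot: The new `ecn` description does not say that on decapsulation the inner ECN field is derived from the outer IP header, which ESP does not authenticate. A reader enabling the option should see that limit, e.g. an added sentence `The outer header is not integrity protected; only CE is propagated, and only when the inner packet is ECN-capable.`, which matches the `ecn_*in != 0` tests in iph.h. The block also opens with `/**<`, which Doxygen attaches to the preceding member (`dec_ttl`) rather than to `ecn`; `/**` binds it to the field below. The struct starts outside this hunk, so whether the earlier members use the same marker is not visible here.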
-- 
2.14.5



Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-17 16:03 [dpdk-dev] [PATCH v1] " Marko Kovacevic
2019-05-19 16:26 ` Ananyev, Konstantin
2019-06-20 12:27   ` Akhil Goyal
2019-06-25 13:43 ` [dpdk-dev] [PATCH v2 0/2] ipsec: ECN and DSCP header reconstruction Fan Zhang
2019-06-25 13:43   ` [dpdk-dev] [PATCH v2 1/2] lib/ipsec: add support for header construction Fan Zhang
2019-06-25 13:43   ` [dpdk-dev] [PATCH v2 2/2] examples/ipsec-secgw: support header reconstruction Fan Zhang
2019-06-26 15:05   ` [dpdk-dev] [PATCH v3 0/2] ipsec: ECN and DSCP " Fan Zhang
2019-06-26 15:05     ` [dpdk-dev] [PATCH v3 1/2] lib/ipsec: add support for header construction Fan Zhang
2019-06-26 22:15       ` Ananyev, Konstantin
2019-06-26 15:05     ` [dpdk-dev] [PATCH v3 2/2] examples/ipsec-secgw: support header reconstruction Fan Zhang
2019-06-28 12:39     ` [dpdk-dev] [PATCH v4 0/2] ipsec: ECN and DSCP " Fan Zhang
2019-06-28 12:39       ` Fan Zhang [this message]
2019-06-28 12:39       ` [dpdk-dev] [PATCH v4 2/2] examples/ipsec-secgw: support " Fan Zhang
2019-06-28 13:22       ` [dpdk-dev] [PATCH v5 0/2] ipsec: ECN and DSCP " Fan Zhang
2019-06-28 13:22         ` [dpdk-dev] [PATCH v5 1/2] lib/ipsec: add support for header construction Fan Zhang
2019-07-01 10:40           ` Ananyev, Konstantin
2019-06-28 13:22         ` [dpdk-dev] [PATCH v5 2/2] examples/ipsec-secgw: support header reconstruction Fan Zhang
2019-07-01 10:41           ` Ananyev, Konstantin
2019-07-01 12:01     ` [dpdk-dev] [PATCH v6 0/2] ipsec: ECN and DSCP " Fan Zhang
2019-07-01 12:01       ` [dpdk-dev] [PATCH v6 1/2] lib/ipsec: add support for header construction Fan Zhang
2019-07-01 13:11         ` Olivier Matz
2019-07-01 12:01       ` [dpdk-dev] [PATCH v6 2/2] examples/ipsec-secgw: support header reconstruction Fan Zhang
2019-07-03 10:11       ` [dpdk-dev] [PATCH v6 0/2] ipsec: ECN and DSCP " Akhil Goyal
2019-07-04 10:42       ` [dpdk-dev] [PATCH v7 " Fan Zhang
2019-07-04 10:42         ` [dpdk-dev] [PATCH v7 1/2] lib/ipsec: add support for header construction Fan Zhang
2019-07-04 10:42         ` [dpdk-dev] [PATCH v7 2/2] examples/ipsec-secgw: support header reconstruction Fan Zhang
2019-07-05 10:12         ` [dpdk-dev] [PATCH v7 0/2] ipsec: ECN and DSCP " Akhil Goyal
