From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by dpdk.space (Postfix) with ESMTP id A4186A0096 for ; Thu, 9 May 2019 20:20:14 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 7290F2C18; Thu, 9 May 2019 20:20:14 +0200 (CEST) Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) by dpdk.org (Postfix) with ESMTP id D438A2C18 for ; Thu, 9 May 2019 20:20:12 +0200 (CEST) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga008.jf.intel.com ([10.7.209.65]) by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 09 May 2019 11:20:12 -0700 X-ExtLoop1: 1 Received: from irsmsx108.ger.corp.intel.com ([163.33.3.3]) by orsmga008.jf.intel.com with ESMTP; 09 May 2019 11:20:10 -0700 Received: from irsmsx105.ger.corp.intel.com ([169.254.7.31]) by IRSMSX108.ger.corp.intel.com ([169.254.11.82]) with mapi id 14.03.0415.000; Thu, 9 May 2019 19:20:09 +0100 From: "Ananyev, Konstantin" To: Kevin Traynor CC: "Zhang, Roy Fan" , Akhil Goyal , dpdk stable Thread-Topic: patch 'examples/ipsec-secgw: fix SPD no-match case' has been queued to LTS release 18.11.2 Thread-Index: AQHVBY8FeMhkvGOXG0u3NpDwTCtGsaZjHF0w Date: Thu, 9 May 2019 18:20:09 +0000 Message-ID: <2601191342CEEE43887BDE71AB9772580148AA3485@irsmsx105.ger.corp.intel.com> References: <20190508111235.746-1-ktraynor@redhat.com> In-Reply-To: <20190508111235.746-1-ktraynor@redhat.com> Accept-Language: en-IE, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-titus-metadata-40: eyJDYXRlZ29yeUxhYmVscyI6IiIsIk1ldGFkYXRhIjp7Im5zIjoiaHR0cDpcL1wvd3d3LnRpdHVzLmNvbVwvbnNcL0ludGVsMyIsImlkIjoiMDExOTNhYjUtMmM4OS00MzEzLWI5MTQtZWIzYWNjZjZhYzQwIiwicHJvcHMiOlt7Im4iOiJDVFBDbGFzc2lmaWNhdGlvbiIsInZhbHMiOlt7InZhbHVlIjoiQ1RQX05UIn1dfV19LCJTdWJqZWN0TGFiZWxzIjpbXSwiVE1DVmVyc2lvbiI6IjE3LjEwLjE4MDQuNDkiLCJUcnVzdGVkTGFiZWxIYXNoIjoid3lBWWhBNDhuOVU4QTRQbzkyS2toQUpJNEw4eTQ0VTkyRm11UENVRjA1NkY2VWM4SUpQNFJOb3pDTFE1QWxLVSJ9 x-ctpclassification: CTP_NT dlp-product: dlpe-windows dlp-version: 11.0.600.7 dlp-reaction: no-action x-originating-ip: [163.33.239.181] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: Re: [dpdk-stable] patch 'examples/ipsec-secgw: fix SPD no-match case' has been queued to LTS release 18.11.2 X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" Hi Kevin, > Hi Konstantin, >=20 > I could rebase this patch but there is a lot of new code in master now, > so can you check the diff and ack if it looks ok or if not, send a backpo= rt > for 18.11 branch, or let me know it's not needed on stable. >=20 > This queued commit can be viewed at: > https://github.com/kevintraynor/dpdk-stable-queue/commit/25df4326290ef72e= b23d74c121a947c911376380 Looks good to me. Thanks Konstantin >=20 > Thanks. >=20 > Kevin Traynor >=20 > --- > From 25df4326290ef72eb23d74c121a947c911376380 Mon Sep 17 00:00:00 2001 > From: Konstantin Ananyev > Date: Thu, 4 Apr 2019 13:13:26 +0100 > Subject: [PATCH] examples/ipsec-secgw: fix SPD no-match case >=20 > [ upstream commit 49757b6845835394d1a9a6efad9356a6da58fd85 ] >=20 > acl_classify() returns zero value when no matching rule was found. > Currently ipsec-secgw treats it as a valid SPI value, though it has > to discard such packets. > Error could be easily observed by sending outbound unmatched packets, > user will see something like that in the log: > IPSEC: No cryptodev: core 7, cipher_algo 0, auth_algo 0, aead_algo 0 >=20 > To fix it we need to treat packets with zero result from acl_classify() > as invalid ones. Also we can change DISCARD and BYPASS values to > simplify checks and save some extra space for valid SPI values. > To summarize the approach: > 1. have special SPI values for DISCARD and BYPASS. > 2. store in SPD full SPI value. > 3. after acl_classify(), first check SPI value for DISCARD and BYPASS, > then convert it in SA index. > 4. add check at initilisation time that for each SPD rule there is a > corresponding SA entry (with the same SPI). >=20 > Also marked few global variables as *static*. >=20 > Fixes: 906257e965b7 ("examples/ipsec-secgw: support IPv6") > Fixes: 2a5106af132b ("examples/ipsec-secgw: fix corner case for SPI value= ") >=20 > Signed-off-by: Konstantin Ananyev > Acked-by: Fan Zhang > Acked-by: Akhil Goyal > --- > examples/ipsec-secgw/ipsec-secgw.c | 20 ++++++------- > examples/ipsec-secgw/ipsec.h | 14 ++++++--- > examples/ipsec-secgw/sa.c | 35 ++++++++++++++++++---- > examples/ipsec-secgw/sp4.c | 47 ++++++++++++++++++++++++++++-- > examples/ipsec-secgw/sp6.c | 47 ++++++++++++++++++++++++++++-- > 5 files changed, 139 insertions(+), 24 deletions(-) >=20 > diff --git a/examples/ipsec-secgw/ipsec-secgw.c b/examples/ipsec-secgw/ip= sec-secgw.c > index 84fd4de12..dfb93375a 100644 > --- a/examples/ipsec-secgw/ipsec-secgw.c > +++ b/examples/ipsec-secgw/ipsec-secgw.c > @@ -427,9 +427,9 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, s= truct traffic_type *ip, > m =3D ip->pkts[i]; > res =3D ip->res[i]; > - if (res & BYPASS) { > + if (res =3D=3D BYPASS) { > ip->pkts[j++] =3D m; > continue; > } > - if (res & DISCARD) { > + if (res =3D=3D DISCARD) { > rte_pktmbuf_free(m); > continue; > @@ -442,7 +442,6 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, s= truct traffic_type *ip, > } >=20 > - sa_idx =3D ip->res[i] & PROTECT_MASK; > - if (sa_idx >=3D IPSEC_SA_MAX_ENTRIES || > - !inbound_sa_check(sa, m, sa_idx)) { > + sa_idx =3D SPI2IDX(res); > + if (!inbound_sa_check(sa, m, sa_idx)) { > rte_pktmbuf_free(m); > continue; > @@ -525,14 +524,13 @@ outbound_sp(struct sp_ctx *sp, struct traffic_type = *ip, > for (i =3D 0; i < ip->num; i++) { > m =3D ip->pkts[i]; > - sa_idx =3D ip->res[i] & PROTECT_MASK; > - if (ip->res[i] & DISCARD) > + sa_idx =3D SPI2IDX(ip->res[i]); > + if (ip->res[i] =3D=3D DISCARD) > rte_pktmbuf_free(m); > - else if (ip->res[i] & BYPASS) > + else if (ip->res[i] =3D=3D BYPASS) > ip->pkts[j++] =3D m; > - else if (sa_idx < IPSEC_SA_MAX_ENTRIES) { > + else { > ipsec->res[ipsec->num] =3D sa_idx; > ipsec->pkts[ipsec->num++] =3D m; > - } else /* invalid SA idx */ > - rte_pktmbuf_free(m); > + } > } > ip->num =3D j; > diff --git a/examples/ipsec-secgw/ipsec.h b/examples/ipsec-secgw/ipsec.h > index 508d87af3..86d8f7df4 100644 > --- a/examples/ipsec-secgw/ipsec.h > +++ b/examples/ipsec-secgw/ipsec.h > @@ -41,8 +41,6 @@ > #define INVALID_SPI (0) >=20 > -#define DISCARD (0x80000000) > -#define BYPASS (0x40000000) > -#define PROTECT_MASK (0x3fffffff) > -#define PROTECT(sa_idx) (SPI2IDX(sa_idx) & PROTECT_MASK) /* SA idx 30 bi= ts */ > +#define DISCARD INVALID_SPI > +#define BYPASS UINT32_MAX >=20 > #define IPSEC_XFORM_MAX 2 > @@ -242,4 +240,12 @@ void > sp6_init(struct socket_ctx *ctx, int32_t socket_id); >=20 > +/* > + * Search through SA entries for given SPI. > + * Returns first entry index if found(greater or equal then zero), > + * or -ENOENT otherwise. > + */ > +int > +sa_spi_present(uint32_t spi, int inbound); > + > void > sa_init(struct socket_ctx *ctx, int32_t socket_id); > diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c > index cd4f369f3..f7b6eb0bb 100644 > --- a/examples/ipsec-secgw/sa.c > +++ b/examples/ipsec-secgw/sa.c > @@ -126,9 +126,9 @@ const struct supported_aead_algo aead_algos[] =3D { > }; >=20 > -struct ipsec_sa sa_out[IPSEC_SA_MAX_ENTRIES]; > -uint32_t nb_sa_out; > +static struct ipsec_sa sa_out[IPSEC_SA_MAX_ENTRIES]; > +static uint32_t nb_sa_out; >=20 > -struct ipsec_sa sa_in[IPSEC_SA_MAX_ENTRIES]; > -uint32_t nb_sa_in; > +static struct ipsec_sa sa_in[IPSEC_SA_MAX_ENTRIES]; > +static uint32_t nb_sa_in; >=20 > static const struct supported_cipher_algo * > @@ -631,5 +631,5 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > } >=20 > -static inline void > +static void > print_one_sa_rule(const struct ipsec_sa *sa, int inbound) > { > @@ -917,4 +917,29 @@ sa_in_add_rules(struct sa_ctx *sa_ctx, const struct = ipsec_sa entries[], > } >=20 > +/* > + * Walk through all SA rules to find an SA with given SPI > + */ > +int > +sa_spi_present(uint32_t spi, int inbound) > +{ > + uint32_t i, num; > + const struct ipsec_sa *sar; > + > + if (inbound !=3D 0) { > + sar =3D sa_in; > + num =3D nb_sa_in; > + } else { > + sar =3D sa_out; > + num =3D nb_sa_out; > + } > + > + for (i =3D 0; i !=3D num; i++) { > + if (sar[i].spi =3D=3D spi) > + return i; > + } > + > + return -ENOENT; > +} > + > void > sa_init(struct socket_ctx *ctx, int32_t socket_id) > diff --git a/examples/ipsec-secgw/sp4.c b/examples/ipsec-secgw/sp4.c > index 6b05daaa9..99362a684 100644 > --- a/examples/ipsec-secgw/sp4.c > +++ b/examples/ipsec-secgw/sp4.c > @@ -100,4 +100,5 @@ parse_sp4_tokens(char **tokens, uint32_t n_tokens, > uint32_t *ri =3D NULL; /* rule index */ > uint32_t ti =3D 0; /* token index */ > + uint32_t tv; >=20 > uint32_t esp_p =3D 0; > @@ -170,6 +171,10 @@ parse_sp4_tokens(char **tokens, uint32_t n_tokens, > return; >=20 > - rule_ipv4->data.userdata =3D > - PROTECT(atoi(tokens[ti])); > + tv =3D atoi(tokens[ti]); > + APP_CHECK(tv !=3D DISCARD && tv !=3D BYPASS, status, > + "invalid SPI: %s", tokens[ti]); > + if (status->status < 0) > + return; > + rule_ipv4->data.userdata =3D tv; >=20 > protect_p =3D 1; > @@ -473,4 +478,34 @@ acl4_init(const char *name, int32_t socketid, const = struct acl4_rules *rules, > } >=20 > +/* > + * check that for each rule it's SPI has a correspondent entry in SAD > + */ > +static int > +check_spi_value(int inbound) > +{ > + uint32_t i, num, spi; > + const struct acl4_rules *acr; > + > + if (inbound !=3D 0) { > + acr =3D acl4_rules_in; > + num =3D nb_acl4_rules_in; > + } else { > + acr =3D acl4_rules_out; > + num =3D nb_acl4_rules_out; > + } > + > + for (i =3D 0; i !=3D num; i++) { > + spi =3D acr[i].data.userdata; > + if (spi !=3D DISCARD && spi !=3D BYPASS && > + sa_spi_present(spi, inbound) < 0) { > + RTE_LOG(ERR, IPSEC, "SPI %u is not present in SAD\n", > + spi); > + return -ENOENT; > + } > + } > + > + return 0; > +} > + > void > sp4_init(struct socket_ctx *ctx, int32_t socket_id) > @@ -489,4 +524,12 @@ sp4_init(struct socket_ctx *ctx, int32_t socket_id) > "initialized\n", socket_id); >=20 > + if (check_spi_value(1) < 0) > + rte_exit(EXIT_FAILURE, > + "Inbound IPv4 SP DB has unmatched in SAD SPIs\n"); > + > + if (check_spi_value(0) < 0) > + rte_exit(EXIT_FAILURE, > + "Outbound IPv4 SP DB has unmatched in SAD SPIs\n"); > + > if (nb_acl4_rules_in > 0) { > name =3D "sp_ip4_in"; > diff --git a/examples/ipsec-secgw/sp6.c b/examples/ipsec-secgw/sp6.c > index dc5b94c6a..bfcabf39c 100644 > --- a/examples/ipsec-secgw/sp6.c > +++ b/examples/ipsec-secgw/sp6.c > @@ -131,4 +131,5 @@ parse_sp6_tokens(char **tokens, uint32_t n_tokens, > uint32_t *ri =3D NULL; /* rule index */ > uint32_t ti =3D 0; /* token index */ > + uint32_t tv; >=20 > uint32_t esp_p =3D 0; > @@ -203,6 +204,10 @@ parse_sp6_tokens(char **tokens, uint32_t n_tokens, > return; >=20 > - rule_ipv6->data.userdata =3D > - PROTECT(atoi(tokens[ti])); > + tv =3D atoi(tokens[ti]); > + APP_CHECK(tv !=3D DISCARD && tv !=3D BYPASS, status, > + "invalid SPI: %s", tokens[ti]); > + if (status->status < 0) > + return; > + rule_ipv6->data.userdata =3D tv; >=20 > protect_p =3D 1; > @@ -587,4 +592,34 @@ acl6_init(const char *name, int32_t socketid, const = struct acl6_rules *rules, > } >=20 > +/* > + * check that for each rule it's SPI has a correspondent entry in SAD > + */ > +static int > +check_spi_value(int inbound) > +{ > + uint32_t i, num, spi; > + const struct acl6_rules *acr; > + > + if (inbound !=3D 0) { > + acr =3D acl6_rules_in; > + num =3D nb_acl6_rules_in; > + } else { > + acr =3D acl6_rules_out; > + num =3D nb_acl6_rules_out; > + } > + > + for (i =3D 0; i !=3D num; i++) { > + spi =3D acr[i].data.userdata; > + if (spi !=3D DISCARD && spi !=3D BYPASS && > + sa_spi_present(spi, inbound) < 0) { > + RTE_LOG(ERR, IPSEC, "SPI %u is not present in SAD\n", > + spi); > + return -ENOENT; > + } > + } > + > + return 0; > +} > + > void > sp6_init(struct socket_ctx *ctx, int32_t socket_id) > @@ -603,4 +638,12 @@ sp6_init(struct socket_ctx *ctx, int32_t socket_id) > "already initialized\n", socket_id); >=20 > + if (check_spi_value(1) < 0) > + rte_exit(EXIT_FAILURE, > + "Inbound IPv6 SP DB has unmatched in SAD SPIs\n"); > + > + if (check_spi_value(0) < 0) > + rte_exit(EXIT_FAILURE, > + "Outbound IPv6 SP DB has unmatched in SAD SPIs\n"); > + > if (nb_acl6_rules_in > 0) { > name =3D "sp_ip6_in"; > -- > 2.20.1 >=20 > --- > Diff of the applied patch vs upstream commit (please double-check if no= n-empty: > --- > --- - 2019-05-08 11:56:59.988734912 +0100 > +++ 0001-examples-ipsec-secgw-fix-SPD-no-match-case.patch 2019-05-08 11:5= 6:59.945803452 +0100 > @@ -1 +1 @@ > -From 49757b6845835394d1a9a6efad9356a6da58fd85 Mon Sep 17 00:00:00 2001 > +From 25df4326290ef72eb23d74c121a947c911376380 Mon Sep 17 00:00:00 2001 > @@ -5,0 +6,2 @@ > +[ upstream commit 49757b6845835394d1a9a6efad9356a6da58fd85 ] > + > @@ -28 +29,0 @@ > -Cc: stable@dpdk.org > @@ -34 +35 @@ > - examples/ipsec-secgw/ipsec-secgw.c | 20 ++++++------ > + examples/ipsec-secgw/ipsec-secgw.c | 20 ++++++------- > @@ -36,4 +37,4 @@ > - examples/ipsec-secgw/sa.c | 35 ++++++++++++++++++--- > - examples/ipsec-secgw/sp4.c | 49 ++++++++++++++++++++++++++++-- > - examples/ipsec-secgw/sp6.c | 49 ++++++++++++++++++++++++++++-- > - 5 files changed, 141 insertions(+), 26 deletions(-) > + examples/ipsec-secgw/sa.c | 35 ++++++++++++++++++---- > + examples/ipsec-secgw/sp4.c | 47 ++++++++++++++++++++++++++++-- > + examples/ipsec-secgw/sp6.c | 47 ++++++++++++++++++++++++++++-- > + 5 files changed, 139 insertions(+), 24 deletions(-) > @@ -42 +43 @@ > -index ffbd00b08..2e203393d 100644 > +index 84fd4de12..dfb93375a 100644 > @@ -45 +46 @@ > -@@ -439,9 +439,9 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, = struct traffic_type *ip, > +@@ -427,9 +427,9 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, = struct traffic_type *ip, > @@ -57 +58 @@ > -@@ -454,7 +454,6 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, = struct traffic_type *ip, > +@@ -442,7 +442,6 @@ inbound_sp_sa(struct sp_ctx *sp, struct sa_ctx *sa, = struct traffic_type *ip, > @@ -67 +68 @@ > -@@ -542,14 +541,13 @@ outbound_sp(struct sp_ctx *sp, struct traffic_type= *ip, > +@@ -525,14 +524,13 @@ outbound_sp(struct sp_ctx *sp, struct traffic_type= *ip, > @@ -88 +89 @@ > -index 99f49d65f..589398f6f 100644 > +index 508d87af3..86d8f7df4 100644 > @@ -91 +92 @@ > -@@ -42,8 +42,6 @@ > +@@ -41,8 +41,6 @@ > @@ -102,2 +103,2 @@ > -@@ -290,4 +288,12 @@ int > - sp6_spi_present(uint32_t spi, int inbound); > +@@ -242,4 +240,12 @@ void > + sp6_init(struct socket_ctx *ctx, int32_t socket_id); > @@ -116 +117 @@ > -index a7298a30c..b850e9839 100644 > +index cd4f369f3..f7b6eb0bb 100644 > @@ -119 +120 @@ > -@@ -127,9 +127,9 @@ const struct supported_aead_algo aead_algos[] =3D { > +@@ -126,9 +126,9 @@ const struct supported_aead_algo aead_algos[] =3D { > @@ -133 +134 @@ > -@@ -632,5 +632,5 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > +@@ -631,5 +631,5 @@ parse_sa_tokens(char **tokens, uint32_t n_tokens, > @@ -140 +141 @@ > -@@ -1117,4 +1117,29 @@ ipsec_satbl_init(struct sa_ctx *ctx, const struct= ipsec_sa *ent, > +@@ -917,4 +917,29 @@ sa_in_add_rules(struct sa_ctx *sa_ctx, const struct= ipsec_sa entries[], > @@ -171 +172 @@ > -index d1dc64bad..ca9ee7f24 100644 > +index 6b05daaa9..99362a684 100644 > @@ -241,7 +241,0 @@ > -@@ -524,5 +567,5 @@ sp4_spi_present(uint32_t spi, int inbound) > - > - for (i =3D 0; i !=3D num; i++) { > -- if (acr[i].data.userdata =3D=3D PROTECT(spi)) > -+ if (acr[i].data.userdata =3D=3D spi) > - return i; > - } > @@ -249 +243 @@ > -index e67d85aaf..76be3d3e9 100644 > +index dc5b94c6a..bfcabf39c 100644 > @@ -319,7 +312,0 @@ > -@@ -638,5 +681,5 @@ sp6_spi_present(uint32_t spi, int inbound) > - > - for (i =3D 0; i !=3D num; i++) { > -- if (acr[i].data.userdata =3D=3D PROTECT(spi)) > -+ if (acr[i].data.userdata =3D=3D spi) > - return i; > - }