Hi Fan,
> From: Zhang, Roy Fan
> Sent: Friday, June 28, 2019 2:23 PM
> To: dev@dpdk.org
> Cc: akhil.goyal@nxp.com; Ananyev, Konstantin <konstantin.ananyev@intel.com>; Zhang, Roy Fan <roy.fan.zhang@intel.com>; Kovacevic,
> Marko <marko.kovacevic@intel.com>
> Subject: [PATCH v5 1/2] lib/ipsec: add support for header construction
>
> Add support for RFC 4301 (5.1.2): update the
> Type of Service field and Traffic Class field
> bits inside ipv4/ipv6 packets for outbound cases
> and inbound cases, which deals with the update of
> the DSCP/ECN bits inside each of the fields.
Two minor nits below.
Apart from that:
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
>
> Signed-off-by: Marko Kovacevic <marko.kovacevic@intel.com>
> Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
> ---
> diff --git a/lib/librte_ipsec/iph.h b/lib/librte_ipsec/iph.h
> index 62d78b7b1..dcf26df1d 100644
> --- a/lib/librte_ipsec/iph.h
> +++ b/lib/librte_ipsec/iph.h
> @@ -101,23 +101,154 @@ update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
> return rc;
> }
>
> +/*
> + * The masks for ipv6 header reconstruction (RFC4301)
> + */
> +#define IPV6_DSCP_MASK (RTE_IP_DSCP_MASK << RTE_IPV6_HDR_TC_SHIFT)
> +#define IPV6_ECN_MASK (RTE_IP_ECN_MASK << RTE_IPV6_HDR_TC_SHIFT)
> +#define IPV6_TOS_MASK (IPV6_ECN_MASK | IPV6_DSCP_MASK)
> +#define IPV6_ECN_CE IPV6_ECN_MASK
> +
> +/*
> + * The macros to get and set traffic class (TC) for ipv6 packets
> + */
> +#define GET_IPV6_TC(vtc_flow) \
> + (uint32_t)((rte_be_to_cpu_32(vtc_flow)) >> RTE_IPV6_HDR_TC_SHIFT)
> +
> +#define SET_IPV6_TC(vtc_flow, tc) \
> + (vtc_flow = rte_cpu_to_be_32(tc << RTE_IPV6_HDR_TC_SHIFT) | \
> + (vtc_flow & (~rte_cpu_to_be_32(IPV6_TOS_MASK))))
> +
For macros we need all their parameter references to be in ().
i.e. (vtc_flow) = rte_cpu_to_be_32((tc) << ...
Though I think inline function would suit better (as you have in previous patch version).
> +/**
> + * Update type-of-service/traffic-class field of inbound/outbound tunnel
> + * packet.
> + *
> + * @param ref_h: reference header, for outbound it is inner header, otherwise
> + * outer header.
> + * @param update_h: header to be updated tos/tc field, for outbound it is outer
> + * header, otherwise inner header.
> + * @param tos_mask: type-of-service mask stored in sa.
> + * @param is_outh_ipv4: 1 if outer header is ipv4, 0 if it is ipv6.
> + * @param is_inner_ipv4: 1 if inner header is ipv4, 0 if it is ipv6.
> + * @param is_inbound: 1 if it is a inbound packet, 0 if it is outbound.
> + */
> +static inline void
> +update_tun_tos(const void *ref_h, void *update_h, uint32_t tos_mask,
> + uint8_t is_outh_ipv4, uint8_t is_inh_ipv4, uint8_t is_inbound)
> +{
> + uint8_t idx = ((is_inbound << 2) | (is_outh_ipv4 << 1) | is_inh_ipv4);
> + struct rte_ipv4_hdr *v4out_h;
> + struct rte_ipv6_hdr *v6out_h;
> + struct rte_ipv4_hdr *v4in_h;
> + struct rte_ipv6_hdr *v6in_h;
> + uint32_t itp, otp;
> + uint8_t ecn_v4out, ecn_v4in;
> + uint32_t ecn_v6out, ecn_v6in;
> +
> + switch (idx) {
> + /* outbound */
> + case 0: /*outh ipv6, inh ipv6 */
> + v6out_h = update_h;
> + otp = GET_IPV6_TC(v6out_h->vtc_flow) & ~tos_mask;
> + itp = GET_IPV6_TC(((const struct rte_ipv6_hdr *)ref_h)->
> + vtc_flow) & tos_mask;
> + SET_IPV6_TC(v6out_h->vtc_flow, (otp | itp));
> + break;
> + case 1: /*outh ipv6, inh ipv4 */
> + v6out_h = update_h;
> + otp = GET_IPV6_TC(v6out_h->vtc_flow) & ~tos_mask;
> + itp = ((const struct rte_ipv4_hdr *)ref_h)->type_of_service &
> + tos_mask;
> + SET_IPV6_TC(v6out_h->vtc_flow, (otp | itp));
> + break;
> + case 2: /*outh ipv4, inh ipv6 */
> + v4out_h = update_h;
> + otp = v4out_h->type_of_service & ~tos_mask;
> + itp = GET_IPV6_TC(((const struct rte_ipv6_hdr *)ref_h)->
> + vtc_flow) & tos_mask;
> + v4out_h->type_of_service = (otp | itp);
> + break;
> + case 3: /* outh ipv4, inh ipv4 */
> + v4out_h = update_h;
> + otp = v4out_h->type_of_service & ~tos_mask;
> + itp = ((const struct rte_ipv4_hdr *)ref_h)->type_of_service &
> + tos_mask;
> + v4out_h->type_of_service = (otp | itp);
> + break;
Looking at the function - it might be better to split it into 2 separate functions:
one for inbound, another for outbound.
Then you'll have identical cases (0-3) for both, and that would probably be easier to follow.
Again in that case you wouldn't need to:
uint8_t idx = ((is_inbound << 2) |...
> + /* inbound */
> + case 4: /* outh ipv6, inh ipv6 */
> + v6in_h = update_h;
> + ecn_v6out = ((const struct rte_ipv6_hdr *)ref_h)->vtc_flow &
> + rte_cpu_to_be_32(IPV6_ECN_MASK);
> + ecn_v6in = v6in_h->vtc_flow & rte_cpu_to_be_32(IPV6_ECN_MASK);
> + if ((ecn_v6out == rte_cpu_to_be_32(IPV6_ECN_CE)) &&
> + (ecn_v6in != 0))
> + v6in_h->vtc_flow |= rte_cpu_to_be_32(IPV6_ECN_CE);
> + break;
> + case 5: /* outh ipv6, inh ipv4 */
> + v4in_h = update_h;
> + ecn_v6out = ((const struct rte_ipv6_hdr *)ref_h)->vtc_flow &
> + rte_cpu_to_be_32(IPV6_ECN_MASK);
> + ecn_v4in = v4in_h->type_of_service & RTE_IP_ECN_MASK;
> + if ((ecn_v6out == rte_cpu_to_be_32(IPV6_ECN_CE)) &&
> + (ecn_v4in != 0))
> + v4in_h->type_of_service |= RTE_IP_ECN_CE;
> + break;
> + case 6: /* outh ipv4, inh ipv6 */
> + v6in_h = update_h;
> + ecn_v4out = ((const struct rte_ipv4_hdr *)ref_h)->
> + type_of_service & RTE_IP_ECN_MASK;
> + ecn_v6in = v6in_h->vtc_flow & rte_cpu_to_be_32(IPV6_ECN_MASK);
> + if (ecn_v4out == RTE_IP_ECN_CE && ecn_v6in != 0)
> + v6in_h->vtc_flow |= rte_cpu_to_be_32(IPV6_ECN_CE);
> + break;
> + case 7: /* outh ipv4, inh ipv4 */
> + v4in_h = update_h;
> + ecn_v4out = ((const struct rte_ipv4_hdr *)ref_h)->
> + type_of_service & RTE_IP_ECN_MASK;
> + ecn_v4in = v4in_h->type_of_service & RTE_IP_ECN_MASK;
> + if (ecn_v4out == RTE_IP_ECN_CE && ecn_v4in != 0)
> + v4in_h->type_of_service |= RTE_IP_ECN_CE;
> + break;
> + }
> +}
> +
@@ -464,6 +464,8 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
uint32_t hl[num], to[num];
struct esp_tail espt[num];
struct rte_mbuf *ml[num];
+ const void *outh;
+ void *inh;
/*
* remove icv, esp trailer and high-order
@@ -489,9 +491,16 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
if (tun_process_check(mb[i], &ml[i], &to[i], espt[i], adj, tl,
sa->proto) == 0) {
+ outh = rte_pktmbuf_mtod_offset(mb[i], uint8_t *,
+ mb[i]->l2_len);
+
/* modify packet's layout */
- tun_process_step2(mb[i], ml[i], hl[i], adj, to[i],
- tl, sqn + k);
+ inh = tun_process_step2(mb[i], ml[i], hl[i], adj,
+ to[i], tl, sqn + k);
+
+ /* update inner ip header */
+ update_tun_inb_l3hdr(sa, outh, inh);
+
/* update mbuf's metadata */
tun_process_step3(mb[i], sa->tx_offload.msk,
sa->tx_offload.val);
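Review bot: The `outh` pointer is captured before `tun_process_step2()` and then dereferenced by `update_tun_inb_l3hdr()` after the packet layout has been changed, and nothing at the assignment records why that read is still valid. The body of step2 is outside this hunk; if it only advances the mbuf data offset the outer header bytes stay in place, but any later change that moves data over the stripped header would make the ECN read see overwritten bytes. A comment at the assignment would pin the assumption, e.g. `/* outer IP header is read after step2 strips it; its bytes must stay intact until update_tun_inb_l3hdr() */`. tun_process itself starts and ends outside the hunk.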
@@ -152,8 +152,8 @@ outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc,
rte_memcpy(ph, sa->hdr, sa->hdr_len);
/* update original and new ip header fields */
- update_tun_l3hdr(sa, ph + sa->hdr_l3_off, mb->pkt_len - sqh_len,
- sa->hdr_l3_off, sqn_low16(sqc));
+ update_tun_outb_l3hdr(sa, ph + sa->hdr_l3_off, ph + hlen,
+ mb->pkt_len - sqh_len, sa->hdr_l3_off, sqn_low16(sqc));
/* update spi, seqn and iv */
esph = (struct rte_esp_hdr *)(ph + sa->hdr_len);
@@ -101,23 +101,154 @@ update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
return rc;
}
+/*
+ * The masks for ipv6 header reconstruction (RFC4301)
+ */
+#define IPV6_DSCP_MASK (RTE_IP_DSCP_MASK << RTE_IPV6_HDR_TC_SHIFT)
+#define IPV6_ECN_MASK (RTE_IP_ECN_MASK << RTE_IPV6_HDR_TC_SHIFT)
+#define IPV6_TOS_MASK (IPV6_ECN_MASK | IPV6_DSCP_MASK)
+#define IPV6_ECN_CE IPV6_ECN_MASK
+
+/*
+ * The macros to get and set traffic class (TC) for ipv6 packets
+ */
+#define GET_IPV6_TC(vtc_flow) \
+ (uint32_t)((rte_be_to_cpu_32(vtc_flow)) >> RTE_IPV6_HDR_TC_SHIFT)
+
+#define SET_IPV6_TC(vtc_flow, tc) \
+ (vtc_flow = rte_cpu_to_be_32(tc << RTE_IPV6_HDR_TC_SHIFT) | \
+ (vtc_flow & (~rte_cpu_to_be_32(IPV6_TOS_MASK))))
+
+/**
+ * Update type-of-service/traffic-class field of inbound/outbound tunnel
+ * packet.
+ *
+ * @param ref_h: reference header, for outbound it is inner header, otherwise
+ * outer header.
+ * @param update_h: header to be updated tos/tc field, for outbound it is outer
+ * header, otherwise inner header.
+ * @param tos_mask: type-of-service mask stored in sa.
+ * @param is_outh_ipv4: 1 if outer header is ipv4, 0 if it is ipv6.
+ * @param is_inner_ipv4: 1 if inner header is ipv4, 0 if it is ipv6.
+ * @param is_inbound: 1 if it is a inbound packet, 0 if it is outbound.
+ */
+static inline void
+update_tun_tos(const void *ref_h, void *update_h, uint32_t tos_mask,
+ uint8_t is_outh_ipv4, uint8_t is_inh_ipv4, uint8_t is_inbound)
+{
+ uint8_t idx = ((is_inbound << 2) | (is_outh_ipv4 << 1) | is_inh_ipv4);
+ struct rte_ipv4_hdr *v4out_h;
+ struct rte_ipv6_hdr *v6out_h;
+ struct rte_ipv4_hdr *v4in_h;
+ struct rte_ipv6_hdr *v6in_h;
+ uint32_t itp, otp;
+ uint8_t ecn_v4out, ecn_v4in;
+ uint32_t ecn_v6out, ecn_v6in;
+
+ switch (idx) {
+ /* outbound */
+ case 0: /*outh ipv6, inh ipv6 */
+ v6out_h = update_h;
+ otp = GET_IPV6_TC(v6out_h->vtc_flow) & ~tos_mask;
+ itp = GET_IPV6_TC(((const struct rte_ipv6_hdr *)ref_h)->
+ vtc_flow) & tos_mask;
+ SET_IPV6_TC(v6out_h->vtc_flow, (otp | itp));
+ break;
+ case 1: /*outh ipv6, inh ipv4 */
+ v6out_h = update_h;
+ otp = GET_IPV6_TC(v6out_h->vtc_flow) & ~tos_mask;
+ itp = ((const struct rte_ipv4_hdr *)ref_h)->type_of_service &
+ tos_mask;
+ SET_IPV6_TC(v6out_h->vtc_flow, (otp | itp));
+ break;
+ case 2: /*outh ipv4, inh ipv6 */
+ v4out_h = update_h;
+ otp = v4out_h->type_of_service & ~tos_mask;
+ itp = GET_IPV6_TC(((const struct rte_ipv6_hdr *)ref_h)->
+ vtc_flow) & tos_mask;
+ v4out_h->type_of_service = (otp | itp);
+ break;
+ case 3: /* outh ipv4, inh ipv4 */
+ v4out_h = update_h;
+ otp = v4out_h->type_of_service & ~tos_mask;
+ itp = ((const struct rte_ipv4_hdr *)ref_h)->type_of_service &
+ tos_mask;
+ v4out_h->type_of_service = (otp | itp);
+ break;
+ /* inbound */
+ case 4: /* outh ipv6, inh ipv6 */
+ v6in_h = update_h;
+ ecn_v6out = ((const struct rte_ipv6_hdr *)ref_h)->vtc_flow &
+ rte_cpu_to_be_32(IPV6_ECN_MASK);
+ ecn_v6in = v6in_h->vtc_flow & rte_cpu_to_be_32(IPV6_ECN_MASK);
+ if ((ecn_v6out == rte_cpu_to_be_32(IPV6_ECN_CE)) &&
+ (ecn_v6in != 0))
+ v6in_h->vtc_flow |= rte_cpu_to_be_32(IPV6_ECN_CE);
+ break;
+ case 5: /* outh ipv6, inh ipv4 */
+ v4in_h = update_h;
+ ecn_v6out = ((const struct rte_ipv6_hdr *)ref_h)->vtc_flow &
+ rte_cpu_to_be_32(IPV6_ECN_MASK);
+ ecn_v4in = v4in_h->type_of_service & RTE_IP_ECN_MASK;
+ if ((ecn_v6out == rte_cpu_to_be_32(IPV6_ECN_CE)) &&
+ (ecn_v4in != 0))
+ v4in_h->type_of_service |= RTE_IP_ECN_CE;
+ break;
+ case 6: /* outh ipv4, inh ipv6 */
+ v6in_h = update_h;
+ ecn_v4out = ((const struct rte_ipv4_hdr *)ref_h)->
+ type_of_service & RTE_IP_ECN_MASK;
+ ecn_v6in = v6in_h->vtc_flow & rte_cpu_to_be_32(IPV6_ECN_MASK);
+ if (ecn_v4out == RTE_IP_ECN_CE && ecn_v6in != 0)
+ v6in_h->vtc_flow |= rte_cpu_to_be_32(IPV6_ECN_CE);
+ break;
+ case 7: /* outh ipv4, inh ipv4 */
+ v4in_h = update_h;
+ ecn_v4out = ((const struct rte_ipv4_hdr *)ref_h)->
+ type_of_service & RTE_IP_ECN_MASK;
+ ecn_v4in = v4in_h->type_of_service & RTE_IP_ECN_MASK;
+ if (ecn_v4out == RTE_IP_ECN_CE && ecn_v4in != 0)
+ v4in_h->type_of_service |= RTE_IP_ECN_CE;
+ break;
+ }
+}
+
/* update original and new ip header fields for tunnel case */
static inline void
-update_tun_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
- uint32_t l2len, rte_be16_t pid)
+update_tun_outb_l3hdr(const struct rte_ipsec_sa *sa, void *outh,
+ const void *inh, uint32_t plen, uint32_t l2len, rte_be16_t pid)
{
struct rte_ipv4_hdr *v4h;
struct rte_ipv6_hdr *v6h;
+ uint8_t is_outh_ipv4;
if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) {
- v4h = p;
+ is_outh_ipv4 = 1;
+ v4h = outh;
v4h->packet_id = pid;
v4h->total_length = rte_cpu_to_be_16(plen - l2len);
} else {
- v6h = p;
+ is_outh_ipv4 = 0;
+ v6h = outh;
v6h->payload_len = rte_cpu_to_be_16(plen - l2len -
sizeof(*v6h));
}
+
+ if (sa->type & TUN_HDR_MSK)
+ update_tun_tos(inh, outh, sa->tos_mask, is_outh_ipv4,
+ ((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==
+ RTE_IPSEC_SATP_IPV4), 0);
+}
+
+static inline void
+update_tun_inb_l3hdr(const struct rte_ipsec_sa *sa, const void *outh,
+ void *inh)
+{
+ if (sa->type & TUN_HDR_MSK)
+ update_tun_tos(outh, inh, sa->tos_mask,
+ ((sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) != 0),
+ ((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==
+ RTE_IPSEC_SATP_IPV4), 1);
}
#endif /* _IPH_H_ */
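Review bot: `update_tun_inb_l3hdr()` gates on `TUN_HDR_MSK`, which is ECN or DSCP, and the inbound cases 4-7 of `update_tun_tos()` never consult `tos_mask`, so an SA created with `copy_dscp` set and `ecn` clear still has CE copied from the outer header into the inner one. The outer IP header is not covered by ESP integrity protection, so on-path changes to the outer ECN bits reach the inner packet even though the `ecn` option is documented as leaving headers unmodified when it is 0; testing `if (sa->type & RTE_IPSEC_SATP_ECN_MASK)` in the inbound helper would limit this to SAs that asked for ECN. Cases 5 and 7 also write the inner IPv4 `type_of_service` without touching the header checksum; unless it is recomputed somewhere outside this hunk, the decapsulated packet leaves with a stale checksum.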
@@ -95,6 +95,8 @@ enum {
RTE_SATP_LOG2_MODE,
RTE_SATP_LOG2_SQN = RTE_SATP_LOG2_MODE + 2,
RTE_SATP_LOG2_ESN,
+ RTE_SATP_LOG2_ECN,
+ RTE_SATP_LOG2_DSCP,
RTE_SATP_LOG2_NUM
};
@@ -123,6 +125,14 @@ enum {
#define RTE_IPSEC_SATP_ESN_DISABLE (0ULL << RTE_SATP_LOG2_ESN)
#define RTE_IPSEC_SATP_ESN_ENABLE (1ULL << RTE_SATP_LOG2_ESN)
+#define RTE_IPSEC_SATP_ECN_MASK (1ULL << RTE_SATP_LOG2_ECN)
+#define RTE_IPSEC_SATP_ECN_DISABLE (0ULL << RTE_SATP_LOG2_ECN)
+#define RTE_IPSEC_SATP_ECN_ENABLE (1ULL << RTE_SATP_LOG2_ECN)
+
+#define RTE_IPSEC_SATP_DSCP_MASK (1ULL << RTE_SATP_LOG2_DSCP)
+#define RTE_IPSEC_SATP_DSCP_DISABLE (0ULL << RTE_SATP_LOG2_DSCP)
+#define RTE_IPSEC_SATP_DSCP_ENABLE (1ULL << RTE_SATP_LOG2_DSCP)
+
/**
* get type of given SA
* @return
@@ -214,6 +214,18 @@ fill_sa_type(const struct rte_ipsec_sa_prm *prm, uint64_t *type)
else
tp |= RTE_IPSEC_SATP_ESN_ENABLE;
+ /* check for ECN flag */
+ if (prm->ipsec_xform.options.ecn == 0)
+ tp |= RTE_IPSEC_SATP_ECN_DISABLE;
+ else
+ tp |= RTE_IPSEC_SATP_ECN_ENABLE;
+
+ /* check for DSCP flag */
+ if (prm->ipsec_xform.options.copy_dscp == 0)
+ tp |= RTE_IPSEC_SATP_DSCP_DISABLE;
+ else
+ tp |= RTE_IPSEC_SATP_DSCP_ENABLE;
+
/* interpret flags */
if (prm->flags & RTE_IPSEC_SAFLAG_SQN_ATOM)
tp |= RTE_IPSEC_SATP_SQN_ATOM;
@@ -310,6 +322,12 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
static const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK |
RTE_IPSEC_SATP_MODE_MASK;
+ if (prm->ipsec_xform.options.ecn)
+ sa->tos_mask |= RTE_IP_ECN_MASK;
+
+ if (prm->ipsec_xform.options.copy_dscp)
+ sa->tos_mask |= RTE_IP_DSCP_MASK;
+
if (cxf->aead != NULL) {
switch (cxf->aead->algo) {
case RTE_CRYPTO_AEAD_AES_GCM:
@@ -10,6 +10,7 @@
#define IPSEC_MAX_HDR_SIZE 64
#define IPSEC_MAX_IV_SIZE 16
#define IPSEC_MAX_IV_QWORD (IPSEC_MAX_IV_SIZE / sizeof(uint64_t))
+#define TUN_HDR_MSK (RTE_IPSEC_SATP_ECN_MASK | RTE_IPSEC_SATP_DSCP_MASK)
/* padding alignment for different algorithms */
enum {
@@ -103,6 +104,7 @@ struct rte_ipsec_sa {
uint8_t iv_ofs; /* offset for algo-specific IV inside crypto op */
uint8_t iv_len;
uint8_t pad_align;
+ uint8_t tos_mask;
/* template for tunnel header */
uint8_t hdr[IPSEC_MAX_HDR_SIZE];
@@ -70,6 +70,18 @@ struct rte_ipv4_hdr {
#define RTE_IPV4_HDR_OFFSET_UNITS 8
+/**
+ * RFC 3168 Explicit Congestion Notification (ECN)
+ * * ECT(1) (ECN-Capable Transport(1))
+ * * ECT(0) (ECN-Capable Transport(0))
+ * * ECT(CE)(CE (Congestion Experienced))
+ */
+#define RTE_IP_ECN_MASK (0x03)
+#define RTE_IP_ECN_CE RTE_IP_ECN_MASK
+
+/** Packet Option Masks */
+#define RTE_IP_DSCP_MASK (0xFC)
+
/*
* IPv4 address types
*/
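Review bot: The doc comment on the new ECN defines lists "ECT(CE)", which is not an RFC 3168 codepoint name, and omits Not-ECT, so a reader cannot tell that `RTE_IP_ECN_CE` being equal to `RTE_IP_ECN_MASK` is intentional (CE is the value with both bits set). I would list the four codepoints with their values, Not-ECT `00`, ECT(1) `01`, ECT(0) `10` and CE `11`, in that comment. `RTE_IP_DSCP_MASK` would also read better with its own description than under the generic `/** Packet Option Masks */`, for example `/** DSCP: upper six bits of the IPv4 TOS / IPv6 traffic class byte */`.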
@@ -163,6 +163,15 @@ struct rte_security_ipsec_sa_options {
* * 0: Inner packet is not modified.
*/
uint32_t dec_ttl : 1;
+
+ /**< Explicit Congestion Notification (ECN)
+ *
+ * * 1: In tunnel mode, enable outer header ECN Field copied from
+ * inner header in tunnel encapsulation, or inner header ECN
+ * field construction in decapsulation.
+ * * 0: Inner/outer header are not modified.
+ */
+ uint32_t ecn : 1;
};
/** IPSec security association direction */