ipsec: support header construction

Add support for RFC 4301(5.1.2) to update of
Type of service field and Traffic class field
bits inside ipv4/ipv6 packets for outbound cases
and inbound cases which deals with the update of
the DSCP/ENC bits inside each of the fields.

Signed-off-by: Marko Kovacevic <marko.kovacevic@intel.com>
Signed-off-by: Fan Zhang <roy.fan.zhang@intel.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev@intel.com>

lib/librte_ipsec/esp_inb.c

@@ -464,6 +464,8 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
 	uint32_t hl[num], to[num];
 	struct esp_tail espt[num];
 	struct rte_mbuf *ml[num];
+	const void *outh;
+	void *inh;
 
 	/*
 	 * remove icv, esp trailer and high-order
@@ -489,9 +491,16 @@ tun_process(const struct rte_ipsec_sa *sa, struct rte_mbuf *mb[],
 		if (tun_process_check(mb[i], &ml[i], &to[i], espt[i], adj, tl,
 					sa->proto) == 0) {
 
+			outh = rte_pktmbuf_mtod_offset(mb[i], uint8_t *,
+					mb[i]->l2_len);
+
 			/* modify packet's layout */
-			tun_process_step2(mb[i], ml[i], hl[i], adj, to[i],
-				tl, sqn + k);
+			inh = tun_process_step2(mb[i], ml[i], hl[i], adj,
+					to[i], tl, sqn + k);
+
+			/* update inner ip header */
+			update_tun_inb_l3hdr(sa, outh, inh);
+
 			/* update mbuf's metadata */
 			tun_process_step3(mb[i], sa->tx_offload.msk,
 				sa->tx_offload.val);

lib/librte_ipsec/esp_outb.c

@@ -152,8 +152,8 @@ outb_tun_pkt_prepare(struct rte_ipsec_sa *sa, rte_be64_t sqc,
 	rte_memcpy(ph, sa->hdr, sa->hdr_len);
 
 	/* update original and new ip header fields */
-	update_tun_l3hdr(sa, ph + sa->hdr_l3_off, mb->pkt_len - sqh_len,
-			sa->hdr_l3_off, sqn_low16(sqc));
+	update_tun_outb_l3hdr(sa, ph + sa->hdr_l3_off, ph + hlen,
+			mb->pkt_len - sqh_len, sa->hdr_l3_off, sqn_low16(sqc));
 
 	/* update spi, seqn and iv */
 	esph = (struct rte_esp_hdr *)(ph + sa->hdr_len);

lib/librte_ipsec/iph.h

@@ -101,23 +101,179 @@ update_trs_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
 	return rc;
 }
 
-/* update original and new ip header fields for tunnel case */
-static inline void
-update_tun_l3hdr(const struct rte_ipsec_sa *sa, void *p, uint32_t plen,
-		uint32_t l2len, rte_be16_t pid)
+/*
+ * Inline functions to get and set ipv6 packet header traffic class (TC) field.
+ */
+static inline uint8_t
+get_ipv6_tc(rte_be32_t vtc_flow)
 {
-	struct rte_ipv4_hdr *v4h;
-	struct rte_ipv6_hdr *v6h;
+	uint32_t v;
 
-	if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) {
-		v4h = p;
-		v4h->packet_id = pid;
-		v4h->total_length = rte_cpu_to_be_16(plen - l2len);
-	} else {
-		v6h = p;
-		v6h->payload_len = rte_cpu_to_be_16(plen - l2len -
-				sizeof(*v6h));
+	v = rte_be_to_cpu_32(vtc_flow);
+	return v >> RTE_IPV6_HDR_TC_SHIFT;
+}
+
+static inline rte_be32_t
+set_ipv6_tc(rte_be32_t vtc_flow, uint32_t tos)
+{
+	uint32_t v;
+
+	v = rte_cpu_to_be_32(tos << RTE_IPV6_HDR_TC_SHIFT);
+	vtc_flow &= ~rte_cpu_to_be_32(RTE_IPV6_HDR_TC_MASK);
+
+	return (v | vtc_flow);
+}
+
+/**
+ * Update type-of-service/traffic-class field of outbound tunnel packet.
+ *
+ * @param ref_h: reference header, for outbound it is inner header, otherwise
+ *   outer header.
+ * @param update_h: header to be updated tos/tc field, for outbound it is outer
+ *   header, otherwise inner header.
+ * @param tos_mask: type-of-service mask stored in sa.
+ * @param is_outh_ipv4: 1 if outer header is ipv4, 0 if it is ipv6.
+ * @param is_inner_ipv4: 1 if inner header is ipv4, 0 if it is ipv6.
+ */
+static inline void
+update_outb_tun_tos(const void *ref_h, void *update_h, uint32_t tos_mask,
+		uint8_t is_outh_ipv4, uint8_t is_inh_ipv4)
+{
+	uint8_t idx = ((is_outh_ipv4 << 1) | is_inh_ipv4);
+	struct rte_ipv4_hdr *v4out_h;
+	struct rte_ipv6_hdr *v6out_h;
+	uint32_t itp, otp;
+
+	switch (idx) {
+	case 0: /*outh ipv6, inh ipv6 */
+		v6out_h = update_h;
+		otp = get_ipv6_tc(v6out_h->vtc_flow) & ~tos_mask;
+		itp = get_ipv6_tc(((const struct rte_ipv6_hdr *)ref_h)->
+				vtc_flow) & tos_mask;
+		v6out_h->vtc_flow = set_ipv6_tc(v6out_h->vtc_flow, otp | itp);
+		break;
+	case 1: /*outh ipv6, inh ipv4 */
+		v6out_h = update_h;
+		otp = get_ipv6_tc(v6out_h->vtc_flow) & ~tos_mask;
+		itp = ((const struct rte_ipv4_hdr *)ref_h)->type_of_service &
+				tos_mask;
+		v6out_h->vtc_flow = set_ipv6_tc(v6out_h->vtc_flow, otp | itp);
+		break;
+	case 2: /*outh ipv4, inh ipv6 */
+		v4out_h = update_h;
+		otp = v4out_h->type_of_service & ~tos_mask;
+		itp = get_ipv6_tc(((const struct rte_ipv6_hdr *)ref_h)->
+				vtc_flow) & tos_mask;
+		v4out_h->type_of_service = (otp | itp);
+		break;
+	case 3: /* outh ipv4, inh ipv4 */
+		v4out_h = update_h;
+		otp = v4out_h->type_of_service & ~tos_mask;
+		itp = ((const struct rte_ipv4_hdr *)ref_h)->type_of_service &
+				tos_mask;
+		v4out_h->type_of_service = (otp | itp);
+		break;
 	}
 }
 
+/**
+ * Update type-of-service/traffic-class field of inbound tunnel packet.
+ *
+ * @param ref_h: reference header, for outbound it is inner header, otherwise
+ *   outer header.
+ * @param update_h: header to be updated tos/tc field, for outbound it is outer
+ *   header, otherwise inner header.
+ * @param is_outh_ipv4: 1 if outer header is ipv4, 0 if it is ipv6.
+ * @param is_inner_ipv4: 1 if inner header is ipv4, 0 if it is ipv6.
+ */
+static inline void
+update_inb_tun_tos(const void *ref_h, void *update_h,
+		uint8_t is_outh_ipv4, uint8_t is_inh_ipv4)
+{
+	uint8_t idx = ((is_outh_ipv4 << 1) | is_inh_ipv4);
+	struct rte_ipv4_hdr *v4in_h;
+	struct rte_ipv6_hdr *v6in_h;
+	uint8_t ecn_v4out, ecn_v4in;
+	uint32_t ecn_v6out, ecn_v6in;
+
+	switch (idx) {
+	case 0: /* outh ipv6, inh ipv6 */
+		v6in_h = update_h;
+		ecn_v6out = ((const struct rte_ipv6_hdr *)ref_h)->vtc_flow &
+				rte_cpu_to_be_32(RTE_IPV6_HDR_ECN_MASK);
+		ecn_v6in = v6in_h->vtc_flow &
+				rte_cpu_to_be_32(RTE_IPV6_HDR_ECN_MASK);
+		if ((ecn_v6out == rte_cpu_to_be_32(RTE_IPV6_HDR_ECN_CE)) &&
+				(ecn_v6in != 0))
+			v6in_h->vtc_flow |=
+					rte_cpu_to_be_32(RTE_IPV6_HDR_ECN_CE);
+		break;
+	case 1: /* outh ipv6, inh ipv4 */
+		v4in_h = update_h;
+		ecn_v6out = ((const struct rte_ipv6_hdr *)ref_h)->vtc_flow &
+				rte_cpu_to_be_32(RTE_IPV6_HDR_ECN_MASK);
+		ecn_v4in = v4in_h->type_of_service & RTE_IPV4_HDR_ECN_MASK;
+		if ((ecn_v6out == rte_cpu_to_be_32(RTE_IPV6_HDR_ECN_CE)) &&
+				(ecn_v4in != 0))
+			v4in_h->type_of_service |= RTE_IPV4_HDR_ECN_CE;
+		break;
+	case 2: /* outh ipv4, inh ipv6 */
+		v6in_h = update_h;
+		ecn_v4out = ((const struct rte_ipv4_hdr *)ref_h)->
+				type_of_service & RTE_IPV4_HDR_ECN_MASK;
+		ecn_v6in = v6in_h->vtc_flow &
+				rte_cpu_to_be_32(RTE_IPV6_HDR_ECN_MASK);
+		if (ecn_v4out == RTE_IPV4_HDR_ECN_CE && ecn_v6in != 0)
+			v6in_h->vtc_flow |=
+					rte_cpu_to_be_32(RTE_IPV6_HDR_ECN_CE);
+		break;
+	case 3: /* outh ipv4, inh ipv4 */
+		v4in_h = update_h;
+		ecn_v4out = ((const struct rte_ipv4_hdr *)ref_h)->
+				type_of_service & RTE_IPV4_HDR_ECN_MASK;
+		ecn_v4in = v4in_h->type_of_service & RTE_IPV4_HDR_ECN_MASK;
+		if (ecn_v4out == RTE_IPV4_HDR_ECN_CE && ecn_v4in != 0)
+			v4in_h->type_of_service |= RTE_IPV4_HDR_ECN_CE;
+		break;
+	}
+}
+
+/* update original and new ip header fields for tunnel case */
+static inline void
+update_tun_outb_l3hdr(const struct rte_ipsec_sa *sa, void *outh,
+		const void *inh, uint32_t plen, uint32_t l2len, rte_be16_t pid)
+{
+	struct rte_ipv4_hdr *v4h;
+	struct rte_ipv6_hdr *v6h;
+	uint8_t is_outh_ipv4;
+
+	if (sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) {
+		is_outh_ipv4 = 1;
+		v4h = outh;
+		v4h->packet_id = pid;
+		v4h->total_length = rte_cpu_to_be_16(plen - l2len);
+	} else {
+		is_outh_ipv4 = 0;
+		v6h = outh;
+		v6h->payload_len = rte_cpu_to_be_16(plen - l2len -
+				sizeof(*v6h));
+	}
+
+	if (sa->type & TUN_HDR_MSK)
+		update_outb_tun_tos(inh, outh, sa->tos_mask, is_outh_ipv4,
+				((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==
+					RTE_IPSEC_SATP_IPV4));
+}
+
+static inline void
+update_tun_inb_l3hdr(const struct rte_ipsec_sa *sa, const void *outh,
+		void *inh)
+{
+	if (sa->type & TUN_HDR_MSK)
+		update_inb_tun_tos(outh, inh,
+				((sa->type & RTE_IPSEC_SATP_MODE_TUNLV4) != 0),
+				((sa->type & RTE_IPSEC_SATP_IPV_MASK) ==
+						RTE_IPSEC_SATP_IPV4));
+}
+
 #endif /* _IPH_H_ */

lib/librte_ipsec/rte_ipsec_sa.h

@@ -95,6 +95,8 @@ enum {
 	RTE_SATP_LOG2_MODE,
 	RTE_SATP_LOG2_SQN = RTE_SATP_LOG2_MODE + 2,
 	RTE_SATP_LOG2_ESN,
+	RTE_SATP_LOG2_ECN,
+	RTE_SATP_LOG2_DSCP,
 	RTE_SATP_LOG2_NUM
 };
 
@@ -123,6 +125,14 @@ enum {
 #define RTE_IPSEC_SATP_ESN_DISABLE	(0ULL << RTE_SATP_LOG2_ESN)
 #define RTE_IPSEC_SATP_ESN_ENABLE	(1ULL << RTE_SATP_LOG2_ESN)
 
+#define RTE_IPSEC_SATP_ECN_MASK		(1ULL << RTE_SATP_LOG2_ECN)
+#define RTE_IPSEC_SATP_ECN_DISABLE	(0ULL << RTE_SATP_LOG2_ECN)
+#define RTE_IPSEC_SATP_ECN_ENABLE	(1ULL << RTE_SATP_LOG2_ECN)
+
+#define RTE_IPSEC_SATP_DSCP_MASK	(1ULL << RTE_SATP_LOG2_DSCP)
+#define RTE_IPSEC_SATP_DSCP_DISABLE	(0ULL << RTE_SATP_LOG2_DSCP)
+#define RTE_IPSEC_SATP_DSCP_ENABLE	(1ULL << RTE_SATP_LOG2_DSCP)
+
 /**
  * get type of given SA
  * @return

lib/librte_ipsec/sa.c

@@ -214,6 +214,18 @@ fill_sa_type(const struct rte_ipsec_sa_prm *prm, uint64_t *type)
 	else
 		tp |= RTE_IPSEC_SATP_ESN_ENABLE;
 
+	/* check for ECN flag */
+	if (prm->ipsec_xform.options.ecn == 0)
+		tp |= RTE_IPSEC_SATP_ECN_DISABLE;
+	else
+		tp |= RTE_IPSEC_SATP_ECN_ENABLE;
+
+	/* check for DSCP flag */
+	if (prm->ipsec_xform.options.copy_dscp == 0)
+		tp |= RTE_IPSEC_SATP_DSCP_DISABLE;
+	else
+		tp |= RTE_IPSEC_SATP_DSCP_ENABLE;
+
 	/* interpret flags */
 	if (prm->flags & RTE_IPSEC_SAFLAG_SQN_ATOM)
 		tp |= RTE_IPSEC_SATP_SQN_ATOM;
@@ -310,6 +322,12 @@ esp_sa_init(struct rte_ipsec_sa *sa, const struct rte_ipsec_sa_prm *prm,
 	static const uint64_t msk = RTE_IPSEC_SATP_DIR_MASK |
 				RTE_IPSEC_SATP_MODE_MASK;
 
+	if (prm->ipsec_xform.options.ecn)
+		sa->tos_mask |= RTE_IPV4_HDR_ECN_MASK;
+
+	if (prm->ipsec_xform.options.copy_dscp)
+		sa->tos_mask |= RTE_IPV4_HDR_DSCP_MASK;
+
 	if (cxf->aead != NULL) {
 		switch (cxf->aead->algo) {
 		case RTE_CRYPTO_AEAD_AES_GCM:

lib/librte_ipsec/sa.h

@@ -10,6 +10,7 @@
 #define IPSEC_MAX_HDR_SIZE	64
 #define IPSEC_MAX_IV_SIZE	16
 #define IPSEC_MAX_IV_QWORD	(IPSEC_MAX_IV_SIZE / sizeof(uint64_t))
+#define TUN_HDR_MSK (RTE_IPSEC_SATP_ECN_MASK | RTE_IPSEC_SATP_DSCP_MASK)
 
 /* padding alignment for different algorithms */
 enum {
@@ -103,6 +104,7 @@ struct rte_ipsec_sa {
 	uint8_t iv_ofs; /* offset for algo-specific IV inside crypto op */
 	uint8_t iv_len;
 	uint8_t pad_align;
+	uint8_t tos_mask;
 
 	/* template for tunnel header */
 	uint8_t hdr[IPSEC_MAX_HDR_SIZE];

lib/librte_net/rte_ip.h

@@ -63,6 +63,7 @@ struct rte_ipv4_hdr {
 /* Type of Service fields */
 #define RTE_IPV4_HDR_DSCP_MASK	(0xfc)
 #define RTE_IPV4_HDR_ECN_MASK	(0x03)
+#define RTE_IPV4_HDR_ECN_CE	RTE_IPV4_HDR_ECN_MASK
 
 /* Fragment Offset * Flags. */
 #define	RTE_IPV4_HDR_DF_SHIFT	14
@@ -368,6 +369,7 @@ struct rte_ipv6_hdr {
 #define RTE_IPV6_HDR_TC_MASK	(0xff << RTE_IPV6_HDR_TC_SHIFT)
 #define RTE_IPV6_HDR_DSCP_MASK	(0xfc << RTE_IPV6_HDR_TC_SHIFT)
 #define RTE_IPV6_HDR_ECN_MASK	(0x03 << RTE_IPV6_HDR_TC_SHIFT)
+#define RTE_IPV6_HDR_ECN_CE	RTE_IPV6_HDR_ECN_MASK
 
 /**
  * Process the pseudo-header checksum of an IPv6 header.

lib/librte_security/rte_security.h

@@ -163,6 +163,15 @@ struct rte_security_ipsec_sa_options {
 	 * * 0: Inner packet is not modified.
 	 */
 	uint32_t dec_ttl : 1;
+
+	/**< Explicit Congestion Notification (ECN)
+	 *
+	 * * 1: In tunnel mode, enable outer header ECN Field copied from
+	 *      inner header in tunnel encapsulation, or inner header ECN
+	 *      field construction in decapsulation.
+	 * * 0: Inner/outer header are not modified.
+	 */
+	uint32_t ecn : 1;
 };
 
 /** IPSec security association direction */