IPSEC: remove byte swap operations in DP during SPD classify

Change-Id: I4bfde738f9585b045cb5ba62cf51b141d639b1b2
Signed-off-by: Neale Ranns <nranns@cisco.com>
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index d0f543f..e6f5bd3 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -150,10 +150,11 @@
   p.is_ipv6 = (itype == IP46_TYPE_IP6);
 
   p.protocol = mp->entry.protocol;
-  p.rport.start = ntohs (mp->entry.remote_port_start);
-  p.rport.stop = ntohs (mp->entry.remote_port_stop);
-  p.lport.start = ntohs (mp->entry.local_port_start);
-  p.lport.stop = ntohs (mp->entry.local_port_stop);
+  /* leave the ports in network order */
+  p.rport.start = mp->entry.remote_port_start;
+  p.rport.stop = mp->entry.remote_port_stop;
+  p.lport.start = mp->entry.local_port_start;
+  p.lport.stop = mp->entry.local_port_stop;
 
   rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
 
@@ -481,10 +482,10 @@
 		     &mp->entry.remote_address_start);
   ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY,
 		     &mp->entry.remote_address_stop);
-  mp->entry.local_port_start = htons (p->lport.start);
-  mp->entry.local_port_stop = htons (p->lport.stop);
-  mp->entry.remote_port_start = htons (p->rport.start);
-  mp->entry.remote_port_stop = htons (p->rport.stop);
+  mp->entry.local_port_start = p->lport.start;
+  mp->entry.local_port_stop = p->lport.stop;
+  mp->entry.remote_port_start = p->rport.start;
+  mp->entry.remote_port_stop = p->rport.stop;
   mp->entry.protocol = p->protocol;
   mp->entry.policy = ipsec_spd_action_encode (p->policy);
   mp->entry.sa_id = htonl (p->sa_id);
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 8a4d068..2020e79 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -291,12 +291,16 @@
 	{
 	  p.lport.start = tmp;
 	  p.lport.stop = tmp2;
+	  p.lport.start = clib_host_to_net_u16 (p.lport.start);
+	  p.lport.stop = clib_host_to_net_u16 (p.lport.stop);
 	}
       else
 	if (unformat (line_input, "remote-port-range %u - %u", &tmp, &tmp2))
 	{
 	  p.rport.start = tmp;
 	  p.rport.stop = tmp2;
+	  p.rport.start = clib_host_to_net_u16 (p.rport.start);
+	  p.rport.stop = clib_host_to_net_u16 (p.rport.stop);
 	}
       else
 	{
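Review bot: The parsed values are narrowed into the 16-bit `p.lport.start`/`p.lport.stop` before the swap with no bounds check, so if `tmp` and `tmp2` are 32-bit (the `%u` conversion suggests they are) a value above 65535 is silently truncated and a different port range lands in the policy; the `remote-port-range` branch has the same pattern. Rejecting the input when `tmp > 0xffff || tmp2 > 0xffff || tmp > tmp2` before storing would stop a typo from installing an unintended selector. The store-then-swap pairs can also be collapsed to `p.lport.start = clib_host_to_net_u16 (tmp);`. The enclosing parse loop starts and ends outside this hunk, so the appropriate error path is not visible here.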
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index aa5562c..3659a7a 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -177,28 +177,18 @@
     {
       s = format (s, " sa %u", p->sa_id);
     }
-  if (p->is_ipv6)
-    {
-      s = format (s, "\n     local addr range %U - %U port range %u - %u",
-		  format_ip6_address, &p->laddr.start.ip6,
-		  format_ip6_address, &p->laddr.stop.ip6,
-		  p->lport.start, p->lport.stop);
-      s = format (s, "\n     remote addr range %U - %U port range %u - %u",
-		  format_ip6_address, &p->raddr.start.ip6,
-		  format_ip6_address, &p->raddr.stop.ip6,
-		  p->rport.start, p->rport.stop);
-    }
-  else
-    {
-      s = format (s, "\n     local addr range %U - %U port range %u - %u",
-		  format_ip4_address, &p->laddr.start.ip4,
-		  format_ip4_address, &p->laddr.stop.ip4,
-		  p->lport.start, p->lport.stop);
-      s = format (s, "\n     remote addr range %U - %U port range %u - %u",
-		  format_ip4_address, &p->raddr.start.ip4,
-		  format_ip4_address, &p->raddr.stop.ip4,
-		  p->rport.start, p->rport.stop);
-    }
+
+  s = format (s, "\n     local addr range %U - %U port range %u - %u",
+	      format_ip46_address, &p->laddr.start, IP46_TYPE_ANY,
+	      format_ip46_address, &p->laddr.stop, IP46_TYPE_ANY,
+	      clib_net_to_host_u16 (p->lport.start),
+	      clib_net_to_host_u16 (p->lport.stop));
+  s = format (s, "\n     remote addr range %U - %U port range %u - %u",
+	      format_ip46_address, &p->raddr.start, IP46_TYPE_ANY,
+	      format_ip46_address, &p->raddr.stop, IP46_TYPE_ANY,
+	      clib_net_to_host_u16 (p->rport.start),
+	      clib_net_to_host_u16 (p->rport.stop));
+
   vlib_get_combined_counter (&ipsec_spd_policy_counters, pi, &counts);
   s = format (s, "\n     packets %u bytes %u", counts.packets, counts.bytes);
 
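Review bot: Passing `IP46_TYPE_ANY` makes `format_ip46_address` guess the address family from the address bytes instead of from `p->is_ipv6`, which the removed branches used. As far as I know, that guess treats an address whose upper 96 bits are zero as IPv4, so an IPv6 policy bound such as `::` or `::1` would be printed as an IPv4 address, which is misleading when an operator audits the SPD. Passing `p->is_ipv6 ? IP46_TYPE_IP6 : IP46_TYPE_IP4` in all four places keeps the output tied to the policy's declared family. The function body starts and ends outside this hunk.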
diff --git a/src/vnet/ipsec/ipsec_output.c b/src/vnet/ipsec/ipsec_output.c
index a255376..83ab629 100644
--- a/src/vnet/ipsec/ipsec_output.c
+++ b/src/vnet/ipsec/ipsec_output.c
@@ -82,16 +82,16 @@
     if (PREDICT_FALSE (p->protocol && (p->protocol != pr)))
       continue;
 
-    if (ra < clib_net_to_host_u32 (p->raddr.start.ip4.as_u32))
+    if (ra < p->raddr.start.ip4.as_u32)
       continue;
 
-    if (ra > clib_net_to_host_u32 (p->raddr.stop.ip4.as_u32))
+    if (ra > p->raddr.stop.ip4.as_u32)
       continue;
 
-    if (la < clib_net_to_host_u32 (p->laddr.start.ip4.as_u32))
+    if (la < p->laddr.start.ip4.as_u32)
       continue;
 
-    if (la > clib_net_to_host_u32 (p->laddr.stop.ip4.as_u32))
+    if (la > p->laddr.stop.ip4.as_u32)
       continue;
 
     if (PREDICT_FALSE
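Review bot: The four range checks now compare network-order words with `<` and `>`, which does not preserve numeric order on a little-endian host: in a constructed example, 10.0.0.255 reads as 0xff00000a and 10.0.1.0 as 0x0001000a, so a range between them has start > stop and matches nothing, while other ranges can admit addresses outside their bounds. Only policies with start == stop are unaffected, so packets can be classified against the wrong protect/bypass/discard entry or against none. The same applies to the port arguments passed unswapped in the two later hunks of this file and to the `port_range_t` bounds now stored in network order. Either keep the comparison in host order, e.g. `if (ra < clib_net_to_host_u32 (p->raddr.start.ip4.as_u32))`, or convert the bounds to host order once when the policy is added and swap only the packet fields. The loop body continues outside this hunk.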
@@ -239,10 +239,8 @@
 	  p0 = ipsec6_output_policy_match (spd0,
 					   &ip6_0->src_address,
 					   &ip6_0->dst_address,
-					   clib_net_to_host_u16
-					   (udp0->src_port),
-					   clib_net_to_host_u16
-					   (udp0->dst_port), ip6_0->protocol);
+					   udp0->src_port,
+					   udp0->dst_port, ip6_0->protocol);
 	}
       else
 	{
@@ -258,14 +256,9 @@
 #endif
 
 	  p0 = ipsec_output_policy_match (spd0, ip0->protocol,
-					  clib_net_to_host_u32
-					  (ip0->src_address.as_u32),
-					  clib_net_to_host_u32
-					  (ip0->dst_address.as_u32),
-					  clib_net_to_host_u16
-					  (udp0->src_port),
-					  clib_net_to_host_u16
-					  (udp0->dst_port));
+					  ip0->src_address.as_u32,
+					  ip0->dst_address.as_u32,
+					  udp0->src_port, udp0->dst_port);
 	}
       tcp0 = (void *) udp0;
 
diff --git a/src/vnet/ipsec/ipsec_spd_policy.h b/src/vnet/ipsec/ipsec_spd_policy.h
index 6d6b695..d4472e6 100644
--- a/src/vnet/ipsec/ipsec_spd_policy.h
+++ b/src/vnet/ipsec/ipsec_spd_policy.h
@@ -39,6 +39,7 @@
 
 typedef struct
 {
+  /* Ports stored in network byte order */
   u16 start, stop;
 } port_range_t;