geneve gtpu vxlan vxlan-gpe: VRF-aware bypass node

Bypass node MUST NOT intercept a packet if destination IP doesn’t match
a local address.  However IP address interpretation depends on the VRF,
hence bypass node must take that into account.

This patch also factors out the common VTEP management and checking code.

Type: improvement
Signed-off-by: Nick Zavaritsky <nick.zavaritsky@emnify.com>
Change-Id: I5665d94882bbf45d15f8da140c7ada528ec7fa94
diff --git a/src/vnet/vxlan/decap.c b/src/vnet/vxlan/decap.c
index 764dfca..3b428be 100644
--- a/src/vnet/vxlan/decap.c
+++ b/src/vnet/vxlan/decap.c
@@ -46,20 +46,6 @@
 		 t->tunnel_index, t->vni, t->next_index, t->error);
 }
 
-always_inline u32
-buf_fib_index (vlib_buffer_t * b, u32 is_ip4)
-{
-  u32 sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_TX];
-  if (sw_if_index != (u32) ~ 0)
-    return sw_if_index;
-
-  u32 *fib_index_by_sw_if_index = is_ip4 ?
-    ip4_main.fib_index_by_sw_if_index : ip6_main.fib_index_by_sw_if_index;
-  sw_if_index = vnet_buffer (b)->sw_if_index[VLIB_RX];
-
-  return vec_elt (fib_index_by_sw_if_index, sw_if_index);
-}
-
 typedef vxlan4_tunnel_key_t last_tunnel_cache4;
 
 static const vxlan_decap_info_t decap_not_found = {
@@ -246,8 +232,8 @@
       vlib_buffer_advance (b[0], sizeof *vxlan0);
       vlib_buffer_advance (b[1], sizeof *vxlan1);
 
-      u32 fi0 = buf_fib_index (b[0], is_ip4);
-      u32 fi1 = buf_fib_index (b[1], is_ip4);
+      u32 fi0 = vlib_buffer_get_ip_fib_index (b[0], is_ip4);
+      u32 fi1 = vlib_buffer_get_ip_fib_index (b[1], is_ip4);
 
       vxlan_decap_info_t di0 = is_ip4 ?
 	vxlan4_find_tunnel (vxm, &last4, fi0, ip4_0, vxlan0, &stats_if0) :
@@ -349,7 +335,7 @@
       /* pop (ip, udp, vxlan) */
       vlib_buffer_advance (b[0], sizeof (*vxlan0));
 
-      u32 fi0 = buf_fib_index (b[0], is_ip4);
+      u32 fi0 = vlib_buffer_get_ip_fib_index (b[0], is_ip4);
 
       vxlan_decap_info_t di0 = is_ip4 ?
 	vxlan4_find_tunnel (vxm, &last4, fi0, ip4_0, vxlan0, &stats_if0) :
@@ -468,8 +454,10 @@
   u32 *from, *to_next, n_left_from, n_left_to_next, next_index;
   vlib_node_runtime_t *error_node =
     vlib_node_get_runtime (vm, ip4_input_node.index);
-  ip4_address_t addr4;		/* last IPv4 address matching a local VTEP address */
-  ip6_address_t addr6;		/* last IPv6 address matching a local VTEP address */
+  vtep4_key_t last_vtep4;	/* last IPv4 address / fib index
+				   matching a local VTEP address */
+  vtep6_key_t last_vtep6;	/* last IPv6 address / fib index
+				   matching a local VTEP address */
 
   from = vlib_frame_vector_args (frame);
   n_left_from = frame->n_vectors;
@@ -479,9 +467,9 @@
     ip4_forward_next_trace (vm, node, frame, VLIB_TX);
 
   if (is_ip4)
-    addr4.data_u32 = ~0;
+    vtep4_key_init (&last_vtep4);
   else
-    ip6_address_set_zero (&addr6);
+    vtep6_key_init (&last_vtep6);
 
   while (n_left_from > 0)
     {
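Review bot: The one-entry caches seeded by `vtep4_key_init (&last_vtep4)` and `vtep6_key_init (&last_vtep6)` are only safe if the seed can never equal a key built from a real packet, and nothing at this call site says so. The removed seeds (`~0` for IPv4, all-zero for IPv6) were themselves representable destination addresses, so a packet carrying that destination would have compared equal to the cache and skipped the hash lookup. The helpers are defined outside this diff, so whether the new seed closes that gap (for example by pairing the address with an invalid fib index) cannot be confirmed from here. I would add `/* seed the cache with a key no packet can produce, so the first packet always consults the VTEP table */` above the `if (is_ip4)` and make sure the helper guarantees it. The enclosing function starts and ends outside the hunk.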
@@ -565,21 +553,13 @@
 	  /* Validate DIP against VTEPs */
 	  if (is_ip4)
 	    {
-	      if (addr4.as_u32 != ip40->dst_address.as_u32)
-		{
-		  if (!hash_get (vxm->vtep4, ip40->dst_address.as_u32))
-		    goto exit0;	/* no local VTEP for VXLAN packet */
-		  addr4 = ip40->dst_address;
-		}
+	      if (!vtep4_check (&vxm->vtep_table, b0, ip40, &last_vtep4))
+		goto exit0;	/* no local VTEP for VXLAN packet */
 	    }
 	  else
 	    {
-	      if (!ip6_address_is_equal (&addr6, &ip60->dst_address))
-		{
-		  if (!hash_get_mem (vxm->vtep6, &ip60->dst_address))
-		    goto exit0;	/* no local VTEP for VXLAN packet */
-		  addr6 = ip60->dst_address;
-		}
+	      if (!vtep6_check (&vxm->vtep_table, b0, ip60, &last_vtep6))
+		goto exit0;	/* no local VTEP for VXLAN packet */
 	    }
 
 	  flags0 = b0->flags;
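Review bot: The comment `/* Validate DIP against VTEPs */` above the new `vtep4_check` / `vtep6_check` calls no longer describes the check, which per the commit message is now made within the packet's VRF; the same applies to the two later call sites (the `exit1` and `exit` variants). Suggest `/* Validate (fib index, DIP) against local VTEPs: a DIP that is a VTEP only in another VRF must not be bypassed */`, and `/* no local VTEP in this VRF */` on the goto lines. The fib index is derived from `b0` inside the helper, which is not visible here. It is worth confirming that it is obtained the same way as `vlib_buffer_get_ip_fib_index` in the decap node and corresponds to the `t->encap_fib_index` the VTEP is registered under, since otherwise the bypass check and the tunnel lookup could disagree about which VRF a packet belongs to. The enclosing function extends outside the hunk.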
@@ -651,21 +631,13 @@
 	  /* Validate DIP against VTEPs */
 	  if (is_ip4)
 	    {
-	      if (addr4.as_u32 != ip41->dst_address.as_u32)
-		{
-		  if (!hash_get (vxm->vtep4, ip41->dst_address.as_u32))
-		    goto exit1;	/* no local VTEP for VXLAN packet */
-		  addr4 = ip41->dst_address;
-		}
+	      if (!vtep4_check (&vxm->vtep_table, b1, ip41, &last_vtep4))
+		goto exit1;	/* no local VTEP for VXLAN packet */
 	    }
 	  else
 	    {
-	      if (!ip6_address_is_equal (&addr6, &ip61->dst_address))
-		{
-		  if (!hash_get_mem (vxm->vtep6, &ip61->dst_address))
-		    goto exit1;	/* no local VTEP for VXLAN packet */
-		  addr6 = ip61->dst_address;
-		}
+	      if (!vtep6_check (&vxm->vtep_table, b1, ip61, &last_vtep6))
+		goto exit1;	/* no local VTEP for VXLAN packet */
 	    }
 
 	  flags1 = b1->flags;
@@ -773,21 +745,13 @@
 	  /* Validate DIP against VTEPs */
 	  if (is_ip4)
 	    {
-	      if (addr4.as_u32 != ip40->dst_address.as_u32)
-		{
-		  if (!hash_get (vxm->vtep4, ip40->dst_address.as_u32))
-		    goto exit;	/* no local VTEP for VXLAN packet */
-		  addr4 = ip40->dst_address;
-		}
+	      if (!vtep4_check (&vxm->vtep_table, b0, ip40, &last_vtep4))
+		goto exit;	/* no local VTEP for VXLAN packet */
 	    }
 	  else
 	    {
-	      if (!ip6_address_is_equal (&addr6, &ip60->dst_address))
-		{
-		  if (!hash_get_mem (vxm->vtep6, &ip60->dst_address))
-		    goto exit;	/* no local VTEP for VXLAN packet */
-		  addr6 = ip60->dst_address;
-		}
+	      if (!vtep6_check (&vxm->vtep_table, b0, ip60, &last_vtep6))
+		goto exit;	/* no local VTEP for VXLAN packet */
 	    }
 
 	  flags0 = b0->flags;
diff --git a/src/vnet/vxlan/vxlan.c b/src/vnet/vxlan/vxlan.c
index 3264749..ea1748c 100644
--- a/src/vnet/vxlan/vxlan.c
+++ b/src/vnet/vxlan/vxlan.c
@@ -291,35 +291,6 @@
   return decap_next_index < r->n_next_nodes;
 }
 
-static uword
-vtep_addr_ref (ip46_address_t * ip)
-{
-  uword *vtep = ip46_address_is_ip4 (ip) ?
-    hash_get (vxlan_main.vtep4, ip->ip4.as_u32) :
-    hash_get_mem (vxlan_main.vtep6, &ip->ip6);
-  if (vtep)
-    return ++(*vtep);
-  ip46_address_is_ip4 (ip) ?
-    hash_set (vxlan_main.vtep4, ip->ip4.as_u32, 1) :
-    hash_set_mem_alloc (&vxlan_main.vtep6, &ip->ip6, 1);
-  return 1;
-}
-
-static uword
-vtep_addr_unref (ip46_address_t * ip)
-{
-  uword *vtep = ip46_address_is_ip4 (ip) ?
-    hash_get (vxlan_main.vtep4, ip->ip4.as_u32) :
-    hash_get_mem (vxlan_main.vtep6, &ip->ip6);
-  ALWAYS_ASSERT (vtep);
-  if (--(*vtep) != 0)
-    return *vtep;
-  ip46_address_is_ip4 (ip) ?
-    hash_unset (vxlan_main.vtep4, ip->ip4.as_u32) :
-    hash_unset_mem_free (&vxlan_main.vtep6, &ip->ip6);
-  return 0;
-}
-
 /* *INDENT-OFF* */
 typedef CLIB_PACKED(union
 {
@@ -513,7 +484,7 @@
 	   * when the forwarding for the entry updates, and the tunnel can
 	   * re-stack accordingly
 	   */
-	  vtep_addr_ref (&t->src);
+	  vtep_addr_ref (&vxm->vtep_table, t->encap_fib_index, &t->src);
 	  t->fib_entry_index = fib_entry_track (t->encap_fib_index,
 						&tun_dst_pfx,
 						FIB_NODE_TYPE_VXLAN_TUNNEL,
@@ -530,7 +501,8 @@
 	   */
 	  fib_protocol_t fp = fib_ip_proto (is_ip6);
 
-	  if (vtep_addr_ref (&t->dst) == 1)
+	  if (vtep_addr_ref (&vxm->vtep_table,
+			     t->encap_fib_index, &t->dst) == 1)
 	    {
 	      fib_node_index_t mfei;
 	      adj_index_t ai;
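Review bot: `vtep_addr_ref (&vxm->vtep_table, t->encap_fib_index, &t->dst) == 1` now takes the fib index and so presumably counts references per (fib index, address), but the shared multicast state it gates still appears to be keyed on the address alone: see `mcast_shared_remove (&t->dst)` in the delete hunk and the `/* keyed on mcast ip46 addr */` comment in vxlan.h. With two tunnels using the same multicast group in different encap FIBs, each would see a count of 1 and run the first-user setup, and the first tunnel deleted would reach 0 and remove the shared entry while the other still relies on it. The body of the `== 1` branch continues outside this hunk, so this is inferred from the visible keys. Either key `mcast_shared` on the same (fib index, address) pair or keep an address-only count for the multicast case.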
@@ -619,10 +591,11 @@
 	  if (t->flow_index != ~0)
 	    vnet_flow_del (vnm, t->flow_index);
 
-	  vtep_addr_unref (&t->src);
+	  vtep_addr_unref (&vxm->vtep_table, t->encap_fib_index, &t->src);
 	  fib_entry_untrack (t->fib_entry_index, t->sibling_index);
 	}
-      else if (vtep_addr_unref (&t->dst) == 0)
+      else if (vtep_addr_unref (&vxm->vtep_table,
+				t->encap_fib_index, &t->dst) == 0)
 	{
 	  mcast_shared_remove (&t->dst);
 	}
@@ -1261,7 +1234,7 @@
 			 VXLAN_HASH_NUM_BUCKETS, VXLAN_HASH_MEMORY_SIZE);
   clib_bihash_init_24_8 (&vxm->vxlan6_tunnel_by_key, "vxlan6",
 			 VXLAN_HASH_NUM_BUCKETS, VXLAN_HASH_MEMORY_SIZE);
-  vxm->vtep6 = hash_create_mem (0, sizeof (ip6_address_t), sizeof (uword));
+  vxm->vtep_table = vtep_table_create ();
   vxm->mcast_shared = hash_create_mem (0,
 				       sizeof (ip46_address_t),
 				       sizeof (mcast_shared_t));
diff --git a/src/vnet/vxlan/vxlan.h b/src/vnet/vxlan/vxlan.h
index e8fc15b..772c9d7 100644
--- a/src/vnet/vxlan/vxlan.h
+++ b/src/vnet/vxlan/vxlan.h
@@ -21,6 +21,7 @@
 #include <vppinfra/bihash_24_8.h>
 #include <vnet/vnet.h>
 #include <vnet/ip/ip.h>
+#include <vnet/ip/vtep.h>
 #include <vnet/l2/l2_input.h>
 #include <vnet/l2/l2_output.h>
 #include <vnet/l2/l2_bd.h>
@@ -163,8 +164,7 @@
 
   /* local VTEP IPs ref count used by vxlan-bypass node to check if
      received VXLAN packet DIP matches any local VTEP address */
-  uword *vtep4;			/* local ip4 VTEPs keyed on their ip4 addr */
-  uword *vtep6;			/* local ip6 VTEPs keyed on their ip6 addr */
+  vtep_table_t vtep_table;
 
   /* mcast shared info */
   uword *mcast_shared;		/* keyed on mcast ip46 addr */
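Review bot: The comment kept above the new `vtep_table` field still says the bypass node checks whether the DIP matches "any local VTEP address", and the per-field notes on what each hash was keyed on were dropped along with the old fields. Suggest rewording it to `/* local VTEP ref counts keyed on (fib index, address); used by vxlan-bypass to check that a received packet's DIP is a local VTEP in the packet's VRF */`. The struct continues outside this hunk.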