Skip to content

[vslib]Add MACsec forward and filters to HostInterfaceInfo #719

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 5 commits into from
Dec 1, 2020
Merged

[vslib]Add MACsec forward and filters to HostInterfaceInfo #719

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
8b4cb33
Add MACsec forward and filters to HostInterfaceInfo
Pterosaur Nov 23, 2020
fe58aaa
Polish code
Pterosaur Nov 26, 2020
8b7f3f8
Polish code
Pterosaur Nov 26, 2020
38be8ab
Move variables into namespace
Pterosaur Nov 27, 2020
f98468c
Change TrafficForwarder::sendTo function to be virtual
Pterosaur Nov 27, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion vslib/inc/HostInterfaceInfo.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ extern "C" {

#include "EventQueue.h"
#include "TrafficFilterPipes.h"
#include "TrafficForwarder.h"

#include "swss/selectableevent.h"

Expand All @@ -15,7 +16,8 @@ extern "C" {

namespace saivs
{
class HostInterfaceInfo
class HostInterfaceInfo :
public TrafficForwarder
{
private:

Expand Down
6 changes: 3 additions & 3 deletions vslib/inc/MACsecForwarder.h
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
#pragma once

#include "HostInterfaceInfo.h"
#include "TrafficForwarder.h"

#include "swss/sal.h"
#include "swss/selectableevent.h"
Expand All @@ -11,12 +12,12 @@

namespace saivs
{
class MACsecForwarder
class MACsecForwarder :
public TrafficForwarder
{
public:
MACsecForwarder(
_In_ const std::string &macsecInterfaceName,
_In_ int tapfd,
_In_ std::shared_ptr<HostInterfaceInfo> info);

virtual ~MACsecForwarder();
Expand All @@ -26,7 +27,6 @@ namespace saivs
void forward();

private:
int m_tapfd;
int m_macsecfd;

const std::string m_macsecInterfaceName;
Expand Down
29 changes: 29 additions & 0 deletions vslib/inc/TrafficForwarder.h
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
#pragma once

#include "swss/sal.h"

#include <stddef.h>
#include <sys/socket.h>

namespace saivs
{
class TrafficForwarder
{
public:
virtual ~TrafficForwarder() = default;

protected:
TrafficForwarder() = default;

void add_vlan_tag(
_Inout_ unsigned char *buffer,
_Inout_ size_t &length,
_Inout_ struct msghdr &msg) const;

bool send_to(
_In_ int fd,
_In_ const unsigned char *buffer,
_In_ size_t &length) const;

};
}
63 changes: 8 additions & 55 deletions vslib/src/HostInterfaceInfo.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -195,9 +195,10 @@ void HostInterfaceInfo::veth2tap_fun()
continue;
}

// Buffer include the ingress packets
// MACsec scenario: EAPOL packets and encrypted packets
size_t length = static_cast<size_t>(size);
auto ret = m_e2tFilters.execute(buffer, length);
size = static_cast<ssize_t>(length);

if (ret == TrafficFilter::TERMINATE)
{
Expand All @@ -209,63 +210,13 @@ void HostInterfaceInfo::veth2tap_fun()
return;
}

struct cmsghdr *cmsg;

for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL; cmsg = CMSG_NXTHDR(&msg, cmsg))
{
if (cmsg->cmsg_level != SOL_PACKET || cmsg->cmsg_type != PACKET_AUXDATA)
continue;

struct tpacket_auxdata* aux = (struct tpacket_auxdata*)CMSG_DATA(cmsg);

if ((aux->tp_status & TP_STATUS_VLAN_VALID) &&
(aux->tp_status & TP_STATUS_VLAN_TPID_VALID))
{
SWSS_LOG_DEBUG("got vlan tci: 0x%x, vlanid: %d", aux->tp_vlan_tci, aux->tp_vlan_tci & 0xFFF);

// inject vlan tag into frame

// for overlapping buffers
memmove(buffer + 2 * MAC_ADDRESS_SIZE + VLAN_TAG_SIZE,
buffer + 2 * MAC_ADDRESS_SIZE,
size - (2 * MAC_ADDRESS_SIZE));

uint16_t tci = htons(aux->tp_vlan_tci);
uint16_t tpid = htons(IEEE_8021Q_ETHER_TYPE);

uint8_t* pvlan = (uint8_t *)(buffer + 2 * MAC_ADDRESS_SIZE);
memcpy(pvlan, &tpid, sizeof(uint16_t));
memcpy(pvlan + sizeof(uint16_t), &tci, sizeof(uint16_t));

size += VLAN_TAG_SIZE;

break;
}
}
add_vlan_tag(buffer, length, msg);

async_process_packet_for_fdb_event(buffer, size);
async_process_packet_for_fdb_event(buffer, length);

if (write(m_tapfd, buffer, size) < 0)
if (!send_to(m_tapfd, buffer, length))
{
/*
* We filter out EIO because of this patch:
* https://github.com/torvalds/linux/commit/1bd4978a88ac2589f3105f599b1d404a312fb7f6
*/

if (errno != ENETDOWN && errno != EIO)
{
SWSS_LOG_ERROR("failed to write to tap device fd %d, errno(%d): %s",
m_tapfd, errno, strerror(errno));
}

if (errno == EBADF)
{
// bad file descriptor, just end thread
SWSS_LOG_NOTICE("ending thread for tap fd %d", m_tapfd);
return;
}

continue;
break;
}
}

Expand Down Expand Up @@ -316,6 +267,8 @@ void HostInterfaceInfo::tap2veth_fun()
continue;
}

// Buffer include the egress packets
// MACsec scenario: EAPOL packets and plaintext packets
size_t length = static_cast<size_t>(size);
auto ret = m_t2eFilters.execute(buffer, length);
size = static_cast<ssize_t>(length);
Expand Down
79 changes: 12 additions & 67 deletions vslib/src/MACsecForwarder.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,15 +22,18 @@ using namespace saivs;

MACsecForwarder::MACsecForwarder(
_In_ const std::string &macsecInterfaceName,
_In_ int tapfd,
_In_ std::shared_ptr<HostInterfaceInfo> info):
m_tapfd(tapfd),
m_macsecInterfaceName(macsecInterfaceName),
m_runThread(true),
m_info(info)
{
SWSS_LOG_ENTER();

if (m_info == nullptr)
{
SWSS_LOG_THROW("The HostInterfaceInfo on the MACsec port %s is empty", m_macsecInterfaceName.c_str());
}

m_macsecfd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));

if (m_macsecfd < 0)
Expand Down Expand Up @@ -118,17 +121,17 @@ void MACsecForwarder::forward()

while (m_runThread)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why you need separate thread in macsec ? there is already thread thats deals with packet processing, why not tap into that ?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we already have 2 threads per port that transfer the data, and you are having some another thread for the path that is already processing data, this seems a waist of resources

Copy link
Contributor Author

@Pterosaur Pterosaur Nov 24, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I remember you asked this question before, sorry that I did not explain it clear.
I think we need three threads in current design. The previous two are for forwarding data between tap and veth, and the new one is for forwarding the plaintext data from macsec to tap.

Meanwhile, all encrypted data on the thread 2 will be dropped by the macsec ingress filter. Because linux kernel will help us to forward the encrypted data.
All plaintext data, except EAPOL traffic, from tap interface will be captured by the MACsec egress filter that forwards to the macsec device for encryption.
Who will help us to forward the plaintext data from macsec device? I believe it should be thread 3.

image

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so mu understanding here is now like this: we have regular traffic, and encrypted traffic coming to the same interface then based on something (dont know what it is) you can distinguish which one is which, and for encrypted traffic you are sending this traffic to separate created socket that will decrypt this traffic inside kernel and then you can read that socket (or other one?) to get planetext traffic, process it, block or forward, maybe generate fdb notification, and then forward back encrypted traffic (re-encrypted if some filters are applied that modify pakcket) to the existing tap device?

if this is the case, both encrypted and plain text traffic come to the single tap interface, and right now this traffic is processing 1 by 1 packet in order that they arrived, with your async solution there is possibility that arrived packets will be reordered, and this is probably whats not happening in real hardware, but thats my guess. Anyway in this case i think you should block for processing in the pipeline.

if my understanding here is wrong, please setup a call meeting with me, we can talk and share on teams. I'm in CET timezone and available from 11am to 10pm everyday

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

basically this MACsecForwarder::forward() is exactly the same as HostInterfaceInfo::veth2tap_fun, but not having this filter option, and just uses different FD, but other processes are the same, i think this could be somehow unified, but maybe not this PR

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree. I add a new super class TrafficForwarder. Maybe we can leverage it to refactor this part in the another PR.

{
struct msghdr msg;
struct msghdr msg;
memset(&msg, 0, sizeof(struct msghdr));

struct sockaddr_storage srcAddr;

struct iovec iov[1];

iov[0].iov_base = buffer; // buffer for message
iov[0].iov_base = buffer; // buffer for message
iov[0].iov_len = sizeof(buffer);

char control[CONTROL_MESSAGE_BUFFER_SIZE]; // buffer for control messages
char control[CONTROL_MESSAGE_BUFFER_SIZE]; // buffer for control messages

msg.msg_name = &srcAddr;
msg.msg_namelen = sizeof(srcAddr);
Expand Down Expand Up @@ -183,77 +186,19 @@ void MACsecForwarder::forward()
continue;
}

struct cmsghdr *cmsg;

for (cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL; cmsg = CMSG_NXTHDR(&msg, cmsg))
{
if (cmsg->cmsg_level != SOL_PACKET || cmsg->cmsg_type != PACKET_AUXDATA)
continue;

struct tpacket_auxdata* aux = (struct tpacket_auxdata*)CMSG_DATA(cmsg);

if ((aux->tp_status & TP_STATUS_VLAN_VALID) &&
(aux->tp_status & TP_STATUS_VLAN_TPID_VALID))
{
SWSS_LOG_DEBUG("got vlan tci: 0x%x, vlanid: %d", aux->tp_vlan_tci, aux->tp_vlan_tci & 0xFFF);
size_t length = static_cast<size_t>(size);

// inject vlan tag into frame
add_vlan_tag(buffer, length, msg);

// for overlapping buffers
memmove(buffer + 2 * MAC_ADDRESS_SIZE + VLAN_TAG_SIZE,
buffer + 2 * MAC_ADDRESS_SIZE,
size - (2 * MAC_ADDRESS_SIZE));

uint16_t tci = htons(aux->tp_vlan_tci);
uint16_t tpid = htons(IEEE_8021Q_ETHER_TYPE);

uint8_t* pvlan = (uint8_t *)(buffer + 2 * MAC_ADDRESS_SIZE);
memcpy(pvlan, &tpid, sizeof(uint16_t));
memcpy(pvlan + sizeof(uint16_t), &tci, sizeof(uint16_t));

size += VLAN_TAG_SIZE;

break;
}
}
m_info->async_process_packet_for_fdb_event(buffer, length);

if (m_info == nullptr)
if (!send_to(m_info->m_tapfd, buffer, length))
{
SWSS_LOG_ERROR("The HostInterfaceInfo on the MACsec port %s is empty", m_macsecInterfaceName.c_str());

break;
}

m_info->async_process_packet_for_fdb_event(buffer, size);

if (write(m_tapfd, buffer, static_cast<int>(size)) < 0)
{
if (errno != ENETDOWN && errno != EIO)
{
SWSS_LOG_ERROR(
"failed to write to macsec device %s fd %d, errno(%d): %s",
m_macsecInterfaceName.c_str(),
m_macsecfd,
errno,
strerror(errno));
}

if (errno == EBADF)
{
// bad file descriptor, just end thread
SWSS_LOG_ERROR(
"ending thread for macsec device %s fd %d",
m_macsecInterfaceName.c_str(),
m_macsecfd);
return;
}

continue;
}
}

SWSS_LOG_NOTICE(
"ending thread proc for %s",
m_macsecInterfaceName.c_str());
}

2 changes: 1 addition & 1 deletion vslib/src/MACsecManager.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -579,7 +579,7 @@ bool MACsecManager::add_macsec_forwarder(

auto &manager = itr->second;

manager.m_forwarder = std::make_shared<MACsecForwarder>(macsecInterface, manager.m_info->m_tapfd, manager.m_info);
manager.m_forwarder = std::make_shared<MACsecForwarder>(macsecInterface, manager.m_info);
return true;
}

Expand Down
2 changes: 2 additions & 0 deletions vslib/src/Makefile.am
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,8 @@ libSaiVS_a_SOURCES = \
MACsecFilter.cpp \
MACsecEgressFilter.cpp \
MACsecIngressFilter.cpp \
TrafficForwarder.cpp \
MACsecForwarder.cpp \
TrafficFilterPipes.cpp

libsaivs_la_SOURCES = \
Expand Down
Loading