ipsec: support UDP encap/decap for NAT traversal
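diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c
index ba0d68b..928cafd 100644
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -19,10 +19,15 @@
 #include <vnet/api_errno.h>
 #include <vnet/ip/ip.h>
 #include <vnet/interface.h>
+#include <vnet/udp/udp.h>
 #include <vnet/ipsec/ipsec.h>
 #include <vnet/ipsec/ikev2.h>
 #include <vnet/ipsec/esp.h>
+#include <vnet/ipsec/ah.h>
+
+
+ipsec_main_t ipsec_main;
 u32
 ipsec_get_sa_index_by_sa_id (u32 sa_id)
@@ -363,13 +368,13 @@ ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, int is_add)
 if (vec_elt(spd->ipv4_inbound_policy_discard_and_bypass_indices, j) == i) {
 vec_del1 (spd->ipv4_inbound_policy_discard_and_bypass_indices, j);
 break;
+ }
 }
 }
 }
 }
 pool_put (spd->policies, vp);
 break;
- }
 }));
 /* *INDENT-ON* */
 }
@@ -377,7 +382,7 @@ ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, int is_add)
 return 0;
 }
-static u8
+u8
 ipsec_is_sa_used (u32 sa_index)
 {
 ipsec_main_t *im = &ipsec_main;
@@ -408,12 +413,14 @@ ipsec_is_sa_used (u32 sa_index)
 }
 int
-ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add)
+ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add,
+ u8 udp_encap)
 {
 ipsec_main_t *im = &ipsec_main;
 ipsec_sa_t *sa = 0;
 uword *p;
 u32 sa_index;
+ clib_error_t *err;
 clib_warning ("id %u spi %u", new_sa->id, new_sa->spi);
@@ -433,9 +440,12 @@ ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add)
 return VNET_API_ERROR_SYSCALL_ERROR_1; /* sa used in policy */
 }
 hash_unset (im->sa_index_by_sa_id, sa->id);
- if (im->cb.add_del_sa_sess_cb &&
- im->cb.add_del_sa_sess_cb (sa_index, 0) < 0)
- return VNET_API_ERROR_SYSCALL_ERROR_1;
+ if (im->cb.add_del_sa_sess_cb)
+ {
+ err = im->cb.add_del_sa_sess_cb (sa_index, 0);
+ if (err)
+ return VNET_API_ERROR_SYSCALL_ERROR_1;
+ }
 pool_put (im->sad, sa);
 }
 else /* create new SA */
@@ -443,10 +453,14 @@ ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add)
 pool_get (im->sad, sa);
 clib_memcpy (sa, new_sa, sizeof (*sa));
 sa_index = sa - im->sad;
+ sa->udp_encap = udp_encap ? 1 : 0;
 hash_set (im->sa_index_by_sa_id, sa->id, sa_index);
- if (im->cb.add_del_sa_sess_cb &&
- im->cb.add_del_sa_sess_cb (sa_index, 1) < 0)
- return VNET_API_ERROR_SYSCALL_ERROR_1;
+ if (im->cb.add_del_sa_sess_cb)
+ {
+ err = im->cb.add_del_sa_sess_cb (sa_index, 1);
+ if (err)
+ return VNET_API_ERROR_SYSCALL_ERROR_1;
+ }
 }
 return 0;
 }
@@ -458,6 +472,7 @@ ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update)
 uword *p;
 u32 sa_index;
 ipsec_sa_t *sa = 0;
+ clib_error_t *err;
 p = hash_get (im->sa_index_by_sa_id, sa_update->id);
 if (!p)
@@ -484,9 +499,12 @@ ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update)
 if (0 < sa_update->crypto_key_len || 0 < sa_update->integ_key_len)
 {
- if (im->cb.add_del_sa_sess_cb &&
- im->cb.add_del_sa_sess_cb (sa_index, 0) < 0)
- return VNET_API_ERROR_SYSCALL_ERROR_1;
+ if (im->cb.add_del_sa_sess_cb)
+ {
+ err = im->cb.add_del_sa_sess_cb (sa_index, 0);
+ if (err)
+ return VNET_API_ERROR_SYSCALL_ERROR_1;
+ }
 }
 return 0;
@@ -554,8 +572,18 @@ ipsec_init (vlib_main_t * vm)
 ASSERT (node);
 im->esp_decrypt_node_index = node->index;
+ node = vlib_get_node_by_name (vm, (u8 *) "ah-encrypt");
+ ASSERT (node);
+ im->ah_encrypt_node_index = node->index;
+
+ node = vlib_get_node_by_name (vm, (u8 *) "ah-decrypt");
+ ASSERT (node);
+ im->ah_decrypt_node_index = node->index;
+
 im->esp_encrypt_next_index = IPSEC_OUTPUT_NEXT_ESP_ENCRYPT;
 im->esp_decrypt_next_index = IPSEC_INPUT_NEXT_ESP_DECRYPT;
+ im->ah_encrypt_next_index = IPSEC_OUTPUT_NEXT_AH_ENCRYPT;
+ im->ah_decrypt_next_index = IPSEC_INPUT_NEXT_AH_DECRYPT;
 im->cb.check_support_cb = ipsec_check_support;
@@ -565,7 +593,7 @@ ipsec_init (vlib_main_t * vm)
 if ((error = vlib_call_init_function (vm, ipsec_tunnel_if_init)))
 return error;
- esp_init ();
+ ipsec_proto_init ();
 if ((error = ikev2_init (vm)))
 return error;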
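Review bot: The `clib_error_t *` that `add_del_sa_sess_cb` now returns is dropped without being freed or reported in all three rewritten blocks (the delete and create paths of ipsec_add_del_sa, and the key-update path of ipsec_set_sa_key), so the backend's failure reason never reaches a log and the error object leaks on every failed call. Report and release it before mapping it to the API error, e.g. `if (err) { clib_error_report (err); return VNET_API_ERROR_SYSCALL_ERROR_1; }`, in each of the three places. On the create path the SA is already in `im->sad` and `sa_index_by_sa_id` when the callback fails, and on the delete path `hash_unset` has already run, so the early return leaves an SA that later add/delete requests can no longer reach or free; that predates this commit, but since the error handling is being restructured here it would be the natural place to unwind the pool and hash state before returning. The new `udp_encap` parameter has no comment explaining that it only affects newly created SAs and is ignored on delete; a one-line note on the signature, such as `/* udp_encap: non-zero marks a new SA for UDP encapsulation; ignored when !is_add */`, would prevent callers from expecting it to toggle an existing SA. Both functions' bodies extend beyond the hunks shown.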