- ipsec_add_del_tunnel_args_t tun;
-
- clib_memset (&tun, 0, sizeof (ipsec_add_del_tunnel_args_t));
-
- tun.is_add = mp->is_add;
- tun.esn = mp->esn;
- tun.anti_replay = mp->anti_replay;
- tun.local_spi = ntohl (mp->local_spi);
- tun.remote_spi = ntohl (mp->remote_spi);
- tun.crypto_alg = mp->crypto_alg;
- tun.local_crypto_key_len = mp->local_crypto_key_len;
- tun.remote_crypto_key_len = mp->remote_crypto_key_len;
- tun.integ_alg = mp->integ_alg;
- tun.local_integ_key_len = mp->local_integ_key_len;
- tun.remote_integ_key_len = mp->remote_integ_key_len;
- tun.udp_encap = mp->udp_encap;
- tun.tx_table_id = ntohl (mp->tx_table_id);
- tun.salt = mp->salt;
- itype = ip_address_decode (&mp->local_ip, &tun.local_ip);
- itype = ip_address_decode (&mp->remote_ip, &tun.remote_ip);
- tun.is_ip6 = (IP46_TYPE_IP6 == itype);
- memcpy (&tun.local_crypto_key, &mp->local_crypto_key,
- mp->local_crypto_key_len);
- memcpy (&tun.remote_crypto_key, &mp->remote_crypto_key,
- mp->remote_crypto_key_len);
- memcpy (&tun.local_integ_key, &mp->local_integ_key,
- mp->local_integ_key_len);
- memcpy (&tun.remote_integ_key, &mp->remote_integ_key,
- mp->remote_integ_key_len);
- tun.renumber = mp->renumber;
- tun.show_instance = ntohl (mp->show_instance);
-
- rv = ipsec_add_del_tunnel_if_internal (vnm, &tun, &sw_if_index);
+ ip46_address_t local_ip = ip46_address_initializer;
+ ip46_address_t remote_ip = ip46_address_initializer;
+ ipsec_key_t crypto_key, integ_key;
+ ipsec_sa_flags_t flags;
+ ip46_type_t local_ip_type, remote_ip_type;
+ ipip_transport_t transport;
+ u32 fib_index;
+
+ local_ip_type = ip_address_decode (&mp->local_ip, &local_ip);
+ remote_ip_type = ip_address_decode (&mp->remote_ip, &remote_ip);
+ transport = (IP46_TYPE_IP6 == local_ip_type ?
+ IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4);
+
+ if (local_ip_type != remote_ip_type)
+ {
+ rv = VNET_API_ERROR_INVALID_VALUE;
+ goto done;
+ }
+
+ flags = IPSEC_SA_FLAG_NONE;
+
+ if (mp->udp_encap)
+ flags |= IPSEC_SA_FLAG_UDP_ENCAP;
+ if (mp->esn)
+ flags |= IPSEC_SA_FLAG_USE_ESN;
+ if (mp->anti_replay)
+ flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
+
+ ipsec_mk_key (&crypto_key, mp->remote_crypto_key,
+ mp->remote_crypto_key_len);
+ ipsec_mk_key (&integ_key, mp->remote_integ_key, mp->remote_integ_key_len);
+ ipsec_mk_key (&crypto_key, mp->local_crypto_key, mp->local_crypto_key_len);
+ ipsec_mk_key (&integ_key, mp->local_integ_key, mp->local_integ_key_len);
+
+ fib_index =
+ fib_table_find (fib_proto_from_ip46 (local_ip_type),
+ ntohl (mp->tx_table_id));
+
+ if (~0 == fib_index)
+ {
+ rv = VNET_API_ERROR_NO_SUCH_FIB;
+ goto done;
+ }
+
+ if (mp->is_add)
+ {
+ // remote = input, local = output
+ /* create an ip-ip tunnel, then the two SA, then bind them */
+ rv = ipip_add_tunnel (transport,
+ ntohl (mp->show_instance),
+ &local_ip,
+ &remote_ip, fib_index, 0, &sw_if_index);
+
+ if (rv)
+ goto done;
+
+ rv = ipsec_sa_add_and_lock (ipsec_tun_mk_input_sa_id (sw_if_index),
+ ntohl (mp->remote_spi),
+ IPSEC_PROTOCOL_ESP,
+ mp->crypto_alg,
+ &crypto_key,
+ mp->integ_alg,
+ &integ_key,
+ (flags | IPSEC_SA_FLAG_IS_INBOUND),
+ ntohl (mp->tx_table_id),
+ mp->salt, &remote_ip, &local_ip, NULL);
+
+ if (rv)
+ goto done;
+
+ rv = ipsec_sa_add_and_lock (ipsec_tun_mk_output_sa_id (sw_if_index),
+ ntohl (mp->local_spi),
+ IPSEC_PROTOCOL_ESP,
+ mp->crypto_alg,
+ &crypto_key,
+ mp->integ_alg,
+ &integ_key,
+ flags,
+ ntohl (mp->tx_table_id),
+ mp->salt, &local_ip, &remote_ip, NULL);
+
+ if (rv)
+ goto done;
+
+ rv = ipsec_tun_protect_update_one (sw_if_index,
+ ipsec_tun_mk_output_sa_id
+ (sw_if_index),
+ ipsec_tun_mk_input_sa_id
+ (sw_if_index));
+ if (rv)
+ goto done;
+
+ /* the SAs are locked as a result of being used for proection,
+ * they cannot be removed from the API, since they cannot be refered
+ * to by the API. unlock them now, so that if the tunnel is rekeyed
+ * they-ll disapper
+ */
+ ipsec_sa_unlock_id (ipsec_tun_mk_input_sa_id (sw_if_index));
+ ipsec_sa_unlock_id (ipsec_tun_mk_output_sa_id (sw_if_index));
+ }
+ else
+ {
+
+ ipip_tunnel_key_t key = {
+ .transport = transport,
+ .fib_index = fib_index,
+ .src = local_ip,
+ .dst = remote_ip
+ };
+ ipip_tunnel_t *t = ipip_tunnel_db_find (&key);
+
+ rv = ipsec_tun_protect_del (t->sw_if_index);
+ ipip_del_tunnel (t->sw_if_index);
+ }