#define foreach_esp_encrypt_next \
_(DROP, "error-drop") \
-_(IP4_LOOKUP, "ip4-lookup") \
-_(IP6_LOOKUP, "ip6-lookup") \
+_(HANDOFF, "handoff") \
_(INTERFACE_OUTPUT, "interface-output")
#define _(v, s) ESP_ENCRYPT_NEXT_##v,
}
static_always_inline u8
-esp_get_ip6_hdr_len (ip6_header_t * ip6)
+esp_get_ip6_hdr_len (ip6_header_t * ip6, ip6_ext_header_t ** ext_hdr)
{
/* this code assumes that HbH, route and frag headers will be before
others, if that is not the case, they will end up encrypted */
-
u8 len = sizeof (ip6_header_t);
ip6_ext_header_t *p;
/* if next packet doesn't have ext header */
if (ext_hdr_is_pre_esp (ip6->protocol) == 0)
- return len;
+ {
+ *ext_hdr = NULL;
+ return len;
+ }
p = (void *) (ip6 + 1);
len += ip6_ext_header_len (p);
p = ip6_ext_next_header (p);
}
+ *ext_hdr = p;
return len;
}
esp_header_t *esp;
u8 *payload, *next_hdr_ptr;
u16 payload_len;
- u32 hdr_len;
+ u32 hdr_len, config_index;
if (n_left > 2)
{
{
/* we are on a ipsec tunnel's feature arc */
u32 next0;
+ config_index = b[0]->current_config_index;
sa_index0 = *(u32 *) vnet_feature_next_with_data (&next0, b[0],
sizeof
(sa_index0));
+ vnet_buffer (b[0])->ipsec.sad_index = sa_index0;
next[0] = next0;
}
else
iv_sz = sa0->crypto_iv_size;
}
+ if (PREDICT_FALSE (~0 == sa0->encrypt_thread_index))
+ {
+ /* this is the first packet to use this SA, claim the SA
+ * for this thread. this could happen simultaneously on
+ * another thread */
+ clib_atomic_cmp_and_swap (&sa0->encrypt_thread_index, ~0,
+ ipsec_sa_assign_thread (thread_index));
+ }
+
+ if (PREDICT_TRUE (thread_index != sa0->encrypt_thread_index))
+ {
+ next[0] = ESP_ENCRYPT_NEXT_HANDOFF;
+ if (is_tun)
+ {
+ b[0]->current_config_index = config_index;
+ }
+ goto trace;
+ }
+
if (vlib_buffer_chain_linearize (vm, b[0]) != 1)
{
b[0]->error = node->errors[ESP_ENCRYPT_ERROR_CHAINED_BUFFER];
else /* transport mode */
{
u8 *l2_hdr, l2_len, *ip_hdr, ip_len;
+ ip6_ext_header_t *ext_hdr;
udp_header_t *udp = 0;
u8 *old_ip_hdr = vlib_buffer_get_current (b[0]);
ip_len = is_ip6 ?
- esp_get_ip6_hdr_len ((ip6_header_t *) old_ip_hdr) :
+ esp_get_ip6_hdr_len ((ip6_header_t *) old_ip_hdr, &ext_hdr) :
ip4_header_bytes ((ip4_header_t *) old_ip_hdr);
vlib_buffer_advance (b[0], ip_len);
else
l2_len = 0;
- clib_memcpy_le64 (ip_hdr, old_ip_hdr, ip_len);
-
if (is_ip6)
{
- ip6_header_t *ip6 = (ip6_header_t *) (ip_hdr);
- *next_hdr_ptr = ip6->protocol;
- ip6->protocol = IP_PROTOCOL_IPSEC_ESP;
+ ip6_header_t *ip6 = (ip6_header_t *) (old_ip_hdr);
+ if (PREDICT_TRUE (NULL == ext_hdr))
+ {
+ *next_hdr_ptr = ip6->protocol;
+ ip6->protocol = IP_PROTOCOL_IPSEC_ESP;
+ }
+ else
+ {
+ *next_hdr_ptr = ext_hdr->next_hdr;
+ ext_hdr->next_hdr = IP_PROTOCOL_IPSEC_ESP;
+ }
ip6->payload_length =
clib_host_to_net_u16 (payload_len + hdr_len - l2_len -
- ip_len);
+ sizeof (ip6_header_t));
}
else
{
u16 len;
- ip4_header_t *ip4 = (ip4_header_t *) (ip_hdr);
+ ip4_header_t *ip4 = (ip4_header_t *) (old_ip_hdr);
*next_hdr_ptr = ip4->protocol;
len = payload_len + hdr_len - l2_len;
if (udp)
esp_update_ip4_hdr (ip4, len, /* is_transport */ 1, 0);
}
+ clib_memcpy_le64 (ip_hdr, old_ip_hdr, ip_len);
+
if (!is_tun)
next[0] = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT;
}
.n_next_nodes = ESP_ENCRYPT_N_NEXT,
.next_nodes = {
-#define _(s,n) [ESP_ENCRYPT_NEXT_##s] = n,
- foreach_esp_encrypt_next
-#undef _
+ [ESP_ENCRYPT_NEXT_DROP] = "ip4-drop",
+ [ESP_ENCRYPT_NEXT_HANDOFF] = "esp4-encrypt-handoff",
+ [ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT] = "interface-output",
},
};
/* *INDENT-ON* */
.n_next_nodes = ESP_ENCRYPT_N_NEXT,
.next_nodes = {
-#define _(s,n) [ESP_ENCRYPT_NEXT_##s] = n,
- foreach_esp_encrypt_next
-#undef _
+ [ESP_ENCRYPT_NEXT_DROP] = "ip6-drop",
+ [ESP_ENCRYPT_NEXT_HANDOFF] = "esp6-encrypt-handoff",
+ [ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT] = "interface-output",
},
};
/* *INDENT-ON* */
.n_errors = ARRAY_LEN(esp_encrypt_error_strings),
.error_strings = esp_encrypt_error_strings,
- .n_next_nodes = 1,
+ .n_next_nodes = ESP_ENCRYPT_N_NEXT,
.next_nodes = {
[ESP_ENCRYPT_NEXT_DROP] = "ip4-drop",
+ [ESP_ENCRYPT_NEXT_HANDOFF] = "esp4-encrypt-tun-handoff",
+ [ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT] = "error-drop",
},
};
.n_errors = ARRAY_LEN(esp_encrypt_error_strings),
.error_strings = esp_encrypt_error_strings,
- .n_next_nodes = 1,
+ .n_next_nodes = ESP_ENCRYPT_N_NEXT,
.next_nodes = {
[ESP_ENCRYPT_NEXT_DROP] = "ip6-drop",
+ [ESP_ENCRYPT_NEXT_HANDOFF] = "esp6-encrypt-tun-handoff",
+ [ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT] = "error-drop",
},
};