ipsec: fix udp-encap in transport mode

[vpp.git] / src / vnet / ipsec / esp_encrypt.c

diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c
index 2c4da5d..4793fdd 100644 (file)
--- a/src/vnet/ipsec/esp_encrypt.c
+++ b/src/vnet/ipsec/esp_encrypt.c
@@ -23,6 +23,7 @@
 #include <vnet/crypto/crypto.h>
 
 #include <vnet/ipsec/ipsec.h>
+#include <vnet/ipsec/ipsec_tun.h>
 #include <vnet/ipsec/esp.h>
 
 #define foreach_esp_encrypt_next                   \
@@ -319,13 +320,11 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
       if (is_tun)
        {
          /* we are on a ipsec tunnel's feature arc */
-         u32 next0;
          config_index = b[0]->current_config_index;
-         sa_index0 = *(u32 *) vnet_feature_next_with_data (&next0, b[0],
-                                                           sizeof
-                                                           (sa_index0));
-         vnet_buffer (b[0])->ipsec.sad_index = sa_index0;
-         next[0] = next0;
+         vnet_feature_next_u16 (&next[0], b[0]);
+         vnet_buffer (b[0])->ipsec.sad_index =
+           sa_index0 = ipsec_tun_protect_get_sa_out
+           (vnet_buffer (b[0])->ip.adj_index[VLIB_TX]);
        }
       else
        sa_index0 = vnet_buffer (b[0])->ipsec.sad_index;
@@ -464,6 +463,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
          u8 *l2_hdr, l2_len, *ip_hdr, ip_len;
          ip6_ext_header_t *ext_hdr;
          udp_header_t *udp = 0;
+         u16 udp_len = 0;
          u8 *old_ip_hdr = vlib_buffer_get_current (b[0]);
 
          ip_len = is_ip6 ?
@@ -538,7 +538,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
              if (udp)
                {
                  esp_update_ip4_hdr (ip4, len, /* is_transport */ 1, 1);
-                 esp_fill_udp_hdr (sa0, udp, len - ip_len);
+                 udp_len = len - ip_len;
                }
              else
                esp_update_ip4_hdr (ip4, len, /* is_transport */ 1, 0);
@@ -546,6 +546,11 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 
          clib_memcpy_le64 (ip_hdr, old_ip_hdr, ip_len);
 
+         if (udp)
+           {
+             esp_fill_udp_hdr (sa0, udp, udp_len);
+           }
+
          if (!is_tun)
            next[0] = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT;
        }