ipsec: print spi in hexadecimal
[vpp.git] / src / vnet / ipsec / esp_encrypt.c
index 4d1aa31..c879a40 100644 (file)
@@ -78,11 +78,12 @@ format_esp_encrypt_trace (u8 * s, va_list * args)
   CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
   esp_encrypt_trace_t *t = va_arg (*args, esp_encrypt_trace_t *);
 
-  s = format (s, "esp: sa-index %d spi %u seq %u crypto %U integrity %U%s",
-             t->sa_index, t->spi, t->seq,
-             format_ipsec_crypto_alg, t->crypto_alg,
-             format_ipsec_integ_alg, t->integ_alg,
-             t->udp_encap ? " udp-encap-enabled" : "");
+  s =
+    format (s,
+           "esp: sa-index %d spi %u (0x%08x) seq %u crypto %U integrity %U%s",
+           t->sa_index, t->spi, t->spi, t->seq, format_ipsec_crypto_alg,
+           t->crypto_alg, format_ipsec_integ_alg, t->integ_alg,
+           t->udp_encap ? " udp-encap-enabled" : "");
   return s;
 }
 
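Review bot: The hexadecimal SPI added at `spi %u (0x%08x)` can only be matched against a packet capture or an SA dump if `t->spi` holds the host-byte-order value, and the assignment to the trace record is outside this hunk. Further down in this file the encrypt loop keeps a byte-swapped copy for the ESP header (`spi = clib_net_to_host_u32 (sa0->spi)`), so it is worth confirming that the trace stores `sa0->spi` rather than that swapped value. Once confirmed, a one-line comment above the call such as `/* t->spi is in host byte order */` would make the assumption explicit.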
@@ -288,12 +289,15 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 
       if (sa_index0 != current_sa_index)
        {
+         if (current_sa_packets)
+           vlib_increment_combined_counter (&ipsec_sa_counters, thread_index,
+                                            current_sa_index,
+                                            current_sa_packets,
+                                            current_sa_bytes);
+         current_sa_packets = current_sa_bytes = 0;
+
          sa0 = pool_elt_at_index (im->sad, sa_index0);
          current_sa_index = sa_index0;
-         vlib_increment_combined_counter (&ipsec_sa_counters, thread_index,
-                                          sa_index0, current_sa_packets,
-                                          current_sa_bytes);
-         current_sa_packets = current_sa_bytes = 0;
          spi = clib_net_to_host_u32 (sa0->spi);
          block_sz = sa0->crypto_block_size;
          icv_sz = sa0->integ_icv_size;
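Review bot: The flush at the top of the SA-change branch is safe on the first packet only because `current_sa_packets` is still zero, so `current_sa_index` is never used as a counter index before an SA has been selected; nothing in the hunk states that invariant. I would add `/* flush totals for the previous SA; nothing to flush until one has been selected */` above `if (current_sa_packets)`, and brace the five-line call so the unconditional reset on the following line is not misread as part of the body. The totals accumulated for the last SA in a frame still need a flush after the loop, which lies outside this hunk and should be checked. `esp_encrypt_inline` begins and ends outside the hunk.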
@@ -364,7 +368,7 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
              esp_update_ip4_hdr (ip4, len, /* is_transport */ 0, 0);
            }
 
-         dpo = sa0->dpo + IPSEC_PROTOCOL_ESP;
+         dpo = &sa0->dpo;
          if (!is_tun)
            {
              next[0] = dpo->dpoi_next_node;
@@ -405,12 +409,18 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
          ip_hdr = payload - hdr_len;
 
          /* L2 header */
-         l2_len = vnet_buffer (b[0])->ip.save_rewrite_length;
-         hdr_len += l2_len;
-         l2_hdr = payload - hdr_len;
+         if (!is_tun)
+           {
+             l2_len = vnet_buffer (b[0])->ip.save_rewrite_length;
+             hdr_len += l2_len;
+             l2_hdr = payload - hdr_len;
+
+             /* copy l2 and ip header */
+             clib_memcpy_le32 (l2_hdr, old_ip_hdr - l2_len, l2_len);
+           }
+         else
+           l2_len = 0;
 
-         /* copy l2 and ip header */
-         clib_memcpy_le32 (l2_hdr, old_ip_hdr - l2_len, l2_len);
          clib_memcpy_le64 (ip_hdr, old_ip_hdr, ip_len);
 
          if (is_ip6)
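Review bot: In the new `else` branch only `l2_len` is set, so when `is_tun` is true `l2_hdr` keeps whatever value it had before; any later use of it, outside this hunk, would read a stale or indeterminate pointer. Declaring `l2_hdr` inside the `!is_tun` block, or assigning it in the `else` as well, would let the compiler catch such a use. In the non-tunnel path `l2_len` is taken from buffer metadata (`ip.save_rewrite_length`) and moves `l2_hdr` back from `payload`, and the hunk shows no check that the result stays within the buffer's headroom, so confirm that one exists earlier in the function. The comment `/* copy l2 and ip header */` now sits over the L2 copy alone and could read `/* copy l2 header */`.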
@@ -437,7 +447,8 @@ esp_encrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
                esp_update_ip4_hdr (ip4, len, /* is_transport */ 1, 0);
            }
 
-         next[0] = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT;
+         if (!is_tun)
+           next[0] = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT;
        }
 
       esp->spi = spi;
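Review bot: With the assignment now guarded by `if (!is_tun)`, the transport-mode path no longer sets `next[0]` for the tunnel feature nodes, so the value used at enqueue depends on an assignment earlier in the loop that is not visible in this hunk. If that value is the feature arc's next index, a comment such as `/* is_tun: next[0] already holds the feature arc's next node */` would record the dependency. If no earlier assignment exists, the packet would be enqueued with a stale index, so this is worth confirming against the top of the loop.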
@@ -615,6 +626,13 @@ VNET_FEATURE_INIT (esp4_encrypt_tun_feat_node, static) =
   .node_name = "esp4-encrypt-tun",
   .runs_before = VNET_FEATURES ("adj-midchain-tx"),
 };
+
+VNET_FEATURE_INIT (esp4_ethernet_encrypt_tun_feat_node, static) =
+{
+  .arc_name = "ethernet-output",
+  .node_name = "esp4-encrypt-tun",
+  .runs_before = VNET_FEATURES ("adj-midchain-tx", "adj-midchain-tx-no-count"),
+};
 /* *INDENT-ON* */
 
 VLIB_NODE_FN (esp6_encrypt_tun_node) (vlib_main_t * vm,
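Review bot: The new `ethernet-output` registration lists both `adj-midchain-tx` and `adj-midchain-tx-no-count` in `.runs_before`, while the existing `esp4-encrypt-tun` registration just above it lists only `adj-midchain-tx`. If the no-count variant can also be enabled on that other arc, the encrypt node has no ordering constraint against it there, and a packet could in principle reach the transmit node before encryption; it may be worth giving both registrations the same list. A short comment above `esp4_ethernet_encrypt_tun_feat_node` saying why an IPv4 ESP node is attached to the `ethernet-output` arc, and whether an IPv6 counterpart is intended, would help the next reader. No such counterpart is visible in this hunk.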