sw_if_index, spd_id, spd_index);
/* enable IPsec on TX */
- vnet_feature_enable_disable ("ip4-output", "ipsec4-output", sw_if_index,
- is_add, 0, 0);
- vnet_feature_enable_disable ("ip6-output", "ipsec6-output", sw_if_index,
- is_add, 0, 0);
+ vnet_feature_enable_disable ("ip4-output", "ipsec4-output-feature",
+ sw_if_index, is_add, 0, 0);
+ vnet_feature_enable_disable ("ip6-output", "ipsec6-output-feature",
+ sw_if_index, is_add, 0, 0);
config.spd_index = spd_index;
/* enable IPsec on RX */
- vnet_feature_enable_disable ("ip4-unicast", "ipsec4-input", sw_if_index,
- is_add, &config, sizeof (config));
- vnet_feature_enable_disable ("ip6-unicast", "ipsec6-input", sw_if_index,
- is_add, &config, sizeof (config));
+ vnet_feature_enable_disable ("ip4-unicast", "ipsec4-input-feature",
+ sw_if_index, is_add, &config, sizeof (config));
+ vnet_feature_enable_disable ("ip6-unicast", "ipsec6-input-feature",
+ sw_if_index, is_add, &config, sizeof (config));
return 0;
}
p = hash_get (im->spd_index_by_spd_id, spd_id);
if (p && is_add)
- return VNET_API_ERROR_INVALID_VALUE;
+ return VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
if (!p && !is_add)
- return VNET_API_ERROR_INVALID_VALUE;
+ return VNET_API_ERROR_NO_SUCH_ENTRY;
if (!is_add) /* delete */
{
p = hash_get (im->sa_index_by_sa_id, new_sa->id);
if (p && is_add)
- return VNET_API_ERROR_SYSCALL_ERROR_1; /* already exists */
+ return VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
if (!p && !is_add)
- return VNET_API_ERROR_SYSCALL_ERROR_1;
+ return VNET_API_ERROR_NO_SUCH_ENTRY;
if (!is_add) /* delete */
{
}
static clib_error_t *
-ipsec_check_support (ipsec_sa_t * sa)
+ipsec_check_ah_support (ipsec_sa_t * sa)
{
- if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128)
- return clib_error_return (0, "unsupported aes-gcm-128 crypto-alg");
if (sa->integ_alg == IPSEC_INTEG_ALG_NONE)
return clib_error_return (0, "unsupported none integ-alg");
+ return 0;
+}
+
+static clib_error_t *
+ipsec_check_esp_support (ipsec_sa_t * sa)
+{
+ if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128)
+ return clib_error_return (0, "unsupported aes-gcm-128 crypto-alg");
+ if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_192)
+ return clib_error_return (0, "unsupported aes-gcm-192 crypto-alg");
+ if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_256)
+ return clib_error_return (0, "unsupported aes-gcm-256 crypto-alg");
return 0;
}
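Review bot: ipsec_check_esp_support no longer rejects `sa->integ_alg == IPSEC_INTEG_ALG_NONE`, a check the old combined ipsec_check_support applied to every SA and that survives only in ipsec_check_ah_support, so an ESP SA with no integrity algorithm now passes this backend's support check. Since the three AES-GCM variants are rejected here as well, such an SA has no authentication at all, which is a functional regression if the ESP nodes cannot handle it and an unsafe configuration to accept silently even if they can. If the relaxation is intentional it deserves a comment; otherwise keep the check at the top of the new function: `if (sa->integ_alg == IPSEC_INTEG_ALG_NONE) return clib_error_return (0, "unsupported none integ-alg");`.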
ipsec_check_support_cb (ipsec_main_t * im, ipsec_sa_t * sa)
{
clib_error_t *error = 0;
- ipsec_ah_backend_t *ah =
- pool_elt_at_index (im->ah_backends, im->ah_current_backend);
- ASSERT (ah->check_support_cb);
- error = ah->check_support_cb (sa);
- if (error)
- return error;
- ipsec_esp_backend_t *esp =
- pool_elt_at_index (im->esp_backends, im->esp_current_backend);
- ASSERT (esp->check_support_cb);
- error = esp->check_support_cb (sa);
+
+ if (PREDICT_FALSE (sa->protocol == IPSEC_PROTOCOL_AH))
+ {
+ ipsec_ah_backend_t *ah =
+ pool_elt_at_index (im->ah_backends, im->ah_current_backend);
+ ASSERT (ah->check_support_cb);
+ error = ah->check_support_cb (sa);
+ }
+ else
+ {
+ ipsec_esp_backend_t *esp =
+ pool_elt_at_index (im->esp_backends, im->esp_current_backend);
+ ASSERT (esp->check_support_cb);
+ error = esp->check_support_cb (sa);
+ }
return error;
}
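Review bot: The dispatch on `sa->protocol` routes every value other than IPSEC_PROTOCOL_AH to the ESP backend, and `error` is initialised to 0 only to be overwritten on both paths, so the initialiser now reads as if some path could leave it unset. Both are fine if the protocol enum holds only AH and ESP, but a one-line comment on the `else` would make that assumption visible, e.g. `/* every non-AH SA is ESP; the enum has no other members */`. The function's return type precedes the hunk, so the signature is only partly visible here.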
pool_get (im->ah_backends, b);
b->name = format (NULL, "%s", name);
- ipsec_add_node (vm, ah4_encrypt_node_name, "ipsec4-output",
+ ipsec_add_node (vm, ah4_encrypt_node_name, "ipsec4-output-feature",
&b->ah4_encrypt_node_index, &b->ah4_encrypt_next_index);
- ipsec_add_node (vm, ah4_decrypt_node_name, "ipsec4-input",
+ ipsec_add_node (vm, ah4_decrypt_node_name, "ipsec4-input-feature",
&b->ah4_decrypt_node_index, &b->ah4_decrypt_next_index);
- ipsec_add_node (vm, ah6_encrypt_node_name, "ipsec6-output",
+ ipsec_add_node (vm, ah6_encrypt_node_name, "ipsec6-output-feature",
&b->ah6_encrypt_node_index, &b->ah6_encrypt_next_index);
- ipsec_add_node (vm, ah6_decrypt_node_name, "ipsec6-input",
+ ipsec_add_node (vm, ah6_decrypt_node_name, "ipsec6-input-feature",
&b->ah6_decrypt_node_index, &b->ah6_decrypt_next_index);
b->check_support_cb = ah_check_support_cb;
pool_get (im->esp_backends, b);
b->name = format (NULL, "%s", name);
- ipsec_add_node (vm, esp4_encrypt_node_name, "ipsec4-output",
+ ipsec_add_node (vm, esp4_encrypt_node_name, "ipsec4-output-feature",
&b->esp4_encrypt_node_index, &b->esp4_encrypt_next_index);
- ipsec_add_node (vm, esp4_decrypt_node_name, "ipsec4-input",
+ ipsec_add_node (vm, esp4_decrypt_node_name, "ipsec4-input-feature",
&b->esp4_decrypt_node_index, &b->esp4_decrypt_next_index);
- ipsec_add_node (vm, esp6_encrypt_node_name, "ipsec6-output",
+ ipsec_add_node (vm, esp6_encrypt_node_name, "ipsec6-output-feature",
&b->esp6_encrypt_node_index, &b->esp6_encrypt_next_index);
- ipsec_add_node (vm, esp6_decrypt_node_name, "ipsec6-input",
+ ipsec_add_node (vm, esp6_decrypt_node_name, "ipsec6-input-feature",
&b->esp6_decrypt_node_index, &b->esp6_decrypt_next_index);
b->check_support_cb = esp_check_support_cb;
"ah4-decrypt",
"ah6-encrypt",
"ah6-decrypt",
- ipsec_check_support,
+ ipsec_check_ah_support,
NULL);
im->ah_default_backend = idx;
"esp4-decrypt",
"esp6-encrypt",
"esp6-decrypt",
- ipsec_check_support, NULL);
+ ipsec_check_esp_support, NULL);
im->esp_default_backend = idx;
rv = ipsec_select_esp_backend (im, idx);