#include <vnet/api_errno.h>
#include <vnet/ip/ip.h>
#include <vnet/interface.h>
+#include <vnet/udp/udp.h>
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/ikev2.h>
#include <vnet/ipsec/esp.h>
+#include <vnet/ipsec/ah.h>
+
+
+ipsec_main_t ipsec_main;
u32
ipsec_get_sa_index_by_sa_id (u32 sa_id)
sw_if_index, spd_id, spd_index);
/* enable IPsec on TX */
- vnet_feature_enable_disable ("ip4-output", "ipsec-output-ip4", sw_if_index,
+ vnet_feature_enable_disable ("ip4-output", "ipsec4-output", sw_if_index,
is_add, 0, 0);
- vnet_feature_enable_disable ("ip6-output", "ipsec-output-ip6", sw_if_index,
+ vnet_feature_enable_disable ("ip6-output", "ipsec6-output", sw_if_index,
is_add, 0, 0);
+ config.spd_index = spd_index;
+
/* enable IPsec on RX */
- vnet_feature_enable_disable ("ip4-unicast", "ipsec-input-ip4", sw_if_index,
+ vnet_feature_enable_disable ("ip4-unicast", "ipsec4-input", sw_if_index,
is_add, &config, sizeof (config));
- vnet_feature_enable_disable ("ip6-unicast", "ipsec-input-ip6", sw_if_index,
+ vnet_feature_enable_disable ("ip6-unicast", "ipsec6-input", sw_if_index,
is_add, &config, sizeof (config));
return 0;
static int
ipsec_spd_entry_sort (void *a1, void *a2)
{
- ipsec_main_t *im = &ipsec_main;
u32 *id1 = a1;
u32 *id2 = a2;
- ipsec_spd_t *spd;
+ ipsec_spd_t *spd = ipsec_main.spd_to_sort;
ipsec_policy_t *p1, *p2;
- /* *INDENT-OFF* */
- pool_foreach (spd, im->spds, ({
- p1 = pool_elt_at_index(spd->policies, *id1);
- p2 = pool_elt_at_index(spd->policies, *id2);
- if (p1 && p2)
- return p2->priority - p1->priority;
- }));
- /* *INDENT-ON* */
+ p1 = pool_elt_at_index (spd->policies, *id1);
+ p2 = pool_elt_at_index (spd->policies, *id2);
+ if (p1 && p2)
+ return p2->priority - p1->priority;
return 0;
}
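Review bot: The comparator now dereferences `ipsec_main.spd_to_sort` at L39 without checking it, so any sort that runs while the caller has not set that global (it is assigned only around the outbound-policy sort elsewhere in this change and reset to NULL afterwards) would fault on `spd->policies`; an `ASSERT (spd);` right after the assignment, matching the file's existing ASSERT usage, makes the contract explicit. The `p1 && p2` test at L51 cannot cover that case because `pool_elt_at_index` has already been applied to `spd`. The return at L52, `p2->priority - p1->priority`, is an integer subtraction used as an ordering; if `priority` is unsigned or spans more than half the `int` range the difference can wrap and mis-order entries, whereas `return (p2->priority > p1->priority) - (p2->priority < p1->priority);` keeps the same descending order without overflow. A one-line comment above the function, such as `/* Relies on ipsec_main.spd_to_sort being set by the caller for the duration of the sort. */`, would spare the next reader the hunt for where the global is set.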
clib_memcpy (vp, policy, sizeof (*vp));
policy_index = vp - spd->policies;
+ ipsec_main.spd_to_sort = spd;
+
if (policy->is_outbound)
{
if (policy->is_ipv6)
}
}
+ ipsec_main.spd_to_sort = NULL;
}
else
{
if (vec_elt(spd->ipv4_inbound_policy_discard_and_bypass_indices, j) == i) {
vec_del1 (spd->ipv4_inbound_policy_discard_and_bypass_indices, j);
break;
+ }
}
}
}
}
pool_put (spd->policies, vp);
break;
- }
}));
/* *INDENT-ON* */
}
return 0;
}
-static u8
+u8
ipsec_is_sa_used (u32 sa_index)
{
ipsec_main_t *im = &ipsec_main;
ASSERT (node);
im->error_drop_node_index = node->index;
- node = vlib_get_node_by_name (vm, (u8 *) "esp-encrypt");
+ node = vlib_get_node_by_name (vm, (u8 *) "esp4-encrypt");
+ ASSERT (node);
+ im->esp4_encrypt_node_index = node->index;
+
+ node = vlib_get_node_by_name (vm, (u8 *) "esp4-decrypt");
+ ASSERT (node);
+ im->esp4_decrypt_node_index = node->index;
+
+ node = vlib_get_node_by_name (vm, (u8 *) "ah4-encrypt");
+ ASSERT (node);
+ im->ah4_encrypt_node_index = node->index;
+
+ node = vlib_get_node_by_name (vm, (u8 *) "ah4-decrypt");
+ ASSERT (node);
+ im->ah4_decrypt_node_index = node->index;
+
+ im->esp4_encrypt_next_index = IPSEC_OUTPUT_NEXT_ESP4_ENCRYPT;
+ im->esp4_decrypt_next_index = IPSEC_INPUT_NEXT_ESP4_DECRYPT;
+ im->ah4_encrypt_next_index = IPSEC_OUTPUT_NEXT_AH4_ENCRYPT;
+ im->ah4_decrypt_next_index = IPSEC_INPUT_NEXT_AH4_DECRYPT;
+
+ node = vlib_get_node_by_name (vm, (u8 *) "esp6-encrypt");
+ ASSERT (node);
+ im->esp6_encrypt_node_index = node->index;
+
+ node = vlib_get_node_by_name (vm, (u8 *) "esp6-decrypt");
+ ASSERT (node);
+ im->esp6_decrypt_node_index = node->index;
+
+ node = vlib_get_node_by_name (vm, (u8 *) "ah6-encrypt");
ASSERT (node);
- im->esp_encrypt_node_index = node->index;
+ im->ah6_encrypt_node_index = node->index;
- node = vlib_get_node_by_name (vm, (u8 *) "esp-decrypt");
+ node = vlib_get_node_by_name (vm, (u8 *) "ah6-decrypt");
ASSERT (node);
- im->esp_decrypt_node_index = node->index;
+ im->ah6_decrypt_node_index = node->index;
- im->esp_encrypt_next_index = IPSEC_OUTPUT_NEXT_ESP_ENCRYPT;
- im->esp_decrypt_next_index = IPSEC_INPUT_NEXT_ESP_DECRYPT;
+ im->esp6_encrypt_next_index = IPSEC_OUTPUT_NEXT_ESP6_ENCRYPT;
+ im->esp6_decrypt_next_index = IPSEC_INPUT_NEXT_ESP6_DECRYPT;
+ im->ah6_encrypt_next_index = IPSEC_OUTPUT_NEXT_AH6_ENCRYPT;
+ im->ah6_decrypt_next_index = IPSEC_INPUT_NEXT_AH6_DECRYPT;
im->cb.check_support_cb = ipsec_check_support;
if ((error = vlib_call_init_function (vm, ipsec_tunnel_if_init)))
return error;
- esp_init ();
+ ipsec_proto_init ();
if ((error = ikev2_init (vm)))
return error;
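Review bot: The eight lookup blocks added between L92 and L129 repeat the same three statements with only the node name and the target field varying, which makes it easy to pair a name with the wrong field and hard to spot if it happens (the ah6 blocks at L121–L129 are interleaved with the removed esp lines, so a reviewer has to read them twice). A small static helper that looks up a node and returns its index reduces each assignment to one line and keeps the name and field visually adjacent. `ASSERT (node)` is presumably compiled out in release builds, in which case a graph node missing at init would leave `node` NULL at the `node->index` read; the helper is also the single place to turn that into an unconditional check if that is the intended behaviour. ipsec_init starts and ends outside the hunk.
```c
/* Look up a graph node by name and return its index; the node must exist. */
static u32
ipsec_node_index_by_name (vlib_main_t * vm, const char *name)
{
  vlib_node_t *node = vlib_get_node_by_name (vm, (u8 *) name);
  ASSERT (node);
  return node->index;
}

/* … unchanged: ipsec_init up to error_drop_node_index … */
  im->esp4_encrypt_node_index = ipsec_node_index_by_name (vm, "esp4-encrypt");
  im->esp4_decrypt_node_index = ipsec_node_index_by_name (vm, "esp4-decrypt");
  im->ah4_encrypt_node_index = ipsec_node_index_by_name (vm, "ah4-encrypt");
  im->ah4_decrypt_node_index = ipsec_node_index_by_name (vm, "ah4-decrypt");
  im->esp6_encrypt_node_index = ipsec_node_index_by_name (vm, "esp6-encrypt");
  im->esp6_decrypt_node_index = ipsec_node_index_by_name (vm, "esp6-decrypt");
  im->ah6_encrypt_node_index = ipsec_node_index_by_name (vm, "ah6-encrypt");
  im->ah6_decrypt_node_index = ipsec_node_index_by_name (vm, "ah6-decrypt");
/* … unchanged: next_index assignments, callbacks, init calls … */
```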