ipsec: fix support check when using AES-GCM
[vpp.git] / src / vnet / ipsec / ipsec.c
index bb62560..fdd18c2 100644 (file)
@@ -73,18 +73,18 @@ ipsec_set_interface_spd (vlib_main_t * vm, u32 sw_if_index, u32 spd_id,
                sw_if_index, spd_id, spd_index);
 
   /* enable IPsec on TX */
-  vnet_feature_enable_disable ("ip4-output", "ipsec4-output", sw_if_index,
-                              is_add, 0, 0);
-  vnet_feature_enable_disable ("ip6-output", "ipsec6-output", sw_if_index,
-                              is_add, 0, 0);
+  vnet_feature_enable_disable ("ip4-output", "ipsec4-output-feature",
+                              sw_if_index, is_add, 0, 0);
+  vnet_feature_enable_disable ("ip6-output", "ipsec6-output-feature",
+                              sw_if_index, is_add, 0, 0);
 
   config.spd_index = spd_index;
 
   /* enable IPsec on RX */
-  vnet_feature_enable_disable ("ip4-unicast", "ipsec4-input", sw_if_index,
-                              is_add, &config, sizeof (config));
-  vnet_feature_enable_disable ("ip6-unicast", "ipsec6-input", sw_if_index,
-                              is_add, &config, sizeof (config));
+  vnet_feature_enable_disable ("ip4-unicast", "ipsec4-input-feature",
+                              sw_if_index, is_add, &config, sizeof (config));
+  vnet_feature_enable_disable ("ip6-unicast", "ipsec6-input-feature",
+                              sw_if_index, is_add, &config, sizeof (config));
 
   return 0;
 }
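Review bot: The four vnet_feature_enable_disable calls still discard their return value and the function ends in `return 0;`, so if a renamed string such as "ipsec4-input-feature" does not match a registered feature node, the caller is told the SPD is bound while IPsec processing is presumably never enabled on the interface. Because this commit changes exactly those names, checking the result would surface a mismatch at configuration time, e.g. `rv = vnet_feature_enable_disable (...); if (rv) return rv;`. The same literals are repeated in the ipsec_add_node calls of ipsec_register_ah_backend and ipsec_register_esp_backend; defining the four names once and sharing them across the three functions would keep them in step. The start of ipsec_set_interface_spd lies outside the hunk.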
@@ -569,16 +569,21 @@ clib_error_t *
 ipsec_check_support_cb (ipsec_main_t * im, ipsec_sa_t * sa)
 {
   clib_error_t *error = 0;
-  ipsec_ah_backend_t *ah =
-    pool_elt_at_index (im->ah_backends, im->ah_current_backend);
-  ASSERT (ah->check_support_cb);
-  error = ah->check_support_cb (sa);
-  if (error)
-    return error;
-  ipsec_esp_backend_t *esp =
-    pool_elt_at_index (im->esp_backends, im->esp_current_backend);
-  ASSERT (esp->check_support_cb);
-  error = esp->check_support_cb (sa);
+
+  if (PREDICT_FALSE (sa->protocol == IPSEC_PROTOCOL_AH))
+    {
+      ipsec_ah_backend_t *ah =
+       pool_elt_at_index (im->ah_backends, im->ah_current_backend);
+      ASSERT (ah->check_support_cb);
+      error = ah->check_support_cb (sa);
+    }
+  else
+    {
+      ipsec_esp_backend_t *esp =
+       pool_elt_at_index (im->esp_backends, im->esp_current_backend);
+      ASSERT (esp->check_support_cb);
+      error = esp->check_support_cb (sa);
+    }
   return error;
 }
 
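Review bot: The `else` branch of ipsec_check_support_cb sends every SA whose protocol is not IPSEC_PROTOCOL_AH to the ESP backend, so an unexpected protocol value is validated as if it were ESP instead of being rejected. Making the second branch `else if (sa->protocol == IPSEC_PROTOCOL_ESP)` and adding a final branch such as `error = clib_error_return (0, "unsupported IPsec protocol");` would make the check fail closed. ASSERT is normally compiled out of release images, so a backend registered without check_support_cb would be called through a null pointer; a plain `if (!esp->check_support_cb)` error return costs nothing on this path. The PREDICT_FALSE hint adds little, since this function appears to run when an SA is configured rather than per packet.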
@@ -611,13 +616,13 @@ ipsec_register_ah_backend (vlib_main_t * vm, ipsec_main_t * im,
   pool_get (im->ah_backends, b);
   b->name = format (NULL, "%s", name);
 
-  ipsec_add_node (vm, ah4_encrypt_node_name, "ipsec4-output",
+  ipsec_add_node (vm, ah4_encrypt_node_name, "ipsec4-output-feature",
                  &b->ah4_encrypt_node_index, &b->ah4_encrypt_next_index);
-  ipsec_add_node (vm, ah4_decrypt_node_name, "ipsec4-input",
+  ipsec_add_node (vm, ah4_decrypt_node_name, "ipsec4-input-feature",
                  &b->ah4_decrypt_node_index, &b->ah4_decrypt_next_index);
-  ipsec_add_node (vm, ah6_encrypt_node_name, "ipsec6-output",
+  ipsec_add_node (vm, ah6_encrypt_node_name, "ipsec6-output-feature",
                  &b->ah6_encrypt_node_index, &b->ah6_encrypt_next_index);
-  ipsec_add_node (vm, ah6_decrypt_node_name, "ipsec6-input",
+  ipsec_add_node (vm, ah6_decrypt_node_name, "ipsec6-input-feature",
                  &b->ah6_decrypt_node_index, &b->ah6_decrypt_next_index);
 
   b->check_support_cb = ah_check_support_cb;
@@ -639,13 +644,13 @@ ipsec_register_esp_backend (vlib_main_t * vm, ipsec_main_t * im,
   pool_get (im->esp_backends, b);
   b->name = format (NULL, "%s", name);
 
-  ipsec_add_node (vm, esp4_encrypt_node_name, "ipsec4-output",
+  ipsec_add_node (vm, esp4_encrypt_node_name, "ipsec4-output-feature",
                  &b->esp4_encrypt_node_index, &b->esp4_encrypt_next_index);
-  ipsec_add_node (vm, esp4_decrypt_node_name, "ipsec4-input",
+  ipsec_add_node (vm, esp4_decrypt_node_name, "ipsec4-input-feature",
                  &b->esp4_decrypt_node_index, &b->esp4_decrypt_next_index);
-  ipsec_add_node (vm, esp6_encrypt_node_name, "ipsec6-output",
+  ipsec_add_node (vm, esp6_encrypt_node_name, "ipsec6-output-feature",
                  &b->esp6_encrypt_node_index, &b->esp6_encrypt_next_index);
-  ipsec_add_node (vm, esp6_decrypt_node_name, "ipsec6-input",
+  ipsec_add_node (vm, esp6_decrypt_node_name, "ipsec6-input-feature",
                  &b->esp6_decrypt_node_index, &b->esp6_decrypt_next_index);
 
   b->check_support_cb = esp_check_support_cb;