clib_error_t *error;
ipsec_key_t ck = { 0 };
ipsec_key_t ik = { 0 };
- u32 id, spi, salt;
+ u32 id, spi, salt, sai;
+ u16 udp_src, udp_dst;
int is_add, rv;
salt = 0;
proto = IPSEC_PROTOCOL_ESP;
integ_alg = IPSEC_INTEG_ALG_NONE;
crypto_alg = IPSEC_CRYPTO_ALG_NONE;
+ udp_src = udp_dst = IPSEC_UDP_PORT_NONE;
if (!unformat_user (input, unformat_line_input, line_input))
return 0;
rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg,
&ck, integ_alg, &ik, flags,
0, clib_host_to_net_u32 (salt),
- &tun_src, &tun_dst, NULL,
- IPSEC_UDP_PORT_NONE);
+ &tun_src, &tun_dst, &sai, udp_src, udp_dst);
else
rv = ipsec_sa_unlock_id (id);
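Review bot: `sai` is passed to ipsec_sa_add_and_lock as an output pointer but is never given a value of its own: it is declared in `u32 id, spi, salt, sai;` and the defaults block sets `salt` and the UDP ports only. If the add fails, or the `else` branch runs for a delete, `sai` is indeterminate, so any read of it later in the function (outside this hunk) would need to be guarded on `is_add && rv == 0`. Setting `sai = ~0;` next to `salt = 0;` makes an accidental use recognisable. If nothing reads the index afterwards, passing `NULL` as before would be simpler; the tunnel callers in this same patch still do that.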
unformat_input_t _line_input, *line_input = &_line_input;
ipsec_policy_t p;
int rv, is_add = 0;
- u32 tmp, tmp2, stat_index;
+ u32 tmp, tmp2, stat_index, local_range_set, remote_range_set;
clib_error_t *error = NULL;
u32 is_outbound;
clib_memset (&p, 0, sizeof (p));
p.lport.stop = p.rport.stop = ~0;
- is_outbound = 0;
+ remote_range_set = local_range_set = is_outbound = 0;
if (!unformat_user (input, unformat_line_input, line_input))
return 0;
is_add = 1;
else if (unformat (line_input, "del"))
is_add = 0;
+ else if (unformat (line_input, "ip6"))
+ p.is_ipv6 = 1;
else if (unformat (line_input, "spd %u", &p.id))
;
else if (unformat (line_input, "inbound"))
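Review bot: The new `ip6` keyword sets `p.is_ipv6 = 1`, but the IPv4 `local-ip-range` / `remote-ip-range` branches in the next hunk only set their `*_range_set` flag and never check the family. A line that combines `ip6` with dotted-quad ranges is therefore accepted, yielding a policy typed as IPv6 whose bounds were written through the `.ip4` members, and the unset side is then filled as a 16-byte IPv6 wildcard. For an SPD entry this means the installed match can differ from what the operator typed. I would record the family in the IPv4 branches (for example with a new `ip4_range_set = 1;`) and reject the mix after the loop with `if (p.is_ipv6 && ip4_range_set) error = clib_error_return (0, "IPv4 range given for an ip6 policy");`, leaving through the function's existing error path, which is not visible here. The if/else chain starts and ends outside this hunk.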
else if (unformat (line_input, "local-ip-range %U - %U",
unformat_ip4_address, &p.laddr.start.ip4,
unformat_ip4_address, &p.laddr.stop.ip4))
- ;
+ local_range_set = 1;
else if (unformat (line_input, "remote-ip-range %U - %U",
unformat_ip4_address, &p.raddr.start.ip4,
unformat_ip4_address, &p.raddr.stop.ip4))
- ;
+ remote_range_set = 1;
else if (unformat (line_input, "local-ip-range %U - %U",
unformat_ip6_address, &p.laddr.start.ip6,
unformat_ip6_address, &p.laddr.stop.ip6))
{
p.is_ipv6 = 1;
+ local_range_set = 1;
}
else if (unformat (line_input, "remote-ip-range %U - %U",
unformat_ip6_address, &p.raddr.start.ip6,
unformat_ip6_address, &p.raddr.stop.ip6))
{
p.is_ipv6 = 1;
+ remote_range_set = 1;
}
else if (unformat (line_input, "local-port-range %u - %u", &tmp, &tmp2))
{
}
}
+ if (!remote_range_set)
+ {
+ if (p.is_ipv6)
+ clib_memset (&p.raddr.stop.ip6, 0xff, 16);
+ else
+ clib_memset (&p.raddr.stop.ip4, 0xff, 4);
+ }
+ if (!local_range_set)
+ {
+ if (p.is_ipv6)
+ clib_memset (&p.laddr.stop.ip6, 0xff, 16);
+ else
+ clib_memset (&p.laddr.stop.ip4, 0xff, 4);
+ }
+
rv = ipsec_policy_mk_type (is_outbound, p.is_ipv6, p.policy, &p.type);
if (rv)
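Review bot: With this block a policy entered without `local-ip-range` or `remote-ip-range` now matches every address of its family, and nothing in the hunk says so. The start bounds are still zero from `clib_memset (&p, 0, sizeof (p))`, so filling `stop` with 0xff turns an omitted range from a single all-zero address into a wildcard. That is a real widening for bypass or discard entries and should be stated in a comment such as `/* no range given: match any address of the policy's family */`, and in the command's help text. The literal lengths would also be safer as `sizeof (p.raddr.stop.ip6)` and `sizeof (p.raddr.stop.ip4)` (likewise for `laddr`), so the fill cannot drift from the field sizes. The function body continues outside this hunk.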
local_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
&lck, integ_alg, &lik, flags, table_id,
clib_host_to_net_u32 (salt), &local_ip,
- &remote_ip, NULL, IPSEC_UDP_PORT_NONE);
+ &remote_ip, NULL, IPSEC_UDP_PORT_NONE,
+ IPSEC_UDP_PORT_NONE);
rv |=
ipsec_sa_add_and_lock (ipsec_tun_mk_remote_sa_id (sw_if_index),
remote_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
&rck, integ_alg, &rik,
(flags | IPSEC_SA_FLAG_IS_INBOUND), table_id,
clib_host_to_net_u32 (salt), &remote_ip,
- &local_ip, NULL, IPSEC_UDP_PORT_NONE);
+ &local_ip, NULL, IPSEC_UDP_PORT_NONE,
+ IPSEC_UDP_PORT_NONE);
rv |=
ipsec_tun_protect_update_one (sw_if_index, &nh,
ipsec_tun_mk_local_sa_id (sw_if_index),