}
/**
- * @brief Call back when restacking all adjacencies on a GRE interface
+ * @brief Call back when restacking all adjacencies on a IPSec interface
*/
static adj_walk_rc_t
ipsec_if_adj_walk_cb (adj_index_t ai, void *ctx)
fib_protocol_t proto;
/*
- * walk all the adjacencies on th GRE interface and restack them
+ * walk all the adjacencies on the IPSec interface and restack them
*/
FOR_EACH_FIB_IP_PROTOCOL (proto)
{
}
static void
-ipsec_tunnel_feature_set (ipsec_tunnel_if_t * t, u8 enable)
+ipsec_tunnel_feature_set (ipsec_main_t * im, ipsec_tunnel_if_t * t, u8 enable)
{
- vnet_feature_enable_disable ("ip4-output",
- "esp4-encrypt-tun",
- t->sw_if_index, enable,
- &t->output_sa_index,
- sizeof (t->output_sa_index));
- vnet_feature_enable_disable ("ip6-output",
- "esp6-encrypt-tun",
- t->sw_if_index, enable,
- &t->output_sa_index,
- sizeof (t->output_sa_index));
+ u8 arc;
+
+ arc = vnet_get_feature_arc_index ("ip4-output");
+
+ vnet_feature_enable_disable_with_index (arc,
+ im->esp4_encrypt_tun_feature_index,
+ t->sw_if_index, enable,
+ &t->output_sa_index,
+ sizeof (t->output_sa_index));
+
+ arc = vnet_get_feature_arc_index ("ip6-output");
+
+ vnet_feature_enable_disable_with_index (arc,
+ im->esp6_encrypt_tun_feature_index,
+ t->sw_if_index, enable,
+ &t->output_sa_index,
+ sizeof (t->output_sa_index));
}
int
&args->local_ip, &t->input_sa_index);
if (rv)
- return VNET_API_ERROR_INVALID_SRC_ADDRESS;
+ return rv;
ipsec_mk_key (&crypto_key,
args->local_crypto_key, args->local_crypto_key_len);
&args->remote_ip, &t->output_sa_index);
if (rv)
- return VNET_API_ERROR_INVALID_DST_ADDRESS;
+ return rv;
/* copy the key */
if (is_ip6)
~0);
im->ipsec_if_by_sw_if_index[t->sw_if_index] = dev_instance;
- ipsec_tunnel_feature_set (t, 1);
+ ipsec_tunnel_feature_set (im, t, 1);
/*1st interface, register protocol */
if (pool_elts (im->tunnel_interfaces) == 1)
hi = vnet_get_hw_interface (vnm, t->hw_if_index);
vnet_sw_interface_set_flags (vnm, hi->sw_if_index, 0); /* admin down */
- ipsec_tunnel_feature_set (t, 0);
+ ipsec_tunnel_feature_set (im, t, 0);
vnet_delete_hw_interface (vnm, t->hw_if_index);
if (is_ip6)
return 0;
}
-int
-ipsec_add_del_ipsec_gre_tunnel (vnet_main_t * vnm,
- const ipsec_gre_tunnel_add_del_args_t * args)
-{
- ipsec_tunnel_if_t *t = 0;
- ipsec_main_t *im = &ipsec_main;
- uword *p;
- ipsec_sa_t *sa;
- ipsec4_tunnel_key_t key;
- u32 isa, osa;
-
- p = hash_get (im->sa_index_by_sa_id, args->local_sa_id);
- if (!p)
- return VNET_API_ERROR_INVALID_VALUE;
- osa = p[0];
- sa = pool_elt_at_index (im->sad, p[0]);
- ipsec_sa_set_IS_GRE (sa);
-
- p = hash_get (im->sa_index_by_sa_id, args->remote_sa_id);
- if (!p)
- return VNET_API_ERROR_INVALID_VALUE;
- isa = p[0];
- sa = pool_elt_at_index (im->sad, p[0]);
- ipsec_sa_set_IS_GRE (sa);
-
- /* we form the key from the input/remote SA whose tunnel is srouce
- * at the remote end */
- if (ipsec_sa_is_set_IS_TUNNEL (sa))
- {
- key.remote_ip = sa->tunnel_src_addr.ip4.as_u32;
- key.spi = clib_host_to_net_u32 (sa->spi);
- }
- else
- {
- key.remote_ip = args->src.as_u32;
- key.spi = clib_host_to_net_u32 (sa->spi);
- }
-
- p = hash_get (im->ipsec4_if_pool_index_by_key, key.as_u64);
-
- if (args->is_add)
- {
- /* check if same src/dst pair exists */
- if (p)
- return VNET_API_ERROR_INVALID_VALUE;
-
- pool_get_aligned (im->tunnel_interfaces, t, CLIB_CACHE_LINE_BYTES);
- clib_memset (t, 0, sizeof (*t));
-
- t->input_sa_index = isa;
- t->output_sa_index = osa;
- t->hw_if_index = ~0;
- hash_set (im->ipsec4_if_pool_index_by_key, key.as_u64,
- t - im->tunnel_interfaces);
-
- /*1st interface, register protocol */
- if (pool_elts (im->tunnel_interfaces) == 1)
- {
- ip4_register_protocol (IP_PROTOCOL_IPSEC_ESP,
- ipsec4_if_input_node.index);
- /* TBD, GRE IPSec6
- *
- ip6_register_protocol (IP_PROTOCOL_IPSEC_ESP,
- ipsec6_if_input_node.index);
- */
- }
- }
- else
- {
- /* check if exists */
- if (!p)
- return VNET_API_ERROR_INVALID_VALUE;
-
- t = pool_elt_at_index (im->tunnel_interfaces, p[0]);
- hash_unset (im->ipsec4_if_pool_index_by_key, key.as_u64);
- pool_put (im->tunnel_interfaces, t);
- }
- return 0;
-}
-
-int
-ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index,
- ipsec_if_set_key_type_t type, u8 alg, u8 * key)
-{
- ipsec_main_t *im = &ipsec_main;
- vnet_hw_interface_t *hi;
- ipsec_tunnel_if_t *t;
- ipsec_sa_t *sa;
-
- hi = vnet_get_hw_interface (vnm, hw_if_index);
- t = pool_elt_at_index (im->tunnel_interfaces, hi->dev_instance);
-
- if (hi->flags & VNET_HW_INTERFACE_FLAG_LINK_UP)
- return VNET_API_ERROR_SYSCALL_ERROR_1;
-
- if (type == IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO)
- {
- sa = pool_elt_at_index (im->sad, t->output_sa_index);
- ipsec_sa_set_crypto_alg (sa, alg);
- ipsec_mk_key (&sa->crypto_key, key, vec_len (key));
- }
- else if (type == IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG)
- {
- sa = pool_elt_at_index (im->sad, t->output_sa_index);
- ipsec_sa_set_integ_alg (sa, alg);
- ipsec_mk_key (&sa->integ_key, key, vec_len (key));
- }
- else if (type == IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO)
- {
- sa = pool_elt_at_index (im->sad, t->input_sa_index);
- ipsec_sa_set_crypto_alg (sa, alg);
- ipsec_mk_key (&sa->crypto_key, key, vec_len (key));
- }
- else if (type == IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG)
- {
- sa = pool_elt_at_index (im->sad, t->input_sa_index);
- ipsec_sa_set_integ_alg (sa, alg);
- ipsec_mk_key (&sa->integ_key, key, vec_len (key));
- }
- else
- return VNET_API_ERROR_INVALID_VALUE;
-
- return 0;
-}
-
-
int
ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index, u32 sa_id,
u8 is_outbound)
* re-enable the feature to get the new SA in
* the workers are stopped so no packets are sent in the clear
*/
- ipsec_tunnel_feature_set (t, 0);
+ ipsec_tunnel_feature_set (im, t, 0);
t->output_sa_index = sa_index;
- ipsec_tunnel_feature_set (t, 1);
+ ipsec_tunnel_feature_set (im, t, 1);
}
/* remove sa_id to sa_index mapping on old SA */
return 0;
}
-
clib_error_t *
ipsec_tunnel_if_init (vlib_main_t * vm)
{