#include <vnet/ipsec/ipsec.h>
-#if DPDK_CRYPTO==1
-#define ESP_NODE "dpdk-esp-encrypt"
-#else
-#define ESP_NODE "esp-encrypt"
-#endif
-
-#if IPSEC > 0
-
-#define foreach_ipsec_output_next \
-_(DROP, "error-drop") \
-_(ESP_ENCRYPT, ESP_NODE)
-
-#define _(v, s) IPSEC_OUTPUT_NEXT_##v,
-typedef enum
-{
- foreach_ipsec_output_next
-#undef _
- IPSEC_OUTPUT_N_NEXT,
-} ipsec_output_next_t;
-
+#if WITH_LIBSSL > 0
#define foreach_ipsec_output_error \
_(RX_PKTS, "IPSec pkts received") \
_(POLICY_BYPASS, "IPSec policy bypass") \
_(ENCAPS_FAILED, "IPSec encapsulation failed")
-
typedef enum
{
#define _(sym,str) IPSEC_OUTPUT_ERROR_##sym,
if (PREDICT_FALSE (p->protocol && (p->protocol != pr)))
continue;
- if (la < clib_net_to_host_u32 (p->laddr.start.ip4.as_u32))
+ if (ra < clib_net_to_host_u32 (p->raddr.start.ip4.as_u32))
continue;
- if (la > clib_net_to_host_u32 (p->laddr.stop.ip4.as_u32))
+ if (ra > clib_net_to_host_u32 (p->raddr.stop.ip4.as_u32))
continue;
- if (ra < clib_net_to_host_u32 (p->raddr.start.ip4.as_u32))
+ if (la < clib_net_to_host_u32 (p->laddr.start.ip4.as_u32))
continue;
- if (ra > clib_net_to_host_u32 (p->raddr.stop.ip4.as_u32))
+ if (la > clib_net_to_host_u32 (p->laddr.stop.ip4.as_u32))
continue;
- if (PREDICT_FALSE ((pr != IP_PROTOCOL_TCP) && (pr != IP_PROTOCOL_UDP)))
+ if (PREDICT_FALSE
+ ((pr != IP_PROTOCOL_TCP) && (pr != IP_PROTOCOL_UDP)
+ && (pr != IP_PROTOCOL_SCTP)))
return p;
if (lp < p->lport.start)
if (!ip6_addr_match_range (la, &p->laddr.start.ip6, &p->laddr.stop.ip6))
continue;
- if (PREDICT_FALSE ((pr != IP_PROTOCOL_TCP) && (pr != IP_PROTOCOL_UDP)))
+ if (PREDICT_FALSE
+ ((pr != IP_PROTOCOL_TCP) && (pr != IP_PROTOCOL_UDP)
+ && (pr != IP_PROTOCOL_SCTP)))
return p;
if (lp < p->lport.start)
vlib_frame_t *f = 0;
u32 spd_index0 = ~0;
ipsec_spd_t *spd0 = 0;
+ int bogus;
u64 nc_protect = 0, nc_bypass = 0, nc_discard = 0, nc_nomatch = 0;
from = vlib_frame_vector_args (from_frame);
ip6_header_t *ip6_0 = 0;
udp_header_t *udp0;
u32 iph_offset = 0;
+ tcp_header_t *tcp0;
bi0 = from[0];
b0 = vlib_get_buffer (vm, bi0);
clib_net_to_host_u16
(udp0->dst_port));
}
+ tcp0 = (void *) udp0;
if (PREDICT_TRUE (p0 != NULL))
{
if (p0->policy == IPSEC_POLICY_ACTION_PROTECT)
{
+ ipsec_sa_t *sa = 0;
nc_protect++;
- next_node_index = im->esp_encrypt_node_index;
+ sa = pool_elt_at_index (im->sad, p0->sa_index);
+ if (sa->protocol == IPSEC_PROTOCOL_ESP)
+ next_node_index = im->esp_encrypt_node_index;
+ else
+ next_node_index = im->ah_encrypt_node_index;
vnet_buffer (b0)->ipsec.sad_index = p0->sa_index;
- vlib_buffer_advance (b0, iph_offset);
p0->counter.packets++;
if (is_ipv6)
{
p0->counter.bytes +=
clib_net_to_host_u16 (ip6_0->payload_length);
p0->counter.bytes += sizeof (ip6_header_t);
+ if (PREDICT_FALSE
+ (b0->flags & VNET_BUFFER_F_OFFLOAD_TCP_CKSUM))
+ {
+ tcp0->checksum =
+ ip6_tcp_udp_icmp_compute_checksum (vm, b0, ip6_0,
+ &bogus);
+ b0->flags &= ~VNET_BUFFER_F_OFFLOAD_TCP_CKSUM;
+ }
+ if (PREDICT_FALSE
+ (b0->flags & VNET_BUFFER_F_OFFLOAD_UDP_CKSUM))
+ {
+ udp0->checksum =
+ ip6_tcp_udp_icmp_compute_checksum (vm, b0, ip6_0,
+ &bogus);
+ b0->flags &= ~VNET_BUFFER_F_OFFLOAD_UDP_CKSUM;
+ }
}
else
{
p0->counter.bytes += clib_net_to_host_u16 (ip0->length);
+ if (b0->flags & VNET_BUFFER_F_OFFLOAD_IP_CKSUM)
+ {
+ ip0->checksum = ip4_header_checksum (ip0);
+ b0->flags &= ~VNET_BUFFER_F_OFFLOAD_IP_CKSUM;
+ }
+ if (PREDICT_FALSE
+ (b0->flags & VNET_BUFFER_F_OFFLOAD_TCP_CKSUM))
+ {
+ tcp0->checksum =
+ ip4_tcp_udp_compute_checksum (vm, b0, ip0);
+ b0->flags &= ~VNET_BUFFER_F_OFFLOAD_TCP_CKSUM;
+ }
+ if (PREDICT_FALSE
+ (b0->flags & VNET_BUFFER_F_OFFLOAD_UDP_CKSUM))
+ {
+ udp0->checksum =
+ ip4_tcp_udp_compute_checksum (vm, b0, ip0);
+ b0->flags &= ~VNET_BUFFER_F_OFFLOAD_UDP_CKSUM;
+ }
}
+ vlib_buffer_advance (b0, iph_offset);
}
else if (p0->policy == IPSEC_POLICY_ACTION_BYPASS)
{