#include <vnet/ipsec/esp.h>
#include <vnet/udp/udp.h>
#include <vnet/fib/fib_table.h>
+#include <vnet/fib/fib_entry_track.h>
#include <vnet/ipsec/ipsec_tun.h>
/**
sa->protocol = proto;
sa->flags = flags;
sa->salt = salt;
- ipsec_sa_set_integ_alg (sa, integ_alg);
- clib_memcpy (&sa->integ_key, ik, sizeof (sa->integ_key));
+ sa->encrypt_thread_index = (vlib_num_workers ())? ~0 : 0;
+ sa->decrypt_thread_index = (vlib_num_workers ())? ~0 : 0;
+ if (integ_alg != IPSEC_INTEG_ALG_NONE)
+ {
+ ipsec_sa_set_integ_alg (sa, integ_alg);
+ clib_memcpy (&sa->integ_key, ik, sizeof (sa->integ_key));
+ }
ipsec_sa_set_crypto_alg (sa, crypto_alg);
clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
ip46_address_copy (&sa->tunnel_src_addr, tun_src);
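Review bot: When `integ_alg == IPSEC_INTEG_ALG_NONE`, the new branch skips both `ipsec_sa_set_integ_alg` and the key copy, so `sa->integ_alg`, `sa->integ_key` and `sa->integ_key_index` keep whatever the pool element already held. The delete path later tests `sa->integ_alg`, so unless the allocation above this hunk zeroes the element, I would make the state explicit with `else { sa->integ_alg = IPSEC_INTEG_ALG_NONE; sa->integ_key_index = ~0; }`. Nothing in the visible lines requires `crypto_alg` to be an AEAD when no integrity algorithm is given; if that is not enforced elsewhere, such an SA would accept unauthenticated ciphertext. The enclosing function starts and ends outside the hunk.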
return VNET_API_ERROR_KEY_LENGTH;
}
- sa->integ_key_index = vnet_crypto_key_add (vm,
- im->integ_algs[integ_alg].alg,
- (u8 *) ik->data, ik->len);
- if (~0 == sa->integ_key_index)
+ if (integ_alg != IPSEC_INTEG_ALG_NONE)
{
- pool_put (im->sad, sa);
- return VNET_API_ERROR_KEY_LENGTH;
+ sa->integ_key_index = vnet_crypto_key_add (vm,
+ im->
+ integ_algs[integ_alg].alg,
+ (u8 *) ik->data, ik->len);
+ if (~0 == sa->integ_key_index)
+ {
+ pool_put (im->sad, sa);
+ return VNET_API_ERROR_KEY_LENGTH;
+ }
}
err = ipsec_check_support_cb (im, sa);
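Review bot: The integ failure path (`pool_put (im->sad, sa); return VNET_API_ERROR_KEY_LENGTH;`) frees the SA without releasing `sa->crypto_key_index`. That key appears to have been registered just above the hunk, since the leading `return VNET_API_ERROR_KEY_LENGTH;` looks like that call's own failure path. Adding `vnet_crypto_key_del (vm, sa->crypto_key_index);` before the `pool_put` would keep the crypto layer from retaining key material for an SA that was never created. The enclosing function starts and ends outside the hunk.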
return VNET_API_ERROR_NO_SUCH_FIB;
}
- sa->fib_entry_index = fib_table_entry_special_add (sa->tx_fib_index,
- &pfx,
- FIB_SOURCE_RR,
- FIB_ENTRY_FLAG_NONE);
- sa->sibling = fib_entry_child_add (sa->fib_entry_index,
- FIB_NODE_TYPE_IPSEC_SA, sa_index);
+ sa->fib_entry_index = fib_entry_track (sa->tx_fib_index,
+ &pfx,
+ FIB_NODE_TYPE_IPSEC_SA,
+ sa_index, &sa->sibling);
ipsec_sa_stack (sa);
/* generate header templates */
if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
{
- fib_entry_child_remove (sa->fib_entry_index, sa->sibling);
- fib_table_entry_special_remove
- (sa->tx_fib_index,
- fib_entry_get_prefix (sa->fib_entry_index), FIB_SOURCE_RR);
+ fib_entry_untrack (sa->fib_entry_index, sa->sibling);
dpo_reset (&sa->dpo);
}
vnet_crypto_key_del (vm, sa->crypto_key_index);
- vnet_crypto_key_del (vm, sa->integ_key_index);
+ if (sa->integ_alg != IPSEC_INTEG_ALG_NONE)
+ vnet_crypto_key_del (vm, sa->integ_key_index);
pool_put (im->sad, sa);
}
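Review bot: The teardown returns the SA to the pool with the raw key copies still in `sa->crypto_key` and `sa->integ_key`; the visible lines delete only the crypto-layer key indices. Unless they are cleared above the hunk, consider `clib_memset (&sa->crypto_key, 0, sizeof (sa->crypto_key));` and the same for `sa->integ_key` just before `pool_put (im->sad, sa);`, so a recycled pool element does not carry an old SA's key bytes. The function's opening lines are outside the hunk.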
fib_node_unlock (&sa->node);
}
+void
+ipsec_sa_lock (index_t sai)
+{
+ ipsec_main_t *im = &ipsec_main;
+ ipsec_sa_t *sa;
+
+ if (INDEX_INVALID == sai)
+ return;
+
+ sa = pool_elt_at_index (im->sad, sai);
+
+ fib_node_lock (&sa->node);
+}
+
index_t
ipsec_sa_find_and_lock (u32 id)
{
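Review bot: `ipsec_sa_lock` rejects only `INDEX_INVALID`, so any other stale or out-of-range `sai` goes straight to `pool_elt_at_index`, whose bounds check is an assertion that release builds compile out. If callers can hold an index across an SA delete, `fib_node_lock` would then bump a refcount on a freed or reused element. Widening the guard to `if (INDEX_INVALID == sai || pool_is_free_index (im->sad, sai)) return;` covers that case. The function also has no header comment; something like `/* Take a reference on an SA by pool index; no-op for INDEX_INVALID. Pair with the matching unlock. */` would document the contract. `ipsec_sa_find_and_lock` continues past the end of the hunk.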