l2: Separating scan-delay and learn-limit into a separate API from want_l2_macs_events
[vpp.git] / src / vnet / ipsec / ipsec_spd_policy.c
index 34b7dc2..05cfdf0 100644 (file)
@@ -123,6 +123,10 @@ ipsec_policy_mk_type (bool is_outbound,
                   IPSEC_SPD_POLICY_IP4_INBOUND_BYPASS);
          return (0);
        case IPSEC_POLICY_ACTION_DISCARD:
+         *type = (is_ipv6 ?
+                  IPSEC_SPD_POLICY_IP6_INBOUND_DISCARD :
+                  IPSEC_SPD_POLICY_IP4_INBOUND_DISCARD);
+         return (0);
        case IPSEC_POLICY_ACTION_RESOLVE:
          break;
        }
@@ -142,14 +146,6 @@ ipsec_add_del_policy (vlib_main_t * vm,
   u32 spd_index;
   uword *p;
 
-  if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
-    {
-      p = hash_get (im->sa_index_by_sa_id, policy->sa_id);
-      if (!p)
-       return VNET_API_ERROR_SYSCALL_ERROR_1;
-      policy->sa_index = p[0];
-    }
-
   p = hash_get (im->spd_index_by_spd_id, policy->id);
 
   if (!p)
@@ -164,6 +160,17 @@ ipsec_add_del_policy (vlib_main_t * vm,
     {
       u32 policy_index;
 
+      if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
+       {
+         index_t sa_index = ipsec_sa_find_and_lock (policy->sa_id);
+
+         if (INDEX_INVALID == sa_index)
+           return VNET_API_ERROR_SYSCALL_ERROR_1;
+         policy->sa_index = sa_index;
+       }
+      else
+       policy->sa_index = INDEX_INVALID;
+
       pool_get (im->policies, vp);
       clib_memcpy (vp, policy, sizeof (*vp));
       policy_index = vp - im->policies;
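Review bot: The SA lock taken by `ipsec_sa_find_and_lock` in the add branch has no visible release if a later step of the add fails. The hunk ends at `policy_index = vp - im->policies;` and the function continues outside it, so any error return after this point would need `ipsec_sa_unlock (policy->sa_index);` first, otherwise the SA stays referenced with no policy pointing at it. A comment above the lookup such as `/* the policy holds a lock on its SA until the policy is deleted */` would make the pairing with the unlock on the delete path explicit. Since `policy->sa_index` is now set only on add, the delete path has to rely on the stored `vp->sa_index` and not on the request, which is worth stating in the same comment.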
@@ -188,6 +195,7 @@ ipsec_add_del_policy (vlib_main_t * vm,
        if (ipsec_policy_is_equal (vp, policy))
          {
            vec_del1 (spd->policies[policy->type], ii);
+           ipsec_sa_unlock (vp->sa_index);
            pool_put (im->policies, vp);
            break;
          }
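Review bot: `ipsec_sa_unlock (vp->sa_index)` runs for every deleted policy, but the add path stores `INDEX_INVALID` in `sa_index` for any policy that is not PROTECT. The call is therefore only safe if `ipsec_sa_unlock` ignores `INDEX_INVALID`, which is not visible in this diff. Either guard it here, `if (INDEX_INVALID != vp->sa_index) ipsec_sa_unlock (vp->sa_index);`, or add a comment saying the callee tolerates the invalid index. An unbalanced unlock on a pool index is the kind of mistake that could release an SA still in use. The enclosing loop starts outside the hunk.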