ipsec: move startup config to common file
[vpp.git] / src / vnet / ipsec / ipsec_tun.c
index 63e063f..58f9efe 100644 (file)
@@ -470,13 +470,13 @@ ipsec_tun_protect_set_crypto_addr (ipsec_tun_protect_t * itp)
   ({
     if (ipsec_sa_is_set_IS_TUNNEL (sa))
       {
-        itp->itp_crypto.src = sa->tunnel_dst_addr;
-        itp->itp_crypto.dst = sa->tunnel_src_addr;
-        if (!(itp->itp_flags & IPSEC_PROTECT_ITF))
-          {
-            ipsec_sa_set_IS_PROTECT (sa);
-            itp->itp_flags |= IPSEC_PROTECT_ENCAPED;
-          }
+       itp->itp_crypto.src = ip_addr_46 (&sa->tunnel.t_dst);
+       itp->itp_crypto.dst = ip_addr_46 (&sa->tunnel.t_src);
+       if (!(itp->itp_flags & IPSEC_PROTECT_ITF))
+         {
+           ipsec_sa_set_IS_PROTECT (sa);
+           itp->itp_flags |= IPSEC_PROTECT_ENCAPED;
+         }
       }
     else
       {
@@ -778,6 +778,49 @@ ipsec_tun_protect_walk_itf (u32 sw_if_index,
     fn (idi->id_itp, ctx);
 }
 
+static void
+ipsec_tun_feature_update (u32 sw_if_index, u8 arc_index, u8 is_enable,
+                         void *data)
+{
+  ipsec_tun_protect_t *itp;
+  index_t itpi;
+
+  if (arc_index != feature_main.device_input_feature_arc_index)
+    return;
+
+  /* Only p2p tunnels supported */
+  itpi = ipsec_tun_protect_find (sw_if_index, &IP_ADDR_ALL_0);
+  if (itpi == INDEX_INVALID)
+    return;
+
+  itp = ipsec_tun_protect_get (itpi);
+
+  if (is_enable)
+    {
+      u32 decrypt_tun = ip46_address_is_ip4 (&itp->itp_crypto.dst) ?
+                         ipsec_main.esp4_decrypt_tun_node_index :
+                         ipsec_main.esp6_decrypt_tun_node_index;
+
+      vnet_feature_modify_end_node (
+       feature_main.device_input_feature_arc_index, sw_if_index, decrypt_tun);
+      itp->itp_flags |= IPSEC_PROTECT_FEAT;
+    }
+  else
+    {
+      u32 eth_in =
+       vlib_get_node_by_name (vlib_get_main (), (u8 *) "ethernet-input")
+         ->index;
+
+      vnet_feature_modify_end_node (
+       feature_main.device_input_feature_arc_index, sw_if_index, eth_in);
+      itp->itp_flags &= ~IPSEC_PROTECT_FEAT;
+    }
+
+  /* Propagate flag change into lookup entries */
+  ipsec_tun_protect_rx_db_remove (&ipsec_main, itp);
+  ipsec_tun_protect_rx_db_add (&ipsec_main, itp);
+}
+
 static void
 ipsec_tun_protect_adj_delegate_adj_deleted (adj_delegate_t * ad)
 {
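Review bot: In the disable branch of ipsec_tun_feature_update, the pointer returned by `vlib_get_node_by_name (vlib_get_main (), (u8 *) "ethernet-input")` is dereferenced with `->index` without a NULL check, so a failed lookup would crash the process from inside a feature-toggle callback. Hold the result in a local and return early on a miss, e.g. `vlib_node_t *n = vlib_get_node_by_name (...); if (n == NULL) return;`, then pass `n->index`. The same branch always sets the end node to ethernet-input rather than restoring whatever was there before the enable. If this arc can have a different end node on such an interface, received tunnel traffic would be steered away from the path the operator configured, so a comment saying why ethernet-input is always correct would help. The function also has no header comment; it appears to keep the device-input end node of a protected p2p tunnel pointed at the ESP decrypt node while the callback reports a feature as enabled, and that intent is worth stating above the signature.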
@@ -882,7 +925,7 @@ const static teib_vft_t ipsec_tun_teib_vft = {
   .nv_deleted = ipsec_tun_teib_entry_deleted,
 };
 
-static void
+void
 ipsec_tun_table_init (ip_address_family_t af, uword table_size, u32 n_buckets)
 {
   ipsec_main_t *im;
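Review bot: Dropping `static` makes ipsec_tun_table_init an exported entry point, but it has no comment describing the contract a caller in another file must honour. The ipsec_config removed later in this commit passed `~0` for both `table_size` and `n_buckets` when they were unset, which suggests a "use the default" sentinel; the body lies outside this hunk, so that should be confirmed. A comment above the definition such as `/* (Re)create the tunnel-protect lookup table for af; ~0 for table_size or n_buckets selects the default */` would record it. It would also help to state whether the function may be called again once the table already holds protections, since the startup-config caller now lives elsewhere.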
@@ -929,60 +972,12 @@ ipsec_tunnel_protect_init (vlib_main_t *vm)
 
   teib_register (&ipsec_tun_teib_vft);
 
-  return 0;
-}
-
-VLIB_INIT_FUNCTION (ipsec_tunnel_protect_init);
-
-static clib_error_t *
-ipsec_config (vlib_main_t * vm, unformat_input_t * input)
-{
-  unformat_input_t sub_input;
-
-  while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
-    {
-      if (unformat (input, "ip4 %U", unformat_vlib_cli_sub_input, &sub_input))
-       {
-         uword table_size = ~0;
-         u32 n_buckets = ~0;
-
-         while (unformat_check_input (&sub_input) != UNFORMAT_END_OF_INPUT)
-           {
-             if (unformat (&sub_input, "num-buckets %u", &n_buckets))
-               ;
-             else
-               return clib_error_return (0, "unknown input `%U'",
-                                         format_unformat_error, &sub_input);
-           }
-
-         ipsec_tun_table_init (AF_IP4, table_size, n_buckets);
-       }
-      else if (unformat (input, "ip6 %U", unformat_vlib_cli_sub_input,
-                        &sub_input))
-       {
-         uword table_size = ~0;
-         u32 n_buckets = ~0;
-
-         while (unformat_check_input (&sub_input) != UNFORMAT_END_OF_INPUT)
-           {
-             if (unformat (&sub_input, "num-buckets %u", &n_buckets))
-               ;
-             else
-               return clib_error_return (0, "unknown input `%U'",
-                                         format_unformat_error, &sub_input);
-           }
-
-         ipsec_tun_table_init (AF_IP6, table_size, n_buckets);
-       }
-      else
-       return clib_error_return (0, "unknown input `%U'",
-                                 format_unformat_error, input);
-    }
+  vnet_feature_register (ipsec_tun_feature_update, NULL);
 
   return 0;
 }
 
-VLIB_CONFIG_FUNCTION (ipsec_config, "ipsec");
+VLIB_INIT_FUNCTION (ipsec_tunnel_protect_init);
 
 /*
  * fd.io coding-style-patch-verification: ON