X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;ds=inline;f=src%2Fvnet%2Fipsec%2Fipsec_sa.c;h=0e1e63d0db4ab16b976ba5c0f5bf88c027e22c74;hb=ca578521686790ce1f3b1a8bc43a182fd4949a36;hp=e3eff5869068ec69c6a9505cf4b95573768fdec9;hpb=495d7ffbc82823edccabab960fc81a909f80075d;p=vpp.git diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c index e3eff586906..0e1e63d0db4 100644 --- a/src/vnet/ipsec/ipsec_sa.c +++ b/src/vnet/ipsec/ipsec_sa.c @@ -17,6 +17,7 @@ #include #include #include +#include #include /** @@ -134,7 +135,8 @@ ipsec_sa_add_and_lock (u32 id, u32 tx_table_id, u32 salt, const ip46_address_t * tun_src, - const ip46_address_t * tun_dst, u32 * sa_out_index) + const ip46_address_t * tun_dst, u32 * sa_out_index, + u16 dst_port) { vlib_main_t *vm = vlib_get_main (); ipsec_main_t *im = &ipsec_main; @@ -162,8 +164,13 @@ ipsec_sa_add_and_lock (u32 id, sa->protocol = proto; sa->flags = flags; sa->salt = salt; - ipsec_sa_set_integ_alg (sa, integ_alg); - clib_memcpy (&sa->integ_key, ik, sizeof (sa->integ_key)); + sa->encrypt_thread_index = (vlib_num_workers ())? ~0 : 0; + sa->decrypt_thread_index = (vlib_num_workers ())? ~0 : 0; + if (integ_alg != IPSEC_INTEG_ALG_NONE) + { + ipsec_sa_set_integ_alg (sa, integ_alg); + clib_memcpy (&sa->integ_key, ik, sizeof (sa->integ_key)); + } ipsec_sa_set_crypto_alg (sa, crypto_alg); clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key)); ip46_address_copy (&sa->tunnel_src_addr, tun_src); 
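Review bot: The new `if (integ_alg != IPSEC_INTEG_ALG_NONE)` guard in the hunk at -162,8 lets an SA be created with no integrity algorithm and no integrity key, and nothing visible here ties that case to the cipher being a combined-mode (AEAD) algorithm. ESP encryption without authentication leaves ciphertext modifiable in transit, so the NONE case should be rejected unless `crypto_alg` provides its own integrity. Whether `ipsec_check_support_cb` or the API layer already enforces this cannot be seen from this diff and should be confirmed. If it does not, an explicit check placed before the key copy and returning an API error would close the gap. The body of `ipsec_sa_add_and_lock` starts and ends outside the hunk.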
@@ -178,13 +185,17 @@ ipsec_sa_add_and_lock (u32 id, return VNET_API_ERROR_KEY_LENGTH; } - sa->integ_key_index = vnet_crypto_key_add (vm, - im->integ_algs[integ_alg].alg, - (u8 *) ik->data, ik->len); - if (~0 == sa->integ_key_index) + if (integ_alg != IPSEC_INTEG_ALG_NONE) { - pool_put (im->sad, sa); - return VNET_API_ERROR_KEY_LENGTH; + sa->integ_key_index = vnet_crypto_key_add (vm, + im-> + integ_algs[integ_alg].alg, + (u8 *) ik->data, ik->len); + if (~0 == sa->integ_key_index) + { + pool_put (im->sad, sa); + return VNET_API_ERROR_KEY_LENGTH; + } } err = ipsec_check_support_cb (im, sa); @@ -218,12 +229,10 @@ ipsec_sa_add_and_lock (u32 id, return VNET_API_ERROR_NO_SUCH_FIB; } - sa->fib_entry_index = fib_table_entry_special_add (sa->tx_fib_index, - &pfx, - FIB_SOURCE_RR, - FIB_ENTRY_FLAG_NONE); - sa->sibling = fib_entry_child_add (sa->fib_entry_index, - FIB_NODE_TYPE_IPSEC_SA, sa_index); + sa->fib_entry_index = fib_entry_track (sa->tx_fib_index, + &pfx, + FIB_NODE_TYPE_IPSEC_SA, + sa_index, &sa->sibling); ipsec_sa_stack (sa); /* generate header templates */ @@ -261,8 +270,16 @@ ipsec_sa_add_and_lock (u32 id, if (ipsec_sa_is_set_UDP_ENCAP (sa)) { - sa->udp_hdr.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec); - sa->udp_hdr.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec); + if (dst_port == IPSEC_UDP_PORT_NONE) + { + sa->udp_hdr.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec); + sa->udp_hdr.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec); + } + else + { + sa->udp_hdr.src_port = clib_host_to_net_u16 (dst_port); + sa->udp_hdr.dst_port = clib_host_to_net_u16 (dst_port); + } } hash_set (im->sa_index_by_sa_id, sa->id, sa_index); 
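Review bot: In the hunk at -178,13 the failure branch under `if (~0 == sa->integ_key_index)` returns the SA to the pool but does not release the crypto key. The context line above it suggests the crypto key was registered just before this point (that call is outside the hunk), in which case the key stays in the crypto key store with no owning SA. Adding `vnet_crypto_key_del (vm, sa->crypto_key_index);` before `pool_put (im->sad, sa);` would keep key material from outliving a failed add. The same question applies to the error path after `ipsec_check_support_cb`, whose body is not visible here.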
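Review bot: In the hunk at -261,8 the parameter is named `dst_port`, yet the else branch writes it to both `sa->udp_hdr.src_port` and `sa->udp_hdr.dst_port`, so the name added in the signature hunk at -134,7 understates what it controls. Either rename it or document it where it is declared, e.g. `/* dst_port: UDP port used for both source and destination of the encap header; IPSEC_UDP_PORT_NONE selects UDP_DST_PORT_ipsec */`. The two branches could also collapse into one assignment pair after `u16 port = (dst_port == IPSEC_UDP_PORT_NONE) ? UDP_DST_PORT_ipsec : dst_port;`. Whether the receive side accepts encapsulated traffic on a non-default port is not visible in this diff and is worth confirming.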
@@ -288,14 +305,12 @@ ipsec_sa_del (ipsec_sa_t * sa) if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa)) { - fib_entry_child_remove (sa->fib_entry_index, sa->sibling); - fib_table_entry_special_remove - (sa->tx_fib_index, - fib_entry_get_prefix (sa->fib_entry_index), FIB_SOURCE_RR); + fib_entry_untrack (sa->fib_entry_index, sa->sibling); dpo_reset (&sa->dpo); } vnet_crypto_key_del (vm, sa->crypto_key_index); - vnet_crypto_key_del (vm, sa->integ_key_index); + if (sa->integ_alg != IPSEC_INTEG_ALG_NONE) + vnet_crypto_key_del (vm, sa->integ_key_index); pool_put (im->sad, sa); } @@ -313,6 +328,20 @@ ipsec_sa_unlock (index_t sai) fib_node_unlock (&sa->node); } +void +ipsec_sa_lock (index_t sai) +{ + ipsec_main_t *im = &ipsec_main; + ipsec_sa_t *sa; + + if (INDEX_INVALID == sai) + return; + + sa = pool_elt_at_index (im->sad, sai); + + fib_node_lock (&sa->node); +} + index_t ipsec_sa_find_and_lock (u32 id) {
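Review bot: The new guard `if (sa->integ_alg != IPSEC_INTEG_ALG_NONE)` in `ipsec_sa_del` reads a field that the add path (hunk at -162,8) now sets only inside the non-NONE branch, via `ipsec_sa_set_integ_alg`. If the pool element is not zeroed on allocation, or `IPSEC_INTEG_ALG_NONE` is not 0 (neither is visible here), a reused element could carry a stale algorithm value and this line would delete a key index that belongs to another SA. Initialising the field explicitly in the add path, for example `else sa->integ_alg = IPSEC_INTEG_ALG_NONE;`, removes that dependency. The single-statement `if` would also be safer with braces.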
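Review bot: `ipsec_sa_lock` is added as a non-static function with no comment, and it filters only `INDEX_INVALID` before `pool_elt_at_index (im->sad, sai)`. Any other stale or freed index would take a reference on whatever occupies that slot, so the contract should be stated above the function, e.g. `/* Take a reference on SA 'sai'; sai must be INDEX_INVALID (no-op) or the index of a live SA. */`. If callers can hold an index across SA deletion, a `pool_is_free_index (im->sad, sai)` check before the lookup would make the failure explicit rather than relying on a debug-build assertion.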