X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec.c;h=6e4c7f1b687e31a7bea5e5f31e1df4a9e703a575;hb=b7b929931a07fbb27b43d5cd105f366c3e29807e;hp=cd05c1bb9bfaaf7575ebc9330d7bed5c3b0a860d;hpb=ca514fda1125573d513215cb6ea7f22057a82d6b;p=vpp.git
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c
index cd05c1bb9bf..6e4c7f1b687 100644
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -19,10 +19,13 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
+#include
+
 ipsec_main_t ipsec_main;
@@ -70,15 +73,17 @@ ipsec_set_interface_spd (vlib_main_t * vm, u32 sw_if_index, u32 spd_id,
 sw_if_index, spd_id, spd_index);
 /* enable IPsec on TX */
- vnet_feature_enable_disable ("ip4-output", "ipsec-output-ip4", sw_if_index,
+ vnet_feature_enable_disable ("ip4-output", "ipsec4-output", sw_if_index,
 is_add, 0, 0);
- vnet_feature_enable_disable ("ip6-output", "ipsec-output-ip6", sw_if_index,
+ vnet_feature_enable_disable ("ip6-output", "ipsec6-output", sw_if_index,
 is_add, 0, 0);
+ config.spd_index = spd_index;
+
 /* enable IPsec on RX */
- vnet_feature_enable_disable ("ip4-unicast", "ipsec-input-ip4", sw_if_index,
+ vnet_feature_enable_disable ("ip4-unicast", "ipsec4-input", sw_if_index,
 is_add, &config, sizeof (config));
- vnet_feature_enable_disable ("ip6-unicast", "ipsec-input-ip6", sw_if_index,
+ vnet_feature_enable_disable ("ip6-unicast", "ipsec6-input", sw_if_index,
 is_add, &config, sizeof (config));
 return 0;
@@ -121,7 +126,7 @@ ipsec_add_del_spd (vlib_main_t * vm, u32 spd_id, int is_add)
 else /* create new SPD */
 {
 pool_get (im->spds, spd);
- memset (spd, 0, sizeof (*spd));
+ clib_memset (spd, 0, sizeof (*spd));
 spd_index = spd - im->spds;
 spd->id = spd_id;
 hash_set (im->spd_index_by_spd_id, spd_id, spd_index);
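Review bot: The return value of every `vnet_feature_enable_disable` call in ipsec_set_interface_spd is still discarded, and this hunk changes all four feature node names, which is precisely the failure that return code reports (as far as I recall it yields a non-zero VNET error when the arc or node name is unknown); a mistyped name would leave that direction without the IPsec feature while the function still returns 0. Propagate the code as below, declaring `int rv;` at the top of the function (outside the hunk), so callers see the failure instead of a silently unenforced SPD. ipsec_set_interface_spd begins outside this hunk.
```c
  /* enable IPsec on TX */
  if ((rv = vnet_feature_enable_disable ("ip4-output", "ipsec4-output",
					 sw_if_index, is_add, 0, 0)))
    return rv;
  if ((rv = vnet_feature_enable_disable ("ip6-output", "ipsec6-output",
					 sw_if_index, is_add, 0, 0)))
    return rv;

  config.spd_index = spd_index;

  /* enable IPsec on RX */
  if ((rv = vnet_feature_enable_disable ("ip4-unicast", "ipsec4-input",
					 sw_if_index, is_add, &config,
					 sizeof (config))))
    return rv;
  if ((rv = vnet_feature_enable_disable ("ip6-unicast", "ipsec6-input",
					 sw_if_index, is_add, &config,
					 sizeof (config))))
    return rv;

  return 0;
```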
@@ -132,20 +137,15 @@ ipsec_add_del_spd (vlib_main_t * vm, u32 spd_id, int is_add)
 static int
 ipsec_spd_entry_sort (void *a1, void *a2)
 {
- ipsec_main_t *im = &ipsec_main;
 u32 *id1 = a1;
 u32 *id2 = a2;
- ipsec_spd_t *spd;
+ ipsec_spd_t *spd = ipsec_main.spd_to_sort;
 ipsec_policy_t *p1, *p2;
- /* *INDENT-OFF* */
- pool_foreach (spd, im->spds, ({
- p1 = pool_elt_at_index(spd->policies, *id1);
- p2 = pool_elt_at_index(spd->policies, *id2);
- if (p1 && p2)
- return p2->priority - p1->priority;
- }));
- /* *INDENT-ON* */
+ p1 = pool_elt_at_index (spd->policies, *id1);
+ p2 = pool_elt_at_index (spd->policies, *id2);
+ if (p1 && p2)
+ return p2->priority - p1->priority;
 return 0;
 }
@@ -188,6 +188,8 @@ ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, int is_add)
 clib_memcpy (vp, policy, sizeof (*vp));
 policy_index = vp - spd->policies;
+ ipsec_main.spd_to_sort = spd;
+
 if (policy->is_outbound)
 {
 if (policy->is_ipv6)
@@ -253,6 +255,7 @@ ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, int is_add)
 }
 }
+ ipsec_main.spd_to_sort = NULL;
 }
 else
 {
@@ -365,13 +368,13 @@ ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, int is_add)
 if (vec_elt(spd->ipv4_inbound_policy_discard_and_bypass_indices, j) == i) {
 vec_del1 (spd->ipv4_inbound_policy_discard_and_bypass_indices, j);
 break;
+ }
 }
 }
 }
 }
 pool_put (spd->policies, vp);
 break;
- }
 }));
 /* *INDENT-ON* */
 }
@@ -543,7 +546,7 @@ ipsec_init (vlib_main_t * vm)
 ipsec_rand_seed ();
- memset (im, 0, sizeof (im[0]));
+ clib_memset (im, 0, sizeof (im[0]));
 im->vnet_main = vnet_get_main ();
 im->vlib_main = vm;
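Review bot: The comparator now dereferences `ipsec_main.spd_to_sort` unconditionally, so a sort that runs while the field is NULL faults inside `pool_elt_at_index (spd->policies, *id1)`; the field is only set on the is_add path of ipsec_add_del_policy (hunks at -188 and -253) and cleared again at the end of that branch, and nothing documents that protocol or the fact that it makes the sort non-reentrant. Add `ASSERT (spd);` before the two lookups and a comment on the set/clear pair, e.g. `/* sort context for ipsec_spd_entry_sort; set and cleared around each vec_sort_with_function call, not reentrant */`. The retained `if (p1 && p2)` guard looks dead, since pool_elt_at_index returns the element address rather than NULL, so it cannot cover the NULL-spd case. If `priority` is an unsigned field, `p2->priority - p1->priority` wraps and the implicit int conversion gives the wrong sign for large differences; `return (p2->priority > p1->priority) - (p2->priority < p1->priority);` keeps the same descending order without that hazard.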
@@ -559,16 +562,47 @@ ipsec_init (vlib_main_t * vm)
 ASSERT (node);
 im->error_drop_node_index = node->index;
- node = vlib_get_node_by_name (vm, (u8 *) "esp-encrypt");
+ node = vlib_get_node_by_name (vm, (u8 *) "esp4-encrypt");
+ ASSERT (node);
+ im->esp4_encrypt_node_index = node->index;
+
+ node = vlib_get_node_by_name (vm, (u8 *) "esp4-decrypt");
+ ASSERT (node);
+ im->esp4_decrypt_node_index = node->index;
+
+ node = vlib_get_node_by_name (vm, (u8 *) "ah4-encrypt");
+ ASSERT (node);
+ im->ah4_encrypt_node_index = node->index;
+
+ node = vlib_get_node_by_name (vm, (u8 *) "ah4-decrypt");
+ ASSERT (node);
+ im->ah4_decrypt_node_index = node->index;
+
+ im->esp4_encrypt_next_index = IPSEC_OUTPUT_NEXT_ESP4_ENCRYPT;
+ im->esp4_decrypt_next_index = IPSEC_INPUT_NEXT_ESP4_DECRYPT;
+ im->ah4_encrypt_next_index = IPSEC_OUTPUT_NEXT_AH4_ENCRYPT;
+ im->ah4_decrypt_next_index = IPSEC_INPUT_NEXT_AH4_DECRYPT;
+
+ node = vlib_get_node_by_name (vm, (u8 *) "esp6-encrypt");
+ ASSERT (node);
+ im->esp6_encrypt_node_index = node->index;
+
+ node = vlib_get_node_by_name (vm, (u8 *) "esp6-decrypt");
+ ASSERT (node);
+ im->esp6_decrypt_node_index = node->index;
+
+ node = vlib_get_node_by_name (vm, (u8 *) "ah6-encrypt");
 ASSERT (node);
- im->esp_encrypt_node_index = node->index;
+ im->ah6_encrypt_node_index = node->index;
- node = vlib_get_node_by_name (vm, (u8 *) "esp-decrypt");
+ node = vlib_get_node_by_name (vm, (u8 *) "ah6-decrypt");
 ASSERT (node);
- im->esp_decrypt_node_index = node->index;
+ im->ah6_decrypt_node_index = node->index;
- im->esp_encrypt_next_index = IPSEC_OUTPUT_NEXT_ESP_ENCRYPT;
- im->esp_decrypt_next_index = IPSEC_INPUT_NEXT_ESP_DECRYPT;
+ im->esp6_encrypt_next_index = IPSEC_OUTPUT_NEXT_ESP6_ENCRYPT;
+ im->esp6_decrypt_next_index = IPSEC_INPUT_NEXT_ESP6_DECRYPT;
+ im->ah6_encrypt_next_index = IPSEC_OUTPUT_NEXT_AH6_ENCRYPT;
+ im->ah6_decrypt_next_index = IPSEC_INPUT_NEXT_AH6_DECRYPT;
 im->cb.check_support_cb = ipsec_check_support;
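Review bot: Each of the eight new node lookups in ipsec_init guards `node->index` only with `ASSERT (node)`, and if ASSERT is compiled out in non-debug builds (as the clib macro is) a missing or renamed graph node becomes a NULL dereference at init instead of a reported error; since ipsec_init already returns `clib_error_t *` (see the `return error;` lines in the next hunk), a small static helper can do the lookup and return an error naming the node. The lookup/assert/assign triple is also repeated eight times, so the helper removes the duplication as well. ipsec_init starts and ends outside this hunk.
```c
/* Resolve a graph node by name into *index; the error names the missing node. */
static clib_error_t *
ipsec_node_index_by_name (vlib_main_t * vm, const char *name, u32 * index)
{
  vlib_node_t *node = vlib_get_node_by_name (vm, (u8 *) name);
  if (!node)
    return clib_error_return (0, "%s node not found", name);
  *index = node->index;
  return 0;
}

  /* … in ipsec_init, replacing each lookup/ASSERT/assign triple … */
  if ((error = ipsec_node_index_by_name (vm, "esp4-encrypt",
					 &im->esp4_encrypt_node_index)))
    return error;
  if ((error = ipsec_node_index_by_name (vm, "esp4-decrypt",
					 &im->esp4_decrypt_node_index)))
    return error;
  /* … the remaining ah4/esp6/ah6 lookups follow the same pattern … */
```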
@@ -578,7 +612,7 @@ ipsec_init (vlib_main_t * vm)
 if ((error = vlib_call_init_function (vm, ipsec_tunnel_if_init)))
 return error;
- esp_init ();
+ ipsec_proto_init ();
 if ((error = ikev2_init (vm)))
 return error;