X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_cli.c;h=0f47c7b84276ddff1cbd9965b95f018ed1be5642;hb=1ba5bc8d888d0164dd6e38857cbed09ab7ce1d8b;hp=ee2e870c34329c729e4d8e486fec9100d1adff1b;hpb=fd06084a9e86c5f67c4b1dc37e78a95a9bacf2a4;p=vpp.git diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index ee2e870c343..0f47c7b8427 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -82,7 +82,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, ipsec_protocol_t proto; ipsec_sa_flags_t flags; clib_error_t *error; - ipsec_key_t ck, ik; + ipsec_key_t ck = { 0 }; + ipsec_key_t ik = { 0 }; int is_add, rv; u32 id, spi; @@ -225,12 +226,14 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm, int rv, is_add = 0; u32 tmp, tmp2, stat_index; clib_error_t *error = NULL; + u32 is_outbound; clib_memset (&p, 0, sizeof (p)); p.lport.stop = p.rport.stop = ~0; p.laddr.stop.ip4.as_u32 = p.raddr.stop.ip4.as_u32 = (u32) ~ 0; p.laddr.stop.ip6.as_u64[0] = p.laddr.stop.ip6.as_u64[1] = (u64) ~ 0; p.raddr.stop.ip6.as_u64[0] = p.raddr.stop.ip6.as_u64[1] = (u64) ~ 0; + is_outbound = 0; if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -244,9 +247,9 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm, else if (unformat (line_input, "spd %u", &p.id)) ; else if (unformat (line_input, "inbound")) - p.is_outbound = 0; + is_outbound = 0; else if (unformat (line_input, "outbound")) - p.is_outbound = 1; + is_outbound = 1; else if (unformat (line_input, "priority %d", &p.priority)) ; else if (unformat (line_input, "protocol %u", &tmp)) 
@@ -288,12 +291,16 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm, { p.lport.start = tmp; p.lport.stop = tmp2; + p.lport.start = clib_host_to_net_u16 (p.lport.start); + p.lport.stop = clib_host_to_net_u16 (p.lport.stop); } else if (unformat (line_input, "remote-port-range %u - %u", &tmp, &tmp2)) { p.rport.start = tmp; p.rport.stop = tmp2; + p.rport.start = clib_host_to_net_u16 (p.rport.start); + p.rport.stop = clib_host_to_net_u16 (p.rport.stop); } else { @@ -324,6 +331,19 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm, goto done; } } + + rv = ipsec_policy_mk_type (is_outbound, p.is_ipv6, p.policy, &p.type); + + if (rv) + { + error = clib_error_return (0, "unsupported policy type for:", + " outboud:%s %s action:%U", + (is_outbound ? "yes" : "no"), + (p.is_ipv6 ? "IPv4" : "IPv6"), + format_ipsec_policy_action, p.policy); + goto done; + } + rv = ipsec_add_del_policy (vm, &p, is_add, &stat_index); if (!rv) @@ -619,7 +639,10 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm, u8 ipv4_set = 0; u8 ipv6_set = 0; clib_error_t *error = NULL; - ipsec_key_t rck, lck, lik, rik; + ipsec_key_t rck = { 0 }; + ipsec_key_t lck = { 0 }; + ipsec_key_t lik = { 0 }; + ipsec_key_t rik = { 0 }; clib_memset (&a, 0, sizeof (a)); a.is_add = 1; 
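Review bot: The port values in the `p.lport` branch and the `remote-port-range` branch are parsed with `%u` into the u32 locals `tmp`/`tmp2` and stored with no range check, so a value above 65535 is silently truncated before the byte swap (the fields appear to be 16-bit given the use of `clib_host_to_net_u16`; confirm against the struct definition). For an SPD selector this means the installed policy can cover different ports than the ones the operator typed. Reject out-of-range or reversed ranges before assigning, e.g. `if (tmp > 0xffff || tmp2 > 0xffff || tmp > tmp2) { error = clib_error_return (0, "invalid port range"); goto done; }`, and then assign once with `p.lport.start = clib_host_to_net_u16 (tmp);` rather than storing and re-storing the field. The enclosing parse loop starts and ends outside the hunk.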
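Review bot: The new `clib_error_return` call has a comma between the two string literals, so `" outboud:%s %s action:%U"` is passed as the first variadic argument instead of being part of the format, and the direction, address family and action never appear in the message. The address-family labels are also swapped (`p.is_ipv6 ? "IPv4" : "IPv6"`) and `outboud` is misspelled. Suggested: `error = clib_error_return (0, "unsupported policy type for:" " outbound:%s %s action:%U",` together with `(p.is_ipv6 ? "IPv6" : "IPv4"),`. This text is what the CLI reports when `ipsec_policy_mk_type` refuses a policy, so it should state accurately which combination was rejected.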
@@ -698,20 +721,19 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm, goto done; } - if (ipv6_set) - return clib_error_return (0, "currently only IPv4 supported"); - if (ipv4_set && ipv6_set) return clib_error_return (0, "both IPv4 and IPv6 addresses specified"); + a.is_ip6 = ipv6_set; + clib_memcpy (a.local_crypto_key, lck.data, lck.len); a.local_crypto_key_len = lck.len; clib_memcpy (a.remote_crypto_key, rck.data, rck.len); a.remote_crypto_key_len = rck.len; - clib_memcpy (a.local_integ_key, lck.data, lck.len); + clib_memcpy (a.local_integ_key, lik.data, lik.len); a.local_integ_key_len = lck.len; - clib_memcpy (a.remote_integ_key, rck.data, rck.len); + clib_memcpy (a.remote_integ_key, rik.data, rik.len); a.remote_integ_key_len = rck.len; rv = ipsec_add_del_tunnel_if (&a);
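Review bot: The integrity-key copies now read from `lik`/`rik`, but the two length assignments that follow are unchanged context and still take the crypto-key lengths: `a.local_integ_key_len = lck.len;` and `a.remote_integ_key_len = rck.len;`. Whenever the integrity and crypto keys differ in length, the tunnel is configured with a truncated integrity key or one extended with bytes that were never supplied. They should read `a.local_integ_key_len = lik.len;` and `a.remote_integ_key_len = rik.len;`. The hunk also does not show whether the four `.len` values are bounded against the destination arrays before the `clib_memcpy` calls; that check presumably lives in the key parser and is worth confirming.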