X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_if.c;fp=src%2Fvnet%2Fipsec%2Fipsec_if.c;h=562f40ec9ab2deac82087a6cdc34ccc97e59c92d;hb=401aedfb032d69daa876544e8e0a2973d69c50ac;hp=5fc49e1af4eeab85a1c06dc77b2ac7fae0f63af4;hpb=43ba29267b1f1db04cba0af1f994a5c8477ca870;p=vpp.git diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c index 5fc49e1af4e..562f40ec9ab 100644 --- a/src/vnet/ipsec/ipsec_if.c +++ b/src/vnet/ipsec/ipsec_if.c @@ -234,19 +234,31 @@ static void ipsec_tunnel_feature_set (ipsec_main_t * im, ipsec_tunnel_if_t * t, u8 enable) { u8 arc; + u32 esp4_feature_index, esp6_feature_index; + ipsec_sa_t *sa; + + sa = ipsec_sa_get (t->output_sa_index); + if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE) + { + esp4_feature_index = im->esp4_no_crypto_tun_feature_index; + esp6_feature_index = im->esp6_no_crypto_tun_feature_index; + } + else + { + esp4_feature_index = im->esp4_encrypt_tun_feature_index; + esp6_feature_index = im->esp6_encrypt_tun_feature_index; + } arc = vnet_get_feature_arc_index ("ip4-output"); - vnet_feature_enable_disable_with_index (arc, - im->esp4_encrypt_tun_feature_index, + vnet_feature_enable_disable_with_index (arc, esp4_feature_index, t->sw_if_index, enable, &t->output_sa_index, sizeof (t->output_sa_index)); arc = vnet_get_feature_arc_index ("ip6-output"); - vnet_feature_enable_disable_with_index (arc, - im->esp6_encrypt_tun_feature_index, + vnet_feature_enable_disable_with_index (arc, esp6_feature_index, t->sw_if_index, enable, &t->output_sa_index, sizeof (t->output_sa_index)); @@ -562,6 +574,13 @@ ipsec_tunnel_if_init (vlib_main_t * vm) udp_register_dst_port (vm, UDP_DST_PORT_ipsec, ipsec4_if_input_node.index, 1); + + /* set up feature nodes to drop outbound packets with no crypto alg set */ + ipsec_add_feature ("ip4-output", "esp4-no-crypto", + &im->esp4_no_crypto_tun_feature_index); + ipsec_add_feature ("ip6-output", "esp6-no-crypto", + &im->esp6_no_crypto_tun_feature_index); + return 0; }