X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_if.c;h=a7372747797501b4eff8835c78c1459e4c3d75fb;hb=f1653e62fe41e3df429aadaaab22d0cc8aaa227a;hp=562f40ec9ab2deac82087a6cdc34ccc97e59c92d;hpb=401aedfb032d69daa876544e8e0a2973d69c50ac;p=vpp.git diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c index 562f40ec9ab..a7372747797 100644 --- a/src/vnet/ipsec/ipsec_if.c +++ b/src/vnet/ipsec/ipsec_if.c @@ -238,7 +238,8 @@ ipsec_tunnel_feature_set (ipsec_main_t * im, ipsec_tunnel_if_t * t, u8 enable) ipsec_sa_t *sa; sa = ipsec_sa_get (t->output_sa_index); - if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE) + if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE && + sa->integ_alg == IPSEC_INTEG_ALG_NONE) { esp4_feature_index = im->esp4_no_crypto_tun_feature_index; esp6_feature_index = im->esp6_no_crypto_tun_feature_index; @@ -267,12 +268,13 @@ ipsec_tunnel_feature_set (ipsec_main_t * im, ipsec_tunnel_if_t * t, u8 enable) int ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, ipsec_add_del_tunnel_args_t * args, - u32 * sw_if_index) + u32 * sw_if_index_p) { ipsec_tunnel_if_t *t; ipsec_main_t *im = &ipsec_main; vnet_hw_interface_t *hi = NULL; u32 hw_if_index = ~0; + u32 sw_if_index = ~0; uword *p; u32 dev_instance; ipsec_key_t crypto_key, integ_key; @@ -284,7 +286,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, if (!is_ip6) { - key4.remote_ip = args->remote_ip.ip4.as_u32; + key4.remote_ip.as_u32 = args->remote_ip.ip4.as_u32; key4.spi = clib_host_to_net_u32 (args->remote_spi); p = hash_get (im->ipsec4_if_pool_index_by_key, key4.as_u64); } @@ -384,6 +386,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, t - im->tunnel_interfaces); hi = vnet_get_hw_interface (vnm, hw_if_index); + sw_if_index = hi->sw_if_index; t->hw_if_index = hw_if_index; t->sw_if_index = hi->sw_if_index; 
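Review bot: The widened condition in `ipsec_tunnel_feature_set` (first hunk, at -238) changes tunnel policy without documenting it: an output SA with `IPSEC_CRYPTO_ALG_NONE` and an integrity algorithm no longer selects the no-crypto feature indices, so its traffic would presumably leave authenticated but unencrypted. If that is the intent, record it above the test, for example `/* drop only when the SA has neither cipher nor integrity; NULL-cipher ESP with integrity is allowed */`. The context comment in `ipsec_tunnel_if_init` that still reads "drop outbound packets with no crypto alg set" should be reworded to match the new rule. The function body starts and ends outside this hunk, so how the selected feature indices are used is not visible here.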
@@ -419,6 +422,8 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, ti = p[0]; t = pool_elt_at_index (im->tunnel_interfaces, ti); hi = vnet_get_hw_interface (vnm, t->hw_if_index); + sw_if_index = hi->sw_if_index; + vnet_sw_interface_set_flags (vnm, hi->sw_if_index, 0); /* admin down */ ipsec_tunnel_feature_set (im, t, 0); @@ -428,8 +433,8 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, hash_unset_mem_free (&im->ipsec6_if_pool_index_by_key, &key6); else hash_unset (im->ipsec4_if_pool_index_by_key, key4.as_u64); - hash_unset (im->ipsec_if_real_dev_by_show_dev, t->show_instance); + im->ipsec_if_by_sw_if_index[t->sw_if_index] = ~0; /* delete input and output SA */ @@ -439,8 +444,8 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, pool_put (im->tunnel_interfaces, t); } - if (sw_if_index) - *sw_if_index = hi->sw_if_index; + if (sw_if_index_p) + *sw_if_index_p = sw_if_index; return 0; } @@ -506,7 +511,7 @@ ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index, u32 sa_id, ipsec4_tunnel_key_t key; /* unset old inbound hash entry. packets should stop arriving */ - key.remote_ip = old_sa->tunnel_src_addr.ip4.as_u32; + key.remote_ip.as_u32 = old_sa->tunnel_src_addr.ip4.as_u32; key.spi = clib_host_to_net_u32 (old_sa->spi); p = hash_get (im->ipsec4_if_pool_index_by_key, key.as_u64); @@ -515,7 +520,7 @@ ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index, u32 sa_id, /* set new inbound SA, then set new hash entry */ t->input_sa_index = sa_index; - key.remote_ip = sa->tunnel_src_addr.ip4.as_u32; + key.remote_ip.as_u32 = sa->tunnel_src_addr.ip4.as_u32; key.spi = clib_host_to_net_u32 (sa->spi); hash_set (im->ipsec4_if_pool_index_by_key, key.as_u64, 
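Review bot: The added store `im->ipsec_if_by_sw_if_index[t->sw_if_index] = ~0;` in the delete branch (hunk at -428) indexes the vector with no visible length check, so it relies on the add path having sized `ipsec_if_by_sw_if_index` for this `sw_if_index`. That sizing is not in any hunk shown here, so it cannot be confirmed from the diff. If the invariant holds, state it with `ASSERT (t->sw_if_index < vec_len (im->ipsec_if_by_sw_if_index));` just before the store; otherwise guard the write with the same comparison. `ipsec_add_del_tunnel_if_internal` starts and ends outside this hunk.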
@@ -572,15 +577,14 @@ ipsec_tunnel_if_init (vlib_main_t * vm) sizeof (uword)); im->ipsec_if_real_dev_by_show_dev = hash_create (0, sizeof (uword)); - udp_register_dst_port (vm, UDP_DST_PORT_ipsec, ipsec4_if_input_node.index, - 1); - /* set up feature nodes to drop outbound packets with no crypto alg set */ ipsec_add_feature ("ip4-output", "esp4-no-crypto", &im->esp4_no_crypto_tun_feature_index); ipsec_add_feature ("ip6-output", "esp6-no-crypto", &im->esp6_no_crypto_tun_feature_index); + udp_register_dst_port (vlib_get_main (), + UDP_DST_PORT_ipsec, ipsec4_if_input_node.index, 1); return 0; }
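Review bot: The moved `udp_register_dst_port` call now passes `vlib_get_main ()` even though `vm` is already a parameter of `ipsec_tunnel_if_init` and was what the removed call used; the hunk gives no reason for the difference. If the two are interchangeable at init time, keep `udp_register_dst_port (vm, UDP_DST_PORT_ipsec, ipsec4_if_input_node.index, 1);`. If they are not, a one-line comment saying why `vm` cannot be used would stop a later cleanup from reverting it. The function starts above the hunk.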