X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_itf.c;h=b86bf6a110c4324010707bd91f56d0b9b4026abe;hb=HEAD;hp=5f04fcf0a0478a7db04ed426fb6335d0f5f4fa85;hpb=9ec846c2684b69f47505d73ea9f873b793a11558;p=vpp.git diff --git a/src/vnet/ipsec/ipsec_itf.c b/src/vnet/ipsec/ipsec_itf.c index 5f04fcf0a04..b86bf6a110c 100644 --- a/src/vnet/ipsec/ipsec_itf.c +++ b/src/vnet/ipsec/ipsec_itf.c @@ -21,6 +21,7 @@ #include #include #include +#include /* bitmap of Allocated IPSEC_ITF instances */ static uword *ipsec_itf_instances; @@ -36,6 +37,12 @@ ipsec_itf_get (index_t ii) return (pool_elt_at_index (ipsec_itf_pool, ii)); } +u32 +ipsec_itf_count (void) +{ + return (pool_elts (ipsec_itf_pool)); +} + static ipsec_itf_t * ipsec_itf_find_by_sw_if_index (u32 sw_if_index) { @@ -181,7 +188,6 @@ ipsec_itf_update_adj (vnet_main_t * vnm, u32 sw_if_index, adj_index_t ai) (ai, NULL, NULL, ADJ_FLAG_MIDCHAIN_IP_STACK, ipsec_itf_build_rewrite ()); } -/* *INDENT-OFF* */ VNET_DEVICE_CLASS (ipsec_itf_device_class) = { .name = "IPSEC Tunnel", .format_device_name = format_ipsec_itf_name, @@ -201,7 +207,6 @@ VNET_HW_INTERFACE_CLASS(ipsec_p2mp_hw_interface_class) = { .update_adjacency = ipsec_itf_update_adj, .flags = VNET_HW_INTERFACE_CLASS_FLAG_NBMA, }; -/* *INDENT-ON* */ /* * Maintain a bitmap of allocated ipsec_itf instance numbers. 
@@ -268,6 +273,20 @@ ipsec_itf_instance_free (u32 instance) return 0; } +void +ipsec_itf_reset_tx_nodes (u32 sw_if_index) +{ + vnet_feature_modify_end_node ( + ip4_main.lookup_main.output_feature_arc_index, sw_if_index, + vlib_get_node_by_name (vlib_get_main (), (u8 *) "ip4-drop")->index); + vnet_feature_modify_end_node ( + ip6_main.lookup_main.output_feature_arc_index, sw_if_index, + vlib_get_node_by_name (vlib_get_main (), (u8 *) "ip6-drop")->index); + vnet_feature_modify_end_node ( + mpls_main.output_feature_arc_index, sw_if_index, + vlib_get_node_by_name (vlib_get_main (), (u8 *) "mpls-drop")->index); +} + int ipsec_itf_create (u32 user_instance, tunnel_mode_t mode, u32 * sw_if_indexp) { @@ -305,12 +324,14 @@ ipsec_itf_create (u32 user_instance, tunnel_mode_t mode, u32 * sw_if_indexp) t_idx); hi = vnet_get_hw_interface (vnm, hw_if_index); + vnet_sw_interface_set_mtu (vnm, hi->sw_if_index, 9000); vec_validate_init_empty (ipsec_itf_index_by_sw_if_index, hi->sw_if_index, INDEX_INVALID); ipsec_itf_index_by_sw_if_index[hi->sw_if_index] = t_idx; ipsec_itf->ii_sw_if_index = *sw_if_indexp = hi->sw_if_index; + ipsec_itf_reset_tx_nodes (hi->sw_if_index); return 0; } @@ -335,17 +356,32 @@ ipsec_itf_delete (u32 sw_if_index) if (ipsec_itf_instance_free (hw->dev_instance) < 0) return VNET_API_ERROR_INVALID_SW_IF_INDEX; + vnet_reset_interface_l3_output_node (vnm->vlib_main, sw_if_index); + vnet_delete_hw_interface (vnm, hw->hw_if_index); pool_put (ipsec_itf_pool, ipsec_itf); return 0; } +void +ipsec_itf_walk (ipsec_itf_walk_cb_t cb, void *ctx) +{ + ipsec_itf_t *itf; + + pool_foreach (itf, ipsec_itf_pool) + { + if (WALK_CONTINUE != cb (itf, ctx)) + break; + } +} + static clib_error_t * ipsec_itf_create_cli (vlib_main_t * vm, unformat_input_t * input, vlib_cli_command_t * cmd) { unformat_input_t _line_input, *line_input = &_line_input; + tunnel_mode_t mode = TUNNEL_MODE_P2P; u32 instance, sw_if_index; clib_error_t *error; mac_address_t mac; 
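Review bot: In ipsec_itf_reset_tx_nodes, each `vlib_get_node_by_name (...)->index` dereferences the lookup result unchecked, and that lookup returns 0 for an unregistered name. If `ip4-drop`, `ip6-drop` or `mpls-drop` were ever missing or renamed, interface creation would crash on a NULL dereference. Hold each result in a local and check it first, e.g. `vlib_node_t *n = vlib_get_node_by_name (vm, (u8 *) "ip4-drop"); ASSERT (n);`, with one `vlib_get_main ()` call instead of three. The function also has no comment; ending the output arcs in drop nodes looks like a fail-closed default for an interface with no protection configured, but that is inferred and should be confirmed. If so, state it: `/* no tunnel protection yet: end the output arcs in drop so nothing is sent unprotected */`.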
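Review bot: The `9000` passed to `vnet_sw_interface_set_mtu` in ipsec_itf_create is an unexplained literal. A named constant such as `#define IPSEC_ITF_DEFAULT_MTU 9000` would make the default visible and give a single place to change it. The accompanying comment should say whether this is the inner-packet MTU, and whether the underlay is expected to absorb the encapsulation overhead; the hunk does not show which. The new `ipsec_itf_reset_tx_nodes (hi->sw_if_index)` call is the last step before `return 0`, so a one-line comment that the interface starts with its output arcs ending in drop would help. ipsec_itf_create starts outside this hunk.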
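Review bot: ipsec_itf_walk invokes `cb` without a NULL check and iterates ipsec_itf_pool with `pool_foreach`, and neither constraint on the caller is documented. A callback that creates or deletes an ipsec interface would modify the pool under the iterator, and a pool growth could leave `itf` pointing at stale memory. Add a header comment that states the contract, e.g. `/* Walk all ipsec interfaces; cb must be non-NULL and must not add or remove interfaces. Stops when cb returns anything but WALK_CONTINUE. */`. If a NULL `cb` is possible for any caller, `if (!cb) return;` at the top is enough.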
@@ -361,6 +397,8 @@ ipsec_itf_create_cli (vlib_main_t * vm, { if (unformat (line_input, "instance %d", &instance)) ; + else if (unformat (line_input, "p2mp")) + mode = TUNNEL_MODE_MP; else { error = clib_error_return (0, "unknown input: %U", @@ -375,7 +413,7 @@ ipsec_itf_create_cli (vlib_main_t * vm, return error; } - rv = ipsec_itf_create (instance, TUNNEL_MODE_P2P, &sw_if_index); + rv = ipsec_itf_create (instance, mode, &sw_if_index); if (rv) return clib_error_return (0, "iPSec interface create failed"); @@ -390,17 +428,15 @@ ipsec_itf_create_cli (vlib_main_t * vm, * * @cliexpar * The following two command syntaxes are equivalent: - * @cliexcmd{ipsec itf create [instance ]} + * @cliexcmd{ipsec itf create [instance ] [p2mp]} * Example of how to create a ipsec interface: * @cliexcmd{ipsec itf create} ?*/ -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (ipsec_itf_create_command, static) = { .path = "ipsec itf create", - .short_help = "ipsec itf create [instance ]", + .short_help = "ipsec itf create [instance ] [p2mp]", .function = ipsec_itf_create_cli, }; -/* *INDENT-ON* */ static clib_error_t * ipsec_itf_delete_cli (vlib_main_t * vm, @@ -445,13 +481,11 @@ ipsec_itf_delete_cli (vlib_main_t * vm, * Example of how to create a ipsec_itf interface: * @cliexcmd{ipsec itf delete ipsec0} ?*/ -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (ipsec_itf_delete_command, static) = { .path = "ipsec itf delete", .short_help = "ipsec itf delete ", .function = ipsec_itf_delete_cli, }; -/* *INDENT-ON* */ static clib_error_t * ipsec_interface_show (vlib_main_t * vm, @@ -459,12 +493,10 @@ ipsec_interface_show (vlib_main_t * vm, { index_t ii; - /* *INDENT-OFF* */ pool_foreach_index (ii, ipsec_itf_pool) { vlib_cli_output (vm, "%U", format_ipsec_itf, ii); } - /* *INDENT-ON* */ return NULL; } 
@@ -472,14 +504,12 @@ ipsec_interface_show (vlib_main_t * vm, /** * show IPSEC tunnel protection hash tables */ -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (ipsec_interface_show_node, static) = { .path = "show ipsec interface", .function = ipsec_interface_show, .short_help = "show ipsec interface", }; -/* *INDENT-ON* */ /* * fd.io coding-style-patch-verification: ON