ipsec: Reference count the SAs

[vpp.git] / src / vnet / ipsec / ipsec_if.c

diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index 8e4f3f1..5fc49e1 100644 (file)
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -321,18 +321,18 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
       ipsec_mk_key (&integ_key,
                    args->remote_integ_key, args->remote_integ_key_len);
 
-      rv = ipsec_sa_add (ipsec_tun_mk_input_sa_id (dev_instance),
-                        args->remote_spi,
-                        IPSEC_PROTOCOL_ESP,
-                        args->crypto_alg,
-                        &crypto_key,
-                        args->integ_alg,
-                        &integ_key,
-                        (flags | IPSEC_SA_FLAG_IS_INBOUND),
-                        args->tx_table_id,
-                        args->salt,
-                        &args->remote_ip,
-                        &args->local_ip, &t->input_sa_index);
+      rv = ipsec_sa_add_and_lock (ipsec_tun_mk_input_sa_id (dev_instance),
+                                 args->remote_spi,
+                                 IPSEC_PROTOCOL_ESP,
+                                 args->crypto_alg,
+                                 &crypto_key,
+                                 args->integ_alg,
+                                 &integ_key,
+                                 (flags | IPSEC_SA_FLAG_IS_INBOUND),
+                                 args->tx_table_id,
+                                 args->salt,
+                                 &args->remote_ip,
+                                 &args->local_ip, &t->input_sa_index);
 
       if (rv)
        return rv;
@@ -342,18 +342,18 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
       ipsec_mk_key (&integ_key,
                    args->local_integ_key, args->local_integ_key_len);
 
-      rv = ipsec_sa_add (ipsec_tun_mk_output_sa_id (dev_instance),
-                        args->local_spi,
-                        IPSEC_PROTOCOL_ESP,
-                        args->crypto_alg,
-                        &crypto_key,
-                        args->integ_alg,
-                        &integ_key,
-                        flags,
-                        args->tx_table_id,
-                        args->salt,
-                        &args->local_ip,
-                        &args->remote_ip, &t->output_sa_index);
+      rv = ipsec_sa_add_and_lock (ipsec_tun_mk_output_sa_id (dev_instance),
+                                 args->local_spi,
+                                 IPSEC_PROTOCOL_ESP,
+                                 args->crypto_alg,
+                                 &crypto_key,
+                                 args->integ_alg,
+                                 &integ_key,
+                                 flags,
+                                 args->tx_table_id,
+                                 args->salt,
+                                 &args->local_ip,
+                                 &args->remote_ip, &t->output_sa_index);
 
       if (rv)
        return rv;
@@ -420,11 +420,11 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
       hash_unset (im->ipsec_if_real_dev_by_show_dev, t->show_instance);
       im->ipsec_if_by_sw_if_index[t->sw_if_index] = ~0;
 
-      pool_put (im->tunnel_interfaces, t);
-
       /* delete input and output SA */
-      ipsec_sa_del (ipsec_tun_mk_input_sa_id (ti));
-      ipsec_sa_del (ipsec_tun_mk_output_sa_id (ti));
+      ipsec_sa_unlock (t->input_sa_index);
+      ipsec_sa_unlock (t->output_sa_index);
+
+      pool_put (im->tunnel_interfaces, t);
     }
 
   if (sw_if_index)
@@ -447,17 +447,12 @@ ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index, u32 sa_id,
   hi = vnet_get_hw_interface (vnm, hw_if_index);
   t = pool_elt_at_index (im->tunnel_interfaces, hi->dev_instance);
 
-  sa_index = ipsec_get_sa_index_by_sa_id (sa_id);
-  if (sa_index == ~0)
-    {
-      clib_warning ("SA with ID %u not found", sa_id);
-      return VNET_API_ERROR_INVALID_VALUE;
-    }
+  sa_index = ipsec_sa_find_and_lock (sa_id);
 
-  if (ipsec_is_sa_used (sa_index))
+  if (INDEX_INVALID == sa_index)
     {
-      clib_warning ("SA with ID %u is already in use", sa_id);
-      return VNET_API_ERROR_INVALID_VALUE;
+      clib_warning ("SA with ID %u not found", sa_id);
+      return VNET_API_ERROR_NO_SUCH_ENTRY;
     }
 
   sa = pool_elt_at_index (im->sad, sa_index);
@@ -537,15 +532,15 @@ ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index, u32 sa_id,
     }
 
   /* remove sa_id to sa_index mapping on old SA */
-  if (ipsec_get_sa_index_by_sa_id (old_sa->id) == old_sa_index)
-    hash_unset (im->sa_index_by_sa_id, old_sa->id);
+  hash_unset (im->sa_index_by_sa_id, old_sa->id);
 
   if (ipsec_add_del_sa_sess_cb (im, old_sa_index, 0))
     {
       clib_warning ("IPsec backend add/del callback returned error");
       return VNET_API_ERROR_SYSCALL_ERROR_1;
     }
-  ipsec_sa_del (old_sa->id);
+
+  ipsec_sa_unlock (old_sa_index);
 
   return 0;
 }