ipsec: enable input features on tunnels

[vpp.git] / src / vnet / ipsec / ipsec_tun.c

diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index 7434025..0b6ec0e 100644 (file)
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -778,6 +778,49 @@ ipsec_tun_protect_walk_itf (u32 sw_if_index,
     fn (idi->id_itp, ctx);
 }
 
+static void
+ipsec_tun_feature_update (u32 sw_if_index, u8 arc_index, u8 is_enable,
+                         void *data)
+{
+  ipsec_tun_protect_t *itp;
+  index_t itpi;
+
+  if (arc_index != feature_main.device_input_feature_arc_index)
+    return;
+
+  /* Only p2p tunnels supported */
+  itpi = ipsec_tun_protect_find (sw_if_index, &IP_ADDR_ALL_0);
+  if (itpi == INDEX_INVALID)
+    return;
+
+  itp = ipsec_tun_protect_get (itpi);
+
+  if (is_enable)
+    {
+      u32 decrypt_tun = ip46_address_is_ip4 (&itp->itp_crypto.dst) ?
+                         ipsec_main.esp4_decrypt_tun_node_index :
+                         ipsec_main.esp6_decrypt_tun_node_index;
+
+      vnet_feature_modify_end_node (
+       feature_main.device_input_feature_arc_index, sw_if_index, decrypt_tun);
+      itp->itp_flags |= IPSEC_PROTECT_FEAT;
+    }
+  else
+    {
+      u32 eth_in =
+       vlib_get_node_by_name (vlib_get_main (), (u8 *) "ethernet-input")
+         ->index;
+
+      vnet_feature_modify_end_node (
+       feature_main.device_input_feature_arc_index, sw_if_index, eth_in);
+      itp->itp_flags &= ~IPSEC_PROTECT_FEAT;
+    }
+
+  /* Propagate flag change into lookup entries */
+  ipsec_tun_protect_rx_db_remove (&ipsec_main, itp);
+  ipsec_tun_protect_rx_db_add (&ipsec_main, itp);
+}
+
 static void
 ipsec_tun_protect_adj_delegate_adj_deleted (adj_delegate_t * ad)
 {
@@ -929,6 +972,8 @@ ipsec_tunnel_protect_init (vlib_main_t *vm)
 
   teib_register (&ipsec_tun_teib_vft);
 
+  vnet_feature_register (ipsec_tun_feature_update, NULL);
+
   return 0;
 }