*/
#include <vnet/ipsec/ipsec_tun.h>
+#include <vnet/ipsec/ipsec_itf.h>
#include <vnet/ipsec/esp.h>
#include <vnet/udp/udp.h>
#include <vnet/adj/adj_delegate.h>
}
static u32
-ipsec_tun_protect_get_adj_next (const ipsec_tun_protect_t * itp)
+ipsec_tun_protect_get_adj_next (vnet_link_t linkt,
+ const ipsec_tun_protect_t * itp)
{
ipsec_main_t *im;
ipsec_sa_t *sa;
bool is_ip4;
u32 next;
- is_ip4 = ip46_address_is_ip4 (&itp->itp_tun.src);
+
+ if (itp->itp_flags & IPSEC_PROTECT_ITF)
+ is_ip4 = linkt == VNET_LINK_IP4;
+ else
+ is_ip4 = ip46_address_is_ip4 (&itp->itp_tun.src);
+
sa = ipsec_sa_get (itp->itp_out_sa);
im = &ipsec_main;
{
ipsec_tun_protect_sa_by_adj_index[ai] = itp->itp_out_sa;
adj_nbr_midchain_update_next_node
- (ai, ipsec_tun_protect_get_adj_next (itp));
+ (ai, ipsec_tun_protect_get_adj_next (adj_get_link_type (ai), itp));
}
}
itp - ipsec_tun_protect_pool);
ipsec_tun_protect_add_adj (ai, itp);
+ if (itp->itp_flags & IPSEC_PROTECT_ITF)
+ ipsec_itf_adj_stack (ai, itp->itp_out_sa);
+
return (ADJ_WALK_RC_CONTINUE);
}
static adj_walk_rc_t
ipsec_tun_protect_adj_remove (adj_index_t ai, void *arg)
{
+ ipsec_tun_protect_t *itp = arg;
+
adj_delegate_remove (ai, ipsec_tun_adj_delegate_type);
ipsec_tun_protect_add_adj (ai, NULL);
+ if (itp->itp_flags & IPSEC_PROTECT_ITF)
+ ipsec_itf_adj_unstack (ai);
+
return (ADJ_WALK_RC_CONTINUE);
}
{
itp->itp_crypto.src = sa->tunnel_dst_addr;
itp->itp_crypto.dst = sa->tunnel_src_addr;
- ipsec_sa_set_IS_PROTECT (sa);
- itp->itp_flags |= IPSEC_PROTECT_ENCAPED;
+ if (!(itp->itp_flags & IPSEC_PROTECT_ITF))
+ {
+ ipsec_sa_set_IS_PROTECT (sa);
+ itp->itp_flags |= IPSEC_PROTECT_ENCAPED;
+ }
}
else
{
pool_get_zero (ipsec_tun_protect_pool, itp);
itp->itp_sw_if_index = sw_if_index;
+ itp->itp_ai = ADJ_INDEX_INVALID;
itp->itp_n_sa_in = vec_len (sas_in);
for (ii = 0; ii < itp->itp_n_sa_in; ii++)
if (rv)
goto out;
- if (ip46_address_is_zero (&itp->itp_tun.dst))
+ if (ip46_address_is_zero (&itp->itp_tun.src))
+ {
+ /* must be one of thos pesky ipsec interfaces that has no encap.
+ * the encap then MUST comefrom the tunnel mode SA.
+ */
+ ipsec_sa_t *sa;
+
+ sa = ipsec_sa_get (itp->itp_out_sa);
+
+ if (!ipsec_sa_is_set_IS_TUNNEL (sa))
+ {
+ rv = VNET_API_ERROR_INVALID_DST_ADDRESS;
+ goto out;
+ }
+
+ itp->itp_flags |= IPSEC_PROTECT_ITF;
+ }
+ else if (ip46_address_is_zero (&itp->itp_tun.dst))
{
/* tunnel has no destination address, presumably because it's p2mp
in which case we use the nh that this is protection for */
/*
* add to the tunnel DB for ingress
- * - if the SA is in trasnport mode, then the packates will arrivw
+ * - if the SA is in trasnport mode, then the packates will arrive
* with the IP src,dst of the protected tunnel, in which case we can
* simply strip the IP header and hand the payload to the protocol
* appropriate input handler
itp = ipsec_tun_protect_get (itpi);
ipsec_tun_protect_unconfig (im, itp);
+ if (ADJ_INDEX_INVALID != itp->itp_ai)
+ adj_unlock (itp->itp_ai);
+
clib_mem_free (itp->itp_key);
pool_put (ipsec_tun_protect_pool, itp);
itpi = ipsec_tun_protect_find (adj->rewrite_header.sw_if_index, &ip);
if (INDEX_INVALID != itpi)
- {
- const ipsec_tun_protect_t *itp;
-
- itp = ipsec_tun_protect_get (itpi);
- adj_delegate_add (adj_get (ai), ipsec_tun_adj_delegate_type, itpi);
- ipsec_tun_protect_add_adj (ai, itp);
- }
+ ipsec_tun_protect_adj_add (ai, ipsec_tun_protect_get (itpi));
}
static u8 *
Code Review / vpp.git / blobdiff