oh0->ip4.src_address.as_u32 = sa0->tunnel_src_addr.ip4.as_u32;
oh0->ip4.dst_address.as_u32 = sa0->tunnel_dst_addr.ip4.as_u32;
- vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = sa0->tx_fib_index;
}
else if (is_ip6 && sa0->is_tunnel && sa0->is_tunnel_ip6)
{
oh6_0->ip6.dst_address.as_u64[1] =
sa0->tunnel_dst_addr.ip6.as_u64[1];
- vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0;
+ vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = sa0->tx_fib_index;
}
else
{
* limitations under the License.
*/
-option version = "2.0.0";
+option version = "2.1.0";
/** \brief IPsec: Add/delete Security Policy Database
@param client_index - opaque cookie to identify the sender
@param renumber - intf display name uses a specified instance if != 0
@param show_instance - instance to display for intf if renumber is set
@param udp_encap - enable UDP encapsulation for NAT traversal
+ @param tx_table_id - the FIB id used after packet encap
*/
define ipsec_tunnel_if_add_del {
u32 client_index;
u8 renumber;
u32 show_instance;
u8 udp_encap;
+ u32 tx_table_id;
};
/** \brief Add/delete IPsec tunnel interface response
@param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
@param total_data_size - total bytes sent or received
@param udp_encap - 1 if UDP encap enabled, 0 otherwise
+ @param tx_table_id - the FIB id used for encapsulated packets
*/
define ipsec_sa_details {
u32 context;
u64 total_data_size;
u8 udp_encap;
+
+ u32 tx_table_id;
};
/** \brief Set key on IPsec interface
ip46_address_t tunnel_src_addr;
ip46_address_t tunnel_dst_addr;
+ u32 tx_fib_index;
u32 salt;
/* runtime */
u8 renumber;
u32 show_instance;
u8 udp_encap;
+ u32 tx_table_id;
} ipsec_add_del_tunnel_args_t;
typedef struct
#include <vnet/interface.h>
#include <vnet/api_errno.h>
#include <vnet/ip/ip.h>
+#include <vnet/fib/fib.h>
#include <vnet/vnet_msg_enum.h>
tun.local_integ_key_len = mp->local_integ_key_len;
tun.remote_integ_key_len = mp->remote_integ_key_len;
tun.udp_encap = mp->udp_encap;
+ tun.tx_table_id = ntohl (mp->tx_table_id);
memcpy (&tun.local_ip, mp->local_ip, 4);
memcpy (&tun.remote_ip, mp->remote_ip, 4);
memcpy (&tun.local_crypto_key, &mp->local_crypto_key,
mp->total_data_size = clib_host_to_net_u64 (sa->total_data_size);
mp->udp_encap = sa->udp_encap;
+ mp->tx_table_id =
+ htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4));
+
vl_api_send_msg (reg, (u8 *) mp);
}
#include <vnet/api_errno.h>
#include <vnet/ip/ip.h>
#include <vnet/interface.h>
+#include <vnet/fib/fib.h>
#include <vnet/ipsec/ipsec.h>
clib_error_t *error = NULL;
clib_memset (&sa, 0, sizeof (sa));
+ sa.tx_fib_index = ~((u32) 0); /* Only supported for ipsec interfaces */
if (!unformat_user (input, unformat_line_input, line_input))
return 0;
vnet_hw_interface_t *hi;
u8 *protocol = NULL;
u8 *policy = NULL;
+ u32 tx_table_id;
/* *INDENT-OFF* */
pool_foreach (sa, im->sad, ({
hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index);
vlib_cli_output(vm, " %s seq", hi->name);
sa = pool_elt_at_index(im->sad, t->output_sa_index);
- vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u udp-encap %u",
- sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay, sa->udp_encap);
+
+ tx_table_id = fib_table_get_table_id(sa->tx_fib_index, FIB_PROTOCOL_IP4);
+
+ vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u udp-encap %u tx-table %u",
+ sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay, sa->udp_encap, tx_table_id);
vlib_cli_output(vm, " local-spi %u local-ip %U", sa->spi,
format_ip4_address, &sa->tunnel_src_addr.ip4);
vlib_cli_output(vm, " local-crypto %U %U",
a.is_add = 0;
else if (unformat (line_input, "udp-encap"))
a.udp_encap = 1;
+ else if (unformat (line_input, "tx-table %u", &a.tx_table_id))
+ ;
else
{
error = clib_error_return (0, "unknown input `%U'",
/* *INDENT-OFF* */
VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
.path = "create ipsec tunnel",
- .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap]",
+ .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> "
+ "remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap] "
+ "[tx-table <table-id>]",
.function = create_ipsec_tunnel_command_fn,
};
/* *INDENT-ON* */
#include <vnet/vnet.h>
#include <vnet/api_errno.h>
#include <vnet/ip/ip.h>
+#include <vnet/fib/fib.h>
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/esp.h>
ipsec_sa_t *sa;
u32 dev_instance;
u32 slot;
+ u32 tx_fib_index = ~0;
u64 key = (u64) args->remote_ip.as_u32 << 32 | (u64) args->remote_spi;
p = hash_get (im->ipsec_if_pool_index_by_key, key);
if (p)
return VNET_API_ERROR_INVALID_VALUE;
+ tx_fib_index = fib_table_find (FIB_PROTOCOL_IP4, args->tx_table_id);
+ if (tx_fib_index == ~((u32) 0))
+ return VNET_API_ERROR_NO_SUCH_FIB;
+
pool_get_aligned (im->tunnel_interfaces, t, CLIB_CACHE_LINE_BYTES);
clib_memset (t, 0, sizeof (*t));
sa->use_anti_replay = args->anti_replay;
sa->integ_alg = args->integ_alg;
sa->udp_encap = args->udp_encap;
+ sa->tx_fib_index = ~((u32) 0); /* Not used, but set for troubleshooting */
if (args->remote_integ_key_len <= sizeof (args->remote_integ_key))
{
sa->integ_key_len = args->remote_integ_key_len;
sa->use_anti_replay = args->anti_replay;
sa->integ_alg = args->integ_alg;
sa->udp_encap = args->udp_encap;
+ sa->tx_fib_index = tx_fib_index;
if (args->local_integ_key_len <= sizeof (args->local_integ_key))
{
sa->integ_key_len = args->local_integ_key_len;