api: ipsec: add missing IS_INBOUND flag.

External IKE daemons need to be able to flag an SA as inbound (just as
the included ike plugin does). This commit adds this flag to the API.
This change is backward bug-compatible as not setting the flag (old
clients) continues to mean all SAs are created as outbound and fib nodes
are created for them. The addition of this flag inhibits this forwarding
node creation as well as properly flagging the SA as inbound.

Ticket: VPP-1845
Type: fix
Signed-off-by: Christian Hopps <chopps@labn.net>
Change-Id: I195e32c430e51155fac2d9f33671e06ef42a3f7f

diff --git a/src/vnet/ipsec/ipsec_types.api b/src/vnet/ipsec/ipsec_types.api
index 3015613..cba22c8 100644 (file)
--- a/src/vnet/ipsec/ipsec_types.api
+++ b/src/vnet/ipsec/ipsec_types.api
@@ -71,6 +71,8 @@ enum ipsec_sad_flags
   IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08,
   /* enable UDP encapsulation for NAT traversal */
   IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,
+  /* IPsec SA is for inbound traffic */
+  IPSEC_API_SAD_FLAG_IS_INBOUND = 0x40,
 };
 
 enum ipsec_proto

diff --git a/src/vnet/ipsec/ipsec_types_api.c b/src/vnet/ipsec/ipsec_types_api.c
index 0c59e48..44b129b 100644 (file)
--- a/src/vnet/ipsec/ipsec_types_api.c
+++ b/src/vnet/ipsec/ipsec_types_api.c
@@ -145,6 +145,8 @@ ipsec_sa_flags_decode (vl_api_ipsec_sad_flags_t in)
     flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
   if (in & IPSEC_API_SAD_FLAG_UDP_ENCAP)
     flags |= IPSEC_SA_FLAG_UDP_ENCAP;
+  if (in & IPSEC_API_SAD_FLAG_IS_INBOUND)
+    flags |= IPSEC_SA_FLAG_IS_INBOUND;
 
   return (flags);
 }
@@ -164,6 +166,8 @@ ipsec_sad_flags_encode (const ipsec_sa_t * sa)
     flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
   if (ipsec_sa_is_set_UDP_ENCAP (sa))
     flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
+  if (ipsec_sa_is_set_IS_INBOUND (sa))
+    flags |= IPSEC_API_SAD_FLAG_IS_INBOUND;
 
   return clib_host_to_net_u32 (flags);
 }