diff options
author | Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> | 2016-12-12 10:37:49 +0000 |
---|---|---|
committer | Damjan Marion <dmarion.lists@gmail.com> | 2016-12-12 13:03:27 +0000 |
commit | 1b6f90204682fdd43d899ab454349536de785b86 (patch) | |
tree | e868069447bf42ff24badf5602701abf6a0e5499 /vnet | |
parent | 64bc612d4ce682fdd4a6e1c8a47b7538f200b24f (diff) |
ipsec: go straight to lookup after esp encrypt
Currently, IPsec tunnel traffic goes to ip4-input/ip6-input after esp-encrypt.
It is not necessary to check that the new IP header is valid (if it is not
valid then we have otehr issues).
Instead, just send packets straight to ip4-lookup/ip6-lookup after esp-encrypt.
Change-Id: I5e35d500cb0f33f418f8554ed1f4390f02b6647d
Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Diffstat (limited to 'vnet')
-rw-r--r-- | vnet/vnet/devices/dpdk/ipsec/esp_encrypt.c | 8 | ||||
-rw-r--r-- | vnet/vnet/ipsec/esp_encrypt.c | 8 |
2 files changed, 8 insertions, 8 deletions
diff --git a/vnet/vnet/devices/dpdk/ipsec/esp_encrypt.c b/vnet/vnet/devices/dpdk/ipsec/esp_encrypt.c index 7e41007c..10bb4616 100644 --- a/vnet/vnet/devices/dpdk/ipsec/esp_encrypt.c +++ b/vnet/vnet/devices/dpdk/ipsec/esp_encrypt.c @@ -25,8 +25,8 @@ #define foreach_esp_encrypt_next \ _(DROP, "error-drop") \ -_(IP4_INPUT, "ip4-input") \ -_(IP6_INPUT, "ip6-input") \ +_(IP4_LOOKUP, "ip4-lookup") \ +_(IP6_LOOKUP, "ip6-lookup") \ _(INTERFACE_OUTPUT, "interface-output") #define _(v, s) ESP_ENCRYPT_NEXT_##v, @@ -287,7 +287,7 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, oh0->ip4.dst_address.as_u32 = sa0->tunnel_dst_addr.ip4.as_u32; /* in tunnel mode send it back to FIB */ - next0 = ESP_ENCRYPT_NEXT_IP4_INPUT; + next0 = ESP_ENCRYPT_NEXT_IP4_LOOKUP; vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; } else if (sa0->is_tunnel && sa0->is_tunnel_ip6) @@ -302,7 +302,7 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, sa0->tunnel_dst_addr.ip6.as_u64[1]; /* in tunnel mode send it back to FIB */ - next0 = ESP_ENCRYPT_NEXT_IP6_INPUT; + next0 = ESP_ENCRYPT_NEXT_IP6_LOOKUP; vnet_buffer (b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; } else diff --git a/vnet/vnet/ipsec/esp_encrypt.c b/vnet/vnet/ipsec/esp_encrypt.c index b947611e..7b7f9b9c 100644 --- a/vnet/vnet/ipsec/esp_encrypt.c +++ b/vnet/vnet/ipsec/esp_encrypt.c @@ -25,8 +25,8 @@ #define foreach_esp_encrypt_next \ _(DROP, "error-drop") \ -_(IP4_INPUT, "ip4-input") \ -_(IP6_INPUT, "ip6-input") \ +_(IP4_LOOKUP, "ip4-lookup") \ +_(IP6_LOOKUP, "ip6-lookup") \ _(INTERFACE_OUTPUT, "interface-output") #define _(v, s) ESP_ENCRYPT_NEXT_##v, @@ -226,7 +226,7 @@ esp_encrypt_node_fn (vlib_main_t * vm, oh6_0->esp.seq = clib_net_to_host_u32 (sa0->seq); ip_proto = ih6_0->ip6.protocol; - next0 = ESP_ENCRYPT_NEXT_IP6_INPUT; + next0 = ESP_ENCRYPT_NEXT_IP6_LOOKUP; } else { @@ -248,7 +248,7 @@ esp_encrypt_node_fn (vlib_main_t * vm, oh0->esp.seq = clib_net_to_host_u32 (sa0->seq); ip_proto = ih0->ip4.protocol; - next0 = ESP_ENCRYPT_NEXT_IP4_INPUT; + next0 = ESP_ENCRYPT_NEXT_IP4_LOOKUP; } if (PREDICT_TRUE |