Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/ipsec.c51
-rw-r--r--src/vnet/ipsec/ipsec.h63
-rw-r--r--src/vnet/ipsec/ipsec_api.c43
-rw-r--r--src/vnet/ipsec/ipsec_cli.c31
-rw-r--r--src/vnet/ipsec/ipsec_if.c73
-rw-r--r--src/vnet/ipsec/ipsec_if_in.c24
-rw-r--r--src/vnet/ipsec/ipsec_if_out.c22
-rw-r--r--src/vnet/ipsec/ipsec_input.c24
-rw-r--r--src/vnet/ipsec/ipsec_output.c20
9 files changed, 148 insertions, 203 deletions
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c
index ee85c402..cfe434ab 100644
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -22,23 +22,7 @@
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/ikev2.h>
-
-#if DPDK_CRYPTO==1
-#include <vnet/devices/dpdk/ipsec/esp.h>
-#define ESP_NODE "dpdk-esp-encrypt"
-#else
#include <vnet/ipsec/esp.h>
-#define ESP_NODE "esp-encrypt"
-#endif
-
-#if DPDK_CRYPTO==0
-/* dummy function */
-static int
-add_del_sa_sess (u32 sa_index, u8 is_add)
-{
- return 0;
-}
-#endif
u32
ipsec_get_sa_index_by_sa_id (u32 sa_id)
@@ -449,7 +433,9 @@ ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add)
return VNET_API_ERROR_SYSCALL_ERROR_1; /* sa used in policy */
}
hash_unset (im->sa_index_by_sa_id, sa->id);
- add_del_sa_sess (sa_index, is_add);
+ if (im->cb.add_del_sa_sess_cb &&
+ im->cb.add_del_sa_sess_cb (sa_index, is_add) < 0)
+ return VNET_API_ERROR_SYSCALL_ERROR_1;
pool_put (im->sad, sa);
}
else /* create new SA */
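Review bot: In the delete branch the `hash_unset (im->sa_index_by_sa_id, sa->id)` on the line above the new check runs before `add_del_sa_sess_cb` is consulted, so when the callback returns < 0 the function returns VNET_API_ERROR_SYSCALL_ERROR_1 with the SA still in `im->sad` but no longer reachable by id; invoking the callback first and only then doing `hash_unset`/`pool_put` keeps the table consistent on failure. The create branch in the next hunk has the mirror problem: `hash_set` and the pool slot outlive a failed callback, so the error return there should be preceded by `hash_unset (im->sa_index_by_sa_id, sa->id); pool_put (im->sad, sa);`. The tunnel-interface create hunks in ipsec_if.c return the same error code after the interface and input SA have already been allocated and probably need the same unwinding. ipsec_add_del_sa starts and ends outside the hunk.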
@@ -458,7 +444,8 @@ ipsec_add_del_sa (vlib_main_t * vm, ipsec_sa_t * new_sa, int is_add)
clib_memcpy (sa, new_sa, sizeof (*sa));
sa_index = sa - im->sad;
hash_set (im->sa_index_by_sa_id, sa->id, sa_index);
- if (add_del_sa_sess (sa_index, is_add) < 0)
+ if (im->cb.add_del_sa_sess_cb &&
+ im->cb.add_del_sa_sess_cb (sa_index, is_add) < 0)
return VNET_API_ERROR_SYSCALL_ERROR_1;
}
return 0;
@@ -497,7 +484,8 @@ ipsec_set_sa_key (vlib_main_t * vm, ipsec_sa_t * sa_update)
if (sa->crypto_key_len + sa->integ_key_len > 0)
{
- if (add_del_sa_sess (sa_index, 0) < 0)
+ if (im->cb.add_del_sa_sess_cb &&
+ im->cb.add_del_sa_sess_cb (sa_index, 0) < 0)
return VNET_API_ERROR_SYSCALL_ERROR_1;
}
@@ -522,6 +510,19 @@ ipsec_rand_seed (void)
}
static clib_error_t *
+ipsec_check_support (ipsec_sa_t * sa)
+{
+ if (sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128)
+ return clib_error_return (0, "unsupported aes-gcm-128 crypto-alg");
+ if (sa->integ_alg == IPSEC_INTEG_ALG_NONE)
+ return clib_error_return (0, "unsupported none integ-alg");
+ if (sa->integ_alg == IPSEC_INTEG_ALG_AES_GCM_128)
+ return clib_error_return (0, "unsupported aes-gcm-128 integ-alg");
+
+ return 0;
+}
+
+static clib_error_t *
ipsec_init (vlib_main_t * vm)
{
clib_error_t *error;
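Review bot: `ipsec_check_support` carries no comment saying why it exists, which matters because ipsec_init installs it into `im->cb.check_support_cb` and the callback slot only makes sense if another crypto backend is expected to replace it. A header comment along the lines of `/* Default check_support_cb for the built-in esp-encrypt/esp-decrypt nodes: they implement neither AES-GCM-128 nor an SA without an integrity algorithm; a backend that supports more installs its own im->cb.check_support_cb. Returns a clib_error_t owned by the caller, 0 if the SA is supported. */` would let a reader understand the three rejections without tracing the call sites. ipsec_init continues outside the hunk.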
@@ -547,14 +548,18 @@ ipsec_init (vlib_main_t * vm)
ASSERT (node);
im->error_drop_node_index = node->index;
- node = vlib_get_node_by_name (vm, (u8 *) ESP_NODE);
-
+ node = vlib_get_node_by_name (vm, (u8 *) "esp-encrypt");
ASSERT (node);
im->esp_encrypt_node_index = node->index;
- node = vlib_get_node_by_name (vm, (u8 *) "ip4-lookup");
+ node = vlib_get_node_by_name (vm, (u8 *) "esp-decrypt");
ASSERT (node);
- im->ip4_lookup_node_index = node->index;
+ im->esp_decrypt_node_index = node->index;
+
+ im->esp_encrypt_next_index = IPSEC_OUTPUT_NEXT_ESP_ENCRYPT;
+ im->esp_decrypt_next_index = IPSEC_INPUT_NEXT_ESP_DECRYPT;
+
+ im->cb.check_support_cb = ipsec_check_support;
if ((error = vlib_call_init_function (vm, ipsec_cli_init)))
return error;
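Review bot: `im->cb.check_support_cb = ipsec_check_support;` assigns unconditionally, so a backend whose init function ran before ipsec_init and installed its own check would be silently reverted to the built-in one; if overriders are expected to register after ipsec_init that ordering should be stated, otherwise `if (!im->cb.check_support_cb) im->cb.check_support_cb = ipsec_check_support;` respects an earlier registration. `add_del_sa_sess_cb` is left unset here and every caller in this commit NULL-tests it, whereas `check_support_cb` is ASSERTed non-NULL in ipsec_api.c, ipsec_cli.c and ipsec_if.c; a one-line comment on the `cb` initialisation saying which callbacks are optional would make that asymmetry look intentional rather than accidental. ipsec_init continues outside the hunk.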
diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h
index 32c7edfc..6726dba0 100644
--- a/src/vnet/ipsec/ipsec.h
+++ b/src/vnet/ipsec/ipsec.h
@@ -17,6 +17,33 @@
#define IPSEC_FLAG_IPSEC_GRE_TUNNEL (1 << 0)
+
+#define foreach_ipsec_output_next \
+_(DROP, "error-drop") \
+_(ESP_ENCRYPT, "esp-encrypt")
+
+#define _(v, s) IPSEC_OUTPUT_NEXT_##v,
+typedef enum
+{
+ foreach_ipsec_output_next
+#undef _
+ IPSEC_OUTPUT_N_NEXT,
+} ipsec_output_next_t;
+
+
+#define foreach_ipsec_input_next \
+_(DROP, "error-drop") \
+_(ESP_DECRYPT, "esp-decrypt")
+
+#define _(v, s) IPSEC_INPUT_NEXT_##v,
+typedef enum
+{
+ foreach_ipsec_input_next
+#undef _
+ IPSEC_INPUT_N_NEXT,
+} ipsec_input_next_t;
+
+
#define foreach_ipsec_policy_action \
_(0, BYPASS, "bypass") \
_(1, DISCARD, "discard") \
@@ -31,20 +58,12 @@ typedef enum
IPSEC_POLICY_N_ACTION,
} ipsec_policy_action_t;
-#if DPDK_CRYPTO==1
#define foreach_ipsec_crypto_alg \
_(0, NONE, "none") \
_(1, AES_CBC_128, "aes-cbc-128") \
_(2, AES_CBC_192, "aes-cbc-192") \
_(3, AES_CBC_256, "aes-cbc-256") \
_(4, AES_GCM_128, "aes-gcm-128")
-#else
-#define foreach_ipsec_crypto_alg \
- _(0, NONE, "none") \
- _(1, AES_CBC_128, "aes-cbc-128") \
- _(2, AES_CBC_192, "aes-cbc-192") \
- _(3, AES_CBC_256, "aes-cbc-256")
-#endif
typedef enum
{
@@ -54,7 +73,6 @@ typedef enum
IPSEC_CRYPTO_N_ALG,
} ipsec_crypto_alg_t;
-#if DPDK_CRYPTO==1
#define foreach_ipsec_integ_alg \
_(0, NONE, "none") \
_(1, MD5_96, "md5-96") /* RFC2403 */ \
@@ -63,17 +81,7 @@ typedef enum
_(4, SHA_256_128, "sha-256-128") /* RFC4868 */ \
_(5, SHA_384_192, "sha-384-192") /* RFC4868 */ \
_(6, SHA_512_256, "sha-512-256") /* RFC4868 */ \
- _(7, AES_GCM_128, "aes-gcm-128")
-#else
-#define foreach_ipsec_integ_alg \
- _(0, NONE, "none") \
- _(1, MD5_96, "md5-96") /* RFC2403 */ \
- _(2, SHA1_96, "sha1-96") /* RFC2404 */ \
- _(3, SHA_256_96, "sha-256-96") /* draft-ietf-ipsec-ciph-sha-256-00 */ \
- _(4, SHA_256_128, "sha-256-128") /* RFC4868 */ \
- _(5, SHA_384_192, "sha-384-192") /* RFC4868 */ \
- _(6, SHA_512_256, "sha-512-256") /* RFC4868 */
-#endif
+ _(7, AES_GCM_128, "aes-gcm-128") /* RFC4106 */
typedef enum
{
@@ -225,6 +233,12 @@ typedef struct
typedef struct
{
+ i32 (*add_del_sa_sess_cb) (u32 sa_index, u8 is_add);
+ clib_error_t *(*check_support_cb) (ipsec_sa_t * sa);
+} ipsec_main_callbacks_t;
+
+typedef struct
+{
/* pool of tunnel instances */
ipsec_spd_t *spds;
ipsec_sa_t *sad;
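Review bot: The two members of `ipsec_main_callbacks_t` are undocumented although their contracts differ and every caller added by this commit depends on them. From the call sites, `add_del_sa_sess_cb` may be NULL (all callers test it), is also invoked with `is_add = 0` after a key change in ipsec_set_sa_key and ipsec_set_interface_key, and a return < 0 makes the caller fail with VNET_API_ERROR_SYSCALL_ERROR_1; `check_support_cb` must not be NULL (callers ASSERT it) and returns a `clib_error_t` the caller has to free or propagate. Comments such as `/* optional; called on SA add/delete and, with is_add = 0, on rekey; < 0 fails the operation */` and `/* required; returns a clib_error_t (caller owns it) if the backend cannot handle sa's algorithms, 0 otherwise */` above the two fields would capture that.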
@@ -250,11 +264,16 @@ typedef struct
uword *sa_index_by_sa_id;
uword *ipsec_if_pool_index_by_key;
- /* node indexes */
+ /* node indeces */
u32 error_drop_node_index;
- u32 ip4_lookup_node_index;
u32 esp_encrypt_node_index;
+ u32 esp_decrypt_node_index;
+ /* next node indeces */
+ u32 esp_encrypt_next_index;
+ u32 esp_decrypt_next_index;
+ /* callbacks */
+ ipsec_main_callbacks_t cb;
} ipsec_main_t;
ipsec_main_t ipsec_main;
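Review bot: The new comments `/* node indeces */` and `/* next node indeces */` misspell "indices", and the first one replaces the correct `/* node indexes */` the file already had. Since the commit touches both lines anyway they should read `/* node indices */` and `/* next node indices */`.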
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 9bcf63b4..30732266 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -177,6 +177,7 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
vl_api_ipsec_sad_add_del_entry_reply_t *rmp;
int rv;
#if WITH_LIBSSL > 0
+ ipsec_main_t *im = &ipsec_main;
ipsec_sa_t sa;
memset (&sa, 0, sizeof (sa));
@@ -204,11 +205,7 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
sa.crypto_key_len = mp->crypto_key_length;
clib_memcpy (&sa.crypto_key, mp->crypto_key, sizeof (sa.crypto_key));
/* check for unsupported integ-alg */
-#if DPDK_CRYPTO==1
if (mp->integrity_algorithm < IPSEC_INTEG_ALG_NONE ||
-#else
- if (mp->integrity_algorithm < IPSEC_INTEG_ALG_SHA1_96 ||
-#endif
mp->integrity_algorithm >= IPSEC_INTEG_N_ALG)
{
clib_warning ("unsupported integ-alg: '%U'", format_ipsec_integ_alg,
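Review bot: `mp->integrity_algorithm < IPSEC_INTEG_ALG_NONE` compares against the enum's first value (0, per the ipsec.h hunk), so if the API field is unsigned the lower bound is vacuous (and `-Wtype-limits` will say so); the API now accepts every integ-alg below IPSEC_INTEG_N_ALG and relies on `check_support_cb` to reject the unsupported ones. The CLI hunk at the same point in ipsec_cli.c keeps `sa.integ_alg < IPSEC_INTEG_ALG_SHA1_96`, so md5-96 is refused on the CLI but accepted through the API, and the default `ipsec_check_support` added in ipsec.c does not reject it either; whether esp-encrypt/esp-decrypt actually implement md5-96 is not visible here, but the two entry points should agree. Either use the same lower bound in both places or drop the always-false comparison and leave the NONE/aes-gcm decision entirely to the callback. The handler starts and ends outside the hunk.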
@@ -217,35 +214,6 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
goto out;
}
-#if DPDK_CRYPTO==1
- /*Special cases, aes-gcm-128 encryption */
- if (mp->crypto_algorithm == IPSEC_CRYPTO_ALG_AES_GCM_128)
- {
- if (mp->integrity_algorithm != IPSEC_INTEG_ALG_NONE
- && mp->integrity_algorithm != IPSEC_INTEG_ALG_AES_GCM_128)
- {
- clib_warning
- ("unsupported: aes-gcm-128 crypto-alg needs none as integ-alg");
- rv = VNET_API_ERROR_UNIMPLEMENTED;
- goto out;
- }
- else /*set integ-alg internally to aes-gcm-128 */
- mp->integrity_algorithm = IPSEC_INTEG_ALG_AES_GCM_128;
- }
- else if (mp->integrity_algorithm == IPSEC_INTEG_ALG_AES_GCM_128)
- {
- clib_warning ("unsupported integ-alg: aes-gcm-128");
- rv = VNET_API_ERROR_UNIMPLEMENTED;
- goto out;
- }
- else if (mp->integrity_algorithm == IPSEC_INTEG_ALG_NONE)
- {
- clib_warning ("unsupported integ-alg: none");
- rv = VNET_API_ERROR_UNIMPLEMENTED;
- goto out;
- }
-#endif
-
sa.integ_alg = mp->integrity_algorithm;
sa.integ_key_len = mp->integrity_key_length;
clib_memcpy (&sa.integ_key, mp->integrity_key, sizeof (sa.integ_key));
@@ -263,6 +231,15 @@ static void vl_api_ipsec_sad_add_del_entry_t_handler
clib_memcpy (&sa.tunnel_dst_addr.ip4.data, mp->tunnel_dst_address, 4);
}
+ ASSERT (im->cb.check_support_cb);
+ clib_error_t *err = im->cb.check_support_cb (&sa);
+ if (err)
+ {
+ clib_warning ("%s", err->what);
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+ goto out;
+ }
+
rv = ipsec_add_del_sa (vm, &sa, mp->is_add);
#else
rv = VNET_API_ERROR_UNIMPLEMENTED;
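Review bot: The `clib_error_t *err` returned by `check_support_cb` is logged with `clib_warning ("%s", err->what)` and then dropped, so every rejected SA request leaks the error object; the CLI path hands it back to the CLI framework, but here nothing releases it. Add `clib_error_free (err);` after the warning, before `rv = VNET_API_ERROR_UNIMPLEMENTED;`. The handler starts and ends outside the hunk.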
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 7ab85d4a..3c1e26f2 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -67,10 +67,12 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
unformat_input_t * input,
vlib_cli_command_t * cmd)
{
+ ipsec_main_t *im = &ipsec_main;
unformat_input_t _line_input, *line_input = &_line_input;
ipsec_sa_t sa;
int is_add = ~0;
u8 *ck = 0, *ik = 0;
+ clib_error_t *err = 0;
memset (&sa, 0, sizeof (sa));
@@ -109,11 +111,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
else if (unformat (line_input, "integ-alg %U", unformat_ipsec_integ_alg,
&sa.integ_alg))
{
-#if DPDK_CRYPTO==1
- if (sa.integ_alg < IPSEC_INTEG_ALG_NONE ||
-#else
if (sa.integ_alg < IPSEC_INTEG_ALG_SHA1_96 ||
-#endif
sa.integ_alg >= IPSEC_INTEG_N_ALG)
return clib_error_return (0, "unsupported integ-alg: '%U'",
format_ipsec_integ_alg, sa.integ_alg);
@@ -141,23 +139,6 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
format_unformat_error, line_input);
}
-#if DPDK_CRYPTO==1
- /*Special cases, aes-gcm-128 encryption */
- if (sa.crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128)
- {
- if (sa.integ_alg != IPSEC_INTEG_ALG_NONE
- && sa.integ_alg != IPSEC_INTEG_ALG_AES_GCM_128)
- return clib_error_return (0,
- "unsupported: aes-gcm-128 crypto-alg needs none as integ-alg");
- else /*set integ-alg internally to aes-gcm-128 */
- sa.integ_alg = IPSEC_INTEG_ALG_AES_GCM_128;
- }
- else if (sa.integ_alg == IPSEC_INTEG_ALG_AES_GCM_128)
- return clib_error_return (0, "unsupported integ-alg: aes-gcm-128");
- else if (sa.integ_alg == IPSEC_INTEG_ALG_NONE)
- return clib_error_return (0, "unsupported integ-alg: none");
-#endif
-
unformat_free (line_input);
if (sa.crypto_key_len > sizeof (sa.crypto_key))
@@ -172,6 +153,14 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
if (ik)
strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len);
+ if (is_add)
+ {
+ ASSERT (im->cb.check_support_cb);
+ err = im->cb.check_support_cb (&sa);
+ if (err)
+ return err;
+ }
+
ipsec_add_del_sa (vm, &sa, is_add);
return 0;
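Review bot: The new support check returns its error, but the `ipsec_add_del_sa (vm, &sa, is_add);` on the line after it still discards the return value, and this commit makes that function fail with VNET_API_ERROR_SYSCALL_ERROR_1 whenever `add_del_sa_sess_cb` reports an error; the CLI would then print nothing and report success. Capture and surface it, e.g. `int rv = ipsec_add_del_sa (vm, &sa, is_add);` followed by `if (rv) return clib_error_return (0, "ipsec_add_del_sa returned %d", rv);`. ipsec_sa_add_del_command_fn starts outside the hunk.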
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index a8da046f..ca6b0092 100644
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -20,20 +20,7 @@
#include <vnet/ip/ip.h>
#include <vnet/ipsec/ipsec.h>
-#if DPDK_CRYPTO==1
-#include <vnet/devices/dpdk/ipsec/esp.h>
-#else
#include <vnet/ipsec/esp.h>
-#endif
-
-#if DPDK_CRYPTO==0
-/* dummy function */
-static int
-add_del_sa_sess (u32 sa_index, u8 is_add)
-{
- return 0;
-}
-#endif
void vl_api_rpc_call_main_thread (void *fp, u8 * data, u32 data_length);
@@ -52,6 +39,39 @@ dummy_interface_tx (vlib_main_t * vm,
return frame->n_vectors;
}
+static clib_error_t *
+ipsec_admin_up_down_function (vnet_main_t * vnm, u32 hw_if_index, u32 flags)
+{
+ ipsec_main_t *im = &ipsec_main;
+ clib_error_t *err = 0;
+ ipsec_tunnel_if_t *t;
+ vnet_hw_interface_t *hi;
+ ipsec_sa_t *sa;
+
+ hi = vnet_get_hw_interface (vnm, hw_if_index);
+ if (flags & VNET_SW_INTERFACE_FLAG_ADMIN_UP)
+ {
+ t = pool_elt_at_index (im->tunnel_interfaces, hi->hw_instance);
+ ASSERT (im->cb.check_support_cb);
+ sa = pool_elt_at_index (im->sad, t->input_sa_index);
+ err = im->cb.check_support_cb (sa);
+ if (err)
+ return err;
+
+ sa = pool_elt_at_index (im->sad, t->output_sa_index);
+ err = im->cb.check_support_cb (sa);
+ if (err)
+ return err;
+
+ vnet_sw_interface_set_flags (vnm, hi->sw_if_index,
+ VNET_HW_INTERFACE_FLAG_LINK_UP);
+ }
+ else
+ vnet_sw_interface_set_flags (vnm, hi->sw_if_index, 0 /* down */ );
+
+ return /* no error */ 0;
+}
+
/* *INDENT-OFF* */
VNET_DEVICE_CLASS (ipsec_device_class, static) =
{
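Review bot: `ipsec_admin_up_down_function` looks the tunnel up with `hi->hw_instance`, while the output-node context in this same commit (ipsec_if_out.c) uses `hi0->dev_instance`; unless the two fields are guaranteed equal for ipsec tunnel interfaces, one of them indexes the wrong pool slot and that should be confirmed. The up branch also passes `VNET_HW_INTERFACE_FLAG_LINK_UP` to `vnet_sw_interface_set_flags`, a hardware-interface flag to the software-interface setter; if the intent is to raise the link state, `vnet_hw_interface_set_flags (vnm, hw_if_index, VNET_HW_INTERFACE_FLAG_LINK_UP)` (and `0` on the down path) expresses it without relying on the two flag values coinciding. A short comment stating that both SAs must pass the backend's support check before the link comes up would also help, since the tunnel create hunks further down do not call `check_support_cb` and this appears to be the only place tunnel SAs are validated.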
@@ -59,6 +79,7 @@ VNET_DEVICE_CLASS (ipsec_device_class, static) =
.format_device_name = format_ipsec_name,
.format_tx_trace = format_ipsec_if_output_trace,
.tx_function = dummy_interface_tx,
+ .admin_up_down_function = ipsec_admin_up_down_function,
};
/* *INDENT-ON* */
@@ -138,7 +159,9 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
args->remote_crypto_key_len);
}
- add_del_sa_sess (t->input_sa_index, args->is_add);
+ if (im->cb.add_del_sa_sess_cb &&
+ im->cb.add_del_sa_sess_cb (t->input_sa_index, args->is_add) < 0)
+ return VNET_API_ERROR_SYSCALL_ERROR_1;
pool_get (im->sad, sa);
memset (sa, 0, sizeof (*sa));
@@ -165,7 +188,9 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
args->local_crypto_key_len);
}
- add_del_sa_sess (t->output_sa_index, args->is_add);
+ if (im->cb.add_del_sa_sess_cb &&
+ im->cb.add_del_sa_sess_cb (t->output_sa_index, args->is_add) < 0)
+ return VNET_API_ERROR_SYSCALL_ERROR_1;
hash_set (im->ipsec_if_pool_index_by_key, key,
t - im->tunnel_interfaces);
@@ -211,14 +236,16 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
/* delete input and output SA */
sa = pool_elt_at_index (im->sad, t->input_sa_index);
- if (add_del_sa_sess (t->input_sa_index, args->is_add) < 0)
+ if (im->cb.add_del_sa_sess_cb &&
+ im->cb.add_del_sa_sess_cb (t->input_sa_index, args->is_add) < 0)
return VNET_API_ERROR_SYSCALL_ERROR_1;
pool_put (im->sad, sa);
sa = pool_elt_at_index (im->sad, t->output_sa_index);
- if (add_del_sa_sess (t->output_sa_index, args->is_add) < 0)
+ if (im->cb.add_del_sa_sess_cb &&
+ im->cb.add_del_sa_sess_cb (t->output_sa_index, args->is_add) < 0)
return VNET_API_ERROR_SYSCALL_ERROR_1;
pool_put (im->sad, sa);
@@ -310,7 +337,8 @@ ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index,
sa->crypto_key_len = vec_len (key);
clib_memcpy (sa->crypto_key, key, vec_len (key));
- if (add_del_sa_sess (t->input_sa_index, 0) < 0)
+ if (im->cb.add_del_sa_sess_cb &&
+ im->cb.add_del_sa_sess_cb (t->output_sa_index, 0) < 0)
return VNET_API_ERROR_SYSCALL_ERROR_1;
}
else if (type == IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG)
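Review bot: The SA index passed to `add_del_sa_sess_cb` changes here from `t->input_sa_index` to `t->output_sa_index`, and the REMOTE_INTEG hunk further down makes the opposite swap; that is a behaviour change beyond the callback plumbing the rest of the commit does. If `sa` in this branch is fetched from `t->output_sa_index` (the lookup is above the hunk), the old code re-created the session of the SA whose key did not change and this is a real fix that deserves a line in the commit message; if not, the new code resets the wrong session. Either way a comment like `/* local keys belong to the output SA, remote keys to the input SA */` at the top of the branch chain would stop the next reader from flipping it back. ipsec_set_interface_key starts and ends outside the hunk.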
@@ -320,7 +348,8 @@ ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index,
sa->integ_key_len = vec_len (key);
clib_memcpy (sa->integ_key, key, vec_len (key));
- if (add_del_sa_sess (t->output_sa_index, 0) < 0)
+ if (im->cb.add_del_sa_sess_cb &&
+ im->cb.add_del_sa_sess_cb (t->output_sa_index, 0) < 0)
return VNET_API_ERROR_SYSCALL_ERROR_1;
}
else if (type == IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO)
@@ -330,7 +359,8 @@ ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index,
sa->crypto_key_len = vec_len (key);
clib_memcpy (sa->crypto_key, key, vec_len (key));
- if (add_del_sa_sess (t->input_sa_index, 0) < 0)
+ if (im->cb.add_del_sa_sess_cb &&
+ im->cb.add_del_sa_sess_cb (t->input_sa_index, 0) < 0)
return VNET_API_ERROR_SYSCALL_ERROR_1;
}
else if (type == IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG)
@@ -340,7 +370,8 @@ ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index,
sa->integ_key_len = vec_len (key);
clib_memcpy (sa->integ_key, key, vec_len (key));
- if (add_del_sa_sess (t->output_sa_index, 0) < 0)
+ if (im->cb.add_del_sa_sess_cb &&
+ im->cb.add_del_sa_sess_cb (t->input_sa_index, 0) < 0)
return VNET_API_ERROR_SYSCALL_ERROR_1;
}
else
diff --git a/src/vnet/ipsec/ipsec_if_in.c b/src/vnet/ipsec/ipsec_if_in.c
index db75ab92..bd2a9f78 100644
--- a/src/vnet/ipsec/ipsec_if_in.c
+++ b/src/vnet/ipsec/ipsec_if_in.c
@@ -22,12 +22,6 @@
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/esp.h>
-#if DPDK_CRYPTO==1
-#define ESP_NODE "dpdk-esp-decrypt"
-#else
-#define ESP_NODE "esp-decrypt"
-#endif
-
/* Statistics (not really errors) */
#define foreach_ipsec_if_input_error \
_(RX, "good packets received")
@@ -46,12 +40,6 @@ typedef enum
IPSEC_IF_INPUT_N_ERROR,
} ipsec_if_input_error_t;
-typedef enum
-{
- IPSEC_IF_INPUT_NEXT_ESP_DECRYPT,
- IPSEC_IF_INPUT_NEXT_DROP,
- IPSEC_IF_INPUT_N_NEXT,
-} ipsec_if_input_next_t;
typedef struct
{
@@ -59,7 +47,6 @@ typedef struct
u32 seq;
} ipsec_if_input_trace_t;
-
u8 *
format_ipsec_if_input_trace (u8 * s, va_list * args)
{
@@ -106,7 +93,7 @@ ipsec_if_input_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node,
ip0 = vlib_buffer_get_current (b0);
esp0 = (esp_header_t *) ((u8 *) ip0 + ip4_header_bytes (ip0));
- next0 = IPSEC_IF_INPUT_NEXT_DROP;
+ next0 = IPSEC_INPUT_NEXT_DROP;
u64 key = (u64) ip0->src_address.as_u32 << 32 |
(u64) clib_net_to_host_u32 (esp0->spi);
@@ -121,7 +108,7 @@ ipsec_if_input_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node,
vnet_buffer (b0)->ipsec.flags =
t->hw_if_index == ~0 ? IPSEC_FLAG_IPSEC_GRE_TUNNEL : 0;
vlib_buffer_advance (b0, ip4_header_bytes (ip0));
- next0 = IPSEC_IF_INPUT_NEXT_ESP_DECRYPT;
+ next0 = im->esp_decrypt_next_index;
}
if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
@@ -156,12 +143,7 @@ VLIB_REGISTER_NODE (ipsec_if_input_node) = {
.n_errors = ARRAY_LEN(ipsec_if_input_error_strings),
.error_strings = ipsec_if_input_error_strings,
- .n_next_nodes = IPSEC_IF_INPUT_N_NEXT,
-
- .next_nodes = {
- [IPSEC_IF_INPUT_NEXT_ESP_DECRYPT] = ESP_NODE,
- [IPSEC_IF_INPUT_NEXT_DROP] = "error-drop",
- },
+ .sibling_of = "ipsec-input-ip4",
};
/* *INDENT-ON* */
diff --git a/src/vnet/ipsec/ipsec_if_out.c b/src/vnet/ipsec/ipsec_if_out.c
index 8f062828..62ff67ac 100644
--- a/src/vnet/ipsec/ipsec_if_out.c
+++ b/src/vnet/ipsec/ipsec_if_out.c
@@ -21,12 +21,6 @@
#include <vnet/ipsec/ipsec.h>
-#if DPDK_CRYPTO==1
-#define ESP_NODE "dpdk-esp-encrypt"
-#else
-#define ESP_NODE "esp-encrypt"
-#endif
-
/* Statistics (not really errors) */
#define foreach_ipsec_if_output_error \
_(TX, "good packets transmitted")
@@ -45,12 +39,6 @@ typedef enum
IPSEC_IF_OUTPUT_N_ERROR,
} ipsec_if_output_error_t;
-typedef enum
-{
- IPSEC_IF_OUTPUT_NEXT_ESP_ENCRYPT,
- IPSEC_IF_OUTPUT_NEXT_DROP,
- IPSEC_IF_OUTPUT_N_NEXT,
-} ipsec_if_output_next_t;
typedef struct
{
@@ -58,7 +46,6 @@ typedef struct
u32 seq;
} ipsec_if_output_trace_t;
-
u8 *
format_ipsec_if_output_trace (u8 * s, va_list * args)
{
@@ -106,7 +93,7 @@ ipsec_if_output_node_fn (vlib_main_t * vm, vlib_node_runtime_t * node,
hi0 = vnet_get_sup_hw_interface (vnm, sw_if_index0);
t0 = pool_elt_at_index (im->tunnel_interfaces, hi0->dev_instance);
vnet_buffer (b0)->ipsec.sad_index = t0->output_sa_index;
- next0 = IPSEC_IF_OUTPUT_NEXT_ESP_ENCRYPT;
+ next0 = im->esp_encrypt_next_index;
if (PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
{
@@ -142,12 +129,7 @@ VLIB_REGISTER_NODE (ipsec_if_output_node) = {
.n_errors = ARRAY_LEN(ipsec_if_output_error_strings),
.error_strings = ipsec_if_output_error_strings,
- .n_next_nodes = IPSEC_IF_OUTPUT_N_NEXT,
-
- .next_nodes = {
- [IPSEC_IF_OUTPUT_NEXT_ESP_ENCRYPT] = ESP_NODE,
- [IPSEC_IF_OUTPUT_NEXT_DROP] = "error-drop",
- },
+ .sibling_of = "ipsec-output-ip4",
};
/* *INDENT-ON* */
diff --git a/src/vnet/ipsec/ipsec_input.c b/src/vnet/ipsec/ipsec_input.c
index 4662c1a1..deaa7b7b 100644
--- a/src/vnet/ipsec/ipsec_input.c
+++ b/src/vnet/ipsec/ipsec_input.c
@@ -23,30 +23,10 @@
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/esp.h>
-#if DPDK_CRYPTO==1
-#define ESP_NODE "dpdk-esp-decrypt"
-#else
-#define ESP_NODE "esp-decrypt"
-#endif
-
-#define foreach_ipsec_input_next \
-_(DROP, "error-drop") \
-_(ESP_DECRYPT, ESP_NODE)
-
-#define _(v, s) IPSEC_INPUT_NEXT_##v,
-typedef enum
-{
- foreach_ipsec_input_next
-#undef _
- IPSEC_INPUT_N_NEXT,
-} ipsec_input_next_t;
-
-
#define foreach_ipsec_input_error \
_(RX_PKTS, "IPSEC pkts received") \
_(DECRYPTION_FAILED, "IPSEC decryption failed")
-
typedef enum
{
#define _(sym,str) IPSEC_INPUT_ERROR_##sym,
@@ -262,7 +242,7 @@ ipsec_input_ip4_node_fn (vlib_main_t * vm,
p0->counter.bytes += clib_net_to_host_u16 (ip0->length);
vnet_buffer (b0)->ipsec.sad_index = p0->sa_index;
vnet_buffer (b0)->ipsec.flags = 0;
- next0 = IPSEC_INPUT_NEXT_ESP_DECRYPT;
+ next0 = im->esp_decrypt_next_index;
vlib_buffer_advance (b0, ip4_header_bytes (ip0));
goto trace0;
}
@@ -392,7 +372,7 @@ VLIB_NODE_FUNCTION_MULTIARCH (ipsec_input_ip4_node, ipsec_input_ip4_node_fn)
p0->counter.bytes += header_size;
vnet_buffer (b0)->ipsec.sad_index = p0->sa_index;
vnet_buffer (b0)->ipsec.flags = 0;
- next0 = IPSEC_INPUT_NEXT_ESP_DECRYPT;
+ next0 = im->esp_decrypt_next_index;
vlib_buffer_advance (b0, header_size);
goto trace0;
}
diff --git a/src/vnet/ipsec/ipsec_output.c b/src/vnet/ipsec/ipsec_output.c
index df93b5e4..1b8070d6 100644
--- a/src/vnet/ipsec/ipsec_output.c
+++ b/src/vnet/ipsec/ipsec_output.c
@@ -21,27 +21,8 @@
#include <vnet/ipsec/ipsec.h>
-#if DPDK_CRYPTO==1
-#define ESP_NODE "dpdk-esp-encrypt"
-#else
-#define ESP_NODE "esp-encrypt"
-#endif
-
#if WITH_LIBSSL > 0
-#define foreach_ipsec_output_next \
-_(DROP, "error-drop") \
-_(ESP_ENCRYPT, ESP_NODE)
-
-#define _(v, s) IPSEC_OUTPUT_NEXT_##v,
-typedef enum
-{
- foreach_ipsec_output_next
-#undef _
- IPSEC_OUTPUT_N_NEXT,
-} ipsec_output_next_t;
-
-
#define foreach_ipsec_output_error \
_(RX_PKTS, "IPSec pkts received") \
_(POLICY_DISCARD, "IPSec policy discard") \
@@ -50,7 +31,6 @@ typedef enum
_(POLICY_BYPASS, "IPSec policy bypass") \
_(ENCAPS_FAILED, "IPSec encapsulation failed")
-
typedef enum
{
#define _(sym,str) IPSEC_OUTPUT_ERROR_##sym,