diff options
author | Neale Ranns <nranns@cisco.com> | 2019-02-13 02:08:06 -0800 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2019-02-13 02:08:06 -0800 |
commit | b4cfd55f25cb87acff732fc40633d055cfedd816 (patch) | |
tree | 4bd0ce349148f944f106236077f0f6596a994398 | |
parent | 6fef74ad3083f630648eae65545a0dd46af1102e (diff) |
IPSEC: restack SAs on backend change
Change-Id: I5852ca02d684fa9d59e1690efcaca06371c5faff
Signed-off-by: Neale Ranns <nranns@cisco.com>
-rw-r--r-- | src/vnet/ipsec/ipsec.c | 12 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.c | 39 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.h | 4 |
3 files changed, 42 insertions, 13 deletions
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c index e88a72e8bac..0ad11ba842e 100644 --- a/src/vnet/ipsec/ipsec.c +++ b/src/vnet/ipsec/ipsec.c @@ -181,6 +181,14 @@ ipsec_register_esp_backend (vlib_main_t * vm, ipsec_main_t * im, return b - im->esp_backends; } +static walk_rc_t +ipsec_sa_restack (ipsec_sa_t * sa, void *ctx) +{ + ipsec_sa_stack (sa); + + return (WALK_CONTINUE); +} + int ipsec_select_ah_backend (ipsec_main_t * im, u32 backend_idx) { @@ -199,6 +207,8 @@ ipsec_select_ah_backend (ipsec_main_t * im, u32 backend_idx) im->ah6_decrypt_node_index = b->ah6_decrypt_node_index; im->ah6_encrypt_next_index = b->ah6_encrypt_next_index; im->ah6_decrypt_next_index = b->ah6_decrypt_next_index; + + ipsec_sa_walk (ipsec_sa_restack, NULL); return 0; } @@ -220,6 +230,8 @@ ipsec_select_esp_backend (ipsec_main_t * im, u32 backend_idx) im->esp6_decrypt_node_index = b->esp6_decrypt_node_index; im->esp6_encrypt_next_index = b->esp6_encrypt_next_index; im->esp6_decrypt_next_index = b->esp6_decrypt_next_index; + + ipsec_sa_walk (ipsec_sa_restack, NULL); return 0; } diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c index f20d941fd68..b0de76ac508 100644 --- a/src/vnet/ipsec/ipsec_sa.c +++ b/src/vnet/ipsec/ipsec_sa.c @@ -54,12 +54,12 @@ ipsec_mk_key (ipsec_key_t * key, const u8 * data, u8 len) /** * 'stack' (resolve the recursion for) the SA tunnel destination */ -static void +void ipsec_sa_stack (ipsec_sa_t * sa) { + ipsec_main_t *im = &ipsec_main; fib_forward_chain_type_t fct; dpo_id_t tmp = DPO_INVALID; - vlib_node_t *node; fct = fib_forw_chain_type_from_fib_proto ((sa->is_tunnel_ip6 ? FIB_PROTOCOL_IP6 : @@ -67,17 +67,15 @@ ipsec_sa_stack (ipsec_sa_t * sa) fib_entry_contribute_forwarding (sa->fib_entry_index, fct, &tmp); - node = vlib_get_node_by_name (vlib_get_main (), - (sa->is_tunnel_ip6 ? - (u8 *) "ah6-encrypt" : - (u8 *) "ah4-encrypt")); - dpo_stack_from_node (node->index, &sa->dpo[IPSEC_PROTOCOL_AH], &tmp); - - node = vlib_get_node_by_name (vlib_get_main (), - (sa->is_tunnel_ip6 ? - (u8 *) "esp6-encrypt" : - (u8 *) "esp4-encrypt")); - dpo_stack_from_node (node->index, &sa->dpo[IPSEC_PROTOCOL_ESP], &tmp); + dpo_stack_from_node ((sa->is_tunnel_ip6 ? + im->ah6_encrypt_node_index : + im->ah4_encrypt_node_index), + &sa->dpo[IPSEC_PROTOCOL_AH], &tmp); + dpo_stack_from_node ((sa->is_tunnel_ip6 ? + im->esp6_encrypt_node_index : + im->esp4_encrypt_node_index), + &sa->dpo[IPSEC_PROTOCOL_ESP], &tmp); + dpo_reset (&tmp); } int @@ -291,6 +289,21 @@ ipsec_get_sa_index_by_sa_id (u32 sa_id) return p[0]; } +void +ipsec_sa_walk (ipsec_sa_walk_cb_t cb, void *ctx) +{ + ipsec_main_t *im = &ipsec_main; + ipsec_sa_t *sa; + + /* *INDENT-OFF* */ + pool_foreach (sa, im->sad, + ({ + if (WALK_CONTINUE != cb(sa, ctx)) + break; + })); + /* *INDENT-ON* */ +} + /** * Function definition to get a FIB node from its index */ diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h index 775343b4b73..2e39566bd63 100644 --- a/src/vnet/ipsec/ipsec_sa.h +++ b/src/vnet/ipsec/ipsec_sa.h @@ -151,12 +151,16 @@ extern int ipsec_sa_add (u32 id, const ip46_address_t * tunnel_dst_addr, u32 * sa_index); extern u32 ipsec_sa_del (u32 id); +extern void ipsec_sa_stack (ipsec_sa_t * sa); extern u8 ipsec_is_sa_used (u32 sa_index); extern int ipsec_set_sa_key (u32 id, const ipsec_key_t * ck, const ipsec_key_t * ik); extern u32 ipsec_get_sa_index_by_sa_id (u32 sa_id); +typedef walk_rc_t (*ipsec_sa_walk_cb_t) (ipsec_sa_t * sa, void *ctx); +extern void ipsec_sa_walk (ipsec_sa_walk_cb_t cd, void *ctx); + extern u8 *format_ipsec_crypto_alg (u8 * s, va_list * args); extern u8 *format_ipsec_integ_alg (u8 * s, va_list * args); extern u8 *format_ipsec_sa (u8 * s, va_list * args); |