aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2019-02-13 02:08:06 -0800
committerNeale Ranns <nranns@cisco.com>2019-02-13 02:08:06 -0800
commitb4cfd55f25cb87acff732fc40633d055cfedd816 (patch)
tree4bd0ce349148f944f106236077f0f6596a994398
parent6fef74ad3083f630648eae65545a0dd46af1102e (diff)
IPSEC: restack SAs on backend change
Change-Id: I5852ca02d684fa9d59e1690efcaca06371c5faff Signed-off-by: Neale Ranns <nranns@cisco.com>
-rw-r--r--src/vnet/ipsec/ipsec.c12
-rw-r--r--src/vnet/ipsec/ipsec_sa.c39
-rw-r--r--src/vnet/ipsec/ipsec_sa.h4
3 files changed, 42 insertions, 13 deletions
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c
index e88a72e8bac..0ad11ba842e 100644
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -181,6 +181,14 @@ ipsec_register_esp_backend (vlib_main_t * vm, ipsec_main_t * im,
return b - im->esp_backends;
}
+static walk_rc_t
+ipsec_sa_restack (ipsec_sa_t * sa, void *ctx)
+{
+ ipsec_sa_stack (sa);
+
+ return (WALK_CONTINUE);
+}
+
int
ipsec_select_ah_backend (ipsec_main_t * im, u32 backend_idx)
{
@@ -199,6 +207,8 @@ ipsec_select_ah_backend (ipsec_main_t * im, u32 backend_idx)
im->ah6_decrypt_node_index = b->ah6_decrypt_node_index;
im->ah6_encrypt_next_index = b->ah6_encrypt_next_index;
im->ah6_decrypt_next_index = b->ah6_decrypt_next_index;
+
+ ipsec_sa_walk (ipsec_sa_restack, NULL);
return 0;
}
@@ -220,6 +230,8 @@ ipsec_select_esp_backend (ipsec_main_t * im, u32 backend_idx)
im->esp6_decrypt_node_index = b->esp6_decrypt_node_index;
im->esp6_encrypt_next_index = b->esp6_encrypt_next_index;
im->esp6_decrypt_next_index = b->esp6_decrypt_next_index;
+
+ ipsec_sa_walk (ipsec_sa_restack, NULL);
return 0;
}
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index f20d941fd68..b0de76ac508 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -54,12 +54,12 @@ ipsec_mk_key (ipsec_key_t * key, const u8 * data, u8 len)
/**
* 'stack' (resolve the recursion for) the SA tunnel destination
*/
-static void
+void
ipsec_sa_stack (ipsec_sa_t * sa)
{
+ ipsec_main_t *im = &ipsec_main;
fib_forward_chain_type_t fct;
dpo_id_t tmp = DPO_INVALID;
- vlib_node_t *node;
fct = fib_forw_chain_type_from_fib_proto ((sa->is_tunnel_ip6 ?
FIB_PROTOCOL_IP6 :
@@ -67,17 +67,15 @@ ipsec_sa_stack (ipsec_sa_t * sa)
fib_entry_contribute_forwarding (sa->fib_entry_index, fct, &tmp);
- node = vlib_get_node_by_name (vlib_get_main (),
- (sa->is_tunnel_ip6 ?
- (u8 *) "ah6-encrypt" :
- (u8 *) "ah4-encrypt"));
- dpo_stack_from_node (node->index, &sa->dpo[IPSEC_PROTOCOL_AH], &tmp);
-
- node = vlib_get_node_by_name (vlib_get_main (),
- (sa->is_tunnel_ip6 ?
- (u8 *) "esp6-encrypt" :
- (u8 *) "esp4-encrypt"));
- dpo_stack_from_node (node->index, &sa->dpo[IPSEC_PROTOCOL_ESP], &tmp);
+ dpo_stack_from_node ((sa->is_tunnel_ip6 ?
+ im->ah6_encrypt_node_index :
+ im->ah4_encrypt_node_index),
+ &sa->dpo[IPSEC_PROTOCOL_AH], &tmp);
+ dpo_stack_from_node ((sa->is_tunnel_ip6 ?
+ im->esp6_encrypt_node_index :
+ im->esp4_encrypt_node_index),
+ &sa->dpo[IPSEC_PROTOCOL_ESP], &tmp);
+ dpo_reset (&tmp);
}
int
@@ -291,6 +289,21 @@ ipsec_get_sa_index_by_sa_id (u32 sa_id)
return p[0];
}
+void
+ipsec_sa_walk (ipsec_sa_walk_cb_t cb, void *ctx)
+{
+ ipsec_main_t *im = &ipsec_main;
+ ipsec_sa_t *sa;
+
+ /* *INDENT-OFF* */
+ pool_foreach (sa, im->sad,
+ ({
+ if (WALK_CONTINUE != cb(sa, ctx))
+ break;
+ }));
+ /* *INDENT-ON* */
+}
+
/**
* Function definition to get a FIB node from its index
*/
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index 775343b4b73..2e39566bd63 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -151,12 +151,16 @@ extern int ipsec_sa_add (u32 id,
const ip46_address_t * tunnel_dst_addr,
u32 * sa_index);
extern u32 ipsec_sa_del (u32 id);
+extern void ipsec_sa_stack (ipsec_sa_t * sa);
extern u8 ipsec_is_sa_used (u32 sa_index);
extern int ipsec_set_sa_key (u32 id,
const ipsec_key_t * ck, const ipsec_key_t * ik);
extern u32 ipsec_get_sa_index_by_sa_id (u32 sa_id);
+typedef walk_rc_t (*ipsec_sa_walk_cb_t) (ipsec_sa_t * sa, void *ctx);
+extern void ipsec_sa_walk (ipsec_sa_walk_cb_t cd, void *ctx);
+
extern u8 *format_ipsec_crypto_alg (u8 * s, va_list * args);
extern u8 *format_ipsec_integ_alg (u8 * s, va_list * args);
extern u8 *format_ipsec_sa (u8 * s, va_list * args);