authorChristian Hopps <chopps@labn.net>2020-03-04 13:21:41 -0500
committerNeale Ranns <nranns@cisco.com>2020-03-05 13:41:04 +0000
commit5893747d72acd0a507f74fe61c13cae54de23630 (patch)
tree8073b7a64480eb6101820c885ca882e65d8eb1ed
parentb49bc1ae6404f0dff373578786a9fd95d961e5cd (diff)
api: ipsec: add missing IS_INBOUND flag.
External IKE daemons need to be able to flag an SA as inbound (just as the included ike plugin does). This commit adds this flag to the API. This change is backward bug-compatible as not setting the flag (old clients) continues to mean all SAs are created as outbound and fib nodes are created for them. The addition of this flag inhibits this forwarding node creation as well as properly flagging the SA as inbound. Ticket: VPP-1845 Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: I195e32c430e51155fac2d9f33671e06ef42a3f7f
-rw-r--r--src/vnet/ipsec/ipsec_types.api2
-rw-r--r--src/vnet/ipsec/ipsec_types_api.c4
2 files changed, 6 insertions, 0 deletions
diff --git a/src/vnet/ipsec/ipsec_types.api b/src/vnet/ipsec/ipsec_types.api
index 3015613b3c9..cba22c8c38b 100644
--- a/src/vnet/ipsec/ipsec_types.api
+++ b/src/vnet/ipsec/ipsec_types.api
@@ -71,6 +71,8 @@ enum ipsec_sad_flags
IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08,
/* enable UDP encapsulation for NAT traversal */
IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,
+ /* IPsec SA is for inbound traffic */
+ IPSEC_API_SAD_FLAG_IS_INBOUND = 0x40,
};
enum ipsec_proto
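Review bot: `IPSEC_API_SAD_FLAG_IS_INBOUND = 0x40` skips 0x20, and nothing in the enum says why that bit is left unassigned. If the value was chosen to line up with an internal SA flag layout (not visible in this hunk), record that next to the entry, for example `/* 0x20 is intentionally unassigned in the API; do not reuse */`, so a later addition does not claim the bit with a meaning existing clients do not expect. The one-line comment on the new flag could also state what the commit message says about it: setting the flag suppresses creation of the forwarding node for the SA, which an external IKE daemon author needs to know.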
diff --git a/src/vnet/ipsec/ipsec_types_api.c b/src/vnet/ipsec/ipsec_types_api.c
index 0c59e48c645..44b129b3b66 100644
--- a/src/vnet/ipsec/ipsec_types_api.c
+++ b/src/vnet/ipsec/ipsec_types_api.c
@@ -145,6 +145,8 @@ ipsec_sa_flags_decode (vl_api_ipsec_sad_flags_t in)
flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
if (in & IPSEC_API_SAD_FLAG_UDP_ENCAP)
flags |= IPSEC_SA_FLAG_UDP_ENCAP;
+ if (in & IPSEC_API_SAD_FLAG_IS_INBOUND)
+ flags |= IPSEC_SA_FLAG_IS_INBOUND;
return (flags);
}
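Review bot: The added test in `ipsec_sa_flags_decode` follows the existing pattern of picking known bits out of `in` and silently discarding everything else, so a client that sets an unassigned bit (0x20, which the API enum leaves open) gets an SA created with no indication that the flag was ignored. SA direction is now supplied by the API client and, per the commit message, decides whether forwarding state is created, so the contract deserves a comment on the function such as `/* Unknown bits in 'in' are ignored; callers cannot detect an unsupported flag. */`. If the caller has an error path, rejecting bits outside the known mask there would be the stricter option. The function begins outside this hunk, so any byte-order conversion applied to `in` before these tests is not visible here.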
@@ -164,6 +166,8 @@ ipsec_sad_flags_encode (const ipsec_sa_t * sa)
flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
if (ipsec_sa_is_set_UDP_ENCAP (sa))
flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
+ if (ipsec_sa_is_set_IS_INBOUND (sa))
+ flags |= IPSEC_API_SAD_FLAG_IS_INBOUND;
return clib_host_to_net_u32 (flags);
}
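Review bot: `ipsec_sad_flags_encode` now reports `IPSEC_API_SAD_FLAG_IS_INBOUND` back to clients, and the compatibility argument in the commit message covers only clients that do not set the flag on creation. A client built against the older enum will presumably see 0x40 in the flags of any inbound SA it reads back, including SAs created by the built-in IKE plugin, so a comment such as `/* IS_INBOUND is reported to clients; older clients see an unknown bit 0x40 */` or a sentence in the description would make that explicit. The diffstat lists only the two source files, so nothing in this commit exercises the encode/decode round trip for the new bit. The function begins outside this hunk.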