authorMatthew Smith <mgsmith@netgate.com>2017-11-06 12:12:13 -0600
committerDamjan Marion <dmarion.lists@gmail.com>2017-11-10 19:50:44 +0000
commit890955866f5953727a782363cf3ece051ae7d4c5 (patch)
tree84223fc6ead942cff43cb436d713bf7e04096c12
parent6e8c6679883f59542d85d1de3edabc7e811108d2 (diff)
Fix bug in key calculation for IPsec tunnel interface
When IPsec tunnel interface has the inbound SA updated, the key used to find the right interface for inbound packets was being generated using the destination address instead of the source. Change-Id: Id5a6fb1511637c912b329aad65188789646a5889 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
-rw-r--r--src/vnet/ipsec/ipsec_if.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index 5a0d4898ccb..0a080819523 100644
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -442,14 +442,14 @@ ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index, u32 sa_id,
/* unset old inbound hash entry. packets should stop arriving */
key =
- (u64) old_sa->tunnel_dst_addr.ip4.as_u32 << 32 | (u64) old_sa->spi;
+ (u64) old_sa->tunnel_src_addr.ip4.as_u32 << 32 | (u64) old_sa->spi;
p = hash_get (im->ipsec_if_pool_index_by_key, key);
if (p)
hash_unset (im->ipsec_if_pool_index_by_key, key);
/* set new inbound SA, then set new hash entry */
t->input_sa_index = sa_index;
- key = (u64) sa->tunnel_dst_addr.ip4.as_u32 << 32 | (u64) sa->spi;
+ key = (u64) sa->tunnel_src_addr.ip4.as_u32 << 32 | (u64) sa->spi;
hash_set (im->ipsec_if_pool_index_by_key, key, hi->dev_instance);
}
else
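Review bot: The inbound lookup key is still written out by hand at both places in this branch (`(u64) old_sa->tunnel_src_addr.ip4.as_u32 << 32 | (u64) old_sa->spi` and the same expression on `sa`), and the bug fixed here was one of these expressions drifting from the key the rest of the code uses. A single static inline helper (name to be chosen, e.g. a proposed `ipsec_if_inbound_key (sa)`) used for set, unset and lookup would keep the mapping from inbound packets to tunnel interfaces from diverging again. Separately, the new `hash_set` replaces whatever entry already exists for that (source address, SPI) pair. If another tunnel interface owns the key, its inbound traffic would presumably be steered to this interface. Unless that is rejected earlier in ipsec_set_interface_sa, which starts outside this hunk, a `hash_get` on the new key before the old entry is unset would let the update fail cleanly instead.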