diff options
author | Klement Sekera <ksekera@cisco.com> | 2018-10-09 16:05:48 +0200 |
---|---|---|
committer | Damjan Marion <dmarion@me.com> | 2018-10-22 08:22:52 +0000 |
commit | be5a5dd904d4d25857c53a4b5dee7951f724e3e2 (patch) | |
tree | f1623d508a65daf534b8307d29eb6d5492d7cb06 /src/plugins | |
parent | b9ffffd61967ba9bc9453c93348be1ea5412c638 (diff) |
ipsec: split ipsec nodes into ip4/ip6 nodes
Change-Id: Ic6b27659f1fe9e8df39e80a0441305e4e952195a
Signed-off-by: Klement Sekera <ksekera@cisco.com>
Diffstat (limited to 'src/plugins')
-rw-r--r-- | src/plugins/dpdk/ipsec/esp_decrypt.c | 148 | ||||
-rw-r--r-- | src/plugins/dpdk/ipsec/esp_encrypt.c | 145 | ||||
-rw-r--r-- | src/plugins/dpdk/ipsec/ipsec.c | 32 |
3 files changed, 254 insertions, 71 deletions
diff --git a/src/plugins/dpdk/ipsec/esp_decrypt.c b/src/plugins/dpdk/ipsec/esp_decrypt.c index 8327e743d47..bc40b4ba2f8 100644 --- a/src/plugins/dpdk/ipsec/esp_decrypt.c +++ b/src/plugins/dpdk/ipsec/esp_decrypt.c @@ -62,7 +62,8 @@ static char * esp_decrypt_error_strings[] = { #undef _ }; -vlib_node_registration_t dpdk_esp_decrypt_node; +vlib_node_registration_t dpdk_esp4_decrypt_node; +vlib_node_registration_t dpdk_esp6_decrypt_node; typedef struct { ipsec_crypto_alg_t crypto_alg; @@ -87,10 +88,11 @@ static u8 * format_esp_decrypt_trace (u8 * s, va_list * args) return s; } -static uword -dpdk_esp_decrypt_node_fn (vlib_main_t * vm, +always_inline uword +dpdk_esp_decrypt_inline (vlib_main_t * vm, vlib_node_runtime_t * node, - vlib_frame_t * from_frame) + vlib_frame_t * from_frame, + int is_ip6) { u32 n_left_from, *from, *to_next, next_index; ipsec_main_t *im = &ipsec_main; @@ -113,7 +115,11 @@ dpdk_esp_decrypt_node_fn (vlib_main_t * vm, ret = crypto_alloc_ops (numa, ops, n_left_from); if (ret) { - vlib_node_increment_counter (vm, dpdk_esp_decrypt_node.index, + if(is_ip6) + vlib_node_increment_counter (vm, dpdk_esp6_decrypt_node.index, + ESP_DECRYPT_ERROR_DISCARD, 1); + else + vlib_node_increment_counter (vm, dpdk_esp4_decrypt_node.index, ESP_DECRYPT_ERROR_DISCARD, 1); /* Discard whole frame */ return n_left_from; @@ -179,7 +185,11 @@ dpdk_esp_decrypt_node_fn (vlib_main_t * vm, if (PREDICT_FALSE (res_idx == (u16) ~0)) { clib_warning ("unsupported SA by thread index %u", thread_idx); - vlib_node_increment_counter (vm, dpdk_esp_decrypt_node.index, + if(is_ip6) + vlib_node_increment_counter (vm, dpdk_esp6_decrypt_node.index, + ESP_DECRYPT_ERROR_NOSUP, 1); + else + vlib_node_increment_counter (vm, dpdk_esp4_decrypt_node.index, ESP_DECRYPT_ERROR_NOSUP, 1); to_next[0] = bi0; to_next += 1; @@ -192,7 +202,11 @@ dpdk_esp_decrypt_node_fn (vlib_main_t * vm, if (PREDICT_FALSE (error || !session)) { clib_warning ("failed to get crypto session"); - vlib_node_increment_counter (vm, dpdk_esp_decrypt_node.index, + if(is_ip6) + vlib_node_increment_counter (vm, dpdk_esp6_decrypt_node.index, + ESP_DECRYPT_ERROR_SESSION, 1); + else + vlib_node_increment_counter (vm, dpdk_esp4_decrypt_node.index, ESP_DECRYPT_ERROR_SESSION, 1); to_next[0] = bi0; to_next += 1; @@ -218,7 +232,11 @@ dpdk_esp_decrypt_node_fn (vlib_main_t * vm, if (PREDICT_FALSE (rv)) { clib_warning ("failed anti-replay check"); - vlib_node_increment_counter (vm, dpdk_esp_decrypt_node.index, + if(is_ip6) + vlib_node_increment_counter (vm, dpdk_esp6_decrypt_node.index, + ESP_DECRYPT_ERROR_REPLAY, 1); + else + vlib_node_increment_counter (vm, dpdk_esp4_decrypt_node.index, ESP_DECRYPT_ERROR_REPLAY, 1); to_next[0] = bi0; to_next += 1; @@ -254,7 +272,11 @@ dpdk_esp_decrypt_node_fn (vlib_main_t * vm, { clib_warning ("payload %u not multiple of %d\n", payload_len, cipher_alg->boundary); - vlib_node_increment_counter (vm, dpdk_esp_decrypt_node.index, + if(is_ip6) + vlib_node_increment_counter (vm, dpdk_esp6_decrypt_node.index, + ESP_DECRYPT_ERROR_BAD_LEN, 1); + else + vlib_node_increment_counter (vm, dpdk_esp4_decrypt_node.index, ESP_DECRYPT_ERROR_BAD_LEN, 1); res->n_ops -= 1; to_next[0] = bi0; @@ -331,22 +353,41 @@ trace: vlib_put_next_frame (vm, node, next_index, n_left_to_next); } - vlib_node_increment_counter (vm, dpdk_esp_decrypt_node.index, - ESP_DECRYPT_ERROR_RX_PKTS, - from_frame->n_vectors); + if(is_ip6){ + vlib_node_increment_counter (vm, dpdk_esp6_decrypt_node.index, + ESP_DECRYPT_ERROR_RX_PKTS, + from_frame->n_vectors); + + crypto_enqueue_ops (vm, cwm, 0, dpdk_esp6_decrypt_node.index, + ESP_DECRYPT_ERROR_ENQ_FAIL, numa); + } + else + { + vlib_node_increment_counter (vm, dpdk_esp4_decrypt_node.index, + ESP_DECRYPT_ERROR_RX_PKTS, + from_frame->n_vectors); - crypto_enqueue_ops (vm, cwm, 0, dpdk_esp_decrypt_node.index, + crypto_enqueue_ops (vm, cwm, 0, dpdk_esp4_decrypt_node.index, ESP_DECRYPT_ERROR_ENQ_FAIL, numa); + } crypto_free_ops (numa, ops, cwm->ops + from_frame->n_vectors - ops); return from_frame->n_vectors; } +static uword +dpdk_esp4_decrypt_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * from_frame) +{ + return dpdk_esp_decrypt_inline(vm, node, from_frame, 0 /*is_ip6*/); +} + /* *INDENT-OFF* */ -VLIB_REGISTER_NODE (dpdk_esp_decrypt_node) = { - .function = dpdk_esp_decrypt_node_fn, - .name = "dpdk-esp-decrypt", +VLIB_REGISTER_NODE (dpdk_esp4_decrypt_node) = { + .function = dpdk_esp4_decrypt_node_fn, + .name = "dpdk4-esp-decrypt", .vector_size = sizeof (u32), .format_trace = format_esp_decrypt_trace, .type = VLIB_NODE_TYPE_INTERNAL, @@ -363,7 +404,7 @@ VLIB_REGISTER_NODE (dpdk_esp_decrypt_node) = { }; /* *INDENT-ON* */ -VLIB_NODE_FUNCTION_MULTIARCH (dpdk_esp_decrypt_node, dpdk_esp_decrypt_node_fn) +VLIB_NODE_FUNCTION_MULTIARCH (dpdk_esp4_decrypt_node, dpdk_esp4_decrypt_node_fn); /* * Decrypt Post Node @@ -385,7 +426,8 @@ static char * esp_decrypt_post_error_strings[] = { #undef _ }; -vlib_node_registration_t dpdk_esp_decrypt_post_node; +vlib_node_registration_t dpdk_esp4_decrypt_post_node; +vlib_node_registration_t dpdk_esp6_decrypt_post_node; static u8 * format_esp_decrypt_post_trace (u8 * s, va_list * args) { @@ -407,10 +449,11 @@ static u8 * format_esp_decrypt_post_trace (u8 * s, va_list * args) return s; } -static uword -dpdk_esp_decrypt_post_node_fn (vlib_main_t * vm, +always_inline uword +dpdk_esp_decrypt_post_inline (vlib_main_t * vm, vlib_node_runtime_t * node, - vlib_frame_t * from_frame) + vlib_frame_t * from_frame, + int is_ip6) { u32 n_left_from, *from, *to_next = 0, next_index; ipsec_sa_t * sa0; @@ -516,7 +559,12 @@ dpdk_esp_decrypt_post_node_fn (vlib_main_t * vm, else { clib_warning("next header: 0x%x", f0->next_header); - vlib_node_increment_counter (vm, dpdk_esp_decrypt_node.index, + if(is_ip6) + vlib_node_increment_counter (vm, dpdk_esp6_decrypt_node.index, + ESP_DECRYPT_ERROR_DECRYPTION_FAILED, + 1); + else + vlib_node_increment_counter (vm, dpdk_esp4_decrypt_node.index, ESP_DECRYPT_ERROR_DECRYPTION_FAILED, 1); goto trace; @@ -553,7 +601,12 @@ dpdk_esp_decrypt_post_node_fn (vlib_main_t * vm, else { clib_warning("next header: 0x%x", f0->next_header); - vlib_node_increment_counter (vm, dpdk_esp_decrypt_node.index, + if(is_ip6) + vlib_node_increment_counter (vm, dpdk_esp6_decrypt_node.index, + ESP_DECRYPT_ERROR_DECRYPTION_FAILED, + 1); + else + vlib_node_increment_counter (vm, dpdk_esp4_decrypt_node.index, ESP_DECRYPT_ERROR_DECRYPTION_FAILED, 1); goto trace; @@ -578,17 +631,56 @@ dpdk_esp_decrypt_post_node_fn (vlib_main_t * vm, vlib_put_next_frame (vm, node, next_index, n_left_to_next); } - vlib_node_increment_counter (vm, dpdk_esp_decrypt_post_node.index, + if(is_ip6) + vlib_node_increment_counter (vm, dpdk_esp6_decrypt_post_node.index, + ESP_DECRYPT_POST_ERROR_PKTS, + from_frame->n_vectors); + else + vlib_node_increment_counter (vm, dpdk_esp4_decrypt_post_node.index, ESP_DECRYPT_POST_ERROR_PKTS, from_frame->n_vectors); return from_frame->n_vectors; } +static uword +dpdk_esp4_decrypt_post_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * from_frame) +{return dpdk_esp_decrypt_post_inline(vm, node, from_frame, 0/*is_ip6*/);} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (dpdk_esp4_decrypt_post_node) = { + .function = dpdk_esp4_decrypt_post_node_fn, + .name = "dpdk4-esp-decrypt-post", + .vector_size = sizeof (u32), + .format_trace = format_esp_decrypt_post_trace, + .type = VLIB_NODE_TYPE_INTERNAL, + + .n_errors = ARRAY_LEN(esp_decrypt_post_error_strings), + .error_strings = esp_decrypt_post_error_strings, + + .n_next_nodes = ESP_DECRYPT_N_NEXT, + .next_nodes = { +#define _(s,n) [ESP_DECRYPT_NEXT_##s] = n, + foreach_esp_decrypt_next +#undef _ + }, +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (dpdk_esp4_decrypt_post_node, dpdk_esp4_decrypt_post_node_fn); + +static uword +dpdk_esp6_decrypt_post_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * from_frame) +{return dpdk_esp_decrypt_post_inline(vm, node, from_frame, 0/*is_ip6*/);} + /* *INDENT-OFF* */ -VLIB_REGISTER_NODE (dpdk_esp_decrypt_post_node) = { - .function = dpdk_esp_decrypt_post_node_fn, - .name = "dpdk-esp-decrypt-post", +VLIB_REGISTER_NODE (dpdk_esp6_decrypt_post_node) = { + .function = dpdk_esp6_decrypt_post_node_fn, + .name = "dpdk6-esp-decrypt-post", .vector_size = sizeof (u32), .format_trace = format_esp_decrypt_post_trace, .type = VLIB_NODE_TYPE_INTERNAL, @@ -605,4 +697,4 @@ VLIB_REGISTER_NODE (dpdk_esp_decrypt_post_node) = { }; /* *INDENT-ON* */ -VLIB_NODE_FUNCTION_MULTIARCH (dpdk_esp_decrypt_post_node, dpdk_esp_decrypt_post_node_fn) +VLIB_NODE_FUNCTION_MULTIARCH (dpdk_esp6_decrypt_post_node, dpdk_esp6_decrypt_post_node_fn); diff --git a/src/plugins/dpdk/ipsec/esp_encrypt.c b/src/plugins/dpdk/ipsec/esp_encrypt.c index 7947a8e9d02..6be8e97b7c5 100644 --- a/src/plugins/dpdk/ipsec/esp_encrypt.c +++ b/src/plugins/dpdk/ipsec/esp_encrypt.c @@ -63,7 +63,8 @@ static char *esp_encrypt_error_strings[] = { #undef _ }; -vlib_node_registration_t dpdk_esp_encrypt_node; +vlib_node_registration_t dpdk_esp4_encrypt_node; +vlib_node_registration_t dpdk_esp6_encrypt_node; typedef struct { @@ -105,10 +106,10 @@ format_esp_encrypt_trace (u8 * s, va_list * args) return s; } -static uword -dpdk_esp_encrypt_node_fn (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * from_frame) +always_inline uword +dpdk_esp_encrypt_inline (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * from_frame, int is_ip6) { u32 n_left_from, *from, *to_next, next_index; ipsec_main_t *im = &ipsec_main; @@ -131,8 +132,12 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, ret = crypto_alloc_ops (numa, ops, n_left_from); if (ret) { - vlib_node_increment_counter (vm, dpdk_esp_encrypt_node.index, - ESP_ENCRYPT_ERROR_DISCARD, 1); + if (is_ip6) + vlib_node_increment_counter (vm, dpdk_esp6_encrypt_node.index, + ESP_ENCRYPT_ERROR_DISCARD, 1); + else + vlib_node_increment_counter (vm, dpdk_esp4_encrypt_node.index, + ESP_ENCRYPT_ERROR_DISCARD, 1); /* Discard whole frame */ return n_left_from; } @@ -156,7 +161,7 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, ip4_and_udp_and_esp_header_t *ouh0 = 0; esp_header_t *esp0; esp_footer_t *f0; - u8 is_ipv6, next_hdr_type; + u8 next_hdr_type; u32 iv_size; u16 orig_sz; u8 trunc_size; @@ -212,9 +217,14 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, { clib_warning ("unsupported SA by thread index %u", thread_idx); - vlib_node_increment_counter (vm, - dpdk_esp_encrypt_node.index, - ESP_ENCRYPT_ERROR_NOSUP, 1); + if (is_ip6) + vlib_node_increment_counter (vm, + dpdk_esp6_encrypt_node.index, + ESP_ENCRYPT_ERROR_NOSUP, 1); + else + vlib_node_increment_counter (vm, + dpdk_esp4_encrypt_node.index, + ESP_ENCRYPT_ERROR_NOSUP, 1); to_next[0] = bi0; to_next += 1; n_left_to_next -= 1; @@ -226,9 +236,16 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, if (PREDICT_FALSE (error || !session)) { clib_warning ("failed to get crypto session"); - vlib_node_increment_counter (vm, - dpdk_esp_encrypt_node.index, - ESP_ENCRYPT_ERROR_SESSION, 1); + if (is_ip6) + vlib_node_increment_counter (vm, + dpdk_esp6_encrypt_node.index, + ESP_ENCRYPT_ERROR_SESSION, + 1); + else + vlib_node_increment_counter (vm, + dpdk_esp4_encrypt_node.index, + ESP_ENCRYPT_ERROR_SESSION, + 1); to_next[0] = bi0; to_next += 1; n_left_to_next -= 1; @@ -242,8 +259,14 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, { clib_warning ("sequence number counter has cycled SPI %u", sa0->spi); - vlib_node_increment_counter (vm, dpdk_esp_encrypt_node.index, - ESP_ENCRYPT_ERROR_SEQ_CYCLED, 1); + if (is_ip6) + vlib_node_increment_counter (vm, + dpdk_esp6_encrypt_node.index, + ESP_ENCRYPT_ERROR_SEQ_CYCLED, 1); + else + vlib_node_increment_counter (vm, + dpdk_esp4_encrypt_node.index, + ESP_ENCRYPT_ERROR_SEQ_CYCLED, 1); //TODO: rekey SA to_next[0] = bi0; to_next += 1; @@ -264,19 +287,17 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, crypto_set_icb (icb, sa0->salt, sa0->seq, sa0->seq_hi); - is_ipv6 = (ih0->ip4.ip_version_and_header_length & 0xF0) == 0x60; - iv_size = cipher_alg->iv_len; trunc_size = auth_alg->trunc_size; /* if UDP encapsulation is used adjust the address of the IP header */ - if (sa0->udp_encap && !is_ipv6) + if (sa0->udp_encap && !is_ip6) udp_encap_adv = sizeof (udp_header_t); if (sa0->is_tunnel) { rewrite_len = 0; - if (!is_ipv6 && !sa0->is_tunnel_ip6) /* ip4inip4 */ + if (!is_ip6 && !sa0->is_tunnel_ip6) /* ip4inip4 */ { /* in tunnel mode send it back to FIB */ priv->next = DPDK_CRYPTO_INPUT_NEXT_IP4_LOOKUP; @@ -316,7 +337,7 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, esp0->spi = clib_host_to_net_u32 (sa0->spi); esp0->seq = clib_host_to_net_u32 (sa0->seq); } - else if (is_ipv6 && sa0->is_tunnel_ip6) /* ip6inip6 */ + else if (is_ip6 && sa0->is_tunnel_ip6) /* ip6inip6 */ { /* in tunnel mode send it back to FIB */ priv->next = DPDK_CRYPTO_INPUT_NEXT_IP6_LOOKUP; @@ -348,9 +369,14 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, } else /* unsupported ip4inip6, ip6inip4 */ { - vlib_node_increment_counter (vm, - dpdk_esp_encrypt_node.index, - ESP_ENCRYPT_ERROR_NOSUP, 1); + if (is_ip6) + vlib_node_increment_counter (vm, + dpdk_esp6_encrypt_node.index, + ESP_ENCRYPT_ERROR_NOSUP, 1); + else + vlib_node_increment_counter (vm, + dpdk_esp4_encrypt_node.index, + ESP_ENCRYPT_ERROR_NOSUP, 1); to_next[0] = bi0; to_next += 1; n_left_to_next -= 1; @@ -368,7 +394,7 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, u8 *dst = vlib_buffer_get_current (b0); oh0 = vlib_buffer_get_current (b0) + rewrite_len; - if (is_ipv6) + if (is_ip6) { orig_sz -= sizeof (ip6_header_t); ih6_0 = (ip6_and_esp_header_t *) ih0; @@ -424,7 +450,7 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, f0->pad_length = pad_bytes; f0->next_header = next_hdr_type; - if (is_ipv6) + if (is_ip6) { u16 len = b0->current_length - sizeof (ip6_header_t); oh6_0->ip6.payload_length = @@ -517,22 +543,70 @@ dpdk_esp_encrypt_node_fn (vlib_main_t * vm, } vlib_put_next_frame (vm, node, next_index, n_left_to_next); } - vlib_node_increment_counter (vm, dpdk_esp_encrypt_node.index, - ESP_ENCRYPT_ERROR_RX_PKTS, - from_frame->n_vectors); + if (is_ip6) + { + vlib_node_increment_counter (vm, dpdk_esp6_encrypt_node.index, + ESP_ENCRYPT_ERROR_RX_PKTS, + from_frame->n_vectors); + + crypto_enqueue_ops (vm, cwm, 1, dpdk_esp6_encrypt_node.index, + ESP_ENCRYPT_ERROR_ENQ_FAIL, numa); + } + else + { + vlib_node_increment_counter (vm, dpdk_esp4_encrypt_node.index, + ESP_ENCRYPT_ERROR_RX_PKTS, + from_frame->n_vectors); - crypto_enqueue_ops (vm, cwm, 1, dpdk_esp_encrypt_node.index, - ESP_ENCRYPT_ERROR_ENQ_FAIL, numa); + crypto_enqueue_ops (vm, cwm, 1, dpdk_esp4_encrypt_node.index, + ESP_ENCRYPT_ERROR_ENQ_FAIL, numa); + } crypto_free_ops (numa, ops, cwm->ops + from_frame->n_vectors - ops); return from_frame->n_vectors; } +static uword +dpdk_esp4_encrypt_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * from_frame) +{ + return dpdk_esp_encrypt_inline (vm, node, from_frame, 0 /*is_ip6 */ ); +} + +/* *INDENT-OFF* */ +VLIB_REGISTER_NODE (dpdk_esp4_encrypt_node) = { + .function = dpdk_esp4_encrypt_node_fn, + .name = "dpdk4-esp-encrypt", + .flags = VLIB_NODE_FLAG_IS_OUTPUT, + .vector_size = sizeof (u32), + .format_trace = format_esp_encrypt_trace, + .n_errors = ARRAY_LEN (esp_encrypt_error_strings), + .error_strings = esp_encrypt_error_strings, + .n_next_nodes = 1, + .next_nodes = + { + [ESP_ENCRYPT_NEXT_DROP] = "error-drop", + } +}; +/* *INDENT-ON* */ + +VLIB_NODE_FUNCTION_MULTIARCH (dpdk_esp4_encrypt_node, + dpdk_esp4_encrypt_node_fn); + +static uword +dpdk_esp6_encrypt_node_fn (vlib_main_t * vm, + vlib_node_runtime_t * node, + vlib_frame_t * from_frame) +{ + return dpdk_esp_encrypt_inline (vm, node, from_frame, 1 /*is_ip6 */ ); +} + /* *INDENT-OFF* */ -VLIB_REGISTER_NODE (dpdk_esp_encrypt_node) = { - .function = dpdk_esp_encrypt_node_fn, - .name = "dpdk-esp-encrypt", +VLIB_REGISTER_NODE (dpdk_esp6_encrypt_node) = { + .function = dpdk_esp6_encrypt_node_fn, + .name = "dpdk6-esp-encrypt", .flags = VLIB_NODE_FLAG_IS_OUTPUT, .vector_size = sizeof (u32), .format_trace = format_esp_encrypt_trace, @@ -546,7 +620,8 @@ VLIB_REGISTER_NODE (dpdk_esp_encrypt_node) = { }; /* *INDENT-ON* */ -VLIB_NODE_FUNCTION_MULTIARCH (dpdk_esp_encrypt_node, dpdk_esp_encrypt_node_fn) +VLIB_NODE_FUNCTION_MULTIARCH (dpdk_esp6_encrypt_node, + dpdk_esp6_encrypt_node_fn); /* * fd.io coding-style-patch-verification: ON * diff --git a/src/plugins/dpdk/ipsec/ipsec.c b/src/plugins/dpdk/ipsec/ipsec.c index a7f501f9d9d..1bd46d55b8e 100644 --- a/src/plugins/dpdk/ipsec/ipsec.c +++ b/src/plugins/dpdk/ipsec/ipsec.c @@ -1051,20 +1051,36 @@ dpdk_ipsec_process (vlib_main_t * vm, vlib_node_runtime_t * rt, /* Add new next node and set it as default */ vlib_node_t *node, *next_node; - next_node = vlib_get_node_by_name (vm, (u8 *) "dpdk-esp-encrypt"); + next_node = vlib_get_node_by_name (vm, (u8 *) "dpdk-esp4-encrypt"); ASSERT (next_node); - node = vlib_get_node_by_name (vm, (u8 *) "ipsec-output-ip4"); + node = vlib_get_node_by_name (vm, (u8 *) "ipsec4-output"); ASSERT (node); - im->esp_encrypt_node_index = next_node->index; - im->esp_encrypt_next_index = + im->esp4_encrypt_node_index = next_node->index; + im->esp4_encrypt_next_index = vlib_node_add_next (vm, node->index, next_node->index); - next_node = vlib_get_node_by_name (vm, (u8 *) "dpdk-esp-decrypt"); + next_node = vlib_get_node_by_name (vm, (u8 *) "dpdk-esp4-decrypt"); ASSERT (next_node); - node = vlib_get_node_by_name (vm, (u8 *) "ipsec-input-ip4"); + node = vlib_get_node_by_name (vm, (u8 *) "ipsec4-input"); ASSERT (node); - im->esp_decrypt_node_index = next_node->index; - im->esp_decrypt_next_index = + im->esp4_decrypt_node_index = next_node->index; + im->esp4_decrypt_next_index = + vlib_node_add_next (vm, node->index, next_node->index); + + next_node = vlib_get_node_by_name (vm, (u8 *) "dpdk-esp6-encrypt"); + ASSERT (next_node); + node = vlib_get_node_by_name (vm, (u8 *) "ipsec6-output"); + ASSERT (node); + im->esp6_encrypt_node_index = next_node->index; + im->esp6_encrypt_next_index = + vlib_node_add_next (vm, node->index, next_node->index); + + next_node = vlib_get_node_by_name (vm, (u8 *) "dpdk-esp6-decrypt"); + ASSERT (next_node); + node = vlib_get_node_by_name (vm, (u8 *) "ipsec6-input"); + ASSERT (node); + im->esp6_decrypt_node_index = next_node->index; + im->esp6_decrypt_next_index = vlib_node_add_next (vm, node->index, next_node->index); im->cb.check_support_cb = dpdk_ipsec_check_support; |