diff options
author | Neale Ranns <nranns@cisco.com> | 2019-02-06 01:41:05 -0800 |
---|---|---|
committer | Florin Coras <florin.coras@gmail.com> | 2019-02-07 19:13:32 +0000 |
commit | 8d7c502002636da1cb7c71a87757f328e7c2c4fd (patch) | |
tree | 1005d63dcb3a24f7bb2ad2d3224bfcb062909666 /src/vnet/ipsec/ah_encrypt.c | |
parent | 3d0ef26a0285b9baa486c91b2e6609125a2bc651 (diff) |
IPSEC: no second lookup after tunnel encap
in the same maaner as with other tunnel tyeps we use
the FIB to cache and track the destination used to reach
the tunnel endpoint. Post encap we can then ship the packet
straight to this adjacency and thus elide the costly second
lookup.
- SA add and del function so they can be used both directly
from the API and for tunnels.
- API change for the SA dump to use the SA type
- ipsec_key_t type for convenience (copying, [un]formating)
- no matching tunnel counters in ipsec-if-input
Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vnet/ipsec/ah_encrypt.c')
-rw-r--r-- | src/vnet/ipsec/ah_encrypt.c | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/src/vnet/ipsec/ah_encrypt.c b/src/vnet/ipsec/ah_encrypt.c index 8b0c14f0cf3..66286094682 100644 --- a/src/vnet/ipsec/ah_encrypt.c +++ b/src/vnet/ipsec/ah_encrypt.c @@ -59,6 +59,7 @@ static char *ah_encrypt_error_strings[] = { typedef struct { + u32 sa_index; u32 spi; u32 seq; ipsec_integ_alg_t integ_alg; @@ -72,8 +73,9 @@ format_ah_encrypt_trace (u8 * s, va_list * args) CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); ah_encrypt_trace_t *t = va_arg (*args, ah_encrypt_trace_t *); - s = format (s, "ah: spi %u seq %u integrity %U", - t->spi, t->seq, format_ipsec_integ_alg, t->integ_alg); + s = format (s, "ah: sa-index %d spi %u seq %u integrity %U", + t->sa_index, t->spi, t->seq, + format_ipsec_integ_alg, t->integ_alg); return s; } @@ -237,8 +239,9 @@ ah_encrypt_inline (vlib_main_t * vm, oh0->ip4.src_address.as_u32 = sa0->tunnel_src_addr.ip4.as_u32; oh0->ip4.dst_address.as_u32 = sa0->tunnel_dst_addr.ip4.as_u32; - next0 = AH_ENCRYPT_NEXT_IP4_LOOKUP; - vnet_buffer (i_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + next0 = sa0->dpo[IPSEC_PROTOCOL_AH].dpoi_next_node; + vnet_buffer (i_b0)->ip.adj_index[VLIB_TX] = + sa0->dpo[IPSEC_PROTOCOL_AH].dpoi_index; } else if (is_ip6 && sa0->is_tunnel && sa0->is_tunnel_ip6) { @@ -251,8 +254,9 @@ ah_encrypt_inline (vlib_main_t * vm, oh6_0->ip6.dst_address.as_u64[1] = sa0->tunnel_dst_addr.ip6.as_u64[1]; - next0 = AH_ENCRYPT_NEXT_IP6_LOOKUP; - vnet_buffer (i_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; + next0 = sa0->dpo[IPSEC_PROTOCOL_AH].dpoi_next_node; + vnet_buffer (i_b0)->ip.adj_index[VLIB_TX] = + sa0->dpo[IPSEC_PROTOCOL_AH].dpoi_index; } u8 sig[64]; @@ -262,8 +266,8 @@ ah_encrypt_inline (vlib_main_t * vm, sizeof (ah_header_t); clib_memset (digest, 0, icv_size); - unsigned size = hmac_calc (sa0->integ_alg, sa0->integ_key, - sa0->integ_key_len, + unsigned size = hmac_calc (sa0->integ_alg, sa0->integ_key.data, + sa0->integ_key.len, vlib_buffer_get_current (i_b0), i_b0->current_length, sig, sa0->use_esn, sa0->seq_hi); @@ -297,6 +301,7 @@ ah_encrypt_inline (vlib_main_t * vm, tr->spi = sa0->spi; tr->seq = sa0->seq - 1; tr->integ_alg = sa0->integ_alg; + tr->sa_index = sa_index0; } vlib_validate_buffer_enqueue_x1 (vm, node, next_index, |