summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec_api.c
diff options
context:
space:
mode:
authorPiotr Bronowski <piotrx.bronowski@intel.com>2022-06-09 09:09:28 +0000
committerFan Zhang <roy.fan.zhang@intel.com>2022-06-28 14:53:07 +0000
commit815c6a4fbcbb636ce3b4dc98446ad205a30670a6 (patch)
tree36e3b6aec51cdd5603dce1c9dd701da869c11c39 /src/vnet/ipsec/ipsec_api.c
parent5b4b4c05ff06b866b90b0df9b2be2ed28e606f16 (diff)
ipsec: change wildcard value for any protocol of spd policy
Currently 0 has been used as the wildcard representing ANY type of protocol. However 0 is valid value of ip protocol (HOPOPT) and therefore it should not be used as a wildcard. Instead 255 is used which is guaranteed by IANA to be reserved and not used as a protocol id. Type: improvement Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: I2320bae6fe380cb999dc5a9187beb68fda2d31eb
Diffstat (limited to 'src/vnet/ipsec/ipsec_api.c')
-rw-r--r--src/vnet/ipsec/ipsec_api.c62
1 files changed, 61 insertions, 1 deletions
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 72231f656ff..15f7bfafad3 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -233,7 +233,8 @@ static void vl_api_ipsec_spd_entry_add_del_t_handler
p.is_ipv6 = (itype == IP46_TYPE_IP6);
- p.protocol = mp->entry.protocol;
+ p.protocol =
+ mp->entry.protocol ? mp->entry.protocol : IPSEC_POLICY_PROTOCOL_ANY;
p.rport.start = ntohs (mp->entry.remote_port_start);
p.rport.stop = ntohs (mp->entry.remote_port_stop);
p.lport.start = ntohs (mp->entry.local_port_start);
@@ -271,6 +272,65 @@ out:
/* *INDENT-ON* */
}
+static void
+vl_api_ipsec_spd_entry_add_del_v2_t_handler (
+ vl_api_ipsec_spd_entry_add_del_v2_t *mp)
+{
+ vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
+ vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
+ ip46_type_t itype;
+ u32 stat_index;
+ int rv;
+
+ stat_index = ~0;
+
+ ipsec_policy_t p;
+
+ clib_memset (&p, 0, sizeof (p));
+
+ p.id = ntohl (mp->entry.spd_id);
+ p.priority = ntohl (mp->entry.priority);
+
+ itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start);
+ ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop);
+ ip_address_decode (&mp->entry.local_address_start, &p.laddr.start);
+ ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop);
+
+ p.is_ipv6 = (itype == IP46_TYPE_IP6);
+
+ p.protocol = mp->entry.protocol;
+ p.rport.start = ntohs (mp->entry.remote_port_start);
+ p.rport.stop = ntohs (mp->entry.remote_port_stop);
+ p.lport.start = ntohs (mp->entry.local_port_start);
+ p.lport.stop = ntohs (mp->entry.local_port_stop);
+
+ rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
+
+ if (rv)
+ goto out;
+
+ /* policy action resolve unsupported */
+ if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
+ {
+ clib_warning ("unsupported action: 'resolve'");
+ rv = VNET_API_ERROR_UNIMPLEMENTED;
+ goto out;
+ }
+ p.sa_id = ntohl (mp->entry.sa_id);
+ rv =
+ ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy, &p.type);
+ if (rv)
+ goto out;
+
+ rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index);
+ if (rv)
+ goto out;
+
+out:
+ REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_REPLY,
+ ({ rmp->stat_index = ntohl (stat_index); }));
+}
+
static void vl_api_ipsec_sad_entry_add_del_t_handler
(vl_api_ipsec_sad_entry_add_del_t * mp)
{