aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec_cli.c
diff options
context:
space:
mode:
authorPierre Pfister <ppfister@cisco.com>2018-12-10 11:19:08 +0100
committerNeale Ranns <nranns@cisco.com>2018-12-11 12:42:09 +0000
commit4c422f9a3c9d5a4ecae3f4ef6bee16bb8ce35bb2 (patch)
tree4e144869c29d93d2df240058a4b871f60c96b654 /src/vnet/ipsec/ipsec_cli.c
parent240f69aed757720cfb78a140aaa84eb31db198f4 (diff)
Add IPSec interface FIB index for TX packet
This patch adds a configuration parameter to IPSec tunnels, enabling custom FIB selection for encapsulated packets. Although this option could also be used for policy-based IPSec, this change only enables it for virtual-tunnel-interface mode. Note that this patch does change the API default behavior regarding TX fib selection for encapsulated packets. Previous behavior was to use the same FIB after and before encap. The new default behavior consists in using the FIB 0 as default. Change-Id: I5c212af909940a8cf6c7e3971bdc7623a2296452 Signed-off-by: Pierre Pfister <ppfister@cisco.com>
Diffstat (limited to 'src/vnet/ipsec/ipsec_cli.c')
-rw-r--r--src/vnet/ipsec/ipsec_cli.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index f96551429af..f0717e91dd1 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -19,6 +19,7 @@
#include <vnet/api_errno.h>
#include <vnet/ip/ip.h>
#include <vnet/interface.h>
+#include <vnet/fib/fib.h>
#include <vnet/ipsec/ipsec.h>
@@ -80,6 +81,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
clib_error_t *error = NULL;
clib_memset (&sa, 0, sizeof (sa));
+ sa.tx_fib_index = ~((u32) 0); /* Only supported for ipsec interfaces */
if (!unformat_user (input, unformat_line_input, line_input))
return 0;
@@ -458,6 +460,7 @@ show_ipsec_command_fn (vlib_main_t * vm,
vnet_hw_interface_t *hi;
u8 *protocol = NULL;
u8 *policy = NULL;
+ u32 tx_table_id;
/* *INDENT-OFF* */
pool_foreach (sa, im->sad, ({
@@ -670,8 +673,11 @@ show_ipsec_command_fn (vlib_main_t * vm,
hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index);
vlib_cli_output(vm, " %s seq", hi->name);
sa = pool_elt_at_index(im->sad, t->output_sa_index);
- vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u udp-encap %u",
- sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay, sa->udp_encap);
+
+ tx_table_id = fib_table_get_table_id(sa->tx_fib_index, FIB_PROTOCOL_IP4);
+
+ vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u udp-encap %u tx-table %u",
+ sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay, sa->udp_encap, tx_table_id);
vlib_cli_output(vm, " local-spi %u local-ip %U", sa->spi,
format_ip4_address, &sa->tunnel_src_addr.ip4);
vlib_cli_output(vm, " local-crypto %U %U",
@@ -910,6 +916,8 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm,
a.is_add = 0;
else if (unformat (line_input, "udp-encap"))
a.udp_encap = 1;
+ else if (unformat (line_input, "tx-table %u", &a.tx_table_id))
+ ;
else
{
error = clib_error_return (0, "unknown input `%U'",
@@ -952,7 +960,9 @@ done:
/* *INDENT-OFF* */
VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
.path = "create ipsec tunnel",
- .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap]",
+ .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> "
+ "remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap] "
+ "[tx-table <table-id>]",
.function = create_ipsec_tunnel_command_fn,
};
/* *INDENT-ON* */