author | Neale Ranns <nranns@cisco.com> | 2020-05-12 13:33:56 +0000 |
---|---|---|
committer | Andrew Yourtchenko <ayourtch@gmail.com> | 2020-05-13 11:15:57 +0000 |
commit | b1fd80f0999e4dbbebdbc2471aeab2cad418ca4d (patch) | |
tree | 9d717e9982e829bfe6a0322be78df41edc5223e1 /src/vnet/ipsec/ipsec_cli.c | |
parent | 103d355db504527cc6fa1d563ce6976b8490d22c (diff) |
ipsec: Support 4o6 and 6o4 for SPD tunnel mode SAs
Type: feature
The esp4-encrypt and esp6-encrypt nodes need to be siblings so that they both have the same edges for the DPO on which the tunnel mode SA stacks.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I2126589135a1df6c95ee14503dfde9ff406df60a
Diffstat (limited to 'src/vnet/ipsec/ipsec_cli.c')
-rw-r--r-- | src/vnet/ipsec/ipsec_cli.c | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 695e5f01c74..4d452d53d22 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -234,13 +234,13 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm,
 unformat_input_t _line_input, *line_input = &_line_input;
 ipsec_policy_t p;
 int rv, is_add = 0;
- u32 tmp, tmp2, stat_index;
+ u32 tmp, tmp2, stat_index, local_range_set, remote_range_set;
 clib_error_t *error = NULL;
 u32 is_outbound;
 clib_memset (&p, 0, sizeof (p));
 p.lport.stop = p.rport.stop = ~0;
- is_outbound = 0;
+ remote_range_set = local_range_set = is_outbound = 0;
 if (!unformat_user (input, unformat_line_input, line_input))
 return 0;
@@ -251,6 +251,8 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm,
 is_add = 1;
 else if (unformat (line_input, "del"))
 is_add = 0;
+ else if (unformat (line_input, "ip6"))
+ p.is_ipv6 = 1;
 else if (unformat (line_input, "spd %u", &p.id))
 ;
 else if (unformat (line_input, "inbound"))
@@ -277,22 +279,24 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm,
 else if (unformat (line_input, "local-ip-range %U - %U", unformat_ip4_address, &p.laddr.start.ip4, unformat_ip4_address, &p.laddr.stop.ip4))
- ;
+ local_range_set = 1;
 else if (unformat (line_input, "remote-ip-range %U - %U", unformat_ip4_address, &p.raddr.start.ip4, unformat_ip4_address, &p.raddr.stop.ip4))
- ;
+ remote_range_set = 1;
 else if (unformat (line_input, "local-ip-range %U - %U", unformat_ip6_address, &p.laddr.start.ip6, unformat_ip6_address, &p.laddr.stop.ip6))
 {
 p.is_ipv6 = 1;
+ local_range_set = 1;
 }
 else if (unformat (line_input, "remote-ip-range %U - %U", unformat_ip6_address, &p.raddr.start.ip6, unformat_ip6_address, &p.raddr.stop.ip6))
 {
 p.is_ipv6 = 1;
+ remote_range_set = 1;
 }
 else if (unformat (line_input, "local-port-range %u - %u", &tmp, &tmp2))
 {
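Review bot: The new `ip6` keyword in the second hunk sets `p.is_ipv6` independently of the address family of any range on the same line, and nothing visible in these hunks rejects a mismatch. If `ip6` is combined with an IPv4 `local-ip-range` or `remote-ip-range` (third hunk), the IPv4 form parses, `local_range_set`/`remote_range_set` is set, and the policy is built as IPv6 with only the `.ip4` members written; how the SPD matcher then interprets those bounds depends on the address union layout, which is not shown here. Because this line defines what traffic a security policy selects, consider tracking the family each range was parsed with and failing with something like `error = clib_error_return (0, "address family of range does not match policy");` when it disagrees with `p.is_ipv6`. The function body starts and ends outside these hunks, so such a check may already exist further down.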
@@ -313,6 +317,21 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm,
 }
 }
+ if (!remote_range_set)
+ {
+ if (p.is_ipv6)
+ clib_memset (&p.raddr.stop.ip6, 0xff, 16);
+ else
+ clib_memset (&p.raddr.stop.ip4, 0xff, 4);
+ }
+ if (!local_range_set)
+ {
+ if (p.is_ipv6)
+ clib_memset (&p.laddr.stop.ip6, 0xff, 16);
+ else
+ clib_memset (&p.laddr.stop.ip4, 0xff, 4);
+ }
+
 rv = ipsec_policy_mk_type (is_outbound, p.is_ipv6, p.policy, &p.type);
 if (rv) |
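Review bot: When `local-ip-range` or `remote-ip-range` is omitted, this block leaves the start address at zero (from the earlier `clib_memset (&p, 0, sizeof (p))`) and fills the stop address with `0xff`, so the policy silently selects every address on that side. For an SPD entry that is a security-relevant default and it is undocumented; a comment above the block such as `/* no range given: default to the whole address space of the policy's family */` and a matching line in the CLI help would make the behaviour explicit to operators. The literal lengths `16` and `4` would be safer written as `sizeof (p.raddr.stop.ip6)` and `sizeof (p.raddr.stop.ip4)` (likewise for `laddr`) so they cannot drift from the field types. The enclosing function starts and ends outside the hunk.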