author | Brian Russell <brian@graphiant.com> | 2021-02-22 18:42:24 +0000 |
---|---|---|
committer | Neale Ranns <neale@graphiant.com> | 2021-02-25 09:13:28 +0000 |
commit | 7a29a2d400bbc3740a6a98863f290aa654d5f724 (patch) | |
tree | 11df1d06c2ce717c741da0b3bb88ca4e0f9d5c11 /src/vnet/ipsec/ipsec_tun.c | |
parent | 0eaf4e6784efb2d058fe2f031578251b6bcc0aa8 (diff) |
ipsec: enable input features on tunnels
Make the ipsec[46]-tun-input nodes siblings of device-input so that
input features can be enabled on them. Register ipsec-tun for feature
updates. When a feature is enabled on the device-input arc and the
ifindex is an IPSec tunnel, change the end node of the arc for that
ifindex to be the appropriate ESP decrypt node. Set a flag on the
tunnel to indicate that the feature arc should be started for packets
input on the tunnel.
Test input policing on ESP IPSec tunnels.
Type: improvement
Signed-off-by: Brian Russell <brian@graphiant.com>
Change-Id: I3b9f047e5e737f3ea4c58fc82cd3c15700b6f9f7
Diffstat (limited to 'src/vnet/ipsec/ipsec_tun.c')
-rw-r--r-- | src/vnet/ipsec/ipsec_tun.c | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index 74340256f38..0b6ec0ea33e 100644
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -779,6 +779,49 @@ ipsec_tun_protect_walk_itf (u32 sw_if_index,
 }
 
 static void
+ipsec_tun_feature_update (u32 sw_if_index, u8 arc_index, u8 is_enable,
+			  void *data)
+{
+  ipsec_tun_protect_t *itp;
+  index_t itpi;
+
+  if (arc_index != feature_main.device_input_feature_arc_index)
+    return;
+
+  /* Only p2p tunnels supported */
+  itpi = ipsec_tun_protect_find (sw_if_index, &IP_ADDR_ALL_0);
+  if (itpi == INDEX_INVALID)
+    return;
+
+  itp = ipsec_tun_protect_get (itpi);
+
+  if (is_enable)
+    {
+      u32 decrypt_tun = ip46_address_is_ip4 (&itp->itp_crypto.dst) ?
+			  ipsec_main.esp4_decrypt_tun_node_index :
+			  ipsec_main.esp6_decrypt_tun_node_index;
+
+      vnet_feature_modify_end_node (
+	feature_main.device_input_feature_arc_index, sw_if_index, decrypt_tun);
+      itp->itp_flags |= IPSEC_PROTECT_FEAT;
+    }
+  else
+    {
+      u32 eth_in =
+	vlib_get_node_by_name (vlib_get_main (), (u8 *) "ethernet-input")
+	  ->index;
+
+      vnet_feature_modify_end_node (
+	feature_main.device_input_feature_arc_index, sw_if_index, eth_in);
+      itp->itp_flags &= ~IPSEC_PROTECT_FEAT;
+    }
+
+  /* Propagate flag change into lookup entries */
+  ipsec_tun_protect_rx_db_remove (&ipsec_main, itp);
+  ipsec_tun_protect_rx_db_add (&ipsec_main, itp);
+}
+
+static void
 ipsec_tun_protect_adj_delegate_adj_deleted (adj_delegate_t * ad)
 {
   /* remove our delegate */
@@ -929,6 +972,8 @@ ipsec_tunnel_protect_init (vlib_main_t *vm)
 
   teib_register (&ipsec_tun_teib_vft);
 
+  vnet_feature_register (ipsec_tun_feature_update, NULL);
+
   return 0;
 }
 |
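Review bot: The disable branch of ipsec_tun_feature_update unconditionally resets the arc's end node to "ethernet-input" and clears IPSEC_PROTECT_FEAT, so if the registered callback fires on every feature toggle rather than only on the arc's first-enable/last-disable transition for that sw_if_index, disabling one of several enabled input features would switch decryption off for the tunnel while other features are still attached; this cannot be confirmed from the hunk and should be checked against vnet_feature_enable_disable's call pattern. The enable path also silently does nothing for non-p2p tunnels, since ipsec_tun_protect_find is called with IP_ADDR_ALL_0 and INDEX_INVALID returns early; the comment `/* Only p2p tunnels supported */` should say what the caller observes, e.g. `/* Only p2p tunnels supported; the feature is accepted by vnet but has no effect on p2mp tunnels */`. The remove/add pair on the rx database is what re-publishes itp_flags to the data plane, so a one-line comment noting that the lookup entries carry a copy of the flags would help the next reader understand why the entries are rebuilt rather than updated in place. The function is complete within the hunk; the second hunk only registers it.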