author | Neale Ranns <nranns@cisco.com> | 2019-12-20 00:54:57 +0000 |
---|---|---|
committer | Neale Ranns <nranns@cisco.com> | 2020-01-04 04:50:47 +0000 |
commit | 02950406c49a743f631395ed52073921744e1afd (patch) | |
tree | 2891403e2fe8cc879f43d4e46e314a2f412763cb /src/vnet/ipsec/ipsec_tun.c | |
parent | 2f04cb9f142abef82cd379432cecdafef9e776db (diff) |
ipsec: Targeted unit testing
Type: fix
1 - big packets; chained buffers and those without enough space to add
ESP header
2 - IPv6 extension headers in packets that are encrypted/decrypted
3 - Interface protection with SAs that have null algorithms
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: Ie330861fb06a9b248d9dcd5c730e21326ac8e973
Diffstat (limited to 'src/vnet/ipsec/ipsec_tun.c')
-rw-r--r-- | src/vnet/ipsec/ipsec_tun.c | 70 |
1 files changed, 51 insertions, 19 deletions
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index ca0091b3545..f6b09d65f2c 100644
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -35,35 +35,61 @@ typedef struct ipsec_protect_db_t_ static ipsec_protect_db_t ipsec_protect_db; -static int +static void ipsec_tun_protect_feature_set (ipsec_tun_protect_t * itp, u8 enable) { - u32 sai = itp->itp_out_sa; - int rv; + u32 sai; - const char *enc_node = (ip46_address_is_ip4 (&itp->itp_tun.src) ? - "esp4-encrypt-tun" : "esp6-encrypt-tun"); + sai = itp->itp_out_sa; if (itp->itp_flags & IPSEC_PROTECT_L2) { - rv = vnet_feature_enable_disable ("ethernet-output", - enc_node, - itp->itp_sw_if_index, enable, - &sai, sizeof (sai)); + /* l2-GRE only supported by the vnet ipsec code */ + vnet_feature_enable_disable ("ethernet-output", + (ip46_address_is_ip4 (&itp->itp_tun.src) ? + "esp4-encrypt-tun" : + "esp6-encrypt-tun"), + itp->itp_sw_if_index, enable, + &sai, sizeof (sai)); } else { - rv = vnet_feature_enable_disable ("ip4-output", - enc_node, - itp->itp_sw_if_index, enable, - &sai, sizeof (sai)); - rv = vnet_feature_enable_disable ("ip6-output", - enc_node, - itp->itp_sw_if_index, enable, - &sai, sizeof (sai)); + ipsec_main_t *im; + ipsec_sa_t *sa; + u32 fi4, fi6; + + im = &ipsec_main; + sa = ipsec_sa_get (sai); + + if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE && + sa->integ_alg == IPSEC_INTEG_ALG_NONE) + { + fi4 = im->esp4_no_crypto_tun_feature_index; + fi6 = im->esp6_no_crypto_tun_feature_index; + } + else + { + if (ip46_address_is_ip4 (&itp->itp_tun.src)) + { + /* tunnel destination is v4 so we need the Xo4 indexes */ + fi4 = im->esp44_encrypt_tun_feature_index; + fi6 = im->esp64_encrypt_tun_feature_index; + } + else + { + /* tunnel destination is v6 so we need the Xo6 indexes */ + fi4 = im->esp46_encrypt_tun_feature_index; + fi6 = im->esp66_encrypt_tun_feature_index; + } + } + + vnet_feature_enable_disable_with_index + (vnet_get_feature_arc_index ("ip4-output"), + fi4, itp->itp_sw_if_index, enable, &sai, sizeof (sai)); + vnet_feature_enable_disable_with_index + (vnet_get_feature_arc_index ("ip6-output"), + fi6, itp->itp_sw_if_index, enable, &sai, 
sizeof (sai)); } - ASSERT (!rv); - return (rv); } static void @@ -505,6 +531,12 @@ ipsec_tunnel_protect_init (vlib_main_t * vm) sizeof (u64)); im->tun4_protect_by_key = hash_create (0, sizeof (u64)); + /* set up feature nodes to drop outbound packets with no crypto alg set */ + ipsec_add_feature ("ip4-output", "esp4-no-crypto", + &im->esp4_no_crypto_tun_feature_index); + ipsec_add_feature ("ip6-output", "esp6-no-crypto", + &im->esp6_no_crypto_tun_feature_index); + return 0; } |
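Review bot: The `vnet_feature_enable_disable` call in the L2 branch and both `vnet_feature_enable_disable_with_index` calls in the else branch now discard their return value, and with the switch to `static void` the old `ASSERT (!rv)` is gone, so a failed enable of the output-arc feature is silent. If that enable fails, the tunnel interface would presumably keep forwarding without the ESP encrypt (or no-crypto drop) node attached, which is a fail-open outcome that deserves at least an assert per call, e.g. `int rv = vnet_feature_enable_disable_with_index (vnet_get_feature_arc_index ("ip4-output"), fi4, itp->itp_sw_if_index, enable, &sai, sizeof (sai));` followed by `ASSERT (0 == rv);` (the removed code only checked the last call's `rv`, so checking each is a small improvement). The drop-vs-encrypt choice is also read from the current out-SA's `crypto_alg`/`integ_alg` at the moment this function runs, so a comment above that test would help the next maintainer: `/* feature choice is bound from the out-SA at set time; re-run on SA update */`.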