author | Brian Russell <brian@graphiant.com> | 2021-02-22 18:42:24 +0000 |
---|---|---|
committer | Neale Ranns <neale@graphiant.com> | 2021-02-25 09:13:28 +0000 |
commit | 7a29a2d400bbc3740a6a98863f290aa654d5f724 (patch) | |
tree | 11df1d06c2ce717c741da0b3bb88ca4e0f9d5c11 /src/vnet/ipsec/ipsec_tun_in.c | |
parent | 0eaf4e6784efb2d058fe2f031578251b6bcc0aa8 (diff) |
ipsec: enable input features on tunnels
Make the ipsec[46]-tun-input nodes siblings of device-input so that
input features can be enabled on them. Register ipsec-tun for feature
updates. When a feature is enabled on the device-input arc and the
ifindex is an IPSec tunnel, change the end node of the arc for that
ifindex to be the appropriate ESP decrypt node. Set a flag on the
tunnel to indicate that the feature arc should be started for packets
input on the tunnel.
Test input policing on ESP IPSec tunnels.
Type: improvement
Signed-off-by: Brian Russell <brian@graphiant.com>
Change-Id: I3b9f047e5e737f3ea4c58fc82cd3c15700b6f9f7
Diffstat (limited to 'src/vnet/ipsec/ipsec_tun_in.c')
-rw-r--r-- | src/vnet/ipsec/ipsec_tun_in.c | 43 |
1 files changed, 25 insertions, 18 deletions
diff --git a/src/vnet/ipsec/ipsec_tun_in.c b/src/vnet/ipsec/ipsec_tun_in.c
index 6b7abce2866..4f8af006d2b 100644
--- a/src/vnet/ipsec/ipsec_tun_in.c
+++ b/src/vnet/ipsec/ipsec_tun_in.c
@@ -103,7 +103,7 @@ ipsec_ip4_if_no_tunnel (vlib_node_runtime_t * node,
 b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL];
 b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP4_NO_SUCH_TUNNEL];
 }
- return IPSEC_INPUT_NEXT_PUNT;
+ return VNET_DEVICE_INPUT_NEXT_PUNT;
 }
 always_inline u16
@@ -113,7 +113,7 @@ ipsec_ip6_if_no_tunnel (vlib_node_runtime_t * node,
 b->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NO_TUNNEL];
 b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP6_NO_SUCH_TUNNEL];
- return (IPSEC_INPUT_NEXT_PUNT);
+ return VNET_DEVICE_INPUT_NEXT_PUNT;
 }
 always_inline uword
@@ -138,7 +138,9 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 b = bufs;
 next = nexts;
- clib_memset_u16 (nexts, im->esp4_decrypt_next_index, n_left_from);
+ clib_memset_u16 (
+ nexts, is_ip6 ? im->esp6_decrypt_next_index : im->esp4_decrypt_next_index,
+ n_left_from);
 u64 n_bytes = 0, n_packets = 0;
 u32 n_disabled = 0, n_no_tunnel = 0;
@@ -218,7 +220,8 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 b[0]->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_TOO_SHORT];
- next[0] = IPSEC_INPUT_NEXT_DROP;
+ next[0] = is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP :
+ VNET_DEVICE_INPUT_NEXT_IP4_DROP;
 goto trace00;
 }
@@ -294,7 +297,8 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 (drop_counter, thread_index, sw_if_index0, 1, len0);
 n_disabled++;
 b[0]->error = node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_DISABLED];
- next[0] = IPSEC_INPUT_NEXT_DROP;
+ next[0] = is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP :
+ VNET_DEVICE_INPUT_NEXT_IP4_DROP;
 goto trace00;
 }
 else
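Review bot: The frame-wide default written by the new `clib_memset_u16` call is the non-tunnel decrypt node (`im->esp6_decrypt_next_index` / `im->esp4_decrypt_next_index`), while the per-packet path later in this file assigns `im->esp6_decrypt_tun_next_index` / `im->esp4_decrypt_tun_next_index`. If every packet that is not dropped or punted reaches that explicit assignment the default is only a placeholder, but any path that falls through without touching `next[0]` would hand a still-encrypted packet to the non-tunnel decrypt node, presumably skipping the tunnel-specific handling and certainly skipping the feature-arc start this commit adds. Worth either confirming no such path exists or making the default agree with the explicit path, e.g. `nexts, is_ip6 ? im->esp6_decrypt_tun_next_index : im->esp4_decrypt_tun_next_index,`. ipsec_tun_protect_input_inline begins before this hunk and continues after it.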
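Review bot: The drop-next selection `is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP : VNET_DEVICE_INPUT_NEXT_IP4_DROP` is now spelled out twice in the per-packet loop (here for the disabled case and earlier for the too-short case), and `is_ip6` is fixed for the whole frame. Computing it once next to the `clib_memset_u16` initialisation, `const u16 drop_next = is_ip6 ? VNET_DEVICE_INPUT_NEXT_IP6_DROP : VNET_DEVICE_INPUT_NEXT_IP4_DROP;`, and writing `next[0] = drop_next;` in both error paths keeps the two paths from drifting apart if a third drop reason is added. The enclosing function starts and ends outside this hunk.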
@@ -319,7 +323,18 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 }
 //IPSEC_TUN_PROTECT_NEXT_DECRYPT;
- next[0] = im->esp4_decrypt_tun_next_index;
+ next[0] = is_ip6 ? im->esp6_decrypt_tun_next_index :
+ im->esp4_decrypt_tun_next_index;
+
+ if (itr0.flags & IPSEC_PROTECT_FEAT)
+ {
+ u32 next32;
+ u8 arc = feature_main.device_input_feature_arc_index;
+
+ next32 = next[0];
+ vnet_feature_arc_start (arc, sw_if_index0, &next32, b[0]);
+ next[0] = next32;
+ }
 }
 trace00:
 if (PREDICT_FALSE (is_trace))
@@ -375,13 +390,9 @@ VLIB_REGISTER_NODE (ipsec4_tun_input_node) = {
 .vector_size = sizeof (u32),
 .format_trace = format_ipsec_tun_protect_input_trace,
 .type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(ipsec_tun_protect_input_error_strings),
+ .n_errors = ARRAY_LEN (ipsec_tun_protect_input_error_strings),
 .error_strings = ipsec_tun_protect_input_error_strings,
- .n_next_nodes = IPSEC_TUN_PROTECT_N_NEXT,
- .next_nodes = {
- [IPSEC_TUN_PROTECT_NEXT_DROP] = "ip4-drop",
- [IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch",
- }
+ .sibling_of = "device-input",
 };
 /* *INDENT-ON* */
@@ -398,13 +409,9 @@ VLIB_REGISTER_NODE (ipsec6_tun_input_node) = {
 .vector_size = sizeof (u32),
 .format_trace = format_ipsec_tun_protect_input_trace,
 .type = VLIB_NODE_TYPE_INTERNAL,
- .n_errors = ARRAY_LEN(ipsec_tun_protect_input_error_strings),
+ .n_errors = ARRAY_LEN (ipsec_tun_protect_input_error_strings),
 .error_strings = ipsec_tun_protect_input_error_strings,
- .n_next_nodes = IPSEC_TUN_PROTECT_N_NEXT,
- .next_nodes = {
- [IPSEC_TUN_PROTECT_NEXT_DROP] = "ip6-drop",
- [IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch",
- }
+ .sibling_of = "device-input",
 };
 /* *INDENT-ON* */ |
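Review bot: The feature arc started under `if (itr0.flags & IPSEC_PROTECT_FEAT)` runs before ESP decryption — `next[0]` at that point is the `*_decrypt_tun_next_index` node and, per the commit message, the arc's end node for a tunnel ifindex is that decrypt node — so every input feature enabled on the tunnel interface sees the packet while it is still encrypted and its integrity has not yet been verified. That is the right place for the policing the commit tests, but a feature that classifies on inner headers or payload would be looking at ciphertext, and a feature that drops or marks is deciding on an unauthenticated packet; a comment at the `if` would spare the next person the same analysis, e.g. `/* Input features run here on the still-encrypted ESP packet: only outer headers are visible and ESP authentication has not happened yet. */`. As a minor style point, `u8 arc = feature_main.device_input_feature_arc_index;` is loop-invariant and could be read once at the top of ipsec_tun_protect_input_inline rather than per packet. The enclosing function starts and ends outside this hunk.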