authorNeale Ranns <neale@graphiant.com>2021-06-24 14:57:56 +0000
committerMatthew Smith <mgsmith@netgate.com>2021-06-28 21:26:30 +0000
commitff2e4138cc020dea4ab0f21f1b172b28f5ed3565 (patch)
tree9ba66a5ef80aff8d8d8fb56c6f7d1cd873d70380 /src/vnet/ipsec
parent9c23ff8c8ab2ba881540a1c9c6d331d2ed6c8c6a (diff)
ipsec: Split the SA add_del API into an separate add and del
Type: improvement. The rationale is that the del only requires the SA's ID, so it's a bit mean to require the client to fill out all the other information as well. Signed-off-by: Neale Ranns <neale@graphiant.com> Change-Id: Ibbc20405e74d6a0e1a3797465ead5271f15888e4
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/ipsec.api20
-rw-r--r--src/vnet/ipsec/ipsec_api.c114
2 files changed, 98 insertions, 36 deletions
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 8d4580a2c28..be45c3e2401 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -14,7 +14,7 @@
* limitations under the License.
*/
-option version = "5.0.1";
+option version = "5.0.2";
import "vnet/ipsec/ipsec_types.api";
import "vnet/interface_types.api";
@@ -211,6 +211,18 @@ define ipsec_sad_entry_add_del_v3
bool is_add;
vl_api_ipsec_sad_entry_v3_t entry;
};
+define ipsec_sad_entry_add
+{
+ u32 client_index;
+ u32 context;
+ vl_api_ipsec_sad_entry_v3_t entry;
+};
+autoreply define ipsec_sad_entry_del
+{
+ u32 client_index;
+ u32 context;
+ u32 id;
+};
define ipsec_sad_entry_add_del_reply
{
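Review bot: The new `ipsec_sad_entry_add` and `ipsec_sad_entry_del` messages carry no `/** \brief ... */` doc comment, although neighbouring messages in this file do (see the `\brief Add or Update Protection for a tunnel` comment at the end of the next hunk). Suggest `/** \brief IPsec: Add an SA (v3 entry encoding); the reply returns the SA's stat_index */` above the add message and `/** \brief IPsec: Delete an SA by its id @param id - the sad_id of the SA to delete */` above the del message. The del message names its field `id` while the entry type it is paired with calls the same value `sad_id` (the handlers read `mp->entry.sad_id`); naming it `sad_id` would make the pairing explicit if the effect on generated bindings is acceptable. `ipsec_sad_entry_add_reply` in the following hunk is likewise undocumented.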
@@ -231,6 +243,12 @@ define ipsec_sad_entry_add_del_v3_reply
i32 retval;
u32 stat_index;
};
+define ipsec_sad_entry_add_reply
+{
+ u32 context;
+ i32 retval;
+ u32 stat_index;
+};
/** \brief Add or Update Protection for a tunnel with IPSEC
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index a0c2768318f..73f4474a604 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -291,6 +291,11 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
int rv;
id = ntohl (mp->entry.sad_id);
+ if (!mp->is_add)
+ {
+ rv = ipsec_sa_unlock_id (id);
+ goto out;
+ }
spi = ntohl (mp->entry.spi);
rv = ipsec_proto_decode (mp->entry.protocol, &proto);
@@ -316,13 +321,10 @@ static void vl_api_ipsec_sad_entry_add_del_t_handler
ip_address_decode2 (&mp->entry.tunnel_src, &tun.t_src);
ip_address_decode2 (&mp->entry.tunnel_dst, &tun.t_dst);
- if (mp->is_add)
- rv = ipsec_sa_add_and_lock (
- id, spi, proto, crypto_alg, &crypto_key, integ_alg, &integ_key, flags,
- mp->entry.salt, htons (mp->entry.udp_src_port),
- htons (mp->entry.udp_dst_port), &tun, &sa_index);
- else
- rv = ipsec_sa_unlock_id (id);
+ rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &crypto_key,
+ integ_alg, &integ_key, flags, mp->entry.salt,
+ htons (mp->entry.udp_src_port),
+ htons (mp->entry.udp_dst_port), &tun, &sa_index);
out:
/* *INDENT-OFF* */
@@ -355,6 +357,12 @@ static void vl_api_ipsec_sad_entry_add_del_v2_t_handler
};
id = ntohl (mp->entry.sad_id);
+ if (!mp->is_add)
+ {
+ rv = ipsec_sa_unlock_id (id);
+ goto out;
+ }
+
spi = ntohl (mp->entry.spi);
rv = ipsec_proto_decode (mp->entry.protocol, &proto);
@@ -387,13 +395,10 @@ static void vl_api_ipsec_sad_entry_add_del_v2_t_handler
ip_address_decode2 (&mp->entry.tunnel_src, &tun.t_src);
ip_address_decode2 (&mp->entry.tunnel_dst, &tun.t_dst);
- if (mp->is_add)
rv = ipsec_sa_add_and_lock (
id, spi, proto, crypto_alg, &crypto_key, integ_alg, &integ_key, flags,
mp->entry.salt, htons (mp->entry.udp_src_port),
htons (mp->entry.udp_dst_port), &tun, &sa_index);
- else
- rv = ipsec_sa_unlock_id (id);
out:
/* *INDENT-OFF* */
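Review bot: The `rv = ipsec_sa_add_and_lock (...)` statement is left as unchanged context, so it keeps the indentation it had as the body of the removed `if (mp->is_add)`, whereas the matching v1 hunk above reflows the same call to its new depth. Re-indenting these four lines (or running clang-format on the function) would make the v1 and v2 handlers consistent. The enclosing v2 handler begins outside this hunk.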
@@ -404,65 +409,104 @@ out:
/* *INDENT-ON* */
}
-static void
-vl_api_ipsec_sad_entry_add_del_v3_t_handler (
- vl_api_ipsec_sad_entry_add_del_v3_t *mp)
+static int
+ipsec_sad_entry_add_v3 (const vl_api_ipsec_sad_entry_v3_t *entry,
+ u32 *sa_index)
{
- vl_api_ipsec_sad_entry_add_del_v3_reply_t *rmp;
ipsec_key_t crypto_key, integ_key;
ipsec_crypto_alg_t crypto_alg;
ipsec_integ_alg_t integ_alg;
ipsec_protocol_t proto;
ipsec_sa_flags_t flags;
- u32 id, spi, sa_index = ~0;
+ u32 id, spi;
tunnel_t tun;
int rv;
- id = ntohl (mp->entry.sad_id);
- spi = ntohl (mp->entry.spi);
+ id = ntohl (entry->sad_id);
+ spi = ntohl (entry->spi);
- rv = ipsec_proto_decode (mp->entry.protocol, &proto);
+ rv = ipsec_proto_decode (entry->protocol, &proto);
if (rv)
- goto out;
+ return (rv);
- rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
+ rv = ipsec_crypto_algo_decode (entry->crypto_algorithm, &crypto_alg);
if (rv)
- goto out;
+ return (rv);
- rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
+ rv = ipsec_integ_algo_decode (entry->integrity_algorithm, &integ_alg);
if (rv)
- goto out;
+ return (rv);
- flags = ipsec_sa_flags_decode (mp->entry.flags);
+ flags = ipsec_sa_flags_decode (entry->flags);
if (flags & IPSEC_SA_FLAG_IS_TUNNEL)
{
- rv = tunnel_decode (&mp->entry.tunnel, &tun);
+ rv = tunnel_decode (&entry->tunnel, &tun);
if (rv)
- goto out;
+ return (rv);
}
- ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
- ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
+ ipsec_key_decode (&entry->crypto_key, &crypto_key);
+ ipsec_key_decode (&entry->integrity_key, &integ_key);
- if (mp->is_add)
- rv = ipsec_sa_add_and_lock (
- id, spi, proto, crypto_alg, &crypto_key, integ_alg, &integ_key, flags,
- mp->entry.salt, htons (mp->entry.udp_src_port),
- htons (mp->entry.udp_dst_port), &tun, &sa_index);
+ return ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &crypto_key,
+ integ_alg, &integ_key, flags, entry->salt,
+ htons (entry->udp_src_port),
+ htons (entry->udp_dst_port), &tun, sa_index);
+}
+
+static void
+vl_api_ipsec_sad_entry_add_del_v3_t_handler (
+ vl_api_ipsec_sad_entry_add_del_v3_t *mp)
+{
+ vl_api_ipsec_sad_entry_add_del_v3_reply_t *rmp;
+ u32 id, sa_index = ~0;
+ int rv;
+
+ id = ntohl (mp->entry.sad_id);
+
+ if (!mp->is_add)
+ {
+ rv = ipsec_sa_unlock_id (id);
+ }
else
- rv = ipsec_sa_unlock_id (id);
+ {
+ rv = ipsec_sad_entry_add_v3 (&mp->entry, &sa_index);
+ }
-out:
REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_V3_REPLY,
{ rmp->stat_index = htonl (sa_index); });
}
static void
+vl_api_ipsec_sad_entry_del_t_handler (vl_api_ipsec_sad_entry_del_t *mp)
+{
+ vl_api_ipsec_sad_entry_del_reply_t *rmp;
+ int rv;
+
+ rv = ipsec_sa_unlock_id (ntohl (mp->id));
+
+ REPLY_MACRO (VL_API_IPSEC_SAD_ENTRY_DEL_REPLY);
+}
+
+static void
+vl_api_ipsec_sad_entry_add_t_handler (vl_api_ipsec_sad_entry_add_t *mp)
+{
+ vl_api_ipsec_sad_entry_add_reply_t *rmp;
+ u32 sa_index = ~0;
+ int rv;
+
+ rv = ipsec_sad_entry_add_v3 (&mp->entry, &sa_index);
+
+ REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_REPLY,
+ { rmp->stat_index = htonl (sa_index); });
+}
+
+static void
send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg,
u32 context)
{
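Review bot: The new helper `ipsec_sad_entry_add_v3` has no header comment, and neither do the two new handlers, even though the helper is now shared by the v3 add_del handler and the new add handler. Suggest `/* Decode a v3 SAD entry from the wire and add+lock the SA; sa_index is passed through to ipsec_sa_add_and_lock. Returns the first decode error, else the add result. */` above the helper. Inside it the early exits use `return (rv);` while the final line uses an unparenthesised `return ipsec_sa_add_and_lock (...)`; picking one form would read more consistently. `tunnel_t tun` is still handed to `ipsec_sa_add_and_lock` uninitialised when `IPSEC_SA_FLAG_IS_TUNNEL` is clear (carried over from the old handler); if the callee reads it regardless of the flag, `tunnel_t tun = { 0 };` would be the cheap fix, otherwise a comment noting that the callee ignores it would help the next reader.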