summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2020-01-21 04:58:02 +0000
committerNeale Ranns <nranns@cisco.com>2020-01-22 22:35:03 +0000
commit7ec120e8dd8ab366fab27eca4e6402f213e24cc8 (patch)
tree936060953b9f27189b3172d2692c2768565126c5 /src/vnet/ipsec
parent66300f6ab8da91201e78dcf502b0f6c872e5f23f (diff)
ipsec: re-enable DPDK IPSec for tunnel decap/encap (VPP-1823)
Type: fix Change-Id: Iff9b1960b122f7d326efc37770b4ae3e81eb3122 Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/ipsec.c14
-rw-r--r--src/vnet/ipsec/ipsec.h10
-rw-r--r--src/vnet/ipsec/ipsec_tun_in.c13
3 files changed, 28 insertions, 9 deletions
diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c
index 1075fe48d84..c6511fd9b03 100644
--- a/src/vnet/ipsec/ipsec.c
+++ b/src/vnet/ipsec/ipsec.c
@@ -167,9 +167,11 @@ ipsec_register_esp_backend (vlib_main_t * vm, ipsec_main_t * im,
const char *esp4_encrypt_node_name,
const char *esp4_encrypt_node_tun_name,
const char *esp4_decrypt_node_name,
+ const char *esp4_decrypt_tun_node_name,
const char *esp6_encrypt_node_name,
const char *esp6_encrypt_node_tun_name,
const char *esp6_decrypt_node_name,
+ const char *esp6_decrypt_tun_node_name,
check_support_cb_t esp_check_support_cb,
add_del_sa_sess_cb_t esp_add_del_sa_sess_cb)
{
@@ -186,6 +188,12 @@ ipsec_register_esp_backend (vlib_main_t * vm, ipsec_main_t * im,
&b->esp6_encrypt_node_index, &b->esp6_encrypt_next_index);
ipsec_add_node (vm, esp6_decrypt_node_name, "ipsec6-input-feature",
&b->esp6_decrypt_node_index, &b->esp6_decrypt_next_index);
+ ipsec_add_node (vm, esp4_decrypt_tun_node_name, "ipsec4-tun-input",
+ &b->esp4_decrypt_tun_node_index,
+ &b->esp4_decrypt_tun_next_index);
+ ipsec_add_node (vm, esp6_decrypt_tun_node_name, "ipsec6-tun-input",
+ &b->esp6_decrypt_tun_node_index,
+ &b->esp6_decrypt_tun_next_index);
ipsec_add_feature ("ip4-output", esp4_encrypt_node_tun_name,
&b->esp44_encrypt_tun_feature_index);
@@ -255,6 +263,10 @@ ipsec_select_esp_backend (ipsec_main_t * im, u32 backend_idx)
im->esp6_decrypt_node_index = b->esp6_decrypt_node_index;
im->esp6_encrypt_next_index = b->esp6_encrypt_next_index;
im->esp6_decrypt_next_index = b->esp6_decrypt_next_index;
+ im->esp4_decrypt_tun_node_index = b->esp4_decrypt_tun_node_index;
+ im->esp4_decrypt_tun_next_index = b->esp4_decrypt_tun_next_index;
+ im->esp6_decrypt_tun_node_index = b->esp6_decrypt_tun_node_index;
+ im->esp6_decrypt_tun_next_index = b->esp6_decrypt_tun_next_index;
im->esp44_encrypt_tun_feature_index = b->esp44_encrypt_tun_feature_index;
im->esp64_encrypt_tun_feature_index = b->esp64_encrypt_tun_feature_index;
@@ -303,9 +315,11 @@ ipsec_init (vlib_main_t * vm)
"esp4-encrypt",
"esp4-encrypt-tun",
"esp4-decrypt",
+ "esp4-decrypt-tun",
"esp6-encrypt",
"esp6-encrypt-tun",
"esp6-decrypt",
+ "esp6-decrypt-tun",
ipsec_check_esp_support, NULL);
im->esp_default_backend = idx;
diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h
index 65b888e51a2..0c3e5778e6d 100644
--- a/src/vnet/ipsec/ipsec.h
+++ b/src/vnet/ipsec/ipsec.h
@@ -61,6 +61,10 @@ typedef struct
u32 esp6_decrypt_node_index;
u32 esp6_encrypt_next_index;
u32 esp6_decrypt_next_index;
+ u32 esp4_decrypt_tun_node_index;
+ u32 esp4_decrypt_tun_next_index;
+ u32 esp6_decrypt_tun_node_index;
+ u32 esp6_decrypt_tun_next_index;
u32 esp44_encrypt_tun_feature_index;
u32 esp46_encrypt_tun_feature_index;
u32 esp66_encrypt_tun_feature_index;
@@ -120,19 +124,23 @@ typedef struct
u32 error_drop_node_index;
u32 esp4_encrypt_node_index;
u32 esp4_decrypt_node_index;
+ u32 esp4_decrypt_tun_node_index;
u32 ah4_encrypt_node_index;
u32 ah4_decrypt_node_index;
u32 esp6_encrypt_node_index;
u32 esp6_decrypt_node_index;
+ u32 esp6_decrypt_tun_node_index;
u32 ah6_encrypt_node_index;
u32 ah6_decrypt_node_index;
/* next node indices */
u32 esp4_encrypt_next_index;
u32 esp4_decrypt_next_index;
+ u32 esp4_decrypt_tun_next_index;
u32 ah4_encrypt_next_index;
u32 ah4_decrypt_next_index;
u32 esp6_encrypt_next_index;
u32 esp6_decrypt_next_index;
+ u32 esp6_decrypt_tun_next_index;
u32 ah6_encrypt_next_index;
u32 ah6_decrypt_next_index;
@@ -248,9 +256,11 @@ u32 ipsec_register_esp_backend (vlib_main_t * vm, ipsec_main_t * im,
const char *esp4_encrypt_node_name,
const char *esp4_encrypt_tun_node_name,
const char *esp4_decrypt_node_name,
+ const char *esp4_decrypt_tun_node_name,
const char *esp6_encrypt_node_name,
const char *esp6_encrypt_tun_node_name,
const char *esp6_decrypt_node_name,
+ const char *esp6_decrypt_tun_node_name,
check_support_cb_t esp_check_support_cb,
add_del_sa_sess_cb_t esp_add_del_sa_sess_cb);
diff --git a/src/vnet/ipsec/ipsec_tun_in.c b/src/vnet/ipsec/ipsec_tun_in.c
index e6ad67b433a..35d268f58bc 100644
--- a/src/vnet/ipsec/ipsec_tun_in.c
+++ b/src/vnet/ipsec/ipsec_tun_in.c
@@ -55,8 +55,7 @@ typedef enum ipsec_tun_next_t_
#define _(v, s) IPSEC_TUN_PROTECT_NEXT_##v,
foreach_ipsec_input_next
#undef _
- IPSEC_TUN_PROTECT_NEXT_DECRYPT,
- IPSEC_TUN_PROTECT_N_NEXT,
+ IPSEC_TUN_PROTECT_N_NEXT,
} ipsec_tun_next_t;
typedef struct
@@ -311,7 +310,7 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
n_bytes = len0;
}
- next[0] = IPSEC_TUN_PROTECT_NEXT_DECRYPT;
+ next[0] = im->esp4_decrypt_tun_next_index; //IPSEC_TUN_PROTECT_NEXT_DECRYPT;
}
trace00:
if (PREDICT_FALSE (is_trace))
@@ -358,8 +357,7 @@ VLIB_NODE_FN (ipsec4_tun_input_node) (vlib_main_t * vm,
vlib_node_runtime_t * node,
vlib_frame_t * from_frame)
{
- return ipsec_tun_protect_input_inline (vm, node, from_frame,
- 0 /* is_ip6 */ );
+ return ipsec_tun_protect_input_inline (vm, node, from_frame, 0);
}
/* *INDENT-OFF* */
@@ -374,7 +372,6 @@ VLIB_REGISTER_NODE (ipsec4_tun_input_node) = {
.next_nodes = {
[IPSEC_TUN_PROTECT_NEXT_DROP] = "ip4-drop",
[IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch",
- [IPSEC_TUN_PROTECT_NEXT_DECRYPT] = "esp4-decrypt-tun",
}
};
/* *INDENT-ON* */
@@ -383,8 +380,7 @@ VLIB_NODE_FN (ipsec6_tun_input_node) (vlib_main_t * vm,
vlib_node_runtime_t * node,
vlib_frame_t * from_frame)
{
- return ipsec_tun_protect_input_inline (vm, node, from_frame,
- 1 /* is_ip6 */ );
+ return ipsec_tun_protect_input_inline (vm, node, from_frame, 1);
}
/* *INDENT-OFF* */
@@ -399,7 +395,6 @@ VLIB_REGISTER_NODE (ipsec6_tun_input_node) = {
.next_nodes = {
[IPSEC_TUN_PROTECT_NEXT_DROP] = "ip6-drop",
[IPSEC_TUN_PROTECT_NEXT_PUNT] = "punt-dispatch",
- [IPSEC_TUN_PROTECT_NEXT_DECRYPT] = "esp6-decrypt-tun",
}
};
/* *INDENT-ON* */