diff options
| author |   Neale Ranns <neale@graphiant.com> | 2021-10-08 07:30:47 +0000 |
|---|---|---|
| committer |   Beno�t Ganne <bganne@cisco.com> | 2021-11-19 14:41:28 +0000 |
| commit | 6fdcc3daa40ebfcb793998b6e4527dd6db03cfb7 (patch) | |
| tree | 8b8afab4ef1f1d1f8381b388010e92e4d470022b /src/vnet/ipsec | |
| parent | ad80663eb3fd954f42607168ad4babb91cb0edcc (diff) | |
fib: Don't use [midchain] adjacencies to change an interface's feature arc
Type: fix
Using the adjacency to modify the interface's feature arc doesn't work, since there are potentially more than one adj per-interface.
Instead have the interface, when it is created, register what the end node of the feature arc is. This end node is then also used as the interface's tx node (i.e. it is used as the adjacency's next-node).
rename adj-midhcain-tx as 'tunnel-output', that's a bit more intuitive.
There's also a fix in config string handling to:
1- prevent false sharing of strings when the end node of the arc is different.
2- call registered listeners when the end node is changed
For IPSec the consequences are that one cannot provide per-adjacency behaviour using different end-nodes - this was previously done for the no-SA and an SA with no protection. These cases are no handled in the esp-encrypt node.
Signed-off-by: Neale Ranns <neale@graphiant.com>
Change-Id: If3a83d03a3000f28820d9a9cb4101d244803d084
Diffstat (limited to 'src/vnet/ipsec')
| -rw-r--r-- | src/vnet/ipsec/esp_encrypt.c | 162 | ||||
| -rw-r--r-- | src/vnet/ipsec/ipsec.c | 4 | ||||
| -rw-r--r-- | src/vnet/ipsec/ipsec.h | 8 | ||||
| -rw-r--r-- | src/vnet/ipsec/ipsec_itf.c | 8 | ||||
| -rw-r--r-- | src/vnet/ipsec/ipsec_itf.h | 1 | ||||
| -rw-r--r-- | src/vnet/ipsec/ipsec_sa.h | 3 | ||||
| -rw-r--r-- | src/vnet/ipsec/ipsec_tun.c | 128 | ||||
| -rw-r--r-- | src/vnet/ipsec/ipsec_tun.h | 1 |
8 files changed, 123 insertions, 192 deletions
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index 33484e9cf43..0d29604e61f 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -50,7 +50,9 @@ typedef enum _ (SEQ_CYCLED, "sequence number cycled (packet dropped)") \ _ (CRYPTO_ENGINE_ERROR, "crypto engine error (packet dropped)") \ _ (CRYPTO_QUEUE_FULL, "crypto queue full (packet dropped)") \ - _ (NO_BUFFERS, "no buffers (packet dropped)") + _ (NO_BUFFERS, "no buffers (packet dropped)") \ + _ (NO_PROTECTION, "no protecting SA (packet dropped)") \ + _ (NO_ENCRYPTION, "no Encrypting SA (packet dropped)") typedef enum { @@ -640,6 +642,14 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, vnet_buffer (b[0])->ipsec.sad_index = sa_index0 = ipsec_tun_protect_get_sa_out (vnet_buffer (b[0])->ip.adj_index[VLIB_TX]); + + if (PREDICT_FALSE (INDEX_INVALID == sa_index0)) + { + err = ESP_ENCRYPT_ERROR_NO_PROTECTION; + esp_set_next_index (b[0], node, err, n_noop, noop_nexts, + drop_next); + goto trace; + } } else sa_index0 = vnet_buffer (b[0])->ipsec.sad_index; @@ -655,6 +665,15 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, sa0 = ipsec_sa_get (sa_index0); + if (PREDICT_FALSE ((sa0->crypto_alg == IPSEC_CRYPTO_ALG_NONE && + sa0->integ_alg == IPSEC_INTEG_ALG_NONE) && + !ipsec_sa_is_set_NO_ALGO_NO_DROP (sa0))) + { + err = ESP_ENCRYPT_ERROR_NO_ENCRYPTION; + esp_set_next_index (b[0], node, err, n_noop, noop_nexts, + drop_next); + goto trace; + } /* fetch the second cacheline ASAP */ clib_prefetch_load (sa0->cacheline1); @@ -970,13 +989,19 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, { esp_encrypt_trace_t *tr = vlib_add_trace (vm, node, b[0], sizeof (*tr)); - tr->sa_index = sa_index0; - tr->spi = sa0->spi; - tr->seq = sa0->seq; - tr->sa_seq_hi = sa0->seq_hi; - tr->udp_encap = ipsec_sa_is_set_UDP_ENCAP (sa0); - tr->crypto_alg = sa0->crypto_alg; - tr->integ_alg = sa0->integ_alg; + if (INDEX_INVALID == sa_index0) + clib_memset_u8 (tr, 0xff, sizeof (*tr)); + else + { + tr->sa_index = sa_index0; + tr->spi = sa0->spi; + tr->spi = sa0->spi; + tr->seq = sa0->seq; + tr->sa_seq_hi = sa0->seq_hi; + tr->udp_encap = ipsec_sa_is_set_UDP_ENCAP (sa0); + tr->crypto_alg = sa0->crypto_alg; + tr->integ_alg = sa0->integ_alg; + } } /* next */ @@ -1002,9 +1027,10 @@ esp_encrypt_inline (vlib_main_t *vm, vlib_node_runtime_t *node, b += 1; } - vlib_increment_combined_counter (&ipsec_sa_counters, thread_index, - current_sa_index, current_sa_packets, - current_sa_bytes); + if (INDEX_INVALID != current_sa_index) + vlib_increment_combined_counter (&ipsec_sa_counters, thread_index, + current_sa_index, current_sa_packets, + current_sa_bytes); if (n_sync) { esp_process_ops (vm, node, ptd->crypto_ops, sync_bufs, sync_nexts, @@ -1368,120 +1394,6 @@ VLIB_REGISTER_NODE (esp_mpls_encrypt_tun_post_node) = { .error_strings = esp_encrypt_error_strings, }; -typedef struct -{ - u32 sa_index; -} esp_no_crypto_trace_t; - -static u8 * -format_esp_no_crypto_trace (u8 * s, va_list * args) -{ - CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *); - CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *); - esp_no_crypto_trace_t *t = va_arg (*args, esp_no_crypto_trace_t *); - - s = format (s, "esp-no-crypto: sa-index %u", t->sa_index); - - return s; -} - -enum -{ - ESP_NO_CRYPTO_NEXT_DROP, - ESP_NO_CRYPTO_N_NEXT, -}; - -enum -{ - ESP_NO_CRYPTO_ERROR_RX_PKTS, -}; - -static char *esp_no_crypto_error_strings[] = { - "Outbound ESP packets received", -}; - -always_inline uword -esp_no_crypto_inline (vlib_main_t * vm, vlib_node_runtime_t * node, - vlib_frame_t * frame) -{ - vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs; - u32 *from = vlib_frame_vector_args (frame); - u32 n_left = frame->n_vectors; - - vlib_get_buffers (vm, from, b, n_left); - - while (n_left > 0) - { - u32 sa_index0; - - /* packets are always going to be dropped, but get the sa_index */ - sa_index0 = ipsec_tun_protect_get_sa_out - (vnet_buffer (b[0])->ip.adj_index[VLIB_TX]); - - if (PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED)) - { - esp_no_crypto_trace_t *tr = vlib_add_trace (vm, node, b[0], - sizeof (*tr)); - tr->sa_index = sa_index0; - } - - n_left -= 1; - b += 1; - } - - vlib_node_increment_counter (vm, node->node_index, - ESP_NO_CRYPTO_ERROR_RX_PKTS, frame->n_vectors); - - vlib_buffer_enqueue_to_single_next (vm, node, from, - ESP_NO_CRYPTO_NEXT_DROP, - frame->n_vectors); - - return frame->n_vectors; -} - -VLIB_NODE_FN (esp4_no_crypto_tun_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * from_frame) -{ - return esp_no_crypto_inline (vm, node, from_frame); -} - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (esp4_no_crypto_tun_node) = -{ - .name = "esp4-no-crypto", - .vector_size = sizeof (u32), - .format_trace = format_esp_no_crypto_trace, - .n_errors = ARRAY_LEN(esp_no_crypto_error_strings), - .error_strings = esp_no_crypto_error_strings, - .n_next_nodes = ESP_NO_CRYPTO_N_NEXT, - .next_nodes = { - [ESP_NO_CRYPTO_NEXT_DROP] = "ip4-drop", - }, -}; - -VLIB_NODE_FN (esp6_no_crypto_tun_node) (vlib_main_t * vm, - vlib_node_runtime_t * node, - vlib_frame_t * from_frame) -{ - return esp_no_crypto_inline (vm, node, from_frame); -} - -/* *INDENT-OFF* */ -VLIB_REGISTER_NODE (esp6_no_crypto_tun_node) = -{ - .name = "esp6-no-crypto", - .vector_size = sizeof (u32), - .format_trace = format_esp_no_crypto_trace, - .n_errors = ARRAY_LEN(esp_no_crypto_error_strings), - .error_strings = esp_no_crypto_error_strings, - .n_next_nodes = ESP_NO_CRYPTO_N_NEXT, - .next_nodes = { - [ESP_NO_CRYPTO_NEXT_DROP] = "ip6-drop", - }, -}; -/* *INDENT-ON* */ - #ifndef CLIB_MARCH_VARIANT static clib_error_t * diff --git a/src/vnet/ipsec/ipsec.c b/src/vnet/ipsec/ipsec.c index 30774ec10ff..5cc8044e3d4 100644 --- a/src/vnet/ipsec/ipsec.c +++ b/src/vnet/ipsec/ipsec.c @@ -25,6 +25,7 @@ #include <vnet/ipsec/esp.h> #include <vnet/ipsec/ah.h> #include <vnet/ipsec/ipsec_tun.h> +#include <vnet/ipsec/ipsec_itf.h> /* Flow cache is sized for 1 million flows with a load factor of .25. */ @@ -254,6 +255,9 @@ ipsec_rsc_in_use (ipsec_main_t * im) if (pool_elts (ipsec_sa_pool) > 0) return clib_error_return (0, "%d SA entries configured", pool_elts (ipsec_sa_pool)); + if (ipsec_itf_count () > 0) + return clib_error_return (0, "%d IPSec interface configured", + ipsec_itf_count ()); return (NULL); } diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h index 968d377cea0..38feaed6f77 100644 --- a/src/vnet/ipsec/ipsec.h +++ b/src/vnet/ipsec/ipsec.h @@ -181,14 +181,6 @@ typedef struct u32 ah6_encrypt_next_index; u32 ah6_decrypt_next_index; - /* tun nodes to drop packets when no crypto alg set on outbound SA */ - u32 esp4_no_crypto_tun_node_index; - u32 esp6_no_crypto_tun_node_index; - - /* tun nodes for encrypt on L2 interfaces */ - u32 esp4_encrypt_l2_tun_node_index; - u32 esp6_encrypt_l2_tun_node_index; - /* pool of ah backends */ ipsec_ah_backend_t *ah_backends; /* pool of esp backends */ diff --git a/src/vnet/ipsec/ipsec_itf.c b/src/vnet/ipsec/ipsec_itf.c index 532d5be4c07..fc0bf85a517 100644 --- a/src/vnet/ipsec/ipsec_itf.c +++ b/src/vnet/ipsec/ipsec_itf.c @@ -36,6 +36,12 @@ ipsec_itf_get (index_t ii) return (pool_elt_at_index (ipsec_itf_pool, ii)); } +u32 +ipsec_itf_count (void) +{ + return (pool_elts (ipsec_itf_pool)); +} + static ipsec_itf_t * ipsec_itf_find_by_sw_if_index (u32 sw_if_index) { @@ -336,6 +342,8 @@ ipsec_itf_delete (u32 sw_if_index) if (ipsec_itf_instance_free (hw->dev_instance) < 0) return VNET_API_ERROR_INVALID_SW_IF_INDEX; + vnet_reset_interface_l3_output_node (vnm->vlib_main, sw_if_index); + vnet_delete_hw_interface (vnm, hw->hw_if_index); pool_put (ipsec_itf_pool, ipsec_itf); diff --git a/src/vnet/ipsec/ipsec_itf.h b/src/vnet/ipsec/ipsec_itf.h index 4958d102b65..7de02745b81 100644 --- a/src/vnet/ipsec/ipsec_itf.h +++ b/src/vnet/ipsec/ipsec_itf.h @@ -109,6 +109,7 @@ extern void ipsec_itf_adj_unstack (adj_index_t ai); extern u8 *format_ipsec_itf (u8 * s, va_list * a); extern ipsec_itf_t *ipsec_itf_get (index_t ii); +extern u32 ipsec_itf_count (void); typedef walk_rc_t (*ipsec_itf_walk_cb_t) (ipsec_itf_t *itf, void *ctx); extern void ipsec_itf_walk (ipsec_itf_walk_cb_t cd, void *ctx); diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h index 2cc64e19546..ec5ca11b179 100644 --- a/src/vnet/ipsec/ipsec_sa.h +++ b/src/vnet/ipsec/ipsec_sa.h @@ -102,7 +102,8 @@ typedef struct ipsec_key_t_ _ (64, IS_INBOUND, "inbound") \ _ (128, IS_AEAD, "aead") \ _ (256, IS_CTR, "ctr") \ - _ (512, IS_ASYNC, "async") + _ (512, IS_ASYNC, "async") \ + _ (1024, NO_ALGO_NO_DROP, "no-algo-no-drop") typedef enum ipsec_sad_flags_t_ { diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c index 1a9a25783ae..ef84d13a373 100644 --- a/src/vnet/ipsec/ipsec_tun.c +++ b/src/vnet/ipsec/ipsec_tun.c @@ -22,6 +22,7 @@ #include <vnet/adj/adj_delegate.h> #include <vnet/adj/adj_midchain.h> #include <vnet/teib/teib.h> +#include <vnet/mpls/mpls.h> /* instantiate the bihash functions */ #include <vppinfra/bihash_8_16.h> @@ -137,12 +138,14 @@ ipsec_tun_protect_from_const_base (const adj_delegate_t * ad) static u32 ipsec_tun_protect_get_adj_next (vnet_link_t linkt, - const ipsec_tun_protect_t * itp) + const ipsec_tun_protect_t *itp) { ipsec_main_t *im; - ipsec_sa_t *sa; u32 next; + im = &ipsec_main; + next = 0; + if (!(itp->itp_flags & IPSEC_PROTECT_ITF)) { if (ip46_address_is_ip4 (&itp->itp_tun.src)) @@ -151,42 +154,48 @@ ipsec_tun_protect_get_adj_next (vnet_link_t linkt, linkt = VNET_LINK_IP6; } - sa = ipsec_sa_get (itp->itp_out_sa); - im = &ipsec_main; - next = 0; - - if ((sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE && - sa->integ_alg == IPSEC_INTEG_ALG_NONE) && - !(itp->itp_flags & IPSEC_PROTECT_ITF)) - next = (VNET_LINK_IP4 == linkt ? im->esp4_no_crypto_tun_node_index : - im->esp6_no_crypto_tun_node_index); - else if (itp->itp_flags & IPSEC_PROTECT_L2) - next = (VNET_LINK_IP4 == linkt ? im->esp4_encrypt_l2_tun_node_index : - im->esp6_encrypt_l2_tun_node_index); - else + switch (linkt) { - switch (linkt) - { - case VNET_LINK_IP4: - next = im->esp4_encrypt_tun_node_index; - break; - case VNET_LINK_IP6: - next = im->esp6_encrypt_tun_node_index; - break; - case VNET_LINK_MPLS: - next = im->esp_mpls_encrypt_tun_node_index; - break; - case VNET_LINK_ARP: - case VNET_LINK_NSH: - case VNET_LINK_ETHERNET: - ASSERT (0); - break; - } + case VNET_LINK_IP4: + next = im->esp4_encrypt_tun_node_index; + break; + case VNET_LINK_IP6: + next = im->esp6_encrypt_tun_node_index; + break; + case VNET_LINK_MPLS: + next = im->esp_mpls_encrypt_tun_node_index; + break; + case VNET_LINK_ARP: + case VNET_LINK_NSH: + case VNET_LINK_ETHERNET: + ASSERT (0); + break; } + return (next); } static void +ipsec_tun_reset_tx_nodes (u32 sw_if_index) +{ + vnet_reset_interface_l3_output_node (vlib_get_main (), sw_if_index); +} + +static void +ipsec_tun_setup_tx_nodes (u32 sw_if_index, const ipsec_tun_protect_t *itp) +{ + vnet_feature_modify_end_node ( + ip4_main.lookup_main.output_feature_arc_index, sw_if_index, + ipsec_tun_protect_get_adj_next (VNET_LINK_IP4, itp)); + vnet_feature_modify_end_node ( + ip6_main.lookup_main.output_feature_arc_index, sw_if_index, + ipsec_tun_protect_get_adj_next (VNET_LINK_IP6, itp)); + vnet_feature_modify_end_node ( + mpls_main.output_feature_arc_index, sw_if_index, + ipsec_tun_protect_get_adj_next (VNET_LINK_MPLS, itp)); +} + +static void ipsec_tun_protect_add_adj (adj_index_t ai, const ipsec_tun_protect_t * itp) { vec_validate_init_empty (ipsec_tun_protect_sa_by_adj_index, ai, @@ -200,8 +209,8 @@ ipsec_tun_protect_add_adj (adj_index_t ai, const ipsec_tun_protect_t * itp) else { ipsec_tun_protect_sa_by_adj_index[ai] = itp->itp_out_sa; - adj_nbr_midchain_update_next_node - (ai, ipsec_tun_protect_get_adj_next (adj_get_link_type (ai), itp)); + adj_nbr_midchain_update_next_node ( + ai, ipsec_tun_protect_get_adj_next (adj_get_link_type (ai), itp)); } } @@ -329,7 +338,7 @@ ipsec_tun_protect_tx_db_add (ipsec_tun_protect_t * itp) { if (INDEX_INVALID == idi->id_itp) { - // ipsec_tun_protect_feature_set (itp, 1); + ipsec_tun_setup_tx_nodes (itp->itp_sw_if_index, itp); } idi->id_itp = itp - ipsec_tun_protect_pool; @@ -347,7 +356,7 @@ ipsec_tun_protect_tx_db_add (ipsec_tun_protect_t * itp) * enable the encrypt feature for egress if this is the first addition * on this interface */ - // ipsec_tun_protect_feature_set (itp, 1); + ipsec_tun_setup_tx_nodes (itp->itp_sw_if_index, itp); } hash_set_mem (idi->id_hash, itp->itp_key, itp - ipsec_tun_protect_pool); @@ -435,7 +444,7 @@ ipsec_tun_protect_tx_db_remove (ipsec_tun_protect_t * itp) if (vnet_sw_interface_is_p2p (vnet_get_main (), itp->itp_sw_if_index)) { - // ipsec_tun_protect_feature_set (itp, 0); + ipsec_tun_reset_tx_nodes (itp->itp_sw_if_index); idi->id_itp = INDEX_INVALID; FOR_EACH_FIB_IP_PROTOCOL (nh_proto) @@ -451,7 +460,7 @@ ipsec_tun_protect_tx_db_remove (ipsec_tun_protect_t * itp) if (0 == hash_elts (idi->id_hash)) { - // ipsec_tun_protect_feature_set (itp, 0); + ipsec_tun_reset_tx_nodes (itp->itp_sw_if_index); hash_free (idi->id_hash); idi->id_hash = NULL; } @@ -502,6 +511,9 @@ ipsec_tun_protect_config (ipsec_main_t * im, ipsec_sa_lock (itp->itp_out_sa); + if (itp->itp_flags & IPSEC_PROTECT_ITF) + ipsec_sa_set_NO_ALGO_NO_DROP (ipsec_sa_get (itp->itp_out_sa)); + /* *INDENT-OFF* */ FOR_EACH_IPSEC_PROTECT_INPUT_SAI(itp, sai, ({ @@ -534,6 +546,7 @@ ipsec_tun_protect_unconfig (ipsec_main_t * im, ipsec_tun_protect_t * itp) ipsec_tun_protect_rx_db_remove (im, itp); ipsec_tun_protect_tx_db_remove (itp); + ipsec_sa_unset_NO_ALGO_NO_DROP (ipsec_sa_get (itp->itp_out_sa)); ipsec_sa_unlock(itp->itp_out_sa); FOR_EACH_IPSEC_PROTECT_INPUT_SAI(itp, sai, @@ -802,19 +815,27 @@ ipsec_tun_feature_update (u32 sw_if_index, u8 arc_index, u8 is_enable, ipsec_main.esp4_decrypt_tun_node_index : ipsec_main.esp6_decrypt_tun_node_index; - vnet_feature_modify_end_node ( - feature_main.device_input_feature_arc_index, sw_if_index, decrypt_tun); - itp->itp_flags |= IPSEC_PROTECT_FEAT; + if (!(itp->itp_flags & IPSEC_PROTECT_FEAT)) + { + itp->itp_flags |= IPSEC_PROTECT_FEAT; + vnet_feature_modify_end_node ( + feature_main.device_input_feature_arc_index, sw_if_index, + decrypt_tun); + } } else { - u32 eth_in = - vlib_get_node_by_name (vlib_get_main (), (u8 *) "ethernet-input") - ->index; + if (itp->itp_flags & IPSEC_PROTECT_FEAT) + { + itp->itp_flags &= ~IPSEC_PROTECT_FEAT; + + u32 eth_in = + vlib_get_node_by_name (vlib_get_main (), (u8 *) "ethernet-input") + ->index; - vnet_feature_modify_end_node ( - feature_main.device_input_feature_arc_index, sw_if_index, eth_in); - itp->itp_flags &= ~IPSEC_PROTECT_FEAT; + vnet_feature_modify_end_node ( + feature_main.device_input_feature_arc_index, sw_if_index, eth_in); + } } /* Propagate flag change into lookup entries */ @@ -848,6 +869,9 @@ ipsec_tun_protect_adj_delegate_adj_created (adj_index_t ai) if (!adj_is_midchain (ai)) return; + vec_validate_init_empty (ipsec_tun_protect_sa_by_adj_index, ai, + INDEX_INVALID); + adj = adj_get (ai); ip_address_from_46 (&adj->sub_type.midchain.next_hop, @@ -956,16 +980,6 @@ ipsec_tunnel_protect_init (vlib_main_t *vm) IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS, IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE); - /* set up feature nodes to drop outbound packets with no crypto alg set */ - im->esp4_no_crypto_tun_node_index = - vlib_get_node_by_name (vm, (u8 *) "esp4-no-crypto")->index; - im->esp6_no_crypto_tun_node_index = - vlib_get_node_by_name (vm, (u8 *) "esp6-no-crypto")->index; - im->esp6_encrypt_l2_tun_node_index = - vlib_get_node_by_name (vm, (u8 *) "esp6-encrypt-tun")->index; - im->esp4_encrypt_l2_tun_node_index = - vlib_get_node_by_name (vm, (u8 *) "esp4-encrypt-tun")->index; - ipsec_tun_adj_delegate_type = adj_delegate_register_new_type (&ipsec_tun_adj_delegate_vft); diff --git a/src/vnet/ipsec/ipsec_tun.h b/src/vnet/ipsec/ipsec_tun.h index f452fa4354c..9d8a124443d 100644 --- a/src/vnet/ipsec/ipsec_tun.h +++ b/src/vnet/ipsec/ipsec_tun.h @@ -182,7 +182,6 @@ always_inline index_t ipsec_tun_protect_get_sa_out (adj_index_t ai) { ASSERT (vec_len (ipsec_tun_protect_sa_by_adj_index) > ai); - ASSERT (INDEX_INVALID != ipsec_tun_protect_sa_by_adj_index[ai]); return (ipsec_tun_protect_sa_by_adj_index[ai]); } |