authorNeale Ranns <nranns@cisco.com>2019-04-02 10:15:40 +0000
committerDamjan Marion <dmarion@me.com>2019-04-02 14:10:10 +0000
commit2b5ba9501c3dda3645bf01eb53b2821471f2a946 (patch)
treee58a8ae09ba1ee08053c39422e7dd80805409d8b /src/vnet/ipsec
parentea5bb7761d5f939174e9ee416adbbba5946cc0a4 (diff)
IPSEC: tunnel scaling - don't stack the inbound SA
Change-Id: I0b47590400aebea09aa1b27de753be638e1ba870 Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/ipsec_format.c15
-rw-r--r--src/vnet/ipsec/ipsec_if.c2
-rw-r--r--src/vnet/ipsec/ipsec_sa.c16
-rw-r--r--src/vnet/ipsec/ipsec_sa.h1
4 files changed, 15 insertions, 19 deletions
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index a8616555629..c91a9ba632e 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -294,11 +294,16 @@ format_ipsec_sa (u8 * s, va_list * args)
tx_table_id,
format_ip46_address, &sa->tunnel_src_addr, IP46_TYPE_ANY,
format_ip46_address, &sa->tunnel_dst_addr, IP46_TYPE_ANY);
- s = format (s, "\n resovle via fib-entry: %d", sa->fib_entry_index);
- s = format (s, "\n stacked on:");
- s =
- format (s, "\n %U", format_dpo_id, &sa->dpo[IPSEC_PROTOCOL_ESP],
- 6);
+ if (!ipsec_sa_is_set_IS_INBOUND (sa))
+ {
+ s =
+ format (s, "\n resovle via fib-entry: %d",
+ sa->fib_entry_index);
+ s = format (s, "\n stacked on:");
+ s =
+ format (s, "\n %U", format_dpo_id,
+ &sa->dpo[IPSEC_PROTOCOL_ESP], 6);
+ }
}
return (s);
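Review bot: The runtime string rewritten at the new `format` call still carries the misspelling "resovle"; since the line is being rewrapped anyway, correct it to `format (s, "\n resolve via fib-entry: %d",` so that operators grepping show output for "resolve" find it. The guard on `ipsec_sa_is_set_IS_INBOUND` is the right addition here, because the fields printed in this branch (`sa->fib_entry_index`, `sa->dpo[IPSEC_PROTOCOL_ESP]`) are only populated for outbound tunnel SAs after this commit. format_ipsec_sa begins outside the hunk, so I cannot see whether the enclosing `if` is the tunnel check; if it is not, the inbound guard should be paired with one.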
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index bfdc2bb6814..3c1f84576d4 100644
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -306,7 +306,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
&crypto_key,
args->integ_alg,
&integ_key,
- flags,
+ (flags | IPSEC_SA_FLAG_IS_INBOUND),
args->tx_table_id,
&args->remote_ip,
&args->local_ip, &t->input_sa_index);
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index 9f2d8505c35..0ca2f376c67 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -149,6 +149,7 @@ ipsec_sa_add (u32 id,
sa->spi = spi;
sa->stat_index = sa_index;
sa->protocol = proto;
+ sa->flags = flags;
ipsec_sa_set_crypto_alg (sa, crypto_alg);
clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
ipsec_sa_set_integ_alg (sa, integ_alg);
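Review bot: `sa->flags = flags;` stores every bit the caller passes, whereas the code removed in the next hunk (the `if (flags & IPSEC_SA_FLAG_...)` chain) copied only five known flags, so any bit with no enumerator in ipsec_sa.h is now retained and will be reported by the flag formatter and tested by the `ipsec_sa_is_set_*` accessors. I cannot see where `flags` originates; if it can reach this function from the binary API, mask it to the enumerators defined in ipsec_sa.h before the assignment, or reject unknown bits with an explicit error return. A one-line comment such as `/* flags are stored verbatim; IS_GRE and IS_INBOUND are now honoured too */` would make the intentional widening visible to the next reader. ipsec_sa_add begins outside this hunk.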
@@ -156,17 +157,6 @@ ipsec_sa_add (u32 id,
ip46_address_copy (&sa->tunnel_src_addr, tun_src);
ip46_address_copy (&sa->tunnel_dst_addr, tun_dst);
- if (flags & IPSEC_SA_FLAG_USE_ESN)
- ipsec_sa_set_USE_ESN (sa);
- if (flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY)
- ipsec_sa_set_USE_ANTI_REPLAY (sa);
- if (flags & IPSEC_SA_FLAG_IS_TUNNEL)
- ipsec_sa_set_IS_TUNNEL (sa);
- if (flags & IPSEC_SA_FLAG_IS_TUNNEL_V6)
- ipsec_sa_set_IS_TUNNEL_V6 (sa);
- if (flags & IPSEC_SA_FLAG_UDP_ENCAP)
- ipsec_sa_set_UDP_ENCAP (sa);
-
err = ipsec_check_support_cb (im, sa);
if (err)
{
@@ -182,7 +172,7 @@ ipsec_sa_add (u32 id,
return VNET_API_ERROR_SYSCALL_ERROR_1;
}
- if (ipsec_sa_is_set_IS_TUNNEL (sa))
+ if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
{
fib_protocol_t fproto = (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
FIB_PROTOCOL_IP6 : FIB_PROTOCOL_IP4);
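Review bot: For an inbound tunnel SA the block guarded by the new condition is skipped, and with it whatever it assigns to `sa->fib_entry_index` and `sa->dpo` (the assignments themselves are outside the hunk, but ipsec_format.c reads both fields under the same condition). Unless `sa` is zero-initialised when it is taken from the pool, which this hunk does not show, those fields hold stale memory for inbound SAs and any path that does not replicate this guard will use them. Initialising `sa->fib_entry_index = FIB_NODE_INDEX_INVALID;` before the `if` is a cheap way to make the unstacked state explicit. The matching change in ipsec_sa_del (the following hunk) is consistent with this one, so no second note there.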
@@ -280,7 +270,7 @@ ipsec_sa_del (u32 id)
if (err)
return VNET_API_ERROR_SYSCALL_ERROR_1;
- if (ipsec_sa_is_set_IS_TUNNEL (sa))
+ if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
{
fib_entry_child_remove (sa->fib_entry_index, sa->sibling);
fib_table_entry_special_remove
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index cfb44b9e86d..66bdcc72308 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -91,6 +91,7 @@ typedef struct ipsec_key_t_
_ (8, IS_TUNNEL_V6, "tunnel-v6") \
_ (16, UDP_ENCAP, "udp-encap") \
_ (32, IS_GRE, "GRE") \
+ _ (64, IS_INBOUND, "inboud") \
typedef enum ipsec_sad_flags_t_
{
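Review bot: The display name of the new flag is misspelled: the other entries use lowercase hyphenated English ("tunnel-v6", "udp-encap"), so the line should read `_ (64, IS_INBOUND, "inbound") \`. This string is presumably what the flag formatter prints and what operators will search for in show output, so the typo is user-visible, not cosmetic. The trailing backslash on the final entry keeps the macro continuation consistent with the preceding lines, which is fine.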