aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2020-12-23 16:22:28 +0000
committerAndrew Yourtchenko <ayourtch@gmail.com>2021-01-07 09:15:13 +0000
commita9e2774f5561ccb77c8243a196f93f5070f6c5ad (patch)
tree9bf88556378551ca3bc8ba24b2e2a42878b11208 /src/vnet/ipsec
parent3b6c84c8411f0052410fa0f207fd90f99cee5a2b (diff)
ipsec: Deprecated the old IPsec Tunnel interface
Type: fix it's been 2 releases since it was marked deprecated. Signed-off-by: Neale Ranns <nranns@cisco.com> Change-Id: I0eba7ed607826ed0d00e7d2d8f9b27d09e8e9a6e
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/ipsec.api92
-rw-r--r--src/vnet/ipsec/ipsec_api.c190
-rw-r--r--src/vnet/ipsec/ipsec_cli.c195
-rw-r--r--src/vnet/ipsec/ipsec_tun.c111
-rw-r--r--src/vnet/ipsec/ipsec_tun.h10
5 files changed, 4 insertions, 594 deletions
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 9b091317ee0..c009d8dffaa 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -14,7 +14,7 @@
* limitations under the License.
*/
-option version = "4.0.0";
+option version = "5.0.0";
import "vnet/ipsec/ipsec_types.api";
import "vnet/interface_types.api";
@@ -324,77 +324,6 @@ define ipsec_spd_interface_details {
vl_api_interface_index_t sw_if_index;
};
-/** \brief Add or delete IPsec tunnel interface
-
- !!DEPRECATED!!
- use the tunnel protect APIs instead
-
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
- @param is_add - add IPsec tunnel interface if nonzero, else delete
- @param is_ip6 - tunnel v6 or v4
- @param esn - enable extended sequence numbers if nonzero, else disable
- @param anti_replay - enable anti replay check if nonzero, else disable
- @param local_ip - local IP address
- @param remote_ip - IP address of remote IPsec peer
- @param local_spi - SPI of outbound IPsec SA
- @param remote_spi - SPI of inbound IPsec SA
- @param crypto_alg - encryption algorithm ID
- @param local_crypto_key_len - length of local crypto key in bytes
- @param local_crypto_key - crypto key for outbound IPsec SA
- @param remote_crypto_key_len - length of remote crypto key in bytes
- @param remote_crypto_key - crypto key for inbound IPsec SA
- @param integ_alg - integrity algorithm ID
- @param local_integ_key_len - length of local integrity key in bytes
- @param local_integ_key - integrity key for outbound IPsec SA
- @param remote_integ_key_len - length of remote integrity key in bytes
- @param remote_integ_key - integrity key for inbound IPsec SA
- @param renumber - intf display name uses a specified instance if != 0
- @param show_instance - instance to display for intf if renumber is set
- @param udp_encap - enable UDP encapsulation for NAT traversal
- @param tx_table_id - the FIB id used after packet encap
- @param salt - for use with counter mode ciphers
-*/
-define ipsec_tunnel_if_add_del {
- option deprecated;
- u32 client_index;
- u32 context;
- bool is_add;
- bool esn;
- bool anti_replay;
- vl_api_address_t local_ip;
- vl_api_address_t remote_ip;
- u32 local_spi;
- u32 remote_spi;
- u8 crypto_alg;
- u8 local_crypto_key_len;
- u8 local_crypto_key[128];
- u8 remote_crypto_key_len;
- u8 remote_crypto_key[128];
- u8 integ_alg;
- u8 local_integ_key_len;
- u8 local_integ_key[128];
- u8 remote_integ_key_len;
- u8 remote_integ_key[128];
- bool renumber;
- u32 show_instance;
- bool udp_encap;
- u32 tx_table_id;
- u32 salt;
-};
-
-/** \brief Add/delete IPsec tunnel interface response
- @param context - sender context, to match reply w/ request
- @param retval - return status
- @param sw_if_index - sw_if_index of new interface (for successful add)
-*/
-define ipsec_tunnel_if_add_del_reply {
- option deprecated;
- u32 context;
- i32 retval;
- vl_api_interface_index_t sw_if_index;
-};
-
typedef ipsec_itf
{
u32 user_instance [default=0xffffffff];
@@ -497,25 +426,6 @@ define ipsec_sa_v2_details {
u32 stat_index;
};
-/** \brief Set new SA on IPsec interface
-
- !! DEPRECATED !!
-
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
- @param sw_if_index - index of tunnel interface
- @param sa_id - ID of SA to use
- @param is_outbound - 1 if outbound (local) SA, 0 if inbound (remote)
-*/
-autoreply define ipsec_tunnel_if_set_sa {
- option deprecated;
- u32 client_index;
- u32 context;
- vl_api_interface_index_t sw_if_index;
- u32 sa_id;
- u8 is_outbound;
-};
-
/** \brief Dump IPsec backends
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 06e7ba0d784..335996ee077 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -68,8 +68,6 @@ _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
_(IPSEC_ITF_CREATE, ipsec_itf_create) \
_(IPSEC_ITF_DELETE, ipsec_itf_delete) \
_(IPSEC_ITF_DUMP, ipsec_itf_dump) \
-_(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
-_(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
_(IPSEC_SELECT_BACKEND, ipsec_select_backend) \
_(IPSEC_BACKEND_DUMP, ipsec_backend_dump) \
_(IPSEC_TUNNEL_PROTECT_UPDATE, ipsec_tunnel_protect_update) \
@@ -666,169 +664,6 @@ vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t *
#endif
}
-static u32
-ipsec_tun_mk_input_sa_id (u32 ti)
-{
- return (0x80000000 | ti);
-}
-
-static u32
-ipsec_tun_mk_output_sa_id (u32 ti)
-{
- return (0xc0000000 | ti);
-}
-
-static void
-vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
- mp)
-{
- vl_api_ipsec_tunnel_if_add_del_reply_t *rmp;
- u32 sw_if_index = ~0;
- int rv;
-
-#if WITH_LIBSSL > 0
- ip46_address_t local_ip = ip46_address_initializer;
- ip46_address_t remote_ip = ip46_address_initializer;
- ipsec_key_t crypto_key, integ_key;
- ipsec_sa_flags_t flags;
- ip46_type_t local_ip_type, remote_ip_type;
- ipip_transport_t transport;
- u32 fib_index;
-
- local_ip_type = ip_address_decode (&mp->local_ip, &local_ip);
- remote_ip_type = ip_address_decode (&mp->remote_ip, &remote_ip);
- transport = (IP46_TYPE_IP6 == local_ip_type ?
- IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4);
-
- if (local_ip_type != remote_ip_type)
- {
- rv = VNET_API_ERROR_INVALID_VALUE;
- goto done;
- }
-
- flags = IPSEC_SA_FLAG_NONE;
-
- if (mp->udp_encap)
- flags |= IPSEC_SA_FLAG_UDP_ENCAP;
- if (mp->esn)
- flags |= IPSEC_SA_FLAG_USE_ESN;
- if (mp->anti_replay)
- flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
-
- ipsec_mk_key (&crypto_key, mp->remote_crypto_key,
- mp->remote_crypto_key_len);
- ipsec_mk_key (&integ_key, mp->remote_integ_key, mp->remote_integ_key_len);
- ipsec_mk_key (&crypto_key, mp->local_crypto_key, mp->local_crypto_key_len);
- ipsec_mk_key (&integ_key, mp->local_integ_key, mp->local_integ_key_len);
-
- fib_index =
- fib_table_find (fib_proto_from_ip46 (local_ip_type),
- ntohl (mp->tx_table_id));
-
- if (~0 == fib_index)
- {
- rv = VNET_API_ERROR_NO_SUCH_FIB;
- goto done;
- }
-
- if (mp->is_add)
- {
- // remote = input, local = output
- /* create an ip-ip tunnel, then the two SA, then bind them */
- rv = ipip_add_tunnel (transport,
- (mp->renumber ? ntohl (mp->show_instance) : ~0),
- &local_ip,
- &remote_ip, fib_index,
- TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
- TUNNEL_MODE_P2P, &sw_if_index);
-
- if (rv)
- goto done;
-
- rv = ipsec_sa_add_and_lock (ipsec_tun_mk_input_sa_id (sw_if_index),
- ntohl (mp->remote_spi),
- IPSEC_PROTOCOL_ESP,
- mp->crypto_alg,
- &crypto_key,
- mp->integ_alg,
- &integ_key,
- (flags | IPSEC_SA_FLAG_IS_INBOUND),
- ntohl (mp->tx_table_id),
- mp->salt, &remote_ip, &local_ip,
- TUNNEL_ENCAP_DECAP_FLAG_NONE,
- IP_DSCP_CS0, NULL,
- IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
-
- if (rv)
- goto done;
-
- rv = ipsec_sa_add_and_lock (ipsec_tun_mk_output_sa_id (sw_if_index),
- ntohl (mp->local_spi),
- IPSEC_PROTOCOL_ESP,
- mp->crypto_alg,
- &crypto_key,
- mp->integ_alg,
- &integ_key,
- flags,
- ntohl (mp->tx_table_id),
- mp->salt, &local_ip, &remote_ip,
- TUNNEL_ENCAP_DECAP_FLAG_NONE,
- IP_DSCP_CS0, NULL,
- IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
-
- if (rv)
- goto done;
-
- rv = ipsec_tun_protect_update_one (sw_if_index, NULL,
- ipsec_tun_mk_output_sa_id
- (sw_if_index),
- ipsec_tun_mk_input_sa_id
- (sw_if_index));
- if (rv)
- goto done;
-
- /* the SAs are locked as a result of being used for proection,
- * they cannot be removed from the API, since they cannot be refered
- * to by the API. unlock them now, so that if the tunnel is rekeyed
- * they-ll disapper
- */
- ipsec_sa_unlock_id (ipsec_tun_mk_input_sa_id (sw_if_index));
- ipsec_sa_unlock_id (ipsec_tun_mk_output_sa_id (sw_if_index));
- }
- else
- {
- /* *INDENT-OFF* */
- ipip_tunnel_key_t key = {
- .transport = transport,
- .fib_index = fib_index,
- .src = local_ip,
- .dst = remote_ip
- };
- /* *INDENT-ON* */
-
- ipip_tunnel_t *t = ipip_tunnel_db_find (&key);
-
- if (NULL != t)
- {
- rv = ipsec_tun_protect_del (t->sw_if_index, NULL);
- ipip_del_tunnel (t->sw_if_index);
- }
- else
- rv = VNET_API_ERROR_NO_SUCH_ENTRY;
- }
-
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-done:
- /* *INDENT-OFF* */
- REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY,
- ({
- rmp->sw_if_index = htonl (sw_if_index);
- }));
- /* *INDENT-ON* */
-}
-
static void
vl_api_ipsec_itf_create_t_handler (vl_api_ipsec_itf_create_t * mp)
{
@@ -1088,31 +923,6 @@ vl_api_ipsec_sa_v2_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
}
static void
-vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
-{
- vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
- int rv;
-
-#if WITH_LIBSSL > 0
- VALIDATE_SW_IF_INDEX(mp);
-
- if (mp->is_outbound)
- rv = ipsec_tun_protect_update_out (ntohl (mp->sw_if_index), NULL,
- ntohl (mp->sa_id));
- else
- rv = ipsec_tun_protect_update_in (ntohl (mp->sw_if_index), NULL,
- ntohl (mp->sa_id));
-
-#else
- clib_warning ("unimplemented");
-#endif
-
- BAD_SW_IF_INDEX_LABEL;
-
- REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
-}
-
-static void
vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp)
{
vl_api_registration_t *rp;
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 1486bbd89fd..0b0ed6c4f12 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -784,201 +784,6 @@ VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = {
};
/* *INDENT-ON* */
-static u32
-ipsec_tun_mk_local_sa_id (u32 ti)
-{
- return (0x80000000 | ti);
-}
-
-static u32
-ipsec_tun_mk_remote_sa_id (u32 ti)
-{
- return (0xc0000000 | ti);
-}
-
-static clib_error_t *
-create_ipsec_tunnel_command_fn (vlib_main_t * vm,
- unformat_input_t * input,
- vlib_cli_command_t * cmd)
-{
- unformat_input_t _line_input, *line_input = &_line_input;
- ip46_address_t local_ip = ip46_address_initializer;
- ip46_address_t remote_ip = ip46_address_initializer;
- ip_address_t nh = IP_ADDRESS_V4_ALL_0S;
- ipsec_crypto_alg_t crypto_alg = IPSEC_CRYPTO_ALG_NONE;
- ipsec_integ_alg_t integ_alg = IPSEC_INTEG_ALG_NONE;
- ipsec_sa_flags_t flags;
- u32 local_spi, remote_spi, salt = 0, table_id, fib_index;
- u32 instance = ~0;
- int rv;
- u32 m_args = 0;
- u8 ipv4_set = 0;
- u8 ipv6_set = 0;
- u8 is_add = 1;
- clib_error_t *error = NULL;
- ipsec_key_t rck = { 0 };
- ipsec_key_t lck = { 0 };
- ipsec_key_t lik = { 0 };
- ipsec_key_t rik = { 0 };
-
- table_id = 0;
- flags = IPSEC_SA_FLAG_NONE;
-
- /* Get a line of input. */
- if (!unformat_user (input, unformat_line_input, line_input))
- return 0;
-
- while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat
- (line_input, "local-ip %U", unformat_ip46_address, &local_ip,
- IP46_TYPE_ANY))
- {
- ip46_address_is_ip4 (&local_ip) ? (ipv4_set = 1) : (ipv6_set = 1);
- m_args |= 1 << 0;
- }
- else
- if (unformat
- (line_input, "remote-ip %U", unformat_ip46_address, &remote_ip,
- IP46_TYPE_ANY))
- {
- ip46_address_is_ip4 (&remote_ip) ? (ipv4_set = 1) : (ipv6_set = 1);
- m_args |= 1 << 1;
- }
- else if (unformat (line_input, "local-spi %u", &local_spi))
- m_args |= 1 << 2;
- else if (unformat (line_input, "remote-spi %u", &remote_spi))
- m_args |= 1 << 3;
- else if (unformat (line_input, "salt 0x%x", &salt))
- ;
- else if (unformat (line_input, "udp-encap"))
- flags |= IPSEC_SA_FLAG_UDP_ENCAP;
- else if (unformat (line_input, "use-esn"))
- flags |= IPSEC_SA_FLAG_USE_ESN;
- else if (unformat (line_input, "use-anti-replay"))
- flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
- else if (unformat (line_input, "instance %u", &instance))
- ;
- else if (unformat (line_input, "tx-table %u", &table_id))
- ;
- else
- if (unformat
- (line_input, "local-crypto-key %U", unformat_ipsec_key, &lck))
- ;
- else
- if (unformat
- (line_input, "remote-crypto-key %U", unformat_ipsec_key, &rck))
- ;
- else if (unformat (line_input, "crypto-alg %U",
- unformat_ipsec_crypto_alg, &crypto_alg))
- ;
- else
- if (unformat
- (line_input, "local-integ-key %U", unformat_ipsec_key, &lik))
- ;
- else
- if (unformat
- (line_input, "remote-integ-key %U", unformat_ipsec_key, &rik))
- ;
- else if (unformat (line_input, "integ-alg %U",
- unformat_ipsec_integ_alg, &integ_alg))
- ;
- else if (unformat (line_input, "del"))
- is_add = 0;
- else if (unformat (line_input, "nh %U", unformat_ip_address, &nh))
- ;
- else
- {
- error = clib_error_return (0, "unknown input `%U'",
- format_unformat_error, line_input);
- goto done;
- }
- }
-
- if (0xf != m_args)
- {
- error = clib_error_return (0, "mandatory argument(s) missing");
- goto done;
- }
-
- if (ipv4_set && ipv6_set)
- return clib_error_return (0, "both IPv4 and IPv6 addresses specified");
-
- fib_index = fib_table_find (fib_ip_proto (ipv6_set), table_id);
-
- if (~0 == fib_index)
- {
- rv = VNET_API_ERROR_NO_SUCH_FIB;
- goto done;
- }
-
- if (is_add)
- {
- // remote = input, local = output
- u32 sw_if_index;
-
- /* create an ip-ip tunnel, then the two SA, then bind them */
- rv =
- ipip_add_tunnel (ipv6_set ? IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4,
- instance, &local_ip, &remote_ip, fib_index,
- TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
- TUNNEL_MODE_P2P, &sw_if_index);
- rv |=
- ipsec_sa_add_and_lock (ipsec_tun_mk_local_sa_id (sw_if_index),
- local_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
- &lck, integ_alg, &lik, flags, table_id,
- clib_host_to_net_u32 (salt), &local_ip,
- &remote_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
- IP_DSCP_CS0, NULL,
- IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
- rv |=
- ipsec_sa_add_and_lock (ipsec_tun_mk_remote_sa_id (sw_if_index),
- remote_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
- &rck, integ_alg, &rik,
- (flags | IPSEC_SA_FLAG_IS_INBOUND), table_id,
- clib_host_to_net_u32 (salt), &remote_ip,
- &local_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
- IP_DSCP_CS0, NULL,
- IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
- rv |=
- ipsec_tun_protect_update_one (sw_if_index, &nh,
- ipsec_tun_mk_local_sa_id (sw_if_index),
- ipsec_tun_mk_remote_sa_id
- (sw_if_index));
- }
- else
- rv = 0;
-
- switch (rv)
- {
- case 0:
- break;
- case VNET_API_ERROR_INVALID_VALUE:
- error = clib_error_return (0,
- "IPSec tunnel interface already exists...");
- goto done;
- default:
- error = clib_error_return (0, "ipsec_register_interface returned %d",
- rv);
- goto done;
- }
-
-done:
- unformat_free (line_input);
-
- return error;
-}
-
-/* *INDENT-OFF* */
-VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
- .path = "create ipsec tunnel",
- .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> "
- "remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap] [use-esn] [use-anti-replay] "
- "[tx-table <table-id>]",
- .function = create_ipsec_tunnel_command_fn,
-};
-/* *INDENT-ON* */
-
static clib_error_t *
ipsec_tun_protect_cmd (vlib_main_t * vm,
unformat_input_t * input, vlib_cli_command_t * cmd)
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index a35b6190c44..c3f50a6ffe9 100644
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -529,111 +529,6 @@ ipsec_tun_protect_unconfig (ipsec_main_t * im, ipsec_tun_protect_t * itp)
ITP_DBG (itp, "unconfigured");
}
-int
-ipsec_tun_protect_update_one (u32 sw_if_index,
- const ip_address_t * nh, u32 sa_out, u32 sa_in)
-{
- u32 *sas_in = NULL;
- int rv;
-
- vec_add1 (sas_in, sa_in);
- rv = ipsec_tun_protect_update (sw_if_index, nh, sa_out, sas_in);
-
- return (rv);
-}
-
-int
-ipsec_tun_protect_update_out (u32 sw_if_index,
- const ip_address_t * nh, u32 sa_out)
-{
- u32 itpi, *sas_in, sai, *saip;
- ipsec_tun_protect_t *itp;
- ipsec_main_t *im;
- int rv;
-
- sas_in = NULL;
- rv = 0;
- im = &ipsec_main;
-
- itpi = ipsec_tun_protect_find (sw_if_index, nh);
-
- if (INDEX_INVALID == itpi)
- {
- return (VNET_API_ERROR_INVALID_INTERFACE);
- }
-
- itp = pool_elt_at_index (ipsec_tun_protect_pool, itpi);
-
- /* *INDENT-OFF* */
- FOR_EACH_IPSEC_PROTECT_INPUT_SAI (itp, sai,
- ({
- ipsec_sa_lock (sai);
- vec_add1 (sas_in, sai);
- }));
- /* *INDENT-ON* */
-
- sa_out = ipsec_sa_find_and_lock (sa_out);
-
- if (~0 == sa_out)
- {
- rv = VNET_API_ERROR_INVALID_VALUE;
- goto out;
- }
-
- ipsec_tun_protect_unconfig (im, itp);
- ipsec_tun_protect_config (im, itp, sa_out, sas_in);
-
- ipsec_sa_unlock (sa_out);
- vec_foreach (saip, sas_in) ipsec_sa_unlock (*saip);
-
-out:
- vec_free (sas_in);
- return (rv);
-}
-
-int
-ipsec_tun_protect_update_in (u32 sw_if_index,
- const ip_address_t * nh, u32 sa_in)
-{
- u32 itpi, *sas_in, sa_out;
- ipsec_tun_protect_t *itp;
- ipsec_main_t *im;
- int rv;
-
- sas_in = NULL;
- rv = 0;
- im = &ipsec_main;
- itpi = ipsec_tun_protect_find (sw_if_index, nh);
-
- if (INDEX_INVALID == itpi)
- {
- return (VNET_API_ERROR_INVALID_INTERFACE);
- }
-
- sa_in = ipsec_sa_find_and_lock (sa_in);
-
- if (~0 == sa_in)
- {
- rv = VNET_API_ERROR_INVALID_VALUE;
- goto out;
- }
- vec_add1 (sas_in, sa_in);
-
- itp = pool_elt_at_index (ipsec_tun_protect_pool, itpi);
- sa_out = itp->itp_out_sa;
-
- ipsec_sa_lock (sa_out);
-
- ipsec_tun_protect_unconfig (im, itp);
- ipsec_tun_protect_config (im, itp, sa_out, sas_in);
-
- ipsec_sa_unlock (sa_out);
- ipsec_sa_unlock (sa_in);
-out:
- vec_free (sas_in);
- return (rv);
-}
-
static void
ipsec_tun_protect_update_from_teib (ipsec_tun_protect_t * itp,
const teib_entry_t * ne)
@@ -972,7 +867,7 @@ const static teib_vft_t ipsec_tun_teib_vft = {
.nv_deleted = ipsec_tun_teib_entry_deleted,
};
-void
+static void
ipsec_tun_table_init (ip_address_family_t af, uword table_size, u32 n_buckets)
{
ipsec_main_t *im;
@@ -987,8 +882,8 @@ ipsec_tun_table_init (ip_address_family_t af, uword table_size, u32 n_buckets)
"IPSec IPv6 tunnels", n_buckets, table_size);
}
-clib_error_t *
-ipsec_tunnel_protect_init (vlib_main_t * vm)
+static clib_error_t *
+ipsec_tunnel_protect_init (vlib_main_t *vm)
{
ipsec_main_t *im;
diff --git a/src/vnet/ipsec/ipsec_tun.h b/src/vnet/ipsec/ipsec_tun.h
index b8e80d3565f..7ae00992faa 100644
--- a/src/vnet/ipsec/ipsec_tun.h
+++ b/src/vnet/ipsec/ipsec_tun.h
@@ -143,16 +143,9 @@ typedef struct ipsec_tun_protect_t_
} \
}
-extern int ipsec_tun_protect_update_one (u32 sw_if_index,
- const ip_address_t * nh,
- u32 sa_out, u32 sa_in);
extern int ipsec_tun_protect_update (u32 sw_if_index,
const ip_address_t * nh,
u32 sa_out, u32 * sa_ins);
-extern int ipsec_tun_protect_update_in (u32 sw_if_index,
- const ip_address_t * nh, u32 sa_in);
-extern int ipsec_tun_protect_update_out (u32 sw_if_index,
- const ip_address_t * nh, u32 sa_out);
extern int ipsec_tun_protect_del (u32 sw_if_index, const ip_address_t * nh);
@@ -169,9 +162,6 @@ extern u8 *format_ipsec_tun_protect_index (u8 * s, va_list * args);
extern void ipsec_tun_register_nodes (ip_address_family_t af);
extern void ipsec_tun_unregister_nodes (ip_address_family_t af);
-extern void ipsec_tun_table_init (ip_address_family_t af,
- uword table_size, u32 n_buckets);
-
// FIXME
extern vlib_node_registration_t ipsec4_tun_input_node;
extern vlib_node_registration_t ipsec6_tun_input_node;