authorChristian Hopps <chopps@labn.net>2020-02-26 05:40:40 -0500
committerDave Wallace <dwallacelf@gmail.com>2020-04-01 16:10:31 +0000
commit597d4df6cf8b96e645e21447974cd82c3285aee0 (patch)
tree43bd8e1ed0515da7104f0ea2253db2b30df82b9d /src/vnet
parentd643e5f30155e46aa6f345aa52d8ef5026d879a6 (diff)
api: ipsec: add missing IS_INBOUND flag
External IKE daemons need to be able to flag an SA as inbound (just as the included ike plugin does). This commit adds this flag to the API. This change is backward bug-compatible as not setting the flag (old clients) continues to mean all SAs are created as outbound and fib nodes are created for them. The addition of this flag inhibits this forwarding node creation as well as properly flagging the SA as inbound. Ticket: VPP-1845 Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: Ifa6fd664587380aa53e95d0e4eb2e1a4b1df7909
Diffstat (limited to 'src/vnet')
-rw-r--r--src/vnet/ipsec/ipsec.api2
-rw-r--r--src/vnet/ipsec/ipsec_api.c4
2 files changed, 6 insertions, 0 deletions
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 12bdad0f9c3..ca310e7b590 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -233,6 +233,8 @@ enum ipsec_sad_flags
IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08,
/* enable UDP encapsulation for NAT traversal */
IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,
+ /* IPsec SA is for inbound traffic */
+ IPSEC_API_SAD_FLAG_IS_INBOUND = 0x40,
};
enum ipsec_proto
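Review bot: The comment added for `IPSEC_API_SAD_FLAG_IS_INBOUND` does not tell an API client what leaving the bit clear means, although the commit message says such SAs are created as outbound and get forwarding nodes. SA direction is security-relevant, so I would spell it out: `/* IPsec SA is for inbound traffic; if clear the SA is created as outbound and forwarding nodes are created for it */`. The value also jumps from 0x10 to 0x40; if 0x20 is deliberately left unused (presumably to line up with internal flag values, which are not visible here), a one-line comment saying so would keep it from being reused by accident.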
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 371e4fe4ed0..abebd5baea3 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -445,6 +445,8 @@ ipsec_sa_flags_decode (vl_api_ipsec_sad_flags_t in)
flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
if (in & IPSEC_API_SAD_FLAG_UDP_ENCAP)
flags |= IPSEC_SA_FLAG_UDP_ENCAP;
+ if (in & IPSEC_API_SAD_FLAG_IS_INBOUND)
+ flags |= IPSEC_SA_FLAG_IS_INBOUND;
return (flags);
}
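Review bot: Any bit in `in` that is not tested in the visible part of `ipsec_sa_flags_decode` is dropped without an error, so a request carrying an undefined flag (0x20, for example) is accepted and the SA is built from the remaining bits only. Now that direction is carried in this field, a silent fall-back to an outbound SA is easy to miss on the client side. The caller could reject requests that set bits outside the defined set, or at minimum the function should carry a comment such as `/* bits not listed below are ignored, not rejected */`. The function starts outside this hunk, so an earlier check may already exist.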
@@ -464,6 +466,8 @@ ipsec_sad_flags_encode (const ipsec_sa_t * sa)
flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
if (ipsec_sa_is_set_UDP_ENCAP (sa))
flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
+ if (ipsec_sa_is_set_IS_INBOUND (sa))
+ flags |= IPSEC_API_SAD_FLAG_IS_INBOUND;
return clib_host_to_net_u32 (flags);
}