author | Neale Ranns <nranns@cisco.com> | 2019-09-27 13:32:02 +0000 |
---|---|---|
committer | Andrew Yourtchenko <ayourtch@gmail.com> | 2019-10-04 14:22:12 +0000 |
commit | 2e6d7393441bb42aa2f48e210931422e07248a64 (patch) | |
tree | c4e4e62f6642509ba75d59082b6c0db631073eb8 /src | |
parent | 24f486cb563399babf553eb0a09082572ab4a303 (diff) |
ipsec: support 4o6 and 6o4 for tunnel protect
Type: feature
Change-Id: Ib2352ca4c7abf4645f21fa16aaaf27408890a2bf
Signed-off-by: Neale Ranns <nranns@cisco.com>
(cherry picked from commit b325983a4461dd806e86a31abc47533b09482157)
Diffstat (limited to 'src')
-rw-r--r-- | src/vnet/ipsec/esp_encrypt.c | 15 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_tun.c | 41 |
2 files changed, 31 insertions, 25 deletions
diff --git a/src/vnet/ipsec/esp_encrypt.c b/src/vnet/ipsec/esp_encrypt.c index 47c079d95d2..730a2b83c11 100644 --- a/src/vnet/ipsec/esp_encrypt.c +++ b/src/vnet/ipsec/esp_encrypt.c @@ -630,6 +630,13 @@ VNET_FEATURE_INIT (esp4_encrypt_tun_feat_node, static) = .runs_before = VNET_FEATURES ("adj-midchain-tx"), }; +VNET_FEATURE_INIT (esp6o4_encrypt_tun_feat_node, static) = +{ + .arc_name = "ip6-output", + .node_name = "esp4-encrypt-tun", + .runs_before = VNET_FEATURES ("adj-midchain-tx"), +}; + VNET_FEATURE_INIT (esp4_ethernet_encrypt_tun_feat_node, static) = { .arc_name = "ethernet-output", @@ -667,6 +674,14 @@ VNET_FEATURE_INIT (esp6_encrypt_tun_feat_node, static) = .node_name = "esp6-encrypt-tun", .runs_before = VNET_FEATURES ("adj-midchain-tx"), }; + +VNET_FEATURE_INIT (esp4o6_encrypt_tun_feat_node, static) = +{ + .arc_name = "ip4-output", + .node_name = "esp6-encrypt-tun", + .runs_before = VNET_FEATURES ("adj-midchain-tx"), +}; + /* *INDENT-ON* */ typedef struct diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c index 859fab8899e..ad544a919db 100644 --- a/src/vnet/ipsec/ipsec_tun.c +++ b/src/vnet/ipsec/ipsec_tun.c 
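Review bot: The two new registrations in esp_encrypt.c (`esp6o4_encrypt_tun_feat_node` in the hunk at -630 and `esp4o6_encrypt_tun_feat_node` in the hunk at -667) have no comment saying which address family is the payload and which is the tunnel, so pairing arc `ip6-output` with node `esp4-encrypt-tun` reads like a copy-paste slip. I would add above each something like `/* IPv6 payload over an IPv4 tunnel: the arc follows the inner packet, the node follows the outer header */`, mirrored for 4o6. The diffstat shows only these registrations changing in this file, so it is worth confirming that the existing encrypt-tun nodes take the ESP next-header from the packet they are handed rather than assuming the inner family matches the node's. That code is outside these hunks.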
@@ -39,38 +39,29 @@ static int ipsec_tun_protect_feature_set (ipsec_tun_protect_t * itp, u8 enable) { u32 sai = itp->itp_out_sa; - int is_ip4, is_l2, rv; + int rv; - is_ip4 = ip46_address_is_ip4 (&itp->itp_tun.src); - is_l2 = itp->itp_flags & IPSEC_PROTECT_L2; + const char *enc_node = (ip46_address_is_ip4 (&itp->itp_tun.src) ? + "esp4-encrypt-tun" : "esp6-encrypt-tun"); - if (is_ip4) + if (itp->itp_flags & IPSEC_PROTECT_L2) { - if (is_l2) - rv = vnet_feature_enable_disable ("ethernet-output", - "esp4-encrypt-tun", - itp->itp_sw_if_index, enable, - &sai, sizeof (sai)); - else - rv = vnet_feature_enable_disable ("ip4-output", - "esp4-encrypt-tun", - itp->itp_sw_if_index, enable, - &sai, sizeof (sai)); + rv = vnet_feature_enable_disable ("ethernet-output", + enc_node, + itp->itp_sw_if_index, enable, + &sai, sizeof (sai)); } else { - if (is_l2) - rv = vnet_feature_enable_disable ("ethernet-output", - "esp6-encrypt-tun", - itp->itp_sw_if_index, enable, - &sai, sizeof (sai)); - else - rv = vnet_feature_enable_disable ("ip6-output", - "esp6-encrypt-tun", - itp->itp_sw_if_index, enable, - &sai, sizeof (sai)); + rv = vnet_feature_enable_disable ("ip4-output", + enc_node, + itp->itp_sw_if_index, enable, + &sai, sizeof (sai)); + rv = vnet_feature_enable_disable ("ip6-output", + enc_node, + itp->itp_sw_if_index, enable, + &sai, sizeof (sai)); } - ASSERT (!rv); return (rv); } |
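Review bot: In the non-L2 branch the result of the `ip4-output` call is overwritten by the `ip6-output` call, so a failure to enable the encrypt node on the IPv4 arc is never reported and the function can return 0 with protection only half applied. For a tunnel-protect interface that would presumably mean traffic of one family leaving without ESP, so the first result should be checked before the second call, e.g. `if (rv) return (rv);` between the two calls. It would also help to undo the first arc when the second fails, so that enable is all-or-nothing. The collapsed rendering does not make clear whether `ASSERT (!rv);` is kept on the new side; if it is, it still only sees the second result.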