diff options
author | Matthew Smith <mgsmith@netgate.com> | 2018-04-12 07:32:56 -0500 |
---|---|---|
committer | Damjan Marion <dmarion.lists@gmail.com> | 2018-04-19 10:35:25 +0000 |
commit | 8e1039a8231cd1d817a24256c421b9fc512f45fa (patch) | |
tree | 656a6902ae128794b76e879c74a8dad895c52294 /src | |
parent | 1e5c07d379a092f4829e7081aa962d013b31fdfc (diff) |
Allow an IPsec tunnel interface to be renumbered
When creating an IPsec tunnel interface, allow a numeric
identifier to be set for use in the interface's name in
place of the dev instance. Default to using the dev instance
if no value is explicitly set.
When an IPsec tunnel is deleted, the interface is deleted
now instead of being kept in a pool of available hw
interfaces. Otherwise there was the possibility of
conflicting tx node names between deleted tunnels and
newly created ones.
Change-Id: Ic525466622a0dec38a845fa5871c084f6d9da380
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/vat/api_format.c | 13 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec.api | 4 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec.h | 4 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_api.c | 2 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_cli.c | 4 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_if.c | 57 |
6 files changed, 54 insertions, 30 deletions
diff --git a/src/vat/api_format.c b/src/vat/api_format.c index ceb074ccfe2..8c2fb13ecfe 100644 --- a/src/vat/api_format.c +++ b/src/vat/api_format.c @@ -15285,6 +15285,8 @@ api_ipsec_tunnel_if_add_del (vat_main_t * vam) u8 is_add = 1; u8 esn = 0; u8 anti_replay = 0; + u8 renumber = 0; + u32 instance = ~0; int ret; while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) @@ -15336,6 +15338,8 @@ api_ipsec_tunnel_if_add_del (vat_main_t * vam) return -99; } } + else if (unformat (i, "instance %u", &instance)) + renumber = 1; else { errmsg ("parse error '%U'\n", format_unformat_error, i); @@ -15394,6 +15398,12 @@ api_ipsec_tunnel_if_add_del (vat_main_t * vam) clib_memcpy (mp->remote_integ_key, rik, mp->remote_integ_key_len); } + if (renumber) + { + mp->renumber = renumber; + mp->show_instance = ntohl (instance); + } + S (mp); W (ret); return ret; @@ -23477,7 +23487,8 @@ _(ipsec_sa_set_key, "sa_id <n> crypto_key <hex> integ_key <hex>") \ _(ipsec_tunnel_if_add_del, "local_spi <n> remote_spi <n>\n" \ " crypto_alg <alg> local_crypto_key <hex> remote_crypto_key <hex>\n" \ " integ_alg <alg> local_integ_key <hex> remote_integ_key <hex>\n" \ - " local_ip <addr> remote_ip <addr> [esn] [anti_replay] [del]\n") \ + " local_ip <addr> remote_ip <addr> [esn] [anti_replay] [del]\n" \ + " [instance <n>]") \ _(ipsec_sa_dump, "[sa_id <n>]") \ _(ipsec_tunnel_if_set_key, "<intfc> <local|remote> <crypto|integ>\n" \ " <alg> <hex>\n") \ diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api index bf2bc606e65..89c8a8b8240 100644 --- a/src/vnet/ipsec/ipsec.api +++ b/src/vnet/ipsec/ipsec.api @@ -513,6 +513,8 @@ define ipsec_spd_details { @param local_integ_key - integrity key for outbound IPsec SA @param remote_integ_key_len - length of remote integrity key in bytes @param remote_integ_key - integrity key for inbound IPsec SA + @param renumber - intf display name uses a specified instance if != 0 + @param show_instance - instance to display for intf if renumber is set */ define ipsec_tunnel_if_add_del { u32 client_index; @@ -534,6 +536,8 @@ define ipsec_tunnel_if_add_del { u8 local_integ_key[128]; u8 remote_integ_key_len; u8 remote_integ_key[128]; + u8 renumber; + u32 show_instance; }; /** \brief Add/delete IPsec tunnel interface response diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h index 32bdee9c062..0269eb05261 100644 --- a/src/vnet/ipsec/ipsec.h +++ b/src/vnet/ipsec/ipsec.h @@ -171,6 +171,8 @@ typedef struct u8 local_integ_key[128]; u8 remote_integ_key_len; u8 remote_integ_key[128]; + u8 renumber; + u32 show_instance; } ipsec_add_del_tunnel_args_t; typedef struct @@ -243,6 +245,7 @@ typedef struct u32 input_sa_index; u32 output_sa_index; u32 hw_if_index; + u32 show_instance; } ipsec_tunnel_if_t; typedef struct @@ -277,6 +280,7 @@ typedef struct uword *spd_index_by_sw_if_index; uword *sa_index_by_sa_id; uword *ipsec_if_pool_index_by_key; + uword *ipsec_if_real_dev_by_show_dev; /* node indeces */ u32 error_drop_node_index; diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index da78f3d2496..6fb4f556c50 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -385,6 +385,8 @@ vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * mp->local_integ_key_len); memcpy (&tun.remote_integ_key, &mp->remote_integ_key, mp->remote_integ_key_len); + tun.renumber = mp->renumber; + tun.show_instance = ntohl (mp->show_instance); rv = ipsec_add_del_tunnel_if_internal (vnm, &tun, &sw_if_index); diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 711403ff81a..09134e3901b 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -726,6 +726,8 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm, num_m_args++; else if (unformat (line_input, "remote-spi %u", &a.remote_spi)) num_m_args++; + else if (unformat (line_input, "instance %u", &a.show_instance)) + a.renumber = 1; else if (unformat (line_input, "del")) a.is_add = 0; else @@ -770,7 +772,7 @@ done: /* *INDENT-OFF* */ VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = { .path = "create ipsec tunnel", - .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi>", + .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi> [instance <inst_num>]", .function = create_ipsec_tunnel_command_fn, }; /* *INDENT-ON* */ diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c index 852b142717f..e7536b2756e 100644 --- a/src/vnet/ipsec/ipsec_if.c +++ b/src/vnet/ipsec/ipsec_if.c @@ -28,7 +28,10 @@ static u8 * format_ipsec_name (u8 * s, va_list * args) { u32 dev_instance = va_arg (*args, u32); - return format (s, "ipsec%d", dev_instance); + ipsec_main_t *im = &ipsec_main; + ipsec_tunnel_if_t *t = im->tunnel_interfaces + dev_instance; + + return format (s, "ipsec%d", t->show_instance); } static uword @@ -158,6 +161,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, u32 hw_if_index = ~0; uword *p; ipsec_sa_t *sa; + u32 dev_instance; u64 key = (u64) args->remote_ip.as_u32 << 32 | (u64) args->remote_spi; p = hash_get (im->ipsec_if_pool_index_by_key, key); @@ -171,6 +175,21 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, pool_get_aligned (im->tunnel_interfaces, t, CLIB_CACHE_LINE_BYTES); memset (t, 0, sizeof (*t)); + dev_instance = t - im->tunnel_interfaces; + if (args->renumber) + t->show_instance = args->show_instance; + else + t->show_instance = dev_instance; + + if (hash_get (im->ipsec_if_real_dev_by_show_dev, t->show_instance)) + { + pool_put (im->tunnel_interfaces, t); + return VNET_API_ERROR_INSTANCE_IN_USE; + } + + hash_set (im->ipsec_if_real_dev_by_show_dev, t->show_instance, + dev_instance); + pool_get (im->sad, sa); memset (sa, 0, sizeof (*sa)); t->input_sa_index = sa - im->sad; @@ -222,21 +241,10 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, hash_set (im->ipsec_if_pool_index_by_key, key, t - im->tunnel_interfaces); - if (vec_len (im->free_tunnel_if_indices) > 0) - { - hw_if_index = - im->free_tunnel_if_indices[vec_len (im->free_tunnel_if_indices) - - 1]; - _vec_len (im->free_tunnel_if_indices) -= 1; - } - else - { - hw_if_index = - vnet_register_interface (vnm, ipsec_device_class.index, - t - im->tunnel_interfaces, - ipsec_hw_class.index, - t - im->tunnel_interfaces); - } + hw_if_index = vnet_register_interface (vnm, ipsec_device_class.index, + t - im->tunnel_interfaces, + ipsec_hw_class.index, + t - im->tunnel_interfaces); hi = vnet_get_hw_interface (vnm, hw_if_index); hi->output_node_index = ipsec_if_output_node.index; @@ -253,8 +261,6 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, } else { - vnet_interface_main_t *vim = &vnm->interface_main; - /* check if exists */ if (!p) return VNET_API_ERROR_INVALID_VALUE; @@ -266,25 +272,19 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, vnet_feature_enable_disable ("interface-output", "ipsec-if-output", hi->sw_if_index, 0, 0, 0); - vec_add1 (im->free_tunnel_if_indices, t->hw_if_index); - - vnet_interface_counter_lock (vim); - vlib_zero_combined_counter (vim->combined_sw_if_counters + - VNET_INTERFACE_COUNTER_TX, hi->sw_if_index); - vlib_zero_combined_counter (vim->combined_sw_if_counters + - VNET_INTERFACE_COUNTER_RX, hi->sw_if_index); - vnet_interface_counter_unlock (vim); + vnet_delete_hw_interface (vnm, t->hw_if_index); /* delete input and output SA */ - sa = pool_elt_at_index (im->sad, t->input_sa_index); + sa = pool_elt_at_index (im->sad, t->input_sa_index); pool_put (im->sad, sa); sa = pool_elt_at_index (im->sad, t->output_sa_index); - pool_put (im->sad, sa); hash_unset (im->ipsec_if_pool_index_by_key, key); + hash_unset (im->ipsec_if_real_dev_by_show_dev, t->show_instance); + pool_put (im->tunnel_interfaces, t); } @@ -491,6 +491,7 @@ ipsec_tunnel_if_init (vlib_main_t * vm) ipsec_main_t *im = &ipsec_main; im->ipsec_if_pool_index_by_key = hash_create (0, sizeof (uword)); + im->ipsec_if_real_dev_by_show_dev = hash_create (0, sizeof (uword)); return 0; } |