summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorPiotr Bronowski <piotrx.bronowski@intel.com>2022-10-21 15:48:55 +0000
committerFan Zhang <fanzhang.oss@gmail.com>2023-01-16 14:54:06 +0000
commit1d9780a43fe54a55c7540f3528b8703ede0a5871 (patch)
treeda7bc83cdd7f214bab2db46dfd535c1bf2a3a7b0 /src
parente917bf75d911fae3a553b77e64cd4c37984948a8 (diff)
ipsec: fix transpose local ip range position with remote ip range in fast path implementation
In fast path implementation of spd policy lookup opposite convention to the original implementation has been applied and local ip range has been interchanged with the remote ip range. This fix addresses this issue. Type: fix Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: I0b6cccc80bf52b34524e98cfd1f1d542008bb7d0
Diffstat (limited to 'src')
-rw-r--r--src/vnet/ipsec/ipsec_input.c14
-rw-r--r--src/vnet/ipsec/ipsec_spd_fp_lookup.h12
2 files changed, 13 insertions, 13 deletions
diff --git a/src/vnet/ipsec/ipsec_input.c b/src/vnet/ipsec/ipsec_input.c
index 62723d4ffa8..4412ff331ea 100644
--- a/src/vnet/ipsec/ipsec_input.c
+++ b/src/vnet/ipsec/ipsec_input.c
@@ -153,24 +153,24 @@ ipsec4_input_spd_find_flow_cache_entry (ipsec_main_t *im, u32 sa, u32 da,
}
always_inline void
-ipsec_fp_in_5tuple_from_ip4_range (ipsec_fp_5tuple_t *tuple, u32 la, u32 ra,
+ipsec_fp_in_5tuple_from_ip4_range (ipsec_fp_5tuple_t *tuple, u32 sa, u32 da,
u32 spi, u8 action)
{
clib_memset (tuple->l3_zero_pad, 0, sizeof (tuple->l3_zero_pad));
- tuple->laddr.as_u32 = la;
- tuple->raddr.as_u32 = ra;
+ tuple->laddr.as_u32 = da;
+ tuple->raddr.as_u32 = sa;
tuple->spi = spi;
tuple->action = action;
tuple->is_ipv6 = 0;
}
always_inline void
-ipsec_fp_in_5tuple_from_ip6_range (ipsec_fp_5tuple_t *tuple, ip6_address_t *la,
- ip6_address_t *ra, u32 spi, u8 action)
+ipsec_fp_in_5tuple_from_ip6_range (ipsec_fp_5tuple_t *tuple, ip6_address_t *sa,
+ ip6_address_t *da, u32 spi, u8 action)
{
- clib_memcpy (&tuple->ip6_laddr, la, sizeof (ip6_address_t));
- clib_memcpy (&tuple->ip6_raddr, ra, sizeof (ip6_address_t));
+ clib_memcpy (&tuple->ip6_laddr, da, sizeof (ip6_address_t));
+ clib_memcpy (&tuple->ip6_raddr, sa, sizeof (ip6_address_t));
tuple->spi = spi;
tuple->action = action;
diff --git a/src/vnet/ipsec/ipsec_spd_fp_lookup.h b/src/vnet/ipsec/ipsec_spd_fp_lookup.h
index a372ac77a50..71260855317 100644
--- a/src/vnet/ipsec/ipsec_spd_fp_lookup.h
+++ b/src/vnet/ipsec/ipsec_spd_fp_lookup.h
@@ -97,8 +97,8 @@ static_always_inline int
single_rule_in_match_5tuple (ipsec_policy_t *policy, ipsec_fp_5tuple_t *match)
{
- u32 sa = clib_net_to_host_u32 (match->laddr.as_u32);
- u32 da = clib_net_to_host_u32 (match->raddr.as_u32);
+ u32 da = clib_net_to_host_u32 (match->laddr.as_u32);
+ u32 sa = clib_net_to_host_u32 (match->raddr.as_u32);
if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
{
@@ -118,16 +118,16 @@ single_rule_in_match_5tuple (ipsec_policy_t *policy, ipsec_fp_5tuple_t *match)
}
else
{
- if (da < clib_net_to_host_u32 (policy->raddr.start.ip4.as_u32))
+ if (sa < clib_net_to_host_u32 (policy->raddr.start.ip4.as_u32))
return (0);
- if (da > clib_net_to_host_u32 (policy->raddr.stop.ip4.as_u32))
+ if (sa > clib_net_to_host_u32 (policy->raddr.stop.ip4.as_u32))
return (0);
- if (sa < clib_net_to_host_u32 (policy->laddr.start.ip4.as_u32))
+ if (da < clib_net_to_host_u32 (policy->laddr.start.ip4.as_u32))
return (0);
- if (sa > clib_net_to_host_u32 (policy->laddr.stop.ip4.as_u32))
+ if (da > clib_net_to_host_u32 (policy->laddr.stop.ip4.as_u32))
return (0);
}
return (1);