author | Piotr Bronowski <piotrx.bronowski@intel.com> | 2022-10-21 15:48:55 +0000 |
---|---|---|
committer | Fan Zhang <fanzhang.oss@gmail.com> | 2023-01-16 14:54:06 +0000 |
commit | 1d9780a43fe54a55c7540f3528b8703ede0a5871 (patch) | |
tree | da7bc83cdd7f214bab2db46dfd535c1bf2a3a7b0 /src | |
parent | e917bf75d911fae3a553b77e64cd4c37984948a8 (diff) |
ipsec: fix transpose local ip range position with remote ip range in fast path implementation
The fast path implementation of SPD policy lookup applied the opposite
convention to the original implementation: the local ip range was
interchanged with the remote ip range. This fix addresses the issue.
Type: fix
Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com>
Change-Id: I0b6cccc80bf52b34524e98cfd1f1d542008bb7d0
Diffstat (limited to 'src')
-rw-r--r-- | src/vnet/ipsec/ipsec_input.c | 14 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_spd_fp_lookup.h | 12 |
2 files changed, 13 insertions, 13 deletions
diff --git a/src/vnet/ipsec/ipsec_input.c b/src/vnet/ipsec/ipsec_input.c
index 62723d4ffa8..4412ff331ea 100644
--- a/src/vnet/ipsec/ipsec_input.c
+++ b/src/vnet/ipsec/ipsec_input.c
@@ -153,24 +153,24 @@ ipsec4_input_spd_find_flow_cache_entry (ipsec_main_t *im, u32 sa, u32 da,
 }
 always_inline void
-ipsec_fp_in_5tuple_from_ip4_range (ipsec_fp_5tuple_t *tuple, u32 la, u32 ra,
+ipsec_fp_in_5tuple_from_ip4_range (ipsec_fp_5tuple_t *tuple, u32 sa, u32 da,
 u32 spi, u8 action)
 {
 clib_memset (tuple->l3_zero_pad, 0, sizeof (tuple->l3_zero_pad));
- tuple->laddr.as_u32 = la;
- tuple->raddr.as_u32 = ra;
+ tuple->laddr.as_u32 = da;
+ tuple->raddr.as_u32 = sa;
 tuple->spi = spi;
 tuple->action = action;
 tuple->is_ipv6 = 0;
 }
 always_inline void
-ipsec_fp_in_5tuple_from_ip6_range (ipsec_fp_5tuple_t *tuple, ip6_address_t *la,
- ip6_address_t *ra, u32 spi, u8 action)
+ipsec_fp_in_5tuple_from_ip6_range (ipsec_fp_5tuple_t *tuple, ip6_address_t *sa,
+ ip6_address_t *da, u32 spi, u8 action)
 {
- clib_memcpy (&tuple->ip6_laddr, la, sizeof (ip6_address_t));
- clib_memcpy (&tuple->ip6_raddr, ra, sizeof (ip6_address_t));
+ clib_memcpy (&tuple->ip6_laddr, da, sizeof (ip6_address_t));
+ clib_memcpy (&tuple->ip6_raddr, sa, sizeof (ip6_address_t));
 tuple->spi = spi;
 tuple->action = action;
diff --git a/src/vnet/ipsec/ipsec_spd_fp_lookup.h b/src/vnet/ipsec/ipsec_spd_fp_lookup.h
index a372ac77a50..71260855317 100644
--- a/src/vnet/ipsec/ipsec_spd_fp_lookup.h
+++ b/src/vnet/ipsec/ipsec_spd_fp_lookup.h
@@ -97,8 +97,8 @@ static_always_inline int
 single_rule_in_match_5tuple (ipsec_policy_t *policy, ipsec_fp_5tuple_t *match)
 {
- u32 sa = clib_net_to_host_u32 (match->laddr.as_u32);
- u32 da = clib_net_to_host_u32 (match->raddr.as_u32);
+ u32 da = clib_net_to_host_u32 (match->laddr.as_u32);
+ u32 sa = clib_net_to_host_u32 (match->raddr.as_u32);
 if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
 {
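Review bot: In `ipsec_fp_in_5tuple_from_ip4_range` and `ipsec_fp_in_5tuple_from_ip6_range` the new mapping (`laddr` from `da`, `raddr` from `sa`) is the whole fix, yet nothing in the code states the convention that was just gotten wrong. I would add one comment above both helpers, e.g. `/* inbound: the packet's destination is the local address, its source the remote one */`, so a later edit does not swap them back. Since the parameters changed meaning as well as name, the call sites (not shown here) should be checked to pass source first and destination second; an inverted order would again make inbound policy match against the wrong ranges. The ip6 helper's body continues past the end of the hunk.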
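Review bot: In `single_rule_in_match_5tuple`, swapping which field `sa` and `da` are read from also changes every later use of those two variables, including whatever the `IPSEC_POLICY_ACTION_PROTECT` branch does with them; that branch lies between this hunk and the next and is not shown. If it compares `sa`/`da` against tunnel endpoints, its meaning is now inverted relative to before, which may be intended but should be confirmed explicitly. A short comment on the two declarations would help, e.g. `/* inbound: laddr holds the packet's destination, raddr its source */`. The function body continues outside the hunk.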
@@ -118,16 +118,16 @@ single_rule_in_match_5tuple (ipsec_policy_t *policy, ipsec_fp_5tuple_t *match)
 }
 else
 {
- if (da < clib_net_to_host_u32 (policy->raddr.start.ip4.as_u32))
+ if (sa < clib_net_to_host_u32 (policy->raddr.start.ip4.as_u32))
 return (0);
- if (da > clib_net_to_host_u32 (policy->raddr.stop.ip4.as_u32))
+ if (sa > clib_net_to_host_u32 (policy->raddr.stop.ip4.as_u32))
 return (0);
- if (sa < clib_net_to_host_u32 (policy->laddr.start.ip4.as_u32))
+ if (da < clib_net_to_host_u32 (policy->laddr.start.ip4.as_u32))
 return (0);
- if (sa > clib_net_to_host_u32 (policy->laddr.stop.ip4.as_u32))
+ if (da > clib_net_to_host_u32 (policy->laddr.stop.ip4.as_u32))
 return (0);
 }
 return (1); |
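Review bot: The range checks in the `else` branch now pair `sa` with `policy->raddr` and `da` with `policy->laddr`, but a policy whose local and remote ranges are equal or both wide open matches identically before and after this change, so a test built on such a policy would not have caught the bug. A regression test with disjoint `laddr` and `raddr` ranges, one packet in the correct direction and one reversed, would pin it; the diffstat shown is limited to `src`, so I cannot tell whether one was added. These comparisons read only the `ip4` members, and nothing visible in the function checks `match->is_ipv6` first, so it is worth confirming that IPv6 tuples never reach it. The function begins outside this hunk.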