diff options
| author |   Matus Fabian <matfabia@cisco.com> | 2016-08-10 01:55:36 -0700 |
|---|---|---|
| committer |   Keith Burns <alagalah@gmail.com> | 2016-08-17 23:21:46 +0000 |
| commit | 694265d4f10dc86bd27bfd29a2b7c49440aeb6b5 (patch) | |
| tree | 48dac360be791a6de945b4eaf1eca495ef08ef0a /vnet/vnet/ipsec/esp_encrypt.c | |
| parent | 0c25d1f2a872e693d22b81f1d9cd48cc46b10cc1 (diff) | |
VPP-202: L2-GRE over IPSecv16.12-rc0
GRE encapsulate layer 2 traffic and IPSec encrypt what is encapsulated by GRE.
The whole point of L2-GRE over IPSec is to tunnel layer 2 over GRE and IPSec by
bridging the physical interface with IPSec-GRE tunnel interface.
Change-Id: Ia4cf9ed407bf663770e0d8905c0ad44ce73bd23b
Signed-off-by: Matus Fabian <matfabia@cisco.com>
Diffstat (limited to 'vnet/vnet/ipsec/esp_encrypt.c')
| -rw-r--r-- | vnet/vnet/ipsec/esp_encrypt.c | 33 |
1 files changed, 18 insertions, 15 deletions
diff --git a/vnet/vnet/ipsec/esp_encrypt.c b/vnet/vnet/ipsec/esp_encrypt.c index 45b4b3bb72b..0516d43f09b 100644 --- a/vnet/vnet/ipsec/esp_encrypt.c +++ b/vnet/vnet/ipsec/esp_encrypt.c @@ -248,6 +248,8 @@ esp_encrypt_node_fn (vlib_main_t * vm, oh6_0->esp.spi = clib_net_to_host_u32 (sa0->spi); oh6_0->esp.seq = clib_net_to_host_u32 (sa0->seq); ip_proto = ih6_0->ip6.protocol; + + next0 = ESP_ENCRYPT_NEXT_IP6_INPUT; } else { @@ -268,6 +270,8 @@ esp_encrypt_node_fn (vlib_main_t * vm, oh0->esp.spi = clib_net_to_host_u32 (sa0->spi); oh0->esp.seq = clib_net_to_host_u32 (sa0->seq); ip_proto = ih0->ip4.protocol; + + next0 = ESP_ENCRYPT_NEXT_IP4_INPUT; } if (PREDICT_TRUE @@ -276,8 +280,6 @@ esp_encrypt_node_fn (vlib_main_t * vm, oh0->ip4.src_address.as_u32 = sa0->tunnel_src_addr.ip4.as_u32; oh0->ip4.dst_address.as_u32 = sa0->tunnel_dst_addr.ip4.as_u32; - /* in tunnel mode send it back to FIB */ - next0 = ESP_ENCRYPT_NEXT_IP4_INPUT; vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; } else if (is_ipv6 && sa0->is_tunnel && sa0->is_tunnel_ip6) @@ -291,25 +293,26 @@ esp_encrypt_node_fn (vlib_main_t * vm, oh6_0->ip6.dst_address.as_u64[1] = sa0->tunnel_dst_addr.ip6.as_u64[1]; - /* in tunnel mode send it back to FIB */ - next0 = ESP_ENCRYPT_NEXT_IP6_INPUT; vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; } else { - transport_mode = 1; - ethernet_header_t *ieh0, *oeh0; - ieh0 = (ethernet_header_t *) i_b0->data; - oeh0 = (ethernet_header_t *) o_b0->data; - clib_memcpy (oeh0, ieh0, sizeof (ethernet_header_t)); vlib_buffer_advance (i_b0, ip_hdr_size); next_hdr_type = ip_proto; - next0 = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT; - o_b0->flags |= BUFFER_OUTPUT_FEAT_DONE; - vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = - vnet_buffer (i_b0)->sw_if_index[VLIB_TX]; - vnet_buffer (o_b0)->output_features.bitmap = - vnet_buffer (i_b0)->output_features.bitmap; + if (vnet_buffer (i_b0)->sw_if_index[VLIB_TX] != ~0) + { + transport_mode = 1; + ethernet_header_t *ieh0, *oeh0; + ieh0 = (ethernet_header_t *) i_b0->data; + oeh0 = (ethernet_header_t *) o_b0->data; + clib_memcpy (oeh0, ieh0, sizeof (ethernet_header_t)); + next0 = ESP_ENCRYPT_NEXT_INTERFACE_OUTPUT; + o_b0->flags |= BUFFER_OUTPUT_FEAT_DONE; + vnet_buffer (o_b0)->sw_if_index[VLIB_TX] = + vnet_buffer (i_b0)->sw_if_index[VLIB_TX]; + vnet_buffer (o_b0)->output_features.bitmap = + vnet_buffer (i_b0)->output_features.bitmap; + } } ASSERT (sa0->crypto_alg < IPSEC_CRYPTO_N_ALG); |