Add admin-up flag to L2TP tunnels and start tunnels set to down

L2TP tunnels use virtual interfaces but directly send
packets to l2-input node (not ethernet-input).
This node requires a bridge-domain to be associated with
the interface.

Past code was immediatly turning the interface up, but
some packets could be sent to l2-input without bridge domain
between interface creation and association with a bridge domain.

The tunnel is now created as down and has to be set up later
(typically after being associated with a bridge-domain).

Another option would have been to change the api and enforce
a bridge-domain to be specified before the tunnel, but this
is less flexible for the user.

Change-Id: I26d1f36bb4f327d9fa1c8044023f2210c4117904
Signed-off-by: Pierre Pfister <ppfister@cisco.com>

1 files changed, 8 insertions, 1 deletions

diff --git a/vnet/vnet/l2tp/decap.c b/vnet/vnet/l2tp/decap.c
index 54400281890..68b7fabe76d 100644
--- a/vnet/vnet/l2tp/decap.c
+++ b/vnet/vnet/l2tp/decap.c
@@ -27,7 +27,8 @@
 _(USER_TO_NETWORK, "L2TP user (ip6) to L2 network pkts")        \
 _(SESSION_ID_MISMATCH, "l2tpv3 local session id mismatches")    \
 _(COOKIE_MISMATCH, "l2tpv3 local cookie mismatches")            \
-_(NO_SESSION, "l2tpv3 session not found")
+_(NO_SESSION, "l2tpv3 session not found")                       \
+_(ADMIN_DOWN, "l2tpv3 tunnel is down")
 
 static char * l2t_decap_error_strings[] = {
 #define _(sym,string) string,
@@ -169,6 +170,12 @@ static inline u32 last_stage (vlib_main_t *vm, vlib_node_runtime_t *node,
 
     vnet_buffer(b)->sw_if_index[VLIB_RX] = session->sw_if_index;
 
+    if (PREDICT_FALSE(!(session->admin_up))) {
+	b->error = node->errors[L2T_DECAP_ERROR_ADMIN_DOWN];
+	next_index = L2T_DECAP_NEXT_DROP;
+	goto done;
+    }
+
     /* strip the ip6 and L2TP header */
     vlib_buffer_advance (b, sizeof (*ip6) + session->l2tp_hdr_size);