diff options
Diffstat (limited to 'src/vnet/ipsec/ipsec_spd_policy.c')
-rw-r--r-- | src/vnet/ipsec/ipsec_spd_policy.c | 111 |
1 files changed, 43 insertions, 68 deletions
diff --git a/src/vnet/ipsec/ipsec_spd_policy.c b/src/vnet/ipsec/ipsec_spd_policy.c index 5ad147b934f..d4a32e38568 100644 --- a/src/vnet/ipsec/ipsec_spd_policy.c +++ b/src/vnet/ipsec/ipsec_spd_policy.c @@ -29,7 +29,7 @@ ipsec_policy_is_equal (ipsec_policy_t * p1, ipsec_policy_t * p2) { if (p1->priority != p2->priority) return 0; - if (p1->is_outbound != p2->is_outbound) + if (p1->type != p2->type) return (0); if (p1->policy != p2->policy) return (0); @@ -97,6 +97,42 @@ ipsec_spd_entry_sort (void *a1, void *a2) } int +ipsec_policy_mk_type (bool is_outbound, + bool is_ipv6, + ipsec_policy_action_t action, + ipsec_spd_policy_type_t * type) +{ + if (is_outbound) + { + *type = (is_ipv6 ? + IPSEC_SPD_POLICY_IP6_OUTBOUND : IPSEC_SPD_POLICY_IP4_OUTBOUND); + return (0); + } + else + { + switch (action) + { + case IPSEC_POLICY_ACTION_PROTECT: + *type = (is_ipv6 ? + IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT : + IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT); + return (0); + case IPSEC_POLICY_ACTION_BYPASS: + *type = (is_ipv6 ? + IPSEC_SPD_POLICY_IP6_INBOUND_BYPASS : + IPSEC_SPD_POLICY_IP4_INBOUND_BYPASS); + return (0); + case IPSEC_POLICY_ACTION_DISCARD: + case IPSEC_POLICY_ACTION_RESOLVE: + break; + } + } + + /* Unsupported type */ + return (-1); +} + +int ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, int is_add, u32 * stat_index) { @@ -106,8 +142,8 @@ ipsec_add_del_policy (vlib_main_t * vm, u32 spd_index; uword *p; - clib_warning ("policy-id %u priority %d is_outbound %u", policy->id, - policy->priority, policy->is_outbound); + clib_warning ("policy-id %u priority %d type %U", policy->id, + policy->priority, format_ipsec_policy_type, policy->type); if (policy->policy == IPSEC_POLICY_ACTION_PROTECT) { @@ -139,75 +175,14 @@ ipsec_add_del_policy (vlib_main_t * vm, policy_index); vlib_zero_combined_counter (&ipsec_spd_policy_counters, policy_index); - if (policy->is_outbound) - { - if (policy->is_ipv6) - { - vec_add1 (spd->policies[IPSEC_SPD_POLICY_IP6_OUTBOUND], - policy_index); - vec_sort_with_function (spd->policies - [IPSEC_SPD_POLICY_IP6_OUTBOUND], - ipsec_spd_entry_sort); - } - else - { - vec_add1 (spd->policies[IPSEC_SPD_POLICY_IP4_OUTBOUND], - policy_index); - vec_sort_with_function (spd->policies - [IPSEC_SPD_POLICY_IP4_OUTBOUND], - ipsec_spd_entry_sort); - } - } - else - { - if (policy->is_ipv6) - { - if (policy->policy == IPSEC_POLICY_ACTION_PROTECT) - { - vec_add1 (spd->policies - [IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT], - policy_index); - vec_sort_with_function (spd->policies - [IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT], - ipsec_spd_entry_sort); - } - else - { - vec_add1 - (spd->policies[IPSEC_SPD_POLICY_IP6_INBOUND_BYPASS], - policy_index); - vec_sort_with_function - (spd->policies[IPSEC_SPD_POLICY_IP6_INBOUND_BYPASS], - ipsec_spd_entry_sort); - } - } - else - { - if (policy->policy == IPSEC_POLICY_ACTION_PROTECT) - { - vec_add1 (spd->policies - [IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT], - policy_index); - vec_sort_with_function (spd->policies - [IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT], - ipsec_spd_entry_sort); - } - else - { - vec_add1 - (spd->policies[IPSEC_SPD_POLICY_IP4_INBOUND_BYPASS], - policy_index); - vec_sort_with_function - (spd->policies[IPSEC_SPD_POLICY_IP4_INBOUND_BYPASS], - ipsec_spd_entry_sort); - } - } - } + vec_add1 (spd->policies[policy->type], policy_index); + vec_sort_with_function (spd->policies[policy->type], + ipsec_spd_entry_sort); *stat_index = policy_index; } else { - ipsec_spd_policy_t ptype; + ipsec_spd_policy_type_t ptype; u32 ii; FOR_EACH_IPSEC_SPD_POLICY_TYPE (ptype) |