aboutsummaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec
diff options
context:
space:
mode:
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r--src/vnet/ipsec/ipsec_api.c17
-rw-r--r--src/vnet/ipsec/ipsec_cli.c4
-rw-r--r--src/vnet/ipsec/ipsec_format.c34
-rw-r--r--src/vnet/ipsec/ipsec_output.c25
-rw-r--r--src/vnet/ipsec/ipsec_spd_policy.h1
5 files changed, 35 insertions, 46 deletions
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index d0f543fe520..e6f5bd31428 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -150,10 +150,11 @@ static void vl_api_ipsec_spd_entry_add_del_t_handler
p.is_ipv6 = (itype == IP46_TYPE_IP6);
p.protocol = mp->entry.protocol;
- p.rport.start = ntohs (mp->entry.remote_port_start);
- p.rport.stop = ntohs (mp->entry.remote_port_stop);
- p.lport.start = ntohs (mp->entry.local_port_start);
- p.lport.stop = ntohs (mp->entry.local_port_stop);
+ /* leave the ports in network order */
+ p.rport.start = mp->entry.remote_port_start;
+ p.rport.stop = mp->entry.remote_port_stop;
+ p.lport.start = mp->entry.local_port_start;
+ p.lport.stop = mp->entry.local_port_stop;
rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
@@ -481,10 +482,10 @@ send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg,
&mp->entry.remote_address_start);
ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY,
&mp->entry.remote_address_stop);
- mp->entry.local_port_start = htons (p->lport.start);
- mp->entry.local_port_stop = htons (p->lport.stop);
- mp->entry.remote_port_start = htons (p->rport.start);
- mp->entry.remote_port_stop = htons (p->rport.stop);
+ mp->entry.local_port_start = p->lport.start;
+ mp->entry.local_port_stop = p->lport.stop;
+ mp->entry.remote_port_start = p->rport.start;
+ mp->entry.remote_port_stop = p->rport.stop;
mp->entry.protocol = p->protocol;
mp->entry.policy = ipsec_spd_action_encode (p->policy);
mp->entry.sa_id = htonl (p->sa_id);
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 8a4d068f9f7..2020e7909a3 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -291,12 +291,16 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm,
{
p.lport.start = tmp;
p.lport.stop = tmp2;
+ p.lport.start = clib_host_to_net_u16 (p.lport.start);
+ p.lport.stop = clib_host_to_net_u16 (p.lport.stop);
}
else
if (unformat (line_input, "remote-port-range %u - %u", &tmp, &tmp2))
{
p.rport.start = tmp;
p.rport.stop = tmp2;
+ p.rport.start = clib_host_to_net_u16 (p.rport.start);
+ p.rport.stop = clib_host_to_net_u16 (p.rport.stop);
}
else
{
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index aa5562caf63..3659a7a897f 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -177,28 +177,18 @@ format_ipsec_policy (u8 * s, va_list * args)
{
s = format (s, " sa %u", p->sa_id);
}
- if (p->is_ipv6)
- {
- s = format (s, "\n local addr range %U - %U port range %u - %u",
- format_ip6_address, &p->laddr.start.ip6,
- format_ip6_address, &p->laddr.stop.ip6,
- p->lport.start, p->lport.stop);
- s = format (s, "\n remote addr range %U - %U port range %u - %u",
- format_ip6_address, &p->raddr.start.ip6,
- format_ip6_address, &p->raddr.stop.ip6,
- p->rport.start, p->rport.stop);
- }
- else
- {
- s = format (s, "\n local addr range %U - %U port range %u - %u",
- format_ip4_address, &p->laddr.start.ip4,
- format_ip4_address, &p->laddr.stop.ip4,
- p->lport.start, p->lport.stop);
- s = format (s, "\n remote addr range %U - %U port range %u - %u",
- format_ip4_address, &p->raddr.start.ip4,
- format_ip4_address, &p->raddr.stop.ip4,
- p->rport.start, p->rport.stop);
- }
+
+ s = format (s, "\n local addr range %U - %U port range %u - %u",
+ format_ip46_address, &p->laddr.start, IP46_TYPE_ANY,
+ format_ip46_address, &p->laddr.stop, IP46_TYPE_ANY,
+ clib_net_to_host_u16 (p->lport.start),
+ clib_net_to_host_u16 (p->lport.stop));
+ s = format (s, "\n remote addr range %U - %U port range %u - %u",
+ format_ip46_address, &p->raddr.start, IP46_TYPE_ANY,
+ format_ip46_address, &p->raddr.stop, IP46_TYPE_ANY,
+ clib_net_to_host_u16 (p->rport.start),
+ clib_net_to_host_u16 (p->rport.stop));
+
vlib_get_combined_counter (&ipsec_spd_policy_counters, pi, &counts);
s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes);
diff --git a/src/vnet/ipsec/ipsec_output.c b/src/vnet/ipsec/ipsec_output.c
index a2553764192..83ab629453d 100644
--- a/src/vnet/ipsec/ipsec_output.c
+++ b/src/vnet/ipsec/ipsec_output.c
@@ -82,16 +82,16 @@ ipsec_output_policy_match (ipsec_spd_t * spd, u8 pr, u32 la, u32 ra, u16 lp,
if (PREDICT_FALSE (p->protocol && (p->protocol != pr)))
continue;
- if (ra < clib_net_to_host_u32 (p->raddr.start.ip4.as_u32))
+ if (ra < p->raddr.start.ip4.as_u32)
continue;
- if (ra > clib_net_to_host_u32 (p->raddr.stop.ip4.as_u32))
+ if (ra > p->raddr.stop.ip4.as_u32)
continue;
- if (la < clib_net_to_host_u32 (p->laddr.start.ip4.as_u32))
+ if (la < p->laddr.start.ip4.as_u32)
continue;
- if (la > clib_net_to_host_u32 (p->laddr.stop.ip4.as_u32))
+ if (la > p->laddr.stop.ip4.as_u32)
continue;
if (PREDICT_FALSE
@@ -239,10 +239,8 @@ ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
p0 = ipsec6_output_policy_match (spd0,
&ip6_0->src_address,
&ip6_0->dst_address,
- clib_net_to_host_u16
- (udp0->src_port),
- clib_net_to_host_u16
- (udp0->dst_port), ip6_0->protocol);
+ udp0->src_port,
+ udp0->dst_port, ip6_0->protocol);
}
else
{
@@ -258,14 +256,9 @@ ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
#endif
p0 = ipsec_output_policy_match (spd0, ip0->protocol,
- clib_net_to_host_u32
- (ip0->src_address.as_u32),
- clib_net_to_host_u32
- (ip0->dst_address.as_u32),
- clib_net_to_host_u16
- (udp0->src_port),
- clib_net_to_host_u16
- (udp0->dst_port));
+ ip0->src_address.as_u32,
+ ip0->dst_address.as_u32,
+ udp0->src_port, udp0->dst_port);
}
tcp0 = (void *) udp0;
diff --git a/src/vnet/ipsec/ipsec_spd_policy.h b/src/vnet/ipsec/ipsec_spd_policy.h
index 6d6b69592b0..d4472e68d89 100644
--- a/src/vnet/ipsec/ipsec_spd_policy.h
+++ b/src/vnet/ipsec/ipsec_spd_policy.h
@@ -39,6 +39,7 @@ typedef struct
typedef struct
{
+ /* Ports stored in network byte order */
u16 start, stop;
} port_range_t;