diff options
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r-- | src/vnet/ipsec/ipsec_input.c | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/vnet/ipsec/ipsec_input.c b/src/vnet/ipsec/ipsec_input.c index 96bad28c2b5..c47ea34f288 100644 --- a/src/vnet/ipsec/ipsec_input.c +++ b/src/vnet/ipsec/ipsec_input.c @@ -331,6 +331,11 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, p0 = 0; pi0 = ~0; }; + + /* Drop by default if no match on PROTECT, BYPASS or DISCARD */ + ipsec_unprocessed += 1; + next[0] = IPSEC_INPUT_NEXT_DROP; + trace0: if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE) && PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED)) @@ -427,6 +432,11 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, p0 = 0; pi0 = ~0; }; + + /* Drop by default if no match on PROTECT, BYPASS or DISCARD */ + ipsec_unprocessed += 1; + next[0] = IPSEC_INPUT_NEXT_DROP; + trace1: if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE) && PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED)) @@ -581,6 +591,8 @@ VLIB_NODE_FN (ipsec6_input_node) (vlib_main_t * vm, else { pi0 = ~0; + ipsec_unprocessed += 1; + next0 = IPSEC_INPUT_NEXT_DROP; } } else if (ip0->protocol == IP_PROTOCOL_IPSEC_AH) @@ -608,6 +620,8 @@ VLIB_NODE_FN (ipsec6_input_node) (vlib_main_t * vm, else { pi0 = ~0; + ipsec_unprocessed += 1; + next0 = IPSEC_INPUT_NEXT_DROP; } } else |