diff options
Diffstat (limited to 'src/vnet/ipsec')
-rw-r--r-- | src/vnet/ipsec/ah_decrypt.c | 5 | ||||
-rw-r--r-- | src/vnet/ipsec/esp_decrypt.c | 2 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_api.c | 17 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_format.c | 21 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_if.c | 15 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_if.h | 11 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_if_in.c | 31 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_input.c | 4 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_io.h | 2 | ||||
-rw-r--r-- | src/vnet/ipsec/ipsec_sa.h | 1 |
10 files changed, 57 insertions, 52 deletions
diff --git a/src/vnet/ipsec/ah_decrypt.c b/src/vnet/ipsec/ah_decrypt.c index cf955889420..e68accd9da2 100644 --- a/src/vnet/ipsec/ah_decrypt.c +++ b/src/vnet/ipsec/ah_decrypt.c @@ -259,12 +259,9 @@ ah_decrypt_inline (vlib_main_t * vm, } /* for IPSec-GRE tunnel next node is ipsec-gre-input */ - if (PREDICT_FALSE - ((vnet_buffer (i_b0)->ipsec.flags) & - IPSEC_FLAG_IPSEC_GRE_TUNNEL)) + if (PREDICT_FALSE (ipsec_sa_is_set_IS_GRE (sa0))) next0 = AH_DECRYPT_NEXT_IPSEC_GRE_INPUT; - vnet_buffer (i_b0)->sw_if_index[VLIB_TX] = (u32) ~ 0; trace: if (PREDICT_FALSE (i_b0->flags & VLIB_BUFFER_IS_TRACED)) diff --git a/src/vnet/ipsec/esp_decrypt.c b/src/vnet/ipsec/esp_decrypt.c index 3e09d9d74c2..c6cb439f1f8 100644 --- a/src/vnet/ipsec/esp_decrypt.c +++ b/src/vnet/ipsec/esp_decrypt.c @@ -396,7 +396,7 @@ esp_decrypt_inline (vlib_main_t * vm, } } - if (vnet_buffer (b[0])->ipsec.flags & IPSEC_FLAG_IPSEC_GRE_TUNNEL) + if (PREDICT_FALSE (ipsec_sa_is_set_IS_GRE (sa0))) next[0] = ESP_DECRYPT_NEXT_IPSEC_GRE_INPUT; trace: diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index 4c7242da30a..753d7530de4 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -308,11 +308,18 @@ ipsec_sa_flags_decode (vl_api_ipsec_sad_flags_t in) ipsec_sa_flags_t flags = IPSEC_SA_FLAG_NONE; in = clib_net_to_host_u32 (in); -#define _(v,f,s) if (in & IPSEC_API_SAD_FLAG_##f) \ - flags |= IPSEC_SA_FLAG_##f; - foreach_ipsec_sa_flags -#undef _ - return (flags); + if (in & IPSEC_API_SAD_FLAG_USE_ESN) + flags |= IPSEC_SA_FLAG_USE_ESN; + if (in & IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY) + flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY; + if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL) + flags |= IPSEC_SA_FLAG_IS_TUNNEL; + if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL_V6) + flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6; + if (in & IPSEC_API_SAD_FLAG_UDP_ENCAP) + flags |= IPSEC_SA_FLAG_UDP_ENCAP; + + return (flags); } static vl_api_ipsec_sad_flags_t diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c index dd99f780be6..a8616555629 100644 --- a/src/vnet/ipsec/ipsec_format.c +++ b/src/vnet/ipsec/ipsec_format.c @@ -244,6 +244,19 @@ unformat_ipsec_key (unformat_input_t * input, va_list * args) } u8 * +format_ipsec_sa_flags (u8 * s, va_list * args) +{ + ipsec_sa_flags_t flags = va_arg (*args, int); + + if (0) + ; +#define _(v, f, str) else if (flags & IPSEC_SA_FLAG_##f) s = format(s, "%s ", str); + foreach_ipsec_sa_flags +#undef _ + return (s); +} + +u8 * format_ipsec_sa (u8 * s, va_list * args) { u32 sai = va_arg (*args, u32); @@ -254,15 +267,11 @@ format_ipsec_sa (u8 * s, va_list * args) sa = pool_elt_at_index (im->sad, sai); - s = format (s, "[%d] sa 0x%x spi %u mode %s%s protocol %s%s%s%s", + s = format (s, "[%d] sa 0x%x spi %u mode %s%s protocol %s %U", sai, sa->id, sa->spi, ipsec_sa_is_set_IS_TUNNEL (sa) ? "tunnel" : "transport", ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ? "-ip6" : "", - sa->protocol ? "esp" : "ah", - ipsec_sa_is_set_UDP_ENCAP (sa) ? " udp-encap-enabled" : "", - ipsec_sa_is_set_USE_ANTI_REPLAY (sa) ? " anti-replay" : "", - ipsec_sa_is_set_USE_ESN (sa) ? - " extended-sequence-number" : ""); + sa->protocol ? "esp" : "ah", format_ipsec_sa_flags, sa->flags); s = format (s, "\n seq %u seq-hi %u", sa->seq, sa->seq_hi); s = format (s, "\n last-seq %u last-seq-hi %u window %U", sa->last_seq, sa->last_seq_hi, diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c index 17f28a09ac8..bfdc2bb6814 100644 --- a/src/vnet/ipsec/ipsec_if.c +++ b/src/vnet/ipsec/ipsec_if.c @@ -429,7 +429,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, int ipsec_add_del_ipsec_gre_tunnel (vnet_main_t * vnm, - ipsec_add_del_ipsec_gre_tunnel_args_t * args) + const ipsec_gre_tunnel_add_del_args_t * args) { ipsec_tunnel_if_t *t = 0; ipsec_main_t *im = &ipsec_main; @@ -441,22 +441,27 @@ ipsec_add_del_ipsec_gre_tunnel (vnet_main_t * vnm, p = hash_get (im->sa_index_by_sa_id, args->local_sa_id); if (!p) return VNET_API_ERROR_INVALID_VALUE; - isa = p[0]; + osa = p[0]; + sa = pool_elt_at_index (im->sad, p[0]); + ipsec_sa_set_IS_GRE (sa); p = hash_get (im->sa_index_by_sa_id, args->remote_sa_id); if (!p) return VNET_API_ERROR_INVALID_VALUE; - osa = p[0]; + isa = p[0]; sa = pool_elt_at_index (im->sad, p[0]); + ipsec_sa_set_IS_GRE (sa); + /* we form the key from the input/remote SA whose tunnel is srouce + * at the remote end */ if (ipsec_sa_is_set_IS_TUNNEL (sa)) { - key.remote_ip = sa->tunnel_dst_addr.ip4.as_u32; + key.remote_ip = sa->tunnel_src_addr.ip4.as_u32; key.spi = clib_host_to_net_u32 (sa->spi); } else { - key.remote_ip = args->remote_ip.as_u32; + key.remote_ip = args->src.as_u32; key.spi = clib_host_to_net_u32 (sa->spi); } diff --git a/src/vnet/ipsec/ipsec_if.h b/src/vnet/ipsec/ipsec_if.h index 7f0eb08b24c..34a1721f4fc 100644 --- a/src/vnet/ipsec/ipsec_if.h +++ b/src/vnet/ipsec/ipsec_if.h @@ -97,17 +97,18 @@ typedef struct u8 is_add; u32 local_sa_id; u32 remote_sa_id; - ip4_address_t local_ip; - ip4_address_t remote_ip; -} ipsec_add_del_ipsec_gre_tunnel_args_t; + ip4_address_t src; + ip4_address_t dst; +} ipsec_gre_tunnel_add_del_args_t; extern int ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, ipsec_add_del_tunnel_args_t * args, u32 * sw_if_index); extern int ipsec_add_del_tunnel_if (ipsec_add_del_tunnel_args_t * args); extern int ipsec_add_del_ipsec_gre_tunnel (vnet_main_t * vnm, - ipsec_add_del_ipsec_gre_tunnel_args_t - * args); + const + ipsec_gre_tunnel_add_del_args_t * + args); extern int ipsec_set_interface_key (vnet_main_t * vnm, u32 hw_if_index, ipsec_if_set_key_type_t type, diff --git a/src/vnet/ipsec/ipsec_if_in.c b/src/vnet/ipsec/ipsec_if_in.c index 63d463bd633..9ba2c10bca6 100644 --- a/src/vnet/ipsec/ipsec_if_in.c +++ b/src/vnet/ipsec/ipsec_if_in.c @@ -197,6 +197,7 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, } else { + b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_NO_TUNNEL]; n_no_tunnel++; next[0] = IPSEC_INPUT_NEXT_DROP; goto pkt1; @@ -224,6 +225,7 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, } else { + b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_NO_TUNNEL]; n_no_tunnel++; next[0] = IPSEC_INPUT_NEXT_DROP; goto pkt1; @@ -236,7 +238,6 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, if (PREDICT_TRUE (t0->hw_if_index != ~0)) { - vnet_buffer (b[0])->ipsec.flags = 0; sw_if_index0 = t0->sw_if_index; vnet_buffer (b[0])->sw_if_index[VLIB_RX] = sw_if_index0; @@ -245,6 +246,7 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_increment_combined_counter (drop_counter, thread_index, sw_if_index0, 1, len0); n_disabled++; + b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_DISABLED]; next[0] = IPSEC_INPUT_NEXT_DROP; goto pkt1; } @@ -268,10 +270,6 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, n_bytes = len0; } } - else - { - vnet_buffer (b[0])->ipsec.flags = IPSEC_FLAG_IPSEC_GRE_TUNNEL; - } pkt1: if (is_ip6) @@ -295,6 +293,7 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, } else { + b[1]->error = node->errors[IPSEC_IF_INPUT_ERROR_NO_TUNNEL]; n_no_tunnel++; next[1] = IPSEC_INPUT_NEXT_DROP; goto trace1; @@ -322,6 +321,7 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, } else { + b[1]->error = node->errors[IPSEC_IF_INPUT_ERROR_NO_TUNNEL]; n_no_tunnel++; next[1] = IPSEC_INPUT_NEXT_DROP; goto trace1; @@ -334,7 +334,6 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, if (PREDICT_TRUE (t1->hw_if_index != ~0)) { - vnet_buffer (b[1])->ipsec.flags = 0; sw_if_index1 = t1->sw_if_index; vnet_buffer (b[1])->sw_if_index[VLIB_RX] = sw_if_index1; @@ -343,6 +342,7 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_increment_combined_counter (drop_counter, thread_index, sw_if_index1, 1, len1); n_disabled++; + b[1]->error = node->errors[IPSEC_IF_INPUT_ERROR_DISABLED]; next[1] = IPSEC_INPUT_NEXT_DROP; goto trace1; } @@ -366,10 +366,6 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, n_bytes = len1; } } - else - { - vnet_buffer (b[1])->ipsec.flags = IPSEC_FLAG_IPSEC_GRE_TUNNEL; - } trace1: if (PREDICT_FALSE (is_trace)) @@ -460,6 +456,7 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, } else { + b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_NO_TUNNEL]; n_no_tunnel++; next[0] = IPSEC_INPUT_NEXT_DROP; goto trace00; @@ -487,6 +484,7 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, } else { + b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_NO_TUNNEL]; n_no_tunnel++; next[0] = IPSEC_INPUT_NEXT_DROP; goto trace00; @@ -499,7 +497,6 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, if (PREDICT_TRUE (t0->hw_if_index != ~0)) { - vnet_buffer (b[0])->ipsec.flags = 0; sw_if_index0 = t0->sw_if_index; vnet_buffer (b[0])->sw_if_index[VLIB_RX] = sw_if_index0; @@ -508,6 +505,7 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_increment_combined_counter (drop_counter, thread_index, sw_if_index0, 1, len0); n_disabled++; + b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_DISABLED]; next[0] = IPSEC_INPUT_NEXT_DROP; goto trace00; } @@ -531,10 +529,6 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, n_bytes = len0; } } - else - { - vnet_buffer (b[0])->ipsec.flags = IPSEC_FLAG_IPSEC_GRE_TUNNEL; - } trace00: if (PREDICT_FALSE (is_trace)) @@ -563,11 +557,8 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node, vlib_node_increment_counter (vm, node->node_index, IPSEC_IF_INPUT_ERROR_RX, - from_frame->n_vectors - n_disabled); - vlib_node_increment_counter (vm, node->node_index, - IPSEC_IF_INPUT_ERROR_DISABLED, n_disabled); - vlib_node_increment_counter (vm, node->node_index, - IPSEC_IF_INPUT_ERROR_NO_TUNNEL, n_no_tunnel); + from_frame->n_vectors - (n_disabled + + n_no_tunnel)); vlib_buffer_enqueue_to_next (vm, node, from, nexts, from_frame->n_vectors); diff --git a/src/vnet/ipsec/ipsec_input.c b/src/vnet/ipsec/ipsec_input.c index 970211eccaa..5be72c3a161 100644 --- a/src/vnet/ipsec/ipsec_input.c +++ b/src/vnet/ipsec/ipsec_input.c @@ -253,7 +253,6 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, clib_net_to_host_u16 (ip0->length)); vnet_buffer (b0)->ipsec.sad_index = p0->sa_index; - vnet_buffer (b0)->ipsec.flags = 0; next0 = im->esp4_decrypt_next_index; vlib_buffer_advance (b0, ((u8 *) esp0 - (u8 *) ip0)); goto trace0; @@ -304,7 +303,6 @@ VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm, clib_net_to_host_u16 (ip0->length)); vnet_buffer (b0)->ipsec.sad_index = p0->sa_index; - vnet_buffer (b0)->ipsec.flags = 0; next0 = im->ah4_decrypt_next_index; goto trace1; } @@ -450,7 +448,6 @@ VLIB_NODE_FN (ipsec6_input_node) (vlib_main_t * vm, header_size); vnet_buffer (b0)->ipsec.sad_index = p0->sa_index; - vnet_buffer (b0)->ipsec.flags = 0; next0 = im->esp6_decrypt_next_index; vlib_buffer_advance (b0, header_size); goto trace0; @@ -479,7 +476,6 @@ VLIB_NODE_FN (ipsec6_input_node) (vlib_main_t * vm, header_size); vnet_buffer (b0)->ipsec.sad_index = p0->sa_index; - vnet_buffer (b0)->ipsec.flags = 0; next0 = im->ah6_decrypt_next_index; goto trace0; } diff --git a/src/vnet/ipsec/ipsec_io.h b/src/vnet/ipsec/ipsec_io.h index c180a784eaa..f156b48360f 100644 --- a/src/vnet/ipsec/ipsec_io.h +++ b/src/vnet/ipsec/ipsec_io.h @@ -15,8 +15,6 @@ #ifndef __IPSEC_IO_H__ #define __IPSEC_IO_H__ -#define IPSEC_FLAG_IPSEC_GRE_TUNNEL (1 << 0) - #define foreach_ipsec_output_next \ _ (DROP, "error-drop") diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h index 94f1554112f..cfb44b9e86d 100644 --- a/src/vnet/ipsec/ipsec_sa.h +++ b/src/vnet/ipsec/ipsec_sa.h @@ -90,6 +90,7 @@ typedef struct ipsec_key_t_ _ (4, IS_TUNNEL, "tunnel") \ _ (8, IS_TUNNEL_V6, "tunnel-v6") \ _ (16, UDP_ENCAP, "udp-encap") \ + _ (32, IS_GRE, "GRE") \ typedef enum ipsec_sad_flags_t_ { |