diff options
Diffstat (limited to 'vnet')
-rw-r--r-- | vnet/vnet/ipsec/ikev2.c | 94 | ||||
-rw-r--r-- | vnet/vnet/ipsec/ikev2_cli.c | 193 | ||||
-rw-r--r-- | vnet/vnet/ipsec/ikev2_priv.h | 11 | ||||
-rw-r--r-- | vnet/vnet/ipsec/ipsec.h | 13 | ||||
-rw-r--r-- | vnet/vnet/ipsec/ipsec_cli.c | 7 | ||||
-rw-r--r-- | vnet/vnet/ipsec/ipsec_if.c | 52 |
6 files changed, 222 insertions, 148 deletions
diff --git a/vnet/vnet/ipsec/ikev2.c b/vnet/vnet/ipsec/ikev2.c index 17b297b8217..8455c1263d6 100644 --- a/vnet/vnet/ipsec/ikev2.c +++ b/vnet/vnet/ipsec/ikev2.c @@ -292,15 +292,16 @@ static void ikev2_delete_sa(ikev2_sa_t *sa) { ikev2_main_t * km = &ikev2_main; + u32 cpu_index = os_get_cpu_number(); uword * p; ikev2_sa_free_all_vec(sa); - p = hash_get(km->sa_by_rspi, sa->rspi); + p = hash_get(km->per_thread_data[cpu_index].sa_by_rspi, sa->rspi); if (p) { - hash_unset(km->sa_by_rspi, sa->rspi); - pool_put(km->sas, sa); + hash_unset(km->per_thread_data[cpu_index].sa_by_rspi, sa->rspi); + pool_put(km->per_thread_data[cpu_index].sas, sa); } } @@ -603,24 +604,25 @@ ikev2_initial_contact_cleanup (ikev2_sa_t * sa) ikev2_sa_t * tmp; u32 i, * delete = 0; ikev2_child_sa_t * c; + u32 cpu_index = os_get_cpu_number(); if (!sa->initial_contact) return; /* find old IKE SAs with the same authenticated identity */ - pool_foreach (tmp, km->sas, ({ + pool_foreach (tmp, km->per_thread_data[cpu_index].sas, ({ if (tmp->i_id.type != sa->i_id.type || vec_len(tmp->i_id.data) != vec_len(sa->i_id.data) || memcmp(sa->i_id.data, tmp->i_id.data, vec_len(sa->i_id.data))) continue; if (sa->rspi != tmp->rspi) - vec_add1(delete, tmp - km->sas); + vec_add1(delete, tmp - km->per_thread_data[cpu_index].sas); })); for (i = 0; i < vec_len(delete); i++) { - tmp = pool_elt_at_index(km->sas, delete[i]); + tmp = pool_elt_at_index(km->per_thread_data[cpu_index].sas, delete[i]); vec_foreach(c, tmp->childs) ikev2_delete_tunnel_interface(km->vnet_main, tmp, c); ikev2_delete_sa(tmp); @@ -1153,7 +1155,6 @@ ikev2_create_tunnel_interface(vnet_main_t * vnm, ikev2_sa_t *sa, ikev2_child_sa_ { ipsec_add_del_tunnel_args_t a; ikev2_sa_transform_t * tr; - u32 hw_if_index; u8 encr_type = 0; if (!child->r_proposals) @@ -1162,6 +1163,7 @@ ikev2_create_tunnel_interface(vnet_main_t * vnm, ikev2_sa_t *sa, ikev2_child_sa_ return 1; } + memset(&a, 0, sizeof(a)); a.is_add = 1; a.local_ip.as_u32 = sa->raddr.as_u32; a.remote_ip.as_u32 = sa->iaddr.as_u32; @@ -1224,36 +1226,21 @@ ikev2_create_tunnel_interface(vnet_main_t * vnm, ikev2_sa_t *sa, ikev2_child_sa_ return 1; } - hw_if_index = ipsec_add_del_tunnel_if(vnm, &a); - if (hw_if_index == VNET_API_ERROR_INVALID_VALUE) - { - clib_warning("create tunnel interface failed remote-ip %U remote-spi %u", - format_ip4_address, &sa->raddr, child->r_proposals[0].spi); - ikev2_set_state(sa, IKEV2_STATE_DELETED); - return hw_if_index; - } - ikev2_calc_child_keys(sa, child); - ipsec_set_interface_key(vnm, hw_if_index, - IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO, - encr_type, - child->sk_er); - - ipsec_set_interface_key(vnm, hw_if_index, - IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO, - encr_type, - child->sk_ei); + a.integ_alg = IPSEC_INTEG_ALG_SHA1_96; + a.local_integ_key_len = vec_len(child->sk_ar); + clib_memcpy(a.local_integ_key, child->sk_ar, a.local_integ_key_len); + a.remote_integ_key_len = vec_len(child->sk_ai); + clib_memcpy(a.remote_integ_key, child->sk_ai, a.remote_integ_key_len); - ipsec_set_interface_key(vnm, hw_if_index, - IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG, - IPSEC_INTEG_ALG_SHA1_96, - child->sk_ar); + a.crypto_alg = encr_type; + a.local_crypto_key_len = vec_len(child->sk_er); + clib_memcpy(a.local_crypto_key, child->sk_er, a.local_crypto_key_len); + a.remote_crypto_key_len = vec_len(child->sk_ei); + clib_memcpy(a.remote_crypto_key, child->sk_ei, a.remote_crypto_key_len); - ipsec_set_interface_key(vnm, hw_if_index, - IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG, - IPSEC_INTEG_ALG_SHA1_96, - child->sk_ai); + ipsec_add_del_tunnel_if(&a); return 0; } @@ -1272,7 +1259,8 @@ ikev2_delete_tunnel_interface(vnet_main_t * vnm, ikev2_sa_t *sa, ikev2_child_sa_ a.local_spi = child->i_proposals[0].spi; a.remote_spi = child->r_proposals[0].spi; - return ipsec_add_del_tunnel_if(vnm, &a); + ipsec_add_del_tunnel_if(&a); + return 0; } static u32 @@ -1505,8 +1493,9 @@ ikev2_retransmit_sa_init (ike_header_t * ike, { ikev2_main_t * km = &ikev2_main; ikev2_sa_t * sa; + u32 cpu_index = os_get_cpu_number(); - pool_foreach (sa, km->sas, ({ + pool_foreach (sa, km->per_thread_data[cpu_index].sas, ({ if (sa->ispi == clib_net_to_host_u64(ike->ispi) && sa->iaddr.as_u32 == iaddr.as_u32 && sa->raddr.as_u32 == raddr.as_u32) @@ -1617,6 +1606,7 @@ ikev2_node_fn (vlib_main_t * vm, u32 n_left_from, * from, * to_next; ikev2_next_t next_index; ikev2_main_t * km = &ikev2_main; + u32 cpu_index = os_get_cpu_number(); from = vlib_frame_vector_args (frame); n_left_from = frame->n_vectors; @@ -1710,9 +1700,11 @@ ikev2_node_fn (vlib_main_t * vm, if (sa0->state == IKEV2_STATE_SA_INIT) { /* add SA to the pool */ - pool_get (km->sas, sa0); + pool_get (km->per_thread_data[cpu_index].sas, sa0); clib_memcpy(sa0, &sa, sizeof(*sa0)); - hash_set (km->sa_by_rspi, sa0->rspi, sa0 - km->sas); + hash_set (km->per_thread_data[cpu_index].sa_by_rspi, + sa0->rspi, + sa0 - km->per_thread_data[cpu_index].sas); } else { @@ -1723,10 +1715,12 @@ ikev2_node_fn (vlib_main_t * vm, else if (ike0->exchange == IKEV2_EXCHANGE_IKE_AUTH) { uword * p; - p = hash_get(km->sa_by_rspi, clib_net_to_host_u64(ike0->rspi)); + p = hash_get(km->per_thread_data[cpu_index].sa_by_rspi, + clib_net_to_host_u64(ike0->rspi)); if (p) { - sa0 = pool_elt_at_index (km->sas, p[0]); + sa0 = pool_elt_at_index (km->per_thread_data[cpu_index].sas, + p[0]); r = ikev2_retransmit_resp(sa0, ike0); if (r == 1) @@ -1761,10 +1755,12 @@ ikev2_node_fn (vlib_main_t * vm, else if (ike0->exchange == IKEV2_EXCHANGE_INFORMATIONAL) { uword * p; - p = hash_get(km->sa_by_rspi, clib_net_to_host_u64(ike0->rspi)); + p = hash_get(km->per_thread_data[cpu_index].sa_by_rspi, + clib_net_to_host_u64(ike0->rspi)); if (p) { - sa0 = pool_elt_at_index (km->sas, p[0]); + sa0 = pool_elt_at_index (km->per_thread_data[cpu_index].sas, + p[0]); r = ikev2_retransmit_resp(sa0, ike0); if (r == 1) @@ -1814,10 +1810,12 @@ ikev2_node_fn (vlib_main_t * vm, else if (ike0->exchange == IKEV2_EXCHANGE_CREATE_CHILD_SA) { uword * p; - p = hash_get(km->sa_by_rspi, clib_net_to_host_u64(ike0->rspi)); + p = hash_get(km->per_thread_data[cpu_index].sa_by_rspi, + clib_net_to_host_u64(ike0->rspi)); if (p) { - sa0 = pool_elt_at_index (km->sas, p[0]); + sa0 = pool_elt_at_index (km->per_thread_data[cpu_index].sas, + p[0]); r = ikev2_retransmit_resp(sa0, ike0); if (r == 1) @@ -2092,6 +2090,8 @@ ikev2_init (vlib_main_t * vm) { ikev2_main_t * km = &ikev2_main; clib_error_t * error; + vlib_thread_main_t * tm = vlib_get_thread_main(); + int thread_id; memset (km, 0, sizeof (ikev2_main_t)); km->vnet_main = vnet_get_main(); @@ -2099,9 +2099,15 @@ ikev2_init (vlib_main_t * vm) ikev2_crypto_init(km); - km->sa_by_rspi = hash_create (0, sizeof (uword)); mhash_init_vec_string (&km->profile_index_by_name, sizeof (uword)); + vec_validate(km->per_thread_data, tm->n_vlib_mains-1); + for (thread_id = 0; thread_id < tm->n_vlib_mains - 1; thread_id++) + { + km->per_thread_data[thread_id].sa_by_rspi = + hash_create (0, sizeof (uword)); + } + if ((error = vlib_call_init_function (vm, ikev2_cli_init))) return error; diff --git a/vnet/vnet/ipsec/ikev2_cli.c b/vnet/vnet/ipsec/ikev2_cli.c index e42f16d8f18..c8c8ea140b5 100644 --- a/vnet/vnet/ipsec/ikev2_cli.c +++ b/vnet/vnet/ipsec/ikev2_cli.c @@ -50,106 +50,109 @@ show_ikev2_sa_command_fn (vlib_main_t * vm, vlib_cli_command_t * cmd) { ikev2_main_t * km = &ikev2_main; + ikev2_main_per_thread_data_t * tkm; ikev2_sa_t * sa; ikev2_ts_t * ts; ikev2_child_sa_t * child; ikev2_sa_transform_t * tr; - pool_foreach (sa, km->sas, ({ - u8 * s = 0; - vlib_cli_output(vm, " iip %U ispi %lx rip %U rspi %lx", - format_ip4_address, &sa->iaddr, sa->ispi, - format_ip4_address, &sa->raddr, sa->rspi); - - tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); - s = format(s, "%U ", format_ikev2_sa_transform, tr); - - tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF); - s = format(s, "%U ", format_ikev2_sa_transform, tr); - - tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG); - s = format(s, "%U ", format_ikev2_sa_transform, tr); - - tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH); - s = format(s, "%U ", format_ikev2_sa_transform, tr); - - vlib_cli_output(vm, " %v", s); - vec_free(s); - - vlib_cli_output(vm, " nonce i:%U\n r:%U", - format_hex_bytes, sa->i_nonce, vec_len(sa->i_nonce), - format_hex_bytes, sa->r_nonce, vec_len(sa->r_nonce)); - - vlib_cli_output(vm, " SK_d %U", - format_hex_bytes, sa->sk_d, vec_len(sa->sk_d)); - vlib_cli_output(vm, " SK_a i:%U\n r:%U", - format_hex_bytes, sa->sk_ai, vec_len(sa->sk_ai), - format_hex_bytes, sa->sk_ar, vec_len(sa->sk_ar)); - vlib_cli_output(vm, " SK_e i:%U\n r:%U", - format_hex_bytes, sa->sk_ei, vec_len(sa->sk_ei), - format_hex_bytes, sa->sk_er, vec_len(sa->sk_er)); - vlib_cli_output(vm, " SK_p i:%U\n r:%U", - format_hex_bytes, sa->sk_pi, vec_len(sa->sk_pi), - format_hex_bytes, sa->sk_pr, vec_len(sa->sk_pr)); - - vlib_cli_output(vm, " identifier (i) %U", - format_ikev2_id_type_and_data, &sa->i_id); - vlib_cli_output(vm, " identifier (r) %U", - format_ikev2_id_type_and_data, &sa->r_id); - - vec_foreach(child, sa->childs) - { - vlib_cli_output(vm, " child sa %u:", child - sa->childs); - - tr = ikev2_sa_get_td_for_type(child->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); - s = format(s, "%U ", format_ikev2_sa_transform, tr); - - tr = ikev2_sa_get_td_for_type(child->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG); - s = format(s, "%U ", format_ikev2_sa_transform, tr); - - tr = ikev2_sa_get_td_for_type(child->r_proposals, IKEV2_TRANSFORM_TYPE_ESN); - s = format(s, "%U ", format_ikev2_sa_transform, tr); - - vlib_cli_output(vm, " %v", s); - vec_free(s); - - vlib_cli_output(vm, " spi(i) %lx spi(r) %lx", - child->i_proposals ? child->i_proposals[0].spi : 0, - child->r_proposals ? child->r_proposals[0].spi : 0); - - vlib_cli_output(vm, " SK_e i:%U\n r:%U", - format_hex_bytes, child->sk_ei, vec_len(child->sk_ei), - format_hex_bytes, child->sk_er, vec_len(child->sk_er)); - vlib_cli_output(vm, " SK_a i:%U\n r:%U", - format_hex_bytes, child->sk_ai, vec_len(child->sk_ai), - format_hex_bytes, child->sk_ar, vec_len(child->sk_ar)); - vlib_cli_output(vm, " traffic selectors (i):"); - vec_foreach(ts, child->tsi) - { - vlib_cli_output(vm, " %u type %u protocol_id %u addr " - "%U - %U port %u - %u", - ts - child->tsi, - ts->ts_type, ts->protocol_id, - format_ip4_address, &ts->start_addr, - format_ip4_address, &ts->end_addr, - clib_net_to_host_u16( ts->start_port), - clib_net_to_host_u16( ts->end_port)); - } - vlib_cli_output(vm, " traffic selectors (r):"); - vec_foreach(ts, child->tsr) - { - vlib_cli_output(vm, " %u type %u protocol_id %u addr " - "%U - %U port %u - %u", - ts - child->tsr, - ts->ts_type, ts->protocol_id, - format_ip4_address, &ts->start_addr, - format_ip4_address, &ts->end_addr, - clib_net_to_host_u16( ts->start_port), - clib_net_to_host_u16( ts->end_port)); - } - } - vlib_cli_output(vm, ""); - })); + vec_foreach(tkm, km->per_thread_data) { + pool_foreach (sa, tkm->sas, ({ + u8 * s = 0; + vlib_cli_output(vm, " iip %U ispi %lx rip %U rspi %lx", + format_ip4_address, &sa->iaddr, sa->ispi, + format_ip4_address, &sa->raddr, sa->rspi); + + tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); + s = format(s, "%U ", format_ikev2_sa_transform, tr); + + tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_PRF); + s = format(s, "%U ", format_ikev2_sa_transform, tr); + + tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG); + s = format(s, "%U ", format_ikev2_sa_transform, tr); + + tr = ikev2_sa_get_td_for_type(sa->r_proposals, IKEV2_TRANSFORM_TYPE_DH); + s = format(s, "%U ", format_ikev2_sa_transform, tr); + + vlib_cli_output(vm, " %v", s); + vec_free(s); + + vlib_cli_output(vm, " nonce i:%U\n r:%U", + format_hex_bytes, sa->i_nonce, vec_len(sa->i_nonce), + format_hex_bytes, sa->r_nonce, vec_len(sa->r_nonce)); + + vlib_cli_output(vm, " SK_d %U", + format_hex_bytes, sa->sk_d, vec_len(sa->sk_d)); + vlib_cli_output(vm, " SK_a i:%U\n r:%U", + format_hex_bytes, sa->sk_ai, vec_len(sa->sk_ai), + format_hex_bytes, sa->sk_ar, vec_len(sa->sk_ar)); + vlib_cli_output(vm, " SK_e i:%U\n r:%U", + format_hex_bytes, sa->sk_ei, vec_len(sa->sk_ei), + format_hex_bytes, sa->sk_er, vec_len(sa->sk_er)); + vlib_cli_output(vm, " SK_p i:%U\n r:%U", + format_hex_bytes, sa->sk_pi, vec_len(sa->sk_pi), + format_hex_bytes, sa->sk_pr, vec_len(sa->sk_pr)); + + vlib_cli_output(vm, " identifier (i) %U", + format_ikev2_id_type_and_data, &sa->i_id); + vlib_cli_output(vm, " identifier (r) %U", + format_ikev2_id_type_and_data, &sa->r_id); + + vec_foreach(child, sa->childs) + { + vlib_cli_output(vm, " child sa %u:", child - sa->childs); + + tr = ikev2_sa_get_td_for_type(child->r_proposals, IKEV2_TRANSFORM_TYPE_ENCR); + s = format(s, "%U ", format_ikev2_sa_transform, tr); + + tr = ikev2_sa_get_td_for_type(child->r_proposals, IKEV2_TRANSFORM_TYPE_INTEG); + s = format(s, "%U ", format_ikev2_sa_transform, tr); + + tr = ikev2_sa_get_td_for_type(child->r_proposals, IKEV2_TRANSFORM_TYPE_ESN); + s = format(s, "%U ", format_ikev2_sa_transform, tr); + + vlib_cli_output(vm, " %v", s); + vec_free(s); + + vlib_cli_output(vm, " spi(i) %lx spi(r) %lx", + child->i_proposals ? child->i_proposals[0].spi : 0, + child->r_proposals ? child->r_proposals[0].spi : 0); + + vlib_cli_output(vm, " SK_e i:%U\n r:%U", + format_hex_bytes, child->sk_ei, vec_len(child->sk_ei), + format_hex_bytes, child->sk_er, vec_len(child->sk_er)); + vlib_cli_output(vm, " SK_a i:%U\n r:%U", + format_hex_bytes, child->sk_ai, vec_len(child->sk_ai), + format_hex_bytes, child->sk_ar, vec_len(child->sk_ar)); + vlib_cli_output(vm, " traffic selectors (i):"); + vec_foreach(ts, child->tsi) + { + vlib_cli_output(vm, " %u type %u protocol_id %u addr " + "%U - %U port %u - %u", + ts - child->tsi, + ts->ts_type, ts->protocol_id, + format_ip4_address, &ts->start_addr, + format_ip4_address, &ts->end_addr, + clib_net_to_host_u16( ts->start_port), + clib_net_to_host_u16( ts->end_port)); + } + vlib_cli_output(vm, " traffic selectors (r):"); + vec_foreach(ts, child->tsr) + { + vlib_cli_output(vm, " %u type %u protocol_id %u addr " + "%U - %U port %u - %u", + ts - child->tsr, + ts->ts_type, ts->protocol_id, + format_ip4_address, &ts->start_addr, + format_ip4_address, &ts->end_addr, + clib_net_to_host_u16( ts->start_port), + clib_net_to_host_u16( ts->end_port)); + } + } + vlib_cli_output(vm, ""); + })); + } return 0; } diff --git a/vnet/vnet/ipsec/ikev2_priv.h b/vnet/vnet/ipsec/ikev2_priv.h index 4f05a60a621..731bb15e6b2 100644 --- a/vnet/vnet/ipsec/ikev2_priv.h +++ b/vnet/vnet/ipsec/ikev2_priv.h @@ -213,14 +213,18 @@ typedef struct { /* pool of IKEv2 Security Associations */ ikev2_sa_t * sas; + /* hash */ + uword * sa_by_rspi; +} ikev2_main_per_thread_data_t; + +typedef struct { /* pool of IKEv2 profiles */ ikev2_profile_t * profiles; /* vector of supported transform types */ ikev2_sa_transform_t * supported_transforms; - /* hashes */ - uword * sa_by_rspi; + /* hash */ mhash_t profile_index_by_name; /* local private key */ @@ -229,6 +233,9 @@ typedef struct { /* convenience */ vlib_main_t * vlib_main; vnet_main_t * vnet_main; + + ikev2_main_per_thread_data_t * per_thread_data; + } ikev2_main_t; ikev2_main_t ikev2_main; diff --git a/vnet/vnet/ipsec/ipsec.h b/vnet/vnet/ipsec/ipsec.h index 8cd2b41c92f..564a8e12fb8 100644 --- a/vnet/vnet/ipsec/ipsec.h +++ b/vnet/vnet/ipsec/ipsec.h @@ -107,6 +107,16 @@ typedef struct { ip4_address_t local_ip, remote_ip; u32 local_spi; u32 remote_spi; + ipsec_crypto_alg_t crypto_alg; + u8 local_crypto_key_len; + u8 local_crypto_key[128]; + u8 remote_crypto_key_len; + u8 remote_crypto_key[128]; + ipsec_integ_alg_t integ_alg; + u8 local_integ_key_len; + u8 local_integ_key[128]; + u8 remote_integ_key_len; + u8 remote_integ_key[128]; } ipsec_add_del_tunnel_args_t; typedef enum { @@ -225,7 +235,8 @@ uword unformat_ipsec_policy_action (unformat_input_t * input, va_list * args); uword unformat_ipsec_crypto_alg (unformat_input_t * input, va_list * args); uword unformat_ipsec_integ_alg (unformat_input_t * input, va_list * args); -u32 ipsec_add_del_tunnel_if (vnet_main_t * vnm, ipsec_add_del_tunnel_args_t * args); +/*u32 ipsec_add_del_tunnel_if (vnet_main_t * vnm, ipsec_add_del_tunnel_args_t * args); */ +int ipsec_add_del_tunnel_if (ipsec_add_del_tunnel_args_t * args); int ipsec_set_interface_key(vnet_main_t * vnm, u32 hw_if_index, ipsec_if_set_key_type_t type, u8 alg, u8 * key); diff --git a/vnet/vnet/ipsec/ipsec_cli.c b/vnet/vnet/ipsec/ipsec_cli.c index 0205d8bc877..1d19e537b88 100644 --- a/vnet/vnet/ipsec/ipsec_cli.c +++ b/vnet/vnet/ipsec/ipsec_cli.c @@ -585,12 +585,11 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm, { unformat_input_t _line_input, * line_input = &_line_input; ipsec_add_del_tunnel_args_t a; - ipsec_main_t *im = &ipsec_main; int rv; u32 num_m_args = 0; + + memset(&a, 0, sizeof(a)); a.is_add = 1; - a.anti_replay = 0; - a.esn = 0; /* Get a line of input. */ if (! unformat_user (input, unformat_line_input, line_input)) @@ -616,7 +615,7 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm, if (num_m_args < 4) return clib_error_return (0, "mandatory argument(s) missing"); - rv = ipsec_add_del_tunnel_if (im->vnet_main, &a); + rv = ipsec_add_del_tunnel_if (&a); switch(rv) { diff --git a/vnet/vnet/ipsec/ipsec_if.c b/vnet/vnet/ipsec/ipsec_if.c index 30631b60587..7a85fb16781 100644 --- a/vnet/vnet/ipsec/ipsec_if.c +++ b/vnet/vnet/ipsec/ipsec_if.c @@ -21,6 +21,8 @@ #include <vnet/ipsec/ipsec.h> +void vl_api_rpc_call_main_thread (void *fp, u8 * data, u32 data_length); + static u8 * format_ipsec_name (u8 * s, va_list * args) { u32 dev_instance = va_arg (*args, u32); @@ -46,8 +48,30 @@ VNET_HW_INTERFACE_CLASS (ipsec_hw_class) = { .name = "IPSec", }; -u32 -ipsec_add_del_tunnel_if (vnet_main_t * vnm, ipsec_add_del_tunnel_args_t * args) + +static int +ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, + ipsec_add_del_tunnel_args_t * args); + +static int +ipsec_add_del_tunnel_if_rpc_callback (ipsec_add_del_tunnel_args_t *a) +{ + vnet_main_t * vnm = vnet_get_main(); + ASSERT(os_get_cpu_number() == 0); + + return ipsec_add_del_tunnel_if_internal(vnm, a); +} + +int +ipsec_add_del_tunnel_if (ipsec_add_del_tunnel_args_t * args) +{ + vl_api_rpc_call_main_thread (ipsec_add_del_tunnel_if_rpc_callback, + (u8 *) args, sizeof(*args)); + return 0; +} + +int +ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, ipsec_add_del_tunnel_args_t * args) { ipsec_tunnel_if_t * t; ipsec_main_t * im = &ipsec_main; @@ -77,6 +101,18 @@ ipsec_add_del_tunnel_if (vnet_main_t * vnm, ipsec_add_del_tunnel_args_t * args) sa->is_tunnel = 1; sa->use_esn = args->esn; sa->use_anti_replay = args->anti_replay; + sa->integ_alg = args->integ_alg; + if (args->remote_integ_key_len <= sizeof(args->remote_integ_key)) + { + sa->integ_key_len = args->remote_integ_key_len; + clib_memcpy(sa->integ_key, args->remote_integ_key, args->remote_integ_key_len); + } + sa->crypto_alg = args->crypto_alg; + if (args->remote_crypto_key_len <= sizeof(args->remote_crypto_key)) + { + sa->crypto_key_len = args->remote_crypto_key_len; + clib_memcpy(sa->crypto_key, args->remote_crypto_key, args->remote_crypto_key_len); + } pool_get (im->sad, sa); memset (sa, 0, sizeof (*sa)); @@ -88,6 +124,18 @@ ipsec_add_del_tunnel_if (vnet_main_t * vnm, ipsec_add_del_tunnel_args_t * args) sa->seq = 1; sa->use_esn = args->esn; sa->use_anti_replay = args->anti_replay; + sa->integ_alg = args->integ_alg; + if (args->local_integ_key_len <= sizeof(args->local_integ_key)) + { + sa->integ_key_len = args->local_integ_key_len; + clib_memcpy(sa->integ_key, args->local_integ_key, args->local_integ_key_len); + } + sa->crypto_alg = args->crypto_alg; + if (args->local_crypto_key_len <= sizeof(args->local_crypto_key)) + { + sa->crypto_key_len = args->local_crypto_key_len; + clib_memcpy(sa->crypto_key, args->local_crypto_key, args->local_crypto_key_len); + } hash_set (im->ipsec_if_pool_index_by_key, key, t - im->tunnel_interfaces); |