From 7a29a2d400bbc3740a6a98863f290aa654d5f724 Mon Sep 17 00:00:00 2001
From: Brian Russell
Date: Mon, 22 Feb 2021 18:42:24 +0000
Subject: ipsec: enable input features on tunnels

Make the ipsec[46]-tun-input nodes siblings of device-input so that input features can be enabled on them. Register ipsec-tun for feature updates. When a feature is enabled on the device-input arc and the ifindex is an IPSec tunnel, change the end node of the arc for that ifindex to be the appropriate ESP decrypt node. Set a flag on the tunnel to indicate that the feature arc should be started for packets input on the tunnel. Test input policing on ESP IPSec tunnels.
Type: improvement
Signed-off-by: Brian Russell
Change-Id: I3b9f047e5e737f3ea4c58fc82cd3c15700b6f9f7
---
src/vnet/devices/devices.h | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
(limited to 'src/vnet/devices/devices.h')
diff --git a/src/vnet/devices/devices.h b/src/vnet/devices/devices.h
index a14c1966e44..e54c7a29130 100644
--- a/src/vnet/devices/devices.h
@@ -27,17 +27,27 @@ typedef enum VNET_DEVICE_INPUT_NEXT_MPLS_INPUT, VNET_DEVICE_INPUT_NEXT_ETHERNET_INPUT, VNET_DEVICE_INPUT_NEXT_DROP, + + /* For tunnels */ + VNET_DEVICE_INPUT_NEXT_IP4_DROP, + VNET_DEVICE_INPUT_NEXT_IP6_DROP, + VNET_DEVICE_INPUT_NEXT_PUNT, + VNET_DEVICE_INPUT_N_NEXT_NODES, } vnet_device_input_next_t; -#define VNET_DEVICE_INPUT_NEXT_NODES { \ - [VNET_DEVICE_INPUT_NEXT_DROP] = "error-drop", \ - [VNET_DEVICE_INPUT_NEXT_ETHERNET_INPUT] = "ethernet-input", \ - [VNET_DEVICE_INPUT_NEXT_IP4_NCS_INPUT] = "ip4-input-no-checksum", \ - [VNET_DEVICE_INPUT_NEXT_IP4_INPUT] = "ip4-input", \ - [VNET_DEVICE_INPUT_NEXT_IP6_INPUT] = "ip6-input", \ - [VNET_DEVICE_INPUT_NEXT_MPLS_INPUT] = "mpls-input", \ -} +#define VNET_DEVICE_INPUT_NEXT_NODES \ + { \ + [VNET_DEVICE_INPUT_NEXT_DROP] = "error-drop", \ + [VNET_DEVICE_INPUT_NEXT_ETHERNET_INPUT] = "ethernet-input", \ + [VNET_DEVICE_INPUT_NEXT_IP4_NCS_INPUT] = "ip4-input-no-checksum", \ + [VNET_DEVICE_INPUT_NEXT_IP4_INPUT] = "ip4-input", \ + [VNET_DEVICE_INPUT_NEXT_IP6_INPUT] = "ip6-input", \ + [VNET_DEVICE_INPUT_NEXT_MPLS_INPUT] = "mpls-input", \ + [VNET_DEVICE_INPUT_NEXT_IP4_DROP] = "ip4-drop", \ + [VNET_DEVICE_INPUT_NEXT_IP6_DROP] = "ip6-drop", \ + [VNET_DEVICE_INPUT_NEXT_PUNT] = "punt-dispatch", \ + } typedef struct { -- cgit 1.2.3-korg
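Review bot: The `/* For tunnels */` comment above the three new next indices does not say which nodes are meant to use them, nor how `VNET_DEVICE_INPUT_NEXT_IP4_DROP` / `VNET_DEVICE_INPUT_NEXT_IP6_DROP` (`ip4-drop`, `ip6-drop`) differ from the existing `VNET_DEVICE_INPUT_NEXT_DROP` (`error-drop`). Since `VNET_DEVICE_INPUT_NEXT_NODES` is a shared initializer, every node that registers with it presumably also gains edges to the drop nodes and to `punt-dispatch`, so the intended users should be stated where the indices are declared. I would expand the comment to something like `/* Used by the ipsec[46]-tun-input siblings of device-input; device drivers keep using NEXT_DROP */`. It would also help to note beside the macro that every index below `VNET_DEVICE_INPUT_N_NEXT_NODES` needs an entry, because a designated initializer silently leaves a skipped slot NULL. The enum starts before the hunk and the struct after the macro continues past it, so neither is fully visible here.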