From 0e36bbfd1b058b4febe895bad3d254851194ad6c Mon Sep 17 00:00:00 2001 From: Matthew Smith Date: Thu, 5 Jul 2018 14:45:58 -0500 Subject: Fix IPsec intf tx node setup at intf creation When using a DPDK cryptodev with IPsec, sending outbound packets results in a crash on division by zero if using an algorithm not supported by the OpenSSL ESP nodes. This includes AES-GCM and MD5. At IPsec intf creation time, the next node at slot IPSEC_OUTPUT_NEXT_ESP_ENCRYPT for ipsec_if_tx_node_fn is set to the node named esp-encrypt. This is the OpenSSL ESP encrypt function. If DPDK cryptodevs are configured, dpdk-esp-encrypt is the correct next node. Change to setting the next node according to the value in ipsec_main.esp_encrypt_node_index. That value is set to esp-encrypt by default. If DPDK cryptodevs are configured it gets set to dpdk-esp-encrypt. Change-Id: I83896c76b975d74aead247a162c85eccca9575a8 Signed-off-by: Matthew Smith --- src/vnet/ipsec/ipsec_if.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/vnet/ipsec') diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c index a7dbcbadb16..e950a5e0455 100644 --- a/src/vnet/ipsec/ipsec_if.c +++ b/src/vnet/ipsec/ipsec_if.c @@ -366,8 +366,8 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm, hi = vnet_get_hw_interface (vnm, hw_if_index); - slot = vlib_node_add_named_next_with_slot - (vnm->vlib_main, hi->tx_node_index, "esp-encrypt", + slot = vlib_node_add_next_with_slot + (vnm->vlib_main, hi->tx_node_index, im->esp_encrypt_node_index, IPSEC_OUTPUT_NEXT_ESP_ENCRYPT); ASSERT (slot == IPSEC_OUTPUT_NEXT_ESP_ENCRYPT); -- cgit 1.2.3-korg