From 2b5ba9501c3dda3645bf01eb53b2821471f2a946 Mon Sep 17 00:00:00 2001
From: Neale Ranns
Date: Tue, 2 Apr 2019 10:15:40 +0000
Subject: IPSEC: tunnel scaling - don't stack the inbould SA

Change-Id: I0b47590400aebea09aa1b27de753be638e1ba870
Signed-off-by: Neale Ranns
---
 src/vnet/ipsec/ipsec_format.c | 15 ++++++++++-----
 src/vnet/ipsec/ipsec_if.c | 2 +-
 src/vnet/ipsec/ipsec_sa.c | 16 +++------------
 src/vnet/ipsec/ipsec_sa.h | 1 +
 4 files changed, 15 insertions(+), 19 deletions(-)

(limited to 'src/vnet')

diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index a8616555629..c91a9ba632e 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -294,11 +294,16 @@ format_ipsec_sa (u8 * s, va_list * args)
 tx_table_id,
 format_ip46_address, &sa->tunnel_src_addr, IP46_TYPE_ANY,
 format_ip46_address, &sa->tunnel_dst_addr, IP46_TYPE_ANY);
- s = format (s, "\n resovle via fib-entry: %d", sa->fib_entry_index);
- s = format (s, "\n stacked on:");
- s =
- format (s, "\n %U", format_dpo_id, &sa->dpo[IPSEC_PROTOCOL_ESP],
- 6);
+ if (!ipsec_sa_is_set_IS_INBOUND (sa))
+ {
+ s =
+ format (s, "\n resovle via fib-entry: %d",
+ sa->fib_entry_index);
+ s = format (s, "\n stacked on:");
+ s =
+ format (s, "\n %U", format_dpo_id,
+ &sa->dpo[IPSEC_PROTOCOL_ESP], 6);
+ }
 }
 return (s);
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index bfdc2bb6814..3c1f84576d4 100644
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -306,7 +306,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
 &crypto_key,
 args->integ_alg,
 &integ_key,
- flags,
+ (flags | IPSEC_SA_FLAG_IS_INBOUND),
 args->tx_table_id,
 &args->remote_ip,
 &args->local_ip, &t->input_sa_index);
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index 9f2d8505c35..0ca2f376c67 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
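Review bot: The rewritten output lines keep the misspelling `resovle` in a user-facing string; since these lines are being touched anyway, change `format (s, "\n   resovle via fib-entry: %d",` to `format (s, "\n   resolve via fib-entry: %d",`. Beyond that the hunk only wraps the existing fib-entry and dpo output in the `!ipsec_sa_is_set_IS_INBOUND (sa)` guard, which is consistent with ipsec_sa_add no longer stacking inbound SAs. format_ipsec_sa begins outside the hunk.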
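Review bot: Nothing in this hunk ensures that `flags` arrives without IPSEC_SA_FLAG_IS_INBOUND already set, and the sibling call that creates the output SA (outside the hunk, presumably passing plain `flags`) would then also be classified as inbound and skip FIB stacking in ipsec_sa_add. Consider passing `(flags & ~IPSEC_SA_FLAG_IS_INBOUND)` for the output SA, or an `ASSERT (!(flags & IPSEC_SA_FLAG_IS_INBOUND));` on entry so that direction bits are owned by this function rather than by the caller. ipsec_add_del_tunnel_if_internal begins and ends outside the hunk.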
@@ -149,6 +149,7 @@ ipsec_sa_add (u32 id,
 sa->spi = spi;
 sa->stat_index = sa_index;
 sa->protocol = proto;
+ sa->flags = flags;
 ipsec_sa_set_crypto_alg (sa, crypto_alg);
 clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
 ipsec_sa_set_integ_alg (sa, integ_alg);
@@ -156,17 +157,6 @@ ipsec_sa_add (u32 id,
 ip46_address_copy (&sa->tunnel_src_addr, tun_src);
 ip46_address_copy (&sa->tunnel_dst_addr, tun_dst);
- if (flags & IPSEC_SA_FLAG_USE_ESN)
- ipsec_sa_set_USE_ESN (sa);
- if (flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY)
- ipsec_sa_set_USE_ANTI_REPLAY (sa);
- if (flags & IPSEC_SA_FLAG_IS_TUNNEL)
- ipsec_sa_set_IS_TUNNEL (sa);
- if (flags & IPSEC_SA_FLAG_IS_TUNNEL_V6)
- ipsec_sa_set_IS_TUNNEL_V6 (sa);
- if (flags & IPSEC_SA_FLAG_UDP_ENCAP)
- ipsec_sa_set_UDP_ENCAP (sa);
-
 err = ipsec_check_support_cb (im, sa);
 if (err)
 {
@@ -182,7 +172,7 @@ ipsec_sa_add (u32 id,
 return VNET_API_ERROR_SYSCALL_ERROR_1;
 }
- if (ipsec_sa_is_set_IS_TUNNEL (sa))
+ if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
 {
 fib_protocol_t fproto = (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
 FIB_PROTOCOL_IP6 : FIB_PROTOCOL_IP4);
@@ -280,7 +270,7 @@ ipsec_sa_del (u32 id)
 if (err)
 return VNET_API_ERROR_SYSCALL_ERROR_1;
- if (ipsec_sa_is_set_IS_TUNNEL (sa))
+ if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
 {
 fib_entry_child_remove (sa->fib_entry_index, sa->sibling);
 fib_table_entry_special_remove
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index cfb44b9e86d..66bdcc72308 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -91,6 +91,7 @@ typedef struct ipsec_key_t_
 _ (8, IS_TUNNEL_V6, "tunnel-v6") \
 _ (16, UDP_ENCAP, "udp-encap") \
 _ (32, IS_GRE, "GRE") \
+ _ (64, IS_INBOUND, "inboud") \
 typedef enum ipsec_sad_flags_t_
 {
-- 
cgit 1.2.3-korg
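Review bot: `sa->flags = flags;` stores every bit the caller supplies, whereas the per-flag copies removed in the following hunk only carried over the five named flags, so IS_GRE and any bits outside the defined flag set are now taken verbatim from `flags` — a behavioural change the commit message does not mention. If `flags` can originate from the binary API or CLI, mask it to the defined flag values before the assignment, or state in a comment above the line that callers are responsible for validating it. The two `&& !ipsec_sa_is_set_IS_INBOUND (sa)` guards added later in this file, in ipsec_sa_add and ipsec_sa_del, are consistent with each other and need no separate change. ipsec_sa_add begins outside the hunk.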
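Review bot: The display name of the new flag is misspelled: `_ (64, IS_INBOUND, "inboud")` should read `_ (64, IS_INBOUND, "inbound")`. Judging by the neighbouring entries ("udp-encap", "tunnel-v6") this string is presumably what gets rendered in show output, so the typo would become visible to operators and be awkward to correct later without changing that output.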