From 41afb33efe81a93ddf5879138802bf23602ccc81 Mon Sep 17 00:00:00 2001
From: Neale Ranns <nranns@cisco.com>
Date: Tue, 16 Jul 2019 06:19:35 -0700
Subject: ipsec: handle UDP keepalives

Type: feature

Change-Id: I87cc1168466f267e8c4bbec318401982f4bdf03a
Signed-off-by: Neale Ranns <nranns@cisco.com>
---
 src/vnet/ipsec/esp.h          |  6 +++-
 src/vnet/ipsec/ipsec_cli.c    | 52 +++++++++++++++++++++++++++++
 src/vnet/ipsec/ipsec_format.c | 34 +++++++++++++++----
 src/vnet/ipsec/ipsec_if.c     | 27 +++++++++------
 src/vnet/ipsec/ipsec_if.h     |  5 ++-
 src/vnet/ipsec/ipsec_if_in.c  | 76 ++++++++++++++++++++++++++++++++++++++-----
 src/vnet/ipsec/ipsec_tun.c    | 20 ++++++++----
 src/vnet/ipsec/ipsec_tun_in.c | 45 +++++++++++++++++++++----
 8 files changed, 227 insertions(+), 38 deletions(-)

(limited to 'src')

diff --git a/src/vnet/ipsec/esp.h b/src/vnet/ipsec/esp.h
index f36f52a4752..2ab7299d7c8 100644
--- a/src/vnet/ipsec/esp.h
+++ b/src/vnet/ipsec/esp.h
@@ -21,7 +21,11 @@
 
 typedef struct
 {
-  u32 spi;
+  union
+  {
+    u32 spi;
+    u8 spi_bytes[4];
+  };
   u32 seq;
   u8 data[0];
 } esp_header_t;
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index a5972bbf2c1..a7a6c0c0d5b 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -942,6 +942,58 @@ VLIB_CLI_COMMAND (ipsec_tun_protect_show_node, static) =
 };
 /* *INDENT-ON* */
 
+static clib_error_t *
+ipsec_tun_protect_hash_show (vlib_main_t * vm,
+			     unformat_input_t * input,
+			     vlib_cli_command_t * cmd)
+{
+  ipsec_main_t *im = &ipsec_main;
+
+  {
+    ipsec_tun_lkup_result_t value;
+    ipsec4_tunnel_key_t key;
+
+    vlib_cli_output (vm, "IPv4:");
+
+    /* *INDENT-OFF* */
+    hash_foreach(key.as_u64, value.as_u64, im->tun4_protect_by_key,
+    ({
+      vlib_cli_output (vm, " %U", format_ipsec4_tunnel_key, &key);
+      vlib_cli_output (vm, "  tun:%d sa:%d", value.tun_index, value.sa_index);
+    }));
+    /* *INDENT-ON* */
+  }
+
+  {
+    ipsec_tun_lkup_result_t value;
+    ipsec6_tunnel_key_t *key;
+
+    vlib_cli_output (vm, "IPv6:");
+
+    /* *INDENT-OFF* */
+    hash_foreach_mem(key, value.as_u64, im->tun6_protect_by_key,
+    ({
+      vlib_cli_output (vm, " %U", format_ipsec6_tunnel_key, key);
+      vlib_cli_output (vm, "  tun:%d sa:%d", value.tun_index, value.sa_index);
+    }));
+    /* *INDENT-ON* */
+  }
+
+  return NULL;
+}
+
+/**
+ * show IPSEC tunnel protection hash tables
+ */
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (ipsec_tun_protect_hash_show_node, static) =
+{
+  .path = "show ipsec protect-hash",
+  .function = ipsec_tun_protect_hash_show,
+  .short_help =  "show ipsec protect-hash",
+};
+/* *INDENT-ON* */
+
 clib_error_t *
 ipsec_cli_init (vlib_main_t * vm)
 {
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index 0d596c0c973..7a5e2584719 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -259,9 +259,7 @@ format_ipsec_sa_flags (u8 * s, va_list * args)
 {
   ipsec_sa_flags_t flags = va_arg (*args, int);
 
-  if (0)
-    ;
-#define _(v, f, str) else if (flags & IPSEC_SA_FLAG_##f) s = format(s, "%s ", str);
+#define _(v, f, str) if (flags & IPSEC_SA_FLAG_##f) s = format(s, "%s ", str);
   foreach_ipsec_sa_flags
 #undef _
     return (s);
@@ -285,10 +283,8 @@ format_ipsec_sa (u8 * s, va_list * args)
 
   sa = pool_elt_at_index (im->sad, sai);
 
-  s = format (s, "[%d] sa %d (0x%x) spi %u (0x%08x) mode %s%s protocol %s %U",
+  s = format (s, "[%d] sa %u (0x%x) spi %u (0x%08x) protocol:%s flags:[%U]",
 	      sai, sa->id, sa->id, sa->spi, sa->spi,
-	      ipsec_sa_is_set_IS_TUNNEL (sa) ? "tunnel" : "transport",
-	      ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ? "-ip6" : "",
 	      sa->protocol ? "esp" : "ah", format_ipsec_sa_flags, sa->flags);
 
   if (!(flags & IPSEC_FORMAT_DETAIL))
@@ -402,6 +398,32 @@ done:
   return (s);
 }
 
+u8 *
+format_ipsec4_tunnel_key (u8 * s, va_list * args)
+{
+  ipsec4_tunnel_key_t *key = va_arg (*args, ipsec4_tunnel_key_t *);
+
+  s = format (s, "remote:%U spi:%u (0x%08x)",
+	      format_ip4_address, &key->remote_ip,
+	      clib_net_to_host_u32 (key->spi),
+	      clib_net_to_host_u32 (key->spi));
+
+  return (s);
+}
+
+u8 *
+format_ipsec6_tunnel_key (u8 * s, va_list * args)
+{
+  ipsec6_tunnel_key_t *key = va_arg (*args, ipsec6_tunnel_key_t *);
+
+  s = format (s, "remote:%U spi:%u (0x%08x)",
+	      format_ip6_address, &key->remote_ip,
+	      clib_net_to_host_u32 (key->spi),
+	      clib_net_to_host_u32 (key->spi));
+
+  return (s);
+}
+
 /*
  * fd.io coding-style-patch-verification: ON
  *
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index 562f40ec9ab..43997bc86c1 100644
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -284,7 +284,7 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
 
   if (!is_ip6)
     {
-      key4.remote_ip = args->remote_ip.ip4.as_u32;
+      key4.remote_ip.as_u32 = args->remote_ip.ip4.as_u32;
       key4.spi = clib_host_to_net_u32 (args->remote_spi);
       p = hash_get (im->ipsec4_if_pool_index_by_key, key4.as_u64);
     }
@@ -375,8 +375,14 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
 	hash_set_mem_alloc (&im->ipsec6_if_pool_index_by_key, &key6,
 			    t - im->tunnel_interfaces);
       else
-	hash_set (im->ipsec4_if_pool_index_by_key, key4.as_u64,
-		  t - im->tunnel_interfaces);
+	{
+	  hash_set (im->ipsec4_if_pool_index_by_key, key4.as_u64,
+		    t - im->tunnel_interfaces);
+	  if (1 == hash_elts (im->ipsec4_if_pool_index_by_key))
+	    udp_register_dst_port (vlib_get_main (),
+				   UDP_DST_PORT_ipsec,
+				   ipsec4_if_input_node.index, 1);
+	}
 
       hw_if_index = vnet_register_interface (vnm, ipsec_device_class.index,
 					     t - im->tunnel_interfaces,
@@ -427,9 +433,13 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
       if (is_ip6)
 	hash_unset_mem_free (&im->ipsec6_if_pool_index_by_key, &key6);
       else
-	hash_unset (im->ipsec4_if_pool_index_by_key, key4.as_u64);
-
+	{
+	  hash_unset (im->ipsec4_if_pool_index_by_key, key4.as_u64);
+	  if (0 == hash_elts (im->ipsec4_if_pool_index_by_key))
+	    udp_unregister_dst_port (vlib_get_main (), UDP_DST_PORT_ipsec, 1);
+	}
       hash_unset (im->ipsec_if_real_dev_by_show_dev, t->show_instance);
+
       im->ipsec_if_by_sw_if_index[t->sw_if_index] = ~0;
 
       /* delete input and output SA */
@@ -506,7 +516,7 @@ ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index, u32 sa_id,
 	  ipsec4_tunnel_key_t key;
 
 	  /* unset old inbound hash entry. packets should stop arriving */
-	  key.remote_ip = old_sa->tunnel_src_addr.ip4.as_u32;
+	  key.remote_ip.as_u32 = old_sa->tunnel_src_addr.ip4.as_u32;
 	  key.spi = clib_host_to_net_u32 (old_sa->spi);
 
 	  p = hash_get (im->ipsec4_if_pool_index_by_key, key.as_u64);
@@ -515,7 +525,7 @@ ipsec_set_interface_sa (vnet_main_t * vnm, u32 hw_if_index, u32 sa_id,
 
 	  /* set new inbound SA, then set new hash entry */
 	  t->input_sa_index = sa_index;
-	  key.remote_ip = sa->tunnel_src_addr.ip4.as_u32;
+	  key.remote_ip.as_u32 = sa->tunnel_src_addr.ip4.as_u32;
 	  key.spi = clib_host_to_net_u32 (sa->spi);
 
 	  hash_set (im->ipsec4_if_pool_index_by_key, key.as_u64,
@@ -572,9 +582,6 @@ ipsec_tunnel_if_init (vlib_main_t * vm)
 						     sizeof (uword));
   im->ipsec_if_real_dev_by_show_dev = hash_create (0, sizeof (uword));
 
-  udp_register_dst_port (vm, UDP_DST_PORT_ipsec, ipsec4_if_input_node.index,
-			 1);
-
   /* set up feature nodes to drop outbound packets with no crypto alg set */
   ipsec_add_feature ("ip4-output", "esp4-no-crypto",
 		     &im->esp4_no_crypto_tun_feature_index);
diff --git a/src/vnet/ipsec/ipsec_if.h b/src/vnet/ipsec/ipsec_if.h
index 042dddee880..ecaf3c94205 100644
--- a/src/vnet/ipsec/ipsec_if.h
+++ b/src/vnet/ipsec/ipsec_if.h
@@ -64,7 +64,7 @@ typedef CLIB_PACKED
    */
   union {
     struct {
-      u32 remote_ip;
+      ip4_address_t remote_ip;
       u32 spi;
     };
     u64 as_u64;
@@ -84,6 +84,9 @@ typedef CLIB_PACKED
 }) ipsec6_tunnel_key_t;
 /* *INDENT-ON* */
 
+extern u8 *format_ipsec4_tunnel_key (u8 * s, va_list * args);
+extern u8 *format_ipsec6_tunnel_key (u8 * s, va_list * args);
+
 extern int ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
 					     ipsec_add_del_tunnel_args_t *
 					     args, u32 * sw_if_index);
diff --git a/src/vnet/ipsec/ipsec_if_in.c b/src/vnet/ipsec/ipsec_if_in.c
index fea25fe8cee..f9341d62a68 100644
--- a/src/vnet/ipsec/ipsec_if_in.c
+++ b/src/vnet/ipsec/ipsec_if_in.c
@@ -29,6 +29,8 @@
 _(RX, "good packets received")					  \
 _(DISABLED, "ipsec packets received on disabled interface")       \
 _(NO_TUNNEL, "no matching tunnel")                                \
+_(NAT_KEEPALIVE, "NAT Keepalive")                                 \
+_(TOO_SHORT, "Too Short")                                         \
 _(SPI_0, "SPI 0")
 
 static char *ipsec_if_input_error_strings[] = {
@@ -48,7 +50,12 @@ typedef enum
 
 typedef struct
 {
-  u32 spi;
+  union
+  {
+    ipsec4_tunnel_key_t key4;
+    ipsec6_tunnel_key_t key6;
+  };
+  u8 is_ip6;
   u32 seq;
 } ipsec_if_input_trace_t;
 
@@ -59,7 +66,12 @@ format_ipsec_if_input_trace (u8 * s, va_list * args)
   CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
   ipsec_if_input_trace_t *t = va_arg (*args, ipsec_if_input_trace_t *);
 
-  s = format (s, "IPSec: spi %u (0x%08x) seq %u", t->spi, t->spi, t->seq);
+  if (t->is_ip6)
+    s = format (s, "IPSec: %U seq %u",
+		format_ipsec6_tunnel_key, &t->key6, t->seq);
+  else
+    s = format (s, "IPSec: %U seq %u",
+		format_ipsec4_tunnel_key, &t->key4, t->seq);
   return s;
 }
 
@@ -215,6 +227,19 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
       len0 = vlib_buffer_length_in_chain (vm, b[0]);
       len1 = vlib_buffer_length_in_chain (vm, b[1]);
 
+      /* If the packet is too short to contain an SPI, then maybe
+       * it's a keep alive */
+      if (len0 < sizeof (esp_header_t))
+	{
+	  if (esp0->spi_bytes[0] == 0xff)
+	    b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_NAT_KEEPALIVE];
+	  else
+	    b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_TOO_SHORT];
+
+	  next[0] = IPSEC_INPUT_NEXT_DROP;
+	  goto pkt1;
+	}
+
       if (is_ip6)
 	{
 	  key60.remote_ip = ip60->src_address;
@@ -245,7 +270,7 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	}
       else			/* !is_ip6 */
 	{
-	  key40.remote_ip = ip40->src_address.as_u32;
+	  key40.remote_ip = ip40->src_address;
 	  key40.spi = esp0->spi;
 
 	  if (key40.as_u64 == last_key4.as_u64)
@@ -312,6 +337,18 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	}
 
     pkt1:
+
+      if (len1 < sizeof (esp_header_t))
+	{
+	  if (esp0->spi_bytes[0] == 0xff)
+	    b[1]->error = node->errors[IPSEC_IF_INPUT_ERROR_NAT_KEEPALIVE];
+	  else
+	    b[1]->error = node->errors[IPSEC_IF_INPUT_ERROR_TOO_SHORT];
+
+	  next[1] = IPSEC_INPUT_NEXT_DROP;
+	  goto trace1;
+	}
+
       if (is_ip6)
 	{
 	  key61.remote_ip = ip61->src_address;
@@ -342,7 +379,7 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	}
       else			/* !is_ip6 */
 	{
-	  key41.remote_ip = ip41->src_address.as_u32;
+	  key41.remote_ip = ip41->src_address;
 	  key41.spi = esp1->spi;
 
 	  if (key41.as_u64 == last_key4.as_u64)
@@ -415,14 +452,22 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	    {
 	      ipsec_if_input_trace_t *tr =
 		vlib_add_trace (vm, node, b[0], sizeof (*tr));
-	      tr->spi = clib_host_to_net_u32 (esp0->spi);
+	      if (is_ip6)
+		clib_memcpy (&tr->key6, &key60, sizeof (tr->key6));
+	      else
+		clib_memcpy (&tr->key4, &key40, sizeof (tr->key4));
+	      tr->is_ip6 = is_ip6;
 	      tr->seq = clib_host_to_net_u32 (esp0->seq);
 	    }
 	  if (b[1]->flags & VLIB_BUFFER_IS_TRACED)
 	    {
 	      ipsec_if_input_trace_t *tr =
 		vlib_add_trace (vm, node, b[1], sizeof (*tr));
-	      tr->spi = clib_host_to_net_u32 (esp1->spi);
+	      if (is_ip6)
+		clib_memcpy (&tr->key6, &key61, sizeof (tr->key6));
+	      else
+		clib_memcpy (&tr->key4, &key41, sizeof (tr->key4));
+	      tr->is_ip6 = is_ip6;
 	      tr->seq = clib_host_to_net_u32 (esp1->seq);
 	    }
 	}
@@ -477,6 +522,17 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
       vlib_buffer_advance (b[0], buf_adv0);
       len0 = vlib_buffer_length_in_chain (vm, b[0]);
 
+      if (len0 < sizeof (esp_header_t))
+	{
+	  if (esp0->spi_bytes[0] == 0xff)
+	    b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_NAT_KEEPALIVE];
+	  else
+	    b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_TOO_SHORT];
+
+	  next[0] = IPSEC_INPUT_NEXT_DROP;
+	  goto trace00;
+	}
+
       if (is_ip6)
 	{
 	  key60.remote_ip = ip60->src_address;
@@ -507,7 +563,7 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	}
       else			/* !is_ip6 */
 	{
-	  key40.remote_ip = ip40->src_address.as_u32;
+	  key40.remote_ip = ip40->src_address;
 	  key40.spi = esp0->spi;
 
 	  if (key40.as_u64 == last_key4.as_u64)
@@ -580,7 +636,11 @@ ipsec_if_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	    {
 	      ipsec_if_input_trace_t *tr =
 		vlib_add_trace (vm, node, b[0], sizeof (*tr));
-	      tr->spi = clib_host_to_net_u32 (esp0->spi);
+	      if (is_ip6)
+		clib_memcpy (&tr->key6, &key60, sizeof (tr->key6));
+	      else
+		clib_memcpy (&tr->key4, &key40, sizeof (tr->key4));
+	      tr->is_ip6 = is_ip6;
 	      tr->seq = clib_host_to_net_u32 (esp0->seq);
 	    }
 	}
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index 46980df101b..859fab8899e 100644
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -98,10 +98,14 @@ ipsec_tun_protect_db_add (ipsec_main_t * im, const ipsec_tun_protect_t * itp)
       if (ip46_address_is_ip4 (&itp->itp_crypto.dst))
         {
           ipsec4_tunnel_key_t key = {
-            .remote_ip = itp->itp_crypto.dst.ip4.as_u32,
+            .remote_ip = itp->itp_crypto.dst.ip4,
             .spi = clib_host_to_net_u32 (sa->spi),
           };
           hash_set (im->tun4_protect_by_key, key.as_u64, res.as_u64);
+          if (1 == hash_elts(im->tun4_protect_by_key))
+            udp_register_dst_port (vlib_get_main(),
+                                   UDP_DST_PORT_ipsec,
+                                   ipsec4_tun_input_node.index, 1);
         }
       else
         {
@@ -127,10 +131,14 @@ ipsec_tun_protect_db_remove (ipsec_main_t * im,
       if (ip46_address_is_ip4 (&itp->itp_crypto.dst))
         {
           ipsec4_tunnel_key_t key = {
-            .remote_ip = itp->itp_crypto.dst.ip4.as_u32,
+            .remote_ip = itp->itp_crypto.dst.ip4,
             .spi = clib_host_to_net_u32 (sa->spi),
           };
           hash_unset (im->tun4_protect_by_key, &key);
+          if (0 == hash_elts(im->tun4_protect_by_key))
+            udp_unregister_dst_port (vlib_get_main(),
+                                     UDP_DST_PORT_ipsec,
+                                     1);
         }
       else
         {
@@ -359,10 +367,10 @@ ipsec_tun_protect_del (u32 sw_if_index)
 
   pool_put (ipsec_protect_pool, itp);
 
-  /* if (0 == hash_elts (im->tun4_protect_by_key)) */
-  /*   ip4_unregister_protocol (IP_PROTOCOL_IPSEC_ESP); */
-  /* if (0 == hash_elts (im->tun6_protect_by_key)) */
-  /*   ip6_unregister_protocol (IP_PROTOCOL_IPSEC_ESP); */
+  if (0 == hash_elts (im->tun4_protect_by_key))
+    ip4_unregister_protocol (IP_PROTOCOL_IPSEC_ESP);
+  if (0 == hash_elts (im->tun6_protect_by_key))
+    ip6_unregister_protocol (IP_PROTOCOL_IPSEC_ESP);
 
   return (0);
 }
diff --git a/src/vnet/ipsec/ipsec_tun_in.c b/src/vnet/ipsec/ipsec_tun_in.c
index df6d9278303..04f7a9296ab 100644
--- a/src/vnet/ipsec/ipsec_tun_in.c
+++ b/src/vnet/ipsec/ipsec_tun_in.c
@@ -32,6 +32,8 @@
   _(DISABLED, "ipsec packets received on disabled interface")     \
   _(NO_TUNNEL, "no matching tunnel")                              \
   _(TUNNEL_MISMATCH, "SPI-tunnel mismatch")                       \
+  _(NAT_KEEPALIVE, "NAT Keepalive")                               \
+  _(TOO_SHORT, "Too Short")                                       \
   _(SPI_0, "SPI 0")
 
 static char *ipsec_tun_protect_input_error_strings[] = {
@@ -59,7 +61,12 @@ typedef enum ipsec_tun_next_t_
 
 typedef struct
 {
-  u32 spi;
+  union
+  {
+    ipsec4_tunnel_key_t key4;
+    ipsec6_tunnel_key_t key6;
+  };
+  u8 is_ip6;
   u32 seq;
 } ipsec_tun_protect_input_trace_t;
 
@@ -71,7 +78,12 @@ format_ipsec_tun_protect_input_trace (u8 * s, va_list * args)
   ipsec_tun_protect_input_trace_t *t =
     va_arg (*args, ipsec_tun_protect_input_trace_t *);
 
-  s = format (s, "IPSec: spi %u seq %u", t->spi, t->seq);
+  if (t->is_ip6)
+    s = format (s, "IPSec: %U seq %u",
+		format_ipsec6_tunnel_key, &t->key6, t->seq);
+  else
+    s = format (s, "IPSec: %U seq %u",
+		format_ipsec4_tunnel_key, &t->key4, t->seq);
   return s;
 }
 
@@ -160,8 +172,10 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
       ip4_header_t *ip40;
       ip6_header_t *ip60;
       esp_header_t *esp0;
+      u16 buf_rewind0;
 
-      ip40 = vlib_buffer_get_current (b[0]);
+      ip40 =
+	(ip4_header_t *) (b[0]->data + vnet_buffer (b[0])->l3_hdr_offset);
 
       if (is_ip6)
 	{
@@ -178,11 +192,12 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 		(esp_header_t *) ((u8 *) ip40 + ip4_header_bytes (ip40) +
 				  sizeof (udp_header_t));
 	      hdr_sz0 = 0;
+	      buf_rewind0 = ip4_header_bytes (ip40) + sizeof (udp_header_t);
 	    }
 	  else
 	    {
 	      esp0 = (esp_header_t *) ((u8 *) ip40 + ip4_header_bytes (ip40));
-	      hdr_sz0 = ip4_header_bytes (ip40);
+	      buf_rewind0 = hdr_sz0 = ip4_header_bytes (ip40);
 	    }
 	}
 
@@ -191,6 +206,19 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
       vlib_buffer_advance (b[0], hdr_sz0);
       len0 = vlib_buffer_length_in_chain (vm, b[0]);
 
+      if (len0 < sizeof (esp_header_t))
+	{
+	  if (esp0->spi_bytes[0] == 0xff)
+	    b[0]->error =
+	      node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_NAT_KEEPALIVE];
+	  else
+	    b[0]->error =
+	      node->errors[IPSEC_TUN_PROTECT_INPUT_ERROR_TOO_SHORT];
+
+	  next[0] = IPSEC_INPUT_NEXT_DROP;
+	  goto trace00;
+	}
+
       if (is_ip6)
 	{
 	  key60.remote_ip = ip60->src_address;
@@ -219,7 +247,7 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	}
       else
 	{
-	  key40.remote_ip = ip40->src_address.as_u32;
+	  key40.remote_ip = ip40->src_address;
 	  key40.spi = esp0->spi;
 
 	  if (key40.as_u64 == last_key4.as_u64)
@@ -238,6 +266,7 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	      else
 		{
 		  next[0] = ipsec_ip4_if_no_tunnel (node, b[0], esp0, ip40);
+		  vlib_buffer_advance (b[0], -buf_rewind0);
 		  n_no_tunnel++;
 		  goto trace00;
 		}
@@ -342,7 +371,11 @@ ipsec_tun_protect_input_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
 	    {
 	      ipsec_tun_protect_input_trace_t *tr =
 		vlib_add_trace (vm, node, b[0], sizeof (*tr));
-	      tr->spi = clib_host_to_net_u32 (esp0->spi);
+	      if (is_ip6)
+		clib_memcpy (&tr->key6, &key60, sizeof (tr->key6));
+	      else
+		clib_memcpy (&tr->key4, &key40, sizeof (tr->key4));
+	      tr->is_ip6 = is_ip6;
 	      tr->seq = clib_host_to_net_u32 (esp0->seq);
 	    }
 	}
-- 
cgit 1.2.3-korg