[qca-nss-ecm] Support for IPSec Inner/outer
Enable IPsec inner/outer support
Change-Id: I276c3a19d93d9eba6274b1c9c97b0d63ebee9d9d
Signed-off-by: ratheesh kannoth <rkannoth@codeaurora.org>
diff --git a/Makefile b/Makefile
index 397cf98..ac2ebee 100755
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
##########################################################################
-# Copyright (c) 2014-2016, 2018, The Linux Foundation. All rights reserved.
+# Copyright (c) 2014-2016, 2018-2019, The Linux Foundation. All rights reserved.
# Permission to use, copy, modify, and/or distribute this software for
# any purpose with or without fee is hereby granted, provided that the
# above copyright notice and this permission notice appear in all copies.
@@ -174,6 +174,12 @@
# #############################################################################
ccflags-$(ECM_INTERFACE_IPSEC_ENABLE) += -DECM_INTERFACE_IPSEC_ENABLE
+ECM_INTERFACE_IPSEC_GLUE_LAYER_SUPPORT_ENABLE=n
+ifeq ($(SoC),$(filter $(SoC), ipq807x ipq807x_64 ipq60xx ipq60xx_64))
+ECM_INTERFACE_IPSEC_GLUE_LAYER_SUPPORT_ENABLE=$(ECM_INTERFACE_IPSEC_ENABLE)
+ccflags-$(ECM_INTERFACE_IPSEC_GLUE_LAYER_SUPPORT_ENABLE) += -DECM_INTERFACE_IPSEC_GLUE_LAYER_SUPPORT_ENABLE
+endif
+
# #############################################################################
# Define ECM_IPV6_ENABLE=y in order to enable IPv6 support in the ECM.
# #############################################################################
diff --git a/ecm_db/ecm_db_iface.c b/ecm_db/ecm_db_iface.c
index 5347324..2f49fa5 100644
--- a/ecm_db/ecm_db_iface.c
+++ b/ecm_db/ecm_db_iface.c
@@ -1,6 +1,6 @@
/*
**************************************************************************
- * Copyright (c) 2014-2018, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2019, The Linux Foundation. All rights reserved.
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
* above copyright notice and this permission notice appear in all copies.
@@ -1069,7 +1069,6 @@
}
EXPORT_SYMBOL(ecm_db_interface_get_and_ref_next);
-
#ifdef ECM_INTERFACE_SIT_ENABLE
/*
* ecm_db_iface_generate_hash_index_sit()
@@ -1949,7 +1948,7 @@
* Lookup and return a iface reference if any.
* GGG TODO Flesh this out using tunnel endpoint keys
*/
-struct ecm_db_iface_instance *ecm_db_iface_find_and_ref_ipsec_tunnel(uint32_t os_specific_ident)
+struct ecm_db_iface_instance *ecm_db_iface_find_and_ref_ipsec_tunnel(uint32_t os_specific_ident, int32_t ae_interface_num)
{
ecm_db_iface_hash_t hash_index;
struct ecm_db_iface_instance *ii;
@@ -1967,7 +1966,9 @@
spin_lock_bh(&ecm_db_lock);
ii = ecm_db_iface_table[hash_index];
while (ii) {
- if ((ii->type != ECM_DB_IFACE_TYPE_IPSEC_TUNNEL) || (ii->type_info.ipsec_tunnel.os_specific_ident != os_specific_ident)) {
+ if ((ii->type != ECM_DB_IFACE_TYPE_IPSEC_TUNNEL)
+ || (ii->type_info.ipsec_tunnel.os_specific_ident != os_specific_ident)
+ || (ii->ae_interface_identifier != ae_interface_num)) {
ii = ii->hash_next;
continue;
}
diff --git a/ecm_db/ecm_db_iface.h b/ecm_db/ecm_db_iface.h
index fa49fda..69c9a7a 100644
--- a/ecm_db/ecm_db_iface.h
+++ b/ecm_db/ecm_db_iface.h
@@ -1,6 +1,6 @@
/*
**************************************************************************
- * Copyright (c) 2014-2018, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2019, The Linux Foundation. All rights reserved.
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
* above copyright notice and this permission notice appear in all copies.
@@ -246,7 +246,7 @@
struct ecm_db_iface_instance *ecm_db_iface_find_and_ref_loopback(uint32_t os_specific_ident);
#ifdef ECM_INTERFACE_IPSEC_ENABLE
-struct ecm_db_iface_instance *ecm_db_iface_find_and_ref_ipsec_tunnel(uint32_t os_specific_ident);
+struct ecm_db_iface_instance *ecm_db_iface_find_and_ref_ipsec_tunnel(uint32_t os_specific_ident, int32_t ae_interface_num);
void ecm_db_iface_add_ipsec_tunnel(struct ecm_db_iface_instance *ii,
uint32_t os_specific_ident, char *name, int32_t mtu,
int32_t interface_identifier, int32_t ae_interface_identifier,
diff --git a/ecm_interface.c b/ecm_interface.c
index 14baccb..e6bdc12 100644
--- a/ecm_interface.c
+++ b/ecm_interface.c
@@ -1,6 +1,6 @@
/*
**************************************************************************
- * Copyright (c) 2014-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2019 The Linux Foundation. All rights reserved.
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
* above copyright notice and this permission notice appear in all copies.
@@ -114,6 +114,7 @@
#include "ecm_tracker_tcp.h"
#include "ecm_db.h"
#include "ecm_interface.h"
+#include "exports/ecm_interface_ipsec.h"
/*
* Wifi event handler structure.
@@ -132,6 +133,13 @@
struct net_device *ipv6_dev_find(struct net *net, struct in6_addr *addr, int strict);
#endif
+#ifdef ECM_INTERFACE_IPSEC_ENABLE
+/*
+ * Get ipsecmgr tunnel netdevice method
+ */
+static struct ecm_interface_ipsec_callback ecm_interface_ipsec_cb;
+#endif
+
/*
* Locking - concurrency control
*/
@@ -1836,7 +1844,7 @@
/*
* Locate the iface
*/
- ii = ecm_db_iface_find_and_ref_ipsec_tunnel(type_info->os_specific_ident);
+ ii = ecm_db_iface_find_and_ref_ipsec_tunnel(type_info->os_specific_ident, ae_interface_num);
if (ii) {
DEBUG_TRACE("%p: iface established\n", ii);
return ii;
@@ -1855,7 +1863,7 @@
* Add iface into the database, atomically to avoid races creating the same thing
*/
spin_lock_bh(&ecm_interface_lock);
- ii = ecm_db_iface_find_and_ref_ipsec_tunnel(type_info->os_specific_ident);
+ ii = ecm_db_iface_find_and_ref_ipsec_tunnel(type_info->os_specific_ident, ae_interface_num);
if (ii) {
spin_unlock_bh(&ecm_interface_lock);
ecm_db_iface_deref(nii);
@@ -2213,11 +2221,41 @@
* IPSEC?
*/
if (dev_type == ECM_ARPHRD_IPSEC_TUNNEL_TYPE) {
+
+#ifdef ECM_INTERFACE_IPSEC_GLUE_LAYER_SUPPORT_ENABLE
+ struct net_device *ipsec_dev;
+
DEBUG_TRACE("Net device: %p is IPSec tunnel type: %d\n", dev, dev_type);
+
+ spin_lock_bh(&ecm_interface_lock);
+ if (!ecm_interface_ipsec_cb.tunnel_get_and_hold) {
+ spin_unlock_bh(&ecm_interface_lock);
+ DEBUG_WARN("IPSec glue module is not loaded yet for dev=%s\n", dev->name);
+ return NULL;
+ }
+
+ ipsec_dev = ecm_interface_ipsec_cb.tunnel_get_and_hold(dev, skb, &interface_type);
+ spin_unlock_bh(&ecm_interface_lock);
+
+ if (!ipsec_dev) {
+ DEBUG_WARN("Failed to find NSS IPSec dev for: %s and type: %d\n", dev->name, dev_type);
+ return NULL;
+ }
+
+ ae_interface_num = feci->ae_interface_number_by_dev_type_get(ipsec_dev, interface_type);
+ if (ae_interface_num < 0) {
+ DEBUG_TRACE("IPSec interface %s is not ready yet\n", ipsec_dev->name);
+ dev_put(ipsec_dev);
+ return NULL;
+ }
+ dev_put(ipsec_dev);
+#endif
type_info.ipsec_tunnel.os_specific_ident = dev_interface_num;
- // GGG TODO Flesh this out with tunnel endpoint addressing detail
ii = ecm_interface_ipsec_tunnel_interface_establish(&type_info.ipsec_tunnel, dev_name, dev_interface_num, ae_interface_num, dev_mtu);
+ if (ii) {
+ ecm_db_iface_identifier_hash_table_entry_check_and_update(ii, dev_interface_num);
+ }
return ii;
}
#endif
@@ -6228,6 +6266,33 @@
{ }
};
+#ifdef ECM_INTERFACE_IPSEC_GLUE_LAYER_SUPPORT_ENABLE
+/*
+ * ecm_interface_ipsec_register_callbacks()
+ * Register callbacks
+ */
+void ecm_interface_ipsec_register_callbacks(struct ecm_interface_ipsec_callback *cb)
+{
+ spin_lock_bh(&ecm_interface_lock);
+ memcpy(&ecm_interface_ipsec_cb, cb, sizeof(struct ecm_interface_ipsec_callback));
+ spin_unlock_bh(&ecm_interface_lock);
+}
+EXPORT_SYMBOL(ecm_interface_ipsec_register_callbacks);
+
+/*
+ * ecm_interface_ipsec_unregister_callbacks
+ * Unregister callbacks
+ */
+void ecm_interface_ipsec_unregister_callbacks(void)
+{
+ spin_lock_bh(&ecm_interface_lock);
+ memset(&ecm_interface_ipsec_cb, 0, sizeof(struct ecm_interface_ipsec_callback));
+ spin_unlock_bh(&ecm_interface_lock);
+}
+EXPORT_SYMBOL(ecm_interface_ipsec_unregister_callbacks);
+
+#endif
+
/*
* ecm_interface_init()
*/
diff --git a/ecm_interface.h b/ecm_interface.h
index e6597b3..2668269 100644
--- a/ecm_interface.h
+++ b/ecm_interface.h
@@ -1,6 +1,6 @@
/*
**************************************************************************
- * Copyright (c) 2014-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2019 The Linux Foundation. All rights reserved.
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
* above copyright notice and this permission notice appear in all copies.
@@ -39,7 +39,6 @@
*/
#define ECM_INTERFACE_IPSEC_DEFAULT_CORE 0x2
#define ECM_INTERFACE_IPSEC_CORE_OFFSET 24
-#define ECM_INTERFACE_IPSEC_IF_NUM ((ECM_INTERFACE_IPSEC_DEFAULT_CORE << ECM_INTERFACE_IPSEC_CORE_OFFSET) | NSS_IPSEC_RULE_INTERFACE)
/*
* External defined functions
diff --git a/exports/ecm_interface_ipsec.h b/exports/ecm_interface_ipsec.h
new file mode 100644
index 0000000..936cc31
--- /dev/null
+++ b/exports/ecm_interface_ipsec.h
@@ -0,0 +1,26 @@
+/*
+ **************************************************************************
+ * Copyright (c) 2018-2019 The Linux Foundation. All rights reserved.
+ * Permission to use, copy, modify, and/or distribute this software for
+ * any purpose with or without fee is hereby granted, provided that the
+ * above copyright notice and this permission notice appear in all copies.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ **************************************************************************
+ */
+#ifndef __ECM_INTERFACE_IPSEC_H__
+#define __ECM_INTERFACE_IPSEC_H__
+
+struct ecm_interface_ipsec_callback{
+ struct net_device *(*tunnel_get_and_hold)(struct net_device *dev, struct sk_buff *skb, int *if_type);
+};
+
+void ecm_interface_ipsec_register_callbacks(struct ecm_interface_ipsec_callback *cb);
+void ecm_interface_ipsec_unregister_callbacks(void);
+
+#endif
diff --git a/frontends/nss/ecm_nss_common.h b/frontends/nss/ecm_nss_common.h
index 5a59757..8ae7cdc 100644
--- a/frontends/nss/ecm_nss_common.h
+++ b/frontends/nss/ecm_nss_common.h
@@ -1,6 +1,6 @@
/*
**************************************************************************
- * Copyright (c) 2015, 2018, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2015, 2018-2019, The Linux Foundation. All rights reserved.
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
* above copyright notice and this permission notice appear in all copies.
@@ -18,6 +18,14 @@
#include <nat46-core.h>
#endif
+#ifdef ECM_INTERFACE_IPSEC_ENABLE
+#ifdef ECM_INTERFACE_IPSEC_GLUE_LAYER_SUPPORT_ENABLE
+#include "nss_ipsec_cmn.h"
+#else
+#include "nss_ipsec.h"
+#endif
+#endif
+
/*
* Some constants used with constructing NSS acceleration rules.
* GGG TODO These should be provided by the NSS driver itself!
@@ -61,7 +69,7 @@
* nss_interface_num for all IPsec tunnels will always be the one specific to acceleration engine.
*/
if (dev->type == ECM_ARPHRD_IPSEC_TUNNEL_TYPE) {
- return ECM_INTERFACE_IPSEC_IF_NUM;
+ return NSS_IPSEC_CMN_INTERFACE;
}
return nss_cmn_get_interface_number_by_dev(dev);
@@ -76,8 +84,8 @@
/*
* nss_interface_num for all IPsec tunnels will always be the one specific to acceleration engine.
*/
- if (dev->type == ECM_ARPHRD_IPSEC_TUNNEL_TYPE) {
- return ECM_INTERFACE_IPSEC_IF_NUM;
+ if ((dev->type == ECM_ARPHRD_IPSEC_TUNNEL_TYPE) && !type) {
+ return NSS_IPSEC_CMN_INTERFACE;
}
return nss_cmn_get_interface_number_by_dev_and_type(dev, type);
@@ -184,3 +192,18 @@
*/
return NSS_DYNAMIC_INTERFACE_TYPE_NONE;
}
+
+#ifdef ECM_INTERFACE_IPSEC_ENABLE
+/*
+ * ecm_nss_common_ipsec_get_ifnum()
+ * Get ipsec specific interface number appended with coreid
+ */
+static inline int32_t ecm_nss_common_ipsec_get_ifnum(int32_t ifnum)
+{
+#ifdef ECM_INTERFACE_IPSEC_GLUE_LAYER_SUPPORT_ENABLE
+ return nss_ipsec_cmn_get_ifnum_with_coreid(ifnum);
+#else
+ return nss_ipsec_get_ifnum(ifnum);
+#endif
+}
+#endif
diff --git a/frontends/nss/ecm_nss_multicast_ipv4.c b/frontends/nss/ecm_nss_multicast_ipv4.c
index 2fb1fd1..111bb72 100644
--- a/frontends/nss/ecm_nss_multicast_ipv4.c
+++ b/frontends/nss/ecm_nss_multicast_ipv4.c
@@ -1,6 +1,6 @@
/*
**************************************************************************
- * Copyright (c) 2014-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2019 The Linux Foundation. All rights reserved.
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
* above copyright notice and this permission notice appear in all copies.
@@ -91,6 +91,7 @@
#include "ecm_interface.h"
#include "ecm_nss_ipv4.h"
#include "ecm_nss_multicast_ipv4.h"
+
#include "ecm_nss_common.h"
/*
diff --git a/frontends/nss/ecm_nss_non_ported_ipv4.c b/frontends/nss/ecm_nss_non_ported_ipv4.c
index 8f6212a..303e7e1 100644
--- a/frontends/nss/ecm_nss_non_ported_ipv4.c
+++ b/frontends/nss/ecm_nss_non_ported_ipv4.c
@@ -1,6 +1,6 @@
/*
**************************************************************************
- * Copyright (c) 2014-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2019 The Linux Foundation. All rights reserved.
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
* above copyright notice and this permission notice appear in all copies.
@@ -68,6 +68,10 @@
#include <nss_api_if.h>
+#ifdef ECM_INTERFACE_IPSEC_ENABLE
+#include "nss_ipsec_cmn.h"
+#endif
+
#include "ecm_types.h"
#include "ecm_db_types.h"
#include "ecm_state.h"
@@ -708,7 +712,9 @@
DEBUG_TRACE("%p: IPSEC - additional unsupported\n", nnpci);
break;
}
- nircm->conn_rule.flow_interface_num = ECM_INTERFACE_IPSEC_IF_NUM;
+
+ nircm->conn_rule.flow_interface_num = ecm_nss_common_ipsec_get_ifnum(from_nss_iface_id);
+ nircm->nexthop_rule.flow_nexthop = ecm_nss_common_ipsec_get_ifnum(nircm->nexthop_rule.flow_nexthop);
#else
rule_invalid = true;
DEBUG_TRACE("%p: IPSEC - unsupported\n", nnpci);
@@ -897,7 +903,9 @@
DEBUG_TRACE("%p: IPSEC - additional unsupported\n", nnpci);
break;
}
- nircm->conn_rule.return_interface_num = ECM_INTERFACE_IPSEC_IF_NUM;
+
+ nircm->conn_rule.return_interface_num = ecm_nss_common_ipsec_get_ifnum(to_nss_iface_id);
+ nircm->nexthop_rule.return_nexthop = ecm_nss_common_ipsec_get_ifnum(nircm->nexthop_rule.return_nexthop);
#else
rule_invalid = true;
DEBUG_TRACE("%p: IPSEC - unsupported\n", nnpci);
diff --git a/frontends/nss/ecm_nss_non_ported_ipv6.c b/frontends/nss/ecm_nss_non_ported_ipv6.c
index 7ab0114..9c43993 100644
--- a/frontends/nss/ecm_nss_non_ported_ipv6.c
+++ b/frontends/nss/ecm_nss_non_ported_ipv6.c
@@ -1,6 +1,6 @@
/*
**************************************************************************
- * Copyright (c) 2014-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2019 The Linux Foundation. All rights reserved.
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
* above copyright notice and this permission notice appear in all copies.
@@ -69,6 +69,10 @@
#include <nss_api_if.h>
+#ifdef ECM_INTERFACE_IPSEC_ENABLE
+#include "nss_ipsec_cmn.h"
+#endif
+
#include "ecm_types.h"
#include "ecm_db_types.h"
#include "ecm_state.h"
@@ -622,7 +626,9 @@
DEBUG_TRACE("%p: IPSEC - additional unsupported\n", nnpci);
break;
}
- nircm->conn_rule.flow_interface_num = ECM_INTERFACE_IPSEC_IF_NUM;
+
+ nircm->conn_rule.flow_interface_num = ecm_nss_common_ipsec_get_ifnum(from_nss_iface_id);
+ nircm->nexthop_rule.flow_nexthop = ecm_nss_common_ipsec_get_ifnum(nircm->nexthop_rule.flow_nexthop);
#else
rule_invalid = true;
DEBUG_TRACE("%p: IPSEC - unsupported\n", nnpci);
@@ -800,7 +806,9 @@
DEBUG_TRACE("%p: IPSEC - additional unsupported\n", nnpci);
break;
}
- nircm->conn_rule.return_interface_num = ECM_INTERFACE_IPSEC_IF_NUM;
+
+ nircm->conn_rule.return_interface_num = ecm_nss_common_ipsec_get_ifnum(to_nss_iface_id);
+ nircm->nexthop_rule.return_nexthop = ecm_nss_common_ipsec_get_ifnum(nircm->nexthop_rule.return_nexthop);
#else
rule_invalid = true;
DEBUG_TRACE("%p: IPSEC - unsupported\n", nnpci);
diff --git a/frontends/nss/ecm_nss_ported_ipv4.c b/frontends/nss/ecm_nss_ported_ipv4.c
index cb9b122..bf4f820 100644
--- a/frontends/nss/ecm_nss_ported_ipv4.c
+++ b/frontends/nss/ecm_nss_ported_ipv4.c
@@ -1,6 +1,6 @@
/*
**************************************************************************
- * Copyright (c) 2014-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2019 The Linux Foundation. All rights reserved.
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
* above copyright notice and this permission notice appear in all copies.
@@ -69,6 +69,10 @@
#include <nss_api_if.h>
+#ifdef ECM_INTERFACE_IPSEC_ENABLE
+#include "nss_ipsec_cmn.h"
+#endif
+
#include "ecm_types.h"
#include "ecm_db_types.h"
#include "ecm_state.h"
@@ -613,7 +617,9 @@
DEBUG_TRACE("%p: IPSEC - additional unsupported\n", npci);
break;
}
- nircm->conn_rule.flow_interface_num = ECM_INTERFACE_IPSEC_IF_NUM;
+
+ nircm->conn_rule.flow_interface_num = ecm_nss_common_ipsec_get_ifnum(from_nss_iface_id);
+ nircm->nexthop_rule.flow_nexthop = ecm_nss_common_ipsec_get_ifnum(nircm->nexthop_rule.flow_nexthop);
#else
rule_invalid = true;
DEBUG_TRACE("%p: IPSEC - unsupported\n", npci);
@@ -818,7 +824,9 @@
DEBUG_TRACE("%p: IPSEC - additional unsupported\n", npci);
break;
}
- nircm->conn_rule.return_interface_num = ECM_INTERFACE_IPSEC_IF_NUM;
+
+ nircm->conn_rule.return_interface_num = ecm_nss_common_ipsec_get_ifnum(to_nss_iface_id);
+ nircm->nexthop_rule.return_nexthop = ecm_nss_common_ipsec_get_ifnum(nircm->nexthop_rule.return_nexthop);
#else
rule_invalid = true;
DEBUG_TRACE("%p: IPSEC - unsupported\n", npci);
diff --git a/frontends/nss/ecm_nss_ported_ipv6.c b/frontends/nss/ecm_nss_ported_ipv6.c
index df8820e..cc2f6d7 100644
--- a/frontends/nss/ecm_nss_ported_ipv6.c
+++ b/frontends/nss/ecm_nss_ported_ipv6.c
@@ -1,6 +1,6 @@
/*
**************************************************************************
- * Copyright (c) 2014-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2019 The Linux Foundation. All rights reserved.
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
* above copyright notice and this permission notice appear in all copies.
@@ -70,6 +70,10 @@
#include <nss_api_if.h>
+#ifdef ECM_INTERFACE_IPSEC_ENABLE
+#include "nss_ipsec_cmn.h"
+#endif
+
#include "ecm_types.h"
#include "ecm_db_types.h"
#include "ecm_state.h"
@@ -616,7 +620,9 @@
DEBUG_TRACE("%p: IPSEC - additional unsupported\n", npci);
break;
}
- nircm->conn_rule.flow_interface_num = ECM_INTERFACE_IPSEC_IF_NUM;
+
+ nircm->conn_rule.flow_interface_num = ecm_nss_common_ipsec_get_ifnum(from_nss_iface_id);
+ nircm->nexthop_rule.flow_nexthop = ecm_nss_common_ipsec_get_ifnum(nircm->nexthop_rule.flow_nexthop);
#else
rule_invalid = true;
DEBUG_TRACE("%p: IPSEC - unsupported\n", npci);
@@ -794,7 +800,9 @@
DEBUG_TRACE("%p: IPSEC - additional unsupported\n", npci);
break;
}
- nircm->conn_rule.return_interface_num = ECM_INTERFACE_IPSEC_IF_NUM;
+
+ nircm->conn_rule.return_interface_num = ecm_nss_common_ipsec_get_ifnum(to_nss_iface_id);
+ nircm->nexthop_rule.return_nexthop = ecm_nss_common_ipsec_get_ifnum(nircm->nexthop_rule.return_nexthop);
#else
rule_invalid = true;
DEBUG_TRACE("%p: IPSEC - unsupported\n", npci);