IPSEC: tunnel scaling - don't stack the inbound SA

Change-Id: I0b47590400aebea09aa1b27de753be638e1ba870
Signed-off-by: Neale Ranns <nranns@cisco.com>
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index a861655..c91a9ba 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -294,11 +294,16 @@
 		  tx_table_id,
 		  format_ip46_address, &sa->tunnel_src_addr, IP46_TYPE_ANY,
 		  format_ip46_address, &sa->tunnel_dst_addr, IP46_TYPE_ANY);
-      s = format (s, "\n    resovle via fib-entry: %d", sa->fib_entry_index);
-      s = format (s, "\n    stacked on:");
-      s =
-	format (s, "\n      %U", format_dpo_id, &sa->dpo[IPSEC_PROTOCOL_ESP],
-		6);
+      if (!ipsec_sa_is_set_IS_INBOUND (sa))
+	{
+	  s =
+	    format (s, "\n    resovle via fib-entry: %d",
+		    sa->fib_entry_index);
+	  s = format (s, "\n    stacked on:");
+	  s =
+	    format (s, "\n      %U", format_dpo_id,
+		    &sa->dpo[IPSEC_PROTOCOL_ESP], 6);
+	}
     }
 
   return (s);
diff --git a/src/vnet/ipsec/ipsec_if.c b/src/vnet/ipsec/ipsec_if.c
index bfdc2bb..3c1f845 100644
--- a/src/vnet/ipsec/ipsec_if.c
+++ b/src/vnet/ipsec/ipsec_if.c
@@ -306,7 +306,7 @@
 			 &crypto_key,
 			 args->integ_alg,
 			 &integ_key,
-			 flags,
+			 (flags | IPSEC_SA_FLAG_IS_INBOUND),
 			 args->tx_table_id,
 			 &args->remote_ip,
 			 &args->local_ip, &t->input_sa_index);
diff --git a/src/vnet/ipsec/ipsec_sa.c b/src/vnet/ipsec/ipsec_sa.c
index 9f2d850..0ca2f37 100644
--- a/src/vnet/ipsec/ipsec_sa.c
+++ b/src/vnet/ipsec/ipsec_sa.c
@@ -149,6 +149,7 @@
   sa->spi = spi;
   sa->stat_index = sa_index;
   sa->protocol = proto;
+  sa->flags = flags;
   ipsec_sa_set_crypto_alg (sa, crypto_alg);
   clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
   ipsec_sa_set_integ_alg (sa, integ_alg);
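Review bot: `sa->flags = flags;` stores the caller's flag word verbatim, whereas the block removed in the next hunk copied only USE_ESN, USE_ANTI_REPLAY, IS_TUNNEL, IS_TUNNEL_V6 and UDP_ENCAP. Every other bit a caller passes, including IS_GRE, the new IS_INBOUND and any undefined bit, now lands on the SA, and IS_INBOUND in particular turns off the FIB stacking later in this function. If `flags` can come from an API or CLI request (not visible here), mask it to the bits this function is meant to accept and reject the rest. Otherwise state the contract in a comment such as `/* flags is trusted: IS_INBOUND may only be set by internal callers */`. The enclosing function starts and ends outside the hunk.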
@@ -156,17 +157,6 @@
   ip46_address_copy (&sa->tunnel_src_addr, tun_src);
   ip46_address_copy (&sa->tunnel_dst_addr, tun_dst);
 
-  if (flags & IPSEC_SA_FLAG_USE_ESN)
-    ipsec_sa_set_USE_ESN (sa);
-  if (flags & IPSEC_SA_FLAG_USE_ANTI_REPLAY)
-    ipsec_sa_set_USE_ANTI_REPLAY (sa);
-  if (flags & IPSEC_SA_FLAG_IS_TUNNEL)
-    ipsec_sa_set_IS_TUNNEL (sa);
-  if (flags & IPSEC_SA_FLAG_IS_TUNNEL_V6)
-    ipsec_sa_set_IS_TUNNEL_V6 (sa);
-  if (flags & IPSEC_SA_FLAG_UDP_ENCAP)
-    ipsec_sa_set_UDP_ENCAP (sa);
-
   err = ipsec_check_support_cb (im, sa);
   if (err)
     {
@@ -182,7 +172,7 @@
       return VNET_API_ERROR_SYSCALL_ERROR_1;
     }
 
-  if (ipsec_sa_is_set_IS_TUNNEL (sa))
+  if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
     {
       fib_protocol_t fproto = (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
 			       FIB_PROTOCOL_IP6 : FIB_PROTOCOL_IP4);
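Review bot: An inbound tunnel SA now skips this branch, so `sa->fib_entry_index`, `sa->sibling` and `sa->dpo[]` are never assigned for it, and nothing visible in the hunk gives them a defined value. The delete path at `@@ -280,7 +270,7 @@` stays safe only because it repeats the same `IS_TUNNEL && !IS_INBOUND` test, and the ipsec_format.c hunk relies on a matching `!IS_INBOUND` check (presumably inside a tunnel test). Any other reader of those fields would act on whatever the pool element previously held. Consider setting `sa->fib_entry_index = FIB_NODE_INDEX_INVALID;` before the test, and putting the condition in one small inline predicate shared by all three sites so they cannot drift apart. The function body continues outside the hunk.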
@@ -280,7 +270,7 @@
   if (err)
     return VNET_API_ERROR_SYSCALL_ERROR_1;
 
-  if (ipsec_sa_is_set_IS_TUNNEL (sa))
+  if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
     {
       fib_entry_child_remove (sa->fib_entry_index, sa->sibling);
       fib_table_entry_special_remove
diff --git a/src/vnet/ipsec/ipsec_sa.h b/src/vnet/ipsec/ipsec_sa.h
index cfb44b9..66bdcc7 100644
--- a/src/vnet/ipsec/ipsec_sa.h
+++ b/src/vnet/ipsec/ipsec_sa.h
@@ -91,6 +91,7 @@
   _ (8, IS_TUNNEL_V6, "tunnel-v6")                        \
   _ (16, UDP_ENCAP, "udp-encap")                          \
   _ (32, IS_GRE, "GRE")                                   \
+  _ (64, IS_INBOUND, "inboud")                            \
 
 typedef enum ipsec_sad_flags_t_
 {
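Review bot: The display name of the new flag is misspelled; the added line should read `_ (64, IS_INBOUND, "inbound")`, since this string is presumably what operators see when SA flags are printed. The entry would also benefit from a short comment above the macro saying that IS_INBOUND is set internally for a tunnel interface's input SA and suppresses FIB stacking, as the ipsec_if.c and ipsec_sa.c hunks show. The flag macro and the enum both extend outside the hunk.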