api: ipsec: add missing IS_INBOUND flag

External IKE daemons need to be able to flag an SA as inbound (just as the included ike plugin does). This commit adds this flag to the API. This change is backward bug-compatible as not setting the flag (old clients) continues to mean all SAs are created as outbound and fib nodes are created for them. The addition of this flag inhibits this forwarding node creation as well as properly flagging the SA as inbound. Ticket: VPP-1845 Type: fix Signed-off-by: Christian Hopps <chopps@labn.net> Change-Id: Ifa6fd664587380aa53e95d0e4eb2e1a4b1df7909
FDio · Apr 1, 2020 · 597d4df · 597d4df
1 parent d643e5f
commit 597d4df
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 0 deletions.
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
@@ -233,6 +233,8 @@ enum ipsec_sad_flags
   IPSEC_API_SAD_FLAG_IS_TUNNEL_V6 = 0x08,
   /* enable UDP encapsulation for NAT traversal */
   IPSEC_API_SAD_FLAG_UDP_ENCAP = 0x10,
+  /* IPsec SA is for inbound traffic */
+  IPSEC_API_SAD_FLAG_IS_INBOUND = 0x40,
 };
 
 enum ipsec_proto

diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
@@ -445,6 +445,8 @@ ipsec_sa_flags_decode (vl_api_ipsec_sad_flags_t in)
     flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
   if (in & IPSEC_API_SAD_FLAG_UDP_ENCAP)
     flags |= IPSEC_SA_FLAG_UDP_ENCAP;
+  if (in & IPSEC_API_SAD_FLAG_IS_INBOUND)
+    flags |= IPSEC_SA_FLAG_IS_INBOUND;
 
   return (flags);
 }
@@ -464,6 +466,8 @@ ipsec_sad_flags_encode (const ipsec_sa_t * sa)
     flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
   if (ipsec_sa_is_set_UDP_ENCAP (sa))
     flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
+  if (ipsec_sa_is_set_IS_INBOUND (sa))
+    flags |= IPSEC_API_SAD_FLAG_IS_INBOUND;
 
   return clib_host_to_net_u32 (flags);
 }