ipsec: add input node bypass/discard functionality

add bypass/discard functionality to ipsec4-input-feature node Type: feature Signed-off-by: ShivaShankarK <shivaashankar1204@gmail.com> Change-Id: I152a5dfee0296109cccabe349a330dbbe395cc6c
2020-04-14 14:01:03 +05:30
parent b5c0d35f94
commit 0546483ce0
3 changed files with 267 additions and 168 deletions
--- a/src/vnet/ipsec/ipsec_input.c
+++ b/src/vnet/ipsec/ipsec_input.c
--- a/src/vnet/ipsec/ipsec_spd.h
+++ b/src/vnet/ipsec/ipsec_spd.h
@ -23,7 +23,9 @@
  _(IP4_INBOUND_PROTECT, "ip4-inbound-protect")       \
  _(IP6_INBOUND_PROTECT, "ip6-inbound-protect")       \
  _(IP4_INBOUND_BYPASS,  "ip4-inbound-bypass")        \
-  _(IP6_INBOUND_BYPASS,  "ip6-inbound-bypass")
+  _(IP6_INBOUND_BYPASS,  "ip6-inbound-bypass")	      \
+  _(IP4_INBOUND_DISCARD,  "ip4-inbound-discard")      \
+  _(IP6_INBOUND_DISCARD,  "ip6-inbound-discard")

 typedef enum ipsec_spd_policy_t_
 {
--- a/src/vnet/ipsec/ipsec_spd_policy.c
+++ b/src/vnet/ipsec/ipsec_spd_policy.c
@ -123,6 +123,10 @@ ipsec_policy_mk_type (bool is_outbound,
 		   IPSEC_SPD_POLICY_IP4_INBOUND_BYPASS);
 	  return (0);
 	case IPSEC_POLICY_ACTION_DISCARD:
+	  *type = (is_ipv6 ?
+		   IPSEC_SPD_POLICY_IP6_INBOUND_DISCARD :
+		   IPSEC_SPD_POLICY_IP4_INBOUND_DISCARD);
+	  return (0);
 	case IPSEC_POLICY_ACTION_RESOLVE:
 	  break;
 	}