Fix IPsec intf tx node setup at intf creation

When using a DPDK cryptodev with IPsec, sending outbound
packets results in a crash on division by zero if using an
algorithm not supported by the OpenSSL ESP nodes. This
includes AES-GCM and MD5.

At IPsec intf creation time, the next node at slot
IPSEC_OUTPUT_NEXT_ESP_ENCRYPT for ipsec_if_tx_node_fn is
set to the node named esp-encrypt. This is the OpenSSL
ESP encrypt function. If DPDK cryptodevs are configured,
dpdk-esp-encrypt is the correct next node.

Change to setting the next node according to the value in
ipsec_main.esp_encrypt_node_index. That value is set to
esp-encrypt by default. If DPDK cryptodevs are configured
it gets set to dpdk-esp-encrypt.

Change-Id: I83896c76b975d74aead247a162c85eccca9575a8
Signed-off-by: Matthew Smith <mgsmith@netgate.com>
This commit is contained in:
Matthew Smith
2018-07-05 14:45:58 -05:00
committed by Damjan Marion
parent 7b13e0df70
commit 0e36bbfd1b

View File

@ -366,8 +366,8 @@ ipsec_add_del_tunnel_if_internal (vnet_main_t * vnm,
hi = vnet_get_hw_interface (vnm, hw_if_index);
slot = vlib_node_add_named_next_with_slot
(vnm->vlib_main, hi->tx_node_index, "esp-encrypt",
slot = vlib_node_add_next_with_slot
(vnm->vlib_main, hi->tx_node_index, im->esp_encrypt_node_index,
IPSEC_OUTPUT_NEXT_ESP_ENCRYPT);
ASSERT (slot == IPSEC_OUTPUT_NEXT_ESP_ENCRYPT);