diff --git a/patches/vpp/0001-linux-cp-add-support-for-xfrm-netlink-notifcation.patch b/patches/vpp/0001-linux-cp-add-support-for-xfrm-netlink-notifcation.patch index 44145bf..867f2d0 100644 --- a/patches/vpp/0001-linux-cp-add-support-for-xfrm-netlink-notifcation.patch +++ b/patches/vpp/0001-linux-cp-add-support-for-xfrm-netlink-notifcation.patch @@ -1,7 +1,7 @@ From a3240c47714ae9ed447581c3557983630bb5f825 Mon Sep 17 00:00:00 2001 From: Aakash Date: Mon, 1 Aug 2022 04:59:02 -0400 -Subject: [PATCH 01/22] linux-cp: add support for xfrm netlink notifcation +Subject: [PATCH 01/24] linux-cp: add support for xfrm netlink notifcation This patch contains changes to add support for handlng xfrm notifications in linux-cp plugin. diff --git a/patches/vpp/0002-linux-cp-update-code-to-support-api-proto-changes.patch b/patches/vpp/0002-linux-cp-update-code-to-support-api-proto-changes.patch index 215d368..1dab235 100644 --- a/patches/vpp/0002-linux-cp-update-code-to-support-api-proto-changes.patch +++ b/patches/vpp/0002-linux-cp-update-code-to-support-api-proto-changes.patch @@ -1,7 +1,7 @@ From e238d4e62e66ed9a9e01425a844d57cc33ec316e Mon Sep 17 00:00:00 2001 From: Kommula Shiva Shankar Date: Tue, 6 Feb 2024 23:23:14 +0530 -Subject: [PATCH 02/22] linux-cp: update code to support api proto changes +Subject: [PATCH 02/24] linux-cp: update code to support api proto changes Type: fix diff --git a/patches/vpp/0003-linux-cp-add-ipsec-interface-support-for-xfrm.patch b/patches/vpp/0003-linux-cp-add-ipsec-interface-support-for-xfrm.patch index 68048b2..61636a4 100644 --- a/patches/vpp/0003-linux-cp-add-ipsec-interface-support-for-xfrm.patch +++ b/patches/vpp/0003-linux-cp-add-ipsec-interface-support-for-xfrm.patch @@ -1,7 +1,7 @@ From 70286cf59119cc1c122d449ee3fd678646ae1b40 Mon Sep 17 00:00:00 2001 
From: Bheemappa Agasimundin Date: Tue, 5 Dec 2023 18:25:33 +0000 -Subject: [PATCH 03/22] linux-cp: add ipsec interface support for xfrm +Subject: [PATCH 03/24] linux-cp: add ipsec interface support for xfrm This patch adds ipsec interface support for strongswan based SA configuration. diff --git a/patches/vpp/0004-linux-cp-initialize-sw_if_index-variable.patch b/patches/vpp/0004-linux-cp-initialize-sw_if_index-variable.patch index 9a208bf..c38950c 100644 --- a/patches/vpp/0004-linux-cp-initialize-sw_if_index-variable.patch +++ b/patches/vpp/0004-linux-cp-initialize-sw_if_index-variable.patch @@ -1,7 +1,7 @@ From 0a6768dea23e4bf4621dac89b166b869f54cc53f Mon Sep 17 00:00:00 2001 From: Kommula Shiva Shankar Date: Wed, 7 Feb 2024 11:58:17 +0530 -Subject: [PATCH 04/22] linux-cp: initialize sw_if_index variable +Subject: [PATCH 04/24] linux-cp: initialize sw_if_index variable Type: fix diff --git a/patches/vpp/0005-linux-cp-add-readme-for-xfrm-implementation.patch b/patches/vpp/0005-linux-cp-add-readme-for-xfrm-implementation.patch index 78ddd8e..b44296f 100644 --- a/patches/vpp/0005-linux-cp-add-readme-for-xfrm-implementation.patch +++ b/patches/vpp/0005-linux-cp-add-readme-for-xfrm-implementation.patch @@ -1,7 +1,7 @@ From 33348f8e70e26c3fa93ca921cafef5e9af85337c Mon Sep 17 00:00:00 2001 From: Bheemappa Agasimundin Date: Sun, 24 Mar 2024 08:36:48 +0000 -Subject: [PATCH 05/22] linux-cp: add readme for xfrm implementation +Subject: [PATCH 05/24] linux-cp: add readme for xfrm implementation This patch adds REAMDE for XFRM changes design and startup.conf configuration details. diff --git a/patches/vpp/0006-linux-cp-fix-esn-and-anti-replay-issue.patch b/patches/vpp/0006-linux-cp-fix-esn-and-anti-replay-issue.patch index eff3818..d7b5af8 100644 --- a/patches/vpp/0006-linux-cp-fix-esn-and-anti-replay-issue.patch +++ b/patches/vpp/0006-linux-cp-fix-esn-and-anti-replay-issue.patch @@ -1,7 +1,7 @@ From adff1ecb857315e7d3e735efe31dc9b322183732 Mon Sep 17 00:00:00 2001 
From: Bheemappa Agasimundin Date: Tue, 27 Aug 2024 17:29:30 +0000 -Subject: [PATCH 06/22] linux-cp: fix esn and anti-replay issue +Subject: [PATCH 06/24] linux-cp: fix esn and anti-replay issue This patch enables anti-replay when ESN is enabled on a Security Association (SA) configured via strongSwan. diff --git a/patches/vpp/0007-linux-cp-fix-ipsec-policy-incorrect-protocol-type.patch b/patches/vpp/0007-linux-cp-fix-ipsec-policy-incorrect-protocol-type.patch index 04b20eb..34ba080 100644 --- a/patches/vpp/0007-linux-cp-fix-ipsec-policy-incorrect-protocol-type.patch +++ b/patches/vpp/0007-linux-cp-fix-ipsec-policy-incorrect-protocol-type.patch @@ -1,7 +1,7 @@ From e5d9989fe860fd394d131c791c3e74bd8952c230 Mon Sep 17 00:00:00 2001 From: Bheemappa Agasimundin Date: Tue, 1 Oct 2024 15:06:41 +0000 -Subject: [PATCH 07/22] linux-cp: fix ipsec policy incorrect protocol type +Subject: [PATCH 07/24] linux-cp: fix ipsec policy incorrect protocol type This patch changes protocol type 0 to IPSEC_POLICY_PROTOCOL_ANY to allow any transport protocol for protect/bypass. diff --git a/patches/vpp/0008-linux-cp-Added-build-dependency-for-XFRM.patch b/patches/vpp/0008-linux-cp-Added-build-dependency-for-XFRM.patch index e31a582..64af37b 100644 --- a/patches/vpp/0008-linux-cp-Added-build-dependency-for-XFRM.patch +++ b/patches/vpp/0008-linux-cp-Added-build-dependency-for-XFRM.patch @@ -1,7 +1,7 @@ From 56275b6a0dbe20b8eb77a16b6525a34ab71b33ca Mon Sep 17 00:00:00 2001 From: zdc Date: Wed, 12 Feb 2025 12:29:57 +0200 -Subject: [PATCH 08/22] linux-cp: Added build dependency for XFRM +Subject: [PATCH 08/24] linux-cp: Added build dependency for XFRM Added `libnl-xfrm-3-200` to build dependencies to make build `linux-cp` with XFRM possible. diff --git a/patches/vpp/0009-linux-cp-Added-routing-for-prefixes-with-no-paths-av.patch b/patches/vpp/0009-linux-cp-Added-routing-for-prefixes-with-no-paths-av.patch index 7b54032..419f119 100644 
--- a/patches/vpp/0009-linux-cp-Added-routing-for-prefixes-with-no-paths-av.patch +++ b/patches/vpp/0009-linux-cp-Added-routing-for-prefixes-with-no-paths-av.patch @@ -1,7 +1,7 @@ From a5f3779078cd93cfc821a23c681af68d1a3a39cf Mon Sep 17 00:00:00 2001 From: zsdc Date: Tue, 23 Jul 2024 20:06:41 +0300 -Subject: [PATCH 09/22] linux-cp: Added routing for prefixes with no paths +Subject: [PATCH 09/24] linux-cp: Added routing for prefixes with no paths available A new CLI and configuration file option is available: diff --git a/patches/vpp/0010-Resync-ip-fib-with-Linux-state.patch b/patches/vpp/0010-Resync-ip-fib-with-Linux-state.patch index 654cc61..3937cb6 100644 --- a/patches/vpp/0010-Resync-ip-fib-with-Linux-state.patch +++ b/patches/vpp/0010-Resync-ip-fib-with-Linux-state.patch @@ -1,7 +1,7 @@ From d87a33a4dd33f04dce319a1e410bc811808fb7b1 Mon Sep 17 00:00:00 2001 From: Denys Haryachyy Date: Wed, 24 Jul 2024 08:35:25 +0000 -Subject: [PATCH 10/22] Resync ip fib with Linux state. +Subject: [PATCH 10/24] Resync ip fib with Linux state. A new CLI and API file option is available: diff --git a/patches/vpp/0011-LCP-Improved-lcp-resync-CLI-and-API-to-wait-until-Ne.patch b/patches/vpp/0011-LCP-Improved-lcp-resync-CLI-and-API-to-wait-until-Ne.patch index 2a22803..e7afac4 100644 --- a/patches/vpp/0011-LCP-Improved-lcp-resync-CLI-and-API-to-wait-until-Ne.patch +++ b/patches/vpp/0011-LCP-Improved-lcp-resync-CLI-and-API-to-wait-until-Ne.patch @@ -1,7 +1,7 @@ From 759521ff07dcfb69a09d432e943319a8422ee47c Mon Sep 17 00:00:00 2001 From: Denys Haryachyy Date: Wed, 29 Jan 2025 11:57:01 +0200 -Subject: [PATCH 11/22] LCP: Improved lcp resync CLI and API to wait until +Subject: [PATCH 11/24] LCP: Improved lcp resync CLI and API to wait until Netlink sync is finished. (cherry picked from commit b19375e7e42023a5cdca84f259036574ccd9da77) 
diff --git a/patches/vpp/0012-build-Fixed-compatibility-with-build-on-Debian-12.patch b/patches/vpp/0012-build-Fixed-compatibility-with-build-on-Debian-12.patch index 1c523b2..8f97d22 100644 --- a/patches/vpp/0012-build-Fixed-compatibility-with-build-on-Debian-12.patch +++ b/patches/vpp/0012-build-Fixed-compatibility-with-build-on-Debian-12.patch @@ -1,7 +1,7 @@ From 99f5622c6945c0055e1a3dea4cd925bee1fecf31 Mon Sep 17 00:00:00 2001 From: zdc Date: Tue, 11 Feb 2025 20:33:46 +0200 -Subject: [PATCH 12/22] build: Fixed compatibility with build on Debian 12 +Subject: [PATCH 12/24] build: Fixed compatibility with build on Debian 12 (cherry picked from commit ca7d5bcd381edb68e9d4ae6ffa915bda4d2c1adf) --- diff --git a/patches/vpp/0013-linux-cp-Added-build-dependency-libunwind8-for-XFRM.patch b/patches/vpp/0013-linux-cp-Added-build-dependency-libunwind8-for-XFRM.patch index dc2e5b8..066e419 100644 --- a/patches/vpp/0013-linux-cp-Added-build-dependency-libunwind8-for-XFRM.patch +++ b/patches/vpp/0013-linux-cp-Added-build-dependency-libunwind8-for-XFRM.patch @@ -1,7 +1,7 @@ From 4958c7a4553d03532032c20932f5ab5905bff904 Mon Sep 17 00:00:00 2001 From: Viacheslav Hletenko Date: Thu, 13 Feb 2025 11:37:36 +0000 -Subject: [PATCH 13/22] linux-cp: Added build dependency libunwind8 for XFRM +Subject: [PATCH 13/24] linux-cp: Added build dependency libunwind8 for XFRM Added `libunwind8` to build dependencies required by `linux-cp` for XFRM diff --git a/patches/vpp/0014-Revert-linux-cp-Added-routing-for-prefixes-with-no-p.patch b/patches/vpp/0014-Revert-linux-cp-Added-routing-for-prefixes-with-no-p.patch index 6c6f40f..7cbf745 100644 --- a/patches/vpp/0014-Revert-linux-cp-Added-routing-for-prefixes-with-no-p.patch +++ b/patches/vpp/0014-Revert-linux-cp-Added-routing-for-prefixes-with-no-p.patch @@ -1,7 +1,7 @@ From 99cda14db43cc67345bb970ecb78891c1073580e Mon Sep 17 00:00:00 2001 
From: Denys Haryachyy Date: Thu, 6 Mar 2025 16:27:51 +0200 -Subject: [PATCH 14/22] Revert "linux-cp: Added routing for prefixes with no +Subject: [PATCH 14/24] Revert "linux-cp: Added routing for prefixes with no paths available" This reverts commit c784244ca4092210ea74fcff1ec7c1a7d633e2ff. diff --git a/patches/vpp/0015-linux-cp-Added-routing-for-prefixes-with-no-paths-av.patch b/patches/vpp/0015-linux-cp-Added-routing-for-prefixes-with-no-paths-av.patch index 8039998..cf1ddd0 100644 --- a/patches/vpp/0015-linux-cp-Added-routing-for-prefixes-with-no-paths-av.patch +++ b/patches/vpp/0015-linux-cp-Added-routing-for-prefixes-with-no-paths-av.patch @@ -1,7 +1,7 @@ From f0fb2180a6ede48a3ef83c951e8c4e321eabd079 Mon Sep 17 00:00:00 2001 From: zsdc Date: Tue, 23 Jul 2024 20:06:41 +0300 -Subject: [PATCH 15/22] linux-cp: Added routing for prefixes with no paths +Subject: [PATCH 15/24] linux-cp: Added routing for prefixes with no paths available A new CLI and configuration file option is available: diff --git a/patches/vpp/0016-Revert-linux-cp-Added-routing-for-prefixes-with-no-p.patch b/patches/vpp/0016-Revert-linux-cp-Added-routing-for-prefixes-with-no-p.patch index 925e44f..d7e5957 100644 --- a/patches/vpp/0016-Revert-linux-cp-Added-routing-for-prefixes-with-no-p.patch +++ b/patches/vpp/0016-Revert-linux-cp-Added-routing-for-prefixes-with-no-p.patch @@ -1,7 +1,7 @@ From af8cc793670b14b177a13e9fb7f305ac9cce0ec7 Mon Sep 17 00:00:00 2001 From: Denys Haryachyy Date: Tue, 18 Mar 2025 21:32:51 +0200 -Subject: [PATCH 16/22] Revert "linux-cp: Added routing for prefixes with no +Subject: [PATCH 16/24] Revert "linux-cp: Added routing for prefixes with no paths available" This reverts commit 5583626fe1a9d11cffb8f759c996e341b7e54a7b. diff --git a/patches/vpp/0017-linux-cp-Added-routing-for-prefixes-with-no-paths-av.patch b/patches/vpp/0017-linux-cp-Added-routing-for-prefixes-with-no-paths-av.patch index cd4b8b2..a86b9cb 100644 
--- a/patches/vpp/0017-linux-cp-Added-routing-for-prefixes-with-no-paths-av.patch +++ b/patches/vpp/0017-linux-cp-Added-routing-for-prefixes-with-no-paths-av.patch @@ -1,7 +1,7 @@ From 76436e797f22e2e3160d044bdd18ff83154fec3e Mon Sep 17 00:00:00 2001 From: zsdc Date: Tue, 23 Jul 2024 20:06:41 +0300 -Subject: [PATCH 17/22] linux-cp: Added routing for prefixes with no paths +Subject: [PATCH 17/24] linux-cp: Added routing for prefixes with no paths available Fixed GRE crashes in IPv4 and IPv6 FIB. diff --git a/patches/vpp/0018-pppoe.-Automated-session-management.-12.patch b/patches/vpp/0018-pppoe.-Automated-session-management.-12.patch index ba6159b..b6df3dd 100644 --- a/patches/vpp/0018-pppoe.-Automated-session-management.-12.patch +++ b/patches/vpp/0018-pppoe.-Automated-session-management.-12.patch @@ -1,7 +1,7 @@ From 46a6d61368157eb7fb7bf382e3fda9776c5a9a42 Mon Sep 17 00:00:00 2001 From: Denys Haryachyy Date: Thu, 15 May 2025 17:18:48 +0300 -Subject: [PATCH 18/22] pppoe. Automated session management. (#12) +Subject: [PATCH 18/24] pppoe. Automated session management. (#12) Purpose of Changes: Automate PPPoE session management by sniffing LCP, IPCP and PADT control frames. diff --git a/patches/vpp/0019-pppoe-Added-option-enable-pass-nd-and-dhcpv6.patch b/patches/vpp/0019-pppoe-Added-option-enable-pass-nd-and-dhcpv6.patch index d90ef20..62fc9fd 100644 --- a/patches/vpp/0019-pppoe-Added-option-enable-pass-nd-and-dhcpv6.patch +++ b/patches/vpp/0019-pppoe-Added-option-enable-pass-nd-and-dhcpv6.patch @@ -1,7 +1,7 @@ From f8c35e9dc43b36c4469a7586675e74a922af3d58 Mon Sep 17 00:00:00 2001 From: Andrii Melnychenko Date: Thu, 10 Jul 2025 17:42:44 +0200 -Subject: [PATCH 19/22] pppoe: Added option "enable-pass-nd-and-dhcpv6" +Subject: [PATCH 19/24] pppoe: Added option "enable-pass-nd-and-dhcpv6" This option would allow to pass ICMPv6 sl & ra and UDP-DHCPv6 packets to the PPPoE control plane. 
diff --git a/patches/vpp/0020-linux-cp-fix-multicast-route-updates-on-address-add-.patch b/patches/vpp/0020-linux-cp-fix-multicast-route-updates-on-address-add-.patch index 7055fe4..47dfc21 100644 --- a/patches/vpp/0020-linux-cp-fix-multicast-route-updates-on-address-add-.patch +++ b/patches/vpp/0020-linux-cp-fix-multicast-route-updates-on-address-add-.patch @@ -1,7 +1,7 @@ From 9960334b856d1d88ee66ad7a4f7b2949f20ae93a Mon Sep 17 00:00:00 2001 From: Denys Haryachyy Date: Tue, 29 Jul 2025 17:39:29 +0300 -Subject: [PATCH 20/22] linux-cp: fix multicast route updates on address +Subject: [PATCH 20/24] linux-cp: fix multicast route updates on address add/del Ensure multicast routes are only added when the first IPv4 address is configured on an interface, diff --git a/patches/vpp/0021-vyos-linux-cp-xfrm-Updated-XFRM-features-for-compati.patch b/patches/vpp/0021-vyos-linux-cp-xfrm-Updated-XFRM-features-for-compati.patch index d6f8d00..68a7b8f 100644 --- a/patches/vpp/0021-vyos-linux-cp-xfrm-Updated-XFRM-features-for-compati.patch +++ b/patches/vpp/0021-vyos-linux-cp-xfrm-Updated-XFRM-features-for-compati.patch @@ -1,7 +1,7 @@ From b01e1da6fc46a1ccda873b8ca3603ac81fdffd63 Mon Sep 17 00:00:00 2001 From: zdc Date: Fri, 1 Aug 2025 17:16:28 +0300 -Subject: [PATCH 21/22] vyos: linux-cp: xfrm: Updated XFRM features for +Subject: [PATCH 21/24] vyos: linux-cp: xfrm: Updated XFRM features for compatibility with VPP 25.06 - Updated headers for `file_main` (as per 2fa70d66482adb21178bad9ebf0d748358cd416e) diff --git a/patches/vpp/0022-ipsec-Improve-tunnel-mode-detection-in-ESP-decrypt-p.patch b/patches/vpp/0022-ipsec-Improve-tunnel-mode-detection-in-ESP-decrypt-p.patch index 73d3d8b..56fb856 100644 --- a/patches/vpp/0022-ipsec-Improve-tunnel-mode-detection-in-ESP-decrypt-p.patch +++ b/patches/vpp/0022-ipsec-Improve-tunnel-mode-detection-in-ESP-decrypt-p.patch @@ -1,7 +1,7 @@ From cfb1217a7954404891fe53c8aaa411ef9b142034 Mon Sep 17 00:00:00 2001 
From: Denys Haryachyy Date: Thu, 28 Aug 2025 12:34:32 +0300 -Subject: [PATCH 22/22] ipsec: Improve tunnel mode detection in ESP decrypt +Subject: [PATCH 22/24] ipsec: Improve tunnel mode detection in ESP decrypt post-crypto (#24) Type: fix diff --git a/patches/vpp/0023-linux-cp-T7775-Add-AEAD-RFC4106-AES-GCM-support-in-x.patch b/patches/vpp/0023-linux-cp-T7775-Add-AEAD-RFC4106-AES-GCM-support-in-x.patch new file mode 100644 index 0000000..1a104c6 --- /dev/null +++ b/patches/vpp/0023-linux-cp-T7775-Add-AEAD-RFC4106-AES-GCM-support-in-x.patch 
@@ -0,0 +1,94 @@ +From a0dd2889dd2554c4ebb83b92abaf23f768aa4621 Mon Sep 17 00:00:00 2001 +From: Denys Haryachyy +Date: Thu, 18 Sep 2025 13:53:42 +0300 +Subject: [PATCH 23/24] linux-cp: T7775: Add AEAD (RFC4106 AES-GCM) support in + xfrm SA handling (#26) + +Type: fix + +- Parse AEAD parameters via libnl in nl_xfrm_sa_add() using xfrmnl_sa_get_aead_params() with fallback to legacy enc+auth. +- Map AEAD to VPP by setting AES-GCM crypto alg and integ_alg to IPSEC_INTEG_ALG_NONE; honor AEAD ICV length. +--- + src/plugins/linux-cp/lcp_ipsec.c | 49 +++++++++++++++++++++----------- + 1 file changed, 33 insertions(+), 16 deletions(-) + +diff --git a/src/plugins/linux-cp/lcp_ipsec.c b/src/plugins/linux-cp/lcp_ipsec.c +index cc3f327c7..c3a6362d4 100644 +--- a/src/plugins/linux-cp/lcp_ipsec.c ++++ b/src/plugins/linux-cp/lcp_ipsec.c +@@ -882,11 +882,13 @@ nl_xfrm_sa_add (struct xfrmnl_sa *sa) + ipsec_sa_flags_t flags = IPSEC_SA_FLAG_NONE; + char key[IPSEC_KEY_MAX_LEN], auth_key[IPSEC_KEY_MAX_LEN]; + char alg_name[ALGO_NAME], auth_alg_name[ALGO_NAME]; ++ char aead_alg_name[ALGO_NAME]; + struct nl_addr *dst = xfrmnl_sa_get_daddr (sa); + struct nl_addr *src = xfrmnl_sa_get_saddr (sa); + unsigned int udp_src, udp_dst, encap_type; + sa_life_limits_t *life = NULL, lifetime; + unsigned int key_len, auth_key_len; ++ unsigned int aead_icv_len = 0, aead_key_len = 0; + ipsec_key_t ck = { 0 }, ik = { 0 }; + u32 spi = xfrmnl_sa_get_spi (sa); + struct nl_addr *encap_oa = NULL; +@@ -951,27 +953,42 @@ nl_xfrm_sa_add (struct xfrmnl_sa *sa) + (50 == xfrmnl_sa_get_proto (sa)) ? 
IPSEC_PROTOCOL_ESP : IPSEC_PROTOCOL_AH; + ip_family = xfrmnl_sa_get_family (sa); + +- if (-1 == xfrmnl_sa_get_crypto_params (sa, alg_name, &key_len, key)) ++ if (0 == xfrmnl_sa_get_aead_params (sa, aead_alg_name, &aead_icv_len, ++ &aead_key_len, key)) + { +- NL_XFRM_ERR ("crypto param extraction failed"); +- goto error; ++ clib_memset (alg_name, 0, sizeof (alg_name)); ++ clib_strncpy (alg_name, aead_alg_name, sizeof (alg_name) - 1); ++ /* aead_key_len is cipher key bits; ip xfrm provides key||salt. ++ * Represent total bits here so downstream salt extraction works. */ ++ key_len = aead_key_len + (GCM_SALT_SIZE * 8); ++ /* No separate integrity algorithm when AEAD is used */ ++ integ_alg = IPSEC_INTEG_ALG_NONE; ++ auth_key_len = 0; + } +- if (-1 == xfrmnl_sa_get_auth_params (sa, auth_alg_name, &auth_key_len, NULL, +- auth_key)) ++ else + { +- NL_XFRM_ERR ("auth param extraction failed"); +- goto error; +- } ++ if (-1 == xfrmnl_sa_get_crypto_params (sa, alg_name, &key_len, key)) ++ { ++ NL_XFRM_ERR ("crypto param extraction failed"); ++ goto error; ++ } ++ if (-1 == xfrmnl_sa_get_auth_params (sa, auth_alg_name, &auth_key_len, ++ NULL, auth_key)) ++ { ++ NL_XFRM_ERR ("auth param extraction failed"); ++ goto error; ++ } + +- get_auth_algo (auth_alg_name, auth_key_len, &integ_alg); +- if (integ_alg == IPSEC_INTEG_N_ALG) +- { +- NL_XFRM_ERR ("Invalid/Unsupported integ algo: %s keylen: %u", +- auth_alg_name, auth_key_len); +- goto error; ++ get_auth_algo (auth_alg_name, auth_key_len, &integ_alg); ++ if (integ_alg == IPSEC_INTEG_N_ALG) ++ { ++ NL_XFRM_ERR ("Invalid/Unsupported integ algo: %s keylen: %u", ++ auth_alg_name, auth_key_len); ++ goto error; ++ } ++ ik.len = auth_key_len / 8; ++ clib_memcpy_fast (ik.data, (u8 *) auth_key, (auth_key_len / 8)); + } +- ik.len = auth_key_len / 8; +- clib_memcpy_fast (ik.data, (u8 *) auth_key, (auth_key_len / 8)); + + get_crypto_algo (alg_name, key_len, &crypto_alg); + if (crypto_alg == IPSEC_CRYPTO_N_ALG) +-- +2.39.5 + 
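Review bot: In the new AEAD branch of nl_xfrm_sa_add(), `aead_icv_len` is filled by xfrmnl_sa_get_aead_params() but never read in the visible lines, although the commit message says the AEAD ICV length is honoured. An SA negotiated with a shorter tag would therefore reach get_crypto_algo() without any check. Please also confirm the order of the two length out-pointers against the libnl header: the xfrmnl_sa_get_auth_params() call in the else branch passes the key length before the truncation length, and if the AEAD getter uses the same order, `&aead_icv_len` and `&aead_key_len` are swapped and `key_len = aead_key_len + (GCM_SALT_SIZE * 8)` is right for one key size at most. A guard such as `if (aead_icv_len != 128) { NL_XFRM_ERR ("unsupported AEAD ICV length: %u", aead_icv_len); goto error; }` would make the assumption explicit; 128 here assumes a full-length GCM tag and should be set to what the selected VPP algorithm implements. The function continues outside the hunk, so a later use of the value cannot be ruled out from here.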
diff --git a/patches/vpp/0024-linux-cp-T7770-open-XFRM-netlink-socket-at-config-ti.patch b/patches/vpp/0024-linux-cp-T7770-open-XFRM-netlink-socket-at-config-ti.patch new file mode 100644 index 0000000..9bd987e --- /dev/null +++ b/patches/vpp/0024-linux-cp-T7770-open-XFRM-netlink-socket-at-config-ti.patch @@ -0,0 +1,41 @@ +From c726229ecb073a456dcee38116909b01b47456ae Mon Sep 17 00:00:00 2001 +From: Denys Haryachyy +Date: Thu, 18 Sep 2025 17:11:11 +0300 +Subject: [PATCH 24/24] linux-cp: T7770: open XFRM netlink socket at config + time. (#25) + +Type: fix + +Ensures XFRM netlink socket is opened only after explicit config is provided. +--- + src/plugins/linux-cp/lcp_xfrm_nl.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/plugins/linux-cp/lcp_xfrm_nl.c b/src/plugins/linux-cp/lcp_xfrm_nl.c +index 87092ad71..9c5bb88c6 100644 +--- a/src/plugins/linux-cp/lcp_xfrm_nl.c ++++ b/src/plugins/linux-cp/lcp_xfrm_nl.c +@@ -558,6 +558,10 @@ lcp_xfrm_itf_pair_config (vlib_main_t *vm, unformat_input_t *input) + return clib_error_return ( + 0, "enable-route-mode-ipsec configuration is missing"); + ++ lcp_xfrm_nl_open_socket (); ++ vlib_process_signal_event (vlib_get_main (), ++ ipsec_xfrm_expire_process_node.index, 0, 0); ++ + return NULL; + } + +@@ -658,9 +662,6 @@ lcp_nl_xfrm_init (vlib_main_t *vm) + nm->clib_file_index = ~0; + nm->nl_logger = vlib_log_register_class ("nl", "xfrm"); + +- lcp_xfrm_nl_open_socket (); +- vlib_process_signal_event (vlib_get_main (), +- ipsec_xfrm_expire_process_node.index, 0, 0); + return NULL; + } + +-- +2.39.5 +
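Review bot: The added `lcp_xfrm_nl_open_socket ();` in lcp_xfrm_itf_pair_config() is a bare statement, so the handler returns NULL (success) and signals ipsec_xfrm_expire_process_node whether or not the socket was opened. Because opening is now tied to explicit configuration, a failure here would leave an operator who enabled route-mode IPsec with no XFRM notifications and no error, and SA or policy changes made in the kernel would not reach VPP. If the function can report failure, propagate it with `return clib_error_return (0, "failed to open XFRM netlink socket");`; otherwise add a comment saying where the failure is logged. A one-line comment that lcp_nl_xfrm_init() must already have run would also help, since it still sets `nm->clib_file_index = ~0` and would discard the state if the order were ever reversed. Both function bodies start outside the hunks.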