FD.io VPP  v19.08-27-gf4dcae4
Vector Packet Processing
ipsec.h
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 #ifndef __IPSEC_H__
16 #define __IPSEC_H__
17 
18 #include <vnet/ip/ip.h>
19 #include <vnet/crypto/crypto.h>
20 #include <vnet/feature/feature.h>
21 
22 #include <vppinfra/types.h>
23 #include <vppinfra/cache.h>
24 
25 #include <vnet/ipsec/ipsec_spd.h>
27 #include <vnet/ipsec/ipsec_sa.h>
28 #include <vnet/ipsec/ipsec_if.h>
29 
30 typedef clib_error_t *(*add_del_sa_sess_cb_t) (u32 sa_index, u8 is_add);
31 typedef clib_error_t *(*check_support_cb_t) (ipsec_sa_t * sa);
32 
33 typedef struct
34 {
35  u8 *name;
36  /* add/del callback */
38  /* check support function */
49 
50 typedef struct
51 {
52  u8 *name;
53  /* add/del callback */
55  /* check support function */
68 
69 typedef struct
70 {
78 
79 typedef struct
80 {
85 
86 typedef struct
87 {
91 
92 typedef struct
93 {
94  /* pool of tunnel instances */
96  /* Pool of security associations */
98  /* pool of policies */
100 
101  /* pool of tunnel interfaces */
103 
105 
106  /* convenience */
109 
110  /* hashes */
120 
121  /* node indices */
131  /* next node indices */
140 
141  /* tun encrypt arcs and feature nodes */
144 
145  /* tun nodes to drop packets when no crypto alg set on outbound SA */
148 
149  /* pool of ah backends */
151  /* pool of esp backends */
153  /* index of current ah backend */
155  /* index of current esp backend */
157  /* index of default ah backend */
159  /* index of default esp backend */
161 
162  /* crypto alg data */
164 
165  /* crypto integ data */
167 
168  /* per-thread data */
170 } ipsec_main_t;
171 
173 {
177 
178 extern ipsec_main_t ipsec_main;
179 
181  u8 is_add);
182 
184 
195 
196 /*
197  * functions
198  */
199 u8 *format_ipsec_replay_window (u8 * s, va_list * args);
200 
201 /*
202  * inline functions
203  */
204 
207  vlib_node_runtime_t * nr)
208 {
209  u32 next;
210  vlib_main_t *vm = vlib_get_main ();
211  vlib_node_t *node = vlib_get_node (vm, nr->node_index);
212 
213  vnet_feature_next (&next, b);
214  return node->next_nodes[next];
215 }
216 
218  const char *name,
219  const char *ah4_encrypt_node_name,
220  const char *ah4_decrypt_node_name,
221  const char *ah6_encrypt_node_name,
222  const char *ah6_decrypt_node_name,
223  check_support_cb_t ah_check_support_cb,
224  add_del_sa_sess_cb_t ah_add_del_sa_sess_cb);
225 
227  const char *name,
228  const char *esp4_encrypt_node_name,
229  const char *esp4_encrypt_tun_node_name,
230  const char *esp4_decrypt_node_name,
231  const char *esp6_encrypt_node_name,
232  const char *esp6_encrypt_tun_node_name,
233  const char *esp6_decrypt_node_name,
234  check_support_cb_t esp_check_support_cb,
235  add_del_sa_sess_cb_t esp_add_del_sa_sess_cb);
236 
237 int ipsec_select_ah_backend (ipsec_main_t * im, u32 ah_backend_idx);
238 int ipsec_select_esp_backend (ipsec_main_t * im, u32 esp_backend_idx);
239 
241 
243 ipsec_sa_get (u32 sa_index)
244 {
245  return (pool_elt_at_index (ipsec_main.sad, sa_index));
246 }
247 
248 void ipsec_add_feature (const char *arc_name, const char *node_name,
249  u32 * out_feature_index);
250 
251 #endif /* __IPSEC_H__ */
252 
253 /*
254  * fd.io coding-style-patch-verification: ON
255  *
256  * Local Variables:
257  * eval: (c-set-style "gnu")
258  * End:
259  */
u32 * next_nodes
Definition: node.h:333
ipsec_spd_t * spds
Definition: ipsec.h:95
void ipsec_add_feature(const char *arc_name, const char *node_name, u32 *out_feature_index)
Definition: ipsec.c:126
u32 esp_default_backend
Definition: ipsec.h:160
u32 esp4_encrypt_next_index
Definition: ipsec.h:59
ipsec_main_crypto_alg_t * crypto_algs
Definition: ipsec.h:163
ipsec_tunnel_if_t * tunnel_interfaces
Definition: ipsec.h:102
uword * tun6_protect_by_key
Definition: ipsec.h:119
ipsec_per_thread_data_t * ptd
Definition: ipsec.h:169
u32 esp6_decrypt_node_index
Definition: ipsec.h:128
vnet_crypto_op_t * integ_ops
Definition: ipsec.h:89
uword * tunnel_index_by_key
Definition: ipsec.h:104
u32 ah4_decrypt_next_index
Definition: ipsec.h:135
uword * ipsec4_if_pool_index_by_key
Definition: ipsec.h:114
u32 esp4_decrypt_node_index
Definition: ipsec.h:58
clib_error_t * ipsec_check_support_cb(ipsec_main_t *im, ipsec_sa_t *sa)
Definition: ipsec.c:89
enum ipsec_format_flags_t_ ipsec_format_flags_t
u32 ah6_decrypt_next_index
Definition: ipsec.h:47
u32 esp6_decrypt_next_index
Definition: ipsec.h:64
vnet_crypto_op_t * crypto_ops
Definition: ipsec.h:88
u32 ah4_encrypt_next_index
Definition: ipsec.h:134
u32 ah4_encrypt_node_index
Definition: ipsec.h:40
u32 esp6_encrypt_node_index
Definition: ipsec.h:61
u32 ah_current_backend
Definition: ipsec.h:154
A Secruity Policy Database.
Definition: ipsec_spd.h:44
u32 esp_current_backend
Definition: ipsec.h:156
u32 ah6_decrypt_node_index
Definition: ipsec.h:45
unsigned char u8
Definition: types.h:56
vlib_node_registration_t esp6_decrypt_node
(constructor) VLIB_REGISTER_NODE (esp6_decrypt_node)
Definition: esp_decrypt.c:596
ipsec_format_flags_t_
Definition: ipsec.h:172
uword * spd_index_by_sw_if_index
Definition: ipsec.h:112
int ipsec_select_esp_backend(ipsec_main_t *im, u32 esp_backend_idx)
Definition: ipsec.c:241
vnet_crypto_alg_t alg
Definition: ipsec.h:82
u32 esp6_encrypt_next_index
Definition: ipsec.h:63
uword * ipsec6_if_pool_index_by_key
Definition: ipsec.h:115
u32 ah6_encrypt_node_index
Definition: ipsec.h:44
#define static_always_inline
Definition: clib.h:99
vlib_node_registration_t esp4_encrypt_node
(constructor) VLIB_REGISTER_NODE (esp4_encrypt_node)
Definition: esp_encrypt.c:559
u32 ah_default_backend
Definition: ipsec.h:158
vlib_node_registration_t esp4_decrypt_node
(constructor) VLIB_REGISTER_NODE (esp4_decrypt_node)
Definition: esp_decrypt.c:579
ipsec_main_t ipsec_main
Definition: ipsec.c:28
u32 esp6_encrypt_node_index
Definition: ipsec.h:127
u32 esp4_decrypt_next_index
Definition: ipsec.h:133
u32 ah6_encrypt_next_index
Definition: ipsec.h:46
uword * ipsec_if_by_sw_if_index
Definition: ipsec.h:117
u32 ipsec_register_esp_backend(vlib_main_t *vm, ipsec_main_t *im, const char *name, const char *esp4_encrypt_node_name, const char *esp4_encrypt_tun_node_name, const char *esp4_decrypt_node_name, const char *esp6_encrypt_node_name, const char *esp6_encrypt_tun_node_name, const char *esp6_decrypt_node_name, check_support_cb_t esp_check_support_cb, add_del_sa_sess_cb_t esp_add_del_sa_sess_cb)
Definition: ipsec.c:165
check_support_cb_t check_support_cb
Definition: ipsec.h:56
unsigned int u32
Definition: types.h:88
clib_error_t *(* add_del_sa_sess_cb_t)(u32 sa_index, u8 is_add)
Definition: ipsec.h:30
u32 esp6_encrypt_tun_feature_index
Definition: ipsec.h:143
u32 esp6_decrypt_node_index
Definition: ipsec.h:62
vnet_crypto_alg_t
Definition: crypto.h:86
u32 ah4_decrypt_node_index
Definition: ipsec.h:126
u32 error_drop_node_index
Definition: ipsec.h:122
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:514
u32 esp4_encrypt_node_index
Definition: ipsec.h:123
vnet_main_t * vnet_main
Definition: ipsec.h:108
vnet_crypto_op_id_t enc_op_id
Definition: ipsec.h:71
u32 ah4_decrypt_next_index
Definition: ipsec.h:43
vlib_node_registration_t ah6_decrypt_node
(constructor) VLIB_REGISTER_NODE (ah6_decrypt_node)
Definition: ah_decrypt.c:438
#define always_inline
Definition: ipsec.h:28
vlib_node_registration_t ah4_encrypt_node
(constructor) VLIB_REGISTER_NODE (ah4_encrypt_node)
Definition: ah_encrypt.c:412
vlib_node_registration_t esp6_encrypt_node
(constructor) VLIB_REGISTER_NODE (esp6_encrypt_node)
Definition: esp_encrypt.c:585
u32 node_index
Node index.
Definition: node.h:494
u8 name[64]
Definition: memclnt.api:152
u32 esp4_encrypt_node_index
Definition: ipsec.h:57
static ipsec_sa_t * ipsec_sa_get(u32 sa_index)
Definition: ipsec.h:243
uword * spd_index_by_spd_id
Definition: ipsec.h:111
u32 ah4_decrypt_node_index
Definition: ipsec.h:41
u32 ah6_encrypt_next_index
Definition: ipsec.h:138
u32 esp4_no_crypto_tun_feature_index
Definition: ipsec.h:146
ipsec_ah_backend_t * ah_backends
Definition: ipsec.h:150
u32 esp6_encrypt_tun_feature_index
Definition: ipsec.h:66
static_always_inline void vnet_feature_next(u32 *next0, vlib_buffer_t *b0)
Definition: feature.h:295
u32 esp4_encrypt_next_index
Definition: ipsec.h:132
u32 esp4_encrypt_tun_feature_index
Definition: ipsec.h:65
vlib_node_registration_t ah6_encrypt_node
(constructor) VLIB_REGISTER_NODE (ah6_encrypt_node)
Definition: ah_encrypt.c:438
u32 ah4_encrypt_next_index
Definition: ipsec.h:42
uword * sa_index_by_sa_id
Definition: ipsec.h:113
u32 esp6_decrypt_next_index
Definition: ipsec.h:137
clib_error_t * ipsec_add_del_sa_sess_cb(ipsec_main_t *im, u32 sa_index, u8 is_add)
Definition: ipsec.c:67
A Secruity Policy.
static_always_inline u32 get_next_output_feature_node_index(vlib_buffer_t *b, vlib_node_runtime_t *nr)
Definition: ipsec.h:206
vlib_main_t * vlib_main
Definition: ipsec.h:107
uword * ipsec_if_real_dev_by_show_dev
Definition: ipsec.h:116
u32 ipsec_register_ah_backend(vlib_main_t *vm, ipsec_main_t *im, const char *name, const char *ah4_encrypt_node_name, const char *ah4_decrypt_node_name, const char *ah6_encrypt_node_name, const char *ah6_decrypt_node_name, check_support_cb_t ah_check_support_cb, add_del_sa_sess_cb_t ah_add_del_sa_sess_cb)
Definition: ipsec.c:137
u32 esp6_encrypt_next_index
Definition: ipsec.h:136
clib_error_t *(* check_support_cb_t)(ipsec_sa_t *sa)
Definition: ipsec.h:31
vnet_crypto_op_id_t op_id
Definition: ipsec.h:81
u32 ah4_encrypt_node_index
Definition: ipsec.h:125
ipsec_main_integ_alg_t * integ_algs
Definition: ipsec.h:166
ipsec_policy_t * policies
Definition: ipsec.h:99
u8 * format_ipsec_replay_window(u8 *s, va_list *args)
Definition: ipsec_format.c:142
ipsec_sa_t * sad
Definition: ipsec.h:97
u32 esp4_decrypt_node_index
Definition: ipsec.h:124
vlib_node_registration_t ipsec4_if_input_node
(constructor) VLIB_REGISTER_NODE (ipsec4_if_input_node)
Definition: ipsec_if_in.c:679
add_del_sa_sess_cb_t add_del_sa_sess_cb
Definition: ipsec.h:54
vnet_crypto_op_id_t dec_op_id
Definition: ipsec.h:72
u32 ah6_decrypt_node_index
Definition: ipsec.h:130
static vlib_main_t * vlib_get_main(void)
Definition: global_funcs.h:23
struct _vlib_node_registration vlib_node_registration_t
u32 ah6_encrypt_node_index
Definition: ipsec.h:129
u32 ah6_decrypt_next_index
Definition: ipsec.h:139
check_support_cb_t check_support_cb
Definition: ipsec.h:39
VLIB buffer representation.
Definition: buffer.h:102
u64 uword
Definition: types.h:112
vlib_node_registration_t ipsec6_if_input_node
(constructor) VLIB_REGISTER_NODE (ipsec6_if_input_node)
Definition: ipsec_if_in.c:698
u32 esp4_decrypt_next_index
Definition: ipsec.h:60
vlib_node_registration_t ah4_decrypt_node
(constructor) VLIB_REGISTER_NODE (ah4_decrypt_node)
Definition: ah_decrypt.c:412
vnet_crypto_op_id_t
Definition: crypto.h:105
u32 esp4_encrypt_tun_feature_index
Definition: ipsec.h:142
int ipsec_select_ah_backend(ipsec_main_t *im, u32 ah_backend_idx)
Definition: ipsec.c:218
static vlib_node_t * vlib_get_node(vlib_main_t *vm, u32 i)
Get vlib node by index.
Definition: node_funcs.h:59
clib_error_t * ipsec_rsc_in_use(ipsec_main_t *im)
Definition: ipsec.c:201
vnet_crypto_alg_t alg
Definition: ipsec.h:73
add_del_sa_sess_cb_t add_del_sa_sess_cb
Definition: ipsec.h:37
ipsec_esp_backend_t * esp_backends
Definition: ipsec.h:152
u32 esp6_no_crypto_tun_feature_index
Definition: ipsec.h:147
uword * tun4_protect_by_key
Definition: ipsec.h:118