FD.io VPP  v19.04.4-rc0-5-ge88582fac
Vector Packet Processing
ipsec_sa.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include <vnet/ipsec/ipsec.h>
17 #include <vnet/ipsec/esp.h>
18 #include <vnet/udp/udp.h>
19 #include <vnet/fib/fib_table.h>
20 
21 /**
22  * @brief
23  * SA packet & bytes counters
24  */
25 vlib_combined_counter_main_t ipsec_sa_counters = {
26  .name = "SA",
27  .stat_segment_name = "/net/ipsec/sa",
28 };
29 
30 
31 static clib_error_t *
33  u32 sa_index, int is_add)
34 {
37  switch (sa->protocol)
38  {
39  case IPSEC_PROTOCOL_AH:
41  if (ab->add_del_sa_sess_cb)
42  return ab->add_del_sa_sess_cb (sa_index, is_add);
43  break;
44  case IPSEC_PROTOCOL_ESP:
46  if (eb->add_del_sa_sess_cb)
47  return eb->add_del_sa_sess_cb (sa_index, is_add);
48  break;
49  }
50  return 0;
51 }
52 
53 void
55 {
56  memset (key, 0, sizeof (*key));
57 
58  if (len > sizeof (key->data))
59  key->len = sizeof (key->data);
60  else
61  key->len = len;
62 
63  memcpy (key->data, data, key->len);
64 }
65 
66 /**
67  * 'stack' (resolve the recursion for) the SA tunnel destination
68  */
69 static void
71 {
72  ipsec_main_t *im = &ipsec_main;
74  dpo_id_t tmp = DPO_INVALID;
75 
76  fct =
77  fib_forw_chain_type_from_fib_proto ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
80 
82 
83  dpo_stack_from_node ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
86  &sa->dpo[IPSEC_PROTOCOL_AH], &tmp);
87  dpo_stack_from_node ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
90  &sa->dpo[IPSEC_PROTOCOL_ESP], &tmp);
91  dpo_reset (&tmp);
92 }
93 
94 void
96 {
97  ipsec_main_t *im = &ipsec_main;
98  sa->crypto_alg = crypto_alg;
99  sa->crypto_iv_size = im->crypto_algs[crypto_alg].iv_size;
100  sa->crypto_block_size = im->crypto_algs[crypto_alg].block_size;
101  sa->crypto_enc_op_id = im->crypto_algs[crypto_alg].enc_op_id;
102  sa->crypto_dec_op_id = im->crypto_algs[crypto_alg].dec_op_id;
105  if (IPSEC_CRYPTO_ALG_IS_GCM (crypto_alg))
106  {
107  sa->integ_icv_size = im->crypto_algs[crypto_alg].icv_size;
108  ipsec_sa_set_IS_AEAD (sa);
109  }
110 }
111 
112 void
114 {
115  ipsec_main_t *im = &ipsec_main;
116  sa->integ_alg = integ_alg;
117  sa->integ_icv_size = im->integ_algs[integ_alg].icv_size;
118  sa->integ_op_id = im->integ_algs[integ_alg].op_id;
120 }
121 
122 int
124  u32 spi,
125  ipsec_protocol_t proto,
126  ipsec_crypto_alg_t crypto_alg,
127  const ipsec_key_t * ck,
128  ipsec_integ_alg_t integ_alg,
129  const ipsec_key_t * ik,
132  u32 salt,
133  const ip46_address_t * tun_src,
134  const ip46_address_t * tun_dst, u32 * sa_out_index)
135 {
136  ipsec_main_t *im = &ipsec_main;
137  clib_error_t *err;
138  ipsec_sa_t *sa;
139  u32 sa_index;
140  uword *p;
141 
142  p = hash_get (im->sa_index_by_sa_id, id);
143  if (p)
144  return VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
145 
147 
149  sa_index = sa - im->sad;
150 
151  vlib_validate_combined_counter (&ipsec_sa_counters, sa_index);
152  vlib_zero_combined_counter (&ipsec_sa_counters, sa_index);
153 
154  sa->id = id;
155  sa->spi = spi;
156  sa->stat_index = sa_index;
157  sa->protocol = proto;
158  sa->flags = flags;
159  sa->salt = salt;
160  ipsec_sa_set_integ_alg (sa, integ_alg);
161  clib_memcpy (&sa->integ_key, ik, sizeof (sa->integ_key));
162  ipsec_sa_set_crypto_alg (sa, crypto_alg);
163  clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
164  ip46_address_copy (&sa->tunnel_src_addr, tun_src);
165  ip46_address_copy (&sa->tunnel_dst_addr, tun_dst);
166 
167  err = ipsec_check_support_cb (im, sa);
168  if (err)
169  {
170  clib_warning ("%s", err->what);
171  pool_put (im->sad, sa);
172  return VNET_API_ERROR_UNIMPLEMENTED;
173  }
174 
175  err = ipsec_call_add_del_callbacks (im, sa, sa_index, 1);
176  if (err)
177  {
178  pool_put (im->sad, sa);
179  return VNET_API_ERROR_SYSCALL_ERROR_1;
180  }
181 
182  if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
183  {
184  fib_protocol_t fproto = (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
186  fib_prefix_t pfx = {
187  .fp_addr = sa->tunnel_dst_addr,
188  .fp_len = (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ? 128 : 32),
189  .fp_proto = fproto,
190  };
191  sa->tx_fib_index = fib_table_find (fproto, tx_table_id);
192  if (sa->tx_fib_index == ~((u32) 0))
193  {
194  pool_put (im->sad, sa);
195  return VNET_API_ERROR_NO_SUCH_FIB;
196  }
197 
199  &pfx,
203  FIB_NODE_TYPE_IPSEC_SA, sa_index);
204  ipsec_sa_stack (sa);
205 
206  /* generate header templates */
207  if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
208  {
210  sa->ip6_hdr.hop_limit = 254;
211  sa->ip6_hdr.src_address.as_u64[0] =
212  sa->tunnel_src_addr.ip6.as_u64[0];
213  sa->ip6_hdr.src_address.as_u64[1] =
214  sa->tunnel_src_addr.ip6.as_u64[1];
215  sa->ip6_hdr.dst_address.as_u64[0] =
216  sa->tunnel_dst_addr.ip6.as_u64[0];
217  sa->ip6_hdr.dst_address.as_u64[1] =
218  sa->tunnel_dst_addr.ip6.as_u64[1];
219  if (ipsec_sa_is_set_UDP_ENCAP (sa))
220  sa->ip6_hdr.protocol = IP_PROTOCOL_UDP;
221  else
222  sa->ip6_hdr.protocol = IP_PROTOCOL_IPSEC_ESP;
223  }
224  else
225  {
227  sa->ip4_hdr.ttl = 254;
228  sa->ip4_hdr.src_address.as_u32 = sa->tunnel_src_addr.ip4.as_u32;
229  sa->ip4_hdr.dst_address.as_u32 = sa->tunnel_dst_addr.ip4.as_u32;
230 
231  if (ipsec_sa_is_set_UDP_ENCAP (sa))
232  sa->ip4_hdr.protocol = IP_PROTOCOL_UDP;
233  else
234  sa->ip4_hdr.protocol = IP_PROTOCOL_IPSEC_ESP;
236  }
237  }
238 
239  if (ipsec_sa_is_set_UDP_ENCAP (sa))
240  {
241  sa->udp_hdr.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
242  sa->udp_hdr.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
243  }
244 
245  hash_set (im->sa_index_by_sa_id, sa->id, sa_index);
246 
247  if (sa_out_index)
248  *sa_out_index = sa_index;
249 
250  return (0);
251 }
252 
253 u32
255 {
256  ipsec_main_t *im = &ipsec_main;
257  ipsec_sa_t *sa = 0;
258  uword *p;
259  u32 sa_index;
260  clib_error_t *err;
261 
262  p = hash_get (im->sa_index_by_sa_id, id);
263 
264  if (!p)
265  return VNET_API_ERROR_NO_SUCH_ENTRY;
266 
267  sa_index = p[0];
268  sa = pool_elt_at_index (im->sad, sa_index);
269  if (ipsec_is_sa_used (sa_index))
270  {
271  clib_warning ("sa_id %u used in policy", sa->id);
272  /* sa used in policy */
273  return VNET_API_ERROR_SYSCALL_ERROR_1;
274  }
275  hash_unset (im->sa_index_by_sa_id, sa->id);
276  err = ipsec_call_add_del_callbacks (im, sa, sa_index, 0);
277  if (err)
278  return VNET_API_ERROR_SYSCALL_ERROR_2;
279 
280  if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
281  {
284  (sa->tx_fib_index,
288  }
289  pool_put (im->sad, sa);
290  return 0;
291 }
292 
293 u8
295 {
296  ipsec_main_t *im = &ipsec_main;
298  ipsec_policy_t *p;
299 
300  /* *INDENT-OFF* */
301  pool_foreach(p, im->policies, ({
302  if (p->policy == IPSEC_POLICY_ACTION_PROTECT)
303  {
304  if (p->sa_index == sa_index)
305  return 1;
306  }
307  }));
308 
309  pool_foreach(t, im->tunnel_interfaces, ({
310  if (t->input_sa_index == sa_index)
311  return 1;
312  if (t->output_sa_index == sa_index)
313  return 1;
314  }));
315  /* *INDENT-ON* */
316 
317  return 0;
318 }
319 
320 int
321 ipsec_set_sa_key (u32 id, const ipsec_key_t * ck, const ipsec_key_t * ik)
322 {
323  ipsec_main_t *im = &ipsec_main;
324  uword *p;
325  u32 sa_index;
326  ipsec_sa_t *sa = 0;
327  clib_error_t *err;
328 
329  p = hash_get (im->sa_index_by_sa_id, id);
330  if (!p)
331  return VNET_API_ERROR_SYSCALL_ERROR_1; /* no such sa-id */
332 
333  sa_index = p[0];
334  sa = pool_elt_at_index (im->sad, sa_index);
335 
336  /* new crypto key */
337  if (ck)
338  {
339  clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
340  }
341 
342  /* new integ key */
343  if (ik)
344  {
345  clib_memcpy (&sa->integ_key, 0, sizeof (sa->integ_key));
346  }
347 
348  if (ck || ik)
349  {
350  err = ipsec_call_add_del_callbacks (im, sa, sa_index, 0);
351  if (err)
352  {
353  clib_error_free (err);
354  return VNET_API_ERROR_SYSCALL_ERROR_1;
355  }
356  }
357 
358  return 0;
359 }
360 
361 u32
363 {
364  ipsec_main_t *im = &ipsec_main;
365  uword *p = hash_get (im->sa_index_by_sa_id, sa_id);
366  if (!p)
367  return ~0;
368 
369  return p[0];
370 }
371 
372 void
374 {
375  ipsec_main_t *im = &ipsec_main;
376  ipsec_sa_t *sa;
377 
378  /* *INDENT-OFF* */
379  pool_foreach (sa, im->sad,
380  ({
381  if (WALK_CONTINUE != cb(sa, ctx))
382  break;
383  }));
384  /* *INDENT-ON* */
385 }
386 
387 /**
388  * Function definition to get a FIB node from its index
389  */
390 static fib_node_t *
392 {
393  ipsec_main_t *im;
394  ipsec_sa_t *sa;
395 
396  im = &ipsec_main;
397  sa = pool_elt_at_index (im->sad, index);
398 
399  return (&sa->node);
400 }
401 
402 /**
403  * Function definition to inform the FIB node that its last lock has gone.
404  */
405 static void
407 {
408  /*
409  * The ipsec SA is a root of the graph. As such
410  * it never has children and thus is never locked.
411  */
412  ASSERT (0);
413 }
414 
415 static ipsec_sa_t *
417 {
419  return ((ipsec_sa_t *) (((char *) node) -
420  STRUCT_OFFSET_OF (ipsec_sa_t, node)));
421 
422 }
423 
424 /**
425  * Function definition to backwalk a FIB node
426  */
429 {
431 
433 }
434 
435 /*
436  * Virtual function table registered by MPLS GRE tunnels
437  * for participation in the FIB object graph.
438  */
439 const static fib_node_vft_t ipsec_sa_vft = {
441  .fnv_last_lock = ipsec_sa_last_lock_gone,
442  .fnv_back_walk = ipsec_sa_back_walk,
443 };
444 
445 /* force inclusion from application's main.c */
446 clib_error_t *
448 {
450 
451  return 0;
452 }
453 
455 
456 /*
457  * fd.io coding-style-patch-verification: ON
458  *
459  * Local Variables:
460  * eval: (c-set-style "gnu")
461  * End:
462  */
void dpo_stack_from_node(u32 child_node_index, dpo_id_t *dpo, const dpo_id_t *parent)
Stack one DPO object on another, and thus establish a child parent relationship.
Definition: dpo.c:530
u32 tx_table_id
Definition: ipsec.api:284
static void ipsec_sa_last_lock_gone(fib_node_t *node)
Function definition to inform the FIB node that its last lock has gone.
Definition: ipsec_sa.c:406
Recursive resolution source.
Definition: fib_entry.h:125
fib_node_t node
Definition: ipsec_sa.h:145
#define hash_set(h, key, value)
Definition: hash.h:255
u32 flags
Definition: vhost_user.h:115
ipsec_main_crypto_alg_t * crypto_algs
Definition: ipsec.h:155
ip46_address_t tunnel_src_addr
Definition: ipsec_sa.h:156
u32 ipsec_sa_del(u32 id)
Definition: ipsec_sa.c:254
void vlib_validate_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
validate a combined counter
Definition: counter.c:106
#define hash_unset(h, key)
Definition: hash.h:261
ip4_address_t src_address
Definition: ip4_packet.h:170
void fib_node_init(fib_node_t *node, fib_node_type_t type)
Definition: fib_node.c:185
u32 fib_entry_child_add(fib_node_index_t fib_entry_index, fib_node_type_t child_type, fib_node_index_t child_index)
Definition: fib_entry.c:565
ipsec_integ_alg_t
Definition: ipsec_sa.h:60
u64 as_u64[2]
Definition: ip6_packet.h:51
enum fib_node_back_walk_rc_t_ fib_node_back_walk_rc_t
Return code from a back walk function.
void fib_entry_contribute_forwarding(fib_node_index_t fib_entry_index, fib_forward_chain_type_t fct, dpo_id_t *dpo)
Definition: fib_entry.c:447
ipsec_key_t crypto_key
Definition: ipsec_sa.h:151
int ipsec_set_sa_key(u32 id, const ipsec_key_t *ck, const ipsec_key_t *ik)
Definition: ipsec_sa.c:321
ipsec_integ_alg_t integ_alg
Definition: ipsec_sa.h:153
void fib_entry_child_remove(fib_node_index_t fib_entry_index, u32 sibling_index)
Definition: fib_entry.c:576
ipsec_protocol_t
Definition: ipsec_sa.h:68
#define STRUCT_OFFSET_OF(t, f)
Definition: clib.h:65
const fib_prefix_t * fib_entry_get_prefix(fib_node_index_t fib_entry_index)
Definition: fib_entry.c:1688
u32 ah_current_backend
Definition: ipsec.h:146
u8 data[128]
Definition: ipsec.api:248
u32 esp_current_backend
Definition: ipsec.h:148
vnet_crypto_op_id_t integ_op_id
Definition: ipsec_sa.h:130
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
Definition: ipsec_sa.c:54
ip6_address_t src_address
Definition: ip6_packet.h:385
unsigned char u8
Definition: types.h:56
enum fib_protocol_t_ fib_protocol_t
Protocol Type.
void fib_node_register_type(fib_node_type_t type, const fib_node_vft_t *vft)
fib_node_register_type
Definition: fib_node.c:60
#define clib_memcpy(d, s, n)
Definition: string.h:180
walk_rc_t(* ipsec_sa_walk_cb_t)(ipsec_sa_t *sa, void *ctx)
Definition: ipsec_sa.h:216
static ipsec_sa_t * ipsec_sa_from_fib_node(fib_node_t *node)
Definition: ipsec_sa.c:416
void ipsec_sa_walk(ipsec_sa_walk_cb_t cb, void *ctx)
Definition: ipsec_sa.c:373
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
Definition: pool.h:493
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:163
ipsec_main_t ipsec_main
Definition: ipsec.c:28
void fib_table_entry_special_remove(u32 fib_index, const fib_prefix_t *prefix, fib_source_t source)
Remove a &#39;special&#39; entry from the FIB.
Definition: fib_table.c:407
ip4_address_t dst_address
Definition: ip4_packet.h:170
u32 esp6_encrypt_node_index
Definition: ipsec.h:123
Aggregrate type for a prefix.
Definition: fib_types.h:203
unsigned int u32
Definition: types.h:88
#define IPSEC_CRYPTO_ALG_IS_GCM(_alg)
Definition: ipsec_sa.h:46
u32 fib_table_find(fib_protocol_t proto, u32 table_id)
Get the index of the FIB for a Table-ID.
Definition: fib_table.c:1064
ipsec_sa_flags_t flags
Definition: ipsec_sa.h:116
u32 stat_index
Definition: ipsec_sa.h:147
Definition: fib_entry.h:275
The identity of a DPO is a combination of its type and its instance number/index of objects of that t...
Definition: dpo.h:168
#define ESP_MAX_IV_SIZE
Definition: esp.h:73
#define hash_get(h, key)
Definition: hash.h:249
u32 tx_fib_index
Definition: ipsec_sa.h:162
#define ESP_MAX_ICV_SIZE
Definition: esp.h:74
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:514
static void vlib_zero_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
Clear a combined counter Clears the set of per-thread counters.
Definition: counter.h:285
u32 sa_id
Definition: ipsec.api:94
ip46_address_t fp_addr
The address type is not deriveable from the fp_addr member.
Definition: fib_types.h:226
long ctx[MAX_CONNS]
Definition: main.c:144
u32 esp4_encrypt_node_index
Definition: ipsec.h:119
u32 salt
Definition: ipsec_sa.h:163
clib_error_t * ipsec_check_support_cb(ipsec_main_t *im, ipsec_sa_t *sa)
Definition: ipsec.c:67
vnet_crypto_op_id_t enc_op_id
Definition: ipsec.h:71
fib_node_index_t fib_entry_index
Definition: ipsec_sa.h:159
#define pool_put(P, E)
Free an object E in pool P.
Definition: pool.h:286
u8 ipsec_is_sa_used(u32 sa_index)
Definition: ipsec_sa.c:294
static clib_error_t * ipsec_call_add_del_callbacks(ipsec_main_t *im, ipsec_sa_t *sa, u32 sa_index, int is_add)
Definition: ipsec_sa.c:32
#define pool_get_aligned_zero(P, E, A)
Allocate an object E from a pool P with alignment A and zero it.
Definition: pool.h:233
fib_node_type_t fn_type
The node&#39;s type.
Definition: fib_node.h:295
An node in the FIB graph.
Definition: fib_node.h:291
u8 len
Definition: ip_types.api:49
ip46_address_t tunnel_dst_addr
Definition: ipsec_sa.h:157
u32 ipsec_get_sa_index_by_sa_id(u32 sa_id)
Definition: ipsec_sa.c:362
fib_node_index_t fib_table_entry_special_add(u32 fib_index, const fib_prefix_t *prefix, fib_source_t source, fib_entry_flag_t flags)
Add a &#39;special&#39; entry to the FIB.
Definition: fib_table.c:388
void ipsec_sa_set_integ_alg(ipsec_sa_t *sa, ipsec_integ_alg_t integ_alg)
Definition: ipsec_sa.c:113
vlib_main_t * vm
Definition: buffer.c:312
ipsec_ah_backend_t * ah_backends
Definition: ipsec.h:142
static fib_node_t * ipsec_sa_fib_node_get(fib_node_index_t index)
Function definition to get a FIB node from its index.
Definition: ipsec_sa.c:391
static fib_node_back_walk_rc_t ipsec_sa_back_walk(fib_node_t *node, fib_node_back_walk_ctx_t *ctx)
Function definition to backwalk a FIB node.
Definition: ipsec_sa.c:428
#define clib_warning(format, args...)
Definition: error.h:59
fib_node_get_t fnv_get
Definition: fib_node.h:279
udp_header_t udp_hdr
Definition: ipsec_sa.h:142
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
uword * sa_index_by_sa_id
Definition: ipsec.h:111
static_always_inline void ip46_address_copy(ip46_address_t *dst, const ip46_address_t *src)
Definition: ip6_packet.h:99
u32 fib_node_index_t
A typedef of a node index.
Definition: fib_types.h:30
A Secruity Policy.
#define ESP_MAX_BLOCK_SIZE
Definition: esp.h:72
Context passed between object during a back walk.
Definition: fib_node.h:204
void ipsec_sa_set_crypto_alg(ipsec_sa_t *sa, ipsec_crypto_alg_t crypto_alg)
Definition: ipsec_sa.c:95
u8 data[IPSEC_KEY_MAX_LEN]
Definition: ipsec_sa.h:80
vnet_crypto_op_id_t op_id
Definition: ipsec.h:80
#define ASSERT(truth)
u32 ah4_encrypt_node_index
Definition: ipsec.h:121
u32 spi
Definition: ipsec.api:270
ipsec_main_integ_alg_t * integ_algs
Definition: ipsec.h:158
ipsec_policy_t * policies
Definition: ipsec.h:97
u8 is_add
Definition: ipsec_gre.api:36
ip6_header_t ip6_hdr
Definition: ipsec_sa.h:140
ipsec_sa_t * sad
Definition: ipsec.h:95
dpo_id_t dpo[IPSEC_N_PROTOCOLS]
Definition: ipsec_sa.h:132
enum fib_forward_chain_type_t_ fib_forward_chain_type_t
FIB output chain type.
static void ipsec_sa_stack(ipsec_sa_t *sa)
&#39;stack&#39; (resolve the recursion for) the SA tunnel destination
Definition: ipsec_sa.c:70
ipsec_protocol_t protocol
Definition: ipsec_sa.h:148
u32 sibling
Definition: ipsec_sa.h:160
add_del_sa_sess_cb_t add_del_sa_sess_cb
Definition: ipsec.h:54
vnet_crypto_op_id_t dec_op_id
Definition: ipsec.h:72
u32 ip_version_traffic_class_and_flow_label
Definition: ip6_packet.h:372
u32 ah6_encrypt_node_index
Definition: ipsec.h:125
int ipsec_sa_add(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, u32 *sa_out_index)
Definition: ipsec_sa.c:123
u64 uword
Definition: types.h:112
ipsec_crypto_alg_t
Definition: ipsec_sa.h:38
typedef key
Definition: ipsec.api:244
#define DPO_INVALID
An initialiser for DPOs declared on the stack.
Definition: dpo.h:195
char * name
The counter collection&#39;s name.
Definition: counter.h:193
vnet_crypto_op_id_t crypto_enc_op_id
Definition: ipsec_sa.h:128
A collection of combined counters.
Definition: counter.h:188
#define clib_error_free(e)
Definition: error.h:86
A FIB graph nodes virtual function table.
Definition: fib_node.h:278
ipsec_crypto_alg_t crypto_alg
Definition: ipsec_sa.h:150
ip4_header_t ip4_hdr
Definition: ipsec_sa.h:139
void dpo_reset(dpo_id_t *dpo)
reset a DPO ID The DPO will be unlocked.
Definition: dpo.c:231
clib_error_t * ipsec_sa_interface_init(vlib_main_t *vm)
Definition: ipsec_sa.c:447
u8 crypto_block_size
Definition: ipsec_sa.h:119
u32 id
Definition: udp.api:45
add_del_sa_sess_cb_t add_del_sa_sess_cb
Definition: ipsec.h:37
u8 ip_version_and_header_length
Definition: ip4_packet.h:138
ipsec_esp_backend_t * esp_backends
Definition: ipsec.h:144
u8 crypto_iv_size
Definition: ipsec_sa.h:118
#define CLIB_CACHE_LINE_BYTES
Definition: cache.h:59
ipsec_key_t integ_key
Definition: ipsec_sa.h:154
vnet_crypto_op_id_t crypto_dec_op_id
Definition: ipsec_sa.h:129
u8 integ_icv_size
Definition: ipsec_sa.h:120
static u16 ip4_header_checksum(ip4_header_t *i)
Definition: ip4_packet.h:247
fib_forward_chain_type_t fib_forw_chain_type_from_fib_proto(fib_protocol_t proto)
Convert from a fib-protocol to a chain type.
Definition: fib_types.c:350
ip6_address_t dst_address
Definition: ip6_packet.h:385