27 .stat_segment_name =
"/net/ipsec/sa",
56 memset (key, 0,
sizeof (*key));
58 if (len >
sizeof (key->
data))
63 memcpy (key->
data, data, key->
len);
108 ipsec_sa_set_IS_AEAD (sa);
133 const ip46_address_t * tun_src,
134 const ip46_address_t * tun_dst,
u32 * sa_out_index)
144 return VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
149 sa_index = sa - im->
sad;
172 return VNET_API_ERROR_UNIMPLEMENTED;
179 return VNET_API_ERROR_SYSCALL_ERROR_1;
182 if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
188 .fp_len = (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ? 128 : 32),
195 return VNET_API_ERROR_NO_SUCH_FIB;
207 if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
219 if (ipsec_sa_is_set_UDP_ENCAP (sa))
231 if (ipsec_sa_is_set_UDP_ENCAP (sa))
239 if (ipsec_sa_is_set_UDP_ENCAP (sa))
248 *sa_out_index = sa_index;
265 return VNET_API_ERROR_NO_SUCH_ENTRY;
273 return VNET_API_ERROR_SYSCALL_ERROR_1;
278 return VNET_API_ERROR_SYSCALL_ERROR_2;
280 if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
302 if (p->policy == IPSEC_POLICY_ACTION_PROTECT)
304 if (p->sa_index == sa_index)
310 if (t->input_sa_index == sa_index)
312 if (t->output_sa_index == sa_index)
331 return VNET_API_ERROR_SYSCALL_ERROR_1;
354 return VNET_API_ERROR_SYSCALL_ERROR_1;
381 if (WALK_CONTINUE != cb(sa, ctx))
void dpo_stack_from_node(u32 child_node_index, dpo_id_t *dpo, const dpo_id_t *parent)
Stack one DPO object on another, and thus establish a child-parent relationship.
static void ipsec_sa_last_lock_gone(fib_node_t *node)
Function definition to inform the FIB node that its last lock has gone.
Recursive resolution source.
#define hash_set(h, key, value)
ipsec_main_crypto_alg_t * crypto_algs
ip46_address_t tunnel_src_addr
void vlib_validate_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
Validate a combined counter.
#define hash_unset(h, key)
void fib_node_init(fib_node_t *node, fib_node_type_t type)
u32 fib_entry_child_add(fib_node_index_t fib_entry_index, fib_node_type_t child_type, fib_node_index_t child_index)
enum fib_node_back_walk_rc_t_ fib_node_back_walk_rc_t
Return code from a back walk function.
void fib_entry_contribute_forwarding(fib_node_index_t fib_entry_index, fib_forward_chain_type_t fct, dpo_id_t *dpo)
int ipsec_set_sa_key(u32 id, const ipsec_key_t *ck, const ipsec_key_t *ik)
ipsec_integ_alg_t integ_alg
void fib_entry_child_remove(fib_node_index_t fib_entry_index, u32 sibling_index)
#define STRUCT_OFFSET_OF(t, f)
const fib_prefix_t * fib_entry_get_prefix(fib_node_index_t fib_entry_index)
vnet_crypto_op_id_t integ_op_id
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
enum fib_protocol_t_ fib_protocol_t
Protocol Type.
void fib_node_register_type(fib_node_type_t type, const fib_node_vft_t *vft)
fib_node_register_type
#define clib_memcpy(d, s, n)
walk_rc_t(* ipsec_sa_walk_cb_t)(ipsec_sa_t *sa, void *ctx)
static ipsec_sa_t * ipsec_sa_from_fib_node(fib_node_t *node)
void ipsec_sa_walk(ipsec_sa_walk_cb_t cb, void *ctx)
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
#define VLIB_INIT_FUNCTION(x)
void fib_table_entry_special_remove(u32 fib_index, const fib_prefix_t *prefix, fib_source_t source)
Remove a 'special' entry from the FIB.
u32 esp6_encrypt_node_index
Aggregate type for a prefix.
#define IPSEC_CRYPTO_ALG_IS_GCM(_alg)
u32 fib_table_find(fib_protocol_t proto, u32 table_id)
Get the index of the FIB for a Table-ID.
The identity of a DPO is a combination of its type and its instance number/index of objects of that t...
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
static void vlib_zero_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
Clear a combined counter. Clears the set of per-thread counters.
ip46_address_t fp_addr
The address type is not derivable from the fp_addr member.
u32 esp4_encrypt_node_index
clib_error_t * ipsec_check_support_cb(ipsec_main_t *im, ipsec_sa_t *sa)
vnet_crypto_op_id_t enc_op_id
fib_node_index_t fib_entry_index
#define pool_put(P, E)
Free an object E in pool P.
u8 ipsec_is_sa_used(u32 sa_index)
static clib_error_t * ipsec_call_add_del_callbacks(ipsec_main_t *im, ipsec_sa_t *sa, u32 sa_index, int is_add)
#define pool_get_aligned_zero(P, E, A)
Allocate an object E from a pool P with alignment A and zero it.
fib_node_type_t fn_type
The node's type.
A node in the FIB graph.
ip46_address_t tunnel_dst_addr
u32 ipsec_get_sa_index_by_sa_id(u32 sa_id)
fib_node_index_t fib_table_entry_special_add(u32 fib_index, const fib_prefix_t *prefix, fib_source_t source, fib_entry_flag_t flags)
Add a 'special' entry to the FIB.
void ipsec_sa_set_integ_alg(ipsec_sa_t *sa, ipsec_integ_alg_t integ_alg)
ipsec_ah_backend_t * ah_backends
static fib_node_t * ipsec_sa_fib_node_get(fib_node_index_t index)
Function definition to get a FIB node from its index.
static fib_node_back_walk_rc_t ipsec_sa_back_walk(fib_node_t *node, fib_node_back_walk_ctx_t *ctx)
Function definition to backwalk a FIB node.
#define clib_warning(format, args...)
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
uword * sa_index_by_sa_id
static_always_inline void ip46_address_copy(ip46_address_t *dst, const ip46_address_t *src)
u32 fib_node_index_t
A typedef of a node index.
#define ESP_MAX_BLOCK_SIZE
Context passed between objects during a back walk.
void ipsec_sa_set_crypto_alg(ipsec_sa_t *sa, ipsec_crypto_alg_t crypto_alg)
u8 data[IPSEC_KEY_MAX_LEN]
vnet_crypto_op_id_t op_id
u32 ah4_encrypt_node_index
ipsec_main_integ_alg_t * integ_algs
ipsec_policy_t * policies
dpo_id_t dpo[IPSEC_N_PROTOCOLS]
enum fib_forward_chain_type_t_ fib_forward_chain_type_t
FIB output chain type.
static void ipsec_sa_stack(ipsec_sa_t *sa)
'stack' (resolve the recursion for) the SA tunnel destination
ipsec_protocol_t protocol
add_del_sa_sess_cb_t add_del_sa_sess_cb
vnet_crypto_op_id_t dec_op_id
u32 ah6_encrypt_node_index
int ipsec_sa_add(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, u32 *sa_out_index)
#define DPO_INVALID
An initialiser for DPOs declared on the stack.
char * name
The counter collection's name.
vnet_crypto_op_id_t crypto_enc_op_id
A collection of combined counters.
#define clib_error_free(e)
A FIB graph node's virtual function table.
ipsec_crypto_alg_t crypto_alg
void dpo_reset(dpo_id_t *dpo)
Reset a DPO ID. The DPO will be unlocked.
clib_error_t * ipsec_sa_interface_init(vlib_main_t *vm)
add_del_sa_sess_cb_t add_del_sa_sess_cb
ipsec_esp_backend_t * esp_backends
#define CLIB_CACHE_LINE_BYTES
vnet_crypto_op_id_t crypto_dec_op_id
static u16 ip4_header_checksum(ip4_header_t *i)
fib_forward_chain_type_t fib_forw_chain_type_from_fib_proto(fib_protocol_t proto)
Convert from a fib-protocol to a chain type.