FD.io VPP  v19.08.3-2-gbabecb413
Vector Packet Processing
ipsec_if.c
1 /*
2  * ipsec_if.c : IPSec interface support
3  *
4  * Copyright (c) 2015 Cisco and/or its affiliates.
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/fib/fib.h>
22 #include <vnet/udp/udp.h>
23 #include <vnet/adj/adj_midchain.h>
24 
25 #include <vnet/ipsec/ipsec.h>
26 #include <vnet/ipsec/esp.h>
27 
28 void vl_api_rpc_call_main_thread (void *fp, u8 * data, u32 data_length);
29 
/**
 * @brief Format callback that renders the name of an IPsec tunnel interface.
 *
 * Pulls one u32 (the device instance) from @a args, uses it to index
 * ipsec_main.tunnel_interfaces and appends "ipsec<show_instance>" to @a s.
 *
 * @param s    vector the name is appended to
 * @param args va_list whose next argument is the device instance
 * @return whatever format() returns for the extended vector
 *
 * NOTE(review): the instance indexes the tunnel vector without a range check
 * in this function; presumably only the interface layer calls it with a live
 * instance - confirm.
 */
static u8 *
format_ipsec_name (u8 * s, va_list * args)
{
  u32 instance = va_arg (*args, u32);
  ipsec_tunnel_if_t *tunnel = &ipsec_main.tunnel_interfaces[instance];

  return format (s, "ipsec%d", tunnel->show_instance);
}
39 
40 /*
 * Statistics (not really errors).
 * The list expands to _(TX, "good packets transmitted"); whoever expands it
 * has to define _() first.  No expansion of the list is visible in this
 * listing.
 */
41 #define foreach_ipsec_if_tx_error \
42 _(TX, "good packets transmitted")
43 
/*
 * ipsec_if_tunnel_stack: for adjacency index ai, read the owning sw_if_index
 * from the adjacency's rewrite header and return early when that interface
 * has no IPsec tunnel recorded in ipsec_if_by_sw_if_index (index beyond the
 * vector, or a ~0 entry).  In the else branch the output SA's tunnel
 * destination is turned into a host prefix: /128 for an IPv6 tunnel SA,
 * /32 otherwise.
 *
 * Signature per the page's index: static void ipsec_if_tunnel_stack (adj_index_t ai)
 *
 * NOTE(review): this rendered listing has lost source lines 45, 48, 50, 59,
 * 62, 64, 77-78 and 82 (see the gaps in the gutter numbers): the signature,
 * the declarations of it and sw_if_index, the if condition and the call made
 * in each branch.  The index at the end of the page names
 * vnet_hw_interface_is_link_up, adj_midchain_delegate_unstack and
 * adj_midchain_delegate_stack, so those are presumably the missing calls -
 * confirm against the real file.
 */
44 static void
46 {
47  ipsec_main_t *ipm = &ipsec_main;
49  ip_adjacency_t *adj;
51 
52  adj = adj_get (ai);
53  sw_if_index = adj->rewrite_header.sw_if_index;
54 
 /* Bounds check comes first so the vector is never read past its length. */
55  if ((vec_len (ipm->ipsec_if_by_sw_if_index) <= sw_if_index) ||
56  (~0 == ipm->ipsec_if_by_sw_if_index[sw_if_index]))
57  return;
58 
60  ipm->ipsec_if_by_sw_if_index[sw_if_index]);
61 
63  {
65  }
66  else
67  {
68  ipsec_sa_t *sa;
69 
 /* The prefix is built from the outbound SA, i.e. the remote tunnel endpoint. */
70  sa = ipsec_sa_get (it->output_sa_index);
71 
72  /* *INDENT-OFF* */
73  fib_prefix_t pfx = {
74  .fp_addr = sa->tunnel_dst_addr,
75  .fp_len = (ipsec_sa_is_set_IS_TUNNEL_V6(sa) ? 128 : 32),
76  .fp_proto = (ipsec_sa_is_set_IS_TUNNEL_V6(sa) ?
79  };
80  /* *INDENT-ON* */
81 
83  }
84 }
85 
86 /**
87  * @brief Call back when restacking all adjacencies on a IPSec interface
 *
 * Always returns ADJ_WALK_RC_CONTINUE, so this callback never stops the walk.
 *
 * NOTE(review): source lines 90 (the signature) and 92 (the per-adjacency
 * action) are missing from this listing.  The page's index gives the
 * signature as ipsec_if_adj_walk_cb (adj_index_t ai, void *ctx); the missing
 * action is presumably a call to ipsec_if_tunnel_stack - confirm.
88  */
89 static adj_walk_rc_t
91 {
93 
94  return (ADJ_WALK_RC_CONTINUE);
95 }
96 
/*
 * ipsec_if_tunnel_restack: walk the neighbour adjacencies of it->sw_if_index
 * for protocol proto, calling ipsec_if_adj_walk_cb on each with a NULL
 * context.
 *
 * Signature per the page's index:
 *   static void ipsec_if_tunnel_restack (ipsec_tunnel_if_t *it)
 *
 * NOTE(review): source lines 98, 100 and 105 are missing from this listing
 * (signature, the declaration of proto, and the loop header).  The index
 * lists FOR_EACH_FIB_IP_PROTOCOL, which is presumably the loop - confirm.
 */
97 static void
99 {
101 
102  /*
103  * walk all the adjacencies on the IPSec interface and restack them
104  */
106  {
107  adj_nbr_walk (it->sw_if_index, proto, ipsec_if_adj_walk_cb, NULL);
108  }
109 }
110 
/*
 * ipsec_admin_up_down_function: admin up/down handler registered in
 * ipsec_device_class.  On the up path it checks backend support for the
 * tunnel's input and output SA and adds a backend session for each, then
 * sets the hardware interface flags.  On the down path it clears the
 * hardware flags and removes both backend sessions.  Returns the first
 * clib_error_t produced by a callback, or NULL.
 *
 * Signature per the page's index:
 *   static clib_error_t *ipsec_admin_up_down_function (vnet_main_t *vnm,
 *       u32 hw_if_index, u32 flags)
 *
 * NOTE(review): source lines 112, 116-117, 121, 124, 147 and 162 are missing
 * from this listing (signature, declarations of hi and t, the lookup of t,
 * the up/down condition, the flag argument of the up-side set_flags call and
 * one statement before the final return).
 */
111 static clib_error_t *
113 {
114  ipsec_main_t *im = &ipsec_main;
115  clib_error_t *err = 0;
118  ipsec_sa_t *sa;
119 
120  hi = vnet_get_hw_interface (vnm, hw_if_index);
 /* NOTE(review): the flags are stored before any check below can fail, so an
    error return leaves t->flags holding the requested state. */
122  t->flags = flags;
123 
125  {
126  sa = pool_elt_at_index (im->sad, t->input_sa_index);
127 
128  err = ipsec_check_support_cb (im, sa);
129  if (err)
130  return err;
131 
132  err = ipsec_add_del_sa_sess_cb (im, t->input_sa_index, 1);
133  if (err)
134  return err;
135 
136  sa = pool_elt_at_index (im->sad, t->output_sa_index);
137 
 /* NOTE(review): a failure from here on returns with the input SA session
    added above still in place; no rollback is visible. */
138  err = ipsec_check_support_cb (im, sa);
139  if (err)
140  return err;
141 
142  err = ipsec_add_del_sa_sess_cb (im, t->output_sa_index, 1);
143  if (err)
144  return err;
145 
 /* Link flags are only raised after both SA sessions were accepted. */
146  vnet_hw_interface_set_flags (vnm, hw_if_index,
148  }
149  else
150  {
 /* Interface goes down first, then the backend sessions are removed. */
151  vnet_hw_interface_set_flags (vnm, hw_if_index, 0 /* down */ );
 /* NOTE(review): sa is assigned here and below but not read in the visible
    lines of this branch. */
152  sa = pool_elt_at_index (im->sad, t->input_sa_index);
153  err = ipsec_add_del_sa_sess_cb (im, t->input_sa_index, 0);
154  if (err)
155  return err;
156  sa = pool_elt_at_index (im->sad, t->output_sa_index);
157  err = ipsec_add_del_sa_sess_cb (im, t->output_sa_index, 0);
158  if (err)
159  return err;
160  }
161 
163 
164  return (NULL);
165 }
166 
/**
 * @brief Rewrite builder for IPsec interfaces; it builds nothing.
 *
 * All four arguments are ignored and NULL is returned.  The first two
 * signature lines are not in this listing; they are restored here from the
 * signature shown in the page's index for ipsec_if.c:168.
 *
 * @param vnm         unused
 * @param sw_if_index unused
 * @param link_type   unused
 * @param dst_address unused
 * @return NULL
 */
static u8 *
ipsec_if_build_rewrite (vnet_main_t * vnm,
                        u32 sw_if_index,
                        vnet_link_t link_type, const void *dst_address)
{
  u8 *no_rewrite = NULL;

  return no_rewrite;
}
174 
/*
 * ipsec_if_update_adj: adjacency update hook registered in ipsec_hw_class.
 * The visible call passes ai, two NULLs, ADJ_FLAG_MIDCHAIN_IP_STACK and the
 * result of ipsec_if_build_rewrite (which returns NULL in this file).
 *
 * Signature per the page's index:
 *   static void ipsec_if_update_adj (vnet_main_t *vnm, u32 sw_if_index,
 *       adj_index_t ai)
 *
 * NOTE(review): source lines 176, 178 and 182 are missing from this listing.
 * The argument list matches adj_nbr_midchain_update_rewrite as shown in the
 * index, and the dropped last statement is presumably ipsec_if_tunnel_stack
 * (ai) - confirm.
 */
175 static void
177 {
179  (ai, NULL, NULL, ADJ_FLAG_MIDCHAIN_IP_STACK,
180  ipsec_if_build_rewrite (vnm, sw_if_index, adj_get_link_type (ai), NULL));
181 
183 }
184 
/*
 * Device class for IPsec tunnel interfaces: interface names come from
 * format_ipsec_name and admin up/down changes are handled by
 * ipsec_admin_up_down_function.
 */
/* *INDENT-OFF* */
VNET_DEVICE_CLASS (ipsec_device_class) =
{
  .admin_up_down_function = ipsec_admin_up_down_function,
  .format_device_name = format_ipsec_name,
  .name = "IPSec",
};
/* *INDENT-ON* */
193 
/*
 * Hardware interface class for IPsec tunnel interfaces.  The class-level
 * rewrite builder is default_build_rewrite; ipsec_if_build_rewrite is only
 * called directly from ipsec_if_update_adj, which is the adjacency hook here.
 *
 * NOTE(review): source line 200 (one more initializer) is missing from this
 * listing.
 */
194 /* *INDENT-OFF* */
195 VNET_HW_INTERFACE_CLASS (ipsec_hw_class) =
196 {
197  .name = "IPSec",
198  .build_rewrite = default_build_rewrite,
199  .update_adjacency = ipsec_if_update_adj,
201 };
202 /* *INDENT-ON* */
203 
/**
 * @brief RPC target that performs a tunnel add/delete.
 *
 * Asserts that the caller is thread index 0 and forwards @a a to
 * ipsec_add_del_tunnel_if_internal with no sw_if_index out-pointer.  The
 * signature line is not in this listing; it is restored here from the
 * page's index entry for ipsec_if.c:205.
 *
 * @param a tunnel add/delete arguments
 * @return the result of ipsec_add_del_tunnel_if_internal
 *
 * NOTE(review): the thread check is an ASSERT only; whether it is active in
 * release builds depends on how ASSERT is configured - confirm.
 */
static int
ipsec_add_del_tunnel_if_rpc_callback (ipsec_add_del_tunnel_args_t * a)
{
  vnet_main_t *main_vnm = vnet_get_main ();

  ASSERT (0 == vlib_get_thread_index ());

  return ipsec_add_del_tunnel_if_internal (main_vnm, a,
                                           NULL /* sw_if_index_p */ );
}
212 
/*
 * ipsec_add_del_tunnel_if: hand a tunnel add/delete request to another
 * thread by passing args as a byte buffer of sizeof (*args) bytes.
 *
 * Signature per the page's index:
 *   int ipsec_add_del_tunnel_if (ipsec_add_del_tunnel_args_t *args)
 *
 * NOTE(review): source lines 214 and 216 are missing from this listing.  The
 * index lists vl_api_rpc_call_main_thread and
 * ipsec_add_del_tunnel_if_rpc_callback, so the dropped line is presumably the
 * start of that RPC call - confirm.
 * NOTE(review): the function always returns 0, so the result of the actual
 * add/delete is not reported to this caller.
 * NOTE(review): the argument struct carries the tunnel keys (see the
 * ipsec_mk_key calls in ipsec_add_del_tunnel_if_internal); how long the
 * buffer handed to the RPC layer lives, and whether it is cleared, is not
 * visible here.
 */
213 int
215 {
217  (u8 *) args, sizeof (*args));
218  return 0;
219 }
220 
/**
 * @brief Derive the SA id used for a tunnel's inbound SA.
 *
 * Returns the tunnel index with bit 31 set.  The signature line is not in
 * this listing; it is restored here from the page's index entry for
 * ipsec_if.c:222.
 *
 * @param ti tunnel (device instance) index
 * @return 0x80000000 | ti
 *
 * NOTE(review): an index with bit 30 set would produce the same id that
 * ipsec_tun_mk_output_sa_id yields for the index without that bit, and the
 * result goes into the same id argument of ipsec_sa_add_and_lock as any other
 * SA id.  Whether either overlap is prevented elsewhere is not visible
 * here - confirm.
 */
static u32
ipsec_tun_mk_input_sa_id (u32 ti)
{
  const u32 input_sa_id_bits = 0x80000000;

  return (ti | input_sa_id_bits);
}
226 
/**
 * @brief Derive the SA id used for a tunnel's outbound SA.
 *
 * Returns the tunnel index with bits 31 and 30 set.  The signature line is
 * not in this listing; it is restored here from the page's index entry for
 * ipsec_if.c:228.
 *
 * @param ti tunnel (device instance) index
 * @return 0xc0000000 | ti
 *
 * NOTE(review): the id is only distinct from the inbound id of another
 * tunnel while tunnel indices stay below 0x40000000; no check is visible
 * here - confirm.
 */
static u32
ipsec_tun_mk_output_sa_id (u32 ti)
{
  const u32 output_sa_id_bits = 0xc0000000;

  return (ti | output_sa_id_bits);
}
232 
/**
 * @brief Enable or disable the tunnel's ESP output feature on both IP arcs.
 *
 * Reads the tunnel's output SA.  When that SA has neither a crypto nor an
 * integrity algorithm (both *_ALG_NONE) the "no-crypto" feature indices are
 * chosen, otherwise the "encrypt" ones.  The chosen feature is then enabled
 * or disabled on the "ip4-output" and "ip6-output" arcs for t->sw_if_index,
 * with the output SA index passed as the feature's config data.  The
 * signature line is not in this listing; it is restored here from the
 * page's index entry for ipsec_if.c:234.
 *
 * @param im     IPsec main state holding the feature indices
 * @param t      tunnel interface whose features are switched
 * @param enable non-zero to enable, zero to disable
 *
 * NOTE(review): the feature is picked from the SA that is current at call
 * time, so a disable has to run while t->output_sa_index still names the SA
 * used for the enable; ipsec_set_interface_sa in this file does it in that
 * order.
 * NOTE(review): the int result of vnet_feature_enable_disable_with_index is
 * not checked.
 */
static void
ipsec_tunnel_feature_set (ipsec_main_t * im, ipsec_tunnel_if_t * t, u8 enable)
{
  ipsec_sa_t *out_sa = ipsec_sa_get (t->output_sa_index);
  int no_crypto = (IPSEC_CRYPTO_ALG_NONE == out_sa->crypto_alg &&
                   IPSEC_INTEG_ALG_NONE == out_sa->integ_alg);
  u32 ip4_feature = no_crypto ? im->esp4_no_crypto_tun_feature_index
    : im->esp4_encrypt_tun_feature_index;
  u32 ip6_feature = no_crypto ? im->esp6_no_crypto_tun_feature_index
    : im->esp6_encrypt_tun_feature_index;
  u8 arc_index;

  /* IPv4 output arc */
  arc_index = vnet_get_feature_arc_index ("ip4-output");
  vnet_feature_enable_disable_with_index (arc_index, ip4_feature,
                                          t->sw_if_index, enable,
                                          &t->output_sa_index,
                                          sizeof (t->output_sa_index));

  /* IPv6 output arc */
  arc_index = vnet_get_feature_arc_index ("ip6-output");
  vnet_feature_enable_disable_with_index (arc_index, ip6_feature,
                                          t->sw_if_index, enable,
                                          &t->output_sa_index,
                                          sizeof (t->output_sa_index));
}
267 
/*
 * ipsec_add_del_tunnel_if_internal: create (args->is_add) or delete an IPsec
 * tunnel interface.  The tunnel is looked up by a key of remote IP plus
 * remote SPI (SPI converted to network byte order) in the per-address-family
 * hash.  On success the interface's sw_if_index is written to *sw_if_index_p
 * when that pointer is non-NULL and 0 is returned; otherwise a
 * VNET_API_ERROR_* value or the rv of ipsec_sa_add_and_lock is returned.
 *
 * Signature per the page's index:
 *   int ipsec_add_del_tunnel_if_internal (vnet_main_t *vnm,
 *       ipsec_add_del_tunnel_args_t *args, u32 *sw_if_index_p)
 *
 * NOTE(review): this rendered listing has dropped source lines 269-270, 273,
 * 281, 306, 314, 320, 334, 336, 340, 355, 359, 361, 377, 398, 430, 433, 436,
 * 438 and 441-442 (gaps in the gutter numbers).  Presumably these hold the
 * allocation of t, the show-instance check, parts of the SA calls and most of
 * the delete-side teardown - confirm against the real file.  The notes below
 * describe only what is shown.
 */
268 int
271  u32 * sw_if_index_p)
272 {
274  ipsec_main_t *im = &ipsec_main;
275  vnet_hw_interface_t *hi = NULL;
276  u32 hw_if_index = ~0;
277  u32 sw_if_index = ~0;
278  uword *p;
279  u32 dev_instance;
 /* NOTE(review): stack copies of key material; nothing in the visible lines
    clears them before the function returns. */
280  ipsec_key_t crypto_key, integ_key;
282  int rv;
283  int is_ip6 = args->is_ip6;
284  ipsec4_tunnel_key_t key4;
285  ipsec6_tunnel_key_t key6;
286 
 /* Build the lookup key for the address family and probe the matching hash. */
287  if (!is_ip6)
288  {
289  key4.remote_ip.as_u32 = args->remote_ip.ip4.as_u32;
290  key4.spi = clib_host_to_net_u32 (args->remote_spi);
291  p = hash_get (im->ipsec4_if_pool_index_by_key, key4.as_u64);
292  }
293  else
294  {
 /* NOTE(review): key6 is hashed by memory, so this assumes the struct has no
    padding bytes left uninitialised - confirm against its declaration. */
295  key6.remote_ip = args->remote_ip.ip6;
296  key6.spi = clib_host_to_net_u32 (args->remote_spi);
297  p = hash_get_mem (im->ipsec6_if_pool_index_by_key, &key6);
298  }
299 
300  if (args->is_add)
301  {
302  /* check if same src/dst pair exists */
 /* (the key built above is remote IP + remote SPI) */
303  if (p)
304  return VNET_API_ERROR_INVALID_VALUE;
305 
307 
308  dev_instance = t - im->tunnel_interfaces;
309  if (args->renumber)
310  t->show_instance = args->show_instance;
311  else
312  t->show_instance = dev_instance;
313 
315  {
316  pool_put (im->tunnel_interfaces, t);
317  return VNET_API_ERROR_INSTANCE_IN_USE;
318  }
319 
321  dev_instance);
322 
 /* Both SAs of the tunnel share these flags; IS_INBOUND is added for the
    input SA only. */
323  flags = IPSEC_SA_FLAG_IS_TUNNEL;
324  if (args->is_ip6)
325  flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
326  if (args->udp_encap)
327  flags |= IPSEC_SA_FLAG_UDP_ENCAP;
328  if (args->esn)
329  flags |= IPSEC_SA_FLAG_USE_ESN;
330  if (args->anti_replay)
331  flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
332 
333  ipsec_mk_key (&crypto_key,
335  ipsec_mk_key (&integ_key,
337 
 /* Inbound SA: remote SPI, remote address as tunnel source. */
338  rv = ipsec_sa_add_and_lock (ipsec_tun_mk_input_sa_id (dev_instance),
339  args->remote_spi,
341  args->crypto_alg,
342  &crypto_key,
343  args->integ_alg,
344  &integ_key,
345  (flags | IPSEC_SA_FLAG_IS_INBOUND),
346  args->tx_table_id,
347  args->salt,
348  &args->remote_ip,
349  &args->local_ip, &t->input_sa_index);
350 
 /* NOTE(review): this return leaves t allocated; the only pool_put on the add
    path that is visible sits in the INSTANCE_IN_USE branch above. */
351  if (rv)
352  return rv;
353 
354  ipsec_mk_key (&crypto_key,
356  ipsec_mk_key (&integ_key,
357  args->local_integ_key, args->local_integ_key_len);
358 
 /* Outbound SA: local SPI, local address as tunnel source. */
360  args->local_spi,
362  args->crypto_alg,
363  &crypto_key,
364  args->integ_alg,
365  &integ_key,
366  flags,
367  args->tx_table_id,
368  args->salt,
369  &args->local_ip,
370  &args->remote_ip, &t->output_sa_index);
371 
 /* NOTE(review): on failure here the input SA added above stays locked and t
    stays allocated in the visible code. */
372  if (rv)
373  return rv;
374 
375  /* copy the key */
376  if (is_ip6)
378  t - im->tunnel_interfaces);
379  else
380  hash_set (im->ipsec4_if_pool_index_by_key, key4.as_u64,
381  t - im->tunnel_interfaces);
382 
383  hw_if_index = vnet_register_interface (vnm, ipsec_device_class.index,
384  t - im->tunnel_interfaces,
385  ipsec_hw_class.index,
386  t - im->tunnel_interfaces);
387 
388  hi = vnet_get_hw_interface (vnm, hw_if_index);
389  sw_if_index = hi->sw_if_index;
390 
391  t->hw_if_index = hw_if_index;
392  t->sw_if_index = hi->sw_if_index;
393 
394  /* Standard default jumbo MTU. */
395  vnet_sw_interface_set_mtu (vnm, t->sw_if_index, 9000);
396 
397  /* Add the new tunnel to the DB of tunnels per sw_if_index ... */
399  ~0);
400  im->ipsec_if_by_sw_if_index[t->sw_if_index] = dev_instance;
401 
402  ipsec_tunnel_feature_set (im, t, 1);
403 
404  /*1st interface, register protocol */
405  if (pool_elts (im->tunnel_interfaces) == 1)
406  {
407  ip4_register_protocol (IP_PROTOCOL_IPSEC_ESP,
408  ipsec4_if_input_node.index);
409  ip6_register_protocol (IP_PROTOCOL_IPSEC_ESP,
410  ipsec6_if_input_node.index);
411  }
412 
413  }
414  else
415  {
416  u32 ti;
417 
418  /* check if exists */
419  if (!p)
420  return VNET_API_ERROR_INVALID_VALUE;
421 
422  ti = p[0];
423  t = pool_elt_at_index (im->tunnel_interfaces, ti);
424  hi = vnet_get_hw_interface (vnm, t->hw_if_index);
425  sw_if_index = hi->sw_if_index;
426 
 /* Teardown order as shown: admin down, output feature off, lookup key
    removed, tunnel entry returned to the pool. */
427  vnet_sw_interface_set_flags (vnm, hi->sw_if_index, 0); /* admin down */
428 
429  ipsec_tunnel_feature_set (im, t, 0);
431 
432  if (is_ip6)
434  else
435  hash_unset (im->ipsec4_if_pool_index_by_key, key4.as_u64);
437 
439 
440  /* delete input and output SA */
443 
444  pool_put (im->tunnel_interfaces, t);
445  }
446 
447  if (sw_if_index_p)
448  *sw_if_index_p = sw_if_index;
449 
450  return 0;
451 }
452 
/*
 * ipsec_set_interface_sa: replace the inbound (is_outbound == 0) or outbound
 * SA of the tunnel behind hw_if_index with the SA whose id is sa_id.
 *
 * Returns 0 on success, VNET_API_ERROR_NO_SUCH_ENTRY when sa_id is unknown,
 * VNET_API_ERROR_INVALID_VALUE when the new and the old SA differ in
 * IPv4/IPv6 tunnel type, and VNET_API_ERROR_SYSCALL_ERROR_1 when the backend
 * callback fails for the old SA.
 *
 * Signature per the page's index:
 *   int ipsec_set_interface_sa (vnet_main_t *vnm, u32 hw_if_index,
 *       u32 sa_id, u8 is_outbound)
 *
 * NOTE(review): source lines 454, 458-459, 465, 497, 499 and 506 are missing
 * from this listing (signature start, declarations of hi and t, the lookup of
 * t, and the IPv6 hash get/unset/set calls).
 * NOTE(review): nothing in the visible lines checks the new SA with
 * ipsec_check_support_cb or adds a backend session for it - confirm whether
 * that is expected to have happened when the SA was created.
 */
453 int
455  u8 is_outbound)
456 {
457  ipsec_main_t *im = &ipsec_main;
460  ipsec_sa_t *sa, *old_sa;
461  u32 sa_index, old_sa_index;
462  uword *p;
463 
464  hi = vnet_get_hw_interface (vnm, hw_if_index);
466 
 /* Takes a lock on the new SA; every later return should account for it. */
467  sa_index = ipsec_sa_find_and_lock (sa_id);
468 
469  if (INDEX_INVALID == sa_index)
470  {
471  clib_warning ("SA with ID %u not found", sa_id);
472  return VNET_API_ERROR_NO_SUCH_ENTRY;
473  }
474 
475  sa = pool_elt_at_index (im->sad, sa_index);
476 
477  if (!is_outbound)
478  {
479  old_sa_index = t->input_sa_index;
480  old_sa = pool_elt_at_index (im->sad, old_sa_index);
481 
 /* Reject a swap that would change the tunnel's address family. */
482  if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ^
483  ipsec_sa_is_set_IS_TUNNEL_V6 (old_sa))
484  {
485  clib_warning ("IPsec interface SA endpoints type can't be changed");
 /* NOTE(review): returns without ipsec_sa_unlock (sa_index), so the lock
    taken by ipsec_sa_find_and_lock above is not released on this path. */
486  return VNET_API_ERROR_INVALID_VALUE;
487  }
488 
489  if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
490  {
491  ipsec6_tunnel_key_t key;
492 
493  /* unset old inbound hash entry. packets should stop arriving */
494  key.remote_ip = old_sa->tunnel_src_addr.ip6;
495  key.spi = clib_host_to_net_u32 (old_sa->spi);
496 
498  if (p)
500 
501  /* set new inbound SA, then set new hash entry */
502  t->input_sa_index = sa_index;
503  key.remote_ip = sa->tunnel_src_addr.ip6;
504  key.spi = clib_host_to_net_u32 (sa->spi);
505 
507  hi->dev_instance);
508  }
509  else
510  {
511  ipsec4_tunnel_key_t key;
512 
513  /* unset old inbound hash entry. packets should stop arriving */
514  key.remote_ip.as_u32 = old_sa->tunnel_src_addr.ip4.as_u32;
515  key.spi = clib_host_to_net_u32 (old_sa->spi);
516 
517  p = hash_get (im->ipsec4_if_pool_index_by_key, key.as_u64);
518  if (p)
519  hash_unset (im->ipsec4_if_pool_index_by_key, key.as_u64);
520 
521  /* set new inbound SA, then set new hash entry */
522  t->input_sa_index = sa_index;
523  key.remote_ip.as_u32 = sa->tunnel_src_addr.ip4.as_u32;
524  key.spi = clib_host_to_net_u32 (sa->spi);
525 
 /* NOTE(review): an existing entry for the new key is overwritten without a
    check in the visible lines. */
526  hash_set (im->ipsec4_if_pool_index_by_key, key.as_u64,
527  hi->dev_instance);
528  }
529  }
530  else
531  {
532  old_sa_index = t->output_sa_index;
533  old_sa = pool_elt_at_index (im->sad, old_sa_index);
534 
535  if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ^
536  ipsec_sa_is_set_IS_TUNNEL_V6 (old_sa))
537  {
538  clib_warning ("IPsec interface SA endpoints type can't be changed");
 /* NOTE(review): same as the inbound case - the new SA stays locked. */
539  return VNET_API_ERROR_INVALID_VALUE;
540  }
541 
542  /*
543  * re-enable the feature to get the new SA in
544  * the workers are stopped so no packets are sent in the clear
545  */
 /* NOTE(review): nothing in this function stops the workers; the comment
    above relies on the caller's context - confirm. */
546  ipsec_tunnel_feature_set (im, t, 0);
547  t->output_sa_index = sa_index;
548  ipsec_tunnel_feature_set (im, t, 1);
549  }
550 
551  /* remove sa_id to sa_index mapping on old SA */
552  hash_unset (im->sa_index_by_sa_id, old_sa->id);
553 
554  if (ipsec_add_del_sa_sess_cb (im, old_sa_index, 0))
555  {
556  clib_warning ("IPsec backend add/del callback returned error");
 /* NOTE(review): the tunnel already points at the new SA here, and the old SA
    is neither unlocked nor re-mapped by id on this path. */
557  return VNET_API_ERROR_SYSCALL_ERROR_1;
558  }
559 
560  ipsec_sa_unlock (old_sa_index);
561 
562  return 0;
563 }
564 
/*
 * ipsec_tunnel_if_init: set up the lookup hashes used by IPsec tunnel
 * interfaces, add the "esp4-no-crypto" and "esp6-no-crypto" features on the
 * ip4/ip6 output arcs, and make one more registration that ends with
 * ipsec4_if_input_node.index.  Returns 0.
 *
 * Signature per the page's index:
 *   clib_error_t *ipsec_tunnel_if_init (vlib_main_t *vm)
 *
 * NOTE(review): source lines 566, 571, 574, 582, 584 and 586 are missing from
 * this listing (signature, the left-hand sides of both key hashes, the
 * out-index arguments of ipsec_add_feature and the start of the last call).
 * The last call's arguments match udp_register_dst_port as shown in the
 * page's index - confirm.
 */
565 clib_error_t *
567 {
568  ipsec_main_t *im = &ipsec_main;
569 
570  /* initialize the ipsec-if ip4 hash */
 /* NOTE(review): the page's index shows hash_create (elts, value_bytes), so
    the key type's size is being passed as the value size here; presumably
    harmless while both are 8 bytes - confirm. */
572  hash_create (0, sizeof (ipsec4_tunnel_key_t));
573  /* initialize the ipsec-if ip6 hash */
575  sizeof
576  (ipsec6_tunnel_key_t),
577  sizeof (uword));
578  im->ipsec_if_real_dev_by_show_dev = hash_create (0, sizeof (uword));
579 
580  /* set up feature nodes to drop outbound packets with no crypto alg set */
581  ipsec_add_feature ("ip4-output", "esp4-no-crypto",
583  ipsec_add_feature ("ip6-output", "esp6-no-crypto",
585 
587  UDP_DST_PORT_ipsec, ipsec4_if_input_node.index, 1);
588  return 0;
589 }
590 
592 
593 
594 /*
595  * fd.io coding-style-patch-verification: ON
596  *
597  * Local Variables:
598  * eval: (c-set-style "gnu")
599  * End:
600  */
vmrglw vmrglh hi
static u32 ipsec_tun_mk_output_sa_id(u32 ti)
Definition: ipsec_if.c:228
#define hash_set(h, key, value)
Definition: hash.h:255
u32 flags
Definition: vhost_user.h:141
ipsec_tunnel_if_t * tunnel_interfaces
Definition: ipsec.h:102
ip46_address_t tunnel_src_addr
Definition: ipsec_sa.h:154
#define hash_unset(h, key)
Definition: hash.h:261
u8 vnet_get_feature_arc_index(const char *s)
Definition: feature.c:169
a
Definition: bitmap.h:538
void ip6_register_protocol(u32 protocol, u32 node_index)
Definition: ip6_forward.c:1581
vnet_main_t * vnet_get_main(void)
Definition: misc.c:46
uword * ipsec4_if_pool_index_by_key
Definition: ipsec.h:114
ip46_address_t local_ip
Definition: ipsec_if.h:38
void adj_midchain_delegate_stack(adj_index_t ai, u32 fib_index, const fib_prefix_t *pfx)
create/attach a midchain delegate and stack it on the prefix passed
vnet_link_t adj_get_link_type(adj_index_t ai)
Return the link type of the adjacency.
Definition: adj.c:497
IP unicast adjacency.
Definition: adj.h:221
int ipsec_set_interface_sa(vnet_main_t *vnm, u32 hw_if_index, u32 sa_id, u8 is_outbound)
Definition: ipsec_if.c:454
ipsec_integ_alg_t integ_alg
Definition: ipsec_sa.h:150
static vnet_hw_interface_t * vnet_get_hw_interface(vnet_main_t *vnm, u32 hw_if_index)
static void ipsec_if_update_adj(vnet_main_t *vnm, u32 sw_if_index, adj_index_t ai)
Definition: ipsec_if.c:176
int ipsec_add_del_tunnel_if(ipsec_add_del_tunnel_args_t *args)
Definition: ipsec_if.c:214
static adj_walk_rc_t ipsec_if_adj_walk_cb(adj_index_t ai, void *ctx)
Call back when restacking all adjacencies on a IPSec interface.
Definition: ipsec_if.c:90
VNET_DEVICE_CLASS(ipsec_device_class)
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:424
u8 data[128]
Definition: ipsec.api:251
void ip4_register_protocol(u32 protocol, u32 node_index)
Definition: ip4_forward.c:1865
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
Definition: ipsec_sa.c:56
unsigned char u8
Definition: types.h:56
enum fib_protocol_t_ fib_protocol_t
Protocol Type.
clib_error_t * ipsec_tunnel_if_init(vlib_main_t *vm)
Definition: ipsec_if.c:566
vl_api_key_t crypto_key
Definition: ipsec.api:279
static ip_adjacency_t * adj_get(adj_index_t adj_index)
Get a pointer to an adjacency object from its index.
Definition: adj.h:433
uword * ipsec6_if_pool_index_by_key
Definition: ipsec.h:115
vl_api_interface_index_t sw_if_index
Definition: gre.api:50
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:173
ipsec_main_t ipsec_main
Definition: ipsec.c:28
enum adj_walk_rc_t_ adj_walk_rc_t
return codes from a adjacency walker callback function
int vnet_feature_enable_disable_with_index(u8 arc_index, u32 feature_index, u32 sw_if_index, int enable_disable, void *feature_config, u32 n_feature_config_bytes)
Definition: feature.c:223
uword * ipsec_if_by_sw_if_index
Definition: ipsec.h:117
static void ipsec_if_tunnel_stack(adj_index_t ai)
Definition: ipsec_if.c:45
Aggregate type for a prefix.
Definition: fib_types.h:203
unsigned int u32
Definition: types.h:88
u32 esp6_encrypt_tun_feature_index
Definition: ipsec.h:143
u32 vnet_register_interface(vnet_main_t *vnm, u32 dev_class_index, u32 dev_instance, u32 hw_class_index, u32 hw_instance)
Definition: interface.c:762
static clib_error_t * ipsec_admin_up_down_function(vnet_main_t *vnm, u32 hw_if_index, u32 flags)
Definition: ipsec_if.c:112
#define hash_create_mem(elts, key_bytes, value_bytes)
Definition: hash.h:661
#define hash_get(h, key)
Definition: hash.h:249
u32 tx_fib_index
Definition: ipsec_sa.h:160
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:514
u32 sa_id
Definition: ipsec.api:95
index_t ipsec_sa_find_and_lock(u32 id)
Definition: ipsec_sa.c:313
ip46_address_t fp_addr
The address type is not deriveable from the fp_addr member.
Definition: fib_types.h:226
long ctx[MAX_CONNS]
Definition: main.c:144
clib_error_t * ipsec_check_support_cb(ipsec_main_t *im, ipsec_sa_t *sa)
Definition: ipsec.c:89
ip46_address_t remote_ip
Definition: ipsec_if.h:38
#define pool_put(P, E)
Free an object E in pool P.
Definition: pool.h:286
static u8 * ipsec_if_build_rewrite(vnet_main_t *vnm, u32 sw_if_index, vnet_link_t link_type, const void *dst_address)
Definition: ipsec_if.c:168
#define pool_get_aligned_zero(P, E, A)
Allocate an object E from a pool P with alignment A and zero it.
Definition: pool.h:233
static ipsec_sa_t * ipsec_sa_get(u32 sa_index)
Definition: ipsec.h:244
ip46_address_t tunnel_dst_addr
Definition: ipsec_sa.h:155
ipsec_crypto_alg_t crypto_alg
Definition: ipsec_if.h:41
clib_error_t * ipsec_add_del_sa_sess_cb(ipsec_main_t *im, u32 sa_index, u8 is_add)
Definition: ipsec.c:67
static_always_inline uword vlib_get_thread_index(void)
Definition: threads.h:218
u32 esp4_no_crypto_tun_feature_index
Definition: ipsec.h:146
vlib_main_t * vm
Definition: buffer.c:323
void vl_api_rpc_call_main_thread(void *fp, u8 *data, u32 data_length)
Definition: vlib_api.c:608
#define clib_warning(format, args...)
Definition: error.h:59
void adj_nbr_midchain_update_rewrite(adj_index_t adj_index, adj_midchain_fixup_t fixup, const void *fixup_data, adj_flags_t flags, u8 *rewrite)
adj_nbr_midchain_update_rewrite
Definition: adj_midchain.c:532
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
uword * sa_index_by_sa_id
Definition: ipsec.h:113
u8 is_outbound
Definition: ipsec.api:93
u32 adj_index_t
An index for adjacencies.
Definition: adj_types.h:30
uword * ipsec_if_real_dev_by_show_dev
Definition: ipsec.h:116
void adj_nbr_walk(u32 sw_if_index, fib_protocol_t adj_nh_proto, adj_walk_cb_t cb, void *ctx)
Walk the neighbour Adjacencies on a given interface.
Definition: adj_nbr.c:581
static void ipsec_if_tunnel_restack(ipsec_tunnel_if_t *it)
Definition: ipsec_if.c:98
u8 * default_build_rewrite(vnet_main_t *vnm, u32 sw_if_index, vnet_link_t link_type, const void *dst_address)
Return a complete, zero-length (aka dummy) rewrite.
Definition: interface.c:1578
void ipsec_sa_unlock(index_t sai)
Definition: ipsec_sa.c:299
void adj_midchain_delegate_unstack(adj_index_t ai)
unstack a midchain delegate (this stacks it on a drop)
#define hash_create(elts, value_bytes)
Definition: hash.h:696
#define ASSERT(truth)
static int ipsec_add_del_tunnel_if_rpc_callback(ipsec_add_del_tunnel_args_t *a)
Definition: ipsec_if.c:205
vnet_hw_interface_flags_t flags
Definition: ipsec_if.h:28
ipsec_integ_alg_t integ_alg
Definition: ipsec_if.h:46
enum vnet_link_t_ vnet_link_t
Link Type: A description of the protocol of packets on the link.
ipsec_sa_t * sad
Definition: ipsec.h:97
vlib_node_registration_t ipsec4_if_input_node
(constructor) VLIB_REGISTER_NODE (ipsec4_if_input_node)
Definition: ipsec_if_in.c:685
static void ipsec_tunnel_feature_set(ipsec_main_t *im, ipsec_tunnel_if_t *t, u8 enable)
Definition: ipsec_if.c:234
static vlib_main_t * vlib_get_main(void)
Definition: global_funcs.h:23
void vnet_delete_hw_interface(vnet_main_t *vnm, u32 hw_if_index)
Definition: interface.c:974
int ipsec_sa_add_and_lock(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, u32 *sa_out_index)
Definition: ipsec_sa.c:127
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
VNET_HW_INTERFACE_CLASS(ipsec_hw_class)
#define INDEX_INVALID
Invalid index - used when no index is known blazoned capitals INVALID speak volumes where ~0 does not...
Definition: dpo.h:47
clib_error_t * vnet_hw_interface_set_flags(vnet_main_t *vnm, u32 hw_if_index, vnet_hw_interface_flags_t flags)
Definition: interface.c:492
u64 uword
Definition: types.h:112
static void hash_set_mem_alloc(uword **h, void *key, uword v)
Definition: hash.h:279
typedef key
Definition: ipsec.api:247
a point 2 point interface
Definition: interface.h:368
vlib_node_registration_t ipsec6_if_input_node
(constructor) VLIB_REGISTER_NODE (ipsec6_if_input_node)
Definition: ipsec_if_in.c:704
void ipsec_add_feature(const char *arc_name, const char *node_name, u32 *out_feature_index)
Definition: ipsec.c:126
void vnet_sw_interface_set_mtu(vnet_main_t *vnm, u32 sw_if_index, u32 mtu)
Definition: interface.c:664
#define FOR_EACH_FIB_IP_PROTOCOL(_item)
Definition: fib_types.h:70
#define hash_get_mem(h, key)
Definition: hash.h:269
static void hash_unset_mem_free(uword **h, void *key)
Definition: hash.h:295
ipsec_crypto_alg_t crypto_alg
Definition: ipsec_sa.h:146
static u8 * format_ipsec_name(u8 *s, va_list *args)
Definition: ipsec_if.c:31
clib_error_t * vnet_sw_interface_set_flags(vnet_main_t *vnm, u32 sw_if_index, vnet_sw_interface_flags_t flags)
Definition: interface.c:501
u32 esp4_encrypt_tun_feature_index
Definition: ipsec.h:142
static u32 ipsec_tun_mk_input_sa_id(u32 ti)
Definition: ipsec_if.c:222
void udp_register_dst_port(vlib_main_t *vm, udp_dst_port_t dst_port, u32 node_index, u8 is_ip4)
Definition: udp_local.c:468
int ipsec_add_del_tunnel_if_internal(vnet_main_t *vnm, ipsec_add_del_tunnel_args_t *args, u32 *sw_if_index_p)
Definition: ipsec_if.c:269
u32 esp6_no_crypto_tun_feature_index
Definition: ipsec.h:147
#define vec_validate_init_empty(V, I, INIT)
Make sure vector is long enough for given index and initialize empty space (no header, unspecified alignment)
Definition: vec.h:486
#define CLIB_CACHE_LINE_BYTES
Definition: cache.h:59
static uword vnet_hw_interface_is_link_up(vnet_main_t *vnm, u32 hw_if_index)
vl_api_fib_path_nh_proto_t proto
Definition: fib_types.api:125
static uword pool_elts(void *v)
Number of active elements in a pool.
Definition: pool.h:128