FD.io VPP  v19.08.3-2-gbabecb413
Vector Packet Processing
ipsec_if_in.c
Go to the documentation of this file.
1 /*
2  * ipsec_if_in.c : IPSec interface input node
3  *
4  * Copyright (c) 2015 Cisco and/or its affiliates.
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 
22 #include <vnet/ipsec/ipsec.h>
23 #include <vnet/ipsec/esp.h>
24 #include <vnet/ipsec/ipsec_io.h>
25 #include <vnet/ipsec/ipsec_punt.h>
26 
27 /* Statistics (not really errors) */
28 #define foreach_ipsec_if_input_error \
29 _(RX, "good packets received") \
30 _(DISABLED, "ipsec packets received on disabled interface") \
31 _(NO_TUNNEL, "no matching tunnel") \
32 _(NAT_KEEPALIVE, "NAT Keepalive") \
33 _(TOO_SHORT, "Too Short") \
34 _(SPI_0, "SPI 0")
35 
36 static char *ipsec_if_input_error_strings[] = {
37 #define _(sym,string) string,
39 #undef _
40 };
41 
42 typedef enum
43 {
44 #define _(sym,str) IPSEC_IF_INPUT_ERROR_##sym,
46 #undef _
49 
50 
51 typedef struct
52 {
53  union
54  {
55  ipsec4_tunnel_key_t key4;
56  ipsec6_tunnel_key_t key6;
57  };
61 
62 static u8 *
63 format_ipsec_if_input_trace (u8 * s, va_list * args)
64 {
65  CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
66  CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
67  ipsec_if_input_trace_t *t = va_arg (*args, ipsec_if_input_trace_t *);
68 
69  if (t->is_ip6)
70  s = format (s, "IPSec: %U seq %u",
72  else
73  s = format (s, "IPSec: %U seq %u",
75  return s;
76 }
77 
80  vlib_buffer_t * b,
81  const esp_header_t * esp,
82  const ip4_header_t * ip4, u16 offset)
83 {
84  if (PREDICT_FALSE (0 == esp->spi))
85  {
86  b->error = node->errors[IPSEC_IF_INPUT_ERROR_SPI_0];
87  b->punt_reason =
88  ipsec_punt_reason[(ip4->protocol == IP_PROTOCOL_UDP ?
89  IPSEC_PUNT_IP4_SPI_UDP_0 :
90  IPSEC_PUNT_IP4_NO_SUCH_TUNNEL)];
91  }
92  else
93  {
94  b->error = node->errors[IPSEC_IF_INPUT_ERROR_NO_TUNNEL];
95  b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP4_NO_SUCH_TUNNEL];
96  }
97  vlib_buffer_advance (b, -offset);
98  return IPSEC_INPUT_NEXT_PUNT;
99 }
100 
103  vlib_buffer_t * b,
104  const esp_header_t * esp, u16 offset)
105 {
106  b->error = node->errors[IPSEC_IF_INPUT_ERROR_NO_TUNNEL];
107  b->punt_reason = ipsec_punt_reason[IPSEC_PUNT_IP6_NO_SUCH_TUNNEL];
108 
109  vlib_buffer_advance (b, -offset);
110  return (IPSEC_INPUT_NEXT_PUNT);
111 }
112 
115  vlib_frame_t * from_frame, int is_ip6)
116 {
117  ipsec_main_t *im = &ipsec_main;
118  vnet_main_t *vnm = im->vnet_main;
120 
121  int is_trace = node->flags & VLIB_NODE_FLAG_TRACE;
122  u32 thread_index = vm->thread_index;
123 
124  u32 n_left_from, *from;
125  u16 nexts[VLIB_FRAME_SIZE], *next;
126  vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b;
127 
128  from = vlib_frame_vector_args (from_frame);
129  n_left_from = from_frame->n_vectors;
130 
131  vlib_get_buffers (vm, from, bufs, n_left_from);
132  b = bufs;
133  next = nexts;
134 
135  clib_memset_u16 (nexts, im->esp4_decrypt_next_index, n_left_from);
136 
137  u64 n_bytes = 0, n_packets = 0;
138  u32 n_disabled = 0, n_no_tunnel = 0;
139 
140  u32 last_sw_if_index = ~0;
141  u32 last_tunnel_id = ~0;
142  ipsec4_tunnel_key_t last_key4;
143  ipsec6_tunnel_key_t last_key6;
144 
145  vlib_combined_counter_main_t *rx_counter;
146  vlib_combined_counter_main_t *drop_counter;
147 
148  if (is_ip6)
149  clib_memset (&last_key6, 0xff, sizeof (last_key6));
150  else
151  last_key4.as_u64 = ~0;
152 
155 
156  while (n_left_from >= 2)
157  {
158  u32 sw_if_index0, sw_if_index1;
159  ip4_header_t *ip40, *ip41;
160  ip6_header_t *ip60, *ip61;
161  esp_header_t *esp0, *esp1;
162  u32 len0, len1;
163  u16 buf_adv0, buf_adv1;
164  u16 buf_rewind0, buf_rewind1;
165  u32 tid0, tid1;
166  ipsec_tunnel_if_t *t0, *t1;
167  ipsec4_tunnel_key_t key40, key41;
168  ipsec6_tunnel_key_t key60, key61;
169 
170  if (n_left_from >= 4)
171  {
172  CLIB_PREFETCH (b[2], CLIB_CACHE_LINE_BYTES, STORE);
174  CLIB_PREFETCH (b[3], CLIB_CACHE_LINE_BYTES, STORE);
176  }
177 
178  ip40 =
179  (ip4_header_t *) (b[0]->data + vnet_buffer (b[0])->l3_hdr_offset);
180  ip41 =
181  (ip4_header_t *) (b[1]->data + vnet_buffer (b[1])->l3_hdr_offset);
182 
183  if (is_ip6)
184  {
185  ip60 = (ip6_header_t *) ip40;
186  ip61 = (ip6_header_t *) ip41;
187  esp0 = (esp_header_t *) ((u8 *) ip60 + sizeof (ip6_header_t));
188  esp1 = (esp_header_t *) ((u8 *) ip61 + sizeof (ip6_header_t));
189  buf_adv0 = sizeof (ip6_header_t);
190  buf_adv1 = sizeof (ip6_header_t);
191  }
192  else
193  {
194  /* NAT UDP port 4500 case, don't advance any more */
195  if (ip40->protocol == IP_PROTOCOL_UDP)
196  {
197  esp0 =
198  (esp_header_t *) ((u8 *) ip40 + ip4_header_bytes (ip40) +
199  sizeof (udp_header_t));
200  buf_adv0 = 0;
201  buf_rewind0 = ip4_header_bytes (ip40) + sizeof (udp_header_t);
202  }
203  else
204  {
205  esp0 = (esp_header_t *) ((u8 *) ip40 + ip4_header_bytes (ip40));
206  buf_rewind0 = buf_adv0 = ip4_header_bytes (ip40);
207  }
208  /* NAT UDP port 4500 case, don't advance any more */
209  if (ip41->protocol == IP_PROTOCOL_UDP)
210  {
211  esp1 =
212  (esp_header_t *) ((u8 *) ip41 + ip4_header_bytes (ip41) +
213  sizeof (udp_header_t));
214  buf_adv1 = 0;
215  buf_rewind1 = ip4_header_bytes (ip41) + sizeof (udp_header_t);
216  }
217  else
218  {
219  esp1 = (esp_header_t *) ((u8 *) ip41 + ip4_header_bytes (ip41));
220  buf_rewind1 = buf_adv1 = ip4_header_bytes (ip41);
221  }
222  }
223 
224  vlib_buffer_advance (b[0], buf_adv0);
225  vlib_buffer_advance (b[1], buf_adv1);
226 
227  len0 = vlib_buffer_length_in_chain (vm, b[0]);
228  len1 = vlib_buffer_length_in_chain (vm, b[1]);
229 
230  /* If the packet is too short to contain an SPI, then maybe
231  * it's a keep alive */
232  if (len0 < sizeof (esp_header_t))
233  {
234  if (esp0->spi_bytes[0] == 0xff)
235  b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_NAT_KEEPALIVE];
236  else
237  b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_TOO_SHORT];
238 
239  next[0] = IPSEC_INPUT_NEXT_DROP;
240  goto pkt1;
241  }
242 
243  if (is_ip6)
244  {
245  key60.remote_ip = ip60->src_address;
246  key60.spi = esp0->spi;
247 
248  if (memcmp (&key60, &last_key6, sizeof (last_key6)) == 0)
249  {
250  tid0 = last_tunnel_id;
251  }
252  else
253  {
254  uword *p =
256  if (p)
257  {
258  tid0 = p[0];
259  last_tunnel_id = tid0;
260  clib_memcpy_fast (&last_key6, &key60, sizeof (key60));
261  }
262  else
263  {
264  next[0] =
265  ipsec_ip6_if_no_tunnel (node, b[0], esp0, buf_adv0);
266  n_no_tunnel++;
267  goto pkt1;
268  }
269  }
270  }
271  else /* !is_ip6 */
272  {
273  key40.remote_ip = ip40->src_address;
274  key40.spi = esp0->spi;
275 
276  if (key40.as_u64 == last_key4.as_u64)
277  {
278  tid0 = last_tunnel_id;
279  }
280  else
281  {
282  uword *p =
283  hash_get (im->ipsec4_if_pool_index_by_key, key40.as_u64);
284  if (p)
285  {
286  tid0 = p[0];
287  last_tunnel_id = tid0;
288  last_key4.as_u64 = key40.as_u64;
289  }
290  else
291  {
292  next[0] =
293  ipsec_ip4_if_no_tunnel (node, b[0], esp0, ip40,
294  buf_rewind0);
295  n_no_tunnel++;
296  goto pkt1;
297  }
298  }
299  }
300 
301  t0 = pool_elt_at_index (im->tunnel_interfaces, tid0);
302  vnet_buffer (b[0])->ipsec.sad_index = t0->input_sa_index;
303 
304  if (PREDICT_TRUE (t0->hw_if_index != ~0))
305  {
306  sw_if_index0 = t0->sw_if_index;
307  vnet_buffer (b[0])->sw_if_index[VLIB_RX] = sw_if_index0;
308 
310  {
312  (drop_counter, thread_index, sw_if_index0, 1, len0);
313  n_disabled++;
314  b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_DISABLED];
315  next[0] = IPSEC_INPUT_NEXT_DROP;
316  goto pkt1;
317  }
318 
319  if (PREDICT_TRUE (sw_if_index0 == last_sw_if_index))
320  {
321  n_packets++;
322  n_bytes += len0;
323  }
324  else
325  {
326  if (n_packets)
327  {
329  (rx_counter, thread_index, last_sw_if_index,
330  n_packets, n_bytes);
331  }
332 
333  last_sw_if_index = sw_if_index0;
334  n_packets = 1;
335  n_bytes = len0;
336  }
337  }
338 
339  pkt1:
340 
341  if (len1 < sizeof (esp_header_t))
342  {
343  if (esp0->spi_bytes[0] == 0xff)
344  b[1]->error = node->errors[IPSEC_IF_INPUT_ERROR_NAT_KEEPALIVE];
345  else
346  b[1]->error = node->errors[IPSEC_IF_INPUT_ERROR_TOO_SHORT];
347 
348  next[1] = IPSEC_INPUT_NEXT_DROP;
349  goto trace1;
350  }
351 
352  if (is_ip6)
353  {
354  key61.remote_ip = ip61->src_address;
355  key61.spi = esp1->spi;
356 
357  if (memcmp (&key61, &last_key6, sizeof (last_key6)) == 0)
358  {
359  tid1 = last_tunnel_id;
360  }
361  else
362  {
363  uword *p =
365  if (p)
366  {
367  tid1 = p[0];
368  last_tunnel_id = tid1;
369  clib_memcpy_fast (&last_key6, &key61, sizeof (key61));
370  }
371  else
372  {
373  next[1] =
374  ipsec_ip6_if_no_tunnel (node, b[1], esp1, buf_adv1);
375  n_no_tunnel++;
376  goto trace1;
377  }
378  }
379  }
380  else /* !is_ip6 */
381  {
382  key41.remote_ip = ip41->src_address;
383  key41.spi = esp1->spi;
384 
385  if (key41.as_u64 == last_key4.as_u64)
386  {
387  tid1 = last_tunnel_id;
388  }
389  else
390  {
391  uword *p =
392  hash_get (im->ipsec4_if_pool_index_by_key, key41.as_u64);
393  if (p)
394  {
395  tid1 = p[0];
396  last_tunnel_id = tid1;
397  last_key4.as_u64 = key41.as_u64;
398  }
399  else
400  {
401  next[1] =
402  ipsec_ip4_if_no_tunnel (node, b[1], esp1, ip41,
403  buf_rewind1);
404  n_no_tunnel++;
405  goto trace1;
406  }
407  }
408  }
409 
410  t1 = pool_elt_at_index (im->tunnel_interfaces, tid1);
411  vnet_buffer (b[1])->ipsec.sad_index = t1->input_sa_index;
412 
413  if (PREDICT_TRUE (t1->hw_if_index != ~0))
414  {
415  sw_if_index1 = t1->sw_if_index;
416  vnet_buffer (b[1])->sw_if_index[VLIB_RX] = sw_if_index1;
417 
419  {
421  (drop_counter, thread_index, sw_if_index1, 1, len1);
422  n_disabled++;
423  b[1]->error = node->errors[IPSEC_IF_INPUT_ERROR_DISABLED];
424  next[1] = IPSEC_INPUT_NEXT_DROP;
425  goto trace1;
426  }
427 
428  if (PREDICT_TRUE (sw_if_index1 == last_sw_if_index))
429  {
430  n_packets++;
431  n_bytes += len1;
432  }
433  else
434  {
435  if (n_packets)
436  {
438  (rx_counter, thread_index, last_sw_if_index,
439  n_packets, n_bytes);
440  }
441 
442  last_sw_if_index = sw_if_index1;
443  n_packets = 1;
444  n_bytes = len1;
445  }
446  }
447 
448  trace1:
449  if (PREDICT_FALSE (is_trace))
450  {
451  if (b[0]->flags & VLIB_BUFFER_IS_TRACED)
452  {
454  vlib_add_trace (vm, node, b[0], sizeof (*tr));
455  if (is_ip6)
456  clib_memcpy (&tr->key6, &key60, sizeof (tr->key6));
457  else
458  clib_memcpy (&tr->key4, &key40, sizeof (tr->key4));
459  tr->is_ip6 = is_ip6;
460  tr->seq =
461  len0 >=
462  sizeof (*esp0) ? clib_host_to_net_u32 (esp0->seq) : ~0;
463  }
464  if (b[1]->flags & VLIB_BUFFER_IS_TRACED)
465  {
467  vlib_add_trace (vm, node, b[1], sizeof (*tr));
468  if (is_ip6)
469  clib_memcpy (&tr->key6, &key61, sizeof (tr->key6));
470  else
471  clib_memcpy (&tr->key4, &key41, sizeof (tr->key4));
472  tr->is_ip6 = is_ip6;
473  tr->seq =
474  len1 >=
475  sizeof (*esp1) ? clib_host_to_net_u32 (esp1->seq) : ~0;
476  }
477  }
478 
479  /* next */
480  b += 2;
481  next += 2;
482  n_left_from -= 2;
483  }
484  while (n_left_from > 0)
485  {
486  u32 sw_if_index0;
487  ip4_header_t *ip40;
488  ip6_header_t *ip60;
489  esp_header_t *esp0;
490  u32 len0;
491  u16 buf_adv0, buf_rewind0;
492  u32 tid0;
493  ipsec_tunnel_if_t *t0;
494  ipsec4_tunnel_key_t key40;
495  ipsec6_tunnel_key_t key60;
496 
497  ip40 =
498  (ip4_header_t *) (b[0]->data + vnet_buffer (b[0])->l3_hdr_offset);
499 
500  if (is_ip6)
501  {
502  ip60 = (ip6_header_t *) ip40;
503  esp0 = (esp_header_t *) ((u8 *) ip60 + sizeof (ip6_header_t));
504  buf_adv0 = sizeof (ip6_header_t);
505  }
506  else
507  {
508  /* NAT UDP port 4500 case, don't advance any more */
509  if (ip40->protocol == IP_PROTOCOL_UDP)
510  {
511  esp0 =
512  (esp_header_t *) ((u8 *) ip40 + ip4_header_bytes (ip40) +
513  sizeof (udp_header_t));
514  buf_adv0 = 0;
515  buf_rewind0 = ip4_header_bytes (ip40) + sizeof (udp_header_t);
516  }
517  else
518  {
519  esp0 = (esp_header_t *) ((u8 *) ip40 + ip4_header_bytes (ip40));
520  buf_rewind0 = buf_adv0 = ip4_header_bytes (ip40);
521  }
522  }
523 
524  /* stats for the tunnel include all the data after the IP header
525  just like a norml IP-IP tunnel */
526  vlib_buffer_advance (b[0], buf_adv0);
527  len0 = vlib_buffer_length_in_chain (vm, b[0]);
528 
529  if (len0 < sizeof (esp_header_t))
530  {
531  if (esp0->spi_bytes[0] == 0xff)
532  b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_NAT_KEEPALIVE];
533  else
534  b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_TOO_SHORT];
535 
536  next[0] = IPSEC_INPUT_NEXT_DROP;
537  goto trace00;
538  }
539 
540  if (is_ip6)
541  {
542  key60.remote_ip = ip60->src_address;
543  key60.spi = esp0->spi;
544 
545  if (memcmp (&key60, &last_key6, sizeof (last_key6)) == 0)
546  {
547  tid0 = last_tunnel_id;
548  }
549  else
550  {
551  uword *p =
553  if (p)
554  {
555  tid0 = p[0];
556  last_tunnel_id = tid0;
557  clib_memcpy_fast (&last_key6, &key60, sizeof (key60));
558  }
559  else
560  {
561  next[0] =
562  ipsec_ip6_if_no_tunnel (node, b[0], esp0, buf_adv0);
563  n_no_tunnel++;
564  goto trace00;
565  }
566  }
567  }
568  else /* !is_ip6 */
569  {
570  key40.remote_ip = ip40->src_address;
571  key40.spi = esp0->spi;
572 
573  if (key40.as_u64 == last_key4.as_u64)
574  {
575  tid0 = last_tunnel_id;
576  }
577  else
578  {
579  uword *p =
580  hash_get (im->ipsec4_if_pool_index_by_key, key40.as_u64);
581  if (p)
582  {
583  tid0 = p[0];
584  last_tunnel_id = tid0;
585  last_key4.as_u64 = key40.as_u64;
586  }
587  else
588  {
589  next[0] =
590  ipsec_ip4_if_no_tunnel (node, b[0], esp0, ip40,
591  buf_rewind0);
592  n_no_tunnel++;
593  goto trace00;
594  }
595  }
596  }
597 
598  t0 = pool_elt_at_index (im->tunnel_interfaces, tid0);
599  vnet_buffer (b[0])->ipsec.sad_index = t0->input_sa_index;
600 
601  if (PREDICT_TRUE (t0->hw_if_index != ~0))
602  {
603  sw_if_index0 = t0->sw_if_index;
604  vnet_buffer (b[0])->sw_if_index[VLIB_RX] = sw_if_index0;
605 
607  {
609  (drop_counter, thread_index, sw_if_index0, 1, len0);
610  n_disabled++;
611  b[0]->error = node->errors[IPSEC_IF_INPUT_ERROR_DISABLED];
612  next[0] = IPSEC_INPUT_NEXT_DROP;
613  goto trace00;
614  }
615 
616  if (PREDICT_TRUE (sw_if_index0 == last_sw_if_index))
617  {
618  n_packets++;
619  n_bytes += len0;
620  }
621  else
622  {
623  if (n_packets)
624  {
626  (rx_counter, thread_index, last_sw_if_index,
627  n_packets, n_bytes);
628  }
629 
630  last_sw_if_index = sw_if_index0;
631  n_packets = 1;
632  n_bytes = len0;
633  }
634  }
635 
636  trace00:
637  if (PREDICT_FALSE (is_trace))
638  {
639  if (b[0]->flags & VLIB_BUFFER_IS_TRACED)
640  {
642  vlib_add_trace (vm, node, b[0], sizeof (*tr));
643  if (is_ip6)
644  clib_memcpy (&tr->key6, &key60, sizeof (tr->key6));
645  else
646  clib_memcpy (&tr->key4, &key40, sizeof (tr->key4));
647  tr->is_ip6 = is_ip6;
648  tr->seq =
649  len0 >=
650  sizeof (*esp0) ? clib_host_to_net_u32 (esp0->seq) : ~0;
651  }
652  }
653 
654  /* next */
655  b += 1;
656  next += 1;
657  n_left_from -= 1;
658  }
659 
660  if (n_packets)
661  {
663  thread_index,
664  last_sw_if_index, n_packets, n_bytes);
665  }
666 
668  IPSEC_IF_INPUT_ERROR_RX,
669  from_frame->n_vectors - (n_disabled +
670  n_no_tunnel));
671 
672  vlib_buffer_enqueue_to_next (vm, node, from, nexts, from_frame->n_vectors);
673 
674  return from_frame->n_vectors;
675 }
676 
678  vlib_node_runtime_t * node,
679  vlib_frame_t * from_frame)
680 {
681  return ipsec_if_input_inline (vm, node, from_frame, 0 /* is_ip6 */ );
682 }
683 
684 /* *INDENT-OFF* */
686  .name = "ipsec4-if-input",
687  .vector_size = sizeof (u32),
688  .format_trace = format_ipsec_if_input_trace,
691  .error_strings = ipsec_if_input_error_strings,
692  .sibling_of = "ipsec4-input-feature",
693 };
694 /* *INDENT-ON* */
695 
697  vlib_node_runtime_t * node,
698  vlib_frame_t * from_frame)
699 {
700  return ipsec_if_input_inline (vm, node, from_frame, 1 /* is_ip6 */ );
701 }
702 
703 /* *INDENT-OFF* */
705  .name = "ipsec6-if-input",
706  .vector_size = sizeof (u32),
707  .format_trace = format_ipsec_if_input_trace,
710  .error_strings = ipsec_if_input_error_strings,
711  .sibling_of = "ipsec6-input-feature",
712 };
713 /* *INDENT-ON* */
714 
715 /*
716  * fd.io coding-style-patch-verification: ON
717  *
718  * Local Variables:
719  * eval: (c-set-style "gnu")
720  * End:
721  */
ipsec_if_input_error_t
Definition: ipsec_if_in.c:42
u32 flags
Definition: vhost_user.h:141
#define CLIB_UNUSED(x)
Definition: clib.h:83
ipsec_tunnel_if_t * tunnel_interfaces
Definition: ipsec.h:102
static void vlib_increment_combined_counter(vlib_combined_counter_main_t *cm, u32 thread_index, u32 index, u64 n_packets, u64 n_bytes)
Increment a combined counter.
Definition: counter.h:220
vlib_node_registration_t ipsec4_if_input_node
(constructor) VLIB_REGISTER_NODE (ipsec4_if_input_node)
Definition: ipsec_if_in.c:685
ip4_address_t src_address
Definition: ip4_packet.h:170
uword * ipsec4_if_pool_index_by_key
Definition: ipsec.h:114
vnet_interface_main_t interface_main
Definition: vnet.h:56
#define PREDICT_TRUE(x)
Definition: clib.h:113
unsigned long u64
Definition: types.h:89
#define foreach_ipsec_if_input_error
Definition: ipsec_if_in.c:28
#define clib_memcpy_fast(a, b, c)
Definition: string.h:81
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
u32 thread_index
Definition: main.h:218
static u8 * format_ipsec_if_input_trace(u8 *s, va_list *args)
Definition: ipsec_if_in.c:63
u8 * format_ipsec6_tunnel_key(u8 *s, va_list *args)
Definition: ipsec_format.c:419
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:424
u8 data[128]
Definition: ipsec.api:251
#define VLIB_NODE_FN(node)
Definition: node.h:202
vlib_error_t * errors
Vector of errors for this node.
Definition: node.h:470
static u16 ipsec_ip4_if_no_tunnel(vlib_node_runtime_t *node, vlib_buffer_t *b, const esp_header_t *esp, const ip4_header_t *ip4, u16 offset)
Definition: ipsec_if_in.c:79
static uword vlib_buffer_length_in_chain(vlib_main_t *vm, vlib_buffer_t *b)
Get length in bytes of the buffer chain.
Definition: buffer_funcs.h:366
ip6_address_t src_address
Definition: ip6_packet.h:383
unsigned char u8
Definition: types.h:56
#define clib_memcpy(d, s, n)
Definition: string.h:180
uword * ipsec6_if_pool_index_by_key
Definition: ipsec.h:115
ipsec_main_t ipsec_main
Definition: ipsec.c:28
#define always_inline
Definition: clib.h:99
vlib_combined_counter_main_t * combined_sw_if_counters
Definition: interface.h:846
u32 esp4_decrypt_next_index
Definition: ipsec.h:133
unsigned int u32
Definition: types.h:88
#define VLIB_FRAME_SIZE
Definition: node.h:378
vl_api_fib_path_type_t type
Definition: fib_types.api:123
vlib_error_t error
Error code for buffers to be enqueued to error handler.
Definition: buffer.h:136
#define hash_get(h, key)
Definition: hash.h:249
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:514
vnet_main_t * vnet_main
Definition: ipsec.h:108
unsigned short u16
Definition: types.h:57
#define PREDICT_FALSE(x)
Definition: clib.h:112
static u16 ipsec_ip6_if_no_tunnel(vlib_node_runtime_t *node, vlib_buffer_t *b, const esp_header_t *esp, u16 offset)
Definition: ipsec_if_in.c:102
u32 node_index
Node index.
Definition: node.h:496
static void vlib_node_increment_counter(vlib_main_t *vm, u32 node_index, u32 counter_index, u64 increment)
Definition: node_funcs.h:1150
u32 punt_reason
Definition: buffer.h:149
vlib_punt_reason_t ipsec_punt_reason[IPSEC_PUNT_N_REASONS]
Definition: ipsec_punt.c:23
#define VLIB_REGISTER_NODE(x,...)
Definition: node.h:169
u16 n_vectors
Definition: node.h:397
#define CLIB_PREFETCH(addr, size, type)
Definition: cache.h:80
vlib_main_t * vm
Definition: buffer.c:323
static_always_inline void vlib_buffer_enqueue_to_next(vlib_main_t *vm, vlib_node_runtime_t *node, u32 *buffers, u16 *nexts, uword count)
Definition: buffer_node.h:332
u8 spi_bytes[4]
Definition: esp.h:27
vlib_node_registration_t ipsec6_if_input_node
(constructor) VLIB_REGISTER_NODE (ipsec6_if_input_node)
Definition: ipsec_if_in.c:704
#define ARRAY_LEN(x)
Definition: clib.h:63
ipsec4_tunnel_key_t key4
Definition: ipsec_if_in.c:55
static char * ipsec_if_input_error_strings[]
Definition: ipsec_if_in.c:36
vnet_hw_interface_flags_t flags
Definition: ipsec_if.h:28
ipsec6_tunnel_key_t key6
Definition: ipsec_if_in.c:56
u32 seq
Definition: esp.h:29
static void vlib_buffer_advance(vlib_buffer_t *b, word l)
Advance current data pointer by the supplied (signed!) amount.
Definition: buffer.h:248
u32 spi
Definition: esp.h:26
static void * vlib_add_trace(vlib_main_t *vm, vlib_node_runtime_t *r, vlib_buffer_t *b, u32 n_data_bytes)
Definition: trace_funcs.h:55
static_always_inline void clib_memset_u16(void *p, u16 val, uword count)
Definition: string.h:378
template key/value backing page structure
Definition: bihash_doc.h:44
VLIB buffer representation.
Definition: buffer.h:102
u64 uword
Definition: types.h:112
static uword ipsec_if_input_inline(vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *from_frame, int is_ip6)
Definition: ipsec_if_in.c:114
static void * vlib_frame_vector_args(vlib_frame_t *f)
Get pointer to frame vector data.
Definition: node_funcs.h:244
A collection of combined counters.
Definition: counter.h:188
#define hash_get_mem(h, key)
Definition: hash.h:269
#define vnet_buffer(b)
Definition: buffer.h:365
u16 flags
Copy of main node flags.
Definition: node.h:509
static int ip4_header_bytes(const ip4_header_t *i)
Definition: ip4_packet.h:235
u8 * format_ipsec4_tunnel_key(u8 *s, va_list *args)
Definition: ipsec_format.c:406
static_always_inline void vlib_get_buffers(vlib_main_t *vm, u32 *bi, vlib_buffer_t **b, int count)
Translate array of buffer indices into buffer pointers.
Definition: buffer_funcs.h:244
#define VLIB_NODE_FLAG_TRACE
Definition: node.h:302
#define CLIB_CACHE_LINE_BYTES
Definition: cache.h:59
Definition: defs.h:46