29 .stat_segment_name =
"/net/ipsec/sa",
35 u32 sa_index,
int is_add)
58 memset (key, 0,
sizeof (*key));
60 if (len >
sizeof (key->
data))
65 memcpy (key->
data, data, key->
len);
111 ipsec_sa_set_IS_AEAD (sa);
137 const ip46_address_t * tun_src,
138 const ip46_address_t * tun_dst,
u32 * sa_out_index)
149 return VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
155 sa_index = sa - im->
sad;
168 if (integ_alg != IPSEC_INTEG_ALG_NONE)
184 return VNET_API_ERROR_KEY_LENGTH;
187 if (integ_alg != IPSEC_INTEG_ALG_NONE)
191 integ_algs[integ_alg].alg,
196 return VNET_API_ERROR_KEY_LENGTH;
205 return VNET_API_ERROR_UNIMPLEMENTED;
212 return VNET_API_ERROR_SYSCALL_ERROR_1;
215 if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
221 .fp_len = (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ? 128 : 32),
228 return VNET_API_ERROR_NO_SUCH_FIB;
238 if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
250 if (ipsec_sa_is_set_UDP_ENCAP (sa))
262 if (ipsec_sa_is_set_UDP_ENCAP (sa))
270 if (ipsec_sa_is_set_UDP_ENCAP (sa))
279 *sa_out_index = sa_index;
291 sa_index = sa - im->
sad;
297 if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
303 if (sa->
integ_alg != IPSEC_INTEG_ALG_NONE)
364 return VNET_API_ERROR_NO_SUCH_ENTRY;
386 if (WALK_CONTINUE != cb(sa, ctx))
void dpo_stack_from_node(u32 child_node_index, dpo_id_t *dpo, const dpo_id_t *parent)
Stack one DPO object on another, and thus establish a child-parent relationship.
fib_node_index_t fib_entry_track(u32 fib_index, const fib_prefix_t *prefix, fib_node_type_t child_type, index_t child_index, u32 *sibling)
Trackers are used on FIB entries by objects that wish to track the changing state of the entry...
static void ipsec_sa_last_lock_gone(fib_node_t *node)
Function definition to inform the FIB node that its last lock has gone.
#define hash_set(h, key, value)
ipsec_main_crypto_alg_t * crypto_algs
ip46_address_t tunnel_src_addr
void vlib_validate_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
validate a combined counter
#define hash_unset(h, key)
void fib_node_init(fib_node_t *node, fib_node_type_t type)
enum fib_node_back_walk_rc_t_ fib_node_back_walk_rc_t
Return code from a back walk function.
void fib_entry_contribute_forwarding(fib_node_index_t fib_entry_index, fib_forward_chain_type_t fct, dpo_id_t *dpo)
static void ipsec_sa_del(ipsec_sa_t *sa)
ipsec_integ_alg_t integ_alg
void ipsec_sa_lock(index_t sai)
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets as they are swit...
void ipsec_sa_clear(index_t sai)
#define STRUCT_OFFSET_OF(t, f)
vnet_crypto_op_id_t integ_op_id
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
enum fib_protocol_t_ fib_protocol_t
Protocol Type.
void fib_node_register_type(fib_node_type_t type, const fib_node_vft_t *vft)
fib_node_register_type
#define clib_memcpy(d, s, n)
vnet_crypto_key_index_t crypto_key_index
walk_rc_t(* ipsec_sa_walk_cb_t)(ipsec_sa_t *sa, void *ctx)
static ipsec_sa_t * ipsec_sa_from_fib_node(fib_node_t *node)
void ipsec_sa_walk(ipsec_sa_walk_cb_t cb, void *ctx)
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
#define VLIB_INIT_FUNCTION(x)
u32 esp6_encrypt_node_index
Aggregate type for a prefix.
int ipsec_sa_unlock_id(u32 id)
#define IPSEC_CRYPTO_ALG_IS_GCM(_alg)
u32 fib_table_find(fib_protocol_t proto, u32 table_id)
Get the index of the FIB for a Table-ID.
u32 vnet_crypto_key_add(vlib_main_t *vm, vnet_crypto_alg_t alg, u8 *data, u16 length)
The identity of a DPO is a combination of its type and its instance number/index of objects of that t...
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
static void vlib_zero_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
Clear a combined counter. Clears the set of per-thread counters.
static_always_inline void ip46_address_copy(ip46_address_t *dst, const ip46_address_t *src)
index_t ipsec_sa_find_and_lock(u32 id)
ip46_address_t fp_addr
The address type is not derivable from the fp_addr member.
void fib_node_lock(fib_node_t *node)
u32 esp4_encrypt_node_index
clib_error_t * ipsec_check_support_cb(ipsec_main_t *im, ipsec_sa_t *sa)
vnet_crypto_op_id_t enc_op_id
void vnet_crypto_key_del(vlib_main_t *vm, vnet_crypto_key_index_t index)
fib_node_index_t fib_entry_index
#define pool_put(P, E)
Free an object E in pool P.
static clib_error_t * ipsec_call_add_del_callbacks(ipsec_main_t *im, ipsec_sa_t *sa, u32 sa_index, int is_add)
#define pool_get_aligned_zero(P, E, A)
Allocate an object E from a pool P with alignment A and zero it.
fib_node_type_t fn_type
The node's type.
A node in the FIB graph.
void fib_node_unlock(fib_node_t *node)
ip46_address_t tunnel_dst_addr
void ipsec_sa_set_integ_alg(ipsec_sa_t *sa, ipsec_integ_alg_t integ_alg)
ipsec_ah_backend_t * ah_backends
static fib_node_t * ipsec_sa_fib_node_get(fib_node_index_t index)
Function definition to get a FIB node from its index.
static fib_node_back_walk_rc_t ipsec_sa_back_walk(fib_node_t *node, fib_node_back_walk_ctx_t *ctx)
Function definition to backwalk a FIB node.
#define clib_warning(format, args...)
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
uword * sa_index_by_sa_id
u32 fib_node_index_t
A typedef of a node index.
vlib_main_t vlib_node_runtime_t * node
#define ESP_MAX_BLOCK_SIZE
void ipsec_sa_unlock(index_t sai)
Context passed between object during a back walk.
void ipsec_sa_set_crypto_alg(ipsec_sa_t *sa, ipsec_crypto_alg_t crypto_alg)
u8 data[IPSEC_KEY_MAX_LEN]
vnet_crypto_op_id_t op_id
void fib_entry_untrack(fib_node_index_t fei, u32 sibling)
Stop tracking a FIB entry.
u32 ah4_encrypt_node_index
ipsec_main_integ_alg_t * integ_algs
enum fib_forward_chain_type_t_ fib_forward_chain_type_t
FIB output chain type.
static void ipsec_sa_stack(ipsec_sa_t *sa)
'stack' (resolve the recursion for) the SA tunnel destination
ipsec_protocol_t protocol
vnet_crypto_key_index_t integ_key_index
vnet_crypto_alg_t integ_calg
add_del_sa_sess_cb_t add_del_sa_sess_cb
vnet_crypto_op_id_t dec_op_id
static vlib_main_t * vlib_get_main(void)
vnet_crypto_alg_t crypto_calg
u32 ah6_encrypt_node_index
int ipsec_sa_add_and_lock(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, u32 *sa_out_index)
#define INDEX_INVALID
Invalid index - used when no index is known. Blazoned capitals INVALID speak volumes where ~0 does not...
#define DPO_INVALID
An initialiser for DPOs declared on the stack.
char * name
The counter collection's name.
vnet_crypto_op_id_t crypto_enc_op_id
A collection of combined counters.
A FIB graph nodes virtual function table.
ipsec_crypto_alg_t crypto_alg
static u32 vlib_num_workers()
void dpo_reset(dpo_id_t *dpo)
Reset a DPO ID. The DPO will be unlocked.
clib_error_t * ipsec_sa_interface_init(vlib_main_t *vm)
add_del_sa_sess_cb_t add_del_sa_sess_cb
ipsec_esp_backend_t * esp_backends
#define CLIB_CACHE_LINE_BYTES
vnet_crypto_op_id_t crypto_dec_op_id
static u16 ip4_header_checksum(ip4_header_t *i)
fib_forward_chain_type_t fib_forw_chain_type_from_fib_proto(fib_protocol_t proto)
Convert from a fib-protocol to a chain type.