FD.io VPP  v20.01-48-g3e0dafb74
Vector Packet Processing
ipsec_sa.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include <vnet/ipsec/ipsec.h>
17 #include <vnet/ipsec/esp.h>
18 #include <vnet/udp/udp.h>
19 #include <vnet/fib/fib_table.h>
21 #include <vnet/ipsec/ipsec_tun.h>
22 
23 /**
24  * @brief
25  * SA packet & bytes counters
26  */
27 vlib_combined_counter_main_t ipsec_sa_counters = {
28  .name = "SA",
29  .stat_segment_name = "/net/ipsec/sa",
30 };
31 
32 
33 static clib_error_t *
35  u32 sa_index, int is_add)
36 {
39  switch (sa->protocol)
40  {
41  case IPSEC_PROTOCOL_AH:
43  if (ab->add_del_sa_sess_cb)
44  return ab->add_del_sa_sess_cb (sa_index, is_add);
45  break;
46  case IPSEC_PROTOCOL_ESP:
48  if (eb->add_del_sa_sess_cb)
49  return eb->add_del_sa_sess_cb (sa_index, is_add);
50  break;
51  }
52  return 0;
53 }
54 
55 void
57 {
58  memset (key, 0, sizeof (*key));
59 
60  if (len > sizeof (key->data))
61  key->len = sizeof (key->data);
62  else
63  key->len = len;
64 
65  memcpy (key->data, data, key->len);
66 }
67 
68 /**
69  * 'stack' (resolve the recursion for) the SA tunnel destination
70  */
71 static void
73 {
74  ipsec_main_t *im = &ipsec_main;
76  dpo_id_t tmp = DPO_INVALID;
77 
78  fct =
79  fib_forw_chain_type_from_fib_proto ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
82 
84 
85  if (IPSEC_PROTOCOL_AH == sa->protocol)
86  dpo_stack_from_node ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
88  im->ah4_encrypt_node_index), &sa->dpo, &tmp);
89  else
90  dpo_stack_from_node ((ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
92  im->esp4_encrypt_node_index), &sa->dpo, &tmp);
93  dpo_reset (&tmp);
94 }
95 
96 void
98 {
99  ipsec_main_t *im = &ipsec_main;
100  sa->crypto_alg = crypto_alg;
101  sa->crypto_iv_size = im->crypto_algs[crypto_alg].iv_size;
102  sa->crypto_block_size = im->crypto_algs[crypto_alg].block_size;
103  sa->crypto_enc_op_id = im->crypto_algs[crypto_alg].enc_op_id;
104  sa->crypto_dec_op_id = im->crypto_algs[crypto_alg].dec_op_id;
105  sa->crypto_calg = im->crypto_algs[crypto_alg].alg;
108  if (IPSEC_CRYPTO_ALG_IS_GCM (crypto_alg))
109  {
110  sa->integ_icv_size = im->crypto_algs[crypto_alg].icv_size;
111  ipsec_sa_set_IS_AEAD (sa);
112  }
113 }
114 
115 void
117 {
118  ipsec_main_t *im = &ipsec_main;
119  sa->integ_alg = integ_alg;
120  sa->integ_icv_size = im->integ_algs[integ_alg].icv_size;
121  sa->integ_op_id = im->integ_algs[integ_alg].op_id;
122  sa->integ_calg = im->integ_algs[integ_alg].alg;
124 }
125 
126 int
128  u32 spi,
130  ipsec_crypto_alg_t crypto_alg,
131  const ipsec_key_t * ck,
132  ipsec_integ_alg_t integ_alg,
133  const ipsec_key_t * ik,
136  u32 salt,
137  const ip46_address_t * tun_src,
138  const ip46_address_t * tun_dst, u32 * sa_out_index)
139 {
141  ipsec_main_t *im = &ipsec_main;
142  clib_error_t *err;
143  ipsec_sa_t *sa;
144  u32 sa_index;
145  uword *p;
146 
147  p = hash_get (im->sa_index_by_sa_id, id);
148  if (p)
149  return VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
150 
152 
154  fib_node_lock (&sa->node);
155  sa_index = sa - im->sad;
156 
157  vlib_validate_combined_counter (&ipsec_sa_counters, sa_index);
158  vlib_zero_combined_counter (&ipsec_sa_counters, sa_index);
159 
160  sa->id = id;
161  sa->spi = spi;
162  sa->stat_index = sa_index;
163  sa->protocol = proto;
164  sa->flags = flags;
165  sa->salt = salt;
166  sa->encrypt_thread_index = (vlib_num_workers ())? ~0 : 0;
167  sa->decrypt_thread_index = (vlib_num_workers ())? ~0 : 0;
168  if (integ_alg != IPSEC_INTEG_ALG_NONE)
169  {
170  ipsec_sa_set_integ_alg (sa, integ_alg);
171  clib_memcpy (&sa->integ_key, ik, sizeof (sa->integ_key));
172  }
173  ipsec_sa_set_crypto_alg (sa, crypto_alg);
174  clib_memcpy (&sa->crypto_key, ck, sizeof (sa->crypto_key));
175  ip46_address_copy (&sa->tunnel_src_addr, tun_src);
176  ip46_address_copy (&sa->tunnel_dst_addr, tun_dst);
177 
179  im->crypto_algs[crypto_alg].alg,
180  (u8 *) ck->data, ck->len);
181  if (~0 == sa->crypto_key_index)
182  {
183  pool_put (im->sad, sa);
184  return VNET_API_ERROR_KEY_LENGTH;
185  }
186 
187  if (integ_alg != IPSEC_INTEG_ALG_NONE)
188  {
190  im->
191  integ_algs[integ_alg].alg,
192  (u8 *) ik->data, ik->len);
193  if (~0 == sa->integ_key_index)
194  {
195  pool_put (im->sad, sa);
196  return VNET_API_ERROR_KEY_LENGTH;
197  }
198  }
199 
200  err = ipsec_check_support_cb (im, sa);
201  if (err)
202  {
203  clib_warning ("%s", err->what);
204  pool_put (im->sad, sa);
205  return VNET_API_ERROR_UNIMPLEMENTED;
206  }
207 
208  err = ipsec_call_add_del_callbacks (im, sa, sa_index, 1);
209  if (err)
210  {
211  pool_put (im->sad, sa);
212  return VNET_API_ERROR_SYSCALL_ERROR_1;
213  }
214 
215  if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
216  {
217  fib_protocol_t fproto = (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ?
219  fib_prefix_t pfx = {
220  .fp_addr = sa->tunnel_dst_addr,
221  .fp_len = (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ? 128 : 32),
222  .fp_proto = fproto,
223  };
224  sa->tx_fib_index = fib_table_find (fproto, tx_table_id);
225  if (sa->tx_fib_index == ~((u32) 0))
226  {
227  pool_put (im->sad, sa);
228  return VNET_API_ERROR_NO_SUCH_FIB;
229  }
230 
232  &pfx,
234  sa_index, &sa->sibling);
235  ipsec_sa_stack (sa);
236 
237  /* generate header templates */
238  if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
239  {
241  sa->ip6_hdr.hop_limit = 254;
242  sa->ip6_hdr.src_address.as_u64[0] =
243  sa->tunnel_src_addr.ip6.as_u64[0];
244  sa->ip6_hdr.src_address.as_u64[1] =
245  sa->tunnel_src_addr.ip6.as_u64[1];
246  sa->ip6_hdr.dst_address.as_u64[0] =
247  sa->tunnel_dst_addr.ip6.as_u64[0];
248  sa->ip6_hdr.dst_address.as_u64[1] =
249  sa->tunnel_dst_addr.ip6.as_u64[1];
250  if (ipsec_sa_is_set_UDP_ENCAP (sa))
251  sa->ip6_hdr.protocol = IP_PROTOCOL_UDP;
252  else
253  sa->ip6_hdr.protocol = IP_PROTOCOL_IPSEC_ESP;
254  }
255  else
256  {
258  sa->ip4_hdr.ttl = 254;
259  sa->ip4_hdr.src_address.as_u32 = sa->tunnel_src_addr.ip4.as_u32;
260  sa->ip4_hdr.dst_address.as_u32 = sa->tunnel_dst_addr.ip4.as_u32;
261 
262  if (ipsec_sa_is_set_UDP_ENCAP (sa))
263  sa->ip4_hdr.protocol = IP_PROTOCOL_UDP;
264  else
265  sa->ip4_hdr.protocol = IP_PROTOCOL_IPSEC_ESP;
267  }
268  }
269 
270  if (ipsec_sa_is_set_UDP_ENCAP (sa))
271  {
272  sa->udp_hdr.src_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
273  sa->udp_hdr.dst_port = clib_host_to_net_u16 (UDP_DST_PORT_ipsec);
274  }
275 
276  hash_set (im->sa_index_by_sa_id, sa->id, sa_index);
277 
278  if (sa_out_index)
279  *sa_out_index = sa_index;
280 
281  return (0);
282 }
283 
284 static void
286 {
288  ipsec_main_t *im = &ipsec_main;
289  u32 sa_index;
290 
291  sa_index = sa - im->sad;
292  hash_unset (im->sa_index_by_sa_id, sa->id);
293 
294  /* no recovery possible when deleting an SA */
295  (void) ipsec_call_add_del_callbacks (im, sa, sa_index, 0);
296 
297  if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
298  {
300  dpo_reset (&sa->dpo);
301  }
303  if (sa->integ_alg != IPSEC_INTEG_ALG_NONE)
305  pool_put (im->sad, sa);
306 }
307 
308 void
310 {
311  ipsec_main_t *im = &ipsec_main;
312  ipsec_sa_t *sa;
313 
314  if (INDEX_INVALID == sai)
315  return;
316 
317  sa = pool_elt_at_index (im->sad, sai);
318 
319  fib_node_unlock (&sa->node);
320 }
321 
322 void
324 {
325  ipsec_main_t *im = &ipsec_main;
326  ipsec_sa_t *sa;
327 
328  if (INDEX_INVALID == sai)
329  return;
330 
331  sa = pool_elt_at_index (im->sad, sai);
332 
333  fib_node_lock (&sa->node);
334 }
335 
336 index_t
338 {
339  ipsec_main_t *im = &ipsec_main;
340  ipsec_sa_t *sa;
341  uword *p;
342 
343  p = hash_get (im->sa_index_by_sa_id, id);
344 
345  if (!p)
346  return INDEX_INVALID;
347 
348  sa = pool_elt_at_index (im->sad, p[0]);
349 
350  fib_node_lock (&sa->node);
351 
352  return (p[0]);
353 }
354 
355 int
357 {
358  ipsec_main_t *im = &ipsec_main;
359  uword *p;
360 
361  p = hash_get (im->sa_index_by_sa_id, id);
362 
363  if (!p)
364  return VNET_API_ERROR_NO_SUCH_ENTRY;
365 
366  ipsec_sa_unlock (p[0]);
367 
368  return (0);
369 }
370 
371 void
373 {
374  vlib_zero_combined_counter (&ipsec_sa_counters, sai);
375 }
376 
377 void
379 {
380  ipsec_main_t *im = &ipsec_main;
381  ipsec_sa_t *sa;
382 
383  /* *INDENT-OFF* */
384  pool_foreach (sa, im->sad,
385  ({
386  if (WALK_CONTINUE != cb(sa, ctx))
387  break;
388  }));
389  /* *INDENT-ON* */
390 }
391 
392 /**
393  * Function definition to get a FIB node from its index
394  */
395 static fib_node_t *
397 {
398  ipsec_main_t *im;
399  ipsec_sa_t *sa;
400 
401  im = &ipsec_main;
402  sa = pool_elt_at_index (im->sad, index);
403 
404  return (&sa->node);
405 }
406 
407 static ipsec_sa_t *
409 {
411  return ((ipsec_sa_t *) (((char *) node) -
412  STRUCT_OFFSET_OF (ipsec_sa_t, node)));
413 
414 }
415 
416 /**
417  * Function definition to inform the FIB node that its last lock has gone.
418  */
419 static void
421 {
422  /*
423  * The ipsec SA is a root of the graph. As such
424  * it never has children and thus is never locked.
425  */
427 }
428 
429 /**
430  * Function definition to backwalk a FIB node
431  */
434 {
436 
438 }
439 
440 /*
441  * Virtual function table registered by SAs
442  * for participation in the FIB object graph.
443  */
444 const static fib_node_vft_t ipsec_sa_vft = {
446  .fnv_last_lock = ipsec_sa_last_lock_gone,
447  .fnv_back_walk = ipsec_sa_back_walk,
448 };
449 
450 /* force inclusion from application's main.c */
451 clib_error_t *
453 {
455 
456  return 0;
457 }
458 
460 
461 /*
462  * fd.io coding-style-patch-verification: ON
463  *
464  * Local Variables:
465  * eval: (c-set-style "gnu")
466  * End:
467  */
void dpo_stack_from_node(u32 child_node_index, dpo_id_t *dpo, const dpo_id_t *parent)
Stack one DPO object on another, and thus establish a child parent relationship.
Definition: dpo.c:531
u32 spi
fib_node_index_t fib_entry_track(u32 fib_index, const fib_prefix_t *prefix, fib_node_type_t child_type, index_t child_index, u32 *sibling)
Trackers are used on FIB entries by objects that which to track the changing state of the entry...
static void ipsec_sa_last_lock_gone(fib_node_t *node)
Function definition to inform the FIB node that its last lock has gone.
Definition: ipsec_sa.c:420
fib_node_t node
Definition: ipsec_sa.h:143
u8 proto
Definition: acl_types.api:47
#define hash_set(h, key, value)
Definition: hash.h:255
ipsec_main_crypto_alg_t * crypto_algs
Definition: ipsec.h:171
ip46_address_t tunnel_src_addr
Definition: ipsec_sa.h:156
void vlib_validate_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
validate a combined counter
Definition: counter.c:94
#define hash_unset(h, key)
Definition: hash.h:261
ip4_address_t src_address
Definition: ip4_packet.h:170
void fib_node_init(fib_node_t *node, fib_node_type_t type)
Definition: fib_node.c:185
ipsec_integ_alg_t
Definition: ipsec_sa.h:58
u64 as_u64[2]
Definition: ip6_packet.h:51
enum fib_node_back_walk_rc_t_ fib_node_back_walk_rc_t
Return code from a back walk function.
void fib_entry_contribute_forwarding(fib_node_index_t fib_entry_index, fib_forward_chain_type_t fct, dpo_id_t *dpo)
Definition: fib_entry.c:437
ipsec_key_t crypto_key
Definition: ipsec_sa.h:149
static void ipsec_sa_del(ipsec_sa_t *sa)
Definition: ipsec_sa.c:285
ipsec_integ_alg_t integ_alg
Definition: ipsec_sa.h:152
void ipsec_sa_lock(index_t sai)
Definition: ipsec_sa.c:323
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets are they are swit...
Definition: dpo.h:41
ipsec_protocol_t
Definition: ipsec_sa.h:66
void ipsec_sa_clear(index_t sai)
Definition: ipsec_sa.c:372
u32 tx_table_id
#define STRUCT_OFFSET_OF(t, f)
Definition: clib.h:65
u32 ah_current_backend
Definition: ipsec.h:162
u32 esp_current_backend
Definition: ipsec.h:164
vnet_crypto_op_id_t integ_op_id
Definition: ipsec_sa.h:131
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
Definition: ipsec_sa.c:56
ip6_address_t src_address
Definition: ip6_packet.h:307
unsigned char u8
Definition: types.h:56
enum fib_protocol_t_ fib_protocol_t
Protocol Type.
u8 id[64]
Definition: dhcp.api:160
void fib_node_register_type(fib_node_type_t type, const fib_node_vft_t *vft)
fib_node_register_type
Definition: fib_node.c:60
#define clib_memcpy(d, s, n)
Definition: string.h:180
vnet_crypto_alg_t alg
Definition: ipsec.h:87
vnet_crypto_key_index_t crypto_key_index
Definition: ipsec_sa.h:127
walk_rc_t(* ipsec_sa_walk_cb_t)(ipsec_sa_t *sa, void *ctx)
Definition: ipsec_sa.h:223
static ipsec_sa_t * ipsec_sa_from_fib_node(fib_node_t *node)
Definition: ipsec_sa.c:408
void ipsec_sa_walk(ipsec_sa_walk_cb_t cb, void *ctx)
Definition: ipsec_sa.c:378
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
Definition: pool.h:498
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:173
ipsec_main_t ipsec_main
Definition: ipsec.c:28
ip4_address_t dst_address
Definition: ip4_packet.h:170
u32 esp6_encrypt_node_index
Definition: ipsec.h:130
Aggregate type for a prefix.
Definition: fib_types.h:203
int ipsec_sa_unlock_id(u32 id)
Definition: ipsec_sa.c:356
u32 salt
unsigned int u32
Definition: types.h:88
#define IPSEC_CRYPTO_ALG_IS_GCM(_alg)
Definition: ipsec_sa.h:44
u32 fib_table_find(fib_protocol_t proto, u32 table_id)
Get the index of the FIB for a Table-ID.
Definition: fib_table.c:1097
ipsec_sa_flags_t flags
Definition: ipsec_sa.h:112
u32 vnet_crypto_key_add(vlib_main_t *vm, vnet_crypto_alg_t alg, u8 *data, u16 length)
Definition: crypto.c:207
u32 stat_index
Definition: ipsec_sa.h:145
The identity of a DPO is a combination of its type and its instance number/index of objects of that t...
Definition: dpo.h:170
#define ESP_MAX_IV_SIZE
Definition: esp.h:77
#define hash_get(h, key)
Definition: hash.h:249
u32 encrypt_thread_index
Definition: ipsec_sa.h:117
u32 tx_fib_index
Definition: ipsec_sa.h:162
#define ESP_MAX_ICV_SIZE
Definition: esp.h:78
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:519
static void vlib_zero_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
Clear a combined counter Clears the set of per-thread counters.
Definition: counter.h:285
static_always_inline void ip46_address_copy(ip46_address_t *dst, const ip46_address_t *src)
Definition: ip46_address.h:123
index_t ipsec_sa_find_and_lock(u32 id)
Definition: ipsec_sa.c:337
ip46_address_t fp_addr
The address type is not deriveable from the fp_addr member.
Definition: fib_types.h:226
void fib_node_lock(fib_node_t *node)
Definition: fib_node.c:203
long ctx[MAX_CONNS]
Definition: main.c:144
u32 esp4_encrypt_node_index
Definition: ipsec.h:125
u32 salt
Definition: ipsec_sa.h:165
clib_error_t * ipsec_check_support_cb(ipsec_main_t *im, ipsec_sa_t *sa)
Definition: ipsec.c:89
vnet_crypto_op_id_t enc_op_id
Definition: ipsec.h:76
void vnet_crypto_key_del(vlib_main_t *vm, vnet_crypto_key_index_t index)
Definition: crypto.c:233
fib_node_index_t fib_entry_index
Definition: ipsec_sa.h:159
#define pool_put(P, E)
Free an object E in pool P.
Definition: pool.h:287
static clib_error_t * ipsec_call_add_del_callbacks(ipsec_main_t *im, ipsec_sa_t *sa, u32 sa_index, int is_add)
Definition: ipsec_sa.c:34
#define pool_get_aligned_zero(P, E, A)
Allocate an object E from a pool P with alignment A and zero it.
Definition: pool.h:234
fib_node_type_t fn_type
The node&#39;s type.
Definition: fib_node.h:299
An node in the FIB graph.
Definition: fib_node.h:295
void fib_node_unlock(fib_node_t *node)
Definition: fib_node.c:209
vlib_main_t * vm
Definition: in2out_ed.c:1810
u8 len
Definition: ip_types.api:91
ip46_address_t tunnel_dst_addr
Definition: ipsec_sa.h:157
u32 flags
Definition: vhost_user.h:141
void ipsec_sa_set_integ_alg(ipsec_sa_t *sa, ipsec_integ_alg_t integ_alg)
Definition: ipsec_sa.c:116
ipsec_ah_backend_t * ah_backends
Definition: ipsec.h:158
static fib_node_t * ipsec_sa_fib_node_get(fib_node_index_t index)
Function definition to get a FIB node from its index.
Definition: ipsec_sa.c:396
static fib_node_back_walk_rc_t ipsec_sa_back_walk(fib_node_t *node, fib_node_back_walk_ctx_t *ctx)
Function definition to backwalk a FIB node.
Definition: ipsec_sa.c:433
#define clib_warning(format, args...)
Definition: error.h:59
fib_node_get_t fnv_get
Definition: fib_node.h:283
udp_header_t udp_hdr
Definition: ipsec_sa.h:141
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
uword * sa_index_by_sa_id
Definition: ipsec.h:115
u32 fib_node_index_t
A typedef of a node index.
Definition: fib_types.h:30
vlib_main_t vlib_node_runtime_t * node
Definition: in2out_ed.c:1810
#define ESP_MAX_BLOCK_SIZE
Definition: esp.h:76
void ipsec_sa_unlock(index_t sai)
Definition: ipsec_sa.c:309
Context passed between object during a back walk.
Definition: fib_node.h:208
void ipsec_sa_set_crypto_alg(ipsec_sa_t *sa, ipsec_crypto_alg_t crypto_alg)
Definition: ipsec_sa.c:97
u8 data[IPSEC_KEY_MAX_LEN]
Definition: ipsec_sa.h:76
vnet_crypto_op_id_t op_id
Definition: ipsec.h:86
#define ASSERT(truth)
void fib_entry_untrack(fib_node_index_t fei, u32 sibling)
Stop tracking a FIB entry.
u32 ah4_encrypt_node_index
Definition: ipsec.h:128
ipsec_main_integ_alg_t * integ_algs
Definition: ipsec.h:174
u8 data[128]
Definition: ipsec_types.api:87
ip6_header_t ip6_hdr
Definition: ipsec_sa.h:139
ipsec_sa_t * sad
Definition: ipsec.h:102
enum fib_forward_chain_type_t_ fib_forward_chain_type_t
FIB output chain type.
static void ipsec_sa_stack(ipsec_sa_t *sa)
&#39;stack&#39; (resolve the recursion for) the SA tunnel destination
Definition: ipsec_sa.c:72
ipsec_protocol_t protocol
Definition: ipsec_sa.h:146
u32 sibling
Definition: ipsec_sa.h:160
vnet_crypto_key_index_t integ_key_index
Definition: ipsec_sa.h:128
vnet_crypto_alg_t integ_calg
Definition: ipsec_sa.h:154
add_del_sa_sess_cb_t add_del_sa_sess_cb
Definition: ipsec.h:53
vnet_crypto_op_id_t dec_op_id
Definition: ipsec.h:77
static vlib_main_t * vlib_get_main(void)
Definition: global_funcs.h:23
vnet_crypto_alg_t crypto_calg
Definition: ipsec_sa.h:150
typedef key
Definition: ipsec_types.api:83
u32 ip_version_traffic_class_and_flow_label
Definition: ip6_packet.h:294
u32 ah6_encrypt_node_index
Definition: ipsec.h:133
int ipsec_sa_add_and_lock(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, u32 *sa_out_index)
Definition: ipsec_sa.c:127
#define INDEX_INVALID
Invalid index - used when no index is known blazoned capitals INVALID speak volumes where ~0 does not...
Definition: dpo.h:47
u64 uword
Definition: types.h:112
ipsec_crypto_alg_t
Definition: ipsec_sa.h:36
#define DPO_INVALID
An initialiser for DPOs declared on the stack.
Definition: dpo.h:197
char * name
The counter collection&#39;s name.
Definition: counter.h:193
vnet_crypto_op_id_t crypto_enc_op_id
Definition: ipsec_sa.h:129
A collection of combined counters.
Definition: counter.h:188
A FIB graph nodes virtual function table.
Definition: fib_node.h:282
dpo_id_t dpo
Definition: ipsec_sa.h:125
ipsec_crypto_alg_t crypto_alg
Definition: ipsec_sa.h:148
ip4_header_t ip4_hdr
Definition: ipsec_sa.h:138
static u32 vlib_num_workers()
Definition: threads.h:372
void dpo_reset(dpo_id_t *dpo)
reset a DPO ID The DPO will be unlocked.
Definition: dpo.c:232
clib_error_t * ipsec_sa_interface_init(vlib_main_t *vm)
Definition: ipsec_sa.c:452
u8 crypto_block_size
Definition: ipsec_sa.h:115
vnet_crypto_alg_t alg
Definition: ipsec.h:78
add_del_sa_sess_cb_t add_del_sa_sess_cb
Definition: ipsec.h:36
u8 ip_version_and_header_length
Definition: ip4_packet.h:138
ipsec_esp_backend_t * esp_backends
Definition: ipsec.h:160
u8 crypto_iv_size
Definition: ipsec_sa.h:114
#define CLIB_CACHE_LINE_BYTES
Definition: cache.h:59
ipsec_key_t integ_key
Definition: ipsec_sa.h:153
vnet_crypto_op_id_t crypto_dec_op_id
Definition: ipsec_sa.h:130
u8 integ_icv_size
Definition: ipsec_sa.h:116
static u16 ip4_header_checksum(ip4_header_t *i)
Definition: ip4_packet.h:247
u32 decrypt_thread_index
Definition: ipsec_sa.h:118
fib_forward_chain_type_t fib_forw_chain_type_from_fib_proto(fib_protocol_t proto)
Convert from a fib-protocol to a chain type.
Definition: fib_types.c:366
ip6_address_t dst_address
Definition: ip6_packet.h:307