FD.io VPP  v20.01-48-g3e0dafb74
Vector Packet Processing
ipsec_tun.c
Go to the documentation of this file.
1 /*
2  * ipsec_tun.h : IPSEC tunnel protection
3  *
4  * Copyright (c) 2015 Cisco and/or its affiliates.
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 
18 #include <vnet/ipsec/ipsec_tun.h>
19 #include <vnet/ipsec/esp.h>
20 #include <vnet/udp/udp.h>
21 
22 /**
23  * Pool of tunnel protection objects
24  */
26 
27 /**
28  * DB of protected tunnels
29  */
30 typedef struct ipsec_protect_db_t_
31 {
35 
37 
38 static void
40 {
41  u32 sai;
42 
43  sai = itp->itp_out_sa;
44 
45  if (itp->itp_flags & IPSEC_PROTECT_L2)
46  {
47  /* l2-GRE only supported by the vnet ipsec code */
48  vnet_feature_enable_disable ("ethernet-output",
50  "esp4-encrypt-tun" :
51  "esp6-encrypt-tun"),
52  itp->itp_sw_if_index, enable,
53  &sai, sizeof (sai));
54  }
55  else
56  {
57  ipsec_main_t *im;
58  ipsec_sa_t *sa;
59  u32 fi4, fi6;
60 
61  im = &ipsec_main;
62  sa = ipsec_sa_get (sai);
63 
64  if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE &&
65  sa->integ_alg == IPSEC_INTEG_ALG_NONE)
66  {
69  }
70  else
71  {
72  if (ip46_address_is_ip4 (&itp->itp_tun.src))
73  {
74  /* tunnel destination is v4 so we need the Xo4 indexes */
77  }
78  else
79  {
80  /* tunnel destination is v6 so we need the Xo6 indexes */
83  }
84  }
85 
87  (vnet_get_feature_arc_index ("ip4-output"),
88  fi4, itp->itp_sw_if_index, enable, &sai, sizeof (sai));
90  (vnet_get_feature_arc_index ("ip6-output"),
91  fi6, itp->itp_sw_if_index, enable, &sai, sizeof (sai));
92  }
93 }
94 
95 static void
97 {
98  const ipsec_sa_t *sa;
99  u32 sai;
100 
101  /* *INDENT-OFF* */
103  ({
104  sa = ipsec_sa_get (sai);
105 
107  .tun_index = itp - ipsec_protect_pool,
108  .sa_index = sai,
109  };
110 
111  /*
112  * The key is formed from the tunnel's destination
113  * as the packet lookup is done from the packet's source
114  */
115  if (ip46_address_is_ip4 (&itp->itp_crypto.dst))
116  {
117  ipsec4_tunnel_key_t key = {
118  .remote_ip = itp->itp_crypto.dst.ip4,
119  .spi = clib_host_to_net_u32 (sa->spi),
120  };
121  hash_set (im->tun4_protect_by_key, key.as_u64, res.as_u64);
122  if (1 == hash_elts(im->tun4_protect_by_key))
124  UDP_DST_PORT_ipsec,
125  ipsec4_tun_input_node.index, 1);
126  }
127  else
128  {
129  ipsec6_tunnel_key_t key = {
130  .remote_ip = itp->itp_crypto.dst.ip6,
131  .spi = clib_host_to_net_u32 (sa->spi),
132  };
134  }
135  }))
136  /* *INDENT-ON* */
137 }
138 
139 static void
141  const ipsec_tun_protect_t * itp)
142 {
143  const ipsec_sa_t *sa;
144 
145  /* *INDENT-OFF* */
147  ({
148  if (ip46_address_is_ip4 (&itp->itp_crypto.dst))
149  {
150  ipsec4_tunnel_key_t key = {
151  .remote_ip = itp->itp_crypto.dst.ip4,
152  .spi = clib_host_to_net_u32 (sa->spi),
153  };
154  hash_unset (im->tun4_protect_by_key, key.as_u64);
155  if (0 == hash_elts(im->tun4_protect_by_key))
157  UDP_DST_PORT_ipsec,
158  1);
159  }
160  else
161  {
162  ipsec6_tunnel_key_t key = {
163  .remote_ip = itp->itp_crypto.dst.ip6,
164  .spi = clib_host_to_net_u32 (sa->spi),
165  };
167  }
168  }))
169  /* *INDENT-ON* */
170 }
171 
172 static void
174  ipsec_tun_protect_t * itp, u32 sa_out, u32 * sas_in)
175 {
176  ipsec_sa_t *sa;
177  index_t sai;
178  u32 ii;
179 
180  itp->itp_n_sa_in = vec_len (sas_in);
181  for (ii = 0; ii < itp->itp_n_sa_in; ii++)
182  itp->itp_in_sas[ii] = sas_in[ii];
183  itp->itp_out_sa = sa_out;
184 
185  ipsec_sa_lock (itp->itp_out_sa);
186 
187  /* *INDENT-OFF* */
189  ({
190  ipsec_sa_lock(sai);
191  }));
193  ({
194  if (ipsec_sa_is_set_IS_TUNNEL (sa))
195  {
196  itp->itp_crypto.src = sa->tunnel_dst_addr;
197  itp->itp_crypto.dst = sa->tunnel_src_addr;
198  ipsec_sa_set_IS_PROTECT (sa);
200  }
201  else
202  {
203  itp->itp_crypto.src = itp->itp_tun.src;
204  itp->itp_crypto.dst = itp->itp_tun.dst;
206  }
207  }));
208  /* *INDENT-ON* */
209 
210  /*
211  * add to the DB against each SA
212  */
213  ipsec_tun_protect_db_add (im, itp);
214 
215  /*
216  * enable the encrypt feature for egress.
217  */
219 }
220 
221 static void
223 {
224  ipsec_sa_t *sa;
225  index_t sai;
226 
228 
229  /* *INDENT-OFF* */
231  ({
232  ipsec_sa_unset_IS_PROTECT (sa);
233  }));
234 
235  ipsec_tun_protect_db_remove (im, itp);
236 
238 
240  ({
241  ipsec_sa_unlock(sai);
242  }));
243  /* *INDENT-ON* */
244 }
245 
246 index_t
248 {
249  if (vec_len (ipsec_protect_db.tunnels) < sw_if_index)
250  return (INDEX_INVALID);
251 
252  return (ipsec_protect_db.tunnels[sw_if_index]);
253 }
254 
255 int
257 {
258  u32 *sas_in = NULL;
259  int rv;
260 
261  vec_add1 (sas_in, sa_in);
262  rv = ipsec_tun_protect_update (sw_if_index, sa_out, sas_in);
263 
264  return (rv);
265 }
266 
267 int
269 {
270  u32 itpi, *sas_in, sai, *saip;
271  ipsec_tun_protect_t *itp;
272  ipsec_main_t *im;
273  int rv;
274 
275  sas_in = NULL;
276  rv = 0;
277  im = &ipsec_main;
278  vec_validate_init_empty (ipsec_protect_db.tunnels, sw_if_index,
279  INDEX_INVALID);
280  itpi = ipsec_protect_db.tunnels[sw_if_index];
281 
282  if (INDEX_INVALID == itpi)
283  {
284  return (VNET_API_ERROR_INVALID_INTERFACE);
285  }
286 
287  itp = pool_elt_at_index (ipsec_protect_pool, itpi);
288 
289  /* *INDENT-0FF* */
291  {
292  ipsec_sa_lock (sai);
293  vec_add1 (sas_in, sai);
294  }
295  ));
296  /* *INDENT-ON* */
297 
298  sa_out = ipsec_sa_find_and_lock (sa_out);
299 
300  if (~0 == sa_out)
301  {
302  rv = VNET_API_ERROR_INVALID_VALUE;
303  goto out;
304  }
305 
306  ipsec_tun_protect_unconfig (im, itp);
307  ipsec_tun_protect_config (im, itp, sa_out, sas_in);
308 
309  ipsec_sa_unlock (sa_out);
310  vec_foreach (saip, sas_in) ipsec_sa_unlock (*saip);
311 
312 out:
313  vec_free (sas_in);
314  return (rv);
315 }
316 
317 int
319 {
320  u32 itpi, *sas_in, sa_out;
321  ipsec_tun_protect_t *itp;
322  ipsec_main_t *im;
323  int rv;
324 
325  sas_in = NULL;
326  rv = 0;
327  im = &ipsec_main;
328  vec_validate_init_empty (ipsec_protect_db.tunnels, sw_if_index,
329  INDEX_INVALID);
330  itpi = ipsec_protect_db.tunnels[sw_if_index];
331 
332  if (INDEX_INVALID == itpi)
333  {
334  return (VNET_API_ERROR_INVALID_INTERFACE);
335  }
336 
337  sa_in = ipsec_sa_find_and_lock (sa_in);
338 
339  if (~0 == sa_in)
340  {
341  rv = VNET_API_ERROR_INVALID_VALUE;
342  goto out;
343  }
344  vec_add1 (sas_in, sa_in);
345 
346  itp = pool_elt_at_index (ipsec_protect_pool, itpi);
347  sa_out = itp->itp_out_sa;
348 
349  ipsec_sa_lock (sa_out);
350 
351  ipsec_tun_protect_unconfig (im, itp);
352  ipsec_tun_protect_config (im, itp, sa_out, sas_in);
353 
354  ipsec_sa_unlock (sa_out);
355  ipsec_sa_unlock (sa_in);
356 out:
357  vec_free (sas_in);
358  return (rv);
359 }
360 
361 int
363 {
364  ipsec_tun_protect_t *itp;
365  u32 itpi, ii, *saip;
366  ipsec_main_t *im;
367  int rv;
368 
369  rv = 0;
370  im = &ipsec_main;
371  vec_validate_init_empty (ipsec_protect_db.tunnels, sw_if_index,
372  INDEX_INVALID);
373  itpi = ipsec_protect_db.tunnels[sw_if_index];
374 
375  vec_foreach_index (ii, sas_in)
376  {
377  sas_in[ii] = ipsec_sa_find_and_lock (sas_in[ii]);
378  if (~0 == sas_in[ii])
379  {
380  rv = VNET_API_ERROR_INVALID_VALUE;
381  goto out;
382  }
383  }
384 
385  sa_out = ipsec_sa_find_and_lock (sa_out);
386 
387  if (~0 == sa_out)
388  {
389  rv = VNET_API_ERROR_INVALID_VALUE;
390  goto out;
391  }
392 
393  if (INDEX_INVALID == itpi)
394  {
395  vnet_device_class_t *dev_class;
397  vnet_main_t *vnm;
398  u8 is_l2;
399 
400  vnm = vnet_get_main ();
401  hi = vnet_get_sup_hw_interface (vnm, sw_if_index);
402  dev_class = vnet_get_device_class (vnm, hi->dev_class_index);
403 
404  if (NULL == dev_class->ip_tun_desc)
405  {
406  rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
407  goto out;
408  }
409 
410  pool_get_zero (ipsec_protect_pool, itp);
411 
413  ipsec_protect_db.tunnels[sw_if_index] = itp - ipsec_protect_pool;
414  ipsec_protect_db.count++;
415 
416  itp->itp_n_sa_in = vec_len (sas_in);
417  for (ii = 0; ii < itp->itp_n_sa_in; ii++)
418  itp->itp_in_sas[ii] = sas_in[ii];
419  itp->itp_out_sa = sa_out;
420 
421  rv = dev_class->ip_tun_desc (sw_if_index,
422  &itp->itp_tun.src,
423  &itp->itp_tun.dst, &is_l2);
424 
425  if (rv)
426  goto out;
427 
428  if (is_l2)
429  itp->itp_flags |= IPSEC_PROTECT_L2;
430 
431  /*
432  * add to the tunnel DB for ingress
433  * - if the SA is in trasnport mode, then the packates will arrivw
434  * with the IP src,dst of the protected tunnel, in which case we can
435  * simply strip the IP header and hand the payload to the protocol
436  * appropriate input handler
437  * - if the SA is in tunnel mode then there are two IP headers present
438  * one for the crytpo tunnel endpoints (described in the SA) and one
439  * for the tunnel endpoints. The outer IP headers in the srriving
440  * packets will have the crypto endpoints. So the DB needs to contain
441  * the crpto endpoint. Once the crypto header is stripped, revealing,
442  * the tunnel-IP we have 2 choices:
443  * 1) do a tunnel lookup based on the revealed header
444  * 2) skip the tunnel lookup and assume that the packet matches the
445  * one that is protected here.
446  * If we did 1) then we would allow our peer to use the SA for tunnel
447  * X to inject traffic onto tunnel Y, this is not good. If we do 2)
448  * then we don't verify that the peer is indeed using SA for tunnel
449  * X and addressing tunnel X. So we take a compromise, once the SA
450  * matches to tunnel X we veriy that the inner IP matches the value
451  * of the tunnel we are protecting, else it's dropped.
452  */
453  ipsec_tun_protect_config (im, itp, sa_out, sas_in);
454 
455  if (1 == hash_elts (im->tun4_protect_by_key))
456  ip4_register_protocol (IP_PROTOCOL_IPSEC_ESP,
457  ipsec4_tun_input_node.index);
458  if (1 == hash_elts (im->tun6_protect_by_key))
459  ip6_register_protocol (IP_PROTOCOL_IPSEC_ESP,
460  ipsec6_tun_input_node.index);
461  }
462  else
463  {
464  /* updating SAs only */
465  itp = pool_elt_at_index (ipsec_protect_pool, itpi);
466 
467  ipsec_tun_protect_unconfig (im, itp);
468  ipsec_tun_protect_config (im, itp, sa_out, sas_in);
469  }
470 
471  ipsec_sa_unlock (sa_out);
472  vec_foreach (saip, sas_in) ipsec_sa_unlock (*saip);
473  vec_free (sas_in);
474 
475 out:
476  return (rv);
477 }
478 
479 int
481 {
482  ipsec_tun_protect_t *itp;
483  ipsec_main_t *im;
484  index_t itpi;
485 
486  im = &ipsec_main;
487 
488  vec_validate_init_empty (ipsec_protect_db.tunnels, sw_if_index,
489  INDEX_INVALID);
490  itpi = ipsec_protect_db.tunnels[sw_if_index];
491 
492  if (INDEX_INVALID == itpi)
493  return (VNET_API_ERROR_NO_SUCH_ENTRY);
494 
495  itp = ipsec_tun_protect_get (itpi);
496  ipsec_tun_protect_unconfig (im, itp);
497 
498  ipsec_protect_db.tunnels[itp->itp_sw_if_index] = INDEX_INVALID;
499 
500  pool_put (ipsec_protect_pool, itp);
501 
502  if (0 == hash_elts (im->tun4_protect_by_key))
503  ip4_unregister_protocol (IP_PROTOCOL_IPSEC_ESP);
504  if (0 == hash_elts (im->tun6_protect_by_key))
505  ip6_unregister_protocol (IP_PROTOCOL_IPSEC_ESP);
506 
507  return (0);
508 }
509 
510 void
512 {
513  index_t itpi;
514 
515  /* *INDENT-OFF* */
516  pool_foreach_index(itpi, ipsec_protect_pool,
517  ({
518  fn (itpi, ctx);
519  }));
520  /* *INDENT-ON* */
521 }
522 
523 clib_error_t *
525 {
526  ipsec_main_t *im;
527 
528  im = &ipsec_main;
530  sizeof (ipsec6_tunnel_key_t),
531  sizeof (u64));
532  im->tun4_protect_by_key = hash_create (0, sizeof (u64));
533 
534  /* set up feature nodes to drop outbound packets with no crypto alg set */
535  ipsec_add_feature ("ip4-output", "esp4-no-crypto",
537  ipsec_add_feature ("ip6-output", "esp6-no-crypto",
539 
540  return 0;
541 }
542 
544 
545 
546 /*
547  * fd.io coding-style-patch-verification: ON
548  *
549  * Local Variables:
550  * eval: (c-set-style "gnu")
551  * End:
552  */
#define vec_foreach_index(var, v)
Iterate over vector indices.
walk_rc_t(* ipsec_tun_protect_walk_cb_t)(index_t itpi, void *arg)
Definition: ipsec_tun.h:108
#define hash_set(h, key, value)
Definition: hash.h:255
static void ipsec_tun_protect_db_add(ipsec_main_t *im, const ipsec_tun_protect_t *itp)
Definition: ipsec_tun.c:96
ip46_address_t tunnel_src_addr
Definition: ipsec_sa.h:156
uword * tun6_protect_by_key
Definition: ipsec.h:121
#define hash_unset(h, key)
Definition: hash.h:261
u8 vnet_get_feature_arc_index(const char *s)
Definition: feature.c:198
void ip6_register_protocol(u32 protocol, u32 node_index)
Definition: ip6_forward.c:1590
vlib_node_registration_t ipsec6_tun_input_node
(constructor) VLIB_REGISTER_NODE (ipsec6_tun_input_node)
Definition: ipsec_tun_in.c:387
vnet_main_t * vnet_get_main(void)
Definition: misc.c:46
static vnet_hw_interface_t * vnet_get_sup_hw_interface(vnet_main_t *vnm, u32 sw_if_index)
#define pool_get_zero(P, E)
Allocate an object E from a pool P and zero it.
Definition: pool.h:240
void ip6_unregister_protocol(u32 protocol)
Definition: ip6_forward.c:1602
unsigned long u64
Definition: types.h:89
#define NULL
Definition: clib.h:58
DB of protected tunnels.
Definition: ipsec_tun.c:30
ipsec_integ_alg_t integ_alg
Definition: ipsec_sa.h:152
u32 esp46_encrypt_tun_feature_index
Definition: ipsec.h:150
void ipsec_sa_lock(index_t sai)
Definition: ipsec_sa.c:323
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets are they are swit...
Definition: dpo.h:41
#define vec_add1(V, E)
Add 1 element to end of vector (unspecified alignment).
Definition: vec.h:523
#define FOR_EACH_IPSEC_PROTECT_INPUT_SA(_itp, _sa, body)
Definition: ipsec_tun.h:90
struct _vnet_device_class vnet_device_class_t
void ip4_register_protocol(u32 protocol, u32 node_index)
Definition: ip4_forward.c:1866
static ipsec_protect_db_t ipsec_protect_db
Definition: ipsec_tun.c:36
static u8 ip46_address_is_ip4(const ip46_address_t *ip46)
Definition: ip46_address.h:55
void ipsec_tun_protect_walk(ipsec_tun_protect_walk_cb_t fn, void *ctx)
Definition: ipsec_tun.c:511
unsigned char u8
Definition: types.h:56
u32 esp44_encrypt_tun_feature_index
Definition: ipsec.h:148
ip46_address_t src
Definition: ipsec_tun.h:58
vl_api_interface_index_t sw_if_index
Definition: gre.api:59
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:173
ipsec_main_t ipsec_main
Definition: ipsec.c:28
static vnet_device_class_t * vnet_get_device_class(vnet_main_t *vnm, u32 dev_class_index)
static void ipsec_tun_protect_unconfig(ipsec_main_t *im, ipsec_tun_protect_t *itp)
Definition: ipsec_tun.c:222
int vnet_feature_enable_disable_with_index(u8 arc_index, u32 feature_index, u32 sw_if_index, int enable_disable, void *feature_config, u32 n_feature_config_bytes)
Definition: feature.c:252
ipsec_ep_t itp_tun
Definition: ipsec_tun.h:78
unsigned int u32
Definition: types.h:88
u32 sa_in[n_sa_in]
Definition: ipsec.api:245
index_t itp_in_sas[4]
Definition: ipsec_tun.h:70
vlib_node_registration_t ipsec4_tun_input_node
(constructor) VLIB_REGISTER_NODE (ipsec4_tun_input_node)
Definition: ipsec_tun_in.c:364
u32 sa_out
Definition: ipsec.api:243
#define hash_create_mem(elts, key_bytes, value_bytes)
Definition: hash.h:661
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:519
index_t ipsec_sa_find_and_lock(u32 id)
Definition: ipsec_sa.c:337
int ipsec_tun_protect_update_in(u32 sw_if_index, u32 sa_in)
Definition: ipsec_tun.c:318
static void ipsec_tun_protect_feature_set(ipsec_tun_protect_t *itp, u8 enable)
Definition: ipsec_tun.c:39
static void ipsec_tun_protect_config(ipsec_main_t *im, ipsec_tun_protect_t *itp, u32 sa_out, u32 *sas_in)
Definition: ipsec_tun.c:173
long ctx[MAX_CONNS]
Definition: main.c:144
#define pool_put(P, E)
Free an object E in pool P.
Definition: pool.h:287
int ipsec_tun_protect_del(u32 sw_if_index)
Definition: ipsec_tun.c:480
vlib_main_t * vm
Definition: in2out_ed.c:1810
static ipsec_sa_t * ipsec_sa_get(u32 sa_index)
Definition: ipsec.h:273
ip46_address_t tunnel_dst_addr
Definition: ipsec_sa.h:157
static void ipsec_tun_protect_db_remove(ipsec_main_t *im, const ipsec_tun_protect_t *itp)
Definition: ipsec_tun.c:140
u32 esp4_no_crypto_tun_feature_index
Definition: ipsec.h:154
int ipsec_tun_protect_update(u32 sw_if_index, u32 sa_out, u32 *sas_in)
Definition: ipsec_tun.c:362
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:342
clib_error_t * ipsec_tunnel_protect_init(vlib_main_t *vm)
Definition: ipsec_tun.c:524
void udp_unregister_dst_port(vlib_main_t *vm, udp_dst_port_t dst_port, u8 is_ip4)
Definition: udp_local.c:509
#define FOR_EACH_IPSEC_PROTECT_INPUT_SAI(_itp, _sai, body)
Definition: ipsec_tun.h:82
void ipsec_sa_unlock(index_t sai)
Definition: ipsec_sa.c:309
#define hash_create(elts, value_bytes)
Definition: hash.h:696
ip46_address_t dst
Definition: ipsec_tun.h:59
static uword hash_elts(void *v)
Definition: hash.h:118
ipsec_tun_protect_t * ipsec_protect_pool
Pool of tunnel protection objects.
Definition: ipsec_tun.c:25
int ipsec_tun_protect_update_out(u32 sw_if_index, u32 sa_out)
Definition: ipsec_tun.c:268
static ipsec_tun_protect_t * ipsec_tun_protect_get(u32 index)
Definition: ipsec_tun.h:138
u32 esp64_encrypt_tun_feature_index
Definition: ipsec.h:149
static void hash_unset_mem_free(uword **h, const void *key)
Definition: hash.h:295
static vlib_main_t * vlib_get_main(void)
Definition: global_funcs.h:23
vl_api_ip4_address_t hi
Definition: arp.api:37
u32 esp66_encrypt_tun_feature_index
Definition: ipsec.h:151
typedef key
Definition: ipsec_types.api:83
ipsec_ep_t itp_crypto
Definition: ipsec_tun.h:74
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
#define INDEX_INVALID
Invalid index - used when no index is known blazoned capitals INVALID speak volumes where ~0 does not...
Definition: dpo.h:47
int ipsec_tun_protect_update_one(u32 sw_if_index, u32 sa_out, u32 sa_in)
Definition: ipsec_tun.c:256
ipsec_protect_flags_t itp_flags
Definition: ipsec_tun.h:76
void ipsec_add_feature(const char *arc_name, const char *node_name, u32 *out_feature_index)
Definition: ipsec.c:126
ipsec_crypto_alg_t crypto_alg
Definition: ipsec_sa.h:148
index_t ipsec_tun_protect_find(u32 sw_if_index)
Definition: ipsec_tun.c:247
#define vec_foreach(var, vec)
Vector iterator.
static void hash_set_mem_alloc(uword **h, const void *key, uword v)
Definition: hash.h:279
void udp_register_dst_port(vlib_main_t *vm, udp_dst_port_t dst_port, u32 node_index, u8 is_ip4)
Definition: udp_local.c:471
#define pool_foreach_index(i, v, body)
Iterate pool by index.
Definition: pool.h:543
u32 esp6_no_crypto_tun_feature_index
Definition: ipsec.h:155
#define vec_validate_init_empty(V, I, INIT)
Make sure vector is long enough for given index and initialize empty space (no header, unspecified alignment)
Definition: vec.h:487
struct ipsec_protect_db_t_ ipsec_protect_db_t
DB of protected tunnels.
void ip4_unregister_protocol(u32 protocolx)
Definition: ip4_forward.c:1878
int vnet_feature_enable_disable(const char *arc_name, const char *node_name, u32 sw_if_index, int enable_disable, void *feature_config, u32 n_feature_config_bytes)
Definition: feature.c:304
uword * tun4_protect_by_key
Definition: ipsec.h:120