29 .stat_segment_name =
"/net/ipsec/sa",
35 u32 sa_index,
int is_add)
58 memset (key, 0,
sizeof (*key));
60 if (len >
sizeof (key->
data))
65 memcpy (key->
data, data, key->
len);
111 ipsec_sa_set_IS_AEAD (sa);
130 if (ipsec_sa_is_set_USE_ESN (sa))
133 if( sa->sync_op_data.crypto_enc_op_id == VNET_CRYPTO_OP_##n##_ENC ) \ 134 sa->async_op_data.crypto_async_enc_op_id = \ 135 VNET_CRYPTO_OP_##n##_TAG16_AAD12_ENC; \ 136 if( sa->sync_op_data.crypto_dec_op_id == VNET_CRYPTO_OP_##n##_DEC ) \ 137 sa->async_op_data.crypto_async_dec_op_id = \ 138 VNET_CRYPTO_OP_##n##_TAG16_AAD12_DEC; 145 if( sa->sync_op_data.crypto_enc_op_id == VNET_CRYPTO_OP_##n##_ENC ) \ 146 sa->async_op_data.crypto_async_enc_op_id = \ 147 VNET_CRYPTO_OP_##n##_TAG16_AAD8_ENC; \ 148 if( sa->sync_op_data.crypto_dec_op_id == VNET_CRYPTO_OP_##n##_DEC ) \ 149 sa->async_op_data.crypto_async_dec_op_id = \ 150 VNET_CRYPTO_OP_##n##_TAG16_AAD8_DEC; 155 #define _(c, h, s, k ,d) \ 156 if( sa->sync_op_data.crypto_enc_op_id == VNET_CRYPTO_OP_##c##_ENC && \ 157 sa->sync_op_data.integ_op_id == VNET_CRYPTO_OP_##h##_HMAC) \ 158 sa->async_op_data.crypto_async_enc_op_id = \ 159 VNET_CRYPTO_OP_##c##_##h##_TAG##d##_ENC; \ 160 if( sa->sync_op_data.crypto_dec_op_id == VNET_CRYPTO_OP_##c##_DEC && \ 161 sa->sync_op_data.integ_op_id == VNET_CRYPTO_OP_##h##_HMAC) \ 162 sa->async_op_data.crypto_async_dec_op_id = \ 163 VNET_CRYPTO_OP_##c##_##h##_TAG##d##_DEC; 180 const ip46_address_t * tun_src,
181 const ip46_address_t * tun_dst,
u32 * sa_out_index,
193 return VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
199 sa_index = sa - im->
sad;
212 if (integ_alg != IPSEC_INTEG_ALG_NONE)
230 return VNET_API_ERROR_KEY_LENGTH;
233 if (integ_alg != IPSEC_INTEG_ALG_NONE)
237 integ_algs[integ_alg].alg,
242 return VNET_API_ERROR_KEY_LENGTH;
247 !ipsec_sa_is_set_IS_AEAD (sa))
264 return VNET_API_ERROR_UNIMPLEMENTED;
271 return VNET_API_ERROR_SYSCALL_ERROR_1;
274 if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
280 .fp_len = (ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ? 128 : 32),
287 return VNET_API_ERROR_NO_SUCH_FIB;
297 if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
309 if (ipsec_sa_is_set_UDP_ENCAP (sa))
321 if (ipsec_sa_is_set_UDP_ENCAP (sa))
329 if (ipsec_sa_is_set_UDP_ENCAP (sa))
341 if (ipsec_sa_is_set_IS_INBOUND (sa))
348 *sa_out_index = sa_index;
360 sa_index = sa - im->
sad;
366 if (ipsec_sa_is_set_UDP_ENCAP (sa) && ipsec_sa_is_set_IS_INBOUND (sa))
369 if (ipsec_sa_is_set_IS_TUNNEL (sa) && !ipsec_sa_is_set_IS_INBOUND (sa))
375 if (sa->
integ_alg != IPSEC_INTEG_ALG_NONE)
436 return VNET_API_ERROR_NO_SUCH_ENTRY;
458 if (WALK_CONTINUE != cb(sa, ctx))
void dpo_stack_from_node(u32 child_node_index, dpo_id_t *dpo, const dpo_id_t *parent)
Stack one DPO object on another, and thus establish a child parent relationship.
union ipsec_sa_t::@433 sync_op_data
fib_node_index_t fib_entry_track(u32 fib_index, const fib_prefix_t *prefix, fib_node_type_t child_type, index_t child_index, u32 *sibling)
Trackers are used on FIB entries by objects that wish to track the changing state of the entry...
static void ipsec_sa_last_lock_gone(fib_node_t *node)
Function definition to inform the FIB node that its last lock has gone.
union ipsec_sa_t::@434 async_op_data
#define hash_set(h, key, value)
ipsec_main_crypto_alg_t * crypto_algs
#define foreach_crypto_link_async_alg
ip46_address_t tunnel_src_addr
void vlib_validate_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
validate a combined counter
#define hash_unset(h, key)
vl_api_wireguard_peer_flags_t flags
void ipsec_unregister_udp_port(u16 port)
void fib_node_init(fib_node_t *node, fib_node_type_t type)
vl_api_ip_port_and_mask_t dst_port
enum fib_node_back_walk_rc_t_ fib_node_back_walk_rc_t
Return code from a back walk function.
void fib_entry_contribute_forwarding(fib_node_index_t fib_entry_index, fib_forward_chain_type_t fct, dpo_id_t *dpo)
static void ipsec_sa_del(ipsec_sa_t *sa)
ipsec_integ_alg_t integ_alg
void ipsec_sa_lock(index_t sai)
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets as they are swit...
void ipsec_sa_clear(index_t sai)
#define STRUCT_OFFSET_OF(t, f)
int ipsec_sa_add_and_lock(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, u32 *sa_out_index, u16 src_port, u16 dst_port)
vnet_crypto_op_id_t integ_op_id
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
enum fib_protocol_t_ fib_protocol_t
Protocol Type.
void fib_node_register_type(fib_node_type_t type, const fib_node_vft_t *vft)
fib_node_register_type
#define clib_memcpy(d, s, n)
vnet_crypto_key_index_t linked_key_index
vnet_crypto_key_index_t crypto_key_index
walk_rc_t(* ipsec_sa_walk_cb_t)(ipsec_sa_t *sa, void *ctx)
static ipsec_sa_t * ipsec_sa_from_fib_node(fib_node_t *node)
void ipsec_sa_walk(ipsec_sa_walk_cb_t cb, void *ctx)
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
#define VLIB_INIT_FUNCTION(x)
#define foreach_crypto_aead_alg
void ipsec_register_udp_port(u16 port)
u32 esp6_encrypt_node_index
Aggregate type for a prefix.
int ipsec_sa_unlock_id(u32 id)
#define IPSEC_CRYPTO_ALG_IS_GCM(_alg)
u32 fib_table_find(fib_protocol_t proto, u32 table_id)
Get the index of the FIB for a Table-ID.
u32 vnet_crypto_key_add(vlib_main_t *vm, vnet_crypto_alg_t alg, u8 *data, u16 length)
The identity of a DPO is a combination of its type and its instance number/index of objects of that t...
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
static void vlib_zero_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
Clear a combined counter: clears the set of per-thread counters.
static_always_inline void ip46_address_copy(ip46_address_t *dst, const ip46_address_t *src)
index_t ipsec_sa_find_and_lock(u32 id)
ip46_address_t fp_addr
The address type is not derivable from the fp_addr member.
void fib_node_lock(fib_node_t *node)
u32 esp4_encrypt_node_index
clib_error_t * ipsec_check_support_cb(ipsec_main_t *im, ipsec_sa_t *sa)
vnet_crypto_op_id_t enc_op_id
void vnet_crypto_key_del(vlib_main_t *vm, vnet_crypto_key_index_t index)
fib_node_index_t fib_entry_index
#define pool_put(P, E)
Free an object E in pool P.
static clib_error_t * ipsec_call_add_del_callbacks(ipsec_main_t *im, ipsec_sa_t *sa, u32 sa_index, int is_add)
#define pool_get_aligned_zero(P, E, A)
Allocate an object E from a pool P with alignment A and zero it.
fib_node_type_t fn_type
The node's type.
A node in the FIB graph.
void fib_node_unlock(fib_node_t *node)
ip46_address_t tunnel_dst_addr
vl_api_ip_port_and_mask_t src_port
void ipsec_sa_set_integ_alg(ipsec_sa_t *sa, ipsec_integ_alg_t integ_alg)
ipsec_ah_backend_t * ah_backends
static fib_node_t * ipsec_sa_fib_node_get(fib_node_index_t index)
Function definition to get a FIB node from its index.
void ipsec_sa_set_async_op_ids(ipsec_sa_t *sa)
static fib_node_back_walk_rc_t ipsec_sa_back_walk(fib_node_t *node, fib_node_back_walk_ctx_t *ctx)
Function definition to backwalk a FIB node.
#define clib_warning(format, args...)
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
uword * sa_index_by_sa_id
u32 fib_node_index_t
A typedef of a node index.
#define ESP_MAX_BLOCK_SIZE
vlib_main_t vlib_node_runtime_t * node
void ipsec_sa_unlock(index_t sai)
Context passed between object during a back walk.
void ipsec_sa_set_crypto_alg(ipsec_sa_t *sa, ipsec_crypto_alg_t crypto_alg)
u8 data[IPSEC_KEY_MAX_LEN]
vnet_crypto_op_id_t op_id
void fib_entry_untrack(fib_node_index_t fei, u32 sibling)
Stop tracking a FIB entry.
u32 ah4_encrypt_node_index
ipsec_main_integ_alg_t * integ_algs
enum fib_forward_chain_type_t_ fib_forward_chain_type_t
FIB output chain type.
static void ipsec_sa_stack(ipsec_sa_t *sa)
'stack' (resolve the recursion for) the SA tunnel destination
ipsec_protocol_t protocol
vnet_crypto_key_index_t integ_key_index
vnet_crypto_alg_t integ_calg
add_del_sa_sess_cb_t add_del_sa_sess_cb
vnet_crypto_op_id_t dec_op_id
static vlib_main_t * vlib_get_main(void)
vnet_crypto_alg_t crypto_calg
u32 vnet_crypto_key_add_linked(vlib_main_t *vm, vnet_crypto_key_index_t index_crypto, vnet_crypto_key_index_t index_integ)
Use two previously created keys to generate a new key for linked algs (cipher + integ). The returned key index is to ...
u32 ah6_encrypt_node_index
#define INDEX_INVALID
Invalid index - used when no index is known; the blazoned capitals INVALID speak volumes where ~0 does not...
#define DPO_INVALID
An initialiser for DPOs declared on the stack.
char * name
The counter collection's name.
vnet_crypto_op_id_t crypto_enc_op_id
A collection of combined counters.
A FIB graph nodes virtual function table.
ipsec_crypto_alg_t crypto_alg
vnet_crypto_async_op_id_t crypto_async_enc_op_id
static u32 vlib_num_workers()
void dpo_reset(dpo_id_t *dpo)
Reset a DPO ID. The DPO will be unlocked.
clib_error_t * ipsec_sa_interface_init(vlib_main_t *vm)
add_del_sa_sess_cb_t add_del_sa_sess_cb
ipsec_esp_backend_t * esp_backends
#define CLIB_CACHE_LINE_BYTES
vnet_crypto_op_id_t crypto_dec_op_id
#define IPSEC_UDP_PORT_NONE
static u16 ip4_header_checksum(ip4_header_t *i)
fib_forward_chain_type_t fib_forw_chain_type_from_fib_proto(fib_protocol_t proto)
Convert from a fib-protocol to a chain type.