FD.io VPP  v20.09-64-g4f7b92f0a
Vector Packet Processing
ipsec.c
1 /*
2  * ipsec.c : IPSEC module functions
3  *
4  * Copyright (c) 2015 Cisco and/or its affiliates.
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/interface.h>
22 #include <vnet/udp/udp.h>
23 
24 #include <vnet/ipsec/ipsec.h>
25 #include <vnet/ipsec/esp.h>
26 #include <vnet/ipsec/ah.h>
27 
31 
/*
 * AH support check for the built-in "crypto engine backend".
 *
 * The page's cross-reference index names this function
 * ipsec_check_ah_support (ipsec_sa_t *sa); the signature line and listing
 * lines 40 and 42 are missing from this rendering.
 *
 * Returns 0 when the SA can be served, otherwise a clib_error_t built with
 * clib_error_return ().
 */
32 static clib_error_t *
34 {
35  ipsec_main_t *im = &ipsec_main;
36 
  /* AH offers integrity protection only, so an SA with no integrity
   * algorithm would protect nothing; it is refused outright. */
37  if (sa->integ_alg == IPSEC_INTEG_ALG_NONE)
38  return clib_error_return (0, "unsupported none integ-alg");
39 
  /* NOTE(review): the condition guarding this return (listing line 40) is
   * not visible. Presumably it asks the crypto layer whether a handler is
   * registered for the SA's integrity algorithm - confirm in the source. */
41  return clib_error_return (0, "No crypto engine support for %U",
43 
44  return 0;
45 }
46 
/*
 * ESP support check for the built-in "crypto engine backend".
 *
 * The page's cross-reference index names this function
 * ipsec_check_esp_support (ipsec_sa_t *sa); the signature line and listing
 * lines 54, 56, 60 and 62 are missing from this rendering.
 *
 * Returns 0 when the SA can be served, otherwise a clib_error_t.
 *
 * NOTE(review): both checks below are skipped when the corresponding
 * algorithm is NONE, so an ESP SA with neither an integrity nor a crypto
 * algorithm passes this function. Whether such an unprotected SA is refused
 * elsewhere cannot be seen from here - confirm against the SA creation path.
 */
47 static clib_error_t *
49 {
50  ipsec_main_t *im = &ipsec_main;
51 
  /* Integrity algorithm, when one is configured. The test that leads to the
   * error (listing line 54) is not visible. */
52  if (IPSEC_INTEG_ALG_NONE != sa->integ_alg)
53  {
55  return clib_error_return (0, "No crypto engine support for %U",
57  }
  /* Encryption algorithm, when one is configured. The test that leads to the
   * error (listing line 60) is not visible. */
58  if (IPSEC_CRYPTO_ALG_NONE != sa->crypto_alg)
59  {
61  return clib_error_return (0, "No crypto engine support for %U",
63  }
64 
65  return (0);
66 }
67 
/*
 * Tell the AH backend and then the ESP backend that an SA was added
 * (is_add != 0) or removed, through their optional add_del_sa_sess_cb hooks.
 *
 * Returns the first error a hook reports, or 0 when every installed hook
 * succeeds. A backend without a hook is skipped.
 *
 * The return-type line and the right-hand sides of the two backend lookups
 * (listing lines 72 and 80) are missing from this rendering.
 *
 * NOTE(review): the AH hook runs first. If it succeeds and the ESP hook then
 * fails, nothing visible here undoes the AH side, so the caller has to cope
 * with a partially applied add.
 */
69 ipsec_add_del_sa_sess_cb (ipsec_main_t * im, u32 sa_index, u8 is_add)
70 {
71  ipsec_ah_backend_t *ah =
73  if (ah->add_del_sa_sess_cb)
74  {
75  clib_error_t *err = ah->add_del_sa_sess_cb (sa_index, is_add);
76  if (err)
77  return err;
78  }
79  ipsec_esp_backend_t *esp =
81  if (esp->add_del_sa_sess_cb)
82  {
83  clib_error_t *err = esp->add_del_sa_sess_cb (sa_index, is_add);
84  if (err)
85  return err;
86  }
87  return 0;
88 }
89 
/*
 * Ask a backend whether it can serve this SA, using either the AH or the ESP
 * backend's check_support_cb.
 *
 * The page's cross-reference index gives the signature as
 * clib_error_t *ipsec_check_support_cb (ipsec_main_t *im, ipsec_sa_t *sa).
 * The signature lines, the condition that selects the AH branch (listing
 * line 95) and the backend lookups are missing from this rendering.
 *
 * Returns whatever the selected callback returns (0 means supported).
 */
92 {
93  clib_error_t *error = 0;
94 
96  {
97  ipsec_ah_backend_t *ah =
100  error = ah->check_support_cb (sa);
101  }
102  else
103  {
104  ipsec_esp_backend_t *esp =
  /* NOTE(review): the callback pointer is guarded by ASSERT only. If ASSERT
   * is compiled out of production images (confirm for your build), a backend
   * registered with a NULL check_support_cb leads to a NULL call here. */
106  ASSERT (esp->check_support_cb);
107  error = esp->check_support_cb (sa);
108  }
109  return error;
110 }
111 
112 
/**
 * Resolve two graph nodes by name and make the first a next node of the
 * second.
 *
 * @param vm              vlib main
 * @param node_name       name of the node to attach
 * @param prev_node_name  name of the node it is attached to
 * @param out_node_index  receives the index of node_name
 * @param out_next_index  receives the value returned by vlib_node_add_next ()
 *
 * NOTE(review): both lookups are guarded by ASSERT only and their results are
 * dereferenced straight after. If ASSERT is compiled out of production images
 * (confirm for your build), an unknown node name becomes a NULL dereference,
 * so callers must pass names of nodes that are already registered.
 */
static void
ipsec_add_node (vlib_main_t * vm, const char *node_name,
		const char *prev_node_name, u32 * out_node_index,
		u32 * out_next_index)
{
  /* Same lookup order as before: the predecessor first, then the new node. */
  vlib_node_t *parent = vlib_get_node_by_name (vm, (u8 *) prev_node_name);
  ASSERT (parent);

  vlib_node_t *child = vlib_get_node_by_name (vm, (u8 *) node_name);
  ASSERT (child);

  *out_node_index = child->index;
  *out_next_index = vlib_node_add_next (vm, parent->index, child->index);
}
126 
/**
 * Look up the index of a feature node on a named feature arc.
 *
 * @param arc_name           name of the feature arc
 * @param node_name          name of the feature node on that arc
 * @param out_feature_index  receives the result of vnet_get_feature_index ()
 *
 * An unknown arc is caught by ASSERT only; the (u8) ~0 value is then passed
 * on to vnet_get_feature_index () unchanged when assertions are disabled.
 */
void
ipsec_add_feature (const char *arc_name,
		   const char *node_name, u32 * out_feature_index)
{
  u8 arc_index = vnet_get_feature_arc_index (arc_name);

  ASSERT (arc_index != (u8) ~ 0);
  *out_feature_index = vnet_get_feature_index (arc_index, node_name);
}
137 
/*
 * Drop one registration of a UDP port; im->udp_port_registrations holds a
 * per-port registration count.
 *
 * The page's cross-reference index gives the signature as
 * void ipsec_unregister_udp_port (u16 port). The signature line and the
 * statements at listing lines 153-154 and 158 are missing from this
 * rendering.
 *
 * NOTE(review): ASSERT (p) is the only guard against an unregister that has
 * no matching register. If ASSERT is compiled out of production images
 * (confirm for your build), p[0] below dereferences NULL in that case.
 */
138 void
140 {
141  ipsec_main_t *im = &ipsec_main;
142  u32 n_regs;
143  uword *p;
144 
145  p = hash_get (im->udp_port_registrations, port);
146 
147  ASSERT (p);
148 
149  n_regs = p[0];
150 
  /* Last registration gone: the hidden lines presumably release the port
   * (udp_unregister_dst_port / hash_unset both appear in the page's
   * cross-reference index) - confirm in the source. */
151  if (0 == --n_regs)
152  {
155  }
156  else
157  {
  /* Other registrations remain: store the decremented count. */
159  hash_set (im->udp_port_registrations, port, n_regs);
160  }
161 }
162 
/*
 * Add one registration of a UDP port and store the new count in
 * im->udp_port_registrations.
 *
 * The page's cross-reference index gives the signature as
 * void ipsec_register_udp_port (u16 port). The signature line and listing
 * lines 175 and 178 are missing from this rendering.
 */
163 void
165 {
166  ipsec_main_t *im = &ipsec_main;
167  u32 n_regs;
168  uword *p;
169 
170  p = hash_get (im->udp_port_registrations, port);
171 
  /* A port that is not in the hash yet counts as zero registrations. */
172  n_regs = (p ? p[0] : 0);
173 
  /* First registration only: the call whose tail is shown below hands the
   * port to ipsec4_tun_input_node. Its first line is hidden; presumably it
   * is udp_register_dst_port (), whose last argument is is_ip4 - confirm. */
174  if (0 == n_regs++)
176  ipsec4_tun_input_node.index, 1);
177 
179  hash_set (im->udp_port_registrations, port, n_regs);
180 }
181 
/*
 * Register an AH backend: allocate a slot in im->ah_backends, record the
 * backend's name and callbacks, and attach its four encrypt/decrypt nodes to
 * the ipsec4/ipsec6 input and output feature nodes.
 *
 * Returns the new backend's index in the im->ah_backends pool.
 *
 * The first signature line (per the page's cross-reference index:
 * vlib_main_t *vm, ipsec_main_t *im), the declaration of b and the
 * out-parameter lines of every ipsec_add_node () call are missing from this
 * rendering.
 *
 * NOTE(review): the node names come from the registering caller and are
 * resolved inside ipsec_add_node (), which guards the lookups with ASSERT
 * only. Neither callback is checked for NULL here.
 */
182 u32
184  const char *name,
185  const char *ah4_encrypt_node_name,
186  const char *ah4_decrypt_node_name,
187  const char *ah6_encrypt_node_name,
188  const char *ah6_decrypt_node_name,
189  check_support_cb_t ah_check_support_cb,
190  add_del_sa_sess_cb_t ah_add_del_sa_sess_cb)
191 {
193  pool_get (im->ah_backends, b);
  /* "%s%c" with a trailing 0 stores the name with an explicit NUL byte. */
194  b->name = format (0, "%s%c", name, 0);
195 
196  ipsec_add_node (vm, ah4_encrypt_node_name, "ipsec4-output-feature",
198  ipsec_add_node (vm, ah4_decrypt_node_name, "ipsec4-input-feature",
200  ipsec_add_node (vm, ah6_encrypt_node_name, "ipsec6-output-feature",
202  ipsec_add_node (vm, ah6_decrypt_node_name, "ipsec6-input-feature",
204 
205  b->check_support_cb = ah_check_support_cb;
206  b->add_del_sa_sess_cb = ah_add_del_sa_sess_cb;
  /* Pointer difference against the pool base is the backend index. */
207  return b - im->ah_backends;
208 }
209 
/*
 * Register an ESP backend: allocate a slot in im->esp_backends, record the
 * backend's name and callbacks, attach its encrypt/decrypt nodes to the
 * ipsec4/ipsec6 feature and tunnel-input nodes, and look up the two tunnel
 * encrypt nodes by name.
 *
 * Returns the new backend's index in the im->esp_backends pool.
 *
 * The first signature line (per the page's cross-reference index:
 * vlib_main_t *vm, ipsec_main_t *im), the declaration of b, the
 * out-parameter lines of every ipsec_add_node () call and the left-hand
 * sides of the two assignments near the end are missing from this rendering.
 */
210 u32
212  const char *name,
213  const char *esp4_encrypt_node_name,
214  const char *esp4_encrypt_node_tun_name,
215  const char *esp4_decrypt_node_name,
216  const char *esp4_decrypt_tun_node_name,
217  const char *esp6_encrypt_node_name,
218  const char *esp6_encrypt_node_tun_name,
219  const char *esp6_decrypt_node_name,
220  const char *esp6_decrypt_tun_node_name,
221  check_support_cb_t esp_check_support_cb,
222  add_del_sa_sess_cb_t esp_add_del_sa_sess_cb,
223  enable_disable_cb_t enable_disable_cb)
224 {
226 
227  pool_get (im->esp_backends, b);
  /* "%s%c" with a trailing 0 stores the name with an explicit NUL byte. */
228  b->name = format (0, "%s%c", name, 0);
229 
230  ipsec_add_node (vm, esp4_encrypt_node_name, "ipsec4-output-feature",
232  ipsec_add_node (vm, esp4_decrypt_node_name, "ipsec4-input-feature",
234  ipsec_add_node (vm, esp6_encrypt_node_name, "ipsec6-output-feature",
236  ipsec_add_node (vm, esp6_decrypt_node_name, "ipsec6-input-feature",
238  ipsec_add_node (vm, esp4_decrypt_tun_node_name, "ipsec4-tun-input",
241  ipsec_add_node (vm, esp6_decrypt_tun_node_name, "ipsec6-tun-input",
244 
  /* NOTE(review): the two lookups below dereference the result of
   * vlib_get_node_by_name () directly, without even the ASSERT that
   * ipsec_add_node () applies. A tunnel node name that does not resolve is a
   * NULL dereference here; a caller-supplied name deserves an explicit check
   * and an error path. */
246  vlib_get_node_by_name (vm, (u8 *) esp6_encrypt_node_tun_name)->index;
248  vlib_get_node_by_name (vm, (u8 *) esp4_encrypt_node_tun_name)->index;
249 
250  b->check_support_cb = esp_check_support_cb;
251  b->add_del_sa_sess_cb = esp_add_del_sa_sess_cb;
252  b->enable_disable_cb = enable_disable_cb;
253 
  /* Pointer difference against the pool base is the backend index. */
254  return b - im->esp_backends;
255 }
256 
/*
 * Report whether any SA is configured, i.e. whether backend resources are in
 * use.
 *
 * The page's cross-reference index gives the signature as
 * clib_error_t *ipsec_rsc_in_use (ipsec_main_t *im); the signature line is
 * missing from this rendering.
 *
 * Returns NULL when im->sad is empty, otherwise a clib_error_t carrying the
 * SA count.
 *
 * NOTE(review): the result is an error object, not a flag. A caller that
 * only tests it for non-NULL still owns it; presumably clib_error_return ()
 * allocates, so such a caller should free it - confirm. Also, pool_elts ()
 * is listed as returning uword while the format uses "%d" - confirm the
 * conversion is intended.
 */
257 clib_error_t *
259 {
260  /* return an error if crypto resources are in use */
261  if (pool_elts (im->sad) > 0)
262  return clib_error_return (0,
263  "%d SA entries configured",
264  pool_elts (im->sad));
265 
266  return (NULL);
267 }
268 
/*
 * Make backend_idx the active AH backend.
 *
 * The page's cross-reference index gives the signature as
 * int ipsec_select_ah_backend (ipsec_main_t *im, u32 backend_idx). The
 * signature line and listing lines 280-287 are missing from this rendering.
 *
 * Returns 0 on success, VNET_API_ERROR_RSRC_IN_USE while any SA exists, or
 * VNET_API_ERROR_INVALID_VALUE when backend_idx is not an allocated pool
 * entry.
 */
269 int
271 {
  /* Backends may only be swapped while no SA is configured.
   * NOTE(review): the clib_error_t returned by ipsec_rsc_in_use () is used
   * as a boolean and then dropped; if it is heap-allocated (confirm), every
   * refused request leaks it. */
272  if (ipsec_rsc_in_use (im))
273  return VNET_API_ERROR_RSRC_IN_USE;
274 
  /* Validate the index before it is used to address the pool. */
275  if (pool_is_free_index (im->ah_backends, backend_idx))
276  return VNET_API_ERROR_INVALID_VALUE;
277 
278  ipsec_ah_backend_t *b = pool_elt_at_index (im->ah_backends, backend_idx);
279  im->ah_current_backend = backend_idx;
288 
289  return 0;
290 }
291 
/*
 * Make backend_idx the active ESP backend: disable the current backend (if
 * one is selected and has an enable_disable_cb), switch, then enable the new
 * one.
 *
 * The page's cross-reference index gives the signature as
 * int ipsec_select_esp_backend (ipsec_main_t *im, u32 backend_idx). The
 * signature line, the first line of the cb lookup and listing lines 315-328
 * are missing from this rendering.
 *
 * Returns 0 on success, VNET_API_ERROR_RSRC_IN_USE while any SA exists,
 * VNET_API_ERROR_INVALID_VALUE for an unallocated index, or -1 when an
 * enable_disable_cb reports failure.
 *
 * NOTE(review): im->esp_current_backend is updated before the new backend is
 * enabled. When that enable fails, the function returns -1 with the old
 * backend already disabled and the new index already recorded, so the
 * caller is left with a selected backend that is not enabled. Consider
 * enabling first or restoring the previous index on failure. The bare -1
 * is also not one of the VNET_API_ERROR_* codes used above, and
 * enable_disable_cb is listed as returning clib_error_t *, which is tested
 * and dropped here.
 */
292 int
294 {
  /* Backends may only be swapped while no SA is configured. The returned
   * error object is used as a boolean only. */
295  if (ipsec_rsc_in_use (im))
296  return VNET_API_ERROR_RSRC_IN_USE;
297 
  /* Validate the index before it is used to address the pool. */
298  if (pool_is_free_index (im->esp_backends, backend_idx))
299  return VNET_API_ERROR_INVALID_VALUE;
300 
301  /* disable current backend */
302  if (im->esp_current_backend != ~0)
303  {
305  im->esp_current_backend);
306  if (cb->enable_disable_cb)
307  {
308  if ((cb->enable_disable_cb) (0) != 0)
309  return -1;
310  }
311  }
312 
313  ipsec_esp_backend_t *b = pool_elt_at_index (im->esp_backends, backend_idx);
314  im->esp_current_backend = backend_idx;
329 
  /* Enable the newly selected backend, if it provides the hook. */
330  if (b->enable_disable_cb)
331  {
332  if ((b->enable_disable_cb) (1) != 0)
333  return -1;
334  }
335  return 0;
336 }
337 
/*
 * Switch IPsec between synchronous and asynchronous crypto and repoint every
 * SA's crypto_op_data at the matching per-mode data.
 *
 * The page's cross-reference index gives the signature as
 * void ipsec_set_async_mode (u32 is_enabled); the signature line is missing
 * from this rendering.
 *
 * NOTE(review): the "lock" taken here is fib_node_lock () on each SA's node.
 * Nothing visible in this function keeps data-plane workers from reading
 * sa->crypto_op_data while it is being swapped; confirm that callers invoke
 * this with workers stopped or that the swap is otherwise safe.
 */
338 void
340 {
341  ipsec_main_t *im = &ipsec_main;
342  ipsec_sa_t *sa;
343 
344  /* lock all SAs before changing im->async_mode */
345  pool_foreach (sa, im->sad, (
346  {
347  fib_node_lock (&sa->node);
348  }));
349 
350  im->async_mode = is_enabled;
351 
352  /* change each SA's crypto op data before unlocking it */
353  pool_foreach (sa, im->sad, (
354  {
355  sa->crypto_op_data = is_enabled ?
356  sa->async_op_data.data : sa->sync_op_data.data;
357  fib_node_unlock (&sa->node);
358  }));
359 }
360 
/*
 * Register the eight ESP "post" nodes with the crypto layer and store the
 * values returned by vnet_crypto_register_post_node () in the two global
 * tables esp_encrypt_async_next and esp_decrypt_async_next.
 *
 * The page's cross-reference index gives the signature as
 * static void crypto_engine_backend_register_post_node (vlib_main_t *vm).
 * The signature line and the declarations of eit and dit are missing from
 * this rendering.
 */
361 static void
363 {
366 
  /* Encrypt side: IPv4 / IPv6, transport and tunnel variants. */
367  eit = &esp_encrypt_async_next;
368  eit->esp4_post_next =
369  vnet_crypto_register_post_node (vm, "esp4-encrypt-post");
370  eit->esp6_post_next =
371  vnet_crypto_register_post_node (vm, "esp6-encrypt-post");
372  eit->esp4_tun_post_next =
373  vnet_crypto_register_post_node (vm, "esp4-encrypt-tun-post");
374  eit->esp6_tun_post_next =
375  vnet_crypto_register_post_node (vm, "esp6-encrypt-tun-post");
376 
  /* Decrypt side: same four variants. */
377  dit = &esp_decrypt_async_next;
378  dit->esp4_post_next =
379  vnet_crypto_register_post_node (vm, "esp4-decrypt-post");
380  dit->esp6_post_next =
381  vnet_crypto_register_post_node (vm, "esp6-decrypt-post");
382  dit->esp4_tun_post_next =
383  vnet_crypto_register_post_node (vm, "esp4-decrypt-tun-post");
384  dit->esp6_tun_post_next =
385  vnet_crypto_register_post_node (vm, "esp6-decrypt-tun-post");
386 }
387 
/*
 * Module initialisation: set up the lookup hashes, register and select the
 * default "crypto engine backend" for AH and ESP, run the CLI init, fill in
 * the per-algorithm tables (crypto op ids, IV / block / ICV sizes) and
 * default to synchronous crypto.
 *
 * The page's cross-reference index gives the signature as
 * static clib_error_t *ipsec_init (vlib_main_t *vm). The signature line and
 * a number of statements (listing lines 393, 418, 435-436, 446, 449-451,
 * 509-510, 542, the right-hand sides of the *_fq_index assignments, 560-568
 * and 571) are missing from this rendering, so the notes below cover only
 * what is visible.
 *
 * Returns 0 on success or the error from a dependent init function.
 */
388 static clib_error_t *
390 {
391  clib_error_t *error;
392  ipsec_main_t *im = &ipsec_main;
394 
395  /* Backend registration requires the feature arcs to be set up */
396  if ((error = vlib_call_init_function (vm, vnet_feature_init)))
397  return (error);
398 
399  im->vnet_main = vnet_get_main ();
400  im->vlib_main = vm;
401 
402  im->spd_index_by_spd_id = hash_create (0, sizeof (uword));
403  im->sa_index_by_sa_id = hash_create (0, sizeof (uword));
404  im->spd_index_by_sw_if_index = hash_create (0, sizeof (uword));
405 
406  vlib_node_t *node = vlib_get_node_by_name (vm, (u8 *) "error-drop");
407  ASSERT (node);
408  im->error_drop_node_index = node->index;
409 
  /* ~0 is the "no backend selected" marker that ipsec_select_esp_backend ()
   * tests for before disabling a previous backend. */
410  im->ah_current_backend = ~0;
411  im->esp_current_backend = ~0;
412 
  /* Built-in AH backend. The trailing NULL is the add_del_sa_sess_cb
   * argument, i.e. no per-SA session hook. */
413  u32 idx = ipsec_register_ah_backend (vm, im, "crypto engine backend",
414  "ah4-encrypt",
415  "ah4-decrypt",
416  "ah6-encrypt",
417  "ah6-decrypt",
419  NULL);
420 
421  im->ah_default_backend = idx;
  /* NOTE(review): the selection result is checked by ASSERT only; if ASSERT
   * is compiled out of production images (confirm), a failed selection
   * passes silently and init carries on. */
422  int rv = ipsec_select_ah_backend (im, idx);
423  ASSERT (0 == rv);
424  (void) (rv); // avoid warning
425 
  /* Built-in ESP backend, with separate transport and tunnel nodes. */
426  idx = ipsec_register_esp_backend (vm, im, "crypto engine backend",
427  "esp4-encrypt",
428  "esp4-encrypt-tun",
429  "esp4-decrypt",
430  "esp4-decrypt-tun",
431  "esp6-encrypt",
432  "esp6-encrypt-tun",
433  "esp6-decrypt",
434  "esp6-decrypt-tun",
437  im->esp_default_backend = idx;
438 
439  rv = ipsec_select_esp_backend (im, idx);
440  ASSERT (0 == rv);
441  (void) (rv); // avoid warning
442 
443  if ((error = vlib_call_init_function (vm, ipsec_cli_init)))
444  return error;
445 
447 
  /* Encryption algorithm table, indexed by IPSEC_CRYPTO_ALG_*. The
   * declaration of a and the sizing of the table are on hidden lines. */
448  a = im->crypto_algs + IPSEC_CRYPTO_ALG_NONE;
452  a->iv_size = 0;
453  a->block_align = 1;
454 
  /* NOTE(review): DES-CBC and 3DES-CBC are legacy 64-bit block ciphers;
   * RFC 8221 lists DES as MUST NOT and 3DES as SHOULD NOT for ESP. They are
   * made available here, so keeping them out of use is a policy matter for
   * whoever configures SAs. */
455  a = im->crypto_algs + IPSEC_CRYPTO_ALG_DES_CBC;
456  a->enc_op_id = VNET_CRYPTO_OP_DES_CBC_ENC;
457  a->dec_op_id = VNET_CRYPTO_OP_DES_CBC_DEC;
458  a->alg = VNET_CRYPTO_ALG_DES_CBC;
459  a->iv_size = a->block_align = 8;
460 
461  a = im->crypto_algs + IPSEC_CRYPTO_ALG_3DES_CBC;
462  a->enc_op_id = VNET_CRYPTO_OP_3DES_CBC_ENC;
463  a->dec_op_id = VNET_CRYPTO_OP_3DES_CBC_DEC;
464  a->alg = VNET_CRYPTO_ALG_3DES_CBC;
465  a->iv_size = a->block_align = 8;
466 
  /* AES-CBC: the IV size and the block alignment are both 16 bytes. */
467  a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_CBC_128;
468  a->enc_op_id = VNET_CRYPTO_OP_AES_128_CBC_ENC;
469  a->dec_op_id = VNET_CRYPTO_OP_AES_128_CBC_DEC;
470  a->alg = VNET_CRYPTO_ALG_AES_128_CBC;
471  a->iv_size = a->block_align = 16;
472 
473  a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_CBC_192;
474  a->enc_op_id = VNET_CRYPTO_OP_AES_192_CBC_ENC;
475  a->dec_op_id = VNET_CRYPTO_OP_AES_192_CBC_DEC;
476  a->alg = VNET_CRYPTO_ALG_AES_192_CBC;
477  a->iv_size = a->block_align = 16;
478 
479  a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_CBC_256;
480  a->enc_op_id = VNET_CRYPTO_OP_AES_256_CBC_ENC;
481  a->dec_op_id = VNET_CRYPTO_OP_AES_256_CBC_DEC;
482  a->alg = VNET_CRYPTO_ALG_AES_256_CBC;
483  a->iv_size = a->block_align = 16;
484 
  /* AES-GCM entries are the only ones in this table that set icv_size:
   * 8-byte IV, no block alignment, 16-byte ICV. */
485  a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_GCM_128;
486  a->enc_op_id = VNET_CRYPTO_OP_AES_128_GCM_ENC;
487  a->dec_op_id = VNET_CRYPTO_OP_AES_128_GCM_DEC;
488  a->alg = VNET_CRYPTO_ALG_AES_128_GCM;
489  a->iv_size = 8;
490  a->block_align = 1;
491  a->icv_size = 16;
492 
493  a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_GCM_192;
494  a->enc_op_id = VNET_CRYPTO_OP_AES_192_GCM_ENC;
495  a->dec_op_id = VNET_CRYPTO_OP_AES_192_GCM_DEC;
496  a->alg = VNET_CRYPTO_ALG_AES_192_GCM;
497  a->iv_size = 8;
498  a->block_align = 1;
499  a->icv_size = 16;
500 
501  a = im->crypto_algs + IPSEC_CRYPTO_ALG_AES_GCM_256;
502  a->enc_op_id = VNET_CRYPTO_OP_AES_256_GCM_ENC;
503  a->dec_op_id = VNET_CRYPTO_OP_AES_256_GCM_DEC;
504  a->alg = VNET_CRYPTO_ALG_AES_256_GCM;
505  a->iv_size = 8;
506  a->block_align = 1;
507  a->icv_size = 16;
508 
511 
  /* Integrity algorithm table, indexed by IPSEC_INTEG_ALG_*; icv_size is
   * the truncated tag length in bytes. The declaration of i and the sizing
   * of the table are on hidden lines.
   * NOTE(review): HMAC-MD5-96 is MUST NOT in RFC 8221 and HMAC-SHA1-96 is
   * being phased down there; both are made available here. */
512  i = &im->integ_algs[IPSEC_INTEG_ALG_MD5_96];
513  i->op_id = VNET_CRYPTO_OP_MD5_HMAC;
514  i->alg = VNET_CRYPTO_ALG_HMAC_MD5;
515  i->icv_size = 12;
516 
517  i = &im->integ_algs[IPSEC_INTEG_ALG_SHA1_96];
518  i->op_id = VNET_CRYPTO_OP_SHA1_HMAC;
519  i->alg = VNET_CRYPTO_ALG_HMAC_SHA1;
520  i->icv_size = 12;
521 
  /* NOTE(review): this entry pairs op_id VNET_CRYPTO_OP_SHA1_HMAC with alg
   * VNET_CRYPTO_ALG_HMAC_SHA256, while every other entry uses an op_id from
   * the same hash family as its alg. It looks like a copy of the SHA1_96
   * entry above; if op_id selects the hash that is actually computed, an SA
   * configured as sha-256-96 would be authenticated with HMAC-SHA1. Confirm
   * against the crypto layer and peers before relying on this algorithm. */
522  i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_256_96];
523  i->op_id = VNET_CRYPTO_OP_SHA1_HMAC;
524  i->alg = VNET_CRYPTO_ALG_HMAC_SHA256;
525  i->icv_size = 12;
526 
527  i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_256_128];
528  i->op_id = VNET_CRYPTO_OP_SHA256_HMAC;
529  i->alg = VNET_CRYPTO_ALG_HMAC_SHA256;
530  i->icv_size = 16;
531 
532  i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_384_192];
533  i->op_id = VNET_CRYPTO_OP_SHA384_HMAC;
534  i->alg = VNET_CRYPTO_ALG_HMAC_SHA384;
535  i->icv_size = 24;
536 
537  i = &im->integ_algs[IPSEC_INTEG_ALG_SHA_512_256];
538  i->op_id = VNET_CRYPTO_OP_SHA512_HMAC;
539  i->alg = VNET_CRYPTO_ALG_HMAC_SHA512;
540  i->icv_size = 32;
541 
543 
  /* Frame-queue indices per protocol, address family and direction. The
   * right-hand sides are hidden; presumably each is a
   * vlib_frame_queue_main_init () call (listed in the page's cross-reference
   * index, where ah4_enc_fq_index is described as "Worker handoff") -
   * confirm in the source. */
544  im->ah4_enc_fq_index =
546  im->ah4_dec_fq_index =
548  im->ah6_enc_fq_index =
550  im->ah6_dec_fq_index =
552 
553  im->esp4_enc_fq_index =
555  im->esp4_dec_fq_index =
557  im->esp6_enc_fq_index =
559  im->esp6_dec_fq_index =
569 
  /* Synchronous crypto is the default; ipsec_set_async_mode () changes it. */
570  im->async_mode = 0;
572 
573  return 0;
574 }
575 
577 
578 /*
579  * fd.io coding-style-patch-verification: ON
580  *
581  * Local Variables:
582  * eval: (c-set-style "gnu")
583  * End:
584  */
#define vec_validate(V, I)
Make sure vector is long enough for given index (no header, unspecified alignment) ...
Definition: vec.h:509
u32 esp4_decrypt_tun_node_index
Definition: ipsec.h:135
u8 * format_ipsec_integ_alg(u8 *s, va_list *args)
Definition: ipsec_format.c:110
u32 ipsec_register_ah_backend(vlib_main_t *vm, ipsec_main_t *im, const char *name, const char *ah4_encrypt_node_name, const char *ah4_decrypt_node_name, const char *ah6_encrypt_node_name, const char *ah6_decrypt_node_name, check_support_cb_t ah_check_support_cb, add_del_sa_sess_cb_t ah_add_del_sa_sess_cb)
Definition: ipsec.c:183
#define hash_set(h, key, value)
Definition: hash.h:255
u32 esp_default_backend
Definition: ipsec.h:176
u32 esp4_encrypt_next_index
Definition: ipsec.h:61
ipsec_main_crypto_alg_t * crypto_algs
Definition: ipsec.h:179
ipsec_per_thread_data_t * ptd
Definition: ipsec.h:185
u32 esp6_decrypt_node_index
Definition: ipsec.h:140
#define hash_unset(h, key)
Definition: hash.h:261
enable_disable_cb_t enable_disable_cb
Definition: ipsec.h:58
u8 vnet_get_feature_arc_index(const char *s)
Definition: feature.c:197
u32 ah4_decrypt_next_index
Definition: ipsec.h:150
a
Definition: bitmap.h:538
vnet_main_t * vnet_get_main(void)
Definition: misc.c:46
void ipsec_unregister_udp_port(u16 port)
Definition: ipsec.c:139
static void ipsec_add_node(vlib_main_t *vm, const char *node_name, const char *prev_node_name, u32 *out_node_index, u32 *out_next_index)
Definition: ipsec.c:114
u32 esp6_encrypt_tun_node_index
Definition: ipsec.h:72
u32 index
Definition: node.h:279
u32 esp4_decrypt_node_index
Definition: ipsec.h:60
u32 esp6_post_next
Definition: esp.h:195
u32 vlib_frame_queue_main_init(u32 node_index, u32 frame_queue_nelts)
Definition: threads.c:1873
ipsec_integ_alg_t integ_alg
Definition: ipsec_sa.h:171
u32 ah6_decrypt_next_index
Definition: ipsec.h:47
u32 esp6_decrypt_tun_node_index
Definition: ipsec.h:141
u32 esp6_decrypt_next_index
Definition: ipsec.h:66
u32 ah4_encrypt_next_index
Definition: ipsec.h:149
Definition: esp.h:191
u32 ah4_encrypt_node_index
Definition: ipsec.h:40
u32 esp6_encrypt_node_index
Definition: ipsec.h:63
vlib_node_registration_t ah6_encrypt_node
(constructor) VLIB_REGISTER_NODE (ah6_encrypt_node)
Definition: ah_encrypt.c:452
vlib_main_t * vm
Definition: in2out_ed.c:1582
int ipsec_select_ah_backend(ipsec_main_t *im, u32 backend_idx)
Definition: ipsec.c:270
u32 ah_current_backend
Definition: ipsec.h:170
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:424
u32 esp6_decrypt_tun_next_index
Definition: ipsec.h:71
#define vec_validate_aligned(V, I, A)
Make sure vector is long enough for given index (no header, specified alignment)
Definition: vec.h:520
u32 esp_current_backend
Definition: ipsec.h:172
#define pool_get(P, E)
Allocate an object E from a pool P (unspecified alignment).
Definition: pool.h:252
u32 ah6_decrypt_node_index
Definition: ipsec.h:45
static uword vlib_node_add_next(vlib_main_t *vm, uword node, uword next_node)
Definition: node_funcs.h:1173
unsigned char u8
Definition: types.h:56
vlib_node_registration_t esp4_encrypt_tun_node
(constructor) VLIB_REGISTER_NODE (esp4_encrypt_tun_node)
Definition: esp_encrypt.c:1146
uword * spd_index_by_sw_if_index
Definition: ipsec.h:122
int vnet_crypto_is_set_handler(vnet_crypto_alg_t alg)
Definition: crypto.c:189
u32 esp4_decrypt_tun_next_index
Definition: ipsec.h:148
vnet_crypto_alg_t alg
Definition: ipsec.h:88
u32 esp4_enc_tun_fq_index
Definition: ipsec.h:197
vlib_node_registration_t esp6_decrypt_tun_node
(constructor) VLIB_REGISTER_NODE (esp6_decrypt_tun_node)
Definition: esp_decrypt.c:1541
u32 esp6_encrypt_next_index
Definition: ipsec.h:65
static clib_error_t * ipsec_check_ah_support(ipsec_sa_t *sa)
Definition: ipsec.c:33
u32 ah6_encrypt_node_index
Definition: ipsec.h:44
vlib_node_registration_t ah6_decrypt_node
(constructor) VLIB_REGISTER_NODE (ah6_decrypt_node)
Definition: ah_decrypt.c:456
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
Definition: pool.h:513
uword * udp_port_registrations
Definition: ipsec.h:112
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:173
ipsec_main_t ipsec_main
Definition: ipsec.c:28
u32 ah_default_backend
Definition: ipsec.h:174
u32 esp4_tun_post_next
Definition: esp.h:196
void ipsec_register_udp_port(u16 port)
Definition: ipsec.c:164
u32 esp6_encrypt_node_index
Definition: ipsec.h:139
u32 esp4_decrypt_next_index
Definition: ipsec.h:147
u32 ipsec_register_esp_backend(vlib_main_t *vm, ipsec_main_t *im, const char *name, const char *esp4_encrypt_node_name, const char *esp4_encrypt_node_tun_name, const char *esp4_decrypt_node_name, const char *esp4_decrypt_tun_node_name, const char *esp6_encrypt_node_name, const char *esp6_encrypt_node_tun_name, const char *esp6_decrypt_node_name, const char *esp6_decrypt_tun_node_name, check_support_cb_t esp_check_support_cb, add_del_sa_sess_cb_t esp_add_del_sa_sess_cb, enable_disable_cb_t enable_disable_cb)
Definition: ipsec.c:211
u32 ah6_encrypt_next_index
Definition: ipsec.h:46
int ipsec_select_esp_backend(ipsec_main_t *im, u32 backend_idx)
Definition: ipsec.c:293
u32 esp4_dec_tun_fq_index
Definition: ipsec.h:199
#define clib_error_return(e, args...)
Definition: error.h:99
check_support_cb_t check_support_cb
Definition: ipsec.h:56
vlib_node_registration_t esp4_decrypt_tun_node
(constructor) VLIB_REGISTER_NODE (esp4_decrypt_tun_node)
Definition: esp_decrypt.c:1511
u32 ah6_dec_fq_index
Definition: ipsec.h:191
u32 esp4_dec_fq_index
Definition: ipsec.h:194
u8 * format_ipsec_crypto_alg(u8 *s, va_list *args)
Definition: ipsec_format.c:78
unsigned int u32
Definition: types.h:88
clib_error_t *(* add_del_sa_sess_cb_t)(u32 sa_index, u8 is_add)
Definition: ipsec.h:29
#define vlib_call_init_function(vm, x)
Definition: init.h:270
u32 esp6_decrypt_node_index
Definition: ipsec.h:64
u32 vnet_get_feature_index(u8 arc, const char *s)
Definition: feature.c:233
static clib_error_t * vnet_feature_init(vlib_main_t *vm)
Definition: feature.c:50
u32 ah4_decrypt_node_index
Definition: ipsec.h:138
vlib_node_registration_t esp6_encrypt_node
(constructor) VLIB_REGISTER_NODE (esp6_encrypt_node)
Definition: esp_encrypt.c:1105
clib_error_t * crypto_dispatch_enable_disable(int is_enable)
Definition: crypto.c:447
u32 error_drop_node_index
Definition: ipsec.h:132
#define hash_get(h, key)
Definition: hash.h:249
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:534
vlib_node_t * vlib_get_node_by_name(vlib_main_t *vm, u8 *name)
Definition: node.c:45
vlib_node_registration_t esp6_encrypt_tun_node
(constructor) VLIB_REGISTER_NODE (esp6_encrypt_tun_node)
Definition: esp_encrypt.c:1195
u32 esp4_encrypt_node_index
Definition: ipsec.h:133
vnet_main_t * vnet_main
Definition: ipsec.h:118
clib_error_t * ipsec_check_support_cb(ipsec_main_t *im, ipsec_sa_t *sa)
Definition: ipsec.c:91
vnet_crypto_op_id_t enc_op_id
Definition: ipsec.h:77
unsigned short u16
Definition: types.h:57
u32 ah4_decrypt_next_index
Definition: ipsec.h:43
u32 esp6_dec_tun_fq_index
Definition: ipsec.h:200
clib_error_t * ipsec_rsc_in_use(ipsec_main_t *im)
Definition: ipsec.c:258
u32 esp4_decrypt_tun_next_index
Definition: ipsec.h:68
u32 vnet_crypto_register_post_node(vlib_main_t *vm, char *post_node_name)
async crypto register functions
Definition: crypto.c:529
#define PREDICT_FALSE(x)
Definition: clib.h:120
u32 ah4_enc_fq_index
Worker handoff.
Definition: ipsec.h:188
u32 esp6_decrypt_tun_node_index
Definition: ipsec.h:70
vlib_node_registration_t ah4_encrypt_node
(constructor) VLIB_REGISTER_NODE (ah4_encrypt_node)
Definition: ah_encrypt.c:426
u32 ah4_dec_fq_index
Definition: ipsec.h:189
u32 esp4_encrypt_node_index
Definition: ipsec.h:59
uword * spd_index_by_spd_id
Definition: ipsec.h:121
u32 ah6_enc_fq_index
Definition: ipsec.h:190
u32 ah4_decrypt_node_index
Definition: ipsec.h:41
clib_error_t * ipsec_add_del_sa_sess_cb(ipsec_main_t *im, u32 sa_index, u8 is_add)
Definition: ipsec.c:69
u32 ah6_encrypt_next_index
Definition: ipsec.h:154
clib_error_t *(* enable_disable_cb_t)(int is_enable)
Definition: ipsec.h:31
u32 esp6_decrypt_tun_next_index
Definition: ipsec.h:153
ipsec_ah_backend_t * ah_backends
Definition: ipsec.h:166
clib_error_t * ipsec_cli_init(vlib_main_t *vm)
Definition: ipsec_cli.c:1107
sll srl srl sll sra u16x4 i
Definition: vector_sse42.h:317
vlib_node_registration_t ah4_decrypt_node
(constructor) VLIB_REGISTER_NODE (ah4_decrypt_node)
Definition: ah_decrypt.c:429
static void crypto_engine_backend_register_post_node(vlib_main_t *vm)
Definition: ipsec.c:362
void udp_unregister_dst_port(vlib_main_t *vm, udp_dst_port_t dst_port, u8 is_ip4)
Definition: udp_local.c:506
u32 esp6_enc_tun_fq_index
Definition: ipsec.h:198
u32 esp4_encrypt_next_index
Definition: ipsec.h:146
vlib_node_registration_t esp4_encrypt_node
(constructor) VLIB_REGISTER_NODE (esp4_encrypt_node)
Definition: esp_encrypt.c:1055
u32 ah4_encrypt_next_index
Definition: ipsec.h:42
uword * sa_index_by_sa_id
Definition: ipsec.h:123
u32 esp6_decrypt_next_index
Definition: ipsec.h:152
#define pool_is_free_index(P, I)
Use free bitmap to query whether given index is free.
Definition: pool.h:299
u32 esp4_encrypt_tun_node_index
Definition: ipsec.h:136
vlib_main_t * vlib_main
Definition: ipsec.h:117
string name[64]
Definition: ip.api:44
u32 esp4_post_next
Definition: esp.h:194
vlib_main_t vlib_node_runtime_t * node
Definition: in2out_ed.c:1582
u32 esp6_tun_post_next
Definition: esp.h:197
static clib_error_t * ipsec_init(vlib_main_t *vm)
Definition: ipsec.c:389
esp_async_post_next_t esp_decrypt_async_next
Definition: ipsec.c:30
u32 esp6_encrypt_next_index
Definition: ipsec.h:151
static clib_error_t * ipsec_check_esp_support(ipsec_sa_t *sa)
Definition: ipsec.c:48
clib_error_t *(* check_support_cb_t)(ipsec_sa_t *sa)
Definition: ipsec.h:30
#define hash_create(elts, value_bytes)
Definition: hash.h:696
vnet_crypto_op_id_t op_id
Definition: ipsec.h:87
#define ASSERT(truth)
void ipsec_set_async_mode(u32 is_enabled)
Definition: ipsec.c:339
u32 ah4_encrypt_node_index
Definition: ipsec.h:137
ipsec_main_integ_alg_t * integ_algs
Definition: ipsec.h:182
u32 esp6_dec_fq_index
Definition: ipsec.h:196
u32 esp6_enc_fq_index
Definition: ipsec.h:195
ipsec_sa_t * sad
Definition: ipsec.h:107
u32 esp4_decrypt_node_index
Definition: ipsec.h:134
ipsec_protocol_t protocol
Definition: ipsec_sa.h:165
add_del_sa_sess_cb_t add_del_sa_sess_cb
Definition: ipsec.h:54
vnet_crypto_op_id_t dec_op_id
Definition: ipsec.h:78
vlib_node_registration_t ipsec4_tun_input_node
(constructor) VLIB_REGISTER_NODE (ipsec4_tun_input_node)
Definition: ipsec_tun_in.c:367
u32 ah6_decrypt_node_index
Definition: ipsec.h:144
static vlib_main_t * vlib_get_main(void)
Definition: global_funcs.h:23
u32 esp4_enc_fq_index
Definition: ipsec.h:193
u32 ah6_encrypt_node_index
Definition: ipsec.h:143
u32 ah6_decrypt_next_index
Definition: ipsec.h:155
check_support_cb_t check_support_cb
Definition: ipsec.h:39
u32 esp4_decrypt_tun_node_index
Definition: ipsec.h:67
u64 uword
Definition: types.h:112
esp_async_post_next_t esp_encrypt_async_next
Definition: ipsec.c:29
u32 esp4_encrypt_tun_node_index
Definition: ipsec.h:69
void ipsec_add_feature(const char *arc_name, const char *node_name, u32 *out_feature_index)
Definition: ipsec.c:128
u16 port
Definition: lb_types.api:72
u32 esp4_decrypt_next_index
Definition: ipsec.h:62
ipsec_crypto_alg_t crypto_alg
Definition: ipsec_sa.h:167
static u32 vlib_num_workers()
Definition: threads.h:377
vnet_crypto_alg_t alg
Definition: ipsec.h:79
void udp_register_dst_port(vlib_main_t *vm, udp_dst_port_t dst_port, u32 node_index, u8 is_ip4)
Definition: udp_local.c:468
add_del_sa_sess_cb_t add_del_sa_sess_cb
Definition: ipsec.h:37
ipsec_esp_backend_t * esp_backends
Definition: ipsec.h:168
#define CLIB_CACHE_LINE_BYTES
Definition: cache.h:59
u8 async_mode
Definition: ipsec.h:202
vlib_node_registration_t esp6_decrypt_node
(constructor) VLIB_REGISTER_NODE (esp6_decrypt_node)
Definition: esp_decrypt.c:1479
u32 esp6_encrypt_tun_node_index
Definition: ipsec.h:142
vlib_node_registration_t esp4_decrypt_node
(constructor) VLIB_REGISTER_NODE (esp4_decrypt_node)
Definition: esp_decrypt.c:1447
static uword pool_elts(void *v)
Number of active elements in a pool.
Definition: pool.h:128