FD.io VPP  v21.01.1
Vector Packet Processing
ipsec_tun.c
Go to the documentation of this file.
1 /*
2  * ipsec_tun.h : IPSEC tunnel protection
3  *
4  * Copyright (c) 2015 Cisco and/or its affiliates.
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 
18 #include <vnet/ipsec/ipsec_tun.h>
19 #include <vnet/ipsec/ipsec_itf.h>
20 #include <vnet/ipsec/esp.h>
21 #include <vnet/udp/udp_local.h>
22 #include <vnet/adj/adj_delegate.h>
23 #include <vnet/adj/adj_midchain.h>
24 #include <vnet/teib/teib.h>
25 
26 /* instantiate the bihash functions */
27 #include <vppinfra/bihash_8_16.h>
29 #include <vppinfra/bihash_24_16.h>
31 
32 #define IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS (64 * 1024)
33 #define IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE 512 << 20
34 
35 /**
36  * The logger
37  */
39 
40 /**
41  * Pool of tunnel protection objects
42  */
44 
45 /**
46  * Adj delegate registered type
47  */
49 
50 /**
51  * Adj index to TX SA mapping
52  */
54 
55 const ip_address_t IP_ADDR_ALL_0 = IP_ADDRESS_V4_ALL_0S;
56 
57 /**
58  * The DB of all added per-nh tunnel protectiond
59  */
61 {
62  /** A hash table key'd on IP (4 or 6) address */
64  /** If the interface is P2P then there is only one protect
65  * object associated with the auto-adj for each NH proto */
68 
70 {
71  /** Per-interface vector */
74 
76 
77 const static ipsec_tun_protect_itf_db_t IPSEC_TUN_PROTECT_DEFAULT_DB_ENTRY = {
79 };
80 
81 #define ITP_DBG(_itp, _fmt, _args...) \
82 { \
83  vlib_log_debug(ipsec_tun_protect_logger, \
84  "[%U]: " _fmt, \
85  format_ipsec_tun_protect, \
86  _itp, ##_args); \
87 }
88 
89 #define ITP_DBG2(_fmt, _args...) \
90 { \
91  vlib_log_debug(ipsec_tun_protect_logger, \
92  _fmt, ##_args); \
93 }
94 
96 
97 void
99 {
100  if (0 == ipsec_tun_node_regs[af]++)
101  {
102  if (AF_IP4 == af)
103  {
104  ipsec_register_udp_port (UDP_DST_PORT_ipsec);
105  ip4_register_protocol (IP_PROTOCOL_IPSEC_ESP,
106  ipsec4_tun_input_node.index);
107  }
108  else
109  ip6_register_protocol (IP_PROTOCOL_IPSEC_ESP,
110  ipsec6_tun_input_node.index);
111  }
112 }
113 
114 void
116 {
117  ASSERT (0 != ipsec_tun_node_regs[af]);
118  if (0 == --ipsec_tun_node_regs[af])
119  {
120  if (AF_IP4 == af)
121  {
122  ipsec_unregister_udp_port (UDP_DST_PORT_ipsec);
123  ip4_unregister_protocol (IP_PROTOCOL_IPSEC_ESP);
124  }
125  else
126  ip6_unregister_protocol (IP_PROTOCOL_IPSEC_ESP);
127  }
128 }
129 
130 static inline const ipsec_tun_protect_t *
132 {
133  if (ad == NULL)
134  return (NULL);
135  return (pool_elt_at_index (ipsec_tun_protect_pool, ad->ad_index));
136 }
137 
138 static u32
140  const ipsec_tun_protect_t * itp)
141 {
142  ipsec_main_t *im;
143  ipsec_sa_t *sa;
144  bool is_ip4;
145  u32 next;
146 
147 
148  if (itp->itp_flags & IPSEC_PROTECT_ITF)
149  is_ip4 = linkt == VNET_LINK_IP4;
150  else
151  is_ip4 = ip46_address_is_ip4 (&itp->itp_tun.src);
152 
153  sa = ipsec_sa_get (itp->itp_out_sa);
154  im = &ipsec_main;
155 
156  if ((sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE &&
157  sa->integ_alg == IPSEC_INTEG_ALG_NONE) &&
158  !(itp->itp_flags & IPSEC_PROTECT_ITF))
159  next = (is_ip4 ?
162  else if (itp->itp_flags & IPSEC_PROTECT_L2)
163  next = (is_ip4 ?
166  else
167  next = (is_ip4 ?
170 
171  return (next);
172 }
173 
174 static void
176 {
178  INDEX_INVALID);
179 
180  if (NULL == itp)
181  {
184  }
185  else
186  {
190  }
191 }
192 
193 static index_t
195 {
197  uword *p;
198 
199  if (vec_len (itp_db.id_itf) <= sw_if_index)
200  return INDEX_INVALID;
201 
202  if (vnet_sw_interface_is_p2p (vnet_get_main (), sw_if_index))
203  return (itp_db.id_itf[sw_if_index].id_itp);
204 
205  idi = &itp_db.id_itf[sw_if_index];
206  p = hash_get_mem (idi->id_hash, nh);
207 
208  if (NULL == p)
209  {
210  return INDEX_INVALID;
211  }
212  return (p[0]);
213 }
214 
215 static void
217  const ipsec_tun_protect_t * itp)
218 {
219  const ipsec_sa_t *sa;
220  u32 sai;
221 
222  if (ip46_address_is_zero (&itp->itp_crypto.dst))
223  return;
224 
225  /* *INDENT-OFF* */
227  ({
228  sa = ipsec_sa_get (sai);
229 
232  .sa_index = sai,
233  .flags = itp->itp_flags,
234  .sw_if_index = itp->itp_sw_if_index,
235  };
236 
237  /*
238  * The key is formed from the tunnel's destination
239  * as the packet lookup is done from the packet's source
240  */
241  if (ip46_address_is_ip4 (&itp->itp_crypto.dst))
242  {
244  .value = res,
245  };
247 
248  ipsec4_tunnel_mk_key(&key, &itp->itp_crypto.dst.ip4,
249  clib_host_to_net_u32 (sa->spi));
250 
251  if (!im->tun4_protect_by_key.nbuckets)
252  clib_bihash_init_8_16 (&im->tun4_protect_by_key,
253  "IPSec IPv4 tunnels",
256 
257  clib_bihash_add_del_8_16 (&im->tun4_protect_by_key, bkey, 1);
259  }
260  else
261  {
263  .key = {
264  .remote_ip = itp->itp_crypto.dst.ip6,
265  .spi = clib_host_to_net_u32 (sa->spi),
266  },
267  .value = res,
268  };
270 
271  if (!im->tun4_protect_by_key.nbuckets)
272  clib_bihash_init_24_16 (&im->tun6_protect_by_key,
273  "IPSec IPv6 tunnels",
276  clib_bihash_add_del_24_16 (&im->tun6_protect_by_key, bkey, 1);
278  }
279  }))
280  /* *INDENT-ON* */
281 }
282 
283 static adj_walk_rc_t
285 {
286  ipsec_tun_protect_t *itp = arg;
288  itp - ipsec_tun_protect_pool);
289  ipsec_tun_protect_add_adj (ai, itp);
290 
291  if (itp->itp_flags & IPSEC_PROTECT_ITF)
292  ipsec_itf_adj_stack (ai, itp->itp_out_sa);
293 
294  return (ADJ_WALK_RC_CONTINUE);
295 }
296 
297 static void
299 {
300  /*
301  * add the delegate to the adj
302  */
304  fib_protocol_t nh_proto;
305  ip46_address_t nh;
306 
308  itp->itp_sw_if_index,
309  IPSEC_TUN_PROTECT_DEFAULT_DB_ENTRY);
310 
311  idi = &itp_db.id_itf[itp->itp_sw_if_index];
312 
314  {
315  if (INDEX_INVALID == idi->id_itp)
316  {
317  // ipsec_tun_protect_feature_set (itp, 1);
318  }
319  idi->id_itp = itp - ipsec_tun_protect_pool;
320 
321  FOR_EACH_FIB_IP_PROTOCOL (nh_proto)
323  nh_proto, ipsec_tun_protect_adj_add, itp);
324  }
325  else
326  {
327  if (NULL == idi->id_hash)
328  {
329  idi->id_hash =
330  hash_create_mem (0, sizeof (ip_address_t), sizeof (uword));
331  /*
332  * enable the encrypt feature for egress if this is the first addition
333  * on this interface
334  */
335  // ipsec_tun_protect_feature_set (itp, 1);
336  }
337 
338  hash_set_mem (idi->id_hash, itp->itp_key, itp - ipsec_tun_protect_pool);
339 
340  /*
341  * walk all the adjs with the same nh on this interface
342  * to associate them with this protection
343  */
344  nh_proto = ip_address_to_46 (itp->itp_key, &nh);
345 
347  nh_proto, &nh, ipsec_tun_protect_adj_add, itp);
348 
350  AF_IP6 : AF_IP4);
351  }
352 }
353 
354 static void
356  const ipsec_tun_protect_t * itp)
357 {
358  const ipsec_sa_t *sa;
359 
360  /* *INDENT-OFF* */
362  ({
363  if (ip46_address_is_ip4 (&itp->itp_crypto.dst))
364  {
365  ipsec4_tunnel_kv_t key;
366  clib_bihash_kv_8_16_t res, *bkey = (clib_bihash_kv_8_16_t*)&key;
367 
368  ipsec4_tunnel_mk_key(&key, &itp->itp_crypto.dst.ip4,
369  clib_host_to_net_u32 (sa->spi));
370 
371  if (!clib_bihash_search_8_16 (&im->tun4_protect_by_key, bkey, &res))
372  {
373  clib_bihash_add_del_8_16 (&im->tun4_protect_by_key, bkey, 0);
374  ipsec_tun_unregister_nodes(AF_IP4);
375  }
376  }
377  else
378  {
380  .key = {
381  .remote_ip = itp->itp_crypto.dst.ip6,
382  .spi = clib_host_to_net_u32 (sa->spi),
383  },
384  };
386 
387  if (!clib_bihash_search_24_16 (&im->tun6_protect_by_key, bkey, &res))
388  {
389  clib_bihash_add_del_24_16 (&im->tun6_protect_by_key, bkey, 0);
391  }
392  }
393  }));
394  /* *INDENT-ON* */
395 }
396 
397 static adj_walk_rc_t
399 {
400  ipsec_tun_protect_t *itp = arg;
401 
403  ipsec_tun_protect_add_adj (ai, NULL);
404 
405  if (itp->itp_flags & IPSEC_PROTECT_ITF)
407 
408  return (ADJ_WALK_RC_CONTINUE);
409 }
410 
411 static void
413 {
415  fib_protocol_t nh_proto;
416  ip46_address_t nh;
417 
418  nh_proto = ip_address_to_46 (itp->itp_key, &nh);
419  idi = &itp_db.id_itf[itp->itp_sw_if_index];
420 
422  {
423  // ipsec_tun_protect_feature_set (itp, 0);
424  idi->id_itp = INDEX_INVALID;
425 
426  FOR_EACH_FIB_IP_PROTOCOL (nh_proto)
428  nh_proto, ipsec_tun_protect_adj_remove, itp);
429  }
430  else
431  {
433  nh_proto, &nh, ipsec_tun_protect_adj_remove, itp);
434 
435  hash_unset_mem (idi->id_hash, itp->itp_key);
436 
437  if (0 == hash_elts (idi->id_hash))
438  {
439  // ipsec_tun_protect_feature_set (itp, 0);
440  hash_free (idi->id_hash);
441  idi->id_hash = NULL;
442  }
444  AF_IP6 : AF_IP4);
445  }
446 }
447 
448 static void
450 {
451  ipsec_sa_t *sa;
452 
453  /* *INDENT-OFF* */
455  ({
456  if (ipsec_sa_is_set_IS_TUNNEL (sa))
457  {
458  itp->itp_crypto.src = sa->tunnel_dst_addr;
459  itp->itp_crypto.dst = sa->tunnel_src_addr;
460  if (!(itp->itp_flags & IPSEC_PROTECT_ITF))
461  {
462  ipsec_sa_set_IS_PROTECT (sa);
463  itp->itp_flags |= IPSEC_PROTECT_ENCAPED;
464  }
465  }
466  else
467  {
468  itp->itp_crypto.src = itp->itp_tun.src;
469  itp->itp_crypto.dst = itp->itp_tun.dst;
470  itp->itp_flags &= ~IPSEC_PROTECT_ENCAPED;
471  }
472  }));
473  /* *INDENT-ON* */
474 }
475 
476 static void
478  ipsec_tun_protect_t * itp, u32 sa_out, u32 * sas_in)
479 {
480  index_t sai;
481  u32 ii;
482 
483  itp->itp_n_sa_in = vec_len (sas_in);
484  for (ii = 0; ii < itp->itp_n_sa_in; ii++)
485  itp->itp_in_sas[ii] = sas_in[ii];
486  itp->itp_out_sa = sa_out;
487 
488  ipsec_sa_lock (itp->itp_out_sa);
489 
490  /* *INDENT-OFF* */
492  ({
493  ipsec_sa_lock(sai);
494  }));
496  /* *INDENT-ON* */
497 
498  /*
499  * add to the DB against each SA
500  */
501  ipsec_tun_protect_rx_db_add (im, itp);
503 
504  ITP_DBG (itp, "configured");
505 }
506 
507 static void
509 {
510  ipsec_sa_t *sa;
511  index_t sai;
512 
513  /* *INDENT-OFF* */
515  ({
516  ipsec_sa_unset_IS_PROTECT (sa);
517  }));
518 
521 
523 
525  ({
526  ipsec_sa_unlock(sai);
527  }));
528  /* *INDENT-ON* */
529  ITP_DBG (itp, "unconfigured");
530 }
531 
532 int
534  const ip_address_t * nh, u32 sa_out, u32 sa_in)
535 {
536  u32 *sas_in = NULL;
537  int rv;
538 
539  vec_add1 (sas_in, sa_in);
540  rv = ipsec_tun_protect_update (sw_if_index, nh, sa_out, sas_in);
541 
542  return (rv);
543 }
544 
545 int
547  const ip_address_t * nh, u32 sa_out)
548 {
549  u32 itpi, *sas_in, sai, *saip;
550  ipsec_tun_protect_t *itp;
551  ipsec_main_t *im;
552  int rv;
553 
554  sas_in = NULL;
555  rv = 0;
556  im = &ipsec_main;
557 
558  itpi = ipsec_tun_protect_find (sw_if_index, nh);
559 
560  if (INDEX_INVALID == itpi)
561  {
562  return (VNET_API_ERROR_INVALID_INTERFACE);
563  }
564 
565  itp = pool_elt_at_index (ipsec_tun_protect_pool, itpi);
566 
567  /* *INDENT-OFF* */
569  ({
570  ipsec_sa_lock (sai);
571  vec_add1 (sas_in, sai);
572  }));
573  /* *INDENT-ON* */
574 
575  sa_out = ipsec_sa_find_and_lock (sa_out);
576 
577  if (~0 == sa_out)
578  {
579  rv = VNET_API_ERROR_INVALID_VALUE;
580  goto out;
581  }
582 
583  ipsec_tun_protect_unconfig (im, itp);
584  ipsec_tun_protect_config (im, itp, sa_out, sas_in);
585 
586  ipsec_sa_unlock (sa_out);
587  vec_foreach (saip, sas_in) ipsec_sa_unlock (*saip);
588 
589 out:
590  vec_free (sas_in);
591  return (rv);
592 }
593 
594 int
596  const ip_address_t * nh, u32 sa_in)
597 {
598  u32 itpi, *sas_in, sa_out;
599  ipsec_tun_protect_t *itp;
600  ipsec_main_t *im;
601  int rv;
602 
603  sas_in = NULL;
604  rv = 0;
605  im = &ipsec_main;
606  itpi = ipsec_tun_protect_find (sw_if_index, nh);
607 
608  if (INDEX_INVALID == itpi)
609  {
610  return (VNET_API_ERROR_INVALID_INTERFACE);
611  }
612 
613  sa_in = ipsec_sa_find_and_lock (sa_in);
614 
615  if (~0 == sa_in)
616  {
617  rv = VNET_API_ERROR_INVALID_VALUE;
618  goto out;
619  }
620  vec_add1 (sas_in, sa_in);
621 
622  itp = pool_elt_at_index (ipsec_tun_protect_pool, itpi);
623  sa_out = itp->itp_out_sa;
624 
625  ipsec_sa_lock (sa_out);
626 
627  ipsec_tun_protect_unconfig (im, itp);
628  ipsec_tun_protect_config (im, itp, sa_out, sas_in);
629 
630  ipsec_sa_unlock (sa_out);
631  ipsec_sa_unlock (sa_in);
632 out:
633  vec_free (sas_in);
634  return (rv);
635 }
636 
637 static void
639  const teib_entry_t * ne)
640 {
641  if (NULL != ne)
642  {
643  const fib_prefix_t *pfx;
644 
645  pfx = teib_entry_get_nh (ne);
646 
647  ip46_address_copy (&itp->itp_tun.dst, &pfx->fp_addr);
648  }
649  else
651 }
652 
653 int
655  const ip_address_t * nh, u32 sa_out, u32 * sas_in)
656 {
657  ipsec_tun_protect_t *itp;
658  u32 itpi, ii, *saip;
659  ipsec_main_t *im;
660  int rv;
661 
662  ITP_DBG2 ("update: %U/%U",
664  format_ip_address, nh);
665 
666  if (vec_len (sas_in) > ITP_MAX_N_SA_IN)
667  {
668  rv = VNET_API_ERROR_LIMIT_EXCEEDED;
669  goto out;
670  }
671 
672  rv = 0;
673  im = &ipsec_main;
674  if (NULL == nh)
675  nh = &IP_ADDR_ALL_0;
676  itpi = ipsec_tun_protect_find (sw_if_index, nh);
677 
678  vec_foreach_index (ii, sas_in)
679  {
680  sas_in[ii] = ipsec_sa_find_and_lock (sas_in[ii]);
681  if (~0 == sas_in[ii])
682  {
683  rv = VNET_API_ERROR_INVALID_VALUE;
684  goto out;
685  }
686  }
687 
688  sa_out = ipsec_sa_find_and_lock (sa_out);
689 
690  if (~0 == sa_out)
691  {
692  rv = VNET_API_ERROR_INVALID_VALUE;
693  goto out;
694  }
695 
696  if (INDEX_INVALID == itpi)
697  {
698  vnet_device_class_t *dev_class;
700  vnet_main_t *vnm;
701  u8 is_l2;
702 
703  vnm = vnet_get_main ();
704  hi = vnet_get_sup_hw_interface (vnm, sw_if_index);
705  dev_class = vnet_get_device_class (vnm, hi->dev_class_index);
706 
707  if (NULL == dev_class->ip_tun_desc)
708  {
709  rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
710  goto out;
711  }
712 
713  pool_get_zero (ipsec_tun_protect_pool, itp);
714 
716  itp->itp_ai = ADJ_INDEX_INVALID;
717 
718  itp->itp_n_sa_in = vec_len (sas_in);
719  for (ii = 0; ii < itp->itp_n_sa_in; ii++)
720  itp->itp_in_sas[ii] = sas_in[ii];
721  itp->itp_out_sa = sa_out;
722 
723  itp->itp_key = clib_mem_alloc (sizeof (*itp->itp_key));
724  ip_address_copy (itp->itp_key, nh);
725 
726  rv = dev_class->ip_tun_desc (sw_if_index,
727  &itp->itp_tun.src,
728  &itp->itp_tun.dst, &is_l2);
729 
730  if (rv)
731  goto out;
732 
733  if (ip46_address_is_zero (&itp->itp_tun.src))
734  {
735  /*
736  * must be one of those pesky ipsec interfaces that has no encap.
737  * the encap then MUST come from the tunnel mode SA.
738  */
739  ipsec_sa_t *sa;
740 
741  sa = ipsec_sa_get (itp->itp_out_sa);
742 
743  if (!ipsec_sa_is_set_IS_TUNNEL (sa))
744  {
745  rv = VNET_API_ERROR_INVALID_DST_ADDRESS;
746  goto out;
747  }
748 
749  itp->itp_flags |= IPSEC_PROTECT_ITF;
750  }
751  else if (ip46_address_is_zero (&itp->itp_tun.dst))
752  {
753  /* tunnel has no destination address, presumably because it's p2mp
754  in which case we use the nh that this is protection for */
756  (itp, teib_entry_find (sw_if_index, nh));
757  }
758 
759  if (is_l2)
760  itp->itp_flags |= IPSEC_PROTECT_L2;
761 
762  /*
763  * add to the tunnel DB for ingress
764  * - if the SA is in trasnport mode, then the packates will arrive
765  * with the IP src,dst of the protected tunnel, in which case we can
766  * simply strip the IP header and hand the payload to the protocol
767  * appropriate input handler
768  * - if the SA is in tunnel mode then there are two IP headers present
769  * one for the crytpo tunnel endpoints (described in the SA) and one
770  * for the tunnel endpoints. The outer IP headers in the srriving
771  * packets will have the crypto endpoints. So the DB needs to contain
772  * the crpto endpoint. Once the crypto header is stripped, revealing,
773  * the tunnel-IP we have 2 choices:
774  * 1) do a tunnel lookup based on the revealed header
775  * 2) skip the tunnel lookup and assume that the packet matches the
776  * one that is protected here.
777  * If we did 1) then we would allow our peer to use the SA for tunnel
778  * X to inject traffic onto tunnel Y, this is not good. If we do 2)
779  * then we don't verify that the peer is indeed using SA for tunnel
780  * X and addressing tunnel X. So we take a compromise, once the SA
781  * matches to tunnel X we veriy that the inner IP matches the value
782  * of the tunnel we are protecting, else it's dropped.
783  */
784  ipsec_tun_protect_config (im, itp, sa_out, sas_in);
785  }
786  else
787  {
788  /* updating SAs only */
789  itp = pool_elt_at_index (ipsec_tun_protect_pool, itpi);
790 
791  ipsec_tun_protect_unconfig (im, itp);
792  ipsec_tun_protect_config (im, itp, sa_out, sas_in);
793  }
794 
795  ipsec_sa_unlock (sa_out);
796  vec_foreach (saip, sas_in) ipsec_sa_unlock (*saip);
797  vec_free (sas_in);
798 
799 out:
800  return (rv);
801 }
802 
803 int
805 {
806  ipsec_tun_protect_t *itp;
807  ipsec_main_t *im;
808  index_t itpi;
809 
810  ITP_DBG2 ("delete: %U/%U",
812  format_ip_address, nh);
813 
814  im = &ipsec_main;
815  if (NULL == nh)
816  nh = &IP_ADDR_ALL_0;
817 
818  itpi = ipsec_tun_protect_find (sw_if_index, nh);
819 
820  if (INDEX_INVALID == itpi)
821  return (VNET_API_ERROR_NO_SUCH_ENTRY);
822 
823  itp = ipsec_tun_protect_get (itpi);
824  ipsec_tun_protect_unconfig (im, itp);
825 
826  if (ADJ_INDEX_INVALID != itp->itp_ai)
827  adj_unlock (itp->itp_ai);
828 
829  clib_mem_free (itp->itp_key);
830  pool_put (ipsec_tun_protect_pool, itp);
831 
832  return (0);
833 }
834 
835 void
837 {
838  index_t itpi;
839 
840  /* *INDENT-OFF* */
841  pool_foreach_index (itpi, ipsec_tun_protect_pool)
842  {
843  fn (itpi, ctx);
844  }
845  /* *INDENT-ON* */
846 }
847 
848 void
851 {
853  ip_address_t *key;
854  index_t itpi;
855 
856  if (vec_len (itp_db.id_itf) <= sw_if_index)
857  return;
858 
859  idi = &itp_db.id_itf[sw_if_index];
860 
861  /* *INDENT-OFF* */
862  hash_foreach(key, itpi, idi->id_hash,
863  ({
864  fn (itpi, ctx);
865  }));
866  /* *INDENT-ON* */
867  if (INDEX_INVALID != idi->id_itp)
868  fn (idi->id_itp, ctx);
869 }
870 
871 static void
873 {
874  /* remove our delegate */
877 }
878 
879 static void
881 {
884 }
885 
886 static void
888 {
889  /* add our delegate if there is protection for this neighbour */
891  ip_adjacency_t *adj;
892  index_t itpi;
893 
894  if (!adj_is_midchain (ai))
895  return;
896 
897  adj = adj_get (ai);
898 
899  ip_address_from_46 (&adj->sub_type.midchain.next_hop,
900  adj->ia_nh_proto, &ip);
901 
902  itpi = ipsec_tun_protect_find (adj->rewrite_header.sw_if_index, &ip);
903 
904  if (INDEX_INVALID != itpi)
906 }
907 
908 static u8 *
910 {
911  const ipsec_tun_protect_t *itp;
912 
914  s = format (s, "ipsec-tun-protect:\n%U", format_ipsec_tun_protect, itp);
915 
916  return (s);
917 }
918 
919 static void
921 {
922  ipsec_tun_protect_t *itp;
923  index_t itpi;
924 
926  teib_entry_get_peer (ne));
927 
928  if (INDEX_INVALID == itpi)
929  return;
930 
931  itp = ipsec_tun_protect_get (itpi);
936 
937  ITP_DBG (itp, "teib-added");
938 }
939 
940 static void
942 {
943  ipsec_tun_protect_t *itp;
944  index_t itpi;
945 
947  teib_entry_get_peer (ne));
948 
949  if (INDEX_INVALID == itpi)
950  return;
951 
952  itp = ipsec_tun_protect_get (itpi);
956 
957  ITP_DBG (itp, "teib-removed");
958 }
959 
960 /**
961  * VFT registered with the adjacency delegate
962  */
963 const static adj_delegate_vft_t ipsec_tun_adj_delegate_vft = {
968 };
969 
970 const static teib_vft_t ipsec_tun_teib_vft = {
972  .nv_deleted = ipsec_tun_teib_entry_deleted,
973 };
974 
975 void
977 {
978  ipsec_main_t *im;
979 
980  im = &ipsec_main;
981 
982  if (AF_IP4 == af)
983  clib_bihash_init_8_16 (&im->tun4_protect_by_key,
984  "IPSec IPv4 tunnels", n_buckets, table_size);
985  else
986  clib_bihash_init_24_16 (&im->tun6_protect_by_key,
987  "IPSec IPv6 tunnels", n_buckets, table_size);
988 }
989 
990 clib_error_t *
992 {
993  ipsec_main_t *im;
994 
995  im = &ipsec_main;
996  clib_bihash_init_24_16 (&im->tun6_protect_by_key,
997  "IPSec IPv6 tunnels",
1000  clib_bihash_init_8_16 (&im->tun4_protect_by_key,
1001  "IPSec IPv4 tunnels",
1004 
1005  /* set up feature nodes to drop outbound packets with no crypto alg set */
1007  vlib_get_node_by_name (vm, (u8 *) "esp4-no-crypto")->index;
1009  vlib_get_node_by_name (vm, (u8 *) "esp6-no-crypto")->index;
1011  vlib_get_node_by_name (vm, (u8 *) "esp6-encrypt-tun")->index;
1013  vlib_get_node_by_name (vm, (u8 *) "esp4-encrypt-tun")->index;
1014 
1016  adj_delegate_register_new_type (&ipsec_tun_adj_delegate_vft);
1017 
1019 
1020  teib_register (&ipsec_tun_teib_vft);
1021 
1022  return 0;
1023 }
1024 
1026 
1027 static clib_error_t *
1029 {
1030  unformat_input_t sub_input;
1031 
1032  while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
1033  {
1034  if (unformat (input, "ip4 %U", unformat_vlib_cli_sub_input, &sub_input))
1035  {
1036  uword table_size = ~0;
1037  u32 n_buckets = ~0;
1038 
1039  while (unformat_check_input (&sub_input) != UNFORMAT_END_OF_INPUT)
1040  {
1041  if (unformat (&sub_input, "num-buckets %u", &n_buckets))
1042  ;
1043  else
1044  return clib_error_return (0, "unknown input `%U'",
1045  format_unformat_error, &sub_input);
1046  }
1047 
1048  ipsec_tun_table_init (AF_IP4, table_size, n_buckets);
1049  }
1050  else if (unformat (input, "ip6 %U", unformat_vlib_cli_sub_input,
1051  &sub_input))
1052  {
1053  uword table_size = ~0;
1054  u32 n_buckets = ~0;
1055 
1056  while (unformat_check_input (&sub_input) != UNFORMAT_END_OF_INPUT)
1057  {
1058  if (unformat (&sub_input, "num-buckets %u", &n_buckets))
1059  ;
1060  else
1061  return clib_error_return (0, "unknown input `%U'",
1062  format_unformat_error, &sub_input);
1063  }
1064 
1065  ipsec_tun_table_init (AF_IP6, table_size, n_buckets);
1066  }
1067  else
1068  return clib_error_return (0, "unknown input `%U'",
1069  format_unformat_error, input);
1070  }
1071 
1072  return 0;
1073 }
1074 
1076 
1077 /*
1078  * fd.io coding-style-patch-verification: ON
1079  *
1080  * Local Variables:
1081  * eval: (c-set-style "gnu")
1082  * End:
1083  */
vlib_log_class_t vlib_log_register_class(char *class, char *subclass)
Definition: log.c:338
void adj_nbr_walk_nh(u32 sw_if_index, fib_protocol_t adj_nh_proto, const ip46_address_t *nh, adj_walk_cb_t cb, void *ctx)
Walk adjacencies on a link with a given next-hop.
Definition: adj_nbr.c:663
#define vec_foreach_index(var, v)
Iterate over vector indices.
walk_rc_t(* ipsec_tun_protect_walk_cb_t)(index_t itpi, void *arg)
Definition: ipsec_tun.h:159
static adj_walk_rc_t ipsec_tun_protect_adj_add(adj_index_t ai, void *arg)
Definition: ipsec_tun.c:284
#define pool_foreach_index(i, v)
Definition: pool.h:569
ip46_address_t tunnel_src_addr
Definition: ipsec_sa.h:197
adj_delegate_adj_deleted_t adv_adj_deleted
Definition: adj_delegate.h:96
void ip6_register_protocol(u32 protocol, u32 node_index)
Definition: ip6_forward.c:1668
vnet_main_t * vnet_get_main(void)
Definition: misc.c:46
static vnet_hw_interface_t * vnet_get_sup_hw_interface(vnet_main_t *vnm, u32 sw_if_index)
void ipsec_unregister_udp_port(u16 port)
Definition: ipsec.c:139
#define pool_get_zero(P, E)
Allocate an object E from a pool P and zero it.
Definition: pool.h:254
vl_api_fib_path_nh_t nh
Definition: fib_types.api:126
void ip6_unregister_protocol(u32 protocol)
Definition: ip6_forward.c:1680
static void ipsec_tun_protect_adj_delegate_adj_modified(adj_delegate_t *ad)
Definition: ipsec_tun.c:880
static void ipsec_tun_teib_entry_added(const teib_entry_t *ne)
Definition: ipsec_tun.c:920
vnet_link_t adj_get_link_type(adj_index_t ai)
Return the link type of the adjacency.
Definition: adj.c:506
struct ipsec_tun_protect_db_t_ ipsec_tun_protect_db_t
u32 index
Definition: node.h:280
static void ipsec_tun_protect_add_adj(adj_index_t ai, const ipsec_tun_protect_t *itp)
Definition: ipsec_tun.c:175
IP unicast adjacency.
Definition: adj.h:235
ipsec_integ_alg_t integ_alg
Definition: ipsec_sa.h:214
static void ipsec_tun_protect_update_from_teib(ipsec_tun_protect_t *itp, const teib_entry_t *ne)
Definition: ipsec_tun.c:638
void ipsec_sa_lock(index_t sai)
Definition: ipsec_sa.c:402
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets are they are swit...
Definition: dpo.h:41
#define vec_add1(V, E)
Add 1 element to end of vector (unspecified alignment).
Definition: vec.h:592
void ipsec_tun_protect_walk_itf(u32 sw_if_index, ipsec_tun_protect_walk_cb_t fn, void *ctx)
Definition: ipsec_tun.c:849
static void ipsec_tun_protect_adj_delegate_adj_created(adj_index_t ai)
Definition: ipsec_tun.c:887
#define hash_set_mem(h, key, value)
Definition: hash.h:275
struct ip_adjacency_t_::@161::@163 midchain
IP_LOOKUP_NEXT_MIDCHAIN.
vlib_main_t * vm
Definition: in2out_ed.c:1580
#define FOR_EACH_IPSEC_PROTECT_INPUT_SA(_itp, _sa, body)
Definition: ipsec_tun.h:137
struct _vnet_device_class vnet_device_class_t
void ip4_register_protocol(u32 protocol, u32 node_index)
Definition: ip4_forward.c:1894
static u8 ip46_address_is_ip4(const ip46_address_t *ip46)
Definition: ip46_address.h:55
u32 esp6_encrypt_l2_tun_node_index
Definition: ipsec.h:168
void ipsec_tun_protect_walk(ipsec_tun_protect_walk_cb_t fn, void *ctx)
Definition: ipsec_tun.c:836
format_function_t format_vnet_sw_if_index_name
unsigned char u8
Definition: types.h:56
enum fib_protocol_t_ fib_protocol_t
Protocol Type.
static const ipsec_tun_protect_t * ipsec_tun_protect_from_const_base(const adj_delegate_t *ad)
Definition: ipsec_tun.c:131
const ip_address_t IP_ADDR_ALL_0
Definition: ipsec_tun.c:55
static void ip46_address_reset(ip46_address_t *ip46)
Definition: ip46_address.h:74
static ip_adjacency_t * adj_get(adj_index_t adj_index)
Get a pointer to an adjacency object from its index.
Definition: adj.h:467
u32 vlib_log_class_t
Definition: vlib.h:51
void ipsec_itf_adj_unstack(adj_index_t ai)
Definition: ipsec_itf.c:58
void ipsec_tun_table_init(ip_address_family_t af, uword table_size, u32 n_buckets)
Definition: ipsec_tun.c:976
ip46_address_t src
Definition: ipsec_tun.h:100
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:173
ipsec_main_t ipsec_main
Definition: ipsec.c:28
static vnet_device_class_t * vnet_get_device_class(vnet_main_t *vnm, u32 dev_class_index)
int ipsec_tun_protect_del(u32 sw_if_index, const ip_address_t *nh)
Definition: ipsec_tun.c:804
static void ipsec_tun_protect_unconfig(ipsec_main_t *im, ipsec_tun_protect_t *itp)
Definition: ipsec_tun.c:508
void ipsec_register_udp_port(u16 port)
Definition: ipsec.c:164
teib_entry_added_t nv_added
Definition: teib.h:74
enum adj_walk_rc_t_ adj_walk_rc_t
return codes from a adjacency walker callback function
description fragment has unexpected format
Definition: map.api:433
u8 * format_ipsec_tun_protect(u8 *s, va_list *args)
Definition: ipsec_format.c:376
#define hash_foreach(key_var, value_var, h, body)
Definition: hash.h:442
void adj_nbr_midchain_update_next_node(adj_index_t adj_index, u32 next_node)
Update the VLIB node to which packets are sent post processing.
Definition: adj_midchain.c:473
ipsec_ep_t itp_tun
Definition: ipsec_tun.h:123
Aggregate type for a prefix.
Definition: fib_types.h:202
index_t * ipsec_tun_protect_sa_by_adj_index
Adj index to TX SA mapping.
Definition: ipsec_tun.c:53
static void ipsec4_tunnel_mk_key(ipsec4_tunnel_kv_t *k, const ip4_address_t *ip, u32 spi)
Definition: ipsec_tun.h:62
#define clib_error_return(e, args...)
Definition: error.h:99
static void ipsec_tun_protect_rx_db_add(ipsec_main_t *im, const ipsec_tun_protect_t *itp)
Definition: ipsec_tun.c:216
void adj_unlock(adj_index_t adj_index)
Release a reference counting lock on the adjacency.
Definition: adj.c:347
Adj delegate.
Definition: adj_delegate.h:50
unsigned int u32
Definition: types.h:88
clib_bihash_8_16_t tun4_protect_by_key
Definition: ipsec.h:133
adj_index_t itp_ai
Definition: ipsec_tun.h:121
u32 sa_in[n_sa_in]
Definition: ipsec.api:266
u32 sa_out
Definition: ipsec.api:264
u32 esp4_encrypt_l2_tun_node_index
Definition: ipsec.h:167
#define hash_create_mem(elts, key_bytes, value_bytes)
Definition: hash.h:661
#define ADJ_INDEX_INVALID
Invalid ADJ index - used when no adj is known likewise blazoned capitals INVALID speak volumes where ...
Definition: adj_types.h:36
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:546
#define hash_unset_mem(h, key)
Definition: hash.h:291
int adj_delegate_add(ip_adjacency_t *adj, adj_delegate_type_t adt, index_t adi)
Add a delegate to an adjacency.
Definition: adj_delegate.c:107
static_always_inline void ip46_address_copy(ip46_address_t *dst, const ip46_address_t *src)
Definition: ip46_address.h:123
vlib_node_t * vlib_get_node_by_name(vlib_main_t *vm, u8 *name)
Definition: node.c:45
index_t ipsec_sa_find_and_lock(u32 id)
Definition: ipsec_sa.c:416
ipsec_tun_protect_t * ipsec_tun_protect_pool
Pool of tunnel protection objects.
Definition: ipsec_tun.c:43
void ip_address_from_46(const ip46_address_t *nh, fib_protocol_t fproto, ip_address_t *ip)
Definition: ip_types.c:260
vlib_log_class_t ipsec_tun_protect_logger
The logger.
Definition: ipsec_tun.c:38
ip46_address_t fp_addr
The address type is not deriveable from the fp_addr member.
Definition: fib_types.h:225
u32 teib_entry_get_sw_if_index(const teib_entry_t *te)
accessors for the opaque struct
Definition: teib.c:72
static void ipsec_tun_protect_config(ipsec_main_t *im, ipsec_tun_protect_t *itp, u32 sa_out, u32 *sas_in)
Definition: ipsec_tun.c:477
static u8 ip46_address_is_zero(const ip46_address_t *ip46)
Definition: ip46_address.h:87
long ctx[MAX_CONNS]
Definition: main.c:144
clib_bihash_24_16_t tun6_protect_by_key
Definition: ipsec.h:134
struct _unformat_input_t unformat_input_t
enum adj_delegate_type_t_ adj_delegate_type_t
A Delagate is a means to implement the Delagation design pattern; the extension of an object&#39;s functi...
u32 esp6_no_crypto_tun_node_index
Definition: ipsec.h:164
adj_index_t ad_adj_index
The ADJ entry object to which the delagate is attached.
Definition: adj_delegate.h:55
#define hash_free(h)
Definition: hash.h:310
#define pool_put(P, E)
Free an object E in pool P.
Definition: pool.h:301
static void ipsec_tun_teib_entry_deleted(const teib_entry_t *ne)
Definition: ipsec_tun.c:941
#define VLIB_CONFIG_FUNCTION(x, n,...)
Definition: init.h:182
fib_protocol_t ip_address_to_46(const ip_address_t *addr, ip46_address_t *a)
Definition: ip_types.c:253
void ipsec_tun_register_nodes(ip_address_family_t af)
Definition: ipsec_tun.c:98
static ipsec_sa_t * ipsec_sa_get(u32 sa_index)
Definition: ipsec.h:290
vlib_node_registration_t ipsec6_tun_input_node
(constructor) VLIB_REGISTER_NODE (ipsec6_tun_input_node)
Definition: ipsec_tun_in.c:396
static clib_error_t * ipsec_config(vlib_main_t *vm, unformat_input_t *input)
Definition: ipsec_tun.c:1028
#define IP_ADDRESS_V4_ALL_0S
Definition: ip_types.h:86
ip46_address_t tunnel_dst_addr
Definition: ipsec_sa.h:198
int ipsec_tun_protect_update_one(u32 sw_if_index, const ip_address_t *nh, u32 sa_out, u32 sa_in)
Definition: ipsec_tun.c:533
static adj_delegate_type_t ipsec_tun_adj_delegate_type
Adj delegate registered type.
Definition: ipsec_tun.c:48
index_t itp_in_sas[ITP_MAX_N_SA_IN]
Definition: ipsec_tun.h:114
#define UNFORMAT_END_OF_INPUT
Definition: format.h:144
Definition: teib.c:33
teib_entry_t * teib_entry_find(u32 sw_if_index, const ip_address_t *peer)
Definition: teib.c:114
const ip_address_t * teib_entry_get_peer(const teib_entry_t *te)
Definition: teib.c:90
index_t ad_index
The index passed by the provider to identify its delegate instance.
Definition: adj_delegate.h:66
8 octet key, 8 octet key value pair
Definition: bihash_8_16.h:41
static ipsec_tun_protect_db_t itp_db
Definition: ipsec_tun.c:75
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:380
clib_error_t * ipsec_tunnel_protect_init(vlib_main_t *vm)
Definition: ipsec_tun.c:991
void ipsec_itf_adj_stack(adj_index_t ai, u32 sai)
Definition: ipsec_itf.c:64
u8 * format_ip_address(u8 *s, va_list *args)
Definition: ip_types.c:21
int ipsec_tun_protect_update_out(u32 sw_if_index, const ip_address_t *nh, u32 sa_out)
Definition: ipsec_tun.c:546
#define FOR_EACH_IPSEC_PROTECT_INPUT_SAI(_itp, _sai, body)
Definition: ipsec_tun.h:129
#define ITP_DBG2(_fmt, _args...)
Definition: ipsec_tun.c:89
u32 esp4_encrypt_tun_node_index
Definition: ipsec.h:141
u32 adj_index_t
An index for adjacencies.
Definition: adj_types.h:30
uword * id_hash
A hash table key&#39;d on IP (4 or 6) address.
Definition: ipsec_tun.c:63
u32 esp4_no_crypto_tun_node_index
Definition: ipsec.h:163
void adj_nbr_walk(u32 sw_if_index, fib_protocol_t adj_nh_proto, adj_walk_cb_t cb, void *ctx)
Walk all adjacencies on a link for a given next-hop protocol.
Definition: adj_nbr.c:571
#define ITP_MAX_N_SA_IN
Definition: ipsec_tun.h:104
void ipsec_sa_unlock(index_t sai)
Definition: ipsec_sa.c:388
struct ipsec_tun_protect_itf_db_t_ ipsec_tun_protect_itf_db_t
The DB of all added per-nh tunnel protectiond.
index_t id_itp
If the interface is P2P then there is only one protect object associated with the auto-adj for each N...
Definition: ipsec_tun.c:66
uword unformat_vlib_cli_sub_input(unformat_input_t *i, va_list *args)
Definition: cli.c:163
ip46_address_t dst
Definition: ipsec_tun.h:101
static uword hash_elts(void *v)
Definition: hash.h:118
#define ASSERT(truth)
adj_delegate_type_t adj_delegate_register_new_type(const adj_delegate_vft_t *vft)
adj_delegate_register_new_type
Definition: adj_delegate.c:218
static void ipsec_tun_protect_tx_db_remove(ipsec_tun_protect_t *itp)
Definition: ipsec_tun.c:412
enum vnet_link_t_ vnet_link_t
Link Type: A description of the protocol of packets on the link.
static ipsec_tun_protect_t * ipsec_tun_protect_get(u32 index)
Definition: ipsec_tun.h:185
static void ipsec_tun_protect_adj_delegate_adj_deleted(adj_delegate_t *ad)
Definition: ipsec_tun.c:872
static void ipsec_tun_protect_rx_db_remove(ipsec_main_t *im, const ipsec_tun_protect_t *itp)
Definition: ipsec_tun.c:355
#define IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS
Definition: ipsec_tun.c:32
int ipsec_tun_protect_update_in(u32 sw_if_index, const ip_address_t *nh, u32 sa_in)
Definition: ipsec_tun.c:595
result of a lookup in the protection bihash
Definition: ipsec_tun.h:38
static void clib_mem_free(void *p)
Definition: mem.h:311
static void * clib_mem_alloc(uword size)
Definition: mem.h:253
vlib_node_registration_t ipsec4_tun_input_node
(constructor) VLIB_REGISTER_NODE (ipsec4_tun_input_node)
Definition: ipsec_tun_in.c:373
vl_api_ip4_address_t hi
Definition: arp.api:37
enum ip_address_family_t_ ip_address_family_t
union ip_adjacency_t_::@161 sub_type
typedef key
Definition: ipsec_types.api:86
#define N_AF
Definition: ip_types.h:27
fib_protocol_t ia_nh_proto
The protocol of the neighbor/peer.
Definition: adj.h:350
u8 adj_is_midchain(adj_index_t ai)
Definition: adj_midchain.c:256
vl_api_address_t ip
Definition: l2.api:501
static u32 ipsec_tun_protect_get_adj_next(vnet_link_t linkt, const ipsec_tun_protect_t *itp)
Definition: ipsec_tun.c:139
#define ITP_DBG(_itp, _fmt, _args...)
Definition: ipsec_tun.c:81
ipsec_ep_t itp_crypto
Definition: ipsec_tun.h:118
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
#define IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE
Definition: ipsec_tun.c:33
#define INDEX_INVALID
Invalid index - used when no index is known blazoned capitals INVALID speak volumes where ~0 does not...
Definition: dpo.h:47
static adj_walk_rc_t ipsec_tun_protect_adj_remove(adj_index_t ai, void *arg)
Definition: ipsec_tun.c:398
u64 uword
Definition: types.h:112
ipsec_protect_flags_t itp_flags
Definition: ipsec_tun.h:120
An ADJ delegate virtual function table.
Definition: adj_delegate.h:94
#define FOR_EACH_FIB_IP_PROTOCOL(_item)
Definition: fib_types.h:69
#define hash_get_mem(h, key)
Definition: hash.h:269
The DB of all added per-nh tunnel protectiond.
Definition: ipsec_tun.c:60
u8 * format_unformat_error(u8 *s, va_list *va)
Definition: unformat.c:91
void ip_address_copy(ip_address_t *dst, const ip_address_t *src)
Definition: ip_types.c:133
ipsec_crypto_alg_t crypto_alg
Definition: ipsec_sa.h:213
void adj_nbr_midchain_reset_next_node(adj_index_t adj_index)
Return the adjacency&#39;s next node to its default value.
Definition: adj_midchain.c:499
static u8 * ipsec_tun_protect_adj_delegate_format(const adj_delegate_t *aed, u8 *s)
Definition: ipsec_tun.c:909
static void ipsec_tun_protect_tx_db_add(ipsec_tun_protect_t *itp)
Definition: ipsec_tun.c:298
static void ipsec_tun_protect_set_crypto_addr(ipsec_tun_protect_t *itp)
Definition: ipsec_tun.c:449
#define vec_foreach(var, vec)
Vector iterator.
void ipsec_tun_unregister_nodes(ip_address_family_t af)
Definition: ipsec_tun.c:115
ip_address_t * itp_key
Definition: ipsec_tun.h:125
ipsec_tun_protect_itf_db_t * id_itf
Per-interface vector.
Definition: ipsec_tun.c:72
#define vec_validate_init_empty(V, I, INIT)
Make sure vector is long enough for given index and initialize empty space (no header, unspecified alignment)
Definition: vec.h:556
static u32 ipsec_tun_node_regs[N_AF]
Definition: ipsec_tun.c:95
void teib_register(const teib_vft_t *vft)
Definition: teib.c:408
static index_t ipsec_tun_protect_find(u32 sw_if_index, const ip_address_t *nh)
Definition: ipsec_tun.c:194
void ip4_unregister_protocol(u32 protocolx)
Definition: ip4_forward.c:1906
u32 esp6_encrypt_tun_node_index
Definition: ipsec.h:147
int vnet_sw_interface_is_p2p(vnet_main_t *vnm, u32 sw_if_index)
Definition: interface.c:1271
vl_api_interface_index_t sw_if_index
Definition: wireguard.api:34
uword unformat(unformat_input_t *i, const char *fmt,...)
Definition: unformat.c:978
void adj_delegate_remove(adj_index_t ai, adj_delegate_type_t type)
Remove a delegate from an adjacency.
Definition: adj_delegate.c:65
static uword unformat_check_input(unformat_input_t *i)
Definition: format.h:170
const fib_prefix_t * teib_entry_get_nh(const teib_entry_t *te)
Definition: teib.c:96
int ipsec_tun_protect_update(u32 sw_if_index, const ip_address_t *nh, u32 sa_out, u32 *sas_in)
Definition: ipsec_tun.c:654