ipsec_output.c
1 /*
2  * ipsec_output.c : IPSec output node
3  *
4  * Copyright (c) 2015 Cisco and/or its affiliates.
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 
22 #include <vnet/ipsec/ipsec.h>
23 #include <vnet/ipsec/ipsec_io.h>
24 
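/*
 * Counters exported by the IPsec output nodes.  The list is expanded twice
 * below: once into the ipsec_output_error_t enum and once into the matching
 * string table, so the two always stay in step.
 */
#define foreach_ipsec_output_error                   \
 _(RX_PKTS, "IPSec pkts received")                   \
 _(POLICY_DISCARD, "IPSec policy discard")           \
 _(POLICY_NO_MATCH, "IPSec policy (no match)")       \
 _(POLICY_PROTECT, "IPSec policy protect")           \
 _(POLICY_BYPASS, "IPSec policy bypass")             \
 _(ENCAPS_FAILED, "IPSec encapsulation failed")

typedef enum
{
#define _(sym,str) IPSEC_OUTPUT_ERROR_##sym,
  foreach_ipsec_output_error
#undef _
  /* Number of counters above.  NOTE(review): the "DECAP" in this name does
   * not fit an output node; it is kept as-is here because other code may
   * refer to it. */
  IPSEC_DECAP_N_ERROR,
} ipsec_output_error_t;

/* Human-readable counter names, indexed by ipsec_output_error_t. */
static char *ipsec_output_error_strings[] = {
#define _(sym,string) string,
  foreach_ipsec_output_error
#undef _
};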
46 
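/* Per-packet trace record written by the IPsec output node. */
typedef struct
{
  /* id field of the SPD that was consulted for the packet */
  u32 spd_id;
  /* index of the matched policy in the policy pool; the node stores ~0
   * when no policy matched */
  u32 policy_id;
} ipsec_output_trace_t;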
52 
/*
 * Packet trace format function: renders one ipsec_output_trace_t record.
 *
 * The first two variadic arguments (vlib_main_t *, vlib_node_t *) are
 * consumed to reach the trace record and are otherwise unused.  policy_id
 * is printed with %d, so the ~0 the node stores for "no policy matched"
 * is shown as -1.
 */
static u8 *
format_ipsec_output_trace (u8 * s, va_list * args)
{
  CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
  CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
  ipsec_output_trace_t *trace = va_arg (*args, ipsec_output_trace_t *);

  return format (s, "spd %u policy %d", trace->spd_id, trace->policy_id);
}
65 
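/**
 * Find the first IPv4 outbound policy of an SPD that matches a packet.
 *
 * The rendered listing lost the head of this function and the declaration
 * of `im`; both are restored here.
 *
 * @param spd  SPD to search; NULL yields "no match"
 * @param pr   IP protocol of the packet
 * @param la   local (source) address, host byte order
 * @param ra   remote (destination) address, host byte order
 * @param lp   local (source) port, host byte order
 * @param rp   remote (destination) port, host byte order
 * @return     the matching policy, or 0 when nothing matches
 *
 * Policies are tried in the order they appear in
 * spd->policies[IPSEC_SPD_POLICY_IP4_OUTBOUND] and the first hit wins, so
 * the ordering of that vector decides which action a packet receives.
 * Address and port ranges are inclusive at both ends.
 *
 * NOTE(review): lp/rp are only meaningful for TCP, UDP and SCTP; for any
 * other protocol they are ignored below.  The caller is responsible for
 * making sure the port values really come from a transport header.
 */
always_inline ipsec_policy_t *
ipsec_output_policy_match (ipsec_spd_t * spd, u8 pr, u32 la, u32 ra, u16 lp,
                           u16 rp)
{
  ipsec_main_t *im = &ipsec_main;
  ipsec_policy_t *p;
  u32 *i;

  if (!spd)
    return 0;

  vec_foreach (i, spd->policies[IPSEC_SPD_POLICY_IP4_OUTBOUND])
  {
    p = pool_elt_at_index (im->policies, *i);

    /* protocol 0 in a policy acts as a wildcard */
    if (PREDICT_FALSE (p->protocol && (p->protocol != pr)))
      continue;

    /* policy ranges are stored in network order, the arguments are not */
    if (ra < clib_net_to_host_u32 (p->raddr.start.ip4.as_u32))
      continue;

    if (ra > clib_net_to_host_u32 (p->raddr.stop.ip4.as_u32))
      continue;

    if (la < clib_net_to_host_u32 (p->laddr.start.ip4.as_u32))
      continue;

    if (la > clib_net_to_host_u32 (p->laddr.stop.ip4.as_u32))
      continue;

    /* no ports to compare: protocol and addresses alone decide */
    if (PREDICT_FALSE
        ((pr != IP_PROTOCOL_TCP) && (pr != IP_PROTOCOL_UDP)
         && (pr != IP_PROTOCOL_SCTP)))
      return p;

    if (lp < p->lport.start)
      continue;

    if (lp > p->lport.stop)
      continue;

    if (rp < p->rport.start)
      continue;

    if (rp > p->rport.stop)
      continue;

    return p;
  }
  return 0;
}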
116 
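/**
 * Test whether an IPv6 address lies inside an inclusive range.
 *
 * The rendered listing lost the return-type line of this function; it is
 * restored here.
 *
 * @param a   address to test
 * @param la  lower bound of the range
 * @param ua  upper bound of the range
 * @return    1 when la <= a <= ua, 0 otherwise
 *
 * All 16 bytes are compared with memcmp, i.e. byte by byte from the first
 * byte of the address.
 * NOTE(review): this gives numeric ordering as long as the addresses are
 * held in network byte order, as they are on the wire - confirm for the
 * policy ranges.
 */
always_inline uword
ip6_addr_match_range (ip6_address_t * a, ip6_address_t * la,
                      ip6_address_t * ua)
{
  if ((memcmp (a->as_u64, la->as_u64, 2 * sizeof (u64)) >= 0) &&
      (memcmp (a->as_u64, ua->as_u64, 2 * sizeof (u64)) <= 0))
    return 1;
  return 0;
}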
126 
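/**
 * Find the first IPv6 outbound policy of an SPD that matches a packet.
 *
 * The rendered listing lost the head of this function and the declaration
 * of `im`; both are restored here.
 *
 * @param spd  SPD to search; NULL yields "no match"
 * @param la   local (source) address
 * @param ra   remote (destination) address
 * @param lp   local (source) port, host byte order
 * @param rp   remote (destination) port, host byte order
 * @param pr   protocol value to match against the policy
 * @return     the matching policy, or 0 when nothing matches
 *
 * Policies are tried in the order they appear in
 * spd->policies[IPSEC_SPD_POLICY_IP6_OUTBOUND] and the first hit wins.
 * Address and port ranges are inclusive at both ends.
 *
 * NOTE(review): lp/rp are only compared for TCP, UDP and SCTP.  The caller
 * is responsible for making sure pr and the ports describe the transport
 * header actually carried by the packet.
 */
always_inline ipsec_policy_t *
ipsec6_output_policy_match (ipsec_spd_t * spd,
                            ip6_address_t * la,
                            ip6_address_t * ra, u16 lp, u16 rp, u8 pr)
{
  ipsec_main_t *im = &ipsec_main;
  ipsec_policy_t *p;
  u32 *i;

  if (!spd)
    return 0;

  vec_foreach (i, spd->policies[IPSEC_SPD_POLICY_IP6_OUTBOUND])
  {
    p = pool_elt_at_index (im->policies, *i);

    /* protocol 0 in a policy acts as a wildcard */
    if (PREDICT_FALSE (p->protocol && (p->protocol != pr)))
      continue;

    if (!ip6_addr_match_range (ra, &p->raddr.start.ip6, &p->raddr.stop.ip6))
      continue;

    if (!ip6_addr_match_range (la, &p->laddr.start.ip6, &p->laddr.stop.ip6))
      continue;

    /* no ports to compare: protocol and addresses alone decide */
    if (PREDICT_FALSE
        ((pr != IP_PROTOCOL_TCP) && (pr != IP_PROTOCOL_UDP)
         && (pr != IP_PROTOCOL_SCTP)))
      return p;

    if (lp < p->lport.start)
      continue;

    if (lp > p->lport.stop)
      continue;

    if (rp < p->rport.start)
      continue;

    if (rp > p->rport.stop)
      continue;

    return p;
  }

  return 0;
}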
173 
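/**
 * Shared worker for the ipsec4-output-feature and ipsec6-output-feature
 * nodes.  Each buffer of the incoming frame is classified against the SPD
 * bound to its TX interface and enqueued to the node selected by the
 * matching policy:
 *
 *   PROTECT  -> ESP or AH encrypt node of the right address family
 *   BYPASS   -> next output feature node
 *   other    -> error-drop
 *   no match -> error-drop (unmatched traffic is never forwarded)
 *
 * The rendered listing lost several lines of this function (signature,
 * `im`, `from`, `thread_index`, the counter calls and the trace record
 * declaration); they are restored here.  The disabled `#if 0` debug
 * printouts are left out.
 *
 * @param vm          vlib main of the calling thread
 * @param node        node runtime
 * @param from_frame  frame of buffer indices to process
 * @param is_ipv6     non-zero to parse packets as IPv6, zero for IPv4
 * @return            from_frame->n_vectors
 *
 * NOTE(review): the L4 ports used for the SPD lookup are read from the
 * bytes that directly follow the IP header, with no length check and no
 * fragment check visible in this function.  The matchers ignore the ports
 * for protocols other than TCP/UDP/SCTP, but for a non-first fragment of
 * such a protocol those bytes would be payload, and a policy with a port
 * range could be selected or skipped on that basis.  Confirm how fragments
 * and truncated packets are handled before this node.
 */
static inline uword
ipsec_output_inline (vlib_main_t * vm, vlib_node_runtime_t * node,
                     vlib_frame_t * from_frame, int is_ipv6)
{
  ipsec_main_t *im = &ipsec_main;

  u32 *from, *to_next = 0, thread_index;
  u32 n_left_from, sw_if_index0, last_sw_if_index = (u32) ~ 0;
  u32 next_node_index = (u32) ~ 0, last_next_node_index = (u32) ~ 0;
  vlib_frame_t *f = 0;
  u32 spd_index0 = ~0;
  ipsec_spd_t *spd0 = 0;
  int bogus;
  u64 nc_protect = 0, nc_bypass = 0, nc_discard = 0, nc_nomatch = 0;

  from = vlib_frame_vector_args (from_frame);
  n_left_from = from_frame->n_vectors;
  thread_index = vm->thread_index;

  while (n_left_from > 0)
    {
      u32 bi0, pi0, bi1;
      vlib_buffer_t *b0, *b1;
      ipsec_policy_t *p0;
      ip4_header_t *ip0;
      ip6_header_t *ip6_0 = 0;
      udp_header_t *udp0;
      u32 iph_offset = 0;
      tcp_header_t *tcp0;
      u64 bytes0;

      bi0 = from[0];
      b0 = vlib_get_buffer (vm, bi0);
      if (n_left_from > 1)
        {
          /* warm the cache for the buffer handled in the next iteration */
          bi1 = from[1];
          b1 = vlib_get_buffer (vm, bi1);
          CLIB_PREFETCH (b1, CLIB_CACHE_LINE_BYTES * 2, STORE);
          vlib_prefetch_buffer_data (b1, LOAD);
        }
      sw_if_index0 = vnet_buffer (b0)->sw_if_index[VLIB_TX];
      /* the IP header sits behind the rewrite already applied to b0 */
      iph_offset = vnet_buffer (b0)->ip.save_rewrite_length;
      ip0 = (ip4_header_t *) ((u8 *) vlib_buffer_get_current (b0)
                              + iph_offset);

      /* lookup for SPD only if sw_if_index is changed */
      if (PREDICT_FALSE (last_sw_if_index != sw_if_index0))
        {
          uword *p = hash_get (im->spd_index_by_sw_if_index, sw_if_index0);
          /* NOTE(review): a TX interface without an SPD binding stops the
           * process here rather than dropping the packet; presumably the
           * feature is only enabled on interfaces that have one. */
          ALWAYS_ASSERT (p);
          spd_index0 = p[0];
          spd0 = pool_elt_at_index (im->spds, spd_index0);
          last_sw_if_index = sw_if_index0;
        }

      if (is_ipv6)
        {
          ip6_0 = (ip6_header_t *) ((u8 *) vlib_buffer_get_current (b0)
                                    + iph_offset);

          /* NOTE(review): the protocol passed to the matcher is the fixed
           * header's ip6_0->protocol, and the ports are taken from
           * whatever ip6_next_header() points at; no extension-header
           * walk is visible here. */
          udp0 = ip6_next_header (ip6_0);

          p0 = ipsec6_output_policy_match (spd0,
                                           &ip6_0->src_address,
                                           &ip6_0->dst_address,
                                           clib_net_to_host_u16
                                           (udp0->src_port),
                                           clib_net_to_host_u16
                                           (udp0->dst_port), ip6_0->protocol);
        }
      else
        {
          udp0 = (udp_header_t *) ((u8 *) ip0 + ip4_header_bytes (ip0));

          p0 = ipsec_output_policy_match (spd0, ip0->protocol,
                                          clib_net_to_host_u32
                                          (ip0->src_address.as_u32),
                                          clib_net_to_host_u32
                                          (ip0->dst_address.as_u32),
                                          clib_net_to_host_u16
                                          (udp0->src_port),
                                          clib_net_to_host_u16
                                          (udp0->dst_port));
        }
      /* same L4 start, viewed as TCP for the checksum fix-up below */
      tcp0 = (void *) udp0;

      if (PREDICT_TRUE (p0 != NULL))
        {
          pi0 = p0 - im->policies;

          vlib_prefetch_combined_counter (&ipsec_spd_policy_counters,
                                          thread_index, pi0);

          /* byte count for the policy counter, taken from the IP header */
          if (is_ipv6)
            {
              bytes0 = clib_net_to_host_u16 (ip6_0->payload_length);
              bytes0 += sizeof (ip6_header_t);
            }
          else
            {
              bytes0 = clib_net_to_host_u16 (ip0->length);
            }

          if (p0->policy == IPSEC_POLICY_ACTION_PROTECT)
            {
              ipsec_sa_t *sa = 0;
              nc_protect++;
              /* NOTE(review): the SA is dereferenced without a check;
               * presumably a PROTECT policy always carries a valid
               * sa_index - confirm against the policy add path. */
              sa = ipsec_sa_get (p0->sa_index);
              /* anything that is not ESP is sent to the AH node */
              if (sa->protocol == IPSEC_PROTOCOL_ESP)
                {
                  if (is_ipv6)
                    next_node_index = im->esp6_encrypt_node_index;
                  else
                    next_node_index = im->esp4_encrypt_node_index;
                }
              else if (is_ipv6)
                next_node_index = im->ah6_encrypt_node_index;
              else
                next_node_index = im->ah4_encrypt_node_index;
              vnet_buffer (b0)->ipsec.sad_index = p0->sa_index;

              if (PREDICT_FALSE (b0->flags & VNET_BUFFER_F_OFFLOAD))
                {
                  vnet_buffer_oflags_t oflags = vnet_buffer (b0)->oflags;

                  /*
                   * Clearing offload flags before checksum is computed
                   * It guarantees the cache hit!
                   *
                   * The checksums requested via offload flags are filled
                   * in here, in software, before the packet is handed to
                   * the encrypt node.
                   */
                  vnet_buffer_offload_flags_clear (b0, oflags);

                  if (is_ipv6)
                    {
                      if (PREDICT_FALSE (oflags &
                                         VNET_BUFFER_OFFLOAD_F_TCP_CKSUM))
                        {
                          tcp0->checksum = ip6_tcp_udp_icmp_compute_checksum (
                            vm, b0, ip6_0, &bogus);
                        }
                      if (PREDICT_FALSE (oflags &
                                         VNET_BUFFER_OFFLOAD_F_UDP_CKSUM))
                        {
                          udp0->checksum = ip6_tcp_udp_icmp_compute_checksum (
                            vm, b0, ip6_0, &bogus);
                        }
                    }
                  else
                    {
                      if (PREDICT_FALSE (oflags &
                                         VNET_BUFFER_OFFLOAD_F_IP_CKSUM))
                        {
                          ip0->checksum = ip4_header_checksum (ip0);
                        }
                      if (PREDICT_FALSE (oflags &
                                         VNET_BUFFER_OFFLOAD_F_TCP_CKSUM))
                        {
                          tcp0->checksum =
                            ip4_tcp_udp_compute_checksum (vm, b0, ip0);
                        }
                      if (PREDICT_FALSE (oflags &
                                         VNET_BUFFER_OFFLOAD_F_UDP_CKSUM))
                        {
                          udp0->checksum =
                            ip4_tcp_udp_compute_checksum (vm, b0, ip0);
                        }
                    }
                }
              /* step over the rewrite so current data is the IP header */
              vlib_buffer_advance (b0, iph_offset);
            }
          else if (p0->policy == IPSEC_POLICY_ACTION_BYPASS)
            {
              nc_bypass++;
              next_node_index = get_next_output_feature_node_index (b0, node);
            }
          else
            {
              /* every other action is treated as discard */
              nc_discard++;
              next_node_index = im->error_drop_node_index;
            }
          vlib_increment_combined_counter
            (&ipsec_spd_policy_counters, thread_index, pi0, 1, bytes0);
        }
      else
        {
          /* no policy matched: drop rather than forward */
          pi0 = ~0;
          nc_nomatch++;
          next_node_index = im->error_drop_node_index;
        }

      from += 1;
      n_left_from -= 1;

      if (PREDICT_FALSE ((last_next_node_index != next_node_index) || f == 0))
        {
          /* if this is not 1st frame */
          if (f)
            vlib_put_frame_to_node (vm, last_next_node_index, f);

          last_next_node_index = next_node_index;

          f = vlib_get_frame_to_node (vm, next_node_index);

          /* frame->frame_flags, copy it from node */
          /* Copy trace flag from next_frame and from runtime. */
          f->frame_flags |= node->flags & VLIB_NODE_FLAG_TRACE;

          to_next = vlib_frame_vector_args (f);
        }

      to_next[0] = bi0;
      to_next += 1;
      f->n_vectors++;

      if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE) &&
          PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
        {
          ipsec_output_trace_t *tr =
            vlib_add_trace (vm, node, b0, sizeof (*tr));
          /* always write spd_id so the record never shows leftover bytes
           * when no SPD was looked up */
          tr->spd_id = spd0 ? spd0->id : (u32) ~ 0;
          tr->policy_id = pi0;
        }
    }

  /* f is still NULL if the incoming frame carried no buffers */
  if (f)
    vlib_put_frame_to_node (vm, next_node_index, f);
  vlib_node_increment_counter (vm, node->node_index,
                               IPSEC_OUTPUT_ERROR_POLICY_PROTECT, nc_protect);
  vlib_node_increment_counter (vm, node->node_index,
                               IPSEC_OUTPUT_ERROR_POLICY_BYPASS, nc_bypass);
  vlib_node_increment_counter (vm, node->node_index,
                               IPSEC_OUTPUT_ERROR_POLICY_DISCARD, nc_discard);
  vlib_node_increment_counter (vm, node->node_index,
                               IPSEC_OUTPUT_ERROR_POLICY_NO_MATCH,
                               nc_nomatch);
  return from_frame->n_vectors;
}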
425 
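/*
 * Node function of ipsec4-output-feature: runs the shared worker with
 * is_ipv6 = 0.  The rendered listing lost the VLIB_NODE_FN head of this
 * definition; it is restored here.
 */
VLIB_NODE_FN (ipsec4_output_node) (vlib_main_t * vm,
                                   vlib_node_runtime_t * node,
                                   vlib_frame_t * frame)
{
  return ipsec_output_inline (vm, node, frame, 0);
}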
432 
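/*
 * Registration of the IPv4 output feature node.  The rendered listing lost
 * the VLIB_REGISTER_NODE head, .type, .n_errors and the next-node list
 * expansion; they are restored here.  Error counters and trace formatting
 * are shared with the IPv6 node.
 */
/* *INDENT-OFF* */
VLIB_REGISTER_NODE (ipsec4_output_node) = {
  .name = "ipsec4-output-feature",
  .vector_size = sizeof (u32),
  .format_trace = format_ipsec_output_trace,
  .type = VLIB_NODE_TYPE_INTERNAL,

  .n_errors = ARRAY_LEN(ipsec_output_error_strings),
  .error_strings = ipsec_output_error_strings,

  .n_next_nodes = IPSEC_OUTPUT_N_NEXT,
  .next_nodes = {
#define _(s,n) [IPSEC_OUTPUT_NEXT_##s] = n,
    foreach_ipsec_output_next
#undef _
  },
};
/* *INDENT-ON* */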
451 
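/*
 * Node function of ipsec6-output-feature: runs the shared worker with
 * is_ipv6 = 1.  The rendered listing lost the VLIB_NODE_FN head of this
 * definition; it is restored here.
 */
VLIB_NODE_FN (ipsec6_output_node) (vlib_main_t * vm,
                                   vlib_node_runtime_t * node,
                                   vlib_frame_t * frame)
{
  return ipsec_output_inline (vm, node, frame, 1);
}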
458 
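/*
 * Registration of the IPv6 output feature node.  The rendered listing lost
 * the VLIB_REGISTER_NODE head, .type, .n_errors and the next-node list
 * expansion; they are restored here.  Error counters and trace formatting
 * are shared with the IPv4 node.
 */
VLIB_REGISTER_NODE (ipsec6_output_node) = {
  .name = "ipsec6-output-feature",
  .vector_size = sizeof (u32),
  .format_trace = format_ipsec_output_trace,
  .type = VLIB_NODE_TYPE_INTERNAL,

  .n_errors = ARRAY_LEN(ipsec_output_error_strings),
  .error_strings = ipsec_output_error_strings,

  .n_next_nodes = IPSEC_OUTPUT_N_NEXT,
  .next_nodes = {
#define _(s,n) [IPSEC_OUTPUT_NEXT_##s] = n,
    foreach_ipsec_output_next
#undef _
  },
};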
475 