FD.io VPP  v21.06-3-gbb25fbf28
Vector Packet Processing
ipsec_spd_policy.c
Go to the documentation of this file.
1 /*
2  * Copyright (c) 2015 Cisco and/or its affiliates.
3  * Licensed under the Apache License, Version 2.0 (the "License");
4  * you may not use this file except in compliance with the License.
5  * You may obtain a copy of the License at:
6  *
7  * http://www.apache.org/licenses/LICENSE-2.0
8  *
9  * Unless required by applicable law or agreed to in writing, software
10  * distributed under the License is distributed on an "AS IS" BASIS,
11  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12  * See the License for the specific language governing permissions and
13  * limitations under the License.
14  */
15 
16 #include <vnet/ipsec/ipsec.h>
17 
18 /**
19  * @brief
20  * Policy packet & bytes counters
21  */
23  .name = "policy",
24  .stat_segment_name = "/net/ipsec/policy",
25 };
26 
27 static int
29 {
30  if (p1->priority != p2->priority)
31  return 0;
32  if (p1->type != p2->type)
33  return (0);
34  if (p1->policy != p2->policy)
35  return (0);
36  if (p1->sa_id != p2->sa_id)
37  return (0);
38  if (p1->protocol != p2->protocol)
39  return (0);
40  if (p1->lport.start != p2->lport.start)
41  return (0);
42  if (p1->lport.stop != p2->lport.stop)
43  return (0);
44  if (p1->rport.start != p2->rport.start)
45  return (0);
46  if (p1->rport.stop != p2->rport.stop)
47  return (0);
48  if (p1->is_ipv6 != p2->is_ipv6)
49  return (0);
50  if (p2->is_ipv6)
51  {
52  if (p1->laddr.start.ip6.as_u64[0] != p2->laddr.start.ip6.as_u64[0])
53  return (0);
54  if (p1->laddr.start.ip6.as_u64[1] != p2->laddr.start.ip6.as_u64[1])
55  return (0);
56  if (p1->laddr.stop.ip6.as_u64[0] != p2->laddr.stop.ip6.as_u64[0])
57  return (0);
58  if (p1->laddr.stop.ip6.as_u64[1] != p2->laddr.stop.ip6.as_u64[1])
59  return (0);
60  if (p1->raddr.start.ip6.as_u64[0] != p2->raddr.start.ip6.as_u64[0])
61  return (0);
62  if (p1->raddr.start.ip6.as_u64[1] != p2->raddr.start.ip6.as_u64[1])
63  return (0);
64  if (p1->raddr.stop.ip6.as_u64[0] != p2->raddr.stop.ip6.as_u64[0])
65  return (0);
66  if (p1->laddr.stop.ip6.as_u64[1] != p2->laddr.stop.ip6.as_u64[1])
67  return (0);
68  }
69  else
70  {
71  if (p1->laddr.start.ip4.as_u32 != p2->laddr.start.ip4.as_u32)
72  return (0);
73  if (p1->laddr.stop.ip4.as_u32 != p2->laddr.stop.ip4.as_u32)
74  return (0);
75  if (p1->raddr.start.ip4.as_u32 != p2->raddr.start.ip4.as_u32)
76  return (0);
77  if (p1->raddr.stop.ip4.as_u32 != p2->raddr.stop.ip4.as_u32)
78  return (0);
79  }
80  return (1);
81 }
82 
83 static int
84 ipsec_spd_entry_sort (void *a1, void *a2)
85 {
87  u32 *id1 = a1;
88  u32 *id2 = a2;
89  ipsec_policy_t *p1, *p2;
90 
91  p1 = pool_elt_at_index (im->policies, *id1);
92  p2 = pool_elt_at_index (im->policies, *id2);
93  if (p1 && p2)
94  return p2->priority - p1->priority;
95 
96  return 0;
97 }
98 
99 int
101  bool is_ipv6,
104 {
105  if (is_outbound)
106  {
107  *type = (is_ipv6 ?
108  IPSEC_SPD_POLICY_IP6_OUTBOUND : IPSEC_SPD_POLICY_IP4_OUTBOUND);
109  return (0);
110  }
111  else
112  {
113  switch (action)
114  {
115  case IPSEC_POLICY_ACTION_PROTECT:
116  *type = (is_ipv6 ?
117  IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT :
118  IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT);
119  return (0);
120  case IPSEC_POLICY_ACTION_BYPASS:
121  *type = (is_ipv6 ?
122  IPSEC_SPD_POLICY_IP6_INBOUND_BYPASS :
123  IPSEC_SPD_POLICY_IP4_INBOUND_BYPASS);
124  return (0);
125  case IPSEC_POLICY_ACTION_DISCARD:
126  *type = (is_ipv6 ?
127  IPSEC_SPD_POLICY_IP6_INBOUND_DISCARD :
128  IPSEC_SPD_POLICY_IP4_INBOUND_DISCARD);
129  return (0);
130  case IPSEC_POLICY_ACTION_RESOLVE:
131  break;
132  }
133  }
134 
135  /* Unsupported type */
136  return (-1);
137 }
138 
139 int
141  ipsec_policy_t * policy, int is_add, u32 * stat_index)
142 {
144  ipsec_spd_t *spd = 0;
145  ipsec_policy_t *vp;
146  u32 spd_index;
147  uword *p;
148 
149  p = hash_get (im->spd_index_by_spd_id, policy->id);
150 
151  if (!p)
152  return VNET_API_ERROR_SYSCALL_ERROR_1;
153 
154  spd_index = p[0];
155  spd = pool_elt_at_index (im->spds, spd_index);
156  if (!spd)
157  return VNET_API_ERROR_SYSCALL_ERROR_1;
158 
159  if (is_add)
160  {
161  u32 policy_index;
162 
163  if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
164  {
165  index_t sa_index = ipsec_sa_find_and_lock (policy->sa_id);
166 
167  if (INDEX_INVALID == sa_index)
168  return VNET_API_ERROR_SYSCALL_ERROR_1;
169  policy->sa_index = sa_index;
170  }
171  else
172  policy->sa_index = INDEX_INVALID;
173 
174  pool_get (im->policies, vp);
175  clib_memcpy (vp, policy, sizeof (*vp));
176  policy_index = vp - im->policies;
177 
179  policy_index);
181 
182  vec_add1 (spd->policies[policy->type], policy_index);
185  *stat_index = policy_index;
186  }
187  else
188  {
189  u32 ii;
190 
191  vec_foreach_index (ii, (spd->policies[policy->type]))
192  {
193  vp = pool_elt_at_index (im->policies,
194  spd->policies[policy->type][ii]);
195  if (ipsec_policy_is_equal (vp, policy))
196  {
197  vec_del1 (spd->policies[policy->type], ii);
199  pool_put (im->policies, vp);
200  break;
201  }
202  }
203  }
204 
205  return 0;
206 }
207 
208 /*
209  * fd.io coding-style-patch-verification: ON
210  *
211  * Local Variables:
212  * eval: (c-set-style "gnu")
213  * End:
214  */
ipsec.h
im
vnet_interface_main_t * im
Definition: interface_output.c:395
is_ipv6
bool is_ipv6
Definition: dhcp.api:202
ipsec_policy_t_::priority
i32 priority
Definition: ipsec_spd_policy.h:57
clib_memcpy
#define clib_memcpy(d, s, n)
Definition: string.h:197
port_range_t::stop
u16 stop
Definition: ipsec_spd_policy.h:42
ipsec_policy_t_::raddr
ip46_address_range_t raddr
Definition: ipsec_spd_policy.h:65
policy
vl_api_ipsec_spd_action_t policy
Definition: ipsec.api:99
pool_elt_at_index
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:553
ipsec_policy_is_equal
static int ipsec_policy_is_equal(ipsec_policy_t *p1, ipsec_policy_t *p2)
Definition: ipsec_spd_policy.c:28
ipsec_spd_entry_sort
static int ipsec_spd_entry_sort(void *a1, void *a2)
Definition: ipsec_spd_policy.c:84
vlib_validate_combined_counter
void vlib_validate_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
validate a combined counter
Definition: counter.c:119
pool_put
#define pool_put(P, E)
Free an object E in pool P.
Definition: pool.h:305
ipsec_sa_find_and_lock
index_t ipsec_sa_find_and_lock(u32 id)
Definition: ipsec_sa.c:383
vm
vlib_main_t * vm
X-connect all packets from the HOST to the PHY.
Definition: nat44_ei.c:3047
vlib_combined_counter_main_t::name
char * name
The counter collection's name.
Definition: counter.h:206
ipsec_policy_action_t
ipsec_policy_action_t
Definition: ipsec_spd_policy.h:26
ipsec_policy_t_::is_ipv6
u8 is_ipv6
Definition: ipsec_spd_policy.h:63
is_outbound
bool is_outbound
Definition: ipsec.api:96
vec_add1
#define vec_add1(V, E)
Add 1 element to end of vector (unspecified alignment).
Definition: vec.h:606
ipsec_policy_mk_type
int ipsec_policy_mk_type(bool is_outbound, bool is_ipv6, ipsec_policy_action_t action, ipsec_spd_policy_type_t *type)
Definition: ipsec_spd_policy.c:100
ip46_address_range_t::stop
ip46_address_t stop
Definition: ipsec_spd_policy.h:37
ipsec_main_t
Definition: ipsec.h:108
index_t
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets are they are swit...
Definition: dpo.h:43
vec_foreach_index
#define vec_foreach_index(var, v)
Iterate over vector indices.
Definition: vec_bootstrap.h:220
uword
u64 uword
Definition: types.h:112
vlib_zero_combined_counter
static void vlib_zero_combined_counter(vlib_combined_counter_main_t *cm, u32 index)
Clear a combined counter Clears the set of per-thread counters.
Definition: counter.h:298
hash_get
#define hash_get(h, key)
Definition: hash.h:249
ipsec_main
ipsec_main_t ipsec_main
Definition: ipsec.c:28
ipsec_sa_unlock
void ipsec_sa_unlock(index_t sai)
Definition: ipsec_sa.c:357
pool_get
#define pool_get(P, E)
Allocate an object E from a pool P (unspecified alignment).
Definition: pool.h:255
ipsec_policy_t_::sa_id
u32 sa_id
Definition: ipsec_spd_policy.h:72
ip46_address_range_t::start
ip46_address_t start
Definition: ipsec_spd_policy.h:37
ipsec_policy_t_::rport
port_range_t rport
Definition: ipsec_spd_policy.h:68
ipsec_spd_policy_counters
vlib_combined_counter_main_t ipsec_spd_policy_counters
Policy packet & bytes counters.
Definition: ipsec_spd_policy.c:22
vlib_combined_counter_main_t
A collection of combined counters.
Definition: counter.h:203
u32
unsigned int u32
Definition: types.h:88
ipsec_policy_t_
A Secruity Policy.
Definition: ipsec_spd_policy.h:54
ipsec_add_del_policy
int ipsec_add_del_policy(vlib_main_t *vm, ipsec_policy_t *policy, int is_add, u32 *stat_index)
Add/Delete a SPD.
Definition: ipsec_spd_policy.c:140
ipsec_spd_t
A Secruity Policy Database.
Definition: ipsec_spd.h:46
port_range_t::start
u16 start
Definition: ipsec_spd_policy.h:42
ipsec_policy_t_::lport
port_range_t lport
Definition: ipsec_spd_policy.h:67
vec_sort_with_function
#define vec_sort_with_function(vec, f)
Sort a vector using the supplied element comparison function.
Definition: vec.h:1097
ipsec_policy_t_::type
ipsec_spd_policy_type_t type
Definition: ipsec_spd_policy.h:60
vlib_main_t
Definition: main.h:102
ipsec_policy_t_::laddr
ip46_address_range_t laddr
Definition: ipsec_spd_policy.h:64
ipsec_spd_t::policies
u32 * policies[IPSEC_SPD_POLICY_N_TYPES]
vectors for each of the policy types
Definition: ipsec_spd.h:51
ipsec_spd_policy_type_t
enum ipsec_spd_policy_t_ ipsec_spd_policy_type_t
ipsec_policy_t_::policy
ipsec_policy_action_t policy
Definition: ipsec_spd_policy.h:71
INDEX_INVALID
#define INDEX_INVALID
Invalid index - used when no index is known blazoned capitals INVALID speak volumes where ~0 does not...
Definition: dpo.h:49
action
vl_api_mac_event_action_t action
Definition: l2.api:211
ipsec_policy_t_::sa_index
u32 sa_index
Definition: ipsec_spd_policy.h:73
type
vl_api_fib_path_type_t type
Definition: fib_types.api:123
vec_del1
#define vec_del1(v, i)
Delete the element at index I.
Definition: vec.h:896
ipsec_policy_t_::protocol
u8 protocol
Definition: ipsec_spd_policy.h:66