1 /*
2  * decap.c : IPSec tunnel decapsulation
3  *
4  * Copyright (c) 2015 Cisco and/or its affiliates.
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/feature/feature.h>
22 
23 #include <vnet/ipsec/ipsec.h>
24 #include <vnet/ipsec/esp.h>
25 #include <vnet/ipsec/ah.h>
26 #include <vnet/ipsec/ipsec_io.h>
27 
/* X-macro listing the per-node error/statistics counters as
 * _(SYMBOL, "description").  It is expanded below, once into the
 * ipsec_input_error_t enum (IPSEC_INPUT_ERROR_<SYMBOL>) and once into
 * ipsec_input_error_strings[], so the two stay in the same order. */
#define foreach_ipsec_input_error \
_(RX_PKTS, "IPSec pkts received") \
_(RX_POLICY_MATCH, "IPSec policy match") \
_(RX_POLICY_NO_MATCH, "IPSec policy not matched") \
_(RX_POLICY_BYPASS, "IPSec policy bypass") \
_(RX_POLICY_DISCARD, "IPSec policy discard")
34 
/* Error-counter indices of the ipsec4/ipsec6 input nodes, generated from
 * foreach_ipsec_input_error; IPSEC_INPUT_N_ERROR is the entry count. */
typedef enum
{
#define _(sym, str) IPSEC_INPUT_ERROR_##sym,
  foreach_ipsec_input_error
#undef _
    IPSEC_INPUT_N_ERROR,
} ipsec_input_error_t;
42 
/* Human-readable counter names, in ipsec_input_error_t order; handed to
 * the node registrations as .error_strings. */
static char *ipsec_input_error_strings[] = {
#define _(sym, string) string,
  foreach_ipsec_input_error
#undef _
};
48 
/* Per-packet trace record written by both input nodes and rendered by
 * format_ipsec_input_trace. */
typedef struct
{
  ip_protocol_t proto;		/* IP protocol of the packet (ESP/AH/UDP/...) */
  u32 spd;			/* user id of the SPD that was consulted */
  u32 policy_index;		/* index of the matched policy, ~0 if none */
  u32 sa_id;			/* user id of the matched policy's SA, ~0 if none */
  u32 spi;			/* SPI from the ESP/AH header (host order) */
  u32 seq;			/* sequence number from the ESP/AH header */
} ipsec_input_trace_t;
58 
59 /* packet trace format function */
/* Trace formatter for ipsec_input_trace_t: prints the IP protocol, the
 * SA id, SPD id and policy index recorded by the node, and the SPI (decimal
 * and hex) and sequence number taken from the ESP/AH header.  The vm and
 * node arguments of the vlib trace-format contract are consumed but unused. */
static u8 *
format_ipsec_input_trace (u8 * s, va_list * args)
{
  CLIB_UNUSED (vlib_main_t * vm) = va_arg (*args, vlib_main_t *);
  CLIB_UNUSED (vlib_node_t * node) = va_arg (*args, vlib_node_t *);
  ipsec_input_trace_t *tr = va_arg (*args, ipsec_input_trace_t *);

  return format (s, "%U: sa_id %u spd %u policy %d spi %u (0x%08x) seq %u",
		 format_ip_protocol, tr->proto, tr->sa_id, tr->spd,
		 tr->policy_index, tr->spi, tr->spi, tr->seq);
}
73 
/* Linear scan of spd->policies[policy_type] (the callers in this file pass
 * the IPv4 inbound BYPASS and DISCARD types) for the first policy whose
 * local address range covers the packet's destination and whose remote
 * range covers its source.  sa and da are host-order IPv4 addresses; the
 * policy ranges are stored in network order and converted per policy.
 * Returns the matching policy or NULL.  The first match in vector order
 * wins, so policy ordering in the SPD decides between overlapping ranges. */
always_inline ipsec_policy_t *
ipsec_input_policy_match (ipsec_spd_t * spd, u32 sa, u32 da,
			  ipsec_spd_policy_type_t policy_type)
{
  ipsec_main_t *im = &ipsec_main;
  u32 *pi;

  vec_foreach (pi, spd->policies[policy_type])
  {
    ipsec_policy_t *p = pool_elt_at_index (im->policies, *pi);
    u32 local_lo = clib_net_to_host_u32 (p->laddr.start.ip4.as_u32);
    u32 local_hi = clib_net_to_host_u32 (p->laddr.stop.ip4.as_u32);
    u32 remote_lo = clib_net_to_host_u32 (p->raddr.start.ip4.as_u32);
    u32 remote_hi = clib_net_to_host_u32 (p->raddr.stop.ip4.as_u32);

    /* inbound direction: destination is "local", source is "remote" */
    if (da >= local_lo && da <= local_hi
	&& sa >= remote_lo && sa <= remote_hi)
      return p;
  }
  return 0;
}
102 
/* Find the IPv4 inbound PROTECT policy for an ESP/AH packet.
 *
 * A policy is a candidate only if the SPI of its SA equals the packet's
 * SPI.  For a tunnel-mode SA the packet's source and destination must then
 * equal the SA's tunnel endpoints exactly; for any other SA the policy's
 * local (destination) and remote (source) address ranges are used instead.
 * sa, da and spi are host order.  Returns the first matching policy in
 * vector order, or NULL. */
always_inline ipsec_policy_t *
ipsec_input_protect_policy_match (ipsec_spd_t * spd, u32 sa, u32 da,
				  u32 spi)
{
  ipsec_main_t *im = &ipsec_main;
  u32 *pi;

  vec_foreach (pi, spd->policies[IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT])
  {
    ipsec_policy_t *p = pool_elt_at_index (im->policies, *pi);
    ipsec_sa_t *sa0 = ipsec_sa_get (p->sa_index);

    /* the SPI selects the SA before any address is looked at */
    if (sa0->spi != spi)
      continue;

    if (ipsec_sa_is_set_IS_TUNNEL (sa0))
      {
	/* tunnel SA: both outer endpoints must match exactly */
	u32 t_src = clib_net_to_host_u32 (sa0->tunnel.t_src.ip.ip4.as_u32);
	u32 t_dst = clib_net_to_host_u32 (sa0->tunnel.t_dst.ip.ip4.as_u32);

	if (da == t_dst && sa == t_src)
	  return p;
	continue;
      }

    /* non-tunnel SA: fall back to the policy's address ranges */
    if (da >= clib_net_to_host_u32 (p->laddr.start.ip4.as_u32)
	&& da <= clib_net_to_host_u32 (p->laddr.stop.ip4.as_u32)
	&& sa >= clib_net_to_host_u32 (p->raddr.start.ip4.as_u32)
	&& sa <= clib_net_to_host_u32 (p->raddr.stop.ip4.as_u32))
      return p;
  }
  return 0;
}
146 
/* Inclusive range test: 1 when la <= a <= ua, else 0.  The comparison is a
 * byte-wise memcmp over the 16 address bytes, which for addresses kept in
 * network byte order is the same ordering as an unsigned 128-bit compare. */
always_inline uword
ip6_addr_match_range (ip6_address_t * a, ip6_address_t * la,
		      ip6_address_t * ua)
{
  const uword n_bytes = 2 * sizeof (u64);

  return (memcmp (a->as_u64, la->as_u64, n_bytes) >= 0)
    && (memcmp (a->as_u64, ua->as_u64, n_bytes) <= 0);
}
156 
/* IPv6 counterpart of ipsec_input_protect_policy_match: scans the IPv6
 * inbound PROTECT policies for one whose SA carries the packet's SPI and
 * whose addressing matches -- exact tunnel endpoints for a tunnel SA,
 * the policy's remote (source) and local (destination) ranges otherwise.
 * spi is host order.  Returns the first match in vector order, or NULL. */
always_inline ipsec_policy_t *
ipsec6_input_protect_policy_match (ipsec_spd_t * spd,
				   ip6_address_t * sa,
				   ip6_address_t * da, u32 spi)
{
  ipsec_main_t *im = &ipsec_main;
  u32 *pi;

  vec_foreach (pi, spd->policies[IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT])
  {
    ipsec_policy_t *p = pool_elt_at_index (im->policies, *pi);
    ipsec_sa_t *sa0 = ipsec_sa_get (p->sa_index);

    if (sa0->spi != spi)
      continue;

    if (ipsec_sa_is_set_IS_TUNNEL (sa0))
      {
	/* tunnel SA: both outer endpoints must match exactly */
	if (ip6_address_is_equal (sa, &sa0->tunnel.t_src.ip.ip6)
	    && ip6_address_is_equal (da, &sa0->tunnel.t_dst.ip.ip6))
	  return p;
	continue;
      }

    /* non-tunnel SA: policy address ranges decide */
    if (ip6_addr_match_range (sa, &p->raddr.start.ip6, &p->raddr.stop.ip6)
	&& ip6_addr_match_range (da, &p->laddr.start.ip6,
				 &p->laddr.stop.ip6))
      return p;
  }
  return 0;
}
196 
198 
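/* ipsec4-input-feature: inbound SPD lookup for IPv4.
 *
 * For every buffer of the frame, ESP packets (and, because no UDP port is
 * checked, every UDP packet, taken to be UDP-encapsulated ESP) and AH
 * packets are matched against the SPD named by the feature config, in the
 * order PROTECT -> BYPASS -> DISCARD:
 *   - PROTECT match: the SA index is stored in the buffer and the packet is
 *     sent to esp4/ah4 decrypt (ESP: after advancing the buffer to the ESP
 *     header; AH: buffer left at the IP header).
 *   - BYPASS match: the packet keeps the next index the feature arc gave it.
 *   - DISCARD match: the packet goes to IPSEC_INPUT_NEXT_DROP.
 *   - no match, or any other IP protocol: the packet keeps the feature-arc
 *     next index, i.e. continues up the arc unmodified.
 * The PROTECT lookup is only attempted when the whole ESP/AH header lies
 * inside the buffer; a truncated header therefore never reads the SPI and
 * falls through to the BYPASS/DISCARD lookups.
 *
 * Updates the per-policy packet/byte counters and the node's error
 * counters.  Returns frame->n_vectors.
 */
extern vlib_node_registration_t ipsec4_input_node;

VLIB_NODE_FN (ipsec4_input_node) (vlib_main_t * vm,
				  vlib_node_runtime_t * node,
				  vlib_frame_t * frame)
{
  u32 n_left_from, *from, thread_index;
  ipsec_main_t *im = &ipsec_main;
  u64 ipsec_unprocessed = 0, ipsec_matched = 0;
  u64 ipsec_dropped = 0, ipsec_bypassed = 0;
  vlib_buffer_t *bufs[VLIB_FRAME_SIZE];
  vlib_buffer_t **b = bufs;
  u16 nexts[VLIB_FRAME_SIZE], *next;

  from = vlib_frame_vector_args (frame);
  n_left_from = frame->n_vectors;
  next = nexts;
  vlib_get_buffers (vm, from, bufs, n_left_from);
  thread_index = vm->thread_index;

  while (n_left_from > 0)
    {
      u32 next32, pi0 = ~0;
      ip4_header_t *ip0;
      esp_header_t *esp0 = NULL;
      ah_header_t *ah0 = NULL;
      ip4_ipsec_config_t *c0;
      ipsec_spd_t *spd0;
      ipsec_policy_t *p0 = NULL;
      u8 has_space0 = 0;
      /* SPI / sequence number of the IPsec header in host order; stay ~0
       * unless the header was verified to be inside the buffer */
      u32 spi0 = ~0, seq0 = ~0;
      u32 decrypt_next0 = 0;

      if (n_left_from > 2)
	{
	  vlib_prefetch_buffer_data (b[1], LOAD);
	}

      b[0]->flags |= VNET_BUFFER_F_IS_IP4;
      b[0]->flags &= ~VNET_BUFFER_F_IS_IP6;
      c0 = vnet_feature_next_with_data (&next32, b[0], sizeof (c0[0]));
      next[0] = (u16) next32;

      spd0 = pool_elt_at_index (im->spds, c0->spd_index);

      ip0 = vlib_buffer_get_current (b[0]);

      if (PREDICT_TRUE (ip0->protocol == IP_PROTOCOL_IPSEC_ESP
			|| ip0->protocol == IP_PROTOCOL_UDP))
	{
	  esp0 = (esp_header_t *) ((u8 *) ip0 + ip4_header_bytes (ip0));
	  if (PREDICT_FALSE (ip0->protocol == IP_PROTOCOL_UDP))
	    {
	      /* FIXME Skip, if not a UDP encapsulated packet.  No UDP port
	       * is checked here, so every UDP packet that reaches this node
	       * is treated as NAT-T encapsulated ESP and goes through the
	       * PROTECT SPI lookup below. */
	      esp0 = (esp_header_t *) ((u8 *) esp0 + sizeof (udp_header_t));
	    }

	  /* make sure the whole ESP header is inside the buffer before any
	   * of its fields is read */
	  has_space0 = vlib_buffer_has_space (b[0],
					      (clib_address_t) (esp0 + 1) -
					      (clib_address_t) ip0);
	  if (has_space0)
	    {
	      spi0 = clib_net_to_host_u32 (esp0->spi);
	      seq0 = clib_net_to_host_u32 (esp0->seq);
	    }
	  decrypt_next0 = im->esp4_decrypt_next_index;
	}
      else if (ip0->protocol == IP_PROTOCOL_IPSEC_AH)
	{
	  ah0 = (ah_header_t *) ((u8 *) ip0 + ip4_header_bytes (ip0));
	  has_space0 = vlib_buffer_has_space (b[0],
					      (clib_address_t) (ah0 + 1) -
					      (clib_address_t) ip0);
	  if (has_space0)
	    {
	      spi0 = clib_net_to_host_u32 (ah0->spi);
	      seq0 = clib_net_to_host_u32 (ah0->seq_no);
	    }
	  decrypt_next0 = im->ah4_decrypt_next_index;
	}
      else
	{
	  /* not an IPsec packet: no policy lookup, no trace record */
	  ipsec_unprocessed += 1;
	  goto next0;
	}

      /* 1. PROTECT -- only when the SPI could actually be read */
      if (has_space0)
	p0 = ipsec_input_protect_policy_match (spd0,
					       clib_net_to_host_u32
					       (ip0->src_address.as_u32),
					       clib_net_to_host_u32
					       (ip0->dst_address.as_u32),
					       spi0);
      if (p0 != NULL)
	{
	  ipsec_matched += 1;

	  pi0 = p0 - im->policies;
	  vlib_increment_combined_counter (&ipsec_spd_policy_counters,
					   thread_index, pi0, 1,
					   clib_net_to_host_u16 (ip0->length));

	  vnet_buffer (b[0])->ipsec.sad_index = p0->sa_index;
	  next[0] = decrypt_next0;
	  /* esp4-decrypt expects the buffer to start at the ESP header;
	   * ah4-decrypt is handed the buffer still at the IP header */
	  if (esp0)
	    vlib_buffer_advance (b[0], ((u8 *) esp0 - (u8 *) ip0));
	  goto trace0;
	}

      /* 2. BYPASS -- next[0] stays as the feature arc set it */
      p0 = ipsec_input_policy_match (spd0,
				     clib_net_to_host_u32
				     (ip0->src_address.as_u32),
				     clib_net_to_host_u32
				     (ip0->dst_address.as_u32),
				     IPSEC_SPD_POLICY_IP4_INBOUND_BYPASS);
      if (PREDICT_TRUE (p0 != NULL))
	{
	  ipsec_bypassed += 1;

	  pi0 = p0 - im->policies;
	  vlib_increment_combined_counter (&ipsec_spd_policy_counters,
					   thread_index, pi0, 1,
					   clib_net_to_host_u16 (ip0->length));
	  goto trace0;
	}

      /* 3. DISCARD */
      p0 = ipsec_input_policy_match (spd0,
				     clib_net_to_host_u32
				     (ip0->src_address.as_u32),
				     clib_net_to_host_u32
				     (ip0->dst_address.as_u32),
				     IPSEC_SPD_POLICY_IP4_INBOUND_DISCARD);
      if (PREDICT_TRUE (p0 != NULL))
	{
	  ipsec_dropped += 1;

	  pi0 = p0 - im->policies;
	  vlib_increment_combined_counter (&ipsec_spd_policy_counters,
					   thread_index, pi0, 1,
					   clib_net_to_host_u16 (ip0->length));

	  next[0] = IPSEC_INPUT_NEXT_DROP;
	  goto trace0;
	}
      /* no policy matched: p0 == NULL, pi0 == ~0, next[0] unchanged */

    trace0:
      if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE) &&
	  PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED))
	{
	  ipsec_input_trace_t *tr =
	    vlib_add_trace (vm, node, b[0], sizeof (*tr));

	  tr->proto = ip0->protocol;
	  tr->sa_id = p0 ? p0->sa_id : ~0;
	  tr->spi = spi0;
	  tr->seq = seq0;
	  tr->spd = spd0->id;
	  tr->policy_index = pi0;
	}

    next0:
      n_left_from -= 1;
      b += 1;
      next += 1;
    }

  vlib_buffer_enqueue_to_next (vm, node, from, (u16 *) nexts,
			       frame->n_vectors);

  vlib_node_increment_counter (vm, ipsec4_input_node.index,
			       IPSEC_INPUT_ERROR_RX_PKTS, frame->n_vectors);

  vlib_node_increment_counter (vm, ipsec4_input_node.index,
			       IPSEC_INPUT_ERROR_RX_POLICY_MATCH,
			       ipsec_matched);

  vlib_node_increment_counter (vm, ipsec4_input_node.index,
			       IPSEC_INPUT_ERROR_RX_POLICY_NO_MATCH,
			       ipsec_unprocessed);

  vlib_node_increment_counter (vm, ipsec4_input_node.index,
			       IPSEC_INPUT_ERROR_RX_POLICY_DISCARD,
			       ipsec_dropped);

  vlib_node_increment_counter (vm, ipsec4_input_node.index,
			       IPSEC_INPUT_ERROR_RX_POLICY_BYPASS,
			       ipsec_bypassed);

  return frame->n_vectors;
}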
477 
478 
/* *INDENT-OFF* */
/* Registration of the IPv4 node: next nodes are generated from
 * foreach_ipsec_input_next (ipsec_io.h), error strings from the X-macro
 * at the top of this file. */
VLIB_REGISTER_NODE (ipsec4_input_node) = {
  .name = "ipsec4-input-feature",
  .type = VLIB_NODE_TYPE_INTERNAL,
  .vector_size = sizeof (u32),
  .format_trace = format_ipsec_input_trace,
  .n_errors = ARRAY_LEN (ipsec_input_error_strings),
  .error_strings = ipsec_input_error_strings,
  .n_next_nodes = IPSEC_INPUT_N_NEXT,
  .next_nodes = {
#define _(s, n) [IPSEC_INPUT_NEXT_##s] = n,
    foreach_ipsec_input_next
#undef _
  },
};
/* *INDENT-ON* */
495 
497 
498 
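/* ipsec6-input-feature: inbound SPD lookup for IPv6.
 *
 * Only PROTECT policies are consulted (no BYPASS/DISCARD lookup, unlike the
 * IPv4 node), and only for ESP and AH packets: a match stores the SA index
 * in the buffer and sends the packet to esp6/ah6 decrypt (ESP: after
 * advancing the buffer past the fixed IPv6 header).  Everything else --
 * other protocols and ESP/AH packets matching no policy -- keeps the
 * feature-arc next index.  The IPsec header is taken at a fixed
 * sizeof (ip6_header_t) offset, i.e. IPv6 extension headers are not
 * walked.
 *
 * NOTE(review): unlike the IPv4 node there is no vlib_buffer_has_space
 * check before esp0->spi / ah0->spi are read, so a packet shorter than the
 * IPsec header is still looked up and handed to the decrypt node; that
 * behaviour is left unchanged here.  The RX_PKTS counter here excludes
 * non-IPsec packets, whereas the IPv4 node counts every packet.
 *
 * Returns from_frame->n_vectors.
 */
extern vlib_node_registration_t ipsec6_input_node;

VLIB_NODE_FN (ipsec6_input_node) (vlib_main_t * vm,
				  vlib_node_runtime_t * node,
				  vlib_frame_t * from_frame)
{
  u32 n_left_from, *from, next_index, *to_next, thread_index;
  ipsec_main_t *im = &ipsec_main;
  u32 ipsec_unprocessed = 0;
  u32 ipsec_matched = 0;

  from = vlib_frame_vector_args (from_frame);
  n_left_from = from_frame->n_vectors;
  thread_index = vm->thread_index;

  next_index = node->cached_next_index;

  while (n_left_from > 0)
    {
      u32 n_left_to_next;

      vlib_get_next_frame (vm, node, next_index, to_next, n_left_to_next);

      while (n_left_from > 0 && n_left_to_next > 0)
	{
	  u32 bi0, next0, pi0 = ~0;
	  vlib_buffer_t *b0;
	  ip6_header_t *ip0;
	  esp_header_t *esp0;
	  ah_header_t *ah0;
	  ip4_ipsec_config_t *c0;
	  ipsec_spd_t *spd0;
	  ipsec_policy_t *p0 = 0;
	  /* trace values; remain ~0 unless an ESP/AH header was parsed */
	  u32 spi0 = ~0, seq0 = ~0;
	  u32 header_size = sizeof (ip0[0]);
	  /* bytes charged to the policy counters: IPv6 payload plus the
	   * fixed header */
	  u32 n_bytes0;

	  bi0 = to_next[0] = from[0];
	  from += 1;
	  n_left_from -= 1;
	  to_next += 1;
	  n_left_to_next -= 1;

	  b0 = vlib_get_buffer (vm, bi0);
	  b0->flags |= VNET_BUFFER_F_IS_IP6;
	  b0->flags &= ~VNET_BUFFER_F_IS_IP4;
	  c0 = vnet_feature_next_with_data (&next0, b0, sizeof (c0[0]));

	  spd0 = pool_elt_at_index (im->spds, c0->spd_index);

	  ip0 = vlib_buffer_get_current (b0);
	  esp0 = (esp_header_t *) ((u8 *) ip0 + header_size);
	  ah0 = (ah_header_t *) ((u8 *) ip0 + header_size);
	  n_bytes0 = clib_net_to_host_u16 (ip0->payload_length) + header_size;

	  if (PREDICT_TRUE (ip0->protocol == IP_PROTOCOL_IPSEC_ESP))
	    {
	      spi0 = clib_net_to_host_u32 (esp0->spi);
	      seq0 = clib_net_to_host_u32 (esp0->seq);
	      p0 = ipsec6_input_protect_policy_match (spd0,
						      &ip0->src_address,
						      &ip0->dst_address,
						      spi0);

	      if (PREDICT_TRUE (p0 != 0))
		{
		  ipsec_matched += 1;

		  pi0 = p0 - im->policies;
		  vlib_increment_combined_counter (&ipsec_spd_policy_counters,
						   thread_index, pi0, 1,
						   n_bytes0);

		  vnet_buffer (b0)->ipsec.sad_index = p0->sa_index;
		  next0 = im->esp6_decrypt_next_index;
		  /* esp6-decrypt expects the buffer to start at the ESP
		   * header */
		  vlib_buffer_advance (b0, header_size);
		}
	    }
	  else if (ip0->protocol == IP_PROTOCOL_IPSEC_AH)
	    {
	      /* AH keeps its SPI/sequence at different offsets than ESP, so
	       * the trace must read them through ah0, not esp0 */
	      spi0 = clib_net_to_host_u32 (ah0->spi);
	      seq0 = clib_net_to_host_u32 (ah0->seq_no);
	      p0 = ipsec6_input_protect_policy_match (spd0,
						      &ip0->src_address,
						      &ip0->dst_address,
						      spi0);

	      if (PREDICT_TRUE (p0 != 0))
		{
		  ipsec_matched += 1;

		  pi0 = p0 - im->policies;
		  vlib_increment_combined_counter (&ipsec_spd_policy_counters,
						   thread_index, pi0, 1,
						   n_bytes0);

		  vnet_buffer (b0)->ipsec.sad_index = p0->sa_index;
		  next0 = im->ah6_decrypt_next_index;
		}
	    }
	  else
	    {
	      /* not an IPsec packet: no header is read, trace shows ~0 */
	      ipsec_unprocessed += 1;
	    }

	  if (PREDICT_FALSE (node->flags & VLIB_NODE_FLAG_TRACE) &&
	      PREDICT_FALSE (b0->flags & VLIB_BUFFER_IS_TRACED))
	    {
	      ipsec_input_trace_t *tr =
		vlib_add_trace (vm, node, b0, sizeof (*tr));

	      /* every field is set so the formatter never prints stale
	       * trace memory */
	      tr->proto = ip0->protocol;
	      tr->sa_id = p0 ? p0->sa_id : ~0;
	      tr->spi = spi0;
	      tr->seq = seq0;
	      tr->spd = spd0->id;
	      tr->policy_index = pi0;
	    }

	  vlib_validate_buffer_enqueue_x1 (vm, node, next_index, to_next,
					   n_left_to_next, bi0, next0);
	}
      vlib_put_next_frame (vm, node, next_index, n_left_to_next);
    }

  vlib_node_increment_counter (vm, ipsec6_input_node.index,
			       IPSEC_INPUT_ERROR_RX_PKTS,
			       from_frame->n_vectors - ipsec_unprocessed);

  vlib_node_increment_counter (vm, ipsec6_input_node.index,
			       IPSEC_INPUT_ERROR_RX_POLICY_MATCH,
			       ipsec_matched);

  return from_frame->n_vectors;
}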
649 
650 
/* *INDENT-OFF* */
/* Registration of the IPv6 node; shares the trace formatter, error strings
 * and next-node table (foreach_ipsec_input_next) with the IPv4 node. */
VLIB_REGISTER_NODE (ipsec6_input_node) = {
  .name = "ipsec6-input-feature",
  .type = VLIB_NODE_TYPE_INTERNAL,
  .vector_size = sizeof (u32),
  .format_trace = format_ipsec_input_trace,
  .n_errors = ARRAY_LEN (ipsec_input_error_strings),
  .error_strings = ipsec_input_error_strings,
  .n_next_nodes = IPSEC_INPUT_N_NEXT,
  .next_nodes = {
#define _(s, n) [IPSEC_INPUT_NEXT_##s] = n,
    foreach_ipsec_input_next
#undef _
  },
};
/* *INDENT-ON* */
667 
668 /*
669  * fd.io coding-style-patch-verification: ON
670  *
671  * Local Variables:
672  * eval: (c-set-style "gnu")
673  * End:
674  */