Neale Rannsc87b66c2019-02-07 07:26:12 -08001/*
2 * ipsec_tun.h : IPSEC tunnel protection
3 *
4 * Copyright (c) 2015 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17
18#include <vnet/ipsec/ipsec.h>
19
/**
 * Flags describing a tunnel protection, written as an X-macro list of
 * (name, value, display string) tuples. Each value is a distinct single
 * bit, so several flags can be OR-ed into one ipsec_protect_flags_t.
 */
#define foreach_ipsec_protect_flags \
  _ (L2, 1, "l2")                   \
  _ (ENCAPED, 2, "encapped")        \
  _ (ITF, 4, "itf")                 \
  _ (FEAT, 8, "feat")

/**
 * Enum generated from foreach_ipsec_protect_flags, plus an explicit
 * "no flags" value of 0.
 *
 * NOTE(review): the type is packed and is followed by u8 __pad[3] in
 * ipsec_tun_lkup_result_t, so the layout presumably relies on it being
 * one byte wide. A flag value above 0xff would then change the size of
 * the bihash value - confirm before extending the list.
 */
typedef enum ipsec_protect_flags_t_
{
  IPSEC_PROTECT_NONE = 0,
#define _(a,b,c) IPSEC_PROTECT_##a = b,
  foreach_ipsec_protect_flags
#undef _
} __clib_packed ipsec_protect_flags_t;

/** format() helper for an ipsec_protect_flags_t value */
extern u8 *format_ipsec_tun_protect_flags (u8 * s, va_list * args);
35
/**
 * Result of a lookup in the protection bihash: the value half of an
 * ipsec4_tunnel_kv_t / ipsec6_tunnel_kv_t entry.
 */
typedef struct ipsec_tun_lkup_result_t_
{
  u32 tun_index;
  u32 sa_index;
  u32 sw_if_index;
  ipsec_protect_flags_t flags;
  /* explicit padding after the flags field; the STATIC_ASSERT_SIZEOF
   * checks on the kv types pin the resulting size to the bihash value */
  u8 __pad[3];
} ipsec_tun_lkup_result_t;
Neale Ranns12989b52019-09-26 16:20:19 +000047
/**
 * IPv4 entry of the protection bihash. The struct is overlaid on
 * clib_bihash_kv_8_16_t: an 8 byte key followed by the lookup result.
 */
typedef struct ipsec4_tunnel_kv_t
{
  /*
   * Key fields: remote ip and spi on incoming packet
   * all fields in NET byte order
   */
  u64 key;
  ipsec_tun_lkup_result_t value;
} __clib_packed ipsec4_tunnel_kv_t;

/* Compile-time proof that the overlay on the generic bihash kv type is
 * exact: same total size, and value at the same offset. */
STATIC_ASSERT_SIZEOF (ipsec4_tunnel_kv_t, sizeof (clib_bihash_kv_8_16_t));
STATIC_ASSERT_OFFSET_OF (ipsec4_tunnel_kv_t, value,
			 STRUCT_OFFSET_OF (clib_bihash_kv_8_16_t, value));
Neale Ranns7b4e52f2020-05-24 16:17:50 +000061
/**
 * Build the 64 bit IPv4 lookup key: the address occupies the upper
 * 32 bits and the SPI the lower 32 bits. Only k->key is written;
 * k->value is left as it was.
 *
 * The key is documented as NET byte order, so presumably both ip and
 * spi are passed exactly as read from the packet - confirm at the
 * call sites.
 */
static inline void
ipsec4_tunnel_mk_key (ipsec4_tunnel_kv_t * k,
		      const ip4_address_t * ip, u32 spi)
{
  const u64 addr_bits = (u64) ip->as_u32;

  k->key = (addr_bits << 32) | spi;
}
68
/**
 * Inverse of ipsec4_tunnel_mk_key: split the 64 bit key back into the
 * SPI (lower 32 bits) and the address (upper 32 bits). Both outputs are
 * always written.
 */
static inline void
ipsec4_tunnel_extract_key (const ipsec4_tunnel_kv_t * k,
			   ip4_address_t * ip, u32 * spi)
{
  /* truncation to u32 keeps the low half of the key */
  spi[0] = (u32) k->key;
  ip->as_u32 = k->key >> 32;
}
76
/**
 * IPv6 entry of the protection bihash. The struct is overlaid on
 * clib_bihash_kv_24_16_t: a 24 byte key followed by the lookup result.
 */
typedef struct ipsec6_tunnel_kv_t_
{
  /*
   * Key fields: remote ip and spi on incoming packet
   * all fields in NET byte order
   */
  struct
  {
    ip6_address_t remote_ip;
    u32 spi;
    /* NOTE(review): __pad is part of the key bytes. Presumably it must
     * be zeroed whenever a key is built, otherwise two keys with the
     * same (remote_ip, spi) could fail to match - confirm against the
     * code that fills this struct. */
    u32 __pad;
  } key;
  ipsec_tun_lkup_result_t value;
} __clib_packed ipsec6_tunnel_kv_t;

/* Compile-time proof that the overlay on the generic bihash kv type is
 * exact: same total size, and value at the same offset. */
STATIC_ASSERT_SIZEOF (ipsec6_tunnel_kv_t, sizeof (clib_bihash_kv_24_16_t));
STATIC_ASSERT_OFFSET_OF (ipsec6_tunnel_kv_t, value,
			 STRUCT_OFFSET_OF (clib_bihash_kv_24_16_t, value));
Neale Ranns7b4e52f2020-05-24 16:17:50 +000095
/* format() helpers for the IPv4 and IPv6 protection bihash entries */
extern u8 *format_ipsec4_tunnel_kv (u8 * s, va_list * args);
extern u8 *format_ipsec6_tunnel_kv (u8 * s, va_list * args);
Neale Ranns12989b52019-09-26 16:20:19 +000098
/**
 * A pair of end-point addresses, each able to hold IPv4 or IPv6.
 */
typedef struct ipsec_ep_t_
{
  ip46_address_t src;
  ip46_address_t dst;
} ipsec_ep_t;
104
/** Capacity of the inline inbound-SA array in ipsec_tun_protect_t */
#define ITP_MAX_N_SA_IN 4

/**
 * One tunnel protection: the outbound SA, the inbound SAs and the
 * interface they are bound to.
 */
typedef struct ipsec_tun_protect_t_
{
  CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
  index_t itp_out_sa;

  /* not using a vector since we want the memory inline
   * with this struct */
  /* Number of valid entries in itp_in_sas; the FOR_EACH_IPSEC_PROTECT_*
   * macros iterate up to this count without a further bound.
   * NOTE(review): nothing in this header limits it to ITP_MAX_N_SA_IN.
   * Presumably the code that copies the caller's SA list enforces the
   * limit - confirm. */
  u32 itp_n_sa_in;
  index_t itp_in_sas[ITP_MAX_N_SA_IN];

  u32 itp_sw_if_index;

  ipsec_ep_t itp_crypto;

  ipsec_protect_flags_t itp_flags;
  adj_index_t itp_ai;

  ipsec_ep_t itp_tun;

  ip_address_t *itp_key;

} ipsec_tun_protect_t;
129
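/*
 * Iterate over the inbound SAs of a tunnel protection.
 *
 *  _itp  pointer to the ipsec_tun_protect_t to walk; it is evaluated
 *        more than once, so pass an expression without side effects
 *  _sai  lvalue that receives each SA index (SAI variant), or
 *  _sa   lvalue that receives ipsec_sa_get() of each index (SA variant)
 *  body  statement run once per entry
 *
 * The loop bound is itp_n_sa_in; the macros do not check it against
 * ITP_MAX_N_SA_IN, so that invariant has to hold when the struct is
 * filled.
 *
 * The array access goes through the _itp argument. It previously named
 * a variable 'itp' from the caller's scope, which only worked when the
 * caller's pointer happened to have that name.
 */
#define FOR_EACH_IPSEC_PROTECT_INPUT_SAI(_itp, _sai, body) \
{                                                          \
  u32 __ii;                                                \
  for (__ii = 0; __ii < (_itp)->itp_n_sa_in; __ii++) {     \
    _sai = (_itp)->itp_in_sas[__ii];                       \
    body;                                                  \
  }                                                        \
}
#define FOR_EACH_IPSEC_PROTECT_INPUT_SA(_itp, _sa, body)   \
{                                                          \
  u32 __ii;                                                \
  for (__ii = 0; __ii < (_itp)->itp_n_sa_in; __ii++) {     \
    _sa = ipsec_sa_get((_itp)->itp_in_sas[__ii]);          \
    body;                                                  \
  }                                                        \
}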
146
/*
 * Control-plane API.
 *
 * NOTE(review): sa_ins is presumably a list of inbound SA ids whose
 * length the implementation must check against ITP_MAX_N_SA_IN before
 * copying into itp_in_sas - confirm in the .c file.
 */
extern int ipsec_tun_protect_update (u32 sw_if_index,
				     const ip_address_t * nh,
				     u32 sa_out, u32 * sa_ins);

extern int ipsec_tun_protect_del (u32 sw_if_index, const ip_address_t * nh);

/* Callback invoked with the index of each protection visited by a walk;
 * arg is the opaque pointer handed to the walk function. */
typedef walk_rc_t (*ipsec_tun_protect_walk_cb_t) (index_t itpi, void *arg);
extern void ipsec_tun_protect_walk (ipsec_tun_protect_walk_cb_t fn,
				    void *cttx);
extern void ipsec_tun_protect_walk_itf (u32 sw_if_index,
					ipsec_tun_protect_walk_cb_t fn,
					void *cttx);

/* format() helpers: by object and by index */
extern u8 *format_ipsec_tun_protect (u8 * s, va_list * args);
extern u8 *format_ipsec_tun_protect_index (u8 * s, va_list * args);

/* Node registration, per address family */
extern void ipsec_tun_register_nodes (ip_address_family_t af);
extern void ipsec_tun_unregister_nodes (ip_address_family_t af);
165
Neale Rannsc87b66c2019-02-07 07:26:12 -0800166/*
167 * DP API
168 */
/* Pool holding every tunnel protection object */
extern ipsec_tun_protect_t *ipsec_tun_protect_pool;

/**
 * Return the tunnel protection stored at the given pool index.
 *
 * No validation is done here beyond whatever pool_elt_at_index itself
 * performs, so the caller must pass an index that is currently in use.
 */
always_inline ipsec_tun_protect_t *
ipsec_tun_protect_get (u32 index)
{
  ipsec_tun_protect_t *itp;

  itp = pool_elt_at_index (ipsec_tun_protect_pool, index);

  return (itp);
}
176
/* Vector of outbound SA indices, indexed by adjacency index */
extern index_t *ipsec_tun_protect_sa_by_adj_index;

/**
 * Return the outbound SA index recorded for adjacency ai.
 *
 * Preconditions, checked only by ASSERT: ai is within the vector and
 * the slot does not hold INDEX_INVALID.
 *
 * NOTE(review): if ASSERT is compiled out in release images, as is
 * usual for this macro, an out-of-range ai becomes an unchecked read
 * past the vector. Callers must guarantee the adjacency is protected -
 * confirm at the call sites.
 */
always_inline index_t
ipsec_tun_protect_get_sa_out (adj_index_t ai)
{
  index_t sai;

  ASSERT (ai < vec_len (ipsec_tun_protect_sa_by_adj_index));

  sai = ipsec_tun_protect_sa_by_adj_index[ai];
  ASSERT (sai != INDEX_INVALID);

  return (sai);
}
186
187/*
188 * fd.io coding-style-patch-verification: ON
189 *
190 * Local Variables:
191 * eval: (c-set-style "gnu")
192 * End:
193 */