2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
15 #ifndef __IPSEC_SPD_POLICY_H__
16 #define __IPSEC_SPD_POLICY_H__
18 #include <vppinfra/bihash_40_8.h>
19 #include <vppinfra/bihash_16_8.h>
20 #include <vnet/ipsec/ipsec_spd.h>
22 * calculated as max number of flows (2^10) divided by KVP_PER_PAGE (4)
24 #define IPSEC_FP_HASH_LOOKUP_HASH_BUCKETS (1 << 8)
/*
 * "Any protocol" is spelled as IP_PROTOCOL_RESERVED, which is defined
 * outside this header.
 * NOTE(review): presumably a wildcard sentinel for the policy's protocol
 * field - confirm that the matching code never treats a packet that really
 * carries this protocol number as a wildcard hit.
 */
26 #define IPSEC_POLICY_PROTOCOL_ANY IP_PROTOCOL_RESERVED
/*
 * X-macro listing the policy actions as _(value, NAME, "string").
 * The enum expansion that follows in this header uses only the value and
 * NAME (IPSEC_POLICY_ACTION_<NAME> = value); the string is presumably
 * consumed by the format/unformat helpers - confirm in the .c file.
 */
28 #define foreach_ipsec_policy_action \
29 _ (0, BYPASS, "bypass") \
30 _ (1, DISCARD, "discard") \
31 _ (2, RESOLVE, "resolve") \
32 _ (3, PROTECT, "protect")
36 #define _(v, f, s) IPSEC_POLICY_ACTION_##f = v,
37 foreach_ipsec_policy_action
39 } ipsec_policy_action_t;
41 #define IPSEC_POLICY_N_ACTION (IPSEC_POLICY_ACTION_PROTECT + 1)
45 ip46_address_t start, stop;
46 } ip46_address_range_t;
55 * Policy packet & byte counters
57 extern vlib_combined_counter_main_t ipsec_spd_policy_counters;
60 * @brief A Security Policy. An entry in an SPD
62 typedef struct ipsec_policy_t_
68 ipsec_spd_policy_type_t type;
72 ip46_address_range_t laddr;
73 ip46_address_range_t raddr;
79 ipsec_policy_action_t policy;
85 * @brief Add/Delete a policy in an SPD
87 extern int ipsec_add_del_policy (vlib_main_t * vm,
88 ipsec_policy_t * policy,
89 int is_add, u32 * stat_index);
91 extern u8 *format_ipsec_policy (u8 * s, va_list * args);
92 extern u8 *format_ipsec_policy_action (u8 * s, va_list * args);
93 extern uword unformat_ipsec_policy_action (unformat_input_t * input,
97 extern int ipsec_policy_mk_type (bool is_outbound,
99 ipsec_policy_action_t action,
100 ipsec_spd_policy_type_t * type);
102 /* A 5-tuple used to calculate the bihash entry */
115 ip6_address_t ip6_laddr;
116 ip6_address_t ip6_raddr;
125 clib_bihash_kv_40_8_t kv_40_8;
129 u64 padding_for_kv_16_8[3];
130 clib_bihash_kv_16_8_t kv_16_8;
135 * An element describing a particular policy mask,
136 * and a refcount of the policies sharing that mask.
140 /** Required for pool_get_aligned */
141 CLIB_CACHE_LINE_ALIGN_MARK (cacheline0);
142 ipsec_fp_5tuple_t mask;
143 u32 refcount; /* counts how many policies use this mask */
144 } ipsec_fp_mask_type_entry_t;
147 * Bihash lookup value,
148 * contains an unordered vector of policy indices into the policy pool.
155 u32 *fp_policies_ids;
157 } ipsec_fp_lookup_value_t;
159 #endif /* __IPSEC_SPD_POLICY_H__ */
162 * fd.io coding-style-patch-verification: ON
165 * eval: (c-set-style "gnu")