2 * ipsec_tun.h : IPSEC tunnel protection
4 * Copyright (c) 2015 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/ipsec/ipsec_tun.h>
19 #include <vnet/ipsec/ipsec_itf.h>
20 #include <vnet/ipsec/esp.h>
21 #include <vnet/udp/udp_local.h>
22 #include <vnet/adj/adj_delegate.h>
23 #include <vnet/adj/adj_midchain.h>
24 #include <vnet/teib/teib.h>
25 #include <vnet/mpls/mpls.h>
27 /* instantiate the bihash functions */
28 #include <vppinfra/bihash_8_16.h>
29 #include <vppinfra/bihash_template.c>
30 #include <vppinfra/bihash_24_16.h>
31 #include <vppinfra/bihash_template.c>
33 #define IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS (64 * 1024)
34 #define IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE 512 << 20
39 vlib_log_class_t ipsec_tun_protect_logger;
42 * Pool of tunnel protection objects
44 ipsec_tun_protect_t *ipsec_tun_protect_pool;
47 * Adj delegate registered type
49 static adj_delegate_type_t ipsec_tun_adj_delegate_type;
52 * Adj index to TX SA mapping
54 index_t *ipsec_tun_protect_sa_by_adj_index;
56 const ip_address_t IP_ADDR_ALL_0 = IP_ADDRESS_V4_ALL_0S;
59 * The DB of all added per-nh tunnel protectiond
61 typedef struct ipsec_tun_protect_itf_db_t_
63 /** A hash table key'd on IP (4 or 6) address */
65 /** If the interface is P2P then there is only one protect
66 * object associated with the auto-adj for each NH proto */
68 } ipsec_tun_protect_itf_db_t;
70 typedef struct ipsec_tun_protect_db_t_
72 /** Per-interface vector */
73 ipsec_tun_protect_itf_db_t *id_itf;
74 } ipsec_tun_protect_db_t;
76 static ipsec_tun_protect_db_t itp_db;
78 const static ipsec_tun_protect_itf_db_t IPSEC_TUN_PROTECT_DEFAULT_DB_ENTRY = {
79 .id_itp = INDEX_INVALID,
82 #define ITP_DBG(_itp, _fmt, _args...) \
84 vlib_log_debug(ipsec_tun_protect_logger, \
86 format_ipsec_tun_protect, \
90 #define ITP_DBG2(_fmt, _args...) \
92 vlib_log_debug(ipsec_tun_protect_logger, \
96 static u32 ipsec_tun_node_regs[N_AF];
99 ipsec_tun_register_nodes (ip_address_family_t af)
101 if (0 == ipsec_tun_node_regs[af]++)
104 ip4_register_protocol (IP_PROTOCOL_IPSEC_ESP,
105 ipsec4_tun_input_node.index);
107 ip6_register_protocol (IP_PROTOCOL_IPSEC_ESP,
108 ipsec6_tun_input_node.index);
109 ipsec_register_udp_port (UDP_DST_PORT_ipsec, (AF_IP4 == af));
114 ipsec_tun_unregister_nodes (ip_address_family_t af)
116 ASSERT (0 != ipsec_tun_node_regs[af]);
117 if (0 == --ipsec_tun_node_regs[af])
120 ip4_unregister_protocol (IP_PROTOCOL_IPSEC_ESP);
122 ip6_unregister_protocol (IP_PROTOCOL_IPSEC_ESP);
123 ipsec_unregister_udp_port (UDP_DST_PORT_ipsec, (AF_IP4 == af));
127 static inline const ipsec_tun_protect_t *
128 ipsec_tun_protect_from_const_base (const adj_delegate_t * ad)
132 return (pool_elt_at_index (ipsec_tun_protect_pool, ad->ad_index));
136 ipsec_tun_protect_get_adj_next (vnet_link_t linkt,
137 const ipsec_tun_protect_t *itp)
145 if (!(itp->itp_flags & IPSEC_PROTECT_ITF))
147 if (ip46_address_is_ip4 (&itp->itp_tun.src))
148 linkt = VNET_LINK_IP4;
150 linkt = VNET_LINK_IP6;
156 next = im->esp4_encrypt_tun_node_index;
159 next = im->esp6_encrypt_tun_node_index;
162 next = im->esp_mpls_encrypt_tun_node_index;
166 case VNET_LINK_ETHERNET:
175 ipsec_tun_setup_tx_nodes (u32 sw_if_index, const ipsec_tun_protect_t *itp)
177 vnet_feature_modify_end_node (
178 ip4_main.lookup_main.output_feature_arc_index, sw_if_index,
179 ipsec_tun_protect_get_adj_next (VNET_LINK_IP4, itp));
180 vnet_feature_modify_end_node (
181 ip6_main.lookup_main.output_feature_arc_index, sw_if_index,
182 ipsec_tun_protect_get_adj_next (VNET_LINK_IP6, itp));
183 vnet_feature_modify_end_node (
184 mpls_main.output_feature_arc_index, sw_if_index,
185 ipsec_tun_protect_get_adj_next (VNET_LINK_MPLS, itp));
189 ipsec_tun_protect_add_adj (adj_index_t ai, const ipsec_tun_protect_t * itp)
191 vec_validate_init_empty (ipsec_tun_protect_sa_by_adj_index, ai,
196 ipsec_tun_protect_sa_by_adj_index[ai] = INDEX_INVALID;
197 adj_nbr_midchain_reset_next_node (ai);
201 ipsec_tun_protect_sa_by_adj_index[ai] = itp->itp_out_sa;
202 adj_nbr_midchain_update_next_node (
203 ai, ipsec_tun_protect_get_adj_next (adj_get_link_type (ai), itp));
208 ipsec_tun_protect_find (u32 sw_if_index, const ip_address_t * nh)
210 ipsec_tun_protect_itf_db_t *idi;
213 if (vec_len (itp_db.id_itf) <= sw_if_index)
214 return INDEX_INVALID;
216 if (vnet_sw_interface_is_p2p (vnet_get_main (), sw_if_index))
217 return (itp_db.id_itf[sw_if_index].id_itp);
219 idi = &itp_db.id_itf[sw_if_index];
220 p = hash_get_mem (idi->id_hash, nh);
224 return INDEX_INVALID;
230 ipsec_tun_protect_rx_db_add (ipsec_main_t * im,
231 const ipsec_tun_protect_t * itp)
233 const ipsec_sa_t *sa;
236 if (ip46_address_is_zero (&itp->itp_crypto.dst))
240 FOR_EACH_IPSEC_PROTECT_INPUT_SAI(itp, sai,
242 sa = ipsec_sa_get (sai);
244 ipsec_tun_lkup_result_t res = {
245 .tun_index = itp - ipsec_tun_protect_pool,
247 .flags = itp->itp_flags,
248 .sw_if_index = itp->itp_sw_if_index,
252 * The key is formed from the tunnel's destination
253 * as the packet lookup is done from the packet's source
255 if (ip46_address_is_ip4 (&itp->itp_crypto.dst))
257 ipsec4_tunnel_kv_t key = {
260 clib_bihash_kv_8_16_t *bkey = (clib_bihash_kv_8_16_t*)&key;
262 ipsec4_tunnel_mk_key(&key, &itp->itp_crypto.dst.ip4,
263 clib_host_to_net_u32 (sa->spi));
265 if (!clib_bihash_is_initialised_8_16 (&im->tun4_protect_by_key))
266 clib_bihash_init_8_16 (&im->tun4_protect_by_key,
267 "IPSec IPv4 tunnels",
268 IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS,
269 IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE);
271 clib_bihash_add_del_8_16 (&im->tun4_protect_by_key, bkey, 1);
272 ipsec_tun_register_nodes (AF_IP4);
276 ipsec6_tunnel_kv_t key = {
278 .remote_ip = itp->itp_crypto.dst.ip6,
279 .spi = clib_host_to_net_u32 (sa->spi),
283 clib_bihash_kv_24_16_t *bkey = (clib_bihash_kv_24_16_t*)&key;
285 if (!clib_bihash_is_initialised_24_16 (&im->tun6_protect_by_key))
286 clib_bihash_init_24_16 (&im->tun6_protect_by_key,
287 "IPSec IPv6 tunnels",
288 IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS,
289 IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE);
290 clib_bihash_add_del_24_16 (&im->tun6_protect_by_key, bkey, 1);
291 ipsec_tun_register_nodes (AF_IP6);
298 ipsec_tun_protect_adj_add (adj_index_t ai, void *arg)
300 ipsec_tun_protect_t *itp = arg;
301 adj_delegate_add (adj_get (ai), ipsec_tun_adj_delegate_type,
302 itp - ipsec_tun_protect_pool);
303 ipsec_tun_protect_add_adj (ai, itp);
305 if (itp->itp_flags & IPSEC_PROTECT_ITF)
306 ipsec_itf_adj_stack (ai, itp->itp_out_sa);
308 return (ADJ_WALK_RC_CONTINUE);
312 ipsec_tun_protect_tx_db_add (ipsec_tun_protect_t * itp)
315 * add the delegate to the adj
317 ipsec_tun_protect_itf_db_t *idi;
318 fib_protocol_t nh_proto;
321 vec_validate_init_empty (itp_db.id_itf,
322 itp->itp_sw_if_index,
323 IPSEC_TUN_PROTECT_DEFAULT_DB_ENTRY);
325 idi = &itp_db.id_itf[itp->itp_sw_if_index];
327 if (vnet_sw_interface_is_p2p (vnet_get_main (), itp->itp_sw_if_index))
329 if (INDEX_INVALID == idi->id_itp)
331 ipsec_tun_setup_tx_nodes (itp->itp_sw_if_index, itp);
333 idi->id_itp = itp - ipsec_tun_protect_pool;
335 FOR_EACH_FIB_IP_PROTOCOL (nh_proto)
336 adj_nbr_walk (itp->itp_sw_if_index,
337 nh_proto, ipsec_tun_protect_adj_add, itp);
341 if (NULL == idi->id_hash)
344 hash_create_mem (0, sizeof (ip_address_t), sizeof (uword));
346 * enable the encrypt feature for egress if this is the first addition
349 ipsec_tun_setup_tx_nodes (itp->itp_sw_if_index, itp);
352 hash_set_mem (idi->id_hash, itp->itp_key, itp - ipsec_tun_protect_pool);
355 * walk all the adjs with the same nh on this interface
356 * to associate them with this protection
358 nh_proto = ip_address_to_46 (itp->itp_key, &nh);
360 adj_nbr_walk_nh (itp->itp_sw_if_index,
361 nh_proto, &nh, ipsec_tun_protect_adj_add, itp);
363 ipsec_tun_register_nodes (FIB_PROTOCOL_IP6 == nh_proto ?
369 ipsec_tun_protect_rx_db_remove (ipsec_main_t * im,
370 const ipsec_tun_protect_t * itp)
372 const ipsec_sa_t *sa;
375 FOR_EACH_IPSEC_PROTECT_INPUT_SA(itp, sa,
377 if (ip46_address_is_ip4 (&itp->itp_crypto.dst))
379 ipsec4_tunnel_kv_t key;
380 clib_bihash_kv_8_16_t res, *bkey = (clib_bihash_kv_8_16_t*)&key;
382 ipsec4_tunnel_mk_key(&key, &itp->itp_crypto.dst.ip4,
383 clib_host_to_net_u32 (sa->spi));
385 if (!clib_bihash_search_8_16 (&im->tun4_protect_by_key, bkey, &res))
387 clib_bihash_add_del_8_16 (&im->tun4_protect_by_key, bkey, 0);
388 ipsec_tun_unregister_nodes(AF_IP4);
393 ipsec6_tunnel_kv_t key = {
395 .remote_ip = itp->itp_crypto.dst.ip6,
396 .spi = clib_host_to_net_u32 (sa->spi),
399 clib_bihash_kv_24_16_t res, *bkey = (clib_bihash_kv_24_16_t*)&key;
401 if (!clib_bihash_search_24_16 (&im->tun6_protect_by_key, bkey, &res))
403 clib_bihash_add_del_24_16 (&im->tun6_protect_by_key, bkey, 0);
404 ipsec_tun_unregister_nodes(AF_IP6);
412 ipsec_tun_protect_adj_remove (adj_index_t ai, void *arg)
414 ipsec_tun_protect_t *itp = arg;
416 adj_delegate_remove (ai, ipsec_tun_adj_delegate_type);
417 ipsec_tun_protect_add_adj (ai, NULL);
419 if (itp->itp_flags & IPSEC_PROTECT_ITF)
420 ipsec_itf_adj_unstack (ai);
422 return (ADJ_WALK_RC_CONTINUE);
426 ipsec_tun_protect_tx_db_remove (ipsec_tun_protect_t * itp)
428 ipsec_tun_protect_itf_db_t *idi;
429 fib_protocol_t nh_proto;
432 nh_proto = ip_address_to_46 (itp->itp_key, &nh);
433 idi = &itp_db.id_itf[itp->itp_sw_if_index];
435 if (vnet_sw_interface_is_p2p (vnet_get_main (), itp->itp_sw_if_index))
437 ipsec_itf_reset_tx_nodes (itp->itp_sw_if_index);
438 idi->id_itp = INDEX_INVALID;
440 FOR_EACH_FIB_IP_PROTOCOL (nh_proto)
441 adj_nbr_walk (itp->itp_sw_if_index,
442 nh_proto, ipsec_tun_protect_adj_remove, itp);
446 adj_nbr_walk_nh (itp->itp_sw_if_index,
447 nh_proto, &nh, ipsec_tun_protect_adj_remove, itp);
449 hash_unset_mem (idi->id_hash, itp->itp_key);
451 if (0 == hash_elts (idi->id_hash))
453 ipsec_itf_reset_tx_nodes (itp->itp_sw_if_index);
454 hash_free (idi->id_hash);
457 ipsec_tun_unregister_nodes (FIB_PROTOCOL_IP6 == nh_proto ?
463 ipsec_tun_protect_set_crypto_addr (ipsec_tun_protect_t * itp)
468 FOR_EACH_IPSEC_PROTECT_INPUT_SA(itp, sa,
470 if (ipsec_sa_is_set_IS_TUNNEL (sa))
472 itp->itp_crypto.src = ip_addr_46 (&sa->tunnel.t_dst);
473 itp->itp_crypto.dst = ip_addr_46 (&sa->tunnel.t_src);
474 if (!(itp->itp_flags & IPSEC_PROTECT_ITF))
476 ipsec_sa_set_IS_PROTECT (sa);
477 itp->itp_flags |= IPSEC_PROTECT_ENCAPED;
482 itp->itp_crypto.src = itp->itp_tun.src;
483 itp->itp_crypto.dst = itp->itp_tun.dst;
484 itp->itp_flags &= ~IPSEC_PROTECT_ENCAPED;
491 ipsec_tun_protect_config (ipsec_main_t * im,
492 ipsec_tun_protect_t * itp, u32 sa_out, u32 * sas_in)
497 itp->itp_n_sa_in = vec_len (sas_in);
498 for (ii = 0; ii < itp->itp_n_sa_in; ii++)
499 itp->itp_in_sas[ii] = sas_in[ii];
500 itp->itp_out_sa = sa_out;
502 ipsec_sa_lock (itp->itp_out_sa);
504 if (itp->itp_flags & IPSEC_PROTECT_ITF)
505 ipsec_sa_set_NO_ALGO_NO_DROP (ipsec_sa_get (itp->itp_out_sa));
508 FOR_EACH_IPSEC_PROTECT_INPUT_SAI(itp, sai,
512 ipsec_tun_protect_set_crypto_addr(itp);
516 * add to the DB against each SA
518 ipsec_tun_protect_rx_db_add (im, itp);
519 ipsec_tun_protect_tx_db_add (itp);
521 ITP_DBG (itp, "configured");
525 ipsec_tun_protect_unconfig (ipsec_main_t * im, ipsec_tun_protect_t * itp)
531 FOR_EACH_IPSEC_PROTECT_INPUT_SA(itp, sa,
533 ipsec_sa_unset_IS_PROTECT (sa);
536 ipsec_tun_protect_rx_db_remove (im, itp);
537 ipsec_tun_protect_tx_db_remove (itp);
539 ipsec_sa_unset_NO_ALGO_NO_DROP (ipsec_sa_get (itp->itp_out_sa));
540 ipsec_sa_unlock(itp->itp_out_sa);
542 FOR_EACH_IPSEC_PROTECT_INPUT_SAI(itp, sai,
544 ipsec_sa_unlock(sai);
547 ITP_DBG (itp, "unconfigured");
551 ipsec_tun_protect_update_from_teib (ipsec_tun_protect_t * itp,
552 const teib_entry_t * ne)
556 const fib_prefix_t *pfx;
558 pfx = teib_entry_get_nh (ne);
560 ip46_address_copy (&itp->itp_tun.dst, &pfx->fp_addr);
563 ip46_address_reset (&itp->itp_tun.dst);
567 ipsec_tun_protect_update (u32 sw_if_index,
568 const ip_address_t * nh, u32 sa_out, u32 * sas_in)
570 ipsec_tun_protect_t *itp;
578 ITP_DBG2 ("update: %U/%U",
579 format_vnet_sw_if_index_name, vnet_get_main (), sw_if_index,
580 format_ip_address, nh);
582 if (vec_len (sas_in) > ITP_MAX_N_SA_IN)
584 rv = VNET_API_ERROR_LIMIT_EXCEEDED;
590 itpi = ipsec_tun_protect_find (sw_if_index, nh);
592 vec_foreach_index (ii, sas_in)
594 sas_in[ii] = ipsec_sa_find_and_lock (sas_in[ii]);
595 if (~0 == sas_in[ii])
597 rv = VNET_API_ERROR_INVALID_VALUE;
602 sa_out = ipsec_sa_find_and_lock (sa_out);
606 rv = VNET_API_ERROR_INVALID_VALUE;
610 if (INDEX_INVALID == itpi)
612 vnet_device_class_t *dev_class;
613 vnet_hw_interface_t *hi;
617 vnm = vnet_get_main ();
618 hi = vnet_get_sup_hw_interface (vnm, sw_if_index);
619 dev_class = vnet_get_device_class (vnm, hi->dev_class_index);
621 if (NULL == dev_class->ip_tun_desc)
623 rv = VNET_API_ERROR_INVALID_SW_IF_INDEX;
627 pool_get_zero (ipsec_tun_protect_pool, itp);
629 itp->itp_sw_if_index = sw_if_index;
630 itp->itp_ai = ADJ_INDEX_INVALID;
632 itp->itp_n_sa_in = vec_len (sas_in);
633 for (ii = 0; ii < itp->itp_n_sa_in; ii++)
634 itp->itp_in_sas[ii] = sas_in[ii];
635 itp->itp_out_sa = sa_out;
637 itp->itp_key = clib_mem_alloc (sizeof (*itp->itp_key));
638 ip_address_copy (itp->itp_key, nh);
640 rv = dev_class->ip_tun_desc (sw_if_index,
642 &itp->itp_tun.dst, &is_l2);
647 if (ip46_address_is_zero (&itp->itp_tun.src))
650 * must be one of those pesky ipsec interfaces that has no encap.
651 * the encap then MUST come from the tunnel mode SA.
655 sa = ipsec_sa_get (itp->itp_out_sa);
657 if (!ipsec_sa_is_set_IS_TUNNEL (sa))
659 rv = VNET_API_ERROR_INVALID_DST_ADDRESS;
663 itp->itp_flags |= IPSEC_PROTECT_ITF;
665 else if (ip46_address_is_zero (&itp->itp_tun.dst))
667 /* tunnel has no destination address, presumably because it's p2mp
668 in which case we use the nh that this is protection for */
669 ipsec_tun_protect_update_from_teib
670 (itp, teib_entry_find (sw_if_index, nh));
674 itp->itp_flags |= IPSEC_PROTECT_L2;
677 * add to the tunnel DB for ingress
678 * - if the SA is in trasnport mode, then the packates will arrive
679 * with the IP src,dst of the protected tunnel, in which case we can
680 * simply strip the IP header and hand the payload to the protocol
681 * appropriate input handler
682 * - if the SA is in tunnel mode then there are two IP headers present
683 * one for the crytpo tunnel endpoints (described in the SA) and one
684 * for the tunnel endpoints. The outer IP headers in the srriving
685 * packets will have the crypto endpoints. So the DB needs to contain
686 * the crpto endpoint. Once the crypto header is stripped, revealing,
687 * the tunnel-IP we have 2 choices:
688 * 1) do a tunnel lookup based on the revealed header
689 * 2) skip the tunnel lookup and assume that the packet matches the
690 * one that is protected here.
691 * If we did 1) then we would allow our peer to use the SA for tunnel
692 * X to inject traffic onto tunnel Y, this is not good. If we do 2)
693 * then we don't verify that the peer is indeed using SA for tunnel
694 * X and addressing tunnel X. So we take a compromise, once the SA
695 * matches to tunnel X we veriy that the inner IP matches the value
696 * of the tunnel we are protecting, else it's dropped.
698 ipsec_tun_protect_config (im, itp, sa_out, sas_in);
702 /* updating SAs only */
703 itp = pool_elt_at_index (ipsec_tun_protect_pool, itpi);
705 ipsec_tun_protect_unconfig (im, itp);
706 ipsec_tun_protect_config (im, itp, sa_out, sas_in);
709 ipsec_sa_unlock (sa_out);
710 vec_foreach (saip, sas_in) ipsec_sa_unlock (*saip);
718 ipsec_tun_protect_del (u32 sw_if_index, const ip_address_t * nh)
720 ipsec_tun_protect_t *itp;
724 ITP_DBG2 ("delete: %U/%U",
725 format_vnet_sw_if_index_name, vnet_get_main (), sw_if_index,
726 format_ip_address, nh);
732 itpi = ipsec_tun_protect_find (sw_if_index, nh);
734 if (INDEX_INVALID == itpi)
735 return (VNET_API_ERROR_NO_SUCH_ENTRY);
737 itp = ipsec_tun_protect_get (itpi);
738 ipsec_tun_protect_unconfig (im, itp);
740 if (ADJ_INDEX_INVALID != itp->itp_ai)
741 adj_unlock (itp->itp_ai);
743 clib_mem_free (itp->itp_key);
744 pool_put (ipsec_tun_protect_pool, itp);
750 ipsec_tun_protect_walk (ipsec_tun_protect_walk_cb_t fn, void *ctx)
755 pool_foreach_index (itpi, ipsec_tun_protect_pool)
763 ipsec_tun_protect_walk_itf (u32 sw_if_index,
764 ipsec_tun_protect_walk_cb_t fn, void *ctx)
766 ipsec_tun_protect_itf_db_t *idi;
770 if (vec_len (itp_db.id_itf) <= sw_if_index)
773 idi = &itp_db.id_itf[sw_if_index];
776 hash_foreach(key, itpi, idi->id_hash,
781 if (INDEX_INVALID != idi->id_itp)
782 fn (idi->id_itp, ctx);
786 ipsec_tun_feature_update (u32 sw_if_index, u8 arc_index, u8 is_enable,
789 ipsec_tun_protect_t *itp;
792 if (arc_index != feature_main.device_input_feature_arc_index)
795 /* Only p2p tunnels supported */
796 itpi = ipsec_tun_protect_find (sw_if_index, &IP_ADDR_ALL_0);
797 if (itpi == INDEX_INVALID)
800 itp = ipsec_tun_protect_get (itpi);
804 u32 decrypt_tun = ip46_address_is_ip4 (&itp->itp_crypto.dst) ?
805 ipsec_main.esp4_decrypt_tun_node_index :
806 ipsec_main.esp6_decrypt_tun_node_index;
808 if (!(itp->itp_flags & IPSEC_PROTECT_FEAT))
810 itp->itp_flags |= IPSEC_PROTECT_FEAT;
811 vnet_feature_modify_end_node (
812 feature_main.device_input_feature_arc_index, sw_if_index,
818 if (itp->itp_flags & IPSEC_PROTECT_FEAT)
820 itp->itp_flags &= ~IPSEC_PROTECT_FEAT;
823 vlib_get_node_by_name (vlib_get_main (), (u8 *) "ethernet-input")
826 vnet_feature_modify_end_node (
827 feature_main.device_input_feature_arc_index, sw_if_index, eth_in);
831 /* Propagate flag change into lookup entries */
832 ipsec_tun_protect_rx_db_remove (&ipsec_main, itp);
833 ipsec_tun_protect_rx_db_add (&ipsec_main, itp);
837 ipsec_tun_protect_adj_delegate_adj_deleted (adj_delegate_t * ad)
839 /* remove our delegate */
840 ipsec_tun_protect_add_adj (ad->ad_adj_index, NULL);
841 adj_delegate_remove (ad->ad_adj_index, ipsec_tun_adj_delegate_type);
845 ipsec_tun_protect_adj_delegate_adj_modified (adj_delegate_t * ad)
847 ipsec_tun_protect_add_adj (ad->ad_adj_index,
848 ipsec_tun_protect_get (ad->ad_index));
852 ipsec_tun_protect_adj_delegate_adj_created (adj_index_t ai)
854 /* add our delegate if there is protection for this neighbour */
855 ip_address_t ip = IP_ADDRESS_V4_ALL_0S;
859 if (!adj_is_midchain (ai))
862 vec_validate_init_empty (ipsec_tun_protect_sa_by_adj_index, ai,
867 ip_address_from_46 (&adj->sub_type.midchain.next_hop,
868 adj->ia_nh_proto, &ip);
870 itpi = ipsec_tun_protect_find (adj->rewrite_header.sw_if_index, &ip);
872 if (INDEX_INVALID != itpi)
873 ipsec_tun_protect_adj_add (ai, ipsec_tun_protect_get (itpi));
877 ipsec_tun_protect_adj_delegate_format (const adj_delegate_t * aed, u8 * s)
879 const ipsec_tun_protect_t *itp;
881 itp = ipsec_tun_protect_from_const_base (aed);
882 s = format (s, "ipsec-tun-protect:\n%U", format_ipsec_tun_protect, itp);
888 ipsec_tun_teib_entry_added (const teib_entry_t * ne)
890 ipsec_tun_protect_t *itp;
893 itpi = ipsec_tun_protect_find (teib_entry_get_sw_if_index (ne),
894 teib_entry_get_peer (ne));
896 if (INDEX_INVALID == itpi)
899 itp = ipsec_tun_protect_get (itpi);
900 ipsec_tun_protect_rx_db_remove (&ipsec_main, itp);
901 ipsec_tun_protect_update_from_teib (itp, ne);
902 ipsec_tun_protect_set_crypto_addr (itp);
903 ipsec_tun_protect_rx_db_add (&ipsec_main, itp);
905 ITP_DBG (itp, "teib-added");
909 ipsec_tun_teib_entry_deleted (const teib_entry_t * ne)
911 ipsec_tun_protect_t *itp;
914 itpi = ipsec_tun_protect_find (teib_entry_get_sw_if_index (ne),
915 teib_entry_get_peer (ne));
917 if (INDEX_INVALID == itpi)
920 itp = ipsec_tun_protect_get (itpi);
921 ipsec_tun_protect_rx_db_remove (&ipsec_main, itp);
922 ipsec_tun_protect_update_from_teib (itp, NULL);
923 ipsec_tun_protect_set_crypto_addr (itp);
925 ITP_DBG (itp, "teib-removed");
929 * VFT registered with the adjacency delegate
931 const static adj_delegate_vft_t ipsec_tun_adj_delegate_vft = {
932 .adv_adj_deleted = ipsec_tun_protect_adj_delegate_adj_deleted,
933 .adv_adj_created = ipsec_tun_protect_adj_delegate_adj_created,
934 .adv_adj_modified = ipsec_tun_protect_adj_delegate_adj_modified,
935 .adv_format = ipsec_tun_protect_adj_delegate_format,
938 const static teib_vft_t ipsec_tun_teib_vft = {
939 .nv_added = ipsec_tun_teib_entry_added,
940 .nv_deleted = ipsec_tun_teib_entry_deleted,
944 ipsec_tun_table_init (ip_address_family_t af, uword table_size, u32 n_buckets)
951 clib_bihash_init_8_16 (&im->tun4_protect_by_key,
952 "IPSec IPv4 tunnels", n_buckets, table_size);
954 clib_bihash_init_24_16 (&im->tun6_protect_by_key,
955 "IPSec IPv6 tunnels", n_buckets, table_size);
958 static clib_error_t *
959 ipsec_tunnel_protect_init (vlib_main_t *vm)
964 clib_bihash_init_24_16 (&im->tun6_protect_by_key,
965 "IPSec IPv6 tunnels",
966 IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS,
967 IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE);
968 clib_bihash_init_8_16 (&im->tun4_protect_by_key,
969 "IPSec IPv4 tunnels",
970 IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS,
971 IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE);
973 ipsec_tun_adj_delegate_type =
974 adj_delegate_register_new_type (&ipsec_tun_adj_delegate_vft);
976 ipsec_tun_protect_logger = vlib_log_register_class ("ipsec", "tun");
978 teib_register (&ipsec_tun_teib_vft);
980 vnet_feature_register (ipsec_tun_feature_update, NULL);
985 VLIB_INIT_FUNCTION (ipsec_tunnel_protect_init);
988 * fd.io coding-style-patch-verification: ON
991 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob