-#define _(v, s) IPSEC_OUTPUT_NEXT_##v,
-typedef enum
-{
- foreach_ipsec_output_next
-#undef _
- IPSEC_OUTPUT_N_NEXT,
-} ipsec_output_next_t;
-
-
-#define foreach_ipsec_input_next \
-_(DROP, "error-drop") \
-_(ESP_DECRYPT, "esp-decrypt")
-
-#define _(v, s) IPSEC_INPUT_NEXT_##v,
-typedef enum
-{
- foreach_ipsec_input_next
-#undef _
- IPSEC_INPUT_N_NEXT,
-} ipsec_input_next_t;
-
-
-#define foreach_ipsec_policy_action \
- _(0, BYPASS, "bypass") \
- _(1, DISCARD, "discard") \
- _(2, RESOLVE, "resolve") \
- _(3, PROTECT, "protect")
-
-typedef enum
-{
-#define _(v,f,s) IPSEC_POLICY_ACTION_##f = v,
- foreach_ipsec_policy_action
-#undef _
- IPSEC_POLICY_N_ACTION,
-} ipsec_policy_action_t;
-
-#define foreach_ipsec_crypto_alg \
- _(0, NONE, "none") \
- _(1, AES_CBC_128, "aes-cbc-128") \
- _(2, AES_CBC_192, "aes-cbc-192") \
- _(3, AES_CBC_256, "aes-cbc-256") \
- _(4, AES_GCM_128, "aes-gcm-128")
-
-typedef enum
-{
-#define _(v,f,s) IPSEC_CRYPTO_ALG_##f = v,
- foreach_ipsec_crypto_alg
-#undef _
- IPSEC_CRYPTO_N_ALG,
-} ipsec_crypto_alg_t;
-
-#define foreach_ipsec_integ_alg \
- _(0, NONE, "none") \
- _(1, MD5_96, "md5-96") /* RFC2403 */ \
- _(2, SHA1_96, "sha1-96") /* RFC2404 */ \
- _(3, SHA_256_96, "sha-256-96") /* draft-ietf-ipsec-ciph-sha-256-00 */ \
- _(4, SHA_256_128, "sha-256-128") /* RFC4868 */ \
- _(5, SHA_384_192, "sha-384-192") /* RFC4868 */ \
- _(6, SHA_512_256, "sha-512-256") /* RFC4868 */ \
- _(7, AES_GCM_128, "aes-gcm-128") /* RFC4106 */
-
-typedef enum
-{
-#define _(v,f,s) IPSEC_INTEG_ALG_##f = v,
- foreach_ipsec_integ_alg
-#undef _
- IPSEC_INTEG_N_ALG,
-} ipsec_integ_alg_t;
-
-typedef enum
-{
- IPSEC_PROTOCOL_AH = 0,
- IPSEC_PROTOCOL_ESP = 1
-} ipsec_protocol_t;
-
-typedef struct
-{
- u32 id;
- u32 spi;
- ipsec_protocol_t protocol;
-
- ipsec_crypto_alg_t crypto_alg;
- u8 crypto_key_len;
- u8 crypto_key[128];
-
- ipsec_integ_alg_t integ_alg;
- u8 integ_key_len;
- u8 integ_key[128];
-
- u8 use_esn;
- u8 use_anti_replay;
-
- u8 is_tunnel;
- u8 is_tunnel_ip6;
- ip46_address_t tunnel_src_addr;
- ip46_address_t tunnel_dst_addr;
-
- u32 salt;
-
- /* runtime */
- u32 seq;
- u32 seq_hi;
- u32 last_seq;
- u32 last_seq_hi;
- u64 replay_window;
-} ipsec_sa_t;
-
-typedef struct
-{
- ip46_address_t start, stop;
-} ip46_address_range_t;
-
-typedef struct
-{
- u16 start, stop;
-} port_range_t;
-
-typedef struct
-{
- u8 is_add;
- u8 esn;
- u8 anti_replay;
- ip4_address_t local_ip, remote_ip;
- u32 local_spi;
- u32 remote_spi;
- ipsec_crypto_alg_t crypto_alg;
- u8 local_crypto_key_len;
- u8 local_crypto_key[128];
- u8 remote_crypto_key_len;
- u8 remote_crypto_key[128];
- ipsec_integ_alg_t integ_alg;
- u8 local_integ_key_len;
- u8 local_integ_key[128];
- u8 remote_integ_key_len;
- u8 remote_integ_key[128];
-} ipsec_add_del_tunnel_args_t;
-
-typedef struct
-{
- u8 is_add;
- u32 local_sa_id;
- u32 remote_sa_id;
- ip4_address_t local_ip;
- ip4_address_t remote_ip;
-} ipsec_add_del_ipsec_gre_tunnel_args_t;
-
-typedef enum
-{
- IPSEC_IF_SET_KEY_TYPE_NONE,
- IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO,
- IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO,
- IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG,
- IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG,
-} ipsec_if_set_key_type_t;
-
-typedef struct
-{
- u32 id;
- i32 priority;
- u8 is_outbound;
-
- // Selector
- u8 is_ipv6;
- ip46_address_range_t laddr;
- ip46_address_range_t raddr;
- u8 protocol;
- port_range_t lport;
- port_range_t rport;
-
- // Policy
- u8 policy;
- u32 sa_id;
- u32 sa_index;
-
- // Counter
- vlib_counter_t counter;
-} ipsec_policy_t;
-
-typedef struct
-{
- u32 id;
- /* pool of policies */
- ipsec_policy_t *policies;
- /* vectors of policy indices */
- u32 *ipv4_outbound_policies;
- u32 *ipv6_outbound_policies;
- u32 *ipv4_inbound_protect_policy_indices;
- u32 *ipv4_inbound_policy_discard_and_bypass_indices;
- u32 *ipv6_inbound_protect_policy_indices;
- u32 *ipv6_inbound_policy_discard_and_bypass_indices;
-} ipsec_spd_t;