typedef struct
{
- u64 key[2];
+ u64 key[2]; // 16 bytes
u64 value;
i32 bucket_lock;
u32 un_used;
ipsec4_hash_kv_16_8_t kv_16_8;
} ipsec4_spd_5tuple_t;
+typedef union
+{
+ struct
+ {
+ ip4_address_t ip4_src_addr;
+ ip4_address_t ip4_dest_addr;
+ ipsec_spd_policy_type_t policy_type;
+ u8 pad[4];
+ }; // 16 bytes total
+ ipsec4_hash_kv_16_8_t kv_16_8;
+} ipsec4_inbound_spd_tuple_t;
+
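Review bot: The `// 16 bytes total` comment on the anonymous struct in `ipsec4_inbound_spd_tuple_t` is an unchecked assumption: it holds only if `ipsec_spd_policy_type_t` occupies four bytes, and that type's definition is not in this hunk. The struct overlays `kv_16_8`, presumably its 16-byte key, so a size mismatch or a `pad` left uninitialised would put indeterminate bytes into the lookup key and make otherwise identical tuples compare unequal. I would add a compile-time check next to the union, using the project's static-assert macro or `_Static_assert (offsetof (ipsec4_inbound_spd_tuple_t, pad) + 4 == 16, "inbound SPD tuple must fill the 16-byte key");`. A comment on `pad` should also say it must be zeroed before the tuple is hashed.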
typedef struct
{
u8 *name;
/* pool of policies */
ipsec_policy_t *policies;
+ u32 ipv4_fp_spd_is_enabled;
+ u32 ipv6_fp_spd_is_enabled;
+
+ ipsec_fp_mask_type_entry_t *fp_mask_types;
+ u32 fp_lookup_hash_buckets; /* number of buckets should be power of two */
+
/* hash tables of UDP port registrations */
uword *udp_port_registrations;
uword *tunnel_index_by_key;
+ /* next_header protocol registration */
+ u16 *next_header_registrations;
+
/* convenience */
vlib_main_t *vlib_main;
vnet_main_t *vnet_main;
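Review bot: `fp_lookup_hash_buckets` carries the comment "number of buckets should be power of two", but the field is a plain `u32` and nothing visible here enforces that. If the lookup path reduces a hash with `buckets - 1` (not shown in this hunk), a value that is not a power of two would silently leave some buckets unreachable. The comment should therefore say where the value is validated or rounded, e.g. `/* must be a power of two; checked in PLACEHOLDER_CONFIG_HANDLER */`. `next_header_registrations` also needs a comment giving its length and the value that marks an unregistered protocol, since it is presumably indexed by an 8-bit next-header value taken from the packet. The enclosing struct is only partly visible in this hunk.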
uword *ipsec_if_by_sw_if_index;
ipsec4_hash_kv_16_8_t *ipsec4_out_spd_hash_tbl;
+ ipsec4_hash_kv_16_8_t *ipsec4_in_spd_hash_tbl;
clib_bihash_8_16_t tun4_protect_by_key;
clib_bihash_24_16_t tun6_protect_by_key;
u32 ah6_encrypt_next_index;
u32 ah6_decrypt_next_index;
- /* tun nodes to drop packets when no crypto alg set on outbound SA */
- u32 esp4_no_crypto_tun_node_index;
- u32 esp6_no_crypto_tun_node_index;
-
- /* tun nodes for encrypt on L2 interfaces */
- u32 esp4_encrypt_l2_tun_node_index;
- u32 esp6_encrypt_l2_tun_node_index;
-
/* pool of ah backends */
ipsec_ah_backend_t *ah_backends;
/* pool of esp backends */
u32 ipsec4_out_spd_hash_num_buckets;
u32 ipsec4_out_spd_flow_cache_entries;
u32 epoch_count;
+ u8 output_flow_cache_flag;
+
+ u32 ipsec4_in_spd_hash_num_buckets;
+ u32 ipsec4_in_spd_flow_cache_entries;
+ u32 input_epoch_count;
+ u8 input_flow_cache_flag;
+
u8 async_mode;
u16 msg_id_base;
- u8 flow_cache_flag;
} ipsec_main_t;
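Review bot: The new inbound flow-cache fields (`ipsec4_in_spd_hash_num_buckets`, `ipsec4_in_spd_flow_cache_entries`, `input_epoch_count`, `input_flow_cache_flag`) are added without comments, and the naming is now asymmetric. The outbound flag became `output_flow_cache_flag`, while its counter is still the bare `epoch_count`. If these counters are what invalidates cached policy decisions after an SPD change (the code that bumps them is not in this hunk), confusing the two directions would leave stale entries in force. I would comment each group, e.g. `/* outbound flow cache: epoch_count is the outbound epoch */`, or rename the counter to `output_epoch_count` if no external user depends on the old name.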
typedef enum ipsec_format_flags_t_
extern void ipsec_register_udp_port (u16 udp_port);
extern void ipsec_unregister_udp_port (u16 udp_port);
+extern clib_error_t *ipsec_register_next_header (vlib_main_t *vm,
+ u8 next_header,
+ const char *next_node);
+
#endif /* __IPSEC_H__ */
/*
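Review bot: `ipsec_register_next_header` is declared without a comment, and unlike the two `void` UDP-port functions above it returns a `clib_error_t *`. Callers therefore need to know which conditions produce an error and who releases it. A short header comment should state this, adjusted to the actual behaviour, for example `/* Register next_node (a graph node name) as handler for next_header; returns NULL on success, otherwise an error the caller must report and free */`. It should also say what happens when `next_header` is already registered or `next_node` does not name an existing node. No matching unregister function is declared in this hunk, which deserves a sentence if registrations are meant to be permanent.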