*/
#include <vnet/ipsec/ipsec_tun.h>
+#include <vnet/ipsec/ipsec_itf.h>
#include <vnet/ipsec/esp.h>
#include <vnet/udp/udp.h>
#include <vnet/adj/adj_delegate.h>
#include <vnet/adj/adj_midchain.h>
#include <vnet/teib/teib.h>
+#define IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS (64 * 1024)
+#define IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE 512 << 20
+
/**
* The logger
*/
}
static u32
-ipsec_tun_protect_get_adj_next (const ipsec_tun_protect_t * itp)
+ipsec_tun_protect_get_adj_next (vnet_link_t linkt,
+ const ipsec_tun_protect_t * itp)
{
ipsec_main_t *im;
ipsec_sa_t *sa;
bool is_ip4;
u32 next;
- is_ip4 = ip46_address_is_ip4 (&itp->itp_tun.src);
+
+ if (itp->itp_flags & IPSEC_PROTECT_ITF)
+ is_ip4 = linkt == VNET_LINK_IP4;
+ else
+ is_ip4 = ip46_address_is_ip4 (&itp->itp_tun.src);
+
sa = ipsec_sa_get (itp->itp_out_sa);
im = &ipsec_main;
- if (sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE &&
- sa->integ_alg == IPSEC_INTEG_ALG_NONE)
+ if ((sa->crypto_alg == IPSEC_CRYPTO_ALG_NONE &&
+ sa->integ_alg == IPSEC_INTEG_ALG_NONE) &&
+ !(itp->itp_flags & IPSEC_PROTECT_ITF))
next = (is_ip4 ?
im->esp4_no_crypto_tun_node_index :
im->esp6_no_crypto_tun_node_index);
{
ipsec_tun_protect_sa_by_adj_index[ai] = itp->itp_out_sa;
adj_nbr_midchain_update_next_node
- (ai, ipsec_tun_protect_get_adj_next (itp));
+ (ai, ipsec_tun_protect_get_adj_next (adj_get_link_type (ai), itp));
}
}
*/
if (ip46_address_is_ip4 (&itp->itp_crypto.dst))
{
- ipsec4_tunnel_key_t key = {
- .remote_ip = itp->itp_crypto.dst.ip4,
- .spi = clib_host_to_net_u32 (sa->spi),
+ ipsec4_tunnel_kv_t key = {
+ .value = res,
};
- hash_set (im->tun4_protect_by_key, key.as_u64, res.as_u64);
+ clib_bihash_kv_8_8_t *bkey = (clib_bihash_kv_8_8_t*)&key;
+
+ ipsec4_tunnel_mk_key(&key, &itp->itp_crypto.dst.ip4,
+ clib_host_to_net_u32 (sa->spi));
+
+ if (!im->tun4_protect_by_key.nbuckets)
+ clib_bihash_init_8_8 (&im->tun4_protect_by_key,
+ "IPSec IPv4 tunnels",
+ IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS,
+ IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE);
+
+ clib_bihash_add_del_8_8 (&im->tun4_protect_by_key, bkey, 1);
ipsec_tun_register_nodes(AF_IP4);
}
else
{
- ipsec6_tunnel_key_t key = {
- .remote_ip = itp->itp_crypto.dst.ip6,
- .spi = clib_host_to_net_u32 (sa->spi),
+ ipsec6_tunnel_kv_t key = {
+ .key = {
+ .remote_ip = itp->itp_crypto.dst.ip6,
+ .spi = clib_host_to_net_u32 (sa->spi),
+ },
+ .value = res,
};
- hash_set_mem_alloc (&im->tun6_protect_by_key, &key, res.as_u64);
+ clib_bihash_kv_24_8_t *bkey = (clib_bihash_kv_24_8_t*)&key;
+
+ if (!im->tun4_protect_by_key.nbuckets)
+ clib_bihash_init_24_8 (&im->tun6_protect_by_key,
+ "IPSec IPv6 tunnels",
+ IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS,
+ IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE);
+ clib_bihash_add_del_24_8 (&im->tun6_protect_by_key, bkey, 1);
ipsec_tun_register_nodes(AF_IP6);
}
}))
itp - ipsec_tun_protect_pool);
ipsec_tun_protect_add_adj (ai, itp);
+ if (itp->itp_flags & IPSEC_PROTECT_ITF)
+ ipsec_itf_adj_stack (ai, itp->itp_out_sa);
+
return (ADJ_WALK_RC_CONTINUE);
}
({
if (ip46_address_is_ip4 (&itp->itp_crypto.dst))
{
- ipsec4_tunnel_key_t key = {
- .remote_ip = itp->itp_crypto.dst.ip4,
- .spi = clib_host_to_net_u32 (sa->spi),
- };
- if (hash_get(im->tun4_protect_by_key, key.as_u64))
- {
- hash_unset (im->tun4_protect_by_key, key.as_u64);
- ipsec_tun_unregister_nodes(AF_IP4);
- }
+ ipsec4_tunnel_kv_t key;
+ clib_bihash_kv_8_8_t res, *bkey = (clib_bihash_kv_8_8_t*)&key;
+
+ ipsec4_tunnel_mk_key(&key, &itp->itp_crypto.dst.ip4,
+ clib_host_to_net_u32 (sa->spi));
+
+ if (!clib_bihash_search_8_8 (&im->tun4_protect_by_key, bkey, &res))
+ {
+ clib_bihash_add_del_8_8 (&im->tun4_protect_by_key, bkey, 0);
+ ipsec_tun_unregister_nodes(AF_IP4);
+ }
}
else
{
- ipsec6_tunnel_key_t key = {
- .remote_ip = itp->itp_crypto.dst.ip6,
- .spi = clib_host_to_net_u32 (sa->spi),
+ ipsec6_tunnel_kv_t key = {
+ .key = {
+ .remote_ip = itp->itp_crypto.dst.ip6,
+ .spi = clib_host_to_net_u32 (sa->spi),
+ },
};
- if (hash_get_mem(im->tun6_protect_by_key, &key))
+ clib_bihash_kv_24_8_t res, *bkey = (clib_bihash_kv_24_8_t*)&key;
+
+ if (!clib_bihash_search_24_8 (&im->tun6_protect_by_key, bkey, &res))
{
- hash_unset_mem_free (&im->tun6_protect_by_key, &key);
+ clib_bihash_add_del_24_8 (&im->tun6_protect_by_key, bkey, 0);
ipsec_tun_unregister_nodes(AF_IP6);
}
}
static adj_walk_rc_t
ipsec_tun_protect_adj_remove (adj_index_t ai, void *arg)
{
+ ipsec_tun_protect_t *itp = arg;
+
adj_delegate_remove (ai, ipsec_tun_adj_delegate_type);
ipsec_tun_protect_add_adj (ai, NULL);
+ if (itp->itp_flags & IPSEC_PROTECT_ITF)
+ ipsec_itf_adj_unstack (ai);
+
return (ADJ_WALK_RC_CONTINUE);
}
{
itp->itp_crypto.src = sa->tunnel_dst_addr;
itp->itp_crypto.dst = sa->tunnel_src_addr;
- ipsec_sa_set_IS_PROTECT (sa);
- itp->itp_flags |= IPSEC_PROTECT_ENCAPED;
+ if (!(itp->itp_flags & IPSEC_PROTECT_ITF))
+ {
+ ipsec_sa_set_IS_PROTECT (sa);
+ itp->itp_flags |= IPSEC_PROTECT_ENCAPED;
+ }
}
else
{
pool_get_zero (ipsec_tun_protect_pool, itp);
itp->itp_sw_if_index = sw_if_index;
+ itp->itp_ai = ADJ_INDEX_INVALID;
itp->itp_n_sa_in = vec_len (sas_in);
for (ii = 0; ii < itp->itp_n_sa_in; ii++)
if (rv)
goto out;
- if (ip46_address_is_zero (&itp->itp_tun.dst))
+ if (ip46_address_is_zero (&itp->itp_tun.src))
{
- /* tunnel has no destination address, presumably because it's p2mp
- in which case we use the nh that this is protection for */
- ip46_address_t peer;
+ /* must be one of thos pesky ipsec interfaces that has no encap.
+ * the encap then MUST comefrom the tunnel mode SA.
+ */
+ ipsec_sa_t *sa;
+
+ sa = ipsec_sa_get (itp->itp_out_sa);
- ip_address_to_46 (nh, &peer);
+ if (!ipsec_sa_is_set_IS_TUNNEL (sa))
+ {
+ rv = VNET_API_ERROR_INVALID_DST_ADDRESS;
+ goto out;
+ }
+ itp->itp_flags |= IPSEC_PROTECT_ITF;
+ }
+ else if (ip46_address_is_zero (&itp->itp_tun.dst))
+ {
+ /* tunnel has no destination address, presumably because it's p2mp
+ in which case we use the nh that this is protection for */
ipsec_tun_protect_update_from_teib
- (itp, teib_entry_find (sw_if_index, &peer));
+ (itp, teib_entry_find (sw_if_index, nh));
}
if (is_l2)
/*
* add to the tunnel DB for ingress
- * - if the SA is in trasnport mode, then the packates will arrivw
+ * - if the SA is in trasnport mode, then the packates will arrive
* with the IP src,dst of the protected tunnel, in which case we can
* simply strip the IP header and hand the payload to the protocol
* appropriate input handler
itp = ipsec_tun_protect_get (itpi);
ipsec_tun_protect_unconfig (im, itp);
+ if (ADJ_INDEX_INVALID != itp->itp_ai)
+ adj_unlock (itp->itp_ai);
+
clib_mem_free (itp->itp_key);
pool_put (ipsec_tun_protect_pool, itp);
itpi = ipsec_tun_protect_find (adj->rewrite_header.sw_if_index, &ip);
if (INDEX_INVALID != itpi)
- {
- const ipsec_tun_protect_t *itp;
-
- itp = ipsec_tun_protect_get (itpi);
- adj_delegate_add (adj_get (ai), ipsec_tun_adj_delegate_type, itpi);
- ipsec_tun_protect_add_adj (ai, itp);
- }
+ ipsec_tun_protect_adj_add (ai, ipsec_tun_protect_get (itpi));
}
static u8 *
static void
ipsec_tun_teib_entry_added (const teib_entry_t * ne)
{
- const ip46_address_t *peer46;
ipsec_tun_protect_t *itp;
- ip_address_t peer;
index_t itpi;
- peer46 = teib_entry_get_peer (ne);
- ip_address_from_46 (peer46,
- (ip46_address_is_ip4 (peer46) ?
- FIB_PROTOCOL_IP4 : FIB_PROTOCOL_IP6), &peer);
-
- itpi = ipsec_tun_protect_find (teib_entry_get_sw_if_index (ne), &peer);
+ itpi = ipsec_tun_protect_find (teib_entry_get_sw_if_index (ne),
+ teib_entry_get_peer (ne));
if (INDEX_INVALID == itpi)
return;
static void
ipsec_tun_teib_entry_deleted (const teib_entry_t * ne)
{
- const ip46_address_t *peer46;
ipsec_tun_protect_t *itp;
- ip_address_t peer;
index_t itpi;
- peer46 = teib_entry_get_peer (ne);
- ip_address_from_46 (peer46,
- (ip46_address_is_ip4 (peer46) ?
- FIB_PROTOCOL_IP4 : FIB_PROTOCOL_IP6), &peer);
-
- itpi = ipsec_tun_protect_find (teib_entry_get_sw_if_index (ne), &peer);
+ itpi = ipsec_tun_protect_find (teib_entry_get_sw_if_index (ne),
+ teib_entry_get_peer (ne));
if (INDEX_INVALID == itpi)
return;
.nv_deleted = ipsec_tun_teib_entry_deleted,
};
+void
+ipsec_tun_table_init (ip_address_family_t af, uword table_size, u32 n_buckets)
+{
+ ipsec_main_t *im;
+
+ im = &ipsec_main;
+
+ if (AF_IP4 == af)
+ clib_bihash_init_8_8 (&im->tun4_protect_by_key,
+ "IPSec IPv4 tunnels", n_buckets, table_size);
+ else
+ clib_bihash_init_24_8 (&im->tun6_protect_by_key,
+ "IPSec IPv6 tunnels", n_buckets, table_size);
+}
clib_error_t *
ipsec_tunnel_protect_init (vlib_main_t * vm)
ipsec_main_t *im;
im = &ipsec_main;
- im->tun6_protect_by_key = hash_create_mem (0,
- sizeof (ipsec6_tunnel_key_t),
- sizeof (u64));
- im->tun4_protect_by_key = hash_create (0, sizeof (u64));
+ clib_bihash_init_24_8 (&im->tun6_protect_by_key,
+ "IPSec IPv6 tunnels",
+ IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS,
+ IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE);
+ clib_bihash_init_8_8 (&im->tun4_protect_by_key,
+ "IPSec IPv4 tunnels",
+ IPSEC_TUN_DEFAULT_HASH_NUM_BUCKETS,
+ IPSEC_TUN_DEFAULT_HASH_MEMORY_SIZE);
/* set up feature nodes to drop outbound packets with no crypto alg set */
im->esp4_no_crypto_tun_node_index =
VLIB_INIT_FUNCTION (ipsec_tunnel_protect_init);
+static clib_error_t *
+ipsec_config (vlib_main_t * vm, unformat_input_t * input)
+{
+ unformat_input_t sub_input;
+
+ while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (input, "ip4 %U", unformat_vlib_cli_sub_input, &sub_input))
+ {
+ uword table_size = ~0;
+ u32 n_buckets = ~0;
+
+ while (unformat_check_input (&sub_input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (&sub_input, "num-buckets %u", &n_buckets))
+ ;
+ else
+ return clib_error_return (0, "unknown input `%U'",
+ format_unformat_error, &sub_input);
+ }
+
+ ipsec_tun_table_init (AF_IP4, table_size, n_buckets);
+ }
+ else if (unformat (input, "ip6 %U", unformat_vlib_cli_sub_input,
+ &sub_input))
+ {
+ uword table_size = ~0;
+ u32 n_buckets = ~0;
+
+ while (unformat_check_input (&sub_input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (&sub_input, "num-buckets %u", &n_buckets))
+ ;
+ else
+ return clib_error_return (0, "unknown input `%U'",
+ format_unformat_error, &sub_input);
+ }
+
+ ipsec_tun_table_init (AF_IP6, table_size, n_buckets);
+ }
+ else
+ return clib_error_return (0, "unknown input `%U'",
+ format_unformat_error, input);
+ }
+
+ return 0;
+}
+
+VLIB_CONFIG_FUNCTION (ipsec_config, "ipsec");
/*
* fd.io coding-style-patch-verification: ON
Code Review / vpp.git / blobdiff