2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <vnet/ipsec/ipsec.h>
19 ipsec_spd_entry_sort (void *a1, void *a2)
23 ipsec_spd_t *spd = ipsec_main.spd_to_sort;
24 ipsec_policy_t *p1, *p2;
26 p1 = pool_elt_at_index (spd->policies, *id1);
27 p2 = pool_elt_at_index (spd->policies, *id2);
29 return p2->priority - p1->priority;
35 ipsec_add_del_policy (vlib_main_t * vm, ipsec_policy_t * policy, int is_add)
37 ipsec_main_t *im = &ipsec_main;
43 clib_warning ("policy-id %u priority %d is_outbound %u", policy->id,
44 policy->priority, policy->is_outbound);
46 if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
48 p = hash_get (im->sa_index_by_sa_id, policy->sa_id);
50 return VNET_API_ERROR_SYSCALL_ERROR_1;
51 policy->sa_index = p[0];
54 p = hash_get (im->spd_index_by_spd_id, policy->id);
57 return VNET_API_ERROR_SYSCALL_ERROR_1;
60 spd = pool_elt_at_index (im->spds, spd_index);
62 return VNET_API_ERROR_SYSCALL_ERROR_1;
68 pool_get (spd->policies, vp);
69 clib_memcpy (vp, policy, sizeof (*vp));
70 policy_index = vp - spd->policies;
72 ipsec_main.spd_to_sort = spd;
74 if (policy->is_outbound)
78 vec_add1 (spd->ipv6_outbound_policies, policy_index);
79 vec_sort_with_function (spd->ipv6_outbound_policies,
80 ipsec_spd_entry_sort);
84 vec_add1 (spd->ipv4_outbound_policies, policy_index);
85 vec_sort_with_function (spd->ipv4_outbound_policies,
86 ipsec_spd_entry_sort);
93 if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
95 vec_add1 (spd->ipv6_inbound_protect_policy_indices,
97 vec_sort_with_function
98 (spd->ipv6_inbound_protect_policy_indices,
99 ipsec_spd_entry_sort);
104 (spd->ipv6_inbound_policy_discard_and_bypass_indices,
106 vec_sort_with_function
107 (spd->ipv6_inbound_policy_discard_and_bypass_indices,
108 ipsec_spd_entry_sort);
113 if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
115 vec_add1 (spd->ipv4_inbound_protect_policy_indices,
117 vec_sort_with_function
118 (spd->ipv4_inbound_protect_policy_indices,
119 ipsec_spd_entry_sort);
124 (spd->ipv4_inbound_policy_discard_and_bypass_indices,
126 vec_sort_with_function
127 (spd->ipv4_inbound_policy_discard_and_bypass_indices,
128 ipsec_spd_entry_sort);
133 ipsec_main.spd_to_sort = NULL;
139 pool_foreach_index(i, spd->policies, ({
140 vp = pool_elt_at_index(spd->policies, i);
141 if (vp->priority != policy->priority)
143 if (vp->is_outbound != policy->is_outbound)
145 if (vp->policy != policy->policy)
147 if (vp->sa_id != policy->sa_id)
149 if (vp->protocol != policy->protocol)
151 if (vp->lport.start != policy->lport.start)
153 if (vp->lport.stop != policy->lport.stop)
155 if (vp->rport.start != policy->rport.start)
157 if (vp->rport.stop != policy->rport.stop)
159 if (vp->is_ipv6 != policy->is_ipv6)
163 if (vp->laddr.start.ip6.as_u64[0] != policy->laddr.start.ip6.as_u64[0])
165 if (vp->laddr.start.ip6.as_u64[1] != policy->laddr.start.ip6.as_u64[1])
167 if (vp->laddr.stop.ip6.as_u64[0] != policy->laddr.stop.ip6.as_u64[0])
169 if (vp->laddr.stop.ip6.as_u64[1] != policy->laddr.stop.ip6.as_u64[1])
171 if (vp->raddr.start.ip6.as_u64[0] != policy->raddr.start.ip6.as_u64[0])
173 if (vp->raddr.start.ip6.as_u64[1] != policy->raddr.start.ip6.as_u64[1])
175 if (vp->raddr.stop.ip6.as_u64[0] != policy->raddr.stop.ip6.as_u64[0])
177 if (vp->laddr.stop.ip6.as_u64[1] != policy->laddr.stop.ip6.as_u64[1])
179 if (policy->is_outbound)
181 vec_foreach_index(j, spd->ipv6_outbound_policies) {
182 if (vec_elt(spd->ipv6_outbound_policies, j) == i) {
183 vec_del1 (spd->ipv6_outbound_policies, j);
190 if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
192 vec_foreach_index(j, spd->ipv6_inbound_protect_policy_indices) {
193 if (vec_elt(spd->ipv6_inbound_protect_policy_indices, j) == i) {
194 vec_del1 (spd->ipv6_inbound_protect_policy_indices, j);
201 vec_foreach_index(j, spd->ipv6_inbound_policy_discard_and_bypass_indices) {
202 if (vec_elt(spd->ipv6_inbound_policy_discard_and_bypass_indices, j) == i) {
203 vec_del1 (spd->ipv6_inbound_policy_discard_and_bypass_indices, j);
212 if (vp->laddr.start.ip4.as_u32 != policy->laddr.start.ip4.as_u32)
214 if (vp->laddr.stop.ip4.as_u32 != policy->laddr.stop.ip4.as_u32)
216 if (vp->raddr.start.ip4.as_u32 != policy->raddr.start.ip4.as_u32)
218 if (vp->raddr.stop.ip4.as_u32 != policy->raddr.stop.ip4.as_u32)
220 if (policy->is_outbound)
222 vec_foreach_index(j, spd->ipv4_outbound_policies) {
223 if (vec_elt(spd->ipv4_outbound_policies, j) == i) {
224 vec_del1 (spd->ipv4_outbound_policies, j);
231 if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
233 vec_foreach_index(j, spd->ipv4_inbound_protect_policy_indices) {
234 if (vec_elt(spd->ipv4_inbound_protect_policy_indices, j) == i) {
235 vec_del1 (spd->ipv4_inbound_protect_policy_indices, j);
242 vec_foreach_index(j, spd->ipv4_inbound_policy_discard_and_bypass_indices) {
243 if (vec_elt(spd->ipv4_inbound_policy_discard_and_bypass_indices, j) == i) {
244 vec_del1 (spd->ipv4_inbound_policy_discard_and_bypass_indices, j);
251 pool_put (spd->policies, vp);
261 * fd.io coding-style-patch-verification: ON
264 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob