vlib_frame_t * from_frame, int is_ip6)
{
u32 n_left_from, *from, *to_next, next_index, thread_index;
- ipsec_main_t *im = &ipsec_main;
u32 thread_idx = vlib_get_thread_index ();
dpdk_crypto_main_t *dcm = &dpdk_crypto_main;
crypto_resource_t *res = 0;
if (sa_index0 != last_sa_index)
{
- sa0 = pool_elt_at_index (im->sad, sa_index0);
+ sa0 = ipsec_sa_get (sa_index0);
cipher_alg =
vec_elt_at_index (dcm->cipher_algs, sa0->crypto_alg);
u32 n_left_from, *from, *to_next = 0, next_index;
ipsec_sa_t *sa0;
u32 sa_index0 = ~0;
- ipsec_main_t *im = &ipsec_main;
dpdk_crypto_main_t *dcm = &dpdk_crypto_main;
from = vlib_frame_vector_args (from_frame);
esp0 = vlib_buffer_get_current (b0);
sa_index0 = vnet_buffer (b0)->ipsec.sad_index;
- sa0 = pool_elt_at_index (im->sad, sa_index0);
+ sa0 = ipsec_sa_get (sa_index0);
to_next[0] = bi0;
to_next += 1;
if (sa_index0 != last_sa_index)
{
- sa0 = pool_elt_at_index (im->sad, sa_index0);
+ sa0 = ipsec_sa_get (sa_index0);
cipher_alg =
vec_elt_at_index (dcm->cipher_algs, sa0->crypto_alg);
crypto_worker_main_t * cwm, u8 is_outbound)
{
dpdk_crypto_main_t *dcm = &dpdk_crypto_main;
- ipsec_main_t *im = &ipsec_main;
crypto_data_t *data;
ipsec_sa_t *sa;
struct rte_crypto_sym_xform cipher_xform = { 0 };
struct rte_cryptodev_sym_session **s;
clib_error_t *error = 0;
-
- sa = pool_elt_at_index (im->sad, sa_idx);
+ sa = ipsec_sa_get (sa_idx);
if ((sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128) |
(sa->crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_192) |
vlib_frame_t * f)
{
ikev2_main_t *km = &ikev2_main;
- ipsec_main_t *im = &ipsec_main;
ikev2_profile_t *p;
ikev2_child_sa_t *c;
u32 *sai;
/* process ipsec sas */
ipsec_sa_t *sa;
/* *INDENT-OFF* */
- pool_foreach (sa, im->sad) {
- ikev2_mngr_process_ipsec_sa(sa);
- }
+ pool_foreach (sa, ipsec_sa_pool)
+ {
+ ikev2_mngr_process_ipsec_sa (sa);
+ }
/* *INDENT-ON* */
ikev2_process_pending_sa_init (km);
if (~0 != sa_id)
{
- ipsec_main_t *im = &ipsec_main;
ipsec_sa_t *sa;
u32 sa_index;
sa_index = ipsec_sa_find_and_lock (sa_id);
- sa = pool_elt_at_index (im->sad, sa_index);
+ sa = ipsec_sa_get (sa_index);
sa->seq = seq_num & 0xffffffff;
sa->seq_hi = seq_num >> 32;
current_sa_pkts,
current_sa_bytes);
current_sa_index = vnet_buffer (b[0])->ipsec.sad_index;
- sa0 = pool_elt_at_index (im->sad, current_sa_index);
+ sa0 = ipsec_sa_get (current_sa_index);
current_sa_bytes = current_sa_pkts = 0;
vlib_prefetch_combined_counter (&ipsec_sa_counters,
if (next[0] < AH_DECRYPT_N_NEXT)
goto trace;
- sa0 = vec_elt_at_index (im->sad, pd->sa_index);
+ sa0 = ipsec_sa_get (pd->sa_index);
if (PREDICT_TRUE (sa0->integ_alg != IPSEC_INTEG_ALG_NONE))
{
trace:
if (PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED))
{
- sa0 = pool_elt_at_index (im->sad,
- vnet_buffer (b[0])->ipsec.sad_index);
+ sa0 = ipsec_sa_get (vnet_buffer (b[0])->ipsec.sad_index);
ah_decrypt_trace_t *tr =
vlib_add_trace (vm, node, b[0], sizeof (*tr));
tr->integ_alg = sa0->integ_alg;
current_sa_pkts,
current_sa_bytes);
current_sa_index = vnet_buffer (b[0])->ipsec.sad_index;
- sa0 = pool_elt_at_index (im->sad, current_sa_index);
+ sa0 = ipsec_sa_get (current_sa_index);
current_sa_bytes = current_sa_pkts = 0;
}
next:
if (PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED))
{
- sa0 = vec_elt_at_index (im->sad, pd->sa_index);
+ sa0 = ipsec_sa_get (pd->sa_index);
ah_encrypt_trace_t *tr =
vlib_add_trace (vm, node, b[0], sizeof (*tr));
tr->spi = sa0->spi;
esp_decrypt_packet_data2_t * pd2, vlib_buffer_t * b,
u16 * next, int is_ip6, int is_tun, int is_async)
{
- ipsec_main_t *im = &ipsec_main;
- ipsec_sa_t *sa0 = vec_elt_at_index (im->sad, pd->sa_index);
+ ipsec_sa_t *sa0 = ipsec_sa_get (pd->sa_index);
vlib_buffer_t *lb = b;
const u8 esp_sz = sizeof (esp_header_t);
const u8 tun_flags = IPSEC_SA_FLAG_IS_TUNNEL | IPSEC_SA_FLAG_IS_TUNNEL_V6;
current_sa_bytes = current_sa_pkts = 0;
current_sa_index = vnet_buffer (b[0])->ipsec.sad_index;
- sa0 = pool_elt_at_index (im->sad, current_sa_index);
+ sa0 = ipsec_sa_get (current_sa_index);
/* fetch the second cacheline ASAP */
CLIB_PREFETCH (sa0->cacheline1, CLIB_CACHE_LINE_BYTES, LOAD);
{
esp_decrypt_trace_t *tr;
tr = vlib_add_trace (vm, node, b[0], sizeof (*tr));
- sa0 = pool_elt_at_index (im->sad, current_sa_index);
+ sa0 = ipsec_sa_get (current_sa_index);
tr->crypto_alg = sa0->crypto_alg;
tr->integ_alg = sa0->integ_alg;
tr->seq = pd->seq;
vlib_node_runtime_t * node,
vlib_frame_t * from_frame, int is_ip6, int is_tun)
{
- ipsec_main_t *im = &ipsec_main;
u32 *from = vlib_frame_vector_args (from_frame);
u32 n_left = from_frame->n_vectors;
vlib_buffer_t *bufs[VLIB_FRAME_SIZE], **b = bufs;
/*trace: */
if (PREDICT_FALSE (b[0]->flags & VLIB_BUFFER_IS_TRACED))
{
- ipsec_sa_t *sa0 = pool_elt_at_index (im->sad, pd->sa_index);
+ ipsec_sa_t *sa0 = ipsec_sa_get (pd->sa_index);
esp_decrypt_trace_t *tr;
esp_decrypt_packet_data_t *async_pd =
&(esp_post_data (b[0]))->decrypt_data;
tr = vlib_add_trace (vm, node, b[0], sizeof (*tr));
- sa0 = pool_elt_at_index (im->sad, async_pd->sa_index);
+ sa0 = ipsec_sa_get (async_pd->sa_index);
tr->crypto_alg = sa0->crypto_alg;
tr->integ_alg = sa0->integ_alg;
current_sa_bytes);
current_sa_packets = current_sa_bytes = 0;
- sa0 = pool_elt_at_index (im->sad, sa_index0);
+ sa0 = ipsec_sa_get (sa_index0);
/* fetch the second cacheline ASAP */
CLIB_PREFETCH (sa0->cacheline1, CLIB_CACHE_LINE_BYTES, LOAD);
ipsec_rsc_in_use (ipsec_main_t * im)
{
/* return an error is crypto resource are in use */
- if (pool_elts (im->sad) > 0)
- return clib_error_return (0,
- "%d SA entries configured",
- pool_elts (im->sad));
+ if (pool_elts (ipsec_sa_pool) > 0)
+ return clib_error_return (0, "%d SA entries configured",
+ pool_elts (ipsec_sa_pool));
return (NULL);
}
ipsec_sa_t *sa;
/* lock all SAs before change im->async_mode */
- pool_foreach (sa, im->sad)
- {
- fib_node_lock (&sa->node);
- }
+ pool_foreach (sa, ipsec_sa_pool)
+ {
+ fib_node_lock (&sa->node);
+ }
im->async_mode = is_enabled;
/* change SA crypto op data before unlock them */
- pool_foreach (sa, im->sad)
- {
- sa->crypto_op_data = is_enabled ?
- sa->async_op_data.data : sa->sync_op_data.data;
- fib_node_unlock (&sa->node);
- }
+ pool_foreach (sa, ipsec_sa_pool)
+ {
+ sa->crypto_op_data =
+ is_enabled ? sa->async_op_data.data : sa->sync_op_data.data;
+ fib_node_unlock (&sa->node);
+ }
}
static void
{
/* pool of tunnel instances */
ipsec_spd_t *spds;
- /* Pool of security associations */
- ipsec_sa_t *sad;
/* pool of policies */
ipsec_policy_t *policies;
/*
* functions
*/
-u8 *format_ipsec_replay_window (u8 * s, va_list * args);
/*
* inline functions
clib_error_t *ipsec_rsc_in_use (ipsec_main_t * im);
void ipsec_set_async_mode (u32 is_enabled);
-always_inline ipsec_sa_t *
-ipsec_sa_get (u32 sa_index)
-{
- return (pool_elt_at_index (ipsec_main.sad, sa_index));
-}
-
extern void ipsec_register_udp_port (u16 udp_port);
extern void ipsec_unregister_udp_port (u16 udp_port);
{
ipsec_dump_walk_ctx_t *ctx = arg;
vl_api_ipsec_sa_details_t *mp;
- ipsec_main_t *im = &ipsec_main;
mp = vl_msg_api_alloc (sizeof (*mp));
clib_memset (mp, 0, sizeof (*mp));
if (ipsec_sa_is_set_IS_PROTECT (sa))
{
ipsec_sa_dump_match_ctx_t ctx = {
- .sai = sa - im->sad,
- .sw_if_index = ~0,
+ .sai = sa - ipsec_sa_pool,
+ .sw_if_index = ~0,
};
ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
{
ipsec_dump_walk_ctx_t *ctx = arg;
vl_api_ipsec_sa_v2_details_t *mp;
- ipsec_main_t *im = &ipsec_main;
mp = vl_msg_api_alloc (sizeof (*mp));
clib_memset (mp, 0, sizeof (*mp));
if (ipsec_sa_is_set_IS_PROTECT (sa))
{
ipsec_sa_dump_match_ctx_t ctx = {
- .sai = sa - im->sad,
- .sw_if_index = ~0,
+ .sai = sa - ipsec_sa_pool,
+ .sw_if_index = ~0,
};
ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
{
ipsec_dump_walk_ctx_t *ctx = arg;
vl_api_ipsec_sa_v3_details_t *mp;
- ipsec_main_t *im = &ipsec_main;
mp = vl_msg_api_alloc (sizeof (*mp));
clib_memset (mp, 0, sizeof (*mp));
if (ipsec_sa_is_set_IS_PROTECT (sa))
{
ipsec_sa_dump_match_ctx_t ctx = {
- .sai = sa - im->sad,
+ .sai = sa - ipsec_sa_pool,
.sw_if_index = ~0,
};
ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
vl_api_ipsec_select_backend_reply_t *rmp;
ipsec_protocol_t protocol;
int rv = 0;
- if (pool_elts (im->sad) > 0)
+ if (pool_elts (ipsec_sa_pool) > 0)
{
rv = VNET_API_ERROR_INSTANCE_IN_USE;
goto done;
u32 sai;
/* *INDENT-OFF* */
- pool_foreach_index (sai, im->sad) {
- vlib_cli_output(vm, "%U", format_ipsec_sa, sai,
- (detail ? IPSEC_FORMAT_DETAIL : IPSEC_FORMAT_BRIEF));
- }
+ pool_foreach_index (sai, ipsec_sa_pool)
+ {
+ vlib_cli_output (vm, "%U", format_ipsec_sa, sai,
+ (detail ? IPSEC_FORMAT_DETAIL : IPSEC_FORMAT_BRIEF));
+ }
/* *INDENT-ON* */
}
clear_ipsec_sa_command_fn (vlib_main_t * vm,
unformat_input_t * input, vlib_cli_command_t * cmd)
{
- ipsec_main_t *im = &ipsec_main;
u32 sai = ~0;
while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
if (~0 == sai)
{
/* *INDENT-OFF* */
- pool_foreach_index (sai, im->sad) {
- ipsec_sa_clear(sai);
- }
+ pool_foreach_index (sai, ipsec_sa_pool)
+ {
+ ipsec_sa_clear (sai);
+ }
/* *INDENT-ON* */
}
else
{
- if (pool_is_free_index (im->sad, sai))
+ if (pool_is_free_index (ipsec_sa_pool, sai))
return clib_error_return (0, "unknown SA index: %d", sai);
else
ipsec_sa_clear (sai);
{
u32 sai = va_arg (*args, u32);
ipsec_format_flags_t flags = va_arg (*args, ipsec_format_flags_t);
- ipsec_main_t *im = &ipsec_main;
vlib_counter_t counts;
ipsec_sa_t *sa;
- if (pool_is_free_index (im->sad, sai))
+ if (pool_is_free_index (ipsec_sa_pool, sai))
{
s = format (s, "No such SA index: %d", sai);
goto done;
}
- sa = pool_elt_at_index (im->sad, sai);
+ sa = ipsec_sa_get (sai);
s = format (s, "[%d] sa %u (0x%x) spi %u (0x%08x) protocol:%s flags:[%U]",
sai, sa->id, sa->id, sa->spi, sa->spi,
vec_foreach (i, spd->policies[IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT])
{
p = pool_elt_at_index (im->policies, *i);
- s = pool_elt_at_index (im->sad, p->sa_index);
+ s = ipsec_sa_get (p->sa_index);
if (spi != s->spi)
continue;
vec_foreach (i, spd->policies[IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT])
{
p = pool_elt_at_index (im->policies, *i);
- s = pool_elt_at_index (im->sad, p->sa_index);
+ s = ipsec_sa_get (p->sa_index);
if (spi != s->spi)
continue;
{
ipsec_sa_t *sa = 0;
nc_protect++;
- sa = pool_elt_at_index (im->sad, p0->sa_index);
+ sa = ipsec_sa_get (p0->sa_index);
if (sa->protocol == IPSEC_PROTOCOL_ESP)
if (is_ipv6)
next_node_index = im->esp6_encrypt_node_index;
.stat_segment_name = "/net/ipsec/sa",
};
+ipsec_sa_t *ipsec_sa_pool;
static clib_error_t *
ipsec_call_add_del_callbacks (ipsec_main_t * im, ipsec_sa_t * sa,
if (p)
return VNET_API_ERROR_ENTRY_ALREADY_EXISTS;
- pool_get_aligned_zero (im->sad, sa, CLIB_CACHE_LINE_BYTES);
+ pool_get_aligned_zero (ipsec_sa_pool, sa, CLIB_CACHE_LINE_BYTES);
fib_node_init (&sa->node, FIB_NODE_TYPE_IPSEC_SA);
fib_node_lock (&sa->node);
- sa_index = sa - im->sad;
+ sa_index = sa - ipsec_sa_pool;
vlib_validate_combined_counter (&ipsec_sa_counters, sa_index);
vlib_zero_combined_counter (&ipsec_sa_counters, sa_index);
(u8 *) ck->data, ck->len);
if (~0 == sa->crypto_key_index)
{
- pool_put (im->sad, sa);
+ pool_put (ipsec_sa_pool, sa);
return VNET_API_ERROR_KEY_LENGTH;
}
(u8 *) ik->data, ik->len);
if (~0 == sa->integ_key_index)
{
- pool_put (im->sad, sa);
+ pool_put (ipsec_sa_pool, sa);
return VNET_API_ERROR_KEY_LENGTH;
}
}
if (err)
{
clib_warning ("%s", err->what);
- pool_put (im->sad, sa);
+ pool_put (ipsec_sa_pool, sa);
return VNET_API_ERROR_UNIMPLEMENTED;
}
err = ipsec_call_add_del_callbacks (im, sa, sa_index, 1);
if (err)
{
- pool_put (im->sad, sa);
+ pool_put (ipsec_sa_pool, sa);
return VNET_API_ERROR_SYSCALL_ERROR_1;
}
if (rv)
{
- pool_put (im->sad, sa);
+ pool_put (ipsec_sa_pool, sa);
return rv;
}
ipsec_sa_stack (sa);
ipsec_main_t *im = &ipsec_main;
u32 sa_index;
- sa_index = sa - im->sad;
+ sa_index = sa - ipsec_sa_pool;
hash_unset (im->sa_index_by_sa_id, sa->id);
tunnel_unresolve (&sa->tunnel);
vnet_crypto_key_del (vm, sa->crypto_key_index);
if (sa->integ_alg != IPSEC_INTEG_ALG_NONE)
vnet_crypto_key_del (vm, sa->integ_key_index);
- pool_put (im->sad, sa);
+ pool_put (ipsec_sa_pool, sa);
}
void
ipsec_sa_unlock (index_t sai)
{
- ipsec_main_t *im = &ipsec_main;
ipsec_sa_t *sa;
if (INDEX_INVALID == sai)
return;
- sa = pool_elt_at_index (im->sad, sai);
+ sa = ipsec_sa_get (sai);
fib_node_unlock (&sa->node);
}
void
ipsec_sa_lock (index_t sai)
{
- ipsec_main_t *im = &ipsec_main;
ipsec_sa_t *sa;
if (INDEX_INVALID == sai)
return;
- sa = pool_elt_at_index (im->sad, sai);
+ sa = ipsec_sa_get (sai);
fib_node_lock (&sa->node);
}
if (!p)
return INDEX_INVALID;
- sa = pool_elt_at_index (im->sad, p[0]);
+ sa = ipsec_sa_get (p[0]);
fib_node_lock (&sa->node);
void
ipsec_sa_walk (ipsec_sa_walk_cb_t cb, void *ctx)
{
- ipsec_main_t *im = &ipsec_main;
ipsec_sa_t *sa;
/* *INDENT-OFF* */
- pool_foreach (sa, im->sad)
- {
- if (WALK_CONTINUE != cb(sa, ctx))
- break;
- }
+ pool_foreach (sa, ipsec_sa_pool)
+ {
+ if (WALK_CONTINUE != cb (sa, ctx))
+ break;
+ }
/* *INDENT-ON* */
}
static fib_node_t *
ipsec_sa_fib_node_get (fib_node_index_t index)
{
- ipsec_main_t *im;
ipsec_sa_t *sa;
- im = &ipsec_main;
- sa = pool_elt_at_index (im->sad, index);
+ sa = ipsec_sa_get (index);
return (&sa->node);
}
STATIC_ASSERT_OFFSET_OF (ipsec_sa_t, cacheline1, CLIB_CACHE_LINE_BYTES);
STATIC_ASSERT_OFFSET_OF (ipsec_sa_t, cacheline2, 2 * CLIB_CACHE_LINE_BYTES);
+/**
+ * Pool of IPSec SAs
+ */
+extern ipsec_sa_t *ipsec_sa_pool;
+
/*
* Ensure that the IPsec data does not overlap with the IP data in
* the buffer meta data
typedef walk_rc_t (*ipsec_sa_walk_cb_t) (ipsec_sa_t * sa, void *ctx);
extern void ipsec_sa_walk (ipsec_sa_walk_cb_t cd, void *ctx);
+extern u8 *format_ipsec_replay_window (u8 *s, va_list *args);
extern u8 *format_ipsec_crypto_alg (u8 * s, va_list * args);
extern u8 *format_ipsec_integ_alg (u8 * s, va_list * args);
extern u8 *format_ipsec_sa (u8 * s, va_list * args);
: (unix_time_now_nsec () % vlib_num_workers ()) + 1);
}
+always_inline ipsec_sa_t *
+ipsec_sa_get (u32 sa_index)
+{
+ return (pool_elt_at_index (ipsec_sa_pool, sa_index));
+}
+
#endif /* __IPSEC_SPD_SA_H__ */
/*
Code Review / vpp.git / commitdiff