a748d24d79
Since librte_ipsec was first introduced in 19.02 and there were no changes in it's public API since 19.11, it should be considered mature enough to remove the 'experimental' tag from it. The RTE_SATP_LOG2_NUM enum is also being dropped from rte_ipsec_sa.h to avoid possible ABI problems in the future. Signed-off-by: Conor Walsh <conor.walsh@intel.com> Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com> Acked-by: Ray Kinsella <mdr@ashroe.eu> Acked-by: Akhil Goyal <akhil.goyal@nxp.com>
172 lines
4.1 KiB
C
172 lines
4.1 KiB
C
|
|
/* SPDX-License-Identifier: BSD-3-Clause
|
|
* Copyright(c) 2019 Intel Corporation
|
|
*/
|
|
|
|
#ifndef _RTE_IPSEC_SAD_H_
|
|
#define _RTE_IPSEC_SAD_H_
|
|
|
|
#include <rte_compat.h>
|
|
|
|
/**
|
|
* @file rte_ipsec_sad.h
|
|
*
|
|
* RTE IPsec security association database (SAD) support.
|
|
* Contains helper functions to lookup and maintain SAD
|
|
*/
|
|
|
|
#ifdef __cplusplus
|
|
extern "C" {
|
|
#endif
|
|
|
|
struct rte_ipsec_sad;
|
|
|
|
/** Type of key */
|
|
enum {
|
|
RTE_IPSEC_SAD_SPI_ONLY = 0,
|
|
RTE_IPSEC_SAD_SPI_DIP,
|
|
RTE_IPSEC_SAD_SPI_DIP_SIP,
|
|
RTE_IPSEC_SAD_KEY_TYPE_MASK,
|
|
};
|
|
|
|
struct rte_ipsec_sadv4_key {
|
|
uint32_t spi;
|
|
uint32_t dip;
|
|
uint32_t sip;
|
|
};
|
|
|
|
struct rte_ipsec_sadv6_key {
|
|
uint32_t spi;
|
|
uint8_t dip[16];
|
|
uint8_t sip[16];
|
|
};
|
|
|
|
union rte_ipsec_sad_key {
|
|
struct rte_ipsec_sadv4_key v4;
|
|
struct rte_ipsec_sadv6_key v6;
|
|
};
|
|
|
|
/** Max number of characters in SAD name. */
|
|
#define RTE_IPSEC_SAD_NAMESIZE 64
|
|
/** Flag to create SAD with ipv6 dip and sip addresses */
|
|
#define RTE_IPSEC_SAD_FLAG_IPV6 0x1
|
|
/** Flag to support reader writer concurrency */
|
|
#define RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY 0x2
|
|
|
|
/** IPsec SAD configuration structure */
|
|
struct rte_ipsec_sad_conf {
|
|
/** CPU socket ID where rte_ipsec_sad should be allocated */
|
|
int socket_id;
|
|
/** maximum number of SA for each type of key */
|
|
uint32_t max_sa[RTE_IPSEC_SAD_KEY_TYPE_MASK];
|
|
/** RTE_IPSEC_SAD_FLAG_* flags */
|
|
uint32_t flags;
|
|
};
|
|
|
|
/**
|
|
* Add a rule into the SAD. Could be safely called with concurrent lookups
|
|
* if RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was configured on creation time.
|
|
* While with this flag multi-reader - one-writer model Is MT safe,
|
|
* multi-writer model is not and required extra synchronisation.
|
|
*
|
|
* @param sad
|
|
* SAD object handle
|
|
* @param key
|
|
* pointer to the key
|
|
* @param key_type
|
|
* key type (spi only/spi+dip/spi+dip+sip)
|
|
* @param sa
|
|
* Pointer associated with the key to save in a SAD
|
|
* Must be 4 bytes aligned.
|
|
* @return
|
|
* 0 on success, negative value otherwise
|
|
*/
|
|
int
|
|
rte_ipsec_sad_add(struct rte_ipsec_sad *sad,
|
|
const union rte_ipsec_sad_key *key,
|
|
int key_type, void *sa);
|
|
|
|
/**
|
|
* Delete a rule from the SAD. Could be safely called with concurrent lookups
|
|
* if RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was configured on creation time.
|
|
* While with this flag multi-reader - one-writer model Is MT safe,
|
|
* multi-writer model is not and required extra synchronisation.
|
|
*
|
|
* @param sad
|
|
* SAD object handle
|
|
* @param key
|
|
* pointer to the key
|
|
* @param key_type
|
|
* key type (spi only/spi+dip/spi+dip+sip)
|
|
* @return
|
|
* 0 on success, negative value otherwise
|
|
*/
|
|
int
|
|
rte_ipsec_sad_del(struct rte_ipsec_sad *sad,
|
|
const union rte_ipsec_sad_key *key,
|
|
int key_type);
|
|
/*
|
|
* Create SAD
|
|
*
|
|
* @param name
|
|
* SAD name
|
|
* @param conf
|
|
* Structure containing the configuration
|
|
* @return
|
|
* Handle to SAD object on success
|
|
* NULL otherwise with rte_errno set to an appropriate values.
|
|
*/
|
|
struct rte_ipsec_sad *
|
|
rte_ipsec_sad_create(const char *name, const struct rte_ipsec_sad_conf *conf);
|
|
|
|
/**
|
|
* Find an existing SAD object and return a pointer to it.
|
|
*
|
|
* @param name
|
|
* Name of the SAD object as passed to rte_ipsec_sad_create()
|
|
* @return
|
|
* Pointer to sad object or NULL if object not found with rte_errno
|
|
* set appropriately. Possible rte_errno values include:
|
|
* - ENOENT - required entry not available to return.
|
|
*/
|
|
struct rte_ipsec_sad *
|
|
rte_ipsec_sad_find_existing(const char *name);
|
|
|
|
/**
|
|
* Destroy SAD object.
|
|
*
|
|
* @param sad
|
|
* pointer to the SAD object
|
|
* @return
|
|
* None
|
|
*/
|
|
void
|
|
rte_ipsec_sad_destroy(struct rte_ipsec_sad *sad);
|
|
|
|
/**
|
|
* Lookup multiple keys in the SAD.
|
|
*
|
|
* @param sad
|
|
* SAD object handle
|
|
* @param keys
|
|
* Array of keys to be looked up in the SAD
|
|
* @param sa
|
|
* Pointer assocoated with the keys.
|
|
* If the lookup for the given key failed, then corresponding sa
|
|
* will be NULL
|
|
* @param n
|
|
* Number of elements in keys array to lookup.
|
|
* @return
|
|
* -EINVAL for incorrect arguments, otherwise number of successful lookups.
|
|
*/
|
|
int
|
|
rte_ipsec_sad_lookup(const struct rte_ipsec_sad *sad,
|
|
const union rte_ipsec_sad_key *keys[],
|
|
void *sa[], uint32_t n);
|
|
|
|
#ifdef __cplusplus
|
|
}
|
|
#endif
|
|
|
|
#endif /* _RTE_IPSEC_SAD_H_ */
|