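/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright(c) 2019 Intel Corporation
 */

#ifndef _RTE_IPSEC_SAD_H_
#define _RTE_IPSEC_SAD_H_

#include <stdint.h>

#include <rte_compat.h>

/**
 * @file rte_ipsec_sad.h
 *
 * RTE IPsec security association database (SAD) support.
 * Contains helper functions to look up and maintain the SAD.
 */

#ifdef __cplusplus
extern "C" {
#endif

/** Opaque SAD handle; the layout is not exposed by this header. */
struct rte_ipsec_sad;

/**
 * Type of key.
 *
 * The first three enumerators select which key fields take part in a rule.
 * RTE_IPSEC_SAD_KEY_TYPE_MASK follows them and therefore equals the number
 * of key types (3); rte_ipsec_sad_conf::max_sa uses it as its array size.
 */
enum {
	RTE_IPSEC_SAD_SPI_ONLY = 0,	/**< match on spi only */
	RTE_IPSEC_SAD_SPI_DIP,		/**< match on spi + dip */
	RTE_IPSEC_SAD_SPI_DIP_SIP,	/**< match on spi + dip + sip */
	RTE_IPSEC_SAD_KEY_TYPE_MASK,	/**< number of key types, not a key type */
};

/*
 * NOTE(review): this header does not state the byte order expected for
 * spi, dip and sip. A key built in the wrong byte order will not match
 * the rule it was meant for - confirm against the implementation.
 */

/** SAD key for SAs that use IPv4 addresses. */
struct rte_ipsec_sadv4_key {
	uint32_t spi;
	uint32_t dip;
	uint32_t sip;
};

/** SAD key for SAs that use IPv6 addresses. */
struct rte_ipsec_sadv6_key {
	uint32_t spi;
	uint8_t dip[16];
	uint8_t sip[16];
};

/**
 * SAD key. Both members share storage and start with spi.
 * NOTE(review): presumably the member that is read is selected by
 * RTE_IPSEC_SAD_FLAG_IPV6 at creation time - confirm.
 */
union rte_ipsec_sad_key {
	struct rte_ipsec_sadv4_key v4;
	struct rte_ipsec_sadv6_key v6;
};

/** Max number of characters in SAD name. */
#define RTE_IPSEC_SAD_NAMESIZE		64
/** Flag to create SAD with ipv6 dip and sip addresses */
#define RTE_IPSEC_SAD_FLAG_IPV6			0x1
/** Flag to support reader writer concurrency */
#define RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY	0x2

/** IPsec SAD configuration structure */
struct rte_ipsec_sad_conf {
	/** CPU socket ID where rte_ipsec_sad should be allocated */
	int socket_id;
	/**
	 * maximum number of SA for each type of key,
	 * indexed by the RTE_IPSEC_SAD_SPI_* key type value
	 */
	uint32_t max_sa[RTE_IPSEC_SAD_KEY_TYPE_MASK];
	/** RTE_IPSEC_SAD_FLAG_* flags */
	uint32_t flags;
};

/**
 * Add a rule into the SAD. Could be safely called with concurrent lookups
 * if RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was configured on creation time.
 * While with this flag the multi-reader - one-writer model is MT safe,
 * the multi-writer model is not and requires extra synchronisation.
 *
 * NOTE(review): this header does not say who owns @p sa after the call.
 * Presumably the caller must keep it valid for as long as the rule can be
 * returned by a lookup - confirm before freeing SA memory.
 *
 * @param sad
 *   SAD object handle
 * @param key
 *   pointer to the key
 * @param key_type
 *   key type (spi only/spi+dip/spi+dip+sip),
 *   one of the RTE_IPSEC_SAD_SPI_* values
 * @param sa
 *   Pointer associated with the key to save in a SAD
 *   Must be 4 bytes aligned.
 * @return
 *   0 on success, negative value otherwise
 */
int
rte_ipsec_sad_add(struct rte_ipsec_sad *sad,
	const union rte_ipsec_sad_key *key,
	int key_type, void *sa);

/**
 * Delete a rule from the SAD. Could be safely called with concurrent lookups
 * if RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was configured on creation time.
 * While with this flag the multi-reader - one-writer model is MT safe,
 * the multi-writer model is not and requires extra synchronisation.
 *
 * NOTE(review): nothing here states when a concurrent reader stops seeing
 * the sa pointer of a deleted rule. Treat the SA as possibly still in use
 * after this call returns until that is confirmed.
 *
 * @param sad
 *   SAD object handle
 * @param key
 *   pointer to the key
 * @param key_type
 *   key type (spi only/spi+dip/spi+dip+sip),
 *   one of the RTE_IPSEC_SAD_SPI_* values
 * @return
 *   0 on success, negative value otherwise
 */
int
rte_ipsec_sad_del(struct rte_ipsec_sad *sad,
	const union rte_ipsec_sad_key *key,
	int key_type);

/**
 * Create SAD
 *
 * @param name
 *   SAD name
 *   NOTE(review): see RTE_IPSEC_SAD_NAMESIZE; whether that limit includes
 *   the terminating NUL is not stated here - confirm.
 * @param conf
 *   Structure containing the configuration
 * @return
 *   Handle to SAD object on success
 *   NULL otherwise with rte_errno set to an appropriate value.
 */
struct rte_ipsec_sad *
rte_ipsec_sad_create(const char *name, const struct rte_ipsec_sad_conf *conf);

/**
 * Find an existing SAD object and return a pointer to it.
 *
 * @param name
 *   Name of the SAD object as passed to rte_ipsec_sad_create()
 * @return
 *   Pointer to sad object or NULL if object not found with rte_errno
 *   set appropriately. Possible rte_errno values include:
 *    - ENOENT - required entry not available to return.
 */
struct rte_ipsec_sad *
rte_ipsec_sad_find_existing(const char *name);

/**
 * Destroy SAD object.
 *
 * NOTE(review): this header gives no guarantee for lookups that are still
 * running when the SAD is destroyed. Presumably the caller must stop all
 * readers and writers first - confirm.
 *
 * @param sad
 *   pointer to the SAD object
 * @return
 *   None
 */
void
rte_ipsec_sad_destroy(struct rte_ipsec_sad *sad);

/**
 * Lookup multiple keys in the SAD.
 *
 * @param sad
 *   SAD object handle
 * @param keys
 *   Array of keys to be looked up in the SAD
 * @param sa
 *   Pointer associated with the keys.
 *   If the lookup for the given key failed, then corresponding sa
 *   will be NULL
 *   NOTE(review): presumably an output array with room for n entries;
 *   check each entry for NULL rather than relying on the return count.
 * @param n
 *   Number of elements in keys array to lookup.
 * @return
 *   -EINVAL for incorrect arguments, otherwise number of successful lookups.
 */
int
rte_ipsec_sad_lookup(const struct rte_ipsec_sad *sad,
	const union rte_ipsec_sad_key *keys[],
	void *sa[], uint32_t n);

#ifdef __cplusplus
}
#endif

#endif /* _RTE_IPSEC_SAD_H_ */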