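/* SPDX-License-Identifier: BSD-3-Clause
 * Copyright(c) 2019 Intel Corporation
 */

#ifndef _RTE_IPSEC_SAD_H_
#define _RTE_IPSEC_SAD_H_

/* uint32_t / uint8_t are used below; include them so the header is self-contained. */
#include <stdint.h>

#include <rte_compat.h>

/**
 * @file rte_ipsec_sad.h
 *
 * RTE IPsec security association database (SAD) support.
 * Contains helper functions to lookup and maintain SAD
 *
 * The SAD maps a key (SPI, optionally with destination and source address)
 * to an opaque caller-supplied pointer. This header does not describe any
 * transfer of ownership for that pointer.
 * NOTE(review): presumably the caller keeps ownership of the stored SA
 * objects and must keep them valid for as long as a lookup can return them;
 * confirm against the implementation.
 */

#ifdef __cplusplus
extern "C" {
#endif

/** Opaque SAD handle; the layout is private to the library. */
struct rte_ipsec_sad;

/**
 * Type of key.
 *
 * The first three values select which key fields take part in a rule.
 * RTE_IPSEC_SAD_KEY_TYPE_MASK is the enumerator after the last key type and
 * is used below as the element count of rte_ipsec_sad_conf::max_sa; it is
 * not itself a key type.
 */
enum {
	RTE_IPSEC_SAD_SPI_ONLY = 0,
	RTE_IPSEC_SAD_SPI_DIP,
	RTE_IPSEC_SAD_SPI_DIP_SIP,
	RTE_IPSEC_SAD_KEY_TYPE_MASK,
};

/**
 * IPv4 flavour of the SAD key.
 *
 * NOTE(review): the byte order of spi/dip/sip is not stated in this header.
 * Whatever order is used must be the same for add, delete and lookup,
 * otherwise inbound packets will not match their rule; confirm the expected
 * order against the implementation.
 */
struct rte_ipsec_sadv4_key {
	uint32_t spi;	/**< Security Parameters Index */
	uint32_t dip;	/**< destination IPv4 address */
	uint32_t sip;	/**< source IPv4 address */
};

/** IPv6 flavour of the SAD key; same fields, 16-byte addresses. */
struct rte_ipsec_sadv6_key {
	uint32_t spi;		/**< Security Parameters Index */
	uint8_t dip[16];	/**< destination IPv6 address */
	uint8_t sip[16];	/**< source IPv6 address */
};

/**
 * Key as passed to the API.
 *
 * The union carries no discriminator of its own.
 * NOTE(review): presumably the member that is read is chosen by whether the
 * SAD was created with RTE_IPSEC_SAD_FLAG_IPV6; confirm, and make sure
 * callers fill the member that matches the SAD they pass.
 */
union rte_ipsec_sad_key {
	struct rte_ipsec_sadv4_key	v4;
	struct rte_ipsec_sadv6_key	v6;
};

/**
 * Max number of characters in SAD name.
 * NOTE(review): whether this count includes the terminating NUL is not
 * stated here; confirm before sizing name buffers.
 */
#define RTE_IPSEC_SAD_NAMESIZE		64
/** Flag to create SAD with ipv6 dip and sip addresses */
#define RTE_IPSEC_SAD_FLAG_IPV6			0x1
/** Flag to support reader writer concurrency */
#define RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY	0x2

/** IPsec SAD configuration structure */
struct rte_ipsec_sad_conf {
	/** CPU socket ID where rte_ipsec_sad should be allocated */
	int		socket_id;
	/**
	 * maximum number of SA for each type of key,
	 * indexed by the RTE_IPSEC_SAD_SPI_* key type values
	 */
	uint32_t	max_sa[RTE_IPSEC_SAD_KEY_TYPE_MASK];
	/** RTE_IPSEC_SAD_FLAG_* flags */
	uint32_t	flags;
};

/**
 * Add a rule into the SAD. Could be safely called with concurrent lookups
 * if RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was configured on creation time.
 * While with this flag the multi-reader - one-writer model is MT safe,
 * the multi-writer model is not and requires extra synchronisation
 * provided by the caller.
 *
 * @param sad
 *   SAD object handle
 * @param key
 *   pointer to the key
 * @param key_type
 *   key type (spi only/spi+dip/spi+dip+sip),
 *   one of the RTE_IPSEC_SAD_SPI_* values
 * @param sa
 *   Pointer associated with the key to save in a SAD
 *   Must be 4 bytes aligned.
 *   NOTE(review): the alignment requirement suggests the low bits of the
 *   stored value are reserved for internal use; confirm, and do not pass
 *   tagged or packed pointers.
 * @return
 *   0 on success, negative value otherwise
 */
int
rte_ipsec_sad_add(struct rte_ipsec_sad *sad,
	const union rte_ipsec_sad_key *key,
	int key_type, void *sa);

/**
 * Delete a rule from the SAD. Could be safely called with concurrent lookups
 * if RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was configured on creation time.
 * While with this flag the multi-reader - one-writer model is MT safe,
 * the multi-writer model is not and requires extra synchronisation
 * provided by the caller.
 *
 * NOTE(review): this header does not say when the SA object behind a deleted
 * rule may be released. A lookup running concurrently with the delete may
 * already have returned the pointer, so presumably the caller has to wait
 * for in-flight readers before freeing or reusing that SA; confirm.
 *
 * @param sad
 *   SAD object handle
 * @param key
 *   pointer to the key
 * @param key_type
 *   key type (spi only/spi+dip/spi+dip+sip),
 *   one of the RTE_IPSEC_SAD_SPI_* values
 * @return
 *   0 on success, negative value otherwise
 */
int
rte_ipsec_sad_del(struct rte_ipsec_sad *sad,
	const union rte_ipsec_sad_key *key,
	int key_type);

/**
 * Create SAD
 *
 * @param name
 *  SAD name
 * @param conf
 *  Structure containing the configuration
 * @return
 *  Handle to SAD object on success
 *  NULL otherwise with rte_errno set to an appropriate value.
 */
struct rte_ipsec_sad *
rte_ipsec_sad_create(const char *name, const struct rte_ipsec_sad_conf *conf);

/**
 * Find an existing SAD object and return a pointer to it.
 *
 * @param name
 *  Name of the SAD object as passed to rte_ipsec_sad_create()
 * @return
 *  Pointer to sad object or NULL if object not found with rte_errno
 *  set appropriately. Possible rte_errno values include:
 *   - ENOENT - required entry not available to return.
 */
struct rte_ipsec_sad *
rte_ipsec_sad_find_existing(const char *name);

/**
 * Destroy SAD object.
 *
 * NOTE(review): nothing here says the SA objects referenced by the rules are
 * released; presumably only the SAD itself is freed and the caller remains
 * responsible for the SAs (and for wiping any key material they hold).
 *
 * @param sad
 *   pointer to the SAD object
 * @return
 *   None
 */
void
rte_ipsec_sad_destroy(struct rte_ipsec_sad *sad);

/**
 * Lookup multiple keys in the SAD.
 *
 * No key type is passed to this call.
 * NOTE(review): presumably every key must have spi, dip and sip filled in so
 * that rules of any key type can match; confirm.
 *
 * @param sad
 *   SAD object handle
 * @param keys
 *   Array of keys to be looked up in the SAD
 * @param sa
 *   Output array of pointers associated with the keys; it must have room
 *   for n entries.
 *   If the lookup for the given key failed, then corresponding sa
 *   will be NULL. Callers must check every entry before dereferencing it;
 *   a return value smaller than n means at least one entry is NULL.
 * @param n
 *   Number of elements in keys array to lookup.
 * @return
 *   -EINVAL for incorrect arguments, otherwise number of successful lookups.
 */
int
rte_ipsec_sad_lookup(const struct rte_ipsec_sad *sad,
	const union rte_ipsec_sad_key *keys[],
	void *sa[], uint32_t n);

#ifdef __cplusplus
}
#endif

#endif /* _RTE_IPSEC_SAD_H_ */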