1 
2 /* SPDX-License-Identifier: BSD-3-Clause
3  * Copyright(c) 2019 Intel Corporation
4  */
5 
6 #ifndef _RTE_IPSEC_SAD_H_
7 #define _RTE_IPSEC_SAD_H_
8 
9 #include <stdint.h>
10 
11 #include <rte_ip6.h>
12 
13 /**
14  * @file rte_ipsec_sad.h
15  *
16  * RTE IPsec security association database (SAD) support.
17  * Contains helper functions to look up and maintain the SAD.
18  */
19 
20 #ifdef __cplusplus
21 extern "C" {
22 #endif
23 
24 struct rte_ipsec_sad;
25 
26 /** Type of key (spi only / spi+dip / spi+dip+sip), passed as key_type to rte_ipsec_sad_add() and rte_ipsec_sad_del() */
27 enum {
28 	RTE_IPSEC_SAD_SPI_ONLY = 0, /**< rule keyed on the SPI alone */
29 	RTE_IPSEC_SAD_SPI_DIP, /**< rule keyed on SPI + dip */
30 	RTE_IPSEC_SAD_SPI_DIP_SIP, /**< rule keyed on SPI + dip + sip */
31 	RTE_IPSEC_SAD_KEY_TYPE_MASK, /**< last enumerator (value 3); despite the name it is used as a count: it sizes max_sa[] in struct rte_ipsec_sad_conf */
32 };
33 
34 struct rte_ipsec_sadv4_key { /* SAD key for IPv4 addresses; v4 member of union rte_ipsec_sad_key */
35 	uint32_t spi; /**< SPI; part of every key type */
36 	uint32_t dip; /**< destination IPv4 address; NOTE(review): byte order is not stated in this header - confirm against the implementation */
37 	uint32_t sip; /**< source IPv4 address; same byte-order caveat as dip */
38 };
39 
40 struct rte_ipsec_sadv6_key { /* SAD key for IPv6 addresses; v6 member of union rte_ipsec_sad_key */
41 	uint32_t spi; /**< SPI; part of every key type; NOTE(review): byte order is not stated in this header - confirm */
42 	struct rte_ipv6_addr dip; /**< destination IPv6 address */
43 	struct rte_ipv6_addr sip; /**< source IPv6 address */
44 };
45 
46 union rte_ipsec_sad_key { /* key as passed to add/del/lookup; NOTE(review): presumably the member read is the one matching the SAD's RTE_IPSEC_SAD_FLAG_IPV6 setting - confirm */
47 	struct rte_ipsec_sadv4_key	v4; /**< IPv4 form of the key */
48 	struct rte_ipsec_sadv6_key	v6; /**< IPv6 form of the key */
49 };
50 
51 /** Max number of characters in SAD name. NOTE(review): whether this count includes the terminating NUL is not stated here - confirm before sizing name buffers. */
52 #define RTE_IPSEC_SAD_NAMESIZE		64
53 /** Flag to create a SAD with IPv6 dip and sip addresses; set in rte_ipsec_sad_conf.flags */
54 #define RTE_IPSEC_SAD_FLAG_IPV6			0x1
55 /** Flag to support reader-writer concurrency: add/del may then run alongside lookups, with a single writer at a time */
56 #define RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY	0x2
57 
58 /** IPsec SAD configuration structure, passed to rte_ipsec_sad_create() */
59 struct rte_ipsec_sad_conf {
60 	/** CPU socket ID where rte_ipsec_sad should be allocated */
61 	int		socket_id;
62 	/** Maximum number of SAs for each type of key; one slot per key type (RTE_IPSEC_SAD_SPI_ONLY, _SPI_DIP, _SPI_DIP_SIP) */
63 	uint32_t	max_sa[RTE_IPSEC_SAD_KEY_TYPE_MASK];
64 	/** RTE_IPSEC_SAD_FLAG_* flags (the defined values 0x1 and 0x2 are distinct bits) */
65 	uint32_t	flags;
66 };
67 
68 /**
69  * Add a rule into the SAD. Can be safely called with concurrent lookups
70  *  if the RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was configured at creation time.
71  *  Even with this flag, only the multi-reader / one-writer model is MT safe;
72  *  the multi-writer model is not and requires extra synchronisation.
73  *
74  * @param sad
75  *   SAD object handle
76  * @param key
77  *   pointer to the key
78  * @param key_type
79  *   key type (spi only/spi+dip/spi+dip+sip), i.e. RTE_IPSEC_SAD_SPI_ONLY, RTE_IPSEC_SAD_SPI_DIP or RTE_IPSEC_SAD_SPI_DIP_SIP
80  * @param sa
81  *   Pointer associated with the key to save in a SAD
82  *   Must be 4 bytes aligned. NOTE(review): ownership is not stated here; presumably the caller keeps the pointed-to object valid for as long as the rule exists - confirm.
83  * @return
84  *   0 on success, negative value otherwise
85  */
86 int
87 rte_ipsec_sad_add(struct rte_ipsec_sad *sad,
88 	const union rte_ipsec_sad_key *key,
89 	int key_type, void *sa);
90 
91 /**
92  * Delete a rule from the SAD. Can be safely called with concurrent lookups
93  *  if the RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was configured at creation time.
94  *  Even with this flag, only the multi-reader / one-writer model is MT safe;
95  *  the multi-writer model is not and requires extra synchronisation.
96  *  NOTE(review): this header does not say when a concurrent lookup stops returning the deleted rule's sa pointer - confirm before releasing the SA object.
97  * @param sad
98  *   SAD object handle
99  * @param key
100  *   pointer to the key
101  * @param key_type
102  *   key type (spi only/spi+dip/spi+dip+sip), i.e. RTE_IPSEC_SAD_SPI_ONLY, RTE_IPSEC_SAD_SPI_DIP or RTE_IPSEC_SAD_SPI_DIP_SIP
103  * @return
104  *   0 on success, negative value otherwise
105  */
106 int
107 rte_ipsec_sad_del(struct rte_ipsec_sad *sad,
108 	const union rte_ipsec_sad_key *key,
109 	int key_type);
110 /**
111  * Create SAD
112  *
113  * @param name
114  *  SAD name. NOTE(review): presumably bounded by RTE_IPSEC_SAD_NAMESIZE - confirm.
115  * @param conf
116  *  Structure containing the configuration
117  * @return
118  *  Handle to SAD object on success
119  *  NULL otherwise with rte_errno set to an appropriate value.
120  */
121 struct rte_ipsec_sad *
122 rte_ipsec_sad_create(const char *name, const struct rte_ipsec_sad_conf *conf);
123 
124 /**
125  * Find an existing SAD object and return a pointer to it.
126  * NOTE(review): no reference counting is visible in this header; presumably the caller must ensure the SAD is not destroyed while the returned handle is in use - confirm.
127  * @param name
128  *  Name of the SAD object as passed to rte_ipsec_sad_create()
129  * @return
130  *  Pointer to the SAD object, or NULL if the object was not found, with rte_errno
131  *  set appropriately. Possible rte_errno values include:
132  *   - ENOENT - required entry not available to return.
133  */
134 struct rte_ipsec_sad *
135 rte_ipsec_sad_find_existing(const char *name);
136 
137 /**
138  * Destroy SAD object.
139  * NOTE(review): this header does not say what happens to the sa pointers stored via rte_ipsec_sad_add(); presumably they are not released here - confirm.
140  * @param sad
141  *   pointer to the SAD object. NOTE(review): whether NULL is accepted is not stated here - confirm.
142  */
143 void
144 rte_ipsec_sad_destroy(struct rte_ipsec_sad *sad);
145 
146 /**
147  * Lookup multiple keys in the SAD.
148  *
149  * @param sad
150  *   SAD object handle
151  * @param keys
152  *   Array of pointers to the keys to be looked up in the SAD
153  * @param sa
154  *   Output array of pointers associated with the keys.
155  *   If the lookup for the given key failed, then the corresponding sa
156  *   will be NULL. NOTE(review): presumably the array must have room for n entries - confirm.
157  * @param n
158  *   Number of elements in keys array to lookup.
159  * @return
160  *   -EINVAL for incorrect arguments, otherwise number of successful lookups. The count does not identify which keys matched, so check each sa entry for NULL before using it.
161  */
162 int
163 rte_ipsec_sad_lookup(const struct rte_ipsec_sad *sad,
164 	const union rte_ipsec_sad_key *keys[],
165 	void *sa[], uint32_t n);
166 
167 #ifdef __cplusplus
168 }
169 #endif
170 
171 #endif /* _RTE_IPSEC_SAD_H_ */
172