2 /* SPDX-License-Identifier: BSD-3-Clause
3 * Copyright(c) 2019 Intel Corporation
6 #ifndef _RTE_IPSEC_SAD_H_
7 #define _RTE_IPSEC_SAD_H_
9 #include <rte_compat.h>
12 * @file rte_ipsec_sad.h
14 * RTE IPsec security association database (SAD) support.
15 * Contains helper functions to lookup and maintain SAD
26 RTE_IPSEC_SAD_SPI_ONLY = 0,
27 RTE_IPSEC_SAD_SPI_DIP,
28 RTE_IPSEC_SAD_SPI_DIP_SIP,
29 RTE_IPSEC_SAD_KEY_TYPE_MASK,
32 struct rte_ipsec_sadv4_key {
38 struct rte_ipsec_sadv6_key {
44 union rte_ipsec_sad_key {
45 struct rte_ipsec_sadv4_key v4;
46 struct rte_ipsec_sadv6_key v6;
49 /**
 * Max number of characters in SAD name.
 * NOTE(review): this header does not show whether the count includes the
 * terminating NUL; confirm before sizing or copying name buffers.
 */
50 #define RTE_IPSEC_SAD_NAMESIZE 64
51 /**
 * Flag to create SAD with IPv6 dip and sip addresses.
 * One of the RTE_IPSEC_SAD_FLAG_* values supplied through
 * struct rte_ipsec_sad_conf.
 */
52 #define RTE_IPSEC_SAD_FLAG_IPV6 0x1
53 /**
 * Flag to support reader-writer concurrency.
 * Per the rte_ipsec_sad_add()/rte_ipsec_sad_del() descriptions in this
 * header, setting it at creation time allows add/delete to run concurrently
 * with lookups. It covers a single writer only: multiple writers still need
 * external synchronisation.
 */
54 #define RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY 0x2
56 /** IPsec SAD configuration structure */
57 struct rte_ipsec_sad_conf {
58 /** CPU socket ID where rte_ipsec_sad should be allocated */
60 /** maximum number of SA for each type of key */
61 uint32_t max_sa[RTE_IPSEC_SAD_KEY_TYPE_MASK];
62 /** RTE_IPSEC_SAD_FLAG_* flags */
67 * Add a rule into the SAD. Can be safely called concurrently with lookups
68 * if the RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was set at creation time.
69 * With this flag the multi-reader/one-writer model is MT safe, but the
70 * multi-writer model is not and requires extra synchronisation.
77 * key type (spi only/spi+dip/spi+dip+sip)
79 * Pointer associated with the key to save in a SAD
80 * Must be 4-byte aligned.
82 * 0 on success, negative value otherwise
85 rte_ipsec_sad_add(struct rte_ipsec_sad *sad,
86 const union rte_ipsec_sad_key *key,
87 int key_type, void *sa);
90 * Delete a rule from the SAD. Can be safely called concurrently with lookups
91 * if the RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was set at creation time.
92 * With this flag the multi-reader/one-writer model is MT safe, but the
93 * multi-writer model is not and requires extra synchronisation.
100 * key type (spi only/spi+dip/spi+dip+sip)
102 * 0 on success, negative value otherwise
105 rte_ipsec_sad_del(struct rte_ipsec_sad *sad,
106 const union rte_ipsec_sad_key *key,
114 * Structure containing the configuration
116 * Handle to SAD object on success
117 * NULL otherwise, with rte_errno set to an appropriate value.
/*
 * Creates a SAD object from a name and a configuration structure.
 * The result is NULL on failure (rte_errno is set), so it must be checked
 * before being handed to any other rte_ipsec_sad_* call.
 * NOTE(review): presumably name has to fit within RTE_IPSEC_SAD_NAMESIZE and
 * conf must be non-NULL; neither requirement is stated here - confirm
 * against the implementation.
 */
119 struct rte_ipsec_sad *
120 rte_ipsec_sad_create(const char *name, const struct rte_ipsec_sad_conf *conf);
123 * Find an existing SAD object and return a pointer to it.
126 * Name of the SAD object as passed to rte_ipsec_sad_create()
128 * Pointer to sad object or NULL if object not found with rte_errno
129 * set appropriately. Possible rte_errno values include:
130 * - ENOENT - required entry not available to return.
/*
 * Looks up a SAD by the name given to rte_ipsec_sad_create() and returns a
 * pointer to it, or NULL with rte_errno set (ENOENT when no entry exists).
 * NOTE(review): this header describes no reference counting, so the returned
 * pointer presumably stays valid only until rte_ipsec_sad_destroy() is
 * called on that SAD; callers sharing a SAD by name need to coordinate its
 * lifetime themselves - confirm.
 */
132 struct rte_ipsec_sad *
133 rte_ipsec_sad_find_existing(const char *name);
136 * Destroy SAD object.
139 * pointer to the SAD object
144 rte_ipsec_sad_destroy(struct rte_ipsec_sad *sad);
147 * Lookup multiple keys in the SAD.
152 * Array of keys to be looked up in the SAD
154 * Pointers associated with the keys.
155 * If the lookup for the given key failed, then corresponding sa
158 * Number of elements in keys array to lookup.
160 * -EINVAL for incorrect arguments, otherwise number of successful lookups.
163 rte_ipsec_sad_lookup(const struct rte_ipsec_sad *sad,
164 const union rte_ipsec_sad_key *keys[],
165 void *sa[], uint32_t n);
171 #endif /* _RTE_IPSEC_SAD_H_ */