2 /* SPDX-License-Identifier: BSD-3-Clause
3 * Copyright(c) 2019 Intel Corporation
6 #ifndef _RTE_IPSEC_SAD_H_
7 #define _RTE_IPSEC_SAD_H_
9 #include <rte_compat.h>
12 * @file rte_ipsec_sad.h
13 * @b EXPERIMENTAL: this API may change without prior notice
15 * RTE IPsec security association database (SAD) support.
16 * Contains helper functions to look up and maintain the SAD
27 RTE_IPSEC_SAD_SPI_ONLY = 0,
28 RTE_IPSEC_SAD_SPI_DIP,
29 RTE_IPSEC_SAD_SPI_DIP_SIP,
30 RTE_IPSEC_SAD_KEY_TYPE_MASK,
33 struct rte_ipsec_sadv4_key {
39 struct rte_ipsec_sadv6_key {
45 union rte_ipsec_sad_key {
46 struct rte_ipsec_sadv4_key v4;
47 struct rte_ipsec_sadv6_key v6;
50 /** Max number of characters in SAD name. */
51 #define RTE_IPSEC_SAD_NAMESIZE 64
52 /** Flag to create SAD with ipv6 dip and sip addresses */
53 #define RTE_IPSEC_SAD_FLAG_IPV6 0x1
54 /** Flag to support reader writer concurrency */
55 #define RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY 0x2
57 /** IPsec SAD configuration structure */
58 struct rte_ipsec_sad_conf {
59 /** CPU socket ID where rte_ipsec_sad should be allocated */
61 /** maximum number of SA for each type of key */
62 uint32_t max_sa[RTE_IPSEC_SAD_KEY_TYPE_MASK];
63 /** RTE_IPSEC_SAD_FLAG_* flags */
68 * Add a rule into the SAD. Can be safely called concurrently with lookups
69 * if the RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was set at creation time.
70 * With this flag the multi-reader/single-writer model is MT safe, but the
71 * multi-writer model is not and requires extra synchronisation.
78 * key type (spi only/spi+dip/spi+dip+sip)
80 * Pointer associated with the key, to be saved in the SAD.
81 * Must be 4-byte aligned.
83 * 0 on success, negative value otherwise
87 rte_ipsec_sad_add(struct rte_ipsec_sad *sad,
88 const union rte_ipsec_sad_key *key,
89 int key_type, void *sa);
92 * Delete a rule from the SAD. Can be safely called concurrently with lookups
93 * if the RTE_IPSEC_SAD_FLAG_RW_CONCURRENCY flag was set at creation time.
94 * With this flag the multi-reader/single-writer model is MT safe, but the
95 * multi-writer model is not and requires extra synchronisation.
102 * key type (spi only/spi+dip/spi+dip+sip)
104 * 0 on success, negative value otherwise
108 rte_ipsec_sad_del(struct rte_ipsec_sad *sad,
109 const union rte_ipsec_sad_key *key,
117 * Structure containing the configuration
119 * Handle to SAD object on success
120 * NULL otherwise, with rte_errno set to an appropriate value.
123 struct rte_ipsec_sad *
124 rte_ipsec_sad_create(const char *name, const struct rte_ipsec_sad_conf *conf);
127 * Find an existing SAD object and return a pointer to it.
130 * Name of the SAD object as passed to rte_ipsec_sad_create()
132 * Pointer to sad object or NULL if object not found with rte_errno
133 * set appropriately. Possible rte_errno values include:
134 * - ENOENT - required entry not available to return.
137 struct rte_ipsec_sad *
138 rte_ipsec_sad_find_existing(const char *name);
141 * Destroy SAD object.
144 * pointer to the SAD object
150 rte_ipsec_sad_destroy(struct rte_ipsec_sad *sad);
153 * Lookup multiple keys in the SAD.
158 * Array of keys to be looked up in the SAD
160 * Pointer associated with the keys.
161 * If the lookup for the given key failed, then corresponding sa
164 * Number of elements in keys array to lookup.
166 * -EINVAL for incorrect arguments, otherwise number of successful lookups.
170 rte_ipsec_sad_lookup(const struct rte_ipsec_sad *sad,
171 const union rte_ipsec_sad_key *keys[],
172 void *sa[], uint32_t n);
178 #endif /* _RTE_IPSEC_SAD_H_ */