#define MAX_ACL_RULE_NUM 1024
+#define IPV6_FROM_SP(acr, fidx_low, fidx_high) \
+ (((uint64_t)(acr).field[(fidx_high)].value.u32 << 32) | \
+ (acr).field[(fidx_low)].value.u32)
+
+#define IPV6_DST_FROM_SP(addr, acr) do {\
+ (addr).ip.ip6.ip6[0] = rte_cpu_to_be_64(IPV6_FROM_SP((acr), \
+ IP6_DST1, IP6_DST0));\
+ (addr).ip.ip6.ip6[1] = rte_cpu_to_be_64(IPV6_FROM_SP((acr), \
+ IP6_DST3, IP6_DST2));\
+ } while (0)
+
+#define IPV6_SRC_FROM_SP(addr, acr) do {\
+ (addr).ip.ip6.ip6[0] = rte_cpu_to_be_64(IPV6_FROM_SP((acr), \
+ IP6_SRC1, IP6_SRC0));\
+ (addr).ip.ip6.ip6[1] = rte_cpu_to_be_64(IPV6_FROM_SP((acr), \
+ IP6_SRC3, IP6_SRC2));\
+ } while (0)
+
+#define IPV6_DST_MASK_FROM_SP(mask, acr) \
+ ((mask) = (acr).field[IP6_DST0].mask_range.u32 + \
+ (acr).field[IP6_DST1].mask_range.u32 + \
+ (acr).field[IP6_DST2].mask_range.u32 + \
+ (acr).field[IP6_DST3].mask_range.u32)
+
+#define IPV6_SRC_MASK_FROM_SP(mask, acr) \
+ ((mask) = (acr).field[IP6_SRC0].mask_range.u32 + \
+ (acr).field[IP6_SRC1].mask_range.u32 + \
+ (acr).field[IP6_SRC2].mask_range.u32 + \
+ (acr).field[IP6_SRC3].mask_range.u32)
+
enum {
IP6_PROTO,
IP6_SRC0,
uint32_t *ri = NULL; /* rule index */
uint32_t ti = 0; /* token index */
+ uint32_t tv;
uint32_t esp_p = 0;
uint32_t protect_p = 0;
if (status->status < 0)
return;
- rule_ipv6->data.userdata =
- PROTECT(atoi(tokens[ti]));
+ tv = atoi(tokens[ti]);
+ APP_CHECK(tv != DISCARD && tv != BYPASS, status,
+ "invalid SPI: %s", tokens[ti]);
+ if (status->status < 0)
+ return;
+ rule_ipv6->data.userdata = tv;
protect_p = 1;
continue;
return ctx;
}
+/*
+ * check that for each rule it's SPI has a correspondent entry in SAD
+ */
+static int
+check_spi_value(struct sa_ctx *sa_ctx, int inbound)
+{
+ uint32_t i, num, spi;
+ int32_t spi_idx;
+ struct acl6_rules *acr;
+
+ if (inbound != 0) {
+ acr = acl6_rules_in;
+ num = nb_acl6_rules_in;
+ } else {
+ acr = acl6_rules_out;
+ num = nb_acl6_rules_out;
+ }
+
+ for (i = 0; i != num; i++) {
+ spi = acr[i].data.userdata;
+ if (spi != DISCARD && spi != BYPASS) {
+ spi_idx = sa_spi_present(sa_ctx, spi, inbound);
+ if (spi_idx < 0) {
+ RTE_LOG(ERR, IPSEC,
+ "SPI %u is not present in SAD\n",
+ spi);
+ return -ENOENT;
+ }
+ /* Update userdata with spi index */
+ acr[i].data.userdata = spi_idx + 1;
+ }
+ }
+
+ return 0;
+}
+
void
sp6_init(struct socket_ctx *ctx, int32_t socket_id)
{
rte_exit(EXIT_FAILURE, "Outbound IPv6 SP DB for socket %u "
"already initialized\n", socket_id);
+ if (check_spi_value(ctx->sa_in, 1) < 0)
+ rte_exit(EXIT_FAILURE,
+ "Inbound IPv6 SP DB has unmatched in SAD SPIs\n");
+
+ if (check_spi_value(ctx->sa_out, 0) < 0)
+ rte_exit(EXIT_FAILURE,
+ "Outbound IPv6 SP DB has unmatched in SAD SPIs\n");
+
if (nb_acl6_rules_in > 0) {
name = "sp_ip6_in";
ctx->sp_ip6_in = (struct sp_ctx *)acl6_init(name,
RTE_LOG(WARNING, IPSEC, "No IPv6 SP Outbound rule "
"specified\n");
}
+
+/*
+ * Search though SP rules for given SPI.
+ */
+int
+sp6_spi_present(uint32_t spi, int inbound, struct ip_addr ip_addr[2],
+ uint32_t mask[2])
+{
+ uint32_t i, num;
+ const struct acl6_rules *acr;
+
+ if (inbound != 0) {
+ acr = acl6_rules_in;
+ num = nb_acl6_rules_in;
+ } else {
+ acr = acl6_rules_out;
+ num = nb_acl6_rules_out;
+ }
+
+ for (i = 0; i != num; i++) {
+ if (acr[i].data.userdata == spi) {
+ if (NULL != ip_addr && NULL != mask) {
+ IPV6_SRC_FROM_SP(ip_addr[0], acr[i]);
+ IPV6_DST_FROM_SP(ip_addr[1], acr[i]);
+ IPV6_SRC_MASK_FROM_SP(mask[0], acr[i]);
+ IPV6_DST_MASK_FROM_SP(mask[1], acr[i]);
+ }
+ return i;
+ }
+ }
+
+ return -ENOENT;
+}