1/*
2 * Copyright (c) 2015 Cisco and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
6 *
7 *     http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16#include <vnet/ipsec/ipsec.h>
17
18/**
19 * @brief
20 * Policy packet & bytes counters
21 */
22vlib_combined_counter_main_t ipsec_spd_policy_counters = {
23  .name = "policy",
24  .stat_segment_name = "/net/ipsec/policy",
25};
26
27static int
28ipsec_policy_is_equal (ipsec_policy_t * p1, ipsec_policy_t * p2)
29{
30  if (p1->priority != p2->priority)
31    return 0;
32  if (p1->type != p2->type)
33    return (0);
34  if (p1->policy != p2->policy)
35    return (0);
36  if (p1->sa_id != p2->sa_id)
37    return (0);
38  if (p1->protocol != p2->protocol)
39    return (0);
40  if (p1->lport.start != p2->lport.start)
41    return (0);
42  if (p1->lport.stop != p2->lport.stop)
43    return (0);
44  if (p1->rport.start != p2->rport.start)
45    return (0);
46  if (p1->rport.stop != p2->rport.stop)
47    return (0);
48  if (p1->is_ipv6 != p2->is_ipv6)
49    return (0);
50  if (p2->is_ipv6)
51    {
52      if (p1->laddr.start.ip6.as_u64[0] != p2->laddr.start.ip6.as_u64[0])
53	return (0);
54      if (p1->laddr.start.ip6.as_u64[1] != p2->laddr.start.ip6.as_u64[1])
55	return (0);
56      if (p1->laddr.stop.ip6.as_u64[0] != p2->laddr.stop.ip6.as_u64[0])
57	return (0);
58      if (p1->laddr.stop.ip6.as_u64[1] != p2->laddr.stop.ip6.as_u64[1])
59	return (0);
60      if (p1->raddr.start.ip6.as_u64[0] != p2->raddr.start.ip6.as_u64[0])
61	return (0);
62      if (p1->raddr.start.ip6.as_u64[1] != p2->raddr.start.ip6.as_u64[1])
63	return (0);
64      if (p1->raddr.stop.ip6.as_u64[0] != p2->raddr.stop.ip6.as_u64[0])
65	return (0);
66      if (p1->laddr.stop.ip6.as_u64[1] != p2->laddr.stop.ip6.as_u64[1])
67	return (0);
68    }
69  else
70    {
71      if (p1->laddr.start.ip4.as_u32 != p2->laddr.start.ip4.as_u32)
72	return (0);
73      if (p1->laddr.stop.ip4.as_u32 != p2->laddr.stop.ip4.as_u32)
74	return (0);
75      if (p1->raddr.start.ip4.as_u32 != p2->raddr.start.ip4.as_u32)
76	return (0);
77      if (p1->raddr.stop.ip4.as_u32 != p2->raddr.stop.ip4.as_u32)
78	return (0);
79    }
80  return (1);
81}
82
83static int
84ipsec_spd_entry_sort (void *a1, void *a2)
85{
86  ipsec_main_t *im = &ipsec_main;
87  u32 *id1 = a1;
88  u32 *id2 = a2;
89  ipsec_policy_t *p1, *p2;
90
91  p1 = pool_elt_at_index (im->policies, *id1);
92  p2 = pool_elt_at_index (im->policies, *id2);
93  if (p1 && p2)
94    return p2->priority - p1->priority;
95
96  return 0;
97}
98
99int
100ipsec_policy_mk_type (bool is_outbound,
101		      bool is_ipv6,
102		      ipsec_policy_action_t action,
103		      ipsec_spd_policy_type_t * type)
104{
105  if (is_outbound)
106    {
107      *type = (is_ipv6 ?
108	       IPSEC_SPD_POLICY_IP6_OUTBOUND : IPSEC_SPD_POLICY_IP4_OUTBOUND);
109      return (0);
110    }
111  else
112    {
113      switch (action)
114	{
115	case IPSEC_POLICY_ACTION_PROTECT:
116	  *type = (is_ipv6 ?
117		   IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT :
118		   IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT);
119	  return (0);
120	case IPSEC_POLICY_ACTION_BYPASS:
121	  *type = (is_ipv6 ?
122		   IPSEC_SPD_POLICY_IP6_INBOUND_BYPASS :
123		   IPSEC_SPD_POLICY_IP4_INBOUND_BYPASS);
124	  return (0);
125	case IPSEC_POLICY_ACTION_DISCARD:
126	  *type = (is_ipv6 ?
127		   IPSEC_SPD_POLICY_IP6_INBOUND_DISCARD :
128		   IPSEC_SPD_POLICY_IP4_INBOUND_DISCARD);
129	  return (0);
130	case IPSEC_POLICY_ACTION_RESOLVE:
131	  break;
132	}
133    }
134
135  /* Unsupported type */
136  return (-1);
137}
138
139int
140ipsec_add_del_policy (vlib_main_t * vm,
141		      ipsec_policy_t * policy, int is_add, u32 * stat_index)
142{
143  ipsec_main_t *im = &ipsec_main;
144  ipsec_spd_t *spd = 0;
145  ipsec_policy_t *vp;
146  u32 spd_index;
147  uword *p;
148
149  p = hash_get (im->spd_index_by_spd_id, policy->id);
150
151  if (!p)
152    return VNET_API_ERROR_SYSCALL_ERROR_1;
153
154  spd_index = p[0];
155  spd = pool_elt_at_index (im->spds, spd_index);
156  if (!spd)
157    return VNET_API_ERROR_SYSCALL_ERROR_1;
158
159  if (is_add)
160    {
161      u32 policy_index;
162
163      if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
164	{
165	  index_t sa_index = ipsec_sa_find_and_lock (policy->sa_id);
166
167	  if (INDEX_INVALID == sa_index)
168	    return VNET_API_ERROR_SYSCALL_ERROR_1;
169	  policy->sa_index = sa_index;
170	}
171      else
172	policy->sa_index = INDEX_INVALID;
173
174      pool_get (im->policies, vp);
175      clib_memcpy (vp, policy, sizeof (*vp));
176      policy_index = vp - im->policies;
177
178      vlib_validate_combined_counter (&ipsec_spd_policy_counters,
179				      policy_index);
180      vlib_zero_combined_counter (&ipsec_spd_policy_counters, policy_index);
181
182      vec_add1 (spd->policies[policy->type], policy_index);
183      vec_sort_with_function (spd->policies[policy->type],
184			      ipsec_spd_entry_sort);
185      *stat_index = policy_index;
186    }
187  else
188    {
189      u32 ii;
190
191      vec_foreach_index (ii, (spd->policies[policy->type]))
192      {
193	vp = pool_elt_at_index (im->policies,
194				spd->policies[policy->type][ii]);
195	if (ipsec_policy_is_equal (vp, policy))
196	  {
197	    vec_del1 (spd->policies[policy->type], ii);
198	    ipsec_sa_unlock (vp->sa_index);
199	    pool_put (im->policies, vp);
200	    break;
201	  }
202      }
203    }
204
205  return 0;
206}
207
208/*
209 * fd.io coding-style-patch-verification: ON
210 *
211 * Local Variables:
212 * eval: (c-set-style "gnu")
213 * End:
214 */
215