1999c8ee6SNeale Ranns/*
2999c8ee6SNeale Ranns * Copyright (c) 2015 Cisco and/or its affiliates.
3999c8ee6SNeale Ranns * Licensed under the Apache License, Version 2.0 (the "License");
4999c8ee6SNeale Ranns * you may not use this file except in compliance with the License.
5999c8ee6SNeale Ranns * You may obtain a copy of the License at:
6999c8ee6SNeale Ranns *
7999c8ee6SNeale Ranns *     http://www.apache.org/licenses/LICENSE-2.0
8999c8ee6SNeale Ranns *
9999c8ee6SNeale Ranns * Unless required by applicable law or agreed to in writing, software
10999c8ee6SNeale Ranns * distributed under the License is distributed on an "AS IS" BASIS,
11999c8ee6SNeale Ranns * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12999c8ee6SNeale Ranns * See the License for the specific language governing permissions and
13999c8ee6SNeale Ranns * limitations under the License.
14999c8ee6SNeale Ranns */
15999c8ee6SNeale Ranns
16999c8ee6SNeale Ranns#include <vnet/ipsec/ipsec.h>
17999c8ee6SNeale Ranns
18a09c1ff5SNeale Ranns/**
19a09c1ff5SNeale Ranns * @brief
20a09c1ff5SNeale Ranns * Policy packet & bytes counters
21a09c1ff5SNeale Ranns */
22a09c1ff5SNeale Rannsvlib_combined_counter_main_t ipsec_spd_policy_counters = {
23a09c1ff5SNeale Ranns  .name = "policy",
24a09c1ff5SNeale Ranns  .stat_segment_name = "/net/ipsec/policy",
25a09c1ff5SNeale Ranns};
26a09c1ff5SNeale Ranns
27a09c1ff5SNeale Rannsstatic int
28a09c1ff5SNeale Rannsipsec_policy_is_equal (ipsec_policy_t * p1, ipsec_policy_t * p2)
29a09c1ff5SNeale Ranns{
30a09c1ff5SNeale Ranns  if (p1->priority != p2->priority)
31a09c1ff5SNeale Ranns    return 0;
329f231d4fSNeale Ranns  if (p1->type != p2->type)
33a09c1ff5SNeale Ranns    return (0);
34a09c1ff5SNeale Ranns  if (p1->policy != p2->policy)
35a09c1ff5SNeale Ranns    return (0);
36a09c1ff5SNeale Ranns  if (p1->sa_id != p2->sa_id)
37a09c1ff5SNeale Ranns    return (0);
38a09c1ff5SNeale Ranns  if (p1->protocol != p2->protocol)
39a09c1ff5SNeale Ranns    return (0);
40a09c1ff5SNeale Ranns  if (p1->lport.start != p2->lport.start)
41a09c1ff5SNeale Ranns    return (0);
42a09c1ff5SNeale Ranns  if (p1->lport.stop != p2->lport.stop)
43a09c1ff5SNeale Ranns    return (0);
44a09c1ff5SNeale Ranns  if (p1->rport.start != p2->rport.start)
45a09c1ff5SNeale Ranns    return (0);
46a09c1ff5SNeale Ranns  if (p1->rport.stop != p2->rport.stop)
47a09c1ff5SNeale Ranns    return (0);
48a09c1ff5SNeale Ranns  if (p1->is_ipv6 != p2->is_ipv6)
49a09c1ff5SNeale Ranns    return (0);
50a09c1ff5SNeale Ranns  if (p2->is_ipv6)
51a09c1ff5SNeale Ranns    {
52a09c1ff5SNeale Ranns      if (p1->laddr.start.ip6.as_u64[0] != p2->laddr.start.ip6.as_u64[0])
53a09c1ff5SNeale Ranns	return (0);
54a09c1ff5SNeale Ranns      if (p1->laddr.start.ip6.as_u64[1] != p2->laddr.start.ip6.as_u64[1])
55a09c1ff5SNeale Ranns	return (0);
56a09c1ff5SNeale Ranns      if (p1->laddr.stop.ip6.as_u64[0] != p2->laddr.stop.ip6.as_u64[0])
57a09c1ff5SNeale Ranns	return (0);
58a09c1ff5SNeale Ranns      if (p1->laddr.stop.ip6.as_u64[1] != p2->laddr.stop.ip6.as_u64[1])
59a09c1ff5SNeale Ranns	return (0);
60a09c1ff5SNeale Ranns      if (p1->raddr.start.ip6.as_u64[0] != p2->raddr.start.ip6.as_u64[0])
61a09c1ff5SNeale Ranns	return (0);
62a09c1ff5SNeale Ranns      if (p1->raddr.start.ip6.as_u64[1] != p2->raddr.start.ip6.as_u64[1])
63a09c1ff5SNeale Ranns	return (0);
64a09c1ff5SNeale Ranns      if (p1->raddr.stop.ip6.as_u64[0] != p2->raddr.stop.ip6.as_u64[0])
65a09c1ff5SNeale Ranns	return (0);
66a09c1ff5SNeale Ranns      if (p1->laddr.stop.ip6.as_u64[1] != p2->laddr.stop.ip6.as_u64[1])
67a09c1ff5SNeale Ranns	return (0);
68a09c1ff5SNeale Ranns    }
69a09c1ff5SNeale Ranns  else
70a09c1ff5SNeale Ranns    {
71a09c1ff5SNeale Ranns      if (p1->laddr.start.ip4.as_u32 != p2->laddr.start.ip4.as_u32)
72a09c1ff5SNeale Ranns	return (0);
73a09c1ff5SNeale Ranns      if (p1->laddr.stop.ip4.as_u32 != p2->laddr.stop.ip4.as_u32)
74a09c1ff5SNeale Ranns	return (0);
75a09c1ff5SNeale Ranns      if (p1->raddr.start.ip4.as_u32 != p2->raddr.start.ip4.as_u32)
76a09c1ff5SNeale Ranns	return (0);
77a09c1ff5SNeale Ranns      if (p1->raddr.stop.ip4.as_u32 != p2->raddr.stop.ip4.as_u32)
78a09c1ff5SNeale Ranns	return (0);
79a09c1ff5SNeale Ranns    }
80a09c1ff5SNeale Ranns  return (1);
81a09c1ff5SNeale Ranns}
82a09c1ff5SNeale Ranns
83999c8ee6SNeale Rannsstatic int
84999c8ee6SNeale Rannsipsec_spd_entry_sort (void *a1, void *a2)
85999c8ee6SNeale Ranns{
86a09c1ff5SNeale Ranns  ipsec_main_t *im = &ipsec_main;
87999c8ee6SNeale Ranns  u32 *id1 = a1;
88999c8ee6SNeale Ranns  u32 *id2 = a2;
89999c8ee6SNeale Ranns  ipsec_policy_t *p1, *p2;
90999c8ee6SNeale Ranns
91a09c1ff5SNeale Ranns  p1 = pool_elt_at_index (im->policies, *id1);
92a09c1ff5SNeale Ranns  p2 = pool_elt_at_index (im->policies, *id2);
93999c8ee6SNeale Ranns  if (p1 && p2)
94999c8ee6SNeale Ranns    return p2->priority - p1->priority;
95999c8ee6SNeale Ranns
96999c8ee6SNeale Ranns  return 0;
97999c8ee6SNeale Ranns}
98999c8ee6SNeale Ranns
999f231d4fSNeale Rannsint
1009f231d4fSNeale Rannsipsec_policy_mk_type (bool is_outbound,
1019f231d4fSNeale Ranns		      bool is_ipv6,
1029f231d4fSNeale Ranns		      ipsec_policy_action_t action,
1039f231d4fSNeale Ranns		      ipsec_spd_policy_type_t * type)
1049f231d4fSNeale Ranns{
1059f231d4fSNeale Ranns  if (is_outbound)
1069f231d4fSNeale Ranns    {
1079f231d4fSNeale Ranns      *type = (is_ipv6 ?
1089f231d4fSNeale Ranns	       IPSEC_SPD_POLICY_IP6_OUTBOUND : IPSEC_SPD_POLICY_IP4_OUTBOUND);
1099f231d4fSNeale Ranns      return (0);
1109f231d4fSNeale Ranns    }
1119f231d4fSNeale Ranns  else
1129f231d4fSNeale Ranns    {
1139f231d4fSNeale Ranns      switch (action)
1149f231d4fSNeale Ranns	{
1159f231d4fSNeale Ranns	case IPSEC_POLICY_ACTION_PROTECT:
1169f231d4fSNeale Ranns	  *type = (is_ipv6 ?
1179f231d4fSNeale Ranns		   IPSEC_SPD_POLICY_IP6_INBOUND_PROTECT :
1189f231d4fSNeale Ranns		   IPSEC_SPD_POLICY_IP4_INBOUND_PROTECT);
1199f231d4fSNeale Ranns	  return (0);
1209f231d4fSNeale Ranns	case IPSEC_POLICY_ACTION_BYPASS:
1219f231d4fSNeale Ranns	  *type = (is_ipv6 ?
1229f231d4fSNeale Ranns		   IPSEC_SPD_POLICY_IP6_INBOUND_BYPASS :
1239f231d4fSNeale Ranns		   IPSEC_SPD_POLICY_IP4_INBOUND_BYPASS);
1249f231d4fSNeale Ranns	  return (0);
1259f231d4fSNeale Ranns	case IPSEC_POLICY_ACTION_DISCARD:
1260546483cSShivaShankarK	  *type = (is_ipv6 ?
1270546483cSShivaShankarK		   IPSEC_SPD_POLICY_IP6_INBOUND_DISCARD :
1280546483cSShivaShankarK		   IPSEC_SPD_POLICY_IP4_INBOUND_DISCARD);
1290546483cSShivaShankarK	  return (0);
1309f231d4fSNeale Ranns	case IPSEC_POLICY_ACTION_RESOLVE:
1319f231d4fSNeale Ranns	  break;
1329f231d4fSNeale Ranns	}
1339f231d4fSNeale Ranns    }
1349f231d4fSNeale Ranns
1359f231d4fSNeale Ranns  /* Unsupported type */
1369f231d4fSNeale Ranns  return (-1);
1379f231d4fSNeale Ranns}
1389f231d4fSNeale Ranns
139999c8ee6SNeale Rannsint
140a09c1ff5SNeale Rannsipsec_add_del_policy (vlib_main_t * vm,
141a09c1ff5SNeale Ranns		      ipsec_policy_t * policy, int is_add, u32 * stat_index)
142999c8ee6SNeale Ranns{
143999c8ee6SNeale Ranns  ipsec_main_t *im = &ipsec_main;
144999c8ee6SNeale Ranns  ipsec_spd_t *spd = 0;
145999c8ee6SNeale Ranns  ipsec_policy_t *vp;
146999c8ee6SNeale Ranns  u32 spd_index;
147a09c1ff5SNeale Ranns  uword *p;
148999c8ee6SNeale Ranns
149999c8ee6SNeale Ranns  p = hash_get (im->spd_index_by_spd_id, policy->id);
150999c8ee6SNeale Ranns
151999c8ee6SNeale Ranns  if (!p)
152999c8ee6SNeale Ranns    return VNET_API_ERROR_SYSCALL_ERROR_1;
153999c8ee6SNeale Ranns
154999c8ee6SNeale Ranns  spd_index = p[0];
155999c8ee6SNeale Ranns  spd = pool_elt_at_index (im->spds, spd_index);
156999c8ee6SNeale Ranns  if (!spd)
157999c8ee6SNeale Ranns    return VNET_API_ERROR_SYSCALL_ERROR_1;
158999c8ee6SNeale Ranns
159999c8ee6SNeale Ranns  if (is_add)
160999c8ee6SNeale Ranns    {
161999c8ee6SNeale Ranns      u32 policy_index;
162999c8ee6SNeale Ranns
163495d7ffbSNeale Ranns      if (policy->policy == IPSEC_POLICY_ACTION_PROTECT)
164495d7ffbSNeale Ranns	{
165495d7ffbSNeale Ranns	  index_t sa_index = ipsec_sa_find_and_lock (policy->sa_id);
166495d7ffbSNeale Ranns
167495d7ffbSNeale Ranns	  if (INDEX_INVALID == sa_index)
168495d7ffbSNeale Ranns	    return VNET_API_ERROR_SYSCALL_ERROR_1;
169495d7ffbSNeale Ranns	  policy->sa_index = sa_index;
170495d7ffbSNeale Ranns	}
171495d7ffbSNeale Ranns      else
172495d7ffbSNeale Ranns	policy->sa_index = INDEX_INVALID;
173495d7ffbSNeale Ranns
174a09c1ff5SNeale Ranns      pool_get (im->policies, vp);
175999c8ee6SNeale Ranns      clib_memcpy (vp, policy, sizeof (*vp));
176a09c1ff5SNeale Ranns      policy_index = vp - im->policies;
177999c8ee6SNeale Ranns
178a09c1ff5SNeale Ranns      vlib_validate_combined_counter (&ipsec_spd_policy_counters,
179a09c1ff5SNeale Ranns				      policy_index);
180a09c1ff5SNeale Ranns      vlib_zero_combined_counter (&ipsec_spd_policy_counters, policy_index);
181999c8ee6SNeale Ranns
1829f231d4fSNeale Ranns      vec_add1 (spd->policies[policy->type], policy_index);
1839f231d4fSNeale Ranns      vec_sort_with_function (spd->policies[policy->type],
1849f231d4fSNeale Ranns			      ipsec_spd_entry_sort);
185a09c1ff5SNeale Ranns      *stat_index = policy_index;
186999c8ee6SNeale Ranns    }
187999c8ee6SNeale Ranns  else
188999c8ee6SNeale Ranns    {
189a09c1ff5SNeale Ranns      u32 ii;
190a09c1ff5SNeale Ranns
19150d5069aSNeale Ranns      vec_foreach_index (ii, (spd->policies[policy->type]))
192a09c1ff5SNeale Ranns      {
19350d5069aSNeale Ranns	vp = pool_elt_at_index (im->policies,
19450d5069aSNeale Ranns				spd->policies[policy->type][ii]);
19550d5069aSNeale Ranns	if (ipsec_policy_is_equal (vp, policy))
19650d5069aSNeale Ranns	  {
19750d5069aSNeale Ranns	    vec_del1 (spd->policies[policy->type], ii);
198495d7ffbSNeale Ranns	    ipsec_sa_unlock (vp->sa_index);
19950d5069aSNeale Ranns	    pool_put (im->policies, vp);
20050d5069aSNeale Ranns	    break;
20150d5069aSNeale Ranns	  }
202a09c1ff5SNeale Ranns      }
203999c8ee6SNeale Ranns    }
204999c8ee6SNeale Ranns
205999c8ee6SNeale Ranns  return 0;
206999c8ee6SNeale Ranns}
207999c8ee6SNeale Ranns
208999c8ee6SNeale Ranns/*
209999c8ee6SNeale Ranns * fd.io coding-style-patch-verification: ON
210999c8ee6SNeale Ranns *
211999c8ee6SNeale Ranns * Local Variables:
212999c8ee6SNeale Ranns * eval: (c-set-style "gnu")
213999c8ee6SNeale Ranns * End:
214999c8ee6SNeale Ranns */
215