/*
 * Copyright (c) 2015 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#ifndef __IPSEC_SPD_POLICY_H__
#define __IPSEC_SPD_POLICY_H__

#include <vnet/ipsec/ipsec_spd.h>
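/**
 * @brief X-macro listing the actions an SPD policy can carry.
 *
 * Each entry is _(value, NAME, "string"). The list is expanded below to
 * build ipsec_policy_action_t; the string column is not used in this header
 * (presumably it feeds the format/unformat helpers declared further down).
 *
 * BYPASS, DISCARD and PROTECT carry the names of the RFC 4301 SPD processing
 * choices. What RESOLVE does is not visible from this header.
 */
#define foreach_ipsec_policy_action \
  _ (0, BYPASS, "bypass")           \
  _ (1, DISCARD, "discard")         \
  _ (2, RESOLVE, "resolve")         \
  _ (3, PROTECT, "protect")

/** The action stored in an SPD policy entry (see ipsec_policy_t::policy). */
typedef enum
{
#define _(v, f, s) IPSEC_POLICY_ACTION_##f = v,
  foreach_ipsec_policy_action
#undef _
} ipsec_policy_action_t;

/*
 * Number of actions. It is derived from PROTECT, so it is only correct while
 * PROTECT remains the highest-valued entry in the list above.
 * NOTE(review): anything sized by this constant and indexed by an action
 * value depends on that ordering, and an action value that arrives from
 * outside (API message, CLI) should be range-checked against it before it is
 * used as an index.
 */
#define IPSEC_POLICY_N_ACTION (IPSEC_POLICY_ACTION_PROTECT + 1)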
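/**
 * @brief An address range, as used for the local and remote addresses of a
 * policy selector.
 *
 * Holds the two bounds of the range as ip46_address_t values.
 * NOTE(review): whether 'stop' is inclusive, and whether start <= stop is
 * enforced when a policy is added, cannot be told from this header - confirm
 * in the add and match code.
 */
typedef struct
{
  ip46_address_t start, stop;
} ip46_address_range_t;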
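/**
 * @brief A 16-bit port range, as used for the local and remote ports of a
 * policy selector.
 *
 * NOTE(review): the byte order of the two bounds (host or network) and
 * whether 'stop' is inclusive are not stated here. A selector compared in
 * the wrong byte order matches the wrong traffic, so confirm both against
 * the code that fills and matches these fields.
 */
typedef struct
{
  u16 start, stop;
} port_range_t;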
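/**
 * @brief
 * Policy packet & bytes counters
 *
 * Defined in another translation unit; this header only declares it.
 * NOTE(review): presumably indexed by the stat_index value that
 * ipsec_add_del_policy() reports - confirm against the implementation.
 */
extern vlib_combined_counter_main_t ipsec_spd_policy_counters;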
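/**
 * @brief A Security Policy. An entry in an SPD
 *
 * The fields fall into three groups: identity and ordering (id, priority,
 * type), the selector that describes the traffic, and the action to apply.
 */
typedef struct ipsec_policy_t_
{
  /* Policy identifier. NOTE(review): who allocates it and in which namespace
   * it has to be unique is not visible in this header. */
  u32 id;
  /* Signed priority. NOTE(review): whether larger or smaller values are
   * matched first is not visible here; with overlapping selectors that
   * ordering decides which action applies, so confirm it. */
  i32 priority;

  // the type of policy
  ipsec_spd_policy_type_t type;

  // Selector
  /* Address family flag. NOTE(review): presumably selects which member of
   * the ip46 addresses below is valid - confirm. */
  u8 is_ipv6;
  /* Local and remote address ranges. */
  ip46_address_range_t laddr;
  ip46_address_range_t raddr;
  /* IP protocol number. NOTE(review): the value that means "any protocol",
   * if there is one, is not defined in this header. */
  u8 protocol;
  /* Local and remote port ranges. */
  port_range_t lport;
  port_range_t rport;

  // Policy
  /* Action applied to traffic that matches the selector. */
  ipsec_policy_action_t policy;
  /* NOTE(review): sa_id looks like the externally assigned SA identifier and
   * sa_index the internal index it resolves to; presumably both are only
   * meaningful when the action is PROTECT - confirm against the add path. */
  u32 sa_id;
  u32 sa_index;
} ipsec_policy_t;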
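/**
 * @brief Add/Delete a policy (an entry in an SPD)
 *
 * @param vm         the vlib main.
 * @param policy     the policy to add or delete.
 * @param is_add     selects add versus delete; presumably non-zero adds -
 *                   confirm against the implementation.
 * @param stat_index NOTE(review): presumably an out parameter that receives
 *                   the policy's index into ipsec_spd_policy_counters -
 *                   confirm.
 * @return an int status. The values are not visible in this header;
 *         presumably 0 means success. Callers should check it: if adding a
 *         policy fails unnoticed, the traffic it was meant to cover is
 *         handled by whatever other policy matches.
 */
extern int ipsec_add_del_policy (vlib_main_t * vm,
				 ipsec_policy_t * policy,
				 int is_add, u32 * stat_index);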
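/*
 * format()/unformat() helpers for policies and policy actions. They have the
 * vppinfra callback signatures (the kind used with the %U directive); the
 * arguments each one reads from 'args' are defined by the implementation and
 * are not visible in this header.
 * NOTE(review): a va_list carries no type information, so every call site
 * has to pass exactly the argument types the implementation reads.
 */
extern u8 *format_ipsec_policy (u8 * s, va_list * args);
extern u8 *format_ipsec_policy_action (u8 * s, va_list * args);
extern uword unformat_ipsec_policy_action (unformat_input_t * input,
					   va_list * args);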
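/**
 * @brief Presumably derives the SPD policy type from the traffic direction,
 * the address family and the action, and stores it through @p type.
 *
 * @param is_outbound direction of the traffic the policy applies to.
 * @param is_ipv6     address family of the policy.
 * @param action      the policy action.
 * @param type        where the resulting policy type is written.
 * @return an int status. NOTE(review): the values are not visible in this
 *         header; presumably non-zero reports a combination that has no
 *         valid type, in which case *type should not be used - confirm.
 */
extern int ipsec_policy_mk_type (bool is_outbound,
				 bool is_ipv6,
				 ipsec_policy_action_t action,
				 ipsec_spd_policy_type_t * type);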
#endif /* __IPSEC_SPD_POLICY_H__ */
/*
 * fd.io coding-style-patch-verification: ON
 *
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */