authorPiotr Bronowski <piotrx.bronowski@intel.com>2022-06-09 09:09:28 +0000
committerFan Zhang <roy.fan.zhang@intel.com>2022-06-28 14:53:07 +0000
commit815c6a4fbcbb636ce3b4dc98446ad205a30670a6 (patch)
tree36e3b6aec51cdd5603dce1c9dd701da869c11c39 /src/vnet/ipsec/ipsec.api
parent5b4b4c05ff06b866b90b0df9b2be2ed28e606f16 (diff)
ipsec: change wildcard value for any protocol of spd policy
Currently 0 has been used as the wildcard representing ANY type of protocol. However, 0 is a valid IP protocol value (HOPOPT) and therefore should not be used as a wildcard. Instead 255 is used, which IANA guarantees is reserved and not used as a protocol id. Type: improvement Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: I2320bae6fe380cb999dc5a9187beb68fda2d31eb
Diffstat (limited to 'src/vnet/ipsec/ipsec.api')
-rw-r--r--src/vnet/ipsec/ipsec.api84
1 files changed, 31 insertions, 53 deletions
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index be45c3e2401..18df893c0d4 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -57,74 +57,35 @@ autoreply define ipsec_interface_add_del_spd
u32 spd_id;
};
+/** \brief IPsec: Add/delete Security Policy Database entry
-enum ipsec_spd_action
-{
- /* bypass - no IPsec processing */
- IPSEC_API_SPD_ACTION_BYPASS = 0,
- /* discard - discard packet with ICMP processing */
- IPSEC_API_SPD_ACTION_DISCARD,
- /* resolve - send request to control plane for SA resolving */
- IPSEC_API_SPD_ACTION_RESOLVE,
- /* protect - apply IPsec policy using following parameters */
- IPSEC_API_SPD_ACTION_PROTECT,
-};
-
-/** \brief IPsec: Security Policy Database entry
-
- See RFC 4301, 4.4.1.1 on how to match packet to selectors
-
- @param spd_id - SPD instance id (control plane allocated)
- @param priority - priority of SPD entry (non-unique value). Used to order SPD matching - higher priorities match before lower
- @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
- @param remote_address_start - start of remote address range to match
- @param remote_address_stop - end of remote address range to match
- @param local_address_start - start of local address range to match
- @param local_address_stop - end of local address range to match
- @param protocol - protocol type to match [0 means any] otherwise IANA value
- @param remote_port_start - start of remote port range to match ...
- @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
- @param local_port_start - start of local port range to match ...
- @param local_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
- @param policy - action to perform on match
- @param sa_id - SAD instance id (control plane allocated)
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+ @param is_add - add SPD if non-zero, else delete
+ @param entry - Description of the entry to add/dell
*/
-typedef ipsec_spd_entry
+define ipsec_spd_entry_add_del
{
- u32 spd_id;
- i32 priority;
- bool is_outbound;
-
- u32 sa_id;
- vl_api_ipsec_spd_action_t policy;
- /* Which protocol?? */
- u8 protocol;
-
- // Selector
- vl_api_address_t remote_address_start;
- vl_api_address_t remote_address_stop;
- vl_api_address_t local_address_start;
- vl_api_address_t local_address_stop;
-
- u16 remote_port_start;
- u16 remote_port_stop;
- u16 local_port_start;
- u16 local_port_stop;
+ option deprecated;
+ u32 client_index;
+ u32 context;
+ bool is_add;
+ vl_api_ipsec_spd_entry_t entry;
};
-/** \brief IPsec: Add/delete Security Policy Database entry
+/** \brief IPsec: Add/delete Security Policy Database entry v2
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
@param is_add - add SPD if non-zero, else delete
@param entry - Description of the entry to add/dell
*/
-define ipsec_spd_entry_add_del
+define ipsec_spd_entry_add_del_v2
{
u32 client_index;
u32 context;
bool is_add;
- vl_api_ipsec_spd_entry_t entry;
+ vl_api_ipsec_spd_entry_v2_t entry;
};
/** \brief IPsec: Reply Add/delete Security Policy Database entry
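Review bot: The doc block added above `define ipsec_spd_entry_add_del_v2` is a verbatim copy of the v1 block and does not state the one behavioural difference a client must know before switching messages: per the commit description, the protocol wildcard in the v2 entry type is 255 instead of 0, so a client that ports its v1 code unchanged and keeps sending protocol 0 will get a policy matching HOPOPT only rather than ANY (inferred from the commit message; `vl_api_ipsec_spd_entry_v2_t` is defined outside this file). Suggest `@param entry - Description of the entry to add/del; its protocol field uses 255 as the ANY wildcard (0 is a valid IANA protocol, HOPOPT)`. The same `@param entry` line also carries the `add/dell` typo into both the re-added v1 block and the v2 block. Since the deprecated v1 message still takes `vl_api_ipsec_spd_entry_t`, the v1 block should say whether 0-means-ANY is preserved for it, so that the two messages' selector semantics are explicit side by side.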
@@ -140,6 +101,19 @@ define ipsec_spd_entry_add_del_reply
u32 stat_index;
};
+/** \brief IPsec: Reply Add/delete Security Policy Database entry v2
+
+ @param context - sender context, to match reply w/ request
+ @param retval - success/fail rutrun code
+ @param stat_index - An index for the policy in the stats segment @ /net/ipec/policy
+*/
+define ipsec_spd_entry_add_del_v2_reply
+{
+ u32 context;
+ i32 retval;
+ u32 stat_index;
+};
+
/** \brief Dump IPsec all SPD IDs
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
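Review bot: The new `ipsec_spd_entry_add_del_v2_reply` doc block has typos in its added lines: `rutrun` in the `@param retval` line should be `return`, and the stats path `/net/ipec/policy` looks copied from the v1 reply block and is presumably `/net/ipsec/policy` — worth confirming against the actual stats segment name before the typo is duplicated into a second message. Suggest `@param retval - success/fail return code`.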
@@ -197,6 +171,7 @@ define ipsec_sad_entry_add_del
bool is_add;
vl_api_ipsec_sad_entry_t entry;
};
+
define ipsec_sad_entry_add_del_v2
{
u32 client_index;
@@ -204,6 +179,7 @@ define ipsec_sad_entry_add_del_v2
bool is_add;
vl_api_ipsec_sad_entry_v2_t entry;
};
+
define ipsec_sad_entry_add_del_v3
{
u32 client_index;
@@ -231,12 +207,14 @@ define ipsec_sad_entry_add_del_reply
i32 retval;
u32 stat_index;
};
+
define ipsec_sad_entry_add_del_v2_reply
{
u32 context;
i32 retval;
u32 stat_index;
};
+
define ipsec_sad_entry_add_del_v3_reply
{
u32 context;