summaryrefslogtreecommitdiffstats
path: root/src/vnet/ipsec/ipsec.h
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2020-03-31 09:21:29 -0400
committerDamjan Marion <dmarion@me.com>2020-05-04 17:09:34 +0000
commit4ec36c5535849a4e456ed99b57968d54d5e03b62 (patch)
tree47c807c525858db02f7d1e0e4df32b14441ed5c8 /src/vnet/ipsec/ipsec.h
parentb723ccf95ffd8581be15e0752eac2c5f7233b340 (diff)
fib: midchain adjacency optimisations
Type: improvement - inline some common encap fixup functions into the midchain rewrite node so we don't incur the cost of the virtual function call - change the copy 'guess' from ethernet_header (which will never happen) to an ip4 header - add adj-midchain-tx to multiarch sources - don't run adj-midchain-tx as a feature, instead put this node as the adj's next and at the end of the feature arc. - cache the feature arc config index (to save the cache miss going to fetch it) - don't check if features are enabled when taking the arc (since we know they are) the last two changes will also benefit normal adjacencies taking the arc (i.e. for NAT, ACLs, etc) for IPSec: - don't run esp_encrypt as a feature, instead when required insert this node into the adj's next and into the end of the feature arc. this implies that encrypt is always 'the last feature' run, which is symmetric with decrypt always being the first. - esp_encrpyt for tunnels has adj-midchain-tx as next node Change-Id: Ida0af56a704302cf2d7797ded5f118a781e8acb7 Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vnet/ipsec/ipsec.h')
-rw-r--r--src/vnet/ipsec/ipsec.h28
1 files changed, 11 insertions, 17 deletions
diff --git a/src/vnet/ipsec/ipsec.h b/src/vnet/ipsec/ipsec.h
index 712e16dab4c..7646ffb2ddd 100644
--- a/src/vnet/ipsec/ipsec.h
+++ b/src/vnet/ipsec/ipsec.h
@@ -66,12 +66,10 @@ typedef struct
u32 esp6_decrypt_next_index;
u32 esp4_decrypt_tun_node_index;
u32 esp4_decrypt_tun_next_index;
+ u32 esp4_encrypt_tun_node_index;
u32 esp6_decrypt_tun_node_index;
u32 esp6_decrypt_tun_next_index;
- u32 esp44_encrypt_tun_feature_index;
- u32 esp46_encrypt_tun_feature_index;
- u32 esp66_encrypt_tun_feature_index;
- u32 esp64_encrypt_tun_feature_index;
+ u32 esp6_encrypt_tun_node_index;
} ipsec_esp_backend_t;
typedef struct
@@ -132,11 +130,13 @@ typedef struct
u32 esp4_encrypt_node_index;
u32 esp4_decrypt_node_index;
u32 esp4_decrypt_tun_node_index;
+ u32 esp4_encrypt_tun_node_index;
u32 ah4_encrypt_node_index;
u32 ah4_decrypt_node_index;
u32 esp6_encrypt_node_index;
u32 esp6_decrypt_node_index;
u32 esp6_decrypt_tun_node_index;
+ u32 esp6_encrypt_tun_node_index;
u32 ah6_encrypt_node_index;
u32 ah6_decrypt_node_index;
/* next node indices */
@@ -151,15 +151,13 @@ typedef struct
u32 ah6_encrypt_next_index;
u32 ah6_decrypt_next_index;
- /* tun encrypt arcs and feature nodes */
- u32 esp44_encrypt_tun_feature_index;
- u32 esp64_encrypt_tun_feature_index;
- u32 esp46_encrypt_tun_feature_index;
- u32 esp66_encrypt_tun_feature_index;
-
/* tun nodes to drop packets when no crypto alg set on outbound SA */
- u32 esp4_no_crypto_tun_feature_index;
- u32 esp6_no_crypto_tun_feature_index;
+ u32 esp4_no_crypto_tun_node_index;
+ u32 esp6_no_crypto_tun_node_index;
+
+ /* tun nodes for encrypt on L2 interfaces */
+ u32 esp4_encrypt_l2_tun_node_index;
+ u32 esp6_encrypt_l2_tun_node_index;
/* pool of ah backends */
ipsec_ah_backend_t *ah_backends;
@@ -278,6 +276,7 @@ int ipsec_select_ah_backend (ipsec_main_t * im, u32 ah_backend_idx);
int ipsec_select_esp_backend (ipsec_main_t * im, u32 esp_backend_idx);
clib_error_t *ipsec_rsc_in_use (ipsec_main_t * im);
+void ipsec_set_async_mode (u32 is_enabled);
always_inline ipsec_sa_t *
ipsec_sa_get (u32 sa_index)
@@ -285,11 +284,6 @@ ipsec_sa_get (u32 sa_index)
return (pool_elt_at_index (ipsec_main.sad, sa_index));
}
-void ipsec_add_feature (const char *arc_name, const char *node_name,
- u32 * out_feature_index);
-
-void ipsec_set_async_mode (u32 is_enabled);
-
#endif /* __IPSEC_H__ */
/*