ipsec: change wildcard value for any protocol of spd policy

Currently 0 has been used as the wildcard representing ANY type of protocol. However 0 is valid value of ip protocol (HOPOPT) and therefore it should not be used as a wildcard. Instead 255 is used which is guaranteed by IANA to be reserved and not used as a protocol id. Type: improvement Signed-off-by: Piotr Bronowski <piotrx.bronowski@intel.com> Change-Id: I2320bae6fe380cb999dc5a9187beb68fda2d31eb
author: Piotr Bronowski <piotrx.bronowski@intel.com> 2022-06-09 09:09:28 +0000
committer: Fan Zhang <roy.fan.zhang@intel.com> 2022-06-28 14:53:07 +0000
commit: 815c6a4fbcbb636ce3b4dc98446ad205a30670a6 (patch)
tree: 36e3b6aec51cdd5603dce1c9dd701da869c11c39 /src/vnet/ipsec/ipsec_types.api
parent: 5b4b4c05ff06b866b90b0df9b2be2ed28e606f16 (diff)
1 files changed, 97 insertions, 0 deletions
diff --git a/src/vnet/ipsec/ipsec_types.api b/src/vnet/ipsec/ipsec_types.api
index ed04f470fd2..fd7068e926e 100644
--- a/src/vnet/ipsec/ipsec_types.api
+++ b/src/vnet/ipsec/ipsec_types.api
@@ -95,6 +95,102 @@ typedef key
   u8 data[128];
 };
 
+enum ipsec_spd_action
+{
+  /* bypass - no IPsec processing */
+  IPSEC_API_SPD_ACTION_BYPASS = 0,
+  /* discard - discard packet with ICMP processing */
+  IPSEC_API_SPD_ACTION_DISCARD,
+  /* resolve - send request to control plane for SA resolving */
+  IPSEC_API_SPD_ACTION_RESOLVE,
+  /* protect - apply IPsec policy using following parameters */
+  IPSEC_API_SPD_ACTION_PROTECT,
+};
+
+/** \brief IPsec: Security Policy Database entry
+
+    See RFC 4301, 4.4.1.1 on how to match packet to selectors
+
+    @param spd_id - SPD instance id (control plane allocated)
+    @param priority - priority of SPD entry (non-unique value).  Used to order SPD matching - higher priorities match before lower
+    @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
+    @param remote_address_start - start of remote address range to match
+    @param remote_address_stop - end of remote address range to match
+    @param local_address_start - start of local address range to match
+    @param local_address_stop - end of local address range to match
+    @param protocol - protocol type to match [0 means any] otherwise IANA value
+    @param remote_port_start - start of remote port range to match ...
+    @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
+    @param local_port_start - start of local port range to match ...
+    @param local_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
+    @param policy - action to perform on match
+    @param sa_id - SAD instance id (control plane allocated)
+*/
+typedef ipsec_spd_entry
+{
+  u32 spd_id;
+  i32 priority;
+  bool is_outbound;
+
+  u32 sa_id;
+  vl_api_ipsec_spd_action_t policy;
+  /* Which protocol?? */
+  u8 protocol;
+
+  // Selector
+  vl_api_address_t remote_address_start;
+  vl_api_address_t remote_address_stop;
+  vl_api_address_t local_address_start;
+  vl_api_address_t local_address_stop;
+
+  u16 remote_port_start;
+  u16 remote_port_stop;
+  u16 local_port_start;
+  u16 local_port_stop;
+};
+
+/** \brief IPsec: Security Policy Database entry v2
+
+    See RFC 4301, 4.4.1.1 on how to match packet to selectors
+
+    @param spd_id - SPD instance id (control plane allocated)
+    @param priority - priority of SPD entry (non-unique value).  Used to order SPD matching - higher priorities match before lower
+    @param is_outbound - entry applies to outbound traffic if non-zero, otherwise applies to inbound traffic
+    @param remote_address_start - start of remote address range to match
+    @param remote_address_stop - end of remote address range to match
+    @param local_address_start - start of local address range to match
+    @param local_address_stop - end of local address range to match
+    @param protocol - protocol type to match [255 means any] otherwise IANA value
+    @param remote_port_start - start of remote port range to match ...
+    @param remote_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
+    @param local_port_start - start of local port range to match ...
+    @param local_port_stop - end of remote port range to match [0 to 65535 means ANY, 65535 to 0 means OPAQUE]
+    @param policy - action to perform on match
+    @param sa_id - SAD instance id (control plane allocated)
+*/
+typedef ipsec_spd_entry_v2
+{
+  u32 spd_id;
+  i32 priority;
+  bool is_outbound;
+
+  u32 sa_id;
+  vl_api_ipsec_spd_action_t policy;
+  u8 protocol;
+
+  // Selector
+  vl_api_address_t remote_address_start;
+  vl_api_address_t remote_address_stop;
+  vl_api_address_t local_address_start;
+  vl_api_address_t local_address_stop;
+
+  u16 remote_port_start;
+  u16 remote_port_stop;
+  u16 local_port_start;
+  u16 local_port_stop;
+};
+
+
 /** \brief IPsec: Security Association Database entry
     @param client_index - opaque cookie to identify the sender
     @param context - sender context, to match reply w/ request
@@ -117,6 +213,7 @@ typedef key
     @param tunnel_flags - Flags controlling the copying of encap/decap value
     @param dscp - Fixed DSCP vaule for tunnel encap
  */
+
 typedef ipsec_sad_entry
 {
   u32 sad_id;
author	Piotr Bronowski <piotrx.bronowski@intel.com>	2022-06-09 09:09:28 +0000
committer	Fan Zhang <roy.fan.zhang@intel.com>	2022-06-28 14:53:07 +0000
commit	815c6a4fbcbb636ce3b4dc98446ad205a30670a6 (patch)
tree	36e3b6aec51cdd5603dce1c9dd701da869c11c39 /src/vnet/ipsec/ipsec_types.api
parent	5b4b4c05ff06b866b90b0df9b2be2ed28e606f16 (diff)