1 /*
2  * decap.c : IPSec tunnel support
3  *
4  * Copyright (c) 2015 Cisco and/or its affiliates.
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/interface.h>
22 
23 #include <vnet/ipsec/ipsec.h>
24 
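/**
 * CLI handler for "set interface ipsec spd <int> <id> [del]".
 *
 * Binds SPD @a spd_id to software interface @a sw_if_index, or unbinds it
 * when "del" appears anywhere on the line.  The previous implementation
 * accepted either "<int> <id>" or "del" but not both, so a delete never
 * carried an interface (sw_if_index stayed ~0) and spd_id was passed to
 * ipsec_set_interface_spd without ever being assigned.  Both tokens are now
 * parsed from the same line and validated before the call.
 *
 * @param vm     vlib main, passed through to ipsec_set_interface_spd
 * @param input  raw CLI input; one line is consumed via unformat_line_input
 * @param cmd    the registered command (unused)
 * @return 0 on success, otherwise a clib_error_t describing the parse or
 *         validation failure (the CLI layer owns and frees it)
 */
static clib_error_t *
set_interface_spd_command_fn (vlib_main_t * vm,
                              unformat_input_t * input,
                              vlib_cli_command_t * cmd)
{
  unformat_input_t _line_input, *line_input = &_line_input;
  ipsec_main_t *im = &ipsec_main;
  u32 sw_if_index = (u32) ~ 0;
  u32 spd_id = (u32) ~ 0;
  int is_add = 1;

  if (!unformat_user (input, unformat_line_input, line_input))
    return 0;

  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
    {
      if (unformat (line_input, "%U %u", unformat_vnet_sw_interface,
                    im->vnet_main, &sw_if_index, &spd_id))
        ;
      else if (unformat (line_input, "del"))
        is_add = 0;
      else
        {
          /* Build the message before releasing the line buffer it refers to. */
          clib_error_t *err = clib_error_return (0, "parse error: '%U'",
                                                 format_unformat_error,
                                                 line_input);
          unformat_free (line_input);
          return err;
        }
    }

  unformat_free (line_input);

  /* Interface and SPD id are mandatory for add and del alike; without this
     check a bare "del" reached ipsec_set_interface_spd with sw_if_index == ~0
     and an indeterminate spd_id. */
  if (sw_if_index == (u32) ~ 0 || spd_id == (u32) ~ 0)
    return clib_error_return (0, "please specify interface and SPD ID");

  ipsec_set_interface_spd (vm, sw_if_index, spd_id, is_add);

  return 0;
}

/* *INDENT-OFF* */
VLIB_CLI_COMMAND (set_interface_spd_command, static) = {
    .path = "set interface ipsec spd",
    .short_help =
    "set interface ipsec spd <int> <id> [del]",
    .function = set_interface_spd_command_fn,
};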
63 /* *INDENT-ON* */
64 
/*
 * CLI handler for "ipsec sa [add|del] <id> ...".
 *
 * Parses an SA description (spi, esp, crypto-alg/crypto-key,
 * integ-alg/integ-key, IPv4 or IPv6 tunnel-src/tunnel-dst) into a
 * zero-initialised ipsec_sa_t and hands it to ipsec_add_del_sa.  Only ESP
 * is accepted; "ah" is rejected with an error.  Several lines of this
 * function (the signature and the argument lists of the tunnel-src/-dst
 * and crypto-/integ-alg branches) are not visible in this rendering.
 *
 * Returns 0, or a clib_error_t for an unparsable or unsupported line.
 */
65 static clib_error_t *
67  unformat_input_t * input,
68  vlib_cli_command_t * cmd)
69 {
70  unformat_input_t _line_input, *line_input = &_line_input;
71  ipsec_sa_t sa;
/* ~0 is only replaced by an explicit "add <id>" or "del <id>"; a line with
   neither passes ~0 (non-zero) through to ipsec_add_del_sa unchanged. */
72  int is_add = ~0;
/* Heap vectors filled by unformat_hex_string; they hold raw key bytes. */
73  u8 *ck = 0, *ik = 0;
74 
75  memset (&sa, 0, sizeof (sa));
76 
77  if (!unformat_user (input, unformat_line_input, line_input))
78  return 0;
79 
80  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
81  {
82  if (unformat (line_input, "add %u", &sa.id))
83  is_add = 1;
84  else if (unformat (line_input, "del %u", &sa.id))
85  is_add = 0;
86  else if (unformat (line_input, "spi %u", &sa.spi))
87  ;
88  else if (unformat (line_input, "esp"))
90  else if (unformat (line_input, "ah"))
91  //sa.protocol = IPSEC_PROTOCOL_AH;
92  return clib_error_return (0, "unsupported security protocol 'AH'");
93  else
94  if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck))
/* vec_len() is narrowed to the u8 crypto_key_len here, before the size
   clamp after the loop; a decoded key of 256 or more bytes wraps silently
   (256 -> 0) instead of being rejected. */
95  sa.crypto_key_len = vec_len (ck);
96  else
97  if (unformat
98  (line_input, "crypto-alg %U", unformat_ipsec_crypto_alg,
99  &sa.crypto_alg))
100  {
/* Only the AES-CBC range is accepted; the format argument of the error
   (line 104) is not visible in this rendering. */
101  if (sa.crypto_alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
102  sa.crypto_alg > IPSEC_CRYPTO_ALG_AES_CBC_256)
103  return clib_error_return (0, "unsupported crypto-alg: '%U'",
105  }
106  else
107  if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik))
/* Same u8 narrowing as crypto_key_len above. */
108  sa.integ_key_len = vec_len (ik);
109  else if (unformat (line_input, "integ-alg %U", unformat_ipsec_integ_alg,
110  &sa.integ_alg))
111  {
112  if (sa.integ_alg < IPSEC_INTEG_ALG_SHA1_96 ||
113  sa.integ_alg > IPSEC_INTEG_ALG_SHA_512_256)
114  return clib_error_return (0, "unsupported integ-alg: '%U'",
116  }
/* The first two tunnel branches set is_tunnel only (IPv4 addresses,
   presumably); the following two additionally set is_tunnel_ip6. */
117  else if (unformat (line_input, "tunnel-src %U",
119  sa.is_tunnel = 1;
120  else if (unformat (line_input, "tunnel-dst %U",
122  sa.is_tunnel = 1;
123  else if (unformat (line_input, "tunnel-src %U",
125  {
126  sa.is_tunnel = 1;
127  sa.is_tunnel_ip6 = 1;
128  }
129  else if (unformat (line_input, "tunnel-dst %U",
131  {
132  sa.is_tunnel = 1;
133  sa.is_tunnel_ip6 = 1;
134  }
135  else
/* Early returns above leave line_input, ck and ik unreleased. */
136  return clib_error_return (0, "parse error: '%U'",
137  format_unformat_error, line_input);
138  }
139 
140  unformat_free (line_input);
141 
/* Silent truncation to the 128-byte key fields; the operator is not told
   that a shorter key than the one given was installed. */
142  if (sa.crypto_key_len > sizeof (sa.crypto_key))
143  sa.crypto_key_len = sizeof (sa.crypto_key);
144 
145  if (sa.integ_key_len > sizeof (sa.integ_key))
146  sa.integ_key_len = sizeof (sa.integ_key);
147 
/* Key material is binary: strncpy stops at the first 0x00 byte and
   zero-fills the rest, so a key containing a NUL byte is installed
   wrongly without any error.  memcpy of crypto_key_len bytes is the
   correct copy for decoded hex. */
148  if (ck)
149  strncpy ((char *) sa.crypto_key, (char *) ck, sa.crypto_key_len);
150 
151  if (ik)
152  strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len);
153 
/* ck and ik are neither wiped nor freed afterwards, and the stack copy in
   sa is left as is; decoded key bytes therefore outlive this call. */
154  ipsec_add_del_sa (vm, &sa, is_add);
155 
156  return 0;
157 }
158 
159 /* *INDENT-OFF* */
/* Registers "ipsec sa" -> ipsec_sa_add_del_command_fn.  The short help only
   lists add|del; the handler also accepts spi, esp, crypto-alg, crypto-key,
   integ-alg, integ-key and tunnel-src/tunnel-dst. */
160 VLIB_CLI_COMMAND (ipsec_sa_add_del_command, static) = {
161  .path = "ipsec sa",
162  .short_help =
163  "ipsec sa [add|del]",
164  .function = ipsec_sa_add_del_command_fn,
165 };
166 /* *INDENT-ON* */
167 
/**
 * CLI handler for "ipsec spd [add|del] <id>".
 *
 * Creates or removes the SPD with the given id through ipsec_add_del_spd.
 * is_add starts at ~0 and is only changed by an explicit "add" or "del";
 * a line naming neither therefore passes ~0 (non-zero) to the callee —
 * this behaviour is kept as is.
 *
 * @param vm     vlib main, passed through to ipsec_add_del_spd
 * @param input  raw CLI input; one line is consumed via unformat_line_input
 * @param cmd    the registered command (unused)
 * @return 0 on success, otherwise a clib_error_t for a parse error or a
 *         missing SPD id
 */
static clib_error_t *
ipsec_spd_add_del_command_fn (vlib_main_t * vm,
                              unformat_input_t * input,
                              vlib_cli_command_t * cmd)
{
  unformat_input_t _line_input, *li = &_line_input;
  u32 spd_id = ~0;
  int is_add = ~0;

  if (!unformat_user (input, unformat_line_input, li))
    return 0;

  for (;;)
    {
      if (unformat_check_input (li) == UNFORMAT_END_OF_INPUT)
        break;

      if (unformat (li, "add"))
        {
          is_add = 1;
          continue;
        }
      if (unformat (li, "del"))
        {
          is_add = 0;
          continue;
        }
      if (unformat (li, "%u", &spd_id))
        continue;

      return clib_error_return (0, "parse error: '%U'",
                                format_unformat_error, li);
    }

  unformat_free (li);

  /* A bare "ipsec spd add" carries no id and is refused here. */
  if (spd_id == ~0)
    return clib_error_return (0, "please specify SPD ID");

  ipsec_add_del_spd (vm, spd_id, is_add);

  return 0;
}
202 
203 /* *INDENT-OFF* */
/* Registers "ipsec spd" -> ipsec_spd_add_del_command_fn. */
204 VLIB_CLI_COMMAND (ipsec_spd_add_del_command, static) = {
205  .path = "ipsec spd",
206  .short_help =
207  "ipsec spd [add|del] <id>",
208  .function = ipsec_spd_add_del_command_fn,
209 };
210 /* *INDENT-ON* */
211 
212 
/*
 * CLI handler for "ipsec policy [add|del] spd <id> priority <n> ...".
 *
 * Builds an ipsec_policy_t from the line (direction, protocol, action,
 * SA id, local/remote address and port ranges) and hands it to
 * ipsec_add_del_policy.  When no address range is given the policy is
 * installed twice, once for IPv4 and once for IPv6.  The signature line
 * and the address-range argument lists are not visible in this rendering.
 *
 * Returns 0, or a clib_error_t for an unparsable or unsupported line.
 */
213 static clib_error_t *
215  unformat_input_t * input,
216  vlib_cli_command_t * cmd)
217 {
218  unformat_input_t _line_input, *line_input = &_line_input;
219  ipsec_policy_t p;
/* Default is delete: a line that omits "add" removes the matching policy. */
220  int is_add = 0;
/* Cleared by any local-/remote-ip-range clause. */
221  int is_ip_any = 1;
222  u32 tmp, tmp2;
223 
/* Start with "match everything": port stops at 0xffff (u16) and address
   stops at all-ones for both families. */
224  memset (&p, 0, sizeof (p));
225  p.lport.stop = p.rport.stop = ~0;
226  p.laddr.stop.ip4.as_u32 = p.raddr.stop.ip4.as_u32 = (u32) ~ 0;
227  p.laddr.stop.ip6.as_u64[0] = p.laddr.stop.ip6.as_u64[1] = (u64) ~ 0;
228  p.raddr.stop.ip6.as_u64[0] = p.raddr.stop.ip6.as_u64[1] = (u64) ~ 0;
229 
230  if (!unformat_user (input, unformat_line_input, line_input))
231  return 0;
232 
233  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
234  {
235  if (unformat (line_input, "add"))
236  is_add = 1;
237  else if (unformat (line_input, "del"))
238  is_add = 0;
239  else if (unformat (line_input, "spd %u", &p.id))
240  ;
241  else if (unformat (line_input, "inbound"))
242  p.is_outbound = 0;
243  else if (unformat (line_input, "outbound"))
244  p.is_outbound = 1;
245  else if (unformat (line_input, "priority %d", &p.priority))
246  ;
247  else if (unformat (line_input, "protocol %u", &tmp))
/* Narrowed to u8; a protocol number above 255 wraps silently. */
248  p.protocol = (u8) tmp;
249  else
250  if (unformat
251  (line_input, "action %U", unformat_ipsec_policy_action,
252  &p.policy))
253  {
254  if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
255  return clib_error_return (0, "unsupported action: 'resolve'");
256  }
257  else if (unformat (line_input, "sa %u", &p.sa_id))
258  ;
/* IPv4 ranges: the two unformat arguments per clause are on lines not
   shown here.  The IPv6 variants below additionally set is_ipv6. */
259  else if (unformat (line_input, "local-ip-range %U - %U",
262  is_ip_any = 0;
263  else if (unformat (line_input, "remote-ip-range %U - %U",
266  is_ip_any = 0;
267  else if (unformat (line_input, "local-ip-range %U - %U",
270  {
271  p.is_ipv6 = 1;
272  is_ip_any = 0;
273  }
274  else if (unformat (line_input, "remote-ip-range %U - %U",
277  {
278  p.is_ipv6 = 1;
279  is_ip_any = 0;
280  }
281  else if (unformat (line_input, "local-port-range %u - %u", &tmp, &tmp2))
282  {
/* lport/rport start and stop are u16: values above 65535 wrap silently
   and start > stop is not rejected. */
283  p.lport.start = tmp;
284  p.lport.stop = tmp2;
285  }
286  else
287  if (unformat (line_input, "remote-port-range %u - %u", &tmp, &tmp2))
288  {
289  p.rport.start = tmp;
290  p.rport.stop = tmp2;
291  }
292  else
/* Early returns above leave line_input unreleased. */
293  return clib_error_return (0, "parse error: '%U'",
294  format_unformat_error, line_input);
295  }
296 
297  unformat_free (line_input);
298 
/* No address family given: install the same policy for IPv4 and IPv6. */
299  ipsec_add_del_policy (vm, &p, is_add);
300  if (is_ip_any)
301  {
302  p.is_ipv6 = 1;
303  ipsec_add_del_policy (vm, &p, is_add);
304  }
305  return 0;
306 }
307 
308 /* *INDENT-OFF* */
/* Registers "ipsec policy"; the .function line is not visible in this
   rendering (presumably ipsec_policy_add_del_command_fn).  The short help
   omits the inbound|outbound, protocol, action, sa and range clauses the
   handler accepts. */
309 VLIB_CLI_COMMAND (ipsec_policy_add_del_command, static) = {
310  .path = "ipsec policy",
311  .short_help =
312  "ipsec policy [add|del] spd <id> priority <n> ",
314 };
315 /* *INDENT-ON* */
316 
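/**
 * CLI handler for "set ipsec sa <id> crypto-key <key> integ-key <key>".
 *
 * Replaces the crypto and/or integrity key of an existing SA through
 * ipsec_set_sa_key.  Keys are hex strings decoded by unformat_hex_string
 * into heap vectors of raw bytes.  They are copied into the fixed-size key
 * fields with memcpy: the material is binary and may contain 0x00 bytes,
 * and the previous strncpy stopped at the first NUL and zero-filled the
 * rest, silently installing a different key.  A key longer than the field
 * is rejected rather than truncated, and the length check is done on the
 * vector length before it is narrowed to the u8 *_key_len fields, so a
 * 256-byte key can no longer wrap to a length of 0.  The decoded vectors
 * and the stack copy of the SA are cleared before return.
 *
 * @param vm     vlib main, passed through to ipsec_set_sa_key
 * @param input  raw CLI input; one line is consumed via unformat_line_input
 * @param cmd    the registered command (unused)
 * @return 0 on success, otherwise a clib_error_t describing the parse or
 *         validation failure
 */
static clib_error_t *
set_ipsec_sa_key_command_fn (vlib_main_t * vm,
                             unformat_input_t * input,
                             vlib_cli_command_t * cmd)
{
  unformat_input_t _line_input, *line_input = &_line_input;
  clib_error_t *err = 0;
  ipsec_sa_t sa;
  u8 *ck = 0, *ik = 0;

  memset (&sa, 0, sizeof (sa));

  if (!unformat_user (input, unformat_line_input, line_input))
    return 0;

  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
    {
      if (unformat (line_input, "%u", &sa.id))
        ;
      else if (unformat (line_input, "crypto-key %U", unformat_hex_string,
                         &ck))
        ;
      else if (unformat (line_input, "integ-key %U", unformat_hex_string,
                         &ik))
        ;
      else
        {
          err = clib_error_return (0, "parse error: '%U'",
                                   format_unformat_error, line_input);
          goto done;
        }
    }

  /* Validate on the vector length (uword), before narrowing to u8. */
  if (vec_len (ck) > sizeof (sa.crypto_key))
    {
      err = clib_error_return (0, "crypto-key too long: %u bytes (max %u)",
                               (u32) vec_len (ck),
                               (u32) sizeof (sa.crypto_key));
      goto done;
    }
  if (vec_len (ik) > sizeof (sa.integ_key))
    {
      err = clib_error_return (0, "integ-key too long: %u bytes (max %u)",
                               (u32) vec_len (ik),
                               (u32) sizeof (sa.integ_key));
      goto done;
    }

  /* Binary copy: a 0x00 byte inside the key is part of the key. */
  if (ck)
    {
      sa.crypto_key_len = vec_len (ck);
      memcpy (sa.crypto_key, ck, sa.crypto_key_len);
    }
  if (ik)
    {
      sa.integ_key_len = vec_len (ik);
      memcpy (sa.integ_key, ik, sa.integ_key_len);
    }

  ipsec_set_sa_key (vm, &sa);

done:
  unformat_free (line_input);
  /* Best-effort wipe of key bytes before release.  A plain memset ahead of
     free may be elided by the optimiser; use an explicit-bzero style
     primitive here if the build provides one. */
  if (ck)
    memset (ck, 0, vec_len (ck));
  if (ik)
    memset (ik, 0, vec_len (ik));
  vec_free (ck);
  vec_free (ik);
  memset (&sa, 0, sizeof (sa));
  return err;
}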
364 
365 /* *INDENT-OFF* */
/* Registers "set ipsec sa" -> set_ipsec_sa_key_command_fn.  Both keys are
   hex strings; either may be omitted. */
366 VLIB_CLI_COMMAND (set_ipsec_sa_key_command, static) = {
367  .path = "set ipsec sa",
368  .short_help =
369  "set ipsec sa <id> crypto-key <key> integ-key <key>",
370  .function = set_ipsec_sa_key_command_fn,
371 };
372 /* *INDENT-ON* */
373 
/*
 * CLI handler for "show ipsec".
 *
 * Prints every SA in im->sad, every SPD in im->spds with its outbound and
 * inbound policies and their counters, and every tunnel interface with the
 * sequence-number / anti-replay state of its output and input SA.  Takes no
 * arguments; input and cmd are unused.
 *
 * Security note: the crypto and integrity key bytes of every SA are printed
 * in clear via format_hex_bytes (SA section and tunnel-interface section).
 * Anyone who can reach the CLI can read live key material; consider
 * redacting the keys or gating them behind an explicit option.
 *
 * The signature line and the declarations of t (tunnel interface) and hi
 * (hardware interface) used in the last loop are not visible in this
 * rendering.
 *
 * Returns 0 always.
 */
374 static clib_error_t *
376  unformat_input_t * input, vlib_cli_command_t * cmd)
377 {
378  ipsec_spd_t *spd;
379  ipsec_sa_t *sa;
380  ipsec_policy_t *p;
381  ipsec_main_t *im = &ipsec_main;
382  u32 *i;
385 
386  /* *INDENT-OFF* */
387  pool_foreach (sa, im->sad, ({
/* SAs with id 0 are skipped (treated as unused entries, presumably). */
388  if (sa->id) {
389  vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s", sa->id, sa->spi,
390  sa->is_tunnel ? "tunnel" : "transport",
/* Assumes the AH enumerator is the zero value — confirm against ipsec.h. */
391  sa->protocol ? "esp" : "ah");
392  if (sa->protocol == IPSEC_PROTOCOL_ESP) {
/* Key bytes are dumped in clear here. */
393  vlib_cli_output(vm, " crypto alg %U%s%U integrity alg %U%s%U",
394  format_ipsec_crypto_alg, sa->crypto_alg,
395  sa->crypto_alg ? " key " : "",
396  format_hex_bytes, sa->crypto_key, sa->crypto_key_len,
397  format_ipsec_integ_alg, sa->integ_alg,
398  sa->integ_alg ? " key " : "",
399  format_hex_bytes, sa->integ_key, sa->integ_key_len);
400  }
401  if (sa->is_tunnel && sa->is_tunnel_ip6) {
402  vlib_cli_output(vm, " tunnel src %U dst %U",
403  format_ip6_address, &sa->tunnel_src_addr.ip6,
404  format_ip6_address, &sa->tunnel_dst_addr.ip6);
405  } else if (sa->is_tunnel) {
406  vlib_cli_output(vm, " tunnel src %U dst %U",
407  format_ip4_address, &sa->tunnel_src_addr.ip4,
408  format_ip4_address, &sa->tunnel_dst_addr.ip4);
409  }
410  }
411  }));
412  /* *INDENT-ON* */
413 
/* Six near-identical policy loops follow (v4/v6 outbound, v4/v6 inbound
   protect, v4/v6 inbound discard-and-bypass).  In each, the two format()
   calls used as %s arguments allocate vectors that are never freed, so
   every "show ipsec" leaks a little per policy.  "remte" in the IPv4
   remote-range lines is a typo in runtime output and is left untouched. */
414  /* *INDENT-OFF* */
415  pool_foreach (spd, im->spds, ({
416  vlib_cli_output(vm, "spd %u", spd->id);
417 
418  vlib_cli_output(vm, " outbound policies");
419  vec_foreach(i, spd->ipv4_outbound_policies)
420  {
421  p = pool_elt_at_index(spd->policies, *i);
422  vlib_cli_output(vm, " priority %d action %U protocol %s%s",
423  p->priority,
424  format_ipsec_policy_action, p->policy,
425  p->protocol ?
426  format(0, "%U", format_ip_protocol, p->protocol) :
427  (u8 *) "any",
428  p->policy == IPSEC_POLICY_ACTION_PROTECT ?
429  format(0, " sa %u", p->sa_id) :
430  (u8 *) "");
431  vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
432  format_ip4_address, &p->laddr.start.ip4,
433  format_ip4_address, &p->laddr.stop.ip4,
434  p->lport.start, p->lport.stop);
435  vlib_cli_output(vm, " remte addr range %U - %U port range %u - %u",
436  format_ip4_address, &p->raddr.start.ip4,
437  format_ip4_address, &p->raddr.stop.ip4,
438  p->rport.start, p->rport.stop);
439  vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
440  p->counter.bytes);
441  };
442  vec_foreach(i, spd->ipv6_outbound_policies)
443  {
444  p = pool_elt_at_index(spd->policies, *i);
445  vlib_cli_output(vm, " priority %d action %U protocol %s%s",
446  p->priority,
447  format_ipsec_policy_action, p->policy,
448  p->protocol ?
449  format(0, "%U", format_ip_protocol, p->protocol) :
450  (u8 *) "any",
451  p->policy == IPSEC_POLICY_ACTION_PROTECT ?
452  format(0, " sa %u", p->sa_id) :
453  (u8 *) "");
454  vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
455  format_ip6_address, &p->laddr.start.ip6,
456  format_ip6_address, &p->laddr.stop.ip6,
457  p->lport.start, p->lport.stop);
458  vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
459  format_ip6_address, &p->raddr.start.ip6,
460  format_ip6_address, &p->raddr.stop.ip6,
461  p->rport.start, p->rport.stop);
462  vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
463  p->counter.bytes);
464  };
465  vlib_cli_output(vm, " inbound policies");
466  vec_foreach(i, spd->ipv4_inbound_protect_policy_indices)
467  {
468  p = pool_elt_at_index(spd->policies, *i);
469  vlib_cli_output(vm, " priority %d action %U protocol %s%s",
470  p->priority,
471  format_ipsec_policy_action, p->policy,
472  p->protocol ?
473  format(0, "%U", format_ip_protocol, p->protocol) :
474  (u8 *) "any",
475  p->policy == IPSEC_POLICY_ACTION_PROTECT ?
476  format(0, " sa %u", p->sa_id) :
477  (u8 *) "");
478  vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
479  format_ip4_address, &p->laddr.start.ip4,
480  format_ip4_address, &p->laddr.stop.ip4,
481  p->lport.start, p->lport.stop);
482  vlib_cli_output(vm, " remte addr range %U - %U port range %u - %u",
483  format_ip4_address, &p->raddr.start.ip4,
484  format_ip4_address, &p->raddr.stop.ip4,
485  p->rport.start, p->rport.stop);
486  vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
487  p->counter.bytes);
488  };
489  vec_foreach(i, spd->ipv4_inbound_policy_discard_and_bypass_indices)
490  {
491  p = pool_elt_at_index(spd->policies, *i);
492  vlib_cli_output(vm, " priority %d action %U protocol %s%s",
493  p->priority,
494  format_ipsec_policy_action, p->policy,
495  p->protocol ?
496  format(0, "%U", format_ip_protocol, p->protocol) :
497  (u8 *) "any",
498  p->policy == IPSEC_POLICY_ACTION_PROTECT ?
499  format(0, " sa %u", p->sa_id) :
500  (u8 *) "");
501  vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
502  format_ip4_address, &p->laddr.start.ip4,
503  format_ip4_address, &p->laddr.stop.ip4,
504  p->lport.start, p->lport.stop);
505  vlib_cli_output(vm, " remte addr range %U - %U port range %u - %u",
506  format_ip4_address, &p->raddr.start.ip4,
507  format_ip4_address, &p->raddr.stop.ip4,
508  p->rport.start, p->rport.stop);
509  vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
510  p->counter.bytes);
511  };
512  vec_foreach(i, spd->ipv6_inbound_protect_policy_indices)
513  {
514  p = pool_elt_at_index(spd->policies, *i);
515  vlib_cli_output(vm, " priority %d action %U protocol %s%s",
516  p->priority,
517  format_ipsec_policy_action, p->policy,
518  p->protocol ?
519  format(0, "%U", format_ip_protocol, p->protocol) :
520  (u8 *) "any",
521  p->policy == IPSEC_POLICY_ACTION_PROTECT ?
522  format(0, " sa %u", p->sa_id) :
523  (u8 *) "");
524  vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
525  format_ip6_address, &p->laddr.start.ip6,
526  format_ip6_address, &p->laddr.stop.ip6,
527  p->lport.start, p->lport.stop);
528  vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
529  format_ip6_address, &p->raddr.start.ip6,
530  format_ip6_address, &p->raddr.stop.ip6,
531  p->rport.start, p->rport.stop);
532  vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
533  p->counter.bytes);
534  };
535  vec_foreach(i, spd->ipv6_inbound_policy_discard_and_bypass_indices)
536  {
537  p = pool_elt_at_index(spd->policies, *i);
538  vlib_cli_output(vm, " priority %d action %U protocol %s%s",
539  p->priority,
540  format_ipsec_policy_action, p->policy,
541  p->protocol ?
542  format(0, "%U", format_ip_protocol, p->protocol) :
543  (u8 *) "any",
544  p->policy == IPSEC_POLICY_ACTION_PROTECT ?
545  format(0, " sa %u", p->sa_id) :
546  (u8 *) "");
547  vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
548  format_ip6_address, &p->laddr.start.ip6,
549  format_ip6_address, &p->laddr.stop.ip6,
550  p->lport.start, p->lport.stop);
551  vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
552  format_ip6_address, &p->raddr.start.ip6,
553  format_ip6_address, &p->raddr.stop.ip6,
554  p->rport.start, p->rport.stop);
555  vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
556  p->counter.bytes);
557  };
558  }));
559  /* *INDENT-ON* */
560 
561  vlib_cli_output (vm, "tunnel interfaces");
562  /* *INDENT-OFF* */
/* t and hi are declared on lines not shown in this rendering. */
563  pool_foreach (t, im->tunnel_interfaces, ({
564  if (t->hw_if_index == ~0)
565  continue;
566  hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index);
567  vlib_cli_output(vm, " %s seq", hi->name);
/* Output SA: outbound sequence counters, then its keys in clear. */
568  sa = pool_elt_at_index(im->sad, t->output_sa_index);
569  vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u",
570  sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay);
571  vlib_cli_output(vm, " local-spi %u local-ip %U", sa->spi,
572  format_ip4_address, &sa->tunnel_src_addr.ip4);
573  vlib_cli_output(vm, " local-crypto %U %U",
574  format_ipsec_crypto_alg, sa->crypto_alg,
575  format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
576  vlib_cli_output(vm, " local-integrity %U %U",
577  format_ipsec_integ_alg, sa->integ_alg,
578  format_hex_bytes, sa->integ_key, sa->integ_key_len);
/* Input SA: anti-replay window state, then its keys in clear.  "remote-ip"
   prints this SA's tunnel_src_addr, i.e. the peer's address as seen on
   the inbound SA (presumably intended). */
579  sa = pool_elt_at_index(im->sad, t->input_sa_index);
580  vlib_cli_output(vm, " last-seq %u last-seq-hi %u esn %u anti-replay %u window %U",
581  sa->last_seq, sa->last_seq_hi, sa->use_esn,
582  sa->use_anti_replay,
583  format_ipsec_replay_window, sa->replay_window);
584  vlib_cli_output(vm, " remote-spi %u remote-ip %U", sa->spi,
585  format_ip4_address, &sa->tunnel_src_addr.ip4);
586  vlib_cli_output(vm, " remote-crypto %U %U",
587  format_ipsec_crypto_alg, sa->crypto_alg,
588  format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
589  vlib_cli_output(vm, " remote-integrity %U %U",
590  format_ipsec_integ_alg, sa->integ_alg,
591  format_hex_bytes, sa->integ_key, sa->integ_key_len);
592  }));
593  /* *INDENT-ON* */
594  return 0;
595 }
596 
597 /* *INDENT-OFF* */
599  .path = "show ipsec",
600  .short_help = "show ipsec",
601  .function = show_ipsec_command_fn,
602 };
603 /* *INDENT-ON* */
604 
/**
 * CLI handler for "clear ipsec counters".
 *
 * Zeroes the packet and byte counters of every policy in every SPD.
 * Takes no arguments; input and cmd are unused.
 *
 * @param vm     vlib main (unused)
 * @param input  CLI input (unused)
 * @param cmd    the registered command (unused)
 * @return 0 always
 */
static clib_error_t *
clear_ipsec_counters_command_fn (vlib_main_t * vm,
                                 unformat_input_t * input,
                                 vlib_cli_command_t * cmd)
{
  ipsec_main_t *im = &ipsec_main;
  ipsec_spd_t *s;
  ipsec_policy_t *pol;

  /* *INDENT-OFF* */
  pool_foreach (s, im->spds, ({
    pool_foreach (pol, s->policies, ({
      pol->counter.packets = 0;
      pol->counter.bytes = 0;
    }));
  }));
  /* *INDENT-ON* */

  return 0;
}
624 
625 /* *INDENT-OFF* */
627  .path = "clear ipsec counters",
628  .short_help = "clear ipsec counters",
630 };
631 /* *INDENT-ON* */
632 
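/**
 * CLI handler for
 * "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr>
 *  remote-spi <spi> [del]".
 *
 * Fills an ipsec_add_del_tunnel_args_t from the line and hands it to
 * ipsec_add_del_tunnel_if.  local-ip, local-spi, remote-ip and remote-spi
 * are all mandatory and are tracked with one flag each rather than a
 * shared counter, so repeating one argument can no longer stand in for a
 * missing one.  Parse errors are reported against the line being parsed
 * (line_input), matching the other handlers in this file; the previous
 * code formatted the outer input, which had already been consumed.
 *
 * @param vm     vlib main (unused)
 * @param input  raw CLI input; one line is consumed via unformat_line_input
 * @param cmd    the registered command (unused)
 * @return 0 on success, otherwise a clib_error_t for a parse error, a
 *         missing mandatory argument, or a non-zero ipsec_add_del_tunnel_if
 *         result
 */
static clib_error_t *
create_ipsec_tunnel_command_fn (vlib_main_t * vm,
                                unformat_input_t * input,
                                vlib_cli_command_t * cmd)
{
  unformat_input_t _line_input, *line_input = &_line_input;
  ipsec_add_del_tunnel_args_t a;
  clib_error_t *err = 0;
  int rv;
  /* One bit per mandatory argument; all four must be present. */
  enum
  {
    ARG_LOCAL_IP = 1 << 0,
    ARG_REMOTE_IP = 1 << 1,
    ARG_LOCAL_SPI = 1 << 2,
    ARG_REMOTE_SPI = 1 << 3,
    ARG_ALL = ARG_LOCAL_IP | ARG_REMOTE_IP | ARG_LOCAL_SPI | ARG_REMOTE_SPI,
  };
  u32 seen = 0;

  memset (&a, 0, sizeof (a));
  a.is_add = 1;

  /* Get a line of input. */
  if (!unformat_user (input, unformat_line_input, line_input))
    return 0;

  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
    {
      if (unformat (line_input, "local-ip %U", unformat_ip4_address,
                    &a.local_ip))
        seen |= ARG_LOCAL_IP;
      else if (unformat (line_input, "remote-ip %U", unformat_ip4_address,
                         &a.remote_ip))
        seen |= ARG_REMOTE_IP;
      else if (unformat (line_input, "local-spi %u", &a.local_spi))
        seen |= ARG_LOCAL_SPI;
      else if (unformat (line_input, "remote-spi %u", &a.remote_spi))
        seen |= ARG_REMOTE_SPI;
      else if (unformat (line_input, "del"))
        a.is_add = 0;
      else
        {
          err = clib_error_return (0, "unknown input `%U'",
                                   format_unformat_error, line_input);
          goto done;
        }
    }

  if ((seen & ARG_ALL) != ARG_ALL)
    {
      err = clib_error_return (0, "mandatory argument(s) missing");
      goto done;
    }

  rv = ipsec_add_del_tunnel_if (&a);

  switch (rv)
    {
    case 0:
      break;
    case VNET_API_ERROR_INVALID_VALUE:
      if (a.is_add)
        err = clib_error_return (0,
                                 "IPSec tunnel interface already exists...");
      else
        err = clib_error_return (0, "IPSec tunnel interface not exists...");
      break;
    default:
      err = clib_error_return (0, "ipsec_register_interface returned %d",
                               rv);
      break;
    }

done:
  /* Single release point so error paths no longer leak the line buffer. */
  unformat_free (line_input);
  return err;
}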
693 
694 /* *INDENT-OFF* */
696  .path = "create ipsec tunnel",
697  .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi>",
698  .function = create_ipsec_tunnel_command_fn,
699 };
700 /* *INDENT-ON* */
701 
/*
 * CLI handler for
 * "set interface ipsec key <int> <local|remote> <crypto|integ> <alg> <key>".
 *
 * Selects the key slot of a tunnel interface (local/remote x crypto/integ),
 * the algorithm and the hex key, and calls ipsec_set_interface_key.  The
 * signature line, the declaration/initialisation of `type` and the four
 * assignments to `type` inside the parse loop are not visible in this
 * rendering.
 *
 * Returns 0, or a clib_error_t for a parse error or a missing
 * type/key/interface.
 */
702 static clib_error_t *
704  unformat_input_t * input,
705  vlib_cli_command_t * cmd)
706 {
707  unformat_input_t _line_input, *line_input = &_line_input;
708  ipsec_main_t *im = &ipsec_main;
710  u32 hw_if_index = (u32) ~ 0;
/* Assigned only by one of the "local|remote crypto|integ" clauses; the
   type == NONE check below returns first when none matched — assuming the
   omitted lines set `type` in the same branches that set alg (confirm). */
711  u32 alg;
/* Heap vector of decoded key bytes. */
712  u8 *key = 0;
713 
714  if (!unformat_user (input, unformat_line_input, line_input))
715  return 0;
716 
717  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
718  {
719  if (unformat (line_input, "%U",
720  unformat_vnet_hw_interface, im->vnet_main, &hw_if_index))
721  ;
722  else
723  if (unformat
724  (line_input, "local crypto %U", unformat_ipsec_crypto_alg, &alg))
726  else
727  if (unformat
728  (line_input, "remote crypto %U", unformat_ipsec_crypto_alg, &alg))
730  else
731  if (unformat
732  (line_input, "local integ %U", unformat_ipsec_integ_alg, &alg))
734  else
735  if (unformat
736  (line_input, "remote integ %U", unformat_ipsec_integ_alg, &alg))
/* Tried last: any remaining hex token is taken as the key. */
738  else if (unformat (line_input, "%U", unformat_hex_string, &key))
739  ;
740  else
741  return clib_error_return (0, "parse error: '%U'",
742  format_unformat_error, line_input);
743  }
744 
745  unformat_free (line_input);
746 
/* Each of the three error returns below leaks `key` (decoded key bytes on
   the heap); only the success path frees it. */
747  if (type == IPSEC_IF_SET_KEY_TYPE_NONE)
748  return clib_error_return (0, "unknown key type");
749 
750  if (alg > 0 && vec_len (key) == 0)
751  return clib_error_return (0, "key is not specified");
752 
753  if (hw_if_index == (u32) ~ 0)
754  return clib_error_return (0, "interface not specified");
755 
/* alg is narrowed to u8 at this call (ipsec_set_interface_key takes u8). */
756  ipsec_set_interface_key (im->vnet_main, hw_if_index, type, alg, key);
/* Releases but does not wipe the key bytes. */
757  vec_free (key);
758 
759  return 0;
760 }
761 
762 /* *INDENT-OFF* */
764  .path = "set interface ipsec key",
765  .short_help =
766  "set interface ipsec key <int> <local|remote> <crypto|integ> <key type> <key>",
767  .function = set_interface_key_command_fn,
768 };
769 /* *INDENT-ON* */
770 
771 
/*
 * Init function for this CLI module; nothing to set up, the commands are
 * registered statically by VLIB_CLI_COMMAND.  The name line is not visible
 * in this rendering.  Returns 0 (success).
 */
772 clib_error_t *
774 {
775  return 0;
776 }
777 
779 
780 
781 /*
782  * fd.io coding-style-patch-verification: ON
783  *
784  * Local Variables:
785  * eval: (c-set-style "gnu")
786  * End:
787  */