FD.io VPP  v17.01.1-3-gc6833f8
Vector Packet Processing
ipsec_cli.c
Go to the documentation of this file.
1 /*
2  * decap.c : IPSec tunnel support
3  *
4  * Copyright (c) 2015 Cisco and/or its affiliates.
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/interface.h>
22 
23 #include <vnet/ipsec/ipsec.h>
24 
25 static clib_error_t *
26 set_interface_spd_command_fn (vlib_main_t * vm,
27  unformat_input_t * input,
28  vlib_cli_command_t * cmd)
29 {
30  unformat_input_t _line_input, *line_input = &_line_input;
31  ipsec_main_t *im = &ipsec_main;
32  u32 sw_if_index = (u32) ~ 0;
33  u32 spd_id;
34  int is_add = 1;
35 
36  if (!unformat_user (input, unformat_line_input, line_input))
37  return 0;
38 
39  if (unformat
40  (line_input, "%U %u", unformat_vnet_sw_interface, im->vnet_main,
41  &sw_if_index, &spd_id))
42  ;
43  else if (unformat (line_input, "del"))
44  is_add = 0;
45  else
46  return clib_error_return (0, "parse error: '%U'",
47  format_unformat_error, line_input);
48 
49  unformat_free (line_input);
50 
51  ipsec_set_interface_spd (vm, sw_if_index, spd_id, is_add);
52 
53  return 0;
54 }
55 
56 /* *INDENT-OFF* */
57 VLIB_CLI_COMMAND (set_interface_spd_command, static) = {
58  .path = "set interface ipsec spd",
59  .short_help =
60  "set interface ipsec spd <int> <id>",
61  .function = set_interface_spd_command_fn,
62 };
63 /* *INDENT-ON* */
64 
65 static clib_error_t *
66 ipsec_sa_add_del_command_fn (vlib_main_t * vm,
67  unformat_input_t * input,
68  vlib_cli_command_t * cmd)
69 {
70  unformat_input_t _line_input, *line_input = &_line_input;
71  ipsec_sa_t sa;
72  int is_add = ~0;
73  u8 *ck = 0, *ik = 0;
74 
75  memset (&sa, 0, sizeof (sa));
76 
77  if (!unformat_user (input, unformat_line_input, line_input))
78  return 0;
79 
80  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
81  {
82  if (unformat (line_input, "add %u", &sa.id))
83  is_add = 1;
84  else if (unformat (line_input, "del %u", &sa.id))
85  is_add = 0;
86  else if (unformat (line_input, "spi %u", &sa.spi))
87  ;
88  else if (unformat (line_input, "esp"))
89  sa.protocol = IPSEC_PROTOCOL_ESP;
90  else if (unformat (line_input, "ah"))
91  //sa.protocol = IPSEC_PROTOCOL_AH;
92  return clib_error_return (0, "unsupported security protocol 'AH'");
93  else
94  if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck))
95  sa.crypto_key_len = vec_len (ck);
96  else
97  if (unformat
98  (line_input, "crypto-alg %U", unformat_ipsec_crypto_alg,
99  &sa.crypto_alg))
100  {
101  if (sa.crypto_alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
102  sa.crypto_alg >= IPSEC_CRYPTO_N_ALG)
103  return clib_error_return (0, "unsupported crypto-alg: '%U'",
104  format_ipsec_crypto_alg, sa.crypto_alg);
105  }
106  else
107  if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik))
108  sa.integ_key_len = vec_len (ik);
109  else if (unformat (line_input, "integ-alg %U", unformat_ipsec_integ_alg,
110  &sa.integ_alg))
111  {
112 #if DPDK_CRYPTO==1
113  if (sa.integ_alg < IPSEC_INTEG_ALG_NONE ||
114 #else
115  if (sa.integ_alg < IPSEC_INTEG_ALG_SHA1_96 ||
116 #endif
117  sa.integ_alg >= IPSEC_INTEG_N_ALG)
118  return clib_error_return (0, "unsupported integ-alg: '%U'",
119  format_ipsec_integ_alg, sa.integ_alg);
120  }
121  else if (unformat (line_input, "tunnel-src %U",
122  unformat_ip4_address, &sa.tunnel_src_addr.ip4))
123  sa.is_tunnel = 1;
124  else if (unformat (line_input, "tunnel-dst %U",
125  unformat_ip4_address, &sa.tunnel_dst_addr.ip4))
126  sa.is_tunnel = 1;
127  else if (unformat (line_input, "tunnel-src %U",
128  unformat_ip6_address, &sa.tunnel_src_addr.ip6))
129  {
130  sa.is_tunnel = 1;
131  sa.is_tunnel_ip6 = 1;
132  }
133  else if (unformat (line_input, "tunnel-dst %U",
134  unformat_ip6_address, &sa.tunnel_dst_addr.ip6))
135  {
136  sa.is_tunnel = 1;
137  sa.is_tunnel_ip6 = 1;
138  }
139  else
140  return clib_error_return (0, "parse error: '%U'",
141  format_unformat_error, line_input);
142  }
143 
144 #if DPDK_CRYPTO==1
145  /*Special cases, aes-gcm-128 encryption */
146  if (sa.crypto_alg == IPSEC_CRYPTO_ALG_AES_GCM_128)
147  {
148  if (sa.integ_alg != IPSEC_INTEG_ALG_NONE
149  && sa.integ_alg != IPSEC_INTEG_ALG_AES_GCM_128)
150  return clib_error_return (0,
151  "unsupported: aes-gcm-128 crypto-alg needs none as integ-alg");
152  else /*set integ-alg internally to aes-gcm-128 */
153  sa.integ_alg = IPSEC_INTEG_ALG_AES_GCM_128;
154  }
155  else if (sa.integ_alg == IPSEC_INTEG_ALG_AES_GCM_128)
156  return clib_error_return (0, "unsupported integ-alg: aes-gcm-128");
157  else if (sa.integ_alg == IPSEC_INTEG_ALG_NONE)
158  return clib_error_return (0, "unsupported integ-alg: none");
159 #endif
160 
161  unformat_free (line_input);
162 
163  if (sa.crypto_key_len > sizeof (sa.crypto_key))
164  sa.crypto_key_len = sizeof (sa.crypto_key);
165 
166  if (sa.integ_key_len > sizeof (sa.integ_key))
167  sa.integ_key_len = sizeof (sa.integ_key);
168 
169  if (ck)
170  strncpy ((char *) sa.crypto_key, (char *) ck, sa.crypto_key_len);
171 
172  if (ik)
173  strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len);
174 
175  ipsec_add_del_sa (vm, &sa, is_add);
176 
177  return 0;
178 }
179 
180 /* *INDENT-OFF* */
181 VLIB_CLI_COMMAND (ipsec_sa_add_del_command, static) = {
182  .path = "ipsec sa",
183  .short_help =
184  "ipsec sa [add|del]",
185  .function = ipsec_sa_add_del_command_fn,
186 };
187 /* *INDENT-ON* */
188 
189 static clib_error_t *
190 ipsec_spd_add_del_command_fn (vlib_main_t * vm,
191  unformat_input_t * input,
192  vlib_cli_command_t * cmd)
193 {
194  unformat_input_t _line_input, *line_input = &_line_input;
195  u32 spd_id = ~0;
196  int is_add = ~0;
197 
198  if (!unformat_user (input, unformat_line_input, line_input))
199  return 0;
200 
201  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
202  {
203  if (unformat (line_input, "add"))
204  is_add = 1;
205  else if (unformat (line_input, "del"))
206  is_add = 0;
207  else if (unformat (line_input, "%u", &spd_id))
208  ;
209  else
210  return clib_error_return (0, "parse error: '%U'",
211  format_unformat_error, line_input);
212  }
213 
214  unformat_free (line_input);
215 
216  if (spd_id == ~0)
217  return clib_error_return (0, "please specify SPD ID");
218 
219  ipsec_add_del_spd (vm, spd_id, is_add);
220 
221  return 0;
222 }
223 
224 /* *INDENT-OFF* */
225 VLIB_CLI_COMMAND (ipsec_spd_add_del_command, static) = {
226  .path = "ipsec spd",
227  .short_help =
228  "ipsec spd [add|del] <id>",
229  .function = ipsec_spd_add_del_command_fn,
230 };
231 /* *INDENT-ON* */
232 
233 
234 static clib_error_t *
235 ipsec_policy_add_del_command_fn (vlib_main_t * vm,
236  unformat_input_t * input,
237  vlib_cli_command_t * cmd)
238 {
239  unformat_input_t _line_input, *line_input = &_line_input;
240  ipsec_policy_t p;
241  int is_add = 0;
242  int is_ip_any = 1;
243  u32 tmp, tmp2;
244 
245  memset (&p, 0, sizeof (p));
246  p.lport.stop = p.rport.stop = ~0;
247  p.laddr.stop.ip4.as_u32 = p.raddr.stop.ip4.as_u32 = (u32) ~ 0;
248  p.laddr.stop.ip6.as_u64[0] = p.laddr.stop.ip6.as_u64[1] = (u64) ~ 0;
249  p.raddr.stop.ip6.as_u64[0] = p.raddr.stop.ip6.as_u64[1] = (u64) ~ 0;
250 
251  if (!unformat_user (input, unformat_line_input, line_input))
252  return 0;
253 
254  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
255  {
256  if (unformat (line_input, "add"))
257  is_add = 1;
258  else if (unformat (line_input, "del"))
259  is_add = 0;
260  else if (unformat (line_input, "spd %u", &p.id))
261  ;
262  else if (unformat (line_input, "inbound"))
263  p.is_outbound = 0;
264  else if (unformat (line_input, "outbound"))
265  p.is_outbound = 1;
266  else if (unformat (line_input, "priority %d", &p.priority))
267  ;
268  else if (unformat (line_input, "protocol %u", &tmp))
269  p.protocol = (u8) tmp;
270  else
271  if (unformat
272  (line_input, "action %U", unformat_ipsec_policy_action,
273  &p.policy))
274  {
275  if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
276  return clib_error_return (0, "unsupported action: 'resolve'");
277  }
278  else if (unformat (line_input, "sa %u", &p.sa_id))
279  ;
280  else if (unformat (line_input, "local-ip-range %U - %U",
281  unformat_ip4_address, &p.laddr.start.ip4,
282  unformat_ip4_address, &p.laddr.stop.ip4))
283  is_ip_any = 0;
284  else if (unformat (line_input, "remote-ip-range %U - %U",
285  unformat_ip4_address, &p.raddr.start.ip4,
286  unformat_ip4_address, &p.raddr.stop.ip4))
287  is_ip_any = 0;
288  else if (unformat (line_input, "local-ip-range %U - %U",
289  unformat_ip6_address, &p.laddr.start.ip6,
290  unformat_ip6_address, &p.laddr.stop.ip6))
291  {
292  p.is_ipv6 = 1;
293  is_ip_any = 0;
294  }
295  else if (unformat (line_input, "remote-ip-range %U - %U",
296  unformat_ip6_address, &p.raddr.start.ip6,
297  unformat_ip6_address, &p.raddr.stop.ip6))
298  {
299  p.is_ipv6 = 1;
300  is_ip_any = 0;
301  }
302  else if (unformat (line_input, "local-port-range %u - %u", &tmp, &tmp2))
303  {
304  p.lport.start = tmp;
305  p.lport.stop = tmp2;
306  }
307  else
308  if (unformat (line_input, "remote-port-range %u - %u", &tmp, &tmp2))
309  {
310  p.rport.start = tmp;
311  p.rport.stop = tmp2;
312  }
313  else
314  return clib_error_return (0, "parse error: '%U'",
315  format_unformat_error, line_input);
316  }
317 
318  unformat_free (line_input);
319 
320  ipsec_add_del_policy (vm, &p, is_add);
321  if (is_ip_any)
322  {
323  p.is_ipv6 = 1;
324  ipsec_add_del_policy (vm, &p, is_add);
325  }
326  return 0;
327 }
328 
329 /* *INDENT-OFF* */
330 VLIB_CLI_COMMAND (ipsec_policy_add_del_command, static) = {
331  .path = "ipsec policy",
332  .short_help =
333  "ipsec policy [add|del] spd <id> priority <n> ",
334  .function = ipsec_policy_add_del_command_fn,
335 };
336 /* *INDENT-ON* */
337 
338 static clib_error_t *
339 set_ipsec_sa_key_command_fn (vlib_main_t * vm,
340  unformat_input_t * input,
341  vlib_cli_command_t * cmd)
342 {
343  unformat_input_t _line_input, *line_input = &_line_input;
344  ipsec_sa_t sa;
345  u8 *ck = 0, *ik = 0;
346 
347  memset (&sa, 0, sizeof (sa));
348 
349  if (!unformat_user (input, unformat_line_input, line_input))
350  return 0;
351 
352  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
353  {
354  if (unformat (line_input, "%u", &sa.id))
355  ;
356  else
357  if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck))
358  sa.crypto_key_len = vec_len (ck);
359  else
360  if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik))
361  sa.integ_key_len = vec_len (ik);
362  else
363  return clib_error_return (0, "parse error: '%U'",
364  format_unformat_error, line_input);
365  }
366 
367  unformat_free (line_input);
368 
369  if (sa.crypto_key_len > sizeof (sa.crypto_key))
370  sa.crypto_key_len = sizeof (sa.crypto_key);
371 
372  if (sa.integ_key_len > sizeof (sa.integ_key))
373  sa.integ_key_len = sizeof (sa.integ_key);
374 
375  if (ck)
376  strncpy ((char *) sa.crypto_key, (char *) ck, sa.crypto_key_len);
377 
378  if (ik)
379  strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len);
380 
381  ipsec_set_sa_key (vm, &sa);
382 
383  return 0;
384 }
385 
386 /* *INDENT-OFF* */
387 VLIB_CLI_COMMAND (set_ipsec_sa_key_command, static) = {
388  .path = "set ipsec sa",
389  .short_help =
390  "set ipsec sa <id> crypto-key <key> integ-key <key>",
391  .function = set_ipsec_sa_key_command_fn,
392 };
393 /* *INDENT-ON* */
394 
395 static clib_error_t *
396 show_ipsec_command_fn (vlib_main_t * vm,
397  unformat_input_t * input, vlib_cli_command_t * cmd)
398 {
399  ipsec_spd_t *spd;
400  ipsec_sa_t *sa;
401  ipsec_policy_t *p;
402  ipsec_main_t *im = &ipsec_main;
403  u32 *i;
404  ipsec_tunnel_if_t *t;
405  vnet_hw_interface_t *hi;
406 
407  /* *INDENT-OFF* */
408  pool_foreach (sa, im->sad, ({
409  if (sa->id) {
410  vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s", sa->id, sa->spi,
411  sa->is_tunnel ? "tunnel" : "transport",
412  sa->protocol ? "esp" : "ah");
413  if (sa->protocol == IPSEC_PROTOCOL_ESP) {
414  vlib_cli_output(vm, " crypto alg %U%s%U integrity alg %U%s%U",
415  format_ipsec_crypto_alg, sa->crypto_alg,
416  sa->crypto_alg ? " key " : "",
417  format_hex_bytes, sa->crypto_key, sa->crypto_key_len,
418  format_ipsec_integ_alg, sa->integ_alg,
419  sa->integ_alg ? " key " : "",
420  format_hex_bytes, sa->integ_key, sa->integ_key_len);
421  }
422  if (sa->is_tunnel && sa->is_tunnel_ip6) {
423  vlib_cli_output(vm, " tunnel src %U dst %U",
424  format_ip6_address, &sa->tunnel_src_addr.ip6,
425  format_ip6_address, &sa->tunnel_dst_addr.ip6);
426  } else if (sa->is_tunnel) {
427  vlib_cli_output(vm, " tunnel src %U dst %U",
428  format_ip4_address, &sa->tunnel_src_addr.ip4,
429  format_ip4_address, &sa->tunnel_dst_addr.ip4);
430  }
431  }
432  }));
433  /* *INDENT-ON* */
434 
435  /* *INDENT-OFF* */
436  pool_foreach (spd, im->spds, ({
437  vlib_cli_output(vm, "spd %u", spd->id);
438 
439  vlib_cli_output(vm, " outbound policies");
440  vec_foreach(i, spd->ipv4_outbound_policies)
441  {
442  p = pool_elt_at_index(spd->policies, *i);
443  vlib_cli_output(vm, " priority %d action %U protocol %s%s",
444  p->priority,
445  format_ipsec_policy_action, p->policy,
446  p->protocol ?
447  format(0, "%U", format_ip_protocol, p->protocol) :
448  (u8 *) "any",
449  p->policy == IPSEC_POLICY_ACTION_PROTECT ?
450  format(0, " sa %u", p->sa_id) :
451  (u8 *) "");
452  vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
453  format_ip4_address, &p->laddr.start.ip4,
454  format_ip4_address, &p->laddr.stop.ip4,
455  p->lport.start, p->lport.stop);
456  vlib_cli_output(vm, " remte addr range %U - %U port range %u - %u",
457  format_ip4_address, &p->raddr.start.ip4,
458  format_ip4_address, &p->raddr.stop.ip4,
459  p->rport.start, p->rport.stop);
460  vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
461  p->counter.bytes);
462  };
463  vec_foreach(i, spd->ipv6_outbound_policies)
464  {
465  p = pool_elt_at_index(spd->policies, *i);
466  vlib_cli_output(vm, " priority %d action %U protocol %s%s",
467  p->priority,
468  format_ipsec_policy_action, p->policy,
469  p->protocol ?
470  format(0, "%U", format_ip_protocol, p->protocol) :
471  (u8 *) "any",
472  p->policy == IPSEC_POLICY_ACTION_PROTECT ?
473  format(0, " sa %u", p->sa_id) :
474  (u8 *) "");
475  vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
476  format_ip6_address, &p->laddr.start.ip6,
477  format_ip6_address, &p->laddr.stop.ip6,
478  p->lport.start, p->lport.stop);
479  vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
480  format_ip6_address, &p->raddr.start.ip6,
481  format_ip6_address, &p->raddr.stop.ip6,
482  p->rport.start, p->rport.stop);
483  vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
484  p->counter.bytes);
485  };
486  vlib_cli_output(vm, " inbound policies");
487  vec_foreach(i, spd->ipv4_inbound_protect_policy_indices)
488  {
489  p = pool_elt_at_index(spd->policies, *i);
490  vlib_cli_output(vm, " priority %d action %U protocol %s%s",
491  p->priority,
492  format_ipsec_policy_action, p->policy,
493  p->protocol ?
494  format(0, "%U", format_ip_protocol, p->protocol) :
495  (u8 *) "any",
496  p->policy == IPSEC_POLICY_ACTION_PROTECT ?
497  format(0, " sa %u", p->sa_id) :
498  (u8 *) "");
499  vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
500  format_ip4_address, &p->laddr.start.ip4,
501  format_ip4_address, &p->laddr.stop.ip4,
502  p->lport.start, p->lport.stop);
503  vlib_cli_output(vm, " remte addr range %U - %U port range %u - %u",
504  format_ip4_address, &p->raddr.start.ip4,
505  format_ip4_address, &p->raddr.stop.ip4,
506  p->rport.start, p->rport.stop);
507  vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
508  p->counter.bytes);
509  };
510  vec_foreach(i, spd->ipv4_inbound_policy_discard_and_bypass_indices)
511  {
512  p = pool_elt_at_index(spd->policies, *i);
513  vlib_cli_output(vm, " priority %d action %U protocol %s%s",
514  p->priority,
515  format_ipsec_policy_action, p->policy,
516  p->protocol ?
517  format(0, "%U", format_ip_protocol, p->protocol) :
518  (u8 *) "any",
519  p->policy == IPSEC_POLICY_ACTION_PROTECT ?
520  format(0, " sa %u", p->sa_id) :
521  (u8 *) "");
522  vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
523  format_ip4_address, &p->laddr.start.ip4,
524  format_ip4_address, &p->laddr.stop.ip4,
525  p->lport.start, p->lport.stop);
526  vlib_cli_output(vm, " remte addr range %U - %U port range %u - %u",
527  format_ip4_address, &p->raddr.start.ip4,
528  format_ip4_address, &p->raddr.stop.ip4,
529  p->rport.start, p->rport.stop);
530  vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
531  p->counter.bytes);
532  };
533  vec_foreach(i, spd->ipv6_inbound_protect_policy_indices)
534  {
535  p = pool_elt_at_index(spd->policies, *i);
536  vlib_cli_output(vm, " priority %d action %U protocol %s%s",
537  p->priority,
538  format_ipsec_policy_action, p->policy,
539  p->protocol ?
540  format(0, "%U", format_ip_protocol, p->protocol) :
541  (u8 *) "any",
542  p->policy == IPSEC_POLICY_ACTION_PROTECT ?
543  format(0, " sa %u", p->sa_id) :
544  (u8 *) "");
545  vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
546  format_ip6_address, &p->laddr.start.ip6,
547  format_ip6_address, &p->laddr.stop.ip6,
548  p->lport.start, p->lport.stop);
549  vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
550  format_ip6_address, &p->raddr.start.ip6,
551  format_ip6_address, &p->raddr.stop.ip6,
552  p->rport.start, p->rport.stop);
553  vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
554  p->counter.bytes);
555  };
556  vec_foreach(i, spd->ipv6_inbound_policy_discard_and_bypass_indices)
557  {
558  p = pool_elt_at_index(spd->policies, *i);
559  vlib_cli_output(vm, " priority %d action %U protocol %s%s",
560  p->priority,
561  format_ipsec_policy_action, p->policy,
562  p->protocol ?
563  format(0, "%U", format_ip_protocol, p->protocol) :
564  (u8 *) "any",
565  p->policy == IPSEC_POLICY_ACTION_PROTECT ?
566  format(0, " sa %u", p->sa_id) :
567  (u8 *) "");
568  vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
569  format_ip6_address, &p->laddr.start.ip6,
570  format_ip6_address, &p->laddr.stop.ip6,
571  p->lport.start, p->lport.stop);
572  vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
573  format_ip6_address, &p->raddr.start.ip6,
574  format_ip6_address, &p->raddr.stop.ip6,
575  p->rport.start, p->rport.stop);
576  vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
577  p->counter.bytes);
578  };
579  }));
580  /* *INDENT-ON* */
581 
582  vlib_cli_output (vm, "tunnel interfaces");
583  /* *INDENT-OFF* */
584  pool_foreach (t, im->tunnel_interfaces, ({
585  if (t->hw_if_index == ~0)
586  continue;
587  hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index);
588  vlib_cli_output(vm, " %s seq", hi->name);
589  sa = pool_elt_at_index(im->sad, t->output_sa_index);
590  vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u",
591  sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay);
592  vlib_cli_output(vm, " local-spi %u local-ip %U", sa->spi,
593  format_ip4_address, &sa->tunnel_src_addr.ip4);
594  vlib_cli_output(vm, " local-crypto %U %U",
595  format_ipsec_crypto_alg, sa->crypto_alg,
596  format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
597  vlib_cli_output(vm, " local-integrity %U %U",
598  format_ipsec_integ_alg, sa->integ_alg,
599  format_hex_bytes, sa->integ_key, sa->integ_key_len);
600  sa = pool_elt_at_index(im->sad, t->input_sa_index);
601  vlib_cli_output(vm, " last-seq %u last-seq-hi %u esn %u anti-replay %u window %U",
602  sa->last_seq, sa->last_seq_hi, sa->use_esn,
603  sa->use_anti_replay,
604  format_ipsec_replay_window, sa->replay_window);
605  vlib_cli_output(vm, " remote-spi %u remote-ip %U", sa->spi,
606  format_ip4_address, &sa->tunnel_src_addr.ip4);
607  vlib_cli_output(vm, " remote-crypto %U %U",
608  format_ipsec_crypto_alg, sa->crypto_alg,
609  format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
610  vlib_cli_output(vm, " remote-integrity %U %U",
611  format_ipsec_integ_alg, sa->integ_alg,
612  format_hex_bytes, sa->integ_key, sa->integ_key_len);
613  }));
614  /* *INDENT-ON* */
615  return 0;
616 }
617 
618 /* *INDENT-OFF* */
619 VLIB_CLI_COMMAND (show_ipsec_command, static) = {
620  .path = "show ipsec",
621  .short_help = "show ipsec",
622  .function = show_ipsec_command_fn,
623 };
624 /* *INDENT-ON* */
625 
626 static clib_error_t *
627 clear_ipsec_counters_command_fn (vlib_main_t * vm,
628  unformat_input_t * input,
629  vlib_cli_command_t * cmd)
630 {
631  ipsec_main_t *im = &ipsec_main;
632  ipsec_spd_t *spd;
633  ipsec_policy_t *p;
634 
635  /* *INDENT-OFF* */
636  pool_foreach (spd, im->spds, ({
637  pool_foreach(p, spd->policies, ({
638  p->counter.packets = p->counter.bytes = 0;
639  }));
640  }));
641  /* *INDENT-ON* */
642 
643  return 0;
644 }
645 
646 /* *INDENT-OFF* */
647 VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = {
648  .path = "clear ipsec counters",
649  .short_help = "clear ipsec counters",
650  .function = clear_ipsec_counters_command_fn,
651 };
652 /* *INDENT-ON* */
653 
654 static clib_error_t *
655 create_ipsec_tunnel_command_fn (vlib_main_t * vm,
656  unformat_input_t * input,
657  vlib_cli_command_t * cmd)
658 {
659  unformat_input_t _line_input, *line_input = &_line_input;
660  ipsec_add_del_tunnel_args_t a;
661  int rv;
662  u32 num_m_args = 0;
663 
664  memset (&a, 0, sizeof (a));
665  a.is_add = 1;
666 
667  /* Get a line of input. */
668  if (!unformat_user (input, unformat_line_input, line_input))
669  return 0;
670 
671  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
672  {
673  if (unformat
674  (line_input, "local-ip %U", unformat_ip4_address, &a.local_ip))
675  num_m_args++;
676  else
677  if (unformat
678  (line_input, "remote-ip %U", unformat_ip4_address, &a.remote_ip))
679  num_m_args++;
680  else if (unformat (line_input, "local-spi %u", &a.local_spi))
681  num_m_args++;
682  else if (unformat (line_input, "remote-spi %u", &a.remote_spi))
683  num_m_args++;
684  else if (unformat (line_input, "del"))
685  a.is_add = 0;
686  else
687  return clib_error_return (0, "unknown input `%U'",
688  format_unformat_error, input);
689  }
690  unformat_free (line_input);
691 
692  if (num_m_args < 4)
693  return clib_error_return (0, "mandatory argument(s) missing");
694 
695  rv = ipsec_add_del_tunnel_if (&a);
696 
697  switch (rv)
698  {
699  case 0:
700  break;
701  case VNET_API_ERROR_INVALID_VALUE:
702  if (a.is_add)
703  return clib_error_return (0,
704  "IPSec tunnel interface already exists...");
705  else
706  return clib_error_return (0, "IPSec tunnel interface not exists...");
707  default:
708  return clib_error_return (0, "ipsec_register_interface returned %d",
709  rv);
710  }
711 
712  return 0;
713 }
714 
715 /* *INDENT-OFF* */
716 VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
717  .path = "create ipsec tunnel",
718  .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi>",
719  .function = create_ipsec_tunnel_command_fn,
720 };
721 /* *INDENT-ON* */
722 
723 static clib_error_t *
724 set_interface_key_command_fn (vlib_main_t * vm,
725  unformat_input_t * input,
726  vlib_cli_command_t * cmd)
727 {
728  unformat_input_t _line_input, *line_input = &_line_input;
729  ipsec_main_t *im = &ipsec_main;
730  ipsec_if_set_key_type_t type = IPSEC_IF_SET_KEY_TYPE_NONE;
731  u32 hw_if_index = (u32) ~ 0;
732  u32 alg;
733  u8 *key = 0;
734 
735  if (!unformat_user (input, unformat_line_input, line_input))
736  return 0;
737 
738  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
739  {
740  if (unformat (line_input, "%U",
741  unformat_vnet_hw_interface, im->vnet_main, &hw_if_index))
742  ;
743  else
744  if (unformat
745  (line_input, "local crypto %U", unformat_ipsec_crypto_alg, &alg))
746  type = IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO;
747  else
748  if (unformat
749  (line_input, "remote crypto %U", unformat_ipsec_crypto_alg, &alg))
750  type = IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO;
751  else
752  if (unformat
753  (line_input, "local integ %U", unformat_ipsec_integ_alg, &alg))
754  type = IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG;
755  else
756  if (unformat
757  (line_input, "remote integ %U", unformat_ipsec_integ_alg, &alg))
758  type = IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG;
759  else if (unformat (line_input, "%U", unformat_hex_string, &key))
760  ;
761  else
762  return clib_error_return (0, "parse error: '%U'",
763  format_unformat_error, line_input);
764  }
765 
766  unformat_free (line_input);
767 
768  if (type == IPSEC_IF_SET_KEY_TYPE_NONE)
769  return clib_error_return (0, "unknown key type");
770 
771  if (alg > 0 && vec_len (key) == 0)
772  return clib_error_return (0, "key is not specified");
773 
774  if (hw_if_index == (u32) ~ 0)
775  return clib_error_return (0, "interface not specified");
776 
777  ipsec_set_interface_key (im->vnet_main, hw_if_index, type, alg, key);
778  vec_free (key);
779 
780  return 0;
781 }
782 
783 /* *INDENT-OFF* */
784 VLIB_CLI_COMMAND (set_interface_key_command, static) = {
785  .path = "set interface ipsec key",
786  .short_help =
787  "set interface ipsec key <int> <local|remote> <crypto|integ> <key type> <key>",
788  .function = set_interface_key_command_fn,
789 };
790 /* *INDENT-ON* */
791 
792 clib_error_t *
793 ipsec_cli_init (vlib_main_t * vm)
794 {
795  return 0;
796 }
797 
798 VLIB_INIT_FUNCTION (ipsec_cli_init);
799 
800 
801 /*
802  * fd.io coding-style-patch-verification: ON
803  *
804  * Local Variables:
805  * eval: (c-set-style "gnu")
806  * End:
807  */
unformat_vnet_hw_interface
unformat_function_t unformat_vnet_hw_interface
Definition: interface_funcs.h:260
ip46_address_range_t::stop
ip46_address_t stop
Definition: ipsec.h:126
hi
vmrglw vmrglh hi
Definition: vector_altivec.h:119
ipsec_main_t::spds
ipsec_spd_t * spds
Definition: ipsec.h:229
i
sll srl srl sll sra u16x4 i
Definition: vector_sse2.h:343
port_range_t::stop
u16 stop
Definition: ipsec.h:131
unformat
uword unformat(unformat_input_t *i, char *fmt,...)
Definition: unformat.c:966
ipsec_sa_t::tunnel_src_addr
ip46_address_t tunnel_src_addr
Definition: ipsec.h:111
set_ipsec_sa_key_command_fn
static clib_error_t * set_ipsec_sa_key_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:339
a
a
Definition: bitmap.h:516
ipsec_sa_t::id
u32 id
Definition: ipsec.h:94
format_ip6_address
format_function_t format_ip6_address
Definition: format.h:95
type
bad routing header type(not 4)") sr_error (NO_MORE_SEGMENTS
ipsec_set_interface_spd
int ipsec_set_interface_spd(vlib_main_t *vm, u32 sw_if_index, u32 spd_id, int is_add)
Definition: ipsec.c:55
ipsec_policy_t::priority
i32 priority
Definition: ipsec.h:175
UNFORMAT_END_OF_INPUT
#define UNFORMAT_END_OF_INPUT
Definition: format.h:143
ipsec_sa_t::integ_alg
ipsec_integ_alg_t integ_alg
Definition: ipsec.h:102
create_ipsec_tunnel_command_fn
static clib_error_t * create_ipsec_tunnel_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:655
ipsec_sa_t::is_tunnel
u8 is_tunnel
Definition: ipsec.h:109
ipsec_set_sa_key
int ipsec_set_sa_key(vlib_main_t *vm, ipsec_sa_t *sa_update)
Definition: ipsec.c:468
set_interface_key_command_fn
static clib_error_t * set_interface_key_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:724
unformat_vnet_sw_interface
unformat_function_t unformat_vnet_sw_interface
Definition: interface_funcs.h:259
ipsec_spd_t
Definition: ipsec.h:195
ipsec_tunnel_if_t
Definition: ipsec.h:219
unformat_ipsec_integ_alg
uword unformat_ipsec_integ_alg(unformat_input_t *input, va_list *args)
Definition: ipsec_format.c:108
format_ip4_address
format_function_t format_ip4_address
Definition: format.h:79
unformat_ipsec_crypto_alg
uword unformat_ipsec_crypto_alg(unformat_input_t *input, va_list *args)
Definition: ipsec_format.c:76
set_interface_key_command
static vlib_cli_command_t set_interface_key_command
(constructor) VLIB_CLI_COMMAND (set_interface_key_command)
Definition: ipsec_cli.c:784
ipsec_sa_t::crypto_key
u8 crypto_key[128]
Definition: ipsec.h:100
ipsec_sa_t::spi
u32 spi
Definition: ipsec.h:95
ipsec_policy_t::lport
port_range_t lport
Definition: ipsec.h:183
ipsec_policy_t::sa_id
u32 sa_id
Definition: ipsec.h:188
ipsec_sa_t::integ_key
u8 integ_key[128]
Definition: ipsec.h:104
ipsec_add_del_tunnel_args_t::remote_spi
u32 remote_spi
Definition: ipsec.h:141
pool_foreach
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
Definition: pool.h:348
show_ipsec_command
static vlib_cli_command_t show_ipsec_command
(constructor) VLIB_CLI_COMMAND (show_ipsec_command)
Definition: ipsec_cli.c:619
VLIB_INIT_FUNCTION
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:111
ipsec_add_del_tunnel_args_t::local_spi
u32 local_spi
Definition: ipsec.h:140
ipsec_set_interface_key
int ipsec_set_interface_key(vnet_main_t *vnm, u32 hw_if_index, ipsec_if_set_key_type_t type, u8 alg, u8 *key)
Definition: ipsec_if.c:295
unformat_hex_string
unformat_function_t unformat_hex_string
Definition: format.h:287
ipsec_add_del_tunnel_args_t::remote_ip
ip4_address_t remote_ip
Definition: ipsec.h:139
port_range_t::start
u16 start
Definition: ipsec.h:131
api_errno.h
unformat_free
static void unformat_free(unformat_input_t *i)
Definition: format.h:161
u64
unsigned long u64
Definition: types.h:89
unformat_user
uword unformat_user(unformat_input_t *input, unformat_function_t *func,...)
Definition: unformat.c:977
ipsec_main_t
Definition: ipsec.h:226
format_ip_protocol
format_function_t format_ip_protocol
Definition: format.h:45
unformat_ip4_address
unformat_function_t unformat_ip4_address
Definition: format.h:76
pool_elt_at_index
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:369
create_ipsec_tunnel_command
static vlib_cli_command_t create_ipsec_tunnel_command
(constructor) VLIB_CLI_COMMAND (create_ipsec_tunnel_command)
Definition: ipsec_cli.c:716
ipsec_policy_t::protocol
u8 protocol
Definition: ipsec.h:182
ipsec_policy_add_del_command_fn
static clib_error_t * ipsec_policy_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:235
ipsec_main_t::vnet_main
vnet_main_t * vnet_main
Definition: ipsec.h:242
set_interface_spd_command_fn
static clib_error_t * set_interface_spd_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:26
ipsec_if_set_key_type_t
ipsec_if_set_key_type_t
Definition: ipsec.h:163
ipsec_policy_t
Definition: ipsec.h:172
ipsec_sa_t
Definition: ipsec.h:92
ipsec_policy_t::laddr
ip46_address_range_t laddr
Definition: ipsec.h:180
ipsec_add_del_policy
int ipsec_add_del_policy(vlib_main_t *vm, ipsec_policy_t *policy, int is_add)
Definition: ipsec.c:168
vlib_cli_output
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
Definition: cli.c:576
unformat_ip6_address
unformat_function_t unformat_ip6_address
Definition: format.h:94
ipsec_sa_t::tunnel_dst_addr
ip46_address_t tunnel_dst_addr
Definition: ipsec.h:112
clear_ipsec_counters_command_fn
static clib_error_t * clear_ipsec_counters_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:627
ipsec_main
ipsec_main_t ipsec_main
Definition: ipsec.h:260
ipsec_add_del_tunnel_args_t
Definition: ipsec.h:134
vnet_hw_interface_t
Definition: interface.h:370
ipsec_cli_init
clib_error_t * ipsec_cli_init(vlib_main_t *vm)
Definition: ipsec_cli.c:793
vec_free
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:300
ip46_address_range_t::start
ip46_address_t start
Definition: ipsec.h:126
ipsec_policy_t::rport
port_range_t rport
Definition: ipsec.h:184
VLIB_CLI_COMMAND
#define VLIB_CLI_COMMAND(x,...)
Definition: cli.h:154
ipsec_policy_t::raddr
ip46_address_range_t raddr
Definition: ipsec.h:181
u32
unsigned int u32
Definition: types.h:88
format_ipsec_crypto_alg
u8 * format_ipsec_crypto_alg(u8 *s, va_list *args)
Definition: ipsec_format.c:58
format_unformat_error
u8 * format_unformat_error(u8 *s, va_list *va)
Definition: unformat.c:91
ipsec_add_del_tunnel_args_t::local_ip
ip4_address_t local_ip
Definition: ipsec.h:139
ipsec_main_t::sad
ipsec_sa_t * sad
Definition: ipsec.h:230
ipsec_policy_t::is_ipv6
u8 is_ipv6
Definition: ipsec.h:179
format_ipsec_policy_action
u8 * format_ipsec_policy_action(u8 *s, va_list *args)
Definition: ipsec_format.c:26
ipsec_sa_t::integ_key_len
u8 integ_key_len
Definition: ipsec.h:103
ipsec_sa_t::protocol
ipsec_protocol_t protocol
Definition: ipsec.h:96
clib_error_t
Definition: error.h:75
ipsec_sa_t::crypto_key_len
u8 crypto_key_len
Definition: ipsec.h:99
format_ipsec_integ_alg
u8 * format_ipsec_integ_alg(u8 *s, va_list *args)
Definition: ipsec_format.c:90
ipsec_add_del_sa
int ipsec_add_del_sa(vlib_main_t *vm, ipsec_sa_t *new_sa, int is_add)
Definition: ipsec.c:427
ipsec_add_del_tunnel_if
int ipsec_add_del_tunnel_if(ipsec_add_del_tunnel_args_t *args)
Definition: ipsec_if.c:87
vec_len
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
Definition: vec_bootstrap.h:142
u8
unsigned char u8
Definition: types.h:56
ipsec_policy_t::is_outbound
u8 is_outbound
Definition: ipsec.h:176
vlib_main_t
Definition: main.h:59
ipsec_add_del_spd
int ipsec_add_del_spd(vlib_main_t *vm, u32 spd_id, int is_add)
Definition: ipsec.c:102
vlib_cli_command_t
Definition: cli.h:91
ipsec_sa_add_del_command_fn
static clib_error_t * ipsec_sa_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:66
ipsec_policy_t::id
u32 id
Definition: ipsec.h:174
unformat_check_input
static uword unformat_check_input(unformat_input_t *i)
Definition: format.h:169
ipsec_add_del_tunnel_args_t::is_add
u8 is_add
Definition: ipsec.h:136
ipsec_sa_t::crypto_alg
ipsec_crypto_alg_t crypto_alg
Definition: ipsec.h:98
format
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:418
show_ipsec_command_fn
static clib_error_t * show_ipsec_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:396
ipsec_policy_t::policy
u8 policy
Definition: ipsec.h:187
vec_foreach
#define vec_foreach(var, vec)
Vector iterator.
Definition: vec_bootstrap.h:184
clib_error_return
#define clib_error_return(e, args...)
Definition: error.h:111
unformat_ipsec_policy_action
uword unformat_ipsec_policy_action(unformat_input_t *input, va_list *args)
Definition: ipsec_format.c:44
unformat_input_t
struct _unformat_input_t unformat_input_t
ipsec_spd_add_del_command_fn
static clib_error_t * ipsec_spd_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:190
unformat_line_input
unformat_function_t unformat_line_input
Definition: format.h:281
clear_ipsec_counters_command
static vlib_cli_command_t clear_ipsec_counters_command
(constructor) VLIB_CLI_COMMAND (clear_ipsec_counters_command)
Definition: ipsec_cli.c:647