de/d60/ipsec__format_8c_source.html

 /*
  * decap.c : IPSec tunnel support
  *
  * Copyright (c) 2015 Cisco and/or its affiliates.
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at:
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include <vnet/vnet.h>
 #include <vnet/api_errno.h>
 #include <vnet/ip/ip.h>
 #include <vnet/interface.h>
 #include <vnet/fib/fib_table.h>

 #include <vnet/ipsec/ipsec.h>

 u8 *
 format_ipsec_policy_action (u8 * s, va_list * args)
 {
   u32 i = va_arg (*args, u32);
   char *t = 0;

   switch (i)
     {
 #define _(v,f,str) case IPSEC_POLICY_ACTION_##f: t = str; break;
       foreach_ipsec_policy_action
 #undef _
     default:
       s = format (s, "unknown");
     }
   s = format (s, "%s", t);
   return s;
 }

 u8 *
 format_ipsec_policy_type (u8 * s, va_list * args)
 {
   u32 i = va_arg (*args, u32);
   char *t = 0;

   switch (i)
     {
 #define _(f,str) case IPSEC_SPD_POLICY_##f: t = str; break;
       foreach_ipsec_spd_policy_type
 #undef _
     default:
       s = format (s, "unknown");
     }
   s = format (s, "%s", t);
   return s;
 }

 uword
 unformat_ipsec_policy_action (unformat_input_t * input, va_list * args)
 {
   u32 *r = va_arg (*args, u32 *);

   if (0);
 #define _(v,f,s) else if (unformat (input, s)) *r = IPSEC_POLICY_ACTION_##f;
   foreach_ipsec_policy_action
 #undef _
     else
     return 0;
   return 1;
 }

 u8 *
 format_ipsec_crypto_alg (u8 * s, va_list * args)
 {
   u32 i = va_arg (*args, u32);
   u8 *t = 0;

   switch (i)
     {
 #define _(v,f,str) case IPSEC_CRYPTO_ALG_##f: t = (u8 *) str; break;
       foreach_ipsec_crypto_alg
 #undef _
     default:
       s = format (s, "unknown");
     }
   s = format (s, "%s", t);
   return s;
 }

 uword
 unformat_ipsec_crypto_alg (unformat_input_t * input, va_list * args)
 {
   u32 *r = va_arg (*args, u32 *);

   if (0);
 #define _(v,f,s) else if (unformat (input, s)) *r = IPSEC_CRYPTO_ALG_##f;
   foreach_ipsec_crypto_alg
 #undef _
     else
     return 0;
   return 1;
 }

 u8 *
 format_ipsec_integ_alg (u8 * s, va_list * args)
 {
   u32 i = va_arg (*args, u32);
   u8 *t = 0;

   switch (i)
     {
 #define _(v,f,str) case IPSEC_INTEG_ALG_##f: t = (u8 *) str; break;
       foreach_ipsec_integ_alg
 #undef _
     default:
       s = format (s, "unknown");
     }
   s = format (s, "%s", t);
   return s;
 }

 uword
 unformat_ipsec_integ_alg (unformat_input_t * input, va_list * args)
 {
   u32 *r = va_arg (*args, u32 *);

   if (0);
 #define _(v,f,s) else if (unformat (input, s)) *r = IPSEC_INTEG_ALG_##f;
   foreach_ipsec_integ_alg
 #undef _
     else
     return 0;
   return 1;
 }

 u8 *
 format_ipsec_replay_window (u8 * s, va_list * args)
 {
   u64 w = va_arg (*args, u64);
   u8 i;

   for (i = 0; i < 64; i++)
     {
       s = format (s, "%u", w & (1ULL << i) ? 1 : 0);
     }

   return s;
 }

 u8 *
 format_ipsec_policy (u8 * s, va_list * args)
 {
   u32 pi = va_arg (*args, u32);
   ipsec_main_t *im = &ipsec_main;
   ipsec_policy_t *p;
   vlib_counter_t counts;
   ip46_type_t ip_type;

   p = pool_elt_at_index (im->policies, pi);

   s = format (s, "  [%d] priority %d action %U type %U protocol ",
               pi, p->priority,
               format_ipsec_policy_action, p->policy,
               format_ipsec_policy_type, p->type);
   if (p->protocol)
     {
       s = format (s, "%U", format_ip_protocol, p->protocol);
     }
   else
     {
       s = format (s, "any");
     }
   if (p->policy == IPSEC_POLICY_ACTION_PROTECT)
     {
       s = format (s, " sa %u", p->sa_id);
     }
   if (p->is_ipv6)
     {
       ip_type = IP46_TYPE_IP6;
     }

   s = format (s, "\n     local addr range %U - %U port range %u - %u",
               format_ip46_address, &p->laddr.start, ip_type,
               format_ip46_address, &p->laddr.stop, ip_type,
               p->lport.start, p->lport.stop);
   s = format (s, "\n     remote addr range %U - %U port range %u - %u",
               format_ip46_address, &p->raddr.start, ip_type,
               format_ip46_address, &p->raddr.stop, ip_type,
               p->rport.start, p->rport.stop);

   vlib_get_combined_counter (&ipsec_spd_policy_counters, pi, &counts);
   s = format (s, "\n     packets %u bytes %u", counts.packets, counts.bytes);

   return (s);
 }

 u8 *
 format_ipsec_spd (u8 * s, va_list * args)
 {
   u32 si = va_arg (*args, u32);
   ipsec_main_t *im = &ipsec_main;
   ipsec_spd_t *spd;
   u32 *i;

   if (pool_is_free_index (im->spds, si))
     {
       s = format (s, "No such SPD index: %d", si);
       goto done;
     }

   spd = pool_elt_at_index (im->spds, si);

   s = format (s, "spd %u", spd->id);

 #define _(v, n)                                                 \
   s = format (s, "\n %s:", n);                                  \
   vec_foreach(i, spd->policies[IPSEC_SPD_POLICY_##v])           \
   {                                                             \
     s = format (s, "\n %U", format_ipsec_policy, *i);           \
   }
   foreach_ipsec_spd_policy_type;
 #undef _

 done:
   return (s);
 }

 u8 *
 format_ipsec_key (u8 * s, va_list * args)
 {
   ipsec_key_t *key = va_arg (*args, ipsec_key_t *);

   return (format (s, "%U", format_hex_bytes, key->data, key->len));
 }

 uword
 unformat_ipsec_key (unformat_input_t * input, va_list * args)
 {
   ipsec_key_t *key = va_arg (*args, ipsec_key_t *);
   u8 *data;

   if (unformat (input, "%U", unformat_hex_string, &data))
     {
       ipsec_mk_key (key, data, vec_len (data));
       vec_free (data);
     }
   else
     return 0;
   return 1;
 }

 u8 *
 format_ipsec_sa_flags (u8 * s, va_list * args)
 {
   ipsec_sa_flags_t flags = va_arg (*args, int);

   if (0)
     ;
 #define _(v, f, str) else if (flags & IPSEC_SA_FLAG_##f) s = format(s, "%s ", str);
   foreach_ipsec_sa_flags
 #undef _
     return (s);
 }

 u8 *
 format_ipsec_sa (u8 * s, va_list * args)
 {
   u32 sai = va_arg (*args, u32);
   ipsec_format_flags_t flags = va_arg (*args, ipsec_format_flags_t);
   ipsec_main_t *im = &ipsec_main;
   vlib_counter_t counts;
   u32 tx_table_id;
   ipsec_sa_t *sa;

   if (pool_is_free_index (im->sad, sai))
     {
       s = format (s, "No such SA index: %d", sai);
       goto done;
     }

   sa = pool_elt_at_index (im->sad, sai);

   s = format (s, "[%d] sa 0x%x spi %u mode %s%s protocol %s %U",
               sai, sa->id, sa->spi,
               ipsec_sa_is_set_IS_TUNNEL (sa) ? "tunnel" : "transport",
               ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ? "-ip6" : "",
               sa->protocol ? "esp" : "ah", format_ipsec_sa_flags, sa->flags);

   if (!(flags & IPSEC_FORMAT_DETAIL))
     goto done;

   s = format (s, "\n   salt 0x%x", sa->salt);
   s = format (s, "\n   seq %u seq-hi %u", sa->seq, sa->seq_hi);
   s = format (s, "\n   last-seq %u last-seq-hi %u window %U",
               sa->last_seq, sa->last_seq_hi,
               format_ipsec_replay_window, sa->replay_window);
   s = format (s, "\n   crypto alg %U%s%U",
               format_ipsec_crypto_alg, sa->crypto_alg,
               sa->crypto_alg ? " key " : "",
               format_ipsec_key, &sa->crypto_key);
   s = format (s, "\n   integrity alg %U%s%U",
               format_ipsec_integ_alg, sa->integ_alg,
               sa->integ_alg ? " key " : "", format_ipsec_key, &sa->integ_key);
   vlib_get_combined_counter (&ipsec_sa_counters, sai, &counts);
   s = format (s, "\n   packets %u bytes %u", counts.packets, counts.bytes);

   if (ipsec_sa_is_set_IS_TUNNEL (sa))
     {
       tx_table_id = fib_table_get_table_id (sa->tx_fib_index,
                                             FIB_PROTOCOL_IP4);
       s = format (s, "\n   table-ID %d tunnel src %U dst %U",
                   tx_table_id,
                   format_ip46_address, &sa->tunnel_src_addr, IP46_TYPE_ANY,
                   format_ip46_address, &sa->tunnel_dst_addr, IP46_TYPE_ANY);
       if (!ipsec_sa_is_set_IS_INBOUND (sa))
         {
           s =
             format (s, "\n    resovle via fib-entry: %d",
                     sa->fib_entry_index);
           s = format (s, "\n    stacked on:");
           s =
             format (s, "\n      %U", format_dpo_id,
                     &sa->dpo[IPSEC_PROTOCOL_ESP], 6);
         }
     }

 done:
   return (s);
 }

 u8 *
 format_ipsec_tunnel (u8 * s, va_list * args)
 {
   ipsec_main_t *im = &ipsec_main;
   u32 ti = va_arg (*args, u32);
   vnet_hw_interface_t *hi;
   ipsec_tunnel_if_t *t;

   if (pool_is_free_index (im->tunnel_interfaces, ti))
     {
       s = format (s, "No such tunnel index: %d", ti);
       goto done;
     }

   t = pool_elt_at_index (im->tunnel_interfaces, ti);

   if (t->hw_if_index == ~0)
     goto done;

   hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index);

   s = format (s, "%s\n", hi->name);

   s = format (s, "   out-bound sa: ");
   s = format (s, "%U\n", format_ipsec_sa, t->output_sa_index,
               IPSEC_FORMAT_BRIEF);

   s = format (s, "    in-bound sa: ");
   s = format (s, "%U\n", format_ipsec_sa, t->input_sa_index,
               IPSEC_FORMAT_BRIEF);

 done:
   return (s);
 }

 /*
  * fd.io coding-style-patch-verification: ON
  *
  * Local Variables:
  * eval: (c-set-style "gnu")
  * End:
  */
ip46_address_range_t::stop
ip46_address_t stop
Definition: ipsec_spd_policy.h:37

tx_table_id
u32 tx_table_id
Definition: ipsec.api:284

hi
vmrglw vmrglh hi
Definition: vector_altivec.h:99

format_ip_protocol
format_function_t format_ip_protocol
Definition: format.h:45

format_ipsec_integ_alg
u8 * format_ipsec_integ_alg(u8 *s, va_list *args)
Definition: ipsec_format.c:109

ipsec_main_t::spds
ipsec_spd_t * spds
Definition: ipsec.h:93

flags
u32 flags
Definition: vhost_user.h:115

ipsec_main_t::tunnel_interfaces
ipsec_tunnel_if_t * tunnel_interfaces
Definition: ipsec.h:100

port_range_t::stop
u16 stop
Definition: ipsec_spd_policy.h:42

ipsec_sa_t::tunnel_src_addr
ip46_address_t tunnel_src_addr
Definition: ipsec_sa.h:156

IP46_TYPE_IP6
Definition: ip6_packet.h:74

ipsec_policy_t_::sa_id
u32 sa_id
Definition: ipsec_spd_policy.h:72

ipsec_sa_t::id
u32 id
Definition: ipsec_sa.h:146

IP46_TYPE_ANY
Definition: ip6_packet.h:72

u64
unsigned long u64
Definition: types.h:89

ipsec_policy_t_::laddr
ip46_address_range_t laddr
Definition: ipsec_spd_policy.h:64

foreach_ipsec_crypto_alg
#define foreach_ipsec_crypto_alg
Definition: ipsec_sa.h:24

unformat_hex_string
unformat_function_t unformat_hex_string
Definition: format.h:288

ipsec_format_flags_t
enum ipsec_format_flags_t_ ipsec_format_flags_t

ipsec_sa_t::crypto_key
ipsec_key_t crypto_key
Definition: ipsec_sa.h:151

ipsec.h

ipsec_sa_t::integ_alg
ipsec_integ_alg_t integ_alg
Definition: ipsec_sa.h:153

vnet_get_hw_interface
static vnet_hw_interface_t * vnet_get_hw_interface(vnet_main_t *vnm, u32 hw_if_index)
Definition: interface_funcs.h:44

vlib_counter_t
Combined counter to hold both packets and byte differences.
Definition: counter_types.h:26

i
int i
Definition: flowhash_template.h:376

IPSEC_PROTOCOL_ESP
Definition: ipsec_sa.h:71

foreach_ipsec_integ_alg
#define foreach_ipsec_integ_alg
Definition: ipsec_sa.h:51

format_ip46_address
format_function_t format_ip46_address
Definition: format.h:61

format
u8 * format(u8 *s, const char *fmt,...)
Definition: format.c:424

data
u8 data[128]
Definition: ipsec.api:248

ipsec_spd_t
A Secruity Policy Database.
Definition: ipsec_spd.h:44

ipsec_tunnel_if_t
Definition: ipsec_if.h:29

ip.h

ipsec_mk_key
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
Definition: ipsec_sa.c:54

ipsec_key_t_::len
u8 len
Definition: ipsec_sa.h:79

IPSEC_FORMAT_BRIEF
Definition: ipsec.h:166

u8
unsigned char u8
Definition: types.h:56

ipsec_sa_t::spi
u32 spi
Definition: ipsec_sa.h:121

ipsec_sa_t::seq_hi
u32 seq_hi
Definition: ipsec_sa.h:123

ipsec_sa_t::replay_window
u64 replay_window
Definition: ipsec_sa.h:126

ipsec_policy_t_::protocol
u8 protocol
Definition: ipsec_spd_policy.h:66

ipsec_main
ipsec_main_t ipsec_main
Definition: ipsec.c:28

foreach_ipsec_policy_action
Definition: ipsec_spd_policy.h:29

unformat_ipsec_crypto_alg
uword unformat_ipsec_crypto_alg(unformat_input_t *input, va_list *args)
Definition: ipsec_format.c:95

format_hex_bytes
u8 * format_hex_bytes(u8 *s, va_list *va)
Definition: std-formats.c:84

port_range_t::start
u16 start
Definition: ipsec_spd_policy.h:42

api_errno.h

format_ipsec_replay_window
u8 * format_ipsec_replay_window(u8 *s, va_list *args)
Definition: ipsec_format.c:141

ipsec_policy_t_::rport
port_range_t rport
Definition: ipsec_spd_policy.h:68

format_ipsec_sa
u8 * format_ipsec_sa(u8 *s, va_list *args)
Definition: ipsec_format.c:270

format_ipsec_crypto_alg
u8 * format_ipsec_crypto_alg(u8 *s, va_list *args)
Definition: ipsec_format.c:77

u32
unsigned int u32
Definition: types.h:88

ipsec_sa_t::flags
ipsec_sa_flags_t flags
Definition: ipsec_sa.h:116

ipsec_main_t
Definition: ipsec.h:90

ipsec_sa_t::last_seq
u32 last_seq
Definition: ipsec_sa.h:124

ipsec_sa_t::tx_fib_index
u32 tx_fib_index
Definition: ipsec_sa.h:162

pool_elt_at_index
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:514

ipsec_spd_policy_counters
vlib_combined_counter_main_t ipsec_spd_policy_counters
Policy packet & bytes counters.
Definition: ipsec_spd_policy.c:22

vlib_counter_t::packets
counter_t packets
packet counter
Definition: counter_types.h:28

interface.h

format_ipsec_spd
u8 * format_ipsec_spd(u8 *s, va_list *args)
Definition: ipsec_format.c:202

ipsec_sa_t::salt
u32 salt
Definition: ipsec_sa.h:163

ipsec_main_t::vnet_main
vnet_main_t * vnet_main
Definition: ipsec.h:106

unformat_input_t
struct _unformat_input_t unformat_input_t

ipsec_sa_t::fib_entry_index
fib_node_index_t fib_entry_index
Definition: ipsec_sa.h:159

ipsec_sa_t::last_seq_hi
u32 last_seq_hi
Definition: ipsec_sa.h:125

format_ipsec_tunnel
u8 * format_ipsec_tunnel(u8 *s, va_list *args)
Definition: ipsec_format.c:336

ipsec_policy_t_::type
ipsec_spd_policy_type_t type
Definition: ipsec_spd_policy.h:60

ipsec_sa_t
Definition: ipsec_sa.h:111

vnet.h

ipsec_sa_t::tunnel_dst_addr
ip46_address_t tunnel_dst_addr
Definition: ipsec_sa.h:157

format_ipsec_policy
u8 * format_ipsec_policy(u8 *s, va_list *args)
Definition: ipsec_format.c:155

foreach_ipsec_sa_flags
Definition: ipsec_sa.h:105

vlib_get_combined_counter
static void vlib_get_combined_counter(const vlib_combined_counter_main_t *cm, u32 index, vlib_counter_t *result)
Get the value of a combined counter, never called in the speed path Scrapes the entire set of per-thr...
Definition: counter.h:259

vnet_hw_interface_t
Definition: interface.h:488

ipsec_policy_t_::priority
i32 priority
Definition: ipsec_spd_policy.h:57

vec_free
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:341

ipsec_policy_t_::policy
ipsec_policy_action_t policy
Definition: ipsec_spd_policy.h:71

ip46_address_range_t::start
ip46_address_t start
Definition: ipsec_spd_policy.h:37

ipsec_sa_flags_t
enum ipsec_sad_flags_t_ ipsec_sa_flags_t

pool_is_free_index
#define pool_is_free_index(P, I)
Use free bitmap to query whether given index is free.
Definition: pool.h:283

ipsec_policy_t_
A Secruity Policy.
Definition: ipsec_spd_policy.h:54

ipsec_tunnel_if_t::output_sa_index
u32 output_sa_index
Definition: ipsec_if.h:34

fib_table.h

ipsec_sa_counters
vlib_combined_counter_main_t ipsec_sa_counters
SA packet & bytes counters.
Definition: ipsec_sa.c:25

ipsec_key_t_::data
u8 data[IPSEC_KEY_MAX_LEN]
Definition: ipsec_sa.h:80

ipsec_main_t::policies
ipsec_policy_t * policies
Definition: ipsec.h:97

ipsec_tunnel_if_t::hw_if_index
u32 hw_if_index
Definition: ipsec_if.h:35

ip46_type_t
ip46_type_t
Definition: ip6_packet.h:70

ipsec_main_t::sad
ipsec_sa_t * sad
Definition: ipsec.h:95

fib_table_get_table_id
u32 fib_table_get_table_id(u32 fib_index, fib_protocol_t proto)
Get the Table-ID of the FIB from protocol and index.
Definition: fib_table.c:1053

ipsec_sa_t::dpo
dpo_id_t dpo[IPSEC_N_PROTOCOLS]
Definition: ipsec_sa.h:132

unformat_ipsec_integ_alg
uword unformat_ipsec_integ_alg(unformat_input_t *input, va_list *args)
Definition: ipsec_format.c:127

format_ipsec_policy_type
u8 * format_ipsec_policy_type(u8 *s, va_list *args)
Definition: ipsec_format.c:45

ipsec_sa_t::protocol
ipsec_protocol_t protocol
Definition: ipsec_sa.h:148

format_ipsec_policy_action
u8 * format_ipsec_policy_action(u8 *s, va_list *args)
Definition: ipsec_format.c:27

format_dpo_id
u8 * format_dpo_id(u8 *s, va_list *args)
Format a DPO_id_t oject
Definition: dpo.c:147

unformat_ipsec_policy_action
uword unformat_ipsec_policy_action(unformat_input_t *input, va_list *args)
Definition: ipsec_format.c:63

ipsec_tunnel_if_t::input_sa_index
u32 input_sa_index
Definition: ipsec_if.h:33

ipsec_sa_t::seq
u32 seq
Definition: ipsec_sa.h:122

vlib_counter_t::bytes
counter_t bytes
byte counter
Definition: counter_types.h:29

vec_len
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
Definition: vec_bootstrap.h:143

ipsec_policy_t_::raddr
ip46_address_range_t raddr
Definition: ipsec_spd_policy.h:65

FIB_PROTOCOL_IP4
Definition: fib_types.h:37

uword
u64 uword
Definition: types.h:112

key
typedef key
Definition: ipsec.api:244

ipsec_spd_t::id
u32 id
the User&#39;s ID for this policy
Definition: ipsec_spd.h:47

ipsec_sa_t::crypto_alg
ipsec_crypto_alg_t crypto_alg
Definition: ipsec_sa.h:150

ipsec_policy_t_::lport
port_range_t lport
Definition: ipsec_spd_policy.h:67

foreach_ipsec_spd_policy_type
#define foreach_ipsec_spd_policy_type
Definition: ipsec_spd.h:20

format_ipsec_sa_flags
u8 * format_ipsec_sa_flags(u8 *s, va_list *args)
Definition: ipsec_format.c:257

vnet_hw_interface_t::name
u8 * name
Definition: interface.h:491

IPSEC_FORMAT_DETAIL
Definition: ipsec.h:167

ipsec_sa_t::integ_key
ipsec_key_t integ_key
Definition: ipsec_sa.h:154

ipsec_key_t_
Definition: ipsec_sa.h:77

unformat_ipsec_key
uword unformat_ipsec_key(unformat_input_t *input, va_list *args)
Definition: ipsec_format.c:241

ipsec_policy_t_::is_ipv6
u8 is_ipv6
Definition: ipsec_spd_policy.h:63

unformat
uword unformat(unformat_input_t *i, const char *fmt,...)
Definition: unformat.c:972

format_ipsec_key
u8 * format_ipsec_key(u8 *s, va_list *args)
Definition: ipsec_format.c:233