FD.io VPP  v20.05.1-6-gf53edbc3b
Vector Packet Processing
ipsec_api.c
Go to the documentation of this file.
1 /*
2  *------------------------------------------------------------------
3  * ipsec_api.c - ipsec api
4  *
5  * Copyright (c) 2016 Cisco and/or its affiliates.
6  * Licensed under the Apache License, Version 2.0 (the "License");
7  * you may not use this file except in compliance with the License.
8  * You may obtain a copy of the License at:
9  *
10  * http://www.apache.org/licenses/LICENSE-2.0
11  *
12  * Unless required by applicable law or agreed to in writing, software
13  * distributed under the License is distributed on an "AS IS" BASIS,
14  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15  * See the License for the specific language governing permissions and
16  * limitations under the License.
17  *------------------------------------------------------------------
18  */
19 
20 #include <vnet/vnet.h>
21 #include <vlibmemory/api.h>
22 
23 #include <vnet/interface.h>
24 #include <vnet/api_errno.h>
25 #include <vnet/ip/ip.h>
26 #include <vnet/ip/ip_types_api.h>
28 #include <vnet/fib/fib.h>
29 #include <vnet/ipip/ipip.h>
30 
31 #include <vnet/vnet_msg_enum.h>
32 
33 #if WITH_LIBSSL > 0
34 #include <vnet/ipsec/ipsec.h>
35 #include <vnet/ipsec/ipsec_tun.h>
36 #endif /* IPSEC */
37 
38 #define vl_typedefs /* define message structures */
39 #include <vnet/vnet_all_api_h.h>
40 #undef vl_typedefs
41 
42 #define vl_endianfun /* define message structures */
43 #include <vnet/vnet_all_api_h.h>
44 #undef vl_endianfun
45 
46 /* instantiate all the print functions we know about */
47 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
48 #define vl_printfun
49 #include <vnet/vnet_all_api_h.h>
50 #undef vl_printfun
51 
53 
54 #define foreach_vpe_api_msg \
55 _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \
56 _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \
57 _(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \
58 _(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \
59 _(IPSEC_SA_DUMP, ipsec_sa_dump) \
60 _(IPSEC_SPDS_DUMP, ipsec_spds_dump) \
61 _(IPSEC_SPD_DUMP, ipsec_spd_dump) \
62 _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
63 _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
64 _(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
65 _(IPSEC_SELECT_BACKEND, ipsec_select_backend) \
66 _(IPSEC_BACKEND_DUMP, ipsec_backend_dump) \
67 _(IPSEC_TUNNEL_PROTECT_UPDATE, ipsec_tunnel_protect_update) \
68 _(IPSEC_TUNNEL_PROTECT_DEL, ipsec_tunnel_protect_del) \
69 _(IPSEC_TUNNEL_PROTECT_DUMP, ipsec_tunnel_protect_dump)
70 
71 static void
73 {
74 #if WITH_LIBSSL == 0
75  clib_warning ("unimplemented");
76 #else
77 
78  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
79  vl_api_ipsec_spd_add_del_reply_t *rmp;
80  int rv;
81 
82  rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add);
83 
84  REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY);
85 #endif
86 }
87 
90 {
91  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
92  vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
93  int rv;
94  u32 sw_if_index __attribute__ ((unused));
95  u32 spd_id __attribute__ ((unused));
96 
97  sw_if_index = ntohl (mp->sw_if_index);
98  spd_id = ntohl (mp->spd_id);
99 
101 
102 #if WITH_LIBSSL > 0
103  rv = ipsec_set_interface_spd (vm, sw_if_index, spd_id, mp->is_add);
104 #else
105  rv = VNET_API_ERROR_UNIMPLEMENTED;
106 #endif
107 
109 
110  REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY);
111 }
112 
115 {
116  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
117  vl_api_ipsec_tunnel_protect_update_reply_t *rmp;
118  u32 sw_if_index, ii, *sa_ins = NULL;
120  int rv;
121 
122  sw_if_index = ntohl (mp->tunnel.sw_if_index);
123 
124  VALIDATE_SW_IF_INDEX (&(mp->tunnel));
125 
126 #if WITH_LIBSSL > 0
127 
128  for (ii = 0; ii < mp->tunnel.n_sa_in; ii++)
129  vec_add1 (sa_ins, ntohl (mp->tunnel.sa_in[ii]));
130 
131  ip_address_decode2 (&mp->tunnel.nh, &nh);
132 
133  rv = ipsec_tun_protect_update (sw_if_index, &nh,
134  ntohl (mp->tunnel.sa_out), sa_ins);
135 #else
136  rv = VNET_API_ERROR_UNIMPLEMENTED;
137 #endif
138 
140 
141  REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_UPDATE_REPLY);
142 }
143 
146 {
147  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
148  vl_api_ipsec_tunnel_protect_del_reply_t *rmp;
151  int rv;
152 
153  sw_if_index = ntohl (mp->sw_if_index);
154 
156 
157 #if WITH_LIBSSL > 0
158  ip_address_decode2 (&mp->nh, &nh);
159  rv = ipsec_tun_protect_del (sw_if_index, &nh);
160 #else
161  rv = VNET_API_ERROR_UNIMPLEMENTED;
162 #endif
163 
165 
166  REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_DEL_REPLY);
167 }
168 
170 {
174 
175 static walk_rc_t
177 {
178  ipsec_dump_walk_ctx_t *ctx = arg;
180  ipsec_tun_protect_t *itp;
181  u32 ii = 0;
182  ipsec_sa_t *sa;
183 
184  itp = ipsec_tun_protect_get (itpi);
185 
186  mp = vl_msg_api_alloc (sizeof (*mp) + (sizeof (u32) * itp->itp_n_sa_in));
187  clib_memset (mp, 0, sizeof (*mp));
188  mp->_vl_msg_id = ntohs (VL_API_IPSEC_TUNNEL_PROTECT_DETAILS);
189  mp->context = ctx->context;
190 
191  mp->tun.sw_if_index = htonl (itp->itp_sw_if_index);
192  ip_address_encode2 (itp->itp_key, &mp->tun.nh);
193 
194  sa = ipsec_sa_get (itp->itp_out_sa);
195  mp->tun.sa_out = htonl (sa->id);
196  mp->tun.n_sa_in = itp->itp_n_sa_in;
197  /* *INDENT-OFF* */
199  ({
200  mp->tun.sa_in[ii++] = htonl (sa->id);
201  }));
202  /* *INDENT-ON* */
203 
204  vl_api_send_msg (ctx->reg, (u8 *) mp);
205 
206  return (WALK_CONTINUE);
207 }
208 
209 static void
211  * mp)
212 {
215 
216 #if WITH_LIBSSL > 0
218  if (!reg)
219  return;
220 
222  .reg = reg,
223  .context = mp->context,
224  };
225 
226  sw_if_index = ntohl (mp->sw_if_index);
227 
228  if (~0 == sw_if_index)
229  {
231  }
232  else
233  {
234  ipsec_tun_protect_walk_itf (sw_if_index,
236  }
237 #else
238  clib_warning ("unimplemented");
239 #endif
240 }
241 
242 static int
243 ipsec_spd_action_decode (vl_api_ipsec_spd_action_t in,
244  ipsec_policy_action_t * out)
245 {
246  in = clib_net_to_host_u32 (in);
247 
248  switch (in)
249  {
250 #define _(v,f,s) case IPSEC_API_SPD_ACTION_##f: \
251  *out = IPSEC_POLICY_ACTION_##f; \
252  return (0);
254 #undef _
255  }
256  return (VNET_API_ERROR_UNIMPLEMENTED);
257 }
258 
261 {
262  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
264  ip46_type_t itype;
265  u32 stat_index;
266  int rv;
267 
268  stat_index = ~0;
269 
270 #if WITH_LIBSSL > 0
271  ipsec_policy_t p;
272 
273  clib_memset (&p, 0, sizeof (p));
274 
275  p.id = ntohl (mp->entry.spd_id);
276  p.priority = ntohl (mp->entry.priority);
277 
278  itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start);
279  ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop);
280  ip_address_decode (&mp->entry.local_address_start, &p.laddr.start);
281  ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop);
282 
283  p.is_ipv6 = (itype == IP46_TYPE_IP6);
284 
285  p.protocol = mp->entry.protocol;
286  p.rport.start = ntohs (mp->entry.remote_port_start);
287  p.rport.stop = ntohs (mp->entry.remote_port_stop);
288  p.lport.start = ntohs (mp->entry.local_port_start);
289  p.lport.stop = ntohs (mp->entry.local_port_stop);
290 
291  rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
292 
293  if (rv)
294  goto out;
295 
296  /* policy action resolve unsupported */
297  if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
298  {
299  clib_warning ("unsupported action: 'resolve'");
300  rv = VNET_API_ERROR_UNIMPLEMENTED;
301  goto out;
302  }
303  p.sa_id = ntohl (mp->entry.sa_id);
304  rv =
305  ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy,
306  &p.type);
307  if (rv)
308  goto out;
309 
310  rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index);
311  if (rv)
312  goto out;
313 
314 #else
315  rv = VNET_API_ERROR_UNIMPLEMENTED;
316  goto out;
317 #endif
318 
319 out:
320  /* *INDENT-OFF* */
321  REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_REPLY,
322  ({
323  rmp->stat_index = ntohl(stat_index);
324  }));
325  /* *INDENT-ON* */
326 }
327 
330 {
331  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
333  ip46_address_t tun_src = { }, tun_dst =
334  {
335  };
336  ipsec_key_t crypto_key, integ_key;
337  ipsec_crypto_alg_t crypto_alg;
338  ipsec_integ_alg_t integ_alg;
341  u32 id, spi, sa_index = ~0;
342  int rv;
343 
344 #if WITH_LIBSSL > 0
345 
346  id = ntohl (mp->entry.sad_id);
347  spi = ntohl (mp->entry.spi);
348 
349  rv = ipsec_proto_decode (mp->entry.protocol, &proto);
350 
351  if (rv)
352  goto out;
353 
354  rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
355 
356  if (rv)
357  goto out;
358 
359  rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
360 
361  if (rv)
362  goto out;
363 
364  ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
365  ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
366 
367  flags = ipsec_sa_flags_decode (mp->entry.flags);
368 
369  ip_address_decode (&mp->entry.tunnel_src, &tun_src);
370  ip_address_decode (&mp->entry.tunnel_dst, &tun_dst);
371 
372  if (mp->is_add)
373  rv = ipsec_sa_add_and_lock (id, spi, proto,
374  crypto_alg, &crypto_key,
375  integ_alg, &integ_key, flags,
376  0, mp->entry.salt, &tun_src, &tun_dst,
377  &sa_index, htons (mp->entry.udp_src_port),
378  htons (mp->entry.udp_dst_port));
379  else
380  rv = ipsec_sa_unlock_id (id);
381 
382 #else
383  rv = VNET_API_ERROR_UNIMPLEMENTED;
384 #endif
385 
386 out:
387  /* *INDENT-OFF* */
388  REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY,
389  {
390  rmp->stat_index = htonl (sa_index);
391  });
392  /* *INDENT-ON* */
393 }
394 
395 static void
397  u32 context)
398 {
400  u32 n_policies = 0;
401 
402  mp = vl_msg_api_alloc (sizeof (*mp));
403  clib_memset (mp, 0, sizeof (*mp));
404  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPDS_DETAILS);
405  mp->context = context;
406 
407  mp->spd_id = htonl (spd->id);
408 #define _(s, n) n_policies += vec_len (spd->policies[IPSEC_SPD_POLICY_##s]);
410 #undef _
411  mp->npolicies = htonl (n_policies);
412 
413  vl_api_send_msg (reg, (u8 *) mp);
414 }
415 
416 static void
418 {
420  ipsec_main_t *im = &ipsec_main;
421  ipsec_spd_t *spd;
422 #if WITH_LIBSSL > 0
424  if (!reg)
425  return;
426 
427  /* *INDENT-OFF* */
428  pool_foreach (spd, im->spds, ({
429  send_ipsec_spds_details (spd, reg, mp->context);
430  }));
431  /* *INDENT-ON* */
432 #else
433  clib_warning ("unimplemented");
434 #endif
435 }
436 
437 vl_api_ipsec_spd_action_t
439 {
440  vl_api_ipsec_spd_action_t out = IPSEC_API_SPD_ACTION_BYPASS;
441 
442  switch (in)
443  {
444 #define _(v,f,s) case IPSEC_POLICY_ACTION_##f: \
445  out = IPSEC_API_SPD_ACTION_##f; \
446  break;
448 #undef _
449  }
450  return (clib_host_to_net_u32 (out));
451 }
452 
453 static void
455  u32 context)
456 {
458 
459  mp = vl_msg_api_alloc (sizeof (*mp));
460  clib_memset (mp, 0, sizeof (*mp));
461  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_DETAILS);
462  mp->context = context;
463 
464  mp->entry.spd_id = htonl (p->id);
465  mp->entry.priority = htonl (p->priority);
466  mp->entry.is_outbound = ((p->type == IPSEC_SPD_POLICY_IP6_OUTBOUND) ||
467  (p->type == IPSEC_SPD_POLICY_IP4_OUTBOUND));
468 
470  &mp->entry.local_address_start);
472  &mp->entry.local_address_stop);
474  &mp->entry.remote_address_start);
476  &mp->entry.remote_address_stop);
477  mp->entry.local_port_start = htons (p->lport.start);
478  mp->entry.local_port_stop = htons (p->lport.stop);
479  mp->entry.remote_port_start = htons (p->rport.start);
480  mp->entry.remote_port_stop = htons (p->rport.stop);
481  mp->entry.protocol = p->protocol;
482  mp->entry.policy = ipsec_spd_action_encode (p->policy);
483  mp->entry.sa_id = htonl (p->sa_id);
484 
485  vl_api_send_msg (reg, (u8 *) mp);
486 }
487 
488 static void
490 {
492  ipsec_main_t *im = &ipsec_main;
495  ipsec_spd_t *spd;
496  uword *p;
497  u32 spd_index, *ii;
498 #if WITH_LIBSSL > 0
500  if (!reg)
501  return;
502 
503  p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id));
504  if (!p)
505  return;
506 
507  spd_index = p[0];
508  spd = pool_elt_at_index (im->spds, spd_index);
509 
510  /* *INDENT-OFF* */
512  vec_foreach(ii, spd->policies[ptype])
513  {
514  policy = pool_elt_at_index(im->policies, *ii);
515 
516  if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id)
517  send_ipsec_spd_details (policy, reg, mp->context);
518  }
519  }
520  /* *INDENT-ON* */
521 #else
522  clib_warning ("unimplemented");
523 #endif
524 }
525 
526 static void
529 {
531 
532  mp = vl_msg_api_alloc (sizeof (*mp));
533  clib_memset (mp, 0, sizeof (*mp));
534  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_INTERFACE_DETAILS);
535  mp->context = context;
536 
537  mp->spd_index = htonl (spd_index);
538  mp->sw_if_index = htonl (sw_if_index);
539 
540  vl_api_send_msg (reg, (u8 *) mp);
541 }
542 
543 static void
545  mp)
546 {
547  ipsec_main_t *im = &ipsec_main;
549  u32 k, v, spd_index;
550 
551 #if WITH_LIBSSL > 0
553  if (!reg)
554  return;
555 
556  if (mp->spd_index_valid)
557  {
558  spd_index = ntohl (mp->spd_index);
559  /* *INDENT-OFF* */
561  if (v == spd_index)
562  send_ipsec_spd_interface_details(reg, v, k, mp->context);
563  }));
564  /* *INDENT-ON* */
565  }
566  else
567  {
568  /* *INDENT-OFF* */
570  send_ipsec_spd_interface_details(reg, v, k, mp->context);
571  }));
572  /* *INDENT-ON* */
573  }
574 
575 #else
576  clib_warning ("unimplemented");
577 #endif
578 }
579 
580 static u32
582 {
583  return (0x80000000 | ti);
584 }
585 
586 static u32
588 {
589  return (0xc0000000 | ti);
590 }
591 
592 static void
594  mp)
595 {
597  u32 sw_if_index = ~0;
598  int rv;
599 
600 #if WITH_LIBSSL > 0
601  ip46_address_t local_ip = ip46_address_initializer;
602  ip46_address_t remote_ip = ip46_address_initializer;
603  ipsec_key_t crypto_key, integ_key;
605  ip46_type_t local_ip_type, remote_ip_type;
606  ipip_transport_t transport;
607  u32 fib_index;
608 
609  local_ip_type = ip_address_decode (&mp->local_ip, &local_ip);
610  remote_ip_type = ip_address_decode (&mp->remote_ip, &remote_ip);
611  transport = (IP46_TYPE_IP6 == local_ip_type ?
613 
614  if (local_ip_type != remote_ip_type)
615  {
616  rv = VNET_API_ERROR_INVALID_VALUE;
617  goto done;
618  }
619 
620  flags = IPSEC_SA_FLAG_NONE;
621 
622  if (mp->udp_encap)
623  flags |= IPSEC_SA_FLAG_UDP_ENCAP;
624  if (mp->esn)
625  flags |= IPSEC_SA_FLAG_USE_ESN;
626  if (mp->anti_replay)
627  flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
628 
629  ipsec_mk_key (&crypto_key, mp->remote_crypto_key,
631  ipsec_mk_key (&integ_key, mp->remote_integ_key, mp->remote_integ_key_len);
632  ipsec_mk_key (&crypto_key, mp->local_crypto_key, mp->local_crypto_key_len);
633  ipsec_mk_key (&integ_key, mp->local_integ_key, mp->local_integ_key_len);
634 
635  fib_index =
636  fib_table_find (fib_proto_from_ip46 (local_ip_type),
637  ntohl (mp->tx_table_id));
638 
639  if (~0 == fib_index)
640  {
641  rv = VNET_API_ERROR_NO_SUCH_FIB;
642  goto done;
643  }
644 
645  if (mp->is_add)
646  {
647  // remote = input, local = output
648  /* create an ip-ip tunnel, then the two SA, then bind them */
649  rv = ipip_add_tunnel (transport,
650  (mp->renumber ? ntohl (mp->show_instance) : ~0),
651  &local_ip,
652  &remote_ip, fib_index,
653  TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
654  TUNNEL_MODE_P2P, &sw_if_index);
655 
656  if (rv)
657  goto done;
658 
660  ntohl (mp->remote_spi),
662  mp->crypto_alg,
663  &crypto_key,
664  mp->integ_alg,
665  &integ_key,
666  (flags | IPSEC_SA_FLAG_IS_INBOUND),
667  ntohl (mp->tx_table_id),
668  mp->salt, &remote_ip, &local_ip, NULL,
670 
671  if (rv)
672  goto done;
673 
675  ntohl (mp->local_spi),
677  mp->crypto_alg,
678  &crypto_key,
679  mp->integ_alg,
680  &integ_key,
681  flags,
682  ntohl (mp->tx_table_id),
683  mp->salt, &local_ip, &remote_ip, NULL,
685 
686  if (rv)
687  goto done;
688 
689  rv = ipsec_tun_protect_update_one (sw_if_index, NULL,
691  (sw_if_index),
693  (sw_if_index));
694  if (rv)
695  goto done;
696 
697  /* the SAs are locked as a result of being used for proection,
698  * they cannot be removed from the API, since they cannot be refered
699  * to by the API. unlock them now, so that if the tunnel is rekeyed
700  * they-ll disapper
701  */
704  }
705  else
706  {
707  /* *INDENT-OFF* */
708  ipip_tunnel_key_t key = {
709  .transport = transport,
710  .fib_index = fib_index,
711  .src = local_ip,
712  .dst = remote_ip
713  };
714  /* *INDENT-ON* */
715 
717 
718  if (NULL != t)
719  {
720  rv = ipsec_tun_protect_del (t->sw_if_index, NULL);
722  }
723  else
724  rv = VNET_API_ERROR_NO_SUCH_ENTRY;
725  }
726 
727 #else
728  rv = VNET_API_ERROR_UNIMPLEMENTED;
729 #endif
730 done:
731  /* *INDENT-OFF* */
732  REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY,
733  ({
734  rmp->sw_if_index = htonl (sw_if_index);
735  }));
736  /* *INDENT-ON* */
737 }
738 
740 {
744 
745 static walk_rc_t
747 {
749  ipsec_tun_protect_t *itp;
750  index_t sai;
751 
752  itp = ipsec_tun_protect_get (itpi);
753 
754  if (itp->itp_out_sa == ctx->sai)
755  {
756  ctx->sw_if_index = itp->itp_sw_if_index;
757  return (WALK_STOP);
758  }
759  /* *INDENT-OFF* */
761  ({
762  if (sai == ctx->sai)
763  {
764  ctx->sw_if_index = itp->itp_sw_if_index;
765  return (WALK_STOP);
766  }
767  }));
768  /* *INDENT-OFF* */
769 
770  return (WALK_CONTINUE);
771 }
772 
773 static walk_rc_t
775 {
776  ipsec_dump_walk_ctx_t *ctx = arg;
778  ipsec_main_t *im = &ipsec_main;
779 
780  mp = vl_msg_api_alloc (sizeof (*mp));
781  clib_memset (mp, 0, sizeof (*mp));
782  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS);
783  mp->context = ctx->context;
784 
785  mp->entry.sad_id = htonl (sa->id);
786  mp->entry.spi = htonl (sa->spi);
787  mp->entry.protocol = ipsec_proto_encode (sa->protocol);
788  mp->entry.tx_table_id =
790 
791  mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
792  ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
793 
794  mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
795  ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
796 
797  mp->entry.flags = ipsec_sad_flags_encode (sa);
798  mp->entry.salt = clib_host_to_net_u32 (sa->salt);
799 
800  if (ipsec_sa_is_set_IS_PROTECT (sa))
801  {
803  .sai = sa - im->sad,
804  .sw_if_index = ~0,
805  };
807 
808  mp->sw_if_index = htonl (ctx.sw_if_index);
809  }
810  else
811  mp->sw_if_index = ~0;
812 
813  if (ipsec_sa_is_set_IS_TUNNEL (sa))
814  {
816  &mp->entry.tunnel_src);
818  &mp->entry.tunnel_dst);
819  }
820  if (ipsec_sa_is_set_UDP_ENCAP (sa))
821  {
822  mp->entry.udp_src_port = sa->udp_hdr.src_port;
823  mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
824  }
825 
826  mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
827  mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
828  if (ipsec_sa_is_set_USE_ESN (sa))
829  {
830  mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
831  mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
832  }
833  if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
834  mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
835 
836  mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
837 
838  vl_api_send_msg (ctx->reg, (u8 *) mp);
839 
840  return (WALK_CONTINUE);
841 }
842 
843 static void
845 {
847 
848 #if WITH_LIBSSL > 0
850  if (!reg)
851  return;
852 
854  .reg = reg,
855  .context = mp->context,
856  };
857 
859 
860 #else
861  clib_warning ("unimplemented");
862 #endif
863 }
864 
865 static void
867 {
868  vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
869  int rv;
870 
871 #if WITH_LIBSSL > 0
873 
874  if (mp->is_outbound)
875  rv = ipsec_tun_protect_update_out (ntohl (mp->sw_if_index), NULL,
876  ntohl (mp->sa_id));
877  else
878  rv = ipsec_tun_protect_update_in (ntohl (mp->sw_if_index), NULL,
879  ntohl (mp->sa_id));
880 
881 #else
882  clib_warning ("unimplemented");
883 #endif
884 
886 
887  REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
888 }
889 
890 static void
892 {
894  ipsec_main_t *im = &ipsec_main;
895  u32 context = mp->context;
896 
898 
899  if (rp == 0)
900  {
901  clib_warning ("Client %d AWOL", mp->client_index);
902  return;
903  }
904 
905  ipsec_ah_backend_t *ab;
907  /* *INDENT-OFF* */
908  pool_foreach (ab, im->ah_backends, {
909  vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
910  clib_memset (mp, 0, sizeof (*mp));
911  mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
912  mp->context = context;
913  snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (ab->name),
914  ab->name);
915  mp->protocol = ntohl (IPSEC_API_PROTO_AH);
916  mp->index = ab - im->ah_backends;
917  mp->active = mp->index == im->ah_current_backend ? 1 : 0;
918  vl_api_send_msg (rp, (u8 *)mp);
919  });
920  pool_foreach (eb, im->esp_backends, {
921  vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
922  clib_memset (mp, 0, sizeof (*mp));
923  mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
924  mp->context = context;
925  snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (eb->name),
926  eb->name);
927  mp->protocol = ntohl (IPSEC_API_PROTO_ESP);
928  mp->index = eb - im->esp_backends;
929  mp->active = mp->index == im->esp_current_backend ? 1 : 0;
930  vl_api_send_msg (rp, (u8 *)mp);
931  });
932  /* *INDENT-ON* */
933 }
934 
935 static void
937 {
938  ipsec_main_t *im = &ipsec_main;
939  vl_api_ipsec_select_backend_reply_t *rmp;
941  int rv = 0;
942  if (pool_elts (im->sad) > 0)
943  {
944  rv = VNET_API_ERROR_INSTANCE_IN_USE;
945  goto done;
946  }
947 
948  rv = ipsec_proto_decode (mp->protocol, &protocol);
949 
950  if (rv)
951  goto done;
952 
953 #if WITH_LIBSSL > 0
954  switch (protocol)
955  {
956  case IPSEC_PROTOCOL_ESP:
957  rv = ipsec_select_esp_backend (im, mp->index);
958  break;
959  case IPSEC_PROTOCOL_AH:
960  rv = ipsec_select_ah_backend (im, mp->index);
961  break;
962  default:
963  rv = VNET_API_ERROR_INVALID_PROTOCOL;
964  break;
965  }
966 #else
967  clib_warning ("unimplemented"); /* FIXME */
968 #endif
969 done:
970  REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY);
971 }
972 
973 /*
974  * ipsec_api_hookup
975  * Add vpe's API message handlers to the table.
976  * vlib has already mapped shared memory and
977  * added the client registration handlers.
978  * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process()
979  */
980 #define vl_msg_name_crc_list
981 #include <vnet/vnet_all_api_h.h>
982 #undef vl_msg_name_crc_list
983 
984 static void
986 {
987 #define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id);
988  foreach_vl_msg_name_crc_ipsec;
989 #undef _
990 }
991 
992 static clib_error_t *
994 {
995  api_main_t *am = vlibapi_get_main ();
996 
997 #define _(N,n) \
998  vl_msg_api_set_handlers(VL_API_##N, #n, \
999  vl_api_##n##_t_handler, \
1000  vl_noop_handler, \
1001  vl_api_##n##_t_endian, \
1002  vl_api_##n##_t_print, \
1003  sizeof(vl_api_##n##_t), 1);
1005 #undef _
1006 
1007  /*
1008  * Set up the (msg_name, crc, message-id) table
1009  */
1011 
1012  return 0;
1013 }
1014 
1016 
1017 /*
1018  * fd.io coding-style-patch-verification: ON
1019  *
1020  * Local Variables:
1021  * eval: (c-set-style "gnu")
1022  * End:
1023  */
ipip_tunnel_t * ipip_tunnel_db_find(const ipip_tunnel_key_t *key)
Definition: ipip.c:484
u32 spi
ipsec_spd_t * spds
Definition: ipsec.h:105
IPsec: Add/delete Security Policy Database entry.
Definition: ipsec.api:121
vl_api_ipsec_spd_action_t ipsec_spd_action_encode(ipsec_policy_action_t in)
Definition: ipsec_api.c:438
void ipsec_key_decode(const vl_api_key_t *key, ipsec_key_t *out)
ip46_address_t tunnel_src_addr
Definition: ipsec_sa.h:175
bool is_add
Definition: ipsec.api:125
void ip_address_encode2(const ip_address_t *in, vl_api_address_t *out)
Definition: ip_types_api.c:216
enum ipsec_spd_policy_t_ ipsec_spd_policy_type_t
IPsec: SPD interface response.
Definition: ipsec.api:307
A representation of a IPIP tunnel.
Definition: ipip.h:75
Dump IPsec backends.
Definition: ipsec.api:455
vl_api_fib_path_nh_t nh
Definition: fib_types.api:126
ipsec_integ_alg_t
Definition: ipsec_sa.h:59
VLIB_API_INIT_FUNCTION(ipsec_api_hookup)
unsigned long u64
Definition: types.h:89
ip46_address_range_t laddr
#define REPLY_MACRO2(t, body)
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
#define FOR_EACH_IPSEC_SPD_POLICY_TYPE(_t)
Definition: ipsec_spd.h:38
int ipsec_policy_mk_type(bool is_outbound, bool is_ipv6, ipsec_policy_action_t action, ipsec_spd_policy_type_t *type)
static void vl_api_send_msg(vl_api_registration_t *rp, u8 *elem)
Definition: api.h:35
ipsec_key_t crypto_key
Definition: ipsec_sa.h:168
vl_api_interface_index_t sw_if_index
Definition: ipsec.api:446
ipsec_integ_alg_t integ_alg
Definition: ipsec_sa.h:171
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets are they are swit...
Definition: dpo.h:41
#define vec_add1(V, E)
Add 1 element to end of vector (unspecified alignment).
Definition: vec.h:590
ipsec_protocol_t
Definition: ipsec_sa.h:67
void ipsec_tun_protect_walk_itf(u32 sw_if_index, ipsec_tun_protect_walk_cb_t fn, void *ctx)
Definition: ipsec_tun.c:775
static void setup_message_id_table(api_main_t *am)
Definition: ipsec_api.c:985
int ipsec_integ_algo_decode(vl_api_ipsec_integ_alg_t in, ipsec_integ_alg_t *out)
vl_api_ipsec_spd_action_t policy
Definition: ipsec.api:98
static void vl_api_ipsec_sa_dump_t_handler(vl_api_ipsec_sa_dump_t *mp)
Definition: ipsec_api.c:844
int ipsec_select_ah_backend(ipsec_main_t *im, u32 backend_idx)
Definition: ipsec.c:270
#define FOR_EACH_IPSEC_PROTECT_INPUT_SA(_itp, _sa, body)
Definition: ipsec_tun.h:94
A Secruity Policy Database.
Definition: ipsec_spd.h:46
int ipsec_sa_add_and_lock(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, u32 *sa_out_index, u16 src_port, u16 dst_port)
Definition: ipsec_sa.c:170
int ipip_add_tunnel(ipip_transport_t transport, u32 instance, ip46_address_t *src, ip46_address_t *dst, u32 fib_index, tunnel_encap_decap_flags_t flags, ip_dscp_t dscp, tunnel_mode_t tmode, u32 *sw_if_indexp)
Definition: ipip.c:653
void * vl_msg_api_alloc(int nbytes)
void ipsec_tun_protect_walk(ipsec_tun_protect_walk_cb_t fn, void *ctx)
Definition: ipsec_tun.c:762
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
Definition: ipsec_sa.c:56
unsigned char u8
Definition: types.h:56
#define foreach_vpe_api_msg
Definition: ipsec_api.c:54
vl_api_interface_index_t sw_if_index
Definition: ipsec.api:279
vl_api_address_t remote_ip
Definition: ipsec.api:351
u8 id[64]
Definition: dhcp.api:160
struct ipsec_sa_dump_match_ctx_t_ ipsec_sa_dump_match_ctx_t
u32 seq_hi
Definition: ipsec_sa.h:122
uword * spd_index_by_sw_if_index
Definition: ipsec.h:122
static void vl_api_ipsec_interface_add_del_spd_t_handler(vl_api_ipsec_interface_add_del_spd_t *mp)
Definition: ipsec_api.c:89
enum walk_rc_t_ walk_rc_t
Walk return code.
vl_api_interface_index_t sw_if_index
Definition: ipsec.api:268
u64 replay_window
Definition: ipsec_sa.h:125
vl_api_ip_proto_t protocol
Definition: lb_types.api:71
void ipsec_sa_walk(ipsec_sa_walk_cb_t cb, void *ctx)
Definition: ipsec_sa.c:450
Select IPsec backend.
Definition: ipsec.api:480
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
Definition: pool.h:513
vl_api_interface_index_t sw_if_index
Definition: gre.api:53
ipsec_main_t ipsec_main
Definition: ipsec.c:28
Definition: ipsec.api:198
int ipsec_tun_protect_del(u32 sw_if_index, const ip_address_t *nh)
Definition: ipsec_tun.c:733
static void vl_api_ipsec_tunnel_if_add_del_t_handler(vl_api_ipsec_tunnel_if_add_del_t *mp)
Definition: ipsec_api.c:593
static void vl_api_ipsec_backend_dump_t_handler(vl_api_ipsec_backend_dump_t *mp)
Definition: ipsec_api.c:891
int ipsec_select_esp_backend(ipsec_main_t *im, u32 backend_idx)
Definition: ipsec.c:293
#define hash_foreach(key_var, value_var, h, body)
Definition: hash.h:442
static void vl_api_ipsec_spd_dump_t_handler(vl_api_ipsec_spd_dump_t *mp)
Definition: ipsec_api.c:489
static void vl_api_ipsec_spd_interface_dump_t_handler(vl_api_ipsec_spd_interface_dump_t *mp)
Definition: ipsec_api.c:544
vl_api_address_t local_ip
Definition: ipsec.api:350
int ipsec_sa_unlock_id(u32 id)
Definition: ipsec_sa.c:428
port_range_t rport
Dump all tunnel protections.
Definition: ipsec.api:275
unsigned int u32
Definition: types.h:88
vl_api_ipsec_crypto_alg_t ipsec_crypto_algo_encode(ipsec_crypto_alg_t c)
u32 fib_table_find(fib_protocol_t proto, u32 table_id)
Get the index of the FIB for a Table-ID.
Definition: fib_table.c:1097
IPsec: Reply Add/delete Security Policy Database entry.
Definition: ipsec.api:135
ip46_type_t ip_address_decode(const vl_api_address_t *in, ip46_address_t *out)
Decode/Encode for struct/union types.
Definition: ip_types_api.c:160
u32 stat_index
Definition: ipsec_sa.h:164
static void vl_api_ipsec_spd_add_del_t_handler(vl_api_ipsec_spd_add_del_t *mp)
Definition: ipsec_api.c:72
fib_protocol_t fib_proto_from_ip46(ip46_type_t iproto)
Convert from ip46_type to fib_protocol.
Definition: fib_types.c:390
u32 last_seq
Definition: ipsec_sa.h:123
#define hash_get(h, key)
Definition: hash.h:249
IPsec: Add/delete Security Association Database entry.
Definition: ipsec.api:191
u32 tx_fib_index
Definition: ipsec_sa.h:181
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:534
Dump IPsec all SPD IDs response.
Definition: ipsec.api:156
Add/delete IPsec tunnel interface response.
Definition: ipsec.api:376
vl_api_ip_proto_t proto
Definition: acl_types.api:50
long ctx[MAX_CONNS]
Definition: main.c:144
IPsec: Add/delete Security Policy Database.
Definition: ipsec.api:31
u32 salt
Definition: ipsec_sa.h:184
vl_api_ipsec_tunnel_protect_t tun
Definition: ipsec.api:285
vl_api_ipsec_proto_t ipsec_proto_encode(ipsec_protocol_t p)
int ipsec_add_del_policy(vlib_main_t *vm, ipsec_policy_t *policy, int is_add, u32 *stat_index)
Add/Delete a SPD.
u32 last_seq_hi
Definition: ipsec_sa.h:124
static int ipsec_spd_action_decode(vl_api_ipsec_spd_action_t in, ipsec_policy_action_t *out)
Definition: ipsec_api.c:243
#define REPLY_MACRO(t)
vl_api_ipsec_tunnel_protect_t tunnel
Definition: ipsec.api:260
ipsec_spd_policy_type_t type
vl_api_interface_index_t sw_if_index
Definition: ipsec.api:55
vlib_main_t * vm
Definition: in2out_ed.c:1599
static ipsec_sa_t * ipsec_sa_get(u32 sa_index)
Definition: ipsec.h:285
ipsec_policy_action_t
uword * spd_index_by_spd_id
Definition: ipsec.h:121
static void vl_api_ipsec_tunnel_if_set_sa_t_handler(vl_api_ipsec_tunnel_if_set_sa_t *mp)
Definition: ipsec_api.c:866
API main structure, used by both vpp and binary API clients.
Definition: api_common.h:226
ip46_address_t tunnel_dst_addr
Definition: ipsec_sa.h:176
void ip_address_decode2(const vl_api_address_t *in, ip_address_t *out)
Definition: ip_types_api.c:166
An API client registration, only in vpp/vlib.
Definition: api_common.h:47
int ipsec_tun_protect_update_one(u32 sw_if_index, const ip_address_t *nh, u32 sa_out, u32 sa_in)
Definition: ipsec_tun.c:477
#define BAD_SW_IF_INDEX_LABEL
IPsec: Add/delete SPD from interface.
Definition: ipsec.api:49
u32 flags
Definition: vhost_user.h:248
static walk_rc_t ipsec_sa_dump_match_sa(index_t itpi, void *arg)
Definition: ipsec_api.c:746
ipsec_ah_backend_t * ah_backends
Definition: ipsec.h:166
vl_api_ipsec_sad_flags_t ipsec_sad_flags_encode(const ipsec_sa_t *sa)
Dump IPsec all SPD IDs.
Definition: ipsec.api:146
vl_api_ipsec_sad_entry_t entry
Definition: ipsec.api:196
ipsec_policy_action_t policy
ip46_address_t start
#define clib_warning(format, args...)
Definition: error.h:59
vl_api_key_t crypto_key
udp_header_t udp_hdr
Definition: ipsec_sa.h:160
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
vl_api_ipsec_proto_t protocol
Definition: ipsec.api:483
int ipsec_tun_protect_update_out(u32 sw_if_index, const ip_address_t *nh, u32 sa_out)
Definition: ipsec_tun.c:490
#define FOR_EACH_IPSEC_PROTECT_INPUT_SAI(_itp, _sai, body)
Definition: ipsec_tun.h:86
bool is_add
Definition: ipsec.api:195
static u32 ipsec_tun_mk_input_sa_id(u32 ti)
Definition: ipsec_api.c:581
Set new SA on IPsec interface.
Definition: ipsec.api:443
static vl_api_registration_t * vl_api_client_index_to_registration(u32 index)
Definition: api.h:57
A Secruity Policy.
static void vl_api_ipsec_spds_dump_t_handler(vl_api_ipsec_spds_dump_t *mp)
Definition: ipsec_api.c:417
static void vl_api_ipsec_tunnel_protect_dump_t_handler(vl_api_ipsec_tunnel_protect_dump_t *mp)
Definition: ipsec_api.c:210
static void send_ipsec_spd_interface_details(vl_api_registration_t *reg, u32 spd_index, u32 sw_if_index, u32 context)
Definition: ipsec_api.c:527
vl_api_ipsec_sad_entry_t entry
Definition: ipsec.api:422
static void send_ipsec_spd_details(ipsec_policy_t *p, vl_api_registration_t *reg, u32 context)
Definition: ipsec_api.c:454
vl_api_interface_index_t sw_if_index
Definition: ipsec.api:424
static void vl_api_ipsec_spd_entry_add_del_t_handler(vl_api_ipsec_spd_entry_add_del_t *mp)
Definition: ipsec_api.c:260
ipsec_policy_t * policies
Definition: ipsec.h:109
Dump IPsec security association.
Definition: ipsec.api:387
ipsec_sa_t * sad
Definition: ipsec.h:107
u32 fib_table_get_table_id(u32 fib_index, fib_protocol_t proto)
Get the Table-ID of the FIB from protocol and index.
Definition: fib_table.c:1086
static ipsec_tun_protect_t * ipsec_tun_protect_get(u32 index)
Definition: ipsec_tun.h:152
int ipsec_tun_protect_update_in(u32 sw_if_index, const ip_address_t *nh, u32 sa_in)
Definition: ipsec_tun.c:539
vl_api_ipsec_integ_alg_t ipsec_integ_algo_encode(ipsec_integ_alg_t i)
u32 * policies[IPSEC_SPD_POLICY_N_TYPES]
vectors for each of the policy types
Definition: ipsec_spd.h:51
ipsec_sa_flags_t ipsec_sa_flags_decode(vl_api_ipsec_sad_flags_t in)
vl_api_interface_index_t sw_if_index
Definition: ipsec.api:379
Dump ipsec policy database data.
Definition: ipsec.api:168
u32 stat_index
Definition: ipsec.api:139
ipsec_protocol_t protocol
Definition: ipsec_sa.h:165
static void vl_api_ipsec_tunnel_protect_update_t_handler(vl_api_ipsec_tunnel_protect_update_t *mp)
Definition: ipsec_api.c:114
static void send_ipsec_spds_details(ipsec_spd_t *spd, vl_api_registration_t *reg, u32 context)
Definition: ipsec_api.c:396
u32 sw_if_index
Definition: ipip.h:86
static vlib_main_t * vlib_get_main(void)
Definition: global_funcs.h:23
IPsec policy database response.
Definition: ipsec.api:181
IPsec: Get SPD interfaces.
Definition: ipsec.api:295
vl_api_ipsec_spd_entry_t entry
Definition: ipsec.api:183
typedef key
Definition: ipsec_types.api:85
vl_api_ipsec_spd_entry_t entry
Definition: ipsec.api:126
struct ipsec_dump_walk_ctx_t_ ipsec_dump_walk_ctx_t
static walk_rc_t send_ipsec_sa_details(ipsec_sa_t *sa, void *arg)
Definition: ipsec_api.c:774
static u32 ipsec_tun_mk_output_sa_id(u32 ti)
Definition: ipsec_api.c:587
ip46_address_range_t raddr
u64 uword
Definition: types.h:112
ipsec_crypto_alg_t
Definition: ipsec_sa.h:37
int ipip_del_tunnel(u32 sw_if_index)
Definition: ipip.c:761
int ipsec_set_interface_spd(vlib_main_t *vm, u32 sw_if_index, u32 spd_id, int is_add)
Bind/attach a SPD to an interface.
Definition: ipsec_spd.c:63
void ip_address_encode(const ip46_address_t *in, ip46_type_t type, vl_api_address_t *out)
Definition: ip_types_api.c:194
u32 id
the User&#39;s ID for this policy
Definition: ipsec_spd.h:49
static api_main_t * vlibapi_get_main(void)
Definition: api_common.h:379
vl_api_registration_t * reg
Definition: ipsec_api.c:171
ipsec_crypto_alg_t crypto_alg
Definition: ipsec_sa.h:167
port_range_t lport
int ipsec_add_del_spd(vlib_main_t *vm, u32 spd_id, int is_add)
Add/Delete a SPD.
Definition: ipsec_spd.c:20
static clib_error_t * ipsec_api_hookup(vlib_main_t *vm)
Definition: ipsec_api.c:993
#define foreach_ipsec_spd_policy_type
Definition: ipsec_spd.h:20
static void vl_api_ipsec_tunnel_protect_del_t_handler(vl_api_ipsec_tunnel_protect_del_t *mp)
Definition: ipsec_api.c:145
#define vec_foreach(var, vec)
Vector iterator.
ip_address_t * itp_key
Definition: ipsec_tun.h:82
static walk_rc_t send_ipsec_tunnel_protect_details(index_t itpi, void *arg)
Definition: ipsec_api.c:176
static void vl_api_ipsec_select_backend_t_handler(vl_api_ipsec_select_backend_t *mp)
Definition: ipsec_api.c:936
IPsec security association database response.
Definition: ipsec.api:420
ipsec_esp_backend_t * esp_backends
Definition: ipsec.h:168
int ipsec_crypto_algo_decode(vl_api_ipsec_crypto_alg_t in, ipsec_crypto_alg_t *out)
ipsec_key_t integ_key
Definition: ipsec_sa.h:172
#define IPSEC_UDP_PORT_NONE
Definition: ipsec_sa.h:277
Add or delete IPsec tunnel interface.
Definition: ipsec.api:344
#define ip46_address_initializer
Definition: ip46_address.h:52
int ipsec_proto_decode(vl_api_ipsec_proto_t in, ipsec_protocol_t *out)
Encode/decode function from/to API to internal types.
#define VALIDATE_SW_IF_INDEX(mp)
ip46_type_t
Definition: ip46_address.h:22
vl_api_interface_index_t sw_if_index
Definition: ipsec.api:310
u32 stat_index
Definition: ipsec.api:202
int ipsec_tun_protect_update(u32 sw_if_index, const ip_address_t *nh, u32 sa_out, u32 *sas_in)
Definition: ipsec_tun.c:598
static void vl_api_ipsec_sad_entry_add_del_t_handler(vl_api_ipsec_sad_entry_add_del_t *mp)
Definition: ipsec_api.c:329
void ipsec_key_encode(const ipsec_key_t *in, vl_api_key_t *out)
static uword pool_elts(void *v)
Number of active elements in a pool.
Definition: pool.h:128