45 &sw_if_index, &spd_id))
47 else if (
unformat (line_input,
"del"))
66 .path =
"set interface ipsec spd",
68 "set interface ipsec spd <int> <id>",
79 ip46_address_t tun_src = { }, tun_dst =
96 flags = IPSEC_SA_FLAG_NONE;
98 integ_alg = IPSEC_INTEG_ALG_NONE;
99 crypto_alg = IPSEC_CRYPTO_ALG_NONE;
107 if (
unformat (line_input,
"add %u", &
id))
109 else if (
unformat (line_input,
"del %u", &
id))
111 else if (
unformat (line_input,
"spi %u", &spi))
113 else if (
unformat (line_input,
"salt 0x%x", &salt))
115 else if (
unformat (line_input,
"esp"))
117 else if (
unformat (line_input,
"ah"))
119 else if (
unformat (line_input,
"crypto-key %U",
122 else if (
unformat (line_input,
"crypto-alg %U",
127 else if (
unformat (line_input,
"integ-alg %U",
130 else if (
unformat (line_input,
"tunnel-src %U",
133 flags |= IPSEC_SA_FLAG_IS_TUNNEL;
135 flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
137 else if (
unformat (line_input,
"tunnel-dst %U",
140 else if (
unformat (line_input,
"udp-encap"))
141 flags |= IPSEC_SA_FLAG_UDP_ENCAP;
152 &ck, integ_alg, &ik, flags,
153 0, clib_host_to_net_u32 (salt),
154 &tun_src, &tun_dst, &sai, udp_src, udp_dst);
171 "ipsec sa [add|del]",
193 else if (
unformat (line_input,
"del"))
195 else if (
unformat (line_input,
"%u", &spd_id))
223 "ipsec spd [add|del] <id>",
237 u32 tmp, tmp2, stat_index, local_range_set, remote_range_set;
243 remote_range_set = local_range_set = is_outbound = 0;
252 else if (
unformat (line_input,
"del"))
254 else if (
unformat (line_input,
"ip6"))
256 else if (
unformat (line_input,
"spd %u", &p.
id))
258 else if (
unformat (line_input,
"inbound"))
260 else if (
unformat (line_input,
"outbound"))
264 else if (
unformat (line_input,
"protocol %u", &tmp))
271 if (p.
policy == IPSEC_POLICY_ACTION_RESOLVE)
279 else if (
unformat (line_input,
"local-ip-range %U - %U",
283 else if (
unformat (line_input,
"remote-ip-range %U - %U",
286 remote_range_set = 1;
287 else if (
unformat (line_input,
"local-ip-range %U - %U",
294 else if (
unformat (line_input,
"remote-ip-range %U - %U",
299 remote_range_set = 1;
301 else if (
unformat (line_input,
"local-port-range %u - %u", &tmp, &tmp2))
307 if (
unformat (line_input,
"remote-port-range %u - %u", &tmp, &tmp2))
320 if (!remote_range_set)
327 if (!local_range_set)
340 " outboud:%s %s action:%U",
341 (is_outbound ?
"yes" :
"no"),
362 .path =
"ipsec policy",
364 "ipsec policy [add|del] spd <id> priority <n> ",
376 vlib_cli_output(vm,
"%U", format_ipsec_sa, sai,
377 (detail ? IPSEC_FORMAT_DETAIL : IPSEC_FORMAT_BRIEF));
389 vlib_cli_output(vm,
"%U", format_ipsec_spd, spdi);
404 spd = pool_elt_at_index (im->spds, spd_id);
405 vlib_cli_output (vm,
" %d -> %U", spd->id,
406 format_vnet_sw_if_index_name, im->vnet_main,
445 .path =
"show ipsec all",
446 .short_help =
"show ipsec all",
514 .path =
"show ipsec sa",
515 .short_help =
"show ipsec sa [index]",
520 .path =
"clear ipsec sa",
521 .short_help =
"clear ipsec sa [index]",
531 u8 show_bindings = 0;
538 else if (
unformat (input,
"bindings"))
556 .path =
"show ipsec spd",
557 .short_help =
"show ipsec spd [index]",
574 .path =
"show ipsec tunnel",
575 .short_help =
"show ipsec tunnel",
588 (void)
unformat (input,
"verbose %u", &verbose);
591 u8 *s =
format (NULL,
"%=25s %=25s %=10s\n",
"Name",
"Index",
"Active");
595 s = format (s,
"%=25s %=25u %=10s\n", ab->name, ab - im->ah_backends,
596 ab - im->ah_backends == im->ah_current_backend ?
"yes" :
"no");
599 n = vlib_get_node (vm, ab->ah4_encrypt_node_index);
600 s = format (s,
" enc4 %s (next %d)\n", n->name, ab->ah4_encrypt_next_index);
601 n = vlib_get_node (vm, ab->ah4_decrypt_node_index);
602 s = format (s,
" dec4 %s (next %d)\n", n->name, ab->ah4_decrypt_next_index);
603 n = vlib_get_node (vm, ab->ah6_encrypt_node_index);
604 s = format (s,
" enc6 %s (next %d)\n", n->name, ab->ah6_encrypt_next_index);
605 n = vlib_get_node (vm, ab->ah6_decrypt_node_index);
606 s = format (s,
" dec6 %s (next %d)\n", n->name, ab->ah6_decrypt_next_index);
613 s =
format (s,
"%=25s %=25s %=10s\n",
"Name",
"Index",
"Active");
617 s = format (s,
"%=25s %=25u %=10s\n", eb->name, eb - im->esp_backends,
618 eb - im->esp_backends == im->esp_current_backend ?
"yes" 622 n = vlib_get_node (vm, eb->esp4_encrypt_node_index);
623 s = format (s,
" enc4 %s (next %d)\n", n->name, eb->esp4_encrypt_next_index);
624 n = vlib_get_node (vm, eb->esp4_decrypt_node_index);
625 s = format (s,
" dec4 %s (next %d)\n", n->name, eb->esp4_decrypt_next_index);
626 n = vlib_get_node (vm, eb->esp6_encrypt_node_index);
627 s = format (s,
" enc6 %s (next %d)\n", n->name, eb->esp6_encrypt_next_index);
628 n = vlib_get_node (vm, eb->esp6_decrypt_node_index);
629 s = format (s,
" dec6 %s (next %d)\n", n->name, eb->esp6_decrypt_next_index);
641 .path =
"show ipsec backends",
642 .short_help =
"show ipsec backends",
668 if (
unformat (line_input,
"%u", &backend_index))
682 else if (
unformat (line_input,
"esp"))
684 if (
unformat (line_input,
"%u", &backend_index))
709 .path =
"ipsec select backend",
710 .short_help =
"ipsec select backend <ah|esp> <backend index>",
729 .path =
"clear ipsec counters",
730 .short_help =
"clear ipsec counters",
738 return (0x80000000 | ti);
744 return (0xc0000000 | ti);
773 flags = IPSEC_SA_FLAG_NONE;
796 else if (
unformat (line_input,
"local-spi %u", &local_spi))
798 else if (
unformat (line_input,
"remote-spi %u", &remote_spi))
800 else if (
unformat (line_input,
"salt 0x%x", &salt))
802 else if (
unformat (line_input,
"udp-encap"))
803 flags |= IPSEC_SA_FLAG_UDP_ENCAP;
804 else if (
unformat (line_input,
"use-esn"))
805 flags |= IPSEC_SA_FLAG_USE_ESN;
806 else if (
unformat (line_input,
"use-anti-replay"))
807 flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
808 else if (
unformat (line_input,
"instance %u", &instance))
810 else if (
unformat (line_input,
"tx-table %u", &table_id))
820 else if (
unformat (line_input,
"crypto-alg %U",
831 else if (
unformat (line_input,
"integ-alg %U",
834 else if (
unformat (line_input,
"del"))
852 if (ipv4_set && ipv6_set)
859 rv = VNET_API_ERROR_NO_SUCH_FIB;
871 instance, &local_ip, &remote_ip, fib_index,
872 TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
873 TUNNEL_MODE_P2P, &sw_if_index);
877 &lck, integ_alg, &lik, flags, table_id,
878 clib_host_to_net_u32 (salt), &local_ip,
884 &rck, integ_alg, &rik,
885 (flags | IPSEC_SA_FLAG_IS_INBOUND), table_id,
886 clib_host_to_net_u32 (salt), &remote_ip,
902 case VNET_API_ERROR_INVALID_VALUE:
904 "IPSec tunnel interface already exists...");
920 .path =
"create ipsec tunnel",
921 .short_help =
"create ipsec tunnel local-ip <addr> local-spi <spi> " 922 "remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap] [use-esn] [use-anti-replay] " 923 "[tx-table <table-id>]",
948 else if (
unformat (line_input,
"add"))
950 else if (
unformat (line_input,
"sa-in %d", &sa_in))
952 else if (
unformat (line_input,
"sa-out %d", &sa_out))
954 else if (
unformat (line_input,
"%U",
977 .path =
"ipsec tunnel protect",
979 .short_help =
"ipsec tunnel protect <interface> input-sa <SA> output-sa <SA>",
1000 .path =
"show ipsec protect",
1002 .short_help =
"show ipsec protect",
1015 ipsec4_tunnel_key_t
key;
1022 vlib_cli_output (vm,
" %U", format_ipsec4_tunnel_key, &key);
1023 vlib_cli_output (vm,
" tun:%d sa:%d", value.tun_index, value.sa_index);
1030 ipsec6_tunnel_key_t *
key;
1037 vlib_cli_output (vm,
" %U", format_ipsec6_tunnel_key, key);
1038 vlib_cli_output (vm,
" tun:%d sa:%d", value.tun_index, value.sa_index);
1052 .path =
"show ipsec protect-hash",
1054 .short_help =
"show ipsec protect-hash",
1071 int async_enable = 0;
1080 else if (
unformat (line_input,
"off"))
1096 .path =
"set ipsec async mode",
1097 .short_help =
"set ipsec async mode on|off",
static clib_error_t * ipsec_select_backend_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
uword * tun6_protect_by_key
static u32 ipsec_tun_mk_local_sa_id(u32 ti)
vnet_main_t * vnet_get_main(void)
ip46_address_range_t laddr
static clib_error_t * show_ipsec_spd_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
int ipsec_policy_mk_type(bool is_outbound, bool is_ipv6, ipsec_policy_action_t action, ipsec_spd_policy_type_t *type)
void vnet_crypto_request_async_mode(int is_enable)
static clib_error_t * create_ipsec_tunnel_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets are they are swit...
#define vec_add1(V, E)
Add 1 element to end of vector (unspecified alignment).
void ipsec_sa_clear(index_t sai)
int ipsec_select_ah_backend(ipsec_main_t *im, u32 backend_idx)
unformat_function_t unformat_vnet_sw_interface
A Secruity Policy Database.
int ipsec_sa_add_and_lock(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, u32 *sa_out_index, u16 src_port, u16 dst_port)
int ipip_add_tunnel(ipip_transport_t transport, u32 instance, ip46_address_t *src, ip46_address_t *dst, u32 fib_index, tunnel_encap_decap_flags_t flags, ip_dscp_t dscp, tunnel_mode_t tmode, u32 *sw_if_indexp)
static u8 ip46_address_is_ip4(const ip46_address_t *ip46)
void ipsec_tun_protect_walk(ipsec_tun_protect_walk_cb_t fn, void *ctx)
static void ipsec_tunnel_show_all(vlib_main_t *vm)
uword * spd_index_by_sw_if_index
enum walk_rc_t_ walk_rc_t
Walk return code.
void vlib_clear_combined_counters(vlib_combined_counter_main_t *cm)
Clear a collection of combined counters.
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
vl_api_interface_index_t sw_if_index
#define VLIB_INIT_FUNCTION(x)
int ipsec_select_esp_backend(ipsec_main_t *im, u32 backend_idx)
#define hash_foreach(key_var, value_var, h, body)
#define clib_error_return(e, args...)
int ipsec_sa_unlock_id(u32 id)
u32 fib_table_find(fib_protocol_t proto, u32 table_id)
Get the index of the FIB for a Table-ID.
static clib_error_t * ipsec_tun_protect_show(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
vlib_combined_counter_main_t ipsec_spd_policy_counters
Policy packet & bytes counters.
static clib_error_t * ipsec_policy_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_add_del_policy(vlib_main_t *vm, ipsec_policy_t *policy, int is_add, u32 *stat_index)
Add/Delete a SPD.
static clib_error_t * set_interface_spd_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static clib_error_t * set_async_mode_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
clib_error_t * ipsec_rsc_in_use(ipsec_main_t *im)
static clib_error_t * ipsec_show_backends_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ipsec_spd_policy_type_t type
uword unformat_ip_address(unformat_input_t *input, va_list *args)
#define hash_foreach_mem(key_var, value_var, h, body)
#define IP_ADDRESS_V4_ALL_0S
static void ipsec_spd_bindings_show_all(vlib_main_t *vm, ipsec_main_t *im)
static clib_error_t * clear_ipsec_counters_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_tun_protect_update_one(u32 sw_if_index, const ip_address_t *nh, u32 sa_out, u32 sa_in)
static void ipsec_sa_show_all(vlib_main_t *vm, ipsec_main_t *im, u8 detail)
ipsec_ah_backend_t * ah_backends
clib_error_t * ipsec_cli_init(vlib_main_t *vm)
#define vec_free(V)
Free vector's memory (no header).
static clib_error_t * clear_ipsec_sa_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ipsec_policy_action_t policy
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
#define pool_is_free_index(P, I)
Use free bitmap to query whether given index is free.
#define VLIB_CLI_COMMAND(x,...)
static void ipsec_spd_show_all(vlib_main_t *vm, ipsec_main_t *im)
vlib_combined_counter_main_t ipsec_sa_counters
SA packet & bytes counters.
void ipsec_set_async_mode(u32 is_enabled)
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
static clib_error_t * show_ipsec_sa_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static clib_error_t * ipsec_tun_protect_cmd(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ip46_address_range_t raddr
static fib_protocol_t fib_ip_proto(bool is_ip6)
Convert from boolean is_ip6 to FIB protocol.
static u32 ipsec_tun_mk_remote_sa_id(u32 ti)
static clib_error_t * show_ipsec_tunnel_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static clib_error_t * ipsec_sa_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_set_interface_spd(vlib_main_t *vm, u32 sw_if_index, u32 spd_id, int is_add)
Bind/attach a SPD to an interface.
static clib_error_t * ipsec_tun_protect_hash_show(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_add_del_spd(vlib_main_t *vm, u32 spd_id, int is_add)
Add/Delete a SPD.
static clib_error_t * show_ipsec_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static walk_rc_t ipsec_tun_protect_show_one(index_t itpi, void *ctx)
#define pool_foreach_index(i, v, body)
Iterate pool by index.
static clib_error_t * ipsec_spd_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
#define IPSEC_UDP_PORT_NONE
#define ip46_address_initializer
uword * tun4_protect_by_key
int ipsec_tun_protect_update(u32 sw_if_index, const ip_address_t *nh, u32 sa_out, u32 *sas_in)