FD.io VPP  v21.01.1
Vector Packet Processing
ipsec_cli.c
Go to the documentation of this file.
1 /*
2  * decap.c : IPSec tunnel support
3  *
4  * Copyright (c) 2015 Cisco and/or its affiliates.
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/interface.h>
22 #include <vnet/fib/fib.h>
23 #include <vnet/ipip/ipip.h>
24 
25 #include <vnet/ipsec/ipsec.h>
26 #include <vnet/ipsec/ipsec_tun.h>
27 
28 static clib_error_t *
29 set_interface_spd_command_fn (vlib_main_t * vm,
30  unformat_input_t * input,
31  vlib_cli_command_t * cmd)
32 {
33  unformat_input_t _line_input, *line_input = &_line_input;
34  ipsec_main_t *im = &ipsec_main;
35  u32 sw_if_index = (u32) ~ 0;
36  u32 spd_id;
37  int is_add = 1;
38  clib_error_t *error = NULL;
39  int err;
40 
41  if (!unformat_user (input, unformat_line_input, line_input))
42  return 0;
43 
44  if (unformat
45  (line_input, "%U %u", unformat_vnet_sw_interface, im->vnet_main,
46  &sw_if_index, &spd_id))
47  ;
48  else if (unformat (line_input, "del"))
49  is_add = 0;
50  else
51  {
52  error = clib_error_return (0, "parse error: '%U'",
53  format_unformat_error, line_input);
54  goto done;
55  }
56 
57  err = ipsec_set_interface_spd (vm, sw_if_index, spd_id, is_add);
58  switch (err)
59  {
60  case VNET_API_ERROR_SYSCALL_ERROR_1:
61  error = clib_error_return (0, "no such spd-id");
62  break;
63  case VNET_API_ERROR_SYSCALL_ERROR_2:
64  error = clib_error_return (0, "spd already assigned");
65  break;
66  }
67 
68 done:
69  unformat_free (line_input);
70 
71  return error;
72 }
73 
74 /* *INDENT-OFF* */
75 VLIB_CLI_COMMAND (set_interface_spd_command, static) = {
76  .path = "set interface ipsec spd",
77  .short_help =
78  "set interface ipsec spd <int> <id>",
79  .function = set_interface_spd_command_fn,
80 };
81 /* *INDENT-ON* */
82 
83 static clib_error_t *
84 ipsec_sa_add_del_command_fn (vlib_main_t * vm,
85  unformat_input_t * input,
86  vlib_cli_command_t * cmd)
87 {
88  unformat_input_t _line_input, *line_input = &_line_input;
89  ip46_address_t tun_src = { }, tun_dst =
90  {
91  };
92  ipsec_crypto_alg_t crypto_alg;
93  ipsec_integ_alg_t integ_alg;
94  ipsec_protocol_t proto;
95  ipsec_sa_flags_t flags;
96  clib_error_t *error;
97  ipsec_key_t ck = { 0 };
98  ipsec_key_t ik = { 0 };
99  u32 id, spi, salt, sai;
100  u16 udp_src, udp_dst;
101  int is_add, rv;
102  u32 m_args = 0;
103  ip_dscp_t dscp;
104  u32 tx_table_id;
105 
106  salt = 0;
107  error = NULL;
108  is_add = 0;
109  flags = IPSEC_SA_FLAG_NONE;
110  proto = IPSEC_PROTOCOL_ESP;
111  integ_alg = IPSEC_INTEG_ALG_NONE;
112  crypto_alg = IPSEC_CRYPTO_ALG_NONE;
113  udp_src = udp_dst = IPSEC_UDP_PORT_NONE;
114  dscp = IP_DSCP_CS0;
115  tx_table_id = 0;
116 
117  if (!unformat_user (input, unformat_line_input, line_input))
118  return 0;
119 
120  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
121  {
122  if (unformat (line_input, "add %u", &id))
123  {
124  is_add = 1;
125  m_args |= 1 << 0;
126  }
127  else if (unformat (line_input, "del %u", &id))
128  {
129  is_add = 0;
130  m_args |= 1 << 0;
131  }
132  else if (unformat (line_input, "spi %u", &spi))
133  m_args |= 1 << 1;
134  else if (unformat (line_input, "salt 0x%x", &salt))
135  ;
136  else if (unformat (line_input, "esp"))
137  proto = IPSEC_PROTOCOL_ESP;
138  else if (unformat (line_input, "ah"))
139  proto = IPSEC_PROTOCOL_AH;
140  else if (unformat (line_input, "crypto-key %U",
141  unformat_ipsec_key, &ck))
142  ;
143  else if (unformat (line_input, "crypto-alg %U",
144  unformat_ipsec_crypto_alg, &crypto_alg))
145  ;
146  else if (unformat (line_input, "integ-key %U", unformat_ipsec_key, &ik))
147  ;
148  else if (unformat (line_input, "integ-alg %U",
149  unformat_ipsec_integ_alg, &integ_alg))
150  ;
151  else if (unformat (line_input, "tunnel-src %U",
152  unformat_ip46_address, &tun_src, IP46_TYPE_ANY))
153  {
154  flags |= IPSEC_SA_FLAG_IS_TUNNEL;
155  if (!ip46_address_is_ip4 (&tun_src))
156  flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
157  }
158  else if (unformat (line_input, "tunnel-dst %U",
159  unformat_ip46_address, &tun_dst, IP46_TYPE_ANY))
160  ;
161  else if (unformat (line_input, "tx-table-id %d", &tx_table_id))
162  ;
163  else if (unformat (line_input, "inbound"))
164  flags |= IPSEC_SA_FLAG_IS_INBOUND;
165  else if (unformat (line_input, "use-anti-replay"))
166  flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
167  else if (unformat (line_input, "use-esn"))
168  flags |= IPSEC_SA_FLAG_USE_ESN;
169  else if (unformat (line_input, "udp-encap"))
170  flags |= IPSEC_SA_FLAG_UDP_ENCAP;
171  else
172  {
173  error = clib_error_return (0, "parse error: '%U'",
174  format_unformat_error, line_input);
175  goto done;
176  }
177  }
178  if ((flags & IPSEC_SA_FLAG_IS_INBOUND)
179  && !(flags & IPSEC_SA_FLAG_IS_TUNNEL))
180  {
181  error = clib_error_return (0, "inbound specified on non-tunnel SA");
182  goto done;
183  }
184 
185  if (!(m_args & 1))
186  {
187  error = clib_error_return (0, "missing id");
188  goto done;
189  }
190 
191  if (is_add)
192  {
193  if (!(m_args & 2))
194  {
195  error = clib_error_return (0, "missing spi");
196  goto done;
197  }
198  rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg,
199  &ck, integ_alg, &ik, flags,
200  tx_table_id, clib_host_to_net_u32 (salt),
201  &tun_src, &tun_dst,
202  TUNNEL_ENCAP_DECAP_FLAG_NONE, dscp,
203  &sai, udp_src, udp_dst);
204  }
205  else
206  {
207  rv = ipsec_sa_unlock_id (id);
208  }
209 
210  if (rv)
211  error = clib_error_return (0, "failed");
212 
213 done:
214  unformat_free (line_input);
215 
216  return error;
217 }
218 
219 /* *INDENT-OFF* */
220 VLIB_CLI_COMMAND (ipsec_sa_add_del_command, static) = {
221  .path = "ipsec sa",
222  .short_help =
223  "ipsec sa [add|del]",
224  .function = ipsec_sa_add_del_command_fn,
225 };
226 /* *INDENT-ON* */
227 
228 static clib_error_t *
229 ipsec_spd_add_del_command_fn (vlib_main_t * vm,
230  unformat_input_t * input,
231  vlib_cli_command_t * cmd)
232 {
233  unformat_input_t _line_input, *line_input = &_line_input;
234  u32 spd_id = ~0;
235  int is_add = ~0;
236  clib_error_t *error = NULL;
237 
238  if (!unformat_user (input, unformat_line_input, line_input))
239  return 0;
240 
241  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
242  {
243  if (unformat (line_input, "add"))
244  is_add = 1;
245  else if (unformat (line_input, "del"))
246  is_add = 0;
247  else if (unformat (line_input, "%u", &spd_id))
248  ;
249  else
250  {
251  error = clib_error_return (0, "parse error: '%U'",
252  format_unformat_error, line_input);
253  goto done;
254  }
255  }
256 
257  if (spd_id == ~0)
258  {
259  error = clib_error_return (0, "please specify SPD ID");
260  goto done;
261  }
262 
263  ipsec_add_del_spd (vm, spd_id, is_add);
264 
265 done:
266  unformat_free (line_input);
267 
268  return error;
269 }
270 
271 /* *INDENT-OFF* */
272 VLIB_CLI_COMMAND (ipsec_spd_add_del_command, static) = {
273  .path = "ipsec spd",
274  .short_help =
275  "ipsec spd [add|del] <id>",
276  .function = ipsec_spd_add_del_command_fn,
277 };
278 /* *INDENT-ON* */
279 
280 
281 static clib_error_t *
282 ipsec_policy_add_del_command_fn (vlib_main_t * vm,
283  unformat_input_t * input,
284  vlib_cli_command_t * cmd)
285 {
286  unformat_input_t _line_input, *line_input = &_line_input;
287  ipsec_policy_t p;
288  int rv, is_add = 0;
289  u32 tmp, tmp2, stat_index, local_range_set, remote_range_set;
290  clib_error_t *error = NULL;
291  u32 is_outbound;
292 
293  clib_memset (&p, 0, sizeof (p));
294  p.lport.stop = p.rport.stop = ~0;
295  remote_range_set = local_range_set = is_outbound = 0;
296 
297  if (!unformat_user (input, unformat_line_input, line_input))
298  return 0;
299 
300  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
301  {
302  if (unformat (line_input, "add"))
303  is_add = 1;
304  else if (unformat (line_input, "del"))
305  is_add = 0;
306  else if (unformat (line_input, "ip6"))
307  p.is_ipv6 = 1;
308  else if (unformat (line_input, "spd %u", &p.id))
309  ;
310  else if (unformat (line_input, "inbound"))
311  is_outbound = 0;
312  else if (unformat (line_input, "outbound"))
313  is_outbound = 1;
314  else if (unformat (line_input, "priority %d", &p.priority))
315  ;
316  else if (unformat (line_input, "protocol %u", &tmp))
317  p.protocol = (u8) tmp;
318  else
319  if (unformat
320  (line_input, "action %U", unformat_ipsec_policy_action,
321  &p.policy))
322  {
323  if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
324  {
325  error = clib_error_return (0, "unsupported action: 'resolve'");
326  goto done;
327  }
328  }
329  else if (unformat (line_input, "sa %u", &p.sa_id))
330  ;
331  else if (unformat (line_input, "local-ip-range %U - %U",
332  unformat_ip4_address, &p.laddr.start.ip4,
333  unformat_ip4_address, &p.laddr.stop.ip4))
334  local_range_set = 1;
335  else if (unformat (line_input, "remote-ip-range %U - %U",
336  unformat_ip4_address, &p.raddr.start.ip4,
337  unformat_ip4_address, &p.raddr.stop.ip4))
338  remote_range_set = 1;
339  else if (unformat (line_input, "local-ip-range %U - %U",
340  unformat_ip6_address, &p.laddr.start.ip6,
341  unformat_ip6_address, &p.laddr.stop.ip6))
342  {
343  p.is_ipv6 = 1;
344  local_range_set = 1;
345  }
346  else if (unformat (line_input, "remote-ip-range %U - %U",
347  unformat_ip6_address, &p.raddr.start.ip6,
348  unformat_ip6_address, &p.raddr.stop.ip6))
349  {
350  p.is_ipv6 = 1;
351  remote_range_set = 1;
352  }
353  else if (unformat (line_input, "local-port-range %u - %u", &tmp, &tmp2))
354  {
355  p.lport.start = tmp;
356  p.lport.stop = tmp2;
357  }
358  else
359  if (unformat (line_input, "remote-port-range %u - %u", &tmp, &tmp2))
360  {
361  p.rport.start = tmp;
362  p.rport.stop = tmp2;
363  }
364  else
365  {
366  error = clib_error_return (0, "parse error: '%U'",
367  format_unformat_error, line_input);
368  goto done;
369  }
370  }
371 
372  if (!remote_range_set)
373  {
374  if (p.is_ipv6)
375  clib_memset (&p.raddr.stop.ip6, 0xff, 16);
376  else
377  clib_memset (&p.raddr.stop.ip4, 0xff, 4);
378  }
379  if (!local_range_set)
380  {
381  if (p.is_ipv6)
382  clib_memset (&p.laddr.stop.ip6, 0xff, 16);
383  else
384  clib_memset (&p.laddr.stop.ip4, 0xff, 4);
385  }
386 
387  rv = ipsec_policy_mk_type (is_outbound, p.is_ipv6, p.policy, &p.type);
388 
389  if (rv)
390  {
391  error = clib_error_return (0, "unsupported policy type for:",
392  " outboud:%s %s action:%U",
393  (is_outbound ? "yes" : "no"),
394  (p.is_ipv6 ? "IPv4" : "IPv6"),
395  format_ipsec_policy_action, p.policy);
396  goto done;
397  }
398 
399  rv = ipsec_add_del_policy (vm, &p, is_add, &stat_index);
400 
401  if (!rv)
402  vlib_cli_output (vm, "policy-index:%d", stat_index);
403  else
404  vlib_cli_output (vm, "error:%d", rv);
405 
406 done:
407  unformat_free (line_input);
408 
409  return error;
410 }
411 
412 /* *INDENT-OFF* */
413 VLIB_CLI_COMMAND (ipsec_policy_add_del_command, static) = {
414  .path = "ipsec policy",
415  .short_help =
416  "ipsec policy [add|del] spd <id> priority <n> ",
417  .function = ipsec_policy_add_del_command_fn,
418 };
419 /* *INDENT-ON* */
420 
421 static void
422 ipsec_sa_show_all (vlib_main_t * vm, ipsec_main_t * im, u8 detail)
423 {
424  u32 sai;
425 
426  /* *INDENT-OFF* */
427  pool_foreach_index (sai, im->sad) {
428  vlib_cli_output(vm, "%U", format_ipsec_sa, sai,
429  (detail ? IPSEC_FORMAT_DETAIL : IPSEC_FORMAT_BRIEF));
430  }
431  /* *INDENT-ON* */
432 }
433 
434 static void
435 ipsec_spd_show_all (vlib_main_t * vm, ipsec_main_t * im)
436 {
437  u32 spdi;
438 
439  /* *INDENT-OFF* */
440  pool_foreach_index (spdi, im->spds) {
441  vlib_cli_output(vm, "%U", format_ipsec_spd, spdi);
442  }
443  /* *INDENT-ON* */
444 }
445 
446 static void
447 ipsec_spd_bindings_show_all (vlib_main_t * vm, ipsec_main_t * im)
448 {
449  u32 spd_id, sw_if_index;
450  ipsec_spd_t *spd;
451 
452  vlib_cli_output (vm, "SPD Bindings:");
453 
454  /* *INDENT-OFF* */
455  hash_foreach(sw_if_index, spd_id, im->spd_index_by_sw_if_index, ({
456  spd = pool_elt_at_index (im->spds, spd_id);
457  vlib_cli_output (vm, " %d -> %U", spd->id,
458  format_vnet_sw_if_index_name, im->vnet_main,
459  sw_if_index);
460  }));
461  /* *INDENT-ON* */
462 }
463 
464 static walk_rc_t
465 ipsec_tun_protect_show_one (index_t itpi, void *ctx)
466 {
467  vlib_cli_output (ctx, "%U", format_ipsec_tun_protect_index, itpi);
468 
469  return (WALK_CONTINUE);
470 }
471 
472 static void
473 ipsec_tunnel_show_all (vlib_main_t * vm)
474 {
475  ipsec_tun_protect_walk (ipsec_tun_protect_show_one, vm);
476 }
477 
478 static clib_error_t *
479 show_ipsec_command_fn (vlib_main_t * vm,
480  unformat_input_t * input, vlib_cli_command_t * cmd)
481 {
482  ipsec_main_t *im = &ipsec_main;
483 
484  ipsec_sa_show_all (vm, im, 0);
485  ipsec_spd_show_all (vm, im);
486  ipsec_spd_bindings_show_all (vm, im);
487  ipsec_tun_protect_walk (ipsec_tun_protect_show_one, vm);
488 
489  vlib_cli_output (vm, "IPSec async mode: %s",
490  (im->async_mode ? "on" : "off"));
491 
492  return 0;
493 }
494 
495 /* *INDENT-OFF* */
496 VLIB_CLI_COMMAND (show_ipsec_command, static) = {
497  .path = "show ipsec all",
498  .short_help = "show ipsec all",
499  .function = show_ipsec_command_fn,
500 };
501 /* *INDENT-ON* */
502 
503 static clib_error_t *
504 show_ipsec_sa_command_fn (vlib_main_t * vm,
505  unformat_input_t * input, vlib_cli_command_t * cmd)
506 {
507  ipsec_main_t *im = &ipsec_main;
508  u32 sai = ~0;
509  u8 detail = 0;
510 
511  while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
512  {
513  if (unformat (input, "%u", &sai))
514  ;
515  if (unformat (input, "detail"))
516  detail = 1;
517  else
518  break;
519  }
520 
521  if (~0 == sai)
522  ipsec_sa_show_all (vm, im, detail);
523  else
524  vlib_cli_output (vm, "%U", format_ipsec_sa, sai,
525  IPSEC_FORMAT_DETAIL | IPSEC_FORMAT_INSECURE);
526 
527  return 0;
528 }
529 
530 static clib_error_t *
531 clear_ipsec_sa_command_fn (vlib_main_t * vm,
532  unformat_input_t * input, vlib_cli_command_t * cmd)
533 {
534  ipsec_main_t *im = &ipsec_main;
535  u32 sai = ~0;
536 
537  while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
538  {
539  if (unformat (input, "%u", &sai))
540  ;
541  else
542  break;
543  }
544 
545  if (~0 == sai)
546  {
547  /* *INDENT-OFF* */
548  pool_foreach_index (sai, im->sad) {
549  ipsec_sa_clear(sai);
550  }
551  /* *INDENT-ON* */
552  }
553  else
554  {
555  if (pool_is_free_index (im->sad, sai))
556  return clib_error_return (0, "unknown SA index: %d", sai);
557  else
558  ipsec_sa_clear (sai);
559  }
560 
561  return 0;
562 }
563 
564 /* *INDENT-OFF* */
565 VLIB_CLI_COMMAND (show_ipsec_sa_command, static) = {
566  .path = "show ipsec sa",
567  .short_help = "show ipsec sa [index]",
568  .function = show_ipsec_sa_command_fn,
569 };
570 
571 VLIB_CLI_COMMAND (clear_ipsec_sa_command, static) = {
572  .path = "clear ipsec sa",
573  .short_help = "clear ipsec sa [index]",
574  .function = clear_ipsec_sa_command_fn,
575 };
576 /* *INDENT-ON* */
577 
578 static clib_error_t *
579 show_ipsec_spd_command_fn (vlib_main_t * vm,
580  unformat_input_t * input, vlib_cli_command_t * cmd)
581 {
582  ipsec_main_t *im = &ipsec_main;
583  u8 show_bindings = 0;
584  u32 spdi = ~0;
585 
586  while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
587  {
588  if (unformat (input, "%u", &spdi))
589  ;
590  else if (unformat (input, "bindings"))
591  show_bindings = 1;
592  else
593  break;
594  }
595 
596  if (show_bindings)
597  ipsec_spd_bindings_show_all (vm, im);
598  else if (~0 != spdi)
599  vlib_cli_output (vm, "%U", format_ipsec_spd, spdi);
600  else
601  ipsec_spd_show_all (vm, im);
602 
603  return 0;
604 }
605 
606 /* *INDENT-OFF* */
607 VLIB_CLI_COMMAND (show_ipsec_spd_command, static) = {
608  .path = "show ipsec spd",
609  .short_help = "show ipsec spd [index]",
610  .function = show_ipsec_spd_command_fn,
611 };
612 /* *INDENT-ON* */
613 
614 static clib_error_t *
615 show_ipsec_tunnel_command_fn (vlib_main_t * vm,
616  unformat_input_t * input,
617  vlib_cli_command_t * cmd)
618 {
619  ipsec_tunnel_show_all (vm);
620 
621  return 0;
622 }
623 
624 /* *INDENT-OFF* */
625 VLIB_CLI_COMMAND (show_ipsec_tunnel_command, static) = {
626  .path = "show ipsec tunnel",
627  .short_help = "show ipsec tunnel",
628  .function = show_ipsec_tunnel_command_fn,
629 };
630 /* *INDENT-ON* */
631 
632 static clib_error_t *
633 ipsec_show_backends_command_fn (vlib_main_t * vm,
634  unformat_input_t * input,
635  vlib_cli_command_t * cmd)
636 {
637  ipsec_main_t *im = &ipsec_main;
638  u32 verbose = 0;
639 
640  (void) unformat (input, "verbose %u", &verbose);
641 
642  vlib_cli_output (vm, "IPsec AH backends available:");
643  u8 *s = format (NULL, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
644  ipsec_ah_backend_t *ab;
645  /* *INDENT-OFF* */
646  pool_foreach (ab, im->ah_backends) {
647  s = format (s, "%=25s %=25u %=10s\n", ab->name, ab - im->ah_backends,
648  ab - im->ah_backends == im->ah_current_backend ? "yes" : "no");
649  if (verbose) {
650  vlib_node_t *n;
651  n = vlib_get_node (vm, ab->ah4_encrypt_node_index);
652  s = format (s, " enc4 %s (next %d)\n", n->name, ab->ah4_encrypt_next_index);
653  n = vlib_get_node (vm, ab->ah4_decrypt_node_index);
654  s = format (s, " dec4 %s (next %d)\n", n->name, ab->ah4_decrypt_next_index);
655  n = vlib_get_node (vm, ab->ah6_encrypt_node_index);
656  s = format (s, " enc6 %s (next %d)\n", n->name, ab->ah6_encrypt_next_index);
657  n = vlib_get_node (vm, ab->ah6_decrypt_node_index);
658  s = format (s, " dec6 %s (next %d)\n", n->name, ab->ah6_decrypt_next_index);
659  }
660  }
661  /* *INDENT-ON* */
662  vlib_cli_output (vm, "%v", s);
663  _vec_len (s) = 0;
664  vlib_cli_output (vm, "IPsec ESP backends available:");
665  s = format (s, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
666  ipsec_esp_backend_t *eb;
667  /* *INDENT-OFF* */
668  pool_foreach (eb, im->esp_backends) {
669  s = format (s, "%=25s %=25u %=10s\n", eb->name, eb - im->esp_backends,
670  eb - im->esp_backends == im->esp_current_backend ? "yes"
671  : "no");
672  if (verbose) {
673  vlib_node_t *n;
674  n = vlib_get_node (vm, eb->esp4_encrypt_node_index);
675  s = format (s, " enc4 %s (next %d)\n", n->name, eb->esp4_encrypt_next_index);
676  n = vlib_get_node (vm, eb->esp4_decrypt_node_index);
677  s = format (s, " dec4 %s (next %d)\n", n->name, eb->esp4_decrypt_next_index);
678  n = vlib_get_node (vm, eb->esp6_encrypt_node_index);
679  s = format (s, " enc6 %s (next %d)\n", n->name, eb->esp6_encrypt_next_index);
680  n = vlib_get_node (vm, eb->esp6_decrypt_node_index);
681  s = format (s, " dec6 %s (next %d)\n", n->name, eb->esp6_decrypt_next_index);
682  }
683  }
684  /* *INDENT-ON* */
685  vlib_cli_output (vm, "%v", s);
686 
687  vec_free (s);
688  return 0;
689 }
690 
691 /* *INDENT-OFF* */
692 VLIB_CLI_COMMAND (ipsec_show_backends_command, static) = {
693  .path = "show ipsec backends",
694  .short_help = "show ipsec backends",
695  .function = ipsec_show_backends_command_fn,
696 };
697 /* *INDENT-ON* */
698 
699 static clib_error_t *
700 ipsec_select_backend_command_fn (vlib_main_t * vm,
701  unformat_input_t * input,
702  vlib_cli_command_t * cmd)
703 {
704  unformat_input_t _line_input, *line_input = &_line_input;
705  ipsec_main_t *im = &ipsec_main;
706  clib_error_t *error;
707  u32 backend_index;
708 
709  error = ipsec_rsc_in_use (im);
710 
711  if (error)
712  return error;
713 
714  /* Get a line of input. */
715  if (!unformat_user (input, unformat_line_input, line_input))
716  return 0;
717 
718  if (unformat (line_input, "ah"))
719  {
720  if (unformat (line_input, "%u", &backend_index))
721  {
722  if (ipsec_select_ah_backend (im, backend_index) < 0)
723  {
724  return clib_error_return (0, "Invalid AH backend index `%u'",
725  backend_index);
726  }
727  }
728  else
729  {
730  return clib_error_return (0, "Invalid backend index `%U'",
731  format_unformat_error, line_input);
732  }
733  }
734  else if (unformat (line_input, "esp"))
735  {
736  if (unformat (line_input, "%u", &backend_index))
737  {
738  if (ipsec_select_esp_backend (im, backend_index) < 0)
739  {
740  return clib_error_return (0, "Invalid ESP backend index `%u'",
741  backend_index);
742  }
743  }
744  else
745  {
746  return clib_error_return (0, "Invalid backend index `%U'",
747  format_unformat_error, line_input);
748  }
749  }
750  else
751  {
752  return clib_error_return (0, "Unknown input `%U'",
753  format_unformat_error, line_input);
754  }
755 
756  return 0;
757 }
758 
759 /* *INDENT-OFF* */
760 VLIB_CLI_COMMAND (ipsec_select_backend_command, static) = {
761  .path = "ipsec select backend",
762  .short_help = "ipsec select backend <ah|esp> <backend index>",
763  .function = ipsec_select_backend_command_fn,
764 };
765 
766 /* *INDENT-ON* */
767 
768 static clib_error_t *
769 clear_ipsec_counters_command_fn (vlib_main_t * vm,
770  unformat_input_t * input,
771  vlib_cli_command_t * cmd)
772 {
773  vlib_clear_combined_counters (&ipsec_spd_policy_counters);
774  vlib_clear_combined_counters (&ipsec_sa_counters);
775 
776  return (NULL);
777 }
778 
779 /* *INDENT-OFF* */
780 VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = {
781  .path = "clear ipsec counters",
782  .short_help = "clear ipsec counters",
783  .function = clear_ipsec_counters_command_fn,
784 };
785 /* *INDENT-ON* */
786 
787 static u32
788 ipsec_tun_mk_local_sa_id (u32 ti)
789 {
790  return (0x80000000 | ti);
791 }
792 
793 static u32
794 ipsec_tun_mk_remote_sa_id (u32 ti)
795 {
796  return (0xc0000000 | ti);
797 }
798 
799 static clib_error_t *
800 create_ipsec_tunnel_command_fn (vlib_main_t * vm,
801  unformat_input_t * input,
802  vlib_cli_command_t * cmd)
803 {
804  unformat_input_t _line_input, *line_input = &_line_input;
805  ip46_address_t local_ip = ip46_address_initializer;
806  ip46_address_t remote_ip = ip46_address_initializer;
807  ip_address_t nh = IP_ADDRESS_V4_ALL_0S;
808  ipsec_crypto_alg_t crypto_alg = IPSEC_CRYPTO_ALG_NONE;
809  ipsec_integ_alg_t integ_alg = IPSEC_INTEG_ALG_NONE;
810  ipsec_sa_flags_t flags;
811  u32 local_spi, remote_spi, salt = 0, table_id, fib_index;
812  u32 instance = ~0;
813  int rv;
814  u32 m_args = 0;
815  u8 ipv4_set = 0;
816  u8 ipv6_set = 0;
817  u8 is_add = 1;
818  clib_error_t *error = NULL;
819  ipsec_key_t rck = { 0 };
820  ipsec_key_t lck = { 0 };
821  ipsec_key_t lik = { 0 };
822  ipsec_key_t rik = { 0 };
823 
824  table_id = 0;
825  flags = IPSEC_SA_FLAG_NONE;
826 
827  /* Get a line of input. */
828  if (!unformat_user (input, unformat_line_input, line_input))
829  return 0;
830 
831  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
832  {
833  if (unformat
834  (line_input, "local-ip %U", unformat_ip46_address, &local_ip,
835  IP46_TYPE_ANY))
836  {
837  ip46_address_is_ip4 (&local_ip) ? (ipv4_set = 1) : (ipv6_set = 1);
838  m_args |= 1 << 0;
839  }
840  else
841  if (unformat
842  (line_input, "remote-ip %U", unformat_ip46_address, &remote_ip,
843  IP46_TYPE_ANY))
844  {
845  ip46_address_is_ip4 (&remote_ip) ? (ipv4_set = 1) : (ipv6_set = 1);
846  m_args |= 1 << 1;
847  }
848  else if (unformat (line_input, "local-spi %u", &local_spi))
849  m_args |= 1 << 2;
850  else if (unformat (line_input, "remote-spi %u", &remote_spi))
851  m_args |= 1 << 3;
852  else if (unformat (line_input, "salt 0x%x", &salt))
853  ;
854  else if (unformat (line_input, "udp-encap"))
855  flags |= IPSEC_SA_FLAG_UDP_ENCAP;
856  else if (unformat (line_input, "use-esn"))
857  flags |= IPSEC_SA_FLAG_USE_ESN;
858  else if (unformat (line_input, "use-anti-replay"))
859  flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
860  else if (unformat (line_input, "instance %u", &instance))
861  ;
862  else if (unformat (line_input, "tx-table %u", &table_id))
863  ;
864  else
865  if (unformat
866  (line_input, "local-crypto-key %U", unformat_ipsec_key, &lck))
867  ;
868  else
869  if (unformat
870  (line_input, "remote-crypto-key %U", unformat_ipsec_key, &rck))
871  ;
872  else if (unformat (line_input, "crypto-alg %U",
873  unformat_ipsec_crypto_alg, &crypto_alg))
874  ;
875  else
876  if (unformat
877  (line_input, "local-integ-key %U", unformat_ipsec_key, &lik))
878  ;
879  else
880  if (unformat
881  (line_input, "remote-integ-key %U", unformat_ipsec_key, &rik))
882  ;
883  else if (unformat (line_input, "integ-alg %U",
884  unformat_ipsec_integ_alg, &integ_alg))
885  ;
886  else if (unformat (line_input, "del"))
887  is_add = 0;
888  else if (unformat (line_input, "nh &U", unformat_ip_address, &nh))
889  ;
890  else
891  {
892  error = clib_error_return (0, "unknown input `%U'",
893  format_unformat_error, line_input);
894  goto done;
895  }
896  }
897 
898  if (0xf != m_args)
899  {
900  error = clib_error_return (0, "mandatory argument(s) missing");
901  goto done;
902  }
903 
904  if (ipv4_set && ipv6_set)
905  return clib_error_return (0, "both IPv4 and IPv6 addresses specified");
906 
907  fib_index = fib_table_find (fib_ip_proto (ipv6_set), table_id);
908 
909  if (~0 == fib_index)
910  {
911  rv = VNET_API_ERROR_NO_SUCH_FIB;
912  goto done;
913  }
914 
915  if (is_add)
916  {
917  // remote = input, local = output
918  u32 sw_if_index;
919 
920  /* create an ip-ip tunnel, then the two SA, then bind them */
921  rv =
922  ipip_add_tunnel (ipv6_set ? IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4,
923  instance, &local_ip, &remote_ip, fib_index,
924  TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
925  TUNNEL_MODE_P2P, &sw_if_index);
926  rv |=
927  ipsec_sa_add_and_lock (ipsec_tun_mk_local_sa_id (sw_if_index),
928  local_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
929  &lck, integ_alg, &lik, flags, table_id,
930  clib_host_to_net_u32 (salt), &local_ip,
931  &remote_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
932  IP_DSCP_CS0, NULL,
933  IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
934  rv |=
935  ipsec_sa_add_and_lock (ipsec_tun_mk_remote_sa_id (sw_if_index),
936  remote_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
937  &rck, integ_alg, &rik,
938  (flags | IPSEC_SA_FLAG_IS_INBOUND), table_id,
939  clib_host_to_net_u32 (salt), &remote_ip,
940  &local_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
941  IP_DSCP_CS0, NULL,
942  IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
943  rv |=
944  ipsec_tun_protect_update_one (sw_if_index, &nh,
945  ipsec_tun_mk_local_sa_id (sw_if_index),
946  ipsec_tun_mk_remote_sa_id
947  (sw_if_index));
948  }
949  else
950  rv = 0;
951 
952  switch (rv)
953  {
954  case 0:
955  break;
956  case VNET_API_ERROR_INVALID_VALUE:
957  error = clib_error_return (0,
958  "IPSec tunnel interface already exists...");
959  goto done;
960  default:
961  error = clib_error_return (0, "ipsec_register_interface returned %d",
962  rv);
963  goto done;
964  }
965 
966 done:
967  unformat_free (line_input);
968 
969  return error;
970 }
971 
972 /* *INDENT-OFF* */
973 VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
974  .path = "create ipsec tunnel",
975  .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> "
976  "remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap] [use-esn] [use-anti-replay] "
977  "[tx-table <table-id>]",
978  .function = create_ipsec_tunnel_command_fn,
979 };
980 /* *INDENT-ON* */
981 
982 static clib_error_t *
983 ipsec_tun_protect_cmd (vlib_main_t * vm,
984  unformat_input_t * input, vlib_cli_command_t * cmd)
985 {
986  unformat_input_t _line_input, *line_input = &_line_input;
987  u32 sw_if_index, is_del, sa_in, sa_out, *sa_ins = NULL;
988  ip_address_t peer = { };
989  vnet_main_t *vnm;
990 
991  is_del = 0;
992  sw_if_index = ~0;
993  vnm = vnet_get_main ();
994 
995  if (!unformat_user (input, unformat_line_input, line_input))
996  return 0;
997 
998  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
999  {
1000  if (unformat (line_input, "del"))
1001  is_del = 1;
1002  else if (unformat (line_input, "add"))
1003  is_del = 0;
1004  else if (unformat (line_input, "sa-in %d", &sa_in))
1005  vec_add1 (sa_ins, sa_in);
1006  else if (unformat (line_input, "sa-out %d", &sa_out))
1007  ;
1008  else if (unformat (line_input, "%U",
1009  unformat_vnet_sw_interface, vnm, &sw_if_index))
1010  ;
1011  else if (unformat (line_input, "%U", unformat_ip_address, &peer))
1012  ;
1013  else
1014  return (clib_error_return (0, "unknown input '%U'",
1015  format_unformat_error, line_input));
1016  }
1017 
1018  if (!is_del)
1019  ipsec_tun_protect_update (sw_if_index, &peer, sa_out, sa_ins);
1020  else
1021  ipsec_tun_protect_del (sw_if_index, &peer);
1022 
1023  unformat_free (line_input);
1024  return NULL;
1025 }
1026 
1027 /**
1028  * Protect tunnel with IPSEC
1029  */
1030 /* *INDENT-OFF* */
1031 VLIB_CLI_COMMAND (ipsec_tun_protect_cmd_node, static) =
1032 {
1033  .path = "ipsec tunnel protect",
1034  .function = ipsec_tun_protect_cmd,
1035  .short_help = "ipsec tunnel protect <interface> input-sa <SA> output-sa <SA> [add|del]",
1036  // this is not MP safe
1037 };
1038 /* *INDENT-ON* */
1039 
1040 
1041 static clib_error_t *
1042 ipsec_tun_protect_show (vlib_main_t * vm,
1043  unformat_input_t * input, vlib_cli_command_t * cmd)
1044 {
1045  ipsec_tun_protect_walk (ipsec_tun_protect_show_one, vm);
1046 
1047  return NULL;
1048 }
1049 
1050 /**
1051  * show IPSEC tunnel protection
1052  */
1053 /* *INDENT-OFF* */
1054 VLIB_CLI_COMMAND (ipsec_tun_protect_show_node, static) =
1055 {
1056  .path = "show ipsec protect",
1057  .function = ipsec_tun_protect_show,
1058  .short_help = "show ipsec protect",
1059 };
1060 /* *INDENT-ON* */
1061 
1062 static int
1063 ipsec_tun_protect4_hash_show_one (clib_bihash_kv_8_16_t * kv, void *arg)
1064 {
1065  ipsec4_tunnel_kv_t *ikv = (ipsec4_tunnel_kv_t *) kv;
1066  vlib_main_t *vm = arg;
1067 
1068  vlib_cli_output (vm, " %U", format_ipsec4_tunnel_kv, ikv);
1069 
1070  return (BIHASH_WALK_CONTINUE);
1071 }
1072 
1073 static int
1074 ipsec_tun_protect6_hash_show_one (clib_bihash_kv_24_16_t * kv, void *arg)
1075 {
1076  ipsec6_tunnel_kv_t *ikv = (ipsec6_tunnel_kv_t *) kv;
1077  vlib_main_t *vm = arg;
1078 
1079  vlib_cli_output (vm, " %U", format_ipsec6_tunnel_kv, ikv);
1080 
1081  return (BIHASH_WALK_CONTINUE);
1082 }
1083 
1084 static clib_error_t *
1085 ipsec_tun_protect_hash_show (vlib_main_t * vm,
1086  unformat_input_t * input,
1087  vlib_cli_command_t * cmd)
1088 {
1089  ipsec_main_t *im = &ipsec_main;
1090 
1091  {
1092  vlib_cli_output (vm, "IPv4:");
1093 
1094  clib_bihash_foreach_key_value_pair_8_16
1095  (&im->tun4_protect_by_key, ipsec_tun_protect4_hash_show_one, vm);
1096 
1097  vlib_cli_output (vm, "IPv6:");
1098 
1099  clib_bihash_foreach_key_value_pair_24_16
1100  (&im->tun6_protect_by_key, ipsec_tun_protect6_hash_show_one, vm);
1101  }
1102 
1103  return NULL;
1104 }
1105 
1106 /**
1107  * show IPSEC tunnel protection hash tables
1108  */
1109 /* *INDENT-OFF* */
1110 VLIB_CLI_COMMAND (ipsec_tun_protect_hash_show_node, static) =
1111 {
1112  .path = "show ipsec protect-hash",
1113  .function = ipsec_tun_protect_hash_show,
1114  .short_help = "show ipsec protect-hash",
1115 };
1116 /* *INDENT-ON* */
1117 
1118 clib_error_t *
1119 ipsec_cli_init (vlib_main_t * vm)
1120 {
1121  return 0;
1122 }
1123 
1124 VLIB_INIT_FUNCTION (ipsec_cli_init);
1125 
1126 static clib_error_t *
1127 set_async_mode_command_fn (vlib_main_t * vm, unformat_input_t * input,
1128  vlib_cli_command_t * cmd)
1129 {
1130  unformat_input_t _line_input, *line_input = &_line_input;
1131  int async_enable = 0;
1132 
1133  if (!unformat_user (input, unformat_line_input, line_input))
1134  return 0;
1135 
1136  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
1137  {
1138  if (unformat (line_input, "on"))
1139  async_enable = 1;
1140  else if (unformat (line_input, "off"))
1141  async_enable = 0;
1142  else
1143  return (clib_error_return (0, "unknown input '%U'",
1144  format_unformat_error, line_input));
1145  }
1146 
1147  vnet_crypto_request_async_mode (async_enable);
1148  ipsec_set_async_mode (async_enable);
1149 
1150  unformat_free (line_input);
1151  return (NULL);
1152 }
1153 
1154 /* *INDENT-OFF* */
1155 VLIB_CLI_COMMAND (set_async_mode_command, static) = {
1156  .path = "set ipsec async mode",
1157  .short_help = "set ipsec async mode on|off",
1158  .function = set_async_mode_command_fn,
1159 };
1160 /* *INDENT-ON* */
1161 
1162 /*
1163  * fd.io coding-style-patch-verification: ON
1164  *
1165  * Local Variables:
1166  * eval: (c-set-style "gnu")
1167  * End:
1168  */
ipsec_select_backend_command_fn
static clib_error_t * ipsec_select_backend_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:700
ip46_address_range_t::stop
ip46_address_t stop
Definition: ipsec_spd_policy.h:37
ipsec_tun_protect6_hash_show_one
static int ipsec_tun_protect6_hash_show_one(clib_bihash_kv_24_16_t *kv, void *arg)
Definition: ipsec_cli.c:1074
ipsec_main_t::spds
ipsec_spd_t * spds
Definition: ipsec.h:109
ipsec_esp_backend_t::esp4_encrypt_next_index
u32 esp4_encrypt_next_index
Definition: ipsec.h:65
ipsec_sa_add_and_lock
int ipsec_sa_add_and_lock(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, tunnel_encap_decap_flags_t tunnel_flags, ip_dscp_t dscp, u32 *sa_out_index, u16 src_port, u16 dst_port)
Definition: ipsec_sa.c:170
pool_foreach_index
#define pool_foreach_index(i, v)
Definition: pool.h:569
IPSEC_PROTOCOL_ESP
Definition: ipsec_sa.h:71
port_range_t::stop
u16 stop
Definition: ipsec_spd_policy.h:42
ipsec_policy_t_::sa_id
u32 sa_id
Definition: ipsec_spd_policy.h:72
flags
vl_api_wireguard_peer_flags_t flags
Definition: wireguard.api:105
ipsec_tun_mk_local_sa_id
static u32 ipsec_tun_mk_local_sa_id(u32 ti)
Definition: ipsec_cli.c:788
vnet_get_main
vnet_main_t * vnet_get_main(void)
Definition: misc.c:46
pool_foreach
#define pool_foreach(VAR, POOL)
Iterate through pool.
Definition: pool.h:527
nh
vl_api_fib_path_nh_t nh
Definition: fib_types.api:126
ipsec_ah_backend_t
Definition: ipsec.h:37
ipsec_policy_t_::laddr
ip46_address_range_t laddr
Definition: ipsec_spd_policy.h:64
ipsec_policy_t_::id
u32 id
Definition: ipsec_spd_policy.h:56
show_ipsec_spd_command_fn
static clib_error_t * show_ipsec_spd_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:579
clib_memset
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
ipsec_esp_backend_t::esp4_decrypt_node_index
u32 esp4_decrypt_node_index
Definition: ipsec.h:64
ipsec_policy_mk_type
int ipsec_policy_mk_type(bool is_outbound, bool is_ipv6, ipsec_policy_action_t action, ipsec_spd_policy_type_t *type)
Definition: ipsec_spd_policy.c:100
WALK_CONTINUE
Definition: interface_funcs.h:174
ipsec_ah_backend_t::ah6_decrypt_next_index
u32 ah6_decrypt_next_index
Definition: ipsec.h:51
vnet_crypto_request_async_mode
void vnet_crypto_request_async_mode(int is_enable)
Definition: crypto.c:559
create_ipsec_tunnel_command_fn
static clib_error_t * create_ipsec_tunnel_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:800
ipsec_esp_backend_t::esp6_decrypt_next_index
u32 esp6_decrypt_next_index
Definition: ipsec.h:70
index_t
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets are they are swit...
Definition: dpo.h:41
vec_add1
#define vec_add1(V, E)
Add 1 element to end of vector (unspecified alignment).
Definition: vec.h:592
ipsec_ah_backend_t::ah4_encrypt_node_index
u32 ah4_encrypt_node_index
Definition: ipsec.h:44
ipsec_esp_backend_t::esp6_encrypt_node_index
u32 esp6_encrypt_node_index
Definition: ipsec.h:67
ipsec_sa_clear
void ipsec_sa_clear(index_t sai)
Definition: ipsec_sa.c:451
tx_table_id
u32 tx_table_id
Definition: ipsec_types.api:133
unformat_user
uword unformat_user(unformat_input_t *input, unformat_function_t *func,...)
Definition: unformat.c:989
vm
vlib_main_t * vm
Definition: in2out_ed.c:1580
ipsec_select_ah_backend
int ipsec_select_ah_backend(ipsec_main_t *im, u32 backend_idx)
Definition: ipsec.c:270
ipsec_main_t::ah_current_backend
u32 ah_current_backend
Definition: ipsec.h:175
unformat_vnet_sw_interface
unformat_function_t unformat_vnet_sw_interface
Definition: interface_funcs.h:449
ipsec_spd_t
A Secruity Policy Database.
Definition: ipsec_spd.h:46
ipsec_main_t::esp_current_backend
u32 esp_current_backend
Definition: ipsec.h:177
ipip_add_tunnel
int ipip_add_tunnel(ipip_transport_t transport, u32 instance, ip46_address_t *src, ip46_address_t *dst, u32 fib_index, tunnel_encap_decap_flags_t flags, ip_dscp_t dscp, tunnel_mode_t tmode, u32 *sw_if_indexp)
Definition: ipip.c:664
format_ipsec4_tunnel_kv
u8 * format_ipsec4_tunnel_kv(u8 *s, va_list *args)
Definition: ipsec_format.c:402
ip46_address_is_ip4
static u8 ip46_address_is_ip4(const ip46_address_t *ip46)
Definition: ip46_address.h:55
ipsec_ah_backend_t::ah6_decrypt_node_index
u32 ah6_decrypt_node_index
Definition: ipsec.h:49
ipsec_tun_protect_walk
void ipsec_tun_protect_walk(ipsec_tun_protect_walk_cb_t fn, void *ctx)
Definition: ipsec_tun.c:836
ipsec_tunnel_show_all
static void ipsec_tunnel_show_all(vlib_main_t *vm)
Definition: ipsec_cli.c:473
u8
unsigned char u8
Definition: types.h:56
id
u8 id[64]
Definition: dhcp.api:160
format_ipsec_tun_protect_index
u8 * format_ipsec_tun_protect_index(u8 *s, va_list *args)
Definition: ipsec_format.c:346
ipsec_main_t::spd_index_by_sw_if_index
uword * spd_index_by_sw_if_index
Definition: ipsec.h:126
walk_rc_t
enum walk_rc_t_ walk_rc_t
Walk return code.
ipsec_esp_backend_t::esp6_encrypt_next_index
u32 esp6_encrypt_next_index
Definition: ipsec.h:69
ipsec_policy_t_::protocol
u8 protocol
Definition: ipsec_spd_policy.h:66
ipsec_ah_backend_t::ah6_encrypt_node_index
u32 ah6_encrypt_node_index
Definition: ipsec.h:48
is_outbound
bool is_outbound
Definition: ipsec.api:96
vlib_clear_combined_counters
void vlib_clear_combined_counters(vlib_combined_counter_main_t *cm)
Clear a collection of combined counters.
Definition: counter.c:61
unformat_ip4_address
unformat_function_t unformat_ip4_address
Definition: format.h:68
VLIB_INIT_FUNCTION
#define VLIB_INIT_FUNCTION(x)
Definition: init.h:173
ipsec_main
ipsec_main_t ipsec_main
Definition: ipsec.c:28
ipsec_tun_protect_del
int ipsec_tun_protect_del(u32 sw_if_index, const ip_address_t *nh)
Definition: ipsec_tun.c:804
ipsec_ah_backend_t::ah6_encrypt_next_index
u32 ah6_encrypt_next_index
Definition: ipsec.h:50
format
description fragment has unexpected format
Definition: map.api:433
ipsec_select_esp_backend
int ipsec_select_esp_backend(ipsec_main_t *im, u32 backend_idx)
Definition: ipsec.c:293
hash_foreach
#define hash_foreach(key_var, value_var, h, body)
Definition: hash.h:442
unformat_ipsec_crypto_alg
uword unformat_ipsec_crypto_alg(unformat_input_t *input, va_list *args)
Definition: ipsec_format.c:97
IPSEC_PROTOCOL_AH
Definition: ipsec_sa.h:70
port_range_t::start
u16 start
Definition: ipsec_spd_policy.h:42
api_errno.h
clib_error_return
#define clib_error_return(e, args...)
Definition: error.h:99
ipsec_sa_unlock_id
int ipsec_sa_unlock_id(u32 id)
Definition: ipsec_sa.c:435
ipsec_policy_t_::rport
port_range_t rport
Definition: ipsec_spd_policy.h:68
format_ipsec_sa
u8 * format_ipsec_sa(u8 *s, va_list *args)
Definition: ipsec_format.c:270
salt
u32 salt
Definition: ipsec_types.api:134
u32
unsigned int u32
Definition: types.h:88
ipsec_main_t::tun4_protect_by_key
clib_bihash_8_16_t tun4_protect_by_key
Definition: ipsec.h:133
fib_table_find
u32 fib_table_find(fib_protocol_t proto, u32 table_id)
Get the index of the FIB for a Table-ID.
Definition: fib_table.c:1106
ipsec_esp_backend_t::esp6_decrypt_node_index
u32 esp6_decrypt_node_index
Definition: ipsec.h:68
sa_in
u32 sa_in[n_sa_in]
Definition: ipsec.api:266
ipsec_main_t
Definition: ipsec.h:106
ipsec_tun_protect_show
static clib_error_t * ipsec_tun_protect_show(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:1042
unformat_line_input
unformat_function_t unformat_line_input
Definition: format.h:282
sa_out
u32 sa_out
Definition: ipsec.api:264
dscp
vl_api_ip_dscp_t dscp
Definition: dhcp.api:163
error
Definition: cJSON.c:84
ipsec_spd_policy_counters
vlib_combined_counter_main_t ipsec_spd_policy_counters
Policy packet & bytes counters.
Definition: ipsec_spd_policy.c:22
clib_bihash_kv_24_16_t
Definition: bihash_24_16.h:40
integ_alg
u8 integ_alg
Definition: ikev2_types.api:59
format_ipsec_spd
u8 * format_ipsec_spd(u8 *s, va_list *args)
Definition: ipsec_format.c:204
proto
vl_api_ip_proto_t proto
Definition: acl_types.api:51
ipsec_policy_add_del_command_fn
static clib_error_t * ipsec_policy_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:282
ctx
long ctx[MAX_CONNS]
Definition: main.c:144
ipsec_main_t::tun6_protect_by_key
clib_bihash_24_16_t tun6_protect_by_key
Definition: ipsec.h:134
ipsec_main_t::vnet_main
vnet_main_t * vnet_main
Definition: ipsec.h:122
unformat_input_t
struct _unformat_input_t unformat_input_t
u16
unsigned short u16
Definition: types.h:57
ipsec_add_del_policy
int ipsec_add_del_policy(vlib_main_t *vm, ipsec_policy_t *policy, int is_add, u32 *stat_index)
Add/Delete a SPD.
Definition: ipsec_spd_policy.c:140
ipsec_ah_backend_t::ah4_decrypt_next_index
u32 ah4_decrypt_next_index
Definition: ipsec.h:47
set_interface_spd_command_fn
static clib_error_t * set_interface_spd_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:29
set_async_mode_command_fn
static clib_error_t * set_async_mode_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:1127
ipsec_rsc_in_use
clib_error_t * ipsec_rsc_in_use(ipsec_main_t *im)
Definition: ipsec.c:258
ipsec_show_backends_command_fn
static clib_error_t * ipsec_show_backends_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:633
ipsec_policy_t_::type
ipsec_spd_policy_type_t type
Definition: ipsec_spd_policy.h:60
ipsec_ah_backend_t::name
u8 * name
Definition: ipsec.h:39
unformat_ip_address
uword unformat_ip_address(unformat_input_t *input, va_list *args)
Definition: ip_types.c:41
ipsec_esp_backend_t::esp4_encrypt_node_index
u32 esp4_encrypt_node_index
Definition: ipsec.h:63
peer
vl_api_address_t peer
Definition: teib.api:28
IP_ADDRESS_V4_ALL_0S
#define IP_ADDRESS_V4_ALL_0S
Definition: ip_types.h:86
ipsec_spd_bindings_show_all
static void ipsec_spd_bindings_show_all(vlib_main_t *vm, ipsec_main_t *im)
Definition: ipsec_cli.c:447
vlib_node_t::name
u8 * name
Definition: node.h:264
ip_address
Definition: ip_types.h:79
clear_ipsec_counters_command_fn
static clib_error_t * clear_ipsec_counters_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:769
unformat_ip6_address
unformat_function_t unformat_ip6_address
Definition: format.h:89
ipsec_tun_protect_update_one
int ipsec_tun_protect_update_one(u32 sw_if_index, const ip_address_t *nh, u32 sa_out, u32 sa_in)
Definition: ipsec_tun.c:533
ipsec_ah_backend_t::ah4_decrypt_node_index
u32 ah4_decrypt_node_index
Definition: ipsec.h:45
UNFORMAT_END_OF_INPUT
#define UNFORMAT_END_OF_INPUT
Definition: format.h:144
ipsec_sa_show_all
static void ipsec_sa_show_all(vlib_main_t *vm, ipsec_main_t *im, u8 detail)
Definition: ipsec_cli.c:422
ipsec_main_t::ah_backends
ipsec_ah_backend_t * ah_backends
Definition: ipsec.h:171
ipsec_cli_init
clib_error_t * ipsec_cli_init(vlib_main_t *vm)
Definition: ipsec_cli.c:1119
clib_bihash_kv_8_16_t
8 octet key, 8 octet key value pair
Definition: bihash_8_16.h:41
ipsec_policy_t_::priority
i32 priority
Definition: ipsec_spd_policy.h:57
vec_free
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:380
clear_ipsec_sa_command_fn
static clib_error_t * clear_ipsec_sa_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:531
ipsec_policy_t_::policy
ipsec_policy_action_t policy
Definition: ipsec_spd_policy.h:71
format_ipsec6_tunnel_kv
u8 * format_ipsec6_tunnel_kv(u8 *s, va_list *args)
Definition: ipsec_format.c:420
ip46_address_range_t::start
ip46_address_t start
Definition: ipsec_spd_policy.h:37
ipsec_ah_backend_t::ah4_encrypt_next_index
u32 ah4_encrypt_next_index
Definition: ipsec.h:46
ipsec_sa_flags_t
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
spi
u32 spi
Definition: flow_types.api:140
ipsec_esp_backend_t
Definition: ipsec.h:54
ipsec6_tunnel_kv_t_
Definition: ipsec_tun.h:76
pool_is_free_index
#define pool_is_free_index(P, I)
Use free bitmap to query whether given index is free.
Definition: pool.h:298
ipsec_policy_t_
A Secruity Policy.
Definition: ipsec_spd_policy.h:54
ipsec_esp_backend_t::name
u8 * name
Definition: ipsec.h:56
VLIB_CLI_COMMAND
#define VLIB_CLI_COMMAND(x,...)
Definition: cli.h:158
vnet_main_t
Definition: vnet.h:60
ipsec_spd_show_all
static void ipsec_spd_show_all(vlib_main_t *vm, ipsec_main_t *im)
Definition: ipsec_cli.c:435
ipsec_sa_counters
vlib_combined_counter_main_t ipsec_sa_counters
SA packet & bytes counters.
Definition: ipsec_sa.c:27
ipsec_set_async_mode
void ipsec_set_async_mode(u32 is_enabled)
Definition: ipsec.c:339
vlib_cli_output
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
Definition: cli.c:696
ip_dscp_t
enum ip_dscp_t_ ip_dscp_t
ipsec_main_t::sad
ipsec_sa_t * sad
Definition: ipsec.h:111
IP46_TYPE_ANY
Definition: ip46_address.h:24
show_ipsec_sa_command_fn
static clib_error_t * show_ipsec_sa_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:504
unformat_ipsec_integ_alg
uword unformat_ipsec_integ_alg(unformat_input_t *input, va_list *args)
Definition: ipsec_format.c:129
ipsec_tun_protect_cmd
static clib_error_t * ipsec_tun_protect_cmd(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:983
format_ipsec_policy_action
u8 * format_ipsec_policy_action(u8 *s, va_list *args)
Definition: ipsec_format.c:29
unformat_ipsec_policy_action
uword unformat_ipsec_policy_action(unformat_input_t *input, va_list *args)
Definition: ipsec_format.c:65
unformat_ip46_address
unformat_function_t unformat_ip46_address
Definition: format.h:63
clib_error_t
Definition: clib_error.h:21
ipsec_policy_t_::raddr
ip46_address_range_t raddr
Definition: ipsec_spd_policy.h:65
instance
u32 instance
Definition: gre.api:51
fib_ip_proto
static fib_protocol_t fib_ip_proto(bool is_ip6)
Convert from boolean is_ip6 to FIB protocol.
Definition: fib_types.h:79
ipsec_tun_mk_remote_sa_id
static u32 ipsec_tun_mk_remote_sa_id(u32 ti)
Definition: ipsec_cli.c:794
vlib_main_t
Definition: main.h:119
ipsec4_tunnel_kv_t
Definition: ipsec_tun.h:47
show_ipsec_tunnel_command_fn
static clib_error_t * show_ipsec_tunnel_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:615
unformat_free
static void unformat_free(unformat_input_t *i)
Definition: format.h:162
vlib_node_t
Definition: node.h:258
table_id
u32 table_id
Definition: wireguard.api:102
vlib_cli_command_t
Definition: cli.h:91
ipsec_sa_add_del_command_fn
static clib_error_t * ipsec_sa_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:84
ipsec_set_interface_spd
int ipsec_set_interface_spd(vlib_main_t *vm, u32 sw_if_index, u32 spd_id, int is_add)
Bind/attach a SPD to an interface.
Definition: ipsec_spd.c:63
ipsec_esp_backend_t::esp4_decrypt_next_index
u32 esp4_decrypt_next_index
Definition: ipsec.h:66
ipsec_tun_protect4_hash_show_one
static int ipsec_tun_protect4_hash_show_one(clib_bihash_kv_8_16_t *kv, void *arg)
Definition: ipsec_cli.c:1063
ipsec_tun.h
ipsec_tun_protect_hash_show
static clib_error_t * ipsec_tun_protect_hash_show(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:1085
format_unformat_error
u8 * format_unformat_error(u8 *s, va_list *va)
Definition: unformat.c:91
ipsec_policy_t_::lport
port_range_t lport
Definition: ipsec_spd_policy.h:67
ipsec_add_del_spd
int ipsec_add_del_spd(vlib_main_t *vm, u32 spd_id, int is_add)
Add/Delete a SPD.
Definition: ipsec_spd.c:20
show_ipsec_command_fn
static clib_error_t * show_ipsec_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:479
vlib_get_node
static vlib_node_t * vlib_get_node(vlib_main_t *vm, u32 i)
Get vlib node by index.
Definition: node_funcs.h:85
ipsec_tun_protect_show_one
static walk_rc_t ipsec_tun_protect_show_one(index_t itpi, void *ctx)
Definition: ipsec_cli.c:465
ipsec_main_t::esp_backends
ipsec_esp_backend_t * esp_backends
Definition: ipsec.h:173
ipsec_spd_add_del_command_fn
static clib_error_t * ipsec_spd_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
Definition: ipsec_cli.c:229
ipsec_key_t_
Definition: ipsec_sa.h:75
ipsec_main_t::async_mode
u8 async_mode
Definition: ipsec.h:207
unformat_ipsec_key
uword unformat_ipsec_key(unformat_input_t *input, va_list *args)
Definition: ipsec_format.c:243
IPSEC_UDP_PORT_NONE
#define IPSEC_UDP_PORT_NONE
Definition: ipsec_sa.h:290
ipsec_policy_t_::is_ipv6
u8 is_ipv6
Definition: ipsec_spd_policy.h:63
ip46_address_initializer
#define ip46_address_initializer
Definition: ip46_address.h:52
sw_if_index
vl_api_interface_index_t sw_if_index
Definition: wireguard.api:34
unformat
uword unformat(unformat_input_t *i, const char *fmt,...)
Definition: unformat.c:978
unformat_check_input
static uword unformat_check_input(unformat_input_t *i)
Definition: format.h:170
ipsec_tun_protect_update
int ipsec_tun_protect_update(u32 sw_if_index, const ip_address_t *nh, u32 sa_out, u32 *sas_in)
Definition: ipsec_tun.c:654