46 &sw_if_index, &spd_id))
48 else if (
unformat (line_input,
"del"))
60 case VNET_API_ERROR_SYSCALL_ERROR_1:
63 case VNET_API_ERROR_SYSCALL_ERROR_2:
76 .path =
"set interface ipsec spd",
78 "set interface ipsec spd <int> <id>",
89 ip46_address_t tun_src = { }, tun_dst =
92 ipsec_crypto_alg_t crypto_alg;
94 ipsec_protocol_t
proto;
100 u16 udp_src, udp_dst;
109 flags = IPSEC_SA_FLAG_NONE;
111 integ_alg = IPSEC_INTEG_ALG_NONE;
112 crypto_alg = IPSEC_CRYPTO_ALG_NONE;
122 if (
unformat (line_input,
"add %u", &
id))
127 else if (
unformat (line_input,
"del %u", &
id))
132 else if (
unformat (line_input,
"spi %u", &spi))
134 else if (
unformat (line_input,
"salt 0x%x", &salt))
136 else if (
unformat (line_input,
"esp"))
138 else if (
unformat (line_input,
"ah"))
140 else if (
unformat (line_input,
"crypto-key %U",
143 else if (
unformat (line_input,
"crypto-alg %U",
148 else if (
unformat (line_input,
"integ-alg %U",
151 else if (
unformat (line_input,
"tunnel-src %U",
154 flags |= IPSEC_SA_FLAG_IS_TUNNEL;
156 flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
158 else if (
unformat (line_input,
"tunnel-dst %U",
161 else if (
unformat (line_input,
"tx-table-id %d", &tx_table_id))
163 else if (
unformat (line_input,
"inbound"))
164 flags |= IPSEC_SA_FLAG_IS_INBOUND;
165 else if (
unformat (line_input,
"use-anti-replay"))
166 flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
167 else if (
unformat (line_input,
"use-esn"))
168 flags |= IPSEC_SA_FLAG_USE_ESN;
169 else if (
unformat (line_input,
"udp-encap"))
170 flags |= IPSEC_SA_FLAG_UDP_ENCAP;
178 if ((flags & IPSEC_SA_FLAG_IS_INBOUND)
179 && !(flags & IPSEC_SA_FLAG_IS_TUNNEL))
199 &ck, integ_alg, &ik, flags,
200 tx_table_id, clib_host_to_net_u32 (salt),
202 TUNNEL_ENCAP_DECAP_FLAG_NONE, dscp,
203 &sai, udp_src, udp_dst);
223 "ipsec sa [add|del]",
245 else if (
unformat (line_input,
"del"))
247 else if (
unformat (line_input,
"%u", &spd_id))
275 "ipsec spd [add|del] <id>",
289 u32 tmp, tmp2, stat_index, local_range_set, remote_range_set;
295 remote_range_set = local_range_set = is_outbound = 0;
304 else if (
unformat (line_input,
"del"))
306 else if (
unformat (line_input,
"ip6"))
308 else if (
unformat (line_input,
"spd %u", &p.
id))
310 else if (
unformat (line_input,
"inbound"))
312 else if (
unformat (line_input,
"outbound"))
316 else if (
unformat (line_input,
"protocol %u", &tmp))
323 if (p.
policy == IPSEC_POLICY_ACTION_RESOLVE)
331 else if (
unformat (line_input,
"local-ip-range %U - %U",
335 else if (
unformat (line_input,
"remote-ip-range %U - %U",
338 remote_range_set = 1;
339 else if (
unformat (line_input,
"local-ip-range %U - %U",
346 else if (
unformat (line_input,
"remote-ip-range %U - %U",
351 remote_range_set = 1;
353 else if (
unformat (line_input,
"local-port-range %u - %u", &tmp, &tmp2))
359 if (
unformat (line_input,
"remote-port-range %u - %u", &tmp, &tmp2))
372 if (!remote_range_set)
379 if (!local_range_set)
392 " outboud:%s %s action:%U",
393 (is_outbound ?
"yes" :
"no"),
414 .path =
"ipsec policy",
416 "ipsec policy [add|del] spd <id> priority <n> ",
456 spd = pool_elt_at_index (im->spds, spd_id);
457 vlib_cli_output (vm,
" %d -> %U", spd->id,
458 format_vnet_sw_if_index_name, im->vnet_main,
497 .path =
"show ipsec all",
498 .short_help =
"show ipsec all",
566 .path =
"show ipsec sa",
567 .short_help =
"show ipsec sa [index]",
572 .path =
"clear ipsec sa",
573 .short_help =
"clear ipsec sa [index]",
583 u8 show_bindings = 0;
590 else if (
unformat (input,
"bindings"))
608 .path =
"show ipsec spd",
609 .short_help =
"show ipsec spd [index]",
626 .path =
"show ipsec tunnel",
627 .short_help =
"show ipsec tunnel",
640 (void)
unformat (input,
"verbose %u", &verbose);
643 u8 *s =
format (NULL,
"%=25s %=25s %=10s\n",
"Name",
"Index",
"Active");
665 s =
format (s,
"%=25s %=25s %=10s\n",
"Name",
"Index",
"Active");
693 .path =
"show ipsec backends",
694 .short_help =
"show ipsec backends",
720 if (
unformat (line_input,
"%u", &backend_index))
734 else if (
unformat (line_input,
"esp"))
736 if (
unformat (line_input,
"%u", &backend_index))
761 .path =
"ipsec select backend",
762 .short_help =
"ipsec select backend <ah|esp> <backend index>",
781 .path =
"clear ipsec counters",
782 .short_help =
"clear ipsec counters",
790 return (0x80000000 | ti);
796 return (0xc0000000 | ti);
808 ipsec_crypto_alg_t crypto_alg = IPSEC_CRYPTO_ALG_NONE;
809 ipsec_integ_alg_t
integ_alg = IPSEC_INTEG_ALG_NONE;
825 flags = IPSEC_SA_FLAG_NONE;
848 else if (
unformat (line_input,
"local-spi %u", &local_spi))
850 else if (
unformat (line_input,
"remote-spi %u", &remote_spi))
852 else if (
unformat (line_input,
"salt 0x%x", &salt))
854 else if (
unformat (line_input,
"udp-encap"))
855 flags |= IPSEC_SA_FLAG_UDP_ENCAP;
856 else if (
unformat (line_input,
"use-esn"))
857 flags |= IPSEC_SA_FLAG_USE_ESN;
858 else if (
unformat (line_input,
"use-anti-replay"))
859 flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
860 else if (
unformat (line_input,
"instance %u", &instance))
872 else if (
unformat (line_input,
"crypto-alg %U",
883 else if (
unformat (line_input,
"integ-alg %U",
886 else if (
unformat (line_input,
"del"))
904 if (ipv4_set && ipv6_set)
911 rv = VNET_API_ERROR_NO_SUCH_FIB;
923 instance, &local_ip, &remote_ip, fib_index,
924 TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
925 TUNNEL_MODE_P2P, &sw_if_index);
929 &lck, integ_alg, &lik, flags,
table_id,
930 clib_host_to_net_u32 (salt), &local_ip,
931 &remote_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
937 &rck, integ_alg, &rik,
938 (flags | IPSEC_SA_FLAG_IS_INBOUND),
table_id,
939 clib_host_to_net_u32 (salt), &remote_ip,
940 &local_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
956 case VNET_API_ERROR_INVALID_VALUE:
958 "IPSec tunnel interface already exists...");
974 .path =
"create ipsec tunnel",
975 .short_help =
"create ipsec tunnel local-ip <addr> local-spi <spi> " 976 "remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap] [use-esn] [use-anti-replay] " 977 "[tx-table <table-id>]",
1002 else if (
unformat (line_input,
"add"))
1004 else if (
unformat (line_input,
"sa-in %d", &sa_in))
1006 else if (
unformat (line_input,
"sa-out %d", &sa_out))
1008 else if (
unformat (line_input,
"%U",
1033 .path =
"ipsec tunnel protect",
1035 .short_help =
"ipsec tunnel protect <interface> input-sa <SA> output-sa <SA> [add|del]",
1056 .path =
"show ipsec protect",
1058 .short_help =
"show ipsec protect",
1070 return (BIHASH_WALK_CONTINUE);
1081 return (BIHASH_WALK_CONTINUE);
1094 clib_bihash_foreach_key_value_pair_8_16
1099 clib_bihash_foreach_key_value_pair_24_16
1112 .path =
"show ipsec protect-hash",
1114 .short_help =
"show ipsec protect-hash",
1131 int async_enable = 0;
1140 else if (
unformat (line_input,
"off"))
1156 .path =
"set ipsec async mode",
1157 .short_help =
"set ipsec async mode on|off",
static clib_error_t * ipsec_select_backend_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static int ipsec_tun_protect6_hash_show_one(clib_bihash_kv_24_16_t *kv, void *arg)
u32 esp4_encrypt_next_index
int ipsec_sa_add_and_lock(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, tunnel_encap_decap_flags_t tunnel_flags, ip_dscp_t dscp, u32 *sa_out_index, u16 src_port, u16 dst_port)
#define pool_foreach_index(i, v)
vl_api_wireguard_peer_flags_t flags
static u32 ipsec_tun_mk_local_sa_id(u32 ti)
vnet_main_t * vnet_get_main(void)
#define pool_foreach(VAR, POOL)
Iterate through pool.
ip46_address_range_t laddr
static clib_error_t * show_ipsec_spd_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
u32 esp4_decrypt_node_index
int ipsec_policy_mk_type(bool is_outbound, bool is_ipv6, ipsec_policy_action_t action, ipsec_spd_policy_type_t *type)
u32 ah6_decrypt_next_index
void vnet_crypto_request_async_mode(int is_enable)
static clib_error_t * create_ipsec_tunnel_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
u32 esp6_decrypt_next_index
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets are they are swit...
#define vec_add1(V, E)
Add 1 element to end of vector (unspecified alignment).
u32 ah4_encrypt_node_index
u32 esp6_encrypt_node_index
void ipsec_sa_clear(index_t sai)
int ipsec_select_ah_backend(ipsec_main_t *im, u32 backend_idx)
unformat_function_t unformat_vnet_sw_interface
A Secruity Policy Database.
int ipip_add_tunnel(ipip_transport_t transport, u32 instance, ip46_address_t *src, ip46_address_t *dst, u32 fib_index, tunnel_encap_decap_flags_t flags, ip_dscp_t dscp, tunnel_mode_t tmode, u32 *sw_if_indexp)
static u8 ip46_address_is_ip4(const ip46_address_t *ip46)
u32 ah6_decrypt_node_index
void ipsec_tun_protect_walk(ipsec_tun_protect_walk_cb_t fn, void *ctx)
static void ipsec_tunnel_show_all(vlib_main_t *vm)
uword * spd_index_by_sw_if_index
enum walk_rc_t_ walk_rc_t
Walk return code.
u32 esp6_encrypt_next_index
u32 ah6_encrypt_node_index
void vlib_clear_combined_counters(vlib_combined_counter_main_t *cm)
Clear a collection of combined counters.
#define VLIB_INIT_FUNCTION(x)
int ipsec_tun_protect_del(u32 sw_if_index, const ip_address_t *nh)
u32 ah6_encrypt_next_index
description fragment has unexpected format
int ipsec_select_esp_backend(ipsec_main_t *im, u32 backend_idx)
#define hash_foreach(key_var, value_var, h, body)
#define clib_error_return(e, args...)
int ipsec_sa_unlock_id(u32 id)
clib_bihash_8_16_t tun4_protect_by_key
u32 fib_table_find(fib_protocol_t proto, u32 table_id)
Get the index of the FIB for a Table-ID.
u32 esp6_decrypt_node_index
static clib_error_t * ipsec_tun_protect_show(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
vlib_combined_counter_main_t ipsec_spd_policy_counters
Policy packet & bytes counters.
static clib_error_t * ipsec_policy_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
clib_bihash_24_16_t tun6_protect_by_key
int ipsec_add_del_policy(vlib_main_t *vm, ipsec_policy_t *policy, int is_add, u32 *stat_index)
Add/Delete a SPD.
u32 ah4_decrypt_next_index
static clib_error_t * set_interface_spd_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static clib_error_t * set_async_mode_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
clib_error_t * ipsec_rsc_in_use(ipsec_main_t *im)
static clib_error_t * ipsec_show_backends_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ipsec_spd_policy_type_t type
uword unformat_ip_address(unformat_input_t *input, va_list *args)
u32 esp4_encrypt_node_index
#define IP_ADDRESS_V4_ALL_0S
static void ipsec_spd_bindings_show_all(vlib_main_t *vm, ipsec_main_t *im)
static clib_error_t * clear_ipsec_counters_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_tun_protect_update_one(u32 sw_if_index, const ip_address_t *nh, u32 sa_out, u32 sa_in)
u32 ah4_decrypt_node_index
static void ipsec_sa_show_all(vlib_main_t *vm, ipsec_main_t *im, u8 detail)
ipsec_ah_backend_t * ah_backends
clib_error_t * ipsec_cli_init(vlib_main_t *vm)
8 octet key, 8 octet key value pair
#define vec_free(V)
Free vector's memory (no header).
static clib_error_t * clear_ipsec_sa_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ipsec_policy_action_t policy
u32 ah4_encrypt_next_index
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
#define pool_is_free_index(P, I)
Use free bitmap to query whether given index is free.
#define VLIB_CLI_COMMAND(x,...)
static void ipsec_spd_show_all(vlib_main_t *vm, ipsec_main_t *im)
vlib_combined_counter_main_t ipsec_sa_counters
SA packet & bytes counters.
void ipsec_set_async_mode(u32 is_enabled)
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
enum ip_dscp_t_ ip_dscp_t
static clib_error_t * show_ipsec_sa_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static clib_error_t * ipsec_tun_protect_cmd(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ip46_address_range_t raddr
static fib_protocol_t fib_ip_proto(bool is_ip6)
Convert from boolean is_ip6 to FIB protocol.
static u32 ipsec_tun_mk_remote_sa_id(u32 ti)
static clib_error_t * show_ipsec_tunnel_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static clib_error_t * ipsec_sa_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_set_interface_spd(vlib_main_t *vm, u32 sw_if_index, u32 spd_id, int is_add)
Bind/attach a SPD to an interface.
u32 esp4_decrypt_next_index
static int ipsec_tun_protect4_hash_show_one(clib_bihash_kv_8_16_t *kv, void *arg)
static clib_error_t * ipsec_tun_protect_hash_show(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_add_del_spd(vlib_main_t *vm, u32 spd_id, int is_add)
Add/Delete a SPD.
static clib_error_t * show_ipsec_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static vlib_node_t * vlib_get_node(vlib_main_t *vm, u32 i)
Get vlib node by index.
static walk_rc_t ipsec_tun_protect_show_one(index_t itpi, void *ctx)
ipsec_esp_backend_t * esp_backends
static clib_error_t * ipsec_spd_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
#define IPSEC_UDP_PORT_NONE
#define ip46_address_initializer
vl_api_interface_index_t sw_if_index
int ipsec_tun_protect_update(u32 sw_if_index, const ip_address_t *nh, u32 sa_out, u32 *sas_in)