2 * Copyright (c) 2022 Intel and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
17 #include <utils/debug.h>
18 #include <vlibapi/api.h>
19 #include <vlibmemory/api.h>
20 #include <vnet/ipsec/ipsec.h>
21 #include <vnet/vnet.h>
22 #include <collections/hashtable.h>
23 #include <threading/mutex.h>
24 #include <processing/jobs/callback_job.h>
25 #include <vpp-api/client/stat_client.h>
29 /* Include the (first) vlib-api API definition layer */
30 #include <vlibmemory/vl_memory_api_h.h>
31 /* Include the current layer (third) vpp API definition layer */
32 #include <vpp/api/vpe_types.api.h>
33 #include <vpp/api/vpe.api.h>
35 #include <vnet/ip-neighbor/ip_neighbor.api_enum.h>
36 #include <vnet/ip-neighbor/ip_neighbor.api_types.h>
37 #include <vnet/ipsec/ipsec.api_enum.h>
38 #include <vnet/ipsec/ipsec.api_types.h>
39 #include <vnet/interface.api_enum.h>
40 #include <vnet/interface.api_types.h>
44 #include "kernel_vpp_ipsec.h"
45 #include "kernel_vpp_shared.h"
50 #include <sys/socket.h>
51 #include <netinet/in.h>
52 #include <arpa/inet.h>
53 #include <sys/ioctl.h>
55 #include <net/route.h>
58 #include <sys/types.h>
59 #include <net/if_arp.h>
66 * Every 2 seconds, the thread responsible for collecting the available
67 * interfaces will be executed.
68 * Retrying 5 times every 1 second ensures that there is enough time to check
69 * if the interface will be available.
71 #define N_RETRY_GET_IF 5
76 * One and only instance of the daemon.
80 typedef struct private_kernel_vpp_ipsec_t private_kernel_vpp_ipsec_t;
83 * Private variables of kernel_vpp_ipsec class.
85 struct private_kernel_vpp_ipsec_t
91 kernel_vpp_ipsec_t public;
94 * Next security association database entry ID to allocate
96 refcount_t next_sad_id;
99 * Next security policy database entry ID to allocate
101 refcount_t next_spd_id;
104 * Mutex to lock access to installed policies
109 * Hash table of instaled SA, as kernel_ipsec_sa_id_t => sa_t
114 * Hash table of security policy databases, as nterface => spd_t
119 * Linked list of installed routes
121 linked_list_t *routes;
124 * Next SPI to allocate
129 * Mix value to distribute SPI allocation randomly
134 * Whether to install routes along policies
139 * Whether to install SAs with tunnel flag. Disabling this can be useful
140 * in some scenarios e.g. using SAs to "ipsec tunnel protect" for the
143 bool use_tunnel_mode_sa;
146 * Connections to VPP Stats
148 stat_client_main_t *sm;
152 * Security association entry
159 kernel_ipsec_sa_id_t *sa_id_p;
163 * Security policy database
169 /** Networking interface ID restricting policy */
170 uint32_t sw_if_index;
171 /** Policy count for this SPD */
172 refcount_t policy_num;
173 /** Name of the interface the SPD is bound to */
182 /** Name of the interface the route is bound to */
184 /** Gateway of route */
186 /** Destination network of route */
188 /** Prefix length of dst_net */
190 /** References for route */
195 ((1 == htonl (1)) ? \
197 ((uint64_t) htonl ((x) &0xFFFFFFFF) << 32) | htonl ((x) >> 32))
199 ((1 == ntohl (1)) ? \
201 ((uint64_t) ntohl ((x) &0xFFFFFFFF) << 32) | ntohl ((x) >> 32))
203 CALLBACK (route_equals, bool, route_entry_t *a, va_list args)
205 host_t *dst_net, *gateway;
209 VA_ARGS_VGET (args, if_name, gateway, dst_net, prefixlen);
211 return a->if_name && if_name && streq (a->if_name, if_name) &&
212 a->gateway->ip_equals (a->gateway, gateway) &&
213 a->dst_net->ip_equals (a->dst_net, dst_net) &&
214 a->prefixlen == *prefixlen;
218 * Clean up a route entry
221 route_destroy (route_entry_t *this)
223 this->dst_net->destroy (this->dst_net);
224 this->gateway->destroy (this->gateway);
225 free (this->if_name);
229 static uint32_t get_sw_if_index ();
232 set_arp (char *ipStr, char *if_name, bool add)
236 vl_api_ip_neighbor_add_del_t *mp = NULL;
237 vl_api_ip_neighbor_add_del_reply_t *rmp = NULL;
239 uint32_t sw_if_index = ~0;
246 char *file = "/proc/net/arp";
247 unsigned char mac[8] = {
252 if (if_name == NULL || ipStr == NULL)
254 DBG2 (DBG_KNL, "para is null\n");
258 DBG2 (DBG_KNL, "from kernel read mac\n");
260 mp = vl_msg_api_alloc (sizeof (*mp));
261 memset (mp, 0, sizeof (*mp));
262 sw_if_index = get_sw_if_index (if_name);
263 if (sw_if_index == ~0)
265 DBG1 (DBG_KNL, "sw_if_index for %s not found", if_name);
269 fp = fopen (file, "rb");
270 while (fp && ((nread = getline (&buffer, &len, fp)) != -1))
272 sscanf (buffer, "%s %*s %*s %s %*s %*s", &buf[0], &buf[1]);
273 inet_aton (&buf[0], &addr);
275 if (addr == *((u32 *) (ipStr)))
277 sscanf (buf[1], "%02x:%02x:%02x:%02x:%02x:%02x", &mac[0], &mac[1],
278 &mac[2], &mac[3], &mac[4], &mac[5]);
280 vl_msg_api_get_msg_index ((u8 *) "ip_neighbor_add_del_0607c257");
281 mp->_vl_msg_id = htons (msg_id);
283 memcpy (mp->neighbor.ip_address.un.ip4, (u8 *) &addr, sizeof (addr));
284 mp->neighbor.ip_address.af = 0;
285 memcpy (mp->neighbor.mac_address, mac, 6);
286 mp->neighbor.sw_if_index = htonl (sw_if_index);
287 mp->neighbor.flags = 1;
289 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
291 DBG1 (DBG_KNL, "vac %s neighbor entry",
292 add ? "adding" : "removing");
299 DBG1 (DBG_KNL, "%s neighbor add rv:%d", add ? "add" : "remove",
300 ntohl (rmp->retval));
306 vl_msg_api_free (mp);
321 vl_msg_api_free (mp);
331 add_Route (char *ipAddr, int len, char *mask, char *gateWay)
335 struct sockaddr_in _sin;
336 struct sockaddr_in *sin = &_sin;
341 fd = socket (AF_INET, SOCK_DGRAM, 0);
344 DBG2 (DBG_KNL, "addRoute: socket error\n");
348 memset (&rt, 0, sizeof (struct rtentry));
349 memset (sin, 0, sizeof (struct sockaddr_in));
350 sin->sin_family = AF_INET;
353 if (inet_aton (gateWay, &sin->sin_addr) < 0)
358 memcpy (&rt.rt_gateway, sin, sizeof (struct sockaddr_in));
360 ((struct sockaddr_in *) &rt.rt_dst)->sin_family = AF_INET;
361 memcpy (&((struct sockaddr_in *) &rt.rt_dst)->sin_addr, ipAddr, len);
363 ((struct sockaddr_in *) &rt.rt_genmask)->sin_family = AF_INET;
365 &((struct sockaddr_in *) &rt.rt_genmask)->sin_addr) < 0)
370 rt.rt_flags = RTF_GATEWAY;
371 if (ioctl (fd, SIOCADDRT, &rt) < 0)
383 set_address (u32 ipAddr, u32 sw_if_index, bool add)
387 vl_api_sw_interface_add_del_address_t *mp;
388 vl_api_sw_interface_add_del_address_reply_t *rmp;
394 mp = vl_msg_api_alloc (sizeof (*mp));
395 memset (mp, 0, sizeof (*mp));
398 vl_msg_api_get_msg_index ((u8 *) "sw_interface_add_del_address_5463d73b");
399 mp->_vl_msg_id = htons (msg_id);
401 memcpy (mp->prefix.address.un.ip4, (u8 *) &ipAddr, sizeof (ipAddr));
403 mp->sw_if_index = sw_if_index;
405 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
407 DBG2 (DBG_KNL, "vac %s neighbor entry", add ? "adding" : "removing");
413 DBG2 (DBG_KNL, "%s neighbor add rv:%d", add ? "add" : "remove",
414 ntohl (rmp->retval));
421 vl_msg_api_free (mp);
426 * (Un)-install a single route
429 manage_route (private_kernel_vpp_ipsec_t *this, bool add,
430 traffic_selector_t *dst_ts, host_t *src, host_t *dst)
432 host_t *dst_net = NULL, *gateway = NULL;
434 char *if_name = NULL;
435 route_entry_t *route;
436 bool route_exist = FALSE;
438 char *netmask = "255.255.255.0";
439 char *tap_gateway = "1.1.1.1";
441 if (dst->is_anyaddr (dst))
446 charon->kernel->get_nexthop (charon->kernel, dst, -1, NULL, &if_name);
447 dst_ts->to_subnet (dst_ts, &dst_net, &prefixlen);
450 if (src->is_anyaddr (src))
454 if (!charon->kernel->get_interface (charon->kernel, src, &if_name))
460 this->routes->find_first (this->routes, route_equals, (void **) &route,
461 if_name, gateway, dst_net, &prefixlen);
464 DBG2 (DBG_KNL, "installing route: %H/%d via %H dev %s", dst_net,
465 prefixlen, gateway, if_name);
468 unsigned int refs_num = ref_get (&route->refs);
469 DBG2 (DBG_KNL, "add route but it exist %d", refs_num);
473 INIT (route, .if_name = strdup (if_name),
474 .gateway = gateway->clone (gateway),
475 .dst_net = dst_net->clone (dst_net), .prefixlen = prefixlen,
477 this->routes->insert_last (this->routes, route);
478 charon->kernel->add_route (charon->kernel,
479 dst_net->get_address (dst_net), prefixlen,
480 gateway, dst, if_name, 1);
483 add_Route (dst_net->get_address (dst_net).ptr,
484 dst_net->get_address (dst_net).len, netmask, tap_gateway);
486 arp_rc = set_arp (gateway->get_address (gateway).ptr, if_name, TRUE);
488 DBG2 (DBG_KNL, "arpGet success!\n");
492 DBG2 (DBG_KNL, "uninstalling route: %H/%d via %H dev %s", dst_net,
493 prefixlen, gateway, if_name);
496 DBG2 (DBG_KNL, "del route but it not exist");
499 if (ref_put (&route->refs))
501 this->routes->remove (this->routes, route, NULL);
502 route_destroy (route);
503 charon->kernel->del_route (charon->kernel,
504 dst_net->get_address (dst_net), prefixlen,
505 gateway, dst, if_name, 1);
510 gateway->destroy (gateway);
512 dst_net->destroy (dst_net);
519 * Hash function for IPsec SA
522 sa_hash (kernel_ipsec_sa_id_t *sa)
524 return chunk_hash_inc (
525 sa->src->get_address (sa->src),
527 sa->dst->get_address (sa->dst),
528 chunk_hash_inc (chunk_from_thing (sa->spi),
529 chunk_hash (chunk_from_thing (sa->proto)))));
533 * Equality function for IPsec SA
536 sa_equals (kernel_ipsec_sa_id_t *sa, kernel_ipsec_sa_id_t *other_sa)
538 return sa->src->ip_equals (sa->src, other_sa->src) &&
539 sa->dst->ip_equals (sa->dst, other_sa->dst) &&
540 sa->spi == other_sa->spi && sa->proto == other_sa->proto;
544 * Equality function for policy SPD
547 policy_equals (vl_api_ipsec_spd_entry_t *policy,
548 vl_api_ipsec_spd_entry_t *other_policy)
551 /* change protocol due to legacy implementation of ANY protocol inside VPP */
552 if (other_policy->protocol == 255)
553 other_policy->protocol = 0;
555 /* return true if both policies are equal */
556 return !memcmp (policy, other_policy, sizeof (*policy));
560 * Hash function for interface
563 interface_hash (char *interface)
565 return chunk_hash (chunk_from_str (interface));
569 * Equality function for interface
572 interface_equals (char *interface1, char *interface2)
574 return streq (interface1, interface2);
578 * Map an integer x with a one-to-one function using quadratic residues
581 permute (u_int x, u_int p)
586 qr = ((uint64_t) x * x) % p;
595 * Initialize seeds for SPI generation
598 init_spi (private_kernel_vpp_ipsec_t *this)
603 rng = lib->crypto->create_rng (lib->crypto, RNG_STRONG);
609 rng->get_bytes (rng, sizeof (this->nextspi), (uint8_t *) &this->nextspi);
613 rng->get_bytes (rng, sizeof (this->mixspi), (uint8_t *) &this->mixspi);
620 * Calculate policy priority
623 calculate_priority (policy_priority_t policy_priority, traffic_selector_t *src,
624 traffic_selector_t *dst)
626 uint32_t priority = PRIO_BASE;
631 switch (policy_priority)
633 case POLICY_PRIORITY_FALLBACK:
636 case POLICY_PRIORITY_ROUTED:
639 case POLICY_PRIORITY_DEFAULT:
642 case POLICY_PRIORITY_PASS:
645 /* calculate priority based on selector size, small size = high prio */
646 src->to_subnet (src, &net, &mask);
648 proto = src->get_protocol (src);
649 port = net->get_port (net);
652 dst->to_subnet (dst, &net, &mask);
654 proto = max (proto, dst->get_protocol (dst));
655 port = max (port, net->get_port (net));
658 priority <<= 2; /* make some room for the two flags */
659 priority += port ? 0 : 2;
660 priority += proto ? 0 : 1;
665 * Get sw_if_index from interface name
668 get_sw_if_index (char *interface)
671 int out_len, name_filter_len = 0, msg_len = 0;
672 vl_api_sw_interface_dump_t *mp;
673 vl_api_sw_interface_details_t *rmp;
674 uint32_t sw_if_index = ~0;
676 name_filter_len = strlen (interface);
677 msg_len = sizeof (*mp) + name_filter_len;
678 mp = vl_msg_api_alloc (msg_len);
679 clib_memset (mp, 0, msg_len);
680 u16 msg_id = vl_msg_api_get_msg_index ((u8 *) "sw_interface_dump_aa610c27");
681 mp->_vl_msg_id = htons (msg_id);
682 mp->name_filter_valid = TRUE;
683 mp->name_filter.length = htonl (name_filter_len);
684 memcpy ((char *) mp->name_filter.buf, interface, name_filter_len);
686 if (vac->send (vac, (char *) mp, msg_len, &out, &out_len))
694 rmp = (vl_api_sw_interface_details_t *) out;
695 sw_if_index = ntohl (rmp->sw_if_index);
699 vl_msg_api_free (mp);
703 * (Un)-install a security policy database
706 spd_add_del (bool add, uint32_t spd_id)
710 vl_api_ipsec_spd_add_del_t *mp;
711 vl_api_ipsec_spd_add_del_reply_t *rmp;
712 status_t rv = FAILED;
714 mp = vl_msg_api_alloc (sizeof (*mp));
715 memset (mp, 0, sizeof (*mp));
717 u16 msg_id = vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_add_del_20e89a95");
718 mp->_vl_msg_id = htons (msg_id);
720 mp->spd_id = htonl (spd_id);
721 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
723 DBG1 (DBG_KNL, "vac %s SPD failed", add ? "adding" : "removing");
729 DBG1 (DBG_KNL, "%s SPD failed rv:%d", add ? "add" : "remove",
730 ntohl (rmp->retval));
737 vl_msg_api_free (mp);
742 * Enable or disable SPD on an insterface
745 interface_add_del_spd (bool add, uint32_t spd_id, uint32_t sw_if_index)
749 vl_api_ipsec_interface_add_del_spd_t *mp;
750 vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
751 status_t rv = FAILED;
753 mp = vl_msg_api_alloc (sizeof (*mp));
754 memset (mp, 0, sizeof (*mp));
756 vl_msg_api_get_msg_index ((u8 *) "ipsec_interface_add_del_spd_80f80cbb");
757 mp->_vl_msg_id = htons (msg_id);
759 mp->spd_id = htonl (spd_id);
760 mp->sw_if_index = htonl (sw_if_index);
761 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
763 DBG1 (DBG_KNL, "vac %s interface SPD failed",
764 add ? "adding" : "removing");
770 DBG1 (DBG_KNL, "%s interface SPD failed rv:%d", add ? "add" : "remove",
771 ntohl (rmp->retval));
778 vl_msg_api_free (mp);
783 bypass_all (bool add, uint32_t spd_id, uint32_t sa_id)
785 vl_api_ipsec_spd_entry_add_del_t *mp;
786 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
789 status_t rv = FAILED;
791 DBG2 (DBG_KNL, "bypass_all [%s] spd_id %d sa_id %d", add ? "ADD" : "DEL",
794 mp = vl_msg_api_alloc (sizeof (*mp));
795 memset (mp, 0, sizeof (*mp));
798 vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
799 mp->_vl_msg_id = ntohs (msg_id);
801 mp->entry.sa_id = ntohl (sa_id);
802 mp->entry.spd_id = ntohl (spd_id);
803 mp->entry.priority = ntohl (INT_MAX - POLICY_PRIORITY_PASS - 1);
804 mp->entry.is_outbound = 0;
805 mp->entry.policy = ntohl (IPSEC_API_SPD_ACTION_BYPASS);
806 memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
807 memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
808 mp->entry.remote_port_start = mp->entry.local_port_start = ntohs (0);
809 mp->entry.remote_port_stop = mp->entry.local_port_stop = ntohs (0xFFFF);
810 mp->entry.protocol = IP_API_PROTO_ESP;
811 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
813 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
819 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
820 ntohl (rmp->retval));
823 /* address "out" needs to be freed after vec->send */
829 mp->entry.is_outbound = 1;
830 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
832 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
838 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
839 ntohl (rmp->retval));
842 /* address "out" needs to be freed after vec->send */
848 mp->entry.is_outbound = 0;
849 mp->entry.protocol = IP_API_PROTO_AH;
850 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
852 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
858 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
859 ntohl (rmp->retval));
862 /* address "out" needs to be freed after vec->send */
868 mp->entry.is_outbound = 1;
869 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
871 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
877 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
878 ntohl (rmp->retval));
887 vl_msg_api_free (mp);
893 bypass_port (bool add, uint32_t spd_id, uint32_t sa_id, uint16_t port)
895 vl_api_ipsec_spd_entry_add_del_t *mp;
896 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
899 status_t rv = FAILED;
901 mp = vl_msg_api_alloc (sizeof (*mp));
902 memset (mp, 0, sizeof (*mp));
905 vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
906 mp->_vl_msg_id = ntohs (msg_id);
908 mp->entry.sa_id = ntohl (sa_id);
909 mp->entry.spd_id = ntohl (spd_id);
910 mp->entry.priority = ntohl (INT_MAX - POLICY_PRIORITY_PASS - 1);
911 mp->entry.policy = ntohl (IPSEC_API_SPD_ACTION_BYPASS);
912 memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
913 memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
914 mp->entry.is_outbound = 0;
915 mp->entry.remote_port_start = mp->entry.local_port_start = ntohs (0);
916 mp->entry.remote_port_stop = mp->entry.local_port_stop = ntohs (0xFFFF);
917 mp->entry.protocol = IP_API_PROTO_HOPOPT;
919 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
921 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
927 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
928 ntohl (rmp->retval));
931 /* address "out" needs to be freed after vec->send */
937 mp->entry.is_outbound = 1;
938 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
940 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
946 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
947 ntohl (rmp->retval));
955 vl_msg_api_free (mp);
961 * Add or remove a bypass policy
964 manage_bypass (bool add, uint32_t spd_id, uint32_t sa_id)
969 bypass_all (add, spd_id, sa_id);
972 lib->settings->get_int (lib->settings, "%s.port", IKEV2_UDP_PORT, lib->ns);
976 rv = bypass_port (add, spd_id, sa_id, port);
983 port = lib->settings->get_int (lib->settings, "%s.port_nat_t",
984 IKEV2_NATT_PORT, lib->ns);
987 rv = bypass_port (add, spd_id, sa_id, port);
998 * Add or remove a policy
1001 manage_policy (private_kernel_vpp_ipsec_t *this, bool add,
1002 kernel_ipsec_policy_id_t *id,
1003 kernel_ipsec_manage_policy_t *data)
1006 char *out = NULL, *interface = NULL;
1008 uint32_t sw_if_index, spd_id = ~0, sad_id = ~0;
1009 status_t rv = FAILED;
1010 uint32_t priority, auto_priority;
1011 chunk_t src_from, src_to, dst_from, dst_to;
1012 host_t *src = NULL, *dst = NULL, *addr = NULL;
1013 vl_api_ipsec_spd_entry_add_del_t *mp = NULL;
1014 vl_api_ipsec_spd_entry_add_del_reply_t *rmp = NULL;
1016 vl_api_ipsec_spd_dump_t *mp_dump = NULL;
1017 vl_api_ipsec_spd_details_t *rmp_dump = NULL, *tmp = NULL;
1019 mp = vl_msg_api_alloc (sizeof (*mp));
1020 memset (mp, 0, sizeof (*mp));
1022 this->mutex->lock (this->mutex);
1023 if (id->dir == POLICY_FWD)
1025 DBG1 (DBG_KNL, "policy FWD interface");
1029 addr = id->dir == POLICY_IN ? data->dst : data->src;
1030 for (int i = 0; i < N_RETRY_GET_IF; i++)
1032 if (!charon->kernel->get_interface (charon->kernel, addr, &interface))
1034 DBG1 (DBG_KNL, "policy no interface %H", addr);
1042 DBG1 (DBG_KNL, "policy have interface %H", addr);
1049 DBG2 (DBG_KNL, "manage policy [%s] interface [%s]", add ? "ADD" : "DEL",
1052 spd = this->spds->get (this->spds, interface);
1057 DBG1 (DBG_KNL, "SPD for %s not found, should not be deleted",
1061 sw_if_index = get_sw_if_index (interface);
1062 DBG1 (DBG_KNL, "firstly created, spd for %s found sw_if_index is %d",
1063 interface, sw_if_index);
1064 if (sw_if_index == ~0)
1066 DBG1 (DBG_KNL, "sw_if_index for %s not found", interface);
1069 spd_id = ref_get (&this->next_spd_id);
1070 if (spd_add_del (TRUE, spd_id))
1072 DBG1 (DBG_KNL, "spd_add_del %d failed!!!!!", spd_id);
1075 if (interface_add_del_spd (TRUE, spd_id, sw_if_index))
1077 DBG1 (DBG_KNL, "interface_add_del_spd %d %d failed!!!!!", spd_id,
1081 INIT (spd, .spd_id = spd_id, .sw_if_index = sw_if_index, .policy_num = 0,
1082 .if_name = strdup (interface), );
1083 this->spds->put (this->spds, spd->if_name, spd);
1087 auto_priority = calculate_priority (data->prio, id->src_ts, id->dst_ts);
1088 priority = data->manual_prio ? data->manual_prio : auto_priority;
1091 vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
1092 mp->_vl_msg_id = htons (msg_id);
1094 mp->entry.spd_id = htonl (spd->spd_id);
1095 mp->entry.priority = htonl (INT_MAX - POLICY_PRIORITY_PASS);
1096 mp->entry.is_outbound = id->dir == POLICY_OUT;
1100 mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_PROTECT);
1103 mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_BYPASS);
1106 mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_DISCARD);
1109 if ((data->type == POLICY_IPSEC) && data->sa)
1111 kernel_ipsec_sa_id_t id = {
1114 .proto = data->sa->esp.use ? IPPROTO_ESP : IPPROTO_AH,
1115 .spi = data->sa->esp.use ? data->sa->esp.spi : data->sa->ah.spi,
1118 sa = this->sas->get (this->sas, &id);
1121 DBG1 (DBG_KNL, "SA ID not found");
1127 if (manage_bypass (TRUE, spd_id, ~0))
1129 DBG1 (DBG_KNL, "manage_bypass %d failed!!!!", spd_id);
1135 mp->entry.sa_id = htonl (sad_id);
1137 bool is_ipv6 = false;
1138 if (id->src_ts->get_type (id->src_ts) == TS_IPV6_ADDR_RANGE)
1141 mp->entry.local_address_start.af = htonl (ADDRESS_IP6);
1142 mp->entry.local_address_stop.af = htonl (ADDRESS_IP6);
1143 mp->entry.remote_address_start.af = htonl (ADDRESS_IP6);
1144 mp->entry.remote_address_stop.af = htonl (ADDRESS_IP6);
1148 mp->entry.local_address_start.af = htonl (ADDRESS_IP4);
1149 mp->entry.local_address_stop.af = htonl (ADDRESS_IP4);
1150 mp->entry.remote_address_start.af = htonl (ADDRESS_IP4);
1151 mp->entry.remote_address_stop.af = htonl (ADDRESS_IP4);
1153 mp->entry.protocol = id->src_ts->get_protocol (id->src_ts);
1155 if (id->dir == POLICY_OUT)
1157 src_from = id->src_ts->get_from_address (id->src_ts);
1158 src_to = id->src_ts->get_to_address (id->src_ts);
1159 src = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, src_to, 0);
1160 dst_from = id->dst_ts->get_from_address (id->dst_ts);
1161 dst_to = id->dst_ts->get_to_address (id->dst_ts);
1162 dst = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, dst_to, 0);
1166 dst_from = id->src_ts->get_from_address (id->src_ts);
1167 dst_to = id->src_ts->get_to_address (id->src_ts);
1168 dst = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, dst_from, 0);
1169 src_from = id->dst_ts->get_from_address (id->dst_ts);
1170 src_to = id->dst_ts->get_to_address (id->dst_ts);
1171 src = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, src_from, 0);
1174 if (src->is_anyaddr (src) && dst->is_anyaddr (dst))
1176 memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
1177 memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
1181 memcpy (is_ipv6 ? mp->entry.local_address_start.un.ip6 :
1182 mp->entry.local_address_start.un.ip4,
1183 src_from.ptr, src_from.len);
1184 memcpy (is_ipv6 ? mp->entry.local_address_stop.un.ip6 :
1185 mp->entry.local_address_stop.un.ip4,
1186 src_to.ptr, src_to.len);
1187 memcpy (is_ipv6 ? mp->entry.remote_address_start.un.ip6 :
1188 mp->entry.remote_address_start.un.ip4,
1189 dst_from.ptr, dst_from.len);
1190 memcpy (is_ipv6 ? mp->entry.remote_address_stop.un.ip6 :
1191 mp->entry.remote_address_stop.un.ip4,
1192 dst_to.ptr, dst_to.len);
1194 mp->entry.local_port_start = htons (id->src_ts->get_from_port (id->src_ts));
1195 mp->entry.local_port_stop = htons (id->src_ts->get_to_port (id->src_ts));
1196 mp->entry.remote_port_start = htons (id->dst_ts->get_from_port (id->dst_ts));
1197 mp->entry.remote_port_stop = htons (id->dst_ts->get_to_port (id->dst_ts));
1199 /* check if policy exists in SPD */
1200 mp_dump = vl_msg_api_alloc (sizeof (*mp_dump));
1201 memset (mp_dump, 0, sizeof (*mp_dump));
1203 msg_id = vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_dump_afefbf7d");
1204 mp_dump->_vl_msg_id = htons (msg_id);
1205 mp_dump->spd_id = htonl (spd->spd_id);
1206 mp_dump->sa_id = htonl (sad_id);
1208 if (vac->send_dump (vac, (char *) mp_dump, sizeof (*mp_dump), &out,
1211 DBG1 (DBG_KNL, "vac %s SPD lookup failed", add ? "adding" : "removing");
1215 int num = out_len / sizeof (*rmp_dump);
1218 /* found existing policy */
1222 for (i = 0; i < num; i++)
1226 /* check if found entry equals the new one */
1227 if (policy_equals (&mp->entry, &rmp_dump->entry))
1231 else if (!add && num == 0)
1233 /* VPP doesn't have any policy to delete */
1239 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1241 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
1247 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
1248 ntohl (rmp->retval));
1255 ref_get (&spd->policy_num);
1259 if (ref_put (&spd->policy_num))
1263 "policy_num's ref is 0, delete spd_id %d sw_if_index %d sad_id %x",
1264 spd->spd_id, spd->sw_if_index, sad_id);
1265 interface_add_del_spd (FALSE, spd->spd_id, spd->sw_if_index);
1266 manage_bypass (FALSE, spd->spd_id, sad_id);
1267 spd_add_del (FALSE, spd->spd_id);
1268 this->spds->remove (this->spds, interface);
1271 free (spd->if_name);
1272 spd->if_name = NULL;
1282 if (this->install_routes && id->dir == POLICY_OUT && !mp->entry.protocol)
1284 if (data->type == POLICY_IPSEC && data->sa->mode != MODE_TRANSPORT)
1286 manage_route (this, add, id->dst_ts, data->src, data->dst);
1293 if (mp_dump != NULL)
1294 vl_msg_api_free (mp_dump);
1296 vl_msg_api_free (mp);
1301 if (interface != NULL)
1303 this->mutex->unlock (this->mutex);
1307 METHOD (kernel_ipsec_t, get_features, kernel_feature_t,
1308 private_kernel_vpp_ipsec_t *this)
1310 return KERNEL_ESP_V3_TFC;
1313 METHOD (kernel_ipsec_t, get_spi, status_t, private_kernel_vpp_ipsec_t *this,
1314 host_t *src, host_t *dst, uint8_t protocol, uint32_t *spi)
1316 static const u_int p = 268435399, offset = 0xc0000000;
1318 *spi = htonl (offset + permute (ref_get (&this->nextspi) ^ this->mixspi, p));
1322 METHOD (kernel_ipsec_t, get_cpi, status_t, private_kernel_vpp_ipsec_t *this,
1323 host_t *src, host_t *dst, uint16_t *cpi)
1325 DBG1 (DBG_KNL, "get_cpi is not supported!!!!!!!!!!!!!!!!!!!!!!!!");
1326 return NOT_SUPPORTED;
1330 * Helper struct for expiration events
1335 private_kernel_vpp_ipsec_t *manager;
1337 kernel_ipsec_sa_id_t *sa_id;
1340 * 0 if this is a hard expire, otherwise the offset in s (soft->hard)
1342 uint32_t hard_offset;
1347 * Clean up expire data
1350 expire_data_destroy (vpp_sa_expired_t *data)
1356 * Callback for expiration events
1358 static job_requeue_t
1359 sa_expired (vpp_sa_expired_t *expired)
1361 private_kernel_vpp_ipsec_t *this = expired->manager;
1363 kernel_ipsec_sa_id_t *id = expired->sa_id;
1365 this->mutex->lock (this->mutex);
1366 sa = this->sas->get (this->sas, id);
1370 charon->kernel->expire (charon->kernel, id->proto, id->spi, id->dst,
1375 id->src->destroy (id->src);
1377 id->dst->destroy (id->dst);
1379 this->mutex->unlock (this->mutex);
1380 return JOB_REQUEUE_NONE;
1384 * Schedule a job to handle IPsec SA expiration
1387 schedule_expiration (private_kernel_vpp_ipsec_t *this,
1388 kernel_ipsec_add_sa_t *entry,
1389 kernel_ipsec_sa_id_t *entry2)
1391 lifetime_cfg_t *lifetime = entry->lifetime;
1392 vpp_sa_expired_t *expired;
1393 callback_job_t *job;
1395 kernel_ipsec_sa_id_t *id;
1397 if (!lifetime->time.life)
1398 { /* no expiration at all */
1402 INIT (id, .src = entry2->src->clone (entry2->src),
1403 .dst = entry2->dst->clone (entry2->dst), .spi = entry2->spi,
1404 .proto = entry2->proto, );
1406 INIT (expired, .manager = this, .sa_id = id, );
1408 /* schedule a rekey first, a hard timeout will be scheduled then, if any */
1409 expired->hard_offset = lifetime->time.life - lifetime->time.rekey;
1410 timeout = lifetime->time.rekey;
1412 if (lifetime->time.life <= lifetime->time.rekey || lifetime->time.rekey == 0)
1413 { /* no rekey, schedule hard timeout */
1414 expired->hard_offset = 0;
1415 timeout = lifetime->time.life;
1419 callback_job_create ((callback_job_cb_t) sa_expired, expired,
1420 (callback_job_cleanup_t) expire_data_destroy, NULL);
1421 lib->scheduler->schedule_job (lib->scheduler, (job_t *) job, timeout);
1424 METHOD (kernel_ipsec_t, add_sa, status_t, private_kernel_vpp_ipsec_t *this,
1425 kernel_ipsec_sa_id_t *id, kernel_ipsec_add_sa_t *data)
1429 vl_api_ipsec_sad_entry_add_del_t *mp;
1430 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
1431 uint32_t sad_id = ref_get (&this->next_sad_id);
1432 uint8_t ca = 0, ia = 0;
1433 status_t rv = FAILED;
1435 kernel_ipsec_sa_id_t *sa_id;
1437 int key_len = data->enc_key.len;
1439 if ((data->enc_alg == ENCR_AES_CTR) ||
1440 (data->enc_alg == ENCR_AES_GCM_ICV8) ||
1441 (data->enc_alg == ENCR_AES_GCM_ICV12) ||
1442 (data->enc_alg == ENCR_AES_GCM_ICV16))
1444 static const int SALT_SIZE =
1445 4; /* See how enc_size is calculated at keymat_v2.derive_child_keys */
1446 key_len = key_len - SALT_SIZE;
1448 natt_port = lib->settings->get_int (
1449 lib->settings, "%s.plugins.socket-default.natt", IKEV2_NATT_PORT, lib->ns);
1450 mp = vl_msg_api_alloc (sizeof (*mp));
1451 memset (mp, 0, sizeof (*mp));
1453 vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
1454 mp->_vl_msg_id = htons (msg_id);
1456 mp->entry.sad_id = htonl (sad_id);
1457 mp->entry.spi = id->spi;
1458 mp->entry.protocol = id->proto == IPPROTO_ESP ? htonl (IPSEC_API_PROTO_ESP) :
1459 htonl (IPSEC_API_PROTO_AH);
1461 switch (data->enc_alg)
1464 ca = IPSEC_API_CRYPTO_ALG_NONE;
1467 switch (key_len * 8)
1470 ca = IPSEC_API_CRYPTO_ALG_AES_CBC_128;
1473 ca = IPSEC_API_CRYPTO_ALG_AES_CBC_192;
1476 ca = IPSEC_API_CRYPTO_ALG_AES_CBC_256;
1479 DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
1485 switch (key_len * 8)
1488 ca = IPSEC_API_CRYPTO_ALG_AES_CTR_128;
1491 ca = IPSEC_API_CRYPTO_ALG_AES_CTR_192;
1494 ca = IPSEC_API_CRYPTO_ALG_AES_CTR_256;
1497 DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
1502 case ENCR_AES_GCM_ICV8:
1503 case ENCR_AES_GCM_ICV12:
1504 case ENCR_AES_GCM_ICV16:
1505 switch (key_len * 8)
1508 ca = IPSEC_API_CRYPTO_ALG_AES_GCM_128;
1511 ca = IPSEC_API_CRYPTO_ALG_AES_GCM_192;
1514 ca = IPSEC_API_CRYPTO_ALG_AES_GCM_256;
1517 DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
1523 ca = IPSEC_API_CRYPTO_ALG_DES_CBC;
1526 ca = IPSEC_API_CRYPTO_ALG_3DES_CBC;
1529 DBG1 (DBG_KNL, "algorithm %N not supported by VPP!",
1530 encryption_algorithm_names, data->enc_alg);
1533 mp->entry.crypto_algorithm = htonl (ca);
1534 mp->entry.crypto_key.length = key_len < 128 ? key_len : 128;
1535 memcpy (mp->entry.crypto_key.data, data->enc_key.ptr,
1536 mp->entry.crypto_key.length);
1538 /* copy salt for AEAD algorithms */
1539 if ((data->enc_alg == ENCR_AES_CTR) ||
1540 (data->enc_alg == ENCR_AES_GCM_ICV8) ||
1541 (data->enc_alg == ENCR_AES_GCM_ICV12) ||
1542 (data->enc_alg == ENCR_AES_GCM_ICV16))
1544 memcpy (&mp->entry.salt, data->enc_key.ptr + mp->entry.crypto_key.length,
1548 switch (data->int_alg)
1550 case AUTH_UNDEFINED:
1551 ia = IPSEC_API_INTEG_ALG_NONE;
1553 case AUTH_HMAC_MD5_96:
1554 ia = IPSEC_API_INTEG_ALG_MD5_96;
1556 case AUTH_HMAC_SHA1_96:
1557 ia = IPSEC_API_INTEG_ALG_SHA1_96;
1559 case AUTH_HMAC_SHA2_256_96:
1560 ia = IPSEC_API_INTEG_ALG_SHA_256_96;
1562 case AUTH_HMAC_SHA2_256_128:
1563 ia = IPSEC_API_INTEG_ALG_SHA_256_128;
1565 case AUTH_HMAC_SHA2_384_192:
1566 ia = IPSEC_API_INTEG_ALG_SHA_384_192;
1568 case AUTH_HMAC_SHA2_512_256:
1569 ia = IPSEC_API_INTEG_ALG_SHA_512_256;
1572 DBG1 (DBG_KNL, "algorithm %N not supported by VPP!",
1573 integrity_algorithm_names, data->int_alg);
1577 mp->entry.integrity_algorithm = htonl (ia);
1578 mp->entry.integrity_key.length =
1579 data->int_key.len < 128 ? data->int_key.len : 128;
1580 memcpy (mp->entry.integrity_key.data, data->int_key.ptr,
1581 mp->entry.integrity_key.length);
1583 int flags = IPSEC_API_SAD_FLAG_NONE;
1585 flags |= IPSEC_API_SAD_FLAG_IS_INBOUND;
1586 /* like the kernel-netlink plugin, anti-replay can be disabled with zero
1587 * replay_window, but window size cannot be customized for vpp */
1588 if (data->replay_window)
1589 flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
1591 flags |= IPSEC_API_SAD_FLAG_USE_ESN;
1592 if (this->use_tunnel_mode_sa && data->mode == MODE_TUNNEL)
1594 if (id->src->get_family (id->src) == AF_INET6)
1595 flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
1597 flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL;
1601 DBG1 (DBG_KNL, "UDP encap!!!!!!!!!!!!!!!!!!!!");
1602 flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
1604 mp->entry.flags = htonl (flags);
1606 bool is_ipv6 = false;
1607 if (id->src->get_family (id->src) == AF_INET6)
1610 mp->entry.tunnel_src.af = htonl (ADDRESS_IP6);
1611 mp->entry.tunnel_dst.af = htonl (ADDRESS_IP6);
1615 mp->entry.tunnel_src.af = htonl (ADDRESS_IP4);
1616 mp->entry.tunnel_dst.af = htonl (ADDRESS_IP4);
1618 src = id->src->get_address (id->src);
1619 memcpy (is_ipv6 ? mp->entry.tunnel_src.un.ip6 : mp->entry.tunnel_src.un.ip4,
1621 dst = id->dst->get_address (id->dst);
1622 memcpy (is_ipv6 ? mp->entry.tunnel_dst.un.ip6 : mp->entry.tunnel_dst.un.ip4,
1624 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1626 DBG1 (DBG_KNL, "vac adding SA failed");
1632 DBG1 (DBG_KNL, "add SA failed rv:%d", ntohl (rmp->retval));
1636 this->mutex->lock (this->mutex);
1637 INIT (sa_id, .src = id->src->clone (id->src),
1638 .dst = id->dst->clone (id->dst), .spi = id->spi, .proto = id->proto, );
1639 INIT (sa, .sa_id = sad_id, .stat_index = ntohl (rmp->stat_index),
1640 .sa_id_p = sa_id, );
1641 DBG4 (DBG_KNL, "put sa by its sa_id %x !!!!!!", sad_id);
1642 this->sas->put (this->sas, sa_id, sa);
1643 schedule_expiration (this, data, id);
1644 this->mutex->unlock (this->mutex);
1649 vl_msg_api_free (mp);
1653 METHOD (kernel_ipsec_t, update_sa, status_t, private_kernel_vpp_ipsec_t *this,
1654 kernel_ipsec_sa_id_t *id, kernel_ipsec_update_sa_t *data)
1657 "update sa not supported!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
1658 return NOT_SUPPORTED;
1661 METHOD (kernel_ipsec_t, query_sa, status_t, private_kernel_vpp_ipsec_t *this,
1662 kernel_ipsec_sa_id_t *id, kernel_ipsec_query_sa_t *data,
1663 uint64_t *bytes, uint64_t *packets, time_t *time)
1665 status_t rv = FAILED;
1669 stat_segment_data_t *res = NULL;
1671 uint64_t res_bytes = 0;
1672 uint64_t res_packets = 0;
1674 this->mutex->lock (this->mutex);
1675 sa = this->sas->get (this->sas, id);
1678 this->mutex->unlock (this->mutex);
1679 DBG1 (DBG_KNL, "SA not found");
1683 if (this->sm == NULL)
1685 stat_client_main_t *sm = NULL;
1686 sm = stat_client_get ();
1690 DBG1 (DBG_KNL, "Not connecting with stats segmentation");
1691 this->mutex->unlock (this->mutex);
1695 int rv_stat = stat_segment_connect_r ("/run/vpp/stats.sock", this->sm);
1698 stat_client_free (this->sm);
1700 DBG1 (DBG_KNL, "Not connecting with stats segmentation");
1701 this->mutex->unlock (this->mutex);
1706 vec_add1 (pattern, (u8 *) "/net/ipsec/sa");
1707 dir = stat_segment_ls_r ((u8 **) pattern, this->sm);
1708 res = stat_segment_dump_r (dir, this->sm);
1709 /* i-loop for each results find by pattern - here two:
1711 * 2. /net/ipsec/sa/lost
1713 for (i = 0; i < vec_len (res); i++)
1715 switch (res[i].type)
1717 /* type for how many packets are lost */
1718 case STAT_DIR_TYPE_COUNTER_VECTOR_SIMPLE:
1719 if (res[i].simple_counter_vec == 0)
1722 /* type for counter for each SA */
1723 case STAT_DIR_TYPE_COUNTER_VECTOR_COMBINED:
1724 if (res[i].combined_counter_vec == 0)
1726 /* k-loop for each threads - that you run VPP */
1727 for (k = 0; k < vec_len (res[i].combined_counter_vec); k++)
1729 if (sa->stat_index <= vec_len (res[i].combined_counter_vec[k]))
1731 DBG4 (DBG_KNL, "Thread: %d, Packets: %lu, Bytes: %lu", k,
1732 res[i].combined_counter_vec[k][sa->stat_index].packets,
1733 res[i].combined_counter_vec[k][sa->stat_index].bytes);
1735 res[i].combined_counter_vec[k][sa->stat_index].bytes;
1737 res[i].combined_counter_vec[k][sa->stat_index].packets;
1741 case STAT_DIR_TYPE_NAME_VECTOR:
1742 if (res[i].name_vector == 0)
1750 stat_segment_data_free (res);
1758 *packets = res_packets;
1765 this->mutex->unlock (this->mutex);
1770 METHOD (kernel_ipsec_t, del_sa, status_t, private_kernel_vpp_ipsec_t *this,
1771 kernel_ipsec_sa_id_t *id, kernel_ipsec_del_sa_t *data)
1775 vl_api_ipsec_sad_entry_add_del_t *mp = NULL;
1776 vl_api_ipsec_sad_entry_add_del_reply_t *rmp = NULL;
1777 status_t rv = FAILED;
1780 this->mutex->lock (this->mutex);
1781 sa = this->sas->get (this->sas, id);
1784 DBG1 (DBG_KNL, "SA not found");
1788 mp = vl_msg_api_alloc (sizeof (*mp));
1789 memset (mp, 0, sizeof (*mp));
1792 vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
1793 mp->_vl_msg_id = htons (msg_id);
1794 mp->entry.sad_id = htonl (sa->sa_id);
1796 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1798 DBG1 (DBG_KNL, "vac removing SA failed");
1804 DBG1 (DBG_KNL, "del SA failed rv:%d", ntohl (rmp->retval));
1808 void *temp = this->sas->remove (this->sas, id);
1811 if (sa->sa_id_p->src)
1812 sa->sa_id_p->src->destroy (sa->sa_id_p->src);
1813 if (sa->sa_id_p->dst)
1814 sa->sa_id_p->dst->destroy (sa->sa_id_p->dst);
1821 vl_msg_api_free (mp);
1822 this->mutex->unlock (this->mutex);
1826 METHOD (kernel_ipsec_t, flush_sas, status_t, private_kernel_vpp_ipsec_t *this)
1828 enumerator_t *enumerator;
1831 vl_api_ipsec_sad_entry_add_del_t *mp = NULL;
1832 vl_api_ipsec_sad_entry_add_del_reply_t *rmp = NULL;
1834 status_t rv = FAILED;
1836 this->mutex->lock (this->mutex);
1837 enumerator = this->sas->create_enumerator (this->sas);
1838 while (enumerator->enumerate (enumerator, &sa))
1840 mp = vl_msg_api_alloc (sizeof (*mp));
1841 memset (mp, 0, sizeof (*mp));
1843 vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
1844 mp->_vl_msg_id = htons (msg_id);
1845 mp->entry.sad_id = htonl (sa->sa_id);
1847 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1849 DBG1 (DBG_KNL, "flush_sas failed!!!!");
1855 DBG1 (DBG_KNL, "flush_sas failed!!!! rv: %d", ntohl (rmp->retval));
1860 if (sa->sa_id_p->src)
1861 sa->sa_id_p->src->destroy (sa->sa_id_p->src);
1862 if (sa->sa_id_p->dst)
1863 sa->sa_id_p->dst->destroy (sa->sa_id_p->dst);
1866 vl_msg_api_free (mp);
1867 this->sas->remove_at (this->sas, enumerator);
1876 vl_msg_api_free (mp);
1878 enumerator->destroy (enumerator);
1879 this->mutex->unlock (this->mutex);
1884 METHOD (kernel_ipsec_t, add_policy, status_t, private_kernel_vpp_ipsec_t *this,
1885 kernel_ipsec_policy_id_t *id, kernel_ipsec_manage_policy_t *data)
1887 return manage_policy (this, TRUE, id, data);
1890 METHOD (kernel_ipsec_t, query_policy, status_t,
1891 private_kernel_vpp_ipsec_t *this, kernel_ipsec_policy_id_t *id,
1892 kernel_ipsec_query_policy_t *data, time_t *use_time)
1894 return NOT_SUPPORTED;
1897 METHOD (kernel_ipsec_t, del_policy, status_t, private_kernel_vpp_ipsec_t *this,
1898 kernel_ipsec_policy_id_t *id, kernel_ipsec_manage_policy_t *data)
1900 return manage_policy (this, FALSE, id, data);
1903 METHOD (kernel_ipsec_t, flush_policies, status_t,
1904 private_kernel_vpp_ipsec_t *this)
1906 return NOT_SUPPORTED;
1909 METHOD (kernel_ipsec_t, bypass_socket, bool, private_kernel_vpp_ipsec_t *this,
1915 METHOD (kernel_ipsec_t, enable_udp_decap, bool,
1916 private_kernel_vpp_ipsec_t *this, int fd, int family, u_int16_t port)
1918 DBG1 (DBG_KNL, "enable_udp_decap not supported!!!!!!!!!!!!!!!!!!!!!!!!!");
1922 METHOD (kernel_ipsec_t, destroy, void, private_kernel_vpp_ipsec_t *this)
1924 this->mutex->destroy (this->mutex);
1925 this->sas->destroy (this->sas);
1926 this->spds->destroy (this->spds);
1927 this->routes->destroy (this->routes);
1930 stat_segment_disconnect_r (this->sm);
1931 stat_client_free (this->sm);
1937 kernel_vpp_ipsec_t *
1938 kernel_vpp_ipsec_create ()
1940 private_kernel_vpp_ipsec_t *this;
1945 .get_features = _get_features,
1946 .get_spi = _get_spi,
1947 .get_cpi = _get_cpi,
1949 .update_sa = _update_sa,
1950 .query_sa = _query_sa,
1952 .flush_sas = _flush_sas,
1953 .add_policy = _add_policy,
1954 .query_policy = _query_policy,
1955 .del_policy = _del_policy,
1956 .flush_policies = _flush_policies,
1957 .bypass_socket = _bypass_socket,
1958 .enable_udp_decap = _enable_udp_decap,
1959 .destroy = _destroy,
1964 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
1965 .sas = hashtable_create((hashtable_hash_t)sa_hash,
1966 (hashtable_equals_t)sa_equals, 32),
1967 .spds = hashtable_create((hashtable_hash_t)interface_hash,
1968 (hashtable_equals_t)interface_equals, 4),
1969 .routes = linked_list_create(),
1970 .install_routes = lib->settings->get_bool(lib->settings,
1971 "%s.install_routes", TRUE, lib->ns),
1972 .use_tunnel_mode_sa = lib->settings->get_bool(lib->settings,
1973 "%s.plugins.kernel-vpp.use_tunnel_mode_sa",
1978 if (!init_spi (this))
1984 return &this->public;