2 * Copyright (c) 2020 Doc.ai and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
7 * http://www.apache.org/licenses/LICENSE-2.0
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
16 #include <wireguard/wireguard.h>
17 #include <wireguard/wireguard_key.h>
18 #include <wireguard/wireguard_peer.h>
19 #include <wireguard/wireguard_if.h>
22 wg_if_create_cli (vlib_main_t * vm,
23 unformat_input_t * input, vlib_cli_command_t * cmd)
25 unformat_input_t _line_input, *line_input = &_line_input;
26 u8 private_key[NOISE_PUBLIC_KEY_LEN];
27 u32 instance, sw_if_index;
31 u32 port, generate_key = 0;
35 instance = sw_if_index = ~0;
39 if (unformat_user (input, unformat_line_input, line_input))
41 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
43 if (unformat (line_input, "instance %d", &instance))
45 else if (unformat (line_input, "private-key %s", &private_key_64))
47 if (!(key_from_base64 (private_key_64,
48 NOISE_KEY_LEN_BASE64, private_key)))
50 error = clib_error_return (0, "Error parsing private key");
54 else if (unformat (line_input, "listen-port %d", &port))
56 else if (unformat (line_input, "port %d", &port))
58 else if (unformat (line_input, "generate-key"))
61 if (unformat (line_input, "src %U", unformat_ip_address, &src_ip))
65 error = clib_error_return (0, "unknown input: %U",
66 format_unformat_error, line_input);
71 unformat_free (line_input);
78 curve25519_gen_secret (private_key);
80 rv = wg_if_create (instance, private_key, port, &src_ip, &sw_if_index);
83 return clib_error_return (0, "wireguard interface create failed");
85 vlib_cli_output (vm, "%U\n", format_vnet_sw_if_index_name, vnet_get_main (),
91 * Create a Wireguard interface.
94 VLIB_CLI_COMMAND (wg_if_create_command, static) = {
95 .path = "wireguard create",
96 .short_help = "wireguard create listen-port <port> "
97 "private-key <key> src <IP> [generate-key]",
98 .function = wg_if_create_cli,
102 static clib_error_t *
103 wg_if_delete_cli (vlib_main_t * vm,
104 unformat_input_t * input, vlib_cli_command_t * cmd)
110 vnm = vnet_get_main ();
113 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
116 (input, "%U", unformat_vnet_sw_interface, vnm, &sw_if_index))
122 if (~0 != sw_if_index)
124 rv = wg_if_delete (sw_if_index);
127 return clib_error_return (0, "wireguard interface delete failed");
130 return clib_error_return (0, "no such interface: %U",
131 format_unformat_error, input);
137 * Delete a Wireguard interface.
140 VLIB_CLI_COMMAND (wg_if_delete_command, static) = {
141 .path = "wireguard delete",
142 .short_help = "wireguard delete <interface>",
143 .function = wg_if_delete_cli,
148 static clib_error_t *
149 wg_peer_add_command_fn (vlib_main_t * vm,
150 unformat_input_t * input, vlib_cli_command_t * cmd)
152 vnet_main_t *vnm = vnet_get_main ();
153 clib_error_t *error = NULL;
154 unformat_input_t _line_input, *line_input = &_line_input;
156 u8 *public_key_64 = 0;
157 u8 public_key[NOISE_PUBLIC_KEY_LEN];
158 fib_prefix_t allowed_ip, *allowed_ips = NULL;
161 u32 portDst = 0, table_id = 0;
162 u32 persistent_keepalive = 0;
163 u32 tun_sw_if_index = ~0;
167 if (!unformat_user (input, unformat_line_input, line_input))
170 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
172 if (unformat (line_input, "public-key %s", &public_key_64))
174 if (!(key_from_base64 (public_key_64,
175 NOISE_KEY_LEN_BASE64, public_key)))
177 error = clib_error_return (0, "Error parsing private key");
181 else if (unformat (line_input, "endpoint %U", unformat_ip_address, &ip))
183 else if (unformat (line_input, "table-id %d", &table_id))
185 else if (unformat (line_input, "port %d", &portDst))
187 else if (unformat (line_input, "persistent-keepalive %d",
188 &persistent_keepalive))
190 else if (unformat (line_input, "allowed-ip %U",
191 unformat_ip_prefix, &pfx))
193 ip_prefix_to_fib_prefix (&pfx, &allowed_ip);
194 vec_add1 (allowed_ips, allowed_ip);
196 else if (unformat (line_input, "%U",
197 unformat_vnet_sw_interface, vnm, &tun_sw_if_index))
201 error = clib_error_return (0, "Input error");
206 if (AF_IP6 == ip_addr_version (&ip) ||
207 FIB_PROTOCOL_IP6 == allowed_ip.fp_proto)
208 rv = VNET_API_ERROR_INVALID_PROTOCOL;
210 rv = wg_peer_add (tun_sw_if_index,
215 portDst, persistent_keepalive, &peer_index);
219 case VNET_API_ERROR_KEY_LENGTH:
220 error = clib_error_return (0, "Error parsing public key");
222 case VNET_API_ERROR_ENTRY_ALREADY_EXISTS:
223 error = clib_error_return (0, "Peer already exist");
225 case VNET_API_ERROR_INVALID_SW_IF_INDEX:
226 error = clib_error_return (0, "Tunnel is not specified");
228 case VNET_API_ERROR_LIMIT_EXCEEDED:
229 error = clib_error_return (0, "Max peers limit");
231 case VNET_API_ERROR_INIT_FAILED:
232 error = clib_error_return (0, "wireguard device parameters is not set");
234 case VNET_API_ERROR_INVALID_PROTOCOL:
235 error = clib_error_return (0, "ipv6 not supported yet");
240 vec_free (public_key_64);
241 vec_free (allowed_ips);
242 unformat_free (line_input);
247 VLIB_CLI_COMMAND (wg_peer_add_command, static) =
249 .path = "wireguard peer add",
250 .short_help = "wireguard peer add <wg_int> public-key <pub_key_other>"
251 "endpoint <ip4_dst> allowed-ip <prefix>"
252 "dst-port [port_dst] persistent-keepalive [keepalive_interval]",
253 .function = wg_peer_add_command_fn,
257 static clib_error_t *
258 wg_peer_remove_command_fn (vlib_main_t * vm,
259 unformat_input_t * input, vlib_cli_command_t * cmd)
261 clib_error_t *error = NULL;
265 unformat_input_t _line_input, *line_input = &_line_input;
266 if (!unformat_user (input, unformat_line_input, line_input))
269 if (unformat (line_input, "%d", &peer_index))
273 error = clib_error_return (0, "Input error");
277 rv = wg_peer_remove (peer_index);
281 case VNET_API_ERROR_KEY_LENGTH:
282 error = clib_error_return (0, "Error parsing public key");
287 unformat_free (line_input);
292 VLIB_CLI_COMMAND (wg_peer_remove_command, static) =
294 .path = "wireguard peer remove",
295 .short_help = "wireguard peer remove <index>",
296 .function = wg_peer_remove_command_fn,
301 wg_peer_show_one (index_t peeri, void *arg)
303 vlib_cli_output (arg, "%U", format_wg_peer, peeri);
305 return (WALK_CONTINUE);
308 static clib_error_t *
309 wg_show_peer_command_fn (vlib_main_t * vm,
310 unformat_input_t * input, vlib_cli_command_t * cmd)
312 wg_peer_walk (wg_peer_show_one, vm);
318 VLIB_CLI_COMMAND (wg_show_peers_command, static) =
320 .path = "show wireguard peer",
321 .short_help = "show wireguard peer",
322 .function = wg_show_peer_command_fn,
327 wg_if_show_one (index_t itfi, void *arg)
329 vlib_cli_output (arg, "%U", format_wg_if, itfi);
331 return (WALK_CONTINUE);
334 static clib_error_t *
335 wg_show_if_command_fn (vlib_main_t * vm,
336 unformat_input_t * input, vlib_cli_command_t * cmd)
338 wg_if_walk (wg_if_show_one, vm);
344 VLIB_CLI_COMMAND (wg_show_itfs_command, static) =
346 .path = "show wireguard interface",
347 .short_help = "show wireguard",
348 .function = wg_show_if_command_fn,
353 * fd.io coding-style-patch-verification: ON
356 * eval: (c-set-style "gnu")