2 *------------------------------------------------------------------
3 * ipsec_api.c - ipsec api
5 * Copyright (c) 2016 Cisco and/or its affiliates.
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at:
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 *------------------------------------------------------------------
20 #include <vnet/vnet.h>
21 #include <vlibmemory/api.h>
23 #include <vnet/interface.h>
24 #include <vnet/api_errno.h>
25 #include <vnet/ip/ip.h>
26 #include <vnet/ip/ip_types_api.h>
27 #include <vnet/ipsec/ipsec_types_api.h>
28 #include <vnet/tunnel/tunnel_types_api.h>
29 #include <vnet/fib/fib.h>
30 #include <vnet/ipip/ipip.h>
31 #include <vnet/tunnel/tunnel_types_api.h>
32 #include <vnet/ipsec/ipsec.h>
33 #include <vnet/ipsec/ipsec_tun.h>
34 #include <vnet/ipsec/ipsec_itf.h>
36 #include <vnet/format_fns.h>
37 #include <vnet/ipsec/ipsec.api_enum.h>
38 #include <vnet/ipsec/ipsec.api_types.h>
40 #define REPLY_MSG_ID_BASE ipsec_main.msg_id_base
41 #include <vlibapi/api_helper_macros.h>
44 vl_api_ipsec_spd_add_del_t_handler (vl_api_ipsec_spd_add_del_t * mp)
46 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
47 vl_api_ipsec_spd_add_del_reply_t *rmp;
50 rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add);
52 REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY);
55 static void vl_api_ipsec_interface_add_del_spd_t_handler
56 (vl_api_ipsec_interface_add_del_spd_t * mp)
58 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
59 vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
61 u32 sw_if_index __attribute__ ((unused));
62 u32 spd_id __attribute__ ((unused));
64 sw_if_index = ntohl (mp->sw_if_index);
65 spd_id = ntohl (mp->spd_id);
67 VALIDATE_SW_IF_INDEX (mp);
69 rv = ipsec_set_interface_spd (vm, sw_if_index, spd_id, mp->is_add);
71 BAD_SW_IF_INDEX_LABEL;
73 REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY);
76 static void vl_api_ipsec_tunnel_protect_update_t_handler
77 (vl_api_ipsec_tunnel_protect_update_t * mp)
79 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
80 vl_api_ipsec_tunnel_protect_update_reply_t *rmp;
81 u32 sw_if_index, ii, *sa_ins = NULL;
85 sw_if_index = ntohl (mp->tunnel.sw_if_index);
87 VALIDATE_SW_IF_INDEX (&(mp->tunnel));
89 for (ii = 0; ii < mp->tunnel.n_sa_in; ii++)
90 vec_add1 (sa_ins, ntohl (mp->tunnel.sa_in[ii]));
92 ip_address_decode2 (&mp->tunnel.nh, &nh);
94 rv = ipsec_tun_protect_update (sw_if_index, &nh,
95 ntohl (mp->tunnel.sa_out), sa_ins);
97 BAD_SW_IF_INDEX_LABEL;
99 REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_UPDATE_REPLY);
102 static void vl_api_ipsec_tunnel_protect_del_t_handler
103 (vl_api_ipsec_tunnel_protect_del_t * mp)
105 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
106 vl_api_ipsec_tunnel_protect_del_reply_t *rmp;
111 sw_if_index = ntohl (mp->sw_if_index);
113 VALIDATE_SW_IF_INDEX (mp);
115 ip_address_decode2 (&mp->nh, &nh);
116 rv = ipsec_tun_protect_del (sw_if_index, &nh);
118 BAD_SW_IF_INDEX_LABEL;
120 REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_DEL_REPLY);
123 typedef struct ipsec_dump_walk_ctx_t_
125 vl_api_registration_t *reg;
128 } ipsec_dump_walk_ctx_t;
131 send_ipsec_tunnel_protect_details (index_t itpi, void *arg)
133 ipsec_dump_walk_ctx_t *ctx = arg;
134 vl_api_ipsec_tunnel_protect_details_t *mp;
135 ipsec_tun_protect_t *itp;
139 itp = ipsec_tun_protect_get (itpi);
141 mp = vl_msg_api_alloc (sizeof (*mp) + (sizeof (u32) * itp->itp_n_sa_in));
142 clib_memset (mp, 0, sizeof (*mp));
144 ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_TUNNEL_PROTECT_DETAILS);
145 mp->context = ctx->context;
147 mp->tun.sw_if_index = htonl (itp->itp_sw_if_index);
148 ip_address_encode2 (itp->itp_key, &mp->tun.nh);
150 sa = ipsec_sa_get (itp->itp_out_sa);
151 mp->tun.sa_out = htonl (sa->id);
152 mp->tun.n_sa_in = itp->itp_n_sa_in;
154 FOR_EACH_IPSEC_PROTECT_INPUT_SA(itp, sa,
156 mp->tun.sa_in[ii++] = htonl (sa->id);
160 vl_api_send_msg (ctx->reg, (u8 *) mp);
162 return (WALK_CONTINUE);
166 vl_api_ipsec_tunnel_protect_dump_t_handler (vl_api_ipsec_tunnel_protect_dump_t
169 vl_api_registration_t *reg;
172 reg = vl_api_client_index_to_registration (mp->client_index);
176 ipsec_dump_walk_ctx_t ctx = {
178 .context = mp->context,
181 sw_if_index = ntohl (mp->sw_if_index);
183 if (~0 == sw_if_index)
185 ipsec_tun_protect_walk (send_ipsec_tunnel_protect_details, &ctx);
189 ipsec_tun_protect_walk_itf (sw_if_index,
190 send_ipsec_tunnel_protect_details, &ctx);
195 ipsec_spd_action_decode (vl_api_ipsec_spd_action_t in,
196 ipsec_policy_action_t * out)
198 in = clib_net_to_host_u32 (in);
202 #define _(v,f,s) case IPSEC_API_SPD_ACTION_##f: \
203 *out = IPSEC_POLICY_ACTION_##f; \
205 foreach_ipsec_policy_action
208 return (VNET_API_ERROR_UNIMPLEMENTED);
211 static void vl_api_ipsec_spd_entry_add_del_t_handler
212 (vl_api_ipsec_spd_entry_add_del_t * mp)
214 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
215 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
224 clib_memset (&p, 0, sizeof (p));
226 p.id = ntohl (mp->entry.spd_id);
227 p.priority = ntohl (mp->entry.priority);
229 itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start);
230 ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop);
231 ip_address_decode (&mp->entry.local_address_start, &p.laddr.start);
232 ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop);
234 p.is_ipv6 = (itype == IP46_TYPE_IP6);
237 mp->entry.protocol ? mp->entry.protocol : IPSEC_POLICY_PROTOCOL_ANY;
238 p.rport.start = ntohs (mp->entry.remote_port_start);
239 p.rport.stop = ntohs (mp->entry.remote_port_stop);
240 p.lport.start = ntohs (mp->entry.local_port_start);
241 p.lport.stop = ntohs (mp->entry.local_port_stop);
243 rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
248 /* policy action resolve unsupported */
249 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
251 clib_warning ("unsupported action: 'resolve'");
252 rv = VNET_API_ERROR_UNIMPLEMENTED;
255 p.sa_id = ntohl (mp->entry.sa_id);
257 ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy,
262 rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index);
268 REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_REPLY,
270 rmp->stat_index = ntohl(stat_index);
276 vl_api_ipsec_spd_entry_add_del_v2_t_handler (
277 vl_api_ipsec_spd_entry_add_del_v2_t *mp)
279 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
280 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
289 clib_memset (&p, 0, sizeof (p));
291 p.id = ntohl (mp->entry.spd_id);
292 p.priority = ntohl (mp->entry.priority);
294 itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start);
295 ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop);
296 ip_address_decode (&mp->entry.local_address_start, &p.laddr.start);
297 ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop);
299 p.is_ipv6 = (itype == IP46_TYPE_IP6);
301 p.protocol = mp->entry.protocol;
302 p.rport.start = ntohs (mp->entry.remote_port_start);
303 p.rport.stop = ntohs (mp->entry.remote_port_stop);
304 p.lport.start = ntohs (mp->entry.local_port_start);
305 p.lport.stop = ntohs (mp->entry.local_port_stop);
307 rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
312 /* policy action resolve unsupported */
313 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
315 clib_warning ("unsupported action: 'resolve'");
316 rv = VNET_API_ERROR_UNIMPLEMENTED;
319 p.sa_id = ntohl (mp->entry.sa_id);
321 ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy, &p.type);
325 rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index);
330 REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_V2_REPLY,
331 ({ rmp->stat_index = ntohl (stat_index); }));
334 static void vl_api_ipsec_sad_entry_add_del_t_handler
335 (vl_api_ipsec_sad_entry_add_del_t * mp)
337 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
338 ipsec_key_t crypto_key, integ_key;
339 ipsec_crypto_alg_t crypto_alg;
340 ipsec_integ_alg_t integ_alg;
341 ipsec_protocol_t proto;
342 ipsec_sa_flags_t flags;
343 u32 id, spi, sa_index = ~0;
345 .t_flags = TUNNEL_FLAG_NONE,
346 .t_encap_decap_flags = TUNNEL_ENCAP_DECAP_FLAG_NONE,
348 .t_mode = TUNNEL_MODE_P2P,
354 id = ntohl (mp->entry.sad_id);
357 rv = ipsec_sa_unlock_id (id);
360 spi = ntohl (mp->entry.spi);
362 rv = ipsec_proto_decode (mp->entry.protocol, &proto);
367 rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
372 rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
377 ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
378 ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
380 flags = ipsec_sa_flags_decode (mp->entry.flags);
382 ip_address_decode2 (&mp->entry.tunnel_src, &tun.t_src);
383 ip_address_decode2 (&mp->entry.tunnel_dst, &tun.t_dst);
385 rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &crypto_key,
386 integ_alg, &integ_key, flags, mp->entry.salt,
387 htons (mp->entry.udp_src_port),
388 htons (mp->entry.udp_dst_port), &tun, &sa_index);
392 REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY,
394 rmp->stat_index = htonl (sa_index);
399 static void vl_api_ipsec_sad_entry_add_del_v2_t_handler
400 (vl_api_ipsec_sad_entry_add_del_v2_t * mp)
402 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
403 vl_api_ipsec_sad_entry_add_del_v2_reply_t *rmp;
404 ipsec_key_t crypto_key, integ_key;
405 ipsec_crypto_alg_t crypto_alg;
406 ipsec_integ_alg_t integ_alg;
407 ipsec_protocol_t proto;
408 ipsec_sa_flags_t flags;
409 u32 id, spi, sa_index = ~0;
412 .t_flags = TUNNEL_FLAG_NONE,
413 .t_encap_decap_flags = TUNNEL_ENCAP_DECAP_FLAG_NONE,
415 .t_mode = TUNNEL_MODE_P2P,
416 .t_table_id = htonl (mp->entry.tx_table_id),
420 id = ntohl (mp->entry.sad_id);
423 rv = ipsec_sa_unlock_id (id);
427 spi = ntohl (mp->entry.spi);
429 rv = ipsec_proto_decode (mp->entry.protocol, &proto);
434 rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
439 rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
444 rv = tunnel_encap_decap_flags_decode (mp->entry.tunnel_flags,
445 &tun.t_encap_decap_flags);
450 ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
451 ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
453 flags = ipsec_sa_flags_decode (mp->entry.flags);
454 tun.t_dscp = ip_dscp_decode (mp->entry.dscp);
456 ip_address_decode2 (&mp->entry.tunnel_src, &tun.t_src);
457 ip_address_decode2 (&mp->entry.tunnel_dst, &tun.t_dst);
459 rv = ipsec_sa_add_and_lock (
460 id, spi, proto, crypto_alg, &crypto_key, integ_alg, &integ_key, flags,
461 mp->entry.salt, htons (mp->entry.udp_src_port),
462 htons (mp->entry.udp_dst_port), &tun, &sa_index);
466 REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_V2_REPLY,
468 rmp->stat_index = htonl (sa_index);
474 ipsec_sad_entry_add_v3 (const vl_api_ipsec_sad_entry_v3_t *entry,
477 ipsec_key_t crypto_key, integ_key;
478 ipsec_crypto_alg_t crypto_alg;
479 ipsec_integ_alg_t integ_alg;
480 ipsec_protocol_t proto;
481 ipsec_sa_flags_t flags;
483 tunnel_t tun = { 0 };
486 id = ntohl (entry->sad_id);
487 spi = ntohl (entry->spi);
489 rv = ipsec_proto_decode (entry->protocol, &proto);
494 rv = ipsec_crypto_algo_decode (entry->crypto_algorithm, &crypto_alg);
499 rv = ipsec_integ_algo_decode (entry->integrity_algorithm, &integ_alg);
504 flags = ipsec_sa_flags_decode (entry->flags);
506 if (flags & IPSEC_SA_FLAG_IS_TUNNEL)
508 rv = tunnel_decode (&entry->tunnel, &tun);
514 ipsec_key_decode (&entry->crypto_key, &crypto_key);
515 ipsec_key_decode (&entry->integrity_key, &integ_key);
517 return ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &crypto_key,
518 integ_alg, &integ_key, flags, entry->salt,
519 htons (entry->udp_src_port),
520 htons (entry->udp_dst_port), &tun, sa_index);
524 vl_api_ipsec_sad_entry_add_del_v3_t_handler (
525 vl_api_ipsec_sad_entry_add_del_v3_t *mp)
527 vl_api_ipsec_sad_entry_add_del_v3_reply_t *rmp;
528 u32 id, sa_index = ~0;
531 id = ntohl (mp->entry.sad_id);
535 rv = ipsec_sa_unlock_id (id);
539 rv = ipsec_sad_entry_add_v3 (&mp->entry, &sa_index);
542 REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_V3_REPLY,
543 { rmp->stat_index = htonl (sa_index); });
547 vl_api_ipsec_sad_entry_del_t_handler (vl_api_ipsec_sad_entry_del_t *mp)
549 vl_api_ipsec_sad_entry_del_reply_t *rmp;
552 rv = ipsec_sa_unlock_id (ntohl (mp->id));
554 REPLY_MACRO (VL_API_IPSEC_SAD_ENTRY_DEL_REPLY);
558 vl_api_ipsec_sad_entry_add_t_handler (vl_api_ipsec_sad_entry_add_t *mp)
560 vl_api_ipsec_sad_entry_add_reply_t *rmp;
564 rv = ipsec_sad_entry_add_v3 (&mp->entry, &sa_index);
566 REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_REPLY,
567 { rmp->stat_index = htonl (sa_index); });
571 vl_api_ipsec_sad_entry_update_t_handler (vl_api_ipsec_sad_entry_update_t *mp)
573 vl_api_ipsec_sad_entry_update_reply_t *rmp;
575 tunnel_t tun = { 0 };
578 id = ntohl (mp->sad_id);
582 rv = tunnel_decode (&mp->tunnel, &tun);
588 rv = ipsec_sa_update (id, htons (mp->udp_src_port), htons (mp->udp_dst_port),
592 REPLY_MACRO (VL_API_IPSEC_SAD_ENTRY_UPDATE_REPLY);
596 vl_api_ipsec_sad_bind_t_handler (vl_api_ipsec_sad_bind_t *mp)
598 vl_api_ipsec_sad_bind_reply_t *rmp;
603 sa_id = ntohl (mp->sa_id);
604 worker = ntohl (mp->worker);
606 rv = ipsec_sa_bind (sa_id, worker, true /* bind */);
608 REPLY_MACRO (VL_API_IPSEC_SAD_BIND_REPLY);
612 vl_api_ipsec_sad_unbind_t_handler (vl_api_ipsec_sad_unbind_t *mp)
614 vl_api_ipsec_sad_unbind_reply_t *rmp;
618 sa_id = ntohl (mp->sa_id);
620 rv = ipsec_sa_bind (sa_id, ~0, false /* bind */);
622 REPLY_MACRO (VL_API_IPSEC_SAD_UNBIND_REPLY);
626 send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg,
629 vl_api_ipsec_spds_details_t *mp;
632 mp = vl_msg_api_alloc (sizeof (*mp));
633 clib_memset (mp, 0, sizeof (*mp));
634 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_SPDS_DETAILS);
635 mp->context = context;
637 mp->spd_id = htonl (spd->id);
638 #define _(s, n) n_policies += vec_len (spd->policies[IPSEC_SPD_POLICY_##s]);
639 foreach_ipsec_spd_policy_type
641 mp->npolicies = htonl (n_policies);
643 vl_api_send_msg (reg, (u8 *) mp);
647 vl_api_ipsec_spds_dump_t_handler (vl_api_ipsec_spds_dump_t * mp)
649 vl_api_registration_t *reg;
650 ipsec_main_t *im = &ipsec_main;
653 reg = vl_api_client_index_to_registration (mp->client_index);
657 pool_foreach (spd, im->spds) {
658 send_ipsec_spds_details (spd, reg, mp->context);
662 vl_api_ipsec_spd_action_t
663 ipsec_spd_action_encode (ipsec_policy_action_t in)
665 vl_api_ipsec_spd_action_t out = IPSEC_API_SPD_ACTION_BYPASS;
669 #define _(v,f,s) case IPSEC_POLICY_ACTION_##f: \
670 out = IPSEC_API_SPD_ACTION_##f; \
672 foreach_ipsec_policy_action
675 return (clib_host_to_net_u32 (out));
679 send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg,
682 vl_api_ipsec_spd_details_t *mp;
684 mp = vl_msg_api_alloc (sizeof (*mp));
685 clib_memset (mp, 0, sizeof (*mp));
686 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_SPD_DETAILS);
687 mp->context = context;
689 mp->entry.spd_id = htonl (p->id);
690 mp->entry.priority = htonl (p->priority);
691 mp->entry.is_outbound = ((p->type == IPSEC_SPD_POLICY_IP6_OUTBOUND) ||
692 (p->type == IPSEC_SPD_POLICY_IP4_OUTBOUND));
694 ip_address_encode (&p->laddr.start, IP46_TYPE_ANY,
695 &mp->entry.local_address_start);
696 ip_address_encode (&p->laddr.stop, IP46_TYPE_ANY,
697 &mp->entry.local_address_stop);
698 ip_address_encode (&p->raddr.start, IP46_TYPE_ANY,
699 &mp->entry.remote_address_start);
700 ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY,
701 &mp->entry.remote_address_stop);
702 mp->entry.local_port_start = htons (p->lport.start);
703 mp->entry.local_port_stop = htons (p->lport.stop);
704 mp->entry.remote_port_start = htons (p->rport.start);
705 mp->entry.remote_port_stop = htons (p->rport.stop);
706 mp->entry.protocol = p->protocol;
707 mp->entry.policy = ipsec_spd_action_encode (p->policy);
708 mp->entry.sa_id = htonl (p->sa_id);
710 vl_api_send_msg (reg, (u8 *) mp);
714 vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp)
716 vl_api_registration_t *reg;
717 ipsec_main_t *im = &ipsec_main;
718 ipsec_spd_policy_type_t ptype;
719 ipsec_policy_t *policy;
724 reg = vl_api_client_index_to_registration (mp->client_index);
728 p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id));
733 spd = pool_elt_at_index (im->spds, spd_index);
735 FOR_EACH_IPSEC_SPD_POLICY_TYPE(ptype) {
736 vec_foreach(ii, spd->policies[ptype])
738 policy = pool_elt_at_index(im->policies, *ii);
740 if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id)
741 send_ipsec_spd_details (policy, reg, mp->context);
747 send_ipsec_spd_interface_details (vl_api_registration_t * reg, u32 spd_index,
748 u32 sw_if_index, u32 context)
750 vl_api_ipsec_spd_interface_details_t *mp;
752 mp = vl_msg_api_alloc (sizeof (*mp));
753 clib_memset (mp, 0, sizeof (*mp));
755 ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_SPD_INTERFACE_DETAILS);
756 mp->context = context;
758 mp->spd_index = htonl (spd_index);
759 mp->sw_if_index = htonl (sw_if_index);
761 vl_api_send_msg (reg, (u8 *) mp);
765 vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t *
768 ipsec_main_t *im = &ipsec_main;
769 vl_api_registration_t *reg;
772 reg = vl_api_client_index_to_registration (mp->client_index);
776 if (mp->spd_index_valid)
778 spd_index = ntohl (mp->spd_index);
780 hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
782 send_ipsec_spd_interface_details(reg, v, k, mp->context);
788 hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
789 send_ipsec_spd_interface_details(reg, v, k, mp->context);
795 vl_api_ipsec_itf_create_t_handler (vl_api_ipsec_itf_create_t * mp)
797 vl_api_ipsec_itf_create_reply_t *rmp;
799 u32 sw_if_index = ~0;
802 rv = tunnel_mode_decode (mp->itf.mode, &mode);
805 rv = ipsec_itf_create (ntohl (mp->itf.user_instance), mode, &sw_if_index);
808 REPLY_MACRO2 (VL_API_IPSEC_ITF_CREATE_REPLY,
810 rmp->sw_if_index = htonl (sw_if_index);
816 vl_api_ipsec_itf_delete_t_handler (vl_api_ipsec_itf_delete_t * mp)
818 vl_api_ipsec_itf_delete_reply_t *rmp;
821 rv = ipsec_itf_delete (ntohl (mp->sw_if_index));
823 REPLY_MACRO (VL_API_IPSEC_ITF_DELETE_REPLY);
827 send_ipsec_itf_details (ipsec_itf_t *itf, void *arg)
829 ipsec_dump_walk_ctx_t *ctx = arg;
830 vl_api_ipsec_itf_details_t *mp;
832 if (~0 != ctx->sw_if_index && ctx->sw_if_index != itf->ii_sw_if_index)
833 return (WALK_CONTINUE);
835 mp = vl_msg_api_alloc (sizeof (*mp));
836 clib_memset (mp, 0, sizeof (*mp));
837 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_ITF_DETAILS);
838 mp->context = ctx->context;
840 mp->itf.mode = tunnel_mode_encode (itf->ii_mode);
841 mp->itf.user_instance = htonl (itf->ii_user_instance);
842 mp->itf.sw_if_index = htonl (itf->ii_sw_if_index);
843 vl_api_send_msg (ctx->reg, (u8 *) mp);
845 return (WALK_CONTINUE);
849 vl_api_ipsec_itf_dump_t_handler (vl_api_ipsec_itf_dump_t * mp)
851 vl_api_registration_t *reg;
853 reg = vl_api_client_index_to_registration (mp->client_index);
857 ipsec_dump_walk_ctx_t ctx = {
859 .context = mp->context,
860 .sw_if_index = ntohl (mp->sw_if_index),
863 ipsec_itf_walk (send_ipsec_itf_details, &ctx);
866 typedef struct ipsec_sa_dump_match_ctx_t_
870 } ipsec_sa_dump_match_ctx_t;
873 ipsec_sa_dump_match_sa (index_t itpi, void *arg)
875 ipsec_sa_dump_match_ctx_t *ctx = arg;
876 ipsec_tun_protect_t *itp;
879 itp = ipsec_tun_protect_get (itpi);
881 if (itp->itp_out_sa == ctx->sai)
883 ctx->sw_if_index = itp->itp_sw_if_index;
887 FOR_EACH_IPSEC_PROTECT_INPUT_SAI (itp, sai,
891 ctx->sw_if_index = itp->itp_sw_if_index;
896 return (WALK_CONTINUE);
900 send_ipsec_sa_details (ipsec_sa_t * sa, void *arg)
902 ipsec_dump_walk_ctx_t *ctx = arg;
903 vl_api_ipsec_sa_details_t *mp;
905 mp = vl_msg_api_alloc (sizeof (*mp));
906 clib_memset (mp, 0, sizeof (*mp));
907 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_SA_DETAILS);
908 mp->context = ctx->context;
910 mp->entry.sad_id = htonl (sa->id);
911 mp->entry.spi = htonl (sa->spi);
912 mp->entry.protocol = ipsec_proto_encode (sa->protocol);
913 mp->entry.tx_table_id = htonl (sa->tunnel.t_table_id);
915 mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
916 ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
918 mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
919 ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
921 mp->entry.flags = ipsec_sad_flags_encode (sa);
922 mp->entry.salt = clib_host_to_net_u32 (sa->salt);
924 if (ipsec_sa_is_set_IS_PROTECT (sa))
926 ipsec_sa_dump_match_ctx_t ctx = {
927 .sai = sa - ipsec_sa_pool,
930 ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
932 mp->sw_if_index = htonl (ctx.sw_if_index);
935 mp->sw_if_index = ~0;
937 if (ipsec_sa_is_set_IS_TUNNEL (sa))
939 ip_address_encode2 (&sa->tunnel.t_src, &mp->entry.tunnel_src);
940 ip_address_encode2 (&sa->tunnel.t_dst, &mp->entry.tunnel_dst);
942 if (ipsec_sa_is_set_UDP_ENCAP (sa))
944 mp->entry.udp_src_port = sa->udp_hdr.src_port;
945 mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
948 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
949 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->seq));
950 if (ipsec_sa_is_set_USE_ESN (sa))
952 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
953 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
955 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
956 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
958 mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
960 vl_api_send_msg (ctx->reg, (u8 *) mp);
962 return (WALK_CONTINUE);
966 vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
968 vl_api_registration_t *reg;
970 reg = vl_api_client_index_to_registration (mp->client_index);
974 ipsec_dump_walk_ctx_t ctx = {
976 .context = mp->context,
979 ipsec_sa_walk (send_ipsec_sa_details, &ctx);
983 send_ipsec_sa_v2_details (ipsec_sa_t * sa, void *arg)
985 ipsec_dump_walk_ctx_t *ctx = arg;
986 vl_api_ipsec_sa_v2_details_t *mp;
988 mp = vl_msg_api_alloc (sizeof (*mp));
989 clib_memset (mp, 0, sizeof (*mp));
990 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_SA_V2_DETAILS);
991 mp->context = ctx->context;
993 mp->entry.sad_id = htonl (sa->id);
994 mp->entry.spi = htonl (sa->spi);
995 mp->entry.protocol = ipsec_proto_encode (sa->protocol);
996 mp->entry.tx_table_id = htonl (sa->tunnel.t_table_id);
998 mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
999 ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
1001 mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
1002 ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
1004 mp->entry.flags = ipsec_sad_flags_encode (sa);
1005 mp->entry.salt = clib_host_to_net_u32 (sa->salt);
1007 if (ipsec_sa_is_set_IS_PROTECT (sa))
1009 ipsec_sa_dump_match_ctx_t ctx = {
1010 .sai = sa - ipsec_sa_pool,
1013 ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
1015 mp->sw_if_index = htonl (ctx.sw_if_index);
1018 mp->sw_if_index = ~0;
1020 if (ipsec_sa_is_set_IS_TUNNEL (sa))
1022 ip_address_encode2 (&sa->tunnel.t_src, &mp->entry.tunnel_src);
1023 ip_address_encode2 (&sa->tunnel.t_dst, &mp->entry.tunnel_dst);
1025 if (ipsec_sa_is_set_UDP_ENCAP (sa))
1027 mp->entry.udp_src_port = sa->udp_hdr.src_port;
1028 mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
1031 mp->entry.tunnel_flags =
1032 tunnel_encap_decap_flags_encode (sa->tunnel.t_encap_decap_flags);
1033 mp->entry.dscp = ip_dscp_encode (sa->tunnel.t_dscp);
1035 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
1036 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->seq));
1037 if (ipsec_sa_is_set_USE_ESN (sa))
1039 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
1040 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
1042 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
1043 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
1045 mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
1047 vl_api_send_msg (ctx->reg, (u8 *) mp);
1049 return (WALK_CONTINUE);
1053 vl_api_ipsec_sa_v2_dump_t_handler (vl_api_ipsec_sa_v2_dump_t *mp)
1055 vl_api_registration_t *reg;
1057 reg = vl_api_client_index_to_registration (mp->client_index);
1061 ipsec_dump_walk_ctx_t ctx = {
1063 .context = mp->context,
1066 ipsec_sa_walk (send_ipsec_sa_v2_details, &ctx);
1070 send_ipsec_sa_v3_details (ipsec_sa_t *sa, void *arg)
1072 ipsec_dump_walk_ctx_t *ctx = arg;
1073 vl_api_ipsec_sa_v3_details_t *mp;
1075 mp = vl_msg_api_alloc (sizeof (*mp));
1076 clib_memset (mp, 0, sizeof (*mp));
1077 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_SA_V3_DETAILS);
1078 mp->context = ctx->context;
1080 mp->entry.sad_id = htonl (sa->id);
1081 mp->entry.spi = htonl (sa->spi);
1082 mp->entry.protocol = ipsec_proto_encode (sa->protocol);
1084 mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
1085 ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
1087 mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
1088 ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
1090 mp->entry.flags = ipsec_sad_flags_encode (sa);
1091 mp->entry.salt = clib_host_to_net_u32 (sa->salt);
1093 if (ipsec_sa_is_set_IS_PROTECT (sa))
1095 ipsec_sa_dump_match_ctx_t ctx = {
1096 .sai = sa - ipsec_sa_pool,
1099 ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
1101 mp->sw_if_index = htonl (ctx.sw_if_index);
1104 mp->sw_if_index = ~0;
1106 if (ipsec_sa_is_set_IS_TUNNEL (sa))
1107 tunnel_encode (&sa->tunnel, &mp->entry.tunnel);
1109 if (ipsec_sa_is_set_UDP_ENCAP (sa))
1111 mp->entry.udp_src_port = sa->udp_hdr.src_port;
1112 mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
1115 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
1116 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->seq));
1117 if (ipsec_sa_is_set_USE_ESN (sa))
1119 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
1120 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
1122 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
1123 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
1125 mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
1127 vl_api_send_msg (ctx->reg, (u8 *) mp);
1129 return (WALK_CONTINUE);
1133 vl_api_ipsec_sa_v3_dump_t_handler (vl_api_ipsec_sa_v3_dump_t *mp)
1135 vl_api_registration_t *reg;
1137 reg = vl_api_client_index_to_registration (mp->client_index);
1141 ipsec_dump_walk_ctx_t ctx = {
1143 .context = mp->context,
1146 ipsec_sa_walk (send_ipsec_sa_v3_details, &ctx);
1150 send_ipsec_sa_v4_details (ipsec_sa_t *sa, void *arg)
1152 ipsec_dump_walk_ctx_t *ctx = arg;
1153 vl_api_ipsec_sa_v4_details_t *mp;
1155 mp = vl_msg_api_alloc (sizeof (*mp));
1156 clib_memset (mp, 0, sizeof (*mp));
1157 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_SA_V4_DETAILS);
1158 mp->context = ctx->context;
1160 mp->entry.sad_id = htonl (sa->id);
1161 mp->entry.spi = htonl (sa->spi);
1162 mp->entry.protocol = ipsec_proto_encode (sa->protocol);
1164 mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
1165 ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
1167 mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
1168 ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
1170 mp->entry.flags = ipsec_sad_flags_encode (sa);
1171 mp->entry.salt = clib_host_to_net_u32 (sa->salt);
1173 if (ipsec_sa_is_set_IS_PROTECT (sa))
1175 ipsec_sa_dump_match_ctx_t ctx = {
1176 .sai = sa - ipsec_sa_pool,
1179 ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
1181 mp->sw_if_index = htonl (ctx.sw_if_index);
1184 mp->sw_if_index = ~0;
1186 if (ipsec_sa_is_set_IS_TUNNEL (sa))
1187 tunnel_encode (&sa->tunnel, &mp->entry.tunnel);
1189 if (ipsec_sa_is_set_UDP_ENCAP (sa))
1191 mp->entry.udp_src_port = sa->udp_hdr.src_port;
1192 mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
1195 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
1196 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->seq));
1197 if (ipsec_sa_is_set_USE_ESN (sa))
1199 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
1200 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
1202 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
1203 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
1205 mp->thread_index = clib_host_to_net_u32 (sa->thread_index);
1206 mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
1208 vl_api_send_msg (ctx->reg, (u8 *) mp);
1210 return (WALK_CONTINUE);
1214 vl_api_ipsec_sa_v4_dump_t_handler (vl_api_ipsec_sa_v4_dump_t *mp)
1216 vl_api_registration_t *reg;
1218 reg = vl_api_client_index_to_registration (mp->client_index);
1222 ipsec_dump_walk_ctx_t ctx = {
1224 .context = mp->context,
1227 ipsec_sa_walk (send_ipsec_sa_v4_details, &ctx);
1231 vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp)
1233 vl_api_registration_t *rp;
1234 ipsec_main_t *im = &ipsec_main;
1235 u32 context = mp->context;
1237 rp = vl_api_client_index_to_registration (mp->client_index);
1241 clib_warning ("Client %d AWOL", mp->client_index);
1245 ipsec_ah_backend_t *ab;
1246 ipsec_esp_backend_t *eb;
1248 pool_foreach (ab, im->ah_backends) {
1249 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
1250 clib_memset (mp, 0, sizeof (*mp));
1251 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_BACKEND_DETAILS);
1252 mp->context = context;
1253 snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (ab->name),
1255 mp->protocol = ntohl (IPSEC_API_PROTO_AH);
1256 mp->index = ab - im->ah_backends;
1257 mp->active = mp->index == im->ah_current_backend ? 1 : 0;
1258 vl_api_send_msg (rp, (u8 *)mp);
1260 pool_foreach (eb, im->esp_backends) {
1261 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
1262 clib_memset (mp, 0, sizeof (*mp));
1263 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_BACKEND_DETAILS);
1264 mp->context = context;
1265 snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (eb->name),
1267 mp->protocol = ntohl (IPSEC_API_PROTO_ESP);
1268 mp->index = eb - im->esp_backends;
1269 mp->active = mp->index == im->esp_current_backend ? 1 : 0;
1270 vl_api_send_msg (rp, (u8 *)mp);
1276 vl_api_ipsec_select_backend_t_handler (vl_api_ipsec_select_backend_t * mp)
1278 ipsec_main_t *im = &ipsec_main;
1279 vl_api_ipsec_select_backend_reply_t *rmp;
1280 ipsec_protocol_t protocol;
1282 if (pool_elts (ipsec_sa_pool) > 0)
1284 rv = VNET_API_ERROR_INSTANCE_IN_USE;
1288 rv = ipsec_proto_decode (mp->protocol, &protocol);
1295 case IPSEC_PROTOCOL_ESP:
1296 rv = ipsec_select_esp_backend (im, mp->index);
1298 case IPSEC_PROTOCOL_AH:
1299 rv = ipsec_select_ah_backend (im, mp->index);
1302 rv = VNET_API_ERROR_INVALID_PROTOCOL;
1306 REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY);
1310 vl_api_ipsec_set_async_mode_t_handler (vl_api_ipsec_set_async_mode_t * mp)
1312 vl_api_ipsec_set_async_mode_reply_t *rmp;
1315 ipsec_set_async_mode (mp->async_enable);
1317 REPLY_MACRO (VL_API_IPSEC_SET_ASYNC_MODE_REPLY);
1320 #include <vnet/ipsec/ipsec.api.c>
1321 static clib_error_t *
1322 ipsec_api_hookup (vlib_main_t * vm)
1325 * Set up the (msg_name, crc, message-id) table
1327 REPLY_MSG_ID_BASE = setup_message_id_table ();
1332 VLIB_API_INIT_FUNCTION (ipsec_api_hookup);
1335 * fd.io coding-style-patch-verification: ON
1338 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob