2 * decap.c : IPSec tunnel support
4 * Copyright (c) 2015 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/interface.h>
22 #include <vnet/fib/fib.h>
23 #include <vnet/ipip/ipip.h>
25 #include <vnet/ipsec/ipsec.h>
26 #include <vnet/ipsec/ipsec_tun.h>
29 set_interface_spd_command_fn (vlib_main_t * vm,
30 unformat_input_t * input,
31 vlib_cli_command_t * cmd)
33 unformat_input_t _line_input, *line_input = &_line_input;
34 ipsec_main_t *im = &ipsec_main;
35 u32 sw_if_index = (u32) ~ 0;
38 clib_error_t *error = NULL;
41 if (!unformat_user (input, unformat_line_input, line_input))
45 (line_input, "%U %u", unformat_vnet_sw_interface, im->vnet_main,
46 &sw_if_index, &spd_id))
48 else if (unformat (line_input, "del"))
52 error = clib_error_return (0, "parse error: '%U'",
53 format_unformat_error, line_input);
57 err = ipsec_set_interface_spd (vm, sw_if_index, spd_id, is_add);
60 case VNET_API_ERROR_SYSCALL_ERROR_1:
61 error = clib_error_return (0, "no such spd-id");
63 case VNET_API_ERROR_SYSCALL_ERROR_2:
64 error = clib_error_return (0, "spd already assigned");
69 unformat_free (line_input);
74 VLIB_CLI_COMMAND (set_interface_spd_command, static) = {
75 .path = "set interface ipsec spd",
77 "set interface ipsec spd <int> <id>",
78 .function = set_interface_spd_command_fn,
82 ipsec_sa_add_del_command_fn (vlib_main_t * vm,
83 unformat_input_t * input,
84 vlib_cli_command_t * cmd)
86 unformat_input_t _line_input, *line_input = &_line_input;
87 ipsec_crypto_alg_t crypto_alg;
88 ipsec_integ_alg_t integ_alg;
89 u32 anti_replay_window_size;
90 ipsec_protocol_t proto;
91 ipsec_sa_flags_t flags;
93 ipsec_key_t ck = { 0 };
94 ipsec_key_t ik = { 0 };
95 u32 id, spi, salt, sai;
105 flags = IPSEC_SA_FLAG_NONE;
106 proto = IPSEC_PROTOCOL_ESP;
107 anti_replay_window_size = 0;
108 integ_alg = IPSEC_INTEG_ALG_NONE;
109 crypto_alg = IPSEC_CRYPTO_ALG_NONE;
110 udp_src = udp_dst = IPSEC_UDP_PORT_NONE;
112 if (!unformat_user (input, unformat_line_input, line_input))
115 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
117 if (unformat (line_input, "add %u", &id))
122 else if (unformat (line_input, "del %u", &id))
127 else if (unformat (line_input, "spi %u", &spi))
129 else if (unformat (line_input, "salt 0x%x", &salt))
131 else if (unformat (line_input, "esp"))
132 proto = IPSEC_PROTOCOL_ESP;
133 else if (unformat (line_input, "ah"))
134 proto = IPSEC_PROTOCOL_AH;
135 else if (unformat (line_input, "crypto-key %U",
136 unformat_ipsec_key, &ck))
138 else if (unformat (line_input, "crypto-alg %U",
139 unformat_ipsec_crypto_alg, &crypto_alg))
141 else if (unformat (line_input, "integ-key %U", unformat_ipsec_key, &ik))
143 else if (unformat (line_input, "integ-alg %U",
144 unformat_ipsec_integ_alg, &integ_alg))
146 else if (unformat (line_input, "%U", unformat_tunnel, &tun))
148 flags |= IPSEC_SA_FLAG_IS_TUNNEL;
149 if (AF_IP6 == tunnel_get_af (&tun))
150 flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
152 else if (unformat (line_input, "udp-src-port %d", &i))
154 else if (unformat (line_input, "udp-dst-port %d", &i))
156 else if (unformat (line_input, "anti-replay-size %d",
157 &anti_replay_window_size))
158 flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
159 else if (unformat (line_input, "inbound"))
160 flags |= IPSEC_SA_FLAG_IS_INBOUND;
161 else if (unformat (line_input, "use-anti-replay"))
162 flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
163 else if (unformat (line_input, "use-esn"))
164 flags |= IPSEC_SA_FLAG_USE_ESN;
165 else if (unformat (line_input, "udp-encap"))
166 flags |= IPSEC_SA_FLAG_UDP_ENCAP;
167 else if (unformat (line_input, "async"))
168 flags |= IPSEC_SA_FLAG_IS_ASYNC;
171 error = clib_error_return (0, "parse error: '%U'",
172 format_unformat_error, line_input);
179 error = clib_error_return (0, "missing id");
187 error = clib_error_return (0, "missing spi");
191 ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &ck, integ_alg, &ik,
192 flags, clib_host_to_net_u32 (salt), udp_src,
193 udp_dst, anti_replay_window_size, &tun, &sai);
197 rv = ipsec_sa_unlock_id (id);
201 error = clib_error_return (0, "failed: %d", rv);
204 unformat_free (line_input);
209 VLIB_CLI_COMMAND (ipsec_sa_add_del_command, static) = {
212 "ipsec sa [add|del]",
213 .function = ipsec_sa_add_del_command_fn,
216 static clib_error_t *
217 ipsec_sa_bind_cli (vlib_main_t *vm, unformat_input_t *input,
218 vlib_cli_command_t *cmd)
220 unformat_input_t _line_input, *line_input = &_line_input;
225 clib_error_t *error = NULL;
227 if (!unformat_user (input, unformat_line_input, line_input))
230 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
232 if (unformat (line_input, "unbind"))
234 else if (id == ~0 && unformat (line_input, "%u", &id))
236 else if (unformat (line_input, "%u", &worker))
240 error = clib_error_return (0, "parse error: '%U'",
241 format_unformat_error, line_input);
248 error = clib_error_return (0, "please specify SA ID");
252 if (bind && ~0 == worker)
254 error = clib_error_return (0, "please specify worker to bind to");
258 rv = ipsec_sa_bind (id, worker, bind);
261 case VNET_API_ERROR_INVALID_VALUE:
262 error = clib_error_return (0, "please specify a valid SA ID");
264 case VNET_API_ERROR_INVALID_WORKER:
265 error = clib_error_return (0, "please specify a valid worker index");
270 unformat_free (line_input);
275 VLIB_CLI_COMMAND (ipsec_sa_bind_cmd, static) = {
276 .path = "ipsec sa bind",
277 .short_help = "ipsec sa [unbind] <sa-id> <worker>",
278 .function = ipsec_sa_bind_cli,
281 static clib_error_t *
282 ipsec_spd_add_del_command_fn (vlib_main_t * vm,
283 unformat_input_t * input,
284 vlib_cli_command_t * cmd)
286 unformat_input_t _line_input, *line_input = &_line_input;
289 clib_error_t *error = NULL;
291 if (!unformat_user (input, unformat_line_input, line_input))
294 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
296 if (unformat (line_input, "add"))
298 else if (unformat (line_input, "del"))
300 else if (unformat (line_input, "%u", &spd_id))
304 error = clib_error_return (0, "parse error: '%U'",
305 format_unformat_error, line_input);
312 error = clib_error_return (0, "please specify SPD ID");
316 ipsec_add_del_spd (vm, spd_id, is_add);
319 unformat_free (line_input);
324 VLIB_CLI_COMMAND (ipsec_spd_add_del_command, static) = {
327 "ipsec spd [add|del] <id>",
328 .function = ipsec_spd_add_del_command_fn,
332 static clib_error_t *
333 ipsec_policy_add_del_command_fn (vlib_main_t * vm,
334 unformat_input_t * input,
335 vlib_cli_command_t * cmd)
337 unformat_input_t _line_input, *line_input = &_line_input;
340 u32 tmp, tmp2, stat_index, local_range_set, remote_range_set;
341 clib_error_t *error = NULL;
344 clib_memset (&p, 0, sizeof (p));
345 p.lport.stop = p.rport.stop = ~0;
346 remote_range_set = local_range_set = is_outbound = 0;
347 p.protocol = IPSEC_POLICY_PROTOCOL_ANY;
349 if (!unformat_user (input, unformat_line_input, line_input))
352 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
354 if (unformat (line_input, "add"))
356 else if (unformat (line_input, "del"))
358 else if (unformat (line_input, "ip6"))
360 else if (unformat (line_input, "spd %u", &p.id))
362 else if (unformat (line_input, "inbound"))
364 else if (unformat (line_input, "outbound"))
366 else if (unformat (line_input, "priority %d", &p.priority))
368 else if (unformat (line_input, "protocol %u", &tmp))
369 p.protocol = (u8) tmp;
372 (line_input, "action %U", unformat_ipsec_policy_action,
375 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
377 error = clib_error_return (0, "unsupported action: 'resolve'");
381 else if (unformat (line_input, "sa %u", &p.sa_id))
383 else if (unformat (line_input, "local-ip-range %U - %U",
384 unformat_ip4_address, &p.laddr.start.ip4,
385 unformat_ip4_address, &p.laddr.stop.ip4))
387 else if (unformat (line_input, "remote-ip-range %U - %U",
388 unformat_ip4_address, &p.raddr.start.ip4,
389 unformat_ip4_address, &p.raddr.stop.ip4))
390 remote_range_set = 1;
391 else if (unformat (line_input, "local-ip-range %U - %U",
392 unformat_ip6_address, &p.laddr.start.ip6,
393 unformat_ip6_address, &p.laddr.stop.ip6))
398 else if (unformat (line_input, "remote-ip-range %U - %U",
399 unformat_ip6_address, &p.raddr.start.ip6,
400 unformat_ip6_address, &p.raddr.stop.ip6))
403 remote_range_set = 1;
405 else if (unformat (line_input, "local-port-range %u - %u", &tmp, &tmp2))
411 if (unformat (line_input, "remote-port-range %u - %u", &tmp, &tmp2))
418 error = clib_error_return (0, "parse error: '%U'",
419 format_unformat_error, line_input);
424 if (!remote_range_set)
427 clib_memset (&p.raddr.stop.ip6, 0xff, 16);
429 clib_memset (&p.raddr.stop.ip4, 0xff, 4);
431 if (!local_range_set)
434 clib_memset (&p.laddr.stop.ip6, 0xff, 16);
436 clib_memset (&p.laddr.stop.ip4, 0xff, 4);
439 rv = ipsec_policy_mk_type (is_outbound, p.is_ipv6, p.policy, &p.type);
443 error = clib_error_return (0, "unsupported policy type for:",
444 " outboud:%s %s action:%U",
445 (is_outbound ? "yes" : "no"),
446 (p.is_ipv6 ? "IPv4" : "IPv6"),
447 format_ipsec_policy_action, p.policy);
451 rv = ipsec_add_del_policy (vm, &p, is_add, &stat_index);
454 vlib_cli_output (vm, "policy-index:%d", stat_index);
456 vlib_cli_output (vm, "error:%d", rv);
459 unformat_free (line_input);
464 VLIB_CLI_COMMAND (ipsec_policy_add_del_command, static) = {
465 .path = "ipsec policy",
467 "ipsec policy [add|del] spd <id> priority <n> ",
468 .function = ipsec_policy_add_del_command_fn,
472 ipsec_sa_show_all (vlib_main_t * vm, ipsec_main_t * im, u8 detail)
476 pool_foreach_index (sai, ipsec_sa_pool)
478 vlib_cli_output (vm, "%U", format_ipsec_sa, sai,
479 (detail ? IPSEC_FORMAT_DETAIL : IPSEC_FORMAT_BRIEF));
484 ipsec_spd_show_all (vlib_main_t * vm, ipsec_main_t * im)
488 pool_foreach_index (spdi, im->spds) {
489 vlib_cli_output(vm, "%U", format_ipsec_spd, spdi);
492 if (im->output_flow_cache_flag)
494 vlib_cli_output (vm, "%U", format_ipsec_out_spd_flow_cache);
496 if (im->input_flow_cache_flag)
498 vlib_cli_output (vm, "%U", format_ipsec_in_spd_flow_cache);
503 ipsec_spd_bindings_show_all (vlib_main_t * vm, ipsec_main_t * im)
505 u32 spd_id, sw_if_index;
508 vlib_cli_output (vm, "SPD Bindings:");
510 hash_foreach(sw_if_index, spd_id, im->spd_index_by_sw_if_index, ({
511 spd = pool_elt_at_index (im->spds, spd_id);
512 vlib_cli_output (vm, " %d -> %U", spd->id,
513 format_vnet_sw_if_index_name, im->vnet_main,
519 ipsec_tun_protect_show_one (index_t itpi, void *ctx)
521 vlib_cli_output (ctx, "%U", format_ipsec_tun_protect_index, itpi);
523 return (WALK_CONTINUE);
527 ipsec_tunnel_show_all (vlib_main_t * vm)
529 ipsec_tun_protect_walk (ipsec_tun_protect_show_one, vm);
532 static clib_error_t *
533 show_ipsec_command_fn (vlib_main_t * vm,
534 unformat_input_t * input, vlib_cli_command_t * cmd)
536 ipsec_main_t *im = &ipsec_main;
538 ipsec_sa_show_all (vm, im, 0);
539 ipsec_spd_show_all (vm, im);
540 ipsec_spd_bindings_show_all (vm, im);
541 ipsec_tun_protect_walk (ipsec_tun_protect_show_one, vm);
543 vlib_cli_output (vm, "IPSec async mode: %s",
544 (im->async_mode ? "on" : "off"));
549 VLIB_CLI_COMMAND (show_ipsec_command, static) = {
550 .path = "show ipsec all",
551 .short_help = "show ipsec all",
552 .function = show_ipsec_command_fn,
555 static clib_error_t *
556 show_ipsec_sa_command_fn (vlib_main_t * vm,
557 unformat_input_t * input, vlib_cli_command_t * cmd)
559 ipsec_main_t *im = &ipsec_main;
563 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
565 if (unformat (input, "%u", &sai))
567 if (unformat (input, "detail"))
574 ipsec_sa_show_all (vm, im, detail);
576 vlib_cli_output (vm, "%U", format_ipsec_sa, sai,
577 IPSEC_FORMAT_DETAIL | IPSEC_FORMAT_INSECURE);
582 static clib_error_t *
583 clear_ipsec_sa_command_fn (vlib_main_t * vm,
584 unformat_input_t * input, vlib_cli_command_t * cmd)
588 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
590 if (unformat (input, "%u", &sai))
598 pool_foreach_index (sai, ipsec_sa_pool)
600 ipsec_sa_clear (sai);
605 if (pool_is_free_index (ipsec_sa_pool, sai))
606 return clib_error_return (0, "unknown SA index: %d", sai);
608 ipsec_sa_clear (sai);
614 VLIB_CLI_COMMAND (show_ipsec_sa_command, static) = {
615 .path = "show ipsec sa",
616 .short_help = "show ipsec sa [index]",
617 .function = show_ipsec_sa_command_fn,
620 VLIB_CLI_COMMAND (clear_ipsec_sa_command, static) = {
621 .path = "clear ipsec sa",
622 .short_help = "clear ipsec sa [index]",
623 .function = clear_ipsec_sa_command_fn,
626 static clib_error_t *
627 show_ipsec_spd_command_fn (vlib_main_t * vm,
628 unformat_input_t * input, vlib_cli_command_t * cmd)
630 ipsec_main_t *im = &ipsec_main;
631 u8 show_bindings = 0;
634 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
636 if (unformat (input, "%u", &spdi))
638 else if (unformat (input, "bindings"))
645 ipsec_spd_bindings_show_all (vm, im);
647 vlib_cli_output (vm, "%U", format_ipsec_spd, spdi);
649 ipsec_spd_show_all (vm, im);
654 VLIB_CLI_COMMAND (show_ipsec_spd_command, static) = {
655 .path = "show ipsec spd",
656 .short_help = "show ipsec spd [index]",
657 .function = show_ipsec_spd_command_fn,
660 static clib_error_t *
661 show_ipsec_tunnel_command_fn (vlib_main_t * vm,
662 unformat_input_t * input,
663 vlib_cli_command_t * cmd)
665 ipsec_tunnel_show_all (vm);
670 VLIB_CLI_COMMAND (show_ipsec_tunnel_command, static) = {
671 .path = "show ipsec tunnel",
672 .short_help = "show ipsec tunnel",
673 .function = show_ipsec_tunnel_command_fn,
676 static clib_error_t *
677 ipsec_show_backends_command_fn (vlib_main_t * vm,
678 unformat_input_t * input,
679 vlib_cli_command_t * cmd)
681 ipsec_main_t *im = &ipsec_main;
684 (void) unformat (input, "verbose %u", &verbose);
686 vlib_cli_output (vm, "IPsec AH backends available:");
687 u8 *s = format (NULL, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
688 ipsec_ah_backend_t *ab;
689 pool_foreach (ab, im->ah_backends) {
690 s = format (s, "%=25s %=25u %=10s\n", ab->name, ab - im->ah_backends,
691 ab - im->ah_backends == im->ah_current_backend ? "yes" : "no");
694 n = vlib_get_node (vm, ab->ah4_encrypt_node_index);
695 s = format (s, " enc4 %s (next %d)\n", n->name, ab->ah4_encrypt_next_index);
696 n = vlib_get_node (vm, ab->ah4_decrypt_node_index);
697 s = format (s, " dec4 %s (next %d)\n", n->name, ab->ah4_decrypt_next_index);
698 n = vlib_get_node (vm, ab->ah6_encrypt_node_index);
699 s = format (s, " enc6 %s (next %d)\n", n->name, ab->ah6_encrypt_next_index);
700 n = vlib_get_node (vm, ab->ah6_decrypt_node_index);
701 s = format (s, " dec6 %s (next %d)\n", n->name, ab->ah6_decrypt_next_index);
704 vlib_cli_output (vm, "%v", s);
706 vlib_cli_output (vm, "IPsec ESP backends available:");
707 s = format (s, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
708 ipsec_esp_backend_t *eb;
709 pool_foreach (eb, im->esp_backends) {
710 s = format (s, "%=25s %=25u %=10s\n", eb->name, eb - im->esp_backends,
711 eb - im->esp_backends == im->esp_current_backend ? "yes"
715 n = vlib_get_node (vm, eb->esp4_encrypt_node_index);
716 s = format (s, " enc4 %s (next %d)\n", n->name, eb->esp4_encrypt_next_index);
717 n = vlib_get_node (vm, eb->esp4_decrypt_node_index);
718 s = format (s, " dec4 %s (next %d)\n", n->name, eb->esp4_decrypt_next_index);
719 n = vlib_get_node (vm, eb->esp6_encrypt_node_index);
720 s = format (s, " enc6 %s (next %d)\n", n->name, eb->esp6_encrypt_next_index);
721 n = vlib_get_node (vm, eb->esp6_decrypt_node_index);
722 s = format (s, " dec6 %s (next %d)\n", n->name, eb->esp6_decrypt_next_index);
725 vlib_cli_output (vm, "%v", s);
731 VLIB_CLI_COMMAND (ipsec_show_backends_command, static) = {
732 .path = "show ipsec backends",
733 .short_help = "show ipsec backends",
734 .function = ipsec_show_backends_command_fn,
737 static clib_error_t *
738 ipsec_select_backend_command_fn (vlib_main_t * vm,
739 unformat_input_t * input,
740 vlib_cli_command_t * cmd)
742 unformat_input_t _line_input, *line_input = &_line_input;
743 ipsec_main_t *im = &ipsec_main;
747 error = ipsec_rsc_in_use (im);
752 /* Get a line of input. */
753 if (!unformat_user (input, unformat_line_input, line_input))
756 if (unformat (line_input, "ah"))
758 if (unformat (line_input, "%u", &backend_index))
760 if (ipsec_select_ah_backend (im, backend_index) < 0)
762 return clib_error_return (0, "Invalid AH backend index `%u'",
768 return clib_error_return (0, "Invalid backend index `%U'",
769 format_unformat_error, line_input);
772 else if (unformat (line_input, "esp"))
774 if (unformat (line_input, "%u", &backend_index))
776 if (ipsec_select_esp_backend (im, backend_index) < 0)
778 return clib_error_return (0, "Invalid ESP backend index `%u'",
784 return clib_error_return (0, "Invalid backend index `%U'",
785 format_unformat_error, line_input);
790 return clib_error_return (0, "Unknown input `%U'",
791 format_unformat_error, line_input);
797 VLIB_CLI_COMMAND (ipsec_select_backend_command, static) = {
798 .path = "ipsec select backend",
799 .short_help = "ipsec select backend <ah|esp> <backend index>",
800 .function = ipsec_select_backend_command_fn,
804 static clib_error_t *
805 clear_ipsec_counters_command_fn (vlib_main_t * vm,
806 unformat_input_t * input,
807 vlib_cli_command_t * cmd)
809 vlib_clear_combined_counters (&ipsec_spd_policy_counters);
810 vlib_clear_combined_counters (&ipsec_sa_counters);
811 for (int i = 0; i < IPSEC_SA_N_ERRORS; i++)
812 vlib_clear_simple_counters (&ipsec_sa_err_counters[i]);
817 VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = {
818 .path = "clear ipsec counters",
819 .short_help = "clear ipsec counters",
820 .function = clear_ipsec_counters_command_fn,
823 static clib_error_t *
824 ipsec_tun_protect_cmd (vlib_main_t * vm,
825 unformat_input_t * input, vlib_cli_command_t * cmd)
827 unformat_input_t _line_input, *line_input = &_line_input;
828 u32 sw_if_index, is_del, sa_in, sa_out, *sa_ins = NULL;
829 ip_address_t peer = { };
834 vnm = vnet_get_main ();
836 if (!unformat_user (input, unformat_line_input, line_input))
839 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
841 if (unformat (line_input, "del"))
843 else if (unformat (line_input, "add"))
845 else if (unformat (line_input, "sa-in %d", &sa_in))
846 vec_add1 (sa_ins, sa_in);
847 else if (unformat (line_input, "sa-out %d", &sa_out))
849 else if (unformat (line_input, "%U",
850 unformat_vnet_sw_interface, vnm, &sw_if_index))
852 else if (unformat (line_input, "%U", unformat_ip_address, &peer))
855 return (clib_error_return (0, "unknown input '%U'",
856 format_unformat_error, line_input));
860 ipsec_tun_protect_update (sw_if_index, &peer, sa_out, sa_ins);
862 ipsec_tun_protect_del (sw_if_index, &peer);
864 unformat_free (line_input);
869 * Protect tunnel with IPSEC
871 VLIB_CLI_COMMAND (ipsec_tun_protect_cmd_node, static) =
873 .path = "ipsec tunnel protect",
874 .function = ipsec_tun_protect_cmd,
875 .short_help = "ipsec tunnel protect <interface> input-sa <SA> output-sa <SA> [add|del]",
876 // this is not MP safe
880 static clib_error_t *
881 ipsec_tun_protect_show (vlib_main_t * vm,
882 unformat_input_t * input, vlib_cli_command_t * cmd)
884 ipsec_tun_protect_walk (ipsec_tun_protect_show_one, vm);
890 * show IPSEC tunnel protection
892 VLIB_CLI_COMMAND (ipsec_tun_protect_show_node, static) =
894 .path = "show ipsec protect",
895 .function = ipsec_tun_protect_show,
896 .short_help = "show ipsec protect",
900 ipsec_tun_protect4_hash_show_one (clib_bihash_kv_8_16_t * kv, void *arg)
902 ipsec4_tunnel_kv_t *ikv = (ipsec4_tunnel_kv_t *) kv;
903 vlib_main_t *vm = arg;
905 vlib_cli_output (vm, " %U", format_ipsec4_tunnel_kv, ikv);
907 return (BIHASH_WALK_CONTINUE);
911 ipsec_tun_protect6_hash_show_one (clib_bihash_kv_24_16_t * kv, void *arg)
913 ipsec6_tunnel_kv_t *ikv = (ipsec6_tunnel_kv_t *) kv;
914 vlib_main_t *vm = arg;
916 vlib_cli_output (vm, " %U", format_ipsec6_tunnel_kv, ikv);
918 return (BIHASH_WALK_CONTINUE);
921 static clib_error_t *
922 ipsec_tun_protect_hash_show (vlib_main_t * vm,
923 unformat_input_t * input,
924 vlib_cli_command_t * cmd)
926 ipsec_main_t *im = &ipsec_main;
929 vlib_cli_output (vm, "IPv4:");
931 clib_bihash_foreach_key_value_pair_8_16
932 (&im->tun4_protect_by_key, ipsec_tun_protect4_hash_show_one, vm);
934 vlib_cli_output (vm, "IPv6:");
936 clib_bihash_foreach_key_value_pair_24_16
937 (&im->tun6_protect_by_key, ipsec_tun_protect6_hash_show_one, vm);
944 * show IPSEC tunnel protection hash tables
946 VLIB_CLI_COMMAND (ipsec_tun_protect_hash_show_node, static) =
948 .path = "show ipsec protect-hash",
949 .function = ipsec_tun_protect_hash_show,
950 .short_help = "show ipsec protect-hash",
954 ipsec_cli_init (vlib_main_t * vm)
959 VLIB_INIT_FUNCTION (ipsec_cli_init);
961 static clib_error_t *
962 set_async_mode_command_fn (vlib_main_t * vm, unformat_input_t * input,
963 vlib_cli_command_t * cmd)
965 unformat_input_t _line_input, *line_input = &_line_input;
966 int async_enable = 0;
968 if (!unformat_user (input, unformat_line_input, line_input))
971 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
973 if (unformat (line_input, "on"))
975 else if (unformat (line_input, "off"))
978 return (clib_error_return (0, "unknown input '%U'",
979 format_unformat_error, line_input));
982 ipsec_set_async_mode (async_enable);
984 unformat_free (line_input);
988 VLIB_CLI_COMMAND (set_async_mode_command, static) = {
989 .path = "set ipsec async mode",
990 .short_help = "set ipsec async mode on|off",
991 .function = set_async_mode_command_fn,
995 * fd.io coding-style-patch-verification: ON
998 * eval: (c-set-style "gnu")