2 * ipsec_itf.c: IPSec dedicated interface type
4 * Copyright (c) 2020 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/ip/ip.h>
19 #include <vnet/ipsec/ipsec_itf.h>
20 #include <vnet/ipsec/ipsec_tun.h>
21 #include <vnet/ipsec/ipsec.h>
22 #include <vnet/adj/adj_midchain.h>
23 #include <vnet/ethernet/mac_address.h>
25 /* bitmap of Allocated IPSEC_ITF instances */
26 static uword *ipsec_itf_instances;
28 /* pool of interfaces */
29 static ipsec_itf_t *ipsec_itf_pool;
31 static u32 *ipsec_itf_index_by_sw_if_index;
34 ipsec_itf_get (index_t ii)
36 return (pool_elt_at_index (ipsec_itf_pool, ii));
40 ipsec_itf_count (void)
42 return (pool_elts (ipsec_itf_pool));
46 ipsec_itf_find_by_sw_if_index (u32 sw_if_index)
48 if (vec_len (ipsec_itf_index_by_sw_if_index) <= sw_if_index)
50 u32 ti = ipsec_itf_index_by_sw_if_index[sw_if_index];
53 return pool_elt_at_index (ipsec_itf_pool, ti);
57 format_ipsec_itf_name (u8 * s, va_list * args)
59 u32 dev_instance = va_arg (*args, u32);
60 return format (s, "ipsec%d", dev_instance);
64 ipsec_itf_adj_unstack (adj_index_t ai)
66 adj_midchain_delegate_unstack (ai);
70 ipsec_itf_adj_stack (adj_index_t ai, u32 sai)
72 const vnet_hw_interface_t *hw;
74 hw = vnet_get_sup_hw_interface (vnet_get_main (), adj_get_sw_if_index (ai));
76 if (hw->flags & VNET_HW_INTERFACE_FLAG_LINK_UP)
81 sa = ipsec_sa_get (sai);
82 ip_address_to_fib_prefix (&sa->tunnel.t_dst, &dst);
83 adj_midchain_delegate_stack (ai, sa->tunnel.t_fib_index, &dst);
86 adj_midchain_delegate_unstack (ai);
90 ipsec_itf_adj_stack_cb (adj_index_t ai, void *arg)
92 ipsec_tun_protect_t *itp = arg;
94 ipsec_itf_adj_stack (ai, itp->itp_out_sa);
96 return (ADJ_WALK_RC_CONTINUE);
100 ipsec_itf_restack (index_t itpi, const ipsec_itf_t * itf)
102 ipsec_tun_protect_t *itp;
103 fib_protocol_t proto;
105 itp = ipsec_tun_protect_get (itpi);
108 * walk all the adjacencies on the interface and restack them
110 FOR_EACH_FIB_IP_PROTOCOL (proto)
112 adj_nbr_walk (itf->ii_sw_if_index, proto, ipsec_itf_adj_stack_cb, itp);
117 ipsec_tun_protect_walk_state_change (index_t itpi, void *arg)
119 const ipsec_itf_t *itf = arg;
121 ipsec_itf_restack (itpi, itf);
123 return (WALK_CONTINUE);
126 static clib_error_t *
127 ipsec_itf_admin_up_down (vnet_main_t * vnm, u32 hw_if_index, u32 flags)
129 vnet_hw_interface_t *hi;
133 hi = vnet_get_hw_interface (vnm, hw_if_index);
134 hw_flags = (flags & VNET_SW_INTERFACE_FLAG_ADMIN_UP ?
135 VNET_HW_INTERFACE_FLAG_LINK_UP : 0);
136 vnet_hw_interface_set_flags (vnm, hw_if_index, hw_flags);
138 itf = ipsec_itf_find_by_sw_if_index (hi->sw_if_index);
141 ipsec_tun_protect_walk_itf (itf->ii_sw_if_index,
142 ipsec_tun_protect_walk_state_change, itf);
148 ipsec_itf_tunnel_desc (u32 sw_if_index,
149 ip46_address_t * src, ip46_address_t * dst, u8 * is_l2)
151 ip46_address_reset (src);
152 ip46_address_reset (dst);
159 ipsec_itf_build_rewrite (void)
162 * passing the adj code a NULL rewrite means 'i don't have one cos
163 * t'other end is unresolved'. That's not the case here. For the ipsec
164 * tunnel there are just no bytes of encap to apply in the adj.
165 * So return a zero length rewrite. Encap will be added by a tunnel mode SA.
169 vec_validate (rewrite, 0);
170 vec_reset_length (rewrite);
176 ipsec_itf_build_rewrite_i (vnet_main_t * vnm,
178 vnet_link_t link_type, const void *dst_address)
180 return (ipsec_itf_build_rewrite ());
184 ipsec_itf_update_adj (vnet_main_t * vnm, u32 sw_if_index, adj_index_t ai)
186 adj_nbr_midchain_update_rewrite
187 (ai, NULL, NULL, ADJ_FLAG_MIDCHAIN_IP_STACK, ipsec_itf_build_rewrite ());
191 VNET_DEVICE_CLASS (ipsec_itf_device_class) = {
192 .name = "IPSEC Tunnel",
193 .format_device_name = format_ipsec_itf_name,
194 .admin_up_down_function = ipsec_itf_admin_up_down,
195 .ip_tun_desc = ipsec_itf_tunnel_desc,
198 VNET_HW_INTERFACE_CLASS(ipsec_hw_interface_class) = {
200 .build_rewrite = ipsec_itf_build_rewrite_i,
201 .update_adjacency = ipsec_itf_update_adj,
202 .flags = VNET_HW_INTERFACE_CLASS_FLAG_P2P,
204 VNET_HW_INTERFACE_CLASS(ipsec_p2mp_hw_interface_class) = {
206 .build_rewrite = ipsec_itf_build_rewrite_i,
207 .update_adjacency = ipsec_itf_update_adj,
208 .flags = VNET_HW_INTERFACE_CLASS_FLAG_NBMA,
213 * Maintain a bitmap of allocated ipsec_itf instance numbers.
215 #define IPSEC_ITF_MAX_INSTANCE (16 * 1024)
218 ipsec_itf_instance_alloc (u32 want)
221 * Check for dynamically allocated instance number.
227 bit = clib_bitmap_first_clear (ipsec_itf_instances);
228 if (bit >= IPSEC_ITF_MAX_INSTANCE)
232 ipsec_itf_instances = clib_bitmap_set (ipsec_itf_instances, bit, 1);
239 if (want >= IPSEC_ITF_MAX_INSTANCE)
247 if (clib_bitmap_get (ipsec_itf_instances, want))
253 * Grant allocation request.
255 ipsec_itf_instances = clib_bitmap_set (ipsec_itf_instances, want, 1);
261 ipsec_itf_instance_free (u32 instance)
263 if (instance >= IPSEC_ITF_MAX_INSTANCE)
268 if (clib_bitmap_get (ipsec_itf_instances, instance) == 0)
273 ipsec_itf_instances = clib_bitmap_set (ipsec_itf_instances, instance, 0);
278 ipsec_itf_create (u32 user_instance, tunnel_mode_t mode, u32 * sw_if_indexp)
280 vnet_main_t *vnm = vnet_get_main ();
281 u32 instance, hw_if_index;
282 vnet_hw_interface_t *hi;
283 ipsec_itf_t *ipsec_itf;
285 ASSERT (sw_if_indexp);
287 *sw_if_indexp = (u32) ~ 0;
290 * Allocate a ipsec_itf instance. Either select on dynamically
291 * or try to use the desired user_instance number.
293 instance = ipsec_itf_instance_alloc (user_instance);
295 return VNET_API_ERROR_INVALID_REGISTRATION;
297 pool_get (ipsec_itf_pool, ipsec_itf);
299 /* tunnel index (or instance) */
300 u32 t_idx = ipsec_itf - ipsec_itf_pool;
302 ipsec_itf->ii_mode = mode;
303 ipsec_itf->ii_user_instance = instance;
305 hw_if_index = vnet_register_interface (vnm,
306 ipsec_itf_device_class.index,
307 ipsec_itf->ii_user_instance,
308 (mode == TUNNEL_MODE_P2P ?
309 ipsec_hw_interface_class.index :
310 ipsec_p2mp_hw_interface_class.index),
313 hi = vnet_get_hw_interface (vnm, hw_if_index);
314 vnet_sw_interface_set_mtu (vnm, hi->sw_if_index, 9000);
316 vec_validate_init_empty (ipsec_itf_index_by_sw_if_index, hi->sw_if_index,
318 ipsec_itf_index_by_sw_if_index[hi->sw_if_index] = t_idx;
320 ipsec_itf->ii_sw_if_index = *sw_if_indexp = hi->sw_if_index;
326 ipsec_itf_delete (u32 sw_if_index)
328 vnet_main_t *vnm = vnet_get_main ();
330 if (pool_is_free_index (vnm->interface_main.sw_interfaces, sw_if_index))
331 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
333 vnet_hw_interface_t *hw = vnet_get_sup_hw_interface (vnm, sw_if_index);
334 if (hw == 0 || hw->dev_class_index != ipsec_itf_device_class.index)
335 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
337 ipsec_itf_t *ipsec_itf;
338 ipsec_itf = ipsec_itf_find_by_sw_if_index (sw_if_index);
339 if (NULL == ipsec_itf)
340 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
342 if (ipsec_itf_instance_free (hw->dev_instance) < 0)
343 return VNET_API_ERROR_INVALID_SW_IF_INDEX;
345 vnet_reset_interface_l3_output_node (vnm->vlib_main, sw_if_index);
347 vnet_delete_hw_interface (vnm, hw->hw_if_index);
348 pool_put (ipsec_itf_pool, ipsec_itf);
354 ipsec_itf_walk (ipsec_itf_walk_cb_t cb, void *ctx)
358 pool_foreach (itf, ipsec_itf_pool)
360 if (WALK_CONTINUE != cb (itf, ctx))
365 static clib_error_t *
366 ipsec_itf_create_cli (vlib_main_t * vm,
367 unformat_input_t * input, vlib_cli_command_t * cmd)
369 unformat_input_t _line_input, *line_input = &_line_input;
370 u32 instance, sw_if_index;
376 instance = sw_if_index = ~0;
377 mac_address_set_zero (&mac);
379 if (unformat_user (input, unformat_line_input, line_input))
381 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
383 if (unformat (line_input, "instance %d", &instance))
387 error = clib_error_return (0, "unknown input: %U",
388 format_unformat_error, line_input);
393 unformat_free (line_input);
399 rv = ipsec_itf_create (instance, TUNNEL_MODE_P2P, &sw_if_index);
402 return clib_error_return (0, "iPSec interface create failed");
404 vlib_cli_output (vm, "%U\n", format_vnet_sw_if_index_name, vnet_get_main (),
410 * Create a IPSec interface.
413 * The following two command syntaxes are equivalent:
414 * @cliexcmd{ipsec itf create [instance <instance>]}
415 * Example of how to create a ipsec interface:
416 * @cliexcmd{ipsec itf create}
419 VLIB_CLI_COMMAND (ipsec_itf_create_command, static) = {
420 .path = "ipsec itf create",
421 .short_help = "ipsec itf create [instance <instance>]",
422 .function = ipsec_itf_create_cli,
426 static clib_error_t *
427 ipsec_itf_delete_cli (vlib_main_t * vm,
428 unformat_input_t * input, vlib_cli_command_t * cmd)
434 vnm = vnet_get_main ();
437 while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT)
440 (input, "%U", unformat_vnet_sw_interface, vnm, &sw_if_index))
446 if (~0 != sw_if_index)
448 rv = ipsec_itf_delete (sw_if_index);
451 return clib_error_return (0, "ipsec interface delete failed");
454 return clib_error_return (0, "no such interface: %U",
455 format_unformat_error, input);
461 * Delete a IPSEC_ITF interface.
464 * The following two command syntaxes are equivalent:
465 * @cliexcmd{ipsec itf delete <interface>}
466 * Example of how to create a ipsec_itf interface:
467 * @cliexcmd{ipsec itf delete ipsec0}
470 VLIB_CLI_COMMAND (ipsec_itf_delete_command, static) = {
471 .path = "ipsec itf delete",
472 .short_help = "ipsec itf delete <interface>",
473 .function = ipsec_itf_delete_cli,
477 static clib_error_t *
478 ipsec_interface_show (vlib_main_t * vm,
479 unformat_input_t * input, vlib_cli_command_t * cmd)
484 pool_foreach_index (ii, ipsec_itf_pool)
486 vlib_cli_output (vm, "%U", format_ipsec_itf, ii);
494 * show IPSEC tunnel protection hash tables
497 VLIB_CLI_COMMAND (ipsec_interface_show_node, static) =
499 .path = "show ipsec interface",
500 .function = ipsec_interface_show,
501 .short_help = "show ipsec interface",
506 * fd.io coding-style-patch-verification: ON
509 * eval: (c-set-style "gnu")