+static clib_error_t *
+ipsec_tun_protect_cmd (vlib_main_t * vm,
+ unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+ unformat_input_t _line_input, *line_input = &_line_input;
+ u32 sw_if_index, is_del, sa_in, sa_out, *sa_ins = NULL;
+ ip_address_t peer = { };
+ vnet_main_t *vnm;
+
+ is_del = 0;
+ sw_if_index = ~0;
+ vnm = vnet_get_main ();
+
+ if (!unformat_user (input, unformat_line_input, line_input))
+ return 0;
+
+ while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (line_input, "del"))
+ is_del = 1;
+ else if (unformat (line_input, "add"))
+ is_del = 0;
+ else if (unformat (line_input, "sa-in %d", &sa_in))
+ vec_add1 (sa_ins, sa_in);
+ else if (unformat (line_input, "sa-out %d", &sa_out))
+ ;
+ else if (unformat (line_input, "%U",
+ unformat_vnet_sw_interface, vnm, &sw_if_index))
+ ;
+ else if (unformat (line_input, "%U", unformat_ip_address, &peer))
+ ;
+ else
+ return (clib_error_return (0, "unknown input '%U'",
+ format_unformat_error, line_input));
+ }
+
+ if (!is_del)
+ ipsec_tun_protect_update (sw_if_index, &peer, sa_out, sa_ins);
+
+ unformat_free (line_input);
+ return NULL;
+}
+
+/**
+ * Protect tunnel with IPSEC
+ */
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (ipsec_tun_protect_cmd_node, static) =
+{
+ .path = "ipsec tunnel protect",
+ .function = ipsec_tun_protect_cmd,
+ .short_help = "ipsec tunnel protect <interface> input-sa <SA> output-sa <SA>",
+ // this is not MP safe
+};
+/* *INDENT-ON* */
+
+
+static clib_error_t *
+ipsec_tun_protect_show (vlib_main_t * vm,
+ unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+ ipsec_tun_protect_walk (ipsec_tun_protect_show_one, vm);
+
+ return NULL;
+}
+
+/**
+ * show IPSEC tunnel protection
+ */
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (ipsec_tun_protect_show_node, static) =
+{
+ .path = "show ipsec protect",
+ .function = ipsec_tun_protect_show,
+ .short_help = "show ipsec protect",
+};
+/* *INDENT-ON* */
+
+static clib_error_t *
+ipsec_tun_protect_hash_show (vlib_main_t * vm,
+ unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ ipsec_main_t *im = &ipsec_main;
+
+ {
+ ipsec_tun_lkup_result_t value;
+ ipsec4_tunnel_key_t key;
+
+ vlib_cli_output (vm, "IPv4:");
+
+ /* *INDENT-OFF* */
+ hash_foreach(key.as_u64, value.as_u64, im->tun4_protect_by_key,
+ ({
+ vlib_cli_output (vm, " %U", format_ipsec4_tunnel_key, &key);
+ vlib_cli_output (vm, " tun:%d sa:%d", value.tun_index, value.sa_index);
+ }));
+ /* *INDENT-ON* */
+ }
+
+ {
+ ipsec_tun_lkup_result_t value;
+ ipsec6_tunnel_key_t *key;
+
+ vlib_cli_output (vm, "IPv6:");
+
+ /* *INDENT-OFF* */
+ hash_foreach_mem(key, value.as_u64, im->tun6_protect_by_key,
+ ({
+ vlib_cli_output (vm, " %U", format_ipsec6_tunnel_key, key);
+ vlib_cli_output (vm, " tun:%d sa:%d", value.tun_index, value.sa_index);
+ }));
+ /* *INDENT-ON* */
+ }
+
+ return NULL;
+}
+
+/**
+ * show IPSEC tunnel protection hash tables
+ */
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (ipsec_tun_protect_hash_show_node, static) =
+{
+ .path = "show ipsec protect-hash",
+ .function = ipsec_tun_protect_hash_show,
+ .short_help = "show ipsec protect-hash",
+};
+/* *INDENT-ON* */
+
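Review bot: In `ipsec_tun_protect_cmd`, `sa_out` is passed to `ipsec_tun_protect_update` uninitialised when the operator omits `sa-out`, and `sw_if_index` is still `~0` when no interface parses, so protection can be configured with an indeterminate outbound SA id or an invalid interface. Initialise `sa_out = ~0` and reject the command before the update call if either value is unset. The `unknown input` return also skips `unformat_free (line_input)` and leaves `sa_ins` allocated, so it should go through a common exit; whether the update call keeps `sa_ins` is not visible here, so the success path needs confirming. Separately, `del` is parsed but no delete is performed, and `.short_help` advertises `input-sa`/`output-sa` while the parser accepts `sa-in`/`sa-out`. The hunk header and the rest of the file are outside this view.

```c
  u32 sw_if_index, is_del, sa_in, sa_out, *sa_ins = NULL;
  clib_error_t *error = NULL;
  /* ... unchanged: peer, vnm ... */

  is_del = 0;
  sw_if_index = ~0;
  sa_out = ~0;			/* sentinel: no outbound SA given */

  /* ... unchanged: unformat_user, keyword parsing ... */
      else
        {
          error = clib_error_return (0, "unknown input '%U'",
                                     format_unformat_error, line_input);
          goto done;
        }
    }

  if (!is_del)
    {
      if (~0 == sw_if_index || ~0 == sa_out)
        {
          error = clib_error_return (0, "interface and sa-out are required");
          goto done;
        }
      ipsec_tun_protect_update (sw_if_index, &peer, sa_out, sa_ins);
      sa_ins = NULL;		/* TODO confirm: assumes the update call keeps the vector */
    }

done:
  vec_free (sa_ins);
  unformat_free (line_input);
  return error;
```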