#include <vnet/api_errno.h>
#include <vnet/ip/ip.h>
#include <vnet/ip/ip_types_api.h>
+#include <vnet/ipsec/ipsec_types_api.h>
+#include <vnet/tunnel/tunnel_types_api.h>
#include <vnet/fib/fib.h>
#include <vnet/ipip/ipip.h>
#if WITH_LIBSSL > 0
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/ipsec_tun.h>
+#include <vnet/ipsec/ipsec_itf.h>
#endif /* IPSEC */
#define vl_typedefs /* define message structures */
_(IPSEC_SPDS_DUMP, ipsec_spds_dump) \
_(IPSEC_SPD_DUMP, ipsec_spd_dump) \
_(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
+_(IPSEC_ITF_CREATE, ipsec_itf_create) \
+_(IPSEC_ITF_DELETE, ipsec_itf_delete) \
+_(IPSEC_ITF_DUMP, ipsec_itf_dump) \
_(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
_(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
_(IPSEC_SELECT_BACKEND, ipsec_select_backend) \
vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
vl_api_ipsec_tunnel_protect_update_reply_t *rmp;
u32 sw_if_index, ii, *sa_ins = NULL;
+ ip_address_t nh;
int rv;
sw_if_index = ntohl (mp->tunnel.sw_if_index);
for (ii = 0; ii < mp->tunnel.n_sa_in; ii++)
vec_add1 (sa_ins, ntohl (mp->tunnel.sa_in[ii]));
- rv = ipsec_tun_protect_update (sw_if_index,
+ ip_address_decode2 (&mp->tunnel.nh, &nh);
+
+ rv = ipsec_tun_protect_update (sw_if_index, &nh,
ntohl (mp->tunnel.sa_out), sa_ins);
#else
rv = VNET_API_ERROR_UNIMPLEMENTED;
{
vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
vl_api_ipsec_tunnel_protect_del_reply_t *rmp;
- int rv;
+ ip_address_t nh;
u32 sw_if_index;
+ int rv;
sw_if_index = ntohl (mp->sw_if_index);
VALIDATE_SW_IF_INDEX (mp);
#if WITH_LIBSSL > 0
- rv = ipsec_tun_protect_del (sw_if_index);
+ ip_address_decode2 (&mp->nh, &nh);
+ rv = ipsec_tun_protect_del (sw_if_index, &nh);
#else
rv = VNET_API_ERROR_UNIMPLEMENTED;
#endif
ipsec_dump_walk_ctx_t *ctx = arg;
vl_api_ipsec_tunnel_protect_details_t *mp;
ipsec_tun_protect_t *itp;
- u32 sai, ii = 0;
+ u32 ii = 0;
+ ipsec_sa_t *sa;
itp = ipsec_tun_protect_get (itpi);
-
mp = vl_msg_api_alloc (sizeof (*mp) + (sizeof (u32) * itp->itp_n_sa_in));
clib_memset (mp, 0, sizeof (*mp));
mp->_vl_msg_id = ntohs (VL_API_IPSEC_TUNNEL_PROTECT_DETAILS);
mp->context = ctx->context;
mp->tun.sw_if_index = htonl (itp->itp_sw_if_index);
+ ip_address_encode2 (itp->itp_key, &mp->tun.nh);
- mp->tun.sa_out = htonl (itp->itp_out_sa);
+ sa = ipsec_sa_get (itp->itp_out_sa);
+ mp->tun.sa_out = htonl (sa->id);
mp->tun.n_sa_in = itp->itp_n_sa_in;
/* *INDENT-OFF* */
- FOR_EACH_IPSEC_PROTECT_INPUT_SAI(itp, sai,
+ FOR_EACH_IPSEC_PROTECT_INPUT_SA(itp, sa,
({
- mp->tun.sa_in[ii++] = htonl (sai);
+ mp->tun.sa_in[ii++] = htonl (sa->id);
}));
/* *INDENT-ON* */
}
else
{
- index_t itpi;
-
- itpi = ipsec_tun_protect_find (sw_if_index);
-
- if (INDEX_INVALID != itpi)
- send_ipsec_tunnel_protect_details (itpi, &ctx);
+ ipsec_tun_protect_walk_itf (sw_if_index,
+ send_ipsec_tunnel_protect_details, &ctx);
}
#else
clib_warning ("unimplemented");
/* *INDENT-ON* */
}
-static int
-ipsec_proto_decode (vl_api_ipsec_proto_t in, ipsec_protocol_t * out)
-{
- in = clib_net_to_host_u32 (in);
-
- switch (in)
- {
- case IPSEC_API_PROTO_ESP:
- *out = IPSEC_PROTOCOL_ESP;
- return (0);
- case IPSEC_API_PROTO_AH:
- *out = IPSEC_PROTOCOL_AH;
- return (0);
- }
- return (VNET_API_ERROR_INVALID_PROTOCOL);
-}
-
-static vl_api_ipsec_proto_t
-ipsec_proto_encode (ipsec_protocol_t p)
-{
- switch (p)
- {
- case IPSEC_PROTOCOL_ESP:
- return clib_host_to_net_u32 (IPSEC_API_PROTO_ESP);
- case IPSEC_PROTOCOL_AH:
- return clib_host_to_net_u32 (IPSEC_API_PROTO_AH);
- }
- return (VNET_API_ERROR_UNIMPLEMENTED);
-}
-
-static int
-ipsec_crypto_algo_decode (vl_api_ipsec_crypto_alg_t in,
- ipsec_crypto_alg_t * out)
-{
- in = clib_net_to_host_u32 (in);
-
- switch (in)
- {
-#define _(v,f,s) case IPSEC_API_CRYPTO_ALG_##f: \
- *out = IPSEC_CRYPTO_ALG_##f; \
- return (0);
- foreach_ipsec_crypto_alg
-#undef _
- }
- return (VNET_API_ERROR_INVALID_ALGORITHM);
-}
-
-static vl_api_ipsec_crypto_alg_t
-ipsec_crypto_algo_encode (ipsec_crypto_alg_t c)
-{
- switch (c)
- {
-#define _(v,f,s) case IPSEC_CRYPTO_ALG_##f: \
- return clib_host_to_net_u32(IPSEC_API_CRYPTO_ALG_##f);
- foreach_ipsec_crypto_alg
-#undef _
- case IPSEC_CRYPTO_N_ALG:
- break;
- }
- ASSERT (0);
- return (VNET_API_ERROR_UNIMPLEMENTED);
-}
-
-static int
-ipsec_integ_algo_decode (vl_api_ipsec_integ_alg_t in, ipsec_integ_alg_t * out)
-{
- in = clib_net_to_host_u32 (in);
-
- switch (in)
- {
-#define _(v,f,s) case IPSEC_API_INTEG_ALG_##f: \
- *out = IPSEC_INTEG_ALG_##f; \
- return (0);
- foreach_ipsec_integ_alg
-#undef _
- }
- return (VNET_API_ERROR_INVALID_ALGORITHM);
-}
-
-static vl_api_ipsec_integ_alg_t
-ipsec_integ_algo_encode (ipsec_integ_alg_t i)
-{
- switch (i)
- {
-#define _(v,f,s) case IPSEC_INTEG_ALG_##f: \
- return (clib_host_to_net_u32(IPSEC_API_INTEG_ALG_##f));
- foreach_ipsec_integ_alg
-#undef _
- case IPSEC_INTEG_N_ALG:
- break;
- }
- ASSERT (0);
- return (VNET_API_ERROR_UNIMPLEMENTED);
-}
-
-static void
-ipsec_key_decode (const vl_api_key_t * key, ipsec_key_t * out)
-{
- ipsec_mk_key (out, key->data, key->length);
-}
-
-static void
-ipsec_key_encode (const ipsec_key_t * in, vl_api_key_t * out)
-{
- out->length = in->len;
- clib_memcpy (out->data, in->data, out->length);
-}
-
-static ipsec_sa_flags_t
-ipsec_sa_flags_decode (vl_api_ipsec_sad_flags_t in)
-{
- ipsec_sa_flags_t flags = IPSEC_SA_FLAG_NONE;
- in = clib_net_to_host_u32 (in);
-
- if (in & IPSEC_API_SAD_FLAG_USE_ESN)
- flags |= IPSEC_SA_FLAG_USE_ESN;
- if (in & IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
- flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
- if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL)
- flags |= IPSEC_SA_FLAG_IS_TUNNEL;
- if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL_V6)
- flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
- if (in & IPSEC_API_SAD_FLAG_UDP_ENCAP)
- flags |= IPSEC_SA_FLAG_UDP_ENCAP;
-
- return (flags);
-}
-
-static vl_api_ipsec_sad_flags_t
-ipsec_sad_flags_encode (const ipsec_sa_t * sa)
-{
- vl_api_ipsec_sad_flags_t flags = IPSEC_API_SAD_FLAG_NONE;
-
- if (ipsec_sa_is_set_USE_ESN (sa))
- flags |= IPSEC_API_SAD_FLAG_USE_ESN;
- if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
- flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
- if (ipsec_sa_is_set_IS_TUNNEL (sa))
- flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL;
- if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
- flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
- if (ipsec_sa_is_set_UDP_ENCAP (sa))
- flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
-
- return clib_host_to_net_u32 (flags);
-}
-
static void vl_api_ipsec_sad_entry_add_del_t_handler
(vl_api_ipsec_sad_entry_add_del_t * mp)
{
crypto_alg, &crypto_key,
integ_alg, &integ_key, flags,
0, mp->entry.salt, &tun_src, &tun_dst,
- &sa_index);
+ &sa_index, htons (mp->entry.udp_src_port),
+ htons (mp->entry.udp_dst_port));
else
rv = ipsec_sa_unlock_id (id);
rv = ipip_add_tunnel (transport,
(mp->renumber ? ntohl (mp->show_instance) : ~0),
&local_ip,
- &remote_ip, fib_index, 0, &sw_if_index);
+ &remote_ip, fib_index,
+ TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
+ TUNNEL_MODE_P2P, &sw_if_index);
if (rv)
goto done;
&integ_key,
(flags | IPSEC_SA_FLAG_IS_INBOUND),
ntohl (mp->tx_table_id),
- mp->salt, &remote_ip, &local_ip, NULL);
+ mp->salt, &remote_ip, &local_ip, NULL,
+ IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
if (rv)
goto done;
&integ_key,
flags,
ntohl (mp->tx_table_id),
- mp->salt, &local_ip, &remote_ip, NULL);
+ mp->salt, &local_ip, &remote_ip, NULL,
+ IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
if (rv)
goto done;
- rv = ipsec_tun_protect_update_one (sw_if_index,
+ rv = ipsec_tun_protect_update_one (sw_if_index, NULL,
ipsec_tun_mk_output_sa_id
(sw_if_index),
ipsec_tun_mk_input_sa_id
if (NULL != t)
{
- rv = ipsec_tun_protect_del (t->sw_if_index);
+ rv = ipsec_tun_protect_del (t->sw_if_index, NULL);
ipip_del_tunnel (t->sw_if_index);
}
else
/* *INDENT-ON* */
}
+static void
+vl_api_ipsec_itf_create_t_handler (vl_api_ipsec_itf_create_t * mp)
+{
+ vl_api_ipsec_itf_create_reply_t *rmp;
+ tunnel_mode_t mode;
+ u32 sw_if_index = ~0;
+ int rv;
+
+ rv = tunnel_mode_decode (mp->itf.mode, &mode);
+
+ if (!rv)
+ rv = ipsec_itf_create (ntohl (mp->itf.user_instance), mode, &sw_if_index);
+
+ /* *INDENT-OFF* */
+ REPLY_MACRO2 (VL_API_IPSEC_ITF_CREATE_REPLY,
+ ({
+ rmp->sw_if_index = htonl (sw_if_index);
+ }));
+ /* *INDENT-ON* */
+}
+
+static void
+vl_api_ipsec_itf_delete_t_handler (vl_api_ipsec_itf_delete_t * mp)
+{
+ vl_api_ipsec_itf_delete_reply_t *rmp;
+ int rv;
+
+ rv = ipsec_itf_delete (ntohl (mp->sw_if_index));
+
+ REPLY_MACRO (VL_API_IPSEC_ITF_DELETE_REPLY);
+}
+
+static void
+vl_api_ipsec_itf_dump_t_handler (vl_api_ipsec_itf_dump_t * mp)
+{
+}
+
typedef struct ipsec_sa_dump_match_ctx_t_
{
index_t sai;
ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
&mp->entry.tunnel_dst);
}
+ if (ipsec_sa_is_set_UDP_ENCAP (sa))
+ {
+ mp->entry.udp_src_port = sa->udp_hdr.src_port;
+ mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
+ }
mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
+ mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
+
vl_api_send_msg (ctx->reg, (u8 *) mp);
return (WALK_CONTINUE);
VALIDATE_SW_IF_INDEX(mp);
if (mp->is_outbound)
- rv = ipsec_tun_protect_update_out (ntohl (mp->sw_if_index),
+ rv = ipsec_tun_protect_update_out (ntohl (mp->sw_if_index), NULL,
ntohl (mp->sa_id));
else
- rv = ipsec_tun_protect_update_in (ntohl (mp->sw_if_index),
+ rv = ipsec_tun_protect_update_in (ntohl (mp->sw_if_index), NULL,
ntohl (mp->sa_id));
#else
static clib_error_t *
ipsec_api_hookup (vlib_main_t * vm)
{
- api_main_t *am = &api_main;
+ api_main_t *am = vlibapi_get_main ();
#define _(N,n) \
vl_msg_api_set_handlers(VL_API_##N, #n, \
foreach_vpe_api_msg;
#undef _
- /*
- * Adding and deleting SAs is MP safe since when they are added/delete
- * no traffic is using them
- */
- am->is_mp_safe[VL_API_IPSEC_SAD_ENTRY_ADD_DEL] = 1;
- am->is_mp_safe[VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY] = 1;
-
/*
* Set up the (msg_name, crc, message-id) table
*/