misc: move to new pool_foreach macros
[vpp.git] / src / vnet / ipsec / ipsec_cli.c
index 0d1ab03..407ae86 100644 (file)
@@ -36,6 +36,7 @@ set_interface_spd_command_fn (vlib_main_t * vm,
   u32 spd_id;
   int is_add = 1;
   clib_error_t *error = NULL;
+  int err;
 
   if (!unformat_user (input, unformat_line_input, line_input))
     return 0;
@@ -53,7 +54,16 @@ set_interface_spd_command_fn (vlib_main_t * vm,
       goto done;
     }
 
-  ipsec_set_interface_spd (vm, sw_if_index, spd_id, is_add);
+  err = ipsec_set_interface_spd (vm, sw_if_index, spd_id, is_add);
+  switch (err)
+    {
+    case VNET_API_ERROR_SYSCALL_ERROR_1:
+      error = clib_error_return (0, "no such spd-id");
+      break;
+    case VNET_API_ERROR_SYSCALL_ERROR_2:
+      error = clib_error_return (0, "spd already assigned");
+      break;
+    }
 
 done:
   unformat_free (line_input);
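Review bot: The `switch (err)` has no `default`, so any non-zero return from `ipsec_set_interface_spd` other than the two mapped codes leaves `error` NULL and the CLI reports success even though the SPD binding may not have taken effect. For a command that attaches security policy to an interface, a silent failure is worse than a vague message. Add `case 0: break;` and `default: error = clib_error_return (0, "set interface spd failed: %d", err); break;`. The function body starts and ends outside the hunk.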
@@ -90,6 +100,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
   u16 udp_src, udp_dst;
   int is_add, rv;
   u32 m_args = 0;
+  ip_dscp_t dscp;
+  u32 tx_table_id;
 
   salt = 0;
   error = NULL;
@@ -99,6 +111,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
   integ_alg = IPSEC_INTEG_ALG_NONE;
   crypto_alg = IPSEC_CRYPTO_ALG_NONE;
   udp_src = udp_dst = IPSEC_UDP_PORT_NONE;
+  dscp = IP_DSCP_CS0;
+  tx_table_id = 0;
 
   if (!unformat_user (input, unformat_line_input, line_input))
     return 0;
@@ -144,6 +158,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
       else if (unformat (line_input, "tunnel-dst %U",
                         unformat_ip46_address, &tun_dst, IP46_TYPE_ANY))
        ;
+      else if (unformat (line_input, "tx-table-id %d", &tx_table_id))
+       ;
       else if (unformat (line_input, "inbound"))
        flags |= IPSEC_SA_FLAG_IS_INBOUND;
       else if (unformat (line_input, "use-anti-replay"))
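Review bot: `tx-table-id` is read with `%d` into a `u32`, so a negative value typed on the command line would presumably be stored as a very large table id rather than rejected; `else if (unformat (line_input, "tx-table-id %u", &tx_table_id))` matches the variable's type. Whether `ipsec_sa_add_and_lock` rejects an id that has no FIB table behind it is not visible here, so confirm that an unknown table produces a CLI error rather than an SA bound to an unintended table. The command's `.short_help`, outside this hunk, should also list `[tx-table-id <id>]`.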
@@ -181,8 +197,10 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
        }
       rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg,
                                  &ck, integ_alg, &ik, flags,
-                                 0, clib_host_to_net_u32 (salt),
-                                 &tun_src, &tun_dst, &sai, udp_src, udp_dst);
+                                 tx_table_id, clib_host_to_net_u32 (salt),
+                                 &tun_src, &tun_dst,
+                                 TUNNEL_ENCAP_DECAP_FLAG_NONE, dscp,
+                                 &sai, udp_src, udp_dst);
     }
   else
     {
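Review bot: `dscp` is passed to `ipsec_sa_add_and_lock`, but in the hunks shown it is only ever assigned `IP_DSCP_CS0` and no option parses it, so the local adds nothing over the constant. Either pass `IP_DSCP_CS0` directly, as `create_ipsec_tunnel_command_fn` does, or add the matching `unformat` branch so the value can actually be set from the CLI. The enclosing function continues outside the hunk.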
@@ -406,10 +424,10 @@ ipsec_sa_show_all (vlib_main_t * vm, ipsec_main_t * im, u8 detail)
   u32 sai;
 
   /* *INDENT-OFF* */
-  pool_foreach_index (sai, im->sad, ({
+  pool_foreach_index (sai, im->sad)  {
     vlib_cli_output(vm, "%U", format_ipsec_sa, sai,
                     (detail ? IPSEC_FORMAT_DETAIL : IPSEC_FORMAT_BRIEF));
-  }));
+  }
   /* *INDENT-ON* */
 }
 
@@ -419,9 +437,9 @@ ipsec_spd_show_all (vlib_main_t * vm, ipsec_main_t * im)
   u32 spdi;
 
   /* *INDENT-OFF* */
-  pool_foreach_index (spdi, im->spds, ({
+  pool_foreach_index (spdi, im->spds)  {
     vlib_cli_output(vm, "%U", format_ipsec_spd, spdi);
-  }));
+  }
   /* *INDENT-ON* */
 }
 
@@ -527,9 +545,9 @@ clear_ipsec_sa_command_fn (vlib_main_t * vm,
   if (~0 == sai)
     {
       /* *INDENT-OFF* */
-      pool_foreach_index (sai, im->sad, ({
+      pool_foreach_index (sai, im->sad)  {
         ipsec_sa_clear(sai);
-      }));
+      }
       /* *INDENT-ON* */
     }
   else
@@ -625,7 +643,7 @@ ipsec_show_backends_command_fn (vlib_main_t * vm,
   u8 *s = format (NULL, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
   ipsec_ah_backend_t *ab;
   /* *INDENT-OFF* */
-  pool_foreach (ab, im->ah_backends, {
+  pool_foreach (ab, im->ah_backends) {
     s = format (s, "%=25s %=25u %=10s\n", ab->name, ab - im->ah_backends,
                 ab - im->ah_backends == im->ah_current_backend ? "yes" : "no");
     if (verbose) {
@@ -639,7 +657,7 @@ ipsec_show_backends_command_fn (vlib_main_t * vm,
         n = vlib_get_node (vm, ab->ah6_decrypt_node_index);
         s = format (s, "     dec6 %s (next %d)\n", n->name, ab->ah6_decrypt_next_index);
     }
-  });
+  }
   /* *INDENT-ON* */
   vlib_cli_output (vm, "%v", s);
   _vec_len (s) = 0;
@@ -647,7 +665,7 @@ ipsec_show_backends_command_fn (vlib_main_t * vm,
   s = format (s, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
   ipsec_esp_backend_t *eb;
   /* *INDENT-OFF* */
-  pool_foreach (eb, im->esp_backends, {
+  pool_foreach (eb, im->esp_backends) {
     s = format (s, "%=25s %=25u %=10s\n", eb->name, eb - im->esp_backends,
                 eb - im->esp_backends == im->esp_current_backend ? "yes"
                                                                  : "no");
@@ -662,7 +680,7 @@ ipsec_show_backends_command_fn (vlib_main_t * vm,
         n = vlib_get_node (vm, eb->esp6_decrypt_node_index);
         s = format (s, "     dec6 %s (next %d)\n", n->name, eb->esp6_decrypt_next_index);
     }
-  });
+  }
   /* *INDENT-ON* */
   vlib_cli_output (vm, "%v", s);
 
@@ -910,16 +928,18 @@ create_ipsec_tunnel_command_fn (vlib_main_t * vm,
                               local_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
                               &lck, integ_alg, &lik, flags, table_id,
                               clib_host_to_net_u32 (salt), &local_ip,
-                              &remote_ip, NULL, IPSEC_UDP_PORT_NONE,
-                              IPSEC_UDP_PORT_NONE);
+                              &remote_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+                              IP_DSCP_CS0, NULL,
+                              IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
       rv |=
        ipsec_sa_add_and_lock (ipsec_tun_mk_remote_sa_id (sw_if_index),
                               remote_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
                               &rck, integ_alg, &rik,
                               (flags | IPSEC_SA_FLAG_IS_INBOUND), table_id,
                               clib_host_to_net_u32 (salt), &remote_ip,
-                              &local_ip, NULL, IPSEC_UDP_PORT_NONE,
-                              IPSEC_UDP_PORT_NONE);
+                              &local_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
+                              IP_DSCP_CS0, NULL,
+                              IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
       rv |=
        ipsec_tun_protect_update_one (sw_if_index, &nh,
                                      ipsec_tun_mk_local_sa_id (sw_if_index),
@@ -997,6 +1017,8 @@ ipsec_tun_protect_cmd (vlib_main_t * vm,
 
   if (!is_del)
     ipsec_tun_protect_update (sw_if_index, &peer, sa_out, sa_ins);
+  else
+    ipsec_tun_protect_del (sw_if_index, &peer);
 
   unformat_free (line_input);
   return NULL;
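Review bot: The result of the new `ipsec_tun_protect_del (sw_if_index, &peer)` call is discarded, as is that of `ipsec_tun_protect_update`, and the function returns NULL either way, so a failed delete or update is reported to the operator as success. If these return a status, as `ipsec_tun_protect_update_one` does in `create_ipsec_tunnel_command_fn`, capture it and report it, e.g. `rv = ipsec_tun_protect_del (sw_if_index, &peer);` followed by `if (rv) error = clib_error_return (0, "tunnel protect failed: %d", rv);`. `rv` and `error` would need declaring in the part of the function outside this hunk, and the error path must still reach `unformat_free (line_input)`.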
@@ -1010,7 +1032,7 @@ VLIB_CLI_COMMAND (ipsec_tun_protect_cmd_node, static) =
 {
   .path = "ipsec tunnel protect",
   .function = ipsec_tun_protect_cmd,
-  .short_help = "ipsec tunnel protect <interface> input-sa <SA> output-sa <SA>",
+  .short_help = "ipsec tunnel protect <interface> input-sa <SA> output-sa <SA> [add|del]",
     // this is not MP safe
 };
 /* *INDENT-ON* */
@@ -1037,6 +1059,28 @@ VLIB_CLI_COMMAND (ipsec_tun_protect_show_node, static) =
 };
 /* *INDENT-ON* */
 
+static int
+ipsec_tun_protect4_hash_show_one (clib_bihash_kv_8_16_t * kv, void *arg)
+{
+  ipsec4_tunnel_kv_t *ikv = (ipsec4_tunnel_kv_t *) kv;
+  vlib_main_t *vm = arg;
+
+  vlib_cli_output (vm, " %U", format_ipsec4_tunnel_kv, ikv);
+
+  return (BIHASH_WALK_CONTINUE);
+}
+
+static int
+ipsec_tun_protect6_hash_show_one (clib_bihash_kv_24_16_t * kv, void *arg)
+{
+  ipsec6_tunnel_kv_t *ikv = (ipsec6_tunnel_kv_t *) kv;
+  vlib_main_t *vm = arg;
+
+  vlib_cli_output (vm, " %U", format_ipsec6_tunnel_kv, ikv);
+
+  return (BIHASH_WALK_CONTINUE);
+}
+
 static clib_error_t *
 ipsec_tun_protect_hash_show (vlib_main_t * vm,
                             unformat_input_t * input,
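Review bot: Both walk callbacks reinterpret the bihash key/value pointer as `ipsec4_tunnel_kv_t` / `ipsec6_tunnel_kv_t` with a plain cast, and nothing in the hunk ties the two layouts together. If no such check exists where the types are declared, `STATIC_ASSERT (sizeof (ipsec4_tunnel_kv_t) == sizeof (clib_bihash_kv_8_16_t), "kv size mismatch");` and its 24_16 equivalent would catch a layout drift at compile time rather than at print time. A one-line comment above each callback, such as `/* bihash walk callback: print one tunnel-protect entry; arg is the vlib_main_t */`, would document the `void *arg` contract.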
@@ -1045,33 +1089,15 @@ ipsec_tun_protect_hash_show (vlib_main_t * vm,
   ipsec_main_t *im = &ipsec_main;
 
   {
-    ipsec_tun_lkup_result_t value;
-    ipsec4_tunnel_key_t key;
-
     vlib_cli_output (vm, "IPv4:");
 
-    /* *INDENT-OFF* */
-    hash_foreach(key.as_u64, value.as_u64, im->tun4_protect_by_key,
-    ({
-      vlib_cli_output (vm, " %U", format_ipsec4_tunnel_key, &key);
-      vlib_cli_output (vm, "  tun:%d sa:%d", value.tun_index, value.sa_index);
-    }));
-    /* *INDENT-ON* */
-  }
-
-  {
-    ipsec_tun_lkup_result_t value;
-    ipsec6_tunnel_key_t *key;
+    clib_bihash_foreach_key_value_pair_8_16
+      (&im->tun4_protect_by_key, ipsec_tun_protect4_hash_show_one, vm);
 
     vlib_cli_output (vm, "IPv6:");
 
-    /* *INDENT-OFF* */
-    hash_foreach_mem(key, value.as_u64, im->tun6_protect_by_key,
-    ({
-      vlib_cli_output (vm, " %U", format_ipsec6_tunnel_key, key);
-      vlib_cli_output (vm, "  tun:%d sa:%d", value.tun_index, value.sa_index);
-    }));
-    /* *INDENT-ON* */
+    clib_bihash_foreach_key_value_pair_24_16
+      (&im->tun6_protect_by_key, ipsec_tun_protect6_hash_show_one, vm);
   }
 
   return NULL;
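Review bot: The bare `{ ... }` scope around the two walks is left over from the removed `key`/`value` locals and now declares nothing, so it only adds an indent level. Dropping the braces and putting the "IPv4:" and "IPv6:" sections at function level would read more plainly. The function's signature starts in the previous hunk.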