ipsec: huge anti-replay window support

[vpp.git] / src / vnet / ipsec / ipsec_cli.c

diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 95e8145..5aef630 100644 (file)
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -88,6 +88,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
   unformat_input_t _line_input, *line_input = &_line_input;
   ipsec_crypto_alg_t crypto_alg;
   ipsec_integ_alg_t integ_alg;
+  u32 anti_replay_window_size;
   ipsec_protocol_t proto;
   ipsec_sa_flags_t flags;
   clib_error_t *error;
@@ -105,6 +106,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
   is_add = 0;
   flags = IPSEC_SA_FLAG_NONE;
   proto = IPSEC_PROTOCOL_ESP;
+  anti_replay_window_size = 0;
   integ_alg = IPSEC_INTEG_ALG_NONE;
   crypto_alg = IPSEC_CRYPTO_ALG_NONE;
   udp_src = udp_dst = IPSEC_UDP_PORT_NONE;
@@ -143,7 +145,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
       else if (unformat (line_input, "integ-alg %U",
                         unformat_ipsec_integ_alg, &integ_alg))
        ;
-      else if (unformat (line_input, " %U", unformat_tunnel, &tun))
+      else if (unformat (line_input, "%U", unformat_tunnel, &tun))
        {
          flags |= IPSEC_SA_FLAG_IS_TUNNEL;
          if (AF_IP6 == tunnel_get_af (&tun))
@@ -153,6 +155,9 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
        udp_src = i;
       else if (unformat (line_input, "udp-dst-port %d", &i))
        udp_dst = i;
+      else if (unformat (line_input, "anti-replay-size %d",
+                        &anti_replay_window_size))
+       flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
       else if (unformat (line_input, "inbound"))
        flags |= IPSEC_SA_FLAG_IS_INBOUND;
       else if (unformat (line_input, "use-anti-replay"))
@@ -184,9 +189,10 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
          error = clib_error_return (0, "missing spi");
          goto done;
        }
-      rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &ck, integ_alg,
-                                 &ik, flags, clib_host_to_net_u32 (salt),
-                                 udp_src, udp_dst, &tun, &sai);
+      rv =
+       ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &ck, integ_alg, &ik,
+                              flags, clib_host_to_net_u32 (salt), udp_src,
+                              udp_dst, anti_replay_window_size, &tun, &sai);
     }
   else
     {
@@ -211,6 +217,71 @@ VLIB_CLI_COMMAND (ipsec_sa_add_del_command, static) = {
 };
 /* *INDENT-ON* */
 
+static clib_error_t *
+ipsec_sa_bind_cli (vlib_main_t *vm, unformat_input_t *input,
+                  vlib_cli_command_t *cmd)
+{
+  unformat_input_t _line_input, *line_input = &_line_input;
+  u32 id = ~0;
+  u32 worker = ~0;
+  bool bind = 1;
+  int rv;
+  clib_error_t *error = NULL;
+
+  if (!unformat_user (input, unformat_line_input, line_input))
+    return 0;
+
+  while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
+    {
+      if (unformat (line_input, "unbind"))
+       bind = 0;
+      else if (id == ~0 && unformat (line_input, "%u", &id))
+       ;
+      else if (unformat (line_input, "%u", &worker))
+       ;
+      else
+       {
+         error = clib_error_return (0, "parse error: '%U'",
+                                    format_unformat_error, line_input);
+         goto done;
+       }
+    }
+
+  if (id == ~0)
+    {
+      error = clib_error_return (0, "please specify SA ID");
+      goto done;
+    }
+
+  if (bind && ~0 == worker)
+    {
+      error = clib_error_return (0, "please specify worker to bind to");
+      goto done;
+    }
+
+  rv = ipsec_sa_bind (id, worker, bind);
+  switch (rv)
+    {
+    case VNET_API_ERROR_INVALID_VALUE:
+      error = clib_error_return (0, "please specify a valid SA ID");
+      break;
+    case VNET_API_ERROR_INVALID_WORKER:
+      error = clib_error_return (0, "please specify a valid worker index");
+      break;
+    }
+
+done:
+  unformat_free (line_input);
+
+  return error;
+}
+
+VLIB_CLI_COMMAND (ipsec_sa_bind_cmd, static) = {
+  .path = "ipsec sa bind",
+  .short_help = "ipsec sa [unbind] <sa-id> <worker>",
+  .function = ipsec_sa_bind_cli,
+};
+
 static clib_error_t *
 ipsec_spd_add_del_command_fn (vlib_main_t * vm,
                              unformat_input_t * input,
@@ -279,6 +350,7 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm,
   clib_memset (&p, 0, sizeof (p));
   p.lport.stop = p.rport.stop = ~0;
   remote_range_set = local_range_set = is_outbound = 0;
+  p.protocol = IPSEC_POLICY_PROTOCOL_ANY;
 
   if (!unformat_user (input, unformat_line_input, line_input))
     return 0;
@@ -428,9 +500,13 @@ ipsec_spd_show_all (vlib_main_t * vm, ipsec_main_t * im)
     vlib_cli_output(vm, "%U", format_ipsec_spd, spdi);
   }
 
-  if (im->flow_cache_flag)
+  if (im->output_flow_cache_flag)
+    {
+      vlib_cli_output (vm, "%U", format_ipsec_out_spd_flow_cache);
+    }
+  if (im->input_flow_cache_flag)
     {
-      vlib_cli_output (vm, "%U", format_ipsec_spd_flow_cache);
+      vlib_cli_output (vm, "%U", format_ipsec_in_spd_flow_cache);
     }
   /* *INDENT-ON* */
 }
@@ -652,7 +728,7 @@ ipsec_show_backends_command_fn (vlib_main_t * vm,
   }
   /* *INDENT-ON* */
   vlib_cli_output (vm, "%v", s);
-  _vec_len (s) = 0;
+  vec_set_len (s, 0);
   vlib_cli_output (vm, "IPsec ESP backends available:");
   s = format (s, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
   ipsec_esp_backend_t *eb;
@@ -764,7 +840,8 @@ clear_ipsec_counters_command_fn (vlib_main_t * vm,
 {
   vlib_clear_combined_counters (&ipsec_spd_policy_counters);
   vlib_clear_combined_counters (&ipsec_sa_counters);
-  vlib_clear_simple_counters (&ipsec_sa_lost_counters);
+  for (int i = 0; i < IPSEC_SA_N_ERRORS; i++)
+    vlib_clear_simple_counters (&ipsec_sa_err_counters[i]);
 
   return (NULL);
 }