(line_input, "crypto-alg %U", unformat_ipsec_crypto_alg,
&sa.crypto_alg))
{
- if (sa.crypto_alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
+ if (sa.crypto_alg < IPSEC_CRYPTO_ALG_NONE ||
sa.crypto_alg >= IPSEC_CRYPTO_N_ALG)
{
error = clib_error_return (0, "unsupported crypto-alg: '%U'",
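Review bot: Lowering the bound to IPSEC_CRYPTO_ALG_NONE makes `crypto-alg none` acceptable to this CLI, and the matching change in the integ-alg hunk below does the same for `integ-alg none`, so an ESP SA can now be created with neither confidentiality nor integrity unless ipsec_add_del_sa rejects that combination (not visible here). Worth an explicit guard before the add call, e.g. `if (sa.crypto_alg == IPSEC_CRYPTO_ALG_NONE && sa.integ_alg == IPSEC_INTEG_ALG_NONE) { error = clib_error_return (0, "crypto-alg and integ-alg cannot both be none"); goto done; }`, or a comment naming where the combination is validated. If IPSEC_CRYPTO_ALG_NONE is the enumeration's first value, the `<` half of the new condition can never be true and some compilers warn about it, so `if (sa.crypto_alg >= IPSEC_CRYPTO_N_ALG)` alone would be clearer. The enclosing CLI handler starts and ends outside the hunk.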
else if (unformat (line_input, "integ-alg %U", unformat_ipsec_integ_alg,
&sa.integ_alg))
{
- if (sa.integ_alg < IPSEC_INTEG_ALG_SHA1_96 ||
+ if (sa.integ_alg < IPSEC_INTEG_ALG_NONE ||
sa.integ_alg >= IPSEC_INTEG_N_ALG)
{
error = clib_error_return (0, "unsupported integ-alg: '%U'",
goto done;
}
- ipsec_add_del_sa (vm, &sa, is_add);
+ ipsec_add_del_sa (vm, &sa, is_add, 0 /* enable nat traversal */ );
done:
unformat_free (line_input);
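Review bot: The new fourth argument is a literal 0 annotated `/* enable nat traversal */`, which reads as if traversal were being turned on when the value disables it, and this CLI gains no keyword to set it even though the show output now reports udp-encap-enabled. Either expose it, e.g. `else if (unformat (line_input, "udp-encap")) sa.udp_encap = 1;` and pass `sa.udp_encap`, or reword the annotation to `0 /* udp_encap off: not settable from this CLI */`. Whether the parameter maps to sa->udp_encap is not shown in this hunk, so confirm against ipsec_add_del_sa before wiring it. The enclosing handler continues outside the hunk.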
ipsec_main_t *im = &ipsec_main;
ipsec_sa_t *sa = 0;
p1 = hash_get (im->sa_index_by_sa_id, p.sa_id);
+ if (!p1)
+ {
+ error =
+ clib_error_return (0, "SA with index %u not found", p.sa_id);
+ goto done;
+ }
sa = pool_elt_at_index (im->sad, p1[0]);
if (sa && sa->protocol == IPSEC_PROTOCOL_AH && is_add && p.is_ipv6)
{
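Review bot: The new not-found message says "index" but p.sa_id is looked up in sa_index_by_sa_id, i.e. it is the user-supplied SA id, so the wording points the operator at the wrong field; suggest `clib_error_return (0, "SA with id %u not found", p.sa_id);`. With the NULL check in place the `sa &&` test on the following context line appears redundant, since pool_elt_at_index yields the element for a valid index rather than NULL; dropping it is optional but would make the new guard the single source of truth. The enclosing function starts and ends outside the hunk.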
u32 *i;
ipsec_tunnel_if_t *t;
vnet_hw_interface_t *hi;
+ u8 *protocol = NULL;
+ u8 *policy = NULL;
/* *INDENT-OFF* */
pool_foreach (sa, im->sad, ({
if (sa->id) {
- vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s", sa->id, sa->spi,
+ vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s%s", sa->id, sa->spi,
sa->is_tunnel ? "tunnel" : "transport",
- sa->protocol ? "esp" : "ah");
+ sa->protocol ? "esp" : "ah",
+ sa->udp_encap ? " udp-encap-enabled" : "");
if (sa->protocol == IPSEC_PROTOCOL_ESP) {
vlib_cli_output(vm, " crypto alg %U%s%U integrity alg %U%s%U",
format_ipsec_crypto_alg, sa->crypto_alg,
vec_foreach(i, spd->ipv4_outbound_policies)
{
p = pool_elt_at_index(spd->policies, *i);
- vlib_cli_output(vm, " priority %d action %U protocol %s%s",
- p->priority,
- format_ipsec_policy_action, p->policy,
- p->protocol ?
- format(0, "%U", format_ip_protocol, p->protocol) :
- (u8 *) "any",
- p->policy == IPSEC_POLICY_ACTION_PROTECT ?
- format(0, " sa %u", p->sa_id) :
- (u8 *) "");
+ vec_reset_length(protocol);
+ vec_reset_length(policy);
+ if (p->protocol) {
+ protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
+ } else {
+ protocol = format(protocol, "any");
+ }
+ if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
+ policy = format(policy, " sa %u", p->sa_id);
+ }
+
+ vlib_cli_output(vm, " priority %d action %U protocol %v%v",
+ p->priority, format_ipsec_policy_action, p->policy,
+ protocol, policy);
vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
format_ip4_address, &p->laddr.start.ip4,
format_ip4_address, &p->laddr.stop.ip4,
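Review bot: The protocol/policy formatting block introduced here is repeated verbatim in the five following hunks (ipv6 outbound, ipv4/ipv6 inbound protect, ipv4/ipv6 inbound discard-and-bypass), which is how the original six-way copy of the leaked `format(0, ...)` expressions came about in the first place. Factoring the nine lines into one static helper that takes the two caller-owned scratch vectors keeps the leak fix in a single place and makes the next change to the line format a one-site edit. The helper below assumes the policy element type is ipsec_policy_t, as used for `spd->policies` elsewhere in this module; adjust if the pool element type differs. The enclosing show function starts and ends outside the hunk.
```c
/* Print one policy summary line. PROTOCOL and POLICY are caller-owned
 * scratch vectors that are reset and reused on every call. */
static void
ipsec_cli_show_policy_line (vlib_main_t * vm, ipsec_policy_t * p,
                            u8 ** protocol, u8 ** policy)
{
  vec_reset_length (*protocol);
  vec_reset_length (*policy);
  if (p->protocol)
    *protocol = format (*protocol, "%U", format_ip_protocol, p->protocol);
  else
    *protocol = format (*protocol, "any");
  if (p->policy == IPSEC_POLICY_ACTION_PROTECT)
    *policy = format (*policy, " sa %u", p->sa_id);
  vlib_cli_output (vm, " priority %d action %U protocol %v%v",
                   p->priority, format_ipsec_policy_action, p->policy,
                   *protocol, *policy);
}

/* … unchanged: in each vec_foreach body, replace the inlined block with … */
ipsec_cli_show_policy_line (vm, p, &protocol, &policy);
```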
vec_foreach(i, spd->ipv6_outbound_policies)
{
p = pool_elt_at_index(spd->policies, *i);
- vlib_cli_output(vm, " priority %d action %U protocol %s%s",
- p->priority,
- format_ipsec_policy_action, p->policy,
- p->protocol ?
- format(0, "%U", format_ip_protocol, p->protocol) :
- (u8 *) "any",
- p->policy == IPSEC_POLICY_ACTION_PROTECT ?
- format(0, " sa %u", p->sa_id) :
- (u8 *) "");
+ vec_reset_length(protocol);
+ vec_reset_length(policy);
+ if (p->protocol) {
+ protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
+ } else {
+ protocol = format(protocol, "any");
+ }
+ if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
+ policy = format(policy, " sa %u", p->sa_id);
+ }
+ vlib_cli_output(vm, " priority %d action %U protocol %v%v",
+ p->priority, format_ipsec_policy_action, p->policy,
+ protocol, policy);
vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
format_ip6_address, &p->laddr.start.ip6,
format_ip6_address, &p->laddr.stop.ip6,
vec_foreach(i, spd->ipv4_inbound_protect_policy_indices)
{
p = pool_elt_at_index(spd->policies, *i);
- vlib_cli_output(vm, " priority %d action %U protocol %s%s",
- p->priority,
- format_ipsec_policy_action, p->policy,
- p->protocol ?
- format(0, "%U", format_ip_protocol, p->protocol) :
- (u8 *) "any",
- p->policy == IPSEC_POLICY_ACTION_PROTECT ?
- format(0, " sa %u", p->sa_id) :
- (u8 *) "");
+ vec_reset_length(protocol);
+ vec_reset_length(policy);
+ if (p->protocol) {
+ protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
+ } else {
+ protocol = format(protocol, "any");
+ }
+ if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
+ policy = format(policy, " sa %u", p->sa_id);
+ }
+ vlib_cli_output(vm, " priority %d action %U protocol %v%v",
+ p->priority, format_ipsec_policy_action, p->policy,
+ protocol, policy);
vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
format_ip4_address, &p->laddr.start.ip4,
format_ip4_address, &p->laddr.stop.ip4,
vec_foreach(i, spd->ipv4_inbound_policy_discard_and_bypass_indices)
{
p = pool_elt_at_index(spd->policies, *i);
- vlib_cli_output(vm, " priority %d action %U protocol %s%s",
- p->priority,
- format_ipsec_policy_action, p->policy,
- p->protocol ?
- format(0, "%U", format_ip_protocol, p->protocol) :
- (u8 *) "any",
- p->policy == IPSEC_POLICY_ACTION_PROTECT ?
- format(0, " sa %u", p->sa_id) :
- (u8 *) "");
+ vec_reset_length(protocol);
+ vec_reset_length(policy);
+ if (p->protocol) {
+ protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
+ } else {
+ protocol = format(protocol, "any");
+ }
+ if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
+ policy = format(policy, " sa %u", p->sa_id);
+ }
+ vlib_cli_output(vm, " priority %d action %U protocol %v%v",
+ p->priority, format_ipsec_policy_action, p->policy,
+ protocol, policy);
vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
format_ip4_address, &p->laddr.start.ip4,
format_ip4_address, &p->laddr.stop.ip4,
vec_foreach(i, spd->ipv6_inbound_protect_policy_indices)
{
p = pool_elt_at_index(spd->policies, *i);
- vlib_cli_output(vm, " priority %d action %U protocol %s%s",
- p->priority,
- format_ipsec_policy_action, p->policy,
- p->protocol ?
- format(0, "%U", format_ip_protocol, p->protocol) :
- (u8 *) "any",
- p->policy == IPSEC_POLICY_ACTION_PROTECT ?
- format(0, " sa %u", p->sa_id) :
- (u8 *) "");
+ vec_reset_length(protocol);
+ vec_reset_length(policy);
+ if (p->protocol) {
+ protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
+ } else {
+ protocol = format(protocol, "any");
+ }
+ if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
+ policy = format(policy, " sa %u", p->sa_id);
+ }
+ vlib_cli_output(vm, " priority %d action %U protocol %v%v",
+ p->priority, format_ipsec_policy_action, p->policy,
+ protocol, policy);
vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
format_ip6_address, &p->laddr.start.ip6,
format_ip6_address, &p->laddr.stop.ip6,
vec_foreach(i, spd->ipv6_inbound_policy_discard_and_bypass_indices)
{
p = pool_elt_at_index(spd->policies, *i);
- vlib_cli_output(vm, " priority %d action %U protocol %s%s",
- p->priority,
- format_ipsec_policy_action, p->policy,
- p->protocol ?
- format(0, "%U", format_ip_protocol, p->protocol) :
- (u8 *) "any",
- p->policy == IPSEC_POLICY_ACTION_PROTECT ?
- format(0, " sa %u", p->sa_id) :
- (u8 *) "");
+ vec_reset_length(protocol);
+ vec_reset_length(policy);
+ if (p->protocol) {
+ protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
+ } else {
+ protocol = format(protocol, "any");
+ }
+ if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
+ policy = format(policy, " sa %u", p->sa_id);
+ }
+ vlib_cli_output(vm, " priority %d action %U protocol %v%v",
+ p->priority, format_ipsec_policy_action, p->policy,
+ protocol, policy);
vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
format_ip6_address, &p->laddr.start.ip6,
format_ip6_address, &p->laddr.stop.ip6,
format_ipsec_integ_alg, sa->integ_alg,
format_hex_bytes, sa->integ_key, sa->integ_key_len);
}));
+ vec_free(policy);
+ vec_free(protocol);
/* *INDENT-ON* */
return 0;
}