X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_cli.c;h=07d9df8f2044f0ac2197eabb22a336ad41634f75;hb=2f4586d9b3507243918c11ce99b9d151d5bde7a0;hp=bb80b328d5667f8d5e38a088f566b8558251bb15;hpb=c5fe57dac12a46fa618259643909afaec1ac5aae;p=vpp.git diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index bb80b328d56..07d9df8f204 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -71,14 +71,12 @@ done: return error; } -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (set_interface_spd_command, static) = { .path = "set interface ipsec spd", .short_help = "set interface ipsec spd ", .function = set_interface_spd_command_fn, }; -/* *INDENT-ON* */ static clib_error_t * ipsec_sa_add_del_command_fn (vlib_main_t * vm, @@ -88,6 +86,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, unformat_input_t _line_input, *line_input = &_line_input; ipsec_crypto_alg_t crypto_alg; ipsec_integ_alg_t integ_alg; + u32 anti_replay_window_size; ipsec_protocol_t proto; ipsec_sa_flags_t flags; clib_error_t *error; @@ -98,13 +97,14 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, u16 udp_src, udp_dst; int is_add, rv; u32 m_args = 0; - tunnel_t tun; + tunnel_t tun = {}; salt = 0; error = NULL; is_add = 0; flags = IPSEC_SA_FLAG_NONE; proto = IPSEC_PROTOCOL_ESP; + anti_replay_window_size = 0; integ_alg = IPSEC_INTEG_ALG_NONE; crypto_alg = IPSEC_CRYPTO_ALG_NONE; udp_src = udp_dst = IPSEC_UDP_PORT_NONE; @@ -143,7 +143,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, else if (unformat (line_input, "integ-alg %U", unformat_ipsec_integ_alg, &integ_alg)) ; - else if (unformat (line_input, " %U", unformat_tunnel, &tun)) + else if (unformat (line_input, "%U", unformat_tunnel, &tun)) { flags |= IPSEC_SA_FLAG_IS_TUNNEL; if (AF_IP6 == tunnel_get_af (&tun)) 
@@ -153,6 +153,9 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, udp_src = i; else if (unformat (line_input, "udp-dst-port %d", &i)) udp_dst = i; + else if (unformat (line_input, "anti-replay-size %d", + &anti_replay_window_size)) + flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY; else if (unformat (line_input, "inbound")) flags |= IPSEC_SA_FLAG_IS_INBOUND; else if (unformat (line_input, "use-anti-replay")) @@ -161,6 +164,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, flags |= IPSEC_SA_FLAG_USE_ESN; else if (unformat (line_input, "udp-encap")) flags |= IPSEC_SA_FLAG_UDP_ENCAP; + else if (unformat (line_input, "async")) + flags |= IPSEC_SA_FLAG_IS_ASYNC; else { error = clib_error_return (0, "parse error: '%U'", @@ -168,12 +173,6 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, goto done; } } - if ((flags & IPSEC_SA_FLAG_IS_INBOUND) - && !(flags & IPSEC_SA_FLAG_IS_TUNNEL)) - { - error = clib_error_return (0, "inbound specified on non-tunnel SA"); - goto done; - } if (!(m_args & 1)) { @@ -188,9 +187,10 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, error = clib_error_return (0, "missing spi"); goto done; } - rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &ck, integ_alg, - &ik, flags, clib_host_to_net_u32 (salt), - udp_src, udp_dst, &tun, &sai); + rv = + ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &ck, integ_alg, &ik, + flags, clib_host_to_net_u32 (salt), udp_src, + udp_dst, anti_replay_window_size, &tun, &sai); } else { @@ -198,7 +198,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, } if (rv) - error = clib_error_return (0, "failed"); + error = clib_error_return (0, "failed: %d", rv); done: unformat_free (line_input); 
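Review bot: The new `anti-replay-size %d` branch parses a signed value straight into the `u32 anti_replay_window_size` with no range check, so `anti-replay-size -1` becomes 4294967295 and `anti-replay-size 0` sets IPSEC_SA_FLAG_USE_ANTI_REPLAY with a zero-sized window; what ipsec_sa_add_and_lock does with those values is not visible in this diff. Parse it as unsigned, as the new bind command in this same change already does for its numbers, `else if (unformat (line_input, "anti-replay-size %u", &anti_replay_window_size))`, and reject 0 before the add call the same way the missing-spi case is reported, unless the callee is known to validate the window. The remainder of the option loop in ipsec_sa_add_del_command_fn lies outside the hunk.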
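Review bot: `error = clib_error_return (0, "failed: %d", rv);` now prints a raw return code, which for ipsec_sa_add_and_lock is presumably a negative VNET_API_ERROR_* value, so the operator learns that the SA was rejected but not which argument was at fault. The bind command added further down in this same change translates the codes it expects into readable messages; doing the same here for the codes the callee can return, keeping `failed: %d` only as the `default:` fallback, would make the two commands consistent. The callee is not in this diff, so the exact set of codes is inferred.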
@@ -206,14 +206,77 @@ done: return error; } -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (ipsec_sa_add_del_command, static) = { .path = "ipsec sa", .short_help = "ipsec sa [add|del]", .function = ipsec_sa_add_del_command_fn, }; -/* *INDENT-ON* */ + +static clib_error_t * +ipsec_sa_bind_cli (vlib_main_t *vm, unformat_input_t *input, + vlib_cli_command_t *cmd) +{ + unformat_input_t _line_input, *line_input = &_line_input; + u32 id = ~0; + u32 worker = ~0; + bool bind = 1; + int rv; + clib_error_t *error = NULL; + + if (!unformat_user (input, unformat_line_input, line_input)) + return 0; + + while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (line_input, "unbind")) + bind = 0; + else if (id == ~0 && unformat (line_input, "%u", &id)) + ; + else if (unformat (line_input, "%u", &worker)) + ; + else + { + error = clib_error_return (0, "parse error: '%U'", + format_unformat_error, line_input); + goto done; + } + } + + if (id == ~0) + { + error = clib_error_return (0, "please specify SA ID"); + goto done; + } + + if (bind && ~0 == worker) + { + error = clib_error_return (0, "please specify worker to bind to"); + goto done; + } + + rv = ipsec_sa_bind (id, worker, bind); + switch (rv) + { + case VNET_API_ERROR_INVALID_VALUE: + error = clib_error_return (0, "please specify a valid SA ID"); + break; + case VNET_API_ERROR_INVALID_WORKER: + error = clib_error_return (0, "please specify a valid worker index"); + break; + } + +done: + unformat_free (line_input); + + return error; +} + +VLIB_CLI_COMMAND (ipsec_sa_bind_cmd, static) = { + .path = "ipsec sa bind", + .short_help = "ipsec sa [unbind] ", + .function = ipsec_sa_bind_cli, +}; static clib_error_t * ipsec_spd_add_del_command_fn (vlib_main_t * vm, 
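Review bot: The `switch (rv)` at the end of ipsec_sa_bind_cli handles only VNET_API_ERROR_INVALID_VALUE and VNET_API_ERROR_INVALID_WORKER, so any other non-zero return from ipsec_sa_bind leaves `error` NULL and the command reports success; add `default: if (rv) error = clib_error_return (0, "failed: %d", rv); break;` so a failed bind is never silently dropped. Separately, the positional parsing accepts a third `%u` token that silently overwrites `worker`, and a worker given together with `unbind` is ignored; returning a parse error for surplus tokens, or stating the positional contract in short_help, would make this explicit. ipsec_sa_bind itself is not in this diff, so which codes it can return is inferred from the cases handled here.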
@@ -258,14 +321,12 @@ done: return error; } -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (ipsec_spd_add_del_command, static) = { .path = "ipsec spd", .short_help = "ipsec spd [add|del] ", .function = ipsec_spd_add_del_command_fn, }; -/* *INDENT-ON* */ static clib_error_t * @@ -283,6 +344,7 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm, clib_memset (&p, 0, sizeof (p)); p.lport.stop = p.rport.stop = ~0; remote_range_set = local_range_set = is_outbound = 0; + p.protocol = IPSEC_POLICY_PROTOCOL_ANY; if (!unformat_user (input, unformat_line_input, line_input)) return 0; @@ -399,27 +461,23 @@ done: return error; } -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (ipsec_policy_add_del_command, static) = { .path = "ipsec policy", .short_help = "ipsec policy [add|del] spd priority ", .function = ipsec_policy_add_del_command_fn, }; -/* *INDENT-ON* */ static void ipsec_sa_show_all (vlib_main_t * vm, ipsec_main_t * im, u8 detail) { u32 sai; - /* *INDENT-OFF* */ pool_foreach_index (sai, ipsec_sa_pool) { vlib_cli_output (vm, "%U", format_ipsec_sa, sai, (detail ? IPSEC_FORMAT_DETAIL : IPSEC_FORMAT_BRIEF)); } - /* *INDENT-ON* */ } static void @@ -427,11 +485,18 @@ ipsec_spd_show_all (vlib_main_t * vm, ipsec_main_t * im) { u32 spdi; - /* *INDENT-OFF* */ pool_foreach_index (spdi, im->spds) { vlib_cli_output(vm, "%U", format_ipsec_spd, spdi); } - /* *INDENT-ON* */ + + if (im->output_flow_cache_flag) + { + vlib_cli_output (vm, "%U", format_ipsec_out_spd_flow_cache); + } + if (im->input_flow_cache_flag) + { + vlib_cli_output (vm, "%U", format_ipsec_in_spd_flow_cache); + } } static void @@ -442,14 +507,12 @@ ipsec_spd_bindings_show_all (vlib_main_t * vm, ipsec_main_t * im) vlib_cli_output (vm, "SPD Bindings:"); - /* *INDENT-OFF* */ hash_foreach(sw_if_index, spd_id, im->spd_index_by_sw_if_index, ({ spd = pool_elt_at_index (im->spds, spd_id); vlib_cli_output (vm, " %d -> %U", spd->id, format_vnet_sw_if_index_name, im->vnet_main, sw_if_index); })); - /* *INDENT-ON* */ } static walk_rc_t 
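Review bot: The new default `p.protocol = IPSEC_POLICY_PROTOCOL_ANY;` overrides the zero left by the clib_memset two lines above, but nothing says why, and a reader comparing it with the memset may assume 0 was already the wildcard. A one-line comment such as `/* 0 is a real IP protocol number, not a wildcard; start from the explicit "any" value */` would record the intent; whether a later `protocol` option in ipsec_policy_add_del_command_fn overrides it is outside this hunk, so that should be confirmed before being stated in the comment.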
@@ -483,13 +546,11 @@ show_ipsec_command_fn (vlib_main_t * vm, return 0; } -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (show_ipsec_command, static) = { .path = "show ipsec all", .short_help = "show ipsec all", .function = show_ipsec_command_fn, }; -/* *INDENT-ON* */ static clib_error_t * show_ipsec_sa_command_fn (vlib_main_t * vm, @@ -534,12 +595,10 @@ clear_ipsec_sa_command_fn (vlib_main_t * vm, if (~0 == sai) { - /* *INDENT-OFF* */ pool_foreach_index (sai, ipsec_sa_pool) { ipsec_sa_clear (sai); } - /* *INDENT-ON* */ } else { @@ -552,7 +611,6 @@ clear_ipsec_sa_command_fn (vlib_main_t * vm, return 0; } -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (show_ipsec_sa_command, static) = { .path = "show ipsec sa", .short_help = "show ipsec sa [index]", @@ -564,7 +622,6 @@ VLIB_CLI_COMMAND (clear_ipsec_sa_command, static) = { .short_help = "clear ipsec sa [index]", .function = clear_ipsec_sa_command_fn, }; -/* *INDENT-ON* */ static clib_error_t * show_ipsec_spd_command_fn (vlib_main_t * vm, @@ -594,13 +651,11 @@ show_ipsec_spd_command_fn (vlib_main_t * vm, return 0; } -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (show_ipsec_spd_command, static) = { .path = "show ipsec spd", .short_help = "show ipsec spd [index]", .function = show_ipsec_spd_command_fn, }; -/* *INDENT-ON* */ static clib_error_t * show_ipsec_tunnel_command_fn (vlib_main_t * vm, @@ -612,13 +667,11 @@ show_ipsec_tunnel_command_fn (vlib_main_t * vm, return 0; } -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (show_ipsec_tunnel_command, static) = { .path = "show ipsec tunnel", .short_help = "show ipsec tunnel", .function = show_ipsec_tunnel_command_fn, }; -/* *INDENT-ON* */ static clib_error_t * ipsec_show_backends_command_fn (vlib_main_t * vm, 
@@ -633,7 +686,6 @@ ipsec_show_backends_command_fn (vlib_main_t * vm, vlib_cli_output (vm, "IPsec AH backends available:"); u8 *s = format (NULL, "%=25s %=25s %=10s\n", "Name", "Index", "Active"); ipsec_ah_backend_t *ab; - /* *INDENT-OFF* */ pool_foreach (ab, im->ah_backends) { s = format (s, "%=25s %=25u %=10s\n", ab->name, ab - im->ah_backends, ab - im->ah_backends == im->ah_current_backend ? "yes" : "no"); @@ -649,13 +701,11 @@ ipsec_show_backends_command_fn (vlib_main_t * vm, s = format (s, " dec6 %s (next %d)\n", n->name, ab->ah6_decrypt_next_index); } } - /* *INDENT-ON* */ vlib_cli_output (vm, "%v", s); - _vec_len (s) = 0; + vec_set_len (s, 0); vlib_cli_output (vm, "IPsec ESP backends available:"); s = format (s, "%=25s %=25s %=10s\n", "Name", "Index", "Active"); ipsec_esp_backend_t *eb; - /* *INDENT-OFF* */ pool_foreach (eb, im->esp_backends) { s = format (s, "%=25s %=25u %=10s\n", eb->name, eb - im->esp_backends, eb - im->esp_backends == im->esp_current_backend ? "yes" @@ -672,20 +722,17 @@ ipsec_show_backends_command_fn (vlib_main_t * vm, s = format (s, " dec6 %s (next %d)\n", n->name, eb->esp6_decrypt_next_index); } } - /* *INDENT-ON* */ vlib_cli_output (vm, "%v", s); vec_free (s); return 0; } -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (ipsec_show_backends_command, static) = { .path = "show ipsec backends", .short_help = "show ipsec backends", .function = ipsec_show_backends_command_fn, }; -/* *INDENT-ON* */ static clib_error_t * ipsec_select_backend_command_fn (vlib_main_t * vm, @@ -747,14 +794,12 @@ ipsec_select_backend_command_fn (vlib_main_t * vm, return 0; } -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (ipsec_select_backend_command, static) = { .path = "ipsec select backend", .short_help = "ipsec select backend ", .function = ipsec_select_backend_command_fn, }; -/* *INDENT-ON* */ static clib_error_t * clear_ipsec_counters_command_fn (vlib_main_t * vm, 
@@ -763,17 +808,17 @@ clear_ipsec_counters_command_fn (vlib_main_t * vm, { vlib_clear_combined_counters (&ipsec_spd_policy_counters); vlib_clear_combined_counters (&ipsec_sa_counters); + for (int i = 0; i < IPSEC_SA_N_ERRORS; i++) + vlib_clear_simple_counters (&ipsec_sa_err_counters[i]); return (NULL); } -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = { .path = "clear ipsec counters", .short_help = "clear ipsec counters", .function = clear_ipsec_counters_command_fn, }; -/* *INDENT-ON* */ static clib_error_t * ipsec_tun_protect_cmd (vlib_main_t * vm, @@ -823,7 +868,6 @@ ipsec_tun_protect_cmd (vlib_main_t * vm, /** * Protect tunnel with IPSEC */ -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (ipsec_tun_protect_cmd_node, static) = { .path = "ipsec tunnel protect", @@ -831,7 +875,6 @@ VLIB_CLI_COMMAND (ipsec_tun_protect_cmd_node, static) = .short_help = "ipsec tunnel protect input-sa output-sa [add|del]", // this is not MP safe }; -/* *INDENT-ON* */ static clib_error_t * @@ -846,14 +889,12 @@ ipsec_tun_protect_show (vlib_main_t * vm, /** * show IPSEC tunnel protection */ -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (ipsec_tun_protect_show_node, static) = { .path = "show ipsec protect", .function = ipsec_tun_protect_show, .short_help = "show ipsec protect", }; -/* *INDENT-ON* */ static int ipsec_tun_protect4_hash_show_one (clib_bihash_kv_8_16_t * kv, void *arg) @@ -902,14 +943,12 @@ ipsec_tun_protect_hash_show (vlib_main_t * vm, /** * show IPSEC tunnel protection hash tables */ -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (ipsec_tun_protect_hash_show_node, static) = { .path = "show ipsec protect-hash", .function = ipsec_tun_protect_hash_show, .short_help = "show ipsec protect-hash", }; -/* *INDENT-ON* */ clib_error_t * ipsec_cli_init (vlib_main_t * vm) 
@@ -940,20 +979,17 @@ set_async_mode_command_fn (vlib_main_t * vm, unformat_input_t * input, format_unformat_error, line_input)); } - vnet_crypto_request_async_mode (async_enable); ipsec_set_async_mode (async_enable); unformat_free (line_input); return (NULL); } -/* *INDENT-OFF* */ VLIB_CLI_COMMAND (set_async_mode_command, static) = { .path = "set ipsec async mode", .short_help = "set ipsec async mode on|off", .function = set_async_mode_command_fn, }; -/* *INDENT-ON* */ /* * fd.io coding-style-patch-verification: ON