X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_cli.c;h=5aef630a33f14d61946d0514ccae7928abf844c4;hb=0e2f188f7c9872d7c946c14d785c6dc7c7c68847;hp=3a3e53b663eacd8787b1e6c580f822e1dc5814cb;hpb=7db75dd0d32d92674bbb7aa1b23341e8a349e05a;p=vpp.git
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 3a3e53b663e..5aef630a33f 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -88,6 +88,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
 unformat_input_t _line_input, *line_input = &_line_input;
 ipsec_crypto_alg_t crypto_alg;
 ipsec_integ_alg_t integ_alg;
+ u32 anti_replay_window_size;
 ipsec_protocol_t proto;
 ipsec_sa_flags_t flags;
 clib_error_t *error;
@@ -105,6 +106,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
 is_add = 0;
 flags = IPSEC_SA_FLAG_NONE;
 proto = IPSEC_PROTOCOL_ESP;
+ anti_replay_window_size = 0;
 integ_alg = IPSEC_INTEG_ALG_NONE;
 crypto_alg = IPSEC_CRYPTO_ALG_NONE;
 udp_src = udp_dst = IPSEC_UDP_PORT_NONE;
@@ -143,7 +145,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
 else if (unformat (line_input, "integ-alg %U",
 unformat_ipsec_integ_alg, &integ_alg))
 ;
- else if (unformat (line_input, " %U", unformat_tunnel, &tun))
+ else if (unformat (line_input, "%U", unformat_tunnel, &tun))
 {
 flags |= IPSEC_SA_FLAG_IS_TUNNEL;
 if (AF_IP6 == tunnel_get_af (&tun))
@@ -153,6 +155,9 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
 udp_src = i;
 else if (unformat (line_input, "udp-dst-port %d", &i))
 udp_dst = i;
+ else if (unformat (line_input, "anti-replay-size %d",
+ &anti_replay_window_size))
+ flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
 else if (unformat (line_input, "inbound"))
 flags |= IPSEC_SA_FLAG_IS_INBOUND;
 else if (unformat (line_input, "use-anti-replay"))
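Review bot: The new `anti-replay-size %d` branch parses a signed conversion into the `u32 anti_replay_window_size`, so a negative argument typed on the CLI is presumably stored as a very large window, and nothing in the visible hunks bounds the value before the later hunk hands it to `ipsec_sa_add_and_lock`. I would parse it with `unformat (line_input, "anti-replay-size %u", &anti_replay_window_size)` and reject sizes the SA code cannot honour before the add call; the accepted range is not shown in this diff, so the limit should come from wherever the window is defined. `use-anti-replay` given alone still leaves the size at 0, and `anti-replay-size 0` sets `IPSEC_SA_FLAG_USE_ANTI_REPLAY` with a zero window, so a comment such as `/* 0: callee picks the default window */` is worth adding if that is what the callee does. The body of `ipsec_sa_add_del_command_fn` starts and ends outside these hunks.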
@@ -184,9 +189,10 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm,
 error = clib_error_return (0, "missing spi");
 goto done;
 }
- rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &ck, integ_alg,
- &ik, flags, clib_host_to_net_u32 (salt),
- udp_src, udp_dst, &tun, &sai);
+ rv =
+ ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &ck, integ_alg, &ik,
+ flags, clib_host_to_net_u32 (salt), udp_src,
+ udp_dst, anti_replay_window_size, &tun, &sai);
 }
 else
 {
@@ -211,6 +217,71 @@ VLIB_CLI_COMMAND (ipsec_sa_add_del_command, static) = {
 };
 /* *INDENT-ON* */
+static clib_error_t *
+ipsec_sa_bind_cli (vlib_main_t *vm, unformat_input_t *input,
+ vlib_cli_command_t *cmd)
+{
+ unformat_input_t _line_input, *line_input = &_line_input;
+ u32 id = ~0;
+ u32 worker = ~0;
+ bool bind = 1;
+ int rv;
+ clib_error_t *error = NULL;
+
+ if (!unformat_user (input, unformat_line_input, line_input))
+ return 0;
+
+ while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (line_input, "unbind"))
+ bind = 0;
+ else if (id == ~0 && unformat (line_input, "%u", &id))
+ ;
+ else if (unformat (line_input, "%u", &worker))
+ ;
+ else
+ {
+ error = clib_error_return (0, "parse error: '%U'",
+ format_unformat_error, line_input);
+ goto done;
+ }
+ }
+
+ if (id == ~0)
+ {
+ error = clib_error_return (0, "please specify SA ID");
+ goto done;
+ }
+
+ if (bind && ~0 == worker)
+ {
+ error = clib_error_return (0, "please specify worker to bind to");
+ goto done;
+ }
+
+ rv = ipsec_sa_bind (id, worker, bind);
+ switch (rv)
+ {
+ case VNET_API_ERROR_INVALID_VALUE:
+ error = clib_error_return (0, "please specify a valid SA ID");
+ break;
+ case VNET_API_ERROR_INVALID_WORKER:
+ error = clib_error_return (0, "please specify a valid worker index");
+ break;
+ }
+
+done:
+ unformat_free (line_input);
+
+ return error;
+}
+
+VLIB_CLI_COMMAND (ipsec_sa_bind_cmd, static) = {
+ .path = "ipsec sa bind",
+ .short_help = "ipsec sa [unbind] ",
+ .function = ipsec_sa_bind_cli,
+};
+
 static clib_error_t *
 ipsec_spd_add_del_command_fn (vlib_main_t * vm,
 unformat_input_t * input,
@@ -279,6 +350,7 @@ ipsec_policy_add_del_command_fn (vlib_main_t * vm,
 clib_memset (&p, 0, sizeof (p));
 p.lport.stop = p.rport.stop = ~0;
 remote_range_set = local_range_set = is_outbound = 0;
+ p.protocol = IPSEC_POLICY_PROTOCOL_ANY;
 if (!unformat_user (input, unformat_line_input, line_input))
 return 0;
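Review bot: The `switch (rv)` at the end of `ipsec_sa_bind_cli` turns only `VNET_API_ERROR_INVALID_VALUE` and `VNET_API_ERROR_INVALID_WORKER` into an error, so any other non-zero return from `ipsec_sa_bind` makes the command report success although the SA was not bound. Adding `case 0: break;` and `default: error = clib_error_return (0, "ipsec_sa_bind returned %d", rv); break;` closes that gap. The parse loop also lets a third number silently overwrite `worker`, and `.short_help = "ipsec sa [unbind] "` names neither the `bind` keyword from `.path` nor the SA id and worker arguments (placeholders may have been lost in rendering). The function has no comment, so a one-line header stating that the first number is the SA id and the second the worker index would help the next reader.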
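Review bot: `p.protocol = IPSEC_POLICY_PROTOCOL_ANY;` changes what a policy added without a `protocol` keyword matches, and the line carries no comment saying so. After the `clib_memset` the field was 0, so such a policy was presumably tied to protocol 0 before and now applies to every protocol, which is a change in the security policy an operator gets by default. I would add `/* no "protocol" given: match any protocol, not protocol 0 */` above the assignment and state the default in the command's help text, which is outside this hunk, as is the rest of `ipsec_policy_add_del_command_fn`.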
@@ -427,6 +499,15 @@ ipsec_spd_show_all (vlib_main_t * vm, ipsec_main_t * im)
 pool_foreach_index (spdi, im->spds) {
 vlib_cli_output(vm, "%U", format_ipsec_spd, spdi);
 }
+
+ if (im->output_flow_cache_flag)
+ {
+ vlib_cli_output (vm, "%U", format_ipsec_out_spd_flow_cache);
+ }
+ if (im->input_flow_cache_flag)
+ {
+ vlib_cli_output (vm, "%U", format_ipsec_in_spd_flow_cache);
+ }
 /* *INDENT-ON* */
 }
@@ -647,7 +728,7 @@ ipsec_show_backends_command_fn (vlib_main_t * vm,
 }
 /* *INDENT-ON* */
 vlib_cli_output (vm, "%v", s);
- _vec_len (s) = 0;
+ vec_set_len (s, 0);
 vlib_cli_output (vm, "IPsec ESP backends available:");
 s = format (s, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
 ipsec_esp_backend_t *eb;
@@ -759,6 +840,8 @@ clear_ipsec_counters_command_fn (vlib_main_t * vm,
 {
 vlib_clear_combined_counters (&ipsec_spd_policy_counters);
 vlib_clear_combined_counters (&ipsec_sa_counters);
+ for (int i = 0; i < IPSEC_SA_N_ERRORS; i++)
+ vlib_clear_simple_counters (&ipsec_sa_err_counters[i]);
 return (NULL);
 }
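Review bot: The two flow-cache blocks in `ipsec_spd_show_all` are added above `/* *INDENT-ON* */`, inside the region that is excluded from the formatter for the `pool_foreach_index` macro, so this ordinary code is no longer style-checked; moving both `if` blocks below the marker keeps the exclusion limited to the macro. Both calls pass `"%U"` with a format function and no following argument, which is only correct if `format_ipsec_out_spd_flow_cache` and `format_ipsec_in_spd_flow_cache` read nothing from their `va_list`. Their definitions are not in this diff, so a short comment such as `/* formatter takes no arguments */` on each call would record that assumption.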