X-Git-Url: https://gerrit.fd.io/r/gitweb?a=blobdiff_plain;f=src%2Fvnet%2Fipsec%2Fipsec_cli.c;h=95e8145fe92e2a6f541cd1182d8643d80958ed64;hb=ba87563bee400f8ce6d99842a6e455c898cf2c1d;hp=b708e50378c58e56416b891c20b154300321be28;hpb=048189e7a15270939b23526eee83c543fb2c7567;p=vpp.git diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index b708e50378c..95e8145fe92 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -86,9 +86,6 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, vlib_cli_command_t * cmd) { unformat_input_t _line_input, *line_input = &_line_input; - ip46_address_t tun_src = { }, tun_dst = - { - }; ipsec_crypto_alg_t crypto_alg; ipsec_integ_alg_t integ_alg; ipsec_protocol_t proto; @@ -101,8 +98,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, u16 udp_src, udp_dst; int is_add, rv; u32 m_args = 0; - ip_dscp_t dscp; - u32 tx_table_id; + tunnel_t tun = {}; salt = 0; error = NULL; @@ -112,8 +108,6 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, integ_alg = IPSEC_INTEG_ALG_NONE; crypto_alg = IPSEC_CRYPTO_ALG_NONE; udp_src = udp_dst = IPSEC_UDP_PORT_NONE; - dscp = IP_DSCP_CS0; - tx_table_id = 0; if (!unformat_user (input, unformat_line_input, line_input)) return 0; 
@@ -149,22 +143,16 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, else if (unformat (line_input, "integ-alg %U", unformat_ipsec_integ_alg, &integ_alg)) ; - else if (unformat (line_input, "tunnel-src %U", - unformat_ip46_address, &tun_src, IP46_TYPE_ANY)) + else if (unformat (line_input, " %U", unformat_tunnel, &tun)) { flags |= IPSEC_SA_FLAG_IS_TUNNEL; - if (!ip46_address_is_ip4 (&tun_src)) + if (AF_IP6 == tunnel_get_af (&tun)) flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6; } - else if (unformat (line_input, "tunnel-dst %U", - unformat_ip46_address, &tun_dst, IP46_TYPE_ANY)) - ; else if (unformat (line_input, "udp-src-port %d", &i)) udp_src = i; else if (unformat (line_input, "udp-dst-port %d", &i)) udp_dst = i; - else if (unformat (line_input, "tx-table-id %d", &tx_table_id)) - ; else if (unformat (line_input, "inbound")) flags |= IPSEC_SA_FLAG_IS_INBOUND; else if (unformat (line_input, "use-anti-replay")) @@ -173,6 +161,8 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, flags |= IPSEC_SA_FLAG_USE_ESN; else if (unformat (line_input, "udp-encap")) flags |= IPSEC_SA_FLAG_UDP_ENCAP; + else if (unformat (line_input, "async")) + flags |= IPSEC_SA_FLAG_IS_ASYNC; else { error = clib_error_return (0, "parse error: '%U'", @@ -180,12 +170,6 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, goto done; } } - if ((flags & IPSEC_SA_FLAG_IS_INBOUND) - && !(flags & IPSEC_SA_FLAG_IS_TUNNEL)) - { - error = clib_error_return (0, "inbound specified on non-tunnel SA"); - goto done; - } if (!(m_args & 1)) { 
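Review bot: The unchanged `udp-src-port` / `udp-dst-port` branches in this hunk assign the `%d` result directly to `udp_src` / `udp_dst`, which are declared `u16` earlier in the function, so a value above 65535 is silently truncated to a different port instead of being rejected. Since the neighbouring tunnel parsing is reworked here, a range check fits in the same change, for example `if (i > 0xffff) { error = clib_error_return (0, "invalid udp port: %d", i); goto done; }` before each assignment. The declaration of `i` is outside the hunk, so a lower bound is also needed if it is signed.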
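Review bot: The new `async` keyword changes the syntax this command accepts, as does the keyword-less `" %U", unformat_tunnel` branch in the hunk at -149 that replaces `tunnel-src`, `tunnel-dst` and `tx-table-id`, but no hunk on this page touches the command's help text. If the `short_help` string registered for this command (outside the visible hunks) still lists the removed options, an operator following it gets a parse error and has no hint that `async` exists. Updating the help string in the same commit keeps the CLI self-describing.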
@@ -200,12 +184,9 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, error = clib_error_return (0, "missing spi"); goto done; } - rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, - &ck, integ_alg, &ik, flags, - tx_table_id, clib_host_to_net_u32 (salt), - &tun_src, &tun_dst, - TUNNEL_ENCAP_DECAP_FLAG_NONE, dscp, - &sai, udp_src, udp_dst); + rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &ck, integ_alg, + &ik, flags, clib_host_to_net_u32 (salt), + udp_src, udp_dst, &tun, &sai); } else { @@ -213,7 +194,7 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, } if (rv) - error = clib_error_return (0, "failed"); + error = clib_error_return (0, "failed: %d", rv); done: unformat_free (line_input); @@ -429,10 +410,11 @@ ipsec_sa_show_all (vlib_main_t * vm, ipsec_main_t * im, u8 detail) u32 sai; /* *INDENT-OFF* */ - pool_foreach_index (sai, im->sad) { - vlib_cli_output(vm, "%U", format_ipsec_sa, sai, - (detail ? IPSEC_FORMAT_DETAIL : IPSEC_FORMAT_BRIEF)); - } + pool_foreach_index (sai, ipsec_sa_pool) + { + vlib_cli_output (vm, "%U", format_ipsec_sa, sai, + (detail ? IPSEC_FORMAT_DETAIL : IPSEC_FORMAT_BRIEF)); + } /* *INDENT-ON* */ } @@ -445,6 +427,11 @@ ipsec_spd_show_all (vlib_main_t * vm, ipsec_main_t * im) pool_foreach_index (spdi, im->spds) { vlib_cli_output(vm, "%U", format_ipsec_spd, spdi); } + + if (im->flow_cache_flag) + { + vlib_cli_output (vm, "%U", format_ipsec_spd_flow_cache); + } /* *INDENT-ON* */ } @@ -536,7 +523,6 @@ static clib_error_t * clear_ipsec_sa_command_fn (vlib_main_t * vm, unformat_input_t * input, vlib_cli_command_t * cmd) { - ipsec_main_t *im = &ipsec_main; u32 sai = ~0; while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) 
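Review bot: `ck` and `ik` are passed by pointer to `ipsec_sa_add_and_lock` and, judging by their position next to `crypto_alg` and `integ_alg`, hold the SA's key material, yet the only cleanup visible on the `done:` path in the next hunk is `unformat_free (line_input)`. The function body extends beyond both hunks, so this may be handled elsewhere. If it is not, the parsed keys stay on the CLI thread's stack after the handler returns. Consider wiping both objects on the `done:` path before `error` is returned, using a clear that the compiler cannot elide.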
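Review bot: The added `if (im->flow_cache_flag)` block in `ipsec_spd_show_all` is placed before `/* *INDENT-ON* */`, so it sits inside the region that turns the formatter off for the `pool_foreach_index` macro, although it is ordinary code already written in the formatted style. Moving the block below the `/* *INDENT-ON* */` marker keeps the exemption limited to the macro body and lets the formatter keep checking the new lines.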
@@ -550,14 +536,15 @@ clear_ipsec_sa_command_fn (vlib_main_t * vm, if (~0 == sai) { /* *INDENT-OFF* */ - pool_foreach_index (sai, im->sad) { - ipsec_sa_clear(sai); - } + pool_foreach_index (sai, ipsec_sa_pool) + { + ipsec_sa_clear (sai); + } /* *INDENT-ON* */ } else { - if (pool_is_free_index (im->sad, sai)) + if (pool_is_free_index (ipsec_sa_pool, sai)) return clib_error_return (0, "unknown SA index: %d", sai); else ipsec_sa_clear (sai); @@ -777,6 +764,7 @@ clear_ipsec_counters_command_fn (vlib_main_t * vm, { vlib_clear_combined_counters (&ipsec_spd_policy_counters); vlib_clear_combined_counters (&ipsec_sa_counters); + vlib_clear_simple_counters (&ipsec_sa_lost_counters); return (NULL); } @@ -954,7 +942,6 @@ set_async_mode_command_fn (vlib_main_t * vm, unformat_input_t * input, format_unformat_error, line_input)); } - vnet_crypto_request_async_mode (async_enable); ipsec_set_async_mode (async_enable); unformat_free (line_input);
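Review bot: `sai` is a `u32` (declared as `u32 sai = ~0;` at the top of `clear_ipsec_sa_command_fn`), but the unchanged error path formats it with `%d` in `"unknown SA index: %d"`, so an index of 2^31 or above is reported as a negative number. `return clib_error_return (0, "unknown SA index: %u", sai);` reports the value the operator actually entered. Separately, `~0` doubles as the "no index given" sentinel. The parsing loop lies between the hunks, so it is worth confirming that an explicitly supplied 4294967295 cannot select the clear-all branch.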