2 *------------------------------------------------------------------
3 * ipsec_api.c - ipsec api
5 * Copyright (c) 2016 Cisco and/or its affiliates.
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at:
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 *------------------------------------------------------------------
20 #include <vnet/vnet.h>
21 #include <vlibmemory/api.h>
23 #include <vnet/interface.h>
24 #include <vnet/api_errno.h>
25 #include <vnet/ip/ip.h>
26 #include <vnet/ip/ip_types_api.h>
27 #include <vnet/ipsec/ipsec_types_api.h>
28 #include <vnet/tunnel/tunnel_types_api.h>
29 #include <vnet/fib/fib.h>
30 #include <vnet/ipip/ipip.h>
31 #include <vnet/tunnel/tunnel_types_api.h>
33 #include <vnet/vnet_msg_enum.h>
36 #include <vnet/ipsec/ipsec.h>
37 #include <vnet/ipsec/ipsec_tun.h>
38 #include <vnet/ipsec/ipsec_itf.h>
41 #define vl_typedefs /* define message structures */
42 #include <vnet/vnet_all_api_h.h>
45 #define vl_endianfun /* define message structures */
46 #include <vnet/vnet_all_api_h.h>
49 /* instantiate all the print functions we know about */
50 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
52 #include <vnet/vnet_all_api_h.h>
55 #include <vlibapi/api_helper_macros.h>
57 #define foreach_vpe_api_msg \
58 _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \
59 _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \
60 _(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \
61 _(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \
62 _(IPSEC_SAD_ENTRY_ADD_DEL_V2, ipsec_sad_entry_add_del_v2) \
63 _(IPSEC_SA_DUMP, ipsec_sa_dump) \
64 _(IPSEC_SA_V2_DUMP, ipsec_sa_v2_dump) \
65 _(IPSEC_SPDS_DUMP, ipsec_spds_dump) \
66 _(IPSEC_SPD_DUMP, ipsec_spd_dump) \
67 _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
68 _(IPSEC_ITF_CREATE, ipsec_itf_create) \
69 _(IPSEC_ITF_DELETE, ipsec_itf_delete) \
70 _(IPSEC_ITF_DUMP, ipsec_itf_dump) \
71 _(IPSEC_SELECT_BACKEND, ipsec_select_backend) \
72 _(IPSEC_BACKEND_DUMP, ipsec_backend_dump) \
73 _(IPSEC_TUNNEL_PROTECT_UPDATE, ipsec_tunnel_protect_update) \
74 _(IPSEC_TUNNEL_PROTECT_DEL, ipsec_tunnel_protect_del) \
75 _(IPSEC_TUNNEL_PROTECT_DUMP, ipsec_tunnel_protect_dump) \
76 _(IPSEC_SET_ASYNC_MODE, ipsec_set_async_mode)
79 vl_api_ipsec_spd_add_del_t_handler (vl_api_ipsec_spd_add_del_t * mp)
82 clib_warning ("unimplemented");
85 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
86 vl_api_ipsec_spd_add_del_reply_t *rmp;
89 rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add);
91 REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY);
95 static void vl_api_ipsec_interface_add_del_spd_t_handler
96 (vl_api_ipsec_interface_add_del_spd_t * mp)
98 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
99 vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
101 u32 sw_if_index __attribute__ ((unused));
102 u32 spd_id __attribute__ ((unused));
104 sw_if_index = ntohl (mp->sw_if_index);
105 spd_id = ntohl (mp->spd_id);
107 VALIDATE_SW_IF_INDEX (mp);
110 rv = ipsec_set_interface_spd (vm, sw_if_index, spd_id, mp->is_add);
112 rv = VNET_API_ERROR_UNIMPLEMENTED;
115 BAD_SW_IF_INDEX_LABEL;
117 REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY);
120 static void vl_api_ipsec_tunnel_protect_update_t_handler
121 (vl_api_ipsec_tunnel_protect_update_t * mp)
123 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
124 vl_api_ipsec_tunnel_protect_update_reply_t *rmp;
125 u32 sw_if_index, ii, *sa_ins = NULL;
129 sw_if_index = ntohl (mp->tunnel.sw_if_index);
131 VALIDATE_SW_IF_INDEX (&(mp->tunnel));
135 for (ii = 0; ii < mp->tunnel.n_sa_in; ii++)
136 vec_add1 (sa_ins, ntohl (mp->tunnel.sa_in[ii]));
138 ip_address_decode2 (&mp->tunnel.nh, &nh);
140 rv = ipsec_tun_protect_update (sw_if_index, &nh,
141 ntohl (mp->tunnel.sa_out), sa_ins);
143 rv = VNET_API_ERROR_UNIMPLEMENTED;
146 BAD_SW_IF_INDEX_LABEL;
148 REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_UPDATE_REPLY);
151 static void vl_api_ipsec_tunnel_protect_del_t_handler
152 (vl_api_ipsec_tunnel_protect_del_t * mp)
154 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
155 vl_api_ipsec_tunnel_protect_del_reply_t *rmp;
160 sw_if_index = ntohl (mp->sw_if_index);
162 VALIDATE_SW_IF_INDEX (mp);
165 ip_address_decode2 (&mp->nh, &nh);
166 rv = ipsec_tun_protect_del (sw_if_index, &nh);
168 rv = VNET_API_ERROR_UNIMPLEMENTED;
171 BAD_SW_IF_INDEX_LABEL;
173 REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_DEL_REPLY);
176 typedef struct ipsec_dump_walk_ctx_t_
178 vl_api_registration_t *reg;
180 } ipsec_dump_walk_ctx_t;
183 send_ipsec_tunnel_protect_details (index_t itpi, void *arg)
185 ipsec_dump_walk_ctx_t *ctx = arg;
186 vl_api_ipsec_tunnel_protect_details_t *mp;
187 ipsec_tun_protect_t *itp;
191 itp = ipsec_tun_protect_get (itpi);
193 mp = vl_msg_api_alloc (sizeof (*mp) + (sizeof (u32) * itp->itp_n_sa_in));
194 clib_memset (mp, 0, sizeof (*mp));
195 mp->_vl_msg_id = ntohs (VL_API_IPSEC_TUNNEL_PROTECT_DETAILS);
196 mp->context = ctx->context;
198 mp->tun.sw_if_index = htonl (itp->itp_sw_if_index);
199 ip_address_encode2 (itp->itp_key, &mp->tun.nh);
201 sa = ipsec_sa_get (itp->itp_out_sa);
202 mp->tun.sa_out = htonl (sa->id);
203 mp->tun.n_sa_in = itp->itp_n_sa_in;
205 FOR_EACH_IPSEC_PROTECT_INPUT_SA(itp, sa,
207 mp->tun.sa_in[ii++] = htonl (sa->id);
211 vl_api_send_msg (ctx->reg, (u8 *) mp);
213 return (WALK_CONTINUE);
217 vl_api_ipsec_tunnel_protect_dump_t_handler (vl_api_ipsec_tunnel_protect_dump_t
220 vl_api_registration_t *reg;
224 reg = vl_api_client_index_to_registration (mp->client_index);
228 ipsec_dump_walk_ctx_t ctx = {
230 .context = mp->context,
233 sw_if_index = ntohl (mp->sw_if_index);
235 if (~0 == sw_if_index)
237 ipsec_tun_protect_walk (send_ipsec_tunnel_protect_details, &ctx);
241 ipsec_tun_protect_walk_itf (sw_if_index,
242 send_ipsec_tunnel_protect_details, &ctx);
245 clib_warning ("unimplemented");
250 ipsec_spd_action_decode (vl_api_ipsec_spd_action_t in,
251 ipsec_policy_action_t * out)
253 in = clib_net_to_host_u32 (in);
257 #define _(v,f,s) case IPSEC_API_SPD_ACTION_##f: \
258 *out = IPSEC_POLICY_ACTION_##f; \
260 foreach_ipsec_policy_action
263 return (VNET_API_ERROR_UNIMPLEMENTED);
266 static void vl_api_ipsec_spd_entry_add_del_t_handler
267 (vl_api_ipsec_spd_entry_add_del_t * mp)
269 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
270 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
280 clib_memset (&p, 0, sizeof (p));
282 p.id = ntohl (mp->entry.spd_id);
283 p.priority = ntohl (mp->entry.priority);
285 itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start);
286 ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop);
287 ip_address_decode (&mp->entry.local_address_start, &p.laddr.start);
288 ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop);
290 p.is_ipv6 = (itype == IP46_TYPE_IP6);
292 p.protocol = mp->entry.protocol;
293 p.rport.start = ntohs (mp->entry.remote_port_start);
294 p.rport.stop = ntohs (mp->entry.remote_port_stop);
295 p.lport.start = ntohs (mp->entry.local_port_start);
296 p.lport.stop = ntohs (mp->entry.local_port_stop);
298 rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
303 /* policy action resolve unsupported */
304 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
306 clib_warning ("unsupported action: 'resolve'");
307 rv = VNET_API_ERROR_UNIMPLEMENTED;
310 p.sa_id = ntohl (mp->entry.sa_id);
312 ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy,
317 rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index);
322 rv = VNET_API_ERROR_UNIMPLEMENTED;
328 REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_REPLY,
330 rmp->stat_index = ntohl(stat_index);
335 static void vl_api_ipsec_sad_entry_add_del_t_handler
336 (vl_api_ipsec_sad_entry_add_del_t * mp)
338 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
339 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
340 ip46_address_t tun_src = { }, tun_dst =
343 ipsec_key_t crypto_key, integ_key;
344 ipsec_crypto_alg_t crypto_alg;
345 ipsec_integ_alg_t integ_alg;
346 ipsec_protocol_t proto;
347 ipsec_sa_flags_t flags;
348 u32 id, spi, sa_index = ~0;
353 id = ntohl (mp->entry.sad_id);
354 spi = ntohl (mp->entry.spi);
356 rv = ipsec_proto_decode (mp->entry.protocol, &proto);
361 rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
366 rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
371 ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
372 ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
374 flags = ipsec_sa_flags_decode (mp->entry.flags);
376 ip_address_decode (&mp->entry.tunnel_src, &tun_src);
377 ip_address_decode (&mp->entry.tunnel_dst, &tun_dst);
380 rv = ipsec_sa_add_and_lock (id, spi, proto,
381 crypto_alg, &crypto_key,
382 integ_alg, &integ_key, flags,
383 0, mp->entry.salt, &tun_src, &tun_dst,
384 TUNNEL_ENCAP_DECAP_FLAG_NONE,
387 htons (mp->entry.udp_src_port),
388 htons (mp->entry.udp_dst_port));
390 rv = ipsec_sa_unlock_id (id);
393 rv = VNET_API_ERROR_UNIMPLEMENTED;
398 REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY,
400 rmp->stat_index = htonl (sa_index);
405 static void vl_api_ipsec_sad_entry_add_del_v2_t_handler
406 (vl_api_ipsec_sad_entry_add_del_v2_t * mp)
408 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
409 vl_api_ipsec_sad_entry_add_del_v2_reply_t *rmp;
410 ip46_address_t tun_src = { }, tun_dst =
413 tunnel_encap_decap_flags_t tunnel_flags;
414 ipsec_key_t crypto_key, integ_key;
415 ipsec_crypto_alg_t crypto_alg;
416 ipsec_integ_alg_t integ_alg;
417 ipsec_protocol_t proto;
418 ipsec_sa_flags_t flags;
419 u32 id, spi, sa_index = ~0;
424 id = ntohl (mp->entry.sad_id);
425 spi = ntohl (mp->entry.spi);
427 rv = ipsec_proto_decode (mp->entry.protocol, &proto);
432 rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
437 rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
443 tunnel_encap_decap_flags_decode (mp->entry.tunnel_flags, &tunnel_flags);
448 ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
449 ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
451 flags = ipsec_sa_flags_decode (mp->entry.flags);
453 ip_address_decode (&mp->entry.tunnel_src, &tun_src);
454 ip_address_decode (&mp->entry.tunnel_dst, &tun_dst);
457 rv = ipsec_sa_add_and_lock (
458 id, spi, proto, crypto_alg, &crypto_key, integ_alg, &integ_key, flags,
459 htonl (mp->entry.tx_table_id), mp->entry.salt, &tun_src, &tun_dst,
460 tunnel_flags, ip_dscp_decode (mp->entry.dscp), &sa_index,
461 htons (mp->entry.udp_src_port), htons (mp->entry.udp_dst_port));
463 rv = ipsec_sa_unlock_id (id);
466 rv = VNET_API_ERROR_UNIMPLEMENTED;
471 REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_V2_REPLY,
473 rmp->stat_index = htonl (sa_index);
479 send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg,
482 vl_api_ipsec_spds_details_t *mp;
485 mp = vl_msg_api_alloc (sizeof (*mp));
486 clib_memset (mp, 0, sizeof (*mp));
487 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPDS_DETAILS);
488 mp->context = context;
490 mp->spd_id = htonl (spd->id);
491 #define _(s, n) n_policies += vec_len (spd->policies[IPSEC_SPD_POLICY_##s]);
492 foreach_ipsec_spd_policy_type
494 mp->npolicies = htonl (n_policies);
496 vl_api_send_msg (reg, (u8 *) mp);
500 vl_api_ipsec_spds_dump_t_handler (vl_api_ipsec_spds_dump_t * mp)
502 vl_api_registration_t *reg;
503 ipsec_main_t *im = &ipsec_main;
506 reg = vl_api_client_index_to_registration (mp->client_index);
511 pool_foreach (spd, im->spds) {
512 send_ipsec_spds_details (spd, reg, mp->context);
516 clib_warning ("unimplemented");
520 vl_api_ipsec_spd_action_t
521 ipsec_spd_action_encode (ipsec_policy_action_t in)
523 vl_api_ipsec_spd_action_t out = IPSEC_API_SPD_ACTION_BYPASS;
527 #define _(v,f,s) case IPSEC_POLICY_ACTION_##f: \
528 out = IPSEC_API_SPD_ACTION_##f; \
530 foreach_ipsec_policy_action
533 return (clib_host_to_net_u32 (out));
537 send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg,
540 vl_api_ipsec_spd_details_t *mp;
542 mp = vl_msg_api_alloc (sizeof (*mp));
543 clib_memset (mp, 0, sizeof (*mp));
544 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_DETAILS);
545 mp->context = context;
547 mp->entry.spd_id = htonl (p->id);
548 mp->entry.priority = htonl (p->priority);
549 mp->entry.is_outbound = ((p->type == IPSEC_SPD_POLICY_IP6_OUTBOUND) ||
550 (p->type == IPSEC_SPD_POLICY_IP4_OUTBOUND));
552 ip_address_encode (&p->laddr.start, IP46_TYPE_ANY,
553 &mp->entry.local_address_start);
554 ip_address_encode (&p->laddr.stop, IP46_TYPE_ANY,
555 &mp->entry.local_address_stop);
556 ip_address_encode (&p->raddr.start, IP46_TYPE_ANY,
557 &mp->entry.remote_address_start);
558 ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY,
559 &mp->entry.remote_address_stop);
560 mp->entry.local_port_start = htons (p->lport.start);
561 mp->entry.local_port_stop = htons (p->lport.stop);
562 mp->entry.remote_port_start = htons (p->rport.start);
563 mp->entry.remote_port_stop = htons (p->rport.stop);
564 mp->entry.protocol = p->protocol;
565 mp->entry.policy = ipsec_spd_action_encode (p->policy);
566 mp->entry.sa_id = htonl (p->sa_id);
568 vl_api_send_msg (reg, (u8 *) mp);
572 vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp)
574 vl_api_registration_t *reg;
575 ipsec_main_t *im = &ipsec_main;
576 ipsec_spd_policy_type_t ptype;
577 ipsec_policy_t *policy;
582 reg = vl_api_client_index_to_registration (mp->client_index);
586 p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id));
591 spd = pool_elt_at_index (im->spds, spd_index);
594 FOR_EACH_IPSEC_SPD_POLICY_TYPE(ptype) {
595 vec_foreach(ii, spd->policies[ptype])
597 policy = pool_elt_at_index(im->policies, *ii);
599 if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id)
600 send_ipsec_spd_details (policy, reg, mp->context);
605 clib_warning ("unimplemented");
610 send_ipsec_spd_interface_details (vl_api_registration_t * reg, u32 spd_index,
611 u32 sw_if_index, u32 context)
613 vl_api_ipsec_spd_interface_details_t *mp;
615 mp = vl_msg_api_alloc (sizeof (*mp));
616 clib_memset (mp, 0, sizeof (*mp));
617 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_INTERFACE_DETAILS);
618 mp->context = context;
620 mp->spd_index = htonl (spd_index);
621 mp->sw_if_index = htonl (sw_if_index);
623 vl_api_send_msg (reg, (u8 *) mp);
627 vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t *
630 ipsec_main_t *im = &ipsec_main;
631 vl_api_registration_t *reg;
635 reg = vl_api_client_index_to_registration (mp->client_index);
639 if (mp->spd_index_valid)
641 spd_index = ntohl (mp->spd_index);
643 hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
645 send_ipsec_spd_interface_details(reg, v, k, mp->context);
652 hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
653 send_ipsec_spd_interface_details(reg, v, k, mp->context);
659 clib_warning ("unimplemented");
664 vl_api_ipsec_itf_create_t_handler (vl_api_ipsec_itf_create_t * mp)
666 vl_api_ipsec_itf_create_reply_t *rmp;
668 u32 sw_if_index = ~0;
671 rv = tunnel_mode_decode (mp->itf.mode, &mode);
674 rv = ipsec_itf_create (ntohl (mp->itf.user_instance), mode, &sw_if_index);
677 REPLY_MACRO2 (VL_API_IPSEC_ITF_CREATE_REPLY,
679 rmp->sw_if_index = htonl (sw_if_index);
685 vl_api_ipsec_itf_delete_t_handler (vl_api_ipsec_itf_delete_t * mp)
687 vl_api_ipsec_itf_delete_reply_t *rmp;
690 rv = ipsec_itf_delete (ntohl (mp->sw_if_index));
692 REPLY_MACRO (VL_API_IPSEC_ITF_DELETE_REPLY);
696 vl_api_ipsec_itf_dump_t_handler (vl_api_ipsec_itf_dump_t * mp)
700 typedef struct ipsec_sa_dump_match_ctx_t_
704 } ipsec_sa_dump_match_ctx_t;
707 ipsec_sa_dump_match_sa (index_t itpi, void *arg)
709 ipsec_sa_dump_match_ctx_t *ctx = arg;
710 ipsec_tun_protect_t *itp;
713 itp = ipsec_tun_protect_get (itpi);
715 if (itp->itp_out_sa == ctx->sai)
717 ctx->sw_if_index = itp->itp_sw_if_index;
721 FOR_EACH_IPSEC_PROTECT_INPUT_SAI (itp, sai,
725 ctx->sw_if_index = itp->itp_sw_if_index;
731 return (WALK_CONTINUE);
735 send_ipsec_sa_details (ipsec_sa_t * sa, void *arg)
737 ipsec_dump_walk_ctx_t *ctx = arg;
738 vl_api_ipsec_sa_details_t *mp;
739 ipsec_main_t *im = &ipsec_main;
741 mp = vl_msg_api_alloc (sizeof (*mp));
742 clib_memset (mp, 0, sizeof (*mp));
743 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS);
744 mp->context = ctx->context;
746 mp->entry.sad_id = htonl (sa->id);
747 mp->entry.spi = htonl (sa->spi);
748 mp->entry.protocol = ipsec_proto_encode (sa->protocol);
749 mp->entry.tx_table_id =
750 htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4));
752 mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
753 ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
755 mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
756 ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
758 mp->entry.flags = ipsec_sad_flags_encode (sa);
759 mp->entry.salt = clib_host_to_net_u32 (sa->salt);
761 if (ipsec_sa_is_set_IS_PROTECT (sa))
763 ipsec_sa_dump_match_ctx_t ctx = {
767 ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
769 mp->sw_if_index = htonl (ctx.sw_if_index);
772 mp->sw_if_index = ~0;
774 if (ipsec_sa_is_set_IS_TUNNEL (sa))
776 ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY,
777 &mp->entry.tunnel_src);
778 ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
779 &mp->entry.tunnel_dst);
781 if (ipsec_sa_is_set_UDP_ENCAP (sa))
783 mp->entry.udp_src_port = sa->udp_hdr.src_port;
784 mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
787 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
788 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
789 if (ipsec_sa_is_set_USE_ESN (sa))
791 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
792 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
794 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
795 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
797 mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
799 vl_api_send_msg (ctx->reg, (u8 *) mp);
801 return (WALK_CONTINUE);
805 vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
807 vl_api_registration_t *reg;
810 reg = vl_api_client_index_to_registration (mp->client_index);
814 ipsec_dump_walk_ctx_t ctx = {
816 .context = mp->context,
819 ipsec_sa_walk (send_ipsec_sa_details, &ctx);
822 clib_warning ("unimplemented");
827 send_ipsec_sa_v2_details (ipsec_sa_t * sa, void *arg)
829 ipsec_dump_walk_ctx_t *ctx = arg;
830 vl_api_ipsec_sa_v2_details_t *mp;
831 ipsec_main_t *im = &ipsec_main;
833 mp = vl_msg_api_alloc (sizeof (*mp));
834 clib_memset (mp, 0, sizeof (*mp));
835 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_V2_DETAILS);
836 mp->context = ctx->context;
838 mp->entry.sad_id = htonl (sa->id);
839 mp->entry.spi = htonl (sa->spi);
840 mp->entry.protocol = ipsec_proto_encode (sa->protocol);
841 mp->entry.tx_table_id =
842 htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4));
844 mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
845 ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
847 mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
848 ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
850 mp->entry.flags = ipsec_sad_flags_encode (sa);
851 mp->entry.salt = clib_host_to_net_u32 (sa->salt);
853 if (ipsec_sa_is_set_IS_PROTECT (sa))
855 ipsec_sa_dump_match_ctx_t ctx = {
859 ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
861 mp->sw_if_index = htonl (ctx.sw_if_index);
864 mp->sw_if_index = ~0;
866 if (ipsec_sa_is_set_IS_TUNNEL (sa))
868 ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY,
869 &mp->entry.tunnel_src);
870 ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
871 &mp->entry.tunnel_dst);
873 if (ipsec_sa_is_set_UDP_ENCAP (sa))
875 mp->entry.udp_src_port = sa->udp_hdr.src_port;
876 mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
879 mp->entry.tunnel_flags = tunnel_encap_decap_flags_encode (sa->tunnel_flags);
880 mp->entry.dscp = ip_dscp_encode (sa->dscp);
882 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
883 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
884 if (ipsec_sa_is_set_USE_ESN (sa))
886 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
887 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
889 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
890 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
892 mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
894 vl_api_send_msg (ctx->reg, (u8 *) mp);
896 return (WALK_CONTINUE);
900 vl_api_ipsec_sa_v2_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
902 vl_api_registration_t *reg;
905 reg = vl_api_client_index_to_registration (mp->client_index);
909 ipsec_dump_walk_ctx_t ctx = {
911 .context = mp->context,
914 ipsec_sa_walk (send_ipsec_sa_v2_details, &ctx);
917 clib_warning ("unimplemented");
922 vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp)
924 vl_api_registration_t *rp;
925 ipsec_main_t *im = &ipsec_main;
926 u32 context = mp->context;
928 rp = vl_api_client_index_to_registration (mp->client_index);
932 clib_warning ("Client %d AWOL", mp->client_index);
936 ipsec_ah_backend_t *ab;
937 ipsec_esp_backend_t *eb;
939 pool_foreach (ab, im->ah_backends) {
940 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
941 clib_memset (mp, 0, sizeof (*mp));
942 mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
943 mp->context = context;
944 snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (ab->name),
946 mp->protocol = ntohl (IPSEC_API_PROTO_AH);
947 mp->index = ab - im->ah_backends;
948 mp->active = mp->index == im->ah_current_backend ? 1 : 0;
949 vl_api_send_msg (rp, (u8 *)mp);
951 pool_foreach (eb, im->esp_backends) {
952 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
953 clib_memset (mp, 0, sizeof (*mp));
954 mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
955 mp->context = context;
956 snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (eb->name),
958 mp->protocol = ntohl (IPSEC_API_PROTO_ESP);
959 mp->index = eb - im->esp_backends;
960 mp->active = mp->index == im->esp_current_backend ? 1 : 0;
961 vl_api_send_msg (rp, (u8 *)mp);
967 vl_api_ipsec_select_backend_t_handler (vl_api_ipsec_select_backend_t * mp)
969 ipsec_main_t *im = &ipsec_main;
970 vl_api_ipsec_select_backend_reply_t *rmp;
971 ipsec_protocol_t protocol;
973 if (pool_elts (im->sad) > 0)
975 rv = VNET_API_ERROR_INSTANCE_IN_USE;
979 rv = ipsec_proto_decode (mp->protocol, &protocol);
987 case IPSEC_PROTOCOL_ESP:
988 rv = ipsec_select_esp_backend (im, mp->index);
990 case IPSEC_PROTOCOL_AH:
991 rv = ipsec_select_ah_backend (im, mp->index);
994 rv = VNET_API_ERROR_INVALID_PROTOCOL;
998 clib_warning ("unimplemented"); /* FIXME */
1001 REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY);
1005 vl_api_ipsec_set_async_mode_t_handler (vl_api_ipsec_set_async_mode_t * mp)
1007 vl_api_ipsec_set_async_mode_reply_t *rmp;
1010 vnet_crypto_request_async_mode (mp->async_enable);
1011 ipsec_set_async_mode (mp->async_enable);
1013 REPLY_MACRO (VL_API_IPSEC_SET_ASYNC_MODE_REPLY);
1018 * Add vpe's API message handlers to the table.
1019 * vlib has already mapped shared memory and
1020 * added the client registration handlers.
1021 * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process()
1023 #define vl_msg_name_crc_list
1024 #include <vnet/vnet_all_api_h.h>
1025 #undef vl_msg_name_crc_list
1028 setup_message_id_table (api_main_t * am)
1030 #define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id);
1031 foreach_vl_msg_name_crc_ipsec;
1035 static clib_error_t *
1036 ipsec_api_hookup (vlib_main_t * vm)
1038 api_main_t *am = vlibapi_get_main ();
1041 vl_msg_api_set_handlers(VL_API_##N, #n, \
1042 vl_api_##n##_t_handler, \
1044 vl_api_##n##_t_endian, \
1045 vl_api_##n##_t_print, \
1046 sizeof(vl_api_##n##_t), 1);
1047 foreach_vpe_api_msg;
1051 * Set up the (msg_name, crc, message-id) table
1053 setup_message_id_table (am);
1058 VLIB_API_INIT_FUNCTION (ipsec_api_hookup);
1061 * fd.io coding-style-patch-verification: ON
1064 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob