2 *------------------------------------------------------------------
3 * ipsec_api.c - ipsec api
5 * Copyright (c) 2016 Cisco and/or its affiliates.
6 * Licensed under the Apache License, Version 2.0 (the "License");
7 * you may not use this file except in compliance with the License.
8 * You may obtain a copy of the License at:
10 * http://www.apache.org/licenses/LICENSE-2.0
12 * Unless required by applicable law or agreed to in writing, software
13 * distributed under the License is distributed on an "AS IS" BASIS,
14 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15 * See the License for the specific language governing permissions and
16 * limitations under the License.
17 *------------------------------------------------------------------
20 #include <vnet/vnet.h>
21 #include <vlibmemory/api.h>
23 #include <vnet/interface.h>
24 #include <vnet/api_errno.h>
25 #include <vnet/ip/ip.h>
26 #include <vnet/ip/ip_types_api.h>
27 #include <vnet/ipsec/ipsec_types_api.h>
28 #include <vnet/tunnel/tunnel_types_api.h>
29 #include <vnet/fib/fib.h>
30 #include <vnet/ipip/ipip.h>
31 #include <vnet/tunnel/tunnel_types_api.h>
32 #include <vnet/ipsec/ipsec.h>
33 #include <vnet/ipsec/ipsec_tun.h>
34 #include <vnet/ipsec/ipsec_itf.h>
36 #include <vnet/format_fns.h>
37 #include <vnet/ipsec/ipsec.api_enum.h>
38 #include <vnet/ipsec/ipsec.api_types.h>
40 #define REPLY_MSG_ID_BASE ipsec_main.msg_id_base
41 #include <vlibapi/api_helper_macros.h>
44 vl_api_ipsec_spd_add_del_t_handler (vl_api_ipsec_spd_add_del_t * mp)
46 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
47 vl_api_ipsec_spd_add_del_reply_t *rmp;
50 rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add);
52 REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY);
55 static void vl_api_ipsec_interface_add_del_spd_t_handler
56 (vl_api_ipsec_interface_add_del_spd_t * mp)
58 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
59 vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
61 u32 sw_if_index __attribute__ ((unused));
62 u32 spd_id __attribute__ ((unused));
64 sw_if_index = ntohl (mp->sw_if_index);
65 spd_id = ntohl (mp->spd_id);
67 VALIDATE_SW_IF_INDEX (mp);
69 rv = ipsec_set_interface_spd (vm, sw_if_index, spd_id, mp->is_add);
71 BAD_SW_IF_INDEX_LABEL;
73 REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY);
76 static void vl_api_ipsec_tunnel_protect_update_t_handler
77 (vl_api_ipsec_tunnel_protect_update_t * mp)
79 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
80 vl_api_ipsec_tunnel_protect_update_reply_t *rmp;
81 u32 sw_if_index, ii, *sa_ins = NULL;
85 sw_if_index = ntohl (mp->tunnel.sw_if_index);
87 VALIDATE_SW_IF_INDEX (&(mp->tunnel));
89 for (ii = 0; ii < mp->tunnel.n_sa_in; ii++)
90 vec_add1 (sa_ins, ntohl (mp->tunnel.sa_in[ii]));
92 ip_address_decode2 (&mp->tunnel.nh, &nh);
94 rv = ipsec_tun_protect_update (sw_if_index, &nh,
95 ntohl (mp->tunnel.sa_out), sa_ins);
97 BAD_SW_IF_INDEX_LABEL;
99 REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_UPDATE_REPLY);
102 static void vl_api_ipsec_tunnel_protect_del_t_handler
103 (vl_api_ipsec_tunnel_protect_del_t * mp)
105 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
106 vl_api_ipsec_tunnel_protect_del_reply_t *rmp;
111 sw_if_index = ntohl (mp->sw_if_index);
113 VALIDATE_SW_IF_INDEX (mp);
115 ip_address_decode2 (&mp->nh, &nh);
116 rv = ipsec_tun_protect_del (sw_if_index, &nh);
118 BAD_SW_IF_INDEX_LABEL;
120 REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_DEL_REPLY);
123 typedef struct ipsec_dump_walk_ctx_t_
125 vl_api_registration_t *reg;
128 } ipsec_dump_walk_ctx_t;
131 send_ipsec_tunnel_protect_details (index_t itpi, void *arg)
133 ipsec_dump_walk_ctx_t *ctx = arg;
134 vl_api_ipsec_tunnel_protect_details_t *mp;
135 ipsec_tun_protect_t *itp;
139 itp = ipsec_tun_protect_get (itpi);
141 mp = vl_msg_api_alloc (sizeof (*mp) + (sizeof (u32) * itp->itp_n_sa_in));
142 clib_memset (mp, 0, sizeof (*mp));
144 ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_TUNNEL_PROTECT_DETAILS);
145 mp->context = ctx->context;
147 mp->tun.sw_if_index = htonl (itp->itp_sw_if_index);
148 ip_address_encode2 (itp->itp_key, &mp->tun.nh);
150 sa = ipsec_sa_get (itp->itp_out_sa);
151 mp->tun.sa_out = htonl (sa->id);
152 mp->tun.n_sa_in = itp->itp_n_sa_in;
154 FOR_EACH_IPSEC_PROTECT_INPUT_SA(itp, sa,
156 mp->tun.sa_in[ii++] = htonl (sa->id);
160 vl_api_send_msg (ctx->reg, (u8 *) mp);
162 return (WALK_CONTINUE);
166 vl_api_ipsec_tunnel_protect_dump_t_handler (vl_api_ipsec_tunnel_protect_dump_t
169 vl_api_registration_t *reg;
172 reg = vl_api_client_index_to_registration (mp->client_index);
176 ipsec_dump_walk_ctx_t ctx = {
178 .context = mp->context,
181 sw_if_index = ntohl (mp->sw_if_index);
183 if (~0 == sw_if_index)
185 ipsec_tun_protect_walk (send_ipsec_tunnel_protect_details, &ctx);
189 ipsec_tun_protect_walk_itf (sw_if_index,
190 send_ipsec_tunnel_protect_details, &ctx);
195 ipsec_spd_action_decode (vl_api_ipsec_spd_action_t in,
196 ipsec_policy_action_t * out)
198 in = clib_net_to_host_u32 (in);
202 #define _(v,f,s) case IPSEC_API_SPD_ACTION_##f: \
203 *out = IPSEC_POLICY_ACTION_##f; \
205 foreach_ipsec_policy_action
208 return (VNET_API_ERROR_UNIMPLEMENTED);
211 static void vl_api_ipsec_spd_entry_add_del_t_handler
212 (vl_api_ipsec_spd_entry_add_del_t * mp)
214 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
215 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
224 clib_memset (&p, 0, sizeof (p));
226 p.id = ntohl (mp->entry.spd_id);
227 p.priority = ntohl (mp->entry.priority);
229 itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start);
230 ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop);
231 ip_address_decode (&mp->entry.local_address_start, &p.laddr.start);
232 ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop);
234 p.is_ipv6 = (itype == IP46_TYPE_IP6);
237 mp->entry.protocol ? mp->entry.protocol : IPSEC_POLICY_PROTOCOL_ANY;
238 p.rport.start = ntohs (mp->entry.remote_port_start);
239 p.rport.stop = ntohs (mp->entry.remote_port_stop);
240 p.lport.start = ntohs (mp->entry.local_port_start);
241 p.lport.stop = ntohs (mp->entry.local_port_stop);
243 rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
248 /* policy action resolve unsupported */
249 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
251 clib_warning ("unsupported action: 'resolve'");
252 rv = VNET_API_ERROR_UNIMPLEMENTED;
255 p.sa_id = ntohl (mp->entry.sa_id);
257 ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy,
262 rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index);
268 REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_REPLY,
270 rmp->stat_index = ntohl(stat_index);
276 vl_api_ipsec_spd_entry_add_del_v2_t_handler (
277 vl_api_ipsec_spd_entry_add_del_v2_t *mp)
279 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
280 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
289 clib_memset (&p, 0, sizeof (p));
291 p.id = ntohl (mp->entry.spd_id);
292 p.priority = ntohl (mp->entry.priority);
294 itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start);
295 ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop);
296 ip_address_decode (&mp->entry.local_address_start, &p.laddr.start);
297 ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop);
299 p.is_ipv6 = (itype == IP46_TYPE_IP6);
301 p.protocol = mp->entry.protocol;
302 p.rport.start = ntohs (mp->entry.remote_port_start);
303 p.rport.stop = ntohs (mp->entry.remote_port_stop);
304 p.lport.start = ntohs (mp->entry.local_port_start);
305 p.lport.stop = ntohs (mp->entry.local_port_stop);
307 rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);
312 /* policy action resolve unsupported */
313 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
315 clib_warning ("unsupported action: 'resolve'");
316 rv = VNET_API_ERROR_UNIMPLEMENTED;
319 p.sa_id = ntohl (mp->entry.sa_id);
321 ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy, &p.type);
325 rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index);
330 REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_V2_REPLY,
331 ({ rmp->stat_index = ntohl (stat_index); }));
334 static void vl_api_ipsec_sad_entry_add_del_t_handler
335 (vl_api_ipsec_sad_entry_add_del_t * mp)
337 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
338 ipsec_key_t crypto_key, integ_key;
339 ipsec_crypto_alg_t crypto_alg;
340 ipsec_integ_alg_t integ_alg;
341 ipsec_protocol_t proto;
342 ipsec_sa_flags_t flags;
343 u32 id, spi, sa_index = ~0;
345 .t_flags = TUNNEL_FLAG_NONE,
346 .t_encap_decap_flags = TUNNEL_ENCAP_DECAP_FLAG_NONE,
348 .t_mode = TUNNEL_MODE_P2P,
354 id = ntohl (mp->entry.sad_id);
357 rv = ipsec_sa_unlock_id (id);
360 spi = ntohl (mp->entry.spi);
362 rv = ipsec_proto_decode (mp->entry.protocol, &proto);
367 rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
372 rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
377 ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
378 ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
380 flags = ipsec_sa_flags_decode (mp->entry.flags);
382 ip_address_decode2 (&mp->entry.tunnel_src, &tun.t_src);
383 ip_address_decode2 (&mp->entry.tunnel_dst, &tun.t_dst);
385 rv = ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &crypto_key,
386 integ_alg, &integ_key, flags, mp->entry.salt,
387 htons (mp->entry.udp_src_port),
388 htons (mp->entry.udp_dst_port), &tun, &sa_index);
392 REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY,
394 rmp->stat_index = htonl (sa_index);
399 static void vl_api_ipsec_sad_entry_add_del_v2_t_handler
400 (vl_api_ipsec_sad_entry_add_del_v2_t * mp)
402 vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
403 vl_api_ipsec_sad_entry_add_del_v2_reply_t *rmp;
404 ipsec_key_t crypto_key, integ_key;
405 ipsec_crypto_alg_t crypto_alg;
406 ipsec_integ_alg_t integ_alg;
407 ipsec_protocol_t proto;
408 ipsec_sa_flags_t flags;
409 u32 id, spi, sa_index = ~0;
412 .t_flags = TUNNEL_FLAG_NONE,
413 .t_encap_decap_flags = TUNNEL_ENCAP_DECAP_FLAG_NONE,
415 .t_mode = TUNNEL_MODE_P2P,
416 .t_table_id = htonl (mp->entry.tx_table_id),
420 id = ntohl (mp->entry.sad_id);
423 rv = ipsec_sa_unlock_id (id);
427 spi = ntohl (mp->entry.spi);
429 rv = ipsec_proto_decode (mp->entry.protocol, &proto);
434 rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);
439 rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);
444 rv = tunnel_encap_decap_flags_decode (mp->entry.tunnel_flags,
445 &tun.t_encap_decap_flags);
450 ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
451 ipsec_key_decode (&mp->entry.integrity_key, &integ_key);
453 flags = ipsec_sa_flags_decode (mp->entry.flags);
454 tun.t_dscp = ip_dscp_decode (mp->entry.dscp);
456 ip_address_decode2 (&mp->entry.tunnel_src, &tun.t_src);
457 ip_address_decode2 (&mp->entry.tunnel_dst, &tun.t_dst);
459 rv = ipsec_sa_add_and_lock (
460 id, spi, proto, crypto_alg, &crypto_key, integ_alg, &integ_key, flags,
461 mp->entry.salt, htons (mp->entry.udp_src_port),
462 htons (mp->entry.udp_dst_port), &tun, &sa_index);
466 REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_V2_REPLY,
468 rmp->stat_index = htonl (sa_index);
474 ipsec_sad_entry_add_v3 (const vl_api_ipsec_sad_entry_v3_t *entry,
477 ipsec_key_t crypto_key, integ_key;
478 ipsec_crypto_alg_t crypto_alg;
479 ipsec_integ_alg_t integ_alg;
480 ipsec_protocol_t proto;
481 ipsec_sa_flags_t flags;
483 tunnel_t tun = { 0 };
486 id = ntohl (entry->sad_id);
487 spi = ntohl (entry->spi);
489 rv = ipsec_proto_decode (entry->protocol, &proto);
494 rv = ipsec_crypto_algo_decode (entry->crypto_algorithm, &crypto_alg);
499 rv = ipsec_integ_algo_decode (entry->integrity_algorithm, &integ_alg);
504 flags = ipsec_sa_flags_decode (entry->flags);
506 if (flags & IPSEC_SA_FLAG_IS_TUNNEL)
508 rv = tunnel_decode (&entry->tunnel, &tun);
514 ipsec_key_decode (&entry->crypto_key, &crypto_key);
515 ipsec_key_decode (&entry->integrity_key, &integ_key);
517 return ipsec_sa_add_and_lock (id, spi, proto, crypto_alg, &crypto_key,
518 integ_alg, &integ_key, flags, entry->salt,
519 htons (entry->udp_src_port),
520 htons (entry->udp_dst_port), &tun, sa_index);
524 vl_api_ipsec_sad_entry_add_del_v3_t_handler (
525 vl_api_ipsec_sad_entry_add_del_v3_t *mp)
527 vl_api_ipsec_sad_entry_add_del_v3_reply_t *rmp;
528 u32 id, sa_index = ~0;
531 id = ntohl (mp->entry.sad_id);
535 rv = ipsec_sa_unlock_id (id);
539 rv = ipsec_sad_entry_add_v3 (&mp->entry, &sa_index);
542 REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_V3_REPLY,
543 { rmp->stat_index = htonl (sa_index); });
547 vl_api_ipsec_sad_entry_del_t_handler (vl_api_ipsec_sad_entry_del_t *mp)
549 vl_api_ipsec_sad_entry_del_reply_t *rmp;
552 rv = ipsec_sa_unlock_id (ntohl (mp->id));
554 REPLY_MACRO (VL_API_IPSEC_SAD_ENTRY_DEL_REPLY);
558 vl_api_ipsec_sad_entry_add_t_handler (vl_api_ipsec_sad_entry_add_t *mp)
560 vl_api_ipsec_sad_entry_add_reply_t *rmp;
564 rv = ipsec_sad_entry_add_v3 (&mp->entry, &sa_index);
566 REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_REPLY,
567 { rmp->stat_index = htonl (sa_index); });
571 vl_api_ipsec_sad_entry_update_t_handler (vl_api_ipsec_sad_entry_update_t *mp)
573 vl_api_ipsec_sad_entry_update_reply_t *rmp;
575 tunnel_t tun = { 0 };
578 id = ntohl (mp->sad_id);
582 rv = tunnel_decode (&mp->tunnel, &tun);
588 rv = ipsec_sa_update (id, htons (mp->udp_src_port), htons (mp->udp_dst_port),
592 REPLY_MACRO (VL_API_IPSEC_SAD_ENTRY_UPDATE_REPLY);
596 send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg,
599 vl_api_ipsec_spds_details_t *mp;
602 mp = vl_msg_api_alloc (sizeof (*mp));
603 clib_memset (mp, 0, sizeof (*mp));
604 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_SPDS_DETAILS);
605 mp->context = context;
607 mp->spd_id = htonl (spd->id);
608 #define _(s, n) n_policies += vec_len (spd->policies[IPSEC_SPD_POLICY_##s]);
609 foreach_ipsec_spd_policy_type
611 mp->npolicies = htonl (n_policies);
613 vl_api_send_msg (reg, (u8 *) mp);
617 vl_api_ipsec_spds_dump_t_handler (vl_api_ipsec_spds_dump_t * mp)
619 vl_api_registration_t *reg;
620 ipsec_main_t *im = &ipsec_main;
623 reg = vl_api_client_index_to_registration (mp->client_index);
627 pool_foreach (spd, im->spds) {
628 send_ipsec_spds_details (spd, reg, mp->context);
632 vl_api_ipsec_spd_action_t
633 ipsec_spd_action_encode (ipsec_policy_action_t in)
635 vl_api_ipsec_spd_action_t out = IPSEC_API_SPD_ACTION_BYPASS;
639 #define _(v,f,s) case IPSEC_POLICY_ACTION_##f: \
640 out = IPSEC_API_SPD_ACTION_##f; \
642 foreach_ipsec_policy_action
645 return (clib_host_to_net_u32 (out));
649 send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg,
652 vl_api_ipsec_spd_details_t *mp;
654 mp = vl_msg_api_alloc (sizeof (*mp));
655 clib_memset (mp, 0, sizeof (*mp));
656 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_SPD_DETAILS);
657 mp->context = context;
659 mp->entry.spd_id = htonl (p->id);
660 mp->entry.priority = htonl (p->priority);
661 mp->entry.is_outbound = ((p->type == IPSEC_SPD_POLICY_IP6_OUTBOUND) ||
662 (p->type == IPSEC_SPD_POLICY_IP4_OUTBOUND));
664 ip_address_encode (&p->laddr.start, IP46_TYPE_ANY,
665 &mp->entry.local_address_start);
666 ip_address_encode (&p->laddr.stop, IP46_TYPE_ANY,
667 &mp->entry.local_address_stop);
668 ip_address_encode (&p->raddr.start, IP46_TYPE_ANY,
669 &mp->entry.remote_address_start);
670 ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY,
671 &mp->entry.remote_address_stop);
672 mp->entry.local_port_start = htons (p->lport.start);
673 mp->entry.local_port_stop = htons (p->lport.stop);
674 mp->entry.remote_port_start = htons (p->rport.start);
675 mp->entry.remote_port_stop = htons (p->rport.stop);
676 mp->entry.protocol = p->protocol;
677 mp->entry.policy = ipsec_spd_action_encode (p->policy);
678 mp->entry.sa_id = htonl (p->sa_id);
680 vl_api_send_msg (reg, (u8 *) mp);
684 vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp)
686 vl_api_registration_t *reg;
687 ipsec_main_t *im = &ipsec_main;
688 ipsec_spd_policy_type_t ptype;
689 ipsec_policy_t *policy;
694 reg = vl_api_client_index_to_registration (mp->client_index);
698 p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id));
703 spd = pool_elt_at_index (im->spds, spd_index);
705 FOR_EACH_IPSEC_SPD_POLICY_TYPE(ptype) {
706 vec_foreach(ii, spd->policies[ptype])
708 policy = pool_elt_at_index(im->policies, *ii);
710 if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id)
711 send_ipsec_spd_details (policy, reg, mp->context);
717 send_ipsec_spd_interface_details (vl_api_registration_t * reg, u32 spd_index,
718 u32 sw_if_index, u32 context)
720 vl_api_ipsec_spd_interface_details_t *mp;
722 mp = vl_msg_api_alloc (sizeof (*mp));
723 clib_memset (mp, 0, sizeof (*mp));
725 ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_SPD_INTERFACE_DETAILS);
726 mp->context = context;
728 mp->spd_index = htonl (spd_index);
729 mp->sw_if_index = htonl (sw_if_index);
731 vl_api_send_msg (reg, (u8 *) mp);
735 vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t *
738 ipsec_main_t *im = &ipsec_main;
739 vl_api_registration_t *reg;
742 reg = vl_api_client_index_to_registration (mp->client_index);
746 if (mp->spd_index_valid)
748 spd_index = ntohl (mp->spd_index);
750 hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
752 send_ipsec_spd_interface_details(reg, v, k, mp->context);
758 hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
759 send_ipsec_spd_interface_details(reg, v, k, mp->context);
765 vl_api_ipsec_itf_create_t_handler (vl_api_ipsec_itf_create_t * mp)
767 vl_api_ipsec_itf_create_reply_t *rmp;
769 u32 sw_if_index = ~0;
772 rv = tunnel_mode_decode (mp->itf.mode, &mode);
775 rv = ipsec_itf_create (ntohl (mp->itf.user_instance), mode, &sw_if_index);
778 REPLY_MACRO2 (VL_API_IPSEC_ITF_CREATE_REPLY,
780 rmp->sw_if_index = htonl (sw_if_index);
786 vl_api_ipsec_itf_delete_t_handler (vl_api_ipsec_itf_delete_t * mp)
788 vl_api_ipsec_itf_delete_reply_t *rmp;
791 rv = ipsec_itf_delete (ntohl (mp->sw_if_index));
793 REPLY_MACRO (VL_API_IPSEC_ITF_DELETE_REPLY);
797 send_ipsec_itf_details (ipsec_itf_t *itf, void *arg)
799 ipsec_dump_walk_ctx_t *ctx = arg;
800 vl_api_ipsec_itf_details_t *mp;
802 if (~0 != ctx->sw_if_index && ctx->sw_if_index != itf->ii_sw_if_index)
803 return (WALK_CONTINUE);
805 mp = vl_msg_api_alloc (sizeof (*mp));
806 clib_memset (mp, 0, sizeof (*mp));
807 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_ITF_DETAILS);
808 mp->context = ctx->context;
810 mp->itf.mode = tunnel_mode_encode (itf->ii_mode);
811 mp->itf.user_instance = htonl (itf->ii_user_instance);
812 mp->itf.sw_if_index = htonl (itf->ii_sw_if_index);
813 vl_api_send_msg (ctx->reg, (u8 *) mp);
815 return (WALK_CONTINUE);
819 vl_api_ipsec_itf_dump_t_handler (vl_api_ipsec_itf_dump_t * mp)
821 vl_api_registration_t *reg;
823 reg = vl_api_client_index_to_registration (mp->client_index);
827 ipsec_dump_walk_ctx_t ctx = {
829 .context = mp->context,
830 .sw_if_index = ntohl (mp->sw_if_index),
833 ipsec_itf_walk (send_ipsec_itf_details, &ctx);
836 typedef struct ipsec_sa_dump_match_ctx_t_
840 } ipsec_sa_dump_match_ctx_t;
843 ipsec_sa_dump_match_sa (index_t itpi, void *arg)
845 ipsec_sa_dump_match_ctx_t *ctx = arg;
846 ipsec_tun_protect_t *itp;
849 itp = ipsec_tun_protect_get (itpi);
851 if (itp->itp_out_sa == ctx->sai)
853 ctx->sw_if_index = itp->itp_sw_if_index;
857 FOR_EACH_IPSEC_PROTECT_INPUT_SAI (itp, sai,
861 ctx->sw_if_index = itp->itp_sw_if_index;
866 return (WALK_CONTINUE);
870 send_ipsec_sa_details (ipsec_sa_t * sa, void *arg)
872 ipsec_dump_walk_ctx_t *ctx = arg;
873 vl_api_ipsec_sa_details_t *mp;
875 mp = vl_msg_api_alloc (sizeof (*mp));
876 clib_memset (mp, 0, sizeof (*mp));
877 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_SA_DETAILS);
878 mp->context = ctx->context;
880 mp->entry.sad_id = htonl (sa->id);
881 mp->entry.spi = htonl (sa->spi);
882 mp->entry.protocol = ipsec_proto_encode (sa->protocol);
883 mp->entry.tx_table_id = htonl (sa->tunnel.t_table_id);
885 mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
886 ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
888 mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
889 ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
891 mp->entry.flags = ipsec_sad_flags_encode (sa);
892 mp->entry.salt = clib_host_to_net_u32 (sa->salt);
894 if (ipsec_sa_is_set_IS_PROTECT (sa))
896 ipsec_sa_dump_match_ctx_t ctx = {
897 .sai = sa - ipsec_sa_pool,
900 ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
902 mp->sw_if_index = htonl (ctx.sw_if_index);
905 mp->sw_if_index = ~0;
907 if (ipsec_sa_is_set_IS_TUNNEL (sa))
909 ip_address_encode2 (&sa->tunnel.t_src, &mp->entry.tunnel_src);
910 ip_address_encode2 (&sa->tunnel.t_dst, &mp->entry.tunnel_dst);
912 if (ipsec_sa_is_set_UDP_ENCAP (sa))
914 mp->entry.udp_src_port = sa->udp_hdr.src_port;
915 mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
918 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
919 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->seq));
920 if (ipsec_sa_is_set_USE_ESN (sa))
922 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
923 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
925 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
926 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
928 mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
930 vl_api_send_msg (ctx->reg, (u8 *) mp);
932 return (WALK_CONTINUE);
936 vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
938 vl_api_registration_t *reg;
940 reg = vl_api_client_index_to_registration (mp->client_index);
944 ipsec_dump_walk_ctx_t ctx = {
946 .context = mp->context,
949 ipsec_sa_walk (send_ipsec_sa_details, &ctx);
953 send_ipsec_sa_v2_details (ipsec_sa_t * sa, void *arg)
955 ipsec_dump_walk_ctx_t *ctx = arg;
956 vl_api_ipsec_sa_v2_details_t *mp;
958 mp = vl_msg_api_alloc (sizeof (*mp));
959 clib_memset (mp, 0, sizeof (*mp));
960 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_SA_V2_DETAILS);
961 mp->context = ctx->context;
963 mp->entry.sad_id = htonl (sa->id);
964 mp->entry.spi = htonl (sa->spi);
965 mp->entry.protocol = ipsec_proto_encode (sa->protocol);
966 mp->entry.tx_table_id = htonl (sa->tunnel.t_table_id);
968 mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
969 ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
971 mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
972 ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
974 mp->entry.flags = ipsec_sad_flags_encode (sa);
975 mp->entry.salt = clib_host_to_net_u32 (sa->salt);
977 if (ipsec_sa_is_set_IS_PROTECT (sa))
979 ipsec_sa_dump_match_ctx_t ctx = {
980 .sai = sa - ipsec_sa_pool,
983 ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
985 mp->sw_if_index = htonl (ctx.sw_if_index);
988 mp->sw_if_index = ~0;
990 if (ipsec_sa_is_set_IS_TUNNEL (sa))
992 ip_address_encode2 (&sa->tunnel.t_src, &mp->entry.tunnel_src);
993 ip_address_encode2 (&sa->tunnel.t_dst, &mp->entry.tunnel_dst);
995 if (ipsec_sa_is_set_UDP_ENCAP (sa))
997 mp->entry.udp_src_port = sa->udp_hdr.src_port;
998 mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
1001 mp->entry.tunnel_flags =
1002 tunnel_encap_decap_flags_encode (sa->tunnel.t_encap_decap_flags);
1003 mp->entry.dscp = ip_dscp_encode (sa->tunnel.t_dscp);
1005 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
1006 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->seq));
1007 if (ipsec_sa_is_set_USE_ESN (sa))
1009 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
1010 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
1012 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
1013 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
1015 mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
1017 vl_api_send_msg (ctx->reg, (u8 *) mp);
1019 return (WALK_CONTINUE);
1023 vl_api_ipsec_sa_v2_dump_t_handler (vl_api_ipsec_sa_v2_dump_t *mp)
1025 vl_api_registration_t *reg;
1027 reg = vl_api_client_index_to_registration (mp->client_index);
1031 ipsec_dump_walk_ctx_t ctx = {
1033 .context = mp->context,
1036 ipsec_sa_walk (send_ipsec_sa_v2_details, &ctx);
1040 send_ipsec_sa_v3_details (ipsec_sa_t *sa, void *arg)
1042 ipsec_dump_walk_ctx_t *ctx = arg;
1043 vl_api_ipsec_sa_v3_details_t *mp;
1045 mp = vl_msg_api_alloc (sizeof (*mp));
1046 clib_memset (mp, 0, sizeof (*mp));
1047 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_SA_V3_DETAILS);
1048 mp->context = ctx->context;
1050 mp->entry.sad_id = htonl (sa->id);
1051 mp->entry.spi = htonl (sa->spi);
1052 mp->entry.protocol = ipsec_proto_encode (sa->protocol);
1054 mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
1055 ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);
1057 mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
1058 ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);
1060 mp->entry.flags = ipsec_sad_flags_encode (sa);
1061 mp->entry.salt = clib_host_to_net_u32 (sa->salt);
1063 if (ipsec_sa_is_set_IS_PROTECT (sa))
1065 ipsec_sa_dump_match_ctx_t ctx = {
1066 .sai = sa - ipsec_sa_pool,
1069 ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);
1071 mp->sw_if_index = htonl (ctx.sw_if_index);
1074 mp->sw_if_index = ~0;
1076 if (ipsec_sa_is_set_IS_TUNNEL (sa))
1077 tunnel_encode (&sa->tunnel, &mp->entry.tunnel);
1079 if (ipsec_sa_is_set_UDP_ENCAP (sa))
1081 mp->entry.udp_src_port = sa->udp_hdr.src_port;
1082 mp->entry.udp_dst_port = sa->udp_hdr.dst_port;
1085 mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
1086 mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->seq));
1087 if (ipsec_sa_is_set_USE_ESN (sa))
1089 mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
1090 mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
1092 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
1093 mp->replay_window = clib_host_to_net_u64 (sa->replay_window);
1095 mp->stat_index = clib_host_to_net_u32 (sa->stat_index);
1097 vl_api_send_msg (ctx->reg, (u8 *) mp);
1099 return (WALK_CONTINUE);
1103 vl_api_ipsec_sa_v3_dump_t_handler (vl_api_ipsec_sa_v3_dump_t *mp)
1105 vl_api_registration_t *reg;
1107 reg = vl_api_client_index_to_registration (mp->client_index);
1111 ipsec_dump_walk_ctx_t ctx = {
1113 .context = mp->context,
1116 ipsec_sa_walk (send_ipsec_sa_v3_details, &ctx);
1120 vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp)
1122 vl_api_registration_t *rp;
1123 ipsec_main_t *im = &ipsec_main;
1124 u32 context = mp->context;
1126 rp = vl_api_client_index_to_registration (mp->client_index);
1130 clib_warning ("Client %d AWOL", mp->client_index);
1134 ipsec_ah_backend_t *ab;
1135 ipsec_esp_backend_t *eb;
1137 pool_foreach (ab, im->ah_backends) {
1138 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
1139 clib_memset (mp, 0, sizeof (*mp));
1140 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_BACKEND_DETAILS);
1141 mp->context = context;
1142 snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (ab->name),
1144 mp->protocol = ntohl (IPSEC_API_PROTO_AH);
1145 mp->index = ab - im->ah_backends;
1146 mp->active = mp->index == im->ah_current_backend ? 1 : 0;
1147 vl_api_send_msg (rp, (u8 *)mp);
1149 pool_foreach (eb, im->esp_backends) {
1150 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
1151 clib_memset (mp, 0, sizeof (*mp));
1152 mp->_vl_msg_id = ntohs (REPLY_MSG_ID_BASE + VL_API_IPSEC_BACKEND_DETAILS);
1153 mp->context = context;
1154 snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (eb->name),
1156 mp->protocol = ntohl (IPSEC_API_PROTO_ESP);
1157 mp->index = eb - im->esp_backends;
1158 mp->active = mp->index == im->esp_current_backend ? 1 : 0;
1159 vl_api_send_msg (rp, (u8 *)mp);
1165 vl_api_ipsec_select_backend_t_handler (vl_api_ipsec_select_backend_t * mp)
1167 ipsec_main_t *im = &ipsec_main;
1168 vl_api_ipsec_select_backend_reply_t *rmp;
1169 ipsec_protocol_t protocol;
1171 if (pool_elts (ipsec_sa_pool) > 0)
1173 rv = VNET_API_ERROR_INSTANCE_IN_USE;
1177 rv = ipsec_proto_decode (mp->protocol, &protocol);
1184 case IPSEC_PROTOCOL_ESP:
1185 rv = ipsec_select_esp_backend (im, mp->index);
1187 case IPSEC_PROTOCOL_AH:
1188 rv = ipsec_select_ah_backend (im, mp->index);
1191 rv = VNET_API_ERROR_INVALID_PROTOCOL;
1195 REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY);
1199 vl_api_ipsec_set_async_mode_t_handler (vl_api_ipsec_set_async_mode_t * mp)
1201 vl_api_ipsec_set_async_mode_reply_t *rmp;
1204 ipsec_set_async_mode (mp->async_enable);
1206 REPLY_MACRO (VL_API_IPSEC_SET_ASYNC_MODE_REPLY);
1209 #include <vnet/ipsec/ipsec.api.c>
1210 static clib_error_t *
1211 ipsec_api_hookup (vlib_main_t * vm)
1214 * Set up the (msg_name, crc, message-id) table
1216 REPLY_MSG_ID_BASE = setup_message_id_table ();
1221 VLIB_API_INIT_FUNCTION (ipsec_api_hookup);
1224 * fd.io coding-style-patch-verification: ON
1227 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob