2 * decap.c : IPSec tunnel support
4 * Copyright (c) 2015 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/interface.h>
23 #include <vnet/ipsec/ipsec.h>
26 set_interface_spd_command_fn (vlib_main_t * vm,
27 unformat_input_t * input,
28 vlib_cli_command_t * cmd)
30 unformat_input_t _line_input, *line_input = &_line_input;
31 ipsec_main_t *im = &ipsec_main;
32 u32 sw_if_index = (u32) ~ 0;
35 clib_error_t *error = NULL;
37 if (!unformat_user (input, unformat_line_input, line_input))
41 (line_input, "%U %u", unformat_vnet_sw_interface, im->vnet_main,
42 &sw_if_index, &spd_id))
44 else if (unformat (line_input, "del"))
48 error = clib_error_return (0, "parse error: '%U'",
49 format_unformat_error, line_input);
53 ipsec_set_interface_spd (vm, sw_if_index, spd_id, is_add);
56 unformat_free (line_input);
62 VLIB_CLI_COMMAND (set_interface_spd_command, static) = {
63 .path = "set interface ipsec spd",
65 "set interface ipsec spd <int> <id>",
66 .function = set_interface_spd_command_fn,
71 ipsec_sa_add_del_command_fn (vlib_main_t * vm,
72 unformat_input_t * input,
73 vlib_cli_command_t * cmd)
75 ipsec_main_t *im = &ipsec_main;
76 unformat_input_t _line_input, *line_input = &_line_input;
80 clib_error_t *error = NULL;
82 clib_memset (&sa, 0, sizeof (sa));
84 if (!unformat_user (input, unformat_line_input, line_input))
87 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
89 if (unformat (line_input, "add %u", &sa.id))
91 else if (unformat (line_input, "del %u", &sa.id))
93 else if (unformat (line_input, "spi %u", &sa.spi))
95 else if (unformat (line_input, "esp"))
96 sa.protocol = IPSEC_PROTOCOL_ESP;
97 else if (unformat (line_input, "ah"))
99 sa.protocol = IPSEC_PROTOCOL_AH;
102 if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck))
103 sa.crypto_key_len = vec_len (ck);
106 (line_input, "crypto-alg %U", unformat_ipsec_crypto_alg,
109 if (sa.crypto_alg < IPSEC_CRYPTO_ALG_NONE ||
110 sa.crypto_alg >= IPSEC_CRYPTO_N_ALG)
112 error = clib_error_return (0, "unsupported crypto-alg: '%U'",
113 format_ipsec_crypto_alg,
119 if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik))
120 sa.integ_key_len = vec_len (ik);
121 else if (unformat (line_input, "integ-alg %U", unformat_ipsec_integ_alg,
124 if (sa.integ_alg < IPSEC_INTEG_ALG_NONE ||
125 sa.integ_alg >= IPSEC_INTEG_N_ALG)
127 error = clib_error_return (0, "unsupported integ-alg: '%U'",
128 format_ipsec_integ_alg,
133 else if (unformat (line_input, "tunnel-src %U",
134 unformat_ip4_address, &sa.tunnel_src_addr.ip4))
136 else if (unformat (line_input, "tunnel-dst %U",
137 unformat_ip4_address, &sa.tunnel_dst_addr.ip4))
139 else if (unformat (line_input, "tunnel-src %U",
140 unformat_ip6_address, &sa.tunnel_src_addr.ip6))
143 sa.is_tunnel_ip6 = 1;
145 else if (unformat (line_input, "tunnel-dst %U",
146 unformat_ip6_address, &sa.tunnel_dst_addr.ip6))
149 sa.is_tunnel_ip6 = 1;
151 else if (unformat (line_input, "udp-encap"))
157 error = clib_error_return (0, "parse error: '%U'",
158 format_unformat_error, line_input);
163 if (sa.crypto_key_len > sizeof (sa.crypto_key))
164 sa.crypto_key_len = sizeof (sa.crypto_key);
166 if (sa.integ_key_len > sizeof (sa.integ_key))
167 sa.integ_key_len = sizeof (sa.integ_key);
170 strncpy ((char *) sa.crypto_key, (char *) ck, sa.crypto_key_len);
173 strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len);
177 error = ipsec_check_support_cb (im, &sa);
182 ipsec_add_del_sa (vm, &sa, is_add);
185 unformat_free (line_input);
191 VLIB_CLI_COMMAND (ipsec_sa_add_del_command, static) = {
194 "ipsec sa [add|del]",
195 .function = ipsec_sa_add_del_command_fn,
199 static clib_error_t *
200 ipsec_spd_add_del_command_fn (vlib_main_t * vm,
201 unformat_input_t * input,
202 vlib_cli_command_t * cmd)
204 unformat_input_t _line_input, *line_input = &_line_input;
207 clib_error_t *error = NULL;
209 if (!unformat_user (input, unformat_line_input, line_input))
212 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
214 if (unformat (line_input, "add"))
216 else if (unformat (line_input, "del"))
218 else if (unformat (line_input, "%u", &spd_id))
222 error = clib_error_return (0, "parse error: '%U'",
223 format_unformat_error, line_input);
230 error = clib_error_return (0, "please specify SPD ID");
234 ipsec_add_del_spd (vm, spd_id, is_add);
237 unformat_free (line_input);
243 VLIB_CLI_COMMAND (ipsec_spd_add_del_command, static) = {
246 "ipsec spd [add|del] <id>",
247 .function = ipsec_spd_add_del_command_fn,
252 static clib_error_t *
253 ipsec_policy_add_del_command_fn (vlib_main_t * vm,
254 unformat_input_t * input,
255 vlib_cli_command_t * cmd)
257 unformat_input_t _line_input, *line_input = &_line_input;
262 clib_error_t *error = NULL;
264 clib_memset (&p, 0, sizeof (p));
265 p.lport.stop = p.rport.stop = ~0;
266 p.laddr.stop.ip4.as_u32 = p.raddr.stop.ip4.as_u32 = (u32) ~ 0;
267 p.laddr.stop.ip6.as_u64[0] = p.laddr.stop.ip6.as_u64[1] = (u64) ~ 0;
268 p.raddr.stop.ip6.as_u64[0] = p.raddr.stop.ip6.as_u64[1] = (u64) ~ 0;
270 if (!unformat_user (input, unformat_line_input, line_input))
273 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
275 if (unformat (line_input, "add"))
277 else if (unformat (line_input, "del"))
279 else if (unformat (line_input, "spd %u", &p.id))
281 else if (unformat (line_input, "inbound"))
283 else if (unformat (line_input, "outbound"))
285 else if (unformat (line_input, "priority %d", &p.priority))
287 else if (unformat (line_input, "protocol %u", &tmp))
288 p.protocol = (u8) tmp;
291 (line_input, "action %U", unformat_ipsec_policy_action,
294 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
296 error = clib_error_return (0, "unsupported action: 'resolve'");
300 else if (unformat (line_input, "sa %u", &p.sa_id))
302 else if (unformat (line_input, "local-ip-range %U - %U",
303 unformat_ip4_address, &p.laddr.start.ip4,
304 unformat_ip4_address, &p.laddr.stop.ip4))
306 else if (unformat (line_input, "remote-ip-range %U - %U",
307 unformat_ip4_address, &p.raddr.start.ip4,
308 unformat_ip4_address, &p.raddr.stop.ip4))
310 else if (unformat (line_input, "local-ip-range %U - %U",
311 unformat_ip6_address, &p.laddr.start.ip6,
312 unformat_ip6_address, &p.laddr.stop.ip6))
317 else if (unformat (line_input, "remote-ip-range %U - %U",
318 unformat_ip6_address, &p.raddr.start.ip6,
319 unformat_ip6_address, &p.raddr.stop.ip6))
324 else if (unformat (line_input, "local-port-range %u - %u", &tmp, &tmp2))
330 if (unformat (line_input, "remote-port-range %u - %u", &tmp, &tmp2))
337 error = clib_error_return (0, "parse error: '%U'",
338 format_unformat_error, line_input);
343 /* Check if SA is for IPv6/AH which is not supported. Return error if TRUE. */
347 ipsec_main_t *im = &ipsec_main;
349 p1 = hash_get (im->sa_index_by_sa_id, p.sa_id);
353 clib_error_return (0, "SA with index %u not found", p.sa_id);
356 sa = pool_elt_at_index (im->sad, p1[0]);
357 if (sa && sa->protocol == IPSEC_PROTOCOL_AH && is_add && p.is_ipv6)
359 error = clib_error_return (0, "AH not supported for IPV6: '%U'",
360 format_unformat_error, line_input);
364 ipsec_add_del_policy (vm, &p, is_add);
368 ipsec_add_del_policy (vm, &p, is_add);
372 unformat_free (line_input);
378 VLIB_CLI_COMMAND (ipsec_policy_add_del_command, static) = {
379 .path = "ipsec policy",
381 "ipsec policy [add|del] spd <id> priority <n> ",
382 .function = ipsec_policy_add_del_command_fn,
386 static clib_error_t *
387 set_ipsec_sa_key_command_fn (vlib_main_t * vm,
388 unformat_input_t * input,
389 vlib_cli_command_t * cmd)
391 unformat_input_t _line_input, *line_input = &_line_input;
394 clib_error_t *error = NULL;
396 clib_memset (&sa, 0, sizeof (sa));
398 if (!unformat_user (input, unformat_line_input, line_input))
401 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
403 if (unformat (line_input, "%u", &sa.id))
406 if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck))
407 sa.crypto_key_len = vec_len (ck);
409 if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik))
410 sa.integ_key_len = vec_len (ik);
413 error = clib_error_return (0, "parse error: '%U'",
414 format_unformat_error, line_input);
419 if (sa.crypto_key_len > sizeof (sa.crypto_key))
420 sa.crypto_key_len = sizeof (sa.crypto_key);
422 if (sa.integ_key_len > sizeof (sa.integ_key))
423 sa.integ_key_len = sizeof (sa.integ_key);
426 strncpy ((char *) sa.crypto_key, (char *) ck, sa.crypto_key_len);
429 strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len);
431 ipsec_set_sa_key (vm, &sa);
434 unformat_free (line_input);
440 VLIB_CLI_COMMAND (set_ipsec_sa_key_command, static) = {
441 .path = "set ipsec sa",
443 "set ipsec sa <id> crypto-key <key> integ-key <key>",
444 .function = set_ipsec_sa_key_command_fn,
448 static clib_error_t *
449 show_ipsec_command_fn (vlib_main_t * vm,
450 unformat_input_t * input, vlib_cli_command_t * cmd)
455 ipsec_main_t *im = &ipsec_main;
457 ipsec_tunnel_if_t *t;
458 vnet_hw_interface_t *hi;
463 pool_foreach (sa, im->sad, ({
465 vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s%s", sa->id, sa->spi,
466 sa->is_tunnel ? "tunnel" : "transport",
467 sa->protocol ? "esp" : "ah",
468 sa->udp_encap ? " udp-encap-enabled" : "");
469 if (sa->protocol == IPSEC_PROTOCOL_ESP) {
470 vlib_cli_output(vm, " crypto alg %U%s%U integrity alg %U%s%U",
471 format_ipsec_crypto_alg, sa->crypto_alg,
472 sa->crypto_alg ? " key " : "",
473 format_hex_bytes, sa->crypto_key, sa->crypto_key_len,
474 format_ipsec_integ_alg, sa->integ_alg,
475 sa->integ_alg ? " key " : "",
476 format_hex_bytes, sa->integ_key, sa->integ_key_len);
478 if (sa->is_tunnel && sa->is_tunnel_ip6) {
479 vlib_cli_output(vm, " tunnel src %U dst %U",
480 format_ip6_address, &sa->tunnel_src_addr.ip6,
481 format_ip6_address, &sa->tunnel_dst_addr.ip6);
482 } else if (sa->is_tunnel) {
483 vlib_cli_output(vm, " tunnel src %U dst %U",
484 format_ip4_address, &sa->tunnel_src_addr.ip4,
485 format_ip4_address, &sa->tunnel_dst_addr.ip4);
492 pool_foreach (spd, im->spds, ({
493 vlib_cli_output(vm, "spd %u", spd->id);
495 vlib_cli_output(vm, " outbound policies");
496 vec_foreach(i, spd->ipv4_outbound_policies)
498 p = pool_elt_at_index(spd->policies, *i);
499 vec_reset_length(protocol);
500 vec_reset_length(policy);
502 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
504 protocol = format(protocol, "any");
506 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
507 policy = format(policy, " sa %u", p->sa_id);
510 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
511 p->priority, format_ipsec_policy_action, p->policy,
513 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
514 format_ip4_address, &p->laddr.start.ip4,
515 format_ip4_address, &p->laddr.stop.ip4,
516 p->lport.start, p->lport.stop);
517 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
518 format_ip4_address, &p->raddr.start.ip4,
519 format_ip4_address, &p->raddr.stop.ip4,
520 p->rport.start, p->rport.stop);
521 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
524 vec_foreach(i, spd->ipv6_outbound_policies)
526 p = pool_elt_at_index(spd->policies, *i);
527 vec_reset_length(protocol);
528 vec_reset_length(policy);
530 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
532 protocol = format(protocol, "any");
534 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
535 policy = format(policy, " sa %u", p->sa_id);
537 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
538 p->priority, format_ipsec_policy_action, p->policy,
540 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
541 format_ip6_address, &p->laddr.start.ip6,
542 format_ip6_address, &p->laddr.stop.ip6,
543 p->lport.start, p->lport.stop);
544 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
545 format_ip6_address, &p->raddr.start.ip6,
546 format_ip6_address, &p->raddr.stop.ip6,
547 p->rport.start, p->rport.stop);
548 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
551 vlib_cli_output(vm, " inbound policies");
552 vec_foreach(i, spd->ipv4_inbound_protect_policy_indices)
554 p = pool_elt_at_index(spd->policies, *i);
555 vec_reset_length(protocol);
556 vec_reset_length(policy);
558 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
560 protocol = format(protocol, "any");
562 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
563 policy = format(policy, " sa %u", p->sa_id);
565 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
566 p->priority, format_ipsec_policy_action, p->policy,
568 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
569 format_ip4_address, &p->laddr.start.ip4,
570 format_ip4_address, &p->laddr.stop.ip4,
571 p->lport.start, p->lport.stop);
572 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
573 format_ip4_address, &p->raddr.start.ip4,
574 format_ip4_address, &p->raddr.stop.ip4,
575 p->rport.start, p->rport.stop);
576 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
579 vec_foreach(i, spd->ipv4_inbound_policy_discard_and_bypass_indices)
581 p = pool_elt_at_index(spd->policies, *i);
582 vec_reset_length(protocol);
583 vec_reset_length(policy);
585 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
587 protocol = format(protocol, "any");
589 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
590 policy = format(policy, " sa %u", p->sa_id);
592 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
593 p->priority, format_ipsec_policy_action, p->policy,
595 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
596 format_ip4_address, &p->laddr.start.ip4,
597 format_ip4_address, &p->laddr.stop.ip4,
598 p->lport.start, p->lport.stop);
599 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
600 format_ip4_address, &p->raddr.start.ip4,
601 format_ip4_address, &p->raddr.stop.ip4,
602 p->rport.start, p->rport.stop);
603 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
606 vec_foreach(i, spd->ipv6_inbound_protect_policy_indices)
608 p = pool_elt_at_index(spd->policies, *i);
609 vec_reset_length(protocol);
610 vec_reset_length(policy);
612 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
614 protocol = format(protocol, "any");
616 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
617 policy = format(policy, " sa %u", p->sa_id);
619 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
620 p->priority, format_ipsec_policy_action, p->policy,
622 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
623 format_ip6_address, &p->laddr.start.ip6,
624 format_ip6_address, &p->laddr.stop.ip6,
625 p->lport.start, p->lport.stop);
626 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
627 format_ip6_address, &p->raddr.start.ip6,
628 format_ip6_address, &p->raddr.stop.ip6,
629 p->rport.start, p->rport.stop);
630 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
633 vec_foreach(i, spd->ipv6_inbound_policy_discard_and_bypass_indices)
635 p = pool_elt_at_index(spd->policies, *i);
636 vec_reset_length(protocol);
637 vec_reset_length(policy);
639 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
641 protocol = format(protocol, "any");
643 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
644 policy = format(policy, " sa %u", p->sa_id);
646 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
647 p->priority, format_ipsec_policy_action, p->policy,
649 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
650 format_ip6_address, &p->laddr.start.ip6,
651 format_ip6_address, &p->laddr.stop.ip6,
652 p->lport.start, p->lport.stop);
653 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
654 format_ip6_address, &p->raddr.start.ip6,
655 format_ip6_address, &p->raddr.stop.ip6,
656 p->rport.start, p->rport.stop);
657 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
663 vlib_cli_output (vm, "tunnel interfaces");
665 pool_foreach (t, im->tunnel_interfaces, ({
666 if (t->hw_if_index == ~0)
668 hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index);
669 vlib_cli_output(vm, " %s seq", hi->name);
670 sa = pool_elt_at_index(im->sad, t->output_sa_index);
671 vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u udp-encap %u",
672 sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay, sa->udp_encap);
673 vlib_cli_output(vm, " local-spi %u local-ip %U", sa->spi,
674 format_ip4_address, &sa->tunnel_src_addr.ip4);
675 vlib_cli_output(vm, " local-crypto %U %U",
676 format_ipsec_crypto_alg, sa->crypto_alg,
677 format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
678 vlib_cli_output(vm, " local-integrity %U %U",
679 format_ipsec_integ_alg, sa->integ_alg,
680 format_hex_bytes, sa->integ_key, sa->integ_key_len);
681 sa = pool_elt_at_index(im->sad, t->input_sa_index);
682 vlib_cli_output(vm, " last-seq %u last-seq-hi %u esn %u anti-replay %u window %U",
683 sa->last_seq, sa->last_seq_hi, sa->use_esn,
685 format_ipsec_replay_window, sa->replay_window);
686 vlib_cli_output(vm, " remote-spi %u remote-ip %U", sa->spi,
687 format_ip4_address, &sa->tunnel_src_addr.ip4);
688 vlib_cli_output(vm, " remote-crypto %U %U",
689 format_ipsec_crypto_alg, sa->crypto_alg,
690 format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
691 vlib_cli_output(vm, " remote-integrity %U %U",
692 format_ipsec_integ_alg, sa->integ_alg,
693 format_hex_bytes, sa->integ_key, sa->integ_key_len);
702 VLIB_CLI_COMMAND (show_ipsec_command, static) = {
703 .path = "show ipsec",
704 .short_help = "show ipsec [backends]",
705 .function = show_ipsec_command_fn,
709 static clib_error_t *
710 ipsec_show_backends_command_fn (vlib_main_t * vm,
711 unformat_input_t * input,
712 vlib_cli_command_t * cmd)
714 ipsec_main_t *im = &ipsec_main;
717 (void) unformat (input, "verbose %u", &verbose);
719 vlib_cli_output (vm, "IPsec AH backends available:");
720 u8 *s = format (NULL, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
721 ipsec_ah_backend_t *ab;
723 pool_foreach (ab, im->ah_backends, {
724 s = format (s, "%=25s %=25u %=10s\n", ab->name, ab - im->ah_backends,
725 ab - im->ah_backends == im->ah_current_backend ? "yes" : "no");
728 n = vlib_get_node (vm, ab->ah4_encrypt_node_index);
729 s = format (s, " enc4 %s (next %d)\n", n->name, ab->ah4_encrypt_next_index);
730 n = vlib_get_node (vm, ab->ah4_decrypt_node_index);
731 s = format (s, " dec4 %s (next %d)\n", n->name, ab->ah4_decrypt_next_index);
732 n = vlib_get_node (vm, ab->ah6_encrypt_node_index);
733 s = format (s, " enc6 %s (next %d)\n", n->name, ab->ah6_encrypt_next_index);
734 n = vlib_get_node (vm, ab->ah6_decrypt_node_index);
735 s = format (s, " dec6 %s (next %d)\n", n->name, ab->ah6_decrypt_next_index);
739 vlib_cli_output (vm, "%v", s);
741 vlib_cli_output (vm, "IPsec ESP backends available:");
742 s = format (s, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
743 ipsec_esp_backend_t *eb;
745 pool_foreach (eb, im->esp_backends, {
746 s = format (s, "%=25s %=25u %=10s\n", eb->name, eb - im->esp_backends,
747 eb - im->esp_backends == im->esp_current_backend ? "yes"
751 n = vlib_get_node (vm, eb->esp4_encrypt_node_index);
752 s = format (s, " enc4 %s (next %d)\n", n->name, eb->esp4_encrypt_next_index);
753 n = vlib_get_node (vm, eb->esp4_decrypt_node_index);
754 s = format (s, " dec4 %s (next %d)\n", n->name, eb->esp4_decrypt_next_index);
755 n = vlib_get_node (vm, eb->esp6_encrypt_node_index);
756 s = format (s, " enc6 %s (next %d)\n", n->name, eb->esp6_encrypt_next_index);
757 n = vlib_get_node (vm, eb->esp6_decrypt_node_index);
758 s = format (s, " dec6 %s (next %d)\n", n->name, eb->esp6_decrypt_next_index);
762 vlib_cli_output (vm, "%v", s);
769 VLIB_CLI_COMMAND (ipsec_show_backends_command, static) = {
770 .path = "show ipsec backends",
771 .short_help = "show ipsec backends",
772 .function = ipsec_show_backends_command_fn,
776 static clib_error_t *
777 ipsec_select_backend_command_fn (vlib_main_t * vm,
778 unformat_input_t * input,
779 vlib_cli_command_t * cmd)
782 ipsec_main_t *im = &ipsec_main;
784 if (pool_elts (im->sad) > 0)
786 return clib_error_return (0,
787 "Cannot change IPsec backend, while %u SA entries are configured",
788 pool_elts (im->sad));
791 unformat_input_t _line_input, *line_input = &_line_input;
792 /* Get a line of input. */
793 if (!unformat_user (input, unformat_line_input, line_input))
796 if (unformat (line_input, "ah"))
798 if (unformat (line_input, "%u", &backend_index))
800 if (ipsec_select_ah_backend (im, backend_index) < 0)
802 return clib_error_return (0, "Invalid AH backend index `%u'",
808 return clib_error_return (0, "Invalid backend index `%U'",
809 format_unformat_error, line_input);
812 else if (unformat (line_input, "esp"))
814 if (unformat (line_input, "%u", &backend_index))
816 if (ipsec_select_esp_backend (im, backend_index) < 0)
818 return clib_error_return (0, "Invalid ESP backend index `%u'",
824 return clib_error_return (0, "Invalid backend index `%U'",
825 format_unformat_error, line_input);
830 return clib_error_return (0, "Unknown input `%U'",
831 format_unformat_error, line_input);
838 VLIB_CLI_COMMAND (ipsec_select_backend_command, static) = {
839 .path = "ipsec select backend",
840 .short_help = "ipsec select backend <ah|esp> <backend index>",
841 .function = ipsec_select_backend_command_fn,
846 static clib_error_t *
847 clear_ipsec_counters_command_fn (vlib_main_t * vm,
848 unformat_input_t * input,
849 vlib_cli_command_t * cmd)
851 ipsec_main_t *im = &ipsec_main;
856 pool_foreach (spd, im->spds, ({
857 pool_foreach(p, spd->policies, ({
858 p->counter.packets = p->counter.bytes = 0;
867 VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = {
868 .path = "clear ipsec counters",
869 .short_help = "clear ipsec counters",
870 .function = clear_ipsec_counters_command_fn,
874 static clib_error_t *
875 create_ipsec_tunnel_command_fn (vlib_main_t * vm,
876 unformat_input_t * input,
877 vlib_cli_command_t * cmd)
879 unformat_input_t _line_input, *line_input = &_line_input;
880 ipsec_add_del_tunnel_args_t a;
883 clib_error_t *error = NULL;
885 clib_memset (&a, 0, sizeof (a));
888 /* Get a line of input. */
889 if (!unformat_user (input, unformat_line_input, line_input))
892 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
895 (line_input, "local-ip %U", unformat_ip4_address, &a.local_ip))
899 (line_input, "remote-ip %U", unformat_ip4_address, &a.remote_ip))
901 else if (unformat (line_input, "local-spi %u", &a.local_spi))
903 else if (unformat (line_input, "remote-spi %u", &a.remote_spi))
905 else if (unformat (line_input, "instance %u", &a.show_instance))
907 else if (unformat (line_input, "del"))
909 else if (unformat (line_input, "udp-encap"))
913 error = clib_error_return (0, "unknown input `%U'",
914 format_unformat_error, line_input);
921 error = clib_error_return (0, "mandatory argument(s) missing");
925 rv = ipsec_add_del_tunnel_if (&a);
931 case VNET_API_ERROR_INVALID_VALUE:
933 error = clib_error_return (0,
934 "IPSec tunnel interface already exists...");
936 error = clib_error_return (0, "IPSec tunnel interface not exists...");
939 error = clib_error_return (0, "ipsec_register_interface returned %d",
945 unformat_free (line_input);
951 VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
952 .path = "create ipsec tunnel",
953 .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap]",
954 .function = create_ipsec_tunnel_command_fn,
958 static clib_error_t *
959 set_interface_key_command_fn (vlib_main_t * vm,
960 unformat_input_t * input,
961 vlib_cli_command_t * cmd)
963 unformat_input_t _line_input, *line_input = &_line_input;
964 ipsec_main_t *im = &ipsec_main;
965 ipsec_if_set_key_type_t type = IPSEC_IF_SET_KEY_TYPE_NONE;
966 u32 hw_if_index = (u32) ~ 0;
969 clib_error_t *error = NULL;
971 if (!unformat_user (input, unformat_line_input, line_input))
974 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
976 if (unformat (line_input, "%U",
977 unformat_vnet_hw_interface, im->vnet_main, &hw_if_index))
981 (line_input, "local crypto %U", unformat_ipsec_crypto_alg, &alg))
982 type = IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO;
985 (line_input, "remote crypto %U", unformat_ipsec_crypto_alg, &alg))
986 type = IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO;
989 (line_input, "local integ %U", unformat_ipsec_integ_alg, &alg))
990 type = IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG;
993 (line_input, "remote integ %U", unformat_ipsec_integ_alg, &alg))
994 type = IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG;
995 else if (unformat (line_input, "%U", unformat_hex_string, &key))
999 error = clib_error_return (0, "parse error: '%U'",
1000 format_unformat_error, line_input);
1005 if (type == IPSEC_IF_SET_KEY_TYPE_NONE)
1007 error = clib_error_return (0, "unknown key type");
1011 if (alg > 0 && vec_len (key) == 0)
1013 error = clib_error_return (0, "key is not specified");
1017 if (hw_if_index == (u32) ~ 0)
1019 error = clib_error_return (0, "interface not specified");
1023 ipsec_set_interface_key (im->vnet_main, hw_if_index, type, alg, key);
1027 unformat_free (line_input);
1033 VLIB_CLI_COMMAND (set_interface_key_command, static) = {
1034 .path = "set interface ipsec key",
1036 "set interface ipsec key <int> <local|remote> <crypto|integ> <key type> <key>",
1037 .function = set_interface_key_command_fn,
1042 ipsec_cli_init (vlib_main_t * vm)
1047 VLIB_INIT_FUNCTION (ipsec_cli_init);
1051 * fd.io coding-style-patch-verification: ON
1054 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob