2 * decap.c : IPSec tunnel support
4 * Copyright (c) 2015 Cisco and/or its affiliates.
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
9 * http://www.apache.org/licenses/LICENSE-2.0
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/interface.h>
23 #include <vnet/ipsec/ipsec.h>
26 set_interface_spd_command_fn (vlib_main_t * vm,
27 unformat_input_t * input,
28 vlib_cli_command_t * cmd)
30 unformat_input_t _line_input, *line_input = &_line_input;
31 ipsec_main_t *im = &ipsec_main;
32 u32 sw_if_index = (u32) ~ 0;
35 clib_error_t *error = NULL;
37 if (!unformat_user (input, unformat_line_input, line_input))
41 (line_input, "%U %u", unformat_vnet_sw_interface, im->vnet_main,
42 &sw_if_index, &spd_id))
44 else if (unformat (line_input, "del"))
48 error = clib_error_return (0, "parse error: '%U'",
49 format_unformat_error, line_input);
53 ipsec_set_interface_spd (vm, sw_if_index, spd_id, is_add);
56 unformat_free (line_input);
62 VLIB_CLI_COMMAND (set_interface_spd_command, static) = {
63 .path = "set interface ipsec spd",
65 "set interface ipsec spd <int> <id>",
66 .function = set_interface_spd_command_fn,
71 ipsec_sa_add_del_command_fn (vlib_main_t * vm,
72 unformat_input_t * input,
73 vlib_cli_command_t * cmd)
75 ipsec_main_t *im = &ipsec_main;
76 unformat_input_t _line_input, *line_input = &_line_input;
80 clib_error_t *error = NULL;
82 clib_memset (&sa, 0, sizeof (sa));
84 if (!unformat_user (input, unformat_line_input, line_input))
87 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
89 if (unformat (line_input, "add %u", &sa.id))
91 else if (unformat (line_input, "del %u", &sa.id))
93 else if (unformat (line_input, "spi %u", &sa.spi))
95 else if (unformat (line_input, "esp"))
96 sa.protocol = IPSEC_PROTOCOL_ESP;
97 else if (unformat (line_input, "ah"))
99 sa.protocol = IPSEC_PROTOCOL_AH;
102 if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck))
103 sa.crypto_key_len = vec_len (ck);
106 (line_input, "crypto-alg %U", unformat_ipsec_crypto_alg,
109 if (sa.crypto_alg < IPSEC_CRYPTO_ALG_NONE ||
110 sa.crypto_alg >= IPSEC_CRYPTO_N_ALG)
112 error = clib_error_return (0, "unsupported crypto-alg: '%U'",
113 format_ipsec_crypto_alg,
119 if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik))
120 sa.integ_key_len = vec_len (ik);
121 else if (unformat (line_input, "integ-alg %U", unformat_ipsec_integ_alg,
124 if (sa.integ_alg < IPSEC_INTEG_ALG_NONE ||
125 sa.integ_alg >= IPSEC_INTEG_N_ALG)
127 error = clib_error_return (0, "unsupported integ-alg: '%U'",
128 format_ipsec_integ_alg,
133 else if (unformat (line_input, "tunnel-src %U",
134 unformat_ip4_address, &sa.tunnel_src_addr.ip4))
136 else if (unformat (line_input, "tunnel-dst %U",
137 unformat_ip4_address, &sa.tunnel_dst_addr.ip4))
139 else if (unformat (line_input, "tunnel-src %U",
140 unformat_ip6_address, &sa.tunnel_src_addr.ip6))
143 sa.is_tunnel_ip6 = 1;
145 else if (unformat (line_input, "tunnel-dst %U",
146 unformat_ip6_address, &sa.tunnel_dst_addr.ip6))
149 sa.is_tunnel_ip6 = 1;
151 else if (unformat (line_input, "udp-encap"))
157 error = clib_error_return (0, "parse error: '%U'",
158 format_unformat_error, line_input);
163 if (sa.crypto_key_len > sizeof (sa.crypto_key))
164 sa.crypto_key_len = sizeof (sa.crypto_key);
166 if (sa.integ_key_len > sizeof (sa.integ_key))
167 sa.integ_key_len = sizeof (sa.integ_key);
170 memcpy (sa.crypto_key, ck, sa.crypto_key_len);
173 memcpy (sa.integ_key, ik, sa.integ_key_len);
177 error = ipsec_check_support_cb (im, &sa);
182 ipsec_add_del_sa (vm, &sa, is_add);
185 unformat_free (line_input);
191 VLIB_CLI_COMMAND (ipsec_sa_add_del_command, static) = {
194 "ipsec sa [add|del]",
195 .function = ipsec_sa_add_del_command_fn,
199 static clib_error_t *
200 ipsec_spd_add_del_command_fn (vlib_main_t * vm,
201 unformat_input_t * input,
202 vlib_cli_command_t * cmd)
204 unformat_input_t _line_input, *line_input = &_line_input;
207 clib_error_t *error = NULL;
209 if (!unformat_user (input, unformat_line_input, line_input))
212 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
214 if (unformat (line_input, "add"))
216 else if (unformat (line_input, "del"))
218 else if (unformat (line_input, "%u", &spd_id))
222 error = clib_error_return (0, "parse error: '%U'",
223 format_unformat_error, line_input);
230 error = clib_error_return (0, "please specify SPD ID");
234 ipsec_add_del_spd (vm, spd_id, is_add);
237 unformat_free (line_input);
243 VLIB_CLI_COMMAND (ipsec_spd_add_del_command, static) = {
246 "ipsec spd [add|del] <id>",
247 .function = ipsec_spd_add_del_command_fn,
252 static clib_error_t *
253 ipsec_policy_add_del_command_fn (vlib_main_t * vm,
254 unformat_input_t * input,
255 vlib_cli_command_t * cmd)
257 unformat_input_t _line_input, *line_input = &_line_input;
262 clib_error_t *error = NULL;
264 clib_memset (&p, 0, sizeof (p));
265 p.lport.stop = p.rport.stop = ~0;
266 p.laddr.stop.ip4.as_u32 = p.raddr.stop.ip4.as_u32 = (u32) ~ 0;
267 p.laddr.stop.ip6.as_u64[0] = p.laddr.stop.ip6.as_u64[1] = (u64) ~ 0;
268 p.raddr.stop.ip6.as_u64[0] = p.raddr.stop.ip6.as_u64[1] = (u64) ~ 0;
270 if (!unformat_user (input, unformat_line_input, line_input))
273 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
275 if (unformat (line_input, "add"))
277 else if (unformat (line_input, "del"))
279 else if (unformat (line_input, "spd %u", &p.id))
281 else if (unformat (line_input, "inbound"))
283 else if (unformat (line_input, "outbound"))
285 else if (unformat (line_input, "priority %d", &p.priority))
287 else if (unformat (line_input, "protocol %u", &tmp))
288 p.protocol = (u8) tmp;
291 (line_input, "action %U", unformat_ipsec_policy_action,
294 if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
296 error = clib_error_return (0, "unsupported action: 'resolve'");
300 else if (unformat (line_input, "sa %u", &p.sa_id))
302 else if (unformat (line_input, "local-ip-range %U - %U",
303 unformat_ip4_address, &p.laddr.start.ip4,
304 unformat_ip4_address, &p.laddr.stop.ip4))
306 else if (unformat (line_input, "remote-ip-range %U - %U",
307 unformat_ip4_address, &p.raddr.start.ip4,
308 unformat_ip4_address, &p.raddr.stop.ip4))
310 else if (unformat (line_input, "local-ip-range %U - %U",
311 unformat_ip6_address, &p.laddr.start.ip6,
312 unformat_ip6_address, &p.laddr.stop.ip6))
317 else if (unformat (line_input, "remote-ip-range %U - %U",
318 unformat_ip6_address, &p.raddr.start.ip6,
319 unformat_ip6_address, &p.raddr.stop.ip6))
324 else if (unformat (line_input, "local-port-range %u - %u", &tmp, &tmp2))
330 if (unformat (line_input, "remote-port-range %u - %u", &tmp, &tmp2))
337 error = clib_error_return (0, "parse error: '%U'",
338 format_unformat_error, line_input);
343 /* Check if SA is for IPv6/AH which is not supported. Return error if TRUE. */
347 ipsec_main_t *im = &ipsec_main;
349 p1 = hash_get (im->sa_index_by_sa_id, p.sa_id);
353 clib_error_return (0, "SA with index %u not found", p.sa_id);
356 sa = pool_elt_at_index (im->sad, p1[0]);
357 if (sa && sa->protocol == IPSEC_PROTOCOL_AH && is_add && p.is_ipv6)
359 error = clib_error_return (0, "AH not supported for IPV6: '%U'",
360 format_unformat_error, line_input);
364 ipsec_add_del_policy (vm, &p, is_add);
368 ipsec_add_del_policy (vm, &p, is_add);
372 unformat_free (line_input);
378 VLIB_CLI_COMMAND (ipsec_policy_add_del_command, static) = {
379 .path = "ipsec policy",
381 "ipsec policy [add|del] spd <id> priority <n> ",
382 .function = ipsec_policy_add_del_command_fn,
386 static clib_error_t *
387 set_ipsec_sa_key_command_fn (vlib_main_t * vm,
388 unformat_input_t * input,
389 vlib_cli_command_t * cmd)
391 unformat_input_t _line_input, *line_input = &_line_input;
394 clib_error_t *error = NULL;
396 clib_memset (&sa, 0, sizeof (sa));
398 if (!unformat_user (input, unformat_line_input, line_input))
401 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
403 if (unformat (line_input, "%u", &sa.id))
406 if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck))
407 sa.crypto_key_len = vec_len (ck);
409 if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik))
410 sa.integ_key_len = vec_len (ik);
413 error = clib_error_return (0, "parse error: '%U'",
414 format_unformat_error, line_input);
419 if (sa.crypto_key_len > sizeof (sa.crypto_key))
420 sa.crypto_key_len = sizeof (sa.crypto_key);
422 if (sa.integ_key_len > sizeof (sa.integ_key))
423 sa.integ_key_len = sizeof (sa.integ_key);
426 strncpy ((char *) sa.crypto_key, (char *) ck, sa.crypto_key_len);
429 strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len);
431 ipsec_set_sa_key (vm, &sa);
434 unformat_free (line_input);
440 VLIB_CLI_COMMAND (set_ipsec_sa_key_command, static) = {
441 .path = "set ipsec sa",
443 "set ipsec sa <id> crypto-key <key> integ-key <key>",
444 .function = set_ipsec_sa_key_command_fn,
448 static clib_error_t *
449 show_ipsec_command_fn (vlib_main_t * vm,
450 unformat_input_t * input, vlib_cli_command_t * cmd)
455 ipsec_main_t *im = &ipsec_main;
457 ipsec_tunnel_if_t *t;
458 vnet_hw_interface_t *hi;
463 pool_foreach (sa, im->sad, ({
465 vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s%s%s%s", sa->id, sa->spi,
466 sa->is_tunnel ? "tunnel" : "transport",
467 sa->protocol ? "esp" : "ah",
468 sa->udp_encap ? " udp-encap-enabled" : "",
469 sa->use_anti_replay ? " anti-replay" : "",
470 sa->use_esn ? " extended-sequence-number" : "");
471 if (sa->protocol == IPSEC_PROTOCOL_ESP) {
472 vlib_cli_output(vm, " crypto alg %U%s%U integrity alg %U%s%U",
473 format_ipsec_crypto_alg, sa->crypto_alg,
474 sa->crypto_alg ? " key " : "",
475 format_hex_bytes, sa->crypto_key, sa->crypto_key_len,
476 format_ipsec_integ_alg, sa->integ_alg,
477 sa->integ_alg ? " key " : "",
478 format_hex_bytes, sa->integ_key, sa->integ_key_len);
480 if (sa->is_tunnel && sa->is_tunnel_ip6) {
481 vlib_cli_output(vm, " tunnel src %U dst %U",
482 format_ip6_address, &sa->tunnel_src_addr.ip6,
483 format_ip6_address, &sa->tunnel_dst_addr.ip6);
484 } else if (sa->is_tunnel) {
485 vlib_cli_output(vm, " tunnel src %U dst %U",
486 format_ip4_address, &sa->tunnel_src_addr.ip4,
487 format_ip4_address, &sa->tunnel_dst_addr.ip4);
494 pool_foreach (spd, im->spds, ({
495 vlib_cli_output(vm, "spd %u", spd->id);
497 vlib_cli_output(vm, " outbound policies");
498 vec_foreach(i, spd->ipv4_outbound_policies)
500 p = pool_elt_at_index(spd->policies, *i);
501 vec_reset_length(protocol);
502 vec_reset_length(policy);
504 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
506 protocol = format(protocol, "any");
508 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
509 policy = format(policy, " sa %u", p->sa_id);
512 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
513 p->priority, format_ipsec_policy_action, p->policy,
515 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
516 format_ip4_address, &p->laddr.start.ip4,
517 format_ip4_address, &p->laddr.stop.ip4,
518 p->lport.start, p->lport.stop);
519 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
520 format_ip4_address, &p->raddr.start.ip4,
521 format_ip4_address, &p->raddr.stop.ip4,
522 p->rport.start, p->rport.stop);
523 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
526 vec_foreach(i, spd->ipv6_outbound_policies)
528 p = pool_elt_at_index(spd->policies, *i);
529 vec_reset_length(protocol);
530 vec_reset_length(policy);
532 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
534 protocol = format(protocol, "any");
536 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
537 policy = format(policy, " sa %u", p->sa_id);
539 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
540 p->priority, format_ipsec_policy_action, p->policy,
542 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
543 format_ip6_address, &p->laddr.start.ip6,
544 format_ip6_address, &p->laddr.stop.ip6,
545 p->lport.start, p->lport.stop);
546 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
547 format_ip6_address, &p->raddr.start.ip6,
548 format_ip6_address, &p->raddr.stop.ip6,
549 p->rport.start, p->rport.stop);
550 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
553 vlib_cli_output(vm, " inbound policies");
554 vec_foreach(i, spd->ipv4_inbound_protect_policy_indices)
556 p = pool_elt_at_index(spd->policies, *i);
557 vec_reset_length(protocol);
558 vec_reset_length(policy);
560 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
562 protocol = format(protocol, "any");
564 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
565 policy = format(policy, " sa %u", p->sa_id);
567 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
568 p->priority, format_ipsec_policy_action, p->policy,
570 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
571 format_ip4_address, &p->laddr.start.ip4,
572 format_ip4_address, &p->laddr.stop.ip4,
573 p->lport.start, p->lport.stop);
574 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
575 format_ip4_address, &p->raddr.start.ip4,
576 format_ip4_address, &p->raddr.stop.ip4,
577 p->rport.start, p->rport.stop);
578 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
581 vec_foreach(i, spd->ipv4_inbound_policy_discard_and_bypass_indices)
583 p = pool_elt_at_index(spd->policies, *i);
584 vec_reset_length(protocol);
585 vec_reset_length(policy);
587 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
589 protocol = format(protocol, "any");
591 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
592 policy = format(policy, " sa %u", p->sa_id);
594 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
595 p->priority, format_ipsec_policy_action, p->policy,
597 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
598 format_ip4_address, &p->laddr.start.ip4,
599 format_ip4_address, &p->laddr.stop.ip4,
600 p->lport.start, p->lport.stop);
601 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
602 format_ip4_address, &p->raddr.start.ip4,
603 format_ip4_address, &p->raddr.stop.ip4,
604 p->rport.start, p->rport.stop);
605 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
608 vec_foreach(i, spd->ipv6_inbound_protect_policy_indices)
610 p = pool_elt_at_index(spd->policies, *i);
611 vec_reset_length(protocol);
612 vec_reset_length(policy);
614 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
616 protocol = format(protocol, "any");
618 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
619 policy = format(policy, " sa %u", p->sa_id);
621 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
622 p->priority, format_ipsec_policy_action, p->policy,
624 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
625 format_ip6_address, &p->laddr.start.ip6,
626 format_ip6_address, &p->laddr.stop.ip6,
627 p->lport.start, p->lport.stop);
628 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
629 format_ip6_address, &p->raddr.start.ip6,
630 format_ip6_address, &p->raddr.stop.ip6,
631 p->rport.start, p->rport.stop);
632 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
635 vec_foreach(i, spd->ipv6_inbound_policy_discard_and_bypass_indices)
637 p = pool_elt_at_index(spd->policies, *i);
638 vec_reset_length(protocol);
639 vec_reset_length(policy);
641 protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
643 protocol = format(protocol, "any");
645 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
646 policy = format(policy, " sa %u", p->sa_id);
648 vlib_cli_output(vm, " priority %d action %U protocol %v%v",
649 p->priority, format_ipsec_policy_action, p->policy,
651 vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
652 format_ip6_address, &p->laddr.start.ip6,
653 format_ip6_address, &p->laddr.stop.ip6,
654 p->lport.start, p->lport.stop);
655 vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
656 format_ip6_address, &p->raddr.start.ip6,
657 format_ip6_address, &p->raddr.stop.ip6,
658 p->rport.start, p->rport.stop);
659 vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
665 vlib_cli_output (vm, "tunnel interfaces");
667 pool_foreach (t, im->tunnel_interfaces, ({
668 if (t->hw_if_index == ~0)
670 hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index);
671 vlib_cli_output(vm, " %s seq", hi->name);
672 sa = pool_elt_at_index(im->sad, t->output_sa_index);
673 vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u udp-encap %u",
674 sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay, sa->udp_encap);
675 vlib_cli_output(vm, " local-spi %u local-ip %U", sa->spi,
676 format_ip4_address, &sa->tunnel_src_addr.ip4);
677 vlib_cli_output(vm, " local-crypto %U %U",
678 format_ipsec_crypto_alg, sa->crypto_alg,
679 format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
680 vlib_cli_output(vm, " local-integrity %U %U",
681 format_ipsec_integ_alg, sa->integ_alg,
682 format_hex_bytes, sa->integ_key, sa->integ_key_len);
683 sa = pool_elt_at_index(im->sad, t->input_sa_index);
684 vlib_cli_output(vm, " last-seq %u last-seq-hi %u esn %u anti-replay %u window %U",
685 sa->last_seq, sa->last_seq_hi, sa->use_esn,
687 format_ipsec_replay_window, sa->replay_window);
688 vlib_cli_output(vm, " remote-spi %u remote-ip %U", sa->spi,
689 format_ip4_address, &sa->tunnel_src_addr.ip4);
690 vlib_cli_output(vm, " remote-crypto %U %U",
691 format_ipsec_crypto_alg, sa->crypto_alg,
692 format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
693 vlib_cli_output(vm, " remote-integrity %U %U",
694 format_ipsec_integ_alg, sa->integ_alg,
695 format_hex_bytes, sa->integ_key, sa->integ_key_len);
704 VLIB_CLI_COMMAND (show_ipsec_command, static) = {
705 .path = "show ipsec",
706 .short_help = "show ipsec [backends]",
707 .function = show_ipsec_command_fn,
711 static clib_error_t *
712 ipsec_show_backends_command_fn (vlib_main_t * vm,
713 unformat_input_t * input,
714 vlib_cli_command_t * cmd)
716 ipsec_main_t *im = &ipsec_main;
719 (void) unformat (input, "verbose %u", &verbose);
721 vlib_cli_output (vm, "IPsec AH backends available:");
722 u8 *s = format (NULL, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
723 ipsec_ah_backend_t *ab;
725 pool_foreach (ab, im->ah_backends, {
726 s = format (s, "%=25s %=25u %=10s\n", ab->name, ab - im->ah_backends,
727 ab - im->ah_backends == im->ah_current_backend ? "yes" : "no");
730 n = vlib_get_node (vm, ab->ah4_encrypt_node_index);
731 s = format (s, " enc4 %s (next %d)\n", n->name, ab->ah4_encrypt_next_index);
732 n = vlib_get_node (vm, ab->ah4_decrypt_node_index);
733 s = format (s, " dec4 %s (next %d)\n", n->name, ab->ah4_decrypt_next_index);
734 n = vlib_get_node (vm, ab->ah6_encrypt_node_index);
735 s = format (s, " enc6 %s (next %d)\n", n->name, ab->ah6_encrypt_next_index);
736 n = vlib_get_node (vm, ab->ah6_decrypt_node_index);
737 s = format (s, " dec6 %s (next %d)\n", n->name, ab->ah6_decrypt_next_index);
741 vlib_cli_output (vm, "%v", s);
743 vlib_cli_output (vm, "IPsec ESP backends available:");
744 s = format (s, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
745 ipsec_esp_backend_t *eb;
747 pool_foreach (eb, im->esp_backends, {
748 s = format (s, "%=25s %=25u %=10s\n", eb->name, eb - im->esp_backends,
749 eb - im->esp_backends == im->esp_current_backend ? "yes"
753 n = vlib_get_node (vm, eb->esp4_encrypt_node_index);
754 s = format (s, " enc4 %s (next %d)\n", n->name, eb->esp4_encrypt_next_index);
755 n = vlib_get_node (vm, eb->esp4_decrypt_node_index);
756 s = format (s, " dec4 %s (next %d)\n", n->name, eb->esp4_decrypt_next_index);
757 n = vlib_get_node (vm, eb->esp6_encrypt_node_index);
758 s = format (s, " enc6 %s (next %d)\n", n->name, eb->esp6_encrypt_next_index);
759 n = vlib_get_node (vm, eb->esp6_decrypt_node_index);
760 s = format (s, " dec6 %s (next %d)\n", n->name, eb->esp6_decrypt_next_index);
764 vlib_cli_output (vm, "%v", s);
771 VLIB_CLI_COMMAND (ipsec_show_backends_command, static) = {
772 .path = "show ipsec backends",
773 .short_help = "show ipsec backends",
774 .function = ipsec_show_backends_command_fn,
778 static clib_error_t *
779 ipsec_select_backend_command_fn (vlib_main_t * vm,
780 unformat_input_t * input,
781 vlib_cli_command_t * cmd)
784 ipsec_main_t *im = &ipsec_main;
786 if (pool_elts (im->sad) > 0)
788 return clib_error_return (0,
789 "Cannot change IPsec backend, while %u SA entries are configured",
790 pool_elts (im->sad));
793 unformat_input_t _line_input, *line_input = &_line_input;
794 /* Get a line of input. */
795 if (!unformat_user (input, unformat_line_input, line_input))
798 if (unformat (line_input, "ah"))
800 if (unformat (line_input, "%u", &backend_index))
802 if (ipsec_select_ah_backend (im, backend_index) < 0)
804 return clib_error_return (0, "Invalid AH backend index `%u'",
810 return clib_error_return (0, "Invalid backend index `%U'",
811 format_unformat_error, line_input);
814 else if (unformat (line_input, "esp"))
816 if (unformat (line_input, "%u", &backend_index))
818 if (ipsec_select_esp_backend (im, backend_index) < 0)
820 return clib_error_return (0, "Invalid ESP backend index `%u'",
826 return clib_error_return (0, "Invalid backend index `%U'",
827 format_unformat_error, line_input);
832 return clib_error_return (0, "Unknown input `%U'",
833 format_unformat_error, line_input);
840 VLIB_CLI_COMMAND (ipsec_select_backend_command, static) = {
841 .path = "ipsec select backend",
842 .short_help = "ipsec select backend <ah|esp> <backend index>",
843 .function = ipsec_select_backend_command_fn,
848 static clib_error_t *
849 clear_ipsec_counters_command_fn (vlib_main_t * vm,
850 unformat_input_t * input,
851 vlib_cli_command_t * cmd)
853 ipsec_main_t *im = &ipsec_main;
858 pool_foreach (spd, im->spds, ({
859 pool_foreach(p, spd->policies, ({
860 p->counter.packets = p->counter.bytes = 0;
869 VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = {
870 .path = "clear ipsec counters",
871 .short_help = "clear ipsec counters",
872 .function = clear_ipsec_counters_command_fn,
876 static clib_error_t *
877 create_ipsec_tunnel_command_fn (vlib_main_t * vm,
878 unformat_input_t * input,
879 vlib_cli_command_t * cmd)
881 unformat_input_t _line_input, *line_input = &_line_input;
882 ipsec_add_del_tunnel_args_t a;
885 clib_error_t *error = NULL;
887 clib_memset (&a, 0, sizeof (a));
890 /* Get a line of input. */
891 if (!unformat_user (input, unformat_line_input, line_input))
894 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
897 (line_input, "local-ip %U", unformat_ip4_address, &a.local_ip))
901 (line_input, "remote-ip %U", unformat_ip4_address, &a.remote_ip))
903 else if (unformat (line_input, "local-spi %u", &a.local_spi))
905 else if (unformat (line_input, "remote-spi %u", &a.remote_spi))
907 else if (unformat (line_input, "instance %u", &a.show_instance))
909 else if (unformat (line_input, "del"))
911 else if (unformat (line_input, "udp-encap"))
915 error = clib_error_return (0, "unknown input `%U'",
916 format_unformat_error, line_input);
923 error = clib_error_return (0, "mandatory argument(s) missing");
927 rv = ipsec_add_del_tunnel_if (&a);
933 case VNET_API_ERROR_INVALID_VALUE:
935 error = clib_error_return (0,
936 "IPSec tunnel interface already exists...");
938 error = clib_error_return (0, "IPSec tunnel interface not exists...");
941 error = clib_error_return (0, "ipsec_register_interface returned %d",
947 unformat_free (line_input);
953 VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
954 .path = "create ipsec tunnel",
955 .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap]",
956 .function = create_ipsec_tunnel_command_fn,
960 static clib_error_t *
961 set_interface_key_command_fn (vlib_main_t * vm,
962 unformat_input_t * input,
963 vlib_cli_command_t * cmd)
965 unformat_input_t _line_input, *line_input = &_line_input;
966 ipsec_main_t *im = &ipsec_main;
967 ipsec_if_set_key_type_t type = IPSEC_IF_SET_KEY_TYPE_NONE;
968 u32 hw_if_index = (u32) ~ 0;
971 clib_error_t *error = NULL;
973 if (!unformat_user (input, unformat_line_input, line_input))
976 while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
978 if (unformat (line_input, "%U",
979 unformat_vnet_hw_interface, im->vnet_main, &hw_if_index))
983 (line_input, "local crypto %U", unformat_ipsec_crypto_alg, &alg))
984 type = IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO;
987 (line_input, "remote crypto %U", unformat_ipsec_crypto_alg, &alg))
988 type = IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO;
991 (line_input, "local integ %U", unformat_ipsec_integ_alg, &alg))
992 type = IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG;
995 (line_input, "remote integ %U", unformat_ipsec_integ_alg, &alg))
996 type = IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG;
997 else if (unformat (line_input, "%U", unformat_hex_string, &key))
1001 error = clib_error_return (0, "parse error: '%U'",
1002 format_unformat_error, line_input);
1007 if (type == IPSEC_IF_SET_KEY_TYPE_NONE)
1009 error = clib_error_return (0, "unknown key type");
1013 if (alg > 0 && vec_len (key) == 0)
1015 error = clib_error_return (0, "key is not specified");
1019 if (hw_if_index == (u32) ~ 0)
1021 error = clib_error_return (0, "interface not specified");
1025 ipsec_set_interface_key (im->vnet_main, hw_if_index, type, alg, key);
1029 unformat_free (line_input);
1035 VLIB_CLI_COMMAND (set_interface_key_command, static) = {
1036 .path = "set interface ipsec key",
1038 "set interface ipsec key <int> <local|remote> <crypto|integ> <key type> <key>",
1039 .function = set_interface_key_command_fn,
1044 ipsec_cli_init (vlib_main_t * vm)
1049 VLIB_INIT_FUNCTION (ipsec_cli_init);
1053 * fd.io coding-style-patch-verification: ON
1056 * eval: (c-set-style "gnu")
Code Review / vpp.git / blob