#include <vnet/api_errno.h>
#include <vnet/ip/ip.h>
#include <vnet/interface.h>
+#include <vnet/fib/fib.h>
#include <vnet/ipsec/ipsec.h>
u8 *ck = 0, *ik = 0;
clib_error_t *error = NULL;
- memset (&sa, 0, sizeof (sa));
+ clib_memset (&sa, 0, sizeof (sa));
+ sa.tx_fib_index = ~((u32) 0); /* Only supported for ipsec interfaces */
if (!unformat_user (input, unformat_line_input, line_input))
return 0;
sa.is_tunnel = 1;
sa.is_tunnel_ip6 = 1;
}
+ else if (unformat (line_input, "udp-encap"))
+ {
+ sa.udp_encap = 1;
+ }
else
{
error = clib_error_return (0, "parse error: '%U'",
sa.integ_key_len = sizeof (sa.integ_key);
if (ck)
- strncpy ((char *) sa.crypto_key, (char *) ck, sa.crypto_key_len);
+ memcpy (sa.crypto_key, ck, sa.crypto_key_len);
if (ik)
- strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len);
+ memcpy (sa.integ_key, ik, sa.integ_key_len);
if (is_add)
{
- ASSERT (im->cb.check_support_cb);
- error = im->cb.check_support_cb (&sa);
+ error = ipsec_check_support_cb (im, &sa);
if (error)
goto done;
}
- ipsec_add_del_sa (vm, &sa, is_add, 0 /* enable nat traversal */ );
+ ipsec_add_del_sa (vm, &sa, is_add);
done:
unformat_free (line_input);
{
unformat_input_t _line_input, *line_input = &_line_input;
ipsec_policy_t p;
- int is_add = 0;
- int is_ip_any = 1;
- u32 tmp, tmp2;
+ int rv, is_add = 0;
+ u32 tmp, tmp2, stat_index;
clib_error_t *error = NULL;
- memset (&p, 0, sizeof (p));
+ clib_memset (&p, 0, sizeof (p));
p.lport.stop = p.rport.stop = ~0;
p.laddr.stop.ip4.as_u32 = p.raddr.stop.ip4.as_u32 = (u32) ~ 0;
p.laddr.stop.ip6.as_u64[0] = p.laddr.stop.ip6.as_u64[1] = (u64) ~ 0;
else if (unformat (line_input, "local-ip-range %U - %U",
unformat_ip4_address, &p.laddr.start.ip4,
unformat_ip4_address, &p.laddr.stop.ip4))
- is_ip_any = 0;
+ ;
else if (unformat (line_input, "remote-ip-range %U - %U",
unformat_ip4_address, &p.raddr.start.ip4,
unformat_ip4_address, &p.raddr.stop.ip4))
- is_ip_any = 0;
+ ;
else if (unformat (line_input, "local-ip-range %U - %U",
unformat_ip6_address, &p.laddr.start.ip6,
unformat_ip6_address, &p.laddr.stop.ip6))
{
p.is_ipv6 = 1;
- is_ip_any = 0;
}
else if (unformat (line_input, "remote-ip-range %U - %U",
unformat_ip6_address, &p.raddr.start.ip6,
unformat_ip6_address, &p.raddr.stop.ip6))
{
p.is_ipv6 = 1;
- is_ip_any = 0;
}
else if (unformat (line_input, "local-port-range %u - %u", &tmp, &tmp2))
{
goto done;
}
}
- ipsec_add_del_policy (vm, &p, is_add);
- if (is_ip_any)
- {
- p.is_ipv6 = 1;
- ipsec_add_del_policy (vm, &p, is_add);
- }
+ rv = ipsec_add_del_policy (vm, &p, is_add, &stat_index);
+
+ if (!rv)
+ vlib_cli_output (vm, "policy-index:%d", stat_index);
+ else
+ vlib_cli_output (vm, "error:%d", rv);
done:
unformat_free (line_input);
u8 *ck = 0, *ik = 0;
clib_error_t *error = NULL;
- memset (&sa, 0, sizeof (sa));
+ clib_memset (&sa, 0, sizeof (sa));
if (!unformat_user (input, unformat_line_input, line_input))
return 0;
show_ipsec_command_fn (vlib_main_t * vm,
unformat_input_t * input, vlib_cli_command_t * cmd)
{
- ipsec_spd_t *spd;
ipsec_sa_t *sa;
- ipsec_policy_t *p;
ipsec_main_t *im = &ipsec_main;
- u32 *i;
+ u32 i;
ipsec_tunnel_if_t *t;
vnet_hw_interface_t *hi;
u8 *protocol = NULL;
u8 *policy = NULL;
+ u32 tx_table_id, spd_id, sw_if_index;
/* *INDENT-OFF* */
pool_foreach (sa, im->sad, ({
if (sa->id) {
- vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s%s", sa->id, sa->spi,
+ vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s%s%s%s", sa->id, sa->spi,
sa->is_tunnel ? "tunnel" : "transport",
sa->protocol ? "esp" : "ah",
- sa->udp_encap ? " udp-encap-enabled" : "");
+ sa->udp_encap ? " udp-encap-enabled" : "",
+ sa->use_anti_replay ? " anti-replay" : "",
+ sa->use_esn ? " extended-sequence-number" : "");
if (sa->protocol == IPSEC_PROTOCOL_ESP) {
vlib_cli_output(vm, " crypto alg %U%s%U integrity alg %U%s%U",
format_ipsec_crypto_alg, sa->crypto_alg,
/* *INDENT-ON* */
/* *INDENT-OFF* */
- pool_foreach (spd, im->spds, ({
- vlib_cli_output(vm, "spd %u", spd->id);
-
- vlib_cli_output(vm, " outbound policies");
- vec_foreach(i, spd->ipv4_outbound_policies)
- {
- p = pool_elt_at_index(spd->policies, *i);
- vec_reset_length(protocol);
- vec_reset_length(policy);
- if (p->protocol) {
- protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
- } else {
- protocol = format(protocol, "any");
- }
- if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
- policy = format(policy, " sa %u", p->sa_id);
- }
+ pool_foreach_index (i, im->spds, ({
+ vlib_cli_output(vm, "%U", format_ipsec_spd, i);
+ }));
+ /* *INDENT-ON* */
- vlib_cli_output(vm, " priority %d action %U protocol %v%v",
- p->priority, format_ipsec_policy_action, p->policy,
- protocol, policy);
- vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
- format_ip4_address, &p->laddr.start.ip4,
- format_ip4_address, &p->laddr.stop.ip4,
- p->lport.start, p->lport.stop);
- vlib_cli_output(vm, " remte addr range %U - %U port range %u - %u",
- format_ip4_address, &p->raddr.start.ip4,
- format_ip4_address, &p->raddr.stop.ip4,
- p->rport.start, p->rport.stop);
- vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
- p->counter.bytes);
- };
- vec_foreach(i, spd->ipv6_outbound_policies)
- {
- p = pool_elt_at_index(spd->policies, *i);
- vec_reset_length(protocol);
- vec_reset_length(policy);
- if (p->protocol) {
- protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
- } else {
- protocol = format(protocol, "any");
- }
- if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
- policy = format(policy, " sa %u", p->sa_id);
- }
- vlib_cli_output(vm, " priority %d action %U protocol %v%v",
- p->priority, format_ipsec_policy_action, p->policy,
- protocol, policy);
- vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
- format_ip6_address, &p->laddr.start.ip6,
- format_ip6_address, &p->laddr.stop.ip6,
- p->lport.start, p->lport.stop);
- vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
- format_ip6_address, &p->raddr.start.ip6,
- format_ip6_address, &p->raddr.stop.ip6,
- p->rport.start, p->rport.stop);
- vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
- p->counter.bytes);
- };
- vlib_cli_output(vm, " inbound policies");
- vec_foreach(i, spd->ipv4_inbound_protect_policy_indices)
- {
- p = pool_elt_at_index(spd->policies, *i);
- vec_reset_length(protocol);
- vec_reset_length(policy);
- if (p->protocol) {
- protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
- } else {
- protocol = format(protocol, "any");
- }
- if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
- policy = format(policy, " sa %u", p->sa_id);
- }
- vlib_cli_output(vm, " priority %d action %U protocol %v%v",
- p->priority, format_ipsec_policy_action, p->policy,
- protocol, policy);
- vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
- format_ip4_address, &p->laddr.start.ip4,
- format_ip4_address, &p->laddr.stop.ip4,
- p->lport.start, p->lport.stop);
- vlib_cli_output(vm, " remte addr range %U - %U port range %u - %u",
- format_ip4_address, &p->raddr.start.ip4,
- format_ip4_address, &p->raddr.stop.ip4,
- p->rport.start, p->rport.stop);
- vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
- p->counter.bytes);
- };
- vec_foreach(i, spd->ipv4_inbound_policy_discard_and_bypass_indices)
- {
- p = pool_elt_at_index(spd->policies, *i);
- vec_reset_length(protocol);
- vec_reset_length(policy);
- if (p->protocol) {
- protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
- } else {
- protocol = format(protocol, "any");
- }
- if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
- policy = format(policy, " sa %u", p->sa_id);
- }
- vlib_cli_output(vm, " priority %d action %U protocol %v%v",
- p->priority, format_ipsec_policy_action, p->policy,
- protocol, policy);
- vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
- format_ip4_address, &p->laddr.start.ip4,
- format_ip4_address, &p->laddr.stop.ip4,
- p->lport.start, p->lport.stop);
- vlib_cli_output(vm, " remte addr range %U - %U port range %u - %u",
- format_ip4_address, &p->raddr.start.ip4,
- format_ip4_address, &p->raddr.stop.ip4,
- p->rport.start, p->rport.stop);
- vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
- p->counter.bytes);
- };
- vec_foreach(i, spd->ipv6_inbound_protect_policy_indices)
- {
- p = pool_elt_at_index(spd->policies, *i);
- vec_reset_length(protocol);
- vec_reset_length(policy);
- if (p->protocol) {
- protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
- } else {
- protocol = format(protocol, "any");
- }
- if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
- policy = format(policy, " sa %u", p->sa_id);
- }
- vlib_cli_output(vm, " priority %d action %U protocol %v%v",
- p->priority, format_ipsec_policy_action, p->policy,
- protocol, policy);
- vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
- format_ip6_address, &p->laddr.start.ip6,
- format_ip6_address, &p->laddr.stop.ip6,
- p->lport.start, p->lport.stop);
- vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
- format_ip6_address, &p->raddr.start.ip6,
- format_ip6_address, &p->raddr.stop.ip6,
- p->rport.start, p->rport.stop);
- vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
- p->counter.bytes);
- };
- vec_foreach(i, spd->ipv6_inbound_policy_discard_and_bypass_indices)
- {
- p = pool_elt_at_index(spd->policies, *i);
- vec_reset_length(protocol);
- vec_reset_length(policy);
- if (p->protocol) {
- protocol = format(protocol, "%U", format_ip_protocol, p->protocol);
- } else {
- protocol = format(protocol, "any");
- }
- if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
- policy = format(policy, " sa %u", p->sa_id);
- }
- vlib_cli_output(vm, " priority %d action %U protocol %v%v",
- p->priority, format_ipsec_policy_action, p->policy,
- protocol, policy);
- vlib_cli_output(vm, " local addr range %U - %U port range %u - %u",
- format_ip6_address, &p->laddr.start.ip6,
- format_ip6_address, &p->laddr.stop.ip6,
- p->lport.start, p->lport.stop);
- vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u",
- format_ip6_address, &p->raddr.start.ip6,
- format_ip6_address, &p->raddr.stop.ip6,
- p->rport.start, p->rport.stop);
- vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets,
- p->counter.bytes);
- };
+ vlib_cli_output (vm, "SPD Bindings:");
+ /* *INDENT-OFF* */
+ hash_foreach(sw_if_index, spd_id, im->spd_index_by_sw_if_index, ({
+ vlib_cli_output (vm, " %d -> %U", spd_id,
+ format_vnet_sw_if_index_name, im->vnet_main,
+ sw_if_index);
}));
/* *INDENT-ON* */
+
vlib_cli_output (vm, "tunnel interfaces");
/* *INDENT-OFF* */
pool_foreach (t, im->tunnel_interfaces, ({
hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index);
vlib_cli_output(vm, " %s seq", hi->name);
sa = pool_elt_at_index(im->sad, t->output_sa_index);
- vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u",
- sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay);
+
+ tx_table_id = fib_table_get_table_id(sa->tx_fib_index, FIB_PROTOCOL_IP4);
+
+ vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u udp-encap %u tx-table %u",
+ sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay, sa->udp_encap, tx_table_id);
vlib_cli_output(vm, " local-spi %u local-ip %U", sa->spi,
format_ip4_address, &sa->tunnel_src_addr.ip4);
vlib_cli_output(vm, " local-crypto %U %U",
/* *INDENT-OFF* */
VLIB_CLI_COMMAND (show_ipsec_command, static) = {
.path = "show ipsec",
- .short_help = "show ipsec",
+ .short_help = "show ipsec [backends]",
.function = show_ipsec_command_fn,
};
/* *INDENT-ON* */
static clib_error_t *
-clear_ipsec_counters_command_fn (vlib_main_t * vm,
- unformat_input_t * input,
- vlib_cli_command_t * cmd)
+ipsec_show_backends_command_fn (vlib_main_t * vm,
+ unformat_input_t * input,
+ vlib_cli_command_t * cmd)
{
ipsec_main_t *im = &ipsec_main;
- ipsec_spd_t *spd;
- ipsec_policy_t *p;
+ u32 verbose = 0;
+ (void) unformat (input, "verbose %u", &verbose);
+
+ vlib_cli_output (vm, "IPsec AH backends available:");
+ u8 *s = format (NULL, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
+ ipsec_ah_backend_t *ab;
/* *INDENT-OFF* */
- pool_foreach (spd, im->spds, ({
- pool_foreach(p, spd->policies, ({
- p->counter.packets = p->counter.bytes = 0;
- }));
- }));
+ pool_foreach (ab, im->ah_backends, {
+ s = format (s, "%=25s %=25u %=10s\n", ab->name, ab - im->ah_backends,
+ ab - im->ah_backends == im->ah_current_backend ? "yes" : "no");
+ if (verbose) {
+ vlib_node_t *n;
+ n = vlib_get_node (vm, ab->ah4_encrypt_node_index);
+ s = format (s, " enc4 %s (next %d)\n", n->name, ab->ah4_encrypt_next_index);
+ n = vlib_get_node (vm, ab->ah4_decrypt_node_index);
+ s = format (s, " dec4 %s (next %d)\n", n->name, ab->ah4_decrypt_next_index);
+ n = vlib_get_node (vm, ab->ah6_encrypt_node_index);
+ s = format (s, " enc6 %s (next %d)\n", n->name, ab->ah6_encrypt_next_index);
+ n = vlib_get_node (vm, ab->ah6_decrypt_node_index);
+ s = format (s, " dec6 %s (next %d)\n", n->name, ab->ah6_decrypt_next_index);
+ }
+ });
/* *INDENT-ON* */
+ vlib_cli_output (vm, "%v", s);
+ _vec_len (s) = 0;
+ vlib_cli_output (vm, "IPsec ESP backends available:");
+ s = format (s, "%=25s %=25s %=10s\n", "Name", "Index", "Active");
+ ipsec_esp_backend_t *eb;
+ /* *INDENT-OFF* */
+ pool_foreach (eb, im->esp_backends, {
+ s = format (s, "%=25s %=25u %=10s\n", eb->name, eb - im->esp_backends,
+ eb - im->esp_backends == im->esp_current_backend ? "yes"
+ : "no");
+ if (verbose) {
+ vlib_node_t *n;
+ n = vlib_get_node (vm, eb->esp4_encrypt_node_index);
+ s = format (s, " enc4 %s (next %d)\n", n->name, eb->esp4_encrypt_next_index);
+ n = vlib_get_node (vm, eb->esp4_decrypt_node_index);
+ s = format (s, " dec4 %s (next %d)\n", n->name, eb->esp4_decrypt_next_index);
+ n = vlib_get_node (vm, eb->esp6_encrypt_node_index);
+ s = format (s, " enc6 %s (next %d)\n", n->name, eb->esp6_encrypt_next_index);
+ n = vlib_get_node (vm, eb->esp6_decrypt_node_index);
+ s = format (s, " dec6 %s (next %d)\n", n->name, eb->esp6_decrypt_next_index);
+ }
+ });
+ /* *INDENT-ON* */
+ vlib_cli_output (vm, "%v", s);
+
+ vec_free (s);
+ return 0;
+}
+
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (ipsec_show_backends_command, static) = {
+ .path = "show ipsec backends",
+ .short_help = "show ipsec backends",
+ .function = ipsec_show_backends_command_fn,
+};
+/* *INDENT-ON* */
+
+static clib_error_t *
+ipsec_select_backend_command_fn (vlib_main_t * vm,
+ unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ u32 backend_index;
+ ipsec_main_t *im = &ipsec_main;
+
+ if (pool_elts (im->sad) > 0)
+ {
+ return clib_error_return (0,
+ "Cannot change IPsec backend, while %u SA entries are configured",
+ pool_elts (im->sad));
+ }
+
+ unformat_input_t _line_input, *line_input = &_line_input;
+ /* Get a line of input. */
+ if (!unformat_user (input, unformat_line_input, line_input))
+ return 0;
+
+ if (unformat (line_input, "ah"))
+ {
+ if (unformat (line_input, "%u", &backend_index))
+ {
+ if (ipsec_select_ah_backend (im, backend_index) < 0)
+ {
+ return clib_error_return (0, "Invalid AH backend index `%u'",
+ backend_index);
+ }
+ }
+ else
+ {
+ return clib_error_return (0, "Invalid backend index `%U'",
+ format_unformat_error, line_input);
+ }
+ }
+ else if (unformat (line_input, "esp"))
+ {
+ if (unformat (line_input, "%u", &backend_index))
+ {
+ if (ipsec_select_esp_backend (im, backend_index) < 0)
+ {
+ return clib_error_return (0, "Invalid ESP backend index `%u'",
+ backend_index);
+ }
+ }
+ else
+ {
+ return clib_error_return (0, "Invalid backend index `%U'",
+ format_unformat_error, line_input);
+ }
+ }
+ else
+ {
+ return clib_error_return (0, "Unknown input `%U'",
+ format_unformat_error, line_input);
+ }
return 0;
}
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (ipsec_select_backend_command, static) = {
+ .path = "ipsec select backend",
+ .short_help = "ipsec select backend <ah|esp> <backend index>",
+ .function = ipsec_select_backend_command_fn,
+};
+
+/* *INDENT-ON* */
+
+static clib_error_t *
+clear_ipsec_counters_command_fn (vlib_main_t * vm,
+ unformat_input_t * input,
+ vlib_cli_command_t * cmd)
+{
+ vlib_clear_combined_counters (&ipsec_spd_policy_counters);
+
+ return (NULL);
+}
+
/* *INDENT-OFF* */
VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = {
.path = "clear ipsec counters",
u32 num_m_args = 0;
clib_error_t *error = NULL;
- memset (&a, 0, sizeof (a));
+ clib_memset (&a, 0, sizeof (a));
a.is_add = 1;
/* Get a line of input. */
num_m_args++;
else if (unformat (line_input, "instance %u", &a.show_instance))
a.renumber = 1;
+ else if (unformat (line_input, "udp-encap"))
+ a.udp_encap = 1;
+ else if (unformat (line_input, "use-esn"))
+ a.esn = 1;
+ else if (unformat (line_input, "use-anti-replay"))
+ a.anti_replay = 1;
+ else if (unformat (line_input, "tx-table %u", &a.tx_table_id))
+ ;
else if (unformat (line_input, "del"))
a.is_add = 0;
else
/* *INDENT-OFF* */
VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
.path = "create ipsec tunnel",
- .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> remote-ip <addr> remote-spi <spi> [instance <inst_num>]",
+ .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> "
+ "remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap] [use-esn] [use-anti-replay] "
+ "[tx-table <table-id>]",
.function = create_ipsec_tunnel_command_fn,
};
/* *INDENT-ON* */
Code Review / vpp.git / blobdiff