Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 1 | /* |
| 2 | * decap.c : IPSec tunnel support |
| 3 | * |
| 4 | * Copyright (c) 2015 Cisco and/or its affiliates. |
| 5 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | * you may not use this file except in compliance with the License. |
| 7 | * You may obtain a copy of the License at: |
| 8 | * |
| 9 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | * |
| 11 | * Unless required by applicable law or agreed to in writing, software |
| 12 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | * See the License for the specific language governing permissions and |
| 15 | * limitations under the License. |
| 16 | */ |
| 17 | |
| 18 | #include <vnet/vnet.h> |
| 19 | #include <vnet/api_errno.h> |
| 20 | #include <vnet/ip/ip.h> |
| 21 | #include <vnet/interface.h> |
Pierre Pfister | 4c422f9 | 2018-12-10 11:19:08 +0100 | [diff] [blame] | 22 | #include <vnet/fib/fib.h> |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 23 | |
| 24 | #include <vnet/ipsec/ipsec.h> |
| 25 | |
| 26 | static clib_error_t * |
| 27 | set_interface_spd_command_fn (vlib_main_t * vm, |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 28 | unformat_input_t * input, |
| 29 | vlib_cli_command_t * cmd) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 30 | { |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 31 | unformat_input_t _line_input, *line_input = &_line_input; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 32 | ipsec_main_t *im = &ipsec_main; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 33 | u32 sw_if_index = (u32) ~ 0; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 34 | u32 spd_id; |
| 35 | int is_add = 1; |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 36 | clib_error_t *error = NULL; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 37 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 38 | if (!unformat_user (input, unformat_line_input, line_input)) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 39 | return 0; |
| 40 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 41 | if (unformat |
| 42 | (line_input, "%U %u", unformat_vnet_sw_interface, im->vnet_main, |
| 43 | &sw_if_index, &spd_id)) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 44 | ; |
| 45 | else if (unformat (line_input, "del")) |
| 46 | is_add = 0; |
| 47 | else |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 48 | { |
| 49 | error = clib_error_return (0, "parse error: '%U'", |
| 50 | format_unformat_error, line_input); |
| 51 | goto done; |
| 52 | } |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 53 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 54 | ipsec_set_interface_spd (vm, sw_if_index, spd_id, is_add); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 55 | |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 56 | done: |
| 57 | unformat_free (line_input); |
| 58 | |
| 59 | return error; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 60 | } |
| 61 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 62 | /* *INDENT-OFF* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 63 | VLIB_CLI_COMMAND (set_interface_spd_command, static) = { |
| 64 | .path = "set interface ipsec spd", |
| 65 | .short_help = |
| 66 | "set interface ipsec spd <int> <id>", |
| 67 | .function = set_interface_spd_command_fn, |
| 68 | }; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 69 | /* *INDENT-ON* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 70 | |
| 71 | static clib_error_t * |
| 72 | ipsec_sa_add_del_command_fn (vlib_main_t * vm, |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 73 | unformat_input_t * input, |
| 74 | vlib_cli_command_t * cmd) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 75 | { |
Sergio Gonzalez Monroy | d04b60b | 2017-01-20 15:35:23 +0000 | [diff] [blame] | 76 | ipsec_main_t *im = &ipsec_main; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 77 | unformat_input_t _line_input, *line_input = &_line_input; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 78 | ipsec_sa_t sa; |
| 79 | int is_add = ~0; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 80 | u8 *ck = 0, *ik = 0; |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 81 | clib_error_t *error = NULL; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 82 | |
Dave Barach | b7b9299 | 2018-10-17 10:38:51 -0400 | [diff] [blame] | 83 | clib_memset (&sa, 0, sizeof (sa)); |
Pierre Pfister | 4c422f9 | 2018-12-10 11:19:08 +0100 | [diff] [blame] | 84 | sa.tx_fib_index = ~((u32) 0); /* Only supported for ipsec interfaces */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 85 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 86 | if (!unformat_user (input, unformat_line_input, line_input)) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 87 | return 0; |
| 88 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 89 | while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) |
| 90 | { |
| 91 | if (unformat (line_input, "add %u", &sa.id)) |
| 92 | is_add = 1; |
| 93 | else if (unformat (line_input, "del %u", &sa.id)) |
| 94 | is_add = 0; |
| 95 | else if (unformat (line_input, "spi %u", &sa.spi)) |
| 96 | ; |
| 97 | else if (unformat (line_input, "esp")) |
| 98 | sa.protocol = IPSEC_PROTOCOL_ESP; |
| 99 | else if (unformat (line_input, "ah")) |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 100 | { |
“mukeshyadav1984” | 430ac93 | 2017-11-23 02:39:33 -0800 | [diff] [blame] | 101 | sa.protocol = IPSEC_PROTOCOL_AH; |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 102 | } |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 103 | else |
| 104 | if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck)) |
| 105 | sa.crypto_key_len = vec_len (ck); |
| 106 | else |
| 107 | if (unformat |
| 108 | (line_input, "crypto-alg %U", unformat_ipsec_crypto_alg, |
| 109 | &sa.crypto_alg)) |
| 110 | { |
Radu Nicolau | 89c2781 | 2018-05-04 12:51:53 +0100 | [diff] [blame] | 111 | if (sa.crypto_alg < IPSEC_CRYPTO_ALG_NONE || |
Radu Nicolau | 6929ea9 | 2016-11-29 11:00:30 +0000 | [diff] [blame] | 112 | sa.crypto_alg >= IPSEC_CRYPTO_N_ALG) |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 113 | { |
| 114 | error = clib_error_return (0, "unsupported crypto-alg: '%U'", |
| 115 | format_ipsec_crypto_alg, |
| 116 | sa.crypto_alg); |
| 117 | goto done; |
| 118 | } |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 119 | } |
| 120 | else |
| 121 | if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik)) |
| 122 | sa.integ_key_len = vec_len (ik); |
| 123 | else if (unformat (line_input, "integ-alg %U", unformat_ipsec_integ_alg, |
| 124 | &sa.integ_alg)) |
| 125 | { |
Radu Nicolau | 89c2781 | 2018-05-04 12:51:53 +0100 | [diff] [blame] | 126 | if (sa.integ_alg < IPSEC_INTEG_ALG_NONE || |
Radu Nicolau | 6929ea9 | 2016-11-29 11:00:30 +0000 | [diff] [blame] | 127 | sa.integ_alg >= IPSEC_INTEG_N_ALG) |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 128 | { |
| 129 | error = clib_error_return (0, "unsupported integ-alg: '%U'", |
| 130 | format_ipsec_integ_alg, |
| 131 | sa.integ_alg); |
| 132 | goto done; |
| 133 | } |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 134 | } |
| 135 | else if (unformat (line_input, "tunnel-src %U", |
| 136 | unformat_ip4_address, &sa.tunnel_src_addr.ip4)) |
| 137 | sa.is_tunnel = 1; |
| 138 | else if (unformat (line_input, "tunnel-dst %U", |
| 139 | unformat_ip4_address, &sa.tunnel_dst_addr.ip4)) |
| 140 | sa.is_tunnel = 1; |
| 141 | else if (unformat (line_input, "tunnel-src %U", |
| 142 | unformat_ip6_address, &sa.tunnel_src_addr.ip6)) |
| 143 | { |
| 144 | sa.is_tunnel = 1; |
| 145 | sa.is_tunnel_ip6 = 1; |
| 146 | } |
| 147 | else if (unformat (line_input, "tunnel-dst %U", |
| 148 | unformat_ip6_address, &sa.tunnel_dst_addr.ip6)) |
| 149 | { |
| 150 | sa.is_tunnel = 1; |
| 151 | sa.is_tunnel_ip6 = 1; |
| 152 | } |
Radu Nicolau | 717de09 | 2018-08-03 10:37:24 +0100 | [diff] [blame] | 153 | else if (unformat (line_input, "udp-encap")) |
| 154 | { |
| 155 | sa.udp_encap = 1; |
| 156 | } |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 157 | else |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 158 | { |
| 159 | error = clib_error_return (0, "parse error: '%U'", |
| 160 | format_unformat_error, line_input); |
| 161 | goto done; |
| 162 | } |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 163 | } |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 164 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 165 | if (sa.crypto_key_len > sizeof (sa.crypto_key)) |
| 166 | sa.crypto_key_len = sizeof (sa.crypto_key); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 167 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 168 | if (sa.integ_key_len > sizeof (sa.integ_key)) |
| 169 | sa.integ_key_len = sizeof (sa.integ_key); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 170 | |
| 171 | if (ck) |
Pierre Pfister | 6221927 | 2018-11-26 09:29:00 +0100 | [diff] [blame] | 172 | memcpy (sa.crypto_key, ck, sa.crypto_key_len); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 173 | |
| 174 | if (ik) |
Pierre Pfister | 6221927 | 2018-11-26 09:29:00 +0100 | [diff] [blame] | 175 | memcpy (sa.integ_key, ik, sa.integ_key_len); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 176 | |
Sergio Gonzalez Monroy | d04b60b | 2017-01-20 15:35:23 +0000 | [diff] [blame] | 177 | if (is_add) |
| 178 | { |
Klement Sekera | b4d3053 | 2018-11-08 13:00:02 +0100 | [diff] [blame] | 179 | error = ipsec_check_support_cb (im, &sa); |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 180 | if (error) |
| 181 | goto done; |
Sergio Gonzalez Monroy | d04b60b | 2017-01-20 15:35:23 +0000 | [diff] [blame] | 182 | } |
| 183 | |
Radu Nicolau | 717de09 | 2018-08-03 10:37:24 +0100 | [diff] [blame] | 184 | ipsec_add_del_sa (vm, &sa, is_add); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 185 | |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 186 | done: |
| 187 | unformat_free (line_input); |
| 188 | |
| 189 | return error; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 190 | } |
| 191 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 192 | /* *INDENT-OFF* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 193 | VLIB_CLI_COMMAND (ipsec_sa_add_del_command, static) = { |
| 194 | .path = "ipsec sa", |
| 195 | .short_help = |
| 196 | "ipsec sa [add|del]", |
| 197 | .function = ipsec_sa_add_del_command_fn, |
| 198 | }; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 199 | /* *INDENT-ON* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 200 | |
| 201 | static clib_error_t * |
| 202 | ipsec_spd_add_del_command_fn (vlib_main_t * vm, |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 203 | unformat_input_t * input, |
| 204 | vlib_cli_command_t * cmd) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 205 | { |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 206 | unformat_input_t _line_input, *line_input = &_line_input; |
Damjan Marion | 3f54b18 | 2016-08-16 11:27:02 +0200 | [diff] [blame] | 207 | u32 spd_id = ~0; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 208 | int is_add = ~0; |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 209 | clib_error_t *error = NULL; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 210 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 211 | if (!unformat_user (input, unformat_line_input, line_input)) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 212 | return 0; |
| 213 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 214 | while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) |
| 215 | { |
| 216 | if (unformat (line_input, "add")) |
| 217 | is_add = 1; |
| 218 | else if (unformat (line_input, "del")) |
| 219 | is_add = 0; |
| 220 | else if (unformat (line_input, "%u", &spd_id)) |
| 221 | ; |
| 222 | else |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 223 | { |
| 224 | error = clib_error_return (0, "parse error: '%U'", |
| 225 | format_unformat_error, line_input); |
| 226 | goto done; |
| 227 | } |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 228 | } |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 229 | |
Damjan Marion | 3f54b18 | 2016-08-16 11:27:02 +0200 | [diff] [blame] | 230 | if (spd_id == ~0) |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 231 | { |
| 232 | error = clib_error_return (0, "please specify SPD ID"); |
| 233 | goto done; |
| 234 | } |
Damjan Marion | 3f54b18 | 2016-08-16 11:27:02 +0200 | [diff] [blame] | 235 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 236 | ipsec_add_del_spd (vm, spd_id, is_add); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 237 | |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 238 | done: |
| 239 | unformat_free (line_input); |
| 240 | |
| 241 | return error; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 242 | } |
| 243 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 244 | /* *INDENT-OFF* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 245 | VLIB_CLI_COMMAND (ipsec_spd_add_del_command, static) = { |
| 246 | .path = "ipsec spd", |
| 247 | .short_help = |
| 248 | "ipsec spd [add|del] <id>", |
| 249 | .function = ipsec_spd_add_del_command_fn, |
| 250 | }; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 251 | /* *INDENT-ON* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 252 | |
| 253 | |
| 254 | static clib_error_t * |
| 255 | ipsec_policy_add_del_command_fn (vlib_main_t * vm, |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 256 | unformat_input_t * input, |
| 257 | vlib_cli_command_t * cmd) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 258 | { |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 259 | unformat_input_t _line_input, *line_input = &_line_input; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 260 | ipsec_policy_t p; |
| 261 | int is_add = 0; |
| 262 | int is_ip_any = 1; |
| 263 | u32 tmp, tmp2; |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 264 | clib_error_t *error = NULL; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 265 | |
Dave Barach | b7b9299 | 2018-10-17 10:38:51 -0400 | [diff] [blame] | 266 | clib_memset (&p, 0, sizeof (p)); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 267 | p.lport.stop = p.rport.stop = ~0; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 268 | p.laddr.stop.ip4.as_u32 = p.raddr.stop.ip4.as_u32 = (u32) ~ 0; |
| 269 | p.laddr.stop.ip6.as_u64[0] = p.laddr.stop.ip6.as_u64[1] = (u64) ~ 0; |
| 270 | p.raddr.stop.ip6.as_u64[0] = p.raddr.stop.ip6.as_u64[1] = (u64) ~ 0; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 271 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 272 | if (!unformat_user (input, unformat_line_input, line_input)) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 273 | return 0; |
| 274 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 275 | while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) |
| 276 | { |
| 277 | if (unformat (line_input, "add")) |
| 278 | is_add = 1; |
| 279 | else if (unformat (line_input, "del")) |
| 280 | is_add = 0; |
| 281 | else if (unformat (line_input, "spd %u", &p.id)) |
| 282 | ; |
| 283 | else if (unformat (line_input, "inbound")) |
| 284 | p.is_outbound = 0; |
| 285 | else if (unformat (line_input, "outbound")) |
| 286 | p.is_outbound = 1; |
| 287 | else if (unformat (line_input, "priority %d", &p.priority)) |
| 288 | ; |
| 289 | else if (unformat (line_input, "protocol %u", &tmp)) |
| 290 | p.protocol = (u8) tmp; |
| 291 | else |
| 292 | if (unformat |
| 293 | (line_input, "action %U", unformat_ipsec_policy_action, |
| 294 | &p.policy)) |
| 295 | { |
| 296 | if (p.policy == IPSEC_POLICY_ACTION_RESOLVE) |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 297 | { |
| 298 | error = clib_error_return (0, "unsupported action: 'resolve'"); |
| 299 | goto done; |
| 300 | } |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 301 | } |
| 302 | else if (unformat (line_input, "sa %u", &p.sa_id)) |
| 303 | ; |
| 304 | else if (unformat (line_input, "local-ip-range %U - %U", |
| 305 | unformat_ip4_address, &p.laddr.start.ip4, |
| 306 | unformat_ip4_address, &p.laddr.stop.ip4)) |
| 307 | is_ip_any = 0; |
| 308 | else if (unformat (line_input, "remote-ip-range %U - %U", |
| 309 | unformat_ip4_address, &p.raddr.start.ip4, |
| 310 | unformat_ip4_address, &p.raddr.stop.ip4)) |
| 311 | is_ip_any = 0; |
| 312 | else if (unformat (line_input, "local-ip-range %U - %U", |
| 313 | unformat_ip6_address, &p.laddr.start.ip6, |
| 314 | unformat_ip6_address, &p.laddr.stop.ip6)) |
| 315 | { |
| 316 | p.is_ipv6 = 1; |
| 317 | is_ip_any = 0; |
| 318 | } |
| 319 | else if (unformat (line_input, "remote-ip-range %U - %U", |
| 320 | unformat_ip6_address, &p.raddr.start.ip6, |
| 321 | unformat_ip6_address, &p.raddr.stop.ip6)) |
| 322 | { |
| 323 | p.is_ipv6 = 1; |
| 324 | is_ip_any = 0; |
| 325 | } |
| 326 | else if (unformat (line_input, "local-port-range %u - %u", &tmp, &tmp2)) |
| 327 | { |
| 328 | p.lport.start = tmp; |
| 329 | p.lport.stop = tmp2; |
| 330 | } |
| 331 | else |
| 332 | if (unformat (line_input, "remote-port-range %u - %u", &tmp, &tmp2)) |
| 333 | { |
| 334 | p.rport.start = tmp; |
| 335 | p.rport.stop = tmp2; |
| 336 | } |
| 337 | else |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 338 | { |
| 339 | error = clib_error_return (0, "parse error: '%U'", |
| 340 | format_unformat_error, line_input); |
| 341 | goto done; |
| 342 | } |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 343 | } |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 344 | |
“mukeshyadav1984” | 430ac93 | 2017-11-23 02:39:33 -0800 | [diff] [blame] | 345 | /* Check if SA is for IPv6/AH which is not supported. Return error if TRUE. */ |
| 346 | if (p.sa_id) |
| 347 | { |
| 348 | uword *p1; |
| 349 | ipsec_main_t *im = &ipsec_main; |
| 350 | ipsec_sa_t *sa = 0; |
| 351 | p1 = hash_get (im->sa_index_by_sa_id, p.sa_id); |
Klement Sekera | c2fc57e | 2018-06-28 14:20:12 +0200 | [diff] [blame] | 352 | if (!p1) |
| 353 | { |
| 354 | error = |
| 355 | clib_error_return (0, "SA with index %u not found", p.sa_id); |
| 356 | goto done; |
| 357 | } |
“mukeshyadav1984” | 430ac93 | 2017-11-23 02:39:33 -0800 | [diff] [blame] | 358 | sa = pool_elt_at_index (im->sad, p1[0]); |
| 359 | if (sa && sa->protocol == IPSEC_PROTOCOL_AH && is_add && p.is_ipv6) |
| 360 | { |
| 361 | error = clib_error_return (0, "AH not supported for IPV6: '%U'", |
| 362 | format_unformat_error, line_input); |
| 363 | goto done; |
| 364 | } |
| 365 | } |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 366 | ipsec_add_del_policy (vm, &p, is_add); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 367 | if (is_ip_any) |
| 368 | { |
| 369 | p.is_ipv6 = 1; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 370 | ipsec_add_del_policy (vm, &p, is_add); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 371 | } |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 372 | |
| 373 | done: |
| 374 | unformat_free (line_input); |
| 375 | |
| 376 | return error; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 377 | } |
| 378 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 379 | /* *INDENT-OFF* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 380 | VLIB_CLI_COMMAND (ipsec_policy_add_del_command, static) = { |
| 381 | .path = "ipsec policy", |
| 382 | .short_help = |
| 383 | "ipsec policy [add|del] spd <id> priority <n> ", |
| 384 | .function = ipsec_policy_add_del_command_fn, |
| 385 | }; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 386 | /* *INDENT-ON* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 387 | |
| 388 | static clib_error_t * |
| 389 | set_ipsec_sa_key_command_fn (vlib_main_t * vm, |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 390 | unformat_input_t * input, |
| 391 | vlib_cli_command_t * cmd) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 392 | { |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 393 | unformat_input_t _line_input, *line_input = &_line_input; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 394 | ipsec_sa_t sa; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 395 | u8 *ck = 0, *ik = 0; |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 396 | clib_error_t *error = NULL; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 397 | |
Dave Barach | b7b9299 | 2018-10-17 10:38:51 -0400 | [diff] [blame] | 398 | clib_memset (&sa, 0, sizeof (sa)); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 399 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 400 | if (!unformat_user (input, unformat_line_input, line_input)) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 401 | return 0; |
| 402 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 403 | while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) |
| 404 | { |
| 405 | if (unformat (line_input, "%u", &sa.id)) |
| 406 | ; |
| 407 | else |
| 408 | if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck)) |
| 409 | sa.crypto_key_len = vec_len (ck); |
| 410 | else |
| 411 | if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik)) |
| 412 | sa.integ_key_len = vec_len (ik); |
| 413 | else |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 414 | { |
| 415 | error = clib_error_return (0, "parse error: '%U'", |
| 416 | format_unformat_error, line_input); |
| 417 | goto done; |
| 418 | } |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 419 | } |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 420 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 421 | if (sa.crypto_key_len > sizeof (sa.crypto_key)) |
| 422 | sa.crypto_key_len = sizeof (sa.crypto_key); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 423 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 424 | if (sa.integ_key_len > sizeof (sa.integ_key)) |
| 425 | sa.integ_key_len = sizeof (sa.integ_key); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 426 | |
| 427 | if (ck) |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 428 | strncpy ((char *) sa.crypto_key, (char *) ck, sa.crypto_key_len); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 429 | |
| 430 | if (ik) |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 431 | strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 432 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 433 | ipsec_set_sa_key (vm, &sa); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 434 | |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 435 | done: |
| 436 | unformat_free (line_input); |
| 437 | |
| 438 | return error; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 439 | } |
| 440 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 441 | /* *INDENT-OFF* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 442 | VLIB_CLI_COMMAND (set_ipsec_sa_key_command, static) = { |
| 443 | .path = "set ipsec sa", |
| 444 | .short_help = |
| 445 | "set ipsec sa <id> crypto-key <key> integ-key <key>", |
| 446 | .function = set_ipsec_sa_key_command_fn, |
| 447 | }; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 448 | /* *INDENT-ON* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 449 | |
| 450 | static clib_error_t * |
| 451 | show_ipsec_command_fn (vlib_main_t * vm, |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 452 | unformat_input_t * input, vlib_cli_command_t * cmd) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 453 | { |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 454 | ipsec_spd_t *spd; |
| 455 | ipsec_sa_t *sa; |
| 456 | ipsec_policy_t *p; |
| 457 | ipsec_main_t *im = &ipsec_main; |
| 458 | u32 *i; |
| 459 | ipsec_tunnel_if_t *t; |
| 460 | vnet_hw_interface_t *hi; |
Klement Sekera | ea84130 | 2018-05-11 12:59:05 +0200 | [diff] [blame] | 461 | u8 *protocol = NULL; |
| 462 | u8 *policy = NULL; |
Neale Ranns | 311124e | 2019-01-24 04:52:25 -0800 | [diff] [blame] | 463 | u32 tx_table_id, spd_id, sw_if_index; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 464 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 465 | /* *INDENT-OFF* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 466 | pool_foreach (sa, im->sad, ({ |
| 467 | if (sa->id) { |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 468 | vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s%s%s%s", sa->id, sa->spi, |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 469 | sa->is_tunnel ? "tunnel" : "transport", |
Klement Sekera | 4b089f2 | 2018-04-17 18:04:57 +0200 | [diff] [blame] | 470 | sa->protocol ? "esp" : "ah", |
Neale Ranns | de84727 | 2018-11-28 01:38:34 -0800 | [diff] [blame] | 471 | sa->udp_encap ? " udp-encap-enabled" : "", |
| 472 | sa->use_anti_replay ? " anti-replay" : "", |
| 473 | sa->use_esn ? " extended-sequence-number" : ""); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 474 | if (sa->protocol == IPSEC_PROTOCOL_ESP) { |
| 475 | vlib_cli_output(vm, " crypto alg %U%s%U integrity alg %U%s%U", |
| 476 | format_ipsec_crypto_alg, sa->crypto_alg, |
| 477 | sa->crypto_alg ? " key " : "", |
| 478 | format_hex_bytes, sa->crypto_key, sa->crypto_key_len, |
| 479 | format_ipsec_integ_alg, sa->integ_alg, |
| 480 | sa->integ_alg ? " key " : "", |
| 481 | format_hex_bytes, sa->integ_key, sa->integ_key_len); |
| 482 | } |
| 483 | if (sa->is_tunnel && sa->is_tunnel_ip6) { |
| 484 | vlib_cli_output(vm, " tunnel src %U dst %U", |
| 485 | format_ip6_address, &sa->tunnel_src_addr.ip6, |
| 486 | format_ip6_address, &sa->tunnel_dst_addr.ip6); |
| 487 | } else if (sa->is_tunnel) { |
| 488 | vlib_cli_output(vm, " tunnel src %U dst %U", |
| 489 | format_ip4_address, &sa->tunnel_src_addr.ip4, |
| 490 | format_ip4_address, &sa->tunnel_dst_addr.ip4); |
| 491 | } |
| 492 | } |
| 493 | })); |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 494 | /* *INDENT-ON* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 495 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 496 | /* *INDENT-OFF* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 497 | pool_foreach (spd, im->spds, ({ |
| 498 | vlib_cli_output(vm, "spd %u", spd->id); |
| 499 | |
| 500 | vlib_cli_output(vm, " outbound policies"); |
| 501 | vec_foreach(i, spd->ipv4_outbound_policies) |
| 502 | { |
| 503 | p = pool_elt_at_index(spd->policies, *i); |
Klement Sekera | ea84130 | 2018-05-11 12:59:05 +0200 | [diff] [blame] | 504 | vec_reset_length(protocol); |
| 505 | vec_reset_length(policy); |
| 506 | if (p->protocol) { |
| 507 | protocol = format(protocol, "%U", format_ip_protocol, p->protocol); |
| 508 | } else { |
| 509 | protocol = format(protocol, "any"); |
| 510 | } |
| 511 | if (p->policy == IPSEC_POLICY_ACTION_PROTECT) { |
| 512 | policy = format(policy, " sa %u", p->sa_id); |
| 513 | } |
| 514 | |
| 515 | vlib_cli_output(vm, " priority %d action %U protocol %v%v", |
| 516 | p->priority, format_ipsec_policy_action, p->policy, |
| 517 | protocol, policy); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 518 | vlib_cli_output(vm, " local addr range %U - %U port range %u - %u", |
| 519 | format_ip4_address, &p->laddr.start.ip4, |
| 520 | format_ip4_address, &p->laddr.stop.ip4, |
| 521 | p->lport.start, p->lport.stop); |
Paul Vinciguerra | bdc0e6b | 2018-09-22 05:32:50 -0700 | [diff] [blame] | 522 | vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u", |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 523 | format_ip4_address, &p->raddr.start.ip4, |
| 524 | format_ip4_address, &p->raddr.stop.ip4, |
| 525 | p->rport.start, p->rport.stop); |
| 526 | vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets, |
| 527 | p->counter.bytes); |
| 528 | }; |
| 529 | vec_foreach(i, spd->ipv6_outbound_policies) |
| 530 | { |
| 531 | p = pool_elt_at_index(spd->policies, *i); |
Klement Sekera | ea84130 | 2018-05-11 12:59:05 +0200 | [diff] [blame] | 532 | vec_reset_length(protocol); |
| 533 | vec_reset_length(policy); |
| 534 | if (p->protocol) { |
| 535 | protocol = format(protocol, "%U", format_ip_protocol, p->protocol); |
| 536 | } else { |
| 537 | protocol = format(protocol, "any"); |
| 538 | } |
| 539 | if (p->policy == IPSEC_POLICY_ACTION_PROTECT) { |
| 540 | policy = format(policy, " sa %u", p->sa_id); |
| 541 | } |
| 542 | vlib_cli_output(vm, " priority %d action %U protocol %v%v", |
| 543 | p->priority, format_ipsec_policy_action, p->policy, |
| 544 | protocol, policy); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 545 | vlib_cli_output(vm, " local addr range %U - %U port range %u - %u", |
| 546 | format_ip6_address, &p->laddr.start.ip6, |
| 547 | format_ip6_address, &p->laddr.stop.ip6, |
| 548 | p->lport.start, p->lport.stop); |
| 549 | vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u", |
| 550 | format_ip6_address, &p->raddr.start.ip6, |
| 551 | format_ip6_address, &p->raddr.stop.ip6, |
| 552 | p->rport.start, p->rport.stop); |
| 553 | vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets, |
| 554 | p->counter.bytes); |
| 555 | }; |
| 556 | vlib_cli_output(vm, " inbound policies"); |
| 557 | vec_foreach(i, spd->ipv4_inbound_protect_policy_indices) |
| 558 | { |
| 559 | p = pool_elt_at_index(spd->policies, *i); |
Klement Sekera | ea84130 | 2018-05-11 12:59:05 +0200 | [diff] [blame] | 560 | vec_reset_length(protocol); |
| 561 | vec_reset_length(policy); |
| 562 | if (p->protocol) { |
| 563 | protocol = format(protocol, "%U", format_ip_protocol, p->protocol); |
| 564 | } else { |
| 565 | protocol = format(protocol, "any"); |
| 566 | } |
| 567 | if (p->policy == IPSEC_POLICY_ACTION_PROTECT) { |
| 568 | policy = format(policy, " sa %u", p->sa_id); |
| 569 | } |
| 570 | vlib_cli_output(vm, " priority %d action %U protocol %v%v", |
| 571 | p->priority, format_ipsec_policy_action, p->policy, |
| 572 | protocol, policy); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 573 | vlib_cli_output(vm, " local addr range %U - %U port range %u - %u", |
| 574 | format_ip4_address, &p->laddr.start.ip4, |
| 575 | format_ip4_address, &p->laddr.stop.ip4, |
| 576 | p->lport.start, p->lport.stop); |
Paul Vinciguerra | bdc0e6b | 2018-09-22 05:32:50 -0700 | [diff] [blame] | 577 | vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u", |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 578 | format_ip4_address, &p->raddr.start.ip4, |
| 579 | format_ip4_address, &p->raddr.stop.ip4, |
| 580 | p->rport.start, p->rport.stop); |
| 581 | vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets, |
| 582 | p->counter.bytes); |
| 583 | }; |
| 584 | vec_foreach(i, spd->ipv4_inbound_policy_discard_and_bypass_indices) |
| 585 | { |
| 586 | p = pool_elt_at_index(spd->policies, *i); |
Klement Sekera | ea84130 | 2018-05-11 12:59:05 +0200 | [diff] [blame] | 587 | vec_reset_length(protocol); |
| 588 | vec_reset_length(policy); |
| 589 | if (p->protocol) { |
| 590 | protocol = format(protocol, "%U", format_ip_protocol, p->protocol); |
| 591 | } else { |
| 592 | protocol = format(protocol, "any"); |
| 593 | } |
| 594 | if (p->policy == IPSEC_POLICY_ACTION_PROTECT) { |
| 595 | policy = format(policy, " sa %u", p->sa_id); |
| 596 | } |
| 597 | vlib_cli_output(vm, " priority %d action %U protocol %v%v", |
| 598 | p->priority, format_ipsec_policy_action, p->policy, |
| 599 | protocol, policy); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 600 | vlib_cli_output(vm, " local addr range %U - %U port range %u - %u", |
| 601 | format_ip4_address, &p->laddr.start.ip4, |
| 602 | format_ip4_address, &p->laddr.stop.ip4, |
| 603 | p->lport.start, p->lport.stop); |
Paul Vinciguerra | bdc0e6b | 2018-09-22 05:32:50 -0700 | [diff] [blame] | 604 | vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u", |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 605 | format_ip4_address, &p->raddr.start.ip4, |
| 606 | format_ip4_address, &p->raddr.stop.ip4, |
| 607 | p->rport.start, p->rport.stop); |
| 608 | vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets, |
| 609 | p->counter.bytes); |
| 610 | }; |
| 611 | vec_foreach(i, spd->ipv6_inbound_protect_policy_indices) |
| 612 | { |
| 613 | p = pool_elt_at_index(spd->policies, *i); |
Klement Sekera | ea84130 | 2018-05-11 12:59:05 +0200 | [diff] [blame] | 614 | vec_reset_length(protocol); |
| 615 | vec_reset_length(policy); |
| 616 | if (p->protocol) { |
| 617 | protocol = format(protocol, "%U", format_ip_protocol, p->protocol); |
| 618 | } else { |
| 619 | protocol = format(protocol, "any"); |
| 620 | } |
| 621 | if (p->policy == IPSEC_POLICY_ACTION_PROTECT) { |
| 622 | policy = format(policy, " sa %u", p->sa_id); |
| 623 | } |
| 624 | vlib_cli_output(vm, " priority %d action %U protocol %v%v", |
| 625 | p->priority, format_ipsec_policy_action, p->policy, |
| 626 | protocol, policy); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 627 | vlib_cli_output(vm, " local addr range %U - %U port range %u - %u", |
| 628 | format_ip6_address, &p->laddr.start.ip6, |
| 629 | format_ip6_address, &p->laddr.stop.ip6, |
| 630 | p->lport.start, p->lport.stop); |
| 631 | vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u", |
| 632 | format_ip6_address, &p->raddr.start.ip6, |
| 633 | format_ip6_address, &p->raddr.stop.ip6, |
| 634 | p->rport.start, p->rport.stop); |
| 635 | vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets, |
| 636 | p->counter.bytes); |
| 637 | }; |
| 638 | vec_foreach(i, spd->ipv6_inbound_policy_discard_and_bypass_indices) |
| 639 | { |
| 640 | p = pool_elt_at_index(spd->policies, *i); |
Klement Sekera | ea84130 | 2018-05-11 12:59:05 +0200 | [diff] [blame] | 641 | vec_reset_length(protocol); |
| 642 | vec_reset_length(policy); |
| 643 | if (p->protocol) { |
| 644 | protocol = format(protocol, "%U", format_ip_protocol, p->protocol); |
| 645 | } else { |
| 646 | protocol = format(protocol, "any"); |
| 647 | } |
| 648 | if (p->policy == IPSEC_POLICY_ACTION_PROTECT) { |
| 649 | policy = format(policy, " sa %u", p->sa_id); |
| 650 | } |
| 651 | vlib_cli_output(vm, " priority %d action %U protocol %v%v", |
| 652 | p->priority, format_ipsec_policy_action, p->policy, |
| 653 | protocol, policy); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 654 | vlib_cli_output(vm, " local addr range %U - %U port range %u - %u", |
| 655 | format_ip6_address, &p->laddr.start.ip6, |
| 656 | format_ip6_address, &p->laddr.stop.ip6, |
| 657 | p->lport.start, p->lport.stop); |
| 658 | vlib_cli_output(vm, " remote addr range %U - %U port range %u - %u", |
| 659 | format_ip6_address, &p->raddr.start.ip6, |
| 660 | format_ip6_address, &p->raddr.stop.ip6, |
| 661 | p->rport.start, p->rport.stop); |
| 662 | vlib_cli_output(vm, " packets %u bytes %u", p->counter.packets, |
| 663 | p->counter.bytes); |
| 664 | }; |
| 665 | })); |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 666 | /* *INDENT-ON* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 667 | |
Neale Ranns | 311124e | 2019-01-24 04:52:25 -0800 | [diff] [blame] | 668 | vlib_cli_output (vm, "SPD Bindings:"); |
| 669 | /* *INDENT-OFF* */ |
| 670 | hash_foreach(sw_if_index, spd_id, im->spd_index_by_sw_if_index, ({ |
| 671 | vlib_cli_output (vm, " %d -> %U", spd_id, |
| 672 | format_vnet_sw_if_index_name, im->vnet_main, |
| 673 | sw_if_index); |
| 674 | })); |
| 675 | /* *INDENT-ON* */ |
| 676 | |
| 677 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 678 | vlib_cli_output (vm, "tunnel interfaces"); |
| 679 | /* *INDENT-OFF* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 680 | pool_foreach (t, im->tunnel_interfaces, ({ |
Matus Fabian | 694265d | 2016-08-10 01:55:36 -0700 | [diff] [blame] | 681 | if (t->hw_if_index == ~0) |
| 682 | continue; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 683 | hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index); |
| 684 | vlib_cli_output(vm, " %s seq", hi->name); |
| 685 | sa = pool_elt_at_index(im->sad, t->output_sa_index); |
Pierre Pfister | 4c422f9 | 2018-12-10 11:19:08 +0100 | [diff] [blame] | 686 | |
| 687 | tx_table_id = fib_table_get_table_id(sa->tx_fib_index, FIB_PROTOCOL_IP4); |
| 688 | |
| 689 | vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u udp-encap %u tx-table %u", |
| 690 | sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay, sa->udp_encap, tx_table_id); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 691 | vlib_cli_output(vm, " local-spi %u local-ip %U", sa->spi, |
| 692 | format_ip4_address, &sa->tunnel_src_addr.ip4); |
| 693 | vlib_cli_output(vm, " local-crypto %U %U", |
| 694 | format_ipsec_crypto_alg, sa->crypto_alg, |
| 695 | format_hex_bytes, sa->crypto_key, sa->crypto_key_len); |
| 696 | vlib_cli_output(vm, " local-integrity %U %U", |
| 697 | format_ipsec_integ_alg, sa->integ_alg, |
| 698 | format_hex_bytes, sa->integ_key, sa->integ_key_len); |
| 699 | sa = pool_elt_at_index(im->sad, t->input_sa_index); |
| 700 | vlib_cli_output(vm, " last-seq %u last-seq-hi %u esn %u anti-replay %u window %U", |
| 701 | sa->last_seq, sa->last_seq_hi, sa->use_esn, |
| 702 | sa->use_anti_replay, |
| 703 | format_ipsec_replay_window, sa->replay_window); |
| 704 | vlib_cli_output(vm, " remote-spi %u remote-ip %U", sa->spi, |
| 705 | format_ip4_address, &sa->tunnel_src_addr.ip4); |
| 706 | vlib_cli_output(vm, " remote-crypto %U %U", |
| 707 | format_ipsec_crypto_alg, sa->crypto_alg, |
| 708 | format_hex_bytes, sa->crypto_key, sa->crypto_key_len); |
| 709 | vlib_cli_output(vm, " remote-integrity %U %U", |
| 710 | format_ipsec_integ_alg, sa->integ_alg, |
| 711 | format_hex_bytes, sa->integ_key, sa->integ_key_len); |
| 712 | })); |
Klement Sekera | ea84130 | 2018-05-11 12:59:05 +0200 | [diff] [blame] | 713 | vec_free(policy); |
| 714 | vec_free(protocol); |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 715 | /* *INDENT-ON* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 716 | return 0; |
| 717 | } |
| 718 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 719 | /* *INDENT-OFF* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 720 | VLIB_CLI_COMMAND (show_ipsec_command, static) = { |
| 721 | .path = "show ipsec", |
Klement Sekera | b4d3053 | 2018-11-08 13:00:02 +0100 | [diff] [blame] | 722 | .short_help = "show ipsec [backends]", |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 723 | .function = show_ipsec_command_fn, |
| 724 | }; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 725 | /* *INDENT-ON* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 726 | |
| 727 | static clib_error_t * |
Klement Sekera | b4d3053 | 2018-11-08 13:00:02 +0100 | [diff] [blame] | 728 | ipsec_show_backends_command_fn (vlib_main_t * vm, |
| 729 | unformat_input_t * input, |
| 730 | vlib_cli_command_t * cmd) |
| 731 | { |
| 732 | ipsec_main_t *im = &ipsec_main; |
| 733 | u32 verbose = 0; |
| 734 | |
| 735 | (void) unformat (input, "verbose %u", &verbose); |
| 736 | |
| 737 | vlib_cli_output (vm, "IPsec AH backends available:"); |
| 738 | u8 *s = format (NULL, "%=25s %=25s %=10s\n", "Name", "Index", "Active"); |
| 739 | ipsec_ah_backend_t *ab; |
| 740 | /* *INDENT-OFF* */ |
| 741 | pool_foreach (ab, im->ah_backends, { |
| 742 | s = format (s, "%=25s %=25u %=10s\n", ab->name, ab - im->ah_backends, |
| 743 | ab - im->ah_backends == im->ah_current_backend ? "yes" : "no"); |
| 744 | if (verbose) { |
| 745 | vlib_node_t *n; |
| 746 | n = vlib_get_node (vm, ab->ah4_encrypt_node_index); |
| 747 | s = format (s, " enc4 %s (next %d)\n", n->name, ab->ah4_encrypt_next_index); |
| 748 | n = vlib_get_node (vm, ab->ah4_decrypt_node_index); |
| 749 | s = format (s, " dec4 %s (next %d)\n", n->name, ab->ah4_decrypt_next_index); |
| 750 | n = vlib_get_node (vm, ab->ah6_encrypt_node_index); |
| 751 | s = format (s, " enc6 %s (next %d)\n", n->name, ab->ah6_encrypt_next_index); |
| 752 | n = vlib_get_node (vm, ab->ah6_decrypt_node_index); |
| 753 | s = format (s, " dec6 %s (next %d)\n", n->name, ab->ah6_decrypt_next_index); |
| 754 | } |
| 755 | }); |
| 756 | /* *INDENT-ON* */ |
| 757 | vlib_cli_output (vm, "%v", s); |
| 758 | _vec_len (s) = 0; |
| 759 | vlib_cli_output (vm, "IPsec ESP backends available:"); |
| 760 | s = format (s, "%=25s %=25s %=10s\n", "Name", "Index", "Active"); |
| 761 | ipsec_esp_backend_t *eb; |
| 762 | /* *INDENT-OFF* */ |
| 763 | pool_foreach (eb, im->esp_backends, { |
| 764 | s = format (s, "%=25s %=25u %=10s\n", eb->name, eb - im->esp_backends, |
| 765 | eb - im->esp_backends == im->esp_current_backend ? "yes" |
| 766 | : "no"); |
| 767 | if (verbose) { |
| 768 | vlib_node_t *n; |
| 769 | n = vlib_get_node (vm, eb->esp4_encrypt_node_index); |
| 770 | s = format (s, " enc4 %s (next %d)\n", n->name, eb->esp4_encrypt_next_index); |
| 771 | n = vlib_get_node (vm, eb->esp4_decrypt_node_index); |
| 772 | s = format (s, " dec4 %s (next %d)\n", n->name, eb->esp4_decrypt_next_index); |
| 773 | n = vlib_get_node (vm, eb->esp6_encrypt_node_index); |
| 774 | s = format (s, " enc6 %s (next %d)\n", n->name, eb->esp6_encrypt_next_index); |
| 775 | n = vlib_get_node (vm, eb->esp6_decrypt_node_index); |
| 776 | s = format (s, " dec6 %s (next %d)\n", n->name, eb->esp6_decrypt_next_index); |
| 777 | } |
| 778 | }); |
| 779 | /* *INDENT-ON* */ |
| 780 | vlib_cli_output (vm, "%v", s); |
| 781 | |
| 782 | vec_free (s); |
| 783 | return 0; |
| 784 | } |
| 785 | |
| 786 | /* *INDENT-OFF* */ |
| 787 | VLIB_CLI_COMMAND (ipsec_show_backends_command, static) = { |
| 788 | .path = "show ipsec backends", |
| 789 | .short_help = "show ipsec backends", |
| 790 | .function = ipsec_show_backends_command_fn, |
| 791 | }; |
| 792 | /* *INDENT-ON* */ |
| 793 | |
| 794 | static clib_error_t * |
| 795 | ipsec_select_backend_command_fn (vlib_main_t * vm, |
| 796 | unformat_input_t * input, |
| 797 | vlib_cli_command_t * cmd) |
| 798 | { |
| 799 | u32 backend_index; |
| 800 | ipsec_main_t *im = &ipsec_main; |
| 801 | |
| 802 | if (pool_elts (im->sad) > 0) |
| 803 | { |
| 804 | return clib_error_return (0, |
| 805 | "Cannot change IPsec backend, while %u SA entries are configured", |
| 806 | pool_elts (im->sad)); |
| 807 | } |
| 808 | |
| 809 | unformat_input_t _line_input, *line_input = &_line_input; |
| 810 | /* Get a line of input. */ |
| 811 | if (!unformat_user (input, unformat_line_input, line_input)) |
| 812 | return 0; |
| 813 | |
| 814 | if (unformat (line_input, "ah")) |
| 815 | { |
| 816 | if (unformat (line_input, "%u", &backend_index)) |
| 817 | { |
| 818 | if (ipsec_select_ah_backend (im, backend_index) < 0) |
| 819 | { |
| 820 | return clib_error_return (0, "Invalid AH backend index `%u'", |
| 821 | backend_index); |
| 822 | } |
| 823 | } |
| 824 | else |
| 825 | { |
| 826 | return clib_error_return (0, "Invalid backend index `%U'", |
| 827 | format_unformat_error, line_input); |
| 828 | } |
| 829 | } |
| 830 | else if (unformat (line_input, "esp")) |
| 831 | { |
| 832 | if (unformat (line_input, "%u", &backend_index)) |
| 833 | { |
| 834 | if (ipsec_select_esp_backend (im, backend_index) < 0) |
| 835 | { |
| 836 | return clib_error_return (0, "Invalid ESP backend index `%u'", |
| 837 | backend_index); |
| 838 | } |
| 839 | } |
| 840 | else |
| 841 | { |
| 842 | return clib_error_return (0, "Invalid backend index `%U'", |
| 843 | format_unformat_error, line_input); |
| 844 | } |
| 845 | } |
| 846 | else |
| 847 | { |
| 848 | return clib_error_return (0, "Unknown input `%U'", |
| 849 | format_unformat_error, line_input); |
| 850 | } |
| 851 | |
| 852 | return 0; |
| 853 | } |
| 854 | |
| 855 | /* *INDENT-OFF* */ |
| 856 | VLIB_CLI_COMMAND (ipsec_select_backend_command, static) = { |
| 857 | .path = "ipsec select backend", |
| 858 | .short_help = "ipsec select backend <ah|esp> <backend index>", |
| 859 | .function = ipsec_select_backend_command_fn, |
| 860 | }; |
| 861 | |
| 862 | /* *INDENT-ON* */ |
| 863 | |
| 864 | static clib_error_t * |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 865 | clear_ipsec_counters_command_fn (vlib_main_t * vm, |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 866 | unformat_input_t * input, |
| 867 | vlib_cli_command_t * cmd) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 868 | { |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 869 | ipsec_main_t *im = &ipsec_main; |
| 870 | ipsec_spd_t *spd; |
| 871 | ipsec_policy_t *p; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 872 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 873 | /* *INDENT-OFF* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 874 | pool_foreach (spd, im->spds, ({ |
| 875 | pool_foreach(p, spd->policies, ({ |
| 876 | p->counter.packets = p->counter.bytes = 0; |
| 877 | })); |
| 878 | })); |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 879 | /* *INDENT-ON* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 880 | |
| 881 | return 0; |
| 882 | } |
| 883 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 884 | /* *INDENT-OFF* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 885 | VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = { |
| 886 | .path = "clear ipsec counters", |
| 887 | .short_help = "clear ipsec counters", |
| 888 | .function = clear_ipsec_counters_command_fn, |
| 889 | }; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 890 | /* *INDENT-ON* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 891 | |
| 892 | static clib_error_t * |
| 893 | create_ipsec_tunnel_command_fn (vlib_main_t * vm, |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 894 | unformat_input_t * input, |
| 895 | vlib_cli_command_t * cmd) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 896 | { |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 897 | unformat_input_t _line_input, *line_input = &_line_input; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 898 | ipsec_add_del_tunnel_args_t a; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 899 | int rv; |
| 900 | u32 num_m_args = 0; |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 901 | clib_error_t *error = NULL; |
Matthew Smith | 2838a23 | 2016-06-21 16:05:09 -0500 | [diff] [blame] | 902 | |
Dave Barach | b7b9299 | 2018-10-17 10:38:51 -0400 | [diff] [blame] | 903 | clib_memset (&a, 0, sizeof (a)); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 904 | a.is_add = 1; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 905 | |
| 906 | /* Get a line of input. */ |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 907 | if (!unformat_user (input, unformat_line_input, line_input)) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 908 | return 0; |
| 909 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 910 | while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) |
| 911 | { |
| 912 | if (unformat |
| 913 | (line_input, "local-ip %U", unformat_ip4_address, &a.local_ip)) |
| 914 | num_m_args++; |
| 915 | else |
| 916 | if (unformat |
| 917 | (line_input, "remote-ip %U", unformat_ip4_address, &a.remote_ip)) |
| 918 | num_m_args++; |
| 919 | else if (unformat (line_input, "local-spi %u", &a.local_spi)) |
| 920 | num_m_args++; |
| 921 | else if (unformat (line_input, "remote-spi %u", &a.remote_spi)) |
| 922 | num_m_args++; |
Matthew Smith | 8e1039a | 2018-04-12 07:32:56 -0500 | [diff] [blame] | 923 | else if (unformat (line_input, "instance %u", &a.show_instance)) |
| 924 | a.renumber = 1; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 925 | else if (unformat (line_input, "del")) |
| 926 | a.is_add = 0; |
Radu Nicolau | 717de09 | 2018-08-03 10:37:24 +0100 | [diff] [blame] | 927 | else if (unformat (line_input, "udp-encap")) |
| 928 | a.udp_encap = 1; |
Pierre Pfister | 4c422f9 | 2018-12-10 11:19:08 +0100 | [diff] [blame] | 929 | else if (unformat (line_input, "tx-table %u", &a.tx_table_id)) |
| 930 | ; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 931 | else |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 932 | { |
| 933 | error = clib_error_return (0, "unknown input `%U'", |
| 934 | format_unformat_error, line_input); |
| 935 | goto done; |
| 936 | } |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 937 | } |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 938 | |
| 939 | if (num_m_args < 4) |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 940 | { |
| 941 | error = clib_error_return (0, "mandatory argument(s) missing"); |
| 942 | goto done; |
| 943 | } |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 944 | |
Matthew Smith | 2838a23 | 2016-06-21 16:05:09 -0500 | [diff] [blame] | 945 | rv = ipsec_add_del_tunnel_if (&a); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 946 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 947 | switch (rv) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 948 | { |
| 949 | case 0: |
| 950 | break; |
| 951 | case VNET_API_ERROR_INVALID_VALUE: |
| 952 | if (a.is_add) |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 953 | error = clib_error_return (0, |
| 954 | "IPSec tunnel interface already exists..."); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 955 | else |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 956 | error = clib_error_return (0, "IPSec tunnel interface not exists..."); |
| 957 | goto done; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 958 | default: |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 959 | error = clib_error_return (0, "ipsec_register_interface returned %d", |
| 960 | rv); |
| 961 | goto done; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 962 | } |
| 963 | |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 964 | done: |
| 965 | unformat_free (line_input); |
| 966 | |
| 967 | return error; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 968 | } |
| 969 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 970 | /* *INDENT-OFF* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 971 | VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = { |
| 972 | .path = "create ipsec tunnel", |
Pierre Pfister | 4c422f9 | 2018-12-10 11:19:08 +0100 | [diff] [blame] | 973 | .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> " |
| 974 | "remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap] " |
| 975 | "[tx-table <table-id>]", |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 976 | .function = create_ipsec_tunnel_command_fn, |
| 977 | }; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 978 | /* *INDENT-ON* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 979 | |
| 980 | static clib_error_t * |
| 981 | set_interface_key_command_fn (vlib_main_t * vm, |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 982 | unformat_input_t * input, |
| 983 | vlib_cli_command_t * cmd) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 984 | { |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 985 | unformat_input_t _line_input, *line_input = &_line_input; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 986 | ipsec_main_t *im = &ipsec_main; |
| 987 | ipsec_if_set_key_type_t type = IPSEC_IF_SET_KEY_TYPE_NONE; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 988 | u32 hw_if_index = (u32) ~ 0; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 989 | u32 alg; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 990 | u8 *key = 0; |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 991 | clib_error_t *error = NULL; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 992 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 993 | if (!unformat_user (input, unformat_line_input, line_input)) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 994 | return 0; |
| 995 | |
| 996 | while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) |
| 997 | { |
| 998 | if (unformat (line_input, "%U", |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 999 | unformat_vnet_hw_interface, im->vnet_main, &hw_if_index)) |
| 1000 | ; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 1001 | else |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 1002 | if (unformat |
| 1003 | (line_input, "local crypto %U", unformat_ipsec_crypto_alg, &alg)) |
| 1004 | type = IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO; |
| 1005 | else |
| 1006 | if (unformat |
| 1007 | (line_input, "remote crypto %U", unformat_ipsec_crypto_alg, &alg)) |
| 1008 | type = IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO; |
| 1009 | else |
| 1010 | if (unformat |
| 1011 | (line_input, "local integ %U", unformat_ipsec_integ_alg, &alg)) |
| 1012 | type = IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG; |
| 1013 | else |
| 1014 | if (unformat |
| 1015 | (line_input, "remote integ %U", unformat_ipsec_integ_alg, &alg)) |
| 1016 | type = IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG; |
| 1017 | else if (unformat (line_input, "%U", unformat_hex_string, &key)) |
| 1018 | ; |
| 1019 | else |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 1020 | { |
| 1021 | error = clib_error_return (0, "parse error: '%U'", |
| 1022 | format_unformat_error, line_input); |
| 1023 | goto done; |
| 1024 | } |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 1025 | } |
| 1026 | |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 1027 | if (type == IPSEC_IF_SET_KEY_TYPE_NONE) |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 1028 | { |
| 1029 | error = clib_error_return (0, "unknown key type"); |
| 1030 | goto done; |
| 1031 | } |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 1032 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 1033 | if (alg > 0 && vec_len (key) == 0) |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 1034 | { |
| 1035 | error = clib_error_return (0, "key is not specified"); |
| 1036 | goto done; |
| 1037 | } |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 1038 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 1039 | if (hw_if_index == (u32) ~ 0) |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 1040 | { |
| 1041 | error = clib_error_return (0, "interface not specified"); |
| 1042 | goto done; |
| 1043 | } |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 1044 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 1045 | ipsec_set_interface_key (im->vnet_main, hw_if_index, type, alg, key); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 1046 | |
Billy McFall | a9a20e7 | 2017-02-15 11:39:12 -0500 | [diff] [blame] | 1047 | done: |
| 1048 | vec_free (key); |
| 1049 | unformat_free (line_input); |
| 1050 | |
| 1051 | return error; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 1052 | } |
| 1053 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 1054 | /* *INDENT-OFF* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 1055 | VLIB_CLI_COMMAND (set_interface_key_command, static) = { |
| 1056 | .path = "set interface ipsec key", |
| 1057 | .short_help = |
| 1058 | "set interface ipsec key <int> <local|remote> <crypto|integ> <key type> <key>", |
| 1059 | .function = set_interface_key_command_fn, |
| 1060 | }; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 1061 | /* *INDENT-ON* */ |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 1062 | |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 1063 | clib_error_t * |
| 1064 | ipsec_cli_init (vlib_main_t * vm) |
| 1065 | { |
| 1066 | return 0; |
| 1067 | } |
| 1068 | |
| 1069 | VLIB_INIT_FUNCTION (ipsec_cli_init); |
| 1070 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 1071 | |
| 1072 | /* |
| 1073 | * fd.io coding-style-patch-verification: ON |
| 1074 | * |
| 1075 | * Local Variables: |
| 1076 | * eval: (c-set-style "gnu") |
| 1077 | * End: |
| 1078 | */ |