Blame - extras/strongswan/vpp_sswan/kernel_vpp_ipsec.c - fdio/vpp

blob: e1c71edc836abafff93e3dd6b1e1ff92ecbc65b0 [file] [log] [blame]

Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1	/*
				2	* Copyright (c) 2022 Intel and/or its affiliates.
				3	* Licensed under the Apache License, Version 2.0 (the "License");
				4	* you may not use this file except in compliance with the License.
				5	* You may obtain a copy of the License at:
				6	*
				7	* http://www.apache.org/licenses/LICENSE-2.0
				8	*
				9	* Unless required by applicable law or agreed to in writing, software
				10	* distributed under the License is distributed on an "AS IS" BASIS,
				11	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
				12	* See the License for the specific language governing permissions and
				13	* limitations under the License.
				14	*/
				15
				16	#include <daemon.h>
				17	#include <utils/debug.h>
				18	#include <vlibapi/api.h>
				19	#include <vlibmemory/api.h>
				20	#include <vnet/ipsec/ipsec.h>
				21	#include <vnet/vnet.h>
				22	#include <collections/hashtable.h>
				23	#include <threading/mutex.h>
				24	#include <processing/jobs/callback_job.h>
				25	#include <vpp-api/client/stat_client.h>
				26
				27	#define vl_typedefs
				28	#define vl_endianfun
				29	/* Include the (first) vlib-api API definition layer */
				30	#include <vlibmemory/vl_memory_api_h.h>
				31	/* Include the current layer (third) vpp API definition layer */
				32	#include <vpp/api/vpe_types.api.h>
				33	#include <vpp/api/vpe.api.h>
				34
				35	#include <vnet/ip-neighbor/ip_neighbor.api_enum.h>
				36	#include <vnet/ip-neighbor/ip_neighbor.api_types.h>
				37	#include <vnet/ipsec/ipsec.api_enum.h>
				38	#include <vnet/ipsec/ipsec.api_types.h>
				39	#include <vnet/interface.api_enum.h>
				40	#include <vnet/interface.api_types.h>
				41	#undef vl_typedefs
				42	#undef vl_endianfun
				43
				44	#include "kernel_vpp_ipsec.h"
				45	#include "kernel_vpp_shared.h"
				46
				47	#include <stdio.h>
				48	#include <stdlib.h>
				49	#include <string.h>
				50	#include <sys/socket.h>
				51	#include <netinet/in.h>
				52	#include <arpa/inet.h>
				53	#include <sys/ioctl.h>
				54	#include <net/if.h>
				55	#include <net/route.h>
				56	#include <unistd.h>
				57	#include <fcntl.h>
				58	#include <sys/types.h>
				59	#include <net/if_arp.h>
				60	#include <sys/stat.h>
				61	#include <dirent.h>
				62
				63	#define PRIO_BASE 384
				64
				65	u32 natt_port;
				66
				67	/**
				68	* One and only instance of the daemon.
				69	*/
				70	daemon_t *charon;
				71
				72	typedef struct private_kernel_vpp_ipsec_t private_kernel_vpp_ipsec_t;
				73
				74	/**
				75	* Private variables of kernel_vpp_ipsec class.
				76	*/
				77	struct private_kernel_vpp_ipsec_t
				78	{
				79
				80	/**
				81	* Public interface
				82	*/
				83	kernel_vpp_ipsec_t public;
				84
				85	/**
				86	* Next security association database entry ID to allocate
				87	*/
				88	refcount_t next_sad_id;
				89
				90	/**
				91	* Next security policy database entry ID to allocate
				92	*/
				93	refcount_t next_spd_id;
				94
				95	/**
				96	* Mutex to lock access to installed policies
				97	*/
				98	mutex_t *mutex;
				99
				100	/**
				101	* Hash table of instaled SA, as kernel_ipsec_sa_id_t => sa_t
				102	*/
				103	hashtable_t *sas;
				104
				105	/**
				106	* Hash table of security policy databases, as nterface => spd_t
				107	*/
				108	hashtable_t *spds;
				109
				110	/**
				111	* Linked list of installed routes
				112	*/
				113	linked_list_t *routes;
				114
				115	/**
				116	* Next SPI to allocate
				117	*/
				118	refcount_t nextspi;
				119
				120	/**
				121	* Mix value to distribute SPI allocation randomly
				122	*/
				123	uint32_t mixspi;
				124
				125	/**
				126	* Whether to install routes along policies
				127	*/
				128	bool install_routes;
Atzm Watanabe	fc2d95d	2023-01-25 14:11:10 +0900	[diff] [blame]	129
				130	/**
				131	* Whether to install SAs with tunnel flag. Disabling this can be useful
				132	* in some scenarios e.g. using SAs to "ipsec tunnel protect" for the
				133	* route-based IPsec
				134	*/
				135	bool use_tunnel_mode_sa;
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	136
				137	/**
				138	* Connections to VPP Stats
				139	*/
				140	stat_client_main_t *sm;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	141	};
				142
				143	/**
				144	* Security association entry
				145	*/
				146	typedef struct
				147	{
				148	/** VPP SA ID */
				149	uint32_t sa_id;
				150	uint32_t stat_index;
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	151	kernel_ipsec_sa_id_t *sa_id_p;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	152	} sa_t;
				153
				154	/**
				155	* Security policy database
				156	*/
				157	typedef struct
				158	{
				159	/** VPP SPD ID */
				160	uint32_t spd_id;
				161	/** Networking interface ID restricting policy */
				162	uint32_t sw_if_index;
				163	/** Policy count for this SPD */
				164	refcount_t policy_num;
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	165	/** Name of the interface the SPD is bound to */
				166	char *if_name;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	167	} spd_t;
				168
				169	/**
				170	* Installed route
				171	*/
				172	typedef struct
				173	{
				174	/** Name of the interface the route is bound to */
				175	char *if_name;
				176	/** Gateway of route */
				177	host_t *gateway;
				178	/** Destination network of route */
				179	host_t *dst_net;
				180	/** Prefix length of dst_net */
				181	uint8_t prefixlen;
				182	/** References for route */
				183	refcount_t refs;
				184	} route_entry_t;
				185
				186	#define htonll(x) \
				187	((1 == htonl (1)) ? \
				188	(x) : \
				189	((uint64_t) htonl ((x) &0xFFFFFFFF) << 32) \| htonl ((x) >> 32))
				190	#define ntohll(x) \
				191	((1 == ntohl (1)) ? \
				192	(x) : \
				193	((uint64_t) ntohl ((x) &0xFFFFFFFF) << 32) \| ntohl ((x) >> 32))
				194
				195	CALLBACK (route_equals, bool, route_entry_t *a, va_list args)
				196	{
				197	host_t dst_net, gateway;
				198	uint8_t *prefixlen;
				199	char *if_name;
				200
				201	VA_ARGS_VGET (args, if_name, gateway, dst_net, prefixlen);
				202
				203	return a->if_name && if_name && streq (a->if_name, if_name) &&
				204	a->gateway->ip_equals (a->gateway, gateway) &&
				205	a->dst_net->ip_equals (a->dst_net, dst_net) &&
				206	a->prefixlen == *prefixlen;
				207	}
				208
				209	/**
				210	* Clean up a route entry
				211	*/
				212	static void
				213	route_destroy (route_entry_t *this)
				214	{
				215	this->dst_net->destroy (this->dst_net);
				216	this->gateway->destroy (this->gateway);
				217	free (this->if_name);
				218	free (this);
				219	}
				220
				221	static uint32_t get_sw_if_index ();
				222
				223	static int
				224	set_arp (char ipStr, char if_name, bool add)
				225	{
				226	char *out = NULL;
				227	int out_len = 0;
Gabriel Oginski	9cb3e15	2023-02-14 08:41:07 +0000	[diff] [blame]	228	vl_api_ip_neighbor_add_del_t *mp = NULL;
				229	vl_api_ip_neighbor_add_del_reply_t *rmp = NULL;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	230	int rc = SUCCESS;
				231	uint32_t sw_if_index = ~0;
				232
				233	FILE *fp;
				234	int nread = 0;
				235	ssize_t len = 0;
				236	char *buffer = NULL;
				237	char buf[2][20];
				238	char *file = "/proc/net/arp";
				239	unsigned char mac[8] = {
				240	0,
				241	};
Gabriel Oginski	9cb3e15	2023-02-14 08:41:07 +0000	[diff] [blame]	242	uint32_t addr = 0;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	243
				244	if (if_name == NULL \|\| ipStr == NULL)
				245	{
				246	DBG2 (DBG_KNL, "para is null\n");
				247	rc = FAILED;
Gabriel Oginski	9cb3e15	2023-02-14 08:41:07 +0000	[diff] [blame]	248	goto error;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	249	}
				250	DBG2 (DBG_KNL, "from kernel read mac\n");
				251
				252	mp = vl_msg_api_alloc (sizeof (*mp));
				253	memset (mp, 0, sizeof (*mp));
				254	sw_if_index = get_sw_if_index (if_name);
				255	if (sw_if_index == ~0)
				256	{
				257	DBG1 (DBG_KNL, "sw_if_index for %s not found", if_name);
				258	goto error;
				259	}
				260
				261	fp = fopen (file, "rb");
Gabriel Oginski	9cb3e15	2023-02-14 08:41:07 +0000	[diff] [blame]	262	while (fp && ((nread = getline (&buffer, &len, fp)) != -1))
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	263	{
				264	sscanf (buffer, "%s %s %s %s %s %s", &buf[0], &buf[1]);
				265	inet_aton (&buf[0], &addr);
				266
				267	if (addr == ((u32 ) (ipStr)))
				268	{
				269	sscanf (buf[1], "%02x:%02x:%02x:%02x:%02x:%02x", &mac[0], &mac[1],
				270	&mac[2], &mac[3], &mac[4], &mac[5]);
				271	u16 msg_id =
				272	vl_msg_api_get_msg_index ((u8 *) "ip_neighbor_add_del_0607c257");
				273	mp->_vl_msg_id = htons (msg_id);
				274	mp->is_add = add;
				275	memcpy (mp->neighbor.ip_address.un.ip4, (u8 *) &addr, sizeof (addr));
				276	mp->neighbor.ip_address.af = 0;
				277	memcpy (mp->neighbor.mac_address, mac, 6);
				278	mp->neighbor.sw_if_index = htonl (sw_if_index);
				279	mp->neighbor.flags = 1;
				280
				281	if (vac->send (vac, (char ) mp, sizeof (mp), &out, &out_len))
				282	{
				283	DBG1 (DBG_KNL, "vac %s neighbor entry",
				284	add ? "adding" : "removing");
Gabriel Oginski	9cb3e15	2023-02-14 08:41:07 +0000	[diff] [blame]	285	fclose (fp);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	286	goto error;
				287	}
				288	rmp = (void *) out;
				289	if (rmp->retval)
				290	{
				291	DBG1 (DBG_KNL, "%s neighbor add rv:%d", add ? "add" : "remove",
				292	ntohl (rmp->retval));
Gabriel Oginski	9cb3e15	2023-02-14 08:41:07 +0000	[diff] [blame]	293	fclose (fp);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	294	goto error;
				295	}
				296	fclose (fp);
Gabriel Oginski	9cb3e15	2023-02-14 08:41:07 +0000	[diff] [blame]	297	free (out);
				298	vl_msg_api_free (mp);
				299	free (buffer);
				300
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	301	return rc;
				302	}
				303	}
Gabriel Oginski	9cb3e15	2023-02-14 08:41:07 +0000	[diff] [blame]	304
				305	if (fp != NULL)
				306	{
				307	fclose (fp);
				308	fp = NULL;
				309	}
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	310
				311	error:
				312	free (out);
				313	vl_msg_api_free (mp);
Gabriel Oginski	9cb3e15	2023-02-14 08:41:07 +0000	[diff] [blame]	314	if (buffer != NULL)
				315	{
				316	free (buffer);
				317	buffer = NULL;
				318	}
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	319	return rc;
				320	}
				321
				322	static int
				323	add_Route (char ipAddr, int len, char mask, char *gateWay)
				324	{
				325	int fd;
				326	int rc = SUCCESS;
				327	struct sockaddr_in _sin;
				328	struct sockaddr_in *sin = &_sin;
				329	struct rtentry rt;
				330
				331	do
				332	{
				333	fd = socket (AF_INET, SOCK_DGRAM, 0);
				334	if (fd < 0)
				335	{
				336	DBG2 (DBG_KNL, "addRoute: socket error\n");
				337	rc = FAILED;
				338	break;
				339	}
				340	memset (&rt, 0, sizeof (struct rtentry));
				341	memset (sin, 0, sizeof (struct sockaddr_in));
				342	sin->sin_family = AF_INET;
				343	sin->sin_port = 0;
				344
				345	if (inet_aton (gateWay, &sin->sin_addr) < 0)
				346	{
				347	rc = FAILED;
				348	break;
				349	}
				350	memcpy (&rt.rt_gateway, sin, sizeof (struct sockaddr_in));
				351
				352	((struct sockaddr_in *) &rt.rt_dst)->sin_family = AF_INET;
				353	memcpy (&((struct sockaddr_in *) &rt.rt_dst)->sin_addr, ipAddr, len);
				354
				355	((struct sockaddr_in *) &rt.rt_genmask)->sin_family = AF_INET;
				356	if (inet_aton (mask,
				357	&((struct sockaddr_in *) &rt.rt_genmask)->sin_addr) < 0)
				358	{
				359	rc = FAILED;
				360	break;
				361	}
				362	rt.rt_flags = RTF_GATEWAY;
				363	if (ioctl (fd, SIOCADDRT, &rt) < 0)
				364	{
				365	rc = FAILED;
				366	}
				367	}
				368	while (0);
				369
				370	close (fd);
				371	return rc;
				372	}
				373
				374	static int
				375	set_address (u32 ipAddr, u32 sw_if_index, bool add)
				376	{
				377	char *out = NULL;
				378	int out_len = 0;
				379	vl_api_sw_interface_add_del_address_t *mp;
				380	vl_api_sw_interface_add_del_address_reply_t *rmp;
				381
				382	int rc = SUCCESS;
				383
				384	uint32_t addr;
				385
				386	mp = vl_msg_api_alloc (sizeof (*mp));
				387	memset (mp, 0, sizeof (*mp));
				388
				389	u16 msg_id =
				390	vl_msg_api_get_msg_index ((u8 *) "sw_interface_add_del_address_5463d73b");
				391	mp->_vl_msg_id = htons (msg_id);
				392	mp->is_add = add;
				393	memcpy (mp->prefix.address.un.ip4, (u8 *) &ipAddr, sizeof (ipAddr));
				394	mp->prefix.len = 24;
				395	mp->sw_if_index = sw_if_index;
				396
				397	if (vac->send (vac, (char ) mp, sizeof (mp), &out, &out_len))
				398	{
				399	DBG2 (DBG_KNL, "vac %s neighbor entry", add ? "adding" : "removing");
				400	goto error;
				401	}
				402	rmp = (void *) out;
				403	if (rmp->retval)
				404	{
				405	DBG2 (DBG_KNL, "%s neighbor add rv:%d", add ? "add" : "remove",
				406	ntohl (rmp->retval));
				407	goto error;
				408	}
				409	return rc;
				410
				411	error:
				412	free (out);
				413	vl_msg_api_free (mp);
				414	return rc;
				415	}
				416
				417	/**
				418	* (Un)-install a single route
				419	*/
				420	static void
				421	manage_route (private_kernel_vpp_ipsec_t *this, bool add,
				422	traffic_selector_t dst_ts, host_t src, host_t *dst)
				423	{
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	424	host_t dst_net = NULL, gateway = NULL;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	425	uint8_t prefixlen;
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	426	char *if_name = NULL;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	427	route_entry_t *route;
				428	bool route_exist = FALSE;
				429
				430	char *netmask = "255.255.255.0";
				431	char *tap_gateway = "1.1.1.1";
				432	int arp_rc = 0;
				433	if (dst->is_anyaddr (dst))
				434	{
				435	return;
				436	}
				437	gateway =
				438	charon->kernel->get_nexthop (charon->kernel, dst, -1, NULL, &if_name);
				439	dst_ts->to_subnet (dst_ts, &dst_net, &prefixlen);
				440	if (!if_name)
				441	{
				442	if (src->is_anyaddr (src))
				443	{
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	444	goto error;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	445	}
				446	if (!charon->kernel->get_interface (charon->kernel, src, &if_name))
				447	{
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	448	goto error;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	449	}
				450	}
				451	route_exist =
				452	this->routes->find_first (this->routes, route_equals, (void **) &route,
				453	if_name, gateway, dst_net, &prefixlen);
				454	if (add)
				455	{
				456	DBG2 (DBG_KNL, "installing route: %H/%d via %H dev %s", dst_net,
				457	prefixlen, gateway, if_name);
				458	if (route_exist)
				459	{
				460	unsigned int refs_num = ref_get (&route->refs);
				461	DBG2 (DBG_KNL, "add route but it exist %d", refs_num);
				462	}
				463	else
				464	{
				465	INIT (route, .if_name = strdup (if_name),
				466	.gateway = gateway->clone (gateway),
				467	.dst_net = dst_net->clone (dst_net), .prefixlen = prefixlen,
				468	.refs = 1, );
				469	this->routes->insert_last (this->routes, route);
				470	charon->kernel->add_route (charon->kernel,
				471	dst_net->get_address (dst_net), prefixlen,
				472	gateway, dst, if_name, 1);
				473	}
				474
				475	add_Route (dst_net->get_address (dst_net).ptr,
				476	dst_net->get_address (dst_net).len, netmask, tap_gateway);
				477
				478	arp_rc = set_arp (gateway->get_address (gateway).ptr, if_name, TRUE);
				479	if (arp_rc)
				480	DBG2 (DBG_KNL, "arpGet success!\n");
				481	}
				482	else
				483	{
				484	DBG2 (DBG_KNL, "uninstalling route: %H/%d via %H dev %s", dst_net,
				485	prefixlen, gateway, if_name);
				486	if (!route_exist)
				487	{
				488	DBG2 (DBG_KNL, "del route but it not exist");
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	489	goto error;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	490	}
				491	if (ref_put (&route->refs))
				492	{
				493	this->routes->remove (this->routes, route, NULL);
				494	route_destroy (route);
				495	charon->kernel->del_route (charon->kernel,
				496	dst_net->get_address (dst_net), prefixlen,
				497	gateway, dst, if_name, 1);
				498	}
				499	}
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	500	error:
				501	if (gateway != NULL)
				502	gateway->destroy (gateway);
				503	if (dst_net != NULL)
				504	dst_net->destroy (dst_net);
				505	if (if_name != NULL)
				506	free (if_name);
				507	return;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	508	}
				509
				510	/**
				511	* Hash function for IPsec SA
				512	*/
				513	static u_int
				514	sa_hash (kernel_ipsec_sa_id_t *sa)
				515	{
				516	return chunk_hash_inc (
				517	sa->src->get_address (sa->src),
				518	chunk_hash_inc (
				519	sa->dst->get_address (sa->dst),
				520	chunk_hash_inc (chunk_from_thing (sa->spi),
				521	chunk_hash (chunk_from_thing (sa->proto)))));
				522	}
				523
				524	/**
				525	* Equality function for IPsec SA
				526	*/
				527	static bool
				528	sa_equals (kernel_ipsec_sa_id_t sa, kernel_ipsec_sa_id_t other_sa)
				529	{
				530	return sa->src->ip_equals (sa->src, other_sa->src) &&
				531	sa->dst->ip_equals (sa->dst, other_sa->dst) &&
				532	sa->spi == other_sa->spi && sa->proto == other_sa->proto;
				533	}
				534
				535	/**
Gabriel Oginski	8de66c0	2023-02-03 08:12:36 +0000	[diff] [blame]	536	* Equality function for policy SPD
				537	*/
				538	static bool
				539	policy_equals (vl_api_ipsec_spd_entry_t *policy,
				540	vl_api_ipsec_spd_entry_t *other_policy)
				541	{
				542
				543	/* change protocol due to legacy implementation of ANY protocol inside VPP */
				544	if (other_policy->protocol == 255)
				545	other_policy->protocol = 0;
				546
				547	/* return true if both policies are equal */
				548	return !memcmp (policy, other_policy, sizeof (*policy));
				549	}
				550
				551	/**
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	552	* Hash function for interface
				553	*/
				554	static u_int
				555	interface_hash (char *interface)
				556	{
				557	return chunk_hash (chunk_from_str (interface));
				558	}
				559
				560	/**
				561	* Equality function for interface
				562	*/
				563	static bool
				564	interface_equals (char interface1, char interface2)
				565	{
				566	return streq (interface1, interface2);
				567	}
				568
				569	/**
				570	* Map an integer x with a one-to-one function using quadratic residues
				571	*/
				572	static u_int
				573	permute (u_int x, u_int p)
				574	{
				575	u_int qr;
				576
				577	x = x % p;
				578	qr = ((uint64_t) x * x) % p;
				579	if (x <= p / 2)
				580	{
				581	return qr;
				582	}
				583	return p - qr;
				584	}
				585
				586	/**
				587	* Initialize seeds for SPI generation
				588	*/
				589	static bool
				590	init_spi (private_kernel_vpp_ipsec_t *this)
				591	{
				592	bool ok = TRUE;
				593	rng_t *rng;
				594
				595	rng = lib->crypto->create_rng (lib->crypto, RNG_STRONG);
				596	if (!rng)
				597	{
				598	return FALSE;
				599	}
				600	ok =
				601	rng->get_bytes (rng, sizeof (this->nextspi), (uint8_t *) &this->nextspi);
				602	if (ok)
				603	{
				604	ok =
				605	rng->get_bytes (rng, sizeof (this->mixspi), (uint8_t *) &this->mixspi);
				606	}
				607	rng->destroy (rng);
				608	return ok;
				609	}
				610
				611	/**
				612	* Calculate policy priority
				613	*/
				614	static uint32_t
				615	calculate_priority (policy_priority_t policy_priority, traffic_selector_t *src,
				616	traffic_selector_t *dst)
				617	{
				618	uint32_t priority = PRIO_BASE;
				619	uint16_t port;
				620	uint8_t mask, proto;
				621	host_t *net;
				622
				623	switch (policy_priority)
				624	{
				625	case POLICY_PRIORITY_FALLBACK:
				626	priority <<= 1;
				627	/* fall-through */
				628	case POLICY_PRIORITY_ROUTED:
				629	priority <<= 1;
				630	/* fall-through */
				631	case POLICY_PRIORITY_DEFAULT:
				632	priority <<= 1;
				633	/* fall-through */
				634	case POLICY_PRIORITY_PASS:
				635	break;
				636	}
				637	/* calculate priority based on selector size, small size = high prio */
				638	src->to_subnet (src, &net, &mask);
				639	priority -= mask;
				640	proto = src->get_protocol (src);
				641	port = net->get_port (net);
				642	net->destroy (net);
				643
				644	dst->to_subnet (dst, &net, &mask);
				645	priority -= mask;
				646	proto = max (proto, dst->get_protocol (dst));
				647	port = max (port, net->get_port (net));
				648	net->destroy (net);
				649
				650	priority <<= 2; /* make some room for the two flags */
				651	priority += port ? 0 : 2;
				652	priority += proto ? 0 : 1;
				653	return priority;
				654	}
				655
				656	/**
				657	* Get sw_if_index from interface name
				658	*/
				659	static uint32_t
				660	get_sw_if_index (char *interface)
				661	{
				662	char *out = NULL;
				663	int out_len, name_filter_len = 0, msg_len = 0;
Gabriel Oginski	73d82d1	2023-07-06 09:18:45 +0000	[diff] [blame]	664	int num, i;
				665	vl_api_sw_interface_dump_t *mp = NULL;
				666	vl_api_sw_interface_details_t *rmp = NULL;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	667	uint32_t sw_if_index = ~0;
				668
Gabriel Oginski	73d82d1	2023-07-06 09:18:45 +0000	[diff] [blame]	669	if (interface == NULL)
				670	goto error;
				671
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	672	name_filter_len = strlen (interface);
				673	msg_len = sizeof (*mp) + name_filter_len;
				674	mp = vl_msg_api_alloc (msg_len);
				675	clib_memset (mp, 0, msg_len);
				676	u16 msg_id = vl_msg_api_get_msg_index ((u8 *) "sw_interface_dump_aa610c27");
				677	mp->_vl_msg_id = htons (msg_id);
				678	mp->name_filter_valid = TRUE;
				679	mp->name_filter.length = htonl (name_filter_len);
				680	memcpy ((char *) mp->name_filter.buf, interface, name_filter_len);
				681
Gabriel Oginski	73d82d1	2023-07-06 09:18:45 +0000	[diff] [blame]	682	if (vac->send_dump (vac, (char *) mp, msg_len, &out, &out_len))
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	683	{
				684	goto error;
				685	}
				686	if (!out_len)
				687	{
				688	goto error;
				689	}
Gabriel Oginski	73d82d1	2023-07-06 09:18:45 +0000	[diff] [blame]	690	num = out_len / sizeof (*rmp);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	691	rmp = (vl_api_sw_interface_details_t *) out;
Gabriel Oginski	73d82d1	2023-07-06 09:18:45 +0000	[diff] [blame]	692	for (i = 0; i < num; i++)
				693	{
				694	if (strlen (rmp->interface_name) &&
				695	streq (interface, rmp->interface_name))
				696	{
				697	sw_if_index = ntohl (rmp->sw_if_index);
				698	break;
				699	}
				700	rmp += 1;
				701	}
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	702
				703	error:
Gabriel Oginski	73d82d1	2023-07-06 09:18:45 +0000	[diff] [blame]	704	if (out)
				705	free (out);
				706	if (mp)
				707	vl_msg_api_free (mp);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	708	return sw_if_index;
				709	}
Gabriel Oginski	73d82d1	2023-07-06 09:18:45 +0000	[diff] [blame]	710
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	711	/**
				712	* (Un)-install a security policy database
				713	*/
				714	static status_t
				715	spd_add_del (bool add, uint32_t spd_id)
				716	{
				717	char *out = NULL;
				718	int out_len;
				719	vl_api_ipsec_spd_add_del_t *mp;
				720	vl_api_ipsec_spd_add_del_reply_t *rmp;
				721	status_t rv = FAILED;
				722
				723	mp = vl_msg_api_alloc (sizeof (*mp));
				724	memset (mp, 0, sizeof (*mp));
				725
				726	u16 msg_id = vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_add_del_20e89a95");
				727	mp->_vl_msg_id = htons (msg_id);
				728	mp->is_add = add;
				729	mp->spd_id = htonl (spd_id);
				730	if (vac->send (vac, (char ) mp, sizeof (mp), &out, &out_len))
				731	{
				732	DBG1 (DBG_KNL, "vac %s SPD failed", add ? "adding" : "removing");
				733	goto error;
				734	}
				735	rmp = (void *) out;
				736	if (rmp->retval)
				737	{
				738	DBG1 (DBG_KNL, "%s SPD failed rv:%d", add ? "add" : "remove",
				739	ntohl (rmp->retval));
				740	goto error;
				741	}
				742	rv = SUCCESS;
				743
				744	error:
				745	free (out);
				746	vl_msg_api_free (mp);
				747	return rv;
				748	}
				749
				750	/**
				751	* Enable or disable SPD on an insterface
				752	*/
				753	static status_t
				754	interface_add_del_spd (bool add, uint32_t spd_id, uint32_t sw_if_index)
				755	{
				756	char *out = NULL;
				757	int out_len;
				758	vl_api_ipsec_interface_add_del_spd_t *mp;
				759	vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
				760	status_t rv = FAILED;
				761
				762	mp = vl_msg_api_alloc (sizeof (*mp));
				763	memset (mp, 0, sizeof (*mp));
				764	u16 msg_id =
				765	vl_msg_api_get_msg_index ((u8 *) "ipsec_interface_add_del_spd_80f80cbb");
				766	mp->_vl_msg_id = htons (msg_id);
				767	mp->is_add = add;
				768	mp->spd_id = htonl (spd_id);
				769	mp->sw_if_index = htonl (sw_if_index);
				770	if (vac->send (vac, (char ) mp, sizeof (mp), &out, &out_len))
				771	{
				772	DBG1 (DBG_KNL, "vac %s interface SPD failed",
				773	add ? "adding" : "removing");
				774	goto error;
				775	}
				776	rmp = (void *) out;
				777	if (rmp->retval)
				778	{
				779	DBG1 (DBG_KNL, "%s interface SPD failed rv:%d", add ? "add" : "remove",
				780	ntohl (rmp->retval));
				781	goto error;
				782	}
				783	rv = SUCCESS;
				784
				785	error:
				786	free (out);
				787	vl_msg_api_free (mp);
				788	return rv;
				789	}
				790
				791	static int
Gabriel Oginski	052b023	2023-09-14 09:03:36 +0000	[diff] [blame]	792	bypass_all (bool add, uint32_t spd_id, uint32_t sa_id, uint32_t priority)
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	793	{
				794	vl_api_ipsec_spd_entry_add_del_t *mp;
				795	vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
				796	char *out = NULL;
				797	int out_len;
				798	status_t rv = FAILED;
				799
				800	DBG2 (DBG_KNL, "bypass_all [%s] spd_id %d sa_id %d", add ? "ADD" : "DEL",
				801	spd_id, sa_id);
				802
				803	mp = vl_msg_api_alloc (sizeof (*mp));
				804	memset (mp, 0, sizeof (*mp));
				805
				806	u16 msg_id =
				807	vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
				808	mp->_vl_msg_id = ntohs (msg_id);
				809	mp->is_add = add;
				810	mp->entry.sa_id = ntohl (sa_id);
				811	mp->entry.spd_id = ntohl (spd_id);
Gabriel Oginski	052b023	2023-09-14 09:03:36 +0000	[diff] [blame]	812	mp->entry.priority = ntohl (priority - POLICY_PRIORITY_PASS);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	813	mp->entry.is_outbound = 0;
				814	mp->entry.policy = ntohl (IPSEC_API_SPD_ACTION_BYPASS);
				815	memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
				816	memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
				817	mp->entry.remote_port_start = mp->entry.local_port_start = ntohs (0);
				818	mp->entry.remote_port_stop = mp->entry.local_port_stop = ntohs (0xFFFF);
				819	mp->entry.protocol = IP_API_PROTO_ESP;
				820	if (vac->send (vac, (char ) mp, sizeof (mp), &out, &out_len))
				821	{
				822	DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
				823	goto error;
				824	}
				825	rmp = (void *) out;
				826	if (rmp->retval)
				827	{
				828	DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
				829	ntohl (rmp->retval));
				830	goto error;
				831	}
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	832	/* address "out" needs to be freed after vec->send */
				833	if (out != NULL)
				834	{
				835	free (out);
				836	out = NULL;
				837	}
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	838	mp->entry.is_outbound = 1;
				839	if (vac->send (vac, (char ) mp, sizeof (mp), &out, &out_len))
				840	{
				841	DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
				842	goto error;
				843	}
				844	rmp = (void *) out;
				845	if (rmp->retval)
				846	{
				847	DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
				848	ntohl (rmp->retval));
				849	goto error;
				850	}
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	851	/* address "out" needs to be freed after vec->send */
				852	if (out != NULL)
				853	{
				854	free (out);
				855	out = NULL;
				856	}
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	857	mp->entry.is_outbound = 0;
				858	mp->entry.protocol = IP_API_PROTO_AH;
				859	if (vac->send (vac, (char ) mp, sizeof (mp), &out, &out_len))
				860	{
				861	DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
				862	goto error;
				863	}
				864	rmp = (void *) out;
				865	if (rmp->retval)
				866	{
				867	DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
				868	ntohl (rmp->retval));
				869	goto error;
				870	}
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	871	/* address "out" needs to be freed after vec->send */
				872	if (out != NULL)
				873	{
				874	free (out);
				875	out = NULL;
				876	}
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	877	mp->entry.is_outbound = 1;
				878	if (vac->send (vac, (char ) mp, sizeof (mp), &out, &out_len))
				879	{
				880	DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
				881	goto error;
				882	}
				883	rmp = (void *) out;
				884	if (rmp->retval)
				885	{
				886	DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
				887	ntohl (rmp->retval));
				888	goto error;
				889	}
				890
				891	rv = SUCCESS;
				892
				893	error:
				894	if (out)
				895	free (out);
				896	vl_msg_api_free (mp);
				897
				898	return rv;
				899	}
				900
				901	static int
Gabriel Oginski	052b023	2023-09-14 09:03:36 +0000	[diff] [blame]	902	bypass_port (bool add, uint32_t spd_id, uint32_t sa_id, uint16_t port,
				903	uint32_t priority)
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	904	{
				905	vl_api_ipsec_spd_entry_add_del_t *mp;
				906	vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
				907	char *out = NULL;
				908	int out_len;
				909	status_t rv = FAILED;
				910
				911	mp = vl_msg_api_alloc (sizeof (*mp));
				912	memset (mp, 0, sizeof (*mp));
				913
				914	u16 msg_id =
				915	vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
				916	mp->_vl_msg_id = ntohs (msg_id);
				917	mp->is_add = add;
				918	mp->entry.sa_id = ntohl (sa_id);
				919	mp->entry.spd_id = ntohl (spd_id);
Gabriel Oginski	052b023	2023-09-14 09:03:36 +0000	[diff] [blame]	920	mp->entry.priority = ntohl (priority - POLICY_PRIORITY_PASS);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	921	mp->entry.policy = ntohl (IPSEC_API_SPD_ACTION_BYPASS);
				922	memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
				923	memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
				924	mp->entry.is_outbound = 0;
Gabriel Oginski	052b023	2023-09-14 09:03:36 +0000	[diff] [blame]	925	mp->entry.remote_port_start = mp->entry.local_port_start = ntohs (port);
				926	mp->entry.remote_port_stop = mp->entry.local_port_stop = ntohs (port);
				927	mp->entry.protocol = IP_API_PROTO_UDP;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	928
				929	if (vac->send (vac, (char ) mp, sizeof (mp), &out, &out_len))
				930	{
				931	DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
				932	goto error;
				933	}
				934	rmp = (void *) out;
				935	if (rmp->retval)
				936	{
				937	DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
				938	ntohl (rmp->retval));
				939	goto error;
				940	}
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	941	/* address "out" needs to be freed after vec->send */
				942	if (out != NULL)
				943	{
				944	free (out);
				945	out = NULL;
				946	}
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	947	mp->entry.is_outbound = 1;
				948	if (vac->send (vac, (char ) mp, sizeof (mp), &out, &out_len))
				949	{
				950	DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
				951	goto error;
				952	}
				953	rmp = (void *) out;
				954	if (rmp->retval)
				955	{
				956	DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
				957	ntohl (rmp->retval));
				958	goto error;
				959	}
				960	rv = SUCCESS;
				961
				962	error:
				963	if (out)
				964	free (out);
				965	vl_msg_api_free (mp);
				966
				967	return rv;
				968	}
				969
				970	/**
				971	* Add or remove a bypass policy
				972	*/
				973	static status_t
Gabriel Oginski	052b023	2023-09-14 09:03:36 +0000	[diff] [blame]	974	manage_bypass (bool add, uint32_t spd_id, uint32_t sa_id, uint32_t priority)
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	975	{
				976	uint16_t port;
				977	status_t rv;
				978
Gabriel Oginski	052b023	2023-09-14 09:03:36 +0000	[diff] [blame]	979	bypass_all (add, spd_id, sa_id, priority);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	980
				981	port =
				982	lib->settings->get_int (lib->settings, "%s.port", IKEV2_UDP_PORT, lib->ns);
				983
				984	if (port)
				985	{
Gabriel Oginski	052b023	2023-09-14 09:03:36 +0000	[diff] [blame]	986	rv = bypass_port (add, spd_id, sa_id, port, priority);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	987	if (rv != SUCCESS)
				988	{
				989	return rv;
				990	}
				991	}
				992
				993	port = lib->settings->get_int (lib->settings, "%s.port_nat_t",
				994	IKEV2_NATT_PORT, lib->ns);
				995	if (port)
				996	{
Gabriel Oginski	052b023	2023-09-14 09:03:36 +0000	[diff] [blame]	997	rv = bypass_port (add, spd_id, sa_id, port, priority);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	998	if (rv != SUCCESS)
				999	{
				1000	return rv;
				1001	}
				1002	}
				1003
				1004	return SUCCESS;
				1005	}
				1006
				1007	/**
				1008	* Add or remove a policy
				1009	*/
				1010	static status_t
				1011	manage_policy (private_kernel_vpp_ipsec_t *this, bool add,
				1012	kernel_ipsec_policy_id_t *id,
				1013	kernel_ipsec_manage_policy_t *data)
				1014	{
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1015	spd_t *spd = NULL;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1016	char out = NULL, interface = NULL;
				1017	int out_len;
				1018	uint32_t sw_if_index, spd_id = ~0, sad_id = ~0;
				1019	status_t rv = FAILED;
				1020	uint32_t priority, auto_priority;
				1021	chunk_t src_from, src_to, dst_from, dst_to;
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1022	host_t src = NULL, dst = NULL, *addr = NULL;
				1023	vl_api_ipsec_spd_entry_add_del_t *mp = NULL;
				1024	vl_api_ipsec_spd_entry_add_del_reply_t *rmp = NULL;
Gabriel Oginski	052b023	2023-09-14 09:03:36 +0000	[diff] [blame]	1025	bool n_spd = false; /* is a new SPD? */
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1026	vl_api_ipsec_spd_dump_t *mp_dump = NULL;
				1027	vl_api_ipsec_spd_details_t rmp_dump = NULL, tmp = NULL;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1028
				1029	mp = vl_msg_api_alloc (sizeof (*mp));
				1030	memset (mp, 0, sizeof (*mp));
				1031
				1032	this->mutex->lock (this->mutex);
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1033	if (id->dir == POLICY_FWD)
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1034	{
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1035	DBG1 (DBG_KNL, "policy FWD interface");
				1036	rv = SUCCESS;
				1037	goto error;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1038	}
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1039	addr = id->dir == POLICY_IN ? data->dst : data->src;
				1040	for (int i = 0; i < N_RETRY_GET_IF; i++)
				1041	{
				1042	if (!charon->kernel->get_interface (charon->kernel, addr, &interface))
				1043	{
				1044	DBG1 (DBG_KNL, "policy no interface %H", addr);
				1045	free (interface);
				1046	interface = NULL;
				1047	sleep (1);
				1048	}
				1049
				1050	if (interface)
				1051	{
				1052	DBG1 (DBG_KNL, "policy have interface %H", addr);
				1053	break;
				1054	}
				1055	}
				1056	if (!interface)
				1057	goto error;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1058
				1059	DBG2 (DBG_KNL, "manage policy [%s] interface [%s]", add ? "ADD" : "DEL",
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1060	interface);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1061
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1062	spd = this->spds->get (this->spds, interface);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1063	if (!spd)
				1064	{
				1065	if (!add)
				1066	{
				1067	DBG1 (DBG_KNL, "SPD for %s not found, should not be deleted",
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1068	interface);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1069	goto error;
				1070	}
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1071	sw_if_index = get_sw_if_index (interface);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1072	DBG1 (DBG_KNL, "firstly created, spd for %s found sw_if_index is %d",
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1073	interface, sw_if_index);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1074	if (sw_if_index == ~0)
				1075	{
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1076	DBG1 (DBG_KNL, "sw_if_index for %s not found", interface);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1077	goto error;
				1078	}
				1079	spd_id = ref_get (&this->next_spd_id);
				1080	if (spd_add_del (TRUE, spd_id))
				1081	{
				1082	DBG1 (DBG_KNL, "spd_add_del %d failed!!!!!", spd_id);
				1083	goto error;
				1084	}
				1085	if (interface_add_del_spd (TRUE, spd_id, sw_if_index))
				1086	{
				1087	DBG1 (DBG_KNL, "interface_add_del_spd %d %d failed!!!!!", spd_id,
				1088	sw_if_index);
				1089	goto error;
				1090	}
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1091	INIT (spd, .spd_id = spd_id, .sw_if_index = sw_if_index, .policy_num = 0,
				1092	.if_name = strdup (interface), );
				1093	this->spds->put (this->spds, spd->if_name, spd);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1094	n_spd = true;
				1095	}
				1096
				1097	auto_priority = calculate_priority (data->prio, id->src_ts, id->dst_ts);
				1098	priority = data->manual_prio ? data->manual_prio : auto_priority;
				1099
				1100	u16 msg_id =
				1101	vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
				1102	mp->_vl_msg_id = htons (msg_id);
				1103	mp->is_add = add;
				1104	mp->entry.spd_id = htonl (spd->spd_id);
Gabriel Oginski	052b023	2023-09-14 09:03:36 +0000	[diff] [blame]	1105	mp->entry.priority = htonl (priority - POLICY_PRIORITY_DEFAULT);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1106	mp->entry.is_outbound = id->dir == POLICY_OUT;
				1107	switch (data->type)
				1108	{
				1109	case POLICY_IPSEC:
				1110	mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_PROTECT);
				1111	break;
				1112	case POLICY_PASS:
				1113	mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_BYPASS);
				1114	break;
				1115	case POLICY_DROP:
				1116	mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_DISCARD);
				1117	break;
				1118	}
				1119	if ((data->type == POLICY_IPSEC) && data->sa)
				1120	{
				1121	kernel_ipsec_sa_id_t id = {
				1122	.src = data->src,
				1123	.dst = data->dst,
				1124	.proto = data->sa->esp.use ? IPPROTO_ESP : IPPROTO_AH,
				1125	.spi = data->sa->esp.use ? data->sa->esp.spi : data->sa->ah.spi,
				1126	};
				1127	sa_t *sa = NULL;
				1128	sa = this->sas->get (this->sas, &id);
				1129	if (!sa)
				1130	{
				1131	DBG1 (DBG_KNL, "SA ID not found");
				1132	goto error;
				1133	}
				1134	sad_id = sa->sa_id;
				1135	if (n_spd)
				1136	{
Gabriel Oginski	052b023	2023-09-14 09:03:36 +0000	[diff] [blame]	1137	if (manage_bypass (TRUE, spd_id, ~0, priority))
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1138	{
				1139	DBG1 (DBG_KNL, "manage_bypass %d failed!!!!", spd_id);
				1140	goto error;
				1141	}
				1142	}
				1143	}
				1144
				1145	mp->entry.sa_id = htonl (sad_id);
				1146
				1147	bool is_ipv6 = false;
				1148	if (id->src_ts->get_type (id->src_ts) == TS_IPV6_ADDR_RANGE)
				1149	{
				1150	is_ipv6 = true;
				1151	mp->entry.local_address_start.af = htonl (ADDRESS_IP6);
				1152	mp->entry.local_address_stop.af = htonl (ADDRESS_IP6);
				1153	mp->entry.remote_address_start.af = htonl (ADDRESS_IP6);
				1154	mp->entry.remote_address_stop.af = htonl (ADDRESS_IP6);
				1155	}
				1156	else
				1157	{
				1158	mp->entry.local_address_start.af = htonl (ADDRESS_IP4);
				1159	mp->entry.local_address_stop.af = htonl (ADDRESS_IP4);
				1160	mp->entry.remote_address_start.af = htonl (ADDRESS_IP4);
				1161	mp->entry.remote_address_stop.af = htonl (ADDRESS_IP4);
				1162	}
				1163	mp->entry.protocol = id->src_ts->get_protocol (id->src_ts);
				1164
				1165	if (id->dir == POLICY_OUT)
				1166	{
				1167	src_from = id->src_ts->get_from_address (id->src_ts);
				1168	src_to = id->src_ts->get_to_address (id->src_ts);
				1169	src = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, src_to, 0);
				1170	dst_from = id->dst_ts->get_from_address (id->dst_ts);
				1171	dst_to = id->dst_ts->get_to_address (id->dst_ts);
				1172	dst = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, dst_to, 0);
				1173	}
				1174	else
				1175	{
				1176	dst_from = id->src_ts->get_from_address (id->src_ts);
				1177	dst_to = id->src_ts->get_to_address (id->src_ts);
				1178	dst = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, dst_from, 0);
				1179	src_from = id->dst_ts->get_from_address (id->dst_ts);
				1180	src_to = id->dst_ts->get_to_address (id->dst_ts);
				1181	src = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, src_from, 0);
				1182	}
				1183
				1184	if (src->is_anyaddr (src) && dst->is_anyaddr (dst))
				1185	{
				1186	memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
				1187	memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
				1188	}
				1189	else
				1190	{
				1191	memcpy (is_ipv6 ? mp->entry.local_address_start.un.ip6 :
				1192	mp->entry.local_address_start.un.ip4,
				1193	src_from.ptr, src_from.len);
				1194	memcpy (is_ipv6 ? mp->entry.local_address_stop.un.ip6 :
				1195	mp->entry.local_address_stop.un.ip4,
				1196	src_to.ptr, src_to.len);
				1197	memcpy (is_ipv6 ? mp->entry.remote_address_start.un.ip6 :
				1198	mp->entry.remote_address_start.un.ip4,
				1199	dst_from.ptr, dst_from.len);
				1200	memcpy (is_ipv6 ? mp->entry.remote_address_stop.un.ip6 :
				1201	mp->entry.remote_address_stop.un.ip4,
				1202	dst_to.ptr, dst_to.len);
				1203	}
				1204	mp->entry.local_port_start = htons (id->src_ts->get_from_port (id->src_ts));
				1205	mp->entry.local_port_stop = htons (id->src_ts->get_to_port (id->src_ts));
				1206	mp->entry.remote_port_start = htons (id->dst_ts->get_from_port (id->dst_ts));
				1207	mp->entry.remote_port_stop = htons (id->dst_ts->get_to_port (id->dst_ts));
				1208
Gabriel Oginski	8de66c0	2023-02-03 08:12:36 +0000	[diff] [blame]	1209	/* check if policy exists in SPD */
Gabriel Oginski	8de66c0	2023-02-03 08:12:36 +0000	[diff] [blame]	1210	mp_dump = vl_msg_api_alloc (sizeof (*mp_dump));
				1211	memset (mp_dump, 0, sizeof (*mp_dump));
				1212
				1213	msg_id = vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_dump_afefbf7d");
				1214	mp_dump->_vl_msg_id = htons (msg_id);
				1215	mp_dump->spd_id = htonl (spd->spd_id);
				1216	mp_dump->sa_id = htonl (sad_id);
				1217
				1218	if (vac->send_dump (vac, (char ) mp_dump, sizeof (mp_dump), &out,
				1219	&out_len))
				1220	{
				1221	DBG1 (DBG_KNL, "vac %s SPD lookup failed", add ? "adding" : "removing");
				1222	goto error;
				1223	}
				1224
				1225	int num = out_len / sizeof (*rmp_dump);
				1226	tmp = (void *) out;
				1227
				1228	/* found existing policy */
				1229	if (add && num)
				1230	{
				1231	int i;
				1232	for (i = 0; i < num; i++)
				1233	{
				1234	rmp_dump = tmp;
				1235	tmp += 1;
				1236	/* check if found entry equals the new one */
				1237	if (policy_equals (&mp->entry, &rmp_dump->entry))
				1238	goto next;
				1239	}
				1240	}
				1241	else if (!add && num == 0)
				1242	{
				1243	/* VPP doesn't have any policy to delete */
				1244	goto next;
				1245	}
				1246
				1247	free (out);
				1248
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1249	if (vac->send (vac, (char ) mp, sizeof (mp), &out, &out_len))
				1250	{
				1251	DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
				1252	goto error;
				1253	}
				1254	rmp = (void *) out;
				1255	if (rmp->retval)
				1256	{
				1257	DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
				1258	ntohl (rmp->retval));
				1259	goto error;
				1260	}
				1261
Gabriel Oginski	8de66c0	2023-02-03 08:12:36 +0000	[diff] [blame]	1262	next:
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1263	if (add)
				1264	{
				1265	ref_get (&spd->policy_num);
				1266	}
				1267	else
				1268	{
				1269	if (ref_put (&spd->policy_num))
				1270	{
				1271	DBG1 (
				1272	DBG_KNL,
				1273	"policy_num's ref is 0, delete spd_id %d sw_if_index %d sad_id %x",
				1274	spd->spd_id, spd->sw_if_index, sad_id);
				1275	interface_add_del_spd (FALSE, spd->spd_id, spd->sw_if_index);
Gabriel Oginski	052b023	2023-09-14 09:03:36 +0000	[diff] [blame]	1276	manage_bypass (FALSE, spd->spd_id, sad_id, priority);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1277	spd_add_del (FALSE, spd->spd_id);
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1278	this->spds->remove (this->spds, interface);
				1279	if (spd->if_name)
				1280	{
				1281	free (spd->if_name);
				1282	spd->if_name = NULL;
				1283	}
				1284	if (spd)
				1285	{
				1286	free (spd);
				1287	spd = NULL;
				1288	}
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1289	}
				1290	}
				1291
				1292	if (this->install_routes && id->dir == POLICY_OUT && !mp->entry.protocol)
				1293	{
				1294	if (data->type == POLICY_IPSEC && data->sa->mode != MODE_TRANSPORT)
				1295	{
				1296	manage_route (this, add, id->dst_ts, data->src, data->dst);
				1297	}
				1298	}
				1299	rv = SUCCESS;
				1300	error:
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1301	if (out != NULL)
				1302	free (out);
				1303	if (mp_dump != NULL)
				1304	vl_msg_api_free (mp_dump);
				1305	if (mp != NULL)
				1306	vl_msg_api_free (mp);
				1307	if (src != NULL)
				1308	src->destroy (src);
				1309	if (dst != NULL)
				1310	dst->destroy (dst);
				1311	if (interface != NULL)
				1312	free (interface);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1313	this->mutex->unlock (this->mutex);
				1314	return rv;
				1315	}
				1316
				1317	METHOD (kernel_ipsec_t, get_features, kernel_feature_t,
				1318	private_kernel_vpp_ipsec_t *this)
				1319	{
				1320	return KERNEL_ESP_V3_TFC;
				1321	}
				1322
				1323	METHOD (kernel_ipsec_t, get_spi, status_t, private_kernel_vpp_ipsec_t *this,
				1324	host_t src, host_t dst, uint8_t protocol, uint32_t *spi)
				1325	{
				1326	static const u_int p = 268435399, offset = 0xc0000000;
				1327
				1328	*spi = htonl (offset + permute (ref_get (&this->nextspi) ^ this->mixspi, p));
				1329	return SUCCESS;
				1330	}
				1331
				1332	METHOD (kernel_ipsec_t, get_cpi, status_t, private_kernel_vpp_ipsec_t *this,
				1333	host_t src, host_t dst, uint16_t *cpi)
				1334	{
				1335	DBG1 (DBG_KNL, "get_cpi is not supported!!!!!!!!!!!!!!!!!!!!!!!!");
				1336	return NOT_SUPPORTED;
				1337	}
				1338
				1339	/**
				1340	* Helper struct for expiration events
				1341	*/
				1342	typedef struct
				1343	{
				1344
				1345	private_kernel_vpp_ipsec_t *manager;
				1346
				1347	kernel_ipsec_sa_id_t *sa_id;
				1348
				1349	/**
				1350	* 0 if this is a hard expire, otherwise the offset in s (soft->hard)
				1351	*/
				1352	uint32_t hard_offset;
				1353
				1354	} vpp_sa_expired_t;
				1355
				1356	/**
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1357	* Clean up expire data
				1358	*/
				1359	static void
				1360	expire_data_destroy (vpp_sa_expired_t *data)
				1361	{
				1362	free (data);
				1363	}
				1364
				1365	/**
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1366	* Callback for expiration events
				1367	*/
				1368	static job_requeue_t
				1369	sa_expired (vpp_sa_expired_t *expired)
				1370	{
				1371	private_kernel_vpp_ipsec_t *this = expired->manager;
				1372	sa_t *sa;
				1373	kernel_ipsec_sa_id_t *id = expired->sa_id;
				1374
				1375	this->mutex->lock (this->mutex);
				1376	sa = this->sas->get (this->sas, id);
				1377
				1378	if (sa)
				1379	{
				1380	charon->kernel->expire (charon->kernel, id->proto, id->spi, id->dst,
				1381	FALSE);
				1382	}
				1383
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1384	if (id->src)
				1385	id->src->destroy (id->src);
				1386	if (id->dst)
				1387	id->dst->destroy (id->dst);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1388	free (id);
				1389	this->mutex->unlock (this->mutex);
				1390	return JOB_REQUEUE_NONE;
				1391	}
				1392
				1393	/**
				1394	* Schedule a job to handle IPsec SA expiration
				1395	*/
				1396	static void
				1397	schedule_expiration (private_kernel_vpp_ipsec_t *this,
				1398	kernel_ipsec_add_sa_t *entry,
				1399	kernel_ipsec_sa_id_t *entry2)
				1400	{
				1401	lifetime_cfg_t *lifetime = entry->lifetime;
				1402	vpp_sa_expired_t *expired;
				1403	callback_job_t *job;
				1404	uint32_t timeout;
				1405	kernel_ipsec_sa_id_t *id;
				1406
				1407	if (!lifetime->time.life)
				1408	{ /* no expiration at all */
				1409	return;
				1410	}
				1411
				1412	INIT (id, .src = entry2->src->clone (entry2->src),
				1413	.dst = entry2->dst->clone (entry2->dst), .spi = entry2->spi,
				1414	.proto = entry2->proto, );
				1415
				1416	INIT (expired, .manager = this, .sa_id = id, );
				1417
				1418	/* schedule a rekey first, a hard timeout will be scheduled then, if any */
				1419	expired->hard_offset = lifetime->time.life - lifetime->time.rekey;
				1420	timeout = lifetime->time.rekey;
				1421
				1422	if (lifetime->time.life <= lifetime->time.rekey \|\| lifetime->time.rekey == 0)
				1423	{ /* no rekey, schedule hard timeout */
				1424	expired->hard_offset = 0;
				1425	timeout = lifetime->time.life;
				1426	}
				1427
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1428	job =
				1429	callback_job_create ((callback_job_cb_t) sa_expired, expired,
				1430	(callback_job_cleanup_t) expire_data_destroy, NULL);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1431	lib->scheduler->schedule_job (lib->scheduler, (job_t *) job, timeout);
				1432	}
				1433
				1434	METHOD (kernel_ipsec_t, add_sa, status_t, private_kernel_vpp_ipsec_t *this,
				1435	kernel_ipsec_sa_id_t id, kernel_ipsec_add_sa_t data)
				1436	{
				1437	char *out = NULL;
				1438	int out_len;
				1439	vl_api_ipsec_sad_entry_add_del_t *mp;
				1440	vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
				1441	uint32_t sad_id = ref_get (&this->next_sad_id);
				1442	uint8_t ca = 0, ia = 0;
				1443	status_t rv = FAILED;
				1444	chunk_t src, dst;
				1445	kernel_ipsec_sa_id_t *sa_id;
				1446	sa_t *sa;
				1447	int key_len = data->enc_key.len;
				1448
				1449	if ((data->enc_alg == ENCR_AES_CTR) \|\|
				1450	(data->enc_alg == ENCR_AES_GCM_ICV8) \|\|
				1451	(data->enc_alg == ENCR_AES_GCM_ICV12) \|\|
				1452	(data->enc_alg == ENCR_AES_GCM_ICV16))
				1453	{
				1454	static const int SALT_SIZE =
				1455	4; /* See how enc_size is calculated at keymat_v2.derive_child_keys */
				1456	key_len = key_len - SALT_SIZE;
				1457	}
				1458	natt_port = lib->settings->get_int (
				1459	lib->settings, "%s.plugins.socket-default.natt", IKEV2_NATT_PORT, lib->ns);
				1460	mp = vl_msg_api_alloc (sizeof (*mp));
				1461	memset (mp, 0, sizeof (*mp));
				1462	u16 msg_id =
				1463	vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
				1464	mp->_vl_msg_id = htons (msg_id);
				1465	mp->is_add = 1;
				1466	mp->entry.sad_id = htonl (sad_id);
				1467	mp->entry.spi = id->spi;
				1468	mp->entry.protocol = id->proto == IPPROTO_ESP ? htonl (IPSEC_API_PROTO_ESP) :
				1469	htonl (IPSEC_API_PROTO_AH);
				1470
				1471	switch (data->enc_alg)
				1472	{
				1473	case ENCR_NULL:
				1474	ca = IPSEC_API_CRYPTO_ALG_NONE;
				1475	break;
				1476	case ENCR_AES_CBC:
				1477	switch (key_len * 8)
				1478	{
				1479	case 128:
				1480	ca = IPSEC_API_CRYPTO_ALG_AES_CBC_128;
				1481	break;
				1482	case 192:
				1483	ca = IPSEC_API_CRYPTO_ALG_AES_CBC_192;
				1484	break;
				1485	case 256:
				1486	ca = IPSEC_API_CRYPTO_ALG_AES_CBC_256;
				1487	break;
				1488	default:
				1489	DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
				1490	key_len * 8);
				1491	goto error;
				1492	}
				1493	break;
				1494	case ENCR_AES_CTR:
				1495	switch (key_len * 8)
				1496	{
				1497	case 128:
				1498	ca = IPSEC_API_CRYPTO_ALG_AES_CTR_128;
				1499	break;
				1500	case 192:
				1501	ca = IPSEC_API_CRYPTO_ALG_AES_CTR_192;
				1502	break;
				1503	case 256:
				1504	ca = IPSEC_API_CRYPTO_ALG_AES_CTR_256;
				1505	break;
				1506	default:
				1507	DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
				1508	key_len * 8);
				1509	goto error;
				1510	}
				1511	break;
				1512	case ENCR_AES_GCM_ICV8:
				1513	case ENCR_AES_GCM_ICV12:
				1514	case ENCR_AES_GCM_ICV16:
				1515	switch (key_len * 8)
				1516	{
				1517	case 128:
				1518	ca = IPSEC_API_CRYPTO_ALG_AES_GCM_128;
				1519	break;
				1520	case 192:
				1521	ca = IPSEC_API_CRYPTO_ALG_AES_GCM_192;
				1522	break;
				1523	case 256:
				1524	ca = IPSEC_API_CRYPTO_ALG_AES_GCM_256;
				1525	break;
				1526	default:
				1527	DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
				1528	key_len * 8);
				1529	goto error;
				1530	}
				1531	break;
				1532	case ENCR_DES:
				1533	ca = IPSEC_API_CRYPTO_ALG_DES_CBC;
				1534	break;
				1535	case ENCR_3DES:
				1536	ca = IPSEC_API_CRYPTO_ALG_3DES_CBC;
				1537	break;
				1538	default:
				1539	DBG1 (DBG_KNL, "algorithm %N not supported by VPP!",
				1540	encryption_algorithm_names, data->enc_alg);
				1541	goto error;
				1542	}
				1543	mp->entry.crypto_algorithm = htonl (ca);
				1544	mp->entry.crypto_key.length = key_len < 128 ? key_len : 128;
				1545	memcpy (mp->entry.crypto_key.data, data->enc_key.ptr,
				1546	mp->entry.crypto_key.length);
				1547
				1548	/* copy salt for AEAD algorithms */
				1549	if ((data->enc_alg == ENCR_AES_CTR) \|\|
				1550	(data->enc_alg == ENCR_AES_GCM_ICV8) \|\|
				1551	(data->enc_alg == ENCR_AES_GCM_ICV12) \|\|
				1552	(data->enc_alg == ENCR_AES_GCM_ICV16))
				1553	{
				1554	memcpy (&mp->entry.salt, data->enc_key.ptr + mp->entry.crypto_key.length,
				1555	4);
				1556	}
				1557
				1558	switch (data->int_alg)
				1559	{
				1560	case AUTH_UNDEFINED:
				1561	ia = IPSEC_API_INTEG_ALG_NONE;
				1562	break;
				1563	case AUTH_HMAC_MD5_96:
				1564	ia = IPSEC_API_INTEG_ALG_MD5_96;
				1565	break;
				1566	case AUTH_HMAC_SHA1_96:
				1567	ia = IPSEC_API_INTEG_ALG_SHA1_96;
				1568	break;
				1569	case AUTH_HMAC_SHA2_256_96:
				1570	ia = IPSEC_API_INTEG_ALG_SHA_256_96;
				1571	break;
				1572	case AUTH_HMAC_SHA2_256_128:
				1573	ia = IPSEC_API_INTEG_ALG_SHA_256_128;
				1574	break;
				1575	case AUTH_HMAC_SHA2_384_192:
				1576	ia = IPSEC_API_INTEG_ALG_SHA_384_192;
				1577	break;
				1578	case AUTH_HMAC_SHA2_512_256:
				1579	ia = IPSEC_API_INTEG_ALG_SHA_512_256;
				1580	break;
				1581	default:
				1582	DBG1 (DBG_KNL, "algorithm %N not supported by VPP!",
				1583	integrity_algorithm_names, data->int_alg);
				1584	goto error;
				1585	break;
				1586	}
				1587	mp->entry.integrity_algorithm = htonl (ia);
				1588	mp->entry.integrity_key.length =
				1589	data->int_key.len < 128 ? data->int_key.len : 128;
				1590	memcpy (mp->entry.integrity_key.data, data->int_key.ptr,
				1591	mp->entry.integrity_key.length);
				1592
				1593	int flags = IPSEC_API_SAD_FLAG_NONE;
Atzm Watanabe	fc2d95d	2023-01-25 14:11:10 +0900	[diff] [blame]	1594	if (data->inbound)
				1595	flags \|= IPSEC_API_SAD_FLAG_IS_INBOUND;
				1596	/* like the kernel-netlink plugin, anti-replay can be disabled with zero
				1597	* replay_window, but window size cannot be customized for vpp */
				1598	if (data->replay_window)
				1599	flags \|= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1600	if (data->esn)
				1601	flags \|= IPSEC_API_SAD_FLAG_USE_ESN;
Atzm Watanabe	fc2d95d	2023-01-25 14:11:10 +0900	[diff] [blame]	1602	if (this->use_tunnel_mode_sa && data->mode == MODE_TUNNEL)
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1603	{
				1604	if (id->src->get_family (id->src) == AF_INET6)
				1605	flags \|= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
				1606	else
				1607	flags \|= IPSEC_API_SAD_FLAG_IS_TUNNEL;
				1608	}
				1609	if (data->encap)
				1610	{
Gabriel Oginski	980f3fb	2023-04-17 07:00:24 +0000	[diff] [blame]	1611	DBG1 (DBG_KNL, "UDP encap");
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1612	flags \|= IPSEC_API_SAD_FLAG_UDP_ENCAP;
Gabriel Oginski	980f3fb	2023-04-17 07:00:24 +0000	[diff] [blame]	1613	mp->entry.udp_src_port = htons (natt_port);
				1614	mp->entry.udp_dst_port = htons (natt_port);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1615	}
				1616	mp->entry.flags = htonl (flags);
				1617
				1618	bool is_ipv6 = false;
				1619	if (id->src->get_family (id->src) == AF_INET6)
				1620	{
				1621	is_ipv6 = true;
				1622	mp->entry.tunnel_src.af = htonl (ADDRESS_IP6);
				1623	mp->entry.tunnel_dst.af = htonl (ADDRESS_IP6);
				1624	}
				1625	else
				1626	{
				1627	mp->entry.tunnel_src.af = htonl (ADDRESS_IP4);
				1628	mp->entry.tunnel_dst.af = htonl (ADDRESS_IP4);
				1629	}
				1630	src = id->src->get_address (id->src);
				1631	memcpy (is_ipv6 ? mp->entry.tunnel_src.un.ip6 : mp->entry.tunnel_src.un.ip4,
				1632	src.ptr, src.len);
				1633	dst = id->dst->get_address (id->dst);
				1634	memcpy (is_ipv6 ? mp->entry.tunnel_dst.un.ip6 : mp->entry.tunnel_dst.un.ip4,
				1635	dst.ptr, dst.len);
				1636	if (vac->send (vac, (char ) mp, sizeof (mp), &out, &out_len))
				1637	{
				1638	DBG1 (DBG_KNL, "vac adding SA failed");
				1639	goto error;
				1640	}
				1641	rmp = (void *) out;
				1642	if (rmp->retval)
				1643	{
				1644	DBG1 (DBG_KNL, "add SA failed rv:%d", ntohl (rmp->retval));
				1645	goto error;
				1646	}
				1647
				1648	this->mutex->lock (this->mutex);
				1649	INIT (sa_id, .src = id->src->clone (id->src),
				1650	.dst = id->dst->clone (id->dst), .spi = id->spi, .proto = id->proto, );
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1651	INIT (sa, .sa_id = sad_id, .stat_index = ntohl (rmp->stat_index),
				1652	.sa_id_p = sa_id, );
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1653	DBG4 (DBG_KNL, "put sa by its sa_id %x !!!!!!", sad_id);
				1654	this->sas->put (this->sas, sa_id, sa);
				1655	schedule_expiration (this, data, id);
				1656	this->mutex->unlock (this->mutex);
				1657	rv = SUCCESS;
				1658
				1659	error:
				1660	free (out);
				1661	vl_msg_api_free (mp);
				1662	return rv;
				1663	}
				1664
				1665	METHOD (kernel_ipsec_t, update_sa, status_t, private_kernel_vpp_ipsec_t *this,
				1666	kernel_ipsec_sa_id_t id, kernel_ipsec_update_sa_t data)
				1667	{
				1668	DBG1 (DBG_KNL,
				1669	"update sa not supported!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
				1670	return NOT_SUPPORTED;
				1671	}
				1672
				1673	METHOD (kernel_ipsec_t, query_sa, status_t, private_kernel_vpp_ipsec_t *this,
				1674	kernel_ipsec_sa_id_t id, kernel_ipsec_query_sa_t data,
				1675	uint64_t bytes, uint64_t packets, time_t *time)
				1676	{
				1677	status_t rv = FAILED;
				1678	sa_t *sa;
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1679	u32 *dir = NULL;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1680	int i, k;
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1681	stat_segment_data_t *res = NULL;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1682	u8 **pattern = 0;
				1683	uint64_t res_bytes = 0;
				1684	uint64_t res_packets = 0;
				1685
				1686	this->mutex->lock (this->mutex);
				1687	sa = this->sas->get (this->sas, id);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1688	if (!sa)
				1689	{
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1690	this->mutex->unlock (this->mutex);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1691	DBG1 (DBG_KNL, "SA not found");
				1692	return NOT_FOUND;
				1693	}
				1694
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1695	if (this->sm == NULL)
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1696	{
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1697	stat_client_main_t *sm = NULL;
				1698	sm = stat_client_get ();
				1699
				1700	if (!sm)
				1701	{
				1702	DBG1 (DBG_KNL, "Not connecting with stats segmentation");
				1703	this->mutex->unlock (this->mutex);
				1704	return NOT_FOUND;
				1705	}
				1706	this->sm = sm;
				1707	int rv_stat = stat_segment_connect_r ("/run/vpp/stats.sock", this->sm);
				1708	if (rv_stat != 0)
				1709	{
				1710	stat_client_free (this->sm);
				1711	this->sm = NULL;
				1712	DBG1 (DBG_KNL, "Not connecting with stats segmentation");
				1713	this->mutex->unlock (this->mutex);
				1714	return NOT_FOUND;
				1715	}
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1716	}
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1717
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1718	vec_add1 (pattern, (u8 *) "/net/ipsec/sa");
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1719	dir = stat_segment_ls_r ((u8 **) pattern, this->sm);
				1720	res = stat_segment_dump_r (dir, this->sm);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1721	/* i-loop for each results find by pattern - here two:
				1722	* 1. /net/ipsec/sa
				1723	* 2. /net/ipsec/sa/lost
				1724	*/
				1725	for (i = 0; i < vec_len (res); i++)
				1726	{
				1727	switch (res[i].type)
				1728	{
				1729	/* type for how many packets are lost */
				1730	case STAT_DIR_TYPE_COUNTER_VECTOR_SIMPLE:
				1731	if (res[i].simple_counter_vec == 0)
				1732	continue;
				1733	break;
				1734	/* type for counter for each SA */
				1735	case STAT_DIR_TYPE_COUNTER_VECTOR_COMBINED:
				1736	if (res[i].combined_counter_vec == 0)
				1737	continue;
				1738	/* k-loop for each threads - that you run VPP */
				1739	for (k = 0; k < vec_len (res[i].combined_counter_vec); k++)
				1740	{
				1741	if (sa->stat_index <= vec_len (res[i].combined_counter_vec[k]))
				1742	{
				1743	DBG4 (DBG_KNL, "Thread: %d, Packets: %lu, Bytes: %lu", k,
				1744	res[i].combined_counter_vec[k][sa->stat_index].packets,
				1745	res[i].combined_counter_vec[k][sa->stat_index].bytes);
				1746	res_bytes +=
				1747	res[i].combined_counter_vec[k][sa->stat_index].bytes;
				1748	res_packets +=
				1749	res[i].combined_counter_vec[k][sa->stat_index].packets;
				1750	}
				1751	}
				1752	break;
				1753	case STAT_DIR_TYPE_NAME_VECTOR:
				1754	if (res[i].name_vector == 0)
				1755	continue;
				1756	break;
				1757	}
				1758	}
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1759
				1760	vec_free (pattern);
				1761	vec_free (dir);
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1762	stat_segment_data_free (res);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1763
				1764	if (bytes)
				1765	{
				1766	*bytes = res_bytes;
				1767	}
				1768	if (packets)
				1769	{
				1770	*packets = res_packets;
				1771	}
				1772	if (time)
				1773	{
				1774	*time = 0;
				1775	}
				1776
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1777	this->mutex->unlock (this->mutex);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1778	rv = SUCCESS;
				1779	return rv;
				1780	}
				1781
				1782	METHOD (kernel_ipsec_t, del_sa, status_t, private_kernel_vpp_ipsec_t *this,
				1783	kernel_ipsec_sa_id_t id, kernel_ipsec_del_sa_t data)
				1784	{
				1785	char *out = NULL;
				1786	int out_len;
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1787	vl_api_ipsec_sad_entry_add_del_t *mp = NULL;
				1788	vl_api_ipsec_sad_entry_add_del_reply_t *rmp = NULL;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1789	status_t rv = FAILED;
				1790	sa_t *sa;
				1791
				1792	this->mutex->lock (this->mutex);
				1793	sa = this->sas->get (this->sas, id);
				1794	if (!sa)
				1795	{
				1796	DBG1 (DBG_KNL, "SA not found");
				1797	rv = NOT_FOUND;
				1798	goto error;
				1799	}
				1800	mp = vl_msg_api_alloc (sizeof (*mp));
				1801	memset (mp, 0, sizeof (*mp));
				1802	mp->is_add = 0;
				1803	u16 msg_id =
				1804	vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
				1805	mp->_vl_msg_id = htons (msg_id);
				1806	mp->entry.sad_id = htonl (sa->sa_id);
				1807
				1808	if (vac->send (vac, (char ) mp, sizeof (mp), &out, &out_len))
				1809	{
				1810	DBG1 (DBG_KNL, "vac removing SA failed");
				1811	goto error;
				1812	}
				1813	rmp = (void *) out;
				1814	if (rmp->retval)
				1815	{
				1816	DBG1 (DBG_KNL, "del SA failed rv:%d", ntohl (rmp->retval));
				1817	goto error;
				1818	}
				1819
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1820	void *temp = this->sas->remove (this->sas, id);
				1821	if (sa->sa_id_p)
				1822	{
				1823	if (sa->sa_id_p->src)
				1824	sa->sa_id_p->src->destroy (sa->sa_id_p->src);
				1825	if (sa->sa_id_p->dst)
				1826	sa->sa_id_p->dst->destroy (sa->sa_id_p->dst);
				1827	free (sa->sa_id_p);
				1828	}
				1829	free (sa);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1830	rv = SUCCESS;
				1831	error:
				1832	free (out);
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1833	vl_msg_api_free (mp);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1834	this->mutex->unlock (this->mutex);
				1835	return rv;
				1836	}
				1837
				1838	METHOD (kernel_ipsec_t, flush_sas, status_t, private_kernel_vpp_ipsec_t *this)
				1839	{
				1840	enumerator_t *enumerator;
				1841	int out_len;
				1842	char *out;
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1843	vl_api_ipsec_sad_entry_add_del_t *mp = NULL;
				1844	vl_api_ipsec_sad_entry_add_del_reply_t *rmp = NULL;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1845	sa_t *sa = NULL;
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1846	status_t rv = FAILED;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1847
				1848	this->mutex->lock (this->mutex);
				1849	enumerator = this->sas->create_enumerator (this->sas);
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1850	while (enumerator->enumerate (enumerator, &sa))
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1851	{
				1852	mp = vl_msg_api_alloc (sizeof (*mp));
				1853	memset (mp, 0, sizeof (*mp));
				1854	u16 msg_id =
				1855	vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
				1856	mp->_vl_msg_id = htons (msg_id);
				1857	mp->entry.sad_id = htonl (sa->sa_id);
				1858	mp->is_add = 0;
				1859	if (vac->send (vac, (char ) mp, sizeof (mp), &out, &out_len))
				1860	{
				1861	DBG1 (DBG_KNL, "flush_sas failed!!!!");
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1862	goto error;
				1863	}
				1864	rmp = (void *) out;
				1865	if (rmp->retval)
				1866	{
				1867	DBG1 (DBG_KNL, "flush_sas failed!!!! rv: %d", ntohl (rmp->retval));
				1868	goto error;
				1869	}
				1870	if (sa->sa_id_p)
				1871	{
				1872	if (sa->sa_id_p->src)
				1873	sa->sa_id_p->src->destroy (sa->sa_id_p->src);
				1874	if (sa->sa_id_p->dst)
				1875	sa->sa_id_p->dst->destroy (sa->sa_id_p->dst);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1876	}
				1877	free (out);
				1878	vl_msg_api_free (mp);
				1879	this->sas->remove_at (this->sas, enumerator);
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1880	free (sa->sa_id_p);
				1881	free (sa);
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1882	}
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1883	rv = SUCCESS;
				1884	error:
				1885	if (out != NULL)
				1886	free (out);
				1887	if (mp != NULL)
				1888	vl_msg_api_free (mp);
				1889
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1890	enumerator->destroy (enumerator);
				1891	this->mutex->unlock (this->mutex);
				1892
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1893	return rv;
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1894	}
				1895
				1896	METHOD (kernel_ipsec_t, add_policy, status_t, private_kernel_vpp_ipsec_t *this,
				1897	kernel_ipsec_policy_id_t id, kernel_ipsec_manage_policy_t data)
				1898	{
				1899	return manage_policy (this, TRUE, id, data);
				1900	}
				1901
				1902	METHOD (kernel_ipsec_t, query_policy, status_t,
				1903	private_kernel_vpp_ipsec_t this, kernel_ipsec_policy_id_t id,
				1904	kernel_ipsec_query_policy_t data, time_t use_time)
				1905	{
				1906	return NOT_SUPPORTED;
				1907	}
				1908
				1909	METHOD (kernel_ipsec_t, del_policy, status_t, private_kernel_vpp_ipsec_t *this,
				1910	kernel_ipsec_policy_id_t id, kernel_ipsec_manage_policy_t data)
				1911	{
				1912	return manage_policy (this, FALSE, id, data);
				1913	}
				1914
				1915	METHOD (kernel_ipsec_t, flush_policies, status_t,
				1916	private_kernel_vpp_ipsec_t *this)
				1917	{
				1918	return NOT_SUPPORTED;
				1919	}
				1920
				1921	METHOD (kernel_ipsec_t, bypass_socket, bool, private_kernel_vpp_ipsec_t *this,
				1922	int fd, int family)
				1923	{
				1924	return FALSE;
				1925	}
				1926
				1927	METHOD (kernel_ipsec_t, enable_udp_decap, bool,
				1928	private_kernel_vpp_ipsec_t *this, int fd, int family, u_int16_t port)
				1929	{
				1930	DBG1 (DBG_KNL, "enable_udp_decap not supported!!!!!!!!!!!!!!!!!!!!!!!!!");
				1931	return FALSE;
				1932	}
				1933
				1934	METHOD (kernel_ipsec_t, destroy, void, private_kernel_vpp_ipsec_t *this)
				1935	{
				1936	this->mutex->destroy (this->mutex);
				1937	this->sas->destroy (this->sas);
				1938	this->spds->destroy (this->spds);
				1939	this->routes->destroy (this->routes);
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1940	if (this->sm)
				1941	{
				1942	stat_segment_disconnect_r (this->sm);
				1943	stat_client_free (this->sm);
				1944	this->sm = NULL;
				1945	}
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1946	free (this);
				1947	}
				1948
				1949	kernel_vpp_ipsec_t *
				1950	kernel_vpp_ipsec_create ()
				1951	{
				1952	private_kernel_vpp_ipsec_t *this;
				1953
				1954	INIT(this,
				1955	.public = {
				1956	.interface = {
				1957	.get_features = _get_features,
				1958	.get_spi = _get_spi,
				1959	.get_cpi = _get_cpi,
				1960	.add_sa = _add_sa,
				1961	.update_sa = _update_sa,
				1962	.query_sa = _query_sa,
				1963	.del_sa = _del_sa,
				1964	.flush_sas = _flush_sas,
				1965	.add_policy = _add_policy,
				1966	.query_policy = _query_policy,
				1967	.del_policy = _del_policy,
				1968	.flush_policies = _flush_policies,
				1969	.bypass_socket = _bypass_socket,
				1970	.enable_udp_decap = _enable_udp_decap,
				1971	.destroy = _destroy,
				1972	},
				1973	},
				1974	.next_sad_id = 0,
				1975	.next_spd_id = 0,
				1976	.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
				1977	.sas = hashtable_create((hashtable_hash_t)sa_hash,
				1978	(hashtable_equals_t)sa_equals, 32),
				1979	.spds = hashtable_create((hashtable_hash_t)interface_hash,
				1980	(hashtable_equals_t)interface_equals, 4),
				1981	.routes = linked_list_create(),
				1982	.install_routes = lib->settings->get_bool(lib->settings,
				1983	"%s.install_routes", TRUE, lib->ns),
Atzm Watanabe	fc2d95d	2023-01-25 14:11:10 +0900	[diff] [blame]	1984	.use_tunnel_mode_sa = lib->settings->get_bool(lib->settings,
				1985	"%s.plugins.kernel-vpp.use_tunnel_mode_sa",
				1986	TRUE, lib->ns),
Gabriel Oginski	2da99e5	2023-02-14 08:46:36 +0000	[diff] [blame]	1987	.sm = NULL,
Gabriel Oginski	4e88e04	2022-06-29 12:54:30 +0000	[diff] [blame]	1988	);
				1989
				1990	if (!init_spi (this))
				1991	{
				1992	destroy (this);
				1993	return NULL;
				1994	}
				1995
				1996	return &this->public;
				1997	}