Neale Ranns17dcec02019-01-09 21:22:20 -08001/* Hey Emacs use -*- mode: C -*- */
Pavel Kotucek9c7ef032016-12-21 07:46:45 +01002/*
3 * Copyright (c) 2015-2016 Cisco and/or its affiliates.
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at:
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
/* Version option for this API definition file.
   NOTE(review): presumably bumped whenever a message definition changes;
   confirm against the project's API versioning rules. */
option version = "5.0.2";
Neale Ranns17dcec02019-01-09 21:22:20 -080018
Prashant Maheshwaridbf68c92019-11-14 12:42:59 +053019import "vnet/ipsec/ipsec_types.api";
Neale Rannsc87b66c2019-02-07 07:26:12 -080020import "vnet/interface_types.api";
Jakub Grajciar287d5e12020-02-28 08:26:32 +010021import "vnet/ip/ip_types.api";
22import "vnet/interface_types.api";
Neale Rannsdd4ccf22020-06-30 07:47:14 +000023import "vnet/tunnel/tunnel_types.api";
Dave Barach0d056e52017-09-28 15:11:16 -040024
/** \brief IPsec: Add/delete Security Policy Database
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add SPD if non-zero, else delete
    @param spd_id - SPD instance id (control plane allocated)

    Declared autoreply: no explicit reply message is defined for it in
    this file.
*/
autoreply define ipsec_spd_add_del
{
  u32 client_index;
  u32 context;
  bool is_add;
  u32 spd_id;
};
39
/** \brief IPsec: Add/delete SPD from interface

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add security mode if non-zero, else delete
    @param sw_if_index - index of the interface
    @param spd_id - SPD instance id to use for lookups

    NOTE(review): detaching the SPD presumably leaves the interface
    without IPsec policy enforcement; confirm what traffic handling
    applies after a delete.
*/
autoreply define ipsec_interface_add_del_spd
{
  u32 client_index;
  u32 context;

  bool is_add;
  vl_api_interface_index_t sw_if_index;
  u32 spd_id;
};
59
/** \brief IPsec: Add/delete Security Policy Database entry

    Marked deprecated; ipsec_spd_entry_add_del_v2 is the variant in this
    file that is not marked deprecated.

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add the entry if non-zero, else delete
    @param entry - Description of the entry to add/delete
*/
define ipsec_spd_entry_add_del
{
  option deprecated;
  u32 client_index;
  u32 context;
  bool is_add;
  vl_api_ipsec_spd_entry_t entry;
};
75
/** \brief IPsec: Add/delete Security Policy Database entry v2

    Same request shape as ipsec_spd_entry_add_del, but the entry is a
    vl_api_ipsec_spd_entry_v2_t.

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add the entry if non-zero, else delete
    @param entry - Description of the entry to add/delete
*/
define ipsec_spd_entry_add_del_v2
{
  u32 client_index;
  u32 context;
  bool is_add;
  vl_api_ipsec_spd_entry_v2_t entry;
};
90
/** \brief IPsec: Reply Add/delete Security Policy Database entry

    Marked deprecated, like the request it answers.

    @param context - sender context, to match reply w/ request
    @param retval - success/fail return code
    @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
*/
define ipsec_spd_entry_add_del_reply
{
  option deprecated;
  u32 context;
  i32 retval;
  u32 stat_index;
};
104
/** \brief IPsec: Reply Add/delete Security Policy Database entry v2

    @param context - sender context, to match reply w/ request
    @param retval - success/fail return code
    @param stat_index - An index for the policy in the stats segment @ /net/ipsec/policy
*/
define ipsec_spd_entry_add_del_v2_reply
{
  u32 context;
  i32 retval;
  u32 stat_index;
};
117
/** \brief Dump all IPsec SPD IDs
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request

    Answered with ipsec_spds_details messages (presumably one per SPD;
    confirm against the handler).
*/
define ipsec_spds_dump {
  u32 client_index;
  u32 context;
};
126
/** \brief Dump all IPsec SPD IDs response
    @param context - sender context which was passed in the request
    @param spd_id - SPD instance id (control plane allocated)
    @param npolicies - number of policies in SPD
*/
define ipsec_spds_details {
  u32 context;
  u32 spd_id;
  u32 npolicies;
};
Neale Ranns17dcec02019-01-09 21:22:20 -0800137
/** \brief Dump ipsec policy database data
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param spd_id - SPD instance id
    @param sa_id - SA id, optional, set to ~0 to see all policies in SPD

    NOTE(review): sa_id acts as a filter; a client that leaves the field
    zeroed presumably filters on SA id 0 rather than dumping everything,
    so audit tooling should set ~0 explicitly. Confirm against the handler.
*/
define ipsec_spd_dump {
  u32 client_index;
  u32 context;
  u32 spd_id;
  u32 sa_id;
};
150
/** \brief IPsec policy database response
    @param context - sender context which was passed in the request
    @param entry - The SPD entry.

    NOTE(review): earlier documentation also listed "bytes" and "packets"
    match counters, but this message has no such fields. Per-policy
    counters are presumably read from the stats segment using the
    stat_index returned when the entry was added; confirm.
*/
define ipsec_spd_details {
  u32 context;
  vl_api_ipsec_spd_entry_t entry;
};
161
/** \brief IPsec: Add/delete Security Association Database entry

    Marked deprecated. Later variants in this file are
    ipsec_sad_entry_add_del_v2, ipsec_sad_entry_add_del_v3 and the split
    ipsec_sad_entry_add / ipsec_sad_entry_del pair.

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add the entry if non-zero, else delete
    @param entry - Entry to add or delete

    NOTE(review): vl_api_ipsec_sad_entry_t is declared in
    vnet/ipsec/ipsec_types.api, not in this file. It presumably carries
    the SA's key material, in which case only trusted control-plane
    clients should be able to send this message; confirm.
 */
define ipsec_sad_entry_add_del
{
  option deprecated;
  u32 client_index;
  u32 context;
  bool is_add;
  vl_api_ipsec_sad_entry_t entry;
};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000175
/** \brief IPsec: Add/delete Security Association Database entry v2

    Same request shape as ipsec_sad_entry_add_del, but the entry is a
    vl_api_ipsec_sad_entry_v2_t. Answered by
    ipsec_sad_entry_add_del_v2_reply.

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add the entry if non-zero, else delete
    @param entry - Entry to add or delete (type declared in
                   vnet/ipsec/ipsec_types.api)
 */
define ipsec_sad_entry_add_del_v2
{
  u32 client_index;
  u32 context;
  bool is_add;
  vl_api_ipsec_sad_entry_v2_t entry;
};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000183
/** \brief IPsec: Add/delete Security Association Database entry v3

    Same request shape as ipsec_sad_entry_add_del, but the entry is a
    vl_api_ipsec_sad_entry_v3_t. Answered by
    ipsec_sad_entry_add_del_v3_reply.

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param is_add - add the entry if non-zero, else delete
    @param entry - Entry to add or delete (type declared in
                   vnet/ipsec/ipsec_types.api)
 */
define ipsec_sad_entry_add_del_v3
{
  u32 client_index;
  u32 context;
  bool is_add;
  vl_api_ipsec_sad_entry_v3_t entry;
};
/** \brief IPsec: Add a Security Association Database entry

    Add-only request; unlike the add_del variants it has no is_add flag.
    Answered by ipsec_sad_entry_add_reply.

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param entry - Entry to add (vl_api_ipsec_sad_entry_v3_t, declared in
                   vnet/ipsec/ipsec_types.api)
 */
define ipsec_sad_entry_add
{
  u32 client_index;
  u32 context;
  vl_api_ipsec_sad_entry_v3_t entry;
};
/** \brief IPsec: Delete a Security Association Database entry

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param id - NOTE(review): presumably the SA id of the entry to
                delete; confirm against the handler

    Declared autoreply: no explicit reply message is defined for it in
    this file.
 */
autoreply define ipsec_sad_entry_del
{
  u32 client_index;
  u32 context;
  u32 id;
};
Neale Ranns9ec846c2021-02-09 14:04:02 +0000203
/** \brief An API to update the tunnel parameters and the ports associated with an SA

    Used in the NAT-T case when the NAT data changes
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sad_id - the id of the SA to update
    @param is_tun - update the tunnel if non-zero, else update only the ports
    @param tunnel - the new tunnel parameters. NOTE(review): presumably
                    only consulted when is_tun is set; confirm
    @param udp_src_port - new src port for NAT-T. Used if different from 0xffff
    @param udp_dst_port - new dst port for NAT-T. Used if different from 0xffff

    Both port fields default to 0xffff, so a client that omits them
    leaves the ports unchanged per the descriptions above.
    This message re-points an existing SA's tunnel endpoints and UDP
    ports, so it warrants the same access control as SA creation.
 */
autoreply define ipsec_sad_entry_update
{
  u32 client_index;
  u32 context;
  u32 sad_id;
  bool is_tun;
  vl_api_tunnel_t tunnel;
  u16 udp_src_port [default=0xffff];
  u16 udp_dst_port [default=0xffff];
};
225
/** \brief IPsec: Reply Add/delete Security Association Database entry

    Marked deprecated, like the request it answers.

    @param context - sender context, to match reply w/ request
    @param retval - return code
    @param stat_index - NOTE(review): presumably the index for the SA in
                        the stats segment @ /net/ipsec/sa, as documented
                        for ipsec_sa_details; confirm
 */
define ipsec_sad_entry_add_del_reply
{
  option deprecated;
  u32 context;
  i32 retval;
  u32 stat_index;
};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000233
/** \brief IPsec: Reply Add/delete Security Association Database entry v2

    @param context - sender context, to match reply w/ request
    @param retval - return code
    @param stat_index - NOTE(review): presumably the index for the SA in
                        the stats segment @ /net/ipsec/sa, as documented
                        for ipsec_sa_details; confirm
 */
define ipsec_sad_entry_add_del_v2_reply
{
  u32 context;
  i32 retval;
  u32 stat_index;
};
Piotr Bronowski815c6a42022-06-09 09:09:28 +0000240
/** \brief IPsec: Reply Add/delete Security Association Database entry v3

    @param context - sender context, to match reply w/ request
    @param retval - return code
    @param stat_index - NOTE(review): presumably the index for the SA in
                        the stats segment @ /net/ipsec/sa, as documented
                        for ipsec_sa_details; confirm
 */
define ipsec_sad_entry_add_del_v3_reply
{
  u32 context;
  i32 retval;
  u32 stat_index;
};
/** \brief IPsec: Reply to ipsec_sad_entry_add

    @param context - sender context, to match reply w/ request
    @param retval - return code
    @param stat_index - NOTE(review): presumably the index for the SA in
                        the stats segment @ /net/ipsec/sa, as documented
                        for ipsec_sa_details; confirm
 */
define ipsec_sad_entry_add_reply
{
  u32 context;
  i32 retval;
  u32 stat_index;
};
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100253
/** \brief Add or Update Protection for a tunnel with IPSEC

    Tunnel protection directly associates an SA with all packets
    ingress and egress on the tunnel. This could also be achieved by
    assigning an SPD to the tunnel, but that would incur an unnecessary
    SPD entry lookup.

    For tunnels the ESP acts on the post-encapsulated packet. So if this
    packet:
      +---------+------+
      | Payload | O-IP |
      +---------+------+
    where O-IP is the overlay IP address that was routed into the tunnel,
    the resulting encapsulated packet will be:
      +---------+------+------+
      | Payload | O-IP | T-IP |
      +---------+------+------+
    where T-IP is the tunnel's src/dst IP addresses.
    If the SAs used for protection are in transport mode then the ESP is
    inserted before T-IP, i.e.:
      +---------+------+-----+------+
      | Payload | O-IP | ESP | T-IP |
      +---------+------+-----+------+
    If the SAs used for protection are in tunnel mode then another
    encapsulation occurs, i.e.:
      +---------+------+------+-----+------+
      | Payload | O-IP | T-IP | ESP | C-IP |
      +---------+------+------+-----+------+
    where C-IP are the crypto endpoint IP addresses defined as the tunnel
    endpoints in the SA.
    The mode for the inbound and outbound SA must be the same.

    client_index and context are not fields of this typedef; they belong
    to the messages that embed it (e.g. ipsec_tunnel_protect_update).

    @param sw_if_index - Tunnel interface to protect
    @param nh - The peer/next-hop on the tunnel to which the traffic
                should be protected. For a P2P interface set this to the
                all 0s address.
    @param sa_out - The ID of outbound SA
    @param n_sa_in - number of entries in sa_in (u8, so at most 255)
    @param sa_in - The ID [set] of inbound SAs
*/
typedef ipsec_tunnel_protect
{
  vl_api_interface_index_t sw_if_index;
  vl_api_address_t nh;
  u32 sa_out;
  u8 n_sa_in;
  u32 sa_in[n_sa_in];
};
303
/** \brief Add or update the protection on a tunnel

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param tunnel - the protection to apply, see ipsec_tunnel_protect

    Declared autoreply: no explicit reply message is defined for it in
    this file.
*/
autoreply define ipsec_tunnel_protect_update
{
  u32 client_index;
  u32 context;

  vl_api_ipsec_tunnel_protect_t tunnel;
};
311
/** \brief Remove the protection from a tunnel

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sw_if_index - Tunnel interface whose protection is removed
    @param nh - The peer/next-hop the protection was applied to
                (same field as in ipsec_tunnel_protect)

    NOTE(review): what happens to traffic on the tunnel once its
    protection is removed is not stated in this file; confirm whether it
    is dropped or forwarded unprotected.
*/
autoreply define ipsec_tunnel_protect_del
{
  u32 client_index;
  u32 context;

  vl_api_interface_index_t sw_if_index;
  vl_api_address_t nh;
};
320
/**
 * @brief Dump all tunnel protections
 * @param client_index - opaque cookie to identify the sender
 * @param context - sender context, to match reply w/ request
 * @param sw_if_index - NOTE(review): presumably restricts the dump to
 *                      one interface, with ~0 meaning all; confirm
 */
define ipsec_tunnel_protect_dump
{
  u32 client_index;
  u32 context;
  vl_api_interface_index_t sw_if_index;
};
330
/**
 * @brief Tunnel protection dump response
 * @param context - sender context which was passed in the request
 * @param tun - the protection on the tunnel, see ipsec_tunnel_protect
 */
define ipsec_tunnel_protect_details
{
  u32 context;
  vl_api_ipsec_tunnel_protect_t tun;
};
336
/** \brief IPsec: Get SPD interfaces
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param spd_index - SPD index
    @param spd_index_valid - if 1 spd_index is used to filter
                             spd_index's, if 0 no filtering is done
*/
define ipsec_spd_interface_dump {
  u32 client_index;
  u32 context;
  u32 spd_index;
  u8 spd_index_valid;
};
350
/** \brief IPsec: SPD interface response
    @param context - sender context which was passed in the request
    @param spd_index - SPD index
    @param sw_if_index - index of the interface
*/
define ipsec_spd_interface_details {
  u32 context;
  u32 spd_index;
  vl_api_interface_index_t sw_if_index;
};
361
/** \brief IPsec interface description
    @param user_instance - instance number of the interface; defaults to
                           0xffffffff (NOTE(review): presumably meaning
                           "let the data plane choose"; confirm)
    @param mode - tunnel mode, type declared in
                  vnet/tunnel/tunnel_types.api
    @param sw_if_index - interface index (NOTE(review): presumably
                         ignored on create and filled in on dump; confirm)
*/
typedef ipsec_itf
{
  u32 user_instance [default=0xffffffff];
  vl_api_tunnel_mode_t mode;
  vl_api_interface_index_t sw_if_index;
};
368
/** \brief Create an IPSec interface
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param itf - the interface to create, see ipsec_itf

    Answered by ipsec_itf_create_reply.
 */
define ipsec_itf_create {
  u32 client_index;
  u32 context;
  vl_api_ipsec_itf_t itf;
};
376
/** \brief Add IPsec interface response
    @param context - sender context, to match reply w/ request
    @param retval - return status
    @param sw_if_index - sw_if_index of new interface (for successful add)
*/
define ipsec_itf_create_reply
{
  u32 context;
  i32 retval;
  vl_api_interface_index_t sw_if_index;
};
388
/** \brief Delete an IPsec interface
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sw_if_index - index of the interface to delete

    Declared autoreply: no explicit reply message is defined for it in
    this file.
*/
autoreply define ipsec_itf_delete
{
  u32 client_index;
  u32 context;
  vl_api_interface_index_t sw_if_index;
};
395
/** \brief Dump IPsec interfaces
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sw_if_index - NOTE(review): presumably restricts the dump to
                         one interface, with ~0 meaning all; confirm
*/
define ipsec_itf_dump
{
  u32 client_index;
  u32 context;
  vl_api_interface_index_t sw_if_index;
};
402
/** \brief IPsec interface dump response
    @param context - sender context which was passed in the request
    @param itf - the interface, see ipsec_itf
*/
define ipsec_itf_details
{
  u32 context;
  vl_api_ipsec_itf_t itf;
};
408
/** \brief Dump IPsec security association

    Marked deprecated; ipsec_sa_v2_dump and ipsec_sa_v3_dump are the
    variants in this file that are not marked deprecated.

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
*/
define ipsec_sa_dump
{
  option deprecated;
  u32 client_index;
  u32 context;
  u32 sa_id;
};
/** \brief Dump IPsec security association, v2

    Same request fields as ipsec_sa_dump; presumably answered with
    ipsec_sa_v2_details (confirm against the handler).

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
*/
define ipsec_sa_v2_dump
{
  u32 client_index;
  u32 context;
  u32 sa_id;
};
/** \brief Dump IPsec security association, v3

    Same request fields as ipsec_sa_dump; presumably answered with
    ipsec_sa_v3_details (confirm against the handler).

    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param sa_id - optional ID of an SA to dump, if ~0 dump all SAs in SAD
*/
define ipsec_sa_v3_dump
{
  u32 client_index;
  u32 context;
  u32 sa_id;
};
Matthew Smith28029532017-09-26 13:33:44 -0500433
/** \brief IPsec security association database response

    Marked deprecated, like ipsec_sa_dump.

    @param context - sender context which was passed in the request
    @param entry - The SA details
    @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
    @param salt - 4 byte salt
    @param seq_outbound - current sequence number for outbound. A single
                          u64; earlier documentation described it as
                          seq plus seq_hi (high 32 bits of ESN)
    @param last_seq_inbound - highest sequence number received inbound.
                              A single u64; earlier documentation
                              described it as last_seq plus last_seq_hi
    @param replay_window - bit map of seq nums received relative to last_seq if using anti-replay
    @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa

    NOTE(review): the reply exposes per-SA state (the entry, the salt
    and the sequence/anti-replay counters); treat dump output as
    sensitive when logging or exporting it.
*/
define ipsec_sa_details {
  option deprecated;
  u32 context;
  vl_api_ipsec_sad_entry_t entry;

  vl_api_interface_index_t sw_if_index;
  u32 salt;
  u64 seq_outbound;
  u64 last_seq_inbound;
  u64 replay_window;

  u32 stat_index;
};
/** \brief IPsec security association database response, v2

    Same fields as ipsec_sa_details, but the entry is a
    vl_api_ipsec_sad_entry_v2_t.

    @param context - sender context which was passed in the request
    @param entry - The SA details
    @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
    @param salt - 4 byte salt
    @param seq_outbound - current sequence number for outbound (u64)
    @param last_seq_inbound - highest sequence number received inbound (u64)
    @param replay_window - bit map of seq nums received relative to the
                           last inbound sequence number if using anti-replay
    @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa

    NOTE(review): the reply exposes per-SA state (the entry, the salt
    and the sequence/anti-replay counters); treat dump output as
    sensitive when logging or exporting it.
*/
define ipsec_sa_v2_details {
  u32 context;
  vl_api_ipsec_sad_entry_v2_t entry;

  vl_api_interface_index_t sw_if_index;
  u32 salt;
  u64 seq_outbound;
  u64 last_seq_inbound;
  u64 replay_window;

  u32 stat_index;
};
/** \brief IPsec security association database response, v3

    The entry is a vl_api_ipsec_sad_entry_v3_t. Unlike ipsec_sa_details
    and ipsec_sa_v2_details, this message has no salt field.

    @param context - sender context which was passed in the request
    @param entry - The SA details
    @param sw_if_index - sw_if_index of tunnel interface, policy-based SAs = ~0
    @param seq_outbound - current sequence number for outbound (u64)
    @param last_seq_inbound - highest sequence number received inbound (u64)
    @param replay_window - bit map of seq nums received relative to the
                           last inbound sequence number if using anti-replay
    @param stat_index - index for the SA in the stats segment @ /net/ipsec/sa

    NOTE(review): the reply exposes per-SA state (the entry and the
    sequence/anti-replay counters); treat dump output as sensitive when
    logging or exporting it.
*/
define ipsec_sa_v3_details {
  u32 context;
  vl_api_ipsec_sad_entry_v3_t entry;

  vl_api_interface_index_t sw_if_index;
  u64 seq_outbound;
  u64 last_seq_inbound;
  u64 replay_window;

  u32 stat_index;
};
Matthew Smith28029532017-09-26 13:33:44 -0500482
/** \brief Dump IPsec backends
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request

    Answered with ipsec_backend_details messages (presumably one per
    backend; confirm against the handler).
*/
define ipsec_backend_dump {
  u32 client_index;
  u32 context;
};
491
/** \brief IPsec backend details
    @param context - sender context which was passed in the request
    @param name - name of the backend (fixed string[128] field)
    @param protocol - IPsec protocol (value from ipsec_protocol_t)
    @param index - backend index
    @param active - set to 1 if the backend is active, otherwise 0
*/
define ipsec_backend_details {
  u32 context;
  string name[128];
  vl_api_ipsec_proto_t protocol;
  u8 index;
  bool active;
};
505
/** \brief Select IPsec backend
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param protocol - IPsec protocol (value from ipsec_protocol_t)
    @param index - backend index, as reported in ipsec_backend_details

    NOTE(review): this switches the implementation that processes the
    given protocol, so it is a configuration change worth auditing.
    Whether it is accepted while SAs exist is not stated here; confirm.
*/
autoreply define ipsec_select_backend {
  u32 client_index;
  u32 context;
  vl_api_ipsec_proto_t protocol;
  u8 index;
};
518
Yulong Pei2e84d662020-08-14 18:21:08 +0800519
/** \brief IPsec Set Async mode
    @param client_index - opaque cookie to identify the sender
    @param context - sender context, to match reply w/ request
    @param async_enable - ipsec async mode on or off

    Declared autoreply: no explicit reply message is defined for it in
    this file.
*/
autoreply define ipsec_set_async_mode {
  u32 client_index;
  u32 context;
  bool async_enable;
};
530
/* Counter set for ESP decryption, bound to the /err/esp4-decrypt and
   /err/esp6-decrypt families of paths in the paths block of this file.
   Every counter is a counter64 in units of packets.

   For monitoring, the error-severity counters integ_error ("integrity
   check failed"), decryption_failed ("ESP decryption failed") and replay
   ("SA replayed packet") are the ones that reflect rejected inbound
   traffic rather than resource exhaustion; sustained growth on a
   production SA is worth alerting on.

   NOTE(review): this set names its post-processing counter rx_post_pkts
   while esp_encrypt names it post_rx_pkts; confirm whether the
   difference is intentional before relying on the names in dashboards. */
counters esp_decrypt {
  rx_pkts {
    severity info;
    type counter64;
    units "packets";
    description "ESP pkts received";
  };
  rx_post_pkts {
    severity info;
    type counter64;
    units "packets";
    description "ESP-POST pkts received";
  };
  handoff {
    severity info;
    type counter64;
    units "packets";
    description "hand-off";
  };
  decryption_failed {
    severity error;
    type counter64;
    units "packets";
    description "ESP decryption failed";
  };
  integ_error {
    severity error;
    type counter64;
    units "packets";
    description "integrity check failed";
  };
  crypto_engine_error {
    severity error;
    type counter64;
    units "packets";
    description "crypto engine error (packet dropped)";
  };
  replay {
    severity error;
    type counter64;
    units "packets";
    description "SA replayed packet";
  };
  runt {
    severity error;
    type counter64;
    units "packets";
    description "undersized packet";
  };
  no_buffers {
    severity error;
    type counter64;
    units "packets";
    description "no buffers (packet dropped)";
  };
  oversized_header {
    severity error;
    type counter64;
    units "packets";
    description "buffer with oversized header (dropped)";
  };
  no_tail_space {
    severity error;
    type counter64;
    units "packets";
    description "no enough buffer tail space (dropped)";
  };
  tun_no_proto {
    severity error;
    type counter64;
    units "packets";
    description "no tunnel protocol";
  };
  unsup_payload {
    severity error;
    type counter64;
    units "packets";
    description "unsupported payload";
  };
};
611
/* Counter set for ESP encryption, bound to the /err/esp4-encrypt,
   /err/esp6-encrypt and /err/esp-mpls-encrypt-tun families of paths in
   the paths block of this file. Every counter is a counter64 in units
   of packets.

   Security-relevant error counters, per their descriptions:
   seq_cycled - the outbound sequence number cycled and the packet was
                dropped; a non-zero value means an SA ran out of
                sequence space, presumably because it was not rekeyed
                in time (confirm against the rekey policy in use).
   no_protection / no_encryption - packets dropped because no
                protecting / encrypting SA was available. */
counters esp_encrypt {
  rx_pkts {
    severity info;
    type counter64;
    units "packets";
    description "ESP pkts received";
  };
  post_rx_pkts {
    severity info;
    type counter64;
    units "packets";
    description "ESP-post pkts received";
  };
  handoff {
    severity info;
    type counter64;
    units "packets";
    description "Hand-off";
  };
  seq_cycled {
    severity error;
    type counter64;
    units "packets";
    description "sequence number cycled (packet dropped)";
  };
  crypto_engine_error {
    severity error;
    type counter64;
    units "packets";
    description "crypto engine error (packet dropped)";
  };
  crypto_queue_full {
    severity error;
    type counter64;
    units "packets";
    description "crypto queue full (packet dropped)";
  };
  no_buffers {
    severity error;
    type counter64;
    units "packets";
    description "no buffers (packet dropped)";
  };
  no_protection {
    severity error;
    type counter64;
    units "packets";
    description "no protecting SA (packet dropped)";
  };
  no_encryption {
    severity error;
    type counter64;
    units "packets";
    description "no Encrypting SA (packet dropped)";
  };
};
668
/* Counter set for the AH outbound path, bound to /err/ah4-encrypt and
   /err/ah6-encrypt in the paths block of this file. Every counter is a
   counter64 in units of packets.

   seq_cycled counts packets dropped because the sequence number cycled;
   a non-zero value means an SA ran out of sequence space. */
counters ah_encrypt {
  rx_pkts {
    severity info;
    type counter64;
    units "packets";
    description "AH pkts received";
  };
  crypto_engine_error {
    severity error;
    type counter64;
    units "packets";
    description "crypto engine error (packet dropped)";
  };
  seq_cycled {
    severity error;
    type counter64;
    units "packets";
    description "sequence number cycled (packet dropped)";
  };
};
689
/* Counter set for the AH inbound path. Every counter is a counter64 in
   units of packets.

   For monitoring, integ_error ("Integrity check failed") and replay
   ("SA replayed packet") reflect rejected inbound traffic.

   NOTE(review): no entry in the paths block of this file refers to
   "ah_decrypt", so these counters are not bound to a path here; confirm
   whether the binding is done elsewhere or is missing. */
counters ah_decrypt {
  rx_pkts {
    severity info;
    type counter64;
    units "packets";
    description "AH pkts received";
  };
  decryption_failed {
    severity error;
    type counter64;
    units "packets";
    description "AH decryption failed";
  };
  integ_error {
    severity error;
    type counter64;
    units "packets";
    description "Integrity check failed";
  };
  no_tail_space {
    severity error;
    type counter64;
    units "packets";
    description "not enough buffer tail space (dropped)";
  };
  drop_fragments {
    severity error;
    type counter64;
    units "packets";
    description "IP fragments drop";
  };
  replay {
    severity error;
    type counter64;
    units "packets";
    description "SA replayed packet";
  };
};
728
/* Counter set for IPsec tunnel input, bound to /err/ipsec4-tun-input and
   /err/ipsec6-tun-input in the paths block of this file. Every counter
   is a counter64 in units of packets.

   no_tunnel ("no matching tunnel") and tunnel_mismatch ("SPI-tunnel
   mismatch") count inbound packets that did not correspond to a
   configured tunnel; growth can indicate misconfiguration or unsolicited
   ESP traffic. spi_0 and nat_keepalive are severity info. */
counters ipsec_tun {
  rx {
    severity info;
    type counter64;
    units "packets";
    description "good packets received";
  };
  disabled {
    severity error;
    type counter64;
    units "packets";
    description "ipsec packets received on disabled interface";
  };
  no_tunnel {
    severity error;
    type counter64;
    units "packets";
    description "no matching tunnel";
  };
  tunnel_mismatch {
    severity error;
    type counter64;
    units "packets";
    description "SPI-tunnel mismatch";
  };
  nat_keepalive {
    severity info;
    type counter64;
    units "packets";
    description "NAT Keepalive";
  };
  too_short {
    severity error;
    type counter64;
    units "packets";
    description "Too Short";
  };
  spi_0 {
    severity info;
    type counter64;
    units "packets";
    description "SPI 0";
  };
};
773
/* Binds each "/err/<node>" path to one of the counter sets declared in
   this file (presumably the per-node error counters in the stats
   segment; confirm).

   NOTE(review): the ah_decrypt counter set is declared above but no path
   here refers to it, and there are no ah4-decrypt / ah6-decrypt entries.
   If that is an omission, AH inbound integrity and replay failures would
   not be visible through these paths. */
paths {
  "/err/esp4-encrypt" "esp_encrypt";
  "/err/esp4-encrypt-post" "esp_encrypt";
  "/err/esp4-encrypt-tun" "esp_encrypt";
  "/err/esp4-encrypt-tun-post" "esp_encrypt";
  "/err/esp6-encrypt" "esp_encrypt";
  "/err/esp6-encrypt-post" "esp_encrypt";
  "/err/esp6-encrypt-tun" "esp_encrypt";
  "/err/esp6-encrypt-tun-post" "esp_encrypt";
  "/err/esp-mpls-encrypt-tun" "esp_encrypt";
  "/err/esp-mpls-encrypt-tun-post" "esp_encrypt";
  "/err/esp4-decrypt" "esp_decrypt";
  "/err/esp4-decrypt-post" "esp_decrypt";
  "/err/esp4-decrypt-tun" "esp_decrypt";
  "/err/esp4-decrypt-tun-post" "esp_decrypt";
  "/err/esp6-decrypt" "esp_decrypt";
  "/err/esp6-decrypt-post" "esp_decrypt";
  "/err/esp6-decrypt-tun" "esp_decrypt";
  "/err/esp6-decrypt-tun-post" "esp_decrypt";
  "/err/ah4-encrypt" "ah_encrypt";
  "/err/ah6-encrypt" "ah_encrypt";
  "/err/ipsec4-tun-input" "ipsec_tun";
  "/err/ipsec6-tun-input" "ipsec_tun";
};
798
Pavel Kotucek9c7ef032016-12-21 07:46:45 +0100799/*
800 * Local Variables:
801 * eval: (c-set-style "gnu")
802 * End:
803 */