Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 1 | /* |
| 2 | * decap.c : IPSec tunnel support |
| 3 | * |
| 4 | * Copyright (c) 2015 Cisco and/or its affiliates. |
| 5 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | * you may not use this file except in compliance with the License. |
| 7 | * You may obtain a copy of the License at: |
| 8 | * |
| 9 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | * |
| 11 | * Unless required by applicable law or agreed to in writing, software |
| 12 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | * See the License for the specific language governing permissions and |
| 15 | * limitations under the License. |
| 16 | */ |
| 17 | |
| 18 | #include <vnet/vnet.h> |
| 19 | #include <vnet/api_errno.h> |
| 20 | #include <vnet/ip/ip.h> |
| 21 | #include <vnet/interface.h> |
Neale Ranns | 8d7c502 | 2019-02-06 01:41:05 -0800 | [diff] [blame] | 22 | #include <vnet/fib/fib_table.h> |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 23 | |
| 24 | #include <vnet/ipsec/ipsec.h> |
| 25 | |
| 26 | u8 * |
| 27 | format_ipsec_policy_action (u8 * s, va_list * args) |
| 28 | { |
| 29 | u32 i = va_arg (*args, u32); |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 30 | char *t = 0; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 31 | |
| 32 | switch (i) |
| 33 | { |
| 34 | #define _(v,f,str) case IPSEC_POLICY_ACTION_##f: t = str; break; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 35 | foreach_ipsec_policy_action |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 36 | #undef _ |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 37 | default: |
| 38 | s = format (s, "unknown"); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 39 | } |
| 40 | s = format (s, "%s", t); |
| 41 | return s; |
| 42 | } |
| 43 | |
| 44 | uword |
| 45 | unformat_ipsec_policy_action (unformat_input_t * input, va_list * args) |
| 46 | { |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 47 | u32 *r = va_arg (*args, u32 *); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 48 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 49 | if (0); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 50 | #define _(v,f,s) else if (unformat (input, s)) *r = IPSEC_POLICY_ACTION_##f; |
| 51 | foreach_ipsec_policy_action |
| 52 | #undef _ |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 53 | else |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 54 | return 0; |
| 55 | return 1; |
| 56 | } |
| 57 | |
| 58 | u8 * |
| 59 | format_ipsec_crypto_alg (u8 * s, va_list * args) |
| 60 | { |
| 61 | u32 i = va_arg (*args, u32); |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 62 | u8 *t = 0; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 63 | |
| 64 | switch (i) |
| 65 | { |
| 66 | #define _(v,f,str) case IPSEC_CRYPTO_ALG_##f: t = (u8 *) str; break; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 67 | foreach_ipsec_crypto_alg |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 68 | #undef _ |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 69 | default: |
| 70 | s = format (s, "unknown"); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 71 | } |
| 72 | s = format (s, "%s", t); |
| 73 | return s; |
| 74 | } |
| 75 | |
| 76 | uword |
| 77 | unformat_ipsec_crypto_alg (unformat_input_t * input, va_list * args) |
| 78 | { |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 79 | u32 *r = va_arg (*args, u32 *); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 80 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 81 | if (0); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 82 | #define _(v,f,s) else if (unformat (input, s)) *r = IPSEC_CRYPTO_ALG_##f; |
| 83 | foreach_ipsec_crypto_alg |
| 84 | #undef _ |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 85 | else |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 86 | return 0; |
| 87 | return 1; |
| 88 | } |
| 89 | |
| 90 | u8 * |
| 91 | format_ipsec_integ_alg (u8 * s, va_list * args) |
| 92 | { |
| 93 | u32 i = va_arg (*args, u32); |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 94 | u8 *t = 0; |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 95 | |
| 96 | switch (i) |
| 97 | { |
| 98 | #define _(v,f,str) case IPSEC_INTEG_ALG_##f: t = (u8 *) str; break; |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 99 | foreach_ipsec_integ_alg |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 100 | #undef _ |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 101 | default: |
| 102 | s = format (s, "unknown"); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 103 | } |
| 104 | s = format (s, "%s", t); |
| 105 | return s; |
| 106 | } |
| 107 | |
| 108 | uword |
| 109 | unformat_ipsec_integ_alg (unformat_input_t * input, va_list * args) |
| 110 | { |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 111 | u32 *r = va_arg (*args, u32 *); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 112 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 113 | if (0); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 114 | #define _(v,f,s) else if (unformat (input, s)) *r = IPSEC_INTEG_ALG_##f; |
| 115 | foreach_ipsec_integ_alg |
| 116 | #undef _ |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 117 | else |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 118 | return 0; |
| 119 | return 1; |
| 120 | } |
| 121 | |
| 122 | u8 * |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 123 | format_ipsec_replay_window (u8 * s, va_list * args) |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 124 | { |
| 125 | u64 w = va_arg (*args, u64); |
| 126 | u8 i; |
| 127 | |
| 128 | for (i = 0; i < 64; i++) |
| 129 | { |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 130 | s = format (s, "%u", w & (1ULL << i) ? 1 : 0); |
Ed Warnicke | cb9cada | 2015-12-08 15:45:58 -0700 | [diff] [blame] | 131 | } |
| 132 | |
| 133 | return s; |
| 134 | } |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 135 | |
Neale Ranns | a09c1ff | 2019-02-04 01:10:30 -0800 | [diff] [blame] | 136 | u8 * |
| 137 | format_ipsec_policy (u8 * s, va_list * args) |
| 138 | { |
| 139 | u32 pi = va_arg (*args, u32); |
| 140 | ipsec_main_t *im = &ipsec_main; |
| 141 | ipsec_policy_t *p; |
| 142 | vlib_counter_t counts; |
| 143 | |
| 144 | p = pool_elt_at_index (im->policies, pi); |
| 145 | |
| 146 | s = format (s, " [%d] priority %d action %U protocol ", |
| 147 | pi, p->priority, format_ipsec_policy_action, p->policy); |
| 148 | if (p->protocol) |
| 149 | { |
| 150 | s = format (s, "%U", format_ip_protocol, p->protocol); |
| 151 | } |
| 152 | else |
| 153 | { |
| 154 | s = format (s, "any"); |
| 155 | } |
| 156 | if (p->policy == IPSEC_POLICY_ACTION_PROTECT) |
| 157 | { |
| 158 | s = format (s, " sa %u", p->sa_id); |
| 159 | } |
| 160 | if (p->is_ipv6) |
| 161 | { |
| 162 | s = format (s, "\n local addr range %U - %U port range %u - %u", |
| 163 | format_ip6_address, &p->laddr.start.ip6, |
| 164 | format_ip6_address, &p->laddr.stop.ip6, |
| 165 | p->lport.start, p->lport.stop); |
| 166 | s = format (s, "\n remote addr range %U - %U port range %u - %u", |
| 167 | format_ip6_address, &p->raddr.start.ip6, |
| 168 | format_ip6_address, &p->raddr.stop.ip6, |
| 169 | p->rport.start, p->rport.stop); |
| 170 | } |
| 171 | else |
| 172 | { |
| 173 | s = format (s, "\n local addr range %U - %U port range %u - %u", |
| 174 | format_ip4_address, &p->laddr.start.ip4, |
| 175 | format_ip4_address, &p->laddr.stop.ip4, |
| 176 | p->lport.start, p->lport.stop); |
| 177 | s = format (s, "\n remote addr range %U - %U port range %u - %u", |
| 178 | format_ip4_address, &p->raddr.start.ip4, |
| 179 | format_ip4_address, &p->raddr.stop.ip4, |
| 180 | p->rport.start, p->rport.stop); |
| 181 | } |
| 182 | vlib_get_combined_counter (&ipsec_spd_policy_counters, pi, &counts); |
| 183 | s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes); |
| 184 | |
| 185 | return (s); |
| 186 | } |
| 187 | |
| 188 | u8 * |
| 189 | format_ipsec_spd (u8 * s, va_list * args) |
| 190 | { |
| 191 | u32 si = va_arg (*args, u32); |
| 192 | ipsec_main_t *im = &ipsec_main; |
| 193 | ipsec_spd_t *spd; |
| 194 | u32 *i; |
| 195 | |
| 196 | spd = pool_elt_at_index (im->spds, si); |
| 197 | |
| 198 | s = format (s, "spd %u", spd->id); |
| 199 | |
| 200 | #define _(v, n) \ |
| 201 | s = format (s, "\n %s:", n); \ |
| 202 | vec_foreach(i, spd->policies[IPSEC_SPD_POLICY_##v]) \ |
| 203 | { \ |
| 204 | s = format (s, "\n %U", format_ipsec_policy, *i); \ |
| 205 | } |
| 206 | foreach_ipsec_spd_policy_type; |
| 207 | #undef _ |
| 208 | |
| 209 | return (s); |
| 210 | } |
| 211 | |
Neale Ranns | 8d7c502 | 2019-02-06 01:41:05 -0800 | [diff] [blame] | 212 | u8 * |
| 213 | format_ipsec_key (u8 * s, va_list * args) |
| 214 | { |
| 215 | ipsec_key_t *key = va_arg (*args, ipsec_key_t *); |
| 216 | |
| 217 | return (format (s, "%U", format_hex_bytes, key->data, key->len)); |
| 218 | } |
| 219 | |
| 220 | uword |
| 221 | unformat_ipsec_key (unformat_input_t * input, va_list * args) |
| 222 | { |
| 223 | ipsec_key_t *key = va_arg (*args, ipsec_key_t *); |
| 224 | u8 *data; |
| 225 | |
| 226 | if (unformat (input, "%U", unformat_hex_string, &data)) |
| 227 | { |
| 228 | ipsec_mk_key (key, data, vec_len (data)); |
| 229 | vec_free (data); |
| 230 | } |
| 231 | else |
| 232 | return 0; |
| 233 | return 1; |
| 234 | } |
| 235 | |
| 236 | u8 * |
| 237 | format_ipsec_sa (u8 * s, va_list * args) |
| 238 | { |
| 239 | u32 sai = va_arg (*args, u32); |
| 240 | ipsec_main_t *im = &ipsec_main; |
Neale Ranns | eba31ec | 2019-02-17 18:04:27 +0000 | [diff] [blame] | 241 | vlib_counter_t counts; |
Neale Ranns | 8d7c502 | 2019-02-06 01:41:05 -0800 | [diff] [blame] | 242 | u32 tx_table_id; |
| 243 | ipsec_sa_t *sa; |
| 244 | |
| 245 | sa = pool_elt_at_index (im->sad, sai); |
| 246 | |
| 247 | s = format (s, "[%d] sa %u spi %u mode %s%s protocol %s%s%s%s", |
| 248 | sai, sa->id, sa->spi, |
| 249 | sa->is_tunnel ? "tunnel" : "transport", |
| 250 | sa->is_tunnel_ip6 ? "-ip6" : "", |
| 251 | sa->protocol ? "esp" : "ah", |
| 252 | sa->udp_encap ? " udp-encap-enabled" : "", |
| 253 | sa->use_anti_replay ? " anti-replay" : "", |
| 254 | sa->use_esn ? " extended-sequence-number" : ""); |
| 255 | s = format (s, "\n last-seq %u last-seq-hi %u window %U", |
| 256 | sa->last_seq, sa->last_seq_hi, |
| 257 | format_ipsec_replay_window, sa->replay_window); |
| 258 | s = format (s, "\n crypto alg %U%s%U", |
| 259 | format_ipsec_crypto_alg, sa->crypto_alg, |
| 260 | sa->crypto_alg ? " key " : "", |
| 261 | format_ipsec_key, &sa->crypto_key); |
| 262 | s = format (s, "\n integrity alg %U%s%U", |
| 263 | format_ipsec_integ_alg, sa->integ_alg, |
| 264 | sa->integ_alg ? " key " : "", format_ipsec_key, &sa->integ_key); |
Neale Ranns | eba31ec | 2019-02-17 18:04:27 +0000 | [diff] [blame] | 265 | vlib_get_combined_counter (&ipsec_sa_counters, sai, &counts); |
| 266 | s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes); |
Neale Ranns | 8d7c502 | 2019-02-06 01:41:05 -0800 | [diff] [blame] | 267 | |
| 268 | if (sa->is_tunnel) |
| 269 | { |
| 270 | tx_table_id = fib_table_get_table_id (sa->tx_fib_index, |
| 271 | FIB_PROTOCOL_IP4); |
| 272 | s = format (s, "\n table-ID %d tunnel src %U dst %U", |
| 273 | tx_table_id, |
| 274 | format_ip46_address, &sa->tunnel_src_addr, IP46_TYPE_ANY, |
| 275 | format_ip46_address, &sa->tunnel_dst_addr, IP46_TYPE_ANY); |
| 276 | s = format (s, "\n resovle via fib-entry: %d", sa->fib_entry_index); |
| 277 | s = format (s, "\n stacked on:"); |
| 278 | s = |
| 279 | format (s, "\n %U", format_dpo_id, &sa->dpo[IPSEC_PROTOCOL_ESP], |
| 280 | 6); |
| 281 | } |
| 282 | |
| 283 | return (s); |
| 284 | } |
| 285 | |
Keith Burns (alagalah) | 166a9d4 | 2016-08-06 11:00:56 -0700 | [diff] [blame] | 286 | /* |
| 287 | * fd.io coding-style-patch-verification: ON |
| 288 | * |
| 289 | * Local Variables: |
| 290 | * eval: (c-set-style "gnu") |
| 291 | * End: |
| 292 | */ |