blob: a48bd57393892dd56ca319d1aa7d0b29748f8c7c [file] [log] [blame]
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001/*
2 * Copyright (c) 2022 Intel and/or its affiliates.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at:
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16#include <daemon.h>
17#include <utils/debug.h>
18#include <vlibapi/api.h>
19#include <vlibmemory/api.h>
20#include <vnet/ipsec/ipsec.h>
21#include <vnet/vnet.h>
22#include <collections/hashtable.h>
23#include <threading/mutex.h>
24#include <processing/jobs/callback_job.h>
25#include <vpp-api/client/stat_client.h>
26
27#define vl_typedefs
28#define vl_endianfun
29/* Include the (first) vlib-api API definition layer */
30#include <vlibmemory/vl_memory_api_h.h>
31/* Include the current layer (third) vpp API definition layer */
32#include <vpp/api/vpe_types.api.h>
33#include <vpp/api/vpe.api.h>
34
35#include <vnet/ip-neighbor/ip_neighbor.api_enum.h>
36#include <vnet/ip-neighbor/ip_neighbor.api_types.h>
37#include <vnet/ipsec/ipsec.api_enum.h>
38#include <vnet/ipsec/ipsec.api_types.h>
39#include <vnet/interface.api_enum.h>
40#include <vnet/interface.api_types.h>
41#undef vl_typedefs
42#undef vl_endianfun
43
44#include "kernel_vpp_ipsec.h"
45#include "kernel_vpp_shared.h"
46
47#include <stdio.h>
48#include <stdlib.h>
49#include <string.h>
50#include <sys/socket.h>
51#include <netinet/in.h>
52#include <arpa/inet.h>
53#include <sys/ioctl.h>
54#include <net/if.h>
55#include <net/route.h>
56#include <unistd.h>
57#include <fcntl.h>
58#include <sys/types.h>
59#include <net/if_arp.h>
60#include <sys/stat.h>
61#include <dirent.h>
62
63#define PRIO_BASE 384
64
Gabriel Oginski2da99e52023-02-14 08:46:36 +000065/**
66 * Every 2 seconds, the thread responsible for collecting the available
67 * interfaces will be executed.
68 * Retrying 5 times every 1 second ensures that there is enough time to check
69 * if the interface will be available.
70 */
71#define N_RETRY_GET_IF 5
72
Gabriel Oginski4e88e042022-06-29 12:54:30 +000073u32 natt_port;
74
75/**
76 * One and only instance of the daemon.
77 */
78daemon_t *charon;
79
80typedef struct private_kernel_vpp_ipsec_t private_kernel_vpp_ipsec_t;
81
82/**
83 * Private variables of kernel_vpp_ipsec class.
84 */
85struct private_kernel_vpp_ipsec_t
86{
87
88 /**
89 * Public interface
90 */
91 kernel_vpp_ipsec_t public;
92
93 /**
94 * Next security association database entry ID to allocate
95 */
96 refcount_t next_sad_id;
97
98 /**
99 * Next security policy database entry ID to allocate
100 */
101 refcount_t next_spd_id;
102
103 /**
104 * Mutex to lock access to installed policies
105 */
106 mutex_t *mutex;
107
108 /**
109 * Hash table of instaled SA, as kernel_ipsec_sa_id_t => sa_t
110 */
111 hashtable_t *sas;
112
113 /**
114 * Hash table of security policy databases, as nterface => spd_t
115 */
116 hashtable_t *spds;
117
118 /**
119 * Linked list of installed routes
120 */
121 linked_list_t *routes;
122
123 /**
124 * Next SPI to allocate
125 */
126 refcount_t nextspi;
127
128 /**
129 * Mix value to distribute SPI allocation randomly
130 */
131 uint32_t mixspi;
132
133 /**
134 * Whether to install routes along policies
135 */
136 bool install_routes;
Atzm Watanabefc2d95d2023-01-25 14:11:10 +0900137
138 /**
139 * Whether to install SAs with tunnel flag. Disabling this can be useful
140 * in some scenarios e.g. using SAs to "ipsec tunnel protect" for the
141 * route-based IPsec
142 */
143 bool use_tunnel_mode_sa;
Gabriel Oginski2da99e52023-02-14 08:46:36 +0000144
145 /**
146 * Connections to VPP Stats
147 */
148 stat_client_main_t *sm;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000149};
150
151/**
152 * Security association entry
153 */
154typedef struct
155{
156 /** VPP SA ID */
157 uint32_t sa_id;
158 uint32_t stat_index;
Gabriel Oginski2da99e52023-02-14 08:46:36 +0000159 kernel_ipsec_sa_id_t *sa_id_p;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000160} sa_t;
161
162/**
163 * Security policy database
164 */
165typedef struct
166{
167 /** VPP SPD ID */
168 uint32_t spd_id;
169 /** Networking interface ID restricting policy */
170 uint32_t sw_if_index;
171 /** Policy count for this SPD */
172 refcount_t policy_num;
Gabriel Oginski2da99e52023-02-14 08:46:36 +0000173 /** Name of the interface the SPD is bound to */
174 char *if_name;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000175} spd_t;
176
177/**
178 * Installed route
179 */
180typedef struct
181{
182 /** Name of the interface the route is bound to */
183 char *if_name;
184 /** Gateway of route */
185 host_t *gateway;
186 /** Destination network of route */
187 host_t *dst_net;
188 /** Prefix length of dst_net */
189 uint8_t prefixlen;
190 /** References for route */
191 refcount_t refs;
192} route_entry_t;
193
194#define htonll(x) \
195 ((1 == htonl (1)) ? \
196 (x) : \
197 ((uint64_t) htonl ((x) &0xFFFFFFFF) << 32) | htonl ((x) >> 32))
198#define ntohll(x) \
199 ((1 == ntohl (1)) ? \
200 (x) : \
201 ((uint64_t) ntohl ((x) &0xFFFFFFFF) << 32) | ntohl ((x) >> 32))
202
203CALLBACK (route_equals, bool, route_entry_t *a, va_list args)
204{
205 host_t *dst_net, *gateway;
206 uint8_t *prefixlen;
207 char *if_name;
208
209 VA_ARGS_VGET (args, if_name, gateway, dst_net, prefixlen);
210
211 return a->if_name && if_name && streq (a->if_name, if_name) &&
212 a->gateway->ip_equals (a->gateway, gateway) &&
213 a->dst_net->ip_equals (a->dst_net, dst_net) &&
214 a->prefixlen == *prefixlen;
215}
216
217/**
218 * Clean up a route entry
219 */
220static void
221route_destroy (route_entry_t *this)
222{
223 this->dst_net->destroy (this->dst_net);
224 this->gateway->destroy (this->gateway);
225 free (this->if_name);
226 free (this);
227}
228
229static uint32_t get_sw_if_index ();
230
231static int
232set_arp (char *ipStr, char *if_name, bool add)
233{
234 char *out = NULL;
235 int out_len = 0;
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000236 vl_api_ip_neighbor_add_del_t *mp = NULL;
237 vl_api_ip_neighbor_add_del_reply_t *rmp = NULL;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000238 int rc = SUCCESS;
239 uint32_t sw_if_index = ~0;
240
241 FILE *fp;
242 int nread = 0;
243 ssize_t len = 0;
244 char *buffer = NULL;
245 char buf[2][20];
246 char *file = "/proc/net/arp";
247 unsigned char mac[8] = {
248 0,
249 };
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000250 uint32_t addr = 0;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000251
252 if (if_name == NULL || ipStr == NULL)
253 {
254 DBG2 (DBG_KNL, "para is null\n");
255 rc = FAILED;
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000256 goto error;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000257 }
258 DBG2 (DBG_KNL, "from kernel read mac\n");
259
260 mp = vl_msg_api_alloc (sizeof (*mp));
261 memset (mp, 0, sizeof (*mp));
262 sw_if_index = get_sw_if_index (if_name);
263 if (sw_if_index == ~0)
264 {
265 DBG1 (DBG_KNL, "sw_if_index for %s not found", if_name);
266 goto error;
267 }
268
269 fp = fopen (file, "rb");
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000270 while (fp && ((nread = getline (&buffer, &len, fp)) != -1))
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000271 {
272 sscanf (buffer, "%s %*s %*s %s %*s %*s", &buf[0], &buf[1]);
273 inet_aton (&buf[0], &addr);
274
275 if (addr == *((u32 *) (ipStr)))
276 {
277 sscanf (buf[1], "%02x:%02x:%02x:%02x:%02x:%02x", &mac[0], &mac[1],
278 &mac[2], &mac[3], &mac[4], &mac[5]);
279 u16 msg_id =
280 vl_msg_api_get_msg_index ((u8 *) "ip_neighbor_add_del_0607c257");
281 mp->_vl_msg_id = htons (msg_id);
282 mp->is_add = add;
283 memcpy (mp->neighbor.ip_address.un.ip4, (u8 *) &addr, sizeof (addr));
284 mp->neighbor.ip_address.af = 0;
285 memcpy (mp->neighbor.mac_address, mac, 6);
286 mp->neighbor.sw_if_index = htonl (sw_if_index);
287 mp->neighbor.flags = 1;
288
289 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
290 {
291 DBG1 (DBG_KNL, "vac %s neighbor entry",
292 add ? "adding" : "removing");
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000293 fclose (fp);
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000294 goto error;
295 }
296 rmp = (void *) out;
297 if (rmp->retval)
298 {
299 DBG1 (DBG_KNL, "%s neighbor add rv:%d", add ? "add" : "remove",
300 ntohl (rmp->retval));
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000301 fclose (fp);
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000302 goto error;
303 }
304 fclose (fp);
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000305 free (out);
306 vl_msg_api_free (mp);
307 free (buffer);
308
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000309 return rc;
310 }
311 }
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000312
313 if (fp != NULL)
314 {
315 fclose (fp);
316 fp = NULL;
317 }
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000318
319error:
320 free (out);
321 vl_msg_api_free (mp);
Gabriel Oginski9cb3e152023-02-14 08:41:07 +0000322 if (buffer != NULL)
323 {
324 free (buffer);
325 buffer = NULL;
326 }
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000327 return rc;
328}
329
330static int
331add_Route (char *ipAddr, int len, char *mask, char *gateWay)
332{
333 int fd;
334 int rc = SUCCESS;
335 struct sockaddr_in _sin;
336 struct sockaddr_in *sin = &_sin;
337 struct rtentry rt;
338
339 do
340 {
341 fd = socket (AF_INET, SOCK_DGRAM, 0);
342 if (fd < 0)
343 {
344 DBG2 (DBG_KNL, "addRoute: socket error\n");
345 rc = FAILED;
346 break;
347 }
348 memset (&rt, 0, sizeof (struct rtentry));
349 memset (sin, 0, sizeof (struct sockaddr_in));
350 sin->sin_family = AF_INET;
351 sin->sin_port = 0;
352
353 if (inet_aton (gateWay, &sin->sin_addr) < 0)
354 {
355 rc = FAILED;
356 break;
357 }
358 memcpy (&rt.rt_gateway, sin, sizeof (struct sockaddr_in));
359
360 ((struct sockaddr_in *) &rt.rt_dst)->sin_family = AF_INET;
361 memcpy (&((struct sockaddr_in *) &rt.rt_dst)->sin_addr, ipAddr, len);
362
363 ((struct sockaddr_in *) &rt.rt_genmask)->sin_family = AF_INET;
364 if (inet_aton (mask,
365 &((struct sockaddr_in *) &rt.rt_genmask)->sin_addr) < 0)
366 {
367 rc = FAILED;
368 break;
369 }
370 rt.rt_flags = RTF_GATEWAY;
371 if (ioctl (fd, SIOCADDRT, &rt) < 0)
372 {
373 rc = FAILED;
374 }
375 }
376 while (0);
377
378 close (fd);
379 return rc;
380}
381
382static int
383set_address (u32 ipAddr, u32 sw_if_index, bool add)
384{
385 char *out = NULL;
386 int out_len = 0;
387 vl_api_sw_interface_add_del_address_t *mp;
388 vl_api_sw_interface_add_del_address_reply_t *rmp;
389
390 int rc = SUCCESS;
391
392 uint32_t addr;
393
394 mp = vl_msg_api_alloc (sizeof (*mp));
395 memset (mp, 0, sizeof (*mp));
396
397 u16 msg_id =
398 vl_msg_api_get_msg_index ((u8 *) "sw_interface_add_del_address_5463d73b");
399 mp->_vl_msg_id = htons (msg_id);
400 mp->is_add = add;
401 memcpy (mp->prefix.address.un.ip4, (u8 *) &ipAddr, sizeof (ipAddr));
402 mp->prefix.len = 24;
403 mp->sw_if_index = sw_if_index;
404
405 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
406 {
407 DBG2 (DBG_KNL, "vac %s neighbor entry", add ? "adding" : "removing");
408 goto error;
409 }
410 rmp = (void *) out;
411 if (rmp->retval)
412 {
413 DBG2 (DBG_KNL, "%s neighbor add rv:%d", add ? "add" : "remove",
414 ntohl (rmp->retval));
415 goto error;
416 }
417 return rc;
418
419error:
420 free (out);
421 vl_msg_api_free (mp);
422 return rc;
423}
424
425/**
426 * (Un)-install a single route
427 */
428static void
429manage_route (private_kernel_vpp_ipsec_t *this, bool add,
430 traffic_selector_t *dst_ts, host_t *src, host_t *dst)
431{
Gabriel Oginski2da99e52023-02-14 08:46:36 +0000432 host_t *dst_net = NULL, *gateway = NULL;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000433 uint8_t prefixlen;
Gabriel Oginski2da99e52023-02-14 08:46:36 +0000434 char *if_name = NULL;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000435 route_entry_t *route;
436 bool route_exist = FALSE;
437
438 char *netmask = "255.255.255.0";
439 char *tap_gateway = "1.1.1.1";
440 int arp_rc = 0;
441 if (dst->is_anyaddr (dst))
442 {
443 return;
444 }
445 gateway =
446 charon->kernel->get_nexthop (charon->kernel, dst, -1, NULL, &if_name);
447 dst_ts->to_subnet (dst_ts, &dst_net, &prefixlen);
448 if (!if_name)
449 {
450 if (src->is_anyaddr (src))
451 {
Gabriel Oginski2da99e52023-02-14 08:46:36 +0000452 goto error;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000453 }
454 if (!charon->kernel->get_interface (charon->kernel, src, &if_name))
455 {
Gabriel Oginski2da99e52023-02-14 08:46:36 +0000456 goto error;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000457 }
458 }
459 route_exist =
460 this->routes->find_first (this->routes, route_equals, (void **) &route,
461 if_name, gateway, dst_net, &prefixlen);
462 if (add)
463 {
464 DBG2 (DBG_KNL, "installing route: %H/%d via %H dev %s", dst_net,
465 prefixlen, gateway, if_name);
466 if (route_exist)
467 {
468 unsigned int refs_num = ref_get (&route->refs);
469 DBG2 (DBG_KNL, "add route but it exist %d", refs_num);
470 }
471 else
472 {
473 INIT (route, .if_name = strdup (if_name),
474 .gateway = gateway->clone (gateway),
475 .dst_net = dst_net->clone (dst_net), .prefixlen = prefixlen,
476 .refs = 1, );
477 this->routes->insert_last (this->routes, route);
478 charon->kernel->add_route (charon->kernel,
479 dst_net->get_address (dst_net), prefixlen,
480 gateway, dst, if_name, 1);
481 }
482
483 add_Route (dst_net->get_address (dst_net).ptr,
484 dst_net->get_address (dst_net).len, netmask, tap_gateway);
485
486 arp_rc = set_arp (gateway->get_address (gateway).ptr, if_name, TRUE);
487 if (arp_rc)
488 DBG2 (DBG_KNL, "arpGet success!\n");
489 }
490 else
491 {
492 DBG2 (DBG_KNL, "uninstalling route: %H/%d via %H dev %s", dst_net,
493 prefixlen, gateway, if_name);
494 if (!route_exist)
495 {
496 DBG2 (DBG_KNL, "del route but it not exist");
Gabriel Oginski2da99e52023-02-14 08:46:36 +0000497 goto error;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000498 }
499 if (ref_put (&route->refs))
500 {
501 this->routes->remove (this->routes, route, NULL);
502 route_destroy (route);
503 charon->kernel->del_route (charon->kernel,
504 dst_net->get_address (dst_net), prefixlen,
505 gateway, dst, if_name, 1);
506 }
507 }
Gabriel Oginski2da99e52023-02-14 08:46:36 +0000508error:
509 if (gateway != NULL)
510 gateway->destroy (gateway);
511 if (dst_net != NULL)
512 dst_net->destroy (dst_net);
513 if (if_name != NULL)
514 free (if_name);
515 return;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000516}
517
518/**
519 * Hash function for IPsec SA
520 */
521static u_int
522sa_hash (kernel_ipsec_sa_id_t *sa)
523{
524 return chunk_hash_inc (
525 sa->src->get_address (sa->src),
526 chunk_hash_inc (
527 sa->dst->get_address (sa->dst),
528 chunk_hash_inc (chunk_from_thing (sa->spi),
529 chunk_hash (chunk_from_thing (sa->proto)))));
530}
531
532/**
533 * Equality function for IPsec SA
534 */
535static bool
536sa_equals (kernel_ipsec_sa_id_t *sa, kernel_ipsec_sa_id_t *other_sa)
537{
538 return sa->src->ip_equals (sa->src, other_sa->src) &&
539 sa->dst->ip_equals (sa->dst, other_sa->dst) &&
540 sa->spi == other_sa->spi && sa->proto == other_sa->proto;
541}
542
543/**
Gabriel Oginski8de66c02023-02-03 08:12:36 +0000544 * Equality function for policy SPD
545 */
546static bool
547policy_equals (vl_api_ipsec_spd_entry_t *policy,
548 vl_api_ipsec_spd_entry_t *other_policy)
549{
550
551 /* change protocol due to legacy implementation of ANY protocol inside VPP */
552 if (other_policy->protocol == 255)
553 other_policy->protocol = 0;
554
555 /* return true if both policies are equal */
556 return !memcmp (policy, other_policy, sizeof (*policy));
557}
558
559/**
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000560 * Hash function for interface
561 */
562static u_int
563interface_hash (char *interface)
564{
565 return chunk_hash (chunk_from_str (interface));
566}
567
568/**
569 * Equality function for interface
570 */
571static bool
572interface_equals (char *interface1, char *interface2)
573{
574 return streq (interface1, interface2);
575}
576
577/**
578 * Map an integer x with a one-to-one function using quadratic residues
579 */
580static u_int
581permute (u_int x, u_int p)
582{
583 u_int qr;
584
585 x = x % p;
586 qr = ((uint64_t) x * x) % p;
587 if (x <= p / 2)
588 {
589 return qr;
590 }
591 return p - qr;
592}
593
594/**
595 * Initialize seeds for SPI generation
596 */
597static bool
598init_spi (private_kernel_vpp_ipsec_t *this)
599{
600 bool ok = TRUE;
601 rng_t *rng;
602
603 rng = lib->crypto->create_rng (lib->crypto, RNG_STRONG);
604 if (!rng)
605 {
606 return FALSE;
607 }
608 ok =
609 rng->get_bytes (rng, sizeof (this->nextspi), (uint8_t *) &this->nextspi);
610 if (ok)
611 {
612 ok =
613 rng->get_bytes (rng, sizeof (this->mixspi), (uint8_t *) &this->mixspi);
614 }
615 rng->destroy (rng);
616 return ok;
617}
618
619/**
620 * Calculate policy priority
621 */
622static uint32_t
623calculate_priority (policy_priority_t policy_priority, traffic_selector_t *src,
624 traffic_selector_t *dst)
625{
626 uint32_t priority = PRIO_BASE;
627 uint16_t port;
628 uint8_t mask, proto;
629 host_t *net;
630
631 switch (policy_priority)
632 {
633 case POLICY_PRIORITY_FALLBACK:
634 priority <<= 1;
635 /* fall-through */
636 case POLICY_PRIORITY_ROUTED:
637 priority <<= 1;
638 /* fall-through */
639 case POLICY_PRIORITY_DEFAULT:
640 priority <<= 1;
641 /* fall-through */
642 case POLICY_PRIORITY_PASS:
643 break;
644 }
645 /* calculate priority based on selector size, small size = high prio */
646 src->to_subnet (src, &net, &mask);
647 priority -= mask;
648 proto = src->get_protocol (src);
649 port = net->get_port (net);
650 net->destroy (net);
651
652 dst->to_subnet (dst, &net, &mask);
653 priority -= mask;
654 proto = max (proto, dst->get_protocol (dst));
655 port = max (port, net->get_port (net));
656 net->destroy (net);
657
658 priority <<= 2; /* make some room for the two flags */
659 priority += port ? 0 : 2;
660 priority += proto ? 0 : 1;
661 return priority;
662}
663
664/**
665 * Get sw_if_index from interface name
666 */
667static uint32_t
668get_sw_if_index (char *interface)
669{
670 char *out = NULL;
671 int out_len, name_filter_len = 0, msg_len = 0;
Gabriel Oginski73d82d12023-07-06 09:18:45 +0000672 int num, i;
673 vl_api_sw_interface_dump_t *mp = NULL;
674 vl_api_sw_interface_details_t *rmp = NULL;
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000675 uint32_t sw_if_index = ~0;
676
Gabriel Oginski73d82d12023-07-06 09:18:45 +0000677 if (interface == NULL)
678 goto error;
679
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000680 name_filter_len = strlen (interface);
681 msg_len = sizeof (*mp) + name_filter_len;
682 mp = vl_msg_api_alloc (msg_len);
683 clib_memset (mp, 0, msg_len);
684 u16 msg_id = vl_msg_api_get_msg_index ((u8 *) "sw_interface_dump_aa610c27");
685 mp->_vl_msg_id = htons (msg_id);
686 mp->name_filter_valid = TRUE;
687 mp->name_filter.length = htonl (name_filter_len);
688 memcpy ((char *) mp->name_filter.buf, interface, name_filter_len);
689
Gabriel Oginski73d82d12023-07-06 09:18:45 +0000690 if (vac->send_dump (vac, (char *) mp, msg_len, &out, &out_len))
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000691 {
692 goto error;
693 }
694 if (!out_len)
695 {
696 goto error;
697 }
Gabriel Oginski73d82d12023-07-06 09:18:45 +0000698 num = out_len / sizeof (*rmp);
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000699 rmp = (vl_api_sw_interface_details_t *) out;
Gabriel Oginski73d82d12023-07-06 09:18:45 +0000700 for (i = 0; i < num; i++)
701 {
702 if (strlen (rmp->interface_name) &&
703 streq (interface, rmp->interface_name))
704 {
705 sw_if_index = ntohl (rmp->sw_if_index);
706 break;
707 }
708 rmp += 1;
709 }
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000710
711error:
Gabriel Oginski73d82d12023-07-06 09:18:45 +0000712 if (out)
713 free (out);
714 if (mp)
715 vl_msg_api_free (mp);
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000716 return sw_if_index;
717}
Gabriel Oginski73d82d12023-07-06 09:18:45 +0000718
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000719/**
720 * (Un)-install a security policy database
721 */
722static status_t
723spd_add_del (bool add, uint32_t spd_id)
724{
725 char *out = NULL;
726 int out_len;
727 vl_api_ipsec_spd_add_del_t *mp;
728 vl_api_ipsec_spd_add_del_reply_t *rmp;
729 status_t rv = FAILED;
730
731 mp = vl_msg_api_alloc (sizeof (*mp));
732 memset (mp, 0, sizeof (*mp));
733
734 u16 msg_id = vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_add_del_20e89a95");
735 mp->_vl_msg_id = htons (msg_id);
736 mp->is_add = add;
737 mp->spd_id = htonl (spd_id);
738 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
739 {
740 DBG1 (DBG_KNL, "vac %s SPD failed", add ? "adding" : "removing");
741 goto error;
742 }
743 rmp = (void *) out;
744 if (rmp->retval)
745 {
746 DBG1 (DBG_KNL, "%s SPD failed rv:%d", add ? "add" : "remove",
747 ntohl (rmp->retval));
748 goto error;
749 }
750 rv = SUCCESS;
751
752error:
753 free (out);
754 vl_msg_api_free (mp);
755 return rv;
756}
757
758/**
759 * Enable or disable SPD on an insterface
760 */
761static status_t
762interface_add_del_spd (bool add, uint32_t spd_id, uint32_t sw_if_index)
763{
764 char *out = NULL;
765 int out_len;
766 vl_api_ipsec_interface_add_del_spd_t *mp;
767 vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
768 status_t rv = FAILED;
769
770 mp = vl_msg_api_alloc (sizeof (*mp));
771 memset (mp, 0, sizeof (*mp));
772 u16 msg_id =
773 vl_msg_api_get_msg_index ((u8 *) "ipsec_interface_add_del_spd_80f80cbb");
774 mp->_vl_msg_id = htons (msg_id);
775 mp->is_add = add;
776 mp->spd_id = htonl (spd_id);
777 mp->sw_if_index = htonl (sw_if_index);
778 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
779 {
780 DBG1 (DBG_KNL, "vac %s interface SPD failed",
781 add ? "adding" : "removing");
782 goto error;
783 }
784 rmp = (void *) out;
785 if (rmp->retval)
786 {
787 DBG1 (DBG_KNL, "%s interface SPD failed rv:%d", add ? "add" : "remove",
788 ntohl (rmp->retval));
789 goto error;
790 }
791 rv = SUCCESS;
792
793error:
794 free (out);
795 vl_msg_api_free (mp);
796 return rv;
797}
798
799static int
800bypass_all (bool add, uint32_t spd_id, uint32_t sa_id)
801{
802 vl_api_ipsec_spd_entry_add_del_t *mp;
803 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
804 char *out = NULL;
805 int out_len;
806 status_t rv = FAILED;
807
808 DBG2 (DBG_KNL, "bypass_all [%s] spd_id %d sa_id %d", add ? "ADD" : "DEL",
809 spd_id, sa_id);
810
811 mp = vl_msg_api_alloc (sizeof (*mp));
812 memset (mp, 0, sizeof (*mp));
813
814 u16 msg_id =
815 vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
816 mp->_vl_msg_id = ntohs (msg_id);
817 mp->is_add = add;
818 mp->entry.sa_id = ntohl (sa_id);
819 mp->entry.spd_id = ntohl (spd_id);
820 mp->entry.priority = ntohl (INT_MAX - POLICY_PRIORITY_PASS - 1);
821 mp->entry.is_outbound = 0;
822 mp->entry.policy = ntohl (IPSEC_API_SPD_ACTION_BYPASS);
823 memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
824 memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
825 mp->entry.remote_port_start = mp->entry.local_port_start = ntohs (0);
826 mp->entry.remote_port_stop = mp->entry.local_port_stop = ntohs (0xFFFF);
827 mp->entry.protocol = IP_API_PROTO_ESP;
828 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
829 {
830 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
831 goto error;
832 }
833 rmp = (void *) out;
834 if (rmp->retval)
835 {
836 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
837 ntohl (rmp->retval));
838 goto error;
839 }
Gabriel Oginski2da99e52023-02-14 08:46:36 +0000840 /* address "out" needs to be freed after vec->send */
841 if (out != NULL)
842 {
843 free (out);
844 out = NULL;
845 }
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000846 mp->entry.is_outbound = 1;
847 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
848 {
849 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
850 goto error;
851 }
852 rmp = (void *) out;
853 if (rmp->retval)
854 {
855 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
856 ntohl (rmp->retval));
857 goto error;
858 }
Gabriel Oginski2da99e52023-02-14 08:46:36 +0000859 /* address "out" needs to be freed after vec->send */
860 if (out != NULL)
861 {
862 free (out);
863 out = NULL;
864 }
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000865 mp->entry.is_outbound = 0;
866 mp->entry.protocol = IP_API_PROTO_AH;
867 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
868 {
869 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
870 goto error;
871 }
872 rmp = (void *) out;
873 if (rmp->retval)
874 {
875 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
876 ntohl (rmp->retval));
877 goto error;
878 }
Gabriel Oginski2da99e52023-02-14 08:46:36 +0000879 /* address "out" needs to be freed after vec->send */
880 if (out != NULL)
881 {
882 free (out);
883 out = NULL;
884 }
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000885 mp->entry.is_outbound = 1;
886 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
887 {
888 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
889 goto error;
890 }
891 rmp = (void *) out;
892 if (rmp->retval)
893 {
894 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
895 ntohl (rmp->retval));
896 goto error;
897 }
898
899 rv = SUCCESS;
900
901error:
902 if (out)
903 free (out);
904 vl_msg_api_free (mp);
905
906 return rv;
907}
908
909static int
910bypass_port (bool add, uint32_t spd_id, uint32_t sa_id, uint16_t port)
911{
912 vl_api_ipsec_spd_entry_add_del_t *mp;
913 vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
914 char *out = NULL;
915 int out_len;
916 status_t rv = FAILED;
917
918 mp = vl_msg_api_alloc (sizeof (*mp));
919 memset (mp, 0, sizeof (*mp));
920
921 u16 msg_id =
922 vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
923 mp->_vl_msg_id = ntohs (msg_id);
924 mp->is_add = add;
925 mp->entry.sa_id = ntohl (sa_id);
926 mp->entry.spd_id = ntohl (spd_id);
927 mp->entry.priority = ntohl (INT_MAX - POLICY_PRIORITY_PASS - 1);
928 mp->entry.policy = ntohl (IPSEC_API_SPD_ACTION_BYPASS);
929 memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
930 memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
931 mp->entry.is_outbound = 0;
932 mp->entry.remote_port_start = mp->entry.local_port_start = ntohs (0);
933 mp->entry.remote_port_stop = mp->entry.local_port_stop = ntohs (0xFFFF);
934 mp->entry.protocol = IP_API_PROTO_HOPOPT;
935
936 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
937 {
938 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
939 goto error;
940 }
941 rmp = (void *) out;
942 if (rmp->retval)
943 {
944 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
945 ntohl (rmp->retval));
946 goto error;
947 }
Gabriel Oginski2da99e52023-02-14 08:46:36 +0000948 /* address "out" needs to be freed after vec->send */
949 if (out != NULL)
950 {
951 free (out);
952 out = NULL;
953 }
Gabriel Oginski4e88e042022-06-29 12:54:30 +0000954 mp->entry.is_outbound = 1;
955 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
956 {
957 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
958 goto error;
959 }
960 rmp = (void *) out;
961 if (rmp->retval)
962 {
963 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
964 ntohl (rmp->retval));
965 goto error;
966 }
967 rv = SUCCESS;
968
969error:
970 if (out)
971 free (out);
972 vl_msg_api_free (mp);
973
974 return rv;
975}
976
977/**
978 * Add or remove a bypass policy
979 */
980static status_t
981manage_bypass (bool add, uint32_t spd_id, uint32_t sa_id)
982{
983 uint16_t port;
984 status_t rv;
985
986 bypass_all (add, spd_id, sa_id);
987
988 port =
989 lib->settings->get_int (lib->settings, "%s.port", IKEV2_UDP_PORT, lib->ns);
990
991 if (port)
992 {
993 rv = bypass_port (add, spd_id, sa_id, port);
994 if (rv != SUCCESS)
995 {
996 return rv;
997 }
998 }
999
1000 port = lib->settings->get_int (lib->settings, "%s.port_nat_t",
1001 IKEV2_NATT_PORT, lib->ns);
1002 if (port)
1003 {
1004 rv = bypass_port (add, spd_id, sa_id, port);
1005 if (rv != SUCCESS)
1006 {
1007 return rv;
1008 }
1009 }
1010
1011 return SUCCESS;
1012}
1013
1014/**
1015 * Add or remove a policy
1016 */
1017static status_t
1018manage_policy (private_kernel_vpp_ipsec_t *this, bool add,
1019 kernel_ipsec_policy_id_t *id,
1020 kernel_ipsec_manage_policy_t *data)
1021{
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001022 spd_t *spd = NULL;
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001023 char *out = NULL, *interface = NULL;
1024 int out_len;
1025 uint32_t sw_if_index, spd_id = ~0, sad_id = ~0;
1026 status_t rv = FAILED;
1027 uint32_t priority, auto_priority;
1028 chunk_t src_from, src_to, dst_from, dst_to;
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001029 host_t *src = NULL, *dst = NULL, *addr = NULL;
1030 vl_api_ipsec_spd_entry_add_del_t *mp = NULL;
1031 vl_api_ipsec_spd_entry_add_del_reply_t *rmp = NULL;
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001032 bool n_spd = false;
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001033 vl_api_ipsec_spd_dump_t *mp_dump = NULL;
1034 vl_api_ipsec_spd_details_t *rmp_dump = NULL, *tmp = NULL;
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001035
1036 mp = vl_msg_api_alloc (sizeof (*mp));
1037 memset (mp, 0, sizeof (*mp));
1038
1039 this->mutex->lock (this->mutex);
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001040 if (id->dir == POLICY_FWD)
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001041 {
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001042 DBG1 (DBG_KNL, "policy FWD interface");
1043 rv = SUCCESS;
1044 goto error;
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001045 }
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001046 addr = id->dir == POLICY_IN ? data->dst : data->src;
1047 for (int i = 0; i < N_RETRY_GET_IF; i++)
1048 {
1049 if (!charon->kernel->get_interface (charon->kernel, addr, &interface))
1050 {
1051 DBG1 (DBG_KNL, "policy no interface %H", addr);
1052 free (interface);
1053 interface = NULL;
1054 sleep (1);
1055 }
1056
1057 if (interface)
1058 {
1059 DBG1 (DBG_KNL, "policy have interface %H", addr);
1060 break;
1061 }
1062 }
1063 if (!interface)
1064 goto error;
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001065
1066 DBG2 (DBG_KNL, "manage policy [%s] interface [%s]", add ? "ADD" : "DEL",
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001067 interface);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001068
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001069 spd = this->spds->get (this->spds, interface);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001070 if (!spd)
1071 {
1072 if (!add)
1073 {
1074 DBG1 (DBG_KNL, "SPD for %s not found, should not be deleted",
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001075 interface);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001076 goto error;
1077 }
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001078 sw_if_index = get_sw_if_index (interface);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001079 DBG1 (DBG_KNL, "firstly created, spd for %s found sw_if_index is %d",
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001080 interface, sw_if_index);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001081 if (sw_if_index == ~0)
1082 {
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001083 DBG1 (DBG_KNL, "sw_if_index for %s not found", interface);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001084 goto error;
1085 }
1086 spd_id = ref_get (&this->next_spd_id);
1087 if (spd_add_del (TRUE, spd_id))
1088 {
1089 DBG1 (DBG_KNL, "spd_add_del %d failed!!!!!", spd_id);
1090 goto error;
1091 }
1092 if (interface_add_del_spd (TRUE, spd_id, sw_if_index))
1093 {
1094 DBG1 (DBG_KNL, "interface_add_del_spd %d %d failed!!!!!", spd_id,
1095 sw_if_index);
1096 goto error;
1097 }
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001098 INIT (spd, .spd_id = spd_id, .sw_if_index = sw_if_index, .policy_num = 0,
1099 .if_name = strdup (interface), );
1100 this->spds->put (this->spds, spd->if_name, spd);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001101 n_spd = true;
1102 }
1103
1104 auto_priority = calculate_priority (data->prio, id->src_ts, id->dst_ts);
1105 priority = data->manual_prio ? data->manual_prio : auto_priority;
1106
1107 u16 msg_id =
1108 vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_entry_add_del_338b7411");
1109 mp->_vl_msg_id = htons (msg_id);
1110 mp->is_add = add;
1111 mp->entry.spd_id = htonl (spd->spd_id);
1112 mp->entry.priority = htonl (INT_MAX - POLICY_PRIORITY_PASS);
1113 mp->entry.is_outbound = id->dir == POLICY_OUT;
1114 switch (data->type)
1115 {
1116 case POLICY_IPSEC:
1117 mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_PROTECT);
1118 break;
1119 case POLICY_PASS:
1120 mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_BYPASS);
1121 break;
1122 case POLICY_DROP:
1123 mp->entry.policy = htonl (IPSEC_API_SPD_ACTION_DISCARD);
1124 break;
1125 }
1126 if ((data->type == POLICY_IPSEC) && data->sa)
1127 {
1128 kernel_ipsec_sa_id_t id = {
1129 .src = data->src,
1130 .dst = data->dst,
1131 .proto = data->sa->esp.use ? IPPROTO_ESP : IPPROTO_AH,
1132 .spi = data->sa->esp.use ? data->sa->esp.spi : data->sa->ah.spi,
1133 };
1134 sa_t *sa = NULL;
1135 sa = this->sas->get (this->sas, &id);
1136 if (!sa)
1137 {
1138 DBG1 (DBG_KNL, "SA ID not found");
1139 goto error;
1140 }
1141 sad_id = sa->sa_id;
1142 if (n_spd)
1143 {
1144 if (manage_bypass (TRUE, spd_id, ~0))
1145 {
1146 DBG1 (DBG_KNL, "manage_bypass %d failed!!!!", spd_id);
1147 goto error;
1148 }
1149 }
1150 }
1151
1152 mp->entry.sa_id = htonl (sad_id);
1153
1154 bool is_ipv6 = false;
1155 if (id->src_ts->get_type (id->src_ts) == TS_IPV6_ADDR_RANGE)
1156 {
1157 is_ipv6 = true;
1158 mp->entry.local_address_start.af = htonl (ADDRESS_IP6);
1159 mp->entry.local_address_stop.af = htonl (ADDRESS_IP6);
1160 mp->entry.remote_address_start.af = htonl (ADDRESS_IP6);
1161 mp->entry.remote_address_stop.af = htonl (ADDRESS_IP6);
1162 }
1163 else
1164 {
1165 mp->entry.local_address_start.af = htonl (ADDRESS_IP4);
1166 mp->entry.local_address_stop.af = htonl (ADDRESS_IP4);
1167 mp->entry.remote_address_start.af = htonl (ADDRESS_IP4);
1168 mp->entry.remote_address_stop.af = htonl (ADDRESS_IP4);
1169 }
1170 mp->entry.protocol = id->src_ts->get_protocol (id->src_ts);
1171
1172 if (id->dir == POLICY_OUT)
1173 {
1174 src_from = id->src_ts->get_from_address (id->src_ts);
1175 src_to = id->src_ts->get_to_address (id->src_ts);
1176 src = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, src_to, 0);
1177 dst_from = id->dst_ts->get_from_address (id->dst_ts);
1178 dst_to = id->dst_ts->get_to_address (id->dst_ts);
1179 dst = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, dst_to, 0);
1180 }
1181 else
1182 {
1183 dst_from = id->src_ts->get_from_address (id->src_ts);
1184 dst_to = id->src_ts->get_to_address (id->src_ts);
1185 dst = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, dst_from, 0);
1186 src_from = id->dst_ts->get_from_address (id->dst_ts);
1187 src_to = id->dst_ts->get_to_address (id->dst_ts);
1188 src = host_create_from_chunk (is_ipv6 ? AF_INET6 : AF_INET, src_from, 0);
1189 }
1190
1191 if (src->is_anyaddr (src) && dst->is_anyaddr (dst))
1192 {
1193 memset (mp->entry.local_address_stop.un.ip6, 0xFF, 16);
1194 memset (mp->entry.remote_address_stop.un.ip6, 0xFF, 16);
1195 }
1196 else
1197 {
1198 memcpy (is_ipv6 ? mp->entry.local_address_start.un.ip6 :
1199 mp->entry.local_address_start.un.ip4,
1200 src_from.ptr, src_from.len);
1201 memcpy (is_ipv6 ? mp->entry.local_address_stop.un.ip6 :
1202 mp->entry.local_address_stop.un.ip4,
1203 src_to.ptr, src_to.len);
1204 memcpy (is_ipv6 ? mp->entry.remote_address_start.un.ip6 :
1205 mp->entry.remote_address_start.un.ip4,
1206 dst_from.ptr, dst_from.len);
1207 memcpy (is_ipv6 ? mp->entry.remote_address_stop.un.ip6 :
1208 mp->entry.remote_address_stop.un.ip4,
1209 dst_to.ptr, dst_to.len);
1210 }
1211 mp->entry.local_port_start = htons (id->src_ts->get_from_port (id->src_ts));
1212 mp->entry.local_port_stop = htons (id->src_ts->get_to_port (id->src_ts));
1213 mp->entry.remote_port_start = htons (id->dst_ts->get_from_port (id->dst_ts));
1214 mp->entry.remote_port_stop = htons (id->dst_ts->get_to_port (id->dst_ts));
1215
Gabriel Oginski8de66c02023-02-03 08:12:36 +00001216 /* check if policy exists in SPD */
Gabriel Oginski8de66c02023-02-03 08:12:36 +00001217 mp_dump = vl_msg_api_alloc (sizeof (*mp_dump));
1218 memset (mp_dump, 0, sizeof (*mp_dump));
1219
1220 msg_id = vl_msg_api_get_msg_index ((u8 *) "ipsec_spd_dump_afefbf7d");
1221 mp_dump->_vl_msg_id = htons (msg_id);
1222 mp_dump->spd_id = htonl (spd->spd_id);
1223 mp_dump->sa_id = htonl (sad_id);
1224
1225 if (vac->send_dump (vac, (char *) mp_dump, sizeof (*mp_dump), &out,
1226 &out_len))
1227 {
1228 DBG1 (DBG_KNL, "vac %s SPD lookup failed", add ? "adding" : "removing");
1229 goto error;
1230 }
1231
1232 int num = out_len / sizeof (*rmp_dump);
1233 tmp = (void *) out;
1234
1235 /* found existing policy */
1236 if (add && num)
1237 {
1238 int i;
1239 for (i = 0; i < num; i++)
1240 {
1241 rmp_dump = tmp;
1242 tmp += 1;
1243 /* check if found entry equals the new one */
1244 if (policy_equals (&mp->entry, &rmp_dump->entry))
1245 goto next;
1246 }
1247 }
1248 else if (!add && num == 0)
1249 {
1250 /* VPP doesn't have any policy to delete */
1251 goto next;
1252 }
1253
1254 free (out);
1255
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001256 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1257 {
1258 DBG1 (DBG_KNL, "vac %s SPD entry failed", add ? "adding" : "removing");
1259 goto error;
1260 }
1261 rmp = (void *) out;
1262 if (rmp->retval)
1263 {
1264 DBG1 (DBG_KNL, "%s SPD entry failed rv:%d", add ? "add" : "remove",
1265 ntohl (rmp->retval));
1266 goto error;
1267 }
1268
Gabriel Oginski8de66c02023-02-03 08:12:36 +00001269next:
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001270 if (add)
1271 {
1272 ref_get (&spd->policy_num);
1273 }
1274 else
1275 {
1276 if (ref_put (&spd->policy_num))
1277 {
1278 DBG1 (
1279 DBG_KNL,
1280 "policy_num's ref is 0, delete spd_id %d sw_if_index %d sad_id %x",
1281 spd->spd_id, spd->sw_if_index, sad_id);
1282 interface_add_del_spd (FALSE, spd->spd_id, spd->sw_if_index);
1283 manage_bypass (FALSE, spd->spd_id, sad_id);
1284 spd_add_del (FALSE, spd->spd_id);
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001285 this->spds->remove (this->spds, interface);
1286 if (spd->if_name)
1287 {
1288 free (spd->if_name);
1289 spd->if_name = NULL;
1290 }
1291 if (spd)
1292 {
1293 free (spd);
1294 spd = NULL;
1295 }
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001296 }
1297 }
1298
1299 if (this->install_routes && id->dir == POLICY_OUT && !mp->entry.protocol)
1300 {
1301 if (data->type == POLICY_IPSEC && data->sa->mode != MODE_TRANSPORT)
1302 {
1303 manage_route (this, add, id->dst_ts, data->src, data->dst);
1304 }
1305 }
1306 rv = SUCCESS;
1307error:
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001308 if (out != NULL)
1309 free (out);
1310 if (mp_dump != NULL)
1311 vl_msg_api_free (mp_dump);
1312 if (mp != NULL)
1313 vl_msg_api_free (mp);
1314 if (src != NULL)
1315 src->destroy (src);
1316 if (dst != NULL)
1317 dst->destroy (dst);
1318 if (interface != NULL)
1319 free (interface);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001320 this->mutex->unlock (this->mutex);
1321 return rv;
1322}
1323
1324METHOD (kernel_ipsec_t, get_features, kernel_feature_t,
1325 private_kernel_vpp_ipsec_t *this)
1326{
1327 return KERNEL_ESP_V3_TFC;
1328}
1329
1330METHOD (kernel_ipsec_t, get_spi, status_t, private_kernel_vpp_ipsec_t *this,
1331 host_t *src, host_t *dst, uint8_t protocol, uint32_t *spi)
1332{
1333 static const u_int p = 268435399, offset = 0xc0000000;
1334
1335 *spi = htonl (offset + permute (ref_get (&this->nextspi) ^ this->mixspi, p));
1336 return SUCCESS;
1337}
1338
1339METHOD (kernel_ipsec_t, get_cpi, status_t, private_kernel_vpp_ipsec_t *this,
1340 host_t *src, host_t *dst, uint16_t *cpi)
1341{
1342 DBG1 (DBG_KNL, "get_cpi is not supported!!!!!!!!!!!!!!!!!!!!!!!!");
1343 return NOT_SUPPORTED;
1344}
1345
1346/**
1347 * Helper struct for expiration events
1348 */
1349typedef struct
1350{
1351
1352 private_kernel_vpp_ipsec_t *manager;
1353
1354 kernel_ipsec_sa_id_t *sa_id;
1355
1356 /**
1357 * 0 if this is a hard expire, otherwise the offset in s (soft->hard)
1358 */
1359 uint32_t hard_offset;
1360
1361} vpp_sa_expired_t;
1362
1363/**
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001364 * Clean up expire data
1365 */
1366static void
1367expire_data_destroy (vpp_sa_expired_t *data)
1368{
1369 free (data);
1370}
1371
1372/**
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001373 * Callback for expiration events
1374 */
1375static job_requeue_t
1376sa_expired (vpp_sa_expired_t *expired)
1377{
1378 private_kernel_vpp_ipsec_t *this = expired->manager;
1379 sa_t *sa;
1380 kernel_ipsec_sa_id_t *id = expired->sa_id;
1381
1382 this->mutex->lock (this->mutex);
1383 sa = this->sas->get (this->sas, id);
1384
1385 if (sa)
1386 {
1387 charon->kernel->expire (charon->kernel, id->proto, id->spi, id->dst,
1388 FALSE);
1389 }
1390
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001391 if (id->src)
1392 id->src->destroy (id->src);
1393 if (id->dst)
1394 id->dst->destroy (id->dst);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001395 free (id);
1396 this->mutex->unlock (this->mutex);
1397 return JOB_REQUEUE_NONE;
1398}
1399
1400/**
1401 * Schedule a job to handle IPsec SA expiration
1402 */
1403static void
1404schedule_expiration (private_kernel_vpp_ipsec_t *this,
1405 kernel_ipsec_add_sa_t *entry,
1406 kernel_ipsec_sa_id_t *entry2)
1407{
1408 lifetime_cfg_t *lifetime = entry->lifetime;
1409 vpp_sa_expired_t *expired;
1410 callback_job_t *job;
1411 uint32_t timeout;
1412 kernel_ipsec_sa_id_t *id;
1413
1414 if (!lifetime->time.life)
1415 { /* no expiration at all */
1416 return;
1417 }
1418
1419 INIT (id, .src = entry2->src->clone (entry2->src),
1420 .dst = entry2->dst->clone (entry2->dst), .spi = entry2->spi,
1421 .proto = entry2->proto, );
1422
1423 INIT (expired, .manager = this, .sa_id = id, );
1424
1425 /* schedule a rekey first, a hard timeout will be scheduled then, if any */
1426 expired->hard_offset = lifetime->time.life - lifetime->time.rekey;
1427 timeout = lifetime->time.rekey;
1428
1429 if (lifetime->time.life <= lifetime->time.rekey || lifetime->time.rekey == 0)
1430 { /* no rekey, schedule hard timeout */
1431 expired->hard_offset = 0;
1432 timeout = lifetime->time.life;
1433 }
1434
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001435 job =
1436 callback_job_create ((callback_job_cb_t) sa_expired, expired,
1437 (callback_job_cleanup_t) expire_data_destroy, NULL);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001438 lib->scheduler->schedule_job (lib->scheduler, (job_t *) job, timeout);
1439}
1440
1441METHOD (kernel_ipsec_t, add_sa, status_t, private_kernel_vpp_ipsec_t *this,
1442 kernel_ipsec_sa_id_t *id, kernel_ipsec_add_sa_t *data)
1443{
1444 char *out = NULL;
1445 int out_len;
1446 vl_api_ipsec_sad_entry_add_del_t *mp;
1447 vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
1448 uint32_t sad_id = ref_get (&this->next_sad_id);
1449 uint8_t ca = 0, ia = 0;
1450 status_t rv = FAILED;
1451 chunk_t src, dst;
1452 kernel_ipsec_sa_id_t *sa_id;
1453 sa_t *sa;
1454 int key_len = data->enc_key.len;
1455
1456 if ((data->enc_alg == ENCR_AES_CTR) ||
1457 (data->enc_alg == ENCR_AES_GCM_ICV8) ||
1458 (data->enc_alg == ENCR_AES_GCM_ICV12) ||
1459 (data->enc_alg == ENCR_AES_GCM_ICV16))
1460 {
1461 static const int SALT_SIZE =
1462 4; /* See how enc_size is calculated at keymat_v2.derive_child_keys */
1463 key_len = key_len - SALT_SIZE;
1464 }
1465 natt_port = lib->settings->get_int (
1466 lib->settings, "%s.plugins.socket-default.natt", IKEV2_NATT_PORT, lib->ns);
1467 mp = vl_msg_api_alloc (sizeof (*mp));
1468 memset (mp, 0, sizeof (*mp));
1469 u16 msg_id =
1470 vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
1471 mp->_vl_msg_id = htons (msg_id);
1472 mp->is_add = 1;
1473 mp->entry.sad_id = htonl (sad_id);
1474 mp->entry.spi = id->spi;
1475 mp->entry.protocol = id->proto == IPPROTO_ESP ? htonl (IPSEC_API_PROTO_ESP) :
1476 htonl (IPSEC_API_PROTO_AH);
1477
1478 switch (data->enc_alg)
1479 {
1480 case ENCR_NULL:
1481 ca = IPSEC_API_CRYPTO_ALG_NONE;
1482 break;
1483 case ENCR_AES_CBC:
1484 switch (key_len * 8)
1485 {
1486 case 128:
1487 ca = IPSEC_API_CRYPTO_ALG_AES_CBC_128;
1488 break;
1489 case 192:
1490 ca = IPSEC_API_CRYPTO_ALG_AES_CBC_192;
1491 break;
1492 case 256:
1493 ca = IPSEC_API_CRYPTO_ALG_AES_CBC_256;
1494 break;
1495 default:
1496 DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
1497 key_len * 8);
1498 goto error;
1499 }
1500 break;
1501 case ENCR_AES_CTR:
1502 switch (key_len * 8)
1503 {
1504 case 128:
1505 ca = IPSEC_API_CRYPTO_ALG_AES_CTR_128;
1506 break;
1507 case 192:
1508 ca = IPSEC_API_CRYPTO_ALG_AES_CTR_192;
1509 break;
1510 case 256:
1511 ca = IPSEC_API_CRYPTO_ALG_AES_CTR_256;
1512 break;
1513 default:
1514 DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
1515 key_len * 8);
1516 goto error;
1517 }
1518 break;
1519 case ENCR_AES_GCM_ICV8:
1520 case ENCR_AES_GCM_ICV12:
1521 case ENCR_AES_GCM_ICV16:
1522 switch (key_len * 8)
1523 {
1524 case 128:
1525 ca = IPSEC_API_CRYPTO_ALG_AES_GCM_128;
1526 break;
1527 case 192:
1528 ca = IPSEC_API_CRYPTO_ALG_AES_GCM_192;
1529 break;
1530 case 256:
1531 ca = IPSEC_API_CRYPTO_ALG_AES_GCM_256;
1532 break;
1533 default:
1534 DBG1 (DBG_KNL, "Key length %d is not supported by VPP!",
1535 key_len * 8);
1536 goto error;
1537 }
1538 break;
1539 case ENCR_DES:
1540 ca = IPSEC_API_CRYPTO_ALG_DES_CBC;
1541 break;
1542 case ENCR_3DES:
1543 ca = IPSEC_API_CRYPTO_ALG_3DES_CBC;
1544 break;
1545 default:
1546 DBG1 (DBG_KNL, "algorithm %N not supported by VPP!",
1547 encryption_algorithm_names, data->enc_alg);
1548 goto error;
1549 }
1550 mp->entry.crypto_algorithm = htonl (ca);
1551 mp->entry.crypto_key.length = key_len < 128 ? key_len : 128;
1552 memcpy (mp->entry.crypto_key.data, data->enc_key.ptr,
1553 mp->entry.crypto_key.length);
1554
1555 /* copy salt for AEAD algorithms */
1556 if ((data->enc_alg == ENCR_AES_CTR) ||
1557 (data->enc_alg == ENCR_AES_GCM_ICV8) ||
1558 (data->enc_alg == ENCR_AES_GCM_ICV12) ||
1559 (data->enc_alg == ENCR_AES_GCM_ICV16))
1560 {
1561 memcpy (&mp->entry.salt, data->enc_key.ptr + mp->entry.crypto_key.length,
1562 4);
1563 }
1564
1565 switch (data->int_alg)
1566 {
1567 case AUTH_UNDEFINED:
1568 ia = IPSEC_API_INTEG_ALG_NONE;
1569 break;
1570 case AUTH_HMAC_MD5_96:
1571 ia = IPSEC_API_INTEG_ALG_MD5_96;
1572 break;
1573 case AUTH_HMAC_SHA1_96:
1574 ia = IPSEC_API_INTEG_ALG_SHA1_96;
1575 break;
1576 case AUTH_HMAC_SHA2_256_96:
1577 ia = IPSEC_API_INTEG_ALG_SHA_256_96;
1578 break;
1579 case AUTH_HMAC_SHA2_256_128:
1580 ia = IPSEC_API_INTEG_ALG_SHA_256_128;
1581 break;
1582 case AUTH_HMAC_SHA2_384_192:
1583 ia = IPSEC_API_INTEG_ALG_SHA_384_192;
1584 break;
1585 case AUTH_HMAC_SHA2_512_256:
1586 ia = IPSEC_API_INTEG_ALG_SHA_512_256;
1587 break;
1588 default:
1589 DBG1 (DBG_KNL, "algorithm %N not supported by VPP!",
1590 integrity_algorithm_names, data->int_alg);
1591 goto error;
1592 break;
1593 }
1594 mp->entry.integrity_algorithm = htonl (ia);
1595 mp->entry.integrity_key.length =
1596 data->int_key.len < 128 ? data->int_key.len : 128;
1597 memcpy (mp->entry.integrity_key.data, data->int_key.ptr,
1598 mp->entry.integrity_key.length);
1599
1600 int flags = IPSEC_API_SAD_FLAG_NONE;
Atzm Watanabefc2d95d2023-01-25 14:11:10 +09001601 if (data->inbound)
1602 flags |= IPSEC_API_SAD_FLAG_IS_INBOUND;
1603 /* like the kernel-netlink plugin, anti-replay can be disabled with zero
1604 * replay_window, but window size cannot be customized for vpp */
1605 if (data->replay_window)
1606 flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001607 if (data->esn)
1608 flags |= IPSEC_API_SAD_FLAG_USE_ESN;
Atzm Watanabefc2d95d2023-01-25 14:11:10 +09001609 if (this->use_tunnel_mode_sa && data->mode == MODE_TUNNEL)
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001610 {
1611 if (id->src->get_family (id->src) == AF_INET6)
1612 flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
1613 else
1614 flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL;
1615 }
1616 if (data->encap)
1617 {
Gabriel Oginski980f3fb2023-04-17 07:00:24 +00001618 DBG1 (DBG_KNL, "UDP encap");
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001619 flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;
Gabriel Oginski980f3fb2023-04-17 07:00:24 +00001620 mp->entry.udp_src_port = htons (natt_port);
1621 mp->entry.udp_dst_port = htons (natt_port);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001622 }
1623 mp->entry.flags = htonl (flags);
1624
1625 bool is_ipv6 = false;
1626 if (id->src->get_family (id->src) == AF_INET6)
1627 {
1628 is_ipv6 = true;
1629 mp->entry.tunnel_src.af = htonl (ADDRESS_IP6);
1630 mp->entry.tunnel_dst.af = htonl (ADDRESS_IP6);
1631 }
1632 else
1633 {
1634 mp->entry.tunnel_src.af = htonl (ADDRESS_IP4);
1635 mp->entry.tunnel_dst.af = htonl (ADDRESS_IP4);
1636 }
1637 src = id->src->get_address (id->src);
1638 memcpy (is_ipv6 ? mp->entry.tunnel_src.un.ip6 : mp->entry.tunnel_src.un.ip4,
1639 src.ptr, src.len);
1640 dst = id->dst->get_address (id->dst);
1641 memcpy (is_ipv6 ? mp->entry.tunnel_dst.un.ip6 : mp->entry.tunnel_dst.un.ip4,
1642 dst.ptr, dst.len);
1643 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1644 {
1645 DBG1 (DBG_KNL, "vac adding SA failed");
1646 goto error;
1647 }
1648 rmp = (void *) out;
1649 if (rmp->retval)
1650 {
1651 DBG1 (DBG_KNL, "add SA failed rv:%d", ntohl (rmp->retval));
1652 goto error;
1653 }
1654
1655 this->mutex->lock (this->mutex);
1656 INIT (sa_id, .src = id->src->clone (id->src),
1657 .dst = id->dst->clone (id->dst), .spi = id->spi, .proto = id->proto, );
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001658 INIT (sa, .sa_id = sad_id, .stat_index = ntohl (rmp->stat_index),
1659 .sa_id_p = sa_id, );
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001660 DBG4 (DBG_KNL, "put sa by its sa_id %x !!!!!!", sad_id);
1661 this->sas->put (this->sas, sa_id, sa);
1662 schedule_expiration (this, data, id);
1663 this->mutex->unlock (this->mutex);
1664 rv = SUCCESS;
1665
1666error:
1667 free (out);
1668 vl_msg_api_free (mp);
1669 return rv;
1670}
1671
1672METHOD (kernel_ipsec_t, update_sa, status_t, private_kernel_vpp_ipsec_t *this,
1673 kernel_ipsec_sa_id_t *id, kernel_ipsec_update_sa_t *data)
1674{
1675 DBG1 (DBG_KNL,
1676 "update sa not supported!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!");
1677 return NOT_SUPPORTED;
1678}
1679
1680METHOD (kernel_ipsec_t, query_sa, status_t, private_kernel_vpp_ipsec_t *this,
1681 kernel_ipsec_sa_id_t *id, kernel_ipsec_query_sa_t *data,
1682 uint64_t *bytes, uint64_t *packets, time_t *time)
1683{
1684 status_t rv = FAILED;
1685 sa_t *sa;
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001686 u32 *dir = NULL;
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001687 int i, k;
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001688 stat_segment_data_t *res = NULL;
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001689 u8 **pattern = 0;
1690 uint64_t res_bytes = 0;
1691 uint64_t res_packets = 0;
1692
1693 this->mutex->lock (this->mutex);
1694 sa = this->sas->get (this->sas, id);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001695 if (!sa)
1696 {
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001697 this->mutex->unlock (this->mutex);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001698 DBG1 (DBG_KNL, "SA not found");
1699 return NOT_FOUND;
1700 }
1701
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001702 if (this->sm == NULL)
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001703 {
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001704 stat_client_main_t *sm = NULL;
1705 sm = stat_client_get ();
1706
1707 if (!sm)
1708 {
1709 DBG1 (DBG_KNL, "Not connecting with stats segmentation");
1710 this->mutex->unlock (this->mutex);
1711 return NOT_FOUND;
1712 }
1713 this->sm = sm;
1714 int rv_stat = stat_segment_connect_r ("/run/vpp/stats.sock", this->sm);
1715 if (rv_stat != 0)
1716 {
1717 stat_client_free (this->sm);
1718 this->sm = NULL;
1719 DBG1 (DBG_KNL, "Not connecting with stats segmentation");
1720 this->mutex->unlock (this->mutex);
1721 return NOT_FOUND;
1722 }
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001723 }
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001724
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001725 vec_add1 (pattern, (u8 *) "/net/ipsec/sa");
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001726 dir = stat_segment_ls_r ((u8 **) pattern, this->sm);
1727 res = stat_segment_dump_r (dir, this->sm);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001728 /* i-loop for each results find by pattern - here two:
1729 * 1. /net/ipsec/sa
1730 * 2. /net/ipsec/sa/lost
1731 */
1732 for (i = 0; i < vec_len (res); i++)
1733 {
1734 switch (res[i].type)
1735 {
1736 /* type for how many packets are lost */
1737 case STAT_DIR_TYPE_COUNTER_VECTOR_SIMPLE:
1738 if (res[i].simple_counter_vec == 0)
1739 continue;
1740 break;
1741 /* type for counter for each SA */
1742 case STAT_DIR_TYPE_COUNTER_VECTOR_COMBINED:
1743 if (res[i].combined_counter_vec == 0)
1744 continue;
1745 /* k-loop for each threads - that you run VPP */
1746 for (k = 0; k < vec_len (res[i].combined_counter_vec); k++)
1747 {
1748 if (sa->stat_index <= vec_len (res[i].combined_counter_vec[k]))
1749 {
1750 DBG4 (DBG_KNL, "Thread: %d, Packets: %lu, Bytes: %lu", k,
1751 res[i].combined_counter_vec[k][sa->stat_index].packets,
1752 res[i].combined_counter_vec[k][sa->stat_index].bytes);
1753 res_bytes +=
1754 res[i].combined_counter_vec[k][sa->stat_index].bytes;
1755 res_packets +=
1756 res[i].combined_counter_vec[k][sa->stat_index].packets;
1757 }
1758 }
1759 break;
1760 case STAT_DIR_TYPE_NAME_VECTOR:
1761 if (res[i].name_vector == 0)
1762 continue;
1763 break;
1764 }
1765 }
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001766
1767 vec_free (pattern);
1768 vec_free (dir);
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001769 stat_segment_data_free (res);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001770
1771 if (bytes)
1772 {
1773 *bytes = res_bytes;
1774 }
1775 if (packets)
1776 {
1777 *packets = res_packets;
1778 }
1779 if (time)
1780 {
1781 *time = 0;
1782 }
1783
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001784 this->mutex->unlock (this->mutex);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001785 rv = SUCCESS;
1786 return rv;
1787}
1788
1789METHOD (kernel_ipsec_t, del_sa, status_t, private_kernel_vpp_ipsec_t *this,
1790 kernel_ipsec_sa_id_t *id, kernel_ipsec_del_sa_t *data)
1791{
1792 char *out = NULL;
1793 int out_len;
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001794 vl_api_ipsec_sad_entry_add_del_t *mp = NULL;
1795 vl_api_ipsec_sad_entry_add_del_reply_t *rmp = NULL;
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001796 status_t rv = FAILED;
1797 sa_t *sa;
1798
1799 this->mutex->lock (this->mutex);
1800 sa = this->sas->get (this->sas, id);
1801 if (!sa)
1802 {
1803 DBG1 (DBG_KNL, "SA not found");
1804 rv = NOT_FOUND;
1805 goto error;
1806 }
1807 mp = vl_msg_api_alloc (sizeof (*mp));
1808 memset (mp, 0, sizeof (*mp));
1809 mp->is_add = 0;
1810 u16 msg_id =
1811 vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
1812 mp->_vl_msg_id = htons (msg_id);
1813 mp->entry.sad_id = htonl (sa->sa_id);
1814
1815 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1816 {
1817 DBG1 (DBG_KNL, "vac removing SA failed");
1818 goto error;
1819 }
1820 rmp = (void *) out;
1821 if (rmp->retval)
1822 {
1823 DBG1 (DBG_KNL, "del SA failed rv:%d", ntohl (rmp->retval));
1824 goto error;
1825 }
1826
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001827 void *temp = this->sas->remove (this->sas, id);
1828 if (sa->sa_id_p)
1829 {
1830 if (sa->sa_id_p->src)
1831 sa->sa_id_p->src->destroy (sa->sa_id_p->src);
1832 if (sa->sa_id_p->dst)
1833 sa->sa_id_p->dst->destroy (sa->sa_id_p->dst);
1834 free (sa->sa_id_p);
1835 }
1836 free (sa);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001837 rv = SUCCESS;
1838error:
1839 free (out);
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001840 vl_msg_api_free (mp);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001841 this->mutex->unlock (this->mutex);
1842 return rv;
1843}
1844
1845METHOD (kernel_ipsec_t, flush_sas, status_t, private_kernel_vpp_ipsec_t *this)
1846{
1847 enumerator_t *enumerator;
1848 int out_len;
1849 char *out;
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001850 vl_api_ipsec_sad_entry_add_del_t *mp = NULL;
1851 vl_api_ipsec_sad_entry_add_del_reply_t *rmp = NULL;
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001852 sa_t *sa = NULL;
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001853 status_t rv = FAILED;
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001854
1855 this->mutex->lock (this->mutex);
1856 enumerator = this->sas->create_enumerator (this->sas);
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001857 while (enumerator->enumerate (enumerator, &sa))
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001858 {
1859 mp = vl_msg_api_alloc (sizeof (*mp));
1860 memset (mp, 0, sizeof (*mp));
1861 u16 msg_id =
1862 vl_msg_api_get_msg_index ((u8 *) "ipsec_sad_entry_add_del_ab64b5c6");
1863 mp->_vl_msg_id = htons (msg_id);
1864 mp->entry.sad_id = htonl (sa->sa_id);
1865 mp->is_add = 0;
1866 if (vac->send (vac, (char *) mp, sizeof (*mp), &out, &out_len))
1867 {
1868 DBG1 (DBG_KNL, "flush_sas failed!!!!");
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001869 goto error;
1870 }
1871 rmp = (void *) out;
1872 if (rmp->retval)
1873 {
1874 DBG1 (DBG_KNL, "flush_sas failed!!!! rv: %d", ntohl (rmp->retval));
1875 goto error;
1876 }
1877 if (sa->sa_id_p)
1878 {
1879 if (sa->sa_id_p->src)
1880 sa->sa_id_p->src->destroy (sa->sa_id_p->src);
1881 if (sa->sa_id_p->dst)
1882 sa->sa_id_p->dst->destroy (sa->sa_id_p->dst);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001883 }
1884 free (out);
1885 vl_msg_api_free (mp);
1886 this->sas->remove_at (this->sas, enumerator);
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001887 free (sa->sa_id_p);
1888 free (sa);
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001889 }
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001890 rv = SUCCESS;
1891error:
1892 if (out != NULL)
1893 free (out);
1894 if (mp != NULL)
1895 vl_msg_api_free (mp);
1896
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001897 enumerator->destroy (enumerator);
1898 this->mutex->unlock (this->mutex);
1899
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001900 return rv;
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001901}
1902
1903METHOD (kernel_ipsec_t, add_policy, status_t, private_kernel_vpp_ipsec_t *this,
1904 kernel_ipsec_policy_id_t *id, kernel_ipsec_manage_policy_t *data)
1905{
1906 return manage_policy (this, TRUE, id, data);
1907}
1908
1909METHOD (kernel_ipsec_t, query_policy, status_t,
1910 private_kernel_vpp_ipsec_t *this, kernel_ipsec_policy_id_t *id,
1911 kernel_ipsec_query_policy_t *data, time_t *use_time)
1912{
1913 return NOT_SUPPORTED;
1914}
1915
1916METHOD (kernel_ipsec_t, del_policy, status_t, private_kernel_vpp_ipsec_t *this,
1917 kernel_ipsec_policy_id_t *id, kernel_ipsec_manage_policy_t *data)
1918{
1919 return manage_policy (this, FALSE, id, data);
1920}
1921
1922METHOD (kernel_ipsec_t, flush_policies, status_t,
1923 private_kernel_vpp_ipsec_t *this)
1924{
1925 return NOT_SUPPORTED;
1926}
1927
1928METHOD (kernel_ipsec_t, bypass_socket, bool, private_kernel_vpp_ipsec_t *this,
1929 int fd, int family)
1930{
1931 return FALSE;
1932}
1933
1934METHOD (kernel_ipsec_t, enable_udp_decap, bool,
1935 private_kernel_vpp_ipsec_t *this, int fd, int family, u_int16_t port)
1936{
1937 DBG1 (DBG_KNL, "enable_udp_decap not supported!!!!!!!!!!!!!!!!!!!!!!!!!");
1938 return FALSE;
1939}
1940
1941METHOD (kernel_ipsec_t, destroy, void, private_kernel_vpp_ipsec_t *this)
1942{
1943 this->mutex->destroy (this->mutex);
1944 this->sas->destroy (this->sas);
1945 this->spds->destroy (this->spds);
1946 this->routes->destroy (this->routes);
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001947 if (this->sm)
1948 {
1949 stat_segment_disconnect_r (this->sm);
1950 stat_client_free (this->sm);
1951 this->sm = NULL;
1952 }
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001953 free (this);
1954}
1955
1956kernel_vpp_ipsec_t *
1957kernel_vpp_ipsec_create ()
1958{
1959 private_kernel_vpp_ipsec_t *this;
1960
1961 INIT(this,
1962 .public = {
1963 .interface = {
1964 .get_features = _get_features,
1965 .get_spi = _get_spi,
1966 .get_cpi = _get_cpi,
1967 .add_sa = _add_sa,
1968 .update_sa = _update_sa,
1969 .query_sa = _query_sa,
1970 .del_sa = _del_sa,
1971 .flush_sas = _flush_sas,
1972 .add_policy = _add_policy,
1973 .query_policy = _query_policy,
1974 .del_policy = _del_policy,
1975 .flush_policies = _flush_policies,
1976 .bypass_socket = _bypass_socket,
1977 .enable_udp_decap = _enable_udp_decap,
1978 .destroy = _destroy,
1979 },
1980 },
1981 .next_sad_id = 0,
1982 .next_spd_id = 0,
1983 .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
1984 .sas = hashtable_create((hashtable_hash_t)sa_hash,
1985 (hashtable_equals_t)sa_equals, 32),
1986 .spds = hashtable_create((hashtable_hash_t)interface_hash,
1987 (hashtable_equals_t)interface_equals, 4),
1988 .routes = linked_list_create(),
1989 .install_routes = lib->settings->get_bool(lib->settings,
1990 "%s.install_routes", TRUE, lib->ns),
Atzm Watanabefc2d95d2023-01-25 14:11:10 +09001991 .use_tunnel_mode_sa = lib->settings->get_bool(lib->settings,
1992 "%s.plugins.kernel-vpp.use_tunnel_mode_sa",
1993 TRUE, lib->ns),
Gabriel Oginski2da99e52023-02-14 08:46:36 +00001994 .sm = NULL,
Gabriel Oginski4e88e042022-06-29 12:54:30 +00001995 );
1996
1997 if (!init_spi (this))
1998 {
1999 destroy (this);
2000 return NULL;
2001 }
2002
2003 return &this->public;
2004}