43 &sw_if_index, &spd_id))
45 else if (
unformat (line_input,
"del"))
64 .path =
"set interface ipsec spd",
66 "set interface ipsec spd <int> <id>",
93 else if (
unformat (line_input,
"del %u", &sa.
id))
97 else if (
unformat (line_input,
"esp"))
99 else if (
unformat (line_input,
"ah"))
126 if (sa.
integ_alg < IPSEC_INTEG_ALG_NONE ||
135 else if (
unformat (line_input,
"tunnel-src %U",
138 else if (
unformat (line_input,
"tunnel-dst %U",
141 else if (
unformat (line_input,
"tunnel-src %U",
147 else if (
unformat (line_input,
"tunnel-dst %U",
153 else if (
unformat (line_input,
"udp-encap"))
196 "ipsec sa [add|del]",
218 else if (
unformat (line_input,
"del"))
220 else if (
unformat (line_input,
"%u", &spd_id))
248 "ipsec spd [add|del] <id>",
279 else if (
unformat (line_input,
"del"))
281 else if (
unformat (line_input,
"spd %u", &p.
id))
283 else if (
unformat (line_input,
"inbound"))
285 else if (
unformat (line_input,
"outbound"))
289 else if (
unformat (line_input,
"protocol %u", &tmp))
296 if (p.
policy == IPSEC_POLICY_ACTION_RESOLVE)
304 else if (
unformat (line_input,
"local-ip-range %U - %U",
308 else if (
unformat (line_input,
"remote-ip-range %U - %U",
312 else if (
unformat (line_input,
"local-ip-range %U - %U",
319 else if (
unformat (line_input,
"remote-ip-range %U - %U",
326 else if (
unformat (line_input,
"local-port-range %u - %u", &tmp, &tmp2))
332 if (
unformat (line_input,
"remote-port-range %u - %u", &tmp, &tmp2))
381 .path =
"ipsec policy",
383 "ipsec policy [add|del] spd <id> priority <n> ",
443 .path =
"set ipsec sa",
445 "set ipsec sa <id> crypto-key <key> integ-key <key>",
468 vlib_cli_output(vm,
"sa %u spi %u mode %s protocol %s%s%s%s", sa->id, sa->spi,
469 sa->is_tunnel ?
"tunnel" :
"transport",
470 sa->protocol ?
"esp" :
"ah",
471 sa->udp_encap ?
" udp-encap-enabled" :
"",
472 sa->use_anti_replay ?
" anti-replay" :
"",
473 sa->use_esn ?
" extended-sequence-number" :
"");
474 if (sa->protocol == IPSEC_PROTOCOL_ESP) {
475 vlib_cli_output(vm,
" crypto alg %U%s%U integrity alg %U%s%U",
476 format_ipsec_crypto_alg, sa->crypto_alg,
477 sa->crypto_alg ?
" key " :
"",
478 format_hex_bytes, sa->crypto_key, sa->crypto_key_len,
479 format_ipsec_integ_alg, sa->integ_alg,
480 sa->integ_alg ?
" key " :
"",
481 format_hex_bytes, sa->integ_key, sa->integ_key_len);
483 if (sa->is_tunnel && sa->is_tunnel_ip6) {
484 vlib_cli_output(vm,
" tunnel src %U dst %U",
485 format_ip6_address, &sa->tunnel_src_addr.ip6,
486 format_ip6_address, &sa->tunnel_dst_addr.ip6);
487 } else if (sa->is_tunnel) {
488 vlib_cli_output(vm,
" tunnel src %U dst %U",
489 format_ip4_address, &sa->tunnel_src_addr.ip4,
490 format_ip4_address, &sa->tunnel_dst_addr.ip4);
498 vlib_cli_output(vm,
"spd %u", spd->id);
500 vlib_cli_output(vm,
" outbound policies");
501 vec_foreach(i, spd->ipv4_outbound_policies)
503 p = pool_elt_at_index(spd->policies, *i);
504 vec_reset_length(protocol);
505 vec_reset_length(policy);
507 protocol = format(protocol,
"%U", format_ip_protocol, p->protocol);
509 protocol = format(protocol,
"any");
511 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
512 policy = format(policy,
" sa %u", p->sa_id);
515 vlib_cli_output(vm,
" priority %d action %U protocol %v%v",
516 p->priority, format_ipsec_policy_action, p->policy,
518 vlib_cli_output(vm,
" local addr range %U - %U port range %u - %u",
519 format_ip4_address, &p->laddr.start.ip4,
520 format_ip4_address, &p->laddr.stop.ip4,
521 p->lport.start, p->lport.stop);
522 vlib_cli_output(vm,
" remote addr range %U - %U port range %u - %u",
523 format_ip4_address, &p->raddr.start.ip4,
524 format_ip4_address, &p->raddr.stop.ip4,
525 p->rport.start, p->rport.stop);
526 vlib_cli_output(vm,
" packets %u bytes %u", p->counter.packets,
531 p = pool_elt_at_index(spd->policies, *i);
532 vec_reset_length(protocol);
533 vec_reset_length(policy);
535 protocol = format(protocol,
"%U", format_ip_protocol, p->protocol);
537 protocol = format(protocol,
"any");
539 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
540 policy = format(policy,
" sa %u", p->sa_id);
548 p->lport.start, p->lport.stop);
552 p->rport.start, p->rport.stop);
557 vec_foreach(
i, spd->ipv4_inbound_protect_policy_indices)
565 protocol =
format(protocol,
"any");
567 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
568 policy =
format(policy,
" sa %u", p->sa_id);
576 p->lport.start, p->lport.stop);
580 p->rport.start, p->rport.stop);
584 vec_foreach(
i, spd->ipv4_inbound_policy_discard_and_bypass_indices)
592 protocol =
format(protocol,
"any");
594 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
595 policy =
format(policy,
" sa %u", p->sa_id);
603 p->lport.start, p->lport.stop);
607 p->rport.start, p->rport.stop);
611 vec_foreach(
i, spd->ipv6_inbound_protect_policy_indices)
619 protocol =
format(protocol,
"any");
621 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
622 policy =
format(policy,
" sa %u", p->sa_id);
630 p->lport.start, p->lport.stop);
634 p->rport.start, p->rport.stop);
638 vec_foreach(
i, spd->ipv6_inbound_policy_discard_and_bypass_indices)
646 protocol =
format(protocol,
"any");
648 if (p->policy == IPSEC_POLICY_ACTION_PROTECT) {
649 policy =
format(policy,
" sa %u", p->sa_id);
657 p->lport.start, p->lport.stop);
661 p->rport.start, p->rport.stop);
671 if (t->hw_if_index == ~0)
673 hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index);
674 vlib_cli_output(vm,
" %s seq", hi->name);
675 sa = pool_elt_at_index(im->sad, t->output_sa_index);
677 tx_table_id = fib_table_get_table_id(sa->tx_fib_index, FIB_PROTOCOL_IP4);
679 vlib_cli_output(vm,
" seq %u seq-hi %u esn %u anti-replay %u udp-encap %u tx-table %u",
680 sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay, sa->udp_encap, tx_table_id);
681 vlib_cli_output(vm,
" local-spi %u local-ip %U", sa->spi,
682 format_ip4_address, &sa->tunnel_src_addr.ip4);
683 vlib_cli_output(vm,
" local-crypto %U %U",
684 format_ipsec_crypto_alg, sa->crypto_alg,
685 format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
686 vlib_cli_output(vm,
" local-integrity %U %U",
687 format_ipsec_integ_alg, sa->integ_alg,
688 format_hex_bytes, sa->integ_key, sa->integ_key_len);
689 sa = pool_elt_at_index(im->sad, t->input_sa_index);
690 vlib_cli_output(vm,
" last-seq %u last-seq-hi %u esn %u anti-replay %u window %U",
691 sa->last_seq, sa->last_seq_hi, sa->use_esn,
693 format_ipsec_replay_window, sa->replay_window);
694 vlib_cli_output(vm,
" remote-spi %u remote-ip %U", sa->spi,
695 format_ip4_address, &sa->tunnel_src_addr.ip4);
696 vlib_cli_output(vm,
" remote-crypto %U %U",
697 format_ipsec_crypto_alg, sa->crypto_alg,
698 format_hex_bytes, sa->crypto_key, sa->crypto_key_len);
699 vlib_cli_output(vm,
" remote-integrity %U %U",
700 format_ipsec_integ_alg, sa->integ_alg,
701 format_hex_bytes, sa->integ_key, sa->integ_key_len);
711 .path =
"show ipsec",
712 .short_help =
"show ipsec [backends]",
725 (void)
unformat (input,
"verbose %u", &verbose);
728 u8 *s =
format (
NULL,
"%=25s %=25s %=10s\n",
"Name",
"Index",
"Active");
732 s = format (s,
"%=25s %=25u %=10s\n", ab->name, ab - im->ah_backends,
733 ab - im->ah_backends == im->ah_current_backend ?
"yes" :
"no");
736 n = vlib_get_node (vm, ab->ah4_encrypt_node_index);
737 s = format (s,
" enc4 %s (next %d)\n", n->name, ab->ah4_encrypt_next_index);
738 n = vlib_get_node (vm, ab->ah4_decrypt_node_index);
739 s = format (s,
" dec4 %s (next %d)\n", n->name, ab->ah4_decrypt_next_index);
740 n = vlib_get_node (vm, ab->ah6_encrypt_node_index);
741 s = format (s,
" enc6 %s (next %d)\n", n->name, ab->ah6_encrypt_next_index);
742 n = vlib_get_node (vm, ab->ah6_decrypt_node_index);
743 s = format (s,
" dec6 %s (next %d)\n", n->name, ab->ah6_decrypt_next_index);
750 s =
format (s,
"%=25s %=25s %=10s\n",
"Name",
"Index",
"Active");
754 s = format (s,
"%=25s %=25u %=10s\n", eb->name, eb - im->esp_backends,
755 eb - im->esp_backends == im->esp_current_backend ?
"yes" 759 n = vlib_get_node (vm, eb->esp4_encrypt_node_index);
760 s = format (s,
" enc4 %s (next %d)\n", n->name, eb->esp4_encrypt_next_index);
761 n = vlib_get_node (vm, eb->esp4_decrypt_node_index);
762 s = format (s,
" dec4 %s (next %d)\n", n->name, eb->esp4_decrypt_next_index);
763 n = vlib_get_node (vm, eb->esp6_encrypt_node_index);
764 s = format (s,
" enc6 %s (next %d)\n", n->name, eb->esp6_encrypt_next_index);
765 n = vlib_get_node (vm, eb->esp6_decrypt_node_index);
766 s = format (s,
" dec6 %s (next %d)\n", n->name, eb->esp6_decrypt_next_index);
778 .path =
"show ipsec backends",
779 .short_help =
"show ipsec backends",
795 "Cannot change IPsec backend, while %u SA entries are configured",
806 if (
unformat (line_input,
"%u", &backend_index))
820 else if (
unformat (line_input,
"esp"))
822 if (
unformat (line_input,
"%u", &backend_index))
847 .path =
"ipsec select backend",
848 .short_help =
"ipsec select backend <ah|esp> <backend index>",
865 pool_foreach(p, spd->policies, ({
866 p->counter.packets = p->counter.bytes = 0;
876 .path =
"clear ipsec counters",
877 .short_help =
"clear ipsec counters",
915 else if (
unformat (line_input,
"del"))
917 else if (
unformat (line_input,
"udp-encap"))
941 case VNET_API_ERROR_INVALID_VALUE:
944 "IPSec tunnel interface already exists...");
962 .path =
"create ipsec tunnel",
963 .short_help =
"create ipsec tunnel local-ip <addr> local-spi <spi> " 964 "remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap] " 965 "[tx-table <table-id>]",
978 u32 hw_if_index = (
u32) ~ 0;
1023 if (alg > 0 &&
vec_len (key) == 0)
1029 if (hw_if_index == (
u32) ~ 0)
1046 .path =
"set interface ipsec key",
1048 "set interface ipsec key <int> <local|remote> <crypto|integ> <key type> <key>",
static clib_error_t * ipsec_select_backend_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
unformat_function_t unformat_vnet_hw_interface
int ipsec_set_interface_key(vnet_main_t *vnm, u32 hw_if_index, ipsec_if_set_key_type_t type, u8 alg, u8 *key)
int ipsec_add_del_policy(vlib_main_t *vm, ipsec_policy_t *policy, int is_add)
ip46_address_t tunnel_src_addr
static clib_error_t * set_ipsec_sa_key_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_set_interface_spd(vlib_main_t *vm, u32 sw_if_index, u32 spd_id, int is_add)
ipsec_integ_alg_t integ_alg
static clib_error_t * create_ipsec_tunnel_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
clib_memset(h->entries, 0, sizeof(h->entries[0])*entries)
int ipsec_select_ah_backend(ipsec_main_t *im, u32 backend_idx)
static clib_error_t * set_interface_key_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
unformat_function_t unformat_vnet_sw_interface
static vlib_cli_command_t set_interface_key_command
(constructor) VLIB_CLI_COMMAND (set_interface_key_command)
#define vec_reset_length(v)
Reset vector length to zero (NULL-pointer tolerant).
int ipsec_add_del_spd(vlib_main_t *vm, u32 spd_id, int is_add)
static vlib_cli_command_t ipsec_show_backends_command
(constructor) VLIB_CLI_COMMAND (ipsec_show_backends_command)
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
static vlib_cli_command_t show_ipsec_command
(constructor) VLIB_CLI_COMMAND (show_ipsec_command)
#define VLIB_INIT_FUNCTION(x)
uword unformat_ipsec_integ_alg(unformat_input_t *input, va_list *args)
int ipsec_select_esp_backend(ipsec_main_t *im, u32 backend_idx)
#define clib_error_return(e, args...)
u8 * format_ipsec_crypto_alg(u8 *s, va_list *args)
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
static vlib_cli_command_t create_ipsec_tunnel_command
(constructor) VLIB_CLI_COMMAND (create_ipsec_tunnel_command)
static clib_error_t * ipsec_policy_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
clib_error_t * ipsec_check_support_cb(ipsec_main_t *im, ipsec_sa_t *sa)
static clib_error_t * set_interface_spd_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
uword unformat_ipsec_crypto_alg(unformat_input_t *input, va_list *args)
static clib_error_t * ipsec_show_backends_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ip46_address_range_t laddr
ip46_address_t tunnel_dst_addr
static clib_error_t * clear_ipsec_counters_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ipsec_ah_backend_t * ah_backends
int ipsec_add_del_sa(vlib_main_t *vm, ipsec_sa_t *new_sa, int is_add)
clib_error_t * ipsec_cli_init(vlib_main_t *vm)
#define vec_free(V)
Free vector's memory (no header).
uword * sa_index_by_sa_id
int ipsec_set_sa_key(vlib_main_t *vm, ipsec_sa_t *sa_update)
#define VLIB_CLI_COMMAND(x,...)
ip46_address_range_t raddr
static vlib_cli_command_t ipsec_select_backend_command
(constructor) VLIB_CLI_COMMAND (ipsec_select_backend_command)
ipsec_protocol_t protocol
uword unformat_ipsec_policy_action(unformat_input_t *input, va_list *args)
u8 * format_ipsec_integ_alg(u8 *s, va_list *args)
u8 * format_ipsec_policy_action(u8 *s, va_list *args)
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL-pointer tolerant).
static clib_error_t * ipsec_sa_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ipsec_crypto_alg_t crypto_alg
static clib_error_t * show_ipsec_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
#define vec_foreach(var, vec)
Vector iterator.
int ipsec_add_del_tunnel_if(ipsec_add_del_tunnel_args_t *args)
static clib_error_t * ipsec_spd_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
static vlib_cli_command_t clear_ipsec_counters_command
(constructor) VLIB_CLI_COMMAND (clear_ipsec_counters_command)
static uword pool_elts(void *v)
Number of active elements in a pool.