1 /*
2  * decap.c : IPSec tunnel support
3  *
4  * Copyright (c) 2015 Cisco and/or its affiliates.
5  * Licensed under the Apache License, Version 2.0 (the "License");
6  * you may not use this file except in compliance with the License.
7  * You may obtain a copy of the License at:
8  *
9  * http://www.apache.org/licenses/LICENSE-2.0
10  *
11  * Unless required by applicable law or agreed to in writing, software
12  * distributed under the License is distributed on an "AS IS" BASIS,
13  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14  * See the License for the specific language governing permissions and
15  * limitations under the License.
16  */
17 
18 #include <vnet/vnet.h>
19 #include <vnet/api_errno.h>
20 #include <vnet/ip/ip.h>
21 #include <vnet/interface.h>
22 #include <vnet/fib/fib_table.h>
23 
24 #include <vnet/ipsec/ipsec.h>
25 
/*
 * Format an ipsec_policy_action_t (passed through the va_list as a u32)
 * as its textual name.  The case list is generated by an X-macro whose
 * invocation line (original line 35) is dropped from this rendering.
 */
26 u8 *
27 format_ipsec_policy_action (u8 * s, va_list * args)
28 {
29  u32 i = va_arg (*args, u32);
30  char *t = 0;
31 
32  switch (i)
33  {
34 #define _(v,f,str) case IPSEC_POLICY_ACTION_##f: t = str; break;
36 #undef _
37  default:
38  s = format (s, "unknown");
39  }
  /* NOTE(review): on the default path t is still NULL when it reaches
   * this "%s"; what format() prints for a NULL string argument is not
   * visible from this file -- confirm, or return right after "unknown". */
40  s = format (s, "%s", t);
41  return s;
42 }
43 
/*
 * Format an SPD policy type (passed as a u32) as its textual name.
 * The case list comes from foreach_ipsec_spd_policy_type; its invocation
 * line (original line 53) is dropped from this rendering.
 */
44 u8 *
45 format_ipsec_policy_type (u8 * s, va_list * args)
46 {
47  u32 i = va_arg (*args, u32);
48  char *t = 0;
49 
50  switch (i)
51  {
52 #define _(f,str) case IPSEC_SPD_POLICY_##f: t = str; break;
54 #undef _
55  default:
56  s = format (s, "unknown");
57  }
  /* NOTE(review): same pattern as format_ipsec_policy_action -- t is NULL
   * on the default path when it reaches this "%s". */
58  s = format (s, "%s", t);
59  return s;
60 }
61 
/*
 * unformat_ipsec_policy_action: parse a policy action keyword from
 * `input` and store the matching IPSEC_POLICY_ACTION_* value through the
 * u32 pointer taken from the va_list.  Returns 1 on a match, 0 otherwise.
 * The signature line (original line 63) and the X-macro invocation that
 * generates the `else if` chain (original line 69) are dropped from this
 * rendering.
 */
62 uword
64 {
65  u32 *r = va_arg (*args, u32 *);
66 
  /* `if (0);` is a deliberate empty head so every generated branch can be
   * a uniform `else if`. */
67  if (0);
68 #define _(v,f,s) else if (unformat (input, s)) *r = IPSEC_POLICY_ACTION_##f;
70 #undef _
71  else
72  return 0;
73  return 1;
74 }
75 
/*
 * Format a crypto algorithm id (passed as a u32) as its textual name.
 * The case list comes from foreach_ipsec_crypto_alg; its invocation line
 * (original line 85) is dropped from this rendering.
 */
76 u8 *
77 format_ipsec_crypto_alg (u8 * s, va_list * args)
78 {
79  u32 i = va_arg (*args, u32);
80  u8 *t = 0;
81 
82  switch (i)
83  {
  /* The (u8 *) cast only adapts the string literal to t's type. */
84 #define _(v,f,str) case IPSEC_CRYPTO_ALG_##f: t = (u8 *) str; break;
86 #undef _
87  default:
88  s = format (s, "unknown");
89  }
  /* NOTE(review): t is NULL here on the default path; see
   * format_ipsec_policy_action for the same concern. */
90  s = format (s, "%s", t);
91  return s;
92 }
93 
/*
 * unformat_ipsec_crypto_alg: parse a crypto algorithm keyword and store
 * the matching IPSEC_CRYPTO_ALG_* value through the u32 pointer taken
 * from the va_list.  Returns 1 on a match, 0 otherwise.  The signature
 * line (original line 95) and the foreach_ipsec_crypto_alg invocation
 * (original line 101) are dropped from this rendering.
 */
94 uword
96 {
97  u32 *r = va_arg (*args, u32 *);
98 
99  if (0);
100 #define _(v,f,s) else if (unformat (input, s)) *r = IPSEC_CRYPTO_ALG_##f;
102 #undef _
103  else
104  return 0;
105  return 1;
106 }
107 
/*
 * Format an integrity algorithm id (passed as a u32) as its textual name.
 * The case list comes from foreach_ipsec_integ_alg; its invocation line
 * (original line 117) is dropped from this rendering.
 */
108 u8 *
109 format_ipsec_integ_alg (u8 * s, va_list * args)
110 {
111  u32 i = va_arg (*args, u32);
112  u8 *t = 0;
113 
114  switch (i)
115  {
116 #define _(v,f,str) case IPSEC_INTEG_ALG_##f: t = (u8 *) str; break;
118 #undef _
119  default:
120  s = format (s, "unknown");
121  }
  /* NOTE(review): t is NULL here on the default path; see
   * format_ipsec_policy_action for the same concern. */
122  s = format (s, "%s", t);
123  return s;
124 }
125 
/*
 * unformat_ipsec_integ_alg: parse an integrity algorithm keyword and
 * store the matching IPSEC_INTEG_ALG_* value through the u32 pointer
 * taken from the va_list.  Returns 1 on a match, 0 otherwise.  The
 * signature line (original line 127) and the foreach_ipsec_integ_alg
 * invocation (original line 133) are dropped from this rendering.
 */
126 uword
128 {
129  u32 *r = va_arg (*args, u32 *);
130 
131  if (0);
132 #define _(v,f,s) else if (unformat (input, s)) *r = IPSEC_INTEG_ALG_##f;
134 #undef _
135  else
136  return 0;
137  return 1;
138 }
139 
/*
 * Format a 64-bit anti-replay window as a string of 64 '0'/'1'
 * characters, least-significant bit first.
 */
u8 *
format_ipsec_replay_window (u8 * s, va_list * args)
{
  u64 window = va_arg (*args, u64);

  for (u8 bit = 0; bit < 64; bit++)
    {
      /* One character per window slot; bit 0 is printed first. */
      u8 slot_seen = (window >> bit) & 1;
      s = format (s, "%u", slot_seen);
    }

  return s;
}
153 
/*
 * Format one SPD policy, identified by its index in im->policies, as a
 * multi-line human-readable block (header, address/port ranges, and the
 * policy's packet/byte counters).  Several argument lines of the format
 * calls (original lines 166-167, 182-183, 187-188) and the counter fetch
 * that fills `counts` (original line 192) are dropped from this rendering.
 */
154 u8 *
155 format_ipsec_policy (u8 * s, va_list * args)
156 {
157  u32 pi = va_arg (*args, u32);
158  ipsec_main_t *im = &ipsec_main;
159  ipsec_policy_t *p;
160  vlib_counter_t counts;
161 
  /* NOTE(review): unlike format_ipsec_spd/format_ipsec_sa there is no
   * pool_is_free_index() guard here; callers must pass a live index. */
162  p = pool_elt_at_index (im->policies, pi);
163 
164  s = format (s, " [%d] priority %d action %U type %U protocol ",
165  pi, p->priority,
  /* protocol 0 is the wildcard and is printed as "any". */
168  if (p->protocol)
169  {
170  s = format (s, "%U", format_ip_protocol, p->protocol);
171  }
172  else
173  {
174  s = format (s, "any");
175  }
  /* Only PROTECT policies reference an SA. */
176  if (p->policy == IPSEC_POLICY_ACTION_PROTECT)
177  {
178  s = format (s, " sa %u", p->sa_id);
179  }
180 
  /* Ports are stored in network byte order. */
181  s = format (s, "\n local addr range %U - %U port range %u - %u",
184  clib_net_to_host_u16 (p->lport.start),
185  clib_net_to_host_u16 (p->lport.stop));
186  s = format (s, "\n remote addr range %U - %U port range %u - %u",
189  clib_net_to_host_u16 (p->rport.start),
190  clib_net_to_host_u16 (p->rport.stop));
191 
  /* `counts` is expected to be filled by the dropped line just above;
   * it is read uninitialised otherwise. */
193  s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes);
194 
195  return (s);
196 }
197 
/*
 * Format an SPD, identified by its index in im->spds: the SPD id followed
 * by one section per policy type, each listing its policies via
 * format_ipsec_policy.  The foreach_ipsec_spd_policy_type invocation that
 * expands the `_` macro (original line 222) is dropped from this rendering.
 */
198 u8 *
199 format_ipsec_spd (u8 * s, va_list * args)
200 {
201  u32 si = va_arg (*args, u32);
202  ipsec_main_t *im = &ipsec_main;
203  ipsec_spd_t *spd;
204  u32 *i;
205 
  /* Guard the pool lookup: a stale index must not be dereferenced. */
206  if (pool_is_free_index (im->spds, si))
207  {
208  s = format (s, "No such SPD index: %d", si);
209  goto done;
210  }
211 
212  spd = pool_elt_at_index (im->spds, si);
213 
214  s = format (s, "spd %u", spd->id);
215 
  /* `v` is the policy-type enum suffix, `n` its display name. */
216 #define _(v, n) \
217  s = format (s, "\n %s:", n); \
218  vec_foreach(i, spd->policies[IPSEC_SPD_POLICY_##v]) \
219  { \
220  s = format (s, "\n %U", format_ipsec_policy, *i); \
221  }
223 #undef _
224 
225 done:
226  return (s);
227 }
228 
/*
 * Format an ipsec_key_t as a hex string of its `len` bytes.
 * Note that this exposes the raw key material in whatever output the
 * caller is building (CLI, log), so callers should use it deliberately.
 */
u8 *
format_ipsec_key (u8 * s, va_list * args)
{
  ipsec_key_t *key = va_arg (*args, ipsec_key_t *);

  s = format (s, "%U", format_hex_bytes, key->data, key->len);
  return s;
}
236 
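/*
 * Parse a hex-encoded key from `input` into the ipsec_key_t taken from
 * the va_list.  Returns 1 on success, 0 if the input is not a hex string
 * or the decoded key does not fit.
 *
 * ipsec_mk_key() takes the length as a u8 and the key storage is
 * IPSEC_KEY_MAX_LEN bytes, so an over-long hex string would otherwise be
 * silently truncated; reject it at parse time instead.
 */
uword
unformat_ipsec_key (unformat_input_t * input, va_list * args)
{
  ipsec_key_t *key = va_arg (*args, ipsec_key_t *);
  u8 *data = 0;

  if (!unformat (input, "%U", unformat_hex_string, &data))
    return 0;

  if (vec_len (data) > IPSEC_KEY_MAX_LEN)
    {
      vec_free (data);
      return 0;
    }

  ipsec_mk_key (key, data, vec_len (data));
  vec_free (data);
  return 1;
}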
252 
/*
 * Format the set bits of an ipsec_sa_flags_t as their names, each
 * followed by a space.  The X-macro invocation that generates the
 * `else if` chain (original line 261) is dropped from this rendering.
 */
253 u8 *
254 format_ipsec_sa_flags (u8 * s, va_list * args)
255 {
  /* Enums are promoted to int through varargs, so int is the correct
   * type to read here. */
256  ipsec_sa_flags_t flags = va_arg (*args, int);
257 
  /* NOTE(review): because this is an if/else-if chain rather than a series
   * of independent ifs, only the first matching flag in macro order is
   * printed when several bits are set -- confirm that is intended. */
258  if (0)
259  ;
260 #define _(v, f, str) else if (flags & IPSEC_SA_FLAG_##f) s = format(s, "%s ", str);
262 #undef _
263  return (s);
264 }
265 
/*
 * Format an SA, identified by its index in im->sad.  Always prints the
 * one-line summary; with IPSEC_FORMAT_DETAIL in the flags argument it also
 * prints the replay state, algorithms and keys, counters and tunnel data.
 * The declarations of `flags` and `tx_table_id` (original lines 270, 273)
 * and several format argument lines (297, 299, 301, 303, 305, 311,
 * 314-315) are dropped from this rendering.
 */
266 u8 *
267 format_ipsec_sa (u8 * s, va_list * args)
268 {
269  u32 sai = va_arg (*args, u32);
271  ipsec_main_t *im = &ipsec_main;
272  vlib_counter_t counts;
274  ipsec_sa_t *sa;
275 
  /* Guard the pool lookup: a stale index must not be dereferenced. */
276  if (pool_is_free_index (im->sad, sai))
277  {
278  s = format (s, "No such SA index: %d", sai);
279  goto done;
280  }
281 
282  sa = pool_elt_at_index (im->sad, sai);
283 
284  s = format (s, "[%d] sa 0x%x spi %u mode %s%s protocol %s %U",
285  sai, sa->id, sa->spi,
286  ipsec_sa_is_set_IS_TUNNEL (sa) ? "tunnel" : "transport",
287  ipsec_sa_is_set_IS_TUNNEL_V6 (sa) ? "-ip6" : "",
288  sa->protocol ? "esp" : "ah", format_ipsec_sa_flags, sa->flags);
289 
  /* `flags` is the ipsec_format_flags_t argument read on a dropped line. */
290  if (!(flags & IPSEC_FORMAT_DETAIL))
291  goto done;
292 
293  s = format (s, "\n salt 0x%x", sa->salt);
294  s = format (s, "\n seq %u seq-hi %u", sa->seq, sa->seq_hi);
295  s = format (s, "\n last-seq %u last-seq-hi %u window %U",
296  sa->last_seq, sa->last_seq_hi,
  /* The detail view prints the crypto and integrity keys in clear via
   * format_ipsec_key; only the " key " label is conditional on the
   * algorithm being set, the key bytes are always emitted.  Treat this
   * output as sensitive (it reaches CLI/log sinks). */
298  s = format (s, "\n crypto alg %U%s%U",
300  sa->crypto_alg ? " key " : "",
302  s = format (s, "\n integrity alg %U%s%U",
304  sa->integ_alg ? " key " : "", format_ipsec_key, &sa->integ_key);
  /* `counts` is expected to be filled by the dropped line just above. */
306  s = format (s, "\n packets %u bytes %u", counts.packets, counts.bytes);
307 
308  if (ipsec_sa_is_set_IS_TUNNEL (sa))
309  {
310  tx_table_id = fib_table_get_table_id (sa->tx_fib_index,
312  s = format (s, "\n table-ID %d tunnel src %U dst %U",
313  tx_table_id,
  /* Only outbound SAs are stacked on a FIB entry / DPO. */
316  if (!ipsec_sa_is_set_IS_INBOUND (sa))
317  {
318  s =
  /* NOTE(review): "resovle" is a typo in user-facing output ("resolve");
   * left as-is here since it is a runtime string. */
319  format (s, "\n resovle via fib-entry: %d",
320  sa->fib_entry_index);
321  s = format (s, "\n stacked on:");
322  s =
323  format (s, "\n %U", format_dpo_id,
324  &sa->dpo[IPSEC_PROTOCOL_ESP], 6);
325  }
326  }
327 
328 done:
329  return (s);
330 }
331 
/*
 * Format an IPsec tunnel interface, identified by its index in
 * im->tunnel_interfaces: the interface name followed by its outbound and
 * inbound SAs via format_ipsec_sa.  The local declarations of `t` and
 * `hi` (original lines 337-338), the free-index check (340), the hw
 * interface lookup (351) and the trailing format arguments (357, 361)
 * are dropped from this rendering.
 */
332 u8 *
333 format_ipsec_tunnel (u8 * s, va_list * args)
334 {
335  ipsec_main_t *im = &ipsec_main;
336  u32 ti = va_arg (*args, u32);
339 
  /* Body of the dropped pool_is_free_index() guard. */
341  {
342  s = format (s, "No such tunnel index: %d", ti);
343  goto done;
344  }
345 
346  t = pool_elt_at_index (im->tunnel_interfaces, ti);
347 
  /* ~0 means no hardware interface has been created for this tunnel. */
348  if (t->hw_if_index == ~0)
349  goto done;
350 
352 
353  s = format (s, "%s\n", hi->name);
354 
  /* NOTE(review): whether these pass IPSEC_FORMAT_DETAIL (and so print SA
   * key material) depends on the dropped argument lines -- confirm. */
355  s = format (s, " out-bound sa: ");
356  s = format (s, "%U\n", format_ipsec_sa, t->output_sa_index,
358 
359  s = format (s, " in-bound sa: ");
360  s = format (s, "%U\n", format_ipsec_sa, t->input_sa_index,
362 
363 done:
364  return (s);
365 }
366 
367 /*
368  * fd.io coding-style-patch-verification: ON
369  *
370  * Local Variables:
371  * eval: (c-set-style "gnu")
372  * End:
373  */