44 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__) 51 #define foreach_vpe_api_msg \ 52 _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \ 53 _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \ 54 _(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \ 55 _(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \ 56 _(IPSEC_SA_SET_KEY, ipsec_sa_set_key) \ 57 _(IPSEC_SA_DUMP, ipsec_sa_dump) \ 58 _(IPSEC_SPDS_DUMP, ipsec_spds_dump) \ 59 _(IPSEC_SPD_DUMP, ipsec_spd_dump) \ 60 _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \ 61 _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \ 62 _(IPSEC_TUNNEL_IF_SET_KEY, ipsec_tunnel_if_set_key) \ 63 _(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \ 64 _(IPSEC_SELECT_BACKEND, ipsec_select_backend) \ 65 _(IPSEC_BACKEND_DUMP, ipsec_backend_dump) 75 vl_api_ipsec_spd_add_del_reply_t *rmp;
88 vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
91 u32 spd_id __attribute__ ((unused));
94 spd_id = ntohl (mp->
spd_id);
101 rv = VNET_API_ERROR_UNIMPLEMENTED;
106 REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY);
113 in = clib_net_to_host_u32 (in);
117 #define _(v,f,s) case IPSEC_API_SPD_ACTION_##f: \ 118 *out = IPSEC_POLICY_ACTION_##f; \ 123 return (VNET_API_ERROR_UNIMPLEMENTED);
142 p.
id = ntohl (mp->
entry.spd_id);
164 if (p.
policy == IPSEC_POLICY_ACTION_RESOLVE)
167 rv = VNET_API_ERROR_UNIMPLEMENTED;
182 rv = VNET_API_ERROR_UNIMPLEMENTED;
198 in = clib_net_to_host_u32 (in);
209 return (VNET_API_ERROR_INVALID_PROTOCOL);
212 static vl_api_ipsec_proto_t
222 return (VNET_API_ERROR_UNIMPLEMENTED);
229 in = clib_net_to_host_u32 (in);
233 #define _(v,f,s) case IPSEC_API_CRYPTO_ALG_##f: \ 234 *out = IPSEC_CRYPTO_ALG_##f; \ 239 return (VNET_API_ERROR_INVALID_ALGORITHM);
242 static vl_api_ipsec_crypto_alg_t
247 #define _(v,f,s) case IPSEC_CRYPTO_ALG_##f: \ 248 return clib_host_to_net_u32(IPSEC_API_CRYPTO_ALG_##f); 255 return (VNET_API_ERROR_UNIMPLEMENTED);
262 in = clib_net_to_host_u32 (in);
266 #define _(v,f,s) case IPSEC_API_INTEG_ALG_##f: \ 267 *out = IPSEC_INTEG_ALG_##f; \ 272 return (VNET_API_ERROR_INVALID_ALGORITHM);
275 static vl_api_ipsec_integ_alg_t
280 #define _(v,f,s) case IPSEC_INTEG_ALG_##f: \ 281 return (clib_host_to_net_u32(IPSEC_API_INTEG_ALG_##f)); 288 return (VNET_API_ERROR_UNIMPLEMENTED);
300 out->length = in->
len;
308 in = clib_net_to_host_u32 (in);
311 flags |= IPSEC_SA_FLAG_USE_ESN;
313 flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
315 flags |= IPSEC_SA_FLAG_IS_TUNNEL;
317 flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
319 flags |= IPSEC_SA_FLAG_UDP_ENCAP;
324 static vl_api_ipsec_sad_flags_t
329 if (ipsec_sa_is_set_USE_ESN (sa))
331 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
333 if (ipsec_sa_is_set_IS_TUNNEL (sa))
335 if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
337 if (ipsec_sa_is_set_UDP_ENCAP (sa))
340 return clib_host_to_net_u32 (flags);
348 ip46_address_t tun_src = { }, tun_dst =
361 id = ntohl (mp->
entry.sad_id);
362 spi = ntohl (mp->
entry.spi);
390 crypto_alg, &crypto_key,
391 integ_alg, &integ_key, flags,
392 0, 0, &tun_src, &tun_dst, &sa_index);
397 rv = VNET_API_ERROR_UNIMPLEMENTED;
418 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPDS_DETAILS);
422 #define _(s, n) n_policies += vec_len (spd->policies[IPSEC_SPD_POLICY_##s]); 443 send_ipsec_spds_details (spd, reg, mp->context);
451 vl_api_ipsec_spd_action_t
458 #define _(v,f,s) case IPSEC_POLICY_ACTION_##f: \ 459 out = IPSEC_API_SPD_ACTION_##f; \ 464 return (clib_host_to_net_u32 (out));
475 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_DETAILS);
478 mp->
entry.spd_id = htonl (p->
id);
480 mp->
entry.is_outbound = ((p->
type == IPSEC_SPD_POLICY_IP6_OUTBOUND) ||
481 (p->
type == IPSEC_SPD_POLICY_IP4_OUTBOUND));
484 &mp->
entry.local_address_start);
486 &mp->
entry.local_address_stop);
488 &mp->
entry.remote_address_start);
490 &mp->
entry.remote_address_stop);
548 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_INTERFACE_DETAILS);
576 send_ipsec_spd_interface_details(reg, v, k, mp->context);
584 send_ipsec_spd_interface_details(reg, v, k, mp->context);
598 vl_api_ipsec_sa_set_key_reply_t *rmp;
604 id = ntohl (mp->
sa_id);
611 rv = VNET_API_ERROR_UNIMPLEMENTED;
663 rv = VNET_API_ERROR_UNIMPLEMENTED;
682 mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS);
685 mp->
entry.sad_id = htonl (sa->
id);
688 mp->
entry.tx_table_id =
699 if (ipsec_sa_is_set_IS_TUNNEL (sa))
702 &mp->
entry.tunnel_src);
704 &mp->
entry.tunnel_dst);
708 mp->
salt = clib_host_to_net_u32 (sa->
salt);
711 if (ipsec_sa_is_set_USE_ESN (sa))
716 if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
731 u32 *sa_index_to_tun_if_index = 0;
744 vnet_hw_interface_t *hi;
745 u32 sw_if_index = ~0;
747 hi = vnet_get_hw_interface (vnm, t->hw_if_index);
748 sw_if_index = hi->sw_if_index;
749 sa_index_to_tun_if_index[t->input_sa_index] = sw_if_index;
750 sa_index_to_tun_if_index[t->output_sa_index] = sw_if_index;
755 if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == sa->id)
756 send_ipsec_sa_details (sa, reg, mp->context,
757 sa_index_to_tun_if_index[sa - im->sad]);
761 vec_free (sa_index_to_tun_if_index);
772 vl_api_ipsec_tunnel_if_set_key_reply_t *rmp;
786 if (mp->
alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
789 rv = VNET_API_ERROR_INVALID_ALGORITHM;
797 rv = VNET_API_ERROR_INVALID_ALGORITHM;
803 rv = VNET_API_ERROR_UNIMPLEMENTED;
819 REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_KEY_REPLY);
826 vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
863 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
864 clib_memset (mp, 0, sizeof (*mp));
865 mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
866 mp->context = context;
867 snprintf ((char *)mp->name, sizeof (mp->name),
"%.*s", vec_len (ab->name),
869 mp->protocol = ntohl (IPSEC_API_PROTO_AH);
870 mp->index = ab - im->ah_backends;
871 mp->active = mp->index == im->ah_current_backend ? 1 : 0;
872 vl_api_send_msg (rp, (u8 *)mp);
875 vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
876 clib_memset (mp, 0, sizeof (*mp));
877 mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
878 mp->context = context;
879 snprintf ((char *)mp->name, sizeof (mp->name),
"%.*s", vec_len (eb->name),
881 mp->protocol = ntohl (IPSEC_API_PROTO_ESP);
882 mp->index = eb - im->esp_backends;
883 mp->active = mp->index == im->esp_current_backend ? 1 : 0;
884 vl_api_send_msg (rp, (u8 *)mp);
893 vl_api_ipsec_select_backend_reply_t *rmp;
898 rv = VNET_API_ERROR_INSTANCE_IN_USE;
917 rv = VNET_API_ERROR_INVALID_PROTOCOL;
934 #define vl_msg_name_crc_list 936 #undef vl_msg_name_crc_list 941 #define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id); 942 foreach_vl_msg_name_crc_ipsec;
952 vl_msg_api_set_handlers(VL_API_##N, #n, \ 953 vl_api_##n##_t_handler, \ 955 vl_api_##n##_t_endian, \ 956 vl_api_##n##_t_print, \ 957 sizeof(vl_api_##n##_t), 1);
static void vl_api_ipsec_sa_set_key_t_handler(vl_api_ipsec_sa_set_key_t *mp)
IPsec: Add/delete Security Policy Database entry.
vl_api_ipsec_spd_action_t ipsec_spd_action_encode(ipsec_policy_action_t in)
ipsec_tunnel_if_t * tunnel_interfaces
ip46_address_t tunnel_src_addr
enum ipsec_spd_policy_t_ ipsec_spd_policy_type_t
IPsec: SPD interface response.
static void vl_api_ipsec_tunnel_if_set_key_t_handler(vl_api_ipsec_tunnel_if_set_key_t *mp)
VLIB_API_INIT_FUNCTION(ipsec_api_hookup)
static vl_api_ipsec_crypto_alg_t ipsec_crypto_algo_encode(ipsec_crypto_alg_t c)
IPsec: Update Security Association keys.
ip46_address_range_t laddr
#define REPLY_MACRO2(t, body)
#define foreach_ipsec_crypto_alg
#define FOR_EACH_IPSEC_SPD_POLICY_TYPE(_t)
int ipsec_set_interface_sa(vnet_main_t *vnm, u32 hw_if_index, u32 sa_id, u8 is_outbound)
int ipsec_policy_mk_type(bool is_outbound, bool is_ipv6, ipsec_policy_action_t action, ipsec_spd_policy_type_t *type)
static void vl_api_send_msg(vl_api_registration_t *rp, u8 *elem)
int ipsec_set_sa_key(u32 id, const ipsec_key_t *ck, const ipsec_key_t *ik)
ipsec_integ_alg_t integ_alg
u8 remote_crypto_key[128]
static void setup_message_id_table(api_main_t *am)
#define foreach_ipsec_integ_alg
vl_api_ipsec_spd_action_t policy
clib_memset(h->entries, 0, sizeof(h->entries[0])*entries)
static void vl_api_ipsec_sa_dump_t_handler(vl_api_ipsec_sa_dump_t *mp)
static vnet_sw_interface_t * vnet_get_sw_interface(vnet_main_t *vnm, u32 sw_if_index)
int ipsec_select_ah_backend(ipsec_main_t *im, u32 backend_idx)
A Secruity Policy Database.
static ipsec_sa_flags_t ipsec_sa_flags_decode(vl_api_ipsec_sad_flags_t in)
void * vl_msg_api_alloc(int nbytes)
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
#define foreach_vpe_api_msg
vl_api_address_t remote_ip
uword * spd_index_by_sw_if_index
static void vl_api_ipsec_interface_add_del_spd_t_handler(vl_api_ipsec_interface_add_del_spd_t *mp)
#define clib_memcpy(d, s, n)
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
static int ipsec_proto_decode(vl_api_ipsec_proto_t in, ipsec_protocol_t *out)
#define vec_new(T, N)
Create new vector of given type and length (unspecified alignment, no header).
static void vl_api_ipsec_tunnel_if_add_del_t_handler(vl_api_ipsec_tunnel_if_add_del_t *mp)
Set key on IPsec interface.
static void vl_api_ipsec_backend_dump_t_handler(vl_api_ipsec_backend_dump_t *mp)
int ipsec_select_esp_backend(ipsec_main_t *im, u32 backend_idx)
#define hash_foreach(key_var, value_var, h, body)
static void vl_api_ipsec_spd_dump_t_handler(vl_api_ipsec_spd_dump_t *mp)
static void vl_api_ipsec_spd_interface_dump_t_handler(vl_api_ipsec_spd_interface_dump_t *mp)
vl_api_address_t local_ip
int ipsec_set_interface_key(vnet_main_t *vnm, u32 hw_if_index, ipsec_if_set_key_type_t type, u8 alg, u8 *key)
IPsec: Reply Add/delete Security Policy Database entry.
ip46_type_t ip_address_decode(const vl_api_address_t *in, ip46_address_t *out)
static void vl_api_ipsec_spd_add_del_t_handler(vl_api_ipsec_spd_add_del_t *mp)
IPsec: Add/delete Security Association Database entry.
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
u8 remote_crypto_key[128]
Dump IPsec all SPD IDs response.
Add/delete IPsec tunnel interface response.
IPsec: Add/delete Security Policy Database.
int ipsec_add_del_policy(vlib_main_t *vm, ipsec_policy_t *policy, int is_add, u32 *stat_index)
Add/Delete a SPD.
static int ipsec_spd_action_decode(vl_api_ipsec_spd_action_t in, ipsec_policy_action_t *out)
ipsec_spd_policy_type_t type
static vl_api_ipsec_sad_flags_t ipsec_sad_flags_encode(const ipsec_sa_t *sa)
static void send_ipsec_sa_details(ipsec_sa_t *sa, vl_api_registration_t *reg, u32 context, u32 sw_if_index)
uword * spd_index_by_spd_id
static void vl_api_ipsec_tunnel_if_set_sa_t_handler(vl_api_ipsec_tunnel_if_set_sa_t *mp)
API main structure, used by both vpp and binary API clients.
ip46_address_t tunnel_dst_addr
An API client registration, only in vpp/vlib.
#define BAD_SW_IF_INDEX_LABEL
IPsec: Add/delete SPD from interface.
ipsec_crypto_alg_t crypto_alg
ipsec_ah_backend_t * ah_backends
#define vec_free(V)
Free vector's memory (no header).
vl_api_ipsec_sad_entry_t entry
ipsec_policy_action_t policy
#define clib_warning(format, args...)
static int ipsec_crypto_algo_decode(vl_api_ipsec_crypto_alg_t in, ipsec_crypto_alg_t *out)
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
vl_api_ipsec_proto_t protocol
Set new SA on IPsec interface.
static vl_api_registration_t * vl_api_client_index_to_registration(u32 index)
static void vl_api_ipsec_spds_dump_t_handler(vl_api_ipsec_spds_dump_t *mp)
static void send_ipsec_spd_interface_details(vl_api_registration_t *reg, u32 spd_index, u32 sw_if_index, u32 context)
vl_api_ipsec_sad_entry_t entry
static void send_ipsec_spd_details(ipsec_policy_t *p, vl_api_registration_t *reg, u32 context)
u8 data[IPSEC_KEY_MAX_LEN]
static void vl_api_ipsec_spd_entry_add_del_t_handler(vl_api_ipsec_spd_entry_add_del_t *mp)
ipsec_policy_t * policies
Dump IPsec security association.
ipsec_integ_alg_t integ_alg
u32 fib_table_get_table_id(u32 fib_index, fib_protocol_t proto)
Get the Table-ID of the FIB from protocol and index.
u32 * policies[IPSEC_SPD_POLICY_N_TYPES]
vectors for each of the policy types
Dump ipsec policy database data.
int ipsec_add_del_tunnel_if_internal(vnet_main_t *vnm, ipsec_add_del_tunnel_args_t *args, u32 *sw_if_index)
ipsec_protocol_t protocol
static void send_ipsec_spds_details(ipsec_spd_t *spd, vl_api_registration_t *reg, u32 context)
static vl_api_ipsec_proto_t ipsec_proto_encode(ipsec_protocol_t p)
static vlib_main_t * vlib_get_main(void)
IPsec policy database response.
IPsec: Get SPD interfaces.
vl_api_ipsec_spd_entry_t entry
vl_api_ipsec_spd_entry_t entry
int ipsec_sa_add(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, u32 *sa_out_index)
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
ip46_address_range_t raddr
static int ipsec_integ_algo_decode(vl_api_ipsec_integ_alg_t in, ipsec_integ_alg_t *out)
int ipsec_set_interface_spd(vlib_main_t *vm, u32 sw_if_index, u32 spd_id, int is_add)
Bind/attach a SPD to an interface.
static vl_api_ipsec_integ_alg_t ipsec_integ_algo_encode(ipsec_integ_alg_t i)
vl_api_gbp_endpoint_tun_t tun
void ip_address_encode(const ip46_address_t *in, ip46_type_t type, vl_api_address_t *out)
static void ipsec_key_decode(const vl_api_key_t *key, ipsec_key_t *out)
u32 id
the User's ID for this policy
static void ipsec_key_encode(const ipsec_key_t *in, vl_api_key_t *out)
vl_api_key_t integrity_key
ipsec_crypto_alg_t crypto_alg
int ipsec_add_del_spd(vlib_main_t *vm, u32 spd_id, int is_add)
Add/Delete a SPD.
static clib_error_t * ipsec_api_hookup(vlib_main_t *vm)
#define foreach_ipsec_spd_policy_type
#define vec_foreach(var, vec)
Vector iterator.
static void vl_api_ipsec_select_backend_t_handler(vl_api_ipsec_select_backend_t *mp)
IPsec security association database response.
ipsec_esp_backend_t * esp_backends
#define vec_validate_init_empty(V, I, INIT)
Make sure vector is long enough for given index and initialize empty space (no header, unspecified alignment)
Add or delete IPsec tunnel interface.
#define VALIDATE_SW_IF_INDEX(mp)
static void vl_api_ipsec_sad_entry_add_del_t_handler(vl_api_ipsec_sad_entry_add_del_t *mp)
static uword pool_elts(void *v)
Number of active elements in a pool.