43 &sw_if_index, &spd_id))
45 else if (
unformat (line_input,
"del"))
64 .path =
"set interface ipsec spd",
66 "set interface ipsec spd <int> <id>",
77 ip46_address_t tun_src = { }, tun_dst =
92 flags = IPSEC_SA_FLAG_NONE;
100 if (
unformat (line_input,
"add %u", &
id))
102 else if (
unformat (line_input,
"del %u", &
id))
104 else if (
unformat (line_input,
"spi %u", &spi))
106 else if (
unformat (line_input,
"esp"))
108 else if (
unformat (line_input,
"ah"))
110 else if (
unformat (line_input,
"crypto-key %U",
113 else if (
unformat (line_input,
"crypto-alg %U",
118 else if (
unformat (line_input,
"integ-alg %U",
121 else if (
unformat (line_input,
"tunnel-src %U",
124 flags |= IPSEC_SA_FLAG_IS_TUNNEL;
126 flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
128 else if (
unformat (line_input,
"tunnel-dst %U",
131 else if (
unformat (line_input,
"udp-encap"))
132 flags |= IPSEC_SA_FLAG_UDP_ENCAP;
143 &ck, integ_alg, &ik, flags,
144 0, 0, &tun_src, &tun_dst,
NULL);
161 "ipsec sa [add|del]",
183 else if (
unformat (line_input,
"del"))
185 else if (
unformat (line_input,
"%u", &spd_id))
213 "ipsec spd [add|del] <id>",
227 u32 tmp, tmp2, stat_index;
245 else if (
unformat (line_input,
"del"))
247 else if (
unformat (line_input,
"spd %u", &p.
id))
249 else if (
unformat (line_input,
"inbound"))
251 else if (
unformat (line_input,
"outbound"))
255 else if (
unformat (line_input,
"protocol %u", &tmp))
262 if (p.
policy == IPSEC_POLICY_ACTION_RESOLVE)
270 else if (
unformat (line_input,
"local-ip-range %U - %U",
274 else if (
unformat (line_input,
"remote-ip-range %U - %U",
278 else if (
unformat (line_input,
"local-ip-range %U - %U",
284 else if (
unformat (line_input,
"remote-ip-range %U - %U",
290 else if (
unformat (line_input,
"local-port-range %u - %u", &tmp, &tmp2))
296 if (
unformat (line_input,
"remote-port-range %u - %u", &tmp, &tmp2))
336 " outboud:%s %s action:%U",
337 (is_outbound ?
"yes" :
"no"),
358 .path =
"ipsec policy",
360 "ipsec policy [add|del] spd <id> priority <n> ",
380 if (
unformat (line_input,
"%u", &
id))
405 .path =
"set ipsec sa",
406 .short_help =
"set ipsec sa <id> crypto-key <key> integ-key <key>",
418 vlib_cli_output(vm,
"%U", format_ipsec_sa, sai, IPSEC_FORMAT_BRIEF);
430 vlib_cli_output(vm,
"%U", format_ipsec_spd, spdi);
444 vlib_cli_output (vm,
" %d -> %U", spd_id,
445 format_vnet_sw_if_index_name, im->vnet_main,
459 vlib_cli_output(vm,
" %U", format_ipsec_tunnel, ti);
480 .path =
"show ipsec all",
481 .short_help =
"show ipsec all",
511 .path =
"show ipsec sa",
512 .short_help =
"show ipsec sa [index]",
522 u8 show_bindings = 0;
529 else if (
unformat (input,
"bindings"))
547 .path =
"show ipsec spd",
548 .short_help =
"show ipsec spd [index]",
579 .path =
"show ipsec tunnel",
580 .short_help =
"show ipsec tunnel [index]",
593 (void)
unformat (input,
"verbose %u", &verbose);
596 u8 *s =
format (
NULL,
"%=25s %=25s %=10s\n",
"Name",
"Index",
"Active");
600 s = format (s,
"%=25s %=25u %=10s\n", ab->name, ab - im->ah_backends,
601 ab - im->ah_backends == im->ah_current_backend ?
"yes" :
"no");
604 n = vlib_get_node (vm, ab->ah4_encrypt_node_index);
605 s = format (s,
" enc4 %s (next %d)\n", n->name, ab->ah4_encrypt_next_index);
606 n = vlib_get_node (vm, ab->ah4_decrypt_node_index);
607 s = format (s,
" dec4 %s (next %d)\n", n->name, ab->ah4_decrypt_next_index);
608 n = vlib_get_node (vm, ab->ah6_encrypt_node_index);
609 s = format (s,
" enc6 %s (next %d)\n", n->name, ab->ah6_encrypt_next_index);
610 n = vlib_get_node (vm, ab->ah6_decrypt_node_index);
611 s = format (s,
" dec6 %s (next %d)\n", n->name, ab->ah6_decrypt_next_index);
618 s =
format (s,
"%=25s %=25s %=10s\n",
"Name",
"Index",
"Active");
622 s = format (s,
"%=25s %=25u %=10s\n", eb->name, eb - im->esp_backends,
623 eb - im->esp_backends == im->esp_current_backend ?
"yes" 627 n = vlib_get_node (vm, eb->esp4_encrypt_node_index);
628 s = format (s,
" enc4 %s (next %d)\n", n->name, eb->esp4_encrypt_next_index);
629 n = vlib_get_node (vm, eb->esp4_decrypt_node_index);
630 s = format (s,
" dec4 %s (next %d)\n", n->name, eb->esp4_decrypt_next_index);
631 n = vlib_get_node (vm, eb->esp6_encrypt_node_index);
632 s = format (s,
" enc6 %s (next %d)\n", n->name, eb->esp6_encrypt_next_index);
633 n = vlib_get_node (vm, eb->esp6_decrypt_node_index);
634 s = format (s,
" dec6 %s (next %d)\n", n->name, eb->esp6_decrypt_next_index);
646 .path =
"show ipsec backends",
647 .short_help =
"show ipsec backends",
673 if (
unformat (line_input,
"%u", &backend_index))
687 else if (
unformat (line_input,
"esp"))
689 if (
unformat (line_input,
"%u", &backend_index))
714 .path =
"ipsec select backend",
715 .short_help =
"ipsec select backend <ah|esp> <backend index>",
734 .path =
"clear ipsec counters",
735 .short_help =
"clear ipsec counters",
790 else if (
unformat (line_input,
"udp-encap"))
792 else if (
unformat (line_input,
"use-esn"))
794 else if (
unformat (line_input,
"use-anti-replay"))
806 else if (
unformat (line_input,
"crypto-alg %U",
817 else if (
unformat (line_input,
"integ-alg %U",
820 else if (
unformat (line_input,
"del"))
836 if (ipv4_set && ipv6_set)
842 a.local_crypto_key_len = lck.len;
844 a.remote_crypto_key_len = rck.len;
847 a.local_integ_key_len = lck.len;
849 a.remote_integ_key_len = rck.len;
857 case VNET_API_ERROR_INVALID_VALUE:
860 "IPSec tunnel interface already exists...");
878 .path =
"create ipsec tunnel",
879 .short_help =
"create ipsec tunnel local-ip <addr> local-spi <spi> " 880 "remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap] [use-esn] [use-anti-replay] " 881 "[tx-table <table-id>]",
894 u32 hw_if_index = (
u32) ~ 0;
939 if (alg > 0 &&
vec_len (key) == 0)
945 if (hw_if_index == (
u32) ~ 0)
962 .path =
"set interface ipsec key",
964 "set interface ipsec key <int> <local|remote> <crypto|integ> <key type> <key>",
static clib_error_t * ipsec_select_backend_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
unformat_function_t unformat_vnet_hw_interface
ipsec_tunnel_if_t * tunnel_interfaces
static clib_error_t * set_ipsec_sa_key_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ip46_address_range_t laddr
static clib_error_t * show_ipsec_spd_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
int ipsec_policy_mk_type(bool is_outbound, bool is_ipv6, ipsec_policy_action_t action, ipsec_spd_policy_type_t *type)
int ipsec_set_sa_key(u32 id, const ipsec_key_t *ck, const ipsec_key_t *ik)
static clib_error_t * create_ipsec_tunnel_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_add_del_tunnel_if(ipsec_add_del_tunnel_args_t *args)
int ipsec_select_ah_backend(ipsec_main_t *im, u32 backend_idx)
static clib_error_t * set_interface_key_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
unformat_function_t unformat_vnet_sw_interface
uword * spd_index_by_sw_if_index
#define clib_memcpy(d, s, n)
void vlib_clear_combined_counters(vlib_combined_counter_main_t *cm)
Clear a collection of combined counters.
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
#define VLIB_INIT_FUNCTION(x)
int ipsec_select_esp_backend(ipsec_main_t *im, u32 backend_idx)
#define hash_foreach(key_var, value_var, h, body)
#define clib_error_return(e, args...)
int ipsec_set_interface_key(vnet_main_t *vnm, u32 hw_if_index, ipsec_if_set_key_type_t type, u8 alg, u8 *key)
static void ipsec_tunnel_show_all(vlib_main_t *vm, ipsec_main_t *im)
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
vlib_combined_counter_main_t ipsec_spd_policy_counters
Policy packet & bytes counters.
static clib_error_t * ipsec_policy_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_add_del_policy(vlib_main_t *vm, ipsec_policy_t *policy, int is_add, u32 *stat_index)
Add/Delete a policy entry within a SPD.
static clib_error_t * set_interface_spd_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
clib_error_t * ipsec_rsc_in_use(ipsec_main_t *im)
static clib_error_t * ipsec_show_backends_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ipsec_spd_policy_type_t type
static void ipsec_spd_bindings_show_all(vlib_main_t *vm, ipsec_main_t *im)
static clib_error_t * clear_ipsec_counters_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
#define ip46_address_is_ip4(ip46)
ipsec_crypto_alg_t crypto_alg
ipsec_ah_backend_t * ah_backends
clib_error_t * ipsec_cli_init(vlib_main_t *vm)
#define vec_free(V)
Free vector's memory (no header).
ipsec_policy_action_t policy
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
uword * sa_index_by_sa_id
#define VLIB_CLI_COMMAND(x,...)
static void ipsec_spd_show_all(vlib_main_t *vm, ipsec_main_t *im)
vlib_combined_counter_main_t ipsec_sa_counters
SA packet & bytes counters.
ipsec_integ_alg_t integ_alg
static clib_error_t * show_ipsec_sa_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ipsec_protocol_t protocol
int ipsec_sa_add(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, u32 *sa_out_index)
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
ip46_address_range_t raddr
static clib_error_t * show_ipsec_tunnel_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static clib_error_t * ipsec_sa_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_set_interface_spd(vlib_main_t *vm, u32 sw_if_index, u32 spd_id, int is_add)
Bind/attach a SPD to an interface.
int ipsec_add_del_spd(vlib_main_t *vm, u32 spd_id, int is_add)
Add/Delete a SPD.
static clib_error_t * show_ipsec_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
#define pool_foreach_index(i, v, body)
Iterate pool by index.
static clib_error_t * ipsec_spd_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static void ipsec_sa_show_all(vlib_main_t *vm, ipsec_main_t *im)
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)