45 &sw_if_index, &spd_id))
47 else if (
unformat (line_input,
"del"))
66 .path =
"set interface ipsec spd",
68 "set interface ipsec spd <int> <id>",
79 ip46_address_t tun_src = { }, tun_dst =
97 flags = IPSEC_SA_FLAG_NONE;
99 integ_alg = IPSEC_INTEG_ALG_NONE;
100 crypto_alg = IPSEC_CRYPTO_ALG_NONE;
108 if (
unformat (line_input,
"add %u", &
id))
113 else if (
unformat (line_input,
"del %u", &
id))
118 else if (
unformat (line_input,
"spi %u", &spi))
120 else if (
unformat (line_input,
"salt 0x%x", &salt))
122 else if (
unformat (line_input,
"esp"))
124 else if (
unformat (line_input,
"ah"))
126 else if (
unformat (line_input,
"crypto-key %U",
129 else if (
unformat (line_input,
"crypto-alg %U",
134 else if (
unformat (line_input,
"integ-alg %U",
137 else if (
unformat (line_input,
"tunnel-src %U",
140 flags |= IPSEC_SA_FLAG_IS_TUNNEL;
142 flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
144 else if (
unformat (line_input,
"tunnel-dst %U",
147 else if (
unformat (line_input,
"inbound"))
148 flags |= IPSEC_SA_FLAG_IS_INBOUND;
149 else if (
unformat (line_input,
"use-anti-replay"))
150 flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
151 else if (
unformat (line_input,
"use-esn"))
152 flags |= IPSEC_SA_FLAG_USE_ESN;
153 else if (
unformat (line_input,
"udp-encap"))
154 flags |= IPSEC_SA_FLAG_UDP_ENCAP;
162 if ((flags & IPSEC_SA_FLAG_IS_INBOUND)
163 && !(flags & IPSEC_SA_FLAG_IS_TUNNEL))
183 &ck, integ_alg, &ik, flags,
184 0, clib_host_to_net_u32 (salt),
185 &tun_src, &tun_dst, &sai, udp_src, udp_dst);
205 "ipsec sa [add|del]",
227 else if (
unformat (line_input,
"del"))
229 else if (
unformat (line_input,
"%u", &spd_id))
257 "ipsec spd [add|del] <id>",
271 u32 tmp, tmp2, stat_index, local_range_set, remote_range_set;
277 remote_range_set = local_range_set = is_outbound = 0;
286 else if (
unformat (line_input,
"del"))
288 else if (
unformat (line_input,
"ip6"))
290 else if (
unformat (line_input,
"spd %u", &p.
id))
292 else if (
unformat (line_input,
"inbound"))
294 else if (
unformat (line_input,
"outbound"))
298 else if (
unformat (line_input,
"protocol %u", &tmp))
305 if (p.
policy == IPSEC_POLICY_ACTION_RESOLVE)
313 else if (
unformat (line_input,
"local-ip-range %U - %U",
317 else if (
unformat (line_input,
"remote-ip-range %U - %U",
320 remote_range_set = 1;
321 else if (
unformat (line_input,
"local-ip-range %U - %U",
328 else if (
unformat (line_input,
"remote-ip-range %U - %U",
333 remote_range_set = 1;
335 else if (
unformat (line_input,
"local-port-range %u - %u", &tmp, &tmp2))
341 if (
unformat (line_input,
"remote-port-range %u - %u", &tmp, &tmp2))
354 if (!remote_range_set)
361 if (!local_range_set)
374 " outboud:%s %s action:%U",
375 (is_outbound ?
"yes" :
"no"),
396 .path =
"ipsec policy",
398 "ipsec policy [add|del] spd <id> priority <n> ",
410 vlib_cli_output(vm,
"%U", format_ipsec_sa, sai,
411 (detail ? IPSEC_FORMAT_DETAIL : IPSEC_FORMAT_BRIEF));
423 vlib_cli_output(vm,
"%U", format_ipsec_spd, spdi);
438 spd = pool_elt_at_index (im->spds, spd_id);
439 vlib_cli_output (vm,
" %d -> %U", spd->id,
440 format_vnet_sw_if_index_name, im->vnet_main,
479 .path =
"show ipsec all",
480 .short_help =
"show ipsec all",
548 .path =
"show ipsec sa",
549 .short_help =
"show ipsec sa [index]",
554 .path =
"clear ipsec sa",
555 .short_help =
"clear ipsec sa [index]",
565 u8 show_bindings = 0;
572 else if (
unformat (input,
"bindings"))
590 .path =
"show ipsec spd",
591 .short_help =
"show ipsec spd [index]",
608 .path =
"show ipsec tunnel",
609 .short_help =
"show ipsec tunnel",
622 (void)
unformat (input,
"verbose %u", &verbose);
625 u8 *s =
format (NULL,
"%=25s %=25s %=10s\n",
"Name",
"Index",
"Active");
629 s = format (s,
"%=25s %=25u %=10s\n", ab->name, ab - im->ah_backends,
630 ab - im->ah_backends == im->ah_current_backend ?
"yes" :
"no");
633 n = vlib_get_node (vm, ab->ah4_encrypt_node_index);
634 s = format (s,
" enc4 %s (next %d)\n", n->name, ab->ah4_encrypt_next_index);
635 n = vlib_get_node (vm, ab->ah4_decrypt_node_index);
636 s = format (s,
" dec4 %s (next %d)\n", n->name, ab->ah4_decrypt_next_index);
637 n = vlib_get_node (vm, ab->ah6_encrypt_node_index);
638 s = format (s,
" enc6 %s (next %d)\n", n->name, ab->ah6_encrypt_next_index);
639 n = vlib_get_node (vm, ab->ah6_decrypt_node_index);
640 s = format (s,
" dec6 %s (next %d)\n", n->name, ab->ah6_decrypt_next_index);
647 s =
format (s,
"%=25s %=25s %=10s\n",
"Name",
"Index",
"Active");
651 s = format (s,
"%=25s %=25u %=10s\n", eb->name, eb - im->esp_backends,
652 eb - im->esp_backends == im->esp_current_backend ?
"yes" 656 n = vlib_get_node (vm, eb->esp4_encrypt_node_index);
657 s = format (s,
" enc4 %s (next %d)\n", n->name, eb->esp4_encrypt_next_index);
658 n = vlib_get_node (vm, eb->esp4_decrypt_node_index);
659 s = format (s,
" dec4 %s (next %d)\n", n->name, eb->esp4_decrypt_next_index);
660 n = vlib_get_node (vm, eb->esp6_encrypt_node_index);
661 s = format (s,
" enc6 %s (next %d)\n", n->name, eb->esp6_encrypt_next_index);
662 n = vlib_get_node (vm, eb->esp6_decrypt_node_index);
663 s = format (s,
" dec6 %s (next %d)\n", n->name, eb->esp6_decrypt_next_index);
675 .path =
"show ipsec backends",
676 .short_help =
"show ipsec backends",
702 if (
unformat (line_input,
"%u", &backend_index))
716 else if (
unformat (line_input,
"esp"))
718 if (
unformat (line_input,
"%u", &backend_index))
743 .path =
"ipsec select backend",
744 .short_help =
"ipsec select backend <ah|esp> <backend index>",
763 .path =
"clear ipsec counters",
764 .short_help =
"clear ipsec counters",
772 return (0x80000000 | ti);
778 return (0xc0000000 | ti);
807 flags = IPSEC_SA_FLAG_NONE;
830 else if (
unformat (line_input,
"local-spi %u", &local_spi))
832 else if (
unformat (line_input,
"remote-spi %u", &remote_spi))
834 else if (
unformat (line_input,
"salt 0x%x", &salt))
836 else if (
unformat (line_input,
"udp-encap"))
837 flags |= IPSEC_SA_FLAG_UDP_ENCAP;
838 else if (
unformat (line_input,
"use-esn"))
839 flags |= IPSEC_SA_FLAG_USE_ESN;
840 else if (
unformat (line_input,
"use-anti-replay"))
841 flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
842 else if (
unformat (line_input,
"instance %u", &instance))
854 else if (
unformat (line_input,
"crypto-alg %U",
865 else if (
unformat (line_input,
"integ-alg %U",
868 else if (
unformat (line_input,
"del"))
886 if (ipv4_set && ipv6_set)
893 rv = VNET_API_ERROR_NO_SUCH_FIB;
905 instance, &local_ip, &remote_ip, fib_index,
906 TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
907 TUNNEL_MODE_P2P, &sw_if_index);
911 &lck, integ_alg, &lik, flags,
table_id,
912 clib_host_to_net_u32 (salt), &local_ip,
918 &rck, integ_alg, &rik,
919 (flags | IPSEC_SA_FLAG_IS_INBOUND),
table_id,
920 clib_host_to_net_u32 (salt), &remote_ip,
936 case VNET_API_ERROR_INVALID_VALUE:
938 "IPSec tunnel interface already exists...");
954 .path =
"create ipsec tunnel",
955 .short_help =
"create ipsec tunnel local-ip <addr> local-spi <spi> " 956 "remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap] [use-esn] [use-anti-replay] " 957 "[tx-table <table-id>]",
982 else if (
unformat (line_input,
"add"))
984 else if (
unformat (line_input,
"sa-in %d", &sa_in))
986 else if (
unformat (line_input,
"sa-out %d", &sa_out))
988 else if (
unformat (line_input,
"%U",
1011 .path =
"ipsec tunnel protect",
1013 .short_help =
"ipsec tunnel protect <interface> input-sa <SA> output-sa <SA>",
1034 .path =
"show ipsec protect",
1036 .short_help =
"show ipsec protect",
1049 ipsec4_tunnel_key_t
key;
1056 vlib_cli_output (vm,
" %U", format_ipsec4_tunnel_key, &key);
1057 vlib_cli_output (vm,
" tun:%d sa:%d", value.tun_index, value.sa_index);
1064 ipsec6_tunnel_key_t *
key;
1071 vlib_cli_output (vm,
" %U", format_ipsec6_tunnel_key, key);
1072 vlib_cli_output (vm,
" tun:%d sa:%d", value.tun_index, value.sa_index);
1086 .path =
"show ipsec protect-hash",
1088 .short_help =
"show ipsec protect-hash",
1105 int async_enable = 0;
1114 else if (
unformat (line_input,
"off"))
1130 .path =
"set ipsec async mode",
1131 .short_help =
"set ipsec async mode on|off",
static clib_error_t * ipsec_select_backend_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
uword * tun6_protect_by_key
vl_api_wireguard_peer_flags_t flags
static u32 ipsec_tun_mk_local_sa_id(u32 ti)
vnet_main_t * vnet_get_main(void)
ip46_address_range_t laddr
static clib_error_t * show_ipsec_spd_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
clib_memset(h->entries, 0, sizeof(h->entries[0]) *entries)
int ipsec_policy_mk_type(bool is_outbound, bool is_ipv6, ipsec_policy_action_t action, ipsec_spd_policy_type_t *type)
void vnet_crypto_request_async_mode(int is_enable)
static clib_error_t * create_ipsec_tunnel_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
u32 index_t
A Data-Path Object is an object that represents actions that are applied to packets are they are swit...
#define vec_add1(V, E)
Add 1 element to end of vector (unspecified alignment).
void ipsec_sa_clear(index_t sai)
int ipsec_select_ah_backend(ipsec_main_t *im, u32 backend_idx)
unformat_function_t unformat_vnet_sw_interface
A Secruity Policy Database.
int ipsec_sa_add_and_lock(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, u32 *sa_out_index, u16 src_port, u16 dst_port)
int ipip_add_tunnel(ipip_transport_t transport, u32 instance, ip46_address_t *src, ip46_address_t *dst, u32 fib_index, tunnel_encap_decap_flags_t flags, ip_dscp_t dscp, tunnel_mode_t tmode, u32 *sw_if_indexp)
static u8 ip46_address_is_ip4(const ip46_address_t *ip46)
void ipsec_tun_protect_walk(ipsec_tun_protect_walk_cb_t fn, void *ctx)
static void ipsec_tunnel_show_all(vlib_main_t *vm)
uword * spd_index_by_sw_if_index
enum walk_rc_t_ walk_rc_t
Walk return code.
void vlib_clear_combined_counters(vlib_combined_counter_main_t *cm)
Clear a collection of combined counters.
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
#define VLIB_INIT_FUNCTION(x)
int ipsec_select_esp_backend(ipsec_main_t *im, u32 backend_idx)
#define hash_foreach(key_var, value_var, h, body)
#define clib_error_return(e, args...)
int ipsec_sa_unlock_id(u32 id)
u32 fib_table_find(fib_protocol_t proto, u32 table_id)
Get the index of the FIB for a Table-ID.
static clib_error_t * ipsec_tun_protect_show(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
vlib_combined_counter_main_t ipsec_spd_policy_counters
Policy packet & bytes counters.
static clib_error_t * ipsec_policy_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_add_del_policy(vlib_main_t *vm, ipsec_policy_t *policy, int is_add, u32 *stat_index)
Add/Delete a SPD.
static clib_error_t * set_interface_spd_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static clib_error_t * set_async_mode_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
clib_error_t * ipsec_rsc_in_use(ipsec_main_t *im)
static clib_error_t * ipsec_show_backends_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ipsec_spd_policy_type_t type
uword unformat_ip_address(unformat_input_t *input, va_list *args)
#define hash_foreach_mem(key_var, value_var, h, body)
#define IP_ADDRESS_V4_ALL_0S
static void ipsec_spd_bindings_show_all(vlib_main_t *vm, ipsec_main_t *im)
static clib_error_t * clear_ipsec_counters_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_tun_protect_update_one(u32 sw_if_index, const ip_address_t *nh, u32 sa_out, u32 sa_in)
static void ipsec_sa_show_all(vlib_main_t *vm, ipsec_main_t *im, u8 detail)
ipsec_ah_backend_t * ah_backends
clib_error_t * ipsec_cli_init(vlib_main_t *vm)
#define vec_free(V)
Free vector's memory (no header).
static clib_error_t * clear_ipsec_sa_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ipsec_policy_action_t policy
enum ipsec_sad_flags_t_ ipsec_sa_flags_t
#define pool_is_free_index(P, I)
Use free bitmap to query whether given index is free.
#define VLIB_CLI_COMMAND(x,...)
static void ipsec_spd_show_all(vlib_main_t *vm, ipsec_main_t *im)
vlib_combined_counter_main_t ipsec_sa_counters
SA packet & bytes counters.
void ipsec_set_async_mode(u32 is_enabled)
void vlib_cli_output(vlib_main_t *vm, char *fmt,...)
static clib_error_t * show_ipsec_sa_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static clib_error_t * ipsec_tun_protect_cmd(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
ip46_address_range_t raddr
static fib_protocol_t fib_ip_proto(bool is_ip6)
Convert from boolean is_ip6 to FIB protocol.
static u32 ipsec_tun_mk_remote_sa_id(u32 ti)
static clib_error_t * show_ipsec_tunnel_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static clib_error_t * ipsec_sa_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_set_interface_spd(vlib_main_t *vm, u32 sw_if_index, u32 spd_id, int is_add)
Bind/attach a SPD to an interface.
static clib_error_t * ipsec_tun_protect_hash_show(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
int ipsec_add_del_spd(vlib_main_t *vm, u32 spd_id, int is_add)
Add/Delete a SPD.
static clib_error_t * show_ipsec_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
static walk_rc_t ipsec_tun_protect_show_one(index_t itpi, void *ctx)
#define pool_foreach_index(i, v, body)
Iterate pool by index.
static clib_error_t * ipsec_spd_add_del_command_fn(vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
#define IPSEC_UDP_PORT_NONE
#define ip46_address_initializer
vl_api_interface_index_t sw_if_index
uword * tun4_protect_by_key
int ipsec_tun_protect_update(u32 sw_if_index, const ip_address_t *nh, u32 sa_out, u32 *sas_in)