d5/d3f/ipsec__api_8c_source.html

 /*
  *------------------------------------------------------------------
  * ipsec_api.c - ipsec api
  *
  * Copyright (c) 2016 Cisco and/or its affiliates.
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at:
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  *------------------------------------------------------------------
  */

 #include <vnet/vnet.h>
 #include <vlibmemory/api.h>

 #include <vnet/interface.h>
 #include <vnet/api_errno.h>
 #include <vnet/ip/ip.h>
 #include <vnet/ip/ip_types_api.h>
 #include <vnet/fib/fib.h>

 #include <vnet/vnet_msg_enum.h>

 #if WITH_LIBSSL > 0
 #include <vnet/ipsec/ipsec.h>
 #endif /* IPSEC */

 #define vl_typedefs             /* define message structures */
 #include <vnet/vnet_all_api_h.h>
 #undef vl_typedefs

 #define vl_endianfun            /* define message structures */
 #include <vnet/vnet_all_api_h.h>
 #undef vl_endianfun

 /* instantiate all the print functions we know about */
 #define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
 #define vl_printfun
 #include <vnet/vnet_all_api_h.h>
 #undef vl_printfun

 #include <vlibapi/api_helper_macros.h>

 #define foreach_vpe_api_msg                                     \
 _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del)                         \
 _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd)     \
 _(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del)             \
 _(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del)             \
 _(IPSEC_SA_SET_KEY, ipsec_sa_set_key)                           \
 _(IPSEC_SA_DUMP, ipsec_sa_dump)                                 \
 _(IPSEC_SPDS_DUMP, ipsec_spds_dump)                             \
 _(IPSEC_SPD_DUMP, ipsec_spd_dump)                               \
 _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump)           \
 _(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del)             \
 _(IPSEC_TUNNEL_IF_SET_KEY, ipsec_tunnel_if_set_key)             \
 _(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa)               \
 _(IPSEC_SELECT_BACKEND, ipsec_select_backend)                   \
 _(IPSEC_BACKEND_DUMP, ipsec_backend_dump)

 static void
 vl_api_ipsec_spd_add_del_t_handler (vl_api_ipsec_spd_add_del_t * mp)
 {
 #if WITH_LIBSSL == 0
   clib_warning ("unimplemented");
 #else

   vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
   vl_api_ipsec_spd_add_del_reply_t *rmp;
   int rv;

   rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add);

   REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY);
 #endif
 }

 static void vl_api_ipsec_interface_add_del_spd_t_handler
   (vl_api_ipsec_interface_add_del_spd_t * mp)
 {
   vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
   vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
   int rv;
   u32 sw_if_index __attribute__ ((unused));
   u32 spd_id __attribute__ ((unused));

   sw_if_index = ntohl (mp->sw_if_index);
   spd_id = ntohl (mp->spd_id);

   VALIDATE_SW_IF_INDEX (mp);

 #if WITH_LIBSSL > 0
   rv = ipsec_set_interface_spd (vm, sw_if_index, spd_id, mp->is_add);
 #else
   rv = VNET_API_ERROR_UNIMPLEMENTED;
 #endif

   BAD_SW_IF_INDEX_LABEL;

   REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY);
 }

 static int
 ipsec_spd_action_decode (vl_api_ipsec_spd_action_t in,
                          ipsec_policy_action_t * out)
 {
   in = clib_net_to_host_u32 (in);

   switch (in)
     {
 #define _(v,f,s) case IPSEC_API_SPD_ACTION_##f: \
       *out = IPSEC_POLICY_ACTION_##f;              \
       return (0);
       foreach_ipsec_policy_action
 #undef _
     }
   return (VNET_API_ERROR_UNIMPLEMENTED);
 }

 static void vl_api_ipsec_spd_entry_add_del_t_handler
   (vl_api_ipsec_spd_entry_add_del_t * mp)
 {
   vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
   vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
   ip46_type_t itype;
   u32 stat_index;
   int rv;

   stat_index = ~0;

 #if WITH_LIBSSL > 0
   ipsec_policy_t p;

   clib_memset (&p, 0, sizeof (p));

   p.id = ntohl (mp->entry.spd_id);
   p.priority = ntohl (mp->entry.priority);

   itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start);
   ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop);
   ip_address_decode (&mp->entry.local_address_start, &p.laddr.start);
   ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop);

   p.is_ipv6 = (itype == IP46_TYPE_IP6);

   p.protocol = mp->entry.protocol;
   /* leave the ports in network order */
   p.rport.start = mp->entry.remote_port_start;
   p.rport.stop = mp->entry.remote_port_stop;
   p.lport.start = mp->entry.local_port_start;
   p.lport.stop = mp->entry.local_port_stop;

   rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);

   if (rv)
     goto out;

   /* policy action resolve unsupported */
   if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
     {
       clib_warning ("unsupported action: 'resolve'");
       rv = VNET_API_ERROR_UNIMPLEMENTED;
       goto out;
     }
   p.sa_id = ntohl (mp->entry.sa_id);
   rv =
     ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy,
                           &p.type);
   if (rv)
     goto out;

   rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index);
   if (rv)
     goto out;

 #else
   rv = VNET_API_ERROR_UNIMPLEMENTED;
   goto out;
 #endif

 out:
   /* *INDENT-OFF* */
   REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_REPLY,
   ({
     rmp->stat_index = ntohl(stat_index);
   }));
   /* *INDENT-ON* */
 }

 static int
 ipsec_proto_decode (vl_api_ipsec_proto_t in, ipsec_protocol_t * out)
 {
   in = clib_net_to_host_u32 (in);

   switch (in)
     {
     case IPSEC_API_PROTO_ESP:
       *out = IPSEC_PROTOCOL_ESP;
       return (0);
     case IPSEC_API_PROTO_AH:
       *out = IPSEC_PROTOCOL_AH;
       return (0);
     }
   return (VNET_API_ERROR_INVALID_PROTOCOL);
 }

 static vl_api_ipsec_proto_t
 ipsec_proto_encode (ipsec_protocol_t p)
 {
   switch (p)
     {
     case IPSEC_PROTOCOL_ESP:
       return clib_host_to_net_u32 (IPSEC_API_PROTO_ESP);
     case IPSEC_PROTOCOL_AH:
       return clib_host_to_net_u32 (IPSEC_API_PROTO_AH);
     }
   return (VNET_API_ERROR_UNIMPLEMENTED);
 }

 static int
 ipsec_crypto_algo_decode (vl_api_ipsec_crypto_alg_t in,
                           ipsec_crypto_alg_t * out)
 {
   in = clib_net_to_host_u32 (in);

   switch (in)
     {
 #define _(v,f,s) case IPSEC_API_CRYPTO_ALG_##f: \
       *out = IPSEC_CRYPTO_ALG_##f;              \
       return (0);
       foreach_ipsec_crypto_alg
 #undef _
     }
   return (VNET_API_ERROR_INVALID_ALGORITHM);
 }

 static vl_api_ipsec_crypto_alg_t
 ipsec_crypto_algo_encode (ipsec_crypto_alg_t c)
 {
   switch (c)
     {
 #define _(v,f,s) case IPSEC_CRYPTO_ALG_##f:                     \
       return clib_host_to_net_u32(IPSEC_API_CRYPTO_ALG_##f);
       foreach_ipsec_crypto_alg
 #undef _
     case IPSEC_CRYPTO_N_ALG:
       break;
     }
   ASSERT (0);
   return (VNET_API_ERROR_UNIMPLEMENTED);
 }


 static int
 ipsec_integ_algo_decode (vl_api_ipsec_integ_alg_t in, ipsec_integ_alg_t * out)
 {
   in = clib_net_to_host_u32 (in);

   switch (in)
     {
 #define _(v,f,s) case IPSEC_API_INTEG_ALG_##f:  \
       *out = IPSEC_INTEG_ALG_##f;               \
       return (0);
       foreach_ipsec_integ_alg
 #undef _
     }
   return (VNET_API_ERROR_INVALID_ALGORITHM);
 }

 static vl_api_ipsec_integ_alg_t
 ipsec_integ_algo_encode (ipsec_integ_alg_t i)
 {
   switch (i)
     {
 #define _(v,f,s) case IPSEC_INTEG_ALG_##f:                      \
       return (clib_host_to_net_u32(IPSEC_API_INTEG_ALG_##f));
       foreach_ipsec_integ_alg
 #undef _
     case IPSEC_INTEG_N_ALG:
       break;
     }
   ASSERT (0);
   return (VNET_API_ERROR_UNIMPLEMENTED);
 }

 static void
 ipsec_key_decode (const vl_api_key_t * key, ipsec_key_t * out)
 {
   ipsec_mk_key (out, key->data, key->length);
 }

 static void
 ipsec_key_encode (const ipsec_key_t * in, vl_api_key_t * out)
 {
   out->length = in->len;
   clib_memcpy (out->data, in->data, out->length);
 }

 static ipsec_sa_flags_t
 ipsec_sa_flags_decode (vl_api_ipsec_sad_flags_t in)
 {
   ipsec_sa_flags_t flags = IPSEC_SA_FLAG_NONE;
   in = clib_net_to_host_u32 (in);

   if (in & IPSEC_API_SAD_FLAG_USE_ESN)
     flags |= IPSEC_SA_FLAG_USE_ESN;
   if (in & IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY)
     flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
   if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL)
     flags |= IPSEC_SA_FLAG_IS_TUNNEL;
   if (in & IPSEC_API_SAD_FLAG_IS_TUNNEL_V6)
     flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6;
   if (in & IPSEC_API_SAD_FLAG_UDP_ENCAP)
     flags |= IPSEC_SA_FLAG_UDP_ENCAP;

   return (flags);
 }

 static vl_api_ipsec_sad_flags_t
 ipsec_sad_flags_encode (const ipsec_sa_t * sa)
 {
   vl_api_ipsec_sad_flags_t flags = IPSEC_API_SAD_FLAG_NONE;

   if (ipsec_sa_is_set_USE_ESN (sa))
     flags |= IPSEC_API_SAD_FLAG_USE_ESN;
   if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
     flags |= IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY;
   if (ipsec_sa_is_set_IS_TUNNEL (sa))
     flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL;
   if (ipsec_sa_is_set_IS_TUNNEL_V6 (sa))
     flags |= IPSEC_API_SAD_FLAG_IS_TUNNEL_V6;
   if (ipsec_sa_is_set_UDP_ENCAP (sa))
     flags |= IPSEC_API_SAD_FLAG_UDP_ENCAP;

   return clib_host_to_net_u32 (flags);
 }

 static void vl_api_ipsec_sad_entry_add_del_t_handler
   (vl_api_ipsec_sad_entry_add_del_t * mp)
 {
   vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
   vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
   ip46_address_t tun_src = { }, tun_dst =
   {
   };
   ipsec_key_t crypto_key, integ_key;
   ipsec_crypto_alg_t crypto_alg;
   ipsec_integ_alg_t integ_alg;
   ipsec_protocol_t proto;
   ipsec_sa_flags_t flags;
   u32 id, spi, sa_index = ~0;
   int rv;

 #if WITH_LIBSSL > 0

   id = ntohl (mp->entry.sad_id);
   spi = ntohl (mp->entry.spi);

   rv = ipsec_proto_decode (mp->entry.protocol, &proto);

   if (rv)
     goto out;

   rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);

   if (rv)
     goto out;

   rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);

   if (rv)
     goto out;

   ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
   ipsec_key_decode (&mp->entry.integrity_key, &integ_key);

   flags = ipsec_sa_flags_decode (mp->entry.flags);

   ip_address_decode (&mp->entry.tunnel_src, &tun_src);
   ip_address_decode (&mp->entry.tunnel_dst, &tun_dst);


   if (mp->is_add)
     rv = ipsec_sa_add (id, spi, proto,
                        crypto_alg, &crypto_key,
                        integ_alg, &integ_key, flags,
                        0, 0, &tun_src, &tun_dst, &sa_index);
   else
     rv = ipsec_sa_del (id);

 #else
   rv = VNET_API_ERROR_UNIMPLEMENTED;
 #endif

 out:
   /* *INDENT-OFF* */
   REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY,
   {
     rmp->stat_index = htonl (sa_index);
   });
   /* *INDENT-ON* */
 }

 static void
 send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg,
                          u32 context)
 {
   vl_api_ipsec_spds_details_t *mp;
   u32 n_policies = 0;

   mp = vl_msg_api_alloc (sizeof (*mp));
   clib_memset (mp, 0, sizeof (*mp));
   mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPDS_DETAILS);
   mp->context = context;

   mp->spd_id = htonl (spd->id);
 #define _(s, n) n_policies += vec_len (spd->policies[IPSEC_SPD_POLICY_##s]);
   foreach_ipsec_spd_policy_type
 #undef _
     mp->npolicies = htonl (n_policies);

   vl_api_send_msg (reg, (u8 *) mp);
 }

 static void
 vl_api_ipsec_spds_dump_t_handler (vl_api_ipsec_spds_dump_t * mp)
 {
   vl_api_registration_t *reg;
   ipsec_main_t *im = &ipsec_main;
   ipsec_spd_t *spd;
 #if WITH_LIBSSL > 0
   reg = vl_api_client_index_to_registration (mp->client_index);
   if (!reg)
     return;

   /* *INDENT-OFF* */
   pool_foreach (spd, im->spds, ({
     send_ipsec_spds_details (spd, reg, mp->context);
   }));
   /* *INDENT-ON* */
 #else
   clib_warning ("unimplemented");
 #endif
 }

 vl_api_ipsec_spd_action_t
 ipsec_spd_action_encode (ipsec_policy_action_t in)
 {
   vl_api_ipsec_spd_action_t out = IPSEC_API_SPD_ACTION_BYPASS;

   switch (in)
     {
 #define _(v,f,s) case IPSEC_POLICY_ACTION_##f: \
       out = IPSEC_API_SPD_ACTION_##f;          \
       break;
       foreach_ipsec_policy_action
 #undef _
     }
   return (clib_host_to_net_u32 (out));
 }

 static void
 send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg,
                         u32 context)
 {
   vl_api_ipsec_spd_details_t *mp;

   mp = vl_msg_api_alloc (sizeof (*mp));
   clib_memset (mp, 0, sizeof (*mp));
   mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_DETAILS);
   mp->context = context;

   mp->entry.spd_id = htonl (p->id);
   mp->entry.priority = htonl (p->priority);
   mp->entry.is_outbound = ((p->type == IPSEC_SPD_POLICY_IP6_OUTBOUND) ||
                            (p->type == IPSEC_SPD_POLICY_IP4_OUTBOUND));

   ip_address_encode (&p->laddr.start, IP46_TYPE_ANY,
                      &mp->entry.local_address_start);
   ip_address_encode (&p->laddr.stop, IP46_TYPE_ANY,
                      &mp->entry.local_address_stop);
   ip_address_encode (&p->raddr.start, IP46_TYPE_ANY,
                      &mp->entry.remote_address_start);
   ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY,
                      &mp->entry.remote_address_stop);
   mp->entry.local_port_start = p->lport.start;
   mp->entry.local_port_stop = p->lport.stop;
   mp->entry.remote_port_start = p->rport.start;
   mp->entry.remote_port_stop = p->rport.stop;
   mp->entry.protocol = p->protocol;
   mp->entry.policy = ipsec_spd_action_encode (p->policy);
   mp->entry.sa_id = htonl (p->sa_id);

   vl_api_send_msg (reg, (u8 *) mp);
 }

 static void
 vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp)
 {
   vl_api_registration_t *reg;
   ipsec_main_t *im = &ipsec_main;
   ipsec_spd_policy_type_t ptype;
   ipsec_policy_t *policy;
   ipsec_spd_t *spd;
   uword *p;
   u32 spd_index, *ii;
 #if WITH_LIBSSL > 0
   reg = vl_api_client_index_to_registration (mp->client_index);
   if (!reg)
     return;

   p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id));
   if (!p)
     return;

   spd_index = p[0];
   spd = pool_elt_at_index (im->spds, spd_index);

   /* *INDENT-OFF* */
   FOR_EACH_IPSEC_SPD_POLICY_TYPE(ptype) {
     vec_foreach(ii, spd->policies[ptype])
       {
         policy = pool_elt_at_index(im->policies, *ii);

         if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id)
           send_ipsec_spd_details (policy, reg, mp->context);
       }
   }
   /* *INDENT-ON* */
 #else
   clib_warning ("unimplemented");
 #endif
 }

 static void
 send_ipsec_spd_interface_details (vl_api_registration_t * reg, u32 spd_index,
                                   u32 sw_if_index, u32 context)
 {
   vl_api_ipsec_spd_interface_details_t *mp;

   mp = vl_msg_api_alloc (sizeof (*mp));
   clib_memset (mp, 0, sizeof (*mp));
   mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_INTERFACE_DETAILS);
   mp->context = context;

   mp->spd_index = htonl (spd_index);
   mp->sw_if_index = htonl (sw_if_index);

   vl_api_send_msg (reg, (u8 *) mp);
 }

 static void
 vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t *
                                            mp)
 {
   ipsec_main_t *im = &ipsec_main;
   vl_api_registration_t *reg;
   u32 k, v, spd_index;

 #if WITH_LIBSSL > 0
   reg = vl_api_client_index_to_registration (mp->client_index);
   if (!reg)
     return;

   if (mp->spd_index_valid)
     {
       spd_index = ntohl (mp->spd_index);
       /* *INDENT-OFF* */
       hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
         if (v == spd_index)
           send_ipsec_spd_interface_details(reg, v, k, mp->context);
       }));
       /* *INDENT-ON* */
     }
   else
     {
       /* *INDENT-OFF* */
       hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
         send_ipsec_spd_interface_details(reg, v, k, mp->context);
       }));
       /* *INDENT-ON* */
     }

 #else
   clib_warning ("unimplemented");
 #endif
 }

 static void
 vl_api_ipsec_sa_set_key_t_handler (vl_api_ipsec_sa_set_key_t * mp)
 {
   vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
   vl_api_ipsec_sa_set_key_reply_t *rmp;
   ipsec_key_t ck, ik;
   u32 id;
   int rv;
 #if WITH_LIBSSL > 0

   id = ntohl (mp->sa_id);

   ipsec_key_decode (&mp->crypto_key, &ck);
   ipsec_key_decode (&mp->integrity_key, &ik);

   rv = ipsec_set_sa_key (id, &ck, &ik);
 #else
   rv = VNET_API_ERROR_UNIMPLEMENTED;
 #endif

   REPLY_MACRO (VL_API_IPSEC_SA_SET_KEY_REPLY);
 }

 static void
 vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
                                           mp)
 {
   vl_api_ipsec_tunnel_if_add_del_reply_t *rmp;
   ipsec_main_t *im = &ipsec_main;
   vnet_main_t *vnm = im->vnet_main;
   u32 sw_if_index = ~0;
   ip46_type_t itype;
   int rv;

 #if WITH_LIBSSL > 0
   ipsec_add_del_tunnel_args_t tun;

   clib_memset (&tun, 0, sizeof (ipsec_add_del_tunnel_args_t));

   tun.is_add = mp->is_add;
   tun.esn = mp->esn;
   tun.anti_replay = mp->anti_replay;
   tun.local_spi = ntohl (mp->local_spi);
   tun.remote_spi = ntohl (mp->remote_spi);
   tun.crypto_alg = mp->crypto_alg;
   tun.local_crypto_key_len = mp->local_crypto_key_len;
   tun.remote_crypto_key_len = mp->remote_crypto_key_len;
   tun.integ_alg = mp->integ_alg;
   tun.local_integ_key_len = mp->local_integ_key_len;
   tun.remote_integ_key_len = mp->remote_integ_key_len;
   tun.udp_encap = mp->udp_encap;
   tun.tx_table_id = ntohl (mp->tx_table_id);
   itype = ip_address_decode (&mp->local_ip, &tun.local_ip);
   itype = ip_address_decode (&mp->remote_ip, &tun.remote_ip);
   tun.is_ip6 = (IP46_TYPE_IP6 == itype);
   memcpy (&tun.local_crypto_key, &mp->local_crypto_key,
           mp->local_crypto_key_len);
   memcpy (&tun.remote_crypto_key, &mp->remote_crypto_key,
           mp->remote_crypto_key_len);
   memcpy (&tun.local_integ_key, &mp->local_integ_key,
           mp->local_integ_key_len);
   memcpy (&tun.remote_integ_key, &mp->remote_integ_key,
           mp->remote_integ_key_len);
   tun.renumber = mp->renumber;
   tun.show_instance = ntohl (mp->show_instance);

   rv = ipsec_add_del_tunnel_if_internal (vnm, &tun, &sw_if_index);

 #else
   rv = VNET_API_ERROR_UNIMPLEMENTED;
 #endif

   /* *INDENT-OFF* */
   REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY,
   ({
     rmp->sw_if_index = htonl (sw_if_index);
   }));
   /* *INDENT-ON* */
 }

 static void
 send_ipsec_sa_details (ipsec_sa_t * sa, vl_api_registration_t * reg,
                        u32 context, u32 sw_if_index)
 {
   vl_api_ipsec_sa_details_t *mp;

   mp = vl_msg_api_alloc (sizeof (*mp));
   clib_memset (mp, 0, sizeof (*mp));
   mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS);
   mp->context = context;

   mp->entry.sad_id = htonl (sa->id);
   mp->entry.spi = htonl (sa->spi);
   mp->entry.protocol = ipsec_proto_encode (sa->protocol);
   mp->entry.tx_table_id =
     htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4));

   mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
   ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);

   mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
   ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);

   mp->entry.flags = ipsec_sad_flags_encode (sa);

   if (ipsec_sa_is_set_IS_TUNNEL (sa))
     {
       ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY,
                          &mp->entry.tunnel_src);
       ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
                          &mp->entry.tunnel_dst);
     }

   mp->sw_if_index = htonl (sw_if_index);
   mp->salt = clib_host_to_net_u32 (sa->salt);
   mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
   mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
   if (ipsec_sa_is_set_USE_ESN (sa))
     {
       mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
       mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
     }
   if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
     mp->replay_window = clib_host_to_net_u64 (sa->replay_window);

   vl_api_send_msg (reg, (u8 *) mp);
 }


 static void
 vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
 {
   vl_api_registration_t *reg;
   ipsec_main_t *im = &ipsec_main;
   vnet_main_t *vnm = im->vnet_main;
   ipsec_sa_t *sa;
   ipsec_tunnel_if_t *t;
   u32 *sa_index_to_tun_if_index = 0;

 #if WITH_LIBSSL > 0
   reg = vl_api_client_index_to_registration (mp->client_index);
   if (!reg || pool_elts (im->sad) == 0)
     return;

   vec_validate_init_empty (sa_index_to_tun_if_index, vec_len (im->sad) - 1,
                            ~0);

   /* *INDENT-OFF* */
   pool_foreach (t, im->tunnel_interfaces,
   ({
     vnet_hw_interface_t *hi;
     u32 sw_if_index = ~0;

     hi = vnet_get_hw_interface (vnm, t->hw_if_index);
     sw_if_index = hi->sw_if_index;
     sa_index_to_tun_if_index[t->input_sa_index] = sw_if_index;
     sa_index_to_tun_if_index[t->output_sa_index] = sw_if_index;
   }));

   pool_foreach (sa, im->sad,
   ({
     if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == sa->id)
       send_ipsec_sa_details (sa, reg, mp->context,
                              sa_index_to_tun_if_index[sa - im->sad]);
   }));
   /* *INDENT-ON* */

   vec_free (sa_index_to_tun_if_index);
 #else
   clib_warning ("unimplemented");
 #endif
 }


 static void
 vl_api_ipsec_tunnel_if_set_key_t_handler (vl_api_ipsec_tunnel_if_set_key_t *
                                           mp)
 {
   vl_api_ipsec_tunnel_if_set_key_reply_t *rmp;
   ipsec_main_t *im = &ipsec_main;
   vnet_main_t *vnm = im->vnet_main;
   vnet_sw_interface_t *sw;
   u8 *key = 0;
   int rv;

 #if WITH_LIBSSL > 0
   sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));

   switch (mp->key_type)
     {
     case IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO:
     case IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO:
       if (mp->alg < IPSEC_CRYPTO_ALG_AES_CBC_128 ||
           mp->alg >= IPSEC_CRYPTO_N_ALG)
         {
           rv = VNET_API_ERROR_INVALID_ALGORITHM;
           goto out;
         }
       break;
     case IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG:
     case IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG:
       if (mp->alg >= IPSEC_INTEG_N_ALG)
         {
           rv = VNET_API_ERROR_INVALID_ALGORITHM;
           goto out;
         }
       break;
     case IPSEC_IF_SET_KEY_TYPE_NONE:
     default:
       rv = VNET_API_ERROR_UNIMPLEMENTED;
       goto out;
       break;
     }

   key = vec_new (u8, mp->key_len);
   clib_memcpy (key, mp->key, mp->key_len);

   rv = ipsec_set_interface_key (vnm, sw->hw_if_index, mp->key_type, mp->alg,
                                 key);
   vec_free (key);
 #else
   clib_warning ("unimplemented");
 #endif

 out:
   REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_KEY_REPLY);
 }


 static void
 vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
 {
   vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
   ipsec_main_t *im = &ipsec_main;
   vnet_main_t *vnm = im->vnet_main;
   vnet_sw_interface_t *sw;
   int rv;

 #if WITH_LIBSSL > 0
   sw = vnet_get_sw_interface (vnm, ntohl (mp->sw_if_index));

   rv = ipsec_set_interface_sa (vnm, sw->hw_if_index, ntohl (mp->sa_id),
                                mp->is_outbound);
 #else
   clib_warning ("unimplemented");
 #endif

   REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
 }

 static void
 vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp)
 {
   vl_api_registration_t *rp;
   ipsec_main_t *im = &ipsec_main;
   u32 context = mp->context;

   rp = vl_api_client_index_to_registration (mp->client_index);

   if (rp == 0)
     {
       clib_warning ("Client %d AWOL", mp->client_index);
       return;
     }

   ipsec_ah_backend_t *ab;
   ipsec_esp_backend_t *eb;
   /* *INDENT-OFF* */
   pool_foreach (ab, im->ah_backends, {
     vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
     clib_memset (mp, 0, sizeof (*mp));
     mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
     mp->context = context;
     snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (ab->name),
               ab->name);
     mp->protocol = ntohl (IPSEC_API_PROTO_AH);
     mp->index = ab - im->ah_backends;
     mp->active = mp->index == im->ah_current_backend ? 1 : 0;
     vl_api_send_msg (rp, (u8 *)mp);
   });
   pool_foreach (eb, im->esp_backends, {
     vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
     clib_memset (mp, 0, sizeof (*mp));
     mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
     mp->context = context;
     snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (eb->name),
               eb->name);
     mp->protocol = ntohl (IPSEC_API_PROTO_ESP);
     mp->index = eb - im->esp_backends;
     mp->active = mp->index == im->esp_current_backend ? 1 : 0;
     vl_api_send_msg (rp, (u8 *)mp);
   });
   /* *INDENT-ON* */
 }

 static void
 vl_api_ipsec_select_backend_t_handler (vl_api_ipsec_select_backend_t * mp)
 {
   ipsec_main_t *im = &ipsec_main;
   vl_api_ipsec_select_backend_reply_t *rmp;
   ipsec_protocol_t protocol;
   int rv = 0;
   if (pool_elts (im->sad) > 0)
     {
       rv = VNET_API_ERROR_INSTANCE_IN_USE;
       goto done;
     }

   rv = ipsec_proto_decode (mp->protocol, &protocol);

   if (rv)
     goto done;

 #if WITH_LIBSSL > 0
   switch (protocol)
     {
     case IPSEC_PROTOCOL_ESP:
       rv = ipsec_select_esp_backend (im, mp->index);
       break;
     case IPSEC_PROTOCOL_AH:
       rv = ipsec_select_ah_backend (im, mp->index);
       break;
     default:
       rv = VNET_API_ERROR_INVALID_PROTOCOL;
       break;
     }
 #else
   clib_warning ("unimplemented");       /* FIXME */
 #endif
 done:
   REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY);
 }

 /*
  * ipsec_api_hookup
  * Add vpe's API message handlers to the table.
  * vlib has already mapped shared memory and
  * added the client registration handlers.
  * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process()
  */
 #define vl_msg_name_crc_list
 #include <vnet/vnet_all_api_h.h>
 #undef vl_msg_name_crc_list

 static void
 setup_message_id_table (api_main_t * am)
 {
 #define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id);
   foreach_vl_msg_name_crc_ipsec;
 #undef _
 }

 static clib_error_t *
 ipsec_api_hookup (vlib_main_t * vm)
 {
   api_main_t *am = &api_main;

 #define _(N,n)                                                  \
     vl_msg_api_set_handlers(VL_API_##N, #n,                     \
                            vl_api_##n##_t_handler,              \
                            vl_noop_handler,                     \
                            vl_api_##n##_t_endian,               \
                            vl_api_##n##_t_print,                \
                            sizeof(vl_api_##n##_t), 1);
   foreach_vpe_api_msg;
 #undef _

   /*
    * Set up the (msg_name, crc, message-id) table
    */
   setup_message_id_table (am);

   return 0;
 }

 VLIB_API_INIT_FUNCTION (ipsec_api_hookup);

 /*
  * fd.io coding-style-patch-verification: ON
  *
  * Local Variables:
  * eval: (c-set-style "gnu")
  * End:
  */
ip46_address_range_t::stop
ip46_address_t stop
Definition: ipsec_spd_policy.h:37

sw_if_index
u32 sw_if_index
Definition: ipsec_gre.api:37

vl_api_ipsec_sa_set_key_t_handler
static void vl_api_ipsec_sa_set_key_t_handler(vl_api_ipsec_sa_set_key_t *mp)
Definition: ipsec_api.c:596

vl_api_ipsec_sa_set_key_t::crypto_key
vl_api_key_t crypto_key
Definition: ipsec.api:323

ipsec_main_t::spds
ipsec_spd_t * spds
Definition: ipsec.h:93

vl_api_ipsec_spd_entry_add_del_t
IPsec: Add/delete Security Policy Database entry.
Definition: ipsec.api:117

vl_api_ipsec_tunnel_if_set_key_t::key_type
u8 key_type
Definition: ipsec.api:479

flags
u32 flags
Definition: vhost_user.h:115

ipsec_spd_action_encode
vl_api_ipsec_spd_action_t ipsec_spd_action_encode(ipsec_policy_action_t in)
Definition: ipsec_api.c:453

ipsec_main_t::tunnel_interfaces
ipsec_tunnel_if_t * tunnel_interfaces
Definition: ipsec.h:100

IPSEC_API_SPD_ACTION_BYPASS
Definition: ipsec.api:60

port_range_t::stop
u16 stop
Definition: ipsec_spd_policy.h:43

vl_api_ipsec_sa_dump_t::client_index
u32 client_index
Definition: ipsec.api:421

ipsec_sa_t::tunnel_src_addr
ip46_address_t tunnel_src_addr
Definition: ipsec_sa.h:156

IP46_TYPE_IP6
Definition: ip6_packet.h:74

ipsec_policy_t_::sa_id
u32 sa_id
Definition: ipsec_spd_policy.h:73

ipsec_sa_del
u32 ipsec_sa_del(u32 id)
Definition: ipsec_sa.c:254

ipsec_spd_policy_type_t
enum ipsec_spd_policy_t_ ipsec_spd_policy_type_t

vl_api_ipsec_tunnel_if_add_del_t::crypto_alg
u8 crypto_alg
Definition: ipsec.api:388

ipsec_sa_t::id
u32 id
Definition: ipsec_sa.h:146

IP46_TYPE_ANY
Definition: ip6_packet.h:72

vl_api_ipsec_spd_interface_details_t
IPsec: SPD interface response.
Definition: ipsec.api:346

vl_api_ipsec_tunnel_if_set_key_t::key
u8 key[128]
Definition: ipsec.api:482

vl_api_ipsec_tunnel_if_set_key_t_handler
static void vl_api_ipsec_tunnel_if_set_key_t_handler(vl_api_ipsec_tunnel_if_set_key_t *mp)
Definition: ipsec_api.c:770

ipsec_add_del_tunnel_args_t::local_ip
ip46_address_t local_ip
Definition: ipsec_if.h:47

vl_api_ipsec_tunnel_if_add_del_t::anti_replay
u8 anti_replay
Definition: ipsec.api:383

vl_api_ipsec_backend_dump_t
Dump IPsec backends.
Definition: ipsec.api:504

vl_api_ipsec_backend_dump_t::client_index
u32 client_index
Definition: ipsec.api:505

fib.h

ip_types_api.h

ipsec_integ_alg_t
ipsec_integ_alg_t
Definition: ipsec_sa.h:60

VLIB_API_INIT_FUNCTION
VLIB_API_INIT_FUNCTION(ipsec_api_hookup)

vl_api_ipsec_sa_details_t::sw_if_index
u32 sw_if_index
Definition: ipsec.api:457

ipsec_crypto_algo_encode
static vl_api_ipsec_crypto_alg_t ipsec_crypto_algo_encode(ipsec_crypto_alg_t c)
Definition: ipsec_api.c:244

ipsec_ah_backend_t
Definition: ipsec.h:33

vl_api_ipsec_sa_set_key_t
IPsec: Update Security Association keys.
Definition: ipsec.api:316

u64
unsigned long u64
Definition: types.h:89

ipsec_policy_t_::laddr
ip46_address_range_t laddr
Definition: ipsec_spd_policy.h:65

ipsec_policy_t_::id
u32 id
Definition: ipsec_spd_policy.h:57

REPLY_MACRO2
#define REPLY_MACRO2(t, body)
Definition: api_helper_macros.h:46

ipsec_add_del_tunnel_args_t::renumber
u8 renumber
Definition: ipsec_if.h:60

foreach_ipsec_crypto_alg
#define foreach_ipsec_crypto_alg
Definition: ipsec_sa.h:24

FOR_EACH_IPSEC_SPD_POLICY_TYPE
#define FOR_EACH_IPSEC_SPD_POLICY_TYPE(_t)
Definition: ipsec_spd.h:36

ipsec_set_interface_sa
int ipsec_set_interface_sa(vnet_main_t *vnm, u32 hw_if_index, u32 sa_id, u8 is_outbound)
Definition: ipsec_if.c:563

ipsec_policy_mk_type
int ipsec_policy_mk_type(bool is_outbound, bool is_ipv6, ipsec_policy_action_t action, ipsec_spd_policy_type_t *type)
Definition: ipsec_spd_policy.c:100

vl_api_send_msg
static void vl_api_send_msg(vl_api_registration_t *rp, u8 *elem)
Definition: api.h:34

ipsec_sa_t::crypto_key
ipsec_key_t crypto_key
Definition: ipsec_sa.h:151

ipsec.h

ipsec_set_sa_key
int ipsec_set_sa_key(u32 id, const ipsec_key_t *ck, const ipsec_key_t *ik)
Definition: ipsec_sa.c:321

ipsec_sa_t::integ_alg
ipsec_integ_alg_t integ_alg
Definition: ipsec_sa.h:153

vl_api_ipsec_backend_dump_t::context
u32 context
Definition: ipsec.api:506

vl_api_ipsec_tunnel_if_add_del_t::integ_alg
u8 integ_alg
Definition: ipsec.api:393

ipsec_add_del_tunnel_args_t::remote_integ_key
u8 remote_integ_key[128]
Definition: ipsec_if.h:59

ipsec_protocol_t
ipsec_protocol_t
Definition: ipsec_sa.h:68

vl_api_ipsec_spd_interface_details_t::context
u32 context
Definition: ipsec.api:347

ipsec_add_del_tunnel_args_t::remote_crypto_key
u8 remote_crypto_key[128]
Definition: ipsec_if.h:54

vl_api_ipsec_tunnel_if_add_del_t::remote_crypto_key_len
u8 remote_crypto_key_len
Definition: ipsec.api:391

setup_message_id_table
static void setup_message_id_table(api_main_t *am)
Definition: ipsec_api.c:940

vl_api_ipsec_spd_interface_dump_t::spd_index
u32 spd_index
Definition: ipsec.api:337

vl_api_ipsec_spd_dump_t::spd_id
u32 spd_id
Definition: ipsec.api:167

i
int i
Definition: flowhash_template.h:376

IPSEC_PROTOCOL_ESP
Definition: ipsec_sa.h:71

IPSEC_API_PROTO_AH
Definition: ipsec.api:240

foreach_ipsec_integ_alg
#define foreach_ipsec_integ_alg
Definition: ipsec_sa.h:51

policy
vl_api_ipsec_spd_action_t policy
Definition: ipsec.api:95

clib_memset
clib_memset(h->entries, 0, sizeof(h->entries[0])*entries)

vl_api_ipsec_spd_add_del_t::is_add
u8 is_add
Definition: ipsec.api:32

vl_api_ipsec_sa_dump_t_handler
static void vl_api_ipsec_sa_dump_t_handler(vl_api_ipsec_sa_dump_t *mp)
Definition: ipsec_api.c:725

vnet_get_sw_interface
static vnet_sw_interface_t * vnet_get_sw_interface(vnet_main_t *vnm, u32 sw_if_index)
Definition: interface_funcs.h:58

ipsec_add_del_tunnel_args_t::udp_encap
u8 udp_encap
Definition: ipsec_if.h:62

vnet_sw_interface_t
Definition: interface.h:680

ipsec_select_ah_backend
int ipsec_select_ah_backend(ipsec_main_t *im, u32 backend_idx)
Definition: ipsec.c:195

IPSEC_INTEG_N_ALG
Definition: ipsec_sa.h:65

ipsec_spd_t
A Secruity Policy Database.
Definition: ipsec_spd.h:44

ipsec_sa_flags_decode
static ipsec_sa_flags_t ipsec_sa_flags_decode(vl_api_ipsec_sad_flags_t in)
Definition: ipsec_api.c:306

IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY
Definition: ipsec.api:227

ipsec_tunnel_if_t
Definition: ipsec_if.h:29

vl_api_ipsec_tunnel_if_set_key_t::key_len
u8 key_len
Definition: ipsec.api:481

vnet_msg_enum.h

ip.h

vl_msg_api_alloc
void * vl_msg_api_alloc(int nbytes)
Definition: memory_shared.c:198

ipsec_mk_key
void ipsec_mk_key(ipsec_key_t *key, const u8 *data, u8 len)
Definition: ipsec_sa.c:54

ipsec_key_t_::len
u8 len
Definition: ipsec_sa.h:79

vl_api_ipsec_spd_entry_add_del_t::is_add
u8 is_add
Definition: ipsec.api:121

vl_api_ipsec_tunnel_if_add_del_t::remote_spi
u32 remote_spi
Definition: ipsec.api:387

IPSEC_IF_SET_KEY_TYPE_REMOTE_INTEG
Definition: ipsec_if.h:26

vl_api_ipsec_tunnel_if_add_del_reply_t::sw_if_index
u32 sw_if_index
Definition: ipsec.api:412

u8
unsigned char u8
Definition: types.h:56

foreach_vpe_api_msg
#define foreach_vpe_api_msg
Definition: ipsec_api.c:51

vl_api_ipsec_tunnel_if_add_del_t::remote_ip
vl_api_address_t remote_ip
Definition: ipsec.api:385

ipsec_sa_t::spi
u32 spi
Definition: ipsec_sa.h:121

ipsec_sa_t::seq_hi
u32 seq_hi
Definition: ipsec_sa.h:123

ipsec_main_t::spd_index_by_sw_if_index
uword * spd_index_by_sw_if_index
Definition: ipsec.h:110

vl_api_ipsec_interface_add_del_spd_t_handler
static void vl_api_ipsec_interface_add_del_spd_t_handler(vl_api_ipsec_interface_add_del_spd_t *mp)
Definition: ipsec_api.c:85

clib_memcpy
#define clib_memcpy(d, s, n)
Definition: string.h:180

ipsec_sa_t::replay_window
u64 replay_window
Definition: ipsec_sa.h:126

crypto_key
vl_api_key_t crypto_key
Definition: ipsec.api:275

ipsec_policy_t_::protocol
u8 protocol
Definition: ipsec_spd_policy.h:67

ipsec_add_del_tunnel_args_t::remote_spi
u32 remote_spi
Definition: ipsec_if.h:49

vl_api_ipsec_select_backend_t
Select IPsec backend.
Definition: ipsec.api:529

pool_foreach
#define pool_foreach(VAR, POOL, BODY)
Iterate through pool.
Definition: pool.h:493

vl_api_ipsec_tunnel_if_add_del_t::is_add
u8 is_add
Definition: ipsec.api:381

ipsec_add_del_tunnel_args_t::remote_integ_key_len
u8 remote_integ_key_len
Definition: ipsec_if.h:58

ipsec_proto_decode
static int ipsec_proto_decode(vl_api_ipsec_proto_t in, ipsec_protocol_t *out)
Definition: ipsec_api.c:197

ipsec_main
ipsec_main_t ipsec_main
Definition: ipsec.c:28

ipsec_add_del_tunnel_args_t::local_spi
u32 local_spi
Definition: ipsec_if.h:48

vl_api_ipsec_sad_entry_add_del_reply_t
Definition: ipsec.api:299

vec_new
#define vec_new(T, N)
Create new vector of given type and length (unspecified alignment, no header).
Definition: vec.h:311

vl_api_ipsec_tunnel_if_add_del_t::renumber
u8 renumber
Definition: ipsec.api:398

vl_api_ipsec_tunnel_if_add_del_t_handler
static void vl_api_ipsec_tunnel_if_add_del_t_handler(vl_api_ipsec_tunnel_if_add_del_t *mp)
Definition: ipsec_api.c:619

vl_api_ipsec_tunnel_if_set_key_t
Set key on IPsec interface.
Definition: ipsec.api:475

vl_api_ipsec_backend_dump_t_handler
static void vl_api_ipsec_backend_dump_t_handler(vl_api_ipsec_backend_dump_t *mp)
Definition: ipsec_api.c:846

foreach_ipsec_policy_action
Definition: ipsec_spd_policy.h:29

ipsec_select_esp_backend
int ipsec_select_esp_backend(ipsec_main_t *im, u32 backend_idx)
Definition: ipsec.c:218

hash_foreach
#define hash_foreach(key_var, value_var, h, body)
Definition: hash.h:442

vl_api_ipsec_spd_dump_t_handler
static void vl_api_ipsec_spd_dump_t_handler(vl_api_ipsec_spd_dump_t *mp)
Definition: ipsec_api.c:504

vl_api_ipsec_spd_interface_dump_t_handler
static void vl_api_ipsec_spd_interface_dump_t_handler(vl_api_ipsec_spd_interface_dump_t *mp)
Definition: ipsec_api.c:559

vl_api_ipsec_tunnel_if_add_del_t::local_ip
vl_api_address_t local_ip
Definition: ipsec.api:384

ipsec_add_del_tunnel_args_t::is_ip6
u8 is_ip6
Definition: ipsec_if.h:44

port_range_t::start
u16 start
Definition: ipsec_spd_policy.h:43

api_errno.h

vl_api_ipsec_tunnel_if_set_sa_t::sw_if_index
u32 sw_if_index
Definition: ipsec.api:495

vl_api_ipsec_interface_add_del_spd_t::is_add
u8 is_add
Definition: ipsec.api:51

IPSEC_CRYPTO_N_ALG
Definition: ipsec_sa.h:43

ipsec_policy_t_::rport
port_range_t rport
Definition: ipsec_spd_policy.h:69

ipsec_set_interface_key
int ipsec_set_interface_key(vnet_main_t *vnm, u32 hw_if_index, ipsec_if_set_key_type_t type, u8 alg, u8 *key)
Definition: ipsec_if.c:517

u32
unsigned int u32
Definition: types.h:88

vl_api_ipsec_spd_entry_add_del_reply_t
IPsec: Reply Add/delete Security Policy Database entry.
Definition: ipsec.api:131

vl_api_ipsec_sa_details_t::last_seq_inbound
u64 last_seq_inbound
Definition: ipsec.api:460

ipsec_main_t
Definition: ipsec.h:90

ip_address_decode
ip46_type_t ip_address_decode(const vl_api_address_t *in, ip46_address_t *out)
Definition: ip_types_api.c:83

vl_api_ipsec_sa_details_t::seq_outbound
u64 seq_outbound
Definition: ipsec.api:459

IPSEC_API_SAD_FLAG_USE_ESN
Definition: ipsec.api:225

vl_api_ipsec_spd_add_del_t_handler
static void vl_api_ipsec_spd_add_del_t_handler(vl_api_ipsec_spd_add_del_t *mp)
Definition: ipsec_api.c:68

ipsec_sa_t::last_seq
u32 last_seq
Definition: ipsec_sa.h:124

api_helper_macros.h

hash_get
#define hash_get(h, key)
Definition: hash.h:249

vl_api_ipsec_sad_entry_add_del_t
IPsec: Add/delete Security Association Database entry.
Definition: ipsec.api:292

ipsec_sa_t::tx_fib_index
u32 tx_fib_index
Definition: ipsec_sa.h:162

pool_elt_at_index
#define pool_elt_at_index(p, i)
Returns pointer to element at given index.
Definition: pool.h:514

vl_api_ipsec_tunnel_if_add_del_t::remote_crypto_key
u8 remote_crypto_key[128]
Definition: ipsec.api:392

interface.h

vl_api_ipsec_spds_details_t
Dump IPsec all SPD IDs response.
Definition: ipsec.api:152

vl_api_ipsec_tunnel_if_add_del_reply_t
Add/delete IPsec tunnel interface response.
Definition: ipsec.api:409

vl_api_ipsec_tunnel_if_add_del_t::remote_integ_key_len
u8 remote_integ_key_len
Definition: ipsec.api:396

vl_api_ipsec_spd_add_del_t
IPsec: Add/delete Security Policy Database.
Definition: ipsec.api:28

ipsec_sa_t::salt
u32 salt
Definition: ipsec_sa.h:163

ipsec_main_t::vnet_main
vnet_main_t * vnet_main
Definition: ipsec.h:106

ipsec_add_del_policy
int ipsec_add_del_policy(vlib_main_t *vm, ipsec_policy_t *policy, int is_add, u32 *stat_index)
Add/Delete a SPD.
Definition: ipsec_spd_policy.c:136

ipsec_sa_t::last_seq_hi
u32 last_seq_hi
Definition: ipsec_sa.h:125

vl_api_ipsec_tunnel_if_add_del_t::local_integ_key
u8 local_integ_key[128]
Definition: ipsec.api:395

ipsec_spd_action_decode
static int ipsec_spd_action_decode(vl_api_ipsec_spd_action_t in, ipsec_policy_action_t *out)
Definition: ipsec_api.c:110

ipsec_add_del_tunnel_args_t::remote_ip
ip46_address_t remote_ip
Definition: ipsec_if.h:47

ipsec_add_del_tunnel_args_t::local_crypto_key_len
u8 local_crypto_key_len
Definition: ipsec_if.h:51

vl_api_ipsec_tunnel_if_add_del_t::udp_encap
u8 udp_encap
Definition: ipsec.api:400

IPSEC_API_SAD_FLAG_IS_TUNNEL
Definition: ipsec.api:229

REPLY_MACRO
#define REPLY_MACRO(t)
Definition: api_helper_macros.h:30

ipsec_policy_t_::type
ipsec_spd_policy_type_t type
Definition: ipsec_spd_policy.h:61

IPSEC_IF_SET_KEY_TYPE_REMOTE_CRYPTO
Definition: ipsec_if.h:24

ipsec_sad_flags_encode
static vl_api_ipsec_sad_flags_t ipsec_sad_flags_encode(const ipsec_sa_t *sa)
Definition: ipsec_api.c:326

vl_api_ipsec_spd_dump_t::sa_id
u32 sa_id
Definition: ipsec.api:168

ipsec_sa_t
Definition: ipsec_sa.h:111

vl_api_ipsec_interface_add_del_spd_t::spd_id
u32 spd_id
Definition: ipsec.api:53

ipsec_add_del_tunnel_args_t::local_integ_key_len
u8 local_integ_key_len
Definition: ipsec_if.h:56

send_ipsec_sa_details
static void send_ipsec_sa_details(ipsec_sa_t *sa, vl_api_registration_t *reg, u32 context, u32 sw_if_index)
Definition: ipsec_api.c:676

ipsec_policy_action_t
ipsec_policy_action_t
Definition: ipsec_spd_policy.h:26

ipsec_main_t::spd_index_by_spd_id
uword * spd_index_by_spd_id
Definition: ipsec.h:109

vnet.h

vl_api_ipsec_spd_interface_details_t::sw_if_index
u32 sw_if_index
Definition: ipsec.api:349

vl_api_ipsec_spds_dump_t::client_index
u32 client_index
Definition: ipsec.api:143

vl_api_ipsec_tunnel_if_set_sa_t_handler
static void vl_api_ipsec_tunnel_if_set_sa_t_handler(vl_api_ipsec_tunnel_if_set_sa_t *mp)
Definition: ipsec_api.c:825

api_main_t
API main structure, used by both vpp and binary API clients.
Definition: api_common.h:202

ipsec_sa_t::tunnel_dst_addr
ip46_address_t tunnel_dst_addr
Definition: ipsec_sa.h:157

vl_api_ipsec_tunnel_if_add_del_t::remote_integ_key
u8 remote_integ_key[128]
Definition: ipsec.api:397

IPSEC_API_SAD_FLAG_UDP_ENCAP
Definition: ipsec.api:234

vl_api_registration_
An API client registration, only in vpp/vlib.
Definition: api_common.h:45

BAD_SW_IF_INDEX_LABEL
#define BAD_SW_IF_INDEX_LABEL
Definition: api_helper_macros.h:125

vl_api_ipsec_interface_add_del_spd_t
IPsec: Add/delete SPD from interface.
Definition: ipsec.api:46

ipsec_add_del_tunnel_args_t::crypto_alg
ipsec_crypto_alg_t crypto_alg
Definition: ipsec_if.h:50

c
svmdb_client_t * c
Definition: vpp_get_metrics.c:49

vl_api_ipsec_tunnel_if_add_del_t::esn
u8 esn
Definition: ipsec.api:382

ipsec_add_del_tunnel_args_t
Definition: ipsec_if.h:41

ipsec_add_del_tunnel_args_t::remote_crypto_key_len
u8 remote_crypto_key_len
Definition: ipsec_if.h:53

vm
vlib_main_t * vm
Definition: buffer.c:312

ipsec_main_t::ah_backends
ipsec_ah_backend_t * ah_backends
Definition: ipsec.h:142

ipsec_policy_t_::priority
i32 priority
Definition: ipsec_spd_policy.h:58

vec_free
#define vec_free(V)
Free vector&#39;s memory (no header).
Definition: vec.h:341

vl_api_ipsec_spds_dump_t
Dump IPsec all SPD IDs.
Definition: ipsec.api:142

vl_api_ipsec_sad_entry_add_del_t::entry
vl_api_ipsec_sad_entry_t entry
Definition: ipsec.api:297

vl_api_ipsec_select_backend_t::index
u8 index
Definition: ipsec.api:533

ipsec_policy_t_::policy
ipsec_policy_action_t policy
Definition: ipsec_spd_policy.h:72

ip46_address_range_t::start
ip46_address_t start
Definition: ipsec_spd_policy.h:37

context
u32 context
Definition: ipsec_gre.api:33

clib_warning
#define clib_warning(format, args...)
Definition: error.h:59

vl_api_ipsec_tunnel_if_add_del_t::local_spi
u32 local_spi
Definition: ipsec.api:386

ipsec_crypto_algo_decode
static int ipsec_crypto_algo_decode(vl_api_ipsec_crypto_alg_t in, ipsec_crypto_alg_t *out)
Definition: ipsec_api.c:227

ipsec_sa_flags_t
enum ipsec_sad_flags_t_ ipsec_sa_flags_t

vl_api_ipsec_select_backend_t::protocol
vl_api_ipsec_proto_t protocol
Definition: ipsec.api:532

IPSEC_IF_SET_KEY_TYPE_LOCAL_INTEG
Definition: ipsec_if.h:25

ipsec_esp_backend_t
Definition: ipsec.h:50

vl_api_ipsec_tunnel_if_set_sa_t
Set new SA on IPsec interface.
Definition: ipsec.api:492

vl_api_client_index_to_registration
static vl_api_registration_t * vl_api_client_index_to_registration(u32 index)
Definition: api.h:56

ipsec_policy_t_
A Secruity Policy.
Definition: ipsec_spd_policy.h:55

vl_api_ipsec_spd_add_del_t::spd_id
u32 spd_id
Definition: ipsec.api:33

vl_api_ipsec_spds_dump_t_handler
static void vl_api_ipsec_spds_dump_t_handler(vl_api_ipsec_spds_dump_t *mp)
Definition: ipsec_api.c:432

send_ipsec_spd_interface_details
static void send_ipsec_spd_interface_details(vl_api_registration_t *reg, u32 spd_index, u32 sw_if_index, u32 context)
Definition: ipsec_api.c:542

vl_api_ipsec_spd_dump_t::client_index
u32 client_index
Definition: ipsec.api:165

vl_api_ipsec_sa_details_t::salt
u32 salt
Definition: ipsec.api:458

vl_api_ipsec_sa_details_t::entry
vl_api_ipsec_sad_entry_t entry
Definition: ipsec.api:455

vnet_main_t
Definition: vnet.h:51

send_ipsec_spd_details
static void send_ipsec_spd_details(ipsec_policy_t *p, vl_api_registration_t *reg, u32 context)
Definition: ipsec_api.c:469

ipsec_key_t_::data
u8 data[IPSEC_KEY_MAX_LEN]
Definition: ipsec_sa.h:80

ipsec_add_del_tunnel_args_t::local_crypto_key
u8 local_crypto_key[128]
Definition: ipsec_if.h:52

ASSERT
#define ASSERT(truth)
Definition: error_bootstrap.h:69

spi
u32 spi
Definition: ipsec.api:270

IPSEC_API_SAD_FLAG_IS_TUNNEL_V6
Definition: ipsec.api:232

vl_api_ipsec_spd_entry_add_del_t_handler
static void vl_api_ipsec_spd_entry_add_del_t_handler(vl_api_ipsec_spd_entry_add_del_t *mp)
Definition: ipsec_api.c:127

ipsec_main_t::policies
ipsec_policy_t * policies
Definition: ipsec.h:97

vl_api_ipsec_tunnel_if_add_del_t::local_crypto_key
u8 local_crypto_key[128]
Definition: ipsec.api:390

vl_api_ipsec_sa_dump_t
Dump IPsec security association.
Definition: ipsec.api:420

ipsec_add_del_tunnel_args_t::integ_alg
ipsec_integ_alg_t integ_alg
Definition: ipsec_if.h:55

ipsec_add_del_tunnel_args_t::esn
u8 esn
Definition: ipsec_if.h:45

ip46_type_t
ip46_type_t
Definition: ip6_packet.h:70

ipsec_main_t::sad
ipsec_sa_t * sad
Definition: ipsec.h:95

vl_api_ipsec_spd_interface_dump_t::spd_index_valid
u8 spd_index_valid
Definition: ipsec.api:338

fib_table_get_table_id
u32 fib_table_get_table_id(u32 fib_index, fib_protocol_t proto)
Get the Table-ID of the FIB from protocol and index.
Definition: fib_table.c:1053

ipsec_spd_t::policies
u32 * policies[IPSEC_SPD_POLICY_N_TYPES]
vectors for each of the policy types
Definition: ipsec_spd.h:49

ipsec_add_del_tunnel_args_t::tx_table_id
u32 tx_table_id
Definition: ipsec_if.h:63

vl_api_ipsec_tunnel_if_set_key_t::sw_if_index
u32 sw_if_index
Definition: ipsec.api:478

IPSEC_IF_SET_KEY_TYPE_LOCAL_CRYPTO
Definition: ipsec_if.h:23

vl_api_ipsec_spd_dump_t
Dump ipsec policy database data.
Definition: ipsec.api:164

vl_api_ipsec_spd_dump_t::context
u32 context
Definition: ipsec.api:166

vl_api_ipsec_spd_entry_add_del_reply_t::stat_index
u32 stat_index
Definition: ipsec.api:135

vnet_sw_interface_t::hw_if_index
u32 hw_if_index
Definition: interface.h:698

vl_api_ipsec_sa_details_t::replay_window
u64 replay_window
Definition: ipsec.api:461

ipsec_add_del_tunnel_if_internal
int ipsec_add_del_tunnel_if_internal(vnet_main_t *vnm, ipsec_add_del_tunnel_args_t *args, u32 *sw_if_index)
Definition: ipsec_if.c:256

ipsec_sa_t::protocol
ipsec_protocol_t protocol
Definition: ipsec_sa.h:148

send_ipsec_spds_details
static void send_ipsec_spds_details(ipsec_spd_t *spd, vl_api_registration_t *reg, u32 context)
Definition: ipsec_api.c:411

vl_api_ipsec_sa_set_key_t::sa_id
u32 sa_id
Definition: ipsec.api:321

ipsec_proto_encode
static vl_api_ipsec_proto_t ipsec_proto_encode(ipsec_protocol_t p)
Definition: ipsec_api.c:214

vlib_get_main
static vlib_main_t * vlib_get_main(void)
Definition: global_funcs.h:23

vl_api_ipsec_spds_details_t::spd_id
u32 spd_id
Definition: ipsec.api:154

ipsec_sa_t::seq
u32 seq
Definition: ipsec_sa.h:122

vl_api_ipsec_spd_details_t
IPsec policy database response.
Definition: ipsec.api:177

clib_error_t
Definition: clib_error.h:21

vl_api_ipsec_spd_interface_dump_t
IPsec: Get SPD interfaces.
Definition: ipsec.api:334

vl_api_ipsec_spd_details_t::entry
vl_api_ipsec_spd_entry_t entry
Definition: ipsec.api:179

vl_api_ipsec_spd_entry_add_del_t::entry
vl_api_ipsec_spd_entry_t entry
Definition: ipsec.api:122

vl_api_ipsec_tunnel_if_add_del_t::local_integ_key_len
u8 local_integ_key_len
Definition: ipsec.api:394

vnet_all_api_h.h

ipsec_sa_add
int ipsec_sa_add(u32 id, u32 spi, ipsec_protocol_t proto, ipsec_crypto_alg_t crypto_alg, const ipsec_key_t *ck, ipsec_integ_alg_t integ_alg, const ipsec_key_t *ik, ipsec_sa_flags_t flags, u32 tx_table_id, u32 salt, const ip46_address_t *tun_src, const ip46_address_t *tun_dst, u32 *sa_out_index)
Definition: ipsec_sa.c:123

vec_len
#define vec_len(v)
Number of elements in vector (rvalue-only, NULL tolerant)
Definition: vec_bootstrap.h:143

vl_api_ipsec_tunnel_if_add_del_t::local_crypto_key_len
u8 local_crypto_key_len
Definition: ipsec.api:389

vl_api_ipsec_spd_details_t::context
u32 context
Definition: ipsec.api:178

ipsec_policy_t_::raddr
ip46_address_range_t raddr
Definition: ipsec_spd_policy.h:66

FIB_PROTOCOL_IP4
Definition: fib_types.h:37

api.h

vlib_main_t
Definition: main.h:68

uword
u64 uword
Definition: types.h:112

IPSEC_API_SAD_FLAG_NONE
Definition: ipsec.api:223

ipsec_crypto_alg_t
ipsec_crypto_alg_t
Definition: ipsec_sa.h:38

key
typedef key
Definition: ipsec.api:244

ipsec_integ_algo_decode
static int ipsec_integ_algo_decode(vl_api_ipsec_integ_alg_t in, ipsec_integ_alg_t *out)
Definition: ipsec_api.c:261

vl_api_ipsec_sad_entry_add_del_t::is_add
u8 is_add
Definition: ipsec.api:296

vl_api_ipsec_tunnel_if_set_sa_t::is_outbound
u8 is_outbound
Definition: ipsec.api:497

vl_api_ipsec_tunnel_if_set_sa_t::sa_id
u32 sa_id
Definition: ipsec.api:496

ipsec_set_interface_spd
int ipsec_set_interface_spd(vlib_main_t *vm, u32 sw_if_index, u32 spd_id, int is_add)
Bind/attach a SPD to an interface.
Definition: ipsec_spd.c:63

ipsec_integ_algo_encode
static vl_api_ipsec_integ_alg_t ipsec_integ_algo_encode(ipsec_integ_alg_t i)
Definition: ipsec_api.c:277

tun
vl_api_gbp_endpoint_tun_t tun
Definition: gbp.api:121

ip_address_encode
void ip_address_encode(const ip46_address_t *in, ip46_type_t type, vl_api_address_t *out)
Definition: ip_types_api.c:100

ipsec_key_decode
static void ipsec_key_decode(const vl_api_key_t *key, ipsec_key_t *out)
Definition: ipsec_api.c:293

vl_api_ipsec_sa_details_t::context
u32 context
Definition: ipsec.api:454

ipsec_spd_t::id
u32 id
the User&#39;s ID for this policy
Definition: ipsec_spd.h:47

ipsec_key_encode
static void ipsec_key_encode(const ipsec_key_t *in, vl_api_key_t *out)
Definition: ipsec_api.c:299

vl_api_ipsec_sa_set_key_t::integrity_key
vl_api_key_t integrity_key
Definition: ipsec.api:324

vl_api_ipsec_spds_details_t::npolicies
u32 npolicies
Definition: ipsec.api:155

ipsec_add_del_tunnel_args_t::is_add
u8 is_add
Definition: ipsec_if.h:43

ipsec_sa_t::crypto_alg
ipsec_crypto_alg_t crypto_alg
Definition: ipsec_sa.h:150

ipsec_policy_t_::lport
port_range_t lport
Definition: ipsec_spd_policy.h:68

ipsec_add_del_spd
int ipsec_add_del_spd(vlib_main_t *vm, u32 spd_id, int is_add)
Add/Delete a SPD.
Definition: ipsec_spd.c:20

ipsec_api_hookup
static clib_error_t * ipsec_api_hookup(vlib_main_t *vm)
Definition: ipsec_api.c:948

foreach_ipsec_spd_policy_type
#define foreach_ipsec_spd_policy_type
Definition: ipsec_spd.h:20

IPSEC_IF_SET_KEY_TYPE_NONE
Definition: ipsec_if.h:22

vec_foreach
#define vec_foreach(var, vec)
Vector iterator.
Definition: vec_bootstrap.h:185

IPSEC_API_PROTO_ESP
Definition: ipsec.api:239

id
u32 id
Definition: udp.api:45

vl_api_ipsec_tunnel_if_add_del_t::tx_table_id
u32 tx_table_id
Definition: ipsec.api:401

vl_api_ipsec_spds_details_t::context
u32 context
Definition: ipsec.api:153

vl_api_ipsec_spd_interface_details_t::spd_index
u32 spd_index
Definition: ipsec.api:348

vl_api_ipsec_select_backend_t_handler
static void vl_api_ipsec_select_backend_t_handler(vl_api_ipsec_select_backend_t *mp)
Definition: ipsec_api.c:891

vl_api_ipsec_sa_details_t
IPsec security association database response.
Definition: ipsec.api:453

ipsec_main_t::esp_backends
ipsec_esp_backend_t * esp_backends
Definition: ipsec.h:144

vec_validate_init_empty
#define vec_validate_init_empty(V, I, INIT)
Make sure vector is long enough for given index and initialize empty space (no header, unspecified alignment)
Definition: vec.h:486

ipsec_sa_t::integ_key
ipsec_key_t integ_key
Definition: ipsec_sa.h:154

ipsec_key_t_
Definition: ipsec_sa.h:77

ipsec_add_del_tunnel_args_t::anti_replay
u8 anti_replay
Definition: ipsec_if.h:46

vl_api_ipsec_spd_interface_dump_t::client_index
u32 client_index
Definition: ipsec.api:335

api_main
api_main_t api_main
Definition: api_shared.c:35

vl_api_ipsec_tunnel_if_set_key_t::alg
u8 alg
Definition: ipsec.api:480

vl_api_ipsec_tunnel_if_add_del_t
Add or delete IPsec tunnel interface.
Definition: ipsec.api:378

ipsec_policy_t_::is_ipv6
u8 is_ipv6
Definition: ipsec_spd_policy.h:64

IPSEC_PROTOCOL_AH
Definition: ipsec_sa.h:70

vl_api_ipsec_interface_add_del_spd_t::sw_if_index
u32 sw_if_index
Definition: ipsec.api:52

ipsec_add_del_tunnel_args_t::local_integ_key
u8 local_integ_key[128]
Definition: ipsec_if.h:57

protocol
u8 protocol
Definition: ipsec.api:96

VALIDATE_SW_IF_INDEX
#define VALIDATE_SW_IF_INDEX(mp)
Definition: api_helper_macros.h:117

ipsec_add_del_tunnel_args_t::show_instance
u32 show_instance
Definition: ipsec_if.h:61

vl_api_ipsec_sad_entry_add_del_reply_t::stat_index
u32 stat_index
Definition: ipsec.api:303

vl_api_ipsec_sad_entry_add_del_t_handler
static void vl_api_ipsec_sad_entry_add_del_t_handler(vl_api_ipsec_sad_entry_add_del_t *mp)
Definition: ipsec_api.c:345

vl_api_ipsec_tunnel_if_add_del_t::show_instance
u32 show_instance
Definition: ipsec.api:399

pool_elts
static uword pool_elts(void *v)
Number of active elements in a pool.
Definition: pool.h:128