aboutsummaryrefslogtreecommitdiffstats
path: root/resources
diff options
context:
space:
mode:
Diffstat (limited to 'resources')
-rw-r--r--resources/libraries/python/Classify.py86
-rw-r--r--resources/libraries/python/IPv4Setup.py2
-rw-r--r--resources/libraries/python/IPv6Util.py26
-rw-r--r--resources/libraries/python/InterfaceUtil.py25
-rw-r--r--resources/libraries/robot/iacl.robot125
-rw-r--r--resources/libraries/robot/traffic.robot1
-rw-r--r--resources/templates/vat/classify_add_session.vat1
-rw-r--r--resources/templates/vat/classify_add_table.vat1
-rw-r--r--resources/templates/vat/input_acl_int.vat1
9 files changed, 266 insertions, 2 deletions
diff --git a/resources/libraries/python/Classify.py b/resources/libraries/python/Classify.py
new file mode 100644
index 0000000000..cf93a04b2b
--- /dev/null
+++ b/resources/libraries/python/Classify.py
@@ -0,0 +1,86 @@
+# Copyright (c) 2016 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+from robot.api import logger
+
+from resources.libraries.python.VatExecutor import VatExecutor, VatTerminal
+
+
+class Classify(object):
+ """Classify utilities."""
+
+ @staticmethod
+ def vpp_create_classify_table(node, ip_version, direction):
+ """Create classify table.
+
+ :param node: VPP node to create classify table.
+ :param ip_version: Version of IP protocol.
+ :param direction: Direction of traffic - src/dst.
+ :type node: dict
+ :type ip_version: str
+ :type direction: str
+ :return table_index: Classify table index.
+ :return skip_n: Number of skip vectors.
+ :return match_n: Number of match vectors.
+ :rtype table_index: int
+ :rtype skip_n: int
+ :rtype match_n: int
+ """
+ output = VatExecutor.cmd_from_template(node, "classify_add_table.vat",
+ ip_version=ip_version,
+ direction=direction)
+
+ if output[0]["retval"] == 0:
+ table_index = output[0]["new_table_index"]
+ skip_n = output[0]["skip_n_vectors"]
+ match_n = output[0]["match_n_vectors"]
+ logger.trace('Classify table with table_index {} created on node {}'
+ .format(table_index, node['host']))
+ else:
+ raise RuntimeError('Unable to create classify table on node {}'
+ .format(node['host']))
+
+ return table_index, skip_n, match_n
+
+ @staticmethod
+ def vpp_configure_classify_session(node, acl_method, table_index, skip_n,
+ match_n, ip_version, direction, address):
+ """Configuration of classify session.
+
+ :param node: VPP node to setup classify session.
+ :param acl_method: ACL method - deny/permit.
+ :param table_index: Classify table index.
+ :param skip_n: Number of skip vectors based on mask.
+ :param match_n: Number of match vectors based on mask.
+ :param ip_version: Version of IP protocol.
+ :param direction: Direction of traffic - src/dst.
+ :param address: IPv4 or IPv6 address.
+ :type node: dict
+ :type acl_method: str
+ :type table_index: int
+ :type skip_n: int
+ :type match_n: int
+ :type ip_version: str
+ :type direction: str
+ :type address: str
+ """
+ with VatTerminal(node) as vat:
+ vat.vat_terminal_exec_cmd_from_template("classify_add_session.vat",
+ acl_method=acl_method,
+ table_index=table_index,
+ skip_n=skip_n,
+ match_n=match_n,
+ ip_version=ip_version,
+ direction=direction,
+ address=address)
diff --git a/resources/libraries/python/IPv4Setup.py b/resources/libraries/python/IPv4Setup.py
index 50154103ec..577b225ad1 100644
--- a/resources/libraries/python/IPv4Setup.py
+++ b/resources/libraries/python/IPv4Setup.py
@@ -319,7 +319,7 @@ class IPv4Setup(object):
def add_arp_on_dut(node, interface, ip_address, mac_address):
"""Set ARP cache entree on DUT node.
- :param node: Node in the topology.
+ :param node: VPP Node in the topology.
:param interface: Interface name of the node.
:param ip_address: IP address of the interface.
:param mac_address: MAC address of the interface.
diff --git a/resources/libraries/python/IPv6Util.py b/resources/libraries/python/IPv6Util.py
index 519026beae..35ec8d5258 100644
--- a/resources/libraries/python/IPv6Util.py
+++ b/resources/libraries/python/IPv6Util.py
@@ -16,6 +16,8 @@
import re
from resources.libraries.python.ssh import SSH
+from resources.libraries.python.VatExecutor import VatTerminal
+from resources.libraries.python.topology import Topology
class IPv6Util(object):
@@ -106,3 +108,27 @@ class IPv6Util(object):
raise Exception('Node {n} port {p} IPv6 address not found.'.format(
n=node['host'], p=interface))
+
+ @staticmethod
+ def add_ip_neighbor(node, interface, ip_address, mac_address):
+ """Add IP neighbor.
+
+ :param node: VPP node to add ip neighbor.
+ :param interface: Interface name or sw_if_index.
+ :param ip_address: IP address.
+ :param mac_address: MAC address.
+ :type node: dict
+ :type interface: str or int
+ :type ip_address: str
+ :type mac_address: str
+ """
+ if isinstance(interface, basestring):
+ sw_if_index = Topology.get_interface_sw_index(node, interface)
+ else:
+ sw_if_index = interface
+
+ with VatTerminal(node) as vat:
+ vat.vat_terminal_exec_cmd_from_template("add_ip_neighbor.vat",
+ sw_if_index=sw_if_index,
+ ip_address=ip_address,
+ mac_address=mac_address)
diff --git a/resources/libraries/python/InterfaceUtil.py b/resources/libraries/python/InterfaceUtil.py
index 35194f2487..3da0e1a204 100644
--- a/resources/libraries/python/InterfaceUtil.py
+++ b/resources/libraries/python/InterfaceUtil.py
@@ -580,3 +580,28 @@ class InterfaceUtil(object):
else:
raise RuntimeError('Create loopback failed on node "{}"'
.format(node['host']))
+
+ @staticmethod
+ def vpp_enable_input_acl_interface(node, interface, ip_version,
+ table_index):
+ """Enable input acl on interface.
+
+ :param node: VPP node to setup interface for input acl.
+ :param interface: Interface to setup input acl.
+ :param ip_version: Version of IP protocol.
+ :param table_index: Classify table index.
+ :type node: dict
+ :type interface: str or int
+ :type ip_version: str
+ :type table_index: int
+ """
+ if isinstance(interface, basestring):
+ sw_if_index = Topology.get_interface_sw_index(node, interface)
+ else:
+ sw_if_index = interface
+
+ with VatTerminal(node) as vat:
+ vat.vat_terminal_exec_cmd_from_template("input_acl_int.vat",
+ sw_if_index=sw_if_index,
+ ip_version=ip_version,
+ table_index=table_index)
diff --git a/resources/libraries/robot/iacl.robot b/resources/libraries/robot/iacl.robot
new file mode 100644
index 0000000000..659edb8c30
--- /dev/null
+++ b/resources/libraries/robot/iacl.robot
@@ -0,0 +1,125 @@
+# Copyright (c) 2016 Cisco and/or its affiliates.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+*** Settings ***
+| Documentation | Keywords for iACL tests
+| Resource | resources/libraries/robot/default.robot
+| Library | resources.libraries.python.InterfaceUtil
+| Library | resources.libraries.python.NodePath
+
+*** Keywords ***
+| Node path computed for 3-node topology
+| | [Arguments] | ${tg_node} | ${dut1_node} | ${dut2_node} | ${tg_node}
+| | [Documentation] | *Create interface variables for 3-node topology.*
+| | ...
+| | ... | *Arguments:*
+| | ... | - ${tg_node} - Node attached to the path. Type: dictionary
+| | ... | - ${dut1_node} - Node attached to the path. Type: dictionary
+| | ... | - ${dut2_node} - Node attached to the path. Type: dictionary
+| | ...
+| | ... | _Set testcase variables for nodes and interfaces._
+| | ... | - ${tg_node} - Variable for node in path. Type: dictionary
+| | ... | - ${dut1_node} - Variable for node in path. Type: dictionary
+| | ... | - ${dut2_node} - Variable for node in path. Type: dictionary
+| | ... | - ${tg_if1} - First interface of TG node. Type: str
+| | ... | - ${tg_if2} - Second interface of TG node. Type: str
+| | ... | - ${dut1_if1} - First interface of first DUT node. Type: str
+| | ... | - ${dut1_if2} - Second interface of first DUT node. Type: str
+| | ... | - ${dut2_if1} - First interface of second DUT node. Type: str
+| | ... | - ${dut2_if2} - Second interface of second DUT node. Type: str
+| | ... | - ${tg_if1_mac} - MAC address of TG interface (1st).
+| | ... | - ${tg_if2_mac} - MAC address of TG interface (2nd).
+| | ... | - ${dut1_if1_mac} - MAC address of DUT1 interface (1st).
+| | ... | - ${dut1_if2_mac} - MAC address of DUT1 interface (2nd).
+| | ...
+| | Append Nodes | ${tg_node} | ${dut1_node} | ${dut2_node} | ${tg_node}
+| | Compute Path
+| | ${tg_if1} | ${tg_node}= | Next Interface
+| | ${dut1_if1} | ${dut1_node}= | Next Interface
+| | ${dut1_if2} | ${dut1_node}= | Next Interface
+| | ${dut2_if1} | ${dut2_node}= | Next Interface
+| | ${dut2_if2} | ${dut2_node}= | Next Interface
+| | ${tg_if2} | ${tg_node}= | Next Interface
+| | ${tg_if1_mac}= | Get interface mac | ${tg_node} | ${tg_if1}
+| | ${tg_if2_mac}= | Get interface mac | ${tg_node} | ${tg_if2}
+| | ${dut1_if1_mac}= | Get interface mac | ${dut1_node} | ${dut1_if1}
+| | ${dut1_if2_mac}= | Get interface mac | ${dut1_node} | ${dut1_if2}
+| | Set Test Variable | ${tg_node}
+| | Set Test Variable | ${tg_if1}
+| | Set Test Variable | ${tg_if2}
+| | Set Test Variable | ${dut1_node}
+| | Set Test Variable | ${dut1_if1}
+| | Set Test Variable | ${dut1_if2}
+| | Set Test Variable | ${dut2_node}
+| | Set Test Variable | ${dut2_if1}
+| | Set Test Variable | ${dut2_if2}
+| | Set Test Variable | ${tg_if1_mac}
+| | Set Test Variable | ${tg_if2_mac}
+| | Set Test Variable | ${dut1_if1_mac}
+| | Set Test Variable | ${dut1_if2_mac}
+
+| Interfaces in path are up
+| | [Documentation] | *Set UP state on interfaces in path on nodes.*
+| | ...
+| | Set Interface State | ${tg_node} | ${tg_if1} | up
+| | Set Interface State | ${tg_node} | ${tg_if2} | up
+| | Set Interface State | ${dut1_node} | ${dut1_if1} | up
+| | Set Interface State | ${dut1_node} | ${dut1_if2} | up
+| | Set Interface State | ${dut2_node} | ${dut2_if1} | up
+| | Set Interface State | ${dut2_node} | ${dut2_if2} | up
+| | Vpp Node Interfaces Ready Wait | ${dut1_node}
+| | Vpp Node Interfaces Ready Wait | ${dut2_node}
+
+| IPv4 Addresses set on the node interfaces
+| | [Arguments] | ${dut_node} | ${int1} | ${ip_addr1} | ${int2} | ${ip_addr2}
+| | ... | ${prefix_length}
+| | [Documentation] | Setup IPv4 adresses on the node interfaces
+| | ...
+| | ... | *Arguments*
+| | ... | - ${dut_node} - VPP node.
+| | ... | - ${int1} - First node interface.
+| | ... | - ${ip_addr1} - First IP address.
+| | ... | - ${int2} - Second node interface.
+| | ... | - ${ip_addr2} - Second IP address.
+| | ... | - ${prefix_length} - IP prefix length.
+| | ...
+| | ... | *Example*
+| | ... | \| IPv4 Addresses set on the node interfaces \
+| | ... | \| ${dut1_node} \| ${dut1_if1} \| ${dut1_if1_ip} \
+| | ... | \| ${dut1_if2} \| ${dut1_if2_ip} \| ${prefix_length} \|
+| | ...
+| | Set Interface Address | ${dut_node} | ${int1} | ${ip_addr1}
+| | ... | ${prefix_length}
+| | Set Interface Address | ${dut_node} | ${int2} | ${ip_addr2}
+| | ... | ${prefix_length}
+
+| IPv6 Addresses set on the node interfaces
+| | [Arguments] | ${dut_node} | ${int1} | ${ip_addr1} | ${int2} | ${ip_addr2}
+| | ... | ${prefix_length}
+| | [Documentation] | Setup IPv6 adresses on the node interfaces
+| | ...
+| | ... | *Arguments*
+| | ... | - ${dut_node} - VPP node.
+| | ... | - ${int1} - First node interface.
+| | ... | - ${ip_addr1} - First IP address.
+| | ... | - ${int2} - Second node interface.
+| | ... | - ${ip_addr2} - Second IP address.
+| | ... | - ${prefix_length} - IP prefix length.
+| | ...
+| | ... | *Example*
+| | ... | \| IPv6 Addresses set on the node interfaces \
+| | ... | \| ${dut1_node} \| ${dut1_if1} \| ${dut1_if1_ip} \
+| | ... | \| ${dut1_if2} \| ${dut1_if2_ip} \| ${prefix_length} \|
+| | ...
+| | Vpp Set If Ipv6 Addr | ${dut_node} | ${int1} | ${ip_addr1} | ${prefix_length}
+| | Vpp Set If Ipv6 Addr | ${dut_node} | ${int2} | ${ip_addr2} | ${prefix_length}
diff --git a/resources/libraries/robot/traffic.robot b/resources/libraries/robot/traffic.robot
index b97a6d4360..fc1fa363fe 100644
--- a/resources/libraries/robot/traffic.robot
+++ b/resources/libraries/robot/traffic.robot
@@ -105,4 +105,3 @@
| | Run Keyword And Expect Error | ICMP echo Rx timeout |
| | ... | Run Traffic Script On Node | send_icmp_check_headers.py
| | ... | ${tg_node} | ${args}
-l \ No newline at end of file
diff --git a/resources/templates/vat/classify_add_session.vat b/resources/templates/vat/classify_add_session.vat
new file mode 100644
index 0000000000..e68b46f965
--- /dev/null
+++ b/resources/templates/vat/classify_add_session.vat
@@ -0,0 +1 @@
+classify_add_del_session acl-hit-next {acl_method} table-index {table_index} skip_n {skip_n} match_n {match_n} match l3 {ip_version} {direction} {address} \ No newline at end of file
diff --git a/resources/templates/vat/classify_add_table.vat b/resources/templates/vat/classify_add_table.vat
new file mode 100644
index 0000000000..fea8926a68
--- /dev/null
+++ b/resources/templates/vat/classify_add_table.vat
@@ -0,0 +1 @@
+classify_add_del_table mask l3 {ip_version} {direction} \ No newline at end of file
diff --git a/resources/templates/vat/input_acl_int.vat b/resources/templates/vat/input_acl_int.vat
new file mode 100644
index 0000000000..c9d7441796
--- /dev/null
+++ b/resources/templates/vat/input_acl_int.vat
@@ -0,0 +1 @@
+input_acl_set_interface sw_if_index {sw_if_index} {ip_version}-table {table_index} \ No newline at end of file
n { color: #f92672 } /* Keyword.Namespace */ .highlight .kp { color: #66d9ef } /* Keyword.Pseudo */ .highlight .kr { color: #66d9ef } /* Keyword.Reserved */ .highlight .kt { color: #66d9ef } /* Keyword.Type */ .highlight .ld { color: #e6db74 } /* Literal.Date */ .highlight .m { color: #ae81ff } /* Literal.Number */ .highlight .s { color: #e6db74 } /* Literal.String */ .highlight .na { color: #a6e22e } /* Name.Attribute */ .highlight .nb { color: #f8f8f2 } /* Name.Builtin */ .highlight .nc { color: #a6e22e } /* Name.Class */ .highlight .no { color: #66d9ef } /* Name.Constant */ .highlight .nd { color: #a6e22e } /* Name.Decorator */ .highlight .ni { color: #f8f8f2 } /* Name.Entity */ .highlight .ne { color: #a6e22e } /* Name.Exception */ .highlight .nf { color: #a6e22e } /* Name.Function */ .highlight .nl { color: #f8f8f2 } /* Name.Label */ .highlight .nn { color: #f8f8f2 } /* Name.Namespace */ .highlight .nx { color: #a6e22e } /* Name.Other */ .highlight .py { color: #f8f8f2 } /* Name.Property */ .highlight .nt { color: #f92672 } /* Name.Tag */ .highlight .nv { color: #f8f8f2 } /* Name.Variable */ .highlight .ow { color: #f92672 } /* Operator.Word */ .highlight .w { color: #f8f8f2 } /* Text.Whitespace */ .highlight .mb { color: #ae81ff } /* Literal.Number.Bin */ .highlight .mf { color: #ae81ff } /* Literal.Number.Float */ .highlight .mh { color: #ae81ff } /* Literal.Number.Hex */ .highlight .mi { color: #ae81ff } /* Literal.Number.Integer */ .highlight .mo { color: #ae81ff } /* Literal.Number.Oct */ .highlight .sa { color: #e6db74 } /* Literal.String.Affix */ .highlight .sb { color: #e6db74 } /* Literal.String.Backtick */ .highlight .sc { color: #e6db74 } /* Literal.String.Char */ .highlight .dl { color: #e6db74 } /* Literal.String.Delimiter */ .highlight .sd { color: #e6db74 } /* Literal.String.Doc */ .highlight .s2 { color: #e6db74 } /* Literal.String.Double */ .highlight .se { color: #ae81ff } /* Literal.String.Escape */ .highlight .sh { color: #e6db74 } /* Literal.String.Heredoc */ .highlight .si { color: #e6db74 } /* Literal.String.Interpol */ .highlight .sx { color: #e6db74 } /* Literal.String.Other */ .highlight .sr { color: #e6db74 } /* Literal.String.Regex */ .highlight .s1 { color: #e6db74 } /* Literal.String.Single */ .highlight .ss { color: #e6db74 } /* Literal.String.Symbol */ .highlight .bp { color: #f8f8f2 } /* Name.Builtin.Pseudo */ .highlight .fm { color: #a6e22e } /* Name.Function.Magic */ .highlight .vc { color: #f8f8f2 } /* Name.Variable.Class */ .highlight .vg { color: #f8f8f2 } /* Name.Variable.Global */ .highlight .vi { color: #f8f8f2 } /* Name.Variable.Instance */ .highlight .vm { color: #f8f8f2 } /* Name.Variable.Magic */ .highlight .il { color: #ae81ff } /* Literal.Number.Integer.Long */ } @media (prefers-color-scheme: light) { .highlight .hll { background-color: #ffffcc } .highlight .c { color: #888888 } /* Comment */ .highlight .err { color: #a61717; background-color: #e3d2d2 } /* Error */ .highlight .k { color: #008800; font-weight: bold } /* Keyword */ .highlight .ch { color: #888888 } /* Comment.Hashbang */ .highlight .cm { color: #888888 } /* Comment.Multiline */ .highlight .cp { color: #cc0000; font-weight: bold } /* Comment.Preproc */ .highlight .cpf { color: #888888 } /* Comment.PreprocFile */ .highlight .c1 { color: #888888 } /* Comment.Single */ .highlight .cs { color: #cc0000; font-weight: bold; background-color: #fff0f0 } /* Comment.Special */ .highlight .gd { color: #000000; background-color: #ffdddd } /* Generic.Deleted */ .highlight .ge { font-style: italic } /* Generic.Emph */ .highlight .gr { color: #aa0000 } /* Generic.Error */ .highlight .gh { color: #333333 } /* Generic.Heading */ .highlight .gi { color: #000000; background-color: #ddffdd } /* Generic.Inserted */ .highlight .go { color: #888888 } /* Generic.Output */ .highlight .gp { color: #555555 } /* Generic.Prompt */ .highlight .gs { font-weight: bold } /* Generic.Strong */ .highlight .gu { color: #666666 } /* Generic.Subheading */ .highlight .gt { color: #aa0000 } /* Generic.Traceback */ .highlight .kc { color: #008800; font-weight: bold } /* Keyword.Constant */ .highlight .kd { color: #008800; font-weight: bold } /* Keyword.Declaration */ .highlight .kn { color: #008800; font-weight: bold } /* Keyword.Namespace */ .highlight .kp { color: #008800 } /* Keyword.Pseudo */ .highlight .kr { color: #008800; font-weight: bold } /* Keyword.Reserved */ .highlight .kt { color: #888888; font-weight: bold } /* Keyword.Type */ .highlight .m { color: #0000DD; font-weight: bold } /* Literal.Number */ .highlight .s { color: #dd2200; background-color: #fff0f0 } /* Literal.String */ .highlight .na { color: #336699 } /* Name.Attribute */ .highlight .nb { color: #003388 } /* Name.Builtin */ .highlight .nc { color: #bb0066; font-weight: bold } /* Name.Class */ .highlight .no { color: #003366; font-weight: bold } /* Name.Constant */ .highlight .nd { color: #555555 } /* Name.Decorator */ .highlight .ne { color: #bb0066; font-weight: bold } /* Name.Exception */ .highlight .nf { color: #0066bb; font-weight: bold } /* Name.Function */ .highlight .nl { color: #336699; font-style: italic } /* Name.Label */ .highlight .nn { color: #bb0066; font-weight: bold } /* Name.Namespace */ .highlight .py { color: #336699; font-weight: bold } /* Name.Property */ .highlight .nt { color: #bb0066; font-weight: bold } /* Name.Tag */ .highlight .nv { color: #336699 } /* Name.Variable */ .highlight .ow { color: #008800 } /* Operator.Word */ .highlight .w { color: #bbbbbb } /* Text.Whitespace */ .highlight .mb { color: #0000DD; font-weight: bold } /* Literal.Number.Bin */ .highlight .mf { color: #0000DD; font-weight: bold } /* Literal.Number.Float */ .highlight .mh { color: #0000DD; font-weight: bold } /* Literal.Number.Hex */ .highlight .mi { color: #0000DD; font-weight: bold } /* Literal.Number.Integer */ .highlight .mo { color: #0000DD; font-weight: bold } /* Literal.Number.Oct */ .highlight .sa { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Affix */ .highlight .sb { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Backtick */ .highlight .sc { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Char */ .highlight .dl { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Delimiter */ .highlight .sd { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Doc */ .highlight .s2 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Double */ .highlight .se { color: #0044dd; background-color: #fff0f0 } /* Literal.String.Escape */ .highlight .sh { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Heredoc */ .highlight .si { color: #3333bb; background-color: #fff0f0 } /* Literal.String.Interpol */ .highlight .sx { color: #22bb22; background-color: #f0fff0 } /* Literal.String.Other */ .highlight .sr { color: #008800; background-color: #fff0ff } /* Literal.String.Regex */ .highlight .s1 { color: #dd2200; background-color: #fff0f0 } /* Literal.String.Single */ .highlight .ss { color: #aa6600; background-color: #fff0f0 } /* Literal.String.Symbol */ .highlight .bp { color: #003388 } /* Name.Builtin.Pseudo */ .highlight .fm { color: #0066bb; font-weight: bold } /* Name.Function.Magic */ .highlight .vc { color: #336699 } /* Name.Variable.Class */ .highlight .vg { color: #dd7700 } /* Name.Variable.Global */ .highlight .vi { color: #3333bb } /* Name.Variable.Instance */ .highlight .vm { color: #336699 } /* Name.Variable.Magic */ .highlight .il { color: #0000DD; font-weight: bold } /* Literal.Number.Integer.Long */ } 
/*
 *------------------------------------------------------------------
 * ipsec_api.c - ipsec api
 *
 * Copyright (c) 2016 Cisco and/or its affiliates.
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at:
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *------------------------------------------------------------------
 */

#include <vnet/vnet.h>
#include <vlibmemory/api.h>

#include <vnet/interface.h>
#include <vnet/api_errno.h>
#include <vnet/ip/ip.h>
#include <vnet/ip/ip_types_api.h>
#include <vnet/ipsec/ipsec_types_api.h>
#include <vnet/fib/fib.h>
#include <vnet/ipip/ipip.h>

#include <vnet/vnet_msg_enum.h>

#if WITH_LIBSSL > 0
#include <vnet/ipsec/ipsec.h>
#include <vnet/ipsec/ipsec_tun.h>
#endif /* IPSEC */

#define vl_typedefs		/* define message structures */
#include <vnet/vnet_all_api_h.h>
#undef vl_typedefs

#define vl_endianfun		/* define message structures */
#include <vnet/vnet_all_api_h.h>
#undef vl_endianfun

/* instantiate all the print functions we know about */
#define vl_print(handle, ...) vlib_cli_output (handle, __VA_ARGS__)
#define vl_printfun
#include <vnet/vnet_all_api_h.h>
#undef vl_printfun

#include <vlibapi/api_helper_macros.h>

#define foreach_vpe_api_msg                                     \
_(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del)                         \
_(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd)     \
_(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del)             \
_(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del)             \
_(IPSEC_SA_DUMP, ipsec_sa_dump)                                 \
_(IPSEC_SPDS_DUMP, ipsec_spds_dump)                             \
_(IPSEC_SPD_DUMP, ipsec_spd_dump)                               \
_(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump)		\
_(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del)             \
_(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa)               \
_(IPSEC_SELECT_BACKEND, ipsec_select_backend)                   \
_(IPSEC_BACKEND_DUMP, ipsec_backend_dump)                       \
_(IPSEC_TUNNEL_PROTECT_UPDATE, ipsec_tunnel_protect_update)     \
_(IPSEC_TUNNEL_PROTECT_DEL, ipsec_tunnel_protect_del)           \
_(IPSEC_TUNNEL_PROTECT_DUMP, ipsec_tunnel_protect_dump)

static void
vl_api_ipsec_spd_add_del_t_handler (vl_api_ipsec_spd_add_del_t * mp)
{
#if WITH_LIBSSL == 0
  clib_warning ("unimplemented");
#else

  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
  vl_api_ipsec_spd_add_del_reply_t *rmp;
  int rv;

  rv = ipsec_add_del_spd (vm, ntohl (mp->spd_id), mp->is_add);

  REPLY_MACRO (VL_API_IPSEC_SPD_ADD_DEL_REPLY);
#endif
}

static void vl_api_ipsec_interface_add_del_spd_t_handler
  (vl_api_ipsec_interface_add_del_spd_t * mp)
{
  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
  vl_api_ipsec_interface_add_del_spd_reply_t *rmp;
  int rv;
  u32 sw_if_index __attribute__ ((unused));
  u32 spd_id __attribute__ ((unused));

  sw_if_index = ntohl (mp->sw_if_index);
  spd_id = ntohl (mp->spd_id);

  VALIDATE_SW_IF_INDEX (mp);

#if WITH_LIBSSL > 0
  rv = ipsec_set_interface_spd (vm, sw_if_index, spd_id, mp->is_add);
#else
  rv = VNET_API_ERROR_UNIMPLEMENTED;
#endif

  BAD_SW_IF_INDEX_LABEL;

  REPLY_MACRO (VL_API_IPSEC_INTERFACE_ADD_DEL_SPD_REPLY);
}

static void vl_api_ipsec_tunnel_protect_update_t_handler
  (vl_api_ipsec_tunnel_protect_update_t * mp)
{
  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
  vl_api_ipsec_tunnel_protect_update_reply_t *rmp;
  u32 sw_if_index, ii, *sa_ins = NULL;
  int rv;

  sw_if_index = ntohl (mp->tunnel.sw_if_index);

  VALIDATE_SW_IF_INDEX (&(mp->tunnel));

#if WITH_LIBSSL > 0

  for (ii = 0; ii < mp->tunnel.n_sa_in; ii++)
    vec_add1 (sa_ins, ntohl (mp->tunnel.sa_in[ii]));

  rv = ipsec_tun_protect_update (sw_if_index,
				 ntohl (mp->tunnel.sa_out), sa_ins);
#else
  rv = VNET_API_ERROR_UNIMPLEMENTED;
#endif

  BAD_SW_IF_INDEX_LABEL;

  REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_UPDATE_REPLY);
}

static void vl_api_ipsec_tunnel_protect_del_t_handler
  (vl_api_ipsec_tunnel_protect_del_t * mp)
{
  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
  vl_api_ipsec_tunnel_protect_del_reply_t *rmp;
  int rv;
  u32 sw_if_index;

  sw_if_index = ntohl (mp->sw_if_index);

  VALIDATE_SW_IF_INDEX (mp);

#if WITH_LIBSSL > 0
  rv = ipsec_tun_protect_del (sw_if_index);
#else
  rv = VNET_API_ERROR_UNIMPLEMENTED;
#endif

  BAD_SW_IF_INDEX_LABEL;

  REPLY_MACRO (VL_API_IPSEC_TUNNEL_PROTECT_DEL_REPLY);
}

typedef struct ipsec_dump_walk_ctx_t_
{
  vl_api_registration_t *reg;
  u32 context;
} ipsec_dump_walk_ctx_t;

static walk_rc_t
send_ipsec_tunnel_protect_details (index_t itpi, void *arg)
{
  ipsec_dump_walk_ctx_t *ctx = arg;
  vl_api_ipsec_tunnel_protect_details_t *mp;
  ipsec_tun_protect_t *itp;
  u32 sai, ii = 0;

  itp = ipsec_tun_protect_get (itpi);


  mp = vl_msg_api_alloc (sizeof (*mp) + (sizeof (u32) * itp->itp_n_sa_in));
  clib_memset (mp, 0, sizeof (*mp));
  mp->_vl_msg_id = ntohs (VL_API_IPSEC_TUNNEL_PROTECT_DETAILS);
  mp->context = ctx->context;

  mp->tun.sw_if_index = htonl (itp->itp_sw_if_index);

  mp->tun.sa_out = htonl (itp->itp_out_sa);
  mp->tun.n_sa_in = itp->itp_n_sa_in;
  /* *INDENT-OFF* */
  FOR_EACH_IPSEC_PROTECT_INPUT_SAI(itp, sai,
  ({
    mp->tun.sa_in[ii++] = htonl (sai);
  }));
  /* *INDENT-ON* */

  vl_api_send_msg (ctx->reg, (u8 *) mp);

  return (WALK_CONTINUE);
}

static void
vl_api_ipsec_tunnel_protect_dump_t_handler (vl_api_ipsec_tunnel_protect_dump_t
					    * mp)
{
  vl_api_registration_t *reg;
  u32 sw_if_index;

#if WITH_LIBSSL > 0
  reg = vl_api_client_index_to_registration (mp->client_index);
  if (!reg)
    return;

  ipsec_dump_walk_ctx_t ctx = {
    .reg = reg,
    .context = mp->context,
  };

  sw_if_index = ntohl (mp->sw_if_index);

  if (~0 == sw_if_index)
    {
      ipsec_tun_protect_walk (send_ipsec_tunnel_protect_details, &ctx);
    }
  else
    {
      index_t itpi;

      itpi = ipsec_tun_protect_find (sw_if_index);

      if (INDEX_INVALID != itpi)
	send_ipsec_tunnel_protect_details (itpi, &ctx);
    }
#else
  clib_warning ("unimplemented");
#endif
}

static int
ipsec_spd_action_decode (vl_api_ipsec_spd_action_t in,
			 ipsec_policy_action_t * out)
{
  in = clib_net_to_host_u32 (in);

  switch (in)
    {
#define _(v,f,s) case IPSEC_API_SPD_ACTION_##f: \
      *out = IPSEC_POLICY_ACTION_##f;              \
      return (0);
      foreach_ipsec_policy_action
#undef _
    }
  return (VNET_API_ERROR_UNIMPLEMENTED);
}

static void vl_api_ipsec_spd_entry_add_del_t_handler
  (vl_api_ipsec_spd_entry_add_del_t * mp)
{
  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
  vl_api_ipsec_spd_entry_add_del_reply_t *rmp;
  ip46_type_t itype;
  u32 stat_index;
  int rv;

  stat_index = ~0;

#if WITH_LIBSSL > 0
  ipsec_policy_t p;

  clib_memset (&p, 0, sizeof (p));

  p.id = ntohl (mp->entry.spd_id);
  p.priority = ntohl (mp->entry.priority);

  itype = ip_address_decode (&mp->entry.remote_address_start, &p.raddr.start);
  ip_address_decode (&mp->entry.remote_address_stop, &p.raddr.stop);
  ip_address_decode (&mp->entry.local_address_start, &p.laddr.start);
  ip_address_decode (&mp->entry.local_address_stop, &p.laddr.stop);

  p.is_ipv6 = (itype == IP46_TYPE_IP6);

  p.protocol = mp->entry.protocol;
  p.rport.start = ntohs (mp->entry.remote_port_start);
  p.rport.stop = ntohs (mp->entry.remote_port_stop);
  p.lport.start = ntohs (mp->entry.local_port_start);
  p.lport.stop = ntohs (mp->entry.local_port_stop);

  rv = ipsec_spd_action_decode (mp->entry.policy, &p.policy);

  if (rv)
    goto out;

  /* policy action resolve unsupported */
  if (p.policy == IPSEC_POLICY_ACTION_RESOLVE)
    {
      clib_warning ("unsupported action: 'resolve'");
      rv = VNET_API_ERROR_UNIMPLEMENTED;
      goto out;
    }
  p.sa_id = ntohl (mp->entry.sa_id);
  rv =
    ipsec_policy_mk_type (mp->entry.is_outbound, p.is_ipv6, p.policy,
			  &p.type);
  if (rv)
    goto out;

  rv = ipsec_add_del_policy (vm, &p, mp->is_add, &stat_index);
  if (rv)
    goto out;

#else
  rv = VNET_API_ERROR_UNIMPLEMENTED;
  goto out;
#endif

out:
  /* *INDENT-OFF* */
  REPLY_MACRO2 (VL_API_IPSEC_SPD_ENTRY_ADD_DEL_REPLY,
  ({
    rmp->stat_index = ntohl(stat_index);
  }));
  /* *INDENT-ON* */
}

static void vl_api_ipsec_sad_entry_add_del_t_handler
  (vl_api_ipsec_sad_entry_add_del_t * mp)
{
  vlib_main_t *vm __attribute__ ((unused)) = vlib_get_main ();
  vl_api_ipsec_sad_entry_add_del_reply_t *rmp;
  ip46_address_t tun_src = { }, tun_dst =
  {
  };
  ipsec_key_t crypto_key, integ_key;
  ipsec_crypto_alg_t crypto_alg;
  ipsec_integ_alg_t integ_alg;
  ipsec_protocol_t proto;
  ipsec_sa_flags_t flags;
  u32 id, spi, sa_index = ~0;
  int rv;

#if WITH_LIBSSL > 0

  id = ntohl (mp->entry.sad_id);
  spi = ntohl (mp->entry.spi);

  rv = ipsec_proto_decode (mp->entry.protocol, &proto);

  if (rv)
    goto out;

  rv = ipsec_crypto_algo_decode (mp->entry.crypto_algorithm, &crypto_alg);

  if (rv)
    goto out;

  rv = ipsec_integ_algo_decode (mp->entry.integrity_algorithm, &integ_alg);

  if (rv)
    goto out;

  ipsec_key_decode (&mp->entry.crypto_key, &crypto_key);
  ipsec_key_decode (&mp->entry.integrity_key, &integ_key);

  flags = ipsec_sa_flags_decode (mp->entry.flags);

  ip_address_decode (&mp->entry.tunnel_src, &tun_src);
  ip_address_decode (&mp->entry.tunnel_dst, &tun_dst);

  if (mp->is_add)
    rv = ipsec_sa_add_and_lock (id, spi, proto,
				crypto_alg, &crypto_key,
				integ_alg, &integ_key, flags,
				0, mp->entry.salt, &tun_src, &tun_dst,
				&sa_index);
  else
    rv = ipsec_sa_unlock_id (id);

#else
  rv = VNET_API_ERROR_UNIMPLEMENTED;
#endif

out:
  /* *INDENT-OFF* */
  REPLY_MACRO2 (VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY,
  {
    rmp->stat_index = htonl (sa_index);
  });
  /* *INDENT-ON* */
}

static void
send_ipsec_spds_details (ipsec_spd_t * spd, vl_api_registration_t * reg,
			 u32 context)
{
  vl_api_ipsec_spds_details_t *mp;
  u32 n_policies = 0;

  mp = vl_msg_api_alloc (sizeof (*mp));
  clib_memset (mp, 0, sizeof (*mp));
  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPDS_DETAILS);
  mp->context = context;

  mp->spd_id = htonl (spd->id);
#define _(s, n) n_policies += vec_len (spd->policies[IPSEC_SPD_POLICY_##s]);
  foreach_ipsec_spd_policy_type
#undef _
    mp->npolicies = htonl (n_policies);

  vl_api_send_msg (reg, (u8 *) mp);
}

static void
vl_api_ipsec_spds_dump_t_handler (vl_api_ipsec_spds_dump_t * mp)
{
  vl_api_registration_t *reg;
  ipsec_main_t *im = &ipsec_main;
  ipsec_spd_t *spd;
#if WITH_LIBSSL > 0
  reg = vl_api_client_index_to_registration (mp->client_index);
  if (!reg)
    return;

  /* *INDENT-OFF* */
  pool_foreach (spd, im->spds, ({
    send_ipsec_spds_details (spd, reg, mp->context);
  }));
  /* *INDENT-ON* */
#else
  clib_warning ("unimplemented");
#endif
}

vl_api_ipsec_spd_action_t
ipsec_spd_action_encode (ipsec_policy_action_t in)
{
  vl_api_ipsec_spd_action_t out = IPSEC_API_SPD_ACTION_BYPASS;

  switch (in)
    {
#define _(v,f,s) case IPSEC_POLICY_ACTION_##f: \
      out = IPSEC_API_SPD_ACTION_##f;          \
      break;
      foreach_ipsec_policy_action
#undef _
    }
  return (clib_host_to_net_u32 (out));
}

static void
send_ipsec_spd_details (ipsec_policy_t * p, vl_api_registration_t * reg,
			u32 context)
{
  vl_api_ipsec_spd_details_t *mp;

  mp = vl_msg_api_alloc (sizeof (*mp));
  clib_memset (mp, 0, sizeof (*mp));
  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_DETAILS);
  mp->context = context;

  mp->entry.spd_id = htonl (p->id);
  mp->entry.priority = htonl (p->priority);
  mp->entry.is_outbound = ((p->type == IPSEC_SPD_POLICY_IP6_OUTBOUND) ||
			   (p->type == IPSEC_SPD_POLICY_IP4_OUTBOUND));

  ip_address_encode (&p->laddr.start, IP46_TYPE_ANY,
		     &mp->entry.local_address_start);
  ip_address_encode (&p->laddr.stop, IP46_TYPE_ANY,
		     &mp->entry.local_address_stop);
  ip_address_encode (&p->raddr.start, IP46_TYPE_ANY,
		     &mp->entry.remote_address_start);
  ip_address_encode (&p->raddr.stop, IP46_TYPE_ANY,
		     &mp->entry.remote_address_stop);
  mp->entry.local_port_start = htons (p->lport.start);
  mp->entry.local_port_stop = htons (p->lport.stop);
  mp->entry.remote_port_start = htons (p->rport.start);
  mp->entry.remote_port_stop = htons (p->rport.stop);
  mp->entry.protocol = p->protocol;
  mp->entry.policy = ipsec_spd_action_encode (p->policy);
  mp->entry.sa_id = htonl (p->sa_id);

  vl_api_send_msg (reg, (u8 *) mp);
}

static void
vl_api_ipsec_spd_dump_t_handler (vl_api_ipsec_spd_dump_t * mp)
{
  vl_api_registration_t *reg;
  ipsec_main_t *im = &ipsec_main;
  ipsec_spd_policy_type_t ptype;
  ipsec_policy_t *policy;
  ipsec_spd_t *spd;
  uword *p;
  u32 spd_index, *ii;
#if WITH_LIBSSL > 0
  reg = vl_api_client_index_to_registration (mp->client_index);
  if (!reg)
    return;

  p = hash_get (im->spd_index_by_spd_id, ntohl (mp->spd_id));
  if (!p)
    return;

  spd_index = p[0];
  spd = pool_elt_at_index (im->spds, spd_index);

  /* *INDENT-OFF* */
  FOR_EACH_IPSEC_SPD_POLICY_TYPE(ptype) {
    vec_foreach(ii, spd->policies[ptype])
      {
        policy = pool_elt_at_index(im->policies, *ii);

        if (mp->sa_id == ~(0) || ntohl (mp->sa_id) == policy->sa_id)
          send_ipsec_spd_details (policy, reg, mp->context);
      }
  }
  /* *INDENT-ON* */
#else
  clib_warning ("unimplemented");
#endif
}

static void
send_ipsec_spd_interface_details (vl_api_registration_t * reg, u32 spd_index,
				  u32 sw_if_index, u32 context)
{
  vl_api_ipsec_spd_interface_details_t *mp;

  mp = vl_msg_api_alloc (sizeof (*mp));
  clib_memset (mp, 0, sizeof (*mp));
  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SPD_INTERFACE_DETAILS);
  mp->context = context;

  mp->spd_index = htonl (spd_index);
  mp->sw_if_index = htonl (sw_if_index);

  vl_api_send_msg (reg, (u8 *) mp);
}

static void
vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t *
					   mp)
{
  ipsec_main_t *im = &ipsec_main;
  vl_api_registration_t *reg;
  u32 k, v, spd_index;

#if WITH_LIBSSL > 0
  reg = vl_api_client_index_to_registration (mp->client_index);
  if (!reg)
    return;

  if (mp->spd_index_valid)
    {
      spd_index = ntohl (mp->spd_index);
      /* *INDENT-OFF* */
      hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
        if (v == spd_index)
          send_ipsec_spd_interface_details(reg, v, k, mp->context);
      }));
      /* *INDENT-ON* */
    }
  else
    {
      /* *INDENT-OFF* */
      hash_foreach(k, v, im->spd_index_by_sw_if_index, ({
        send_ipsec_spd_interface_details(reg, v, k, mp->context);
      }));
      /* *INDENT-ON* */
    }

#else
  clib_warning ("unimplemented");
#endif
}

static u32
ipsec_tun_mk_input_sa_id (u32 ti)
{
  return (0x80000000 | ti);
}

static u32
ipsec_tun_mk_output_sa_id (u32 ti)
{
  return (0xc0000000 | ti);
}

static void
vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
					  mp)
{
  vl_api_ipsec_tunnel_if_add_del_reply_t *rmp;
  u32 sw_if_index = ~0;
  int rv;

#if WITH_LIBSSL > 0
  ip46_address_t local_ip = ip46_address_initializer;
  ip46_address_t remote_ip = ip46_address_initializer;
  ipsec_key_t crypto_key, integ_key;
  ipsec_sa_flags_t flags;
  ip46_type_t local_ip_type, remote_ip_type;
  ipip_transport_t transport;
  u32 fib_index;

  local_ip_type = ip_address_decode (&mp->local_ip, &local_ip);
  remote_ip_type = ip_address_decode (&mp->remote_ip, &remote_ip);
  transport = (IP46_TYPE_IP6 == local_ip_type ?
	       IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4);

  if (local_ip_type != remote_ip_type)
    {
      rv = VNET_API_ERROR_INVALID_VALUE;
      goto done;
    }

  flags = IPSEC_SA_FLAG_NONE;

  if (mp->udp_encap)
    flags |= IPSEC_SA_FLAG_UDP_ENCAP;
  if (mp->esn)
    flags |= IPSEC_SA_FLAG_USE_ESN;
  if (mp->anti_replay)
    flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;

  ipsec_mk_key (&crypto_key, mp->remote_crypto_key,
		mp->remote_crypto_key_len);
  ipsec_mk_key (&integ_key, mp->remote_integ_key, mp->remote_integ_key_len);
  ipsec_mk_key (&crypto_key, mp->local_crypto_key, mp->local_crypto_key_len);
  ipsec_mk_key (&integ_key, mp->local_integ_key, mp->local_integ_key_len);

  fib_index =
    fib_table_find (fib_proto_from_ip46 (local_ip_type),
		    ntohl (mp->tx_table_id));

  if (~0 == fib_index)
    {
      rv = VNET_API_ERROR_NO_SUCH_FIB;
      goto done;
    }

  if (mp->is_add)
    {
      // remote = input, local = output
      /* create an ip-ip tunnel, then the two SA, then bind them */
      rv = ipip_add_tunnel (transport,
			    (mp->renumber ? ntohl (mp->show_instance) : ~0),
			    &local_ip,
			    &remote_ip, fib_index,
			    TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
			    &sw_if_index);

      if (rv)
	goto done;

      rv = ipsec_sa_add_and_lock (ipsec_tun_mk_input_sa_id (sw_if_index),
				  ntohl (mp->remote_spi),
				  IPSEC_PROTOCOL_ESP,
				  mp->crypto_alg,
				  &crypto_key,
				  mp->integ_alg,
				  &integ_key,
				  (flags | IPSEC_SA_FLAG_IS_INBOUND),
				  ntohl (mp->tx_table_id),
				  mp->salt, &remote_ip, &local_ip, NULL);

      if (rv)
	goto done;

      rv = ipsec_sa_add_and_lock (ipsec_tun_mk_output_sa_id (sw_if_index),
				  ntohl (mp->local_spi),
				  IPSEC_PROTOCOL_ESP,
				  mp->crypto_alg,
				  &crypto_key,
				  mp->integ_alg,
				  &integ_key,
				  flags,
				  ntohl (mp->tx_table_id),
				  mp->salt, &local_ip, &remote_ip, NULL);

      if (rv)
	goto done;

      rv = ipsec_tun_protect_update_one (sw_if_index,
					 ipsec_tun_mk_output_sa_id
					 (sw_if_index),
					 ipsec_tun_mk_input_sa_id
					 (sw_if_index));
      if (rv)
	goto done;

      /* the SAs are locked as a result of being used for proection,
       * they cannot be removed from the API, since they cannot be refered
       * to by the API. unlock them now, so that if the tunnel is rekeyed
       * they-ll disapper
       */
      ipsec_sa_unlock_id (ipsec_tun_mk_input_sa_id (sw_if_index));
      ipsec_sa_unlock_id (ipsec_tun_mk_output_sa_id (sw_if_index));
    }
  else
    {
      /* *INDENT-OFF* */
      ipip_tunnel_key_t key = {
	.transport = transport,
	.fib_index = fib_index,
	.src = local_ip,
	.dst = remote_ip
      };
      /* *INDENT-ON* */

      ipip_tunnel_t *t = ipip_tunnel_db_find (&key);

      if (NULL != t)
	{
	  rv = ipsec_tun_protect_del (t->sw_if_index);
	  ipip_del_tunnel (t->sw_if_index);
	}
      else
	rv = VNET_API_ERROR_NO_SUCH_ENTRY;
    }

#else
  rv = VNET_API_ERROR_UNIMPLEMENTED;
#endif
done:
  /* *INDENT-OFF* */
  REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY,
  ({
    rmp->sw_if_index = htonl (sw_if_index);
  }));
  /* *INDENT-ON* */
}

typedef struct ipsec_sa_dump_match_ctx_t_
{
  index_t sai;
  u32 sw_if_index;
} ipsec_sa_dump_match_ctx_t;

static walk_rc_t
ipsec_sa_dump_match_sa (index_t itpi, void *arg)
{
  ipsec_sa_dump_match_ctx_t *ctx = arg;
  ipsec_tun_protect_t *itp;
  index_t sai;

  itp = ipsec_tun_protect_get (itpi);

  if (itp->itp_out_sa == ctx->sai)
    {
      ctx->sw_if_index = itp->itp_sw_if_index;
      return (WALK_STOP);
    }
  /* *INDENT-OFF* */
  FOR_EACH_IPSEC_PROTECT_INPUT_SAI (itp, sai,
  ({
    if (sai == ctx->sai)
      {
        ctx->sw_if_index = itp->itp_sw_if_index;
        return (WALK_STOP);
      }
  }));
  /* *INDENT-OFF* */

  return (WALK_CONTINUE);
}

static walk_rc_t
send_ipsec_sa_details (ipsec_sa_t * sa, void *arg)
{
  ipsec_dump_walk_ctx_t *ctx = arg;
  vl_api_ipsec_sa_details_t *mp;
  ipsec_main_t *im = &ipsec_main;

  mp = vl_msg_api_alloc (sizeof (*mp));
  clib_memset (mp, 0, sizeof (*mp));
  mp->_vl_msg_id = ntohs (VL_API_IPSEC_SA_DETAILS);
  mp->context = ctx->context;

  mp->entry.sad_id = htonl (sa->id);
  mp->entry.spi = htonl (sa->spi);
  mp->entry.protocol = ipsec_proto_encode (sa->protocol);
  mp->entry.tx_table_id =
    htonl (fib_table_get_table_id (sa->tx_fib_index, FIB_PROTOCOL_IP4));

  mp->entry.crypto_algorithm = ipsec_crypto_algo_encode (sa->crypto_alg);
  ipsec_key_encode (&sa->crypto_key, &mp->entry.crypto_key);

  mp->entry.integrity_algorithm = ipsec_integ_algo_encode (sa->integ_alg);
  ipsec_key_encode (&sa->integ_key, &mp->entry.integrity_key);

  mp->entry.flags = ipsec_sad_flags_encode (sa);
  mp->entry.salt = clib_host_to_net_u32 (sa->salt);

  if (ipsec_sa_is_set_IS_PROTECT (sa))
    {
      ipsec_sa_dump_match_ctx_t ctx = {
        .sai = sa - im->sad,
        .sw_if_index = ~0,
      };
      ipsec_tun_protect_walk (ipsec_sa_dump_match_sa, &ctx);

      mp->sw_if_index = htonl (ctx.sw_if_index);
    }
  else
    mp->sw_if_index = ~0;

  if (ipsec_sa_is_set_IS_TUNNEL (sa))
    {
      ip_address_encode (&sa->tunnel_src_addr, IP46_TYPE_ANY,
			 &mp->entry.tunnel_src);
      ip_address_encode (&sa->tunnel_dst_addr, IP46_TYPE_ANY,
			 &mp->entry.tunnel_dst);
    }

  mp->seq_outbound = clib_host_to_net_u64 (((u64) sa->seq));
  mp->last_seq_inbound = clib_host_to_net_u64 (((u64) sa->last_seq));
  if (ipsec_sa_is_set_USE_ESN (sa))
    {
      mp->seq_outbound |= (u64) (clib_host_to_net_u32 (sa->seq_hi));
      mp->last_seq_inbound |= (u64) (clib_host_to_net_u32 (sa->last_seq_hi));
    }
  if (ipsec_sa_is_set_USE_ANTI_REPLAY (sa))
    mp->replay_window = clib_host_to_net_u64 (sa->replay_window);

  vl_api_send_msg (ctx->reg, (u8 *) mp);

  return (WALK_CONTINUE);
}

static void
vl_api_ipsec_sa_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
{
  vl_api_registration_t *reg;

#if WITH_LIBSSL > 0
  reg = vl_api_client_index_to_registration (mp->client_index);
  if (!reg)
    return;

  ipsec_dump_walk_ctx_t ctx = {
    .reg = reg,
    .context = mp->context,
  };

  ipsec_sa_walk (send_ipsec_sa_details, &ctx);

#else
  clib_warning ("unimplemented");
#endif
}

static void
vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
{
  vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
  int rv;

#if WITH_LIBSSL > 0
  VALIDATE_SW_IF_INDEX(mp);

  if (mp->is_outbound)
    rv = ipsec_tun_protect_update_out (ntohl (mp->sw_if_index),
                                       ntohl (mp->sa_id));
  else
    rv = ipsec_tun_protect_update_in (ntohl (mp->sw_if_index),
                                       ntohl (mp->sa_id));

#else
  clib_warning ("unimplemented");
#endif

  BAD_SW_IF_INDEX_LABEL;

  REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
}

static void
vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp)
{
  vl_api_registration_t *rp;
  ipsec_main_t *im = &ipsec_main;
  u32 context = mp->context;

  rp = vl_api_client_index_to_registration (mp->client_index);

  if (rp == 0)
    {
      clib_warning ("Client %d AWOL", mp->client_index);
      return;
    }

  ipsec_ah_backend_t *ab;
  ipsec_esp_backend_t *eb;
  /* *INDENT-OFF* */
  pool_foreach (ab, im->ah_backends, {
    vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
    clib_memset (mp, 0, sizeof (*mp));
    mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
    mp->context = context;
    snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (ab->name),
              ab->name);
    mp->protocol = ntohl (IPSEC_API_PROTO_AH);
    mp->index = ab - im->ah_backends;
    mp->active = mp->index == im->ah_current_backend ? 1 : 0;
    vl_api_send_msg (rp, (u8 *)mp);
  });
  pool_foreach (eb, im->esp_backends, {
    vl_api_ipsec_backend_details_t *mp = vl_msg_api_alloc (sizeof (*mp));
    clib_memset (mp, 0, sizeof (*mp));
    mp->_vl_msg_id = ntohs (VL_API_IPSEC_BACKEND_DETAILS);
    mp->context = context;
    snprintf ((char *)mp->name, sizeof (mp->name), "%.*s", vec_len (eb->name),
              eb->name);
    mp->protocol = ntohl (IPSEC_API_PROTO_ESP);
    mp->index = eb - im->esp_backends;
    mp->active = mp->index == im->esp_current_backend ? 1 : 0;
    vl_api_send_msg (rp, (u8 *)mp);
  });
  /* *INDENT-ON* */
}

static void
vl_api_ipsec_select_backend_t_handler (vl_api_ipsec_select_backend_t * mp)
{
  ipsec_main_t *im = &ipsec_main;
  vl_api_ipsec_select_backend_reply_t *rmp;
  ipsec_protocol_t protocol;
  int rv = 0;
  if (pool_elts (im->sad) > 0)
    {
      rv = VNET_API_ERROR_INSTANCE_IN_USE;
      goto done;
    }

  rv = ipsec_proto_decode (mp->protocol, &protocol);

  if (rv)
    goto done;

#if WITH_LIBSSL > 0
  switch (protocol)
    {
    case IPSEC_PROTOCOL_ESP:
      rv = ipsec_select_esp_backend (im, mp->index);
      break;
    case IPSEC_PROTOCOL_AH:
      rv = ipsec_select_ah_backend (im, mp->index);
      break;
    default:
      rv = VNET_API_ERROR_INVALID_PROTOCOL;
      break;
    }
#else
  clib_warning ("unimplemented");	/* FIXME */
#endif
done:
  REPLY_MACRO (VL_API_IPSEC_SELECT_BACKEND_REPLY);
}

/*
 * ipsec_api_hookup
 * Add vpe's API message handlers to the table.
 * vlib has already mapped shared memory and
 * added the client registration handlers.
 * See .../vlib-api/vlibmemory/memclnt_vlib.c:memclnt_process()
 */
#define vl_msg_name_crc_list
#include <vnet/vnet_all_api_h.h>
#undef vl_msg_name_crc_list

static void
setup_message_id_table (api_main_t * am)
{
#define _(id,n,crc) vl_msg_api_add_msg_name_crc (am, #n "_" #crc, id);
  foreach_vl_msg_name_crc_ipsec;
#undef _
}

static clib_error_t *
ipsec_api_hookup (vlib_main_t * vm)
{
  api_main_t *am = vlibapi_get_main ();

#define _(N,n)                                                  \
    vl_msg_api_set_handlers(VL_API_##N, #n,                     \
                           vl_api_##n##_t_handler,              \
                           vl_noop_handler,                     \
                           vl_api_##n##_t_endian,               \
                           vl_api_##n##_t_print,                \
                           sizeof(vl_api_##n##_t), 1);
  foreach_vpe_api_msg;
#undef _

  /*
   * Adding and deleting SAs is MP safe since when they are added/delete
   * no traffic is using them
   */
  am->is_mp_safe[VL_API_IPSEC_SAD_ENTRY_ADD_DEL] = 1;
  am->is_mp_safe[VL_API_IPSEC_SAD_ENTRY_ADD_DEL_REPLY] = 1;

  /*
   * Set up the (msg_name, crc, message-id) table
   */
  setup_message_id_table (am);

  return 0;
}

VLIB_API_INIT_FUNCTION (ipsec_api_hookup);

/*
 * fd.io coding-style-patch-verification: ON
 *
 * Local Variables:
 * eval: (c-set-style "gnu")
 * End:
 */