authorMatus Fabian <matfabia@cisco.com>2016-08-10 01:55:36 -0700
committerKeith Burns <alagalah@gmail.com>2016-08-17 23:21:46 +0000
commit694265d4f10dc86bd27bfd29a2b7c49440aeb6b5 (patch)
tree48dac360be791a6de945b4eaf1eca495ef08ef0a /vpp
parent0c25d1f2a872e693d22b81f1d9cd48cc46b10cc1 (diff)
VPP-202: L2-GRE over IPSec
GRE encapsulates layer 2 traffic and IPSec encrypts what is encapsulated by GRE. The whole point of L2-GRE over IPSec is to tunnel layer 2 over GRE and IPSec by bridging the physical interface with the IPSec-GRE tunnel interface. Change-Id: Ia4cf9ed407bf663770e0d8905c0ad44ce73bd23b Signed-off-by: Matus Fabian <matfabia@cisco.com>
Diffstat (limited to 'vpp')
-rw-r--r--vpp/vpp-api/api.c96
-rw-r--r--vpp/vpp-api/custom_dump.c41
-rw-r--r--vpp/vpp-api/vpe.api58
3 files changed, 193 insertions, 2 deletions
diff --git a/vpp/vpp-api/api.c b/vpp/vpp-api/api.c
index 8b34fd90..e142be63 100644
--- a/vpp/vpp-api/api.c
+++ b/vpp/vpp-api/api.c
@@ -82,6 +82,7 @@
#include <vnet/policer/policer.h>
#include <vnet/devices/netmap/netmap.h>
#include <vnet/flow/flow_report.h>
+#include <vnet/ipsec-gre/ipsec_gre.h>
#undef BIHASH_TYPE
#undef __included_bihash_template_h__
@@ -382,7 +383,9 @@ _(PG_ENABLE_DISABLE, pg_enable_disable) \
_(IP_SOURCE_AND_PORT_RANGE_CHECK_ADD_DEL, \
ip_source_and_port_range_check_add_del) \
_(IP_SOURCE_AND_PORT_RANGE_CHECK_INTERFACE_ADD_DEL, \
- ip_source_and_port_range_check_interface_add_del)
+ ip_source_and_port_range_check_interface_add_del) \
+_(IPSEC_GRE_ADD_DEL_TUNNEL, ipsec_gre_add_del_tunnel) \
+_(IPSEC_GRE_TUNNEL_DUMP, ipsec_gre_tunnel_dump)
#define QUOTE_(x) #x
#define QUOTE(x) QUOTE_(x)
@@ -7987,6 +7990,97 @@ reply:
REPLY_MACRO (VL_API_IP_SOURCE_AND_PORT_RANGE_CHECK_INTERFACE_ADD_DEL_REPLY);
}
+static void
+vl_api_ipsec_gre_add_del_tunnel_t_handler (vl_api_ipsec_gre_add_del_tunnel_t *
+ mp)
+{
+ vl_api_ipsec_gre_add_del_tunnel_reply_t *rmp;
+ int rv = 0;
+ vnet_ipsec_gre_add_del_tunnel_args_t _a, *a = &_a;
+ u32 sw_if_index = ~0;
+
+ /* Check src & dst are different */
+ if (memcmp (mp->src_address, mp->dst_address, 4) == 0)
+ {
+ rv = VNET_API_ERROR_SAME_SRC_DST;
+ goto out;
+ }
+
+ memset (a, 0, sizeof (*a));
+
+ /* ip addresses sent in network byte order */
+ clib_memcpy (&(a->src), mp->src_address, 4);
+ clib_memcpy (&(a->dst), mp->dst_address, 4);
+ a->is_add = mp->is_add;
+ a->lsa = ntohl (mp->local_sa_id);
+ a->rsa = ntohl (mp->remote_sa_id);
+
+ rv = vnet_ipsec_gre_add_del_tunnel (a, &sw_if_index);
+
+out:
+ /* *INDENT-OFF* */
+ REPLY_MACRO2(VL_API_GRE_ADD_DEL_TUNNEL_REPLY,
+ ({
+ rmp->sw_if_index = ntohl (sw_if_index);
+ }));
+ /* *INDENT-ON* */
+}
+
+static void send_ipsec_gre_tunnel_details
+ (ipsec_gre_tunnel_t * t, unix_shared_memory_queue_t * q, u32 context)
+{
+ vl_api_ipsec_gre_tunnel_details_t *rmp;
+
+ rmp = vl_msg_api_alloc (sizeof (*rmp));
+ memset (rmp, 0, sizeof (*rmp));
+ rmp->_vl_msg_id = ntohs (VL_API_IPSEC_GRE_TUNNEL_DETAILS);
+ clib_memcpy (rmp->src_address, &(t->tunnel_src), 4);
+ clib_memcpy (rmp->dst_address, &(t->tunnel_dst), 4);
+ rmp->sw_if_index = htonl (t->sw_if_index);
+ rmp->local_sa_id = htonl (t->local_sa_id);
+ rmp->remote_sa_id = htonl (t->remote_sa_id);
+ rmp->context = context;
+
+ vl_msg_api_send_shmem (q, (u8 *) & rmp);
+}
+
+static void vl_api_ipsec_gre_tunnel_dump_t_handler
+ (vl_api_ipsec_gre_tunnel_dump_t * mp)
+{
+ unix_shared_memory_queue_t *q;
+ ipsec_gre_main_t *igm = &ipsec_gre_main;
+ ipsec_gre_tunnel_t *t;
+ u32 sw_if_index;
+
+ q = vl_api_client_index_to_input_queue (mp->client_index);
+ if (q == 0)
+ {
+ return;
+ }
+
+ sw_if_index = ntohl (mp->sw_if_index);
+
+ if (~0 == sw_if_index)
+ {
+ /* *INDENT-OFF* */
+ pool_foreach (t, igm->tunnels,
+ ({
+ send_ipsec_gre_tunnel_details(t, q, mp->context);
+ }));
+ /* *INDENT-ON* */
+ }
+ else
+ {
+ if ((sw_if_index >= vec_len (igm->tunnel_index_by_sw_if_index)) ||
+ (~0 == igm->tunnel_index_by_sw_if_index[sw_if_index]))
+ {
+ return;
+ }
+ t = &igm->tunnels[igm->tunnel_index_by_sw_if_index[sw_if_index]];
+ send_ipsec_gre_tunnel_details (t, q, mp->context);
+ }
+}
+
#define BOUNCE_HANDLER(nn) \
static void vl_api_##nn##_t_handler ( \
vl_api_##nn##_t *mp) \
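Review bot: The reply in vl_api_ipsec_gre_add_del_tunnel_t_handler is sent with the plain GRE message id, `REPLY_MACRO2(VL_API_GRE_ADD_DEL_TUNNEL_REPLY,`, while rmp is a vl_api_ipsec_gre_add_del_tunnel_reply_t and the request is ipsec_gre_add_del_tunnel; a client waiting for the ipsec_gre reply will instead have the message dispatched to its gre_add_del_tunnel reply handler, so the call never completes on the client side. The id generated from the new vpe.api definition follows the pattern visible on the previous hunk's REPLY_MACRO, so the line should read `REPLY_MACRO2(VL_API_IPSEC_GRE_ADD_DEL_TUNNEL_REPLY,`. A smaller point of style on the same block: `rmp->sw_if_index = ntohl (sw_if_index);` converts host to network order and should be spelled `htonl` as send_ipsec_gre_tunnel_details does, even though the result is byte-identical. The dump handler's bounds check on sw_if_index before indexing tunnel_index_by_sw_if_index is correct and worth keeping as is. The BOUNCE_HANDLER macro at the end of the hunk continues outside it.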
diff --git a/vpp/vpp-api/custom_dump.c b/vpp/vpp-api/custom_dump.c
index c4d9a6ee..db5ea646 100644
--- a/vpp/vpp-api/custom_dump.c
+++ b/vpp/vpp-api/custom_dump.c
@@ -2534,6 +2534,42 @@ static void *vl_api_lisp_eid_table_dump_t_print
FINISH;
}
+static void *vl_api_ipsec_gre_add_del_tunnel_t_print
+ (vl_api_ipsec_gre_add_del_tunnel_t * mp, void *handle)
+{
+ u8 *s;
+
+ s = format (0, "SCRIPT: ipsec_gre_add_del_tunnel ");
+
+ s = format (s, "dst %U ", format_ip4_address,
+ (ip4_address_t *) & (mp->dst_address));
+
+ s = format (s, "src %U ", format_ip4_address,
+ (ip4_address_t *) & (mp->src_address));
+
+ s = format (s, "local_sa %d ", ntohl (mp->local_sa_id));
+
+ s = format (s, "remote_sa %d ", ntohl (mp->remote_sa_id));
+
+ if (mp->is_add == 0)
+ s = format (s, "del ");
+
+ FINISH;
+}
+
+static void *vl_api_ipsec_gre_tunnel_dump_t_print
+ (vl_api_ipsec_gre_tunnel_dump_t * mp, void *handle)
+{
+ u8 *s;
+
+ s = format (0, "SCRIPT: ipsec_gre_tunnel_dump ");
+
+ if (mp->sw_if_index != ~0)
+ s = format (s, "sw_if_index %d ", ntohl (mp->sw_if_index));
+
+ FINISH;
+}
+
#define foreach_custom_print_no_arg_function \
_(lisp_eid_table_map_dump) \
_(lisp_map_resolver_dump) \
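Review bot: Both SA ids are u32 fields but are printed with `%d` in vl_api_ipsec_gre_add_del_tunnel_t_print, so any id above INT_MAX is rendered as a negative number in the replay script; `s = format (s, "local_sa %u ", ntohl (mp->local_sa_id));` and the matching `remote_sa %u ` line keep the output faithful to the unsigned API type. The same applies to `sw_if_index %d ` in vl_api_ipsec_gre_tunnel_dump_t_print. The foreach_custom_print_no_arg_function macro that begins at the end of the hunk continues outside it.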
@@ -2677,7 +2713,10 @@ _(LISP_EID_TABLE_DUMP, lisp_eid_table_dump) \
_(LISP_EID_TABLE_MAP_DUMP, lisp_eid_table_map_dump) \
_(LISP_GPE_TUNNEL_DUMP, lisp_gpe_tunnel_dump) \
_(LISP_MAP_RESOLVER_DUMP, lisp_map_resolver_dump) \
-_(LISP_LOCATOR_SET_DUMP, lisp_locator_set_dump)
+_(LISP_LOCATOR_SET_DUMP, lisp_locator_set_dump) \
+_(LISP_LOCATOR_SET_DUMP, lisp_locator_set_dump) \
+_(IPSEC_GRE_ADD_DEL_TUNNEL, ipsec_gre_add_del_tunnel) \
+_(IPSEC_GRE_TUNNEL_DUMP, ipsec_gre_tunnel_dump)
void
vl_msg_api_custom_dump_configure (api_main_t * am)
{
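Review bot: The entry `_(LISP_LOCATOR_SET_DUMP, lisp_locator_set_dump) \` now appears twice in the list, once as the rewritten original line and once as a newly added line directly below it, so the lisp_locator_set_dump print function is registered twice by whatever expands this macro in vl_msg_api_custom_dump_configure. The second copy should be dropped and only the two IPSEC_GRE entries added. vl_msg_api_custom_dump_configure starts at the end of the hunk and its body is outside it.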
diff --git a/vpp/vpp-api/vpe.api b/vpp/vpp-api/vpe.api
index 83f096b8..0685d21e 100644
--- a/vpp/vpp-api/vpe.api
+++ b/vpp/vpp-api/vpe.api
@@ -4744,3 +4744,61 @@ define ip_source_and_port_range_check_interface_add_del_reply
u32 context;
i32 retval;
};
+
+/** \brief Add / del ipsec gre tunnel request
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+ @param local_sa_id - local SA id
+ @param remote_sa_id - remote SA id
+ @param is_add - 1 if adding the tunnel, 0 if deleting
+ @param src_address - tunnel source address
+ @param dst_address - tunnel destination address
+*/
+define ipsec_gre_add_del_tunnel {
+ u32 client_index;
+ u32 context;
+ u32 local_sa_id;
+ u32 remote_sa_id;
+ u8 is_add;
+ u8 src_address[4];
+ u8 dst_address[4];
+};
+
+/** \brief Reply for add / del ipsec gre tunnel request
+ @param context - returned sender context, to match reply w/ request
+ @param retval - return code
+ @param sw_if_index - software index of the new ipsec gre tunnel
+*/
+define ipsec_gre_add_del_tunnel_reply {
+ u32 context;
+ i32 retval;
+ u32 sw_if_index;
+};
+
+/** \brief Dump ipsec gre tunnel table
+ @param client_index - opaque cookie to identify the sender
+ @param context - sender context, to match reply w/ request
+ @param tunnel_index - gre tunnel identifier or -1 in case of all tunnels
+*/
+define ipsec_gre_tunnel_dump {
+ u32 client_index;
+ u32 context;
+ u32 sw_if_index;
+};
+
+/** \brief mpls gre tunnel operational state response
+ @param context - returned sender context, to match reply w/ request
+ @param sw_if_index - software index of the ipsec gre tunnel
+ @param local_sa_id - local SA id
+ @param remote_sa_id - remote SA id
+ @param src_address - tunnel source address
+ @param dst_address - tunnel destination address
+*/
+define ipsec_gre_tunnel_details {
+ u32 context;
+ u32 sw_if_index;
+ u32 local_sa_id;
+ u32 remote_sa_id;
+ u8 src_address[4];
+ u8 dst_address[4];
+};
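Review bot: The documentation on ipsec_gre_tunnel_dump names a parameter that does not exist in the message: it says `@param tunnel_index - gre tunnel identifier or -1 in case of all tunnels` while the field is `u32 sw_if_index`, and the api.c handler keys on sw_if_index with ~0 meaning all tunnels, so the line should read `@param sw_if_index - software index of the tunnel or ~0 (-1) for all tunnels`. The brief on ipsec_gre_tunnel_details reads `\brief mpls gre tunnel operational state response`, which looks copied from another message; `\brief ipsec gre tunnel operational state response` matches the definition below it. These are documentation-only changes to the generated API docs.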