diff options
author | Matus Fabian <matfabia@cisco.com> | 2016-08-10 01:55:36 -0700 |
---|---|---|
committer | Keith Burns <alagalah@gmail.com> | 2016-08-17 23:21:46 +0000 |
commit | 694265d4f10dc86bd27bfd29a2b7c49440aeb6b5 (patch) | |
tree | 48dac360be791a6de945b4eaf1eca495ef08ef0a /vpp | |
parent | 0c25d1f2a872e693d22b81f1d9cd48cc46b10cc1 (diff) |
VPP-202: L2-GRE over IPSec
GRE encapsulate layer 2 traffic and IPSec encrypt what is encapsulated by GRE.
The whole point of L2-GRE over IPSec is to tunnel layer 2 over GRE and IPSec by
bridging the physical interface with IPSec-GRE tunnel interface.
Change-Id: Ia4cf9ed407bf663770e0d8905c0ad44ce73bd23b
Signed-off-by: Matus Fabian <matfabia@cisco.com>
Diffstat (limited to 'vpp')
-rw-r--r-- | vpp/vpp-api/api.c | 96 | ||||
-rw-r--r-- | vpp/vpp-api/custom_dump.c | 41 | ||||
-rw-r--r-- | vpp/vpp-api/vpe.api | 58 |
3 files changed, 193 insertions, 2 deletions
diff --git a/vpp/vpp-api/api.c b/vpp/vpp-api/api.c index 8b34fd90..e142be63 100644 --- a/vpp/vpp-api/api.c +++ b/vpp/vpp-api/api.c @@ -82,6 +82,7 @@ #include <vnet/policer/policer.h> #include <vnet/devices/netmap/netmap.h> #include <vnet/flow/flow_report.h> +#include <vnet/ipsec-gre/ipsec_gre.h> #undef BIHASH_TYPE #undef __included_bihash_template_h__ @@ -382,7 +383,9 @@ _(PG_ENABLE_DISABLE, pg_enable_disable) \ _(IP_SOURCE_AND_PORT_RANGE_CHECK_ADD_DEL, \ ip_source_and_port_range_check_add_del) \ _(IP_SOURCE_AND_PORT_RANGE_CHECK_INTERFACE_ADD_DEL, \ - ip_source_and_port_range_check_interface_add_del) + ip_source_and_port_range_check_interface_add_del) \ +_(IPSEC_GRE_ADD_DEL_TUNNEL, ipsec_gre_add_del_tunnel) \ +_(IPSEC_GRE_TUNNEL_DUMP, ipsec_gre_tunnel_dump) #define QUOTE_(x) #x #define QUOTE(x) QUOTE_(x) @@ -7987,6 +7990,97 @@ reply: REPLY_MACRO (VL_API_IP_SOURCE_AND_PORT_RANGE_CHECK_INTERFACE_ADD_DEL_REPLY); } +static void +vl_api_ipsec_gre_add_del_tunnel_t_handler (vl_api_ipsec_gre_add_del_tunnel_t * + mp) +{ + vl_api_ipsec_gre_add_del_tunnel_reply_t *rmp; + int rv = 0; + vnet_ipsec_gre_add_del_tunnel_args_t _a, *a = &_a; + u32 sw_if_index = ~0; + + /* Check src & dst are different */ + if (memcmp (mp->src_address, mp->dst_address, 4) == 0) + { + rv = VNET_API_ERROR_SAME_SRC_DST; + goto out; + } + + memset (a, 0, sizeof (*a)); + + /* ip addresses sent in network byte order */ + clib_memcpy (&(a->src), mp->src_address, 4); + clib_memcpy (&(a->dst), mp->dst_address, 4); + a->is_add = mp->is_add; + a->lsa = ntohl (mp->local_sa_id); + a->rsa = ntohl (mp->remote_sa_id); + + rv = vnet_ipsec_gre_add_del_tunnel (a, &sw_if_index); + +out: + /* *INDENT-OFF* */ + REPLY_MACRO2(VL_API_GRE_ADD_DEL_TUNNEL_REPLY, + ({ + rmp->sw_if_index = ntohl (sw_if_index); + })); + /* *INDENT-ON* */ +} + +static void send_ipsec_gre_tunnel_details + (ipsec_gre_tunnel_t * t, unix_shared_memory_queue_t * q, u32 context) +{ + vl_api_ipsec_gre_tunnel_details_t *rmp; + + rmp = vl_msg_api_alloc (sizeof (*rmp)); + memset (rmp, 0, sizeof (*rmp)); + rmp->_vl_msg_id = ntohs (VL_API_IPSEC_GRE_TUNNEL_DETAILS); + clib_memcpy (rmp->src_address, &(t->tunnel_src), 4); + clib_memcpy (rmp->dst_address, &(t->tunnel_dst), 4); + rmp->sw_if_index = htonl (t->sw_if_index); + rmp->local_sa_id = htonl (t->local_sa_id); + rmp->remote_sa_id = htonl (t->remote_sa_id); + rmp->context = context; + + vl_msg_api_send_shmem (q, (u8 *) & rmp); +} + +static void vl_api_ipsec_gre_tunnel_dump_t_handler + (vl_api_ipsec_gre_tunnel_dump_t * mp) +{ + unix_shared_memory_queue_t *q; + ipsec_gre_main_t *igm = &ipsec_gre_main; + ipsec_gre_tunnel_t *t; + u32 sw_if_index; + + q = vl_api_client_index_to_input_queue (mp->client_index); + if (q == 0) + { + return; + } + + sw_if_index = ntohl (mp->sw_if_index); + + if (~0 == sw_if_index) + { + /* *INDENT-OFF* */ + pool_foreach (t, igm->tunnels, + ({ + send_ipsec_gre_tunnel_details(t, q, mp->context); + })); + /* *INDENT-ON* */ + } + else + { + if ((sw_if_index >= vec_len (igm->tunnel_index_by_sw_if_index)) || + (~0 == igm->tunnel_index_by_sw_if_index[sw_if_index])) + { + return; + } + t = &igm->tunnels[igm->tunnel_index_by_sw_if_index[sw_if_index]]; + send_ipsec_gre_tunnel_details (t, q, mp->context); + } +} + #define BOUNCE_HANDLER(nn) \ static void vl_api_##nn##_t_handler ( \ vl_api_##nn##_t *mp) \ diff --git a/vpp/vpp-api/custom_dump.c b/vpp/vpp-api/custom_dump.c index c4d9a6ee..db5ea646 100644 --- a/vpp/vpp-api/custom_dump.c +++ b/vpp/vpp-api/custom_dump.c @@ -2534,6 +2534,42 @@ static void *vl_api_lisp_eid_table_dump_t_print FINISH; } +static void *vl_api_ipsec_gre_add_del_tunnel_t_print + (vl_api_ipsec_gre_add_del_tunnel_t * mp, void *handle) +{ + u8 *s; + + s = format (0, "SCRIPT: ipsec_gre_add_del_tunnel "); + + s = format (s, "dst %U ", format_ip4_address, + (ip4_address_t *) & (mp->dst_address)); + + s = format (s, "src %U ", format_ip4_address, + (ip4_address_t *) & (mp->src_address)); + + s = format (s, "local_sa %d ", ntohl (mp->local_sa_id)); + + s = format (s, "remote_sa %d ", ntohl (mp->remote_sa_id)); + + if (mp->is_add == 0) + s = format (s, "del "); + + FINISH; +} + +static void *vl_api_ipsec_gre_tunnel_dump_t_print + (vl_api_ipsec_gre_tunnel_dump_t * mp, void *handle) +{ + u8 *s; + + s = format (0, "SCRIPT: ipsec_gre_tunnel_dump "); + + if (mp->sw_if_index != ~0) + s = format (s, "sw_if_index %d ", ntohl (mp->sw_if_index)); + + FINISH; +} + #define foreach_custom_print_no_arg_function \ _(lisp_eid_table_map_dump) \ _(lisp_map_resolver_dump) \ @@ -2677,7 +2713,10 @@ _(LISP_EID_TABLE_DUMP, lisp_eid_table_dump) \ _(LISP_EID_TABLE_MAP_DUMP, lisp_eid_table_map_dump) \ _(LISP_GPE_TUNNEL_DUMP, lisp_gpe_tunnel_dump) \ _(LISP_MAP_RESOLVER_DUMP, lisp_map_resolver_dump) \ -_(LISP_LOCATOR_SET_DUMP, lisp_locator_set_dump) +_(LISP_LOCATOR_SET_DUMP, lisp_locator_set_dump) \ +_(LISP_LOCATOR_SET_DUMP, lisp_locator_set_dump) \ +_(IPSEC_GRE_ADD_DEL_TUNNEL, ipsec_gre_add_del_tunnel) \ +_(IPSEC_GRE_TUNNEL_DUMP, ipsec_gre_tunnel_dump) void vl_msg_api_custom_dump_configure (api_main_t * am) { diff --git a/vpp/vpp-api/vpe.api b/vpp/vpp-api/vpe.api index 83f096b8..0685d21e 100644 --- a/vpp/vpp-api/vpe.api +++ b/vpp/vpp-api/vpe.api @@ -4744,3 +4744,61 @@ define ip_source_and_port_range_check_interface_add_del_reply u32 context; i32 retval; }; + +/** \brief Add / del ipsec gre tunnel request + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param local_sa_id - local SA id + @param remote_sa_id - remote SA id + @param is_add - 1 if adding the tunnel, 0 if deleting + @param src_address - tunnel source address + @param dst_address - tunnel destination address +*/ +define ipsec_gre_add_del_tunnel { + u32 client_index; + u32 context; + u32 local_sa_id; + u32 remote_sa_id; + u8 is_add; + u8 src_address[4]; + u8 dst_address[4]; +}; + +/** \brief Reply for add / del ipsec gre tunnel request + @param context - returned sender context, to match reply w/ request + @param retval - return code + @param sw_if_index - software index of the new ipsec gre tunnel +*/ +define ipsec_gre_add_del_tunnel_reply { + u32 context; + i32 retval; + u32 sw_if_index; +}; + +/** \brief Dump ipsec gre tunnel table + @param client_index - opaque cookie to identify the sender + @param context - sender context, to match reply w/ request + @param tunnel_index - gre tunnel identifier or -1 in case of all tunnels +*/ +define ipsec_gre_tunnel_dump { + u32 client_index; + u32 context; + u32 sw_if_index; +}; + +/** \brief mpls gre tunnel operational state response + @param context - returned sender context, to match reply w/ request + @param sw_if_index - software index of the ipsec gre tunnel + @param local_sa_id - local SA id + @param remote_sa_id - remote SA id + @param src_address - tunnel source address + @param dst_address - tunnel destination address +*/ +define ipsec_gre_tunnel_details { + u32 context; + u32 sw_if_index; + u32 local_sa_id; + u32 remote_sa_id; + u8 src_address[4]; + u8 dst_address[4]; +}; |