diff options
author | Artem Glazychev <artem.glazychev@xored.com> | 2020-08-31 17:12:30 +0700 |
---|---|---|
committer | Damjan Marion <dmarion@me.com> | 2020-09-09 11:57:48 +0000 |
commit | edca1325cf296bd0f5ff422fc12de2ce7a7bad88 (patch) | |
tree | fb12d12bd4193c5b2c7559d98aba9dc5d2f14e85 /src/plugins/wireguard/wireguard_cli.c | |
parent | ef80ad6bff03e3cc35950de0e15e4821ef3f7c04 (diff) |
wireguard: initial implementation of wireguard protocol
Type: feature
The main information about plugin you can see in README.md
vpp# wireguard ?
wireguard create wireguard create listen-port <port> private-key <key> src <IP> [generate-key]
wireguard delete wireguard delete <interface>
wireguard peer add wireguard peer add <wg_int> public-key <pub_key_other>endpoint <ip4_dst> allowed-ip <prefix>dst-port [port_dst] persistent-keepalive [keepalive_interval]
wireguard peer remove wireguard peer remove <index>
Change-Id: I85eb0bfc033ccfb2045696398d8a108b1c64b8d9
Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Signed-off-by: Damjan Marion <damarion@cisco.com>
Signed-off-by: Jim Thompson <jim@netgate.com>
Signed-off-by: Neale Ranns <nranns@cisco.com>
Signed-off-by: Damjan Marion <damarion@cisco.com>
Diffstat (limited to 'src/plugins/wireguard/wireguard_cli.c')
-rwxr-xr-x | src/plugins/wireguard/wireguard_cli.c | 358 |
1 files changed, 358 insertions, 0 deletions
diff --git a/src/plugins/wireguard/wireguard_cli.c b/src/plugins/wireguard/wireguard_cli.c new file mode 100755 index 00000000000..7fdccdc64b3 --- /dev/null +++ b/src/plugins/wireguard/wireguard_cli.c @@ -0,0 +1,358 @@ +/* + * Copyright (c) 2020 Doc.ai and/or its affiliates. + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <wireguard/wireguard.h> +#include <wireguard/wireguard_key.h> +#include <wireguard/wireguard_peer.h> +#include <wireguard/wireguard_if.h> + +static clib_error_t * +wg_if_create_cli (vlib_main_t * vm, + unformat_input_t * input, vlib_cli_command_t * cmd) +{ + unformat_input_t _line_input, *line_input = &_line_input; + u8 private_key[NOISE_PUBLIC_KEY_LEN]; + u32 instance, sw_if_index; + ip_address_t src_ip; + clib_error_t *error; + u8 *private_key_64; + u32 port, generate_key = 0; + int rv; + + error = NULL; + instance = sw_if_index = ~0; + private_key_64 = 0; + port = 0; + + if (unformat_user (input, unformat_line_input, line_input)) + { + while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (line_input, "instance %d", &instance)) + ; + else if (unformat (line_input, "private-key %s", &private_key_64)) + { + if (!(key_from_base64 (private_key_64, + NOISE_KEY_LEN_BASE64, private_key))) + { + error = clib_error_return (0, "Error parsing private key"); + break; + } + } + else if (unformat (line_input, "listen-port %d", &port)) + ; + else if (unformat (line_input, "port %d", &port)) + ; + else if (unformat (line_input, "generate-key")) + generate_key = 1; + else + if (unformat (line_input, "src %U", unformat_ip_address, &src_ip)) + ; + else + { + error = clib_error_return (0, "unknown input: %U", + format_unformat_error, line_input); + break; + } + } + + unformat_free (line_input); + + if (error) + return error; + } + + if (generate_key) + curve25519_gen_secret (private_key); + + rv = wg_if_create (instance, private_key, port, &src_ip, &sw_if_index); + + if (rv) + return clib_error_return (0, "wireguard interface create failed"); + + vlib_cli_output (vm, "%U\n", format_vnet_sw_if_index_name, vnet_get_main (), + sw_if_index); + return 0; +} + +/*? + * Create a Wireguard interface. +?*/ +/* *INDENT-OFF* */ +VLIB_CLI_COMMAND (wg_if_create_command, static) = { + .path = "wireguard create", + .short_help = "wireguard create listen-port <port> " + "private-key <key> src <IP> [generate-key]", + .function = wg_if_create_cli, +}; +/* *INDENT-ON* */ + +static clib_error_t * +wg_if_delete_cli (vlib_main_t * vm, + unformat_input_t * input, vlib_cli_command_t * cmd) +{ + vnet_main_t *vnm; + u32 sw_if_index; + int rv; + + vnm = vnet_get_main (); + sw_if_index = ~0; + + while (unformat_check_input (input) != UNFORMAT_END_OF_INPUT) + { + if (unformat + (input, "%U", unformat_vnet_sw_interface, vnm, &sw_if_index)) + ; + else + break; + } + + if (~0 != sw_if_index) + { + rv = wg_if_delete (sw_if_index); + + if (rv) + return clib_error_return (0, "wireguard interface delete failed"); + } + else + return clib_error_return (0, "no such interface: %U", + format_unformat_error, input); + + return 0; +} + +/*? + * Delete a Wireguard interface. +?*/ +/* *INDENT-OFF* */ +VLIB_CLI_COMMAND (wg_if_delete_command, static) = { + .path = "wireguard delete", + .short_help = "wireguard delete <interface>", + .function = wg_if_delete_cli, +}; +/* *INDENT-ON* */ + + +static clib_error_t * +wg_peer_add_command_fn (vlib_main_t * vm, + unformat_input_t * input, vlib_cli_command_t * cmd) +{ + vnet_main_t *vnm = vnet_get_main (); + clib_error_t *error = NULL; + unformat_input_t _line_input, *line_input = &_line_input; + + u8 *public_key_64 = 0; + u8 public_key[NOISE_PUBLIC_KEY_LEN]; + fib_prefix_t allowed_ip, *allowed_ips = NULL; + ip_prefix_t pfx; + ip_address_t ip; + u32 portDst = 0, table_id = 0; + u32 persistent_keepalive = 0; + u32 tun_sw_if_index = ~0; + u32 peer_index; + int rv; + + if (!unformat_user (input, unformat_line_input, line_input)) + return 0; + + while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) + { + if (unformat (line_input, "public-key %s", &public_key_64)) + { + if (!(key_from_base64 (public_key_64, + NOISE_KEY_LEN_BASE64, public_key))) + { + error = clib_error_return (0, "Error parsing private key"); + goto done; + } + } + else if (unformat (line_input, "endpoint %U", unformat_ip_address, &ip)) + ; + else if (unformat (line_input, "table-id %d", &table_id)) + ; + else if (unformat (line_input, "port %d", &portDst)) + ; + else if (unformat (line_input, "persistent-keepalive %d", + &persistent_keepalive)) + ; + else if (unformat (line_input, "allowed-ip %U", + unformat_ip_prefix, &pfx)) + { + ip_prefix_to_fib_prefix (&pfx, &allowed_ip); + vec_add1 (allowed_ips, allowed_ip); + } + else if (unformat (line_input, "%U", + unformat_vnet_sw_interface, vnm, &tun_sw_if_index)) + ; + else + { + error = clib_error_return (0, "Input error"); + goto done; + } + } + + if (AF_IP6 == ip_addr_version (&ip) || + FIB_PROTOCOL_IP6 == allowed_ip.fp_proto) + rv = VNET_API_ERROR_INVALID_PROTOCOL; + else + rv = wg_peer_add (tun_sw_if_index, + public_key, + table_id, + &ip_addr_46 (&ip), + allowed_ips, + portDst, persistent_keepalive, &peer_index); + + switch (rv) + { + case VNET_API_ERROR_KEY_LENGTH: + error = clib_error_return (0, "Error parsing public key"); + break; + case VNET_API_ERROR_ENTRY_ALREADY_EXISTS: + error = clib_error_return (0, "Peer already exist"); + break; + case VNET_API_ERROR_INVALID_SW_IF_INDEX: + error = clib_error_return (0, "Tunnel is not specified"); + break; + case VNET_API_ERROR_LIMIT_EXCEEDED: + error = clib_error_return (0, "Max peers limit"); + break; + case VNET_API_ERROR_INIT_FAILED: + error = clib_error_return (0, "wireguard device parameters is not set"); + break; + case VNET_API_ERROR_INVALID_PROTOCOL: + error = clib_error_return (0, "ipv6 not supported yet"); + break; + } + +done: + vec_free (public_key_64); + vec_free (allowed_ips); + unformat_free (line_input); + return error; +} + +/* *INDENT-OFF* */ +VLIB_CLI_COMMAND (wg_peer_add_command, static) = +{ + .path = "wireguard peer add", + .short_help = "wireguard peer add <wg_int> public-key <pub_key_other>" + "endpoint <ip4_dst> allowed-ip <prefix>" + "dst-port [port_dst] persistent-keepalive [keepalive_interval]", + .function = wg_peer_add_command_fn, +}; +/* *INDENT-ON* */ + +static clib_error_t * +wg_peer_remove_command_fn (vlib_main_t * vm, + unformat_input_t * input, vlib_cli_command_t * cmd) +{ + clib_error_t *error = NULL; + u32 peer_index; + int rv; + + unformat_input_t _line_input, *line_input = &_line_input; + if (!unformat_user (input, unformat_line_input, line_input)) + return 0; + + if (unformat (line_input, "%d", &peer_index)) + ; + else + { + error = clib_error_return (0, "Input error"); + goto done; + } + + rv = wg_peer_remove (peer_index); + + switch (rv) + { + case VNET_API_ERROR_KEY_LENGTH: + error = clib_error_return (0, "Error parsing public key"); + break; + } + +done: + unformat_free (line_input); + return error; +} + +/* *INDENT-OFF* */ +VLIB_CLI_COMMAND (wg_peer_remove_command, static) = +{ + .path = "wireguard peer remove", + .short_help = "wireguard peer remove <index>", + .function = wg_peer_remove_command_fn, +}; +/* *INDENT-ON* */ + +static walk_rc_t +wg_peer_show_one (index_t peeri, void *arg) +{ + vlib_cli_output (arg, "%U", format_wg_peer, peeri); + + return (WALK_CONTINUE); +} + +static clib_error_t * +wg_show_peer_command_fn (vlib_main_t * vm, + unformat_input_t * input, vlib_cli_command_t * cmd) +{ + wg_peer_walk (wg_peer_show_one, vm); + + return NULL; +} + +/* *INDENT-OFF* */ +VLIB_CLI_COMMAND (wg_show_peers_command, static) = +{ + .path = "show wireguard peer", + .short_help = "show wireguard peer", + .function = wg_show_peer_command_fn, +}; +/* *INDENT-ON* */ + +static walk_rc_t +wg_if_show_one (index_t itfi, void *arg) +{ + vlib_cli_output (arg, "%U", format_wg_if, itfi); + + return (WALK_CONTINUE); +} + +static clib_error_t * +wg_show_if_command_fn (vlib_main_t * vm, + unformat_input_t * input, vlib_cli_command_t * cmd) +{ + wg_if_walk (wg_if_show_one, vm); + + return NULL; +} + +/* *INDENT-OFF* */ +VLIB_CLI_COMMAND (wg_show_itfs_command, static) = +{ + .path = "show wireguard interface", + .short_help = "show wireguard", + .function = wg_show_if_command_fn, +}; +/* *INDENT-ON* */ + +/* + * fd.io coding-style-patch-verification: ON + * + * Local Variables: + * eval: (c-set-style "gnu") + * End: + */ |