summaryrefslogtreecommitdiffstats
path: root/src/vat/api_format.c
diff options
context:
space:
mode:
authorMatthew Smith <mgsmith@netgate.com>2017-09-26 13:33:44 -0500
committerDamjan Marion <dmarion.lists@gmail.com>2017-10-04 09:37:03 +0000
commit28029530963223c5c3b94f7a2f9d1343662a1a04 (patch)
treeb4934a6e574ac2815d43f8a3079211f11bf6ab42 /src/vat/api_format.c
parent780fc39506759127f59840e37be9c03d278a2f6b (diff)
Add API support to dump IPsec SAs
Add an API request message type to dump IPsec SAs. Either all IPsec SAs can be dumped or it can be limited to a single SA ID (numeric ID set at creation time - not an index). Add a handler for incoming messages with the new request type. Add an API response message type containing the data for an IPsec SA. Add VAT support for new message type. Change-Id: Id7828d000efc637dee7f988a87d3f707a8b466b7 Signed-off-by: Matthew Smith <mgsmith@netgate.com>
Diffstat (limited to 'src/vat/api_format.c')
-rw-r--r--src/vat/api_format.c117
1 files changed, 117 insertions, 0 deletions
diff --git a/src/vat/api_format.c b/src/vat/api_format.c
index 1010a0570b7..08f90dc498e 100644
--- a/src/vat/api_format.c
+++ b/src/vat/api_format.c
@@ -5232,6 +5232,7 @@ _(IPSEC_SPD_ADD_DEL_REPLY, ipsec_spd_add_del_reply) \
_(IPSEC_INTERFACE_ADD_DEL_SPD_REPLY, ipsec_interface_add_del_spd_reply) \
_(IPSEC_SPD_ADD_DEL_ENTRY_REPLY, ipsec_spd_add_del_entry_reply) \
_(IPSEC_SAD_ADD_DEL_ENTRY_REPLY, ipsec_sad_add_del_entry_reply) \
+_(IPSEC_SA_DETAILS, ipsec_sa_details) \
_(IPSEC_SA_SET_KEY_REPLY, ipsec_sa_set_key_reply) \
_(IPSEC_TUNNEL_IF_ADD_DEL_REPLY, ipsec_tunnel_if_add_del_reply) \
_(IKEV2_PROFILE_ADD_DEL_REPLY, ikev2_profile_add_del_reply) \
@@ -13774,6 +13775,121 @@ api_ipsec_tunnel_if_add_del (vat_main_t * vam)
return ret;
}
+static void
+vl_api_ipsec_sa_details_t_handler (vl_api_ipsec_sa_details_t * mp)
+{
+ vat_main_t *vam = &vat_main;
+
+ print (vam->ofp, "sa_id %u sw_if_index %u spi %u proto %u crypto_alg %u "
+ "crypto_key %U integ_alg %u integ_key %U use_esn %u "
+ "use_anti_replay %u is_tunnel %u is_tunnel_ip6 %u "
+ "tunnel_src_addr %U tunnel_dst_addr %U "
+ "salt %u seq_outbound %lu last_seq_inbound %lu "
+ "replay_window %lu total_data_size %lu\n",
+ ntohl (mp->sa_id), ntohl (mp->sw_if_index), ntohl (mp->spi),
+ mp->protocol,
+ mp->crypto_alg, format_hex_bytes, mp->crypto_key, mp->crypto_key_len,
+ mp->integ_alg, format_hex_bytes, mp->integ_key, mp->integ_key_len,
+ mp->use_esn, mp->use_anti_replay, mp->is_tunnel, mp->is_tunnel_ip6,
+ (mp->is_tunnel_ip6) ? format_ip6_address : format_ip4_address,
+ mp->tunnel_src_addr,
+ (mp->is_tunnel_ip6) ? format_ip6_address : format_ip4_address,
+ mp->tunnel_dst_addr,
+ ntohl (mp->salt),
+ clib_net_to_host_u64 (mp->seq_outbound),
+ clib_net_to_host_u64 (mp->last_seq_inbound),
+ clib_net_to_host_u64 (mp->replay_window),
+ clib_net_to_host_u64 (mp->total_data_size));
+}
+
+#define vl_api_ipsec_sa_details_t_endian vl_noop_handler
+#define vl_api_ipsec_sa_details_t_print vl_noop_handler
+
+static void vl_api_ipsec_sa_details_t_handler_json
+ (vl_api_ipsec_sa_details_t * mp)
+{
+ vat_main_t *vam = &vat_main;
+ vat_json_node_t *node = NULL;
+ struct in_addr src_ip4, dst_ip4;
+ struct in6_addr src_ip6, dst_ip6;
+
+ if (VAT_JSON_ARRAY != vam->json_tree.type)
+ {
+ ASSERT (VAT_JSON_NONE == vam->json_tree.type);
+ vat_json_init_array (&vam->json_tree);
+ }
+ node = vat_json_array_add (&vam->json_tree);
+
+ vat_json_init_object (node);
+ vat_json_object_add_uint (node, "sa_id", ntohl (mp->sa_id));
+ vat_json_object_add_uint (node, "sw_if_index", ntohl (mp->sw_if_index));
+ vat_json_object_add_uint (node, "spi", ntohl (mp->spi));
+ vat_json_object_add_uint (node, "proto", mp->protocol);
+ vat_json_object_add_uint (node, "crypto_alg", mp->crypto_alg);
+ vat_json_object_add_uint (node, "integ_alg", mp->integ_alg);
+ vat_json_object_add_uint (node, "use_esn", mp->use_esn);
+ vat_json_object_add_uint (node, "use_anti_replay", mp->use_anti_replay);
+ vat_json_object_add_uint (node, "is_tunnel", mp->is_tunnel);
+ vat_json_object_add_uint (node, "is_tunnel_ip6", mp->is_tunnel_ip6);
+ vat_json_object_add_bytes (node, "crypto_key", mp->crypto_key,
+ mp->crypto_key_len);
+ vat_json_object_add_bytes (node, "integ_key", mp->integ_key,
+ mp->integ_key_len);
+ if (mp->is_tunnel_ip6)
+ {
+ clib_memcpy (&src_ip6, mp->tunnel_src_addr, sizeof (src_ip6));
+ vat_json_object_add_ip6 (node, "tunnel_src_addr", src_ip6);
+ clib_memcpy (&dst_ip6, mp->tunnel_dst_addr, sizeof (dst_ip6));
+ vat_json_object_add_ip6 (node, "tunnel_dst_addr", dst_ip6);
+ }
+ else
+ {
+ clib_memcpy (&src_ip4, mp->tunnel_src_addr, sizeof (src_ip4));
+ vat_json_object_add_ip4 (node, "tunnel_src_addr", src_ip4);
+ clib_memcpy (&dst_ip4, mp->tunnel_dst_addr, sizeof (dst_ip4));
+ vat_json_object_add_ip4 (node, "tunnel_dst_addr", dst_ip4);
+ }
+ vat_json_object_add_uint (node, "replay_window",
+ clib_net_to_host_u64 (mp->replay_window));
+ vat_json_object_add_uint (node, "total_data_size",
+ clib_net_to_host_u64 (mp->total_data_size));
+
+}
+
+static int
+api_ipsec_sa_dump (vat_main_t * vam)
+{
+ unformat_input_t *i = vam->input;
+ vl_api_ipsec_sa_dump_t *mp;
+ vl_api_control_ping_t *mp_ping;
+ u32 sa_id = ~0;
+ int ret;
+
+ while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
+ {
+ if (unformat (i, "sa_id %d", &sa_id))
+ ;
+ else
+ {
+ clib_warning ("parse error '%U'", format_unformat_error, i);
+ return -99;
+ }
+ }
+
+ M (IPSEC_SA_DUMP, mp);
+
+ mp->sa_id = ntohl (sa_id);
+
+ S (mp);
+
+ /* Use a control ping for synchronization */
+ M (CONTROL_PING, mp_ping);
+ S (mp_ping);
+
+ W (ret);
+ return ret;
+}
+
static int
api_ikev2_profile_add_del (vat_main_t * vam)
{
@@ -20838,6 +20954,7 @@ _(ipsec_tunnel_if_add_del, "local_spi <n> remote_spi <n>\n" \
" crypto_alg <alg> local_crypto_key <hex> remote_crypto_key <hex>\n" \
" integ_alg <alg> local_integ_key <hex> remote_integ_key <hex>\n" \
" local_ip <addr> remote_ip <addr> [esn] [anti_replay] [del]\n") \
+_(ipsec_sa_dump, "[sa_id <n>]") \
_(ikev2_profile_add_del, "name <profile_name> [del]") \
_(ikev2_profile_set_auth, "name <profile_name> auth_method <method>\n" \
"(auth_data 0x<data> | auth_data <data>)") \