aboutsummaryrefslogtreecommitdiffstats
path: root/src/vat
diff options
context:
space:
mode:
authorNeale Ranns <nranns@cisco.com>2019-02-06 01:41:05 -0800
committerFlorin Coras <florin.coras@gmail.com>2019-02-07 19:13:32 +0000
commit8d7c502002636da1cb7c71a87757f328e7c2c4fd (patch)
tree1005d63dcb3a24f7bb2ad2d3224bfcb062909666 /src/vat
parent3d0ef26a0285b9baa486c91b2e6609125a2bc651 (diff)
IPSEC: no second lookup after tunnel encap
in the same maaner as with other tunnel tyeps we use the FIB to cache and track the destination used to reach the tunnel endpoint. Post encap we can then ship the packet straight to this adjacency and thus elide the costly second lookup. - SA add and del function so they can be used both directly from the API and for tunnels. - API change for the SA dump to use the SA type - ipsec_key_t type for convenience (copying, [un]formating) - no matching tunnel counters in ipsec-if-input Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vat')
-rw-r--r--src/vat/api_format.c114
1 files changed, 59 insertions, 55 deletions
diff --git a/src/vat/api_format.c b/src/vat/api_format.c
index 5ddbb57f281..1d93cc17648 100644
--- a/src/vat/api_format.c
+++ b/src/vat/api_format.c
@@ -15215,21 +15215,21 @@ vl_api_ipsec_sa_details_t_handler (vl_api_ipsec_sa_details_t * mp)
vat_main_t *vam = &vat_main;
print (vam->ofp, "sa_id %u sw_if_index %u spi %u proto %u crypto_alg %u "
- "crypto_key %U integ_alg %u integ_key %U use_esn %u "
- "use_anti_replay %u is_tunnel %u is_tunnel_ip6 %u "
+ "crypto_key %U integ_alg %u integ_key %U flags %x "
"tunnel_src_addr %U tunnel_dst_addr %U "
"salt %u seq_outbound %lu last_seq_inbound %lu "
"replay_window %lu total_data_size %lu\n",
- ntohl (mp->sa_id), ntohl (mp->sw_if_index), ntohl (mp->spi),
- mp->protocol,
- mp->crypto_alg, format_hex_bytes, mp->crypto_key, mp->crypto_key_len,
- mp->integ_alg, format_hex_bytes, mp->integ_key, mp->integ_key_len,
- mp->use_esn, mp->use_anti_replay, mp->is_tunnel, mp->is_tunnel_ip6,
- (mp->is_tunnel_ip6) ? format_ip6_address : format_ip4_address,
- mp->tunnel_src_addr,
- (mp->is_tunnel_ip6) ? format_ip6_address : format_ip4_address,
- mp->tunnel_dst_addr,
- ntohl (mp->salt),
+ ntohl (mp->entry.sad_id),
+ ntohl (mp->sw_if_index),
+ ntohl (mp->entry.spi),
+ ntohl (mp->entry.protocol),
+ ntohl (mp->entry.crypto_algorithm),
+ format_hex_bytes, mp->entry.crypto_key.data,
+ mp->entry.crypto_key.length, ntohl (mp->entry.integrity_algorithm),
+ format_hex_bytes, mp->entry.integrity_key.data,
+ mp->entry.integrity_key.length, ntohl (mp->entry.flags),
+ format_vl_api_address, &mp->entry.tunnel_src, format_vl_api_address,
+ &mp->entry.tunnel_dst, ntohl (mp->salt),
clib_net_to_host_u64 (mp->seq_outbound),
clib_net_to_host_u64 (mp->last_seq_inbound),
clib_net_to_host_u64 (mp->replay_window),
@@ -15239,13 +15239,32 @@ vl_api_ipsec_sa_details_t_handler (vl_api_ipsec_sa_details_t * mp)
#define vl_api_ipsec_sa_details_t_endian vl_noop_handler
#define vl_api_ipsec_sa_details_t_print vl_noop_handler
+static void
+vat_json_object_add_address (vat_json_node_t * node,
+ const vl_api_address_t * addr)
+{
+ if (ADDRESS_IP6 == addr->af)
+ {
+ struct in6_addr ip6;
+
+ clib_memcpy (&ip6, &addr->un.ip6, sizeof (ip6));
+ vat_json_object_add_ip6 (node, "ip_address", ip6);
+ }
+ else
+ {
+ struct in_addr ip4;
+
+ clib_memcpy (&ip4, &addr->un.ip4, sizeof (ip4));
+ vat_json_object_add_ip4 (node, "ip_address", ip4);
+ }
+}
+
static void vl_api_ipsec_sa_details_t_handler_json
(vl_api_ipsec_sa_details_t * mp)
{
vat_main_t *vam = &vat_main;
vat_json_node_t *node = NULL;
- struct in_addr src_ip4, dst_ip4;
- struct in6_addr src_ip6, dst_ip6;
+ vl_api_ipsec_sad_flags_t flags;
if (VAT_JSON_ARRAY != vam->json_tree.type)
{
@@ -15255,39 +15274,36 @@ static void vl_api_ipsec_sa_details_t_handler_json
node = vat_json_array_add (&vam->json_tree);
vat_json_init_object (node);
- vat_json_object_add_uint (node, "sa_id", ntohl (mp->sa_id));
+ vat_json_object_add_uint (node, "sa_id", ntohl (mp->entry.sad_id));
vat_json_object_add_uint (node, "sw_if_index", ntohl (mp->sw_if_index));
- vat_json_object_add_uint (node, "spi", ntohl (mp->spi));
- vat_json_object_add_uint (node, "proto", mp->protocol);
- vat_json_object_add_uint (node, "crypto_alg", mp->crypto_alg);
- vat_json_object_add_uint (node, "integ_alg", mp->integ_alg);
- vat_json_object_add_uint (node, "use_esn", mp->use_esn);
- vat_json_object_add_uint (node, "use_anti_replay", mp->use_anti_replay);
- vat_json_object_add_uint (node, "is_tunnel", mp->is_tunnel);
- vat_json_object_add_uint (node, "is_tunnel_ip6", mp->is_tunnel_ip6);
- vat_json_object_add_bytes (node, "crypto_key", mp->crypto_key,
- mp->crypto_key_len);
- vat_json_object_add_bytes (node, "integ_key", mp->integ_key,
- mp->integ_key_len);
- if (mp->is_tunnel_ip6)
- {
- clib_memcpy (&src_ip6, mp->tunnel_src_addr, sizeof (src_ip6));
- vat_json_object_add_ip6 (node, "tunnel_src_addr", src_ip6);
- clib_memcpy (&dst_ip6, mp->tunnel_dst_addr, sizeof (dst_ip6));
- vat_json_object_add_ip6 (node, "tunnel_dst_addr", dst_ip6);
- }
- else
- {
- clib_memcpy (&src_ip4, mp->tunnel_src_addr, sizeof (src_ip4));
- vat_json_object_add_ip4 (node, "tunnel_src_addr", src_ip4);
- clib_memcpy (&dst_ip4, mp->tunnel_dst_addr, sizeof (dst_ip4));
- vat_json_object_add_ip4 (node, "tunnel_dst_addr", dst_ip4);
- }
+ vat_json_object_add_uint (node, "spi", ntohl (mp->entry.spi));
+ vat_json_object_add_uint (node, "proto", ntohl (mp->entry.protocol));
+ vat_json_object_add_uint (node, "crypto_alg",
+ ntohl (mp->entry.crypto_algorithm));
+ vat_json_object_add_uint (node, "integ_alg",
+ ntohl (mp->entry.integrity_algorithm));
+ flags = ntohl (mp->entry.flags);
+ vat_json_object_add_uint (node, "use_esn",
+ ! !(flags &
+ IPSEC_API_SAD_FLAG_USE_EXTENDED_SEQ_NUM));
+ vat_json_object_add_uint (node, "use_anti_replay",
+ ! !(flags & IPSEC_API_SAD_FLAG_USE_ANTI_REPLAY));
+ vat_json_object_add_uint (node, "is_tunnel",
+ ! !(flags & IPSEC_API_SAD_FLAG_IS_TUNNEL));
+ vat_json_object_add_uint (node, "is_tunnel_ip6",
+ ! !(flags & IPSEC_API_SAD_FLAG_IS_TUNNEL_V6));
+ vat_json_object_add_uint (node, "udp_encap",
+ ! !(flags & IPSEC_API_SAD_FLAG_UDP_ENCAP));
+ vat_json_object_add_bytes (node, "crypto_key", mp->entry.crypto_key.data,
+ mp->entry.crypto_key.length);
+ vat_json_object_add_bytes (node, "integ_key", mp->entry.integrity_key.data,
+ mp->entry.integrity_key.length);
+ vat_json_object_add_address (node, &mp->entry.tunnel_src);
+ vat_json_object_add_address (node, &mp->entry.tunnel_dst);
vat_json_object_add_uint (node, "replay_window",
clib_net_to_host_u64 (mp->replay_window));
vat_json_object_add_uint (node, "total_data_size",
clib_net_to_host_u64 (mp->total_data_size));
-
}
static int
@@ -20085,8 +20101,6 @@ static void vl_api_ip_neighbor_details_t_handler_json
vat_main_t *vam = &vat_main;
vat_json_node_t *node;
- struct in_addr ip4;
- struct in6_addr ip6;
if (VAT_JSON_ARRAY != vam->json_tree.type)
{
@@ -20104,17 +20118,7 @@ static void vl_api_ip_neighbor_details_t_handler_json
vat_json_object_add_string_copy (node, "link_layer",
format (0, "%U", format_vl_api_mac_address,
&mp->neighbor.mac_address));
-
- if (ADDRESS_IP6 == mp->neighbor.ip_address.af)
- {
- clib_memcpy (&ip6, &mp->neighbor.ip_address.un.ip6, sizeof (ip6));
- vat_json_object_add_ip6 (node, "ip_address", ip6);
- }
- else
- {
- clib_memcpy (&ip4, &mp->neighbor.ip_address.un.ip4, sizeof (ip4));
- vat_json_object_add_ip4 (node, "ip_address", ip4);
- }
+ vat_json_object_add_address (node, &mp->neighbor.ip_address);
}
static int