diff options
author | Neale Ranns <nranns@cisco.com> | 2019-02-06 01:41:05 -0800 |
---|---|---|
committer | Florin Coras <florin.coras@gmail.com> | 2019-02-07 19:13:32 +0000 |
commit | 8d7c502002636da1cb7c71a87757f328e7c2c4fd (patch) | |
tree | 1005d63dcb3a24f7bb2ad2d3224bfcb062909666 /src/vnet/ipsec/ipsec_cli.c | |
parent | 3d0ef26a0285b9baa486c91b2e6609125a2bc651 (diff) |
IPSEC: no second lookup after tunnel encap
in the same maaner as with other tunnel tyeps we use
the FIB to cache and track the destination used to reach
the tunnel endpoint. Post encap we can then ship the packet
straight to this adjacency and thus elide the costly second
lookup.
- SA add and del function so they can be used both directly
from the API and for tunnels.
- API change for the SA dump to use the SA type
- ipsec_key_t type for convenience (copying, [un]formating)
- no matching tunnel counters in ipsec-if-input
Change-Id: I9d144a59667f7bf96442f4ca66bef5c1d3c7f1ea
Signed-off-by: Neale Ranns <nranns@cisco.com>
Diffstat (limited to 'src/vnet/ipsec/ipsec_cli.c')
-rw-r--r-- | src/vnet/ipsec/ipsec_cli.c | 244 |
1 files changed, 71 insertions, 173 deletions
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 4bc14372042..f66bf6d5aa1 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -73,87 +73,62 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, unformat_input_t * input, vlib_cli_command_t * cmd) { - ipsec_main_t *im = &ipsec_main; unformat_input_t _line_input, *line_input = &_line_input; - ipsec_sa_t sa; - int is_add = ~0; - u8 *ck = 0, *ik = 0; - clib_error_t *error = NULL; - - clib_memset (&sa, 0, sizeof (sa)); - sa.tx_fib_index = ~((u32) 0); /* Only supported for ipsec interfaces */ + ip46_address_t tun_src = { }, tun_dst = + { + }; + ipsec_crypto_alg_t crypto_alg; + ipsec_integ_alg_t integ_alg; + ipsec_protocol_t proto; + ipsec_sa_flags_t flags; + clib_error_t *error; + ipsec_key_t ck, ik; + int is_add, rv; + u32 id, spi; + + error = NULL; + is_add = 0; + flags = IPSEC_SA_FLAG_NONE; + proto = IPSEC_PROTOCOL_ESP; if (!unformat_user (input, unformat_line_input, line_input)) return 0; while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) { - if (unformat (line_input, "add %u", &sa.id)) + if (unformat (line_input, "add %u", &id)) is_add = 1; - else if (unformat (line_input, "del %u", &sa.id)) + else if (unformat (line_input, "del %u", &id)) is_add = 0; - else if (unformat (line_input, "spi %u", &sa.spi)) + else if (unformat (line_input, "spi %u", &spi)) ; else if (unformat (line_input, "esp")) - sa.protocol = IPSEC_PROTOCOL_ESP; + proto = IPSEC_PROTOCOL_ESP; else if (unformat (line_input, "ah")) - { - sa.protocol = IPSEC_PROTOCOL_AH; - } - else - if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck)) - sa.crypto_key_len = vec_len (ck); - else - if (unformat - (line_input, "crypto-alg %U", unformat_ipsec_crypto_alg, - &sa.crypto_alg)) - { - if (sa.crypto_alg < IPSEC_CRYPTO_ALG_NONE || - sa.crypto_alg >= IPSEC_CRYPTO_N_ALG) - { - error = clib_error_return (0, "unsupported crypto-alg: '%U'", - format_ipsec_crypto_alg, - sa.crypto_alg); - goto done; - } - } - else - if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik)) - sa.integ_key_len = vec_len (ik); - else if (unformat (line_input, "integ-alg %U", unformat_ipsec_integ_alg, - &sa.integ_alg)) - { - if (sa.integ_alg < IPSEC_INTEG_ALG_NONE || - sa.integ_alg >= IPSEC_INTEG_N_ALG) - { - error = clib_error_return (0, "unsupported integ-alg: '%U'", - format_ipsec_integ_alg, - sa.integ_alg); - goto done; - } - } - else if (unformat (line_input, "tunnel-src %U", - unformat_ip4_address, &sa.tunnel_src_addr.ip4)) - sa.is_tunnel = 1; - else if (unformat (line_input, "tunnel-dst %U", - unformat_ip4_address, &sa.tunnel_dst_addr.ip4)) - sa.is_tunnel = 1; + proto = IPSEC_PROTOCOL_AH; + else if (unformat (line_input, "crypto-key %U", + unformat_ipsec_key, &ck)) + ; + else if (unformat (line_input, "crypto-alg %U", + unformat_ipsec_crypto_alg, &crypto_alg)) + ; + else if (unformat (line_input, "integ-key %U", unformat_ipsec_key, &ik)) + ; + else if (unformat (line_input, "integ-alg %U", + unformat_ipsec_integ_alg, &integ_alg)) + ; else if (unformat (line_input, "tunnel-src %U", - unformat_ip6_address, &sa.tunnel_src_addr.ip6)) + unformat_ip46_address, &tun_src)) { - sa.is_tunnel = 1; - sa.is_tunnel_ip6 = 1; + flags |= IPSEC_SA_FLAG_IS_TUNNEL; + if (!ip46_address_is_ip4 (&tun_src)) + flags |= IPSEC_SA_FLAG_IS_TUNNEL_V6; } else if (unformat (line_input, "tunnel-dst %U", - unformat_ip6_address, &sa.tunnel_dst_addr.ip6)) - { - sa.is_tunnel = 1; - sa.is_tunnel_ip6 = 1; - } + unformat_ip46_address, &tun_dst)) + ; else if (unformat (line_input, "udp-encap")) - { - sa.udp_encap = 1; - } + flags |= IPSEC_SA_FLAG_UDP_ENCAP; else { error = clib_error_return (0, "parse error: '%U'", @@ -162,26 +137,15 @@ ipsec_sa_add_del_command_fn (vlib_main_t * vm, } } - if (sa.crypto_key_len > sizeof (sa.crypto_key)) - sa.crypto_key_len = sizeof (sa.crypto_key); - - if (sa.integ_key_len > sizeof (sa.integ_key)) - sa.integ_key_len = sizeof (sa.integ_key); - - if (ck) - memcpy (sa.crypto_key, ck, sa.crypto_key_len); - - if (ik) - memcpy (sa.integ_key, ik, sa.integ_key_len); - if (is_add) - { - error = ipsec_check_support_cb (im, &sa); - if (error) - goto done; - } + rv = ipsec_sa_add (id, spi, proto, crypto_alg, + &ck, integ_alg, &ik, flags, + 0, &tun_src, &tun_dst, NULL); + else + rv = ipsec_sa_del (id); - ipsec_add_del_sa (vm, &sa, is_add); + if (rv) + clib_error_return (0, "failed"); done: unformat_free (line_input); @@ -388,25 +352,22 @@ set_ipsec_sa_key_command_fn (vlib_main_t * vm, vlib_cli_command_t * cmd) { unformat_input_t _line_input, *line_input = &_line_input; - ipsec_sa_t sa; - u8 *ck = 0, *ik = 0; clib_error_t *error = NULL; - - clib_memset (&sa, 0, sizeof (sa)); + ipsec_key_t ck, ik; + u32 id; if (!unformat_user (input, unformat_line_input, line_input)) return 0; while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) { - if (unformat (line_input, "%u", &sa.id)) + if (unformat (line_input, "%u", &id)) ; else - if (unformat (line_input, "crypto-key %U", unformat_hex_string, &ck)) - sa.crypto_key_len = vec_len (ck); - else - if (unformat (line_input, "integ-key %U", unformat_hex_string, &ik)) - sa.integ_key_len = vec_len (ik); + if (unformat (line_input, "crypto-key %U", unformat_ipsec_key, &ck)) + ; + else if (unformat (line_input, "integ-key %U", unformat_ipsec_key, &ik)) + ; else { error = clib_error_return (0, "parse error: '%U'", @@ -415,19 +376,7 @@ set_ipsec_sa_key_command_fn (vlib_main_t * vm, } } - if (sa.crypto_key_len > sizeof (sa.crypto_key)) - sa.crypto_key_len = sizeof (sa.crypto_key); - - if (sa.integ_key_len > sizeof (sa.integ_key)) - sa.integ_key_len = sizeof (sa.integ_key); - - if (ck) - strncpy ((char *) sa.crypto_key, (char *) ck, sa.crypto_key_len); - - if (ik) - strncpy ((char *) sa.integ_key, (char *) ik, sa.integ_key_len); - - ipsec_set_sa_key (vm, &sa); + ipsec_set_sa_key (id, &ck, &ik); done: unformat_free (line_input); @@ -448,96 +397,45 @@ static clib_error_t * show_ipsec_command_fn (vlib_main_t * vm, unformat_input_t * input, vlib_cli_command_t * cmd) { - ipsec_sa_t *sa; ipsec_main_t *im = &ipsec_main; - u32 i; - ipsec_tunnel_if_t *t; + u32 spd_id, sw_if_index, sai; vnet_hw_interface_t *hi; + ipsec_tunnel_if_t *t; u8 *protocol = NULL; u8 *policy = NULL; - u32 tx_table_id, spd_id, sw_if_index; + u32 i; /* *INDENT-OFF* */ - pool_foreach (sa, im->sad, ({ - if (sa->id) { - vlib_cli_output(vm, "sa %u spi %u mode %s protocol %s%s%s%s", sa->id, sa->spi, - sa->is_tunnel ? "tunnel" : "transport", - sa->protocol ? "esp" : "ah", - sa->udp_encap ? " udp-encap-enabled" : "", - sa->use_anti_replay ? " anti-replay" : "", - sa->use_esn ? " extended-sequence-number" : ""); - if (sa->protocol == IPSEC_PROTOCOL_ESP) { - vlib_cli_output(vm, " crypto alg %U%s%U integrity alg %U%s%U", - format_ipsec_crypto_alg, sa->crypto_alg, - sa->crypto_alg ? " key " : "", - format_hex_bytes, sa->crypto_key, sa->crypto_key_len, - format_ipsec_integ_alg, sa->integ_alg, - sa->integ_alg ? " key " : "", - format_hex_bytes, sa->integ_key, sa->integ_key_len); - } - if (sa->is_tunnel && sa->is_tunnel_ip6) { - vlib_cli_output(vm, " tunnel src %U dst %U", - format_ip6_address, &sa->tunnel_src_addr.ip6, - format_ip6_address, &sa->tunnel_dst_addr.ip6); - } else if (sa->is_tunnel) { - vlib_cli_output(vm, " tunnel src %U dst %U", - format_ip4_address, &sa->tunnel_src_addr.ip4, - format_ip4_address, &sa->tunnel_dst_addr.ip4); - } - } + pool_foreach_index (sai, im->sad, ({ + vlib_cli_output(vm, "%U", format_ipsec_sa, sai); })); - /* *INDENT-ON* */ - - /* *INDENT-OFF* */ pool_foreach_index (i, im->spds, ({ vlib_cli_output(vm, "%U", format_ipsec_spd, i); })); - /* *INDENT-ON* */ vlib_cli_output (vm, "SPD Bindings:"); - /* *INDENT-OFF* */ + hash_foreach(sw_if_index, spd_id, im->spd_index_by_sw_if_index, ({ - vlib_cli_output (vm, " %d -> %U", spd_id, - format_vnet_sw_if_index_name, im->vnet_main, - sw_if_index); + vlib_cli_output (vm, " %d -> %U", spd_id, + format_vnet_sw_if_index_name, im->vnet_main, + sw_if_index); })); /* *INDENT-ON* */ - vlib_cli_output (vm, "tunnel interfaces"); /* *INDENT-OFF* */ pool_foreach (t, im->tunnel_interfaces, ({ if (t->hw_if_index == ~0) continue; hi = vnet_get_hw_interface (im->vnet_main, t->hw_if_index); - vlib_cli_output(vm, " %s seq", hi->name); - sa = pool_elt_at_index(im->sad, t->output_sa_index); - - tx_table_id = fib_table_get_table_id(sa->tx_fib_index, FIB_PROTOCOL_IP4); - - vlib_cli_output(vm, " seq %u seq-hi %u esn %u anti-replay %u udp-encap %u tx-table %u", - sa->seq, sa->seq_hi, sa->use_esn, sa->use_anti_replay, sa->udp_encap, tx_table_id); - vlib_cli_output(vm, " local-spi %u local-ip %U", sa->spi, - format_ip4_address, &sa->tunnel_src_addr.ip4); - vlib_cli_output(vm, " local-crypto %U %U", - format_ipsec_crypto_alg, sa->crypto_alg, - format_hex_bytes, sa->crypto_key, sa->crypto_key_len); - vlib_cli_output(vm, " local-integrity %U %U", - format_ipsec_integ_alg, sa->integ_alg, - format_hex_bytes, sa->integ_key, sa->integ_key_len); - sa = pool_elt_at_index(im->sad, t->input_sa_index); - vlib_cli_output(vm, " last-seq %u last-seq-hi %u esn %u anti-replay %u window %U", - sa->last_seq, sa->last_seq_hi, sa->use_esn, - sa->use_anti_replay, - format_ipsec_replay_window, sa->replay_window); - vlib_cli_output(vm, " remote-spi %u remote-ip %U", sa->spi, - format_ip4_address, &sa->tunnel_src_addr.ip4); - vlib_cli_output(vm, " remote-crypto %U %U", - format_ipsec_crypto_alg, sa->crypto_alg, - format_hex_bytes, sa->crypto_key, sa->crypto_key_len); - vlib_cli_output(vm, " remote-integrity %U %U", - format_ipsec_integ_alg, sa->integ_alg, - format_hex_bytes, sa->integ_key, sa->integ_key_len); + + vlib_cli_output(vm, " %s", hi->name); + + vlib_cli_output(vm, " out-bound sa"); + vlib_cli_output(vm, " %U", format_ipsec_sa, t->output_sa_index); + + vlib_cli_output(vm, " in-bound sa"); + vlib_cli_output(vm, " %U", format_ipsec_sa, t->input_sa_index); })); vec_free(policy); vec_free(protocol); |