authorNeale Ranns <nranns@cisco.com>2020-12-23 16:22:28 +0000
committerAndrew Yourtchenko <ayourtch@gmail.com>2021-01-07 09:15:13 +0000
commita9e2774f5561ccb77c8243a196f93f5070f6c5ad (patch)
tree9bf88556378551ca3bc8ba24b2e2a42878b11208 /src
parent3b6c84c8411f0052410fa0f207fd90f99cee5a2b (diff)
ipsec: Deprecated the old IPsec Tunnel interface
Type: fix

It has been two releases since this interface was marked deprecated.

Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I0eba7ed607826ed0d00e7d2d8f9b27d09e8e9a6e
Diffstat (limited to 'src')
-rw-r--r--src/vat/api_format.c261
-rw-r--r--src/vnet/ipsec/ipsec.api92
-rw-r--r--src/vnet/ipsec/ipsec_api.c190
-rw-r--r--src/vnet/ipsec/ipsec_cli.c195
-rw-r--r--src/vnet/ipsec/ipsec_tun.c111
-rw-r--r--src/vnet/ipsec/ipsec_tun.h10
-rw-r--r--src/vpp/api/custom_dump.c43
7 files changed, 4 insertions, 898 deletions
diff --git a/src/vat/api_format.c b/src/vat/api_format.c
index 3f4d74f656f..d9e5b5b8b21 100644
--- a/src/vat/api_format.c
+++ b/src/vat/api_format.c
@@ -3256,8 +3256,6 @@ _(ipsec_spd_add_del_reply) \
_(ipsec_interface_add_del_spd_reply) \
_(ipsec_spd_entry_add_del_reply) \
_(ipsec_sad_entry_add_del_reply) \
-_(ipsec_tunnel_if_add_del_reply) \
-_(ipsec_tunnel_if_set_sa_reply) \
_(delete_loopback_reply) \
_(bd_ip_mac_add_del_reply) \
_(bd_ip_mac_flush_reply) \
@@ -3439,8 +3437,6 @@ _(IPSEC_INTERFACE_ADD_DEL_SPD_REPLY, ipsec_interface_add_del_spd_reply) \
_(IPSEC_SPD_ENTRY_ADD_DEL_REPLY, ipsec_spd_entry_add_del_reply) \
_(IPSEC_SAD_ENTRY_ADD_DEL_REPLY, ipsec_sad_entry_add_del_reply) \
_(IPSEC_SA_DETAILS, ipsec_sa_details) \
-_(IPSEC_TUNNEL_IF_ADD_DEL_REPLY, ipsec_tunnel_if_add_del_reply) \
-_(IPSEC_TUNNEL_IF_SET_SA_REPLY, ipsec_tunnel_if_set_sa_reply) \
_(DELETE_LOOPBACK_REPLY, delete_loopback_reply) \
_(BD_IP_MAC_ADD_DEL_REPLY, bd_ip_mac_add_del_reply) \
_(BD_IP_MAC_FLUSH_REPLY, bd_ip_mac_flush_reply) \
@@ -10983,206 +10979,6 @@ api_ipsec_sad_entry_add_del (vat_main_t * vam)
return ret;
}
-static int
-api_ipsec_tunnel_if_add_del (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ipsec_tunnel_if_add_del_t *mp;
- u32 local_spi = 0, remote_spi = 0;
- u32 crypto_alg = 0, integ_alg = 0;
- u8 *lck = NULL, *rck = NULL;
- u8 *lik = NULL, *rik = NULL;
- vl_api_address_t local_ip = { 0 };
- vl_api_address_t remote_ip = { 0 };
- f64 before = 0;
- u8 is_add = 1;
- u8 esn = 0;
- u8 anti_replay = 0;
- u8 renumber = 0;
- u32 instance = ~0;
- u32 count = 1, jj;
- int ret = -1;
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "del"))
- is_add = 0;
- else if (unformat (i, "esn"))
- esn = 1;
- else if (unformat (i, "anti-replay"))
- anti_replay = 1;
- else if (unformat (i, "count %d", &count))
- ;
- else if (unformat (i, "local_spi %d", &local_spi))
- ;
- else if (unformat (i, "remote_spi %d", &remote_spi))
- ;
- else
- if (unformat (i, "local_ip %U", unformat_vl_api_address, &local_ip))
- ;
- else
- if (unformat (i, "remote_ip %U", unformat_vl_api_address, &remote_ip))
- ;
- else if (unformat (i, "local_crypto_key %U", unformat_hex_string, &lck))
- ;
- else
- if (unformat (i, "remote_crypto_key %U", unformat_hex_string, &rck))
- ;
- else if (unformat (i, "local_integ_key %U", unformat_hex_string, &lik))
- ;
- else if (unformat (i, "remote_integ_key %U", unformat_hex_string, &rik))
- ;
- else
- if (unformat
- (i, "crypto_alg %U", unformat_ipsec_api_crypto_alg, &crypto_alg))
- {
- if (crypto_alg >= IPSEC_CRYPTO_N_ALG)
- {
- errmsg ("unsupported crypto-alg: '%U'\n",
- format_ipsec_crypto_alg, crypto_alg);
- return -99;
- }
- }
- else
- if (unformat
- (i, "integ_alg %U", unformat_ipsec_api_integ_alg, &integ_alg))
- {
- if (integ_alg >= IPSEC_INTEG_N_ALG)
- {
- errmsg ("unsupported integ-alg: '%U'\n",
- format_ipsec_integ_alg, integ_alg);
- return -99;
- }
- }
- else if (unformat (i, "instance %u", &instance))
- renumber = 1;
- else
- {
- errmsg ("parse error '%U'\n", format_unformat_error, i);
- return -99;
- }
- }
-
- if (count > 1)
- {
- /* Turn on async mode */
- vam->async_mode = 1;
- vam->async_errors = 0;
- before = vat_time_now (vam);
- }
-
- for (jj = 0; jj < count; jj++)
- {
- M (IPSEC_TUNNEL_IF_ADD_DEL, mp);
-
- mp->is_add = is_add;
- mp->esn = esn;
- mp->anti_replay = anti_replay;
-
- if (jj > 0)
- increment_address (&remote_ip);
-
- clib_memcpy (&mp->local_ip, &local_ip, sizeof (local_ip));
- clib_memcpy (&mp->remote_ip, &remote_ip, sizeof (remote_ip));
-
- mp->local_spi = htonl (local_spi + jj);
- mp->remote_spi = htonl (remote_spi + jj);
- mp->crypto_alg = (u8) crypto_alg;
-
- mp->local_crypto_key_len = 0;
- if (lck)
- {
- mp->local_crypto_key_len = vec_len (lck);
- if (mp->local_crypto_key_len > sizeof (mp->local_crypto_key))
- mp->local_crypto_key_len = sizeof (mp->local_crypto_key);
- clib_memcpy (mp->local_crypto_key, lck, mp->local_crypto_key_len);
- }
-
- mp->remote_crypto_key_len = 0;
- if (rck)
- {
- mp->remote_crypto_key_len = vec_len (rck);
- if (mp->remote_crypto_key_len > sizeof (mp->remote_crypto_key))
- mp->remote_crypto_key_len = sizeof (mp->remote_crypto_key);
- clib_memcpy (mp->remote_crypto_key, rck, mp->remote_crypto_key_len);
- }
-
- mp->integ_alg = (u8) integ_alg;
-
- mp->local_integ_key_len = 0;
- if (lik)
- {
- mp->local_integ_key_len = vec_len (lik);
- if (mp->local_integ_key_len > sizeof (mp->local_integ_key))
- mp->local_integ_key_len = sizeof (mp->local_integ_key);
- clib_memcpy (mp->local_integ_key, lik, mp->local_integ_key_len);
- }
-
- mp->remote_integ_key_len = 0;
- if (rik)
- {
- mp->remote_integ_key_len = vec_len (rik);
- if (mp->remote_integ_key_len > sizeof (mp->remote_integ_key))
- mp->remote_integ_key_len = sizeof (mp->remote_integ_key);
- clib_memcpy (mp->remote_integ_key, rik, mp->remote_integ_key_len);
- }
-
- if (renumber)
- {
- mp->renumber = renumber;
- mp->show_instance = ntohl (instance);
- }
- S (mp);
- }
-
- /* When testing multiple add/del ops, use a control-ping to sync */
- if (count > 1)
- {
- vl_api_control_ping_t *mp_ping;
- f64 after;
- f64 timeout;
-
- /* Shut off async mode */
- vam->async_mode = 0;
-
- MPING (CONTROL_PING, mp_ping);
- S (mp_ping);
-
- timeout = vat_time_now (vam) + 1.0;
- while (vat_time_now (vam) < timeout)
- if (vam->result_ready == 1)
- goto out;
- vam->retval = -99;
-
- out:
- if (vam->retval == -99)
- errmsg ("timeout");
-
- if (vam->async_errors > 0)
- {
- errmsg ("%d asynchronous errors", vam->async_errors);
- vam->retval = -98;
- }
- vam->async_errors = 0;
- after = vat_time_now (vam);
-
- /* slim chance, but we might have eaten SIGTERM on the first iteration */
- if (jj > 0)
- count = jj;
-
- print (vam->ofp, "%d tunnels in %.6f secs, %.2f tunnels/sec",
- count, after - before, count / (after - before));
- }
- else
- {
- /* Wait for a reply... */
- W (ret);
- return ret;
- }
-
- return ret;
-}
-
static void
vl_api_ipsec_sa_details_t_handler (vl_api_ipsec_sa_details_t * mp)
{
@@ -11292,57 +11088,6 @@ api_ipsec_sa_dump (vat_main_t * vam)
}
static int
-api_ipsec_tunnel_if_set_sa (vat_main_t * vam)
-{
- unformat_input_t *i = vam->input;
- vl_api_ipsec_tunnel_if_set_sa_t *mp;
- u32 sw_if_index = ~0;
- u32 sa_id = ~0;
- u8 is_outbound = (u8) ~ 0;
- int ret;
-
- while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat (i, "%U", api_unformat_sw_if_index, vam, &sw_if_index))
- ;
- else if (unformat (i, "sa_id %d", &sa_id))
- ;
- else if (unformat (i, "outbound"))
- is_outbound = 1;
- else if (unformat (i, "inbound"))
- is_outbound = 0;
- else
- {
- clib_warning ("parse error '%U'", format_unformat_error, i);
- return -99;
- }
- }
-
- if (sw_if_index == ~0)
- {
- errmsg ("interface must be specified");
- return -99;
- }
-
- if (sa_id == ~0)
- {
- errmsg ("SA ID must be specified");
- return -99;
- }
-
- M (IPSEC_TUNNEL_IF_SET_SA, mp);
-
- mp->sw_if_index = htonl (sw_if_index);
- mp->sa_id = htonl (sa_id);
- mp->is_outbound = is_outbound;
-
- S (mp);
- W (ret);
-
- return ret;
-}
-
-static int
api_get_first_msg_id (vat_main_t * vam)
{
vl_api_get_first_msg_id_t *mp;
@@ -15064,13 +14809,7 @@ _(ipsec_spd_entry_add_del, "spd_id <n> priority <n> action <action>\n" \
" (inbound|outbound) [sa_id <n>] laddr_start <ip4|ip6>\n" \
" laddr_stop <ip4|ip6> raddr_start <ip4|ip6> raddr_stop <ip4|ip6>\n" \
" [lport_start <n> lport_stop <n>] [rport_start <n> rport_stop <n>]" ) \
-_(ipsec_tunnel_if_add_del, "local_spi <n> remote_spi <n>\n" \
- " crypto_alg <alg> local_crypto_key <hex> remote_crypto_key <hex>\n" \
- " integ_alg <alg> local_integ_key <hex> remote_integ_key <hex>\n" \
- " local_ip <addr> remote_ip <addr> [esn] [anti_replay] [del]\n" \
- " [instance <n>]") \
_(ipsec_sa_dump, "[sa_id <n>]") \
-_(ipsec_tunnel_if_set_sa, "<intfc> sa_id <n> <inbound|outbound>\n") \
_(delete_loopback,"sw_if_index <nn>") \
_(bd_ip_mac_add_del, "bd_id <bridge-domain-id> <ip4/6-addr> <mac-addr> [del]") \
_(bd_ip_mac_flush, "bd_id <bridge-domain-id>") \
diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api
index 9b091317ee0..c009d8dffaa 100644
--- a/src/vnet/ipsec/ipsec.api
+++ b/src/vnet/ipsec/ipsec.api
@@ -14,7 +14,7 @@
* limitations under the License.
*/
-option version = "4.0.0";
+option version = "5.0.0";
import "vnet/ipsec/ipsec_types.api";
import "vnet/interface_types.api";
@@ -324,77 +324,6 @@ define ipsec_spd_interface_details {
vl_api_interface_index_t sw_if_index;
};
-/** \brief Add or delete IPsec tunnel interface
-
- !!DEPRECATED!!
- use the tunnel protect APIs instead
-
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
- @param is_add - add IPsec tunnel interface if nonzero, else delete
- @param is_ip6 - tunnel v6 or v4
- @param esn - enable extended sequence numbers if nonzero, else disable
- @param anti_replay - enable anti replay check if nonzero, else disable
- @param local_ip - local IP address
- @param remote_ip - IP address of remote IPsec peer
- @param local_spi - SPI of outbound IPsec SA
- @param remote_spi - SPI of inbound IPsec SA
- @param crypto_alg - encryption algorithm ID
- @param local_crypto_key_len - length of local crypto key in bytes
- @param local_crypto_key - crypto key for outbound IPsec SA
- @param remote_crypto_key_len - length of remote crypto key in bytes
- @param remote_crypto_key - crypto key for inbound IPsec SA
- @param integ_alg - integrity algorithm ID
- @param local_integ_key_len - length of local integrity key in bytes
- @param local_integ_key - integrity key for outbound IPsec SA
- @param remote_integ_key_len - length of remote integrity key in bytes
- @param remote_integ_key - integrity key for inbound IPsec SA
- @param renumber - intf display name uses a specified instance if != 0
- @param show_instance - instance to display for intf if renumber is set
- @param udp_encap - enable UDP encapsulation for NAT traversal
- @param tx_table_id - the FIB id used after packet encap
- @param salt - for use with counter mode ciphers
-*/
-define ipsec_tunnel_if_add_del {
- option deprecated;
- u32 client_index;
- u32 context;
- bool is_add;
- bool esn;
- bool anti_replay;
- vl_api_address_t local_ip;
- vl_api_address_t remote_ip;
- u32 local_spi;
- u32 remote_spi;
- u8 crypto_alg;
- u8 local_crypto_key_len;
- u8 local_crypto_key[128];
- u8 remote_crypto_key_len;
- u8 remote_crypto_key[128];
- u8 integ_alg;
- u8 local_integ_key_len;
- u8 local_integ_key[128];
- u8 remote_integ_key_len;
- u8 remote_integ_key[128];
- bool renumber;
- u32 show_instance;
- bool udp_encap;
- u32 tx_table_id;
- u32 salt;
-};
-
-/** \brief Add/delete IPsec tunnel interface response
- @param context - sender context, to match reply w/ request
- @param retval - return status
- @param sw_if_index - sw_if_index of new interface (for successful add)
-*/
-define ipsec_tunnel_if_add_del_reply {
- option deprecated;
- u32 context;
- i32 retval;
- vl_api_interface_index_t sw_if_index;
-};
-
typedef ipsec_itf
{
u32 user_instance [default=0xffffffff];
@@ -497,25 +426,6 @@ define ipsec_sa_v2_details {
u32 stat_index;
};
-/** \brief Set new SA on IPsec interface
-
- !! DEPRECATED !!
-
- @param client_index - opaque cookie to identify the sender
- @param context - sender context, to match reply w/ request
- @param sw_if_index - index of tunnel interface
- @param sa_id - ID of SA to use
- @param is_outbound - 1 if outbound (local) SA, 0 if inbound (remote)
-*/
-autoreply define ipsec_tunnel_if_set_sa {
- option deprecated;
- u32 client_index;
- u32 context;
- vl_api_interface_index_t sw_if_index;
- u32 sa_id;
- u8 is_outbound;
-};
-
/** \brief Dump IPsec backends
@param client_index - opaque cookie to identify the sender
@param context - sender context, to match reply w/ request
diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c
index 06e7ba0d784..335996ee077 100644
--- a/src/vnet/ipsec/ipsec_api.c
+++ b/src/vnet/ipsec/ipsec_api.c
@@ -68,8 +68,6 @@ _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \
_(IPSEC_ITF_CREATE, ipsec_itf_create) \
_(IPSEC_ITF_DELETE, ipsec_itf_delete) \
_(IPSEC_ITF_DUMP, ipsec_itf_dump) \
-_(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
-_(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \
_(IPSEC_SELECT_BACKEND, ipsec_select_backend) \
_(IPSEC_BACKEND_DUMP, ipsec_backend_dump) \
_(IPSEC_TUNNEL_PROTECT_UPDATE, ipsec_tunnel_protect_update) \
@@ -666,169 +664,6 @@ vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t *
#endif
}
-static u32
-ipsec_tun_mk_input_sa_id (u32 ti)
-{
- return (0x80000000 | ti);
-}
-
-static u32
-ipsec_tun_mk_output_sa_id (u32 ti)
-{
- return (0xc0000000 | ti);
-}
-
-static void
-vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t *
- mp)
-{
- vl_api_ipsec_tunnel_if_add_del_reply_t *rmp;
- u32 sw_if_index = ~0;
- int rv;
-
-#if WITH_LIBSSL > 0
- ip46_address_t local_ip = ip46_address_initializer;
- ip46_address_t remote_ip = ip46_address_initializer;
- ipsec_key_t crypto_key, integ_key;
- ipsec_sa_flags_t flags;
- ip46_type_t local_ip_type, remote_ip_type;
- ipip_transport_t transport;
- u32 fib_index;
-
- local_ip_type = ip_address_decode (&mp->local_ip, &local_ip);
- remote_ip_type = ip_address_decode (&mp->remote_ip, &remote_ip);
- transport = (IP46_TYPE_IP6 == local_ip_type ?
- IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4);
-
- if (local_ip_type != remote_ip_type)
- {
- rv = VNET_API_ERROR_INVALID_VALUE;
- goto done;
- }
-
- flags = IPSEC_SA_FLAG_NONE;
-
- if (mp->udp_encap)
- flags |= IPSEC_SA_FLAG_UDP_ENCAP;
- if (mp->esn)
- flags |= IPSEC_SA_FLAG_USE_ESN;
- if (mp->anti_replay)
- flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
-
- ipsec_mk_key (&crypto_key, mp->remote_crypto_key,
- mp->remote_crypto_key_len);
- ipsec_mk_key (&integ_key, mp->remote_integ_key, mp->remote_integ_key_len);
- ipsec_mk_key (&crypto_key, mp->local_crypto_key, mp->local_crypto_key_len);
- ipsec_mk_key (&integ_key, mp->local_integ_key, mp->local_integ_key_len);
-
- fib_index =
- fib_table_find (fib_proto_from_ip46 (local_ip_type),
- ntohl (mp->tx_table_id));
-
- if (~0 == fib_index)
- {
- rv = VNET_API_ERROR_NO_SUCH_FIB;
- goto done;
- }
-
- if (mp->is_add)
- {
- // remote = input, local = output
- /* create an ip-ip tunnel, then the two SA, then bind them */
- rv = ipip_add_tunnel (transport,
- (mp->renumber ? ntohl (mp->show_instance) : ~0),
- &local_ip,
- &remote_ip, fib_index,
- TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
- TUNNEL_MODE_P2P, &sw_if_index);
-
- if (rv)
- goto done;
-
- rv = ipsec_sa_add_and_lock (ipsec_tun_mk_input_sa_id (sw_if_index),
- ntohl (mp->remote_spi),
- IPSEC_PROTOCOL_ESP,
- mp->crypto_alg,
- &crypto_key,
- mp->integ_alg,
- &integ_key,
- (flags | IPSEC_SA_FLAG_IS_INBOUND),
- ntohl (mp->tx_table_id),
- mp->salt, &remote_ip, &local_ip,
- TUNNEL_ENCAP_DECAP_FLAG_NONE,
- IP_DSCP_CS0, NULL,
- IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
-
- if (rv)
- goto done;
-
- rv = ipsec_sa_add_and_lock (ipsec_tun_mk_output_sa_id (sw_if_index),
- ntohl (mp->local_spi),
- IPSEC_PROTOCOL_ESP,
- mp->crypto_alg,
- &crypto_key,
- mp->integ_alg,
- &integ_key,
- flags,
- ntohl (mp->tx_table_id),
- mp->salt, &local_ip, &remote_ip,
- TUNNEL_ENCAP_DECAP_FLAG_NONE,
- IP_DSCP_CS0, NULL,
- IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
-
- if (rv)
- goto done;
-
- rv = ipsec_tun_protect_update_one (sw_if_index, NULL,
- ipsec_tun_mk_output_sa_id
- (sw_if_index),
- ipsec_tun_mk_input_sa_id
- (sw_if_index));
- if (rv)
- goto done;
-
- /* the SAs are locked as a result of being used for proection,
- * they cannot be removed from the API, since they cannot be refered
- * to by the API. unlock them now, so that if the tunnel is rekeyed
- * they-ll disapper
- */
- ipsec_sa_unlock_id (ipsec_tun_mk_input_sa_id (sw_if_index));
- ipsec_sa_unlock_id (ipsec_tun_mk_output_sa_id (sw_if_index));
- }
- else
- {
- /* *INDENT-OFF* */
- ipip_tunnel_key_t key = {
- .transport = transport,
- .fib_index = fib_index,
- .src = local_ip,
- .dst = remote_ip
- };
- /* *INDENT-ON* */
-
- ipip_tunnel_t *t = ipip_tunnel_db_find (&key);
-
- if (NULL != t)
- {
- rv = ipsec_tun_protect_del (t->sw_if_index, NULL);
- ipip_del_tunnel (t->sw_if_index);
- }
- else
- rv = VNET_API_ERROR_NO_SUCH_ENTRY;
- }
-
-#else
- rv = VNET_API_ERROR_UNIMPLEMENTED;
-#endif
-done:
- /* *INDENT-OFF* */
- REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY,
- ({
- rmp->sw_if_index = htonl (sw_if_index);
- }));
- /* *INDENT-ON* */
-}
-
static void
vl_api_ipsec_itf_create_t_handler (vl_api_ipsec_itf_create_t * mp)
{
@@ -1088,31 +923,6 @@ vl_api_ipsec_sa_v2_dump_t_handler (vl_api_ipsec_sa_dump_t * mp)
}
static void
-vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp)
-{
- vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp;
- int rv;
-
-#if WITH_LIBSSL > 0
- VALIDATE_SW_IF_INDEX(mp);
-
- if (mp->is_outbound)
- rv = ipsec_tun_protect_update_out (ntohl (mp->sw_if_index), NULL,
- ntohl (mp->sa_id));
- else
- rv = ipsec_tun_protect_update_in (ntohl (mp->sw_if_index), NULL,
- ntohl (mp->sa_id));
-
-#else
- clib_warning ("unimplemented");
-#endif
-
- BAD_SW_IF_INDEX_LABEL;
-
- REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY);
-}
-
-static void
vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp)
{
vl_api_registration_t *rp;
diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c
index 1486bbd89fd..0b0ed6c4f12 100644
--- a/src/vnet/ipsec/ipsec_cli.c
+++ b/src/vnet/ipsec/ipsec_cli.c
@@ -784,201 +784,6 @@ VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = {
};
/* *INDENT-ON* */
-static u32
-ipsec_tun_mk_local_sa_id (u32 ti)
-{
- return (0x80000000 | ti);
-}
-
-static u32
-ipsec_tun_mk_remote_sa_id (u32 ti)
-{
- return (0xc0000000 | ti);
-}
-
-static clib_error_t *
-create_ipsec_tunnel_command_fn (vlib_main_t * vm,
- unformat_input_t * input,
- vlib_cli_command_t * cmd)
-{
- unformat_input_t _line_input, *line_input = &_line_input;
- ip46_address_t local_ip = ip46_address_initializer;
- ip46_address_t remote_ip = ip46_address_initializer;
- ip_address_t nh = IP_ADDRESS_V4_ALL_0S;
- ipsec_crypto_alg_t crypto_alg = IPSEC_CRYPTO_ALG_NONE;
- ipsec_integ_alg_t integ_alg = IPSEC_INTEG_ALG_NONE;
- ipsec_sa_flags_t flags;
- u32 local_spi, remote_spi, salt = 0, table_id, fib_index;
- u32 instance = ~0;
- int rv;
- u32 m_args = 0;
- u8 ipv4_set = 0;
- u8 ipv6_set = 0;
- u8 is_add = 1;
- clib_error_t *error = NULL;
- ipsec_key_t rck = { 0 };
- ipsec_key_t lck = { 0 };
- ipsec_key_t lik = { 0 };
- ipsec_key_t rik = { 0 };
-
- table_id = 0;
- flags = IPSEC_SA_FLAG_NONE;
-
- /* Get a line of input. */
- if (!unformat_user (input, unformat_line_input, line_input))
- return 0;
-
- while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT)
- {
- if (unformat
- (line_input, "local-ip %U", unformat_ip46_address, &local_ip,
- IP46_TYPE_ANY))
- {
- ip46_address_is_ip4 (&local_ip) ? (ipv4_set = 1) : (ipv6_set = 1);
- m_args |= 1 << 0;
- }
- else
- if (unformat
- (line_input, "remote-ip %U", unformat_ip46_address, &remote_ip,
- IP46_TYPE_ANY))
- {
- ip46_address_is_ip4 (&remote_ip) ? (ipv4_set = 1) : (ipv6_set = 1);
- m_args |= 1 << 1;
- }
- else if (unformat (line_input, "local-spi %u", &local_spi))
- m_args |= 1 << 2;
- else if (unformat (line_input, "remote-spi %u", &remote_spi))
- m_args |= 1 << 3;
- else if (unformat (line_input, "salt 0x%x", &salt))
- ;
- else if (unformat (line_input, "udp-encap"))
- flags |= IPSEC_SA_FLAG_UDP_ENCAP;
- else if (unformat (line_input, "use-esn"))
- flags |= IPSEC_SA_FLAG_USE_ESN;
- else if (unformat (line_input, "use-anti-replay"))
- flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY;
- else if (unformat (line_input, "instance %u", &instance))
- ;
- else if (unformat (line_input, "tx-table %u", &table_id))
- ;
- else
- if (unformat
- (line_input, "local-crypto-key %U", unformat_ipsec_key, &lck))
- ;
- else
- if (unformat
- (line_input, "remote-crypto-key %U", unformat_ipsec_key, &rck))
- ;
- else if (unformat (line_input, "crypto-alg %U",
- unformat_ipsec_crypto_alg, &crypto_alg))
- ;
- else
- if (unformat
- (line_input, "local-integ-key %U", unformat_ipsec_key, &lik))
- ;
- else
- if (unformat
- (line_input, "remote-integ-key %U", unformat_ipsec_key, &rik))
- ;
- else if (unformat (line_input, "integ-alg %U",
- unformat_ipsec_integ_alg, &integ_alg))
- ;
- else if (unformat (line_input, "del"))
- is_add = 0;
- else if (unformat (line_input, "nh %U", unformat_ip_address, &nh))
- ;
- else
- {
- error = clib_error_return (0, "unknown input `%U'",
- format_unformat_error, line_input);
- goto done;
- }
- }
-
- if (0xf != m_args)
- {
- error = clib_error_return (0, "mandatory argument(s) missing");
- goto done;
- }
-
- if (ipv4_set && ipv6_set)
- return clib_error_return (0, "both IPv4 and IPv6 addresses specified");
-
- fib_index = fib_table_find (fib_ip_proto (ipv6_set), table_id);
-
- if (~0 == fib_index)
- {
- rv = VNET_API_ERROR_NO_SUCH_FIB;
- goto done;
- }
-
- if (is_add)
- {
- // remote = input, local = output
- u32 sw_if_index;
-
- /* create an ip-ip tunnel, then the two SA, then bind them */
- rv =
- ipip_add_tunnel (ipv6_set ? IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4,
- instance, &local_ip, &remote_ip, fib_index,
- TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0,
- TUNNEL_MODE_P2P, &sw_if_index);
- rv |=
- ipsec_sa_add_and_lock (ipsec_tun_mk_local_sa_id (sw_if_index),
- local_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
- &lck, integ_alg, &lik, flags, table_id,
- clib_host_to_net_u32 (salt), &local_ip,
- &remote_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
- IP_DSCP_CS0, NULL,
- IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
- rv |=
- ipsec_sa_add_and_lock (ipsec_tun_mk_remote_sa_id (sw_if_index),
- remote_spi, IPSEC_PROTOCOL_ESP, crypto_alg,
- &rck, integ_alg, &rik,
- (flags | IPSEC_SA_FLAG_IS_INBOUND), table_id,
- clib_host_to_net_u32 (salt), &remote_ip,
- &local_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE,
- IP_DSCP_CS0, NULL,
- IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE);
- rv |=
- ipsec_tun_protect_update_one (sw_if_index, &nh,
- ipsec_tun_mk_local_sa_id (sw_if_index),
- ipsec_tun_mk_remote_sa_id
- (sw_if_index));
- }
- else
- rv = 0;
-
- switch (rv)
- {
- case 0:
- break;
- case VNET_API_ERROR_INVALID_VALUE:
- error = clib_error_return (0,
- "IPSec tunnel interface already exists...");
- goto done;
- default:
- error = clib_error_return (0, "ipsec_register_interface returned %d",
- rv);
- goto done;
- }
-
-done:
- unformat_free (line_input);
-
- return error;
-}
-
-/* *INDENT-OFF* */
-VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = {
- .path = "create ipsec tunnel",
- .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> "
- "remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap] [use-esn] [use-anti-replay] "
- "[tx-table <table-id>]",
- .function = create_ipsec_tunnel_command_fn,
-};
-/* *INDENT-ON* */
-
static clib_error_t *
ipsec_tun_protect_cmd (vlib_main_t * vm,
unformat_input_t * input, vlib_cli_command_t * cmd)
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index a35b6190c44..c3f50a6ffe9 100644
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -529,111 +529,6 @@ ipsec_tun_protect_unconfig (ipsec_main_t * im, ipsec_tun_protect_t * itp)
ITP_DBG (itp, "unconfigured");
}
-int
-ipsec_tun_protect_update_one (u32 sw_if_index,
- const ip_address_t * nh, u32 sa_out, u32 sa_in)
-{
- u32 *sas_in = NULL;
- int rv;
-
- vec_add1 (sas_in, sa_in);
- rv = ipsec_tun_protect_update (sw_if_index, nh, sa_out, sas_in);
-
- return (rv);
-}
-
-int
-ipsec_tun_protect_update_out (u32 sw_if_index,
- const ip_address_t * nh, u32 sa_out)
-{
- u32 itpi, *sas_in, sai, *saip;
- ipsec_tun_protect_t *itp;
- ipsec_main_t *im;
- int rv;
-
- sas_in = NULL;
- rv = 0;
- im = &ipsec_main;
-
- itpi = ipsec_tun_protect_find (sw_if_index, nh);
-
- if (INDEX_INVALID == itpi)
- {
- return (VNET_API_ERROR_INVALID_INTERFACE);
- }
-
- itp = pool_elt_at_index (ipsec_tun_protect_pool, itpi);
-
- /* *INDENT-OFF* */
- FOR_EACH_IPSEC_PROTECT_INPUT_SAI (itp, sai,
- ({
- ipsec_sa_lock (sai);
- vec_add1 (sas_in, sai);
- }));
- /* *INDENT-ON* */
-
- sa_out = ipsec_sa_find_and_lock (sa_out);
-
- if (~0 == sa_out)
- {
- rv = VNET_API_ERROR_INVALID_VALUE;
- goto out;
- }
-
- ipsec_tun_protect_unconfig (im, itp);
- ipsec_tun_protect_config (im, itp, sa_out, sas_in);
-
- ipsec_sa_unlock (sa_out);
- vec_foreach (saip, sas_in) ipsec_sa_unlock (*saip);
-
-out:
- vec_free (sas_in);
- return (rv);
-}
-
-int
-ipsec_tun_protect_update_in (u32 sw_if_index,
- const ip_address_t * nh, u32 sa_in)
-{
- u32 itpi, *sas_in, sa_out;
- ipsec_tun_protect_t *itp;
- ipsec_main_t *im;
- int rv;
-
- sas_in = NULL;
- rv = 0;
- im = &ipsec_main;
- itpi = ipsec_tun_protect_find (sw_if_index, nh);
-
- if (INDEX_INVALID == itpi)
- {
- return (VNET_API_ERROR_INVALID_INTERFACE);
- }
-
- sa_in = ipsec_sa_find_and_lock (sa_in);
-
- if (~0 == sa_in)
- {
- rv = VNET_API_ERROR_INVALID_VALUE;
- goto out;
- }
- vec_add1 (sas_in, sa_in);
-
- itp = pool_elt_at_index (ipsec_tun_protect_pool, itpi);
- sa_out = itp->itp_out_sa;
-
- ipsec_sa_lock (sa_out);
-
- ipsec_tun_protect_unconfig (im, itp);
- ipsec_tun_protect_config (im, itp, sa_out, sas_in);
-
- ipsec_sa_unlock (sa_out);
- ipsec_sa_unlock (sa_in);
-out:
- vec_free (sas_in);
- return (rv);
-}
-
static void
ipsec_tun_protect_update_from_teib (ipsec_tun_protect_t * itp,
const teib_entry_t * ne)
@@ -972,7 +867,7 @@ const static teib_vft_t ipsec_tun_teib_vft = {
.nv_deleted = ipsec_tun_teib_entry_deleted,
};
-void
+static void
ipsec_tun_table_init (ip_address_family_t af, uword table_size, u32 n_buckets)
{
ipsec_main_t *im;
@@ -987,8 +882,8 @@ ipsec_tun_table_init (ip_address_family_t af, uword table_size, u32 n_buckets)
"IPSec IPv6 tunnels", n_buckets, table_size);
}
-clib_error_t *
-ipsec_tunnel_protect_init (vlib_main_t * vm)
+static clib_error_t *
+ipsec_tunnel_protect_init (vlib_main_t *vm)
{
ipsec_main_t *im;
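Review bot: The new signature line `ipsec_tunnel_protect_init (vlib_main_t *vm)` drops the space between `*` and the parameter name that the rest of this file's GNU-indent style keeps (compare `ipsec_main_t * im, ipsec_tun_protect_t * itp` in the hunk header context from line 857), so the file is now internally inconsistent and an indent/checkstyle pass would most likely rewrite it; I would keep `ipsec_tunnel_protect_init (vlib_main_t * vm)` so the visibility change is the only thing this hunk does. Making the function `static` looks fine as long as it is only reached through a VLIB_INIT_FUNCTION registration in this same translation unit, which is outside the hunk, so it is worth confirming nothing else took its address. The function body continues past the end of the hunk.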
diff --git a/src/vnet/ipsec/ipsec_tun.h b/src/vnet/ipsec/ipsec_tun.h
index b8e80d3565f..7ae00992faa 100644
--- a/src/vnet/ipsec/ipsec_tun.h
+++ b/src/vnet/ipsec/ipsec_tun.h
@@ -143,16 +143,9 @@ typedef struct ipsec_tun_protect_t_
} \
}
-extern int ipsec_tun_protect_update_one (u32 sw_if_index,
- const ip_address_t * nh,
- u32 sa_out, u32 sa_in);
extern int ipsec_tun_protect_update (u32 sw_if_index,
const ip_address_t * nh,
u32 sa_out, u32 * sa_ins);
-extern int ipsec_tun_protect_update_in (u32 sw_if_index,
- const ip_address_t * nh, u32 sa_in);
-extern int ipsec_tun_protect_update_out (u32 sw_if_index,
- const ip_address_t * nh, u32 sa_out);
extern int ipsec_tun_protect_del (u32 sw_if_index, const ip_address_t * nh);
@@ -169,9 +162,6 @@ extern u8 *format_ipsec_tun_protect_index (u8 * s, va_list * args);
extern void ipsec_tun_register_nodes (ip_address_family_t af);
extern void ipsec_tun_unregister_nodes (ip_address_family_t af);
-extern void ipsec_tun_table_init (ip_address_family_t af,
- uword table_size, u32 n_buckets);
-
// FIXME
extern vlib_node_registration_t ipsec4_tun_input_node;
extern vlib_node_registration_t ipsec6_tun_input_node;
diff --git a/src/vpp/api/custom_dump.c b/src/vpp/api/custom_dump.c
index d0b5dac4844..1bc4cde900d 100644
--- a/src/vpp/api/custom_dump.c
+++ b/src/vpp/api/custom_dump.c
@@ -2464,48 +2464,6 @@ static void *vl_api_ip_source_and_port_range_check_interface_add_del_t_print
FINISH;
}
-static void *vl_api_ipsec_tunnel_if_add_del_t_print
- (vl_api_ipsec_tunnel_if_add_del_t * mp, void *handle)
-{
- u8 *s;
-
- s = format (0, "SCRIPT: ipsec_tunnel_if_add_del ");
-
- if (mp->esn)
- s = format (s, "esn");
- if (mp->anti_replay)
- s = format (s, "anti-replay");
- if (mp->udp_encap)
- s = format (s, "udp-encap");
-
- s = format (s, "local-ip %U ", format_vl_api_address, &mp->remote_ip);
-
- s = format (s, "remote-ip %U ", format_vl_api_address, &mp->local_ip);
- s = format (s, "tx-table-id %d ", (mp->tx_table_id));
-
- s = format (s, "local-spi %d ", (mp->local_spi));
-
- s = format (s, "remote-spi %d ", (mp->remote_spi));
-
- s = format (s, "local-crypto-key-len %d ", mp->local_crypto_key_len);
- s = format (s, "local-crypto-key %U ", format_hex_bytes,
- mp->local_crypto_key, mp->local_crypto_key_len, 0);
- s = format (s, "remote-crypto-key-len %d ", mp->remote_crypto_key_len);
- s = format (s, "remote-crypto-key %U ", format_hex_bytes,
- mp->remote_crypto_key, mp->remote_crypto_key_len, 0);
- s = format (s, "local-integ-key-len %d ", mp->local_integ_key_len);
- s = format (s, "local-integ-key %U ", format_hex_bytes,
- mp->local_integ_key, mp->local_integ_key_len, 0);
- s = format (s, "remote-integ-key-len %d ", mp->remote_integ_key_len);
- s = format (s, "remote-integ-key %U ", format_hex_bytes,
- mp->remote_integ_key, mp->remote_integ_key_len, 0);
-
- if (mp->is_add == 0)
- s = format (s, "del ");
-
- FINISH;
-}
-
/* static u8 * */
/* format_nsh_address_vat (u8 * s, va_list * args) */
/* { */
@@ -3099,7 +3057,6 @@ _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \
_(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \
_(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \
_(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \
-_(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \
_(DELETE_SUBIF, delete_subif) \
_(L2_INTERFACE_PBB_TAG_REWRITE, l2_interface_pbb_tag_rewrite) \
_(SET_PUNT, set_punt) \