diff options
| author |   Neale Ranns <nranns@cisco.com> | 2020-12-23 16:22:28 +0000 |
|---|---|---|
| committer |   Andrew Yourtchenko <ayourtch@gmail.com> | 2021-01-07 09:15:13 +0000 |
| commit | a9e2774f5561ccb77c8243a196f93f5070f6c5ad (patch) | |
| tree | 9bf88556378551ca3bc8ba24b2e2a42878b11208 /src | |
| parent | 3b6c84c8411f0052410fa0f207fd90f99cee5a2b (diff) | |
ipsec: Deprecated the old IPsec Tunnel interface
Type: fix
it's been 2 releases since it was marked deprecated.
Signed-off-by: Neale Ranns <nranns@cisco.com>
Change-Id: I0eba7ed607826ed0d00e7d2d8f9b27d09e8e9a6e
Diffstat (limited to 'src')
| -rw-r--r-- | src/vat/api_format.c | 261 | ||||
| -rw-r--r-- | src/vnet/ipsec/ipsec.api | 92 | ||||
| -rw-r--r-- | src/vnet/ipsec/ipsec_api.c | 190 | ||||
| -rw-r--r-- | src/vnet/ipsec/ipsec_cli.c | 195 | ||||
| -rw-r--r-- | src/vnet/ipsec/ipsec_tun.c | 111 | ||||
| -rw-r--r-- | src/vnet/ipsec/ipsec_tun.h | 10 | ||||
| -rw-r--r-- | src/vpp/api/custom_dump.c | 43 |
7 files changed, 4 insertions, 898 deletions
diff --git a/src/vat/api_format.c b/src/vat/api_format.c index 3f4d74f656f..d9e5b5b8b21 100644 --- a/src/vat/api_format.c +++ b/src/vat/api_format.c @@ -3256,8 +3256,6 @@ _(ipsec_spd_add_del_reply) \ _(ipsec_interface_add_del_spd_reply) \ _(ipsec_spd_entry_add_del_reply) \ _(ipsec_sad_entry_add_del_reply) \ -_(ipsec_tunnel_if_add_del_reply) \ -_(ipsec_tunnel_if_set_sa_reply) \ _(delete_loopback_reply) \ _(bd_ip_mac_add_del_reply) \ _(bd_ip_mac_flush_reply) \ @@ -3439,8 +3437,6 @@ _(IPSEC_INTERFACE_ADD_DEL_SPD_REPLY, ipsec_interface_add_del_spd_reply) \ _(IPSEC_SPD_ENTRY_ADD_DEL_REPLY, ipsec_spd_entry_add_del_reply) \ _(IPSEC_SAD_ENTRY_ADD_DEL_REPLY, ipsec_sad_entry_add_del_reply) \ _(IPSEC_SA_DETAILS, ipsec_sa_details) \ -_(IPSEC_TUNNEL_IF_ADD_DEL_REPLY, ipsec_tunnel_if_add_del_reply) \ -_(IPSEC_TUNNEL_IF_SET_SA_REPLY, ipsec_tunnel_if_set_sa_reply) \ _(DELETE_LOOPBACK_REPLY, delete_loopback_reply) \ _(BD_IP_MAC_ADD_DEL_REPLY, bd_ip_mac_add_del_reply) \ _(BD_IP_MAC_FLUSH_REPLY, bd_ip_mac_flush_reply) \ @@ -10983,206 +10979,6 @@ api_ipsec_sad_entry_add_del (vat_main_t * vam) return ret; } -static int -api_ipsec_tunnel_if_add_del (vat_main_t * vam) -{ - unformat_input_t *i = vam->input; - vl_api_ipsec_tunnel_if_add_del_t *mp; - u32 local_spi = 0, remote_spi = 0; - u32 crypto_alg = 0, integ_alg = 0; - u8 *lck = NULL, *rck = NULL; - u8 *lik = NULL, *rik = NULL; - vl_api_address_t local_ip = { 0 }; - vl_api_address_t remote_ip = { 0 }; - f64 before = 0; - u8 is_add = 1; - u8 esn = 0; - u8 anti_replay = 0; - u8 renumber = 0; - u32 instance = ~0; - u32 count = 1, jj; - int ret = -1; - - while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) - { - if (unformat (i, "del")) - is_add = 0; - else if (unformat (i, "esn")) - esn = 1; - else if (unformat (i, "anti-replay")) - anti_replay = 1; - else if (unformat (i, "count %d", &count)) - ; - else if (unformat (i, "local_spi %d", &local_spi)) - ; - else if (unformat (i, "remote_spi %d", &remote_spi)) - ; - else - if (unformat (i, "local_ip %U", unformat_vl_api_address, &local_ip)) - ; - else - if (unformat (i, "remote_ip %U", unformat_vl_api_address, &remote_ip)) - ; - else if (unformat (i, "local_crypto_key %U", unformat_hex_string, &lck)) - ; - else - if (unformat (i, "remote_crypto_key %U", unformat_hex_string, &rck)) - ; - else if (unformat (i, "local_integ_key %U", unformat_hex_string, &lik)) - ; - else if (unformat (i, "remote_integ_key %U", unformat_hex_string, &rik)) - ; - else - if (unformat - (i, "crypto_alg %U", unformat_ipsec_api_crypto_alg, &crypto_alg)) - { - if (crypto_alg >= IPSEC_CRYPTO_N_ALG) - { - errmsg ("unsupported crypto-alg: '%U'\n", - format_ipsec_crypto_alg, crypto_alg); - return -99; - } - } - else - if (unformat - (i, "integ_alg %U", unformat_ipsec_api_integ_alg, &integ_alg)) - { - if (integ_alg >= IPSEC_INTEG_N_ALG) - { - errmsg ("unsupported integ-alg: '%U'\n", - format_ipsec_integ_alg, integ_alg); - return -99; - } - } - else if (unformat (i, "instance %u", &instance)) - renumber = 1; - else - { - errmsg ("parse error '%U'\n", format_unformat_error, i); - return -99; - } - } - - if (count > 1) - { - /* Turn on async mode */ - vam->async_mode = 1; - vam->async_errors = 0; - before = vat_time_now (vam); - } - - for (jj = 0; jj < count; jj++) - { - M (IPSEC_TUNNEL_IF_ADD_DEL, mp); - - mp->is_add = is_add; - mp->esn = esn; - mp->anti_replay = anti_replay; - - if (jj > 0) - increment_address (&remote_ip); - - clib_memcpy (&mp->local_ip, &local_ip, sizeof (local_ip)); - clib_memcpy (&mp->remote_ip, &remote_ip, sizeof (remote_ip)); - - mp->local_spi = htonl (local_spi + jj); - mp->remote_spi = htonl (remote_spi + jj); - mp->crypto_alg = (u8) crypto_alg; - - mp->local_crypto_key_len = 0; - if (lck) - { - mp->local_crypto_key_len = vec_len (lck); - if (mp->local_crypto_key_len > sizeof (mp->local_crypto_key)) - mp->local_crypto_key_len = sizeof (mp->local_crypto_key); - clib_memcpy (mp->local_crypto_key, lck, mp->local_crypto_key_len); - } - - mp->remote_crypto_key_len = 0; - if (rck) - { - mp->remote_crypto_key_len = vec_len (rck); - if (mp->remote_crypto_key_len > sizeof (mp->remote_crypto_key)) - mp->remote_crypto_key_len = sizeof (mp->remote_crypto_key); - clib_memcpy (mp->remote_crypto_key, rck, mp->remote_crypto_key_len); - } - - mp->integ_alg = (u8) integ_alg; - - mp->local_integ_key_len = 0; - if (lik) - { - mp->local_integ_key_len = vec_len (lik); - if (mp->local_integ_key_len > sizeof (mp->local_integ_key)) - mp->local_integ_key_len = sizeof (mp->local_integ_key); - clib_memcpy (mp->local_integ_key, lik, mp->local_integ_key_len); - } - - mp->remote_integ_key_len = 0; - if (rik) - { - mp->remote_integ_key_len = vec_len (rik); - if (mp->remote_integ_key_len > sizeof (mp->remote_integ_key)) - mp->remote_integ_key_len = sizeof (mp->remote_integ_key); - clib_memcpy (mp->remote_integ_key, rik, mp->remote_integ_key_len); - } - - if (renumber) - { - mp->renumber = renumber; - mp->show_instance = ntohl (instance); - } - S (mp); - } - - /* When testing multiple add/del ops, use a control-ping to sync */ - if (count > 1) - { - vl_api_control_ping_t *mp_ping; - f64 after; - f64 timeout; - - /* Shut off async mode */ - vam->async_mode = 0; - - MPING (CONTROL_PING, mp_ping); - S (mp_ping); - - timeout = vat_time_now (vam) + 1.0; - while (vat_time_now (vam) < timeout) - if (vam->result_ready == 1) - goto out; - vam->retval = -99; - - out: - if (vam->retval == -99) - errmsg ("timeout"); - - if (vam->async_errors > 0) - { - errmsg ("%d asynchronous errors", vam->async_errors); - vam->retval = -98; - } - vam->async_errors = 0; - after = vat_time_now (vam); - - /* slim chance, but we might have eaten SIGTERM on the first iteration */ - if (jj > 0) - count = jj; - - print (vam->ofp, "%d tunnels in %.6f secs, %.2f tunnels/sec", - count, after - before, count / (after - before)); - } - else - { - /* Wait for a reply... */ - W (ret); - return ret; - } - - return ret; -} - static void vl_api_ipsec_sa_details_t_handler (vl_api_ipsec_sa_details_t * mp) { @@ -11292,57 +11088,6 @@ api_ipsec_sa_dump (vat_main_t * vam) } static int -api_ipsec_tunnel_if_set_sa (vat_main_t * vam) -{ - unformat_input_t *i = vam->input; - vl_api_ipsec_tunnel_if_set_sa_t *mp; - u32 sw_if_index = ~0; - u32 sa_id = ~0; - u8 is_outbound = (u8) ~ 0; - int ret; - - while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) - { - if (unformat (i, "%U", api_unformat_sw_if_index, vam, &sw_if_index)) - ; - else if (unformat (i, "sa_id %d", &sa_id)) - ; - else if (unformat (i, "outbound")) - is_outbound = 1; - else if (unformat (i, "inbound")) - is_outbound = 0; - else - { - clib_warning ("parse error '%U'", format_unformat_error, i); - return -99; - } - } - - if (sw_if_index == ~0) - { - errmsg ("interface must be specified"); - return -99; - } - - if (sa_id == ~0) - { - errmsg ("SA ID must be specified"); - return -99; - } - - M (IPSEC_TUNNEL_IF_SET_SA, mp); - - mp->sw_if_index = htonl (sw_if_index); - mp->sa_id = htonl (sa_id); - mp->is_outbound = is_outbound; - - S (mp); - W (ret); - - return ret; -} - -static int api_get_first_msg_id (vat_main_t * vam) { vl_api_get_first_msg_id_t *mp; @@ -15064,13 +14809,7 @@ _(ipsec_spd_entry_add_del, "spd_id <n> priority <n> action <action>\n" \ " (inbound|outbound) [sa_id <n>] laddr_start <ip4|ip6>\n" \ " laddr_stop <ip4|ip6> raddr_start <ip4|ip6> raddr_stop <ip4|ip6>\n" \ " [lport_start <n> lport_stop <n>] [rport_start <n> rport_stop <n>]" ) \ -_(ipsec_tunnel_if_add_del, "local_spi <n> remote_spi <n>\n" \ - " crypto_alg <alg> local_crypto_key <hex> remote_crypto_key <hex>\n" \ - " integ_alg <alg> local_integ_key <hex> remote_integ_key <hex>\n" \ - " local_ip <addr> remote_ip <addr> [esn] [anti_replay] [del]\n" \ - " [instance <n>]") \ _(ipsec_sa_dump, "[sa_id <n>]") \ -_(ipsec_tunnel_if_set_sa, "<intfc> sa_id <n> <inbound|outbound>\n") \ _(delete_loopback,"sw_if_index <nn>") \ _(bd_ip_mac_add_del, "bd_id <bridge-domain-id> <ip4/6-addr> <mac-addr> [del]") \ _(bd_ip_mac_flush, "bd_id <bridge-domain-id>") \ diff --git a/src/vnet/ipsec/ipsec.api b/src/vnet/ipsec/ipsec.api index 9b091317ee0..c009d8dffaa 100644 --- a/src/vnet/ipsec/ipsec.api +++ b/src/vnet/ipsec/ipsec.api @@ -14,7 +14,7 @@ * limitations under the License. */ -option version = "4.0.0"; +option version = "5.0.0"; import "vnet/ipsec/ipsec_types.api"; import "vnet/interface_types.api"; @@ -324,77 +324,6 @@ define ipsec_spd_interface_details { vl_api_interface_index_t sw_if_index; }; -/** \brief Add or delete IPsec tunnel interface - - !!DEPRECATED!! - use the tunnel protect APIs instead - - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - @param is_add - add IPsec tunnel interface if nonzero, else delete - @param is_ip6 - tunnel v6 or v4 - @param esn - enable extended sequence numbers if nonzero, else disable - @param anti_replay - enable anti replay check if nonzero, else disable - @param local_ip - local IP address - @param remote_ip - IP address of remote IPsec peer - @param local_spi - SPI of outbound IPsec SA - @param remote_spi - SPI of inbound IPsec SA - @param crypto_alg - encryption algorithm ID - @param local_crypto_key_len - length of local crypto key in bytes - @param local_crypto_key - crypto key for outbound IPsec SA - @param remote_crypto_key_len - length of remote crypto key in bytes - @param remote_crypto_key - crypto key for inbound IPsec SA - @param integ_alg - integrity algorithm ID - @param local_integ_key_len - length of local integrity key in bytes - @param local_integ_key - integrity key for outbound IPsec SA - @param remote_integ_key_len - length of remote integrity key in bytes - @param remote_integ_key - integrity key for inbound IPsec SA - @param renumber - intf display name uses a specified instance if != 0 - @param show_instance - instance to display for intf if renumber is set - @param udp_encap - enable UDP encapsulation for NAT traversal - @param tx_table_id - the FIB id used after packet encap - @param salt - for use with counter mode ciphers -*/ -define ipsec_tunnel_if_add_del { - option deprecated; - u32 client_index; - u32 context; - bool is_add; - bool esn; - bool anti_replay; - vl_api_address_t local_ip; - vl_api_address_t remote_ip; - u32 local_spi; - u32 remote_spi; - u8 crypto_alg; - u8 local_crypto_key_len; - u8 local_crypto_key[128]; - u8 remote_crypto_key_len; - u8 remote_crypto_key[128]; - u8 integ_alg; - u8 local_integ_key_len; - u8 local_integ_key[128]; - u8 remote_integ_key_len; - u8 remote_integ_key[128]; - bool renumber; - u32 show_instance; - bool udp_encap; - u32 tx_table_id; - u32 salt; -}; - -/** \brief Add/delete IPsec tunnel interface response - @param context - sender context, to match reply w/ request - @param retval - return status - @param sw_if_index - sw_if_index of new interface (for successful add) -*/ -define ipsec_tunnel_if_add_del_reply { - option deprecated; - u32 context; - i32 retval; - vl_api_interface_index_t sw_if_index; -}; - typedef ipsec_itf { u32 user_instance [default=0xffffffff]; @@ -497,25 +426,6 @@ define ipsec_sa_v2_details { u32 stat_index; }; -/** \brief Set new SA on IPsec interface - - !! DEPRECATED !! - - @param client_index - opaque cookie to identify the sender - @param context - sender context, to match reply w/ request - @param sw_if_index - index of tunnel interface - @param sa_id - ID of SA to use - @param is_outbound - 1 if outbound (local) SA, 0 if inbound (remote) -*/ -autoreply define ipsec_tunnel_if_set_sa { - option deprecated; - u32 client_index; - u32 context; - vl_api_interface_index_t sw_if_index; - u32 sa_id; - u8 is_outbound; -}; - /** \brief Dump IPsec backends @param client_index - opaque cookie to identify the sender @param context - sender context, to match reply w/ request diff --git a/src/vnet/ipsec/ipsec_api.c b/src/vnet/ipsec/ipsec_api.c index 06e7ba0d784..335996ee077 100644 --- a/src/vnet/ipsec/ipsec_api.c +++ b/src/vnet/ipsec/ipsec_api.c @@ -68,8 +68,6 @@ _(IPSEC_SPD_INTERFACE_DUMP, ipsec_spd_interface_dump) \ _(IPSEC_ITF_CREATE, ipsec_itf_create) \ _(IPSEC_ITF_DELETE, ipsec_itf_delete) \ _(IPSEC_ITF_DUMP, ipsec_itf_dump) \ -_(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \ -_(IPSEC_TUNNEL_IF_SET_SA, ipsec_tunnel_if_set_sa) \ _(IPSEC_SELECT_BACKEND, ipsec_select_backend) \ _(IPSEC_BACKEND_DUMP, ipsec_backend_dump) \ _(IPSEC_TUNNEL_PROTECT_UPDATE, ipsec_tunnel_protect_update) \ @@ -666,169 +664,6 @@ vl_api_ipsec_spd_interface_dump_t_handler (vl_api_ipsec_spd_interface_dump_t * #endif } -static u32 -ipsec_tun_mk_input_sa_id (u32 ti) -{ - return (0x80000000 | ti); -} - -static u32 -ipsec_tun_mk_output_sa_id (u32 ti) -{ - return (0xc0000000 | ti); -} - -static void -vl_api_ipsec_tunnel_if_add_del_t_handler (vl_api_ipsec_tunnel_if_add_del_t * - mp) -{ - vl_api_ipsec_tunnel_if_add_del_reply_t *rmp; - u32 sw_if_index = ~0; - int rv; - -#if WITH_LIBSSL > 0 - ip46_address_t local_ip = ip46_address_initializer; - ip46_address_t remote_ip = ip46_address_initializer; - ipsec_key_t crypto_key, integ_key; - ipsec_sa_flags_t flags; - ip46_type_t local_ip_type, remote_ip_type; - ipip_transport_t transport; - u32 fib_index; - - local_ip_type = ip_address_decode (&mp->local_ip, &local_ip); - remote_ip_type = ip_address_decode (&mp->remote_ip, &remote_ip); - transport = (IP46_TYPE_IP6 == local_ip_type ? - IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4); - - if (local_ip_type != remote_ip_type) - { - rv = VNET_API_ERROR_INVALID_VALUE; - goto done; - } - - flags = IPSEC_SA_FLAG_NONE; - - if (mp->udp_encap) - flags |= IPSEC_SA_FLAG_UDP_ENCAP; - if (mp->esn) - flags |= IPSEC_SA_FLAG_USE_ESN; - if (mp->anti_replay) - flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY; - - ipsec_mk_key (&crypto_key, mp->remote_crypto_key, - mp->remote_crypto_key_len); - ipsec_mk_key (&integ_key, mp->remote_integ_key, mp->remote_integ_key_len); - ipsec_mk_key (&crypto_key, mp->local_crypto_key, mp->local_crypto_key_len); - ipsec_mk_key (&integ_key, mp->local_integ_key, mp->local_integ_key_len); - - fib_index = - fib_table_find (fib_proto_from_ip46 (local_ip_type), - ntohl (mp->tx_table_id)); - - if (~0 == fib_index) - { - rv = VNET_API_ERROR_NO_SUCH_FIB; - goto done; - } - - if (mp->is_add) - { - // remote = input, local = output - /* create an ip-ip tunnel, then the two SA, then bind them */ - rv = ipip_add_tunnel (transport, - (mp->renumber ? ntohl (mp->show_instance) : ~0), - &local_ip, - &remote_ip, fib_index, - TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0, - TUNNEL_MODE_P2P, &sw_if_index); - - if (rv) - goto done; - - rv = ipsec_sa_add_and_lock (ipsec_tun_mk_input_sa_id (sw_if_index), - ntohl (mp->remote_spi), - IPSEC_PROTOCOL_ESP, - mp->crypto_alg, - &crypto_key, - mp->integ_alg, - &integ_key, - (flags | IPSEC_SA_FLAG_IS_INBOUND), - ntohl (mp->tx_table_id), - mp->salt, &remote_ip, &local_ip, - TUNNEL_ENCAP_DECAP_FLAG_NONE, - IP_DSCP_CS0, NULL, - IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE); - - if (rv) - goto done; - - rv = ipsec_sa_add_and_lock (ipsec_tun_mk_output_sa_id (sw_if_index), - ntohl (mp->local_spi), - IPSEC_PROTOCOL_ESP, - mp->crypto_alg, - &crypto_key, - mp->integ_alg, - &integ_key, - flags, - ntohl (mp->tx_table_id), - mp->salt, &local_ip, &remote_ip, - TUNNEL_ENCAP_DECAP_FLAG_NONE, - IP_DSCP_CS0, NULL, - IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE); - - if (rv) - goto done; - - rv = ipsec_tun_protect_update_one (sw_if_index, NULL, - ipsec_tun_mk_output_sa_id - (sw_if_index), - ipsec_tun_mk_input_sa_id - (sw_if_index)); - if (rv) - goto done; - - /* the SAs are locked as a result of being used for proection, - * they cannot be removed from the API, since they cannot be refered - * to by the API. unlock them now, so that if the tunnel is rekeyed - * they-ll disapper - */ - ipsec_sa_unlock_id (ipsec_tun_mk_input_sa_id (sw_if_index)); - ipsec_sa_unlock_id (ipsec_tun_mk_output_sa_id (sw_if_index)); - } - else - { - /* *INDENT-OFF* */ - ipip_tunnel_key_t key = { - .transport = transport, - .fib_index = fib_index, - .src = local_ip, - .dst = remote_ip - }; - /* *INDENT-ON* */ - - ipip_tunnel_t *t = ipip_tunnel_db_find (&key); - - if (NULL != t) - { - rv = ipsec_tun_protect_del (t->sw_if_index, NULL); - ipip_del_tunnel (t->sw_if_index); - } - else - rv = VNET_API_ERROR_NO_SUCH_ENTRY; - } - -#else - rv = VNET_API_ERROR_UNIMPLEMENTED; -#endif -done: - /* *INDENT-OFF* */ - REPLY_MACRO2 (VL_API_IPSEC_TUNNEL_IF_ADD_DEL_REPLY, - ({ - rmp->sw_if_index = htonl (sw_if_index); - })); - /* *INDENT-ON* */ -} - static void vl_api_ipsec_itf_create_t_handler (vl_api_ipsec_itf_create_t * mp) { @@ -1088,31 +923,6 @@ vl_api_ipsec_sa_v2_dump_t_handler (vl_api_ipsec_sa_dump_t * mp) } static void -vl_api_ipsec_tunnel_if_set_sa_t_handler (vl_api_ipsec_tunnel_if_set_sa_t * mp) -{ - vl_api_ipsec_tunnel_if_set_sa_reply_t *rmp; - int rv; - -#if WITH_LIBSSL > 0 - VALIDATE_SW_IF_INDEX(mp); - - if (mp->is_outbound) - rv = ipsec_tun_protect_update_out (ntohl (mp->sw_if_index), NULL, - ntohl (mp->sa_id)); - else - rv = ipsec_tun_protect_update_in (ntohl (mp->sw_if_index), NULL, - ntohl (mp->sa_id)); - -#else - clib_warning ("unimplemented"); -#endif - - BAD_SW_IF_INDEX_LABEL; - - REPLY_MACRO (VL_API_IPSEC_TUNNEL_IF_SET_SA_REPLY); -} - -static void vl_api_ipsec_backend_dump_t_handler (vl_api_ipsec_backend_dump_t * mp) { vl_api_registration_t *rp; diff --git a/src/vnet/ipsec/ipsec_cli.c b/src/vnet/ipsec/ipsec_cli.c index 1486bbd89fd..0b0ed6c4f12 100644 --- a/src/vnet/ipsec/ipsec_cli.c +++ b/src/vnet/ipsec/ipsec_cli.c @@ -784,201 +784,6 @@ VLIB_CLI_COMMAND (clear_ipsec_counters_command, static) = { }; /* *INDENT-ON* */ -static u32 -ipsec_tun_mk_local_sa_id (u32 ti) -{ - return (0x80000000 | ti); -} - -static u32 -ipsec_tun_mk_remote_sa_id (u32 ti) -{ - return (0xc0000000 | ti); -} - -static clib_error_t * -create_ipsec_tunnel_command_fn (vlib_main_t * vm, - unformat_input_t * input, - vlib_cli_command_t * cmd) -{ - unformat_input_t _line_input, *line_input = &_line_input; - ip46_address_t local_ip = ip46_address_initializer; - ip46_address_t remote_ip = ip46_address_initializer; - ip_address_t nh = IP_ADDRESS_V4_ALL_0S; - ipsec_crypto_alg_t crypto_alg = IPSEC_CRYPTO_ALG_NONE; - ipsec_integ_alg_t integ_alg = IPSEC_INTEG_ALG_NONE; - ipsec_sa_flags_t flags; - u32 local_spi, remote_spi, salt = 0, table_id, fib_index; - u32 instance = ~0; - int rv; - u32 m_args = 0; - u8 ipv4_set = 0; - u8 ipv6_set = 0; - u8 is_add = 1; - clib_error_t *error = NULL; - ipsec_key_t rck = { 0 }; - ipsec_key_t lck = { 0 }; - ipsec_key_t lik = { 0 }; - ipsec_key_t rik = { 0 }; - - table_id = 0; - flags = IPSEC_SA_FLAG_NONE; - - /* Get a line of input. */ - if (!unformat_user (input, unformat_line_input, line_input)) - return 0; - - while (unformat_check_input (line_input) != UNFORMAT_END_OF_INPUT) - { - if (unformat - (line_input, "local-ip %U", unformat_ip46_address, &local_ip, - IP46_TYPE_ANY)) - { - ip46_address_is_ip4 (&local_ip) ? (ipv4_set = 1) : (ipv6_set = 1); - m_args |= 1 << 0; - } - else - if (unformat - (line_input, "remote-ip %U", unformat_ip46_address, &remote_ip, - IP46_TYPE_ANY)) - { - ip46_address_is_ip4 (&remote_ip) ? (ipv4_set = 1) : (ipv6_set = 1); - m_args |= 1 << 1; - } - else if (unformat (line_input, "local-spi %u", &local_spi)) - m_args |= 1 << 2; - else if (unformat (line_input, "remote-spi %u", &remote_spi)) - m_args |= 1 << 3; - else if (unformat (line_input, "salt 0x%x", &salt)) - ; - else if (unformat (line_input, "udp-encap")) - flags |= IPSEC_SA_FLAG_UDP_ENCAP; - else if (unformat (line_input, "use-esn")) - flags |= IPSEC_SA_FLAG_USE_ESN; - else if (unformat (line_input, "use-anti-replay")) - flags |= IPSEC_SA_FLAG_USE_ANTI_REPLAY; - else if (unformat (line_input, "instance %u", &instance)) - ; - else if (unformat (line_input, "tx-table %u", &table_id)) - ; - else - if (unformat - (line_input, "local-crypto-key %U", unformat_ipsec_key, &lck)) - ; - else - if (unformat - (line_input, "remote-crypto-key %U", unformat_ipsec_key, &rck)) - ; - else if (unformat (line_input, "crypto-alg %U", - unformat_ipsec_crypto_alg, &crypto_alg)) - ; - else - if (unformat - (line_input, "local-integ-key %U", unformat_ipsec_key, &lik)) - ; - else - if (unformat - (line_input, "remote-integ-key %U", unformat_ipsec_key, &rik)) - ; - else if (unformat (line_input, "integ-alg %U", - unformat_ipsec_integ_alg, &integ_alg)) - ; - else if (unformat (line_input, "del")) - is_add = 0; - else if (unformat (line_input, "nh %U", unformat_ip_address, &nh)) - ; - else - { - error = clib_error_return (0, "unknown input `%U'", - format_unformat_error, line_input); - goto done; - } - } - - if (0xf != m_args) - { - error = clib_error_return (0, "mandatory argument(s) missing"); - goto done; - } - - if (ipv4_set && ipv6_set) - return clib_error_return (0, "both IPv4 and IPv6 addresses specified"); - - fib_index = fib_table_find (fib_ip_proto (ipv6_set), table_id); - - if (~0 == fib_index) - { - rv = VNET_API_ERROR_NO_SUCH_FIB; - goto done; - } - - if (is_add) - { - // remote = input, local = output - u32 sw_if_index; - - /* create an ip-ip tunnel, then the two SA, then bind them */ - rv = - ipip_add_tunnel (ipv6_set ? IPIP_TRANSPORT_IP6 : IPIP_TRANSPORT_IP4, - instance, &local_ip, &remote_ip, fib_index, - TUNNEL_ENCAP_DECAP_FLAG_NONE, IP_DSCP_CS0, - TUNNEL_MODE_P2P, &sw_if_index); - rv |= - ipsec_sa_add_and_lock (ipsec_tun_mk_local_sa_id (sw_if_index), - local_spi, IPSEC_PROTOCOL_ESP, crypto_alg, - &lck, integ_alg, &lik, flags, table_id, - clib_host_to_net_u32 (salt), &local_ip, - &remote_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE, - IP_DSCP_CS0, NULL, - IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE); - rv |= - ipsec_sa_add_and_lock (ipsec_tun_mk_remote_sa_id (sw_if_index), - remote_spi, IPSEC_PROTOCOL_ESP, crypto_alg, - &rck, integ_alg, &rik, - (flags | IPSEC_SA_FLAG_IS_INBOUND), table_id, - clib_host_to_net_u32 (salt), &remote_ip, - &local_ip, TUNNEL_ENCAP_DECAP_FLAG_NONE, - IP_DSCP_CS0, NULL, - IPSEC_UDP_PORT_NONE, IPSEC_UDP_PORT_NONE); - rv |= - ipsec_tun_protect_update_one (sw_if_index, &nh, - ipsec_tun_mk_local_sa_id (sw_if_index), - ipsec_tun_mk_remote_sa_id - (sw_if_index)); - } - else - rv = 0; - - switch (rv) - { - case 0: - break; - case VNET_API_ERROR_INVALID_VALUE: - error = clib_error_return (0, - "IPSec tunnel interface already exists..."); - goto done; - default: - error = clib_error_return (0, "ipsec_register_interface returned %d", - rv); - goto done; - } - -done: - unformat_free (line_input); - - return error; -} - -/* *INDENT-OFF* */ -VLIB_CLI_COMMAND (create_ipsec_tunnel_command, static) = { - .path = "create ipsec tunnel", - .short_help = "create ipsec tunnel local-ip <addr> local-spi <spi> " - "remote-ip <addr> remote-spi <spi> [instance <inst_num>] [udp-encap] [use-esn] [use-anti-replay] " - "[tx-table <table-id>]", - .function = create_ipsec_tunnel_command_fn, -}; -/* *INDENT-ON* */ - static clib_error_t * ipsec_tun_protect_cmd (vlib_main_t * vm, unformat_input_t * input, vlib_cli_command_t * cmd) diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c index a35b6190c44..c3f50a6ffe9 100644 --- a/src/vnet/ipsec/ipsec_tun.c +++ b/src/vnet/ipsec/ipsec_tun.c @@ -529,111 +529,6 @@ ipsec_tun_protect_unconfig (ipsec_main_t * im, ipsec_tun_protect_t * itp) ITP_DBG (itp, "unconfigured"); } -int -ipsec_tun_protect_update_one (u32 sw_if_index, - const ip_address_t * nh, u32 sa_out, u32 sa_in) -{ - u32 *sas_in = NULL; - int rv; - - vec_add1 (sas_in, sa_in); - rv = ipsec_tun_protect_update (sw_if_index, nh, sa_out, sas_in); - - return (rv); -} - -int -ipsec_tun_protect_update_out (u32 sw_if_index, - const ip_address_t * nh, u32 sa_out) -{ - u32 itpi, *sas_in, sai, *saip; - ipsec_tun_protect_t *itp; - ipsec_main_t *im; - int rv; - - sas_in = NULL; - rv = 0; - im = &ipsec_main; - - itpi = ipsec_tun_protect_find (sw_if_index, nh); - - if (INDEX_INVALID == itpi) - { - return (VNET_API_ERROR_INVALID_INTERFACE); - } - - itp = pool_elt_at_index (ipsec_tun_protect_pool, itpi); - - /* *INDENT-OFF* */ - FOR_EACH_IPSEC_PROTECT_INPUT_SAI (itp, sai, - ({ - ipsec_sa_lock (sai); - vec_add1 (sas_in, sai); - })); - /* *INDENT-ON* */ - - sa_out = ipsec_sa_find_and_lock (sa_out); - - if (~0 == sa_out) - { - rv = VNET_API_ERROR_INVALID_VALUE; - goto out; - } - - ipsec_tun_protect_unconfig (im, itp); - ipsec_tun_protect_config (im, itp, sa_out, sas_in); - - ipsec_sa_unlock (sa_out); - vec_foreach (saip, sas_in) ipsec_sa_unlock (*saip); - -out: - vec_free (sas_in); - return (rv); -} - -int -ipsec_tun_protect_update_in (u32 sw_if_index, - const ip_address_t * nh, u32 sa_in) -{ - u32 itpi, *sas_in, sa_out; - ipsec_tun_protect_t *itp; - ipsec_main_t *im; - int rv; - - sas_in = NULL; - rv = 0; - im = &ipsec_main; - itpi = ipsec_tun_protect_find (sw_if_index, nh); - - if (INDEX_INVALID == itpi) - { - return (VNET_API_ERROR_INVALID_INTERFACE); - } - - sa_in = ipsec_sa_find_and_lock (sa_in); - - if (~0 == sa_in) - { - rv = VNET_API_ERROR_INVALID_VALUE; - goto out; - } - vec_add1 (sas_in, sa_in); - - itp = pool_elt_at_index (ipsec_tun_protect_pool, itpi); - sa_out = itp->itp_out_sa; - - ipsec_sa_lock (sa_out); - - ipsec_tun_protect_unconfig (im, itp); - ipsec_tun_protect_config (im, itp, sa_out, sas_in); - - ipsec_sa_unlock (sa_out); - ipsec_sa_unlock (sa_in); -out: - vec_free (sas_in); - return (rv); -} - static void ipsec_tun_protect_update_from_teib (ipsec_tun_protect_t * itp, const teib_entry_t * ne) @@ -972,7 +867,7 @@ const static teib_vft_t ipsec_tun_teib_vft = { .nv_deleted = ipsec_tun_teib_entry_deleted, }; -void +static void ipsec_tun_table_init (ip_address_family_t af, uword table_size, u32 n_buckets) { ipsec_main_t *im; @@ -987,8 +882,8 @@ ipsec_tun_table_init (ip_address_family_t af, uword table_size, u32 n_buckets) "IPSec IPv6 tunnels", n_buckets, table_size); } -clib_error_t * -ipsec_tunnel_protect_init (vlib_main_t * vm) +static clib_error_t * +ipsec_tunnel_protect_init (vlib_main_t *vm) { ipsec_main_t *im; diff --git a/src/vnet/ipsec/ipsec_tun.h b/src/vnet/ipsec/ipsec_tun.h index b8e80d3565f..7ae00992faa 100644 --- a/src/vnet/ipsec/ipsec_tun.h +++ b/src/vnet/ipsec/ipsec_tun.h @@ -143,16 +143,9 @@ typedef struct ipsec_tun_protect_t_ } \ } -extern int ipsec_tun_protect_update_one (u32 sw_if_index, - const ip_address_t * nh, - u32 sa_out, u32 sa_in); extern int ipsec_tun_protect_update (u32 sw_if_index, const ip_address_t * nh, u32 sa_out, u32 * sa_ins); -extern int ipsec_tun_protect_update_in (u32 sw_if_index, - const ip_address_t * nh, u32 sa_in); -extern int ipsec_tun_protect_update_out (u32 sw_if_index, - const ip_address_t * nh, u32 sa_out); extern int ipsec_tun_protect_del (u32 sw_if_index, const ip_address_t * nh); @@ -169,9 +162,6 @@ extern u8 *format_ipsec_tun_protect_index (u8 * s, va_list * args); extern void ipsec_tun_register_nodes (ip_address_family_t af); extern void ipsec_tun_unregister_nodes (ip_address_family_t af); -extern void ipsec_tun_table_init (ip_address_family_t af, - uword table_size, u32 n_buckets); - // FIXME extern vlib_node_registration_t ipsec4_tun_input_node; extern vlib_node_registration_t ipsec6_tun_input_node; diff --git a/src/vpp/api/custom_dump.c b/src/vpp/api/custom_dump.c index d0b5dac4844..1bc4cde900d 100644 --- a/src/vpp/api/custom_dump.c +++ b/src/vpp/api/custom_dump.c @@ -2464,48 +2464,6 @@ static void *vl_api_ip_source_and_port_range_check_interface_add_del_t_print FINISH; } -static void *vl_api_ipsec_tunnel_if_add_del_t_print - (vl_api_ipsec_tunnel_if_add_del_t * mp, void *handle) -{ - u8 *s; - - s = format (0, "SCRIPT: ipsec_tunnel_if_add_del "); - - if (mp->esn) - s = format (s, "esn"); - if (mp->anti_replay) - s = format (s, "anti-replay"); - if (mp->udp_encap) - s = format (s, "udp-encap"); - - s = format (s, "local-ip %U ", format_vl_api_address, &mp->remote_ip); - - s = format (s, "remote-ip %U ", format_vl_api_address, &mp->local_ip); - s = format (s, "tx-table-id %d ", (mp->tx_table_id)); - - s = format (s, "local-spi %d ", (mp->local_spi)); - - s = format (s, "remote-spi %d ", (mp->remote_spi)); - - s = format (s, "local-crypto-key-len %d ", mp->local_crypto_key_len); - s = format (s, "local-crypto-key %U ", format_hex_bytes, - mp->local_crypto_key, mp->local_crypto_key_len, 0); - s = format (s, "remote-crypto-key-len %d ", mp->remote_crypto_key_len); - s = format (s, "remote-crypto-key %U ", format_hex_bytes, - mp->remote_crypto_key, mp->remote_crypto_key_len, 0); - s = format (s, "local-integ-key-len %d ", mp->local_integ_key_len); - s = format (s, "local-integ-key %U ", format_hex_bytes, - mp->local_integ_key, mp->local_integ_key_len, 0); - s = format (s, "remote-integ-key-len %d ", mp->remote_integ_key_len); - s = format (s, "remote-integ-key %U ", format_hex_bytes, - mp->remote_integ_key, mp->remote_integ_key_len, 0); - - if (mp->is_add == 0) - s = format (s, "del "); - - FINISH; -} - /* static u8 * */ /* format_nsh_address_vat (u8 * s, va_list * args) */ /* { */ @@ -3099,7 +3057,6 @@ _(IPSEC_INTERFACE_ADD_DEL_SPD, ipsec_interface_add_del_spd) \ _(IPSEC_SAD_ENTRY_ADD_DEL, ipsec_sad_entry_add_del) \ _(IPSEC_SPD_ADD_DEL, ipsec_spd_add_del) \ _(IPSEC_SPD_ENTRY_ADD_DEL, ipsec_spd_entry_add_del) \ -_(IPSEC_TUNNEL_IF_ADD_DEL, ipsec_tunnel_if_add_del) \ _(DELETE_SUBIF, delete_subif) \ _(L2_INTERFACE_PBB_TAG_REWRITE, l2_interface_pbb_tag_rewrite) \ _(SET_PUNT, set_punt) \ |