path: root/src
Age | Commit message | Author | Files | Lines
2019-03-08 | session/tcp/vcl: fixes and optimizations | Florin Coras | 6 | -22/+56
Change-Id: Idc7dfe743399dd8dee0f6b3ec83f194f3fca580b Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-03-08 | tcp: fix window probes in fin-wait-1 | Florin Coras | 2 | -15/+10
Change-Id: Idf060f385f4d9b2f42fdab6a1d372727beb8b19e Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-03-08 | session: reorganize session fields | Florin Coras | 3 | -43/+25
Change-Id: I7f3b015ea6750c9773e4285bb63b0d44fa2177b9 Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-03-08 | updates now that flags are supported on the API | Neale Ranns | 2 | -7/+0
Change-Id: I9c45f390a6454c114f12f9c46c3a93fcecffa73f Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-07 | parse ethernet header in ct6_in2out | Dave Barach | 2 | -8/+30
fix a debug CLI scripting bug: cp_ip6_address_add_del_command_function ate any subsequent commands, yielding indigestion. Change-Id: Iaca7bed5687759da36ae91dc658e758549b71796 Signed-off-by: Dave Barach <dave@barachs.net>
2019-03-07 | vpp_papi: Adjust aenum import for python3. | Paul Vinciguerra | 2 | -4/+11
The stdlib introduced IntEnum in python 3.4 and IntFlag in python 3.6. Change-Id: I3ac278a9d5a97eefa9fc4f1491f0cd030e40c3b2 Signed-off-by: Paul Vinciguerra <pvinci@vinciconsulting.com>
2019-03-07 | Honor vnet_rewrite_data_t data_bytes == 0 | Dave Barach | 1 | -1/+15
Avoid the cache miss consequences of spraying [functionally harmless] junk into un-prefetched rewrite space. As things stand, several tunnel encap rewrites set rewrite data_bytes = 0, and take a performance hit due to unwanted speculative copying. Should be performance-neutral in speed-path cases, which won't execute the added check. Change-Id: Id83c0325e58c0f31631b4bae5a06457dfc7ed567 Signed-off-by: Dave Barach <dave@barachs.net>
2019-03-07 | Fix typo in feature arc constraint | Dave Barach | 1 | -3/+3
Also, increase ip6 address field width in "show ip6 conn verbose" output Change-Id: If7d1bcd439d94a22d1f1c6c1298cb30aba13d0a2 Signed-off-by: Dave Barach <dave@barachs.net>
2019-03-07 | assign flood_class to vnet_sw_interface_t template in subif api handle function | Joe Zhou | 1 | -0/+2
Change-Id: I352f4a4adcf8771c21530657efcaecb532416612 Signed-off-by: Joe Zhou <zhouyoucn@qq.com>
2019-03-07 | Remove local REPLY_MACRO so that socket transport works. | Ole Troan | 4 | -133/+8
memif, lacp, nsh and cdp used local REPLY_MACROs. Remove and use those in api_helper.h Change-Id: Ib01d6ae5cff0b6f1cef90996a54b3177f0c53463 Signed-off-by: Ole Troan <ot@cisco.com>
2019-03-07 | ipsec: cli bug fixes | Kingwel Xie | 2 | -5/+9
1. fix wrong assignment of lik/rik 2. keys initialized to 0, to avoid using random data in stack. could cause memory overlapped then crash 3. show sa->id in hex format Change-Id: Id0430aa49bb55c27cee4f97f8c0e4ec87515dcd2 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-03-07 | API: Add python2.7 support for enum flags via aenum | Ole Troan | 3 | -5/+8
Change-Id: I77a43bfb37d827727c331cd65eee77536cc15953 Signed-off-by: Ole Troan <ot@cisco.com>
2019-03-07 | BIER: trace then drop. MPLS: trace the drops | Neale Ranns | 2 | -3/+46
Change-Id: I952e6aec6487270a79c4d92cfe828cc55d42d536 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-07 | gdb-helper: add gdb_show_traces | Kingwel Xie | 1 | -0/+74
gdb_show_traces() dumps buffer traces. Ease gdb debugging when vpp crashed... Change-Id: Ib24314832386ee4defc2d31cbb4c05d293fb3338 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-03-07 | classify: migrate old MULTIARCH macros to VLIB_NODE_FN | Filip Tehlar | 3 | -26/+21
Change-Id: I01730ec9eb8033074c8710daf0848c3573293aeb Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-07 | policer: migrate old MULTIARCH macros to VLIB_NODE_FN | Filip Tehlar | 2 | -26/+23
Change-Id: I88d2632fa451dbafbc212dd142a67fe5ec4cd610 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-07 | vlibmemory: coverity woes | Steven Luong | 1 | -1/+1
Coverity complains about resource leak after open when fd gets 0 with below warning. off_by_one: Testing whether handle tfd is strictly greater than zero is suspicious. tfd leaks when it is zero. It is right. 0 is a valid fd. -1 is not. Change-Id: I22c2eb75b99bb6209921b9f874190cbbdf10e6ce Signed-off-by: Steven Luong <sluong@cisco.com>
2019-03-07 | Add VAT support for LB | Hongjun Ni | 2 | -60/+179
Change-Id: I61d8c35f48a059968909fc8523bd313fc4799389 Signed-off-by: Hongjun Ni <hongjun.ni@intel.com>
2019-03-07 | session/tls: remove unused t_app_index field | Florin Coras | 3 | -7/+0
Change-Id: Idbf7f3a57dc399798b8dba9463daeb7d66470ab1 Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-03-07 | ipsec: ipsec-if optimizations & bug fixes | Kingwel Xie | 2 | -254/+309
1. changed to vlib_buffer_enqueue_to_next 2. error counter fixes; stats added to last_sw_if_index when interface changed 3. udp-encap support Change-Id: I70b0814aa37181fea4d70fa3c96c608adb5afe49 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-03-07 | session: use transport custom tx for app transports | Florin Coras | 5 | -24/+31
Change-Id: I675f7090fa6b2ffdfb4ee748df858bfb7e39ce5a Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-03-07 | session: cleanup instances of deprecated io evts | Florin Coras | 3 | -7/+7
Change-Id: Iad119e05ae5e570fbfcf66747c95822cee647c99 Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-03-06 | sctp chunk_len fix | Sirshak das | 1 | -2/+4
total_length_not_including_first_buffer should only be used when VLIB_BUFFER_TOTAL_LENGTH_VALID is set, if not it uses stale data from previous session_chain_tail calculation to set data/chunk len. Change-Id: I9802341e522cf9b18d0aef817f0047b76945782e Signed-off-by: Sirshak Das <sirshak.das@arm.com> Reviewed-by: Honnappa Nagarahalli <honnappa.nagarahalli@arm.com>
2019-03-06 | session: use session index instead of fifo for evt | Florin Coras | 10 | -105/+73
Avoids dereferencing fifo pointers whose segments could have been unmapped. Change-Id: Ifb0b7399e424f145f3f94b769391a6f4e31bb4e6 Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-03-06 | udp: migrate old MULTIARCH macros to VLIB_NODE_FN | Filip Tehlar | 5 | -27/+25
Change-Id: I2b324c77df2685a0bdfb617fb484022daf017d0b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-06 | session: use vpp to switch io events for ct sessions | Florin Coras | 16 | -606/+257
Instead of allocating pairs of message queues per cut-thru session and having the applications map them, this uses vpp as an io event message switch. Change-Id: I51db1c7564df479a7d1a3288342394251fd188bb Signed-off-by: Florin Coras <fcoras@cisco.com>
2019-03-06 | ipv6 connection tracking plugin | Dave Barach | 9 | -0/+1706
A security feature: drop unsolicited global unicast traffic. Change-Id: I421da7d52e08b7acf40c62a1f6e2a6caac349e7e Signed-off-by: Dave Barach <dave@barachs.net>
2019-03-06 | tcp: migrate old MULTIARCH macros to VLIB_NODE_FN | Filip Tehlar | 5 | -109/+83
Change-Id: Ifd9fa30eed343e2c5d40582b3e3aa589b070637d Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-06 | ipsec: esp-encrypt and esp-decrypt cleanup | Damjan Marion | 4 | -558/+447
Change-Id: I1e431aa36a282ca7565c6618a940d591674b8cd2 Signed-off-by: Damjan Marion <damarion@cisco.com>
2019-03-06 | GBP: use sclass in the DP for policy | Neale Ranns | 33 | -693/+207
Change-Id: I154e18f22ec7708127b8ade98e80546ab1dcd05b Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-06 | interface: migrate old MULTIARCH macros to VLIB_NODE_FN | Filip Tehlar | 3 | -34/+32
Change-Id: Ib92e338d0becbfbc38e6b9f34f262df76b63eead Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-06 | cop: migrate old MULTIARCH macros to VLIB_NODE_FN | Filip Tehlar | 4 | -21/+9
Change-Id: Ic0c9c50376ceb0ff4e2d5e52e13b6506e68adf4b Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-06 | vxlan*: migrate old MULTIARCH macros to VLIB_NODE_FN | Filip Tehlar | 5 | -80/+85
Change-Id: Ide23bb3d82024118214902850821a8184fe65dfc Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-06 | vmbus: fix bug that breaks multiple netvsc vdevs | Matthew Smith | 1 | -2/+2
VPP supports two DPDK drivers for managing netvsc devices on Azure/Hyper-V. The new netvsc PMD looks a lot like other PCI-based PMDs but it requires recently added kernel support (>=4.17). The older vdev_netvsc is an abstraction that manages the mlx4 VF and tap device underlying the netvsc interface using the failsafe PMD. Distros with older kernels (e.g. RHEL/CentOS 7.x) have to use vdev_netvsc. At startup, netvsc devices are processed and an attempt is made to initialize them for management by the netvsc PMD. If that fails, then vlib_vmbus_bind_to_uio() returns early and the device can be initialized for management by vdev_netvsc. The operation that is supposed to fail if the netvsc PMD cannot be used is registration of the netvsc device type ID with the uio_hv_generic driver. This operation is attempted exactly once so it does not fail for netvsc devices processed after the first one and they end up in a state where they cannot be initialized for use by vdev_netvsc. Only unset uio_new_id_needed if uio_hv_generic registration succeeds. Change-Id: I6be925d422b87ed24e0f4611304cc3a6b07a34fd Signed-off-by: Matthew Smith <mgsmith@netgate.com>
2019-03-06 | span: migrate old MULTIARCH macros to VLIB_NODE_FN | Filip Tehlar | 2 | -30/+17
Change-Id: I5c671d8af8d528eae625001d4755db8ef61f00b2 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-06 | geneve: migrate old MULTIARCH macros to VLIB_NODE_FN | Filip Tehlar | 5 | -57/+49
Change-Id: Ie7b201b2742e0051b249acc011f609905bc178c8 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-06 | ipip: migrate old MULTIARCH macros to VLIB_NODE_FN | Filip Tehlar | 2 | -11/+9
Change-Id: I9c05225b71b60dc2b419a96daeb71d89757aef98 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-06 | sctp: migrate old MULTIARCH macros to VLIB_NODE_FN | Filip Tehlar | 6 | -452/+449
Change-Id: I7248a94977fe11bbe58db53d7ca8ae8c582e7305 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-06 | ip: coverity woes | Steven Luong | 1 | -4/+4
coverity complains about logically dead code for the statement if (error) because error was assigned to 0 prior to the check. I believe error was meant to get the return status of the call vnet_punt_socket_add. Change-Id: I794167493f63cb898d3618c2c28817823f46b765 Signed-off-by: Steven Luong <sluong@cisco.com>
2019-03-06 | vlib: coverity woes | Steven Luong | 1 | -2/+1
Remove logically dead code to keep coverity from complaining Change-Id: If27d6684d19ab3c8886732a67922c86e5f0b3554 Signed-off-by: Steven Luong <sluong@cisco.com>
2019-03-06 | IPSEC: tunnel encap/decap dual loop speedups | Neale Ranns | 3 | -89/+255
baseline: ipsec0-tx 1.27e1 ipsec-if-input 8.19e1 this change: ipsec0-tx 6.17e0 ipsec-if-input 6.39e1 this also fixes the double tunnel TX counts by removing the duplicate from the TX node. Change-Id: Ie4608acda08dc653b6fb9e2c85185d83625efd40 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-06 | GBP: format EPG retention policy | Neale Ranns | 1 | -1/+12
Change-Id: I17826cfa9a27dc241e07988bf0bbaf9eca9ae525 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-06 | GBP: learn from ARP and L2 packets | Neale Ranns | 9 | -19/+69
Change-Id: I8af7bca566ec7c9bd2b72529d49e04c6e649b44a Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-06 | punt.c -- coverity woes | Steven Luong | 1 | -9/+0
Coverity complains about identical code is executed for if and else branch. Clean them up by removing the useless code. Change-Id: Ie53f1dff055440ab2c3c3d2ea91edb1e50204b38 Signed-off-by: Steven Luong <sluong@cisco.com>
2019-03-05 | ipsec: cleanup, remove unnecessary code, | Kingwel Xie | 5 | -13/+7
ipsec_proto_main moved to ipsec.c fix missing '\0' of backend name Change-Id: I90760b3045973a46792c2f098d9b0b1b3d209ad0 Signed-off-by: Kingwel Xie <kingwel.xie@ericsson.com>
2019-03-05 | VXLAN-GBP: decap checks src,dst&VNI for unicast, then checks only dst&VNI for multicast | Neale Ranns | 2 | -71/+62
Change-Id: I17caf3c5a2060de497c44655b66a15a2007f716b Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-05 | GBP: format include EPG index | Neale Ranns | 1 | -1/+2
Change-Id: I1789a4ea44cfc6a11ad8750074ffcf14c4ab8712 Signed-off-by: Neale Ranns <nranns@cisco.com>
2019-03-05 | bier: migrate old MULTIARCH macros to VLIB_NODE_FN | Filip Tehlar | 4 | -16/+10
Change-Id: I561591c7d31ec66dfa0a1d7ef66bcf1d0c70f07c Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-05 | qos: migrate old MULTIARCH macros to VLIB_NODE_FN | Filip Tehlar | 5 | -703/+735
Change-Id: I4dc77979594de0b6a21644ea0a982085c6386010 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
2019-03-05 | mpls: migrate old MULTIARCH macros to VLIB_NODE_FN | Filip Tehlar | 6 | -55/+31
Change-Id: I8c5f7cda655e3343d50a96d714796ea4255588b6 Signed-off-by: Filip Tehlar <ftehlar@cisco.com>