From d7fc12f07313f9147159f2562f6fcc928af7a963 Mon Sep 17 00:00:00 2001 From: Filip Tehlar Date: Fri, 30 Oct 2020 04:47:44 +0000 Subject: ikev2: add option to disable NAT traversal Type: feature Ticket: VPP-1935 Change-Id: I705f84047b112279377590157a1c7b4a34f693d2 Signed-off-by: Filip Tehlar --- src/plugins/ikev2/ikev2_test.c | 65 +++++++++++++++++++++++++++++------------- 1 file changed, 45 insertions(+), 20 deletions(-) (limited to 'src/plugins/ikev2/ikev2_test.c') diff --git a/src/plugins/ikev2/ikev2_test.c b/src/plugins/ikev2/ikev2_test.c index 81a222c0971..d9f5e2256b6 100644 --- a/src/plugins/ikev2/ikev2_test.c +++ b/src/plugins/ikev2/ikev2_test.c @@ -46,6 +46,7 @@ typedef struct vat_main_t *vat_main; } ikev2_test_main_t; +static const char *valid_chars = "a-zA-Z0-9_"; ikev2_test_main_t ikev2_test_main; uword @@ -191,6 +192,47 @@ format_ikev2_sa_transform (u8 * s, va_list * args) return s; } +static int +api_ikev2_profile_disable_natt (vat_main_t * vam) +{ + unformat_input_t *i = vam->input; + vl_api_ikev2_profile_disable_natt_t *mp; + u8 *name = 0; + int ret; + + while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) + { + if (unformat (i, "%U", unformat_token, valid_chars, &name)) + vec_add1 (name, 0); + else + { + errmsg ("parse error '%U'", format_unformat_error, i); + return -99; + } + } + + if (!vec_len (name)) + { + errmsg ("profile name must be specified"); + return -99; + } + + if (vec_len (name) > 64) + { + errmsg ("profile name too long"); + return -99; + } + + M (IKEV2_PROFILE_DISABLE_NATT, mp); + + clib_memcpy (mp->name, name, vec_len (name)); + vec_free (name); + + S (mp); + W (ret); + return ret; +} + static int api_ikev2_profile_dump (vat_main_t * vam) { 
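Review bot: The new file-scope `valid_chars` is a mutable pointer to const data and carries no comment, although every parser touched by this commit now reads it. Declaring it as `static const char valid_chars[] = "a-zA-Z0-9_";` keeps the object itself read-only. A short comment such as `/* character set unformat_token accepts for a profile name */` would record that this is the allow-list applied to names before they are copied into API messages; in the hunks shown it is only ever used for `name`.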
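Review bot: In `api_ikev2_profile_disable_natt` the guard `vec_len (name) > 64` is a bare literal, yet it is the only thing bounding `clib_memcpy (mp->name, name, vec_len (name))`. The declaration of `mp->name` is not part of this diff, so, assuming it is a fixed-size array, the bound is better taken from the destination: `if (vec_len (name) > sizeof (mp->name))`. The three early `return -99` paths also leave `name` allocated, and a `vec_free (name);` before each return would close that leak. Because `unformat_token` is called in a loop on the same vector, a second token appears to be appended after the first NUL rather than rejected, which is worth confirming.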
@@ -280,6 +322,9 @@ static void vl_api_ikev2_profile_details_t_handler if (p->udp_encap) fformat (vam->ofp, " udp-encap\n"); + if (p->natt_disabled) + fformat (vam->ofp, " NAT-T disabled\n"); + u32 ipsec_over_udp_port = clib_net_to_host_u16 (p->ipsec_over_udp_port); if (ipsec_over_udp_port != IPSEC_UDP_PORT_NONE) fformat (vam->ofp, " ipsec-over-udp port %d\n", ipsec_over_udp_port); @@ -674,8 +719,6 @@ api_ikev2_profile_add_del (vat_main_t * vam) u8 *name = 0; int ret; - const char *valid_chars = "a-zA-Z0-9_"; - while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "del")) @@ -723,8 +766,6 @@ api_ikev2_profile_set_auth (vat_main_t * vam) u8 is_hex = 0; int ret; - const char *valid_chars = "a-zA-Z0-9_"; - while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "name %U", unformat_token, valid_chars, &name)) @@ -794,8 +835,6 @@ api_ikev2_profile_set_id (vat_main_t * vam) ip_address_t ip; int ret; - const char *valid_chars = "a-zA-Z0-9_"; - while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "name %U", unformat_token, valid_chars, &name)) @@ -871,8 +910,6 @@ api_ikev2_profile_set_ts (vat_main_t * vam) u32 proto = 0, start_port = 0, end_port = (u32) ~ 0; ip_address_t start_addr, end_addr; u8 start_addr_set = 0, end_addr_set = 0; - - const char *valid_chars = "a-zA-Z0-9_"; int ret; while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) @@ -984,8 +1021,6 @@ api_ikev2_profile_set_udp_encap (vat_main_t * vam) int ret; u8 *name = 0; - const char *valid_chars = "a-zA-Z0-9_"; - while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "%U udp-encap", unformat_token, valid_chars, &name)) @@ -1035,8 +1070,6 @@ api_ikev2_set_responder (vat_main_t * vam) u32 sw_if_index = ~0; ip_address_t address; - const char *valid_chars = "a-zA-Z0-9_"; - while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat 
@@ -1084,8 +1117,6 @@ api_ikev2_set_ike_transforms (vat_main_t * vam) u8 *name = 0; u32 crypto_alg, crypto_key_size, integ_alg, dh_group; - const char *valid_chars = "a-zA-Z0-9_"; - while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "%U %d %d %d %d", unformat_token, valid_chars, &name, @@ -1134,8 +1165,6 @@ api_ikev2_set_esp_transforms (vat_main_t * vam) u8 *name = 0; u32 crypto_alg, crypto_key_size, integ_alg; - const char *valid_chars = "a-zA-Z0-9_"; - while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "%U %d %d %d", unformat_token, valid_chars, &name, @@ -1183,8 +1212,6 @@ api_ikev2_set_sa_lifetime (vat_main_t * vam) u64 lifetime, lifetime_maxdata; u32 lifetime_jitter, handover; - const char *valid_chars = "a-zA-Z0-9_"; - while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "%U %lu %u %u %lu", unformat_token, valid_chars, &name, @@ -1232,8 +1259,6 @@ api_ikev2_initiate_sa_init (vat_main_t * vam) int ret; u8 *name = 0; - const char *valid_chars = "a-zA-Z0-9_"; - while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT) { if (unformat (i, "%U", unformat_token, valid_chars, &name)) -- cgit 1.2.3-korg