From 6ba4e41d33ffda2596d9d4b3a1d7fdd3c9a6b870 Mon Sep 17 00:00:00 2001
From: Neale Ranns
Date: Mon, 19 Oct 2020 09:59:41 +0000
Subject: ipsec: support for multipoint on ipsec interfaces
Type: feature
Signed-off-by: Neale Ranns
Change-Id: Iae9fe35cfbce4c675fa25e0800c0f4629a83e012
---
 src/vnet/gre/interface.c | 2 +-
 src/vnet/ipsec/ipsec_format.c | 15 +++++++++++++++
 src/vnet/ipsec/ipsec_itf.c | 45 +++++++++++++++++++++++++++++++++++++++----
 src/vnet/ipsec/ipsec_itf.h | 4 ++++
 src/vnet/ipsec/ipsec_tun.c | 5 +++--
 5 files changed, 64 insertions(+), 7 deletions(-)
(limited to 'src/vnet')
diff --git a/src/vnet/gre/interface.c b/src/vnet/gre/interface.c
index 92e4f7469ac..ad0efde4345 100644
--- a/src/vnet/gre/interface.c
+++ b/src/vnet/gre/interface.c
@@ -202,7 +202,7 @@ gre_teib_mk_key (const gre_tunnel_t * t,
 }
 /**
- * An NHRP entry has been added
+ * An TEIB entry has been added
 */
 static void
 gre_teib_entry_added (const teib_entry_t * ne)
diff --git a/src/vnet/ipsec/ipsec_format.c b/src/vnet/ipsec/ipsec_format.c
index 8fdc844aec3..6781fe580c1 100644
--- a/src/vnet/ipsec/ipsec_format.c
+++ b/src/vnet/ipsec/ipsec_format.c
@@ -23,6 +23,7 @@
 #include
 #include
+#include
 u8 *
 format_ipsec_policy_action (u8 * s, va_list * args)
@@ -427,6 +428,20 @@ format_ipsec6_tunnel_kv (u8 * s, va_list * args)
 return (s);
 }
+u8 *
+format_ipsec_itf (u8 * s, va_list * a)
+{
+ index_t ii = va_arg (*a, index_t);
+ ipsec_itf_t *itf;
+
+ itf = ipsec_itf_get (ii);
+ s = format (s, "[%d] %U %U",
+ ii, format_vnet_sw_if_index_name, vnet_get_main (),
+ itf->ii_sw_if_index, format_tunnel_mode, itf->ii_mode);
+
+ return (s);
+}
+
 /*
 * fd.io coding-style-patch-verification: ON
 *
diff --git a/src/vnet/ipsec/ipsec_itf.c b/src/vnet/ipsec/ipsec_itf.c
index 46095ce07fe..ff06a579f2e 100644
--- a/src/vnet/ipsec/ipsec_itf.c
+++ b/src/vnet/ipsec/ipsec_itf.c
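Review bot: The reworded comment says `An TEIB entry has been added`; "TEIB" starts with a consonant sound, so the article should be `A TEIB entry has been added`. The function this comment heads, gre_teib_entry_added, has its body outside the hunk.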
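Review bot: format_ipsec_itf dereferences whatever ipsec_itf_get returns for the index it is handed, and the only caller visible in this patch is the pool_foreach_index loop in the new show command, so the function is safe only as long as it never receives a stale or out-of-range index; that precondition should be written down above it, e.g. `/** Format an IPSec interface as "[index] <sw-if-name> <mode>"; ii must be a live ipsec_itf_pool index, it is not validated here. */`. The `[%d]` conversion is applied to an index_t, which is a u32 typedef in vppinfra as far as I recall, so a large index would print as negative; `"[%u] %U %U"` matches the type. The ii_mode field printed here is presumably populated by ipsec_itf_create, but that assignment is not in this diff, so it is worth confirming it exists or the show output will report garbage for multipoint interfaces.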
@@ -29,6 +29,12 @@
 static ipsec_itf_t *ipsec_itf_pool;
 static u32 *ipsec_itf_index_by_sw_if_index;
+ipsec_itf_t *
+ipsec_itf_get (index_t ii)
+{
+ return (pool_elt_at_index (ipsec_itf_pool, ii));
+}
+
 static ipsec_itf_t *
 ipsec_itf_find_by_sw_if_index (u32 sw_if_index)
 {
@@ -197,6 +203,11 @@ VNET_HW_INTERFACE_CLASS(ipsec_hw_interface_class) = {
 .update_adjacency = ipsec_itf_update_adj,
 .flags = VNET_HW_INTERFACE_CLASS_FLAG_P2P,
 };
+VNET_HW_INTERFACE_CLASS(ipsec_p2mp_hw_interface_class) = {
+ .name = "IPSec",
+ .build_rewrite = ipsec_itf_build_rewrite_i,
+ .update_adjacency = ipsec_itf_update_adj,
+};
 /* *INDENT-ON* */
 /*
@@ -276,9 +287,6 @@ ipsec_itf_create (u32 user_instance, tunnel_mode_t mode, u32 * sw_if_indexp)
 *sw_if_indexp = (u32) ~ 0;
- if (mode != TUNNEL_MODE_P2P)
- return VNET_API_ERROR_UNSUPPORTED;
-
 /*
 * Allocate a ipsec_itf instance. Either select on dynamically
 * or try to use the desired user_instance number.
@@ -298,7 +306,9 @@ ipsec_itf_create (u32 user_instance, tunnel_mode_t mode, u32 * sw_if_indexp)
 hw_if_index = vnet_register_interface (vnm, ipsec_itf_device_class.index,
 ipsec_itf->ii_user_instance,
- ipsec_hw_interface_class.index,
+ (mode == TUNNEL_MODE_P2P ?
+ ipsec_hw_interface_class.index :
+ ipsec_p2mp_hw_interface_class.index),
 t_idx);
 hi = vnet_get_hw_interface (vnm, hw_if_index);
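Review bot: ipsec_itf_get is exported through ipsec_itf.h yet does no validation of ii before pool_elt_at_index, so any future caller that passes an API-supplied or stale index reads past the pool in release builds (the pool macros only assert in debug builds, as far as I recall). Either document the contract at the definition, `/* ii must be a live index into ipsec_itf_pool; callers validate API-supplied indices first */`, or make the lookup defensive with vppinfra's free-index check, `if (pool_is_free_index (ipsec_itf_pool, ii)) return NULL;`, and have format_ipsec_itf handle a NULL result.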
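Review bot: The new class registers with `.name = "IPSec"`; the existing p2p class's .name is outside the hunk, but if it is also "IPSec" the two hardware interface classes become indistinguishable wherever the class name is displayed or used as a lookup key, so a distinct name such as `.name = "IPSec-MP"` would be safer. Leaving .flags unset, so this class is not marked VNET_HW_INTERFACE_CLASS_FLAG_P2P like its sibling, is the whole point of the second class and deserves a line saying so: `/* multipoint variant of ipsec_hw_interface_class: no VNET_HW_INTERFACE_CLASS_FLAG_P2P */`.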
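Review bot: The removed guard was the only check on mode in ipsec_itf_create and the hunk replaces it with nothing, so every value other than TUNNEL_MODE_P2P, including an out-of-range one arriving via the binary API, now silently creates a multipoint interface further down where the class is selected. Replace the guard with one that admits exactly the two modes the function handles, `if (mode != TUNNEL_MODE_P2P && mode != TUNNEL_MODE_MP) return VNET_API_ERROR_UNSUPPORTED;`, assuming TUNNEL_MODE_MP is the multipoint enumerator in tunnel_types.h. ipsec_itf_create starts before and ends after this hunk.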
@@ -450,6 +460,33 @@ VLIB_CLI_COMMAND (ipsec_itf_delete_command, static) = {
 };
 /* *INDENT-ON* */
+static clib_error_t *
+ipsec_interface_show (vlib_main_t * vm,
+ unformat_input_t * input, vlib_cli_command_t * cmd)
+{
+ index_t ii;
+
+ /* *INDENT-OFF* */
+ pool_foreach_index (ii, ipsec_itf_pool,
+ ({
+ vlib_cli_output (vm, "%U", format_ipsec_itf, ii);
+ }));
+ /* *INDENT-ON* */
+
+ return NULL;
+}
+
+/**
+ * show IPSEC tunnel protection hash tables
+ */
+/* *INDENT-OFF* */
+VLIB_CLI_COMMAND (ipsec_interface_show_node, static) =
+{
+ .path = "show ipsec interface",
+ .function = ipsec_interface_show,
+ .short_help = "show ipsec interface",
+};
+/* *INDENT-ON* */
 /*
 * fd.io coding-style-patch-verification: ON
diff --git a/src/vnet/ipsec/ipsec_itf.h b/src/vnet/ipsec/ipsec_itf.h
index 93e03f7b477..ab317e10332 100644
--- a/src/vnet/ipsec/ipsec_itf.h
+++ b/src/vnet/ipsec/ipsec_itf.h
@@ -106,6 +106,10 @@ extern int ipsec_itf_delete (u32 sw_if_index);
 extern void ipsec_itf_adj_stack (adj_index_t ai, u32 sai);
 extern void ipsec_itf_adj_unstack (adj_index_t ai);
+extern u8 *format_ipsec_itf (u8 * s, va_list * a);
+
+extern ipsec_itf_t *ipsec_itf_get (index_t ii);
+
 /*
 * fd.io coding-style-patch-verification: ON
 *
diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index c4c8fa7d262..9116df5d7e3 100644
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -732,8 +732,9 @@ ipsec_tun_protect_update (u32 sw_if_index,
 if (ip46_address_is_zero (&itp->itp_tun.src))
 {
- /* must be one of thos pesky ipsec interfaces that has no encap.
- * the encap then MUST comefrom the tunnel mode SA.
+ /*
+ * must be one of those pesky ipsec interfaces that has no encap.
+ * the encap then MUST come from the tunnel mode SA.
 */
 ipsec_sa_t *sa;
-- 
cgit 1.2.3-korg
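Review bot: The Doxygen comment above ipsec_interface_show_node, `show IPSEC tunnel protection hash tables`, describes a different command; this one walks ipsec_itf_pool and prints one line per interface, so it should read `/** show the IPSec interfaces in ipsec_itf_pool */`. ipsec_interface_show also never reads input, so `show ipsec interface anything` silently ignores the trailing text; if that is not intended, reject leftover input with unformat before the loop and return a clib_error for it.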
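Review bot: The two new declarations carry no documentation, and the one that needs it is ipsec_itf_get, because nothing in its signature says the pool index is looked up without validation. Add `/** Format an IPSec interface by pool index as "[index] <sw-if-name> <tunnel-mode>". */` above format_ipsec_itf and `/** Return the interface at pool index ii; ii must be a live index, no validation is done. */` above ipsec_itf_get, matching the format string and the pool_elt_at_index lookup in ipsec_itf.c.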