ikev2: support ipv6 traffic selectors & overlay

Ticket: VPP-1917
Type: feature

Change-Id: Ie9f22e7336aa7807b1967c48de9843df10fb575c
Signed-off-by: Filip Tehlar <ftehlar@cisco.com>
Filip Tehlar
2020-09-08 06:08:05 +00:00
committed by Beno�t Ganne
parent 7b4e52f88f
commit 84962d19ba
11 changed files with 695 additions and 380 deletions
+1 -1
@@ -264,7 +264,7 @@ autoreply define ikev2_profile_set_ts
string name[64];
vl_api_ikev2_ts_t ts;
option vat_help = "name <profile_name> protocol <proto> start_port <port> end_port <port> start_addr <ip4> end_addr <ip4> (local|remote)";
option vat_help = "name <profile_name> protocol <proto> start_port <port> end_port <port> start_addr <ip> end_addr <ip> (local|remote)";
option status="in_progress";
};
+358 -170
File diff suppressed because it is too large Load Diff
+9 -3
@@ -369,6 +369,12 @@ typedef enum
#undef _
} ikev2_id_type_t;
typedef enum
{
TS_IPV4_ADDR_RANGE = 7,
TS_IPV6_ADDR_RANGE = 8,
} ikev2_traffic_selector_type_t;
clib_error_t *ikev2_init (vlib_main_t * vm);
clib_error_t *ikev2_set_local_key (vlib_main_t * vm, u8 * file);
clib_error_t *ikev2_add_del_profile (vlib_main_t * vm, u8 * name, int is_add);
@@ -379,11 +385,11 @@ clib_error_t *ikev2_set_profile_id (vlib_main_t * vm, u8 * name,
u8 id_type, u8 * data, int is_local);
clib_error_t *ikev2_set_profile_ts (vlib_main_t * vm, u8 * name,
u8 protocol_id, u16 start_port,
u16 end_port, ip4_address_t start_addr,
ip4_address_t end_addr, int is_local);
u16 end_port, ip_address_t start_addr,
ip_address_t end_addr, int is_local);
clib_error_t *ikev2_set_profile_responder (vlib_main_t * vm, u8 * name,
u32 sw_if_index,
ip4_address_t ip4);
ip_address_t addr);
clib_error_t *ikev2_set_profile_ike_transforms (vlib_main_t * vm, u8 * name,
ikev2_transform_encr_type_t
crypto_alg,
+11 -11
@@ -98,8 +98,8 @@ cp_ts (vl_api_ikev2_ts_t * vl_api_ts, ikev2_ts_t * ts, u8 is_local)
vl_api_ts->protocol_id = ts->protocol_id;
vl_api_ts->start_port = ts->start_port;
vl_api_ts->end_port = ts->end_port;
ip4_address_encode (&ts->start_addr, vl_api_ts->start_addr);
ip4_address_encode (&ts->end_addr, vl_api_ts->end_addr);
ip_address_encode2 (&ts->start_addr, &vl_api_ts->start_addr);
ip_address_encode2 (&ts->end_addr, &vl_api_ts->end_addr);
}
static void
@@ -116,7 +116,7 @@ cp_responder (vl_api_ikev2_responder_t * vl_api_responder,
ikev2_responder_t * responder)
{
vl_api_responder->sw_if_index = responder->sw_if_index;
ip4_address_encode (&responder->ip4, vl_api_responder->ip4);
ip_address_encode2 (&responder->addr, &vl_api_responder->addr);
}
void
@@ -208,8 +208,8 @@ send_sa (ikev2_sa_t * sa, vl_api_ikev2_sa_dump_t * mp, u32 api_sa_index)
vl_api_ikev2_keys_t* k = &rsa->keys;
rsa->profile_index = rsa->profile_index;
rsa->sa_index = api_sa_index;
ip4_address_encode (&sa->iaddr, rsa->iaddr);
ip4_address_encode (&sa->raddr, rsa->raddr);
ip_address_encode2 (&sa->iaddr, &rsa->iaddr);
ip_address_encode2 (&sa->raddr, &rsa->raddr);
rsa->ispi = sa->ispi;
rsa->rspi = sa->rspi;
cp_id(&rsa->i_id, &sa->i_id);
@@ -593,9 +593,9 @@ vl_api_ikev2_profile_set_ts_t_handler (vl_api_ikev2_profile_set_ts_t * mp)
vlib_main_t *vm = vlib_get_main ();
clib_error_t *error;
u8 *tmp = format (0, "%s", mp->name);
ip4_address_t start_addr, end_addr;
ip4_address_decode (mp->ts.start_addr, &start_addr);
ip4_address_decode (mp->ts.end_addr, &end_addr);
ip_address_t start_addr, end_addr;
ip_address_decode2 (&mp->ts.start_addr, &start_addr);
ip_address_decode2 (&mp->ts.end_addr, &end_addr);
error =
ikev2_set_profile_ts (vm, tmp, mp->ts.protocol_id,
clib_net_to_host_u16 (mp->ts.start_port),
@@ -642,11 +642,11 @@ vl_api_ikev2_set_responder_t_handler (vl_api_ikev2_set_responder_t * mp)
clib_error_t *error;
u8 *tmp = format (0, "%s", mp->name);
ip4_address_t ip4;
ip4_address_decode (mp->responder.ip4, &ip4);
ip_address_t ip;
ip_address_decode2 (&mp->responder.addr, &ip);
u32 sw_if_index = clib_net_to_host_u32 (mp->responder.sw_if_index);
error = ikev2_set_profile_responder (vm, tmp, sw_if_index, ip4);
error = ikev2_set_profile_responder (vm, tmp, sw_if_index, ip);
vec_free (tmp);
if (error)
rv = VNET_API_ERROR_UNSPECIFIED;
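Review bot: In vl_api_ikev2_profile_set_ts_t_handler, `start_addr` and `end_addr` are declared without an initializer and filled only by `ip_address_decode2`, and nothing visible rejects a request whose two addresses belong to different families. If the decoder leaves its output untouched for an address-family value it does not recognise (worth confirming), the handler would pass uninitialized stack bytes on to ikev2_set_profile_ts. I would declare them as `ip_address_t start_addr = { 0 }, end_addr = { 0 };` and return an error when `ip_addr_version (&start_addr) != ip_addr_version (&end_addr)`, unless ikev2_set_profile_ts already checks this in the suppressed diff. The same initialization point applies to `ip` in vl_api_ikev2_set_responder_t_handler. Both handler bodies extend beyond their hunks.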
+28 -34
@@ -55,8 +55,8 @@ format_ikev2_traffic_selector (u8 * s, va_list * va)
s = format (s, "%u type %u protocol_id %u addr "
"%U - %U port %u - %u\n",
index, ts->ts_type, ts->protocol_id,
format_ip4_address, &ts->start_addr,
format_ip4_address, &ts->end_addr,
format_ip_address, &ts->start_addr,
format_ip_address, &ts->end_addr,
clib_net_to_host_u16 (ts->start_port),
clib_net_to_host_u16 (ts->end_port));
return s;
@@ -127,8 +127,8 @@ format_ikev2_sa (u8 * s, va_list * va)
u32 indent = 1;
s = format (s, "iip %U ispi %lx rip %U rspi %lx",
format_ip4_address, &sa->iaddr, sa->ispi,
format_ip4_address, &sa->raddr, sa->rspi);
format_ip_address, &sa->iaddr, sa->ispi,
format_ip_address, &sa->raddr, sa->rspi);
if (!details)
return s;
@@ -279,11 +279,9 @@ ikev2_profile_add_del_command_fn (vlib_main_t * vm,
u8 *data = 0;
u32 tmp1, tmp2, tmp3;
u64 tmp4, tmp5;
ip4_address_t ip4;
ip4_address_t end_addr;
ip_address_t ip, end_addr;
u32 responder_sw_if_index = (u32) ~ 0;
u32 tun_sw_if_index = (u32) ~ 0;
ip4_address_t responder_ip4;
ikev2_transform_encr_type_t crypto_alg;
ikev2_transform_integ_type_t integ_alg;
ikev2_transform_dh_type_t dh_type;
@@ -333,10 +331,10 @@ ikev2_profile_add_del_command_fn (vlib_main_t * vm,
else if (unformat (line_input, "set %U id local %U %U",
unformat_ikev2_token, &name,
unformat_ikev2_id_type, &id_type,
unformat_ip4_address, &ip4))
unformat_ip_address, &ip))
{
data = vec_new (u8, 4);
clib_memcpy (data, ip4.as_u8, 4);
data = vec_new (u8, ip_address_size (&ip));
clib_memcpy (data, ip_addr_bytes (&ip), ip_address_size (&ip));
r =
ikev2_set_profile_id (vm, name, (u8) id_type, data, /*local */ 1);
goto done;
@@ -361,10 +359,10 @@ ikev2_profile_add_del_command_fn (vlib_main_t * vm,
else if (unformat (line_input, "set %U id remote %U %U",
unformat_ikev2_token, &name,
unformat_ikev2_id_type, &id_type,
unformat_ip4_address, &ip4))
unformat_ip_address, &ip))
{
data = vec_new (u8, 4);
clib_memcpy (data, ip4.as_u8, 4);
data = vec_new (u8, ip_address_size (&ip));
clib_memcpy (data, ip_addr_bytes (&ip), ip_address_size (&ip));
r = ikev2_set_profile_id (vm, name, (u8) id_type, data, /*remote */
0);
goto done;
@@ -389,36 +387,32 @@ ikev2_profile_add_del_command_fn (vlib_main_t * vm,
else if (unformat (line_input, "set %U traffic-selector local "
"ip-range %U - %U port-range %u - %u protocol %u",
unformat_ikev2_token, &name,
unformat_ip4_address, &ip4,
unformat_ip4_address, &end_addr,
&tmp1, &tmp2, &tmp3))
unformat_ip_address, &ip,
unformat_ip_address, &end_addr, &tmp1, &tmp2, &tmp3))
{
r =
ikev2_set_profile_ts (vm, name, (u8) tmp3, (u16) tmp1, (u16) tmp2,
ip4, end_addr, /*local */ 1);
ip, end_addr, /*local */ 1);
goto done;
}
else if (unformat (line_input, "set %U traffic-selector remote "
"ip-range %U - %U port-range %u - %u protocol %u",
unformat_ikev2_token, &name,
unformat_ip4_address, &ip4,
unformat_ip4_address, &end_addr,
&tmp1, &tmp2, &tmp3))
unformat_ip_address, &ip,
unformat_ip_address, &end_addr, &tmp1, &tmp2, &tmp3))
{
r =
ikev2_set_profile_ts (vm, name, (u8) tmp3, (u16) tmp1, (u16) tmp2,
ip4, end_addr, /*remote */ 0);
ip, end_addr, /*remote */ 0);
goto done;
}
else if (unformat (line_input, "set %U responder %U %U",
unformat_ikev2_token, &name,
unformat_vnet_sw_interface, vnm,
&responder_sw_if_index, unformat_ip4_address,
&responder_ip4))
&responder_sw_if_index, unformat_ip_address, &ip))
{
r =
ikev2_set_profile_responder (vm, name, responder_sw_if_index,
responder_ip4);
ikev2_set_profile_responder (vm, name, responder_sw_if_index, ip);
goto done;
}
else if (unformat (line_input, "set %U tunnel %U",
@@ -565,7 +559,7 @@ show_ikev2_profile_command_fn (vlib_main_t * vm,
if (p->loc_id.type == IKEV2_ID_TYPE_ID_IPV4_ADDR)
vlib_cli_output(vm, " local id-type %U data %U",
format_ikev2_id_type, p->loc_id.type,
format_ip4_address, p->loc_id.data);
format_ip_address, p->loc_id.data);
else if (p->loc_id.type == IKEV2_ID_TYPE_ID_KEY_ID)
vlib_cli_output(vm, " local id-type %U data 0x%U",
format_ikev2_id_type, p->loc_id.type,
@@ -581,7 +575,7 @@ show_ikev2_profile_command_fn (vlib_main_t * vm,
if (p->rem_id.type == IKEV2_ID_TYPE_ID_IPV4_ADDR)
vlib_cli_output(vm, " remote id-type %U data %U",
format_ikev2_id_type, p->rem_id.type,
format_ip4_address, p->rem_id.data);
format_ip_address, p->rem_id.data);
else if (p->rem_id.type == IKEV2_ID_TYPE_ID_KEY_ID)
vlib_cli_output(vm, " remote id-type %U data 0x%U",
format_ikev2_id_type, p->rem_id.type,
@@ -592,19 +586,19 @@ show_ikev2_profile_command_fn (vlib_main_t * vm,
format_ikev2_id_type, p->rem_id.type, p->rem_id.data);
}
if (p->loc_ts.end_addr.as_u32)
if (!ip_address_is_zero (&p->loc_ts.start_addr))
vlib_cli_output(vm, " local traffic-selector addr %U - %U port %u - %u"
" protocol %u",
format_ip4_address, &p->loc_ts.start_addr,
format_ip4_address, &p->loc_ts.end_addr,
format_ip_address, &p->loc_ts.start_addr,
format_ip_address, &p->loc_ts.end_addr,
p->loc_ts.start_port, p->loc_ts.end_port,
p->loc_ts.protocol_id);
if (p->rem_ts.end_addr.as_u32)
if (!ip_address_is_zero (&p->rem_ts.start_addr))
vlib_cli_output(vm, " remote traffic-selector addr %U - %U port %u - %u"
" protocol %u",
format_ip4_address, &p->rem_ts.start_addr,
format_ip4_address, &p->rem_ts.end_addr,
format_ip_address, &p->rem_ts.start_addr,
format_ip_address, &p->rem_ts.end_addr,
p->rem_ts.start_port, p->rem_ts.end_port,
p->rem_ts.protocol_id);
if (~0 != p->tun_itf)
@@ -613,7 +607,7 @@ show_ikev2_profile_command_fn (vlib_main_t * vm,
if (~0 != p->responder.sw_if_index)
vlib_cli_output(vm, " responder %U %U",
format_vnet_sw_if_index_name, vnet_get_main(), p->responder.sw_if_index,
format_ip4_address, &p->responder.ip4);
format_ip_address, &p->responder.addr);
if (p->udp_encap)
vlib_cli_output(vm, " udp-encap");
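Review bot: In show_ikev2_profile_command_fn the local and remote id branches now pass `p->loc_id.data` and `p->rem_id.data` to `format_ip_address`, but every other call in this file gives that formatter the address of an `ip_address_t`, while the id data is the raw byte vector built in the `set ... id` branches with `vec_new (u8, ip_address_size (&ip))`. If `format_ip_address` reads a family tag from its argument, as those other call sites suggest, it will read past a 4-byte vector and print the wrong value. Keeping `format_ip4_address` under `IKEV2_ID_TYPE_ID_IPV4_ADDR` and adding a separate branch that uses `format_ip6_address` for the IPv6 id type would match what is stored. The `set ... id` branches also accept either address family whatever id type was given, so checking the parsed family against `id_type` there would keep type and length consistent. The function body extends beyond these hunks.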
+87 -27
@@ -37,14 +37,23 @@ typedef CLIB_PACKED (struct {
/* *INDENT-ON* */
/* *INDENT-OFF* */
typedef CLIB_PACKED (struct {
ip4_address_t start_addr;
ip4_address_t end_addr;
}) ikev2_ip4_addr_pair_t;
typedef CLIB_PACKED (struct {
ip6_address_t start_addr;
ip6_address_t end_addr;
}) ikev2_ip6_addr_pair_t;
typedef CLIB_PACKED (struct {
u8 ts_type;
u8 protocol_id;
u16 selector_len;
u16 start_port;
u16 end_port;
ip4_address_t start_addr;
ip4_address_t end_addr;
u8 addr_pair[0];
}) ikev2_ts_payload_entry_t;
/* *INDENT-OFF* */
@@ -286,12 +295,46 @@ ikev2_payload_add_auth (ikev2_payload_chain_t * c, ikev2_auth_t * auth)
ikev2_payload_add_data (c, auth->data);
}
static void
ikev2_payload_add_ts_entry (u8 ** data, ikev2_ts_t * ts)
{
u8 * tmp;
ikev2_ts_payload_entry_t *entry;
int len = sizeof (*entry);
if (ts->ts_type == TS_IPV4_ADDR_RANGE)
len += sizeof (ikev2_ip4_addr_pair_t);
else
len += sizeof (ikev2_ip6_addr_pair_t);
vec_add2 (data[0], tmp, len);
entry = (ikev2_ts_payload_entry_t *) tmp;
entry->ts_type = ts->ts_type;
entry->protocol_id = ts->protocol_id;
entry->selector_len = clib_host_to_net_u16 (len);
entry->start_port = clib_host_to_net_u16 (ts->start_port);
entry->end_port = clib_host_to_net_u16 (ts->end_port);
if (ts->ts_type == TS_IPV4_ADDR_RANGE)
{
ikev2_ip4_addr_pair_t *pair = (ikev2_ip4_addr_pair_t*) entry->addr_pair;
ip_address_copy_addr (&pair->start_addr, &ts->start_addr);
ip_address_copy_addr (&pair->end_addr, &ts->end_addr);
}
else
{
ikev2_ip6_addr_pair_t *pair = (ikev2_ip6_addr_pair_t*) entry->addr_pair;
ip_address_copy_addr (&pair->start_addr, &ts->start_addr);
ip_address_copy_addr (&pair->end_addr, &ts->end_addr);
}
}
void
ikev2_payload_add_ts (ikev2_payload_chain_t * c, ikev2_ts_t * ts, u8 type)
{
ike_ts_payload_header_t *tsh;
ikev2_ts_t *ts2;
u8 *data = 0, *tmp;
u8 *data = 0;
tsh =
(ike_ts_payload_header_t *) ikev2_payload_add_hdr (c, type,
@@ -300,17 +343,9 @@ ikev2_payload_add_ts (ikev2_payload_chain_t * c, ikev2_ts_t * ts, u8 type)
vec_foreach (ts2, ts)
{
ASSERT (ts2->ts_type == 7); /*TS_IPV4_ADDR_RANGE */
ikev2_ts_payload_entry_t *entry;
vec_add2 (data, tmp, sizeof (*entry));
entry = (ikev2_ts_payload_entry_t *) tmp;
entry->ts_type = ts2->ts_type;
entry->protocol_id = ts2->protocol_id;
entry->selector_len = clib_host_to_net_u16 (16);
entry->start_port = clib_host_to_net_u16 (ts2->start_port);
entry->end_port = clib_host_to_net_u16 (ts2->end_port);
entry->start_addr.as_u32 = ts2->start_addr.as_u32;
entry->end_addr.as_u32 = ts2->end_addr.as_u32;
ASSERT (ts2->ts_type == TS_IPV4_ADDR_RANGE ||
ts2->ts_type == TS_IPV6_ADDR_RANGE);
ikev2_payload_add_ts_entry (&data, ts2);
}
ikev2_payload_add_data (c, data);
@@ -413,31 +448,56 @@ ikev2_parse_ts_payload (ike_payload_header_t * ikep, u32 rlen)
{
ike_ts_payload_header_t *tsp = (ike_ts_payload_header_t *) ikep;
ikev2_ts_t *r = 0, *ts;
u8 i;
ikev2_ip4_addr_pair_t *pair4;
ikev2_ip6_addr_pair_t *pair6;
int p = 0, n_left;
ikev2_ts_payload_entry_t *pe;
if (sizeof (*tsp) > rlen)
return 0;
if (sizeof (*tsp) + tsp->num_ts * sizeof (ikev2_ts_payload_entry_t) > rlen)
return 0;
rlen -= sizeof (*tsp);
n_left = tsp->num_ts;
for (i = 0; i < tsp->num_ts; i++)
while (n_left && p + sizeof (*pe) < rlen)
{
if (tsp->ts[i].ts_type != 7) /* TS_IPV4_ADDR_RANGE */
pe = (ikev2_ts_payload_entry_t *) (((u8 *)tsp->ts) + p);
p += sizeof (*pe);
if (pe->ts_type != TS_IPV4_ADDR_RANGE &&
pe->ts_type != TS_IPV6_ADDR_RANGE)
{
ikev2_elog_uint (IKEV2_LOG_ERROR,
"unsupported TS type received (%u)", tsp->ts[i].ts_type);
continue;
"unsupported TS type received (%u)", pe->ts_type);
return 0;
}
vec_add2 (r, ts, 1);
ts->ts_type = tsp->ts[i].ts_type;
ts->protocol_id = tsp->ts[i].protocol_id;
ts->start_port = tsp->ts[i].start_port;
ts->end_port = tsp->ts[i].end_port;
ts->start_addr.as_u32 = tsp->ts[i].start_addr.as_u32;
ts->end_addr.as_u32 = tsp->ts[i].end_addr.as_u32;
ts->ts_type = pe->ts_type;
ts->protocol_id = pe->protocol_id;
ts->start_port = pe->start_port;
ts->end_port = pe->end_port;
if (pe->ts_type == TS_IPV4_ADDR_RANGE)
{
pair4 = (ikev2_ip4_addr_pair_t*) pe->addr_pair;
ip_address_set (&ts->start_addr, &pair4->start_addr, AF_IP4);
ip_address_set (&ts->end_addr, &pair4->end_addr, AF_IP4);
p += sizeof (*pair4);
}
else
{
pair6 = (ikev2_ip6_addr_pair_t*) pe->addr_pair;
ip_address_set (&ts->start_addr, &pair6->start_addr, AF_IP6);
ip_address_set (&ts->end_addr, &pair6->end_addr, AF_IP6);
p += sizeof (*pair6);
}
n_left--;
}
if (n_left)
return 0;
return r;
}
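Review bot: ikev2_parse_ts_payload reads each entry's address pair without first checking that the pair lies inside `rlen`: the loop condition `p + sizeof (*pe) < rlen` covers only the fixed 8-byte entry header, so a peer-supplied TS_IPV6_ADDR_RANGE entry near the end of the payload makes `ip_address_set` read up to 32 bytes that were never validated. The two new `return 0` paths (unsupported type, and `n_left` still non-zero) also abandon the vector `r` built by earlier `vec_add2` calls without freeing it, which a peer can trigger repeatedly. `selector_len` from the wire is never compared with the size implied by `ts_type`. I would derive the pair size from the type, reject the entry when it exceeds the remaining length or disagrees with `selector_len`, and free `r` on every failure path, as sketched below.

```c
  u32 pair_len;

  /* … unchanged: header length check, rlen adjustment, n_left setup … */
  while (n_left && p + sizeof (*pe) < rlen)
    {
      /* … unchanged: pe = …; p += sizeof (*pe); … */
      if (pe->ts_type != TS_IPV4_ADDR_RANGE &&
	  pe->ts_type != TS_IPV6_ADDR_RANGE)
	{
	  /* … unchanged: ikev2_elog_uint … */
	  goto fail;
	}

      pair_len = pe->ts_type == TS_IPV4_ADDR_RANGE ?
	sizeof (ikev2_ip4_addr_pair_t) : sizeof (ikev2_ip6_addr_pair_t);
      /* the address pair must fit in what is left of the payload and
         agree with the length the peer announced for this selector */
      if (p + pair_len > rlen ||
	  clib_net_to_host_u16 (pe->selector_len) != sizeof (*pe) + pair_len)
	goto fail;

      /* … unchanged: vec_add2, field copies, per-family ip_address_set … */
    }

  if (n_left)
    goto fail;

  return r;

fail:
  vec_free (r);
  return 0;
```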
+18 -32
@@ -81,7 +81,7 @@ do { \
} \
} while (0) \
#define ikev2_elog_exchange(_format, _ispi, _rspi, _addr) \
#define ikev2_elog_exchange_internal(_format, _ispi, _rspi, _addr) \
do { \
ikev2_main_t *km = &ikev2_main; \
if (PREDICT_FALSE (km->log_level >= IKEV2_LOG_DEBUG)) \
@@ -110,6 +110,17 @@ do { \
} \
} while (0) \
#define IKE_ELOG_IP4_FMT "%d.%d.%d.%d"
#define IKE_ELOG_IP6_FMT "[v6]:%x%x:%x%x"
#define ikev2_elog_exchange(_fmt, _ispi, _rspi, _addr, _v4) \
do { \
if (_v4) \
ikev2_elog_exchange_internal (_fmt IKE_ELOG_IP4_FMT, _ispi, _rspi, _addr);\
else \
ikev2_elog_exchange_internal (_fmt IKE_ELOG_IP6_FMT, _ispi, _rspi, _addr);\
} while (0)
#define ikev2_elog_uint(_level, _format, _val) \
do { \
ikev2_main_t *km = &ikev2_main; \
@@ -156,31 +167,6 @@ do { \
} \
} while (0)
#define ikev2_elog_peers(_level, _format, _ip1, _ip2) \
do { \
ikev2_main_t *km = &ikev2_main; \
if (PREDICT_FALSE (km->log_level >= _level)) \
{ \
ELOG_TYPE_DECLARE (e) = \
{ \
.format = "ikev2: " _format, \
.format_args = "i1i1i1i1i1i1i1i1", \
}; \
CLIB_PACKED(struct { \
u8 i11; u8 i12; u8 i13; u8 i14; \
u8 i21; u8 i22; u8 i23; u8 i24; }) *ed; \
ed = ELOG_DATA (&vlib_global_main.elog_main, e); \
ed->i14 = (_ip1) >> 24; \
ed->i13 = (_ip1) >> 16; \
ed->i12 = (_ip1) >> 8; \
ed->i11 = (_ip1); \
ed->i24 = (_ip2) >> 24; \
ed->i23 = (_ip2) >> 16; \
ed->i22 = (_ip2) >> 8; \
ed->i21 = (_ip2); \
} \
} while (0)
#define ikev2_elog_error(_msg) \
_ikev2_elog(IKEV2_LOG_ERROR, "[error] " _msg)
#define ikev2_elog_warning(_msg) \
@@ -258,19 +244,19 @@ typedef struct
typedef struct
{
u8 ts_type;
ikev2_traffic_selector_type_t ts_type;
u8 protocol_id;
u16 selector_len;
u16 start_port;
u16 end_port;
ip4_address_t start_addr;
ip4_address_t end_addr;
ip_address_t start_addr;
ip_address_t end_addr;
} ikev2_ts_t;
typedef struct
{
u32 sw_if_index;
ip4_address_t ip4;
ip_address_t addr;
} ikev2_responder_t;
typedef struct
@@ -368,8 +354,8 @@ typedef struct
ikev2_state_t state;
u8 unsupported_cp;
u8 initial_contact;
ip4_address_t iaddr;
ip4_address_t raddr;
ip_address_t iaddr;
ip_address_t raddr;
u64 ispi;
u64 rspi;
u8 *i_nonce;
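Review bot: `IKE_ELOG_IP6_FMT` (`"[v6]:%x%x:%x%x"`) prints four values, and `ikev2_elog_exchange_internal` is reused unchanged for both families, so an IPv6 exchange appears to be logged with only part of the peer address. Which part is decided by the callers in the suppressed diff, but in any case two IPv6 peers that share those bytes cannot be told apart in the event log, which limits its value when reconstructing an incident. A comment on the macro, for example `/* IPv6: only 4 bytes of the address are recorded; not a unique peer identifier */`, would make that explicit. A dedicated IPv6 variant that records all 16 bytes would remove the ambiguity.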
+38 -40
@@ -135,7 +135,7 @@ MACRO_FORMAT (auth_method)
s = format (s, " %s", id->data);
break;
case IKEV2_ID_TYPE_ID_IPV4_ADDR:
s = format (s, " %U", format_ip4_address, id->data);
s = format (s, " %U", format_ip_address, id->data);
break;
case IKEV2_ID_TYPE_ID_KEY_ID:
s = format (s, " 0x%U", format_hex_bytes, id->data, id->data_len);
@@ -225,7 +225,6 @@ static void vl_api_ikev2_profile_details_t_handler
{
vat_main_t *vam = ikev2_test_main.vat_main;
vl_api_ikev2_profile_t *p = &mp->profile;
ip4_address_t start_addr, end_addr;
fformat (vam->ofp, "profile %s\n", p->name);
@@ -256,21 +255,17 @@ static void vl_api_ikev2_profile_details_t_handler
format_ikev2_id_type_and_data, &p->rem_id);
}
ip4_address_decode (p->loc_ts.start_addr, &start_addr);
ip4_address_decode (p->loc_ts.end_addr, &end_addr);
fformat (vam->ofp, " local traffic-selector addr %U - %U port %u - %u"
" protocol %u\n",
format_ip4_address, &start_addr,
format_ip4_address, &end_addr,
format_ip_address, &p->loc_ts.start_addr,
format_ip_address, &p->loc_ts.end_addr,
clib_net_to_host_u16 (p->loc_ts.start_port),
clib_net_to_host_u16 (p->loc_ts.end_port), p->loc_ts.protocol_id);
ip4_address_decode (p->rem_ts.start_addr, &start_addr);
ip4_address_decode (p->rem_ts.end_addr, &end_addr);
fformat (vam->ofp, " remote traffic-selector addr %U - %U port %u - %u"
" protocol %u\n",
format_ip4_address, &start_addr,
format_ip4_address, &end_addr,
format_ip_address, &p->rem_ts.start_addr,
format_ip_address, &p->rem_ts.end_addr,
clib_net_to_host_u16 (p->rem_ts.start_port),
clib_net_to_host_u16 (p->rem_ts.end_port), p->rem_ts.protocol_id);
u32 tun_itf = clib_net_to_host_u32 (p->tun_itf);
@@ -280,7 +275,7 @@ static void vl_api_ikev2_profile_details_t_handler
u32 sw_if_index = clib_net_to_host_u32 (p->responder.sw_if_index);
if (~0 != sw_if_index)
fformat (vam->ofp, " responder idx %d %U\n",
sw_if_index, format_ip4_address, &p->responder.ip4);
sw_if_index, format_ip_address, &p->responder.addr);
if (p->udp_encap)
fformat (vam->ofp, " udp-encap\n");
@@ -348,18 +343,18 @@ vl_api_ikev2_sa_details_t_handler (vl_api_ikev2_sa_details_t * mp)
{
vat_main_t *vam = ikev2_test_main.vat_main;
vl_api_ikev2_sa_t *sa = &mp->sa;
ip4_address_t iaddr;
ip4_address_t raddr;
ip_address_t iaddr;
ip_address_t raddr;
vl_api_ikev2_keys_t *k = &sa->keys;
vl_api_ikev2_sa_t_endian (sa);
ip4_address_decode (sa->iaddr, &iaddr);
ip4_address_decode (sa->raddr, &raddr);
ip_address_decode2 (&sa->iaddr, &iaddr);
ip_address_decode2 (&sa->raddr, &raddr);
fformat (vam->ofp, "profile index %d sa index: %d\n",
mp->sa.profile_index, mp->sa.sa_index);
fformat (vam->ofp, " iip %U ispi %lx rip %U rspi %lx\n", format_ip4_address,
&iaddr, sa->ispi, format_ip4_address, &raddr, sa->rspi);
fformat (vam->ofp, " iip %U ispi %lx rip %U rspi %lx\n", format_ip_address,
&iaddr, sa->ispi, format_ip_address, &raddr, sa->rspi);
fformat (vam->ofp, " %U ", format_ikev2_sa_transform, &sa->encryption);
fformat (vam->ofp, "%U ", format_ikev2_sa_transform, &sa->prf);
fformat (vam->ofp, "%U ", format_ikev2_sa_transform, &sa->integrity);
@@ -526,18 +521,17 @@ static void
{
vat_main_t *vam = ikev2_test_main.vat_main;
vl_api_ikev2_ts_t *ts = &mp->ts;
ip4_address_t start_addr;
ip4_address_t end_addr;
ip_address_t start_addr, end_addr;
vl_api_ikev2_ts_t_endian (ts);
ip4_address_decode (ts->start_addr, &start_addr);
ip4_address_decode (ts->end_addr, &end_addr);
ip_address_decode2 (&ts->start_addr, &start_addr);
ip_address_decode2 (&ts->end_addr, &end_addr);
fformat (vam->ofp, " %s protocol_id %u addr "
"%U - %U port %u - %u\n",
ts->is_local, ts->protocol_id,
format_ip4_address, &start_addr,
format_ip4_address, &end_addr, ts->start_port, ts->end_port);
format_ip_address, &start_addr,
format_ip_address, &end_addr, ts->start_port, ts->end_port);
vam->result_ready = 1;
}
@@ -797,7 +791,7 @@ api_ikev2_profile_set_id (vat_main_t * vam)
u8 *data = 0;
u8 is_local = 0;
u32 id_type = 0;
ip4_address_t ip4;
ip_address_t ip;
int ret;
const char *valid_chars = "a-zA-Z0-9_";
@@ -808,10 +802,10 @@ api_ikev2_profile_set_id (vat_main_t * vam)
vec_add1 (name, 0);
else if (unformat (i, "id_type %U", unformat_ikev2_id_type, &id_type))
;
else if (unformat (i, "id_data %U", unformat_ip4_address, &ip4))
else if (unformat (i, "id_data %U", unformat_ip_address, &ip))
{
data = vec_new (u8, 4);
clib_memcpy (data, ip4.as_u8, 4);
data = vec_new (u8, ip_address_size (&ip));
clib_memcpy (data, ip_addr_bytes (&ip), ip_address_size (&ip));
}
else if (unformat (i, "id_data 0x%U", unformat_hex_string, &data))
;
@@ -875,14 +869,12 @@ api_ikev2_profile_set_ts (vat_main_t * vam)
u8 *name = 0;
u8 is_local = 0;
u32 proto = 0, start_port = 0, end_port = (u32) ~ 0;
ip4_address_t start_addr, end_addr;
ip_address_t start_addr, end_addr;
u8 start_addr_set = 0, end_addr_set = 0;
const char *valid_chars = "a-zA-Z0-9_";
int ret;
start_addr.as_u32 = 0;
end_addr.as_u32 = (u32) ~ 0;
while (unformat_check_input (i) != UNFORMAT_END_OF_INPUT)
{
if (unformat (i, "name %U", unformat_token, valid_chars, &name))
@@ -894,10 +886,10 @@ api_ikev2_profile_set_ts (vat_main_t * vam)
else if (unformat (i, "end_port %d", &end_port))
;
else
if (unformat (i, "start_addr %U", unformat_ip4_address, &start_addr))
;
else if (unformat (i, "end_addr %U", unformat_ip4_address, &end_addr))
;
if (unformat (i, "start_addr %U", unformat_ip_address, &start_addr))
start_addr_set = 1;
else if (unformat (i, "end_addr %U", unformat_ip_address, &end_addr))
end_addr_set = 1;
else if (unformat (i, "local"))
is_local = 1;
else if (unformat (i, "remote"))
@@ -909,6 +901,12 @@ api_ikev2_profile_set_ts (vat_main_t * vam)
}
}
if (!start_addr_set || !end_addr_set)
{
errmsg ("missing start or end address");
return -99;
}
if (!vec_len (name))
{
errmsg ("profile name must be specified");
@@ -927,8 +925,8 @@ api_ikev2_profile_set_ts (vat_main_t * vam)
mp->ts.protocol_id = (u8) proto;
mp->ts.start_port = clib_host_to_net_u16 ((u16) start_port);
mp->ts.end_port = clib_host_to_net_u16 ((u16) end_port);
ip4_address_encode (&start_addr, mp->ts.start_addr);
ip4_address_encode (&end_addr, mp->ts.end_addr);
ip_address_encode2 (&start_addr, &mp->ts.start_addr);
ip_address_encode2 (&end_addr, &mp->ts.end_addr);
clib_memcpy (mp->name, name, vec_len (name));
vec_free (name);
@@ -1035,7 +1033,7 @@ api_ikev2_set_responder (vat_main_t * vam)
int ret;
u8 *name = 0;
u32 sw_if_index = ~0;
ip4_address_t address;
ip_address_t address;
const char *valid_chars = "a-zA-Z0-9_";
@@ -1043,7 +1041,7 @@ api_ikev2_set_responder (vat_main_t * vam)
{
if (unformat
(i, "%U interface %d address %U", unformat_token, valid_chars,
&name, &sw_if_index, unformat_ip4_address, &address))
&name, &sw_if_index, unformat_ip_address, &address))
vec_add1 (name, 0);
else
{
@@ -1070,7 +1068,7 @@ api_ikev2_set_responder (vat_main_t * vam)
vec_free (name);
mp->responder.sw_if_index = clib_host_to_net_u32 (sw_if_index);
ip4_address_encode (&address, mp->responder.ip4);
ip_address_encode2 (&address, &mp->responder.addr);
S (mp);
W (ret);
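Review bot: vl_api_ikev2_profile_details_t_handler now passes `&p->loc_ts.start_addr`, `&p->rem_ts.start_addr` (with the matching end addresses) and `&p->responder.addr` straight to `format_ip_address` although these are API-encoded fields, while the sa_details and ts_details handlers in this same file still convert with `ip_address_decode2` into an `ip_address_t` before formatting. Unless the API address type and `ip_address_t` share a layout, the profile dump will print wrong addresses or take the family tag from the wrong offset. I would keep a local `ip_address_t start_addr, end_addr;` and call `ip_address_decode2 (&p->loc_ts.start_addr, &start_addr);` before each `fformat`, as the other handlers do. The `IKEV2_ID_TYPE_ID_IPV4_ADDR` case of the id formatter has a related mismatch, since `id->data` appears to hold raw address bytes rather than an `ip_address_t`. The handler bodies extend beyond the hunks.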
+5 -5
@@ -34,8 +34,8 @@ typedef ikev2_ts
u8 protocol_id;
u16 start_port;
u16 end_port;
vl_api_ip4_address_t start_addr;
vl_api_ip4_address_t end_addr;
vl_api_address_t start_addr;
vl_api_address_t end_addr;
};
typedef ikev2_auth
@@ -49,7 +49,7 @@ typedef ikev2_auth
typedef ikev2_responder
{
vl_api_interface_index_t sw_if_index;
vl_api_ip4_address_t ip4;
vl_api_address_t addr;
};
typedef ikev2_ike_transforms
@@ -134,8 +134,8 @@ typedef ikev2_sa
u64 ispi;
u64 rspi;
vl_api_ip4_address_t iaddr;
vl_api_ip4_address_t raddr;
vl_api_address_t iaddr;
vl_api_address_t raddr;
vl_api_ikev2_keys_t keys;
File diff suppressed because it is too large Load Diff
+11 -2
@@ -1,3 +1,4 @@
from ipaddress import IPv4Address, AddressValueError
from vpp_object import VppObject
from vpp_papi import VppEnum
@@ -12,7 +13,8 @@ class AuthMethod:
class IDType:
v = {'ip4-addr': 1,
'fqdn': 2}
'fqdn': 2,
'ip6-addr': 5}
@staticmethod
def value(key): return IDType.v[key]
@@ -52,7 +54,8 @@ class Profile(VppObject):
'is_local': False}
def add_local_ts(self, start_addr, end_addr, start_port=0, end_port=0xffff,
proto=0):
proto=0, is_ip4=True):
self.ts_is_ip4 = is_ip4
self.local_ts = {'is_local': True,
'protocol_id': proto,
'start_port': start_port,
@@ -62,6 +65,12 @@ class Profile(VppObject):
def add_remote_ts(self, start_addr, end_addr, start_port=0,
end_port=0xffff, proto=0):
try:
IPv4Address(start_addr)
is_ip4 = True
except AddressValueError:
is_ip4 = False
self.ts_is_ip4 = is_ip4
self.remote_ts = {'is_local': False,
'protocol_id': proto,
'start_port': start_port,
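Review bot: add_local_ts and add_remote_ts determine the address family in two different ways and both store it in the single attribute `self.ts_is_ip4`: the local variant trusts its `is_ip4=True` default, the remote variant infers it from `start_addr`. A caller that passes IPv6 addresses to add_local_ts without `is_ip4=False` records the wrong family, and whichever method runs last overwrites the other's value. Deriving it from the address in both methods, e.g. `self.ts_is_ip4 = ip_address(start_addr).version == 4` with `from ipaddress import ip_address`, keeps them consistent and also rejects strings that are not addresses at all, which the current `except AddressValueError` path treats as IPv6. The dict literal continues past the end of the hunk.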