nat: fix nat44 vrf handlers

Change of enums used in REPLY_MACRO() to appropriate one
for handlers:
-vl_api_nat44_ed_add_del_vrf_table_t_handler
-vl_api_nat44_ed_add_del_vrf_route_t_handler

Type: fix

Change-Id: I58e97817b1678da7c025c0d03a8b938a4e0f7b6c
Signed-off-by: Daniel Béreš <daniel.beres@pantheon.tech>
(cherry picked from commit 2c03879ce45c6568da015c01d85300eef147ece7)

.gitignore

@@ -27,8 +27,8 @@
 /build-config.mk
 /build/external/*.tar.gz
 /build/external/*.tar.xz
-/build/external/vpp-*.deb
-/build/external/vpp-*.changes
+/build/external/vpp-*
+/build/external/dpdk_mlx_default.sh
 /build/external/downloads/
 /path_setup
 /tools/

.gitreview

@@ -2,3 +2,4 @@
 host=gerrit.fd.io
 port=29418
 project=vpp
+defaultbranch=stable/2210

MAINTAINERS

@@ -817,6 +817,12 @@ I:	rpm-packaging
 M:	Laszlo Kiraly <laszlo.kiraly@est.tech>
 F:	src/extras/rpm/opensuse
 
+VPP StrongSwan Daemon
+I:	vpp-swan
+M:	Fan Zhang <roy.fan.zhang@intel.com>
+M:	Gabriel Oginski <gabrielx.oginski@intel.com>
+F:	extras/strongswan/vpp_sswan
+
 THE REST
 I:	misc
 M:	vpp-dev Mailing List <vpp-dev@fd.io>

Makefile

@@ -760,3 +760,7 @@ ifeq ($(OS_ID)-$(OS_VERSION_ID),$(MAKE_VERIFY_GATE_OS))
 else
 	$(call banner,"Skipping tests. Tests under 'make verify' supported on $(MAKE_VERIFY_GATE_OS)")
 endif
+
+.PHONY: check-dpdk-mlx
+check-dpdk-mlx:
+	@[ $$(make -sC build/external dpdk-show-DPDK_MLX_DEFAULT) = y ]

build/external/Makefile

@@ -38,8 +38,8 @@ ARCH_X86_64=$(filter x86_64,$(shell uname -m))
 include packages.mk
 include packages/ipsec-mb.mk
 include packages/quicly.mk
-include packages/dpdk.mk
 include packages/rdma-core.mk
+include packages/dpdk.mk
 include packages/libbpf.mk
 
 .PHONY: clean

build/external/deb/debian/rules

@@ -28,3 +28,5 @@ override_dh_install:
 	make $(MAKE_ARGS) install
 	dh_install -p$(PKG) --autodest /opt
 
+override_dh_shlibdeps:
+	dh_shlibdeps -l$(INSTALL_DIR)lib/

build/external/mlx_rdma_dpdk_matrix.txt

@@ -0,0 +1 @@
+rdma=41.0 dpdk=22.07

build/external/packages.mk

@@ -146,5 +146,9 @@ $(B)/.$1.install.ok: $(B)/.$1.build.ok
 .PHONY: $1-install
 $1-install: $(B)/.$1.install.ok
 
+.PHONY: $1-show-%
+$1-show-%:
+	@echo $$($$*)
+
 ALL_TARGETS += $1-install
 endef

build/external/packages/dpdk.mk

@@ -14,9 +14,6 @@
 DPDK_PKTMBUF_HEADROOM        ?= 128
 DPDK_USE_LIBBSD              ?= n
 DPDK_DEBUG                   ?= n
-DPDK_MLX4_PMD                ?= n
-DPDK_MLX5_PMD                ?= n
-DPDK_MLX5_COMMON_PMD         ?= n
 DPDK_TAP_PMD                 ?= n
 DPDK_FAILSAFE_PMD            ?= n
 DPDK_MACHINE                 ?= default
@@ -34,6 +31,11 @@ dpdk_tarball_md5sum          := $(dpdk_tarball_md5sum_$(dpdk_version))
 dpdk_url                     := $(dpdk_base_url)/$(dpdk_tarball)
 dpdk_tarball_strip_dirs      := 1
 dpdk_depends		     := rdma-core $(if $(ARCH_X86_64), ipsec-mb)
+
+DPDK_MLX_DEFAULT             := $(shell if grep -q "rdma=$(rdma-core_version) dpdk=$(dpdk_version)" mlx_rdma_dpdk_matrix.txt; then echo 'y'; else echo 'n'; fi)
+DPDK_MLX4_PMD                ?= $(DPDK_MLX_DEFAULT)
+DPDK_MLX5_PMD                ?= $(DPDK_MLX_DEFAULT)
+DPDK_MLX5_COMMON_PMD         ?= $(DPDK_MLX_DEFAULT)
 # Debug or release
 
 DPDK_BUILD_TYPE:=release
@@ -173,6 +175,7 @@ PIP_DOWNLOAD_DIR = $(CURDIR)/downloads/
 
 define dpdk_config_cmds
 	cd $(dpdk_build_dir) && \
+	echo "DPDK_MLX_DEFAULT=$(DPDK_MLX_DEFAULT)" > ../../../dpdk_mlx_default.sh && \
 	rm -rf ../dpdk-meson-venv && \
 	mkdir -p ../dpdk-meson-venv && \
 	python3 -m venv ../dpdk-meson-venv && \

build/external/packages/rdma-core.mk

@@ -32,27 +32,16 @@ define  rdma-core_config_cmds
 	    -DENABLE_STATIC=1 -DENABLE_RESOLVE_NEIGH=0 -DNO_PYVERBS=1 -DENABLE_VALGRIND=0\
 	    -DCMAKE_BUILD_TYPE=$(RDMA_BUILD_TYPE) -DCMAKE_INSTALL_PREFIX=$(rdma-core_install_dir) \
 	    -DCMAKE_INSTALL_LIBDIR=lib \
-	    -DCMAKE_C_FLAGS='-fPIC -fvisibility=hidden' > $(rdma-core_config_log)
+	    -DCMAKE_INSTALL_RUNDIR:PATH=/run \
+	    -DCMAKE_C_FLAGS='-fPIC' -DNO_MAN_PAGES=ON | tee $(rdma-core_config_log)
 endef
 
 define  rdma-core_build_cmds
-	$(CMAKE) --build $(rdma-core_build_dir) -- libccan.a libibverbs.a librdma_util.a libmlx5.a libmlx4.a > $(rdma-core_build_log)
-	sed 's/^Libs.private:.*/Libs.private: -lmlx4 -lmlx5 -libverbs -lrdma_util -lccan -lpthread/' -i $(rdma-core_build_dir)/lib/pkgconfig/libibverbs.pc >> $(rdma-core_build_log)
+	$(CMAKE) --build $(rdma-core_build_dir) | tee $(rdma-core_build_log)
 endef
 
 define  rdma-core_install_cmds
-	mkdir -p $(rdma-core_install_dir)/lib/pkgconfig
-	cp -avL $(rdma-core_build_dir)/include $(rdma-core_install_dir) > $(rdma-core_install_log)
-	cp -avL $(rdma-core_build_dir)/lib/pkgconfig/libibverbs.pc \
-	  $(rdma-core_build_dir)/lib/pkgconfig/libmlx5.pc \
-	  $(rdma-core_build_dir)/lib/pkgconfig/libmlx4.pc \
-	  $(rdma-core_install_dir)/lib/pkgconfig >> $(rdma-core_install_log)
-	cp -avL $(rdma-core_build_dir)/lib/statics/libibverbs.a \
-	  $(rdma-core_build_dir)/lib/statics/libmlx5.a \
-	  $(rdma-core_build_dir)/lib/statics/libmlx4.a \
-	  $(rdma-core_build_dir)/util/librdma_util.a \
-	  $(rdma-core_build_dir)/ccan/libccan.a \
-	  $(rdma-core_install_dir)/lib >> $(rdma-core_install_log)
+	$(CMAKE) --install $(rdma-core_build_dir) | tee $(rdma-core_install_log)
 endef
 
 $(eval $(call package,rdma-core))

docs/aboutvpp/releasenotes/index.rst

@@ -6,7 +6,9 @@ Release notes
 .. toctree::
     :maxdepth: 2
 
+    v22.10.1
+    v22.10
+    v22.06.1
     v22.06
     v22.02
-    v21.10.1
     past

docs/aboutvpp/releasenotes/past.rst

@@ -6,6 +6,7 @@ Past releases
 .. toctree::
     :maxdepth: 1
 
+    v21.10.1
     v21.10
     v21.06
     v21.01
@@ -38,4 +39,3 @@ Past releases
     v17.01
     v16.09
     v16.06
-

docs/aboutvpp/releasenotes/v22.06.1.rst

@@ -0,0 +1,12 @@
+Release notes for VPP 22.06.1
+=============================
+
+This is bug fix release.
+
+Of particular importance, this release contains the fix for
+`JIRA VPP-2307: CVE-2022-46397 FD.io VPP (Vector Packet Processor) IPSec generates a predictable IV in AES-CBC mode <https://jira.fd.io/browse/VPP-2037>`__
+
+For the full list of fixed issues please refer to:
+
+- fd.io `JIRA <https://jira.fd.io>`__
+- git `commit log <https://git.fd.io/vpp/log/?h=stable/2206>`__

docs/aboutvpp/releasenotes/v22.10.1.rst

@@ -0,0 +1,12 @@
+Release notes for VPP 22.10.1
+=============================
+
+This is bug fix release.
+
+Of particular importance, this release contains the fix for
+`JIRA VPP-2307: CVE-2022-46397 FD.io VPP (Vector Packet Processor) IPSec generates a predictable IV in AES-CBC mode <https://jira.fd.io/browse/VPP-2037>`__
+
+For the full list of fixed issues please refer to:
+
+- fd.io `JIRA <https://jira.fd.io>`__
+- git `commit log <https://git.fd.io/vpp/log/?h=stable/2210>`__

docs/gettingstarted/troubleshooting/mem.rst

@@ -26,7 +26,7 @@ To dump memory traces for analysis:
 
 .. code-block:: console
 
-    $ vppctl show memory-trace on main-heap
+    $ vppctl show memory main-heap verbose
     Thread 0 vpp_main
       base 0x7fffb6422000, size 1g, locked, unmap-on-destroy, name 'main heap'
 	page stats: page-size 4K, total 262144, mapped 30343, not-mapped 231801

extras/packetforge/packetforge.py

@@ -145,7 +145,7 @@ def GetMask(item):
     if "format" in item:
         format = item["format"]
         if format == "mac":
-            mask = "ff.ff.ff.ff.ff.ff"
+            mask = "ff:ff:ff:ff:ff:ff"
         elif format == "ipv4":
             mask = "255.255.255.255"
         elif format == "ipv6":

extras/packetforge/parsegraph/nodes/gtppsc.json

@@ -4,7 +4,7 @@
     "layout" : [
         {
             "name" : "length",
-            "size" : "1",
+            "size" : "8",
             "default" : "1",
             "readonly" : "true"
         },
@@ -23,6 +23,10 @@
         {
             "name" : "qfi",
             "size" : "6"
+        },
+        {
+            "name" : "nextext",
+            "size" : "8"
         }
     ]
 }

extras/strongswan/vpp_sswan/Makefile

@@ -0,0 +1,108 @@
+# the directory to the strongSwan sources
+SWANDIR=${CURDIR}/../../../build-root/build-vpp-native/external/sswan
+# location of config.h
+CONFIGH=$(SWANDIR)/config.h
+# default install prefix: /usr/local or /usr
+PREFIX=/usr
+# location of the installed strongSwan libraries
+SWANLIBS=$(PREFIX)/lib/ipsec/
+# location of the strongSwan plugins
+SWANPLUGINS=$(PREFIX)/lib/ipsec/plugins
+# location of the strongSwan archive
+SWANARCHIVE=${CURDIR}/../../../build/external/downloads
+# default install configuration files:
+PREFIX_SYS_CONF=/etc
+# target location of the plugin config snippet: $(PREFIX)/etc/strongswan.d/charon/ or /etc/strongswan.d/charon/
+PLUGINCONF=$(PREFIX_SYS_CONF)/strongswan.d/charon/
+# location of the  VPP libraries
+VPPLIBS=$(CURDIR)/../../../build-root/install-vpp-native/vpp/lib/x86_64-linux-gnu
+# the directory to the VPP sources
+VPPDIR=../../../build-root/install-vpp-native/vpp/include
+
+TARGET=libstrongswan-kernel-vpp.so
+
+# tested only with 5.9.5 and 5.9.6 version of strongSwan
+VERSION_SSWAN=5.9.6
+
+CFLAGS=-O2 -g -Wall -Wextra -fpic
+
+CFLAGS_I=-include $(CONFIGH) \
+	-I$(SWANDIR)/src/libstrongswan \
+	-I$(SWANDIR)/src/libcharon
+
+LDFLAGS= -lvppinfra \
+	-lvlibmemoryclient \
+	-lvppapiclient \
+	-lsvm \
+	-lvlib
+
+VERSION_VPP=$(shell (dpkg -s vpp | grep Version) | grep -Po '(?<=Version: )\d\d.\d\d')
+
+# check if VPP is installed
+ifneq ($(shell test "$(shell ldconfig -p | grep vppinfra.so | awk 'NR==1{print $$1;}')" && echo "yes"), yes)
+# check if VPPDIR exists
+ifeq ($(shell test -d $(VPPDIR) && echo "yes"), yes)
+	CFLAGS_I += -I$(VPPDIR)
+endif
+# check if VPPLIBS exists
+ifeq ($(shell test -d $(VPPLIBS) && echo "yes"), yes)
+	LDFLAGS += -L$(VPPLIBS)
+	LDFLAGS += -Wl,-rpath=$(VPPLIBS)
+endif
+endif
+
+SOURCES=$(wildcard *.c)
+OBJECTS=$(SOURCES:.c=.o)
+
+all: pull-swan $(TARGET)
+
+pull-swan:
+	@if [ -d "${SWANDIR}" ]; then \
+	  rm -rf ${SWANDIR} ; \
+	fi
+	@if ! [ -f "${SWANARCHIVE}/strongswan-${VERSION_SSWAN}.tar.gz" ]; then \
+	  curl -o ${SWANARCHIVE}/strongswan-${VERSION_SSWAN}.tar.gz -LO https://github.com/strongswan/strongswan/archive/${VERSION_SSWAN}.tar.gz; \
+	fi
+	@if ! [ -d "${CURDIR}/../../../build-root/build-vpp-native/external/" ]; then \
+	  mkdir ${CURDIR}/../../../build-root/build-vpp-native/external; \
+	fi
+	tar -zxof ${SWANARCHIVE}/strongswan-${VERSION_SSWAN}.tar.gz -C ${CURDIR}/../../../build-root/build-vpp-native/external/
+	mv ${CURDIR}/../../../build-root/build-vpp-native/external/strongswan-${VERSION_SSWAN} ${SWANDIR}
+	cd ${SWANDIR} && ./autogen.sh
+	cd ${SWANDIR} && ./configure --prefix=${PREFIX} --sysconfdir=${PREFIX_SYS_CONF} --enable-libipsec --enable-systemd --enable-swanctl --disable-gmp --enable-openssl
+	cd ${SWANDIR} && make -j$(nproc)
+#	cd ${SWANDIR} && sudo make install
+
+# check if VPP is installed
+ifneq ($(shell test "$(shell ldconfig -p | grep vppinfra.so | awk 'NR==1{print $$1;}')" && echo "yes"), yes)
+	$(info INFO: Not found installed VPP - checking if locally VPP exists)
+# check if VPPDIR exists
+ifneq ($(shell test -d $(VPPDIR) && echo "yes"), yes)
+	$(error ERROR: Not found installed VPP and locally VPP - please install or build)
+else
+# check if VPPLIBS exists
+ifneq ($(shell test -d $(VPPLIBS) && echo "yes"), yes)
+	$(error ERROR: directory $(VPPLIBS) - doesn't exists, please compile VPP before build this)
+else
+	$(info INFO: Found locally VPP)
+endif
+endif
+else
+	$(info INFO: Found installed VPP in version: $(VERSION_VPP))
+endif
+
+$(TARGET): $(OBJECTS)
+	gcc $(CFLAGS) -shared -DPIC $(OBJECTS) $(LDFLAGS) -Wl,-soname -Wl,$(TARGET) -o $@
+	cp $(TARGET) ${SWANDIR}
+
+%.o: %.c
+	gcc $(CFLAGS) $(CFLAGS_I) -c $< -o $@ $(LDFLAGS)
+
+install:
+	cp $(TARGET) $(SWANPLUGINS)/$(TARGET)
+	cp kernel-vpp.conf $(PLUGINCONF)
+
+clean:
+	rm -f *.so *.o
+
+.PHONY: clean install all

extras/strongswan/vpp_sswan/README.rst

@@ -0,0 +1,128 @@
+.. _vpp_sswan_doc:
+
+VPP-SSWAN
+=======================
+
+``VPP-SSWAN`` is a StrongSwan plugin that helps offloading Strongswan IPsec ESP
+process from Linux Kernel to ``VPP``.
+
+The kernel-vpp plugin is an interface to the IPsec and networking backend for
+`VPP <https://wiki.fd.io/view/VPP>`__ platform using the
+`VPP C API <https://wiki.fd.io/view/VPP/How_To_Use_The_C_API>`__.
+It provides address and routing lookup functionality and installs routes for
+IPsec traffic.
+It installs and maintains Security Associations and Policies to the
+`VPP IPsec <https://wiki.fd.io/view/VPP/IPSec_and_IKEv2#IPSec>`__.
+
+Prerequisites
+-------------
+
+``VPP`` in release mode should be built before compiling ``vpp-swan plugin``.
+The dependencies of ``StrongSwan`` should be installed before building
+``VPP-SSWAN``. In addition ``libsystemd-dev`` should be installed.
+
+Build VPP Strongswan Plugin
+-------------
+
+The following list of things will be done to build ``vpp-swan plugin``:
+
+- download strongswan source code to:
+``path/to/vpp/build/external/downloads``
+
+- unzip source code strongswan to:
+``path/to/vpp/build-root/build-vpp-native/external/sswan``
+
+- check if you have installed packages: ``libsystemd-dev`` on your OS
+
+- configure strongswan by:
+``./configure --prefix=/usr --sysconfdir=/etc --enable-libipsec
+--enable-systemd --enable-swanctl --disable-gmp --enable-openssl``
+
+- compile strongswan in:
+``path/to/vpp/build-root/build-vpp-native/external/sswan``
+
+- compile ``vpp-swan plugin`` by:
+
+::
+
+   ./make all
+
+- if everything it ok, copy the compiled ``vpp-swan plugin`` to:
+``/usr/lib/ipsec/plugins``
+
+Build/install Strongswan
+-------------
+
+It is recommended to use ``Strongswan`` in version ``5.9.6`` or ``5.9.5``
+installed from this script, due to configuration Strongswan that is required.
+Only version ``5.9.5`` and ``5.9.6`` was tested with this plugin.
+
+To install the built Strongswan, please execute the following command:
+
+::
+
+   path/to/vpp/build-root/build-vpp-native/external/sswan/sudo make install
+
+Insert plugin in runtime mode
+-------------
+
+After builded this plugin and also installed Strongswan you can loaded plugin
+into Strongswan directory by:
+
+::
+
+   ./make install
+
+Or you can do manually copy ``libstrongswan-kernel-vpp.so`` into:
+``/usr/lib/ipsec/plugins`` and also ``kernel-vpp.conf`` into: ``/etc/strongswan.d/charon/``
+
+And also you should restart Strongswan by:
+
+::
+
+   systemctl restart strongswan.service
+
+Configuration Strongswan
+-------------
+In ``swanctl.conf`` file you can find example configuration to initialize
+connections between two endpoints.
+
+Copy this file into: ``/etc/swanctl/conf.d/swanctl.conf``
+
+Configuration VPP
+-------------
+
+In your ``startup.conf`` add these following commands:
+
+::
+
+   plugins {
+     plugin linux_cp_plugin.so { enable }
+     plugin ikev2_plugin.so { disable }
+    }
+
+   linux-cp {
+      lcp-sync
+   }
+
+To enable ``CP Plugin`` and disable ``IKEv2`` plugin.
+
+These following commands executed in ``VPP``:
+
+::
+
+   lcp create eth2 host-if eth2
+   set interface state eth2 up
+   set interface ip address eth2 192.168.0.2/24
+   set int state eth1 up
+   set int ip addr eth1 192.168.200.1/24
+
+To create interface by ``CP Plugin`` and also setup two ethernet interfaces.
+
+Misc
+-------------
+This plugin is based on:
+`https://github.com/matfabia/strongswan
+<https://github.com/matfabia/strongswan>`__
+
+Author: Matus Fabian <matfabia@cisco.com>

extras/strongswan/vpp_sswan/kernel-vpp.conf

@@ -0,0 +1,7 @@
+kernel-vpp {
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+}

extras/strongswan/vpp_sswan/kernel_vpp_ipsec.h

@@ -0,0 +1,41 @@
+#ifndef KERNEL_VPP_IPSEC_H_
+#define KERNEL_VPP_IPSEC_H_
+/*
+ * Copyright (c) 2022 Intel and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <kernel/kernel_ipsec.h>
+
+typedef struct kernel_vpp_ipsec_t kernel_vpp_ipsec_t;
+
+/**
+ * Implementation of the kernel ipsec interface using Netlink.
+ */
+struct kernel_vpp_ipsec_t
+{
+
+  /**
+   * Implements kernel_ipsec_t interface
+   */
+  kernel_ipsec_t interface;
+};
+
+/**
+ * Create a vpp kernel ipsec interface instance.
+ *
+ * @return          kernel_vpp_ipsec_t instance
+ */
+kernel_vpp_ipsec_t *kernel_vpp_ipsec_create ();
+
+#endif /** KERNEL_VPP_IPSEC_H_ @}*/

extras/strongswan/vpp_sswan/kernel_vpp_net.h

@@ -0,0 +1,41 @@
+#ifndef KERNEL_VPP_NET_H_
+#define KERNEL_VPP_NET_H_
+/*
+ * Copyright (c) 2022 Intel and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <kernel/kernel_net.h>
+
+typedef struct kernel_vpp_net_t kernel_vpp_net_t;
+
+/**
+ * Implementation of the kernel network interface using Netlink.
+ */
+struct kernel_vpp_net_t
+{
+
+  /**
+   * Implements kernel_net_t interface
+   */
+  kernel_net_t interface;
+};
+
+/**
+ * Create a vpp kernel network interface instance.
+ *
+ * @return          kernel_vpp_net_t instance
+ */
+kernel_vpp_net_t *kernel_vpp_net_create ();
+
+#endif /** KERNEL_VPP_NET_H_ @}*/

extras/strongswan/vpp_sswan/kernel_vpp_plugin.c

@@ -0,0 +1,103 @@
+/*
+ * Copyright (c) 2022 Intel and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <utils/debug.h>
+#include <vlibapi/api.h>
+#include <vlibmemory/api.h>
+
+#define vl_typedefs
+#define vl_endianfun
+/* Include the (first) vlib-api API definition layer */
+#include <vlibmemory/vl_memory_api_h.h>
+/* Include the current layer (third) vpp API definition layer */
+#include <vpp/api/vpe_types.api.h>
+#include <vpp/api/vpe.api.h>
+#undef vl_typedefs
+#undef vl_endianfun
+
+#include "kernel_vpp_plugin.h"
+#include "kernel_vpp_shared.h"
+#include "kernel_vpp_ipsec.h"
+#include "kernel_vpp_net.h"
+
+typedef struct private_kernel_vpp_plugin_t private_kernel_vpp_plugin_t;
+
+/**
+ * private data of kernel vpp plugin
+ */
+struct private_kernel_vpp_plugin_t
+{
+  /**
+   * implements plugin interface
+   */
+  kernel_vpp_plugin_t public;
+
+  vac_t *vac;
+};
+
+METHOD (plugin_t, get_name, char *, private_kernel_vpp_plugin_t *this)
+{
+  return "kernel-vpp";
+}
+
+METHOD (plugin_t, get_features, int, private_kernel_vpp_plugin_t *this,
+	plugin_feature_t *features[])
+{
+  static plugin_feature_t f[] = {
+    PLUGIN_CALLBACK (kernel_ipsec_register, kernel_vpp_ipsec_create),
+    PLUGIN_PROVIDE (CUSTOM, "kernel-ipsec"),
+    PLUGIN_CALLBACK (kernel_net_register, kernel_vpp_net_create),
+    PLUGIN_PROVIDE (CUSTOM, "kernel-net"),
+  };
+  *features = f;
+  return countof (f);
+}
+
+METHOD (plugin_t, destroy, void, private_kernel_vpp_plugin_t *this)
+{
+  if (this->vac)
+    {
+      lib->set (lib, "kernel-vpp-vac", NULL);
+      this->vac->destroy (this->vac);
+    }
+  free (this);
+}
+
+plugin_t *
+kernel_vpp_plugin_create ()
+{
+  private_kernel_vpp_plugin_t *this;
+
+  INIT(this,
+        .public = {
+            .plugin = {
+                .get_name = _get_name,
+                .get_features = _get_features,
+                .destroy = _destroy,
+            },
+        },
+    );
+
+  this->vac = vac_create ("strongswan");
+  if (!this->vac)
+    {
+      DBG1 (DBG_KNL, "vac_create failed");
+      destroy (this);
+      return NULL;
+    }
+  lib->set (lib, "kernel-vpp-vac", this->vac);
+
+  return &this->public.plugin;
+}

extras/strongswan/vpp_sswan/kernel_vpp_plugin.h

@@ -0,0 +1,34 @@
+#ifndef KERNEL_VPP_PLUGIN_H_
+#define KERNEL_VPP_PLUGIN_H_
+/*
+ * Copyright (c) 2022 Intel and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <plugins/plugin.h>
+
+typedef struct kernel_vpp_plugin_t kernel_vpp_plugin_t;
+
+/**
+ * vpp kernel interface plugin
+ */
+struct kernel_vpp_plugin_t
+{
+
+  /**
+   * implements plugin interface
+   */
+  plugin_t plugin;
+};
+
+#endif /** KERNEL_VPP_PLUGIN_H_ @}*/

extras/strongswan/vpp_sswan/kernel_vpp_shared.h

@@ -0,0 +1,85 @@
+#ifndef KERNEL_VPP_SHARED_H_
+#define KERNEL_VPP_SHARED_H_
+/*
+ * Copyright (c) 2022 Intel and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+typedef struct vac_t vac_t;
+
+/**
+ * Callback function invoked for received event messages.
+ *
+ * @param data     associated event message, destroyed by VPP API wrapper
+ * @param data_len length of the event message
+ * @param ctx      user data, as passed to register_event
+ */
+typedef void (*event_cb_t) (char *data, int data_len, void *ctx);
+
+/**
+ * Wrapper around VPP binary API client.
+ */
+struct vac_t
+{
+
+  /**
+   * Destroy the VPP API client.
+   */
+  void (*destroy) (vac_t *this);
+
+  /**
+   * Send VPP API message and wait for a reply
+   *
+   * @param in      VPP API message to send
+   * @param in_len  length of the message to send
+   * @param out     received VPP API message
+   * @param out_len length of the received message
+   */
+  status_t (*send) (vac_t *this, char *in, int in_len, char **out,
+		    int *out_len);
+
+  /**
+   * Send VPP API dump message and wait for a reply.
+   *
+   * @param in      VPP API message to send
+   * @param in_len  length of the message to send
+   * @param out     received VPP API message
+   * @param out_len length of the received message
+   */
+  status_t (*send_dump) (vac_t *this, char *in, int in_len, char **out,
+			 int *out_len);
+
+  /**
+   * Register for VPP API event of a given kind.
+   *
+   * @param in       VPP API event message to register
+   * @param in_len   length of the event message to register
+   * @param cb       callback function to register
+   * @param event_id event ID
+   * @param ctx      user data passed to callback invocations
+   */
+  status_t (*register_event) (vac_t *this, char *in, int in_len, event_cb_t cb,
+			      uint16_t event_id, void *ctx);
+};
+
+extern vac_t *vac;
+
+/**
+ * Establishing a binary API connection to VPP.
+ *
+ * @param name client name
+ * @return     vac_t instance
+ */
+vac_t *vac_create (char *name);
+
+#endif /* KERNEL_VPP_SHARED_H_ */

extras/strongswan/vpp_sswan/swanctl.conf

@@ -0,0 +1,35 @@
+connections {
+  net-net {
+    local_addrs = 192.168.0.2
+    remote_addrs = 192.168.0.1
+    local {
+      auth = psk
+      id = sun.strongswan.org
+    }
+    remote {
+      auth = psk
+      id = moon.strongswan.org
+    }
+    children {
+      net-net {
+        local_ts = 192.168.200.0/24
+        remote_ts = 192.168.100.0/24
+        esp_proposals = aes128-sha1-modp2048
+        rekey_time = 240m
+      }
+    }
+    version = 2
+    mobike = yes
+    encap = no # NAT-T if needed
+    proposals = aes128-sha256-x25519
+    }
+}
+secrets {
+  ike-net-net {
+    id = moon.strongswan.org
+    secret = simplepsk
+  }
+}
+
+# Include config snippets
+include conf.d/*.conf