go.ligato.io/vpp-agent/v3@v3.5.0/plugins/vpp/ipsecplugin/ipsecplugin.go (about) 1 // Copyright (c) 2021 Cisco and/or its affiliates. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at: 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 //go:generate descriptor-adapter --descriptor-name SPD --value-type *vpp_ipsec.SecurityPolicyDatabase --import "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec" --output-dir "descriptor" 16 //go:generate descriptor-adapter --descriptor-name SPDInterface --value-type *vpp_ipsec.SecurityPolicyDatabase_Interface --import "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec" --output-dir "descriptor" 17 //go:generate descriptor-adapter --descriptor-name SP --value-type *vpp_ipsec.SecurityPolicy --import "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec" --output-dir "descriptor" 18 //go:generate descriptor-adapter --descriptor-name SA --value-type *vpp_ipsec.SecurityAssociation --import "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec" --output-dir "descriptor" 19 //go:generate descriptor-adapter --descriptor-name TunProtect --value-type *vpp_ipsec.TunnelProtection --import "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec" --output-dir "descriptor" 20 21 package ipsecplugin 22 23 import ( 24 "github.com/pkg/errors" 25 "go.ligato.io/cn-infra/v2/health/statuscheck" 26 "go.ligato.io/cn-infra/v2/infra" 27 28 "go.ligato.io/vpp-agent/v3/plugins/kvscheduler" 29 30 "go.ligato.io/vpp-agent/v3/plugins/govppmux" 31 kvs "go.ligato.io/vpp-agent/v3/plugins/kvscheduler/api" 
// Packages local to the ipsecplugin (descriptors, their generated adapters and the VPP call layer).
	"go.ligato.io/vpp-agent/v3/plugins/vpp/ifplugin"
	"go.ligato.io/vpp-agent/v3/plugins/vpp/ipsecplugin/descriptor"
	"go.ligato.io/vpp-agent/v3/plugins/vpp/ipsecplugin/descriptor/adapter"
	"go.ligato.io/vpp-agent/v3/plugins/vpp/ipsecplugin/vppcalls"

	// Side-effect imports of the per-VPP-version handler implementations.
	// Presumably each package registers its handler in its own init() so that
	// vppcalls.CompatibleIPSecVppHandler (used in Init below) can select the one
	// matching the connected VPP; the registration itself is not visible here.
	// Adding support for a new VPP release means adding its package to this list.
	_ "go.ligato.io/vpp-agent/v3/plugins/vpp/ipsecplugin/vppcalls/vpp2101"
	_ "go.ligato.io/vpp-agent/v3/plugins/vpp/ipsecplugin/vppcalls/vpp2106"
	_ "go.ligato.io/vpp-agent/v3/plugins/vpp/ipsecplugin/vppcalls/vpp2202"
	_ "go.ligato.io/vpp-agent/v3/plugins/vpp/ipsecplugin/vppcalls/vpp2210"
)

// init tells the KVScheduler that ErrTunnelProtectionUnsupported must not be
// retried. Presumably an operation that fails because the running VPP lacks
// tunnel protection can never succeed on a later attempt, so retrying would
// only burn scheduler cycles; confirm against the vppcalls definition.
func init() {
	kvscheduler.AddNonRetryableError(vppcalls.ErrTunnelProtectionUnsupported)
}

// IPSecPlugin configures VPP security policy databases and security associations using GoVPP.
//
// All fields other than Deps are populated by Init and are nil before it runs.
//
// NOTE(review): security associations carry IPsec key material. Whether the SA
// descriptor or the VPP handler ever includes SA contents in log output is not
// visible from this file — verify before enabling debug logging in production.
type IPSecPlugin struct {
	Deps

	// handler
	// ipSecHandler is the VPP-version-specific IPSec API chosen by
	// vppcalls.CompatibleIPSecVppHandler in Init; every descriptor below is
	// constructed on top of it.
	ipSecHandler vppcalls.IPSecVppAPI

	// descriptors
	// These are the descriptor objects kept after registration with the
	// KVScheduler. The security-policy (SP) descriptor is deliberately not
	// retained: Init registers it and drops the reference.
	spdDescriptor *descriptor.IPSecSPDDescriptor
	saDescriptor *descriptor.IPSecSADescriptor
	spdIfDescriptor *descriptor.SPDInterfaceDescriptor
	tunProtectDescriptor *descriptor.TunnelProtectDescriptor
}

// Deps lists dependencies of the IPSec plugin.
//
// Every field except StatusCheck must be injected before Init is called;
// Init dereferences KVScheduler, VPP and IfPlugin without nil checks.
type Deps struct {
	infra.PluginDeps
	// KVScheduler receives the IPSec descriptors registered in Init.
	KVScheduler kvs.KVScheduler
	// VPP is the GoVPP multiplexer handed to the IPSec handler.
	VPP govppmux.API
	// IfPlugin supplies the interface index (GetInterfaceIndex) the handler
	// needs to resolve interface names.
	IfPlugin ifplugin.API
	// StatusCheck, when non-nil, is told about this plugin in AfterInit.
	StatusCheck statuscheck.PluginStatusWriter // optional
}

// Init registers IPSec-related descriptors.
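// It first selects the VPP-version-specific IPSec handler and then registers
// the SPD, SP, SA, tunnel-protection and SPD-interface descriptors with the
// KVScheduler, in that order (the order is kept from the original sequence;
// whether the scheduler depends on it is not visible here). The SP descriptor
// is only registered, not retained on the plugin.
//
// Init fails closed: when no handler is compatible with the connected VPP it
// returns an error instead of letting the plugin run without being able to
// apply IPSec policy. Each registration failure is returned wrapped with the
// name of the descriptor that was rejected, so a start-up failure in the log
// points at the offending descriptor rather than a bare scheduler error.
//
// Returns an error when no compatible handler exists or when the KVScheduler
// rejects a descriptor.
func (p *IPSecPlugin) Init() error {
	// Choose the handler matching the running VPP; nil means none of the
	// blank-imported vpp* implementations matched.
	p.ipSecHandler = vppcalls.CompatibleIPSecVppHandler(p.VPP, p.IfPlugin.GetInterfaceIndex(), p.Log)
	if p.ipSecHandler == nil {
		return errors.New("ipsecHandler is not available")
	}

	// Security policy database (SPD).
	p.spdDescriptor = descriptor.NewIPSecSPDDescriptor(p.ipSecHandler, p.Log)
	spdDescriptor := adapter.NewSPDDescriptor(p.spdDescriptor.GetDescriptor())
	if err := p.KVScheduler.RegisterKVDescriptor(spdDescriptor); err != nil {
		return errors.Wrap(err, "registering SPD descriptor")
	}

	// Security policy (SP); not kept on the plugin.
	spDescriptor := descriptor.NewIPSecSPDescriptor(p.ipSecHandler, p.Log)
	if err := p.KVScheduler.RegisterKVDescriptor(spDescriptor); err != nil {
		return errors.Wrap(err, "registering SP descriptor")
	}

	// Security association (SA).
	p.saDescriptor = descriptor.NewIPSecSADescriptor(p.ipSecHandler, p.Log)
	saDescriptor := adapter.NewSADescriptor(p.saDescriptor.GetDescriptor())
	if err := p.KVScheduler.RegisterKVDescriptor(saDescriptor); err != nil {
		return errors.Wrap(err, "registering SA descriptor")
	}

	// Tunnel protection.
	p.tunProtectDescriptor = descriptor.NewTunnelProtectDescriptor(p.ipSecHandler, p.Log)
	tunProtectDescriptor := adapter.NewTunProtectDescriptor(p.tunProtectDescriptor.GetDescriptor())
	if err := p.KVScheduler.RegisterKVDescriptor(tunProtectDescriptor); err != nil {
		return errors.Wrap(err, "registering tunnel protection descriptor")
	}

	// Derived type: SPD-to-interface binding.
	p.spdIfDescriptor = descriptor.NewSPDInterfaceDescriptor(p.ipSecHandler, p.Log)
	spdIfDescriptor := adapter.NewSPDInterfaceDescriptor(p.spdIfDescriptor.GetDescriptor())
	if err := p.KVScheduler.RegisterKVDescriptor(spdIfDescriptor); err != nil {
		return errors.Wrap(err, "registering SPD interface descriptor")
	}

	return nil
}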
// AfterInit registers this plugin with the StatusCheck plugin. StatusCheck is
// an optional dependency, so when it was not injected nothing is done; in
// either case AfterInit reports success.
func (p *IPSecPlugin) AfterInit() error {
	sc := p.StatusCheck
	if sc == nil {
		// No status writer injected: nothing to register, not an error.
		return nil
	}
	sc.Register(p.PluginName, nil)
	return nil
}