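// Copyright (c) 2018 Cisco and/or its affiliates.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at:
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package vppcalls

import (
	"errors"

	govppapi "go.fd.io/govpp/api"
	"go.ligato.io/cn-infra/v2/logging"

	"go.ligato.io/vpp-agent/v3/plugins/vpp"
	"go.ligato.io/vpp-agent/v3/plugins/vpp/ifplugin/ifaceidx"
	ipsec "go.ligato.io/vpp-agent/v3/proto/ligato/vpp/ipsec"
)

var (
	// ErrTunnelProtectionUnsupported is returned if IPSec tunnel protection is not supported on the given VPP version.
	ErrTunnelProtectionUnsupported = errors.New("IPSec tunnel protection is not supported")
)

// IPSecSaDetails holds a security association together with its VPP metadata.
type IPSecSaDetails struct {
	Sa   *ipsec.SecurityAssociation
	Meta *IPSecSaMeta
}

// IPSecSaMeta contains all VPP-specific metadata of a security association.
// Only the key lengths are carried here; the key material itself is not part
// of this metadata.
type IPSecSaMeta struct {
	SaID           uint32
	Interface      string
	IfIdx          uint32
	CryptoKeyLen   uint8
	IntegKeyLen    uint8
	Salt           uint32 // not used for VPP >= 22.10
	SeqOutbound    uint64
	LastSeqInbound uint64
	ReplayWindow   uint64
	TotalDataSize  uint64
}

// IPSecVppAPI provides methods for creating and managing an IPsec configuration.
type IPSecVppAPI interface {
	IPSecVPPRead

	// AddSPD adds SPD to VPP via binary API
	AddSPD(spdID uint32) error
	// DeleteSPD deletes SPD from VPP via binary API
	DeleteSPD(spdID uint32) error
	// AddSPDInterface adds SPD interface assignment to VPP via binary API
	AddSPDInterface(spdID uint32, iface *ipsec.SecurityPolicyDatabase_Interface) error
	// DeleteSPDInterface deletes SPD interface assignment from VPP via binary API
	DeleteSPDInterface(spdID uint32, iface *ipsec.SecurityPolicyDatabase_Interface) error
	// AddSP adds security policy to VPP via binary API
	AddSP(sp *ipsec.SecurityPolicy) error
	// DeleteSP deletes security policy from VPP via binary API
	DeleteSP(sp *ipsec.SecurityPolicy) error
	// AddSA adds SA to VPP via binary API
	AddSA(sa *ipsec.SecurityAssociation) error
	// DeleteSA deletes SA from VPP via binary API
	DeleteSA(sa *ipsec.SecurityAssociation) error
	// AddTunnelProtection adds a tunnel protection to VPP via binary API
	AddTunnelProtection(tp *ipsec.TunnelProtection) error
	// UpdateTunnelProtection updates a tunnel protection on VPP via binary API
	UpdateTunnelProtection(tp *ipsec.TunnelProtection) error
	// DeleteTunnelProtection deletes a tunnel protection from VPP via binary API
	DeleteTunnelProtection(tp *ipsec.TunnelProtection) error
}

// IPSecVPPRead provides read methods for IPSec.
type IPSecVPPRead interface {
	// DumpIPSecSPD returns a list of IPSec security policy databases
	DumpIPSecSPD() (spdList []*ipsec.SecurityPolicyDatabase, err error)
	// DumpIPSecSP returns a list of configured security policies
	DumpIPSecSP() (spList []*ipsec.SecurityPolicy, err error)
	// DumpIPSecSA returns a list of configured security associations
	DumpIPSecSA() (saList []*IPSecSaDetails, err error)
	// DumpIPSecSAWithIndex returns a security association with provided index
	DumpIPSecSAWithIndex(saID uint32) (saList []*IPSecSaDetails, err error)
	// DumpTunnelProtections returns configured IPSec tunnel protections
	DumpTunnelProtections() (tpList []*ipsec.TunnelProtection, err error)
}

// Handler is the descriptor under which VPP-version-specific IPSec handler
// implementations are registered (see AddHandlerVersion).
var Handler = vpp.RegisterHandler(vpp.HandlerDesc{
	Name:       "ipsec",
	HandlerAPI: (*IPSecVppAPI)(nil),
})

// NewHandlerFunc constructs a version-specific IPSec handler from an API
// channel, the interface metadata index and a logger.
type NewHandlerFunc func(ch govppapi.Channel, ifIdx ifaceidx.IfaceMetadataIndex, log logging.Logger) IPSecVppAPI

// AddHandlerVersion registers h as the IPSec handler for the given VPP version.
// The Check callback opens an API channel and verifies compatibility of msgs.
// The NewHandler callback expects two extra arguments, an
// ifaceidx.IfaceMetadataIndex and a logging.Logger, in that order; if the API
// channel cannot be opened, the error is returned in place of the handler and
// must be detected by the caller (see CompatibleIPSecVppHandler).
func AddHandlerVersion(version vpp.Version, msgs []govppapi.Message, h NewHandlerFunc) {
	Handler.AddVersion(vpp.HandlerVersion{
		Version: version,
		Check: func(c vpp.Client) error {
			ch, err := c.NewAPIChannel()
			if err != nil {
				return err
			}
			return ch.CheckCompatiblity(msgs...)
		},
		NewHandler: func(c vpp.Client, a ...interface{}) vpp.HandlerAPI {
			ch, err := c.NewAPIChannel()
			if err != nil {
				// The callback has no separate error result, so the error is
				// handed back as the handler value; callers must not assume
				// the value is an IPSecVppAPI.
				return err
			}
			return h(ch, a[0].(ifaceidx.IfaceMetadataIndex), a[1].(logging.Logger))
		},
	})
}

// CompatibleIPSecVppHandler returns an IPSec handler compatible with the VPP
// instance behind c, or nil when no registered version is compatible or the
// handler could not be constructed (NewHandler yielded an error instead of an
// IPSecVppAPI because the API channel could not be opened).
func CompatibleIPSecVppHandler(c vpp.Client, ifIdx ifaceidx.IfaceMetadataIndex, log logging.Logger) IPSecVppAPI {
	v := Handler.FindCompatibleVersion(c)
	if v == nil {
		return nil
	}
	// NewHandler returns an error value when NewAPIChannel fails; a one-value
	// type assertion would panic on it, so use the comma-ok form and report
	// "no handler" instead.
	h, ok := v.NewHandler(c, ifIdx, log).(IPSecVppAPI)
	if !ok {
		return nil
	}
	return h
}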