Message ID | 20190404160738.18687-1-eyal.birger@gmail.com |
---|---|
State | Accepted |
Delegated to: | stephen hemminger |
Series | [iproute2-next] ip xfrm: support setting/printing XFRMA_IF_ID attribute in states/policies |

On Thu, 4 Apr 2019 19:07:38 +0300 Eyal Birger <eyal.birger@gmail.com> wrote:

> The XFRMA_IF_ID attribute is set in policies/states for them to be
> associated with an XFRM interface (4.19+).
>
> Add support for setting / displaying this attribute.
>
> Note that 0 is a valid value therefore set XFRMA_IF_ID if any value
> was provided in command line.
>
> Tested-by: Antony Antony <antony@phenome.org>
> Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
> ---

Since this works with existing kernel it should not need to wait for next.

Hi Stephen,

On Thu, 4 Apr 2019 10:13:36 -0700 Stephen Hemminger <stephen@networkplumber.org> wrote:

> On Thu, 4 Apr 2019 19:07:38 +0300
> Eyal Birger <eyal.birger@gmail.com> wrote:
>
> > The XFRMA_IF_ID attribute is set in policies/states for them to be
> > associated with an XFRM interface (4.19+).
> >
> > Add support for setting / displaying this attribute.
> >
> > Note that 0 is a valid value therefore set XFRMA_IF_ID if any value
> > was provided in command line.
> >
> > Tested-by: Antony Antony <antony@phenome.org>
> > Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
> > ---
>
> Since this works with existing kernel it should not need to wait for
> next.

Oh, sorry about that. The patch applies cleanly and works on the iproute2 tree.

Should I resubmit?

Thanks!
Eyal.

On Thu, 4 Apr 2019 19:07:38 +0300 Eyal Birger <eyal.birger@gmail.com> wrote:

> The XFRMA_IF_ID attribute is set in policies/states for them to be
> associated with an XFRM interface (4.19+).
>
> Add support for setting / displaying this attribute.
>
> Note that 0 is a valid value therefore set XFRMA_IF_ID if any value
> was provided in command line.
>
> Tested-by: Antony Antony <antony@phenome.org>
> Signed-off-by: Eyal Birger <eyal.birger@gmail.com>

This is already handled by an earlier patch, that I just applied

On Fri, Apr 05, 2019 at 03:07:58PM -0700, Stephen Hemminger wrote:

> On Thu, 4 Apr 2019 19:07:38 +0300
> Eyal Birger <eyal.birger@gmail.com> wrote:
>
> > The XFRMA_IF_ID attribute is set in policies/states for them to be
> > associated with an XFRM interface (4.19+).
> >
> > Add support for setting / displaying this attribute.
> >
> > Note that 0 is a valid value therefore set XFRMA_IF_ID if any value
> > was provided in command line.
> >
> > Tested-by: Antony Antony <antony@phenome.org>
> > Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
>
> This is already handled by an earlier patch, that I just applied

Do you mean commit 286446c1
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=286446c1e8c7f5f6eca4959015aa9e482b7adb11

Matt's patch is to support link.
e.g. ip link add ipsec0 type xfrm dev enp0s5 if_id 0xAB

Eyal's patch is for xfrm state and policy.
e.g.
ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir in tmpl src 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 mode tunnel if_id 10

Thanks for applying Matt's patch. We need both patches.

-antony

On 4/5/19 8:57 PM, Antony Antony wrote:

> On Fri, Apr 05, 2019 at 03:07:58PM -0700, Stephen Hemminger wrote:
>> On Thu, 4 Apr 2019 19:07:38 +0300
>> Eyal Birger <eyal.birger@gmail.com> wrote:
>>
>>> The XFRMA_IF_ID attribute is set in policies/states for them to be
>>> associated with an XFRM interface (4.19+).
>>>
>>> Add support for setting / displaying this attribute.
>>>
>>> Note that 0 is a valid value therefore set XFRMA_IF_ID if any value
>>> was provided in command line.
>>>
>>> Tested-by: Antony Antony <antony@phenome.org>
>>> Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
>>
>> This is already handled by an earlier patch, that I just applied
>
> Do you mean commit 286446c1
> https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=286446c1e8c7f5f6eca4959015aa9e482b7adb11
>
> Matt's patch is to support link.
> e.g. ip link add ipsec0 type xfrm dev enp0s5 if_id 0xAB
>
> Eyal's patch is for xfrm state and policy.
> e.g.
> ip xfrm policy add src 10.1.1.200/32 dst 10.1.1.100/32 dir in tmpl src
> 172.16.1.200 dst 172.16.1.100 proto esp reqid 2 mode tunnel if_id 10
>
> Thanks for applying Matt's patch. We need both patches.
>
> -antony
>

Stephen: since you took Matt's, I am assuming you will take the xfrm patch too.

diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c index b153b863..32f56093 100644 --- a/ip/ipxfrm.c +++ b/ip/ipxfrm.c @@ -891,6 +891,14 @@ void xfrm_xfrma_print(struct rtattr *tb[], __u16 family, (xuo->flags & XFRM_OFFLOAD_INBOUND) ? "in" : "out"); fprintf(fp, "%s", _SL_); } + if (tb[XFRMA_IF_ID]) { + __u32 if_id = rta_getattr_u32(tb[XFRMA_IF_ID]); + + if (prefix) + fputs(prefix, fp); + fprintf(fp, "if_id %#x", if_id); + fprintf(fp, "%s", _SL_); + } } static int xfrm_selector_iszero(struct xfrm_selector *s) diff --git a/ip/xfrm_policy.c b/ip/xfrm_policy.c index feccaada..4a63e9ab 100644 --- a/ip/xfrm_policy.c +++ b/ip/xfrm_policy.c @@ -55,7 +55,7 @@ static void usage(void) fprintf(stderr, "Usage: ip xfrm policy { add | update } SELECTOR dir DIR [ ctx CTX ]\n"); fprintf(stderr, " [ mark MARK [ mask MASK ] ] [ index INDEX ] [ ptype PTYPE ]\n"); fprintf(stderr, " [ action ACTION ] [ priority PRIORITY ] [ flag FLAG-LIST ]\n"); - fprintf(stderr, " [ LIMIT-LIST ] [ TMPL-LIST ]\n"); + fprintf(stderr, " [ if_id IF_ID ] [ LIMIT-LIST ] [ TMPL-LIST ]\n"); fprintf(stderr, "Usage: ip xfrm policy { delete | get } { SELECTOR | index INDEX } dir DIR\n"); fprintf(stderr, " [ ctx CTX ] [ mark MARK [ mask MASK ] ] [ ptype PTYPE ]\n"); fprintf(stderr, "Usage: ip xfrm policy { deleteall | list } [ nosock ] [ SELECTOR ] [ dir DIR ]\n"); @@ -270,6 +270,8 @@ static int xfrm_policy_modify(int cmd, unsigned int flags, int argc, char **argv struct xfrm_user_sec_ctx sctx; char str[CTX_BUF_SIZE]; } ctx = {}; + bool is_if_id_set = false; + __u32 if_id = 0; while (argc > 0) { if (strcmp(*argv, "dir") == 0) { @@ -338,6 +340,11 @@ static int xfrm_policy_modify(int cmd, unsigned int flags, int argc, char **argv xfrm_tmpl_parse(tmpl, &argc, &argv); tmpls_len += sizeof(*tmpl); + } else if (strcmp(*argv, "if_id") == 0) { + NEXT_ARG(); + if (get_u32(&if_id, *argv, 0)) + invarg("IF_ID value is invalid", *argv); + is_if_id_set = true; } else { if (selp) duparg("unknown", *argv); 
@@ -380,6 +387,9 @@ static int xfrm_policy_modify(int cmd, unsigned int flags, int argc, char **argv (void *)&ctx, ctx.sctx.len); } + if (is_if_id_set) + addattr32(&req.n, sizeof(req.buf), XFRMA_IF_ID, if_id); + if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0) exit(1); diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c index 09292da9..93601437 100644 --- a/ip/xfrm_state.c +++ b/ip/xfrm_state.c @@ -62,6 +62,7 @@ static void usage(void) fprintf(stderr, " [ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-LIST ]\n"); fprintf(stderr, " [ offload [dev DEV] dir DIR ]\n"); fprintf(stderr, " [ output-mark OUTPUT-MARK ]\n"); ++ fprintf(stderr, " [ if_id IF_ID ]\n"); fprintf(stderr, "Usage: ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ]\n"); fprintf(stderr, " [ reqid REQID ] [ seq SEQ ] [ min SPI max SPI ]\n"); fprintf(stderr, "Usage: ip xfrm state { delete | get } ID [ mark MARK [ mask MASK ] ]\n"); @@ -326,6 +327,8 @@ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv) char str[CTX_BUF_SIZE]; } ctx = {}; __u32 output_mark = 0; + bool is_if_id_set = false; + __u32 if_id = 0; while (argc > 0) { if (strcmp(*argv, "mode") == 0) { @@ -445,6 +448,11 @@ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv) NEXT_ARG(); if (get_u32(&output_mark, *argv, 0)) invarg("value after \"output-mark\" is invalid", *argv); + } else if (strcmp(*argv, "if_id") == 0) { + NEXT_ARG(); + if (get_u32(&if_id, *argv, 0)) + invarg("value after \"if_id\" is invalid", *argv); + is_if_id_set = true; } else { /* try to assume ALGO */ int type = xfrm_algotype_getbyname(*argv); @@ -627,6 +635,9 @@ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv) } } + if (is_if_id_set) + addattr32(&req.n, sizeof(req.buf), XFRMA_IF_ID, if_id); + if (xfrm_xfrmproto_is_ipsec(req.xsinfo.id.proto)) { switch (req.xsinfo.mode) { case XFRM_MODE_TRANSPORT:
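
Review bot: in the xfrm_xfrma_print() hunk of ip/ipxfrm.c, `fprintf(fp, "if_id %#x", if_id)` prints an if_id of 0 as "if_id 0" rather than "if_id 0x0", because the `#` flag only adds the 0x prefix to nonzero values. The commit message singles out 0 as a valid value, so either use `0x%x` for uniform output or accept the unprefixed zero knowingly; both forms parse back through `get_u32(&if_id, *argv, 0)`, so this is about consistent output for scripts that match on it, not correctness.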
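
Review bot: the `if_id` branch added to the argument loop in xfrm_policy_modify() (and the matching branch in xfrm_state_modify()) accepts the keyword more than once and silently keeps the last value. `is_if_id_set` is already tracked, so testing it at the top of the branch and calling `duparg("if_id", *argv)` would reject a repeated option instead of binding the entry to an interface the operator may not have intended. The two invarg() messages also differ ("IF_ID value is invalid" in the policy path, "value after \"if_id\" is invalid" in the state path); one wording for both would be cleaner.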
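
Review bot: the line added to usage() in ip/xfrm_state.c appears here as `++ fprintf(stderr, " [ if_id IF_ID ]\n");`, meaning the added source line itself begins with a `+`. That still compiles, as a unary plus applied to fprintf()'s return value, but it is a stray character and should be dropped so the line matches the surrounding fprintf() calls.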
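
Review bot: both usage() hunks add "[ if_id IF_ID ]", but the diff touches only ip/ipxfrm.c, ip/xfrm_policy.c and ip/xfrm_state.c, so the new keyword is documented nowhere except the usage text. A man page entry describing IF_ID, that it associates the state or policy with an XFRM interface, and that 0 is accepted as a value, would belong with this change.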