lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 4 Apr 2019 18:25:28 +0200
From:   Antony Antony <antony@...nome.org>
To:     Matt Ellison <matt@...oyo.io>
Cc:     Stephen Hemminger <stephen@...workplumber.org>,
        netdev@...r.kernel.org
Subject: Re: [iproute2] ip: support for xfrm interfaces

Tested-by: Antony Antony <antony@...nome.org>

Question: is it easy to add "if_id" to "ip link show" output?
currently:
ip link show ipsec0
4: ipsec0@...1: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/none da:25:61:2e:0c:98 brd ff:ff:ff:ff:ff:ff

proposed:
4: ipsec0@...1: <NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue xfrm_if_id 0x1 
state UNKNOWN mode DEFAULT group default qlen 1000
    link/none da:25:61:2e:0c:98 brd ff:ff:ff:ff:ff:ff

thanks,
-antony

On Tue, Jan 01, 2019 at 12:40:01PM -0500, Matt Ellison wrote:
> Support for new (4.19+) xfrm virtual interfaces.
> 
> Interfaces take a 'if_id' which is an interface id which can be set on
> an xfrm policy as its interface lookup key (XFRMA_IF_ID).
> 
> Signed-off-by: Matt Ellison <matt@...oyo.io>
> ---
>  ip/Makefile                             |  2 +-
>  ip/iplink.c                             |  3 +-
>  ip/link_xfrm.c                          | 79 +++++++++++++++++++++++++
>  man/man8/ip-link.8.in                   | 27 ++++++++-
>  testsuite/tests/ip/link/add_type_xfrm.t | 32 ++++++++++
>  5 files changed, 140 insertions(+), 3 deletions(-)
>  create mode 100644 ip/link_xfrm.c
>  create mode 100755 testsuite/tests/ip/link/add_type_xfrm.t
> 
> diff --git a/ip/Makefile b/ip/Makefile
> index a88f9366..7ce6e91a 100644
> --- a/ip/Makefile
> +++ b/ip/Makefile
> @@ -5,7 +5,7 @@ IPOBJ=ip.o ipaddress.o ipaddrlabel.o iproute.o iprule.o ipnetns.o \
>      ipxfrm.o xfrm_state.o xfrm_policy.o xfrm_monitor.o iplink_dummy.o \
>      iplink_ifb.o iplink_nlmon.o iplink_team.o iplink_vcan.o iplink_vxcan.o \
>      iplink_vlan.o link_veth.o link_gre.o iplink_can.o iplink_xdp.o \
> -    iplink_macvlan.o ipl2tp.o link_vti.o link_vti6.o \
> +    iplink_macvlan.o ipl2tp.o link_vti.o link_vti6.o link_xfrm.o \
>      iplink_vxlan.o tcp_metrics.o iplink_ipoib.o ipnetconf.o link_ip6tnl.o \
>      link_iptnl.o link_gre6.o iplink_bond.o iplink_bond_slave.o iplink_hsr.o \
>      iplink_bridge.o iplink_bridge_slave.o ipfou.o iplink_ipvlan.o \
> diff --git a/ip/iplink.c b/ip/iplink.c
> index b5519201..f61e570a 100644
> --- a/ip/iplink.c
> +++ b/ip/iplink.c
> @@ -121,7 +121,8 @@ void iplink_usage(void)
>  			"          bridge | bond | team | ipoib | ip6tnl | ipip | sit | vxlan |\n"
>  			"          gre | gretap | erspan | ip6gre | ip6gretap | ip6erspan |\n"
>  			"          vti | nlmon | team_slave | bond_slave | bridge_slave |\n"
> -			"          ipvlan | ipvtap | geneve | vrf | macsec | netdevsim | rmnet }\n");
> +			"          ipvlan | ipvtap | geneve | vrf | macsec | netdevsim | rmnet |\n"
> +			"          xfrm }\n");
>  	}
>  	exit(-1);
>  }
> diff --git a/ip/link_xfrm.c b/ip/link_xfrm.c
> new file mode 100644
> index 00000000..1115fde5
> --- /dev/null
> +++ b/ip/link_xfrm.c
> @@ -0,0 +1,79 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * link_xfrm.c	Virtual XFRM Interface driver module
> + *
> + * Authors:	Matt Ellison <matt@...oyo.io>
> + */
> +
> +#include <string.h>
> +#include <linux/if_link.h>
> +
> +#include "rt_names.h"
> +#include "utils.h"
> +#include "ip_common.h"
> +#include "tunnel.h"
> +
> +static void xfrm_print_help(struct link_util *lu, int argc, char **argv,
> +			    FILE *f)
> +{
> +	fprintf(f, "Usage: ... %-4s dev PHYS_DEV [ if_id IF-ID ]\n", lu->id);
> +	fprintf(f, "\nWhere: IF-ID := { 0x0..0xffffffff }\n");
> +}
> +
> +static int xfrm_parse_opt(struct link_util *lu, int argc, char **argv,
> +			  struct nlmsghdr *n)
> +{
> +	unsigned int link = 0;
> +	__u32 if_id = 0;
> +
> +	while (argc > 0) {
> +		if (!matches(*argv, "dev")) {
> +			NEXT_ARG();
> +			link = ll_name_to_index(*argv);
> +			if (!link)
> +				exit(nodev(*argv));
> +		} else if (!matches(*argv, "if_id")) {
> +			NEXT_ARG();
> +			if (get_u32(&if_id, *argv, 0))
> +				invarg("if_id", *argv);
> +		} else {
> +			xfrm_print_help(lu, argc, argv, stderr);
> +			return -1;
> +		}
> +		argc--; argv++;
> +	}
> +
> +	addattr32(n, 1024, IFLA_XFRM_IF_ID, if_id);
> +
> +	if (link) {
> +		addattr32(n, 1024, IFLA_XFRM_LINK, link);
> +	} else {
> +		fprintf(stderr, "must specify physical device\n");
> +		return -1;
> +	}
> +
> +	return 0;
> +}
> +
> +static void xfrm_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])
> +{
> +
> +	if (!tb)
> +		return;
> +
> +	if (tb[IFLA_XFRM_IF_ID]) {
> +		__u32 id = rta_getattr_u32(tb[IFLA_XFRM_IF_ID]);
> +
> +		print_0xhex(PRINT_ANY, "if_id", "if_id %#llx ", id);
> +
> +	}
> +
> +}
> +
> +struct link_util xfrm_link_util = {
> +	.id = "xfrm",
> +	.maxattr = IFLA_XFRM_MAX,
> +	.parse_opt = xfrm_parse_opt,
> +	.print_opt = xfrm_print_opt,
> +	.print_help = xfrm_print_help,
> +};
> diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
> index 5132f514..a361101a 100644
> --- a/man/man8/ip-link.8.in
> +++ b/man/man8/ip-link.8.in
> @@ -221,7 +221,8 @@ ip-link \- network device configuration
>  .BR vrf " |"
>  .BR macsec " |"
>  .BR netdevsim " |"
> -.BR rmnet " ]"
> +.BR rmnet " |"
> +.BR xfrm " ]"
>  
>  .ti -8
>  .IR ETYPE " := [ " TYPE " |"
> @@ -350,6 +351,9 @@ Link types:
>  .sp
>  .BR rmnet
>  - Qualcomm rmnet device
> +.sp
> +.BR xfrm
> +- Virtual xfrm interface
>  .in -8
>  
>  .TP
> @@ -1676,6 +1680,27 @@ the following additional arguments are supported:
>  
>  .in -8
>  
> +.TP
> +XFRM Type Support
> +For a link of type
> +.I XFRM
> +the following additional arguments are supported:
> +
> +.BI "ip link add " DEVICE " type xfrm dev " PHYS_DEV " [ if_id " IF_ID " ]"
> +
> +.in +8
> +.sp
> +.BI dev " PHYS_DEV "
> +- specifies the underlying physical interface from which transform traffic is sent and received.
> +
> +.sp
> +.BI if_id " IF-ID "
> +- specifies the hexadecimal lookup key used to send traffic to and from specific xfrm
> +policies. Policies must be configured with the same key. If not set, the key defaults to
> +0 and will match any policies which similarly do not have a lookup key configuration.
> +
> +.in -8
> +
>  .SS ip link delete - delete virtual link
>  
>  .TP
> diff --git a/testsuite/tests/ip/link/add_type_xfrm.t b/testsuite/tests/ip/link/add_type_xfrm.t
> new file mode 100755
> index 00000000..78ce28e0
> --- /dev/null
> +++ b/testsuite/tests/ip/link/add_type_xfrm.t
> @@ -0,0 +1,32 @@
> +#!/bin/sh
> +
> +. lib/generic.sh
> +
> +ts_log "[Testing Add XFRM Interface, With IF-ID]"
> +
> +PHYS_DEV="lo"
> +NEW_DEV="$(rand_dev)"
> +IF_ID="0xf"
> +
> +ts_ip "$0" "Add $NEW_DEV xfrm interface"    link add dev $NEW_DEV type xfrm dev $PHYS_DEV if_id $IF_ID
> +
> +ts_ip "$0" "Show $NEW_DEV xfrm interface"   -d link show dev $NEW_DEV
> +test_on "$NEW_DEV"
> +test_on "if_id $IF_ID"
> +
> +ts_ip "$0" "Del $NEW_DEV xfrm interface"   link del dev $NEW_DEV
> +
> +
> +ts_log "[Testing Add XFRM Interface, No IF-ID]"
> +
> +PHYS_DEV="lo"
> +NEW_DEV="$(rand_dev)"
> +IF_ID="0xf"
> +
> +ts_ip "$0" "Add $NEW_DEV xfrm interface"    link add dev $NEW_DEV type xfrm dev $PHYS_DEV
> +
> +ts_ip "$0" "Show $NEW_DEV xfrm interface"   -d link show dev $NEW_DEV
> +test_on "$NEW_DEV"
> +test_on_not "if_id $IF_ID"
> +
> +ts_ip "$0" "Del $NEW_DEV xfrm interface"   link del dev $NEW_DEV

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ