| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 19 Jan 2020 11:32:09 +0100
From: Sabrina Dubroca <sd@...asysnail.net>
To: netdev@...r.kernel.org
Cc: Stephen Hemminger <stephen@...workplumber.org>,
David Ahern <dsahern@...il.com>,
Sabrina Dubroca <sd@...asysnail.net>,
Herbert Xu <herbert@...dor.apana.org.au>
Subject: [PATCH iproute2-next v2] ip: xfrm: add espintcp encapsulation
While at it, convert xfrm_xfrma_print and xfrm_encap_type_parse to use
the UAPI macros for encap_type as suggested by David Ahern, and add the
UAPI udp.h header (sync'd from ipsec-next to get the TCP_ENCAP_ESPINTCP
definition).
Co-developed-by: Herbert Xu <herbert@...dor.apana.org.au>
Signed-off-by: Sabrina Dubroca <sd@...asysnail.net>
---
v2: add udp.h header and use the macros
include/uapi/linux/udp.h | 47 ++++++++++++++++++++++++++++++++++++++++
ip/ipxfrm.c | 14 ++++++++----
ip/xfrm_state.c | 2 +-
man/man8/ip-xfrm.8 | 4 ++--
4 files changed, 60 insertions(+), 7 deletions(-)
create mode 100644 include/uapi/linux/udp.h
diff --git a/include/uapi/linux/udp.h b/include/uapi/linux/udp.h
new file mode 100644
index 000000000000..2d1f561b89d2
--- /dev/null
+++ b/include/uapi/linux/udp.h
@@ -0,0 +1,47 @@
+/* SPDX-License-Identifier: GPL-2.0+ WITH Linux-syscall-note */
+/*
+ * INET An implementation of the TCP/IP protocol suite for the LINUX
+ * operating system. INET is implemented using the BSD Socket
+ * interface as the means of communication with the user level.
+ *
+ * Definitions for the UDP protocol.
+ *
+ * Version: @(#)udp.h 1.0.2 04/28/93
+ *
+ * Author: Fred N. van Kempen, <waltje@...lt.NL.Mugnet.ORG>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ */
+#ifndef _UDP_H
+#define _UDP_H
+
+#include <linux/types.h>
+
+struct udphdr {
+ __be16 source;
+ __be16 dest;
+ __be16 len;
+ __sum16 check;
+};
+
+/* UDP socket options */
+#define UDP_CORK 1 /* Never send partially complete segments */
+#define UDP_ENCAP 100 /* Set the socket to accept encapsulated packets */
+#define UDP_NO_CHECK6_TX 101 /* Disable sending checksum for UDP6X */
+#define UDP_NO_CHECK6_RX 102 /* Disable accpeting checksum for UDP6 */
+#define UDP_SEGMENT 103 /* Set GSO segmentation size */
+#define UDP_GRO 104 /* This socket can receive UDP GRO packets */
+
+/* UDP encapsulation types */
+#define UDP_ENCAP_ESPINUDP_NON_IKE 1 /* draft-ietf-ipsec-nat-t-ike-00/01 */
+#define UDP_ENCAP_ESPINUDP 2 /* draft-ietf-ipsec-udp-encaps-06 */
+#define UDP_ENCAP_L2TPINUDP 3 /* rfc2661 */
+#define UDP_ENCAP_GTP0 4 /* GSM TS 09.60 */
+#define UDP_ENCAP_GTP1U 5 /* 3GPP TS 29.060 */
+#define UDP_ENCAP_RXRPC 6
+#define TCP_ENCAP_ESPINTCP 7 /* Yikes, this is really xfrm encap types. */
+
+#endif /* _UDP_H */
diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index 32f560933a47..fec206abc1f0 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -34,6 +34,7 @@
#include <netdb.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>
+#include <linux/udp.h>
#include "utils.h"
#include "xfrm.h"
@@ -753,12 +754,15 @@ void xfrm_xfrma_print(struct rtattr *tb[], __u16 family,
fprintf(fp, "type ");
switch (e->encap_type) {
- case 1:
+ case UDP_ENCAP_ESPINUDP_NON_IKE:
fprintf(fp, "espinudp-nonike ");
break;
- case 2:
+ case UDP_ENCAP_ESPINUDP:
fprintf(fp, "espinudp ");
break;
+ case TCP_ENCAP_ESPINTCP:
+ fprintf(fp, "espintcp ");
+ break;
default:
fprintf(fp, "%u ", e->encap_type);
break;
@@ -1208,9 +1212,11 @@ int xfrm_encap_type_parse(__u16 *type, int *argcp, char ***argvp)
char **argv = *argvp;
if (strcmp(*argv, "espinudp-nonike") == 0)
- *type = 1;
+ *type = UDP_ENCAP_ESPINUDP_NON_IKE;
else if (strcmp(*argv, "espinudp") == 0)
- *type = 2;
+ *type = UDP_ENCAP_ESPINUDP;
+ else if (strcmp(*argv, "espintcp") == 0)
+ *type = TCP_ENCAP_ESPINTCP;
else
invarg("ENCAP-TYPE value is invalid", *argv);
diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
index b03ccc5807e9..df2d50c3843b 100644
--- a/ip/xfrm_state.c
+++ b/ip/xfrm_state.c
@@ -130,7 +130,7 @@ static void usage(void)
"LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT\n"
"LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SECONDS |\n"
" { byte-soft | byte-hard } SIZE | { packet-soft | packet-hard } COUNT\n"
- "ENCAP := { espinudp | espinudp-nonike } SPORT DPORT OADDR\n"
+ "ENCAP := { espinudp | espinudp-nonike | espintcp } SPORT DPORT OADDR\n"
"DIR := in | out\n");
exit(-1);
diff --git a/man/man8/ip-xfrm.8 b/man/man8/ip-xfrm.8
index cfce1e40b7f7..f99f30bb448a 100644
--- a/man/man8/ip-xfrm.8
+++ b/man/man8/ip-xfrm.8
@@ -207,7 +207,7 @@ ip-xfrm \- transform configuration
.ti -8
.IR ENCAP " :="
-.RB "{ " espinudp " | " espinudp-nonike " }"
+.RB "{ " espinudp " | " espinudp-nonike " | " espintcp " }"
.IR SPORT " " DPORT " " OADDR
.ti -8
@@ -548,7 +548,7 @@ sets limits in seconds, bytes, or numbers of packets.
.TP
.I ENCAP
encapsulates packets with protocol
-.BR espinudp " or " espinudp-nonike ","
+.BR espinudp ", " espinudp-nonike ", or " espintcp ","
.RI "using source port " SPORT ", destination port " DPORT
.RI ", and original address " OADDR "."
--
2.25.0
Powered by blists - more mailing lists