Message-ID: <e45ed911-8e48-4fac-9b56-d39471b0d631@openvpn.net>
Date: Mon, 23 Sep 2024 14:59:02 +0200
From: Antonio Quartulli <antonio@...nvpn.net>
To: Sergey Ryazanov <ryazanov.s.a@...il.com>
Cc: netdev@...r.kernel.org, kuba@...nel.org, pabeni@...hat.com,
edumazet@...gle.com, andrew@...n.ch, sd@...asysnail.net,
donald.hunter@...il.com
Subject: Re: [PATCH net-next v7 04/25] ovpn: add basic netlink support
On 23/09/2024 01:20, Sergey Ryazanov wrote:
> On 17.09.2024 04:07, Antonio Quartulli wrote:
>> + -
>> + name: set-peer
>> + attribute-set: ovpn
>> + flags: [ admin-perm ]
>> + doc: Add or modify a remote peer
>
> As Donald already mentioned, the typical approach to manage objects via
> Netlink is to provide an interface with four commands: New, Set, Get,
> Del. Here, a peer is created implicitly using the "set" command. Out of
> curiosity, what is the reason to create peers in such a way?
To be honest, I just wanted to keep the API as concise as possible, and
having ADD and SET looked like duplicating methods from a conceptual
perspective.
What userspace wants is "ensure we have a peer with ID X and these
attributes". Whether this ID was already known is not extremely important.
I can understand that in other contexts knowing if an object already exists
can be crucial.
>
> Is the reason to create keys also implicitly same?
Basically yes: userspace tells kernelspace "this is what I have
configured in my slots - make sure to have the same".
(This statement also goes back to the other reply I have sent regarding
changing the KEY APIs.)
Cheers,
>
>> + do:
>> + pre: ovpn-nl-pre-doit
>> + post: ovpn-nl-post-doit
>> + request:
>> + attributes:
>> + - ifindex
>> + - peer
>> + -
>> + name: get-peer
>> + attribute-set: ovpn
>> + flags: [ admin-perm ]
>> + doc: Retrieve data about existing remote peers (or a specific one)
>> + do:
>> + pre: ovpn-nl-pre-doit
>> + post: ovpn-nl-post-doit
>> + request:
>> + attributes:
>> + - ifindex
>> + - peer
>> + reply:
>> + attributes:
>> + - peer
>> + dump:
>> + request:
>> + attributes:
>> + - ifindex
>> + reply:
>> + attributes:
>> + - peer
>> + -
>> + name: del-peer
>> + attribute-set: ovpn
>> + flags: [ admin-perm ]
>> + doc: Delete existing remote peer
>> + do:
>> + pre: ovpn-nl-pre-doit
>> + post: ovpn-nl-post-doit
>> + request:
>> + attributes:
>> + - ifindex
>> + - peer
>> + -
>> + name: set-key
>> + attribute-set: ovpn
>> + flags: [ admin-perm ]
>> + doc: Add or modify a cipher key for a specific peer
>> + do:
>> + pre: ovpn-nl-pre-doit
>> + post: ovpn-nl-post-doit
>> + request:
>> + attributes:
>> + - ifindex
>> + - peer
>> + -
>> + name: swap-keys
>> + attribute-set: ovpn
>> + flags: [ admin-perm ]
>> + doc: Swap primary and secondary session keys for a specific peer
>> + do:
>> + pre: ovpn-nl-pre-doit
>> + post: ovpn-nl-post-doit
>> + request:
>> + attributes:
>> + - ifindex
>> + - peer
>> + -
>> + name: del-key
>> + attribute-set: ovpn
>> + flags: [ admin-perm ]
>> + doc: Delete cipher key for a specific peer
>> + do:
>> + pre: ovpn-nl-pre-doit
>> + post: ovpn-nl-post-doit
>> + request:
>> + attributes:
>> + - ifindex
>> + - peer
>> +
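Review bot: set-key, swap-keys and del-key in this hunk declare exactly the same request attributes as set-peer and del-peer (`ifindex`, `peer`), so the key slot and cipher parameters can only travel nested inside `peer`, and the per-command policy cannot distinguish a key operation that also carries peer-modifying fields from a legitimate set-peer; consider a dedicated top-level key attribute for the three key commands (and documenting in their `doc:` lines which nested fields each accepts) so that the generated policy rejects attributes a given command does not use.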
>
> --
> Sergey
>
--
Antonio Quartulli
OpenVPN Inc.