| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <e45ed911-8e48-4fac-9b56-d39471b0d631@openvpn.net> Date: Mon, 23 Sep 2024 14:59:02 +0200 From: Antonio Quartulli <antonio@...nvpn.net> To: Sergey Ryazanov <ryazanov.s.a@...il.com> Cc: netdev@...r.kernel.org, kuba@...nel.org, pabeni@...hat.com, edumazet@...gle.com, andrew@...n.ch, sd@...asysnail.net, donald.hunter@...il.com Subject: Re: [PATCH net-next v7 04/25] ovpn: add basic netlink support On 23/09/2024 01:20, Sergey Ryazanov wrote: > On 17.09.2024 04:07, Antonio Quartulli wrote: >> + - >> + name: set-peer >> + attribute-set: ovpn >> + flags: [ admin-perm ] >> + doc: Add or modify a remote peer > > As Donald already mentioned, the typical approach to manage objects via > Netlink is to provide an interface with four commands: New, Set, Get, > Del. Here, peer created implicitely using the "set" comand. Out of > curiosity, what the reason to create peers in the such way? To be honest, I just wanted to keep the API as concise as possible and having ADD and SET looked like duplicating methods, from a conceptual perspective. What userspace wants is "ensure we have a peer with ID X and these attributes". If this ID was already known is not extremely important. I can understand in other contexts knowing if an object already exists can be crucial. > > Is the reason to create keys also implicitly same? basically yes: userspace tells kernelspace "this is what I have configured in my slots - make sure to have the same" (this statement also goes back to the other reply I have sent regarding changing the KEY APIs) Cheers, > >> + do: >> + pre: ovpn-nl-pre-doit >> + post: ovpn-nl-post-doit >> + request: >> + attributes: >> + - ifindex >> + - peer >> + - >> + name: get-peer >> + attribute-set: ovpn >> + flags: [ admin-perm ] >> + doc: Retrieve data about existing remote peers (or a specific one) >> + do: >> + pre: ovpn-nl-pre-doit >> + post: ovpn-nl-post-doit >> + request: >> + attributes: >> + - ifindex >> + - peer >> + reply: >> + attributes: >> + - peer >> + dump: >> + request: >> + attributes: >> + - ifindex >> + reply: >> + attributes: >> + - peer >> + - >> + name: del-peer >> + attribute-set: ovpn >> + flags: [ admin-perm ] >> + doc: Delete existing remote peer >> + do: >> + pre: ovpn-nl-pre-doit >> + post: ovpn-nl-post-doit >> + request: >> + attributes: >> + - ifindex >> + - peer >> + - >> + name: set-key >> + attribute-set: ovpn >> + flags: [ admin-perm ] >> + doc: Add or modify a cipher key for a specific peer >> + do: >> + pre: ovpn-nl-pre-doit >> + post: ovpn-nl-post-doit >> + request: >> + attributes: >> + - ifindex >> + - peer >> + - >> + name: swap-keys >> + attribute-set: ovpn >> + flags: [ admin-perm ] >> + doc: Swap primary and secondary session keys for a specific peer >> + do: >> + pre: ovpn-nl-pre-doit >> + post: ovpn-nl-post-doit >> + request: >> + attributes: >> + - ifindex >> + - peer >> + - >> + name: del-key >> + attribute-set: ovpn >> + flags: [ admin-perm ] >> + doc: Delete cipher key for a specific peer >> + do: >> + pre: ovpn-nl-pre-doit >> + post: ovpn-nl-post-doit >> + request: >> + attributes: >> + - ifindex >> + - peer >> + > > -- > Sergey > -- Antonio Quartulli OpenVPN Inc.
Powered by blists - more mailing lists