From: David Ahern <dsahern@gmail.com>
To: Nicolas Dichtel <nicolas.dichtel@6wind.com>, stephen@networkplumber.org
Cc: netdev@vger.kernel.org, antony.antony@secunet.com,
steffen.klassert@secunet.com
Subject: Re: [PATCH iproute2 v2] xfrm: enable to manage default policies
Date: Thu, 21 Oct 2021 08:55:46 -0600 [thread overview]
Message-ID: <1ee8e8ec-734b-eec7-1826-340c0d48f26e@gmail.com> (raw)
In-Reply-To: <20211018083045.27406-1-nicolas.dichtel@6wind.com>
On 10/18/21 2:30 AM, Nicolas Dichtel wrote:
> diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
> index ecd06396eb16..378b4092f26a 100644
> --- a/include/uapi/linux/xfrm.h
> +++ b/include/uapi/linux/xfrm.h
> @@ -213,13 +213,13 @@ enum {
> XFRM_MSG_GETSPDINFO,
> #define XFRM_MSG_GETSPDINFO XFRM_MSG_GETSPDINFO
>
> + XFRM_MSG_MAPPING,
> +#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
> +
> XFRM_MSG_SETDEFAULT,
> #define XFRM_MSG_SETDEFAULT XFRM_MSG_SETDEFAULT
> XFRM_MSG_GETDEFAULT,
> #define XFRM_MSG_GETDEFAULT XFRM_MSG_GETDEFAULT
> -
> - XFRM_MSG_MAPPING,
> -#define XFRM_MSG_MAPPING XFRM_MSG_MAPPING
> __XFRM_MSG_MAX
> };
> #define XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)
> @@ -514,9 +514,12 @@ struct xfrm_user_offload {
> #define XFRM_OFFLOAD_INBOUND 2
>
> struct xfrm_userpolicy_default {
> -#define XFRM_USERPOLICY_DIRMASK_MAX (sizeof(__u8) * 8)
> - __u8 dirmask;
> - __u8 action;
> +#define XFRM_USERPOLICY_UNSPEC 0
> +#define XFRM_USERPOLICY_BLOCK 1
> +#define XFRM_USERPOLICY_ACCEPT 2
> + __u8 in;
> + __u8 fwd;
> + __u8 out;
> };
>
> /* backwards compatibility for userspace */
that is already updated in iproute2-next.
> diff --git a/ip/xfrm_policy.c b/ip/xfrm_policy.c
> index 7cc00e7c2f5b..744f331ff564 100644
> --- a/ip/xfrm_policy.c
> +++ b/ip/xfrm_policy.c
> @@ -1124,6 +1126,121 @@ static int xfrm_spd_getinfo(int argc, char **argv)
> return 0;
> }
>
> +static int xfrm_spd_setdefault(int argc, char **argv)
> +{
> + struct rtnl_handle rth;
> + struct {
> + struct nlmsghdr n;
> + struct xfrm_userpolicy_default up;
> + } req = {
> + .n.nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_default)),
> + .n.nlmsg_flags = NLM_F_REQUEST,
> + .n.nlmsg_type = XFRM_MSG_SETDEFAULT,
> + };
> +
> + while (argc > 0) {
> + if (strcmp(*argv, "in") == 0) {
> + if (req.up.in)
> + duparg("in", *argv);
> +
> + NEXT_ARG();
> + if (strcmp(*argv, "block") == 0)
> + req.up.in = XFRM_USERPOLICY_BLOCK;
> + else if (strcmp(*argv, "accept") == 0)
> + req.up.in = XFRM_USERPOLICY_ACCEPT;
> + else
> + invarg("in policy value is invalid", *argv);
> + } else if (strcmp(*argv, "fwd") == 0) {
> + if (req.up.fwd)
> + duparg("fwd", *argv);
> +
> + NEXT_ARG();
> + if (strcmp(*argv, "block") == 0)
> + req.up.fwd = XFRM_USERPOLICY_BLOCK;
> + else if (strcmp(*argv, "accept") == 0)
> + req.up.fwd = XFRM_USERPOLICY_ACCEPT;
> + else
> + invarg("fwd policy value is invalid", *argv);
> + } else if (strcmp(*argv, "out") == 0) {
> + if (req.up.out)
> + duparg("out", *argv);
> +
> + NEXT_ARG();
> + if (strcmp(*argv, "block") == 0)
> + req.up.out = XFRM_USERPOLICY_BLOCK;
> + else if (strcmp(*argv, "accept") == 0)
> + req.up.out = XFRM_USERPOLICY_ACCEPT;
> + else
> + invarg("out policy value is invalid", *argv);
> + } else {
> + invarg("unknown direction", *argv);
> + }
> +
> + argc--; argv++;
> + }
> +
> + if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
> + exit(1);
> +
> + if (rtnl_talk(&rth, &req.n, NULL) < 0)
> + exit(2);
> +
> + rtnl_close(&rth);
> +
> + return 0;
> +}
> +
> +int xfrm_policy_default_print(struct nlmsghdr *n, FILE *fp)
> +{
> + struct xfrm_userpolicy_default *up = NLMSG_DATA(n);
> + int len = n->nlmsg_len - NLMSG_SPACE(sizeof(*up));
> +
> + if (len < 0) {
> + fprintf(stderr,
> + "BUG: short nlmsg len %u (expect %lu) for XFRM_MSG_GETDEFAULT\n",
> + n->nlmsg_len, NLMSG_SPACE(sizeof(*up)));
> + return -1;
> + }
> +
> + fprintf(fp, "Default policies:\n");
> + fprintf(fp, " in: %s\n",
> + up->in == XFRM_USERPOLICY_BLOCK ? "block" : "accept");
> + fprintf(fp, " fwd: %s\n",
> + up->fwd == XFRM_USERPOLICY_BLOCK ? "block" : "accept");
> + fprintf(fp, " out: %s\n",
> + up->out == XFRM_USERPOLICY_BLOCK ? "block" : "accept");
> + fflush(fp);
> +
> + return 0;
> +}
> +
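Review bot: The short-message diagnostic in xfrm_policy_default_print passes NLMSG_SPACE(sizeof(*up)), a size_t-typed expression, to a `%lu` conversion, which is a format/argument mismatch wherever size_t is not unsigned long (32-bit builds); the specifier should be `%zu`: `"BUG: short nlmsg len %u (expect %zu) for XFRM_MSG_GETDEFAULT\n",`. The `len` variable above it exists only for that sign check, so a one-line comment such as `/* reply must carry a complete xfrm_userpolicy_default before it is read */` would make the guard's purpose explicit. Separately, the three ternaries report "accept" for every value other than XFRM_USERPOLICY_BLOCK, including XFRM_USERPOLICY_UNSPEC; if the kernel can return UNSPEC for a direction that was never set, the output would describe that state as "accept", which is worth confirming against the kernel side rather than assuming. The quoted hunk is trimmed (its header advertises +121 lines), so the rest of this change is not visible here.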
create xfrm_str_to_policy and xfrm_policy_to_str helpers for the
conversions from "block" and "accept" to XFRM_USERPOLICY_BLOCK and
XFRM_USERPOLICY_ACCEPT and back.