[PATCH iproute2 -next 1/3] ipxfrm: prepares update of include/linux/xfrm.h

[PATCH iproute2 -next 1/3] ipxfrm: prepares update of include/linux/xfrm.h

[Nicolas Dichtel]

'struct xfrm_filter' is now defined by the kernel API. Let's rename the one
defined in iproute2 to 'struct ipxfrm_filter'.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 ip/ipxfrm.c | 2 +-
 ip/xfrm.h   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index cce51518170c..ff6cb2c2dda5 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -53,7 +53,7 @@
 		} \
 	} while(0);
 
-struct xfrm_filter filter;
+struct ipxfrm_filter filter;
 
 static void usage(void) __attribute__((noreturn));
 
diff --git a/ip/xfrm.h b/ip/xfrm.h
index 773c92e99e9e..31cc89a0f19a 100644
--- a/ip/xfrm.h
+++ b/ip/xfrm.h
@@ -74,7 +74,7 @@ struct xfrm_buffer {
 	struct rtnl_handle *rth;
 };
 
-struct xfrm_filter {
+struct ipxfrm_filter {
 	int use;
 
 	struct xfrm_usersa_info xsinfo;
@@ -105,7 +105,7 @@ struct xfrm_filter {
 };
 #define XFRM_FILTER_MASK_FULL (~0)
 
-extern struct xfrm_filter filter;
+extern struct ipxfrm_filter filter;
 
 int xfrm_state_print(const struct sockaddr_nl *who, struct nlmsghdr *n,
 		     void *arg);
-- 
1.8.5.4

[PATCH iproute2 -next 2/3] include/linux: update xfrm.h

[Nicolas Dichtel]

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---

Note that this patch is based on net-next.

 include/linux/xfrm.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index 341c3c951dac..694aa90df7d8 100644
--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
@@ -298,6 +298,8 @@ enum xfrm_attr_type_t {
 	XFRMA_TFCPAD,		/* __u32 */
 	XFRMA_REPLAY_ESN_VAL,	/* struct xfrm_replay_esn */
 	XFRMA_SA_EXTRA_FLAGS,	/* __u32 */
+	XFRMA_PROTO,		/* __u8 */
+	XFRMA_FILTER,		/* struct xfrm_filter */
 	__XFRMA_MAX
 
 #define XFRMA_MAX (__XFRMA_MAX - 1)
@@ -474,6 +476,14 @@ struct xfrm_user_mapping {
 	__be16				new_sport;
 };
 
+struct xfrm_filter {
+	xfrm_address_t			saddr;
+	xfrm_address_t			daddr;
+	__u16				family;
+	__u8				splen;
+	__u8				dplen;
+};
+
 /* backwards compatibility for userspace */
 #define XFRMGRP_ACQUIRE		1
 #define XFRMGRP_EXPIRE		2
-- 
1.8.5.4

Re: [PATCH iproute2 -next 2/3] include/linux: update xfrm.h

[Stephen Hemminger]

On Mon,  3 Mar 2014 15:36:06 +0100
Nicolas Dichtel <nicolas.dichtel@6wind.com> wrote:

> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> ---

Sigh. couldn't you have chosen another variable name.
As it is new kernel headers with old iproute2 source will break.

Re: [PATCH iproute2 -next 2/3] include/linux: update xfrm.h

[Nicolas Dichtel]

Le 05/03/2014 02:03, Stephen Hemminger a écrit :
> On Mon,  3 Mar 2014 15:36:06 +0100
> Nicolas Dichtel <nicolas.dichtel@6wind.com> wrote:
>
>> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>> ---
>
> Sigh. couldn't you have chosen another variable name.
> As it is new kernel headers with old iproute2 source will break.
>
I noticed this after finishing the kernel part.
I have not thought about this because kernel headers are embedded in iproute2.

[PATCH net-next] xfrm: rename struct xfrm_filter

[Nicolas Dichtel]

iproute2 already defines a structure with that name, let's use another one to
avoid any conflict.

CC: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---

The structure and the attribute exist only in net-next, hence we can update
the name.

 include/net/xfrm.h        | 4 ++--
 include/uapi/linux/xfrm.h | 4 ++--
 net/key/af_key.c          | 2 +-
 net/xfrm/xfrm_state.c     | 4 ++--
 net/xfrm/xfrm_user.c      | 8 ++++----
 5 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 23bfd4591e8b..cbb728d9f107 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -121,7 +121,7 @@ struct xfrm_state_walk {
 	u8			dying;
 	u8			proto;
 	u32			seq;
-	struct xfrm_filter	*filter;
+	struct xfrm_address_filter *filter;
 };
 
 /* Full description of state of transformer. */
@@ -1423,7 +1423,7 @@ static inline void xfrm_sysctl_fini(struct net *net)
 #endif
 
 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
-			  struct xfrm_filter *filter);
+			  struct xfrm_address_filter *filter);
 int xfrm_state_walk(struct net *net, struct xfrm_state_walk *walk,
 		    int (*func)(struct xfrm_state *, int, void*), void *);
 void xfrm_state_walk_done(struct xfrm_state_walk *walk, struct net *net);
diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
index 6550c679584f..25e5dd916ba4 100644
--- a/include/uapi/linux/xfrm.h
+++ b/include/uapi/linux/xfrm.h
@@ -299,7 +299,7 @@ enum xfrm_attr_type_t {
 	XFRMA_REPLAY_ESN_VAL,	/* struct xfrm_replay_esn */
 	XFRMA_SA_EXTRA_FLAGS,	/* __u32 */
 	XFRMA_PROTO,		/* __u8 */
-	XFRMA_FILTER,		/* struct xfrm_filter */
+	XFRMA_ADDRESS_FILTER,	/* struct xfrm_address_filter */
 	__XFRMA_MAX
 
 #define XFRMA_MAX (__XFRMA_MAX - 1)
@@ -476,7 +476,7 @@ struct xfrm_user_mapping {
 	__be16				new_sport;
 };
 
-struct xfrm_filter {
+struct xfrm_address_filter {
 	xfrm_address_t			saddr;
 	xfrm_address_t			daddr;
 	__u16				family;
diff --git a/net/key/af_key.c b/net/key/af_key.c
index a50d979b5926..12651b42aad8 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1799,7 +1799,7 @@ static void pfkey_dump_sa_done(struct pfkey_sock *pfk)
 static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_msg *hdr, void * const *ext_hdrs)
 {
 	u8 proto;
-	struct xfrm_filter *filter = NULL;
+	struct xfrm_address_filter *filter = NULL;
 	struct pfkey_sock *pfk = pfkey_sk(sk);
 
 	if (pfk->dump.dump != NULL)
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 06970fee9155..8e9c781a6bba 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1609,7 +1609,7 @@ unlock:
 EXPORT_SYMBOL(xfrm_alloc_spi);
 
 static bool __xfrm_state_filter_match(struct xfrm_state *x,
-				      struct xfrm_filter *filter)
+				      struct xfrm_address_filter *filter)
 {
 	if (filter) {
 		if ((filter->family == AF_INET ||
@@ -1668,7 +1668,7 @@ out:
 EXPORT_SYMBOL(xfrm_state_walk);
 
 void xfrm_state_walk_init(struct xfrm_state_walk *walk, u8 proto,
-			  struct xfrm_filter *filter)
+			  struct xfrm_address_filter *filter)
 {
 	INIT_LIST_HEAD(&walk->all);
 	walk->proto = proto;
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 195dbe230b98..cdd9e9c7ff0e 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -899,7 +899,7 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
 
 	if (!cb->args[0]) {
 		struct nlattr *attrs[XFRMA_MAX+1];
-		struct xfrm_filter *filter = NULL;
+		struct xfrm_address_filter *filter = NULL;
 		u8 proto = 0;
 		int err;
 
@@ -910,12 +910,12 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb)
 		if (err < 0)
 			return err;
 
-		if (attrs[XFRMA_FILTER]) {
+		if (attrs[XFRMA_ADDRESS_FILTER]) {
 			filter = kmalloc(sizeof(*filter), GFP_KERNEL);
 			if (filter == NULL)
 				return -ENOMEM;
 
-			memcpy(filter, nla_data(attrs[XFRMA_FILTER]),
+			memcpy(filter, nla_data(attrs[XFRMA_ADDRESS_FILTER]),
 			       sizeof(*filter));
 		}
 
@@ -2329,7 +2329,7 @@ static const struct nla_policy xfrma_policy[XFRMA_MAX+1] = {
 	[XFRMA_REPLAY_ESN_VAL]	= { .len = sizeof(struct xfrm_replay_state_esn) },
 	[XFRMA_SA_EXTRA_FLAGS]	= { .type = NLA_U32 },
 	[XFRMA_PROTO]		= { .type = NLA_U8 },
-	[XFRMA_FILTER]		= { .len = sizeof(struct xfrm_filter) },
+	[XFRMA_ADDRESS_FILTER]	= { .len = sizeof(struct xfrm_address_filter) },
 };
 
 static const struct xfrm_link {
-- 
1.8.5.4

Re: [PATCH net-next] xfrm: rename struct xfrm_filter

[Steffen Klassert]

On Thu, Mar 06, 2014 at 06:24:29PM +0100, Nicolas Dichtel wrote:
> iproute2 already defines a structure with that name, let's use another one to
> avoid any conflict.
> 
> CC: Stephen Hemminger <stephen@networkplumber.org>
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>

Applied to ipsec-next, thanks!

[PATCH iproute2 -next 3/3] ipxfrm: allow to setup filter when dumping SA

[Nicolas Dichtel]

It's now possible to filter SA directly into the kernel by specifying
XFRMA_PROTO and/or XFRMA_FILTER.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---

Note that this patch is intended to work with net-next.

 ip/xfrm_state.c | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
index 140a4503b799..61f6d930b2d2 100644
--- a/ip/xfrm_state.c
+++ b/ip/xfrm_state.c
@@ -1136,7 +1136,35 @@ static int xfrm_state_list_or_deleteall(int argc, char **argv, int deleteall)
 		}
 
 	} else {
-		if (rtnl_wilddump_request(&rth, preferred_family, XFRM_MSG_GETSA) < 0) {
+		struct xfrm_filter safilter;
+		struct {
+			struct nlmsghdr n;
+			char buf[NLMSG_BUF_SIZE];
+		} req;
+
+		memset(&safilter, 0, sizeof(safilter));
+		safilter.family = filter.xsinfo.family;
+		memcpy(&safilter.saddr, &filter.xsinfo.saddr,
+		       sizeof(xfrm_address_t));
+		safilter.splen = filter.id_src_mask;
+		memcpy(&safilter.daddr, &filter.xsinfo.id.daddr,
+		       sizeof(xfrm_address_t));
+		safilter.dplen = filter.id_dst_mask;
+
+		memset(&req, 0, sizeof(req));
+		req.n.nlmsg_len = NLMSG_HDRLEN;
+		req.n.nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST;
+		req.n.nlmsg_type = XFRM_MSG_GETSA;
+		req.n.nlmsg_pid = 0;
+		req.n.nlmsg_seq = rth.dump = ++rth.seq;
+
+		if (filter.xsinfo.id.proto)
+			addattr8(&req.n, sizeof(req), XFRMA_PROTO,
+				 filter.xsinfo.id.proto);
+		addattr_l(&req.n, sizeof(req), XFRMA_FILTER, &safilter,
+			  sizeof(safilter));
+
+		if (rtnl_send(&rth, (void *)&req, req.n.nlmsg_len) < 0) {
 			perror("Cannot send dump request");
 			exit(1);
 		}
-- 
1.8.5.4