[PATCH v4 iproute2 -next 1/2] include/linux: update xfrm.h

[PATCH v4 iproute2 -next 1/2] include/linux: update xfrm.h

[Nicolas Dichtel]

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
Note that this patch is based on net-next.

v4: use C99 initializers for all structure

v3: use C99 initializers

 include/linux/xfrm.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/include/linux/xfrm.h b/include/linux/xfrm.h
index 341c3c951dac..fa2ecb2eb998 100644
--- a/include/linux/xfrm.h
+++ b/include/linux/xfrm.h
@@ -298,6 +298,8 @@ enum xfrm_attr_type_t {
 	XFRMA_TFCPAD,		/* __u32 */
 	XFRMA_REPLAY_ESN_VAL,	/* struct xfrm_replay_esn */
 	XFRMA_SA_EXTRA_FLAGS,	/* __u32 */
+	XFRMA_PROTO,		/* __u8 */
+	XFRMA_ADDRESS_FILTER,	/* struct xfrm_address_filter */
 	__XFRMA_MAX
 
 #define XFRMA_MAX (__XFRMA_MAX - 1)
@@ -474,6 +476,14 @@ struct xfrm_user_mapping {
 	__be16				new_sport;
 };
 
+struct xfrm_address_filter {
+	xfrm_address_t			saddr;
+	xfrm_address_t			daddr;
+	__u16				family;
+	__u8				splen;
+	__u8				dplen;
+};
+
 /* backwards compatibility for userspace */
 #define XFRMGRP_ACQUIRE		1
 #define XFRMGRP_EXPIRE		2
-- 
1.8.5.4

[PATCH v4 iproute2 -next 2/2] ipxfrm: allow to setup filter when dumping SA

[Nicolas Dichtel]

It's now possible to filter SA directly into the kernel by specifying
XFRMA_PROTO and/or XFRMA_ADDRESS_FILTER.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
Note that this patch is intended to work with net-next.

v4: use C99 initializers for all structure

v3: use C99 initializers

 ip/xfrm_state.c | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
index 140a4503b799..fe7708e533f3 100644
--- a/ip/xfrm_state.c
+++ b/ip/xfrm_state.c
@@ -1136,7 +1136,30 @@ static int xfrm_state_list_or_deleteall(int argc, char **argv, int deleteall)
 		}
 
 	} else {
-		if (rtnl_wilddump_request(&rth, preferred_family, XFRM_MSG_GETSA) < 0) {
+		struct xfrm_address_filter addrfilter = {
+			.saddr = filter.xsinfo.saddr,
+			.daddr = filter.xsinfo.id.daddr,
+			.family = filter.xsinfo.family,
+			.splen = filter.id_src_mask,
+			.dplen = filter.id_dst_mask,
+		};
+		struct {
+			struct nlmsghdr n;
+			char buf[NLMSG_BUF_SIZE];
+		} req = {
+			.n.nlmsg_len = NLMSG_HDRLEN,
+			.n.nlmsg_flags = NLM_F_DUMP | NLM_F_REQUEST,
+			.n.nlmsg_type = XFRM_MSG_GETSA,
+			.n.nlmsg_seq = rth.dump = ++rth.seq,
+		};
+
+		if (filter.xsinfo.id.proto)
+			addattr8(&req.n, sizeof(req), XFRMA_PROTO,
+				 filter.xsinfo.id.proto);
+		addattr_l(&req.n, sizeof(req), XFRMA_ADDRESS_FILTER,
+			  &addrfilter, sizeof(addrfilter));
+
+		if (rtnl_send(&rth, (void *)&req, req.n.nlmsg_len) < 0) {
 			perror("Cannot send dump request");
 			exit(1);
 		}
-- 
1.8.5.4

Re: [PATCH v4 iproute2 -next 2/2] ipxfrm: allow to setup filter when dumping SA

[Stephen Hemminger]

On Fri, 21 Mar 2014 11:02:43 +0100
Nicolas Dichtel <nicolas.dichtel@6wind.com> wrote:

> It's now possible to filter SA directly into the kernel by specifying
> XFRMA_PROTO and/or XFRMA_ADDRESS_FILTER.
> 
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> ---
> Note that this patch is intended to work with net-next.
> 
> v4: use C99 initializers for all structure
> 
> v3: use C99 initializers
> 
>  ip/xfrm_state.c | 25 ++++++++++++++++++++++++-
>  1 file changed, 24 insertions(+), 1 deletion(-)

Applied to net-next branch