* [PATCH] Add nl_open to libnetlink
@ 2004-07-03  9:46 Herbert Xu
  2004-07-05  7:05 ` Masahide NAKAMURA
  0 siblings, 1 reply; 15+ messages in thread
From: Herbert Xu @ 2004-07-03  9:46 UTC (permalink / raw)
  To: Stephen Hemminger, netdev

[-- Attachment #1: Type: text/plain, Size: 518 bytes --]

Hi Stephen:

I'm in the process of writing two new modules for ip(8), ippolicy and
ipstate which will be a NETLINK based replacement for setkey.

In order to do so, I need to get libnetlink to speak the XFRM protocol.
Thus I've added a new nl_open function which allows the protocol to
be specified.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

[-- Attachment #2: p --]
[-- Type: text/plain, Size: 1548 bytes --]

Index: include/libnetlink.h
===================================================================
RCS file: /home/gondolin/herbert/src/CVS/iproute/include/libnetlink.h,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- include/libnetlink.h	2 Jul 2004 17:53:03 -0000	1.1.1.1
+++ include/libnetlink.h	3 Jul 2004 09:34:05 -0000	1.2
@@ -15,6 +15,7 @@
 };
 
 extern int rtnl_open(struct rtnl_handle *rth, unsigned subscriptions);
+extern int nl_open(struct rtnl_handle *rth, unsigned subscriptions, int proto);
 extern void rtnl_close(struct rtnl_handle *rth);
 extern int rtnl_wilddump_request(struct rtnl_handle *rth, int fam, int type);
 extern int rtnl_dump_request(struct rtnl_handle *rth, int type, void *req, int len);
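
Review bot: The added nl_open() prototype is the only declaration in this header without the rtnl_ prefix, yet it fills a struct rtnl_handle and has to be paired with rtnl_close(). Either give it a name in the same family or add a one-line comment above it saying that proto is the netlink protocol number and that rtnl_open() is the NETLINK_ROUTE case.
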
Index: lib/libnetlink.c
===================================================================
RCS file: /home/gondolin/herbert/src/CVS/iproute/lib/libnetlink.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- lib/libnetlink.c	2 Jul 2004 17:53:03 -0000	1.1.1.1
+++ lib/libnetlink.c	3 Jul 2004 09:34:06 -0000	1.2
@@ -32,11 +32,16 @@
 
 int rtnl_open(struct rtnl_handle *rth, unsigned subscriptions)
 {
+	return nl_open(rth, subscriptions, NETLINK_ROUTE);
+}
+
+int nl_open(struct rtnl_handle *rth, unsigned subscriptions, int proto)
+{
 	int addr_len;
 
 	memset(rth, 0, sizeof(rth));
 
-	rth->fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+	rth->fd = socket(AF_NETLINK, SOCK_RAW, proto);
 	if (rth->fd < 0) {
 		perror("Cannot open netlink socket");
 		return -1;
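
Review bot: The context line memset(rth, 0, sizeof(rth)), now the first statement of nl_open(), clears only the size of a pointer, not the handle, because rth is a struct rtnl_handle *. Since this patch makes the function the common entry point for every netlink protocol, change it to sizeof(*rth) here so that callers do not start with uninitialised fields in the handle.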


* Re: [PATCH] Add nl_open to libnetlink
  2004-07-03  9:46 [PATCH] Add nl_open to libnetlink Herbert Xu
@ 2004-07-05  7:05 ` Masahide NAKAMURA
  2004-07-05  8:07   ` Herbert Xu
  2004-07-06 21:05   ` Stephen Hemminger
  0 siblings, 2 replies; 15+ messages in thread
From: Masahide NAKAMURA @ 2004-07-05  7:05 UTC (permalink / raw)
  To: Herbert Xu, Stephen Hemminger, netdev

Hello,

On Sat, 3 Jul 2004 19:46:32 +1000
Herbert Xu <herbert@gondor.apana.org.au> wrote:

> I'm in the process of writing two new modules for ip(8), ippolicy and
> ipstate which will be a NETLINK based replacement for setkey.
> 
> In order to do so, I need to get libnetlink to speak the XFRM protocol.
> Thus I've added a new nl_open function which allows the protocol to
> be specified.

I agree with it.

Anyway, I have code for ip(8) for a similar reason.
The patch is below:
http://www.linux-ipv6.org/~nakam/ipxfrm-20040705.diff

Can you take a look at it, Stephen and Herbert?

I'm in the process of writing Mobile IPv6 with extended xfrm,
so I'm interested in extending "ip(8) which can handle xfrm".

About "nl_open", my code is actually not the same as Herbert's, but
a similar change is in it (and Herbert's is also welcome to me).

My patch is:

- Checking SA's algorithm is not implemented yet
- Command line option is `ip xfrm policy` and `ip xfrm state`.
- defined "USE_MIP6" for Mobile IPv6.
	(please ignore MIPv6 now...)

# I can prepare a cleaner patch (e.g. removing the Mobile IPv6 part), if you want.

Regards,

-- 
Masahide NAKAMURA


* Re: [PATCH] Add nl_open to libnetlink
  2004-07-05  7:05 ` Masahide NAKAMURA
@ 2004-07-05  8:07   ` Herbert Xu
  2004-07-06 21:05   ` Stephen Hemminger
  1 sibling, 0 replies; 15+ messages in thread
From: Herbert Xu @ 2004-07-05  8:07 UTC (permalink / raw)
  To: Masahide NAKAMURA; +Cc: Stephen Hemminger, netdev

On Mon, Jul 05, 2004 at 04:05:00PM +0900, Masahide NAKAMURA wrote:
> 
> Anyway, I have code for ip(8) for a similar reason.
> The patch is below:
> http://www.linux-ipv6.org/~nakam/ipxfrm-20040705.diff
> 
> Can you take a look at it, Stephen and Herbert?

Excellent.  That'll save me a lot of work :) I'll have a look at it.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: [PATCH] Add nl_open to libnetlink
  2004-07-05  7:05 ` Masahide NAKAMURA
  2004-07-05  8:07   ` Herbert Xu
@ 2004-07-06 21:05   ` Stephen Hemminger
  2004-07-07  4:09     ` Masahide NAKAMURA
  1 sibling, 1 reply; 15+ messages in thread
From: Stephen Hemminger @ 2004-07-06 21:05 UTC (permalink / raw)
  To: Masahide NAKAMURA; +Cc: Herbert Xu, netdev

On Mon, 5 Jul 2004 16:05:00 +0900
Masahide NAKAMURA <nakam@linux-ipv6.org> wrote:

> Hello,
> 
> On Sat, 3 Jul 2004 19:46:32 +1000
> Herbert Xu <herbert@gondor.apana.org.au> wrote:
> 
> > I'm in the process of writing two new modules for ip(8), ippolicy and
> > ipstate which will be a NETLINK based replacement for setkey.
> > 
> > In order to do so, I need to get libnetlink to speak the XFRM protocol.
> > Thus I've added a new nl_open function which allows the protocol to
> > be specified.
> 
> I agree with it.
> 
> Anyway, I have code for ip(8) for a similar reason.
> The patch is below:
> http://www.linux-ipv6.org/~nakam/ipxfrm-20040705.diff

This code won't build with current kernel headers. There is no xfrmsel_icmp_type
in current 2.6 definition of struct xfrm_selector.
	


* Re: [PATCH] Add nl_open to libnetlink
  2004-07-06 21:05   ` Stephen Hemminger
@ 2004-07-07  4:09     ` Masahide NAKAMURA
  2004-07-07  5:05       ` Masahide NAKAMURA
  0 siblings, 1 reply; 15+ messages in thread
From: Masahide NAKAMURA @ 2004-07-07  4:09 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: Herbert Xu, netdev

On Tue, 6 Jul 2004 14:05:50 -0700
Stephen Hemminger <shemminger@osdl.org> wrote:

> On Mon, 5 Jul 2004 16:05:00 +0900
> Masahide NAKAMURA <nakam@linux-ipv6.org> wrote:
> 
> > Hello,
> > 
> > On Sat, 3 Jul 2004 19:46:32 +1000
> > Herbert Xu <herbert@gondor.apana.org.au> wrote:
> > 
> > > > I'm in the process of writing two new modules for ip(8), ippolicy and
> > > ipstate which will be a NETLINK based replacement for setkey.
> > > 
> > > In order to do so, I need to get libnetlink to speak the XFRM protocol.
> > > Thus I've added a new nl_open function which allows the protocol to
> > > be specified.
> > 
> > I agree with it.
> > 
> > Anyway, I have code for ip(8) for a similar reason.
> > The patch is below:
> > http://www.linux-ipv6.org/~nakam/ipxfrm-20040705.diff
> 
> This code won't build with current kernel headers. There is no xfrmsel_icmp_type
> in current 2.6 definition of struct xfrm_selector.

I've made another patch which can build with 2.6.7 kernel headers.
(And I removed some unnecessary code for the kernel.)

Try below:
http://www.linux-ipv6.org/~nakam/ipxfrm-20040707.diff


BTW, the definition in the previous patch is for understanding ICMP
type/code by xfrm_selector. I wrote the kernel feature and I'm
testing it. Anyway, I'll send it to the list, too.

Thanks,

-- 
Masahide NAKAMURA


* Re: [PATCH] Add nl_open to libnetlink
  2004-07-07  4:09     ` Masahide NAKAMURA
@ 2004-07-07  5:05       ` Masahide NAKAMURA
  2004-07-07  6:56         ` Masahide NAKAMURA
  0 siblings, 1 reply; 15+ messages in thread
From: Masahide NAKAMURA @ 2004-07-07  5:05 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: Herbert Xu, netdev

Oops, I'm sorry, the patch below is still broken.
Please wait while I fix it.

On Wed, 7 Jul 2004 13:09:50 +0900
Masahide NAKAMURA <nakam@linux-ipv6.org> wrote:

> Try below:
> http://www.linux-ipv6.org/~nakam/ipxfrm-20040707.diff
> 
> 
> BTW, the definition in the previous patch is for understanding ICMP
> type/code by xfrm_selector. I wrote the kernel feature and I'm
> testing it. Anyway, I'll send it to the list, too.
> 
> Thanks,
> 
> -- 
> Masahide NAKAMURA
> 
> 


-- 
Masahide NAKAMURA


* Re: [PATCH] Add nl_open to libnetlink
  2004-07-07  5:05       ` Masahide NAKAMURA
@ 2004-07-07  6:56         ` Masahide NAKAMURA
  2004-07-07 11:03           ` Herbert Xu
  2004-07-07 18:08           ` [PATCH] Add nl_open to libnetlink Stephen Hemminger
  0 siblings, 2 replies; 15+ messages in thread
From: Masahide NAKAMURA @ 2004-07-07  6:56 UTC (permalink / raw)
  To: Stephen Hemminger, Herbert Xu; +Cc: netdev

Hello Stephen and Herbert,

> > > On Sat, 3 Jul 2004 19:46:32 +1000
> > > Herbert Xu <herbert@gondor.apana.org.au> wrote:
> > > 
> > > > I'm in the process of writing two new modules for ip(8), ippolicy and
> > > > ipstate which will be a NETLINK based replacement for setkey.
> > > > 
> > > > In order to do so, I need to get libnetlink to speak the XFRM protocol.
> > > > Thus I've added a new nl_open function which allows the protocol to
> > > > be specified.
> > > 
> > > I agree with it.
> > > 
> > > Anyway, I have code for ip(8) for a similar reason.

I've updated the patch and it can build with 2.6.7 kernel headers.
Can you check it?

http://www.linux-ipv6.org/~nakam/ipxfrm-20040707_2.diff

-- 
Masahide NAKAMURA


* Re: [PATCH] Add nl_open to libnetlink
  2004-07-07  6:56         ` Masahide NAKAMURA
@ 2004-07-07 11:03           ` Herbert Xu
  2004-07-09  3:51             ` Masahide NAKAMURA
  2004-07-07 18:08           ` [PATCH] Add nl_open to libnetlink Stephen Hemminger
  1 sibling, 1 reply; 15+ messages in thread
From: Herbert Xu @ 2004-07-07 11:03 UTC (permalink / raw)
  To: Masahide NAKAMURA; +Cc: Stephen Hemminger, netdev

On Wed, Jul 07, 2004 at 03:56:02PM +0900, Masahide NAKAMURA wrote:
> 
> I've updated the patch and it can build with 2.6.7 kernel headers.
> Can you check it?
> 
> http://www.linux-ipv6.org/~nakam/ipxfrm-20040707_2.diff

Thanks.

Could you please change the output of ip xfrm policy/state so that
it can be fed directly back in? For example the output of ip ro ls
can be fed back into ip ro add.

Could you please also make it understand ip x p instead of ip x policy?

And there seems to be something wrong with the keys in the output of
ip x state.  There are too many f's for it to be right.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


* Re: [PATCH] Add nl_open to libnetlink
  2004-07-07  6:56         ` Masahide NAKAMURA
  2004-07-07 11:03           ` Herbert Xu
@ 2004-07-07 18:08           ` Stephen Hemminger
  1 sibling, 0 replies; 15+ messages in thread
From: Stephen Hemminger @ 2004-07-07 18:08 UTC (permalink / raw)
  To: Masahide NAKAMURA; +Cc: Herbert Xu, netdev

On Wed, 7 Jul 2004 15:56:02 +0900
Masahide NAKAMURA <nakam@linux-ipv6.org> wrote:

> Hello Stephen and Herbert,
> 
> > > > On Sat, 3 Jul 2004 19:46:32 +1000
> > > > Herbert Xu <herbert@gondor.apana.org.au> wrote:
> > > > 
> > > > > I'm in the process of writing two new modules for ip(8), ippolicy and
> > > > > ipstate which will be a NETLINK based replacement for setkey.
> > > > > 
> > > > > In order to do so, I need to get libnetlink to speak the XFRM protocol.
> > > > > Thus I've added a new nl_open function which allows the protocol to
> > > > > be specified.
> > > > 
> > > > I agree with it.
> > > > 
> > > > Anyway, I have code for ip(8) for a similar reason.
> 
> I've updated the patch and it can build with 2.6.7 kernel headers.
> Can you check it?
> 
> http://www.linux-ipv6.org/~nakam/ipxfrm-20040707_2.diff
> 

Got it, it builds and is in the current bk tree; will go out with next snapshot
this week.


* Re: [PATCH] Add nl_open to libnetlink
  2004-07-07 11:03           ` Herbert Xu
@ 2004-07-09  3:51             ` Masahide NAKAMURA
  2004-07-15  6:02               ` [PATCH 1/3] iproute2 and xfrm Masahide NAKAMURA
                                 ` (2 more replies)
  0 siblings, 3 replies; 15+ messages in thread
From: Masahide NAKAMURA @ 2004-07-09  3:51 UTC (permalink / raw)
  To: Herbert Xu; +Cc: Stephen Hemminger, netdev

Hi Herbert,

Thanks for the comments.

On Wed, 7 Jul 2004 21:03:15 +1000
Herbert Xu <herbert@gondor.apana.org.au> wrote:

> Could you please change the output of ip xfrm policy/state so that
> it can be fed directly back in? For example the output of ip ro ls
> can be fed back into ip ro add.

Yes. I'll fix the output to follow the current command line option.

> Could you please also make it understand ip x p instead of ip x policy?

Sure.

> And there seems to be something wrong with the keys in the output of
> ip x state.  There are too many f's for it to be right.

OK. I'll check it.


-- 
Masahide NAKAMURA


* [PATCH 1/3] iproute2 and xfrm
  2004-07-09  3:51             ` Masahide NAKAMURA
@ 2004-07-15  6:02               ` Masahide NAKAMURA
  2004-07-16 22:22                 ` Stephen Hemminger
       [not found]               ` <20040714174233.2fc7dbc2@localhost>
       [not found]               ` <20040714174637.0ce79ae1@localhost>
  2 siblings, 1 reply; 15+ messages in thread
From: Masahide NAKAMURA @ 2004-07-15  6:02 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: Herbert Xu, netdev, nakam

Hello,

This patch is a minor fix for iproute2.
It consists of two small ChangeSets.

Regards,


ChangeSet@1.55, 2004-07-12 19:58:53+09:00, nakam@linux-ipv6.org
  fix usage message for ipxfrm.

diff -Nru a/ip/xfrm_policy.c b/ip/xfrm_policy.c
--- a/ip/xfrm_policy.c	2004-07-14 16:35:49 +09:00
+++ b/ip/xfrm_policy.c	2004-07-14 16:35:49 +09:00
@@ -55,7 +55,6 @@
 {
 	fprintf(stderr, "Usage: ip xfrm policy { add | update } dir DIR sel SELECTOR [ index INDEX ] \n");
 	fprintf(stderr, "        [ action ACTION ] [ priority PRIORITY ] [ LIMIT-LIST ] [ TMPL-LIST ]\n");
-	fprintf(stderr, "        [ sel SELECTOR | index INDEX ] [ TMPL-LIST ]\n");
 	fprintf(stderr, "Usage: ip xfrm policy { delete | get } dir DIR [ sel SELECTOR | index INDEX ]\n");
 	fprintf(stderr, "Usage: ip xfrm policy { flush | list } [ dir DIR ] [ sel SELECTOR ]\n");
 	fprintf(stderr, "        [ index INDEX ] [ action ACTION ] [ priority PRIORITY ]\n");
@@ -75,7 +74,7 @@
 	fprintf(stderr, "LIMIT := [ [time-soft|time-hard|time-use-soft|time-use-hard] SECONDS ] |\n");
 	fprintf(stderr, "         [ [byte-soft|byte-hard] SIZE ] | [ [packet-soft|packet-hard] NUMBER ]\n");
 
-	fprintf(stderr, "TMPL-LIST := [ TMPL-LIST ] | [ tmpl TMPL ] | [ tmpl remain ](change only)\n");
+	fprintf(stderr, "TMPL-LIST := [ TMPL-LIST ] | [ tmpl TMPL ]\n");
 	fprintf(stderr, "TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]\n");
 	fprintf(stderr, "ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM_PROTO ] [ spi SPI ]\n");
 


ChangeSet@1.54, 2004-07-12 19:57:50+09:00, nakam@linux-ipv6.org
  fix command line option to understand "ip x p" and "ip x s".

diff -Nru a/ip/ipxfrm.c b/ip/ipxfrm.c
--- a/ip/ipxfrm.c	2004-07-14 16:35:49 +09:00
+++ b/ip/ipxfrm.c	2004-07-14 16:35:49 +09:00
@@ -793,13 +793,12 @@
 	if (argc < 1)
 		usage();
 
-	if (strcmp(*argv, "state") == 0 ||
-	    strcmp(*argv, "sa") == 0) {
+	if (matches(*argv, "state") == 0 ||
+	    matches(*argv, "sa") == 0) {
 		return do_xfrm_state(argc-1, argv+1);
-	} else if (strcmp(*argv, "policy") == 0 ||
-		   strcmp(*argv, "pol") == 0) {
+	} else if (matches(*argv, "policy") == 0)
 		return do_xfrm_policy(argc-1, argv+1);
-	} else if (strcmp(*argv, "help") == 0) {
+	else if (matches(*argv, "help") == 0) {
 		usage();
 		fprintf(stderr, "xfrm Object \"%s\" is unknown.\n", *argv);
 		exit(-1);



-- 
Masahide NAKAMURA


* [PATCH 2/3] iproute2 and xfrm
       [not found]               ` <20040714174233.2fc7dbc2@localhost>
@ 2004-07-15  6:02                 ` Masahide NAKAMURA
  2004-07-16 23:05                   ` Herbert Xu
  0 siblings, 1 reply; 15+ messages in thread
From: Masahide NAKAMURA @ 2004-07-15  6:02 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: Herbert Xu, netdev, nakam

Hello,

This patch is for iproute2.
Please check the comment in the ChangeSet below.

Regards,


ChangeSet@1.56, 2004-07-12 20:00:04+09:00, nakam@linux-ipv6.org
  fix output format to follow command line option style when using
  without "-s" option.

diff -Nru a/ip/ipxfrm.c b/ip/ipxfrm.c
--- a/ip/ipxfrm.c	2004-07-14 16:35:49 +09:00
+++ b/ip/ipxfrm.c	2004-07-14 16:35:49 +09:00
@@ -105,11 +105,11 @@
 		fprintf(fp, prefix);
 
 	memset(abuf, '\0', sizeof(abuf));
-	fprintf(fp, "%s ", rt_addr_n2a(family, sizeof(*saddr),
-				       saddr, abuf, sizeof(abuf)));
+	fprintf(fp, "src %s ", rt_addr_n2a(family, sizeof(*saddr),
+					   saddr, abuf, sizeof(abuf)));
 	memset(abuf, '\0', sizeof(abuf));
-	fprintf(fp, "%s\n", rt_addr_n2a(family, sizeof(id->daddr),
-					&id->daddr, abuf, sizeof(abuf)));
+	fprintf(fp, "dst %s\n", rt_addr_n2a(family, sizeof(id->daddr),
+					    &id->daddr, abuf, sizeof(abuf)));
 
 	if (prefix)
 		fprintf(fp, prefix);
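
Review bot: The context lines fprintf(fp, prefix) at the top and bottom of this hunk pass a non-literal string as the format, so any % in a prefix is interpreted as a conversion. While the neighbouring fprintf() calls are being rewritten, switch these to fputs(prefix, fp) or fprintf(fp, "%s", prefix).
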
@@ -122,30 +122,20 @@
 		sprintf(pbuf, "%d", id->proto);
 		p = pbuf;
 	}
+	fprintf(fp, "proto %s ", p);
 
-	switch (id->proto) {
-	case IPPROTO_ESP:
-	case IPPROTO_AH:
-	case IPPROTO_COMP:
-		fprintf(fp, "%s ", p);
-		break;
-	default:
-		fprintf(fp, "unspec(%s)", p);
-		break;
-	}
-
-	switch (id->proto) {
-	case IPPROTO_ESP:
-	case IPPROTO_AH:
-	case IPPROTO_COMP:
-	default:
-		spi = ntohl(id->spi);
-		fprintf(fp, "spi %d(0x%08x) ", spi, spi);
-		break;
-	}
+	spi = ntohl(id->spi);
+	fprintf(fp, "spi %u", spi);
+	if (show_stats > 0)
+		fprintf(fp, "(0x%08x)", spi);
+	fprintf(fp, " ");
+
+	fprintf(fp, "reqid %u", reqid);
+	if (show_stats > 0)
+		fprintf(fp, "(0x%08x)", reqid);
+	fprintf(fp, " ");
 
-	fprintf(fp, "reqid %d ", reqid);
-	fprintf(fp, "%s\n", (mode ? "tunnel" : "transport"));
+	fprintf(fp, "mode %s\n", (mode ? "tunnel" : "transport"));
 }
 
 static const char *strxf_limit(__u64 limit)
@@ -279,16 +269,14 @@
 		fprintf(fp, prefix);
 
 	memset(abuf, '\0', sizeof(abuf));
-	fprintf(fp, "%s/%d[%u]", rt_addr_n2a(f, sizeof(sel->saddr),
-					     &sel->saddr,
-					     abuf, sizeof(abuf)),
-		sel->prefixlen_s, sel->sport);
+	fprintf(fp, "src %s/%d ", rt_addr_n2a(f, sizeof(sel->saddr),
+					      &sel->saddr, abuf, sizeof(abuf)),
+		sel->prefixlen_s);
 
 	memset(abuf, '\0', sizeof(abuf));
-	fprintf(fp, " %s/%d[%u]", rt_addr_n2a(f, sizeof(sel->daddr),
-					      &sel->daddr,
-					      abuf, sizeof(abuf)),
-		sel->prefixlen_d, sel->dport);
+	fprintf(fp, "dst %s/%d", rt_addr_n2a(f, sizeof(sel->daddr),
+					      &sel->daddr, abuf, sizeof(abuf)),
+		sel->prefixlen_d);
 
 	fprintf(fp, "\n");
 
@@ -296,7 +284,8 @@
 		fprintf(fp, prefix);
 	fprintf(fp, "\t");
 
-	fprintf(fp, "upspec %u ", sel->proto);
+	fprintf(fp, "upspec proto %u ", sel->proto);
+	fprintf(fp, "sport %u dport %u ", sel->sport, sel->dport);
 
 	if (sel->ifindex > 0) {
 		char buf[IF_NAMESIZE];
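
Review bot: The added "sport %u dport %u" line prints sel->sport and sel->dport as stored, while the earlier hunk in this file converts id->spi with ntohl() before printing it. If the selector ports are kept in network byte order as well, they need ntohs() here, otherwise the numbers shown cannot be fed back in on a little-endian host.
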
@@ -304,10 +293,10 @@
 		memset(buf, '\0', sizeof(buf));
 		if_indextoname(sel->ifindex, buf);
 		fprintf(fp, "dev %s ", buf);
-	} else
-		fprintf(fp, "dev (none) ");
+	}
 
-	fprintf(fp, "uid %u", sel->user);
+	if (show_stats > 0)
+		fprintf(fp, "uid %u", sel->user);
 	fprintf(fp, "\n");
 }
 
@@ -367,35 +356,41 @@
 			    __u16 family, FILE *fp, const char *prefix)
 {
 	char buf[32];
-	const char *p = NULL;
 	int i;
 
-	if (prefix) {
-		strcpy(buf, prefix);
-		strcat(buf, "  ");
-	} else
-		strcpy(buf, "  ");
-	p = buf;
-
 	for (i = 0; i < ntmpls; i++) {
 		struct xfrm_user_tmpl *tmpl = &tmpls[i];
 
 		if (prefix)
 			fprintf(fp, prefix);
-		fprintf(fp, "tmpl-%d:\n", i+1);
+
+		fprintf(fp, "tmpl");
 		xfrm_id_info_print(&tmpl->saddr, &tmpl->id, tmpl->mode,
-				   tmpl->reqid, family, fp, p);
+				   tmpl->reqid, family, fp, prefix);
 
-		fprintf(fp, p);
+		fprintf(fp, prefix);
 		fprintf(fp, "\t");
-		fprintf(fp, "level %s ", ((tmpl->optional == 0) ? "required" :
-					  (tmpl->optional == 1) ? "use" :
-					  "unknown-level"));
-		fprintf(fp, "share %s ", strxf_share(tmpl->share));
-		fprintf(fp, "algo-mask:");
-		fprintf(fp, "E=%s, ", strxf_mask(tmpl->ealgos));
-		fprintf(fp, "A=%s, ", strxf_mask(tmpl->aalgos));
-		fprintf(fp, "C=%s", strxf_mask(tmpl->calgos));
+		fprintf(fp, "level ");
+		switch (tmpl->optional) {
+		case 0:
+			fprintf(fp, "required");
+			break;
+		case 1:
+			fprintf(fp, "use");
+			break;
+		default:
+			fprintf(fp, "%d", tmpl->optional);
+			break;
+		}
+		fprintf(fp, " ");
+
+		if (show_stats > 0) {
+			fprintf(fp, "share %s ", strxf_share(tmpl->share));
+			fprintf(fp, "algo-mask:");
+			fprintf(fp, "E=%s, ", strxf_mask(tmpl->ealgos));
+			fprintf(fp, "A=%s, ", strxf_mask(tmpl->aalgos));
+			fprintf(fp, "C=%s", strxf_mask(tmpl->calgos));
+		}
 		fprintf(fp, "\n");
 	}
 }
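
Review bot: The added fprintf(fp, prefix) before the "level" output is unconditional, while the two lines above it in the same loop still guard with if (prefix). The removed block existed to build a non-NULL p for exactly this case, so a NULL prefix now reaches fprintf() as the format string; guard it the same way. char buf[32] is also left declared with no remaining user in the function and can go.
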
@@ -413,17 +408,17 @@
 		case XFRMA_ALG_CRYPT:
 			if (prefix)
 				fprintf(fp, prefix);
-			xfrm_algo_print((struct xfrm_algo *)data, fp, "E:");
+			xfrm_algo_print((struct xfrm_algo *)data, fp, "algo E ");
 			break;
 		case XFRMA_ALG_AUTH:
 			if (prefix)
 				fprintf(fp, prefix);
-			xfrm_algo_print((struct xfrm_algo *)data, fp, "A:");
+			xfrm_algo_print((struct xfrm_algo *)data, fp, "algo A ");
 			break;
 		case XFRMA_ALG_COMP:
 			if (prefix)
 				fprintf(fp, prefix);
-			xfrm_algo_print((struct xfrm_algo *)data, fp, "C:");
+			xfrm_algo_print((struct xfrm_algo *)data, fp, "algo C ");
 			break;
 		case XFRMA_ENCAP:
 			if (prefix)
diff -Nru a/ip/xfrm_policy.c b/ip/xfrm_policy.c
--- a/ip/xfrm_policy.c	2004-07-14 16:35:49 +09:00
+++ b/ip/xfrm_policy.c	2004-07-14 16:35:49 +09:00
@@ -357,20 +357,47 @@
 	if (n->nlmsg_type == XFRM_MSG_DELPOLICY)
 		fprintf(fp, "Deleted ");
 
+	fprintf(fp, "sel ");
 	xfrm_selector_print(&xpinfo->sel, preferred_family, fp, NULL);
 
 	fprintf(fp, "\t");
-	fprintf(fp, "%s ", (xpinfo->dir == XFRM_POLICY_IN ? "in " :
-			    xpinfo->dir == XFRM_POLICY_OUT ? "out" :
-			    xpinfo->dir == XFRM_POLICY_FWD ? "fwd" :
-			    "unknown-dir"));
-	fprintf(fp, "%s ", (xpinfo->action == XFRM_POLICY_ALLOW ? "allow" :
-			   xpinfo->action == XFRM_POLICY_BLOCK ? "block" :
-			   "unknown-action"));
+	fprintf(fp, "dir ");
+	switch (xpinfo->dir) {
+	case XFRM_POLICY_IN:
+		fprintf(fp, "in");
+		break;
+	case XFRM_POLICY_OUT:
+		fprintf(fp, "out");
+		break;
+	case XFRM_POLICY_FWD:
+		fprintf(fp, "fwd");
+		break;
+	default:
+		fprintf(fp, "%d", xpinfo->dir);
+		break;
+	}
+	fprintf(fp, " ");
+
+	fprintf(fp, "action ");
+	switch (xpinfo->action) {
+	case XFRM_POLICY_ALLOW:
+		fprintf(fp, "allow");
+		break;
+	case XFRM_POLICY_BLOCK:
+		fprintf(fp, "block");
+		break;
+	default:
+		fprintf(fp, "%d", xpinfo->action);
+		break;
+	}
+	fprintf(fp, " ");
+
 	fprintf(fp, "index %u ", xpinfo->index);
 	fprintf(fp, "priority %u ", xpinfo->priority);
-	fprintf(fp, "share %s ", strxf_share(xpinfo->share));
-	fprintf(fp, "flags 0x%s", strxf_flags(xpinfo->flags));
+	if (show_stats > 0) {
+		fprintf(fp, "share %s ", strxf_share(xpinfo->share));
+		fprintf(fp, "flags 0x%s", strxf_flags(xpinfo->flags));
+	}
 	fprintf(fp, "\n");
 
 	if (show_stats > 0)
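
Review bot: The default: arms of the two added switches print xpinfo->dir and xpinfo->action as bare numbers. The commit message says the output should follow the command line option style, so check that the "dir" and "action" parsers accept a number, or the line cannot be fed back in. The two switches would also read better as small string helpers next to strxf_share(), which is how the share field is already handled in this hunk.
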
diff -Nru a/ip/xfrm_state.c b/ip/xfrm_state.c
--- a/ip/xfrm_state.c	2004-07-14 16:35:49 +09:00
+++ b/ip/xfrm_state.c	2004-07-14 16:35:49 +09:00
@@ -142,11 +142,20 @@
 {
 	int argc = *argcp;
 	char **argv = *argvp;
+	int len = strlen(*argv);
 
-	if (strcmp(*argv, "noecn") == 0)
-		*flags |= XFRM_STATE_NOECN;
-	else
-		invarg("\"FLAG\" is invalid", *argv);
+	if (len > 2 && strncmp(*argv, "0x", 2) == 0) {
+		__u8 val = 0;
+
+		if (get_u8(&val, *argv, 16))
+			invarg("\"FLAG\" is invalid", *argv);
+		*flags = val;
+	} else {
+		if (strcmp(*argv, "noecn") == 0)
+			*flags |= XFRM_STATE_NOECN;
+		else
+			invarg("\"FLAG\" is invalid", *argv);
+	}
 
 	filter.state_flags_mask = XFRM_FILTER_MASK_FULL;
 
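
Review bot: In the new hex branch, *flags = val overwrites whatever has been accumulated, while the keyword branch below it uses *flags |= XFRM_STATE_NOECN. If this function is called once per element of a flag list, a hex value given after "noecn" silently discards it; use |= in both branches or document that a hex value replaces the whole set.
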
@@ -357,22 +366,26 @@
 	xfrm_id_info_print(&xsinfo->saddr, &xsinfo->id, xsinfo->mode,
 			   xsinfo->reqid, xsinfo->family, fp, NULL);
 
+	fprintf(fp, "\t");
 	if (show_stats > 0) {
-		fprintf(fp, "\t");
 		fprintf(fp, "seq 0x%08u ", xsinfo->seq);
 		fprintf(fp, "replay-window %d ", xsinfo->replay_window);
-		fprintf(fp, "flags ");
-		if (xsinfo->flags & XFRM_STATE_NOECN)
-			fprintf(fp, "noecn ");
-		fprintf(fp, "(0x%s)", strxf_flags(xsinfo->flags));
-
-		fprintf(fp, "\n");
 	}
+	fprintf(fp, "flag 0x%s", strxf_flags(xsinfo->flags));
+	if (show_stats > 0) {
+		if (xsinfo->flags) {
+			fprintf(fp, "(");
+			if (xsinfo->flags & XFRM_STATE_NOECN)
+				fprintf(fp, "noecn");
+			fprintf(fp, ")");
+		}
+	}
+	fprintf(fp, "\n");
 
 	xfrm_xfrma_print(tb, ntb, xsinfo->family, fp, "\t");
 
 	if (show_stats > 0) {
-		fprintf(fp, "\tsel:\n");
+		fprintf(fp, "\tsel\n");
 		xfrm_selector_print(&xsinfo->sel, xsinfo->family, fp, "\t  ");
 	}
 
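
Review bot: The context line fprintf(fp, "seq 0x%08u ", xsinfo->seq) puts a 0x prefix in front of a decimal conversion, so the value shown is not the hex number it claims to be; since this block is being reworked, change it to %08x. In the added code, the inner if (xsinfo->flags) prints an empty "()" for any set bit other than XFRM_STATE_NOECN; either print the remaining bits or test for the known flags before opening the parenthesis.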




-- 
Masahide NAKAMURA


* [PATCH 3/3] iproute2 and xfrm
       [not found]               ` <20040714174637.0ce79ae1@localhost>
@ 2004-07-15  6:02                 ` Masahide NAKAMURA
  0 siblings, 0 replies; 15+ messages in thread
From: Masahide NAKAMURA @ 2004-07-15  6:02 UTC (permalink / raw)
  To: Stephen Hemminger; +Cc: Herbert Xu, netdev, nakam

This patch is for iproute2 and fixes minor output format.

Regards,


ChangeSet@1.57, 2004-07-12 20:01:23+09:00, nakam@linux-ipv6.org
  fix message for protocol.

diff -Nru a/ip/ipxfrm.c b/ip/ipxfrm.c
--- a/ip/ipxfrm.c	2004-07-14 16:35:49 +09:00
+++ b/ip/ipxfrm.c	2004-07-14 16:35:49 +09:00
@@ -91,6 +91,23 @@
 	return str;
 }
 
+const char *strxf_proto(__u8 proto)
+{
+	static char buf[32];
+	struct protoent *pp;
+	const char *p;
+
+	pp = getprotobynumber(proto);
+	if (pp)
+		p = pp->p_name;
+	else {
+		sprintf(buf, "%d", proto);
+		p = buf;
+	}
+
+	return p;
+}
+
 void xfrm_id_info_print(xfrm_address_t *saddr, struct xfrm_id *id,
 			__u8 mode, __u32 reqid, __u16 family, FILE *fp,
 			const char *prefix)
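
Review bot: strxf_proto() returns either pp->p_name or a pointer to its own static char buf[32], so the result is only valid until the next call to it or to getprotobynumber(); say so in a comment above the function, because a caller that passes two results to one fprintf() would print the same string twice. sprintf(buf, "%d", proto) should also be snprintf() with sizeof(buf), for consistency, even though a __u8 cannot overflow 32 bytes.
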
diff -Nru a/ip/xfrm.h b/ip/xfrm.h
--- a/ip/xfrm.h	2004-07-14 16:35:49 +09:00
+++ b/ip/xfrm.h	2004-07-14 16:35:49 +09:00
@@ -80,6 +80,7 @@
 
 const char *strxf_flags(__u8 flags);
 const char *strxf_share(__u8 share);
+const char *strxf_proto(__u8 proto);
 void xfrm_id_info_print(xfrm_address_t *saddr, struct xfrm_id *id,
 			__u8 mode, __u32 reqid, __u16 family, FILE *fp,
 			const char *prefix);
diff -Nru a/ip/xfrm_policy.c b/ip/xfrm_policy.c
--- a/ip/xfrm_policy.c	2004-07-14 16:35:49 +09:00
+++ b/ip/xfrm_policy.c	2004-07-14 16:35:49 +09:00
@@ -78,7 +78,12 @@
 	fprintf(stderr, "TMPL := ID [ mode MODE ] [ reqid REQID ] [ level LEVEL ]\n");
 	fprintf(stderr, "ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM_PROTO ] [ spi SPI ]\n");
 
-	fprintf(stderr, "XFRM_PROTO := [ esp | ah | ipcomp ]\n");
+	//fprintf(stderr, "XFRM_PROTO := [ esp | ah | ipcomp ]\n");
+	fprintf(stderr, "XFRM_PROTO := [ ");
+	fprintf(stderr, "%s | ", strxf_proto(IPPROTO_ESP));
+	fprintf(stderr, "%s | ", strxf_proto(IPPROTO_AH));
+	fprintf(stderr, "%s", strxf_proto(IPPROTO_COMP));
+	fprintf(stderr, " ]\n");
 
  	fprintf(stderr, "MODE := [ transport | tunnel ](default=transport)\n");
  	//fprintf(stderr, "REQID - number(default=0)\n");
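
Review bot: The old usage line is left in as a // comment above its replacement; delete it instead, the history keeps it. The replacement also makes the help text depend on what strxf_proto() returns, and that function falls back to a bare number when the lookup fails, so confirm that the "proto" parser accepts every spelling the usage can now print.
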
diff -Nru a/ip/xfrm_state.c b/ip/xfrm_state.c
--- a/ip/xfrm_state.c	2004-07-14 16:35:49 +09:00
+++ b/ip/xfrm_state.c	2004-07-14 16:35:49 +09:00
@@ -63,7 +63,13 @@
 	fprintf(stderr, "        [ FLAG_LIST ]\n");
 
 	fprintf(stderr, "ID := [ src ADDR ] [ dst ADDR ] [ proto XFRM_PROTO ] [ spi SPI ]\n");
-	fprintf(stderr, "XFRM_PROTO := [ esp | ah | ipcomp ]\n");
+	//fprintf(stderr, "XFRM_PROTO := [ esp | ah | ipcomp ]\n");
+	fprintf(stderr, "XFRM_PROTO := [ ");
+	fprintf(stderr, "%s | ", strxf_proto(IPPROTO_ESP));
+	fprintf(stderr, "%s | ", strxf_proto(IPPROTO_AH));
+	fprintf(stderr, "%s", strxf_proto(IPPROTO_COMP));
+	fprintf(stderr, " ]\n");
+
 	//fprintf(stderr, "SPI - security parameter index(default=0)\n");
 
  	fprintf(stderr, "MODE := [ transport | tunnel ](default=transport)\n");
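
Review bot: These five added fprintf() lines are a verbatim copy of the ones added to ip/xfrm_policy.c in the previous hunk, including the commented-out original. Put them in one helper next to strxf_proto() in ip/ipxfrm.c and call it from both usage functions, so the two help texts cannot drift apart.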




-- 
Masahide NAKAMURA


* Re: [PATCH 1/3] iproute2 and xfrm
  2004-07-15  6:02               ` [PATCH 1/3] iproute2 and xfrm Masahide NAKAMURA
@ 2004-07-16 22:22                 ` Stephen Hemminger
  0 siblings, 0 replies; 15+ messages in thread
From: Stephen Hemminger @ 2004-07-16 22:22 UTC (permalink / raw)
  To: Masahide NAKAMURA; +Cc: Herbert Xu, netdev, nakam

On Thu, 15 Jul 2004 15:02:14 +0900
Masahide NAKAMURA <nakam@linux-ipv6.org> wrote:

> Hello,
> 
> This patch is a minor fix for iproute2.
> It consists of two small ChangeSets.

Applied to the iproute2 bk tree for next release.


* Re: [PATCH 2/3] iproute2 and xfrm
  2004-07-15  6:02                 ` [PATCH 2/3] " Masahide NAKAMURA
@ 2004-07-16 23:05                   ` Herbert Xu
  0 siblings, 0 replies; 15+ messages in thread
From: Herbert Xu @ 2004-07-16 23:05 UTC (permalink / raw)
  To: Masahide NAKAMURA; +Cc: Stephen Hemminger, netdev

On Thu, Jul 15, 2004 at 03:02:19PM +0900, Masahide NAKAMURA wrote:
> 
> This patch is for iproute2.
> Please check the comment in the ChangeSet below.

Thanks for the patches.  It's much better.

I think some simplifications can still be made:

Policies:

* sel/upspec are redundant.  You can disambiguate src/dst/proto
  by whether they're preceded by tmpl or not.
* proto/sport/dport should be omitted if they're zero.
* level should be omitted if it's required.
* spi should be omitted if it's zero.
* index should be omitted in the default output.  It's not a part of
  the policy specification.
* action should be omitted if it's allow.

States:

* spi should be shown in hex by default.  Related tools like tcpdump show
  hex so this makes debugging easier.
* flag should be omitted if it's zero.
* Please use auth/enc instead of A/E.  The latter looks out-of-place in ip(8).
* You can also skip algo and use auth/enc to detect the start of an
  algorithm.
* replay_window is not a statistic so it should be shown in the main output.
* The selector should be shown in the main output if it is not zero.

The above changes can be summarised by these two principles:

1. By cut-n-pasting the output of ip x p/s, I should be able to recreate
   the exact same policies/states.
2. The output of ip x p/s should be minimal so that it is easy to
   understand and type in.

Please also fix ip -o x so that the output can be on one line.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
