netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: devel@linux-ipsec.org, tobias@strongswan.org,
	steffen.klassert@secunet.com, antony@phenome.org,
	thomas.egerer@secunet.com
Subject: [iproute2] xfrm: add udp standalone encapsulation mode
Date: Tue, 12 Sep 2023 13:45:43 +0200	[thread overview]
Message-ID: <20230912114543.7683-1-pablo@netfilter.org> (raw)

This patch enables two new encapsulation modes:

- espinudp-tx, for the sender side, this requires the source and
  destination ports to be specified, to be placed in the UDP header.
- espinudp-rx, for the receiver side, this requires only the source port
  which is used for the listener in-kernel UDP socket.

The following example shows how to configure the SAs:

  ip xfrm state add src 192.168.10.10 dst 192.168.10.11 proto esp spi 1 \
        encap espinudp-tx 9999 9999 0.0.0.0 \
        if_id 0x1 reqid 1 replay-window 1  mode tunnel aead 'rfc4106(gcm(aes))' \
        0x1111111111111111111111111111111111111111 96 \
        sel src 10.141.10.0/24 dst 10.141.11.0/24

  ip xfrm state add src 192.168.10.11 dst 192.168.10.10 proto esp spi 2 \
        encap espinudp-rx 9999 0 0.0.0.0 \
        if_id 0x1 reqid 2 replay-window 10 mode tunnel aead 'rfc4106(gcm(aes))' \
        0x2222222222222222222222222222222222222222 96

People work around this by creating dummy userspace daemon such
as in smallish programs to work around this limitation, see:

  https://github.com/nilcons/ipsec-stun-explain/blob/master/tools/orig_ipsec_decap.pl

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/uapi/linux/udp.h |  2 ++
 ip/ipxfrm.c              | 10 ++++++++++
 ip/xfrm_state.c          |  2 +-
 man/man8/ip-xfrm.8       |  4 ++--
 4 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/include/uapi/linux/udp.h b/include/uapi/linux/udp.h
index d0a7223a0119..8ff9b547733c 100644
--- a/include/uapi/linux/udp.h
+++ b/include/uapi/linux/udp.h
@@ -43,5 +43,7 @@ struct udphdr {
 #define UDP_ENCAP_GTP1U		5 /* 3GPP TS 29.060 */
 #define UDP_ENCAP_RXRPC		6
 #define TCP_ENCAP_ESPINTCP	7 /* Yikes, this is really xfrm encap types. */
+#define UDP_ENCAP_ESPINUDP_RX	8
+#define UDP_ENCAP_ESPINUDP_TX	9
 
 #endif /* _LINUX_UDP_H */
diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index b78c712dfd73..50ae147c333f 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -751,6 +751,12 @@ void xfrm_xfrma_print(struct rtattr *tb[], __u16 family, FILE *fp,
 		case TCP_ENCAP_ESPINTCP:
 			fprintf(fp, "espintcp ");
 			break;
+		case UDP_ENCAP_ESPINUDP_RX:
+			fprintf(fp, "espinudp-rx ");
+			break;
+		case UDP_ENCAP_ESPINUDP_TX:
+			fprintf(fp, "espinudp-tx ");
+			break;
 		default:
 			fprintf(fp, "%u ", e->encap_type);
 			break;
@@ -1212,6 +1218,10 @@ int xfrm_encap_type_parse(__u16 *type, int *argcp, char ***argvp)
 		*type = UDP_ENCAP_ESPINUDP;
 	else if (strcmp(*argv, "espintcp") == 0)
 		*type = TCP_ENCAP_ESPINTCP;
+	else if (strcmp(*argv, "espinudp-rx") == 0)
+		*type = UDP_ENCAP_ESPINUDP_RX;
+	else if (strcmp(*argv, "espinudp-tx") == 0)
+		*type = UDP_ENCAP_ESPINUDP_TX;
 	else
 		invarg("ENCAP-TYPE value is invalid", *argv);
 
diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
index aa0dce072dff..eaadf86cc913 100644
--- a/ip/xfrm_state.c
+++ b/ip/xfrm_state.c
@@ -96,7 +96,7 @@ static void usage(void)
 		"LIMIT-LIST := [ LIMIT-LIST ] limit LIMIT\n"
 		"LIMIT := { time-soft | time-hard | time-use-soft | time-use-hard } SECONDS |\n"
 		"         { byte-soft | byte-hard } SIZE | { packet-soft | packet-hard } COUNT\n"
-		"ENCAP := { espinudp | espinudp-nonike | espintcp } SPORT DPORT OADDR\n"
+		"ENCAP := { espinudp | espinudp-nonike | espintcp | espinudp-rx | espinudp-tx } SPORT DPORT OADDR\n"
 		"DIR := in | out\n");
 
 	exit(-1);
diff --git a/man/man8/ip-xfrm.8 b/man/man8/ip-xfrm.8
index 3270f336d070..92e82ddb9534 100644
--- a/man/man8/ip-xfrm.8
+++ b/man/man8/ip-xfrm.8
@@ -219,7 +219,7 @@ ip-xfrm \- transform configuration
 
 .ti -8
 .IR ENCAP " :="
-.RB "{ " espinudp " | " espinudp-nonike " | " espintcp " }"
+.RB "{ " espinudp " | " espinudp-nonike " | " espintcp " | " espinudp-rx " | " espinudp-tx " }"
 .IR SPORT " " DPORT " " OADDR
 
 .ti -8
@@ -580,7 +580,7 @@ sets limits in seconds, bytes, or numbers of packets.
 .TP
 .I ENCAP
 encapsulates packets with protocol
-.BR espinudp ", " espinudp-nonike ", or " espintcp ","
+.BR espinudp ", " espinudp-nonike ", " espintcp ", " or " espinudp-rx " | " espinudp-tx ","
 .RI "using source port " SPORT ", destination port "  DPORT
 .RI ", and original address " OADDR "."
 
-- 
2.30.2


                 reply	other threads:[~2023-09-12 11:45 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230912114543.7683-1-pablo@netfilter.org \
    --to=pablo@netfilter.org \
    --cc=antony@phenome.org \
    --cc=devel@linux-ipsec.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=steffen.klassert@secunet.com \
    --cc=thomas.egerer@secunet.com \
    --cc=tobias@strongswan.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).