Netdev Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Nicolas Dichtel <nicolas.dichtel@6wind.com>
To: steffen.klassert@secunet.com, davem@davemloft.net,
kuba@kernel.org, antony.antony@secunet.com
Cc: netdev@vger.kernel.org, Nicolas Dichtel <nicolas.dichtel@6wind.com>
Subject: [RFC PATCH iproute2] xfrm: enable to manage default policies
Date: Tue, 7 Sep 2021 21:35:10 +0200 [thread overview]
Message-ID: <20210907193510.16487-4-nicolas.dichtel@6wind.com> (raw)
In-Reply-To: <20210907193510.16487-1-nicolas.dichtel@6wind.com>
Two new commands to manage default policies:
- ip xfrm policy setdefault
- ip xfrm policy getdefault
And the corresponding part in 'ip xfrm monitor'.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
include/uapi/linux/xfrm.h | 9 ++-
ip/xfrm.h | 1 +
ip/xfrm_monitor.c | 3 +
ip/xfrm_policy.c | 121 ++++++++++++++++++++++++++++++++++++++
man/man8/ip-xfrm.8 | 12 ++++
5 files changed, 143 insertions(+), 3 deletions(-)
diff --git a/include/uapi/linux/xfrm.h b/include/uapi/linux/xfrm.h
index ecd06396eb16..2a8135e31f9d 100644
--- a/include/uapi/linux/xfrm.h
+++ b/include/uapi/linux/xfrm.h
@@ -514,9 +514,12 @@ struct xfrm_user_offload {
#define XFRM_OFFLOAD_INBOUND 2
struct xfrm_userpolicy_default {
-#define XFRM_USERPOLICY_DIRMASK_MAX (sizeof(__u8) * 8)
- __u8 dirmask;
- __u8 action;
+#define XFRM_USERPOLICY_UNSPEC 0
+#define XFRM_USERPOLICY_BLOCK 1
+#define XFRM_USERPOLICY_ACCEPT 2
+ __u8 in;
+ __u8 fwd;
+ __u8 out;
};
/* backwards compatibility for userspace */
diff --git a/ip/xfrm.h b/ip/xfrm.h
index 9ba5ca61d5e4..17dcf3fea83f 100644
--- a/ip/xfrm.h
+++ b/ip/xfrm.h
@@ -132,6 +132,7 @@ void xfrm_state_info_print(struct xfrm_usersa_info *xsinfo,
void xfrm_policy_info_print(struct xfrm_userpolicy_info *xpinfo,
struct rtattr *tb[], FILE *fp, const char *prefix,
const char *title);
+int xfrm_policy_default_print(struct nlmsghdr *n, FILE *fp);
int xfrm_id_parse(xfrm_address_t *saddr, struct xfrm_id *id, __u16 *family,
int loose, int *argcp, char ***argvp);
int xfrm_mode_parse(__u8 *mode, int *argcp, char ***argvp);
diff --git a/ip/xfrm_monitor.c b/ip/xfrm_monitor.c
index e34b5fbda130..f67424c5be06 100644
--- a/ip/xfrm_monitor.c
+++ b/ip/xfrm_monitor.c
@@ -323,6 +323,9 @@ static int xfrm_accept_msg(struct rtnl_ctrl_data *ctrl,
case XFRM_MSG_MAPPING:
xfrm_mapping_print(n, arg);
return 0;
+ case XFRM_MSG_GETDEFAULT:
+ xfrm_policy_default_print(n, arg);
+ return 0;
default:
break;
}
diff --git a/ip/xfrm_policy.c b/ip/xfrm_policy.c
index 7cc00e7c2f5b..744f331ff564 100644
--- a/ip/xfrm_policy.c
+++ b/ip/xfrm_policy.c
@@ -66,6 +66,8 @@ static void usage(void)
"Usage: ip xfrm policy flush [ ptype PTYPE ]\n"
"Usage: ip xfrm policy count\n"
"Usage: ip xfrm policy set [ hthresh4 LBITS RBITS ] [ hthresh6 LBITS RBITS ]\n"
+ "Usage: ip xfrm policy setdefault DIR ACTION [ DIR ACTION ] [ DIR ACTION ]\n"
+ "Usage: ip xfrm policy getdefault\n"
"SELECTOR := [ src ADDR[/PLEN] ] [ dst ADDR[/PLEN] ] [ dev DEV ] [ UPSPEC ]\n"
"UPSPEC := proto { { tcp | udp | sctp | dccp } [ sport PORT ] [ dport PORT ] |\n"
" { icmp | ipv6-icmp | mobility-header } [ type NUMBER ] [ code NUMBER ] |\n"
@@ -1124,6 +1126,121 @@ static int xfrm_spd_getinfo(int argc, char **argv)
return 0;
}
+static int xfrm_spd_setdefault(int argc, char **argv)
+{
+ struct rtnl_handle rth;
+ struct {
+ struct nlmsghdr n;
+ struct xfrm_userpolicy_default up;
+ } req = {
+ .n.nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_default)),
+ .n.nlmsg_flags = NLM_F_REQUEST,
+ .n.nlmsg_type = XFRM_MSG_SETDEFAULT,
+ };
+
+ while (argc > 0) {
+ if (strcmp(*argv, "in") == 0) {
+ if (req.up.in)
+ duparg("in", *argv);
+
+ NEXT_ARG();
+ if (strcmp(*argv, "block") == 0)
+ req.up.in = XFRM_USERPOLICY_BLOCK;
+ else if (strcmp(*argv, "accept") == 0)
+ req.up.in = XFRM_USERPOLICY_ACCEPT;
+ else
+ invarg("in policy value is invalid", *argv);
+ } else if (strcmp(*argv, "fwd") == 0) {
+ if (req.up.fwd)
+ duparg("fwd", *argv);
+
+ NEXT_ARG();
+ if (strcmp(*argv, "block") == 0)
+ req.up.fwd = XFRM_USERPOLICY_BLOCK;
+ else if (strcmp(*argv, "accept") == 0)
+ req.up.fwd = XFRM_USERPOLICY_ACCEPT;
+ else
+ invarg("fwd policy value is invalid", *argv);
+ } else if (strcmp(*argv, "out") == 0) {
+ if (req.up.out)
+ duparg("out", *argv);
+
+ NEXT_ARG();
+ if (strcmp(*argv, "block") == 0)
+ req.up.out = XFRM_USERPOLICY_BLOCK;
+ else if (strcmp(*argv, "accept") == 0)
+ req.up.out = XFRM_USERPOLICY_ACCEPT;
+ else
+ invarg("out policy value is invalid", *argv);
+ } else {
+ invarg("unknown direction", *argv);
+ }
+
+ argc--; argv++;
+ }
+
+ if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
+ exit(1);
+
+ if (rtnl_talk(&rth, &req.n, NULL) < 0)
+ exit(2);
+
+ rtnl_close(&rth);
+
+ return 0;
+}
+
+int xfrm_policy_default_print(struct nlmsghdr *n, FILE *fp)
+{
+ struct xfrm_userpolicy_default *up = NLMSG_DATA(n);
+ int len = n->nlmsg_len - NLMSG_SPACE(sizeof(*up));
+
+ if (len < 0) {
+ fprintf(stderr,
+ "BUG: short nlmsg len %u (expect %lu) for XFRM_MSG_GETDEFAULT\n",
+ n->nlmsg_len, NLMSG_SPACE(sizeof(*up)));
+ return -1;
+ }
+
+ fprintf(fp, "Default policies:\n");
+ fprintf(fp, " in: %s\n",
+ up->in == XFRM_USERPOLICY_BLOCK ? "block" : "accept");
+ fprintf(fp, " fwd: %s\n",
+ up->fwd == XFRM_USERPOLICY_BLOCK ? "block" : "accept");
+ fprintf(fp, " out: %s\n",
+ up->out == XFRM_USERPOLICY_BLOCK ? "block" : "accept");
+ fflush(fp);
+
+ return 0;
+}
+
+static int xfrm_spd_getdefault(int argc, char **argv)
+{
+ struct rtnl_handle rth;
+ struct {
+ struct nlmsghdr n;
+ struct xfrm_userpolicy_default up;
+ } req = {
+ .n.nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_userpolicy_default)),
+ .n.nlmsg_flags = NLM_F_REQUEST,
+ .n.nlmsg_type = XFRM_MSG_GETDEFAULT,
+ };
+ struct nlmsghdr *answer;
+
+ if (rtnl_open_byproto(&rth, 0, NETLINK_XFRM) < 0)
+ exit(1);
+
+ if (rtnl_talk(&rth, &req.n, &answer) < 0)
+ exit(2);
+
+ xfrm_policy_default_print(answer, (FILE *)stdout);
+
+ free(answer);
+ rtnl_close(&rth);
+
+ return 0;
+}
+
static int xfrm_policy_flush(int argc, char **argv)
{
struct rtnl_handle rth;
@@ -1197,6 +1314,10 @@ int do_xfrm_policy(int argc, char **argv)
return xfrm_spd_getinfo(argc, argv);
if (matches(*argv, "set") == 0)
return xfrm_spd_setinfo(argc-1, argv+1);
+ if (matches(*argv, "setdefault") == 0)
+ return xfrm_spd_setdefault(argc-1, argv+1);
+ if (matches(*argv, "getdefault") == 0)
+ return xfrm_spd_getdefault(argc-1, argv+1);
if (matches(*argv, "help") == 0)
usage();
fprintf(stderr, "Command \"%s\" is unknown, try \"ip xfrm policy help\".\n", *argv);
diff --git a/man/man8/ip-xfrm.8 b/man/man8/ip-xfrm.8
index 003f6c3d1c28..bf725cabb82d 100644
--- a/man/man8/ip-xfrm.8
+++ b/man/man8/ip-xfrm.8
@@ -298,6 +298,18 @@ ip-xfrm \- transform configuration
.RB "[ " hthresh6
.IR LBITS " " RBITS " ]"
+.ti -8
+.B "ip xfrm policy setdefault"
+.IR DIR
+.IR ACTION " [ "
+.IR DIR
+.IR ACTION " ] [ "
+.IR DIR
+.IR ACTION " ]"
+
+.ti -8
+.B "ip xfrm policy getdefault"
+
.ti -8
.IR SELECTOR " :="
.RB "[ " src
--
2.33.0
next prev parent reply other threads:[~2021-09-07 19:42 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20210331144843.GA25749@moon.secunet.de>
2021-07-16 9:15 ` [PATCH ipsec-next] xfrm: Add possibility to set the default to block if we have no policy Antony Antony
2021-07-18 3:26 ` kernel test robot
2021-07-18 7:11 ` [PATCH v2 " Antony Antony
2021-07-22 9:43 ` Steffen Klassert
2021-08-11 16:14 ` Nicolas Dichtel
2021-08-17 11:19 ` Antony Antony
2021-08-25 10:01 ` Nicolas Dichtel
2021-09-07 19:35 ` [PATCH ipsec 0/2] xfrm: fix uapi for the default policy Nicolas Dichtel
2021-09-07 19:35 ` [PATCH ipsec 1/2] xfrm: make user policy API complete Nicolas Dichtel
2021-09-07 19:35 ` [PATCH ipsec 2/2] xfrm: notify default policy on update Nicolas Dichtel
2021-09-08 1:35 ` kernel test robot
2021-09-08 7:23 ` [PATCH ipsec v2 0/2] xfrm: fix uapi for the default policy Nicolas Dichtel
2021-09-08 7:23 ` [PATCH ipsec v2 1/2] xfrm: make user policy API complete Nicolas Dichtel
2021-09-08 7:23 ` [PATCH ipsec v2 2/2] xfrm: notify default policy on update Nicolas Dichtel
2021-09-08 7:23 ` [RFC PATCH iproute2 v2] xfrm: enable to manage default policies Nicolas Dichtel
2021-09-14 14:46 ` [PATCH ipsec v3 0/2] xfrm: fix uapi for the default policy Nicolas Dichtel
2021-09-14 14:46 ` [PATCH ipsec v3 1/2] xfrm: make user policy API complete Nicolas Dichtel
2021-09-14 14:46 ` [PATCH ipsec v3 2/2] xfrm: notify default policy on update Nicolas Dichtel
2021-09-14 14:46 ` [RFC PATCH iproute2 v2] xfrm: enable to manage default policies Nicolas Dichtel
2021-09-15 9:19 ` [PATCH ipsec v3 0/2] xfrm: fix uapi for the default policy Antony Antony
2021-09-15 9:55 ` Nicolas Dichtel
2021-09-17 7:06 ` Steffen Klassert
2021-09-17 7:54 ` Nicolas Dichtel
2021-09-07 19:35 ` Nicolas Dichtel [this message]
2021-09-01 15:14 ` [PATCH v2 ipsec-next] xfrm: Add possibility to set the default to block if we have no policy Dmitry V. Levin
2021-09-02 9:05 ` Steffen Klassert
2021-09-19 22:40 ` Paul Cercueil
2021-09-21 6:33 ` Steffen Klassert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210907193510.16487-4-nicolas.dichtel@6wind.com \
--to=nicolas.dichtel@6wind.com \
--cc=antony.antony@secunet.com \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).