libnl 3.11.0
sp.c
1/* SPDX-License-Identifier: LGPL-2.1-only */
2/*
3 * Copyright (C) 2012 Texas Instruments Incorporated - http://www.ti.com/
4 *
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the
16 * distribution.
17 *
18 * Neither the name of Texas Instruments Incorporated nor the names of
19 * its contributors may be used to endorse or promote products derived
20 * from this software without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
23 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
24 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
25 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
26 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
27 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
28 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
29 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
30 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
31 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
32 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
33 *
34 */
35
36/**
37 * @ingroup xfrmnl
38 * @defgroup sp Security Policy
39 * @brief
40 */
41
42#include "nl-default.h"
43
44#include <time.h>
45#include <netlink/netlink.h>
46#include <netlink/cache.h>
47#include <netlink/object.h>
48#include <netlink/xfrm/selector.h>
49#include <netlink/xfrm/lifetime.h>
50#include <netlink/xfrm/template.h>
51#include <netlink/xfrm/sp.h>
52
53#include "nl-xfrm.h"
54#include "nl-priv-dynamic-core/object-api.h"
55#include "nl-priv-dynamic-core/nl-core.h"
56#include "nl-priv-dynamic-core/cache-api.h"
57#include "nl-aux-core/nl-core.h"
58#include "nl-aux-xfrm/nl-xfrm.h"
59
61 uint8_t type;
62 uint16_t reserved1;
63 uint16_t reserved2;
64};
65
66struct xfrmnl_sp {
67 NLHDR_COMMON
68
69 struct xfrmnl_sel* sel;
70 struct xfrmnl_ltime_cfg* lft;
71 struct xfrmnl_lifetime_cur curlft;
72 uint32_t priority;
73 uint32_t index;
74 uint8_t dir;
75 uint8_t action;
76 uint8_t flags;
77 uint8_t share;
78 struct xfrmnl_user_sec_ctx* sec_ctx;
79 struct xfrmnl_userpolicy_type uptype;
80 uint32_t nr_user_tmpl;
81 struct nl_list_head usertmpl_list;
82 struct xfrmnl_mark mark;
83};
84
85/** @cond SKIP */
86#define XFRM_SP_ATTR_SEL 0x01
87#define XFRM_SP_ATTR_LTIME_CFG 0x02
88#define XFRM_SP_ATTR_LTIME_CUR 0x04
89#define XFRM_SP_ATTR_PRIO 0x08
90#define XFRM_SP_ATTR_INDEX 0x10
91#define XFRM_SP_ATTR_DIR 0x20
92#define XFRM_SP_ATTR_ACTION 0x40
93#define XFRM_SP_ATTR_FLAGS 0x80
94#define XFRM_SP_ATTR_SHARE 0x100
95#define XFRM_SP_ATTR_POLTYPE 0x200
96#define XFRM_SP_ATTR_SECCTX 0x400
97#define XFRM_SP_ATTR_TMPL 0x800
98#define XFRM_SP_ATTR_MARK 0x1000
99
100static struct nl_cache_ops xfrmnl_sp_ops;
101static struct nl_object_ops xfrm_sp_obj_ops;
102/** @endcond */
103
104static void xfrm_sp_alloc_data(struct nl_object *c)
105{
106 struct xfrmnl_sp* sp = nl_object_priv (c);
107
108 if ((sp->sel = xfrmnl_sel_alloc ()) == NULL)
109 return;
110
111 if ((sp->lft = xfrmnl_ltime_cfg_alloc ()) == NULL)
112 return;
113
114 nl_init_list_head(&sp->usertmpl_list);
115
116 return;
117}
118
119static void xfrm_sp_free_data(struct nl_object *c)
120{
121 struct xfrmnl_sp* sp = nl_object_priv (c);
122 struct xfrmnl_user_tmpl *utmpl, *tmp;
123
124 if (sp == NULL)
125 return;
126
127 xfrmnl_sel_put (sp->sel);
128 xfrmnl_ltime_cfg_put (sp->lft);
129
130 if (sp->sec_ctx) {
131 free(sp->sec_ctx);
132 }
133
134 nl_list_for_each_entry_safe(utmpl, tmp, &sp->usertmpl_list, utmpl_list) {
135 xfrmnl_sp_remove_usertemplate (sp, utmpl);
136 xfrmnl_user_tmpl_free (utmpl);
137 }
138}
139
140static int xfrm_sp_clone(struct nl_object *_dst, struct nl_object *_src)
141{
142 struct xfrmnl_sp* dst = nl_object_priv(_dst);
143 struct xfrmnl_sp* src = nl_object_priv(_src);
144 struct xfrmnl_user_tmpl *utmpl;
145 struct xfrmnl_user_tmpl *new;
146
147 dst->sel = NULL;
148 dst->lft = NULL;
149 dst->sec_ctx = NULL;
150 nl_init_list_head(&dst->usertmpl_list);
151
152 if (src->sel) {
153 if ((dst->sel = xfrmnl_sel_clone (src->sel)) == NULL)
154 return -NLE_NOMEM;
155 }
156
157 if (src->lft) {
158 if ((dst->lft = xfrmnl_ltime_cfg_clone (src->lft)) == NULL)
159 return -NLE_NOMEM;
160 }
161
162 if (src->sec_ctx) {
163 uint32_t len = sizeof (struct xfrmnl_user_sec_ctx) + src->sec_ctx->ctx_len;
164
165 if ((dst->sec_ctx = malloc (len)) == NULL)
166 return -NLE_NOMEM;
167 memcpy(dst->sec_ctx, src->sec_ctx, len);
168 }
169
170 nl_list_for_each_entry(utmpl, &src->usertmpl_list, utmpl_list) {
171 new = xfrmnl_user_tmpl_clone (utmpl);
172 if (!new)
173 return -NLE_NOMEM;
174 xfrmnl_sp_add_usertemplate(dst, new);
175 }
176
177 return 0;
178}
179
180static uint64_t xfrm_sp_compare(struct nl_object *_a, struct nl_object *_b,
181 uint64_t attrs, int flags)
182{
183 struct xfrmnl_sp* a = (struct xfrmnl_sp *) _a;
184 struct xfrmnl_sp* b = (struct xfrmnl_sp *) _b;
185 struct xfrmnl_user_tmpl *tmpl_a, *tmpl_b;
186 uint64_t diff = 0;
187
188#define _DIFF(ATTR, EXPR) ATTR_DIFF(attrs, ATTR, a, b, EXPR)
189 diff |= _DIFF(XFRM_SP_ATTR_SEL, xfrmnl_sel_cmp(a->sel, b->sel));
190 diff |= _DIFF(XFRM_SP_ATTR_LTIME_CFG,
191 xfrmnl_ltime_cfg_cmp(a->lft, b->lft));
192 diff |= _DIFF(XFRM_SP_ATTR_PRIO, a->priority != b->priority);
193 diff |= _DIFF(XFRM_SP_ATTR_INDEX, a->index != b->index);
194 diff |= _DIFF(XFRM_SP_ATTR_DIR, a->dir != b->dir);
195 diff |= _DIFF(XFRM_SP_ATTR_ACTION, a->action != b->action);
196 diff |= _DIFF(XFRM_SP_ATTR_FLAGS, a->flags != b->flags);
197 diff |= _DIFF(XFRM_SP_ATTR_SHARE, a->share != b->share);
198 diff |= _DIFF(XFRM_SP_ATTR_SECCTX,
199 ((a->sec_ctx->len != b->sec_ctx->len) ||
200 (a->sec_ctx->exttype != b->sec_ctx->exttype) ||
201 (a->sec_ctx->ctx_alg != b->sec_ctx->ctx_alg) ||
202 (a->sec_ctx->ctx_doi != b->sec_ctx->ctx_doi) ||
203 (a->sec_ctx->ctx_len != b->sec_ctx->ctx_len) ||
204 strcmp(a->sec_ctx->ctx, b->sec_ctx->ctx)));
205 diff |= _DIFF(XFRM_SP_ATTR_POLTYPE, (a->uptype.type != b->uptype.type));
206 diff |= _DIFF(XFRM_SP_ATTR_TMPL, (a->nr_user_tmpl != b->nr_user_tmpl));
207 diff |= _DIFF(XFRM_SP_ATTR_MARK,
208 (a->mark.m != b->mark.m) || (a->mark.v != b->mark.v));
209
210 /* Compare the templates */
211 nl_list_for_each_entry(tmpl_b, &b->usertmpl_list, utmpl_list)
212 nl_list_for_each_entry(tmpl_a, &a->usertmpl_list, utmpl_list)
213 diff |= xfrmnl_user_tmpl_cmp (tmpl_a, tmpl_b);
214#undef _DIFF
215
216 return diff;
217}
218
219/**
220 * @name XFRM SP Attribute Translations
221 * @{
222 */
223static const struct trans_tbl sp_attrs[] = {
224 __ADD(XFRM_SP_ATTR_SEL, selector),
225 __ADD(XFRM_SP_ATTR_LTIME_CFG, lifetime_cfg),
226 __ADD(XFRM_SP_ATTR_LTIME_CUR, lifetime_cur),
227 __ADD(XFRM_SP_ATTR_PRIO, priority),
228 __ADD(XFRM_SP_ATTR_INDEX, index),
229 __ADD(XFRM_SP_ATTR_DIR, direction),
230 __ADD(XFRM_SP_ATTR_ACTION, action),
231 __ADD(XFRM_SP_ATTR_FLAGS, flags),
232 __ADD(XFRM_SP_ATTR_SHARE, share),
233 __ADD(XFRM_SP_ATTR_POLTYPE, policy_type),
234 __ADD(XFRM_SP_ATTR_SECCTX, security_context),
235 __ADD(XFRM_SP_ATTR_TMPL, user_template),
236 __ADD(XFRM_SP_ATTR_MARK, mark),
237};
238
239static char* xfrm_sp_attrs2str(int attrs, char *buf, size_t len)
240{
241 return __flags2str (attrs, buf, len, sp_attrs, ARRAY_SIZE(sp_attrs));
242}
243/** @} */
244
245/**
246 * @name XFRM SP Action Translations
247 * @{
248 */
249static const struct trans_tbl sa_actions[] = {
250 __ADD(XFRM_POLICY_ALLOW, allow),
251 __ADD(XFRM_POLICY_BLOCK, block),
252};
253
254char* xfrmnl_sp_action2str(int action, char *buf, size_t len)
255{
256 return __type2str (action, buf, len, sa_actions, ARRAY_SIZE(sa_actions));
257}
258
259int xfrmnl_sp_str2action(const char *name)
260{
261 return __str2type (name, sa_actions, ARRAY_SIZE(sa_actions));
262}
263/** @} */
264
265/**
266 * @name XFRM SP Flags Translations
267 * @{
268 */
269static const struct trans_tbl sp_flags[] = {
270 __ADD(XFRM_POLICY_LOCALOK, allow policy override by user),
271 __ADD(XFRM_POLICY_ICMP, auto include ICMP in policy),
272};
273
274char* xfrmnl_sp_flags2str(int flags, char *buf, size_t len)
275{
276 return __flags2str (flags, buf, len, sp_flags, ARRAY_SIZE(sp_flags));
277}
278
279int xfrmnl_sp_str2flag(const char *name)
280{
281 return __str2flags(name, sp_flags, ARRAY_SIZE(sp_flags));
282}
283/** @} */
284
285/**
286 * @name XFRM SP Type Translations
287 * @{
288 */
289static const struct trans_tbl sp_types[] = {
290 __ADD(XFRM_POLICY_TYPE_MAIN, main),
291 __ADD(XFRM_POLICY_TYPE_SUB, sub),
292 __ADD(XFRM_POLICY_TYPE_MAX, max),
293 __ADD(XFRM_POLICY_TYPE_ANY, any),
294};
295
296char* xfrmnl_sp_type2str(int type, char *buf, size_t len)
297{
298 return __type2str(type, buf, len, sp_types, ARRAY_SIZE(sp_types));
299}
300
301int xfrmnl_sp_str2type(const char *name)
302{
303 return __str2type(name, sp_types, ARRAY_SIZE(sp_types));
304}
305/** @} */
306
307/**
308 * @name XFRM SP Direction Translations
309 * @{
310 */
311static const struct trans_tbl sp_dir[] = {
312 __ADD(XFRM_POLICY_IN, in),
313 __ADD(XFRM_POLICY_OUT, out),
314 __ADD(XFRM_POLICY_FWD, fwd),
315 __ADD(XFRM_POLICY_MASK, mask),
316};
317
318char* xfrmnl_sp_dir2str(int dir, char *buf, size_t len)
319{
320 return __type2str (dir, buf, len, sp_dir, ARRAY_SIZE(sp_dir));
321}
322
323int xfrmnl_sp_str2dir(const char *name)
324{
325 return __str2type (name, sp_dir, ARRAY_SIZE(sp_dir));
326}
327
328int xfrmnl_sp_index2dir (unsigned int index)
329{
330 return index & 0x7;
331}
332/** @} */
333
334/**
335 * @name XFRM SP Share Translations
336 * @{
337 */
338static const struct trans_tbl sp_share[] = {
339 __ADD(XFRM_SHARE_ANY, any),
340 __ADD(XFRM_SHARE_SESSION, session),
341 __ADD(XFRM_SHARE_USER, user),
342 __ADD(XFRM_SHARE_UNIQUE, unique),
343};
344
345char* xfrmnl_sp_share2str(int share, char *buf, size_t len)
346{
347 return __type2str (share, buf, len, sp_share, ARRAY_SIZE(sp_share));
348}
349
350int xfrmnl_sp_str2share(const char *name)
351{
352 return __str2type (name, sp_share, ARRAY_SIZE(sp_share));
353}
354/** @} */
355
356static void xfrm_sp_dump_line(struct nl_object *a, struct nl_dump_params *p)
357{
358 struct xfrmnl_sp* sp = (struct xfrmnl_sp *) a;
359 char dir[32], action[32], share[32], flags[32];
360 char dst[INET6_ADDRSTRLEN+5], src[INET6_ADDRSTRLEN+5];
361 time_t add_time, use_time;
362 struct tm *add_time_tm, *use_time_tm;
363 struct tm tm_buf;
364
365 nl_addr2str(xfrmnl_sel_get_saddr (sp->sel), src, sizeof(src));
366 nl_addr2str (xfrmnl_sel_get_daddr (sp->sel), dst, sizeof (dst));
367 nl_af2str (xfrmnl_sel_get_family (sp->sel), dir, 32);
368 nl_dump_line(p, "src %s dst %s family: %s\n", src, dst, dir);
369 nl_dump_line (p, "src port/mask: %d/%d dst port/mask: %d/%d\n",
370 xfrmnl_sel_get_dport (sp->sel), xfrmnl_sel_get_dportmask (sp->sel),
371 xfrmnl_sel_get_sport (sp->sel), xfrmnl_sel_get_sportmask (sp->sel));
372 nl_dump_line (p, "protocol: %s ifindex: %u uid: %u\n",
373 nl_ip_proto2str (xfrmnl_sel_get_proto (sp->sel), dir, sizeof(dir)),
374 xfrmnl_sel_get_ifindex (sp->sel),
375 xfrmnl_sel_get_userid (sp->sel));
376
377 xfrmnl_sp_dir2str (sp->dir, dir, 32);
378 xfrmnl_sp_action2str (sp->action, action, 32);
379 xfrmnl_sp_share2str (sp->share, share, 32);
380 xfrmnl_sp_flags2str (sp->flags, flags, 32);
381 nl_dump_line(p, "\tdir: %s action: %s index: %u priority: %u share: %s flags: %s(0x%x) \n",
382 dir, action, sp->index, sp->priority, share, flags, sp->flags);
383
384 nl_dump_line(p, "\tlifetime configuration: \n");
385 if (sp->lft->soft_byte_limit == XFRM_INF)
386 sprintf (dir, "INF");
387 else
388 sprintf (dir, "%" PRIu64, sp->lft->soft_byte_limit);
389 if (sp->lft->soft_packet_limit == XFRM_INF)
390 sprintf (action, "INF");
391 else
392 sprintf (action, "%" PRIu64, sp->lft->soft_packet_limit);
393 if (sp->lft->hard_byte_limit == XFRM_INF)
394 sprintf (flags, "INF");
395 else
396 sprintf (flags, "%" PRIu64, sp->lft->hard_byte_limit);
397 if (sp->lft->hard_packet_limit == XFRM_INF)
398 sprintf (share, "INF");
399 else
400 sprintf (share, "%" PRIu64, sp->lft->hard_packet_limit);
401 nl_dump_line(p, "\t\tsoft limit: %s (bytes), %s (packets) \n", dir,
402 action);
403 nl_dump_line(p, "\t\thard limit: %s (bytes), %s (packets) \n", flags,
404 share);
405 nl_dump_line(
406 p,
407 "\t\tsoft add_time: %llu (seconds), soft use_time: %llu (seconds) \n",
408 (long long unsigned)sp->lft->soft_add_expires_seconds,
409 (long long unsigned)sp->lft->soft_use_expires_seconds);
410 nl_dump_line(
411 p,
412 "\t\thard add_time: %llu (seconds), hard use_time: %llu (seconds) \n",
413 (long long unsigned)sp->lft->hard_add_expires_seconds,
414 (long long unsigned)sp->lft->hard_use_expires_seconds);
415
416 nl_dump_line(p, "\tlifetime current: \n");
417 nl_dump_line(p, "\t\t%llu bytes, %llu packets\n",
418 (long long unsigned)sp->curlft.bytes,
419 (long long unsigned)sp->curlft.packets);
420
421 if (sp->curlft.add_time != 0)
422 {
423 add_time = sp->curlft.add_time;
424 add_time_tm = gmtime_r (&add_time, &tm_buf);
425 strftime (dst, INET6_ADDRSTRLEN+5, "%Y-%m-%d %H-%M-%S", add_time_tm);
426 }
427 else
428 {
429 sprintf (dst, "%s", "-");
430 }
431
432 if (sp->curlft.use_time != 0)
433 {
434 use_time = sp->curlft.use_time;
435 use_time_tm = gmtime_r (&use_time, &tm_buf);
436 strftime (src, INET6_ADDRSTRLEN+5, "%Y-%m-%d %H-%M-%S", use_time_tm);
437 }
438 else
439 {
440 sprintf (src, "%s", "-");
441 }
442 nl_dump_line(p, "\t\tadd_time: %s, use_time: %s\n", dst, src);
443
444 if (sp->ce_mask & XFRM_SP_ATTR_SECCTX)
445 {
446 nl_dump_line(p, "\tUser security context: \n");
447 nl_dump_line(p, "\t\tlen: %d exttype: %d Algo: %d DOI: %d ctxlen: %d\n",
448 sp->sec_ctx->len, sp->sec_ctx->exttype,
449 sp->sec_ctx->ctx_alg, sp->sec_ctx->ctx_doi, sp->sec_ctx->ctx_len);
450 nl_dump_line (p, "\t\tctx: %s \n", sp->sec_ctx->ctx);
451 }
452
453 xfrmnl_sp_type2str (sp->uptype.type, flags, 32);
454 if (sp->ce_mask & XFRM_SP_ATTR_POLTYPE)
455 nl_dump_line(p, "\tUser policy type: %s\n", flags);
456
457 if (sp->ce_mask & XFRM_SP_ATTR_TMPL)
458 {
459 struct xfrmnl_user_tmpl* utmpl;
460
461 nl_dump_line(p, "\tUser template: \n");
462
463 nl_list_for_each_entry(utmpl, &sp->usertmpl_list, utmpl_list)
464 xfrmnl_user_tmpl_dump (utmpl, p);
465 }
466
467 if (sp->ce_mask & XFRM_SP_ATTR_MARK)
468 nl_dump_line(p, "\tMark mask: 0x%x Mark value: 0x%x\n", sp->mark.m, sp->mark.v);
469
470 nl_dump(p, "\n");
471}
472
473static void xfrm_sp_dump_details(struct nl_object *a, struct nl_dump_params *p)
474{
475 xfrm_sp_dump_line(a, p);
476}
477
478static void xfrm_sp_dump_stats(struct nl_object *a, struct nl_dump_params *p)
479{
480 xfrm_sp_dump_details(a, p);
481
482 return;
483}
484
485/**
486 * @name XFRM SP Object Allocation/Freeage
487 * @{
488 */
489
490struct xfrmnl_sp* xfrmnl_sp_alloc(void)
491{
492 return (struct xfrmnl_sp*) nl_object_alloc(&xfrm_sp_obj_ops);
493}
494
495void xfrmnl_sp_put(struct xfrmnl_sp* sp)
496{
497 nl_object_put((struct nl_object *) sp);
498}
499
500/** @} */
501
502/**
503 * @name SP Cache Managament
504 * @{
505 */
506
507/**
508 * Build a SP cache including all SPs currently configured in the kernel.
509 * @arg sock Netlink socket.
510 * @arg result Pointer to store resulting cache.
511 *
512 * Allocates a new SP cache, initializes it properly and updates it
513 * to include all SPs currently configured in the kernel.
514 *
515 * @return 0 on success or a negative error code.
516 */
517int xfrmnl_sp_alloc_cache(struct nl_sock *sock, struct nl_cache **result)
518{
519 return nl_cache_alloc_and_fill(&xfrmnl_sp_ops, sock, result);
520}
521
522/**
523 * Look up a SP by policy id and direction
524 * @arg cache SP cache
525 * @arg index Policy Id
526 * @arg dir direction
527 * @return sp handle or NULL if no match was found.
528 */
529struct xfrmnl_sp* xfrmnl_sp_get(struct nl_cache* cache, unsigned int index, unsigned int dir)
530{
531 struct xfrmnl_sp *sp;
532
533 //nl_list_for_each_entry(sp, &cache->c_items, ce_list) {
534 for (sp = (struct xfrmnl_sp*)nl_cache_get_first (cache);
535 sp != NULL;
536 sp = (struct xfrmnl_sp*)nl_cache_get_next ((struct nl_object*)sp))
537 {
538 if (sp->index == index && sp->dir == dir)
539 {
540 nl_object_get((struct nl_object *) sp);
541 return sp;
542 }
543 }
544
545 return NULL;
546}
547
548
549/** @} */
550
551
552static struct nla_policy xfrm_sp_policy[XFRMA_MAX+1] = {
553 [XFRMA_POLICY] = { .minlen = sizeof(struct xfrm_userpolicy_info)},
554 [XFRMA_SEC_CTX] = { .minlen = sizeof(struct xfrm_sec_ctx) },
555 [XFRMA_TMPL] = { .minlen = sizeof(struct xfrm_user_tmpl) },
556 [XFRMA_POLICY_TYPE] = { .minlen = sizeof(struct xfrm_userpolicy_type)},
557 [XFRMA_MARK] = { .minlen = sizeof(struct xfrm_mark) },
558};
559
560static int xfrm_sp_request_update(struct nl_cache *c, struct nl_sock *h)
561{
562 return nl_send_simple (h, XFRM_MSG_GETPOLICY, NLM_F_DUMP, NULL, 0);
563}
564
565int xfrmnl_sp_parse(struct nlmsghdr *n, struct xfrmnl_sp **result)
566{
567 _nl_auto_nl_addr struct nl_addr *addr1 = NULL;
568 _nl_auto_nl_addr struct nl_addr *addr2 = NULL;
569 _nl_auto_xfrmnl_sp struct xfrmnl_sp *sp = NULL;
570 struct nlattr *tb[XFRMA_MAX + 1];
571 struct xfrm_userpolicy_info *sp_info;
572 int len, err;
573
574 sp = xfrmnl_sp_alloc();
575 if (!sp)
576 return -NLE_NOMEM;
577
578 sp->ce_msgtype = n->nlmsg_type;
579 if (n->nlmsg_type == XFRM_MSG_DELPOLICY)
580 sp_info = (struct xfrm_userpolicy_info*)((char *)nlmsg_data(n) + sizeof (struct xfrm_userpolicy_id) + NLA_HDRLEN);
581 else
582 sp_info = nlmsg_data(n);
583
584 err = nlmsg_parse(n, sizeof(struct xfrm_userpolicy_info), tb, XFRMA_MAX, xfrm_sp_policy);
585 if (err < 0)
586 return err;
587
588 if (!(addr1 = _nl_addr_build(sp_info->sel.family, &sp_info->sel.daddr)))
589 return -NLE_NOMEM;
590 nl_addr_set_prefixlen (addr1, sp_info->sel.prefixlen_d);
591 xfrmnl_sel_set_daddr (sp->sel, addr1);
592 xfrmnl_sel_set_prefixlen_d (sp->sel, sp_info->sel.prefixlen_d);
593
594 if (!(addr2 = _nl_addr_build(sp_info->sel.family, &sp_info->sel.saddr)))
595 return -NLE_NOMEM;
596 nl_addr_set_prefixlen (addr2, sp_info->sel.prefixlen_s);
597 xfrmnl_sel_set_saddr (sp->sel, addr2);
598 xfrmnl_sel_set_prefixlen_s (sp->sel, sp_info->sel.prefixlen_s);
599
600 xfrmnl_sel_set_dport (sp->sel, ntohs (sp_info->sel.dport));
601 xfrmnl_sel_set_dportmask (sp->sel, ntohs (sp_info->sel.dport_mask));
602 xfrmnl_sel_set_sport (sp->sel, ntohs (sp_info->sel.sport));
603 xfrmnl_sel_set_sportmask (sp->sel, ntohs (sp_info->sel.sport_mask));
604 xfrmnl_sel_set_family (sp->sel, sp_info->sel.family);
605 xfrmnl_sel_set_proto (sp->sel, sp_info->sel.proto);
606 xfrmnl_sel_set_ifindex (sp->sel, sp_info->sel.ifindex);
607 xfrmnl_sel_set_userid (sp->sel, sp_info->sel.user);
608 sp->ce_mask |= XFRM_SP_ATTR_SEL;
609
610 sp->lft->soft_byte_limit = sp_info->lft.soft_byte_limit;
611 sp->lft->hard_byte_limit = sp_info->lft.hard_byte_limit;
612 sp->lft->soft_packet_limit = sp_info->lft.soft_packet_limit;
613 sp->lft->hard_packet_limit = sp_info->lft.hard_packet_limit;
614 sp->lft->soft_add_expires_seconds = sp_info->lft.soft_add_expires_seconds;
615 sp->lft->hard_add_expires_seconds = sp_info->lft.hard_add_expires_seconds;
616 sp->lft->soft_use_expires_seconds = sp_info->lft.soft_use_expires_seconds;
617 sp->lft->hard_use_expires_seconds = sp_info->lft.hard_use_expires_seconds;
618 sp->ce_mask |= XFRM_SP_ATTR_LTIME_CFG;
619
620 sp->curlft.bytes = sp_info->curlft.bytes;
621 sp->curlft.packets = sp_info->curlft.packets;
622 sp->curlft.add_time = sp_info->curlft.add_time;
623 sp->curlft.use_time = sp_info->curlft.use_time;
624 sp->ce_mask |= XFRM_SP_ATTR_LTIME_CUR;
625
626 sp->priority = sp_info->priority;
627 sp->index = sp_info->index;
628 sp->dir = sp_info->dir;
629 sp->action = sp_info->action;
630 sp->flags = sp_info->flags;
631 sp->share = sp_info->share;
632 sp->ce_mask |= (XFRM_SP_ATTR_PRIO | XFRM_SP_ATTR_INDEX |
633 XFRM_SP_ATTR_DIR | XFRM_SP_ATTR_ACTION |
634 XFRM_SP_ATTR_FLAGS | XFRM_SP_ATTR_SHARE);
635
636 if (tb[XFRMA_SEC_CTX]) {
637 struct xfrm_user_sec_ctx* ctx = nla_data(tb[XFRMA_SEC_CTX]);
638
639 len = sizeof (struct xfrmnl_user_sec_ctx) + ctx->ctx_len;
640 if ((sp->sec_ctx = calloc (1, len)) == NULL)
641 return -NLE_NOMEM;
642 memcpy ((void *)sp->sec_ctx, (void *)ctx, len);
643 sp->ce_mask |= XFRM_SP_ATTR_SECCTX;
644 }
645
646 if (tb[XFRMA_POLICY_TYPE]) {
647 struct xfrm_userpolicy_type* up = nla_data(tb[XFRMA_POLICY_TYPE]);
648
649 memcpy ((void *)&sp->uptype, (void *)up, sizeof (struct xfrm_userpolicy_type));
650 sp->ce_mask |= XFRM_SP_ATTR_POLTYPE;
651 }
652
653 if (tb[XFRMA_TMPL]) {
654 struct xfrm_user_tmpl* tmpl = nla_data(tb[XFRMA_TMPL]);
655 uint32_t i;
656 uint32_t num_tmpls = nla_len(tb[XFRMA_TMPL]) / sizeof (*tmpl);
657
658 for (i = 0; (i < num_tmpls) && (tmpl); i ++, tmpl++)
659 {
660 _nl_auto_xfrmnl_user_tmpl struct xfrmnl_user_tmpl *sputmpl = NULL;
661 _nl_auto_nl_addr struct nl_addr *addr1 = NULL;
662 _nl_auto_nl_addr struct nl_addr *addr2 = NULL;
663
664 if ((sputmpl = xfrmnl_user_tmpl_alloc ()) == NULL)
665 return -NLE_NOMEM;
666
667 if (!(addr1 = _nl_addr_build(tmpl->family, &tmpl->id.daddr)))
668 return -NLE_NOMEM;
669 xfrmnl_user_tmpl_set_daddr (sputmpl, addr1);
670 xfrmnl_user_tmpl_set_spi (sputmpl, ntohl(tmpl->id.spi));
671 xfrmnl_user_tmpl_set_proto (sputmpl, tmpl->id.proto);
672 xfrmnl_user_tmpl_set_family (sputmpl, tmpl->family);
673
674 if (!(addr2 = _nl_addr_build(tmpl->family, &tmpl->saddr)))
675 return -NLE_NOMEM;
676 xfrmnl_user_tmpl_set_saddr (sputmpl, addr2);
677
678 xfrmnl_user_tmpl_set_reqid (sputmpl, tmpl->reqid);
679 xfrmnl_user_tmpl_set_mode (sputmpl, tmpl->mode);
680 xfrmnl_user_tmpl_set_share (sputmpl, tmpl->share);
681 xfrmnl_user_tmpl_set_optional (sputmpl, tmpl->optional);
682 xfrmnl_user_tmpl_set_aalgos (sputmpl, tmpl->aalgos);
683 xfrmnl_user_tmpl_set_ealgos (sputmpl, tmpl->ealgos);
684 xfrmnl_user_tmpl_set_calgos (sputmpl, tmpl->calgos);
685 xfrmnl_sp_add_usertemplate (sp, _nl_steal_pointer(&sputmpl));
686
687 sp->ce_mask |= XFRM_SP_ATTR_TMPL;
688 }
689 }
690
691 if (tb[XFRMA_MARK]) {
692 struct xfrm_mark* m = nla_data(tb[XFRMA_MARK]);
693 sp->mark.m = m->m;
694 sp->mark.v = m->v;
695 sp->ce_mask |= XFRM_SP_ATTR_MARK;
696 }
697
698 *result = _nl_steal_pointer(&sp);
699 return 0;
700}
701
702static int xfrm_sp_msg_parser(struct nl_cache_ops *ops, struct sockaddr_nl *who,
703 struct nlmsghdr *n, struct nl_parser_param *pp)
704{
705 struct xfrmnl_sp* sp;
706 int err;
707
708 if ((err = xfrmnl_sp_parse(n, &sp)) < 0)
709 {
710 printf ("received error: %d \n", err);
711 return err;
712 }
713
714 err = pp->pp_cb((struct nl_object *) sp, pp);
715
716 xfrmnl_sp_put(sp);
717 return err;
718}
719
720/**
721 * @name XFRM SP Get
722 * @{
723 */
724
725int xfrmnl_sp_build_get_request(unsigned int index, unsigned int dir, unsigned int mark_v, unsigned int mark_m, struct nl_msg **result)
726{
727 struct nl_msg *msg;
728 struct xfrm_userpolicy_id spid;
729 struct xfrm_mark mark;
730
731 memset(&spid, 0, sizeof(spid));
732 spid.index = index;
733 spid.dir = dir;
734
735 if (!(msg = nlmsg_alloc_simple(XFRM_MSG_GETPOLICY, 0)))
736 return -NLE_NOMEM;
737
738 if (nlmsg_append(msg, &spid, sizeof(spid), NLMSG_ALIGNTO) < 0)
739 goto nla_put_failure;
740
741 if ((mark_m & mark_v) != 0)
742 {
743 memset(&mark, 0, sizeof(struct xfrm_mark));
744 mark.m = mark_m;
745 mark.v = mark_v;
746
747 NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &mark);
748 }
749
750 *result = msg;
751 return 0;
752
753nla_put_failure:
754 nlmsg_free(msg);
755 return -NLE_MSGSIZE;
756}
757
758int xfrmnl_sp_get_kernel(struct nl_sock* sock, unsigned int index, unsigned int dir, unsigned int mark_v, unsigned int mark_m, struct xfrmnl_sp** result)
759{
760 struct nl_msg *msg = NULL;
761 struct nl_object *obj;
762 int err;
763
764 if ((err = xfrmnl_sp_build_get_request(index, dir, mark_m, mark_v, &msg)) < 0)
765 return err;
766
767 err = nl_send_auto(sock, msg);
768 nlmsg_free(msg);
769 if (err < 0)
770 return err;
771
772 if ((err = nl_pickup(sock, &xfrm_sp_msg_parser, &obj)) < 0)
773 return err;
774
775 /* We have used xfrm_sp_msg_parser(), object is definitely a xfrm ae */
776 *result = (struct xfrmnl_sp *) obj;
777
778 /* If an object has been returned, we also need to wait for the ACK */
779 if (err == 0 && obj)
780 nl_wait_for_ack(sock);
781
782 return 0;
783}
784
785/** @} */
786
787static int build_xfrm_sp_message(struct xfrmnl_sp *tmpl, int cmd, int flags, struct nl_msg **result)
788{
789 struct nl_msg* msg;
790 struct xfrm_userpolicy_info sp_info;
791 uint32_t len;
792 struct nl_addr* addr;
793
794 if (!(tmpl->ce_mask & XFRM_SP_ATTR_DIR) ||
795 (!(tmpl->ce_mask & XFRM_SP_ATTR_INDEX) &&
796 !(tmpl->ce_mask & XFRM_SP_ATTR_SEL)))
797 return -NLE_MISSING_ATTR;
798
799 memset ((void*)&sp_info, 0, sizeof (sp_info));
800 if (tmpl->ce_mask & XFRM_SP_ATTR_SEL)
801 {
802 addr = xfrmnl_sel_get_daddr (tmpl->sel);
803 memcpy ((void*)&sp_info.sel.daddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
804 addr = xfrmnl_sel_get_saddr (tmpl->sel);
805 memcpy ((void*)&sp_info.sel.saddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
806 sp_info.sel.dport = htons (xfrmnl_sel_get_dport (tmpl->sel));
807 sp_info.sel.dport_mask = htons (xfrmnl_sel_get_dportmask (tmpl->sel));
808 sp_info.sel.sport = htons (xfrmnl_sel_get_sport (tmpl->sel));
809 sp_info.sel.sport_mask = htons (xfrmnl_sel_get_sportmask (tmpl->sel));
810 sp_info.sel.family = xfrmnl_sel_get_family (tmpl->sel);
811 sp_info.sel.prefixlen_d = xfrmnl_sel_get_prefixlen_d (tmpl->sel);
812 sp_info.sel.prefixlen_s = xfrmnl_sel_get_prefixlen_s (tmpl->sel);
813 sp_info.sel.proto = xfrmnl_sel_get_proto (tmpl->sel);
814 sp_info.sel.ifindex = xfrmnl_sel_get_ifindex (tmpl->sel);
815 sp_info.sel.user = xfrmnl_sel_get_userid (tmpl->sel);
816 }
817
818 if (tmpl->ce_mask & XFRM_SP_ATTR_LTIME_CFG)
819 {
820 sp_info.lft.soft_byte_limit = xfrmnl_ltime_cfg_get_soft_bytelimit (tmpl->lft);
821 sp_info.lft.hard_byte_limit = xfrmnl_ltime_cfg_get_hard_bytelimit (tmpl->lft);
822 sp_info.lft.soft_packet_limit = xfrmnl_ltime_cfg_get_soft_packetlimit (tmpl->lft);
823 sp_info.lft.hard_packet_limit = xfrmnl_ltime_cfg_get_hard_packetlimit (tmpl->lft);
824 sp_info.lft.soft_add_expires_seconds = xfrmnl_ltime_cfg_get_soft_addexpires (tmpl->lft);
825 sp_info.lft.hard_add_expires_seconds = xfrmnl_ltime_cfg_get_hard_addexpires (tmpl->lft);
826 sp_info.lft.soft_use_expires_seconds = xfrmnl_ltime_cfg_get_soft_useexpires (tmpl->lft);
827 sp_info.lft.hard_use_expires_seconds = xfrmnl_ltime_cfg_get_hard_useexpires (tmpl->lft);
828 }
829
830 //Skip current lifetime: cur lifetime can be updated only via AE
831
832 if (tmpl->ce_mask & XFRM_SP_ATTR_PRIO)
833 sp_info.priority = tmpl->priority;
834
835 if (tmpl->ce_mask & XFRM_SP_ATTR_INDEX)
836 sp_info.index = tmpl->index;
837
838 if (tmpl->ce_mask & XFRM_SP_ATTR_DIR)
839 sp_info.dir = tmpl->dir;
840
841 if (tmpl->ce_mask & XFRM_SP_ATTR_ACTION)
842 sp_info.action = tmpl->action;
843
844 if (tmpl->ce_mask & XFRM_SP_ATTR_FLAGS)
845 sp_info.flags = tmpl->flags;
846
847 if (tmpl->ce_mask & XFRM_SP_ATTR_SHARE)
848 sp_info.share = tmpl->share;
849
850 msg = nlmsg_alloc_simple(cmd, flags);
851 if (!msg)
852 return -NLE_NOMEM;
853
854 if (nlmsg_append(msg, &sp_info, sizeof(sp_info), NLMSG_ALIGNTO) < 0)
855 goto nla_put_failure;
856
857 if (tmpl->ce_mask & XFRM_SP_ATTR_SECCTX) {
858 len = (sizeof (struct xfrm_user_sec_ctx)) + tmpl->sec_ctx->ctx_len;
859 NLA_PUT (msg, XFRMA_SEC_CTX, len, tmpl->sec_ctx);
860 }
861
862 if (tmpl->ce_mask & XFRM_SP_ATTR_POLTYPE) {
863 len = sizeof (struct xfrm_userpolicy_type);
864 NLA_PUT (msg, XFRMA_POLICY_TYPE, len, &tmpl->uptype);
865 }
866
867 if (tmpl->ce_mask & XFRM_SP_ATTR_TMPL) {
868 struct nlattr* tmpls;
869 struct xfrmnl_user_tmpl* utmpl;
870 struct nl_addr* addr;
871
872 if (!(tmpls = nla_nest_start(msg, XFRMA_TMPL)))
873 goto nla_put_failure;
874
875 nl_list_for_each_entry(utmpl, &tmpl->usertmpl_list, utmpl_list) {
876 struct xfrm_user_tmpl* tmpl;
877
878 tmpl = nlmsg_reserve(msg, sizeof(*tmpl), NLMSG_ALIGNTO);
879 if (!tmpl)
880 goto nla_put_failure;
881 addr = xfrmnl_user_tmpl_get_daddr (utmpl);
882 memcpy ((void *)&tmpl->id.daddr, nl_addr_get_binary_addr (addr),
883 nl_addr_get_len (addr));
884 tmpl->id.spi = htonl(xfrmnl_user_tmpl_get_spi (utmpl));
885 tmpl->id.proto = xfrmnl_user_tmpl_get_proto (utmpl);
886 tmpl->family = xfrmnl_user_tmpl_get_family (utmpl);
887 addr = xfrmnl_user_tmpl_get_saddr (utmpl);
888 memcpy ((void *)&tmpl->saddr, nl_addr_get_binary_addr (addr),
889 nl_addr_get_len (addr));
890 tmpl->reqid = xfrmnl_user_tmpl_get_reqid (utmpl);
891 tmpl->mode = xfrmnl_user_tmpl_get_mode (utmpl);
892 tmpl->share = xfrmnl_user_tmpl_get_share (utmpl);
893 tmpl->optional = xfrmnl_user_tmpl_get_optional (utmpl);
894 tmpl->aalgos = xfrmnl_user_tmpl_get_aalgos (utmpl);
895 tmpl->ealgos = xfrmnl_user_tmpl_get_ealgos (utmpl);
896 tmpl->calgos = xfrmnl_user_tmpl_get_calgos (utmpl);
897 }
898 nla_nest_end(msg, tmpls);
899 }
900
901 if (tmpl->ce_mask & XFRM_SP_ATTR_MARK) {
902 NLA_PUT (msg, XFRMA_MARK, sizeof (struct xfrm_mark), &tmpl->mark);
903 }
904
905 *result = msg;
906 return 0;
907
908nla_put_failure:
909 nlmsg_free(msg);
910 return -NLE_MSGSIZE;
911}
912
913/**
914 * @name XFRM SP Add
915 * @{
916 */
917
918int xfrmnl_sp_build_add_request(struct xfrmnl_sp* tmpl, int flags, struct nl_msg **result)
919{
920 return build_xfrm_sp_message (tmpl, XFRM_MSG_NEWPOLICY, flags, result);
921}
922
923int xfrmnl_sp_add(struct nl_sock* sk, struct xfrmnl_sp* tmpl, int flags)
924{
925 int err;
926 struct nl_msg *msg;
927
928 if ((err = xfrmnl_sp_build_add_request(tmpl, flags, &msg)) < 0)
929 return err;
930
931 err = nl_send_auto_complete(sk, msg);
932 nlmsg_free(msg);
933 if (err < 0)
934 return err;
935
936 return nl_wait_for_ack(sk);
937}
938
939/**
940 * @name XFRM SP Update
941 * @{
942 */
943
944int xfrmnl_sp_build_update_request(struct xfrmnl_sp* tmpl, int flags, struct nl_msg **result)
945{
946 return build_xfrm_sp_message (tmpl, XFRM_MSG_UPDPOLICY, flags, result);
947}
948
949int xfrmnl_sp_update(struct nl_sock* sk, struct xfrmnl_sp* tmpl, int flags)
950{
951 int err;
952 struct nl_msg *msg;
953
954 if ((err = xfrmnl_sp_build_update_request(tmpl, flags, &msg)) < 0)
955 return err;
956
957 err = nl_send_auto_complete(sk, msg);
958 nlmsg_free(msg);
959 if (err < 0)
960 return err;
961
962 return nl_wait_for_ack(sk);
963}
964
965/** @} */
966
967/**
968 * \brief Builds a xfrm_sp_delete_message. Uses either index and direction
969 * or security-context (not set is a valid value), selector and
970 * direction for identification.
971 * Returns error if necessary values aren't set.
972 *
973 * \param tmpl The policy template.
974 * \param cmd The command. Should be XFRM_MSG_DELPOLICY.
975 * \param flags Additional flags
976 * \param result Resulting message.
977 *
978 * \return 0 if successful, else error value < 0
979 */
980static int build_xfrm_sp_delete_message(struct xfrmnl_sp *tmpl, int cmd, int flags, struct nl_msg **result)
981{
982 struct nl_msg* msg;
983 struct xfrm_userpolicy_id spid;
984 struct nl_addr* addr;
985 uint32_t len;
986
987 if (!(tmpl->ce_mask & XFRM_SP_ATTR_DIR) ||
988 (!(tmpl->ce_mask & XFRM_SP_ATTR_INDEX) &&
989 !(tmpl->ce_mask & XFRM_SP_ATTR_SEL)))
990 return -NLE_MISSING_ATTR;
991
992 memset(&spid, 0, sizeof(spid));
993 spid.dir = tmpl->dir;
994 if(tmpl->ce_mask & XFRM_SP_ATTR_INDEX)
995 spid.index = tmpl->index;
996
997 if (tmpl->ce_mask & XFRM_SP_ATTR_SEL)
998 {
999 addr = xfrmnl_sel_get_daddr (tmpl->sel);
1000 memcpy ((void*)&spid.sel.daddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
1001 addr = xfrmnl_sel_get_saddr (tmpl->sel);
1002 memcpy ((void*)&spid.sel.saddr, (void*)nl_addr_get_binary_addr (addr), sizeof (uint8_t) * nl_addr_get_len (addr));
1003 spid.sel.dport = htons (xfrmnl_sel_get_dport (tmpl->sel));
1004 spid.sel.dport_mask = htons (xfrmnl_sel_get_dportmask (tmpl->sel));
1005 spid.sel.sport = htons (xfrmnl_sel_get_sport (tmpl->sel));
1006 spid.sel.sport_mask = htons (xfrmnl_sel_get_sportmask (tmpl->sel));
1007 spid.sel.family = xfrmnl_sel_get_family (tmpl->sel);
1008 spid.sel.prefixlen_d = xfrmnl_sel_get_prefixlen_d (tmpl->sel);
1009 spid.sel.prefixlen_s = xfrmnl_sel_get_prefixlen_s (tmpl->sel);
1010 spid.sel.proto = xfrmnl_sel_get_proto (tmpl->sel);
1011 spid.sel.ifindex = xfrmnl_sel_get_ifindex (tmpl->sel);
1012 spid.sel.user = xfrmnl_sel_get_userid (tmpl->sel);
1013 }
1014
1015 msg = nlmsg_alloc_simple(cmd, flags);
1016 if (!msg)
1017 return -NLE_NOMEM;
1018
1019 if (nlmsg_append(msg, &spid, sizeof(spid), NLMSG_ALIGNTO) < 0)
1020 goto nla_put_failure;
1021
1022 if (tmpl->ce_mask & XFRM_SP_ATTR_SECCTX) {
1023 len = (sizeof (struct xfrm_user_sec_ctx)) + tmpl->sec_ctx->ctx_len;
1024 NLA_PUT (msg, XFRMA_SEC_CTX, len, tmpl->sec_ctx);
1025 }
1026
1027 if (tmpl->ce_mask & XFRM_SP_ATTR_MARK) {
1028 len = sizeof (struct xfrm_mark);
1029 NLA_PUT (msg, XFRMA_MARK, len, &tmpl->mark);
1030 }
1031
1032 *result = msg;
1033 return 0;
1034
1035nla_put_failure:
1036 nlmsg_free(msg);
1037 return -NLE_MSGSIZE;
1038}
1039
1040/**
1041 * @name XFRM SA Delete
1042 * @{
1043 */
1044
1045int xfrmnl_sp_build_delete_request(struct xfrmnl_sp* tmpl, int flags, struct nl_msg **result)
1046{
1047 return build_xfrm_sp_delete_message (tmpl, XFRM_MSG_DELPOLICY, flags, result);
1048}
1049
1050int xfrmnl_sp_delete(struct nl_sock* sk, struct xfrmnl_sp* tmpl, int flags)
1051{
1052 int err;
1053 struct nl_msg *msg;
1054
1055 if ((err = xfrmnl_sp_build_delete_request(tmpl, flags, &msg)) < 0)
1056 return err;
1057
1058 err = nl_send_auto_complete(sk, msg);
1059 nlmsg_free(msg);
1060 if (err < 0)
1061 return err;
1062
1063 return nl_wait_for_ack(sk);
1064}
1065
1066/** @} */
1067
1068
1069/**
1070 * @name Attributes
1071 * @{
1072 */
1073
1074struct xfrmnl_sel* xfrmnl_sp_get_sel (struct xfrmnl_sp* sp)
1075{
1076 if (sp->ce_mask & XFRM_SP_ATTR_SEL)
1077 return sp->sel;
1078 else
1079 return NULL;
1080}
1081
1082int xfrmnl_sp_set_sel (struct xfrmnl_sp* sp, struct xfrmnl_sel* sel)
1083{
1084 /* Release any previously held selector object from the SP */
1085 if (sp->sel)
1086 xfrmnl_sel_put (sp->sel);
1087
1088 /* Increment ref count on new selector and save it in the SP */
1089 xfrmnl_sel_get (sel);
1090 sp->sel = sel;
1091 sp->ce_mask |= XFRM_SP_ATTR_SEL;
1092
1093 return 0;
1094}
1095
1096struct xfrmnl_ltime_cfg* xfrmnl_sp_get_lifetime_cfg (struct xfrmnl_sp* sp)
1097{
1098 if (sp->ce_mask & XFRM_SP_ATTR_LTIME_CFG)
1099 return sp->lft;
1100 else
1101 return NULL;
1102}
1103
1104int xfrmnl_sp_set_lifetime_cfg (struct xfrmnl_sp* sp, struct xfrmnl_ltime_cfg* ltime)
1105{
1106 /* Release any previously held lifetime cfg object from the SP */
1107 if (sp->lft)
1108 xfrmnl_ltime_cfg_put (sp->lft);
1109
1110 /* Increment ref count on new lifetime object and save it in the SP */
1111 xfrmnl_ltime_cfg_get (ltime);
1112 sp->lft = ltime;
1113 sp->ce_mask |= XFRM_SP_ATTR_LTIME_CFG;
1114
1115 return 0;
1116}
1117
1118int xfrmnl_sp_get_curlifetime (struct xfrmnl_sp* sp, unsigned long long int* curr_bytes,
1119 unsigned long long int* curr_packets, unsigned long long int* curr_add_time, unsigned long long int* curr_use_time)
1120{
1121 if (sp == NULL || curr_bytes == NULL || curr_packets == NULL || curr_add_time == NULL || curr_use_time == NULL)
1122 return -1;
1123
1124 *curr_bytes = sp->curlft.bytes;
1125 *curr_packets = sp->curlft.packets;
1126 *curr_add_time = sp->curlft.add_time;
1127 *curr_use_time = sp->curlft.use_time;
1128
1129 return 0;
1130}
1131
1132int xfrmnl_sp_get_priority (struct xfrmnl_sp* sp)
1133{
1134 if (sp->ce_mask & XFRM_SP_ATTR_PRIO)
1135 return sp->priority;
1136 else
1137 return -1;
1138}
1139
1140int xfrmnl_sp_set_priority (struct xfrmnl_sp* sp, unsigned int prio)
1141{
1142 sp->priority = prio;
1143 sp->ce_mask |= XFRM_SP_ATTR_PRIO;
1144
1145 return 0;
1146}
1147
1148int xfrmnl_sp_get_index (struct xfrmnl_sp* sp)
1149{
1150 if (sp->ce_mask & XFRM_SP_ATTR_INDEX)
1151 return sp->index;
1152 else
1153 return -1;
1154}
1155
1156int xfrmnl_sp_set_index (struct xfrmnl_sp* sp, unsigned int index)
1157{
1158 sp->index = index;
1159 sp->ce_mask |= XFRM_SP_ATTR_INDEX;
1160
1161 return 0;
1162}
1163
1164int xfrmnl_sp_get_dir (struct xfrmnl_sp* sp)
1165{
1166 if (sp->ce_mask & XFRM_SP_ATTR_DIR)
1167 return sp->dir;
1168 else
1169 return -1;
1170}
1171
1172int xfrmnl_sp_set_dir (struct xfrmnl_sp* sp, unsigned int dir)
1173{
1174 sp->dir = dir;
1175 sp->ce_mask |= XFRM_SP_ATTR_DIR;
1176
1177 return 0;
1178}
1179
1180int xfrmnl_sp_get_action (struct xfrmnl_sp* sp)
1181{
1182 if (sp->ce_mask & XFRM_SP_ATTR_ACTION)
1183 return sp->action;
1184 else
1185 return -1;
1186}
1187
1188int xfrmnl_sp_set_action (struct xfrmnl_sp* sp, unsigned int action)
1189{
1190 sp->action = action;
1191 sp->ce_mask |= XFRM_SP_ATTR_ACTION;
1192
1193 return 0;
1194}
1195
1196int xfrmnl_sp_get_flags (struct xfrmnl_sp* sp)
1197{
1198 if (sp->ce_mask & XFRM_SP_ATTR_FLAGS)
1199 return sp->flags;
1200 else
1201 return -1;
1202}
1203
1204int xfrmnl_sp_set_flags (struct xfrmnl_sp* sp, unsigned int flags)
1205{
1206 sp->flags = flags;
1207 sp->ce_mask |= XFRM_SP_ATTR_FLAGS;
1208
1209 return 0;
1210}
1211
1212int xfrmnl_sp_get_share (struct xfrmnl_sp* sp)
1213{
1214 if (sp->ce_mask & XFRM_SP_ATTR_SHARE)
1215 return sp->share;
1216 else
1217 return -1;
1218}
1219
1220int xfrmnl_sp_set_share (struct xfrmnl_sp* sp, unsigned int share)
1221{
1222 sp->share = share;
1223 sp->ce_mask |= XFRM_SP_ATTR_SHARE;
1224
1225 return 0;
1226}
1227
1228/**
1229 * Get the security context.
1230 *
1231 * @arg sp The xfrmnl_sp object.
1232 * @arg len An optional output value for the ctx_str length including the xfrmnl_sp header.
1233 * @arg exttype An optional output value.
1234 * @arg alg An optional output value for the security context algorithm.
1235 * @arg doi An optional output value for the security context domain of interpretation.
1236 * @arg ctx_len An optional output value for the security context length, including the
1237 * terminating null byte ('\0').
1238 * @arg ctx_str An optional buffer large enough for the security context string. It must
1239 * contain at least @ctx_len bytes. You are advised to create the ctx_str
1240 * buffer one element larger and ensure NUL termination yourself.
1241 *
1242 * Warning: you must ensure that @ctx_str is large enough. If you don't know the length before-hand,
1243 * call xfrmnl_sp_get_sec_ctx() without @ctx_str argument to query only the required buffer size.
1244 * This modified API is available in all versions of libnl3 that support the capability
1245 * @def NL_CAPABILITY_XFRM_SP_SEC_CTX_LEN (@see nl_has_capability for further information).
1246 *
1247 * @return 0 on success or a negative error code.
1248 */
1249int xfrmnl_sp_get_sec_ctx (struct xfrmnl_sp* sp, unsigned int* len, unsigned int* exttype, unsigned int* alg, unsigned int* doi, unsigned int* ctx_len, char* ctx_str)
1250{
1251 if (sp->ce_mask & XFRM_SP_ATTR_SECCTX)
1252 {
1253 if (len)
1254 *len = sizeof (struct xfrmnl_user_sec_ctx) + sp->sec_ctx->ctx_len;
1255 if (exttype)
1256 *exttype = sp->sec_ctx->exttype;
1257 if (alg)
1258 *alg = sp->sec_ctx->ctx_alg;
1259 if (doi)
1260 *doi = sp->sec_ctx->ctx_doi;
1261 if (ctx_len)
1262 *ctx_len = sp->sec_ctx->ctx_len;
1263 if (ctx_str)
1264 memcpy ((void *)ctx_str, (void *)sp->sec_ctx->ctx, sp->sec_ctx->ctx_len);
1265 }
1266 else
1267 return -1;
1268
1269 return 0;
1270}
1271/**
1272 * @brief Set security context (ctx_str) for XFRM Polixy.
1273 *
1274 * @param sp XFRM Policy
1275 * @param len !!! depricated unused parameter !!!
1276 * @param exttype netlink message attribute - probably XFRMA_SEC_CTX
1277 * @param alg security context algorithm
1278 * @param doi security context domain interpretation
1279 * @param ctx_len Length of the context string.
1280 * @param ctx_str The context string.
1281 *
1282 * @return 0 if sucessfull, else -1
1283 */
1284int xfrmnl_sp_set_sec_ctx (struct xfrmnl_sp* sp, unsigned int len, unsigned int exttype, unsigned int alg, unsigned int doi, unsigned int ctx_len, char* ctx_str)
1285{
1286 /* Free up the old context string and allocate new one */
1287 if (sp->sec_ctx)
1288 free (sp->sec_ctx);
1289 if ((sp->sec_ctx = calloc (1, sizeof (struct xfrmnl_user_sec_ctx) + 1 + ctx_len)) == NULL)
1290 return -1;
1291
1292 /* Save the new info */
1293 sp->sec_ctx->len = sizeof (struct xfrmnl_user_sec_ctx) + ctx_len;
1294 sp->sec_ctx->exttype = exttype;
1295 sp->sec_ctx->ctx_alg = alg;
1296 sp->sec_ctx->ctx_doi = doi;
1297 sp->sec_ctx->ctx_len = ctx_len;
1298 memcpy ((void *)sp->sec_ctx->ctx, (void *)ctx_str, ctx_len);
1299 sp->sec_ctx->ctx[ctx_len] = '\0';
1300
1301 sp->ce_mask |= XFRM_SP_ATTR_SECCTX;
1302
1303 return 0;
1304}
1305
1306int xfrmnl_sp_get_userpolicy_type (struct xfrmnl_sp* sp)
1307{
1308 if (sp->ce_mask & XFRM_SP_ATTR_POLTYPE)
1309 return sp->uptype.type;
1310 else
1311 return -1;
1312}
1313
1314int xfrmnl_sp_set_userpolicy_type (struct xfrmnl_sp* sp, unsigned int type)
1315{
1316 sp->uptype.type = type;
1317 sp->ce_mask |= XFRM_SP_ATTR_POLTYPE;
1318
1319 return 0;
1320}
1321
1322void xfrmnl_sp_add_usertemplate(struct xfrmnl_sp *sp, struct xfrmnl_user_tmpl *utmpl)
1323{
1324 nl_list_add_tail(&utmpl->utmpl_list, &sp->usertmpl_list);
1325 sp->nr_user_tmpl++;
1326 sp->ce_mask |= XFRM_SP_ATTR_TMPL;
1327}
1328
1329void xfrmnl_sp_remove_usertemplate(struct xfrmnl_sp *sp, struct xfrmnl_user_tmpl *utmpl)
1330{
1331 if (sp->ce_mask & XFRM_SP_ATTR_TMPL) {
1332 sp->nr_user_tmpl--;
1333 nl_list_del(&utmpl->utmpl_list);
1334 if (sp->nr_user_tmpl == 0)
1335 sp->ce_mask &= ~XFRM_SP_ATTR_TMPL;
1336 }
1337}
1338
1339struct nl_list_head *xfrmnl_sp_get_usertemplates(struct xfrmnl_sp *sp)
1340{
1341 if (sp->ce_mask & XFRM_SP_ATTR_TMPL)
1342 return &sp->usertmpl_list;
1343
1344 return NULL;
1345}
1346
1347int xfrmnl_sp_get_nusertemplates(struct xfrmnl_sp *sp)
1348{
1349 if (sp->ce_mask & XFRM_SP_ATTR_TMPL)
1350 return sp->nr_user_tmpl;
1351
1352 return 0;
1353}
1354
1355void xfrmnl_sp_foreach_usertemplate(struct xfrmnl_sp *r,
1356 void (*cb)(struct xfrmnl_user_tmpl *, void *),
1357 void *arg)
1358{
1359 struct xfrmnl_user_tmpl *utmpl;
1360
1361 if (r->ce_mask & XFRM_SP_ATTR_TMPL) {
1362 nl_list_for_each_entry(utmpl, &r->usertmpl_list, utmpl_list) {
1363 cb(utmpl, arg);
1364 }
1365 }
1366}
1367
1368struct xfrmnl_user_tmpl *xfrmnl_sp_usertemplate_n(struct xfrmnl_sp *r, int n)
1369{
1370 struct xfrmnl_user_tmpl *utmpl;
1371
1372 if (r->ce_mask & XFRM_SP_ATTR_TMPL && n >= 0 &&
1373 ((unsigned)n) < r->nr_user_tmpl) {
1374 uint32_t i;
1375
1376 i = 0;
1377 nl_list_for_each_entry(utmpl, &r->usertmpl_list, utmpl_list) {
1378 if (i == ((unsigned)n))
1379 return utmpl;
1380 i++;
1381 }
1382 }
1383 return NULL;
1384}
1385
1386int xfrmnl_sp_get_mark (struct xfrmnl_sp* sp, unsigned int* mark_mask, unsigned int* mark_value)
1387{
1388 if (mark_mask == NULL || mark_value == NULL)
1389 return -1;
1390
1391 if (sp->ce_mask & XFRM_SP_ATTR_MARK)
1392 {
1393 *mark_mask = sp->mark.m;
1394 *mark_value = sp->mark.v;
1395
1396 return 0;
1397 }
1398 else
1399 return -1;
1400}
1401
1402int xfrmnl_sp_set_mark (struct xfrmnl_sp* sp, unsigned int value, unsigned int mask)
1403{
1404 sp->mark.v = value;
1405 sp->mark.m = mask;
1406 sp->ce_mask |= XFRM_SP_ATTR_MARK;
1407
1408 return 0;
1409}
1410
1411/** @} */
1412
1413static struct nl_object_ops xfrm_sp_obj_ops = {
1414 .oo_name = "xfrm/sp",
1415 .oo_size = sizeof(struct xfrmnl_sp),
1416 .oo_constructor = xfrm_sp_alloc_data,
1417 .oo_free_data = xfrm_sp_free_data,
1418 .oo_clone = xfrm_sp_clone,
1419 .oo_dump = {
1420 [NL_DUMP_LINE] = xfrm_sp_dump_line,
1421 [NL_DUMP_DETAILS] = xfrm_sp_dump_details,
1422 [NL_DUMP_STATS] = xfrm_sp_dump_stats,
1423 },
1424 .oo_compare = xfrm_sp_compare,
1425 .oo_attrs2str = xfrm_sp_attrs2str,
1426 .oo_id_attrs = (XFRM_SP_ATTR_SEL | XFRM_SP_ATTR_INDEX | XFRM_SP_ATTR_DIR),
1427};
1428
1429static struct nl_af_group xfrm_sp_groups[] = {
1430 { AF_UNSPEC, XFRMNLGRP_POLICY },
1431 { END_OF_GROUP_LIST },
1432};
1433
1434static struct nl_cache_ops xfrmnl_sp_ops = {
1435 .co_name = "xfrm/sp",
1436 .co_hdrsize = sizeof(struct xfrm_userpolicy_info),
1437 .co_msgtypes = {
1438 { XFRM_MSG_NEWPOLICY, NL_ACT_NEW, "new" },
1439 { XFRM_MSG_DELPOLICY, NL_ACT_DEL, "del" },
1440 { XFRM_MSG_GETPOLICY, NL_ACT_GET, "get" },
1441 { XFRM_MSG_UPDPOLICY, NL_ACT_NEW, "update" },
1442 END_OF_MSGTYPES_LIST,
1443 },
1444 .co_protocol = NETLINK_XFRM,
1445 .co_groups = xfrm_sp_groups,
1446 .co_request_update = xfrm_sp_request_update,
1447 .co_msg_parser = xfrm_sp_msg_parser,
1448 .co_obj_ops = &xfrm_sp_obj_ops,
1449};
1450
1451/**
1452 * @name XFRM SA Cache Managament
1453 * @{
1454 */
1455
1456static void _nl_init xfrm_sp_init(void)
1457{
1458 nl_cache_mngt_register(&xfrmnl_sp_ops);
1459}
1460
1461static void _nl_exit xfrm_sp_exit(void)
1462{
1463 nl_cache_mngt_unregister(&xfrmnl_sp_ops);
1464}
1465
1466/** @} */
struct xfrmnl_user_tmpl * xfrmnl_user_tmpl_clone(struct xfrmnl_user_tmpl *utmpl)
Clone existing user template object.
Definition template.c:95
int xfrmnl_sel_cmp(struct xfrmnl_sel *a, struct xfrmnl_sel *b)
Compares two selector objects.
Definition selector.c:180
struct xfrmnl_ltime_cfg * xfrmnl_ltime_cfg_alloc()
Allocate new lifetime config object.
Definition lifetime.c:79
int xfrmnl_ltime_cfg_cmp(struct xfrmnl_ltime_cfg *a, struct xfrmnl_ltime_cfg *b)
Compares two lifetime config objects.
Definition lifetime.c:159
struct xfrmnl_ltime_cfg * xfrmnl_ltime_cfg_clone(struct xfrmnl_ltime_cfg *ltime)
Clone existing lifetime config object.
Definition lifetime.c:98
struct xfrmnl_sel * xfrmnl_sel_alloc()
Allocate new selector object.
Definition selector.c:96
int xfrmnl_user_tmpl_cmp(struct xfrmnl_user_tmpl *a, struct xfrmnl_user_tmpl *b)
Compares two user template objects.
Definition template.c:148
struct xfrmnl_sel * xfrmnl_sel_clone(struct xfrmnl_sel *sel)
Clone existing selector object.
Definition selector.c:115
struct xfrmnl_user_tmpl * xfrmnl_user_tmpl_alloc()
Allocate new user template object.
Definition template.c:76
void nl_addr_set_prefixlen(struct nl_addr *addr, int prefixlen)
Set the prefix length of an abstract address.
Definition addr.c:967
void * nl_addr_get_binary_addr(const struct nl_addr *addr)
Get binary address of abstract address object.
Definition addr.c:943
char * nl_addr2str(const struct nl_addr *addr, char *buf, size_t size)
Convert abstract address object to character string.
Definition addr.c:1001
unsigned int nl_addr_get_len(const struct nl_addr *addr)
Get length of binary address of abstract address object.
Definition addr.c:955
void * nla_data(const struct nlattr *nla)
Return pointer to the payload section.
Definition attr.c:119
#define NLA_PUT(msg, attrtype, attrlen, data)
Add unspecific attribute to netlink message.
Definition attr.h:166
struct nlattr * nla_nest_start(struct nl_msg *msg, int attrtype)
Start a new level of nested attributes.
Definition attr.c:974
int nla_len(const struct nlattr *nla)
Return length of the payload .
Definition attr.c:130
int nla_nest_end(struct nl_msg *msg, struct nlattr *start)
Finalize nesting of attributes.
Definition attr.c:1037
int nl_cache_mngt_unregister(struct nl_cache_ops *ops)
Unregister a set of cache operations.
Definition cache_mngt.c:287
int nl_cache_mngt_register(struct nl_cache_ops *ops)
Register a set of cache operations.
Definition cache_mngt.c:252
struct nl_object * nl_cache_get_next(struct nl_object *obj)
Return the next element in the cache.
Definition cache.c:146
int nl_cache_alloc_and_fill(struct nl_cache_ops *ops, struct nl_sock *sock, struct nl_cache **result)
Allocate new cache and fill it.
Definition cache.c:234
struct nl_object * nl_cache_get_first(struct nl_cache *cache)
Return the first element in the cache.
Definition cache.c:120
struct nl_msg * nlmsg_alloc_simple(int nlmsgtype, int flags)
Allocate a new netlink message.
Definition msg.c:352
void * nlmsg_data(const struct nlmsghdr *nlh)
Return pointer to message payload.
Definition msg.c:108
void * nlmsg_reserve(struct nl_msg *n, size_t len, int pad)
Reserve room for additional data in a netlink message.
Definition msg.c:418
void nlmsg_free(struct nl_msg *msg)
Release a reference from an netlink message.
Definition msg.c:572
int nlmsg_parse(struct nlmsghdr *nlh, int hdrlen, struct nlattr *tb[], int maxtype, const struct nla_policy *policy)
parse attributes of a netlink message
Definition msg.c:219
int nlmsg_append(struct nl_msg *n, void *data, size_t len, int pad)
Append data to tail of a netlink message.
Definition msg.c:456
void nl_object_put(struct nl_object *obj)
Release a reference from an object.
Definition object.c:221
void nl_object_get(struct nl_object *obj)
Acquire a reference on a object.
Definition object.c:210
struct nl_object * nl_object_alloc(struct nl_object_ops *ops)
Allocate a new object of kind specified by the operations handle.
Definition object.c:55
int nl_send_auto(struct nl_sock *sk, struct nl_msg *msg)
Finalize and transmit Netlink message.
Definition nl.c:515
int nl_send_auto_complete(struct nl_sock *sk, struct nl_msg *msg)
Definition nl.c:1247
int nl_pickup(struct nl_sock *sk, int(*parser)(struct nl_cache_ops *, struct sockaddr_nl *, struct nlmsghdr *, struct nl_parser_param *), struct nl_object **result)
Pickup netlink answer, parse is and return object.
Definition nl.c:1178
int nl_wait_for_ack(struct nl_sock *sk)
Wait for ACK.
Definition nl.c:1112
int nl_send_simple(struct nl_sock *sk, int type, int flags, void *buf, size_t size)
Construct and transmit a Netlink message.
Definition nl.c:579
void nl_dump(struct nl_dump_params *params, const char *fmt,...)
Dump a formatted character string.
Definition utils.c:1015
@ NL_DUMP_STATS
Dump all attributes including statistics.
Definition types.h:22
@ NL_DUMP_LINE
Dump object briefly on one line.
Definition types.h:20
@ NL_DUMP_DETAILS
Dump all attributes but no statistics.
Definition types.h:21
Dumping parameters.
Definition types.h:32
Attribute validation policy.
Definition attr.h:66
uint16_t minlen
Minimal length of payload required.
Definition attr.h:71
uint16_t type
Type of attribute or NLA_UNSPEC.
Definition attr.h:68
Definition sp.c:66