Make xfrm linux-only

The xfrm framework is linux-only. Only implement the respective types
for GOOS=linux to avoid dependencies to x/sys/unix on non-linux or
non-unix platforms. Provide dummy XfrmPolicy and XfrmState types for the
globally defined XfrmPolicy* and XfrmState* functions.

xfrm_linux.go

@@ -14,7 +14,7 @@ const (
 	XFRM_PROTO_ESP       Proto = unix.IPPROTO_ESP
 	XFRM_PROTO_AH        Proto = unix.IPPROTO_AH
 	XFRM_PROTO_HAO       Proto = unix.IPPROTO_DSTOPTS
-	XFRM_PROTO_COMP      Proto = 0x6c // NOTE not defined on darwin
+	XFRM_PROTO_COMP      Proto = unix.IPPROTO_COMP
 	XFRM_PROTO_IPSEC_ANY Proto = unix.IPPROTO_RAW
 )
 

xfrm_monitor_linux_test.go

@@ -1,6 +1,3 @@
-//go:build linux
-// +build linux
-
 package netlink
 
 import (

xfrm_policy.go

@@ -1,97 +0,0 @@
-package netlink
-
-import (
-	"fmt"
-	"net"
-)
-
-// Dir is an enum representing an ipsec template direction.
-type Dir uint8
-
-const (
-	XFRM_DIR_IN Dir = iota
-	XFRM_DIR_OUT
-	XFRM_DIR_FWD
-	XFRM_SOCKET_IN
-	XFRM_SOCKET_OUT
-	XFRM_SOCKET_FWD
-)
-
-func (d Dir) String() string {
-	switch d {
-	case XFRM_DIR_IN:
-		return "dir in"
-	case XFRM_DIR_OUT:
-		return "dir out"
-	case XFRM_DIR_FWD:
-		return "dir fwd"
-	case XFRM_SOCKET_IN:
-		return "socket in"
-	case XFRM_SOCKET_OUT:
-		return "socket out"
-	case XFRM_SOCKET_FWD:
-		return "socket fwd"
-	}
-	return fmt.Sprintf("socket %d", d-XFRM_SOCKET_IN)
-}
-
-// PolicyAction is an enum representing an ipsec policy action.
-type PolicyAction uint8
-
-const (
-	XFRM_POLICY_ALLOW PolicyAction = 0
-	XFRM_POLICY_BLOCK PolicyAction = 1
-)
-
-func (a PolicyAction) String() string {
-	switch a {
-	case XFRM_POLICY_ALLOW:
-		return "allow"
-	case XFRM_POLICY_BLOCK:
-		return "block"
-	default:
-		return fmt.Sprintf("action %d", a)
-	}
-}
-
-// XfrmPolicyTmpl encapsulates a rule for the base addresses of an ipsec
-// policy. These rules are matched with XfrmState to determine encryption
-// and authentication algorithms.
-type XfrmPolicyTmpl struct {
-	Dst      net.IP
-	Src      net.IP
-	Proto    Proto
-	Mode     Mode
-	Spi      int
-	Reqid    int
-	Optional int
-}
-
-func (t XfrmPolicyTmpl) String() string {
-	return fmt.Sprintf("{Dst: %v, Src: %v, Proto: %s, Mode: %s, Spi: 0x%x, Reqid: 0x%x}",
-		t.Dst, t.Src, t.Proto, t.Mode, t.Spi, t.Reqid)
-}
-
-// XfrmPolicy represents an ipsec policy. It represents the overlay network
-// and has a list of XfrmPolicyTmpls representing the base addresses of
-// the policy.
-type XfrmPolicy struct {
-	Dst      *net.IPNet
-	Src      *net.IPNet
-	Proto    Proto
-	DstPort  int
-	SrcPort  int
-	Dir      Dir
-	Priority int
-	Index    int
-	Action   PolicyAction
-	Ifindex  int
-	Ifid     int
-	Mark     *XfrmMark
-	Tmpls    []XfrmPolicyTmpl
-}
-
-func (p XfrmPolicy) String() string {
-	return fmt.Sprintf("{Dst: %v, Src: %v, Proto: %s, DstPort: %d, SrcPort: %d, Dir: %s, Priority: %d, Index: %d, Action: %s, Ifindex: %d, Ifid: %d, Mark: %s, Tmpls: %s}",
-		p.Dst, p.Src, p.Proto, p.DstPort, p.SrcPort, p.Dir, p.Priority, p.Index, p.Action, p.Ifindex, p.Ifid, p.Mark, p.Tmpls)
-}

xfrm_policy_linux.go

@@ -1,10 +1,104 @@
 package netlink
 
 import (
+	"fmt"
+	"net"
+
 	"github.com/vishvananda/netlink/nl"
 	"golang.org/x/sys/unix"
 )
 
+// Dir is an enum representing an ipsec template direction.
+type Dir uint8
+
+const (
+	XFRM_DIR_IN Dir = iota
+	XFRM_DIR_OUT
+	XFRM_DIR_FWD
+	XFRM_SOCKET_IN
+	XFRM_SOCKET_OUT
+	XFRM_SOCKET_FWD
+)
+
+func (d Dir) String() string {
+	switch d {
+	case XFRM_DIR_IN:
+		return "dir in"
+	case XFRM_DIR_OUT:
+		return "dir out"
+	case XFRM_DIR_FWD:
+		return "dir fwd"
+	case XFRM_SOCKET_IN:
+		return "socket in"
+	case XFRM_SOCKET_OUT:
+		return "socket out"
+	case XFRM_SOCKET_FWD:
+		return "socket fwd"
+	}
+	return fmt.Sprintf("socket %d", d-XFRM_SOCKET_IN)
+}
+
+// PolicyAction is an enum representing an ipsec policy action.
+type PolicyAction uint8
+
+const (
+	XFRM_POLICY_ALLOW PolicyAction = 0
+	XFRM_POLICY_BLOCK PolicyAction = 1
+)
+
+func (a PolicyAction) String() string {
+	switch a {
+	case XFRM_POLICY_ALLOW:
+		return "allow"
+	case XFRM_POLICY_BLOCK:
+		return "block"
+	default:
+		return fmt.Sprintf("action %d", a)
+	}
+}
+
+// XfrmPolicyTmpl encapsulates a rule for the base addresses of an ipsec
+// policy. These rules are matched with XfrmState to determine encryption
+// and authentication algorithms.
+type XfrmPolicyTmpl struct {
+	Dst      net.IP
+	Src      net.IP
+	Proto    Proto
+	Mode     Mode
+	Spi      int
+	Reqid    int
+	Optional int
+}
+
+func (t XfrmPolicyTmpl) String() string {
+	return fmt.Sprintf("{Dst: %v, Src: %v, Proto: %s, Mode: %s, Spi: 0x%x, Reqid: 0x%x}",
+		t.Dst, t.Src, t.Proto, t.Mode, t.Spi, t.Reqid)
+}
+
+// XfrmPolicy represents an ipsec policy. It represents the overlay network
+// and has a list of XfrmPolicyTmpls representing the base addresses of
+// the policy.
+type XfrmPolicy struct {
+	Dst      *net.IPNet
+	Src      *net.IPNet
+	Proto    Proto
+	DstPort  int
+	SrcPort  int
+	Dir      Dir
+	Priority int
+	Index    int
+	Action   PolicyAction
+	Ifindex  int
+	Ifid     int
+	Mark     *XfrmMark
+	Tmpls    []XfrmPolicyTmpl
+}
+
+func (p XfrmPolicy) String() string {
+	return fmt.Sprintf("{Dst: %v, Src: %v, Proto: %s, DstPort: %d, SrcPort: %d, Dir: %s, Priority: %d, Index: %d, Action: %s, Ifindex: %d, Ifid: %d, Mark: %s, Tmpls: %s}",
+		p.Dst, p.Src, p.Proto, p.DstPort, p.SrcPort, p.Dir, p.Priority, p.Index, p.Action, p.Ifindex, p.Ifid, p.Mark, p.Tmpls)
+}
+
 func selFromPolicy(sel *nl.XfrmSelector, policy *XfrmPolicy) {
 	sel.Family = uint16(nl.FAMILY_V4)
 	if policy.Dst != nil {

xfrm_policy_linux_test.go

@@ -1,6 +1,3 @@
-//go:build linux
-// +build linux
-
 package netlink
 
 import (

xfrm_state.go

@@ -1,148 +0,0 @@
-package netlink
-
-import (
-	"fmt"
-	"net"
-	"time"
-)
-
-// XfrmStateAlgo represents the algorithm to use for the ipsec encryption.
-type XfrmStateAlgo struct {
-	Name        string
-	Key         []byte
-	TruncateLen int // Auth only
-	ICVLen      int // AEAD only
-}
-
-func (a XfrmStateAlgo) String() string {
-	base := fmt.Sprintf("{Name: %s, Key: 0x%x", a.Name, a.Key)
-	if a.TruncateLen != 0 {
-		base = fmt.Sprintf("%s, Truncate length: %d", base, a.TruncateLen)
-	}
-	if a.ICVLen != 0 {
-		base = fmt.Sprintf("%s, ICV length: %d", base, a.ICVLen)
-	}
-	return fmt.Sprintf("%s}", base)
-}
-
-// EncapType is an enum representing the optional packet encapsulation.
-type EncapType uint8
-
-const (
-	XFRM_ENCAP_ESPINUDP_NONIKE EncapType = iota + 1
-	XFRM_ENCAP_ESPINUDP
-)
-
-func (e EncapType) String() string {
-	switch e {
-	case XFRM_ENCAP_ESPINUDP_NONIKE:
-		return "espinudp-non-ike"
-	case XFRM_ENCAP_ESPINUDP:
-		return "espinudp"
-	}
-	return "unknown"
-}
-
-// XfrmStateEncap represents the encapsulation to use for the ipsec encryption.
-type XfrmStateEncap struct {
-	Type            EncapType
-	SrcPort         int
-	DstPort         int
-	OriginalAddress net.IP
-}
-
-func (e XfrmStateEncap) String() string {
-	return fmt.Sprintf("{Type: %s, Srcport: %d, DstPort: %d, OriginalAddress: %v}",
-		e.Type, e.SrcPort, e.DstPort, e.OriginalAddress)
-}
-
-// XfrmStateLimits represents the configured limits for the state.
-type XfrmStateLimits struct {
-	ByteSoft    uint64
-	ByteHard    uint64
-	PacketSoft  uint64
-	PacketHard  uint64
-	TimeSoft    uint64
-	TimeHard    uint64
-	TimeUseSoft uint64
-	TimeUseHard uint64
-}
-
-// XfrmStateStats represents the current number of bytes/packets
-// processed by this State, the State's installation and first use
-// time and the replay window counters.
-type XfrmStateStats struct {
-	ReplayWindow uint32
-	Replay       uint32
-	Failed       uint32
-	Bytes        uint64
-	Packets      uint64
-	AddTime      uint64
-	UseTime      uint64
-}
-
-// XfrmReplayState represents the sequence number states for
-// "legacy" anti-replay mode.
-type XfrmReplayState struct {
-	OSeq   uint32
-	Seq    uint32
-	BitMap uint32
-}
-
-func (r XfrmReplayState) String() string {
-	return fmt.Sprintf("{OSeq: 0x%x, Seq: 0x%x, BitMap: 0x%x}",
-		r.OSeq, r.Seq, r.BitMap)
-}
-
-// XfrmState represents the state of an ipsec policy. It optionally
-// contains an XfrmStateAlgo for encryption and one for authentication.
-type XfrmState struct {
-	Dst           net.IP
-	Src           net.IP
-	Proto         Proto
-	Mode          Mode
-	Spi           int
-	Reqid         int
-	ReplayWindow  int
-	Limits        XfrmStateLimits
-	Statistics    XfrmStateStats
-	Mark          *XfrmMark
-	OutputMark    *XfrmMark
-	Ifid          int
-	Auth          *XfrmStateAlgo
-	Crypt         *XfrmStateAlgo
-	Aead          *XfrmStateAlgo
-	Encap         *XfrmStateEncap
-	ESN           bool
-	DontEncapDSCP bool
-	OSeqMayWrap   bool
-	Replay        *XfrmReplayState
-	Selector      *XfrmPolicy
-}
-
-func (sa XfrmState) String() string {
-	return fmt.Sprintf("Dst: %v, Src: %v, Proto: %s, Mode: %s, SPI: 0x%x, ReqID: 0x%x, ReplayWindow: %d, Mark: %v, OutputMark: %v, Ifid: %d, Auth: %v, Crypt: %v, Aead: %v, Encap: %v, ESN: %t, DontEncapDSCP: %t, OSeqMayWrap: %t, Replay: %v",
-		sa.Dst, sa.Src, sa.Proto, sa.Mode, sa.Spi, sa.Reqid, sa.ReplayWindow, sa.Mark, sa.OutputMark, sa.Ifid, sa.Auth, sa.Crypt, sa.Aead, sa.Encap, sa.ESN, sa.DontEncapDSCP, sa.OSeqMayWrap, sa.Replay)
-}
-func (sa XfrmState) Print(stats bool) string {
-	if !stats {
-		return sa.String()
-	}
-	at := time.Unix(int64(sa.Statistics.AddTime), 0).Format(time.UnixDate)
-	ut := "-"
-	if sa.Statistics.UseTime > 0 {
-		ut = time.Unix(int64(sa.Statistics.UseTime), 0).Format(time.UnixDate)
-	}
-	return fmt.Sprintf("%s, ByteSoft: %s, ByteHard: %s, PacketSoft: %s, PacketHard: %s, TimeSoft: %d, TimeHard: %d, TimeUseSoft: %d, TimeUseHard: %d, Bytes: %d, Packets: %d, "+
-		"AddTime: %s, UseTime: %s, ReplayWindow: %d, Replay: %d, Failed: %d",
-		sa.String(), printLimit(sa.Limits.ByteSoft), printLimit(sa.Limits.ByteHard), printLimit(sa.Limits.PacketSoft), printLimit(sa.Limits.PacketHard),
-		sa.Limits.TimeSoft, sa.Limits.TimeHard, sa.Limits.TimeUseSoft, sa.Limits.TimeUseHard, sa.Statistics.Bytes, sa.Statistics.Packets, at, ut,
-		sa.Statistics.ReplayWindow, sa.Statistics.Replay, sa.Statistics.Failed)
-}
-
-func printLimit(lmt uint64) string {
-	if lmt == ^uint64(0) {
-		return "(INF)"
-	}
-	return fmt.Sprintf("%d", lmt)
-}

xfrm_state_linux.go

@@ -2,12 +2,154 @@ package netlink
 
 import (
 	"fmt"
+	"net"
+	"time"
 	"unsafe"
 
 	"github.com/vishvananda/netlink/nl"
 	"golang.org/x/sys/unix"
 )
 
+// XfrmStateAlgo represents the algorithm to use for the ipsec encryption.
+type XfrmStateAlgo struct {
+	Name        string
+	Key         []byte
+	TruncateLen int // Auth only
+	ICVLen      int // AEAD only
+}
+
+func (a XfrmStateAlgo) String() string {
+	base := fmt.Sprintf("{Name: %s, Key: 0x%x", a.Name, a.Key)
+	if a.TruncateLen != 0 {
+		base = fmt.Sprintf("%s, Truncate length: %d", base, a.TruncateLen)
+	}
+	if a.ICVLen != 0 {
+		base = fmt.Sprintf("%s, ICV length: %d", base, a.ICVLen)
+	}
+	return fmt.Sprintf("%s}", base)
+}
+
+// EncapType is an enum representing the optional packet encapsulation.
+type EncapType uint8
+
+const (
+	XFRM_ENCAP_ESPINUDP_NONIKE EncapType = iota + 1
+	XFRM_ENCAP_ESPINUDP
+)
+
+func (e EncapType) String() string {
+	switch e {
+	case XFRM_ENCAP_ESPINUDP_NONIKE:
+		return "espinudp-non-ike"
+	case XFRM_ENCAP_ESPINUDP:
+		return "espinudp"
+	}
+	return "unknown"
+}
+
+// XfrmStateEncap represents the encapsulation to use for the ipsec encryption.
+type XfrmStateEncap struct {
+	Type            EncapType
+	SrcPort         int
+	DstPort         int
+	OriginalAddress net.IP
+}
+
+func (e XfrmStateEncap) String() string {
+	return fmt.Sprintf("{Type: %s, Srcport: %d, DstPort: %d, OriginalAddress: %v}",
+		e.Type, e.SrcPort, e.DstPort, e.OriginalAddress)
+}
+
+// XfrmStateLimits represents the configured limits for the state.
+type XfrmStateLimits struct {
+	ByteSoft    uint64
+	ByteHard    uint64
+	PacketSoft  uint64
+	PacketHard  uint64
+	TimeSoft    uint64
+	TimeHard    uint64
+	TimeUseSoft uint64
+	TimeUseHard uint64
+}
+
+// XfrmStateStats represents the current number of bytes/packets
+// processed by this State, the State's installation and first use
+// time and the replay window counters.
+type XfrmStateStats struct {
+	ReplayWindow uint32
+	Replay       uint32
+	Failed       uint32
+	Bytes        uint64
+	Packets      uint64
+	AddTime      uint64
+	UseTime      uint64
+}
+
+// XfrmReplayState represents the sequence number states for
+// "legacy" anti-replay mode.
+type XfrmReplayState struct {
+	OSeq   uint32
+	Seq    uint32
+	BitMap uint32
+}
+
+func (r XfrmReplayState) String() string {
+	return fmt.Sprintf("{OSeq: 0x%x, Seq: 0x%x, BitMap: 0x%x}",
+		r.OSeq, r.Seq, r.BitMap)
+}
+
+// XfrmState represents the state of an ipsec policy. It optionally
+// contains an XfrmStateAlgo for encryption and one for authentication.
+type XfrmState struct {
+	Dst           net.IP
+	Src           net.IP
+	Proto         Proto
+	Mode          Mode
+	Spi           int
+	Reqid         int
+	ReplayWindow  int
+	Limits        XfrmStateLimits
+	Statistics    XfrmStateStats
+	Mark          *XfrmMark
+	OutputMark    *XfrmMark
+	Ifid          int
+	Auth          *XfrmStateAlgo
+	Crypt         *XfrmStateAlgo
+	Aead          *XfrmStateAlgo
+	Encap         *XfrmStateEncap
+	ESN           bool
+	DontEncapDSCP bool
+	OSeqMayWrap   bool
+	Replay        *XfrmReplayState
+	Selector      *XfrmPolicy
+}
+
+func (sa XfrmState) String() string {
+	return fmt.Sprintf("Dst: %v, Src: %v, Proto: %s, Mode: %s, SPI: 0x%x, ReqID: 0x%x, ReplayWindow: %d, Mark: %v, OutputMark: %v, Ifid: %d, Auth: %v, Crypt: %v, Aead: %v, Encap: %v, ESN: %t, DontEncapDSCP: %t, OSeqMayWrap: %t, Replay: %v",
+		sa.Dst, sa.Src, sa.Proto, sa.Mode, sa.Spi, sa.Reqid, sa.ReplayWindow, sa.Mark, sa.OutputMark, sa.Ifid, sa.Auth, sa.Crypt, sa.Aead, sa.Encap, sa.ESN, sa.DontEncapDSCP, sa.OSeqMayWrap, sa.Replay)
+}
+func (sa XfrmState) Print(stats bool) string {
+	if !stats {
+		return sa.String()
+	}
+	at := time.Unix(int64(sa.Statistics.AddTime), 0).Format(time.UnixDate)
+	ut := "-"
+	if sa.Statistics.UseTime > 0 {
+		ut = time.Unix(int64(sa.Statistics.UseTime), 0).Format(time.UnixDate)
+	}
+	return fmt.Sprintf("%s, ByteSoft: %s, ByteHard: %s, PacketSoft: %s, PacketHard: %s, TimeSoft: %d, TimeHard: %d, TimeUseSoft: %d, TimeUseHard: %d, Bytes: %d, Packets: %d, "+
+		"AddTime: %s, UseTime: %s, ReplayWindow: %d, Replay: %d, Failed: %d",
+		sa.String(), printLimit(sa.Limits.ByteSoft), printLimit(sa.Limits.ByteHard), printLimit(sa.Limits.PacketSoft), printLimit(sa.Limits.PacketHard),
+		sa.Limits.TimeSoft, sa.Limits.TimeHard, sa.Limits.TimeUseSoft, sa.Limits.TimeUseHard, sa.Statistics.Bytes, sa.Statistics.Packets, at, ut,
+		sa.Statistics.ReplayWindow, sa.Statistics.Replay, sa.Statistics.Failed)
+}
+
+func printLimit(lmt uint64) string {
+	if lmt == ^uint64(0) {
+		return "(INF)"
+	}
+	return fmt.Sprintf("%d", lmt)
+}
 func writeStateAlgo(a *XfrmStateAlgo) []byte {
 	algo := nl.XfrmAlgo{
 		AlgKeyLen: uint32(len(a.Key) * 8),

xfrm_state_linux_test.go

@@ -1,6 +1,3 @@
-//go:build linux
-// +build linux
-
 package netlink
 
 import (

xfrm_unspecified.go

@@ -0,0 +1,7 @@
+//go:build !linux
+// +build !linux
+
+package netlink
+
+type XfrmPolicy struct{}
+type XfrmState struct{}