13 Commits

Author SHA1 Message Date
Matt Ellison
1e2e7ab670 Add Support for Virtual XFRM Interfaces
XFRM interfaces are available in Linux Kernel 4.19+

When an IF_ID is applied to an XFRM policy and state, the corresponding
traffic will be sent through the virtual interface with the same IF_ID.
2019-01-05 11:40:40 -08:00
Chris Telfer
8aa85bfa77 Add support for action and ifindex in XFRM policy
The action and ifindex fields aren't represented in the XfrmPolicy type
although they exist in the linux equivalent data structures. They
are represented in the serialized versions of those datatypes. So this
patch simply exposes those fields to the user-consumable side of the
API. This patch makes the policy's action a specific type in the same
style as the Dir field in XfrmPolicy.

Update the existing unit tests to compare Ifindex and Action fields in
the XFRM structure. Verify that the default policy returns an action of
ALLOW and an ifindex of 0. Add a unit test to add and read back a
policy to the loopback interface (ifindex 1) with action "block".

Signed-off-by: Chris Telfer <ctelfer@docker.com>
2018-08-14 10:33:37 -07:00
Alessandro Boch
f67b75edbf Properly tear down netns at the end of test
Signed-off-by: Alessandro Boch <aboch@tetrationanalytics.com>
2017-11-28 09:08:21 -08:00
Aithal
dedc638a06 Fix compilation errors for non linux platforms.
The go get command and make both fail when executed on
non-linux platforms. Modified it so that there are no
compilation errors when developing in such an
environment.
2017-02-20 12:00:54 -08:00
Alessandro Boch
9b552a7a61 Allow SPI to be passed in policy template (#127)
- It is part of the ID and it is needed when you
  program policies for different SAs which share
  same src and dst

Signed-off-by: Alessandro Boch <aboch@docker.com>
2016-05-25 11:10:56 -07:00
Alessandro Boch
f9bc7a684e Support xfrm state/policy flush (#122)
Signed-off-by: Alessandro Boch <aboch@docker.com>
2016-05-13 16:42:24 -07:00
Alessandro Boch
d975f28755 XFRM Get/Delete state/policy should share same code (#119)
- Currently they are not and GET methods are passing
  the wrong structure. Also they are setting the incorrect
  XFRM_F_DUMP flag. Because of this, current get methods
  do not return expected error when query target is not found.

Signed-off-by: Alessandro Boch <aboch@docker.com>
2016-05-12 13:16:26 -07:00
Alessandro Boch
ef0e63f64d Fix a bug in selFromPolicy() (#120)
- It assumes Src and Dst *ipNet are always specified

Signed-off-by: Alessandro Boch <aboch@docker.com>
2016-05-12 10:52:20 -07:00
Alessandro Boch
cb0b035c41 Provide method to query for specific policy (#115)
Signed-off-by: Alessandro Boch <aboch@docker.com>
2016-05-09 16:52:35 -07:00
Alessandro Boch
a123807666 Allow to program L4 fields in policy selector (#113)
Signed-off-by: Alessandro Boch <aboch@docker.com>
2016-05-09 09:19:18 -07:00
Alessandro Boch
7ec3682687 Support xfrm state/policy update
Signed-off-by: Alessandro Boch <aboch@docker.com>
2016-05-03 22:52:55 -07:00
Alessandro Boch
18e9389da5 Add Mark field to xfrm state and policy (#110)
* Add Mark to xfrm state

Signed-off-by: Alessandro Boch <aboch@docker.com>

* Add Mark to xfrm policies

Signed-off-by: Alessandro Boch <aboch@docker.com>
2016-04-30 20:31:59 -07:00
Vishvananda Ishaya
8dab8b7462 Initial commit of netlink package
2014-08-31 20:34:46 -07:00