- changes: 1. set userTmpl.Family to correct family 2. add Selector to XfrmState which is corresponding to XfrmUsersaInfo.Sel
- update *XfrmAddress.ToIPNet method to support 0.0.0.0/0 and ::/0 correctly
- update xfrmStateFromXfrmUsersaInfo to get XfrmState.Selector
- extend TestXfrmStateAddGetDel for v6ov4 and v4ov6 cases
Add support of XFRMA_SA_EXTRA_FLAGS attribute of XFRM State interface.
The attribute is a 32bit flag and currently two flags
(XFRM_SA_XFLAG_DONT_ENCAP_DSCP and XFRM_SA_XFLAG_OSEQ_MAY_WRAP) are
defined. Two boolean flags added to XfrmState struct are correspoinding
to those flags. Naming of the flags are taken from iproute2's options
(extra-flag dont-encap-dscp | oseq-may-wrap).
A value of 0 for XFRMA_IF_ID is not valid and will be rejected as of
Linux kernel commit torvalds/linux@68ac0f3810 ("xfrm: state and policy
should fail if XFRMA_IF_ID 0"), which will return EINVAL when setting
XFRMA_IF_ID = 0. Thus, only set the XFRMA_IF_ID attribute in case
XfrmState.Ifid or XfrmPolicy.Ifid are != 0.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
XfrmState currently doesn't allow setting the mask for the output mark.
As a result, setting an output mark always clears all bits. This commit
adds support for the mask value.
Signed-off-by: Paul Chaignon <paul@cilium.io>
XFRM interfaces are available in Linux Kernel 4.19+
When an IF_ID is applied to a XFRM policy and state, the corresponding
traffic will be sent through the virtual interface with the same IF_ID.
- Currently they are not and GET methods are passing
the wrong structure. Also they are setting the incorrect
XFRM_F_DUMP flag. Because of this, current get methods
do not return expected error when query target is not found.
Signed-off-by: Alessandro Boch <aboch@docker.com>
- Package methods only need an empty handle.
Not a regular Handle with a couple of
sockets creation/delete.
Signed-off-by: Alessandro Boch <aboch@docker.com>
- Ties to a netlink socket. All client requests
will re-use same socket. Socket released at
handle deletion.
- Also network namespace can be specified during
handle creation. Socket will be opened on the
specified network namespace.
Signed-off-by: Alessandro Boch <aboch@docker.com>
* Add Mark to xrfm state
Signed-off-by: Alessandro Boch <aboch@docker.com>
* Add Mark to xfrm policies
Signed-off-by: Alessandro Boch <aboch@docker.com>
