XFRM interfaces are available in Linux Kernel 4.19+
When an IF_ID is applied to an XFRM policy and state, the corresponding
traffic will be sent through the virtual interface with the same IF_ID.
The action and ifindex fields aren't represented in the XfrmPolicy type
although they exist in the Linux equivalent data structures. They
are represented in the serialized versions of those datatypes. So this
patch simply exposes those fields to the user-consumable side of the
API. This patch makes the policy's action a specific type in the same
style as the Dir field in XfrmPolicy.
Update the existing unit tests to compare Ifindex and Action fields in
the XFRM structure. Verify that the default policy returns an action of
ALLOW and an ifindex of 0. Add a unit test to add and read back a
policy to the loopback interface (ifindex 1) with action "block".
Signed-off-by: Chris Telfer <ctelfer@docker.com>
- It is part of the ID and it is needed when you
program policies for different SAs which share
the same src and dst
Signed-off-by: Alessandro Boch <aboch@docker.com>
- Currently they are not and GET methods are passing
the wrong structure. Also they are setting the incorrect
XFRM_F_DUMP flag. Because of this, current get methods
do not return the expected error when the query target is not found.
Signed-off-by: Alessandro Boch <aboch@docker.com>
- Package methods only need an empty handle.
Not a regular Handle with a couple of
socket creations/deletions.
Signed-off-by: Alessandro Boch <aboch@docker.com>
- Ties to a netlink socket. All client requests
will re-use the same socket. Socket released at
handle deletion.
- Also, a network namespace can be specified during
handle creation. Socket will be opened on the
specified network namespace.
Signed-off-by: Alessandro Boch <aboch@docker.com>
* Add Mark to xfrm state
Signed-off-by: Alessandro Boch <aboch@docker.com>
* Add Mark to xfrm policies
Signed-off-by: Alessandro Boch <aboch@docker.com>