ip: support for xfrm interfaces

Interfaces take a 'if_id' which is an interface id which can be set on an xfrm policy as its interface lookup key (XFRMA_IF_ID). Signed-off-by: Matt Ellison <matt@arroyo.io> Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
2025-08-14 15:10:16 +00:00 · 2019-04-04 10:08:45 -04:00 · 2019-04-04 10:08:45 -04:00 · 286446c1e8
commit 286446c1e8
parent d5d27f27d8
5 changed files with 138 additions and 3 deletions
--- a/ip/Makefile
+++ b/ip/Makefile
@ -5,7 +5,7 @@ IPOBJ=ip.o ipaddress.o ipaddrlabel.o iproute.o iprule.o ipnetns.o \
    ipxfrm.o xfrm_state.o xfrm_policy.o xfrm_monitor.o iplink_dummy.o \
    iplink_ifb.o iplink_nlmon.o iplink_team.o iplink_vcan.o iplink_vxcan.o \
    iplink_vlan.o link_veth.o link_gre.o iplink_can.o iplink_xdp.o \
-    iplink_macvlan.o ipl2tp.o link_vti.o link_vti6.o \
+    iplink_macvlan.o ipl2tp.o link_vti.o link_vti6.o link_xfrm.o \
    iplink_vxlan.o tcp_metrics.o iplink_ipoib.o ipnetconf.o link_ip6tnl.o \
    link_iptnl.o link_gre6.o iplink_bond.o iplink_bond_slave.o iplink_hsr.o \
    iplink_bridge.o iplink_bridge_slave.o ipfou.o iplink_ipvlan.o \
--- a/ip/iplink.c
+++ b/ip/iplink.c
@ -121,7 +121,8 @@ void iplink_usage(void)
 			"          bridge | bond | team | ipoib | ip6tnl | ipip | sit | vxlan |\n"
 			"          gre | gretap | erspan | ip6gre | ip6gretap | ip6erspan |\n"
 			"          vti | nlmon | team_slave | bond_slave | bridge_slave |\n"
-			"          ipvlan | ipvtap | geneve | vrf | macsec | netdevsim | rmnet }\n");
+			"          ipvlan | ipvtap | geneve | vrf | macsec | netdevsim | rmnet |\n"
+			"          xfrm }\n");
 	}
 	exit(-1);
 }
--- a/ip/link_xfrm.c
+++ b/ip/link_xfrm.c
@ -0,0 +1,77 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * link_xfrm.c	Virtual XFRM Interface driver module
+ *
+ * Authors:	Matt Ellison <matt@arroyo.io>
+ */
+
+#include <string.h>
+#include <linux/if_link.h>
+
+#include "rt_names.h"
+#include "utils.h"
+#include "ip_common.h"
+#include "tunnel.h"
+
+static void xfrm_print_help(struct link_util *lu, int argc, char **argv,
+			    FILE *f)
+{
+	fprintf(f, "Usage: ... %-4s dev PHYS_DEV [ if_id IF-ID ]\n", lu->id);
+	fprintf(f, "\nWhere: IF-ID := { 0x0..0xffffffff }\n");
+}
+
+static int xfrm_parse_opt(struct link_util *lu, int argc, char **argv,
+			  struct nlmsghdr *n)
+{
+	unsigned int link = 0;
+	__u32 if_id = 0;
+
+	while (argc > 0) {
+		if (!matches(*argv, "dev")) {
+			NEXT_ARG();
+			link = ll_name_to_index(*argv);
+			if (!link)
+				exit(nodev(*argv));
+		} else if (!matches(*argv, "if_id")) {
+			NEXT_ARG();
+			if (!get_u32(&if_id, *argv, 0))
+				addattr32(n, 1024, IFLA_XFRM_IF_ID, if_id);
+		} else {
+			xfrm_print_help(lu, argc, argv, stderr);
+			return -1;
+		}
+		argc--; argv++;
+	}
+
+	if (link) {
+		addattr32(n, 1024, IFLA_XFRM_LINK, link);
+	} else {
+		fprintf(stderr, "must specify physical device\n");
+		return -1;
+	}
+
+	return 0;
+}
+
+static void xfrm_print_opt(struct link_util *lu, FILE *f, struct rtattr *tb[])
+{
+
+	if (!tb)
+		return;
+
+	if (tb[IFLA_XFRM_IF_ID]) {
+		__u32 id = rta_getattr_u32(tb[IFLA_XFRM_IF_ID]);
+
+		print_0xhex(PRINT_ANY, "if_id", "if_id %#llx ", id);
+
+	}
+
+}
+
+struct link_util xfrm_link_util = {
+	.id = "xfrm",
+	.maxattr = IFLA_XFRM_MAX,
+	.parse_opt = xfrm_parse_opt,
+	.print_opt = xfrm_print_opt,
+	.print_help = xfrm_print_help,
+};
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
@ -221,7 +221,8 @@ ip-link \- network device configuration
 .BR vrf " |"
 .BR macsec " |"
 .BR netdevsim " |"
-.BR rmnet " ]"
+.BR rmnet " |"
+.BR xfrm " ]"

 .ti -8
 .IR ETYPE " := [ " TYPE " |"
@ -350,6 +351,9 @@ Link types:
 .sp
 .BR rmnet
 - Qualcomm rmnet device
+.sp
+.BR xfrm
+- Virtual xfrm interface
 .in -8

 .TP
@ -1741,6 +1745,27 @@ the following additional arguments are supported:

 .in -8

+.TP
+XFRM Type Support
+For a link of type
+.I XFRM
+the following additional arguments are supported:
+
+.BI "ip link add " DEVICE " type xfrm dev " PHYS_DEV " [ if_id " IF_ID " ]"
+
+.in +8
+.sp
+.BI dev " PHYS_DEV "
+- specifies the underlying physical interface from which transform traffic is sent and received.
+
+.sp
+.BI if_id " IF-ID "
+- specifies the hexadecimal lookup key used to send traffic to and from specific xfrm
+policies. Policies must be configured with the same key. If not set, the key defaults to
+0 and will match any policies which similarly do not have a lookup key configuration.
+
+.in -8
+
 .SS ip link delete - delete virtual link

 .TP
--- a/testsuite/tests/ip/link/add_type_xfrm.t
+++ b/testsuite/tests/ip/link/add_type_xfrm.t
@ -0,0 +1,32 @@
+#!/bin/sh
+
+. lib/generic.sh
+
+ts_log "[Testing Add XFRM Interface, With IF-ID]"
+
+PHYS_DEV="lo"
+NEW_DEV="$(rand_dev)"
+IF_ID="0xf"
+
+ts_ip "$0" "Add $NEW_DEV xfrm interface"    link add dev $NEW_DEV type xfrm dev $PHYS_DEV if_id $IF_ID
+
+ts_ip "$0" "Show $NEW_DEV xfrm interface"   -d link show dev $NEW_DEV
+test_on "$NEW_DEV"
+test_on "if_id $IF_ID"
+
+ts_ip "$0" "Del $NEW_DEV xfrm interface"   link del dev $NEW_DEV
+
+
+ts_log "[Testing Add XFRM Interface, No IF-ID]"
+
+PHYS_DEV="lo"
+NEW_DEV="$(rand_dev)"
+IF_ID="0xf"
+
+ts_ip "$0" "Add $NEW_DEV xfrm interface"    link add dev $NEW_DEV type xfrm dev $PHYS_DEV
+
+ts_ip "$0" "Show $NEW_DEV xfrm interface"   -d link show dev $NEW_DEV
+test_on "$NEW_DEV"
+test_on_not "if_id $IF_ID"
+
+ts_ip "$0" "Del $NEW_DEV xfrm interface"   link del dev $NEW_DEV